SEJeff/srv_data_etc_ferm_ferm.conf

## srv_data_etc_ferm_ferm.conf
domain (ip ip6) {
    table filter {
        chain INPUT {
            policy DROP;

            # connection tracking
            mod state state INVALID DROP;
            mod state state (ESTABLISHED RELATED) ACCEPT;

            # allow local packet
            interface lo ACCEPT;

            # respond to ping
            proto icmp ACCEPT;

            # allow SSH connections
            proto tcp dport ssh ACCEPT;

            # allow spectrum/snmp queries
            proto udp dport snmp ACCEPT;

            {% if salt['pkg.version']('nginx') %}
            # allow HTTP connections
            proto tcp dport http ACCEPT;
            {% endif %}

            {% if salt['pkg.version']('vsftpd') %}
            # allow FTP connections
            proto tcp dport 20 ACCEPT;
            proto tcp dport 21 ACCEPT;
            proto tcp dport 64000:64100 ACCEPT;
            {% endif %}

            {% if salt['pkg.version']('samba') %}
            # allow samba connections
            proto udp dport 137 ACCEPT;
            proto udp dport 138 ACCEPT;
            proto tcp dport 139 ACCEPT;
            {% endif %}

            {% if salt['pkg.version']('ntp') %}
            # allow NTP queries
            proto udp dport 123 ACCEPT;
            {% endif %}
        }
        chain OUTPUT {
            policy ACCEPT;

            # connection tracking
            #mod state state INVALID DROP;
            mod state state (ESTABLISHED RELATED) ACCEPT;
        }
        chain FORWARD {
            policy DROP;

            # connection tracking
            mod state state INVALID DROP;
            mod state state (ESTABLISHED RELATED) ACCEPT;
        }
    }
}
	domain (ip ip6) {
	table filter {
	chain INPUT {
	policy DROP;

	# connection tracking
	mod state state INVALID DROP;
	mod state state (ESTABLISHED RELATED) ACCEPT;

	# allow local packet
	interface lo ACCEPT;

	# respond to ping
	proto icmp ACCEPT;

	# allow SSH connections
	proto tcp dport ssh ACCEPT;

	# allow spectrum/snmp queries
	proto udp dport snmp ACCEPT;

	{% if salt['pkg.version']('nginx') %}
	# allow HTTP connections
	proto tcp dport http ACCEPT;
	{% endif %}

	{% if salt['pkg.version']('vsftpd') %}
	# allow FTP connections
	proto tcp dport 20 ACCEPT;
	proto tcp dport 21 ACCEPT;
	proto tcp dport 64000:64100 ACCEPT;
	{% endif %}

	{% if salt['pkg.version']('samba') %}
	# allow samba connections
	proto udp dport 137 ACCEPT;
	proto udp dport 138 ACCEPT;
	proto tcp dport 139 ACCEPT;
	{% endif %}

	{% if salt['pkg.version']('ntp') %}
	# allow NTP queries
	proto udp dport 123 ACCEPT;
	{% endif %}
	}
	chain OUTPUT {
	policy ACCEPT;

	# connection tracking
	#mod state state INVALID DROP;
	mod state state (ESTABLISHED RELATED) ACCEPT;
	}
	chain FORWARD {
	policy DROP;

	# connection tracking
	mod state state INVALID DROP;
	mod state state (ESTABLISHED RELATED) ACCEPT;
	}
	}
	}