Created
July 8, 2009 12:22
-
-
Save koos/142775 to your computer and use it in GitHub Desktop.
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| # | |
| # -*- shell-script -*- | |
| # | |
| # Configuration file for ferm(1). | |
| # | |
| def $SERVER_TCP_PORTS = (http https ssh); | |
| table filter { | |
| chain INPUT { | |
| policy DROP; | |
| # connection tracking | |
| mod state state INVALID DROP; | |
| mod state state (ESTABLISHED RELATED) ACCEPT; | |
| # allow local packages | |
| interface lo ACCEPT; | |
| # respond to ping, but limit that | |
| proto icmp ACCEPT; | |
| # allow IPsec | |
| proto udp dport 500 ACCEPT; | |
| proto (esp ah) ACCEPT; | |
| # allow the defined tcp connections | |
| #proto tcp dport ssh ACCEPT; | |
| proto tcp dport $SERVER_TCP_PORTS ACCEPT; | |
| } | |
| chain OUTPUT { | |
| policy ACCEPT; | |
| # connection tracking | |
| #mod state state INVALID DROP; | |
| mod state state (ESTABLISHED RELATED) ACCEPT; | |
| } | |
| chain FORWARD { | |
| policy DROP; | |
| # connection tracking | |
| mod state state INVALID DROP; | |
| mod state state (ESTABLISHED RELATED) ACCEPT; | |
| } | |
| } | |
| # IPv6: | |
| #domain ip6 { | |
| # table filter { | |
| # chain INPUT { | |
| # policy ACCEPT; | |
| # # ... | |
| # } | |
| # # ... | |
| # } | |
| #} |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment