author | Peter Bex <peter@more-magic.net> | 2016-02-14 19:16:04 +0100 |
committer | Peter Bex <peter@more-magic.net> | 2016-02-21 00:40:40 +0100 |
commit | e0f806a2f44bc08ff8931f8e5dab09579850154d (patch) | |
tree | 774f1e676093937e7775de39f11f6a91afcdbb21 /assets/firewall | |
download | vps-builder-e0f806a2f44bc08ff8931f8e5dab09579850154d.tar.gz |
First version of vps image builder.
Diffstat (limited to 'assets/firewall')
-rw-r--r-- | assets/firewall/ferm.conf | 38 |
1 files changed, 38 insertions, 0 deletions
diff --git a/assets/firewall/ferm.conf b/assets/firewall/ferm.conf
new file mode 100644
index 0000000..e9a1e88
--- /dev/null
+++ b/assets/firewall/ferm.conf
@@ -0,0 +1,38 @@
+# -*- shell-script -*-
+#
+# Configuration file for ferm(1).
+#
+
+@def $PUBLIC_SERVICES=(ssh);
+@def $BADGUYS=();
+
+domain (ip ip6) table filter {
+ chain (INPUT OUTPUT FORWARD) {
+ # connection tracking
+ mod state state INVALID DROP;
+ mod state state (ESTABLISHED RELATED) ACCEPT;
+ }
+
+ chain INPUT {
+ policy DROP;
+
+ # drop blacklisted connections
+ saddr @ipfilter($BADGUYS) DROP;
+
+ # allow local packet
+ interface lo ACCEPT;
+
+ # respond to ping
+ proto icmp ACCEPT;
+
+ proto tcp dport $PUBLIC_SERVICES ACCEPT;
+ }
+
+ chain OUTPUT {
+ policy ACCEPT;
+ }
+
+ chain FORWARD {
+ policy DROP;
+ }
+} |
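Review bot: The `saddr @ipfilter($BADGUYS) DROP;` rule in `chain INPUT` is emitted after the shared `chain (INPUT OUTPUT FORWARD)` block, so `mod state state (ESTABLISHED RELATED) ACCEPT;` matches first and an already-open session from a blacklisted address keeps flowing until it ends; only new connections are actually dropped. Either put the blacklist ahead of the conntrack accept (e.g. make it the first rule of the shared block, or move the two `mod state` rules into INPUT below it) or reword the comment to `# drop new connections from blacklisted addresses` so the limitation is visible. Separately, `proto icmp ACCEPT;` under `# respond to ping` admits every ICMP type, not just echo-request; for the `ip` domain `proto icmp icmp-type echo-request ACCEPT;` is the narrower match, while the `ip6` domain must keep Neighbor Discovery and packet-too-big types reachable under the `policy DROP;`, and it is worth confirming against the ferm version in use that `proto icmp` is rewritten to `icmpv6` for `ip6` rather than silently matching nothing.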