diff options
Diffstat (limited to 'assets/firewall')
-rw-r--r-- | assets/firewall/ferm.conf | 38 |
1 files changed, 38 insertions, 0 deletions
diff --git a/assets/firewall/ferm.conf b/assets/firewall/ferm.conf new file mode 100644 index 0000000..e9a1e88 --- /dev/null +++ b/assets/firewall/ferm.conf @@ -0,0 +1,38 @@ +# -*- shell-script -*- +# +# Configuration file for ferm(1). +# + +@def $PUBLIC_SERVICES=(ssh); +@def $BADGUYS=(); + +domain (ip ip6) table filter { + chain (INPUT OUTPUT FORWARD) { + # connection tracking + mod state state INVALID DROP; + mod state state (ESTABLISHED RELATED) ACCEPT; + } + + chain INPUT { + policy DROP; + + # drop blacklisted connections + saddr @ipfilter($BADGUYS) DROP; + + # allow local packet + interface lo ACCEPT; + + # respond to ping + proto icmp ACCEPT; + + proto tcp dport $PUBLIC_SERVICES ACCEPT; + } + + chain OUTPUT { + policy ACCEPT; + } + + chain FORWARD { + policy DROP; + } +} |