summaryrefslogtreecommitdiff
path: root/assets/firewall
diff options
context:
space:
mode:
Diffstat (limited to 'assets/firewall')
-rw-r--r--assets/firewall/ferm.conf38
1 files changed, 38 insertions, 0 deletions
diff --git a/assets/firewall/ferm.conf b/assets/firewall/ferm.conf
new file mode 100644
index 0000000..e9a1e88
--- /dev/null
+++ b/assets/firewall/ferm.conf
@@ -0,0 +1,38 @@
+# -*- shell-script -*-
+#
+# Configuration file for ferm(1).
+#
+
+@def $PUBLIC_SERVICES=(ssh);
+@def $BADGUYS=();
+
+domain (ip ip6) table filter {
+ chain (INPUT OUTPUT FORWARD) {
+ # connection tracking
+ mod state state INVALID DROP;
+ mod state state (ESTABLISHED RELATED) ACCEPT;
+ }
+
+ chain INPUT {
+ policy DROP;
+
+ # drop blacklisted connections
+ saddr @ipfilter($BADGUYS) DROP;
+
+ # allow local packet
+ interface lo ACCEPT;
+
+ # respond to ping
+ proto icmp ACCEPT;
+
+ proto tcp dport $PUBLIC_SERVICES ACCEPT;
+ }
+
+ chain OUTPUT {
+ policy ACCEPT;
+ }
+
+ chain FORWARD {
+ policy DROP;
+ }
+}