From e0f806a2f44bc08ff8931f8e5dab09579850154d Mon Sep 17 00:00:00 2001
From: Peter Bex
Date: Sun, 14 Feb 2016 19:16:04 +0100
Subject: First version of vps image builder.

---
 assets/firewall/ferm.conf | 38 ++++++++++++++++++++++++++++++++++++++
 1 file changed, 38 insertions(+)
 create mode 100644 assets/firewall/ferm.conf

(limited to 'assets/firewall/ferm.conf')

diff --git a/assets/firewall/ferm.conf b/assets/firewall/ferm.conf
new file mode 100644
index 0000000..e9a1e88
--- /dev/null
+++ b/assets/firewall/ferm.conf
@@ -0,0 +1,38 @@
+# -*- shell-script -*-
+#
+# Configuration file for ferm(1).
+#
+
+@def $PUBLIC_SERVICES=(ssh);
+@def $BADGUYS=();
+
+domain (ip ip6) table filter {
+ chain (INPUT OUTPUT FORWARD) {
+ # connection tracking
+ mod state state INVALID DROP;
+ mod state state (ESTABLISHED RELATED) ACCEPT;
+ }
+
+ chain INPUT {
+ policy DROP;
+
+ # drop blacklisted connections
+ saddr @ipfilter($BADGUYS) DROP;
+
+ # allow local packet
+ interface lo ACCEPT;
+
+ # respond to ping
+ proto icmp ACCEPT;
+
+ proto tcp dport $PUBLIC_SERVICES ACCEPT;
+ }
+
+ chain OUTPUT {
+ policy ACCEPT;
+ }
+
+ chain FORWARD {
+ policy DROP;
+ }
+}
--
cgit v1.2.3
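Review bot: The rule under `# respond to ping` in chain INPUT, `proto icmp ACCEPT;`, admits every ICMP type from any source on both domains, which is wider than the comment states; on the ip side it should be narrowed to echo-request, `proto icmp icmp-type echo-request ACCEPT;`. On the ip6 side a blanket accept is the wrong shape for a different reason: ICMPv6 carries neighbour discovery, router advertisement and packet-too-big signalling, so the rule needs an explicit allow-list of types rather than either "everything" or "echo only". Since the block is shared by `domain (ip ip6)`, the cleanest fix is to branch on ferm's `$DOMAIN` variable (I believe ferm defines it per domain — confirm against the installed ferm version before relying on it). The ssh accept on `dport $PUBLIC_SERVICES` also has no rate limiting, which is a deliberate choice worth a comment either way, e.g. `# NOTE: no brute-force throttling on ssh; relies on key-only auth`.
```shell
# … unchanged: blacklist and loopback rules …

# respond to ping; on ip6 also admit the ICMPv6 types the stack needs
@if $DOMAIN == ip {
    proto icmp icmp-type echo-request ACCEPT;
} @else {
    proto ipv6-icmp icmpv6-type (echo-request neighbour-solicitation neighbour-advertisement router-advertisement packet-too-big time-exceeded destination-unreachable) ACCEPT;
}

# … unchanged: public TCP services …
```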