# -*- shell-script -*-
#
# Configuration file for ferm(1).
#
# Host firewall for IPv4 and IPv6 at once (domain (ip ip6)): default-deny
# inbound, unrestricted outbound, no forwarding.  ferm emits the rules of a
# chain in the order written here and iptables evaluates them top-down, so
# the ordering of the statements below is significant.
#

# TCP services reachable from any source address; service names such as
# ssh are resolved to port numbers by iptables.
@def $PUBLIC_SERVICES=(ssh);
# Source addresses to drop unconditionally.  Empty by default.
@def $BADGUYS=();

domain (ip ip6) table filter {
    # Emitted into all three chains: the stateful rules come first so that
    # packets belonging to known flows are decided here, before any
    # chain-specific rule.
    chain (INPUT OUTPUT FORWARD) {
        # connection tracking
        mod state state INVALID DROP;
        mod state state (ESTABLISHED RELATED) ACCEPT;
    }

    chain INPUT {
        # Default-deny: anything not explicitly accepted below is dropped.
        policy DROP;

        # drop blacklisted connections
        # @ipfilter keeps only those $BADGUYS entries that belong to the
        # current domain (IPv4 addresses for ip, IPv6 addresses for ip6).
        # Placed before the accepts so a listed source never matches them.
        saddr @ipfilter($BADGUYS) DROP;

        # allow local packet
        interface lo ACCEPT;

        # respond to ping
        # NOTE(review): this accepts every ICMP type, not only echo-request.
        # In the ip6 domain it also relies on ferm mapping "icmp" to ICMPv6
        # (neighbor discovery needs those types to pass); confirm the
        # generated ip6tables rules with `ferm --noexec --lines`.
        proto icmp ACCEPT;

        # New inbound TCP connections are accepted only for the published
        # services; everything else falls through to the DROP policy.
        proto tcp dport $PUBLIC_SERVICES ACCEPT;
    }

    chain OUTPUT {
        # Egress is unrestricted; only INVALID-state packets are dropped by
        # the shared connection-tracking rules above.
        policy ACCEPT;
    }

    chain FORWARD {
        # This host does not route packets between interfaces.
        policy DROP;
    }
}