path: root/assets/firewall/ferm.conf
blob: e9a1e88bf555675ea030d4bed94aaf3fbedd497e (plain)
# -*- shell-script -*-
#
#  Configuration file for ferm(1).
#
#  The same rule set is emitted for both IPv4 and IPv6 (see the
#  "domain (ip ip6)" block below); there is no IPv6-only section.
#

# Services accepted from any source on INPUT (matched as TCP ports below).
# Adding a name or port number here opens it to the whole network.
@def $PUBLIC_SERVICES=(ssh);
# Source addresses to drop on INPUT (blacklist). Empty by default;
# presumably ferm emits no rule for an empty list - verify with `ferm -n -l`.
@def $BADGUYS=();

domain (ip ip6) table filter {
	# Shared prelude for all three built-in chains. These rules are listed
	# first in the file, so they precede the chain-specific rules below
	# (assuming ferm keeps file order, which is how it is normally used).
	chain (INPUT OUTPUT FORWARD) {
		# connection tracking: packets not belonging to any known flow
		# are dropped, packets of an existing flow are accepted early.
		mod state state INVALID DROP;
		mod state state (ESTABLISHED RELATED) ACCEPT;
	}

	chain INPUT {
		# default-deny: anything not explicitly ACCEPTed below is dropped
		# (no LOG rule exists, so drops leave no trace in the kernel log).
		policy DROP;

		# drop blacklisted connections
		# @ipfilter keeps only the addresses of the current domain's family.
		# NOTE(review): because the ESTABLISHED/RELATED accept above runs
		# first, adding an address here stops new connections only; flows
		# already tracked keep working until they expire.
		saddr @ipfilter($BADGUYS) DROP;

		# allow local packet
		interface lo ACCEPT;

		# respond to ping
		# Accepts every ICMP type, not only echo-request, with no rate limit.
		# NOTE(review): in the ip6 domain ICMPv6 must not be blocked
		# (neighbour discovery depends on it); confirm that ferm emits
		# ipv6-icmp for this line in that domain.
		proto icmp ACCEPT; 

		# public services are TCP only; UDP services would need a separate rule
		proto tcp dport $PUBLIC_SERVICES ACCEPT;
	}

	chain OUTPUT {
		# all locally originated traffic is allowed out
		policy ACCEPT;
	}

	chain FORWARD {
		# this host does not route between interfaces; only the shared
		# conntrack rules above can ever accept a forwarded packet
		policy DROP;
	}
}