[hcoop/zz_old/debian/hcoop-firewall-config.git] / files / ferm.conf.hcoop

# -*- shell-script -*-
#
#  Configuration file for ferm(1).
#

table filter {
    chain INPUT {
        policy DROP;

        # connection tracking
        mod state state INVALID DROP;
        mod state state (ESTABLISHED RELATED) ACCEPT;

        # allow local packet
        interface lo ACCEPT;

        # respond to ping
        proto icmp ACCEPT; 

        # allow IPsec
        proto udp dport 500 ACCEPT;
        proto (esp ah) ACCEPT;

	proto tcp dport ssh ACCEPT;

        # domtool slave
	proto tcp dport 1235 ACCEPT;

	proto (tcp udp) dport ( kerberos afs3-callback ) ACCEPT;

	# system ports
	@include 'service.in.d/';
	@include 'local_ports_in.conf';
	#@include 'users_tcp_in.conf'
    }
    chain OUTPUT {
        policy DROP;

        # connection tracking
        #mod state state INVALID DROP;
        mod state state (ESTABLISHED RELATED) ACCEPT;

	proto tcp dport ssh ACCEPT;

        # connections to domtool dispatcher and slaves (for e.g. QFoo)
	proto tcp dport 1234 ACCEPT;
	proto tcp dport 1235 ACCEPT;

	proto (tcp udp) dport ( kerberos afs3-fileserver afs3-callback afs3-prserver afs3-vlserver afs3-volser afs3-errors afs3-bos ) ACCEPT;

	proto (tcp udp) dport ntp ACCEPT;
	proto (tcp udp) dport domain ACCEPT;

        # root needs port 80 for things like apt-get
	mod owner uid-owner 0 { proto (tcp) dport (http https) ACCEPT; }

	@include 'service.out.d/';
	@include 'local_ports_out.conf';
	#include 'users_tcp_out.conf'
    }
    chain FORWARD {
        policy DROP;

        # connection tracking
        mod state state INVALID DROP;
        mod state state (ESTABLISHED RELATED) ACCEPT;
    }
}

#include 'user_chains.conf'

# IPv6:
#domain ip6 {
#    table filter {
#        chain INPUT {
#            policy ACCEPT;
#            # ...
#        }
#        # ...
#    }
#}
Commit	Line	Data
d4245e04 CE	1	# -- shell-script --
	2	#
	3	# Configuration file for ferm(1).
	4	#
	5
	6	table filter {
	7	chain INPUT {
	8	policy DROP;
	9
	10	# connection tracking
	11	mod state state INVALID DROP;
	12	mod state state (ESTABLISHED RELATED) ACCEPT;
	13
	14	# allow local packet
	15	interface lo ACCEPT;
	16
	17	# respond to ping
	18	proto icmp ACCEPT;
	19
	20	# allow IPsec
	21	proto udp dport 500 ACCEPT;
	22	proto (esp ah) ACCEPT;
	23
	24	proto tcp dport ssh ACCEPT;
	25
	26	# domtool slave
	27	proto tcp dport 1235 ACCEPT;
	28
	29	proto (tcp udp) dport ( kerberos afs3-callback ) ACCEPT;
	30
	31	# system ports
42a257dc	32	@include 'service.in.d/';
d4245e04 CE	33	@include 'local_ports_in.conf';
	34	#@include 'users_tcp_in.conf'
	35	}
	36	chain OUTPUT {
	37	policy DROP;
	38
	39	# connection tracking
	40	#mod state state INVALID DROP;
	41	mod state state (ESTABLISHED RELATED) ACCEPT;
	42
	43	proto tcp dport ssh ACCEPT;
	44
	45	# connections to domtool dispatcher and slaves (for e.g. QFoo)
	46	proto tcp dport 1234 ACCEPT;
	47	proto tcp dport 1235 ACCEPT;
	48
	49	proto (tcp udp) dport ( kerberos afs3-fileserver afs3-callback afs3-prserver afs3-vlserver afs3-volser afs3-errors afs3-bos ) ACCEPT;
	50
	51	proto (tcp udp) dport ntp ACCEPT;
	52	proto (tcp udp) dport domain ACCEPT;
	53
	54	# root needs port 80 for things like apt-get
	55	mod owner uid-owner 0 { proto (tcp) dport (http https) ACCEPT; }
	56
42a257dc	57	@include 'service.out.d/';
d4245e04 CE	58	@include 'local_ports_out.conf';
	59	#include 'users_tcp_out.conf'
	60	}
	61	chain FORWARD {
	62	policy DROP;
	63
	64	# connection tracking
	65	mod state state INVALID DROP;
	66	mod state state (ESTABLISHED RELATED) ACCEPT;
	67	}
	68	}
	69
	70	#include 'user_chains.conf'
	71
	72	# IPv6:
	73	#domain ip6 {
	74	# table filter {
	75	# chain INPUT {
	76	# policy ACCEPT;
	77	# # ...
	78	# }
	79	# # ...
	80	# }
	81	#}