[hcoop/zz_old/debian/hcoop-firewall-config.git] / files / ferm.conf.hcoop

# -*- shell-script -*-
#
#  Configuration file for ferm(1).
#

table filter {
    chain INPUT {
        policy DROP;

        # connection tracking
        mod state state INVALID DROP;
        mod state state (ESTABLISHED RELATED) ACCEPT;

        # allow local packet
        interface lo ACCEPT;

        # respond to ping
        proto icmp ACCEPT; 

        # allow IPsec
        proto udp dport 500 ACCEPT;
        proto (esp ah) ACCEPT;

	proto tcp dport ssh ACCEPT;

        # domtool slave
	proto tcp dport 1235 ACCEPT;

	proto (tcp udp) dport ( kerberos afs3-callback ) ACCEPT;

	# system ports
	@include 'local_ports_in.conf';
	#@include 'users_tcp_in.conf'
    }
    chain OUTPUT {
        policy DROP;

        # connection tracking
        #mod state state INVALID DROP;
        mod state state (ESTABLISHED RELATED) ACCEPT;

	proto tcp dport ssh ACCEPT;

        # connections to domtool dispatcher and slaves (for e.g. QFoo)
	proto tcp dport 1234 ACCEPT;
	proto tcp dport 1235 ACCEPT;

	proto (tcp udp) dport ( kerberos afs3-fileserver afs3-callback afs3-prserver afs3-vlserver afs3-volser afs3-errors afs3-bos ) ACCEPT;

	proto (tcp udp) dport ntp ACCEPT;
	proto (tcp udp) dport domain ACCEPT;

        # root needs port 80 for things like apt-get
	mod owner uid-owner 0 { proto (tcp) dport (http https) ACCEPT; }

	@include 'local_ports_out.conf';
	#include 'users_tcp_out.conf'
    }
    chain FORWARD {
        policy DROP;

        # connection tracking
        mod state state INVALID DROP;
        mod state state (ESTABLISHED RELATED) ACCEPT;
    }
}

#include 'user_chains.conf'

# IPv6:
#domain ip6 {
#    table filter {
#        chain INPUT {
#            policy ACCEPT;
#            # ...
#        }
#        # ...
#    }
#}
Commit	Line	Data
d4245e04 CE	1	# -- shell-script --
	2	#
	3	# Configuration file for ferm(1).
	4	#
	5
	6	table filter {
	7	chain INPUT {
	8	policy DROP;
	9
	10	# connection tracking
	11	mod state state INVALID DROP;
	12	mod state state (ESTABLISHED RELATED) ACCEPT;
	13
	14	# allow local packet
	15	interface lo ACCEPT;
	16
	17	# respond to ping
	18	proto icmp ACCEPT;
	19
	20	# allow IPsec
	21	proto udp dport 500 ACCEPT;
	22	proto (esp ah) ACCEPT;
	23
	24	proto tcp dport ssh ACCEPT;
	25
	26	# domtool slave
	27	proto tcp dport 1235 ACCEPT;
	28
	29	proto (tcp udp) dport ( kerberos afs3-callback ) ACCEPT;
	30
	31	# system ports
	32	@include 'local_ports_in.conf';
	33	#@include 'users_tcp_in.conf'
	34	}
	35	chain OUTPUT {
	36	policy DROP;
	37
	38	# connection tracking
	39	#mod state state INVALID DROP;
	40	mod state state (ESTABLISHED RELATED) ACCEPT;
	41
	42	proto tcp dport ssh ACCEPT;
	43
	44	# connections to domtool dispatcher and slaves (for e.g. QFoo)
	45	proto tcp dport 1234 ACCEPT;
	46	proto tcp dport 1235 ACCEPT;
	47
	48	proto (tcp udp) dport ( kerberos afs3-fileserver afs3-callback afs3-prserver afs3-vlserver afs3-volser afs3-errors afs3-bos ) ACCEPT;
	49
	50	proto (tcp udp) dport ntp ACCEPT;
	51	proto (tcp udp) dport domain ACCEPT;
	52
	53	# root needs port 80 for things like apt-get
	54	mod owner uid-owner 0 { proto (tcp) dport (http https) ACCEPT; }
	55
	56	@include 'local_ports_out.conf';
	57	#include 'users_tcp_out.conf'
	58	}
	59	chain FORWARD {
	60	policy DROP;
	61
	62	# connection tracking
	63	mod state state INVALID DROP;
	64	mod state state (ESTABLISHED RELATED) ACCEPT;
65	}
66	}
67
68	#include 'user_chains.conf'
69
70	# IPv6:
71	#domain ip6 {
72	# table filter {
73	# chain INPUT {
74	# policy ACCEPT;
75	# # ...
76	# }
77	# # ...
78	# }
79	#}