# -*- shell-script -*-
#
# Configuration file for ferm(1).
#
# Layout: one 'filter' table in ferm's default (IPv4) domain, with
# default-deny INPUT, OUTPUT and FORWARD chains. Site-specific openings
# are pulled in through the @include lines below; those files are not
# shown here. No 'domain ip6' block is active in this file, so none of
# the policies below are emitted for ip6tables -- IPv6 filtering, if
# any, has to come from elsewhere (confirm on the host).

table filter {
    chain INPUT {
        policy DROP;                    # default-deny inbound

        # connection tracking: drop untracked/malformed packets first,
        # then let packets belonging to already-accepted flows through
        mod state state INVALID DROP;
        mod state state (ESTABLISHED RELATED) ACCEPT;

        # allow local packet (loopback interface)
        interface lo ACCEPT;

        # allow ICMP so ping is answered -- there is no icmp-type match,
        # so every ICMP type is accepted, not only echo-request
        proto icmp ACCEPT;

        # allow IPsec: IKE on udp/500 plus the ESP and AH protocols
        proto udp dport 500 ACCEPT;
        proto (esp ah) ACCEPT;

        # SSH, from any source address
        proto tcp dport ssh ACCEPT;

        # domtool slave
        proto tcp dport 1235 ACCEPT;

        # Kerberos and the AFS callback port; service names are
        # resolved by ferm (presumably via /etc/services -- confirm)
        proto (tcp udp) dport ( kerberos afs3-callback ) ACCEPT;

        # system ports (included file not shown here)
        @include 'local_ports_in.conf';
        # per-user inbound TCP openings -- currently disabled
        #@include 'users_tcp_in.conf'
    }
    chain OUTPUT {
        policy DROP;                    # default-deny outbound as well

        # connection tracking -- the INVALID drop is disabled in this
        # chain, unlike INPUT and FORWARD
        #mod state state INVALID DROP;
        mod state state (ESTABLISHED RELATED) ACCEPT;

        # outbound SSH
        proto tcp dport ssh ACCEPT;

        # connections to domtool dispatcher and slaves (for e.g. QFoo)
        proto tcp dport 1234 ACCEPT;
        proto tcp dport 1235 ACCEPT;

        # Kerberos and the AFS service ports
        proto (tcp udp) dport ( kerberos afs3-fileserver afs3-callback afs3-prserver afs3-vlserver afs3-volser afs3-errors afs3-bos ) ACCEPT;

        # time sync and name resolution
        proto (tcp udp) dport ntp ACCEPT;
        proto (tcp udp) dport domain ACCEPT;

        # root needs port 80 for things like apt-get
        # (owner match: only packets from sockets owned by uid 0;
        # https is opened alongside http)
        mod owner uid-owner 0 { proto (tcp) dport (http https) ACCEPT; }

        # site-specific outbound openings (included file not shown here)
        @include 'local_ports_out.conf';
        # per-user outbound TCP openings -- currently disabled
        # (spelled '#include' here vs '#@include' in INPUT; both are
        # plain comments to ferm, so neither file is loaded)
        #include 'users_tcp_out.conf'
    }
    chain FORWARD {
        policy DROP;                    # default-deny for forwarded traffic

        # connection tracking: only packets of already-established
        # flows are forwarded; no new forwarded connections are accepted
        mod state state INVALID DROP;
        mod state state (ESTABLISHED RELATED) ACCEPT;
    }
}

# user-defined chains -- currently disabled (plain comment, not @include)
#include 'user_chains.conf'

# IPv6: the whole block below is commented out, so this file generates
# no ip6 rules at all (see the header note)
#domain ip6 {
# table filter {
# chain INPUT {
# policy ACCEPT;
# # ...
# }
# # ...
# }
#}