# -*- shell-script -*-
#
# Configuration file for ferm(1).
#
# Host firewall for the IPv4 filter table. All three built-in chains use
# policy DROP, so every rule below is an explicit allow and anything not
# listed is silently dropped. Rule order matters only where a DROP
# precedes an ACCEPT (the INVALID rules); the ACCEPT rules are all
# independent of one another.
#
# Layout: INPUT (what this host accepts), OUTPUT (what this host may
# originate), FORWARD (nothing new -- this host does not route). Site-
# and user-specific ports are pulled in through the @include lines so
# this file only carries the baseline.

table filter {
    chain INPUT {
        policy DROP;

        # connection tracking: drop what conntrack cannot classify, then
        # accept anything that belongs to an existing flow, so the
        # per-port rules below only need to cover NEW connections.
        mod state state INVALID DROP;
        mod state state (ESTABLISHED RELATED) ACCEPT;

        # allow local packet (loopback is trusted unconditionally)
        interface lo ACCEPT;

        # respond to ping
        # NOTE(review): this matches every ICMP type, not only
        # echo-request; ICMP errors tied to tracked flows would already
        # be accepted as RELATED above -- confirm the broad allow is intended.
        proto icmp ACCEPT;

        # allow IPsec: IKE on udp/500 plus the ESP and AH transports
        proto udp dport 500 ACCEPT;
        proto (esp ah) ACCEPT;

        # remote administration
        proto tcp dport ssh ACCEPT;

        # domtool slave
        proto tcp dport 1235 ACCEPT;

        # Kerberos and the AFS client callback port, both transports
        proto (tcp udp) dport ( kerberos afs3-callback ) ACCEPT;

        # system ports -- per-service and per-user allows live in the
        # included files so the baseline above stays minimal
        @include 'service.in.d/';
        @include 'local_ports_in.conf';
        @include 'users_tcp_in.conf';
    }
    chain OUTPUT {
        policy DROP;

        # connection tracking
        # NOTE(review): unlike INPUT and FORWARD, INVALID is not dropped
        # here (the rule is commented out) -- confirm this is deliberate.
        #mod state state INVALID DROP;
        mod state state (ESTABLISHED RELATED) ACCEPT;

        # outbound ssh to any destination
        proto tcp dport ssh ACCEPT;

        # connections to domtool dispatcher and slaves (for e.g. QFoo)
        proto tcp dport 1234 ACCEPT;
        proto tcp dport 1235 ACCEPT;

        # Kerberos plus the full AFS server port set, both transports;
        # kadmin is tcp-only
        proto (tcp udp) dport ( kerberos afs3-fileserver afs3-callback afs3-prserver afs3-vlserver afs3-volser afs3-errors afs3-bos ) ACCEPT;
        proto tcp dport kerberos-adm ACCEPT;

        # time sync and name resolution
        proto (tcp udp) dport ntp ACCEPT;
        proto (tcp udp) dport domain ACCEPT;

        # Allow mail to be routed to smarthost. This may be less than
        # ideal: it seems safer to generate a list of system users to
        # allow, and then require individual members to request smtp
        # access. We'll leave that for the wheezy machines.
        # (Outbound smtp is pinned to the single smarthost address via
        # daddr rather than opened to any destination.)
        proto tcp dport smtp daddr mail.hcoop.net ACCEPT;

        # At least for now, open ports to database servers. If dbtool
        # adduser could also add firewall rules, that would be better.
        # Both rules are restricted to the named database hosts (daddr);
        # 5433 is an extra postgres instance alongside the standard port.
        proto (tcp udp) dport mysql daddr mysql.hcoop.net ACCEPT;
        proto (tcp udp) dport (postgresql 5433) daddr postgres.hcoop.net ACCEPT;

        # root needs port 80 for things like apt-get
        # (owner match: only sockets owned by uid 0 get outbound
        # http/https here; other uids fall through to the includes
        # below and then to the DROP policy)
        mod owner uid-owner 0 { proto (tcp) dport (http https) ACCEPT; }

        # system ports -- see the matching INPUT includes
        @include 'service.out.d/';
        @include 'local_ports_out.conf';
        @include 'users_tcp_out.conf';
    }
    chain FORWARD {
        policy DROP;

        # connection tracking -- no NEW traffic is ever accepted here,
        # so this host forwards nothing
        mod state state INVALID DROP;
        mod state state (ESTABLISHED RELATED) ACCEPT;
    }
}

# user-defined chains referenced by the per-user include files above
@include 'user_chains.conf';

# IPv6:
# NOTE(review): no ip6 domain is defined, so everything above applies
# to IPv4 only; the host's IPv6 policy is whatever ip6tables already
# holds -- confirm it is not left with an ACCEPT default.
#domain ip6 {
#   table filter {
#       chain INPUT {
#           policy ACCEPT;
#           # ...
#       }
#       # ...
#   }
#}