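# -*- shell-script -*-
#
# Configuration file for ferm(1).
#
# IPv4 packet filter for an HCoop host.  All three built-in chains default
# to DROP: anything not explicitly accepted below, or in one of the
# @include'd per-service / per-host / per-user fragments, is discarded.
#
# Only `domain ip` (iptables) is configured by this file; see the IPv6
# note at the bottom.
#

table filter {
    chain INPUT {
        policy DROP;

        # connection tracking: discard what conntrack cannot classify, then
        # short-circuit packets belonging to flows we already accepted.
        mod state state INVALID DROP;
        mod state state (ESTABLISHED RELATED) ACCEPT;

        # allow local packet
        interface lo ACCEPT;

        # respond to ping.  Only echo-request is opened explicitly: ICMP
        # errors that belong to a tracked flow (fragmentation-needed,
        # port-unreachable, time-exceeded, ...) are RELATED and already
        # accepted above, so there is no need to admit every ICMP type.
        proto icmp icmp-type echo-request ACCEPT;

        # allow IPsec: IKE plus the ESP/AH payloads.
        # NOTE(review): NAT-T (udp/4500) is not opened; add it if a peer
        # ever sits behind NAT.
        proto udp dport 500 ACCEPT;
        proto (esp ah) ACCEPT;

        # remote administration / member logins
        proto tcp dport ssh ACCEPT;

        # domtool slave (control channel from the domtool dispatcher).
        # NOTE(review): accepted from any source.  If the dispatcher's
        # address is stable, prefer
        #   saddr <dispatcher> proto tcp dport 1235 ACCEPT;
        proto tcp dport 1235 ACCEPT;

        # Kerberos and the AFS client callback port
        proto (tcp udp) dport ( kerberos afs3-callback ) ACCEPT;

        # system ports, host-local additions and per-user ports are kept in
        # separate fragments so they can be regenerated independently
        @include 'service.in.d/';
        @include 'local_ports_in.conf';
        @include 'users_tcp_in.conf';
    }
    chain OUTPUT {
        policy DROP;

        # connection tracking.
        # NOTE(review): the INVALID drop is disabled here, unlike in INPUT
        # and FORWARD; the reason is not recorded -- confirm before
        # re-enabling it.
        #mod state state INVALID DROP;
        mod state state (ESTABLISHED RELATED) ACCEPT;

        # Allow outgoing ping.  Echo replies to inbound pings are
        # ESTABLISHED and ICMP errors for tracked flows are RELATED, both
        # matched above; only echo-request needs an explicit rule.
        proto icmp icmp-type echo-request ACCEPT;

        # outbound ssh, any user
        proto tcp dport ssh ACCEPT;

        # connections to domtool dispatcher (1234) and slaves (1235),
        # for e.g. QFoo
        proto tcp dport (1234 1235) ACCEPT;

        # Kerberos and OpenAFS (fileserver, callback, ptserver, vlserver,
        # volserver, error reporting, bosserver)
        proto (tcp udp) dport ( kerberos afs3-fileserver afs3-callback afs3-prserver afs3-vlserver afs3-volser afs3-errors afs3-bos ) ACCEPT;
        proto tcp dport kerberos-adm ACCEPT;

        # time and name resolution
        proto (tcp udp) dport ntp ACCEPT;
        proto (tcp udp) dport domain ACCEPT;

        # Allow mail to be routed to the smarthost.  This may be less than
        # ideal: it seems safer to generate a list of system users to
        # allow, and then require individual members to request smtp
        # access.  We'll leave that for the wheezy machines.
        #
        # NOTE: a hostname in `daddr` is resolved once, when the ruleset is
        # loaded; a later DNS change leaves stale address(es) in the live
        # rules until ferm is re-run.
        proto tcp dport smtp daddr mail.hcoop.net ACCEPT;

        # At least for now, open ports to database servers.  If dbtool
        # adduser could also add firewall rules, that would be better.
        # (Same resolve-at-load-time caveat as the smtp rule above.)
        proto (tcp udp) dport mysql daddr mysql.hcoop.net ACCEPT;
        proto (tcp udp) dport (postgresql 5433) daddr postgres.hcoop.net ACCEPT;

        # root needs http/https for things like apt-get.  `mod owner`
        # matches the uid owning the local socket, so this grants web
        # access to root only, not to ordinary users.
        mod owner uid-owner 0 { proto (tcp) dport (http https) ACCEPT; }

        @include 'service.out.d/';
        @include 'local_ports_out.conf';
        @include 'users_tcp_out.conf';
    }
    chain FORWARD {
        # this host is not a router: nothing is forwarded except packets
        # conntrack already associates with an accepted flow
        policy DROP;

        # connection tracking
        mod state state INVALID DROP;
        mod state state (ESTABLISHED RELATED) ACCEPT;
    }
}

# user-defined chains referenced from the fragments above
@include 'user_chains.conf';

# IPv6:
#
# WARNING: nothing in this file configures ip6tables.  With the block below
# commented out, the IPv6 filter keeps whatever state the system already
# has (the kernel default is ACCEPT on every chain), so the DROP-by-default
# posture above applies to IPv4 only unless ip6tables is locked down
# elsewhere.  When enabling this, remember that ICMPv6 (neighbour
# discovery, router advertisements, PMTU) must be allowed for IPv6 to work
# at all -- a blanket `policy DROP` without it breaks connectivity.
#
#domain ip6 {
#    table filter {
#        chain INPUT {
#            policy ACCEPT;
#            # ...
#        }
#        # ...
#    }
#}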