3 # Configuration file for ferm(1).
# Conntrack policy for this chain (the chain header is above this excerpt;
# the *.in.* includes further down suggest INPUT). Packets that conntrack
# cannot attribute to a known connection (INVALID) are dropped before any
# other rule is consulted; replies and related traffic are accepted, so the
# rules that follow only have to cover new connections.
11 mod state state INVALID DROP;
12 mod state state (ESTABLISHED RELATED) ACCEPT;
# IPsec: IKE on udp/500 plus the ESP and AH payload protocols.
# NOTE(review): there is no udp/4500 rule, so peers that need NAT-traversal
# (NAT-T) would not be able to negotiate — confirm that is intended.
21 proto udp dport 500 ACCEPT;
22 proto (esp ah) ACCEPT;
# SSH from any source. No saddr restriction or rate limiting is applied
# here, so brute-force protection (if any) must come from sshd itself or
# from one of the included files below.
24 proto tcp dport ssh ACCEPT;
# tcp/1235 accepted from any source. The comment above the outbound
# 1234/1235 rules names these as domtool dispatcher/slave ports, so this
# is presumably the local slave listener — consider restricting saddr to
# the dispatcher host(s) if they are known.
27 proto tcp dport 1235 ACCEPT;
# Kerberos KDC and the AFS callback port (the client-side port that AFS
# fileservers call back into), over both tcp and udp.
29 proto (tcp udp) dport ( kerberos afs3-callback ) ACCEPT;
# Per-service and per-user inbound rules live in drop-in files. A trailing
# slash makes ferm include every file in the directory, so anything placed
# in service.in.d/ is loaded without further review in this file.
32 @include 'service.in.d/';
33 @include 'local_ports_in.conf';
34 @include 'users_tcp_in.conf';
# Conntrack policy for this chain (apparently OUTPUT: the owner match and
# the daddr rules below only make sense for locally generated traffic).
# NOTE(review): unlike lines 11 and 77 of this file, the INVALID DROP is
# commented out here, so locally generated packets that conntrack cannot
# classify fall through to the rules below instead of being dropped.
40 #mod state state INVALID DROP;
41 mod state state (ESTABLISHED RELATED) ACCEPT;
# Outbound SSH to any destination.
43 proto tcp dport ssh ACCEPT;
45 # Connections to the domtool dispatcher and slaves on tcp/1234 and
# tcp/1235 (used by e.g. QFoo). Any destination is allowed; if the
# dispatcher/slave hosts are known, a daddr restriction would narrow this.
46 proto tcp dport 1234 ACCEPT;
47 proto tcp dport 1235 ACCEPT;
# Kerberos KDC plus the full set of AFS server ports (fileserver, callback,
# ptserver, vlserver, volserver, errors, bos) over tcp and udp, to any host.
49 proto (tcp udp) dport ( kerberos afs3-fileserver afs3-callback afs3-prserver afs3-vlserver afs3-volser afs3-errors afs3-bos ) ACCEPT;
# Kerberos administration protocol (kadmin), tcp only.
50 proto tcp dport kerberos-adm ACCEPT;
# Time synchronisation and DNS resolution to any server.
52 proto (tcp udp) dport ntp ACCEPT;
53 proto (tcp udp) dport domain ACCEPT;
55 # Allow mail to be routed to the smarthost. This may be less than
56 # ideal: it seems safer to generate a list of system users to
57 # allow, and then require individual members to request smtp
58 # access. We'll leave that for the wheezy machines.
# NOTE(review): ferm resolves daddr hostnames when the ruleset is loaded,
# so this rule pins whatever mail.hcoop.net resolved to at that moment and
# needs a reload if the smarthost's address changes.
59 proto tcp dport smtp daddr mail.hcoop.net ACCEPT;
61 # At least for now, open ports to the database servers. If dbtool
62 # adduser could also add firewall rules, that would be better.
# NOTE(review): MySQL only speaks TCP, so the udp half of this rule is
# almost certainly unnecessary and could be dropped. As with smtp above,
# the hostnames are resolved once at load time.
63 proto (tcp udp) dport mysql daddr mysql.hcoop.net ACCEPT;
# postgresql (5432) plus a second instance on 5433 — presumably a second
# cluster on the same host; confirm it is still in use before keeping it.
64 proto (tcp udp) dport (postgresql 5433) daddr postgres.hcoop.net ACCEPT;
66 # root needs port 80 for things like apt-get (and 443 for https mirrors).
# The owner match only applies to locally generated packets, which is why
# this rule belongs in the OUTPUT chain. Only uid 0 gets unrestricted
# http/https here; any other user's web access must come from the included
# files below.
67 mod owner uid-owner 0 { proto (tcp) dport (http https) ACCEPT; }
# Per-service and per-user outbound rules, mirroring the inbound includes.
# Every file in service.out.d/ is loaded because of the trailing slash.
69 @include 'service.out.d/';
70 @include 'local_ports_out.conf';
71 @include 'users_tcp_out.conf';
# Conntrack policy for the third chain (its header is not in this excerpt;
# likely FORWARD). INVALID is dropped here, as in the first chain, so only
# the OUTPUT chain above leaves INVALID packets unhandled.
77 mod state state INVALID DROP;
78 mod state state (ESTABLISHED RELATED) ACCEPT;
82 @include 'user_chains.conf';