# -*- shell-script -*-
#
# Configuration file for ferm(1).
#
# Scope: a host firewall with default-DROP on every chain of the IPv4
# "filter" table.  Only the ports named below are reachable; everything
# else is dropped (there are no REJECT rules, so blocked peers see timeouts
# rather than resets).
#
# Rule order matters: iptables takes the first matching rule, so the
# connection-tracking rules must stay ahead of the per-port ACCEPTs.
#
# NOTE(review): only the IPv4 (`ip`) domain is configured here.  On a host
# that also has IPv6 addresses, ip6tables is not touched by this file and
# keeps whatever policy the kernel/boot scripts left it with -- confirm, and
# mirror the INPUT rules under a `domain ip6` block if the host is dual-stack
# (the commented stub at the end of the file is a placeholder, not a policy).
#

table filter {
    chain INPUT {
        policy DROP;

        # connection tracking: first discard packets conntrack cannot
        # classify, then accept anything belonging to a flow already allowed
        mod state state INVALID DROP;
        mod state state (ESTABLISHED RELATED) ACCEPT;

        # allow local packet
        interface lo ACCEPT;

        # respond to ping
        # NOTE(review): there is no icmp-type qualifier, so this admits every
        # ICMP type (redirects, timestamp requests, ...), not only echo-request.
        proto icmp ACCEPT;

        # allow IPsec: IKE on udp/500 plus the ESP/AH protocols themselves.
        # NAT-T (udp/4500) is not listed -- fine if no peer sits behind NAT.
        proto udp dport 500 ACCEPT;
        proto (esp ah) ACCEPT;

        # inbound ssh from any source (no source-address restriction)
        proto tcp dport ssh ACCEPT;

        # domtool slave
        proto tcp dport 1235 ACCEPT;

        # Kerberos and the AFS callback port over both transports; ferm
        # expands the two lists into one iptables rule per (proto, port)
        # pair.  The afs3-* names are presumably resolved from /etc/services
        # -- confirm those entries exist on the host.
        proto (tcp udp) dport ( kerberos afs3-callback ) ACCEPT;

        # system ports (host-specific additions live in the included file)
        @include 'local_ports_in.conf';
        #@include 'users_tcp_in.conf'
    }
    chain OUTPUT {
        policy DROP;

        # connection tracking
        # NOTE(review): unlike INPUT and FORWARD, INVALID is not dropped here,
        # so locally generated packets conntrack cannot classify fall through
        # to the per-port rules below.  Confirm this asymmetry is intended.
        #mod state state INVALID DROP;
        mod state state (ESTABLISHED RELATED) ACCEPT;

        # outbound ssh, permitted for every local user
        proto tcp dport ssh ACCEPT;

        # connections to domtool dispatcher and slaves (for e.g. QFoo)
        proto tcp dport 1234 ACCEPT;
        proto tcp dport 1235 ACCEPT;

        # Kerberos plus the full AFS client/server port set
        proto (tcp udp) dport ( kerberos afs3-fileserver afs3-callback afs3-prserver afs3-vlserver afs3-volser afs3-errors afs3-bos ) ACCEPT;

        # time sync and DNS resolution
        proto (tcp udp) dport ntp ACCEPT;
        proto (tcp udp) dport domain ACCEPT;

        # root needs port 80 for things like apt-get
        # (the owner match keys on the uid of the sending local process, so
        # non-root users get no http/https egress from this rule)
        mod owner uid-owner 0 { proto (tcp) dport (http https) ACCEPT; }

        @include 'local_ports_out.conf';
        # ferm's directive is @include; written that way so uncommenting works
        #@include 'users_tcp_out.conf'
    }
    chain FORWARD {
        policy DROP;

        # connection tracking only: no rule here opens a new forwarded flow,
        # so this host does not route traffic for anyone
        mod state state INVALID DROP;
        mod state state (ESTABLISHED RELATED) ACCEPT;
    }
}

# ferm's directive is @include; written that way so uncommenting works
#@include 'user_chains.conf'

# IPv6: stub only -- see the note at the top of this file.  As written it
# would set policy ACCEPT, which is the opposite of the IPv4 posture above.
#domain ip6 {
#    table filter {
#        chain INPUT {
#            policy ACCEPT;
#            # ...
#        }
#        # ...
#    }
#}