#mod state state INVALID DROP;
mod state state (ESTABLISHED RELATED) ACCEPT;
+ # Allow ping
+ proto icmp ACCEPT;
+
proto tcp dport ssh ACCEPT;
# connections to domtool dispatcher and slaves (for e.g. QFoo)
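Review bot: The added `proto icmp ACCEPT;` accepts every ICMP type, although its comment says the intent is only to allow ping. The rule just above already accepts ESTABLISHED and RELATED traffic, which should cover ICMP errors tied to existing connections. The new rule can therefore be narrowed to `proto icmp icmp-type echo-request ACCEPT;`. The enclosing chain is not visible in this hunk; if it faces the network, a rate limit on echo requests is also worth considering.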
# access. We'll leave that for the wheezy machines.
proto tcp dport smtp daddr mail.hcoop.net ACCEPT;
+ # At least for now, open ports to database servers. If dbtool
+ # adduser could also add firewall rules, that would be better.
+ proto (tcp udp) dport mysql daddr mysql.hcoop.net ACCEPT;
+ proto (tcp udp) dport (postgresql 5433) daddr postgres.hcoop.net ACCEPT;
+
# root needs port 80 for things like apt-get
mod owner uid-owner 0 { proto (tcp) dport (http https) ACCEPT; }
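Review bot: Both new database rules match `proto (tcp udp)`, but MySQL and PostgreSQL client connections run over TCP, so the UDP half permits traffic that nothing here is expected to send. `proto tcp dport mysql daddr mysql.hcoop.net ACCEPT;` and the matching change on the PostgreSQL line would be tighter. Unlike the root-only http/https rule below them, these rules carry no `mod owner` match, so any local user can reach the database ports. The comment accepts that as temporary, and a `# TODO` naming who will follow up would make it easier to track. Port 5433 is given by number with no explanation; a short comment on what listens there (presumably a second PostgreSQL instance) would help the next reader.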