Allow outgoing ping

[hcoop/zz_old/debian/hcoop-firewall-config.git] / files / ferm.conf.hcoop

diff --git a/files/ferm.conf.hcoop b/files/ferm.conf.hcoop
index a85e14d..24f2adf 100644 (file)
--- a/files/ferm.conf.hcoop
+++ b/files/ferm.conf.hcoop
@@ -31,7 +31,7 @@ table filter {
        # system ports
        @include 'service.in.d/';
        @include 'local_ports_in.conf';
-       #@include 'users_tcp_in.conf'
+       @include 'users_tcp_in.conf';
     }
     chain OUTPUT {
         policy DROP;
@@ -40,6 +40,9 @@ table filter {
         #mod state state INVALID DROP;
         mod state state (ESTABLISHED RELATED) ACCEPT;
 
+       # Allow ping
+       proto icmp ACCEPT;
+
        proto tcp dport ssh ACCEPT;
 
         # connections to domtool dispatcher and slaves (for e.g. QFoo)
@@ -52,12 +55,23 @@ table filter {
        proto (tcp udp) dport ntp ACCEPT;
        proto (tcp udp) dport domain ACCEPT;
 
+       # Allow mail to be routed to smarthost. This may be less than
+       # idea: it seems safer to generate a list of system users to
+       # allow, and then require individual members to request smtp
+       # access. We'll leave that for the wheezy machines.
+       proto tcp dport smtp daddr mail.hcoop.net ACCEPT;
+
+       # At least for now, open ports to database servers. If dbtool
+       # adduser could also add firewall rules, that would be better.
+       proto (tcp udp) dport mysql daddr mysql.hcoop.net ACCEPT;
+       proto (tcp udp) dport (postgresql 5433) daddr postgres.hcoop.net ACCEPT;
+
         # root needs port 80 for things like apt-get
        mod owner uid-owner 0 { proto (tcp) dport (http https) ACCEPT; }
 
        @include 'service.out.d/';
        @include 'local_ports_out.conf';
-       #include 'users_tcp_out.conf'
+       @include 'users_tcp_out.conf';
     }
     chain FORWARD {
         policy DROP;
@@ -68,7 +82,7 @@ table filter {
     }
 }
 
-#include 'user_chains.conf'
+@include 'user_chains.conf';
 
 # IPv6:
 #domain ip6 {