authorTim Meusel <tim@bastelfreak.de>2017-09-18 15:23:36 +0200
committerTim Meusel <tim@bastelfreak.de>2018-03-15 17:06:08 +0100
commit2d355a4c1baadc761d6b12645d0274da8866f722 (patch)
treee6d1a78f9719397ed9ce9144bf4706a3ccd46c48 /files
initial commit
Diffstat (limited to 'files')
-rw-r--r--files/ferm.conf38
1 files changed, 38 insertions, 0 deletions
diff --git a/files/ferm.conf b/files/ferm.conf
new file mode 100644
index 0000000..27eea58
--- /dev/null
+++ b/files/ferm.conf
@@ -0,0 +1,38 @@
+# -*- shell-script -*-
+#
+# Ferm example script
+#
+# Firewall configuration for a workstation which accepts remote ssh login.
+#
+# Author: Max Kellermann <max@duempel.org>
+#
+
+table filter {
+ chain INPUT {
+ policy DROP;
+
+ # connection tracking
+ mod state state INVALID DROP;
+ mod state state (ESTABLISHED RELATED) ACCEPT;
+
+ # allow local connections
+ interface lo ACCEPT;
+
+ # respond to ping
+ proto icmp icmp-type echo-request ACCEPT;
+
+ # allow SSH connections
+ proto tcp dport ssh ACCEPT;
+
+ # ident connections are also allowed
+ proto tcp dport auth ACCEPT;
+
+ # the rest is dropped by the above policy
+ }
+
+ # outgoing connections are not limited
+ chain OUTPUT policy ACCEPT;
+
+ # this is not a router
+ chain FORWARD policy DROP;
+}
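Review bot: The `table filter` block carries no `domain` qualifier, and ferm's default domain is `ip`, so as far as I can tell this policy is compiled into iptables only and ip6tables on a dual-stack host keeps its default ACCEPT policy on INPUT; declaring `domain (ip ip6) table filter { ... }` would apply the DROP policy to both stacks (the `proto icmp icmp-type echo-request` rule would then need an ICMPv6 counterpart, since it does not match ICMPv6). The `proto tcp dport auth ACCEPT;` rule opens the ident service to every peer; it is inherited from the upstream example and is rarely needed on a workstation, so either drop it or add a comment stating why it is kept. The header comment still calls this a "Ferm example script" although it is shipped as the module's default policy; rewording it to `# Default ferm policy shipped by the puppet-ferm module` would tell an operator that this is the file actually enforced on the host.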