diff options
author | Silvio Rhatto <rhatto@riseup.net> | 2022-01-08 15:50:26 -0300 |
---|---|---|
committer | Silvio Rhatto <rhatto@riseup.net> | 2022-01-08 15:50:26 -0300 |
commit | 3d1cf84f39fece3f2a9f8b7247a792212eb81177 (patch) | |
tree | f1fa5ca591908d363d13d30256f7af3b242d2d6b /files | |
parent | 55fa862bae8e2582e5ac0c008a0bb0ec53d9bfff (diff) | |
download | puppet-firewall-3d1cf84f39fece3f2a9f8b7247a792212eb81177.tar.gz puppet-firewall-3d1cf84f39fece3f2a9f8b7247a792212eb81177.tar.bz2 |
Feat: major refactor
Diffstat (limited to 'files')
-rw-r--r-- | files/ferm/ferm.conf.tpc | 33 |
1 files changed, 33 insertions, 0 deletions
diff --git a/files/ferm/ferm.conf.tpc b/files/ferm/ferm.conf.tpc new file mode 100644 index 0000000..8a1017e --- /dev/null +++ b/files/ferm/ferm.conf.tpc @@ -0,0 +1,33 @@ +# Firewall configuration for a TPC +# Inspired by http://ferm.foo-projects.org/download/examples/workstation.ferm +# File managed by puppet + +table filter { + chain INPUT { + policy DROP; + + # connection tracking + #mod state state INVALID DROP; + #mod state state (ESTABLISHED RELATED) ACCEPT; + + # allow local connections + interface lo ACCEPT; + + # respond to ping + #proto icmp icmp-type echo-request ACCEPT; + + # allow SSH connections + #proto tcp dport ssh ACCEPT; + + # ident connections are also allowed + #proto tcp dport auth ACCEPT; + + # the rest is dropped by the above policy + } + + # outgoing connections are not limited + chain OUTPUT policy ACCEPT; + + # this is not a router + chain FORWARD policy DROP; +} |