X-Git-Url: https://git.stderr.nl/gitweb?a=blobdiff_plain;f=etc%2Fvuurmuur%2Frules%2Frules.conf;h=b78554ebb84bda629a5a11b3e27e45781478d780;hb=14c8577b515f524a5a62c831a74895c9d2f401b5;hp=b7085fe6b03e1b2373454d605ff988d46eb857f8;hpb=70f4f512ef539e6140c47f3fc32fe5022a75fb07;p=matthijs%2Fservers%2Fdrsnuggles.git diff --git a/etc/vuurmuur/rules/rules.conf b/etc/vuurmuur/rules/rules.conf index b7085fe..b78554e 100644 --- a/etc/vuurmuur/rules/rules.conf +++ b/etc/vuurmuur/rules/rules.conf @@ -1,14 +1,30 @@ -RULE="Accept service ping from any to any options comment=\"ping\"" +RULE="separator options comment=\"Outgoing traffic\"" RULE="Accept service any from firewall to world.inet options comment=\"Outgoing host traffic\"" -RULE="Accept service any from vservers.internal to world.inet options comment=\"Outgoing vserver traffic\"" -RULE="Snat service any from vservers.internal to world.inet options comment=\"snat for vservers\"" -RULE="separator" +RULE="Accept service any from any to world.inet options comment=\"Outgoing vserver traffic (but from any due to vuurmuur limits)\"" +RULE="Snat service any from vservers.internal to world.inet options out_int=\"inet-nic\",comment=\"snat for vservers\"" +RULE="separator options comment=\"Zeratul crosslink\"" RULE="Accept service any from zeratul.direct to firewall options comment=\"direct traffic from zeratul\"" RULE="Accept service any from firewall to zeratul.direct options comment=\"direct traffice to zeratul\"" -RULE="separator" +RULE="separator options comment=\"Open up ports on the host\"" RULE="Accept service ssh-host from any to firewall(any) options comment=\"ssh access to the host\"" -RULE="Portfw service http from world.inet to www.vservers.internal options comment=\"http to www\"" -RULE="Portfw service smtp from world.inet to mail.vservers.internal options comment=\"smtp to mail\"" -RULE="Portfw service dns from world.inet to dns.vservers.internal options comment=\"dns to dns\"" -RULE="Portfw service imaps from world.inet to mail.vservers.internal options comment=\"imaps to mail\"" -RULE="Portfw service ssh from world.inet to login.vservers.internal options comment=\"ssh to login\"" +RULE="Accept service ident from world.inet to firewall(any)" +RULE="separator options comment=\"Forward ports to vservers\"" +RULE="Dnat service http from world.inet to www.vservers.internal options in_int=\"inet-nic\",comment=\"http to www\"" +RULE="Accept service http from world.inet to firewall options in_int=\"vserver-www-nic\"" +RULE="Dnat service https from world.inet to www.vservers.internal options in_int=\"inet-nic\",comment=\"https to www\"" +RULE="Accept service https from world.inet to firewall options in_int=\"vserver-www-nic\"" +RULE="Dnat service smtp from world.inet to mail.vservers.internal options comment=\"smtp to mail\"" +RULE="Accept service smtp from world.inet to firewall options in_int=\"vserver-mail-nic\"" +RULE="Dnat service dns from world.inet to dns.vservers.internal options in_int=\"inet-nic\",remoteport=\"54\",comment=\"dns to dns (running on port 54)\"" +RULE="Accept service dns-internal from world.inet to firewall options in_int=\"vserver-dns-nic\"" +RULE="Dnat service imaps from world.inet to mail.vservers.internal options in_int=\"inet-nic\",comment=\"imaps to mail\"" +RULE="Accept service imaps from world.inet to firewall options in_int=\"vserver-mail-nic\"" +RULE="Dnat service ssh from world.inet to login.vservers.internal options in_int=\"inet-nic\",comment=\"ssh to login\"" +RULE="Accept service ssh from world.inet to firewall options in_int=\"vserver-login-nic\"" +RULE="Dnat service locus from world.inet to login.vservers.internal options in_int=\"inet-nic\",comment=\"Locus GPS tracker to login\"" +RULE="Accept service locus from world.inet to firewall options in_int=\"vserver-login-nic\"" +RULE="Dnat service telnet from world.inet to www.vservers.internal options in_int=\"inet-nic\",remoteport=\"2323\",comment=\"Hunternet gameserver\"" +RULE="Accept service telnet-nonpriv from world.inet to firewall options in_int=\"vserver-www-nic\",comment=\"Hunternet gameserver\"" +RULE="separator options comment=\"Other rules\"" +RULE="Drop service dhcp from any to any options comment=\"Drop all DHCP without logging\"" +RULE="Accept service ping from any to any options comment=\"ping\""