Merge pull request #2 from jnorell/master

Merged lots of features: config & command line options, discarded packets logging, ICMP support, ...
commit 6c804e07b85271148b2f4dbd45be975cd8058ebf 2 parents 77e5a7f + efc44ae
@DmitryKoterov authored
Showing with 553 additions and 33 deletions.
  1. +3 −2 README.txt
  2. +525 −31 vzfirewall
  3. +25 −0 vzfirewall.conf
5 README.txt
@@ -62,5 +62,6 @@ SYNOPSIS
characters again.
2. Run:
- # vzfirewall -a - to apply rules
- # vafirewall -t - to test rules with no application
+ # vzfirewall -a - to apply rules
+ # vzfirewall -t - to test rules with no application
+ # vzfirewall -h -v - vzfirewall documentation
556 vzfirewall
@@ -1,31 +1,144 @@
#!/usr/bin/perl -w
+#
+# vzfirewall: A simple firewall for OpenVZ
+#
+# See 'vzfirewall -h' for documentaion.
+#
+# Check https://github.com/DmitryKoterov/vzfirewall
+# for latest version and development info.
+
use strict;
+use Pod::Usage;
use File::Basename;
use POSIX 'strftime';
+use Getopt::Long 2.25 qw(:config posix_default no_ignore_case);
+use Switch;
+
+my $VERSION = "1.14, 2014-01-27";
+
+my %conf = (); # running configuration (defaults + config file + cli opts)
+my %opt = (); # command line options
+
+my @ICMP_TYPES;
+my @FAILSAFE_ADDRS;
+GetOptions(\%opt, 'help|h', 'version|V', 'apply|a', 'test|t',
+ 'vzfw-conf|conf|c=s', 'force|f', 'verbose|v',
+ 'iptables-rules|rules=s', 'openvz-conf-dir|dir|d=s',
+ 'icmp-types=s{1,}' => \@ICMP_TYPES,
+ 'failsafe-addrs=s{1,}' => \@FAILSAFE_ADDRS,
+ 'enable-logging|l',
+) or exit(1);
+
+if ($opt{'vzfw-conf'}) {
+ $conf{'vzfw-conf'} = $opt{'vzfw-conf'};
+ read_vzfirewall_conf( $conf{'vzfw-conf'}, \%conf, \%opt );
+}
+
+if ($opt{'openvz-conf-dir'}) {
+ $conf{'openvz-conf-dir'} = $opt{'openvz-conf-dir'};
+} elsif (! $conf{'openvz-conf-dir'}) {
+ ($conf{'openvz-conf-dir'}) = grep { -d $_ } ("/etc/sysconfig/vz-scripts", "/etc/vz/conf");
+}
+
+unless ($conf{'openvz-conf-dir'} && -d $conf{'openvz-conf-dir'}) {
+ print STDERR qq(
+ERROR: vzfirewall could not find openvz container conf files.
+(Is openvz installed?)
+
+Use -d to specify their location.
+
+);
+
+ pod2usage( -verbose => 1 );
+}
+
+unless ($conf{'vzfw-conf'}) {
+ ($conf{'vzfw-conf'}) = dirname($conf{'openvz-conf-dir'}) . "/vzfirewall.conf";
+ if ( -f $conf{'vzfw-conf'} ) {
+ read_vzfirewall_conf( $conf{'vzfw-conf'}, \%conf, \%opt );
+ }
+}
+
+unless ($conf{'openvz-conf-dir'} && -d $conf{'openvz-conf-dir'}) {
+ die "ERROR: invalid openvz container conf directory.\n"
+ . "Fix OPENVZ_CONF_DIR in $conf{'vzfw-conf'}.\n";
+}
+
+my ($RULES_FALLBACK) = dirname($conf{'openvz-conf-dir'}) . "/vzfirewall.rules";
+my $RULES_FALLBACK_USED = 0;
+
+my $IPTABLES;
+if ($opt{'iptables-rules'}) {
+ $IPTABLES = $opt{'iptables-rules'};
+} elsif ($conf{'iptables-rules'}) {
+ $IPTABLES = $conf{'iptables-rules'};
+} else {
+ ($IPTABLES) = grep { -f $_ } (
+ "/etc/sysconfig/iptables", # RHEL systems
+ "/etc/iptables/rules.v4", # iptables-persist
+ $RULES_FALLBACK # vzfirewall fallback
+ );
+ unless ($IPTABLES) {
+ $IPTABLES = $RULES_FALLBACK;
+ $RULES_FALLBACK_USED = 1;
+ }
+}
+
+if ($opt{'enable-logging'}) {
+ $conf{'enable-logging'} = $opt{'enable-logging'};
+}
+
+if ($opt{help}) {
+ pod2usage( -verbose => $opt{verbose} ? 2 : 1 );
+}
+if ($opt{version}) {
+ print "vzfirewall $VERSION\n"; exit(0)
+}
+
+@ICMP_TYPES = split(" ", join(' ', @ICMP_TYPES)); # set via Getoptions
+if ($ICMP_TYPES[0]) {
+ $conf{'icmp-types'} = \@ICMP_TYPES;
+} elsif (! $conf{'icmp-types'}) {
+ @ICMP_TYPES = (3, 4, 11, 12, 8,);
+ $conf{'icmp-types'} = \@ICMP_TYPES;
+}
+
+@FAILSAFE_ADDRS = split(" ", join(' ', @FAILSAFE_ADDRS)); # set via Getoptions
+if ($FAILSAFE_ADDRS[0]) {
+ $conf{'failsafe-addrs'} = \@FAILSAFE_ADDRS;
+} elsif (! $conf{'failsafe-addrs'}) {
+ @FAILSAFE_ADDRS = ("any",);
+ $conf{'failsafe-addrs'} = \@FAILSAFE_ADDRS;
+}
+
+if ($RULES_FALLBACK_USED && $opt{verbose}) {
+ print STDERR qq(
+NOTICE: vzfirewall did not find any persistent iptables rules locations.
+vzfirewall will write iptables rules to: $RULES_FALLBACK
+
+You will need to arrange for those rules to be loaded at system boot time,
+eg. by adding this command to system startup scripts:
+
+ iptables-restore < $RULES_FALLBACK
-my $VERSION = "1.06, 2013-12-18";
-my $IPTABLES = "/etc/sysconfig/iptables";
-my ($DIR) = grep { -d $_ } ("/etc/sysconfig/vz-scripts", "/etc/vz/conf");
+Or you may find a package such as iptables-persistent for your OS to handle
+this for you.
-if (@ARGV && $ARGV[0] eq "-a") {
- do_apply(0, $ARGV[1] && $ARGV[1] eq "-f");
-} elsif (@ARGV && $ARGV[0] eq "-t") {
- do_apply(1);
+);
+}
+
+if ($opt{test}) {
+ do_apply(1);
+} elsif ($opt{apply}) {
+ do_apply(0, defined $opt{force});
} else {
- die
- "dkLab vzfirewall: simple rules for openvz firewall.\n" .
- "Version: $VERSION\n" .
- "Homepage: http://en.dklab.ru/lib/dklab_vzfirewall\n" .
- "Usage:\n" .
- " - Apply rules in $DIR/*.conf (FIREWALL directives):\n" .
- " $0 -a [-f]\n" .
- " - Preview rules in $DIR/*.conf without activation:\n" .
- " $0 -t\n";
+ pod2usage( -verbose => 1 );
}
sub do_apply {
my ($test_mode, $force) = @_;
-
+ my ($deny_chain) = ($conf{'enable-logging'} ? 'vzfw-log-deny' : 'vzfw-deny');
+
my @cmds = ();
push @cmds, "##\n## PLEASE DO NOT EDIT THIS FILE MANUALLY!!!\n##\n";
push @cmds, "## It is generated by " . basename($0) . "\n";
@@ -35,27 +148,69 @@ sub do_apply {
push @cmds, ":FORWARD ACCEPT [0:0]\n";
push @cmds, ":OUTPUT ACCEPT [0:0]\n";
push @cmds, "\n\n";
- push @cmds, "##\n## Default opened channels.\n##\n";
+ push @cmds, "##\n## Basic logging and policy action rules\n##\n";
+ push @cmds, ":vzfw-log-allow - [0:0]\n";
+ push @cmds, ":vzfw-log-deny - [0:0]\n";
+ push @cmds, ":vzfw-deny - [0:0]\n";
+ push @cmds, "# logging with RETURN policy\n";
+ push @cmds, "-A vzfw-log-allow -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix \"[VZFW ALLOW] \"\n";
+ push @cmds, "# logging with DENY policy\n";
+ push @cmds, "-A vzfw-log-deny -m state --state INVALID -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix \"[VZFW BLOCK] \"\n";
+ push @cmds, "-A vzfw-log-deny -m state --state INVALID -j DROP\n";
+ push @cmds, "-A vzfw-log-deny -m addrtype --dst-type MULTICAST -j DROP\n";
+ push @cmds, "-A vzfw-log-deny -m addrtype --dst-type BROADCAST -j DROP\n";
+ push @cmds, "-A vzfw-log-deny -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix \"[VZFW BLOCK] \"\n";
+ push @cmds, "-A vzfw-log-deny -j REJECT --reject-with icmp-admin-prohibited\n";
+ push @cmds, "# DENY policy\n";
+ push @cmds, "-A vzfw-deny -m state --state INVALID -j DROP\n";
+ push @cmds, "-A vzfw-deny -m addrtype --dst-type MULTICAST -j DROP\n";
+ push @cmds, "-A vzfw-deny -m addrtype --dst-type BROADCAST -j DROP\n";
+ push @cmds, "-A vzfw-deny -j REJECT --reject-with icmp-admin-prohibited\n";
+ push @cmds, "\n\n";
+ push @cmds, "##\n## Default opened on loopback interface.\n##\n";
push @cmds, "-A INPUT -i lo -j ACCEPT\n";
push @cmds, "-A OUTPUT -o lo -j ACCEPT\n";
push @cmds, "-A FORWARD -i lo -j ACCEPT\n";
- for ("INPUT", "OUTPUT", "FORWARD") {
- push @cmds, "-A $_ -p icmp -j ACCEPT\n";
- push @cmds, "-A $_ -m state --state ESTABLISHED,RELATED -j ACCEPT\n";
+ push @cmds, "\n##\n## Stop spoofing of our addresses.\n##\n";
+ push @cmds, "-A INPUT -m addrtype --src-type LOCAL -j $deny_chain\n";
+ for my $chain ("INPUT", "OUTPUT", "FORWARD") {
+ push @cmds, "\n##\n## Firewall states ($chain).\n##\n";
+ push @cmds, "-A $chain -m state --state INVALID -j $deny_chain\n";
+ push @cmds, "-A $chain -m state --state ESTABLISHED,RELATED -j ACCEPT\n";
+
+ push @cmds, "# Allowed icmp types\n";
+ for my $type ( @{$conf{'icmp-types'}} ) {
+ push @cmds, "-A $chain -p icmp --icmp-type $type -j ACCEPT\n";
+ }
+ }
+ if ( grep { /any/i } @{$conf{'failsafe-addrs'}} ) {
+ push @cmds, "\n# Failsafe SSH access open to hardware node.\n";
+ if ($conf{'enable-logging'}) {
+ push @cmds, "-A INPUT -p tcp --dport 22 -j vzfw-log-allow\n";
+ }
+ push @cmds, "-A INPUT -p tcp --dport 22 -j ACCEPT\n";
+ } elsif ( grep { /none/i } @{$conf{'failsafe-addrs'}} ) {
+ push @cmds, "\n# Failsafe SSH access to hardware node is disabled.\n";
+ } else {
+ push @cmds, "\n# Failsafe SSH access to hardware node.\n";
+ for my $addr ( @{$conf{'failsafe-addrs'}} ) {
+ if ($conf{'enable-logging'}) {
+ push @cmds, "-A INPUT -p tcp -s $addr --dport 22 -j vzfw-log-allow\n";
+ }
+ push @cmds, "-A INPUT -p tcp -s $addr --dport 22 -j ACCEPT\n";
+ }
}
- push @cmds, "# Open SSH port on hardware node - for safety.\n";
- push @cmds, "-A INPUT -p tcp --dport 22 -j ACCEPT\n";
push @cmds, "\n\n";
# Collect all data.
my @parsed = ();
- foreach my $conf (glob($DIR . "/*.conf")) {
- my $basename = basename($conf);
- my $opts = read_conf($conf);
+ foreach my $ct_conf (glob($conf{'openvz-conf-dir'} . "/*.conf")) {
+ my $basename = basename($ct_conf);
+ my $opts = read_openvz_conf($ct_conf);
my ($rules, $custom) = read_rules($opts->{FIREWALL});
my @dst_ips;
if ($basename ne "0.conf") {
- my $ips = $opts->{IP_ADDRESS} or die "Cannot find IP_ADDRESS in $conf\n";
+ my $ips = $opts->{IP_ADDRESS} or die "Cannot find IP_ADDRESS in $ct_conf\n";
$ips =~ s/^\s+|\s+$//sg;
@dst_ips = split /\s+/, $ips;
} else {
@@ -119,8 +274,8 @@ sub do_apply {
}
push @cmds, "\n\n##\n## Default action for incoming packets - reject.\n##\n";
- push @cmds, "-A INPUT -j DROP\n";
- push @cmds, "-A FORWARD -j DROP\n";
+ push @cmds, "-A INPUT -j $deny_chain\n";
+ push @cmds, "-A FORWARD -j $deny_chain\n";
push @cmds, "COMMIT\n";
my $cmds = join "", @cmds;
@@ -211,7 +366,8 @@ sub generate_open_rule {
sub generate_close_rule {
my ($dst_ip) = @_;
- return ($dst_ip && $dst_ip ne "*"? "-A FORWARD -d $dst_ip" : "-A INPUT") . " -j DROP\n";
+ my ($deny_chain) = ($conf{'enable-logging'} ? 'vzfw-log-deny' : 'vzfw-deny');
+ return ($dst_ip && $dst_ip ne "*"? "-A FORWARD -d $dst_ip" : "-A INPUT") . " -j $deny_chain\n";
}
sub generate_outgoing_rule {
@@ -219,7 +375,7 @@ sub generate_outgoing_rule {
return ($src_ip && $src_ip ne "*"? "-A FORWARD -s $src_ip" : "-A OUTPUT") . " -j ACCEPT\n";
}
-sub read_conf {
+sub read_openvz_conf {
my ($conf) = @_;
open(local *F, $conf) or die "Cannot open $conf: $!\n";
local $/;
@@ -230,11 +386,73 @@ sub read_conf {
for (my $i = 0; $i < @matches; $i += 3) {
my $data = $matches[$i + 2];
$data =~ s/^#//mg if $matches[$i];
+ $data =~ s/'/"/sg;
$opts{$matches[$i + 1]} = $data;
}
return \%opts;
}
+sub read_vzfirewall_conf {
+ my ($conf, $cfg, $cli) = @_;
+ my ($l, $n, $v);
+ my %filecfg = ();
+
+ open(local *F, $conf) or die "Cannot open $conf: $!\n";
+ while (<F>) {
+ chop ($l = $_);
+
+ $l =~ s/#.*$//; # comments
+ $l =~ s/^\s*//; # leading spaces
+ $l =~ s/\s*$//; # trailing spaces
+
+ if ($l ne "") {
+ ($n, $v) = split (/\w*=\w*/, $l);
+
+ $n = join(" ", split(" ", $n) );
+ $n =~ s/^\s*//;
+ $n =~ s/\s*$//;
+
+ $v = join(" ", split(" ", $v) );
+ $v =~ s/^\s*//;
+ $v =~ s/\s*$//;
+
+ switch ($n) {
+ case "OPENVZ_CONF_DIR" {
+ unless ($$cli{'openvz-conf-dir'}) {
+ $$cfg{'openvz-conf-dir'} = $v;
+ }
+ }
+ case "IPTABLES_RULES" {
+ unless ($$cli{'iptables-rules'}) {
+ $$cfg{'iptables-rules'} = $v;
+ }
+ }
+ case "ICMP_TYPES" {
+ unless ($$cli{'icmp-types'}) {
+ my (@v) = split(" ", $v);
+ $$cfg{'icmp-types'} = \@v;
+ }
+ }
+ case "FAILSAFE_ADDRS" {
+ unless ($$cli{'failsafe-addrs'}) {
+ my (@v) = split(" ", $v);
+ $$cfg{'failsafe-addrs'} = \@v;
+ }
+ }
+ case "ENABLE_LOGGING" {
+ unless ($$cli{'enable-logging'}) {
+ if ($v !~ /^(false|no|off|0)$/i) {
+ $$cfg{'enable-logging'} = $v;
+ }
+ }
+ }
+ }
+ }
+ }
+ close(F);
+ return;
+}
+
my %resolved = ();
sub resolve {
my ($host) = @_;
@@ -246,3 +464,279 @@ sub resolve {
}
return $resolved{$host} = \@ips;
}
+
+
+__END__
+
+=head1 NAME
+
+vzfirewall - A simple firewall for OpenVZ
+
+
+=head1 SYNOPSIS
+
+B<vzfirewall> (B<-h>|B<-V>|B<-a>|B<-t>) [B<option> ...]
+
+You B<must> specify an action with one of the following:
+
+=over 20
+
+=item B<-h>, B<--help>
+
+Display this help and exit.
+
+=item B<-V>, B<--version>
+
+Output vzfirewall version and exit.
+
+=item B<-a>, B<--apply>
+
+Apply iptables rules in openvz container *.conf files (FIREWALL directives).
+
+=item B<-t>, B<--test>
+
+Preview iptables rules in openvz container *.conf files without activation.
+
+=back
+
+You B<may> specify any of the options:
+
+=over 20
+
+=item B<-c>, B<--conf>, B<vzfw-conf>=I<PATH>
+
+Location of vzfirewall configuration file.
+
+=item B<-f>, B<--force>
+
+Force rewrite of iptables rules even if rules are unchanged.
+
+=item B<-d>, B<--dir>, B<--openvz-conf-dir>=I<PATH>
+
+Specify directory containing per-container .conf files.
+
+=item B<--rules>, B<--iptables-rules>=I<PATH>
+
+Store iptables rules in this file.
+
+=item B<-v>, B<--verbose>
+
+Be more verbose.
+
+=back
+
+You can change the default firewall behavior with the following options:
+
+=over 20
+
+=item B<--icmp-types>=I<types>
+
+Specify allowed icmp types.
+
+Default: 3 4 11 12 8 (destination-unreachable source-quench time-exceeded parameter-problem echo-request)
+
+=item B<--failsafe-addrs>=I<addr>
+
+Specify hosts allowed administrative (ssh) access to the openvz hardware node.
+I<addr> can be a single host, subnet, C<any> or C<none>.
+
+Default: any
+
+=item B<-l>, B<--enable-logging>
+
+Enable logging of denied traffic.
+
+=back
+
+
+=head1 DESCRIPTION
+
+vzfirewall is a simple firewall for an openvz host
+which protects both the openvz host and its containers.
+
+vzfirewall uses openvz .conf files for configuration of
+individual containers, just add a C<FIREWALL> directive
+to specify the container's firewall rules.
+
+vzfirewall can use an optional config file for system settings,
+but does try to figure out it's environment and use sane defaults
+so the config file often isn't needed. Command line options
+override the corresponding config file settings.
+
+
+=head1 CONFIGURATION FILE
+
+The C<vzfirewall.conf> file uses a basic B<name = value> syntax;
+comments begin with #.
+
+The following settings are supported:
+
+=over 20
+
+=item C<OPENVZ_CONF_DIR>
+
+The location of openvz container configuration files.
+
+Corresponds to --openvz-conf-dir command-line option.
+
+=item C<IPTABLES_RULES>
+
+File that iptables rules will be written to. This file needs to be
+loaded using iptables-restore on system startup.
+
+Corresponds to --iptables-rules command-line option.
+
+=item C<ICMP_TYPES>
+
+Allowed icmp types.
+
+Corresponds to --icmp-types command-line option.
+
+=item C<FAILSAFE_ADDRS>
+
+Specify hosts allowed administrative (ssh) access to the openvz hardware node.
+
+Corresponds to --failsafe-addrs command-line option.
+
+=item C<ENABLE_LOGGING>
+
+Enable logging of denied traffic.
+
+Corresponds to the --enable-logging command-line option.
+
+=back
+
+
+=head1 EXAMPLES
+
+
+=head2 C<vzfirewall.conf>
+
+The following C<vzfirewall.conf> is equivalent to the default settings
+on a C<debian> system using C<iptables-persistent> to load iptables rules:
+
+ OPENVZ_CONF_DIR = /etc/vz/conf
+ IPTABLES_RULES = /etc/iptables/rules.v4
+ ICMP_TYPES = 3 4 11 12 8
+ FAILSAFE_ADDRS = any
+ ENABLE_LOGGING = false
+
+
+=head2 Firewall the OpenVZ host
+
+A C<FIREWALL> directive in I<0.conf> specifies firewall rules
+for the openvz host. Add something like this to I</etc/vz/conf/0.conf>:
+
+ #FIREWALL="
+ # # allow all access from the administrator's workstation
+ # admin.domain.com
+ #
+ # # allow our OpenVZ Web Panel to talk to the owp hardware daemon
+ # [7767]
+ # owp.domain.com
+ #
+ # # we run an ntp server on the openvz host
+ # [udp:123]
+ # *
+ #"
+
+Run C<vzfirewall -t> to test the configuration.
+When it looks good, apply the new rules: C<vzfirewall -a>.
+
+Note the C<#> prefix character for the entire C<FIREWALL> directive
+is intentional, other OpenVZ utilities issue warnings if left out.
+
+
+=head2 Firewall a container
+
+Say you have a container with C<CTID> I<123> running a web server.
+(Use C<vzlist> to determine the container id.) Add the following to
+I</etc/vz/conf/123.conf>:
+
+ #FIREWALL="
+ # [80,443]
+ # *
+ #"
+
+Run C<vzfirewall -a> to apply the new rules.
+
+
+=head1 FILES
+
+=over
+
+=item C</etc/vz/vzfirewall.conf>, C</etc/sysconfig/vzfirewall.conf>
+
+Default vzfirewall configuration file locations.
+
+=item C</etc/vz/conf/*.conf>, C</etc/sysconfig/vz-scripts/*.conf>
+
+Default location of OpenVZ container .conf scripts.
+
+=item C</etc/sysconfig/iptables>, C</etc/iptables/rules.v4>, C</etc/vz/vzfirewall.rules>
+
+Default locations searched for stored iptables rules file.
+
+=back
+
+
+=head1 SEE ALSO
+
+=over
+
+=item L<iptables(8)>
+
+administration tool for IPv4 packet filtering and NAT
+
+=item L<ctid.conf(5)>
+
+configuration file for an OpenVZ container
+
+=item L<http://en.dklab.ru/lib/dklab_vzfirewall>
+
+vzfirewall homepage
+
+=item L<https://github.com/DmitryKoterov/vzfirewall>
+
+Development and Latest Version
+
+=back
+
+
+=head1 LICENSE
+
+This program is free software; you can redistribute it and/or modify
+it under the terms of the GNU Lesser General Public License as published
+by the Free Software Foundation; either version 2.1 of the License,
+or (at your option) any later version.
+
+This program is distributed in the hope that it will be useful,
+but WITHOUT ANY WARRANTY; without even the implied warranty of
+MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+GNU Lesser General Public License for more details.
+
+You should have received a copy of the GNU Lesser General Public License
+along with this program; if not, write to:
+
+=over 4
+
+ The Free Software Foundation, Inc.
+ 51 Franklin Street
+ Fifth Floor
+ Boston, MA 02110-1301 USA
+
+=back
+
+
+=head1 AUTHORS
+
+=over
+
+=item Dmitry Koterov <dmitry.koterov@gmail.com>
+
+=item Jesse Norell <jesse@kci.net>
+
+=back
+
+=cut
+
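Review bot: The failsafe-address checks `grep { /any/i }` and `grep { /none/i }` in do_apply are unanchored substring matches, so a host such as `company.example` listed in FAILSAFE_ADDRS takes the `any` branch and opens port 22 to every source instead of to that host; compare whole tokens instead, e.g. `grep { lc($_) eq 'any' }` and `grep { lc($_) eq 'none' }`. The body of do_apply begins and ends outside that hunk. Separately, in read_vzfirewall_conf the line `($n, $v) = split (/\w*=\w*/, $l);` uses `\w*` where `\s*` was evidently intended: for an entry written without spaces, such as `ICMP_TYPES=3 4`, the greedy `\w*` consumes the name and the first value token and leaves an empty name, whereas `($n, $v) = split(/\s*=\s*/, $l, 2);` parses both spellings and keeps a value that itself contains `=` intact. That function also reads the path given with `-c` through two-argument `open(local *F, $conf)`; the three-argument form `open(my $fh, '<', $conf)` stops the filename from being interpreted as a mode.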
25 vzfirewall.conf
@@ -0,0 +1,25 @@
+#
+# vzfirewall.conf: vzfirewall system configuration
+#
+# vzfirewall will look in /etc/vz/conf and /etc/sysconfig/ for this file,
+# or you can specify the location with: vzfirewall -c /path/to/your/vzfirewall.conf
+#
+# See "vzfirewall -h -v" for more info.
+#
+
+# Directory containing openvz container .conf files
+#OPENVZ_CONF_DIR = /etc/vz/conf
+
+# The file where vzfirewall will store iptables rules.
+# iptables-restore should read this file at system boot.
+#IPTABLES_RULES = /etc/iptables/rules.v4
+
+# Allowed ICMP types
+#ICMP_TYPES = 3 4 11 12 8
+
+# Hosts/subnets allowed admin (ssh) access to the hardware node.
+# Use "none" to disable
+#FAILSAFE_ADDRS = any
+
+# Enable logging of denied traffic
+ENABLE_LOGGING = true
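Review bot: The header comment `# vzfirewall will look in /etc/vz/conf and /etc/sysconfig/ for this file,` does not match the lookup the script performs, which builds the default path as dirname(openvz-conf-dir)/vzfirewall.conf, i.e. /etc/vz/vzfirewall.conf or /etc/sysconfig/vzfirewall.conf, as the POD FILES section also states; change it to `# vzfirewall will look in /etc/vz/ and /etc/sysconfig/ for this file,`. The shipped file also leaves `ENABLE_LOGGING = true` active while every other setting is commented out and the POD example gives false as the default, so installing it unchanged turns on logging of denied traffic; if that is intended, a one-line comment above the setting saying so would make it explicit.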