diff --git a/debian/ferm.conf b/debian/ferm.conf index 227c565..599ec3e 100644 --- a/debian/ferm.conf +++ b/debian/ferm.conf @@ -2,47 +2,5 @@ # # Configuration file for ferm(1). # -domain (ip ip6) { - table filter { - chain INPUT { - policy DROP; - - # connection tracking - mod state state INVALID DROP; - mod state state (ESTABLISHED RELATED) ACCEPT; - - # allow local packet - interface lo ACCEPT; - - # respond to ping - proto icmp ACCEPT; - - # allow IPsec - proto udp dport 500 ACCEPT; - @if @eq($DOMAIN, ip) { - proto (esp ah) ACCEPT; - } @else { - proto (esp) ACCEPT; - } - - # allow SSH connections - proto tcp dport ssh ACCEPT; - } - chain OUTPUT { - policy ACCEPT; - - # connection tracking - #mod state state INVALID DROP; - mod state state (ESTABLISHED RELATED) ACCEPT; - } - chain FORWARD { - policy DROP; - - # connection tracking - mod state state INVALID DROP; - mod state state (ESTABLISHED RELATED) ACCEPT; - } - } -} @include ferm.d/; diff --git a/debian/ferm.d/10-policy b/debian/ferm.d/10-policy new file mode 100644 index 0000000..df5b7c2 --- /dev/null +++ b/debian/ferm.d/10-policy @@ -0,0 +1,18 @@ +# -*- shell-script -*- +# +# Configuration file for ferm(1). +# +domain (ip ip6) { + table filter { + chain INPUT { + policy DROP; + } + chain OUTPUT { + policy ACCEPT; + } + chain FORWARD { + policy DROP; + } + } +} + diff --git a/debian/ferm.d/20-conntrack b/debian/ferm.d/20-conntrack new file mode 100644 index 0000000..529b675 --- /dev/null +++ b/debian/ferm.d/20-conntrack 
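Review bot: With the rule body removed, ferm.conf now depends on `@include ferm.d/;` processing the snippets in sorted filename order for the `NN-` prefixes to reproduce the old rule order, and nothing in the hunk records that assumption. The order is security-relevant: the `mod state state INVALID DROP` rule in 20-conntrack only takes effect ahead of the ACCEPT rules in 40-ping, 50-ipsec and 60-ssh if it is emitted first, otherwise an INVALID packet matching one of those rules is accepted. Suggest a comment above the include, e.g. `# Snippets are applied in lexical order; keep the NN- prefixes so the conntrack rules precede the ACCEPT rules.`, and confirming against ferm(1) that directory includes are sorted. The same ordering dependency applies to the 20-conntrack, 40-ping, 50-ipsec and 60-ssh hunks.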
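Review bot: The `policy DROP` for INPUT and FORWARD now exists only in the 10-policy snippet, so an administrator who deletes or renames that one file (presumably a conffile once ferm.install ships it under etc/ferm) leaves both chains at the netfilter default ACCEPT, and a directory include would not report the missing file. A header comment would make that consequence explicit, e.g. `# Chain default policies. Removing this file leaves INPUT/FORWARD at the kernel default (ACCEPT).`. Whether the policies are safer kept in ferm.conf itself than in a droppable snippet is a design choice the commit does not discuss.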
@@ -0,0 +1,24 @@
+# -*- shell-script -*-
+#
+# Configuration file for ferm(1).
+#
+domain (ip ip6) {
+ table filter {
+ chain INPUT {
+ # connection tracking
+ mod state state INVALID DROP;
+ mod state state (ESTABLISHED RELATED) ACCEPT;
+ }
+ chain OUTPUT {
+ # connection tracking
+ #mod state state INVALID DROP;
+ mod state state (ESTABLISHED RELATED) ACCEPT;
+ }
+ chain FORWARD {
+ # connection tracking
+ mod state state INVALID DROP;
+ mod state state (ESTABLISHED RELATED) ACCEPT;
+ }
+ }
+}
+
diff --git a/debian/ferm.d/30-local b/debian/ferm.d/30-local
new file mode 100644
index 0000000..e097c2f
--- /dev/null
+++ b/debian/ferm.d/30-local
@@ -0,0 +1,12 @@
+# -*- shell-script -*-
+#
+# Configuration file for ferm(1).
+#
+domain (ip ip6) {
+ table filter {
+ chain INPUT {
+ # allow local packet
+ interface lo ACCEPT;
+ }
+ }
+}
diff --git a/debian/ferm.d/40-ping b/debian/ferm.d/40-ping
new file mode 100644
index 0000000..bceb6ef
--- /dev/null
+++ b/debian/ferm.d/40-ping
@@ -0,0 +1,12 @@
+# -*- shell-script -*-
+#
+# Configuration file for ferm(1).
+#
+domain (ip ip6) {
+ table filter {
+ chain INPUT {
+ # respond to ping
+ proto icmp ACCEPT;
+ }
+ }
+}
diff --git a/debian/ferm.d/50-ipsec b/debian/ferm.d/50-ipsec
new file mode 100644
index 0000000..70c1281
--- /dev/null
+++ b/debian/ferm.d/50-ipsec
@@ -0,0 +1,17 @@
+# -*- shell-script -*-
+#
+# Configuration file for ferm(1).
+#
+domain (ip ip6) {
+ table filter {
+ chain INPUT {
+ # allow IPsec
+ proto udp dport 500 ACCEPT;
+ @if @eq($DOMAIN, ip) {
+ proto (esp ah) ACCEPT;
+ } @else {
+ proto (esp) ACCEPT;
+ }
+ }
+ }
+}
diff --git a/debian/ferm.d/60-ssh b/debian/ferm.d/60-ssh
new file mode 100644
index 0000000..e448608
--- /dev/null
+++ b/debian/ferm.d/60-ssh
@@ -0,0 +1,12 @@
+# -*- shell-script -*-
+#
+# Configuration file for ferm(1).
+#
+domain (ip ip6) {
+ table filter {
+ chain INPUT {
+ # allow SSH connections
+ proto tcp dport ssh ACCEPT;
+ }
+ }
+}
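Review bot: The OUTPUT chain keeps the commented-out `#mod state state INVALID DROP;` from the old ferm.conf without saying why it is disabled, so the new file carries dead configuration that a reader cannot tell apart from an oversight. Either drop the line or replace it with a why-comment such as `# INVALID is deliberately not dropped on OUTPUT: <reason>`. The `mod state state (ESTABLISHED RELATED) ACCEPT;` under OUTPUT only matters if a later snippet adds OUTPUT restrictions, which is worth one line of comment as well.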
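Review bot: `proto icmp ACCEPT;` is emitted for both domains, and for ip6 it only does what the comment says if ferm rewrites `icmp` to the ICMPv6 protocol; if the keyword is passed to ip6tables literally it matches IP protocol 1, so ICMPv6 echo and neighbour discovery would fall through to the INPUT `policy DROP` set in 10-policy. This was already the case in the old ferm.conf, but the standalone snippet is the natural place to document it, e.g. `# ferm maps 'icmp' to icmpv6 in the ip6 domain (verify); IPv6 neighbour discovery depends on this rule.`. Confirm against ferm(1) or the generated ip6tables rules.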
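Review bot: The IPsec snippet documents neither why only UDP 500 is accepted (IKE without NAT traversal on UDP 4500) nor why the ip6 branch accepts `esp` but not `ah`, and the `@if @eq($DOMAIN, ip)` split is the one non-obvious construct in the whole set of snippets. Both choices are carried over from the old ferm.conf, so a short comment such as `# IKE only, no NAT-T; AH is accepted on IPv4 only (intentional)` would stop the next maintainer from treating the asymmetry as a bug.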
diff --git a/debian/ferm.install b/debian/ferm.install
index 007c33a..7c07e1e 100644
--- a/debian/ferm.install
+++ b/debian/ferm.install
@@ -1,4 +1,5 @@
 debian/ferm.conf etc/ferm
+debian/ferm.d etc/ferm
 examples usr/share/doc/ferm
 src/ferm usr/sbin
 src/import-ferm usr/sbin