
A firewall rule accepts the following options:

proto: IP protocol. You can use protocol names (tcp/udp) or simple numbers, as defined in /etc/protocols.

iface: Network interface name. You have to use network configuration key names for VMs and containers (net\d+). Host related rules can use arbitrary strings.

dport, sport: TCP/UDP destination or source port. You can use service names or simple numbers (0-65535), as defined in /etc/services. Port ranges can be specified with \d+:\d+, for example 80:85, and you can use a comma separated list to match several ports or ranges.

dest, source: Packet destination or source address. This can refer to a single IP address, an IP set (+ipsetname) or an IP alias definition. You can also specify an address range like 20.34.101.207-201.3.9.99, or a list of IP addresses and networks (entries are separated by comma). Please do not mix IPv4 and IPv6 addresses inside such lists.

[RULES]: In the host configuration this section contains host specific firewall rules; in a VM/Container configuration it contains VM/Container firewall rules.

[OPTIONS] in a VM/Container configuration: This is used to set VM/Container related firewall options.

ipfilter: Enable default IP filters. This is equivalent to adding an empty ipfilter-net<id> ipset for every interface. Such ipsets implicitly contain sane default restrictions such as restricting IPv6 link local addresses to the one derived from the interface's MAC address. For containers the configured IP addresses will be implicitly added.

[OPTIONS] in the host configuration: This is used to set host related firewall options.

ndp: Enable NDP (Neighbor Discovery Protocol).

nf_conntrack_allow_invalid: (default = 0) Allow invalid packets on connection tracking.

nf_conntrack_helpers: Enable conntrack helpers for specific protocols. Supported protocols: amanda, ftp, irc, netbios-ns, pptp, sane, sip, snmp, tftp.

nf_conntrack_tcp_timeout_established: (7875 - N) (default = 432000) Timeout, in seconds, for established TCP connections in the connection tracking table.

nf_conntrack_tcp_timeout_syn_recv: (30 - 60) (default = 60) Timeout, in seconds, for TCP connections in the SYN_RECV state.

protection_synflood_burst: (default = 1000) Synflood protection rate burst by ip src.

protection_synflood_rate: (default = 200) Synflood protection rate syn/sec by ip src.

tcpflags: Filter illegal combinations of TCP flags.
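The rule syntax above (protocol names or numbers, net\d+ interface keys for VMs and containers, \d+:\d+ port ranges and comma lists, +ipset and alias references, and the rule that one list must not mix IPv4 and IPv6) is easy to get subtly wrong by hand. The following validator is an added example written for this page; it is not pve-firewall's own parser. It assumes a small constructed sample file, fixed name sets standing in for /etc/services and /etc/protocols, and the -i/-p/-dport/-sport/-source/-dest flag spellings used on rule lines of the Proxmox VE firewall configuration files; the error strings are this example's own.

```python
"""Validate the rule fields of a Proxmox VE style firewall file.  Added example, not
pve-firewall's own parser: the sample file, the fixed name sets standing in for
/etc/services and /etc/protocols, and the error strings are all constructed here."""
import ipaddress
import re

# Constructed sample in the VM/Container firewall file format (not a real deployment).
SAMPLE_FW = """\
[ALIASES]
gateway 10.0.0.1
[IPSET management]
10.0.0.0/24
192.168.1.10
[RULES]
IN ACCEPT -i net0 -p tcp -dport 22,80:85 -source +management
IN ACCEPT -p icmp
IN ACCEPT -i net0 -p udp -dport 53 -source 10.0.0.1-10.0.0.20
OUT ACCEPT -p udp -dport domain -dest gateway
IN DROP -p tcp -dport 443 -source 10.0.0.0/24,2001:db8::/32
IN ACCEPT -i eth0 -p tcp -dport 8006
IN ACCEPT -p tcp -dport 85:80
"""
SERVICES = frozenset({"ssh", "http", "https", "domain"})  # assumed subset of /etc/services
PROTOCOLS = frozenset({"tcp", "udp", "icmp", "icmpv6"})  # assumed subset of /etc/protocols

def parse_fw(text):
    """Split a firewall file into (aliases, ipsets, rules), dropping comments and blanks."""
    section, aliases, ipsets, rules = None, {}, {}, []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].split()
            if section[0] == "IPSET":
                ipsets.setdefault(section[1], [])
        elif section == ["ALIASES"]:
            name, _, addr = line.partition(" ")
            aliases[name] = addr.strip()
        elif section and section[0] == "IPSET":
            ipsets[section[1]].append(line)
        elif section == ["RULES"]:
            rules.append(line)
    return aliases, ipsets, rules

def check_proto(proto):
    """Protocol names or plain protocol numbers (0-255)."""
    ok = proto in PROTOCOLS or (proto.isdigit() and int(proto) <= 255)
    return None if ok else f"unknown protocol: {proto}"

def check_iface(name, scope):
    """VM/CT rules must name a config key like net0; host rules may use any string."""
    if scope == "vm" and not re.fullmatch(r"net\d+", name):
        return f"VM/CT rule interface must be netN, got {name}"
    return None

def check_ports(spec):
    """dport/sport: service names or numbers 0-65535, lo:hi ranges, comma separated."""
    for item in spec.split(","):
        m = re.fullmatch(r"(\d+)(?::(\d+))?", item)
        if m:
            lo, hi = int(m.group(1)), int(m.group(2) or m.group(1))
            if not 0 <= lo <= hi <= 65535:
                return f"port out of range or inverted: {item}"
        elif item not in SERVICES:
            return f"unknown service name: {item}"
    return None

def check_addrs(spec, ipsets, aliases):
    """source/dest: addresses, networks, lo-hi ranges, +ipset or alias; one family per list."""
    families = set()
    for item in spec.split(","):
        if item.startswith("+") and item[1:] not in ipsets:
            return f"unknown ipset: {item}"
        if item.startswith("+") or item in aliases:
            continue
        try:  # a lo-hi range contributes both endpoints; IPv6 literals never contain '-'
            families |= {ipaddress.ip_network(p, strict=False).version for p in item.split("-")}
        except ValueError:
            return f"bad address: {item}"
    if len(families) > 1:
        return f"mixed IPv4 and IPv6 in one list: {spec}"
    return None

def validate_rule(rule, ipsets, aliases, scope="vm"):
    """Check one 'IN|OUT ACTION -flag value ...' line; returns the problems found."""
    tokens = rule.lstrip("|").split()  # a leading '|' marks a disabled rule
    if len(tokens) < 2 or tokens[0] not in ("IN", "OUT"):
        return [f"bad rule header: {rule}"]
    def addrs(v):
        return check_addrs(v, ipsets, aliases)
    checks = {"-p": check_proto, "-i": lambda v: check_iface(v, scope), "-dport": check_ports,
              "-sport": check_ports, "-source": addrs, "-dest": addrs}
    opts = dict(zip(tokens[2::2], tokens[3::2]))
    return [p for p in (checks[f](v) for f, v in opts.items() if f in checks) if p]

def validate_fw(text, scope="vm"):
    """Map each rule line of a file to the problems found in it ('vm' or 'host' scope)."""
    aliases, ipsets, rules = parse_fw(text)
    return {rule: validate_rule(rule, ipsets, aliases, scope) for rule in rules}
```

Running validate_fw(SAMPLE_FW) flags exactly the three bad sample rules: the mixed IPv4/IPv6 source list, the eth0 interface in a VM rule (which passes with scope="host", where arbitrary interface strings are allowed), and the inverted 85:80 port range. The same address list check is what keeps a rule from silently matching only one address family.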
