Translation(s): English - Italiano


ferm is a frontend for iptables, providing a way to write manageable rulesets without sacrificing flexibility. To use ferm, you need know how to write iptables rules.

About

Most iptables scripts run the iptables command repeatedly to insert various rules. ferm provides a way to write a single configuration file for your firewall and apply it at once.

Advantages:

Example

Here is an example script to get you started.

# ferm firewall rules
# http://ferm.foo-projects.org

# Chain policies
domain (ip ip6) {
 table filter {
  chain (INPUT FORWARD) policy DROP;
  chain OUTPUT policy ACCEPT;
 }
}

# loopback
domain (ip ip6) table filter {
 chain INPUT interface lo ACCEPT;
 chain OUTPUT outerface lo ACCEPT;
}

# ipv6
domain ip table filter chain (INPUT OUTPUT) protocol ipv6 ACCEPT;

# icmp (kernel does rate-limiting)
domain (ip ip6) table filter chain (INPUT OUTPUT) protocol icmp ACCEPT;

# invalid
domain (ip ip6) table filter chain INPUT mod state state INVALID DROP;

# established/related connections
domain (ip ip6) table filter chain (INPUT OUTPUT) mod state state (ESTABLISHED RELATED) ACCEPT;

# allow no more than 8 ssh attempts from a source ip in 5 minutes
domain (ip ip6) table filter chain INPUT {
 protocol tcp dport ssh @subchain {
  mod recent name SSH {
   set NOP;
   update seconds 300 hitcount 8 @subchain {
    LOG log-prefix "Blocked-ssh: " log-level warning;
    DROP;
   }
  }
  ACCEPT;
 }
}

# FORWARD chain REJECT
domain (ip ip6) table filter chain FORWARD REJECT;

# log all other INPUT
domain (ip ip6) table filter chain INPUT {
 mod limit limit 3/min limit-burst 10 LOG log-prefix "INPUT-rejected: " log-level debug;
 REJECT;
}

See also