Differences between revisions 1 and 2
Revision 1 as of 2011-07-13 19:04:24
Size: 2364
Editor: ?green
Comment: Initial commit
Revision 2 as of 2011-07-13 21:00:29
Size: 2369
Editor: ?green
Comment: fix firewall script mistake, add limit-burst
Line 54: Line 54:
domain (ip ip6) table filter chain INPUT @subchain {
 mod limit limit 3/min LOG log-prefix "INPUT-rejected: " log-level debug;
domain (ip ip6) table filter chain INPUT {
 mod limit limit 3/min limit-burst 10 LOG log-prefix "INPUT-rejected: " log-level debug;
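Review bot: the revision comment says "fix firewall script mistake" but the hunk does not say what was wrong with the removed `@subchain {` header; a short note in the comment (why the LOG/REJECT pair should sit directly in INPUT rather than in an anonymous subchain) would keep a later editor from reintroducing it. The added `limit-burst 10` is worth keeping as is: the first 10 unmatched packets are logged immediately and logging then settles to the 3/min rate, while the REJECT that follows the LOG line stays unconditional because the limit match is on the LOG rule only.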

Translation(s): none


ferm is a frontend for iptables, providing a way to write manageable rulesets without sacrificing flexibility. ferm does not hide iptables from you: to use it, you need to know how to write iptables rules.

About

Most iptables scripts run the iptables command once per rule to insert them one by one. ferm lets you describe the whole firewall in a single configuration file and apply it at once.

Advantages:

  • Much faster: see the relevant section of the iptables-tutorial and the "--fast" option in the ferm(1) man page.
  • Rule configuration is smaller, more manageable, and more readable: nesting can be used to accomplish many rules in a single config line, and IPv4 and IPv6 rules can coexist in the same config file.
  • Includes an "--interactive" option, in case you lock yourself out when administering a host remotely: ferm applies the new rules and restores the previous ruleset unless you confirm within the timeout.

Example

Here is an example script to get you started. As written it accepts only loopback, ICMP, 6in4 tunnel and established/related traffic on INPUT; rules for the services you actually run belong in the same file before the final "log all other INPUT" block, because ferm appends rules in the order they appear.

# ferm firewall rules
# http://ferm.foo-projects.org

# Chain policies
domain (ip ip6) {
 table filter {
  chain (INPUT FORWARD) policy DROP;
  chain OUTPUT policy ACCEPT;
 }
}

# loopback
domain (ip ip6) table filter {
 chain INPUT interface lo ACCEPT;
 chain OUTPUT outerface lo ACCEPT;
}

# 6in4 tunnel traffic: IPv4 protocol "ipv6" is protocol 41 (IPv6 encapsulated in IPv4).
# Only needed on a host that terminates such a tunnel; restrict it to the tunnel
# endpoint with "saddr <endpoint>" or remove the rule if you have no tunnel.
domain ip table filter chain (INPUT OUTPUT) protocol ipv6 ACCEPT;

# icmp: accept all types. The kernel rate-limits only the ICMP errors it sends
# (net.ipv4.icmp_ratelimit / icmp_ratemask), not incoming echo requests; add a
# "mod limit" match here if you want to throttle pings. For the ip6 domain the
# generated rule must match icmpv6; verify with "ferm --noexec --lines".
domain (ip ip6) table filter chain (INPUT OUTPUT) protocol icmp ACCEPT;

# invalid
domain (ip ip6) table filter chain INPUT mod state state INVALID DROP;

# established/related connections
domain (ip ip6) table filter chain (INPUT OUTPUT) mod state state (ESTABLISHED RELATED) ACCEPT;

# FORWARD chain REJECT
domain (ip ip6) table filter chain FORWARD REJECT;

# log all other INPUT, then reject it. The limit applies to the LOG rule only:
# at most 3 log lines per minute after an initial burst of 10, while the
# REJECT that follows is unconditional.
domain (ip ip6) table filter chain INPUT {
 mod limit limit 3/min limit-burst 10 LOG log-prefix "INPUT-rejected: " log-level debug;
 REJECT;
}
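The script above opens no services. The following is an added example, not part of the original page or of ferm itself, showing how variables and nesting extend it with SSH and web rules; the networks, host and ports are hypothetical placeholders. These lines go in the same file before the final "log all other INPUT" block, since ferm emits rules in file order.

```ferm
# Added example (not from the page): service rules that extend the script above.
# Place them before the "log all other INPUT" block; ferm appends in file order.
# The address lists below are hypothetical placeholders (RFC 5737/3849 ranges).

# Variables keep the address lists in one place. Addresses are per address
# family, so the SSH rules are written per domain rather than for (ip ip6).
@def $ADMIN_NETS_V4 = (192.0.2.0/24 198.51.100.7);
@def $ADMIN_NETS_V6 = (2001:db8:1::/48);
@def $WEB_PORTS     = (http https);

# SSH: new connections only from the admin networks, at most 6 new
# connections per minute (brute-force dampening). Each list element
# expands to its own iptables rule.
domain ip table filter chain INPUT proto tcp dport ssh saddr $ADMIN_NETS_V4
    mod state state NEW mod limit limit 6/min limit-burst 6 ACCEPT;
domain ip6 table filter chain INPUT proto tcp dport ssh saddr $ADMIN_NETS_V6
    mod state state NEW mod limit limit 6/min limit-burst 6 ACCEPT;

# Web: one nested block expands to four rules (two ports x two families).
domain (ip ip6) table filter chain INPUT {
    proto tcp dport $WEB_PORTS mod state state NEW ACCEPT;
}
```

Before applying, render the result without executing it: "ferm --noexec --lines /etc/ferm/ferm.conf" prints the iptables and ip6tables commands ferm would run, which is also where you confirm that the list expansion and the icmpv6 mapping came out as intended. Then apply with "ferm --interactive /etc/ferm/ferm.conf" so a mistake in the SSH rule does not lock you out.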

See also