185:8a11bbe68b67
Anton Shestakov <av6@dwimlabs.net>, Sat, 27 Jul 2019 23:39:54 +0800
fj: use more seccomp system call groups by default
previous change 184:5e3ee9d17ca9

fj/template.net

Permissions: -rw-r--r--

File Latest Revisions Annotate Diff Comparison
Other formats:
JSON Raw
Feeds:
Atom RSS 
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
#allow all loopback traffic
-A INPUT -i lo -j ACCEPT
# no incoming connections
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
# allow ping etc.
-A INPUT -p icmp --icmp-type destination-unreachable -j ACCEPT
-A INPUT -p icmp --icmp-type time-exceeded -j ACCEPT
-A INPUT -p icmp --icmp-type echo-request -j ACCEPT
# allow incoming ping
-A INPUT -p icmp --icmp-type echo-request -j ACCEPT
-A OUTPUT -p icmp --icmp-type echo-reply -j ACCEPT
# allow outgoing DNS
-A OUTPUT -p udp --dport 53 -j ACCEPT
-A INPUT -p udp --sport 53 -j ACCEPT
COMMIT