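# Firewall configuration.
#
# Based on example by Max Kellermann
#
# ferm(1) syntax: every rule below is compiled into iptables rules for the
# `filter` table. INPUT and FORWARD default to DROP, so anything not listed
# explicitly is silently discarded.

table filter {
    chain INPUT {
        policy DROP;

        # Loopback traffic is trusted. Without this, the DROP policy also
        # discards new connections to services bound to 127.0.0.1 on ports
        # not listed below (RELATED/ESTABLISHED only covers reply packets).
        interface lo ACCEPT;

        # Replies to connections this host initiated.
        mod state state (RELATED ESTABLISHED) ACCEPT;

        proto icmp ACCEPT;

        # UDP 53 (DNS). The purpose of 60583 is not documented here
        # -- TODO confirm which service listens on it before keeping it open.
        proto udp dport (53 60583) ACCEPT;

        # NOTE(review): this accepts SSH from ANY source address. The
        # source-restricted variant below (jump hosts only) is commented out,
        # so the restriction described there is not currently in effect.
        # To enforce it, replace this line with the @subchain block, after
        # confirming that the listed jump-host addresses are still current.
        proto tcp dport (ssh) ACCEPT;
        #
        # Incoming SSH is OK from specific jump hosts only.
        #
        # proto tcp dport (ssh) @subchain {
        #     saddr 78.47.62.141 ACCEPT;
        #     saddr 78.46.87.180 ACCEPT;
        # }
    }

    # Allow all outgoing traffic.
    chain OUTPUT policy ACCEPT;

    # Allow only specific incoming connections to a guest VM.
    # NOTE(review): no `interface`/`outerface` or `daddr` match is used, so
    # these rules accept forwarded traffic on the listed ports in either
    # direction (towards the VM and from it); any other forwarded traffic,
    # including the VM's own outbound connections on other ports, is dropped.
    # Add a `daddr` or `outerface` match if only traffic to the VM is meant.
    chain FORWARD {
        policy DROP;
        mod state state (RELATED ESTABLISHED) ACCEPT;
        proto icmp ACCEPT;
        proto udp dport (53 60583) ACCEPT;
        proto tcp dport (ssh http https) ACCEPT;
    }
}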