@include 'conf.d/';
-domain ip {
+domain (ip ip6) {
table filter {
chain log_and_reject {
- ULOG ulog-prefix "REJECT: ";
+ NFLOG nflog-prefix "REJECT: ";
proto tcp REJECT reject-with tcp-reset;
REJECT;
}
chain log_or_drop {
- mod hashlimit hashlimit-name ulogreject hashlimit-mode srcip hashlimit-burst 10 hashlimit 1/second jump log_and_reject;
- mod hashlimit hashlimit-name uloglogdrop hashlimit-mode srcip hashlimit-burst 10 hashlimit 1/second ULOG ulog-prefix "DROP: ";
+ mod hashlimit hashlimit-name nflogreject hashlimit-mode srcip hashlimit-burst 10 hashlimit 1/second jump log_and_reject;
+ mod hashlimit hashlimit-name nfloglogdrop hashlimit-mode srcip hashlimit-burst 10 hashlimit 1/second NFLOG nflog-prefix "DROP: ";
DROP;
}
}
}
-domain ip6 {
- table filter {
- chain log_and_reject {
- LOG log-prefix "REJECT: ";
- proto tcp REJECT reject-with tcp-reset;
- REJECT;
- }
-
- chain log_or_drop {
- mod hashlimit hashlimit-name logreject hashlimit-mode srcip hashlimit-burst 10 hashlimit 1/second jump log_and_reject;
- mod hashlimit hashlimit-name loglogdrop hashlimit-mode srcip hashlimit-burst 10 hashlimit 1/second LOG log-prefix "DROP: ";
- DROP;
- }
- }
-}
domain (ip ip6) {
table filter {
chain INPUT {
}
}
+@hook pre "umask 0177; rm -f /var/run/iptables-ferm.checksum /var/run/ip6tables-ferm.checksum";
@hook post "umask 0177; iptables-save | sed -e 's/\[.*//' -e 's/^#.*//' | sha256sum > /var/run/iptables-ferm.checksum";
@hook post "umask 0177; ip6tables-save | sed -e 's/\[.*//' -e 's/^#.*//' | sha256sum > /var/run/ip6tables-ferm.checksum";
# vim:set et: