#yum -y install ferm
#chkconfig ferm on; service ferm restart
#mkdir /etc/ferm
Basic example:
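#vi /etc/ferm/ferm.conf
# Interfaces
@def $DEV_LOCAL = lo;
@def $DEV_LAN = bond1;
@def $DEV_INTERNET = bond0;

# Ports
@def $PORTS_LAN = (ssh mysql http https);
# NOTE(review): mysql is listed in the Internet-facing port set as well;
# confirm the database really needs to be reachable from $DEV_INTERNET,
# otherwise keep it in $PORTS_LAN only.
@def $PORTS_INTERNET = (ssh mysql http https);

table filter {
    chain INPUT {
        policy DROP;

        # connection tracking - for ftp related
        mod state state INVALID DROP;
        mod state state (ESTABLISHED RELATED) ACCEPT;

        # allow local connections - lo and LAN if required
        interface $DEV_LOCAL ACCEPT;
        #interface $DEV_LAN ACCEPT;

        # respond to ping - allowed?
        proto icmp icmp-type echo-request ACCEPT;

        # our services to the Internet
        proto tcp interface $DEV_INTERNET dport $PORTS_INTERNET ACCEPT;

        # our services to the LAN
        proto tcp interface $DEV_LAN dport $PORTS_LAN ACCEPT;

        # the rest is dropped by the above policy
    }

    # outgoing connections are not limited
    chain OUTPUT {
        # declared explicitly so the chain's behaviour does not depend on
        # whatever policy the kernel already had when ferm was applied
        policy ACCEPT;
        outerface lo ACCEPT;
        proto ( tcp udp ) dport 53 ACCEPT;
        mod state state (ESTABLISHED RELATED) ACCEPT;
    }

    # this is not a router
    chain FORWARD {
        policy DROP;
        mod state state (ESTABLISHED RELATED) ACCEPT;
    }
}
In production, let CFEngine or Puppet manage ferm.conf and customize local modules in ferm.rule.d.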