apparently this is a known bug only for icmp - make target match all protocols but...
[dsa-puppet.git] / modules / ferm / files / ferm.conf
index 6cd911f986aa7f9e5b1b5ef377c4a67031146d91..d25d1b4f5c2c24730fe081162b8b67dbf1867a0b 100644 (file)
@@ -1,19 +1,18 @@
-# include some ferm definitions, useful for adding function to abstract stuff
-@include 'defs.conf';
+# -*- shell-script -*-
+#
+#  Configuration file for ferm(1).
+#
+
+@include 'conf.d/';
 
-# a simple default and fairly secure policy
 domain (ip ip6) {
-       chain INPUT {
-               policy DROP;
-               mod state state (ESTABLISHED RELATED) ACCEPT;
-               interface lo ACCEPT;
-               proto tcp mod state state NEW !syn DROP;
-               proto icmp ACCEPT;
-       }
+       chain INPUT {
+               policy DROP;
+               mod state state (ESTABLISHED RELATED) ACCEPT;
+               interface lo ACCEPT;
+               proto icmp ACCEPT;
+               proto mod state state (INVALID) DROP;
+       }
 }
 
-# per-host configuration
-@include 'conf.d/';
-
-# managed via puppet
 @include 'dsa.d/';
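Review bot: The added rule `proto mod state state (INVALID) DROP;` has a bare `proto` with no protocol name after it, so ferm will most likely either take `mod` as the protocol or reject the line; since the commit subject says the rule should match all protocols, it should read `mod state state INVALID DROP;`. The rule also sits after `proto icmp ACCEPT`, so ICMP that conntrack marks INVALID is still accepted; if that is deliberate, a comment such as `# INVALID drop placed after icmp on purpose (known icmp conntrack issue)` would record why. The removed `proto tcp mod state state NEW !syn DROP;` is not fully replaced by the INVALID match, because with `nf_conntrack_tcp_loose` enabled a mid-stream non-SYN segment can be classified NEW rather than INVALID, so any ACCEPT rules for NEW traffic pulled in from `dsa.d/` may see such packets again. Keeping the `!syn` rule next to the INVALID drop would preserve the old behaviour.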