# Base ferm ruleset: sets a default-deny INPUT policy for IPv4 and IPv6,
# then pulls in per-host and puppet-managed rule fragments.

# include some ferm definitions, useful for adding functions to abstract stuff
@include 'defs.conf';

# a simple default and fairly secure policy
# NOTE(review): only the INPUT chain is configured in this file; FORWARD and
# OUTPUT policies are not set here -- confirm they are handled elsewhere if
# the host routes traffic.
domain (ip ip6) {
    chain INPUT {
        # default-deny: anything not accepted by a rule is dropped
        policy DROP;

        # allow packets belonging to, or related to, connections already tracked
        # NOTE(review): `state` is the older match module; `mod conntrack ctstate`
        # is the current equivalent -- confirm which one the target hosts support.
        mod state state (ESTABLISHED RELATED) ACCEPT;

        # loopback traffic is always allowed
        interface lo ACCEPT;

        # drop TCP packets that conntrack classifies as NEW but that do not
        # have the SYN flag set (not a legitimate connection start)
        proto tcp mod state state NEW !syn DROP;

        # accept all ICMP, with no type filter or rate limit
        # NOTE(review): this block is applied to both ip and ip6, but ICMPv6 is
        # a separate protocol (ipv6-icmp), so this rule presumably does not
        # match it in the ip6 domain. With policy DROP that would block neighbor
        # discovery -- confirm an included file accepts ipv6-icmp for ip6.
        proto icmp ACCEPT;
    }
}

# per-host configuration
# (trailing slash: every file in the directory is included; their rules are
# added after the base rules above)
@include 'conf.d/';

# managed via puppet
# NOTE(review): everything in conf.d/ and dsa.d/ becomes part of the firewall
# policy, so write access to these directories should be as restricted as
# write access to this file.
@include 'dsa.d/';