dockerfiles/ferm/README.md

ferm - for Easy Rule Making
===========================

![](https://badge.imagelayers.io/vimagick/ferm:latest.svg)

[`ferm`][1] is a frontend for iptables, providing a way to write manageable
rulesets without sacrificing flexibility.

## Tutorial

```
$ alias ferm='docker run -i --rm vimagick/ferm'

$ cat > iptables.rules <<_EOF_
chain INPUT {
    policy DROP;
    mod state  state (RELATED ESTABLISHED)  ACCEPT;
    proto tcp  dport (http ftp ssh)  ACCEPT;
}
_EOF_

$ ferm -h
Usage:
    ferm *options* *inputfiles*

Options:
     -n, --noexec      Do not execute the rules, just simulate
     -F, --flush       Flush all netfilter tables managed by ferm
     -l, --lines       Show all rules that were created
     -i, --interactive Interactive mode: revert if user does not confirm
     -t, --timeout s   Define interactive mode timeout in seconds
     --remote          Remote mode; ignore host specific configuration.
                       This implies --noexec and --lines.
     -V, --version     Show current version number
     -h, --help        Look at this text
     --slow            Slow mode, do not use iptables-restore
     --shell           Generate a shell script which calls iptables-restore
     --domain {ip|ip6} Handle only the specified domain
     --def '$name=v'   Override a variable

$ ferm < iptables.rules
# Generated by ferm 2.2 on Mon Jul  6 00:32:04 2015
*filter
:INPUT DROP [0:0]
-A INPUT --match state --state RELATED,ESTABLISHED --jump ACCEPT
-A INPUT --protocol tcp --dport http --jump ACCEPT
-A INPUT --protocol tcp --dport ftp --jump ACCEPT
-A INPUT --protocol tcp --dport ssh --jump ACCEPT
COMMIT

$ ferm --slow - < iptables.rules
iptables -t filter -P INPUT ACCEPT
iptables -t filter -F
iptables -t filter -X
iptables -t filter -P INPUT DROP
iptables -t filter -A INPUT --match state --state RELATED,ESTABLISHED --jump ACCEPT
iptables -t filter -A INPUT --protocol tcp --dport http --jump ACCEPT
iptables -t filter -A INPUT --protocol tcp --dport ftp --jump ACCEPT
iptables -t filter -A INPUT --protocol tcp --dport ssh --jump ACCEPT
```

[1]: http://ferm.foo-projects.org/
add ferm 2015-07-06 02:35:53 +02:00			`ferm - for Easy Rule Making`
			`===========================`

update 2015-07-06 02:46:13 +02:00			`![](https://badge.imagelayers.io/vimagick/ferm:latest.svg)`
add ferm 2015-07-06 02:35:53 +02:00
			[`ferm`][1] is a frontend for iptables, providing a way to write manageable
			`rulesets without sacrificing flexibility.`

			`## Tutorial`

			```
			`$ alias ferm='docker run -i --rm vimagick/ferm'`

			`$ cat > iptables.rules <<_EOF_`
			`chain INPUT {`
			`policy DROP;`
			`mod state state (RELATED ESTABLISHED) ACCEPT;`
			`proto tcp dport (http ftp ssh) ACCEPT;`
			`}`
			`_EOF_`

			`$ ferm -h`
			`Usage:`
			`ferm options inputfiles`

			`Options:`
			`-n, --noexec Do not execute the rules, just simulate`
			`-F, --flush Flush all netfilter tables managed by ferm`
			`-l, --lines Show all rules that were created`
			`-i, --interactive Interactive mode: revert if user does not confirm`
			`-t, --timeout s Define interactive mode timeout in seconds`
			`--remote Remote mode; ignore host specific configuration.`
			`This implies --noexec and --lines.`
			`-V, --version Show current version number`
			`-h, --help Look at this text`
update 2015-07-06 04:18:43 +02:00			`--slow Slow mode, do not use iptables-restore`
add ferm 2015-07-06 02:35:53 +02:00			`--shell Generate a shell script which calls iptables-restore`
			`--domain {ip\|ip6} Handle only the specified domain`
			`--def '$name=v' Override a variable`

			`$ ferm < iptables.rules`
			`# Generated by ferm 2.2 on Mon Jul 6 00:32:04 2015`
			`*filter`
			`:INPUT DROP [0:0]`
			`-A INPUT --match state --state RELATED,ESTABLISHED --jump ACCEPT`
			`-A INPUT --protocol tcp --dport http --jump ACCEPT`
			`-A INPUT --protocol tcp --dport ftp --jump ACCEPT`
			`-A INPUT --protocol tcp --dport ssh --jump ACCEPT`
			`COMMIT`

			`$ ferm --slow - < iptables.rules`
			`iptables -t filter -P INPUT ACCEPT`
			`iptables -t filter -F`
			`iptables -t filter -X`
			`iptables -t filter -P INPUT DROP`
			`iptables -t filter -A INPUT --match state --state RELATED,ESTABLISHED --jump ACCEPT`
			`iptables -t filter -A INPUT --protocol tcp --dport http --jump ACCEPT`
			`iptables -t filter -A INPUT --protocol tcp --dport ftp --jump ACCEPT`
			`iptables -t filter -A INPUT --protocol tcp --dport ssh --jump ACCEPT`
			```

			`[1]: http://ferm.foo-projects.org/`