From 5588ed6009fd4be679e897f920695ebf94a9d566 Mon Sep 17 00:00:00 2001
From: Jeremy Lecour
Date: Thu, 4 Feb 2021 10:55:26 +0100
Subject: [PATCH] minifirewall: change some defaults
Only SSH (22) is open on privilegied IPs Remove volatile.debian.org domain
---
 CHANGELOG.md | 1 +
 minifirewall/files/minifirewall.conf | 10 +++++-----
 2 files changed, 6 insertions(+), 5 deletions(-)
diff --git a/CHANGELOG.md b/CHANGELOG.md
index 71483c5b..6a79e349 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -18,6 +18,7 @@ The **patch** part changes incrementally at each release.
 * certbot: use a fixed 1.9.0 version of the certbot-auto script (renamed "letsencrypt-auto")
 * evoacme: upstream release 21.01
+* minifirewall: change some defaults
 ### Fixed
diff --git a/minifirewall/files/minifirewall.conf b/minifirewall/files/minifirewall.conf
index 745d58cd..47be78bf 100644
--- a/minifirewall/files/minifirewall.conf
+++ b/minifirewall/files/minifirewall.conf
@@ -30,15 +30,15 @@ PRIVILEGIEDIPS=''
 # Protected services
 # (add also in Public services if needed)
-SERVICESTCP1p='22'
+SERVICESTCP1p='22222'
 SERVICESUDP1p=''
 # Public services (IPv4/IPv6)
-SERVICESTCP1='25 53 443 993 995 22222'
-SERVICESUDP1='53'
+SERVICESTCP1='22222'
+SERVICESUDP1=''
 # Semi-public services (IPv4)
-SERVICESTCP2='20 21 22 80 110 143'
+SERVICESTCP2='22'
 SERVICESUDP2=''
 # Private services (IPv4)
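Review bot: TCP 22222 stays reachable from any source through `SERVICESTCP1='22222'` and is now also listed in `SERVICESTCP1p`, while the commit message says only SSH (22) is open on privileged IPs; nothing in this file says what listens on 22222 or why it is the one public port. A comment above the public list would settle it, e.g. `# 22222: <service name>, intentionally open to all sources (IPv4/IPv6)`. Port 22 also leaves `SERVICESTCP1p` and now appears only in `SERVICESTCP2`; whether that drops a restriction the protected list applied cannot be told from this hunk and is worth confirming in the minifirewall script. Because 25, 53, 80, 443 and the mail ports are no longer opened by default, the CHANGELOG line `change some defaults` would be more useful if it named the removed ports, since a host configured from this file will presumably stop accepting that traffic.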
@@ -55,7 +55,7 @@ DNSSERVEURS='0.0.0.0/0'
 # HTTP authorizations
 # (you can use DNS names but set cron to reload minifirewall regularly)
 # (if you have HTTP proxy, set 0.0.0.0/0)
-# HTTPSITES='security.debian.org security-cdn.debian.org pub.evolix.net volatile.debian.org mirror.evolix.org backports.debian.org hwraid.le-vert.net antispam00.evolix.org spamassassin.apache.org sa-update.space-pro.be sa-update.secnap.net www.sa-update.pccc.com sa-update.dnswl.org'
+# HTTPSITES='security.debian.org pub.evolix.net security-cdn.debian.org mirror.evolix.org backports.debian.org hwraid.le-vert.net antispam00.evolix.org spamassassin.apache.org sa-update.space-pro.be sa-update.secnap.net www.sa-update.pccc.com sa-update.dnswl.org ocsp.int-x3.letsencrypt.org'
 HTTPSITES='0.0.0.0/0'
 # HTTPS authorizations
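Review bot: The sample allowlist gains `ocsp.int-x3.letsencrypt.org`, which the commit message does not mention (it only announces the removal of volatile.debian.org) and which appears to be tied to one issuing intermediate (`int-x3`). Anyone who uncomments this line to replace the active `HTTPSITES='0.0.0.0/0'` would presumably block OCSP checks for certificates issued from a different intermediate. A short comment next to the sample would make that maintenance burden visible, for example `# (OCSP responder names follow the issuing CA intermediate; re-check this entry when it changes)`.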