Jérémy Lecour
ba90203f21
Some checks reported errors
continuous-integration/drone/push Build was killed
136 lines
3.5 KiB
Plaintext
136 lines
3.5 KiB
Plaintext
# Configuration for minifirewall : https://gitea.evolix.org/evolix/minifirewall
|
|
# Version 22.03.1 — 2022-03-15
|
|
# shellcheck shell=sh disable=SC2034
|
|
|
|
# Main interface
|
|
INT='eth0'
|
|
|
|
# IPv6
|
|
IPV6='on'
|
|
|
|
# Docker Mode
|
|
# Changes the behaviour of minifirewall to not break the containers' network
|
|
# For instance, turning it on will disable nat table purge
|
|
# Also, we'll add the DOCKER-USER chain, in iptables
|
|
#
|
|
# WARNING : If the port mapping is different between the host and the container
|
|
# (ie: Listen on :8090 on host, but :8080 in container)
|
|
# then you need to give the port used inside the container
|
|
DOCKER='off'
|
|
|
|
# Trusted local network
|
|
# ...will be often IPv4/32 or IPv6/128 if you don't trust anything
|
|
INTLAN='192.0.2.1/32 2001:db8::1/128'
|
|
|
|
# Trusted IP addresses for private and semi-public services
|
|
# TODO: add all our IPv6 adresses
|
|
TRUSTEDIPS='31.170.9.129 2a01:9500:37:129::/64 62.212.121.90 31.170.8.4 2a01:9500::fada/128 82.65.34.85 54.37.106.210 51.210.84.146'
|
|
|
|
# Privilegied IP addresses for semi-public services
|
|
# (no need to add again TRUSTEDIPS)
|
|
PRIVILEGIEDIPS=''
|
|
|
|
|
|
# Local services IP restrictions
|
|
#######################################
|
|
|
|
# Protected services
|
|
# (add also in Public services if needed)
|
|
SERVICESTCP1p='22222'
|
|
SERVICESUDP1p=''
|
|
|
|
# Public services (IPv4/IPv6)
|
|
SERVICESTCP1='22222'
|
|
SERVICESUDP1=''
|
|
|
|
# Semi-public services (IPv4)
|
|
SERVICESTCP2='22'
|
|
SERVICESUDP2=''
|
|
|
|
# Private services (IPv4)
|
|
SERVICESTCP3='5666'
|
|
SERVICESUDP3=''
|
|
|
|
|
|
# Standard output IPv4/IPv6 access restrictions
|
|
##########################################
|
|
|
|
# DNS authorizations
|
|
# (if you have local DNS server, set 0.0.0.0/0)
|
|
DNSSERVEURS='0.0.0.0/0 ::/0'
|
|
|
|
# HTTP authorizations
|
|
# (you can use DNS names but set cron to reload minifirewall regularly)
|
|
# (if you have HTTP proxy, set 0.0.0.0/0)
|
|
HTTPSITES='0.0.0.0/0 ::/0'
|
|
|
|
# HTTPS authorizations
|
|
HTTPSSITES='0.0.0.0/0 ::/0'
|
|
|
|
# FTP authorizations
|
|
FTPSITES=''
|
|
|
|
# SSH authorizations
|
|
SSHOK='0.0.0.0/0 ::/0'
|
|
|
|
# SMTP authorizations
|
|
SMTPOK='0.0.0.0/0 ::/0'
|
|
|
|
# SMTP secure authorizations (ports TCP/465 and TCP/587)
|
|
SMTPSECUREOK=''
|
|
|
|
# NTP authorizations
|
|
NTPOK='0.0.0.0/0 ::/0'
|
|
|
|
# Proxy (Squid)
|
|
PROXY='off'
|
|
# (proxy port)
|
|
PROXYPORT='8888'
|
|
# (destinations that bypass the proxy)
|
|
PROXYBYPASS="${INTLAN} 127.0.0.0/8 ::1/128"
|
|
|
|
# Backup servers
|
|
# (add IP:PORT for each one, example: '192.168.10.1:1234 192.168.10.2:5678')
|
|
BACKUPSERVERS=''
|
|
|
|
|
|
# Includes
|
|
#####################
|
|
|
|
# Files in /etc/minifirewall.d/* (without "." in name)
|
|
# are automatically included in alphanumerical order.
|
|
#
|
|
# Within included files, you can use those helper functions :
|
|
# * is_ipv6_enabled: returns true if IPv6 is enabled, or false
|
|
# * is_docker_enabled: returns true if Docker mode is eabled, or false
|
|
# * is_proxy_enabled: returns true if Proxy mode is enabled , or false
|
|
|
|
|
|
# Custom sysctl values (advanced)
|
|
#################################
|
|
|
|
# In most cases, the default values set by minifirewall are good.
|
|
# If you really know what you are doing,
|
|
# you can uncomment some lines and customize the values.
|
|
|
|
# Set 1 to ignore broadcast pings (default)
|
|
# SYSCTL_ICMP_ECHO_IGNORE_BROADCASTS='1'
|
|
|
|
# Set 1 to ignore bogus ICMP responses (default)
|
|
# SYSCTL_ICMP_IGNORE_BOGUS_ERROR_RESPONSES='1'
|
|
|
|
# Set 0 to disable source routing (default)
|
|
# SYSCTL_ACCEPT_SOURCE_ROUTE='0'
|
|
|
|
# Set 1 to enable TCP SYN cookies (default)
|
|
# SYSCTL_TCP_SYNCOOKIES='1'
|
|
|
|
# Set 0 to disable ICMP redirects (default)
|
|
# SYSCTL_ICMP_REDIRECTS='0'
|
|
|
|
# Set 1 to enable Reverse Path filtering (default)
|
|
# Set 0 if VRRP is used
|
|
# SYSCTL_RP_FILTER='1'
|
|
|
|
# Set 1 to log packets with inconsistent address (default)
|
|
# SYSCTL_LOG_MARTIANS='1' |