ansible-roles/minifirewall/files/minifirewall.conf

# Configuration for minifirewall : https://gitea.evolix.org/evolix/minifirewall
# For fun, we keep last change from first CVS repository:
# version 0.1 - 12 juillet 2007 $Id: firewall.rc,v 1.2 2007/07/12 19:08:59 reg Exp $

# Main interface
INT='eth0'

# IPv6
IPV6=on

# Trusted IPv4 local network
# ...will be often IP/32 if you don't trust anything
INTLAN='192.168.0.2/32'

# Trusted IPv4 addresses for private and semi-public services
TRUSTEDIPS='62.212.121.90 88.179.18.233 31.170.8.4 31.170.9.129'

# Privilegied IPv4 addresses for semi-public services
# (no need to add again TRUSTEDIPS)
PRIVILEGIEDIPS=''


# Local services IPv4/IPv6 restrictions
#######################################

# Protected services
# (add also in Public services if needed)
SERVICESTCP1p='22'
SERVICESUDP1p=''

# Public services (IPv4/IPv6)
SERVICESTCP1='25 53 443 993 995 2222'
SERVICESUDP1='53'

# Semi-public services (IPv4)
SERVICESTCP2='20 21 22 80 110 143'
SERVICESUDP2=''

# Private services (IPv4)
SERVICESTCP3='5666'
SERVICESUDP3=''

# Standard output IPv4 access restrictions
##########################################

# DNS authorizations
# (if you have local DNS server, set 0.0.0.0/0)
DNSSERVEURS='0.0.0.0/0'

# HTTP authorizations
# (you can use DNS names but set cron to reload minifirewall regularly)
# (if you have HTTP proxy, set 0.0.0.0/0)
HTTPSITES=''

# HTTPS authorizations
HTTPSSITES='0.0.0.0/0'

# FTP authorizations
FTPSITES=''

# SSH authorizations
SSHOK='0.0.0.0/0'

# SMTP authorizations
SMTPOK='0.0.0.0/0'

# SMTP secure authorizations (ports TCP/465 and TCP/587)
SMTPSECUREOK=''

# NTP authorizations
NTPOK='0.0.0.0/0'


# IPv6 Specific rules
#####################

# Example: allow SSH from Trusted IPv6 addresses
/sbin/ip6tables -A INPUT -i $INT -p tcp --dport 22 -s 2a01:9500:37:129::/64 -j ACCEPT

# Example: allow outgoing SSH/HTTP/HTTPS/SMTP/DNS traffic 
/sbin/ip6tables -A INPUT -i $INT -p tcp --sport 22 --match state --state ESTABLISHED,RELATED -j ACCEPT
/sbin/ip6tables -A INPUT -i $INT -p tcp --sport 80 --match state --state ESTABLISHED,RELATED -j ACCEPT
/sbin/ip6tables -A INPUT -i $INT -p tcp --sport 443 --match state --state ESTABLISHED,RELATED -j ACCEPT
/sbin/ip6tables -A INPUT -i $INT -p tcp --sport 25 --match state --state ESTABLISHED,RELATED -j ACCEPT
/sbin/ip6tables -A INPUT -i $INT -p udp --sport 53 --match state --state ESTABLISHED,RELATED -j ACCEPT
/sbin/ip6tables -A INPUT -i $INT -p tcp --sport 53 --match state --state ESTABLISHED,RELATED -j ACCEPT

# Example: allow output DNS, NTP and traceroute traffic
/sbin/ip6tables -A OUTPUT -o $INT -p udp --dport 53 --match state --state NEW -j ACCEPT
/sbin/ip6tables -A OUTPUT -o $INT -p udp --dport 123 --match state --state NEW -j ACCEPT
#/sbin/ip6tables -A OUTPUT -o $INT -p udp --dport 33434:33523 --match state --state NEW -j ACCEPT

# Example: allow DHCPv6
/sbin/ip6tables -A INPUT -i $INT -p udp --dport 546 -d fe80::/64 -j ACCEPT
/sbin/ip6tables -A OUTPUT -o $INT -p udp --dport 547 -j ACCEPT

# IPv4 Specific rules
#####################

# /sbin/iptables ...