Jérémy Lecour
afa0fd35c8
All checks were successful
continuous-integration/drone/push Build is passing
102 lines
3.3 KiB
Plaintext
102 lines
3.3 KiB
Plaintext
# Configuration for minifirewall : https://gitea.evolix.org/evolix/minifirewall
|
|
# For fun, we keep last change from first CVS repository:
|
|
# version 0.1 - 12 juillet 2007 $Id: firewall.rc,v 1.2 2007/07/12 19:08:59 reg Exp $
|
|
|
|
# Main interface
|
|
INT='eth0'
|
|
|
|
# IPv6
|
|
IPV6=on
|
|
|
|
# Trusted IPv4 local network
|
|
# ...will be often IP/32 if you don't trust anything
|
|
INTLAN='192.168.0.2/32'
|
|
|
|
# Trusted IPv4 addresses for private and semi-public services
|
|
TRUSTEDIPS='62.212.121.90 88.179.18.233 31.170.8.4 31.170.9.129'
|
|
|
|
# Privilegied IPv4 addresses for semi-public services
|
|
# (no need to add again TRUSTEDIPS)
|
|
PRIVILEGIEDIPS=''
|
|
|
|
|
|
# Local services IPv4/IPv6 restrictions
|
|
#######################################
|
|
|
|
# Protected services
|
|
# (add also in Public services if needed)
|
|
SERVICESTCP1p='22'
|
|
SERVICESUDP1p=''
|
|
|
|
# Public services (IPv4/IPv6)
|
|
SERVICESTCP1='25 53 443 993 995 22222'
|
|
SERVICESUDP1='53'
|
|
|
|
# Semi-public services (IPv4)
|
|
SERVICESTCP2='20 21 22 80 110 143'
|
|
SERVICESUDP2=''
|
|
|
|
# Private services (IPv4)
|
|
SERVICESTCP3='5666'
|
|
SERVICESUDP3=''
|
|
|
|
# Standard output IPv4 access restrictions
|
|
##########################################
|
|
|
|
# DNS authorizations
|
|
# (if you have local DNS server, set 0.0.0.0/0)
|
|
DNSSERVEURS='0.0.0.0/0'
|
|
|
|
# HTTP authorizations
|
|
# (you can use DNS names but set cron to reload minifirewall regularly)
|
|
# (if you have HTTP proxy, set 0.0.0.0/0)
|
|
# HTTPSITES='security.debian.org security-cdn.debian.org pub.evolix.net volatile.debian.org mirror.evolix.org backports.debian.org hwraid.le-vert.net antispam00.evolix.org spamassassin.apache.org sa-update.space-pro.be sa-update.secnap.net www.sa-update.pccc.com sa-update.dnswl.org'
|
|
HTTPSITES='0.0.0.0/0'
|
|
|
|
# HTTPS authorizations
|
|
HTTPSSITES='0.0.0.0/0'
|
|
|
|
# FTP authorizations
|
|
FTPSITES=''
|
|
|
|
# SSH authorizations
|
|
SSHOK='0.0.0.0/0'
|
|
|
|
# SMTP authorizations
|
|
SMTPOK='0.0.0.0/0'
|
|
|
|
# SMTP secure authorizations (ports TCP/465 and TCP/587)
|
|
SMTPSECUREOK=''
|
|
|
|
# NTP authorizations
|
|
NTPOK='0.0.0.0/0'
|
|
|
|
|
|
# IPv6 Specific rules
|
|
#####################
|
|
|
|
# Example: allow SSH from Trusted IPv6 addresses
|
|
/sbin/ip6tables -A INPUT -i $INT -p tcp --dport 22 -s 2a01:9500:37:129::/64 -j ACCEPT
|
|
|
|
# Example: allow outgoing SSH/HTTP/HTTPS/SMTP/DNS traffic
|
|
/sbin/ip6tables -A INPUT -i $INT -p tcp --sport 22 --match state --state ESTABLISHED,RELATED -j ACCEPT
|
|
/sbin/ip6tables -A INPUT -i $INT -p tcp --sport 80 --match state --state ESTABLISHED,RELATED -j ACCEPT
|
|
/sbin/ip6tables -A INPUT -i $INT -p tcp --sport 443 --match state --state ESTABLISHED,RELATED -j ACCEPT
|
|
/sbin/ip6tables -A INPUT -i $INT -p tcp --sport 25 --match state --state ESTABLISHED,RELATED -j ACCEPT
|
|
/sbin/ip6tables -A INPUT -i $INT -p udp --sport 53 --match state --state ESTABLISHED,RELATED -j ACCEPT
|
|
/sbin/ip6tables -A INPUT -i $INT -p tcp --sport 53 --match state --state ESTABLISHED,RELATED -j ACCEPT
|
|
|
|
# Example: allow output DNS, NTP and traceroute traffic
|
|
/sbin/ip6tables -A OUTPUT -o $INT -p udp --dport 53 --match state --state NEW -j ACCEPT
|
|
/sbin/ip6tables -A OUTPUT -o $INT -p udp --dport 123 --match state --state NEW -j ACCEPT
|
|
#/sbin/ip6tables -A OUTPUT -o $INT -p udp --dport 33434:33523 --match state --state NEW -j ACCEPT
|
|
|
|
# Example: allow DHCPv6
|
|
/sbin/ip6tables -A INPUT -i $INT -p udp --dport 546 -d fe80::/64 -j ACCEPT
|
|
/sbin/ip6tables -A OUTPUT -o $INT -p udp --dport 547 -j ACCEPT
|
|
|
|
# IPv4 Specific rules
|
|
#####################
|
|
|
|
# /sbin/iptables ...
|