minifirewall/minifirewall.conf

# Configuration for minifirewall : https://gitea.evolix.org/evolix/minifirewall
# Version 21.05 — 2021-05-22 23:22:10
# shellcheck shell=sh disable=SC2034

# Main interface
INT='eth0'

# IPv6
IPV6=on

# Docker Mode
# Changes the behaviour of minifirewall to not break the containers' network
# For instance, turning it on will disable nat table purge
# Also, we'll add the DOCKER-USER chain, in iptable
DOCKER='off'

# Trusted IPv4 local network
# ...will be often IP/32 if you don't trust anything
INTLAN='192.168.0.2/32'

# Trusted IPv4 addresses for private and semi-public services
TRUSTEDIPS='31.170.9.129 62.212.121.90 31.170.8.4 82.65.34.85 54.37.106.210 51.210.84.146'

# Privilegied IPv4 addresses for semi-public services
# (no need to add again TRUSTEDIPS)
PRIVILEGIEDIPS=''


# Local services IPv4/IPv6 restrictions
#######################################

# Protected services
# (add also in Public services if needed)
SERVICESTCP1p='22222'
SERVICESUDP1p=''

# Public services (IPv4/IPv6)
SERVICESTCP1='22222'
SERVICESUDP1=''

# Semi-public services (IPv4)
SERVICESTCP2='22'
SERVICESUDP2=''

# Private services (IPv4)
SERVICESTCP3='5666'
SERVICESUDP3=''


# Standard output IPv4 access restrictions
##########################################

# DNS authorizations
# (if you have local DNS server, set 0.0.0.0/0)
DNSSERVEURS='0.0.0.0/0'

# HTTP authorizations
# (you can use DNS names but set cron to reload minifirewall regularly)
# (if you have HTTP proxy, set 0.0.0.0/0)
HTTPSITES='security.debian.org pub.evolix.net security-cdn.debian.org mirror.evolix.org backports.debian.org hwraid.le-vert.net antispam00.evolix.org spamassassin.apache.org sa-update.space-pro.be sa-update.secnap.net www.sa-update.pccc.com sa-update.dnswl.org ocsp.int-x3.letsencrypt.org'

# HTTPS authorizations
HTTPSSITES='0.0.0.0/0'

# FTP authorizations
FTPSITES=''

# SSH authorizations
SSHOK='0.0.0.0/0'

# SMTP authorizations
SMTPOK='0.0.0.0/0'

# SMTP secure authorizations (ports TCP/465 and TCP/587)
SMTPSECUREOK=''

# NTP authorizations
NTPOK='0.0.0.0/0'


# Backup servers
# (add IP:PORT for each one, example: '192.168.10.1:1234 192.168.10.2:5678')
BACKUPSERVERS=''

# Includes
#####################

# Files in /etc/default/minifirewall.d/* (without "." in name)
# are automatically included in alphanumerical order.
Update copyright and add version number 2020-12-01 22:55:59 +01:00			`# Configuration for minifirewall : https://gitea.evolix.org/evolix/minifirewall`
update verison 2021-05-22 23:22:31 +02:00			`# Version 21.05 — 2021-05-22 23:22:10`
Source files in /etc/default/minifirewall.d 2021-05-22 09:11:49 +02:00			`# shellcheck shell=sh disable=SC2034`
Import files from http://www.gcolpart.com/hacks/ 2009-08-10 19:02:09 +02:00
Improve configuration file 2015-09-13 20:13:05 +02:00			`# Main interface`
Import files from http://www.gcolpart.com/hacks/ 2009-08-10 19:02:09 +02:00			`INT='eth0'`

Improve configuration file 2015-09-13 20:13:05 +02:00			`# IPv6`
Patch to have compatibility with poor non-IPv6 server 2011-11-11 15:47:37 +01:00			`IPV6=on`

Make it compatible with docker Add a new variable "DOCKER" that should be set to "on" when this is a docker machine. It will - Disable the nat tables flush on stop/restart Reason : Not breaking outgoing networking for containers - Create the "DOCKER-USER" chain, and add a DROP By default everything is closed and we don't expose services to the outside world - Add rules in the "DOCKER-USER" chain to open services to the outside world. Untested with swarm 2020-02-21 16:33:15 +01:00			`# Docker Mode`
			`# Changes the behaviour of minifirewall to not break the containers' network`
			`# For instance, turning it on will disable nat table purge`
			`# Also, we'll add the DOCKER-USER chain, in iptable`
			`DOCKER='off'`

Improve configuration file 2015-09-13 20:13:05 +02:00			`# Trusted IPv4 local network`
			`# ...will be often IP/32 if you don't trust anything`
Add NEEDRESTRICT chain to deny some services by free rules Somes improvements 2009-08-12 13:21:53 +02:00			`INTLAN='192.168.0.2/32'`
Import files from http://www.gcolpart.com/hacks/ 2009-08-10 19:02:09 +02:00
Improve configuration file 2015-09-13 20:13:05 +02:00			`# Trusted IPv4 addresses for private and semi-public services`
Put our IPs back in the TRUSTEDIPS variable The TRUSTEDIPS variable is the public reference for Evolix IPs 2021-02-05 15:25:28 +01:00			`TRUSTEDIPS='31.170.9.129 62.212.121.90 31.170.8.4 82.65.34.85 54.37.106.210 51.210.84.146'`
Import files from http://www.gcolpart.com/hacks/ 2009-08-10 19:02:09 +02:00
Improve configuration file 2015-09-13 20:13:05 +02:00			`# Privilegied IPv4 addresses for semi-public services`
			`# (no need to add again TRUSTEDIPS)`
Import files from http://www.gcolpart.com/hacks/ 2009-08-10 19:02:09 +02:00			`PRIVILEGIEDIPS=''`

Improve configuration file 2015-09-13 20:13:05 +02:00
			`# Local services IPv4/IPv6 restrictions`
			`#######################################`

			`# Protected services`
			`# (add also in Public services if needed)`
new policy for default ports: we close almost all to be sure that nothing works if we don't configure it nouvelle politique d'ouverture des ports par défaut : on ferme quasi tout pour que rien ne marche ou presque si on ne configure rien 2020-09-22 16:59:39 +02:00			`SERVICESTCP1p='22222'`
Add NEEDRESTRICT chain to deny some services by free rules Somes improvements 2009-08-12 13:21:53 +02:00			`SERVICESUDP1p=''`

Improve configuration file 2015-09-13 20:13:05 +02:00			`# Public services (IPv4/IPv6)`
new policy for default ports: we close almost all to be sure that nothing works if we don't configure it nouvelle politique d'ouverture des ports par défaut : on ferme quasi tout pour que rien ne marche ou presque si on ne configure rien 2020-09-22 16:59:39 +02:00			`SERVICESTCP1='22222'`
			`SERVICESUDP1=''`
Import files from http://www.gcolpart.com/hacks/ 2009-08-10 19:02:09 +02:00
Improve configuration file 2015-09-13 20:13:05 +02:00			`# Semi-public services (IPv4)`
new policy for default ports: we close almost all to be sure that nothing works if we don't configure it nouvelle politique d'ouverture des ports par défaut : on ferme quasi tout pour que rien ne marche ou presque si on ne configure rien 2020-09-22 16:59:39 +02:00			`SERVICESTCP2='22'`
Import files from http://www.gcolpart.com/hacks/ 2009-08-10 19:02:09 +02:00			`SERVICESUDP2=''`

Improve configuration file 2015-09-13 20:13:05 +02:00			`# Private services (IPv4)`
Add NEEDRESTRICT chain to deny some services by free rules Somes improvements 2009-08-12 13:21:53 +02:00			`SERVICESTCP3='5666'`
Import files from http://www.gcolpart.com/hacks/ 2009-08-10 19:02:09 +02:00			`SERVICESUDP3=''`

Make it compatible with docker Add a new variable "DOCKER" that should be set to "on" when this is a docker machine. It will - Disable the nat tables flush on stop/restart Reason : Not breaking outgoing networking for containers - Create the "DOCKER-USER" chain, and add a DROP By default everything is closed and we don't expose services to the outside world - Add rules in the "DOCKER-USER" chain to open services to the outside world. Untested with swarm 2020-02-21 16:33:15 +01:00
Improve configuration file 2015-09-13 20:13:05 +02:00			`# Standard output IPv4 access restrictions`
			`##########################################`
Import files from http://www.gcolpart.com/hacks/ 2009-08-10 19:02:09 +02:00
Improve configuration file 2015-09-13 20:13:05 +02:00			`# DNS authorizations`
			`# (if you have local DNS server, set 0.0.0.0/0)`
Allow all DNS requests by default 2011-04-19 15:51:15 +02:00			`DNSSERVEURS='0.0.0.0/0'`
Import files from http://www.gcolpart.com/hacks/ 2009-08-10 19:02:09 +02:00
Improve configuration file 2015-09-13 20:13:05 +02:00			`# HTTP authorizations`
			`# (you can use DNS names but set cron to reload minifirewall regularly)`
			`# (if you have HTTP proxy, set 0.0.0.0/0)`
Remove volatile.debian.org from HTTPSITES This domain doesn't exist anymore. 2021-01-14 08:16:50 +01:00			`HTTPSITES='security.debian.org pub.evolix.net security-cdn.debian.org mirror.evolix.org backports.debian.org hwraid.le-vert.net antispam00.evolix.org spamassassin.apache.org sa-update.space-pro.be sa-update.secnap.net www.sa-update.pccc.com sa-update.dnswl.org ocsp.int-x3.letsencrypt.org'`
Import files from http://www.gcolpart.com/hacks/ 2009-08-10 19:02:09 +02:00
Improve configuration file 2015-09-13 20:13:05 +02:00			`# HTTPS authorizations`
Open HTTPS by default 2011-04-02 11:48:19 +02:00			`HTTPSSITES='0.0.0.0/0'`
Import files from http://www.gcolpart.com/hacks/ 2009-08-10 19:02:09 +02:00
Improve configuration file 2015-09-13 20:13:05 +02:00			`# FTP authorizations`
Import files from http://www.gcolpart.com/hacks/ 2009-08-10 19:02:09 +02:00			`FTPSITES=''`

Improve configuration file 2015-09-13 20:13:05 +02:00			`# SSH authorizations`
Import files from http://www.gcolpart.com/hacks/ 2009-08-10 19:02:09 +02:00			`SSHOK='0.0.0.0/0'`

Improve configuration file 2015-09-13 20:13:05 +02:00			`# SMTP authorizations`
Import files from http://www.gcolpart.com/hacks/ 2009-08-10 19:02:09 +02:00			`SMTPOK='0.0.0.0/0'`

Improve configuration file 2015-09-13 20:13:05 +02:00			`# SMTP secure authorizations (ports TCP/465 and TCP/587)`
Fix a bug with var name, and remove _ (uniformization) 2011-06-03 11:53:51 +02:00			`SMTPSECUREOK=''`
Added a SMTP_SECURE_OK rule (port 465) Signed-off-by: Gregory Colpart <reg@evolix.fr> 2011-03-25 19:02:45 +01:00
Improve configuration file 2015-09-13 20:13:05 +02:00			`# NTP authorizations`
We authorize now all NTP traffic by default 2011-07-14 15:23:04 +02:00			`NTPOK='0.0.0.0/0'`
Import files from http://www.gcolpart.com/hacks/ 2009-08-10 19:02:09 +02:00

Add macro for backup servers 2021-05-26 13:12:15 +02:00			`# Backup servers`
			`# (add IP:PORT for each one, example: '192.168.10.1:1234 192.168.10.2:5678')`
			`BACKUPSERVERS=''`

Source files in /etc/default/minifirewall.d 2021-05-22 09:11:49 +02:00			`# Includes`
Improve configuration file 2015-09-13 20:13:05 +02:00			`#####################`

Source files in /etc/default/minifirewall.d 2021-05-22 09:11:49 +02:00			`# Files in /etc/default/minifirewall.d/* (without "." in name)`
			`# are automatically included in alphanumerical order.`