# Configuration for minifirewall : https://gitea.evolix.org/evolix/minifirewall
# Version 21.05 — 2021-05-22 23:22:10
# shellcheck shell=sh disable=SC2034
#
# This file only assigns variables; it is read by the minifirewall script,
# which builds the iptables/ip6tables rules from these values.
# Address lists are space-separated strings of IPv4/IPv6 addresses or prefixes.

# Main interface
INT='eth0'

# IPv6
# ('on' enables the ip6tables rule set as well)
IPV6='on'

# Docker Mode
# Changes the behaviour of minifirewall so that it does not break the
# containers' network: turning it on disables the nat table purge and adds
# the DOCKER-USER chain in iptables. When enabled, review which rules end up
# in DOCKER-USER, since that is where traffic towards containers is filtered.
DOCKER='off'

# Trusted local network
# (often a single IPv4/32 or IPv6/128 — i.e. this host only — when you
# don't trust anything on the local segment)
INTLAN='192.0.2.1/32 2001:db8::1/128'

# Trusted IP addresses for private and semi-public services
# These addresses reach every protected service below, so keep the list
# minimal; note that 2a01:9500:37:129::/64 admits a whole prefix.
# TODO: add all our IPv6 addresses
TRUSTEDIPS='31.170.9.129 2a01:9500:37:129::/64 62.212.121.90 31.170.8.4 2a01:9500::fada/128 82.65.34.85 54.37.106.210 51.210.84.146'

# Privileged IP addresses for semi-public services (variable name kept
# as PRIVILEGIEDIPS for compatibility with the minifirewall script)
# (addresses already listed in TRUSTEDIPS need not be repeated)
PRIVILEGIEDIPS=''


# Local services IP restrictions
#######################################
# Port lists are space-separated. The *1p variables are the protected
# services; the suffix 1/2/3 selects who may reach a port: public,
# semi-public (TRUSTEDIPS + PRIVILEGIEDIPS) or private (TRUSTEDIPS).

# Protected services
# (add also in Public services if needed)
SERVICESTCP1p='22222'
SERVICESUDP1p=''

# Public services (IPv4/IPv6)
SERVICESTCP1='22222'
SERVICESUDP1=''

# Semi-public services (IPv4)
SERVICESTCP2='22'
SERVICESUDP2=''

# Private services (IPv4)
SERVICESTCP3='5666'
SERVICESUDP3=''


# Standard output IPv4/IPv6 access restrictions
##########################################
# These lists restrict OUTBOUND traffic per protocol. '0.0.0.0/0 ::/0'
# means unrestricted egress for that protocol; narrowing a list limits
# what the host can reach if it is ever compromised.

# DNS authorizations
# (if you have a local DNS server, set 0.0.0.0/0)
DNSSERVEURS='0.0.0.0/0 ::/0'

# HTTP authorizations
# (you can use DNS names, but names are resolved when the rules are loaded,
# so set a cron job to reload minifirewall regularly)
# (if you have an HTTP proxy, set 0.0.0.0/0)
HTTPSITES='0.0.0.0/0 ::/0'

# HTTPS authorizations
HTTPSSITES='0.0.0.0/0 ::/0'

# FTP authorizations
FTPSITES=''

# SSH authorizations (outbound SSH destinations)
SSHOK='0.0.0.0/0 ::/0'

# SMTP authorizations (outbound TCP/25 destinations)
SMTPOK='0.0.0.0/0 ::/0'

# SMTP secure authorizations (ports TCP/465 and TCP/587)
SMTPSECUREOK=''

# NTP authorizations
NTPOK='0.0.0.0/0 ::/0'

# Proxy (Squid)
PROXY='off'
# (proxy port)
PROXYPORT='8888'
# (destinations that bypass the proxy)
# Expands INTLAN, so it must stay below the INTLAN assignment.
PROXYBYPASS="${INTLAN} 127.0.0.0/8 ::1/128"

# Backup servers
# (add IP:PORT for each one, example: '192.168.10.1:1234 192.168.10.2:5678')
BACKUPSERVERS=''


# Includes
#####################
# Files in /etc/minifirewall.d/* (without "." in name)
# are automatically included in alphanumerical order.
# Anything placed there runs with the same privileges as minifirewall,
# so keep that directory writable by root only.