minifirewall/minifirewall.conf

103 lines
3.0 KiB
Plaintext
Raw Normal View History

# Configuration for minifirewall : https://gitea.evolix.org/evolix/minifirewall
# Version 20.12 — 2020-12-01 22:55:35
2015-09-13 20:13:05 +02:00
# Main interface
INT='eth0'
2015-09-13 20:13:05 +02:00
# IPv6
IPV6=on
# Docker Mode
# Changes the behaviour of minifirewall to not break the containers' network
# For instance, turning it on will disable nat table purge
# Also, we'll add the DOCKER-USER chain, in iptable
DOCKER='off'
2015-09-13 20:13:05 +02:00
# Trusted IPv4 local network
# ...will be often IP/32 if you don't trust anything
INTLAN='192.168.0.2/32'
2015-09-13 20:13:05 +02:00
# Trusted IPv4 addresses for private and semi-public services
2020-02-21 16:26:41 +01:00
TRUSTEDIPS=''
2015-09-13 20:13:05 +02:00
# Privilegied IPv4 addresses for semi-public services
# (no need to add again TRUSTEDIPS)
PRIVILEGIEDIPS=''
2015-09-13 20:13:05 +02:00
# Local services IPv4/IPv6 restrictions
#######################################
# Protected services
# (add also in Public services if needed)
SERVICESTCP1p='22222'
SERVICESUDP1p=''
2015-09-13 20:13:05 +02:00
# Public services (IPv4/IPv6)
SERVICESTCP1='22222'
SERVICESUDP1=''
2015-09-13 20:13:05 +02:00
# Semi-public services (IPv4)
SERVICESTCP2='22'
SERVICESUDP2=''
2015-09-13 20:13:05 +02:00
# Private services (IPv4)
SERVICESTCP3='5666'
SERVICESUDP3=''
2015-09-13 20:13:05 +02:00
# Standard output IPv4 access restrictions
##########################################
2015-09-13 20:13:05 +02:00
# DNS authorizations
# (if you have local DNS server, set 0.0.0.0/0)
2011-04-19 15:51:15 +02:00
DNSSERVEURS='0.0.0.0/0'
2015-09-13 20:13:05 +02:00
# HTTP authorizations
# (you can use DNS names but set cron to reload minifirewall regularly)
# (if you have HTTP proxy, set 0.0.0.0/0)
HTTPSITES='security.debian.org pub.evolix.net security-cdn.debian.org mirror.evolix.org backports.debian.org hwraid.le-vert.net antispam00.evolix.org spamassassin.apache.org sa-update.space-pro.be sa-update.secnap.net www.sa-update.pccc.com sa-update.dnswl.org ocsp.int-x3.letsencrypt.org'
2015-09-13 20:13:05 +02:00
# HTTPS authorizations
2011-04-02 11:48:19 +02:00
HTTPSSITES='0.0.0.0/0'
2015-09-13 20:13:05 +02:00
# FTP authorizations
FTPSITES=''
2015-09-13 20:13:05 +02:00
# SSH authorizations
SSHOK='0.0.0.0/0'
2015-09-13 20:13:05 +02:00
# SMTP authorizations
SMTPOK='0.0.0.0/0'
2015-09-13 20:13:05 +02:00
# SMTP secure authorizations (ports TCP/465 and TCP/587)
SMTPSECUREOK=''
2015-09-13 20:13:05 +02:00
# NTP authorizations
NTPOK='0.0.0.0/0'
2015-09-13 20:13:05 +02:00
# IPv6 Specific rules
#####################
# Example: allow input HTTP/HTTPS/SMTP/DNS traffic
/sbin/ip6tables -A INPUT -i $INT -p tcp --sport 80 --match state --state ESTABLISHED,RELATED -j ACCEPT
/sbin/ip6tables -A INPUT -i $INT -p tcp --sport 443 --match state --state ESTABLISHED,RELATED -j ACCEPT
/sbin/ip6tables -A INPUT -i $INT -p tcp --sport 25 --match state --state ESTABLISHED,RELATED -j ACCEPT
/sbin/ip6tables -A INPUT -i $INT -p udp --sport 53 --match state --state ESTABLISHED,RELATED -j ACCEPT
/sbin/ip6tables -A INPUT -i $INT -p tcp --sport 53 --match state --state ESTABLISHED,RELATED -j ACCEPT
2015-09-13 20:13:05 +02:00
# Example: allow output DNS, NTP and traceroute traffic
/sbin/ip6tables -A OUTPUT -o $INT -p udp --dport 53 --match state --state NEW -j ACCEPT
/sbin/ip6tables -A OUTPUT -o $INT -p udp --dport 123 --match state --state NEW -j ACCEPT
2014-09-11 23:33:33 +02:00
#/sbin/ip6tables -A OUTPUT -o $INT -p udp --dport 33434:33523 --match state --state NEW -j ACCEPT
2015-09-13 20:13:05 +02:00
# Example: allow DHCPv6
/sbin/ip6tables -A INPUT -i $INT -p udp --dport 546 -d fe80::/64 -j ACCEPT
/sbin/ip6tables -A OUTPUT -o $INT -p udp --dport 547 -j ACCEPT
2013-12-13 11:22:27 +01:00
2015-09-13 20:13:05 +02:00
# IPv4 Specific rules
#####################
# /sbin/iptables ...