minifirewall/minifirewall.conf

# Configuration for minifirewall : https://forge.evolix.org/projects/minifirewall

# Main interface
INT='eth0'

# IPv6
IPV6=on

# Docker Mode
# Changes the behaviour of minifirewall to not break the containers' network
# For instance, turning it on will disable nat table purge
# Also, we'll add the DOCKER-USER chain, in iptable
DOCKER='off'

# Trusted IPv4 local network
# ...will be often IP/32 if you don't trust anything
INTLAN='192.168.0.2/32'

# Trusted IPv4 addresses for private and semi-public services
TRUSTEDIPS=''

# Privileged IPv4 addresses for semi-public services
# (no need to add again TRUSTEDIPS)
PRIVILEGEDIPS=''


# Local services IPv4/IPv6 restrictions
#######################################

# Protected services
# (add also in Public services if needed)
SERVICESTCP1p='22'
SERVICESUDP1p=''

# Public services (IPv4/IPv6)
SERVICESTCP1='25 53 443 993 995 2222'
SERVICESUDP1='53'

# Semi-public services (IPv4)
SERVICESTCP2='20 21 22 80 110 143'
SERVICESUDP2=''

# Private services (IPv4)
SERVICESTCP3='5666'
SERVICESUDP3=''


# Standard output IPv4 access restrictions
##########################################

# DNS authorizations
# (if you have local DNS server, set 0.0.0.0/0)
DNSSERVEURS='0.0.0.0/0'

# HTTP authorizations
# (you can use DNS names but set cron to reload minifirewall regularly)
# (if you have HTTP proxy, set 0.0.0.0/0)
HTTPSITES='security.debian.org pub.evolix.net security-cdn.debian.org volatile.debian.org mirror.evolix.org backports.debian.org hwraid.le-vert.net antispam00.evolix.org spamassassin.apache.org sa-update.space-pro.be sa-update.secnap.net www.sa-update.pccc.com sa-update.dnswl.org ocsp.int-x3.letsencrypt.org'

# HTTPS authorizations
HTTPSSITES='0.0.0.0/0'

# FTP authorizations
FTPSITES=''

# SSH authorizations
SSHOK='0.0.0.0/0'

# SMTP authorizations
SMTPOK='0.0.0.0/0'

# SMTP secure authorizations (ports TCP/465 and TCP/587)
SMTPSECUREOK=''

# NTP authorizations
NTPOK='0.0.0.0/0'

# Per host output autorisations (IP!Port)
# OUTPUTOK='203.0.113.1!42 203.0.113.2!43'
OUTPUTOK=''
Improve configuration file 2015-09-13 20:13:05 +02:00			`# Configuration for minifirewall : https://forge.evolix.org/projects/minifirewall`
Import files from http://www.gcolpart.com/hacks/ 2009-08-10 19:02:09 +02:00
Improve configuration file 2015-09-13 20:13:05 +02:00			`# Main interface`
Import files from http://www.gcolpart.com/hacks/ 2009-08-10 19:02:09 +02:00			`INT='eth0'`

Improve configuration file 2015-09-13 20:13:05 +02:00			`# IPv6`
Patch to have compatibility with poor non-IPv6 server 2011-11-11 15:47:37 +01:00			`IPV6=on`

Make it compatible with docker Add a new variable "DOCKER" that should be set to "on" when this is a docker machine. It will - Disable the nat tables flush on stop/restart Reason : Not breaking outgoing networking for containers - Create the "DOCKER-USER" chain, and add a DROP By default everything is closed and we don't expose services to the outside world - Add rules in the "DOCKER-USER" chain to open services to the outside world. Untested with swarm 2020-02-21 16:33:15 +01:00			`# Docker Mode`
			`# Changes the behaviour of minifirewall to not break the containers' network`
			`# For instance, turning it on will disable nat table purge`
			`# Also, we'll add the DOCKER-USER chain, in iptable`
			`DOCKER='off'`

Improve configuration file 2015-09-13 20:13:05 +02:00			`# Trusted IPv4 local network`
			`# ...will be often IP/32 if you don't trust anything`
Add NEEDRESTRICT chain to deny some services by free rules Somes improvements 2009-08-12 13:21:53 +02:00			`INTLAN='192.168.0.2/32'`
Import files from http://www.gcolpart.com/hacks/ 2009-08-10 19:02:09 +02:00
Improve configuration file 2015-09-13 20:13:05 +02:00			`# Trusted IPv4 addresses for private and semi-public services`
Fix IPV6 var not being defined on stop 2020-02-21 16:26:41 +01:00			`TRUSTEDIPS=''`
Import files from http://www.gcolpart.com/hacks/ 2009-08-10 19:02:09 +02:00
First nftables version of minifirewall 2020-08-24 16:59:15 +02:00			`# Privileged IPv4 addresses for semi-public services`
Improve configuration file 2015-09-13 20:13:05 +02:00			`# (no need to add again TRUSTEDIPS)`
First nftables version of minifirewall 2020-08-24 16:59:15 +02:00			`PRIVILEGEDIPS=''`
Import files from http://www.gcolpart.com/hacks/ 2009-08-10 19:02:09 +02:00
Improve configuration file 2015-09-13 20:13:05 +02:00
			`# Local services IPv4/IPv6 restrictions`
			`#######################################`

			`# Protected services`
			`# (add also in Public services if needed)`
			`SERVICESTCP1p='22'`
Add NEEDRESTRICT chain to deny some services by free rules Somes improvements 2009-08-12 13:21:53 +02:00			`SERVICESUDP1p=''`

Improve configuration file 2015-09-13 20:13:05 +02:00			`# Public services (IPv4/IPv6)`
			`SERVICESTCP1='25 53 443 993 995 2222'`
Import files from http://www.gcolpart.com/hacks/ 2009-08-10 19:02:09 +02:00			`SERVICESUDP1='53'`

Improve configuration file 2015-09-13 20:13:05 +02:00			`# Semi-public services (IPv4)`
			`SERVICESTCP2='20 21 22 80 110 143'`
Import files from http://www.gcolpart.com/hacks/ 2009-08-10 19:02:09 +02:00			`SERVICESUDP2=''`

Improve configuration file 2015-09-13 20:13:05 +02:00			`# Private services (IPv4)`
Add NEEDRESTRICT chain to deny some services by free rules Somes improvements 2009-08-12 13:21:53 +02:00			`SERVICESTCP3='5666'`
Import files from http://www.gcolpart.com/hacks/ 2009-08-10 19:02:09 +02:00			`SERVICESUDP3=''`

Make it compatible with docker Add a new variable "DOCKER" that should be set to "on" when this is a docker machine. It will - Disable the nat tables flush on stop/restart Reason : Not breaking outgoing networking for containers - Create the "DOCKER-USER" chain, and add a DROP By default everything is closed and we don't expose services to the outside world - Add rules in the "DOCKER-USER" chain to open services to the outside world. Untested with swarm 2020-02-21 16:33:15 +01:00
Improve configuration file 2015-09-13 20:13:05 +02:00			`# Standard output IPv4 access restrictions`
			`##########################################`
Import files from http://www.gcolpart.com/hacks/ 2009-08-10 19:02:09 +02:00
Improve configuration file 2015-09-13 20:13:05 +02:00			`# DNS authorizations`
			`# (if you have local DNS server, set 0.0.0.0/0)`
Allow all DNS requests by default 2011-04-19 15:51:15 +02:00			`DNSSERVEURS='0.0.0.0/0'`
Import files from http://www.gcolpart.com/hacks/ 2009-08-10 19:02:09 +02:00
Improve configuration file 2015-09-13 20:13:05 +02:00			`# HTTP authorizations`
			`# (you can use DNS names but set cron to reload minifirewall regularly)`
			`# (if you have HTTP proxy, set 0.0.0.0/0)`
Add security-cdn.debian.org to HTTPSITES whitelist Debian migrated its security.debian.org repository to Fastly CDN (security-cdn.debian.org) so we have to whitelist it too to make security upgrades possible. 2018-01-29 17:22:46 +01:00			`HTTPSITES='security.debian.org pub.evolix.net security-cdn.debian.org volatile.debian.org mirror.evolix.org backports.debian.org hwraid.le-vert.net antispam00.evolix.org spamassassin.apache.org sa-update.space-pro.be sa-update.secnap.net www.sa-update.pccc.com sa-update.dnswl.org ocsp.int-x3.letsencrypt.org'`
Import files from http://www.gcolpart.com/hacks/ 2009-08-10 19:02:09 +02:00
Improve configuration file 2015-09-13 20:13:05 +02:00			`# HTTPS authorizations`
Open HTTPS by default 2011-04-02 11:48:19 +02:00			`HTTPSSITES='0.0.0.0/0'`
Import files from http://www.gcolpart.com/hacks/ 2009-08-10 19:02:09 +02:00
Improve configuration file 2015-09-13 20:13:05 +02:00			`# FTP authorizations`
Import files from http://www.gcolpart.com/hacks/ 2009-08-10 19:02:09 +02:00			`FTPSITES=''`

Improve configuration file 2015-09-13 20:13:05 +02:00			`# SSH authorizations`
Import files from http://www.gcolpart.com/hacks/ 2009-08-10 19:02:09 +02:00			`SSHOK='0.0.0.0/0'`

Improve configuration file 2015-09-13 20:13:05 +02:00			`# SMTP authorizations`
Import files from http://www.gcolpart.com/hacks/ 2009-08-10 19:02:09 +02:00			`SMTPOK='0.0.0.0/0'`

Improve configuration file 2015-09-13 20:13:05 +02:00			`# SMTP secure authorizations (ports TCP/465 and TCP/587)`
Fix a bug with var name, and remove _ (uniformization) 2011-06-03 11:53:51 +02:00			`SMTPSECUREOK=''`
Added a SMTP_SECURE_OK rule (port 465) Signed-off-by: Gregory Colpart <reg@evolix.fr> 2011-03-25 19:02:45 +01:00
Improve configuration file 2015-09-13 20:13:05 +02:00			`# NTP authorizations`
We authorize now all NTP traffic by default 2011-07-14 15:23:04 +02:00			`NTPOK='0.0.0.0/0'`
Import files from http://www.gcolpart.com/hacks/ 2009-08-10 19:02:09 +02:00
Add per host output autorisation capability 2020-11-18 18:10:27 +01:00			`# Per host output autorisations (IP!Port)`
			`# OUTPUTOK='203.0.113.1!42 203.0.113.2!43'`
			`OUTPUTOK=''`