Gregory Colpart
6 years ago
1 changed files with 44 additions and 45 deletions
@ -1,97 +1,96 @@ |
|||
# Fichier de configuration |
|||
# pour minifirewall |
|||
|
|||
# Configuration for minifirewall : https://forge.evolix.org/projects/minifirewall |
|||
# For fun, we keep last change from first CVS repository: |
|||
# version 0.1 - 12 juillet 2007 $Id: firewall.rc,v 1.2 2007/07/12 19:08:59 reg Exp $ |
|||
|
|||
# Interface concernee |
|||
# Main interface |
|||
INT='eth0' |
|||
|
|||
# IPv6 |
|||
IPV6=on |
|||
|
|||
# IP associee (plus utilisee dans les scripts) |
|||
# INTIP='192.168.0.2' |
|||
# reseau beneficiant d'acces privilegies |
|||
# (sera souvent IP/32) |
|||
# Trusted IPv4 local network |
|||
# ...will be often IP/32 if you don't trust anything |
|||
INTLAN='192.168.0.2/32' |
|||
|
|||
# trusted ip addresses |
|||
TRUSTEDIPS='62.212.121.90 62.212.111.216 88.179.18.233 85.118.59.4 85.118.59.50 31.170.8.4 31.170.9.129' |
|||
# Trusted IPv4 addresses for private and semi-public services |
|||
TRUSTEDIPS='62.212.121.90 88.179.18.233 85.118.59.4 31.170.8.4 31.170.9.129' |
|||
|
|||
# privilegied ip addresses |
|||
# (trusted ip addresses *are* privilegied) |
|||
# Privilegied IPv4 addresses for semi-public services |
|||
# (no need to add again TRUSTEDIPS) |
|||
PRIVILEGIEDIPS='' |
|||
|
|||
# Services "protected" |
|||
# a mettre aussi en public si necessaire !! |
|||
SERVICESTCP1p='21' |
|||
|
|||
# Local services IPv4/IPv6 restrictions |
|||
####################################### |
|||
|
|||
# Protected services |
|||
# (add also in Public services if needed) |
|||
SERVICESTCP1p='22' |
|||
SERVICESUDP1p='' |
|||
|
|||
# Services "publics" |
|||
SERVICESTCP1='20 21 25 53 993 995' |
|||
# Public services (IPv4/IPv6) |
|||
SERVICESTCP1='25 53 443 993 995 2222' |
|||
SERVICESUDP1='53' |
|||
|
|||
# Services "semi-publics" |
|||
SERVICESTCP2='22 80 110 143 443' |
|||
# Semi-public services (IPv4) |
|||
SERVICESTCP2='20 21 22 80 110 143' |
|||
SERVICESUDP2='' |
|||
|
|||
# Services "prives" |
|||
# Private services (IPv4) |
|||
SERVICESTCP3='5666' |
|||
SERVICESUDP3='' |
|||
|
|||
################### SORTANTS |
|||
# Standard output IPv4 access restrictions |
|||
########################################## |
|||
|
|||
# DNS |
|||
# (Attention, si un serveur DNS est installe en local |
|||
# mettre 0.0.0.0/0) |
|||
# DNS authorizations |
|||
# (if you have local DNS server, set 0.0.0.0/0) |
|||
DNSSERVEURS='0.0.0.0/0' |
|||
|
|||
# HTTP : security.d.o x3, zidane, modsecurity www.debian.org |
|||
# /!\ Possibilite d'utiliser des noms de domaines |
|||
# mais il est conseiller de placer un rechargement |
|||
# du minifirewall en crontab |
|||
# (Attention, si un proxy HTTP est installe en local |
|||
# mettre 0.0.0.0/0) |
|||
# HTTP authorizations |
|||
# (you can use DNS names but set cron to reload minifirewall regularly) |
|||
# (if you have HTTP proxy, set 0.0.0.0/0) |
|||
HTTPSITES='security.debian.org pub.evolix.net volatile.debian.org mirror.evolix.org backports.debian.org hwraid.le-vert.net zidane.evolix.net antispam00.evolix.org spamassassin.apache.org sa-update.space-pro.be sa-update.secnap.net www.sa-update.pccc.com sa-update.dnswl.org' |
|||
|
|||
# HTTPS |
|||
# /!\ Possibilite d'utiliser des noms de domaines |
|||
# mais il est conseiller de placer un rechargement |
|||
# du minifirewall en crontab |
|||
# HTTPS authorizations |
|||
HTTPSSITES='0.0.0.0/0' |
|||
|
|||
# FTP |
|||
# FTP authorizations |
|||
FTPSITES='' |
|||
|
|||
# SSH |
|||
# SSH authorizations |
|||
SSHOK='0.0.0.0/0' |
|||
|
|||
# SMTP |
|||
# SMTP authorizations |
|||
SMTPOK='0.0.0.0/0' |
|||
|
|||
# SMTP secure (port 465 et 587) |
|||
# SMTP secure authorizations (ports TCP/465 and TCP/587) |
|||
SMTPSECUREOK='' |
|||
|
|||
# NTP |
|||
# NTP authorizations |
|||
NTPOK='0.0.0.0/0' |
|||
|
|||
################### IPv6 Specific rules |
|||
# /sbin/ip6tables ... |
|||
|
|||
# Allow Input HTTP/HTTPS/SMTP/DNS traffic |
|||
# IPv6 Specific rules |
|||
##################### |
|||
|
|||
# Example: allow input HTTP/HTTPS/SMTP/DNS traffic |
|||
/sbin/ip6tables -A INPUT -i $INT -p tcp --sport 80 --match state --state ESTABLISHED,RELATED -j ACCEPT |
|||
/sbin/ip6tables -A INPUT -i $INT -p tcp --sport 443 --match state --state ESTABLISHED,RELATED -j ACCEPT |
|||
/sbin/ip6tables -A INPUT -i $INT -p tcp --sport 25 --match state --state ESTABLISHED,RELATED -j ACCEPT |
|||
/sbin/ip6tables -A INPUT -i $INT -p udp --sport 53 --match state --state ESTABLISHED,RELATED -j ACCEPT |
|||
/sbin/ip6tables -A INPUT -i $INT -p tcp --sport 53 --match state --state ESTABLISHED,RELATED -j ACCEPT |
|||
|
|||
# Allow Output DNS, NTP and traceroute traffic |
|||
# Example: allow output DNS, NTP and traceroute traffic |
|||
/sbin/ip6tables -A OUTPUT -o $INT -p udp --dport 53 --match state --state NEW -j ACCEPT |
|||
/sbin/ip6tables -A OUTPUT -o $INT -p udp --dport 123 --match state --state NEW -j ACCEPT |
|||
#/sbin/ip6tables -A OUTPUT -o $INT -p udp --dport 33434:33523 --match state --state NEW -j ACCEPT |
|||
|
|||
# Allow DHCPv6 |
|||
# Example: allow DHCPv6 |
|||
/sbin/ip6tables -A INPUT -i $INT -p udp --dport 546 -d fe80::/64 -j ACCEPT |
|||
/sbin/ip6tables -A OUTPUT -o $INT -p udp --dport 547 -j ACCEPT |
|||
|
|||
################### IPv4 Specific rules |
|||
# IPv4 Specific rules |
|||
##################### |
|||
|
|||
# /sbin/iptables ... |
|||
Write
Preview
Loading…
Cancel
Save
Reference in new issue