Browse Source

Improve configuration file

systemd
Gregory Colpart 6 years ago
parent
commit
4ea10ccc83
  1. 89
      minifirewall.conf

89
minifirewall.conf

@ -1,97 +1,96 @@
# Fichier de configuration
# pour minifirewall
# Configuration for minifirewall : https://forge.evolix.org/projects/minifirewall
# For fun, we keep last change from first CVS repository:
# version 0.1 - 12 juillet 2007 $Id: firewall.rc,v 1.2 2007/07/12 19:08:59 reg Exp $
# Interface concernee
# Main interface
INT='eth0'
# IPv6
IPV6=on
# IP associee (plus utilisee dans les scripts)
# INTIP='192.168.0.2'
# reseau beneficiant d'acces privilegies
# (sera souvent IP/32)
# Trusted IPv4 local network
# ...will be often IP/32 if you don't trust anything
INTLAN='192.168.0.2/32'
# trusted ip addresses
TRUSTEDIPS='62.212.121.90 62.212.111.216 88.179.18.233 85.118.59.4 85.118.59.50 31.170.8.4 31.170.9.129'
# Trusted IPv4 addresses for private and semi-public services
TRUSTEDIPS='62.212.121.90 88.179.18.233 85.118.59.4 31.170.8.4 31.170.9.129'
# privilegied ip addresses
# (trusted ip addresses *are* privilegied)
# Privilegied IPv4 addresses for semi-public services
# (no need to add again TRUSTEDIPS)
PRIVILEGIEDIPS=''
# Services "protected"
# a mettre aussi en public si necessaire !!
SERVICESTCP1p='21'
# Local services IPv4/IPv6 restrictions
#######################################
# Protected services
# (add also in Public services if needed)
SERVICESTCP1p='22'
SERVICESUDP1p=''
# Services "publics"
SERVICESTCP1='20 21 25 53 993 995'
# Public services (IPv4/IPv6)
SERVICESTCP1='25 53 443 993 995 2222'
SERVICESUDP1='53'
# Services "semi-publics"
SERVICESTCP2='22 80 110 143 443'
# Semi-public services (IPv4)
SERVICESTCP2='20 21 22 80 110 143'
SERVICESUDP2=''
# Services "prives"
# Private services (IPv4)
SERVICESTCP3='5666'
SERVICESUDP3=''
################### SORTANTS
# Standard output IPv4 access restrictions
##########################################
# DNS
# (Attention, si un serveur DNS est installe en local
# mettre 0.0.0.0/0)
# DNS authorizations
# (if you have local DNS server, set 0.0.0.0/0)
DNSSERVEURS='0.0.0.0/0'
# HTTP : security.d.o x3, zidane, modsecurity www.debian.org
# /!\ Possibilite d'utiliser des noms de domaines
# mais il est conseiller de placer un rechargement
# du minifirewall en crontab
# (Attention, si un proxy HTTP est installe en local
# mettre 0.0.0.0/0)
# HTTP authorizations
# (you can use DNS names but set cron to reload minifirewall regularly)
# (if you have HTTP proxy, set 0.0.0.0/0)
HTTPSITES='security.debian.org pub.evolix.net volatile.debian.org mirror.evolix.org backports.debian.org hwraid.le-vert.net zidane.evolix.net antispam00.evolix.org spamassassin.apache.org sa-update.space-pro.be sa-update.secnap.net www.sa-update.pccc.com sa-update.dnswl.org'
# HTTPS
# /!\ Possibilite d'utiliser des noms de domaines
# mais il est conseiller de placer un rechargement
# du minifirewall en crontab
# HTTPS authorizations
HTTPSSITES='0.0.0.0/0'
# FTP
# FTP authorizations
FTPSITES=''
# SSH
# SSH authorizations
SSHOK='0.0.0.0/0'
# SMTP
# SMTP authorizations
SMTPOK='0.0.0.0/0'
# SMTP secure (port 465 et 587)
# SMTP secure authorizations (ports TCP/465 and TCP/587)
SMTPSECUREOK=''
# NTP
# NTP authorizations
NTPOK='0.0.0.0/0'
################### IPv6 Specific rules
# /sbin/ip6tables ...
# Allow Input HTTP/HTTPS/SMTP/DNS traffic
# IPv6 Specific rules
#####################
# Example: allow input HTTP/HTTPS/SMTP/DNS traffic
/sbin/ip6tables -A INPUT -i $INT -p tcp --sport 80 --match state --state ESTABLISHED,RELATED -j ACCEPT
/sbin/ip6tables -A INPUT -i $INT -p tcp --sport 443 --match state --state ESTABLISHED,RELATED -j ACCEPT
/sbin/ip6tables -A INPUT -i $INT -p tcp --sport 25 --match state --state ESTABLISHED,RELATED -j ACCEPT
/sbin/ip6tables -A INPUT -i $INT -p udp --sport 53 --match state --state ESTABLISHED,RELATED -j ACCEPT
/sbin/ip6tables -A INPUT -i $INT -p tcp --sport 53 --match state --state ESTABLISHED,RELATED -j ACCEPT
# Allow Output DNS, NTP and traceroute traffic
# Example: allow output DNS, NTP and traceroute traffic
/sbin/ip6tables -A OUTPUT -o $INT -p udp --dport 53 --match state --state NEW -j ACCEPT
/sbin/ip6tables -A OUTPUT -o $INT -p udp --dport 123 --match state --state NEW -j ACCEPT
#/sbin/ip6tables -A OUTPUT -o $INT -p udp --dport 33434:33523 --match state --state NEW -j ACCEPT
# Allow DHCPv6
# Example: allow DHCPv6
/sbin/ip6tables -A INPUT -i $INT -p udp --dport 546 -d fe80::/64 -j ACCEPT
/sbin/ip6tables -A OUTPUT -o $INT -p udp --dport 547 -j ACCEPT
################### IPv4 Specific rules
# IPv4 Specific rules
#####################
# /sbin/iptables ...
Loading…
Cancel
Save