From 4ea10ccc83c168e221a1622263376d4e266074a9 Mon Sep 17 00:00:00 2001
From: Gregory Colpart
Date: Sun, 13 Sep 2015 20:13:05 +0200
Subject: [PATCH] Improve configuration file
---
 minifirewall.conf | 89 +++++++++++++++++++++++------------------------
 1 file changed, 44 insertions(+), 45 deletions(-)
diff --git a/minifirewall.conf b/minifirewall.conf
index 3afb205..5fe3898 100644
--- a/minifirewall.conf
+++ b/minifirewall.conf
@@ -1,97 +1,96 @@
-# Fichier de configuration
-# pour minifirewall
-
+# Configuration for minifirewall : https://forge.evolix.org/projects/minifirewall
+# For fun, we keep last change from first CVS repository:
 # version 0.1 - 12 juillet 2007 $Id: firewall.rc,v 1.2 2007/07/12 19:08:59 reg Exp $
-# Interface concernee
+# Main interface
 INT='eth0'
+# IPv6
 IPV6=on
-# IP associee (plus utilisee dans les scripts)
-# INTIP='192.168.0.2'
-# reseau beneficiant d'acces privilegies
-# (sera souvent IP/32)
+# Trusted IPv4 local network
+# ...will be often IP/32 if you don't trust anything
 INTLAN='192.168.0.2/32'
-# trusted ip addresses
-TRUSTEDIPS='62.212.121.90 62.212.111.216 88.179.18.233 85.118.59.4 85.118.59.50 31.170.8.4 31.170.9.129'
+# Trusted IPv4 addresses for private and semi-public services
+TRUSTEDIPS='62.212.121.90 88.179.18.233 85.118.59.4 31.170.8.4 31.170.9.129'
-# privilegied ip addresses
-# (trusted ip addresses *are* privilegied)
+# Privilegied IPv4 addresses for semi-public services
+# (no need to add again TRUSTEDIPS)
 PRIVILEGIEDIPS=''
-# Services "protected"
-# a mettre aussi en public si necessaire !!
-SERVICESTCP1p='21'
+
+# Local services IPv4/IPv6 restrictions
+#######################################
+
+# Protected services
+# (add also in Public services if needed)
+SERVICESTCP1p='22'
 SERVICESUDP1p=''
-# Services "publics"
-SERVICESTCP1='20 21 25 53 993 995'
+# Public services (IPv4/IPv6)
+SERVICESTCP1='25 53 443 993 995 2222'
 SERVICESUDP1='53'
-# Services "semi-publics"
-SERVICESTCP2='22 80 110 143 443'
+# Semi-public services (IPv4)
+SERVICESTCP2='20 21 22 80 110 143'
 SERVICESUDP2=''
-# Services "prives"
+# Private services (IPv4)
 SERVICESTCP3='5666'
 SERVICESUDP3=''
-################### SORTANTS
+# Standard output IPv4 access restrictions
+##########################################
-# DNS
-# (Attention, si un serveur DNS est installe en local
-# mettre 0.0.0.0/0)
+# DNS authorizations
+# (if you have local DNS server, set 0.0.0.0/0)
 DNSSERVEURS='0.0.0.0/0'
-# HTTP : security.d.o x3, zidane, modsecurity www.debian.org
-# /!\ Possibilite d'utiliser des noms de domaines
-# mais il est conseiller de placer un rechargement
-# du minifirewall en crontab
-# (Attention, si un proxy HTTP est installe en local
-# mettre 0.0.0.0/0)
+# HTTP authorizations
+# (you can use DNS names but set cron to reload minifirewall regularly)
+# (if you have HTTP proxy, set 0.0.0.0/0)
 HTTPSITES='security.debian.org pub.evolix.net volatile.debian.org mirror.evolix.org backports.debian.org hwraid.le-vert.net zidane.evolix.net antispam00.evolix.org spamassassin.apache.org sa-update.space-pro.be sa-update.secnap.net www.sa-update.pccc.com sa-update.dnswl.org'
-# HTTPS
-# /!\ Possibilite d'utiliser des noms de domaines
-# mais il est conseiller de placer un rechargement
-# du minifirewall en crontab
+# HTTPS authorizations
 HTTPSSITES='0.0.0.0/0'
-# FTP
+# FTP authorizations
 FTPSITES=''
-# SSH
+# SSH authorizations
 SSHOK='0.0.0.0/0'
-# SMTP
+# SMTP authorizations
 SMTPOK='0.0.0.0/0'
-# SMTP secure (port 465 et 587)
+# SMTP secure authorizations (ports TCP/465 and TCP/587)
 SMTPSECUREOK=''
-# NTP
+# NTP authorizations
 NTPOK='0.0.0.0/0'
-################### IPv6 Specific rules
-# /sbin/ip6tables ...
-# Allow Input HTTP/HTTPS/SMTP/DNS traffic
+# IPv6 Specific rules
+#####################
+
+# Example: allow input HTTP/HTTPS/SMTP/DNS traffic
 /sbin/ip6tables -A INPUT -i $INT -p tcp --sport 80 --match state --state ESTABLISHED,RELATED -j ACCEPT
 /sbin/ip6tables -A INPUT -i $INT -p tcp --sport 443 --match state --state ESTABLISHED,RELATED -j ACCEPT
 /sbin/ip6tables -A INPUT -i $INT -p tcp --sport 25 --match state --state ESTABLISHED,RELATED -j ACCEPT
 /sbin/ip6tables -A INPUT -i $INT -p udp --sport 53 --match state --state ESTABLISHED,RELATED -j ACCEPT
 /sbin/ip6tables -A INPUT -i $INT -p tcp --sport 53 --match state --state ESTABLISHED,RELATED -j ACCEPT
-# Allow Output DNS, NTP and traceroute traffic
+# Example: allow output DNS, NTP and traceroute traffic
 /sbin/ip6tables -A OUTPUT -o $INT -p udp --dport 53 --match state --state NEW -j ACCEPT
 /sbin/ip6tables -A OUTPUT -o $INT -p udp --dport 123 --match state --state NEW -j ACCEPT
 #/sbin/ip6tables -A OUTPUT -o $INT -p udp --dport 33434:33523 --match state --state NEW -j ACCEPT
-# Allow DHCPv6
+# Example: allow DHCPv6
 /sbin/ip6tables -A INPUT -i $INT -p udp --dport 546 -d fe80::/64 -j ACCEPT
 /sbin/ip6tables -A OUTPUT -o $INT -p udp --dport 547 -j ACCEPT
-################### IPv4 Specific rules
+# IPv4 Specific rules
+#####################
+
 # /sbin/iptables ...
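Review bot: The new headings `# Example: allow input HTTP/HTTPS/SMTP/DNS traffic`, `# Example: allow output DNS, NTP and traceroute traffic` and `# Example: allow DHCPv6` mislabel live rules: the ip6tables lines beneath them are bare commands in a file that is evidently executed as shell (they expand `$INT`), so they are applied on every load, while only the traceroute line is actually disabled with a leading `#`. Either drop the "Example:" prefix so a reader sees these as active rules, or comment each rule out like the traceroute line and let the administrator enable what is needed; as written, someone may leave rules in force believing them inert. A second point for a comment above `TRUSTEDIPS`: the shipped default grants the listed public addresses access to the private and semi-public services, so the comment should state that they must be replaced or the value emptied before deployment, e.g. `# Replace with your own addresses before deploying; leave empty if no remote host should be trusted`. The reload advice above `HTTPSITES` could also note that names are presumably resolved only when the rules are loaded, so the effective allow-list is whatever the resolver answered at that moment.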