Improve configuration file

minifirewall.conf

@@ -1,97 +1,96 @@
-# Fichier de configuration
+# Configuration for minifirewall : https://forge.evolix.org/projects/minifirewall
-# pour minifirewall
+# For fun, we keep last change from first CVS repository:
-
 # version 0.1 - 12 juillet 2007 $Id: firewall.rc,v 1.2 2007/07/12 19:08:59 reg Exp $
 
-# Interface concernee
+# Main interface
 INT='eth0'
 
+# IPv6
 IPV6=on
 
-# IP associee (plus utilisee dans les scripts)
+# Trusted IPv4 local network
-# INTIP='192.168.0.2'
+# ...will be often IP/32 if you don't trust anything
-# reseau beneficiant d'acces privilegies
-# (sera souvent IP/32)
 INTLAN='192.168.0.2/32'
 
-# trusted ip addresses
+# Trusted IPv4 addresses for private and semi-public services
-TRUSTEDIPS='62.212.121.90 62.212.111.216 88.179.18.233 85.118.59.4 85.118.59.50 31.170.8.4 31.170.9.129'
+TRUSTEDIPS='62.212.121.90 88.179.18.233 85.118.59.4 31.170.8.4 31.170.9.129'
 
-# privilegied ip addresses
+# Privilegied IPv4 addresses for semi-public services
-# (trusted ip addresses *are* privilegied)
+# (no need to add again TRUSTEDIPS)
 PRIVILEGIEDIPS=''
 
-# Services "protected"
+
-# a mettre aussi en public si necessaire !!
+# Local services IPv4/IPv6 restrictions
-SERVICESTCP1p='21'
+#######################################
+
+# Protected services
+# (add also in Public services if needed)
+SERVICESTCP1p='22'
 SERVICESUDP1p=''
 
-# Services "publics"
+# Public services (IPv4/IPv6)
-SERVICESTCP1='20 21 25 53 993 995'
+SERVICESTCP1='25 53 443 993 995 2222'
 SERVICESUDP1='53'
 
-# Services "semi-publics"
+# Semi-public services (IPv4)
-SERVICESTCP2='22 80 110 143 443'
+SERVICESTCP2='20 21 22 80 110 143'
 SERVICESUDP2=''
 
-# Services "prives"
+# Private services (IPv4)
 SERVICESTCP3='5666'
 SERVICESUDP3=''
 
-################### SORTANTS
+# Standard output IPv4 access restrictions
+##########################################
 
-# DNS
+# DNS authorizations
-# (Attention, si un serveur DNS est installe en local
+# (if you have local DNS server, set 0.0.0.0/0)
-#  mettre 0.0.0.0/0)
 DNSSERVEURS='0.0.0.0/0'
 
-# HTTP : security.d.o x3, zidane, modsecurity www.debian.org
+# HTTP authorizations
-# /!\ Possibilite d'utiliser des noms de domaines
+# (you can use DNS names but set cron to reload minifirewall regularly)
-#     mais il est conseiller de placer un rechargement
+# (if you have HTTP proxy, set 0.0.0.0/0)
-#     du minifirewall en crontab
-# (Attention, si un proxy HTTP est installe en local
-#  mettre 0.0.0.0/0)
 HTTPSITES='security.debian.org pub.evolix.net volatile.debian.org mirror.evolix.org backports.debian.org hwraid.le-vert.net zidane.evolix.net antispam00.evolix.org spamassassin.apache.org sa-update.space-pro.be sa-update.secnap.net www.sa-update.pccc.com sa-update.dnswl.org'
 
-# HTTPS
+# HTTPS authorizations
-# /!\ Possibilite d'utiliser des noms de domaines
-#     mais il est conseiller de placer un rechargement
-#     du minifirewall en crontab
 HTTPSSITES='0.0.0.0/0'
 
-# FTP
+# FTP authorizations
 FTPSITES=''
 
-# SSH
+# SSH authorizations
 SSHOK='0.0.0.0/0'
 
-# SMTP
+# SMTP authorizations
 SMTPOK='0.0.0.0/0'
 
-# SMTP secure (port 465 et 587)
+# SMTP secure authorizations (ports TCP/465 and TCP/587)
 SMTPSECUREOK=''
 
-# NTP
+# NTP authorizations
 NTPOK='0.0.0.0/0'
 
-################### IPv6 Specific rules
-# /sbin/ip6tables ...
 
-# Allow Input HTTP/HTTPS/SMTP/DNS traffic
+# IPv6 Specific rules
+#####################
+
+# Example: allow input HTTP/HTTPS/SMTP/DNS traffic
 /sbin/ip6tables -A INPUT -i $INT -p tcp --sport 80 --match state --state ESTABLISHED,RELATED -j ACCEPT
 /sbin/ip6tables -A INPUT -i $INT -p tcp --sport 443 --match state --state ESTABLISHED,RELATED -j ACCEPT
 /sbin/ip6tables -A INPUT -i $INT -p tcp --sport 25 --match state --state ESTABLISHED,RELATED -j ACCEPT
 /sbin/ip6tables -A INPUT -i $INT -p udp --sport 53 --match state --state ESTABLISHED,RELATED -j ACCEPT
 /sbin/ip6tables -A INPUT -i $INT -p tcp --sport 53 --match state --state ESTABLISHED,RELATED -j ACCEPT
 
-# Allow Output DNS, NTP and traceroute traffic
+# Example: allow output DNS, NTP and traceroute traffic
 /sbin/ip6tables -A OUTPUT -o $INT -p udp --dport 53 --match state --state NEW -j ACCEPT
 /sbin/ip6tables -A OUTPUT -o $INT -p udp --dport 123 --match state --state NEW -j ACCEPT
 #/sbin/ip6tables -A OUTPUT -o $INT -p udp --dport 33434:33523 --match state --state NEW -j ACCEPT
 
-# Allow DHCPv6
+# Example: allow DHCPv6
 /sbin/ip6tables -A INPUT -i $INT -p udp --dport 546 -d fe80::/64 -j ACCEPT
 /sbin/ip6tables -A OUTPUT -o $INT -p udp --dport 547 -j ACCEPT
 
-################### IPv4 Specific rules
+# IPv4 Specific rules
+#####################
+
 # /sbin/iptables ...