Improve configuration file
parent
2f561a6172
commit
4ea10ccc83
|
@ -1,97 +1,96 @@
|
||||||
# Fichier de configuration
|
# Configuration for minifirewall : https://forge.evolix.org/projects/minifirewall
|
||||||
# pour minifirewall
|
# For fun, we keep last change from first CVS repository:
|
||||||
|
|
||||||
# version 0.1 - 12 juillet 2007 $Id: firewall.rc,v 1.2 2007/07/12 19:08:59 reg Exp $
|
# version 0.1 - 12 juillet 2007 $Id: firewall.rc,v 1.2 2007/07/12 19:08:59 reg Exp $
|
||||||
|
|
||||||
# Interface concernee
|
# Main interface
|
||||||
INT='eth0'
|
INT='eth0'
|
||||||
|
|
||||||
|
# IPv6
|
||||||
IPV6=on
|
IPV6=on
|
||||||
|
|
||||||
# IP associee (plus utilisee dans les scripts)
|
# Trusted IPv4 local network
|
||||||
# INTIP='192.168.0.2'
|
# ...will be often IP/32 if you don't trust anything
|
||||||
# reseau beneficiant d'acces privilegies
|
|
||||||
# (sera souvent IP/32)
|
|
||||||
INTLAN='192.168.0.2/32'
|
INTLAN='192.168.0.2/32'
|
||||||
|
|
||||||
# trusted ip addresses
|
# Trusted IPv4 addresses for private and semi-public services
|
||||||
TRUSTEDIPS='62.212.121.90 62.212.111.216 88.179.18.233 85.118.59.4 85.118.59.50 31.170.8.4 31.170.9.129'
|
TRUSTEDIPS='62.212.121.90 88.179.18.233 85.118.59.4 31.170.8.4 31.170.9.129'
|
||||||
|
|
||||||
# privilegied ip addresses
|
# Privilegied IPv4 addresses for semi-public services
|
||||||
# (trusted ip addresses *are* privilegied)
|
# (no need to add again TRUSTEDIPS)
|
||||||
PRIVILEGIEDIPS=''
|
PRIVILEGIEDIPS=''
|
||||||
|
|
||||||
# Services "protected"
|
|
||||||
# a mettre aussi en public si necessaire !!
|
# Local services IPv4/IPv6 restrictions
|
||||||
SERVICESTCP1p='21'
|
#######################################
|
||||||
|
|
||||||
|
# Protected services
|
||||||
|
# (add also in Public services if needed)
|
||||||
|
SERVICESTCP1p='22'
|
||||||
SERVICESUDP1p=''
|
SERVICESUDP1p=''
|
||||||
|
|
||||||
# Services "publics"
|
# Public services (IPv4/IPv6)
|
||||||
SERVICESTCP1='20 21 25 53 993 995'
|
SERVICESTCP1='25 53 443 993 995 2222'
|
||||||
SERVICESUDP1='53'
|
SERVICESUDP1='53'
|
||||||
|
|
||||||
# Services "semi-publics"
|
# Semi-public services (IPv4)
|
||||||
SERVICESTCP2='22 80 110 143 443'
|
SERVICESTCP2='20 21 22 80 110 143'
|
||||||
SERVICESUDP2=''
|
SERVICESUDP2=''
|
||||||
|
|
||||||
# Services "prives"
|
# Private services (IPv4)
|
||||||
SERVICESTCP3='5666'
|
SERVICESTCP3='5666'
|
||||||
SERVICESUDP3=''
|
SERVICESUDP3=''
|
||||||
|
|
||||||
################### SORTANTS
|
# Standard output IPv4 access restrictions
|
||||||
|
##########################################
|
||||||
|
|
||||||
# DNS
|
# DNS authorizations
|
||||||
# (Attention, si un serveur DNS est installe en local
|
# (if you have local DNS server, set 0.0.0.0/0)
|
||||||
# mettre 0.0.0.0/0)
|
|
||||||
DNSSERVEURS='0.0.0.0/0'
|
DNSSERVEURS='0.0.0.0/0'
|
||||||
|
|
||||||
# HTTP : security.d.o x3, zidane, modsecurity www.debian.org
|
# HTTP authorizations
|
||||||
# /!\ Possibilite d'utiliser des noms de domaines
|
# (you can use DNS names but set cron to reload minifirewall regularly)
|
||||||
# mais il est conseiller de placer un rechargement
|
# (if you have HTTP proxy, set 0.0.0.0/0)
|
||||||
# du minifirewall en crontab
|
|
||||||
# (Attention, si un proxy HTTP est installe en local
|
|
||||||
# mettre 0.0.0.0/0)
|
|
||||||
HTTPSITES='security.debian.org pub.evolix.net volatile.debian.org mirror.evolix.org backports.debian.org hwraid.le-vert.net zidane.evolix.net antispam00.evolix.org spamassassin.apache.org sa-update.space-pro.be sa-update.secnap.net www.sa-update.pccc.com sa-update.dnswl.org'
|
HTTPSITES='security.debian.org pub.evolix.net volatile.debian.org mirror.evolix.org backports.debian.org hwraid.le-vert.net zidane.evolix.net antispam00.evolix.org spamassassin.apache.org sa-update.space-pro.be sa-update.secnap.net www.sa-update.pccc.com sa-update.dnswl.org'
|
||||||
|
|
||||||
# HTTPS
|
# HTTPS authorizations
|
||||||
# /!\ Possibilite d'utiliser des noms de domaines
|
|
||||||
# mais il est conseiller de placer un rechargement
|
|
||||||
# du minifirewall en crontab
|
|
||||||
HTTPSSITES='0.0.0.0/0'
|
HTTPSSITES='0.0.0.0/0'
|
||||||
|
|
||||||
# FTP
|
# FTP authorizations
|
||||||
FTPSITES=''
|
FTPSITES=''
|
||||||
|
|
||||||
# SSH
|
# SSH authorizations
|
||||||
SSHOK='0.0.0.0/0'
|
SSHOK='0.0.0.0/0'
|
||||||
|
|
||||||
# SMTP
|
# SMTP authorizations
|
||||||
SMTPOK='0.0.0.0/0'
|
SMTPOK='0.0.0.0/0'
|
||||||
|
|
||||||
# SMTP secure (port 465 et 587)
|
# SMTP secure authorizations (ports TCP/465 and TCP/587)
|
||||||
SMTPSECUREOK=''
|
SMTPSECUREOK=''
|
||||||
|
|
||||||
# NTP
|
# NTP authorizations
|
||||||
NTPOK='0.0.0.0/0'
|
NTPOK='0.0.0.0/0'
|
||||||
|
|
||||||
################### IPv6 Specific rules
|
|
||||||
# /sbin/ip6tables ...
|
|
||||||
|
|
||||||
# Allow Input HTTP/HTTPS/SMTP/DNS traffic
|
# IPv6 Specific rules
|
||||||
|
#####################
|
||||||
|
|
||||||
|
# Example: allow input HTTP/HTTPS/SMTP/DNS traffic
|
||||||
/sbin/ip6tables -A INPUT -i $INT -p tcp --sport 80 --match state --state ESTABLISHED,RELATED -j ACCEPT
|
/sbin/ip6tables -A INPUT -i $INT -p tcp --sport 80 --match state --state ESTABLISHED,RELATED -j ACCEPT
|
||||||
/sbin/ip6tables -A INPUT -i $INT -p tcp --sport 443 --match state --state ESTABLISHED,RELATED -j ACCEPT
|
/sbin/ip6tables -A INPUT -i $INT -p tcp --sport 443 --match state --state ESTABLISHED,RELATED -j ACCEPT
|
||||||
/sbin/ip6tables -A INPUT -i $INT -p tcp --sport 25 --match state --state ESTABLISHED,RELATED -j ACCEPT
|
/sbin/ip6tables -A INPUT -i $INT -p tcp --sport 25 --match state --state ESTABLISHED,RELATED -j ACCEPT
|
||||||
/sbin/ip6tables -A INPUT -i $INT -p udp --sport 53 --match state --state ESTABLISHED,RELATED -j ACCEPT
|
/sbin/ip6tables -A INPUT -i $INT -p udp --sport 53 --match state --state ESTABLISHED,RELATED -j ACCEPT
|
||||||
/sbin/ip6tables -A INPUT -i $INT -p tcp --sport 53 --match state --state ESTABLISHED,RELATED -j ACCEPT
|
/sbin/ip6tables -A INPUT -i $INT -p tcp --sport 53 --match state --state ESTABLISHED,RELATED -j ACCEPT
|
||||||
|
|
||||||
# Allow Output DNS, NTP and traceroute traffic
|
# Example: allow output DNS, NTP and traceroute traffic
|
||||||
/sbin/ip6tables -A OUTPUT -o $INT -p udp --dport 53 --match state --state NEW -j ACCEPT
|
/sbin/ip6tables -A OUTPUT -o $INT -p udp --dport 53 --match state --state NEW -j ACCEPT
|
||||||
/sbin/ip6tables -A OUTPUT -o $INT -p udp --dport 123 --match state --state NEW -j ACCEPT
|
/sbin/ip6tables -A OUTPUT -o $INT -p udp --dport 123 --match state --state NEW -j ACCEPT
|
||||||
#/sbin/ip6tables -A OUTPUT -o $INT -p udp --dport 33434:33523 --match state --state NEW -j ACCEPT
|
#/sbin/ip6tables -A OUTPUT -o $INT -p udp --dport 33434:33523 --match state --state NEW -j ACCEPT
|
||||||
|
|
||||||
# Allow DHCPv6
|
# Example: allow DHCPv6
|
||||||
/sbin/ip6tables -A INPUT -i $INT -p udp --dport 546 -d fe80::/64 -j ACCEPT
|
/sbin/ip6tables -A INPUT -i $INT -p udp --dport 546 -d fe80::/64 -j ACCEPT
|
||||||
/sbin/ip6tables -A OUTPUT -o $INT -p udp --dport 547 -j ACCEPT
|
/sbin/ip6tables -A OUTPUT -o $INT -p udp --dport 547 -j ACCEPT
|
||||||
|
|
||||||
################### IPv4 Specific rules
|
# IPv4 Specific rules
|
||||||
|
#####################
|
||||||
|
|
||||||
# /sbin/iptables ...
|
# /sbin/iptables ...
|
||||||
|
|
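Review bot: The new comment headings `# Example: allow input HTTP/HTTPS/SMTP/DNS traffic`, `# Example: allow output DNS, NTP and traceroute traffic` and `# Example: allow DHCPv6` sit above `/sbin/ip6tables` lines that are left uncommented, so they are not examples but live rules that presumably run whenever this file is sourced with `IPV6=on`; a reader skimming the file may assume they are inert and leave unintended IPv6 openings in place. The file already has a convention for an inert rule (the traceroute line is prefixed with `#`), so either comment these rules out the same way or drop the "Example:" wording, e.g. `# Allow input HTTP/HTTPS/SMTP/DNS traffic (active rules, edit to your needs)`. Separately, `SERVICESTCP1='25 53 443 993 995 2222'` now exposes 2222 as a public service while 22 is moved to the protected list; if 2222 is an alternate SSH port the restriction on 22 does not cover it, so a one-line comment stating what 2222 is for would make the intent auditable.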