From 45f04e322a84432a3fb3c8f235ccf2ce026ba8d8 Mon Sep 17 00:00:00 2001
From: Ludovic Poujol
Date: Wed, 12 Jan 2022 12:04:56 +0100
Subject: [PATCH 1/3] Add warning on port opening for docker

---
 README.md | 9 +++++++++
 minifirewall.conf | 3 +++
 2 files changed, 12 insertions(+)

diff --git a/README.md b/README.md
index 97e78cd..678ac5a 100644
--- a/README.md
+++ b/README.md
@@ -26,6 +26,15 @@ Edit /etc/default/minifirewall file:
 * Configure your authorizations for external services : DNS, HTTP, HTTPS, SMTP, SSH, NTP
 * Add your specific rules
 
+### Docker
+
+To use minifirewall with docker you need to change the variable *DOCKER* from _off_ to _on_
+Then, authorisation for public/semi-public/private ports will also work for dockerized services
+
+
+**WARNING** : When the port mapping on the host is different than in the container (ie: listen on :8090 on the host, but the service in the container listen on :8080)
+you need to use the port used by the container (ie: 8080) in the public/semi-public/private port list
+
 ## Usage
 
 ~~~
diff --git a/minifirewall.conf b/minifirewall.conf
index f5548fc..7dc39c1 100644
--- a/minifirewall.conf
+++ b/minifirewall.conf
@@ -12,6 +12,9 @@ IPV6=on
 # For instance, turning it on will disable nat table purge
 # Also, we'll add the DOCKER-USER chain, in iptable
 DOCKER='off'
+# WARNING : If the port mapping is different between host and container
+# (ie: Listen on :8090 on host but :8080 in container)
+# Then you need to makes the rules with the port used inside the container
 
 # Trusted IPv4 local network
 # ...will be often IP/32 if you don't trust anything

From f52971a173af8295029dfaaadf0e241ab9e406e5 Mon Sep 17 00:00:00 2001
From: Jeremy Dubois
Date: Mon, 24 Jan 2022 11:09:36 +0100
Subject: [PATCH 2/3] Apply policy of IPv4 to IPv6

We close almost all to be sure that nothing works if we don't configure it
---
 minifirewall.conf | 10 +++++-----
 1 file changed, 5 insertions(+), 5 deletions(-)

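Review bot: The three comment lines added under `DOCKER='off'` state the rule ("use the port inside the container") but not why, and the last one has a grammar slip (`makes the rules`); without the reason a reader will treat it as a quirk to memorise rather than a property of the setup. As far as I can infer from how Docker publishes ports, the mapping is applied by DNAT in the nat table before the filter chains (where the DOCKER-USER chain mentioned two lines above is hooked) see the packet, so those rules only ever see the container-side port — worth confirming against the script that installs the chain, which is outside this patch. I would write the block as `# WARNING : If the port mapping is different between host and container` / `# (ie: Listen on :8090 on host but :8080 in container)` / `# then write the rules with the container's port: published ports are DNATed before the filter rules see them`. The README hunk in this same patch carries the same wording and would benefit from the same one-line explanation.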
diff --git a/minifirewall.conf b/minifirewall.conf
index 7dc39c1..60851f9 100644
--- a/minifirewall.conf
+++ b/minifirewall.conf
@@ -84,11 +84,11 @@ NTPOK='0.0.0.0/0'
 #####################
 
 # Example: allow input HTTP/HTTPS/SMTP/DNS traffic
-/sbin/ip6tables -A INPUT -i $INT -p tcp --sport 80 --match state --state ESTABLISHED,RELATED -j ACCEPT
-/sbin/ip6tables -A INPUT -i $INT -p tcp --sport 443 --match state --state ESTABLISHED,RELATED -j ACCEPT
-/sbin/ip6tables -A INPUT -i $INT -p tcp --sport 25 --match state --state ESTABLISHED,RELATED -j ACCEPT
-/sbin/ip6tables -A INPUT -i $INT -p udp --sport 53 --match state --state ESTABLISHED,RELATED -j ACCEPT
-/sbin/ip6tables -A INPUT -i $INT -p tcp --sport 53 --match state --state ESTABLISHED,RELATED -j ACCEPT
+#/sbin/ip6tables -A INPUT -i $INT -p tcp --sport 80 --match state --state ESTABLISHED,RELATED -j ACCEPT
+#/sbin/ip6tables -A INPUT -i $INT -p tcp --sport 443 --match state --state ESTABLISHED,RELATED -j ACCEPT
+#/sbin/ip6tables -A INPUT -i $INT -p tcp --sport 25 --match state --state ESTABLISHED,RELATED -j ACCEPT
+#/sbin/ip6tables -A INPUT -i $INT -p udp --sport 53 --match state --state ESTABLISHED,RELATED -j ACCEPT
+#/sbin/ip6tables -A INPUT -i $INT -p tcp --sport 53 --match state --state ESTABLISHED,RELATED -j ACCEPT
 
 # Example: allow output DNS, NTP and traceroute traffic
 /sbin/ip6tables -A OUTPUT -o $INT -p udp --dport 53 --match state --state NEW -j ACCEPT

From ba12a45d8a2c2ad4ee090d57b0ddbc9148250130 Mon Sep 17 00:00:00 2001
From: Jeremy Dubois
Date: Thu, 27 Jan 2022 10:15:45 +0100
Subject: [PATCH 3/3] Revert "Apply policy of IPv4 to IPv6"

This reverts commit f52971a173af8295029dfaaadf0e241ab9e406e5 which was a mistake : theses rules match a return packet incoming on the server, not a new one.
---
 minifirewall.conf | 10 +++++-----
 1 file changed, 5 insertions(+), 5 deletions(-)

diff --git a/minifirewall.conf b/minifirewall.conf
index 60851f9..7dc39c1 100644
--- a/minifirewall.conf
+++ b/minifirewall.conf
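Review bot: Commenting out these five ACCEPT rules does not close IPv6 input in the way the commit message intends: every one of them matches `--sport` together with `--state ESTABLISHED,RELATED`, i.e. the reply packets of connections the host itself opened towards remote port 80/443/25/53, so no listener on the host becomes unreachable and what actually breaks is the return traffic of outbound IPv6 HTTP/HTTPS/SMTP/DNS. Whether unsolicited IPv6 input is refused depends on the policy of the INPUT chain, which is set by the main script and not visible in this hunk; if the goal is to mirror the IPv4 policy, that is where it has to be expressed, with services then opened by `--dport`/`--state NEW` rules. If the per-port enumeration is what bothers you, a single `/sbin/ip6tables -A INPUT -i $INT --match state --state ESTABLISHED,RELATED -j ACCEPT` keeps return traffic working for any outbound connection without listing remote ports; the same remark applies to the restored lines in patch 3/3.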
@@ -84,11 +84,11 @@ NTPOK='0.0.0.0/0'
 #####################
 
 # Example: allow input HTTP/HTTPS/SMTP/DNS traffic
-#/sbin/ip6tables -A INPUT -i $INT -p tcp --sport 80 --match state --state ESTABLISHED,RELATED -j ACCEPT
-#/sbin/ip6tables -A INPUT -i $INT -p tcp --sport 443 --match state --state ESTABLISHED,RELATED -j ACCEPT
-#/sbin/ip6tables -A INPUT -i $INT -p tcp --sport 25 --match state --state ESTABLISHED,RELATED -j ACCEPT
-#/sbin/ip6tables -A INPUT -i $INT -p udp --sport 53 --match state --state ESTABLISHED,RELATED -j ACCEPT
-#/sbin/ip6tables -A INPUT -i $INT -p tcp --sport 53 --match state --state ESTABLISHED,RELATED -j ACCEPT
+/sbin/ip6tables -A INPUT -i $INT -p tcp --sport 80 --match state --state ESTABLISHED,RELATED -j ACCEPT
+/sbin/ip6tables -A INPUT -i $INT -p tcp --sport 443 --match state --state ESTABLISHED,RELATED -j ACCEPT
+/sbin/ip6tables -A INPUT -i $INT -p tcp --sport 25 --match state --state ESTABLISHED,RELATED -j ACCEPT
+/sbin/ip6tables -A INPUT -i $INT -p udp --sport 53 --match state --state ESTABLISHED,RELATED -j ACCEPT
+/sbin/ip6tables -A INPUT -i $INT -p tcp --sport 53 --match state --state ESTABLISHED,RELATED -j ACCEPT
 
 # Example: allow output DNS, NTP and traceroute traffic
 /sbin/ip6tables -A OUTPUT -o $INT -p udp --dport 53 --match state --state NEW -j ACCEPT
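Review bot: The restored lines sit under a heading that calls them an example, yet they are live statements in a file that is sourced as configuration, so they are applied on every host that ships this template unchanged; the heading is misleading in both directions, and patch 2/3 in this series shows how easily "example" is read as "optional". Either comment them out and let the administrator enable what they need, or reword the heading to say what they are, e.g. `# Default IPv6 rules: accept replies to connections this host opened towards HTTP/HTTPS/SMTP/DNS`. Which of the two is right depends on what the main script installs by default for IPv6, which is outside this hunk; the `# Example: allow output ...` heading just below has the same ambiguity.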