Tristan PILAT
a432511b04
Add per host output authorisation capability
2020-11-18 18:10:27 +01:00
Tristan PILAT
c59e63d44d
fixup! Update/Add section titles
2020-11-18 18:01:35 +01:00
Tristan PILAT
86ffdfc916
Accept any ICMPv6 input traffic
2020-11-18 18:01:09 +01:00
Tristan PILAT
36634a705f
We have to accept output ICMP and IGMP since we drop output traffic by default
2020-11-18 18:00:28 +01:00
Tristan PILAT
ba865faf0a
Add IPv6 compatibility
2020-11-18 17:56:11 +01:00
Tristan PILAT
ab2a7e9eb0
Let's use the new ip_type function
2020-11-18 17:54:11 +01:00
Tristan PILAT
519a0f9c60
Add a function to tell whether an IP is a v4 or v6 one
2020-11-18 17:54:11 +01:00
Tristan PILAT
520b8893f0
Delete drop rules for output since it is the default policy now
2020-11-18 17:54:11 +01:00
Tristan PILAT
550af6e21f
Change output default policy to drop
2020-11-18 17:54:10 +01:00
Tristan PILAT
7a1adbdf39
Update/Add section titles
2020-11-18 17:54:10 +01:00
Tristan PILAT
6bc1b75cd2
Update blacklist-countries.sh script to be used with nftables
2020-10-14 17:21:54 +02:00
Tristan PILAT
1b19f7084b
We need flags interval to be able to use CIDR notation in minifirewall_privileged_ips and minifirewall_trusted_ips sets
2020-10-14 17:21:00 +02:00
Tristan PILAT
948a3aeeb2
We want to drop traffic coming to protected TCP/UDP ports
2020-10-14 17:18:03 +02:00
Tristan PILAT
1c1d5480bc
Add rules to redirect traffic from blocked IPs to protected_tcp_ports and protected_udp_ports chains
2020-10-14 17:16:17 +02:00
Tristan PILAT
6a46ca716b
Add a set for the blocked IP addresses
2020-10-14 17:14:23 +02:00
Tristan PILAT
5af8fad976
It's easier to just accept all icmp
2020-10-14 16:49:23 +02:00
Tristan PILAT
79f6d47a6c
Remove commented and useless rules
2020-10-14 16:48:39 +02:00
Tristan PILAT
4781ef509c
Don't prevent ICMP replies from going out and only drop TCP and UDP
2020-09-07 11:18:52 +02:00
Tristan PILAT
5f4787d3fd
Until we get an nftables version of the Docker rules present for iptables, remove the commented-out iptables part for Docker.
2020-09-07 11:17:34 +02:00
Tristan PILAT
c7d0d6820b
Simplification of the input ICMP and IGMP rules
2020-09-07 11:14:41 +02:00
Tristan PILAT
9169a9f0b0
Include rules in the if statements + add comments for every output rule
2020-08-31 17:08:30 +02:00
Tristan PILAT
585c16c92e
minifirewall script has been renamed to minifirewall-{start,stop}.sh
2020-08-31 09:48:48 +02:00
Tristan PILAT
286fe62de5
Add initial work for output filtering
2020-08-31 09:47:35 +02:00
Tristan PILAT
129b323f80
First nftables version of minifirewall
2020-08-24 16:59:15 +02:00
Ludovic Poujol
3bcaee5b58
Merge pull request 'Docker handling' (#5) from docker into master
Reviewed-on: #5
2020-07-27 10:43:26 +02:00
Ludovic Poujol
7c384a777b
Better handling of Docker to match the usual minifirewall behaviour
Revert some changes from 0ec2cb2f4b
like the SERVICESTCP4 SERVICESUDP4
Instead, we'll re-create the usual behaviour of public, privileged and
trusted ports for docker when the variable DOCKER is set to "on"
2020-07-27 10:33:40 +02:00
Ludovic Poujol
0ec2cb2f4b
Make it compatible with docker
Add a new variable "DOCKER" that should be set to "on" when this is a
docker machine.
It will
- Disable the nat tables flush on stop/restart
Reason: Not breaking outgoing networking for containers
- Create the "DOCKER-USER" chain, and add a DROP
By default everything is closed and we don't expose services to the
outside world
- Add rules in the "DOCKER-USER" chain to open services to the outside
world.
Untested with swarm
2020-02-25 16:33:24 +01:00
Ludovic Poujol
30041b8949
Fix IPV6 var not being defined on stop
2020-02-21 16:26:41 +01:00
Ludovic Poujol
60ca9f67b2
Update project URL in comment
2020-02-17 10:54:01 +01:00
Victor LABORIE
42e18e57fd
Add a Vagrantfile for testing
2019-06-04 17:43:26 +02:00
Victor LABORIE
326547fba3
Fix typo in install doc
2019-06-04 17:40:26 +02:00
Victor LABORIE
e80979e04d
Minifirewall is now under GPLv3 license
2019-06-04 16:53:34 +02:00
Victor LABORIE
6846263daa
Update README.md
2019-06-04 16:48:27 +02:00
Tristan PILAT
979b7e2d03
Add missing variables in SMTPSECUREOK and SMTPOK loops
2018-08-28 15:39:58 +02:00
Romain Dessort
9ebb5fe748
Add security-cdn.debian.org to HTTPSITES whitelist
Debian migrated its security.debian.org repository to Fastly CDN
(security-cdn.debian.org) so we have to whitelist it too to make
security upgrades possible.
2018-01-29 11:22:46 -05:00
Jérémy Lecour
0450c12f5d
Merge branch 'ocsp-letsencrypt'
2017-05-16 09:59:47 +02:00
Jérémy Lecour
afdfc00a67
Add letsencrypt in HTTPSITES
2017-05-16 09:58:16 +02:00
Victor LABORIE
dba28b0679
Remove obsolete srv domain
2016-08-09 12:40:14 +02:00
Gregory Colpart
164d727e8e
Remove obsolete IP addr
2015-12-07 17:20:51 +01:00
Benoît S.
b6a47dea0d
Added quotes to $IPV6 variables.
2015-10-21 10:45:39 +02:00
Tristan PILAT
02d6447a10
Fix bug with IPv6.
When IPv6=off don't use ip6tables in the stop and reset functions.
2015-10-19 10:59:00 +02:00
Gregory Colpart
4864872586
Rename README -> README.md for Redmine / Github
2015-09-13 20:40:56 +02:00
Gregory Colpart
2943a7d58c
Improve output messages
2015-09-13 20:31:04 +02:00
Gregory Colpart
52f177303c
Fix bug in old config detection
2015-09-13 20:21:55 +02:00
Gregory Colpart
4ea10ccc83
Improve configuration file
2015-09-13 20:13:05 +02:00
Gregory Colpart
2f561a6172
Improve descriptions / comments (switch all in english, etc.)
2015-09-13 18:37:53 +02:00
Gregory Colpart
9579cfe991
Fix #1565. Now use /etc/default/minifirewall for config file!
2015-09-13 17:15:40 +02:00
Gregory Colpart
6bc560b66a
Add default rule for IPv6 DNS responses
2015-03-13 01:55:13 +01:00
Benoît S.
283ff1161f
Added SpamAssassin update repo URLs.
2015-01-20 17:17:10 +01:00
Gregory Colpart
2d2fded0ac
Use the same syntax for all ip6tables rules
2015-01-12 20:54:17 +01:00