Commit graph

105 commits

Author SHA1 Message Date
Tristan PILAT a432511b04 Add per-host output authorization capability 2020-11-18 18:10:27 +01:00
Tristan PILAT c59e63d44d fixup! Update/Add section titles 2020-11-18 18:01:35 +01:00
Tristan PILAT 86ffdfc916 Accept any ICMPv6 input traffic 2020-11-18 18:01:09 +01:00
Tristan PILAT 36634a705f We have to accept output ICMP and IGMP since we drop output traffic by default 2020-11-18 18:00:28 +01:00
Tristan PILAT ba865faf0a Add IPv6 compatibility 2020-11-18 17:56:11 +01:00
Tristan PILAT ab2a7e9eb0 Let's use the new ip_type function 2020-11-18 17:54:11 +01:00
Tristan PILAT 519a0f9c60 Add a function to tell whether an IP is a v4 or v6 one 2020-11-18 17:54:11 +01:00
Tristan PILAT 520b8893f0 Delete drop rules for output since it is the default policy now 2020-11-18 17:54:11 +01:00
Tristan PILAT 550af6e21f Change output default policy to drop 2020-11-18 17:54:10 +01:00
Tristan PILAT 7a1adbdf39 Update/Add section titles 2020-11-18 17:54:10 +01:00
Tristan PILAT 6bc1b75cd2 Update blacklist-countries.sh script to be used with nftables 2020-10-14 17:21:54 +02:00
Tristan PILAT 1b19f7084b We need flags interval to be able to use CIDR notation in minifirewall_privileged_ips and minifirewall_trusted_ips sets 2020-10-14 17:21:00 +02:00
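The two commits above that add a function to tell an IPv4 address from an IPv6 one and that switch the privileged/trusted sets to `flags interval` so CIDR entries work together describe one step of the nftables rewrite: sort a mixed address list into one set per family and let prefixes be elements. The following is an added example in POSIX sh, not minifirewall's own code; the function names ip_type, split_family, nft_set and privileged_ruleset, the set names and the addresses are this example's assumptions, while the `type ipv4_addr`/`ipv6_addr`, `flags interval` and `elements = { ... }` syntax is standard nft(8).

```shell
#!/bin/sh
# Added example, not minifirewall's own code: tell IPv4 from IPv6 entries in a
# mixed address list and render them as nftables sets that take CIDR elements.
# Function names, set names and addresses are this example's own assumptions.

# is_ipv4 ADDR[/PREFIX]: four decimal octets, each 0..255.
is_ipv4() {
    addr=${1%%/*}
    oldifs=$IFS; IFS=.
    set -- $addr
    IFS=$oldifs
    [ $# -eq 4 ] || return 1
    for o in "$@"; do
        case "$o" in ''|*[!0-9]*) return 1 ;; esac
        [ "$o" -le 255 ] || return 1
    done
}

# ip_type ADDR[/PREFIX]: print 4 or 6; fail (print nothing) for anything else.
# The IPv6 test is deliberately loose (hex digits and colons only), enough to
# pick the nft family; nft itself rejects malformed elements when loading.
ip_type() {
    if is_ipv4 "$1"; then
        echo 4
        return 0
    fi
    case "${1%%/*}" in
        *[!0-9A-Fa-f:]*) return 1 ;;
        *:*) echo 6 ;;
        *) return 1 ;;
    esac
}

# split_family FAMILY ADDR...: print the entries belonging to ip or ip6,
# warning about anything ip_type rejects instead of silently dropping it.
split_family() {
    family=$1; shift
    want=4; [ "$family" = ip6 ] && want=6
    for a in "$@"; do
        if t=$(ip_type "$a"); then
            [ "$t" = "$want" ] && echo "$a"
        else
            echo "warning: skipping unparsable entry '$a'" >&2
        fi
    done
    return 0
}

# nft_set FAMILY NAME ELEMENT...: one set definition, indented for use inside a
# table. "flags interval" is what allows prefixes such as 192.0.2.0/24 as elements.
nft_set() {
    family=$1; name=$2; shift 2
    type=ipv4_addr; [ "$family" = ip6 ] && type=ipv6_addr
    printf '    set %s {\n        type %s\n        flags interval\n' "$name" "$type"
    if [ $# -gt 0 ]; then
        elems=$1; shift
        for e in "$@"; do elems="$elems, $e"; done
        printf '        elements = { %s }\n' "$elems"
    fi
    printf '    }\n'
}

# privileged_ruleset ADDR...: render an inet table whose input chain drops by
# default and accepts only established traffic and the per-family privileged
# sets. Printed, not loaded: review it, then pipe it into `nft -f -`.
privileged_ruleset() {
    v4=$(split_family ip "$@")
    v6=$(split_family ip6 "$@")
    printf 'table inet filter {\n'
    nft_set ip privileged_ips_v4 $v4
    nft_set ip6 privileged_ips_v6 $v6
    printf '    chain input {\n'
    printf '        type filter hook input priority 0; policy drop;\n'
    printf '        ct state established,related accept\n'
    printf '        ip saddr @privileged_ips_v4 accept\n'
    printf '        ip6 saddr @privileged_ips_v6 accept\n'
    printf '    }\n}\n'
}

# Demo with constructed addresses (documentation ranges, not real hosts).
privileged_ruleset 192.0.2.0/24 2001:db8::/32 198.51.100.7 not-an-ip
```

The unparsable entry is reported on stderr rather than dropped silently, because a privileged address that never makes it into the set is the kind of failure nobody notices until the lockout. Without `flags interval`, nft refuses the `/24` and `/32` elements at load time.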
Tristan PILAT 948a3aeeb2 We want to drop traffic coming to protected TCP/UDP ports 2020-10-14 17:18:03 +02:00
Tristan PILAT 1c1d5480bc Add rules to redirect traffic from blocked IPs to protected_tcp_ports and protected_udp_ports chains 2020-10-14 17:16:17 +02:00
Tristan PILAT 6a46ca716b Add a set for the blocked IP addresses 2020-10-14 17:14:23 +02:00
Tristan PILAT 5af8fad976 It's easier to just accept all icmp 2020-10-14 16:49:23 +02:00
Tristan PILAT 79f6d47a6c Remove commented and useless rules 2020-10-14 16:48:39 +02:00
Tristan PILAT 4781ef509c Don't prevent ICMP replies from going out and only drop TCP and UDP 2020-09-07 11:18:52 +02:00
Tristan PILAT 5f4787d3fd Until we get an nftables version of the Docker rules present for iptables, remove the commented-out iptables part for Docker. 2020-09-07 11:17:34 +02:00
Tristan PILAT c7d0d6820b Simplification of the input ICMP and IGMP rules 2020-09-07 11:14:41 +02:00
Tristan PILAT 9169a9f0b0 Include rules in the if statements + add comments for every output rule 2020-08-31 17:08:30 +02:00
Tristan PILAT 585c16c92e minifirewall script has been renamed to minifirewall-{start,stop}.sh 2020-08-31 09:48:48 +02:00
Tristan PILAT 286fe62de5 Add initial work for output filtering 2020-08-31 09:47:35 +02:00
Tristan PILAT 129b323f80 First nftables version of minifirewall 2020-08-24 16:59:15 +02:00
Ludovic Poujol 3bcaee5b58 Merge pull request 'Docker handling' (#5) from docker into master
Reviewed-on: #5
2020-07-27 10:43:26 +02:00
Ludovic Poujol 7c384a777b Better handling of Docker to match the usual minifirewall behaviour
Revert some changes from 0ec2cb2f4b
like the SERVICESTCP4 SERVICESUDP4

Instead, we'll re-create the usual behaviour of public, privileged and
trusted ports for docker when the variable DOCKER is set to "on"
2020-07-27 10:33:40 +02:00
Ludovic Poujol 0ec2cb2f4b Make it compatible with Docker
Add a new variable "DOCKER" that should be set to "on" when this is a
docker machine.

It will
- Disable the nat tables flush on stop/restart
  Reason: not breaking outgoing networking for containers

- Create the "DOCKER-USER" chain, and add a DROP
  By default everything is closed and we don't expose services to the
  outside world

- Add rules in the "DOCKER-USER" chain to open services to the outside
  world.

Untested with swarm
2020-02-25 16:33:24 +01:00
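The commit message above describes the DOCKER=on behaviour in three points: leave the nat table alone on stop, close DOCKER-USER with a DROP, and open services inside that chain. The following is an added example, not minifirewall's code, that renders those rules as iptables commands so the order can be reviewed before anything is applied. The interface name, the port and address lists and the function names docker_user_rules and stop_rules are this example's assumptions. One point the commit does not spell out and that the example handles: Docker sends every forwarded packet through DOCKER-USER, container egress and the replies to it included, so a chain that ends in a bare DROP also cuts containers off from the Internet; established flows and packets not arriving on the public interface therefore RETURN first.

```shell
#!/bin/sh
# Added example, not minifirewall's own code: the DOCKER-USER arrangement
# (chain closed by default, services opened in it, nat table left alone on
# stop) rendered as iptables commands. EXT_IF, the port/address lists and the
# function names are this example's assumptions.

# docker_user_rules EXT_IF "PUBLIC_TCP" "PRIVILEGED_TCP" "PRIVILEGED_IPS"
# Prints the commands; pipe into sh once reviewed.
docker_user_rules() {
    ext_if=$1; public_tcp=$2; privileged_tcp=$3; privileged_ips=$4
    # Docker creates DOCKER-USER itself when the daemon starts; create it if
    # we happen to run first, then start from an empty chain.
    echo "iptables -N DOCKER-USER 2>/dev/null || true"
    echo "iptables -F DOCKER-USER"
    # Replies to container-initiated connections, and anything not coming in
    # on the public interface, go back to Docker's own FORWARD rules.
    echo "iptables -A DOCKER-USER -m conntrack --ctstate RELATED,ESTABLISHED -j RETURN"
    echo "iptables -A DOCKER-USER ! -i $ext_if -j RETURN"
    # Public services: open to anyone.
    for port in $public_tcp; do
        echo "iptables -A DOCKER-USER -i $ext_if -p tcp --dport $port -j ACCEPT"
    done
    # Privileged services: open only to the privileged sources.
    for port in $privileged_tcp; do
        for src in $privileged_ips; do
            echo "iptables -A DOCKER-USER -i $ext_if -p tcp -s $src --dport $port -j ACCEPT"
        done
    done
    # Everything else that arrives on the public interface for a container.
    echo "iptables -A DOCKER-USER -i $ext_if -j DROP"
}

# stop_rules DOCKER: what to flush on stop/restart. With DOCKER=on the nat
# table keeps Docker's MASQUERADE and DNAT entries; flushing it would break
# container networking until the daemon is restarted.
stop_rules() {
    echo "iptables -F INPUT"
    echo "iptables -F OUTPUT"
    echo "iptables -F FORWARD"
    if [ "$1" = on ]; then
        echo "iptables -F DOCKER-USER"
    else
        echo "iptables -t nat -F"
    fi
}

# Demo with constructed values (documentation addresses, not real hosts).
DOCKER=on
docker_user_rules eth0 "80 443" "22" "192.0.2.10 198.51.100.0/24"
stop_rules "$DOCKER"
```

Note that on stop with DOCKER=on the flushed DOCKER-USER chain falls through to Docker's own rules, so every published port becomes reachable: that is the "firewall off" state, the same as flushing INPUT on a non-Docker host.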
Ludovic Poujol 30041b8949 Fix IPV6 var not being defined on stop 2020-02-21 16:26:41 +01:00
Ludovic Poujol 60ca9f67b2 Update project URL in comment 2020-02-17 10:54:01 +01:00
Victor LABORIE 42e18e57fd Add a Vagrantfile for testing 2019-06-04 17:43:26 +02:00
Victor LABORIE 326547fba3 Fix typo in install doc 2019-06-04 17:40:26 +02:00
Victor LABORIE e80979e04d Minifirewall is now under GPLv3 license 2019-06-04 16:53:34 +02:00
Victor LABORIE 6846263daa Update README.md 2019-06-04 16:48:27 +02:00
Tristan PILAT 979b7e2d03 Add missing variables in SMTPSECUREOK and SMTPOK loops 2018-08-28 15:39:58 +02:00
Romain Dessort 9ebb5fe748 Add security-cdn.debian.org to HTTPSITES whitelist
Debian migrated its security.debian.org repository to Fastly CDN
(security-cdn.debian.org) so we have to whitelist it too to make
security upgrades possible.
2018-01-29 11:22:46 -05:00
Jérémy Lecour 0450c12f5d Merge branch 'ocsp-letsencrypt' 2017-05-16 09:59:47 +02:00
Jérémy Lecour afdfc00a67 Add letsencrypt in HTTPSITES 2017-05-16 09:58:16 +02:00
Victor LABORIE dba28b0679 Remove obsolete srv domain 2016-08-09 12:40:14 +02:00
Gregory Colpart 164d727e8e Remove obsolete IP addr 2015-12-07 17:20:51 +01:00
Benoît S. b6a47dea0d Added quotes to $IPV6 variables. 2015-10-21 10:45:39 +02:00
Tristan PILAT 02d6447a10 Fix bug with IPv6.
When IPv6=off, don't use ip6tables in the stop and reset functions.
2015-10-19 10:59:00 +02:00
Gregory Colpart 4864872586 Rename README -> README.md for Redmine / Github 2015-09-13 20:40:56 +02:00
Gregory Colpart 2943a7d58c Improve output messages 2015-09-13 20:31:04 +02:00
Gregory Colpart 52f177303c Fix bug in old config detection 2015-09-13 20:21:55 +02:00
Gregory Colpart 4ea10ccc83 Improve configuration file 2015-09-13 20:13:05 +02:00
Gregory Colpart 2f561a6172 Improve descriptions / comments (switch all in english, etc.) 2015-09-13 18:37:53 +02:00
Gregory Colpart 9579cfe991 Fix #1565. Use now /etc/default/minifirewall for config file! 2015-09-13 17:15:40 +02:00
Gregory Colpart 6bc560b66a Add default rule for IPv6 DNS responses 2015-03-13 01:55:13 +01:00
Benoît S. 283ff1161f Added SpamAssassin update repo URLs. 2015-01-20 17:17:10 +01:00
Gregory Colpart 2d2fded0ac Use the same syntax for all ip6tables rules 2015-01-12 20:54:17 +01:00