Commit graph

34 commits

Author SHA1 Message Date
Ludovic Poujol 7c384a777b
Better handling of Docker to match the usual minifirewall behaviour
Revert some changes from 0ec2cb2f4b
like the SERVICESTCP4 SERVICESUDP4

Instead, we'll re-create the usual behaviour of public, privileged and
trusted ports for docker when the variable DOCKER is set to "on"
2020-07-27 10:33:40 +02:00
Ludovic Poujol 0ec2cb2f4b
Make it compatible with docker
Add a new variable "DOCKER" that should be set to "on" when this is a
docker machine.

It will
- Disable the nat tables flush on stop/restart
  Reason: Not breaking outgoing networking for containers

- Create the "DOCKER-USER" chain, and add a DROP
  By default everything is closed and we don't expose services to the
  outside world

- Add rules in the "DOCKER-USER" chain to open services to the outside
  world.

Untested with swarm
2020-02-25 16:33:24 +01:00
Ludovic Poujol 30041b8949
Fix IPV6 var not being defined on stop 2020-02-21 16:26:41 +01:00
Ludovic Poujol 60ca9f67b2
Update project URL in comment 2020-02-17 10:54:01 +01:00
Victor LABORIE e80979e04d Minifirewall is now under GPLv3 license 2019-06-04 16:53:34 +02:00
Tristan PILAT 979b7e2d03 Add missing variables in SMTPSECUREOK and SMTPOK loops 2018-08-28 15:39:58 +02:00
Benoît S. b6a47dea0d Added quote to $IPV6 variables. 2015-10-21 10:45:39 +02:00
Tristan PILAT 02d6447a10 Fix bug with IPv6.
When IPv6=off don't use ip6tables in stop and reset function.
2015-10-19 10:59:00 +02:00
Gregory Colpart 2943a7d58c Improve output messages 2015-09-13 20:31:04 +02:00
Gregory Colpart 52f177303c Fix bug in old config detection 2015-09-13 20:21:55 +02:00
Gregory Colpart 2f561a6172 Improve descriptions / comments (switch all in English, etc.) 2015-09-13 18:37:53 +02:00
Gregory Colpart 9579cfe991 Fix #1565. Use now /etc/default/minifirewall for config file! 2015-09-13 17:15:40 +02:00
Benoît S. 5275f8d7e2 Moves rules from firewall.rc to minifirewall core. 2014-05-22 17:38:00 +02:00
Benoît S. 705c4683a2 Allow all output on lo interface for IPv6. 2014-03-12 16:22:15 +01:00
Gregory Colpart 7d3d928e02 Improve new UDP rules to DROP by default 2012-11-14 00:55:35 +01:00
Benoît S. b57dddf917 By default allow outgoing packets on loopback. This is needed since the new
policy of dropping all outgoing UDP packets, especially when there is a local
bind.
2012-10-08 16:19:22 +02:00
Benoît S. 44bb5925eb Amelioration added for blocking output UDP. 2012-10-03 14:21:04 +02:00
Gregory Colpart e7a7f26951 Patch to have compatibility with poor non-IPv6 server 2011-11-11 15:47:37 +01:00
Gregory Colpart 11ca1d1599 Improve rock-solid comportment of the firewall script! 2011-10-21 03:16:40 +02:00
Gregory Colpart b72c47223a IPv6 support 2011-10-21 02:06:50 +02:00
Gregory Colpart 2495c3270f Remove limit on ICMP pings... 2011-08-29 14:45:14 +02:00
Gregory Colpart 1a17daeba4 Fix a bug with var name, and remove _ (uniformization) 2011-06-03 11:53:51 +02:00
Gregory Colpart 47fd56a25a Improve copyright and info 2011-04-02 12:12:49 +02:00
Colin Darie 57135c932d Make minifirewall executable
Signed-off-by: Gregory Colpart <reg@evolix.fr>
2011-04-02 12:01:59 +02:00
Colin Darie 821af4d12f Added a SMTP_SECURE_OK rule (port 465)
Signed-off-by: Gregory Colpart <reg@evolix.fr>
2011-04-02 12:01:58 +02:00
Colin Darie fc4f8194ae Fix warning about a deprecated iptables syntax
Signed-off-by: Gregory Colpart <reg@evolix.fr>
2011-04-02 12:01:58 +02:00
Colin Darie dc7c45c43f LSBization of the init script
Signed-off-by: Gregory Colpart <reg@evolix.fr>
2011-04-02 12:01:26 +02:00
Colin Darie 089fa24606 Fix deprecated syntax in the new iptables
The message returned was the following:
Using intrapositioned negation (`--option ! this`) is deprecated in
favor of extrapositioned (`! --option this`)

Signed-off-by: Gregory Colpart <reg@evolix.fr>
2011-04-02 12:00:28 +02:00
Thomas Martin ac9400aa8c check correct sourcing of configuration file, and exit if it fails 2011-04-02 12:00:28 +02:00
Gregory Colpart f07fe301ba Bug!!! Conf file is sourced twice... 2010-03-02 20:16:02 +01:00
Gregory Colpart 63108ad27d Changes made with spalma:
- Enable the rules in "-t nat"
- Flush the specific rules on stop before destroying them
2010-02-19 16:56:32 +01:00
Gregory Colpart 3c7c7d8490 Do not DROP FORWARD by default (generally pointless, and useful for dom0s) 2009-08-29 18:59:58 +02:00
Gregory Colpart c3a66eb333 Add NEEDRESTRICT chain to deny some services by free rules
Some improvements
2009-08-12 13:21:53 +02:00
Gregory Colpart b3fb2ce6b9 Import files from http://www.gcolpart.com/hacks/ 2009-08-10 19:02:09 +02:00