Commit graph

80 commits

Author SHA1 Message Date
Ludovic Poujol 7c384a777b
Better handling of Docker to match the usual minifirewall behaviour
Revert some changes from 0ec2cb2f4b
like the SERVICESTCP4 SERVICESUDP4

Instead, we'll re-create the usual behaviour of public, privileged and
trusted ports for docker when the variable DOCKER is set to "on"
2020-07-27 10:33:40 +02:00
Ludovic Poujol 0ec2cb2f4b
Make it compatible with docker
Add a new variable "DOCKER" that should be set to "on" when this is a
docker machine.

It will
- Disable the nat tables flush on stop/restart
  Reason: Not breaking outgoing networking for containers

- Create the "DOCKER-USER" chain, and add a DROP
  By default everything is closed and we don't expose services to the
  outside world

- Add rules in the "DOCKER-USER" chain to open services to the outside
  world.

Untested with swarm
2020-02-25 16:33:24 +01:00
Ludovic Poujol 30041b8949
Fix IPV6 var not being defined on stop 2020-02-21 16:26:41 +01:00
Ludovic Poujol 60ca9f67b2
Update project URL in comment 2020-02-17 10:54:01 +01:00
Victor LABORIE 42e18e57fd Add a Vagrantfile for testing 2019-06-04 17:43:26 +02:00
Victor LABORIE 326547fba3 Fix typo in install doc 2019-06-04 17:40:26 +02:00
Victor LABORIE e80979e04d Minifirewall is now under GPLv3 license 2019-06-04 16:53:34 +02:00
Victor LABORIE 6846263daa Update README.md 2019-06-04 16:48:27 +02:00
Tristan PILAT 979b7e2d03 Add missing variables in SMTPSECUREOK and SMTPOK loops 2018-08-28 15:39:58 +02:00
Romain Dessort 9ebb5fe748 Add security-cdn.debian.org to HTTPSITES whitelist
Debian migrated its security.debian.org repository to Fastly CDN
(security-cdn.debian.org) so we have to whitelist it too to make
security upgrades possible.
2018-01-29 11:22:46 -05:00
Jérémy Lecour 0450c12f5d Merge branch 'ocsp-letsencrypt' 2017-05-16 09:59:47 +02:00
Jérémy Lecour afdfc00a67 Add letsencrypt in HTTPSITES 2017-05-16 09:58:16 +02:00
Victor LABORIE dba28b0679 Remove obsolete srv domain 2016-08-09 12:40:14 +02:00
Gregory Colpart 164d727e8e Remove obsolete IP addr 2015-12-07 17:20:51 +01:00
Benoît S. b6a47dea0d Added quote to $IPV6 variables. 2015-10-21 10:45:39 +02:00
Tristan PILAT 02d6447a10 Fix bug with IPv6.
When IPv6=off don't use ip6tables in stop and reset function.
2015-10-19 10:59:00 +02:00
Gregory Colpart 4864872586 Rename README -> README.md for Redmine / Github 2015-09-13 20:40:56 +02:00
Gregory Colpart 2943a7d58c Improve output messages 2015-09-13 20:31:04 +02:00
Gregory Colpart 52f177303c Fix bug in old config detection 2015-09-13 20:21:55 +02:00
Gregory Colpart 4ea10ccc83 Improve configuration file 2015-09-13 20:13:05 +02:00
Gregory Colpart 2f561a6172 Improve descriptions / comments (switch all in English, etc.) 2015-09-13 18:37:53 +02:00
Gregory Colpart 9579cfe991 Fix #1565. Use now /etc/default/minifirewall for config file! 2015-09-13 17:15:40 +02:00
Gregory Colpart 6bc560b66a Add default rule for IPv6 DNS responses 2015-03-13 01:55:13 +01:00
Benoît S. 283ff1161f Added SpamAssassin update repo URLs. 2015-01-20 17:17:10 +01:00
Gregory Colpart 2d2fded0ac use same syntax for all ip6tables rules 2015-01-12 20:54:17 +01:00
Gregory Colpart ebbee1ac84 Modify URL to track country ip blocks 2015-01-12 20:45:27 +01:00
Benoît S. ec0b8ffef5 Added to HTTPSITES zidane and antismap00. 2015-01-02 14:07:17 +01:00
Arnaud Tomeï 5525ff343f Adding new IP address for Evolix 2014-12-24 16:23:05 +01:00
Gregory Colpart d452c16bc6 Duplicate rule 2014-09-11 23:33:33 +02:00
Benoît S. f3674af0db Allow Input DNS on IPv6.
Used when a slave responds to a master notification in bind for example.
2014-07-25 14:21:42 +02:00
Benoît S. 5275f8d7e2 Moves rules from firewall.rc to minifirewall core. 2014-05-22 17:38:00 +02:00
Romain Dessort 57ae4df6e7 Merge branch 'master' of ssh://git.evolix.org/git/evolinux/minifirewall 2014-05-09 11:09:52 +02:00
Romain Dessort 0eda844bba Add delegated CIDR for AFRINIC and LACNIC. 2014-05-09 11:08:32 +02:00
Benoît S. 705c4683a2 Allow all output on lo interface for IPv6. 2014-03-12 16:22:15 +01:00
Benoît S. ce1d628516 Adding rules for DHCPv6. 2013-12-13 11:22:27 +01:00
Benoît S. 8ed3c722ce Adding hwraid.le-vert.net in HTTPSITES 2013-10-31 14:11:07 +01:00
Benoît S. 6c162c516b Fixing typo in HTTPSITES. 2013-06-07 14:43:54 +02:00
Gregory Colpart 6df7c86ccf Add http://backports.debian.org by default 2013-05-06 16:07:53 +02:00
Gregory Colpart 7d3d928e02 Improve new UDP rules to DROP by default 2012-11-14 00:55:35 +01:00
Benoît S. ec14ee9f3e Last committer removed the IPv4 UDP rules?! Re-adding. 2012-11-09 10:05:34 +01:00
Gregory Colpart f84add886a Merge branch 'master' of ssh://git.evolix.org/git/evolinux/minifirewall
Conflicts:
	firewall.rc
2012-10-29 12:28:55 +01:00
Gregory Colpart f714700623 Allow SMTP IPv6 2012-10-29 12:25:41 +01:00
Romain Dessort 7795b715e6 Add rules to open traceroute UDP port. 2012-10-24 10:32:05 +02:00
Benoît S. b57dddf917 By default allow outgoing packets on loopback. This is needed since the new
policy of dropping all outgoing UDP packets, especially when there is a local
bind.
2012-10-08 16:19:22 +02:00
Benoît S. 44bb5925eb Amelioration added for blocking output UDP. 2012-10-03 14:21:04 +02:00
Benoît S. b5412ce98a Adding rules to block outgoing UDP traffic except for DNS and NTP. 2012-08-22 16:21:28 +02:00
Gregory Colpart e7a7f26951 Patch to have compatibility with poor non-IPv6 server 2011-11-11 15:47:37 +01:00
Gregory Colpart 11ca1d1599 Improve rock-solid comportment of the firewall script! 2011-10-21 03:16:40 +02:00
Gregory Colpart b72c47223a IPv6 support 2011-10-21 02:06:50 +02:00
Gregory Colpart 60bf2989c4 Merge branch 'master' of ssh://git.evolix.org/git/evolinux/minifirewall 2011-08-29 14:45:47 +02:00