# Configuration for minifirewall : https://gitea.evolix.org/evolix/minifirewall # Version 23.07 # shellcheck shell=sh disable=SC2034 # Main interface INT='eth0' # IPv6 IPV6='on' # Docker Mode # Changes the behaviour of minifirewall to not break the containers' network # For instance, turning it on will disable nat table purge # Also, we'll add the DOCKER-USER chain, in iptables # # WARNING : If the port mapping is different between the host and the container # (ie: Listen on :8090 on host, but :8080 in container) # then you need to give the port used inside the container DOCKER='off' # Trusted local network # ...will be often IPv4/32 or IPv6/128 if you don't trust anything INTLAN='192.0.2.1/32 2001:db8::1/128' # Trusted IP addresses for private and semi-public services # TODO: add all our IPv6 adresses TRUSTEDIPS='31.170.9.129 2a01:9500:37:129::/64 31.170.8.4 2a01:9500::fada 82.65.34.85 2a01:e0a:571:2a10::1 54.37.106.210 51.210.84.146' # Privilegied IP addresses for semi-public services # (no need to add again TRUSTEDIPS) PRIVILEGIEDIPS='' # Local services IP restrictions ####################################### # Protected services # (add also in Public services if needed) SERVICESTCP1p='22222' SERVICESUDP1p='' # Public services (IPv4/IPv6) SERVICESTCP1='22222' SERVICESUDP1='' # Semi-public services (IPv4) SERVICESTCP2='22' SERVICESUDP2='' # Private services (IPv4) SERVICESTCP3='5666' SERVICESUDP3='' # Standard output IPv4/IPv6 access restrictions ########################################## # DNS authorizations # (if you have local DNS server, set 0.0.0.0/0) DNSSERVEURS='0.0.0.0/0 ::/0' # HTTP authorizations # (you can use DNS names but set cron to reload minifirewall regularly) # (if you have HTTP proxy, set 0.0.0.0/0) HTTPSITES='0.0.0.0/0 ::/0' # HTTPS authorizations HTTPSSITES='0.0.0.0/0 ::/0' # FTP authorizations FTPSITES='' # SSH authorizations SSHOK='0.0.0.0/0 ::/0' # SMTP authorizations SMTPOK='0.0.0.0/0 ::/0' # SMTP secure authorizations (ports TCP/465 and TCP/587) SMTPSECUREOK='' # NTP authorizations NTPOK='0.0.0.0/0 ::/0' # Proxy (Squid) PROXY='off' # (proxy port) PROXYPORT='8888' # (destinations that bypass the proxy) PROXYBYPASS="${INTLAN} 127.0.0.0/8 ::1/128" # Backup servers # (add IP:PORT for each one, example: '192.168.10.1:1234 192.168.10.2:5678') BACKUPSERVERS='' # Includes ##################### # Files in /etc/minifirewall.d/* (without "." in name) # are automatically included in alphanumerical order. # # Within included files, you can use those helper functions : # * is_ipv6_enabled: returns true if IPv6 is enabled, or false # * is_docker_enabled: returns true if Docker mode is eabled, or false # * is_proxy_enabled: returns true if Proxy mode is enabled , or false # Custom sysctl values (advanced) ################################# # In most cases, the default values set by minifirewall are good. # If you really know what you are doing, # you can uncomment some lines and customize the values. # Set 1 to ignore broadcast pings (default) # SYSCTL_ICMP_ECHO_IGNORE_BROADCASTS='1' # Set 1 to ignore bogus ICMP responses (default) # SYSCTL_ICMP_IGNORE_BOGUS_ERROR_RESPONSES='1' # Set 0 to disable source routing (default) # SYSCTL_ACCEPT_SOURCE_ROUTE='0' # Set 1 to enable TCP SYN cookies (default) # SYSCTL_TCP_SYNCOOKIES='1' # Set 0 to disable ICMP redirects (default) # SYSCTL_ICMP_REDIRECTS='0' # Set 1 to enable Reverse Path filtering (default) # Set 0 if VRRP is used # SYSCTL_RP_FILTER='1' # Set 1 to log packets with inconsistent address (default) # SYSCTL_LOG_MARTIANS='1'