# Fichier de configuration
# pour minifirewall

# version 0.1 - 12 juillet 2007 $Id: firewall.rc,v 1.2 2007/07/12 19:08:59 reg Exp $

# Interface concernee
INT='eth0'

IPV6=on

# IP associee (plus utilisee dans les scripts)
# INTIP='192.168.0.2'
# reseau beneficiant d'acces privilegies
# (sera souvent IP/32)
INTLAN='192.168.0.2/32'

# trusted ip addresses
TRUSTEDIPS='62.212.121.90 62.212.111.216 88.179.18.233 85.118.59.4 85.118.59.50 31.170.8.4 31.170.9.129'

# privilegied ip addresses
# (trusted ip addresses *are* privilegied)
PRIVILEGIEDIPS=''

# Services "protected"
# a mettre aussi en public si necessaire !!
SERVICESTCP1p='21'
SERVICESUDP1p=''

# Services "publics"
SERVICESTCP1='20 21 25 53 993 995'
SERVICESUDP1='53'

# Services "semi-publics"
SERVICESTCP2='22 80 110 143 443'
SERVICESUDP2=''

# Services "prives"
SERVICESTCP3='5666'
SERVICESUDP3=''

################### SORTANTS

# DNS
# (Attention, si un serveur DNS est installe en local
#  mettre 0.0.0.0/0)
DNSSERVEURS='0.0.0.0/0'

# HTTP : security.d.o x3, zidane, modsecurity www.debian.org
# /!\ Possibilite d'utiliser des noms de domaines
#     mais il est conseiller de placer un rechargement
#     du minifirewall en crontab
# (Attention, si un proxy HTTP est installe en local
#  mettre 0.0.0.0/0)
HTTPSITES='security.debian.org pub.evolix.net volatile.debian.org mirror.evolix.org backports.debian.org hwraid.le-vert.net zidane.evolix.net antispam00.evolix.org spamassassin.apache.org sa-update.space-pro.be sa-update.secnap.net www.sa-update.pccc.com sa-update.dnswl.org'

# HTTPS
# /!\ Possibilite d'utiliser des noms de domaines
#     mais il est conseiller de placer un rechargement
#     du minifirewall en crontab
HTTPSSITES='0.0.0.0/0'

# FTP
FTPSITES=''

# SSH
SSHOK='0.0.0.0/0'

# SMTP
SMTPOK='0.0.0.0/0'

# SMTP secure (port 465 et 587)
SMTPSECUREOK=''

# NTP
NTPOK='0.0.0.0/0'

################### IPv6 Specific rules
# /sbin/ip6tables ...

# Allow Input HTTP/HTTPS/SMTP/DNS traffic
/sbin/ip6tables -A INPUT -i $INT -p tcp --sport 80 --match state --state ESTABLISHED,RELATED -j ACCEPT
/sbin/ip6tables -A INPUT -i $INT -p tcp --sport 443 --match state --state ESTABLISHED,RELATED -j ACCEPT
/sbin/ip6tables -A INPUT -i $INT -p tcp --sport 25 --match state --state ESTABLISHED,RELATED -j ACCEPT
/sbin/ip6tables -A INPUT -i $INT -p udp --sport 53 --match state --state ESTABLISHED,RELATED -j ACCEPT
/sbin/ip6tables -A INPUT -i $INT -p tcp --sport 53 --match state --state ESTABLISHED,RELATED -j ACCEPT

# Allow Output DNS, NTP and traceroute traffic
/sbin/ip6tables -A OUTPUT -o $INT -p udp --dport 53 --match state --state NEW -j ACCEPT
/sbin/ip6tables -A OUTPUT -o $INT -p udp --dport 123 --match state --state NEW -j ACCEPT
#/sbin/ip6tables -A OUTPUT -o $INT -p udp --dport 33434:33523 --match state --state NEW -j ACCEPT

# Allow DHCPv6
/sbin/ip6tables -A INPUT -i $INT -p udp --dport 546 -d fe80::/64 -j ACCEPT
/sbin/ip6tables -A OUTPUT -o $INT -p udp --dport 547 -j ACCEPT

################### IPv4 Specific rules
# /sbin/iptables ...