-
Notifications
You must be signed in to change notification settings - Fork 2
/
Copy pathminifirewall.conf
135 lines (98 loc) · 3.69 KB
/
minifirewall.conf
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
# Configuration for minifirewall : https://gitea.evolix.org/evolix/minifirewall
# Version 24.11
# shellcheck shell=sh disable=SC2034
# Main interface
INT='eth0'
# IPv6
IPV6='on'
# Docker Mode
# Changes the behaviour of minifirewall to not break the containers' network
# For instance, turning it on will disable nat table purge
# Also, we'll add the DOCKER-USER chain, in iptables
#
# WARNING : If the port mapping is different between the host and the container
# (ie: Listen on :8090 on host, but :8080 in container)
# then you need to give the port used inside the container
DOCKER='off'
# Trusted local network
# ...will be often IPv4/32 or IPv6/128 if you don't trust anything
INTLAN='192.0.2.1/32 2001:db8::1/128'
# Trusted IP addresses for private and semi-public services
TRUSTEDIPS='31.170.9.129 2a01:9500:37:129::/64 31.170.8.4 2a01:9500::fada 82.65.34.85 2a01:e0a:571:2a10::1 46.231.240.96 2a0c:e303:0:6000::/57 54.37.106.210 2001:41d0:8:8b70::210 51.210.84.146 2001:41d0:8:8b70::146'
# Privilegied IP addresses for semi-public services
# (no need to add again TRUSTEDIPS)
PRIVILEGIEDIPS=''
# Local services IP restrictions
#######################################
# Protected services (protected by NEEDRESTRICT chain, to customize in your own way)
# (add also in Public services if needed)
SERVICESTCP1p='22222'
SERVICESUDP1p=''
# Public services (IPv4/IPv6)
SERVICESTCP1='22222'
SERVICESUDP1=''
# Semi-public services (for IPv4/IPv6 from PRIVILEGIEDIPS *and* TRUSTEDIPS)
SERVICESTCP2='22'
SERVICESUDP2=''
# Private services (for IPv4/IPv6 from TRUSTEDIPS only)
SERVICESTCP3='5666'
SERVICESUDP3=''
# Standard output IPv4/IPv6 access restrictions
##########################################
# DNS authorizations
# (if you have local DNS server, set 0.0.0.0/0)
DNSSERVEURS='0.0.0.0/0 ::/0'
# HTTP authorizations
# (you can use DNS names but set cron to reload minifirewall regularly)
# (if you have HTTP proxy, set 0.0.0.0/0)
HTTPSITES='0.0.0.0/0 ::/0'
# HTTPS authorizations
HTTPSSITES='0.0.0.0/0 ::/0'
# FTP authorizations
FTPSITES=''
# SSH authorizations
SSHOK='0.0.0.0/0 ::/0'
# SMTP authorizations
SMTPOK='0.0.0.0/0 ::/0'
# SMTP secure authorizations (ports TCP/465 and TCP/587)
SMTPSECUREOK=''
# NTP authorizations
NTPOK='0.0.0.0/0 ::/0'
# Proxy (Squid)
PROXY='off'
# (proxy port)
PROXYPORT='8888'
# (destinations that bypass the proxy)
PROXYBYPASS="${INTLAN} 127.0.0.0/8 ::1/128"
# Backup servers
# (add IP:PORT for each one, example: '192.168.10.1:1234 192.168.10.2:5678')
BACKUPSERVERS=''
# Includes
#####################
# Files in /etc/minifirewall.d/* (without "." in name)
# are automatically included in alphanumerical order.
#
# Within included files, you can use those helper functions :
# * is_ipv6_enabled: returns true if IPv6 is enabled, or false
# * is_docker_enabled: returns true if Docker mode is enabled, or false
# * is_proxy_enabled: returns true if Proxy mode is enabled , or false
# Custom sysctl values (advanced)
#################################
# In most cases, the default values set by minifirewall are good.
# If you really know what you are doing,
# you can uncomment some lines and customize the values.
# Set 1 to ignore broadcast pings (default)
# SYSCTL_ICMP_ECHO_IGNORE_BROADCASTS='1'
# Set 1 to ignore bogus ICMP responses (default)
# SYSCTL_ICMP_IGNORE_BOGUS_ERROR_RESPONSES='1'
# Set 0 to disable source routing (default)
# SYSCTL_ACCEPT_SOURCE_ROUTE='0'
# Set 1 to enable TCP SYN cookies (default)
# SYSCTL_TCP_SYNCOOKIES='1'
# Set 0 to disable ICMP redirects (default)
# SYSCTL_ICMP_REDIRECTS='0'
# Set 1 to enable Reverse Path filtering (default)
# Set 0 if VRRP is used
# SYSCTL_RP_FILTER='1'
# Set 1 to log packets with inconsistent address (default)
# SYSCTL_LOG_MARTIANS='1'