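#!/usr/bin/env bash
## ---------------------------------------------------------
## --- Main Configurations Ipv6 Firewall Script ipt-firewall
## ---------------------------------------------------------
#
# This file is a configuration that is sourced by the firewall script; it
# only assigns variables (and declares a few associative arrays). Variables
# named "$standard_*", "$ext_if_*" and "$local_if_*" are expected to be
# defined by the sourcing script before this file is read.
#
# NOTE(review): the copy this file was restored from had its line structure
# collapsed and some placeholders (text inside angle brackets) stripped.
# Where a parameter's format line was lost, the format is given here as
# reconstructed from the author's own examples; where a whole section was
# lost this is marked with a NOTE(review).

# =============
# --- Interfaces completely blocked
# =============

# - Interfaces to block (note: they will all be blocked)
# -
# - For example: eth2 is used for the DSL line, which becomes an extra
# - interface (ppp-light). A further use of eth1 (which would
# - be possible) is not configured at this time, so you can block it.
# -
blocked_ifs=""

# =============
# --- Block UPnP Ports
# =============

# - Block UPnP traffic (extern) in
block_upnp_traffic_in=true

# - Block UPnP traffic (extern) out
block_upnp_traffic_out=true

# =============
# --- Interfaces not firewalled
# =============

# - Note:
# - Can be (for example) an interface whose (complete) traffic is
# - protected by a firewall on another system in the local area.
# -
# - Here: the static line castle stockhausen
# -
unprotected_ifs=""

# =============
# --- Networks not firewalled through extern interfaces
# =============

# - Allow these networks any access to the internet.
# -
# - Blank separated list of networks
# -
any_access_to_inet_networks=""

# - Allow these networks any access from the internet.
# -
# - Blank separated list of networks
# -
any_access_from_inet_networks=""

# =============
# - Allow local services from ALL extern networks
# =============

# - allow_all_ext_traffic_to_local_service
# -
# - allow_all_ext_traffic_to_local_service="local-address,port,protocol [local-address,port,protocol] .."
# -
# - Note:
# - =====
# - - Only 'tcp' and 'udp' are allowed values for protocol.
# -
# - Example:
# - allow extern traffic to service at 2a01:30:1fff:fd00::210 on port 1036
# - allow extern traffic to https service at 2a01:30:1fff:fd00::204
# -
# - allow_all_ext_traffic_to_local_service="
# -    2a01:30:1fff:fd00::210,1036,tcp
# -    2a01:30:1fff:fd00::204,$standard_https_port,tcp
# - "
# -
# - Blank separated list
# -
allow_all_ext_traffic_to_local_service=""

# =============
# - Allow local services from given extern networks
# =============

# - allow_ext_net_to_local_service
# -
# - allow_ext_net_to_local_service="ext-net,local-address,port,protocol"
# -
# - Only 'tcp' and 'udp' are allowed values for protocol.
# -
# - Use this parameter to (only) give some local networks access to special local
# - services (but not for all local networks as you can configure later).
# -
# - If you plan to separate networks (see parameter 'separate_local_networks'), but
# - to allow these networks some special local services, you can also use this parameter.
# -
# - Example:
# - allow access from 2001:6f8:107e:63::20/128 to ssh service at 2a01:30:1fff:fd00::210 on port 1036
# - allow access from 2a01:30:0:13:5054:ff:fe09:2318/64 to https service at 2a01:30:1fff:fd00::204
# -
# - allow_ext_net_to_local_service="2001:6f8:107e:63::20/128,2a01:30:1fff:fd00::210,1036,tcp
# -                                 2a01:30:0:13:5054:ff:fe09:2318/64,2a01:30:1fff:fd00::204,$standard_https_port,tcp"
# -
# - Blank separated list
# -
allow_ext_net_to_local_service=""

# =============
# - Allow all traffic from extern address/network to local address/network
# =============

# - allow_ext_net_to_local_net
# -
# - allow_ext_net_to_local_net="<ext-net>,<local-net> [<ext-net>,<local-net>] [..]"
# -   (format reconstructed from the example below)
# -
# - All traffic from the given first network to the given second network is allowed
# -
# - Example:
# - allow_ext_net_to_local_net="2a01:30:0:13:5054:ff:fe09:2318/64,2a01:30:1fff:fd00::0/64
# -                             2001:6f8:107e:63::/64,2a01:30:ff:fd00::204/128"
# -
# - Blank separated list
# -
allow_ext_net_to_local_net=""

# =============
# - Block all extern traffic to (given) local network
# =============

# - block_all_ext_to_local_net
# -
# - NOTE(review): the format line and the assignment of this parameter, and
# - the beginning of the following VPN section (its header and any
# - "local_vpn_service"/"vpn_gw_ports"-style settings), are missing from the
# - copy this file was restored from. Restore them from the original file
# - before relying on this section; nothing is assigned here.

# ======
# - VPN Service (section header lost, see note above)
# ======

# - VPN Services DMZ (reachable also from WAN)
# -
# - vpn_server_dmz_arr[<ip>]=<ext-interface>
# -
# - Note:
# - Each extern interface can have only one such service
# -
# - vpn_server_dmz_arr[2001:6f8:107e:63::20]=$ext_if_static_1
# - vpn_server_dmz_arr[2001:6f8:107e:63::40]=$ext_if_dsl_1
# -
# - Multiple settings of this parameter are possible
# -
declare -A vpn_server_dmz_arr

# - Local VPN Ports
# -
# - Blank separated list
# -
vpn_local_net_ports="1194"

# Remote VPN ports
#
vpn_out_ports="$standard_vpn_port"

# ======
# - WireGuard Service
# ======

# - WireGuard Service on Gateway?
# -
local_wg_service=true
wg_gw_ports="$standard_wg_port"

# - WireGuard Services DMZ (reachable also from WAN)
# -
# - wg_server_dmz_arr[<ip>]=<ext-interface>
# -
# - Note:
# - Each extern interface can have only one such service
# -
# - wg_server_dmz_arr[2001:6f8:107e:63::20]=$ext_if_dsl_2
# - wg_server_dmz_arr[2001:6f8:107e:63::40]=$ext_if_dsl_1
# -
# - Multiple settings of this parameter are possible
# -
declare -A wg_server_dmz_arr

# - Local WireGuard Ports
# -
# - Blank separated list
# -
wg_local_net_ports="$standard_wg_port"

# Remote WireGuard Ports
#
wg_out_ports="$standard_wg_port"

# ======
# - Cisco VPN
# ======

cisco_vpn_out_ports="$standard_isakmp_port $standard_ipsec_nat_t"
cisco_vpn_out_protocol="esp"

# ======
# - DHCP Service
# ======

# - Is this Gateway a DHCP Client?
# -
# - dhcp_client_interfaces="<interface> [<interface> [..]]"
# -   (the original format line named the parameter
# -   'local_dhcp_client_interfaces'; the example and the assignment use
# -   'dhcp_client_interfaces')
# -
# - Example:
# - dhcp_client_interfaces="$ext_if_static_1"
# -
dhcp_client_interfaces="$ext_if_static_1"

# - DHCP Server Gateway
# -
local_dhcp_service=true

# - Are DHCP Failover Servers present?
# -
# - Blank separated list
# -
dhcp_failover_server_ips=""
dhcp_failover_port=647

# ======
# - DNS Service
# ======

# - DNS Service Gateway
local_dns_service=true

# - DNS Server local Networks
# -
# - Blank separated list
dns_server_ips=""

# ======
# - SSH
# ======

# - SSH Service Gateway
# -
local_ssh_service=true

# - SSH Services local Networks
# -
# - Blank separated list
# -
ssh_server_only_local_ips=""

# - SSH Services DMZ (reachable also from WAN)
# -
# - ssh_server_dmz_arr[<ip>]=<ext-interface>
# -
# - Note:
# - Each extern interface can have only one service on a certain port.
# -
# - ssh_server_dmz_arr[2001:6f8:107e:63::20]=$ext_if_dsl_1
# -   (the original listed this same example line twice)
# -
# - Multiple settings of this parameter are possible
# -
declare -A ssh_server_dmz_arr

# - SSH Ports
# -
# - blank separated list
# -
ssh_ports="22"

# ======
# - HTTP(S) Service
# ======

# - HTTP(S) Service Gateway
# -
local_http_service=false

# - HTTP(S) Services only local Networks
# -
# - Blank separated list
# -
http_server_only_local_ips=""

# - HTTP(S) Services DMZ (reachable also from WAN)
# -
# - http_server_dmz_arr[<ip>]=<ext-interface>
# -
# - Example:
# -
# - http_server_dmz_arr[2001:6f8:107e:63::20]=$ext_if_static_1
# - http_server_dmz_arr[2001:6f8:107e:63::90]=$ext_if_static_1
# -
# - WebServer Luna: 2001:6f8:107e:63::20 (ppp-ckubu = $ext_if_dsl_1)
# -
# - Multiple settings of this parameter are possible
# -
declare -A http_server_dmz_arr

# - HTTPS Services DMZ only port 443 (reachable also from WAN)
# -
# - http_ssl_server_dmz_arr[<ip>]=<ext-interface>
# -
# - http_ssl_server_dmz_arr[2001:6f8:107e:63::20]=$ext_if_static_1
# - http_ssl_server_dmz_arr[2001:6f8:107e:64::90]=$ext_if_static_2
# -
# - Multiple settings of this parameter are possible
# -
declare -A http_ssl_server_dmz_arr

# - HTTP(S) Ports
# -
# - comma separated list
# -
http_ports="$standard_http_ports"

# ======
# - Mail Services
# ======

# - SMTP server (i.e. mail relay service) Gateway
# -
local_smtp_service=false

# - Mailserver (SMTP/POP/IMAP) Gateway
# -
# - NOT YET IMPLEMENTED
# -
local_mail_service=false

# - Mail Services smtp,smtps/pop(s)/imap(s) only local Networks
# -
# - comma separated list
# -
mail_server_only_local_ips=""

# - Mail Services DMZ smtp,smtps/pop(s)/imap(s) (reachable also from WAN)
# -
# - mail_server_dmz_arr[<ip>]=<ext-interface>
# -
# - Multiple declarations are possible
# -
# - Example:
# - Mail Server: 2001:6f8:107e:63::20 incoming on ppp-st ($ext_if_static_1)
# -
# - mail_server_dmz_arr[2001:6f8:107e:63::20]=$ext_if_dsl_2
# -
declare -A mail_server_dmz_arr

# - Mail client ports (smtps/pop(s)/imap(s))
# -
# - comma separated list
# -
mail_user_ports="$standard_mailuser_ports"

# - Mail Server (local Networks) SMTP Port
# -
mail_smtp_port="$standard_smtp_port"

# ======
# - FTP Service
# ======

# - FTP Service Gateway
# -
local_ftp_service=false

# - FTP Server at local Networks
# -
# - comma separated list
# -
ftp_server_only_local_ips=""

# - FTP Service DMZ
# -
# - Note:
# - Each extern interface can have only one such service
# -
# - ftp_server_dmz_arr[<ip>]=<ext-interface>
# - ftp_passive_port_range=<from:to>
# -
declare -A ftp_server_dmz_arr
#ftp_server_dmz_arr[2001:6f8:107e:63::20]=$ext_if_static_1
ftp_passive_port_range="50000:50400"

# - FTP Ports
# -
# - Hard scripted:
# -   FTP Control Port: 21
# -   FTP Data Port:    20

# ======
# - TFTP Service Gateway
# ======

# - TFTP Server Gateway (Port udp 69)
local_tftp_service=false

# - TFTP Server at local Networks
# -
tftp_server_ips=""

# - TFTP Ports
# -
# - Note: it's udp !
# -
tftp_udp_port=69

# ======
# - LDAP Service
# ======

# - Is this an LDAP Server?
# -
local_ldap_service=false

# - LDAP Service local Networks
# -
# - Ports:          389 udp
# -                 389 tcp
# -
# - Ports LDAP SSL: 636 tcp
# -
ldap_server_local_ips=""
ldap_udp_ports="389"
ldap_tcp_ports="389 636"

# ======
# - Samba Service
# ======

# - Samba Server Gateway
# -
local_samba_service=false

# - Samba Service
# -
# - Ports: 137,138 udp
# -        139,445 tcp
# -
samba_udp_ports="137:138"
samba_tcp_ports="137 138 139 445"

# - Samba Service local networks
# -
samba_server_local_ips=""

# - Samba Service DMZ
# -
# - Note:
# - Each extern interface can have only one such service
# -
# - samba_server_dmz_arr[<ip>]=<ext-interface>
# -
# - Multiple settings of this parameter are possible
# -
declare -A samba_server_dmz_arr

# ======
# - NTP Service
# ======

# - NTP Service Gateway
# -
local_ntp_service=true

# ======
# - SNMP Service
# ======

# - SNMP services local Networks
# -
snmp_server_ips=""

# - SNMP Port
# -
# - snmp_port       Port Agent
# - snmp_trap_port  Port Management Station
# -
snmp_port="$standard_snmp_port"
snmp_trap_port="$standard_snmp_trap_port"

# ======
# - Mumble Service
# ======

# - NOT YET IMPLEMENTED

# - Mumble ports
# -
mumble_ports="64738"

# ======
# - BigBlueButton Video Conference Service
# ======

# - BigBlueButton Video Conference Service Gateway
# -
# - NOT YET IMPLEMENTED
# -
local_bigbluebutton_video_conference_service=false

# - BigBlueButton Video Conference Service Ports
# -
# - TCP 80:  Webinterface.
# - TCP 443: Webinterface (SSL)
# -
# - UDP 16384-32768: FreeSWITCH/HTML5 RTP streams
# -
bigbluebutton_tcp_ports="$standard_bigbluebutton_tcp_ports"
bigbluebutton_udp_ports="$standard_bigbluebutton_udp_ports"

# ======
# - Skype for Business Online and Microsoft Teams
# ======

# - Skype for Business Online and Microsoft Teams
# -
# - TCP 80,443
# -
# - Example:
# -
# - standard_ms_skype_teams_tcp_ports="80,443"
# - standard_ms_skype_teams_udp6_ports="3478,3479,3480,3481"
# - standard_ms_skype_teams_udp6_hosts="
# -    2a01:30:0:13:5054:ff:fe9f:422f/64
# -    2a01:4f8:231:19a7::2/52
# - "
# -
# - Set to default values:
# - ms_skype_teams_tcp_ports="$standard_ms_skype_teams_tcp_ports"
# - ms_skype_teams_udp6_ports="$standard_ms_skype_teams_udp6_ports"
# - ms_skype_teams_udp6_hosts="$standard_ms_skype_teams_udp6_hosts"
# -
ms_skype_teams_tcp_ports="$standard_ms_skype_teams_tcp_ports"
ms_skype_teams_udp6_ports="$standard_ms_skype_teams_udp6_ports"
ms_skype_teams_udp6_hosts="$standard_ms_skype_teams_udp6_hosts"

# ======
# - Webex Meeting
# ======

# - Webex Meeting (video conference)
# -
# - TCP 80/443: Outbound client access port and Webex Events (audio streaming)
# -
# - UDP 9000:   Outbound (VoIP and RTP)
# -
# - ---
# -
# - TCP 5004:   Fall-back ports for media connectivity when UDP port 9000
# -             is not open in the firewall
# -
webex_tcp_ports="$standard_webex_tcp_ports"
webex_udp_ports="$standard_webex_udp_ports"
webex_tcp_fall_back_ports="$standard_webex_tcp_fall_back_ports"

# ======
# - Zoom Meeting
# ======

# - Zoom Meeting - Video Conference Service
# -
# - TCP 80,443            All Zoom Clients and *.zoom.us
# -                       Meeting Connector
# -
# - TCP 443,8801,8802     All Zoom Clients  MeetingConnector.IP
# -                                         MeetingConnector.IP2
# -                                         MeetingConnector2.IP
# -                                         MeetingConnector2.IP2
# -
# - UDP 3478,3479,8801,   All Zoom Clients  MeetingConnector.IP
# -     8802                                MeetingConnector.IP2
# -                                         MeetingConnector2.IP
# -                                         MeetingConnector2.IP2
# -
zoom_tcp_ports="$standard_zoom_tcp_ports"
zoom_udp_ports="$standard_zoom_udp_ports"

# ======
# - Jitsi Video Conference Service
# ======

# - Jitsi Video Conference Service Gateway
# -
# - NOT YET IMPLEMENTED
# -
local_jitsi_video_conference_service=false

# - Jitsi Video Conference Service only out
# -
# - Ports:
# -
# - TCP 80:  Webinterface.
# - TCP 443: Webinterface (SSL)
# -
# - UDP 10000-20000: Virtual Media for Remote Console
# -
# - comma separated list
# -
jitsi_tcp_ports="$standard_jitsi_tcp_ports"
jitsi_udp_ports="$standard_jitsi_udp_ports"

# ======
# - alfaview - Video Conferencing Systems
# ======

# - alfaview Service Ports
# -
alfaview_tcp_ports="$standard_alfaview_service_tcp_ports"
alfaview_udp_ports="$standard_alfaview_service_udp_ports"

# ======
# - TURN Server (Stun Server) (for Nextcloud 'talk' app)
# ======

# - TURN Server (Stun Server) (for Nextcloud 'talk' app)
# -
# - NOT YET IMPLEMENTED
# -
# - NOTE(review): this is set to an empty string, unlike the other
# - 'local_*_service' switches which are 'true'/'false'. Confirm how the
# - consuming script tests it before treating the empty value as "off".
# -
local_nc_turn_service=""

# - Ports used by local TURN Server (Stun Server)
# -
# - comma separated list
# -
nc_turn_ports="$standard_nc_turn_ports"
nc_turn_udp_ports="$standard_nc_turn_udp_ports"

# ======
# - XyMon Service
# ======

# - XyMon Service Gateway (usually TCP port 1984)
# -
local_xymon_server=false

# - XyMon Service (usually TCP port 1984)
# -
# - Blank separated list of ip's
# -
xymon_server_ips=""
# - NOTE(review): empty string rather than true/false, see the TURN note above.
local_xymon_client=""

# - XyMon Ports
# -
xymon_port="$standard_xymon_port"

# ======
# - Munin Service
# ======

# - Munin Service Gateway (usually TCP port 4949)
# -
local_munin_server=false

# - If 'local_munin_server=true' provide service also to inet?
# -
provide_munin_service_to_inet=false
munin_remote_port="4949"

# - Munin Server local Networks (usually TCP port 4949)
# -
# - Blank separated list
# -
munin_local_server_ips=""

# - Munin Remote Server
# -
# - Note:
# - The munin server itself initiates the connection to the concerning clients.
# - In case of natted (local) networks you also have to nat the incoming
# - requests from the munin server.
# -
# - Note:
# - Each extern interface can have only one such service
# -
# - munin_local_client_ip_arr[<ip>]=<ext-interface>
# -
# - Multiple settings of this parameter are possible
# -
#munin_remote_server="2a01:30:1fff:a::163"
munin_remote_server=""

# - Munin - clients on local network (server is $munin_remote_server)
# -
# - Example:
# - munin_local_client_ip_arr[192.168.63.20]=$ext_if_dsl_1
# -   (NOTE(review): the author's example uses an IPv4 key in an IPv6
# -   configuration; kept verbatim)
# -
declare -A munin_local_client_ip_arr

# - Munin Port
# -
munin_local_port=4949

# ======
# - Checkmk Monitoring Service (local network)
# ======

# - Checkmk Service Gateway (usually TCP port 6556)
# -
checkmk_service_gateway=false

# - Checkmk Server local Networks (usually TCP port 6556)
# -
# - Blank separated list
# -
checkmk_local_server_ips=""

# - checkmk Port
# -
checkmk_local_port="$standard_checkmk_port"

# ======
# - PowerChute Network Shutdown (PCNS)
# ======

# - PCNS local Services
# -
pcns_server_ips=""

# - local USV
# -
usv_ip=""

# - PCNS Ports
# -
# - Webinterface (https): tcp 6547
# - Connection usv:       tcp/udp 3052
# -
pcns_tcp_port=3052
pcns_udp_port=3052
pcns_web_port=6547

# ======
# - Remote Console (VNC Service)
# ======

# - VNC Service local network
#
# - Blank separated list
# -
rm_server_ips=""

# - VNC Service DMZ
# -
# - Note:
# - Each extern interface can have only one such service
# -
# - rm_server_dmz_arr[<ip>]=<ext-interface>
# -
# - Multiple settings of this parameter are possible
# -
declare -A rm_server_dmz_arr

# - Remote Console (VNC) Port
# -
remote_console_port=5900

# ======
# - Ubiquiti Unifi
# ======

# - UniFi - Ports Used
# -
# - see: https://help.ui.com/hc/en-us/articles/218506997-UniFi-Ports-Used
# -
# - In version 4.5.2 and later, users can also define the port assigned to STUN services,
# - for scenarios where two or more separate UniFi instances are desired on the
# - same controller machine.
# -
unifi_stun_port=3478   # UDP port used for STUN

# Open Port from controller to Unifi APs
# -
# - Ubiquiti Networks uses port 10001/UDP for its AirControl
# - management discovery protocol
# -
unifi_aircontroll_port=10001

# - Since v3.2.9+ and v4.6.0+, two more ports are being reserved for device redirector.
# - There is no need to open the firewall for these ports on the controller. However, on
# - the controller, avoid using these ports:
# -
# - port 8881 for redirector port for wireless clients
# - port 8882 for redirector port for wired clients
# -
# - For AP-EDU Broadcasts:
# -
# - UDP ports 5656-5699
# -
# - Local IN Ports
# - ==============
# -
# - TCP
# - ===
# - TCP 8080  used for device and controller communication.
# - TCP 8443  used for controller GUI/API as seen in a web browser
# - TCP 8880  used for HTTP portal redirection.
# - TCP 8843  used for HTTPS portal redirection.
# - TCP 6789  used for UniFi mobile speed test.
# - TCP 27117 used for local-bound database communication.
# -
# - UDP
# - ====
# - UDP 3478      used for STUN.
# - UDP 5514      used for remote syslog capture.
# - UDP 5656-5699 used by AP-EDU broadcasting.
# - UDP 10001     used for device discovery
# - UDP 1900      used for "Make controller discoverable on L2 network" in controller settings.
# -
# - OUT Ports Required for UniFi Remote Access
# - ==========================================
# -
# - TCP
# - ===
# - TCP 8883 used for Remote Access service.
# - TCP 443  used for Remote Access service.
# -
# - UDP
# - ===
# - UDP 3478 used for STUN.
# - UDP 443  used for Remote Access service.
# -
unifi_tcp_ctrl_in_ports="$standard_unifi_tcp_ctrl_in_ports"
unifi_udp_ctrl_in_ports="$standard_unifi_udp_ctrl_in_ports"
unifi_tcp_ctrl_out_ports="$standard_unifi_tcp_ctrl_out_ports"
unifi_udp_ctrl_out_ports="$standard_unifi_udp_ctrl_out_ports"

# - Unifi Controller at gateway?
# -
local_unifi_controller_service=false

# - Unifi Accesspoints (AP's) controlled by UniFi controller at Gateway
# -
unifi_ap_local_ips=""

# Note:
#   in contrast to devices at local networks, devices hosted at an extern network
#   are only seen if the device is part of this list 'unifi_ap_extern_ips'
#
unifi_ap_extern_ips=""

# - UniFi Controllers on local network (other than this machine)
# -
# - (the variable name 'unify_...' is kept as-is: the consuming script reads it)
unify_controller_local_net_ips=""

# ======
# - IPMI Tools
# ======

# - IPMI Tools local Networks
# -
# - Blank separated list
# -
ipmi_server_ips=""

# - IPMI Tools Port
# -
# - UDP 161:  SNMP
# - UDP 623:  Access IPMI Programs (as IPMIView or FreeIPMI)
# -
# - TCP 80:   Webinterface.
# - TCP 161:  SNMP
# - TCP 443:  Webinterface (SSL)
# - TCP 623:  Virtual Media for Remote Console
# - TCP 3520: "This is TCP Port 3520 which is also needed in addition to TCP port 5900 to be able to use iKVM."
# - TCP 5120: CD/USB
# - TCP 5123: Floppy
# - TCP 5900: KVM over IP
# - TCP 5901: Video for remote console
# - TCP 5985: Wsman
# -
ipmi_udp_ports="161 623"
ipmi_tcp_ports="80 161 443 623 3520 5120 5123 5900 5901 5985"

# =============
# - Rsync Out for given src ip-addresses
# =============

# - Rsync Protocol
# -
# - The given server address (from local network) can access rsyncd at (any) remote machine
# -
# - Needed for some integrated providers of clamav-unofficial-sigs
# -
rsync_out_ips=""
rsync_ports="873"

# - rsync out from this machine?
# -
local_rsync_out=false

# - forward rsync out for all machines behind the firewall?
# -
forward_rsync_out=false

# =============
# - Printer
# =============

# - IP Addresses Printer
# -
# - Blank separated list
# -
printer_ips=""

# =============
# --- Scanner
# =============

# ======
# - Brother (brscan)
# ======

# - IP Addresses Brother Scanner
# -
# - Blank separated list
# -
brother_scanner_ips=""
brscan_port="$standard_brother_brscan_port"

# ======
# - Epson Network Scan
# ======

# - IP Addresses Epson Network Scanner
# -
# - Blank separated list
# -
epson_scanner_ips=""
epson_scan_port="$standard_epson_network_scan_port"

# =============
# --- Telephone Systems
# =============

# - IP Addresses Telephone Systems (Telefonanlagen)
# -
# - Don't forget to add the ip-addresses also to the http(s) service if the
# - systems provide web interfaces!
# -
# - Blank separated list
# -
tele_sys_ips=""
tele_sys_remote_sip_server_port=5060
tele_sys_local_sip_server_port=5067
allow_between_tele_systems=false

VOIP_PORTS="69 5000:5099 7775 32000:32512"
# - TFTP=69 (used by telephones getting their connection data / firmware update)
# - RTP_PORTS= UDP i.e. 5000:5099 or here
# - RTP_PORTS_END=5099
#SIP_PORT_REMOTE=5060
#SIP_PORT_LOCAL=5067
#SIP_LOCAL_IP=192.168.63.240
#STUN_PORTS=3478
udp_voip_ports="7775 5000:5099"

# =====
# - Telekom Internet TV (Entertain)
# =====

telekom_internet_tv=false
tv_ip=""
tv_extern_if="eth2.8"
tv_local_if="$local_if_1"

# =====
# --- Allow special TCP Ports (OUT)
# =====

# - TCP Ports
# -
# - Blank separated list of tcp ports
# -
tcp_out_ports=""

# =====
# --- Allow special UDP Ports (OUT)
# =====

# - UDP Ports
# -
# - Blank separated list of udp ports
# -
udp_out_ports=""

# ======
# - Other local Services
# ======

# - You can configure further local services here.
# -
# - other_services="X,Y,Z [X,Y,Z [..]]"
# -   (three comma-separated fields per entry; the field names were lost
# -   in the copy this file was restored from)
# -
# - Blank separated list
# -
other_services=""

# =============
# --- Destination NAT
# =============

# =============
# --- Portforwarding
# =============

# - Portforwarding TCP
# -
# - portforward_tcp="<ext-interface>,<ext-port>,<local-address>,<local-port>"
# -   (format reconstructed from the example below)
# -
# - Multiple declarations are possible
# -
# - Example:
# - portforward_tcp="$ext_if_static_1,9997,2001:6f8:107e:63::20,22
# -                  $ext_if_static_1,9998,2001:6f8:107e:63::90,22"
# -
# - Blank separated list
# -
portforward_tcp=""

# - Portforwarding UDP
# -
# - portforward_udp="<ext-interface>,<ext-port>,<local-address>,<local-port>"
# -
# - Multiple declarations are possible
# -
# - Example:
# - portforward_udp="$ext_if_static_1,1094,2001:6f8:107e:63::90,1094
# -                  $ext_if_static_1,9999,2001:6f8:107e:63::90,1095"
# -
# - Blank separated list
# -
portforward_udp=""

# =============
# --- Basic behavior
# =============

# ===
# = Services allowed out to the world wide web
# ===

allow_ssh_request_out=true
allow_http_request_out=true
allow_smtp_request_out=true
allow_mail_request_out=true
allow_ftp_request_out=true
allow_tftp_request_out=true
allow_ntp_request_out=true
allow_timeserver_request_out=true
allow_pgpserver_request_out=true
allow_telnet_request_out=true
allow_whois_request_out=true
allow_cpan_wait_request_out=true
allow_hbci_request_out=true
allow_jabber_request_out=true
allow_silc_request_out=true
allow_irc_request_out=true
allow_mysql_request_out=true
allow_ipmi_request_out=true
allow_remote_console_request_out=true
allow_mumble_request_out=true
allow_outbound_streaming=true
allow_echo360_video_streaming=true
allow_alfaview_video_conference_out=true
allow_bigbluebutton_video_conference_out=true
allow_ms_skype_teams_out=true
allow_webex_video_conference_out=true
allow_zoom_video_conference_out=true
allow_jitsi_video_conference_out=true
allow_nc_talk_out=true
allow_samba_requests_out=true
allow_vpn_out=true

# WireGuard
#
allow_wg_out=true

allow_cisco_vpn_out=true

# ===
# = Services allowed between local networks
# ===

# - These parameters are only considered if traffic
# - between local networks is not permitted, that is
# - if 'permit_between_local_networks=false' (see below).
# -
allow_ssh_between_local_nets=true
allow_samba_between_local_nets=false
allow_ldap_between_local_nets=false
allow_printing_between_local_nets=true
allow_scanning_between_local_nets=true

# ===
# = Other Parameters
# ===

# - Permit internet access to all machines at local network
# - Does not include this server itself
# -
permit_local_net_to_inet=false

# - Do not block any traffic between local machines
# -
permit_between_local_networks=false

# - Do not block any ICMP traffic
# -
permit_all_icmp_traffic=true

# - Access to Mailservices (LAN and WAN) (pop/imap/smtps) from local (gateway) machine.
# -
# - Maybe useful for testing purposes with telnet or openssl
# -
provide_mailservice_from_local=true

# - iPerf is a tool for active measurements of the maximum achievable bandwidth on IP networks.
# - It supports tuning of various parameters related to timing, buffers and protocols (TCP, UDP,
# - SCTP with IPv4 and IPv6). For each test it reports the bandwidth, loss, and other parameters.
# -
create_iperf_rules=false

# =============
# - MAC Address Filtering
# =============

# - MAC Addresses allowed to all destinations (gateway, remote, local networks)
# -
# - Blank separated list
# -
allow_all_mac_src_addresses=""

# - MAC Addresses allowed to local networks (gateway, local networks)
# -
# - Blank separated list
# -
allow_local_mac_src_addresses=""

# - MAC Addresses allowed to remote networks
# -
# - Blank separated list
# -
allow_remote_mac_src_addresses=""

# =============
# --- Block IP's / IP-Ranges
# =============

# - Blank separated list
# -
blocked_ips=""

# =============
# --- Block Ports on extern Interfaces
# =============

# - Generally (for all interfaces) block these ports
# -
# - Portmapper
# -   tcp 111
# -   udp 111
# -
# - Authentication tap ident (handled by 'block_ident' below, not by the port lists)
# -   tcp 113
# -
# - Location Service
# -   tcp 135
# -
# - Windows Stuff (only added when samba requests out are not allowed)
# -   tcp 137:139
# -   udp 137:139
# -   tcp 445
# -
block_tcp_ports="111 135 631"
block_udp_ports="111"

# The Windows/SMB ports are appended to the lists already set above. The tcp
# list must extend $block_tcp_ports (the original appended to
# $block_udp_ports here, which dropped 135 and 631 from the tcp block list
# and carried the udp list's 111 in their place).
if ! $allow_samba_requests_out ; then
  block_tcp_ports="$block_tcp_ports 137:139 445"
  block_udp_ports="$block_udp_ports 137:139"
fi

block_ident=true

# =============
# - Packets not wanted on gateway on local Interfaces
# =============

not_wanted_on_gw_tcp_ports="111 113 135 631"
not_wanted_on_gw_udp_ports="111 631"

# Same pattern as above: Windows/SMB ports are only unwanted on the gateway
# when it is not itself a samba server.
if ! $local_samba_service ; then
  not_wanted_on_gw_tcp_ports="$not_wanted_on_gw_tcp_ports 137:139 445"
  not_wanted_on_gw_udp_ports="$not_wanted_on_gw_udp_ports 137:139"
fi

not_wanted_ident=true

# =============
# --- Router
# =============

# - Set to "true" to secure/tune the kernel
# -
adjust_kernel_parameters=true

# - Protection against several attacks
# -
protect_against_several_attacks=true

# =============
# --- Kernel related - Adjust Kernel Parameters (Security/Tuning)
# =============

# - Disable ip forwarding between interfaces
# -
# - NOTE(review): the comment says "disable" while the variable is named
# - 'kernel_forward_between_interfaces'; confirm the polarity in the
# - consuming script before changing this value.
# -
kernel_forward_between_interfaces=true

# - Deactivate Source Routed Packets
# -
kernel_deactivate_source_route=true

# - Deactivate ICMP redirects
# -
# - ICMP redirects are used by routers to specify better routing paths out of
# - one network, based on the host choice, so basically it affects the way
# - packets are routed and destinations.
# -
# - NOTE(review): the original comment says "sending" redirects while the
# - variable is named 'kernel_dont_accept_redirects'; confirm which sysctl
# - the consuming script sets.
# -
kernel_dont_accept_redirects=true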