#!/usr/bin/env bash
# =============
# --- Firewall configuration: basic behavior
# =============
# - This file contains only plain variable assignments (no functions, no
# - commands). The values are the literal strings "true"/"false"; nothing in
# - this file validates them, so a typo such as "ture" is not caught here.
# - NOTE(review): presumably sourced by the rule-building script, which reads
# - these names verbatim — renaming a variable silently disables its rule.
# ---
# - Services allowed out to the world wide web (outbound from this host)
# ---
allow_ssh_request_out=true
allow_http_request_out=true
allow_smtp_request_out=true
allow_mail_request_out=true
# - telnet, ftp and tftp are plaintext protocols; keep them enabled only
# - while something on this host actually needs them.
allow_ftp_request_out=true
allow_tftp_request_out=true
allow_ntp_request_out=true
allow_timeserver_request_out=true
allow_pgpserver_request_out=true
allow_telnet_request_out=true
allow_whois_request_out=true
allow_cpan_wait_request_out=true
allow_hbci_request_out=true
allow_jabber_request_out=true
allow_silc_request_out=true
allow_irc_request_out=true
allow_mysql_request_out=true
allow_ipmi_request_out=true
allow_remote_console_request_out=true
allow_mumble_request_out=true
allow_outbound_streaming=true
allow_echo360_video_streaming=true
allow_bigbluebutton_video_conference_out=true
allow_ms_skype_teams_out=true
allow_webex_video_conference_out=true
allow_zoom_video_conference_out=true
allow_jitsi_video_conference_out=true
allow_alfaview_video_conference_out=true
allow_nc_turn_video_conference_out=true
allow_samba_requests_out=true
allow_ldap_requests_out=true
allow_vpn_out=true
# WireGuard
#
allow_wg_out=true
allow_cisco_vpn_out=true
# Gaming
#
# PlayStation (PS), Xbox, FIFA
#
allow_game_xbox_one_out=false
allow_game_xbox_360_out=false
allow_game_ps3_out=false
allow_game_ps4_out=false
allow_game_fifa21_out=false
# Gaming: Steam
#
allow_game_steam_out=false
# Gaming: Call of Duty
#
# NOTE(review): this is the only gaming switch without the "_out" suffix;
# the consuming script must read exactly this name — confirm before renaming.
allow_game_call_of_duty=false
# ---
# - Services allowed between local networks
# ---
# - These parameters are only considered if traffic between local networks
# - is NOT permitted in general, i.e. if 'permit_between_local_networks=false'
# - (see below). With 'permit_between_local_networks=true' they have no effect.
# -
allow_ssh_between_local_nets=true
allow_samba_between_local_nets=false
allow_ldap_between_local_nets=false
allow_printing_between_local_nets=true
allow_scanning_between_local_nets=true
# ---
# - Other parameters
# ---
# - Permit internet access to all machines on the local network.
# - Does not include this server itself.
# -
permit_local_net_to_inet=false
# - Do not block any traffic between local machines.
# - When true, the 'allow_*_between_local_nets' switches above are ignored.
# -
permit_between_local_networks=false
# - Do not block any ICMP traffic.
# - With "true", ICMP is not filtered at all by the rules this switch controls.
# -
permit_all_icmp_traffic=true
# - Access to mail services (LAN and WAN) (pop/imap/smtps) from the local
# - (gateway) machine.
# -
# - May be useful for testing purposes with telnet or openssl.
# -
provide_mailservice_from_local=true
# - iPerf is a tool for active measurements of the maximum achievable bandwidth on IP networks.
# - It supports tuning of various parameters related to timing, buffers and protocols (TCP, UDP,
# - SCTP with IPv4 and IPv6). For each test it reports the bandwidth, loss, and other parameters.
# -
create_iperf_rules=false
# =============
# --- Router IPv4
# =============
# - Set to "true" to secure/tune the kernel.
# -
adjust_kernel_parameters=true
# - Protection against several attacks.
# -
protect_against_several_attacks=true
# Protection against SYN flooding
#
drop_syn_flood=true
# - I have to say that fragments scare me more than anything.
# - Sending lots of non-first fragments was what allowed Jolt2 to effectively "drown"
# - Firewall-1. Fragments can be overlapped, and the subsequent interpretation of such
# - fragments is very OS-dependent (see this paper for details).
# - I am not going to trust any fragments.
# - Log fragments just to see if we get any, and deny them too.
# -
# - !! 'drop_fragments' does not work within Telekom mobile connections !!
# -
drop_fragments=true
# Drop new packets without the SYN flag
#
drop_new_not_sync=true
# Drop packets in INVALID connection-tracking state.
# NOTE(review): disabled here for IPv4 while the IPv6 counterpart
# 'drop6_invalid_state' below is enabled — confirm this asymmetry is intended.
#
drop_invalid_state=false
# Drop packets with unusual flag combinations
#
drop_invalid_flags=true
# Refuse private addresses on external interfaces
#
# Refuse packets claiming to be from a
#   Class A private network
#   Class B private network
#   Class C private network
#   loopback interface
#   Class D multicast address
#   Class E reserved IP address
#   broadcast address
drop_spoofed=true
# Don't allow spoofed packets to leave this server
#
drop_spoofed_out=true
# Refusing packets claiming to be to the loopback interface protects against
# source quench, whereby a machine can be told to slow itself down by an ICMP source
# quench to the loopback.
drop_ext_to_lo=true
# =============
# --- Router IPv6
# =============
# - Same switches as the IPv4 section, with a "6" inserted after the prefix.
# - Set to "true" to secure/tune the kernel.
# -
adjust6_kernel_parameters=true
# - Protection against several attacks.
# -
protect6_against_several_attacks=true
# Protection against SYN flooding
#
drop6_syn_flood=true
# Drop new packets without the SYN flag
#
drop6_new_not_sync=true
# Drop packets in INVALID connection-tracking state (see IPv4 note above)
#
drop6_invalid_state=true
# Drop packets with unusual flag combinations
#
drop6_invalid_flags=true
# Refuse spoofed packets pretending to be from your own IP address.
#
drop6_from_own_ip=true
# Refuse private addresses on external interfaces
#
drop6_spoofed=true