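#!/usr/bin/env bash
#
# Firewall policy configuration.
#
# This file only assigns shell variables; it is meant to be sourced by the
# rule-building script (not shown here), which turns each switch into packet
# filter / kernel settings.  Nothing here executes a command, so it is safe to
# source from a privileged script, but treat it as code: an attacker who can
# write this file can open every egress path below.
#
# Every switch takes the literal string "true" or "false".  The variable
# names are the interface to the rule script -- do not rename them.

# =============
# --- Basic behavior
# =============

# ---
# - Services allowed out to the world wide web
# ---
#
# - NOTE(review): most egress switches default to "true", including
# - protocols that carry credentials in cleartext (telnet, ftp, tftp) and
# - management/database/directory protocols (ipmi, remote console, mysql,
# - samba, ldap) that a gateway rarely needs to reach on the Internet.
# - Every permitted egress path is also an exfiltration channel from a
# - compromised host; switch off what this host does not actually use.

allow_ssh_request_out=true
allow_http_request_out=true
allow_smtp_request_out=true
allow_mail_request_out=true
# - ftp/tftp/telnet: cleartext protocols, consider "false" unless required.
allow_ftp_request_out=true
allow_tftp_request_out=true
allow_ntp_request_out=true
allow_timeserver_request_out=true
allow_pgpserver_request_out=true
allow_telnet_request_out=true
allow_whois_request_out=true
allow_cpan_wait_request_out=true
allow_hbci_request_out=true
allow_jabber_request_out=true
allow_silc_request_out=true
allow_irc_request_out=true
# - mysql/ipmi/remote console: out-of-band management and database access
# - to the Internet is rarely intended from a gateway -- review these.
allow_mysql_request_out=true
allow_ipmi_request_out=true
allow_remote_console_request_out=true
allow_mumble_request_out=true

# - Streaming and video conferencing
allow_outbound_streaming=true
allow_echo360_video_streaming=true
allow_bigbluebutton_video_conference_out=true
allow_ms_skype_teams_out=true
allow_webex_video_conference_out=true
allow_zoom_video_conference_out=true
allow_jitsi_video_conference_out=true
allow_alfaview_video_conference_out=true
allow_nc_turn_video_conference_out=true

# - File sharing and directory services towards the Internet
allow_samba_requests_out=true
allow_ldap_requests_out=true

# - VPN clients on this host
allow_vpn_out=true

# WireGuard
#
allow_wg_out=true

allow_cisco_vpn_out=true


# Gaming
#
# PlayStation (PS), Xbox, FIFA
#
allow_game_xbox_one_out=false
allow_game_xbox_360_out=false
allow_game_ps3_out=false
allow_game_ps4_out=false
allow_game_fifa21_out=false

# Gaming: Steam
#
allow_game_steam_out=false


# ---
# - Services allowed between local networks
# ---

# - These parameters are only considered if traffic between local
# - networks is not permitted in general, that is, if
# - 'permit_between_local_networks=false' (see below).
# -
allow_ssh_between_local_nets=true
allow_samba_between_local_nets=false
allow_ldap_between_local_nets=false
allow_printing_between_local_nets=true
allow_scanning_between_local_nets=true


# ---
# - Other Parameters
# ---

# - Permit Internet access to all machines on the local network.
# - Does not include this server itself.
# -
permit_local_net_to_inet=false

# - Do not block any traffic between local machines.
# - Setting this to "true" makes the '*_between_local_nets' switches above
# - irrelevant (see their comment).
# -
permit_between_local_networks=false

# - Do not block any ICMP traffic.
# - NOTE(review): "true" also admits ICMP types used for reconnaissance
# - (timestamp/address-mask requests) and redirects.  If the rule script
# - offers a type list, prefer allowing only what is needed (echo,
# - destination-unreachable, time-exceeded, fragmentation-needed).  For IPv6,
# - Neighbour Discovery and Packet-Too-Big must never be dropped.
# -
permit_all_icmp_traffic=true

# - Access to mail services (LAN and WAN) (pop/imap/smtps) from the local
# - (gateway) machine.
# -
# - Maybe useful for testing purposes with telnet or openssl.
# -
provide_mailservice_from_local=true

# - iPerf is a tool for active measurements of the maximum achievable bandwidth on IP networks.
# - It supports tuning of various parameters related to timing, buffers and protocols (TCP, UDP,
# - SCTP with IPv4 and IPv6). For each test it reports the bandwidth, loss, and other parameters.
# -
# - Keep this "false" outside of measurement windows: an iperf listener is an
# - open service that can be used to saturate the link.
# -
create_iperf_rules=false




# =============
# --- Router IPv4
# =============

# - Set to "true" to secure/tune the kernel (sysctl settings; the exact
# - list is in the rule script).
# -
adjust_kernel_parameters=true

# - Protection against several attacks
# -
protect_against_several_attacks=true

# Protection against SYN flooding
#
drop_syn_flood=true

# - I have to say that fragments scare me more than anything.
# - Sending lots of non-first fragments was what allowed Jolt2 to effectively "drown"
# - FireWall-1. Fragments can be overlapped, and the subsequent interpretation of such
# - fragments is very OS-dependent.
# - I am not going to trust any fragments.
# - Log fragments just to see if we get any, and deny them too.
# -
# - !! 'drop_fragments' does not work within Telekom mobile connections !!
# - (Dropping all fragments also breaks protocols that legitimately
# - fragment, e.g. large UDP datagrams such as DNS/EDNS replies and some
# - IKE/IPsec exchanges; if something stops working behind this gateway,
# - check here first.)
# -
drop_fragments=true

# Drop packets in state NEW that do not carry the SYN flag.
# (Such packets are never a valid connection start.)
#
drop_new_not_sync=true

# Drop packets the connection tracker classifies as INVALID.
#
# NOTE(review): this is "false" for IPv4 while the IPv6 counterpart
# 'drop6_invalid_state' below is "true".  INVALID packets are usually
# stray or forged segments; confirm the asymmetry is intended rather than
# an oversight.
#
drop_invalid_state=false

# Drop packets with unusual TCP flag combinations (e.g. NULL/XMAS scans).
#
drop_invalid_flags=true

# Refuse private and otherwise unroutable source addresses on external
# interfaces (anti-spoofing, "martians").
#
# Refuse packets claiming to be from:
#   - an RFC 1918 private network (10/8, 172.16/12, 192.168/16)
#   - the loopback range (127/8)
#   - a multicast address (224/4)
#   - the reserved range (240/4)
#   - the broadcast address
# (the exact list is built by the rule script, not here).
#
drop_spoofed=true

# Don't allow spoofing from this server: drop outgoing packets whose source
# address does not belong to the sending interface.
#
drop_spoofed_out=true

# Refuse packets arriving from outside that claim to be destined to the
# loopback range: they are never legitimate and, if accepted, reach
# services that only listen on localhost.
# (The original rationale was ICMP source quench; that message type is
# deprecated by RFC 6633 and ignored by current kernels, the martian
# argument above is the one that still applies.)
#
drop_ext_to_lo=true




# =============
# --- Router IPv6
# =============


# - Set to "true" to secure/tune the kernel (IPv6 sysctl settings).
# -
adjust6_kernel_parameters=true

# - Protection against several attacks
# -
protect6_against_several_attacks=true

# Protection against SYN flooding
#
drop6_syn_flood=true

# Drop packets in state NEW that do not carry the SYN flag.
#
drop6_new_not_sync=true

# Drop packets the connection tracker classifies as INVALID.
#
drop6_invalid_state=true

# Drop packets with unusual TCP flag combinations.
#
drop6_invalid_flags=true

# Refuse spoofed packets pretending to be from your own IP address.
#
drop6_from_own_ip=true

# Refuse private / unroutable source addresses (e.g. ULA fc00::/7, ::1,
# IPv4-mapped) on external interfaces.  As with 'drop_spoofed', the exact
# list lives in the rule script.
#
drop6_spoofed=true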