ipt-gateway/conf/main_ipv4.conf.sample


#!/usr/bin/env bash
## ---------------------------------------------------------
## --- Main Configurations Ipv4 Firewall Script ipt-firewall
## ---------------------------------------------------------
# =============
# --- Interfaces completely blocked
# =============
# - Interfaces to block (note: they will all be blocked)
# -
# - For Example: eth1 is used for DSL Line, that becomes an extra
# - interface (ppp-light). A further use of eth1 (which would
# - be possible) is not configured at time, so you can block it.
# -
blocked_ifs=""
# =============
# --- Block UPnP Ports
# =============
# - block_upnp_traffic_in
# -
# - Block UPnP traffic (extern) in
#
block_upnp_traffic_in=true
# - block_upnp_traffic_out
# -
# - Block UPnP traffic (extern) out
#
block_upnp_traffic_out=true
# =============
# --- Block UDP Ports out
# =============
# - UDP Ports to block (only extern out)
# -
# - Comma separated list of udp ports
# -
block_udp_extern_out_ports=""
# =============
# --- Block TCP Ports out
# =============
# - TCP Ports to block (only extern out)
# -
# - Comma separated list of tcp ports
# -
block_tcp_extern_out_ports=""
# =============
# --- Interfaces not firewalled
# =============
# - Note:
# - Can be (for example) an interface, whose (complete) traffic is
# - protected by a firewall on an other system in the local area
# -
# - Here: the static line castle stockhausen
# -
unprotected_ifs=""
# =============
# --- Networks not firewalled through extern interfaces
# =============
# - Allow these networks any access to the internet.
# -
# - Blank separated list of networks
# -
any_access_to_inet_networks=""
# - Allow these networks getting any access from the internet.
# -
# - Note:
# - =====
# - Traffic received on natted interfaces will be omitted!
# -
# - Blank separated list of networks
# -
any_access_from_inet_networks=""
# =============
# - Allow local services from ALL extern networks
# =============
# - allow_all_ext_traffic_to_local_service
# -
# - allow_all_ext_traffic_to_local_service="local-address:port:protocol [local-address:port:protocol] .."
# -
# - Note:
# - =====
# - - Only 'tcp' and 'udp' are allowed values for protocol.
# -
# - Example:
# - allow extern traffic to service at 83.223.73.210 on port 1036
# - allow extern traffic to https service at 83.223.73.204
# -
# - allow_all_ext_traffic_to_local_service="
# - 83.223.73.210:1036:tcp
# - 83.223.73.204:$standard_https_port:tcp
# - "
# -
# - Blank separated list
# -
allow_all_ext_traffic_to_local_service=""
# =============
# - Allow local services from given extern networks
# =============
# - allow_ext_net_to_local_service
# -
# - allow_ext_net_to_local_service="ext-net:local-address:port:protocol"
# -
# - Note:
# - =====
# - - Only 'tcp' and 'udp' are allowed values for protocol.
# - - Traffic received on natted interfaces will be omitted!
# -
# - Use this parameter to (only) give some local networks access to special local
# - services (but not for all local networks as you can configure later).
# -
# - If you plan to separate networks (see parameter 'separate_local_networks'), but
# - to allow these networks some special local services, you can also use this parameter.
# -
# - Example:
# - allow access from 194.150.169.139 to ssh service at 83.223.73.210 on port 1036
# - allow access from 86.73.85.0/24 to https service at 83.223.73.204
# -
# - allow_ext_net_to_local_service="194.150.169.139/32:83.223.73.210:1036:tcp
# - 86.73.85.0/24:83.223.73.204:$standard_https_port:tcp"
# -
# - Blank separated list
# -
allow_ext_net_to_local_service=""
# =============
# - Allow all traffic from extern address/network to local address/network
# =============
# - allow_ext_net_to_local_net
# -
# - allow_ext_net_to_local_net="<src-ext-net>:<dst-local-net> [<src-ext-net>:<dst-local-net>] [..]"
# -
# - All traffic from the given first network to the given second network is allowed
# -
# - Note:
# - =====
# - - Traffic received on natted interfaces will be omitted!
# - - If you want to allow both directions, you have to make two entries - one for every direction.
# -
# - Example:
# - allow_ext_net_to_local_net="86.223.85.0/24:86.223.73.192/26
# - 83.223.86.96/32:86.223.73.0/24"
# -
# - Blank separated list
# -
allow_ext_net_to_local_net=""
# =============
# - Block all extern traffic to (given) local network
# =============
# - block_all_ext_to_local_net
# -
# - block_all_ext_to_local_net="<local-net> [<local-net> [<local-net> .."
# -
# - Blocks all extern traffic to given local network(s)
# -
# - Note:
# - =====
# - - Traffic received on natted interfaces will be omitted!
# -
# - Example:
# - block_all_ext_to_local_net="83.223.73.32/29 83.223.73.48/29"
# -
# - Blank separated list
# -
block_all_ext_to_local_net=""
# =============
# - Allow all traffic from local ip to the internet
# =============
# - allow_local_ip_to_inet
# -
# - Blank separated list of ip-addresses
# -
allow_local_ip_to_inet=""
# =============
# - Allow local services from given local networks
# =============
# - allow_local_net_to_local_service
# -
# - allow_local_net_to_local_service="local-net:local-service:port:protocol"
# -
# - Only 'tcp' and 'udp' are allowed values for protocol.
# -
# - Use this parameter to (only) give some local networks access to special local
# - services (but not for all local networks as you can configure later).
# -
# - If you plan to separate local networks (see parameter 'separate_local_networks'), but
# - to allow these networks some special local services, you can also use this parameter.
# -
# - Example:
# - allow access from 10.113.0.0/16 to https service at 192.168.10.1
# - allow access from 10.113.0.0/16 to https service at 192.168.10.13
# -
# - allow_local_net_to_local_service="10.113.0.0/16:192.168.10.1:$standard_https_port:tcp
# - 10.113.0.0/16:192.168.10.13:$standard_https_port:tcp"
# -
# - Blank separated list
# -
allow_local_net_to_local_service=""
# =============
# - Allow all traffic from local network to local ip-address
# =============
# - allow_local_net_to_local_ip
# -
# - allow_local_net_to_local_ip="<src-local-net>:<dst-local-ip> [<src-local-net>:<dst-local-ip>] [..]"
# -
# - All traffic from the given network to the given ip address is allowed
# -
# - Example:
# - allow_local_net_to_local_ip="10.113.0.0/16:192.168.10.1
# - 10.113.0.0/16:192.168.10.13"
# -
# - Blank separated list
# -
allow_local_net_to_local_ip=""
# =============
# - Allow all traffic from local ip-address to local network
# =============
# - allow_local_ip_to_local_net
# -
# - allow_local_ip_to_local_net="<src-local-ip>:<dst-local-net> [<src-local-ip>:<dst-local-net>] [..]"
# -
# - All traffic from the given ip address to the given network is allowed
# -
# - Example:
# - allow_local_ip_to_local_net="192.168.10.9:10.10.10.0/24
# - 192.168.10.16:10.10.10.0/24"
# -
# - Blank separated list
# -
allow_local_ip_to_local_net=""
# =============
# - Allow all traffic from (one) local network to (another) local network
# =============
# - allow_local_net_to_local_net
# -
# - allow_local_net_to_local_net="<src-local-net>:<dst-local-net> [<src-local-net>:<dst-local-net>] [..]"
# -
# - All traffic from the given first network to the given second network is allowed
# -
# - Notice:
# - If you want to allow both directions, you have to make two entries - one for every direction.
# -
# - Example:
# - allow_local_net_to_local_net="192.168.11.0/24:10.10.11.0/24
# - 192.168.78.0/24:10.10.11.0/24"
# -
# - Blank separated list
# -
allow_local_net_to_local_net=""
# =============
# - Allow local ip address from given local interface
# =============
# - allow_local_if_to_local_ip
# -
# - All traffic from the given network interface to the given ip address is allowed
# -
# - Example:
# - allow_local_if_to_local_ip="${local_if_1}:192.168.10.1
# - ${local_if_2}:192.168.10.13"
# -
# - Blank separated list
# -
allow_local_if_to_local_ip=""
# =============
# - Allow extern service from given local interface
# =============
# - allow_local_if_to_ext_service
# -
# - allow_local_if_to_ext_service="<local-interface>:<extern-ip>:<ext-port>:<protocol> [.."
# -
# - All traffic from the given (local) network interface to the given (extern) service is allowed
# -
# - Example:
# - allow_local_if_to_ext_service="${local_if_1}:83.223.86.98:3306:tcp
# - ${local_if_2}:83.223.86.98:3306:tcp"
# -
# - Blank separated list
# -
allow_local_if_to_ext_service=""
# =============
# - Allow extern network from given local interface
# =============
# - allow_local_if_to_ext_net
# -
# - allow_local_if_to_ext_net="<local-interface>:<ext-network> [<local-interface>:<ext-network> [.."
# -
# - All traffic from the given (local) network interface to the given (extern) network is allowed
# -
# - Example:
# - allow_local_if_to_ext_net="${local_if_1}:83.223.86.98/32
# - ${local_if_2}:83.223.86.98/32"
# -
# - Blank separated list
# -
allow_local_if_to_ext_net=""
# =============
# - Allow extern service from given local network
# =============
# - allow_local_net_to_ext_service
# -
# - allow_local_net_to_ext_service="<local-net:ext-ip:port:protocol> [<local-net:ext-ip:port:protocol> [.."
# -
# - All traffic from the given (local) network to the given (extern) service is allowed
# -
# - Example:
# - allow_local_net_to_ext_service="192.168.63.0/24:83.223.86.98:3306:tcp
# - 192.168.64.0/24:83.223.86.98:3306:tcp"
# -
# - Blank separated list
# -
allow_local_net_to_ext_service=""
# =============
# - Allow extern network from given local network
# =============
# - allow_local_net_to_ext_net
# -
# - allow_local_net_to_ext_net="<local-net:ext-net> [<local-net:ext-net> [.."
# -
# - All traffic from the given (local) network to the given (extern) network is allowed
# -
# - Example:
# - allow_local_net_to_ext_net="192.168.63.0/24:83.223.86.98/32
# - 192.168.63.0/24:83.223.86.98/32"
# -
# - Blank separated list
# -
allow_local_net_to_ext_net=""
# =============
# - Allow extern service
# =============
# - allow_to_ext_service
# -
# - allow_to_ext_service="<ext-ip:port:protocol> [<ext-ip:port:protocol> [.."
# -
# - All traffic to the given (extern) service is allowed
# -
# - Example:
# - allow_to_ext_service="83.223.86.98:3306:tcp
# - 83.223.86.98:10194:udp"
# -
# - Blank separated list
# -
allow_to_ext_service=""
# =============
# - Allow extern network
# =============
# - allow_to_ext_net
# -
# - Allow all traffic to given extern network
# -
# - allow_to_ext_net="<ext-net> [<ext-net> [.."
# -
# - All traffic to the given (extern) network is allowed
# -
# - Example:
# - allow_to_ext_net="83.223.86.98/32
# - 83.223.86.101/32
# - 192.68.11.81/27"
# -
# - Blank separated list
# -
allow_to_ext_net=""
# =============
# --- Separate local Networks
# =============
# - Don't allow these networks any connections to other local networks
# -
# - Example:
# - separate_local_networks="10.113.1.0/24 10.113.2.0/24"
# -
# - Blank separated list
# -
separate_local_networks=""
# =============
# --- Separate local Interfaces
# =============
# - Don't allow these interfaces any connections to other local networks
# -
# - Example:
# - separate_local_ifs="$local_if_1 $local_if_2"
# -
separate_local_ifs=""
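# =============
# --- Traffic Shaping
# =============
# - Enable outbound traffic shaping on TC_DEV (true/false)
# -
TRAFFIC_SHAPING=false
# - Upstream line rate (unit as expected by the consuming tc script - TODO confirm)
# -
RATE_UP=10000
# - Shaping limit: 85 % of RATE_UP.
# - Integer arithmetic; dividing by 100 first keeps the result identical to
# - the previous 'expr' form for every RATE_UP (e.g. 10000 -> 8500).
LIMIT_UP=$(( RATE_UP / 100 * 85 ))
# - Per-class share: LIMIT_UP split over 7 classes (integer division)
LIMIT_CLASS=$(( LIMIT_UP / 7 ))
# - RTP / SIP / STUN parameters used by the shaping classes
# -
RTP_PORTS_START=49152
RTP_PORTS_END=49408
SIP_PORT_REMOTE=5060
SIP_PORT_LOCAL=5067
SIP_LOCAL_IP=192.168.63.240
STUN_PORTS=3478
# - Device to shape; $ext_if_dsl_1 must already be defined when this
# - file is sourced, otherwise TC_DEV is empty.
TC_DEV="$ext_if_dsl_1"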
# =============
# ---- Allow Forwarding (private) IPs / IP-Ranges
# =============
# - Maybe useful in case of virtual hosts with private addresses or
# - if using a vpn network to forward into private areas.
# -
# - Note: these rules take effect before the rules that protect against
# - unwanted packets, e.g. blocking private addresses on
# - external interfaces.
# -
# - Note: you can specify networks using CIDR notation
# - like "192.168.2.0/24"
# -
forward_private_ips=""
# =============
# --- Services local machine / local networks
# =============
# ======
# - IPv6 over IPv4 (SixXS)
# ======
local_sixxs_service=false
tic_server=tic.sixxs.net
six_pop_server=deham01.sixxs.net
# ======
# - VPN Service
# ======
# - VPN Service on Gateway?
# -
local_vpn_service=true
vpn_gw_ports="1194 1195 1196"
# - VPN Services DMZ (reachable also from WAN)
# -
# - vpn_server_dmz_arr=[<ip-address>]=<dsl-device>
# -
# - Note:
# - Each extern interface can have only one such service
# -
# - vpn_server_dmz_arr[192.168.10.1]=$ext_if_dsl_2
# - vpn_server_dmz_arr[192.168.10.13]=$ext_if_dsl_1
# -
# - Multiple settings of this parameter are possible
# -
declare -A vpn_server_dmz_arr
# - Local VPN Ports
# -
# - Blank separated list
# -
vpn_local_net_ports="1194"
# Remote VPN ports
#
vpn_out_ports="$standard_vpn_port"
# -----
# - Restrict VPN Network to local Service
# -----#
# - restrict_vpn_net_to_local_service
# -
# - restrict_vpn_net_to_local_service="vpn-net:local-address:port:protocol [vpn-net:local-address:port:protocol] [..]"
# -
# - Note:
# - =====
# - - Only 'tcp' and 'udp' are allowed values for protocol.
# -
# - Example:
# - restrict_vpn_net_to_local_service="
# - 10.100.112.0/24:192.168.112.192/27:80:tcp
# - 10.100.112.0/24:192.168.112.192/27:443:tcp
# - "
# -
# - Blank separated list
# -
restrict_vpn_net_to_local_service=""
# -----
# - Restrict VPN Network to local (Sub) network
# -----
# - restrict_vpn_net_to_local_subnet
# -
# - restrict_vpn_net_to_local_subnet="<src-vpn-net>:<dst-local-net> [<src-vpn-net>:<dst-local-net>] [..]"
# -
# - Example:
# - restrict_vpn_net_to_local_subnet="
# - 10.100.112.0/24:192.168.112.192/27
# - "
# -
# - Blank separated list
# -
restrict_vpn_net_to_local_subnet=""
# ======
# - WireGuard Service
# ======
# - WireGuard Service on Gateway?
# -
local_wg_service=true
wg_gw_ports="$standard_wg_port"
# - WireGuard Services DMZ (reachable also from WAN)
# -
# - wg_server_dmz_arr=[<ip-address>]=<dsl-device>
# -
# - Note:
# - Each extern interface can have only one such service
# -
# - wg_server_dmz_arr[192.168.10.1]=$ext_if_dsl_2
# - wg_server_dmz_arr[192.168.10.13]=$ext_if_dsl_1
# -
# - Multiple settings of this parameter are possible
# -
declare -A wg_server_dmz_arr
# - Local WireGuard Ports
# -
# - Blank separated list
# -
wg_local_net_ports="$standard_wg_port"
# Remote WireGuard Ports
#
wg_out_ports="$standard_wg_port"
# ======
# - Cisco VPN
# ======
cisco_vpn_out_ports="$standard_isakmp_port $standard_ipsec_nat_t"
cisco_vpn_out_protocol="esp"
# ======
# - DHCP Service
# ======
# - Is this Gateway a DHCP Client?
# -
# - dhcp_client_interfaces="<interface1> [<interface> [.."
# -
# - Example:
# - dhcp_client_interfaces="$ext_if_static_1"
# -
dhcp_client_interfaces=""
# - DHCP Server Gateway
# -
local_dhcp_service=true
# - Are DHCP Failover Servers present?
# -
# - Blank separated list
# -
dhcp_failover_server_ips=""
dhcp_failover_port=647
# ======
# - DNS Service
# ======
# - DNS Service Gateway
# -
local_dns_service=true
# - DNS Server local Networks
# -
# - Blank separated list
# -
dns_server_ips=""
# ======
# - SSH
# ======
# - SSH Service Gateway
# -
local_ssh_service=true
# - SSH Services local Networks
# -
# - Blank separated list
# -
ssh_server_only_local_ips=""
# - SSH Services DMZ (reachable also from WAN)
# -
# - ssh_server_dmz_arr[<ip-address>]=<extern-device>
# -
# - Note:
# - Each extern interface can have only one service on a certain port.
# -
# - ssh_server_dmz_arr[192.168.10.1]=$ext_if_dsl_2
# - ssh_server_dmz_arr[192.168.10.13]=$ext_if_dsl_1
# -
# - Multiple settings of this parameter are possible
# -
declare -A ssh_server_dmz_arr
# - SSH Ports used on Gateway and also local machines
# -
# - blank separated list
# -
ssh_ports="22"
# ======
# - HTTP(S) Service
# ======
# - HTTP(S) Service Gateway
# -
local_http_service=false
# - HTTP(S) Services only local Networks
# -
# - Blank separated list
# -
http_server_only_local_ips=""
# - HTTP(S) Services DMZ (reachable also from WAN)
# -
# - http_server_dmz_arr[<ip-address>]=<dsl-device>
# -
# - Note:
# - Each extern interface can have only one service on a certain port.
# -
# - Example:
# - Mail Server: 192.168.10.1 incoming on ppp-st ($ext_if_dsl_2)
# - Citrix Server: 192.168.10.13 incoming on ppp-surf1 ($ext_if_dsl_1)
# -
# - http_server_dmz_arr[192.168.10.1]=$ext_if_dsl_2
# - http_server_dmz_arr[192.168.10.13]=$ext_if_dsl_1
# -
# - WebServer Luna: 192.168.63.20 (ppp-ckubu = $ext_if_dsl_1)
# -
# - Multiple settings of this parameter are possible
# -
declare -A http_server_dmz_arr
# - HTTPS Services DMZ only port 443 (reachable also from WAN)
# -
# - http_ssl_server_dmz_arr[<ip-address>]=<dsl-device>
# -
# - Note:
# - Each extern interface can have only one such service
# -
# - Example:
# - Mail Server: 192.168.10.1 incoming on ppp-st ($ext_if_dsl_2)
# - Citrix Server: 192.168.10.13 incoming on ppp-surf1 ($ext_if_dsl_1)
# -
# - http_ssl_server_dmz_arr[192.168.10.1]=$ext_if_dsl_2
# - http_ssl_server_dmz_arr[192.168.10.13]=$ext_if_dsl_1
# -
# - Multiple settings of this parameter are possible
# -
declare -A http_ssl_server_dmz_arr
# - HTTP(S) Ports
# -
# - comma separated list
# -
http_ports="$standard_http_ports"
# ======
# - Mail Services
# ======
# - SMTP server (i.e. mail relay service) Gateway
# -
local_smtp_service=false
# - Mailserver (SMTP/POP/IMAP) Gateway
# -
# - NOT YET IMPLEMENTED
# -
local_mail_service=false
# - Mail Services smtp,smtps/pop(s)/imap(s) only local Networks
# -
# - comma separated list
# -
mail_server_only_local_ips=""
# - Mails Services DMZ smtp,smtps/pop(s)/imap(s) (reachable also from WAN)
# -
# - mail_server_dmz_arr[<ip-address>]=<dsl-device>
# -
# - Multiple declarations are possible
# -
# - Example:
# - Mail Server: 192.168.10.1 incoming on ppp-st ($ext_if_dsl_2)
# -
# - mail_server_dmz_arr[192.168.10.1]=$ext_if_dsl_2
# -
declare -A mail_server_dmz_arr
# - Mail client ports (smtps/pop(s)/imap(s))
# -
# - comma separated list
# -
mail_user_ports="$standard_mailuser_ports"
# - Mail Server (local Networks) SMTP Port
# -
mail_smtp_port="$standard_smtp_port"
# Additional Ports for outgoing smtp traffic
#
# comma separated list of ports
#
smtpd_additional_outgoung_ports=""
# ======
# - FTP Service
# ======
# - FTP Service Gateway
# -
local_ftp_service=false
# - FTP Server at local Networks
# -
# - comma separated list
# -
ftp_server_only_local_ips=""
# - FTP Service DMZ
# -
# - Note:
# - Each extern interface can have only one such service
# -
# - ftp_server_dmz_arr[<ip-address>]=<dsl-device>
# - ftp_passive_port_range=<first-port:last-port>
# -
declare -A ftp_server_dmz_arr
#ftp_server_dmz_arr[192.168.63.20]=$ext_if_dsl_1
ftp_passive_port_range="50000:50400"
# - FTP Ports
# -
# - Hard scripted:
# - FTP Control Port: 21
# - FTP Data Port: 20
# ======
# - TFTP Service Gateway
# ======
# - TFTP Server Gateway (Port udp 69)
local_tftp_service=false
# - TFTP Server at local Networks
# -
tftp_server_ips=""
# - TFTP Ports
# -
# - Note: its udp !
# -
tftp_udp_port=69
# ======
# - LDAP Service
# ======
# - Is this a LDAP Server ?
# -
local_ldap_service=false
# - LDAP Service local Networks
# -
# - Ports: 389 udp
# - 389 tcp
# -
# - Ports LDAP SSL: 636 tcp
# -
ldap_server_local_ips=""
ldap_udp_ports="389"
ldap_tcp_ports="389 636"
# ======
# - Samba Service
# ======
# - Samba Server Gateway
# -
local_samba_service=false
# - Samba Service
# -
# - Ports: 137,138 udp
# - 139,445 tcp
# -
samba_udp_ports="137:138"
samba_tcp_ports="137 138 139 445"
# - Samba Service local networks
# -
samba_server_local_ips=""
# - Samba Service DMZ
# -
# - samba_server_dmz_arr[<ip-address>]=<dsl-device>
# -
# - Note:
# - Each extern interface can have only one such service
# -
# - Multiple settings of this parameter are possible
# -
declare -A samba_server_dmz_arr
# ======
# - NTP Service
# ======
# - NTP Service Gateway
# -
local_ntp_service=true
# ======
# - SNMP Service
# ======
# - SNMP services local Networks
# -
# - Blank separated list of ip's
# -
snmp_server_ips=""
# - SNMP Port
# -
# - snmp_port Port Agent
# - snmp_trap_port Port Management Station
# -
snmp_port="$standard_snmp_port"
snmp_trap_port="$standard_snmp_trap_port"
# ======
# - FreeIPA Service
# ======
# - FreeIPA services local Networks
# -
freeipa_server_ips=""
# - FreeIPA (in) Ports
# -
freeipa_tcp_in_ports="$standard_freeipa_tcp_in_ports"
freeipa_udp_in_ports="$standard_freeipa_udp_in_ports"
# ======
# - Mumble Service
# ======
# - NOT YET IMPLEMENTED
# - Mumble ports
# -
mumble_ports="64738"
# ======
# - IP Camera
# ======
# - IP Camera Ports
# -
ip_camera_tcp_ports="$standard_ip_camera_tcp_ports"
ip_camera_udp_ports="$standard_ip_camera_udp_ports"
# ======
# - BigBlueButton Video Conference Service
# ======
# - BigBlueButton Video Conference Service Gateway
# -
# - NOT YET IMPLEMENTED
# -
local_bigbluebutton_video_conference_service=false
# - BigBlueButton Video Conference Service Ports
# -
# - TCP 80: Webinterface.
# - TCP 443: Webinterface (SSL)
# -
# - UDP 16384-32768: FreeSWITCH/HTML5 RTP streams
# -
bigbluebutton_tcp_ports="$standard_bigbluebutton_tcp_ports"
bigbluebutton_udp_ports="$standard_bigbluebutton_udp_ports"
# ======
# - Skype for Business Online und Microsoft Teams
# ======
# - Skype for Business Online und Microsoft Teams
# -
# - TCP 80,443
# -
# - UDP 3478,3479,3480,3481 --> 13.107.64.0/18, 52.112.0.0/14, 52.120.0.0/14
# -
# - Example:
# -
# - standard_ms_skype_teams_tcp_ports="80,443"
# - standard_ms_skype_teams_udp4_ports="3478,3479,3480,3481"
# - standard_ms_skype_teams_udp4_hosts="
# - 13.107.64.0/18
# - 52.112.0.0/14
# - 52.120.0.0/14
# - "
# -
# - Set to default values:
# - ms_skype_teams_tcp_ports="$standard_ms_skype_teams_tcp_ports"
# - ms_skype_teams_udp4_ports="$standard_ms_skype_teams_udp4_ports"
# - ms_skype_teams_udp4_hosts="$standard_ms_skype_teams_udp4_hosts"
# -
ms_skype_teams_tcp_ports="$standard_ms_skype_teams_tcp_ports"
ms_skype_teams_udp4_ports="$standard_ms_skype_teams_udp4_ports"
ms_skype_teams_udp4_hosts="$standard_ms_skype_teams_udp4_hosts"
# ======
# - Webex Meeting
# ======
# - Webex Meeting (Videokonferenz)
# -
# - TCP 80/443: Outbound Client Zugriffsport und Webes Events (Audiostreaming)
# -
# - UDP 9000: Outbound (VoIP and RTP)
# -
# - ---
# -
# - TCP 5004: Fall-back ports for media connectivity when UDP port 9000
# - is not open in the firewall
# -
webex_tcp_ports="$standard_webex_tcp_ports"
webex_udp_ports="$standard_webex_udp_ports"
webex_tcp_fall_back_ports="$standard_webex_tcp_fall_back_ports"
# ======
# - Zoom Meeting
# ======
# - Zoom Meeting - Video Conference Service
# -
# - TCP 80,443 A ll Zoom Clients and *.zoom.us
# - Meeting Connector
# -
# - TCP 443,8801,8802 All Zoom Clients MeetingConnector.IP
# - MeetingConnector.IP2
# - MeetingConnector2.IP
# - MeetingConnector2.IP2
# -
# - UDP 3478,3479,8801, All Zoom Clients MeetingConnector.IP
# - 8802 MeetingConnector.IP2
# - MeetingConnector2.IP
# - MeetingConnector2.IP2
# -
zoom_tcp_ports="$standard_zoom_tcp_ports"
zoom_udp_ports="$standard_zoom_udp_ports"
# ======
# - Jitsi Video Conference Service
# ======
# - Jitsi Video Conference Service Gateway
# -
# - NOT YET IMPLEMENTED
# -
local_jitsi_video_conference_service=false
# - Jitsi Video Conference Service Ports
# -
# - TCP 80: Webinterface.
# - TCP 443: Webinterface (SSL)
# -
# - UDP 10000-20000: Virtual Media for Remote Console
# -
jitsi_tcp_ports="$standard_jitsi_tcp_ports"
jitsi_udp_ports="$standard_jitsi_udp_ports"
# ======
# - alfaview - Video Conferencing Systems
# ======
# - alfaview Service Ports
# -
alfaview_tcp_ports="$standard_alfaview_service_tcp_ports"
alfaview_udp_ports="$standard_alfaview_service_udp_ports"
# ======
# - TURN Server (Stun Server) (for Nextcloud 'talk' app)
# ======
# - TURN Server (Stun Server) (for Nextcloud 'talk' app)
# -
# - NOT YET IMPLEMENTED
# -
local_nc_turn_service=""
# - Ports used by local TURN Server (Stun Server)
# -
# - comma separated list
# -
nc_turn_ports="$standard_nc_turn_ports"
nc_turn_udp_ports="$standard_nc_turn_udp_ports"
# ======
# - XyMon Service
# ======
# - XyMon Service Gateway (usually TCP port 1984)
# -
local_xymon_server=false
# - XyMon Service (usually TCP port 1984)
# -
# - Blank separated list of ip's
# -
xymon_server_ips=""
local_xymon_client=""
# - XyMon Ports
# -
xymon_port="$standard_xymon_port"
# ======
# - Munin Service
# ======
# - Munin Service Gateway (usually TCP port 4949)
# -
local_munin_server=false
# - If 'local_munin_server=' provide service also to inet?
# -
provide_munin_service_to_inet=true
munin_remote_port="4949"
# - Munin Server local Networks (usually TCP port 4949)
# -
# - Blank separated list
# -
munin_local_server_ips=""
# - Munin Remote Server
# -
# - Note:
# - The munin server itself initiates the connection to the concerning clients.
# - In case of natted (local) networks you also have to nat the incoming
# - requests from the munin server.
# -
# - Note:
# - Each extern interface can have only one such service
# -
# - munin_local_client_ip_arr[<ip-address>]=<dsl-device>
# -
# - Multiple settings of this parameter are possible
# -
#munin_remote_server="83.223.86.163"
munin_remote_server=""
# - Munin - clients on local network (server is $munin_remote_server)
# -
# - Example:
# - munin_local_client_ip_arr[192.168.63.20]=$ext_if_dsl_1
# -
declare -A munin_local_client_ip_arr
# - Munin Port
# -
munin_local_port=4949
# ======
# - Checkmk Monitoring Service (local network)
# ======
# - Checkmk Service Gateway (usually TCP port 6556)
# -
checkmk_service_gateway=false
# - Checkmk Server local Networks (usually TCP port 6556)
# -
# - Blank separated list
# -
checkmk_local_server_ips=""
# - checkmk Port
# -
checkmk_local_port="$standard_checkmk_port"
# ======
# - PowerChut Network Shutdown (PCNS)
# ======
# - PCNS local Services
# -
pcns_server_ips=""
# - local USV
# -
usv_ip=""
# - PCNS Ports
# -
# - Webinterface (https): tcp 6547
# - Connection usv: tcp/udp 3052
# -
pcns_tcp_port=3052
pcns_udp_port=3052
pcns_web_port=6547
# ======
# - Remote Console (VNC Service)
# ======
# - VNC Service local network
#
# - Blank separated list
# -
rm_server_ips=""
# - VNC Service DMZ
# -
# - Note:
# - Each extern interface can have only one such service
# -
# - rm_server_dmz_arr[<ip-address>]=<dsl-device>
# -
declare -A rm_server_dmz_arr
#rm_server_dmz_arr[192.168.63.20]=$ext_if_dsl_1
# - Remote Console (VNC) Port
# -
remote_console_port=5900
# ======
# - Ubiquiti Unifi
# ======
# - UniFi - Ports Used
# -
# - see: https://help.ui.com/hc/en-us/articles/218506997-UniFi-Ports-Used
# -
# - see: https://help.ui.com/hc/en-us/articles/218506997-UniFi-Ports-Used
# -
# - In version 4.5.2 and later, users can also define the port assigned to STUN services,
# - for scenarios where two or more separate UniFi instances are desired on the
# - same controller machine.
# -
# - unifi_stun_port=3478 # UDP port used for STUN
# - # Open Port from controller to Unifi APs
# -
# -
# - Ubiquity Networks uses port 10001/UDP for its AirControl
# - management discovery protocol
# -
# - unifi_aircontroll_port=10001
# -
# -
# - Since v3.2.9+ and v4.6.0+, two more ports are being reserved for device redirector.
# - There is no need to open firewall for these ports on controller. However, on
# - controller, avoid to use these ports:
# -
# - port 8881 for redirector port for wireless clients
# - port 8882 for redirector port for wired clients
# -
# -
# - For AP-EDU Broadcasts:
# -
# - UDP ports 5656-5699
# -
# -
# - Local IN Ports
# - ==============
# -
# - TCP
# - ===
# - TCP 8080 used for device and controller communication.
# - TCP 8443 used for controller GUI/API as seen in a web browser
# - TCP 8880 used for HTTP portal redirection.
# - TCP 8843 used for HTTPS portal redirection.
# - TCP 6789 used for UniFi mobile speed test.
# - TCP 27117 used for local-bound database communication.
# -
# - UDP
# - ====
# - UDP 3478 used for STUN.
# - UDP 5514 used for remote syslog capture.
# - UDP 5656-5699 used by AP-EDU broadcasting.
# - UDP 10001 used for device discovery
# - UDP 1900 used for "Make controller discoverable on L2 network" in controller settings.
# -
# -
# - OUT Ports Required for UniFi Remote Access
# - ==========================================
# -
# - TCP
# - ===
# - TCP 8883 used for Remote Access service.
# - TCP 443 used for Remote Access service.
# -
# - UDP
# - ===
# - UDP 3478 used for STUN.
# - UDP 443 used for Remote Access service.
# -
unifi_tcp_ctrl_in_ports="$standard_unifi_tcp_ctrl_in_ports"
unifi_udp_ctrl_in_ports="$standard_unifi_udp_ctrl_in_ports"
unifi_tcp_ctrl_out_ports="$standard_unifi_tcp_ctrl_out_ports"
unifi_udp_ctrl_out_ports="$standard_unifi_udp_ctrl_out_ports"
# - Unifi Controller at gateway?
# -
local_unifi_controller_service=false
# - Unifi Accesspoints (AP's) controlled by UniFi controller at Gateway
# -
unifi_ap_local_ips=""
# Note:
# in contrast to devices at local networks, devices hosted at an extern network
# are only seen if the device is listed in 'unifi_ap_extern_ips'
#
unifi_ap_extern_ips=""
# - UniFi Controllers on local network (other than this machine)
# -
unify_controller_local_net_ips=""
# ======
# - IPMI Tools
# ======
# - IPMI Tools local Networks
# -
# - Blank separated list
# -
ipmi_server_ips=""
# - IPMI Tools Port
# -
# - UDP 161: SNMP
# - UDP 623: Access IPMI Programms (as IPMIView or FreeIPMI)
# -
# - TCP 80: Webinterface.
# - TCP 161: SNMP
# - TCP 443: Webinterface (SSL)
# - TCP 623: Virtual Media for Remote Console
# - TCP 3520: "This is TCP Port 3520 which is also needed in addition to TCP port 5900 to be able to use iKVM."
# - TCP 5120: CD/USB
# - TCP 5123: Floppy
# - TCP 5900: KVM over IP
# - TCP 5901: Video for remote console
# - TCP 5985: Wsman
# -
ipmi_udp_ports="161 623"
ipmi_tcp_ports="80 161 443 623 3520 5120 5123 5900 5901 5985"
# =============
# - Rsync Out for given src ip-addresses
# =============
# - Rsync Protocol
# -
# - The given server address (from local network) can access rsyncd at (any) remote machine
# -
# - Needed for some integrated provider of clamav-unofficial-sigs
# -
rsync_out_ips=""
rsync_ports="873"
# - rsync out from this machine?
# -
local_rsync_out=false
# - forward rsync out for all machine's behind the firewall?
# -
forward_rsync_out=false
# =============
# - Printer
# =============
# - IP Addresses Printer
# -
# - Blank separated list
# -
printer_ips=""
# =============
# --- Scanner
# =============
# ======
# - Brother (brscan)
# ======
# - IP Addresses Brother Scanner
# -
# - Blank separated list
# -
brother_scanner_ips=""
brscan_port="$standard_brother_brscan_port"
# ======
# - Epson Network Scan
# ======
# - IP Addresses Epson Network Scanner
# -
# - Blank separated list
# -
epson_scanner_ips=""
epson_scan_port="$standard_epson_network_scan_port"
# =============
# --- Telefon Systems
# =============
# - IP Addresses Telephone Systems (Telefonanlagen)
# -
# - Don't forget to add the ip-addresses also to the http(s) service if the
# - systems provide webinterfaces!
# -
# - Blank separated list
# -
# - Blank separated list of telephone system addresses
tele_sys_ips=''
# - SIP server ports: remote side and local side
tele_sys_remote_sip_server_port='5060'
tele_sys_local_sip_server_port='5067'
# - Permit traffic directly between the telephone systems?
allow_between_tele_systems=false
# - VoIP ports: TFTP (69, phones fetching connection data / firmware updates),
# - the RTP range 5000:5099, 7775 and 32000:32512
VOIP_PORTS='69 5000:5099 7775 32000:32512'
#SIP_PORT_REMOTE=5060
#SIP_PORT_LOCAL=5067
#SIP_LOCAL_IP=192.168.63.240
#STUN_PORTS=3478
# - UDP VoIP ports (RTP range 5000:5099 and 7775)
udp_voip_ports='7775 5000:5099'
# =====
# - Telekom Internet TV (Entertain)
# =====
# - Telekom Entertain (IP TV), disabled by default. tv_ip is presumably the
# - TV receiver, tv_extern_if the provider-facing interface (eth2.8 looks like
# - a VLAN sub-interface - confirm) and tv_local_if the local side.
telekom_internet_tv=false
tv_ip='192.168.63.5'
tv_extern_if='eth2.8'
tv_local_if=$local_if_1
# =====
# --- Allow special TCP Ports (OUT)
# =====
# - TCP Ports
# -
# - Blank separated list of tcp ports
# -
tcp_out_ports=''
# =====
# --- Allow special UDP Ports (OUT)
# =====
# - UDP Ports
# -
# - Blank separated list of udp ports
# -
udp_out_ports=''
# ======
# - Other local Services
# ======
# - Further local services can be configured here, one entry per service:
# -
# - other_services="<ip-addr-of-service>:<port>:<protocol> [<ip-addr-of-service>:<port>:<protocol> [.."
# -
# - Blank separated list
# -
other_services=''
# =============
# --- Masquerading
# =============
# - Masquerade (NAT) networks
# -
# - nat_networks="<src-network>:<output-device> [<src-network>:<output-device>] [.."
# -
# - Multiple declarations (blank separated list) are possible
# -
# - Example:
# - nat_networks="172.16.1.0/24:${local_if_2}
# - 172.16.63.0/24:${ext_if_static_1}"
# -
# - 172.16.1.0/24 Rescue network (routers)
# -
nat_networks=''
# - Masquerade TCP connections
# -
# - masquerade_tcp_cons="<src-network>:<dst-host>:<dst-port>:<output-device> [<src-network>:<dst-host>:..]"
# -
# - Multiple declarations (blank separated list) are possible
# -
# - Example:
# -
# - masquerade_tcp_cons="192.168.63.0/24:192.168.62.244:80:${local_if_1}
# - 10.0.0.0/8:192.168.62.244:443:${local_if_1}"
# -
# - 192.168.64.55: Repeater TP-Link TL-WA850RE
# -
# - Blank separated list
# -
masquerade_tcp_cons=''
# - Masquerade UDP connections
# -
# - masquerade_udp_cons="<src-network>:<dst-host>:<dst-port>:<output-device> [<src-network>:<dst-host>: ..]"
# -
# - Example (same entry format as the TCP list):
# -
# - masquerade_udp_cons="192.168.63.0/24:192.168.62.244:123:${local_if_1}
# - 10.0.0.0/8:192.168.62.244:161:${local_if_1}"
# -
# - Blank separated list
# -
masquerade_udp_cons=''
# - Masquerade ICMP connections
# -
# - masquerade_icmp_cons="<src-network>:<dst-host> [<src-network>:<dst-host>] .."
# -
# - 192.168.81.249: Switch
# -
# - Blank separated list
# -
masquerade_icmp_cons=''
# =============
# --- Portforwarding
# =============
# - Portforwarding TCP
# -
# - portforward_tcp="<device-in>:<port-in>:<ip-to-forward>:<port-out>"
# -
# - Multiple declarations (blank separated list) are possible
# -
# - Example:
# - portforward_tcp="$ext_if_dsl_1:9997:192.168.52.25:22
# - $ext_if_dsl_1:9998:192.168.53.24:22"
# -
# - Blank separated list
# -
# - Every entry exposes an internal host on an extern interface; keep the list
# - limited to hosts that are meant to be reachable from outside.
portforward_tcp=''
# - Portforwarding UDP
# -
# - portforward_udp="<device-in>:<udp-port-in>:<ip-to-forward>:<udp-port-out>"
# -
# - Multiple declarations (blank separated list) are possible
# -
# - Example:
# - portforward_udp="$ext_if_dsl_1:1094:192.168.52.25:1094
# - $ext_if_dsl_1:9999:192.168.53.24:1095"
# -
# - Blank separated list
# -
portforward_udp=''
# =============
# - MAC Address Filtering
# =============
# - Source MAC addresses allowed to all destinations (gateway, remote, local
# - networks)
# -
# - Note: a MAC address is set by the client and can be changed, so these
# - lists are a convenience filter, not an authentication mechanism.
# -
# - Blank separated list
# -
allow_all_mac_src_addresses=''
# - Source MAC addresses allowed to local networks (gateway, local networks)
# -
# - Blank separated list
# -
allow_local_mac_src_addresses=''
# - Source MAC addresses allowed to remote networks
# -
# - Blank separated list
# -
allow_remote_mac_src_addresses=''
# =============
# - MAC Address Filtering Gaming Devices
# =============
# - MAC addresses listed here may only connect to the internet, NOT to local
# - services and networks
# -
# - Blank separated list
# -
gaming_device_mac_addresses=''
# =============
# - IP Address Filtering Gaming Devices
# =============
# - IP addresses listed here may only connect to the internet, NOT to local
# - services and networks
# -
# - Blank separated list
# -
gaming_device_ip_addresses=''
# =============
# --- Basic behavior - overwrites settings from 'default_basic_behavior.conf'
# =============
# ---
# - Services allowed out to the world wide web
# ---
#allow_samba_requests_out=true
# ---
# - Services allowed between local networks
# ---
# - These parameters are only considered if traffic
# - between local networks is not permitted, that is
# - if 'permit_between_local_networks=false' (see below).
# -
#allow_ssh_between_local_nets=true
#allow_samba_between_local_nets=false
#allow_ldap_between_local_nets=false
#allow_printing_between_local_nets=true
#allow_scanning_between_local_nets=true
# ---
# - Other Parameters
# ---
# - Permit internet access to all machines at local network
# - Does not include this server itself
# -
#permit_local_net_to_inet=false
# - Do not block any traffic between local machines
# -
#permit_between_local_networks=false
# - Do not block any ICMP traffic
# -
#permit_all_icmp_traffic=true
# - Access to Mailservices (LAN and WAN) (pop/imap/smtps) from local (gateway) machine.
# -
# - Maybe useful for testing purpose with telnet or openssl
# -
#provide_mailservice_from_local=true
# - iPerf is a tool for active measurements of the maximum achievable bandwidth on IP networks.
# - It supports tuning of various parameters related to timing, buffers and protocols (TCP, UDP,
# - SCTP with IPv4 and IPv6). For each test it reports the bandwidth, loss, and other parameters.
# -
#create_iperf_rules=false
# =============
# --- Block IP's / IP-Ranges
# =============
# - 222.184.0.0/13 CHINANET-JS
# - 61.160.0.0/16 - CHINANET-JS
# - 116.8.0.0/14 CHINANET-GX
# -
# - Blank separated list
# -
# - !! Moved to 'ban_ipv4.list'
# -
blocked_ips=""
# =============
# --- Block Ports on extern Interfaces
# =============
# - Generally (for all interfaces) block this ports
# -
# - Portmapper
# - tcp 111
# - udp 111
# -
# - Authentication tap ident
# - tcp 113
# -
# - Location Service
# - tcp 135
# -
# - Windows Stuff
# - tcp 137:139
# - udp 137:139
# - tcp 445
# -
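# - Generally (for all extern interfaces) block these ports:
# -
# -   tcp 111 / udp 111   Portmapper
# -   tcp 135             Location Service
# -   tcp 631             IPP / CUPS printing
# -
# - The Windows ports (tcp 137:139, 445 / udp 137:139) are only appended when
# - 'allow_samba_requests_out' is false. Ident (tcp 113) is not part of these
# - lists; see 'block_ident' below.
# -
block_tcp_ports="111 135 631"
block_udp_ports="111"
if ! $allow_samba_requests_out ; then
  # NB: extend the TCP list from block_tcp_ports, not block_udp_ports -
  # otherwise 135 and 631 silently disappear from the TCP block list.
  block_tcp_ports="$block_tcp_ports 137:139 445"
  block_udp_ports="$block_udp_ports 137:139"
fi
block_ident=true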
# =============
# - Packets not wanted on gateway on local Interfaces
# =============
# - Ports the gateway itself does not accept on local interfaces. The Windows
# - ports are only added when the gateway runs no samba service of its own.
not_wanted_on_gw_tcp_ports='111 113 135 631'
not_wanted_on_gw_udp_ports='111 631'
if ! $local_samba_service ; then
  not_wanted_on_gw_tcp_ports="${not_wanted_on_gw_tcp_ports} 137:139 445"
  not_wanted_on_gw_udp_ports="${not_wanted_on_gw_udp_ports} 137:139"
fi
# - Ident (tcp 113) is additionally handled by its own switch
not_wanted_ident=true
# =============
# --- Router
# =============
# - Set to "true" to secure/tune the kernel
# -
#adjust_kernel_parameters=true
# - Protection against several attacks
# -
#protect_against_several_attacks=true
# Protection against syn-flooding
#
#drop_syn_flood=false
# - I have to say that fragments scare me more than anything.
# - Sending lots of non-first fragments was what allowed Jolt2 to effectively "drown"
# - Firewall-1. Fragments can be overlapped, and the subsequent interpretation of such
# - fragments is very OS-dependent (see this paper for details).
# - I am not going to trust any fragments.
# - Log fragments just to see if we get any, and deny them too
# -
# - !! 'drop_fragments' does not work within telekom mobile connections !!
# -
#drop_fragments=true
# drop new packets without syn flag
#
#drop_new_not_sync=true
# drop invalid packets
#
#drop_invalid_state=true
# drop packets with unusual flags
#
#drop_invalid_flags=true
# Refuse private addresses on extern interfaces
#
# Refuse packets claiming to be from a
# Class A private network
# Class B private network
# Class C private network
# loopback interface
# Class D multicast address
# Class E reserved IP address
# broadcast address
#drop_spoofed=true
# Don't allow spoofing from that server
#
#drop_spoofed_out=true
# Refusing packets claiming to be to the loopback interface protects against
# source quench, whereby a machine can be told to slow itself down by an icmp source
# quench to the loopback.
#drop_ext_to_lo=true
# =============
# --- Kernel related - Adjust Kernel Parameters (Security/Tuning)
# =============
# - Activate forwarding
# -
# - Enable/disable forwarding to and between interfaces
# -
kernel_activate_forwarding=true
# - Activate kernel support for dynamic IP addresses
# - (not needed in case of static IP)
# -
# - see also https://www.frozentux.net/iptables-tutorial/other/ip_dynaddr.txt
# -
# - The values for the ip_dynaddr sysctl are [*]:
# -
# - 1: To enable:
# - 2: To enable verbosity:
# - 4: To enable RST-provoking:
# - 8: To enable asymmetric routing work-around [**]
# -
# - [*] At boot, by default no address rewriting is attempted.
# - [**] This code is currently totally untested.
# -
# - Flags can be combined by adding them. Common settings
# - would be:
# -
# - To enable rewriting in quiet mode:
# - # echo 1 > /proc/sys/net/ipv4/ip_dynaddr
# - To enable rewriting in verbose mode:
# - # echo 3 > /proc/sys/net/ipv4/ip_dynaddr
# - To enable quiet RST-provoking mode (1+4):
# - # echo 5 > /proc/sys/net/ipv4/ip_dynaddr
# - ...
# -
kernel_support_dynaddr=true
# - Value written to ip_dynaddr (see the flag table above; 5 = quiet
# - rewriting plus RST-provoking, 1+4)
dynaddr_flag='5'
# - Reduce DoS'ing ability by reducing timeouts
# -
kernel_reduce_timeouts=true
# - Harden the TCP/IP stack against SYN floods: SYN cookies mitigate the
# - common 'syn flood attack'
# -
kernel_tcp_syncookies=true
# - Protection against ICMP bogus error responses
# -
kernel_protect_against_icmp_bogus_messages=true
# - Ignore broadcast pings
# -
kernel_ignore_broadcast_ping=true
# - Deactivate source routed packets
# -
kernel_deactivate_source_route=true
# - Deactivate accepting ICMP redirects
# -
# - Note: IP TV requires sending ICMP redirects. So if IP TV is provided, this
# - parameter will be set to "false"
# -
# - ICMP redirects are used by routers to specify better routing paths out of
# - one network, based on the host choice, so basically they affect the way
# - packets are routed and their destinations.
# -
kernel_dont_accept_redirects=true
# - Activate reverse path filtering (anti-spoofing)
# -
# - Reverse path filtering helps ensure that packets use legitimate source
# - addresses by automatically rejecting source addresses that do not match
# - the network interface. This has security benefits because it prevents IP
# - spoofing. It has to be enabled for all net/ipv4/conf/*, otherwise source
# - validation is not fully functional.
# -
kernel_activate_rp_filter=true
# - Logging of spoofed ("source routed" and "redirect") packets
# -
# - Off by default; switching it on logs packets with impossible source
# - addresses (martians), which helps when investigating spoofing attempts.
kernel_log_martians=false