#!/usr/bin/env bash
|
|
|
|
## ---------------------------------------------------------
|
|
## --- Main Configurations Ipv6 Firewall Script ipt-firewall
|
|
## ---------------------------------------------------------
|
|
|
|
|
|
# =============
|
|
# --- Interfaces completely blocked
|
|
# =============
|
|
|
|
# - Interfaces to block (note: they will all be blocked)
|
|
# -
|
|
# - For Example: eth2 is used for DSL Line, that becomes an extra
|
|
# - interface (ppp-light). A further use of eth1 (which would
|
|
# - be possible) is not configured at time, so you can block it.
|
|
# -
|
|
# Blank separated list of interfaces to block entirely; empty means none.
blocked_ifs=''
|
|
|
|
|
|
|
|
# =============
|
|
# --- Block UPnP Ports
|
|
# =============
|
|
|
|
# - block_upnp_traffic_in
|
|
# -
|
|
# - Block UPnP traffic (extern) in
|
|
#
|
|
# Drop incoming UPnP traffic on the extern side (true/false).
block_upnp_traffic_in='true'
|
|
|
|
# - block_upnp_traffic_out
|
|
# -
|
|
# - Block UPnP traffic (extern) out
|
|
#
|
|
# Drop outgoing UPnP traffic on the extern side (true/false).
block_upnp_traffic_out='true'
|
|
|
|
|
|
|
|
# =============
|
|
# --- Block UDP Ports out
|
|
# =============
|
|
|
|
# - UDP Ports to block (only extern out)
|
|
# -
|
|
# - Comma separated list of udp ports
|
|
# -
|
|
# Comma separated UDP ports blocked for outgoing extern traffic; empty means none.
block_udp_extern_out_ports=''
|
|
|
|
|
|
# =============
|
|
# --- Block TCP Ports out
|
|
# =============
|
|
|
|
# - TCP Ports to block (only extern out)
|
|
# -
|
|
# - Comma separated list of tcp ports
|
|
# -
|
|
# Comma separated TCP ports blocked for outgoing extern traffic; empty means none.
block_tcp_extern_out_ports=''
|
|
|
|
|
|
|
|
# =============
|
|
# --- Interfaces not firewalled
|
|
# =============
|
|
|
|
# - Note:
|
|
# - Can be (for example) an interface, whose (complete) traffic is
|
|
# - protected by a firewall on an other system in the local area
|
|
# -
|
|
# - Here: the static line castle stockhausen
|
|
# -
|
|
# Interfaces whose traffic bypasses this firewall entirely (e.g. filtered
# elsewhere). Empty means every interface is firewalled.
unprotected_ifs=''
|
|
|
|
|
|
|
|
# =============
|
|
# --- Networks not firewalled through extern interfaces
|
|
# =============
|
|
|
|
# - Allow these networks any access to the internet.
|
|
# -
|
|
# - Blank separated list of networks
|
|
# -
|
|
# Blank separated networks that may reach the internet without restriction.
any_access_to_inet_networks=''
|
|
|
|
|
|
# - Allow these networks getting any access from the internet.
|
|
# -
|
|
# - Blank separated list of networks
|
|
# -
|
|
# Blank separated networks that the internet may reach without restriction
# (this fully exposes the listed networks; keep the list short).
any_access_from_inet_networks=''
|
|
|
|
|
|
|
|
# =============
|
|
# - Allow local services from ALL extern networks
|
|
# =============
|
|
|
|
# - allow_all_ext_traffic_to_local_service
|
|
# -
|
|
# - allow_all_ext_traffic_to_local_service="local-address,port,protocol [local-address,port,protocol] .."
|
|
# -
|
|
# - Note:
|
|
# - =====
|
|
# - - Only 'tcp' and 'udp' are allowed values for protocol.
|
|
# -
|
|
# - Example:
|
|
# - allow extern traffic to service at 2a01:30:1fff:fd00::210 on port 1036
|
|
# - allow extern traffic to https service at 2a01:30:1fff:fd00::204
|
|
# -
|
|
# - allow_ext_net_to_local_service="
|
|
# - 2a01:30:1fff:fd00::210,1036,tcp
|
|
# - 2a01:30:1fff:fd00::204,$standard_https_port,tcp
|
|
# - "
|
|
# -
|
|
# - Blank separated list
|
|
# -
|
|
# Blank separated "local-address,port,protocol" entries reachable from ALL
# extern networks (protocol: tcp or udp). Empty means nothing is exposed.
allow_all_ext_traffic_to_local_service=''
|
|
|
|
|
|
|
|
# =============
|
|
# - Allow local services from given extern networks
|
|
# =============
|
|
|
|
# - allow_ext_net_to_local_service
|
|
# -
|
|
# - allow_ext_net_to_local_service="ext-net,local-address,port,protocol"
|
|
# -
|
|
# - Only 'tcp' and 'udp' are allowed values for protocol.
|
|
# -
|
|
# - Use this parameter to (only) give some local networks access to special local
|
|
# - services (but not for all local networks as you can configure later).
|
|
# -
|
|
# - If you plan to separate networks (see parameter 'separate_local_networks'), but
|
|
# - to allow these networks some special local services, you can also use this parameter.
|
|
# -
|
|
# - Example:
|
|
# - allow access from 2001:6f8:107e:63::20/128 to ssh service at 2a01:30:1fff:fd00::210 on port 1036
|
|
# - allow access from 2a01:30:0:13:5054:ff:fe09:2318/64 to https service at 2a01:30:1fff:fd00::204
|
|
# -
|
|
# - allow_ext_net_to_local_service="2001:6f8:107e:63::20/128,2a01:30:1fff:fd00::210,1036,tcp
|
|
# - 2a01:30:0:13:5054:ff:fe09:2318/64,2a01:30:1fff:fd00::204,$standard_https_port,tcp"
|
|
# -
|
|
# - Blank separated list
|
|
# -
|
|
# Blank separated "ext-net,local-address,port,protocol" entries; each opens one
# local service to one extern network only (protocol: tcp or udp).
allow_ext_net_to_local_service=''
|
|
|
|
|
|
|
|
# =============
|
|
# - Allow all traffic from extern address/network to local address/network
|
|
# =============
|
|
|
|
# - allow_ext_net_to_local_net
|
|
# -
|
|
# - allow_ext_net_to_local_net="<src-ext-net>,<dst-local-net> [<src-ext-net>,<dst-local-net>] [..]"
|
|
# -
|
|
# - All traffic from the given first network to the given second network is allowed
|
|
# -
|
|
# - Example:
|
|
# - allow_ext_net_to_local_net="2a01:30:0:13:5054:ff:fe09:2318/64,2a01:30:1fff:fd00::0/64
|
|
# - 2001:6f8:107e:63::/64,2a01:30:ff:fd00::204/128"
|
|
# -
|
|
# - Blank separated list
|
|
# -
|
|
# Blank separated "<src-ext-net>,<dst-local-net>" pairs; all traffic from the
# first to the second network is allowed.
allow_ext_net_to_local_net=''
|
|
|
|
|
|
|
|
# =============
|
|
# - Block all extern traffic to (given) local network
|
|
# =============
|
|
|
|
# - block_all_ext_to_local_net
|
|
# -
|
|
# - block_all_ext_to_local_net="<local-net> [<local-net> [<local-net> .."
|
|
# -
|
|
# - Blocks all extern traffic to given local network(s)
|
|
# -
|
|
# - Example:
|
|
# - block_all_ext_to_local_net="2a01:30:1fff:fd01::1/64 2a01:30:1fff:fd04::1/64"
|
|
# -
|
|
# - Blank separated list
|
|
# -
|
|
# Blank separated local networks for which all extern traffic is blocked.
block_all_ext_to_local_net=''
|
|
|
|
|
|
|
|
# =============
|
|
# - Allow all traffic from local ip to the internet
|
|
# =============
|
|
|
|
# - allow_local_ip_to_inet
|
|
# -
|
|
# - Example:
|
|
# - allow_local_ip_to_inet="2a01:30:1fff:fd01::1/64 2a01:505:1fff:fd04::1"
|
|
# -
|
|
# - Blank separated list of ip-adresses
|
|
# -
|
|
# Blank separated local addresses/networks allowed any traffic to the internet.
allow_local_ip_to_inet=''
|
|
|
|
|
|
|
|
# =============
|
|
# - Allow local services from given local networks
|
|
# =============
|
|
|
|
# - allow_local_net_to_local_service
|
|
# -
|
|
# - allow_local_net_to_local_service="local-net,local-service,port,protocol"
|
|
# -
|
|
# - Only 'tcp' and 'udp' are allowed values for protocol.
|
|
# -
|
|
# - Use this parameter to (only) give some local networks access to special local
|
|
# - services (but not for all local networks as you can configure later).
|
|
# -
|
|
# - If you plan to separate local networks (see parameter 'separate_local_networks'), but
|
|
# - to allow these networks some special local services, you can also use this parameter.
|
|
# -
|
|
# - Example:
|
|
# - allow access from 2001:6f8:107e:64::/64 to https service at 2001:6f8:107e:63::20
|
|
# - allow access from 2001:6f8:107e:64::/64 to ssh service at 2001:6f8:107e:63::20
|
|
# -
|
|
# - allow_local_net_to_local_service="2001:6f8:107e:64::/64,2001:6f8:107e:63::20,$standard_https_port,tcp
|
|
# - 2001:6f8:107e:64::/64,2001:6f8:107e:63::20,$standard_ssh_port,tcp"
|
|
# -
|
|
# - Blank separated list
|
|
# -
|
|
# Blank separated "local-net,local-service,port,protocol" entries granting a
# local network access to one local service (protocol: tcp or udp).
allow_local_net_to_local_service=''
|
|
|
|
|
|
|
|
# =============
|
|
# - Allow all traffic from local network to local ip-address
|
|
# =============
|
|
|
|
# - allow_local_net_to_local_ip
|
|
# -
|
|
# - allow_local_net_to_local_ip="<src-local-net>,<dst-local-ip> [<src-local-net>,<dst-local-ip>] [..]"
|
|
# -
|
|
# - All traffic from the given network to the given ip address is allowed
|
|
# -
|
|
# - Example:
|
|
# - allow_local_net_to_local_ip="2001:6f8:107e:64::/64,2001:6f8:107e:63::20
|
|
# - 2001:6f8:107e:64::/64,2001:6f8:107e:63::10"
|
|
# -
|
|
# - Blank separated list
|
|
# -
|
|
# Blank separated "<src-local-net>,<dst-local-ip>" pairs; all traffic from the
# network to the address is allowed.
allow_local_net_to_local_ip=''
|
|
|
|
|
|
|
|
# =============
|
|
# - Allow all traffic from local ip-address to local network
|
|
# =============
|
|
|
|
# - allow_local_ip_to_local_net
|
|
# -
|
|
# - allow_local_ip_to_local_net="<src-local-ip>,<dst-local-net> [<src-local-ip>,<dst-local-net>] [..]"
|
|
# -
|
|
# - All traffic from the given ip address to the given network is allowed
|
|
# -
|
|
# - Example:
|
|
# - allow_local_ip_to_local_net="2001:6f8:107e:63::20,2001:6f8:107e:64::/64
|
|
# - 2001:6f8:107e:63::10,2001:6f8:107e:64::/64"
|
|
# -
|
|
# - Blank separated list
|
|
# -
|
|
# Blank separated "<src-local-ip>,<dst-local-net>" pairs; all traffic from the
# address to the network is allowed.
allow_local_ip_to_local_net=''
|
|
|
|
|
|
|
|
# =============
|
|
# - Allow all traffic from (one) local network to (another) local network
|
|
# =============
|
|
|
|
# - allow_local_net_to_local_net
|
|
# -
|
|
# - allow_local_net_to_local_net="<src-local-net>,<dst-local-net> [<src-local-net>,<dst-local-net>] [..]"
|
|
# -
|
|
# - All traffic from the given first network to the given second network is allowed
|
|
# -
|
|
# - Notice:
|
|
# - If you want to allow both directions, you have to make two entries - one for every direction.
|
|
# -
|
|
# - Example:
|
|
# - allow_local_net_to_local_net="2001:6f8:107e:64::/64,2001:6f8:107e:63::/64
|
|
# - 2001:6f8:107e:63::/64,2001:6f8:107e:64::/64"
|
|
# -
|
|
# - Blank separated list
|
|
# -
|
|
# Blank separated "<src-local-net>,<dst-local-net>" pairs, one direction each;
# add a reversed pair to allow the reply direction as well.
allow_local_net_to_local_net=''
|
|
|
|
|
|
|
|
# =============
|
|
# - Allow local ip address from given local interface
|
|
# =============
|
|
|
|
# - allow_local_if_to_local_ip
|
|
# -
|
|
# - All traffic from the given network interface to the given ip address is allowed
|
|
# -
|
|
# - Example:
|
|
# - allow_local_if_to_local_ip="${local_if_1},2001:6f8:107e:63::20
|
|
# - ${local_if_2},2001:6f8:107e:63::20"
|
|
# -
|
|
# - Blank separated list
|
|
# -
|
|
# Blank separated "<local-interface>,<local-ip>" pairs; all traffic from the
# interface to the address is allowed.
allow_local_if_to_local_ip=''
|
|
|
|
|
|
|
|
# =============
|
|
# - Allow extern service from given local interface
|
|
# =============
|
|
|
|
# - allow_local_if_to_ext_service
|
|
# -
|
|
# - allow_local_if_to_ext_service="<local-interface>,<extern-ip>,<ext-port>,<protocol> [.."
|
|
# -
|
|
# - All traffic from the given (local) network interface to the given (extern) service is allowed
|
|
# -
|
|
# - Example:
|
|
# - allow_local_if_to_ext_service="${local_if_1},2a01:30:0:13:211:84ff:feb7:7f9c,3306,tcp
|
|
# - ${local_if_2},2a01:30:0:13:211:84ff:feb7:7f9c,3306,tcp"
|
|
# -
|
|
# - Blank separated list
|
|
# -
|
|
# Blank separated "<local-interface>,<extern-ip>,<ext-port>,<protocol>" entries
# allowing one local interface to reach one extern service.
allow_local_if_to_ext_service=''
|
|
|
|
|
|
|
|
# =============
|
|
# - Allow extern network from given local interface
|
|
# =============
|
|
|
|
# - allow_local_if_to_ext_net
|
|
# -
|
|
# - allow_local_if_to_ext_net="<local-interface,ext-network> [<local-interface,ext-network> [.."
|
|
# -
|
|
# - All traffic from the given (local) network interface to the given (extern) network is allowed
|
|
# -
|
|
# - Example:
|
|
# - allow_local_if_to_ext_net="${local_if_1},2a01:30:0:13:211:84ff:feb7:7f9c/128
|
|
# - ${local_if_2},2a01:30:0:13:211:84ff:feb7:7f9c/128"
|
|
# -
|
|
# - Blank separated list
|
|
# -
|
|
# Blank separated "<local-interface>,<ext-network>" pairs; all traffic from the
# interface to the extern network is allowed.
allow_local_if_to_ext_net=''
|
|
|
|
|
|
|
|
# =============
|
|
# - Allow extern service from given local network
|
|
# =============
|
|
|
|
# - allow_local_net_to_ext_service
|
|
# -
|
|
# - allow_local_net_to_ext_service="<local-net,ext-ip,port,protocol> [<local-net,ext-ip,port,protocol> [.."
|
|
# -
|
|
# - All traffic from the given (local) network to the given (extern) service is allowed
|
|
# -
|
|
# - Example:
|
|
# - allow_local_net_to_ext_service="2003:ec:df10:49fd:fd34:b41c:c667:fe79/64,2a01:30:0:13:211:84ff:feb7:7f9c,3306,tcp
|
|
# - 2003:ec:df10:49fe:ec4:7aff:feac:5ece/64,2a01:30:0:13:211:84ff:feb7:7f9c,3306,tcp"
|
|
# -
|
|
# - Blank separated list
|
|
# -
|
|
# Blank separated "<local-net>,<ext-ip>,<port>,<protocol>" entries allowing one
# local network to reach one extern service.
allow_local_net_to_ext_service=''
|
|
|
|
|
|
|
|
# =============
|
|
# - Allow extern network from given local network
|
|
# =============
|
|
|
|
# - allow_local_net_to_ext_net
|
|
# -
|
|
# - allow_local_net_to_ext_net="<local-net,ext-net> [<local-net,ext-net> [.."
|
|
# -
|
|
# - All traffic from the given (local) network to the given (extern) network is allowed
|
|
# -
|
|
# - Example:
|
|
# - allow_local_net_to_ext_net="2003:ec:df10:49fd:fd34:b41c:c667:fe79/64,2a01:30:0:13:211:84ff:feb7:7f9c
|
|
# - 2003:ec:df10:49fe:ec4:7aff:feac:5ece/64,2a01:30:0:13:211:84ff:feb7:7f9c"
|
|
# -
|
|
# - Blank separated list
|
|
# -
|
|
# Blank separated "<local-net>,<ext-net>" pairs; all traffic from the local
# network to the extern network is allowed.
allow_local_net_to_ext_net=''
|
|
|
|
|
|
|
|
# =============
|
|
# - Allow extern service
|
|
# =============
|
|
|
|
# - allow_to_ext_service
|
|
# -
|
|
# - Allow all traffic to given extern service
|
|
# -
|
|
# - allow_to_ext_service="<ext-ip,port,protocol> [<ext-ip,port,protocol> [.."
|
|
# -
|
|
# - All traffic to the given (extern) service is allowed
|
|
# -
|
|
# - Example:
|
|
# - allow_to_ext_service="2a01:30:0:13:211:84ff:feb7:7f9c,3306,tcp
|
|
# - 2a01:30:0:13:211:84ff:feb7:7f9c,10194,tcp"
|
|
# -
|
|
# - Blank separated list
|
|
# -
|
|
# Blank separated "<ext-ip>,<port>,<protocol>" entries; all traffic to the
# extern service is allowed regardless of source.
allow_to_ext_service=''
|
|
|
|
|
|
|
|
# =============
|
|
# - Allow extern network
|
|
# =============
|
|
|
|
# - allow_to_ext_net
|
|
# -
|
|
# - Allow all traffic to given extern network
|
|
# -
|
|
# - allow_to_ext_net="<ext-net> [<ext-net> [.."
|
|
# -
|
|
# - All traffic to the given (extern) network is allowed
|
|
# -
|
|
# - Example:
|
|
# - allow_to_ext_net="2a01:30:0:13:211:84ff:feb7:7f9c/64
|
|
# - 2001:678:a40:3000::/64"
|
|
# -
|
|
# - Blank separated list
|
|
# -
|
|
# Blank separated extern networks; all traffic to them is allowed regardless
# of source.
allow_to_ext_net=''
|
|
|
|
|
|
|
|
# =============
|
|
# --- Separate local Networks
|
|
# =============
|
|
|
|
# - Don't allow these networks any connections to other local networks
|
|
# -
|
|
# - Example:
|
|
# - separate_local_networks="2001:6f8:107e:63::/64 2001:6f8:107e:64::/64"
|
|
# -
|
|
# - Blank separated list
|
|
# -
|
|
# Blank separated local networks that get no connections to other local networks.
separate_local_networks=''
|
|
|
|
|
|
|
|
# =============
|
|
# --- Separate local Interfaces
|
|
# =============
|
|
|
|
# - Don't allow these interfaces any connections to other local networks
|
|
# -
|
|
# - Example:
|
|
# - separate_local_ifs="$local_if_1 $local_if_2"
|
|
# -
|
|
# Blank separated local interfaces that get no connections to other local networks.
separate_local_ifs=''
|
|
|
|
|
|
|
|
# =============
|
|
# --- Traffic Shaping
|
|
# =============
|
|
|
|
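# - Traffic shaping on/off (true/false).
TRAFFIC_SHAPING=false

# - Uplink rate and the shaping ceiling derived from it: 85 % of RATE_UP.
# - Bash arithmetic replaces the former `expr` call: no external process,
# - no escaped `\*`, and no non-zero exit status when the result is 0 (which
# - would trip a caller running under `set -e`). Multiplying before dividing
# - keeps the full integer precision for rates that are not multiples of 100.
RATE_UP=10000
LIMIT_UP=$(( RATE_UP * 85 / 100 ))

# - Share of the ceiling per class: LIMIT_UP split in 7 (integer division).
LIMIT_CLASS=$(( LIMIT_UP / 7 ))

# - VoIP parameters used by the shaping rules: RTP port range, SIP ports,
# - the local SIP endpoint (site-specific, adjust for your deployment) and
# - the STUN port.
RTP_PORTS_START=49152
RTP_PORTS_END=49408
SIP_PORT_REMOTE=5060
SIP_PORT_LOCAL=5067
SIP_LOCAL_IP="2001:6f8:107e:63::240"
STUN_PORTS=3478

# - Device the shaper is attached to; ext_if_static_1 is presumably defined
# - by the main script before this configuration is sourced.
TC_DEV="${ext_if_static_1}"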
|
|
|
|
|
|
|
|
# =============
|
|
# ---- Allow Forwarding (private) IPs / IP-Ranges
|
|
# =============
|
|
|
|
# - Maybe useful in case of virtual hosts with private addresses or
|
|
# - if using a vpn network to forward into private areas.
|
|
# -
|
|
# - Note: these rules take effect before the rules that protect against
# - unwanted packets, e.g. blocking private addresses on
# - external interfaces.
|
|
# -
|
|
# - Note: you can specify networks using CIDR notation
|
|
# - like "192.168.2.0/24"
|
|
# -
|
|
# Private addresses/networks (CIDR allowed) that may be forwarded. These rules
# are inserted ahead of the anti-spoofing rules, so list only what you trust.
forward_private_ips=''
|
|
|
|
|
|
|
|
# =============
|
|
# --- Services local machine / local networks
|
|
# =============
|
|
|
|
# ======
|
|
# - IPv4 over IPv4
|
|
# ======
|
|
|
|
|
|
# ======
|
|
# - VPN Service
|
|
# ======
|
|
|
|
# - VPN Service on Gateway?
|
|
# -
|
|
# - Does this gateway run a VPN service itself, and on which ports
# - (blank separated list)?
local_vpn_service='true'
vpn_gw_ports='1194 1195 1196'

# - VPN servers in the DMZ (reachable also from WAN)
# -
# - vpn_server_dmz_arr[<ipv6-address>]=<extern-interface>
# -
# - Note:
# - Each extern interface can have only one such service.
# -
# - Example:
# - vpn_server_dmz_arr[2001:6f8:107e:63::20]=$ext_if_static_1
# - vpn_server_dmz_arr[2001:6f8:107e:63::40]=$ext_if_dsl_1
# -
# - Multiple settings of this parameter are possible
# -
declare -A vpn_server_dmz_arr

# - VPN ports offered to the local networks
# -
# - Blank separated list
# -
vpn_local_net_ports='1194'

# - Remote VPN ports (outgoing); standard_vpn_port is presumably set by the
# - main script before this file is sourced.
vpn_out_ports="${standard_vpn_port}"
|
|
|
|
|
|
# -----
|
|
# - Restrict VPN Network to local Service
|
|
# -----#
|
|
|
|
# - restrict_vpn_net_to_local_service
|
|
# -
|
|
# - restrict_vpn_net_to_local_service="vpn-net,local-address,port,protocol [vpn-net,local-address,port,protocol] [..]"
|
|
# -
|
|
# - Note:
|
|
# - =====
|
|
# - - Only 'tcp' and 'udp' are allowed values for protocol.
|
|
# -
|
|
# - Example:
|
|
# - restrict_vpn_net_to_local_service="
|
|
# - 2001:sc03:dd:bd2f:a63e:eb5f:86a5:d338/64,2003:ec:df3d:ffd:a63e:eb5f:86a5:d338/64,80,tcp
|
|
# - 2001:sc03:dd:bd2f:a63e:eb5f:86a5:d338/64,2003:ec:df3d:ffd:a63e:eb5f:86a5:d338/64,443,tcp
|
|
# - "
|
|
# -
|
|
# - Blank separated list
|
|
# -
|
|
# Blank separated "vpn-net,local-address,port,protocol" entries limiting a VPN
# network to the listed local services (protocol: tcp or udp).
restrict_vpn_net_to_local_service=''
|
|
|
|
|
|
# -----
|
|
# - Restrict VPN Network to local (Sub) network
|
|
# -----
|
|
|
|
# - restrict_vpn_net_to_local_subnet
|
|
# -
|
|
# - restrict_vpn_net_to_local_subnet="<src-vpn-net>,<dst-local-net> [<src-vpn-net>,<dst-local-net>] [..]"
|
|
# -
|
|
# - Example:
|
|
# - restrict_vpn_net_to_local_subnet="
|
|
# - 2001:sc03:dd:bd2f:a63e:eb5f:86a5:d338/64,2003:ec:df3d:ffd:a63e:eb5f:86a5:d338/64
|
|
# - "
|
|
# -
|
|
# - Blank separated list
|
|
# -
|
|
# Blank separated "<src-vpn-net>,<dst-local-net>" pairs limiting a VPN network
# to the listed local (sub)networks.
restrict_vpn_net_to_local_subnet=''
|
|
|
|
|
|
# ======
|
|
# - WireGuard Service
|
|
# ======
|
|
|
|
# - WireGuard Service on Gateway?
|
|
# -
|
|
# - Does this gateway run a WireGuard service itself, and on which ports?
local_wg_service='true'
wg_gw_ports="${standard_wg_port}"

# - WireGuard servers in the DMZ (reachable also from WAN)
# -
# - wg_server_dmz_arr[<ip-address>]=<dsl-device>
# -
# - Note:
# - Each extern interface can have only one such service.
# -
# - Example:
# - wg_server_dmz_arr[2001:6f8:107e:63::20]=$ext_if_dsl_2
# - wg_server_dmz_arr[2001:6f8:107e:63::40]=$ext_if_dsl_1
# -
# - Multiple settings of this parameter are possible
# -
declare -A wg_server_dmz_arr

# - WireGuard ports offered to the local networks
# -
# - Blank separated list
# -
wg_local_net_ports="${standard_wg_port}"

# - Remote WireGuard ports (outgoing)
# -
wg_out_ports="${standard_wg_port}"
|
|
|
|
|
|
# ======
|
|
# - Cisco VPN
|
|
# ======
|
|
|
|
# - Outgoing Cisco VPN: ISAKMP and IPsec NAT-T ports (blank separated) plus
# - the ESP protocol; the port defaults are presumably set by the main script.
cisco_vpn_out_ports="${standard_isakmp_port} ${standard_ipsec_nat_t}"
cisco_vpn_out_protocol='esp'
|
|
|
|
|
|
# ======
|
|
# - DHCP Service
|
|
# ======
|
|
|
|
# - Is this Gateway a DHCP Client?
|
|
# -
|
|
# - dhcp_client_interfaces="<interface1> [<interface> [.."
|
|
# -
|
|
# - Example:
|
|
# - dhcp_client_interfaces="$ext_if_static_1"
|
|
# -
|
|
# - Interfaces on which this gateway acts as DHCP client (blank separated);
# - ext_if_static_1 is presumably defined by the main script.
dhcp_client_interfaces="${ext_if_static_1}"

# - Does this gateway run a DHCP server?
# -
local_dhcp_service='true'

# - DHCP failover servers, if any
# -
# - Blank separated list
# -
dhcp_failover_server_ips=''

# - Port used between failover peers
dhcp_failover_port='647'
|
|
|
|
|
|
# ======
|
|
# - DNS Service
|
|
# ======
|
|
|
|
# - DNS Service Gateway
|
|
# - Does this gateway run a DNS service?
local_dns_service='true'

# - DNS servers in the local networks
# -
# - Blank separated list
dns_server_ips=''
|
|
|
|
|
|
# ======
|
|
# - SSH
|
|
# ======
|
|
|
|
# - SSH Service Gateway
|
|
# -
|
|
# - Does this gateway run an SSH service?
# -
local_ssh_service='true'

# - SSH servers reachable from the local networks only
# -
# - Blank separated list
# -
ssh_server_only_local_ips=''

# - SSH servers in the DMZ (reachable also from WAN)
# -
# - ssh_server_dmz_arr[<ip-address>]=<extern-device>
# -
# - Note:
# - Each extern interface can have only one service on a certain port.
# -
# - Example:
# - ssh_server_dmz_arr[2001:6f8:107e:63::20]=$ext_if_dsl_1
# -
# - Multiple settings of this parameter are possible
# -
declare -A ssh_server_dmz_arr

# - SSH ports
# -
# - blank separated list
# -
ssh_ports='22'
|
|
|
|
|
|
# ======
|
|
# - HTTP(S) Service
|
|
# ======
|
|
|
|
# - HTTP(S) Service Gateway
|
|
# -
|
|
# - Does this gateway run an HTTP(S) service?
# -
local_http_service='false'

# - HTTP(S) servers reachable from the local networks only
# -
# - Blank separated list
# -
http_server_only_local_ips=''

# - HTTP(S) servers in the DMZ (reachable also from WAN)
# -
# - http_server_dmz_arr[<ipv6-address>]=<extern-device>
# -
# - Example:
# -
# - http_server_dmz_arr[2001:6f8:107e:63::20]=$ext_if_static_1
# - http_server_dmz_arr[2001:6f8:107e:63::90]=$ext_if_static_1
# -
# - WebServer Luna: 2001:6f8:107e:63::20 (ppp-ckubu = $ext_if_dsl_1)
# -
# - Multiple settings of this parameter are possible
# -
declare -A http_server_dmz_arr

# - HTTPS servers in the DMZ, port 443 only (reachable also from WAN)
# -
# - http_ssl_server_dmz_arr[<ipv6-address>]=<extern-device>
# -
# - Example:
# - http_ssl_server_dmz_arr[2001:6f8:107e:63::20]=$ext_if_static_1
# - http_ssl_server_dmz_arr[2001:6f8:107e:64::90]=$ext_if_static_2
# -
# - Multiple settings of this parameter are possible
# -
declare -A http_ssl_server_dmz_arr

# - HTTP(S) ports
# -
# - comma separated list
# -
http_ports="${standard_http_ports}"
|
|
|
|
|
|
# ======
|
|
# - Mail Services
|
|
# ======
|
|
|
|
# - SMTP server (i.e. mail relay service) Gateway
|
|
# -
|
|
# - Does this gateway run an SMTP server (mail relay)?
# -
local_smtp_service='false'

# - Does this gateway run a full mail server (SMTP/POP/IMAP)?
# -
# - NOT YET IMPLEMENTED
# -
local_mail_service='false'

# - Mail servers (smtp, smtps, pop(s), imap(s)) reachable from the local
# - networks only
# -
# - comma separated list
# -
mail_server_only_local_ips=''

# - Mail servers (smtp, smtps, pop(s), imap(s)) in the DMZ (reachable also
# - from WAN)
# -
# - mail_server_dmz_arr[<ip-address>]=<extern-device>
# -
# - Multiple declarations are possible
# -
# - Example:
# - Mail Server: 2001:6f8:107e:63::20 incoming on ppp-st ($ext_if_static_1)
# -
# - mail_server_dmz_arr[2001:6f8:107e:63::20]=$ext_if_dsl_2
# -
declare -A mail_server_dmz_arr

# - Mail client ports (smtps, pop(s), imap(s))
# -
# - comma separated list
# -
mail_user_ports="${standard_mailuser_ports}"

# - SMTP port of the mail server(s) in the local networks
# -
mail_smtp_port="${standard_smtp_port}"

# - Additional ports for outgoing smtp traffic
# -
# - comma separated list of ports
# -
smtpd_additional_outgoung_ports=''
|
|
|
|
|
|
# ======
|
|
# - FTP Service
|
|
# ======
|
|
|
|
# - FTP Service Gateway
|
|
# -
|
|
# - Does this gateway run an FTP service?
# -
local_ftp_service='false'

# - FTP servers reachable from the local networks only
# -
# - comma separated list
# -
ftp_server_only_local_ips=''

# - FTP servers in the DMZ
# -
# - Note:
# - Each extern interface can have only one such service.
# -
# - ftp_server_dmz_arr[<ip-address>]=<extern-device>
# - ftp_passive_port_range=<first-port:last-port>
# -
declare -A ftp_server_dmz_arr
#ftp_server_dmz_arr[2001:6f8:107e:63::20]=$ext_if_static_1

# - Passive-mode data port range opened for the DMZ FTP servers
ftp_passive_port_range='50000:50400'
|
|
|
|
# - FTP Ports
|
|
# -
|
|
# - Hard-coded in the script:
|
|
# - FTP Control Port: 21
|
|
# - FTP Data Port: 20
|
|
|
|
|
|
# ======
|
|
# - TFTP Service Gateway
|
|
# ======
|
|
|
|
# - TFTP Server Gateway (Port udp 69)
|
|
# - Does this gateway run a TFTP server (udp port 69)?
local_tftp_service='false'

# - TFTP servers in the local networks
# -
tftp_server_ips=''

# - TFTP port
# -
# - Note: it is udp!
# -
tftp_udp_port='69'
|
|
|
|
|
|
# ======
|
|
# - LDAP Service
|
|
# ======
|
|
|
|
# - Is this a LDAP Server ?
|
|
# -
|
|
# - Is this gateway an LDAP server?
# -
local_ldap_service='false'

# - LDAP servers in the local networks and the ports they use:
# -   389 udp, 389 tcp (LDAP), 636 tcp (LDAP over SSL)
# -
ldap_server_local_ips=''
ldap_udp_ports='389'
ldap_tcp_ports='389 636'
|
|
|
|
|
|
# ======
|
|
# - Samba Service
|
|
# ======
|
|
|
|
# - Samba Server Gateway
|
|
# -
|
|
# - Does this gateway run a Samba server?
# -
local_samba_service='false'

# - Samba ports
# -
# - Ports: 137,138 udp
# -        139,445 tcp
# -
# - NOTE(review): the tcp list also carries 137 and 138, which the note above
# - assigns to udp, and the udp value uses range syntax while the tcp value
# - is blank separated — confirm both match what the rule generator expects.
samba_udp_ports='137:138'
samba_tcp_ports='137 138 139 445'

# - Samba servers in the local networks
# -
samba_server_local_ips=''

# - Samba servers in the DMZ
# -
# - Note:
# - Each extern interface can have only one such service.
# -
# - samba_server_dmz_arr[<ipv6-address>]=<extern-device>
# -
# - Multiple settings of this parameter are possible
# -
declare -A samba_server_dmz_arr
|
|
|
|
|
|
# ======
|
|
# - NTP Service
|
|
# ======
|
|
|
|
# - NTP Service Gateway
|
|
# -
|
|
# Does this gateway run an NTP service (true/false)?
local_ntp_service='true'
|
|
|
|
|
|
# ======
|
|
# - SNMP Service
|
|
# ======
|
|
|
|
# - SNMP services local Networks
|
|
# -
|
|
# - SNMP servers in the local networks
# -
snmp_server_ips=''

# - SNMP ports: snmp_port is the agent port, snmp_trap_port the management
# - station port; both default to the main script's standard values.
# -
snmp_port="${standard_snmp_port}"
snmp_trap_port="${standard_snmp_trap_port}"
|
|
|
|
|
|
# ======
|
|
# - FreeIPA Service
|
|
# ======
|
|
|
|
# - FreeIPA services local Networks
|
|
# -
|
|
# - FreeIPA servers in the local networks
# -
freeipa_server_ips=''

# - FreeIPA incoming ports (tcp and udp), from the main script's defaults
# -
freeipa_tcp_in_ports="${standard_freeipa_tcp_in_ports}"
freeipa_udp_in_ports="${standard_freeipa_udp_in_ports}"
|
|
|
|
|
|
|
|
# ======
|
|
# - Mumble Service
|
|
# ======
|
|
|
|
# - NOT YET IMPLEMENTED
|
|
|
|
# - Mumble ports
|
|
# -
|
|
# Mumble port(s); the Mumble rules are marked NOT YET IMPLEMENTED above.
mumble_ports='64738'
|
|
|
|
|
|
# ======
|
|
# - IP Camera
|
|
# ======
|
|
|
|
# - IP Camera Ports
|
|
# -
|
|
# - IP camera ports (tcp and udp), from the main script's defaults
ip_camera_tcp_ports="${standard_ip_camera_tcp_ports}"
ip_camera_udp_ports="${standard_ip_camera_udp_ports}"
|
|
|
|
|
|
# ======
|
|
# - BigBlueButton Video Conference Service
|
|
# ======
|
|
|
|
# - BigBlueButton Video Conference Service Gateway
|
|
# -
|
|
# - NOT YET IMPLEMENTED
|
|
# -
|
|
# - Does this gateway run a BigBlueButton service?
# -
# - NOT YET IMPLEMENTED
# -
local_bigbluebutton_video_conference_service='false'

# - BigBlueButton ports
# -
# - TCP 80: web interface
# - TCP 443: web interface (SSL)
# -
# - UDP 16384-32768: FreeSWITCH/HTML5 RTP streams
# -
bigbluebutton_tcp_ports="${standard_bigbluebutton_tcp_ports}"
bigbluebutton_udp_ports="${standard_bigbluebutton_udp_ports}"
|
|
|
|
|
|
# ======
|
|
# - Skype for Business Online and Microsoft Teams
|
|
# ======
|
|
|
|
# - Skype for Business Online and Microsoft Teams
|
|
# -
|
|
# - TCP 80,443
|
|
# -
|
|
# - Example:
|
|
# -
|
|
# - standard_ms_skype_teams_tcp_ports="80,443"
|
|
# - standard_ms_skype_teams_udp6_ports="3478,3479,3480,3481"
|
|
# - standard_ms_skype_teams_udp6_hosts="
|
|
# - 2a01:30:0:13:5054:ff:fe9f:422f/64
|
|
# - 2a01:4f8:231:19a7::2/52
|
|
# - "
|
|
# -
|
|
# - Set to default values:
|
|
# - ms_skype_teams_tcp_ports="$standard_ms_skype_teams_tcp_ports"
|
|
# - ms_skype_teams_udp6_ports="$standard_ms_skype_teams_udp6_ports"
|
|
# - ms_skype_teams_udp6_hosts="$standard_ms_skype_teams_udp6_hosts"
|
|
# -
|
|
# - Skype for Business / Teams: tcp ports, udp ports and the udp destination
# - hosts, all taken from the main script's defaults.
ms_skype_teams_tcp_ports="${standard_ms_skype_teams_tcp_ports}"
ms_skype_teams_udp6_ports="${standard_ms_skype_teams_udp6_ports}"
ms_skype_teams_udp6_hosts="${standard_ms_skype_teams_udp6_hosts}"
|
|
|
|
|
|
# ======
|
|
# - Webex Meeting
|
|
# ======
|
|
|
|
# - Webex Meeting (video conference)
|
|
# -
|
|
# - TCP 80/443: Outbound client access port and Webex Events (audio streaming)
|
|
# -
|
|
# - UDP 9000: Outbound (VoIP and RTP)
|
|
# -
|
|
# - ---
|
|
# -
|
|
# - TCP 5004: Fall-back ports for media connectivity when UDP port 9000
|
|
# - is not open in the firewall
|
|
# -
|
|
# - Webex: tcp ports, udp ports and the tcp fall-back ports used when the
# - udp media port is closed; all from the main script's defaults.
webex_tcp_ports="${standard_webex_tcp_ports}"
webex_udp_ports="${standard_webex_udp_ports}"

webex_tcp_fall_back_ports="${standard_webex_tcp_fall_back_ports}"
|
|
|
|
|
|
# ======
|
|
# - Zoom Meeting
|
|
# ======
|
|
|
|
# - Zoom Meeting - Video Conference Service
|
|
# -
|
|
# - TCP 80,443 All Zoom Clients and *.zoom.us
|
|
# - Meeting Connector
|
|
# -
|
|
# - TCP 443,8801,8802 All Zoom Clients MeetingConnector.IP
|
|
# - MeetingConnector.IP2
|
|
# - MeetingConnector2.IP
|
|
# - MeetingConnector2.IP2
|
|
# -
|
|
# - UDP 3478,3479,8801, All Zoom Clients MeetingConnector.IP
|
|
# - 8802 MeetingConnector.IP2
|
|
# - MeetingConnector2.IP
|
|
# - MeetingConnector2.IP2
|
|
# -
|
|
# - Zoom: tcp and udp ports from the main script's defaults
zoom_tcp_ports="${standard_zoom_tcp_ports}"
zoom_udp_ports="${standard_zoom_udp_ports}"
|
|
|
|
|
|
# ======
|
|
# - Jitsi Video Conference Service
|
|
# ======
|
|
|
|
# - Jitsi Video Conference Service Gateway
|
|
# -
|
|
# - NOT YET IMPLEMENTED
|
|
# -
|
|
# - Does this gateway run a Jitsi service?
# -
# - NOT YET IMPLEMENTED
# -
local_jitsi_video_conference_service='false'

# - Jitsi, outgoing only
# -
# - Ports:
# -
# - TCP 80: web interface
# - TCP 443: web interface (SSL)
# -
# - UDP 10000-20000: media
# -
# - comma separated list
# -
jitsi_tcp_ports="${standard_jitsi_tcp_ports}"
jitsi_udp_ports="${standard_jitsi_udp_ports}"
|
|
|
|
|
|
# ======
|
|
# - alfaview - Video Conferencing Systems
|
|
# ======
|
|
|
|
# - alfaview Service Ports
|
|
# -
|
|
# - alfaview: tcp and udp ports from the main script's defaults
alfaview_tcp_ports="${standard_alfaview_service_tcp_ports}"
alfaview_udp_ports="${standard_alfaview_service_udp_ports}"
|
|
|
|
|
|
# ======
|
|
# - TURN Server (Stun Server) (for Nextcloud 'talk' app)
|
|
# ======
|
|
|
|
# - TURN Server (Stun Server) (for Nextcloud 'talk' app)
|
|
# -
|
|
# - NOT YET IMPLEMENTED
|
|
# -
|
|
# - TURN/STUN server for the Nextcloud 'talk' app on this gateway
# -
# - NOT YET IMPLEMENTED (note: unlike the other service switches this one
# - is an empty string rather than true/false)
# -
local_nc_turn_service=''

# - Ports used by the local TURN/STUN server
# -
# - comma separated list
# -
nc_turn_ports="${standard_nc_turn_ports}"
nc_turn_udp_ports="${standard_nc_turn_udp_ports}"
|
|
|
|
|
|
# ======
|
|
# - XyMon Service
|
|
# ======
|
|
|
|
# - XyMon Service Gateway (usually TCP port 1984)
|
|
# -
|
|
# - Does this gateway run a XyMon server (usually TCP port 1984)?
# -
local_xymon_server='false'

# - XyMon servers in the local networks (usually TCP port 1984)
# -
# - Blank separated list of ip's
# -
xymon_server_ips=''
local_xymon_client=''

# - XyMon port
# -
xymon_port="${standard_xymon_port}"
|
|
|
|
|
|
# ======
|
|
# - Munin Service
|
|
# ======
|
|
|
|
# - Munin Service Gateway (usually TCP port 4949)
|
|
# -
|
|
# - Does this gateway run a Munin server (usually TCP port 4949)?
# -
local_munin_server='false'

# - If local_munin_server is enabled: offer the service to the internet too?
# -
provide_munin_service_to_inet='false'
munin_remote_port='4949'

# - Munin servers in the local networks (usually TCP port 4949)
# -
# - Blank separated list
# -
munin_local_server_ips=''

# - Remote Munin server
# -
# - Note:
# - The munin server itself initiates the connection to the clients.
# - For natted (local) networks you also have to nat the incoming
# - requests from the munin server.
# -
# - Note:
# - Each extern interface can have only one such service.
# -
# - munin_local_client_ip_arr[<ipv6-address>]=<extern-device>
# -
# - Multiple settings of this parameter are possible
# -
#munin_remote_server="2a01:30:1fff:a::163"
munin_remote_server=''

# - Munin clients on the local network (server is $munin_remote_server)
# -
# - Example:
# - munin_local_client_ip_arr[192.168.63.20]=$ext_if_dsl_1
# -
declare -A munin_local_client_ip_arr

# - Munin port
# -
munin_local_port='4949'
|
|
|
|
|
|
# ======
# - Checkmk Monitoring Service (local network)
# ======

# - Checkmk service on the gateway itself (usually TCP port 6556)
# -
checkmk_service_gateway='false'

# - Checkmk servers on the local networks (usually TCP port 6556)
# -
# - Blank separated list
# -
checkmk_local_server_ips=''

# - Checkmk port, taken from the standard settings (standard_checkmk_port)
# -
checkmk_local_port=${standard_checkmk_port}


# ======
# - PowerChute Network Shutdown (PCNS)
# ======

# - Local PCNS services
# -
pcns_server_ips=''

# - Local UPS (USV)
# -
usv_ip=''

# - PCNS ports
# -
# - Web interface (https): tcp 6547
# - Connection to the UPS: tcp/udp 3052
# -
pcns_web_port='6547'
pcns_udp_port='3052'
pcns_tcp_port='3052'


# ======
# - Remote Console (VNC Service)
# ======

# - VNC service on the local network
# -
# - Blank separated list
# -
rm_server_ips=''

# - VNC service in the DMZ
# -
# - Note:
# - Each extern interface can have only one such service
# -
# - rm_server_dmz_arr[<ip-address>]=<dsl-device>
# -
# - Multiple settings of this parameter are possible
# -
# - NOTE(review): an entry here makes the remote console reachable through an
# - extern interface; keep this list as short as possible.
# -
declare -A rm_server_dmz_arr

# - Remote Console (VNC) port
# -
remote_console_port='5900'


# ======
# - Ubiquiti UniFi
# ======

# - UniFi - Ports Used
# -
# - see: https://help.ui.com/hc/en-us/articles/218506997-UniFi-Ports-Used
# -
# - In version 4.5.2 and later, users can also define the port assigned to STUN
# - services, for scenarios where two or more separate UniFi instances are
# - desired on the same controller machine.
# -
# - unifi_stun_port=3478 # UDP port used for STUN
# -                      # Open port from controller to UniFi APs
# -
# - Ubiquiti Networks uses port 10001/UDP for its AirControl
# - management discovery protocol
# -
# - unifi_aircontroll_port=10001
# -
# - Since v3.2.9+ and v4.6.0+, two more ports are reserved for the device
# - redirector. There is no need to open the firewall for these ports on the
# - controller. However, on the controller, avoid using these ports:
# -
# - port 8881 redirector port for wireless clients
# - port 8882 redirector port for wired clients
# -
# - For AP-EDU broadcasts:
# -
# - UDP ports 5656-5699
# -
# - Local IN Ports
# - ==============
# -
# - TCP
# - ===
# - TCP 8080  used for device and controller communication.
# - TCP 8443  used for controller GUI/API as seen in a web browser
# - TCP 8880  used for HTTP portal redirection.
# - TCP 8843  used for HTTPS portal redirection.
# - TCP 6789  used for UniFi mobile speed test.
# - TCP 27117 used for local-bound database communication.
# -
# - UDP
# - ===
# - UDP 3478      used for STUN.
# - UDP 5514      used for remote syslog capture.
# - UDP 5656-5699 used by AP-EDU broadcasting.
# - UDP 10001     used for device discovery
# - UDP 1900      used for "Make controller discoverable on L2 network" in
# -               controller settings.
# -
# - OUT Ports Required for UniFi Remote Access
# - ==========================================
# -
# - TCP
# - ===
# - TCP 8883 used for Remote Access service.
# - TCP 443  used for Remote Access service.
# -
# - UDP
# - ===
# - UDP 3478 used for STUN.
# - UDP 443  used for Remote Access service.
# -
# - All four port lists are taken from the standard settings
# - (standard_unifi_*_ctrl_*_ports).
# -
unifi_udp_ctrl_in_ports=${standard_unifi_udp_ctrl_in_ports}
unifi_tcp_ctrl_in_ports=${standard_unifi_tcp_ctrl_in_ports}

unifi_udp_ctrl_out_ports=${standard_unifi_udp_ctrl_out_ports}
unifi_tcp_ctrl_out_ports=${standard_unifi_tcp_ctrl_out_ports}

# - UniFi controller at the gateway?
# -
local_unifi_controller_service='false'

# - UniFi access points (APs) controlled by the UniFi controller at the gateway
# -
unifi_ap_local_ips=''

# - Note:
# - In contrast to devices on local networks, devices hosted on an extern
# - network are only seen if the device is part of this list.
# -
# - NOTE(review): the original note referred to 'unifi_ap_extern_ip_arr';
# - the variable defined here is 'unifi_ap_extern_ips' - confirm which name
# - the rules consume.
# -
unifi_ap_extern_ips=''

# - UniFi controllers on the local network (other than this machine)
# -
# - NOTE(review): the name is spelled 'unify_...' (not 'unifi_...'); it is
# - kept as is because other parts of the script may read it under this name.
# -
unify_controller_local_net_ips=''




# ======
# - IPMI Tools
# ======

# - IPMI tools on the local networks
# -
# - Blank separated list
# -
ipmi_server_ips=''

# - IPMI tools ports
# -
# - UDP 161:  SNMP
# - UDP 623:  Access for IPMI programs (such as IPMIView or FreeIPMI)
# -
# - TCP 80:   Web interface.
# - TCP 161:  SNMP
# - TCP 443:  Web interface (SSL)
# - TCP 623:  Virtual media for the remote console
# - TCP 3520: "This is TCP Port 3520 which is also needed in addition to TCP port 5900 to be able to use iKVM."
# - TCP 5120: CD/USB
# - TCP 5123: Floppy
# - TCP 5900: KVM over IP
# - TCP 5901: Video for the remote console
# - TCP 5985: Wsman
# -
ipmi_tcp_ports='80 161 443 623 3520 5120 5123 5900 5901 5985'
ipmi_udp_ports='161 623'


# =============
# - Rsync Out for given src ip-addresses
# =============

# - Rsync protocol
# -
# - The given server addresses (from the local network) may access rsyncd on
# - (any) remote machine.
# -
# - Needed for some integrated providers of clamav-unofficial-sigs
# -
rsync_ports='873'
rsync_out_ips=''

# - rsync out from this machine?
# -
local_rsync_out='false'

# - Forward rsync out for all machines behind the firewall?
# -
forward_rsync_out='false'




# =============
# - Printer
# =============

# - IP addresses of printers
# -
# - Blank separated list
# -
printer_ips=''




# =============
# --- Scanner
# =============

# ======
# - Brother (brscan)
# ======

# - IP addresses of Brother scanners
# -
# - Blank separated list
# -
brother_scanner_ips=''

# - brscan port, taken from the standard settings (standard_brother_brscan_port)
# -
brscan_port=${standard_brother_brscan_port}

# ======
# - Epson Network Scan
# ======

# - IP addresses of Epson network scanners
# -
# - Blank separated list
# -
epson_scanner_ips=''

# - Epson network scan port, taken from the standard settings
# - (standard_epson_network_scan_port)
# -
epson_scan_port=${standard_epson_network_scan_port}




# =============
# --- Telephone Systems
# =============

# - IP addresses of telephone systems (Telefonanlagen)
# -
# - Don't forget to also add the IP addresses to the http(s) service if the
# - systems provide web interfaces!
# -
# - Blank separated list
# -
tele_sys_ips=''

# - SIP ports (remote server / local server) and traffic between the systems
# -
tele_sys_local_sip_server_port='5067'
tele_sys_remote_sip_server_port='5060'
allow_between_tele_systems='false'

# - VoIP port list
# -
# - TFTP=69 (used by telephones to fetch their connection data / firmware update)
# - RTP_PORTS= UDP, i.e. 5000:5099 here
# - RTP_PORTS_END=5099
# -
VOIP_PORTS='69 5000:5099 7775 32000:32512'
#SIP_PORT_REMOTE=5060
#SIP_PORT_LOCAL=5067
#SIP_LOCAL_IP=192.168.63.240
#STUN_PORTS=3478

# - UDP VoIP ports
# -
udp_voip_ports='7775 5000:5099'


# =====
# - Telekom Internet TV (Entertain)
# =====

# - Switch, receiver address and the interfaces used (extern / local)
# -
# - tv_local_if is taken from local_if_1
# -
telekom_internet_tv='false'
tv_local_if=${local_if_1}
tv_extern_if='eth2.8'
tv_ip=''


# =====
# --- Allow special TCP Ports (OUT)
# =====

# - TCP ports
# -
# - Blank separated list of tcp ports
# -
tcp_out_ports=''


# =====
# --- Allow special UDP Ports (OUT)
# =====

# - UDP ports
# -
# - Blank separated list of udp ports
# -
udp_out_ports=''



# ======
# - Other local Services
# ======

# - You can configure further local services here.
# -
# - other_services="<ip-addr-of-service>,<port>,<protocol> [<ip-addr-of-service>,<port>,<protocol> [.."
# -
# - Blank separated list
# -
other_services=''


# =============
# --- Destination NAT
# =============


# =============
# --- Portforwarding
# =============

# - Portforwarding TCP
# -
# - portforward_tcp="<device-in>,<port-in>,<ip-to-forward>,<port-out>"
# -
# - Multiple declarations are possible
# -
# - Example:
# - portforward_tcp="$ext_if_static_1,9997,2001:6f8:107e:63::20,22
# -                  $ext_if_static_1,9998,2001:6f8:107e:63::90,22"
# -
# - Blank separated list
# -
portforward_tcp=''

# - Portforwarding UDP
# -
# - portforward_udp="<device-in>,<udp-port-in>,<ip-to-forward>,<udp-port-out>"
# -
# - Multiple declarations are possible
# -
# - Example (the address must not contain a comma, it is the field separator):
# - portforward_udp="$ext_if_static_1,1094,2001:6f8:107e:63::90,1094
# -                  $ext_if_static_1,9999,2001:6f8:107e:63::90,1095"
# -
# - Blank separated list
# -
portforward_udp=''




# =============
# - MAC Address Filtering
# =============

# - NOTE(review): MAC-based allow lists are a weak control on their own,
# - since a sender can change its MAC address; combine them with the
# - IP/port rules of this file rather than relying on them alone.
# -

# - MAC addresses allowed to all destinations (gateway, remote, local networks)
# -
# - Blank separated list
# -
allow_all_mac_src_addresses=''

# - MAC addresses allowed to local networks (gateway, local networks)
# -
# - Blank separated list
# -
allow_local_mac_src_addresses=''

# - MAC addresses allowed to remote networks
# -
# - Blank separated list
# -
allow_remote_mac_src_addresses=''




# =============
# - MAC Address Filtering Gaming Devices
# =============

# - MAC addresses listed here are only allowed to connect to the internet,
# - but NOT to local services and networks
# -
# - Blank separated list
# -
gaming_device_mac_addresses=''


# =============
# - IP Address Filtering Gaming Devices
# =============

# - IP addresses listed here are only allowed to connect to the internet,
# - but NOT to local services and networks
# -
# - Blank separated list
# -
gaming_device_ip_addresses=''



# =============
# --- Basic behavior
# =============

# ===
# = Services allowed out to the world wide web
# ===

# default values: see default_basic_behavior.conf
#
# Only values deviating from the default values have to be specified here.


# ===
# = Services allowed between local networks
# ===

# default values: see default_basic_behavior.conf
#
# Only values deviating from the default values have to be specified here.


# ===
# = Other Parameters
# ===

# default values: see default_basic_behavior.conf
#
# Only values deviating from the default values have to be specified here.



# =============
# --- Block IP's / IP-Ranges
# =============

# - Blank separated list
# -
blocked_ips=''


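# =============
# --- Block Ports on extern Interfaces
# =============

# - Generally (for all extern interfaces) block these ports
# -
# - Portmapper
# - tcp 111
# - udp 111
# -
# - Authentication tap ident
# - tcp 113 (handled separately by 'block_ident' below)
# -
# - Location Service
# - tcp 135
# -
# - Printing (IPP)
# - tcp 631
# -
# - Windows stuff (only blocked if samba requests out are not allowed)
# - tcp 137:139
# - udp 137:139
# - tcp 445
# -
block_tcp_ports="111 135 631"
block_udp_ports="111"

# - Extend both lists with the SMB/NetBIOS ports unless samba requests
# - out are explicitly allowed.
# -
# - An unset or empty 'allow_samba_requests_out' counts as 'false', so the
# - ports stay blocked (fail closed) when the defaults were not loaded.
# -
# - The TCP list has to grow from the TCP list (not from the UDP list),
# - otherwise 135 and 631 would silently drop out of it.
# -
if ! "${allow_samba_requests_out:-false}" ; then
  block_tcp_ports="$block_tcp_ports 137:139 445"
  block_udp_ports="$block_udp_ports 137:139"
fi

# - Block ident (tcp 113) on extern interfaces
# -
block_ident=true

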
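# =============
# - Packets not wanted on gateway on local Interfaces
# =============

# - Ports that are not wanted on the gateway itself (local interfaces):
# - portmapper (111), ident (113), location service (135), printing (631)
# -
not_wanted_on_gw_tcp_ports="111 113 135 631"
not_wanted_on_gw_udp_ports="111 631"

# - Add the SMB/NetBIOS ports unless the gateway runs a samba service itself.
# -
# - An unset or empty 'local_samba_service' counts as 'false', so the ports
# - are rejected (fail closed) when the defaults were not loaded.
# -
if ! "${local_samba_service:-false}" ; then
  not_wanted_on_gw_tcp_ports="$not_wanted_on_gw_tcp_ports 137:139 445"
  not_wanted_on_gw_udp_ports="$not_wanted_on_gw_udp_ports 137:139"
fi

# - Ident (tcp 113) is not wanted on the gateway
# -
not_wanted_ident=true

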
# =============
# --- Router
# =============

# - Set to "true" to secure/tune the kernel
# -
#adjust6_kernel_parameters=true

# - Protection against several attacks
# -
#protect6_against_several_attacks=true

# Protection against syn-flooding
#
#drop6_syn_flood=false

# drop new packets without syn flag
#
#drop6_new_not_sync=true

# drop invalid packets
#
#drop6_invalid_state=true

# drop packets with unusual flags
#
#drop6_invalid_flags=true

# Refuse spoofed packets pretending to be from your IP address.
#
#drop6_from_own_ip=true

# Refuse private addresses on extern interfaces
#
#drop6_spoofed=true



# =============
# --- Kernel related - Adjust Kernel Parameters (Security/Tuning)
# =============

# - IP forwarding between interfaces
# -
# - NOTE(review): the original heading read "Disable ip forwarding", while the
# - flag name and its value 'true' read as "forwarding enabled" - confirm the
# - meaning against the code that applies this flag.
# -
kernel_forward_between_interfaces='true'

# - Deactivate source routed packets
# -
kernel_deactivate_source_route='true'

# - ICMP redirects
# -
# - ICMP redirects are used by routers to specify better routing paths out of
# - one network, based on the host choice, so basically it affects the way
# - packets are routed and destinations.
# -
# - NOTE(review): the original heading read "Deactivate sending ICMP
# - redirects", the flag name says "don't accept" - confirm which sysctl the
# - consumer of this flag sets.
# -
kernel_dont_accept_redirects='true'
