New: allow_all_outgoing_traffic (true/false)

conf/load_modules_ipv4.conf

@@ -55,5 +55,5 @@ nf_nat_ftp
 # - Note: 
 # -    netfilter userspace logging daemon (ulogd/ulogd2) is required
 # -
-nf_log
+nf_log_common
 nf_log_ipv4

conf/load_modules_ipv6.conf

@@ -7,3 +7,6 @@ ip6table_filter
 ip6t_REJECT
 
 ip6table_mangle
+
+nf_log_common
+nf_log_ipv6

conf/main_ipv4.conf.sample

@@ -5,6 +5,46 @@
 ## --- Main Configurations Ipv4 Firewall Script ipt-firewall-server
 ## ----------------------------------------------------------------
 
+
+# -------------
+# --- Define Ports for Services
+# -------------
+
+# - Web Server Ports
+# -
+http_ports="80,443"
+
+# - FTP Servers Passive Portrange
+# -
+ftp_passive_port_range="50000:50400"
+
+# - Mail Client Ports (Submission/SMTPS/POPS/IMAPS)
+# -
+mail_user_ports="587,465,110,995,143,993"
+
+# - SSH Ports
+# -
+# - comma separated list
+ssh_ports="22"
+
+# - VPN Service
+vpn_ports="1194 1195"
+
+# - Mumble Server
+# -
+mumble_ports="64738"
+
+# - XyMon Service (usually TCP port 1984)
+# -
+# - NOT YET IMPLEMENTED
+# -
+xymon_port=1984
+
+# - Munin Server Port (usually TCP port 4949)
+# -
+munin_remote_port="4949"
+
+
 # -------------
 # --- Prevent bridged traffic getting pushed through the host's iptables rules
 # -------------
@@ -16,6 +56,17 @@
 do_not_firewall_bridged_traffic=false
 
 
+# -------------
+# --- Allow all outgoing traffic
+# -------------
+
+# - unprotected_ifs
+# - 
+# - Posiible values are 'true' and 'false'
+# -
+allow_all_outgoing_traffic=false
+
+
 # -------------
 # --- Interfaces completly blocked
 # -------------
@@ -58,45 +109,6 @@ unprotected_ifs=""
 forward_private_ips=""
 
 
-# -------------
-# --- Define Ports for Services
-# -------------
-
-# - Web Server Ports
-# -
-http_ports="80,443"
-
-# - FTP Servers Passive Portrange
-# -
-ftp_passive_port_range="50000:50400"
-
-# - Mail Client Ports (Submission/SMTPS/POPS/IMAPS)
-# -
-mail_user_ports="587,465,110,995,143,993"
-
-# - SSH Ports
-# -
-# - comma separated list
-ssh_ports="22"
-
-# - VPN Service
-vpn_ports="1194 1195"
-
-# - Mumble Server
-# -
-mumble_ports="64738"
-
-# - XyMon Service (usually TCP port 1984)
-# -
-# - NOT YET IMPLEMENTED
-# -
-xymon_port=1984
-
-# - Munin Server Port (usually TCP port 4949)
-# -
-munin_remote_port="4949"
-
-
 # -------------
 # ---- Restrict local Servive to given (extern) IP-Address/Network
 # -------------

conf/main_ipv6.conf.sample

@@ -35,6 +35,17 @@ loopback="::1/128"
 do_not_firewall_bridged_traffic=false
 
 
+# -------------
+# --- Allow all outgoing traffic
+# -------------
+
+# - unprotected_ifs
+# - 
+# - Posiible values are 'true' and 'false'
+# -
+allow_all_outgoing_traffic=false
+
+
 # -------------
 # --- Interfaces completly blocked
 # -------------

ip6t-firewall-server

@@ -780,6 +780,23 @@ fi
 echo_done
 
 
+# -------------
+# --- Allow all outgoing traffic
+# -------------
+echononl "\tAllow all outgoing traffic.."
+if [[ -n "$allow_all_outgoing_traffic" ]] && $allow_all_outgoing_traffic ; then
+   for _dev in ${ext_if_arr[@]} ; do
+      $ip6t -A OUTPUT -o $_dev -p ALL -m conntrack --ctstate NEW -j ACCEPT
+      if $kernel_forward_between_interfaces ; then
+         $ip6t -A FORWARD -o $_dev -p ALL -m conntrack --ctstate NEW -j ACCEPT
+      fi
+   done
+   echo_done
+else
+   echo_skipped
+fi
+
+
 # ---
 # - Permit all traffic through VPN lines
 # ---

ipt-firewall-server

@@ -1016,6 +1016,29 @@ fi
 echo_done
 
 
+# -------------
+# --- Allow all outgoing traffic
+# -------------
+echononl "\tAllow all outgoing traffic.."
+if [[ -n "$allow_all_outgoing_traffic" ]] && $allow_all_outgoing_traffic ; then
+   for _dev in ${ext_if_arr[@]} ; do
+      $ipt -A OUTPUT -o $_dev -p ALL -m conntrack --ctstate NEW -j ACCEPT
+      if $kernel_activate_forwarding ; then
+         $ipt -A FORWARD -o $_dev -p ALL -m conntrack --ctstate NEW -j ACCEPT
+      fi
+   done
+   echo_done
+else
+   echo_skipped
+fi
+
+# - unprotected_ifs
+# - 
+# - Posiible values are 'true' and 'false'
+# -
+allow_all_outgoing_traffic=false
+
+
 # ---
 # - Permit all traffic through VPN lines
 # ---