LDAP(S): forgot to configure ldap/ldaps standard ports.

README.install

@@ -18,7 +18,7 @@ cp -a /usr/local/src/ipt-server/ip6t-firewall-server /usr/local/sbin/
 # -
 mkdir /etc/ipt-firewall
 
-cp /usr/local/src/ipt-server/conf/default_ports.conf \
+cp /usr/local/src/ipt-server/conf/default_settings.conf \
    /usr/local/src/ipt-server/conf/include_functions.conf \
    /usr/local/src/ipt-server/conf/load_modules_ipv4.conf \
    /usr/local/src/ipt-server/conf/load_modules_ipv6.conf \

conf/ban_ipv4.list.sample

@@ -20,3 +20,17 @@
 # -    79.171.81.0/255.255.255
 # -    79.171.81
 
+# CHINANET-JS
+222.184.0.0/13 
+61.160.0.0/16
+
+# CHINANET-GX
+116.8.0.0/14
+
+# BAIDU-HK - Hong Kong
+103.235.44.0/22
+# UNICOM-HE - China Unicom Hebei province network
+110.240.0.0/12
+# CMNET - China Mobile Communications Corporation
+39.128.0.0/10
+

conf/default_settings.conf

@@ -1,5 +1,12 @@
 #!/usr/bin/env bash
 
+# -------------
+# --- Default Parameter / Options
+# -------------
+
+default_per_IP_connection_limit=111
+
+
 # -------------
 # --- Default Ports for Services out
 # -------------
@@ -18,6 +25,10 @@ standard_ident_port=113
 standard_ipp_port=631
 standard_irc_port=6667
 standard_jabber_port=5222
+standard_ldap_port=389
+standard_ldaps_port=636
+standard_mdns_port=5353
+standard_mndp_port=5678
 standard_mumble_port=64738
 standard_munin_port=4949
 standard_mysql_port=3306
@@ -39,6 +50,10 @@ standard_wireguard_port=51820
 standard_whois_port=43
 standard_xymon_port=1984
 
+# - Prometheus services
+# -
+standard_prometheus_ports="9100,9256"
+
 # - Mattermost (MM) Service
 # -
 stansard_mattermost_udp_ports_in="8443"

conf/include_functions.conf

@@ -65,4 +65,20 @@ containsElement () {
    return 1
 }
 
+is_number() {
+
+   return $(test ! -z "${1##*[!0-9]*}" > /dev/null 2>&1);
+
+   # - also possible
+   # -
+   #[[ ! -z "${1##*[!0-9]*}" ]] && return 0 || return 1
+   #return $([[ ! -z "${1##*[!0-9]*}" ]])
+}
+
+trim() {
+    local var="$*"
+    var="${var#"${var%%[![:space:]]*}"}"   # remove leading whitespace characters
+    var="${var%"${var##*[![:space:]]}"}"   # remove trailing whitespace characters
+    echo -n "$var"
+}
 

conf/interfaces_ipv4.conf.sample

@@ -33,7 +33,7 @@ local_ifs="$local_if_1 $local_if_2 $local_if_3"
 
 
 # -------------
-# --- Network Interfaces
+# --- IP-Addresses
 # -------------
 
 # - Extern IP Addresses on this Host
@@ -52,7 +52,33 @@ local_1_ip=""
 # NOT IN USE
 local_2_ip=""
 # NOT IN USE
-local_2_ip=""
+local_3_ip=""
+
+local_ips="$local_1_ip $local_2_ip $local_3_ip"
+
+
+# -------------
+# --- IP-Addresses LXC Guest sSystems
+# -------------
+
+# for _guest in $(lxc-ls) ; do echo ; lxc-info -n $_guest | grep -E "(IP:|Name:)" ; done
+
+# NOT IN USE
+lxc_guest_1_ip=""
+# NOT IN USE
+lxc_guest_2_ip=""
+# NOT IN USE
+lxc_guest_3_ip=""
+# NOT IN USE
+lxc_guest_4_ip=""
+# NOT IN USE
+lxc_guest_5_ip=""
+# NOT IN USE
+lxc_guest_6_ip=""
+# NOT IN USE
+lxc_guest_7_ip=""
+
+lxc_guest_ips="$lxc_guest_1_ip $lxc_guest_2_ip $lxc_guest_3_ip $lxc_guest_4_ip $lxc_guest_5_ip $lxc_guest_6_ip $lxc_guest_7_ip"
 
 
 # - Devices given in list "nat_devices" will be natted

conf/interfaces_ipv6.conf.sample

@@ -52,7 +52,33 @@ local_1_ip=""
 # NOT IN USE
 local_2_ip=""
 # NOT IN USE
-local_2_ip=""
+local_3_ip=""
+
+local_ips="$local_1_ip $local_2_ip $local_3_ip"
+
+
+# -------------
+# --- IP-Addresses LXC Guest sSystems
+# -------------
+
+# for _guest in $(lxc-ls) ; do echo ; lxc-info -n $_guest | grep -E "(IP:|Name:)" ; done
+
+# NOT IN USE
+lxc_guest_1_ip=""
+# NOT IN USE
+lxc_guest_2_ip=""
+# NOT IN USE
+lxc_guest_3_ip=""
+# NOT IN USE
+lxc_guest_4_ip=""
+# NOT IN USE
+lxc_guest_5_ip=""
+# NOT IN USE
+lxc_guest_6_ip=""
+# NOT IN USE
+lxc_guest_7_ip=""
+
+lxc_guest_ips="$lxc_guest_1_ip $lxc_guest_2_ip $lxc_guest_3_ip $lxc_guest_4_ip $lxc_guest_5_ip $lxc_guest_6_ip $lxc_guest_7_ip"
 
 
 # - Devices given in list "nat_devices" will be natted

conf/logging_ipv4.conf

@@ -23,6 +23,8 @@ log_syn_flood=false
 log_port_scanning=false
 log_ssh_brute_force=false
 log_fragments=false
+log_mdns=false
+log_mndp=false
 log_new_not_sync=false
 log_syn_with_suspicious_mss=false
 log_invalid_packets=false
@@ -40,6 +42,8 @@ log_prohibited=false
 log_voip=false
 log_rejected=true
 
+log_blocked_ip=false
+
 log_ssh=false
 
 # - logging messages

conf/logging_ipv6.conf

@@ -23,6 +23,8 @@ log_syn_flood=false
 log_port_scanning=false
 log_ssh_brute_force=false
 log_fragments=false
+log_mdns=false
+log_mndp=false
 log_new_not_sync=false
 log_syn_with_suspicious_mss=false
 log_invalid_packets=false
@@ -40,6 +42,8 @@ log_prohibited=false
 log_voip=false
 log_rejected=true
 
+log_blocked_ip=false
+
 log_ssh=false
 
 # - logging messages
@@ -51,5 +55,9 @@ log_prefix="[ IPv6 ]"
 # - Log all traffic for givven ip address
 # ---
 
+# - You can also give hostname(s)
+# -
+# - Blank seoarated list of ips/hostnames
+# -
 log_ips=""
 

conf/main_ipv4.conf.sample

@@ -20,6 +20,15 @@
 do_not_firewall_bridged_traffic=false
 
 
+# -------------
+# --- Do not firewall traffic from and to LX Gust Systems
+# -------------
+
+# - Traffic to hosted LX containers are not firewalled here.
+# -
+do_not_firewall_lx_guest_systems=false
+
+
 # -------------
 # --- Drop ICMP
 # -------------
@@ -27,11 +36,66 @@ do_not_firewall_bridged_traffic=false
 drop_icmp=false
 
 
+# -------------
+# --- Drop Mikrotik RouterOS Neighbor Discovery Protocol (MNDP) Traffic
+# --- Drop Tinc VPN Traffic
+# -------------
+
+# Tinc VPN Traffic / Mikrotik RouterOS Neighbor Discovery Protocol (MNDP) Traffic
+#
+# Der UDP-Port 5678 wird üblicherweise von Tinc VPN verwendet. Tinc ist ein
+# Open-Source-VPN-Softwarepaket, das für die Erstellung von Virtual Private
+# Networks (VPNs) eingesetzt wird, bei denen Netzwerke über das Internet oder
+# andere unsichere Netzwerke miteinander verbunden werden. Es nutzt diesen
+# Port, um Verbindungen zwischen den Knoten (Nodes) des VPNs zu ermöglichen.
+#
+# Der UDP-Port 5678 wird auch von MikroTik RouterOS Neighbor Discovery Protocol
+# (NDP) verwendet. Dieses Protokoll wird von MikroTik-Routern eingesetzt, um
+# benachbarte Geräte im Netzwerk zu entdecken und automatisch zu erkennen. Es
+# hilft dabei, die Kommunikation zwischen MikroTik-Geräten zu erleichtern, ohne
+# dass eine manuelle IP-Konfiguration erforderlich ist.
+#
+# MikroTik Neighbor Discovery über UDP-Port 5678 ist speziell darauf ausgelegt,
+# Router und Geräte im selben lokalen Netzwerk (LAN) zu identifizieren und
+# Informationen über benachbarte MikroTik-Geräte auszutauschen. Dies ist besonders
+# nützlich für die Verwaltung und Konfiguration von MikroTik-Geräten im Netzwerk.
+#
+# Zusammengefasst:
+# Der UDP-Port 5678 wird sowohl für MikroTik RouterOS Neighbor Discovery als auch
+# für Tinc VPN verwendet, je nachdem, welche Technologie zum Einsatz kommt.
+#
+drop_mndp=true
+
+
+# -------------
+# --- Drop Multicast DNS Traffic
+# -------------
+
+# Multicast Domain Name System (mDNS) protocol
+#
+# UDP Port 5353/
+#
+# Der UDP-Port 5353 wird hauptsächlich für Multicast DNS (mDNS) verwendet.
+# mDNS ist ein Protokoll, das es Geräten ermöglicht, sich im lokalen Netzwerk
+# selbst zu identifizieren und ohne zentrale DNS-Server Namen zu registrieren
+# und aufzulösen. Dies wird häufig in lokalen Netzwerken eingesetzt, z.B. bei
+# Geräten, die mit Apple's Bonjour oder Avahi (einer Open-Source-Implementierung
+# von mDNS) kommunizieren.
+#
+# UDP port 5353 is mainly used for multicast DNS (mDNS). mDNS is a protocol that
+# allows devices to identify themselves on the local network and register and
+# resolve names without central DNS servers. This is often used in local
+# networks, e.g. for devices that communicate using Apple's Bonjour or Avahi
+# (an open-source implementation of mDNS).
+#
+drop_mdns=true
+
+
 # -------------
 # --- Allow all outgoing traffic
 # -------------
 
-# - unprotected_ifs
+# - allow_all_outgoing_traffic
 # - 
 # - Posiible values are 'true' and 'false'
 # -
@@ -322,6 +386,19 @@ forward_http_server_ips=""
 http_ports="$standard_http_ports"
 
 
+# - LOG CGI script Traffic out
+# -
+log_cgi_traffic_out=false
+
+# - cgi_script_users
+# -
+# - List of CGI script users (suexec user, php-fpm user. ...)
+# -
+# - Blank separated list
+# -
+cgi_script_users=""
+
+
 # - Mattermost (MM) Service
 # -
 mm_server_ips=""
@@ -338,6 +415,19 @@ mm_udp_ports_out="$stansard_mattermost_udp_ports_out"
 smtpd_ips=""
 forward_smtpd_ips=""
 
+# Additional Ports on which SMTP Service should lsiten
+#
+# blank separated list of ports
+#
+smtpd_additional_listen_ports=""
+
+# Additional Ports for outgoing smtp traffic
+#
+# blank separated list of ports
+#
+smtpd_additional_outgoung_ports=""
+
+
 # - Mail Services (smtps/pop(s)/imap(s)
 # -
 mail_server_ips=""
@@ -486,6 +576,37 @@ nc_turn_udp_ports="$standard_turn_service_udp_ports"
 # -
 tftp_server_ips=""
 
+
+# - Prometheus Monitoring - local Server
+# -
+# - blank separated list of IPv4 addresses
+# -
+prometheus_local_server_ips=""
+
+# - (Remote) prometheus ports
+# -
+# - !! comma separated list of ports
+# -
+prometheus_remote_client_ports="$standard_prometheus_ports"
+
+
+# - Prometheus Monitoring - local Client
+# -
+# - blank separated list of IPv4 addresses
+# -
+prometheus_local_client_ips=""
+
+# - Local prometheus ports
+# -
+# - !! comma separated list of ports
+# -
+prometheus_local_client_ports="$standard_prometheus_ports"
+
+# - blank separated list of IPv4 addresses
+# -
+prometheus_remote_server_ips=""
+
+
 # - Munin Server
 # -
 munin_server_ips=""
@@ -500,7 +621,7 @@ munin_remote_port="$standard_munin_port"
 
 # - Remote Munin Server
 # -
-munin_remote_ip="95.217.64.122"
+munin_remote_ip="37.27.121.227"
 munin_local_port="4949"
 
 # - XyMon Server
@@ -595,7 +716,9 @@ portforward_udp=""
 # -    61.160.0.0/16 - CHINANET-JS
 # -    116.8.0.0/14 CHINANET-GX
 # -
-blocked_ips="222.184.0.0/13 61.160.0.0/16 116.8.0.0/14"
+# - !! Moved to 'ban_ipv4.list'
+# -
+blocked_ips=""
 
 
 # -------------
@@ -655,6 +778,7 @@ protection_against_ssh_brute_force_attacks=true
 # - Limit connections per source IP
 # -
 limit_connections_per_source_IP=true
+per_IP_connection_limit=$default_per_IP_connection_limit
 
 # - Limit RST packets
 # -

conf/main_ipv6.conf.sample

@@ -20,6 +20,15 @@
 do_not_firewall_bridged_traffic=false
 
 
+# -------------
+# --- Do not firewall traffic from and to LX Gust Systems
+# -------------
+
+# - Traffic to hosted LX containers are not firewalled here.
+# -
+do_not_firewall_lx_guest_systems=false
+
+
 # -------------
 # --- Drop ICMP
 # -------------
@@ -27,11 +36,66 @@ do_not_firewall_bridged_traffic=false
 drop_icmp=false
 
 
+# -------------
+# --- Drop Mikrotik RouterOS Neighbor Discovery Protocol (MNDP) Traffic
+# --- Drop Tinc VPN Traffic
+# -------------
+
+# Tinc VPN Traffic / Mikrotik RouterOS Neighbor Discovery Protocol (MNDP) Traffic
+#
+# Der UDP-Port 5678 wird üblicherweise von Tinc VPN verwendet. Tinc ist ein
+# Open-Source-VPN-Softwarepaket, das für die Erstellung von Virtual Private
+# Networks (VPNs) eingesetzt wird, bei denen Netzwerke über das Internet oder
+# andere unsichere Netzwerke miteinander verbunden werden. Es nutzt diesen
+# Port, um Verbindungen zwischen den Knoten (Nodes) des VPNs zu ermöglichen.
+#
+# Der UDP-Port 5678 wird auch von MikroTik RouterOS Neighbor Discovery Protocol
+# (NDP) verwendet. Dieses Protokoll wird von MikroTik-Routern eingesetzt, um
+# benachbarte Geräte im Netzwerk zu entdecken und automatisch zu erkennen. Es
+# hilft dabei, die Kommunikation zwischen MikroTik-Geräten zu erleichtern, ohne
+# dass eine manuelle IP-Konfiguration erforderlich ist.
+#
+# MikroTik Neighbor Discovery über UDP-Port 5678 ist speziell darauf ausgelegt,
+# Router und Geräte im selben lokalen Netzwerk (LAN) zu identifizieren und
+# Informationen über benachbarte MikroTik-Geräte auszutauschen. Dies ist besonders
+# nützlich für die Verwaltung und Konfiguration von MikroTik-Geräten im Netzwerk.
+#
+# Zusammengefasst:
+# Der UDP-Port 5678 wird sowohl für MikroTik RouterOS Neighbor Discovery als auch
+# für Tinc VPN verwendet, je nachdem, welche Technologie zum Einsatz kommt.
+#
+drop_mndp=true
+
+
+# -------------
+# --- Drop Multicast DNS Traffic
+# -------------
+
+# Multicast Domain Name System (mDNS) protocol
+#
+# UDP Port 5353/
+#
+# Der UDP-Port 5353 wird hauptsächlich für Multicast DNS (mDNS) verwendet.
+# mDNS ist ein Protokoll, das es Geräten ermöglicht, sich im lokalen Netzwerk
+# selbst zu identifizieren und ohne zentrale DNS-Server Namen zu registrieren
+# und aufzulösen. Dies wird häufig in lokalen Netzwerken eingesetzt, z.B. bei
+# Geräten, die mit Apple's Bonjour oder Avahi (einer Open-Source-Implementierung
+# von mDNS) kommunizieren.
+#
+# UDP port 5353 is mainly used for multicast DNS (mDNS). mDNS is a protocol that
+# allows devices to identify themselves on the local network and register and
+# resolve names without central DNS servers. This is often used in local
+# networks, e.g. for devices that communicate using Apple's Bonjour or Avahi
+# (an open-source implementation of mDNS).
+#
+drop_mdns=true
+
+
 # -------------
 # --- Allow all outgoing traffic
 # -------------
 
-# - unprotected_ifs
+# - allow_all_outgoing_traffic
 # - 
 # - Posiible values are 'true' and 'false'
 # -
@@ -338,6 +402,19 @@ forward_http_server_ips=""
 http_ports="$standard_http_ports"
 
 
+# - LOG CGI script Traffic out
+# -
+log_cgi_traffic_out=false
+
+# - cgi_script_users
+# -
+# - List of CGI script users (suexec user, php-fpm user. ...)
+# -
+# - Blank separated list
+# -
+cgi_script_users=""
+
+
 # - Mattermost (MM) Service
 # -
 mm_server_ips=""
@@ -354,6 +431,19 @@ mm_udp_ports_out="$stansard_mattermost_udp_ports_out"
 smtpd_ips=""
 forward_smtpd_ips=""
 
+# Additional Ports on which SMTP Service should lsiten
+#
+# blank separated list of ports
+#
+smtpd_additional_listen_ports=""
+
+# Additional Ports for outgoing smtp traffic
+#
+# blank separated list of ports
+#
+smtpd_additional_outgoung_ports=""
+
+
 # - Mail Services (smtps/pop(s)/imap(s)
 # -
 mail_server_ips=""
@@ -505,6 +595,37 @@ nc_turn_udp_ports="$standard_turn_service_udp_ports"
 # -
 tftp_server_ips=""
 
+
+# - Prometheus Monitoring - local Server
+# -
+# - blank separated list of IPv6 addresses
+# -
+prometheus_local_server_ips=""
+
+# - (Remote) prometheus ports
+# -
+# - !! comma separated list of ports
+# -
+prometheus_remote_client_ports="$standard_prometheus_ports"
+
+
+# - Prometheus Monitoring - local Client
+# -
+# - blank separated list of IPv6 addresses
+# -
+prometheus_local_client_ips=""
+
+# - Local prometheus ports
+# -
+# - !! comma separated list of ports
+# -
+prometheus_local_client_ports="$standard_prometheus_ports"
+
+# - blank separated list of IPv6 addresses
+# -
+prometheus_remote_server_ips=""
+
+
 # - Munin Server
 # -
 munin_server_ips=""
@@ -519,7 +640,7 @@ munin_remote_port="$standard_munin_port"
 
 # - Remote Munin Server
 # -
-munin_remote_ip="2a01:4f9:4a:2b57::122"
+munin_remote_ip="2a01:4f9:3070:2bda::227"
 munin_local_port="4949"
 
 # - XyMon Server
@@ -671,6 +792,7 @@ protection_against_ssh_brute_force_attacks=true
 # - Limit connections per source IP
 # -
 limit_connections_per_source_IP=true
+per_IP_connection_limit=$default_per_IP_connection_limit
 
 # - Limit RST packets
 # -

conf/post_decalrations.conf

@@ -17,6 +17,26 @@ for _dev in $nat_devices ; do
 done
 
 
+# ---
+# IP Addresses LX Guest System
+# ---
+
+declare -a lxc_guest_ip_arr=()
+for _ip in $lxc_guest_ips ; do
+   lxc_guest_ip_arr+=("$_ip")
+done
+
+
+# ---
+# local Interfaces
+# ---
+
+declare -a local_ip_arr=()
+for _ip in $local_ips ; do
+   local_ip_arr+=("$_ip")
+done
+
+
 # ---
 # - IP Addresses to log
 # ---
@@ -25,6 +45,16 @@ for _ip in $log_ips ; do
    log_ip_arr+=("$_ip")
 done
 
+
+# ---
+# - LOG CGI script Traffic out
+# ---
+declare -a cgi_script_user_arr=()
+for _user in $cgi_script_users ; do
+   cgi_script_user_arr+=($_user)
+done
+
+
 # ---
 # - IP-Addresses (Host, Guests (VServer, LX_Container)
 # ---
@@ -283,6 +313,25 @@ for _ip in $forward_smtpd_ips ; do
 done
 
 
+# ---
+# Additional SMTP Listen Ports
+# ---
+declare -a smtpd_additional_listen_port_arr
+for _port in $smtpd_additional_listen_ports ; do
+   smtpd_additional_listen_port_arr+=("$_port")
+done
+
+
+# ---
+# Additional SMTP Outgoing Ports
+# ---
+declare -a smtpd_additional_outgoung_port_arr
+for _port in $smtpd_additional_outgoung_ports ; do
+   smtpd_additional_outgoung_port_arr+=("$_port")
+done
+
+
+
 # ---
 # - IP Addresses XMPP Service (Jabber - Prosody)
 # ---
@@ -336,8 +385,8 @@ done
 # - (local) Dovecot auth service
 # ---
 declare -a dovecot_auth_allowed_network_arr
-for _port in $dovecot_auth_allowed_networks ; do
-   dovecot_auth_allowed_network_arr+=("$_port")
+for _ip in $dovecot_auth_allowed_networks ; do
+   dovecot_auth_allowed_network_arr+=("$_ip")
 done
 
 # ---
@@ -410,6 +459,27 @@ for _ip in $tel_sys_ips ; do
    tel_sys_ip_arr+=("$_ip")
 done
 
+# ---
+# - Prometheus Monitoring - local Server
+# ---
+declare -a prometheus_local_server_ip_arr
+for _ip in $prometheus_local_server_ips ; do
+   prometheus_local_server_ip_arr+=("$_ip")
+done
+
+# ---
+# - Prometheus Monitoring - local Client
+# ---
+declare -a prometheus_local_client_ip_arr
+for _ip in $prometheus_local_client_ips; do
+   prometheus_local_client_ip_arr+=("$_ip")
+done
+declare -a prometheus_remote_server_ip_arr
+for _ip in $prometheus_remote_server_ips ; do
+   prometheus_remote_server_ip_arr+=("$_ip")
+done
+
+
 # ---
 # - IP Addresses Munin
 # ---

ip6t-firewall-server

@@ -23,7 +23,7 @@ load_modules_file=${ipt_conf_dir}/load_modules_ipv6.conf
 
 conf_logging=${ipt_conf_dir}/logging_ipv6.conf
 conf_interfaces=${ipt_conf_dir}/interfaces_ipv6.conf
-conf_default_ports=${ipt_conf_dir}/default_ports.conf
+conf_default_settings=${ipt_conf_dir}/default_settings.conf
 conf_main=${ipt_conf_dir}/main_ipv6.conf
 conf_post_declarations=${ipt_conf_dir}/post_decalrations.conf
 conf_ban_ipv6_list="${ipt_conf_dir}/ban_ipv6.list"
@@ -112,10 +112,10 @@ else
    source $conf_logging
 fi
 
-if [[ ! -f "$conf_default_ports" ]]; then
-   fatal "Missing configuration for default_ports - file '$conf_default_ports'"
+if [[ ! -f "$conf_default_settings" ]]; then
+   fatal "Missing configuration for default_settings - file '$conf_default_settings'"
 else
-   source $conf_default_ports
+   source $conf_default_settings
 fi
 
 if [[ ! -f "$conf_interfaces" ]]; then
@@ -280,6 +280,26 @@ fi
 echo
 
 
+# -------------
+# --- Do not firewall traffic from and to LX Gust Systems
+# -------------
+
+echononl "\tDo not firewall traffic from and to LX Gust Systems"
+if $do_not_firewall_lx_guest_systems && [[ ${#lxc_guest_ip_arr[@]} -gt 0 ]]; then
+
+   for _ip in ${lxc_guest_ip_arr[@]} ; do
+
+      $ip6t -I FORWARD -p all -d $_ip -j ACCEPT
+      $ip6t -I FORWARD -p all -s $_ip -j ACCEPT
+
+   done
+   echo_done
+else
+   echo_skipped
+fi
+echo
+
+
 # -------------
 # ---- Log given IP Addresses
 # -------------
@@ -352,10 +372,12 @@ if [[ ${#unprotected_if_arr[@]} -gt 0 ]]; then
       if $log_unprotected || $log_all ; then
          $ip6t -t mangle -A PREROUTING -i $_dev -j $LOG_TARGET $tag_log_prefix "$log_prefix Not firewalled ${_dev}: "
          $ip6t -A OUTPUT -o $_dev -j $LOG_TARGET $tag_log_prefix "$log_prefix Not firewalled ${_dev}: "
+         $ip6t -A INPUT -i $_dev -j $LOG_TARGET $tag_log_prefix "$log_prefix Not firewalled ${_dev}: "
          $ip6t -A FORWARD -o $_dev -j $LOG_TARGET $tag_log_prefix "$log_prefix Not firewalled ${_dev}: "
       fi
       $ip6t -t mangle -A PREROUTING -i $_dev -j ACCEPT
       $ip6t -A OUTPUT -o $_dev -j ACCEPT
+      $ip6t -A INPUT -i $_dev -j ACCEPT
       $ip6t -A FORWARD -o $_dev -j ACCEPT
    done
    echo_done
@@ -525,9 +547,9 @@ if [[ -f "$conf_ban_ipv6_list" ]] ; then
 
          for _dev in ${ext_if_arr[@]} ; do
             if $log_blocked_ip || $log_all ; then
-               $ip6t -A INPUT -i $_dev -s $_ip -j $LOG_TARGET $tag_log_prefix "$log_prefix Blocked: "
+               $ip6t -A INPUT -i $_dev -s $_ip -j $LOG_TARGET $tag_log_prefix "$log_prefix Blocked by ban_ipv6.list: "
                if $kernel_forward_between_interfaces ; then
-                  $ip6t -A FORWARD -i $_dev -s $_ip -j $LOG_TARGET $tag_log_prefix "$log_prefix Blocked: "
+                  $ip6t -A FORWARD -i $_dev -s $_ip -j $LOG_TARGET $tag_log_prefix "$log_prefix Blocked by ban_ipv6.list: "
                fi
             fi
 
@@ -697,6 +719,75 @@ else
 fi
 
 
+# -------------
+# --- Drop Mikrotik RouterOS Neighbor Discovery Protocol (MNDP) Traffic
+# --- Drop Tinc VPN Traffic
+# -------------
+
+[ "${drop_mndp,,}" == "yes" ] && drop_mndp=true
+[ "${drop_mndp,,}" == "no" ] && drop_mndp=false
+
+echononl "\tDrop Tinc VPN / Mikrotik RouterOS Neighbor Discovery Traffic"
+if [[ -n "$drop_mndp" ]] && $drop_mndp ; then
+   for _dev in ${ext_if_arr[@]} ; do
+
+      if $log_mndp || $log_all ; then
+         $ip6t -A OUTPUT -o $_dev -p udp --dport $standard_mndp_port -j $LOG_TARGET $tag_log_prefix "$log_prefix MNDP Out: "
+         $ip6t -A INPUT -i $_dev -p udp --dport $standard_mndp_port -j $LOG_TARGET $tag_log_prefix "$log_prefix MNDP IN: "
+         if $kernel_forward_between_interfaces ; then
+            $ip6t -A FORWARD -o $_dev -p udp --dport $standard_mndp_port -j $LOG_TARGET $tag_log_prefix "$log_prefix MNDP fwd Out: "
+            $ip6t -A FORWARD -i $_dev -p udp --dport $standard_mndp_port -j $LOG_TARGET $tag_log_prefix "$log_prefix MNDP fwd In: "
+         fi
+      fi
+
+      $ip6t -A OUTPUT -o $_dev -p udp --dport $standard_mndp_port -j DROP
+      $ip6t -A INPUT -i $_dev -p udp --dport $standard_mndp_port -j DROP
+      if $kernel_forward_between_interfaces ; then
+         $ip6t -A FORWARD -o $_dev -p udp --dport $standard_mndp_port -j DROP
+         $ip6t -A FORWARD -i $_dev -p udp --dport $standard_mndp_port -j DROP
+      fi
+
+   done
+   echo_done
+else
+   echo_skipped
+fi
+
+
+# -------------
+# --- Drop Multicast DNS Traffic
+# -------------
+
+[ "${drop_mdns,,}" == "yes" ] && drop_mdns=true
+[ "${drop_mdns,,}" == "no" ] && drop_mdns=false
+
+echononl "\tDrop Multicast DNS Traffic"
+if [[ -n "$drop_mdns" ]] && ${drop_mdns} ; then
+   for _dev in ${ext_if_arr[@]} ; do
+
+      if $log_mdns || $log_all ; then
+         $ip6t -A OUTPUT -o $_dev -p udp --dport $standard_mdns_port -j $LOG_TARGET $tag_log_prefix "$log_prefix MDNS Out: "
+         $ip6t -A INPUT -i $_dev -p udp --dport $standard_mdns_port -j $LOG_TARGET $tag_log_prefix "$log_prefix MDNS IN: "
+         if $kernel_forward_between_interfaces ; then
+            $ip6t -A FORWARD -o $_dev -p udp --dport $standard_mdns_port -j $LOG_TARGET $tag_log_prefix "$log_prefix MDNS fwd Out: "
+            $ip6t -A FORWARD -i $_dev -p udp --dport $standard_mdns_port -j $LOG_TARGET $tag_log_prefix "$log_prefix MDNS fwd In: "
+         fi
+      fi
+
+      $ip6t -A OUTPUT -o $_dev -p udp --dport $standard_mdns_port -j DROP
+      $ip6t -A INPUT -i $_dev -p udp --dport $standard_mdns_port -j DROP
+      if $kernel_forward_between_interfaces ; then
+         $ip6t -A FORWARD -o $_dev -p udp --dport $standard_mdns_port -j DROP
+         $ip6t -A FORWARD -i $_dev -p udp --dport $standard_mdns_port -j DROP
+      fi
+
+   done
+   echo_done
+else
+   echo_skipped
+fi
+
+
 # ---
 # - Don't allow spoofing out from this server
 # ---
@@ -733,6 +824,22 @@ done
 echo_done
 
 
+# -------------
+# --- Traffic generally allowed
+# -------------
+
+echo
+echononl "\tLoopback device generally allowed.."
+
+# ---
+# - Loopback device
+# ---
+
+$ip6t -A INPUT -i lo -j ACCEPT
+$ip6t -A OUTPUT -o lo -j ACCEPT
+
+echo_done
+
 
 # ---
 # - Protection against syn-flooding
@@ -794,10 +901,15 @@ fi
 
 echononl "\tLimit connections per source IP"
 if $limit_connections_per_source_IP ; then
-   if $log_rejected || $log_all ; then
-      $ip6t -A INPUT -p tcp -m connlimit --connlimit-above 111 -j $LOG_TARGET $tag_log_prefix "$log_prefix CONN limit per IP: "
+
+   if ! is_number $per_IP_connection_limit ; then
+      per_IP_connection_limit=$default_per_IP_connection_limit
    fi
-   $ip6t -A INPUT -p tcp -m connlimit --connlimit-above 111 -j REJECT --reject-with tcp-reset
+
+   if $log_rejected || $log_all ; then
+      $ip6t -A INPUT -p tcp -m connlimit --connlimit-above $per_IP_connection_limit -j $LOG_TARGET $tag_log_prefix "$log_prefix CONN limit per IP: "
+   fi
+   $ip6t -A INPUT -p tcp -m connlimit --connlimit-above $per_IP_connection_limit -j REJECT --reject-with tcp-reset
    echo_done
 else
    echo_skipped
@@ -954,24 +1066,6 @@ echo_done
 echo
 
 
-# ------------- 
-# --- Traffic generally allowed 
-# ------------- 
- 
-echononl "\tLoopback device generally allowed.." 
- 
-# --- 
-# - Loopback device 
-# --- 
- 
-$ip6t -A INPUT -i lo -j ACCEPT 
-$ip6t -A OUTPUT -o lo -j ACCEPT 
- 
-echo_done
-
-
-echo
-
 # -------------
 # ---- Restrict local Servive to given (extern) IP-Address/Network
 # -------------
@@ -1054,6 +1148,26 @@ fi
 echo_done
 
 
+# ---
+# - LOG CGI script Traffic out
+# ---
+
+echo
+echononl "\tLOG CGI/PHP traffic out."
+
+if $log_cgi_traffic_out && [[ ${#cgi_script_user_arr[@]} -gt 0 ]] ; then
+   for _dev in ${ext_if_arr[@]} ; do
+      for _user in ${cgi_script_user_arr[@]} ; do
+         $ip6t -A OUTPUT -o $_dev -m owner --uid-owner $_user -j $LOG_TARGET $tag_log_prefix "$log_prefix $_user PHP-OUT: "
+      done
+   done
+   echo_done
+else
+   echo_skipped
+fi
+echo
+
+
 # -------------
 # --- Allow all outgoing traffic
 # -------------
@@ -1530,6 +1644,40 @@ done
 echo_done
 
 
+# ---
+# - Prometheus Monitoring - local Server
+# ---
+
+echononl "\t\tLocal Prometheus Service"
+
+if [[ ${#prometheus_local_server_ip_arr[@]} -gt 0 ]] ; then
+   for _ip in ${prometheus_local_server_ip_arr[@]} ; do
+      $ip6t -A OUTPUT -p tcp -s $_ip -m multiport --dports $prometheus_remote_client_ports -m state --state NEW -j ACCEPT
+   done
+   echo_done
+else
+   echo_skipped
+fi
+
+
+# ---
+# - Prometheus Monitoring - local client
+# ---
+
+echononl "\t\tLocal Prometheus Client"
+
+if [[ ${#prometheus_local_client_ip_arr[@]} -gt 0 ]] && [[ ${#prometheus_remote_server_ip_arr[@]} -gt 0 ]]; then
+   for _ip in ${prometheus_local_client_ip_arr[@]} ; do
+      for _ip in ${prometheus_remote_server_ip_arr[@]} ; do
+          $ip6t -A INPUT -p tcp -d $_ip -m multiport --dports $prometheus_local_client_ports -m state --state NEW -j ACCEPT
+      done
+   done
+   echo_done
+else
+   echo_skipped
+fi
+      
+
 # ---
 # - Munin remote service
 # ---
@@ -1560,13 +1708,13 @@ if [[ ${#munin_server_ip_arr[@]} -gt 0 ]] || [[ ${#forward_munin_server_ip_arr[@
 
    if [[ ${#munin_server_ip_arr[@]} -gt 0 ]] ; then
       for _ip in ${munin_server_ip_arr[@]} ; do
-         $ip6t -A OUTPUT -p tcp --syn -s $_ip --dport $munin_remote_port -m state --state NEW -j ACCEPT
+         $ip6t -A OUTPUT -p tcp -s $_ip --dport $munin_remote_port -m state --state NEW -j ACCEPT
       done
    fi
 
    if [[ ${#forward_munin_server_ip_arr[@]} -gt 0 ]] && $kernel_forward_between_interfaces ; then
       for _ip in ${forward_munin_server_ip_arr[@]} ; do
-         $ip6t -A FORWARD -p tcp --syn -s $_ip --dport $munin_remote_port -m state --state NEW -j ACCEPT
+         $ip6t -A FORWARD -p tcp -s $_ip --dport $munin_remote_port -m state --state NEW -j ACCEPT
       done
    fi
 
@@ -1592,6 +1740,29 @@ done
 echo_done
 
 
+# ---
+# - Mail (additional smtp ports OUT)
+# ---
+
+echononl "\t\tMail (additional smtp ports OUT)"
+
+if [[ ${#smtpd_additional_outgoung_port_arr[@]} -gt 0 ]] ; then
+
+   for _port in ${smtpd_additional_outgoung_port_arr[@]} ; do
+      for _dev in ${ext_if_arr[@]} ; do
+         $ip6t -A OUTPUT -o $_dev -p tcp --dport $_port -m state --state NEW -j ACCEPT
+         if $kernel_forward_between_interfaces ; then
+            $ip6t -A FORWARD -o $_dev -p tcp --dport $_port -m state --state NEW -j ACCEPT
+         fi
+      done
+   done
+
+   echo_done
+else
+   echo_skipped
+fi
+
+
 # ---
 # - Mail SMTP Server (Port 25) including Spam Control
 # ---
@@ -1648,6 +1819,29 @@ else
 fi
 
 
+# ---
+# - Mail (additional smtp ports IN)
+# ---
+
+echononl "\t\tMail (additional smtp ports IN)"
+
+if [[ ${#smtpd_additional_listen_port_arr[@]} -gt 0 ]] ; then
+
+   for _port in ${smtpd_additional_listen_port_arr[@]} ; do
+      for _dev in ${ext_if_arr[@]} ; do
+         $ip6t -A INPUT -i $_dev -p tcp --dport $_port -m state --state NEW -j ACCEPT
+         if $kernel_forward_between_interfaces ; then
+            $ip6t -A FORWARD -i $_dev -p tcp --dport $_port -m state --state NEW -j ACCEPT
+         fi
+      done
+   done
+
+   echo_done
+else
+   echo_skipped
+fi
+
+
 # ---
 # -  Mailservice (Submission/SMTPS/POP/IMAP Server)
 # ---
@@ -2292,6 +2486,38 @@ else
 fi
 
 
+# ---
+# - LDAP out only
+# ---
+
+echononl "\t\tLDAP out only"
+
+for _dev in ${ext_if_arr[@]} ; do
+   $ip6t -A OUTPUT -o $_dev -p tcp --dport $standard_ldap_port  -m state --state NEW -j ACCEPT
+   if $kernel_forward_between_interfaces ; then
+      $ip6t -A FORWARD -o $_dev -p tcp --dport $standard_ldap_port  -m state --state NEW -j ACCEPT
+   fi
+done
+
+echo_done
+
+
+# ---
+# - LDAPS out only
+# ---
+
+echononl "\t\tLDAPS out only"
+
+for _dev in ${ext_if_arr[@]} ; do
+   $ip6t -A OUTPUT -o $_dev -p tcp --dport $standard_ldaps_port  -m state --state NEW -j ACCEPT
+   if $kernel_forward_between_interfaces ; then
+      $ip6t -A FORWARD -o $_dev -p tcp --dport $standard_ldaps_port  -m state --state NEW -j ACCEPT
+   fi
+done
+
+echo_done
+
+
 # ---
 # - Whois out only
 # ---
@@ -2308,6 +2534,22 @@ done
 echo_done
 
 
+# ---
+# - PGP Keyserver  out only
+# ---
+
+echononl "\t\tPGP/GPG Key server - out only"
+
+for _dev in ${ext_if_arr[@]} ; do
+   $ip6t -A OUTPUT -o $_dev -p tcp --dport $standard_pgp_keyserver_port  -m state --state NEW -j ACCEPT
+   if $kernel_forward_between_interfaces ; then
+      $ip6t -A FORWARD -o $_dev -p tcp --dport $standard_pgp_keyserver_port  -m state --state NEW -j ACCEPT
+   fi
+done
+
+echo_done
+
+
 # ---
 # - GIT out only
 # ---
@@ -2525,14 +2767,14 @@ echo
 echononl "\tLogging all rejected traffic"
 
 if $log_rejected || $log_all ; then
-   #$ip6t -A OUTPUT -j $LOG_TARGET $tag_log_prefix "$log_prefix Rejected: "
-   #$ip6t -A INPUT -j $LOG_TARGET $tag_log_prefix "$log_prefix Rejected: "
-   #$ip6t -A FORWARD -j $LOG_TARGET $tag_log_prefix "$log_prefix Rejected: "
-   $ip6t -A OUTPUT -m limit --limit-burst 5 -j $LOG_TARGET $tag_log_prefix "$log_prefix Rejected: "
-   $ip6t -A INPUT -m limit --limit-burst 5 -j $LOG_TARGET $tag_log_prefix "$log_prefix Rejected: "
+
+   $ip6t -A OUTPUT -m limit --limit-burst 5 -p tcp ! --tcp-flags ACK,FIN ACK,FIN -j $LOG_TARGET $tag_log_prefix "$log_prefix Rejected (end of firewall): "
+   $ip6t -A OUTPUT -m limit --limit-burst 5 -p udp -j $LOG_TARGET $tag_log_prefix "$log_prefix Rejected (end of firewall): "
+   $ip6t -A INPUT -m limit --limit-burst 5 -j $LOG_TARGET $tag_log_prefix "$log_prefix Rejected (end of firewall): "
+
    if $kernel_forward_between_interfaces ; then
       #$ip6t -A FORWARD -j $LOG_TARGET $tag_log_prefix "$log_prefix Rejected: "
-      $ip6t -A FORWARD -m limit --limit-burst 5 -j $LOG_TARGET $tag_log_prefix "$log_prefix Rejected: "
+      $ip6t -A FORWARD -m limit --limit-burst 5 -j $LOG_TARGET $tag_log_prefix "$log_prefix Rejected (end of firewall): "
    fi
    echo_done
 else

ipt-firewall-server

@@ -23,7 +23,7 @@ load_modules_file=${ipt_conf_dir}/load_modules_ipv4.conf
 
 conf_logging=${ipt_conf_dir}/logging_ipv4.conf
 conf_interfaces=${ipt_conf_dir}/interfaces_ipv4.conf
-conf_default_ports=${ipt_conf_dir}/default_ports.conf
+conf_default_settings=${ipt_conf_dir}/default_settings.conf
 conf_main=${ipt_conf_dir}/main_ipv4.conf
 conf_post_declarations=${ipt_conf_dir}/post_decalrations.conf
 conf_ban_ipv4_list="${ipt_conf_dir}/ban_ipv4.list"
@@ -112,10 +112,10 @@ else
    source $conf_logging
 fi
 
-if [[ ! -f "$conf_default_ports" ]]; then
-   fatal "Missing configuration for default_ports - file '$conf_default_ports'"
+if [[ ! -f "$conf_default_settings" ]]; then
+   fatal "Missing configuration for default_settings - file '$conf_default_settings'"
 else
-   source $conf_default_ports
+   source $conf_default_settings
 fi
 
 if [[ ! -f "$conf_interfaces" ]]; then
@@ -340,6 +340,26 @@ fi
 echo
 
 
+# -------------
+# --- Do not firewall traffic from and to LX Gust Systems
+# -------------
+
+echononl "\tDo not firewall traffic from and to LX Gust Systems"
+if $do_not_firewall_lx_guest_systems && [[ ${#lxc_guest_ip_arr[@]} -gt 0 ]]; then
+
+   for _ip in ${lxc_guest_ip_arr[@]} ; do
+
+      $ipt -I FORWARD -p all -d $_ip -j ACCEPT
+      $ipt -I FORWARD -p all -s $_ip -j ACCEPT
+
+   done
+   echo_done
+else
+   echo_skipped
+fi
+echo
+
+
 # -------------
 # ---- Log given IP Addresses
 # -------------
@@ -412,10 +432,12 @@ if [[ ${#unprotected_if_arr[@]} -gt 0 ]]; then
       if $log_unprotected || $log_all ; then
          $ipt -t mangle -A PREROUTING -i $_dev -j $LOG_TARGET $tag_log_prefix "$log_prefix Not firewalled ${_dev}:"
          $ipt -A OUTPUT -o $_dev -j $LOG_TARGET $tag_log_prefix "$log_prefix Not firewalled ${_dev}:"
+         $ipt -A INPUT -i $_dev -j $LOG_TARGET $tag_log_prefix "$log_prefix Not firewalled ${_dev}:"
          $ipt -A FORWARD -o $_dev -j $LOG_TARGET $tag_log_prefix "$log_prefix Not firewalled ${_dev}:"
       fi
       $ipt -t mangle -A PREROUTING -i $_dev -j ACCEPT
       $ipt -A OUTPUT -o $_dev -j ACCEPT
+      $ipt -A INPUT -i $_dev -j ACCEPT
       $ipt -A FORWARD -o $_dev -j ACCEPT
    done
    echo_done
@@ -653,9 +675,9 @@ if [[ -f "$conf_ban_ipv4_list" ]] ; then
 
          for _dev in ${ext_if_arr[@]} ; do
             if $log_blocked_ip || $log_all ; then
-               $ipt -A INPUT -i $_dev -s $_ip -j $LOG_TARGET $tag_log_prefix "$log_prefix Blocked:"
+               $ipt -A INPUT -i $_dev -s $_ip -j $LOG_TARGET $tag_log_prefix "$log_prefix Blocked by ban_ipv4.list:"
                if $kernel_activate_forwarding ; then
-                  $ipt -A FORWARD -i $_dev -s $_ip -j $LOG_TARGET $tag_log_prefix "$log_prefix Blocked:"
+                  $ipt -A FORWARD -i $_dev -s $_ip -j $LOG_TARGET $tag_log_prefix "$log_prefix Blocked by ban_ipv4.list::"
                fi
             fi
             $ipt -A INPUT -i $_dev -s $_ip -j DROP
@@ -841,6 +863,72 @@ else
 fi
 
 
+# -------------
+# --- Drop Mikrotik RouterOS Neighbor Discovery Protocol (MNDP) Traffic
+# --- Drop Tinc VPN Traffic
+# -------------
+
+[ "${drop_mndp,,}" == "yes" ] && drop_mndp=true
+[ "${drop_mndp,,}" == "no" ] && drop_mndp=false
+
+echononl "\tDrop Tinc VPN / Mikrotik RouterOS Neighbor Discovery Traffic"
+if [[ -n "$drop_mndp" ]] && ${drop_mndp} ; then
+   for _dev in ${ext_if_arr[@]} ; do
+
+      if $log_mndp || $log_all ; then
+         $ipt -A OUTPUT -o $_dev -p udp --dport $standard_mndp_port -j $LOG_TARGET $tag_log_prefix "$log_prefix MNDP Out: "
+         $ipt -A INPUT -i $_dev -p udp --sport $standard_mndp_port -j $LOG_TARGET $tag_log_prefix "$log_prefix MNDP IN: "
+         if $kernel_activate_forwarding ; then
+            $ipt -A FORWARD -o $_dev -p udp --dport $standard_mndp_port -j $LOG_TARGET $tag_log_prefix "$log_prefix MNDP fwd Out: "
+            $ipt -A FORWARD -i $_dev -p udp --dport $standard_mndp_port -j $LOG_TARGET $tag_log_prefix "$log_prefix MNDP fwd In: "
+         fi
+      fi
+
+      $ipt -A OUTPUT -o $_dev -p udp --dport $standard_mndp_port -j DROP
+      $ipt -A INPUT -i $_dev -p udp --sport $standard_mndp_port -j DROP
+      if $kernel_activate_forwarding ; then
+         $ipt -A FORWARD -o $_dev -p udp --dport $standard_mndp_port -j DROP
+         $ipt -A FORWARD -i $_dev -p udp --dport $standard_mndp_port -j DROP
+      fi
+
+   done
+   echo_done
+else
+   echo_skipped
+fi
+
+
+# -------------
+# --- Drop Multicast DNS Traffic
+# -------------
+
+[ "${drop_mdns,,}" == "yes" ] && drop_mdns=true
+[ "${drop_mdns,,}" == "no" ] && drop_mdns=false
+
+echononl "\tDrop Multicast DNS Traffic"
+if [[ -n "$drop_mdns" ]] && ${drop_mdns} ; then
+   for _dev in ${ext_if_arr[@]} ; do
+      if $log_mdns || $log_all ; then
+         $ipt -A OUTPUT -o $_dev -p udp --dport $standard_mdns_port -j $LOG_TARGET $tag_log_prefix "$log_prefix MDNS Out: "
+         $ipt -A INPUT -i $_dev -p udp --sport $standard_mdns_port -j $LOG_TARGET $tag_log_prefix "$log_prefix MDNS IN: "
+         if $kernel_activate_forwarding ; then
+            $ipt -A FORWARD -o $_dev -p udp --dport $standard_mdns_port -j $LOG_TARGET $tag_log_prefix "$log_prefix MDNS fwd Out: "
+            $ipt -A FORWARD -i $_dev -p udp --dport $standard_mdns_port -j $LOG_TARGET $tag_log_prefix "$log_prefix MDNS fwd In: "
+         fi
+      fi
+      $ipt -A OUTPUT -o $_dev -p udp --dport $standard_mdns_port -j DROP
+      $ipt -A INPUT -i $_dev -p udp --dport $standard_mdns_port -j DROP
+      if $kernel_activate_forwarding ; then
+         $ipt -A FORWARD -o $_dev -p udp --dport $standard_mdns_port -j DROP
+         $ipt -A FORWARD -i $_dev -p udp --dport $standard_mdns_port -j DROP
+      fi
+   done
+   echo_done
+else
+   echo_skipped
+fi
+
+
 # ---
 # - Don't allow spoofing from that server
 # ---
@@ -886,6 +974,22 @@ done
 echo_done
 
 
+# -------------
+# --- Traffic generally allowed
+# -------------
+
+echo
+echononl "\tLoopback device generally allowed.."
+
+# ---
+# - Loopback device
+# ---
+
+$ipt -A INPUT -i lo -j ACCEPT
+$ipt -A OUTPUT -o lo -j ACCEPT
+
+echo_done
+
 
 # ---
 # - Protection against syn-flooding
@@ -947,10 +1051,15 @@ fi
 
 echononl "\tLimit connections per source IP"
 if $limit_connections_per_source_IP ; then
-   if $log_rejected || $log_all ; then
-      $ipt -A INPUT -p tcp -m connlimit --connlimit-above 111 -j $LOG_TARGET $tag_log_prefix "$log_prefix CONN limit per IP:"
+
+   if ! is_number $per_IP_connection_limit ; then
+      per_IP_connection_limit=$default_per_IP_connection_limit
    fi
-   $ipt -A INPUT -p tcp -m connlimit --connlimit-above 111 -j REJECT --reject-with tcp-reset
+
+   if $log_rejected || $log_all ; then
+      $ipt -A INPUT -p tcp -m connlimit --connlimit-above $per_IP_connection_limit -j $LOG_TARGET $tag_log_prefix "$log_prefix CONN limit per IP:"
+   fi
+   $ipt -A INPUT -p tcp -m connlimit --connlimit-above $per_IP_connection_limit -j REJECT --reject-with tcp-reset
    echo_done
 else
    echo_skipped
@@ -1106,25 +1215,6 @@ done
 echo_done
 echo
 
- 
-# ------------- 
-# --- Traffic generally allowed 
-# ------------- 
- 
-echononl "\tLoopback device generally allowed.." 
- 
-# --- 
-# - Loopback device 
-# --- 
- 
-$ipt -A INPUT -i lo -j ACCEPT 
-$ipt -A OUTPUT -o lo -j ACCEPT 
- 
-echo_done
-
-
-echo
-
 # -------------
 # ---- Restrict local Servive to given (extern) IP-Address/Network
 # -------------
@@ -1209,6 +1299,26 @@ fi
 echo_done
 
 
+# ---
+# - LOG CGI script Traffic out
+# ---
+
+echo
+echononl "\tLOG CGI/PHP traffic out."
+
+if $log_cgi_traffic_out && [[ ${#cgi_script_user_arr[@]} -gt 0 ]] ; then
+   for _dev in ${ext_if_arr[@]} ; do
+      for _user in ${cgi_script_user_arr[@]} ; do
+         $ipt -A OUTPUT -o $_dev -m owner --uid-owner $_user -j $LOG_TARGET $tag_log_prefix "$log_prefix $_user PHP-OUT: "
+      done
+   done
+   echo_done
+else
+   echo_skipped
+fi
+echo
+
+
 # -------------
 # --- Allow all outgoing traffic
 # -------------
@@ -1225,12 +1335,6 @@ else
    echo_skipped
 fi
 
-# - unprotected_ifs
-# - 
-# - Posiible values are 'true' and 'false'
-# -
-allow_all_outgoing_traffic=false
-
 
 # ---
 # - Don't allow traffic into private networks
@@ -1703,6 +1807,40 @@ done
 echo_done
 
 
+# ---
+# - Prometheus Monitoring - local Server
+# ---
+
+echononl "\t\tLocal Prometheus Service"
+
+if [[ ${#prometheus_local_server_ip_arr[@]} -gt 0 ]] ; then
+   for _ip in ${prometheus_local_server_ip_arr[@]} ; do
+      $ipt -A OUTPUT -p tcp -s $_ip -m multiport --dports $prometheus_remote_client_ports -m state --state NEW -j ACCEPT
+   done
+   echo_done
+else
+   echo_skipped
+fi
+
+
+# ---
+# - Prometheus Monitoring - local client
+# ---
+
+echononl "\t\tLocal Prometheus Client"
+
+if [[ ${#prometheus_local_client_ip_arr[@]} -gt 0 ]] && [[ ${#prometheus_remote_server_ip_arr[@]} -gt 0 ]]; then
+   for _ip in ${prometheus_local_client_ip_arr[@]} ; do
+      for _ip in ${prometheus_remote_server_ip_arr[@]} ; do
+          $ipt -A INPUT -p tcp -d $_ip -m multiport --dports $prometheus_local_client_ports -m state --state NEW -j ACCEPT
+      done
+   done
+   echo_done
+else
+   echo_skipped
+fi
+      
+
 # ---
 # - Munin remote service
 # ---
@@ -1711,9 +1849,9 @@ echononl "\t\tMunin remote service"
 
 if [ "X$munin_remote_ip" != "X" ]; then
    for _dev in ${ext_if_arr[@]} ; do
-      $ipt -A INPUT -i $_dev -p tcp --syn -s $munin_remote_ip --dport $munin_local_port -m state --state NEW -j ACCEPT
+      $ipt -A INPUT -i $_dev -p tcp -s $munin_remote_ip --dport $munin_local_port -m state --state NEW -j ACCEPT
       if $kernel_activate_forwarding ; then
-         $ipt -A FORWARD -i $_dev -p tcp --syn -s $munin_remote_ip --dport $munin_local_port -m state --state NEW -j ACCEPT
+         $ipt -A FORWARD -i $_dev -p tcp -s $munin_remote_ip --dport $munin_local_port -m state --state NEW -j ACCEPT
       fi
    done
    echo_done
@@ -1765,6 +1903,29 @@ done
 echo_done
 
 
+# ---
+# - Mail (additional smtp ports OUT)
+# ---
+
+echononl "\t\tMail (additional smtp ports OUT)"
+
+if [[ ${#smtpd_additional_outgoung_port_arr[@]} -gt 0 ]] ; then
+
+   for _port in ${smtpd_additional_outgoung_port_arr[@]} ; do
+      for _dev in ${ext_if_arr[@]} ; do
+         $ipt -A OUTPUT -o $_dev -p tcp --dport $_port -m state --state NEW -j ACCEPT
+         if $kernel_activate_forwarding ; then
+            $ipt -A FORWARD -o $_dev -p tcp --dport $_port -m state --state NEW -j ACCEPT
+         fi
+      done
+   done
+
+   echo_done
+else
+   echo_skipped
+fi
+
+
 # ---
 # - Mail SMTP Server (Port 25) including Spam Control
 # ---
@@ -1821,6 +1982,29 @@ else
 fi
 
 
+# ---
+# - Mail (additional smtp ports IN)
+# ---
+
+echononl "\t\tMail (additional smtp ports IN)"
+
+if [[ ${#smtpd_additional_listen_port_arr[@]} -gt 0 ]] ; then
+
+   for _port in ${smtpd_additional_listen_port_arr[@]} ; do
+      for _dev in ${ext_if_arr[@]} ; do
+         $ipt -A INPUT -i $_dev -p tcp --dport $_port -m state --state NEW -j ACCEPT
+         if $kernel_activate_forwarding ; then
+            $ipt -A FORWARD -i $_dev -p tcp --dport $_port -m state --state NEW -j ACCEPT
+         fi
+      done
+   done
+
+   echo_done
+else
+   echo_skipped
+fi
+
+
 # ---
 # - Mailservice (Submission/SMTPS/POP/IMAP Server)
 # ---
@@ -2463,6 +2647,38 @@ else
 fi
 
 
+# ---
+# - LDAP out only
+# ---
+
+echononl "\t\tLDAP out only"
+
+for _dev in ${ext_if_arr[@]} ; do
+   $ipt -A OUTPUT -o $_dev -p tcp --dport $standard_ldap_port -m state --state NEW -j ACCEPT
+   if $kernel_activate_forwarding ; then
+      $ipt -A FORWARD -o $_dev -p tcp --dport $standard_ldap_port -m state --state NEW -j ACCEPT
+   fi
+done
+
+echo_done
+
+
+# ---
+# - LDAPS out only
+# ---
+
+echononl "\t\tLDAPS out only"
+
+for _dev in ${ext_if_arr[@]} ; do
+   $ipt -A OUTPUT -o $_dev -p tcp --dport $standard_ldaps_port -m state --state NEW -j ACCEPT
+   if $kernel_activate_forwarding ; then
+      $ipt -A FORWARD -o $_dev -p tcp --dport $standard_ldaps_port -m state --state NEW -j ACCEPT
+   fi
+done
+
+echo_done
+
+
 
 
 # ---
@@ -2481,6 +2697,22 @@ done
 echo_done
 
 
+# ---
+# - PGP Keyserver  out only
+# ---
+
+echononl "\t\tPGP/GPG Key server - out only"
+
+for _dev in ${ext_if_arr[@]} ; do
+   $ipt -A OUTPUT -o $_dev -p tcp --dport $standard_pgp_keyserver_port -m state --state NEW -j ACCEPT
+   if $kernel_activate_forwarding ; then
+      $ipt -A FORWARD -o $_dev -p tcp --dport $standard_pgp_keyserver_port -m state --state NEW -j ACCEPT
+   fi
+done
+
+echo_done
+
+
 # ---
 # - GIT out only
 # ---
@@ -2693,15 +2925,16 @@ echo
 echononl "\tLogging all rejected traffic"
 
 if $log_rejected || $log_all ; then
-   #$ipt -A OUTPUT -j $LOG_TARGET $tag_log_prefix "$log_prefix Rejected:"
-   #$ipt -A INPUT -j $LOG_TARGET $tag_log_prefix "$log_prefix Rejected:"
-   #$ipt -A FORWARD -j $LOG_TARGET $tag_log_prefix "$log_prefix Rejected:"
-   $ipt -A OUTPUT -m limit --limit-burst 5 -j $LOG_TARGET $tag_log_prefix "$log_prefix Rejected (end of firewall):"
+
+   $ipt -A OUTPUT -m limit --limit-burst 5 -p tcp ! --tcp-flags ACK,FIN ACK,FIN -j $LOG_TARGET $tag_log_prefix "$log_prefix Rejected (end of firewall):"
+   $ipt -A OUTPUT -m limit --limit-burst 5 -p udp -j $LOG_TARGET $tag_log_prefix "$log_prefix Rejected (end of firewall):"
    $ipt -A INPUT -m limit --limit-burst 5 -j $LOG_TARGET $tag_log_prefix "$log_prefix Rejected (end of firewall):"
+
    if $kernel_activate_forwarding ; then
       #$ipt -A FORWARD -j $LOG_TARGET $tag_log_prefix "$log_prefix Rejected:"
       $ipt -A FORWARD -m limit --limit-burst 5 -j $LOG_TARGET $tag_log_prefix "$log_prefix Rejected (end of firewall):"
    fi
+
    echo_done
 else
    echo_skipped