Update network BLKR

BLKR/ipt-firewall/logging_ipv4.conf

@@ -19,7 +19,7 @@ log_blocked=false
 log_unprotected=false
 log_prohibited=false
 log_voip=false
-log_rejected=true
+log_rejected=false
 
 log_ssh=false
 

BLKR/ipt-firewall/main_ipv4.conf

@@ -8,7 +8,11 @@
 # - IPv4 Addresses Gateway
 # ---
 declare -a gateway_ipv4_address_arr
-read -a gateway_ipv4_address_arr <<<$(ifconfig | grep "inet Ad" | awk '{print$2}' | cut -d':' -f2)
+
+_ips="$(ip a | grep "inet " | awk '{print$2}' | cut -d'/' -f1)"
+for _ip in $_ips ; do
+   gateway_ipv4_address_arr+=("$_ip")
+done
 
 
 # =============
@@ -50,6 +54,97 @@ unprotected_ifs=""
 any_access_to_inet_networks=""
 
 
+# - Allow these networks getting any access from the internet.
+# -
+# - Note:
+# - =====
+# -    Traffic recieved on natted interfaces will be ommitted!
+# -
+# - Blank separated list of networks
+# -
+any_access_from_inet_networks=""
+
+
+
+# =============
+# - Allow local services from given local networks
+# =============
+
+# - allow_local_net_to_local_service
+# - 
+# - allow_local_net_to_local_service="local-net:local-service:port:protocol"
+# -
+# - Note:
+# - =====
+# -    - Only 'tcp' and 'udp' are allowed valuse for protocol.
+# -    - Traffic recieved on natted interfaces will be ommitted!
+# -
+# - Use this parameter to (only) give some local netwoks access to special local 
+# - services (but not for all local networks as you can configure later).
+# -
+# - If you plan to separate networks (see parameter 'separate_local_networks'), but 
+# - to allow these networks some special local services, you can also use this parameter.
+# -
+# - Example:
+# -    allow access from 194.150.169.139 to ssh service at 83.223.73.210 on port 1036
+# -    allow access from 86.73.85.0/24 to https service at 83.223.73.204
+# -
+# -    allow_ext_net_to_local_service="194.150.169.139/32:83.223.73.210:1036:tcp 
+# -                                      86.73.85.0/24:83.223.73.204:$standard_https_port:tcp"
+# -
+# - Blank separated list
+# -
+allow_local_net_to_local_service=""
+
+
+
+# =============
+# - Allow all traffic from extern address/network to local address/network
+# =============
+
+# - allow_ext_net_to_local_net
+# -
+# -    allow_ext_net_to_local_net="<src-ext-net>:<dst-local-net> [<src-ext-net>:<dst-local-net>] [..]"
+# -
+# - All traffic from the given first network to the given second network is allowed
+# -
+# - Note:
+# - =====
+# -    - Traffic recieved on natted interfaces will be ommitted!
+# -    - If you want allow both directions, you have to make two entries - one for evry directions.
+# -
+# - Example:
+# -   allow_ext_net_to_local_net="86.223.85.0/24:86.223.73.192/26
+# -                               83.223.86.96/32:86.223.73.0/24"
+# - 
+# - Blank separated list
+# -
+allow_local_net_to_local_ip=""
+
+
+
+# =============
+# - Block all extern traffic to (given) local network
+# =============
+
+# - block_all_ext_to_local_net
+# -
+# -    block_all_ext_to_local_net="<local-net> [<local-net [<local-net .."
+# -
+# - Blocks all extern traffic to given local network(s)
+# -
+# - Note:
+# - =====
+# -    - Traffic recieved on natted interfaces will be ommitted!
+# -
+# - Example:
+# -    block_all_ext_to_local_net="83.223.73.32/29 83.223.73.48/29"
+# - 
+# - Blank separated list
+# -
+block_all_ext_to_local_net=""
+
+
 
 # =============
 # - Allow local services from given local networks
@@ -276,6 +371,15 @@ vpn_local_net_ports="1194"
 # - DHCP Service
 # ======
 
+# - Ist this Gateway DHCP Client?
+# - 
+# - local_dhcp_client_interfaces="<interface1> [<interface> [.."
+# -
+# - Example:
+# -    dhcp_client_interfaces="$ext_if_static_1"
+# -
+dhcp_client_interfaces=""
+
 # - DHCP Server Gateway
 # -
 local_dhcp_service=true
@@ -409,6 +513,11 @@ http_ports="$standard_http_ports"
 # - Mail Services
 # ======
 
+# - SMTP server (i.e. mail relay service) Gateway
+# -
+local_smtp_service=false
+
+
 # - Mailserver (SMTP(POP/IMAP) Gateway
 # -
 # - NOT YET IMPLEMENTED
@@ -538,10 +647,9 @@ samba_tcp_ports="137 138 139 445"
 
 # - Samba Service local networks
 # -
-# - 192.168.122.10      Samba Fileserver
-# - 192.168.122.20      KVM Windows 7 Freigaben
+# - 192.168.162.10      Samba Fileserver
 # -
-samba_server_local_ips="192.168.122.10 192.168.122.20"
+samba_server_local_ips="192.168.162.10"
 
 # - Samba Service DMZ
 # -
@@ -570,6 +678,8 @@ local_ntp_service=true
 
 # - SNMP services local Networks
 # -
+# - Blank separated list of ip's
+# -
 snmp_server_ips=""
 
 # - SNMP Port
@@ -715,21 +825,59 @@ remote_console_port=5900
 # - Ubiquiti Unifi
 # ======
 
-# - Notice:
-# -    The Accesspoint IP is not needed (i think so), because the 
-# -    AP uses port 8080 for cummunication with the controller, and
-# -    this port will be configured with the rules concerning the 
-# -    controllers.
+# - By default, the UniFi controller will operate on the following ports:
 # -
-# - again: setting unifi_ap_local_ips is not needed
-#unifi_ap_local_ips="192.168.64.50"
+# -    unifi_http_port=8080 (port for UAP to inform controller)
+# -    unifi_https_port=8443 (port for controller GUI / API, as seen in web browser)
+# -    unifi_portal_http_port=8880 (port for HTTP portal redirect - Hotspot)
+# -    unifi_portal_https_port=8843 (port for HTTPS portal redirect - Hotspot)
+# -    unifi_http_port=6789 (port used for throughput measurement)
+# -    unifi_db_port=27117 (local-bound port for DB server)
+# -
+# -
+# - In version 4.5.2 and later, users can also define the port assigned to STUN services, 
+# - for scenarios where two or more separate UniFi instances are desired on the 
+# - same controller machine.
+# -
+# - unifi_stun_port=3478 # UDP port used for STUN
+# -                      # Open Port from controller to Unifi APs
+# -
+# -
+# - Ubiquity Networks uses port 10001/UDP for its AirControl 
+# - management discovery protocol
+# -
+# -    unifi_aircontroll_port=10001
+# -
+# -
+# - Since v3.2.9+ and v4.6.0+, two more ports are being reserved for device redirector. 
+# - There is no need to open firewall for these ports on controller. However, on 
+# - controller, avoid to use these ports:
+# -
+# -    port 8881 for redirector port for wireless clients
+# -    port 8882 for redirector port for wired clients
+# -
+# -
+# - For AP-EDU Broadcasts:
+# -
+# -    UDP ports 5656-5699
+# -
+unify_tcp_ports="8080,8443,8880,8843,6789,27117"
+unify_udp_ports="3478"
+unify_broadcast_udp_ports="10001,5656:5699"
 
-unifi_controller_gateway_ips=""
+# - Unifi Controller at gateway?
+# -
+local_unifi_controller_service=false
+
+# - Unifi Accesspoints (AP's) controlled by UniFi controller at Gateway
+# -
+unifi_ap_local_ips=""
+
+
+# - UniFi Controllers on local network (other than this machine)
+# -
 unify_controller_local_net_ips=""
-unify_controller_ports="8080,8443"
 
-provide_hotspot=true
-hotspot_ports="8880,8843"
 
 
 # ======
@@ -738,21 +886,30 @@ hotspot_ports="8880,8843"
 
 # - IPMI Tools local Networks
 # -
-# - 192.168.122.201     IPMI Fileserver
-# - 192.168.122.202     IPMI Gateway
+# - 192.168.162.15    	IPMI Fileserver
 # -
 # - Blank seoarated list
 # -
-ipmi_server_ips="192.168.122.201 192.168.2.15"
+ipmi_server_ips="192.168.162.15"
 
 # - IPMI Tools Port
 # -
-# - UDP 623:  Access IPMI Programms (as IPMIView or FreeIPMI)
-# - TCP 623:  Virtual Media for Remote Console
-# - TCP 3520: "This is TCP Port 3520 which is also needed in addition to TCP port 5900 to be able to use iKVM."
+# - UDP 161:   SNMP 
+# - UDP 623:   Access IPMI Programms (as IPMIView or FreeIPMI)
+# - 
+# - TCP 80:    Webinterface. 
+# - TCP 161:   SNMP 
+# - TCP 443:   Webinterface (SSL) 
+# - TCP 623:   Virtual Media for Remote Console
+# - TCP 3520:  "This is TCP Port 3520 which is also needed in addition to TCP port 5900 to be able to use iKVM."
+# - TCP 5120:  CD/USB
+# - TCP 5123:  Floppy
+# - TCP 5900:  KVM over IP
+# - TCP 5901:  Video for remote console
+# - TCP 5985:  Wsman
 # -
-ipmi_udp_ports="623 5900"
-ipmi_tcp_ports="80 443 623 3520"
+ipmi_udp_ports="161 623"
+ipmi_tcp_ports="80 161 443 623 3520 5120 5123 5900 5901 5985"
 
 
 # =============
@@ -780,8 +937,6 @@ local_rsync_out=false
 
 # - IP Addresses Printer
 # -
-# - 192.168.122.5       Brother HL-5380DN
-# -
 # - Blank separated list
 # -
 printer_ips=""
@@ -860,10 +1015,27 @@ other_services=""
 # --- Masuqerading
 # =============
 
+# - Masquerade (NAT) networks
+# -
+# -    nat_networks="<src-network>:<output-device> [<src-network>:<output-device>] [.."
+# -
+# - Multiple declarations (blank separated list) are possible
+# -
+# - Example:
+# -    nat_network="172.16.1.0/24:${local_if_2}
+# -                 172.16.63.0/24:${ext_if_static_1}"
+# -
+# - 172.16.1.0/24    Rescue network (routers)
+# -
+nat_networks=""
+
+
 # - Masquerade TCP Connections
 # -
 # -    masquerade_tcp_con="<src-network>:<dst-host>:<dst-port>:<output-device> [<src-network>:<dst-host>:..]"
 # -
+# - Multiple declarations (blank separated list) are possible
+# -
 # - Example:
 # -
 # -    masquerade_tcp_con="192.168.63.0/24:192.168.62.244:80:${local_if_1} 
@@ -944,6 +1116,10 @@ allow_samba_requests_out=true
 allow_vpn_out=true
 vpn_out_ports="1194 1195 1196"
 
+allow_cisco_vpn_out=true
+cisco_vpn_out_ports="$standard_isakmp_port $standard_ipsec_nat_t"
+cisco_vpn_out_protocol="esp"
+
 
 # ===
 # = Services allowed between local networks
@@ -967,7 +1143,7 @@ allow_scanning_between_local_nets=true
 # - Permit internet access to all machines at local network
 # - Does not include this server itself
 # -
-permit_local_net_to_inet=true
+permit_local_net_to_inet=false
 
 # - Do not block any traffic between local machines
 # -