author | root@culturestrings <root@culturestrings> | 2020-05-18 06:33:32 +0000 |
committer | root@culturestrings <root@culturestrings> | 2020-05-18 06:33:32 +0000 |
commit | 30ef8034920254053b470d048e86690d56c50521 (patch) | |
tree | 6a818a8acb40cbfbbf7fd5618f597a2763868364 | |
parent | 7f660bed1c59e708f9c42de1495706283648aa51 (diff) | |
firewall: added firehol configuration files.
-rw-r--r-- | public/fs/etc/firehol/firehol.conf | 98 | ||||
-rw-r--r-- | public/fs/etc/firehol/fireqos.conf | 20 |
2 files changed, 118 insertions, 0 deletions
diff --git a/public/fs/etc/firehol/firehol.conf b/public/fs/etc/firehol/firehol.conf
new file mode 100644
index 0000000..234d314
--- /dev/null
+++ b/public/fs/etc/firehol/firehol.conf
@@ -0,0 +1,98 @@
+# Firewall configuration.
+# This is actually a bash script.
+
+version 6
+tcpmss auto
+
+###
+# ipsets to block known malicious hosts -- http://iplists.firehol.org/
+# updated automatically using update-ipsets (systemd timer)
+###
+
+ipv4 ipset create firehol_level1 hash:net
+ipv4 ipset addfile firehol_level1 ipsets/firehol_level1.netset
+
+ipv4 ipset create firehol_level2 hash:net
+ipv4 ipset addfile firehol_level2 ipsets/firehol_level2.netset
+
+ipv4 blacklist full ipset:firehol_level1 ipset:firehol_level2
+
+
+###
+# services
+###
+
+source /root/config/private/fs/etc/server.ports
+
+server_ssh_ports="tcp/$ssh_port"
+client_ssh_ports="default"
+
+server_openvpn_ports="udp/$vpn_port"
+client_openvpn_ports="default"
+
+server_git_ports="tcp/9418"
+client_git_ports="default"
+
+server_mosh_ports="udp/60000:61000"
+client_mosh_ports="default"
+
+server_qemu_ports="tcp/9001"
+client_qemu_ports="default"
+
+server_znc_ports="tcp/9951"
+client_znc_ports="default"
+
+server_nfslow_ports="tcp/111"
+client_nfslow_ports="default"
+
+server_nfshigh_ports="tcp/2049"
+client_nfshigh_ports="default"
+
+
+# ipv6
+ipv6 interface any v6interop proto icmpv6
+ policy accept
+
+
+# world
+interface eth0 world
+ protection strong
+ policy drop
+
+ server ssh accept
+ server openvpn accept
+ server ping accept
+ server git accept
+
+ server http accept
+ server https accept
+
+ server smtp accept
+ server smtps accept
+
+ server nfslow accept
+ server nfshigh accept
+
+ server qemu accept src localhost
+ server mosh accept src localhost
+ server znc accept src localhost
+
+ client all accept
+
+
+# openvpn
+interface tun0 openvpn
+ policy accept
+
+
+router4 ipv4vpn inface tun0 outface eth0
+ masquerade
+ route all accept
+ client all accept
+ server all accept
+
+
+router6 ipv6vpn inface tun0 outface eth0
+ route all accept
+ client all accept
+ server all accept
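Review bot: `server nfslow accept` and `server nfshigh accept` inside `interface eth0 world` open rpcbind (tcp/111) and NFS (tcp/2049) to every source address, while the other internal-only services in the same block are limited with `src localhost`; NFS on these versions typically relies on source-address trust rather than strong authentication, so these two lines should carry a source restriction such as `server nfslow accept src <vpn-subnet>` (placeholder) or move into `interface tun0 openvpn`. In `router4 ipv4vpn` and `router6 ipv6vpn`, `route all accept` already allows forwarding in both directions, which makes the following `client all accept` / `server all accept` redundant and, for router6 (no masquerade), lets the Internet initiate connections to VPN clients if they hold globally routable addresses; if only VPN-to-Internet was intended, replace the three lines with `server all accept` alone. Since the file runs as bash, an unset `$ssh_port` or `$vpn_port` from server.ports silently produces the invalid spec `tcp/`; a guard such as `: "${ssh_port:?not set in server.ports}"` after the `source` line makes that fail loudly at load time.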
diff --git a/public/fs/etc/firehol/fireqos.conf b/public/fs/etc/firehol/fireqos.conf
new file mode 100644
index 0000000..ee6bfc7
--- /dev/null
+++ b/public/fs/etc/firehol/fireqos.conf
@@ -0,0 +1,20 @@
+server_mosh_ports="udp/60000:61000"
+client_mosh_ports="default"
+
+interface eth0 world bidirectional rate 950mbit minrate 100kbit ethernet
+ class interactive commit 20%
+ client dns
+ client ssh
+ server ssh
+ client mosh
+ server mosh
+
+ class web commit 50%
+ client surfing
+ server surfing
+
+ class synacks
+ match tcp syn
+ match tcp ack
+
+ class default
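Review bot: `server_mosh_ports` and `client_mosh_ports` on the first two lines duplicate the identical definitions in firehol.conf, so a future port change has to be made in two files and a mismatch would go unnoticed; since both files are bash, sourcing the pair from one shared file (server.ports is already the place firehol.conf reads port values from) would remove the duplicate, or failing that a comment `# must match public/fs/etc/firehol/firehol.conf` above them keeps the coupling visible. The interactive class also shapes `server mosh` on eth0, whereas firehol.conf only accepts mosh on that interface with `src localhost`, which suggests one of the two files does not reflect the intended deployment — worth confirming which is current.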