From 30ef8034920254053b470d048e86690d56c50521 Mon Sep 17 00:00:00 2001
From: "root@culturestrings"
Date: Mon, 18 May 2020 06:33:32 +0000
Subject: firewall: added firehol configuration files.
---
 public/fs/etc/firehol/firehol.conf | 98 ++++++++++++++++++++++++++++++++++++++
 public/fs/etc/firehol/fireqos.conf | 20 ++++++++
 2 files changed, 118 insertions(+)
 create mode 100644 public/fs/etc/firehol/firehol.conf
 create mode 100644 public/fs/etc/firehol/fireqos.conf
diff --git a/public/fs/etc/firehol/firehol.conf b/public/fs/etc/firehol/firehol.conf
new file mode 100644
index 0000000..234d314
--- /dev/null
+++ b/public/fs/etc/firehol/firehol.conf
@@ -0,0 +1,98 @@
+# Firewall configuration.
+# This is actually a bash script.
+
+version 6
+tcpmss auto
+
+###
+# ipsets to block known malicious hosts -- http://iplists.firehol.org/
+# updated automatically using update-ipsets (systemd timer)
+###
+
+ipv4 ipset create firehol_level1 hash:net
+ipv4 ipset addfile firehol_level1 ipsets/firehol_level1.netset
+
+ipv4 ipset create firehol_level2 hash:net
+ipv4 ipset addfile firehol_level2 ipsets/firehol_level2.netset
+
+ipv4 blacklist full ipset:firehol_level1 ipset:firehol_level2
+
+
+###
+# services
+###
+
+source /root/config/private/fs/etc/server.ports
+
+server_ssh_ports="tcp/$ssh_port"
+client_ssh_ports="default"
+
+server_openvpn_ports="udp/$vpn_port"
+client_openvpn_ports="default"
+
+server_git_ports="tcp/9418"
+client_git_ports="default"
+
+server_mosh_ports="udp/60000:61000"
+client_mosh_ports="default"
+
+server_qemu_ports="tcp/9001"
+client_qemu_ports="default"
+
+server_znc_ports="tcp/9951"
+client_znc_ports="default"
+
+server_nfslow_ports="tcp/111"
+client_nfslow_ports="default"
+
+server_nfshigh_ports="tcp/2049"
+client_nfshigh_ports="default"
+
+
+# ipv6
+ipv6 interface any v6interop proto icmpv6
+ policy accept
+
+
+# world
+interface eth0 world
+ protection strong
+ policy drop
+
+ server ssh accept
+ server openvpn accept
+ server ping accept
+ server git accept
+
+ server http accept
+ server https accept
+
+ server smtp accept
+ server smtps accept
+
+ server nfslow accept
+ server nfshigh accept
+
+ server qemu accept src localhost
+ server mosh accept src localhost
+ server znc accept src localhost
+
+ client all accept
+
+
+# openvpn
+interface tun0 openvpn
+ policy accept
+
+
+router4 ipv4vpn inface tun0 outface eth0
+ masquerade
+ route all accept
+ client all accept
+ server all accept
+
+
+router6 ipv6vpn inface tun0 outface eth0
+ route all accept
+ client all accept
+ server all accept
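Review bot: `server nfslow accept` and `server nfshigh accept` on the `interface eth0 world` block expose rpcbind (tcp/111) and nfsd (tcp/2049) to every source address, while the neighbouring qemu, mosh and znc rules are narrowed with `src localhost`; unless Internet-wide NFS is intended, qualify both with the trusted client range, e.g. `server nfslow accept src "<trusted-net>"` and `server nfshigh accept src "<trusted-net>"` (placeholder for the real VPN or LAN prefix). The three `src localhost` qualifiers look like no-ops on eth0, since loopback-sourced traffic does not normally arrive on that interface, so presumably the intent is "reachable only over lo" — a comment saying so would stop a later edit from "fixing" them into world-reachable rules. Because the file is executed as bash and takes `ssh_port` and `vpn_port` from the `source`d `/root/config/private/fs/etc/server.ports`, an unset variable silently yields `tcp/` and `udp/` service definitions; adding `: "${ssh_port:?ssh_port unset in server.ports}"` and `: "${vpn_port:?vpn_port unset in server.ports}"` directly after the `source` line makes a missing value abort the load instead of producing a malformed rule.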
diff --git a/public/fs/etc/firehol/fireqos.conf b/public/fs/etc/firehol/fireqos.conf
new file mode 100644
index 0000000..ee6bfc7
--- /dev/null
+++ b/public/fs/etc/firehol/fireqos.conf
@@ -0,0 +1,20 @@
+server_mosh_ports="udp/60000:61000"
+client_mosh_ports="default"
+
+interface eth0 world bidirectional rate 950mbit minrate 100kbit ethernet
+ class interactive commit 20%
+ client dns
+ client ssh
+ server ssh
+ client mosh
+ server mosh
+
+ class web commit 50%
+ client surfing
+ server surfing
+
+ class synacks
+ match tcp syn
+ match tcp ack
+
+ class default
-- 
cgit v1.2.3
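Review bot: The `client ssh` / `server ssh` lines under `class interactive` use FireQOS's built-in ssh definition (tcp/22), whereas firehol.conf in the same commit defines the SSH listener as `server_ssh_ports="tcp/$ssh_port"` taken from `/root/config/private/fs/etc/server.ports`; if that port is not 22, the interactive class never matches real SSH traffic and it falls through to `class default`. The mosh port override at the top of the file shows the intended pattern, so mirror it for ssh: `source /root/config/private/fs/etc/server.ports`, `server_ssh_ports="tcp/$ssh_port"`, `client_ssh_ports="default"` before the `interface` line. A short comment above the two `server_mosh_ports` / `client_mosh_ports` lines noting that they must be kept in sync with firehol.conf would also help, since fireqos.conf does not share firehol.conf's variables.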