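# Firewall configuration.
# This is actually a bash script: FireHOL sources it, so ordinary shell
# syntax (variables, comments, `source`, parameter expansion) is valid here.

version 6

tcpmss auto

###
# ipsets to block known malicious hosts -- http://iplists.firehol.org/
# updated automatically using update-ipsets (systemd timer)
#
# The .netset paths are relative to the FireHOL configuration directory.
# Both lists are IPv4-only, so the sets and the blacklist are declared
# ipv4-only as well.
###

ipv4 ipset create   firehol_level1 hash:net
ipv4 ipset addfile  firehol_level1 ipsets/firehol_level1.netset

ipv4 ipset create   firehol_level2 hash:net
ipv4 ipset addfile  firehol_level2 ipsets/firehol_level2.netset

# "full" drops traffic to and from these sets before any interface or
# router rule below is considered.
ipv4 blacklist full ipset:firehol_level1 ipset:firehol_level2


###
# services
###

# Private port assignments (ssh_port, vpn_port) live outside this file.
source /root/config/private/fs/etc/server.ports

# A missing or incomplete server.ports must abort the run: `source` of an
# absent file only prints an error and continues, which would leave the
# variables empty and turn the definitions below into malformed "tcp/" and
# "udp/" services instead of the intended single ports.  The :? expansion
# makes the non-interactive shell exit with the given message.
: "${ssh_port:?ssh_port must be set by server.ports}"
: "${vpn_port:?vpn_port must be set by server.ports}"

server_ssh_ports="tcp/$ssh_port"
client_ssh_ports="default"

server_openvpn_ports="udp/$vpn_port"
client_openvpn_ports="default"

server_git_ports="tcp/9418"
client_git_ports="default"

server_mosh_ports="udp/60000:61000"
client_mosh_ports="default"

server_qemu_ports="tcp/9001"
client_qemu_ports="default"

server_znc_ports="tcp/9951"
client_znc_ports="default"

# portmapper (rpcbind)
server_nfslow_ports="tcp/111"
client_nfslow_ports="default"

# nfsd
server_nfshigh_ports="tcp/2049"
client_nfshigh_ports="default"


# ipv6
# Accept ICMPv6 on every interface: neighbour discovery, router
# advertisements and path-MTU discovery do not work without it.
ipv6 interface any v6interop proto icmpv6
    policy accept


# world
# An unprefixed interface block applies to both IPv4 and IPv6 (unless
# DEFAULT_IPV narrows it), so this is presumably the IPv6 ingress policy too.
interface eth0 world
    protection strong
    policy     drop

    server ssh          accept
    server openvpn      accept
    server ping         accept
    server git          accept

    server http         accept
    server https        accept

    server smtp         accept
    server smtps        accept

    # NOTE(review): rpcbind (tcp/111) and NFS (tcp/2049) are reachable from
    # any source on the public interface.  Only TCP is opened, so NFSv4 is
    # presumably what is in use (NFSv3 would also need UDP and the mountd/
    # lockd ports).  If the clients are known, restrict these with `src`
    # (as done for qemu/mosh/znc below) or serve them over tun0 only.
    server nfslow       accept
    server nfshigh      accept

    # NOTE(review): packets with a loopback source address do not
    # legitimately arrive on eth0, so these three rules most likely match
    # nothing here; they appear to document services that are deliberately
    # not exposed to the world.  Local clients reach them over lo, VPN
    # clients over tun0 below.
    server qemu         accept src localhost
    server mosh         accept src localhost
    server znc          accept src localhost

    # outbound traffic from this host is unrestricted
    client all          accept


# openvpn
# Everything arriving over the VPN is trusted: no per-service filtering.
interface  tun0 openvpn
    policy accept


# VPN clients may reach the world through this host; IPv4 is NATed.
router4 ipv4vpn inface tun0 outface eth0
        masquerade
        route  all accept
        client all accept
        server all accept


# Same for IPv6, routed without NAT.
router6 ipv6vpn inface tun0 outface eth0
        route  all accept
        client all accept
        server all accept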