# Firewall configuration.
# This is actually a bash script.
# FireHOL config-language version this file is written against.
version 6
# Let FireHOL clamp TCP MSS to the path MTU (matters for the tunnelled
# traffic that is forwarded further down).
tcpmss auto
###
# ipsets to block known malicious hosts -- http://iplists.firehol.org/
# updated automatically using update-ipsets (systemd timer)
###
# Each set is created empty and then loaded from its .netset file; the
# relative paths are presumably resolved against FireHOL's config directory
# -- confirm.
ipv4 ipset create firehol_level1 hash:net
ipv4 ipset addfile firehol_level1 ipsets/firehol_level1.netset
ipv4 ipset create firehol_level2 hash:net
ipv4 ipset addfile firehol_level2 ipsets/firehol_level2.netset
# NOTE(review): per FireHOL's blacklist helper, "full" drops traffic whether a
# listed network is the source or the destination ("input" would only drop
# inbound) -- confirm against the FireHOL version in use. This is IPv4 only;
# nothing equivalent is loaded for IPv6 in this file.
ipv4 blacklist full ipset:firehol_level1 ipset:firehol_level2
###
# services
###
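# Per-host port numbers (ssh_port, vpn_port) are kept outside this file in a
# private config so they are not disclosed with it; the sourced file is
# expected to define both.
source /root/config/private/config/server.ports
# Fail the config load early, with a clear message, rather than letting an
# unset variable silently turn into a malformed port spec such as "tcp/".
: "${ssh_port:?server.ports must define ssh_port}"
: "${vpn_port:?server.ports must define vpn_port}"
# Custom service definitions: FireHOL reads server_<name>_ports and
# client_<name>_ports for every <name> used in a later `server`/`client`
# statement. "default" on the client side keeps FireHOL's default client
# port range.
server_ssh_ports="tcp/${ssh_port}"
client_ssh_ports="default"
server_openvpn_ports="udp/${vpn_port}"
client_openvpn_ports="default"
server_git_ports="tcp/9418"
client_git_ports="default"
# mosh needs a UDP port range, one port per session.
server_mosh_ports="udp/60000:61000"
client_mosh_ports="default"
server_qemu_ports="tcp/9001"
client_qemu_ports="default"
server_znc_ports="tcp/9951"
client_znc_ports="default"
# NFS is split in two services: rpcbind/portmapper (tcp/111) and nfsd
# (tcp/2049), so each can be accepted or restricted independently.
server_nfslow_ports="tcp/111"
client_nfslow_ports="default"
server_nfshigh_ports="tcp/2049"
client_nfshigh_ports="default"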
# ipv6
# ICMPv6 on every interface is accepted in both directions (IPv6 depends on
# it for neighbour discovery and PMTU); the remaining IPv6 traffic on eth0
# presumably falls through to the "world" interface below and its drop
# policy -- confirm.
ipv6 interface any v6interop proto icmpv6
policy accept
# world
# Public-facing interface: anything not explicitly accepted below is dropped.
interface eth0 world
protection strong
policy drop
# Inbound services. ssh/openvpn/git/nfslow/nfshigh use the port variables
# defined above; the others are FireHOL built-in service definitions.
server ssh accept
server openvpn accept
server ping accept
server git accept
server http accept
server https accept
server smtp accept
server smtps accept
server imaps accept
server submission accept
# NOTE(review): rpcbind (tcp/111) and nfsd (tcp/2049) are accepted from any
# source on eth0; if the NFS clients are known, a `src` restriction like the
# three services below would narrow the exposure -- confirm intent.
server nfslow accept
server nfshigh accept
# Matched only when the source address is localhost, which on eth0
# effectively keeps these services off the network -- presumably deliberate;
# confirm.
server qemu accept src localhost
server mosh accept src localhost
server znc accept src localhost
# This host may initiate any outbound connection.
client all accept
# openvpn
# VPN tunnel interface: no restrictions on traffic to/from this host on tun0.
interface tun0 openvpn
policy accept
# Forwarding between the tunnel and the public interface. IPv4 is
# masqueraded (SNAT) so VPN clients appear as this host's eth0 address.
router4 ipv4vpn inface tun0 outface eth0
masquerade
# NOTE(review): in a FireHOL router, `route` matches requests in both
# directions, `server` only inface->outface (tun0->eth0) and `client` only
# outface->inface (eth0->tun0). With `route all accept` present the two
# lines after it look redundant, and together they also allow new
# connections from eth0 towards the VPN side. If only VPN-client-to-internet
# traffic is intended, `server all accept` alone would be the narrower rule
# -- confirm. The same applies to the IPv6 router below.
route all accept
client all accept
server all accept
# IPv6 forwarding, without masquerade: VPN clients' addresses are forwarded
# unchanged.
router6 ipv6vpn inface tun0 outface eth0
route all accept
client all accept
server all accept