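# Firewall configuration (FireHOL).
# This is actually a bash script: FireHOL sources it, so plain bash
# constructs (variables, `source`, parameter expansion) are valid here.
version 6
tcpmss auto

###
# ipsets to block known malicious hosts -- http://iplists.firehol.org/
# updated automatically using update-ipsets (systemd timer)
###
# NOTE(review): the .netset paths are relative; confirm which directory
# FireHOL resolves them against on this host.
ipv4 ipset create firehol_level1 hash:net
ipv4 ipset addfile firehol_level1 ipsets/firehol_level1.netset
ipv4 ipset create firehol_level2 hash:net
ipv4 ipset addfile firehol_level2 ipsets/firehol_level2.netset
# Drop traffic matching either set (FireHOL `full` mode, i.e. both
# directions per its docs). IPv4 only, matching the sets above.
ipv4 blacklist full ipset:firehol_level1 ipset:firehol_level2

###
# services
###
# ssh/openvpn port numbers live outside this file. Fail early with a
# clear message if they are missing, instead of emitting "tcp/" rules.
source /root/config/private/config/server.ports
: "${ssh_port:?ssh_port must be set in server.ports}"
: "${vpn_port:?vpn_port must be set in server.ports}"

server_ssh_ports="tcp/$ssh_port"
client_ssh_ports="default"

server_openvpn_ports="udp/$vpn_port"
client_openvpn_ports="default"

server_git_ports="tcp/9418"
client_git_ports="default"

server_mosh_ports="udp/60000:61000"
client_mosh_ports="default"

server_qemu_ports="tcp/9001"
client_qemu_ports="default"

server_znc_ports="tcp/9951"
client_znc_ports="default"

server_nfslow_ports="tcp/111"
client_nfslow_ports="default"

server_nfshigh_ports="tcp/2049"
client_nfshigh_ports="default"

# ipv6: ICMPv6 is accepted on every interface, unfiltered by type
# (presumably for neighbour discovery / PMTU -- confirm that is intended).
ipv6 interface any v6interop proto icmpv6 policy accept

# world: eth0, default drop, FireHOL's "strong" protection preset,
# only the services listed below exposed.
interface eth0 world
  protection strong
  policy drop
  server ssh accept
  server openvpn accept
  server ping accept
  server git accept
  server http accept
  server https accept
  server smtp accept
  server smtps accept
  server nfslow accept
  server nfshigh accept
  # qemu/mosh/znc are limited to `src localhost`; how that name resolves
  # at load time is not visible here -- verify with the generated rules.
  server qemu accept src localhost
  server mosh accept src localhost
  server znc accept src localhost
  # All outbound traffic from this host is allowed; the only egress
  # restriction is the ipset blacklist above.
  client all accept

# openvpn: tun0 is fully trusted (policy accept) and routed to eth0,
# masqueraded for IPv4.
interface tun0 openvpn
  policy accept

router4 ipv4vpn inface tun0 outface eth0 masquerade
  route all accept
  client all accept
  server all accept

router6 ipv6vpn inface tun0 outface eth0
  route all accept
  client all accept
  server all accept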