aboutsummaryrefslogtreecommitdiff
path: root/share/provision/files/ipredator/etc/ferm/ferm.conf
diff options
context:
space:
mode:
authorSilvio Rhatto <rhatto@riseup.net>2019-01-03 17:01:29 -0200
committerSilvio Rhatto <rhatto@riseup.net>2019-01-03 17:01:29 -0200
commit81fbd1a3b93b8ec7abc5af38e9ffa4fa492e3f74 (patch)
tree8c60706bd046ebdb33f8953402772dba160de815 /share/provision/files/ipredator/etc/ferm/ferm.conf
parent35e0621effa975cfe0e64d1bd5c71bda69c65332 (diff)
downloadkvmx-81fbd1a3b93b8ec7abc5af38e9ffa4fa492e3f74.tar.gz
kvmx-81fbd1a3b93b8ec7abc5af38e9ffa4fa492e3f74.tar.bz2
Provision: IPredator: firewall support
Diffstat (limited to 'share/provision/files/ipredator/etc/ferm/ferm.conf')
-rw-r--r--share/provision/files/ipredator/etc/ferm/ferm.conf171
1 files changed, 171 insertions, 0 deletions
diff --git a/share/provision/files/ipredator/etc/ferm/ferm.conf b/share/provision/files/ipredator/etc/ferm/ferm.conf
new file mode 100644
index 0000000..d7b97a3
--- /dev/null
+++ b/share/provision/files/ipredator/etc/ferm/ferm.conf
@@ -0,0 +1,171 @@
+# -*- shell-script -*-
+#
+# Configuration file for ferm(1).
+#
+# V: 0.1
+#
+# ferm manual: http://ferm.foo-projects.org/download/2.2/ferm.html
+# Blog post: https://blog.ipredator.se/linux-firewall-howto.html
+#
+
+# Really make sure that these modules exist and are loaded.
+@hook pre "/sbin/modprobe nf_conntrack_ftp";
+@hook pre "/sbin/modprobe nfnetlink_log";
+
+# Network interfaces.
+#@def $DEV_LAN = eth0;
+@def $DEV_LAN = ens3;
+@def $DEV_LOOPBACK = lo0;
+@def $DEV_VPN = tun0;
+
+# Network definition for the loopback device. This is needed to allow
+# DNS resolution on Ubuntu Linux where the local resolver is bound
+# to 127.0.1.1 - as opposed to the default 127.0.0.1.
+@def $NET_LOOPBACK = 127.0.0.0/8;
+
+# Common application ports.
+@def $PORT_DNS = 53;
+@def $PORT_FTP = ( 20 21 );
+@def $PORT_NTP = 123;
+@def $PORT_SSH = 22;
+@def $PORT_WEB = ( 80 443 );
+
+# The ports we allow OpenVPN to connect to. IPredator allows you
+# to connect on _any_ port. Simply add more ports if desired but
+# stick to only those that you really need.
+@def $PORT_OPENVPN = (1194 1234 1337 2342 5060);
+
+# Public DNS servers and those that are only reachable via VPN.
+# DNS servers are specified in the outbound DNS rules to prevent DNS leaks
+# (https://www.dnsleaktest.com/). The public DNS servers configured on your
+# system should be the IPredator ones (https://www.ipredator.se/page/services#service_dns),
+# but you need to verify this.
+#
+@def $IP_DNS_IPR_PUBLIC = (194.132.32.32/32 46.246.46.246/32);
+
+# Add your ISP name server to this object if you want to restrict
+# which DNS servers can be queried.
+@def $IP_DNS_PUBLIC = 0.0.0.0/0;
+
+# DNS server available within the VPN.
+@def $IP_DNS_VPN = ( 46.246.46.46/32 194.132.32.23/32 );
+
+# Make sure to use the proper VPN interface (e.g. tun0 in this case).
+# Note: You cannot reference $DEV_VPN here, substition does not take
+# place for commands passed to a sub shell.
+@def $VPN_ACTIVE = `ip link show tun0 >/dev/null 2>/dev/null && echo 1 || echo`;
+
+# VPN interface conditional. If true the following rules are loaded.
+@if $VPN_ACTIVE {
+ domain ip {
+ table filter {
+ chain OUTPUT {
+ # Default allowed outbound services on the VPN interface.
+ # If you need more simply add your rules here.
+ outerface $DEV_VPN {
+ proto (tcp udp) daddr ( $IP_DNS_VPN $IP_DNS_IPR_PUBLIC ) dport $PORT_DNS ACCEPT;
+ proto tcp dport $PORT_FTP ACCEPT;
+ proto udp dport $PORT_NTP ACCEPT;
+ proto tcp dport $PORT_SSH ACCEPT;
+ proto tcp dport $PORT_WEB ACCEPT;
+ }
+ }
+ }
+ }
+}
+
+# The main IPv4 rule set.
+domain ip {
+ table filter {
+ chain INPUT {
+ # The default policy for the chain. Usually ACCEPT or DROP or REJECT.
+ policy DROP;
+
+ # Connection tracking.
+ mod state state INVALID DROP;
+ mod state state (ESTABLISHED RELATED) ACCEPT;
+
+ # Allow local traffic to loopback interface.
+ daddr $NET_LOOPBACK ACCEPT;
+
+ # Allow inbound SSH on your LAN interface _only_.
+ interface $DEV_LAN {
+ proto tcp dport $PORT_SSH ACCEPT;
+ }
+
+ # Respond to ping ... makes debugging easier.
+ proto icmp icmp-type echo-request ACCEPT;
+
+ # Log dropped packets.
+ NFLOG nflog-group 1;
+ DROP;
+ }
+
+ chain OUTPUT {
+ policy DROP;
+
+ # Connection tracking.
+ mod state state INVALID DROP;
+ mod state state (ESTABLISHED RELATED) ACCEPT;
+
+ # Allow local traffic from the loopback interface.
+ saddr $NET_LOOPBACK ACCEPT;
+
+ # Respond to ping.
+ proto icmp icmp-type echo-request ACCEPT;
+
+ # Allowed services on the LAN interface.
+ outerface $DEV_LAN {
+ proto (tcp udp) daddr $IP_DNS_PUBLIC dport $PORT_DNS ACCEPT;
+ proto udp dport $PORT_NTP ACCEPT;
+ proto (tcp udp) dport $PORT_OPENVPN ACCEPT;
+ proto tcp dport $PORT_SSH ACCEPT;
+ }
+
+ # Log dropped packets.
+ NFLOG nflog-group 1;
+ DROP;
+ }
+
+ chain FORWARD {
+ policy DROP;
+
+ # If you use your machine to route traffic eg.
+ # from a VM you have to add rules here!
+
+ # Log dropped packets.
+ NFLOG nflog-group 1;
+ DROP;
+ }
+ }
+}
+
+# IPv6 is generally disabled, communication on the loopback device is allowed.
+domain ip6 {
+ table filter {
+ chain INPUT {
+ policy DROP;
+
+ # Allow local traffic.
+ interface $DEV_LOOPBACK ACCEPT;
+
+ # Log dropped packets.
+ NFLOG nflog-group 1;
+ DROP;
+ }
+ chain OUTPUT {
+ policy DROP;
+
+ # Log dropped packets.
+ NFLOG nflog-group 1;
+ DROP;
+ }
+ chain FORWARD {
+ policy DROP;
+
+ # Log dropped packets.
+ NFLOG nflog-group 1;
+ DROP;
+ }
+ }
+}