aboutsummaryrefslogtreecommitdiff
path: root/share/provision/files/njalla-wireguard/etc/ferm/ferm.conf
diff options
context:
space:
mode:
Diffstat (limited to 'share/provision/files/njalla-wireguard/etc/ferm/ferm.conf')
-rw-r--r--share/provision/files/njalla-wireguard/etc/ferm/ferm.conf179
1 files changed, 0 insertions, 179 deletions
diff --git a/share/provision/files/njalla-wireguard/etc/ferm/ferm.conf b/share/provision/files/njalla-wireguard/etc/ferm/ferm.conf
deleted file mode 100644
index 9ef8208..0000000
--- a/share/provision/files/njalla-wireguard/etc/ferm/ferm.conf
+++ /dev/null
@@ -1,179 +0,0 @@
-# -*- shell-script -*-
-#
-# Configuration file for ferm(1).
-#
-# V: 0.1
-#
-# ferm manual: http://ferm.foo-projects.org/download/2.2/ferm.html
-# Blog post: https://blog.ipredator.se/linux-firewall-howto.html
-#
-
-# Really make sure that these modules exist and are loaded.
-@hook pre "/sbin/modprobe nf_conntrack_ftp";
-@hook pre "/sbin/modprobe nfnetlink_log";
-
-# Network interfaces.
-#@def $DEV_LAN = eth0;
-@def $DEV_LAN = ens3;
-@def $DEV_LOOPBACK = lo0;
-@def $DEV_VPN = wg0;
-
-# Network definition for the loopback device. This is needed to allow
-# DNS resolution on Ubuntu Linux where the local resolver is bound
-# to 127.0.1.1 - as opposed to the default 127.0.0.1.
-@def $NET_LOOPBACK = 127.0.0.0/8;
-
-# Common application ports.
-@def $PORT_DNS = 53;
-@def $PORT_FTP = ( 20 21 );
-@def $PORT_NTP = 123;
-@def $PORT_SSH = 22;
-@def $PORT_WEB = ( 80 443 );
-
-# The ports we allow to connect to.
-@def $PORT_WIREGUARD = ( 51820 );
-
-# See https://blog.ipredator.se/howto/restricting-transmission-to-the-vpn-interface-on-ubuntu-linux.html
-# Ports Transmission is allowed to use.
-@def $PORT_TRANSMISSION = 16384:65535;
-
-# Public DNS servers and those that are only reachable via VPN.
-# DNS servers are specified in the outbound DNS rules to prevent DNS leaks
-# (https://www.dnsleaktest.com/). The public DNS servers configured on your
-# system should be the IPredator ones (https://www.ipredator.se/page/services#service_dns),
-# but you need to verify this.
-#
-@def $IP_DNS_IPR_PUBLIC = ( 95.215.19.53/32 );
-
-# Add your ISP name server to this object if you want to restrict
-# which DNS servers can be queried.
-@def $IP_DNS_PUBLIC = 0.0.0.0/0;
-
-# DNS server available within the VPN.
-@def $IP_DNS_VPN = ( 95.215.19.53/32 );
-
-# Make sure to use the proper VPN interface (e.g. wg0 in this case).
-# Note: You cannot reference $DEV_VPN here, substition does not take
-# place for commands passed to a sub shell.
-@def $VPN_ACTIVE = `ip link show wg0 >/dev/null 2>/dev/null && echo 1 || echo`;
-
-# VPN interface conditional. If true the following rules are loaded.
-@if $VPN_ACTIVE {
- domain ip {
- table filter {
- chain INPUT {
- interface $DEV_VPN {
- proto (tcp udp) dport $PORT_TRANSMISSION ACCEPT;
- }
- }
- chain OUTPUT {
- # Default allowed outbound services on the VPN interface.
- # If you need more simply add your rules here.
- outerface $DEV_VPN {
- proto (tcp udp) daddr ( $IP_DNS_VPN $IP_DNS_IPR_PUBLIC ) dport $PORT_DNS ACCEPT;
- proto tcp dport $PORT_FTP ACCEPT;
- proto udp dport $PORT_NTP ACCEPT;
- proto tcp dport $PORT_SSH ACCEPT;
- proto (tcp udp) sport $PORT_TRANSMISSION ACCEPT;
- proto tcp dport $PORT_WEB ACCEPT;
- }
- }
- }
- }
-}
-
-# The main IPv4 rule set.
-domain ip {
- table filter {
- chain INPUT {
- # The default policy for the chain. Usually ACCEPT or DROP or REJECT.
- policy DROP;
-
- # Connection tracking.
- mod state state INVALID DROP;
- mod state state (ESTABLISHED RELATED) ACCEPT;
-
- # Allow local traffic to loopback interface.
- daddr $NET_LOOPBACK ACCEPT;
-
- # Allow inbound SSH on your LAN interface _only_.
- interface $DEV_LAN {
- proto tcp dport $PORT_SSH ACCEPT;
- }
-
- # Respond to ping ... makes debugging easier.
- proto icmp icmp-type echo-request ACCEPT;
-
- # Log dropped packets.
- NFLOG nflog-group 1;
- DROP;
- }
-
- chain OUTPUT {
- policy DROP;
-
- # Connection tracking.
- mod state state INVALID DROP;
- mod state state (ESTABLISHED RELATED) ACCEPT;
-
- # Allow local traffic from the loopback interface.
- saddr $NET_LOOPBACK ACCEPT;
-
- # Respond to ping.
- proto icmp icmp-type echo-request ACCEPT;
-
- # Allowed services on the LAN interface.
- outerface $DEV_LAN {
- proto (tcp udp) daddr $IP_DNS_PUBLIC dport $PORT_DNS ACCEPT;
- proto udp dport $PORT_NTP ACCEPT;
- proto (tcp udp) dport $PORT_WIREGUARD ACCEPT;
- proto tcp dport $PORT_SSH ACCEPT;
- }
-
- # Log dropped packets.
- NFLOG nflog-group 1;
- DROP;
- }
-
- chain FORWARD {
- policy DROP;
-
- # If you use your machine to route traffic eg.
- # from a VM you have to add rules here!
-
- # Log dropped packets.
- NFLOG nflog-group 1;
- DROP;
- }
- }
-}
-
-# IPv6 is generally disabled, communication on the loopback device is allowed.
-domain ip6 {
- table filter {
- chain INPUT {
- policy DROP;
-
- # Allow local traffic.
- interface $DEV_LOOPBACK ACCEPT;
-
- # Log dropped packets.
- NFLOG nflog-group 1;
- DROP;
- }
- chain OUTPUT {
- policy DROP;
-
- # Log dropped packets.
- NFLOG nflog-group 1;
- DROP;
- }
- chain FORWARD {
- policy DROP;
-
- # Log dropped packets.
- NFLOG nflog-group 1;
- DROP;
- }
- }
-}