diff --git a/_automation_scripts/etc/proxy-sinc/paths.conf b/_automation_scripts/etc/proxy-sinc/paths.conf
index 8a4c2a8..39a9d8a 100644
--- a/_automation_scripts/etc/proxy-sinc/paths.conf
+++ b/_automation_scripts/etc/proxy-sinc/paths.conf
@@ -2,3 +2,9 @@
# Linhas que começam com '#' são ignoradas.
/etc/nginx
/etc/fail2ban
+/etc/resolv.conf
+/etc/nsswitch.conf
+/etc/hosts
+/etc/ufw
+/lib/systemd/system/nginx.service
+/etc/systemd/system/nginx.service.d/override.conf
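Review bot: `/etc/resolv.conf` (L9) is on many systems a symlink into a resolver-managed runtime file (systemd-resolved or resolvconf), so whether the sync tool replaces the link or writes through it decides whether the committed `resolv.conf` ever takes effect; the file should say which behaviour the sync script has. `/etc/ufw` (L12) is synced as a whole tree, which drags in `user.rules`/`user6.rules`, files the `ufw` command regenerates on every rule change, so the two copies will diverge unless rule edits are always made on the source side. A header comment above L7 recording both caveats would help, e.g. `# /etc/resolv.conf may be a symlink (check what the sync does with links); /etc/ufw/user*.rules are rewritten by ufw` — the line at L6 only says that `#` lines are ignored.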
diff --git a/hosts b/hosts
new file mode 100644
index 0000000..877d149
--- /dev/null
+++ b/hosts
@@ -0,0 +1,9 @@
+127.0.0.1 localhost
+172.16.254.1 srvproxy001.itguys.com.br srvproxy001
+10.10.253.128 git.itguys.com.br git
+172.16.254.59 zammad.itguys.com.br zammad
+
+# The following lines are desirable for IPv6 capable hosts
+::1 localhost ip6-localhost ip6-loopback
+ff02::1 ip6-allnodes
+ff02::2 ip6-allrouters
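Review bot: The static entries at L22–L24 take precedence over DNS under the `hosts: files dns` order this commit also ships in nsswitch.conf, so a later DNS change for `git` or `zammad` is silently ignored on this host until the file is updated. There is no comment saying the pinning is intentional, which is how stale overrides survive migrations; add one above L22, e.g. `# static overrides for internal backends; these win over DNS (nsswitch: files dns), keep in sync with the zone`.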
diff --git a/nginx.service b/nginx.service
new file mode 100644
index 0000000..a63fa0f
--- /dev/null
+++ b/nginx.service
@@ -0,0 +1,30 @@
+# Stop dance for nginx
+# =======================
+#
+# ExecStop sends SIGQUIT (graceful stop) to the nginx process.
+# If, after 5s (--retry QUIT/5) nginx is still running, systemd takes control
+# and sends SIGTERM (fast shutdown) to the main process.
+# After another 5s (TimeoutStopSec=5), and if nginx is alive, systemd sends
+# SIGKILL to all the remaining processes in the process group (KillMode=mixed).
+#
+# nginx signals reference doc:
+# http://nginx.org/en/docs/control.html
+#
+[Unit]
+Description=A high performance web server and a reverse proxy server
+Documentation=man:nginx(8)
+After=network-online.target remote-fs.target nss-lookup.target
+Wants=network-online.target
+
+[Service]
+Type=forking
+PIDFile=/run/nginx.pid
+ExecStartPre=/usr/sbin/nginx -t -q -g 'daemon on; master_process on;'
+ExecStart=/usr/sbin/nginx -g 'daemon on; master_process on;'
+ExecReload=/usr/sbin/nginx -g 'daemon on; master_process on;' -s reload
+ExecStop=-/sbin/start-stop-daemon --quiet --stop --retry QUIT/5 --pidfile /run/nginx.pid
+TimeoutStopSec=5
+KillMode=mixed
+
+[Install]
+WantedBy=multi-user.target
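Review bot: Nothing in L36–L65 differs from what the distribution's packaged nginx unit looks like, yet paths.conf syncs it to `/lib/systemd/system/nginx.service`, a package-owned path that the package manager overwrites on upgrade (and that the sync would then overwrite back). Local changes belong in the drop-in the commit already adds under `/etc/systemd/system/nginx.service.d/override.conf`; if this unit really is unmodified, drop the file and the `/lib/systemd/system/nginx.service` line in paths.conf, and if it is modified, add a header comment naming the deviation from the packaged unit so the next reader does not have to diff it.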
diff --git a/nsswitch.conf b/nsswitch.conf
new file mode 100644
index 0000000..f20778e
--- /dev/null
+++ b/nsswitch.conf
@@ -0,0 +1,20 @@
+# /etc/nsswitch.conf
+#
+# Example configuration of GNU Name Service Switch functionality.
+# If you have the `glibc-doc-reference' and `info' packages installed, try:
+# `info libc "Name Service Switch"' for information about this file.
+
+passwd: files
+group: files
+shadow: files
+gshadow: files
+
+hosts: files dns
+networks: files
+
+protocols: db files
+services: db files
+ethers: db files
+rpc: db files
+
+netgroup: nis
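Review bot: `netgroup: nis` (L91) names a lookup source that nothing in this commit configures, so as shipped it is either dead configuration or an undeclared dependency on a NIS server; if no NIS is deployed, `netgroup: files` states the intent plainly. The header at L72–L76 still describes the file as an "Example configuration", which no longer fits a file that the sync now treats as the managed production copy; replacing it with one line on what this deployment relies on (for instance that `hosts: files dns` lets `/etc/hosts` pin the internal backends) would make the file self-explaining.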
diff --git a/override.conf b/override.conf
new file mode 100644
index 0000000..f36c535
--- /dev/null
+++ b/override.conf
@@ -0,0 +1,2 @@
+[Service]
+LimitNOFILE=65535
\ No newline at end of file
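Review bot: The file has no trailing newline (L100), and `LimitNOFILE=65535` at L99 carries no rationale, so a future reader cannot tell whether the value was tuned or copied. The limit only pays off if nginx's own configuration raises `worker_rlimit_nofile` and `worker_connections` accordingly, which this commit does not show; a comment above L99 such as `# raise the fd ceiling for the reverse proxy (client + upstream socket per proxied connection); pair with worker_rlimit_nofile in nginx.conf` records both the reason and the coupling.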
diff --git a/resolv.conf b/resolv.conf
new file mode 100644
index 0000000..4beb250
--- /dev/null
+++ b/resolv.conf
@@ -0,0 +1,2 @@
+search itguys.com.br
+nameserver 172.16.254.252
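Review bot: A single `nameserver` (L108) makes 172.16.254.252 a hard dependency for every upstream lookup the proxy performs; when that resolver is down, lookups time out and fail rather than failing over, which on a reverse proxy turns a DNS outage into a site outage. If a second internal resolver exists, add `nameserver <SECOND_RESOLVER_IP>` (placeholder) beneath L108, and consider `options timeout:2 attempts:2` so that the failover happens before nginx's own upstream timeouts expire. The file should also carry a one-line comment stating that it is managed by the sync, since anything that rewrites `/etc/resolv.conf` locally will silently win otherwise.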
diff --git a/ufw/after.init b/ufw/after.init
new file mode 100644
index 0000000..e89217d
--- /dev/null
+++ b/ufw/after.init
@@ -0,0 +1,40 @@
+#!/bin/sh
+#
+# after.init: if executable, called by ufw-init. See 'man ufw-framework' for
+# details. Note that output from these scripts is not seen via the
+# the ufw command, but instead via ufw-init.
+#
+# Copyright 2013 Canonical Ltd.
+#
+# This program is free software: you can redistribute it and/or modify
+# it under the terms of the GNU General Public License version 3,
+# as published by the Free Software Foundation.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program. If not, see .
+#
+set -e
+
+case "$1" in
+start)
+ # typically required
+ ;;
+stop)
+ # typically required
+ ;;
+status)
+ # optional
+ ;;
+flush-all)
+ # optional
+ ;;
+*)
+ echo "'$1' not supported"
+ echo "Usage: after.init {start|stop|flush-all|status}"
+ ;;
+esac
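Review bot: Both hook scripts are committed with mode 100644 (L110 here, L497 for `ufw/before.init`), and their own header at L117 says ufw-init only runs them when executable, so as synced they are inert templates with empty `start`/`stop` branches (L138–L143). If no custom iptables work is intended they can be left out of the sync altogether; if they are meant to run, the sync must set the execute bit and the empty cases deserve a comment such as `# intentionally empty: no custom rules beyond user.rules` so nobody later assumes the hook is doing something. The same applies unchanged to `ufw/before.init` (L525–L541).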
diff --git a/ufw/after.rules b/ufw/after.rules
new file mode 100644
index 0000000..0d6c646
--- /dev/null
+++ b/ufw/after.rules
@@ -0,0 +1,30 @@
+#
+# rules.input-after
+#
+# Rules that should be run after the ufw command line added rules. Custom
+# rules should be added to one of these chains:
+# ufw-after-input
+# ufw-after-output
+# ufw-after-forward
+#
+
+# Don't delete these required lines, otherwise there will be errors
+*filter
+:ufw-after-input - [0:0]
+:ufw-after-output - [0:0]
+:ufw-after-forward - [0:0]
+# End required lines
+
+# don't log noisy services by default
+-A ufw-after-input -p udp --dport 137 -j ufw-skip-to-policy-input
+-A ufw-after-input -p udp --dport 138 -j ufw-skip-to-policy-input
+-A ufw-after-input -p tcp --dport 139 -j ufw-skip-to-policy-input
+-A ufw-after-input -p tcp --dport 445 -j ufw-skip-to-policy-input
+-A ufw-after-input -p udp --dport 67 -j ufw-skip-to-policy-input
+-A ufw-after-input -p udp --dport 68 -j ufw-skip-to-policy-input
+
+# don't log noisy broadcast
+-A ufw-after-input -m addrtype --dst-type BROADCAST -j ufw-skip-to-policy-input
+
+# don't delete the 'COMMIT' line or these rules won't be processed
+COMMIT
diff --git a/ufw/after6.rules b/ufw/after6.rules
new file mode 100644
index 0000000..0d99672
--- /dev/null
+++ b/ufw/after6.rules
@@ -0,0 +1,27 @@
+#
+# rules.input-after
+#
+# Rules that should be run after the ufw command line added rules. Custom
+# rules should be added to one of these chains:
+# ufw6-after-input
+# ufw6-after-output
+# ufw6-after-forward
+#
+
+# Don't delete these required lines, otherwise there will be errors
+*filter
+:ufw6-after-input - [0:0]
+:ufw6-after-output - [0:0]
+:ufw6-after-forward - [0:0]
+# End required lines
+
+# don't log noisy services by default
+-A ufw6-after-input -p udp --dport 137 -j ufw6-skip-to-policy-input
+-A ufw6-after-input -p udp --dport 138 -j ufw6-skip-to-policy-input
+-A ufw6-after-input -p tcp --dport 139 -j ufw6-skip-to-policy-input
+-A ufw6-after-input -p tcp --dport 445 -j ufw6-skip-to-policy-input
+-A ufw6-after-input -p udp --dport 546 -j ufw6-skip-to-policy-input
+-A ufw6-after-input -p udp --dport 547 -j ufw6-skip-to-policy-input
+
+# don't delete the 'COMMIT' line or these rules won't be processed
+COMMIT
diff --git a/ufw/applications.d/nginx b/ufw/applications.d/nginx
new file mode 100644
index 0000000..0cb0449
--- /dev/null
+++ b/ufw/applications.d/nginx
@@ -0,0 +1,14 @@
+[Nginx HTTP]
+title=Web Server (Nginx, HTTP)
+description=Small, but very powerful and efficient web server
+ports=80/tcp
+
+[Nginx HTTPS]
+title=Web Server (Nginx, HTTPS)
+description=Small, but very powerful and efficient web server
+ports=443/tcp
+
+[Nginx Full]
+title=Web Server (Nginx, HTTP + HTTPS)
+description=Small, but very powerful and efficient web server
+ports=80,443/tcp
diff --git a/ufw/applications.d/openssh-server b/ufw/applications.d/openssh-server
new file mode 100644
index 0000000..9bbe906
--- /dev/null
+++ b/ufw/applications.d/openssh-server
@@ -0,0 +1,4 @@
+[OpenSSH]
+title=Secure shell server, an rshd replacement
+description=OpenSSH is a free implementation of the Secure Shell protocol.
+ports=22/tcp
diff --git a/ufw/applications.d/ufw-bittorent b/ufw/applications.d/ufw-bittorent
new file mode 100644
index 0000000..171fce2
--- /dev/null
+++ b/ufw/applications.d/ufw-bittorent
@@ -0,0 +1,19 @@
+[Transmission]
+title=Transmission
+description=Transmission BitTorrent client
+ports=51413
+
+[Deluge]
+title=Deluge
+description=Deluge BitTorrent client
+ports=6881:6891/tcp
+
+[KTorrent]
+title=KTorrent
+description=KTorrent BitTorrent client
+ports=6881/tcp|4444/udp
+
+[qBittorrent]
+title=qBittorrent
+description=qBittorrent BitTorrent client
+ports=6881/tcp
diff --git a/ufw/applications.d/ufw-chat b/ufw/applications.d/ufw-chat
new file mode 100644
index 0000000..32b4fe7
--- /dev/null
+++ b/ufw/applications.d/ufw-chat
@@ -0,0 +1,35 @@
+[PeopleNearby]
+title=People Nearby
+description=People Nearby (Bonjour/Salut) functionality in Empathy
+ports=5353/udp|5298
+
+[Bonjour]
+title=Bonjour
+description=Bonjour protocol
+ports=5353/udp|5298
+
+[MSN]
+title=MSN Chat
+description=MSN chat protocol (with file transfer and voice)
+ports=1863|6891:6900/tcp|6901
+
+[MSN SSL]
+title=MSN Chat (SSL)
+description=MSN chat protocol (SSL)
+ports=443/tcp
+
+[AIM]
+title=AIM Talk
+description=AIM talk protocol
+ports=5190/tcp
+
+[Yahoo]
+title=Yahoo Chat
+description=Yahoo chat protocol
+ports=5050
+
+[XMPP]
+title=XMPP Chat
+description=XMPP protocol (Jabber and Google Talk)
+ports=5222/tcp|5269/tcp
+
diff --git a/ufw/applications.d/ufw-directoryserver b/ufw/applications.d/ufw-directoryserver
new file mode 100644
index 0000000..90fa2f7
--- /dev/null
+++ b/ufw/applications.d/ufw-directoryserver
@@ -0,0 +1,29 @@
+[Kerberos KDC]
+title=Kerberos v5 KDC server
+description=Kerberos v5 KDC server
+ports=88
+
+[Kerberos Admin]
+title=Kerberos v5 admin
+description=Kerberos v5 server
+ports=749/tcp
+
+[Kerberos Password]
+title=Kerberos v5 password
+description=Kerberos v5 password
+ports=464/udp
+
+[Kerberos Full]
+title=Kerberos v5 server
+description=Kerberos v5 server
+ports=88,749/tcp|464/udp
+
+[LDAP]
+title=LDAP server
+description=LDAP server
+ports=389/tcp
+
+[LDAPS]
+title=LDAP server (LDAPS)
+description=LDAP server (LDAPS)
+ports=636/tcp
diff --git a/ufw/applications.d/ufw-dnsserver b/ufw/applications.d/ufw-dnsserver
new file mode 100644
index 0000000..7a61781
--- /dev/null
+++ b/ufw/applications.d/ufw-dnsserver
@@ -0,0 +1,4 @@
+[DNS]
+title=Internet Domain Name Server
+description=Internet Domain Name Server
+ports=53
diff --git a/ufw/applications.d/ufw-fileserver b/ufw/applications.d/ufw-fileserver
new file mode 100644
index 0000000..6cb4c77
--- /dev/null
+++ b/ufw/applications.d/ufw-fileserver
@@ -0,0 +1,14 @@
+[CIFS]
+title=SMB/CIFS server
+description=SMB/CIFS server
+ports=137,138/udp|139,445/tcp
+
+[NFS]
+title=NFS server
+description=NFS and portmap server. Will also need access to mountd, statd and possibly others
+ports=2049,111/tcp|2049,111/udp
+
+[svnserve]
+title=Subversion server
+description=Subversion server for access to Subversion repositories.
+ports=3690/tcp
diff --git a/ufw/applications.d/ufw-loginserver b/ufw/applications.d/ufw-loginserver
new file mode 100644
index 0000000..5f01853
--- /dev/null
+++ b/ufw/applications.d/ufw-loginserver
@@ -0,0 +1,14 @@
+[Telnet]
+title=Telnet server (insecure)
+description=Telnet server (insecure)
+ports=23/tcp
+
+[SSH]
+title=SSH server
+description=SSH server
+ports=22/tcp
+
+[VNC]
+title=VNC server
+description=VNC server
+ports=5900/tcp
diff --git a/ufw/applications.d/ufw-mailserver b/ufw/applications.d/ufw-mailserver
new file mode 100644
index 0000000..dd55cc0
--- /dev/null
+++ b/ufw/applications.d/ufw-mailserver
@@ -0,0 +1,30 @@
+[POP3]
+title=Mail server (POP3)
+description=Mail server (POP3)
+ports=110/tcp
+
+[POP3S]
+title=Secure mail server (POP3S)
+description=Secure mail server (POP3S)
+ports=995/tcp
+
+[IMAP]
+title=Mail server (IMAP)
+description=Mail server (IMAP)
+ports=143/tcp
+
+[IMAPS]
+title=Secure mail server (IMAPS)
+description=Secure mail server (IMAPS)
+ports=993/tcp
+
+[SMTP]
+title=Mail server (SMTP)
+description=Mail server (SMTP)
+ports=25/tcp
+
+[Mail submission]
+title=Mail server (Submission)
+description=Mail server (Submission)
+ports=587/tcp
+
diff --git a/ufw/applications.d/ufw-printserver b/ufw/applications.d/ufw-printserver
new file mode 100644
index 0000000..e634b61
--- /dev/null
+++ b/ufw/applications.d/ufw-printserver
@@ -0,0 +1,9 @@
+[IPP]
+title=Cups server (IPP)
+description=Cups server (IPP)
+ports=631
+
+[LPD]
+title=LPD server
+description=LPD server
+ports=515/tcp
diff --git a/ufw/applications.d/ufw-proxyserver b/ufw/applications.d/ufw-proxyserver
new file mode 100644
index 0000000..a598c98
--- /dev/null
+++ b/ufw/applications.d/ufw-proxyserver
@@ -0,0 +1,9 @@
+[Socks]
+title=Socks proxy
+description=Socks proxy
+ports=1080/tcp
+
+[Transparent Proxy]
+title=Transparent proxy
+description=Transparent proxy
+ports=8081/tcp
diff --git a/ufw/applications.d/ufw-webserver b/ufw/applications.d/ufw-webserver
new file mode 100644
index 0000000..fab4b82
--- /dev/null
+++ b/ufw/applications.d/ufw-webserver
@@ -0,0 +1,19 @@
+[WWW]
+title=Web Server
+description=Web server
+ports=80/tcp
+
+[WWW Secure]
+title=Web Server (HTTPS)
+description=Web Server (HTTPS)
+ports=443/tcp
+
+[WWW Full]
+title=Web Server (HTTP,HTTPS)
+description=Web Server (HTTP,HTTPS)
+ports=80,443/tcp
+
+[WWW Cache]
+title=Web Server (8080)
+description=Web Server (8080)
+ports=8080/tcp
diff --git a/ufw/before.init b/ufw/before.init
new file mode 100644
index 0000000..1348cb1
--- /dev/null
+++ b/ufw/before.init
@@ -0,0 +1,40 @@
+#!/bin/sh
+#
+# before.init: if executable, called by ufw-init. See 'man ufw-framework' for
+# details. Note that output from these scripts is not seen via the
+# the ufw command, but instead via ufw-init.
+#
+# Copyright 2013 Canonical Ltd.
+#
+# This program is free software: you can redistribute it and/or modify
+# it under the terms of the GNU General Public License version 3,
+# as published by the Free Software Foundation.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program. If not, see .
+#
+set -e
+
+case "$1" in
+start)
+ # typically required
+ ;;
+stop)
+ # typically required
+ ;;
+status)
+ # optional
+ ;;
+flush-all)
+ # optional
+ ;;
+*)
+ echo "'$1' not supported"
+ echo "Usage: before.init {start|stop|flush-all|status}"
+ ;;
+esac
diff --git a/ufw/before.rules b/ufw/before.rules
new file mode 100644
index 0000000..23b384e
--- /dev/null
+++ b/ufw/before.rules
@@ -0,0 +1,75 @@
+#
+# rules.before
+#
+# Rules that should be run before the ufw command line added rules. Custom
+# rules should be added to one of these chains:
+# ufw-before-input
+# ufw-before-output
+# ufw-before-forward
+#
+
+# Don't delete these required lines, otherwise there will be errors
+*filter
+:ufw-before-input - [0:0]
+:ufw-before-output - [0:0]
+:ufw-before-forward - [0:0]
+:ufw-not-local - [0:0]
+# End required lines
+
+
+# allow all on loopback
+-A ufw-before-input -i lo -j ACCEPT
+-A ufw-before-output -o lo -j ACCEPT
+
+# quickly process packets for which we already have a connection
+-A ufw-before-input -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
+-A ufw-before-output -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
+-A ufw-before-forward -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
+
+# drop INVALID packets (logs these in loglevel medium and higher)
+-A ufw-before-input -m conntrack --ctstate INVALID -j ufw-logging-deny
+-A ufw-before-input -m conntrack --ctstate INVALID -j DROP
+
+# ok icmp codes for INPUT
+-A ufw-before-input -p icmp --icmp-type destination-unreachable -j ACCEPT
+-A ufw-before-input -p icmp --icmp-type time-exceeded -j ACCEPT
+-A ufw-before-input -p icmp --icmp-type parameter-problem -j ACCEPT
+-A ufw-before-input -p icmp --icmp-type echo-request -j ACCEPT
+
+# ok icmp code for FORWARD
+-A ufw-before-forward -p icmp --icmp-type destination-unreachable -j ACCEPT
+-A ufw-before-forward -p icmp --icmp-type time-exceeded -j ACCEPT
+-A ufw-before-forward -p icmp --icmp-type parameter-problem -j ACCEPT
+-A ufw-before-forward -p icmp --icmp-type echo-request -j ACCEPT
+
+# allow dhcp client to work
+-A ufw-before-input -p udp --sport 67 --dport 68 -j ACCEPT
+
+#
+# ufw-not-local
+#
+-A ufw-before-input -j ufw-not-local
+
+# if LOCAL, RETURN
+-A ufw-not-local -m addrtype --dst-type LOCAL -j RETURN
+
+# if MULTICAST, RETURN
+-A ufw-not-local -m addrtype --dst-type MULTICAST -j RETURN
+
+# if BROADCAST, RETURN
+-A ufw-not-local -m addrtype --dst-type BROADCAST -j RETURN
+
+# all other non-local packets are dropped
+-A ufw-not-local -m limit --limit 3/min --limit-burst 10 -j ufw-logging-deny
+-A ufw-not-local -j DROP
+
+# allow MULTICAST mDNS for service discovery (be sure the MULTICAST line above
+# is uncommented)
+-A ufw-before-input -p udp -d 224.0.0.251 --dport 5353 -j ACCEPT
+
+# allow MULTICAST UPnP for service discovery (be sure the MULTICAST line above
+# is uncommented)
+-A ufw-before-input -p udp -d 239.255.255.250 --dport 1900 -j ACCEPT
+
+# don't delete the 'COMMIT' line or these rules won't be processed
+COMMIT
diff --git a/ufw/before6.rules b/ufw/before6.rules
new file mode 100644
index 0000000..abebbe7
--- /dev/null
+++ b/ufw/before6.rules
@@ -0,0 +1,142 @@
+#
+# rules.before
+#
+# Rules that should be run before the ufw command line added rules. Custom
+# rules should be added to one of these chains:
+# ufw6-before-input
+# ufw6-before-output
+# ufw6-before-forward
+#
+
+# Don't delete these required lines, otherwise there will be errors
+*filter
+:ufw6-before-input - [0:0]
+:ufw6-before-output - [0:0]
+:ufw6-before-forward - [0:0]
+# End required lines
+
+
+# allow all on loopback
+-A ufw6-before-input -i lo -j ACCEPT
+-A ufw6-before-output -o lo -j ACCEPT
+
+# drop packets with RH0 headers
+-A ufw6-before-input -m rt --rt-type 0 -j DROP
+-A ufw6-before-forward -m rt --rt-type 0 -j DROP
+-A ufw6-before-output -m rt --rt-type 0 -j DROP
+
+# quickly process packets for which we already have a connection
+-A ufw6-before-input -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
+-A ufw6-before-output -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
+-A ufw6-before-forward -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
+
+# multicast ping replies are part of the ok icmp codes for INPUT (rfc4890,
+# 4.4.1 and 4.4.2), but don't have an associated connection and are otherwise
+# be marked INVALID, so allow here instead.
+-A ufw6-before-input -p icmpv6 --icmpv6-type echo-reply -j ACCEPT
+
+# drop INVALID packets (logs these in loglevel medium and higher)
+-A ufw6-before-input -m conntrack --ctstate INVALID -j ufw6-logging-deny
+-A ufw6-before-input -m conntrack --ctstate INVALID -j DROP
+
+# ok icmp codes for INPUT (rfc4890, 4.4.1 and 4.4.2)
+-A ufw6-before-input -p icmpv6 --icmpv6-type destination-unreachable -j ACCEPT
+-A ufw6-before-input -p icmpv6 --icmpv6-type packet-too-big -j ACCEPT
+# codes 0 and 1
+-A ufw6-before-input -p icmpv6 --icmpv6-type time-exceeded -j ACCEPT
+# codes 0-2 (echo-reply needs to be before INVALID, see above)
+-A ufw6-before-input -p icmpv6 --icmpv6-type parameter-problem -j ACCEPT
+-A ufw6-before-input -p icmpv6 --icmpv6-type echo-request -j ACCEPT
+-A ufw6-before-input -p icmpv6 --icmpv6-type router-solicitation -m hl --hl-eq 255 -j ACCEPT
+-A ufw6-before-input -p icmpv6 --icmpv6-type router-advertisement -m hl --hl-eq 255 -j ACCEPT
+-A ufw6-before-input -p icmpv6 --icmpv6-type neighbor-solicitation -m hl --hl-eq 255 -j ACCEPT
+-A ufw6-before-input -p icmpv6 --icmpv6-type neighbor-advertisement -m hl --hl-eq 255 -j ACCEPT
+# IND solicitation
+-A ufw6-before-input -p icmpv6 --icmpv6-type 141 -m hl --hl-eq 255 -j ACCEPT
+# IND advertisement
+-A ufw6-before-input -p icmpv6 --icmpv6-type 142 -m hl --hl-eq 255 -j ACCEPT
+# MLD query
+-A ufw6-before-input -p icmpv6 --icmpv6-type 130 -s fe80::/10 -j ACCEPT
+# MLD report
+-A ufw6-before-input -p icmpv6 --icmpv6-type 131 -s fe80::/10 -j ACCEPT
+# MLD done
+-A ufw6-before-input -p icmpv6 --icmpv6-type 132 -s fe80::/10 -j ACCEPT
+# MLD report v2
+-A ufw6-before-input -p icmpv6 --icmpv6-type 143 -s fe80::/10 -j ACCEPT
+# SEND certificate path solicitation
+-A ufw6-before-input -p icmpv6 --icmpv6-type 148 -m hl --hl-eq 255 -j ACCEPT
+# SEND certificate path advertisement
+-A ufw6-before-input -p icmpv6 --icmpv6-type 149 -m hl --hl-eq 255 -j ACCEPT
+# MR advertisement
+-A ufw6-before-input -p icmpv6 --icmpv6-type 151 -s fe80::/10 -m hl --hl-eq 1 -j ACCEPT
+# MR solicitation
+-A ufw6-before-input -p icmpv6 --icmpv6-type 152 -s fe80::/10 -m hl --hl-eq 1 -j ACCEPT
+# MR termination
+-A ufw6-before-input -p icmpv6 --icmpv6-type 153 -s fe80::/10 -m hl --hl-eq 1 -j ACCEPT
+
+# ok icmp codes for OUTPUT (rfc4890, 4.4.1 and 4.4.2)
+-A ufw6-before-output -p icmpv6 --icmpv6-type destination-unreachable -j ACCEPT
+-A ufw6-before-output -p icmpv6 --icmpv6-type packet-too-big -j ACCEPT
+# codes 0 and 1
+-A ufw6-before-output -p icmpv6 --icmpv6-type time-exceeded -j ACCEPT
+# codes 0-2
+-A ufw6-before-output -p icmpv6 --icmpv6-type parameter-problem -j ACCEPT
+-A ufw6-before-output -p icmpv6 --icmpv6-type echo-request -j ACCEPT
+-A ufw6-before-output -p icmpv6 --icmpv6-type echo-reply -j ACCEPT
+-A ufw6-before-output -p icmpv6 --icmpv6-type router-solicitation -m hl --hl-eq 255 -j ACCEPT
+-A ufw6-before-output -p icmpv6 --icmpv6-type neighbor-advertisement -m hl --hl-eq 255 -j ACCEPT
+-A ufw6-before-output -p icmpv6 --icmpv6-type neighbor-solicitation -m hl --hl-eq 255 -j ACCEPT
+-A ufw6-before-output -p icmpv6 --icmpv6-type router-advertisement -m hl --hl-eq 255 -j ACCEPT
+# IND solicitation
+-A ufw6-before-output -p icmpv6 --icmpv6-type 141 -m hl --hl-eq 255 -j ACCEPT
+# IND advertisement
+-A ufw6-before-output -p icmpv6 --icmpv6-type 142 -m hl --hl-eq 255 -j ACCEPT
+# MLD query
+-A ufw6-before-output -p icmpv6 --icmpv6-type 130 -s fe80::/10 -j ACCEPT
+# MLD report
+-A ufw6-before-output -p icmpv6 --icmpv6-type 131 -s fe80::/10 -j ACCEPT
+# MLD done
+-A ufw6-before-output -p icmpv6 --icmpv6-type 132 -s fe80::/10 -j ACCEPT
+# MLD report v2
+-A ufw6-before-output -p icmpv6 --icmpv6-type 143 -s fe80::/10 -j ACCEPT
+# SEND certificate path solicitation
+-A ufw6-before-output -p icmpv6 --icmpv6-type 148 -m hl --hl-eq 255 -j ACCEPT
+# SEND certificate path advertisement
+-A ufw6-before-output -p icmpv6 --icmpv6-type 149 -m hl --hl-eq 255 -j ACCEPT
+# MR advertisement
+-A ufw6-before-output -p icmpv6 --icmpv6-type 151 -s fe80::/10 -m hl --hl-eq 1 -j ACCEPT
+# MR solicitation
+-A ufw6-before-output -p icmpv6 --icmpv6-type 152 -s fe80::/10 -m hl --hl-eq 1 -j ACCEPT
+# MR termination
+-A ufw6-before-output -p icmpv6 --icmpv6-type 153 -s fe80::/10 -m hl --hl-eq 1 -j ACCEPT
+
+# ok icmp codes for FORWARD (rfc4890, 4.3.1)
+-A ufw6-before-forward -p icmpv6 --icmpv6-type destination-unreachable -j ACCEPT
+-A ufw6-before-forward -p icmpv6 --icmpv6-type packet-too-big -j ACCEPT
+# codes 0 and 1
+-A ufw6-before-forward -p icmpv6 --icmpv6-type time-exceeded -j ACCEPT
+# codes 0-2
+-A ufw6-before-forward -p icmpv6 --icmpv6-type parameter-problem -j ACCEPT
+-A ufw6-before-forward -p icmpv6 --icmpv6-type echo-request -j ACCEPT
+-A ufw6-before-forward -p icmpv6 --icmpv6-type echo-reply -j ACCEPT
+# ok icmp codes for FORWARD (rfc4890, 4.3.2)
+# Home Agent Address Discovery Reques
+-A ufw6-before-input -p icmpv6 --icmpv6-type 144 -j ACCEPT
+# Home Agent Address Discovery Reply
+-A ufw6-before-input -p icmpv6 --icmpv6-type 145 -j ACCEPT
+# Mobile Prefix Solicitation
+-A ufw6-before-input -p icmpv6 --icmpv6-type 146 -j ACCEPT
+# Mobile Prefix Advertisement
+-A ufw6-before-input -p icmpv6 --icmpv6-type 147 -j ACCEPT
+
+# allow dhcp client to work
+-A ufw6-before-input -p udp -s fe80::/10 --sport 547 -d fe80::/10 --dport 546 -j ACCEPT
+
+# allow MULTICAST mDNS for service discovery
+-A ufw6-before-input -p udp -d ff02::fb --dport 5353 -j ACCEPT
+
+# allow MULTICAST UPnP for service discovery
+-A ufw6-before-input -p udp -d ff02::f --dport 1900 -j ACCEPT
+
+# don't delete the 'COMMIT' line or these rules won't be processed
+COMMIT
diff --git a/ufw/sysctl.conf b/ufw/sysctl.conf
new file mode 100644
index 0000000..7bebf81
--- /dev/null
+++ b/ufw/sysctl.conf
@@ -0,0 +1,41 @@
+#
+# Configuration file for setting network variables. Please note these settings
+# override /etc/sysctl.conf and /etc/sysctl.d. If you prefer to use
+# /etc/sysctl.conf, please adjust IPT_SYSCTL in /etc/default/ufw. See
+# Documentation/networking/ip-sysctl.txt in the kernel source code for more
+# information.
+#
+
+# Uncomment this to allow this host to route packets between interfaces
+#net/ipv4/ip_forward=1
+#net/ipv6/conf/default/forwarding=1
+#net/ipv6/conf/all/forwarding=1
+
+# Disable ICMP redirects. ICMP redirects are rarely used but can be used in
+# MITM (man-in-the-middle) attacks. Disabling ICMP may disrupt legitimate
+# traffic to those sites.
+net/ipv4/conf/all/accept_redirects=0
+net/ipv4/conf/default/accept_redirects=0
+net/ipv6/conf/all/accept_redirects=0
+net/ipv6/conf/default/accept_redirects=0
+
+# Ignore bogus ICMP errors
+net/ipv4/icmp_echo_ignore_broadcasts=1
+net/ipv4/icmp_ignore_bogus_error_responses=1
+net/ipv4/icmp_echo_ignore_all=0
+
+# Don't log Martian Packets (impossible addresses)
+# packets
+net/ipv4/conf/all/log_martians=0
+net/ipv4/conf/default/log_martians=0
+
+#net/ipv4/tcp_fin_timeout=30
+#net/ipv4/tcp_keepalive_intvl=1800
+
+# Uncomment this to turn off ipv6 autoconfiguration
+#net/ipv6/conf/default/autoconf=1
+#net/ipv6/conf/all/autoconf=1
+
+# Uncomment this to enable ipv6 privacy addressing
+#net/ipv6/conf/default/use_tempaddr=2
+#net/ipv6/conf/all/use_tempaddr=2
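Review bot: `log_martians=0` at L805–L806 switches off the kernel's only signal for packets with impossible source addresses, on a host that sits between an internal network and whatever it proxies for; for detection on a reverse proxy `net/ipv4/conf/all/log_martians=1` (with `net/ipv4/conf/default/log_martians=1`) is the more useful default, rate-limited by the kernel anyway. The header at L778–L780 states that keys here take precedence over `/etc/sysctl.conf` and `/etc/sysctl.d`, so any hardening set there for the same keys is masked by this file; a comment near L803 saying which setting is intended to win would prevent the two being tuned in opposite directions.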
diff --git a/ufw/ufw.conf b/ufw/ufw.conf
new file mode 100644
index 0000000..28fe534
--- /dev/null
+++ b/ufw/ufw.conf
@@ -0,0 +1,10 @@
+# /etc/ufw/ufw.conf
+#
+
+# Set to yes to start on boot. If setting this remotely, be sure to add a rule
+# to allow your remote connection before starting ufw. Eg: 'ufw allow 22/tcp'
+ENABLED=yes
+
+# Please use the 'ufw' command to set the loglevel. Eg: 'ufw logging medium'.
+# See 'man ufw' for details.
+LOGLEVEL=low
diff --git a/ufw/user.rules b/ufw/user.rules
new file mode 100644
index 0000000..fd8a72a
--- /dev/null
+++ b/ufw/user.rules
@@ -0,0 +1,59 @@
+*filter
+:ufw-user-input - [0:0]
+:ufw-user-output - [0:0]
+:ufw-user-forward - [0:0]
+:ufw-before-logging-input - [0:0]
+:ufw-before-logging-output - [0:0]
+:ufw-before-logging-forward - [0:0]
+:ufw-user-logging-input - [0:0]
+:ufw-user-logging-output - [0:0]
+:ufw-user-logging-forward - [0:0]
+:ufw-after-logging-input - [0:0]
+:ufw-after-logging-output - [0:0]
+:ufw-after-logging-forward - [0:0]
+:ufw-logging-deny - [0:0]
+:ufw-logging-allow - [0:0]
+:ufw-user-limit - [0:0]
+:ufw-user-limit-accept - [0:0]
+### RULES ###
+
+### tuple ### allow tcp 22 0.0.0.0/0 any 0.0.0.0/0 in
+-A ufw-user-input -p tcp --dport 22 -j ACCEPT
+
+### tuple ### allow tcp 80 0.0.0.0/0 any 0.0.0.0/0 in
+-A ufw-user-input -p tcp --dport 80 -j ACCEPT
+
+### tuple ### allow any 443 0.0.0.0/0 any 0.0.0.0/0 in
+-A ufw-user-input -p tcp --dport 443 -j ACCEPT
+-A ufw-user-input -p udp --dport 443 -j ACCEPT
+
+### tuple ### allow any any 0.0.0.0/0 any 172.16.254.11 in
+-A ufw-user-input -s 172.16.254.11 -j ACCEPT
+
+### tuple ### allow any any 0.0.0.0/0 any 172.16.254.125 in
+-A ufw-user-input -s 172.16.254.125 -j ACCEPT
+
+### tuple ### allow udp 443 0.0.0.0/0 any 0.0.0.0/0 in
+-A ufw-user-input -p udp --dport 443 -j ACCEPT
+
+### tuple ### allow udp 80 0.0.0.0/0 any 0.0.0.0/0 in
+-A ufw-user-input -p udp --dport 80 -j ACCEPT
+
+### tuple ### allow tcp 10051 0.0.0.0/0 any 0.0.0.0/0 in
+-A ufw-user-input -p tcp --dport 10051 -j ACCEPT
+
+### END RULES ###
+
+### LOGGING ###
+-A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10
+-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10
+-A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10
+-A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10
+### END LOGGING ###
+
+### RATE LIMITING ###
+-A ufw-user-limit -m limit --limit 3/minute -j LOG --log-prefix "[UFW LIMIT BLOCK] "
+-A ufw-user-limit -j REJECT
+-A ufw-user-limit-accept -j ACCEPT
+### END RATE LIMITING ###
+COMMIT
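Review bot: `-A ufw-user-input -p udp --dport 443 -j ACCEPT` is inserted twice (L867 from the `allow any 443` tuple and L876 from `allow udp 443`), and `udp --dport 80` (L879) is opened although nothing in this commit runs a UDP service on port 80, so both widen the accepted surface without a matching service; the same duplicate udp/443 (L932, L935) and udp/80 (L938) appear in `ufw/user6.rules`. The `### tuple ###` markers show the file is generated by the `ufw` command, so these should be removed through the CLI rather than by hand, otherwise the next rule change regenerates the file and the synced copy diverges. The two `allow any any … 172.16.254.11` / `172.16.254.125` entries (L870, L873) grant those hosts unrestricted inbound access and carry no record of what they are; attaching the rationale with ufw's rule `comment` option keeps it in the regenerated file, e.g. `### tuple ### allow any any 0.0.0.0/0 any 172.16.254.11 in` gaining a `comment=<ROLE OF HOST>` field when re-added through the CLI.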
diff --git a/ufw/user6.rules b/ufw/user6.rules
new file mode 100644
index 0000000..693b335
--- /dev/null
+++ b/ufw/user6.rules
@@ -0,0 +1,53 @@
+*filter
+:ufw6-user-input - [0:0]
+:ufw6-user-output - [0:0]
+:ufw6-user-forward - [0:0]
+:ufw6-before-logging-input - [0:0]
+:ufw6-before-logging-output - [0:0]
+:ufw6-before-logging-forward - [0:0]
+:ufw6-user-logging-input - [0:0]
+:ufw6-user-logging-output - [0:0]
+:ufw6-user-logging-forward - [0:0]
+:ufw6-after-logging-input - [0:0]
+:ufw6-after-logging-output - [0:0]
+:ufw6-after-logging-forward - [0:0]
+:ufw6-logging-deny - [0:0]
+:ufw6-logging-allow - [0:0]
+:ufw6-user-limit - [0:0]
+:ufw6-user-limit-accept - [0:0]
+### RULES ###
+
+### tuple ### allow tcp 22 ::/0 any ::/0 in
+-A ufw6-user-input -p tcp --dport 22 -j ACCEPT
+
+### tuple ### allow tcp 80 ::/0 any ::/0 in
+-A ufw6-user-input -p tcp --dport 80 -j ACCEPT
+
+### tuple ### allow any 443 ::/0 any ::/0 in
+-A ufw6-user-input -p tcp --dport 443 -j ACCEPT
+-A ufw6-user-input -p udp --dport 443 -j ACCEPT
+
+### tuple ### allow udp 443 ::/0 any ::/0 in
+-A ufw6-user-input -p udp --dport 443 -j ACCEPT
+
+### tuple ### allow udp 80 ::/0 any ::/0 in
+-A ufw6-user-input -p udp --dport 80 -j ACCEPT
+
+### tuple ### allow tcp 10051 ::/0 any ::/0 in
+-A ufw6-user-input -p tcp --dport 10051 -j ACCEPT
+
+### END RULES ###
+
+### LOGGING ###
+-A ufw6-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10
+-I ufw6-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10
+-A ufw6-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10
+-A ufw6-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10
+### END LOGGING ###
+
+### RATE LIMITING ###
+-A ufw6-user-limit -m limit --limit 3/minute -j LOG --log-prefix "[UFW LIMIT BLOCK] "
+-A ufw6-user-limit -j REJECT
+-A ufw6-user-limit-accept -j ACCEPT
+### END RATE LIMITING ###
+COMMIT