From 63bd86a06bdbfa5443ab7ad16e969b01a6a60ee1 Mon Sep 17 00:00:00 2001 
From: "srvproxy001.itguys.com.br" Date: Tue, 16 Sep 2025 19:22:23 -0300 Subject: [PATCH] =?UTF-8?q?[Auto-Sync]=20Atualiza=C3=A7=C3=A3o=20das=20con?= =?UTF-8?q?figura=C3=A7=C3=B5es=20em=20srvproxy001.itguys.com.br=20-=20202?= =?UTF-8?q?5-09-16=2019:22:23?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- _automation_scripts/etc/proxy-sinc/paths.conf | 6 + hosts | 9 ++ nginx.service | 30 ++++ nsswitch.conf | 20 +++ override.conf | 2 + resolv.conf | 2 + ufw/after.init | 40 +++++ ufw/after.rules | 30 ++++ ufw/after6.rules | 27 ++++ ufw/applications.d/nginx | 14 ++ ufw/applications.d/openssh-server | 4 + ufw/applications.d/ufw-bittorent | 19 +++ ufw/applications.d/ufw-chat | 35 +++++ ufw/applications.d/ufw-directoryserver | 29 ++++ ufw/applications.d/ufw-dnsserver | 4 + ufw/applications.d/ufw-fileserver | 14 ++ ufw/applications.d/ufw-loginserver | 14 ++ ufw/applications.d/ufw-mailserver | 30 ++++ ufw/applications.d/ufw-printserver | 9 ++ ufw/applications.d/ufw-proxyserver | 9 ++ ufw/applications.d/ufw-webserver | 19 +++ ufw/before.init | 40 +++++ ufw/before.rules | 75 +++++++++ ufw/before6.rules | 142 ++++++++++++++++++ ufw/sysctl.conf | 41 +++++ ufw/ufw.conf | 10 ++ ufw/user.rules | 59 ++++++++ ufw/user6.rules | 53 +++++++ 28 files changed, 786 insertions(+) create mode 100644 hosts create mode 100644 nginx.service create mode 100644 nsswitch.conf create mode 100644 override.conf create mode 100644 resolv.conf create mode 100644 ufw/after.init create mode 100644 ufw/after.rules create mode 100644 ufw/after6.rules create mode 100644 ufw/applications.d/nginx create mode 100644 ufw/applications.d/openssh-server create mode 100644 ufw/applications.d/ufw-bittorent create mode 100644 ufw/applications.d/ufw-chat create mode 100644 ufw/applications.d/ufw-directoryserver create mode 100644 ufw/applications.d/ufw-dnsserver create mode 100644 ufw/applications.d/ufw-fileserver create mode 100644 ufw/applications.d/ufw-loginserver create 
mode 100644 ufw/applications.d/ufw-mailserver create mode 100644 ufw/applications.d/ufw-printserver create mode 100644 ufw/applications.d/ufw-proxyserver create mode 100644 ufw/applications.d/ufw-webserver create mode 100644 ufw/before.init create mode 100644 ufw/before.rules create mode 100644 ufw/before6.rules create mode 100644 ufw/sysctl.conf create mode 100644 ufw/ufw.conf create mode 100644 ufw/user.rules create mode 100644 ufw/user6.rules diff --git a/_automation_scripts/etc/proxy-sinc/paths.conf b/_automation_scripts/etc/proxy-sinc/paths.conf index 8a4c2a8..39a9d8a 100644 --- a/_automation_scripts/etc/proxy-sinc/paths.conf +++ b/_automation_scripts/etc/proxy-sinc/paths.conf @@ -2,3 +2,9 @@ # Linhas que começam com '#' são ignoradas. /etc/nginx /etc/fail2ban +/etc/resolv.conf +/etc/nsswitch.conf +/etc/hosts +/etc/ufw +/lib/systemd/system/nginx.service +/etc/systemd/system/nginx.service.d/override.conf diff --git a/hosts b/hosts new file mode 100644 index 0000000..877d149 --- /dev/null +++ b/hosts @@ -0,0 +1,9 @@ +127.0.0.1 localhost +172.16.254.1 srvproxy001.itguys.com.br srvproxy001 +10.10.253.128 git.itguys.com.br git +172.16.254.59 zammad.itguys.com.br zammad + +# The following lines are desirable for IPv6 capable hosts +::1 localhost ip6-localhost ip6-loopback +ff02::1 ip6-allnodes +ff02::2 ip6-allrouters diff --git a/nginx.service b/nginx.service new file mode 100644 index 0000000..a63fa0f --- /dev/null +++ b/nginx.service 
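Review bot: The new `/etc/resolv.conf` entry in paths.conf may pick up a generated file rather than configuration: on Ubuntu hosts running systemd-resolved that path is normally a symlink to `/run/systemd/resolve/stub-resolv.conf`, so a sync that follows the link commits runtime state and a restore would replace the symlink with a static file. The resolv.conf committed in this same patch is a bare `search`/`nameserver` pair with no systemd-resolved header, which suggests it is hand-managed here, but the list should record that assumption, e.g. `# /etc/resolv.conf is expected to be a static file, not the systemd-resolved symlink`. Note also that `/etc/ufw` brings `user.rules` into the repository, which enumerates the allowlisted management addresses, so access to the sync target should be treated as sensitive.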
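Review bot: The static entries for `git.itguys.com.br` and `zammad.itguys.com.br` in hosts override DNS for those names (the nsswitch.conf in this patch resolves `hosts: files dns`), so an address change on either host is not picked up until this file is edited, and a stale pin would fail silently. A comment above those two lines stating why they are pinned (for instance, that the sync target must still resolve when the resolver is unavailable) would make the intent reviewable, e.g. `# pinned on purpose: overrides DNS for these names`.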
@@ -0,0 +1,30 @@
+# Stop dance for nginx
+# =======================
+#
+# ExecStop sends SIGQUIT (graceful stop) to the nginx process.
+# If, after 5s (--retry QUIT/5) nginx is still running, systemd takes control
+# and sends SIGTERM (fast shutdown) to the main process.
+# After another 5s (TimeoutStopSec=5), and if nginx is alive, systemd sends
+# SIGKILL to all the remaining processes in the process group (KillMode=mixed).
+#
+# nginx signals reference doc:
+# http://nginx.org/en/docs/control.html
+#
+[Unit]
+Description=A high performance web server and a reverse proxy server
+Documentation=man:nginx(8)
+After=network-online.target remote-fs.target nss-lookup.target
+Wants=network-online.target
+
+[Service]
+Type=forking
+PIDFile=/run/nginx.pid
+ExecStartPre=/usr/sbin/nginx -t -q -g 'daemon on; master_process on;'
+ExecStart=/usr/sbin/nginx -g 'daemon on; master_process on;'
+ExecReload=/usr/sbin/nginx -g 'daemon on; master_process on;' -s reload
+ExecStop=-/sbin/start-stop-daemon --quiet --stop --retry QUIT/5 --pidfile /run/nginx.pid
+TimeoutStopSec=5
+KillMode=mixed
+
+[Install]
+WantedBy=multi-user.target
diff --git a/nsswitch.conf b/nsswitch.conf
new file mode 100644
index 0000000..f20778e
--- /dev/null
+++ b/nsswitch.conf
@@ -0,0 +1,20 @@
+# /etc/nsswitch.conf
+#
+# Example configuration of GNU Name Service Switch functionality.
+# If you have the `glibc-doc-reference' and `info' packages installed, try:
+# `info libc "Name Service Switch"' for information about this file.
+
+passwd: files
+group: files
+shadow: files
+gshadow: files
+
+hosts: files dns
+networks: files
+
+protocols: db files
+services: db files
+ethers: db files
+rpc: db files
+
+netgroup: nis
diff --git a/override.conf b/override.conf
new file mode 100644
index 0000000..f36c535
--- /dev/null
+++ b/override.conf
@@ -0,0 +1,2 @@
+[Service]
+LimitNOFILE=65535
\ No newline at end of file
diff --git a/resolv.conf b/resolv.conf
new file mode 100644
index 0000000..4beb250
--- /dev/null
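Review bot: override.conf ends without a trailing newline (`\ No newline at end of file`) and gives no rationale for `LimitNOFILE=65535`, so the next person cannot tell whether the number was sized or copied. Add the newline and a one-line comment tying the value to what it bounds, e.g. `# fd limit for nginx: worker_processes * worker_connections must fit under this`. Since the drop-in is now synced alongside the package unit, the comment should also note that it only takes effect after `systemctl daemon-reload` and a restart of nginx.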
+++ b/resolv.conf
@@ -0,0 +1,2 @@
+search itguys.com.br
+nameserver 172.16.254.252
diff --git a/ufw/after.init b/ufw/after.init
new file mode 100644
index 0000000..e89217d
--- /dev/null
+++ b/ufw/after.init
@@ -0,0 +1,40 @@
+#!/bin/sh
+#
+# after.init: if executable, called by ufw-init. See 'man ufw-framework' for
+# details. Note that output from these scripts is not seen via the
+# the ufw command, but instead via ufw-init.
+#
+# Copyright 2013 Canonical Ltd.
+#
+# This program is free software: you can redistribute it and/or modify
+# it under the terms of the GNU General Public License version 3,
+# as published by the Free Software Foundation.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program. If not, see .
+#
+set -e
+
+case "$1" in
+start)
+ # typically required
+ ;;
+stop)
+ # typically required
+ ;;
+status)
+ # optional
+ ;;
+flush-all)
+ # optional
+ ;;
+*)
+ echo "'$1' not supported"
+ echo "Usage: after.init {start|stop|flush-all|status}"
+ ;;
+esac
diff --git a/ufw/after.rules b/ufw/after.rules
new file mode 100644
index 0000000..0d6c646
--- /dev/null
+++ b/ufw/after.rules
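Review bot: resolv.conf names a single resolver, `nameserver 172.16.254.252`, with no secondary, so an outage of that one host stops name resolution for everything on srvproxy001 (nginx upstream lookups, the sync to `git.itguys.com.br` unless the static hosts entry covers it, package updates). Add a second `nameserver` line pointing at an existing internal resolver (`nameserver SECONDARY_DNS_IP_PLACEHOLDER`) and consider `options timeout:2 attempts:2` so a failing primary is abandoned quickly instead of stalling each lookup for the default timeout.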
@@ -0,0 +1,30 @@
+#
+# rules.input-after
+#
+# Rules that should be run after the ufw command line added rules. Custom
+# rules should be added to one of these chains:
+# ufw-after-input
+# ufw-after-output
+# ufw-after-forward
+#
+
+# Don't delete these required lines, otherwise there will be errors
+*filter
+:ufw-after-input - [0:0]
+:ufw-after-output - [0:0]
+:ufw-after-forward - [0:0]
+# End required lines
+
+# don't log noisy services by default
+-A ufw-after-input -p udp --dport 137 -j ufw-skip-to-policy-input
+-A ufw-after-input -p udp --dport 138 -j ufw-skip-to-policy-input
+-A ufw-after-input -p tcp --dport 139 -j ufw-skip-to-policy-input
+-A ufw-after-input -p tcp --dport 445 -j ufw-skip-to-policy-input
+-A ufw-after-input -p udp --dport 67 -j ufw-skip-to-policy-input
+-A ufw-after-input -p udp --dport 68 -j ufw-skip-to-policy-input
+
+# don't log noisy broadcast
+-A ufw-after-input -m addrtype --dst-type BROADCAST -j ufw-skip-to-policy-input
+
+# don't delete the 'COMMIT' line or these rules won't be processed
+COMMIT
diff --git a/ufw/after6.rules b/ufw/after6.rules
new file mode 100644
index 0000000..0d99672
--- /dev/null
+++ b/ufw/after6.rules
@@ -0,0 +1,27 @@
+#
+# rules.input-after
+#
+# Rules that should be run after the ufw command line added rules. Custom
+# rules should be added to one of these chains:
+# ufw6-after-input
+# ufw6-after-output
+# ufw6-after-forward
+#
+
+# Don't delete these required lines, otherwise there will be errors
+*filter
+:ufw6-after-input - [0:0]
+:ufw6-after-output - [0:0]
+:ufw6-after-forward - [0:0]
+# End required lines
+
+# don't log noisy services by default
+-A ufw6-after-input -p udp --dport 137 -j ufw6-skip-to-policy-input
+-A ufw6-after-input -p udp --dport 138 -j ufw6-skip-to-policy-input
+-A ufw6-after-input -p tcp --dport 139 -j ufw6-skip-to-policy-input
+-A ufw6-after-input -p tcp --dport 445 -j ufw6-skip-to-policy-input
+-A ufw6-after-input -p udp --dport 546 -j ufw6-skip-to-policy-input
+-A ufw6-after-input -p udp --dport 547 -j ufw6-skip-to-policy-input
+
+# don't delete the 'COMMIT' line or these rules won't be processed
+COMMIT
diff --git a/ufw/applications.d/nginx b/ufw/applications.d/nginx
new file mode 100644
index 0000000..0cb0449
--- /dev/null
+++ b/ufw/applications.d/nginx
@@ -0,0 +1,14 @@
+[Nginx HTTP]
+title=Web Server (Nginx, HTTP)
+description=Small, but very powerful and efficient web server
+ports=80/tcp
+
+[Nginx HTTPS]
+title=Web Server (Nginx, HTTPS)
+description=Small, but very powerful and efficient web server
+ports=443/tcp
+
+[Nginx Full]
+title=Web Server (Nginx, HTTP + HTTPS)
+description=Small, but very powerful and efficient web server
+ports=80,443/tcp
diff --git a/ufw/applications.d/openssh-server b/ufw/applications.d/openssh-server
new file mode 100644
index 0000000..9bbe906
--- /dev/null
+++ b/ufw/applications.d/openssh-server
@@ -0,0 +1,4 @@
+[OpenSSH]
+title=Secure shell server, an rshd replacement
+description=OpenSSH is a free implementation of the Secure Shell protocol.
+ports=22/tcp
diff --git a/ufw/applications.d/ufw-bittorent b/ufw/applications.d/ufw-bittorent
new file mode 100644
index 0000000..171fce2
--- /dev/null
+++ b/ufw/applications.d/ufw-bittorent
@@ -0,0 +1,19 @@
+[Transmission]
+title=Transmission
+description=Transmission BitTorrent client
+ports=51413
+
+[Deluge]
+title=Deluge
+description=Deluge BitTorrent client
+ports=6881:6891/tcp
+
+[KTorrent]
+title=KTorrent
+description=KTorrent BitTorrent client
+ports=6881/tcp|4444/udp
+
+[qBittorrent]
+title=qBittorrent
+description=qBittorrent BitTorrent client
+ports=6881/tcp
diff --git a/ufw/applications.d/ufw-chat b/ufw/applications.d/ufw-chat
new file mode 100644
index 0000000..32b4fe7
--- /dev/null
+++ b/ufw/applications.d/ufw-chat
@@ -0,0 +1,35 @@
+[PeopleNearby]
+title=People Nearby
+description=People Nearby (Bonjour/Salut) functionality in Empathy
+ports=5353/udp|5298
+
+[Bonjour]
+title=Bonjour
+description=Bonjour protocol
+ports=5353/udp|5298
+
+[MSN]
+title=MSN Chat
+description=MSN chat protocol (with file transfer and voice)
+ports=1863|6891:6900/tcp|6901
+
+[MSN SSL]
+title=MSN Chat (SSL)
+description=MSN chat protocol (SSL)
+ports=443/tcp
+
+[AIM]
+title=AIM Talk
+description=AIM talk protocol
+ports=5190/tcp
+
+[Yahoo]
+title=Yahoo Chat
+description=Yahoo chat protocol
+ports=5050
+
+[XMPP]
+title=XMPP Chat
+description=XMPP protocol (Jabber and Google Talk)
+ports=5222/tcp|5269/tcp
+
diff --git a/ufw/applications.d/ufw-directoryserver b/ufw/applications.d/ufw-directoryserver
new file mode 100644
index 0000000..90fa2f7
--- /dev/null
+++ b/ufw/applications.d/ufw-directoryserver
@@ -0,0 +1,29 @@
+[Kerberos KDC]
+title=Kerberos v5 KDC server
+description=Kerberos v5 KDC server
+ports=88
+
+[Kerberos Admin]
+title=Kerberos v5 admin
+description=Kerberos v5 server
+ports=749/tcp
+
+[Kerberos Password]
+title=Kerberos v5 password
+description=Kerberos v5 password
+ports=464/udp
+
+[Kerberos Full]
+title=Kerberos v5 server
+description=Kerberos v5 server
+ports=88,749/tcp|464/udp
+
+[LDAP]
+title=LDAP server
+description=LDAP server
+ports=389/tcp
+
+[LDAPS]
+title=LDAP server (LDAPS)
+description=LDAP server (LDAPS)
+ports=636/tcp
diff --git a/ufw/applications.d/ufw-dnsserver b/ufw/applications.d/ufw-dnsserver
new file mode 100644
index 0000000..7a61781
--- /dev/null
+++ b/ufw/applications.d/ufw-dnsserver
@@ -0,0 +1,4 @@
+[DNS]
+title=Internet Domain Name Server
+description=Internet Domain Name Server
+ports=53
diff --git a/ufw/applications.d/ufw-fileserver b/ufw/applications.d/ufw-fileserver
new file mode 100644
index 0000000..6cb4c77
--- /dev/null
+++ b/ufw/applications.d/ufw-fileserver
@@ -0,0 +1,14 @@
+[CIFS]
+title=SMB/CIFS server
+description=SMB/CIFS server
+ports=137,138/udp|139,445/tcp
+
+[NFS]
+title=NFS server
+description=NFS and portmap server. Will also need access to mountd, statd and possibly others
+ports=2049,111/tcp|2049,111/udp
+
+[svnserve]
+title=Subversion server
+description=Subversion server for access to Subversion repositories.
+ports=3690/tcp
diff --git a/ufw/applications.d/ufw-loginserver b/ufw/applications.d/ufw-loginserver
new file mode 100644
index 0000000..5f01853
--- /dev/null
+++ b/ufw/applications.d/ufw-loginserver
@@ -0,0 +1,14 @@
+[Telnet]
+title=Telnet server (insecure)
+description=Telnet server (insecure)
+ports=23/tcp
+
+[SSH]
+title=SSH server
+description=SSH server
+ports=22/tcp
+
+[VNC]
+title=VNC server
+description=VNC server
+ports=5900/tcp
diff --git a/ufw/applications.d/ufw-mailserver b/ufw/applications.d/ufw-mailserver
new file mode 100644
index 0000000..dd55cc0
--- /dev/null
+++ b/ufw/applications.d/ufw-mailserver
@@ -0,0 +1,30 @@
+[POP3]
+title=Mail server (POP3)
+description=Mail server (POP3)
+ports=110/tcp
+
+[POP3S]
+title=Secure mail server (POP3S)
+description=Secure mail server (POP3S)
+ports=995/tcp
+
+[IMAP]
+title=Mail server (IMAP)
+description=Mail server (IMAP)
+ports=143/tcp
+
+[IMAPS]
+title=Secure mail server (IMAPS)
+description=Secure mail server (IMAPS)
+ports=993/tcp
+
+[SMTP]
+title=Mail server (SMTP)
+description=Mail server (SMTP)
+ports=25/tcp
+
+[Mail submission]
+title=Mail server (Submission)
+description=Mail server (Submission)
+ports=587/tcp
+
diff --git a/ufw/applications.d/ufw-printserver b/ufw/applications.d/ufw-printserver
new file mode 100644
index 0000000..e634b61
--- /dev/null
+++ b/ufw/applications.d/ufw-printserver
@@ -0,0 +1,9 @@
+[IPP]
+title=Cups server (IPP)
+description=Cups server (IPP)
+ports=631
+
+[LPD]
+title=LPD server
+description=LPD server
+ports=515/tcp
diff --git a/ufw/applications.d/ufw-proxyserver b/ufw/applications.d/ufw-proxyserver
new file mode 100644
index 0000000..a598c98
--- /dev/null
+++ b/ufw/applications.d/ufw-proxyserver
@@ -0,0 +1,9 @@
+[Socks]
+title=Socks proxy
+description=Socks proxy
+ports=1080/tcp
+
+[Transparent Proxy]
+title=Transparent proxy
+description=Transparent proxy
+ports=8081/tcp
diff --git a/ufw/applications.d/ufw-webserver b/ufw/applications.d/ufw-webserver
new file mode 100644
index 0000000..fab4b82
--- /dev/null
+++ b/ufw/applications.d/ufw-webserver
@@ -0,0 +1,19 @@
+[WWW]
+title=Web Server
+description=Web server
+ports=80/tcp
+
+[WWW Secure]
+title=Web Server (HTTPS)
+description=Web Server (HTTPS)
+ports=443/tcp
+
+[WWW Full]
+title=Web Server (HTTP,HTTPS)
+description=Web Server (HTTP,HTTPS)
+ports=80,443/tcp
+
+[WWW Cache]
+title=Web Server (8080)
+description=Web Server (8080)
+ports=8080/tcp
diff --git a/ufw/before.init b/ufw/before.init
new file mode 100644
index 0000000..1348cb1
--- /dev/null
+++ b/ufw/before.init
@@ -0,0 +1,40 @@
+#!/bin/sh
+#
+# before.init: if executable, called by ufw-init. See 'man ufw-framework' for
+# details. Note that output from these scripts is not seen via the
+# the ufw command, but instead via ufw-init.
+#
+# Copyright 2013 Canonical Ltd.
+#
+# This program is free software: you can redistribute it and/or modify
+# it under the terms of the GNU General Public License version 3,
+# as published by the Free Software Foundation.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program. If not, see .
+#
+set -e
+
+case "$1" in
+start)
+ # typically required
+ ;;
+stop)
+ # typically required
+ ;;
+status)
+ # optional
+ ;;
+flush-all)
+ # optional
+ ;;
+*)
+ echo "'$1' not supported"
+ echo "Usage: before.init {start|stop|flush-all|status}"
+ ;;
+esac
diff --git a/ufw/before.rules b/ufw/before.rules
new file mode 100644
index 0000000..23b384e
--- /dev/null
+++ b/ufw/before.rules
@@ -0,0 +1,75 @@
+#
+# rules.before
+#
+# Rules that should be run before the ufw command line added rules. Custom
+# rules should be added to one of these chains:
+# ufw-before-input
+# ufw-before-output
+# ufw-before-forward
+#
+
+# Don't delete these required lines, otherwise there will be errors
+*filter
+:ufw-before-input - [0:0]
+:ufw-before-output - [0:0]
+:ufw-before-forward - [0:0]
+:ufw-not-local - [0:0]
+# End required lines
+
+
+# allow all on loopback
+-A ufw-before-input -i lo -j ACCEPT
+-A ufw-before-output -o lo -j ACCEPT
+
+# quickly process packets for which we already have a connection
+-A ufw-before-input -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
+-A ufw-before-output -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
+-A ufw-before-forward -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
+
+# drop INVALID packets (logs these in loglevel medium and higher)
+-A ufw-before-input -m conntrack --ctstate INVALID -j ufw-logging-deny
+-A ufw-before-input -m conntrack --ctstate INVALID -j DROP
+
+# ok icmp codes for INPUT
+-A ufw-before-input -p icmp --icmp-type destination-unreachable -j ACCEPT
+-A ufw-before-input -p icmp --icmp-type time-exceeded -j ACCEPT
+-A ufw-before-input -p icmp --icmp-type parameter-problem -j ACCEPT
+-A ufw-before-input -p icmp --icmp-type echo-request -j ACCEPT
+
+# ok icmp code for FORWARD
+-A ufw-before-forward -p icmp --icmp-type destination-unreachable -j ACCEPT
+-A ufw-before-forward -p icmp --icmp-type time-exceeded -j ACCEPT
+-A ufw-before-forward -p icmp --icmp-type parameter-problem -j ACCEPT
+-A ufw-before-forward -p icmp --icmp-type echo-request -j ACCEPT
+
+# allow dhcp client to work
+-A ufw-before-input -p udp --sport 67 --dport 68 -j ACCEPT
+
+#
+# ufw-not-local
+#
+-A ufw-before-input -j ufw-not-local
+
+# if LOCAL, RETURN
+-A ufw-not-local -m addrtype --dst-type LOCAL -j RETURN
+
+# if MULTICAST, RETURN
+-A ufw-not-local -m addrtype --dst-type MULTICAST -j RETURN
+
+# if BROADCAST, RETURN
+-A ufw-not-local -m addrtype --dst-type BROADCAST -j RETURN
+
+# all other non-local packets are dropped
+-A ufw-not-local -m limit --limit 3/min --limit-burst 10 -j ufw-logging-deny
+-A ufw-not-local -j DROP
+
+# allow MULTICAST mDNS for service discovery (be sure the MULTICAST line above
+# is uncommented)
+-A ufw-before-input -p udp -d 224.0.0.251 --dport 5353 -j ACCEPT
+
+# allow MULTICAST UPnP for service discovery (be sure the MULTICAST line above
+# is uncommented)
+-A ufw-before-input -p udp -d 239.255.255.250 --dport 1900 -j ACCEPT
+
+# don't delete the 'COMMIT' line or these rules won't be processed
+COMMIT
diff --git a/ufw/before6.rules b/ufw/before6.rules
new file mode 100644
index 0000000..abebbe7
--- /dev/null
+++ b/ufw/before6.rules
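Review bot: The two service-discovery accepts near the end of before.rules, `-A ufw-before-input -p udp -d 224.0.0.251 --dport 5353 -j ACCEPT` (mDNS) and `-A ufw-before-input -p udp -d 239.255.255.250 --dport 1900 -j ACCEPT` (UPnP/SSDP), are the Ubuntu desktop defaults and are carried here unchanged onto a host whose only visible service is nginx; nothing in this patch indicates a listener for either, so they are inbound exposure with no documented purpose. Now that the file is tracked per host, comment both out (and the matching `ff02::fb` and `ff02::f` lines at the end of before6.rules) unless something on srvproxy001 relies on them, and say so in a comment either way. The unrestricted `echo-request` accept in the INPUT block is likewise a default; it is a reasonable choice on an internal network but deserves a one-line comment recording that it is intentional.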
@@ -0,0 +1,142 @@
+#
+# rules.before
+#
+# Rules that should be run before the ufw command line added rules. Custom
+# rules should be added to one of these chains:
+# ufw6-before-input
+# ufw6-before-output
+# ufw6-before-forward
+#
+
+# Don't delete these required lines, otherwise there will be errors
+*filter
+:ufw6-before-input - [0:0]
+:ufw6-before-output - [0:0]
+:ufw6-before-forward - [0:0]
+# End required lines
+
+
+# allow all on loopback
+-A ufw6-before-input -i lo -j ACCEPT
+-A ufw6-before-output -o lo -j ACCEPT
+
+# drop packets with RH0 headers
+-A ufw6-before-input -m rt --rt-type 0 -j DROP
+-A ufw6-before-forward -m rt --rt-type 0 -j DROP
+-A ufw6-before-output -m rt --rt-type 0 -j DROP
+
+# quickly process packets for which we already have a connection
+-A ufw6-before-input -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
+-A ufw6-before-output -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
+-A ufw6-before-forward -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
+
+# multicast ping replies are part of the ok icmp codes for INPUT (rfc4890,
+# 4.4.1 and 4.4.2), but don't have an associated connection and are otherwise
+# be marked INVALID, so allow here instead.
+-A ufw6-before-input -p icmpv6 --icmpv6-type echo-reply -j ACCEPT
+
+# drop INVALID packets (logs these in loglevel medium and higher)
+-A ufw6-before-input -m conntrack --ctstate INVALID -j ufw6-logging-deny
+-A ufw6-before-input -m conntrack --ctstate INVALID -j DROP
+
+# ok icmp codes for INPUT (rfc4890, 4.4.1 and 4.4.2)
+-A ufw6-before-input -p icmpv6 --icmpv6-type destination-unreachable -j ACCEPT
+-A ufw6-before-input -p icmpv6 --icmpv6-type packet-too-big -j ACCEPT
+# codes 0 and 1
+-A ufw6-before-input -p icmpv6 --icmpv6-type time-exceeded -j ACCEPT
+# codes 0-2 (echo-reply needs to be before INVALID, see above)
+-A ufw6-before-input -p icmpv6 --icmpv6-type parameter-problem -j ACCEPT
+-A ufw6-before-input -p icmpv6 --icmpv6-type echo-request -j ACCEPT
+-A ufw6-before-input -p icmpv6 --icmpv6-type router-solicitation -m hl --hl-eq 255 -j ACCEPT
+-A ufw6-before-input -p icmpv6 --icmpv6-type router-advertisement -m hl --hl-eq 255 -j ACCEPT
+-A ufw6-before-input -p icmpv6 --icmpv6-type neighbor-solicitation -m hl --hl-eq 255 -j ACCEPT
+-A ufw6-before-input -p icmpv6 --icmpv6-type neighbor-advertisement -m hl --hl-eq 255 -j ACCEPT
+# IND solicitation
+-A ufw6-before-input -p icmpv6 --icmpv6-type 141 -m hl --hl-eq 255 -j ACCEPT
+# IND advertisement
+-A ufw6-before-input -p icmpv6 --icmpv6-type 142 -m hl --hl-eq 255 -j ACCEPT
+# MLD query
+-A ufw6-before-input -p icmpv6 --icmpv6-type 130 -s fe80::/10 -j ACCEPT
+# MLD report
+-A ufw6-before-input -p icmpv6 --icmpv6-type 131 -s fe80::/10 -j ACCEPT
+# MLD done
+-A ufw6-before-input -p icmpv6 --icmpv6-type 132 -s fe80::/10 -j ACCEPT
+# MLD report v2
+-A ufw6-before-input -p icmpv6 --icmpv6-type 143 -s fe80::/10 -j ACCEPT
+# SEND certificate path solicitation
+-A ufw6-before-input -p icmpv6 --icmpv6-type 148 -m hl --hl-eq 255 -j ACCEPT
+# SEND certificate path advertisement
+-A ufw6-before-input -p icmpv6 --icmpv6-type 149 -m hl --hl-eq 255 -j ACCEPT
+# MR advertisement
+-A ufw6-before-input -p icmpv6 --icmpv6-type 151 -s fe80::/10 -m hl --hl-eq 1 -j ACCEPT
+# MR solicitation
+-A ufw6-before-input -p icmpv6 --icmpv6-type 152 -s fe80::/10 -m hl --hl-eq 1 -j ACCEPT
+# MR termination
+-A ufw6-before-input -p icmpv6 --icmpv6-type 153 -s fe80::/10 -m hl --hl-eq 1 -j ACCEPT
+
+# ok icmp codes for OUTPUT (rfc4890, 4.4.1 and 4.4.2)
+-A ufw6-before-output -p icmpv6 --icmpv6-type destination-unreachable -j ACCEPT
+-A ufw6-before-output -p icmpv6 --icmpv6-type packet-too-big -j ACCEPT
+# codes 0 and 1
+-A ufw6-before-output -p icmpv6 --icmpv6-type time-exceeded -j ACCEPT
+# codes 0-2
+-A ufw6-before-output -p icmpv6 --icmpv6-type parameter-problem -j ACCEPT
+-A ufw6-before-output -p icmpv6 --icmpv6-type echo-request -j ACCEPT
+-A ufw6-before-output -p icmpv6 --icmpv6-type echo-reply -j ACCEPT
+-A ufw6-before-output -p icmpv6 --icmpv6-type router-solicitation -m hl --hl-eq 255 -j ACCEPT
+-A ufw6-before-output -p icmpv6 --icmpv6-type neighbor-advertisement -m hl --hl-eq 255 -j ACCEPT
+-A ufw6-before-output -p icmpv6 --icmpv6-type neighbor-solicitation -m hl --hl-eq 255 -j ACCEPT
+-A ufw6-before-output -p icmpv6 --icmpv6-type router-advertisement -m hl --hl-eq 255 -j ACCEPT
+# IND solicitation
+-A ufw6-before-output -p icmpv6 --icmpv6-type 141 -m hl --hl-eq 255 -j ACCEPT
+# IND advertisement
+-A ufw6-before-output -p icmpv6 --icmpv6-type 142 -m hl --hl-eq 255 -j ACCEPT
+# MLD query
+-A ufw6-before-output -p icmpv6 --icmpv6-type 130 -s fe80::/10 -j ACCEPT
+# MLD report
+-A ufw6-before-output -p icmpv6 --icmpv6-type 131 -s fe80::/10 -j ACCEPT
+# MLD done
+-A ufw6-before-output -p icmpv6 --icmpv6-type 132 -s fe80::/10 -j ACCEPT
+# MLD report v2
+-A ufw6-before-output -p icmpv6 --icmpv6-type 143 -s fe80::/10 -j ACCEPT
+# SEND certificate path solicitation
+-A ufw6-before-output -p icmpv6 --icmpv6-type 148 -m hl --hl-eq 255 -j ACCEPT
+# SEND certificate path advertisement
+-A ufw6-before-output -p icmpv6 --icmpv6-type 149 -m hl --hl-eq 255 -j ACCEPT
+# MR advertisement
+-A ufw6-before-output -p icmpv6 --icmpv6-type 151 -s fe80::/10 -m hl --hl-eq 1 -j ACCEPT
+# MR solicitation
+-A ufw6-before-output -p icmpv6 --icmpv6-type 152 -s fe80::/10 -m hl --hl-eq 1 -j ACCEPT
+# MR termination
+-A ufw6-before-output -p icmpv6 --icmpv6-type 153 -s fe80::/10 -m hl --hl-eq 1 -j ACCEPT
+
+# ok icmp codes for FORWARD (rfc4890, 4.3.1)
+-A ufw6-before-forward -p icmpv6 --icmpv6-type destination-unreachable -j ACCEPT
+-A ufw6-before-forward -p icmpv6 --icmpv6-type packet-too-big -j ACCEPT
+# codes 0 and 1
+-A ufw6-before-forward -p icmpv6 --icmpv6-type time-exceeded -j ACCEPT
+# codes 0-2
+-A ufw6-before-forward -p icmpv6 --icmpv6-type parameter-problem -j ACCEPT
+-A ufw6-before-forward -p icmpv6 --icmpv6-type echo-request -j ACCEPT
+-A ufw6-before-forward -p icmpv6 --icmpv6-type echo-reply -j ACCEPT
+# ok icmp codes for FORWARD (rfc4890, 4.3.2)
+# Home Agent Address Discovery Reques
+-A ufw6-before-input -p icmpv6 --icmpv6-type 144 -j ACCEPT
+# Home Agent Address Discovery Reply
+-A ufw6-before-input -p icmpv6 --icmpv6-type 145 -j ACCEPT
+# Mobile Prefix Solicitation
+-A ufw6-before-input -p icmpv6 --icmpv6-type 146 -j ACCEPT
+# Mobile Prefix Advertisement
+-A ufw6-before-input -p icmpv6 --icmpv6-type 147 -j ACCEPT
+
+# allow dhcp client to work
+-A ufw6-before-input -p udp -s fe80::/10 --sport 547 -d fe80::/10 --dport 546 -j ACCEPT
+
+# allow MULTICAST mDNS for service discovery
+-A ufw6-before-input -p udp -d ff02::fb --dport 5353 -j ACCEPT
+
+# allow MULTICAST UPnP for service discovery
+-A ufw6-before-input -p udp -d ff02::f --dport 1900 -j ACCEPT
+
+# don't delete the 'COMMIT' line or these rules won't be processed
+COMMIT
diff --git a/ufw/sysctl.conf b/ufw/sysctl.conf
new file mode 100644
index 0000000..7bebf81
--- /dev/null
+++ b/ufw/sysctl.conf
@@ -0,0 +1,41 @@
+#
+# Configuration file for setting network variables. Please note these settings
+# override /etc/sysctl.conf and /etc/sysctl.d. If you prefer to use
+# /etc/sysctl.conf, please adjust IPT_SYSCTL in /etc/default/ufw. See
+# Documentation/networking/ip-sysctl.txt in the kernel source code for more
+# information.
+#
+
+# Uncomment this to allow this host to route packets between interfaces
+#net/ipv4/ip_forward=1
+#net/ipv6/conf/default/forwarding=1
+#net/ipv6/conf/all/forwarding=1
+
+# Disable ICMP redirects. ICMP redirects are rarely used but can be used in
+# MITM (man-in-the-middle) attacks. Disabling ICMP may disrupt legitimate
+# traffic to those sites.
+net/ipv4/conf/all/accept_redirects=0
+net/ipv4/conf/default/accept_redirects=0
+net/ipv6/conf/all/accept_redirects=0
+net/ipv6/conf/default/accept_redirects=0
+
+# Ignore bogus ICMP errors
+net/ipv4/icmp_echo_ignore_broadcasts=1
+net/ipv4/icmp_ignore_bogus_error_responses=1
+net/ipv4/icmp_echo_ignore_all=0
+
+# Don't log Martian Packets (impossible addresses)
+# packets
+net/ipv4/conf/all/log_martians=0
+net/ipv4/conf/default/log_martians=0
+
+#net/ipv4/tcp_fin_timeout=30
+#net/ipv4/tcp_keepalive_intvl=1800
+
+# Uncomment this to turn off ipv6 autoconfiguration
+#net/ipv6/conf/default/autoconf=1
+#net/ipv6/conf/all/autoconf=1
+
+# Uncomment this to enable ipv6 privacy addressing
+#net/ipv6/conf/default/use_tempaddr=2
+#net/ipv6/conf/all/use_tempaddr=2
diff --git a/ufw/ufw.conf b/ufw/ufw.conf
new file mode 100644
index 0000000..28fe534
--- /dev/null
+++ b/ufw/ufw.conf
@@ -0,0 +1,10 @@
+# /etc/ufw/ufw.conf
+#
+
+# Set to yes to start on boot. If setting this remotely, be sure to add a rule
+# to allow your remote connection before starting ufw. Eg: 'ufw allow 22/tcp'
+ENABLED=yes
+
+# Please use the 'ufw' command to set the loglevel. Eg: 'ufw logging medium'.
+# See 'man ufw' for details.
+LOGLEVEL=low
diff --git a/ufw/user.rules b/ufw/user.rules
new file mode 100644
index 0000000..fd8a72a
--- /dev/null
+++ b/ufw/user.rules
@@ -0,0 +1,59 @@
+*filter
+:ufw-user-input - [0:0]
+:ufw-user-output - [0:0]
+:ufw-user-forward - [0:0]
+:ufw-before-logging-input - [0:0]
+:ufw-before-logging-output - [0:0]
+:ufw-before-logging-forward - [0:0]
+:ufw-user-logging-input - [0:0]
+:ufw-user-logging-output - [0:0]
+:ufw-user-logging-forward - [0:0]
+:ufw-after-logging-input - [0:0]
+:ufw-after-logging-output - [0:0]
+:ufw-after-logging-forward - [0:0]
+:ufw-logging-deny - [0:0]
+:ufw-logging-allow - [0:0]
+:ufw-user-limit - [0:0]
+:ufw-user-limit-accept - [0:0]
+### RULES ###
+
+### tuple ### allow tcp 22 0.0.0.0/0 any 0.0.0.0/0 in
+-A ufw-user-input -p tcp --dport 22 -j ACCEPT
+
+### tuple ### allow tcp 80 0.0.0.0/0 any 0.0.0.0/0 in
+-A ufw-user-input -p tcp --dport 80 -j ACCEPT
+
+### tuple ### allow any 443 0.0.0.0/0 any 0.0.0.0/0 in
+-A ufw-user-input -p tcp --dport 443 -j ACCEPT
+-A ufw-user-input -p udp --dport 443 -j ACCEPT
+
+### tuple ### allow any any 0.0.0.0/0 any 172.16.254.11 in
+-A ufw-user-input -s 172.16.254.11 -j ACCEPT
+
+### tuple ### allow any any 0.0.0.0/0 any 172.16.254.125 in
+-A ufw-user-input -s 172.16.254.125 -j ACCEPT
+
+### tuple ### allow udp 443 0.0.0.0/0 any 0.0.0.0/0 in
+-A ufw-user-input -p udp --dport 443 -j ACCEPT
+
+### tuple ### allow udp 80 0.0.0.0/0 any 0.0.0.0/0 in
+-A ufw-user-input -p udp --dport 80 -j ACCEPT
+
+### tuple ### allow tcp 10051 0.0.0.0/0 any 0.0.0.0/0 in
+-A ufw-user-input -p tcp --dport 10051 -j ACCEPT
+
+### END RULES ###
+
+### LOGGING ###
+-A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10
+-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10
+-A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10
+-A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10
+### END LOGGING ###
+
+### RATE LIMITING ###
+-A ufw-user-limit -m limit --limit 3/minute -j LOG --log-prefix "[UFW LIMIT BLOCK] "
+-A ufw-user-limit -j REJECT
+-A ufw-user-limit-accept -j ACCEPT
+### END RATE LIMITING ###
+COMMIT
diff --git a/ufw/user6.rules b/ufw/user6.rules
new file mode 100644
index 0000000..693b335
--- /dev/null
+++ b/ufw/user6.rules
@@ -0,0 +1,53 @@
+*filter
+:ufw6-user-input - [0:0]
+:ufw6-user-output - [0:0]
+:ufw6-user-forward - [0:0]
+:ufw6-before-logging-input - [0:0]
+:ufw6-before-logging-output - [0:0]
+:ufw6-before-logging-forward - [0:0]
+:ufw6-user-logging-input - [0:0]
+:ufw6-user-logging-output - [0:0]
+:ufw6-user-logging-forward - [0:0]
+:ufw6-after-logging-input - [0:0]
+:ufw6-after-logging-output - [0:0]
+:ufw6-after-logging-forward - [0:0]
+:ufw6-logging-deny - [0:0]
+:ufw6-logging-allow - [0:0]
+:ufw6-user-limit - [0:0]
+:ufw6-user-limit-accept - [0:0]
+### RULES ###
+
+### tuple ### allow tcp 22 ::/0 any ::/0 in
+-A ufw6-user-input -p tcp --dport 22 -j ACCEPT
+
+### tuple ### allow tcp 80 ::/0 any ::/0 in
+-A ufw6-user-input -p tcp --dport 80 -j ACCEPT
+
+### tuple ### allow any 443 ::/0 any ::/0 in
+-A ufw6-user-input -p tcp --dport 443 -j ACCEPT
+-A ufw6-user-input -p udp --dport 443 -j ACCEPT
+
+### tuple ### allow udp 443 ::/0 any ::/0 in
+-A ufw6-user-input -p udp --dport 443 -j ACCEPT
+
+### tuple ### allow udp 80 ::/0 any ::/0 in
+-A ufw6-user-input -p udp --dport 80 -j ACCEPT
+
+### tuple ### allow tcp 10051 ::/0 any ::/0 in
+-A ufw6-user-input -p tcp --dport 10051 -j ACCEPT
+
+### END RULES ###
+
+### LOGGING ###
+-A ufw6-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10
+-I ufw6-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10
+-A ufw6-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10
+-A ufw6-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10
+### END LOGGING ###
+
+### RATE LIMITING ###
+-A ufw6-user-limit -m limit --limit 3/minute -j LOG --log-prefix "[UFW LIMIT BLOCK] "
+-A ufw6-user-limit -j REJECT
+-A ufw6-user-limit-accept -j ACCEPT
+### END RATE LIMITING ###
+COMMIT