[Auto-Sync] Atualização das configurações em srvproxy001.itguys.com.br - 2025-09-16 19:22:23

_automation_scripts/etc/proxy-sinc/paths.conf

@@ -2,3 +2,9 @@
 # Linhas que começam com '#' são ignoradas.
 /etc/nginx
 /etc/fail2ban
+/etc/resolv.conf
+/etc/nsswitch.conf
+/etc/hosts
+/etc/ufw
+/lib/systemd/system/nginx.service
+/etc/systemd/system/nginx.service.d/override.conf

hosts

@@ -0,0 +1,9 @@
+127.0.0.1	localhost
+172.16.254.1	srvproxy001.itguys.com.br	srvproxy001
+10.10.253.128   git.itguys.com.br               git
+172.16.254.59   zammad.itguys.com.br            zammad
+
+# The following lines are desirable for IPv6 capable hosts
+::1     localhost ip6-localhost ip6-loopback
+ff02::1 ip6-allnodes
+ff02::2 ip6-allrouters

nginx.service

@@ -0,0 +1,30 @@
+# Stop dance for nginx
+# =======================
+#
+# ExecStop sends SIGQUIT (graceful stop) to the nginx process.
+# If, after 5s (--retry QUIT/5) nginx is still running, systemd takes control
+# and sends SIGTERM (fast shutdown) to the main process.
+# After another 5s (TimeoutStopSec=5), and if nginx is alive, systemd sends
+# SIGKILL to all the remaining processes in the process group (KillMode=mixed).
+#
+# nginx signals reference doc:
+# http://nginx.org/en/docs/control.html
+#
+[Unit]
+Description=A high performance web server and a reverse proxy server
+Documentation=man:nginx(8)
+After=network-online.target remote-fs.target nss-lookup.target
+Wants=network-online.target
+
+[Service]
+Type=forking
+PIDFile=/run/nginx.pid
+ExecStartPre=/usr/sbin/nginx -t -q -g 'daemon on; master_process on;'
+ExecStart=/usr/sbin/nginx -g 'daemon on; master_process on;'
+ExecReload=/usr/sbin/nginx -g 'daemon on; master_process on;' -s reload
+ExecStop=-/sbin/start-stop-daemon --quiet --stop --retry QUIT/5 --pidfile /run/nginx.pid
+TimeoutStopSec=5
+KillMode=mixed
+
+[Install]
+WantedBy=multi-user.target

nsswitch.conf

@@ -0,0 +1,20 @@
+# /etc/nsswitch.conf
+#
+# Example configuration of GNU Name Service Switch functionality.
+# If you have the `glibc-doc-reference' and `info' packages installed, try:
+# `info libc "Name Service Switch"' for information about this file.
+
+passwd:         files
+group:          files
+shadow:         files
+gshadow:        files
+
+hosts:          files dns
+networks:       files
+
+protocols:      db files
+services:       db files
+ethers:         db files
+rpc:            db files
+
+netgroup:       nis

override.conf

@@ -0,0 +1,2 @@
+[Service]
+LimitNOFILE=65535

resolv.conf

@@ -0,0 +1,2 @@
+search itguys.com.br
+nameserver 172.16.254.252

ufw/after.init

@@ -0,0 +1,40 @@
+#!/bin/sh
+#
+# after.init: if executable, called by ufw-init. See 'man ufw-framework' for
+#             details. Note that output from these scripts is not seen via the
+#             the ufw command, but instead via ufw-init.
+#
+# Copyright 2013 Canonical Ltd.
+#
+#    This program is free software: you can redistribute it and/or modify
+#    it under the terms of the GNU General Public License version 3,
+#    as published by the Free Software Foundation.
+#
+#    This program is distributed in the hope that it will be useful,
+#    but WITHOUT ANY WARRANTY; without even the implied warranty of
+#    MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+#    GNU General Public License for more details.
+#
+#    You should have received a copy of the GNU General Public License
+#    along with this program.  If not, see <http://www.gnu.org/licenses/>.
+#
+set -e
+
+case "$1" in
+start)
+    # typically required
+    ;;
+stop)
+    # typically required
+    ;;
+status)
+    # optional
+    ;;
+flush-all)
+    # optional
+    ;;
+*)
+    echo "'$1' not supported"
+    echo "Usage: after.init {start|stop|flush-all|status}"
+    ;;
+esac

ufw/after.rules

@@ -0,0 +1,30 @@
+#
+# rules.input-after
+#
+# Rules that should be run after the ufw command line added rules. Custom
+# rules should be added to one of these chains:
+#   ufw-after-input
+#   ufw-after-output
+#   ufw-after-forward
+#
+
+# Don't delete these required lines, otherwise there will be errors
+*filter
+:ufw-after-input - [0:0]
+:ufw-after-output - [0:0]
+:ufw-after-forward - [0:0]
+# End required lines
+
+# don't log noisy services by default
+-A ufw-after-input -p udp --dport 137 -j ufw-skip-to-policy-input
+-A ufw-after-input -p udp --dport 138 -j ufw-skip-to-policy-input
+-A ufw-after-input -p tcp --dport 139 -j ufw-skip-to-policy-input
+-A ufw-after-input -p tcp --dport 445 -j ufw-skip-to-policy-input
+-A ufw-after-input -p udp --dport 67 -j ufw-skip-to-policy-input
+-A ufw-after-input -p udp --dport 68 -j ufw-skip-to-policy-input
+
+# don't log noisy broadcast
+-A ufw-after-input -m addrtype --dst-type BROADCAST -j ufw-skip-to-policy-input
+
+# don't delete the 'COMMIT' line or these rules won't be processed
+COMMIT

ufw/after6.rules

@@ -0,0 +1,27 @@
+#
+# rules.input-after
+#
+# Rules that should be run after the ufw command line added rules. Custom
+# rules should be added to one of these chains:
+#   ufw6-after-input
+#   ufw6-after-output
+#   ufw6-after-forward
+#
+
+# Don't delete these required lines, otherwise there will be errors
+*filter
+:ufw6-after-input - [0:0]
+:ufw6-after-output - [0:0]
+:ufw6-after-forward - [0:0]
+# End required lines
+
+# don't log noisy services by default
+-A ufw6-after-input -p udp --dport 137 -j ufw6-skip-to-policy-input
+-A ufw6-after-input -p udp --dport 138 -j ufw6-skip-to-policy-input
+-A ufw6-after-input -p tcp --dport 139 -j ufw6-skip-to-policy-input
+-A ufw6-after-input -p tcp --dport 445 -j ufw6-skip-to-policy-input
+-A ufw6-after-input -p udp --dport 546 -j ufw6-skip-to-policy-input
+-A ufw6-after-input -p udp --dport 547 -j ufw6-skip-to-policy-input
+
+# don't delete the 'COMMIT' line or these rules won't be processed
+COMMIT

ufw/applications.d/nginx

@@ -0,0 +1,14 @@
+[Nginx HTTP]
+title=Web Server (Nginx, HTTP)
+description=Small, but very powerful and efficient web server
+ports=80/tcp
+
+[Nginx HTTPS]
+title=Web Server (Nginx, HTTPS)
+description=Small, but very powerful and efficient web server
+ports=443/tcp
+
+[Nginx Full]
+title=Web Server (Nginx, HTTP + HTTPS)
+description=Small, but very powerful and efficient web server
+ports=80,443/tcp

ufw/applications.d/openssh-server

@@ -0,0 +1,4 @@
+[OpenSSH]
+title=Secure shell server, an rshd replacement
+description=OpenSSH is a free implementation of the Secure Shell protocol.
+ports=22/tcp

ufw/applications.d/ufw-bittorent

@@ -0,0 +1,19 @@
+[Transmission]
+title=Transmission
+description=Transmission BitTorrent client
+ports=51413
+
+[Deluge]
+title=Deluge
+description=Deluge BitTorrent client
+ports=6881:6891/tcp
+
+[KTorrent]
+title=KTorrent
+description=KTorrent BitTorrent client
+ports=6881/tcp|4444/udp
+
+[qBittorrent]
+title=qBittorrent
+description=qBittorrent BitTorrent client
+ports=6881/tcp

ufw/applications.d/ufw-chat

@@ -0,0 +1,35 @@
+[PeopleNearby]
+title=People Nearby
+description=People Nearby (Bonjour/Salut) functionality in Empathy
+ports=5353/udp|5298
+
+[Bonjour]
+title=Bonjour
+description=Bonjour protocol
+ports=5353/udp|5298
+
+[MSN]
+title=MSN Chat
+description=MSN chat protocol (with file transfer and voice)
+ports=1863|6891:6900/tcp|6901
+
+[MSN SSL]
+title=MSN Chat (SSL)
+description=MSN chat protocol (SSL)
+ports=443/tcp
+
+[AIM]
+title=AIM Talk
+description=AIM talk protocol
+ports=5190/tcp
+
+[Yahoo]
+title=Yahoo Chat
+description=Yahoo chat protocol
+ports=5050
+
+[XMPP]
+title=XMPP Chat
+description=XMPP protocol (Jabber and Google Talk)
+ports=5222/tcp|5269/tcp
+

ufw/applications.d/ufw-directoryserver

@@ -0,0 +1,29 @@
+[Kerberos KDC]
+title=Kerberos v5 KDC server
+description=Kerberos v5 KDC server
+ports=88
+
+[Kerberos Admin]
+title=Kerberos v5 admin
+description=Kerberos v5 server
+ports=749/tcp
+
+[Kerberos Password]
+title=Kerberos v5 password
+description=Kerberos v5 password
+ports=464/udp
+
+[Kerberos Full]
+title=Kerberos v5 server
+description=Kerberos v5 server
+ports=88,749/tcp|464/udp
+
+[LDAP]
+title=LDAP server
+description=LDAP server
+ports=389/tcp
+
+[LDAPS]
+title=LDAP server (LDAPS)
+description=LDAP server (LDAPS)
+ports=636/tcp

ufw/applications.d/ufw-dnsserver

@@ -0,0 +1,4 @@
+[DNS]
+title=Internet Domain Name Server
+description=Internet Domain Name Server
+ports=53

ufw/applications.d/ufw-fileserver

@@ -0,0 +1,14 @@
+[CIFS]
+title=SMB/CIFS server
+description=SMB/CIFS server
+ports=137,138/udp|139,445/tcp
+
+[NFS]
+title=NFS server
+description=NFS and portmap server. Will also need access to mountd, statd and possibly others
+ports=2049,111/tcp|2049,111/udp
+
+[svnserve]
+title=Subversion server
+description=Subversion server for access to Subversion repositories.
+ports=3690/tcp

ufw/applications.d/ufw-loginserver

@@ -0,0 +1,14 @@
+[Telnet]
+title=Telnet server (insecure)
+description=Telnet server (insecure)
+ports=23/tcp
+
+[SSH]
+title=SSH server
+description=SSH server
+ports=22/tcp
+
+[VNC]
+title=VNC server
+description=VNC server
+ports=5900/tcp

ufw/applications.d/ufw-mailserver

@@ -0,0 +1,30 @@
+[POP3]
+title=Mail server (POP3)
+description=Mail server (POP3)
+ports=110/tcp
+
+[POP3S]
+title=Secure mail server (POP3S)
+description=Secure mail server (POP3S)
+ports=995/tcp
+
+[IMAP]
+title=Mail server (IMAP)
+description=Mail server (IMAP)
+ports=143/tcp
+
+[IMAPS]
+title=Secure mail server (IMAPS)
+description=Secure mail server (IMAPS)
+ports=993/tcp
+
+[SMTP]
+title=Mail server (SMTP)
+description=Mail server (SMTP)
+ports=25/tcp
+
+[Mail submission]
+title=Mail server (Submission)
+description=Mail server (Submission)
+ports=587/tcp
+

ufw/applications.d/ufw-printserver

@@ -0,0 +1,9 @@
+[IPP]
+title=Cups server (IPP)
+description=Cups server (IPP)
+ports=631
+
+[LPD]
+title=LPD server
+description=LPD server
+ports=515/tcp

ufw/applications.d/ufw-proxyserver

@@ -0,0 +1,9 @@
+[Socks]
+title=Socks proxy
+description=Socks proxy
+ports=1080/tcp
+
+[Transparent Proxy]
+title=Transparent proxy
+description=Transparent proxy
+ports=8081/tcp

ufw/applications.d/ufw-webserver

@@ -0,0 +1,19 @@
+[WWW]
+title=Web Server
+description=Web server
+ports=80/tcp
+
+[WWW Secure]
+title=Web Server (HTTPS)
+description=Web Server (HTTPS)
+ports=443/tcp
+
+[WWW Full]
+title=Web Server (HTTP,HTTPS)
+description=Web Server (HTTP,HTTPS)
+ports=80,443/tcp
+
+[WWW Cache]
+title=Web Server (8080)
+description=Web Server (8080)
+ports=8080/tcp

ufw/before.init

@@ -0,0 +1,40 @@
+#!/bin/sh
+#
+# before.init: if executable, called by ufw-init. See 'man ufw-framework' for
+#              details. Note that output from these scripts is not seen via the
+#              the ufw command, but instead via ufw-init.
+#
+# Copyright 2013 Canonical Ltd.
+#
+#    This program is free software: you can redistribute it and/or modify
+#    it under the terms of the GNU General Public License version 3,
+#    as published by the Free Software Foundation.
+#
+#    This program is distributed in the hope that it will be useful,
+#    but WITHOUT ANY WARRANTY; without even the implied warranty of
+#    MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+#    GNU General Public License for more details.
+#
+#    You should have received a copy of the GNU General Public License
+#    along with this program.  If not, see <http://www.gnu.org/licenses/>.
+#
+set -e
+
+case "$1" in
+start)
+    # typically required
+    ;;
+stop)
+    # typically required
+    ;;
+status)
+    # optional
+    ;;
+flush-all)
+    # optional
+    ;;
+*)
+    echo "'$1' not supported"
+    echo "Usage: before.init {start|stop|flush-all|status}"
+    ;;
+esac

ufw/before.rules

@@ -0,0 +1,75 @@
+#
+# rules.before
+#
+# Rules that should be run before the ufw command line added rules. Custom
+# rules should be added to one of these chains:
+#   ufw-before-input
+#   ufw-before-output
+#   ufw-before-forward
+#
+
+# Don't delete these required lines, otherwise there will be errors
+*filter
+:ufw-before-input - [0:0]
+:ufw-before-output - [0:0]
+:ufw-before-forward - [0:0]
+:ufw-not-local - [0:0]
+# End required lines
+
+
+# allow all on loopback
+-A ufw-before-input -i lo -j ACCEPT
+-A ufw-before-output -o lo -j ACCEPT
+
+# quickly process packets for which we already have a connection
+-A ufw-before-input -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
+-A ufw-before-output -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
+-A ufw-before-forward -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
+
+# drop INVALID packets (logs these in loglevel medium and higher)
+-A ufw-before-input -m conntrack --ctstate INVALID -j ufw-logging-deny
+-A ufw-before-input -m conntrack --ctstate INVALID -j DROP
+
+# ok icmp codes for INPUT
+-A ufw-before-input -p icmp --icmp-type destination-unreachable -j ACCEPT
+-A ufw-before-input -p icmp --icmp-type time-exceeded -j ACCEPT
+-A ufw-before-input -p icmp --icmp-type parameter-problem -j ACCEPT
+-A ufw-before-input -p icmp --icmp-type echo-request -j ACCEPT
+
+# ok icmp code for FORWARD
+-A ufw-before-forward -p icmp --icmp-type destination-unreachable -j ACCEPT
+-A ufw-before-forward -p icmp --icmp-type time-exceeded -j ACCEPT
+-A ufw-before-forward -p icmp --icmp-type parameter-problem -j ACCEPT
+-A ufw-before-forward -p icmp --icmp-type echo-request -j ACCEPT
+
+# allow dhcp client to work
+-A ufw-before-input -p udp --sport 67 --dport 68 -j ACCEPT
+
+#
+# ufw-not-local
+#
+-A ufw-before-input -j ufw-not-local
+
+# if LOCAL, RETURN
+-A ufw-not-local -m addrtype --dst-type LOCAL -j RETURN
+
+# if MULTICAST, RETURN
+-A ufw-not-local -m addrtype --dst-type MULTICAST -j RETURN
+
+# if BROADCAST, RETURN
+-A ufw-not-local -m addrtype --dst-type BROADCAST -j RETURN
+
+# all other non-local packets are dropped
+-A ufw-not-local -m limit --limit 3/min --limit-burst 10 -j ufw-logging-deny
+-A ufw-not-local -j DROP
+
+# allow MULTICAST mDNS for service discovery (be sure the MULTICAST line above
+# is uncommented)
+-A ufw-before-input -p udp -d 224.0.0.251 --dport 5353 -j ACCEPT
+
+# allow MULTICAST UPnP for service discovery (be sure the MULTICAST line above
+# is uncommented)
+-A ufw-before-input -p udp -d 239.255.255.250 --dport 1900 -j ACCEPT
+
+# don't delete the 'COMMIT' line or these rules won't be processed
+COMMIT

ufw/before6.rules

@@ -0,0 +1,142 @@
+#
+# rules.before
+#
+# Rules that should be run before the ufw command line added rules. Custom
+# rules should be added to one of these chains:
+#   ufw6-before-input
+#   ufw6-before-output
+#   ufw6-before-forward
+#
+
+# Don't delete these required lines, otherwise there will be errors
+*filter
+:ufw6-before-input - [0:0]
+:ufw6-before-output - [0:0]
+:ufw6-before-forward - [0:0]
+# End required lines
+
+
+# allow all on loopback
+-A ufw6-before-input -i lo -j ACCEPT
+-A ufw6-before-output -o lo -j ACCEPT
+
+# drop packets with RH0 headers
+-A ufw6-before-input -m rt --rt-type 0 -j DROP
+-A ufw6-before-forward -m rt --rt-type 0 -j DROP
+-A ufw6-before-output -m rt --rt-type 0 -j DROP
+
+# quickly process packets for which we already have a connection
+-A ufw6-before-input -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
+-A ufw6-before-output -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
+-A ufw6-before-forward -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
+
+# multicast ping replies are part of the ok icmp codes for INPUT (rfc4890,
+# 4.4.1 and 4.4.2), but don't have an associated connection and are otherwise
+# be marked INVALID, so allow here instead.
+-A ufw6-before-input -p icmpv6 --icmpv6-type echo-reply -j ACCEPT
+
+# drop INVALID packets (logs these in loglevel medium and higher)
+-A ufw6-before-input -m conntrack --ctstate INVALID -j ufw6-logging-deny
+-A ufw6-before-input -m conntrack --ctstate INVALID -j DROP
+
+# ok icmp codes for INPUT (rfc4890, 4.4.1 and 4.4.2)
+-A ufw6-before-input -p icmpv6 --icmpv6-type destination-unreachable -j ACCEPT
+-A ufw6-before-input -p icmpv6 --icmpv6-type packet-too-big -j ACCEPT
+# codes 0 and 1
+-A ufw6-before-input -p icmpv6 --icmpv6-type time-exceeded -j ACCEPT
+# codes 0-2 (echo-reply needs to be before INVALID, see above)
+-A ufw6-before-input -p icmpv6 --icmpv6-type parameter-problem -j ACCEPT
+-A ufw6-before-input -p icmpv6 --icmpv6-type echo-request -j ACCEPT
+-A ufw6-before-input -p icmpv6 --icmpv6-type router-solicitation -m hl --hl-eq 255 -j ACCEPT
+-A ufw6-before-input -p icmpv6 --icmpv6-type router-advertisement -m hl --hl-eq 255 -j ACCEPT
+-A ufw6-before-input -p icmpv6 --icmpv6-type neighbor-solicitation -m hl --hl-eq 255 -j ACCEPT
+-A ufw6-before-input -p icmpv6 --icmpv6-type neighbor-advertisement -m hl --hl-eq 255 -j ACCEPT
+# IND solicitation
+-A ufw6-before-input -p icmpv6 --icmpv6-type 141 -m hl --hl-eq 255 -j ACCEPT
+# IND advertisement
+-A ufw6-before-input -p icmpv6 --icmpv6-type 142 -m hl --hl-eq 255 -j ACCEPT
+# MLD query
+-A ufw6-before-input -p icmpv6 --icmpv6-type 130 -s fe80::/10 -j ACCEPT
+# MLD report
+-A ufw6-before-input -p icmpv6 --icmpv6-type 131 -s fe80::/10 -j ACCEPT
+# MLD done
+-A ufw6-before-input -p icmpv6 --icmpv6-type 132 -s fe80::/10 -j ACCEPT
+# MLD report v2
+-A ufw6-before-input -p icmpv6 --icmpv6-type 143 -s fe80::/10 -j ACCEPT
+# SEND certificate path solicitation
+-A ufw6-before-input -p icmpv6 --icmpv6-type 148 -m hl --hl-eq 255 -j ACCEPT
+# SEND certificate path advertisement
+-A ufw6-before-input -p icmpv6 --icmpv6-type 149 -m hl --hl-eq 255 -j ACCEPT
+# MR advertisement
+-A ufw6-before-input -p icmpv6 --icmpv6-type 151 -s fe80::/10 -m hl --hl-eq 1 -j ACCEPT
+# MR solicitation
+-A ufw6-before-input -p icmpv6 --icmpv6-type 152 -s fe80::/10 -m hl --hl-eq 1 -j ACCEPT
+# MR termination
+-A ufw6-before-input -p icmpv6 --icmpv6-type 153 -s fe80::/10 -m hl --hl-eq 1 -j ACCEPT
+
+# ok icmp codes for OUTPUT (rfc4890, 4.4.1 and 4.4.2)
+-A ufw6-before-output -p icmpv6 --icmpv6-type destination-unreachable -j ACCEPT
+-A ufw6-before-output -p icmpv6 --icmpv6-type packet-too-big -j ACCEPT
+# codes 0 and 1
+-A ufw6-before-output -p icmpv6 --icmpv6-type time-exceeded -j ACCEPT
+# codes 0-2
+-A ufw6-before-output -p icmpv6 --icmpv6-type parameter-problem -j ACCEPT
+-A ufw6-before-output -p icmpv6 --icmpv6-type echo-request -j ACCEPT
+-A ufw6-before-output -p icmpv6 --icmpv6-type echo-reply -j ACCEPT
+-A ufw6-before-output -p icmpv6 --icmpv6-type router-solicitation -m hl --hl-eq 255 -j ACCEPT
+-A ufw6-before-output -p icmpv6 --icmpv6-type neighbor-advertisement -m hl --hl-eq 255 -j ACCEPT
+-A ufw6-before-output -p icmpv6 --icmpv6-type neighbor-solicitation -m hl --hl-eq 255 -j ACCEPT
+-A ufw6-before-output -p icmpv6 --icmpv6-type router-advertisement -m hl --hl-eq 255 -j ACCEPT
+# IND solicitation
+-A ufw6-before-output -p icmpv6 --icmpv6-type 141 -m hl --hl-eq 255 -j ACCEPT
+# IND advertisement
+-A ufw6-before-output -p icmpv6 --icmpv6-type 142 -m hl --hl-eq 255 -j ACCEPT
+# MLD query
+-A ufw6-before-output -p icmpv6 --icmpv6-type 130 -s fe80::/10 -j ACCEPT
+# MLD report
+-A ufw6-before-output -p icmpv6 --icmpv6-type 131 -s fe80::/10 -j ACCEPT
+# MLD done
+-A ufw6-before-output -p icmpv6 --icmpv6-type 132 -s fe80::/10 -j ACCEPT
+# MLD report v2
+-A ufw6-before-output -p icmpv6 --icmpv6-type 143 -s fe80::/10 -j ACCEPT
+# SEND certificate path solicitation
+-A ufw6-before-output -p icmpv6 --icmpv6-type 148 -m hl --hl-eq 255 -j ACCEPT
+# SEND certificate path advertisement
+-A ufw6-before-output -p icmpv6 --icmpv6-type 149 -m hl --hl-eq 255 -j ACCEPT
+# MR advertisement
+-A ufw6-before-output -p icmpv6 --icmpv6-type 151 -s fe80::/10 -m hl --hl-eq 1 -j ACCEPT
+# MR solicitation
+-A ufw6-before-output -p icmpv6 --icmpv6-type 152 -s fe80::/10 -m hl --hl-eq 1 -j ACCEPT
+# MR termination
+-A ufw6-before-output -p icmpv6 --icmpv6-type 153 -s fe80::/10 -m hl --hl-eq 1 -j ACCEPT
+
+# ok icmp codes for FORWARD (rfc4890, 4.3.1)
+-A ufw6-before-forward -p icmpv6 --icmpv6-type destination-unreachable -j ACCEPT
+-A ufw6-before-forward -p icmpv6 --icmpv6-type packet-too-big -j ACCEPT
+# codes 0 and 1
+-A ufw6-before-forward -p icmpv6 --icmpv6-type time-exceeded -j ACCEPT
+# codes 0-2
+-A ufw6-before-forward -p icmpv6 --icmpv6-type parameter-problem -j ACCEPT
+-A ufw6-before-forward -p icmpv6 --icmpv6-type echo-request -j ACCEPT
+-A ufw6-before-forward -p icmpv6 --icmpv6-type echo-reply -j ACCEPT
+# ok icmp codes for FORWARD (rfc4890, 4.3.2)
+# Home Agent Address Discovery Reques
+-A ufw6-before-input -p icmpv6 --icmpv6-type 144 -j ACCEPT
+# Home Agent Address Discovery Reply
+-A ufw6-before-input -p icmpv6 --icmpv6-type 145 -j ACCEPT
+# Mobile Prefix Solicitation
+-A ufw6-before-input -p icmpv6 --icmpv6-type 146 -j ACCEPT
+# Mobile Prefix Advertisement
+-A ufw6-before-input -p icmpv6 --icmpv6-type 147 -j ACCEPT
+
+# allow dhcp client to work
+-A ufw6-before-input -p udp -s fe80::/10 --sport 547 -d fe80::/10 --dport 546 -j ACCEPT
+
+# allow MULTICAST mDNS for service discovery
+-A ufw6-before-input -p udp -d ff02::fb --dport 5353 -j ACCEPT
+
+# allow MULTICAST UPnP for service discovery
+-A ufw6-before-input -p udp -d ff02::f --dport 1900 -j ACCEPT
+
+# don't delete the 'COMMIT' line or these rules won't be processed
+COMMIT

ufw/sysctl.conf

@@ -0,0 +1,41 @@
+#
+# Configuration file for setting network variables. Please note these settings
+# override /etc/sysctl.conf and /etc/sysctl.d. If you prefer to use
+# /etc/sysctl.conf, please adjust IPT_SYSCTL in /etc/default/ufw. See
+# Documentation/networking/ip-sysctl.txt in the kernel source code for more
+# information.
+#
+
+# Uncomment this to allow this host to route packets between interfaces
+#net/ipv4/ip_forward=1
+#net/ipv6/conf/default/forwarding=1
+#net/ipv6/conf/all/forwarding=1
+
+# Disable ICMP redirects. ICMP redirects are rarely used but can be used in
+# MITM (man-in-the-middle) attacks. Disabling ICMP may disrupt legitimate
+# traffic to those sites.
+net/ipv4/conf/all/accept_redirects=0
+net/ipv4/conf/default/accept_redirects=0
+net/ipv6/conf/all/accept_redirects=0
+net/ipv6/conf/default/accept_redirects=0
+
+# Ignore bogus ICMP errors
+net/ipv4/icmp_echo_ignore_broadcasts=1
+net/ipv4/icmp_ignore_bogus_error_responses=1
+net/ipv4/icmp_echo_ignore_all=0
+
+# Don't log Martian Packets (impossible addresses)
+# packets
+net/ipv4/conf/all/log_martians=0
+net/ipv4/conf/default/log_martians=0
+
+#net/ipv4/tcp_fin_timeout=30
+#net/ipv4/tcp_keepalive_intvl=1800
+
+# Uncomment this to turn off ipv6 autoconfiguration
+#net/ipv6/conf/default/autoconf=1
+#net/ipv6/conf/all/autoconf=1
+
+# Uncomment this to enable ipv6 privacy addressing
+#net/ipv6/conf/default/use_tempaddr=2
+#net/ipv6/conf/all/use_tempaddr=2

ufw/ufw.conf

@@ -0,0 +1,10 @@
+# /etc/ufw/ufw.conf
+#
+
+# Set to yes to start on boot. If setting this remotely, be sure to add a rule
+# to allow your remote connection before starting ufw. Eg: 'ufw allow 22/tcp'
+ENABLED=yes
+
+# Please use the 'ufw' command to set the loglevel. Eg: 'ufw logging medium'.
+# See 'man ufw' for details.
+LOGLEVEL=low

ufw/user.rules

@@ -0,0 +1,59 @@
+*filter
+:ufw-user-input - [0:0]
+:ufw-user-output - [0:0]
+:ufw-user-forward - [0:0]
+:ufw-before-logging-input - [0:0]
+:ufw-before-logging-output - [0:0]
+:ufw-before-logging-forward - [0:0]
+:ufw-user-logging-input - [0:0]
+:ufw-user-logging-output - [0:0]
+:ufw-user-logging-forward - [0:0]
+:ufw-after-logging-input - [0:0]
+:ufw-after-logging-output - [0:0]
+:ufw-after-logging-forward - [0:0]
+:ufw-logging-deny - [0:0]
+:ufw-logging-allow - [0:0]
+:ufw-user-limit - [0:0]
+:ufw-user-limit-accept - [0:0]
+### RULES ###
+
+### tuple ### allow tcp 22 0.0.0.0/0 any 0.0.0.0/0 in
+-A ufw-user-input -p tcp --dport 22 -j ACCEPT
+
+### tuple ### allow tcp 80 0.0.0.0/0 any 0.0.0.0/0 in
+-A ufw-user-input -p tcp --dport 80 -j ACCEPT
+
+### tuple ### allow any 443 0.0.0.0/0 any 0.0.0.0/0 in
+-A ufw-user-input -p tcp --dport 443 -j ACCEPT
+-A ufw-user-input -p udp --dport 443 -j ACCEPT
+
+### tuple ### allow any any 0.0.0.0/0 any 172.16.254.11 in
+-A ufw-user-input -s 172.16.254.11 -j ACCEPT
+
+### tuple ### allow any any 0.0.0.0/0 any 172.16.254.125 in
+-A ufw-user-input -s 172.16.254.125 -j ACCEPT
+
+### tuple ### allow udp 443 0.0.0.0/0 any 0.0.0.0/0 in
+-A ufw-user-input -p udp --dport 443 -j ACCEPT
+
+### tuple ### allow udp 80 0.0.0.0/0 any 0.0.0.0/0 in
+-A ufw-user-input -p udp --dport 80 -j ACCEPT
+
+### tuple ### allow tcp 10051 0.0.0.0/0 any 0.0.0.0/0 in
+-A ufw-user-input -p tcp --dport 10051 -j ACCEPT
+
+### END RULES ###
+
+### LOGGING ###
+-A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10
+-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10
+-A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10
+-A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10
+### END LOGGING ###
+
+### RATE LIMITING ###
+-A ufw-user-limit -m limit --limit 3/minute -j LOG --log-prefix "[UFW LIMIT BLOCK] "
+-A ufw-user-limit -j REJECT
+-A ufw-user-limit-accept -j ACCEPT
+### END RATE LIMITING ###
+COMMIT

ufw/user6.rules

@@ -0,0 +1,53 @@
+*filter
+:ufw6-user-input - [0:0]
+:ufw6-user-output - [0:0]
+:ufw6-user-forward - [0:0]
+:ufw6-before-logging-input - [0:0]
+:ufw6-before-logging-output - [0:0]
+:ufw6-before-logging-forward - [0:0]
+:ufw6-user-logging-input - [0:0]
+:ufw6-user-logging-output - [0:0]
+:ufw6-user-logging-forward - [0:0]
+:ufw6-after-logging-input - [0:0]
+:ufw6-after-logging-output - [0:0]
+:ufw6-after-logging-forward - [0:0]
+:ufw6-logging-deny - [0:0]
+:ufw6-logging-allow - [0:0]
+:ufw6-user-limit - [0:0]
+:ufw6-user-limit-accept - [0:0]
+### RULES ###
+
+### tuple ### allow tcp 22 ::/0 any ::/0 in
+-A ufw6-user-input -p tcp --dport 22 -j ACCEPT
+
+### tuple ### allow tcp 80 ::/0 any ::/0 in
+-A ufw6-user-input -p tcp --dport 80 -j ACCEPT
+
+### tuple ### allow any 443 ::/0 any ::/0 in
+-A ufw6-user-input -p tcp --dport 443 -j ACCEPT
+-A ufw6-user-input -p udp --dport 443 -j ACCEPT
+
+### tuple ### allow udp 443 ::/0 any ::/0 in
+-A ufw6-user-input -p udp --dport 443 -j ACCEPT
+
+### tuple ### allow udp 80 ::/0 any ::/0 in
+-A ufw6-user-input -p udp --dport 80 -j ACCEPT
+
+### tuple ### allow tcp 10051 ::/0 any ::/0 in
+-A ufw6-user-input -p tcp --dport 10051 -j ACCEPT
+
+### END RULES ###
+
+### LOGGING ###
+-A ufw6-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10
+-I ufw6-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10
+-A ufw6-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10
+-A ufw6-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10
+### END LOGGING ###
+
+### RATE LIMITING ###
+-A ufw6-user-limit -m limit --limit 3/minute -j LOG --log-prefix "[UFW LIMIT BLOCK] "
+-A ufw6-user-limit -j REJECT
+-A ufw6-user-limit-accept -j ACCEPT
+### END RATE LIMITING ###
+COMMIT