# firewall-easy-lib 0.33
#
#	Configuration of firewall-easy
#
#	Copyright (C) 2000:	Manel Marin <manel3@wanadoo.es>
#	Licence:		GNU GPL version >= 2
#
#
#	Please read "man firewall-easy-lib"
#
#
#	REMEMBER: run as root "firewall-easy reload" to activate changes
#


#-------------------------------------------------------------------------------
# AUTOMATIC CONFIGURATION
#	In /etc/firewall-easy.conf there is an automatic detection
#	of IP, net/mask, and DNS servers
#
#	Edit that file if you need to set values manually
#-------------------------------------------------------------------------------


# --- DO NOT TOUCH ---
 SPOOF = "$LO_NETS $LOCALNETS $ALL_IPS"		# my local net IPs, iface lo
 FORWARD_IFACES = $LOCALNET_IFACES			# Needed for 2.4



#### IP MASQUERADE #############################################################
# Masquerade clients to Internet (FORWARD is activated only if needed)
#MASQ	Proto	Local <> Remote_iface		Name
#--------------------------------------------------------------------

INTERFACE = $MASQ_IFACES
MASQUERADE *	$LOCALNETS > *			Aply IP masquerade



#### LOOPBACK RULES ############################################################
#NO/>/*	Proto	Local <> Remote			Name
#--------------------------------------------------------------------

INTERFACE = lo
*	*	$LO_NETS <> $LO_NETS		Access to my loopback
*	*	$LOCALNET_IPS <> $LOCALNET_IPS 	Local connections
						# (they never go out through eth)
*	*	1.1.1.1 > 1.1.1.1		IP alias outputs for autotest



#### INNER LOCAL NETWORK RULES #################################################
# Where the packets from my clients may go
#NO/>/*	Proto	Local <> Remote			Name
#--------------------------------------------------------------------

INTERFACE = $LOCALNET_IFACES
*	*	* <> $LOCALNETS				Access of my local net
*	udp	0.0.0.0:bootps < 255.255.255.255:bootpc	DHCP win requests
						# if we are the DHCP server


#### ADSL ROUTER RULES (IP by DHCP) ############################################
#NO/>/*	Proto	Local <> Remote			Name
#--------------------------------------------------------------------

INTERFACE = $ADSL_IFACES		# This does a loop with every $IFACE
ADSL_IP1="`list-iface-ip $IFACE`"		# Our IPs in one ADSL iface
ADSL_GW1="`list-iface-gw $IFACE`"		# IPs of GW in one ADSL router
*	udp	0.0.0.0:bootpc > 255.255.255.255:bootps     DHCP INIT step one
*	udp	255.255.255.255:bootpc < $ADSL_GW1:bootps   DHCP INIT step two	
>	udp	$ADSL_IP1:bootpc > $ADSL_GW1:bootps  	    DHCP RENEW step one
>	udp	$ADSL_IP1:bootpc < $ADSL_GW1:bootps 	    DHCP RENEW step two

NO	udp	$ADSL_IP1:bootps < $ADSL_GW1:bootpc	ADSL router requests



#### OTHER INTERFACES (INTERNET) RULES #########################################

INTERFACE = *
IPLOCAL = *
IPREMOTE = *


#### ANTI-SPOOF & FORBIDDEN IPs ################################################
#NO/>/*	Proto	Local <> Remote			Name
#--------------------------------------------------------------------

NO!	*	* < $SPOOF		IPs trying to pass by me
NO!	*	* < $NO_IP		IPs forbiden expressly
NO	*	* < $NO_PRIV		Private IPs traffic


#### LOCAL SERVICES ACCESSIBLE FROM INTERNET ###################################
# Closed unless explicitly opened with "*"
# WARNING: a service is not really opened if its variable is empty, e.g. $ISSH=""
#NO/>/*	Proto	Local <> Remote			Name
#--------------------------------------------------------------------

*	tcp	ssh <> $ISSH		Secure Shell


#### LOCAL PORTS FORBIDDEN #####################################################
#NO/>/*	Proto	Local <> Remote			Name
#--------------------------------------------------------------------

    #OPTIONAL (COUNTING-UP RULES)
NO!	tcp,udp	0 < *			Zero port closed
NO!	tcp	systat <  *		Process and users list
NO!	tcp	ftp < * 		FTP server
NO!	tcp	ssh < *			Secure Shell (tcp & udp?)
NO!	tcp	telnet < *		Telnet	
NO!	tcp	smtp < *		SMTP server
NO!	tcp	time < *		Hour server
NO!	tcp,udp	domain < *		DNS server
NO!	tcp,udp	bootps:bootpc < *	bootp server & client (tcp & udp?)
NO!	udp	tftp < *		tftp server
NO!	tcp	finger <  *		Users information
NO!	tcp	www < *			Web server
NO!	tcp	pop-3 < *		POP-3 server
NO!	tcp	sunrpc < *		Portmap of UDP services
NO!	tcp	auth < *		Authoritation port
NO!	tcp,udp	135 < *			MS DCE RCP mapper for DCOM
NO!	   udp	137 < *			Netbios services
NO!	   udp	139 < *			Netbios services
NO!	tcp	143 < *			Imap4 server
NO!	   udp	161 < *			SMTP conf & performance db
NO!	tcp,udp	512:514 < *		Unix "r" commands (tcp & udp?)
NO!	tcp	snpp < *		Snpp server of hylafax
NO!	tcp	printer < * 		spooler
NO!	   udp	535 < *			RPC CORBA IIOP
NO!	tcp,udp	635 < *			Linux mountd daemon

    #NEEDED (ports >1024)
#NO!	tcp	1024 < *		Wdm X displays manager (varies)
NO!	   udp	2049 < *		NFS unix Network File System
NO!	tcp	3128:3130 < *		Proxy web/cache squid
NO!	   udp	3130 < *			Proxy web/cache squid
NO!	tcp	mysql < *		MySQL server
NO!	tcp	4557 < *		FAX hylafax server
NO!	tcp	4559 < *		FAX hylafax server
NO!	   udp	xdmcp < *		xdm server (graphic login)
    # Inputs to X (ports 6000 to 6000+number of X servers)
NO!	tcp	6000 < *		My X servers
NO!	tcp	7100 < *		xfs fonts server
NO!	tcp	7101 < *		xfstt fonts server
NO!	tcp	8080:8081 < *		wwwoffle web/cache proxy


#### REMOTE PORTS FORBIDDEN (EVEN TO LOCAL SERVICES) ###########################
#NO/>/*	Proto	Local <> Remote			Name
#--------------------------------------------------------------------

NO!	tcp,udp	* <> 137:139		External netbios services
#NO!	tcp,udp	HI <> ircd		Chat servers


#### OUR USERS CONNECTIONS TO INTERNET SERVICES ################################
# Closed unless explicitly opened with ">" or ">>"
#NO/>/*	Proto	Local <> Remote			Name
#------------------------------------------------------------------------

>	   udp	HI <> $DNS:domain	DNS servers
>+	tcp	HI <> www		Web servers
>	tcp	HI <> smtp		SMTP servers
>	tcp	HI <> pop-3		POP-3 servers
>	tcp	HI <> nntp		News servers
>	tcp	HI <> time		Hour servers
>	tcp	HI <> https		SSL secure web servers

 #>	   udp	ntp <> $NTP:ntp		NTP (hour) servers
 #>	   udp	HI <> $NTP:ntp		NTP (hour) servers

>	tcp	HI <> 554		Real Audio
>	   udp	6970:7170 < *		Real Audio

>-	tcp	HI <> rsync		Rsync servers


    # traceroute uses 3 UDP ports per hop; 166 ports = 55 hops
> 	   udp	* > 33434:33600 	traceroute command

    # ftp in passive mode
>	tcp	HI <> ftp		FTP servers
>-	tcp	HI <> HI		Deflected by ftp passive mode 
    # ftp in active mode
>>-	tcp	HI <> $FTP:ftp-data	Deflected by ftp active mode

>	tcp	HI <> *			Other connections allowed
					# Needed for passive ftp? TO VERIFY (this rule allows every outbound TCP connection from high ports, not only ftp)


#### OUTPUTS FOR RST ###########################################################
# If $RST_TO is defined (e.g. with 0/0), allow the outgoing packets that reject connections
#NO/>/*	Proto	Local <> Remote			Name
#------------------------------------------------------------------------
IPREMOTE = $RST_TO
*	tcp	* > *		Allow tcp RST "rejecting" tcp connections
*	icmp	3 > *		Dest-un OUT "rejecting" udp connections
IPREMOTE = *



#### ACTIONS OVER ICMP PACKETS #################################################
# ICMP packets carry control information for the communication of the other protocols
#NO/>/*	Proto	Local <> Remote			Name
#-------------------------------------------------------------------------------

    # ICMP INPUTS
*	icmp	* < 0		Pong IN		--- to receive PING/BING ---
*	icmp	* < 3		Dest-un	IN 	--- for communications ---
NO!	icmp	* < 4		Quench IN
NO!	icmp	* < 5		Redir IN
NO!	icmp	* < 8		Ping IN
*	icmp	* < 11		Time-ex IN 	--- for traceroute ---
 #NO	icmp	* < 12		Param IN
NO	icmp	* < *		Resto de ICMP

    # ICMP OUTPUTS
NO!	icmp	0 > *		Pong OUT 
NO	icmp	3 > *		Dest-un OUT
 #NO	icmp	4 > *		Quench OUT
 #NO	icmp	5 > *		Redir OUT
*	icmp	8 > *		Ping OUT 	--- to do PING/BING ---
 #NO	icmp	11 > *		Time-ex OUT
NO!	icmp	12 > *		Param OUT
NO	icmp	* > *		Resto de ICMP


#### LOGGING RELATED OPTIONS ###################################################
#NO/>/*	Proto	Local <> Remote			Name
#------------------------------------------------------------------------

    # DO NOT LOG KNOWN, REPEATED PACKETS
NO	udp	68 > 255.255.255.255:67	Infovia plus when connecting

    # BY DEFAULT, LOG PACKETS THAT ARE NOT ALLOWED
NO!	tcp,udp	0:1023 <> *		Low ports
NO!	tcp,udp	* <> *			Log by default TCP & UDP
NO!	*	* <> *			Log by default ICMP & others


#### PORT REDIRECTION ##########################################################
#FORWARD/PROXY	Proto	Local < Remote ->Redir(numbers)	Name
#------------------------------------------------------------------------

#FORWARD tcp	$IP_TO_REDIR:www < *	->1.2.3.4:80	Port forwarding
#PROXY	 tcp	www < *			->3128		Transparent proxy
