+++ /dev/null
-#
-# rules.before
-#
-# Rules that should be run before the ufw command line added rules. Custom
-# rules should be added to one of these chains:
-# ufw-before-input
-# ufw-before-output
-# ufw-before-forward
-#
-
-# Don't delete these required lines, otherwise there will be errors
-*filter
-:ufw-before-input - [0:0]
-:ufw-before-output - [0:0]
-:ufw-before-forward - [0:0]
-:ufw-not-local - [0:0]
-# End required lines
-
-
-# allow all on loopback
--A ufw-before-input -i lo -j ACCEPT
--A ufw-before-output -i lo -j ACCEPT
-
-# connection tracking rules
--A ufw-before-input -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
--A ufw-before-forward -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-
-# drop INVALID packets
-# uncomment to log INVALID packets
--A ufw-before-input -m conntrack --ctstate INVALID -j LOG --log-prefix "[UFW BLOCK INVALID]: " --log-level err -m limit --limit 3/min --limit-burst 10
--A ufw-before-input -m conntrack --ctstate INVALID -j DROP
-
-## Ingress filter (see RFC 2827) (eth0:LAN<192.168.100.0/24>)
--A ufw-before-forward -i eth0 -s ! 192.168.100.0/24 -j LOG --log-tcp-options --log-ip-options --log-prefix "[UFW BLOCK LOG_INGRESS]: " --log-level err -m limit --limit 3/min --limit-burst 10
--A ufw-before-forward -i eth0 -s ! 192.168.100.0/24 -j DROP
-
-## DROP CIFS(Samba) access from/to WAN(eth1)
--A ufw-before-input -i eth1 -p tcp -m multiport --dports 135,137:139,445 -j DROP
--A ufw-before-input -i eth1 -p udp -m multiport --dports 135,137:139,445 -j DROP
--A ufw-before-forward -i eth1 -p tcp -m multiport --dports 135,137:139,445 -j DROP
--A ufw-before-forward -i eth1 -p udp -m multiport --dports 135,137:139,445 -j DROP
--A ufw-before-forward -o eth1 -p tcp -m multiport --dports 135,137:139,445 -j DROP
--A ufw-before-forward -o eth1 -p udp -m multiport --dports 135,137:139,445 -j DROP
--A ufw-before-output -o eth1 -p tcp -m multiport --dports 135,137:139,445 -j DROP
--A ufw-before-output -o eth1 -p udp -m multiport --dports 135,137:139,445 -j DROP
-
-## Access from LAN
--A ufw-before-input -i eth0 -j ACCEPT
--A ufw-before-forward -i eth0 -j ACCEPT
-
-# connection tracking for outbound
--A ufw-before-output -p tcp -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
--A ufw-before-output -p udp -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
-
-# ok icmp codes
--A ufw-before-input -p icmp --icmp-type destination-unreachable -j ACCEPT
--A ufw-before-input -p icmp --icmp-type source-quench -j ACCEPT
--A ufw-before-input -p icmp --icmp-type time-exceeded -j ACCEPT
--A ufw-before-input -p icmp --icmp-type parameter-problem -j ACCEPT
--A ufw-before-input -p icmp --icmp-type echo-request -j ACCEPT
-
-# allow dhcp client to work
--A ufw-before-input -p udp --sport 67 --dport 68 -j ACCEPT
-
-#
-# ufw-not-local
-#
--A ufw-before-input -j ufw-not-local
-
-# if LOCAL, RETURN
--A ufw-not-local -m addrtype --dst-type LOCAL -j RETURN
-
-# if MULTICAST, RETURN
--A ufw-not-local -m addrtype --dst-type MULTICAST -j RETURN
-
-# if BROADCAST, RETURN
--A ufw-not-local -m addrtype --dst-type BROADCAST -j RETURN
-
--A ufw-not-local -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW BLOCK NOT-TO-ME]: " --log-level err
-
-# all other non-local packets are dropped
--A ufw-not-local -j DROP
-
-# allow MULTICAST, be sure the MULTICAST line above is uncommented
--A ufw-before-input -s 224.0.0.0/4 -j ACCEPT
--A ufw-before-input -d 224.0.0.0/4 -j ACCEPT
-
-
-# don't delete the 'COMMIT' line or these rules won't be processed
-COMMIT
projects / lab.git / blobdiff