# Fichiers par défaut, 18 avril 2014, client 13.10 # /etc/ufw/ ip v4 seuls. pour applications.d et ipv6 voir etc-ufw2.txt # /etc/ufw/ufw.conf # # Set to yes to start on boot. If setting this remotely, be sure to add a rule # to allow your remote connection before starting ufw. Eg: 'ufw allow 22/tcp' ENABLED=yes # Please use the 'ufw' command to set the loglevel. Eg: 'ufw logging medium'. # See 'man ufw' for details. LOGLEVEL=medium # /etc/ufw/sysctl.conf # # Configuration file for setting network variables. Please note these settings # override /etc/sysctl.conf. If you prefer to use /etc/sysctl.conf, please # adjust IPT_SYSCTL in /etc/default/ufw. # # Uncomment this to allow this host to route packets between interfaces #net/ipv4/ip_forward=1 #net/ipv6/conf/default/forwarding=1 #net/ipv6/conf/all/forwarding=1 # Turn on Source Address Verification in all interfaces to prevent some # spoofing attacks net/ipv4/conf/default/rp_filter=1 net/ipv4/conf/all/rp_filter=1 # Do not accept IP source route packets (we are not a router) net/ipv4/conf/default/accept_source_route=0 net/ipv4/conf/all/accept_source_route=0 net/ipv6/conf/default/accept_source_route=0 net/ipv6/conf/all/accept_source_route=0 # Disable ICMP redirects. ICMP redirects are rarely used but can be used in # MITM (man-in-the-middle) attacks. Disabling ICMP may disrupt legitimate # traffic to those sites. net/ipv4/conf/default/accept_redirects=0 net/ipv4/conf/all/accept_redirects=0 net/ipv6/conf/default/accept_redirects=0 net/ipv6/conf/all/accept_redirects=0 # Ignore bogus ICMP errors net/ipv4/icmp_echo_ignore_broadcasts=1 net/ipv4/icmp_ignore_bogus_error_responses=1 net/ipv4/icmp_echo_ignore_all=0 # Don't log Martian Packets (impossible packets) net/ipv4/conf/default/log_martians=0 net/ipv4/conf/all/log_martians=0 # Change to '1' to enable TCP/IP SYN cookies This disables TCP Window Scaling # (http://lkml.org/lkml/2008/2/5/167) net/ipv4/tcp_syncookies=0 #net/ipv4/tcp_fin_timeout=30 #net/ipv4/tcp_keepalive_intvl=1800 # normally allowing tcp_sack is ok, but if going through OpenBSD 3.8 RELEASE or # earlier pf firewall, should set this to 0 net/ipv4/tcp_sack=1 # Uncomment this to turn off ipv6 autoconfiguration #net/ipv6/conf/default/autoconf=0 #net/ipv6/conf/all/autoconf=0 # Uncomment this to enable ipv6 privacy addressing #net/ipv6/conf/default/use_tempaddr=2 #net/ipv6/conf/all/use_tempaddr=2 # # rules.before # # Rules that should be run before the ufw command line added rules. Custom # rules should be added to one of these chains: # ufw-before-input # ufw-before-output # ufw-before-forward # # Don't delete these required lines, otherwise there will be errors *filter :ufw-before-input - [0:0] :ufw-before-output - [0:0] :ufw-before-forward - [0:0] :ufw-not-local - [0:0] # End required lines # allow all on loopback -A ufw-before-input -i lo -j ACCEPT -A ufw-before-output -o lo -j ACCEPT # quickly process packets for which we already have a connection -A ufw-before-input -m state --state RELATED,ESTABLISHED -j ACCEPT -A ufw-before-output -m state --state RELATED,ESTABLISHED -j ACCEPT # drop INVALID packets (logs these in loglevel medium and higher) -A ufw-before-input -m state --state INVALID -j ufw-logging-deny -A ufw-before-input -m state --state INVALID -j DROP # ok icmp codes -A ufw-before-input -p icmp --icmp-type destination-unreachable -j ACCEPT -A ufw-before-input -p icmp --icmp-type source-quench -j ACCEPT -A ufw-before-input -p icmp --icmp-type time-exceeded -j ACCEPT -A ufw-before-input -p icmp --icmp-type parameter-problem -j ACCEPT -A ufw-before-input -p icmp --icmp-type echo-request -j ACCEPT # allow dhcp client to work -A ufw-before-input -p udp --sport 67 --dport 68 -j ACCEPT # # ufw-not-local # -A ufw-before-input -j ufw-not-local # if LOCAL, RETURN -A ufw-not-local -m addrtype --dst-type LOCAL -j RETURN # if MULTICAST, RETURN -A ufw-not-local -m addrtype --dst-type MULTICAST -j RETURN # if BROADCAST, RETURN -A ufw-not-local -m addrtype --dst-type BROADCAST -j RETURN # all other non-local packets are dropped -A ufw-not-local -m limit --limit 3/min --limit-burst 10 -j ufw-logging-deny -A ufw-not-local -j DROP # allow MULTICAST mDNS for service discovery (be sure the MULTICAST line above # is uncommented) -A ufw-before-input -p udp -d 224.0.0.251 --dport 5353 -j ACCEPT # allow MULTICAST UPnP for service discovery (be sure the MULTICAST line above # is uncommented) -A ufw-before-input -p udp -d 239.255.255.250 --dport 1900 -j ACCEPT # don't delete the 'COMMIT' line or these rules won't be processed COMMIT # # rules.input-after # # Rules that should be run after the ufw command line added rules. Custom # rules should be added to one of these chains: # ufw-after-input # ufw-after-output # ufw-after-forward # # Don't delete these required lines, otherwise there will be errors *filter :ufw-after-input - [0:0] :ufw-after-output - [0:0] :ufw-after-forward - [0:0] # End required lines # don't log noisy services by default -A ufw-after-input -p udp --dport 137 -j ufw-skip-to-policy-input -A ufw-after-input -p udp --dport 138 -j ufw-skip-to-policy-input -A ufw-after-input -p tcp --dport 139 -j ufw-skip-to-policy-input -A ufw-after-input -p tcp --dport 445 -j ufw-skip-to-policy-input -A ufw-after-input -p udp --dport 67 -j ufw-skip-to-policy-input -A ufw-after-input -p udp --dport 68 -j ufw-skip-to-policy-input # don't log noisy broadcast -A ufw-after-input -m addrtype --dst-type BROADCAST -j ufw-skip-to-policy-input # don't delete the 'COMMIT' line or these rules won't be processed COMMIT