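# Default files, 18 April 2014
# /etc/ufw/ IPv6 and applications.d - for the main ufw configuration see etc-ufw.txt
#
# NOTE: this is a concatenation of several separate files for reference; it is
# not loadable as one unit.  Each "# etc/ufw/..." marker names the file that the
# lines following it belong to.  The applications.d entries are ufw application
# profiles (INI, read by ufw itself); before6.rules and after6.rules are
# ip6tables-restore input and must keep their "*filter" / "COMMIT" framing.

# etc/ufw/applications.d/cups
# Application profile: "ufw allow CUPS" opens the ports listed here.  A profile
# only names ports; the allow rule that references it decides the source
# (any, unless a "from" restriction is given on the ufw command line).
[CUPS]
title=Common UNIX Printing System server
description=CUPS is a printing system with support for IPP, samba, lpd, and other protocols.
ports=631

# etc/ufw/applications.d/samba
# Application profile; port syntax is "<ports>/<proto>" groups separated by "|".
[Samba]
title=LanManager-like file and printer server for Unix
description=The Samba software suite is a collection of programs that implements the SMB/CIFS protocol for unix systems, allowing you to serve files and printers to Windows, NT, OS/2 and DOS clients. This protocol is sometimes also referred to as the LanManager or NetBIOS protocol.
ports=137,138/udp|139,445/tcp

# etc/ufw/before6.rules
#
# rules.before
#
# Rules that should be run before the ufw command line added rules. Custom
# rules should be added to one of these chains:
#   ufw6-before-input
#   ufw6-before-output
#   ufw6-before-forward
#
# Everything in this file is evaluated before the rules generated from
# "ufw allow/deny", so anything ACCEPTed here cannot be overridden by a later
# ufw deny rule.  Review the ACCEPT lines below with that in mind.

# Don't delete these required lines, otherwise there will be errors
*filter
:ufw6-before-input - [0:0]
:ufw6-before-output - [0:0]
:ufw6-before-forward - [0:0]
# End required lines


# allow all on loopback
-A ufw6-before-input -i lo -j ACCEPT
-A ufw6-before-output -o lo -j ACCEPT

# drop packets with RH0 headers
# (type-0 routing headers are deprecated and can be abused for traffic
# amplification; dropping them on all three chains is the intended default)
-A ufw6-before-input -m rt --rt-type 0 -j DROP
-A ufw6-before-forward -m rt --rt-type 0 -j DROP
-A ufw6-before-output -m rt --rt-type 0 -j DROP

# for stateless autoconfiguration (restrict NDP messages to hop limit of 255)
# The "--hl-eq 255" match only admits NDP that has not crossed a router, i.e.
# originated on the local link.  It does not authenticate the sender: any
# on-link host can still send router advertisements.  If rogue-RA is a concern,
# the mitigation is outside this file (net.ipv6.conf.*.accept_ra sysctls, or
# RA Guard on the switch), not a firewall rule.
-A ufw6-before-input -p icmpv6 --icmpv6-type neighbor-solicitation -m hl --hl-eq 255 -j ACCEPT
-A ufw6-before-output -p icmpv6 --icmpv6-type neighbor-solicitation -m hl --hl-eq 255 -j ACCEPT
-A ufw6-before-input -p icmpv6 --icmpv6-type neighbor-advertisement -m hl --hl-eq 255 -j ACCEPT
-A ufw6-before-output -p icmpv6 --icmpv6-type neighbor-advertisement -m hl --hl-eq 255 -j ACCEPT
-A ufw6-before-input -p icmpv6 --icmpv6-type router-solicitation -m hl --hl-eq 255 -j ACCEPT
-A ufw6-before-input -p icmpv6 --icmpv6-type router-advertisement -m hl --hl-eq 255 -j ACCEPT

# quickly process packets for which we already have a connection
# ("-m state" is the legacy spelling of "-m conntrack --ctstate"; it still
# loads on current iptables, so it is left as shipped)
-A ufw6-before-input -m state --state RELATED,ESTABLISHED -j ACCEPT
-A ufw6-before-output -m state --state RELATED,ESTABLISHED -j ACCEPT

# for multicast ping replies from link-local addresses (these don't have an
# associated connection and would otherwise be marked INVALID)
-A ufw6-before-input -p icmpv6 --icmpv6-type echo-reply -s fe80::/10 -j ACCEPT

# drop INVALID packets (logs these in loglevel medium and higher)
-A ufw6-before-input -m state --state INVALID -j ufw6-logging-deny
-A ufw6-before-input -m state --state INVALID -j DROP

# ok icmp codes
# The first four are required for IPv6 to function (path MTU discovery in
# particular depends on packet-too-big).  echo-request is a policy choice:
# this default answers ping from any source.
-A ufw6-before-input -p icmpv6 --icmpv6-type destination-unreachable -j ACCEPT
-A ufw6-before-input -p icmpv6 --icmpv6-type packet-too-big -j ACCEPT
-A ufw6-before-input -p icmpv6 --icmpv6-type time-exceeded -j ACCEPT
-A ufw6-before-input -p icmpv6 --icmpv6-type parameter-problem -j ACCEPT
-A ufw6-before-input -p icmpv6 --icmpv6-type echo-request -j ACCEPT

# allow dhcp client to work
# (DHCPv6 server -> client, both ends link-local; sport 547 / dport 546)
-A ufw6-before-input -p udp -s fe80::/10 --sport 547 -d fe80::/10 --dport 546 -j ACCEPT

# allow MULTICAST mDNS for service discovery
# NOTE(review): accepts UDP/5353 to the mDNS group from any source on the link,
# ahead of any ufw deny rule.  Hosts that do not run a responder (avahi or
# similar) can comment this line out to reduce exposure.
-A ufw6-before-input -p udp -d ff02::fb --dport 5353 -j ACCEPT

# allow MULTICAST UPnP for service discovery
# NOTE(review): same consideration as mDNS above (SSDP, UDP/1900).
-A ufw6-before-input -p udp -d ff02::f --dport 1900 -j ACCEPT

# don't delete the 'COMMIT' line or these rules won't be processed
COMMIT

# etc/ufw/after6.rules
#
# rules.input-after
#
# Rules that should be run after the ufw command line added rules. Custom
# rules should be added to one of these chains:
#   ufw6-after-input
#   ufw6-after-output
#   ufw6-after-forward
#

# Don't delete these required lines, otherwise there will be errors
*filter
:ufw6-after-input - [0:0]
:ufw6-after-output - [0:0]
:ufw6-after-forward - [0:0]
# End required lines

# don't log noisy services by default
# These jump to the chain's default policy without passing through the logging
# chain: NetBIOS/SMB (137-139, 445) and DHCPv6 (546, 547) are still subject to
# the policy, they are just not logged.  If you rely on firewall logs to detect
# SMB probing, drop the corresponding lines here.
-A ufw6-after-input -p udp --dport 137 -j ufw6-skip-to-policy-input
-A ufw6-after-input -p udp --dport 138 -j ufw6-skip-to-policy-input
-A ufw6-after-input -p tcp --dport 139 -j ufw6-skip-to-policy-input
-A ufw6-after-input -p tcp --dport 445 -j ufw6-skip-to-policy-input
-A ufw6-after-input -p udp --dport 546 -j ufw6-skip-to-policy-input
-A ufw6-after-input -p udp --dport 547 -j ufw6-skip-to-policy-input

# don't delete the 'COMMIT' line or these rules won't be processed
COMMIT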