
/ufw/before.rules

http://github.com/brinkman83/bashrc
#
# rules.before
#
# Rules that should be run before the ufw command line added rules. Custom
# rules should be added to one of these chains:
#   ufw-before-input
#   ufw-before-output
#   ufw-before-forward
#
# This file is in iptables-restore(8) format and only touches the IPv4
# filter table; ufw keeps the IPv6 counterpart in a separate before6.rules.
# Within a chain, rule order is evaluation order: the early ACCEPT rules
# below short-circuit everything after them for the packets they match.
#

# Don't delete these required lines, otherwise there will be errors
*filter
:ufw-before-input - [0:0]
:ufw-before-output - [0:0]
:ufw-before-forward - [0:0]
:ufw-not-local - [0:0]
# End required lines
# NOTE(review): ufw-logging-deny is jumped to below but is not declared in
# this file; it is presumably created by ufw's own chain setup before this
# file is loaded. If it does not exist, iptables-restore rejects the table.


# allow all on loopback
-A ufw-before-input -i lo -j ACCEPT
-A ufw-before-output -o lo -j ACCEPT

# quickly process packets for which we already have a connection
# (-m state is the older alias of -m conntrack --ctstate; same semantics)
-A ufw-before-input -m state --state RELATED,ESTABLISHED -j ACCEPT
-A ufw-before-output -m state --state RELATED,ESTABLISHED -j ACCEPT

# drop INVALID packets (logs these in loglevel medium and higher)
# Comes after the RELATED,ESTABLISHED accept, so only packets conntrack
# cannot tie to any connection get here: first rule logs, second drops.
-A ufw-before-input -m state --state INVALID -j ufw-logging-deny
-A ufw-before-input -m state --state INVALID -j DROP

# ok icmp codes
# Accepted from any source and not rate-limited in this file. echo-request
# makes the host answer ping; source-quench was deprecated by RFC 6633 and
# is kept here only for compatibility with older stacks.
-A ufw-before-input -p icmp --icmp-type destination-unreachable -j ACCEPT
-A ufw-before-input -p icmp --icmp-type source-quench -j ACCEPT
-A ufw-before-input -p icmp --icmp-type time-exceeded -j ACCEPT
-A ufw-before-input -p icmp --icmp-type parameter-problem -j ACCEPT
-A ufw-before-input -p icmp --icmp-type echo-request -j ACCEPT

# allow dhcp client to work
# Matches on ports only (server 67 -> client 68): any interface, any source.
-A ufw-before-input -p udp --sport 67 --dport 68 -j ACCEPT

#
# ufw-not-local
#
# Everything not accepted above is handed to ufw-not-local, which RETURNs
# only traffic addressed to this host (or multicast/broadcast); the rest is
# logged under a rate limit and dropped before user-added rules are seen.
-A ufw-before-input -j ufw-not-local

# if LOCAL, RETURN
-A ufw-not-local -m addrtype --dst-type LOCAL -j RETURN

# if MULTICAST, RETURN
-A ufw-not-local -m addrtype --dst-type MULTICAST -j RETURN

# if BROADCAST, RETURN
-A ufw-not-local -m addrtype --dst-type BROADCAST -j RETURN

# all other non-local packets are dropped
# The limit match caps log entries at 3/min with a burst of 10 so a flood
# of non-local packets cannot fill the log; the DROP itself is unconditional.
-A ufw-not-local -m limit --limit 3/min --limit-burst 10 -j ufw-logging-deny
-A ufw-not-local -j DROP

# allow MULTICAST, be sure the MULTICAST line above is uncommented
# Both directions of 224.0.0.0/4 are accepted. These rules sit after the
# jump to ufw-not-local, so the MULTICAST RETURN above is what lets a
# multicast-addressed packet reach them instead of being dropped there.
-A ufw-before-input -s 224.0.0.0/4 -j ACCEPT
-A ufw-before-input -d 224.0.0.0/4 -j ACCEPT


# don't delete the 'COMMIT' line or these rules won't be processed
COMMIT