/ufw/before.rules


  1. #
  2. # rules.before
  3. #
  4. # Rules that should be run before the ufw command line added rules. Custom
  5. # rules should be added to one of these chains:
  6. # ufw-before-input
  7. # ufw-before-output
  8. # ufw-before-forward
  9. #
      # This file is in iptables-restore format: "*filter" selects the filter
      # table, ":name - [0:0]" declares a user-defined chain with no policy and
      # zeroed packet/byte counters, and "COMMIT" at the end applies the whole
      # table at once. Rules in a chain are evaluated top to bottom; the first
      # matching terminating target (ACCEPT/DROP/RETURN) decides the packet.
  10. # Don't delete these required lines, otherwise there will be errors
  11. *filter
  12. :ufw-before-input - [0:0]
  13. :ufw-before-output - [0:0]
  14. :ufw-before-forward - [0:0]
  15. :ufw-not-local - [0:0]
  16. # End required lines
      # ufw-before-forward is declared but no rule below is appended to it, so
      # forwarded traffic is left entirely to ufw's own chains.
  17. # allow all on loopback
  18. -A ufw-before-input -i lo -j ACCEPT
  19. -A ufw-before-output -o lo -j ACCEPT
  20. # quickly process packets for which we already have a connection
      # "-m state" is the legacy state match; newer ufw releases use the
      # equivalent "-m conntrack --ctstate" form.
  21. -A ufw-before-input -m state --state RELATED,ESTABLISHED -j ACCEPT
  22. -A ufw-before-output -m state --state RELATED,ESTABLISHED -j ACCEPT
  23. # drop INVALID packets (logs these in loglevel medium and higher)
      # ufw-logging-deny is not declared in this file; ufw supplies it from its
      # own generated rules (confirm for your ufw version). Because these two
      # rules sit above the ICMP/DHCP/multicast accepts, INVALID packets never
      # reach them.
  24. -A ufw-before-input -m state --state INVALID -j ufw-logging-deny
  25. -A ufw-before-input -m state --state INVALID -j DROP
  26. # ok icmp codes
      # These accept inbound ICMP control messages from any source with no
      # rate limit. echo-request means the host answers ping. source-quench is
      # deprecated (RFC 6633) and modern stacks ignore it, so that line can be
      # removed without loss.
  27. -A ufw-before-input -p icmp --icmp-type destination-unreachable -j ACCEPT
  28. -A ufw-before-input -p icmp --icmp-type source-quench -j ACCEPT
  29. -A ufw-before-input -p icmp --icmp-type time-exceeded -j ACCEPT
  30. -A ufw-before-input -p icmp --icmp-type parameter-problem -j ACCEPT
  31. -A ufw-before-input -p icmp --icmp-type echo-request -j ACCEPT
  32. # allow dhcp client to work
      # Matches UDP from server port 67 to client port 68 on any interface and
      # from any source address, i.e. the shape of a DHCP server reply.
  33. -A ufw-before-input -p udp --sport 67 --dport 68 -j ACCEPT
  34. #
  35. # ufw-not-local
  36. #
      # Everything entering ufw-before-input that has not matched above is sent
      # through ufw-not-local, which RETURNs for traffic addressed to this host
      # (LOCAL), a multicast group or a broadcast address, and drops the rest
      # after rate-limited logging.
  37. -A ufw-before-input -j ufw-not-local
  38. # if LOCAL, RETURN
  39. -A ufw-not-local -m addrtype --dst-type LOCAL -j RETURN
  40. # if MULTICAST, RETURN
  41. -A ufw-not-local -m addrtype --dst-type MULTICAST -j RETURN
  42. # if BROADCAST, RETURN
  43. -A ufw-not-local -m addrtype --dst-type BROADCAST -j RETURN
  44. # all other non-local packets are dropped
      # "-m limit" caps log entries at 3 per minute with a burst of 10 so a
      # flood of non-local packets cannot fill the log; the unconditional DROP
      # that follows is what actually discards them.
  45. -A ufw-not-local -m limit --limit 3/min --limit-burst 10 -j ufw-logging-deny
  46. -A ufw-not-local -j DROP
  47. # allow MULTICAST, be sure the MULTICAST line above is uncommented
      # The MULTICAST RETURN in ufw-not-local must stay in place: the two rules
      # below come after the jump to ufw-not-local in ufw-before-input, so
      # without it multicast-addressed packets would already be dropped there.
      # NOTE(review): the "-s 224.0.0.0/4" rule accepts packets whose *source*
      # address is in the multicast range. A multicast address is never a valid
      # source address (RFC 1112), so this rule only ever matches
      # non-conformant packets and can be removed. The "-d 224.0.0.0/4" rule
      # accepts every protocol and port to every multicast group; restricting
      # it to the groups and ports actually needed (for example mDNS,
      # udp 224.0.0.251:5353) is tighter.
  48. -A ufw-before-input -s 224.0.0.0/4 -j ACCEPT
  49. -A ufw-before-input -d 224.0.0.0/4 -j ACCEPT
  50. # don't delete the 'COMMIT' line or these rules won't be processed
  51. COMMIT