author | Micah Anderson <micah@riseup.net> | 2022-11-18 16:11:05 -0500 |
---|---|---|
committer | Micah Anderson <micah@riseup.net> | 2022-11-18 16:11:05 -0500 |
commit | 382afed03359df5a61897dedc2e12857609191d0 (patch) | |
tree | 96fffec9c30487c80e12c74a35cbe67c3aa60355 | |
parent | d25723bc19fb295001c43945e9ec3726042e206f (diff) |
firewall: restrict outgoing ports
Our old platform blocked these ports for vpn gateway participants, and at least
port 25 is one we definitely want to block to stop spamming. The others are
various trojans; that list is likely very old and could probably be improved.
-rw-r--r-- | config/roles/openvpn/templates/50openvpn.firewall.j2 | 20 |
1 files changed, 20 insertions, 0 deletions
diff --git a/config/roles/openvpn/templates/50openvpn.firewall.j2 b/config/roles/openvpn/templates/50openvpn.firewall.j2
index d685547..e68c993 100644
--- a/config/roles/openvpn/templates/50openvpn.firewall.j2
+++ b/config/roles/openvpn/templates/50openvpn.firewall.j2
@@ -41,6 +41,26 @@ add_rule6 -A FORWARD -i tun0 -p tcp -o tun0 -j DROP
 add_rule6 -A FORWARD -i tun1 -p udp -o tun0 -j DROP
 {% endif %}
 
+# deny outgoing ports that shouldn't be used
+# Strict egress filtering:
+# SMTP (TCP 25)
+# Trivial File Transfer Protocol - TFTP (UDP 69)
+# MS RPC (TCP & UDP 135)
+# NetBIOS/IP (TCP/UDP 139 & UDP 137, UDP 138)
+# Simple Network Management Protocol – SNMP (UDP/TCP 161-162)
+# SMB/IP (TCP/UDP 445)
+# Syslog (UDP 514)
+# Gamqowi trojan: TCP 4661
+# Mneah trojan: TCP 4666
+add_rule4 -A OUTPUT -o tun0 -p tcp -m multiport --dports 25,135,139,161,162,445,4661,4666 -j DROP
+add_rule4 -A OUTPUT -o tun1 -p tcp -m multiport --dports 25,135,139,161,162,445,4661,4666 -j DROP
+add_rule4 -A OUTPUT -o tun0 -p udp -m multiport --dports 69,135,139,137,138,161,162,445,514 -j DROP
+add_rule4 -A OUTPUT -o tun1 -p udp -m multiport --dports 69,135,139,137,138,161,162,445,514 -j DROP
+add_rule6 -A OUTPUT -o tun0 -p tcp -m multiport --dports 25,135,139,161,162,445,4661,4666 -j DROP
+add_rule6 -A OUTPUT -o tun1 -p tcp -m multiport --dports 25,135,139,161,162,445,4661,4666 -j DROP
+add_rule6 -A OUTPUT -o tun0 -p udp -m multiport --dports 69,135,139,137,138,161,162,445,514 -j DROP
+add_rule6 -A OUTPUT -o tun1 -p udp -m multiport --dports 69,135,139,137,138,161,162,445,514 -j DROP
+
 # allow tcp vpn clients to resolve DNS (i.e. query knot-resolver)
 add_rule -A user-input -i tun0 -p udp --dport 53 -j ACCEPT
 add_rule -A user-input -i tun0 -p tcp --dport 53 -j ACCEPT
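Review bot: The eight new rules are attached to the OUTPUT chain with `-o tun0`/`-o tun1`, but OUTPUT only sees packets the gateway itself generates, and `-o tun0` matches packets leaving toward the VPN clients, so as written they do not filter client traffic being forwarded to the internet — the SMTP and trojan-port egress the commit message says it wants to stop. Traffic from VPN clients traverses FORWARD with the tunnel as the ingress interface, as the existing `add_rule6 -A FORWARD -i tun0 ... -o tun0` context lines above already rely on, so the drops should read `-A FORWARD -i tunN -p tcp|udp -m multiport --dports ... -j DROP` and must be placed before whatever rule accepts forwarded client traffic, which is not visible in this hunk. If `add_rule` emits both address families, as its use for the DNS rules just below suggests, the add_rule4/add_rule6 pairs collapse to four lines; the UDP list also reads more naturally in port order (137,138,139). A comment that `-j DROP` makes client connections to these ports time out rather than fail fast would help operators, and a rate-limited `-j LOG` rule ahead of the drop gives visibility into which clients are hitting the blocked ports.
```jinja
# deny outgoing ports that shouldn't be used
# … unchanged: port-list comment block …
add_rule -A FORWARD -i tun0 -p tcp -m multiport --dports 25,135,139,161,162,445,4661,4666 -j DROP
add_rule -A FORWARD -i tun1 -p tcp -m multiport --dports 25,135,139,161,162,445,4661,4666 -j DROP
add_rule -A FORWARD -i tun0 -p udp -m multiport --dports 69,135,137,138,139,161,162,445,514 -j DROP
add_rule -A FORWARD -i tun1 -p udp -m multiport --dports 69,135,137,138,139,161,162,445,514 -j DROP
```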