From 8caab259646d3bfe9dd18c94494df34fce69bb33 Mon Sep 17 00:00:00 2001
From: Martin Winkler
Date: Mon, 19 Dec 2022 22:42:55 +0100
Subject: [PATCH] ufw - extend fritzbox denials

---
 seqs/ufw.sh | 23 +++++++++++++++--------
 1 file changed, 15 insertions(+), 8 deletions(-)

diff --git a/seqs/ufw.sh b/seqs/ufw.sh
index 3d342a2..e328318 100755
--- a/seqs/ufw.sh
+++ b/seqs/ufw.sh
@@ -47,7 +47,7 @@ step_20() {
     exe ufw allow 4190/tcp comment 'Managesieve'
 }
-step_22_info() { echo "Deny multicast from gateway"; }
+step_22_info() { echo "Deny multicast from gateway and fritzbox webcheck"; }
 step_22_options() { echo "[IP]"; }
 step_22_alias() { echo "multicast"; }
 step_22() {
@@ -59,17 +59,24 @@ step_22() {
     exe ufw deny in from "${1}" to 224.0.0.0/4 comment 'Broadcast Fritzbox'
     exe ufw deny in from "${1}" to 239.0.0.0/8 comment 'Broadcast Fritzbox'
+    exe ufw deny in from "${1}" to any port 80 proto tcp commen 'Webcheck Fritzbox'
 }
-step_24_info() {
+step_23_info() { echo "Deny IPv6 multicast"; }
+step_23_alias() { echo "multicast6"; }
+step_23() {
+    exe ufw deny in from any to ff02::/16 port 53805 proto udp comment 'Multicast link local'
+}
+
+step_26_info() {
     echo "Allow cifs mounts on eth0"
     echoinfo " [PORT] (default 445)"
     echoinfo " 139 : Cifs version 1.0"
     echoinfo " 445 : Cifs version 2.0+"
 }
-step_24_options() { echo " [PORT]"; }
-step_24_alias() { echo "cifs"; }
-step_24() {
+step_26_options() { echo " [PORT]"; }
+step_26_alias() { echo "cifs"; }
+step_26() {
     shift
     local destIp=${1:-}
     local ipregex='^[0-2]*[0-9]{1,2}\.[0-2]*[0-9]{1,2}\.[0-2]*[0-9]{1,2}\.[0-2]*[0-9]{1,2}\/*[0-9]*$'
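Review bot: The new Webcheck line added to step_22 misspells the `comment` keyword as `commen`, so ufw will not accept the rule and the intended port-80 denial from the gateway is never installed; if `exe` (defined outside this hunk) propagates the failure, the whole step aborts at that point. The line should read `exe ufw deny in from "${1}" to any port 80 proto tcp comment 'Webcheck Fritzbox'`; note that step_22's opening lines lie outside this hunk. The new step_23 rule hard-codes UDP port 53805 on ff02::/16 without saying what listens there; a one-line comment above it such as `# TODO(review): document which service uses udp/53805 so this rule can be revisited` would help the next maintainer. Renumbering step_24/step_26 to step_26/step_28 (here and in the following hunk) changes the step numbers a caller may have scripted, although the `cifs` and `vpn` aliases are unchanged, which is worth stating in the commit message.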
@@ -91,9 +98,9 @@ step_24() {
     exe ufw allow out on eth0 to "${destIp}" port "${destPort}" proto tcp comment "samba/cifs"
 }
-step_26_info() { echo "Basic secure VPN setup"; }
-step_26_alias() { echo "vpn"; }
-step_26() {
+step_28_info() { echo "Basic secure VPN setup"; }
+step_28_alias() { echo "vpn"; }
+step_28() {
     exe ufw --force reset
     exe ufw allow in on eth0 to any port 22 comment "ssh"
     exe ufw default deny incoming