#language en
'''WARNING: [[nftables]] is the default firewall framework since Debian 10 Buster. This page is outdated.'''
This page indexes as many firewall rules for various common purposes as possible.
A module that asks the user to add specific firewall rules when installing packages is conceivable but hasn't been created thus far.
Try to keep the rules '''as restrictive as possible'''. Register on this Wiki even if you just want to add a word or remove a line on this page.
Note that the order of firewall rules matters: packets are checked against the rules of a chain in sequence and the first matching rule decides.
= iptables =
== Applying the rules ==
* Install {{{iptables-persistent}}} via apper or {{{apt-get install}}}
 * Edit the {{{rules.v4}}} file, e.g. by running {{{sudo kate /etc/iptables/rules.v4}}} (or {{{/etc/iptables/rules.v6}}} for IPv6), copy the rules you want from below into it, save the file and load it with {{{sudo iptables-restore < /etc/iptables/rules.v4}}} (or {{{sudo ip6tables-restore < /etc/iptables/rules.v6}}}).
 * Alternatively, run {{{sudo iptables}}} followed by one of the rule lines below from the console, e.g. {{{sudo iptables -A INPUT -s 127.0.0.1/32 -d 127.0.0.1/32 -j ACCEPT}}}. Rules added this way are lost on reboot unless saved with {{{sudo netfilter-persistent save}}}.
== Restriction ==
{{{
#DROP everything by default (chain policies)
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
#Explicit DROP rules as an alternative to the policies; keep them last in the chain
#-A INPUT -j DROP
#-A OUTPUT -j DROP
}}}
== Logging ==
{{{
#Log 4 dropped packets per minute to /var/log/syslog
#Place these rules last in their chains so only packets that no earlier rule accepted are logged
-A INPUT -m limit --limit 4/min -j LOG --log-prefix "~~~~IP INPUT DROP: "
-A OUTPUT -m limit --limit 4/min -j LOG --log-prefix "~~~~IP OUTPUT DROP: "
}}}
== Localhost ==
{{{
#LOCAL
-A INPUT -s 127.0.0.1/32 -d 127.0.0.1/32 -j ACCEPT
-A OUTPUT -s 127.0.0.1/32 -d 127.0.0.1/32 -j ACCEPT
}}}
== Client ==
=== HTTP ===
{{{
#HTTP
-A INPUT -p tcp -m tcp --dport 80 -m state --state NEW,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m tcp --sport 80 -m state --state NEW,ESTABLISHED -j ACCEPT
#-A INPUT -p tcp -m tcp --dport 8080 -m state --state ESTABLISHED -j ACCEPT
#-A INPUT -p tcp -m tcp --sport 8080 -m state --state ESTABLISHED -j ACCEPT
-A OUTPUT -p tcp -m tcp --sport 80 -m state --state NEW,ESTABLISHED -j ACCEPT
-A OUTPUT -p tcp -m tcp --dport 80 -m state --state NEW,ESTABLISHED -j ACCEPT
#-A OUTPUT -p tcp -m tcp --sport 8080 -m state --state NEW,ESTABLISHED -j ACCEPT
#-A OUTPUT -p tcp -m tcp --dport 8080 -m state --state NEW,ESTABLISHED -j ACCEPT
}}}
=== HTTPS ===
{{{
#HTTPS
-A INPUT -p tcp -m tcp --dport 443 -m state --state ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m tcp --sport 443 -m state --state ESTABLISHED -j ACCEPT
-A OUTPUT -p tcp -m tcp --sport 443 -m state --state NEW,ESTABLISHED -j ACCEPT
-A OUTPUT -p tcp -m tcp --dport 443 -m state --state NEW,ESTABLISHED -j ACCEPT
}}}
=== DNS ===
{{{
#DNS
-A INPUT -p udp -m udp --sport 53 -m state --state NEW,ESTABLISHED -j ACCEPT
-A INPUT -p udp -m udp --dport 53 -m state --state NEW,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m tcp --sport 53 -m state --state NEW,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m tcp --dport 53 -m state --state NEW,ESTABLISHED -j ACCEPT
-A OUTPUT -p udp -m udp --dport 53 -m state --state NEW,ESTABLISHED -j ACCEPT
-A OUTPUT -p udp -m udp --sport 53 -m state --state NEW,ESTABLISHED -j ACCEPT
-A OUTPUT -p tcp -m tcp --dport 53 -m state --state NEW,ESTABLISHED -j ACCEPT
-A OUTPUT -p tcp -m tcp --sport 53 -m state --state NEW,ESTABLISHED -j ACCEPT
}}}
=== PING ===
{{{
#PING (outgoing echo-request, type 8; incoming echo-reply, type 0)
-A INPUT -p icmp -m icmp --icmp-type 0 -j ACCEPT
-A OUTPUT -p icmp -m icmp --icmp-type 8 -j ACCEPT
}}}
=== KDE Connect ===
{{{
#KDE Connect
-A INPUT -p udp -m udp --dport 1714:1764 -j ACCEPT
-A OUTPUT -p udp -m udp --dport 1714:1764 -j ACCEPT
-A OUTPUT -p tcp -m tcp --dport 1714:1764 -j ACCEPT
-A OUTPUT -p udp -m udp --sport 1714:1764 -j ACCEPT
-A OUTPUT -p tcp -m tcp --sport 1714:1764 -j ACCEPT
}}}
=== IRC ===
Port 6697 (IRC over TLS).
=== Email ===
==== IMAP ====
{{{
#IMAP
-A INPUT -p tcp --sport 993 -j ACCEPT
-A OUTPUT -p tcp --dport 993 -j ACCEPT
}}}
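Because the page asks for client rules to be as restrictive as possible, a quick audit of a {{{rules.v4}}} file helps before loading it. The following Python script is an added example, not part of this wiki page or of iptables-persistent; it flags INPUT ACCEPT rules that either accept {{{NEW}}} connections (server behaviour on a client) or carry no state match at all (such a rule matches any packet that merely carries the right port, e.g. the IMAP rule above). The sample rules are constructed from the snippets on this page.

```python
# Added example: audit client-side iptables rules from a rules.v4-style text.
# Constructed sample in the style of /etc/iptables/rules.v4 on this page.
SAMPLE_RULES = """\
:INPUT DROP [0:0]
:OUTPUT DROP [0:0]
-A INPUT -p tcp -m tcp --dport 443 -m state --state ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m tcp --dport 80 -m state --state NEW,ESTABLISHED -j ACCEPT
-A INPUT -p tcp --sport 993 -j ACCEPT
-A OUTPUT -p tcp -m tcp --dport 443 -m state --state NEW,ESTABLISHED -j ACCEPT
#-A INPUT -p tcp -m tcp --dport 8080 -m state --state ESTABLISHED -j ACCEPT
"""


def parse_rule(line):
    """Return (chain, states, target) for an '-A' rule line, else None.

    Policy lines (':INPUT DROP ...') and '#' comments are skipped.
    Both '-m state --state' and '-m conntrack --ctstate' are understood.
    """
    line = line.strip()
    if not line.startswith("-A "):
        return None
    tokens = line.split()
    chain = tokens[1]
    target = tokens[tokens.index("-j") + 1] if "-j" in tokens else None
    states = set()
    for flag in ("--state", "--ctstate"):
        if flag in tokens:
            states = set(tokens[tokens.index(flag) + 1].split(","))
    return chain, states, target


def audit_client_rules(text):
    """Return (line_number, reason) for every INPUT ACCEPT rule that is
    looser than a pure client needs."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        parsed = parse_rule(line)
        if parsed is None:
            continue
        chain, states, target = parsed
        if chain != "INPUT" or target != "ACCEPT":
            continue
        if not states:
            findings.append((lineno, "stateless ACCEPT: any packet with a matching port gets in"))
        elif "NEW" in states:
            findings.append((lineno, "accepts NEW inbound connections (server behaviour)"))
    return findings


if __name__ == "__main__":
    for lineno, reason in audit_client_rules(SAMPLE_RULES):
        print(f"line {lineno}: {reason}")
```

Run it against your own file with {{{python3 audit.py < /etc/iptables/rules.v4}}} after replacing {{{SAMPLE_RULES}}} with {{{sys.stdin.read()}}}; an empty result means every INPUT ACCEPT rule is limited to established traffic.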
== Server ==
= UFW =
== Restriction ==
== Applying the rules ==
== Client ==
== Server ==