@devovh
Last active November 22, 2025 19:13
Firewall CachyOS

Before.rules

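*filter

:ufw-before-input - [0:0]
:ufw-before-output - [0:0]
:ufw-before-forward - [0:0]
:ufw-not-local - [0:0]
# Flood-control sub-chains used in section 4.  A packet that is within the
# rate limit RETURNs from the sub-chain and continues through
# ufw-before-input; only the excess is dropped.
:ufw-syn-flood - [0:0]
:ufw-udp-flood - [0:0]

# --- BLOCK BROADCAST AND MULTICAST ---
# IPv4 broadcast
-A ufw-before-input  -d 255.255.255.255 -j DROP
-A ufw-before-output -d 255.255.255.255 -j DROP

# IPv4 multicast (224.0.0.0/4)
-A ufw-before-input  -d 224.0.0.0/4 -j DROP
-A ufw-before-output -d 224.0.0.0/4 -j DROP
# --- END OF BROADCAST / MULTICAST BLOCK ---

# --- BLOCK NETBIOS / SMB ---
# NetBIOS over UDP
-A ufw-before-input  -p udp --dport 137:139 -j DROP
-A ufw-before-output -p udp --dport 137:139 -j DROP

# NetBIOS over TCP
-A ufw-before-input  -p tcp --dport 137:139 -j DROP
-A ufw-before-output -p tcp --dport 137:139 -j DROP

# SMB over TCP
-A ufw-before-input  -p tcp --dport 445 -j DROP
-A ufw-before-output -p tcp --dport 445 -j DROP
# --- END OF NETBIOS / SMB BLOCK ---


# -----------------------
# 1. LAN BLOCK (full isolation)
# -----------------------
# Placed before the loopback and RELATED,ESTABLISHED rules, so nothing from
# or to this range is ever accepted in either direction.
# NOTE(review): if the DHCP server or DNS resolver of this host lives in
# 192.168.1.0/24, unicast traffic to it is dropped as well - confirm that
# this is intended for this host.
-A ufw-before-input -s 192.168.1.0/24 -j DROP
-A ufw-before-output -d 192.168.1.0/24 -j DROP

# -----------------------
# 2. LOOPBACK
# -----------------------
-A ufw-before-input -i lo -j ACCEPT
-A ufw-before-output -o lo -j ACCEPT

# -----------------------
# 3. EXISTING / RELATED TRAFFIC
# -----------------------
-A ufw-before-input   -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A ufw-before-output  -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A ufw-before-forward -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT

# -----------------------
# 4. ANTI-DDoS / FLOOD (aggressive)
# -----------------------

# Drop TCP packets that open a NEW connection without SYN
-A ufw-before-input -p tcp ! --syn -m conntrack --ctstate NEW -j DROP

# SYN rate limit.  The limit is enforced in a sub-chain: SYNs within the
# limit RETURN here and keep being evaluated by the rest of this chain and
# by whatever ufw evaluates after it (its user rules and the default
# policy); SYNs above the limit are dropped.  Do not replace the RETURN
# with ACCEPT - an ACCEPT without a port match in this chain is terminal
# and would admit every new TCP connection to every port (up to the rate
# limit) before the default deny policy is ever reached.
-A ufw-before-input -p tcp --syn -j ufw-syn-flood
-A ufw-syn-flood -m limit --limit 15/s --limit-burst 30 -j RETURN
-A ufw-syn-flood -j DROP

# Drop TCP packets with bogus flag combinations
-A ufw-before-input -p tcp --tcp-flags ALL NONE -j DROP
-A ufw-before-input -p tcp --tcp-flags ALL ALL -j DROP
-A ufw-before-input -p tcp --tcp-flags ALL FIN,URG,PSH -j DROP
-A ufw-before-input -p tcp --tcp-flags ALL SYN,RST,ACK,FIN,URG -j DROP

# UDP FLOOD - same sub-chain pattern as the SYN limit above: new UDP flows
# within the limit continue down this chain, the excess is dropped.
-A ufw-before-input -p udp -m conntrack --ctstate INVALID -j DROP
-A ufw-before-input -p udp -m conntrack --ctstate NEW -j ufw-udp-flood
-A ufw-udp-flood -m limit --limit 10/s --limit-burst 20 -j RETURN
-A ufw-udp-flood -j DROP

# Rate-limited logging sample.  This rule has no match other than the limit
# and LOG does not terminate rule processing, so it samples every packet
# that reaches this point, not only packets that end up dropped - read the
# "UFW-DROPPED" prefix with that in mind.
-A ufw-before-input -m limit --limit 3/min --limit-burst 5 -j LOG --log-prefix "UFW-DROPPED: "

# -----------------------
# 5. ICMP (aggressively limited)
# -----------------------
# echo-request (ping): at most 1/s, burst of 2
-A ufw-before-input -p icmp --icmp-type echo-request -m limit --limit 1/s --limit-burst 2 -j ACCEPT
# other essential ICMP types
-A ufw-before-input -p icmp --icmp-type destination-unreachable -j ACCEPT
-A ufw-before-input -p icmp --icmp-type time-exceeded -j ACCEPT
-A ufw-before-input -p icmp --icmp-type parameter-problem -j ACCEPT

# -----------------------
# 6. ufw-not-local (aggressive protection of local traffic)
# -----------------------
-A ufw-before-input -j ufw-not-local
# packets addressed to this host (or to multicast/broadcast) return and
# continue in ufw-before-input
-A ufw-not-local -m addrtype --dst-type LOCAL -j RETURN
-A ufw-not-local -m addrtype --dst-type MULTICAST -j RETURN
-A ufw-not-local -m addrtype --dst-type BROADCAST -j RETURN
# anything else is not for this host: log a sample, then drop
-A ufw-not-local -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "UFW-LOCAL-DROP: "
-A ufw-not-local -j DROP

COMMIT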

sudo nano /etc/systemd/system/disable-multicast.service

[Unit]
# Clears the multicast flag on enp3s0 once at boot, complementing the
# multicast DROP rules in before.rules.  The interface name is hard-coded
# here and in ExecStart below.
# NOTE(review): network.target does not guarantee the interface already
# exists; if the unit fails because the device is absent, order it after
# sys-subsystem-net-devices-enp3s0.device instead.
Description=Disable multicast on enp3s0
After=network.target

[Service]
# oneshot: the command runs once and exits.  RemainAfterExit keeps the unit
# reported as active afterwards instead of "inactive (dead)".
Type=oneshot
ExecStart=/sbin/ip link set dev enp3s0 multicast off
RemainAfterExit=yes

[Install]
WantedBy=multi-user.target

sudo systemctl enable disable-multicast.service

sudo systemctl start disable-multicast.service

Delete:

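#!/bin/bash
# Remove a fixed list of files from the Rust crate cache and from the
# Wine/Proton trees on this host.
#
# NOTE(review): the paths below look like scanner hits on a flate2 test
# fixture and on Wine's bundled kernel32.dll.  Confirm they are not false
# positives before running - removing kernel32.dll from a Wine/Proton tree
# will very likely break every prefix that uses that tree until the package
# is reinstalled.
#
# Usage: delete.sh [PATH...]
#   With no arguments the built-in list below is removed; otherwise only the
#   given paths are.  Absent paths are reported and skipped.
#   Exit status is non-zero if any removal failed.
set -u

# Default targets (absolute, host-specific paths).
readonly -a DEFAULT_TARGETS=(
  /home/alfa/.cargo/registry/cache/index.crates.io-1949cf8c6b5b557f/flate2-1.1.5.crate
  /home/alfa/.cargo/registry/src/index.crates.io-1949cf8c6b5b557f/flate2-1.1.5/tests/multi.gz
  /root/.cargo/registry/cache/index.crates.io-1949cf8c6b5b557f/flate2-1.1.5.crate
  /root/.cargo/registry/src/index.crates.io-1949cf8c6b5b557f/flate2-1.1.5/tests/multi.gz
  /home/alfa/.local/share/Steam/steamapps/compatdata/0/pfx/drive_c/windows/system32/kernel32.dll
  /home/alfa/.local/share/Steam/steamapps/compatdata/0/pfx/drive_c/windows/syswow64/kernel32.dll
  /usr/share/steam/compatibilitytools.d/proton-cachyos/files/lib/wine/i386-windows/kernel32.dll
  /usr/share/steam/compatibilitytools.d/proton-cachyos/files/lib/wine/x86_64-windows/kernel32.dll
  /usr/share/steam/compatibilitytools.d/proton-cachyos-slr/files/lib/wine/i386-windows/kernel32.dll
  /usr/share/steam/compatibilitytools.d/proton-cachyos-slr/files/lib/wine/x86_64-windows/kernel32.dll
  /usr/lib/wine/i386-windows/kernel32.dll
  /usr/lib/wine/x86_64-windows/kernel32.dll
  /opt/wine-cachyos/lib/wine/i386-windows/kernel32.dll
  /opt/wine-cachyos/lib/wine/x86_64-windows/kernel32.dll
)

#######################################
# Remove each given path with sudo, skipping paths that do not exist.
# Arguments: paths to remove
# Outputs:   one progress line per path on stderr
# Returns:   0 if every existing path was removed, 1 otherwise
#######################################
remove_paths() {
  local path
  local rc=0
  for path in "$@"; do
    # -L catches dangling symlinks, which -e alone reports as absent.
    if [[ ! -e "$path" && ! -L "$path" ]]; then
      printf 'skip (absent): %s\n' "$path" >&2
      continue
    fi
    printf 'removing: %s\n' "$path" >&2
    # '--' ends option parsing so a path can never be read as an rm flag.
    sudo rm -- "$path" || rc=1
  done
  return "$rc"
}

#######################################
# Entry point: use the built-in list unless paths were given on the command line.
# Arguments: optional paths to remove instead of DEFAULT_TARGETS
# Returns:   status of remove_paths
#######################################
main() {
  if (( $# == 0 )); then
    remove_paths "${DEFAULT_TARGETS[@]}"
  else
    remove_paths "$@"
  fi
}

# Run only when executed directly, not when sourced.
if [[ "${BASH_SOURCE[0]}" == "$0" ]]; then
  main "$@"
fi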