- ###############################################################################
- # You should put this config-file in /etc/arno-iptables-firewall/ #
- ###############################################################################
- # --------------------------- Configuration file ------------------------------
- # -= Arno's iptables firewall =-
- # Single- & multi-homed firewall script with DSL/ADSL support
- #
- # (C) Copyright 2001-2012 by Arno van Amersfoort
- # Co-authors : Lonnie Abelbeck & Philip Prindeville
- # Homepage : http://rocky.eld.leidenuniv.nl/
- # Freshmeat : http://freshmeat.net/projects/iptables-firewall/?topic_id=151
- # Email : arnova AT rocky DOT eld DOT leidenuniv DOT nl
- # (note: you must remove all spaces and substitute the @ and the .
- # at the proper locations!)
- # -----------------------------------------------------------------------------
- # This program is free software; you can redistribute it and/or
- # modify it under the terms of the GNU General Public License
- # version 2 as published by the Free Software Foundation.
- # This program is distributed in the hope that it will be useful, but WITHOUT
- # ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
- # FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for
- # more details.
- # You should have received a copy of the GNU General Public License along with
- # this program; if not, write to the Free Software Foundation Inc., 59 Temple
- # Place - Suite 330, Boston, MA 02111-1307, USA.
- # -----------------------------------------------------------------------------
- ###############################################################################
- # External (internet) interface settings #
- ###############################################################################
- # The external interface(s) that will be protected (and used as internet
- # connection). This is probably ppp+ or dsl+ for non-transparent(!) (A)DSL
- # modems otherwise it's probably "ethX" (eg. eth0). Multiple interfaces should
- # be space separated.
- # -----------------------------------------------------------------------------
- EXT_IF="ppp0"
- # Enable if THIS machines (dynamically) obtains its IP through (IPv4) DHCP
- # and/or (IPv6) DHCPv6 (from your ISP)
- # -----------------------------------------------------------------------------
- EXT_IF_DHCP_IP=1
- # (EXPERT SETTING!) Here you can specify your external(!) IPv4 subnet(s). You
- # should only use this if you for example have a corporate network and/or
- # running a DHCP server on your external(!) interface. Home users should
- # normally NOT touch this setting. Multiple subnets should be space separated.
- # Don't forget to specify a proper subnet masker (eg. /24, /16 or /8)!
- # -----------------------------------------------------------------------------
- #EXTERNAL_NET=""
- # (EXPERT SETTING!) Here you can specify the IPv4 address used for broadcasts
- # on your external subnet. You only need to set this option if you want to use
- # the BROADCAST_XXX_NOLOG variables AND you use a non-standard broadcast
- # address (not *.255.255.255, *.*.255.255 or *.*.*.255)! So normally leaving
- # this empty should work fine. Multiple addresses should be space separated.
- # -----------------------------------------------------------------------------
- #EXT_NET_BCAST_ADDRESS=""
- # Enable this if THIS MACHINE is running an IPv4 DHCP(BOOTP) server for a subnet
- # on the external(!) interface. Note that you don't need this for internal
- # subnets, as for these nets everything is accepted by default. Don't forget to
- # configure the EXTERNAL_NET variable, to make this work. (IPv4 Only)
- # -----------------------------------------------------------------------------
- EXTERNAL_DHCP_SERVER=0
- # Enable this if THIS MACHINE is running an IPv6 DHCPv6 server for a Link-Local
- # address on the external(!) interface. Note that you don't need this for internal
- # subnets, as for these nets everything is accepted by default. (IPv6 Only)
- # -----------------------------------------------------------------------------
- EXTERNAL_DHCPV6_SERVER=0
- ###############################################################################
- # Internal (LAN) interface settings #
- ###############################################################################
- # Specify here your internal network (LAN) interface(s). Multiple(!) interfaces
- # should be space separated. Remark this if you don't have any internal network
- # interfaces. Note that by default ALL traffic is accepted from these
- # interfaces.
- # -----------------------------------------------------------------------------
- INT_IF="br0"
- # Specify here the internal IPv4 subnet(s) which is/are connected to the
- # internal interface(s). For multiple interfaces(!) you can either specify
- # multiple subnets here or specify one big subnet for all internal interfaces.
- # Note that this variable is mainly used for antispoofing.
- # -----------------------------------------------------------------------------
- INTERNAL_NET="192.168.0.0/24"
- # Set this variable to 0 to disable antispoof checking for the internal nets
- # (EXPERT SETTING!)
- # -----------------------------------------------------------------------------
- INTERNAL_NET_ANTISPOOF=1
- # (EXPERT SETTING!) Here you can specify the IPv4 address used for broadcasts
- # on your internal subnet. You only need to set this option if you want to use
- # the MAC filter AND you use a non-standard broadcast address
- # (not *.255.255.255, *.*.255.255 or *.*.*.255)! So normally leaving
- # this empty should work fine. Multiple addresses (if you have multiple
- # internal nets) should be space separated.
- # -----------------------------------------------------------------------------
- #INT_NET_BCAST_ADDRESS=""
- ###############################################################################
- # DMZ (aka DeMilitarized Zone) settings #
- ###############################################################################
- # Put in the following variable the network interfaces that are DMZ-classified.
- # You can also use this interface if you want to shield your Wireless network
- # from your LAN.
- # -----------------------------------------------------------------------------
- DMZ_IF=""
- # Specify here the subnet which is connected to the DMZ interface (DMZ_IF).
- # For multiple interfaces(!) you can either specify multiple subnets here or
- # specify one big subnet for all DMZ interfaces.
- # -----------------------------------------------------------------------------
- DMZ_NET=""
- # Set this variable to 0 to disable antispoof checking for the dmz nets
- # (EXPERT SETTING!)
- # -----------------------------------------------------------------------------
- DMZ_NET_ANTISPOOF=1
- ###############################################################################
- # NAT (Masquerade, SNAT, DNAT) settings (IPv4 only!) #
- ###############################################################################
- # Enable this if you want to perform NAT (masquerading) for your internal
- # network (LAN) (eg. share your internet connection with your internal
- # net(s) connected to eg. INT_IF)
- # -----------------------------------------------------------------------------
- NAT=1
- # (EXPERT SETTING!) In case you would like to use SNAT instead of
- # MASQUERADING then uncomment and set the IP or IPs here of your static
- # external address(es). Note that when multiple IPs are specified, SNAT
- # multiroute is enabled (load balancing over multiple external (internet)
- # interfaces, check the README file for more info). Note that the order of IPs
- # should match the order of interfaces (they belong to) in $EXT_IF!
- # -----------------------------------------------------------------------------
- #NAT_STATIC_IP="193.2.1.1"
- # (EXPERT SETTING!) Use this variable only if you want specific subnets or
- # hosts to be able to access the internet. When no value is specified, your
- # whole internal net will have access. In both cases it's obviously only
- # meaningful when NAT is enabled. Note that you can also use this variable if
- # you want to use NAT for your DMZ.
- # -----------------------------------------------------------------------------
- NAT_INTERNAL_NET="$INTERNAL_NET"
- # (EXPERT SETTING!) Enable this if you want to be able to redirect local ports
- # or protocols on your gateway using NAT forwards.
- # -----------------------------------------------------------------------------
- NAT_LOCAL_REDIRECT=1
- # NAT TCP/UDP/IP forwards. Forward ports or protocols from the gateway to
- # an internal client through (D)NAT. Note that you can also use these
- # variables to forward ports to DMZ hosts.
- #
- # TCP/UDP form:
- # "{SRCIP1,SRCIP2,...~}PORT1,PORT2-PORT3,...>DESTIP1{~port} \
- # {SRCIP3,...~}PORT3,...>DESTIP2{~port}"
- #
- # IP form:
- # "{SRCIP1,SRCIP2,...~}PROTO1,PROTO2,...>DESTIP1 \
- # {SRCIP3~}PROTO3,PROTO4,...>DESTIP2"
- #
- # TCP/UDP port forward examples:
- # Simple (forward port 80 to internal host 192.168.0.10):
- # NAT_FORWARD_xxx="80>192.168.0.10 20,21>192.168.0.10"
- # Advanced (forward port 20 & 21 to 192.168.0.10 and
- # forward from 1.2.3.4 port 81 to 192.168.0.11 port 80:
- # NAT_FORWARD_xxx="1.2.3.4~81>192.168.0.11~80"
- #
- # IP protocol forward example:
- # (forward protocols 47 & 48 to 192.168.0.10)
- # NAT_FORWARD_IP="47,48>192.168.0.10"
- #
- # NOTE 1: {~port} is optional. Use it to redirect a specific port to a
- # different port on the internal client.
- # NOTE 2: {SRCIPx} is optional. Use it to restrict access for specific source
- # (inet) IP addresses.
- # (IPv4 Only)
- # -----------------------------------------------------------------------------
- NAT_FORWARD_TCP=""
- NAT_FORWARD_UDP=""
- NAT_FORWARD_IP=""
- # TCP/UDP/IP forwards. Forward IPv6 and non-NAT'ed IPv4 ports or protocols
- # from the gateway to an internal client. Note that you can also use these
- # variables to forward ports to DMZ hosts.
- #
- # TCP/UDP form:
- # "SRCIP1,SRCIP2,...>DESTIP1{~port} \
- # SRCIP3,...>DESTIP2{~port}"
- #
- # IP form:
- # "SRCIP1,SRCIP2,...>DESTIP1~PROTO \
- # SRCIP3,...>DESTIP2~PROTO"
- #
- # TCP/UDP port forward examples:
- # Simple (IPv6 forward port 80 to internal host 2001:db8::2):
- # INET_FORWARD_TCP="::/0>2001:db8::2~80"
- # Simple (IPv4 non-NAT forward port 80 to internal host 192.168.0.10):
- # INET_FORWARD_TCP="0/0>192.168.0.10~80"
- # Advanced (forward all UDP ports for 2000::/3 net to 2001:db8::/32 net):
- # INET_FORWARD_UDP="2000::/3>2001:db8::/32"
- #
- # IP protocol forward example:
- # (forward protocol 58 (ICMPv6) to 2001:db8::2)
- # INET_FORWARD_IP="::/0>2001:db8::2~58"
- #
- # (IPv6 and non-NAT'ed IPv4 Only)
- # -----------------------------------------------------------------------------
- INET_FORWARD_TCP=""
- INET_FORWARD_UDP=""
- INET_FORWARD_IP=""
- ###############################################################################
- # General settings #
- ###############################################################################
- # (EXPERT SETTING!) Location of the iptables-binary (use 'locate iptables' or
- # 'whereis iptables' to manually locate it), required for (default) IPv4 support
- # -----------------------------------------------------------------------------
- IP4TABLES="/sbin/iptables"
- # (EXPERT SETTING!) Location of the ip6tables-binary (use 'locate ip6tables' or
- # 'whereis ip6tables' to manually locate it), required for IPv6 support
- # -----------------------------------------------------------------------------
- IP6TABLES="/sbin/ip6tables"
- # (EXPERT SETTING!) Location of the environment file
- # -----------------------------------------------------------------------------
- ENV_FILE="/usr/libexec/arno-iptables-firewall/environment"
- # (EXPERT SETTING!) Location of plugin binary & config files
- # -----------------------------------------------------------------------------
- PLUGIN_BIN_PATH="/usr/libexec/arno-iptables-firewall/plugins"
- PLUGIN_CONF_PATH="/etc/arno-iptables-firewall/plugins"
- # Most people don't want to get any firewall logs being spit to the console.
- # This option makes the kernel ring buffer only log messages with level
- # "panic".
- # -----------------------------------------------------------------------------
- DMESG_PANIC_ONLY=1
- # Enable this if you want TOS mangling (RFC)
- # -----------------------------------------------------------------------------
- MANGLE_TOS=1
- # Enable this if you want to set the maximum packet size via the
- # Maximum Segment Size(through MSS field)
- # -----------------------------------------------------------------------------
- SET_MSS=1
- # Enable this if you want to increase the TTL value by one in the prerouting
- # chain. This hides the firewall when performing eg. traceroutes to internal
- # hosts. (IPv4 only!)
- # -----------------------------------------------------------------------------
- TTL_INC=0
- # (EXPERT SETTING!) Enable this if you want to set the TTL value for packets in
- # the OUTPUT & FORWARD chain. Note that this only works with newer 2.6 kernels
- # (2.6.14 or better) or patched 2.4 kernels, which have netfilter TTL target
- # support. Don't mess with this unless you really know what you are doing!
- # (IPv4 only!)
- # -----------------------------------------------------------------------------
- #PACKET_TTL="64"
- # (EXPERT SETTING!) Enable this if you want our internal DNS functions to fail
- # "fast". This means a query will be tried only once and times out after 1
- # second, the default is 3 tries and a 5 second timeout.
- # Note: The command 'dig' is preferred, 'nslookup' will be used if 'dig' is not
- # available, though the BusyBox 'nslookup' is not supported with this option.
- # -------------------------------------------------------------------------------
- DNS_FAST_FAIL=0
- # Enable this to support the IRC-protocol.
- # -----------------------------------------------------------------------------
- USE_IRC=1
- # (EXPERT SETTING!) Loosen the forward chain for the external interface(s).
- # Enable it to allow the use of protocols like UPnP. Note that it *could* be
- # less secure.
- # -----------------------------------------------------------------------------
- LOOSE_FORWARD=1
- # (EXPERT SETTING!) Enable (1) to allow IPv6 Link-Local addresses to be
- # forwarded between interfaces. (IPv6 Only)
- # -----------------------------------------------------------------------------
- FORWARD_LINK_LOCAL=0
- # (EXPERT SETTING!) Disable (0) to not drop all IPv6 packets with
- # Routing Header Type 0. Enabled by default. (IPv6 Only)
- # -----------------------------------------------------------------------------
- IPV6_DROP_RH_ZERO=1
- # (EXPERT SETTING!) Enable this if you want to drop packets originating from a
- # private address.
- # Note: To enable logging of dropped private addresses set RESERVED_NET_LOG=1
- # -----------------------------------------------------------------------------
- RESERVED_NET_DROP=0
- # (EXPERT SETTING!) Protect this machine from being abused for a DRDOS-attack
- # ("Distributed Reflection Denial Of Service"-attack). (STILL EXPERIMENTAL!)
- # -----------------------------------------------------------------------------
- DRDOS_PROTECT=0
- # Enable (1) if you want to enable mixed IPv4/IPv6 traffic support
- # Disable (0) if you want to enable only IPv4 traffic support
- # -----------------------------------------------------------------------------
- IPV6_SUPPORT=0
- # This option fixes problems with SMB broadcasts when using nmblookup
- # -----------------------------------------------------------------------------
- NMB_BROADCAST_FIX=0
- # Set this to 0 to suppress "assuming module is compiled in kernel" messages
- # -----------------------------------------------------------------------------
- COMPILED_IN_KERNEL_MESSAGES=0
- # (EXPERT SETTING!) You can choose the default policy for the INPUT & FORWARD
- # chain here (1=DROP, 0=ACCEPT). The default policy is DROP. This means that
- # when there are no rule(s) available (yet), the packet will be DROPPED. In
- # practice this rule only does something while the firewall is starting. Once
- # it's started and all rules are in place, the default policy doesn't do
- # anything anymore. People that use eg. NFS and let their clients boot from NFS
- # (diskless client systems) probably want to disable this option to fix
- # "NFS server not responding" etc. errors on their clients.
- # -----------------------------------------------------------------------------
- DEFAULT_POLICY_DROP=1
- # (EXPERT SETTING!) (Other) trusted network interfaces for which ALL IP
- # traffic should be ACCEPTED. (multiple(!) interfaces should be space
- # separated). Be warned that anything TO and FROM these interfaces is allowed
- # (ACCEPTED) so make sure it's NOT routable(accessible) from the outside world
- # (internet)! And of course putting one of your external interfaces here would
- # be extremely stupid.
- # -----------------------------------------------------------------------------
- TRUSTED_IF=""
- # (EXPERT SETTING!) Put here the interfaces that should trust
- # each other (accept forward traffic). You can use | (piping-sign) to create
- # seperate interface groups. And (again) of course putting one of your external
- # interfaces here would be extremely stupid.
- # -----------------------------------------------------------------------------
- IF_TRUSTS=""
- # Location of the custom iptables rules file (if any).
- # -----------------------------------------------------------------------------
- CUSTOM_RULES="/etc/arno-iptables-firewall/custom-rules"
- # Location of the local (user/global) configuration file, if used
- # -----------------------------------------------------------------------------
- LOCAL_CONFIG_FILE=""
- # Location of the local directory, if defined, containing *.conf file(s)
- # in that directory, and sources them for configuration variables.
- # Note: An undefined LOCAL_CONFIG_DIR variable defaults to the default below.
- # -----------------------------------------------------------------------------
- LOCAL_CONFIG_DIR="/etc/arno-iptables-firewall/conf.d"
- # (EXPERT SETTING!) Set this (to 1) to disable the use of iptables-save and
- # iptables-restore to add rules in batch rather than one-by-one. Much slower
- # when disabled. BLOCK_HOSTS and BLOCK_HOSTS_FILE utilizes this feature.
- # -----------------------------------------------------------------------------
- DISABLE_IPTABLES_BATCH=0
- # (EXPERT SETTING!) Set this (to 1) to enable tracing
- # -----------------------------------------------------------------------------
- TRACE=0
- ###############################################################################
- # Logging options - All logging is rate limited to prevent log flooding #
- ###############################################################################
- # Enable logging for explicitly blocked hosts.
- # -----------------------------------------------------------------------------
- BLOCKED_HOST_LOG=1
- # Enable logging for various stealth scans (reliable).
- # -----------------------------------------------------------------------------
- SCAN_LOG=1
- # Enable logging for possible stealth scans (less reliable).
- # -----------------------------------------------------------------------------
- POSSIBLE_SCAN_LOG=1
- # Enable logging for TCP-packets with bad flags.
- # -----------------------------------------------------------------------------
- BAD_FLAGS_LOG=1
- # Enable logging of invalid TCP packets. Keep disabled (0) by default to reduce
- # INVALID packets being logged because of lost (legimate) connections. When
- # debugging any problems, you should enable it (temporarily)!
- # -----------------------------------------------------------------------------
- INVALID_TCP_LOG=0
- # Enable logging of invalid UDP packets. Keep disabled (0) by default to reduce
- # INVALID packets being logged because of lost (legimate) connections. When
- # debugging any problems, you should enable it (temporarily)!
- # -----------------------------------------------------------------------------
- INVALID_UDP_LOG=0
- # Enable logging of invalid ICMP packets. Keep disabled (0) by default to reduce
- # INVALID packets being logged because of lost (legimate) connections. When
- # debugging any problems, you should enable it (temporarily)!
- # -----------------------------------------------------------------------------
- INVALID_ICMP_LOG=0
- # Enable (1) logging of source IPs with reserved or private addresses.
- # -----------------------------------------------------------------------------
- RESERVED_NET_LOG=0
- # Enable logging of fragmented packets.
- # -----------------------------------------------------------------------------
- FRAG_LOG=1
- # Enable logging of denied local (OUTPUT) connections.
- # -----------------------------------------------------------------------------
- INET_OUTPUT_DENY_LOG=1
- # Enable logging of denied LAN output (FORWARD) connections.
- # -----------------------------------------------------------------------------
- LAN_OUTPUT_DENY_LOG=1
- # Enable logging of denied LAN INPUT connections.
- # -----------------------------------------------------------------------------
- LAN_INPUT_DENY_LOG=1
- # Enable logging of denied DMZ output (FORWARD) connections.
- # -----------------------------------------------------------------------------
- DMZ_OUTPUT_DENY_LOG=1
- # Enable logging of denied DMZ input (FORWARD) connections.
- # -----------------------------------------------------------------------------
- DMZ_INPUT_DENY_LOG=1
- # Enable logging of dropped FORWARD packets.
- # -----------------------------------------------------------------------------
- FORWARD_DROP_LOG=1
- # Enable logging of dropped IPv6 Link-Local forwarded packets.
- # Note: requires FORWARD_LINK_LOCAL=0 (IPv6 Only)
- # -----------------------------------------------------------------------------
- LINK_LOCAL_DROP_LOG=1
- # Enable logging of dropped ICMP-request packets (ping).
- # -----------------------------------------------------------------------------
- ICMP_REQUEST_LOG=1
- # Enable logging of dropped "other" ICMP packets.
- # -----------------------------------------------------------------------------
- ICMP_OTHER_LOG=1
- # Enable logging of normal connection attempts to privileged TCP ports.
- # -----------------------------------------------------------------------------
- PRIV_TCP_LOG=1
- # Enable logging of normal connection attempts to privileged UDP ports.
- # -----------------------------------------------------------------------------
- PRIV_UDP_LOG=1
- # Enable logging of normal connection attempts to unprivileged TCP ports.
- # -----------------------------------------------------------------------------
- UNPRIV_TCP_LOG=1
- # Enable logging of normal connection attempts to unprivileged UDP ports.
- # -----------------------------------------------------------------------------
- UNPRIV_UDP_LOG=1
- # Enable logging of IPv4 IGMP packets
- # -----------------------------------------------------------------------------
- IGMP_LOG=1
- # Enable logging of normal connection attempts to "other-IP"-protocols (non
- # TCP/UDP/ICMP/IGMP).
- # -----------------------------------------------------------------------------
- OTHER_IP_LOG=1
- # Enable logging for ICMP flooding.
- # -----------------------------------------------------------------------------
- ICMP_FLOOD_LOG=1
- # (EXPERT SETTING!) The location of the dedicated firewall log file. When
- # enabled the firewall script will also log start/stop etc. info to this file
- # as well. Note that in order to make this work, you should also configure
- # syslogd to log firewall messages to this file (see LOGLEVEL below for further
- # info).
- # -----------------------------------------------------------------------------
- #FIREWALL_LOG="/var/log/firewall.log"
- # (EXPERT SETTING!) Current log-level ("info": default kernel syslog level)
- # "debug": can be used to log to /var/log/firewall.log, but you have to configure
- # syslogd accordingly (see included syslogd.conf examples).
- # -----------------------------------------------------------------------------
- LOGLEVEL="info"
- # Put in the following variables which hosts you want to log certain incoming
- # connection attempts for.
- # TCP/UDP port format (LOG_HOST_INPUT_xxx):
- # "host1,host2~port1,port2 host3,host4~port3,port4 ..."
- #
- # IP protocol format (LOG_HOST_INPUT_IP):
- # "host1,host2~proto1,proto2 host3,host4~proto4,proto4 ..."
- # -----------------------------------------------------------------------------
- LOG_HOST_INPUT_TCP=""
- LOG_HOST_INPUT_UDP=""
- LOG_HOST_INPUT_IP=""
- # Put in the following variables which hosts you want to log certain outgoing
- # connection attempts for.
- # TCP/UDP port format (LOG_HOST_OUTPUT_xxx):
- # "host1,host2~port1,port2 host3,host4~port3,port4 ..."
- #
- # IP protocol format (LOG_HOST_OUTPUT_IP):
- # "host1,host2~proto1,proto2 host3,host4~proto4,proto4 ..."
- # -----------------------------------------------------------------------------
- LOG_HOST_OUTPUT_TCP=""
- LOG_HOST_OUTPUT_UDP=""
- LOG_HOST_OUTPUT_IP=""
- # Put in the following variables which services you want to log incoming
- # connection attempts for.
- # -----------------------------------------------------------------------------
- LOG_INPUT_TCP=""
- LOG_INPUT_UDP=""
- LOG_INPUT_IP=""
- # Put in the following variables which services you want to log outgoing
- # connection attempts for.
- # -----------------------------------------------------------------------------
- LOG_OUTPUT_TCP=""
- LOG_OUTPUT_UDP=""
- LOG_OUTPUT_IP=""
- # Put in the following variable which hosts you want to log incoming connection
- # (attempts) for.
- # -----------------------------------------------------------------------------
- LOG_HOST_INPUT=""
- # Put in the following variable which hosts you want to log outgoing connection
- # (attempts) to.
- # -----------------------------------------------------------------------------
- LOG_HOST_OUTPUT=""
- ###############################################################################
- # sysctl based settings (EXPERT SETTINGS!) #
- ###############################################################################
- # Enable for synflood protection (through /proc/.../tcp_syncookies).
- # -----------------------------------------------------------------------------
- SYN_PROT=1
- # Enable this to reduce the ability of others DOS'ing your machine.
- # -----------------------------------------------------------------------------
- REDUCE_DOS_ABILITY=1
- # Enable to ignore all ICMP echo-requests (IPv4) on ALL interfaces.
- # -----------------------------------------------------------------------------
- ECHO_IGNORE=0
- # Enable to log packets with impossible addresses to the kernel log.
- # -----------------------------------------------------------------------------
- LOG_MARTIANS=0
- # Only disable this if you're NOT using forwarding (required for NAT etc.) for
- # increased security.
- # Note: If enabled and IPV6 enabled, local IPv6 autoconf will be disabled.
- # -----------------------------------------------------------------------------
- IP_FORWARDING=1
- # (EXPERT SETTING!) Only disable this if IP_FORWARDING is disabled and
- # you do not use autoconf to obtain your IPv6 address.
- # Note: This is ignored if IP_FORWARDING is enabled. (IPv6 Only)
- # -----------------------------------------------------------------------------
- IPV6_AUTO_CONFIGURATION=1
- # Enable if you want to accept ICMP redirect messages. Should be set to "0" in
- # case of a router.
- # -----------------------------------------------------------------------------
- ICMP_REDIRECT=0
- # Enable/modify this if you want to be a able to handle a larger (or smaller)
- # number of simultaneous connections. For high traffic machines I recommend to
- # use a value of at least 16384 (note that a higher value (obviously) also uses
- # more memory).
- # -----------------------------------------------------------------------------
- CONNTRACK=65536
- # Enable ECN (Explicit Congestion Notification) TCP flag. Disabled by default,
- # as some routers are still not compatible with this.
- # -----------------------------------------------------------------------------
- ECN=0
- # Enable to drop connections from non-routable IPs, eg. prevent source
- # routing. By default the firewall itself also provides rules against source
- # routing. Note than when you use eg. VPN (Freeswan), you should probably
- # disable this setting.
- # -----------------------------------------------------------------------------
- RP_FILTER=1
- # Protect against source routed packets. Attackers can use source routing to
- # generate traffic pretending to be from inside your network, but which is
- # routed back along the path from which it came, namely outside, so attackers
- # can compromise your network. Source routing is rarely used for legitimate
- # purposes, so normally you should always leave this enabled(1)!
- # -----------------------------------------------------------------------------
- SOURCE_ROUTE_PROTECTION=1
- # Here we set the local port range (ports from which connections are
- # initiated from our site). Don't mess with this unless you really know what
- # you are doing!
- # -----------------------------------------------------------------------------
- LOCAL_PORT_RANGE="32768 61000"
- # Here you can change the default TTL used for sending packets. The value
- # should be between 10 and 255. Don't mess with this unless you really know
- # what you are doing!
- # -----------------------------------------------------------------------------
- DEFAULT_TTL=64
- # In most cases pmtu discovery is ok, but in some rare cases (when having
- # problems) you might want to disable it.
- # -----------------------------------------------------------------------------
- NO_PMTU_DISCOVERY=0
- ###############################################################################
- # Firewall policies for the LAN (EXPERT SETTINGS!) #
- ###############################################################################
- ###############################################################################
- # LAN_xxx = LAN->localhost(this machine) input access rules #
- # #
- # Note that when both LAN_OPEN_xxx & LAN_HOST_OPEN_xxx are NOT used, the #
- # default policy for this chain is accept (unless denied through #
- # LAN_DENY_xxx and/or LAN_HOST_DENY_xxx)! #
- ###############################################################################
- # Disable this (set to "") to automatically set default policy as above.
- # When set to "1" the LAN->localhost default policy will always be DROP
- # When set to "0" the LAN->localhost default policy will always be ACCEPT
- # -----------------------------------------------------------------------------
- LAN_DEFAULT_POLICY_DROP=""
- # Enable this to allow for ICMP-requests(ping) from your LAN
- # -----------------------------------------------------------------------------
- LAN_OPEN_ICMP=1
- # Put in the following variables the TCP/UDP ports or IP protocols TO
- # (remote end-point) which the LAN hosts are permitted to connect to.
- # -----------------------------------------------------------------------------
- LAN_OPEN_TCP=""
- LAN_OPEN_UDP=""
- LAN_OPEN_IP=""
- # Put in the following variables the TCP/UDP ports or IP protocols TO (remote
- # end-point) which LAN hosts are NOT permitted to connect to.
- # -----------------------------------------------------------------------------
- LAN_DENY_TCP=""
- LAN_DENY_UDP=""
- LAN_DENY_IP=""
- # Put in the following variables the TCP/UDP ports or IP
- # protocols TO (remote end-point) which certain LAN hosts are
- # permitted to connect to.
- #
- # TCP/UDP port format (LAN_HOST_OPEN_TCP & LAN_HOST_OPEN_UDP):
- # "host1,host2~port1,port2 host3,host4~port3,port4 ..."
- #
- # IP protocol format (LAN_HOST_OPEN_IP):
- # "host1,host2~proto1,proto2 host3,host4~proto3,proto4 ..."
- # -----------------------------------------------------------------------------
- LAN_HOST_OPEN_TCP=""
- LAN_HOST_OPEN_UDP=""
- LAN_HOST_OPEN_IP=""
- # Put in the following variables the TCP/UDP ports or IP protocols TO (remote
- # end-point) which certain LAN hosts are NOT permitted to connect to.
- #
- # TCP/UDP port format (LAN_HOST_DENY_TCP & LAN_HOST_DENY_UDP):
- # "host1,host2~port1,port2 host3,host4~port3,port4 ..."
- #
- # IP protocol format (LAN_HOST_DENY_IP):
- # "host1,host2~proto1,proto2 host3,host4~proto3,proto4 ..."
- # -----------------------------------------------------------------------------
- LAN_HOST_DENY_TCP=""
- LAN_HOST_DENY_UDP=""
- LAN_HOST_DENY_IP=""
- ###############################################################################
- # LAN_INET_xxx = LAN->internet access rules (forward) #
- # #
- # Note that when the LAN_INET_OPEN_xxx & LAN_INET_HOST_OPEN_xxx variables are #
- # NOT used, the default policy will be accept for LAN->INET (unless denied #
- # through LAN_INET_DENY_xxx and/or LAN_INET_HOST_DENY_xxx)! #
- ###############################################################################
- # Disable this (set to "") to automatically set default policy as above.
- # When set to "1" the LAN->INET default policy will always be DROP
- # When set to "0" the LAN->INET default policy will always be ACCEPT
- # -----------------------------------------------------------------------------
- LAN_INET_DEFAULT_POLICY_DROP=""
- # Enable this to allow for ICMP-requests(ping) for LAN->INET
- # -----------------------------------------------------------------------------
- LAN_INET_OPEN_ICMP=1
- # Put in the following variables the TCP/UDP ports or IP
- # protocols TO (remote end-point) which the LAN hosts are
- # permitted to connect to via the external (internet) interface.
- # -----------------------------------------------------------------------------
- LAN_INET_OPEN_TCP=""
- LAN_INET_OPEN_UDP=""
- LAN_INET_OPEN_IP=""
- # Put in the following variables the TCP/UDP ports or IP protocols TO (remote
- # end-point) which the LAN hosts are NOT permitted to connect to
- # via the external (internet) interface. Examples of usage are for blocking
- # IRC (TCP 6666:6669) for the internal network.
- # -----------------------------------------------------------------------------
- LAN_INET_DENY_TCP=""
- LAN_INET_DENY_UDP=""
- LAN_INET_DENY_IP=""
- # Put in the following variables which LAN hosts you want to allow to certain
- # hosts/services on the internet. By default all services are allowed.
- #
- # TCP/UDP form:
- # "SRCIP1,SRCIP2,...>DESTIP1~port \
- # SRCIP3,...>DESTIP2~port"
- #
- # IP form:
- # "SRCIP1,SRCIP2,...>DESTIP1~protocol \
- # SRCIP3,...>DESTIP2~protocol"
- #
- # TCP/UDP examples:
- # Simple:
- # (Allow port 80 on INET host 1.2.3.4 for all LAN hosts(0/0)):
- # LAN_INET_HOST_OPEN_xxx="0/0>1.2.3.4~80"
- # Advanced:
- # (Allow port 20 & 21 on INET host 1.2.3.4 for all LAN hosts(0/0) and
- # allow port 80 on INET host 1.2.3.4 for LAN host 192.168.0.10 (only)):
- # LAN_INET_HOST_OPEN_xxx="0/0>1.2.3.4~20,21 192.168.0.10>1.2.3.4~80"
- #
- # IP protocol example:
- # (Allow protocols 47 & 48 on INET host 1.2.3.4 for all LAN hosts(0/0))
- # LAN_INET_HOST_OPEN_IP="0/0>1.2.3.4~47,48"
- #
- # NOTE 1: If no SRCIPx is specified, any source host is used
- # NOTE 2: If no port is specified, any port is used
- # -----------------------------------------------------------------------------
- LAN_INET_HOST_OPEN_TCP=""
- LAN_INET_HOST_OPEN_UDP=""
- LAN_INET_HOST_OPEN_IP=""
- # Put in the following variables which LAN hosts you want to deny to certain
- # hosts/services on the internet.
- #
- # TCP/UDP form:
- # "SRCIP1,SRCIP2,...>DESTIP1~port \
- # SRCIP3,...>DESTIP2~port"
- #
- # IP form:
- # "SRCIP1,SRCIP2,...>DESTIP1~protocol \
- # SRCIP3,...>DESTIP2~protocol"
- #
- # TCP/UDP examples:
- # Simple (Deny port 80 on INET host 1.2.3.4 for all LAN hosts(0/0)):
- # LAN_INET_HOST_DENY_xxx="0/0>1.2.3.4~80"
- # Advanced (Deny port 20 & 21 on INET host 1.2.3.4 for all LAN hosts(0/0) and
- # deny port 80 on INET host 1.2.3.4 for LAN host 192.168.0.10 (only)):
- # LAN_INET_HOST_DENY_xxx="0/0>1.2.3.4~20,21 192.168.0.10>1.2.3.4~80"
- #
- # IP protocol example:
- # (Deny protocols 47 & 48 on INET host 1.2.3.4 for all LAN hosts(0/0)):
- # LAN_INET_HOST_DENY_IP="0/0>1.2.3.4~47,48"
- #
- # NOTE 1: If no SRCIPx is specified, any source host is used
- # NOTE 2: If no port is specified, any port is used
- # -----------------------------------------------------------------------------
- LAN_INET_HOST_DENY_TCP=""
- LAN_INET_HOST_DENY_UDP=""
- LAN_INET_HOST_DENY_IP=""
- ###############################################################################
- # Firewall policies for the DMZ (EXPERT SETTINGS!) #
- ###############################################################################
- ###############################################################################
- # DMZ_xxx = DMZ->localhost(this machine) input access rules #
- ###############################################################################
- # Enable this to allow ICMP-requests(ping) from the DMZ
- # -----------------------------------------------------------------------------
- DMZ_OPEN_ICMP=1
- # Put in the following variables the TCP/UDP ports or IP protocols (on this
- # machine) which DMZ hosts are permitted to connect to. By default all (local)
- # services are blocked for DMZ hosts.
- # -----------------------------------------------------------------------------
- DMZ_OPEN_TCP=""
- DMZ_OPEN_UDP=""
- DMZ_OPEN_IP=""
- # Put in the following variables which DMZ hosts you want to allow for certain
- # services. By default all (local) services are blocked for DMZ hosts.
- # TCP/UDP port format (DMZ_HOST_OPEN_TCP & DMZ_HOST_OPEN_UDP):
- # "host1,host2~port1,port2 host3,host4~port3,port4 ..."
- #
- # IP protocol format (DMZ_HOST_OPEN_IP):
- # "host1,host2~proto1,proto2 host3,host4~proto3,proto4 ..."
- # -----------------------------------------------------------------------------
- DMZ_HOST_OPEN_TCP=""
- DMZ_HOST_OPEN_UDP=""
- DMZ_HOST_OPEN_IP=""
- ###############################################################################
- # INET_DMZ_xxx = Internet->DMZ access rules (forward) #
- # #
- # Note: As of Version 2.0.0 the default policy has changed to DROP #
- # Previous to Version 2.0.0 the default policy was ACCEPT #
- ###############################################################################
- # Enable this to make the default policy allow for ICMP(ping) for INET->DMZ
- # -----------------------------------------------------------------------------
- INET_DMZ_OPEN_ICMP=0
- # Put in the following variables the TCP/UDP ports or IP protocols in the DMZ
- # which (any) INET host is permitted to connect to.
- # -----------------------------------------------------------------------------
- INET_DMZ_OPEN_TCP=""
- INET_DMZ_OPEN_UDP=""
- INET_DMZ_OPEN_IP=""
- # Put in the following variables the TCP/UDP ports or IP protocols in the DMZ
- # which INET hosts are NOT permitted to connect to.
- # -----------------------------------------------------------------------------
- INET_DMZ_DENY_TCP=""
- INET_DMZ_DENY_UDP=""
- INET_DMZ_DENY_IP=""
- # Put in the following variables which INET hosts you want to allow to certain
- # hosts/services on the DMZ net. By default all services are dropped.
- #
- # TCP/UDP form:
- # "SRCIP1,SRCIP2,...>DESTIP1~port \
- # SRCIP3,...>DESTIP2~port"
- #
- # IP form:
- # "SRCIP1,SRCIP2,...>DESTIP1~protocol \
- # SRCIP3,...>DESTIP2~protocol"
- #
- # TCP/UDP examples:
- # Simple (Allow port 80 on DMZ host 1.2.3.4 for all INET hosts(0/0)):
- # INET_DMZ_HOST_OPEN_xxx="0/0>1.2.3.4~80"
- # Advanced (Allow port 20 & 21 on DMZ host 1.2.3.4 for all INET hosts(0/0) and
- # allow port 80 on DMZ host 1.2.3.4 for INET host 5.6.7.8 (only)):
- # INET_DMZ_HOST_OPEN_xxx="0/0>1.2.3.4~20,21 5.6.7.8>1.2.3.4~80"
- #
- # IP protocol example:
- # (Allow protocols 47 & 48 on DMZ host 1.2.3.4 for all INET hosts(0/0)):
- # INET_DMZ_HOST_OPEN_IP="0/0>1.2.3.4~47,48"
- #
- # NOTE 1: If no SRCIPx is specified, any source host is used
- # NOTE 2: If no port is specified, any port is used
- # -----------------------------------------------------------------------------
- INET_DMZ_HOST_OPEN_TCP=""
- INET_DMZ_HOST_OPEN_UDP=""
- INET_DMZ_HOST_OPEN_IP=""
- # Put in the following variables which INET hosts you want to deny to certain
- # hosts/services on the DMZ net.
- #
- # TCP/UDP form:
- # "SRCIP1,SRCIP2,...>DESTIP1~port \
- # SRCIP3,...>DESTIP2~port"
- #
- # IP form:
- # "SRCIP1,SRCIP2,...>DESTIP1~protocol \
- # SRCIP3,...>DESTIP2~protocol"
- #
- # TCP/UDP examples:
- # Simple (Deny port 80 on DMZ host 1.2.3.4 for all INET hosts(0/0)):
- # INET_DMZ_HOST_DENY_xxx="0/0>1.2.3.4~80"
- # Advanced (Deny port 20 & 21 on DMZ host 1.2.3.4 for all INET hosts(0/0) and
- # deny port 80 on DMZ host 1.2.3.4 for INET host 5.6.7.8 (only)):
- # INET_DMZ_HOST_DENY_xxx="0/0>1.2.3.4~20,21 5.6.7.8>1.2.3.4~80"
- #
- # IP protocol example:
- # (Deny protocols 47 & 48 on DMZ host 1.2.3.4 for all INET hosts):
- # INET_DMZ_HOST_DENY_IP="0/0>1.2.3.4~47,48"
- #
- # NOTE 1: If no SRCIPx is specified, any source host is used
- # NOTE 2: If no port is specified, any port is used
- # -----------------------------------------------------------------------------
- INET_DMZ_HOST_DENY_TCP=""
- INET_DMZ_HOST_DENY_UDP=""
- INET_DMZ_HOST_DENY_IP=""
- ###############################################################################
- # DMZ_INET_xxx = DMZ->internet access rules (forward) #
- # #
- # Note that when the DMZ_INET_OPEN_xxx & DMZ_INET_HOST_OPEN_xxx variables are #
- # NOT used, the default policy will be accept for DMZ->INET (unless denied #
- # through DMZ_INET_DENY_xxx and/or DMZ_INET_HOST_DENY_xxx)! #
- ###############################################################################
- # Disable this (set to "") to automatically set default policy as above.
- # When set to "1" the DMZ->INET default policy will always be DROP
- # When set to "0" the DMZ->INET default policy will always be ACCEPT
- # -----------------------------------------------------------------------------
- DMZ_INET_DEFAULT_POLICY_DROP=""
- # Enable this to make the default policy allow for ICMP(ping) for DMZ->INET
- # -----------------------------------------------------------------------------
- DMZ_INET_OPEN_ICMP=1
- # Put in the following variables the TCP/UDP ports or IP
- # protocols TO (remote end-point) which the DMZ hosts are
- # permitted to connect to via the external (internet) interface.
- # -----------------------------------------------------------------------------
- DMZ_INET_OPEN_TCP=""
- DMZ_INET_OPEN_UDP=""
- DMZ_INET_OPEN_IP=""
- # Put in the following variables the TCP/UDP ports or IP protocols TO (remote
- # end-point) which the DMZ hosts are NOT permitted to connect to
- # via the external (internet) interface. Examples of usage are for blocking
- # IRC (TCP 6666:6669) for the DMZ.
- # -----------------------------------------------------------------------------
- DMZ_INET_DENY_TCP=""
- DMZ_INET_DENY_UDP=""
- DMZ_INET_DENY_IP=""
- # Put in the following variables which DMZ hosts you want to allow to certain
- # hosts/services on the internet. By default all services are allowed.
- #
- # TCP/UDP form:
- # "SRCIP1,SRCIP2,...>DESTIP1~port \
- # SRCIP3,...>DESTIP2~port"
- #
- # IP form:
- # "SRCIP1,SRCIP2,...>DESTIP1~protocol \
- # SRCIP3,...>DESTIP2~protocol"
- #
- # TCP/UDP examples:
- # Simple (Allow port 80 on INET host 1.2.3.4 for all DMZ hosts(0/0)):
- # DMZ_INET_HOST_OPEN_xxx="0/0>1.2.3.4~80"
- # Advanced (Allow port 20 & 21 on INET host 1.2.3.4 for all DMZ hosts(0/0) and
- # allow port 80 on INET host 1.2.3.4 for DMZ host 5.6.7.8 (only)):
- # DMZ_INET_HOST_OPEN_xxx="0/0>1.2.3.4~20,21 5.6.7.8>1.2.3.4~80"
- #
- # IP protocol example:
- # (Allow protocols 47 & 48 on INET host 1.2.3.4 for all DMZ hosts):
- # DMZ_INET_HOST_OPEN_IP="0/0>1.2.3.4~47,48"
- #
- # NOTE 1: If no SRCIPx is specified, any source host is used
- # NOTE 2: If no port is specified, any port is used
- # -----------------------------------------------------------------------------
- DMZ_INET_HOST_OPEN_TCP=""
- DMZ_INET_HOST_OPEN_UDP=""
- DMZ_INET_HOST_OPEN_IP=""
- # Put in the following variables which DMZ hosts you want to deny to certain
- # hosts/services on the internet.
- #
- # TCP/UDP form:
- # "SRCIP1,SRCIP2,...>DESTIP1~port \
- # SRCIP3,...>DESTIP2~port"
- #
- # IP form:
- # "SRCIP1,SRCIP2,...>DESTIP1~protocol \
- # SRCIP3,...>DESTIP2~protocol"
- #
- # TCP/UDP examples:
- # Simple (Deny port 80 on INET host 1.2.3.4 for all DMZ hosts(0/0)):
- # DMZ_INET_HOST_DENY_xxx="0/0>1.2.3.4~80"
- # Advanced (Deny port 20 & 21 on INET host 1.2.3.4 for all DMZ hosts(0/0) and
- # deny port 80 on INET host 1.2.3.4 for DMZ host 5.6.7.8 (only)):
- # DMZ_INET_HOST_DENY_xxx="0/0>1.2.3.4~20,21 5.6.7.8>1.2.3.4~80"
- #
- # IP protocol example:
- # (Deny protocols 47 & 48 on INET host 1.2.3.4 for all DMZ hosts(0/0)):
- # DMZ_INET_HOST_DENY_IP="0/0>1.2.3.4~47,48"
- #
- # NOTE 1: If no SRCIPx is specified, any source host is used
- # NOTE 2: If no port is specified, any port is used
- # -----------------------------------------------------------------------------
- DMZ_INET_HOST_DENY_TCP=""
- DMZ_INET_HOST_DENY_UDP=""
- DMZ_INET_HOST_DENY_IP=""
- ###############################################################################
- # DMZ_LAN_xxx = DMZ->LAN access rules (forward) #
- ###############################################################################
- # Enable this to make the default policy allow for ICMP(ping) for DMZ->LAN
- # -----------------------------------------------------------------------------
- DMZ_LAN_OPEN_ICMP=0
- # Put in the following variables which DMZ hosts you want to allow to certain
- # hosts/services on the LAN (net).
- #
- # TCP/UDP form:
- # "SRCIP1,SRCIP2,...>DESTIP1~port \
- # SRCIP3,...>DESTIP2~port"
- #
- # IP form:
- # "SRCIP1,SRCIP2,...>DESTIP1~protocol \
- # SRCIP3,...>DESTIP2~protocol"
- #
- # TCP/UDP examples:
- # Simple (Allow port 80 on LAN host 1.2.3.4 for all DMZ hosts(0/0)):
- # DMZ_LAN_HOST_OPEN_xxx="0/0>1.2.3.4~80"
- # Advanced (Allow port 20 & 21 on LAN host 1.2.3.4 for all DMZ hosts (0/0) and
- # allow port 80 for DMZ host 5.6.7.8 (only) on LAN host
- # 1.2.3.4):
- # DMZ_LAN_HOST_OPEN_xxx="0/0>1.2.3.4~20,21 5.6.7.8>1.2.3.4~80"
- #
- # IP protocol example:
- # (Allow protocols 47 & 48 on LAN host 1.2.3.4 for all DMZ hosts(0/0)):
- # DMZ_LAN_HOST_OPEN_IP="0/0>1.2.3.4~47,48"
- #
- # NOTE 1: If no SRCIPx is specified, any source host is used
- # NOTE 2: If no port is specified, any port is used
- # -----------------------------------------------------------------------------
- DMZ_LAN_HOST_OPEN_TCP=""
- DMZ_LAN_HOST_OPEN_UDP=""
- DMZ_LAN_HOST_OPEN_IP=""
- ###############################################################################
- # Firewall policies for the external (inet) interface (default policy = drop) #
- ###############################################################################
- # Put in the following variable which hosts (subnets) you want to have full
- # access via your internet (EXT_IF) connection(!). This is especially meant for
- # networks/servers which use NIS/NFS, as these protocols require all ports
- # to be open. Hosts listed here are matched on source IP only, so anyone able
- # to spoof or take over such an address gets the same access: keep this list
- # as short as possible and prefer HOST_OPEN_xxx for single services.
- # NOTE: Don't mistake this variable with the one used for internal nets.
- # -----------------------------------------------------------------------------
- FULL_ACCESS_HOSTS=""
- # Put in the following variable which TCP/UDP ports you don't want to
- # see broadcasts from (eg. DHCP (67/68)) on your EXTERNAL interface. Note that
- # to make this properly work you also need to set "EXTERNAL_NET"!
- # -----------------------------------------------------------------------------
- BROADCAST_TCP_NOLOG=""
- #BROADCAST_UDP_NOLOG="67 68"
- # Put in the following variables which hosts you want to allow for certain
- # services.
- # TCP/UDP port format (HOST_OPEN_TCP & HOST_OPEN_UDP):
- # "host1,host2~port1,port2 host3,host4~port3,port4 ..."
- #
- # IP protocol format (HOST_OPEN_IP):
- # "host1,host2~proto1,proto2 host3,host4~proto3,proto4 ..."
- #
- # ICMP protocol format (HOST_OPEN_ICMP):
- # "host1 host2 ...."
- # -----------------------------------------------------------------------------
- HOST_OPEN_TCP=""
- HOST_OPEN_UDP=""
- HOST_OPEN_IP=""
- HOST_OPEN_ICMP=""
- # Put in the following variables which hosts you want to DENY(DROP) for certain
- # services (and logged).
- # TCP/UDP port format (HOST_DENY_TCP & HOST_DENY_UDP):
- # "host1,host2~port1,port2 host3,host4~port3,port4 ..."
- #
- # IP protocol format (HOST_DENY_IP):
- # "host1,host2~proto1,proto2 host3,host4~proto3,proto4 ..."
- #
- # ICMP protocol format (HOST_DENY_ICMP):
- # "host1 host2 ...."
- # -----------------------------------------------------------------------------
- HOST_DENY_TCP=""
- HOST_DENY_UDP=""
- HOST_DENY_IP=""
- HOST_DENY_ICMP=""
- # Put in the following variables which hosts you want to DENY(DROP) for certain
- # services but NOT logged.
- # TCP/UDP port format (HOST_DENY_xxx_NOLOG):
- # "host1,host2~port1,port2 host3,host4~port3,port4 ..."
- #
- # IP protocol format (HOST_DENY_IP_NOLOG):
- # "host1,host2~proto1,proto2 host3,host4~proto3,proto4 ..."
- #
- # ICMP protocol format (HOST_DENY_ICMP_NOLOG):
- # "host1 host2 ...."
- # -----------------------------------------------------------------------------
- HOST_DENY_TCP_NOLOG=""
- HOST_DENY_UDP_NOLOG=""
- HOST_DENY_IP_NOLOG=""
- HOST_DENY_ICMP_NOLOG=""
- # Put in the following variables which hosts you want to REJECT (instead of
- # DROP) for certain TCP/UDP ports.
- # TCP/UDP port format (HOST_REJECT_xxx):
- # "host1,host2~port1,port2 host3,host4~port3,port4 ..."
- # -----------------------------------------------------------------------------
- HOST_REJECT_TCP=""
- HOST_REJECT_UDP=""
- # Put in the following variables which hosts you want to REJECT (instead of
- # DROP) for certain services but NOT logged.
- # TCP/UDP port format (HOST_REJECT_xxx_NOLOG):
- # "host1,host2~port1,port2 host3,host4~port3,port4 ..."
- # -----------------------------------------------------------------------------
- HOST_REJECT_TCP_NOLOG=""
- HOST_REJECT_UDP_NOLOG=""
- # Put in the following variables which services THIS machine is NOT
- # permitted to connect TO (remote end-point) via the external (internet)
- # interface. For example for blocking IRC (tcp 6666:6669).
- # -----------------------------------------------------------------------------
- DENY_TCP_OUTPUT=""
- DENY_UDP_OUTPUT=""
- DENY_IP_OUTPUT=""
- # Put in the following variables to which hosts THIS machine is NOT
- # permitted to connect TO for certain services (remote end-point)
- # via the external (internet) interface. In principle you can also
- # use this to put your machine in a "virtual-DMZ" by blocking all traffic
- # to your local subnet.
- # TCP/UDP port format (HOST_DENY_TCP_OUTPUT & HOST_DENY_UDP_OUTPUT):
- # "host1,host2~port1,port2 host3,host4~port3,port4 ..."
- #
- # IP protocol format (HOST_DENY_IP_OUTPUT):
- # "host1,host2~proto1,proto2 host3,host4~proto3,proto4 ..."
- # -----------------------------------------------------------------------------
- HOST_DENY_TCP_OUTPUT=""
- HOST_DENY_UDP_OUTPUT=""
- HOST_DENY_IP_OUTPUT=""
- # Enable (1) to make the default policy allow for IPv4 ICMP (ping) for INET access
- # Note: Other ICMP variables apply to both IPv4 and IPv6 unless otherwise noted.
- # -----------------------------------------------------------------------------
- OPEN_ICMP=0
- # Disable (0) to make the default policy drop IPv6 ICMPv6 for INET access
- # Note: Other ICMP variables apply to both IPv4 and IPv6 unless otherwise noted.
- # -----------------------------------------------------------------------------
- OPEN_ICMPV6=0
- # Put in the following variables which ports or IP protocols you want to leave
- # open to the whole world.
- # -----------------------------------------------------------------------------
- OPEN_TCP="************************************"
- OPEN_UDP="*********************************"
- OPEN_IP=""
- # Put in the following variables the TCP/UDP ports you want to DENY(DROP) for
- # everyone (and logged). Also use these variables if you want to log connection
- # attempts to these ports from everyone (also trusted/full access hosts).
- # In principle you don't need these variables, as everything is already blocked
- # (denied) by default; they exist only for consistency and explicit logging.
- # -----------------------------------------------------------------------------
- DENY_TCP=""
- DENY_UDP=""
- # Put in the following variables which ports you want to DENY(DROP) for
- # everyone but NOT logged. This is very useful if you have constant probes on
- # the same port(s) over and over again (code red worm) and don't want your logs
- # flooded with it.
- # -----------------------------------------------------------------------------
- DENY_TCP_NOLOG=""
- DENY_UDP_NOLOG=""
- # Put in the following variables the TCP/UDP ports you want to REJECT (instead
- # of DROP) for everyone (and logged).
- # -----------------------------------------------------------------------------
- REJECT_TCP=""
- REJECT_UDP=""
- # Put in the following variables the TCP/UDP ports you want to REJECT (instead
- # of DROP) for everyone but NOT logged.
- # -----------------------------------------------------------------------------
- REJECT_TCP_NOLOG=""
- REJECT_UDP_NOLOG=""
- # Put in the following variable which hosts you want to block (blackhole,
- # dropping every packet from the host).
- # -----------------------------------------------------------------------------
- BLOCK_HOSTS=""
- # Blocked Hosts are by default blocked in both Inbound and Outbound directions.
- # If only Inbound blocking is desired, set to 0 to disable bidirectional blocking.
- # -----------------------------------------------------------------------------
- BLOCK_HOSTS_BIDIRECTIONAL=1
- # Uncomment & specify here the location of the file that contains a list of
- # hosts(IPs) that should be BLOCKED. IP ranges can (only) be specified as
- # w.x.y.z1-z2 (eg. 192.168.1.10-15). Note that the last line of this file
- # must always be terminated with a newline, otherwise it may be ignored!
- # -----------------------------------------------------------------------------
- #BLOCK_HOSTS_FILE="/etc/arno-iptables-firewall/blocked-hosts"