###############################################################################

# You should put this config-file in /etc/arno-iptables-firewall/ #

###############################################################################

# --------------------------- Configuration file ------------------------------

# -= Arno's iptables firewall =-

# Single- & multi-homed firewall script with DSL/ADSL support

#

# (C) Copyright 2001-2012 by Arno van Amersfoort

# Co-authors : Lonnie Abelbeck & Philip Prindeville

# Homepage : http://rocky.eld.leidenuniv.nl/

# Freshmeat : http://freshmeat.net/projects/iptables-firewall/?topic_id=151

# Email : arnova AT rocky DOT eld DOT leidenuniv DOT nl

# (note: you must remove all spaces and substitute the @ and the .

# at the proper locations!)

# -----------------------------------------------------------------------------

# This program is free software; you can redistribute it and/or

# modify it under the terms of the GNU General Public License

# version 2 as published by the Free Software Foundation.

# This program is distributed in the hope that it will be useful, but WITHOUT

# ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or

# FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for

# more details.

# You should have received a copy of the GNU General Public License along with

# this program; if not, write to the Free Software Foundation Inc., 59 Temple

# Place - Suite 330, Boston, MA 02111-1307, USA.

# -----------------------------------------------------------------------------

###############################################################################

# External (internet) interface settings #

###############################################################################

# The external interface(s) that will be protected (and used as internet

# connection). This is probably ppp+ or dsl+ for non-transparent(!) (A)DSL

# modems otherwise it's probably "ethX" (eg. eth0). Multiple interfaces should

# be space separated.

# -----------------------------------------------------------------------------

EXT_IF="ppp0"

# Enable if THIS machines (dynamically) obtains its IP through (IPv4) DHCP

# and/or (IPv6) DHCPv6 (from your ISP)

# -----------------------------------------------------------------------------

EXT_IF_DHCP_IP=1

# (EXPERT SETTING!) Here you can specify your external(!) IPv4 subnet(s). You

# should only use this if you for example have a corporate network and/or

# running a DHCP server on your external(!) interface. Home users should

# normally NOT touch this setting. Multiple subnets should be space separated.

# Don't forget to specify a proper subnet masker (eg. /24, /16 or /8)!

# -----------------------------------------------------------------------------

#EXTERNAL_NET=""

# (EXPERT SETTING!) Here you can specify the IPv4 address used for broadcasts

# on your external subnet. You only need to set this option if you want to use

# the BROADCAST_XXX_NOLOG variables AND you use a non-standard broadcast

# address (not *.255.255.255, *.*.255.255 or *.*.*.255)! So normally leaving

# this empty should work fine. Multiple addresses should be space separated.

# -----------------------------------------------------------------------------

#EXT_NET_BCAST_ADDRESS=""

# Enable this if THIS MACHINE is running an IPv4 DHCP(BOOTP) server for a subnet

# on the external(!) interface. Note that you don't need this for internal

# subnets, as for these nets everything is accepted by default. Don't forget to

# configure the EXTERNAL_NET variable, to make this work. (IPv4 Only)

# -----------------------------------------------------------------------------

EXTERNAL_DHCP_SERVER=0

# Enable this if THIS MACHINE is running an IPv6 DHCPv6 server for a Link-Local

# address on the external(!) interface. Note that you don't need this for internal

# subnets, as for these nets everything is accepted by default. (IPv6 Only)

# -----------------------------------------------------------------------------

EXTERNAL_DHCPV6_SERVER=0

###############################################################################

# Internal (LAN) interface settings #

###############################################################################

# Specify here your internal network (LAN) interface(s). Multiple(!) interfaces

# should be space separated. Remark this if you don't have any internal network

# interfaces. Note that by default ALL traffic is accepted from these

# interfaces.

# -----------------------------------------------------------------------------

INT_IF="br0"

# Specify here the internal IPv4 subnet(s) which is/are connected to the

# internal interface(s). For multiple interfaces(!) you can either specify

# multiple subnets here or specify one big subnet for all internal interfaces.

# Note that this variable is mainly used for antispoofing.

# -----------------------------------------------------------------------------

INTERNAL_NET="192.168.0.0/24"

# Set this variable to 0 to disable antispoof checking for the internal nets

# (EXPERT SETTING!)

# -----------------------------------------------------------------------------

INTERNAL_NET_ANTISPOOF=1

# (EXPERT SETTING!) Here you can specify the IPv4 address used for broadcasts

# on your internal subnet. You only need to set this option if you want to use

# the MAC filter AND you use a non-standard broadcast address

# (not *.255.255.255, *.*.255.255 or *.*.*.255)! So normally leaving

# this empty should work fine. Multiple addresses (if you have multiple

# internal nets) should be space separated.

# -----------------------------------------------------------------------------

#INT_NET_BCAST_ADDRESS=""

###############################################################################

# DMZ (aka DeMilitarized Zone) settings #

###############################################################################

# Put in the following variable the network interfaces that are DMZ-classified.

# You can also use this interface if you want to shield your Wireless network

# from your LAN.

# -----------------------------------------------------------------------------

DMZ_IF=""

# Specify here the subnet which is connected to the DMZ interface (DMZ_IF).

# For multiple interfaces(!) you can either specify multiple subnets here or

# specify one big subnet for all DMZ interfaces.

# -----------------------------------------------------------------------------

DMZ_NET=""

# Set this variable to 0 to disable antispoof checking for the dmz nets

# (EXPERT SETTING!)

# -----------------------------------------------------------------------------

DMZ_NET_ANTISPOOF=1

###############################################################################

# NAT (Masquerade, SNAT, DNAT) settings (IPv4 only!) #

###############################################################################

# Enable this if you want to perform NAT (masquerading) for your internal

# network (LAN) (eg. share your internet connection with your internal

# net(s) connected to eg. INT_IF)

# -----------------------------------------------------------------------------

NAT=1

# (EXPERT SETTING!) In case you would like to use SNAT instead of

# MASQUERADING then uncomment and set the IP or IPs here of your static

# external address(es). Note that when multiple IPs are specified, SNAT

# multiroute is enabled (load balancing over multiple external (internet)

# interfaces, check the README file for more info). Note that the order of IPs

# should match the order of interfaces (they belong to) in $EXT_IF!

# -----------------------------------------------------------------------------

#NAT_STATIC_IP="193.2.1.1"

# (EXPERT SETTING!) Use this variable only if you want specific subnets or

# hosts to be able to access the internet. When no value is specified, your

# whole internal net will have access. In both cases it's obviously only

# meaningful when NAT is enabled. Note that you can also use this variable if

# you want to use NAT for your DMZ.

# -----------------------------------------------------------------------------

NAT_INTERNAL_NET="$INTERNAL_NET"

# (EXPERT SETTING!) Enable this if you want to be able to redirect local ports

# or protocols on your gateway using NAT forwards.

# -----------------------------------------------------------------------------

NAT_LOCAL_REDIRECT=1

# NAT TCP/UDP/IP forwards. Forward ports or protocols from the gateway to

# an internal client through (D)NAT. Note that you can also use these

# variables to forward ports to DMZ hosts.

#

# TCP/UDP form:

# "{SRCIP1,SRCIP2,...~}PORT1,PORT2-PORT3,...>DESTIP1{~port} \

# {SRCIP3,...~}PORT3,...>DESTIP2{~port}"

#

# IP form:

# "{SRCIP1,SRCIP2,...~}PROTO1,PROTO2,...>DESTIP1 \

# {SRCIP3~}PROTO3,PROTO4,...>DESTIP2"

#

# TCP/UDP port forward examples:

# Simple (forward port 80 to internal host 192.168.0.10):

# NAT_FORWARD_xxx="80>192.168.0.10 20,21>192.168.0.10"

# Advanced (forward port 20 & 21 to 192.168.0.10 and

# forward from 1.2.3.4 port 81 to 192.168.0.11 port 80:

# NAT_FORWARD_xxx="1.2.3.4~81>192.168.0.11~80"

#

# IP protocol forward example:

# (forward protocols 47 & 48 to 192.168.0.10)

# NAT_FORWARD_IP="47,48>192.168.0.10"

#

# NOTE 1: {~port} is optional. Use it to redirect a specific port to a

# different port on the internal client.

# NOTE 2: {SRCIPx} is optional. Use it to restrict access for specific source

# (inet) IP addresses.

# (IPv4 Only)

# -----------------------------------------------------------------------------

NAT_FORWARD_TCP=""

NAT_FORWARD_UDP=""

NAT_FORWARD_IP=""

# TCP/UDP/IP forwards. Forward IPv6 and non-NAT'ed IPv4 ports or protocols

# from the gateway to an internal client. Note that you can also use these

# variables to forward ports to DMZ hosts.

#

# TCP/UDP form:

# "SRCIP1,SRCIP2,...>DESTIP1{~port} \

# SRCIP3,...>DESTIP2{~port}"

#

# IP form:

# "SRCIP1,SRCIP2,...>DESTIP1~PROTO \

# SRCIP3,...>DESTIP2~PROTO"

#

# TCP/UDP port forward examples:

# Simple (IPv6 forward port 80 to internal host 2001:db8::2):

# INET_FORWARD_TCP="::/0>2001:db8::2~80"

# Simple (IPv4 non-NAT forward port 80 to internal host 192.168.0.10):

# INET_FORWARD_TCP="0/0>192.168.0.10~80"

# Advanced (forward all UDP ports for 2000::/3 net to 2001:db8::/32 net):

# INET_FORWARD_UDP="2000::/3>2001:db8::/32"

#

# IP protocol forward example:

# (forward protocol 58 (ICMPv6) to 2001:db8::2)

# INET_FORWARD_IP="::/0>2001:db8::2~58"

#

# (IPv6 and non-NAT'ed IPv4 Only)

# -----------------------------------------------------------------------------

INET_FORWARD_TCP=""

INET_FORWARD_UDP=""

INET_FORWARD_IP=""

###############################################################################

# General settings #

###############################################################################

# (EXPERT SETTING!) Location of the iptables-binary (use 'locate iptables' or

# 'whereis iptables' to manually locate it), required for (default) IPv4 support

# -----------------------------------------------------------------------------

IP4TABLES="/sbin/iptables"

# (EXPERT SETTING!) Location of the ip6tables-binary (use 'locate ip6tables' or

# 'whereis ip6tables' to manually locate it), required for IPv6 support

# -----------------------------------------------------------------------------

IP6TABLES="/sbin/ip6tables"

# (EXPERT SETTING!) Location of the environment file

# -----------------------------------------------------------------------------

ENV_FILE="/usr/libexec/arno-iptables-firewall/environment"

# (EXPERT SETTING!) Location of plugin binary & config files

# -----------------------------------------------------------------------------

PLUGIN_BIN_PATH="/usr/libexec/arno-iptables-firewall/plugins"

PLUGIN_CONF_PATH="/etc/arno-iptables-firewall/plugins"

# Most people don't want to get any firewall logs being spit to the console.

# This option makes the kernel ring buffer only log messages with level

# "panic".

# -----------------------------------------------------------------------------

DMESG_PANIC_ONLY=1

# Enable this if you want TOS mangling (RFC)

# -----------------------------------------------------------------------------

MANGLE_TOS=1

# Enable this if you want to set the maximum packet size via the

# Maximum Segment Size(through MSS field)

# -----------------------------------------------------------------------------

SET_MSS=1

# Enable this if you want to increase the TTL value by one in the prerouting

# chain. This hides the firewall when performing eg. traceroutes to internal

# hosts. (IPv4 only!)

# -----------------------------------------------------------------------------

TTL_INC=0

# (EXPERT SETTING!) Enable this if you want to set the TTL value for packets in

# the OUTPUT & FORWARD chain. Note that this only works with newer 2.6 kernels

# (2.6.14 or better) or patched 2.4 kernels, which have netfilter TTL target

# support. Don't mess with this unless you really know what you are doing!

# (IPv4 only!)

# -----------------------------------------------------------------------------

#PACKET_TTL="64"

# (EXPERT SETTING!) Enable this if you want our internal DNS functions to fail

# "fast". This means a query will be tried only once and times out after 1

# second, the default is 3 tries and a 5 second timeout.

# Note: The command 'dig' is preferred, 'nslookup' will be used if 'dig' is not

# available, though the BusyBox 'nslookup' is not supported with this option.

# -------------------------------------------------------------------------------

DNS_FAST_FAIL=0

# Enable this to support the IRC-protocol.

# -----------------------------------------------------------------------------

USE_IRC=1

# (EXPERT SETTING!) Loosen the forward chain for the external interface(s).

# Enable it to allow the use of protocols like UPnP. Note that it *could* be

# less secure.

# -----------------------------------------------------------------------------

LOOSE_FORWARD=1

# (EXPERT SETTING!) Enable (1) to allow IPv6 Link-Local addresses to be

# forwarded between interfaces. (IPv6 Only)

# -----------------------------------------------------------------------------

FORWARD_LINK_LOCAL=0

# (EXPERT SETTING!) Disable (0) to not drop all IPv6 packets with

# Routing Header Type 0. Enabled by default. (IPv6 Only)

# -----------------------------------------------------------------------------

IPV6_DROP_RH_ZERO=1

# (EXPERT SETTING!) Enable this if you want to drop packets originating from a

# private address.

# Note: To enable logging of dropped private addresses set RESERVED_NET_LOG=1

# -----------------------------------------------------------------------------

RESERVED_NET_DROP=0

# (EXPERT SETTING!) Protect this machine from being abused for a DRDOS-attack

# ("Distributed Reflection Denial Of Service"-attack). (STILL EXPERIMENTAL!)

# -----------------------------------------------------------------------------

DRDOS_PROTECT=0

# Enable (1) if you want to enable mixed IPv4/IPv6 traffic support

# Disable (0) if you want to enable only IPv4 traffic support

# -----------------------------------------------------------------------------

IPV6_SUPPORT=0

# This option fixes problems with SMB broadcasts when using nmblookup

# -----------------------------------------------------------------------------

NMB_BROADCAST_FIX=0

# Set this to 0 to suppress "assuming module is compiled in kernel" messages

# -----------------------------------------------------------------------------

COMPILED_IN_KERNEL_MESSAGES=0

# (EXPERT SETTING!) You can choose the default policy for the INPUT & FORWARD

# chain here (1=DROP, 0=ACCEPT). The default policy is DROP. This means that

# when there are no rule(s) available (yet), the packet will be DROPPED. In

# practice this rule only does something while the firewall is starting. Once

# it's started and all rules are in place, the default policy doesn't do

# anything anymore. People that use eg. NFS and let their clients boot from NFS

# (diskless client systems) probably want to disable this option to fix

# "NFS server not responding" etc. errors on their clients.

# -----------------------------------------------------------------------------

DEFAULT_POLICY_DROP=1

# (EXPERT SETTING!) (Other) trusted network interfaces for which ALL IP

# traffic should be ACCEPTED. (multiple(!) interfaces should be space

# separated). Be warned that anything TO and FROM these interfaces is allowed

# (ACCEPTED) so make sure it's NOT routable(accessible) from the outside world

# (internet)! And of course putting one of your external interfaces here would

# be extremely stupid.

# -----------------------------------------------------------------------------

TRUSTED_IF=""

# (EXPERT SETTING!) Put here the interfaces that should trust

# each other (accept forward traffic). You can use | (piping-sign) to create

# seperate interface groups. And (again) of course putting one of your external

# interfaces here would be extremely stupid.

# -----------------------------------------------------------------------------

IF_TRUSTS=""

# Location of the custom iptables rules file (if any).

# -----------------------------------------------------------------------------

CUSTOM_RULES="/etc/arno-iptables-firewall/custom-rules"

# Location of the local (user/global) configuration file, if used

# -----------------------------------------------------------------------------

LOCAL_CONFIG_FILE=""

# Location of the local directory, if defined, containing *.conf file(s)

# in that directory, and sources them for configuration variables.

# Note: An undefined LOCAL_CONFIG_DIR variable defaults to the default below.

# -----------------------------------------------------------------------------

LOCAL_CONFIG_DIR="/etc/arno-iptables-firewall/conf.d"

# (EXPERT SETTING!) Set this (to 1) to disable the use of iptables-save and

# iptables-restore to add rules in batch rather than one-by-one. Much slower

# when disabled. BLOCK_HOSTS and BLOCK_HOSTS_FILE utilizes this feature.

# -----------------------------------------------------------------------------

DISABLE_IPTABLES_BATCH=0

# (EXPERT SETTING!) Set this (to 1) to enable tracing

# -----------------------------------------------------------------------------

TRACE=0

###############################################################################

# Logging options - All logging is rate limited to prevent log flooding #

###############################################################################

# Enable logging for explicitly blocked hosts.

# -----------------------------------------------------------------------------

BLOCKED_HOST_LOG=1

# Enable logging for various stealth scans (reliable).

# -----------------------------------------------------------------------------

SCAN_LOG=1

# Enable logging for possible stealth scans (less reliable).

# -----------------------------------------------------------------------------

POSSIBLE_SCAN_LOG=1

# Enable logging for TCP-packets with bad flags.

# -----------------------------------------------------------------------------

BAD_FLAGS_LOG=1

# Enable logging of invalid TCP packets. Keep disabled (0) by default to reduce

# INVALID packets being logged because of lost (legimate) connections. When

# debugging any problems, you should enable it (temporarily)!

# -----------------------------------------------------------------------------

INVALID_TCP_LOG=0

# Enable logging of invalid UDP packets. Keep disabled (0) by default to reduce

# INVALID packets being logged because of lost (legimate) connections. When

# debugging any problems, you should enable it (temporarily)!

# -----------------------------------------------------------------------------

INVALID_UDP_LOG=0

# Enable logging of invalid ICMP packets. Keep disabled (0) by default to reduce

# INVALID packets being logged because of lost (legimate) connections. When

# debugging any problems, you should enable it (temporarily)!

# -----------------------------------------------------------------------------

INVALID_ICMP_LOG=0

# Enable (1) logging of source IPs with reserved or private addresses.

# -----------------------------------------------------------------------------

RESERVED_NET_LOG=0

# Enable logging of fragmented packets.

# -----------------------------------------------------------------------------

FRAG_LOG=1

# Enable logging of denied local (OUTPUT) connections.

# -----------------------------------------------------------------------------

INET_OUTPUT_DENY_LOG=1

# Enable logging of denied LAN output (FORWARD) connections.

# -----------------------------------------------------------------------------

LAN_OUTPUT_DENY_LOG=1

# Enable logging of denied LAN INPUT connections.

# -----------------------------------------------------------------------------

LAN_INPUT_DENY_LOG=1

# Enable logging of denied DMZ output (FORWARD) connections.

# -----------------------------------------------------------------------------

DMZ_OUTPUT_DENY_LOG=1

# Enable logging of denied DMZ input (FORWARD) connections.

# -----------------------------------------------------------------------------

DMZ_INPUT_DENY_LOG=1

# Enable logging of dropped FORWARD packets.

# -----------------------------------------------------------------------------

FORWARD_DROP_LOG=1

# Enable logging of dropped IPv6 Link-Local forwarded packets.

# Note: requires FORWARD_LINK_LOCAL=0 (IPv6 Only)

# -----------------------------------------------------------------------------

LINK_LOCAL_DROP_LOG=1

# Enable logging of dropped ICMP-request packets (ping).

# -----------------------------------------------------------------------------

ICMP_REQUEST_LOG=1

# Enable logging of dropped "other" ICMP packets.

# -----------------------------------------------------------------------------

ICMP_OTHER_LOG=1

# Enable logging of normal connection attempts to privileged TCP ports.

# -----------------------------------------------------------------------------

PRIV_TCP_LOG=1

# Enable logging of normal connection attempts to privileged UDP ports.

# -----------------------------------------------------------------------------

PRIV_UDP_LOG=1

# Enable logging of normal connection attempts to unprivileged TCP ports.

# -----------------------------------------------------------------------------

UNPRIV_TCP_LOG=1

# Enable logging of normal connection attempts to unprivileged UDP ports.

# -----------------------------------------------------------------------------

UNPRIV_UDP_LOG=1

# Enable logging of IPv4 IGMP packets

# -----------------------------------------------------------------------------

IGMP_LOG=1

# Enable logging of normal connection attempts to "other-IP"-protocols (non

# TCP/UDP/ICMP/IGMP).

# -----------------------------------------------------------------------------

OTHER_IP_LOG=1

# Enable logging for ICMP flooding.

# -----------------------------------------------------------------------------

ICMP_FLOOD_LOG=1

# (EXPERT SETTING!) The location of the dedicated firewall log file. When

# enabled the firewall script will also log start/stop etc. info to this file

# as well. Note that in order to make this work, you should also configure

# syslogd to log firewall messages to this file (see LOGLEVEL below for further

# info).

# -----------------------------------------------------------------------------

#FIREWALL_LOG="/var/log/firewall.log"

# (EXPERT SETTING!) Current log-level ("info": default kernel syslog level)

# "debug": can be used to log to /var/log/firewall.log, but you have to configure

# syslogd accordingly (see included syslogd.conf examples).

# -----------------------------------------------------------------------------

LOGLEVEL="info"

# Put in the following variables which hosts you want to log certain incoming

# connection attempts for.

# TCP/UDP port format (LOG_HOST_INPUT_xxx):

# "host1,host2~port1,port2 host3,host4~port3,port4 ..."

#

# IP protocol format (LOG_HOST_INPUT_IP):

# "host1,host2~proto1,proto2 host3,host4~proto4,proto4 ..."

# -----------------------------------------------------------------------------

LOG_HOST_INPUT_TCP=""

LOG_HOST_INPUT_UDP=""

LOG_HOST_INPUT_IP=""

# Put in the following variables which hosts you want to log certain outgoing

# connection attempts for.

# TCP/UDP port format (LOG_HOST_OUTPUT_xxx):

# "host1,host2~port1,port2 host3,host4~port3,port4 ..."

#

# IP protocol format (LOG_HOST_OUTPUT_IP):

# "host1,host2~proto1,proto2 host3,host4~proto4,proto4 ..."

# -----------------------------------------------------------------------------

LOG_HOST_OUTPUT_TCP=""

LOG_HOST_OUTPUT_UDP=""

LOG_HOST_OUTPUT_IP=""

# Put in the following variables which services you want to log incoming

# connection attempts for.

# -----------------------------------------------------------------------------

LOG_INPUT_TCP=""

LOG_INPUT_UDP=""

LOG_INPUT_IP=""

# Put in the following variables which services you want to log outgoing

# connection attempts for.

# -----------------------------------------------------------------------------

LOG_OUTPUT_TCP=""

LOG_OUTPUT_UDP=""

LOG_OUTPUT_IP=""

# Put in the following variable which hosts you want to log incoming connection

# (attempts) for.

# -----------------------------------------------------------------------------

LOG_HOST_INPUT=""

# Put in the following variable which hosts you want to log outgoing connection

# (attempts) to.

# -----------------------------------------------------------------------------

LOG_HOST_OUTPUT=""

###############################################################################

# sysctl based settings (EXPERT SETTINGS!) #

###############################################################################

# Enable for synflood protection (through /proc/.../tcp_syncookies).

# -----------------------------------------------------------------------------

SYN_PROT=1

# Enable this to reduce the ability of others DOS'ing your machine.

# -----------------------------------------------------------------------------

REDUCE_DOS_ABILITY=1

# Enable to ignore all ICMP echo-requests (IPv4) on ALL interfaces.

# -----------------------------------------------------------------------------

ECHO_IGNORE=0

# Enable to log packets with impossible addresses to the kernel log.

# -----------------------------------------------------------------------------

LOG_MARTIANS=0

# Only disable this if you're NOT using forwarding (required for NAT etc.) for

# increased security.

# Note: If enabled and IPV6 enabled, local IPv6 autoconf will be disabled.

# -----------------------------------------------------------------------------

IP_FORWARDING=1

# (EXPERT SETTING!) Only disable this if IP_FORWARDING is disabled and

# you do not use autoconf to obtain your IPv6 address.

# Note: This is ignored if IP_FORWARDING is enabled. (IPv6 Only)

# -----------------------------------------------------------------------------

IPV6_AUTO_CONFIGURATION=1

# Enable if you want to accept ICMP redirect messages. Should be set to "0" in

# case of a router.

# -----------------------------------------------------------------------------

ICMP_REDIRECT=0

# Enable/modify this if you want to be a able to handle a larger (or smaller)

# number of simultaneous connections. For high traffic machines I recommend to

# use a value of at least 16384 (note that a higher value (obviously) also uses

# more memory).

# -----------------------------------------------------------------------------

CONNTRACK=65536

# Enable ECN (Explicit Congestion Notification) TCP flag. Disabled by default,

# as some routers are still not compatible with this.

# -----------------------------------------------------------------------------

ECN=0

# Enable to drop connections from non-routable IPs, eg. prevent source

# routing. By default the firewall itself also provides rules against source

# routing. Note than when you use eg. VPN (Freeswan), you should probably

# disable this setting.

# -----------------------------------------------------------------------------

RP_FILTER=1

# Protect against source routed packets. Attackers can use source routing to

# generate traffic pretending to be from inside your network, but which is

# routed back along the path from which it came, namely outside, so attackers

# can compromise your network. Source routing is rarely used for legitimate

# purposes, so normally you should always leave this enabled(1)!

# -----------------------------------------------------------------------------

SOURCE_ROUTE_PROTECTION=1

# Here we set the local port range (ports from which connections are

# initiated from our site). Don't mess with this unless you really know what

# you are doing!

# -----------------------------------------------------------------------------

LOCAL_PORT_RANGE="32768 61000"

# Here you can change the default TTL used for sending packets. The value

# should be between 10 and 255. Don't mess with this unless you really know

# what you are doing!

# -----------------------------------------------------------------------------

DEFAULT_TTL=64

# In most cases pmtu discovery is ok, but in some rare cases (when having

# problems) you might want to disable it.

# -----------------------------------------------------------------------------

NO_PMTU_DISCOVERY=0

###############################################################################

# Firewall policies for the LAN (EXPERT SETTINGS!) #

###############################################################################

###############################################################################

# LAN_xxx = LAN->localhost(this machine) input access rules #

# #

# Note that when both LAN_OPEN_xxx & LAN_HOST_OPEN_xxx are NOT used, the #

# default policy for this chain is accept (unless denied through #

# LAN_DENY_xxx and/or LAN_HOST_DENY_xxx)! #

###############################################################################

# Disable this (set to "") to automatically set default policy as above.

# When set to "1" the LAN->localhost default policy will always be DROP

# When set to "0" the LAN->localhost default policy will always be ACCEPT

# -----------------------------------------------------------------------------

LAN_DEFAULT_POLICY_DROP=""

# Enable this to allow for ICMP-requests(ping) from your LAN

# -----------------------------------------------------------------------------

LAN_OPEN_ICMP=1

# Put in the following variables the TCP/UDP ports or IP protocols TO

# (remote end-point) which the LAN hosts are permitted to connect to.

# -----------------------------------------------------------------------------

LAN_OPEN_TCP=""

LAN_OPEN_UDP=""

LAN_OPEN_IP=""

# Put in the following variables the TCP/UDP ports or IP protocols TO (remote

# end-point) which LAN hosts are NOT permitted to connect to.

# -----------------------------------------------------------------------------

LAN_DENY_TCP=""

LAN_DENY_UDP=""

LAN_DENY_IP=""

# Put in the following variables the TCP/UDP ports or IP

# protocols TO (remote end-point) which certain LAN hosts are

# permitted to connect to.

#

# TCP/UDP port format (LAN_INPUT_HOST_OPEN_xxx):

# "host1,host2~port1,port2 host3,host4~port3,port4 ..."

#

# IP protocol format (LAN_INPUT_HOST_OPEN_xxx):

# "host1,host2~proto1,proto2 host3,host4~proto3,proto4 ..."

# -----------------------------------------------------------------------------

LAN_HOST_OPEN_TCP=""

LAN_HOST_OPEN_UDP=""

LAN_HOST_OPEN_IP=""

# Put in the following variables the TCP/UDP ports or IP protocols TO (remote

# end-point) which certain LAN hosts are NOT permitted to connect to.

#

# TCP/UDP port format (LAN_INPUT_HOST_DENY_xxx):

# "host1,host2~port1,port2 host3,host4~port3,port4 ..."

#

# IP protocol format (LAN_INPUT_HOST_DENY_xxx):

# "host1,host2~proto1,proto2 host3,host4~proto3,proto4 ..."

# -----------------------------------------------------------------------------

LAN_HOST_DENY_TCP=""

LAN_HOST_DENY_UDP=""

LAN_HOST_DENY_IP=""

###############################################################################

# LAN_INET_xxx = LAN->internet access rules (forward) #

# #

# Note that when the LAN_INET_OPEN_xxx & LAN_INET_HOST_OPEN_xxx variables are #

# NOT used, the default policy will be accept for LAN->INET (unless denied #

# through LAN_INET_DENY_xxx and/or LAN_INET_HOST_DENY_xxx)! #

###############################################################################

# Disable this (set to "") to automatically set default policy as above.

# When set to "1" the LAN->INET default policy will always be DROP

# When set to "0" the LAN->INET default policy will always be ACCEPT

# -----------------------------------------------------------------------------

LAN_INET_DEFAULT_POLICY_DROP=""

# Enable this to allow for ICMP-requests(ping) for LAN->INET

# -----------------------------------------------------------------------------

LAN_INET_OPEN_ICMP=1

# Put in the following variables the TCP/UDP ports or IP

# protocols TO (remote end-point) which the LAN hosts are

# permitted to connect to via the external (internet) interface.

# -----------------------------------------------------------------------------

LAN_INET_OPEN_TCP=""

LAN_INET_OPEN_UDP=""

LAN_INET_OPEN_IP=""

# Put in the following variables the TCP/UDP ports or IP protocols TO (remote

# end-point) which the LAN hosts are NOT permitted to connect to

# via the external (internet) interface. Examples of usage are for blocking

# IRC (TCP 6666:6669) for the internal network.

# -----------------------------------------------------------------------------

LAN_INET_DENY_TCP=""

LAN_INET_DENY_UDP=""

LAN_INET_DENY_IP=""

# Put in the following variables which LAN hosts you want to allow to certain

# hosts/services on the internet. By default all services are allowed.

#

# TCP/UDP form:

# "SRCIP1,SRCIP2,...>DESTIP1~port \

# SRCIP3,...>DESTIP2~port"

#

# IP form:

# "SRCIP1,SRCIP2,...>DESTIP1~protocol \

# SRCIP3,...>DESTIP2~protocol"

#

# TCP/UDP examples:

# Simple:

# (Allow port 80 on INET host 1.2.3.4 for all LAN hosts(0/0)):

# LAN_INET_HOST_OPEN_xxx="0/0>1.2.3.4~80"

# Advanced:

# (Allow port 20 & 21 on INET host 1.2.3.4 for all LAN hosts(0/0) and

# allow port 80 on INET host 1.2.3.4 for LAN host 192.168.0.10 (only)):

# LAN_INET_HOST_OPEN_xxx="0/0>1.2.3.4~20,21 192.168.0.10>80"

#

# IP protocol example:

# (Allow protocols 47 & 48 on INET host 1.2.3.4 for all LAN hosts(0/0))

# LAN_INET_HOST_OPEN_IP="0/0>1.2.3.4~47,48"

#

# NOTE 1: If no SRCIPx is specified, any source host is used

# NOTE 2: If no port is specified, any port is used

# -----------------------------------------------------------------------------

LAN_INET_HOST_OPEN_TCP=""

LAN_INET_HOST_OPEN_UDP=""

LAN_INET_HOST_OPEN_IP=""

# Put in the following variables which DMZ hosts you want to deny to certain

# hosts/services on the internet.

#

# TCP/UDP form:

# "SRCIP1,SRCIP2,...>DESTIP1~port \

# SRCIP3,...>DESTIP2~port"

#

# IP form:

# "SRCIP1,SRCIP2,...>DESTIP1~protocol \

# SRCIP3,...>DESTIP2~protocol"

#

# TCP/UDP examples:

# Simple (Deny port 80 on INET host 1.2.3.4 for all LAN hosts(0/0)):

# LAN_INET_HOST_DENY_xxx="0/0>1.2.3.4~80"

# Advanced (Deny port 20 & 21 on INET host 1.2.3.4 for all LAN hosts(0/0) and

# deny port 80 on INET host 1.2.3.4 for LAN host 192.168.0.10 (only)):

# LAN_INET_HOST_DENY_xxx="0/0>1.2.3.4~20,21 192.168.0.10>1.2.3.4~80"

#

# IP protocol example:

# (Deny protocols 47 & 48 on INET host 1.2.3.4 for all LAN hosts(0/0)):

# LAN_INET_HOST_DENY_IP="0/0>1.2.3.4~47,48"

#

# NOTE 1: If no SRCIPx is specified, any source host is used

# NOTE 2: If no port is specified, any port is used

# -----------------------------------------------------------------------------

LAN_INET_HOST_DENY_TCP=""

LAN_INET_HOST_DENY_UDP=""

LAN_INET_HOST_DENY_IP=""

###############################################################################

# Firewall policies for the DMZ (EXPERT SETTINGS!) #

###############################################################################

###############################################################################

# DMZ_xxx = DMZ->localhost(this machine) input access rules #

###############################################################################

# Enable this to allow ICMP-requests(ping) from the DMZ

# -----------------------------------------------------------------------------

DMZ_OPEN_ICMP=1

# Put in the following variables which DMZ hosts are permitted to connect to

# certain the TCP/UDP ports, IP protocols or ICMP. By default all (local)

# services are blocked for DMZ hosts.

# -----------------------------------------------------------------------------

DMZ_OPEN_TCP=""

DMZ_OPEN_UDP=""

DMZ_OPEN_IP=""

# Put in the following variables which DMZ hosts you want to allow for certain

# services. By default all (local) services are blocked for DMZ hosts.

# TCP/UDP port format (DMZ_HOST_OPEN_TCP & DMZ_HOST_OPEN_UDP):

# "host1,host2~port1,port2 host3,host4~port3,port4 ..."

#

# IP protocol format (DMZ_HOST_OPEN_IP):

# "host1,host2~proto1,proto2 host3,host4~proto3,proto4 ..."

# -----------------------------------------------------------------------------

DMZ_HOST_OPEN_TCP=""

DMZ_HOST_OPEN_UDP=""

DMZ_HOST_OPEN_IP=""

###############################################################################

# INET_DMZ_xxx = Internet->DMZ access rules (forward) #

# #

# Note: As of Version 2.0.0 the default policy has changed to DROP #

# Previous to Version 2.0.0 the default policy was ACCEPT #

###############################################################################

# Enable this to make the default policy allow for ICMP(ping) for INET->DMZ

# -----------------------------------------------------------------------------

INET_DMZ_OPEN_ICMP=0

# Put in the following variables which INET hosts are permitted to connect to

# certain the TCP/UDP ports or IP protocols in the DMZ.

# -----------------------------------------------------------------------------

INET_DMZ_OPEN_TCP=""

INET_DMZ_OPEN_UDP=""

INET_DMZ_OPEN_IP=""

# Put in the following variables which INET hosts are NOT permitted to connect

# to certain the TCP/UDP ports or IP protocols in the DMZ.

# -----------------------------------------------------------------------------

INET_DMZ_DENY_TCP=""

INET_DMZ_DENY_UDP=""

INET_DMZ_DENY_IP=""

# Put in the following variables which INET hosts you want to allow to certain

# hosts/services on the DMZ net. By default all services are dropped.

#

# TCP/UDP form:

# "SRCIP1,SRCIP2,...>DESTIP1~port \

# SRCIP3,...>DESTIP2~port"

#

# IP form:

# "SRCIP1,SRCIP2,...>DESTIP1~protocol \

# SRCIP3,...>DESTIP2~protocol"

#

# TCP/UDP examples:

# Simple (Allow port 80 on DMZ host 1.2.3.4 for all INET hosts(0/0)):

# INET_DMZ_HOST_OPEN_xxx="0/0>1.2.3.4~80"

# Advanced (Allow port 20 & 21 on DMZ host 1.2.3.4 for all INET hosts(0/0) and

# allow port 80 on DMZ host 1.2.3.4 for INET host 5.6.7.8 (only)):

# INET_DMZ_HOST_OPEN_xxx="0/0>1.2.3.4~20,21 5.6.7.8>1.2.3.4~80"

#

# IP protocol example:

# (Allow protocols 47 & 48 on INET host 1.2.3.4 for all DMZ hosts )

# INET_DMZ_HOST_OPEN_IP="0/0>1.2.3.4~47,48"

#

# NOTE 1: If no SRCIPx is specified, any source host is used

# NOTE 2: If no port is specified, any port is used

# -----------------------------------------------------------------------------

INET_DMZ_HOST_OPEN_TCP=""

INET_DMZ_HOST_OPEN_UDP=""

INET_DMZ_HOST_OPEN_IP=""

# Put in the following variables which INET hosts you want to deny to certain

# hosts/services on the DMZ net.

#

# TCP/UDP form:

# "SRCIP1,SRCIP2,...>DESTIP1~port \

# SRCIP3,...>DESTIP2~port"

#

# IP form:

# "SRCIP1,SRCIP2,...>DESTIP1~protocol \

# SRCIP3,...>DESTIP2~protocol"

#

# TCP/UDP examples:

# Simple (Deny port 80 on DMZ host 1.2.3.4 for all INET hosts(0/0)):

# INET_DMZ_HOST_DENY_xxx="0/0>1.2.3.4~80"

# Advanced (Deny port 20 & 21 on DMZ host 1.2.3.4 for all INET hosts(0/0) and

# deny port 80 on DMZ host 1.2.3.4 for INET host 5.6.7.8 (only)):

# INET_DMZ_HOST_DENY_xxx="0/0>1.2.3.4~20,21 5.6.7.8>1.2.3.4~80"

#

# IP protocol example:

# (Deny protocols 47 & 48 on DMZ host 1.2.3.4 for all INET hosts):

# INET_DMZ_HOST_DENY_IP="0/0>1.2.3.4~47,48"

#

# NOTE 1: If no SRCIPx is specified, any source host is used

# NOTE 2: If no port is specified, any port is used

# -----------------------------------------------------------------------------

INET_DMZ_HOST_DENY_TCP=""

INET_DMZ_HOST_DENY_UDP=""

INET_DMZ_HOST_DENY_IP=""

###############################################################################

# DMZ_INET_xxx = DMZ->internet access rules (forward) #

# #

# Note that when the DMZ_INET_OPEN_xxx & DMZ_INET_HOST_OPEN_xxx variables are #

# NOT used, the default policy will be accept for DMZ->INET (unless denied #

# through DMZ_INET_DENY_xxx and/or DMZ_INET_HOST_DENY_xxx)! #

###############################################################################

# Disable this (set to "") to automatically set default policy as above.

# When set to "1" the DMZ->INET default policy will always be DROP

# When set to "0" the DMZ->INET default policy will always be ACCEPT

# -----------------------------------------------------------------------------

DMZ_INET_DEFAULT_POLICY_DROP=""

# Enable this to make the default policy allow for ICMP(ping) for DMZ->INET

# -----------------------------------------------------------------------------

DMZ_INET_OPEN_ICMP=1

# Put in the following variables the TCP/UDP ports or IP

# protocols TO (remote end-point) which the DMZ hosts are

# permitted to connect to via the external (internet) interface.

# -----------------------------------------------------------------------------

DMZ_INET_OPEN_TCP=""

DMZ_INET_OPEN_UDP=""

DMZ_INET_OPEN_IP=""

# Put in the following variables the TCP/UDP ports or IP protocols TO (remote

# end-point) which the DMZ hosts are NOT permitted to connect to

# via the external (internet) interface. Examples of usage are for blocking

# IRC (TCP 6666:6669) for the internal network.

# -----------------------------------------------------------------------------

DMZ_INET_DENY_TCP=""

DMZ_INET_DENY_UDP=""

DMZ_INET_DENY_IP=""

# Put in the following variables which DMZ hosts you want to allow to certain

# hosts/services on the internet. By default all services are allowed.

#

# TCP/UDP form:

# "SRCIP1,SRCIP2,...>DESTIP1~port \

# SRCIP3,...>DESTIP2~port"

#

# IP form:

# "SRCIP1,SRCIP2,...>DESTIP1~protocol \

# SRCIP3,...>DESTIP2~sprotocol"

#

# TCP/UDP examples:

# Simple (Allow port 80 on INET host 1.2.3.4 for all DMZ hosts(0/0)):

# DMZ_INET_HOST_OPEN_xxx="0/0>1.2.3.4~80"

# Advanced (Allow port 20 & 21 on INET host 1.2.3.4 for all DMZ hosts(0/0) and

# allow port 80 on INET host 1.2.3.4 for DMZ host 5.6.7.8 (only)):

# DMZ_INET_HOST_OPEN_xxx="0/0>1.2.3.4~20,21 5.6.7.8>1.2.3.4~80"

#

# IP protocol example:

# (Allow protocols 47 & 48 on INET host 1.2.3.4 for all DMZ hosts):

# DMZ_INET_HOST_OPEN_IP="0/0>1.2.3.4~47,48"

#

# NOTE 1: If no SRCIPx is specified, any source host is used

# NOTE 2: If no port is specified, any port is used

# -----------------------------------------------------------------------------

DMZ_INET_HOST_OPEN_TCP=""

DMZ_INET_HOST_OPEN_UDP=""

DMZ_INET_HOST_OPEN_IP=""

# Put in the following variables which DMZ hosts you want to deny to certain

# hosts/services on the internet.

#

# TCP/UDP form:

# "SRCIP1,SRCIP2,...>DESTIP1~port \

# SRCIP3,...>DESTIP2~port"

#

# IP form:

# "SRCIP1,SRCIP2,...>DESTIP1~protocol \

# SRCIP3,...>DESTIP2~protocol"

#

# TCP/UDP examples:

# Simple (Deny port 80 on INET host 1.2.3.4 for all DMZ hosts(0/0)):

# DMZ_INET_HOST_DENY_xxx="0/0>1.2.3.4~80"

# Advanced (Deny port 20 & 21 on INET host 1.2.3.4 for all DMZ hosts(0/0) and

# deny port 80 on INET host 1.2.3.4 for DMZ host 5.6.7.8 (only)):

# DMZ_INET_HOST_DENY_xxx="0/0>1.2.3.4~20,21 5.6.7.8>1.2.3.4~80"

#

# IP protocol example:

# (Deny protocols 47 & 48 on INET host 1.2.3.4 for all DMZ hosts(0/0)):

# DMZ_INET_HOST_DENY_IP="0/0>1.2.3.4:47,48"

#

# NOTE 1: If no SRCIPx is specified, any source host is used

# NOTE 2: If no port is specified, any port is used

# -----------------------------------------------------------------------------

DMZ_INET_HOST_DENY_TCP=""

DMZ_INET_HOST_DENY_UDP=""

DMZ_INET_HOST_DENY_IP=""

###############################################################################

# DMZ_LAN_xxx = DMZ->LAN access rules (forward) #

###############################################################################

# Enable this to make the default policy allow for ICMP(ping) for DMZ->LAN

# -----------------------------------------------------------------------------

DMZ_LAN_OPEN_ICMP=0

# Put in the following variables which DMZ hosts you want to allow to certain

# hosts/services on the LAN (net).

#

# TCP/UDP form:

# "SRCIP1,SRCIP2,...>DESTIP1~port \

# SRCIP3,...>DESTIP2~port"

#

# IP form:

# "SRCIP1,SRCIP2,...>DESTIP1~protocol \

# SRCIP3,...>DESTIP2~protocol"

#

# TCP/UDP examples:

# Simple (Allow port 80 on LAN host 1.2.3.4 for all DMZ hosts(0/0)):

# DMZ_LAN_HOST_OPEN_xxx="0/0>1.2.3.4~80"

# Advanced (Allow port 20 & 21 on LAN host 1.2.3.4 for all DMZ hosts (0/0) and

# allow port 80 for DMZ host 5.6.7.8 (only) on LAN host

# 1.2.3.4):

# DMZ_LAN_HOST_OPEN_xxx="0/0>1.2.3.4~20,21 5.6.7.8>1.2.3.4~80"

#

# IP protocol example:

# (Allow protocols 47 & 48 on LAN host 1.2.3.4 for all DMZ hosts(0/0)):

# DMZ_LAN_HOST_OPEN_IP="0/0>1.2.3.4~47,48"

#

# NOTE 1: If no SRCIPx is specified, any source host is used

# NOTE 2: If no port is specified, any port is used

# -----------------------------------------------------------------------------

DMZ_LAN_HOST_OPEN_TCP=""

DMZ_LAN_HOST_OPEN_UDP=""

DMZ_LAN_HOST_OPEN_IP=""

###############################################################################

# Firewall policies for the external (inet) interface (default policy = drop) #

###############################################################################

# Put in the following variable which hosts (subnets) you want have full access

# via your internet (EXT_IF) connection(!). This is especially meant for

# networks/servers which use NIS/NFS, as these protocols require all ports

# to be open.

# NOTE: Don't mistake this variable with the one used for internal nets.

# -----------------------------------------------------------------------------

FULL_ACCESS_HOSTS=""

# Put in the following variable which TCP/UDP ports you don't want to

# see broadcasts from (eg. DHCP (67/68) on your EXTERNAL interface. Note that

# to make this properly work you also need to set "EXTERNAL_NET"!

# -----------------------------------------------------------------------------

BROADCAST_TCP_NOLOG=""

#BROADCAST_UDP_NOLOG="67 68"

# Put in the following variables which hosts you want to allow for certain

# services.

# TCP/UDP port format (HOST_OPEN_TCP & HOST_OPEN_UDP):

# "host1,host2~port1,port2 host3,host4~port3,port4 ..."

#

# IP protocol format (HOST_OPEN_IP):

# "host1,host2~proto1,proto2 host3,host4~proto4,proto4 ..."

#

# ICMP protocol format (HOST_OPEN_ICMP):

# "host1 host2 ...."

# -----------------------------------------------------------------------------

HOST_OPEN_TCP=""

HOST_OPEN_UDP=""

HOST_OPEN_IP=""

HOST_OPEN_ICMP=""

# Put in the following variables which hosts you want to DENY(DROP) for certain

# services (and logged).

# to DENY(DROP) for certain hosts.

# TCP/UDP port format (HOST_DENY_TCP & HOST_DENY_UDP):

# "host1,host2~port1,port2 host3,host4~port3,port4 ..."

#

# IP protocol format (HOST_DENY_IP):

# "host1,host2~proto1,proto2 host3,host4~proto4,proto4 ..."

#

# ICMP protocol format (HOST_DENY_ICMP):

# "host1 host2 ...."

# -----------------------------------------------------------------------------

HOST_DENY_TCP=""

HOST_DENY_UDP=""

HOST_DENY_IP=""

HOST_DENY_ICMP=""

# Put in the following variables which hosts you want to DENY(DROP) for certain

# services but NOT logged.

# TCP/UDP port format (HOST_DENY_xxx_NOLOG):

# "host1,host2~port1,port2 host3,host4~port3,port4 ..."

#

# IP protocol format (HOST_DENY_IP_NOLOG):

# "host1,host2~proto1,proto2 host3,host4~proto4,proto4 ..."

#

# ICMP protocol format (HOST_DENY_ICMP_NOLOG):

# "host1 host2 ...."

# -----------------------------------------------------------------------------

HOST_DENY_TCP_NOLOG=""

HOST_DENY_UDP_NOLOG=""

HOST_DENY_IP_NOLOG=""

HOST_DENY_ICMP_NOLOG=""

# Put in the following variables which hosts you want to REJECT (instead of

# DROP) for certain TCP/UDP ports.

# TCP/UDP port format (HOST_REJECT_xxx):

# "host1,host2~port1,port2 host3,host4~port3,port4 ..."

# -----------------------------------------------------------------------------

HOST_REJECT_TCP=""

HOST_REJECT_UDP=""

# Put in the following variables which hosts you want to REJECT (instead of

# DROP) for certain services but NOT logged.

# TCP/UDP port format (HOST_REJECT_xxx_NOLOG):

# "host1,host2~port1,port2 host3,host4~port3,port4 ..."

# -----------------------------------------------------------------------------

HOST_REJECT_TCP_NOLOG=""

HOST_REJECT_UDP_NOLOG=""

# Put in the following variables which services THIS machine is NOT

# permitted to connect TO (remote end-point) via the external (internet)

# interface. For example for blocking IRC (tcp 6666:6669).

# -----------------------------------------------------------------------------

DENY_TCP_OUTPUT=""

DENY_UDP_OUTPUT=""

DENY_IP_OUTPUT=""

# Put in the following variables to which hosts THIS machine is NOT

# permitted to connect TO for certain services (remote end-point)

# via the external (internet) interface. In principle you can also

# use this to put your machine in a "virtual-DMZ" by blocking all traffic

# to your local subnet.

# TCP/UDP port format (HOST_DENY_TCP_OUTPUT & HOST_DENY_UDP_OUTPUT):

# "host1,host2~port1,port2 host3,host4~port3,port4 ..."

#

# IP protocol format (HOST_DENY_IP_OUTPUT):

# "host1,host2~proto1,proto2 host3,host4~proto4,proto4 ..."

# -----------------------------------------------------------------------------

HOST_DENY_TCP_OUTPUT=""

HOST_DENY_UDP_OUTPUT=""

HOST_DENY_IP_OUTPUT=""

# Enable (1) to make the default policy allow for IPv4 ICMP (ping) for INET access

# Note: Other ICMP variables apply to both IPv4 and IPv6 unless otherwise noted.

# -----------------------------------------------------------------------------

OPEN_ICMP=0

# Disable (0) to make the default policy drop IPv6 ICMPv6 for INET access

# Note: Other ICMP variables apply to both IPv4 and IPv6 unless otherwise noted.

# -----------------------------------------------------------------------------

OPEN_ICMPV6=0

# Put in the following variables which ports or IP protocols you want to leave

# open to the whole world.

# -----------------------------------------------------------------------------

OPEN_TCP="************************************"

OPEN_UDP="*********************************"

OPEN_IP=""

# Put in the following variables the TCP/UDP ports you want to DENY(DROP) for

# everyone (and logged). Also use these variables if you want to log connection

# attempts to these ports from everyone (also trusted/full access hosts).

# In principle you don't need these variables, as everything is already blocked

# (denied) by default, but just exists for consistency.

# -----------------------------------------------------------------------------

DENY_TCP=""

DENY_UDP=""

# Put in the following variables which ports you want to DENY(DROP) for

# everyone but NOT logged. This is very useful if you have constant probes on

# the same port(s) over and over again (code red worm) and don't want your logs

# flooded with it.

# -----------------------------------------------------------------------------

DENY_TCP_NOLOG=""

DENY_UDP_NOLOG=""

# Put in the following variables the TCP/UDP ports you want to REJECT (instead

# of DROP) for everyone (and logged).

# -----------------------------------------------------------------------------

REJECT_TCP=""

REJECT_UDP=""

# Put in the following variables the TCP/UDP ports you want to REJECT (instead

# of DROP) for everyone but NOT logged.

# -----------------------------------------------------------------------------

REJECT_TCP_NOLOG=""

REJECT_UDP_NOLOG=""

# Put in the following variable which hosts you want to block (blackhole,

# dropping every packet from the host).

# -----------------------------------------------------------------------------

BLOCK_HOSTS=""

# Blocked Hosts are by default blocked in both Inbound and Outbound directions.

# If only Inbound blocking is desired, set to 0 to disable bidirectional blocking.

# -----------------------------------------------------------------------------

BLOCK_HOSTS_BIDIRECTIONAL=1

# Uncomment & specify here the location of the file that contains a list of

# hosts(IPs) that should be BLOCKED. IP ranges can (only) be specified as

# w.x.y.z1-z2 (eg. 192.168.1.10-15). Note that the last line of this file

# should always contain a carriage-return (enter)!

# -----------------------------------------------------------------------------

#BLOCK_HOSTS_FILE="/etc/arno-iptables-firewall/blocked-hosts"