1. ###############################################################################
  2. # You should put this config-file in /etc/arno-iptables-firewall/ #
  3. ###############################################################################
  4. # --------------------------- Configuration file ------------------------------
  5. # -= Arno's iptables firewall =-
  6. # Single- & multi-homed firewall script with DSL/ADSL support
  7. #
  8. # (C) Copyright 2001-2012 by Arno van Amersfoort
  9. # Co-authors : Lonnie Abelbeck & Philip Prindeville
  10. # Homepage : http://rocky.eld.leidenuniv.nl/
  11. # Freshmeat : http://freshmeat.net/projects/iptables-firewall/?topic_id=151
  12. # Email : arnova AT rocky DOT eld DOT leidenuniv DOT nl
  13. # (note: you must remove all spaces and substitute the @ and the .
  14. # at the proper locations!)
  15. # -----------------------------------------------------------------------------
  16. # This program is free software; you can redistribute it and/or
  17. # modify it under the terms of the GNU General Public License
  18. # version 2 as published by the Free Software Foundation.
  19. # This program is distributed in the hope that it will be useful, but WITHOUT
  20. # ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
  21. # FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for
  22. # more details.
  23. # You should have received a copy of the GNU General Public License along with
  24. # this program; if not, write to the Free Software Foundation Inc., 59 Temple
  25. # Place - Suite 330, Boston, MA 02111-1307, USA.
  26. # -----------------------------------------------------------------------------
  27. ###############################################################################
  28. # External (internet) interface settings #
  29. ###############################################################################
  30. # The external interface(s) that will be protected (and used as internet
  31. # connection). This is probably ppp+ or dsl+ for non-transparent(!) (A)DSL
  32. # modems otherwise it's probably "ethX" (eg. eth0). Multiple interfaces should
  33. # be space separated.
  34. # -----------------------------------------------------------------------------
  35. EXT_IF="ppp0"
  36. # Enable if THIS machines (dynamically) obtains its IP through (IPv4) DHCP
  37. # and/or (IPv6) DHCPv6 (from your ISP)
  38. # -----------------------------------------------------------------------------
  39. EXT_IF_DHCP_IP=1
  40. # (EXPERT SETTING!) Here you can specify your external(!) IPv4 subnet(s). You
  41. # should only use this if you for example have a corporate network and/or
  42. # running a DHCP server on your external(!) interface. Home users should
  43. # normally NOT touch this setting. Multiple subnets should be space separated.
  44. # Don't forget to specify a proper subnet masker (eg. /24, /16 or /8)!
  45. # -----------------------------------------------------------------------------
  46. #EXTERNAL_NET=""
  47. # (EXPERT SETTING!) Here you can specify the IPv4 address used for broadcasts
  48. # on your external subnet. You only need to set this option if you want to use
  49. # the BROADCAST_XXX_NOLOG variables AND you use a non-standard broadcast
  50. # address (not *.255.255.255, *.*.255.255 or *.*.*.255)! So normally leaving
  51. # this empty should work fine. Multiple addresses should be space separated.
  52. # -----------------------------------------------------------------------------
  53. #EXT_NET_BCAST_ADDRESS=""
  54. # Enable this if THIS MACHINE is running an IPv4 DHCP(BOOTP) server for a subnet
  55. # on the external(!) interface. Note that you don't need this for internal
  56. # subnets, as for these nets everything is accepted by default. Don't forget to
  57. # configure the EXTERNAL_NET variable, to make this work. (IPv4 Only)
  58. # -----------------------------------------------------------------------------
  59. EXTERNAL_DHCP_SERVER=0
  60. # Enable this if THIS MACHINE is running an IPv6 DHCPv6 server for a Link-Local
  61. # address on the external(!) interface. Note that you don't need this for internal
  62. # subnets, as for these nets everything is accepted by default. (IPv6 Only)
  63. # -----------------------------------------------------------------------------
  64. EXTERNAL_DHCPV6_SERVER=0
  65. ###############################################################################
  66. # Internal (LAN) interface settings #
  67. ###############################################################################
  68. # Specify here your internal network (LAN) interface(s). Multiple(!) interfaces
  69. # should be space separated. Remark this if you don't have any internal network
  70. # interfaces. Note that by default ALL traffic is accepted from these
  71. # interfaces.
  72. # -----------------------------------------------------------------------------
  73. INT_IF="br0"
  74. # Specify here the internal IPv4 subnet(s) which is/are connected to the
  75. # internal interface(s). For multiple interfaces(!) you can either specify
  76. # multiple subnets here or specify one big subnet for all internal interfaces.
  77. # Note that this variable is mainly used for antispoofing.
  78. # -----------------------------------------------------------------------------
  79. INTERNAL_NET="192.168.0.0/24"
  80. # Set this variable to 0 to disable antispoof checking for the internal nets
  81. # (EXPERT SETTING!)
  82. # -----------------------------------------------------------------------------
  83. INTERNAL_NET_ANTISPOOF=1
  84. # (EXPERT SETTING!) Here you can specify the IPv4 address used for broadcasts
  85. # on your internal subnet. You only need to set this option if you want to use
  86. # the MAC filter AND you use a non-standard broadcast address
  87. # (not *.255.255.255, *.*.255.255 or *.*.*.255)! So normally leaving
  88. # this empty should work fine. Multiple addresses (if you have multiple
  89. # internal nets) should be space separated.
  90. # -----------------------------------------------------------------------------
  91. #INT_NET_BCAST_ADDRESS=""
  92. ###############################################################################
  93. # DMZ (aka DeMilitarized Zone) settings #
  94. ###############################################################################
  95. # Put in the following variable the network interfaces that are DMZ-classified.
  96. # You can also use this interface if you want to shield your Wireless network
  97. # from your LAN.
  98. # -----------------------------------------------------------------------------
  99. DMZ_IF=""
  100. # Specify here the subnet which is connected to the DMZ interface (DMZ_IF).
  101. # For multiple interfaces(!) you can either specify multiple subnets here or
  102. # specify one big subnet for all DMZ interfaces.
  103. # -----------------------------------------------------------------------------
  104. DMZ_NET=""
  105. # Set this variable to 0 to disable antispoof checking for the dmz nets
  106. # (EXPERT SETTING!)
  107. # -----------------------------------------------------------------------------
  108. DMZ_NET_ANTISPOOF=1
  109. ###############################################################################
  110. # NAT (Masquerade, SNAT, DNAT) settings (IPv4 only!) #
  111. ###############################################################################
  112. # Enable this if you want to perform NAT (masquerading) for your internal
  113. # network (LAN) (eg. share your internet connection with your internal
  114. # net(s) connected to eg. INT_IF)
  115. # -----------------------------------------------------------------------------
  116. NAT=1
  117. # (EXPERT SETTING!) In case you would like to use SNAT instead of
  118. # MASQUERADING then uncomment and set the IP or IPs here of your static
  119. # external address(es). Note that when multiple IPs are specified, SNAT
  120. # multiroute is enabled (load balancing over multiple external (internet)
  121. # interfaces, check the README file for more info). Note that the order of IPs
  122. # should match the order of interfaces (they belong to) in $EXT_IF!
  123. # -----------------------------------------------------------------------------
  124. #NAT_STATIC_IP="193.2.1.1"
  125. # (EXPERT SETTING!) Use this variable only if you want specific subnets or
  126. # hosts to be able to access the internet. When no value is specified, your
  127. # whole internal net will have access. In both cases it's obviously only
  128. # meaningful when NAT is enabled. Note that you can also use this variable if
  129. # you want to use NAT for your DMZ.
  130. # -----------------------------------------------------------------------------
  131. NAT_INTERNAL_NET="$INTERNAL_NET"
  132. # (EXPERT SETTING!) Enable this if you want to be able to redirect local ports
  133. # or protocols on your gateway using NAT forwards.
  134. # -----------------------------------------------------------------------------
  135. NAT_LOCAL_REDIRECT=1
  136. # NAT TCP/UDP/IP forwards. Forward ports or protocols from the gateway to
  137. # an internal client through (D)NAT. Note that you can also use these
  138. # variables to forward ports to DMZ hosts.
  139. #
  140. # TCP/UDP form:
  141. # "{SRCIP1,SRCIP2,...~}PORT1,PORT2-PORT3,...>DESTIP1{~port} \
  142. # {SRCIP3,...~}PORT3,...>DESTIP2{~port}"
  143. #
  144. # IP form:
  145. # "{SRCIP1,SRCIP2,...~}PROTO1,PROTO2,...>DESTIP1 \
  146. # {SRCIP3~}PROTO3,PROTO4,...>DESTIP2"
  147. #
  148. # TCP/UDP port forward examples:
  149. # Simple (forward port 80 to internal host 192.168.0.10):
  150. # NAT_FORWARD_xxx="80>192.168.0.10 20,21>192.168.0.10"
  151. # Advanced (forward port 20 & 21 to 192.168.0.10 and
  152. # forward from 1.2.3.4 port 81 to 192.168.0.11 port 80:
  153. # NAT_FORWARD_xxx="1.2.3.4~81>192.168.0.11~80"
  154. #
  155. # IP protocol forward example:
  156. # (forward protocols 47 & 48 to 192.168.0.10)
  157. # NAT_FORWARD_IP="47,48>192.168.0.10"
  158. #
  159. # NOTE 1: {~port} is optional. Use it to redirect a specific port to a
  160. # different port on the internal client.
  161. # NOTE 2: {SRCIPx} is optional. Use it to restrict access for specific source
  162. # (inet) IP addresses.
  163. # (IPv4 Only)
  164. # -----------------------------------------------------------------------------
  165. NAT_FORWARD_TCP=""
  166. NAT_FORWARD_UDP=""
  167. NAT_FORWARD_IP=""
  168. # TCP/UDP/IP forwards. Forward IPv6 and non-NAT'ed IPv4 ports or protocols
  169. # from the gateway to an internal client. Note that you can also use these
  170. # variables to forward ports to DMZ hosts.
  171. #
  172. # TCP/UDP form:
  173. # "SRCIP1,SRCIP2,...>DESTIP1{~port} \
  174. # SRCIP3,...>DESTIP2{~port}"
  175. #
  176. # IP form:
  177. # "SRCIP1,SRCIP2,...>DESTIP1~PROTO \
  178. # SRCIP3,...>DESTIP2~PROTO"
  179. #
  180. # TCP/UDP port forward examples:
  181. # Simple (IPv6 forward port 80 to internal host 2001:db8::2):
  182. # INET_FORWARD_TCP="::/0>2001:db8::2~80"
  183. # Simple (IPv4 non-NAT forward port 80 to internal host 192.168.0.10):
  184. # INET_FORWARD_TCP="0/0>192.168.0.10~80"
  185. # Advanced (forward all UDP ports for 2000::/3 net to 2001:db8::/32 net):
  186. # INET_FORWARD_UDP="2000::/3>2001:db8::/32"
  187. #
  188. # IP protocol forward example:
  189. # (forward protocol 58 (ICMPv6) to 2001:db8::2)
  190. # INET_FORWARD_IP="::/0>2001:db8::2~58"
  191. #
  192. # (IPv6 and non-NAT'ed IPv4 Only)
  193. # -----------------------------------------------------------------------------
  194. INET_FORWARD_TCP=""
  195. INET_FORWARD_UDP=""
  196. INET_FORWARD_IP=""
  197. ###############################################################################
  198. # General settings #
  199. ###############################################################################
  200. # (EXPERT SETTING!) Location of the iptables-binary (use 'locate iptables' or
  201. # 'whereis iptables' to manually locate it), required for (default) IPv4 support
  202. # -----------------------------------------------------------------------------
  203. IP4TABLES="/sbin/iptables"
  204. # (EXPERT SETTING!) Location of the ip6tables-binary (use 'locate ip6tables' or
  205. # 'whereis ip6tables' to manually locate it), required for IPv6 support
  206. # -----------------------------------------------------------------------------
  207. IP6TABLES="/sbin/ip6tables"
  208. # (EXPERT SETTING!) Location of the environment file
  209. # -----------------------------------------------------------------------------
  210. ENV_FILE="/usr/libexec/arno-iptables-firewall/environment"
  211. # (EXPERT SETTING!) Location of plugin binary & config files
  212. # -----------------------------------------------------------------------------
  213. PLUGIN_BIN_PATH="/usr/libexec/arno-iptables-firewall/plugins"
  214. PLUGIN_CONF_PATH="/etc/arno-iptables-firewall/plugins"
  215. # Most people don't want to get any firewall logs being spit to the console.
  216. # This option makes the kernel ring buffer only log messages with level
  217. # "panic".
  218. # -----------------------------------------------------------------------------
  219. DMESG_PANIC_ONLY=1
  220. # Enable this if you want TOS mangling (RFC)
  221. # -----------------------------------------------------------------------------
  222. MANGLE_TOS=1
  223. # Enable this if you want to set the maximum packet size via the
  224. # Maximum Segment Size(through MSS field)
  225. # -----------------------------------------------------------------------------
  226. SET_MSS=1
  227. # Enable this if you want to increase the TTL value by one in the prerouting
  228. # chain. This hides the firewall when performing eg. traceroutes to internal
  229. # hosts. (IPv4 only!)
  230. # -----------------------------------------------------------------------------
  231. TTL_INC=0
  232. # (EXPERT SETTING!) Enable this if you want to set the TTL value for packets in
  233. # the OUTPUT & FORWARD chain. Note that this only works with newer 2.6 kernels
  234. # (2.6.14 or better) or patched 2.4 kernels, which have netfilter TTL target
  235. # support. Don't mess with this unless you really know what you are doing!
  236. # (IPv4 only!)
  237. # -----------------------------------------------------------------------------
  238. #PACKET_TTL="64"
  239. # (EXPERT SETTING!) Enable this if you want our internal DNS functions to fail
  240. # "fast". This means a query will be tried only once and times out after 1
  241. # second, the default is 3 tries and a 5 second timeout.
  242. # Note: The command 'dig' is preferred, 'nslookup' will be used if 'dig' is not
  243. # available, though the BusyBox 'nslookup' is not supported with this option.
  244. # -------------------------------------------------------------------------------
  245. DNS_FAST_FAIL=0
  246. # Enable this to support the IRC-protocol.
  247. # -----------------------------------------------------------------------------
  248. USE_IRC=1
  249. # (EXPERT SETTING!) Loosen the forward chain for the external interface(s).
  250. # Enable it to allow the use of protocols like UPnP. Note that it *could* be
  251. # less secure.
  252. # -----------------------------------------------------------------------------
  253. LOOSE_FORWARD=1
  254. # (EXPERT SETTING!) Enable (1) to allow IPv6 Link-Local addresses to be
  255. # forwarded between interfaces. (IPv6 Only)
  256. # -----------------------------------------------------------------------------
  257. FORWARD_LINK_LOCAL=0
  258. # (EXPERT SETTING!) Disable (0) to not drop all IPv6 packets with
  259. # Routing Header Type 0. Enabled by default. (IPv6 Only)
  260. # -----------------------------------------------------------------------------
  261. IPV6_DROP_RH_ZERO=1
  262. # (EXPERT SETTING!) Enable this if you want to drop packets originating from a
  263. # private address.
  264. # Note: To enable logging of dropped private addresses set RESERVED_NET_LOG=1
  265. # -----------------------------------------------------------------------------
  266. RESERVED_NET_DROP=0
  267. # (EXPERT SETTING!) Protect this machine from being abused for a DRDOS-attack
  268. # ("Distributed Reflection Denial Of Service"-attack). (STILL EXPERIMENTAL!)
  269. # -----------------------------------------------------------------------------
  270. DRDOS_PROTECT=0
  271. # Enable (1) if you want to enable mixed IPv4/IPv6 traffic support
  272. # Disable (0) if you want to enable only IPv4 traffic support
  273. # -----------------------------------------------------------------------------
  274. IPV6_SUPPORT=0
  275. # This option fixes problems with SMB broadcasts when using nmblookup
  276. # -----------------------------------------------------------------------------
  277. NMB_BROADCAST_FIX=0
  278. # Set this to 0 to suppress "assuming module is compiled in kernel" messages
  279. # -----------------------------------------------------------------------------
  280. COMPILED_IN_KERNEL_MESSAGES=0
  281. # (EXPERT SETTING!) You can choose the default policy for the INPUT & FORWARD
  282. # chain here (1=DROP, 0=ACCEPT). The default policy is DROP. This means that
  283. # when there are no rule(s) available (yet), the packet will be DROPPED. In
  284. # practice this rule only does something while the firewall is starting. Once
  285. # it's started and all rules are in place, the default policy doesn't do
  286. # anything anymore. People that use eg. NFS and let their clients boot from NFS
  287. # (diskless client systems) probably want to disable this option to fix
  288. # "NFS server not responding" etc. errors on their clients.
  289. # -----------------------------------------------------------------------------
  290. DEFAULT_POLICY_DROP=1
  291. # (EXPERT SETTING!) (Other) trusted network interfaces for which ALL IP
  292. # traffic should be ACCEPTED. (multiple(!) interfaces should be space
  293. # separated). Be warned that anything TO and FROM these interfaces is allowed
  294. # (ACCEPTED) so make sure it's NOT routable(accessible) from the outside world
  295. # (internet)! And of course putting one of your external interfaces here would
  296. # be extremely stupid.
  297. # -----------------------------------------------------------------------------
  298. TRUSTED_IF=""
  299. # (EXPERT SETTING!) Put here the interfaces that should trust
  300. # each other (accept forward traffic). You can use | (piping-sign) to create
  301. # seperate interface groups. And (again) of course putting one of your external
  302. # interfaces here would be extremely stupid.
  303. # -----------------------------------------------------------------------------
  304. IF_TRUSTS=""
  305. # Location of the custom iptables rules file (if any).
  306. # -----------------------------------------------------------------------------
  307. CUSTOM_RULES="/etc/arno-iptables-firewall/custom-rules"
  308. # Location of the local (user/global) configuration file, if used
  309. # -----------------------------------------------------------------------------
  310. LOCAL_CONFIG_FILE=""
  311. # Location of the local directory, if defined, containing *.conf file(s)
  312. # in that directory, and sources them for configuration variables.
  313. # Note: An undefined LOCAL_CONFIG_DIR variable defaults to the default below.
  314. # -----------------------------------------------------------------------------
  315. LOCAL_CONFIG_DIR="/etc/arno-iptables-firewall/conf.d"
  316. # (EXPERT SETTING!) Set this (to 1) to disable the use of iptables-save and
  317. # iptables-restore to add rules in batch rather than one-by-one. Much slower
  318. # when disabled. BLOCK_HOSTS and BLOCK_HOSTS_FILE utilizes this feature.
  319. # -----------------------------------------------------------------------------
  320. DISABLE_IPTABLES_BATCH=0
  321. # (EXPERT SETTING!) Set this (to 1) to enable tracing
  322. # -----------------------------------------------------------------------------
  323. TRACE=0
  324. ###############################################################################
  325. # Logging options - All logging is rate limited to prevent log flooding #
  326. ###############################################################################
  327. # Enable logging for explicitly blocked hosts.
  328. # -----------------------------------------------------------------------------
  329. BLOCKED_HOST_LOG=1
  330. # Enable logging for various stealth scans (reliable).
  331. # -----------------------------------------------------------------------------
  332. SCAN_LOG=1
  333. # Enable logging for possible stealth scans (less reliable).
  334. # -----------------------------------------------------------------------------
  335. POSSIBLE_SCAN_LOG=1
  336. # Enable logging for TCP-packets with bad flags.
  337. # -----------------------------------------------------------------------------
  338. BAD_FLAGS_LOG=1
  339. # Enable logging of invalid TCP packets. Keep disabled (0) by default to reduce
  340. # INVALID packets being logged because of lost (legimate) connections. When
  341. # debugging any problems, you should enable it (temporarily)!
  342. # -----------------------------------------------------------------------------
  343. INVALID_TCP_LOG=0
  344. # Enable logging of invalid UDP packets. Keep disabled (0) by default to reduce
  345. # INVALID packets being logged because of lost (legimate) connections. When
  346. # debugging any problems, you should enable it (temporarily)!
  347. # -----------------------------------------------------------------------------
  348. INVALID_UDP_LOG=0
  349. # Enable logging of invalid ICMP packets. Keep disabled (0) by default to reduce
  350. # INVALID packets being logged because of lost (legimate) connections. When
  351. # debugging any problems, you should enable it (temporarily)!
  352. # -----------------------------------------------------------------------------
  353. INVALID_ICMP_LOG=0
  354. # Enable (1) logging of source IPs with reserved or private addresses.
  355. # -----------------------------------------------------------------------------
  356. RESERVED_NET_LOG=0
  357. # Enable logging of fragmented packets.
  358. # -----------------------------------------------------------------------------
  359. FRAG_LOG=1
  360. # Enable logging of denied local (OUTPUT) connections.
  361. # -----------------------------------------------------------------------------
  362. INET_OUTPUT_DENY_LOG=1
  363. # Enable logging of denied LAN output (FORWARD) connections.
  364. # -----------------------------------------------------------------------------
  365. LAN_OUTPUT_DENY_LOG=1
  366. # Enable logging of denied LAN INPUT connections.
  367. # -----------------------------------------------------------------------------
  368. LAN_INPUT_DENY_LOG=1
  369. # Enable logging of denied DMZ output (FORWARD) connections.
  370. # -----------------------------------------------------------------------------
  371. DMZ_OUTPUT_DENY_LOG=1
  372. # Enable logging of denied DMZ input (FORWARD) connections.
  373. # -----------------------------------------------------------------------------
  374. DMZ_INPUT_DENY_LOG=1
  375. # Enable logging of dropped FORWARD packets.
  376. # -----------------------------------------------------------------------------
  377. FORWARD_DROP_LOG=1
  378. # Enable logging of dropped IPv6 Link-Local forwarded packets.
  379. # Note: requires FORWARD_LINK_LOCAL=0 (IPv6 Only)
  380. # -----------------------------------------------------------------------------
  381. LINK_LOCAL_DROP_LOG=1
  382. # Enable logging of dropped ICMP-request packets (ping).
  383. # -----------------------------------------------------------------------------
  384. ICMP_REQUEST_LOG=1
  385. # Enable logging of dropped "other" ICMP packets.
  386. # -----------------------------------------------------------------------------
  387. ICMP_OTHER_LOG=1
  388. # Enable logging of normal connection attempts to privileged TCP ports.
  389. # -----------------------------------------------------------------------------
  390. PRIV_TCP_LOG=1
  391. # Enable logging of normal connection attempts to privileged UDP ports.
  392. # -----------------------------------------------------------------------------
  393. PRIV_UDP_LOG=1
  394. # Enable logging of normal connection attempts to unprivileged TCP ports.
  395. # -----------------------------------------------------------------------------
  396. UNPRIV_TCP_LOG=1
  397. # Enable logging of normal connection attempts to unprivileged UDP ports.
  398. # -----------------------------------------------------------------------------
  399. UNPRIV_UDP_LOG=1
  400. # Enable logging of IPv4 IGMP packets
  401. # -----------------------------------------------------------------------------
  402. IGMP_LOG=1
  403. # Enable logging of normal connection attempts to "other-IP"-protocols (non
  404. # TCP/UDP/ICMP/IGMP).
  405. # -----------------------------------------------------------------------------
  406. OTHER_IP_LOG=1
  407. # Enable logging for ICMP flooding.
  408. # -----------------------------------------------------------------------------
  409. ICMP_FLOOD_LOG=1
  410. # (EXPERT SETTING!) The location of the dedicated firewall log file. When
  411. # enabled the firewall script will also log start/stop etc. info to this file
  412. # as well. Note that in order to make this work, you should also configure
  413. # syslogd to log firewall messages to this file (see LOGLEVEL below for further
  414. # info).
  415. # -----------------------------------------------------------------------------
  416. #FIREWALL_LOG="/var/log/firewall.log"
  417. # (EXPERT SETTING!) Current log-level ("info": default kernel syslog level)
  418. # "debug": can be used to log to /var/log/firewall.log, but you have to configure
  419. # syslogd accordingly (see included syslogd.conf examples).
  420. # -----------------------------------------------------------------------------
  421. LOGLEVEL="info"
  422. # Put in the following variables which hosts you want to log certain incoming
  423. # connection attempts for.
  424. # TCP/UDP port format (LOG_HOST_INPUT_xxx):
  425. # "host1,host2~port1,port2 host3,host4~port3,port4 ..."
  426. #
  427. # IP protocol format (LOG_HOST_INPUT_IP):
  428. # "host1,host2~proto1,proto2 host3,host4~proto4,proto4 ..."
  429. # -----------------------------------------------------------------------------
  430. LOG_HOST_INPUT_TCP=""
  431. LOG_HOST_INPUT_UDP=""
  432. LOG_HOST_INPUT_IP=""
  433. # Put in the following variables which hosts you want to log certain outgoing
  434. # connection attempts for.
  435. # TCP/UDP port format (LOG_HOST_OUTPUT_xxx):
  436. # "host1,host2~port1,port2 host3,host4~port3,port4 ..."
  437. #
  438. # IP protocol format (LOG_HOST_OUTPUT_IP):
  439. # "host1,host2~proto1,proto2 host3,host4~proto4,proto4 ..."
  440. # -----------------------------------------------------------------------------
  441. LOG_HOST_OUTPUT_TCP=""
  442. LOG_HOST_OUTPUT_UDP=""
  443. LOG_HOST_OUTPUT_IP=""
  444. # Put in the following variables which services you want to log incoming
  445. # connection attempts for.
  446. # -----------------------------------------------------------------------------
  447. LOG_INPUT_TCP=""
  448. LOG_INPUT_UDP=""
  449. LOG_INPUT_IP=""
  450. # Put in the following variables which services you want to log outgoing
  451. # connection attempts for.
  452. # -----------------------------------------------------------------------------
  453. LOG_OUTPUT_TCP=""
  454. LOG_OUTPUT_UDP=""
  455. LOG_OUTPUT_IP=""
  456. # Put in the following variable which hosts you want to log incoming connection
  457. # (attempts) for.
  458. # -----------------------------------------------------------------------------
  459. LOG_HOST_INPUT=""
  460. # Put in the following variable which hosts you want to log outgoing connection
  461. # (attempts) to.
  462. # -----------------------------------------------------------------------------
  463. LOG_HOST_OUTPUT=""
  464. ###############################################################################
  465. # sysctl based settings (EXPERT SETTINGS!) #
  466. ###############################################################################
  467. # Enable for synflood protection (through /proc/.../tcp_syncookies).
  468. # -----------------------------------------------------------------------------
  469. SYN_PROT=1
  470. # Enable this to reduce the ability of others DOS'ing your machine.
  471. # -----------------------------------------------------------------------------
  472. REDUCE_DOS_ABILITY=1
  473. # Enable to ignore all ICMP echo-requests (IPv4) on ALL interfaces.
  474. # -----------------------------------------------------------------------------
  475. ECHO_IGNORE=0
  476. # Enable to log packets with impossible addresses to the kernel log.
  477. # -----------------------------------------------------------------------------
  478. LOG_MARTIANS=0
  479. # Only disable this if you're NOT using forwarding (required for NAT etc.) for
  480. # increased security.
  481. # Note: If enabled and IPV6 enabled, local IPv6 autoconf will be disabled.
  482. # -----------------------------------------------------------------------------
  483. IP_FORWARDING=1
  484. # (EXPERT SETTING!) Only disable this if IP_FORWARDING is disabled and
  485. # you do not use autoconf to obtain your IPv6 address.
  486. # Note: This is ignored if IP_FORWARDING is enabled. (IPv6 Only)
  487. # -----------------------------------------------------------------------------
  488. IPV6_AUTO_CONFIGURATION=1
  489. # Enable if you want to accept ICMP redirect messages. Should be set to "0" in
  490. # case of a router.
  491. # -----------------------------------------------------------------------------
  492. ICMP_REDIRECT=0
  493. # Enable/modify this if you want to be a able to handle a larger (or smaller)
  494. # number of simultaneous connections. For high traffic machines I recommend to
  495. # use a value of at least 16384 (note that a higher value (obviously) also uses
  496. # more memory).
  497. # -----------------------------------------------------------------------------
  498. CONNTRACK=65536
  499. # Enable ECN (Explicit Congestion Notification) TCP flag. Disabled by default,
  500. # as some routers are still not compatible with this.
  501. # -----------------------------------------------------------------------------
  502. ECN=0
  503. # Enable to drop connections from non-routable IPs, eg. prevent source
  504. # routing. By default the firewall itself also provides rules against source
  505. # routing. Note than when you use eg. VPN (Freeswan), you should probably
  506. # disable this setting.
  507. # -----------------------------------------------------------------------------
  508. RP_FILTER=1
  509. # Protect against source routed packets. Attackers can use source routing to
  510. # generate traffic pretending to be from inside your network, but which is
  511. # routed back along the path from which it came, namely outside, so attackers
  512. # can compromise your network. Source routing is rarely used for legitimate
  513. # purposes, so normally you should always leave this enabled(1)!
  514. # -----------------------------------------------------------------------------
  515. SOURCE_ROUTE_PROTECTION=1
  516. # Here we set the local port range (ports from which connections are
  517. # initiated from our site). Don't mess with this unless you really know what
  518. # you are doing!
  519. # -----------------------------------------------------------------------------
  520. LOCAL_PORT_RANGE="32768 61000"
  521. # Here you can change the default TTL used for sending packets. The value
  522. # should be between 10 and 255. Don't mess with this unless you really know
  523. # what you are doing!
  524. # -----------------------------------------------------------------------------
  525. DEFAULT_TTL=64
  526. # In most cases pmtu discovery is ok, but in some rare cases (when having
  527. # problems) you might want to disable it.
  528. # -----------------------------------------------------------------------------
  529. NO_PMTU_DISCOVERY=0
  530. ###############################################################################
  531. # Firewall policies for the LAN (EXPERT SETTINGS!) #
  532. ###############################################################################
  533. ###############################################################################
  534. # LAN_xxx = LAN->localhost(this machine) input access rules #
  535. # #
  536. # Note that when both LAN_OPEN_xxx & LAN_HOST_OPEN_xxx are NOT used, the #
  537. # default policy for this chain is accept (unless denied through #
  538. # LAN_DENY_xxx and/or LAN_HOST_DENY_xxx)! #
  539. ###############################################################################
  540. # Disable this (set to "") to automatically set default policy as above.
  541. # When set to "1" the LAN->localhost default policy will always be DROP
  542. # When set to "0" the LAN->localhost default policy will always be ACCEPT
  543. # -----------------------------------------------------------------------------
  544. LAN_DEFAULT_POLICY_DROP=""
  545. # Enable this to allow for ICMP-requests(ping) from your LAN
  546. # -----------------------------------------------------------------------------
  547. LAN_OPEN_ICMP=1
  548. # Put in the following variables the TCP/UDP ports or IP protocols TO
  549. # (remote end-point) which the LAN hosts are permitted to connect to.
  550. # -----------------------------------------------------------------------------
  551. LAN_OPEN_TCP=""
  552. LAN_OPEN_UDP=""
  553. LAN_OPEN_IP=""
  554. # Put in the following variables the TCP/UDP ports or IP protocols TO (remote
  555. # end-point) which LAN hosts are NOT permitted to connect to.
  556. # -----------------------------------------------------------------------------
  557. LAN_DENY_TCP=""
  558. LAN_DENY_UDP=""
  559. LAN_DENY_IP=""
  560. # Put in the following variables the TCP/UDP ports or IP
  561. # protocols TO (remote end-point) which certain LAN hosts are
  562. # permitted to connect to.
  563. #
  564. # TCP/UDP port format (LAN_INPUT_HOST_OPEN_xxx):
  565. # "host1,host2~port1,port2 host3,host4~port3,port4 ..."
  566. #
  567. # IP protocol format (LAN_INPUT_HOST_OPEN_xxx):
  568. # "host1,host2~proto1,proto2 host3,host4~proto3,proto4 ..."
  569. # -----------------------------------------------------------------------------
  570. LAN_HOST_OPEN_TCP=""
  571. LAN_HOST_OPEN_UDP=""
  572. LAN_HOST_OPEN_IP=""
  573. # Put in the following variables the TCP/UDP ports or IP protocols TO (remote
  574. # end-point) which certain LAN hosts are NOT permitted to connect to.
  575. #
  576. # TCP/UDP port format (LAN_INPUT_HOST_DENY_xxx):
  577. # "host1,host2~port1,port2 host3,host4~port3,port4 ..."
  578. #
  579. # IP protocol format (LAN_INPUT_HOST_DENY_xxx):
  580. # "host1,host2~proto1,proto2 host3,host4~proto3,proto4 ..."
  581. # -----------------------------------------------------------------------------
  582. LAN_HOST_DENY_TCP=""
  583. LAN_HOST_DENY_UDP=""
  584. LAN_HOST_DENY_IP=""
  585. ###############################################################################
  586. # LAN_INET_xxx = LAN->internet access rules (forward) #
  587. # #
  588. # Note that when the LAN_INET_OPEN_xxx & LAN_INET_HOST_OPEN_xxx variables are #
  589. # NOT used, the default policy will be accept for LAN->INET (unless denied #
  590. # through LAN_INET_DENY_xxx and/or LAN_INET_HOST_DENY_xxx)! #
  591. ###############################################################################
  592. # Disable this (set to "") to automatically set default policy as above.
  593. # When set to "1" the LAN->INET default policy will always be DROP
  594. # When set to "0" the LAN->INET default policy will always be ACCEPT
  595. # -----------------------------------------------------------------------------
  596. LAN_INET_DEFAULT_POLICY_DROP=""
  597. # Enable this to allow for ICMP-requests(ping) for LAN->INET
  598. # -----------------------------------------------------------------------------
  599. LAN_INET_OPEN_ICMP=1
  600. # Put in the following variables the TCP/UDP ports or IP
  601. # protocols TO (remote end-point) which the LAN hosts are
  602. # permitted to connect to via the external (internet) interface.
  603. # -----------------------------------------------------------------------------
  604. LAN_INET_OPEN_TCP=""
  605. LAN_INET_OPEN_UDP=""
  606. LAN_INET_OPEN_IP=""
  607. # Put in the following variables the TCP/UDP ports or IP protocols TO (remote
  608. # end-point) which the LAN hosts are NOT permitted to connect to
  609. # via the external (internet) interface. Examples of usage are for blocking
  610. # IRC (TCP 6666:6669) for the internal network.
  611. # -----------------------------------------------------------------------------
  612. LAN_INET_DENY_TCP=""
  613. LAN_INET_DENY_UDP=""
  614. LAN_INET_DENY_IP=""
  615. # Put in the following variables which LAN hosts you want to allow to certain
  616. # hosts/services on the internet. By default all services are allowed.
  617. #
  618. # TCP/UDP form:
  619. # "SRCIP1,SRCIP2,...>DESTIP1~port \
  620. # SRCIP3,...>DESTIP2~port"
  621. #
  622. # IP form:
  623. # "SRCIP1,SRCIP2,...>DESTIP1~protocol \
  624. # SRCIP3,...>DESTIP2~protocol"
  625. #
  626. # TCP/UDP examples:
  627. # Simple:
  628. # (Allow port 80 on INET host 1.2.3.4 for all LAN hosts(0/0)):
  629. # LAN_INET_HOST_OPEN_xxx="0/0>1.2.3.4~80"
  630. # Advanced:
  631. # (Allow port 20 & 21 on INET host 1.2.3.4 for all LAN hosts(0/0) and
  632. # allow port 80 on INET host 1.2.3.4 for LAN host 192.168.0.10 (only)):
  633. # LAN_INET_HOST_OPEN_xxx="0/0>1.2.3.4~20,21 192.168.0.10>80"
  634. #
  635. # IP protocol example:
  636. # (Allow protocols 47 & 48 on INET host 1.2.3.4 for all LAN hosts(0/0))
  637. # LAN_INET_HOST_OPEN_IP="0/0>1.2.3.4~47,48"
  638. #
  639. # NOTE 1: If no SRCIPx is specified, any source host is used
  640. # NOTE 2: If no port is specified, any port is used
  641. # -----------------------------------------------------------------------------
  642. LAN_INET_HOST_OPEN_TCP=""
  643. LAN_INET_HOST_OPEN_UDP=""
  644. LAN_INET_HOST_OPEN_IP=""
  645. # Put in the following variables which DMZ hosts you want to deny to certain
  646. # hosts/services on the internet.
  647. #
  648. # TCP/UDP form:
  649. # "SRCIP1,SRCIP2,...>DESTIP1~port \
  650. # SRCIP3,...>DESTIP2~port"
  651. #
  652. # IP form:
  653. # "SRCIP1,SRCIP2,...>DESTIP1~protocol \
  654. # SRCIP3,...>DESTIP2~protocol"
  655. #
  656. # TCP/UDP examples:
  657. # Simple (Deny port 80 on INET host 1.2.3.4 for all LAN hosts(0/0)):
  658. # LAN_INET_HOST_DENY_xxx="0/0>1.2.3.4~80"
  659. # Advanced (Deny port 20 & 21 on INET host 1.2.3.4 for all LAN hosts(0/0) and
  660. # deny port 80 on INET host 1.2.3.4 for LAN host 192.168.0.10 (only)):
  661. # LAN_INET_HOST_DENY_xxx="0/0>1.2.3.4~20,21 192.168.0.10>1.2.3.4~80"
  662. #
  663. # IP protocol example:
  664. # (Deny protocols 47 & 48 on INET host 1.2.3.4 for all LAN hosts(0/0)):
  665. # LAN_INET_HOST_DENY_IP="0/0>1.2.3.4~47,48"
  666. #
  667. # NOTE 1: If no SRCIPx is specified, any source host is used
  668. # NOTE 2: If no port is specified, any port is used
  669. # -----------------------------------------------------------------------------
  670. LAN_INET_HOST_DENY_TCP=""
  671. LAN_INET_HOST_DENY_UDP=""
  672. LAN_INET_HOST_DENY_IP=""
  673. ###############################################################################
  674. # Firewall policies for the DMZ (EXPERT SETTINGS!) #
  675. ###############################################################################
  676. ###############################################################################
  677. # DMZ_xxx = DMZ->localhost(this machine) input access rules #
  678. ###############################################################################
  679. # Enable this to allow ICMP-requests(ping) from the DMZ
  680. # -----------------------------------------------------------------------------
  681. DMZ_OPEN_ICMP=1
  682. # Put in the following variables which DMZ hosts are permitted to connect to
  683. # certain the TCP/UDP ports, IP protocols or ICMP. By default all (local)
  684. # services are blocked for DMZ hosts.
  685. # -----------------------------------------------------------------------------
  686. DMZ_OPEN_TCP=""
  687. DMZ_OPEN_UDP=""
  688. DMZ_OPEN_IP=""
  689. # Put in the following variables which DMZ hosts you want to allow for certain
  690. # services. By default all (local) services are blocked for DMZ hosts.
  691. # TCP/UDP port format (DMZ_HOST_OPEN_TCP & DMZ_HOST_OPEN_UDP):
  692. # "host1,host2~port1,port2 host3,host4~port3,port4 ..."
  693. #
  694. # IP protocol format (DMZ_HOST_OPEN_IP):
  695. # "host1,host2~proto1,proto2 host3,host4~proto3,proto4 ..."
  696. # -----------------------------------------------------------------------------
  697. DMZ_HOST_OPEN_TCP=""
  698. DMZ_HOST_OPEN_UDP=""
  699. DMZ_HOST_OPEN_IP=""
  700. ###############################################################################
  701. # INET_DMZ_xxx = Internet->DMZ access rules (forward) #
  702. # #
  703. # Note: As of Version 2.0.0 the default policy has changed to DROP #
  704. # Previous to Version 2.0.0 the default policy was ACCEPT #
  705. ###############################################################################
  706. # Enable this to make the default policy allow for ICMP(ping) for INET->DMZ
  707. # -----------------------------------------------------------------------------
  708. INET_DMZ_OPEN_ICMP=0
  709. # Put in the following variables which INET hosts are permitted to connect to
  710. # certain the TCP/UDP ports or IP protocols in the DMZ.
  711. # -----------------------------------------------------------------------------
  712. INET_DMZ_OPEN_TCP=""
  713. INET_DMZ_OPEN_UDP=""
  714. INET_DMZ_OPEN_IP=""
  715. # Put in the following variables which INET hosts are NOT permitted to connect
  716. # to certain the TCP/UDP ports or IP protocols in the DMZ.
  717. # -----------------------------------------------------------------------------
  718. INET_DMZ_DENY_TCP=""
  719. INET_DMZ_DENY_UDP=""
  720. INET_DMZ_DENY_IP=""
  721. # Put in the following variables which INET hosts you want to allow to certain
  722. # hosts/services on the DMZ net. By default all services are dropped.
  723. #
  724. # TCP/UDP form:
  725. # "SRCIP1,SRCIP2,...>DESTIP1~port \
  726. # SRCIP3,...>DESTIP2~port"
  727. #
  728. # IP form:
  729. # "SRCIP1,SRCIP2,...>DESTIP1~protocol \
  730. # SRCIP3,...>DESTIP2~protocol"
  731. #
  732. # TCP/UDP examples:
  733. # Simple (Allow port 80 on DMZ host 1.2.3.4 for all INET hosts(0/0)):
  734. # INET_DMZ_HOST_OPEN_xxx="0/0>1.2.3.4~80"
  735. # Advanced (Allow port 20 & 21 on DMZ host 1.2.3.4 for all INET hosts(0/0) and
  736. # allow port 80 on DMZ host 1.2.3.4 for INET host 5.6.7.8 (only)):
  737. # INET_DMZ_HOST_OPEN_xxx="0/0>1.2.3.4~20,21 5.6.7.8>1.2.3.4~80"
  738. #
  739. # IP protocol example:
  740. # (Allow protocols 47 & 48 on INET host 1.2.3.4 for all DMZ hosts )
  741. # INET_DMZ_HOST_OPEN_IP="0/0>1.2.3.4~47,48"
  742. #
  743. # NOTE 1: If no SRCIPx is specified, any source host is used
  744. # NOTE 2: If no port is specified, any port is used
  745. # -----------------------------------------------------------------------------
  746. INET_DMZ_HOST_OPEN_TCP=""
  747. INET_DMZ_HOST_OPEN_UDP=""
  748. INET_DMZ_HOST_OPEN_IP=""
  749. # Put in the following variables which INET hosts you want to deny to certain
  750. # hosts/services on the DMZ net.
  751. #
  752. # TCP/UDP form:
  753. # "SRCIP1,SRCIP2,...>DESTIP1~port \
  754. # SRCIP3,...>DESTIP2~port"
  755. #
  756. # IP form:
  757. # "SRCIP1,SRCIP2,...>DESTIP1~protocol \
  758. # SRCIP3,...>DESTIP2~protocol"
  759. #
  760. # TCP/UDP examples:
  761. # Simple (Deny port 80 on DMZ host 1.2.3.4 for all INET hosts(0/0)):
  762. # INET_DMZ_HOST_DENY_xxx="0/0>1.2.3.4~80"
  763. # Advanced (Deny port 20 & 21 on DMZ host 1.2.3.4 for all INET hosts(0/0) and
  764. # deny port 80 on DMZ host 1.2.3.4 for INET host 5.6.7.8 (only)):
  765. # INET_DMZ_HOST_DENY_xxx="0/0>1.2.3.4~20,21 5.6.7.8>1.2.3.4~80"
  766. #
  767. # IP protocol example:
  768. # (Deny protocols 47 & 48 on DMZ host 1.2.3.4 for all INET hosts):
  769. # INET_DMZ_HOST_DENY_IP="0/0>1.2.3.4~47,48"
  770. #
  771. # NOTE 1: If no SRCIPx is specified, any source host is used
  772. # NOTE 2: If no port is specified, any port is used
  773. # -----------------------------------------------------------------------------
  774. INET_DMZ_HOST_DENY_TCP=""
  775. INET_DMZ_HOST_DENY_UDP=""
  776. INET_DMZ_HOST_DENY_IP=""
  777. ###############################################################################
  778. # DMZ_INET_xxx = DMZ->internet access rules (forward) #
  779. # #
  780. # Note that when the DMZ_INET_OPEN_xxx & DMZ_INET_HOST_OPEN_xxx variables are #
  781. # NOT used, the default policy will be accept for DMZ->INET (unless denied #
  782. # through DMZ_INET_DENY_xxx and/or DMZ_INET_HOST_DENY_xxx)! #
  783. ###############################################################################
  784. # Disable this (set to "") to automatically set default policy as above.
  785. # When set to "1" the DMZ->INET default policy will always be DROP
  786. # When set to "0" the DMZ->INET default policy will always be ACCEPT
  787. # -----------------------------------------------------------------------------
  788. DMZ_INET_DEFAULT_POLICY_DROP=""
  789. # Enable this to make the default policy allow for ICMP(ping) for DMZ->INET
  790. # -----------------------------------------------------------------------------
  791. DMZ_INET_OPEN_ICMP=1
  792. # Put in the following variables the TCP/UDP ports or IP
  793. # protocols TO (remote end-point) which the DMZ hosts are
  794. # permitted to connect to via the external (internet) interface.
  795. # -----------------------------------------------------------------------------
  796. DMZ_INET_OPEN_TCP=""
  797. DMZ_INET_OPEN_UDP=""
  798. DMZ_INET_OPEN_IP=""
  799. # Put in the following variables the TCP/UDP ports or IP protocols TO (remote
  800. # end-point) which the DMZ hosts are NOT permitted to connect to
  801. # via the external (internet) interface. Examples of usage are for blocking
  802. # IRC (TCP 6666:6669) for the internal network.
  803. # -----------------------------------------------------------------------------
  804. DMZ_INET_DENY_TCP=""
  805. DMZ_INET_DENY_UDP=""
  806. DMZ_INET_DENY_IP=""
  807. # Put in the following variables which DMZ hosts you want to allow to certain
  808. # hosts/services on the internet. By default all services are allowed.
  809. #
  810. # TCP/UDP form:
  811. # "SRCIP1,SRCIP2,...>DESTIP1~port \
  812. # SRCIP3,...>DESTIP2~port"
  813. #
  814. # IP form:
  815. # "SRCIP1,SRCIP2,...>DESTIP1~protocol \
  816. # SRCIP3,...>DESTIP2~sprotocol"
  817. #
  818. # TCP/UDP examples:
  819. # Simple (Allow port 80 on INET host 1.2.3.4 for all DMZ hosts(0/0)):
  820. # DMZ_INET_HOST_OPEN_xxx="0/0>1.2.3.4~80"
  821. # Advanced (Allow port 20 & 21 on INET host 1.2.3.4 for all DMZ hosts(0/0) and
  822. # allow port 80 on INET host 1.2.3.4 for DMZ host 5.6.7.8 (only)):
  823. # DMZ_INET_HOST_OPEN_xxx="0/0>1.2.3.4~20,21 5.6.7.8>1.2.3.4~80"
  824. #
  825. # IP protocol example:
  826. # (Allow protocols 47 & 48 on INET host 1.2.3.4 for all DMZ hosts):
  827. # DMZ_INET_HOST_OPEN_IP="0/0>1.2.3.4~47,48"
  828. #
  829. # NOTE 1: If no SRCIPx is specified, any source host is used
  830. # NOTE 2: If no port is specified, any port is used
  831. # -----------------------------------------------------------------------------
  832. DMZ_INET_HOST_OPEN_TCP=""
  833. DMZ_INET_HOST_OPEN_UDP=""
  834. DMZ_INET_HOST_OPEN_IP=""
  835. # Put in the following variables which DMZ hosts you want to deny to certain
  836. # hosts/services on the internet.
  837. #
  838. # TCP/UDP form:
  839. # "SRCIP1,SRCIP2,...>DESTIP1~port \
  840. # SRCIP3,...>DESTIP2~port"
  841. #
  842. # IP form:
  843. # "SRCIP1,SRCIP2,...>DESTIP1~protocol \
  844. # SRCIP3,...>DESTIP2~protocol"
  845. #
  846. # TCP/UDP examples:
  847. # Simple (Deny port 80 on INET host 1.2.3.4 for all DMZ hosts(0/0)):
  848. # DMZ_INET_HOST_DENY_xxx="0/0>1.2.3.4~80"
  849. # Advanced (Deny port 20 & 21 on INET host 1.2.3.4 for all DMZ hosts(0/0) and
  850. # deny port 80 on INET host 1.2.3.4 for DMZ host 5.6.7.8 (only)):
  851. # DMZ_INET_HOST_DENY_xxx="0/0>1.2.3.4~20,21 5.6.7.8>1.2.3.4~80"
  852. #
  853. # IP protocol example:
  854. # (Deny protocols 47 & 48 on INET host 1.2.3.4 for all DMZ hosts(0/0)):
  855. # DMZ_INET_HOST_DENY_IP="0/0>1.2.3.4:47,48"
  856. #
  857. # NOTE 1: If no SRCIPx is specified, any source host is used
  858. # NOTE 2: If no port is specified, any port is used
  859. # -----------------------------------------------------------------------------
  860. DMZ_INET_HOST_DENY_TCP=""
  861. DMZ_INET_HOST_DENY_UDP=""
  862. DMZ_INET_HOST_DENY_IP=""
  863. ###############################################################################
  864. # DMZ_LAN_xxx = DMZ->LAN access rules (forward) #
  865. ###############################################################################
  866. # Enable this to make the default policy allow for ICMP(ping) for DMZ->LAN
  867. # -----------------------------------------------------------------------------
  868. DMZ_LAN_OPEN_ICMP=0
  869. # Put in the following variables which DMZ hosts you want to allow to certain
  870. # hosts/services on the LAN (net).
  871. #
  872. # TCP/UDP form:
  873. # "SRCIP1,SRCIP2,...>DESTIP1~port \
  874. # SRCIP3,...>DESTIP2~port"
  875. #
  876. # IP form:
  877. # "SRCIP1,SRCIP2,...>DESTIP1~protocol \
  878. # SRCIP3,...>DESTIP2~protocol"
  879. #
  880. # TCP/UDP examples:
  881. # Simple (Allow port 80 on LAN host 1.2.3.4 for all DMZ hosts(0/0)):
  882. # DMZ_LAN_HOST_OPEN_xxx="0/0>1.2.3.4~80"
  883. # Advanced (Allow port 20 & 21 on LAN host 1.2.3.4 for all DMZ hosts (0/0) and
  884. # allow port 80 for DMZ host 5.6.7.8 (only) on LAN host
  885. # 1.2.3.4):
  886. # DMZ_LAN_HOST_OPEN_xxx="0/0>1.2.3.4~20,21 5.6.7.8>1.2.3.4~80"
  887. #
  888. # IP protocol example:
  889. # (Allow protocols 47 & 48 on LAN host 1.2.3.4 for all DMZ hosts(0/0)):
  890. # DMZ_LAN_HOST_OPEN_IP="0/0>1.2.3.4~47,48"
  891. #
  892. # NOTE 1: If no SRCIPx is specified, any source host is used
  893. # NOTE 2: If no port is specified, any port is used
  894. # -----------------------------------------------------------------------------
  895. DMZ_LAN_HOST_OPEN_TCP=""
  896. DMZ_LAN_HOST_OPEN_UDP=""
  897. DMZ_LAN_HOST_OPEN_IP=""
  898. ###############################################################################
  899. # Firewall policies for the external (inet) interface (default policy = drop) #
  900. ###############################################################################
  901. # Put in the following variable which hosts (subnets) you want have full access
  902. # via your internet (EXT_IF) connection(!). This is especially meant for
  903. # networks/servers which use NIS/NFS, as these protocols require all ports
  904. # to be open.
  905. # NOTE: Don't mistake this variable with the one used for internal nets.
  906. # -----------------------------------------------------------------------------
  907. FULL_ACCESS_HOSTS=""
  908. # Put in the following variable which TCP/UDP ports you don't want to
  909. # see broadcasts from (eg. DHCP (67/68) on your EXTERNAL interface. Note that
  910. # to make this properly work you also need to set "EXTERNAL_NET"!
  911. # -----------------------------------------------------------------------------
  912. BROADCAST_TCP_NOLOG=""
  913. #BROADCAST_UDP_NOLOG="67 68"
  914. # Put in the following variables which hosts you want to allow for certain
  915. # services.
  916. # TCP/UDP port format (HOST_OPEN_TCP & HOST_OPEN_UDP):
  917. # "host1,host2~port1,port2 host3,host4~port3,port4 ..."
  918. #
  919. # IP protocol format (HOST_OPEN_IP):
  920. # "host1,host2~proto1,proto2 host3,host4~proto4,proto4 ..."
  921. #
  922. # ICMP protocol format (HOST_OPEN_ICMP):
  923. # "host1 host2 ...."
  924. # -----------------------------------------------------------------------------
  925. HOST_OPEN_TCP=""
  926. HOST_OPEN_UDP=""
  927. HOST_OPEN_IP=""
  928. HOST_OPEN_ICMP=""
  929. # Put in the following variables which hosts you want to DENY(DROP) for certain
  930. # services (and logged).
  931. # to DENY(DROP) for certain hosts.
  932. # TCP/UDP port format (HOST_DENY_TCP & HOST_DENY_UDP):
  933. # "host1,host2~port1,port2 host3,host4~port3,port4 ..."
  934. #
  935. # IP protocol format (HOST_DENY_IP):
  936. # "host1,host2~proto1,proto2 host3,host4~proto4,proto4 ..."
  937. #
  938. # ICMP protocol format (HOST_DENY_ICMP):
  939. # "host1 host2 ...."
  940. # -----------------------------------------------------------------------------
  941. HOST_DENY_TCP=""
  942. HOST_DENY_UDP=""
  943. HOST_DENY_IP=""
  944. HOST_DENY_ICMP=""
  945. # Put in the following variables which hosts you want to DENY(DROP) for certain
  946. # services but NOT logged.
  947. # TCP/UDP port format (HOST_DENY_xxx_NOLOG):
  948. # "host1,host2~port1,port2 host3,host4~port3,port4 ..."
  949. #
  950. # IP protocol format (HOST_DENY_IP_NOLOG):
  951. # "host1,host2~proto1,proto2 host3,host4~proto4,proto4 ..."
  952. #
  953. # ICMP protocol format (HOST_DENY_ICMP_NOLOG):
  954. # "host1 host2 ...."
  955. # -----------------------------------------------------------------------------
  956. HOST_DENY_TCP_NOLOG=""
  957. HOST_DENY_UDP_NOLOG=""
  958. HOST_DENY_IP_NOLOG=""
  959. HOST_DENY_ICMP_NOLOG=""
  960. # Put in the following variables which hosts you want to REJECT (instead of
  961. # DROP) for certain TCP/UDP ports.
  962. # TCP/UDP port format (HOST_REJECT_xxx):
  963. # "host1,host2~port1,port2 host3,host4~port3,port4 ..."
  964. # -----------------------------------------------------------------------------
  965. HOST_REJECT_TCP=""
  966. HOST_REJECT_UDP=""
  967. # Put in the following variables which hosts you want to REJECT (instead of
  968. # DROP) for certain services but NOT logged.
  969. # TCP/UDP port format (HOST_REJECT_xxx_NOLOG):
  970. # "host1,host2~port1,port2 host3,host4~port3,port4 ..."
  971. # -----------------------------------------------------------------------------
  972. HOST_REJECT_TCP_NOLOG=""
  973. HOST_REJECT_UDP_NOLOG=""
  974. # Put in the following variables which services THIS machine is NOT
  975. # permitted to connect TO (remote end-point) via the external (internet)
  976. # interface. For example for blocking IRC (tcp 6666:6669).
  977. # -----------------------------------------------------------------------------
  978. DENY_TCP_OUTPUT=""
  979. DENY_UDP_OUTPUT=""
  980. DENY_IP_OUTPUT=""
  981. # Put in the following variables to which hosts THIS machine is NOT
  982. # permitted to connect TO for certain services (remote end-point)
  983. # via the external (internet) interface. In principle you can also
  984. # use this to put your machine in a "virtual-DMZ" by blocking all traffic
  985. # to your local subnet.
  986. # TCP/UDP port format (HOST_DENY_TCP_OUTPUT & HOST_DENY_UDP_OUTPUT):
  987. # "host1,host2~port1,port2 host3,host4~port3,port4 ..."
  988. #
  989. # IP protocol format (HOST_DENY_IP_OUTPUT):
  990. # "host1,host2~proto1,proto2 host3,host4~proto4,proto4 ..."
  991. # -----------------------------------------------------------------------------
  992. HOST_DENY_TCP_OUTPUT=""
  993. HOST_DENY_UDP_OUTPUT=""
  994. HOST_DENY_IP_OUTPUT=""
  995. # Enable (1) to make the default policy allow for IPv4 ICMP (ping) for INET access
  996. # Note: Other ICMP variables apply to both IPv4 and IPv6 unless otherwise noted.
  997. # -----------------------------------------------------------------------------
  998. OPEN_ICMP=0
  999. # Disable (0) to make the default policy drop IPv6 ICMPv6 for INET access
  1000. # Note: Other ICMP variables apply to both IPv4 and IPv6 unless otherwise noted.
  1001. # -----------------------------------------------------------------------------
  1002. OPEN_ICMPV6=0
  1003. # Put in the following variables which ports or IP protocols you want to leave
  1004. # open to the whole world.
  1005. # -----------------------------------------------------------------------------
  1006. OPEN_TCP="************************************"
  1007. OPEN_UDP="*********************************"
  1008. OPEN_IP=""
  1009. # Put in the following variables the TCP/UDP ports you want to DENY(DROP) for
  1010. # everyone (and logged). Also use these variables if you want to log connection
  1011. # attempts to these ports from everyone (also trusted/full access hosts).
  1012. # In principle you don't need these variables, as everything is already blocked
  1013. # (denied) by default, but just exists for consistency.
  1014. # -----------------------------------------------------------------------------
  1015. DENY_TCP=""
  1016. DENY_UDP=""
  1017. # Put in the following variables which ports you want to DENY(DROP) for
  1018. # everyone but NOT logged. This is very useful if you have constant probes on
  1019. # the same port(s) over and over again (code red worm) and don't want your logs
  1020. # flooded with it.
  1021. # -----------------------------------------------------------------------------
  1022. DENY_TCP_NOLOG=""
  1023. DENY_UDP_NOLOG=""
  1024. # Put in the following variables the TCP/UDP ports you want to REJECT (instead
  1025. # of DROP) for everyone (and logged).
  1026. # -----------------------------------------------------------------------------
  1027. REJECT_TCP=""
  1028. REJECT_UDP=""
  1029. # Put in the following variables the TCP/UDP ports you want to REJECT (instead
  1030. # of DROP) for everyone but NOT logged.
  1031. # -----------------------------------------------------------------------------
  1032. REJECT_TCP_NOLOG=""
  1033. REJECT_UDP_NOLOG=""
  1034. # Put in the following variable which hosts you want to block (blackhole,
  1035. # dropping every packet from the host).
  1036. # -----------------------------------------------------------------------------
  1037. BLOCK_HOSTS=""
  1038. # Blocked Hosts are by default blocked in both Inbound and Outbound directions.
  1039. # If only Inbound blocking is desired, set to 0 to disable bidirectional blocking.
  1040. # -----------------------------------------------------------------------------
  1041. BLOCK_HOSTS_BIDIRECTIONAL=1
  1042. # Uncomment & specify here the location of the file that contains a list of
  1043. # hosts(IPs) that should be BLOCKED. IP ranges can (only) be specified as
  1044. # w.x.y.z1-z2 (eg. 192.168.1.10-15). Note that the last line of this file
  1045. # should always contain a carriage-return (enter)!
  1046. # -----------------------------------------------------------------------------
  1047. #BLOCK_HOSTS_FILE="/etc/arno-iptables-firewall/blocked-hosts"
Comments powered by Disqus