Firewall-SOSDG/include/static

101 lines
3.7 KiB
Plaintext
Raw Permalink Normal View History

#!/bin/bash
2010-08-21 20:19:28 -06:00
# By Brielle Bruns <bruns@2mbit.com>
# URL: http://www.sosdg.org/freestuff/firewall
# License: GPLv3
#
# Copyright (C) 2009 - 2010 Brielle Bruns
# Copyright (C) 2009 - 2010 The Summit Open Source Development Group
#
# This program is free software: you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation, either version 3 of the License, or
# (at your option) any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
# You should have received a copy of the GNU General Public License
# along with this program. If not, see <http://www.gnu.org/licenses/>.
#
#
# This file defines static variables that we will be using. Normally, you
2011-02-18 13:20:55 -07:00
# should not be needing to edit these. You can override them in your options
# file easily, thus avoiding problems with overwriting settings during upgrades.
# You should always make sure this file is from the most recent firewall package,
# as missing variables here could foul up the firewall's ability to setup rules
# correctly.
2010-08-21 20:19:28 -06:00
2010-08-25 12:00:48 -06:00
# These defines are here to help pre-1.0 users easily upgrade, defines critical defaults
# that would otherwise require remaking their options file. I leave this on by default,
# but if you want to make sure you have a current options file, define this to 0.
2010-10-06 12:54:05 -06:00
if [[ "$COMPAT_CONFIG" == "1" ]]; then
2010-08-25 12:00:48 -06:00
MODPROBE=`which modprobe`
PRERUN="$BASEDIR/prerun"
POSTRUN="$BASEDIR/postrun"
2010-08-25 12:00:48 -06:00
fi
2010-08-29 17:33:54 -06:00
2010-08-21 20:19:28 -06:00
# ANSI color sequences
BLUE="\E[34m"
GREEN="\E[32m"
RED="\E[31m"
YELLOW="\E[33m"
PURPLE="\E[35m"
AQUA="\E[36m"
WHITE="\E[1m"
GREY="\E[37m"
2010-08-25 11:43:57 -06:00
DEFAULT_COLOR="\E[39m"
# Module names that we may need to load
MOD_U32="xt_u32"
# Location of the ipv4 network conf in proc
2010-09-26 13:45:51 -06:00
PROC_NET_IPV4="/proc/sys/net/ipv4/conf"
2010-09-26 15:13:54 -06:00
# Multiport options - override in options
NF_MULTIPORT="xt_multiport"
2010-09-29 17:04:48 -06:00
NF_MULTIPORT_MAX_PORTS="7"
# RFC 1918 Space
RFC1918_SPACE="192.168.0.0/16 172.16.0.0/12 10.0.0.0/8"
# By default, use conntrack instead of state
STATE_TYPE="conntrack"
2010-11-25 20:13:46 -07:00
# Auto detect multiport
IPTABLES_MULTIPORT=auto
# Where we store output of cached rules
RULE_CACHE=$BASEDIR/cache/ipt-rules
RULE_CACHE_V6=$BASEDIR/cache/ipt6-rules
EXTIP="auto"
2010-12-18 15:30:57 -07:00
EXTIF="eth0"
EXTIF_FIND="$BASEDIR/bin/get_default_if"
2010-12-18 15:30:57 -07:00
EXTIP_FIND="$BASEDIR/bin/get_default_ip"
2011-02-12 13:20:11 -07:00
# By default, we allow ipv6 critical icmp
IPV6_ICMP_CRITICAL=1
2011-02-18 10:53:36 -07:00
# IPv4 and IPv6 regex matches to determine if entry is valid. These may need
# to be tweaked over time. At the moment, we use by default the pattern here:
# http://stackoverflow.com/questions/53497/regular-expression-that-matches-valid-ipv6-addresses
IPV4_MATCH="(?:(?>(?>([a-f0-9]{1,4})(?>:(?1)){7})|(?>(?!(?:.*[a-f0-9](?>:|$)){8,})((?1)(?>:(?1)){0,6})?::(?2)?))|(?>(?>(?>(?1)(?>:(?1)){5}:)|(?>(?!(?:.*[a-f0-9]:){6,})((?1)(?>:(?1)){0,4})?::(?>(?3):)?))?(25[0-5]|2[0-4][0-9]|1[0-9]{2}|[1-9]?[0-9])(?>\.(?4)){3}))"
IPV6_MATCH="(?:(?>(?>([a-f0-9]{1,4})(?>:(?1)){7})|(?>(?!(?:.*[a-f0-9](?>:|$)){8,})((?1)(?>:(?1)){0,6})?::(?2)?))|(?>(?>(?>(?1)(?>:(?1)){5}:)|(?>(?!(?:.*[a-f0-9]:){6,})((?1)(?>:(?1)){0,4})?::(?>(?3):)?))?(25[0-5]|2[0-4][0-9]|1[0-9]{2}|[1-9]?[0-9])(?>\.(?4)){3}))"
2011-02-18 10:53:36 -07:00
# At the moment I don't have a valid way of verifying ranges within a certain constraint (ie /0 through /32)
# If anyone wants to write these, feel free to!
IPV4_NETMASK_MATCH=""
IPV6_NETMASK_MATCH=""
# Default policies for IPv4 and IPv6. Make these ACCEPT by default, except for FORWARD,
# since one wrong configuration can lock someone out.
2011-02-18 13:17:13 -07:00
IPV4_PINPUT=ACCEPT
IPV4_POUTPUT=ACCEPT
IPV4_PFORWARD=DROP
IPV6_PINPUT=ACCEPT
IPV6_POUTPUT=ACCEPT
IPV6_PFORWARD=DROP