2010-08-26 15:49:16 -06:00
|
|
|
# Config file version. Don't change this. Will be used some day to
|
|
|
|
# figure out if we need to alert the user that they need to redo their
|
|
|
|
# config file.
|
|
|
|
CONFIG_VERSION=0.9
|
|
|
|
|
2009-08-13 14:40:41 -06:00
|
|
|
# This is for testing purposes.
|
|
|
|
IPTABLES=/bin/true
|
|
|
|
IP6TABLES=/bin/true
|
2009-08-13 13:53:20 -06:00
|
|
|
|
2009-08-13 14:40:41 -06:00
|
|
|
# Uncomment below to actually activate firewall
|
|
|
|
#IPTABLES=/sbin/iptables
|
|
|
|
#IP6TABLES=/sbin/ip6tables
|
|
|
|
|
2010-08-25 11:43:57 -06:00
|
|
|
#This is important for loading kernel modules
|
|
|
|
MODPROBE=/sbin/modprobe
|
|
|
|
|
2009-08-13 17:21:17 -06:00
|
|
|
# Don't forget to rename this file to 'options'!
|
|
|
|
|
2009-08-13 14:40:41 -06:00
|
|
|
# I'm trying to make this config as simple as possible. Comment out
|
|
|
|
# options you don't want to use, uncomment them to use them.
|
|
|
|
|
|
|
|
# Do we want NAT/Conntrack/Forward features?
|
2010-08-23 19:35:36 -06:00
|
|
|
#NAT=1
|
|
|
|
#CONNTRACK=1
|
|
|
|
#FORWARD=1
|
2009-08-13 14:40:41 -06:00
|
|
|
|
|
|
|
# Blocking incoming connections by default?
|
2010-08-27 15:09:51 -06:00
|
|
|
#BLOCKINCOMING=1
|
2009-08-13 14:40:41 -06:00
|
|
|
|
|
|
|
# Clamp MSS, useful on DSL/VPN links
|
2010-05-15 11:07:40 -06:00
|
|
|
# Space separated list of interfaces to apply this on
|
|
|
|
#CLAMPMSS="ppp0 eth0"
|
2009-08-13 13:53:20 -06:00
|
|
|
|
2009-08-13 15:12:04 -06:00
|
|
|
# Do we run a LAN DHCP server?
|
2009-11-16 13:39:19 -07:00
|
|
|
#LANDHCPSERVER=1
|
|
|
|
|
|
|
|
# Internal Interface
|
|
|
|
#INTINF=ppp+
|
2009-08-13 15:12:04 -06:00
|
|
|
|
2009-08-13 14:40:41 -06:00
|
|
|
# Port forwardings, requires NAT
|
2010-08-27 15:09:51 -06:00
|
|
|
#PORTFW=$BASEDIR/port-forwards
|
2009-08-13 13:53:20 -06:00
|
|
|
|
2009-08-13 14:40:41 -06:00
|
|
|
# TCP/UDP/Protocol to allow
|
2009-08-13 13:53:20 -06:00
|
|
|
TCPPORTS="20 21 22 53 80 113 123 443"
|
|
|
|
UDPPORTS="53"
|
2009-08-13 14:40:41 -06:00
|
|
|
|
|
|
|
# common protocols to allow include ipsec, gre, and ipv6
|
|
|
|
ALLOWEDPROTO="41 47 50 51"
|
|
|
|
|
|
|
|
# IPs that are allowed to bypass firewall
|
2009-08-13 13:53:20 -06:00
|
|
|
TRUSTEDIP="127.0.0.1"
|
2009-08-13 14:40:41 -06:00
|
|
|
|
|
|
|
# Don't track these IPs, useful in some occasions. Don't
|
|
|
|
# use otherwise.
|
2009-08-13 13:53:20 -06:00
|
|
|
DONTTRACK="127.0.0.1"
|
2009-08-13 14:40:41 -06:00
|
|
|
|
|
|
|
# IP range(s) to forward
|
2009-08-13 15:56:21 -06:00
|
|
|
ROUTING=$BASEDIR/ipv4-routing
|
2009-08-13 14:40:41 -06:00
|
|
|
|
2010-09-22 20:17:08 -06:00
|
|
|
# Mark ipv4 packets for advanced purposes
|
|
|
|
IPv4_MARK=$BASEDIR/ipv4-marks
|
2010-08-23 19:35:36 -06:00
|
|
|
|
|
|
|
# Hacks to either block specific kinds of attacks or fix problems
|
|
|
|
#
|
2010-09-24 18:29:17 -06:00
|
|
|
# NS-IN-DDOS - Block DNS DDoS using NS/IN spoof, see:
|
2010-08-23 19:35:36 -06:00
|
|
|
# http://www.stupendous.net/archives/2009/01/24/dropping-spurious-nsin-recursive-queries/
|
2010-09-24 18:29:17 -06:00
|
|
|
#
|
|
|
|
# MULTI-NIC-ARP-LOCK - By default, in Linux, arp requests may be answered by interfaces that
|
|
|
|
# do not actually have the IP in question. In some (alot in my case),
|
|
|
|
# I have things going through specific wires for a reason. This fixes
|
|
|
|
# that and makes it behave as expected.
|
2010-08-23 19:35:36 -06:00
|
|
|
#
|
|
|
|
HACK_IPV4="NS-IN-DDOS"
|
|
|
|
|
|
|
|
|
2010-08-21 10:54:46 -06:00
|
|
|
#==============
|
|
|
|
# Obsolete - DO NOT USE ANYMORE. Will be removed in 1.0
|
2009-08-13 14:40:41 -06:00
|
|
|
# IP ranges(s) to NAT using SNAT.
|
2010-08-21 10:54:46 -06:00
|
|
|
#NATRANGE="192.168.1.0/24"
|
2009-08-13 14:40:41 -06:00
|
|
|
# External IP and interface for SNAT
|
2010-08-21 10:54:46 -06:00
|
|
|
#NATEXTIP="172.16.1.1"
|
|
|
|
#NATEXTIF="eth0"
|
|
|
|
#==============
|
|
|
|
|
|
|
|
# IP NAT Rules
|
|
|
|
# SNAT:<INT IF>:<INT IP>:<EXT IF>:<EXT IP>
|
|
|
|
# MASQ:<INT IF>:<INT IP>:<EXT IF>
|
|
|
|
#NAT_RANGE=
|
2009-08-13 14:40:41 -06:00
|
|
|
|
2009-11-16 13:39:19 -07:00
|
|
|
|
2009-08-29 18:52:40 -06:00
|
|
|
# IP Ranges to block all traffic incoming/outgoing
|
|
|
|
BLOCKEDIP=$BASEDIR/blocked
|
|
|
|
|
2010-06-21 22:34:28 -06:00
|
|
|
# Block outgoing traffic on these TCP/UDP ports
|
|
|
|
#BLOCKTCPPORTS="6881"
|
|
|
|
#BLOCKUDPPORTS="6881"
|
|
|
|
|
2010-06-19 15:41:27 -06:00
|
|
|
# Strip ECN off of packets - helps with blackholes
|
|
|
|
# Either individual IPs or 0.0.0.0/0
|
|
|
|
STRIPECN="0.0.0.0/0"
|
|
|
|
|
2009-08-13 14:40:41 -06:00
|
|
|
|
|
|
|
# IPv6 related features. Commenting out IPV6 variable disables ALL
|
|
|
|
# IPv6 related items
|
|
|
|
IPV6=1
|
|
|
|
|
|
|
|
# IPv6 Forwarding
|
|
|
|
#IPV6FORWARD=1
|
|
|
|
|
|
|
|
# Default block all incoming ipv6 connections?
|
|
|
|
IPV6BLOCKINCOMING=1
|
|
|
|
|
|
|
|
# Special case for routers that have ipv6 clients behind them.
|
|
|
|
# Useful if clients do not have proper ipv6 firewalls.
|
|
|
|
#IPV6ROUTEDCLIENTBLOCK=1
|
|
|
|
|
2010-05-15 11:07:40 -06:00
|
|
|
# Clamp MSS, useful on DSL/VPN links
|
|
|
|
# Space separated list of interfaces to apply this on
|
|
|
|
# it may be used eventually.
|
|
|
|
#CLAMPMSSIPV6="he-ipv6"
|
|
|
|
|
2009-08-13 14:40:41 -06:00
|
|
|
# Interface IPv6 comes in on (either tunnel or real network interface)
|
|
|
|
#IPV6INT=he-ipv6
|
|
|
|
|
2009-08-23 16:43:56 -06:00
|
|
|
# LAN interface for IPv6
|
|
|
|
#IPV6LAN=eth1
|
|
|
|
|
2009-08-13 14:40:41 -06:00
|
|
|
# Trusted IPv6 ranges
|
2009-08-13 13:53:20 -06:00
|
|
|
IPV6TRUSTED="::1"
|
2009-08-13 14:40:41 -06:00
|
|
|
|
|
|
|
# Allowed incoming IPv6 ports (for now, use $TCPPORTS and $UDPPORTS to
|
|
|
|
# have same for both ipv4 and ipv6)
|
2009-08-13 13:53:20 -06:00
|
|
|
IPV6TCP=$TCPPORTS
|
|
|
|
IPV6UDP=$UDPPORTS
|
2009-08-13 14:40:41 -06:00
|
|
|
|
|
|
|
# IPv6 range to forward
|
2009-08-13 13:53:20 -06:00
|
|
|
#IPV6FORWARDRANGE=""
|
2010-06-21 22:34:28 -06:00
|
|
|
|
|
|
|
# Block outgoing IPv6 traffic on these TCP/UDP ports
|
|
|
|
#BLOCKIPV6TCPPORTS=$BLOCKTCPPORTS
|
|
|
|
#BLOCKIPV6UDPPORTS=$BLOCKUDPPORTS
|