Firewall-SOSDG/options.default

# Config file version.  Don't change this.  Will be used some day to
# figure out if we need to alert the user that they need to redo their
# config file.
CONFIG_VERSION=0.9

# This is for testing purposes.
IPTABLES=/bin/true
IP6TABLES=/bin/true

# Uncomment below to actually activate firewall
#IPTABLES=/sbin/iptables
#IP6TABLES=/sbin/ip6tables

#This is important for loading kernel modules
MODPROBE=/sbin/modprobe

# Don't forget to rename this file to 'options'!

# I'm trying to make this config as simple as possible.  Comment out
# options you don't want to use, uncomment them to use them.

# Do we want NAT/Conntrack/Forward features?
#NAT=1
#CONNTRACK=1
#FORWARD=1

# Blocking incoming connections by default?
#BLOCKINCOMING=1

# Clamp MSS, useful on DSL/VPN links
# Space separated list of interfaces to apply this on
#CLAMPMSS="ppp0 eth0"

# Do we run a LAN DHCP server?
#LANDHCPSERVER=1

# Internal Interface
#INTINF=ppp+

# Port forwardings, requires NAT
#PORTFW=$BASEDIR/port-forwards


# Multiport support?
# yes/no/auto  (auto will try to detect if we support multiport or not,
# may not always work but is recommended unless you have a reason otherwise)
IPTABLES_MULTIPORT=auto

# Multiport options - use to override defaults
#NF_MULTIPORT="xt_multiport"
#NF_MULTIPORT_MAX_PORTS="7"

# TCP/UDP/Protocol to allow
TCPPORTS="20 21 22 53 80 113 123 443"
UDPPORTS="53"

# common protocols to allow include ipsec, gre, and ipv6
ALLOWEDPROTO="41 47 50 51"

# IPs that are allowed to bypass firewall
TRUSTEDIP="127.0.0.1"

# Don't track these IPs, useful in some occasions.  Don't
# use otherwise.
DONTTRACK="127.0.0.1"

# IP range(s) to forward
ROUTING=$BASEDIR/ipv4-routing

# Mark ipv4 packets for advanced purposes
IPv4_MARK=$BASEDIR/ipv4-marks

# Hacks to either block specific kinds of attacks or fix problems
#
# NS-IN-DDOS - 			Block DNS DDoS using NS/IN spoof, see:
# http://www.stupendous.net/archives/2009/01/24/dropping-spurious-nsin-recursive-queries/
# 
# MULTI-NIC-ARP-LOCK -	By default, in Linux, arp requests may be answered by interfaces that
#						do not actually have the IP in question.  In some (alot in my case),
#						I have things going through specific wires for a reason.  This fixes
#						that and makes it behave as expected.
#
HACK_IPV4="NS-IN-DDOS"


#==============
# Obsolete - DO NOT USE ANYMORE. Will be removed in 1.0
# IP ranges(s) to NAT using SNAT.
#NATRANGE="192.168.1.0/24"
# External IP and interface for SNAT
#NATEXTIP="172.16.1.1"
#NATEXTIF="eth0"
#==============

# IP NAT Rules
# SNAT:<INT IF>:<INT IP>:<EXT IF>:<EXT IP>
# MASQ:<INT IF>:<INT IP>:<EXT IF>
#NAT_RANGE=


# IP Ranges to block all traffic incoming/outgoing
BLOCKEDIP=$BASEDIR/blocked

# Block outgoing traffic on these TCP/UDP ports
#BLOCKTCPPORTS="6881"
#BLOCKUDPPORTS="6881"

# Strip ECN off of packets - helps with blackholes
# Either individual IPs or 0.0.0.0/0
STRIPECN="0.0.0.0/0"


# IPv6 related features.  Commenting out IPV6 variable disables ALL
# IPv6 related items
IPV6=1

# IPv6 Forwarding
#IPV6FORWARD=1

# Default block all incoming ipv6 connections?
IPV6BLOCKINCOMING=1

# Special case for routers that have ipv6 clients behind them.
# Useful if clients do not have proper ipv6 firewalls.
#IPV6ROUTEDCLIENTBLOCK=1

# Clamp MSS, useful on DSL/VPN links
# Space separated list of interfaces to apply this on
# it may be used eventually.
#CLAMPMSSIPV6="he-ipv6"

# Interface IPv6 comes in on (either tunnel or real network interface)
#IPV6INT=he-ipv6

# LAN interface for IPv6
#IPV6LAN=eth1

# Trusted IPv6 ranges
IPV6TRUSTED="::1"

# Allowed incoming IPv6 ports (for now, use $TCPPORTS and $UDPPORTS to
# have same for both ipv4 and ipv6)
IPV6TCP=$TCPPORTS
IPV6UDP=$UDPPORTS

# IPv6 range to forward
#IPV6FORWARDRANGE=""

# Block outgoing IPv6 traffic on these TCP/UDP ports
#BLOCKIPV6TCPPORTS=$BLOCKTCPPORTS
#BLOCKIPV6UDPPORTS=$BLOCKUDPPORTS