Firewall-SOSDG/options.default

214 lines
6.8 KiB
Plaintext
Raw Normal View History

2010-10-10 21:01:20 -06:00
# I'm trying to make this config as simple as possible. Comment out
# options you don't want to use, uncomment them to use them.
# Don't forget to rename this file to 'options'!
2010-08-26 15:49:16 -06:00
# Config file version. Don't change this. Will be used some day to
# figure out if we need to alert the user that they need to redo their
# config file.
CONFIG_VERSION=0.9
# This is for testing purposes.
IPTABLES=/bin/true
IP6TABLES=/bin/true
2009-08-13 13:53:20 -06:00
# Uncomment below to actually activate firewall
#IPTABLES=/sbin/iptables
#IP6TABLES=/sbin/ip6tables
2010-10-10 21:01:20 -06:00
# This is important for loading kernel modules
2010-08-25 11:43:57 -06:00
MODPROBE=/sbin/modprobe
2010-10-10 21:01:20 -06:00
# Extra modules to load such as ftp connection tracking
2010-10-10 21:06:31 -06:00
#MODULES_LOAD="nf_conntrack_ftp nf_conntrack_h323 nf_conntrack_irc nf_conntrack_pptp nf_conntrack_proto_gre nf_conntrack_proto_sctp nf_conntrack_proto_udplite nf_conntrack_sip nf_conntrack_tftp nf_conntrack_sane"
# Run commands before/after rules
PRERUN="$BASEDIR/conf/prerun"
POSTRUN="$BASEDIR/conf/postrun"
# Do we want NAT/Conntrack/Forward features?
2010-08-23 19:35:36 -06:00
#NAT=1
#CONNTRACK=1
#FORWARD=1
# Use old style state matches or new conntrack matches?
# By default, lets use conntrack.
#STATE_TYPE="conntrack"
# Blocking incoming connections by default?
2010-08-27 15:09:51 -06:00
#BLOCKINCOMING=1
# Clamp MSS, useful on DSL/VPN links
2010-05-15 11:07:40 -06:00
# Space separated list of interfaces to apply this on
#CLAMPMSS="ppp0 eth0"
2009-08-13 13:53:20 -06:00
# Do we run a LAN DHCP server? Put the interfaces here
# where this server is providing services.
#LANDHCPSERVER="eth0 eth1"
2009-11-16 13:39:19 -07:00
# Primary external interface
# Can be an interface name (ppp0, eth0) or auto
# which will try to detect the proper interface,
# but requires a default route to be properly setup
# first.
EXTIF="auto"
# Primary external IP address
# Can be an IP address or auto, which will try to detect
# the primary external IP using the information from EXTIF
EXTIP="auto"
# Pattern for finding the default external interface IP address
# Only used if EXTIP is set to auto
#
# Thanks to the people at:
# http://www.linuxquestions.org/questions/programming-9/using-grep-and-awk-to-get-ip-address-627626/
#
# Uncomment one of these if the default doesn't work
#EXTIP_FIND=$(expr "`ifconfig ${EXTIF}`" : '.*inet addr:\([^ ]*\).*')
#EXTIP_FIND=`ifconfig ${EXTIF}| awk -F ' *|:' '/inet addr/{print $4}'`
# Pattern for finding the default external interface
# Only used if EXTIF is set to auto
#
# Uncomment one of these if the default doesn't work
#EXTIF_FIND=`ip route | awk '/^default/{print $3}'`
#EXTIF_FIND=`netstat -rn | awk '/^0.0.0.0/{print $8}'`
2009-11-16 13:39:19 -07:00
# Internal Interface
#INTINF=ppp+
2009-08-13 15:12:04 -06:00
# Port forwardings, requires NAT
#PORTFW=$BASEDIR/conf/port-forwards
2009-08-13 13:53:20 -06:00
2010-09-26 13:45:51 -06:00
# Multiport support?
2010-09-26 15:13:54 -06:00
# yes/no/auto (auto will try to detect if we support multiport or not,
# may not always work but is recommended unless you have a reason otherwise)
2010-09-26 13:45:51 -06:00
IPTABLES_MULTIPORT=auto
2010-09-26 15:13:54 -06:00
# Multiport options - use to override defaults
2010-09-26 13:45:51 -06:00
#NF_MULTIPORT="xt_multiport"
2010-09-26 15:13:54 -06:00
#NF_MULTIPORT_MAX_PORTS="7"
2010-09-26 13:45:51 -06:00
2010-10-13 14:14:46 -06:00
# Allow outgoing DNS requests - important if you did not activate connection
# tracking. Set this to the interfaces you wish to use for outgoing requests
2010-10-13 14:27:41 -06:00
# plus the IP addresses of your upstream servers (recommended up to 3) if you need to.
2010-10-13 14:14:46 -06:00
#DNS_REQUESTS_OUT="eth0|4.2.2.1|4.2.2.2|4.2.2.3 eth1"
# TCP/UDP/Protocol to allow
2009-08-13 13:53:20 -06:00
TCPPORTS="20 21 22 53 80 113 123 443"
UDPPORTS="53"
# common protocols to allow include ipsec, gre, and ipv6
ALLOWEDPROTO="41 47 50 51"
# IPs that are allowed to bypass firewall
2009-08-13 13:53:20 -06:00
TRUSTEDIP="127.0.0.1"
# Don't track these IPs, useful in some occasions. Don't
# use otherwise.
2009-08-13 13:53:20 -06:00
DONTTRACK="127.0.0.1"
# IP range(s) to forward
#ROUTING=$BASEDIR/conf/ipv4-routing
2010-09-22 20:17:08 -06:00
# Mark ipv4 packets for advanced purposes
#IPv4_MARK=$BASEDIR/conf/ipv4-marks
2010-08-23 19:35:36 -06:00
# IP NAT Rules
# SNAT:<INT IF>:<INT IP>:<EXT IF>:<EXT IP>
# MASQ:<INT IF>:<INT IP>:<EXT IF>
2010-11-12 22:18:03 -07:00
# NETMAP:<INT IF>:<INT IP RANGE>:<EXT IF>:<EXT IP RANGE>
#NAT_RANGE=""
2010-08-23 19:35:36 -06:00
# Hacks to either block specific kinds of attacks or fix problems
#
2010-09-24 18:29:17 -06:00
# NS-IN-DDOS - Block DNS DDoS using NS/IN spoof, see:
2010-08-23 19:35:36 -06:00
# http://www.stupendous.net/archives/2009/01/24/dropping-spurious-nsin-recursive-queries/
2010-09-24 18:29:17 -06:00
#
# MULTI-NIC-ARP-LOCK - By default, in Linux, arp requests may be answered by interfaces that
# do not actually have the IP in question. In some (alot in my case),
# I have things going through specific wires for a reason. This fixes
# that and makes it behave as expected.
2010-08-23 19:35:36 -06:00
#
HACK_IPV4="NS-IN-DDOS"
2010-08-21 10:54:46 -06:00
# IP NAT Rules
# SNAT:<INT IF>:<INT IP>:<EXT IF>:<EXT IP>
# MASQ:<INT IF>:<INT IP>:<EXT IF>
#NAT_RANGE=
2009-08-29 18:52:40 -06:00
# IP Ranges to block all traffic incoming/outgoing
2010-10-06 12:23:08 -06:00
# New functionality in 0.9.8 obsoletes BLOCKTCPPORTS and BLOCKUDPPORTS
BLOCKEDIP=$BASEDIR/conf/ipv4-blocked
2009-08-29 18:52:40 -06:00
2010-06-19 15:41:27 -06:00
# Strip ECN off of packets - helps with blackholes
# Either individual IPs or 0.0.0.0/0
#STRIPECN="0.0.0.0/0"
2010-06-19 15:41:27 -06:00
2010-09-29 17:04:48 -06:00
# Block private LAN traffic (RFC reserved space) going OUT on these interfaces
# for security reasons. This has the potential to cause issues if your
# provider uses private IP space for uplinks in PPPoE/PPPoA, so don't use it
# and use BLOCK_INCOMING_RFC1981 instead.
#BLOCK_OUTGOING_RFC1918="ppp0"
# Block private LAN traffic (RFC reserved space) coming IN on these interfaces
# for security reasons. This is a bit more safer to use if your provider uses
# private IP space for the other end of PPP links.
#BLOCK_INCOMING_RFC1918="ppp0"
# RFC1918 Space override, don't change or uncomment this unless you absolutely need to
#RFC1918_SPACE="192.168.0.0/16 172.16.0.0/12 10.0.0.0/8"
# IPv6 related features. Commenting out IPV6 variable disables ALL
# IPv6 related items
#IPV6=1
2010-10-13 14:43:20 -06:00
# Do we want IPv6 FORWARD and Connection tracking features?
#IPV6_FORWARD=1
#IPV6_CONNTRACK=1
2010-10-13 14:27:41 -06:00
# Allow outgoing DNS requests - important if you did not activate connection
# tracking. Set this to the interfaces you wish to use for outgoing requests
# plus the IP addresses of your upstream servers (recommended up to 3) if you need to.
#IPV6_DNS_REQUESTS_OUT="eth0|2001::1|2001::2|2001::3 eth1"
# Default block all incoming ipv6 connections?
#IPV6_BLOCKINCOMING=1
# Special case for routers that have ipv6 clients behind them.
# Useful if clients do not have proper ipv6 firewalls.
#IPV6_ROUTEDCLIENTBLOCK=1
# IP range(s) to forward
#IPV6_ROUTING=$BASEDIR/conf/ipv6-routing
2010-10-13 14:43:20 -06:00
# Mark ipv6 packets for advanced purposes
#IPV6_MARK=$BASEDIR/conf/ipv6-marks
2010-10-13 14:43:20 -06:00
2010-10-06 14:11:59 -06:00
# IPv6 Ranges to block all traffic incoming/outgoing
#IPV6_BLOCKEDIP=$BASEDIR/conf/ipv6-blocked
2010-10-06 14:11:59 -06:00
2010-05-15 11:07:40 -06:00
# Clamp MSS, useful on DSL/VPN links
# Space separated list of interfaces to apply this on
# it may be used eventually.
#IPV6_CLAMPMSS="he-ipv6"
2010-05-15 11:07:40 -06:00
# Interface IPv6 comes in on (either tunnel or real network interface)
#IPV6_INT=he-ipv6
2009-08-23 16:43:56 -06:00
# LAN interface for IPv6
#IPV6_LAN=eth1
2009-08-23 16:43:56 -06:00
# Trusted IPv6 ranges
#IPV6_TRUSTED="::1"
# Allowed incoming IPv6 ports (for now, use $TCPPORTS and $UDPPORTS to
# have same for both ipv4 and ipv6)
#IPV6_TCPPORTS=$TCPPORTS
#IPV6_UDPPORTS=$UDPPORTS
# IPv6 range to forward
#IPV6_FORWARDRANGE=""