#!/bin/bash # By Brielle Bruns # URL: http://www.sosdg.org/freestuff/firewall # License: GPLv3 # # Copyright (C) 2009 - 2010 Brielle Bruns # Copyright (C) 2009 - 2010 The Summit Open Source Development Group # # This program is free software: you can redistribute it and/or modify # it under the terms of the GNU General Public License as published by # the Free Software Foundation, either version 3 of the License, or # (at your option) any later version. # # This program is distributed in the hope that it will be useful, # but WITHOUT ANY WARRANTY; without even the implied warranty of # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the # GNU General Public License for more details. # You should have received a copy of the GNU General Public License # along with this program. If not, see . # # # This file defines static variables that we will be using. Normally, you # should not be needing to edit these. # These defines are here to help pre-1.0 users easily upgrade, defines critical defaults # that would otherwise require remaking their options file. I leave this on by default, # but if you want to make sure you have a current options file, define this to 0. if [[ "$COMPAT_CONFIG" == "1" ]]; then MODPROBE=`which modprobe` PRERUN="$BASEDIR/prerun" POSTRUN="$BASEDIR/postrun" fi # ANSI color sequences BLUE="\E[34m" GREEN="\E[32m" RED="\E[31m" YELLOW="\E[33m" PURPLE="\E[35m" AQUA="\E[36m" WHITE="\E[1m" GREY="\E[37m" DEFAULT_COLOR="\E[39m" # Module names that we may need to load MOD_U32="xt_u32" # Location of the ipv4 network conf in proc PROC_NET_IPV4="/proc/sys/net/ipv4/conf" # Multiport options - override in options NF_MULTIPORT="xt_multiport" NF_MULTIPORT_MAX_PORTS="7" # RFC 1918 Space RFC1918_SPACE="192.168.0.0/16 172.16.0.0/12 10.0.0.0/8" # By default, use conntrack instead of state STATE_TYPE="conntrack" # Auto detect multiport IPTABLES_MULTIPORT=auto # Where we store output of cached rules RULE_CACHE=$BASEDIR/cache/ipt-rules RULE_CACHE_V6=$BASEDIR/cache/ipt6-rules EXTIP="auto" EXTIF="eth0" EXTIF_FIND="$BASEDIR/bin/get_default_if" EXTIP_FIND="$BASEDIR/bin/get_default_ip" # By default, we allow ipv6 critical icmp IPV6_ICMP_CRITICAL=1 # IPv4 and IPv6 regex matches to determine if entry is valid. These may need # to be tweaked over time. At the moment, we use by default the pattern here: # http://stackoverflow.com/questions/53497/regular-expression-that-matches-valid-ipv6-addresses IPV4_MATCH="(?:(?>(?>([a-f0-9]{1,4})(?>:(?1)){7})|(?>(?!(?:.*[a-f0-9](?>:|$)){8,})((?1)(?>:(?1)){0,6})?::(?2)?))|(?>(?>(?>(?1)(?>:(?1)){5}:)|(?>(?!(?:.*[a-f0-9]:){6,})((?1)(?>:(?1)){0,4})?::(?>(?3):)?))?(25[0-5]|2[0-4][0-9]|1[0-9]{2}|[1-9]?[0-9])(?>\.(?4)){3}))" IPV6_MATCH="(?:(?>(?>([a-f0-9]{1,4})(?>:(?1)){7})|(?>(?!(?:.*[a-f0-9](?>:|$)){8,})((?1)(?>:(?1)){0,6})?::(?2)?))|(?>(?>(?>(?1)(?>:(?1)){5}:)|(?>(?!(?:.*[a-f0-9]:){6,})((?1)(?>:(?1)){0,4})?::(?>(?3):)?))?(25[0-5]|2[0-4][0-9]|1[0-9]{2}|[1-9]?[0-9])(?>\.(?4)){3}))" # At the moment I don't have a valid way of verifying ranges within a certain constraint (ie /0 through /32) # If anyone wants to write these, feel free to! IPV4_NETMASK_MATCH="" IPV6_NETMASK_MATCH="" # Default policies for IPv4 and IPv6. Make these ACCEPT by default, except for FORWARD, # since one wrong configuration can lock someone out. IPV4_PINPUT=ACCEPT IPV4_POUTPUT=ACCEPT IPV4_PFORWARD=DROP IPV6_PINPUT=ACCEPT IPV6_POUTPUT=ACCEPT IPV6_PFORWARD=DROP