# I'm trying to make this config as simple as possible. Comment out # options you don't want to use, uncomment them to use them. # Don't forget to rename this file to 'options'! # Config file version. Don't change this. Will be used some day to # figure out if we need to alert the user that they need to redo their # config file. CONFIG_VERSION=0.9 # This is for testing purposes. IPTABLES=/bin/true IP6TABLES=/bin/true # Uncomment below to actually activate firewall #IPTABLES=/sbin/iptables #IP6TABLES=/sbin/ip6tables # This is important for loading kernel modules MODPROBE=/sbin/modprobe # Extra modules to load such as ftp connection tracking #MODULES_LOAD="nf_conntrack_ftp nf_conntrack_h323 nf_conntrack_irc nf_conntrack_pptp nf_conntrack_proto_gre nf_conntrack_proto_sctp nf_conntrack_proto_udplite nf_conntrack_sip nf_conntrack_tftp nf_conntrack_sane" # Run commands before/after rules PRERUN="$BASEDIR/conf/prerun" POSTRUN="$BASEDIR/conf/postrun" # Do we want NAT/Conntrack/Forward features? #NAT=1 #CONNTRACK=1 #FORWARD=1 # Use old style state matches or new conntrack matches? # By default, lets use conntrack. #STATE_TYPE="conntrack" # Blocking incoming connections by default? #BLOCKINCOMING=1 # Clamp MSS, useful on DSL/VPN links # Space separated list of interfaces to apply this on #CLAMPMSS="ppp0 eth0" # Default IPv4 policies # IPV4_PINPUT set to DROP is different from BLOCKINCOMING, # as BLOCKINCOMING only blocks syn packets for TCP while still # allowing established connections even if connection tracking is off. # BLOCKINCOMING does however, deny all incoming UDP just like INPUT=DROP does. IPV4_PINPUT=ACCEPT IPV4_POUTPUT=ACCEPT IPV4_PFORWARD=DROP # Do we run a LAN DHCP server? Put the interfaces here # where this server is providing services. #LANDHCPSERVER="eth0 eth1" # Primary external interface # Can be an interface name (ppp0, eth0) or auto # which will try to detect the proper interface, # but requires a default route to be properly setup # first. # We recommend manually defining this unless you really # need to automagically detect the interface. EXTIF="eth0" # Primary external IP address # Can be an IP address or auto, which will try to detect # the primary external IP using the information from EXTIF # This is mostly useful for people who have a dynamic external # IP address. Everyone else should manually define this to # avoid potential detection issues. EXTIP="auto" # Program/script for finding the default external interface # Only used if EXTIF is set to auto # # If you need to write your own script to find the info, change below #EXTIF_FIND="$BASEDIR/bin/get_default_if" # Pattern for finding the default external interface IP address # Only used if EXTIP is set to auto # # If you need to write your own script to find the info, change below # note that the script passes the interface from $EXTIF as first option #EXTIP_FIND="$BASEDIR/bin/get_default_ip" # Internal Interface #INTINF=ppp+ # Port forwardings, requires NAT #PORTFW=$BASEDIR/conf/port-forwards # Multiport support? # yes/no/auto (auto will try to detect if we support multiport or not, # may not always work but is recommended unless you have a reason otherwise) IPTABLES_MULTIPORT=auto # Multiport options - use to override defaults #NF_MULTIPORT="xt_multiport" #NF_MULTIPORT_MAX_PORTS="7" # Allow outgoing DNS requests - important if you did not activate connection # tracking. Set this to the interfaces you wish to use for outgoing requests # plus the IP addresses of your upstream servers (recommended up to 3) if you need to. #DNS_REQUESTS_OUT="eth0|4.2.2.1|4.2.2.2|4.2.2.3 eth1" # TCP/UDP/Protocol to allow TCPPORTS="20 21 22 53 80 113 123 443" UDPPORTS="53" # common protocols to allow include ipsec, gre, and ipv6 ALLOWEDPROTO="41 47 50 51" # IPs that are allowed to bypass firewall TRUSTEDIP="127.0.0.1" # Don't track these IPs, useful in some occasions. Don't # use otherwise. DONTTRACK="127.0.0.1" # Intercept IPv4 packets for use in a transparent proxy #IPV4_INTERCEPT=$BASEDIR/conf/ipv4-intercept # IP range(s) to forward #ROUTING=$BASEDIR/conf/ipv4-routing # Mark ipv4 packets for advanced purposes #IPv4_MARK=$BASEDIR/conf/ipv4-marks # IP NAT Rules # SNAT:::: # MASQ::: # NETMAP:::: #NAT_RANGE="" # Hacks to either block specific kinds of attacks or fix problems # # NS-IN-DDOS - Block DNS DDoS using NS/IN spoof, see: # http://www.stupendous.net/archives/2009/01/24/dropping-spurious-nsin-recursive-queries/ # # MULTI-NIC-ARP-LOCK - By default, in Linux, arp requests may be answered by interfaces that # do not actually have the IP in question. In some (alot in my case), # I have things going through specific wires for a reason. This fixes # that and makes it behave as expected. # HACK_IPV4="NS-IN-DDOS" # IP NAT Rules # SNAT:::: # MASQ::: #NAT_RANGE= # IP Ranges to block all traffic incoming/outgoing # New functionality in 0.9.8 obsoletes BLOCKTCPPORTS and BLOCKUDPPORTS BLOCKEDIP=$BASEDIR/conf/ipv4-blocked # Strip ECN off of packets - helps with blackholes # Either individual IPs or 0.0.0.0/0 #STRIPECN="0.0.0.0/0" # Block private LAN traffic (RFC reserved space) going OUT on these interfaces # for security reasons. This has the potential to cause issues if your # provider uses private IP space for uplinks in PPPoE/PPPoA, so don't use it # and use BLOCK_INCOMING_RFC1981 instead. #BLOCK_OUTGOING_RFC1918="ppp0" # Block private LAN traffic (RFC reserved space) coming IN on these interfaces # for security reasons. This is a bit more safer to use if your provider uses # private IP space for the other end of PPP links. #BLOCK_INCOMING_RFC1918="ppp0" # RFC1918 Space override, don't change or uncomment this unless you absolutely need to #RFC1918_SPACE="192.168.0.0/16 172.16.0.0/12 10.0.0.0/8" # IPv6 related features. Commenting out IPV6 variable disables ALL # IPv6 related items #IPV6=1 # Do we want IPv6 FORWARD and Connection tracking features? #IPV6_FORWARD=1 #IPV6_CONNTRACK=1 # Default IPv6 policies # IPV6_PINPUT set to DROP is different from IPV6_BLOCKINCOMING, # as BLOCKINCOMING only blocks syn packets for TCP while still # allowing established connections even if connection tracking is off. # BLOCKINCOMING does however, deny all incoming UDP just like INPUT=DROP does. IPV6_PINPUT=ALLOW IPV6_POUTPUT=ALLOW IPV6_PFORWARD=DROP # Allow outgoing DNS requests - important if you did not activate connection # tracking. Set this to the interfaces you wish to use for outgoing requests # plus the IP addresses of your upstream servers (recommended up to 3) if you need to. #IPV6_DNS_REQUESTS_OUT="eth0|2001::1|2001::2|2001::3 eth1" # Default block all incoming ipv6 connections? #IPV6_BLOCKINCOMING=1 # Special case for routers that have ipv6 clients behind them. # Useful if clients do not have proper ipv6 firewalls. Give list # of IPv6 netblocks to enable this on. #IPV6_ROUTEDCLIENTBLOCK="" # IP range(s) to forward #IPV6_ROUTING=$BASEDIR/conf/ipv6-routing # Mark ipv6 packets for advanced purposes #IPV6_MARK=$BASEDIR/conf/ipv6-marks # IPv6 Ranges to block all traffic incoming/outgoing #IPV6_BLOCKEDIP=$BASEDIR/conf/ipv6-blocked # Clamp MSS, useful on DSL/VPN links # Space separated list of interfaces to apply this on # it may be used eventually. #IPV6_CLAMPMSS="he-ipv6" # Interface IPv6 comes in on (either tunnel or real network interface) #IPV6_INT=he-ipv6 # LAN interface for IPv6 #IPV6_LAN=eth1 # Trusted IPv6 ranges #IPV6_TRUSTED="::1" # Allowed incoming IPv6 ports (for now, use $TCPPORTS and $UDPPORTS to # have same for both ipv4 and ipv6) #IPV6_TCPPORTS=$TCPPORTS #IPV6_UDPPORTS=$UDPPORTS # IPv6 range to forward #IPV6_FORWARDRANGE="" # Allow critical ICMP messages to go through, such as packet too big. # You should _really_ make sure you don't disable this if you have any # kind of MTU changes inside or outside your network. # Allows: time-exceeded packet-too-big IPV6_ICMP_CRITICAL=1 # Allow other common IPV6 ICMP messages through the firewall. Though not # really critical, these can help with general IPv6 usage/diagnostic # Allows: destination-unreachable parameter-problem #IPV6_ICMP_OPT=1