Firewall-SOSDG/include/static

101 lines
3.7 KiB
Bash
Executable File

#!/bin/bash
# By Brielle Bruns <bruns@2mbit.com>
# URL: http://www.sosdg.org/freestuff/firewall
# License: GPLv3
#
# Copyright (C) 2009 - 2010 Brielle Bruns
# Copyright (C) 2009 - 2010 The Summit Open Source Development Group
#
# This program is free software: you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation, either version 3 of the License, or
# (at your option) any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
# You should have received a copy of the GNU General Public License
# along with this program. If not, see <http://www.gnu.org/licenses/>.
#
#
# This file defines static variables that we will be using. Normally, you
# should not be needing to edit these. You can override them in your options
# file easily, thus avoiding problems with overwriting settings during upgrades.
# You should always make sure this file is from the most recent firewall package,
# as missing variables here could foul up the firewall's ability to setup rules
# correctly.
# These defines are here to help pre-1.0 users easily upgrade, defines critical defaults
# that would otherwise require remaking their options file. I leave this on by default,
# but if you want to make sure you have a current options file, define this to 0.
if [[ "$COMPAT_CONFIG" == "1" ]]; then
MODPROBE=`which modprobe`
PRERUN="$BASEDIR/prerun"
POSTRUN="$BASEDIR/postrun"
fi
# ANSI color sequences
BLUE="\E[34m"
GREEN="\E[32m"
RED="\E[31m"
YELLOW="\E[33m"
PURPLE="\E[35m"
AQUA="\E[36m"
WHITE="\E[1m"
GREY="\E[37m"
DEFAULT_COLOR="\E[39m"
# Module names that we may need to load
MOD_U32="xt_u32"
# Location of the ipv4 network conf in proc
PROC_NET_IPV4="/proc/sys/net/ipv4/conf"
# Multiport options - override in options
NF_MULTIPORT="xt_multiport"
NF_MULTIPORT_MAX_PORTS="7"
# RFC 1918 Space
RFC1918_SPACE="192.168.0.0/16 172.16.0.0/12 10.0.0.0/8"
# By default, use conntrack instead of state
STATE_TYPE="conntrack"
# Auto detect multiport
IPTABLES_MULTIPORT=auto
# Where we store output of cached rules
RULE_CACHE=$BASEDIR/cache/ipt-rules
RULE_CACHE_V6=$BASEDIR/cache/ipt6-rules
EXTIP="auto"
EXTIF="eth0"
EXTIF_FIND="$BASEDIR/bin/get_default_if"
EXTIP_FIND="$BASEDIR/bin/get_default_ip"
# By default, we allow ipv6 critical icmp
IPV6_ICMP_CRITICAL=1
# IPv4 and IPv6 regex matches to determine if entry is valid. These may need
# to be tweaked over time. At the moment, we use by default the pattern here:
# http://stackoverflow.com/questions/53497/regular-expression-that-matches-valid-ipv6-addresses
IPV4_MATCH="(?:(?>(?>([a-f0-9]{1,4})(?>:(?1)){7})|(?>(?!(?:.*[a-f0-9](?>:|$)){8,})((?1)(?>:(?1)){0,6})?::(?2)?))|(?>(?>(?>(?1)(?>:(?1)){5}:)|(?>(?!(?:.*[a-f0-9]:){6,})((?1)(?>:(?1)){0,4})?::(?>(?3):)?))?(25[0-5]|2[0-4][0-9]|1[0-9]{2}|[1-9]?[0-9])(?>\.(?4)){3}))"
IPV6_MATCH="(?:(?>(?>([a-f0-9]{1,4})(?>:(?1)){7})|(?>(?!(?:.*[a-f0-9](?>:|$)){8,})((?1)(?>:(?1)){0,6})?::(?2)?))|(?>(?>(?>(?1)(?>:(?1)){5}:)|(?>(?!(?:.*[a-f0-9]:){6,})((?1)(?>:(?1)){0,4})?::(?>(?3):)?))?(25[0-5]|2[0-4][0-9]|1[0-9]{2}|[1-9]?[0-9])(?>\.(?4)){3}))"
# At the moment I don't have a valid way of verifying ranges within a certain constraint (ie /0 through /32)
# If anyone wants to write these, feel free to!
IPV4_NETMASK_MATCH=""
IPV6_NETMASK_MATCH=""
# Default policies for IPv4 and IPv6. Make these ACCEPT by default, except for FORWARD,
# since one wrong configuration can lock someone out.
IPV4_PINPUT=ACCEPT
IPV4_POUTPUT=ACCEPT
IPV4_PFORWARD=DROP
IPV6_PINPUT=ACCEPT
IPV6_POUTPUT=ACCEPT
IPV6_PFORWARD=DROP