257 lines
8.5 KiB
Plaintext
Executable File
257 lines
8.5 KiB
Plaintext
Executable File
# I'm trying to make this config as simple as possible. Comment out
|
|
# options you don't want to use, uncomment them to use them.
|
|
# Don't forget to rename this file to 'options'!
|
|
|
|
# Config file version. Don't change this. Will be used some day to
|
|
# figure out if we need to alert the user that they need to redo their
|
|
# config file.
|
|
CONFIG_VERSION=0.9
|
|
|
|
# This is for testing purposes.
|
|
IPTABLES=/bin/true
|
|
IP6TABLES=/bin/true
|
|
|
|
# Uncomment below to actually activate firewall
|
|
#IPTABLES=/sbin/iptables
|
|
#IP6TABLES=/sbin/ip6tables
|
|
|
|
# This is important for loading kernel modules
|
|
MODPROBE=/sbin/modprobe
|
|
|
|
# Extra modules to load such as ftp connection tracking
|
|
#MODULES_LOAD="nf_conntrack_ftp nf_conntrack_h323 nf_conntrack_irc nf_conntrack_pptp nf_conntrack_proto_gre nf_conntrack_proto_sctp nf_conntrack_proto_udplite nf_conntrack_sip nf_conntrack_tftp nf_conntrack_sane"
|
|
|
|
# Run commands before/after rules
|
|
PRERUN="$BASEDIR/conf/prerun"
|
|
POSTRUN="$BASEDIR/conf/postrun"
|
|
|
|
# Do we want NAT/Conntrack/Forward features?
|
|
#NAT=1
|
|
#CONNTRACK=1
|
|
#FORWARD=1
|
|
|
|
# Use old style state matches or new conntrack matches?
|
|
# By default, lets use conntrack.
|
|
#STATE_TYPE="conntrack"
|
|
|
|
# Blocking incoming connections by default?
|
|
#BLOCKINCOMING=1
|
|
|
|
# Clamp MSS, useful on DSL/VPN links
|
|
# Space separated list of interfaces to apply this on
|
|
#CLAMPMSS="ppp0 eth0"
|
|
|
|
|
|
# Default IPv4 policies
|
|
# IPV4_PINPUT set to DROP is different from BLOCKINCOMING,
|
|
# as BLOCKINCOMING only blocks syn packets for TCP while still
|
|
# allowing established connections even if connection tracking is off.
|
|
# BLOCKINCOMING does however, deny all incoming UDP just like INPUT=DROP does.
|
|
IPV4_PINPUT=ACCEPT
|
|
IPV4_POUTPUT=ACCEPT
|
|
IPV4_PFORWARD=DROP
|
|
|
|
# Do we run a LAN DHCP server? Put the interfaces here
|
|
# where this server is providing services.
|
|
#LANDHCPSERVER="eth0 eth1"
|
|
|
|
# Primary external interface
|
|
# Can be an interface name (ppp0, eth0) or auto
|
|
# which will try to detect the proper interface,
|
|
# but requires a default route to be properly setup
|
|
# first.
|
|
# We recommend manually defining this unless you really
|
|
# need to automagically detect the interface.
|
|
EXTIF="eth0"
|
|
|
|
# Primary external IP address
|
|
# Can be an IP address or auto, which will try to detect
|
|
# the primary external IP using the information from EXTIF
|
|
# This is mostly useful for people who have a dynamic external
|
|
# IP address. Everyone else should manually define this to
|
|
# avoid potential detection issues.
|
|
EXTIP="auto"
|
|
|
|
# Program/script for finding the default external interface
|
|
# Only used if EXTIF is set to auto
|
|
#
|
|
# If you need to write your own script to find the info, change below
|
|
#EXTIF_FIND="$BASEDIR/bin/get_default_if"
|
|
|
|
# Pattern for finding the default external interface IP address
|
|
# Only used if EXTIP is set to auto
|
|
#
|
|
# If you need to write your own script to find the info, change below
|
|
# note that the script passes the interface from $EXTIF as first option
|
|
#EXTIP_FIND="$BASEDIR/bin/get_default_ip"
|
|
|
|
# Internal Interface
|
|
#INTINF=ppp+
|
|
|
|
# Port forwardings, requires NAT
|
|
#PORTFW=$BASEDIR/conf/port-forwards
|
|
|
|
# Multiport support?
|
|
# yes/no/auto (auto will try to detect if we support multiport or not,
|
|
# may not always work but is recommended unless you have a reason otherwise)
|
|
IPTABLES_MULTIPORT=auto
|
|
|
|
# Multiport options - use to override defaults
|
|
#NF_MULTIPORT="xt_multiport"
|
|
#NF_MULTIPORT_MAX_PORTS="7"
|
|
|
|
# Allow outgoing DNS requests - important if you did not activate connection
|
|
# tracking. Set this to the interfaces you wish to use for outgoing requests
|
|
# plus the IP addresses of your upstream servers (recommended up to 3) if you need to.
|
|
#DNS_REQUESTS_OUT="eth0|4.2.2.1|4.2.2.2|4.2.2.3 eth1"
|
|
|
|
# TCP/UDP/Protocol to allow
|
|
TCPPORTS="20 21 22 53 80 113 123 443"
|
|
UDPPORTS="53"
|
|
|
|
# common protocols to allow include ipsec, gre, and ipv6
|
|
ALLOWEDPROTO="41 47 50 51"
|
|
|
|
# IPs that are allowed to bypass firewall
|
|
TRUSTEDIP="127.0.0.1"
|
|
|
|
# Don't track these IPs, useful in some occasions. Don't
|
|
# use otherwise.
|
|
DONTTRACK="127.0.0.1"
|
|
|
|
# Allowed IPs and ports
|
|
# this is a more advanced form of TCPPORTS and UDPPORTS,
|
|
# and will eventually replace it
|
|
#IPV4_ALLOWED=$BASEDIR/conf/ipv4-allowed
|
|
|
|
# Intercept IPv4 packets for use in a transparent proxy
|
|
#IPV4_INTERCEPT=$BASEDIR/conf/ipv4-intercept
|
|
|
|
# IP range(s) to forward
|
|
#ROUTING=$BASEDIR/conf/ipv4-routing
|
|
|
|
# Mark ipv4 packets for advanced purposes
|
|
#IPv4_MARK=$BASEDIR/conf/ipv4-marks
|
|
|
|
# IP NAT Rules
|
|
# SNAT:<INT IF>:<INT IP>:<EXT IF>:<EXT IP>
|
|
# MASQ:<INT IF>:<INT IP>:<EXT IF>
|
|
# NETMAP:<INT IF>:<INT IP RANGE>:<EXT IF>:<EXT IP RANGE>
|
|
#NAT_RANGE=""
|
|
|
|
|
|
# Hacks to either block specific kinds of attacks or fix problems
|
|
#
|
|
# NS-IN-DDOS - Block DNS DDoS using NS/IN spoof, see:
|
|
# http://www.stupendous.net/archives/2009/01/24/dropping-spurious-nsin-recursive-queries/
|
|
#
|
|
# MULTI-NIC-ARP-LOCK - By default, in Linux, arp requests may be answered by interfaces that
|
|
# do not actually have the IP in question. In some (alot in my case),
|
|
# I have things going through specific wires for a reason. This fixes
|
|
# that and makes it behave as expected.
|
|
#
|
|
HACK_IPV4="NS-IN-DDOS"
|
|
|
|
# IP Ranges to block all traffic incoming/outgoing
|
|
# New functionality in 0.9.8 obsoletes BLOCKTCPPORTS and BLOCKUDPPORTS
|
|
BLOCKEDIP=$BASEDIR/conf/ipv4-blocked
|
|
|
|
# Strip ECN off of packets - helps with blackholes
|
|
# Either individual IPs or 0.0.0.0/0
|
|
#STRIPECN="0.0.0.0/0"
|
|
|
|
# Block private LAN traffic (RFC reserved space) going OUT on these interfaces
|
|
# for security reasons. This has the potential to cause issues if your
|
|
# provider uses private IP space for uplinks in PPPoE/PPPoA, so don't use it
|
|
# and use BLOCK_INCOMING_RFC1981 instead.
|
|
#BLOCK_OUTGOING_RFC1918="ppp0"
|
|
|
|
# Block private LAN traffic (RFC reserved space) coming IN on these interfaces
|
|
# for security reasons. This is a bit more safer to use if your provider uses
|
|
# private IP space for the other end of PPP links.
|
|
#BLOCK_INCOMING_RFC1918="ppp0"
|
|
|
|
# RFC1918 Space override, don't change or uncomment this unless you absolutely need to
|
|
#RFC1918_SPACE="192.168.0.0/16 172.16.0.0/12 10.0.0.0/8"
|
|
|
|
|
|
# IPv6 related features. Commenting out IPV6 variable disables ALL
|
|
# IPv6 related items
|
|
#IPV6=1
|
|
|
|
# Do we want IPv6 FORWARD and Connection tracking features?
|
|
#IPV6_FORWARD=1
|
|
#IPV6_CONNTRACK=1
|
|
|
|
# Default IPv6 policies
|
|
# IPV6_PINPUT set to DROP is different from IPV6_BLOCKINCOMING,
|
|
# as BLOCKINCOMING only blocks syn packets for TCP while still
|
|
# allowing established connections even if connection tracking is off.
|
|
# BLOCKINCOMING does however, deny all incoming UDP just like INPUT=DROP does.
|
|
IPV6_PINPUT=ALLOW
|
|
IPV6_POUTPUT=ALLOW
|
|
IPV6_PFORWARD=DROP
|
|
|
|
# Allow outgoing DNS requests - important if you did not activate connection
|
|
# tracking. Set this to the interfaces you wish to use for outgoing requests
|
|
# plus the IP addresses of your upstream servers (recommended up to 3) if you need to.
|
|
#IPV6_DNS_REQUESTS_OUT="eth0|2001::1|2001::2|2001::3 eth1"
|
|
|
|
# Default block all incoming ipv6 connections?
|
|
#IPV6_BLOCKINCOMING=1
|
|
|
|
# Special case for routers that have ipv6 clients behind them.
|
|
# Useful if clients do not have proper ipv6 firewalls. Give list
|
|
# of IPv6 netblocks to enable this on.
|
|
#IPV6_ROUTEDCLIENTBLOCK=""
|
|
|
|
# IP range(s) to forward
|
|
#IPV6_ROUTING=$BASEDIR/conf/ipv6-routing
|
|
|
|
# Mark ipv6 packets for advanced purposes
|
|
#IPV6_MARK=$BASEDIR/conf/ipv6-marks
|
|
|
|
# IPv6 Ranges to block all traffic incoming/outgoing
|
|
#IPV6_BLOCKEDIP=$BASEDIR/conf/ipv6-blocked
|
|
|
|
# Clamp MSS, useful on DSL/VPN links
|
|
# Space separated list of interfaces to apply this on
|
|
# it may be used eventually.
|
|
#IPV6_CLAMPMSS="he-ipv6"
|
|
|
|
# Interface IPv6 comes in on (either tunnel or real network interface)
|
|
#IPV6_INT=he-ipv6
|
|
|
|
# LAN interface for IPv6
|
|
#IPV6_LAN=eth1
|
|
|
|
# Trusted IPv6 ranges
|
|
#IPV6_TRUSTED="::1"
|
|
|
|
# Do we run a LAN DHCP server? Put the interfaces here
|
|
# where this server is providing services.
|
|
#IPV6_LANDHCPSERVER="eth0 eth1"
|
|
|
|
# Allowed incoming IPv6 ports (for now, use $TCPPORTS and $UDPPORTS to
|
|
# have same for both ipv4 and ipv6)
|
|
#IPV6_TCPPORTS=$TCPPORTS
|
|
#IPV6_UDPPORTS=$UDPPORTS
|
|
|
|
# Allowed IPv6 IPs and ports
|
|
# this is a more advanced form of IPV6_TCPPORTS and IPV6_UDPPORTS,
|
|
# and will eventually replace it
|
|
#IPV6_ALLOWED=$BASEDIR/conf/ipv6-allowed
|
|
|
|
# IPv6 range to forward
|
|
#IPV6_FORWARDRANGE=""
|
|
|
|
# Allow critical ICMP messages to go through, such as packet too big.
|
|
# You should _really_ make sure you don't disable this if you have any
|
|
# kind of MTU changes inside or outside your network.
|
|
# Allows: time-exceeded packet-too-big
|
|
IPV6_ICMP_CRITICAL=1
|
|
|
|
# Allow other common IPV6 ICMP messages through the firewall. Though not
|
|
# really critical, these can help with general IPv6 usage/diagnostic
|
|
# Allows: destination-unreachable parameter-problem
|
|
#IPV6_ICMP_OPT=1 |