89 lines
		
	
	
		
			1.9 KiB
		
	
	
	
		
			Plaintext
		
	
	
		
			Executable File
		
	
	
	
	
			
		
		
	
	
			89 lines
		
	
	
		
			1.9 KiB
		
	
	
	
		
			Plaintext
		
	
	
		
			Executable File
		
	
	
	
	
| # This is for testing purposes.
 | |
| IPTABLES=/bin/true
 | |
| IP6TABLES=/bin/true
 | |
| 
 | |
| # Uncomment below to actually activate firewall
 | |
| #IPTABLES=/sbin/iptables
 | |
| #IP6TABLES=/sbin/ip6tables
 | |
| 
 | |
| # Don't forget to rename this file to 'options'!
 | |
| 
 | |
| # I'm trying to make this config as simple as possible.  Comment out
 | |
| # options you don't want to use, uncomment them to use them.
 | |
| 
 | |
| # Do we want NAT/Conntrack/Forward features?
 | |
| NAT=1
 | |
| CONNTRACK=1
 | |
| FORWARD=1
 | |
| 
 | |
| # Blocking incoming connections by default?
 | |
| BLOCKINCOMING=1
 | |
| 
 | |
| # Clamp MSS, useful on DSL/VPN links
 | |
| #CLAMPMSS=ppp0
 | |
| 
 | |
| # Do we run a LAN DHCP server?
 | |
| LANDHCPSERVER=1
 | |
| 
 | |
| # Port forwardings, requires NAT
 | |
| PORTFW=$BASEDIR/port-forwards
 | |
| 
 | |
| # TCP/UDP/Protocol to allow
 | |
| TCPPORTS="20 21 22 53 80 113 123 443"
 | |
| UDPPORTS="53"
 | |
| 
 | |
| # common protocols to allow include ipsec, gre, and ipv6
 | |
| ALLOWEDPROTO="41 47 50 51"
 | |
| 
 | |
| # IPs that are allowed to bypass firewall
 | |
| TRUSTEDIP="127.0.0.1"
 | |
| 
 | |
| # Don't track these IPs, useful in some occasions.  Don't
 | |
| # use otherwise.
 | |
| DONTTRACK="127.0.0.1"
 | |
| 
 | |
| # IP range(s) to forward
 | |
| ROUTING=$BASEDIR/ipv4-routing
 | |
| 
 | |
| # IP ranges(s) to NAT using SNAT.
 | |
| NATRANGE="192.168.1.0/24"
 | |
| 
 | |
| # External IP and interface for SNAT
 | |
| NATEXTIP="172.16.1.1"
 | |
| NATEXTIF="eth0"
 | |
| 
 | |
| # IP Ranges to block all traffic incoming/outgoing
 | |
| BLOCKEDIP=$BASEDIR/blocked
 | |
| 
 | |
| 
 | |
| # IPv6 related features.  Commenting out IPV6 variable disables ALL
 | |
| # IPv6 related items
 | |
| IPV6=1
 | |
| 
 | |
| # IPv6 Forwarding
 | |
| #IPV6FORWARD=1
 | |
| 
 | |
| # Default block all incoming ipv6 connections?
 | |
| IPV6BLOCKINCOMING=1
 | |
| 
 | |
| # Special case for routers that have ipv6 clients behind them.
 | |
| # Useful if clients do not have proper ipv6 firewalls.
 | |
| #IPV6ROUTEDCLIENTBLOCK=1
 | |
| 
 | |
| # Interface IPv6 comes in on (either tunnel or real network interface)
 | |
| #IPV6INT=he-ipv6
 | |
| 
 | |
| # LAN interface for IPv6
 | |
| #IPV6LAN=eth1
 | |
| 
 | |
| # Trusted IPv6 ranges
 | |
| IPV6TRUSTED="::1"
 | |
| 
 | |
| # Allowed incoming IPv6 ports (for now, use $TCPPORTS and $UDPPORTS to
 | |
| # have same for both ipv4 and ipv6)
 | |
| IPV6TCP=$TCPPORTS
 | |
| IPV6UDP=$UDPPORTS
 | |
| 
 | |
| # IPv6 range to forward
 | |
| #IPV6FORWARDRANGE=""
 |