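# IPv4 Specific Configuration File
#
# Shell-style key="value" settings; each option below is documented
# with the values it accepts and the shipped default. Unless stated
# otherwise, the Enable*/Allow* switches take no | yes.

# Allow everything over loopback (lo/127.0.0.0/8)
# Good idea to keep this turned on, but you can disable it here
# if you need to.
# Values: no | yes (default)
AllowAllv4Loopback="yes"

# Very early rules that allow trusted machines to access this machine.
# Rather important: it helps keep you from getting locked out should
# the firewalling rules go bad.
#
# IMPORTANT: Hosts put in the trusted file will have complete and
# unfettered access to the host, ignoring all other rules. Every entry
# in that file is a full bypass of everything configured below, so keep
# the list short and limited to hosts that genuinely need it.
#
# Config file: ipv4/trusted.conf
# Values: no | yes (default)
EnableTrustedv4Hosts="yes"

# Enable MSS clamping to work around MTU size issues on network links
# such as PPPoE and wireless.
# Config file: ipv4/mss-clamp.conf
# Values: no | yes (default)
Enablev4MSSClamp="yes"

# Enable connection tracking features of netfilter/iptables.
# Connection tracking allows the firewall to be smart about which
# packets it allows and refuses. On highly loaded systems or ones with
# low memory, turning it off may be desirable. Everyone else should
# probably leave this on.
# Depended on by: Enablev4NAT Enablev4ConnTrackInterfaces Enablev4NetfilterModules
# Loadv4NetfilterModules
# Values: no | yes (default)
Enablev4ConnectionTracking="yes"

# Interfaces on which to enable connection tracking by default.
# List of interfaces on which ESTABLISHED, RELATED, and INVALID rules
# are enabled by default. Normally this is helpful and a good idea.
# Some people with specific requirements may want to disable it and
# do it manually in the custom rules.
# Values: none | all (default) | interface name
Enablev4ConnTrackInterfaces="all"

# Use /etc/resolv.conf as the source for the DNS servers that we
# communicate with as a client. If you turn this off (recommended if
# on a static IP), then you will need to manually define the DNS
# servers you use (see DNSClientManualv4Servers below).
# Without conntrack rules allowing established/related, DNS traffic
# may be blocked and cause issues.
# Values: no | yes (default)
DNSClientUsev4ResolvConf="yes"
ResolvConfv4File="/etc/resolv.conf"

# Uncomment below if you set DNSClientUsev4ResolvConf to no. You can
# still manually define your servers here if you want; useful at times.
# Values: space separated IP list of DNS servers
#DNSClientManualv4Servers=""

# Enable the Services access list.
# This allows you to define services on the local machine that you
# want to be accessible to the world.
# Config file: ipv4/services.conf
# Values: no | yes (default)
Enablev4Services="yes"

# Enable the EasyBlock access list.
# This is a simple/easy way to block traffic in or out, with no complex
# options. Use the Filter options for more complex ACLs.
# Config file: ipv4/easyblock.conf
# Values: no | yes (default)
Enablev4EasyBlock="yes"

# Enable IPv4 filtering rules.
# This allows you to define complex access control list / filtering
# rules.
# Config file: ipv4/acl.conf
# Values: no | yes (default)
Enablev4Filtering="yes"

# Enable IPv4 forwarding rules.
# This allows you to define forwarding rules.
# Config file: ipv4/forward.conf
# Values: no | yes (default)
Enablev4Forwarding="yes"

# Enable IPv4 NAT/NETMAP rules.
# This allows you to set up NAT rules: SNAT, MASQ, and NETMAP.
# Config file: ipv4/nat.conf
# Requires: Enablev4ConnectionTracking="yes"
# Values: no | yes (default)
Enablev4NAT="yes"

# Enable IPv4 Port Forwarding rules.
# This allows you to set up port forwarding rules to allow external
# access to internal machines.
# Config file: ipv4/portfw.conf
# Values: no | yes (default)
Enablev4PortForwarding="yes"

# Enable loading of helper modules.
# Load kernel modules for the various helpers/ALGs that netfilter has
# available. You may need to modify the Loadv4NetfilterModules option,
# as on a particular system some kernel modules may not exist or may
# have been renamed.
# Values: no | yes (default)
Enablev4NetfilterModules="yes"

# List of kernel netfilter modules to load.
# Default: nf_conntrack_ftp nf_conntrack_h323 nf_conntrack_irc
#          nf_conntrack_pptp nf_conntrack_proto_dccp nf_conntrack_proto_gre
#          nf_conntrack_proto_sctp nf_conntrack_proto_udplite nf_conntrack_sip
#          nf_conntrack_broadcast nf_conntrack_tftp
Loadv4NetfilterModules="nf_conntrack_ftp nf_conntrack_h323 nf_conntrack_irc nf_conntrack_pptp nf_conntrack_proto_dccp nf_conntrack_proto_gre nf_conntrack_proto_sctp nf_conntrack_proto_udplite nf_conntrack_sip nf_conntrack_broadcast nf_conntrack_tftp"

# These are loaded as well if you have Enablev4NAT set to yes.
# Default: nf_nat_ftp nf_nat_h323 nf_nat_irc nf_nat_pptp nf_nat_proto_dccp
#          nf_nat_proto_gre nf_nat_proto_sctp nf_nat_proto_udplite nf_nat_sip
#          nf_nat_tftp
Loadv4NetfilterModulesNAT="nf_nat_ftp nf_nat_h323 nf_nat_irc nf_nat_pptp nf_nat_proto_dccp nf_nat_proto_gre nf_nat_proto_sctp nf_nat_proto_udplite nf_nat_sip nf_nat_tftp"

# Default policy for filtering rules.
# netfilter/iptables has a default policy that can be set, such as
# DROP all unless it is explicitly allowed via rules.
# Values: ACCEPT (default) | DROP
#
# Please note that if you do not specify policies, they will default to
# ACCEPT, which may not be what you want: with ACCEPT, anything not
# explicitly blocked by the rules above gets through. A DROP input
# policy with explicit allows (ipv4/services.conf, ipv4/acl.conf) is
# the fail-closed choice; make sure ipv4/trusted.conf covers your
# management host before switching so you do not lock yourself out.
Defaultv4InPolicy="ACCEPT"
Defaultv4OutPolicy="ACCEPT"
Defaultv4FwdPolicy="ACCEPT"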