# IPv4 Specific Configuration File # # Allow everything over loopback (lo/127.0.0.0/8) # Good idea to keep this turned on, but if you so wish to, # you can disable it here. # Values: no | yes (default) AllowAllv4Loopback="yes" # Very early on rules to allow for trusted machines to access # this machine. Rather important and helps keep you from getting # locked out should the firewalling rules go bad. # # IMPORTANT: Hosts put in the trusted file will have complete # and unfettered access to the host, ignoring all other rules. # # Config file: ipv4/trusted.conf # Values: no | yes (default) EnableTrustedv4Hosts="yes" # Enable MSS clamping to work around MTU size issues # on network links such as PPPoE and wireless # Config file: ipv4/mss-clamp.conf # Values: no | yes (default) Enablev4MSSClamp="yes" # Enable connection tracking features of netfilter/iptables # conntracking allows the firewall to be smart about what # packets it allows and refuses. On highly loaded systems or # ones with low memory, this may be desirable. Everyone else # should probably leave this on. # Depended on by: Enablev4NAT Enablev4ConnTrackInterfaces Enablev4NetfilterModules # Loadv4NetfilterModules # Values: no | yes (default) Enablev4ConnectionTracking="yes" # Interfaces to enable connection tracking by default # List of interfaces to enable ESTABLISHED, RELATED, and INVALID on # by default. Normally, this is helpful and a good idea. Some # people with specific requirements may want to disable and do manually # in the custom rules. # Values: none | all (default)| interface name Enablev4ConnTrackInterfaces="all" # Use /etc/resolv.conf as source for DNS servers that we communicate # with as a client. If you turn this off (recommended if on static IP), # then you will need to manually define the DNS servers you use. # Without conntrack rules allowing established/related, DNS traffic may # be blocked and cause issues. # Values: no | yes (default) DNSClientUsev4ResolvConf="yes" ResolvConfv4File="/etc/resolv.conf" # Uncomment below if you set above to no. You can still manually define your servers # here if you want. Useful at times. # Values: space separated IP list of DNS servers #DNSClientManualv4Servers="" # Enable the Services access list # This allows you to define services on the local # machine that you want to be accessible to the world. # Config file: ipv4/services.conf # Values: no | yes (default) Enablev4Services="yes" # Enable the EasyBlock access list # This is a simple/easy way to block traffic in or out, # no complex options. Use the Filter options for more # complex ACLs # Config file: ipv4/easyblock.conf # Values: no | yes (default) Enablev4EasyBlock="yes" # Enable IPv4 filtering rules # This allows you to define complex access control list / # filtering rules. # Config file: ipv4/acl.conf # Values: no | yes (default) Enablev4Filtering="yes" # Enable IPv4 forwarding rules # This allows you to define forwarding rules # Config file: ipv4/forward.conf # Values: No | yes (default) Enablev4Forwarding="yes" # Enable IPv4 NAT/NETMAP rules # This allows you to set up NAT rules, SNAT, MASQ, and NETMAP # Config file: ipv4/nat.conf # Requires: Enablev4ConnectionTracking="yes" # Values: no | yes (default) Enablev4NAT="yes" # Enable IPv4 Port Forwarding rules # This allows you to set up port forwarding rules to allow # external access to internal machines # Config file: ipv4/portfw.conf # Values: no | yes (default) Enablev4PortForwarding="yes" # Enable loading of helper modules # Load kernel modules for various helpers/ALGs that netfilter # has available. You may need to modify the Loadv4NetfilterModules # option as sometimes kernel modules may not exist or be renamed on # a particular system. # Values: no | yes (default) Enablev4NetfilterModules="yes" # List of kernel netfilter modules to Load # Default: nf_conntrack_ftp nf_conntrack_h323 nf_conntrack_irc # nf_conntrack_pptp nf_conntrack_proto_dccp nf_conntrack_proto_gre # nf_conntrack_proto_sctp nf_conntrack_proto_udplite nf_conntrack_sip # nf_conntrack_broadcast Loadv4NetfilterModules="nf_conntrack_ftp nf_conntrack_h323 nf_conntrack_irc nf_conntrack_pptp nf_conntrack_proto_dccp nf_conntrack_proto_gre nf_conntrack_proto_sctp nf_conntrack_proto_udplite nf_conntrack_sip nf_conntrack_broadcast nf_conntrack_tftp" # These are loaded as well if you have Enablev4NAT set to yes # Default: nf_nat_ftp nf_nat_h323 nf_nat_irc nf_nat_pptp nf_nat_proto_dccp # nf_nat_proto_gre nf_nat_proto_sctp nf_nat_proto_udplite nf_nat_sip Loadv4NetfilterModulesNAT="nf_nat_ftp nf_nat_h323 nf_nat_irc nf_nat_pptp nf_nat_proto_dccp nf_nat_proto_gre nf_nat_proto_sctp nf_nat_proto_udplite nf_nat_sip" # Default policy for filtering rules # netfilter/iptables has a default policy that can be set, such as # DROP all unless it is explicitly allowed via rules. # Values: ACCEPT (default) | DROP # Please note if you do not specify policies, they will default to # ACCEPT, which may not be what you want. Defaultv4InPolicy="ACCEPT" Defaultv4OutPolicy="ACCEPT" Defaultv4FwdPolicy="ACCEPT"