# IPv4 Specific Configuration File
#

# Allow everything over loopback (lo ::1/28)
# Good idea to keep this turned on, but if you so wish to,
# you can disable it here.
# Values: no | yes (default)
AllowAllv6Loopback="yes"

# Very early on rules to allow for trusted machines to access
# this machine.  Rather important and helps keep you from getting
# locked out should the firewalling rules go bad.
#
# IMPORTANT:  Hosts put in the trusted file will have complete
# and unfettered access to the host, ignoring all other rules.
#
# Config file: ipv6/trusted.conf
# Values: no | yes (default)
EnableTrustedv6Hosts="yes"

# Enable MSS clamping to work around MTU size issues
# on network links such as PPPoE and wireless
# Config file: ipv6/mss-clamp.conf
# Values: no | yes (default)
Enablev6MSSClamp="yes"

# Enable connection tracking features of netfilter/iptables
# conntracking allows the firewall to be smart about what
# packets it allows and refuses.  On highly loaded systems or
# ones with low memory, this may be desirable.  Everyone else
# should probably leave this on.
# Depended on by: Enablev6NAT Enablev6ConnTrackInterfaces
# Values: no | yes (default)
Enablev6ConnectionTracking="yes"

# Interfaces to enable connection tracking by default
# List of interfaces to enable ESTABLISHED, RELATED, and INVALID on
# by default.  Normally, this is helpful and a good idea.  Some
# people with specific requirements may want to disable and do manually
# in the custom rules.
# Values: none | all (default)| interface name
Enablev6ConnTrackInterfaces="all"

# Use /etc/resolv.conf as source for DNS servers that we communicate
# with as a client.  If you turn this off (recommended if on static IP),
# then you will need to manually define the DNS servers you use.
# Without conntrack rules allowing established/related, DNS traffic may
# be blocked and cause issues.
# Values: no | yes (default)
DNSClientUsev6ResolvConf="yes"
ResolvConfv6File="/etc/resolv.conf"

# Uncomment below if you set above to no.  You can still manually define your servers
# here if you want.  Useful at times.
# Values: space separated IP list of DNS servers
#DNSClientManualv6Servers=""

# Enable the Services access list
# This allows you to define services on the local
# machine that you want to be accessible to the world.
# Config file: ipv6/services.conf
# Values: no | yes (default)
Enablev6Services="yes"

# Enable the EasyBlock access list
# This is a simple/easy way to block traffic in or out,
# no complex options.  Use the Filter options for more
# complex ACLs
# Config file: ipv6/easyblock.conf
# Values: no | yes (default)
Enablev6EasyBlock="yes"

# Enable IPv6 filtering rules
# This allows you to define complex access control list /
# filtering rules.
# Config file: ipv6/acl.conf
# Values: no | yes (default)
Enablev6Filtering="yes"

# Enable IPv6 forwarding rules
# This allows you to define forwarding rules
# Config file: ipv6/forward.conf
# Values: No | yes (default)
Enablev6Forwarding="yes"

# Enable IPv6 NAT/NETMAP rules
# This allows you to set up NAT rules, SNAT, MASQ, and NETMAP
# Config file: ipv6/nat.conf
# Requires: Enablev6ConnectionTracking="yes"
# Values: no | yes (default)
Enablev6NAT="yes"

# Enable IPv6 Port Forwarding rules
# This allows you to set up port forwarding rules to allow
# external access to internal machines
# Config file: ipv6/portfw.conf
# Values: no | yes (default)
Enablev6PortForwarding="yes"

# Enable loading of helper modules
# Load kernel modules for various helpers/ALGs that netfilter
# has available. You may need to modify the Loadv4NetfilterModules
# option as sometimes kernel modules may not exist or be renamed on
# a particular system.
# This is set to no by default on ipv6 because on my test system, I do not
# see any usable helper modules for ipv6 use.  Obviously this may change
# in the future.
# Values: no (default) | yes
Enablev6NetfilterModules="no"

# List of kernel netfilter modules to Load
# Default: none
Loadv6NetfilterModules=""

# These are loaded as well if you have Enablev4NAT set to yes
# Default: none
Loadv6NetfilterModulesNAT=""

# Default policy for filtering rules
# netfilter/iptables has a default policy that can be set, such as
# DROP all unless it is explicitly allowed via rules.
# Values: ACCEPT (default) | DROP
# Please note if you do not specify policies, they will default to
# ACCEPT, which may not be what you want.
Defaultv6InPolicy="ACCEPT"
Defaultv6OutPolicy="ACCEPT"
Defaultv6FwdPolicy="ACCEPT"