~ubuntu-branches/ubuntu/maverick/arno-iptables-firewall/maverick
» Revision
4
: etc/arno-iptables-firewall/firewall.conf.example
« back to all changes in this revision
Viewing changes to etc/arno-iptables-firewall/firewall.conf.example
- browse files at revision 4
- compare with another revision
- download diff
- download tarball
- view history from revision 4
- Committer: Bazaar Package Importer
- Author(s): Michael Hanke
- Date: 2006-10-30 08:18:55 UTC
- mfrom: (1.1.1 upstream)
- Revision ID: james.westby@ubuntu.com-20061030081855-xwbqq0v9ussymjk7
Tags: 1.8.8.c-1
New upstream release (fixed MAC-filter).
- files added:
- debian/NEWS.Debian
- debian/patches
- etc
- etc/arno-iptables-firewall
- etc/arno-iptables-firewall/plugins
- man
- files removed:
- arno-fwfilter.1
- files modified:
- CHANGELOG
added
removed
etc/arno-iptables-firewall/firewall.conf.example
1
------------------------- EXAMPLE(!) Configuration file -----------------------
2
# -= Arno's iptables firewall =-
3
# Single- & multi-homed firewall script with DSL/ADSL support
4
#
5
# (C) Copyright 2001-2006 by Arno van Amersfoort
6
# Homepage : http://rocky.eld.leidenuniv.nl/
7
# Freshmeat : http://freshmeat.net/projects/iptables-firewall/?topic_id=151
8
# Email : arnova AT rocky DOT eld DOT leidenuniv DOT nl
9
# (note: you must remove all spaces and substitute the @ and the .
10
# at the proper locations!)
11
# -----------------------------------------------------------------------------
12
# This program is free software; you can redistribute it and/or modify it under
13
# the terms of the GNU General Public License as published by the Free Software
14
# Foundation; either version 2 of the License, or (at your option) any later
15
# version.
16
17
# This program is distributed in the hope that it will be useful, but WITHOUT
18
# ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
19
# FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for
20
# more details.
21
22
# You should have received a copy of the GNU General Public License along with
23
# this program; if not, write to the Free Software Foundation Inc., 59 Temple
24
# Place - Suite 330, Boston, MA 02111-1307, USA.
25
# -----------------------------------------------------------------------------
26
27
28
# Location of the iptables-binary (use 'locate iptables' or 'whereis iptables'
29
# to manually locate it).
30
# -----------------------------------------------------------------------------
31
IPTABLES="/sbin/iptables"
32
33
###############################################################################
34
# External (internet) interface settings #
35
###############################################################################
36
37
# The external interface(s) that will be protected (and used as internet
38
# connection). This is probably ppp+ or dsl+ for non-transparent(!) (A)DSL
39
# modems otherwise it's probably "ethX" (eg. eth0). Multiple interfaces should
40
# be space separated.
41
# -----------------------------------------------------------------------------
42
EXT_IF="ppp+"
43
44
# Enable if THIS machines (dynamically) obtains its IP through DHCP (from your
45
# ISP).
46
# -----------------------------------------------------------------------------
47
EXT_IF_DHCP_IP=0
48
49
# (EXPERT SETTING!) Here you can specify your external(!) subnet(s). You should
50
# only use this if you for example have a corporate network and/or running a
51
# DHCP server on your external(!) interface. Home users should normally NOT
52
# touch this setting. Multiple subnets should be space separated.
53
# Don't forget to specify a proper subnet masker (eg. /24, /16 or /8)!
54
# -----------------------------------------------------------------------------
55
EXTERNAL_NET=""
56
57
# (EXPERT SETTING!) Here you can specify the IP address used for broadcasts
58
# on your external subnet. You only need to set this option if you want to use
59
# the BROADCAST_XXX_NOLOG variables AND you use a non-standard broadcast
60
# address (not *.255.255.255, *.*.255.255 or *.*.*.255)! So normally leaving
61
# this empty should work fine. Multiple addresses (if you have more than one
62
# external interface) should be space separated.
63
# -----------------------------------------------------------------------------
64
EXT_NET_BCAST_ADDRESS=""
65
66
# Enable this if THIS MACHINE is running a DHCP(BOOTP) server for a subnet on
67
# the external(!) interface. Note that you don't need this for internal
68
# subnets, as for these nets everything is accepted by default. Don't forget to
69
# configure the EXTERNAL_NET variable, to make this work.
70
# -----------------------------------------------------------------------------
71
EXTERNAL_DHCP_SERVER=0
72
73
74
###############################################################################
75
# (ADSL) Modem settings #
76
# #
77
# The MODEM_xxx options should (only) be used when you have an ((A)DSL) #
78
# modem which works with a ppp-connection between the modem and the #
79
# host the modem is connected to. #
80
# #
81
# You can check whether this applies for your (hardware) setup with #
82
# 'ifconfig' (a 'ppp' device is shown). #
83
# This means that if your modem is bridging or an NAT router) or the #
84
# network interface the modem is connected to doesn't have an IP, you #
85
# should leave the MODEM_xxx options disabled (=default)! #
86
###############################################################################
87
88
# The physical(!) network interface your ADSL modem is connected to (this is
89
# not ppp0!).
90
# -----------------------------------------------------------------------------
91
#MODEM_IF="eth1"
92
93
# (optional) The IP of the network interface (MODEM_IF) your ADSL modem is
94
# connected to (IP shown for the modem interface (MODEM_IF) in 'ifconfig').
95
# -----------------------------------------------------------------------------
96
#MODEM_IF_IP="10.0.0.150"
97
98
# (optional) The IP of your (A)DSL modem itself.
99
# -----------------------------------------------------------------------------
100
#MODEM_IP="10.0.0.138"
101
102
# (EXPERT SETTING!). Here you can specify the hosts/local net(s) that should
103
# have access to the (A)DSL modem itself (manage modem settings, if supported
104
# by your modem!). The default setting ("$INTERNAL_NET") allows access from
105
# everybody on your LAN.
106
# -----------------------------------------------------------------------------
107
MODEM_INTERNAL_NET="$INTERNAL_NET"
108
109
110
###############################################################################
111
# Internal (LAN) interface settings #
112
###############################################################################
113
114
# Specify here your internal network (LAN) interface(s). Multiple(!) interfaces
115
# should be space separated. Remark this if you don't have any internal network
116
# interfaces. Note that by default ALL traffic is accepted from these
117
# interfaces.
118
# -----------------------------------------------------------------------------
119
INT_IF="eth0"
120
121
# Specify here the internal subnet which is connected to the internal interface
122
# (INT_IF). For multiple interfaces(!) you can either specify multiple subnets
123
# here or specify one big subnet for all internal interfaces. Note that this
124
# variable is mainly used for antispoofing.
125
# -----------------------------------------------------------------------------
126
INTERNAL_NET="192.168.0.0/24"
127
128
# (EXPERT SETTING!) Here you can specify the IP address used for broadcasts
129
# on your internal subnet. You only need to set this option if you want to use
130
# the MAC filter AND you use a non-standard broadcast address
131
# (not *.255.255.255, *.*.255.255 or *.*.*.255)! So normally leaving
132
# this empty should work fine. Multiple addresses (if you have multiple
133
# internal nets) should be space separated.
134
# -----------------------------------------------------------------------------
135
INT_NET_BCAST_ADDRESS=""
136
137
# Uncomment & specify here the location of the file that contains the MAC
138
# addresses of INTERNAL hosts that are allowed. The MAC addresses should be
139
# written like 00:11:22:33:44:55
140
# Note that the last line of this
141
# file should always contain a carriage-return (enter)!
142
# -----------------------------------------------------------------------------
143
#MAC_ADDRESS_FILE=/etc/arno-iptables-firewall/mac-addresses
144
145
146
###############################################################################
147
# DMZ (aka DeMilitarized Zone) settings #
148
###############################################################################
149
150
# Put in the following variable the network interfaces that are DMZ-classified.
151
# You can also use this interface if you want to shield your Wireless network
152
# from your LAN.
153
# -----------------------------------------------------------------------------
154
DMZ_IF=""
155
156
# Specify here the subnet which is connected to the DMZ interface (DMZ_IF).
157
# For multiple interfaces(!) you can either specify multiple subnets here or
158
# specify one big subnet for all DMZ interfaces.
159
# -----------------------------------------------------------------------------
160
DMZ_NET=""
161
162
163
###############################################################################
164
# NAT (Masquerade, SNAT, DNAT) settings #
165
###############################################################################
166
167
# Enable this if you want to perform NAT (masquerading) for your internal
168
# network (LAN) (eg. share your internet connection with your internal
169
# net(s) connected to eg. INT_IF).
170
# -----------------------------------------------------------------------------
171
NAT=1
172
173
# (EXPERT SETTING!). In case you would like to use SNAT instead of
174
# MASQUERADING then uncomment and set the IP or IP's here of your static
175
# external address(es). Note that when multiple IP's are specified, SNAT
176
# multiroute is enabled (load balancing over multiple external (internet)
177
# interfaces, check the README file for more info). Note that the order of IP's
178
# should match the order of interfaces (they belond to) in $EXT_IF!
179
# -----------------------------------------------------------------------------
180
#NAT_STATIC_IP="193.2.1.1"
181
182
# (EXPERT SETTING!). Use this variable only if you want specific subnets or
183
# hosts to be able to access the internet. When no value is specified, your
184
# whole internal net will have access. In both cases it's obviously only
185
# meaningful when NAT is enabled. Note that you can also use this variable if
186
# you want to use NAT for your DMZ.
187
# -----------------------------------------------------------------------------
188
NAT_INTERNAL_NET="$INTERNAL_NET"
189
190
# NAT TCP/UDP/IP forwards. Forward ports or protocols from the gateway to
191
# an internal client through (D)NAT. Note that you can also use these
192
# variables to forward ports to DMZ hosts.
193
#
194
# TCP/UDP form:
195
# "{SRCIP1,SRCIP2,...:}PORT1,PORT2-PORT3,...>DESTIP1{:port} \
196
# {SRCIP3,...:}PORT3,...>DESTIP2:port}"
197
#
198
# IP form:
199
# "{SRCIP1,SRCIP2,...:}PROTO1,PROTO2,...>DESTIP1 \
200
# {SRCIP3:}PROTO3,PROTO4,...>DESTIP2"
201
#
202
# TCP/UDP port forward examples:
203
# Simple (forward port 80 to internal host 192.168.0.10):
204
# NAT_xxx_FORWARD="80>192.168.0.10"
205
# Advanced (forward port 20 & 21 to 192.168.0.10 and
206
# forward from 1.2.3.4 port 81 to 192.168.0.11 port 80:
207
# NAT_xxx_FORWARD="20,21>192.168.0.10 1.2.3.4:81>192.168.0.11:80"
208
#
209
# IP protocol forward example:
210
# (forward protocols 47 & 48 to 192.168.0.10)
211
# NAT_IP_FORWARD="47,48>192.168.0.10"
212
#
213
# NOTE 1: {:port} is optional. Use it to redirect a specific port to a
214
# different port on the internal client.
215
# NOTE 2: {SRCIPx} is optional. Use it to restrict access for specific source
216
# (inet) IP addresses.
217
# -----------------------------------------------------------------------------
218
NAT_TCP_FORWARD="81>192.168.0.10 1.2.3.4:80>192.168.0.11:9999"
219
NAT_UDP_FORWARD=""
220
NAT_IP_FORWARD=""
221
222
223
224
225
###############################################################################
226
# General settings #
227
###############################################################################
228
229
# Most people don't want to get any firewall logs being spit to the console.
230
# This option makes the kernel ring buffer only log messages with level
231
# "panic".
232
# -----------------------------------------------------------------------------
233
DMESG_PANIC_ONLY=1
234
235
# Enable this if you want TOS mangling (RFC) (recommended).
236
# -----------------------------------------------------------------------------
237
MANGLE_TOS=1
238
239
# Enable this if you want to set the maximum packet size via the
240
# Maximum Segment Size(through MSS field) (recommended).
241
# -----------------------------------------------------------------------------
242
SET_MSS=1
243
244
# Enable this if you want to increase the TTL value by one in the prerouting
245
# chain. This hides the firewall when performing eg. traceroutes to internal
246
# hosts.
247
# -----------------------------------------------------------------------------
248
TTL_INC=0
249
250
# (EXPERT SETTING!) Enable this if you want to set the TTL value for packets in
251
# the OUTPUT & FORWARD chain. Note that this only works with newer 2.6 kernels
252
# (2.6.14 or better) or patched 2.4 kernels, which have netfilter TTL target
253
# support. Don't mess with this unless you really know what you are doing!
254
# -----------------------------------------------------------------------------
255
#PACKET_TTL="64"
256
257
# Enable this to resolve names of DNS IP's etc.
258
# -----------------------------------------------------------------------------
259
RESOLV_IPS=0
260
261
# Enable this to support the IRC-protocol.
262
# -----------------------------------------------------------------------------
263
USE_IRC=0
264
265
# (EXPERT SETTING!). Loosen the forward chain for the external interface(s).
266
# Enable it to allow the use of protocols like UPnP. Note that it *could* be
267
# less secure.
268
# -----------------------------------------------------------------------------
269
LOOSE_FORWARD=0
270
271
# (EXPERT SETTING!). Enable this if you want to drop packets originating from a
272
# private address.
273
# -----------------------------------------------------------------------------
274
DROP_PRIVATE_ADDRESSES=0
275
276
# (EXPERT SETTING!). Protect this machine from being abused for a DRDOS-attack
277
# ("Distributed Reflection Denial Of Service"-attack). (STILL EXPERIMENTAL!)
278
# -----------------------------------------------------------------------------
279
DRDOS_PROTECT=0
280
281
# Enable this if you want to allow/enable IPv6 traffic. Note that my firewall
282
# does NOT filter IPv6 traffic (yet), and thus NO checking is performed on it!
283
# -----------------------------------------------------------------------------
284
IPV6_SUPPORT=0
285
286
# This option fixes problems with SMB broadcasts when using nmblookup
287
# -----------------------------------------------------------------------------
288
NMB_BROADCAST_FIX=1
289
290
# (EXPERT SETTING!). (Other) trusted network interfaces for which ALL IP
291
# traffic should be ACCEPTED. (multiple(!) interfaces should be space
292
# separated). Be warned that anything TO and FROM these interfaces is allowed
293
# (ACCEPTED) so make sure it's NOT routable(accessible) from the outside world
294
# (internet)!
295
# -----------------------------------------------------------------------------
296
TRUSTED_IF=""
297
298
# (EXPERT SETTING!). Put here the (internal) interfaces that should trust
299
# (accept forward traffic) each other.
300
# -----------------------------------------------------------------------------
301
INT_IF_TRUST=""
302
303
# Location of the custom iptables rules file (if any).
304
# -----------------------------------------------------------------------------
305
CUSTOM_RULES=/etc/arno-iptables-firewall/custom-rules
306
307
308
###############################################################################
309
# Logging options - All logging is rate limited to prevent log flooding #
310
###############################################################################
311
312
# Enable logging for explicitly blocked hosts.
313
# -----------------------------------------------------------------------------
314
BLOCKED_HOST_LOG=1
315
316
# Enable logging for various stealth scans (reliable).
317
# -----------------------------------------------------------------------------
318
SCAN_LOG=1
319
320
# Enable logging for possible stealth scans (less reliable).
321
# -----------------------------------------------------------------------------
322
POSSIBLE_SCAN_LOG=1
323
324
# Enable logging for TCP-packets with bad flags.
325
# -----------------------------------------------------------------------------
326
BAD_FLAGS_LOG=1
327
328
# Enable logging of invalid packets. Keep disabled (0) by default to reduce
329
# INVALID packets being logged because of lost (legimate) connections. When
330
# debugging any problems, you should enable it (temporarily)!
331
# -----------------------------------------------------------------------------
332
INVALID_PACKET_LOG=0
333
334
# Enable logging of source IP's with reserved addresses.
335
# -----------------------------------------------------------------------------
336
RESERVED_NET_LOG=1
337
338
# Enable logging of fragmented packets.
339
# -----------------------------------------------------------------------------
340
FRAG_LOG=1
341
342
# Enable logging of denied local (OUTPUT) connections.
343
# -----------------------------------------------------------------------------
344
OUTPUT_DENY_LOG=1
345
346
# Enable logging of denied LAN output (FORWARD) connections.
347
# -----------------------------------------------------------------------------
348
LAN_OUTPUT_DENY_LOG=1
349
350
# Enable logging of denied LAN INPUT connections.
351
# -----------------------------------------------------------------------------
352
LAN_INPUT_DENY_LOG=1
353
354
# Enable logging of denied DMZ output (FORWARD) connections.
355
# -----------------------------------------------------------------------------
356
DMZ_OUTPUT_DENY_LOG=1
357
358
# Enable logging of denied DMZ input (FORWARD) connections.
359
# -----------------------------------------------------------------------------
360
DMZ_INPUT_DENY_LOG=1
361
362
# Enable logging of dropped ICMP-request packets (ping).
363
# -----------------------------------------------------------------------------
364
ICMP_REQUEST_LOG=1
365
366
# Enable logging of dropped "other" ICMP packets.
367
# -----------------------------------------------------------------------------
368
ICMP_OTHER_LOG=1
369
370
# Enable logging of normal connection attempts to privileged TCP ports.
371
# -----------------------------------------------------------------------------
372
PRIV_TCP_LOG=1
373
374
# Enable logging of normal connection attempts to privileged UDP ports.
375
# -----------------------------------------------------------------------------
376
PRIV_UDP_LOG=1
377
378
# Enable logging of normal connection attempts to unprivileged TCP ports.
379
# -----------------------------------------------------------------------------
380
UNPRIV_TCP_LOG=1
381
382
# Enable logging of normal connection attempts to unprivileged UDP ports.
383
# -----------------------------------------------------------------------------
384
UNPRIV_UDP_LOG=1
385
386
# Enable logging of normal connection attempts to "other-IP"-protocols (non
387
# TCP/UDP/ICMP).
388
# -----------------------------------------------------------------------------
389
OTHER_IP_LOG=1
390
391
# Enable logging for ICMP flooding.
392
# -----------------------------------------------------------------------------
393
ICMP_FLOOD_LOG=1
394
395
# Enable logging for not-allowed MAC addresses (if used).
396
# -----------------------------------------------------------------------------
397
MAC_ADDRESS_LOG=1
398
399
# (EXPERT SETTING!). The location of the dedicated firewall log file. When
400
# enabled the firewall script will also log start/stop etc. info to this file
401
# as well. Note that in order to make this work, you should also configure
402
# syslogd to log firewall messages to this file (see LOGLEVEL below for further
403
# info).
404
# -----------------------------------------------------------------------------
405
#FIREWALL_LOG=/var/log/firewall
406
407
# (EXPERT SETTING!). Current log-level ("info": default kernel syslog level)
408
# "debug": can be used to log to /var/log/firewall.log, but you have to configure
409
# syslogd accordingly (see included syslogd.conf examples).
410
# -----------------------------------------------------------------------------
411
LOGLEVEL=info
412
413
# Put in the following variables which hosts you want to log certain incoming
414
# connection attempts for.
415
# TCP/UDP port format (LOG_HOST_xxx_INPUT):
416
# "host1,host2>port1,port2 host3,host4>port3,port4 ..."
417
#
418
# IP protocol format (LOG_HOST_IP_INPUT):
419
# "host1,host2>proto1,proto2 host3,host4>proto4,proto4 ..."
420
# -----------------------------------------------------------------------------
421
LOG_HOST_TCP_INPUT=""
422
LOG_HOST_UDP_INPUT=""
423
LOG_HOST_IP_INPUT=""
424
425
# Put in the following variables which hosts you want to log certain outgoing
426
# connection attempts for.
427
# TCP/UDP port format (LOG_HOST_xxx_OUTPUT):
428
# "host1,host2>port1,port2 host3,host4>port3,port4 ..."
429
#
430
# IP protocol format (LOG_HOST_IP_OUTPUT):
431
# "host1,host2>proto1,proto2 host3,host4>proto4,proto4 ..."
432
# -----------------------------------------------------------------------------
433
LOG_HOST_TCP_OUTPUT=""
434
LOG_HOST_UDP_OUTPUT=""
435
LOG_HOST_IP_OUTPUT=""
436
437
# Put in the following variables which services you want to log incoming
438
# connection attempts for.
439
# -----------------------------------------------------------------------------
440
LOG_TCP_INPUT=""
441
LOG_UDP_INPUT=""
442
LOG_IP_INPUT=""
443
444
# Put in the following variables which services you want to log outgoing
445
# connection attempts for.
446
# -----------------------------------------------------------------------------
447
LOG_TCP_OUTPUT=""
448
LOG_UDP_OUTPUT=""
449
LOG_IP_OUTPUT=""
450
451
# Put in the following variable which hosts you want to log incoming connection
452
# (attempts) for.
453
# -----------------------------------------------------------------------------
454
LOG_HOST_INPUT=""
455
456
# Put in the following variable which hosts you want to log outgoing connection
457
# (attempts) to.
458
# -----------------------------------------------------------------------------
459
LOG_HOST_OUTPUT=""
460
461
462
###############################################################################
463
# /proc based settings (EXPERT SETTINGS!) #
464
###############################################################################
465
466
# Enable for synflood protection (through /proc/.../tcp_syncookies).
467
# -----------------------------------------------------------------------------
468
SYN_PROT=1
469
470
# Enable this to reduce the ability of others DOS'ing your machine.
471
# -----------------------------------------------------------------------------
472
REDUCE_DOS_ABILITY=1
473
474
# Enable to ignore all ICMP echo-requests (IPv4) on ALL interfaces.
475
# -----------------------------------------------------------------------------
476
ECHO_IGNORE=0
477
478
# Enable to log packets with impossible addresses to the kernel log.
479
# -----------------------------------------------------------------------------
480
LOG_MARTIANS=0
481
482
# Only disable this if you're NOT using forwarding (required for NAT etc.) for
483
# increased security.
484
# -----------------------------------------------------------------------------
485
IP_FORWARDING=1
486
487
# Enable if you want to accept ICMP redirect messages. Should be set to "0" in
488
# case of a router.
489
# -----------------------------------------------------------------------------
490
ICMP_REDIRECT=0
491
492
# Enable/modify this if you want to be a able to handle a larger (or smaller)
493
# number of simultaneous connections. For high traffic machines I recommend to
494
# use a value of at least 16384 (note that a higher value (obviously) also uses
495
# more memory).
496
# -----------------------------------------------------------------------------
497
CONNTRACK=16384
498
499
# You may need to enable this to get some internet games to work, but note that
500
# it's *less* secure.
501
# -----------------------------------------------------------------------------
502
LOOSE_UDP_PATCH=0
503
504
# Enable ECN (Explicit Congestion Notification) TCP flag. Disabled by default,
505
# as some routers are still not compatible with this.
506
# -----------------------------------------------------------------------------
507
ECN=0
508
509
# Enable to drop connections from non-routable IP's, eg. prevent source
510
# routing. By default the firewall itself also provides rules against source
511
# routing. Note than when you use eg. VPN (Freeswan), you should probably
512
# disable this setting.
513
# -----------------------------------------------------------------------------
514
RP_FILTER=1
515
516
# Protect against source routed packets. Attackers can use source routing to
517
# generate traffic pretending to be from inside your network, but which is
518
# routed back along the path from which it came, namely outside, so attackers
519
# can compromise your network. Source routing is rarely used for legitimate
520
# purposes, so normally you should always leave this enabled(1)!
521
# -----------------------------------------------------------------------------
522
SOURCE_ROUTE_PROTECTION=1
523
524
# Here we set the local port range (ports from which connections are
525
# initiated from our site). Don't mess with this unless you really know what
526
# you are doing!
527
# -----------------------------------------------------------------------------
528
LOCAL_PORT_RANGE="32768 61000"
529
530
# Here you can change the default TTL used for sending packets. The value
531
# should be between 10 and 255. Don't mess with this unless you really know
532
# what you are doing!
533
# -----------------------------------------------------------------------------
534
DEFAULT_TTL=64
535
536
# In most cases pmtu discovery is ok, but in some rare cases (when having
537
# problems) you might want to disable it.
538
# -----------------------------------------------------------------------------
539
NO_PMTU_DISCOVERY=0
540
541
542
###############################################################################
543
# (Transparent) proxy settings (EXPERT SETTINGS!) #
544
###############################################################################
545
#HTTP_PROXY_PORT="3128"
546
HTTPS_PROXY_PORT=""
547
FTP_PROXY_PORT=""
548
SMTP_PROXY_PORT=""
549
POP3_PROXY_PORT=""
550
551
552
###############################################################################
553
# Firewall policies for the LAN (EXPERT SETTINGS!) #
554
###############################################################################
555
556
###############################################################################
557
# LAN_xxx = LAN->localhost(this machine) input access rules #
558
# #
559
# Note that when both LAN_OPEN_xxx & LAN_HOST_OPEN_xxx are NOT used, the #
560
# default policy for this chain is accept (unless denied through #
561
# LAN_DENY_xxx and/or LAN_HOST_DENY_xxx)! #
562
###############################################################################
563
564
# Enable this to allow for ICMP-requests(ping) from your LAN
565
# -----------------------------------------------------------------------------
566
LAN_OPEN_ICMP=1
567
568
# Put in the following variables the TCP/UDP ports or IP protocols TO
569
# (remote end-point) which the LAN hosts are permitted to connect to.
570
# -----------------------------------------------------------------------------
571
LAN_OPEN_TCP=""
572
LAN_OPEN_UDP=""
573
LAN_OPEN_IP=""
574
575
# Put in the following variables the TCP/UDP ports or IP protocols TO (remote
576
# end-point) which LAN hosts are NOT permitted to connect to.
577
# -----------------------------------------------------------------------------
578
LAN_DENY_TCP=""
579
LAN_DENY_UDP=""
580
LAN_DENY_IP=""
581
582
# Put in the following variables the TCP/UDP ports or IP
583
# protocols TO (remote end-point) which certain LAN hosts are
584
# permitted to connect to.
585
#
586
# TCP/UDP port format (LAN_INPUT_HOST_OPEN_xxx):
587
# "host1,host2>port1,port2 host3,host4>port3,port4 ..."
588
#
589
# IP protocol format (LAN_INPUT_HOST_OPEN_xxx):
590
# "host1,host2>proto1,proto2 host3,host4>proto3,proto4 ..."
591
# -----------------------------------------------------------------------------
592
LAN_HOST_OPEN_TCP=""
593
LAN_HOST_OPEN_UDP=""
594
LAN_HOST_OPEN_IP=""
595
596
# Put in the following variables the TCP/UDP ports or IP protocols TO (remote
597
# end-point) which certain LAN hosts are NOT permitted to connect to.
598
#
599
# TCP/UDP port format (LAN_INPUT_HOST_DENY_xxx):
600
# "host1,host2>port1,port2 host3,host4>port3,port4 ..."
601
#
602
# IP protocol format (LAN_INPUT_HOST_DENY_xxx):
603
# "host1,host2>proto1,proto2 host3,host4>proto3,proto4 ..."
604
# -----------------------------------------------------------------------------
605
LAN_HOST_DENY_TCP=""
606
LAN_HOST_DENY_UDP=""
607
LAN_HOST_DENY_IP=""
608
609
610
###############################################################################
611
# LAN_INET_xxx = LAN->internet access rules (forward) #
612
# #
613
# Note that when both LAN_INET_OPEN_xxx & LAN_INET_HOST_OPEN_xxx are NOT #
614
# used, the default policy for this chain is accept (unless denied #
615
# through LAN_INET_DENY_xxx and/or LAN_INET_HOST_DENY_xxx)! #
616
###############################################################################
617
618
# Enable this to allow for ICMP-requests(ping) for LAN->INET
619
# -----------------------------------------------------------------------------
620
LAN_INET_OPEN_ICMP=1
621
622
# Put in the following variables the TCP/UDP ports or IP
623
# protocols TO (remote end-point) which the LAN hosts are
624
# permitted to connect to via the external (internet) interface.
625
# -----------------------------------------------------------------------------
626
LAN_INET_OPEN_TCP=""
627
LAN_INET_OPEN_UDP=""
628
LAN_INET_OPEN_IP=""
629
630
# Put in the following variables the TCP/UDP ports or IP protocols TO (remote
631
# end-point) which the LAN hosts are NOT permitted to connect to
632
# via the external (internet) interface. Examples of usage are for blocking
633
# IRC (TCP 6666:6669) for the internal network.
634
# -----------------------------------------------------------------------------
635
LAN_INET_DENY_TCP=""
636
LAN_INET_DENY_UDP=""
637
LAN_INET_DENY_IP=""
638
639
# Put in the following variables which LAN hosts you want to allow to certain
640
# hosts/services on the internet. By default all services are allowed.
641
#
642
# TCP/UDP form:
643
# "SRCIP1,SRCIP2,...>DESTIP1:port \
644
# SRCIP3,...>DESTIP2:port"
645
#
646
# IP form:
647
# "SRCIP1,SRCIP2,...>DESTIP1:protocol \
648
# SRCIP3,...>DESTIP2:protocol"
649
#
650
# TCP/UDP examples:
651
# Simple:
652
# (Allow port 80 on INET host 1.2.3.4 for all LAN hosts(0/0)):
653
# LAN_INET_HOST_OPEN_xxx="0/0>1.2.3.4:80"
654
# Advanced:
655
# (Allow port 20 & 21 on INET host 1.2.3.4 for all LAN hosts(0/0) and
656
# allow port 80 on INET host 1.2.3.4 for LAN host 192.168.0.10 (only)):
657
# LAN_INET_HOST_OPEN_xxx="0/0>1.2.3.4:20,21 192.168.0.10>80"
658
#
659
# IP protocol example:
660
# (Allow protocols 47 & 48 on INET host 1.2.3.4 for all LAN hosts(0/0))
661
# LAN_INET_HOST_OPEN_IP="0/0>1.2.3.4:47,48"
662
#
663
# NOTE 1: If no SRCIPx is specified, any source host is used
664
# NOTE 2: If no DESTIPx is specified, any destination host is used
665
# NOTE 3: If no port is specified, any port is used
666
# -----------------------------------------------------------------------------
667
LAN_INET_HOST_OPEN_TCP=""
668
LAN_INET_HOST_OPEN_UDP=""
669
LAN_INET_HOST_OPEN_IP=""
670
671
# Put in the following variables which DMZ hosts you want to deny to certain
672
# hosts/services on the internet.
673
#
674
# TCP/UDP form:
675
# "SRCIP1,SRCIP2,...>DESTIP1:port \
676
# SRCIP3,...>DESTIP2:port"
677
#
678
# IP form:
679
# "SRCIP1,SRCIP2,...>DESTIP1:protocol \
680
# SRCIP3,...>DESTIP2:protocol"
681
#
682
# TCP/UDP examples:
683
# Simple (Deny port 80 on INET host 1.2.3.4 for all LAN hosts(0/0)):
684
# LAN_INET_HOST_DENY_xxx="0/0>1.2.3.4:80"
685
# Advanced (Deny port 20 & 21 on INET host 1.2.3.4 for all LAN hosts(0/0) and
686
# deny port 80 on INET host 1.2.3.4 for LAN host 192.168.0.10 (only)):
687
# LAN_INET_HOST_DENY_xxx="0/0>1.2.3.4:20,21 192.168.0.10>1.2.3.4:80"
688
#
689
# IP protocol example:
690
# (Deny protocols 47 & 48 on INET host 1.2.3.4 for all LAN hosts(0/0)):
691
# LAN_INET_HOST_DENY_IP="0/0>1.2.3.4:47,48"
692
#
693
# NOTE 1: If no SRCIPx is specified, any source host is used
694
# NOTE 2: If no DESTIPx is specified, any destination host is used
695
# NOTE 3: If no port is specified, any port is used
696
# -----------------------------------------------------------------------------
697
LAN_INET_HOST_DENY_TCP=""
698
LAN_INET_HOST_DENY_UDP=""
699
LAN_INET_HOST_DENY_IP=""
700
701
702
###############################################################################
703
# Firewall policies for the DMZ (EXPERT SETTINGS!) #
704
###############################################################################
705
706
###############################################################################
707
# DMZ_xxx = DMZ->localhost(this machine) input access rules #
708
###############################################################################
709
710
# Enable this to allow ICMP-requests(ping) from the DMZ
711
# -----------------------------------------------------------------------------
712
DMZ_OPEN_ICMP=1
713
714
# Put in the following variables which DMZ hosts are permitted to connect to
715
# certain the TCP/UDP ports, IP protocols or ICMP. By default all (local)
716
# services are blocked for DMZ hosts.
717
# -----------------------------------------------------------------------------
718
DMZ_OPEN_TCP=""
719
DMZ_OPEN_UDP=""
720
DMZ_OPEN_IP=""
721
722
# Put in the following variables which DMZ hosts you want to allow for certain
723
# services. By default all (local) services are blocked for DMZ hosts.
724
# TCP/UDP port format (DMZ_HOST_OPEN_TCP & DMZ_HOST_OPEN_UDP):
725
# "host1,host2>port1,port2 host3,host4>port3,port4 ..."
726
#
727
# IP protocol format (DMZ_HOST_OPEN_IP):
728
# "host1,host2>proto1,proto2 host3,host4>proto3,proto4 ..."
729
# -----------------------------------------------------------------------------
730
DMZ_HOST_OPEN_TCP=""
731
DMZ_HOST_OPEN_UDP=""
732
DMZ_HOST_OPEN_IP=""
733
734
735
###############################################################################
736
# INET_DMZ_xxx = Internet->DMZ access rules (forward) #
737
# #
738
# Note that when both INET_DMZ_OPEN_xxx & INET_DMZ_HOST_OPEN_xxx are NOT #
739
# used, the default policy for this chain is accept (unless denied #
740
# through INET_DMZ_DENY_xxx and/or INET_DMZ_HOST_DENY_xxx)! #
741
###############################################################################
742
743
# Enable this to make the default policy allow for ICMP(ping) for INET->DMZ
744
# -----------------------------------------------------------------------------
745
INET_DMZ_OPEN_ICMP=0
746
747
# Put in the following variables which INET hosts are permitted to connect to
748
# certain the TCP/UDP ports or IP protocols in the DMZ.
749
# -----------------------------------------------------------------------------
750
INET_DMZ_OPEN_TCP=""
751
INET_DMZ_OPEN_UDP=""
752
INET_DMZ_OPEN_IP=""
753
754
# Put in the following variables which INET hosts are NOT permitted to connect
755
# to certain the TCP/UDP ports or IP protocols in the DMZ.
756
# -----------------------------------------------------------------------------
757
INET_DMZ_DENY_TCP=""
758
INET_DMZ_DENY_UDP=""
759
INET_DMZ_DENY_IP=""
760
761
# Put in the following variables which INET hosts you want to allow to certain
762
# hosts/services on the DMZ net. By default all services are allowed.
763
#
764
# TCP/UDP form:
765
# "SRCIP1,SRCIP2,...>DESTIP1:port \
766
# SRCIP3,...>DESTIP2:port"
767
#
768
# IP form:
769
# "SRCIP1,SRCIP2,...>DESTIP1:protocol \
770
# SRCIP3,...>DESTIP2:protocol"
771
#
772
# TCP/UDP examples:
773
# Simple (Allow port 80 on DMZ host 1.2.3.4 for all INET hosts(0/0)):
774
# INET_DMZ_HOST_OPEN_xxx="0/0>1.2.3.4:80"
775
# Advanced (Allow port 20 & 21 on DMZ host 1.2.3.4 for all INET hosts(0/0) and
776
# allow port 80 on DMZ host 1.2.3.4 for INET host 5.6.7.8 (only)):
777
# INET_DMZ_HOST_OPEN_xxx="0/0>1.2.3.4:20,21 5.6.7.8>1.2.3.4:80"
778
#
779
# IP protocol example:
780
# (Allow protocols 47 & 48 on INET host 1.2.3.4 for all DMZ hosts )
781
# INET_DMZ_HOST_OPEN_IP="0/0>1.2.3.4:47,48"
782
#
783
# NOTE 1: If no SRCIPx is specified, any source host is used
784
# NOTE 2: If no DESTIPx is specified, any destination host is used
785
# NOTE 3: If no port is specified, any port is used
786
# -----------------------------------------------------------------------------
787
INET_DMZ_HOST_OPEN_TCP=""
788
INET_DMZ_HOST_OPEN_UDP=""
789
INET_DMZ_HOST_OPEN_IP=""
790
791
# Put in the following variables which INET hosts you want to deny to certain
792
# hosts/services on the DMZ net.
793
#
794
# TCP/UDP form:
795
# "SRCIP1,SRCIP2,...>DESTIP1:port \
796
# SRCIP3,...>DESTIP2:port"
797
#
798
# IP form:
799
# "SRCIP1,SRCIP2,...>DESTIP1:protocol \
800
# SRCIP3,...>DESTIP2:protocol"
801
#
802
# TCP/UDP examples:
803
# Simple (Deny port 80 on DMZ host 1.2.3.4 for all INET hosts(0/0)):
804
# INET_DMZ_HOST_DENY_xxx="0/0>1.2.3.4:80"
805
# Advanced (Deny port 20 & 21 on DMZ host 1.2.3.4 for all INET hosts(0/0) and
806
# deny port 80 on DMZ host 1.2.3.4 for INET host 5.6.7.8 (only)):
807
# INET_DMZ_HOST_DENY_xxx="0/0>1.2.3.4:20,21 5.6.7.8>1.2.3.4:80"
808
#
809
# IP protocol example:
810
# (Deny protocols 47 & 48 on DMZ host 1.2.3.4 for all INET hosts):
811
# INET_DMZ_HOST_DENY_IP="0/0>1.2.3.4:47,48"
812
#
813
# NOTE 1: If no SRCIPx is specified, any source host is used
814
# NOTE 2: If no DESTIPx is specified, any destination host is used
815
# NOTE 3: If no port is specified, any port is used
816
# -----------------------------------------------------------------------------
817
INET_DMZ_HOST_DENY_TCP=""
818
INET_DMZ_HOST_DENY_UDP=""
819
INET_DMZ_HOST_DENY_IP=""
820
821
822
###############################################################################
823
# DMZ_INET_xxx = DMZ->internet access rules (forward) #
824
# #
825
# Note that when both DMZ_INET_OPEN_xxx & DMZ_INET_HOST_OPEN_xxx are NOT #
826
# used, the default policy for this chain is accept (unless denied #
827
# through DMZ_INET_DENY_xxx and/or DMZ_INET_HOST_DENY_xxx)! #
828
###############################################################################
829
830
# Enable this to make the default policy allow for ICMP(ping) for DMZ->INET
831
# -----------------------------------------------------------------------------
832
DMZ_INET_OPEN_ICMP=1
833
834
# Put in the following variables the TCP/UDP ports or IP
835
# protocols TO (remote end-point) which the DMZ hosts are
836
# permitted to connect to via the external (internet) interface.
837
# -----------------------------------------------------------------------------
838
DMZ_INET_OPEN_TCP=""
839
DMZ_INET_OPEN_UDP=""
840
DMZ_INET_OPEN_IP=""
841
842
# Put in the following variables the TCP/UDP ports or IP protocols TO (remote
843
# end-point) which the DMZ hosts are NOT permitted to connect to
844
# via the external (internet) interface. Examples of usage are for blocking
845
# IRC (TCP 6666:6669) for the internal network.
846
# -----------------------------------------------------------------------------
847
DMZ_INET_DENY_TCP=""
848
DMZ_INET_DENY_UDP=""
849
DMZ_INET_DENY_IP=""
850
851
# Put in the following variables which DMZ hosts you want to allow to certain
852
# hosts/services on the internet. By default all services are allowed.
853
#
854
# TCP/UDP form:
855
# "SRCIP1,SRCIP2,...>DESTIP1:port \
856
# SRCIP3,...>DESTIP2:port"
857
#
858
# IP form:
859
# "SRCIP1,SRCIP2,...>DESTIP1:protocol \
860
# SRCIP3,...>DESTIP2:protocol"
861
#
862
# TCP/UDP examples:
863
# Simple (Allow port 80 on INET host 1.2.3.4 for all DMZ hosts(0/0)):
864
# DMZ_INET_HOST_OPEN_xxx="0/0>1.2.3.4:80"
865
# Advanced (Allow port 20 & 21 on INET host 1.2.3.4 for all DMZ hosts(0/0) and
866
# allow port 80 on INET host 1.2.3.4 for DMZ host 5.6.7.8 (only)):
867
# DMZ_INET_HOST_OPEN_xxx="0/0>1.2.3.4:20,21 5.6.7.8>1.2.3.4:80"
868
#
869
# IP protocol example:
870
# (Allow protocols 47 & 48 on INET host 1.2.3.4 for all DMZ hosts):
871
# DMZ_INET_HOST_OPEN_IP="0/0>1.2.3.4:47,48"
872
#
873
# NOTE 1: If no SRCIPx is specified, any source host is used
874
# NOTE 2: If no DESTIPx is specified, any destination host is used
875
# NOTE 3: If no port is specified, any port is used
876
# -----------------------------------------------------------------------------
877
DMZ_INET_HOST_OPEN_TCP=""
878
DMZ_INET_HOST_OPEN_UDP=""
879
DMZ_INET_HOST_OPEN_IP=""
880
881
# Put in the following variables which DMZ hosts you want to deny to certain
882
# hosts/services on the internet.
883
#
884
# TCP/UDP form:
885
# "SRCIP1,SRCIP2,...>DESTIP1:port \
886
# SRCIP3,...>DESTIP2:port"
887
#
888
# IP form:
889
# "SRCIP1,SRCIP2,...>DESTIP1:protocol \
890
# SRCIP3,...>DESTIP2:protocol"
891
#
892
# TCP/UDP examples:
893
# Simple (Deny port 80 on INET host 1.2.3.4 for all DMZ hosts(0/0)):
894
# DMZ_INET_HOST_DENY_xxx="0/0>1.2.3.4:80"
895
# Advanced (Deny port 20 & 21 on INET host 1.2.3.4 for all DMZ hosts(0/0) and
896
# deny port 80 on INET host 1.2.3.4 for DMZ host 5.6.7.8 (only)):
897
# DMZ_INET_HOST_DENY_xxx="0/0>1.2.3.4:20,21 5.6.7.8>1.2.3.4:80"
898
#
899
# IP protocol example:
900
# (Deny protocols 47 & 48 on INET host 1.2.3.4 for all DMZ hosts(0/0)):
901
# DMZ_INET_HOST_DENY_IP="0/0>1.2.3.4:47,48"
902
#
903
# NOTE 1: If no SRCIPx is specified, any source host is used
904
# NOTE 2: If no DESTIPx is specified, any destination host is used
905
# NOTE 3: If no port is specified, any port is used
906
# -----------------------------------------------------------------------------
907
DMZ_INET_HOST_DENY_TCP=""
908
DMZ_INET_HOST_DENY_UDP=""
909
DMZ_INET_HOST_DENY_IP=""
910
911
912
###############################################################################
913
# DMZ_LAN_xxx = DMZ->LAN access rules (forward) #
914
###############################################################################
915
916
# Enable this to make the default policy allow for ICMP(ping) for DMZ->LAN
917
# -----------------------------------------------------------------------------
918
DMZ_LAN_OPEN_ICMP=0
919
920
# Put in the following variables which DMZ hosts you want to allow to certain
921
# hosts/services on the LAN (net).
922
#
923
# TCP/UDP form:
924
# "SRCIP1,SRCIP2,...>DESTIP1:port \
925
# SRCIP3,...>DESTIP2:port"
926
#
927
# IP form:
928
# "SRCIP1,SRCIP2,...>DESTIP1:protocol \
929
# SRCIP3,...>DESTIP2:protocol"
930
#
931
# TCP/UDP examples:
932
# Simple (Allow port 80 on LAN host 1.2.3.4 for all DMZ hosts(0/0)):
933
# DMZ_LAN_HOST_OPEN_xxx="0/0>1.2.3.4:80"
934
# Advanced (Allow port 20 & 21 on LAN host 1.2.3.4 for all DMZ hosts (0/0) and
935
# allow port 80 for DMZ host 5.6.7.8 (only) on LAN host
936
# 1.2.3.4):
937
# DMZ_LAN_HOST_OPEN_xxx="0/0>1.2.3.4:20,21 5.6.7.8>1.2.3.4:80"
938
#
939
# IP protocol example:
940
# (Allow protocols 47 & 48 on LAN host 1.2.3.4 for all DMZ hosts(0/0)):
941
# DMZ_LAN_HOST_OPEN_IP="0/0>1.2.3.4:47,48"
942
#
943
# NOTE 1: If no SRCIPx is specified, any source host is used
944
# NOTE 2: If no DESTIPx is specified, any destination host is used
945
# NOTE 3: If no port is specified, any port is used
946
# -----------------------------------------------------------------------------
947
DMZ_LAN_HOST_OPEN_TCP=""
948
DMZ_LAN_HOST_OPEN_UDP=""
949
DMZ_LAN_HOST_OPEN_IP=""
950
951
952
###############################################################################
953
# Firewall policies for the external (inet) interface (default policy = drop) #
954
###############################################################################
955
956
# Put in the following variable which hosts (subnets) you want have full access
957
# via your internet (EXT_IF) connection(!). This is especially meant for
958
# networks/servers which use NIS/NFS, as these protocols require all ports
959
# to be open.
960
# NOTE: Don't mistake this variable with the one used for internal nets.
961
# -----------------------------------------------------------------------------
962
FULL_ACCESS_HOSTS=""
963
964
# Enable this to make the default policy allow for ICMP(ping) for INET access
965
# -----------------------------------------------------------------------------
966
OPEN_ICMP=0
967
968
# Put in the following variables which ports or IP protocols you want to leave
969
# open to the whole world.
970
# -----------------------------------------------------------------------------
971
OPEN_TCP="21 22"
972
OPEN_UDP=""
973
OPEN_IP=""
974
975
# Put in the following variables the TCP/UDP ports you want to DENY(DROP) for
976
# everyone (and logged). Also use these variables if you want to log connection
977
# attempts to these ports from everyone (also trusted/full access hosts).
978
# In principle you don't need these variables, as everything is already blocked
979
# (denied) by default, but just exists for consistency.
980
# -----------------------------------------------------------------------------
981
DENY_TCP="23"
982
DENY_UDP=""
983
984
# Put in the following variables which ports you want to DENY(DROP) for
985
# everyone but NOT logged. This is very useful if you have constant probes on
986
# the same port(s) over and over again (code red worm) and don't want your logs
987
# flooded with it.
988
# -----------------------------------------------------------------------------
989
DENY_TCP_NOLOG=""
990
DENY_UDP_NOLOG=""
991
992
# Put in the following variables the TCP/UDP ports you want to REJECT (instead
993
# of DROP) for everyone (and logged).
994
# -----------------------------------------------------------------------------
995
REJECT_TCP=""
996
REJECT_UDP=""
997
998
# Put in the following variables the TCP/UDP ports you want to REJECT (instead
999
# of DROP) for everyone but NOT logged.
1000
# -----------------------------------------------------------------------------
1001
REJECT_TCP_NOLOG=""
1002
REJECT_UDP_NOLOG=""
1003
1004
# Put in the following variables which hosts you want to allow for certain
1005
# services.
1006
# TCP/UDP port format (HOST_OPEN_TCP & HOST_OPEN_UDP):
1007
# "host1,host2>port1,port2 host3,host4>port3,port4 ..."
1008
#
1009
# IP protocol format (HOST_OPEN_IP):
1010
# "host1,host2>proto1,proto2 host3,host4>proto4,proto4 ..."
1011
#
1012
# ICMP protocol format (HOST_OPEN_ICMP):
1013
# "host1 host2 ...."
1014
# -----------------------------------------------------------------------------
1015
HOST_OPEN_TCP=""
1016
HOST_OPEN_UDP=""
1017
HOST_OPEN_IP=""
1018
HOST_OPEN_ICMP=""
1019
1020
# Put in the following variables which hosts you want to DENY(DROP) for certain
1021
# services (and logged).
1022
# to DENY(DROP) for certain hosts.
1023
# TCP/UDP port format (HOST_DENY_TCP & HOST_DENY_UDP):
1024
# "host1,host2>port1,port2 host3,host4>port3,port4 ..."
1025
#
1026
# IP protocol format (HOST_DENY_IP):
1027
# "host1,host2>proto1,proto2 host3,host4>proto4,proto4 ..."
1028
#
1029
# ICMP protocol format (HOST_DENY_ICMP):
1030
# "host1 host2 ...."
1031
# -----------------------------------------------------------------------------
1032
HOST_DENY_TCP=""
1033
HOST_DENY_UDP=""
1034
HOST_DENY_IP=""
1035
HOST_DENY_ICMP=""
1036
1037
# Put in the following variables which hosts you want to DENY(DROP) for certain
1038
# services but NOT logged.
1039
# TCP/UDP port format (HOST_DENY_xxx_NOLOG):
1040
# "host1,host2>port1,port2 host3,host4>port3,port4 ..."
1041
#
1042
# IP protocol format (HOST_DENY_IP_NOLOG):
1043
# "host1,host2>proto1,proto2 host3,host4>proto4,proto4 ..."
1044
#
1045
# ICMP protocol format (HOST_DENY_ICMP_NOLOG):
1046
# "host1 host2 ...."
1047
# -----------------------------------------------------------------------------
1048
HOST_DENY_TCP_NOLOG=""
1049
HOST_DENY_UDP_NOLOG=""
1050
HOST_DENY_IP_NOLOG=""
1051
HOST_DENY_ICMP_NOLOG=""
1052
1053
# Put in the following variables which hosts you want to REJECT (instead of
1054
# DROP) for certain TCP/UDP ports.
1055
# TCP/UDP port format (HOST_REJECT_xxx):
1056
# "host1,host2>port1,port2 host3,host4>port3,port4 ..."
1057
# -----------------------------------------------------------------------------
1058
HOST_REJECT_TCP=""
1059
HOST_REJECT_UDP=""
1060
1061
# Put in the following variables which hosts you want to REJECT (instead of
1062
# DROP) for certain services but NOT logged.
1063
# TCP/UDP port format (HOST_REJECT_xxx_NOLOG):
1064
# "host1,host2>port1,port2 host3,host4>port3,port4 ..."
1065
# -----------------------------------------------------------------------------
1066
HOST_REJECT_TCP_NOLOG=""
1067
HOST_REJECT_UDP_NOLOG=""
1068
1069
# Put in the following variables which services THIS machine is NOT
1070
# permitted to connect TO (remote end-point) via the external (internet)
1071
# interface. For example for blocking IRC (tcp 6666:6669).
1072
# -----------------------------------------------------------------------------
1073
DENY_TCP_OUTPUT=""
1074
DENY_UDP_OUTPUT=""
1075
DENY_IP_OUTPUT=""
1076
1077
# Put in the following variables to which hosts THIS machine is NOT
1078
# permitted to connect TO for certain services (remote end-point)
1079
# via the external (internet) interface. In principle you can also
1080
# use this to put your machine in a "virtual-DMZ" by blocking all traffic
1081
# to your local subnet.
1082
# TCP/UDP port format (HOST_DENY_TCP_OUTPUT & HOST_DENY_UDP_OUTPUT):
1083
# "host1,host2>port1,port2 host3,host4>port3,port4 ..."
1084
#
1085
# IP protocol format (HOST_DENY_IP_OUTPUT):
1086
# "host1,host2>proto1,proto2 host3,host4>proto4,proto4 ..."
1087
# -----------------------------------------------------------------------------
1088
HOST_DENY_TCP_OUTPUT=""
1089
HOST_DENY_UDP_OUTPUT=""
1090
HOST_DENY_IP_OUTPUT=""
1091
1092
# Put in the following variable which TCP/UDP ports you don't want to
1093
# see broadcasts from (ie. DHCP (67/68) on your EXTERNAL interface. Note that
1094
# to make this properly work you also need to set "EXTERNAL_NET"!
1095
# -----------------------------------------------------------------------------
1096
BROADCAST_TCP_NOLOG=""
1097
#BROADCAST_UDP_NOLOG="67 68"
1098
1099
# Put in the following variable which hosts you want to block (blackhole,
1100
# dropping every packet from the host).
1101
# -----------------------------------------------------------------------------
1102
BLOCK_HOSTS=""
1103
1104
# Uncomment & specify here the location of the file that contains a list of
1105
# hosts(IP's) that should be BLOCKED. IP ranges can (only) be specified as
1106
# w.x.y.z1-z2 (ie. 192.168.1.10-15). Note that the last line of this file
1107
# should always contain a carriage-return (enter)!
1108
# -----------------------------------------------------------------------------
1109
#BLOCK_HOSTS_FILE=/etc/arno-iptables-firewall/blocked-hosts
Loggerhead is a web-based interface for Breezy
Version: 2.0.1