Member "aif-2.1.1/etc/arno-iptables-firewall/firewall.conf" (16 Sep 2020, 58979 Bytes) of package /linux/privat/aif-2.1.1.tar.gz:



################################################################################
# You should put this config-file in /etc/arno-iptables-firewall/              #
################################################################################

# --------------------------- Configuration file -------------------------------
#                       -= Arno's Iptables Firewall(AIF) =-
#         Single- & multi-homed firewall script with DSL/ADSL support
#
# (C) Copyright 2001-2019 by Arno van Amersfoort & Lonnie Abelbeck
# Homepage   : https://rocky.eld.leidenuniv.nl/
# Email      : arnova AT rocky DOT eld DOT leidenuniv DOT nl
#              (note: you must remove all spaces and substitute the @ and the .
#              at the proper locations!)
# ------------------------------------------------------------------------------
# This program is free software; you can redistribute it and/or
# modify it under the terms of the GNU General Public License
# version 2 as published by the Free Software Foundation.

# This program is distributed in the hope that it will be useful, but WITHOUT
# ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
# FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for
# more details.

# You should have received a copy of the GNU General Public License along with
# this program; if not, write to the Free Software Foundation Inc., 59 Temple
# Place - Suite 330, Boston, MA 02111-1307, USA.
# ------------------------------------------------------------------------------


################################################################################
# External (internet) interface settings                                       #
################################################################################

# The external interface(s) that will be protected (and used as internet
# connection). This is probably ppp+ or dsl+ for non-transparent(!) (A)DSL
# modems, otherwise it's probably "ethX" (eg. eth0). Multiple interfaces should
# be space separated.
# ------------------------------------------------------------------------------
EXT_IF=""

# Enable if THIS machine (dynamically) obtains its IP through (IPv4) DHCP
# and possibly (IPv6) DHCPv6 (from your ISP)
# ------------------------------------------------------------------------------
EXT_IF_DHCP_IP=0

# Enable if THIS machine (dynamically) obtains its IP through (IPv6) DHCPv6
# and not (IPv4) DHCP. Applies only when EXT_IF_DHCP_IP is set to "0".
# (IPv6 Only)
# ------------------------------------------------------------------------------
EXT_IF_DHCPV6_IPV6=0

# (EXPERT SETTING!) Here you can override your external(!) IPv4 subnet(s).
# Normally these are (attempted to be) autodetected, so leaving this empty
# should work for most scenarios. This setting is used when eg. running a DHCP
# server on your external(!) interface. Multiple subnets should be space
# separated. Don't forget to specify a proper subnet mask
# (eg. /24, /16 or /8)! Also note that the order should match the order of
# your interfaces in EXT_IF!
# ------------------------------------------------------------------------------
#EXTERNAL_NET=""

# (EXPERT SETTING!) Here you can override the broadcast address(es) used for
# your external IPv4 subnet(s). Normally these are (attempted to be)
# autodetected, so leaving this empty should work for most scenarios. This
# setting is eg. used for the BROADCAST_XXX_NOLOG variables. Multiple addresses
# should be space separated.
# ------------------------------------------------------------------------------
#EXT_NET_BCAST_ADDRESS=""

# Enable if THIS MACHINE is running an IPv4 DHCP(BOOTP) server for a subnet
# on the external(!) interface. Note that you don't need this for internal
# subnets, as for these nets everything is accepted by default. Don't forget to
# configure the EXTERNAL_NET variable, to make this work. (IPv4 Only)
# ------------------------------------------------------------------------------
EXTERNAL_DHCP_SERVER=0

# Enable if THIS MACHINE is running an IPv6 DHCPv6 server for a Link-Local
# address on the external(!) interface. Note that you don't need this for
# internal subnets, as for these nets everything is accepted by default.
# (IPv6 Only)
# ------------------------------------------------------------------------------
EXTERNAL_DHCPV6_SERVER=0


################################################################################
# Internal (LAN) interface settings                                            #
################################################################################

# Specify here your internal network (LAN) interface(s). Multiple(!) interfaces
# should be space separated. Comment this out if you don't have any internal
# network interfaces. Note that by default ALL traffic is accepted from these
# interfaces. Traffic between multiple (separate) internal interfaces is
# blocked by default. Use the IF_TRUSTS setting (below) to enable traffic for
# those.
# ------------------------------------------------------------------------------
INT_IF=""

# Specify here the internal IPv4 subnet(s) which is/are connected to the
# internal interface(s). For multiple interfaces(!) you can either specify
# multiple subnets here or specify one big subnet for all internal interfaces.
# Note that this variable is mainly used for antispoofing.
# ------------------------------------------------------------------------------
#INTERNAL_NET="192.168.0.0/24"

# Set this variable to 0 to disable antispoof checking for the internal nets
# (EXPERT SETTING!)
# ------------------------------------------------------------------------------
INTERNAL_NET_ANTISPOOF=1

# (EXPERT SETTING!) Here you can specify the IPv4 address used for broadcasts
# on your internal subnet. You only need to set this option if you want to use
# the MAC filter AND you use a non-standard broadcast address
# (not *.255.255.255, *.*.255.255 or *.*.*.255)! So normally leaving
# this empty should work fine. Multiple addresses (if you have multiple
# internal nets) should be space separated.
# ------------------------------------------------------------------------------
#INT_NET_BCAST_ADDRESS=""


################################################################################
# DMZ (aka DeMilitarized Zone) settings                                        #
################################################################################

# Put in the following variable the network interfaces that are DMZ-classified.
# You can also put your wireless interface here if you want to shield your
# wireless network from your LAN.
# ------------------------------------------------------------------------------
DMZ_IF=""

# Specify here the subnet which is connected to the DMZ interface (DMZ_IF).
# For multiple interfaces(!) you can either specify multiple subnets here or
# specify one big subnet for all DMZ interfaces.
# ------------------------------------------------------------------------------
DMZ_NET=""

# Specify the LAN (INT_IF) interfaces that are allowed full access to the
# DMZ interface(s). (LAN to DMZ forwarding policy)
# If LAN_DMZ_ALLOW_IF is not defined, all the INT_IF interfaces will be allowed.
# ------------------------------------------------------------------------------
LAN_DMZ_ALLOW_IF=""

# Set this variable to 0 to disable antispoof checking for the dmz nets
# (EXPERT SETTING!)
# ------------------------------------------------------------------------------
DMZ_NET_ANTISPOOF=1

################################################################################
# NAT (Masquerade, SNAT, DNAT) settings (IPv4 only!)                           #
################################################################################

# Enable this if you want to perform NAT (masquerading) for your internal
# network (LAN) (eg. share your internet connection with your internal
# net(s) connected to eg. INT_IF)
# ------------------------------------------------------------------------------
NAT=0

# (EXPERT SETTING!) In case you would like to use SNAT instead of
# MASQUERADING then uncomment and set the IP or IPs here of your static
# external address(es). Note that when multiple IPs are specified, SNAT
# multiroute is enabled (load balancing over multiple external (internet)
# interfaces, check the README file for more info).
# Note: The order of IPs must match the order of the associated interfaces
# in $EXT_IF (or $NAT_IF if defined).
# ------------------------------------------------------------------------------
#NAT_STATIC_IP="193.2.1.1"

# (EXPERT SETTING!) Use this variable only if you want to use specific
# external interface(s) for NAT. If not specified all interfaces in EXT_IF
# are used.
# ------------------------------------------------------------------------------
#NAT_IF=""

# (EXPERT SETTING!) Use this variable only if you want specific subnets or
# hosts to be able to access the internet. When no value is specified, your
# whole internal net will have access. In both cases it's obviously only
# meaningful when NAT is enabled. Note that you can also use this variable if
# you want to use NAT for your DMZ.
# ------------------------------------------------------------------------------
NAT_INTERNAL_NET="$INTERNAL_NET"

# (EXPERT SETTING!) Enable this if you want to be able to redirect local ports
# or protocols on your gateway using NAT forwards.
# ------------------------------------------------------------------------------
NAT_LOCAL_REDIRECT=0

# NAT TCP/UDP/IP forwards. Forward ports or protocols from the gateway to
# an internal client through (D)NAT. Note that you can also use these
# variables to forward ports to DMZ hosts.
#
# TCP/UDP form:
#       "{SRCIP1,SRCIP2,...~}PORT1,PORT2-PORT3,...>DESTIP1{~port} \
#        {SRCIP3,...~}PORT3,...>DESTIP2{~port}"
#
# IP form:
#       "{SRCIP1,SRCIP2,...~}PROTO1,PROTO2,...>DESTIP1 \
#        {SRCIP3~}PROTO3,PROTO4,...>DESTIP2"
#
# TCP/UDP port forward examples:
# Simple (forward port 80 to internal host 192.168.0.10):
#       NAT_FORWARD_xxx="80>192.168.0.10"
# Advanced (forward ports 20 & 21 to 192.168.0.10 and
#           forward from 1.2.3.4 port 81 to 192.168.0.11 port 80):
#       NAT_FORWARD_xxx="20,21>192.168.0.10 1.2.3.4~81>192.168.0.11~80"
#
# IP protocol forward example:
#        (forward protocols 47 & 48 to 192.168.0.10)
#        NAT_FORWARD_IP="47,48>192.168.0.10"
#
# NOTE 1: {~port} is optional. Use it to redirect a specific port to a
#         different port on the internal client.
# NOTE 2: {SRCIPx} is optional. Use it to restrict access to specific source
#         (inet) IP addresses. Without it the forward is reachable from any
#         address on the internet.
# (IPv4 Only)
# ------------------------------------------------------------------------------
NAT_FORWARD_TCP=""
NAT_FORWARD_UDP=""
NAT_FORWARD_IP=""
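
The forward syntax above is compact enough to misread, and an entry without a source list opens the port to the whole internet. The following added example (not code from arno-iptables-firewall) expands NAT_FORWARD_TCP / NAT_FORWARD_UDP strings into the iptables DNAT rules they describe, printing rather than executing them, and reports on stderr any entry that has no source restriction. The emitted rule shape (a PREROUTING DNAT on the external interface) is the generic form and is an assumption, not necessarily the exact rules AIF itself generates.

```sh
#!/bin/sh
# Added example (not code from arno-iptables-firewall): expand the
# NAT_FORWARD_TCP / NAT_FORWARD_UDP syntax documented above into the iptables
# DNAT rules it describes, one command per line on stdout. Rules are printed,
# not executed. The rule shape (PREROUTING DNAT on the external interface) is
# an assumption about the generic form, not necessarily what AIF emits.
#
# Entry grammar: {SRCIP1,SRCIP2,...~}PORT1,PORT2-PORT3,...>DESTIP{~port}
# Entries are space separated. An entry with no source list is reachable from
# any address, so such entries are reported on stderr.

# nat_forward_rules PROTO EXT_IF SPEC
nat_forward_rules() {
  proto=$1; ext_if=$2; spec=$3
  for entry in $spec; do
    case "$entry" in
      *">"*) ;;
      *) echo "skipping malformed entry (no '>'): $entry" >&2; continue ;;
    esac
    lhs=${entry%%\>*}         # {srcs~}ports
    rhs=${entry#*\>}          # dest{~port}

    srcs=""; ports=$lhs
    case "$lhs" in
      *"~"*) srcs=${lhs%%\~*}; ports=${lhs#*\~} ;;
    esac

    to=$rhs                   # DNAT target: DESTIP or DESTIP:port
    case "$rhs" in
      *"~"*) to="${rhs%%\~*}:${rhs#*\~}" ;;
    esac

    # The config writes port ranges as a-b; iptables expects a:b.
    ports=$(printf '%s' "$ports" | sed 's/,/ /g; s/-/:/g')
    src_list=$(printf '%s' "$srcs" | sed 's/,/ /g')
    if [ -z "$src_list" ]; then
      echo "warning: $proto port(s) $ports forwarded to $to from any source" >&2
      src_list="0/0"
    fi

    for src in $src_list; do
      src_match=""
      [ "$src" = "0/0" ] || src_match=" -s $src"
      for port in $ports; do
        printf 'iptables -t nat -A PREROUTING -i %s -p %s%s --dport %s -j DNAT --to-destination %s\n' \
          "$ext_if" "$proto" "$src_match" "$port" "$to"
      done
    done
  done
}

# Constructed demo using the examples from the comment block above.
nat_forward_rules tcp eth0 "80>192.168.0.10 20,21>192.168.0.10 1.2.3.4~81>192.168.0.11~80"
```

After sourcing firewall.conf you can call `nat_forward_rules tcp "$EXT_IF" "$NAT_FORWARD_TCP"` to see what a given string expands to before enabling it; a range such as 5000-5010 becomes 5000:5010 because that is iptables' range syntax, and every entry that lacks a source list is emitted unrestricted after a warning.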

# TCP/UDP/IP forwards. Forward IPv6 and non-NAT'ed IPv4 ports or protocols
# from the gateway to an internal client. Note that you can also use these
# variables to forward ports to DMZ hosts.
#
# TCP/UDP form:
#       "SRCIP1,SRCIP2,...>DESTIP1{~port} \
#        SRCIP3,...>DESTIP2{~port}"
#
# IP form:
#       "SRCIP1,SRCIP2,...>DESTIP1~PROTO \
#        SRCIP3,...>DESTIP2~PROTO"
#
# TCP/UDP port forward examples:
# Simple (IPv6 forward port 80 to internal host 2001:db8::2):
#       INET_FORWARD_TCP="::/0>2001:db8::2~80"
# Simple (IPv4 non-NAT forward port 80 to internal host 192.168.0.10):
#       INET_FORWARD_TCP="0/0>192.168.0.10~80"
# Advanced (forward all UDP ports for 2000::/3 net to 2001:db8::/32 net):
#       INET_FORWARD_UDP="2000::/3>2001:db8::/32"
#
# IP protocol forward example:
#        (forward protocol 58 (ICMPv6) to 2001:db8::2)
#       INET_FORWARD_IP="::/0>2001:db8::2~58"
#
# (IPv6 and non-NAT'ed IPv4 Only)
# ------------------------------------------------------------------------------
INET_FORWARD_TCP=""
INET_FORWARD_UDP=""
INET_FORWARD_IP=""

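As an added illustration (not a configuration shipped with AIF) of how the interface, DMZ and NAT settings above combine, here is a complete set of values for a gateway with the ISP on eth0 via DHCP, a wired LAN on eth1, a guest Wi-Fi on eth3 and a DMZ on eth2 hosting one public web server. The interface names, the private subnets, the server address 192.168.2.10 and the admin address 203.0.113.5 (an RFC 5737 documentation address) are assumptions.

```sh
# Constructed example, not part of the AIF package: a NAT gateway with a LAN,
# a guest Wi-Fi and a DMZ. Interface names and addresses are assumptions.

EXT_IF="eth0"
EXT_IF_DHCP_IP=1                 # eth0 gets its address from the ISP's DHCP

# Two separate internal interfaces: by default they cannot forward to each
# other (see IF_TRUSTS below); one subnet per interface for antispoofing.
INT_IF="eth1 eth3"
INTERNAL_NET="192.168.1.0/24 192.168.3.0/24"

DMZ_IF="eth2"
DMZ_NET="192.168.2.0/24"
LAN_DMZ_ALLOW_IF="eth1"          # only the wired LAN gets full access to the DMZ

NAT=1
# The default NAT_INTERNAL_NET="$INTERNAL_NET" would masquerade the LAN and
# guest subnets only; list the DMZ subnet too so DMZ hosts can reach the internet.
NAT_INTERNAL_NET="192.168.1.0/24 192.168.3.0/24 192.168.2.0/24"

# Web server in the DMZ. Ports 80 and 443 are open to everyone (no source
# list). SSH is exposed on external port 2222, only for the admin host
# 203.0.113.5, and lands on the server's port 22 via the ~port suffix.
NAT_FORWARD_TCP="80,443>192.168.2.10 203.0.113.5~2222>192.168.2.10~22"
NAT_FORWARD_UDP=""
NAT_FORWARD_IP=""

# Pure IPv4 gateway behind NAT: nothing to forward without NAT.
INET_FORWARD_TCP=""
INET_FORWARD_UDP=""
INET_FORWARD_IP=""
```

The two points this example exercises are the NAT_INTERNAL_NET default, which silently excludes the DMZ from masquerading, and the source-restricted SSH forward, which is the only way in this syntax to keep an administrative port off the open internet.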

################################################################################
# General settings                                                             #
################################################################################

# Most people don't want to get any firewall logs being spit to the console.
# This option makes the kernel ring buffer only log messages with level
# "panic".
# ------------------------------------------------------------------------------
DMESG_PANIC_ONLY=1

# Enable this if you want TOS mangling (RFC)
# ------------------------------------------------------------------------------
MANGLE_TOS=0

# Enable this if you want to set the maximum packet size via the
# Maximum Segment Size (through the MSS field)
# ------------------------------------------------------------------------------
SET_MSS=1

# Enable this if you want to increase the TTL value by one in the prerouting
# chain. This hides the firewall when performing eg. traceroutes to internal
# hosts. (IPv4 only!)
# ------------------------------------------------------------------------------
TTL_INC=0

# (EXPERT SETTING!) Enable this if you want to set the TTL value for packets in
# the OUTPUT & FORWARD chain. Note that this only works with newer 2.6 kernels
# (2.6.14 or better) or patched 2.4 kernels, which have netfilter TTL target
# support. Don't mess with this unless you really know what you are doing!
# (IPv4 only!)
# ------------------------------------------------------------------------------
#PACKET_TTL="64"

# (EXPERT SETTING!) Enable this if you want our internal DNS functions to fail
# "fast". This means a query will be tried only once and times out after 1
# second; the default is 3 tries and a 5 second timeout.
# Note: The command 'dig' is preferred, 'nslookup' will be used if 'dig' is not
# available, though the BusyBox 'nslookup' is not supported with this option
# ------------------------------------------------------------------------------
DNS_FAST_FAIL=0

# (EXPERT SETTING!) This option sets the maximum allowed age (in minutes) of
# (previously) resolved host names. Defaults to 10 minutes
# ------------------------------------------------------------------------------
DNS_MAX_AGE=10

# (EXPERT SETTING!) This value defines the threshold for the number of
# allowed successive cache fallbacks after DNS failures
# ------------------------------------------------------------------------------
DNS_FAIL_THRESHOLD=4

# Enable this to support the IRC-protocol
# ------------------------------------------------------------------------------
USE_IRC=0

# (EXPERT SETTING!) Loosen the forward chain for the external interface(s).
# Enable it to allow the use of protocols like UPnP. Note that it *could* be
# less secure
# ------------------------------------------------------------------------------
LOOSE_FORWARD=0

# (EXPERT SETTING!) Enable (1) to allow IPv6 Link-Local addresses to be
# forwarded between interfaces. (IPv6 Only)
# ------------------------------------------------------------------------------
FORWARD_LINK_LOCAL=0

# (EXPERT SETTING!) Enabled (1) by default: drop all IPv6 packets carrying a
# Type 0 Routing Header (RH0, deprecated by RFC 5095 because it can be abused
# for traffic amplification). Disable (0) only if you really need RH0.
# (IPv6 Only)
# ------------------------------------------------------------------------------
IPV6_DROP_RH_ZERO=1

# (EXPERT SETTING!) Enable this if you want to drop packets originating from a
# private address.
# Note: To enable logging of dropped private addresses set RESERVED_NET_LOG=1
# ------------------------------------------------------------------------------
RESERVED_NET_DROP=0

# (EXPERT SETTING!) Protect this machine from being abused for a DRDOS-attack
# ("Distributed Reflection Denial Of Service"-attack). (STILL EXPERIMENTAL!)
# ------------------------------------------------------------------------------
DRDOS_PROTECT=0

# Enable (1) if you want to enable mixed IPv4/IPv6 traffic support
# Disable (0) if you want to enable only IPv4 traffic support
# ------------------------------------------------------------------------------
IPV6_SUPPORT=0

# This option fixes problems with SMB broadcasts when using nmblookup
# ------------------------------------------------------------------------------
NMB_BROADCAST_FIX=0

# Set this to 0 to suppress "assuming module is compiled in kernel" messages
# ------------------------------------------------------------------------------
COMPILED_IN_KERNEL_MESSAGES=1

# (EXPERT SETTING!) You can choose the default policy for the INPUT & FORWARD
# chains here (1=DROP, 0=ACCEPT). The default policy is DROP. This means that
# when there are no rule(s) available (yet), the packet will be DROPPED. In
# practice this policy only matters while the firewall is starting. Once
# it's started and all rules are in place, the default policy doesn't do
# anything anymore. People that use eg. NFS and let their clients boot from NFS
# (diskless client systems) probably want to disable this option to fix
# "NFS server not responding" etc. errors on their clients.
# ------------------------------------------------------------------------------
DEFAULT_POLICY_DROP=1

# (EXPERT SETTING!) (Other) trusted network interfaces for which ALL IP
# traffic should be ACCEPTED. (multiple(!) interfaces should be space
# separated). Be warned that anything TO and FROM these interfaces is allowed
# (ACCEPTED) so make sure it's NOT routable(accessible) from the outside world
# (internet)! And of course putting one of your external interfaces here would
# be extremely stupid.
# ------------------------------------------------------------------------------
TRUSTED_IF=""

# (EXPERT SETTING!) Put here the interfaces that should trust each other
# (accept forward traffic). Use this to e.g. create trusts between multiple
# internal interfaces/subnets. You can use | (piping-sign) to create
# separate trust groups.  And of course putting one of your external
# interfaces here would be extremely stupid.
# ------------------------------------------------------------------------------
IF_TRUSTS=""

# Location of the custom iptables rules file (if any).
# ------------------------------------------------------------------------------
CUSTOM_RULES="/etc/arno-iptables-firewall/custom-rules"

# Location of the local (user/global) configuration file, if used
# ------------------------------------------------------------------------------
LOCAL_CONFIG_FILE=""

# Location of the local directory (if defined) whose *.conf file(s) are
# sourced for configuration variables.
# Note: An undefined LOCAL_CONFIG_DIR variable defaults to the default below.
# ------------------------------------------------------------------------------
LOCAL_CONFIG_DIR="/etc/arno-iptables-firewall/conf.d"

# (EXPERT SETTING!) Set this (to 1) to enable the use of ipset to efficiently
# match a large block of IPv4/IPv6 addresses/nets. Much faster when enabled.
# BLOCK_NETSET_DIR, BLOCK_HOSTS and BLOCK_HOSTS_FILE utilize this feature.
# ------------------------------------------------------------------------------
#IPTABLES_IPSET=0

# (EXPERT SETTING!) Set tunable options when IPTABLES_IPSET is enabled.
# Adjust the default values if there are more than 100,000 block hosts.
# ------------------------------------------------------------------------------
#IPTABLES_IPSET_HASHSIZE=2048
#IPTABLES_IPSET_MAXELEM=131072

# (EXPERT SETTING!) Set this (to 1) to disable the use of iptables-save and
# iptables-restore to add rules in batch rather than one-by-one. Much slower
# when disabled. BLOCK_HOSTS and BLOCK_HOSTS_FILE utilize this feature.
# Note: This option is ignored when IPTABLES_IPSET is enabled.
# ------------------------------------------------------------------------------
DISABLE_IPTABLES_BATCH=0

################################################################################
# Logging options - All logging is rate limited to prevent log flooding        #
################################################################################

# Enable logging for explicitly blocked hosts.
# Log Options: 0 = Disable, 1 = Inbound & Outbound, 2 = Inbound, 3 = Outbound
# ------------------------------------------------------------------------------
BLOCKED_HOST_LOG=1

# Enable logging for various stealth scans (reliable).
# ------------------------------------------------------------------------------
SCAN_LOG=1

# Enable logging for possible stealth scans (less reliable).
# ------------------------------------------------------------------------------
POSSIBLE_SCAN_LOG=1

# Enable logging of invalid TCP packets. Keep disabled (0) by default to reduce
# INVALID packets being logged because of lost (legitimate) connections. When
# debugging any problems, you should enable it (temporarily)!
# ------------------------------------------------------------------------------
INVALID_TCP_LOG=0

# Enable logging of invalid UDP packets. Keep disabled (0) by default to reduce
# INVALID packets being logged because of lost (legitimate) connections. When
# debugging any problems, you should enable it (temporarily)!
# ------------------------------------------------------------------------------
INVALID_UDP_LOG=0

# Enable logging of invalid ICMP packets. Keep disabled (0) to reduce
# INVALID packets being logged caused by lost (legitimate) connections. When
# debugging any problems, you should enable it (temporarily)!
# ------------------------------------------------------------------------------
INVALID_ICMP_LOG=0

# Enable (1) logging of source IPs with reserved or private addresses.
# ------------------------------------------------------------------------------
RESERVED_NET_LOG=0

# Enable dropping (& logging) of IPv4 fragmented packets. Normally fragmented
# packets are automatically defragmented by the kernel.
# ------------------------------------------------------------------------------
FRAG_DROP=0

# Enable logging of denied local (OUTPUT) connections.
# ------------------------------------------------------------------------------
INET_OUTPUT_DENY_LOG=1

# Enable logging of denied LAN output (FORWARD) connections.
# ------------------------------------------------------------------------------
LAN_OUTPUT_DENY_LOG=1

# Enable logging of denied LAN INPUT connections.
# ------------------------------------------------------------------------------
LAN_INPUT_DENY_LOG=1

# Enable logging of denied DMZ output (FORWARD) connections.
# ------------------------------------------------------------------------------
DMZ_OUTPUT_DENY_LOG=1

# Enable logging of denied DMZ input (FORWARD) connections.
# ------------------------------------------------------------------------------
DMZ_INPUT_DENY_LOG=1

# Enable logging of dropped FORWARD packets.
# ------------------------------------------------------------------------------
FORWARD_DROP_LOG=1

# Enable logging of dropped IPv6 Link-Local forwarded packets.
# Note: requires FORWARD_LINK_LOCAL=0 (IPv6 Only)
# ------------------------------------------------------------------------------
LINK_LOCAL_DROP_LOG=1

# Enable logging of dropped ICMP-request packets (ping).
# ------------------------------------------------------------------------------
ICMP_REQUEST_LOG=1

# Enable logging of dropped "other" ICMP packets.
# ------------------------------------------------------------------------------
ICMP_OTHER_LOG=1

# Enable logging of normal connection attempts to privileged TCP ports.
# ------------------------------------------------------------------------------
PRIV_TCP_LOG=1

# Enable logging of normal connection attempts to privileged UDP ports.
# ------------------------------------------------------------------------------
PRIV_UDP_LOG=1

# Enable logging of normal connection attempts to unprivileged TCP ports.
# ------------------------------------------------------------------------------
UNPRIV_TCP_LOG=1

# Enable logging of normal connection attempts to unprivileged UDP ports.
# ------------------------------------------------------------------------------
UNPRIV_UDP_LOG=1

# Enable logging of IPv4 IGMP packets
# ------------------------------------------------------------------------------
IGMP_LOG=1

# Enable logging of normal connection attempts to "other-IP"-protocols (non
# TCP/UDP/ICMP/IGMP).
# ------------------------------------------------------------------------------
OTHER_IP_LOG=1

# Enable logging for ICMP flooding.
# ------------------------------------------------------------------------------
ICMP_FLOOD_LOG=1

# (EXPERT SETTING!) Log-level used for logging to syslog. The default is "info"
# but "debug" can be used to have (legacy) syslogd log to
# /var/log/arno-iptables-firewall. Note that this also requires you to
# modify your syslogd.conf (see examples on how to). Most (if not all) newer
# distributions use rsyslogd which works much better out of the box, so in most
# cases you can leave this setting as is.
# ------------------------------------------------------------------------------
LOGLEVEL="info"

# Put in the following variables which hosts you want to log certain incoming
# connection attempts for.
# TCP/UDP port format (LOG_HOST_INPUT_xxx):
#       "host1,host2~port1,port2 host3,host4~port3,port4 ..."
#
# IP protocol format (LOG_HOST_INPUT_IP):
#       "host1,host2~proto1,proto2 host3,host4~proto3,proto4 ..."
# ------------------------------------------------------------------------------
LOG_HOST_INPUT_TCP=""
LOG_HOST_INPUT_UDP=""
LOG_HOST_INPUT_IP=""

# Put in the following variables which hosts you want to log certain outgoing
# connection attempts for.
# TCP/UDP port format (LOG_HOST_OUTPUT_xxx):
#       "host1,host2~port1,port2 host3,host4~port3,port4 ..."
#
# IP protocol format (LOG_HOST_OUTPUT_IP):
#       "host1,host2~proto1,proto2 host3,host4~proto3,proto4 ..."
# ------------------------------------------------------------------------------
LOG_HOST_OUTPUT_TCP=""
LOG_HOST_OUTPUT_UDP=""
LOG_HOST_OUTPUT_IP=""

# Put in the following variables which services you want to log incoming
# connection attempts for.
# ------------------------------------------------------------------------------
LOG_INPUT_TCP=""
LOG_INPUT_UDP=""
LOG_INPUT_IP=""

# Put in the following variables which services you want to log outgoing
# connection attempts for.
# ------------------------------------------------------------------------------
LOG_OUTPUT_TCP=""
LOG_OUTPUT_UDP=""
LOG_OUTPUT_IP=""

# Put in the following variable which hosts you want to log incoming connection
# (attempts) for.
# ------------------------------------------------------------------------------
LOG_HOST_INPUT=""

# Put in the following variable which hosts you want to log outgoing connection
# (attempts) to.
# ------------------------------------------------------------------------------
LOG_HOST_OUTPUT=""


  574 ################################################################################
  575 # sysctl based settings (EXPERT SETTINGS!)                                     #
  576 ################################################################################
  577 
  578 # Enable for synflood protection (through /proc/.../tcp_syncookies).
  579 # ------------------------------------------------------------------------------
  580 SYN_PROT=1
  581 
  582 # Enable this to reduce the ability of others DOS'ing your machine.
  583 # ------------------------------------------------------------------------------
  584 REDUCE_DOS_ABILITY=1
  585 
  586 # Enable to ignore all ICMP echo-requests (IPv4) on ALL interfaces.
  587 # ------------------------------------------------------------------------------
  588 ECHO_IGNORE=0
  589 
  590 # Enable to log packets with impossible addresses to the kernel log.
  591 # ------------------------------------------------------------------------------
  592 LOG_MARTIANS=0
  593 
  594 # Only disable this if you're NOT using forwarding (required for NAT etc.) for
  595 # increased security.
  596 # Note: If enabled and IPV6 enabled, local IPv6 autoconf will be disabled.
  597 # ------------------------------------------------------------------------------
  598 IP_FORWARDING=1
  599 
  600 # (EXPERT SETTING!) Only disable this if IP_FORWARDING is disabled and
  601 # you do not use autoconf to obtain your IPv6 address.
  602 # Note: This is ignored if IP_FORWARDING is enabled. (IPv6 Only)
  603 # ------------------------------------------------------------------------------
  604 IPV6_AUTO_CONFIGURATION=1
  605 
  606 # Enable if you want to accept ICMP redirect messages. Should be set to "0" in
  607 # case of a router.
  608 # ------------------------------------------------------------------------------
  609 ICMP_REDIRECT=0
  610 
   611 # Enable/modify this if you want to be able to handle a larger (or smaller)
  612 # number of simultaneous connections. For high traffic machines I recommend to
  613 # use a value of at least 16384 (note that a higher value (obviously) also uses
  614 # more memory).
  615 # ------------------------------------------------------------------------------
  616 CONNTRACK=16384
  617 
  618 # Enable ECN (Explicit Congestion Notification) TCP flag. Disabled by default,
  619 # as some routers are still not compatible with this.
  620 # ------------------------------------------------------------------------------
  621 ECN=0
  622 
   623 # Reverse path filter setting. Kernel setting that drops packets whose source
   624 # address is not routable back via the incoming interface (spoofed sources).
   625 # By default the firewall itself also provides rules against source routing.
   626 # Options: 0 = Disable, 1 = Strict filter, 2 = Loose filter
   627 # When using eg. VPNs or asymmetric routing, use 0 (disable) or 2 (loose)
  628 # ------------------------------------------------------------------------------
  629 RP_FILTER=1
  630 
  631 # Protect against source routed packets. Attackers can use source routing to
  632 # generate traffic pretending to be from inside your network, but which is
  633 # routed back along the path from which it came, namely outside, so attackers
  634 # can compromise your network. Source routing is rarely used for legitimate
  635 # purposes, so normally you should always leave this enabled(1)!
  636 # ------------------------------------------------------------------------------
  637 SOURCE_ROUTE_PROTECTION=1
  638 
  639 # Here we set the local port range (ports from which connections are
  640 # initiated from our site). Don't mess with this unless you really know what
  641 # you are doing!
  642 # ------------------------------------------------------------------------------
  643 LOCAL_PORT_RANGE="32768 60999"
  644 
  645 # Here you can change the default TTL used for sending packets. The value
  646 # should be between 10 and 255. Don't mess with this unless you really know
  647 # what you are doing!
  648 # ------------------------------------------------------------------------------
  649 DEFAULT_TTL=64
  650 
  651 # In most cases pmtu discovery is ok, but in some rare cases (when having
  652 # problems) you might want to disable it.
  653 # ------------------------------------------------------------------------------
  654 NO_PMTU_DISCOVERY=0
  655 
   656 # With eg. open-iscsi some systems may have problems under heavy load. Enable
   657 # tcp_be_liberal (conntrack tolerates out-of-window TCP packets) to work around it.
  658 # ------------------------------------------------------------------------------
  659 TCP_BE_LIBERAL=0
  660 
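# Added example (not part of AIF or of this config file): the shell functions
# below map the sysctl-related settings above to the /proc/sys keys they
# control and audit a running kernel against a config. The variable-to-key
# mapping is this example's own reading of the comments above; the key names
# are the standard Linux ones. AIF_SAMPLE_CONF, the function names and the
# optional PROC_SYS argument are constructed for the demo.

```shell
#!/bin/sh
# Added example, not part of AIF: map the sysctl-related settings above to the
# /proc/sys keys they control and audit a running kernel against them.
# The AIF-variable -> key mapping is this example's reading of the comments
# above (REDUCE_DOS_ABILITY tunes several TCP timeouts and is left out); the
# key names are the standard Linux ones. Feed it only config you trust: the
# config is evaluated as shell, exactly as AIF itself sources it.

# Constructed sample config, mirroring the defaults above.
AIF_SAMPLE_CONF='
SYN_PROT=1
ECHO_IGNORE=0
LOG_MARTIANS=0
IP_FORWARDING=1
ICMP_REDIRECT=0
CONNTRACK=16384
ECN=0
RP_FILTER=1
SOURCE_ROUTE_PROTECTION=1
LOCAL_PORT_RANGE="32768 60999"
DEFAULT_TTL=64
NO_PMTU_DISCOVERY=0
TCP_BE_LIBERAL=0
'

# aif_sysctl_policy CONF_TEXT: print one "key value" line per kernel setting
# implied by CONF_TEXT. Evaluated in a subshell so the config's assignments
# cannot leak into the caller's environment.
aif_sysctl_policy() {
  (
    eval "$1"
    # AIF says "protection on"; the kernel knob is accept_source_route, so invert
    if [ "${SOURCE_ROUTE_PROTECTION:-1}" = 1 ]; then asr=0; else asr=1; fi
    echo "net.ipv4.tcp_syncookies ${SYN_PROT:-1}"
    echo "net.ipv4.icmp_echo_ignore_all ${ECHO_IGNORE:-0}"
    echo "net.ipv4.conf.all.log_martians ${LOG_MARTIANS:-0}"
    echo "net.ipv4.ip_forward ${IP_FORWARDING:-1}"
    echo "net.ipv4.conf.all.accept_redirects ${ICMP_REDIRECT:-0}"
    echo "net.netfilter.nf_conntrack_max ${CONNTRACK:-16384}"
    echo "net.ipv4.tcp_ecn ${ECN:-0}"
    echo "net.ipv4.conf.all.rp_filter ${RP_FILTER:-1}"
    echo "net.ipv4.conf.all.accept_source_route $asr"
    echo "net.ipv4.ip_local_port_range ${LOCAL_PORT_RANGE:-32768 60999}"
    echo "net.ipv4.ip_default_ttl ${DEFAULT_TTL:-64}"
    echo "net.ipv4.ip_no_pmtu_disc ${NO_PMTU_DISCOVERY:-0}"
    echo "net.netfilter.nf_conntrack_tcp_be_liberal ${TCP_BE_LIBERAL:-0}"
  )
}

# aif_sysctl_audit CONF_TEXT [PROC_SYS]: compare every implied setting with
# the live value under PROC_SYS (default /proc/sys). Prints MISMATCH lines for
# deviations and MISSING for keys the kernel does not expose (e.g. conntrack
# not loaded); returns 1 if anything mismatched.
aif_sysctl_audit() {
  procsys=${2:-/proc/sys}; rc=0
  while read -r key want; do
    [ -n "$key" ] || continue
    path="$procsys/$(printf '%s' "$key" | tr . /)"
    if [ ! -r "$path" ]; then echo "MISSING $key"; continue; fi
    got=$(tr '\t' ' ' < "$path")
    if [ "$got" != "$want" ]; then echo "MISMATCH $key want=$want got=$got"; rc=1; fi
  done <<EOF
$(aif_sysctl_policy "$1")
EOF
  return $rc
}

# Usage (no root needed to read /proc/sys):
#   aif_sysctl_audit "$(cat /etc/arno-iptables-firewall/firewall.conf)"
```

# A MISMATCH on rp_filter or accept_source_route after the firewall has
# started usually means something else (a VPN helper, a container runtime,
# a later sysctl.d drop-in) rewrote the knob; the audit shows which one.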
  661 
  662 ################################################################################
  663 # Firewall policies for the LAN (EXPERT SETTINGS!)                             #
  664 ################################################################################
  665 
  666 ################################################################################
  667 # LAN_xxx = LAN->localhost(this machine) input access rules                    #
  668 #                                                                              #
  669 # Note that when both LAN_OPEN_xxx & LAN_HOST_OPEN_xxx are NOT used, the       #
  670 # default policy for this chain is accept (unless denied through               #
  671 # LAN_DENY_xxx and/or LAN_HOST_DENY_xxx)!                                      #
  672 ################################################################################
  673 
  674 # Disable this (set to "") to automatically set default policy as above.
  675 # When set to "1" the LAN->localhost default policy will always be DROP
  676 # When set to "0" the LAN->localhost default policy will always be ACCEPT
  677 # ------------------------------------------------------------------------------
  678 LAN_DEFAULT_POLICY_DROP=""
  679 
  680 # Enable this to allow for ICMP-requests(ping) from your LAN
  681 # ------------------------------------------------------------------------------
  682 LAN_OPEN_ICMP=1
  683 
   684 # Put in the following variables the TCP/UDP ports or IP protocols (on this
   685 # machine, the remote end-point) which the LAN hosts are permitted to connect to.
  686 # ------------------------------------------------------------------------------
  687 LAN_OPEN_TCP=""
  688 LAN_OPEN_UDP=""
  689 LAN_OPEN_IP=""
  690 
   691 # Put in the following variables the TCP/UDP ports or IP protocols (on this
   692 # machine, the remote end-point) which LAN hosts are NOT permitted to connect to.
  693 # ------------------------------------------------------------------------------
  694 LAN_DENY_TCP=""
  695 LAN_DENY_UDP=""
  696 LAN_DENY_IP=""
  697 
   698 # Put in the following variables the TCP/UDP ports or IP
   699 # protocols (on this machine, the remote end-point) which certain LAN hosts
   700 # are permitted to connect to.
   701 #
   702 # TCP/UDP port format (LAN_HOST_OPEN_TCP & LAN_HOST_OPEN_UDP):
   703 #       "host1,host2~port1,port2 host3,host4~port3,port4 ..."
   704 #
   705 # IP protocol format (LAN_HOST_OPEN_IP):
   706 #       "host1,host2~proto1,proto2 host3,host4~proto3,proto4 ..."
  707 # ------------------------------------------------------------------------------
  708 LAN_HOST_OPEN_TCP=""
  709 LAN_HOST_OPEN_UDP=""
  710 LAN_HOST_OPEN_IP=""
  711 
   712 # Put in the following variables the TCP/UDP ports or IP protocols (on this
   713 # machine, the remote end-point) which certain LAN hosts are NOT permitted to connect to.
   714 #
   715 # TCP/UDP port format (LAN_HOST_DENY_TCP & LAN_HOST_DENY_UDP):
   716 #       "host1,host2~port1,port2 host3,host4~port3,port4 ..."
   717 #
   718 # IP protocol format (LAN_HOST_DENY_IP):
   719 #       "host1,host2~proto1,proto2 host3,host4~proto3,proto4 ..."
  720 # ------------------------------------------------------------------------------
  721 LAN_HOST_DENY_TCP=""
  722 LAN_HOST_DENY_UDP=""
  723 LAN_HOST_DENY_IP=""
  724 
  725 
  726 ################################################################################
  727 # LAN_LAN_xxx  = LAN->LAN access rules (forward)                               #
  728 ################################################################################
  729 
  730 # Put in the following variables which LAN hosts you want to allow to certain
  731 # hosts/services on a different LAN (net).
  732 #
  733 # TCP/UDP form:
  734 #       "SRCIP1,SRCIP2,...>DESTIP1~port \
  735 #        SRCIP3,...>DESTIP2~port"
  736 #
  737 # IP form:
  738 #       "SRCIP1,SRCIP2,...>DESTIP1~protocol \
  739 #        SRCIP3,...>DESTIP2~protocol"
  740 #
  741 # TCP/UDP examples:
  742 # Simple (Allow port 80 to LAN host 1.2.3.4 from all other LAN hosts(0/0)):
  743 #       LAN_LAN_HOST_OPEN_xxx="0/0>1.2.3.4~80"
  744 # Advanced (Allow port 20 & 21 to LAN host 1.2.3.4 from all other LAN hosts
  745 #           (0/0) and allow port 80 from LAN host 5.6.7.8 (only) to LAN host
  746 #           1.2.3.4):
  747 #       LAN_LAN_HOST_OPEN_xxx="0/0>1.2.3.4~20,21 5.6.7.8>1.2.3.4~80"
  748 #
  749 # IP protocol example:
  750 #       (Allow protocols 47 & 48 to LAN host 1.2.3.4 from all other LAN hosts
  751 #        (0/0)):
  752 #       LAN_LAN_HOST_OPEN_IP="0/0>1.2.3.4~47,48"
  753 #
  754 # NOTE 1: If no SRCIPx is specified, any source host is used
  755 # NOTE 2: If no port is specified, any port is used
  756 # ------------------------------------------------------------------------------
  757 LAN_LAN_HOST_OPEN_TCP=""
  758 LAN_LAN_HOST_OPEN_UDP=""
  759 LAN_LAN_HOST_OPEN_IP=""
  760 
  761 
  762 ################################################################################
  763 # LAN_INET_xxx = LAN->internet access rules (forward)                          #
  764 #                                                                              #
  765 # Note that when the LAN_INET_OPEN_xxx & LAN_INET_HOST_OPEN_xxx variables are  #
  766 # NOT used, the default policy will be accept for LAN->INET (unless denied     #
  767 # through LAN_INET_DENY_xxx and/or LAN_INET_HOST_DENY_xxx)!                    #
  768 ################################################################################
  769 
  770 # Disable this (set to "") to automatically set default policy as above.
  771 # When set to "1" the LAN->INET default policy will always be DROP
  772 # When set to "0" the LAN->INET default policy will always be ACCEPT
  773 # ------------------------------------------------------------------------------
  774 LAN_INET_DEFAULT_POLICY_DROP=""
  775 
  776 # Enable this to allow for ICMP-requests(ping) for LAN->INET
  777 # ------------------------------------------------------------------------------
  778 LAN_INET_OPEN_ICMP=1
  779 
  780 # Put in the following variables the TCP/UDP ports or IP
  781 # protocols TO (remote end-point) which the LAN hosts are
  782 # permitted to connect to via the external (internet) interface.
  783 # ------------------------------------------------------------------------------
  784 LAN_INET_OPEN_TCP=""
  785 LAN_INET_OPEN_UDP=""
  786 LAN_INET_OPEN_IP=""
  787 
  788 # Put in the following variables the TCP/UDP ports or IP protocols TO (remote
  789 # end-point) which the LAN hosts are NOT permitted to connect to
  790 # via the external (internet) interface. Examples of usage are for blocking
  791 # IRC (TCP 6666:6669) for the internal network.
  792 # ------------------------------------------------------------------------------
  793 LAN_INET_DENY_TCP=""
  794 LAN_INET_DENY_UDP=""
  795 LAN_INET_DENY_IP=""
  796 
  797 # Put in the following variables which LAN hosts you want to allow to certain
  798 # hosts/services on the internet. By default all services are allowed.
  799 #
  800 # TCP/UDP form:
  801 #       "SRCIP1,SRCIP2,...>DESTIP1~port \
  802 #        SRCIP3,...>DESTIP2~port"
  803 #
  804 # IP form:
  805 #       "SRCIP1,SRCIP2,...>DESTIP1~protocol \
  806 #        SRCIP3,...>DESTIP2~protocol"
  807 #
  808 # TCP/UDP examples:
  809 # Simple:
  810 #       (Allow port 80 on INET host 1.2.3.4 for all LAN hosts(0/0)):
  811 #       LAN_INET_HOST_OPEN_xxx="0/0>1.2.3.4~80"
  812 # Advanced:
  813 #       (Allow port 20 & 21 on INET host 1.2.3.4 for all LAN hosts(0/0) and
  814 #        allow port 80 on INET host 1.2.3.4 for LAN host 192.168.0.10 (only)):
   815 #       LAN_INET_HOST_OPEN_xxx="0/0>1.2.3.4~20,21 192.168.0.10>1.2.3.4~80"
  816 #
  817 # IP protocol example:
  818 #       (Allow protocols 47 & 48 on INET host 1.2.3.4 for all LAN hosts(0/0))
  819 #       LAN_INET_HOST_OPEN_IP="0/0>1.2.3.4~47,48"
  820 #
  821 # NOTE 1: If no SRCIPx is specified, any source host is used
  822 # NOTE 2: If no port is specified, any port is used
  823 # ------------------------------------------------------------------------------
  824 LAN_INET_HOST_OPEN_TCP=""
  825 LAN_INET_HOST_OPEN_UDP=""
  826 LAN_INET_HOST_OPEN_IP=""
  827 
   828 # Put in the following variables which LAN hosts you want to deny to certain
   829 # hosts/services on the internet.
  830 #
  831 # TCP/UDP form:
  832 #       "SRCIP1,SRCIP2,...>DESTIP1~port \
  833 #        SRCIP3,...>DESTIP2~port"
  834 #
  835 # IP form:
  836 #       "SRCIP1,SRCIP2,...>DESTIP1~protocol \
  837 #        SRCIP3,...>DESTIP2~protocol"
  838 #
  839 # TCP/UDP examples:
  840 # Simple (Deny port 80 on INET host 1.2.3.4 for all LAN hosts(0/0)):
  841 #       LAN_INET_HOST_DENY_xxx="0/0>1.2.3.4~80"
  842 # Advanced (Deny port 20 & 21 on INET host 1.2.3.4 for all LAN hosts(0/0) and
  843 #           deny port 80 on INET host 1.2.3.4 for LAN host 192.168.0.10 (only)):
  844 #       LAN_INET_HOST_DENY_xxx="0/0>1.2.3.4~20,21 192.168.0.10>1.2.3.4~80"
  845 #
  846 # IP protocol example:
  847 #       (Deny protocols 47 & 48 on INET host 1.2.3.4 for all LAN hosts(0/0)):
  848 #       LAN_INET_HOST_DENY_IP="0/0>1.2.3.4~47,48"
  849 #
  850 # NOTE 1: If no SRCIPx is specified, any source host is used
  851 # NOTE 2: If no port is specified, any port is used
  852 # ------------------------------------------------------------------------------
  853 LAN_INET_HOST_DENY_TCP=""
  854 LAN_INET_HOST_DENY_UDP=""
  855 LAN_INET_HOST_DENY_IP=""
  856 
  857 
  858 ################################################################################
  859 # Firewall policies for the DMZ (EXPERT SETTINGS!)                             #
  860 ################################################################################
  861 
  862 ################################################################################
  863 # DMZ_xxx      = DMZ->localhost(this machine) input access rules               #
  864 ################################################################################
  865 
  866 # Enable this to allow ICMP-requests(ping) from the DMZ
  867 # ------------------------------------------------------------------------------
  868 DMZ_OPEN_ICMP=1
  869 
   870 # Put in the following variables the TCP/UDP ports or IP protocols (on this
   871 # machine) which DMZ hosts are permitted to connect to (ICMP: see DMZ_OPEN_ICMP).
   872 # By default all (local) services are blocked for DMZ hosts.
  873 # ------------------------------------------------------------------------------
  874 DMZ_OPEN_TCP=""
  875 DMZ_OPEN_UDP=""
  876 DMZ_OPEN_IP=""
  877 
  878 # Put in the following variables which DMZ hosts you want to allow for certain
  879 # services. By default all (local) services are blocked for DMZ hosts.
  880 # TCP/UDP port format (DMZ_HOST_OPEN_TCP & DMZ_HOST_OPEN_UDP):
  881 #       "host1,host2~port1,port2 host3,host4~port3,port4 ..."
  882 #
  883 # IP protocol format (DMZ_HOST_OPEN_IP):
  884 #       "host1,host2~proto1,proto2 host3,host4~proto3,proto4 ..."
  885 # ------------------------------------------------------------------------------
  886 DMZ_HOST_OPEN_TCP=""
  887 DMZ_HOST_OPEN_UDP=""
  888 DMZ_HOST_OPEN_IP=""
  889 
  890 
  891 ################################################################################
  892 # INET_DMZ_xxx = Internet->DMZ access rules (forward)                          #
  893 #                                                                              #
  894 # Note: As of Version 2.0.0 the default policy has changed to DROP             #
  895 # Previous to Version 2.0.0 the default policy was ACCEPT                      #
  896 ################################################################################
  897 
  898 # Enable this to make the default policy allow for ICMP(ping) for INET->DMZ
  899 # ------------------------------------------------------------------------------
  900 INET_DMZ_OPEN_ICMP=0
  901 
   902 # Put in the following variables the TCP/UDP ports or IP protocols in the DMZ
   903 # which (all) INET hosts are permitted to connect to.
  904 # ------------------------------------------------------------------------------
  905 INET_DMZ_OPEN_TCP=""
  906 INET_DMZ_OPEN_UDP=""
  907 INET_DMZ_OPEN_IP=""
  908 
   909 # Put in the following variables the TCP/UDP ports or IP protocols in the DMZ
   910 # which INET hosts are NOT permitted to connect to.
  911 # ------------------------------------------------------------------------------
  912 INET_DMZ_DENY_TCP=""
  913 INET_DMZ_DENY_UDP=""
  914 INET_DMZ_DENY_IP=""
  915 
  916 # Put in the following variables which INET hosts you want to allow to certain
  917 # hosts/services on the DMZ net. By default all services are dropped.
  918 #
  919 # TCP/UDP form:
  920 #       "SRCIP1,SRCIP2,...>DESTIP1~port \
  921 #        SRCIP3,...>DESTIP2~port"
  922 #
  923 # IP form:
  924 #       "SRCIP1,SRCIP2,...>DESTIP1~protocol \
  925 #        SRCIP3,...>DESTIP2~protocol"
  926 #
  927 # TCP/UDP examples:
  928 # Simple (Allow port 80 on DMZ host 1.2.3.4 for all INET hosts(0/0)):
  929 #       INET_DMZ_HOST_OPEN_xxx="0/0>1.2.3.4~80"
  930 # Advanced (Allow port 20 & 21 on DMZ host 1.2.3.4 for all INET hosts(0/0) and
  931 #           allow port 80 on DMZ host 1.2.3.4 for INET host 5.6.7.8 (only)):
  932 #       INET_DMZ_HOST_OPEN_xxx="0/0>1.2.3.4~20,21 5.6.7.8>1.2.3.4~80"
  933 #
  934 # IP protocol example:
   935 #       (Allow protocols 47 & 48 on DMZ host 1.2.3.4 for all INET hosts(0/0)):
  936 #       INET_DMZ_HOST_OPEN_IP="0/0>1.2.3.4~47,48"
  937 #
  938 # NOTE 1: If no SRCIPx is specified, any source host is used
  939 # NOTE 2: If no port is specified, any port is used
  940 # ------------------------------------------------------------------------------
  941 INET_DMZ_HOST_OPEN_TCP=""
  942 INET_DMZ_HOST_OPEN_UDP=""
  943 INET_DMZ_HOST_OPEN_IP=""
  944 
  945 # Put in the following variables which INET hosts you want to deny to certain
  946 # hosts/services on the DMZ net.
  947 #
  948 # TCP/UDP form:
  949 #       "SRCIP1,SRCIP2,...>DESTIP1~port \
  950 #        SRCIP3,...>DESTIP2~port"
  951 #
  952 # IP form:
  953 #       "SRCIP1,SRCIP2,...>DESTIP1~protocol \
  954 #        SRCIP3,...>DESTIP2~protocol"
  955 #
  956 # TCP/UDP examples:
  957 # Simple (Deny port 80 on DMZ host 1.2.3.4 for all INET hosts(0/0)):
  958 #       INET_DMZ_HOST_DENY_xxx="0/0>1.2.3.4~80"
  959 # Advanced (Deny port 20 & 21 on DMZ host 1.2.3.4 for all INET hosts(0/0) and
  960 #           deny port 80 on DMZ host 1.2.3.4 for INET host 5.6.7.8 (only)):
  961 #       INET_DMZ_HOST_DENY_xxx="0/0>1.2.3.4~20,21 5.6.7.8>1.2.3.4~80"
  962 #
  963 # IP protocol example:
  964 #       (Deny protocols 47 & 48 on DMZ host 1.2.3.4 for all INET hosts):
  965 #       INET_DMZ_HOST_DENY_IP="0/0>1.2.3.4~47,48"
  966 #
  967 # NOTE 1: If no SRCIPx is specified, any source host is used
  968 # NOTE 2: If no port is specified, any port is used
  969 # ------------------------------------------------------------------------------
  970 INET_DMZ_HOST_DENY_TCP=""
  971 INET_DMZ_HOST_DENY_UDP=""
  972 INET_DMZ_HOST_DENY_IP=""
  973 
  974 
  975 ################################################################################
  976 # DMZ_INET_xxx = DMZ->internet access rules (forward)                          #
  977 #                                                                              #
  978 # Note that when the DMZ_INET_OPEN_xxx & DMZ_INET_HOST_OPEN_xxx variables are  #
  979 # NOT used, the default policy will be accept for DMZ->INET (unless denied     #
  980 # through DMZ_INET_DENY_xxx and/or DMZ_INET_HOST_DENY_xxx)!                    #
  981 ################################################################################
  982 
  983 # Disable this (set to "") to automatically set default policy as above.
  984 # When set to "1" the DMZ->INET default policy will always be DROP
  985 # When set to "0" the DMZ->INET default policy will always be ACCEPT
  986 # ------------------------------------------------------------------------------
  987 DMZ_INET_DEFAULT_POLICY_DROP=""
  988 
  989 # Enable this to make the default policy allow for ICMP(ping) for DMZ->INET
  990 # ------------------------------------------------------------------------------
  991 DMZ_INET_OPEN_ICMP=1
  992 
  993 # Put in the following variables the TCP/UDP ports or IP
  994 # protocols TO (remote end-point) which the DMZ hosts are
  995 # permitted to connect to via the external (internet) interface.
  996 # ------------------------------------------------------------------------------
  997 DMZ_INET_OPEN_TCP=""
  998 DMZ_INET_OPEN_UDP=""
  999 DMZ_INET_OPEN_IP=""
 1000 
 1001 # Put in the following variables the TCP/UDP ports or IP protocols TO (remote
 1002 # end-point) which the DMZ hosts are NOT permitted to connect to
  1003 # via the external (internet) interface. Examples of usage are for blocking
  1004 # IRC (TCP 6666:6669) for the DMZ.
 1005 # ------------------------------------------------------------------------------
 1006 DMZ_INET_DENY_TCP=""
 1007 DMZ_INET_DENY_UDP=""
 1008 DMZ_INET_DENY_IP=""
 1009 
 1010 # Put in the following variables which DMZ hosts you want to allow to certain
 1011 # hosts/services on the internet. By default all services are allowed.
 1012 #
 1013 # TCP/UDP form:
 1014 #       "SRCIP1,SRCIP2,...>DESTIP1~port \
 1015 #        SRCIP3,...>DESTIP2~port"
 1016 #
 1017 # IP form:
 1018 #       "SRCIP1,SRCIP2,...>DESTIP1~protocol \
  1019 #        SRCIP3,...>DESTIP2~protocol"
 1020 #
 1021 # TCP/UDP examples:
 1022 # Simple (Allow port 80 on INET host 1.2.3.4 for all DMZ hosts(0/0)):
 1023 #       DMZ_INET_HOST_OPEN_xxx="0/0>1.2.3.4~80"
 1024 # Advanced (Allow port 20 & 21 on INET host 1.2.3.4 for all DMZ hosts(0/0) and
 1025 #           allow port 80 on INET host 1.2.3.4 for DMZ host 5.6.7.8 (only)):
 1026 #       DMZ_INET_HOST_OPEN_xxx="0/0>1.2.3.4~20,21 5.6.7.8>1.2.3.4~80"
 1027 #
 1028 # IP protocol example:
 1029 #       (Allow protocols 47 & 48 on INET host 1.2.3.4 for all DMZ hosts):
 1030 #       DMZ_INET_HOST_OPEN_IP="0/0>1.2.3.4~47,48"
 1031 #
 1032 # NOTE 1: If no SRCIPx is specified, any source host is used
 1033 # NOTE 2: If no port is specified, any port is used
 1034 # ------------------------------------------------------------------------------
 1035 DMZ_INET_HOST_OPEN_TCP=""
 1036 DMZ_INET_HOST_OPEN_UDP=""
 1037 DMZ_INET_HOST_OPEN_IP=""
 1038 
 1039 # Put in the following variables which DMZ hosts you want to deny to certain
 1040 # hosts/services on the internet.
 1041 #
 1042 # TCP/UDP form:
 1043 #       "SRCIP1,SRCIP2,...>DESTIP1~port \
 1044 #        SRCIP3,...>DESTIP2~port"
 1045 #
 1046 # IP form:
 1047 #       "SRCIP1,SRCIP2,...>DESTIP1~protocol \
 1048 #        SRCIP3,...>DESTIP2~protocol"
 1049 #
 1050 # TCP/UDP examples:
 1051 # Simple (Deny port 80 on INET host 1.2.3.4 for all DMZ hosts(0/0)):
 1052 #       DMZ_INET_HOST_DENY_xxx="0/0>1.2.3.4~80"
 1053 # Advanced (Deny port 20 & 21 on INET host 1.2.3.4 for all DMZ hosts(0/0) and
 1054 #           deny port 80 on INET host 1.2.3.4 for DMZ host 5.6.7.8 (only)):
 1055 #       DMZ_INET_HOST_DENY_xxx="0/0>1.2.3.4~20,21 5.6.7.8>1.2.3.4~80"
 1056 #
 1057 # IP protocol example:
 1058 #       (Deny protocols 47 & 48 on INET host 1.2.3.4 for all DMZ hosts(0/0)):
  1059 #       DMZ_INET_HOST_DENY_IP="0/0>1.2.3.4~47,48"
 1060 #
 1061 # NOTE 1: If no SRCIPx is specified, any source host is used
 1062 # NOTE 2: If no port is specified, any port is used
 1063 # ------------------------------------------------------------------------------
 1064 DMZ_INET_HOST_DENY_TCP=""
 1065 DMZ_INET_HOST_DENY_UDP=""
 1066 DMZ_INET_HOST_DENY_IP=""
 1067 
 1068 
 1069 ################################################################################
 1070 # DMZ_LAN_xxx  = DMZ->LAN access rules (forward)                               #
 1071 ################################################################################
 1072 
 1073 # Enable this to make the default policy allow for ICMP(ping) for DMZ->LAN
 1074 # ------------------------------------------------------------------------------
 1075 DMZ_LAN_OPEN_ICMP=0
 1076 
 1077 # Put in the following variables which DMZ hosts you want to allow to certain
 1078 # hosts/services on the LAN (net).
 1079 #
 1080 # TCP/UDP form:
 1081 #       "SRCIP1,SRCIP2,...>DESTIP1~port \
 1082 #        SRCIP3,...>DESTIP2~port"
 1083 #
 1084 # IP form:
 1085 #       "SRCIP1,SRCIP2,...>DESTIP1~protocol \
 1086 #        SRCIP3,...>DESTIP2~protocol"
 1087 #
 1088 # TCP/UDP examples:
 1089 # Simple (Allow port 80 on LAN host 1.2.3.4 for all DMZ hosts(0/0)):
 1090 #       DMZ_LAN_HOST_OPEN_xxx="0/0>1.2.3.4~80"
 1091 # Advanced (Allow port 20 & 21 on LAN host 1.2.3.4 for all DMZ hosts (0/0) and
 1092 #           allow port 80 for DMZ host 5.6.7.8 (only) on LAN host
 1093 #           1.2.3.4):
 1094 #       DMZ_LAN_HOST_OPEN_xxx="0/0>1.2.3.4~20,21 5.6.7.8>1.2.3.4~80"
 1095 #
 1096 # IP protocol example:
 1097 #       (Allow protocols 47 & 48 on LAN host 1.2.3.4 for all DMZ hosts(0/0)):
 1098 #       DMZ_LAN_HOST_OPEN_IP="0/0>1.2.3.4~47,48"
 1099 #
 1100 # NOTE 1: If no SRCIPx is specified, any source host is used
 1101 # NOTE 2: If no port is specified, any port is used
 1102 # ------------------------------------------------------------------------------
 1103 DMZ_LAN_HOST_OPEN_TCP=""
 1104 DMZ_LAN_HOST_OPEN_UDP=""
 1105 DMZ_LAN_HOST_OPEN_IP=""
 1106 
 1107 
 1108 ################################################################################
 1109 # Firewall policies for the external (inet) interface (default policy = drop)  #
 1110 ################################################################################
 1111 
  1112 # Put in the following variable which hosts (subnets) you want to have full
  1113 # access via your internet (EXT_IF) connection(!). This is especially meant for
  1114 # networks/servers which use NIS/NFS, as these protocols require all ports
  1115 # to be open.
  1116 # NOTE: Don't confuse this variable with the one used for internal nets.
 1117 # ------------------------------------------------------------------------------
 1118 FULL_ACCESS_HOSTS=""
 1119 
 1120 # Put in the following variable which TCP/UDP ports you don't want to
  1121 # see broadcasts from (eg. DHCP (67/68)) on your EXTERNAL interface. Note that
 1122 # to make this properly work you also need to set "EXTERNAL_NET"!
 1123 # ------------------------------------------------------------------------------
 1124 BROADCAST_TCP_NOLOG=""
 1125 #BROADCAST_UDP_NOLOG="67 68"
 1126 
 1127 # Put in the following variables which hosts you want to allow for certain
 1128 # services.
 1129 # TCP/UDP port format (HOST_OPEN_TCP & HOST_OPEN_UDP):
 1130 #       "host1,host2~port1,port2 host3,host4~port3,port4 ..."
 1131 #
 1132 # IP protocol format (HOST_OPEN_IP):
  1133 #       "host1,host2~proto1,proto2 host3,host4~proto3,proto4 ..."
 1134 #
 1135 # ICMP protocol format (HOST_OPEN_ICMP):
 1136 #       "host1 host2 ...."
 1137 # ------------------------------------------------------------------------------
 1138 HOST_OPEN_TCP=""
 1139 HOST_OPEN_UDP=""
 1140 HOST_OPEN_IP=""
 1141 HOST_OPEN_ICMP=""
 1142 
  1143 # Put in the following variables which hosts you want to DENY(DROP) for certain
  1144 # services (and logged).
  1145 #
 1146 # TCP/UDP port format (HOST_DENY_TCP & HOST_DENY_UDP):
 1147 #       "host1,host2~port1,port2 host3,host4~port3,port4 ..."
 1148 #
 1149 # IP protocol format (HOST_DENY_IP):
  1150 #       "host1,host2~proto1,proto2 host3,host4~proto3,proto4 ..."
 1151 #
 1152 # ICMP protocol format (HOST_DENY_ICMP):
 1153 #       "host1 host2 ...."
 1154 # ------------------------------------------------------------------------------
 1155 HOST_DENY_TCP=""
 1156 HOST_DENY_UDP=""
 1157 HOST_DENY_IP=""
 1158 HOST_DENY_ICMP=""
 1159 
 1160 # Put in the following variables which hosts you want to DENY(DROP) for certain
 1161 # services but NOT logged.
 1162 # TCP/UDP port format (HOST_DENY_xxx_NOLOG):
 1163 #       "host1,host2~port1,port2 host3,host4~port3,port4 ..."
 1164 #
 1165 # IP protocol format (HOST_DENY_IP_NOLOG):
  1166 #       "host1,host2~proto1,proto2 host3,host4~proto3,proto4 ..."
 1167 #
 1168 # ICMP protocol format (HOST_DENY_ICMP_NOLOG):
 1169 #       "host1 host2 ...."
 1170 # ------------------------------------------------------------------------------
 1171 HOST_DENY_TCP_NOLOG=""
 1172 HOST_DENY_UDP_NOLOG=""
 1173 HOST_DENY_IP_NOLOG=""
 1174 HOST_DENY_ICMP_NOLOG=""
 1175 
 1176 # Put in the following variables which hosts you want to REJECT (instead of
 1177 # DROP) for certain TCP/UDP ports.
 1178 # TCP/UDP port format (HOST_REJECT_xxx):
 1179 #       "host1,host2~port1,port2 host3,host4~port3,port4 ..."
 1180 # ------------------------------------------------------------------------------
 1181 HOST_REJECT_TCP=""
 1182 HOST_REJECT_UDP=""
 1183 
 1184 # Put in the following variables which hosts you want to REJECT (instead of
 1185 # DROP) for certain services but NOT logged.
 1186 # TCP/UDP port format (HOST_REJECT_xxx_NOLOG):
 1187 #       "host1,host2~port1,port2 host3,host4~port3,port4 ..."
 1188 # ------------------------------------------------------------------------------
 1189 HOST_REJECT_TCP_NOLOG=""
 1190 HOST_REJECT_UDP_NOLOG=""
 1191 
 1192 # Put in the following variables which services THIS machine is NOT
 1193 # permitted to connect TO (remote end-point) via the external (internet)
 1194 # interface. For example for blocking IRC (tcp 6666:6669).
 1195 # ------------------------------------------------------------------------------
 1196 DENY_TCP_OUTPUT=""
 1197 DENY_UDP_OUTPUT=""
 1198 DENY_IP_OUTPUT=""
 1199 
  1200 # Put in the following variables the hosts THIS machine is NOT permitted to
  1201 # connect TO for certain services (remote end-point)
 1202 # via the external (internet) interface. In principle you can also
 1203 # use this to put your machine in a "virtual-DMZ" by blocking all traffic
 1204 # to your local subnet.
 1205 # TCP/UDP port format (HOST_DENY_TCP_OUTPUT & HOST_DENY_UDP_OUTPUT):
 1206 #       "host1,host2~port1,port2 host3,host4~port3,port4 ..."
 1207 #
 1208 # IP protocol format (HOST_DENY_IP_OUTPUT):
  1209 #       "host1,host2~proto1,proto2 host3,host4~proto3,proto4 ..."
 1210 # ------------------------------------------------------------------------------
 1211 HOST_DENY_TCP_OUTPUT=""
 1212 HOST_DENY_UDP_OUTPUT=""
 1213 HOST_DENY_IP_OUTPUT=""
 1214 
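# Added example (not part of AIF or of this config file): the shell functions
# below expand the "host1,host2~port1,port2" and "SRC>DST~port" rule strings
# used by the *_HOST_OPEN_*, *_HOST_DENY_* and HOST_DENY_*_OUTPUT variables
# throughout this file, refuse entries that would not mean what the author
# intended (a ":" where "~" was meant, a missing destination), and render the
# surviving entries as iptables commands. Field meanings follow the comments in
# this file; the chain names, the -j target and the multiport rendering are this
# example's own and are not how the AIF script builds its chains.

```shell
#!/bin/sh
# Added example, not part of AIF: expand and lint AIF host/port rule strings
# and render them as iptables commands. Chain/target names are the caller's.

# Validate an IPv4 host or CIDR token ("0/0" = any). IPv6 is out of scope.
aif_is_host() {
  h=$1
  case $h in 0/0) return 0 ;; ""|*[!0-9./]*) return 1 ;; esac
  ip=${h%%/*}; pfx=${h#*/}; [ "$pfx" = "$h" ] && pfx=32
  case $pfx in ""|*[!0-9]*) return 1 ;; esac
  set -- $(printf '%s' "$ip" | tr . ' ')
  [ $# -eq 4 ] || return 1
  for o in "$@"; do [ "$o" -le 255 ] || return 1; done
  if [ "$pfx" -le 32 ]; then return 0; fi
  return 1
}

# Validate a port or lo:hi port range token (1..65535).
aif_is_port() {
  case $1 in
    ""|*[!0-9:]*|:*|*:|*:*:*) return 1 ;;
    *:*) lo=${1%%:*}; hi=${1#*:} ;;
    *)   lo=$1; hi=$1 ;;
  esac
  if [ "$lo" -ge 1 ] && [ "$hi" -le 65535 ] && [ "$lo" -le "$hi" ]; then return 0; fi
  return 1
}

# aif_expand MODE SPEC: MODE is "input" (host~port form, the destination is
# this machine, printed as "local") or "forward" (SRC>DST~port form). Prints
# one "SRC DST PORTS" line per source host, or "BAD <entry>: <why>" for an
# entry that would be misread; returns 1 if any entry was bad.
# Missing SRC list = 0/0 (any host), missing port list = any (NOTE 1/2 above).
aif_expand() {
  mode=$1; bad=0
  for entry in $2; do
    hosts=$entry; ports=any; dst=local
    case $hosts in *~*) ports=${hosts#*~}; hosts=${hosts%%~*} ;; esac
    [ -n "$ports" ] || ports=any
    if [ "$mode" = forward ]; then
      case $hosts in
        *\>*) dst=${hosts#*\>}; hosts=${hosts%%\>*} ;;
        *) echo "BAD $entry: forward rules need SRC>DST"; bad=1; continue ;;
      esac
      if ! aif_is_host "$dst"; then echo "BAD $entry: destination '$dst'"; bad=1; continue; fi
    fi
    [ -n "$hosts" ] || hosts=0/0
    for p in $(printf '%s' "$ports" | tr , ' '); do
      if [ "$p" != any ] && ! aif_is_port "$p"; then echo "BAD $entry: port '$p'"; bad=1; continue 2; fi
    done
    for src in $(printf '%s' "$hosts" | tr , ' '); do
      if ! aif_is_host "$src"; then echo "BAD $entry: source '$src'"; bad=1; continue 2; fi
    done
    for src in $(printf '%s' "$hosts" | tr , ' '); do echo "$src $dst $ports"; done
  done
  return $bad
}

# aif_iptables CHAIN PROTO TARGET MODE SPEC: render SPEC as iptables commands.
# PROTO is tcp, udp, or "ip" (the *_IP variables, one rule per protocol
# number). Emits nothing and returns 1 if aif_expand flagged any entry, so a
# typo cannot silently turn into a looser rule.
aif_iptables() {
  chain=$1; proto=$2; target=$3
  out=$(aif_expand "$4" "$5") || { printf '%s\n' "$out" >&2; return 1; }
  printf '%s\n' "$out" | while read -r src dst ports; do
    base="iptables -A $chain"
    [ "$src" = 0/0 ] || base="$base -s $src"
    case $dst in local|0/0) ;; *) base="$base -d $dst" ;; esac
    if [ "$ports" = any ] && [ "$proto" = ip ]; then echo "$base -j $target"
    elif [ "$ports" = any ]; then echo "$base -p $proto -j $target"
    elif [ "$proto" = ip ]; then
      for p in $(printf '%s' "$ports" | tr , ' '); do echo "$base -p $p -j $target"; done
    else echo "$base -p $proto -m multiport --dports $ports -j $target"
    fi
  done
}

# Demo: the "Advanced" example from this file renders cleanly; the mistyped
# ":" entry is refused instead of silently becoming an any-protocol match.
aif_iptables INET_DMZ_FORWARD tcp ACCEPT forward "0/0>1.2.3.4~20,21 5.6.7.8>1.2.3.4~80" || :
aif_iptables DMZ_INET_FORWARD ip DROP forward "0/0>1.2.3.4:47,48" 2>&1 || :
```

# Run aif_expand over each *_HOST_* value before restarting the firewall; a
# "BAD" line means the entry would have been parsed into something other than
# the host/port pair you wrote.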
 1215 # This enables(1)/disables(0) IPv4 ICMP (ping) for the external net(s)
 1216 # Note: Other ICMP variables apply to both IPv4 and IPv6 unless otherwise noted.
 1217 # ------------------------------------------------------------------------------
 1218 OPEN_ICMP=0
 1219 
 1220 # This enables(1)/disables(0) IPv6 ICMPv6 for the external net(s)
 1221 # Note: Other ICMP variables apply to both IPv4 and IPv6 unless otherwise noted.
 1222 # ------------------------------------------------------------------------------
 1223 OPEN_ICMPV6=1
 1224 
 1225 # Enable (1) to make the default policy allow IPv6 ICMPv6
 1226 # Multicast Listener Discovery (RFC 2710, 3810) for INET access
 1227 # Note: Requires setting OPEN_ICMPV6=1 to apply.
 1228 # ------------------------------------------------------------------------------
 1229 OPEN_ICMPV6_MLD=0
 1230 
 1231 # Put in the following variables which ports or IP protocols you want to leave
 1232 # open to the whole world.
 1233 # ------------------------------------------------------------------------------
 1234 OPEN_TCP=""
 1235 OPEN_UDP=""
 1236 OPEN_IP=""
 1237 
 1238 # Put in the following variables the TCP/UDP ports you want to DENY(DROP) for
 1239 # everyone (and logged). Also use these variables if you want to log connection
 1240 # attempts to these ports from everyone (also trusted/full access hosts).
  1241 # In principle you don't need these variables, as everything is already blocked
  1242 # (denied) by default; they exist for consistency and for the logging above.
 1243 # ------------------------------------------------------------------------------
 1244 DENY_TCP=""
 1245 DENY_UDP=""
 1246 
 1247 # Put in the following variables which ports you want to DENY(DROP) for
 1248 # everyone but NOT logged. This is very useful if you have constant probes on
 1249 # the same port(s) over and over again (code red worm) and don't want your logs
 1250 # flooded with it.
 1251 # ------------------------------------------------------------------------------
 1252 DENY_TCP_NOLOG=""
 1253 DENY_UDP_NOLOG=""
 1254 
 1255 # Put in the following variables the TCP/UDP ports you want to REJECT (instead
 1256 # of DROP) for everyone (and logged).
 1257 # ------------------------------------------------------------------------------
 1258 REJECT_TCP=""
 1259 REJECT_UDP=""
 1260 
 1261 # Put in the following variables the TCP/UDP ports you want to REJECT (instead
 1262 # of DROP) for everyone but NOT logged.
 1263 # ------------------------------------------------------------------------------
 1264 REJECT_TCP_NOLOG=""
 1265 REJECT_UDP_NOLOG=""
 1266 
 1267 # Put in the following variable which hosts you want to block (blackhole,
 1268 # dropping every packet from the host).
 1269 # ------------------------------------------------------------------------------
 1270 BLOCK_HOSTS=""
 1271 
 1272 # Blocked Hosts are by default blocked in both Inbound and Outbound directions.
 1273 # If only Inbound blocking is desired, set to 0 to disable bidirectional
 1274 # blocking.
 1275 # ------------------------------------------------------------------------------
 1276 BLOCK_HOSTS_BIDIRECTIONAL=1
 1277 
 1278 # (EXPERT SETTING!) When using *.netset files, a default whitelist ipset for
 1279 # IPv4 (and IPv6) is created to ensure blocklist files do not inadvertently
 1280 # block normal local traffic. When undefined these variables default to include
 1281 # all Private (RFC1918), Link-Local and Multicast IP/Nets to be whitelisted.
 1282 # Define a space separated list of IPv4 (and IPv6) IP/Nets for custom defaults.
 1283 #
 1284 # Note: This option depends on BLOCK_NETSET_DIR being defined.
 1285 # ------------------------------------------------------------------------------
 1286 DEFAULT_NETSET_WHITELIST=""
 1287 DEFAULT_NETSET_WHITELISTV6=""
 1288 
 1289 # Uncomment & specify here the location of the file that contains a list of
 1290 # hosts(IPs) that should be BLOCKED. IP ranges can (only) be specified as
 1291 # w.x.y.z1-z2 (eg. 192.168.1.10-15). Note that the last line of this file
 1292 # should always contain a carriage-return (enter)!
 1293 # ------------------------------------------------------------------------------
 1294 #BLOCK_HOSTS_FILE="/etc/arno-iptables-firewall/blocked-hosts"
 1295 
 1296 # Uncomment & specify here the location of the directory that contains *.netset
 1297 # files containing IP addresses and/or Networks (CIDR notation) to be BLOCKED.
 1298 # Each .netset file may contain only one IP/Net entry per line, each IP/Net
 1299 # entry must start at the beginning of the line and any valid entry must be
 1300 # immediately followed by a new-line or a POSIX [[:space:]] character.
 1301 # File contents not matching an IP/Net will be ignored.
 1302 #
 1303 # File naming convention, use *v6.netset files for IPv6 entries, all other
 1304 # *.netset files default to IPv4. Filenames are limited to a maximum of
 1305 # 27 characters before the .netset suffix.
 1306 # Optional whitelist.netset, whitelistv6.netset files may contain IP/Net entries
 1307 # that will NOT be BLOCKED by other *.netset files. Automatically by default,
 1308 # all Private (RFC1918), Link-Local and Multicast IP/Nets will be whitelisted.
 1309 # See also: DEFAULT_NETSET_WHITELIST and DEFAULT_NETSET_WHITELISTV6
 1310 #
 1311 # Note: This option depends on IPTABLES_IPSET being enabled.
 1312 # ------------------------------------------------------------------------------
 1313 #BLOCK_NETSET_DIR="/etc/arno-iptables-firewall/blocklists"
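# The two list formats described above (the BLOCK_HOSTS_FILE w.x.y.z1-z2 range
# form and the *.netset parsing rules), worked through as an added example that
# is not part of AIF itself: it applies the stated rules to constructed sample
# input and flags entries the default RFC1918/link-local/multicast whitelist
# would exempt, which is the usual reason a netset entry silently has no effect.
# The whitelist set, the file names and the sample addresses are assumptions.

```python
import ipaddress
import re

# Constructed samples (not from the AIF project) in the two formats the config
# comments describe: BLOCK_HOSTS_FILE lines and a *.netset file.
BLOCKED_HOSTS_SAMPLE = "203.0.113.7\n198.51.100.10-15\n"
NETSET_SAMPLE = (
    "203.0.113.0/24\n"
    "198.51.100.42   trailing text after [[:space:]] is allowed\n"
    " 192.0.2.1\n"           # leading space: entry not at start of line, ignored
    "192.168.1.0/24\n"       # RFC1918: exempted by the default whitelist
    "203.0.113.99garbage\n"  # not followed by whitespace/newline, ignored
)
# Assumption: the IPv4 default whitelist is exactly what the
# DEFAULT_NETSET_WHITELIST comment names (RFC1918, link-local, multicast).
DEFAULT_WHITELIST_V4 = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "169.254.0.0/16", "224.0.0.0/4")]

def parse_netset(text, filename="blocklist.netset"):
    """Apply the *.netset rules and return (accepted, shadowed): entries that
    would be blocked, and entries the default whitelist would exempt."""
    want_v6 = filename.endswith("v6.netset")  # naming convention from the config
    accepted, shadowed = [], []
    for line in text.splitlines():
        m = re.match(r"^(\S+)(?:\s|$)", line)  # entry at column 0, then space/EOL
        if not m:
            continue
        try:
            net = ipaddress.ip_network(m.group(1), strict=False)
        except ValueError:
            continue  # content not matching an IP/Net is ignored
        if net.version != (6 if want_v6 else 4):
            continue
        if not want_v6 and any(net.subnet_of(w) for w in DEFAULT_WHITELIST_V4):
            shadowed.append(m.group(1))
        else:
            accepted.append(m.group(1))
    return accepted, shadowed

def expand_blocked_hosts(text):
    """Expand BLOCK_HOSTS_FILE entries; ranges use the w.x.y.z1-z2 form only."""
    hosts = []
    for line in (raw.strip() for raw in text.splitlines()):
        m = re.fullmatch(r"(\d+\.\d+\.\d+\.)(\d+)-(\d+)", line)
        if m:
            lo, hi = int(m.group(2)), int(m.group(3))
            hosts.extend(f"{m.group(1)}{z}" for z in range(lo, hi + 1))
        elif line and not line.startswith("#"):
            hosts.append(str(ipaddress.ip_address(line)))  # raises on bad input
    return hosts
```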