"Fossies" - the Fresh Open Source Software Archive 
Member "aif-2.1.1/etc/arno-iptables-firewall/firewall.conf" (16 Sep 2020, 58979 Bytes) of package /linux/privat/aif-2.1.1.tar.gz:
################################################################################
# You should put this config-file in /etc/arno-iptables-firewall/ #
################################################################################

# --------------------------- Configuration file -------------------------------
# -= Arno's Iptables Firewall (AIF) =-
# Single- & multi-homed firewall script with DSL/ADSL support
#
# (C) Copyright 2001-2019 by Arno van Amersfoort & Lonnie Abelbeck
# Homepage : https://rocky.eld.leidenuniv.nl/
# Email : arnova AT rocky DOT eld DOT leidenuniv DOT nl
# (note: you must remove all spaces and substitute the @ and the .
# at the proper locations!)
# ------------------------------------------------------------------------------
# This program is free software; you can redistribute it and/or
# modify it under the terms of the GNU General Public License
# version 2 as published by the Free Software Foundation.

# This program is distributed in the hope that it will be useful, but WITHOUT
# ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
# FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for
# more details.

# You should have received a copy of the GNU General Public License along with
# this program; if not, write to the Free Software Foundation Inc., 59 Temple
# Place - Suite 330, Boston, MA 02111-1307, USA.
# ------------------------------------------------------------------------------


################################################################################
# External (internet) interface settings #
################################################################################

# The external interface(s) that will be protected (and used as internet
# connection). This is probably ppp+ or dsl+ for non-transparent(!) (A)DSL
# modems, otherwise it's probably "ethX" (eg. eth0). Multiple interfaces should
# be space separated.
# ------------------------------------------------------------------------------
EXT_IF=""

# Enable if THIS machine (dynamically) obtains its IP through (IPv4) DHCP
# and possibly (IPv6) DHCPv6 (from your ISP)
# ------------------------------------------------------------------------------
EXT_IF_DHCP_IP=0

# Enable if THIS machine (dynamically) obtains its IP through (IPv6) DHCPv6
# and not (IPv4) DHCP. Applies only when EXT_IF_DHCP_IP is set to "0".
# (IPv6 Only)
# ------------------------------------------------------------------------------
EXT_IF_DHCPV6_IPV6=0

# (EXPERT SETTING!) Here you can override your external(!) IPv4 subnet(s).
# Normally these are (attempted to be) autodetected, so leaving this empty
# should work for most scenarios. This setting is used when eg. running a DHCP
# server on your external(!) interface. Multiple subnets should be space
# separated. Don't forget to specify a proper subnet mask
# (eg. /24, /16 or /8)! Also note that the order should match the order of
# your interfaces in EXT_IF!
# ------------------------------------------------------------------------------
#EXTERNAL_NET=""

# (EXPERT SETTING!) Here you can override the broadcast address(es) used for
# your external IPv4 subnet(s). Normally these are (attempted to be)
# autodetected, so leaving this empty should work for most scenarios. This
# setting is eg. used for the BROADCAST_XXX_NOLOG variables. Multiple addresses
# should be space separated.
# ------------------------------------------------------------------------------
#EXT_NET_BCAST_ADDRESS=""

# Enable if THIS MACHINE is running an IPv4 DHCP(BOOTP) server for a subnet
# on the external(!) interface. Note that you don't need this for internal
# subnets, as for these nets everything is accepted by default. Don't forget to
# configure the EXTERNAL_NET variable, to make this work. (IPv4 Only)
# ------------------------------------------------------------------------------
EXTERNAL_DHCP_SERVER=0

# Enable if THIS MACHINE is running an IPv6 DHCPv6 server for a Link-Local
# address on the external(!) interface. Note that you don't need this for
# internal subnets, as for these nets everything is accepted by default.
# (IPv6 Only)
# ------------------------------------------------------------------------------
EXTERNAL_DHCPV6_SERVER=0


################################################################################
# Internal (LAN) interface settings #
################################################################################

# Specify here your internal network (LAN) interface(s). Multiple(!) interfaces
# should be space separated. Remark this if you don't have any internal network
# interfaces. Note that by default ALL traffic is accepted from these
# interfaces. Traffic between multiple (separate) internal interfaces is
# blocked by default. Use the IF_TRUSTS setting (below) to enable traffic for
# those.
# ------------------------------------------------------------------------------
INT_IF=""

# Specify here the internal IPv4 subnet(s) which is/are connected to the
# internal interface(s). For multiple interfaces(!) you can either specify
# multiple subnets here or specify one big subnet for all internal interfaces.
# Note that this variable is mainly used for antispoofing.
# ------------------------------------------------------------------------------
#INTERNAL_NET="192.168.0.0/24"

# Set this variable to 0 to disable antispoof checking for the internal nets
# (EXPERT SETTING!)
# ------------------------------------------------------------------------------
INTERNAL_NET_ANTISPOOF=1

# (EXPERT SETTING!) Here you can specify the IPv4 address used for broadcasts
# on your internal subnet. You only need to set this option if you want to use
# the MAC filter AND you use a non-standard broadcast address
# (not *.255.255.255, *.*.255.255 or *.*.*.255)! So normally leaving
# this empty should work fine. Multiple addresses (if you have multiple
# internal nets) should be space separated.
# ------------------------------------------------------------------------------
#INT_NET_BCAST_ADDRESS=""


################################################################################
# DMZ (aka DeMilitarized Zone) settings #
################################################################################

# Put in the following variable the network interfaces that are DMZ-classified.
# You can also use this interface if you want to shield your Wireless network
# from your LAN.
# ------------------------------------------------------------------------------
DMZ_IF=""

# Specify here the subnet which is connected to the DMZ interface (DMZ_IF).
# For multiple interfaces(!) you can either specify multiple subnets here or
# specify one big subnet for all DMZ interfaces.
# ------------------------------------------------------------------------------
DMZ_NET=""

# Specify the LAN (INT_IF) interfaces that are allowed full access to the
# DMZ interface(s). (LAN to DMZ forwarding policy)
# If LAN_DMZ_ALLOW_IF is not defined, all the INT_IF interfaces will be allowed.
# ------------------------------------------------------------------------------
LAN_DMZ_ALLOW_IF=""

# Set this variable to 0 to disable antispoof checking for the DMZ nets
# (EXPERT SETTING!)
# ------------------------------------------------------------------------------
DMZ_NET_ANTISPOOF=1

################################################################################
# NAT (Masquerade, SNAT, DNAT) settings (IPv4 only!) #
################################################################################

# Enable this if you want to perform NAT (masquerading) for your internal
# network (LAN) (eg. share your internet connection with your internal
# net(s) connected to eg. INT_IF)
# ------------------------------------------------------------------------------
NAT=0

# (EXPERT SETTING!) In case you would like to use SNAT instead of
# MASQUERADING then uncomment and set the IP or IPs here of your static
# external address(es). Note that when multiple IPs are specified, SNAT
# multiroute is enabled (load balancing over multiple external (internet)
# interfaces, check the README file for more info).
# Note: The order of IPs must match the order of the associated interfaces
# in $EXT_IF (or $NAT_IF if defined).
# ------------------------------------------------------------------------------
#NAT_STATIC_IP="193.2.1.1"

# (EXPERT SETTING!) Use this variable only if you want to use specific
# external interface(s) for NAT. If not specified all interfaces in EXT_IF
# are used.
# ------------------------------------------------------------------------------
#NAT_IF=""

# (EXPERT SETTING!) Use this variable only if you want specific subnets or
# hosts to be able to access the internet. When no value is specified, your
# whole internal net will have access. In both cases it's obviously only
# meaningful when NAT is enabled. Note that you can also use this variable if
# you want to use NAT for your DMZ.
# ------------------------------------------------------------------------------
NAT_INTERNAL_NET="$INTERNAL_NET"

# (EXPERT SETTING!) Enable this if you want to be able to redirect local ports
# or protocols on your gateway using NAT forwards.
# ------------------------------------------------------------------------------
NAT_LOCAL_REDIRECT=0

# NAT TCP/UDP/IP forwards. Forward ports or protocols from the gateway to
# an internal client through (D)NAT. Note that you can also use these
# variables to forward ports to DMZ hosts.
#
# TCP/UDP form:
# "{SRCIP1,SRCIP2,...~}PORT1,PORT2-PORT3,...>DESTIP1{~port} \
# {SRCIP3,...~}PORT3,...>DESTIP2{~port}"
#
# IP form:
# "{SRCIP1,SRCIP2,...~}PROTO1,PROTO2,...>DESTIP1 \
# {SRCIP3~}PROTO3,PROTO4,...>DESTIP2"
#
# TCP/UDP port forward examples:
# Simple (forward port 80 to internal host 192.168.0.10):
# NAT_FORWARD_xxx="80>192.168.0.10 20,21>192.168.0.10"
# Advanced (forward port 20 & 21 to 192.168.0.10 and
# forward from 1.2.3.4 port 81 to 192.168.0.11 port 80):
# NAT_FORWARD_xxx="1.2.3.4~81>192.168.0.11~80"
#
# IP protocol forward example:
# (forward protocols 47 & 48 to 192.168.0.10)
# NAT_FORWARD_IP="47,48>192.168.0.10"
#
# NOTE 1: {~port} is optional. Use it to redirect a specific port to a
# different port on the internal client.
# NOTE 2: {SRCIPx} is optional. Use it to restrict access for specific source
# (inet) IP addresses.
# (IPv4 Only)
# ------------------------------------------------------------------------------
NAT_FORWARD_TCP=""
NAT_FORWARD_UDP=""
NAT_FORWARD_IP=""
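The NAT_FORWARD_TCP/UDP syntax above is easy to get subtly wrong (a stray "~", a "-" range, a forgotten source restriction), and the resulting DNAT rule is exactly what an outside host can reach. The following is an added example, not AIF's own code: it expands a NAT_FORWARD_xxx value into the iptables DNAT lines it implies and prints them, so a forward list can be reviewed before the firewall loads it. EXT_IF="eth0" is a constructed value and the iptables command shape (multiport DNAT in nat/PREROUTING) is this example's own rendering, not AIF's exact rule set.

```shell
#!/bin/sh
# Added example (not part of AIF): dry-run expansion of an AIF
# NAT_FORWARD_TCP/UDP spec "{SRCIPs~}PORTS>DESTIP{~port} ..." into the
# iptables DNAT rules it implies. Nothing is executed, only printed.
EXT_IF="eth0"   # constructed value for the dry run

# nat_forward_rules PROTO SPEC -> one "iptables ..." line per rule and source
nat_forward_rules() {
  proto="$1"
  spec="$2"
  for rule in $spec; do
    case "$rule" in
      *">"*) ;;
      *) printf 'bad rule "%s": missing ">"\n' "$rule" >&2; return 1 ;;
    esac
    lhs="${rule%%>*}"        # {SRCIP1,SRCIP2~}PORT1,PORT2-PORT3
    rhs="${rule#*>}"         # DESTIP{~port}
    srcs=""
    ports="$lhs"
    case "$lhs" in
      *~*) srcs="${lhs%%~*}"; ports="${lhs#*~}" ;;
    esac
    dest="${rhs%%~*}"
    case "$rhs" in
      *~*) dest="$dest:${rhs#*~}" ;;   # optional {~port} -> ip:port for DNAT
    esac
    # AIF writes port ranges as a-b; iptables multiport wants a:b
    dports=$(printf '%s' "$ports" | sed 's/-/:/g')
    case "$dports" in
      ""|*[!0-9,:]*)
        printf 'bad rule "%s": ports must be numeric\n' "$rule" >&2
        return 1 ;;
    esac
    if [ -z "$srcs" ]; then
      # No {SRCIPs~} prefix: the forward is reachable from any source
      printf 'iptables -t nat -A PREROUTING -i %s -p %s -m multiport --dports %s -j DNAT --to-destination %s\n' \
        "$EXT_IF" "$proto" "$dports" "$dest"
    else
      # {SRCIP1,SRCIP2~} restricts the forward: one rule per listed source
      old_ifs="$IFS"; IFS=','
      for src in $srcs; do
        printf 'iptables -t nat -A PREROUTING -i %s -p %s -s %s -m multiport --dports %s -j DNAT --to-destination %s\n' \
          "$EXT_IF" "$proto" "$src" "$dports" "$dest"
      done
      IFS="$old_ifs"
    fi
  done
}

# Dry-run the two examples given in the comments above
nat_forward_rules tcp "80>192.168.0.10 20,21>192.168.0.10"
nat_forward_rules tcp "1.2.3.4~81>192.168.0.11~80"
```

Run it with `sh` and compare the printed rules with what you intended to expose; a rule without `-s` is open to the whole internet.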
218
219 # TCP/UDP/IP forwards. Forward IPv6 and non-NAT'ed IPv4 ports or protocols
220 # from the gateway to an internal client. Note that you can also use these
221 # variables to forward ports to DMZ hosts.
222 #
223 # TCP/UDP form:
224 # "SRCIP1,SRCIP2,...>DESTIP1{~port} \
225 # SRCIP3,...>DESTIP2{~port}"
226 #
227 # IP form:
228 # "SRCIP1,SRCIP2,...>DESTIP1~PROTO \
229 # SRCIP3,...>DESTIP2~PROTO"
230 #
231 # TCP/UDP port forward examples:
232 # Simple (IPv6 forward port 80 to internal host 2001:db8::2):
233 # INET_FORWARD_TCP="::/0>2001:db8::2~80"
234 # Simple (IPv4 non-NAT forward port 80 to internal host 192.168.0.10):
235 # INET_FORWARD_TCP="0/0>192.168.0.10~80"
236 # Advanced (forward all UDP ports for 2000::/3 net to 2001:db8::/32 net):
237 # INET_FORWARD_UDP="2000::/3>2001:db8::/32"
238 #
239 # IP protocol forward example:
240 # (forward protocol 58 (ICMPv6) to 2001:db8::2)
241 # INET_FORWARD_IP="::/0>2001:db8::2~58"
242 #
243 # (IPv6 and non-NAT'ed IPv4 Only)
244 # ------------------------------------------------------------------------------
245 INET_FORWARD_TCP=""
246 INET_FORWARD_UDP=""
247 INET_FORWARD_IP=""
248
249
250 ################################################################################
251 # General settings #
252 ################################################################################
253
254 # Most people don't want to get any firewall logs being spit to the console.
255 # This option makes the kernel ring buffer only log messages with level
256 # "panic".
257 # ------------------------------------------------------------------------------
258 DMESG_PANIC_ONLY=1
259
260 # Enable this if you want TOS mangling (RFC)
261 # ------------------------------------------------------------------------------
262 MANGLE_TOS=0
263
264 # Enable this if you want to set the maximum packet size via the
265 # Maximum Segment Size(through MSS field)
266 # ------------------------------------------------------------------------------
267 SET_MSS=1
268
269 # Enable this if you want to increase the TTL value by one in the prerouting
270 # chain. This hides the firewall when performing eg. traceroutes to internal
271 # hosts. (IPv4 only!)
272 # ------------------------------------------------------------------------------
273 TTL_INC=0
274
275 # (EXPERT SETTING!) Enable this if you want to set the TTL value for packets in
276 # the OUTPUT & FORWARD chain. Note that this only works with newer 2.6 kernels
277 # (2.6.14 or better) or patched 2.4 kernels, which have netfilter TTL target
278 # support. Don't mess with this unless you really know what you are doing!
279 # (IPv4 only!)
280 # ------------------------------------------------------------------------------
281 #PACKET_TTL="64"
282
283 # (EXPERT SETTING!) Enable this if you want our internal DNS functions to fail
284 # "fast". This means a query will be tried only once and times out after 1
285 # second, the default is 3 tries and a 5 second timeout.
286 # Note: The command 'dig' is preferred, 'nslookup' will be used if 'dig' is not
287 # available, though the BusyBox 'nslookup' is not supported with this option
288 # ------------------------------------------------------------------------------
289 DNS_FAST_FAIL=0
290
291 # (EXPERT SETTING!) This option sets to maximum allowed age of (previously)
292 # resolved host names. Defaults to 10 minutes
293 # ------------------------------------------------------------------------------
294 DNS_MAX_AGE=10
295
296 # (EXPERT SETTING!) This value defines the threshold for the amount of
297 # allowed successive cache fallbacks with dns failures
298 # ------------------------------------------------------------------------------
299 DNS_FAIL_THRESHOLD=4
300
301 # Enable this to support the IRC-protocol
302 # ------------------------------------------------------------------------------
303 USE_IRC=0
304
305 # (EXPERT SETTING!) Loosen the forward chain for the external interface(s).
306 # Enable it to allow the use of protocols like UPnP. Note that it *could* be
307 # less secure
308 # ------------------------------------------------------------------------------
309 LOOSE_FORWARD=0
310
311 # (EXPERT SETTING!) Enable (1) to allow IPv6 Link-Local addresses to be
312 # forwarded between interfaces. (IPv6 Only)
313 # ------------------------------------------------------------------------------
314 FORWARD_LINK_LOCAL=0
315
316 # (EXPERT SETTING!) Disable (0) to not drop all IPv6 packets with
317 # Routing Header Type 0. Enabled by default. (IPv6 Only)
318 # ------------------------------------------------------------------------------
319 IPV6_DROP_RH_ZERO=1
320
321 # (EXPERT SETTING!) Enable this if you want to drop packets originating from a
322 # private address.
323 # Note: To enable logging of dropped private addresses set RESERVED_NET_LOG=1
324 # ------------------------------------------------------------------------------
325 RESERVED_NET_DROP=0
326
327 # (EXPERT SETTING!) Protect this machine from being abused for a DRDOS-attack
328 # ("Distributed Reflection Denial Of Service"-attack). (STILL EXPERIMENTAL!)
329 # ------------------------------------------------------------------------------
330 DRDOS_PROTECT=0
331
332 # Enable (1) if you want to enable mixed IPv4/IPv6 traffic support
333 # Disable (0) if you want to enable only IPv4 traffic support
334 # ------------------------------------------------------------------------------
335 IPV6_SUPPORT=0
336
337 # This option fixes problems with SMB broadcasts when using nmblookup
338 # ------------------------------------------------------------------------------
339 NMB_BROADCAST_FIX=0
340
341 # Set this to 0 to suppress "assuming module is compiled in kernel" messages
342 # ------------------------------------------------------------------------------
343 COMPILED_IN_KERNEL_MESSAGES=1
344
345 # (EXPERT SETTING!) You can choose the default policy for the INPUT & FORWARD
346 # chain here (1=DROP, 0=ACCEPT). The default policy is DROP. This means that
347 # when there are no rule(s) available (yet), the packet will be DROPPED. In
348 # practice this rule only does something while the firewall is starting. Once
349 # it's started and all rules are in place, the default policy doesn't do
350 # anything anymore. People that use eg. NFS and let their clients boot from NFS
351 # (diskless client systems) probably want to disable this option to fix
352 # "NFS server not responding" etc. errors on their clients.
353 # ------------------------------------------------------------------------------
354 DEFAULT_POLICY_DROP=1
355
356 # (EXPERT SETTING!) (Other) trusted network interfaces for which ALL IP
357 # traffic should be ACCEPTED. (multiple(!) interfaces should be space
358 # separated). Be warned that anything TO and FROM these interfaces is allowed
359 # (ACCEPTED) so make sure it's NOT routable(accessible) from the outside world
360 # (internet)! And of course putting one of your external interfaces here would
361 # be extremely stupid.
362 # ------------------------------------------------------------------------------
363 TRUSTED_IF=""
364
365 # (EXPERT SETTING!) Put here the interfaces that should trust each other
366 # (accept forward traffic). Use this to e.g. create trusts between multiple
367 # internal interfaces/subnets. You can use | (piping-sign) to create
368 # seperate trust groups. And of course putting one of your external
369 # interfaces here would be extremely stupid.
370 # ------------------------------------------------------------------------------
371 IF_TRUSTS=""
372
373 # Location of the custom iptables rules file (if any).
374 # ------------------------------------------------------------------------------
375 CUSTOM_RULES="/etc/arno-iptables-firewall/custom-rules"
376
377 # Location of the local (user/global) configuration file, if used
378 # ------------------------------------------------------------------------------
379 LOCAL_CONFIG_FILE=""
380
381 # Location of the local directory, if defined, containing *.conf file(s)
382 # in that directory, and sources them for configuration variables.
383 # Note: An undefined LOCAL_CONFIG_DIR variable defaults to the default below.
384 # ------------------------------------------------------------------------------
385 LOCAL_CONFIG_DIR="/etc/arno-iptables-firewall/conf.d"
386
387 # (EXPERT SETTING!) Set this (to 1) to enable the use of ipset to efficiently
388 # match a large block of IPv4/IPv6 addresses/nets. Much faster when enabled.
389 # BLOCK_NETSET_DIR, BLOCK_HOSTS and BLOCK_HOSTS_FILE utilizes this feature.
390 # ------------------------------------------------------------------------------
391 #IPTABLES_IPSET=0
392
393 # (EXPERT SETTING!) Set tunable options when IPTABLES_IPSET is enabled.
394 # Adjust the default values if there are more than 100,000 block hosts.
395 # ------------------------------------------------------------------------------
396 #IPTABLES_IPSET_HASHSIZE=2048
397 #IPTABLES_IPSET_MAXELEM=131072
398
399 # (EXPERT SETTING!) Set this (to 1) to disable the use of iptables-save and
400 # iptables-restore to add rules in batch rather than one-by-one. Much slower
401 # when disabled. BLOCK_HOSTS and BLOCK_HOSTS_FILE utilizes this feature.
402 # Note: This option is ignored when IPTABLES_IPSET is enabled.
403 # ------------------------------------------------------------------------------
404 DISABLE_IPTABLES_BATCH=0
405
406 ################################################################################
407 # Logging options - All logging is rate limited to prevent log flooding #
408 ################################################################################
409
410 # Enable logging for explicitly blocked hosts.
411 # Log Options: 0 = Disable, 1 = Inbound & Outbound, 2 = Inbound, 3 = Outbound
412 # ------------------------------------------------------------------------------
413 BLOCKED_HOST_LOG=1
414
415 # Enable logging for various stealth scans (reliable).
416 # ------------------------------------------------------------------------------
417 SCAN_LOG=1
418
419 # Enable logging for possible stealth scans (less reliable).
420 # ------------------------------------------------------------------------------
421 POSSIBLE_SCAN_LOG=1
422
423 # Enable logging of invalid TCP packets. Keep disabled (0) by default to reduce
424 # INVALID packets being logged because of lost (legimate) connections. When
425 # debugging any problems, you should enable it (temporarily)!
426 # ------------------------------------------------------------------------------
427 INVALID_TCP_LOG=0
428
429 # Enable logging of invalid UDP packets. Keep disabled (0) by default to reduce
430 # INVALID packets being logged because of lost (legimate) connections. When
431 # debugging any problems, you should enable it (temporarily)!
432 # ------------------------------------------------------------------------------
433 INVALID_UDP_LOG=0
434
435 # Enable logging of invalid ICMP packets. Keep disabled (0) to reduce
436 # INVALID packets being logged caused by lost (legimate) connections. When
437 # debugging any problems, you should enable it (temporarily)!
438 # ------------------------------------------------------------------------------
439 INVALID_ICMP_LOG=0
440
441 # Enable (1) logging of source IPs with reserved or private addresses.
442 # ------------------------------------------------------------------------------
443 RESERVED_NET_LOG=0
444
445 # Enable dropping (& logging) of IPv4 fragmented packets. Normally fragmented
446 # packets are automatically defragmented by the kernel.
447 # ------------------------------------------------------------------------------
448 FRAG_DROP=0
449
450 # Enable logging of denied local (OUTPUT) connections.
451 # ------------------------------------------------------------------------------
452 INET_OUTPUT_DENY_LOG=1
453
454 # Enable logging of denied LAN output (FORWARD) connections.
455 # ------------------------------------------------------------------------------
456 LAN_OUTPUT_DENY_LOG=1
457
458 # Enable logging of denied LAN INPUT connections.
459 # ------------------------------------------------------------------------------
460 LAN_INPUT_DENY_LOG=1
461
462 # Enable logging of denied DMZ output (FORWARD) connections.
463 # ------------------------------------------------------------------------------
464 DMZ_OUTPUT_DENY_LOG=1
465
466 # Enable logging of denied DMZ input (FORWARD) connections.
467 # ------------------------------------------------------------------------------
468 DMZ_INPUT_DENY_LOG=1
469
470 # Enable logging of dropped FORWARD packets.
471 # ------------------------------------------------------------------------------
472 FORWARD_DROP_LOG=1
473
474 # Enable logging of dropped IPv6 Link-Local forwarded packets.
475 # Note: requires FORWARD_LINK_LOCAL=0 (IPv6 Only)
476 # ------------------------------------------------------------------------------
477 LINK_LOCAL_DROP_LOG=1
478
479 # Enable logging of dropped ICMP-request packets (ping).
480 # ------------------------------------------------------------------------------
481 ICMP_REQUEST_LOG=1
482
483 # Enable logging of dropped "other" ICMP packets.
484 # ------------------------------------------------------------------------------
485 ICMP_OTHER_LOG=1
486
487 # Enable logging of normal connection attempts to privileged TCP ports.
488 # ------------------------------------------------------------------------------
489 PRIV_TCP_LOG=1
490
491 # Enable logging of normal connection attempts to privileged UDP ports.
492 # ------------------------------------------------------------------------------
493 PRIV_UDP_LOG=1
494
495 # Enable logging of normal connection attempts to unprivileged TCP ports.
496 # ------------------------------------------------------------------------------
497 UNPRIV_TCP_LOG=1
498
499 # Enable logging of normal connection attempts to unprivileged UDP ports.
500 # ------------------------------------------------------------------------------
501 UNPRIV_UDP_LOG=1
502
503 # Enable logging of IPv4 IGMP packets
504 # ------------------------------------------------------------------------------
505 IGMP_LOG=1
506
507 # Enable logging of normal connection attempts to "other-IP"-protocols (non
508 # TCP/UDP/ICMP/IGMP).
509 # ------------------------------------------------------------------------------
510 OTHER_IP_LOG=1
511
512 # Enable logging for ICMP flooding.
513 # ------------------------------------------------------------------------------
514 ICMP_FLOOD_LOG=1
515
516 # (EXPERT SETTING!) Log-level used for logging to syslog. The default is "info"
517 # but "debug" can be used to have (legacy) syslogd log to
518 # /var/log/arno-iptables-firewall. Note that this also requires you to
519 # modify your syslogd.conf (see examples on how to). Most (if not all) newer
520 # distributions use rsyslogd which works much better out of the box, so in most
521 # cases you can leave this setting as is.
522 # ------------------------------------------------------------------------------
523 LOGLEVEL="info"
524
525 # Put in the following variables which hosts you want to log certain incoming
526 # connection attempts for.
527 # TCP/UDP port format (LOG_HOST_INPUT_xxx):
528 # "host1,host2~port1,port2 host3,host4~port3,port4 ..."
529 #
530 # IP protocol format (LOG_HOST_INPUT_IP):
531 # "host1,host2~proto1,proto2 host3,host4~proto4,proto4 ..."
532 # ------------------------------------------------------------------------------
533 LOG_HOST_INPUT_TCP=""
534 LOG_HOST_INPUT_UDP=""
535 LOG_HOST_INPUT_IP=""
536
537 # Put in the following variables which hosts you want to log certain outgoing
538 # connection attempts for.
539 # TCP/UDP port format (LOG_HOST_OUTPUT_xxx):
540 # "host1,host2~port1,port2 host3,host4~port3,port4 ..."
541 #
542 # IP protocol format (LOG_HOST_OUTPUT_IP):
543 # "host1,host2~proto1,proto2 host3,host4~proto4,proto4 ..."
544 # ------------------------------------------------------------------------------
545 LOG_HOST_OUTPUT_TCP=""
546 LOG_HOST_OUTPUT_UDP=""
547 LOG_HOST_OUTPUT_IP=""
548
549 # Put in the following variables which services you want to log incoming
550 # connection attempts for.
551 # ------------------------------------------------------------------------------
552 LOG_INPUT_TCP=""
553 LOG_INPUT_UDP=""
554 LOG_INPUT_IP=""
555
556 # Put in the following variables which services you want to log outgoing
557 # connection attempts for.
558 # ------------------------------------------------------------------------------
559 LOG_OUTPUT_TCP=""
560 LOG_OUTPUT_UDP=""
561 LOG_OUTPUT_IP=""
562
563 # Put in the following variable which hosts you want to log incoming connection
564 # (attempts) for.
565 # ------------------------------------------------------------------------------
566 LOG_HOST_INPUT=""
567
568 # Put in the following variable which hosts you want to log outgoing connection
569 # (attempts) to.
570 # ------------------------------------------------------------------------------
571 LOG_HOST_OUTPUT=""
572
573
574 ################################################################################
575 # sysctl based settings (EXPERT SETTINGS!) #
576 ################################################################################
577
578 # Enable for synflood protection (through /proc/.../tcp_syncookies).
579 # ------------------------------------------------------------------------------
580 SYN_PROT=1
581
582 # Enable this to reduce the ability of others DOS'ing your machine.
583 # ------------------------------------------------------------------------------
584 REDUCE_DOS_ABILITY=1
585
586 # Enable to ignore all ICMP echo-requests (IPv4) on ALL interfaces.
587 # ------------------------------------------------------------------------------
588 ECHO_IGNORE=0
589
590 # Enable to log packets with impossible addresses to the kernel log.
591 # ------------------------------------------------------------------------------
592 LOG_MARTIANS=0
593
594 # Only disable this if you're NOT using forwarding (required for NAT etc.) for
595 # increased security.
596 # Note: If enabled and IPV6 enabled, local IPv6 autoconf will be disabled.
597 # ------------------------------------------------------------------------------
598 IP_FORWARDING=1
599
600 # (EXPERT SETTING!) Only disable this if IP_FORWARDING is disabled and
601 # you do not use autoconf to obtain your IPv6 address.
602 # Note: This is ignored if IP_FORWARDING is enabled. (IPv6 Only)
603 # ------------------------------------------------------------------------------
604 IPV6_AUTO_CONFIGURATION=1
605
606 # Enable if you want to accept ICMP redirect messages. Should be set to "0" in
607 # case of a router.
608 # ------------------------------------------------------------------------------
609 ICMP_REDIRECT=0
610
611 # Enable/modify this if you want to be a able to handle a larger (or smaller)
612 # number of simultaneous connections. For high traffic machines I recommend to
613 # use a value of at least 16384 (note that a higher value (obviously) also uses
614 # more memory).
615 # ------------------------------------------------------------------------------
616 CONNTRACK=16384
617
618 # Enable ECN (Explicit Congestion Notification) TCP flag. Disabled by default,
619 # as some routers are still not compatible with this.
620 # ------------------------------------------------------------------------------
621 ECN=0
622
623 # Reverse path filter setting. Kernel setting to drop connections from
624 # non-routable IPs, eg. prevent source routing. By default the firewall itself
625 # also provides rules against source routing.
626 # Options: 0 = Disable, 1 = Strict filter, 2 = Loose filter
627 # When using eg. VPNs, you should probably use 0 (disable) or 2 (loose)
628 # ------------------------------------------------------------------------------
629 RP_FILTER=1
630
631 # Protect against source routed packets. Attackers can use source routing to
632 # generate traffic pretending to be from inside your network, but which is
633 # routed back along the path from which it came, namely outside, so attackers
634 # can compromise your network. Source routing is rarely used for legitimate
635 # purposes, so normally you should always leave this enabled (1)!
636 # ------------------------------------------------------------------------------
637 SOURCE_ROUTE_PROTECTION=1
638
639 # Here we set the local port range (ports from which connections are
640 # initiated from our site). Don't mess with this unless you really know what
641 # you are doing!
642 # ------------------------------------------------------------------------------
643 LOCAL_PORT_RANGE="32768 60999"
644
645 # Here you can change the default TTL used for sending packets. The value
646 # should be between 10 and 255. Don't mess with this unless you really know
647 # what you are doing!
648 # ------------------------------------------------------------------------------
649 DEFAULT_TTL=64
650
651 # In most cases pmtu discovery is ok, but in some rare cases (when having
652 # problems) you might want to disable it.
653 # ------------------------------------------------------------------------------
654 NO_PMTU_DISCOVERY=0
655
656 # With eg. open-iscsi some systems may have problems under heavy load. Enable
657 # tcp_be_liberal to work around this.
658 # ------------------------------------------------------------------------------
659 TCP_BE_LIBERAL=0
660
661
662 ################################################################################
663 # Firewall policies for the LAN (EXPERT SETTINGS!) #
664 ################################################################################
665
666 ################################################################################
667 # LAN_xxx = LAN->localhost(this machine) input access rules #
668 # #
669 # Note that when both LAN_OPEN_xxx & LAN_HOST_OPEN_xxx are NOT used, the #
670 # default policy for this chain is accept (unless denied through #
671 # LAN_DENY_xxx and/or LAN_HOST_DENY_xxx)! #
672 ################################################################################
673
674 # Disable this (set to "") to automatically set default policy as above.
675 # When set to "1" the LAN->localhost default policy will always be DROP
676 # When set to "0" the LAN->localhost default policy will always be ACCEPT
677 # ------------------------------------------------------------------------------
678 LAN_DEFAULT_POLICY_DROP=""
679
680 # Enable this to allow for ICMP-requests(ping) from your LAN
681 # ------------------------------------------------------------------------------
682 LAN_OPEN_ICMP=1
683
684 # Put in the following variables the TCP/UDP ports or IP protocols TO
685 # (remote end-point) which the LAN hosts are permitted to connect to.
686 # ------------------------------------------------------------------------------
687 LAN_OPEN_TCP=""
688 LAN_OPEN_UDP=""
689 LAN_OPEN_IP=""
690
691 # Put in the following variables the TCP/UDP ports or IP protocols TO (remote
692 # end-point) which LAN hosts are NOT permitted to connect to.
693 # ------------------------------------------------------------------------------
694 LAN_DENY_TCP=""
695 LAN_DENY_UDP=""
696 LAN_DENY_IP=""
697
698 # Put in the following variables the TCP/UDP ports or IP
699 # protocols TO (remote end-point) which certain LAN hosts are
700 # permitted to connect to.
701 #
702 # TCP/UDP port format (LAN_HOST_OPEN_TCP & LAN_HOST_OPEN_UDP):
703 # "host1,host2~port1,port2 host3,host4~port3,port4 ..."
704 #
705 # IP protocol format (LAN_HOST_OPEN_IP):
706 # "host1,host2~proto1,proto2 host3,host4~proto3,proto4 ..."
707 # ------------------------------------------------------------------------------
708 LAN_HOST_OPEN_TCP=""
709 LAN_HOST_OPEN_UDP=""
710 LAN_HOST_OPEN_IP=""
711
712 # Put in the following variables the TCP/UDP ports or IP protocols TO (remote
713 # end-point) which certain LAN hosts are NOT permitted to connect to.
714 #
715 # TCP/UDP port format (LAN_HOST_DENY_TCP & LAN_HOST_DENY_UDP):
716 # "host1,host2~port1,port2 host3,host4~port3,port4 ..."
717 #
718 # IP protocol format (LAN_HOST_DENY_IP):
719 # "host1,host2~proto1,proto2 host3,host4~proto3,proto4 ..."
720 # ------------------------------------------------------------------------------
721 LAN_HOST_DENY_TCP=""
722 LAN_HOST_DENY_UDP=""
723 LAN_HOST_DENY_IP=""
724
725
726 ################################################################################
727 # LAN_LAN_xxx = LAN->LAN access rules (forward) #
728 ################################################################################
729
730 # Put in the following variables which LAN hosts you want to allow to certain
731 # hosts/services on a different LAN (net).
732 #
733 # TCP/UDP form:
734 # "SRCIP1,SRCIP2,...>DESTIP1~port \
735 # SRCIP3,...>DESTIP2~port"
736 #
737 # IP form:
738 # "SRCIP1,SRCIP2,...>DESTIP1~protocol \
739 # SRCIP3,...>DESTIP2~protocol"
740 #
741 # TCP/UDP examples:
742 # Simple (Allow port 80 to LAN host 1.2.3.4 from all other LAN hosts(0/0)):
743 # LAN_LAN_HOST_OPEN_xxx="0/0>1.2.3.4~80"
744 # Advanced (Allow port 20 & 21 to LAN host 1.2.3.4 from all other LAN hosts
745 # (0/0) and allow port 80 from LAN host 5.6.7.8 (only) to LAN host
746 # 1.2.3.4):
747 # LAN_LAN_HOST_OPEN_xxx="0/0>1.2.3.4~20,21 5.6.7.8>1.2.3.4~80"
748 #
749 # IP protocol example:
750 # (Allow protocols 47 & 48 to LAN host 1.2.3.4 from all other LAN hosts
751 # (0/0)):
752 # LAN_LAN_HOST_OPEN_IP="0/0>1.2.3.4~47,48"
753 #
754 # NOTE 1: If no SRCIPx is specified, any source host is used
755 # NOTE 2: If no port is specified, any port is used
756 # ------------------------------------------------------------------------------
757 LAN_LAN_HOST_OPEN_TCP=""
758 LAN_LAN_HOST_OPEN_UDP=""
759 LAN_LAN_HOST_OPEN_IP=""
760
761
762 ################################################################################
763 # LAN_INET_xxx = LAN->internet access rules (forward) #
764 # #
765 # Note that when the LAN_INET_OPEN_xxx & LAN_INET_HOST_OPEN_xxx variables are #
766 # NOT used, the default policy will be accept for LAN->INET (unless denied #
767 # through LAN_INET_DENY_xxx and/or LAN_INET_HOST_DENY_xxx)! #
768 ################################################################################
769
770 # Disable this (set to "") to automatically set default policy as above.
771 # When set to "1" the LAN->INET default policy will always be DROP
772 # When set to "0" the LAN->INET default policy will always be ACCEPT
773 # ------------------------------------------------------------------------------
774 LAN_INET_DEFAULT_POLICY_DROP=""
775
776 # Enable this to allow for ICMP-requests(ping) for LAN->INET
777 # ------------------------------------------------------------------------------
778 LAN_INET_OPEN_ICMP=1
779
780 # Put in the following variables the TCP/UDP ports or IP
781 # protocols TO (remote end-point) which the LAN hosts are
782 # permitted to connect to via the external (internet) interface.
783 # ------------------------------------------------------------------------------
784 LAN_INET_OPEN_TCP=""
785 LAN_INET_OPEN_UDP=""
786 LAN_INET_OPEN_IP=""
787
788 # Put in the following variables the TCP/UDP ports or IP protocols TO (remote
789 # end-point) which the LAN hosts are NOT permitted to connect to
790 # via the external (internet) interface. Examples of usage are for blocking
791 # IRC (TCP 6666:6669) for the internal network.
792 # ------------------------------------------------------------------------------
793 LAN_INET_DENY_TCP=""
794 LAN_INET_DENY_UDP=""
795 LAN_INET_DENY_IP=""
796
797 # Put in the following variables which LAN hosts you want to allow to certain
798 # hosts/services on the internet. By default all services are allowed.
799 #
800 # TCP/UDP form:
801 # "SRCIP1,SRCIP2,...>DESTIP1~port \
802 # SRCIP3,...>DESTIP2~port"
803 #
804 # IP form:
805 # "SRCIP1,SRCIP2,...>DESTIP1~protocol \
806 # SRCIP3,...>DESTIP2~protocol"
807 #
808 # TCP/UDP examples:
809 # Simple:
810 # (Allow port 80 on INET host 1.2.3.4 for all LAN hosts(0/0)):
811 # LAN_INET_HOST_OPEN_xxx="0/0>1.2.3.4~80"
812 # Advanced:
813 # (Allow port 20 & 21 on INET host 1.2.3.4 for all LAN hosts(0/0) and
814 # allow port 80 on INET host 1.2.3.4 for LAN host 192.168.0.10 (only)):
815 # LAN_INET_HOST_OPEN_xxx="0/0>1.2.3.4~20,21 192.168.0.10>1.2.3.4~80"
816 #
817 # IP protocol example:
818 # (Allow protocols 47 & 48 on INET host 1.2.3.4 for all LAN hosts(0/0))
819 # LAN_INET_HOST_OPEN_IP="0/0>1.2.3.4~47,48"
820 #
821 # NOTE 1: If no SRCIPx is specified, any source host is used
822 # NOTE 2: If no port is specified, any port is used
823 # ------------------------------------------------------------------------------
824 LAN_INET_HOST_OPEN_TCP=""
825 LAN_INET_HOST_OPEN_UDP=""
826 LAN_INET_HOST_OPEN_IP=""
827
828 # Put in the following variables which LAN hosts you want to deny to certain
829 # hosts/services on the internet.
830 #
831 # TCP/UDP form:
832 # "SRCIP1,SRCIP2,...>DESTIP1~port \
833 # SRCIP3,...>DESTIP2~port"
834 #
835 # IP form:
836 # "SRCIP1,SRCIP2,...>DESTIP1~protocol \
837 # SRCIP3,...>DESTIP2~protocol"
838 #
839 # TCP/UDP examples:
840 # Simple (Deny port 80 on INET host 1.2.3.4 for all LAN hosts(0/0)):
841 # LAN_INET_HOST_DENY_xxx="0/0>1.2.3.4~80"
842 # Advanced (Deny port 20 & 21 on INET host 1.2.3.4 for all LAN hosts(0/0) and
843 # deny port 80 on INET host 1.2.3.4 for LAN host 192.168.0.10 (only)):
844 # LAN_INET_HOST_DENY_xxx="0/0>1.2.3.4~20,21 192.168.0.10>1.2.3.4~80"
845 #
846 # IP protocol example:
847 # (Deny protocols 47 & 48 on INET host 1.2.3.4 for all LAN hosts(0/0)):
848 # LAN_INET_HOST_DENY_IP="0/0>1.2.3.4~47,48"
849 #
850 # NOTE 1: If no SRCIPx is specified, any source host is used
851 # NOTE 2: If no port is specified, any port is used
852 # ------------------------------------------------------------------------------
853 LAN_INET_HOST_DENY_TCP=""
854 LAN_INET_HOST_DENY_UDP=""
855 LAN_INET_HOST_DENY_IP=""
856
857
858 ################################################################################
859 # Firewall policies for the DMZ (EXPERT SETTINGS!) #
860 ################################################################################
861
862 ################################################################################
863 # DMZ_xxx = DMZ->localhost(this machine) input access rules #
864 ################################################################################
865
866 # Enable this to allow ICMP-requests(ping) from the DMZ
867 # ------------------------------------------------------------------------------
868 DMZ_OPEN_ICMP=1
869
870 # Put in the following variables the TCP/UDP ports or IP protocols (on this
871 # machine) which DMZ hosts are permitted to connect to; ICMP is handled by
872 # DMZ_OPEN_ICMP above. By default all (local) services are blocked for DMZ hosts.
873 # ------------------------------------------------------------------------------
874 DMZ_OPEN_TCP=""
875 DMZ_OPEN_UDP=""
876 DMZ_OPEN_IP=""
877
878 # Put in the following variables which DMZ hosts you want to allow for certain
879 # services. By default all (local) services are blocked for DMZ hosts.
880 # TCP/UDP port format (DMZ_HOST_OPEN_TCP & DMZ_HOST_OPEN_UDP):
881 # "host1,host2~port1,port2 host3,host4~port3,port4 ..."
882 #
883 # IP protocol format (DMZ_HOST_OPEN_IP):
884 # "host1,host2~proto1,proto2 host3,host4~proto3,proto4 ..."
885 # ------------------------------------------------------------------------------
886 DMZ_HOST_OPEN_TCP=""
887 DMZ_HOST_OPEN_UDP=""
888 DMZ_HOST_OPEN_IP=""
889
890
891 ################################################################################
892 # INET_DMZ_xxx = Internet->DMZ access rules (forward) #
893 # #
894 # Note: As of Version 2.0.0 the default policy has changed to DROP #
895 # Previous to Version 2.0.0 the default policy was ACCEPT #
896 ################################################################################
897
898 # Enable this to make the default policy allow for ICMP(ping) for INET->DMZ
899 # ------------------------------------------------------------------------------
900 INET_DMZ_OPEN_ICMP=0
901
902 # Put in the following variables the TCP/UDP ports or IP protocols in the DMZ
903 # which INET hosts are permitted to connect to.
904 # ------------------------------------------------------------------------------
905 INET_DMZ_OPEN_TCP=""
906 INET_DMZ_OPEN_UDP=""
907 INET_DMZ_OPEN_IP=""
908
909 # Put in the following variables the TCP/UDP ports or IP protocols in the DMZ
910 # which INET hosts are NOT permitted to connect to.
911 # ------------------------------------------------------------------------------
912 INET_DMZ_DENY_TCP=""
913 INET_DMZ_DENY_UDP=""
914 INET_DMZ_DENY_IP=""
915
916 # Put in the following variables which INET hosts you want to allow to certain
917 # hosts/services on the DMZ net. By default all services are dropped.
918 #
919 # TCP/UDP form:
920 # "SRCIP1,SRCIP2,...>DESTIP1~port \
921 # SRCIP3,...>DESTIP2~port"
922 #
923 # IP form:
924 # "SRCIP1,SRCIP2,...>DESTIP1~protocol \
925 # SRCIP3,...>DESTIP2~protocol"
926 #
927 # TCP/UDP examples:
928 # Simple (Allow port 80 on DMZ host 1.2.3.4 for all INET hosts(0/0)):
929 # INET_DMZ_HOST_OPEN_xxx="0/0>1.2.3.4~80"
930 # Advanced (Allow port 20 & 21 on DMZ host 1.2.3.4 for all INET hosts(0/0) and
931 # allow port 80 on DMZ host 1.2.3.4 for INET host 5.6.7.8 (only)):
932 # INET_DMZ_HOST_OPEN_xxx="0/0>1.2.3.4~20,21 5.6.7.8>1.2.3.4~80"
933 #
934 # IP protocol example:
935 # (Allow protocols 47 & 48 on DMZ host 1.2.3.4 for all INET hosts(0/0)):
936 # INET_DMZ_HOST_OPEN_IP="0/0>1.2.3.4~47,48"
937 #
938 # NOTE 1: If no SRCIPx is specified, any source host is used
939 # NOTE 2: If no port is specified, any port is used
940 # ------------------------------------------------------------------------------
941 INET_DMZ_HOST_OPEN_TCP=""
942 INET_DMZ_HOST_OPEN_UDP=""
943 INET_DMZ_HOST_OPEN_IP=""
944
945 # Put in the following variables which INET hosts you want to deny to certain
946 # hosts/services on the DMZ net.
947 #
948 # TCP/UDP form:
949 # "SRCIP1,SRCIP2,...>DESTIP1~port \
950 # SRCIP3,...>DESTIP2~port"
951 #
952 # IP form:
953 # "SRCIP1,SRCIP2,...>DESTIP1~protocol \
954 # SRCIP3,...>DESTIP2~protocol"
955 #
956 # TCP/UDP examples:
957 # Simple (Deny port 80 on DMZ host 1.2.3.4 for all INET hosts(0/0)):
958 # INET_DMZ_HOST_DENY_xxx="0/0>1.2.3.4~80"
959 # Advanced (Deny port 20 & 21 on DMZ host 1.2.3.4 for all INET hosts(0/0) and
960 # deny port 80 on DMZ host 1.2.3.4 for INET host 5.6.7.8 (only)):
961 # INET_DMZ_HOST_DENY_xxx="0/0>1.2.3.4~20,21 5.6.7.8>1.2.3.4~80"
962 #
963 # IP protocol example:
964 # (Deny protocols 47 & 48 on DMZ host 1.2.3.4 for all INET hosts):
965 # INET_DMZ_HOST_DENY_IP="0/0>1.2.3.4~47,48"
966 #
967 # NOTE 1: If no SRCIPx is specified, any source host is used
968 # NOTE 2: If no port is specified, any port is used
969 # ------------------------------------------------------------------------------
970 INET_DMZ_HOST_DENY_TCP=""
971 INET_DMZ_HOST_DENY_UDP=""
972 INET_DMZ_HOST_DENY_IP=""
973
974
975 ################################################################################
976 # DMZ_INET_xxx = DMZ->internet access rules (forward) #
977 # #
978 # Note that when the DMZ_INET_OPEN_xxx & DMZ_INET_HOST_OPEN_xxx variables are #
979 # NOT used, the default policy will be accept for DMZ->INET (unless denied #
980 # through DMZ_INET_DENY_xxx and/or DMZ_INET_HOST_DENY_xxx)! #
981 ################################################################################
982
983 # Disable this (set to "") to automatically set default policy as above.
984 # When set to "1" the DMZ->INET default policy will always be DROP
985 # When set to "0" the DMZ->INET default policy will always be ACCEPT
986 # ------------------------------------------------------------------------------
987 DMZ_INET_DEFAULT_POLICY_DROP=""
988
989 # Enable this to make the default policy allow for ICMP(ping) for DMZ->INET
990 # ------------------------------------------------------------------------------
991 DMZ_INET_OPEN_ICMP=1
992
993 # Put in the following variables the TCP/UDP ports or IP
994 # protocols TO (remote end-point) which the DMZ hosts are
995 # permitted to connect to via the external (internet) interface.
996 # ------------------------------------------------------------------------------
997 DMZ_INET_OPEN_TCP=""
998 DMZ_INET_OPEN_UDP=""
999 DMZ_INET_OPEN_IP=""
1000
1001 # Put in the following variables the TCP/UDP ports or IP protocols TO (remote
1002 # end-point) which the DMZ hosts are NOT permitted to connect to
1003 # via the external (internet) interface. Examples of usage are for blocking
1004 # IRC (TCP 6666:6669) for the internal network.
1005 # ------------------------------------------------------------------------------
1006 DMZ_INET_DENY_TCP=""
1007 DMZ_INET_DENY_UDP=""
1008 DMZ_INET_DENY_IP=""
1009
1010 # Put in the following variables which DMZ hosts you want to allow to certain
1011 # hosts/services on the internet. By default all services are allowed.
1012 #
1013 # TCP/UDP form:
1014 # "SRCIP1,SRCIP2,...>DESTIP1~port \
1015 # SRCIP3,...>DESTIP2~port"
1016 #
1017 # IP form:
1018 # "SRCIP1,SRCIP2,...>DESTIP1~protocol \
1019 # SRCIP3,...>DESTIP2~protocol"
1020 #
1021 # TCP/UDP examples:
1022 # Simple (Allow port 80 on INET host 1.2.3.4 for all DMZ hosts(0/0)):
1023 # DMZ_INET_HOST_OPEN_xxx="0/0>1.2.3.4~80"
1024 # Advanced (Allow port 20 & 21 on INET host 1.2.3.4 for all DMZ hosts(0/0) and
1025 # allow port 80 on INET host 1.2.3.4 for DMZ host 5.6.7.8 (only)):
1026 # DMZ_INET_HOST_OPEN_xxx="0/0>1.2.3.4~20,21 5.6.7.8>1.2.3.4~80"
1027 #
1028 # IP protocol example:
1029 # (Allow protocols 47 & 48 on INET host 1.2.3.4 for all DMZ hosts):
1030 # DMZ_INET_HOST_OPEN_IP="0/0>1.2.3.4~47,48"
1031 #
1032 # NOTE 1: If no SRCIPx is specified, any source host is used
1033 # NOTE 2: If no port is specified, any port is used
1034 # ------------------------------------------------------------------------------
1035 DMZ_INET_HOST_OPEN_TCP=""
1036 DMZ_INET_HOST_OPEN_UDP=""
1037 DMZ_INET_HOST_OPEN_IP=""
1038
1039 # Put in the following variables which DMZ hosts you want to deny to certain
1040 # hosts/services on the internet.
1041 #
1042 # TCP/UDP form:
1043 # "SRCIP1,SRCIP2,...>DESTIP1~port \
1044 # SRCIP3,...>DESTIP2~port"
1045 #
1046 # IP form:
1047 # "SRCIP1,SRCIP2,...>DESTIP1~protocol \
1048 # SRCIP3,...>DESTIP2~protocol"
1049 #
1050 # TCP/UDP examples:
1051 # Simple (Deny port 80 on INET host 1.2.3.4 for all DMZ hosts(0/0)):
1052 # DMZ_INET_HOST_DENY_xxx="0/0>1.2.3.4~80"
1053 # Advanced (Deny port 20 & 21 on INET host 1.2.3.4 for all DMZ hosts(0/0) and
1054 # deny port 80 on INET host 1.2.3.4 for DMZ host 5.6.7.8 (only)):
1055 # DMZ_INET_HOST_DENY_xxx="0/0>1.2.3.4~20,21 5.6.7.8>1.2.3.4~80"
1056 #
1057 # IP protocol example:
1058 # (Deny protocols 47 & 48 on INET host 1.2.3.4 for all DMZ hosts(0/0)):
1059 # DMZ_INET_HOST_DENY_IP="0/0>1.2.3.4~47,48"
1060 #
1061 # NOTE 1: If no SRCIPx is specified, any source host is used
1062 # NOTE 2: If no port is specified, any port is used
1063 # ------------------------------------------------------------------------------
1064 DMZ_INET_HOST_DENY_TCP=""
1065 DMZ_INET_HOST_DENY_UDP=""
1066 DMZ_INET_HOST_DENY_IP=""
1067
1068
1069 ################################################################################
1070 # DMZ_LAN_xxx = DMZ->LAN access rules (forward) #
1071 ################################################################################
1072
1073 # Enable this to make the default policy allow for ICMP(ping) for DMZ->LAN
1074 # ------------------------------------------------------------------------------
1075 DMZ_LAN_OPEN_ICMP=0
1076
1077 # Put in the following variables which DMZ hosts you want to allow to certain
1078 # hosts/services on the LAN (net).
1079 #
1080 # TCP/UDP form:
1081 # "SRCIP1,SRCIP2,...>DESTIP1~port \
1082 # SRCIP3,...>DESTIP2~port"
1083 #
1084 # IP form:
1085 # "SRCIP1,SRCIP2,...>DESTIP1~protocol \
1086 # SRCIP3,...>DESTIP2~protocol"
1087 #
1088 # TCP/UDP examples:
1089 # Simple (Allow port 80 on LAN host 1.2.3.4 for all DMZ hosts(0/0)):
1090 # DMZ_LAN_HOST_OPEN_xxx="0/0>1.2.3.4~80"
1091 # Advanced (Allow port 20 & 21 on LAN host 1.2.3.4 for all DMZ hosts (0/0) and
1092 # allow port 80 for DMZ host 5.6.7.8 (only) on LAN host
1093 # 1.2.3.4):
1094 # DMZ_LAN_HOST_OPEN_xxx="0/0>1.2.3.4~20,21 5.6.7.8>1.2.3.4~80"
1095 #
1096 # IP protocol example:
1097 # (Allow protocols 47 & 48 on LAN host 1.2.3.4 for all DMZ hosts(0/0)):
1098 # DMZ_LAN_HOST_OPEN_IP="0/0>1.2.3.4~47,48"
1099 #
1100 # NOTE 1: If no SRCIPx is specified, any source host is used
1101 # NOTE 2: If no port is specified, any port is used
1102 # ------------------------------------------------------------------------------
1103 DMZ_LAN_HOST_OPEN_TCP=""
1104 DMZ_LAN_HOST_OPEN_UDP=""
1105 DMZ_LAN_HOST_OPEN_IP=""
1106
1107
1108 ################################################################################
1109 # Firewall policies for the external (inet) interface (default policy = drop) #
1110 ################################################################################
1111
1112 # Put in the following variable which hosts (subnets) you want to have full
1113 # access via your internet (EXT_IF) connection(!). This is especially meant for
1114 # networks/servers which use NIS/NFS, as these protocols require all ports
1115 # to be open.
1116 # NOTE: Don't mistake this variable with the one used for internal nets.
1117 # ------------------------------------------------------------------------------
1118 FULL_ACCESS_HOSTS=""
1119
1120 # Put in the following variable which TCP/UDP ports you don't want to
1121 # see broadcasts from (eg. DHCP (67/68)) on your EXTERNAL interface. Note that
1122 # to make this properly work you also need to set "EXTERNAL_NET"!
1123 # ------------------------------------------------------------------------------
1124 BROADCAST_TCP_NOLOG=""
1125 #BROADCAST_UDP_NOLOG="67 68"
1126
1127 # Put in the following variables which hosts you want to allow for certain
1128 # services.
1129 # TCP/UDP port format (HOST_OPEN_TCP & HOST_OPEN_UDP):
1130 # "host1,host2~port1,port2 host3,host4~port3,port4 ..."
1131 #
1132 # IP protocol format (HOST_OPEN_IP):
1133 # "host1,host2~proto1,proto2 host3,host4~proto3,proto4 ..."
1134 #
1135 # ICMP protocol format (HOST_OPEN_ICMP):
1136 # "host1 host2 ...."
1137 # ------------------------------------------------------------------------------
1138 HOST_OPEN_TCP=""
1139 HOST_OPEN_UDP=""
1140 HOST_OPEN_IP=""
1141 HOST_OPEN_ICMP=""
1142
1143 # Put in the following variables which hosts you want to DENY(DROP) for
1144 # certain services. Matching packets are dropped and logged; see the
1145 # HOST_DENY_xxx_NOLOG variables below for the unlogged variant.
1146 # TCP/UDP port format (HOST_DENY_TCP & HOST_DENY_UDP):
1147 # "host1,host2~port1,port2 host3,host4~port3,port4 ..."
1148 #
1149 # IP protocol format (HOST_DENY_IP):
1150 # "host1,host2~proto1,proto2 host3,host4~proto3,proto4 ..."
1151 #
1152 # ICMP protocol format (HOST_DENY_ICMP):
1153 # "host1 host2 ...."
1154 # ------------------------------------------------------------------------------
1155 HOST_DENY_TCP=""
1156 HOST_DENY_UDP=""
1157 HOST_DENY_IP=""
1158 HOST_DENY_ICMP=""
1159
1160 # Put in the following variables which hosts you want to DENY(DROP) for certain
1161 # services but NOT logged.
1162 # TCP/UDP port format (HOST_DENY_xxx_NOLOG):
1163 # "host1,host2~port1,port2 host3,host4~port3,port4 ..."
1164 #
1165 # IP protocol format (HOST_DENY_IP_NOLOG):
1166 # "host1,host2~proto1,proto2 host3,host4~proto3,proto4 ..."
1167 #
1168 # ICMP protocol format (HOST_DENY_ICMP_NOLOG):
1169 # "host1 host2 ...."
1170 # ------------------------------------------------------------------------------
1171 HOST_DENY_TCP_NOLOG=""
1172 HOST_DENY_UDP_NOLOG=""
1173 HOST_DENY_IP_NOLOG=""
1174 HOST_DENY_ICMP_NOLOG=""
1175
1176 # Put in the following variables which hosts you want to REJECT (instead of
1177 # DROP) for certain TCP/UDP ports.
1178 # TCP/UDP port format (HOST_REJECT_xxx):
1179 # "host1,host2~port1,port2 host3,host4~port3,port4 ..."
1180 # ------------------------------------------------------------------------------
1181 HOST_REJECT_TCP=""
1182 HOST_REJECT_UDP=""
1183
1184 # Put in the following variables which hosts you want to REJECT (instead of
1185 # DROP) for certain services but NOT logged.
1186 # TCP/UDP port format (HOST_REJECT_xxx_NOLOG):
1187 # "host1,host2~port1,port2 host3,host4~port3,port4 ..."
1188 # ------------------------------------------------------------------------------
1189 HOST_REJECT_TCP_NOLOG=""
1190 HOST_REJECT_UDP_NOLOG=""
1191
1192 # Put in the following variables which services THIS machine is NOT
1193 # permitted to connect TO (remote end-point) via the external (internet)
1194 # interface. For example for blocking IRC (tcp 6666:6669).
1195 # ------------------------------------------------------------------------------
1196 DENY_TCP_OUTPUT=""
1197 DENY_UDP_OUTPUT=""
1198 DENY_IP_OUTPUT=""
1199
1200 # Put in the following variables the hosts THIS machine is NOT permitted
1201 # to connect TO (remote end-point) for certain services
1202 # via the external (internet) interface. In principle you can also
1203 # use this to put your machine in a "virtual-DMZ" by blocking all traffic
1204 # to your local subnet.
1205 # TCP/UDP port format (HOST_DENY_TCP_OUTPUT & HOST_DENY_UDP_OUTPUT):
1206 # "host1,host2~port1,port2 host3,host4~port3,port4 ..."
1207 #
1208 # IP protocol format (HOST_DENY_IP_OUTPUT):
1209 # "host1,host2~proto1,proto2 host3,host4~proto3,proto4 ..."
1210 # ------------------------------------------------------------------------------
1211 HOST_DENY_TCP_OUTPUT=""
1212 HOST_DENY_UDP_OUTPUT=""
1213 HOST_DENY_IP_OUTPUT=""
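# Added example (not AIF's own code): the "host1,host2~port1,port2" form used
# by the HOST_xxx variables above and the "SRCIP1,SRCIP2>DESTIP~port" form used
# by the xxx_HOST_xxx forward variables, expanded into the individual iptables
# rules they stand for. The INPUT/FORWARD chain names and the input/forward
# split are this example's own assumptions, not the script's internals.

```sh
#!/bin/sh
# Added example, not part of Arno's Iptables Firewall: expand an AIF host rule
# string into the per-host, per-port iptables rules it stands for, so a setting
# can be reviewed before it is loaded. It only prints rules and never calls
# iptables. The INPUT/FORWARD chain names are this example's assumption; the
# real script installs its rules in chains of its own.
#
# mode "input"  : "host1,host2~port1,port2 ..."    (HOST_OPEN_xxx, DMZ_HOST_OPEN_xxx)
#                 the hosts are sources, the destination is this machine
# mode "forward": "SRC1,SRC2>DST~port1,port2 ..."  (LAN_INET_HOST_OPEN_xxx etc.)
#                 no SRC list means any source (NOTE 1),
#                 no port list means any port (NOTE 2)
#
# Usage: expand_aif_rules <input|forward> <tcp|udp> <ACCEPT|DROP> "<rules>"
expand_aif_rules() {
  mode=$1; proto=$2; target=$3; rules=$4
  case $mode in
    input)   chain=INPUT ;;
    forward) chain=FORWARD ;;
    *) echo "expand_aif_rules: unknown mode '$mode'" >&2; return 1 ;;
  esac
  for rule in $rules; do                     # a space separates rules
    case $rule in                            # "~" separates the port list
      *~*) hostpart=${rule%%"~"*}; ports=${rule#*"~"} ;;
      *)   hostpart=$rule;         ports="" ;;
    esac
    case $mode:$hostpart in                  # ">" separates sources from dest
      forward:*">"*) srcs=${hostpart%%">"*}; dst=${hostpart#*">"} ;;
      forward:*)     srcs="";                dst=$hostpart ;;
      *)             srcs=$hostpart;         dst="0/0" ;;
    esac
    [ -n "$srcs" ] || srcs="0/0"
    [ -n "$dst" ]  || dst="0/0"
    # comma lists expand to one rule per element; without a port list the
    # rule matches every port of the protocol
    oldifs=$IFS; IFS=','
    for src in $srcs; do
      if [ -z "$ports" ]; then
        printf 'iptables -A %s -p %s -s %s -d %s -j %s\n' \
          "$chain" "$proto" "$src" "$dst" "$target"
      else
        for port in $ports; do
          printf 'iptables -A %s -p %s -s %s -d %s --dport %s -j %s\n' \
            "$chain" "$proto" "$src" "$dst" "$port" "$target"
        done
      fi
    done
    IFS=$oldifs
  done
}

# Constructed demo using the config's own example values (not real hosts):
expand_aif_rules forward tcp ACCEPT "0/0>1.2.3.4~20,21 192.168.0.10>1.2.3.4~80"
expand_aif_rules input   udp DROP   "10.0.0.5,10.0.0.6~53"
```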
1214
1215 # This enables(1)/disables(0) IPv4 ICMP (ping) for the external net(s)
1216 # Note: Other ICMP variables apply to both IPv4 and IPv6 unless otherwise noted.
1217 # ------------------------------------------------------------------------------
1218 OPEN_ICMP=0
1219
1220 # This enables(1)/disables(0) IPv6 ICMPv6 for the external net(s)
1221 # Note: Other ICMP variables apply to both IPv4 and IPv6 unless otherwise noted.
1222 # ------------------------------------------------------------------------------
1223 OPEN_ICMPV6=1
1224
1225 # Enable (1) to make the default policy allow IPv6 ICMPv6
1226 # Multicast Listener Discovery (RFC 2710, 3810) for INET access
1227 # Note: Requires setting OPEN_ICMPV6=1 to apply.
1228 # ------------------------------------------------------------------------------
1229 OPEN_ICMPV6_MLD=0
1230
1231 # Put in the following variables which ports or IP protocols you want to leave
1232 # open to the whole world.
1233 # ------------------------------------------------------------------------------
1234 OPEN_TCP=""
1235 OPEN_UDP=""
1236 OPEN_IP=""
1237
1238 # Put in the following variables the TCP/UDP ports you want to DENY(DROP) for
1239 # everyone (and logged). Also use these variables if you want to log connection
1240 # attempts to these ports from everyone (also trusted/full access hosts).
1241 # In principle you don't need these variables, as everything is already blocked
1242 # (denied) by default; they exist only for consistency.
1243 # ------------------------------------------------------------------------------
1244 DENY_TCP=""
1245 DENY_UDP=""
1246
1247 # Put in the following variables which ports you want to DENY(DROP) for
1248 # everyone but NOT logged. This is very useful if you have constant probes on
1249 # the same port(s) over and over again (code red worm) and don't want your logs
1250 # flooded with it.
1251 # ------------------------------------------------------------------------------
1252 DENY_TCP_NOLOG=""
1253 DENY_UDP_NOLOG=""
1254
1255 # Put in the following variables the TCP/UDP ports you want to REJECT (instead
1256 # of DROP) for everyone (and logged).
1257 # ------------------------------------------------------------------------------
1258 REJECT_TCP=""
1259 REJECT_UDP=""
1260
1261 # Put in the following variables the TCP/UDP ports you want to REJECT (instead
1262 # of DROP) for everyone but NOT logged.
1263 # ------------------------------------------------------------------------------
1264 REJECT_TCP_NOLOG=""
1265 REJECT_UDP_NOLOG=""
1266
1267 # Put in the following variable which hosts you want to block (blackhole,
1268 # dropping every packet from the host).
1269 # ------------------------------------------------------------------------------
1270 BLOCK_HOSTS=""
1271
1272 # Blocked Hosts are by default blocked in both Inbound and Outbound directions.
1273 # If only Inbound blocking is desired, set to 0 to disable bidirectional
1274 # blocking.
1275 # ------------------------------------------------------------------------------
1276 BLOCK_HOSTS_BIDIRECTIONAL=1
1277
1278 # (EXPERT SETTING!) When using *.netset files, a default whitelist ipset for
1279 # IPv4 (and IPv6) is created to ensure blocklist files do not inadvertently
1280 # block normal local traffic. When undefined, these variables default to
1281 # whitelisting all Private (RFC1918), Link-Local and Multicast IP/Nets.
1282 # Define a space separated list of IPv4 (and IPv6) IP/Nets for custom defaults.
1283 #
1284 # Note: This option depends on BLOCK_NETSET_DIR being defined.
1285 # ------------------------------------------------------------------------------
1286 DEFAULT_NETSET_WHITELIST=""
1287 DEFAULT_NETSET_WHITELISTV6=""
1288
1289 # Uncomment & specify here the location of the file that contains a list of
1290 # hosts(IPs) that should be BLOCKED. IP ranges can (only) be specified as
1291 # w.x.y.z1-z2 (eg. 192.168.1.10-15). Note that the last line of this file
1292 # should always be terminated by a newline (press enter)!
1293 # ------------------------------------------------------------------------------
1294 #BLOCK_HOSTS_FILE="/etc/arno-iptables-firewall/blocked-hosts"
1295
1296 # Uncomment & specify here the location of the directory that contains *.netset
1297 # files containing IP addresses and/or Networks (CIDR notation) to be BLOCKED.
1298 # Each .netset file may contain only one IP/Net entry per line, each IP/Net
1299 # entry must start at the beginning of the line and any valid entry must be
1300 # immediately followed by a new-line or a POSIX [[:space:]] character.
1301 # File contents not matching an IP/Net will be ignored.
1302 #
1303 # File naming convention: use *v6.netset files for IPv6 entries; all other
1304 # *.netset files default to IPv4. Filenames are limited to a maximum of
1305 # 27 characters before the .netset suffix.
1306 # Optional whitelist.netset, whitelistv6.netset files may contain IP/Net entries
1307 # that will NOT be BLOCKED by other *.netset files. By default, all Private
1308 # (RFC1918), Link-Local and Multicast IP/Nets are whitelisted automatically.
1309 # See also: DEFAULT_NETSET_WHITELIST and DEFAULT_NETSET_WHITELISTV6
1310 #
1311 # Note: This option depends on IPTABLES_IPSET being enabled.
1312 # ------------------------------------------------------------------------------
1313 #BLOCK_NETSET_DIR="/etc/arno-iptables-firewall/blocklists"
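# Added example (not AIF's own code): the two block-list file formats described
# above (BLOCK_HOSTS_FILE ranges and *.netset files) applied to constructed
# input, so you can see which lines would actually be loaded. The regular
# expressions are this example's approximation of "looks like an IP/Net" and
# are an assumption; the real script's matching may differ.

```sh
#!/bin/sh
# Added example, not AIF's own code: check the two block-list file formats
# described in firewall.conf against constructed input.
#   BLOCK_HOSTS_FILE : one host per line, ranges only as w.x.y.z1-z2
#   *.netset         : one IP/Net per line, starting at column 1 and followed
#                      by end-of-line or a [[:space:]] character; other content
#                      is ignored; *v6.netset holds IPv6, the rest IPv4; the
#                      name before ".netset" is at most 27 characters
# The regular expressions are this example's approximation of "looks like an
# IP/Net" (octet values are not range-checked); the real script may differ.

# Expand a BLOCK_HOSTS_FILE entry: "192.168.1.10-15" -> .10 .11 ... .15;
# anything without a "-" is printed unchanged.
expand_host_range() {
  case $1 in
    *-*)
      prefix=${1%.*}; last=${1##*.}        # "192.168.1" and "10-15"
      i=${last%-*}; end=${last#*-}
      while [ "$i" -le "$end" ]; do
        echo "$prefix.$i"; i=$((i + 1))
      done ;;
    *) echo "$1" ;;
  esac
}

# Print the entries of a *.netset file that pass the rules above.
netset_entries() {
  case $1 in
    *v6.netset)   # IPv6: hex groups with at least one colon, optional /prefix
      sed -nE 's#^([0-9A-Fa-f]*:[0-9A-Fa-f:]*(/[0-9]{1,3})?)([[:space:]].*)?$#\1#p' "$1" ;;
    *.netset)     # IPv4: dotted quad, optional /prefix
      sed -nE 's#^(([0-9]{1,3}\.){3}[0-9]{1,3}(/[0-9]{1,2})?)([[:space:]].*)?$#\1#p' "$1" ;;
    *) echo "netset_entries: $1 is not a .netset file" >&2; return 1 ;;
  esac
}

# Return 0 if the file name obeys the naming rule (1..27 chars + ".netset").
netset_name_ok() {
  name=${1##*/}
  case $name in
    *.netset) base=${name%.netset} ;;
    *) return 1 ;;
  esac
  [ -n "$base" ] && [ ${#base} -le 27 ]
}

# Build a constructed pair of netset files (documentation-range addresses,
# not a real block list) and print the directory that holds them.
make_demo_netsets() {
  d=$(mktemp -d)
  printf '%s\n' \
    '192.0.2.10' \
    '198.51.100.0/24   # trailing comment after whitespace is fine' \
    '  203.0.113.5' \
    '# 203.0.113.6' \
    '203.0.113.7abc' \
    'notanaddress' > "$d/demo.netset"
  printf '%s\n' \
    '2001:db8::/32' \
    '2001:db8::1 fe80::1' \
    'dead' > "$d/demov6.netset"
  echo "$d"
}

dir=$(make_demo_netsets)
echo "range:"; expand_host_range 192.168.1.10-15
echo "IPv4:";  netset_entries "$dir/demo.netset"
echo "IPv6:";  netset_entries "$dir/demov6.netset"
rm -rf "$dir"
```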