"Fossies" - the Fresh Open Source Software Archive

Member "aif-2.1.1/etc/arno-iptables-firewall/plugins/parasitic-net.conf" (16 Sep 2020, 4947 Bytes) of package /linux/privat/aif-2.1.1.tar.gz:



    # ------------------------------------------------------------------------------
    #     -= Arno's Iptables Firewall(AIF) - Parasitic (SNAT) Network plugin =-
    # ------------------------------------------------------------------------------

    # To actually enable this plugin make ENABLED=1:
    # ------------------------------------------------------------------------------
    ENABLED=0

    # ------------------------------------------------------------------------------
    # Parasitic Network
    #
    # Allows "clients" on the same subnet to use this device as a gateway upstream.
    # This network of "clients" is the Parasitic Network, SNAT'ed to this device's
    # external interface(s).
    #
    # This Parasitic Network is useful for situations when the upstream firewall
    # is not under your control and you desire added security for specific devices
    # in your subnet.  Set the gateway address of Parasitic Network clients to an
    # external IPv4 address of this device.
    #
    # Note: To be effective, be certain the Parasitic Network clients are IPv4-only
    #
    # (IPv4 Only)
    # ------------------------------------------------------------------------------

    # Specify which (external) network interfaces should have parasitic SNAT enabled
    # You can optionally also provide the interface IP in the form of interface~IP
    # (e.g. for interfaces with multiple IP addresses). Multiple interfaces should
    # be space separated. Leave empty to include all external interfaces
    # ------------------------------------------------------------------------------
    PARASITIC_NET_IF=""

    # Specify which "clients" are allowed to use this device as an SNAT gateway.
    # If not specified all hosts on parasitic SNAT enabled interfaces are allowed
    # NOTE: The hosts in here should be on subnets connected to interfaces specified
    # in PARASITIC_NET_IF
    # ------------------------------------------------------------------------------
    PARASITIC_NET_CLIENT_HOSTS=""

    # Specify here the time(s) in minutes between executions of the helper script
    # (leave default if you don't know what it is).
    # ------------------------------------------------------------------------------
    PARASITIC_NET_TIME="15"


    ################################################################################
    # Use PARASITIC_NET_HOST_OPEN_xxx and PARASITIC_NET_HOST_DENY to restrict      #
    # forwarded parasitic network traffic.                                         #
    #                                                                              #
    # By default all parasitic network packets are forwarded and NAT-ed upstream,  #
    # unless one of the PARASITIC_NET_HOST_OPEN_xxx variables is specified. In     #
    # that case the default policy for that protocol (TCP, UDP, ICMP, IP) will     #
    # become deny, except for IP which always defaults to deny.                    #
    ################################################################################

    #-------------------------------------------------------------------------------
    # PARASITIC_NET_HOST_OPEN_xxx & PARASITIC_NET_HOST_DENY_xxx format:
    #
    # TCP/UDP port form:
    #       "SRCIP1,SRCIP2,...>DESTIP1~port \
    #        SRCIP3,...>DESTIP2~port"
    #
    # IP form:
    #       "SRCIP1,SRCIP2,...>DESTIP1~protocol \
    #        SRCIP3,...>DESTIP2~protocol"
    #
    # ICMP form:
    #       "SRCIP1,SRCIP2,...>DESTIP1 \
    #        SRCIP3,...>DESTIP2"
    #
    # TCP/UDP examples:
    # -----------------
    # Simple:
    #       (Allow port 80 to INET host 1.2.3.4 for all parasitic hosts(0/0)):
    #       PARASITIC_NET_HOST_OPEN_xxx="1.2.3.4~80"
    # Advanced:
    #       (Allow port 20 & 21 to INET host 1.2.3.4 for all parasitic hosts(0/0) and
    #        allow port 80 to INET host 1.2.3.4 for parasitic host 192.168.0.10 (only)):
    #       PARASITIC_NET_HOST_OPEN_xxx="1.2.3.4~20,21 192.168.0.10>0/0~80"
    #
    # IP protocol example:
    #       (Allow protocols 47 & 48 to INET host 1.2.3.4 for all parasitic hosts(0/0))
    #       PARASITIC_NET_HOST_OPEN_IP="1.2.3.4~47,48"
    #
    # NOTE: If no SRCIPx is specified, any source host is used
    #-------------------------------------------------------------------------------

    # Put in the following variables which hosts you want to allow(open) for certain
    # services
    # ------------------------------------------------------------------------------
    PARASITIC_NET_HOST_OPEN_TCP=""
    PARASITIC_NET_HOST_OPEN_UDP=""
    PARASITIC_NET_HOST_OPEN_ICMP=""
    PARASITIC_NET_HOST_OPEN_IP=""

    # Put in the following variables which hosts you want to deny for certain
    # services
    # ------------------------------------------------------------------------------
    PARASITIC_NET_HOST_DENY_TCP=""
    PARASITIC_NET_HOST_DENY_UDP=""
    PARASITIC_NET_HOST_DENY_ICMP=""
    PARASITIC_NET_HOST_DENY_IP=""

    # Enable (1) or disable(0) logging of denied packets
    # ------------------------------------------------------------------------------
    PARASITIC_NET_DENY_LOG=1

    # Specify the policy for denied packets: DROP (default) or REJECT
    # ------------------------------------------------------------------------------
    PARASITIC_NET_DENY_POLICY="DROP"
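
Because setting any PARASITIC_NET_HOST_OPEN_xxx variable flips that protocol to default-deny, it helps to see exactly which source/destination/port combinations a value opens before enabling it. The following is an added example, not part of AIF or of this file: it expands a TCP/UDP value using only the port form documented in the comments above. The function name `expand_rules` is hypothetical, and AIF's own parser may accept forms that this function rejects.

```shell
#!/bin/sh
# Added example (not AIF code): expand a PARASITIC_NET_HOST_OPEN_TCP/UDP value
# into one "SRC DST PORT" line per combination, following only the format
# documented in parasitic-net.conf: "SRCIP1,SRCIP2,...>DESTIP~port[,port]".

# expand_rules "<value>"
#   prints "SRC DST PORT" lines on stdout
#   returns 1 if any entry is malformed (TCP/UDP form requires DESTIP~port)
expand_rules() {
    rc=0
    for entry in $1; do                       # entries are space separated
        case $entry in
            *">"*) srcs=${entry%%">"*}; rest=${entry#*">"} ;;
            *)     srcs="0/0";          rest=$entry ;;  # no SRCIP: any source
        esac
        case $rest in
            *"~"*) dst=${rest%%"~"*}; ports=${rest#*"~"} ;;
            *)     echo "ERROR: '$entry' has no ~port" >&2; rc=1; continue ;;
        esac
        if [ -z "$srcs" ] || [ -z "$dst" ] || [ -z "$ports" ]; then
            echo "ERROR: '$entry' has an empty field" >&2; rc=1; continue
        fi
        old_ifs=$IFS; IFS=,                   # sources and ports are comma lists
        for s in $srcs; do
            for p in $ports; do
                echo "$s $dst $p"
            done
        done
        IFS=$old_ifs
    done
    return $rc
}

# The "Advanced" value from the file's own comments, expanded for review.
expand_rules "1.2.3.4~20,21 192.168.0.10>0/0~80"
```

A destination of `0/0` in the output means the listed source may reach that port on any upstream host, which is worth checking against the intent of each entry.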