Thu, 18 Dec 2014 17:01:36 +0100
Allow inverse neighbour discovery solicitation (141) / advertisement (142)
0 | 1 | # /etc/mbse-firewall/firewall.conf |
2 | ||
3 | # --------------------------------------------------------------------------- | |
4 | # Copyright (C) 2013-2014 by Michiel Broek. | |
5 | # Homepage http://www.mbse.eu | |
6 | # Email mbse At mbse dOt eu | |
7 | # | |
8 | # This file is part of mbse-firewall. | |
9 | # | |
10 | # This program is free software; you can redistribute it and/or modify it | |
11 | # under the terms of the GNU General Public License as published by the | |
12 | # Free Software Foundation; either version 2, or (at your option) any | |
13 | # later version. | |
14 | # | |
15 | # This program is distributed in the hope that it will be useful, but | |
16 | # WITHOUT ANY WARRANTY; without even the implied warranty of | |
17 | # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU | |
18 | # General Public License for more details. | |
19 | # | |
20 | # You should have received a copy of the GNU General Public License | |
21 | # along with this program; see the file COPYING. If not, write to the Free | |
22 | # Software Foundation, 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA. | |
23 | # --------------------------------------------------------------------------- | |
24 | ||
25 | ||
26 | # --------------------------------------------------------------------------- | |
27 | # | |
28 | # Interface settings | |
29 | # | |
30 | # --------------------------------------------------------------------------- | |
31 | ||
32 | # External interface that will be protected as internet connection. | |
33 | # If this is a server on a DMZ network, use this too. | |
34 | # | |
35 | IF_EXT="eth0" | |
36 | ||
37 | # External IPv6 tunnel interface that will be protected as internet connection. | |
38 | # Enable this if you use a tunnel broker for IPv6. | |
39 | #IF_EXT6="six0" | |
40 | ||
41 | # If the external gateway is a border gateway, (your internet connection) then | |
42 | # set the next option. Certain protocols are disabled in this case, and some | |
43 | # are just enabled. | |
44 | #IF_EXT_IS_BORDER_GW="1" | |
45 | ||
46 | # Enable automatic blacklisting of hosts that do any kind portscanning. | |
47 | # This is tested by any rules not matched on the external interface(s) INPUT | |
48 | # or FORWARD chain and is a repeated undefined port from the same IP. | |
49 | # These hosts are blocked using ipset for one hour. | |
50 | #IF_EXT_AUTO_BLOCK="1" | |
51 | ||
52 | # Block time in seconds when a host is blocked. Default is 3600. | |
53 | #IF_EXT_AUTO_TO=172800 | |
54 | ||
55 | # Average detect limit, default 5/hour | |
56 | #IF_EXT_AUTO_LIMIT="2/hour" | |
57 | ||
58 | # Burst detect limit, default 10 | |
59 | #IF_EXT_AUTO_BURST="2" | |
60 | ||
61 | # Trunk networks. All other interfaces are set here. They should start | |
62 | # with 0 and there should be no gaps. | |
63 | # | |
64 | #IF_TRUNK[0]="eth1" | |
65 | #IF_TRUNK[1]="tap0" | |
66 | #IF_TRUNK[2]="" | |
67 | #IF_TRUNK[3]="" | |
68 | #IF_TRUNK[4]="" | |
69 | #IF_TRUNK[5]="" | |
70 | #IF_TRUNK[6]="" | |
71 | #IF_TRUNK[7]="" | |
72 | #IF_TRUNK[8]="" | |
73 | #IF_TRUNK[9]="" | |
74 | ||
75 | ||
76 | ||
77 | # --------------------------------------------------------------------------- | |
78 | # | |
79 | # Global settings | |
80 | # | |
81 | # --------------------------------------------------------------------------- | |
82 | ||
83 | ||
84 | # On hosts leave this undefined or 0. On routers uncomment and set to 1 | |
85 | FW_FORWARD="0" | |
86 | ||
87 | # Add rules to allow traceroute | |
88 | FW_TRACEROUTE="1" | |
89 | ||
90 | # If you have a bridged interface like br0 with physical interfaces eth0 and | |
91 | # tap0 for example, you need to add iptables rules to forward traffic between | |
92 | # these interfaces. You can turn this off by setting the next variable. | |
93 | # If this variable is set, then all bridged interfaces are seen as one physical | |
94 | # interface. See http://ebtables.sourceforge.net/documentation/bridge-nf.html | |
95 | # for more details. | |
96 | #FW_NO_BRIDGE_NF_CALL="1" | |
97 | ||
98 | # Install a ssh backdoor from this IP. The examples show an exact IP address, | |
99 | # but you can use networks if you like. Exact is better of course. | |
100 | # for IPv4 use: 2.3.4.5/32 | |
101 | #IPV4_BACKDOOR_SSH="10.1.1.231/32" | |
102 | # for IPv6 use: 2001:dead:beef::1/128 | |
103 | #IPV6_BACKDOOR_SSH="2001:1af8:dead:beef::e7/128" | |
104 | ||
105 | # Mangle, should be 1 on routers | |
106 | #CLAMP_MSS_TO_PMTU="1" | |
107 |