etc/firewall.conf

# /etc/mbse-firewall/firewall.conf

# ---------------------------------------------------------------------------
# Copyright (C) 2013-2015 by Michiel Broek.
# Homepage                   http://www.mbse.eu
# Email                      mbse At mbse dOt eu
#
# This file is part of mbse-firewall.
#
# This program is free software; you can redistribute it and/or modify it
# under the terms of the GNU General Public License as published by the
# Free Software Foundation; either version 2, or (at your option) any
# later version.
#
# This program is distributed in the hope that it will be useful, but
# WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
# General Public License for more details.
# 
# You should have received a copy of the GNU General Public License
# along with this program; see the file COPYING.  If not, write to the Free
# Software Foundation, 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA.
# ---------------------------------------------------------------------------


# ---------------------------------------------------------------------------
#
#     Interface settings
#
# ---------------------------------------------------------------------------

# External interface that will be protected as internet connection.
# If this is a server on a DMZ network, use this too.
#
IF_EXT="eth0"

# External IPv6 tunnel interface that will be protected as internet connection.
# Enable this if you use a tunnel broker for IPv6.
#IF_EXT6="six0"

# If the external gateway is a border gateway, (your internet connection) then
# set the next option. Certain protocols are disabled in this case, and some
# are just enabled.
#IF_EXT_IS_BORDER_GW="1"

# Enable automatic blacklisting of hosts that do any kind portscanning.
# This is tested by any rules not matched on the external interface(s) INPUT
# or FORWARD chain and is a repeated undefined port from the same IP.
# These hosts are blocked using ipset for one hour.
#IF_EXT_AUTO_BLOCK="1"

# Use global blocking table. This just inserts rules to block hosts that
# are found in the sets global-blk4 or global-blk6. Other programs like
# ossec, fail2ban etc need to put the bad hosts in these tables.
#IF_EXT_GLOBAL_BLOCK="1"

# Block time in seconds when a host is blocked. Default is 3600.
#IF_EXT_AUTO_TO=172800

# Average detect limit, default 5/hour
#IF_EXT_AUTO_LIMIT="2/hour"

# Burst detect limit, default 10
#IF_EXT_AUTO_BURST="2"

# Trunk networks. All other interfaces are set here. They should start
# with 0 and there should be no gaps. 
#
#IF_TRUNK[0]="eth1"
#IF_TRUNK[1]="tap0"
#IF_TRUNK[2]=""
#IF_TRUNK[3]=""
#IF_TRUNK[4]=""
#IF_TRUNK[5]=""
#IF_TRUNK[6]=""
#IF_TRUNK[7]=""
#IF_TRUNK[8]=""
#IF_TRUNK[9]=""


# ---------------------------------------------------------------------------
#
#     Global settings
#
# ---------------------------------------------------------------------------


# On hosts leave this undefined or 0. On routers uncomment and set to 1
FW_FORWARD="0"

# Add rules to allow traceroute
FW_TRACEROUTE="1"

# If you have a bridged interface like br0 with physical interfaces eth0 and
# tap0 for example, you need to add iptables rules to forward traffic between
# these interfaces. You can turn this off by setting the next variable.
# If this variable is set, then all bridged interfaces are seen as one physical
# interface. See http://ebtables.sourceforge.net/documentation/bridge-nf.html
# for more details.
#FW_NO_BRIDGE_NF_CALL="1"

# Log destination. Default is syslog, but you can select nflog that uses the
# ulogd facility. Or, write your own.
FW_LOGDEST=(LOG --log-level info --log-prefix)
#FW_LOGDEST=(NFLOG --nflog-group 0 --nflog-prefix)

# Install a ssh backdoor from this IP. The examples show an exact IP address,
# but you can use networks if you like. Exact is better of course.
# for IPv4 use: 2.3.4.5/32
#IPV4_BACKDOOR_SSH="10.1.1.231/32"
# for IPv6 use: 2001:dead:beef::1/128
#IPV6_BACKDOOR_SSH="2001:1af8:dead:beef::e7/128"

# Mangle, should be 1 on routers
#CLAMP_MSS_TO_PMTU="1"