etc/firewall.conf

# /etc/mbse-firewall/firewall.conf
#
# Configuration for mbse-firewall. Everything in here is shell assignment
# syntax (IF_TRUNK is a bash array), so the file is presumably sourced by the
# firewall script rather than parsed: keep values quoted, and put nothing but
# assignments and comments in here, because anything else would run with the
# privileges of the firewall script.

# ---------------------------------------------------------------------------
# Copyright (C) 2013-2014 by Michiel Broek.
# Homepage http://www.mbse.eu
# Email mbse At mbse dOt eu
#
# This file is part of mbse-firewall.
#
# This program is free software; you can redistribute it and/or modify it
# under the terms of the GNU General Public License as published by the
# Free Software Foundation; either version 2, or (at your option) any
# later version.
#
# This program is distributed in the hope that it will be useful, but
# WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
# General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program; see the file COPYING. If not, write to the Free
# Software Foundation, 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA.
# ---------------------------------------------------------------------------


# ---------------------------------------------------------------------------
#
# Interface settings
#
# ---------------------------------------------------------------------------

# External interface that will be protected as internet connection.
# If this is a server on a DMZ network, use this too.
# The external-interface protections further down (border gateway handling,
# automatic blocking) apply to this interface and, when set, to IF_EXT6.
#
IF_EXT="eth0"

# External IPv6 tunnel interface that will be protected as internet connection.
# Enable this if you use a tunnel broker for IPv6; traffic arriving through
# the tunnel is then treated like traffic on IF_EXT instead of as internal.
#IF_EXT6="six0"

# If the external interface is a border gateway (your actual internet uplink,
# rather than an interface on an internal or DMZ network), set the next option.
# Certain protocols are disabled in this case, and some are just enabled;
# the exact list lives in the firewall script, so check it there before
# relying on a specific protocol being open or closed.
#IF_EXT_IS_BORDER_GW="1"

# Enable automatic blacklisting of hosts that do any kind of portscanning.
# A packet that matches no rule in the INPUT or FORWARD chain of the external
# interface(s) counts as a probe; repeated probes of undefined ports from the
# same source IP get that IP put into an ipset block list for IF_EXT_AUTO_TO
# seconds (one hour by default).
# NOTE(review): the decision is keyed on the packet's source address only, so
# packets with forged sources can get third-party addresses blocked for the
# block time, and a management host that trips the limit locks itself out.
# Keep the limits below conservative on machines you administer remotely.
#IF_EXT_AUTO_BLOCK="1"

# Block time in seconds when a host is blocked. Default is 3600 (one hour);
# the example value below is 48 hours.
#IF_EXT_AUTO_TO=172800

# Average detect limit: the sustained rate of unmatched packets from one
# source that triggers a block, written like an iptables limit
# (N/second, N/minute, N/hour, N/day). Default 5/hour; the example below
# is stricter.
#IF_EXT_AUTO_LIMIT="2/hour"

# Burst detect limit: how many unmatched packets from one source may arrive
# in quick succession before the average limit above takes effect.
# Default 10; the example below is stricter.
#IF_EXT_AUTO_BURST="2"

# Trunk networks. All other interfaces (the ones that are not external) are
# set here. Index the array from 0 and leave no gaps; the script presumably
# stops at the first unset entry. Unlike IF_EXT, an interface listed here is
# not protected as an internet connection, so never put an interface that
# faces untrusted hosts in this list.
#
#IF_TRUNK[0]="eth1"
#IF_TRUNK[1]="tap0"
#IF_TRUNK[2]=""
#IF_TRUNK[3]=""
#IF_TRUNK[4]=""
#IF_TRUNK[5]=""
#IF_TRUNK[6]=""
#IF_TRUNK[7]=""
#IF_TRUNK[8]=""
#IF_TRUNK[9]=""



# ---------------------------------------------------------------------------
#
# Global settings
#
# ---------------------------------------------------------------------------


# On hosts leave this 0 (or undefined). On routers set it to 1 so traffic
# may be forwarded between interfaces. Leave it at 0 unless this machine
# really routes for other hosts; forwarding widens what the rule set has to
# cover.
FW_FORWARD="0"

# Add rules to allow traceroute. Enabled by default; if you do not need it,
# set it to 0 — every accepting rule on the external interface you can do
# without is one less thing to audit.
FW_TRACEROUTE="1"

# If you have a bridged interface like br0 with physical interfaces eth0 and
# tap0 for example, bridged traffic normally also passes through iptables
# (bridge-nf-call), so you need iptables rules to forward traffic between
# these interfaces. Set the next variable to turn that off: all bridged
# interfaces are then seen as one physical interface, and frames crossing the
# bridge are no longer inspected by the iptables rules of this firewall. Only
# enable this when every port on the bridge is equally trusted.
# See http://ebtables.sourceforge.net/documentation/bridge-nf.html
# for more details.
#FW_NO_BRIDGE_NF_CALL="1"

# Install a ssh backdoor from this IP: an accept rule for ssh from the given
# source, meant to keep you from locking yourself out. The examples show an
# exact IP address, but you can use networks if you like. Exact is better of
# course: every address in a network range gets the same unconditional access,
# so use a single /32 (or /128) that you control and that does not change,
# and leave both unset if you do not need them. Whether this exception is
# evaluated before the automatic blacklist above depends on the rule order in
# the firewall script — verify that before relying on it as a recovery path.
# for IPv4 use: 2.3.4.5/32
#IPV4_BACKDOOR_SSH="10.1.1.231/32"
# for IPv6 use: 2001:dead:beef::1/128
#IPV6_BACKDOOR_SSH="2001:1af8:dead:beef::e7/128"

# Mangle table: clamp the TCP MSS to the path MTU. Should be 1 on routers
# (typically needed when the uplink MTU is smaller than the LAN's); it has
# no use on a plain host.
#CLAMP_MSS_TO_PMTU="1"


mercurial