|
1 # /etc/mbse-firewall/firewall.conf |
|
2 |
|
3 # --------------------------------------------------------------------------- |
|
4 # Copyright (C) 2013-2014 by Michiel Broek. |
|
5 # Homepage http://www.mbse.eu |
|
6 # Email mbse At mbse dOt eu |
|
7 # |
|
8 # This file is part of mbse-firewall. |
|
9 # |
|
10 # This program is free software; you can redistribute it and/or modify it |
|
11 # under the terms of the GNU General Public License as published by the |
|
12 # Free Software Foundation; either version 2, or (at your option) any |
|
13 # later version. |
|
14 # |
|
15 # This program is distributed in the hope that it will be useful, but |
|
16 # WITHOUT ANY WARRANTY; without even the implied warranty of |
|
17 # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU |
|
18 # General Public License for more details. |
|
19 # |
|
20 # You should have received a copy of the GNU General Public License |
|
21 # along with this program; see the file COPYING. If not, write to the Free |
|
22 # Software Foundation, 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA. |
|
23 # --------------------------------------------------------------------------- |
|
24 |
|
25 |
|
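# ---------------------------------------------------------------------------
#
# Interface settings
#
# ---------------------------------------------------------------------------

# External interface that is protected as the internet-facing connection.
# If this machine is a server on a DMZ network, name its DMZ interface here too.
#
IF_EXT="eth0"

# External IPv6 tunnel interface, protected the same way as IF_EXT.
# Enable this if you reach IPv6 through a tunnel broker.
#IF_EXT6="six0"

# Set this if IF_EXT is a border gateway, i.e. this host terminates the
# internet connection itself. It changes which protocols are allowed or dropped
# on the external interface; check the generated rule set for the exact list.
#IF_EXT_IS_BORDER_GW="1"

# Enable automatic blacklisting of hosts that appear to be port scanning.
# Detection is driven by packets that match no rule in the INPUT or FORWARD
# chain of the external interface(s) and repeatedly hit undefined ports from
# the same source IP. Offending hosts are blocked via ipset for one hour
# unless IF_EXT_AUTO_TO says otherwise.
# NOTE(review): if the match keys only on the source address, spoofed UDP/ICMP
# probes could get a third party's address blocked. Keep the block time short
# and make sure your own management addresses can never be caught by it.
#IF_EXT_AUTO_BLOCK="1"

# Block time in seconds for a blacklisted host. Default is 3600 (one hour);
# the example below is 48 hours.
#IF_EXT_AUTO_TO="172800"

# Average detection rate, in iptables limit syntax (N/second|minute|hour|day).
# Default 5/hour. Lower values block sooner but raise the false-positive risk.
#IF_EXT_AUTO_LIMIT="2/hour"

# Burst allowed before the average rate above applies. Default 10.
#IF_EXT_AUTO_BURST="2"

# Trunk (internal) networks. Every other interface is listed here. Indices
# must start at 0 and must not have gaps.
#
#IF_TRUNK[0]="eth1"
#IF_TRUNK[1]="tap0"
#IF_TRUNK[2]=""
#IF_TRUNK[3]=""
#IF_TRUNK[4]=""
#IF_TRUNK[5]=""
#IF_TRUNK[6]=""
#IF_TRUNK[7]=""
#IF_TRUNK[8]=""
#IF_TRUNK[9]=""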
|
74 |
|
75 |
|
76 |
|
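# ---------------------------------------------------------------------------
#
# Global settings
#
# ---------------------------------------------------------------------------


# IP forwarding. On plain hosts leave this at 0 (or unset). On routers set it
# to 1; the machine then passes traffic between its interfaces, so make sure
# the trunk and external interface settings above reflect what you intend to
# forward.
FW_FORWARD="0"

# Add rules that allow traceroute to work. This also lets outsiders map the
# hops to and around this host; set to 0 if that is not wanted.
FW_TRACEROUTE="1"

# Bridged interfaces (e.g. br0 built from eth0 and tap0): by default iptables
# rules are needed to forward traffic between the bridge members. Set this to
# turn that off, so all bridged interfaces are treated as one physical
# interface. See http://ebtables.sourceforge.net/documentation/bridge-nf.html
# for details.
#FW_NO_BRIDGE_NF_CALL="1"

# Emergency management access: allow SSH from this source even when the other
# rules would block it (a "backdoor"). Use a single host (/32 or /128) -- a
# wider network grants the whole range access. Because this bypasses the rest
# of the firewall, keep sshd itself hardened (key-based auth, no root password
# login). The examples use RFC 1918 / RFC 5737 / RFC 3849 addresses; replace
# them with your real management address.
# for IPv4 use: 192.0.2.5/32
#IPV4_BACKDOOR_SSH="10.1.1.231/32"
# for IPv6 use: 2001:db8::1/128
#IPV6_BACKDOOR_SSH="2001:db8:dead:beef::e7/128"

# Mangle-table rule that clamps the TCP MSS to the path MTU. Set to 1 on
# routers; it avoids stalled connections when the uplink MTU is smaller than
# the LAN MTU (tunnels, PPPoE).
#CLAMP_MSS_TO_PMTU="1"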
|
107 |