etc/firewall.conf

changeset 0
d4d23e51be4f
child 7
c846ebedfff3
--- /dev/null	Thu Jan 01 00:00:00 1970 +0000
+++ b/etc/firewall.conf	Thu Jan 30 14:46:10 2014 +0100
@@ -0,0 +1,107 @@
+# /etc/mbse-firewall/firewall.conf
+
+# ---------------------------------------------------------------------------
+# Copyright (C) 2013-2014 by Michiel Broek.
+# Homepage                   http://www.mbse.eu
+# Email                      mbse At mbse dOt eu
+#
+# This file is part of mbse-firewall.
+#
+# This program is free software; you can redistribute it and/or modify it
+# under the terms of the GNU General Public License as published by the
+# Free Software Foundation; either version 2, or (at your option) any
+# later version.
+#
+# This program is distributed in the hope that it will be useful, but
+# WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
+# General Public License for more details.
+# 
+# You should have received a copy of the GNU General Public License
+# along with this program; see the file COPYING.  If not, write to the Free
+# Software Foundation, 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA.
+# ---------------------------------------------------------------------------
+
+
+# ---------------------------------------------------------------------------
+#
+#     Interface settings
+#
+# ---------------------------------------------------------------------------
+
+# External interface that will be protected as internet connection.
+# If this is a server on a DMZ network, use this too.
+#
+IF_EXT="eth0"
+
+# External IPv6 tunnel interface that will be protected as internet connection.
+# Enable this if you use a tunnel broker for IPv6.
+#IF_EXT6="six0"
+
+# If the external gateway is a border gateway, (your internet connection) then
+# set the next option. Certain protocols are disabled in this case, and some
+# are just enabled.
+#IF_EXT_IS_BORDER_GW="1"
+
+# Enable automatic blacklisting of hosts that do any kind portscanning.
+# This is tested by any rules not matched on the external interface(s) INPUT
+# or FORWARD chain and is a repeated undefined port from the same IP.
+# These hosts are blocked using ipset for one hour.
+#IF_EXT_AUTO_BLOCK="1"
+
+# Block time in seconds when a host is blocked. Default is 3600.
+#IF_EXT_AUTO_TO=172800
+
+# Average detect limit, default 5/hour
+#IF_EXT_AUTO_LIMIT="2/hour"
+
+# Burst detect limit, default 10
+#IF_EXT_AUTO_BURST="2"
+
+# Trunk networks. All other interfaces are set here. They should start
+# with 0 and there should be no gaps. 
+#
+#IF_TRUNK[0]="eth1"
+#IF_TRUNK[1]="tap0"
+#IF_TRUNK[2]=""
+#IF_TRUNK[3]=""
+#IF_TRUNK[4]=""
+#IF_TRUNK[5]=""
+#IF_TRUNK[6]=""
+#IF_TRUNK[7]=""
+#IF_TRUNK[8]=""
+#IF_TRUNK[9]=""
+
+
+
+# ---------------------------------------------------------------------------
+#
+#     Global settings
+#
+# ---------------------------------------------------------------------------
+
+
+# On hosts leave this undefined or 0. On routers uncomment and set to 1
+FW_FORWARD="0"
+
+# Add rules to allow traceroute
+FW_TRACEROUTE="1"
+
+# If you have a bridged interface like br0 with physical interfaces eth0 and
+# tap0 for example, you need to add iptables rules to forward traffic between
+# these interfaces. You can turn this off by setting the next variable.
+# If this variable is set, then all bridged interfaces are seen as one physical
+# interface. See http://ebtables.sourceforge.net/documentation/bridge-nf.html
+# for more details.
+#FW_NO_BRIDGE_NF_CALL="1"
+
+# Install a ssh backdoor from this IP. The examples show an exact IP address,
+# but you can use networks if you like. Exact is better of course.
+# for IPv4 use: 2.3.4.5/32
+#IPV4_BACKDOOR_SSH="10.1.1.231/32"
+# for IPv6 use: 2001:dead:beef::1/128
+#IPV6_BACKDOOR_SSH="2001:1af8:dead:beef::e7/128"
+
+# Mangle, should be 1 on routers
+#CLAMP_MSS_TO_PMTU="1"
+
