Mon, 13 Apr 2015 17:22:53 +0200
Added global block ipset tables. Bumped to version 0.0.18
# /etc/mbse-firewall/firewall.conf # --------------------------------------------------------------------------- # Copyright (C) 2013-2015 by Michiel Broek. # Homepage http://www.mbse.eu # Email mbse At mbse dOt eu # # This file is part of mbse-firewall. # # This program is free software; you can redistribute it and/or modify it # under the terms of the GNU General Public License as published by the # Free Software Foundation; either version 2, or (at your option) any # later version. # # This program is distributed in the hope that it will be useful, but # WITHOUT ANY WARRANTY; without even the implied warranty of # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU # General Public License for more details. # # You should have received a copy of the GNU General Public License # along with this program; see the file COPYING. If not, write to the Free # Software Foundation, 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA. # --------------------------------------------------------------------------- # --------------------------------------------------------------------------- # # Interface settings # # --------------------------------------------------------------------------- # External interface that will be protected as internet connection. # If this is a server on a DMZ network, use this too. # IF_EXT="eth0" # External IPv6 tunnel interface that will be protected as internet connection. # Enable this if you use a tunnel broker for IPv6. #IF_EXT6="six0" # If the external gateway is a border gateway, (your internet connection) then # set the next option. Certain protocols are disabled in this case, and some # are just enabled. #IF_EXT_IS_BORDER_GW="1" # Enable automatic blacklisting of hosts that do any kind portscanning. # This is tested by any rules not matched on the external interface(s) INPUT # or FORWARD chain and is a repeated undefined port from the same IP. # These hosts are blocked using ipset for one hour. #IF_EXT_AUTO_BLOCK="1" # Use global blocking table. This just inserts rules to block hosts that # are found in the sets global-blk4 or global-blk6. Other programs like # ossec, fail2ban etc need to put the bad hosts in these tables. #IF_EXT_GLOBAL_BLOCK="1" # Block time in seconds when a host is blocked. Default is 3600. #IF_EXT_AUTO_TO=172800 # Average detect limit, default 5/hour #IF_EXT_AUTO_LIMIT="2/hour" # Burst detect limit, default 10 #IF_EXT_AUTO_BURST="2" # Trunk networks. All other interfaces are set here. They should start # with 0 and there should be no gaps. # #IF_TRUNK[0]="eth1" #IF_TRUNK[1]="tap0" #IF_TRUNK[2]="" #IF_TRUNK[3]="" #IF_TRUNK[4]="" #IF_TRUNK[5]="" #IF_TRUNK[6]="" #IF_TRUNK[7]="" #IF_TRUNK[8]="" #IF_TRUNK[9]="" # --------------------------------------------------------------------------- # # Global settings # # --------------------------------------------------------------------------- # On hosts leave this undefined or 0. On routers uncomment and set to 1 FW_FORWARD="0" # Add rules to allow traceroute FW_TRACEROUTE="1" # If you have a bridged interface like br0 with physical interfaces eth0 and # tap0 for example, you need to add iptables rules to forward traffic between # these interfaces. You can turn this off by setting the next variable. # If this variable is set, then all bridged interfaces are seen as one physical # interface. See http://ebtables.sourceforge.net/documentation/bridge-nf.html # for more details. #FW_NO_BRIDGE_NF_CALL="1" # Install a ssh backdoor from this IP. The examples show an exact IP address, # but you can use networks if you like. Exact is better of course. # for IPv4 use: 2.3.4.5/32 #IPV4_BACKDOOR_SSH="10.1.1.231/32" # for IPv6 use: 2001:dead:beef::1/128 #IPV6_BACKDOOR_SSH="2001:1af8:dead:beef::e7/128" # Mangle, should be 1 on routers #CLAMP_MSS_TO_PMTU="1"