diff -r 000000000000 -r d4d23e51be4f etc/firewall.conf --- /dev/null Thu Jan 01 00:00:00 1970 +0000 +++ b/etc/firewall.conf Thu Jan 30 14:46:10 2014 +0100 @@ -0,0 +1,107 @@ +# /etc/mbse-firewall/firewall.conf + +# --------------------------------------------------------------------------- +# Copyright (C) 2013-2014 by Michiel Broek. +# Homepage http://www.mbse.eu +# Email mbse At mbse dOt eu +# +# This file is part of mbse-firewall. +# +# This program is free software; you can redistribute it and/or modify it +# under the terms of the GNU General Public License as published by the +# Free Software Foundation; either version 2, or (at your option) any +# later version. +# +# This program is distributed in the hope that it will be useful, but +# WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU +# General Public License for more details. +# +# You should have received a copy of the GNU General Public License +# along with this program; see the file COPYING. If not, write to the Free +# Software Foundation, 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA. +# --------------------------------------------------------------------------- + + +# --------------------------------------------------------------------------- +# +# Interface settings +# +# --------------------------------------------------------------------------- + +# External interface that will be protected as internet connection. +# If this is a server on a DMZ network, use this too. +# +IF_EXT="eth0" + +# External IPv6 tunnel interface that will be protected as internet connection. +# Enable this if you use a tunnel broker for IPv6. +#IF_EXT6="six0" + +# If the external gateway is a border gateway, (your internet connection) then +# set the next option. Certain protocols are disabled in this case, and some +# are just enabled. +#IF_EXT_IS_BORDER_GW="1" + +# Enable automatic blacklisting of hosts that do any kind portscanning. +# This is tested by any rules not matched on the external interface(s) INPUT +# or FORWARD chain and is a repeated undefined port from the same IP. +# These hosts are blocked using ipset for one hour. +#IF_EXT_AUTO_BLOCK="1" + +# Block time in seconds when a host is blocked. Default is 3600. +#IF_EXT_AUTO_TO=172800 + +# Average detect limit, default 5/hour +#IF_EXT_AUTO_LIMIT="2/hour" + +# Burst detect limit, default 10 +#IF_EXT_AUTO_BURST="2" + +# Trunk networks. All other interfaces are set here. They should start +# with 0 and there should be no gaps. +# +#IF_TRUNK[0]="eth1" +#IF_TRUNK[1]="tap0" +#IF_TRUNK[2]="" +#IF_TRUNK[3]="" +#IF_TRUNK[4]="" +#IF_TRUNK[5]="" +#IF_TRUNK[6]="" +#IF_TRUNK[7]="" +#IF_TRUNK[8]="" +#IF_TRUNK[9]="" + + + +# --------------------------------------------------------------------------- +# +# Global settings +# +# --------------------------------------------------------------------------- + + +# On hosts leave this undefined or 0. On routers uncomment and set to 1 +FW_FORWARD="0" + +# Add rules to allow traceroute +FW_TRACEROUTE="1" + +# If you have a bridged interface like br0 with physical interfaces eth0 and +# tap0 for example, you need to add iptables rules to forward traffic between +# these interfaces. You can turn this off by setting the next variable. +# If this variable is set, then all bridged interfaces are seen as one physical +# interface. See http://ebtables.sourceforge.net/documentation/bridge-nf.html +# for more details. +#FW_NO_BRIDGE_NF_CALL="1" + +# Install a ssh backdoor from this IP. The examples show an exact IP address, +# but you can use networks if you like. Exact is better of course. +# for IPv4 use: 2.3.4.5/32 +#IPV4_BACKDOOR_SSH="10.1.1.231/32" +# for IPv6 use: 2001:dead:beef::1/128 +#IPV6_BACKDOOR_SSH="2001:1af8:dead:beef::e7/128" + +# Mangle, should be 1 on routers +#CLAMP_MSS_TO_PMTU="1" +