Sun, 26 Feb 2023 15:23:19 +0100
Make sure ipset tables exist.
0 | 1 | # /etc/mbse-firewall/firewall.conf |
2 | ||
3 | # --------------------------------------------------------------------------- | |
12 | 4 | # Copyright (C) 2013-2023 by Michiel Broek. |
0 | 5 | # Homepage http://www.mbse.eu |
6 | # Email mbse At mbse dOt eu | |
7 | # | |
8 | # This file is part of mbse-firewall. | |
9 | # | |
10 | # This program is free software; you can redistribute it and/or modify it | |
11 | # under the terms of the GNU General Public License as published by the | |
12 | # Free Software Foundation; either version 2, or (at your option) any | |
13 | # later version. | |
14 | # | |
15 | # This program is distributed in the hope that it will be useful, but | |
16 | # WITHOUT ANY WARRANTY; without even the implied warranty of | |
17 | # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU | |
18 | # General Public License for more details. | |
19 | # | |
20 | # You should have received a copy of the GNU General Public License | |
21 | # along with this program; see the file COPYING. If not, write to the Free | |
22 | # Software Foundation, 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA. | |
23 | # --------------------------------------------------------------------------- | |
24 | ||
25 | ||
26 | # --------------------------------------------------------------------------- | |
27 | # | |
28 | # Interface settings | |
29 | # | |
30 | # --------------------------------------------------------------------------- | |
31 | ||
32 | # External interface that will be protected as internet connection. | |
33 | # If this is a server on a DMZ network, use this too. | |
34 | # | |
35 | IF_EXT="eth0" | |
36 | ||
37 | # External IPv6 tunnel interface that will be protected as internet connection. | |
38 | # Enable this if you use a tunnel broker for IPv6. | |
39 | #IF_EXT6="six0" | |
40 | ||
41 | # If the external gateway is a border gateway (your internet connection), | |
42 | # then set the next option. Certain protocols are disabled in this case, | |
43 | # and some others are enabled. | |
44 | #IF_EXT_IS_BORDER_GW="1" | |
45 | ||
46 | # Enable automatic blacklisting of hosts that do any kind of portscanning. | |
47 | # This is triggered by packets not matched by any rule in the external | |
48 | # interface(s) INPUT or FORWARD chain, i.e. repeated hits on undefined | |
49 | # ports from the same IP. These hosts are blocked using ipset for one hour. | |
50 | #IF_EXT_AUTO_BLOCK="1" | |
51 | ||
7
c846ebedfff3
Added global block ipset tables. Bumped to version 0.0.18
Michiel Broek <mbroek@mbse.eu>
parents:
0
52 | # Use global blocking table. This just inserts rules to block hosts that |
53 | # are found in the sets global-blk4 or global-blk6. Other programs like |
54 | # ossec, fail2ban etc. need to put the bad hosts in these tables. |
55 | #IF_EXT_GLOBAL_BLOCK="1" |
56 | |
0 | 57 | # Block time in seconds when a host is blocked. Default is 3600. |
58 | #IF_EXT_AUTO_TO=172800 | |
59 | ||
60 | # Average detect limit, default 5/hour | |
61 | #IF_EXT_AUTO_LIMIT="2/hour" | |
62 | ||
63 | # Burst detect limit, default 10 | |
64 | #IF_EXT_AUTO_BURST="2" | |
65 | ||
66 | # Trunk networks. All other interfaces are set here. They should start | |
67 | # with 0 and there should be no gaps. | |
68 | # | |
69 | #IF_TRUNK[0]="eth1" | |
70 | #IF_TRUNK[1]="tap0" | |
71 | #IF_TRUNK[2]="" | |
72 | #IF_TRUNK[3]="" | |
73 | #IF_TRUNK[4]="" | |
74 | #IF_TRUNK[5]="" | |
75 | #IF_TRUNK[6]="" | |
76 | #IF_TRUNK[7]="" | |
77 | #IF_TRUNK[8]="" | |
78 | #IF_TRUNK[9]="" | |
79 | ||
80 | ||
81 | ||
82 | # --------------------------------------------------------------------------- | |
83 | # | |
84 | # Global settings | |
85 | # | |
86 | # --------------------------------------------------------------------------- | |
87 | ||
88 | ||
89 | # On hosts leave this undefined or 0. On routers set this to 1. | |
90 | FW_FORWARD="0" | |
91 | ||
92 | # Add rules to allow traceroute | |
93 | FW_TRACEROUTE="1" | |
94 | ||
95 | # If you have a bridged interface like br0 with physical interfaces eth0 and | |
96 | # tap0 for example, you need to add iptables rules to forward traffic between | |
97 | # these interfaces. You can turn this off by setting the next variable. | |
98 | # If this variable is set, then all bridged interfaces are seen as one physical | |
99 | # interface. See http://ebtables.sourceforge.net/documentation/bridge-nf.html | |
100 | # for more details. | |
101 | #FW_NO_BRIDGE_NF_CALL="1" | |
102 | ||
9
2e298d35241f
Added options to log to syslog or nflog.
Michiel Broek <mbroek@mbse.eu>
parents:
7
103 | # Log destination. Default is syslog, but you can select nflog, which uses the |
104 | # ulogd facility, or write your own. |
105 | FW_LOGDEST=(LOG --log-level info --log-prefix) |
106 | #FW_LOGDEST=(NFLOG --nflog-group 0 --nflog-prefix) |
107 | |
0 | 108 | # Install an ssh backdoor from this IP. The examples show an exact IP address, |
109 | # but you can use networks if you like. An exact address is better, of course. | |
110 | # for IPv4 use: 2.3.4.5/32 | |
111 | #IPV4_BACKDOOR_SSH="10.1.1.231/32" | |
112 | # for IPv6 use: 2001:dead:beef::1/128 | |
113 | #IPV6_BACKDOOR_SSH="2001:1af8:dead:beef::e7/128" | |
114 | ||
115 | # Mangle, should be 1 on routers | |
116 | #CLAMP_MSS_TO_PMTU="1" | |
117 |