# Config file version. Don't change this. Will be used some day to # figure out if we need to alert the user that they need to redo their # config file. CONFIG_VERSION=0.9 # This is for testing purposes. IPTABLES=/bin/true IP6TABLES=/bin/true # Uncomment below to actually activate firewall #IPTABLES=/sbin/iptables #IP6TABLES=/sbin/ip6tables #This is important for loading kernel modules MODPROBE=/sbin/modprobe # Don't forget to rename this file to 'options'! # I'm trying to make this config as simple as possible. Comment out # options you don't want to use, uncomment them to use them. # Do we want NAT/Conntrack/Forward features? #NAT=1 #CONNTRACK=1 #FORWARD=1 # Blocking incoming connections by default? #BLOCKINCOMING=1 # Clamp MSS, useful on DSL/VPN links # Space separated list of interfaces to apply this on #CLAMPMSS="ppp0 eth0" # Do we run a LAN DHCP server? Put the interfaces here # where this server is providing services. #LANDHCPSERVER="eth0 eth1" # Internal Interface #INTINF=ppp+ # Port forwardings, requires NAT #PORTFW=$BASEDIR/port-forwards # Multiport support? # yes/no/auto (auto will try to detect if we support multiport or not, # may not always work but is recommended unless you have a reason otherwise) IPTABLES_MULTIPORT=auto # Multiport options - use to override defaults #NF_MULTIPORT="xt_multiport" #NF_MULTIPORT_MAX_PORTS="7" # TCP/UDP/Protocol to allow TCPPORTS="20 21 22 53 80 113 123 443" UDPPORTS="53" # common protocols to allow include ipsec, gre, and ipv6 ALLOWEDPROTO="41 47 50 51" # IPs that are allowed to bypass firewall TRUSTEDIP="127.0.0.1" # Don't track these IPs, useful in some occasions. Don't # use otherwise. DONTTRACK="127.0.0.1" # IP range(s) to forward ROUTING=$BASEDIR/ipv4-routing # Mark ipv4 packets for advanced purposes IPv4_MARK=$BASEDIR/ipv4-marks # Hacks to either block specific kinds of attacks or fix problems # # NS-IN-DDOS - Block DNS DDoS using NS/IN spoof, see: # http://www.stupendous.net/archives/2009/01/24/dropping-spurious-nsin-recursive-queries/ # # MULTI-NIC-ARP-LOCK - By default, in Linux, arp requests may be answered by interfaces that # do not actually have the IP in question. In some (alot in my case), # I have things going through specific wires for a reason. This fixes # that and makes it behave as expected. # HACK_IPV4="NS-IN-DDOS" # IP NAT Rules # SNAT:::: # MASQ::: #NAT_RANGE= # IP Ranges to block all traffic incoming/outgoing # New functionality in 0.9.8 obsoletes BLOCKTCPPORTS and BLOCKUDPPORTS BLOCKEDIP=$BASEDIR/ipv4-blocked # Block outgoing traffic on these TCP/UDP ports # Obsoleted: Use BLOCKEDIP above in new format. Going away in 1.0 #BLOCKTCPPORTS="6881" #BLOCKUDPPORTS="6881" # Strip ECN off of packets - helps with blackholes # Either individual IPs or 0.0.0.0/0 STRIPECN="0.0.0.0/0" # Block private LAN traffic (RFC reserved space) going OUT on these interfaces # for security reasons. This has the potential to cause issues if your # provider uses private IP space for uplinks in PPPoE/PPPoA, so don't use it # and use BLOCK_INCOMING_RFC1981 instead. #BLOCK_OUTGOING_RFC1918="ppp0" # Block private LAN traffic (RFC reserved space) coming IN on these interfaces # for security reasons. This is a bit more safer to use if your provider uses # private IP space for the other end of PPP links. #BLOCK_INCOMING_RFC1918="ppp0" # RFC1918 Space override, don't change or uncomment this unless you absolutely need to #RFC1918_SPACE="192.168.0.0/16 172.16.0.0/12 10.0.0.0/8" # IPv6 related features. Commenting out IPV6 variable disables ALL # IPv6 related items IPV6=1 # IPv6 Forwarding #IPV6FORWARD=1 # Default block all incoming ipv6 connections? IPV6BLOCKINCOMING=1 # Special case for routers that have ipv6 clients behind them. # Useful if clients do not have proper ipv6 firewalls. #IPV6ROUTEDCLIENTBLOCK=1 # IPv6 Ranges to block all traffic incoming/outgoing #BLOCKEDIPV6=$BASEDIR/ipv6-blocked # Clamp MSS, useful on DSL/VPN links # Space separated list of interfaces to apply this on # it may be used eventually. #CLAMPMSSIPV6="he-ipv6" # Interface IPv6 comes in on (either tunnel or real network interface) #IPV6INT=he-ipv6 # LAN interface for IPv6 #IPV6LAN=eth1 # Trusted IPv6 ranges IPV6TRUSTED="::1" # Allowed incoming IPv6 ports (for now, use $TCPPORTS and $UDPPORTS to # have same for both ipv4 and ipv6) IPV6TCP=$TCPPORTS IPV6UDP=$UDPPORTS # IPv6 range to forward #IPV6FORWARDRANGE="" # Block outgoing IPv6 traffic on these TCP/UDP ports #BLOCKIPV6TCPPORTS=$BLOCKTCPPORTS #BLOCKIPV6UDPPORTS=$BLOCKUDPPORTS