# IPv4 Specific Configuration File # # Allow everything over loopback (lo ::1/28) # Good idea to keep this turned on, but if you so wish to, # you can disable it here. # Values: no | yes (default) AllowAllv6Loopback="yes" # Very early on rules to allow for trusted machines to access # this machine. Rather important and helps keep you from getting # locked out should the firewalling rules go bad. # # IMPORTANT: Hosts put in the trusted file will have complete # and unfettered access to the host, ignoring all other rules. # # Config file: ipv6/trusted.conf # Values: no | yes (default) EnableTrustedv6Hosts="yes" # Enable MSS clamping to work around MTU size issues # on network links such as PPPoE and wireless # Config file: ipv6/mss-clamp.conf # Values: no | yes (default) Enablev6MSSClamp="yes" # Enable connection tracking features of netfilter/iptables # conntracking allows the firewall to be smart about what # packets it allows and refuses. On highly loaded systems or # ones with low memory, this may be desirable. Everyone else # should probably leave this on. # Depended on by: Enablev6NAT Enablev6ConnTrackInterfaces # Values: no | yes (default) Enablev6ConnectionTracking="yes" # Interfaces to enable connection tracking by default # List of interfaces to enable ESTABLISHED, RELATED, and INVALID on # by default. Normally, this is helpful and a good idea. Some # people with specific requirements may want to disable and do manually # in the custom rules. # Values: none | all (default)| interface name Enablev6ConnTrackInterfaces="all" # Use /etc/resolv.conf as source for DNS servers that we communicate # with as a client. If you turn this off (recommended if on static IP), # then you will need to manually define the DNS servers you use. # Without conntrack rules allowing established/related, DNS traffic may # be blocked and cause issues. # Values: no | yes (default) DNSClientUsev6ResolvConf="yes" ResolvConfv6File="/etc/resolv.conf" # Uncomment below if you set above to no. You can still manually define your servers # here if you want. Useful at times. # Values: space separated IP list of DNS servers #DNSClientManualv6Servers="" # Enable the Services access list # This allows you to define services on the local # machine that you want to be accessible to the world. # Config file: ipv6/services.conf # Values: no | yes (default) Enablev6Services="yes" # Enable the EasyBlock access list # This is a simple/easy way to block traffic in or out, # no complex options. Use the Filter options for more # complex ACLs # Config file: ipv6/easyblock.conf # Values: no | yes (default) Enablev6EasyBlock="yes" # Enable IPv6 filtering rules # This allows you to define complex access control list / # filtering rules. # Config file: ipv6/acl.conf # Values: no | yes (default) Enablev6Filtering="yes" # Enable IPv6 forwarding rules # This allows you to define forwarding rules # Config file: ipv6/forward.conf # Values: No | yes (default) Enablev6Forwarding="yes" # Enable IPv6 NAT/NETMAP rules # This allows you to set up NAT rules, SNAT, MASQ, and NETMAP # Config file: ipv6/nat.conf # Requires: Enablev6ConnectionTracking="yes" # Values: no | yes (default) Enablev6NAT="yes" # Enable IPv6 Port Forwarding rules # This allows you to set up port forwarding rules to allow # external access to internal machines # Config file: ipv6/portfw.conf # Values: no | yes (default) Enablev6PortForwarding="yes" # Enable loading of helper modules # Load kernel modules for various helpers/ALGs that netfilter # has available. You may need to modify the Loadv4NetfilterModules # option as sometimes kernel modules may not exist or be renamed on # a particular system. # This is set to no by default on ipv6 because on my test system, I do not # see any usable helper modules for ipv6 use. Obviously this may change # in the future. # Values: no (default) | yes Enablev6NetfilterModules="no" # List of kernel netfilter modules to Load # Default: none Loadv6NetfilterModules="" # These are loaded as well if you have Enablev4NAT set to yes # Default: none Loadv6NetfilterModulesNAT="" # Default policy for filtering rules # netfilter/iptables has a default policy that can be set, such as # DROP all unless it is explicitly allowed via rules. # Values: ACCEPT (default) | DROP # Please note if you do not specify policies, they will default to # ACCEPT, which may not be what you want. Defaultv6InPolicy="ACCEPT" Defaultv6OutPolicy="ACCEPT" Defaultv6FwdPolicy="ACCEPT"