This is the content of the file. In my opinion this should be the setting, but nothing changes.
###############################################################################
# You should put this config-file in /etc/arno-iptables-firewall/ #
###############################################################################
# --------------------------- Configuration file ------------------------------
# -= Arno's iptables firewall =-
# Single- & multi-homed firewall script with DSL/ADSL support
#
# (C) Copyright 2001-2009 by Arno van Amersfoort
# Homepage : http://rocky.eld.leidenuniv.nl/
# Freshmeat : http://freshmeat.net/projects/iptables-firewall/?topic_id=151
# Email : arnova AT rocky DOT eld DOT leidenuniv DOT nl
# (note: you must remove all spaces and substitute the @ and the .
# at the proper locations!)
# -----------------------------------------------------------------------------
# This program is free software; you can redistribute it and/or
# modify it under the terms of the GNU General Public License
# version 2 as published by the Free Software Foundation.
# This program is distributed in the hope that it will be useful, but WITHOUT
# ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
# FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for
# more details.
# You should have received a copy of the GNU General Public License along with
# this program; if not, write to the Free Software Foundation Inc., 59 Temple
# Place - Suite 330, Boston, MA 02111-1307, USA.
# -----------------------------------------------------------------------------
###############################################################################
# External (internet) interface settings #
###############################################################################
# The external interface(s) that will be protected (and used as internet
# connection). This is probably ppp+ or dsl+ for non-transparent(!) (A)DSL
# modems otherwise it's probably "ethX" (eg. eth0). Multiple interfaces should
# be space separated.
# -----------------------------------------------------------------------------
# THIS SETTING IS HANDLED BY DEBCONF! DO NOT CHANGE ANYTHING HERE UNLESS YOU
# KNOW WHAT YOU ARE DOING.
# Use 'dpkg-reconfigure arno-iptables-firewall' instead.
EXT_IF="$DC_EXT_IF"
# Enable if THIS machine (dynamically) obtains its IP through DHCP (from your
# ISP).
# -----------------------------------------------------------------------------
# THIS SETTING IS HANDLED BY DEBCONF! DO NOT CHANGE ANYTHING HERE UNLESS YOU
# KNOW WHAT YOU ARE DOING.
# Use 'dpkg-reconfigure arno-iptables-firewall' instead.
EXT_IF_DHCP_IP=$DC_EXT_IF_DHCP_IP
# (EXPERT SETTING!) Here you can specify your external(!) subnet(s). You should
# only use this if you for example have a corporate network and/or running a
# DHCP server on your external(!) interface. Home users should normally NOT
# touch this setting. Multiple subnets should be space separated.
# Don't forget to specify a proper subnet mask (eg. /24, /16 or /8)!
# -----------------------------------------------------------------------------
#EXTERNAL_NET=""
# (EXPERT SETTING!) Here you can specify the IP address used for broadcasts
# on your external subnet. You only need to set this option if you want to use
# the BROADCAST_XXX_NOLOG variables AND you use a non-standard broadcast
# address (not *.255.255.255, *.*.255.255 or *.*.*.255)! So normally leaving
# this empty should work fine. Multiple addresses should be space separated.
# -----------------------------------------------------------------------------
#EXT_NET_BCAST_ADDRESS=""
# Enable this if THIS MACHINE is running a DHCP(BOOTP) server for a subnet on
# the external(!) interface. Note that you don't need this for internal
# subnets, as for these nets everything is accepted by default. Don't forget to
# configure the EXTERNAL_NET variable, to make this work.
# -----------------------------------------------------------------------------
EXTERNAL_DHCP_SERVER=0
###############################################################################
# Internal (LAN) interface settings #
###############################################################################
# Specify here your internal network (LAN) interface(s). Multiple(!) interfaces
# should be space separated. Remark this if you don't have any internal network
# interfaces. Note that by default ALL traffic is accepted from these
# interfaces.
# -----------------------------------------------------------------------------
# THIS SETTING IS HANDLED BY DEBCONF! DO NOT CHANGE ANYTHING HERE UNLESS YOU
# KNOW WHAT YOU ARE DOING.
# Use 'dpkg-reconfigure arno-iptables-firewall' instead.
INT_IF="$DC_INT_IF"
# Specify here the internal subnet which is connected to the internal interface
# (INT_IF). For multiple interfaces(!) you can either specify multiple subnets
# here or specify one big subnet for all internal interfaces. Note that this
# variable is mainly used for antispoofing.
# -----------------------------------------------------------------------------
# THIS SETTING IS HANDLED BY DEBCONF! DO NOT CHANGE ANYTHING HERE UNLESS YOU
# KNOW WHAT YOU ARE DOING.
# Use 'dpkg-reconfigure arno-iptables-firewall' instead.
INTERNAL_NET="$DC_INTERNAL_NET"
# (EXPERT SETTING!) Here you can specify the IP address used for broadcasts
# on your internal subnet. You only need to set this option if you want to use
# the MAC filter AND you use a non-standard broadcast address
# (not *.255.255.255, *.*.255.255 or *.*.*.255)! So normally leaving
# this empty should work fine. Multiple addresses (if you have multiple
# internal nets) should be space separated.
# -----------------------------------------------------------------------------
#INT_NET_BCAST_ADDRESS=""
###############################################################################
# DMZ (aka DeMilitarized Zone) settings #
###############################################################################
# Put in the following variable the network interfaces that are DMZ-classified.
# You can also use this to shield your wireless network from your LAN.
# -----------------------------------------------------------------------------
DMZ_IF=""
# Specify here the subnet which is connected to the DMZ interface (DMZ_IF).
# For multiple interfaces(!) you can either specify multiple subnets here or
# specify one big subnet for all DMZ interfaces.
# -----------------------------------------------------------------------------
DMZ_NET=""
###############################################################################
# NAT (Masquerade, SNAT, DNAT) settings #
###############################################################################
# Enable this if you want to perform NAT (masquerading) for your internal
# network (LAN) (eg. share your internet connection with your internal
# net(s) connected to eg. INT_IF).
# -----------------------------------------------------------------------------
# THIS SETTING IS HANDLED BY DEBCONF! DO NOT CHANGE ANYTHING HERE UNLESS YOU
# KNOW WHAT YOU ARE DOING.
# Use 'dpkg-reconfigure arno-iptables-firewall' instead.
NAT=$DC_NAT
# (EXPERT SETTING!) In case you would like to use SNAT instead of
# MASQUERADING then uncomment and set the IP or IPs here of your static
# external address(es). Note that when multiple IPs are specified, SNAT
# multiroute is enabled (load balancing over multiple external (internet)
# interfaces, check the README file for more info). Note that the order of IPs
# should match the order of interfaces (they belong to) in $EXT_IF!
# -----------------------------------------------------------------------------
#NAT_STATIC_IP="193.2.1.1"
# (EXPERT SETTING!) Use this variable only if you want specific subnets or
# hosts to be able to access the internet. When no value is specified, your
# whole internal net will have access. In both cases it's obviously only
# meaningful when NAT is enabled. Note that you can also use this variable if
# you want to use NAT for your DMZ.
# -----------------------------------------------------------------------------
# THIS SETTING IS HANDLED BY DEBCONF! DO NOT CHANGE ANYTHING HERE UNLESS YOU
# KNOW WHAT YOU ARE DOING.
# Use 'dpkg-reconfigure arno-iptables-firewall' instead.
NAT_INTERNAL_NET="$DC_NAT_INTERNAL_NET"
# (EXPERT SETTING!) Enable this if you want to be able to redirect local ports
# or protocols on your gateway using NAT forwards.
# -----------------------------------------------------------------------------
NAT_LOCAL_REDIRECT=0
# NAT TCP/UDP/IP forwards. Forward ports or protocols from the gateway to
# an internal client through (D)NAT. Note that you can also use these
# variables to forward ports to DMZ hosts.
#
# TCP/UDP form:
# "{SRCIP1,SRCIP2,...~}PORT1,PORT2-PORT3,...>DESTIP1{~port} \
# {SRCIP3,...~}PORT3,...>DESTIP2{~port}"
#
# IP form:
# "{SRCIP1,SRCIP2,...~}PROTO1,PROTO2,...>DESTIP1 \
# {SRCIP3~}PROTO3,PROTO4,...>DESTIP2"
#
# TCP/UDP port forward examples:
# Simple (forward port 80 to internal host 192.168.0.10):
# NAT_FORWARD_xxx="80>192.168.0.10"
# Advanced (forward ports 20 & 21 to 192.168.0.10 and
# forward from 1.2.3.4 port 81 to 192.168.0.11 port 80):
# NAT_FORWARD_xxx="20,21>192.168.0.10 1.2.3.4~81>192.168.0.11~80"
#
# IP protocol forward example:
# (forward protocols 47 & 48 to 192.168.0.10)
# NAT_FORWARD_IP="47,48>192.168.0.10"
#
# NOTE 1: {~port} is optional. Use it to redirect a specific port to a
# different port on the internal client.
# NOTE 2: {SRCIPx} is optional. Use it to restrict access for specific source
# (inet) IP addresses.
# -----------------------------------------------------------------------------
NAT_FORWARD_TCP=""
NAT_FORWARD_UDP=""
NAT_FORWARD_IP=""
###############################################################################
# General settings #
###############################################################################
# (EXPERT SETTING!) Location of the iptables-binary (use 'locate iptables' or
# 'whereis iptables' to manually locate it), required for (default) IPv4 support
# -----------------------------------------------------------------------------
IP4TABLES="/sbin/iptables"
# (EXPERT SETTING!) Location of the ip6tables-binary (use 'locate ip6tables' or
# 'whereis ip6tables' to manually locate it), required for IPv6 support
# -----------------------------------------------------------------------------
IP6TABLES="/sbin/ip6tables"
# (EXPERT SETTING!) Location of the environment file
# -----------------------------------------------------------------------------
ENV_FILE="/usr/share/arno-iptables-firewall/environment"
# (EXPERT SETTING!) Location of plugin binary & config files
# -----------------------------------------------------------------------------
PLUGIN_BIN_PATH="/usr/share/arno-iptables-firewall/plugins"
PLUGIN_CONF_PATH="/etc/arno-iptables-firewall/plugins"
# Most people don't want to get any firewall logs being spit to the console.
# This option makes the kernel ring buffer only log messages with level
# "panic".
# -----------------------------------------------------------------------------
DMESG_PANIC_ONLY=1
# Enable this if you want TOS mangling (RFC) (recommended).
# -----------------------------------------------------------------------------
MANGLE_TOS=1
# Enable this if you want to set the maximum packet size via the
# Maximum Segment Size(through MSS field) (recommended).
# -----------------------------------------------------------------------------
SET_MSS=1
# Enable this if you want to increase the TTL value by one in the prerouting
# chain. This hides the firewall when performing eg. traceroutes to internal
# hosts.
# -----------------------------------------------------------------------------
TTL_INC=0
# (EXPERT SETTING!) Enable this if you want to set the TTL value for packets in
# the OUTPUT & FORWARD chain. Note that this only works with newer 2.6 kernels
# (2.6.14 or better) or patched 2.4 kernels, which have netfilter TTL target
# support. Don't mess with this unless you really know what you are doing!
# -----------------------------------------------------------------------------
#PACKET_TTL="64"
# Enable this to resolve names of INTERNET(INET) IPs
# -----------------------------------------------------------------------------
RESOLV_IPS=0
# (EXPERT SETTING!) Enable this if you want our internal DNS functions to fail
# "fast". This means a query will be tried only once and times out after 1
# second, the default is 3 tries & a 5 second timeout.
# -----------------------------------------------------------------------------
DNS_FAST_FAIL=0
# Enable this to support the IRC-protocol.
# -----------------------------------------------------------------------------
USE_IRC=0
# (EXPERT SETTING!) Loosen the forward chain for the external interface(s).
# Enable it to allow the use of protocols like UPnP. Note that it *could* be
# less secure.
# -----------------------------------------------------------------------------
LOOSE_FORWARD=0
# (EXPERT SETTING!) Enable this if you want to drop packets originating from a
# private address.
# -----------------------------------------------------------------------------
DROP_PRIVATE_ADDRESSES=0
# (EXPERT SETTING!) Protect this machine from being abused for a DRDOS-attack
# ("Distributed Reflection Denial Of Service"-attack). (STILL EXPERIMENTAL!)
# -----------------------------------------------------------------------------
DRDOS_PROTECT=0
# (EXPERT SETTING!) Enable this if you want to enable IPv6 traffic support
# (and disable IPv4 support).
# -----------------------------------------------------------------------------
IPV6_SUPPORT=0
# This option fixes problems with SMB broadcasts when using nmblookup
# -----------------------------------------------------------------------------
NMB_BROADCAST_FIX=0
# Set this to 0 to suppress "assuming module is compiled in kernel" messages
# -----------------------------------------------------------------------------
COMPILED_IN_KERNEL_MESSAGES=1
# (EXPERT SETTING!) You can choose the default policy for the INPUT & FORWARD
# chain here (1=DROP, 0=ACCEPT). The default policy is DROP. This means that
# when there are no rule(s) available (yet), the packet will be DROPPED. In
# practice this rule only does something while the firewall is starting. Once
# it's started and all rules are in place, the default policy doesn't do
# anything anymore. People that use eg. NFS and let their clients boot from NFS
# (diskless client systems) probably want to disable this option to fix
# "NFS server not responding" etc. errors on their clients.
# -----------------------------------------------------------------------------
DEFAULT_POLICY_DROP=1
# (EXPERT SETTING!) (Other) trusted network interfaces for which ALL IP
# traffic should be ACCEPTED. (multiple(!) interfaces should be space
# separated). Be warned that anything TO and FROM these interfaces is allowed
# (ACCEPTED) so make sure it's NOT routable(accessible) from the outside world
# (internet)! And of course putting one of your external interfaces here would
# be extremely stupid.
# -----------------------------------------------------------------------------
TRUSTED_IF=""
# (EXPERT SETTING!) Put here the interfaces that should trust
# each other (accept forward traffic). You can use | (pipe sign) to create
# separate interface groups. And (again) of course putting one of your external
# interfaces here would be extremely stupid.
# -----------------------------------------------------------------------------
IF_TRUSTS=""
# Location of the custom iptables rules file (if any).
# -----------------------------------------------------------------------------
CUSTOM_RULES="/etc/arno-iptables-firewall/custom-rules"
# Location of the local (user/global) configuration file, if used
# -----------------------------------------------------------------------------
LOCAL_CONFIG_FILE=""
# (EXPERT SETTING!) Set this (to 1) to disable the use of iptables-save and
# iptables-restore to add rules in batch rather than one-by-one. Much slower
# when disabled. BLOCK_HOSTS and BLOCK_HOSTS_FILE utilizes this feature.
# -----------------------------------------------------------------------------
DISABLE_IPTABLES_BATCH=0
# (EXPERT SETTING!) Set this (to 1) to enable tracing
# -----------------------------------------------------------------------------
TRACE=0
###############################################################################
# Logging options - All logging is rate limited to prevent log flooding #
###############################################################################
# Enable logging for explicitly blocked hosts.
# -----------------------------------------------------------------------------
BLOCKED_HOST_LOG=1
# Enable logging for various stealth scans (reliable).
# -----------------------------------------------------------------------------
SCAN_LOG=1
# Enable logging for possible stealth scans (less reliable).
# -----------------------------------------------------------------------------
POSSIBLE_SCAN_LOG=1
# Enable logging for TCP-packets with bad flags.
# -----------------------------------------------------------------------------
BAD_FLAGS_LOG=1
# Enable logging of invalid TCP packets. Keep disabled (0) by default to reduce
# INVALID packets being logged because of lost (legitimate) connections. When
# debugging any problems, you should enable it (temporarily)!
# -----------------------------------------------------------------------------
INVALID_TCP_LOG=0
# Enable logging of invalid UDP packets. Keep disabled (0) by default to reduce
# INVALID packets being logged because of lost (legitimate) connections. When
# debugging any problems, you should enable it (temporarily)!
# -----------------------------------------------------------------------------
INVALID_UDP_LOG=0
# Enable logging of invalid ICMP packets. Keep disabled (0) by default to reduce
# INVALID packets being logged because of lost (legitimate) connections. When
# debugging any problems, you should enable it (temporarily)!
# -----------------------------------------------------------------------------
INVALID_ICMP_LOG=0
# Enable logging of source IPs with reserved addresses.
# -----------------------------------------------------------------------------
RESERVED_NET_LOG=1
# Enable logging of fragmented packets.
# -----------------------------------------------------------------------------
FRAG_LOG=1
# Enable logging of denied local (OUTPUT) connections.
# -----------------------------------------------------------------------------
INET_OUTPUT_DENY_LOG=1
# Enable logging of denied LAN output (FORWARD) connections.
# -----------------------------------------------------------------------------
LAN_OUTPUT_DENY_LOG=1
# Enable logging of denied LAN INPUT connections.
# -----------------------------------------------------------------------------
LAN_INPUT_DENY_LOG=1
# Enable logging of denied DMZ output (FORWARD) connections.
# -----------------------------------------------------------------------------
DMZ_OUTPUT_DENY_LOG=1
# Enable logging of denied DMZ input (FORWARD) connections.
# -----------------------------------------------------------------------------
DMZ_INPUT_DENY_LOG=1
# Enable logging of dropped ICMP-request packets (ping).
# -----------------------------------------------------------------------------
ICMP_REQUEST_LOG=1
# Enable logging of dropped "other" ICMP packets.
# -----------------------------------------------------------------------------
ICMP_OTHER_LOG=1
# Enable logging of normal connection attempts to privileged TCP ports.
# -----------------------------------------------------------------------------
PRIV_TCP_LOG=1
# Enable logging of normal connection attempts to privileged UDP ports.
# -----------------------------------------------------------------------------
PRIV_UDP_LOG=1
# Enable logging of normal connection attempts to unprivileged TCP ports.
# -----------------------------------------------------------------------------
UNPRIV_TCP_LOG=1
# Enable logging of normal connection attempts to unprivileged UDP ports.
# -----------------------------------------------------------------------------
UNPRIV_UDP_LOG=1
# Enable logging of normal connection attempts to "other-IP"-protocols (non
# TCP/UDP/ICMP).
# -----------------------------------------------------------------------------
OTHER_IP_LOG=1
# Enable logging for ICMP flooding.
# -----------------------------------------------------------------------------
ICMP_FLOOD_LOG=1
# (EXPERT SETTING!) The location of the dedicated firewall log file. When
# enabled the firewall script will also log start/stop etc. info to this file
# as well. Note that in order to make this work, you should also configure
# syslogd to log firewall messages to this file (see LOGLEVEL below for further
# info).
# -----------------------------------------------------------------------------
FIREWALL_LOG="/var/log/arno-iptables-firewall"
# (EXPERT SETTING!) Current log-level ("info": default kernel syslog level)
# "debug": can be used to log to /var/log/firewall.log, but you have to configure
# syslogd accordingly (see included syslogd.conf examples).
# -----------------------------------------------------------------------------
LOGLEVEL="info"
# Put in the following variables which hosts you want to log certain incoming
# connection attempts for.
# TCP/UDP port format (LOG_HOST_INPUT_xxx):
# "host1,host2~port1,port2 host3,host4~port3,port4 ..."
#
# IP protocol format (LOG_HOST_INPUT_IP):
# "host1,host2~proto1,proto2 host3,host4~proto3,proto4 ..."
# -----------------------------------------------------------------------------
LOG_HOST_INPUT_TCP=""
LOG_HOST_INPUT_UDP=""
LOG_HOST_INPUT_IP=""
# Put in the following variables which hosts you want to log certain outgoing
# connection attempts for.
# TCP/UDP port format (LOG_HOST_OUTPUT_xxx):
# "host1,host2~port1,port2 host3,host4~port3,port4 ..."
#
# IP protocol format (LOG_HOST_OUTPUT_IP):
# "host1,host2~proto1,proto2 host3,host4~proto3,proto4 ..."
# -----------------------------------------------------------------------------
LOG_HOST_OUTPUT_TCP=""
LOG_HOST_OUTPUT_UDP=""
LOG_HOST_OUTPUT_IP=""
# Put in the following variables which services you want to log incoming
# connection attempts for.
# -----------------------------------------------------------------------------
LOG_INPUT_TCP=""
LOG_INPUT_UDP=""
LOG_INPUT_IP=""
# Put in the following variables which services you want to log outgoing
# connection attempts for.
# -----------------------------------------------------------------------------
LOG_OUTPUT_TCP=""
LOG_OUTPUT_UDP=""
LOG_OUTPUT_IP=""
# Put in the following variable which hosts you want to log incoming connection
# (attempts) for.
# -----------------------------------------------------------------------------
LOG_HOST_INPUT=""
# Put in the following variable which hosts you want to log outgoing connection
# (attempts) to.
# -----------------------------------------------------------------------------
LOG_HOST_OUTPUT=""
###############################################################################
# sysctl based settings (EXPERT SETTINGS!) #
###############################################################################
# Enable for synflood protection (through /proc/.../tcp_syncookies).
# -----------------------------------------------------------------------------
SYN_PROT=1
# Enable this to reduce the ability of others DOS'ing your machine.
# -----------------------------------------------------------------------------
REDUCE_DOS_ABILITY=1
# Enable to ignore all ICMP echo-requests (IPv4) on ALL interfaces.
# -----------------------------------------------------------------------------
ECHO_IGNORE=0
# Enable to log packets with impossible addresses to the kernel log.
# -----------------------------------------------------------------------------
LOG_MARTIANS=0
# Disable this only if you are NOT using forwarding (forwarding is required for
# NAT etc.); with forwarding off the kernel never routes packets between
# interfaces, which is the more secure setting for a non-router.
# -----------------------------------------------------------------------------
IP_FORWARDING=1
# Enable if you want to accept ICMP redirect messages. Should be set to "0" in
# case of a router.
# -----------------------------------------------------------------------------
ICMP_REDIRECT=0
# Enable/modify this if you want to be able to handle a larger (or smaller)
# number of simultaneous connections. For high traffic machines I recommend to
# use a value of at least 16384 (note that a higher value (obviously) also uses
# more memory).
# -----------------------------------------------------------------------------
CONNTRACK=16384
# Enable ECN (Explicit Congestion Notification) TCP flag. Disabled by default,
# as some routers are still not compatible with this.
# -----------------------------------------------------------------------------
ECN=0
# Enable reverse path filtering (rp_filter): drop packets whose source address
# is not routable back through the interface they arrived on (anti-spoofing).
# By default the firewall itself also provides rules against source routing.
# Note that when you use eg. VPN (Freeswan) or asymmetric routing, you should
# probably disable this setting.
# -----------------------------------------------------------------------------
RP_FILTER=1
# Protect against source routed packets. Attackers can use source routing to
# generate traffic pretending to be from inside your network, but which is
# routed back along the path from which it came, namely outside, so attackers
# can compromise your network. Source routing is rarely used for legitimate
# purposes, so normally you should always leave this enabled(1)!
# -----------------------------------------------------------------------------
SOURCE_ROUTE_PROTECTION=1
# Here we set the local port range (ports from which connections are
# initiated from our site). Don't mess with this unless you really know what
# you are doing!
# -----------------------------------------------------------------------------
LOCAL_PORT_RANGE="32768 61000"
# Here you can change the default TTL used for sending packets. The value
# should be between 10 and 255. Don't mess with this unless you really know
# what you are doing!
# -----------------------------------------------------------------------------
DEFAULT_TTL=64
# In most cases pmtu discovery is ok, but in some rare cases (when having
# problems) you might want to disable it.
# -----------------------------------------------------------------------------
NO_PMTU_DISCOVERY=0
###############################################################################
# Firewall policies for the LAN (EXPERT SETTINGS!) #
###############################################################################
###############################################################################
# LAN_xxx = LAN->localhost(this machine) input access rules #
# #
# Note that when both LAN_OPEN_xxx & LAN_HOST_OPEN_xxx are NOT used, the #
# default policy for this chain is accept (unless denied through #
# LAN_DENY_xxx and/or LAN_HOST_DENY_xxx)! #
###############################################################################
# Enable this to allow for ICMP-requests(ping) from your LAN
# -----------------------------------------------------------------------------
LAN_OPEN_ICMP=1
# Put in the following variables the TCP/UDP ports or IP protocols TO
# (remote end-point) which the LAN hosts are permitted to connect to.
# -----------------------------------------------------------------------------
LAN_OPEN_TCP=""
LAN_OPEN_UDP=""
LAN_OPEN_IP=""
# Put in the following variables the TCP/UDP ports or IP protocols TO (remote
# end-point) which LAN hosts are NOT permitted to connect to.
# -----------------------------------------------------------------------------
LAN_DENY_TCP=""
LAN_DENY_UDP=""
LAN_DENY_IP=""
# Put in the following variables the TCP/UDP ports or IP
# protocols TO (remote end-point) which certain LAN hosts are
# permitted to connect to.
#
# TCP/UDP port format (LAN_HOST_OPEN_TCP & LAN_HOST_OPEN_UDP):
# "host1,host2~port1,port2 host3,host4~port3,port4 ..."
#
# IP protocol format (LAN_HOST_OPEN_IP):
# "host1,host2~proto1,proto2 host3,host4~proto3,proto4 ..."
# -----------------------------------------------------------------------------
LAN_HOST_OPEN_TCP=""
LAN_HOST_OPEN_UDP=""
LAN_HOST_OPEN_IP=""
# Put in the following variables the TCP/UDP ports or IP protocols TO (remote
# end-point) which certain LAN hosts are NOT permitted to connect to.
#
# TCP/UDP port format (LAN_HOST_DENY_TCP & LAN_HOST_DENY_UDP):
# "host1,host2~port1,port2 host3,host4~port3,port4 ..."
#
# IP protocol format (LAN_HOST_DENY_IP):
# "host1,host2~proto1,proto2 host3,host4~proto3,proto4 ..."
# -----------------------------------------------------------------------------
LAN_HOST_DENY_TCP=""
LAN_HOST_DENY_UDP=""
LAN_HOST_DENY_IP=""
###############################################################################
# LAN_INET_xxx = LAN->internet access rules (forward) #
# #
# Note that when both LAN_INET_OPEN_xxx & LAN_INET_HOST_OPEN_xxx are NOT #
# used, the default policy for this chain is accept (unless denied #
# through LAN_INET_DENY_xxx and/or LAN_INET_HOST_DENY_xxx)! #
###############################################################################
# Enable this to allow for ICMP-requests(ping) for LAN->INET
# -----------------------------------------------------------------------------
LAN_INET_OPEN_ICMP=1
# Put in the following variables the TCP/UDP ports or IP
# protocols TO (remote end-point) which the LAN hosts are
# permitted to connect to via the external (internet) interface.
# -----------------------------------------------------------------------------
LAN_INET_OPEN_TCP=""
LAN_INET_OPEN_UDP=""
LAN_INET_OPEN_IP=""
# Put in the following variables the TCP/UDP ports or IP protocols TO (remote
# end-point) which the LAN hosts are NOT permitted to connect to
# via the external (internet) interface. Examples of usage are for blocking
# IRC (TCP 6666:6669) for the internal network.
# -----------------------------------------------------------------------------
LAN_INET_DENY_TCP=""
LAN_INET_DENY_UDP=""
LAN_INET_DENY_IP=""
# Put in the following variables which LAN hosts you want to allow to certain
# hosts/services on the internet. By default all services are allowed.
#
# TCP/UDP form:
# "SRCIP1,SRCIP2,...>DESTIP1~port \
# SRCIP3,...>DESTIP2~port"
#
# IP form:
# "SRCIP1,SRCIP2,...>DESTIP1~protocol \
# SRCIP3,...>DESTIP2~protocol"
#
# TCP/UDP examples:
# Simple:
# (Allow port 80 on INET host 1.2.3.4 for all LAN hosts(0/0)):
# LAN_INET_HOST_OPEN_xxx="0/0>1.2.3.4~80"
# Advanced:
# (Allow port 20 & 21 on INET host 1.2.3.4 for all LAN hosts(0/0) and
# allow port 80 on INET host 1.2.3.4 for LAN host 192.168.0.10 (only)):
# LAN_INET_HOST_OPEN_xxx="0/0>1.2.3.4~20,21 192.168.0.10>1.2.3.4~80"
#
# IP protocol example:
# (Allow protocols 47 & 48 on INET host 1.2.3.4 for all LAN hosts(0/0))
# LAN_INET_HOST_OPEN_IP="0/0>1.2.3.4~47,48"
#
# NOTE 1: If no SRCIPx is specified, any source host is used
# NOTE 2: If no DESTIPx is specified, any destination host is used
# NOTE 3: If no port is specified, any port is used
# -----------------------------------------------------------------------------
LAN_INET_HOST_OPEN_TCP=""
LAN_INET_HOST_OPEN_UDP=""
LAN_INET_HOST_OPEN_IP=""
# Put in the following variables which LAN hosts you want to deny access to
# certain hosts/services on the internet.
#
# TCP/UDP form:
# "SRCIP1,SRCIP2,...>DESTIP1~port \
# SRCIP3,...>DESTIP2~port"
#
# IP form:
# "SRCIP1,SRCIP2,...>DESTIP1~protocol \
# SRCIP3,...>DESTIP2~protocol"
#
# TCP/UDP examples:
# Simple (Deny port 80 on INET host 1.2.3.4 for all LAN hosts(0/0)):
# LAN_INET_HOST_DENY_xxx="0/0>1.2.3.4~80"
# Advanced (Deny port 20 & 21 on INET host 1.2.3.4 for all LAN hosts(0/0) and
# deny port 80 on INET host 1.2.3.4 for LAN host 192.168.0.10 (only)):
# LAN_INET_HOST_DENY_xxx="0/0>1.2.3.4~20,21 192.168.0.10>1.2.3.4~80"
#
# IP protocol example:
# (Deny protocols 47 & 48 on INET host 1.2.3.4 for all LAN hosts(0/0)):
# LAN_INET_HOST_DENY_IP="0/0>1.2.3.4~47,48"
#
# NOTE 1: If no DESTIPx is specified, any destination host is used
# NOTE 2: If no port is specified, any port is used
# -----------------------------------------------------------------------------
LAN_INET_HOST_DENY_TCP=""
LAN_INET_HOST_DENY_UDP=""
LAN_INET_HOST_DENY_IP=""
###############################################################################
# Firewall policies for the DMZ (EXPERT SETTINGS!) #
###############################################################################
###############################################################################
# DMZ_xxx = DMZ->localhost(this machine) input access rules #
###############################################################################
# Enable this to allow ICMP-requests(ping) from the DMZ
# -----------------------------------------------------------------------------
DMZ_OPEN_ICMP=1
# Put in the following variables which DMZ hosts are permitted to connect to
# certain TCP/UDP ports, IP protocols or ICMP. By default all (local)
# services are blocked for DMZ hosts.
# -----------------------------------------------------------------------------
DMZ_OPEN_TCP=""
DMZ_OPEN_UDP=""
DMZ_OPEN_IP=""
# Put in the following variables which DMZ hosts you want to allow for certain
# services. By default all (local) services are blocked for DMZ hosts.
# TCP/UDP port format (DMZ_HOST_OPEN_TCP & DMZ_HOST_OPEN_UDP):
# "host1,host2~port1,port2 host3,host4~port3,port4 ..."
#
# IP protocol format (DMZ_HOST_OPEN_IP):
# "host1,host2~proto1,proto2 host3,host4~proto3,proto4 ..."
# -----------------------------------------------------------------------------
DMZ_HOST_OPEN_TCP=""
DMZ_HOST_OPEN_UDP=""
DMZ_HOST_OPEN_IP=""
###############################################################################
# INET_DMZ_xxx = Internet->DMZ access rules (forward) #
# #
# Note that when both INET_DMZ_OPEN_xxx & INET_DMZ_HOST_OPEN_xxx are NOT #
# used, the default policy for this chain is accept (unless denied #
# through INET_DMZ_DENY_xxx and/or INET_DMZ_HOST_DENY_xxx)! #
###############################################################################
# Enable this to make the default policy allow for ICMP(ping) for INET->DMZ
# -----------------------------------------------------------------------------
INET_DMZ_OPEN_ICMP=0
# Put in the following variables which INET hosts are permitted to connect to
# certain TCP/UDP ports or IP protocols in the DMZ.
# -----------------------------------------------------------------------------
INET_DMZ_OPEN_TCP=""
INET_DMZ_OPEN_UDP=""
INET_DMZ_OPEN_IP=""
# Put in the following variables which INET hosts are NOT permitted to connect
# to certain TCP/UDP ports or IP protocols in the DMZ.
# -----------------------------------------------------------------------------
INET_DMZ_DENY_TCP=""
INET_DMZ_DENY_UDP=""
INET_DMZ_DENY_IP=""
# Put in the following variables which INET hosts you want to allow to certain
# hosts/services on the DMZ net. By default all services are allowed.
#
# TCP/UDP form:
# "SRCIP1,SRCIP2,...>DESTIP1~port \
# SRCIP3,...>DESTIP2~port"
#
# IP form:
# "SRCIP1,SRCIP2,...>DESTIP1~protocol \
# SRCIP3,...>DESTIP2~protocol"
#
# TCP/UDP examples:
# Simple (Allow port 80 on DMZ host 1.2.3.4 for all INET hosts(0/0)):
# INET_DMZ_HOST_OPEN_xxx="0/0>1.2.3.4~80"
# Advanced (Allow port 20 & 21 on DMZ host 1.2.3.4 for all INET hosts(0/0) and
# allow port 80 on DMZ host 1.2.3.4 for INET host 5.6.7.8 (only)):
# INET_DMZ_HOST_OPEN_xxx="0/0>1.2.3.4~20,21 5.6.7.8>1.2.3.4~80"
#
# IP protocol example:
# (Allow protocols 47 & 48 on DMZ host 1.2.3.4 for all INET hosts(0/0)):
# INET_DMZ_HOST_OPEN_IP="0/0>1.2.3.4~47,48"
#
# NOTE 1: If no SRCIPx is specified, any source host is used
# NOTE 2: If no DESTIPx is specified, any destination host is used
# NOTE 3: If no port is specified, any port is used
# -----------------------------------------------------------------------------
INET_DMZ_HOST_OPEN_TCP=""
INET_DMZ_HOST_OPEN_UDP=""
INET_DMZ_HOST_OPEN_IP=""
# Put in the following variables which INET hosts you want to deny to certain
# hosts/services on the DMZ net.
#
# TCP/UDP form:
# "SRCIP1,SRCIP2,...>DESTIP1~port \
# SRCIP3,...>DESTIP2~port"
#
# IP form:
# "SRCIP1,SRCIP2,...>DESTIP1~protocol \
# SRCIP3,...>DESTIP2~protocol"
#
# TCP/UDP examples:
# Simple (Deny port 80 on DMZ host 1.2.3.4 for all INET hosts(0/0)):
# INET_DMZ_HOST_DENY_xxx="0/0>1.2.3.4~80"
# Advanced (Deny port 20 & 21 on DMZ host 1.2.3.4 for all INET hosts(0/0) and
# deny port 80 on DMZ host 1.2.3.4 for INET host 5.6.7.8 (only)):
# INET_DMZ_HOST_DENY_xxx="0/0>1.2.3.4~20,21 5.6.7.8>1.2.3.4~80"
#
# IP protocol example:
# (Deny protocols 47 & 48 on DMZ host 1.2.3.4 for all INET hosts):
# INET_DMZ_HOST_DENY_IP="0/0>1.2.3.4~47,48"
#
# NOTE 1: If no SRCIPx is specified, any source host is used
# NOTE 2: If no DESTIPx is specified, any destination host is used
# NOTE 3: If no port is specified, any port is used
# -----------------------------------------------------------------------------
INET_DMZ_HOST_DENY_TCP=""
INET_DMZ_HOST_DENY_UDP=""
INET_DMZ_HOST_DENY_IP=""
###############################################################################
# DMZ_INET_xxx = DMZ->internet access rules (forward) #
# #
# Note that when both DMZ_INET_OPEN_xxx & DMZ_INET_HOST_OPEN_xxx are NOT #
# used, the default policy for this chain is accept (unless denied #
# through DMZ_INET_DENY_xxx and/or DMZ_INET_HOST_DENY_xxx)! #
###############################################################################
# Enable this to make the default policy allow for ICMP(ping) for DMZ->INET
# -----------------------------------------------------------------------------
DMZ_INET_OPEN_ICMP=1
# Put in the following variables the TCP/UDP ports or IP
# protocols TO (remote end-point) which the DMZ hosts are
# permitted to connect to via the external (internet) interface.
# -----------------------------------------------------------------------------
DMZ_INET_OPEN_TCP=""
DMZ_INET_OPEN_UDP=""
DMZ_INET_OPEN_IP=""
# Put in the following variables the TCP/UDP ports or IP protocols TO (remote
# end-point) which the DMZ hosts are NOT permitted to connect to
# via the external (internet) interface. Examples of usage are for blocking
# IRC (TCP 6666:6669) for the internal network.
# -----------------------------------------------------------------------------
DMZ_INET_DENY_TCP=""
DMZ_INET_DENY_UDP=""
DMZ_INET_DENY_IP=""
# Put in the following variables which DMZ hosts you want to allow to certain
# hosts/services on the internet. By default all services are allowed.
#
# TCP/UDP form:
# "SRCIP1,SRCIP2,...>DESTIP1~port \
# SRCIP3,...>DESTIP2~port"
#
# IP form:
# "SRCIP1,SRCIP2,...>DESTIP1~protocol \
# SRCIP3,...>DESTIP2~protocol"
#
# TCP/UDP examples:
# Simple (Allow port 80 on INET host 1.2.3.4 for all DMZ hosts(0/0)):
# DMZ_INET_HOST_OPEN_xxx="0/0>1.2.3.4~80"
# Advanced (Allow port 20 & 21 on INET host 1.2.3.4 for all DMZ hosts(0/0) and
# allow port 80 on INET host 1.2.3.4 for DMZ host 5.6.7.8 (only)):
# DMZ_INET_HOST_OPEN_xxx="0/0>1.2.3.4~20,21 5.6.7.8>1.2.3.4~80"
#
# IP protocol example:
# (Allow protocols 47 & 48 on INET host 1.2.3.4 for all DMZ hosts):
# DMZ_INET_HOST_OPEN_IP="0/0>1.2.3.4~47,48"
#
# NOTE 1: If no SRCIPx is specified, any source host is used
# NOTE 2: If no DESTIPx is specified, any destination host is used
# NOTE 3: If no port is specified, any port is used
# -----------------------------------------------------------------------------
DMZ_INET_HOST_OPEN_TCP=""
DMZ_INET_HOST_OPEN_UDP=""
DMZ_INET_HOST_OPEN_IP=""
# Put in the following variables which DMZ hosts you want to deny to certain
# hosts/services on the internet.
#
# TCP/UDP form:
# "SRCIP1,SRCIP2,...>DESTIP1~port \
# SRCIP3,...>DESTIP2~port"
#
# IP form:
# "SRCIP1,SRCIP2,...>DESTIP1~protocol \
# SRCIP3,...>DESTIP2~protocol"
#
# TCP/UDP examples:
# Simple (Deny port 80 on INET host 1.2.3.4 for all DMZ hosts(0/0)):
# DMZ_INET_HOST_DENY_xxx="0/0>1.2.3.4~80"
# Advanced (Deny port 20 & 21 on INET host 1.2.3.4 for all DMZ hosts(0/0) and
# deny port 80 on INET host 1.2.3.4 for DMZ host 5.6.7.8 (only)):
# DMZ_INET_HOST_DENY_xxx="0/0>1.2.3.4~20,21 5.6.7.8>1.2.3.4~80"
#
# IP protocol example:
# (Deny protocols 47 & 48 on INET host 1.2.3.4 for all DMZ hosts(0/0)):
# DMZ_INET_HOST_DENY_IP="0/0>1.2.3.4~47,48"
#
# NOTE 1: If no SRCIPx is specified, any source host is used
# NOTE 2: If no DESTIPx is specified, any destination host is used
# NOTE 3: If no port is specified, any port is used
# -----------------------------------------------------------------------------
DMZ_INET_HOST_DENY_TCP=""
DMZ_INET_HOST_DENY_UDP=""
DMZ_INET_HOST_DENY_IP=""
###############################################################################
# DMZ_LAN_xxx = DMZ->LAN access rules (forward) #
###############################################################################
# Enable this to make the default policy allow for ICMP(ping) for DMZ->LAN
# -----------------------------------------------------------------------------
DMZ_LAN_OPEN_ICMP=0
# Put in the following variables which DMZ hosts you want to allow to certain
# hosts/services on the LAN (net).
#
# TCP/UDP form:
# "SRCIP1,SRCIP2,...>DESTIP1~port \
# SRCIP3,...>DESTIP2~port"
#
# IP form:
# "SRCIP1,SRCIP2,...>DESTIP1~protocol \
# SRCIP3,...>DESTIP2~protocol"
#
# TCP/UDP examples:
# Simple (Allow port 80 on LAN host 1.2.3.4 for all DMZ hosts(0/0)):
# DMZ_LAN_HOST_OPEN_xxx="0/0>1.2.3.4~80"
# Advanced (Allow port 20 & 21 on LAN host 1.2.3.4 for all DMZ hosts (0/0) and
# allow port 80 for DMZ host 5.6.7.8 (only) on LAN host
# 1.2.3.4):
# DMZ_LAN_HOST_OPEN_xxx="0/0>1.2.3.4~20,21 5.6.7.8>1.2.3.4~80"
#
# IP protocol example:
# (Allow protocols 47 & 48 on LAN host 1.2.3.4 for all DMZ hosts(0/0)):
# DMZ_LAN_HOST_OPEN_IP="0/0>1.2.3.4~47,48"
#
# NOTE 1: If no SRCIPx is specified, any source host is used
# NOTE 2: If no DESTIPx is specified, any destination host is used
# NOTE 3: If no port is specified, any port is used
# -----------------------------------------------------------------------------
DMZ_LAN_HOST_OPEN_TCP=""
DMZ_LAN_HOST_OPEN_UDP=""
DMZ_LAN_HOST_OPEN_IP=""
###############################################################################
# Firewall policies for the external (inet) interface (default policy = drop) #
###############################################################################
# Put in the following variable which hosts (subnets) you want to have full
# access via your internet (EXT_IF) connection(!). This is especially meant for
# networks/servers which use NIS/NFS, as these protocols require all ports
# to be open.
# NOTE: Don't mistake this variable with the one used for internal nets.
# -----------------------------------------------------------------------------
FULL_ACCESS_HOSTS=""
# Put in the following variable which TCP/UDP ports you don't want to
# see broadcasts from (eg. DHCP (67/68)) on your EXTERNAL interface. Note that
# to make this work properly you also need to set "EXTERNAL_NET"!
# -----------------------------------------------------------------------------
BROADCAST_TCP_NOLOG=""
#BROADCAST_UDP_NOLOG="67 68"
# Put in the following variables which hosts you want to allow for certain
# services.
# TCP/UDP port format (HOST_OPEN_TCP & HOST_OPEN_UDP):
# "host1,host2~port1,port2 host3,host4~port3,port4 ..."
#
# IP protocol format (HOST_OPEN_IP):
# "host1,host2~proto1,proto2 host3,host4~proto3,proto4 ..."
#
# ICMP protocol format (HOST_OPEN_ICMP):
# "host1 host2 ...."
# -----------------------------------------------------------------------------
HOST_OPEN_TCP=""
HOST_OPEN_UDP=""
HOST_OPEN_IP=""
HOST_OPEN_ICMP=""
# Put in the following variables which hosts you want to DENY(DROP) for certain
# services (and logged).
# TCP/UDP port format (HOST_DENY_TCP & HOST_DENY_UDP):
# "host1,host2~port1,port2 host3,host4~port3,port4 ..."
#
# IP protocol format (HOST_DENY_IP):
# "host1,host2~proto1,proto2 host3,host4~proto3,proto4 ..."
#
# ICMP protocol format (HOST_DENY_ICMP):
# "host1 host2 ...."
# -----------------------------------------------------------------------------
HOST_DENY_TCP=""
HOST_DENY_UDP=""
HOST_DENY_IP=""
HOST_DENY_ICMP=""
# Put in the following variables which hosts you want to DENY(DROP) for certain
# services but NOT logged.
# TCP/UDP port format (HOST_DENY_xxx_NOLOG):
# "host1,host2~port1,port2 host3,host4~port3,port4 ..."
#
# IP protocol format (HOST_DENY_IP_NOLOG):
# "host1,host2~proto1,proto2 host3,host4~proto3,proto4 ..."
#
# ICMP protocol format (HOST_DENY_ICMP_NOLOG):
# "host1 host2 ...."
# -----------------------------------------------------------------------------
HOST_DENY_TCP_NOLOG=""
HOST_DENY_UDP_NOLOG=""
HOST_DENY_IP_NOLOG=""
HOST_DENY_ICMP_NOLOG=""
# Put in the following variables which hosts you want to REJECT (instead of
# DROP) for certain TCP/UDP ports.
# TCP/UDP port format (HOST_REJECT_xxx):
# "host1,host2~port1,port2 host3,host4~port3,port4 ..."
# -----------------------------------------------------------------------------
HOST_REJECT_TCP=""
HOST_REJECT_UDP=""
# Put in the following variables which hosts you want to REJECT (instead of
# DROP) for certain services but NOT logged.
# TCP/UDP port format (HOST_REJECT_xxx_NOLOG):
# "host1,host2~port1,port2 host3,host4~port3,port4 ..."
# -----------------------------------------------------------------------------
HOST_REJECT_TCP_NOLOG=""
HOST_REJECT_UDP_NOLOG=""
# Put in the following variables which services THIS machine is NOT
# permitted to connect TO (remote end-point) via the external (internet)
# interface. For example for blocking IRC (tcp 6666:6669).
# -----------------------------------------------------------------------------
DENY_TCP_OUTPUT=""
DENY_UDP_OUTPUT=""
DENY_IP_OUTPUT=""
# Put in the following variables which hosts THIS machine is NOT
# permitted to connect TO for certain services (remote end-point)
# via the external (internet) interface. In principle you can also
# use this to put your machine in a "virtual-DMZ" by blocking all traffic
# to your local subnet.
# TCP/UDP port format (HOST_DENY_TCP_OUTPUT & HOST_DENY_UDP_OUTPUT):
# "host1,host2~port1,port2 host3,host4~port3,port4 ..."
#
# IP protocol format (HOST_DENY_IP_OUTPUT):
# "host1,host2~proto1,proto2 host3,host4~proto3,proto4 ..."
# -----------------------------------------------------------------------------
HOST_DENY_TCP_OUTPUT=""
HOST_DENY_UDP_OUTPUT=""
HOST_DENY_IP_OUTPUT=""
# Enable this to make the default policy allow for ICMP(ping) for INET access
# -----------------------------------------------------------------------------
# THIS SETTING IS HANDLED BY DEBCONF! DO NOT CHANGE ANYTHING HERE UNLESS YOU
# KNOW WHAT YOU ARE DOING.
# Use 'dpkg-reconfigure arno-iptables-firewall' instead.
OPEN_ICMP=$DC_OPEN_ICMP
# Put in the following variables which ports or IP protocols you want to leave
# open to the whole world.
# -----------------------------------------------------------------------------
# OPEN_TCP and OPEN_UDP are handled by Debconf. If you want to add more open TCP
# or UDP ports use 'dpkg-reconfigure arno-iptables-firewall'. For more complex
# setup add them (space separated) after $DC_OPEN_*.
OPEN_TCP="$DC_OPEN_TCP"
OPEN_UDP="$DC_OPEN_UDP"
OPEN_IP=""
# Put in the following variables the TCP/UDP ports you want to DENY(DROP) for
# everyone (and logged). Also use these variables if you want to log connection
# attempts to these ports from everyone (also trusted/full access hosts).
# In principle you don't need these variables, as everything is already blocked
# (denied) by default; they exist just for consistency.
# -----------------------------------------------------------------------------
DENY_TCP=""
DENY_UDP=""
# Put in the following variables which ports you want to DENY(DROP) for
# everyone but NOT logged. This is very useful if you have constant probes on
# the same port(s) over and over again (code red worm) and don't want your logs
# flooded with it.
# -----------------------------------------------------------------------------
DENY_TCP_NOLOG=""
DENY_UDP_NOLOG=""
# Put in the following variables the TCP/UDP ports you want to REJECT (instead
# of DROP) for everyone (and logged).
# -----------------------------------------------------------------------------
REJECT_TCP=""
REJECT_UDP=""
# Put in the following variables the TCP/UDP ports you want to REJECT (instead
# of DROP) for everyone but NOT logged.
# -----------------------------------------------------------------------------
REJECT_TCP_NOLOG=""
REJECT_UDP_NOLOG=""
# Put in the following variable which hosts you want to block (blackhole,
# dropping every packet from the host).
# -----------------------------------------------------------------------------
BLOCK_HOSTS=""
# Uncomment & specify here the location of the file that contains a list of
# hosts(IPs) that should be BLOCKED. IP ranges can (only) be specified as
# w.x.y.z1-z2 (eg. 192.168.1.10-15). Note that the last line of this file
# should always contain a carriage-return (enter)!
# -----------------------------------------------------------------------------
#BLOCK_HOSTS_FILE="/etc/arno-iptables-firewall/blocked-hosts"
Maybe someone will spot my mistake.
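Added example, not part of the posted file or of the firewall project: a small Python checker that expands the "SRCIP>DESTIP~port" and "host~port" rule strings from the config above into the (source, destination, port) matches they stand for, applying the three NOTEs (missing SRCIP, DESTIP or port means any), and rejects malformed entries. Host syntax is limited to IPv4 addresses/CIDRs here, which is an assumption of this example, not a rule of the firewall.

```python
"""Added example, not part of Arno's iptables firewall: expand the host
rule strings from the config above to see what e.g. LAN_INET_HOST_OPEN_TCP
really matches before reloading. Two forms are handled:
  "SRCIP1,SRCIP2>DESTIP~port1,port2 ..."  (xxx_HOST_OPEN_/xxx_HOST_DENY_ vars)
  "host1,host2~port1,port2 ..."           (HOST_OPEN_/HOST_DENY_ vars)
Per the NOTEs, a missing SRCIP, DESTIP or port means "any". Hosts are
limited to IPv4 addresses/CIDRs here (an assumption of this example).
"""
import re
from itertools import product

ANY_HOST = "0/0"
ANY_PORT = "any"
_HOST_RE = re.compile(r"^(0/0|\d{1,3}(?:\.\d{1,3}){3}(?:/\d{1,2})?)$")
# A port (or IP protocol number) is a number or a from:to range.
_PORT_RE = re.compile(r"^\d{1,5}(?::\d{1,5})?$")

def _fields(text, default):
    """Split a comma list; an empty field stands for 'any'."""
    return [f for f in text.split(",") if f] or [default]

def parse_rule_string(value):
    """Expand a variable value into (src, dst, port) tuples.
    Entries are whitespace separated (the backslashes in the config are
    only shell line continuations). A malformed entry raises ValueError.
    """
    tuples = []
    for entry in value.split():
        hosts, _, ports = entry.partition("~")
        src, _, dst = hosts.partition(">")   # no '>' leaves dst empty (any)
        srcs, dsts = _fields(src, ANY_HOST), _fields(dst, ANY_HOST)
        portlist = _fields(ports, ANY_PORT)
        for h in srcs + dsts:
            if not _HOST_RE.match(h):
                raise ValueError(f"bad host {h!r} in entry {entry!r}")
        for p in portlist:
            if p != ANY_PORT and not _PORT_RE.match(p):
                raise ValueError(f"bad port {p!r} in entry {entry!r}")
        tuples.extend(product(srcs, dsts, portlist))
    return tuples

def is_valid(value):
    """True when every entry parses: the first check when a rule does nothing."""
    try:
        parse_rule_string(value)
        return True
    except ValueError:
        return False

def describe(var_name, value):
    """One readable line per expanded match, for a dry-run review."""
    m = re.search(r"_(TCP|UDP|IP)(?:_|$)", var_name)
    proto = m.group(1).lower() if m else "?"
    return [f"{var_name}: {s} -> {d} {proto}/{p}"
            for s, d, p in parse_rule_string(value)]

if __name__ == "__main__":
    # Constructed sample value mirroring the commented examples above.
    print("\n".join(describe("DMZ_INET_HOST_DENY_TCP",
                             "0/0>1.2.3.4~20,21 5.6.7.8>1.2.3.4~80")))
```

An entry with the port written where the destination host belongs (for example "192.168.0.10>80") is reported as a bad host rather than silently matching nothing.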