#
# File: /etc/firewall/firewall.conf.iptables
#
# Firewall Configuration
#
# This file contains the editable firewall parameters.
# User edits belong in this file. It is included by
# /etc/rc.d/init.d/firewall when the configuration script
# runs.
#
# NOTE: this file is sourced by the init script as shell, not
# parsed as INI. Keep NAME=value with no spaces around '=',
# keep the quoting shown below, and note that text after '#'
# on a value line is a shell comment, not part of the value.
#
# Original ipchains scripts by:
# Craig Zeller - 03-Jan-2000
# Translated to iptables and modified by:
# Bob Sully (rcs@malibyte.net) - latest: 21-Jan-2005
# ------------------------------------------------------------------

VERBOSE=1                           # Turns on verbose feature
                                    # (configuration messages)

#
# INTERFACES
#
# Edit these to suit your system interfaces
#
#
# The 'External Interface' is the connection to your
# ISP via Ethernet, xDSL, Cable Modem, T1, etc. This
# is the Internet side, where the bad guys hang out.
#
EXTERNAL_INTERFACE="ppp0"           # Unsecure (Red) Interface <--- Edit here!
# NOTE(review): "213.229.xx.xxx" is a placeholder, not a valid
# address. With DHCP=1 (below) the init script presumably learns
# the real address at run time; if DHCP is ever set to 0, a real
# address must go here or every rule built from EXTERNAL_IP is
# wrong. -- confirm against /etc/rc.d/init.d/firewall
EXTERNAL_IP="213.229.xx.xxx"        # Unsecure (Red) IP address <--- Edit here!
#
# Special case for PPP external interface: grabs external IP address after connecting.
# If running PPP over Ethernet, may need to change "ppp0" to "ethx" where ethx =
# your "external" network interface, e.g. eth0
# Requires awk; thanks to Sean Mannion
#
# NOTE(review): the variable is quoted and compared with POSIX '='
# so the test does not fail when EXTERNAL_INTERFACE is empty or the
# init script runs under a non-bash /bin/sh. The awk pattern relies
# on the old "inet addr:" line format of ifconfig; newer net-tools
# print "inet 1.2.3.4" instead, so check the output on your system.
# The ifconfig argument is still a literal "ppp0"; change it together
# with the test above when you change the interface.
#
#if [ "$EXTERNAL_INTERFACE" = "ppp0" ]; then
#    EXTERNAL_IP=`/sbin/ifconfig ppp0 |awk '/inet addr/{split($2,x,":"); print x[2]}'`
#fi
#
# The 'Internal Interface' is the connection to your
# protected network(s).
#
INTERNAL_INTERFACE="wlan0"          # Secure (Black) Interface <--- Edit here!
INTERNAL_NETWORK="192.168.1.0/24"   # Secure (Black) LAN network range <--- Edit here!
INTERNAL_IP="192.168.1.101"         # Secure (Black) LAN IP address <--- Edit here!
# NOTE(review): the example below is an address from the external
# range; for the INTERNAL_NETWORK above the LAN broadcast address
# would be 192.168.1.255.
#BROADCAST_NET="213.229.11.255"     # Broadcast address for your local subnet;
                                    # can be used for user-generated rules in
                                    # firewall.local; not required to be defined
                                    # otherwise.

# ------------------------------------------------------------------
#
# Your ISP's servers
#
#
# Valid responses here consist of:
#
# 1. A single or list of IP address(es) in CIDR notation (ex: 192.168.1.1/32)
#
# 2. A single or list of network IP address range(s) in CIDR notation (ex: 192.168.1.0/24)
#
# 3. The expression 'any/0', which matches any IP address.
#
# Note that in CIDR (Classless Internet Domain Routing) notation, the
# number following the slash mark is the number of bits in the network
# portion of the address. This notation replaces the old Class-A (CIDR /8),
# Class-B (CIDR /16), and Class-C (CIDR /24) netmasks. CIDR addressing
# greatly simplifies sub-netting as netmasks can be on any bit-boundary.
#
# NOTE(review): the commented templates below use hostnames as
# examples, but the rules above call for IP addresses or CIDR
# ranges; use addresses when enabling them. Some templates are
# named MY_*_SERVER while the live entries are *_SERVER -- confirm
# which names the init script actually reads before relying on them.
#
DHCP_SERVER_IP="195.58.161.122"     # ISPs DHCP Server (if known)
SMTP_SERVER="62.99.194.14"          # List of external SMTP Mail Servers, if any
POP_SERVER="213.229.60.101"         # External POP3 Servers, if any
#MY_IMAP_SERVER="my.imap.server"    # External IMAP Servers, if any
#MY_IMAPS_SERVER="my.imaps.server"  # External Secure IMAP servers, if any
NEWS_SERVER="213.229.60.102"        # External NNTP News Servers, if any
#SNEWS_SERVER="your.snews.server"   # External Secure NNTP News Servers, if any
#MY_NEWS_FEED="my.news.feed"        # ISP NNTP News Feed, if any
#
# The following entry requires an IP address or range as in the
# previous paragraph.
#
#WEB_PROXY_SERVER="my.www.proxy"    # ISP Web Proxy Server, if any
#
# The port number of your proxy host. Typically this is 8008
# or 8080.
#
#WEB_PROXY_PORT="www.proxy.port"    # ISP Web Proxy Port, if any

# ------------------------------------------------------------------
#
# Firewall Configuration Options
#
# Set the variables on the following lines = 1 to enable
# their respective features, or = 0 to disable.
#
# IP MASQUERADING
#
# Set the following variable = 1 if you are Masquerading
# your internal (RFC-1918) network, else = 0.
#
MASQUERADING=1
#
# Set the following variable = 1 if your firewall's
# external interface gets its IP address from your ISP's
# DHCP server. The 'external interface' is the one that is
# connected to your ISP via xDSL, Cable Modem, T1, etc.,
# and is often referred to as the 'Red' interface.
#
# New DHCP client routine should work with just about any DHCP
# client application.
DHCP=1
#
# Port-Forwarding
#
#
# Set the following variable = 1 if you wish to allow
# port-forwarding through your firewall to services
# running on machines in your internal network.
#
PORT_FORWARD=1
#
# ICMP Services
#
#
# Set the following variable = 1 if you wish to allow
# local clients to 'ping' external sites.
#
OUTBOUND_PING=1
#
# Set the following variable = 1 if you wish to allow
# external sites to ping your firewall (stops at the
# firewall).
#
INBOUND_PING=1
#
# Set the following variable = 1 if you wish to allow
# local clients to 'traceroute' to external sites.
#
OUTBOUND_TRACEROUTE=1
#
# Set the following variable = 1 if you wish to allow
# external sites to 'traceroute' to your firewall (stops
# at the firewall).
#
INBOUND_TRACEROUTE=1

# ------------------------------------------------------------------
#
# E-Mail Services
#
#
# Set the following variable = 1 if you send your outbound
# EMail via SMTP protocol through your ISPs mail server.
# This is most frequently used in combination with the
# next option, POP3_CLIENT.
#
SMTP_REMOTE_SERVER=1
#
# Set the following variable = 1 if you receive your
# inbound EMail via POP3 protocol from your ISPs mail
# server. This is the method most installations will use.
#
POP3_CLIENT=1
#
# Set the following variable = 1 if you get your
# EMail via IMAP protocol from your ISPs mail server.
# This is still quite rare.
#
IMAP_CLIENT=0
IMAPS_CLIENT=0
#
# Set the following variable = 1 if you are running
# Sendmail (or other MTA) on your firewall. Your
# local mail clients will connect via POP3 to your
# firewall for mail delivery. Note that this does
# not require the POP3_CLIENT option for clients
# inside the firewall.
#
SMTP_LOCAL_SERVER=0

# ------------------------------------------------------------------
#
# CLIENT ACCESS
#
# Set the following variables = 1 to enable their respective
# client services, or = 0 to disable. These features allow
# your internal clients to access services on external
# Internet servers.
#
# NOTE(review): Telnet, Finger, Gopher, WAIS and plain POP3/IMAP/NNTP
# carry credentials and data in cleartext. Each entry left at 1 adds
# an outbound rule; set the ones your LAN does not use to 0 to keep
# the rule set to what is actually needed.
#
AUTH_CLIENT=1                       # The Auth Protocol
DNS_CLIENT=1                        # Domain Name Servers
FINGER_CLIENT=1                     # Finger Protocol
FTP_CLIENT=1                        # File Transfer Protocol
GOPHER_CLIENT=1                     # Gopher Protocol
HTTP_CLIENT=1                       # WWW Client Protocol
HTTPS_CLIENT=1                      # Secure WWW Client Protocol
HTTP_PROXY=0                        # WWW through a Web Proxy Server
NNTP_CLIENT=1                       # The Usenet News Protocol
NNTPS_CLIENT=1                      # NNTP access over SSL (port 563)
NTP_CLIENT=1                        # The Network Time Protocol
SSH_CLIENT=1                        # The secure SSH Protocol (Telnet/FTP)
TELNET_CLIENT=1                     # The Telnet Protocol
WAIS_CLIENT=1                       # The WAIS Protocol
WHOIS_CLIENT=1                      # WHOIS Protocol
ICQ_CLIENT=1                        # The Miribilis ICQ Client Protocol
RV_CLIENT=1                         # The RealVideo Client (port 554)
PPTP_CLIENT=1                       # PPTP server access as client (1723)

# ------------------------------------------------------------------
#
# SERVER ACCESS
#
# Enable this if you're running dhcpd on your firewall to
# supply IP addresses to machines on your internal (masqueraded)
# network.
DHCP_SERVER=1                       # DHCP server for internal network

# Note: Enabling these services is for EXTERNAL access from
# the Internet. Access from internal clients to the firewall
# server does not require that these items be configured.
# THIS IS FOR EXTERNAL ACCESS - BE CAREFUL!
#
# The MY_*_CLIENTS lists take the same CIDR forms as the ISP
# server entries above; "any/0" admits every source address.
#
FTP_SERVER=0                        # If you are running an FTP server
MY_FTP_CLIENTS="any/0"              # My FTP client list
DNS_CACHING_SERVER=0                # Caching-Only Domain Name Server
DNS_FULL_SERVER=0                   # Full-function Domain Name Server
# DNS Secondary name servers for zone transfer:
# Place allowed DNS IP's in /etc/firewall/firewall.dns
# in CIDR format, one IP per line
AUTH_SERVER=0                       # AUTH protocol server
POP3_SERVER=0                       # POP-3 EMail server
MY_POP3_CLIENTS="any/0"             # POP-3 EMail client list
IMAP_SERVER=0                       # IMAP EMail server
MY_IMAP_CLIENTS="any/0"             # IMAP E-Mail client list
IMAPS_SERVER=0                      # Secure IMAP EMail server
MY_IMAPS_CLIENTS="any/0"            # Secure IMAP EMail client list
NNTP_SERVER=0                       # Usenet NNTP News server
MY_NNTP_CLIENTS="any/0"             # News client list
NNTP_NEWS_FEED=0                    # NNTP News feeds
TELNET_SERVER=0                     # Telnet server (unsecure - not recommended)
MY_TELNET_CLIENTS="any/0"           # Telnet client list
# NOTE(review): SSH_SERVER=1 together with MY_SSH_CLIENTS="any/0"
# accepts SSH connections from every Internet address. If the
# administrators connect from known ranges, list those here (CIDR,
# as above) instead of any/0; if they do not, make sure sshd itself
# enforces key-only logins, since this file is the only source
# filter in front of it.
SSH_SERVER=1                        # Secure SSH server (Telnet/FTP)
MY_SSH_CLIENTS="any/0"              # Secure SSH client list
SSH_PORT="22"                       # SSH access port, usually 22
HTTP_SERVER=0                       # Web (HTTP) server
MY_HTTP_CLIENTS="any/0"             # HTTP client list
HTTPS_SERVER=0                      # Secure Web server (SSL)
MY_HTTPS_CLIENTS="any/0"            # HTTPS client list
FINGER_SERVER=0                     # Finger Server (not recommended)
MY_FINGER_CLIENTS="any/0"           # My Finger client list
#
# Games
#
HALF_LIFE=0                         # Enable this if you run a
                                    # Half-Life/CounterStrike server
WOLF_CLIENT=0                       # Client ports for Return to Castle Wolfenstein