#!/bin/bash
###############################################################################
#                                                                             #
# IPFire.org - A linux based firewall                                         #
# Copyright (C) 2012 IPFire Network Development Team                          #
#                                                                             #
# This program is free software: you can redistribute it and/or modify        #
# it under the terms of the GNU General Public License as published by        #
# the Free Software Foundation, either version 3 of the License, or           #
# (at your option) any later version.                                         #
#                                                                             #
# This program is distributed in the hope that it will be useful,             #
# but WITHOUT ANY WARRANTY; without even the implied warranty of              #
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the                #
# GNU General Public License for more details.                                #
#                                                                             #
# You should have received a copy of the GNU General Public License           #
# along with this program. If not, see <http://www.gnu.org/licenses/>.        #
#                                                                             #
###############################################################################

# Built-in defaults for the firewall. This part of the file consists only of
# variable assignments; every tunable that must survive in the configuration
# file registers its name in FIREWALL_CONFIG_PARAMS right after it is set.

# Directory in which the iptables ruleset is generated. Deliberately left
# empty here; the code that uses it is expected to fill it in.
IPTABLES_TMPDIR=

# On-disk locations of the configuration, all relative to one base directory.
FIREWALL_CONFIG_DIR="/etc/firewall"
FIREWALL_ZONES_DIR="${FIREWALL_CONFIG_DIR}/zones"
FIREWALL_CONFIG_FILE="${FIREWALL_CONFIG_DIR}/config"
FIREWALL_CONFIG_RULES="${FIREWALL_CONFIG_DIR}/rules"

# Space-separated macro search path: the local configuration directory comes
# first, the system-wide directory second.
FIREWALL_MACROS_DIRS="${FIREWALL_CONFIG_DIR}/macros /usr/share/firewall/macros"

# Names of the settings that are saved to the configuration file. Each entry
# is appended below with "+=" (one leading space per entry, as before).
FIREWALL_CONFIG_PARAMS=""

# Keywords accepted in the rules file.
FIREWALL_RULES_CONFIG_PARAMS="src dst proto action sport dport in out"

# Logging backend for firewall log messages: "nflog" or "syslog".
FIREWALL_LOG_METHOD="nflog"
FIREWALL_CONFIG_PARAMS+=" FIREWALL_LOG_METHOD"

# Threshold used by the nflog backend.
FIREWALL_NFLOG_THRESHOLD="30"
FIREWALL_CONFIG_PARAMS+=" FIREWALL_NFLOG_THRESHOLD"

# TCP MSS clamping, for upstream networks that filter ICMP (which breaks
# path MTU discovery). Off by default.
FIREWALL_CLAMP_PATH_MTU="false"
FIREWALL_CONFIG_PARAMS+=" FIREWALL_CLAMP_PATH_MTU"

# Conntrack: upper bound on simultaneously tracked connections.
CONNTRACK_MAX_CONNECTIONS="16384"
FIREWALL_CONFIG_PARAMS+=" CONNTRACK_MAX_CONNECTIONS"

# Conntrack: timeout for UDP entries (seconds).
CONNTRACK_UDP_TIMEOUT="60"
FIREWALL_CONFIG_PARAMS+=" CONNTRACK_UDP_TIMEOUT"

# TCP SYN cookies (SYN flood mitigation). On by default.
FIREWALL_SYN_COOKIES="true"
FIREWALL_CONFIG_PARAMS+=" FIREWALL_SYN_COOKIES"

# Reverse-path filtering (rp_filter). On by default.
FIREWALL_RP_FILTER="true"
FIREWALL_CONFIG_PARAMS+=" FIREWALL_RP_FILTER"

# Log "martian" packets, i.e. packets with an impossible source address
# for the interface they arrived on. Off by default.
FIREWALL_LOG_MARTIANS="false"
FIREWALL_CONFIG_PARAMS+=" FIREWALL_LOG_MARTIANS"

# Honour ICMP redirect messages. Off by default.
FIREWALL_ACCEPT_ICMP_REDIRECTS="false"
FIREWALL_CONFIG_PARAMS+=" FIREWALL_ACCEPT_ICMP_REDIRECTS"

# ECN (Explicit Congestion Notification). Off by default.
FIREWALL_USE_ECN="false"
FIREWALL_CONFIG_PARAMS+=" FIREWALL_USE_ECN"

# Path MTU discovery. On by default.
FIREWALL_PMTU_DISCOVERY="true"
FIREWALL_CONFIG_PARAMS+=" FIREWALL_PMTU_DISCOVERY"

# Default IP TTL.
FIREWALL_DEFAULT_TTL="64"
FIREWALL_CONFIG_PARAMS+=" FIREWALL_DEFAULT_TTL"

# Logging of suspicious traffic classes; all enabled by default.
FIREWALL_LOG_STEALTH_SCANS="true"
FIREWALL_CONFIG_PARAMS+=" FIREWALL_LOG_STEALTH_SCANS"

FIREWALL_LOG_BAD_TCP_FLAGS="true"
FIREWALL_CONFIG_PARAMS+=" FIREWALL_LOG_BAD_TCP_FLAGS"

FIREWALL_LOG_INVALID_TCP="true"
FIREWALL_CONFIG_PARAMS+=" FIREWALL_LOG_INVALID_TCP"

FIREWALL_LOG_INVALID_UDP="true"
FIREWALL_CONFIG_PARAMS+=" FIREWALL_LOG_INVALID_UDP"

FIREWALL_LOG_INVALID_ICMP="true"
FIREWALL_CONFIG_PARAMS+=" FIREWALL_LOG_INVALID_ICMP"

# Protocols that rules may name, and the subset for which port arguments
# (sport/dport) apply.
FIREWALL_SUPPORTED_PROTOCOLS="tcp udp icmp igmp esp ah gre"
FIREWALL_PROTOCOLS_SUPPORTING_PORTS="tcp udp"

# Per-zone settings, followed by their default values.
FIREWALL_ZONE_SETTINGS="FRIEND_ZONES MASQUERADE4"

FIREWALL_ZONE_SETTINGS_MASQUERADE4="false"