# #
###############################################################################
+# Firewall file configuration
+FIREWALL_SETTINGS_DIR="/etc/firewall"
+FIREWALL_SETTINGS_FILE="${FIREWALL_SETTINGS_DIR}/settings"
+
# This variable is used to point to a directory
# in which the iptables ruleset will be generated.
IPTABLES_TMPDIR=
FIREWALL_MACROS_DIRS="${FIREWALL_MACROS_DIRS} /usr/share/firewall/macros"
# List of parameters which are saved in the configuration file.
-FIREWALL_CONFIG_PARAMS=""
+FIREWALL_SETTINGS=( "DEBUG" )
# Valid arguments in the rules file.
FIREWALL_RULES_CONFIG_PARAMS="src dst proto action sport dport in out"
# Define the default logging method (nflog or syslog).
FIREWALL_LOG_METHOD="nflog"
-FIREWALL_CONFIG_PARAMS="${FIREWALL_CONFIG_PARAMS} FIREWALL_LOG_METHOD"
+FIREWALL_SETTINGS+=( "FIREWALL_LOG_METHOD" )
# Set the default threshold for the nflog method.
FIREWALL_NFLOG_THRESHOLD=30
-FIREWALL_CONFIG_PARAMS="${FIREWALL_CONFIG_PARAMS} FIREWALL_NFLOG_THRESHOLD"
+FIREWALL_SETTINGS+=( "FIREWALL_NFLOG_THRESHOLD" )
# Enable clamping MSS for braindead ISPs which filter ICMP packets.
FIREWALL_CLAMP_PATH_MTU="false"
-FIREWALL_CONFIG_PARAMS="${FIREWALL_CONFIG_PARAMS} FIREWALL_CLAMP_PATH_MTU"
+FIREWALL_SETTINGS+=( "FIREWALL_CLAMP_PATH_MTU" )
# Conntrack: Max. amount of simultaneous connections.
CONNTRACK_MAX_CONNECTIONS="16384"
-FIREWALL_CONFIG_PARAMS="${FIREWALL_CONFIG_PARAMS} CONNTRACK_MAX_CONNECTIONS"
+FIREWALL_SETTINGS+=( "CONNTRACK_MAX_CONNECTIONS" )
# Conntrack: UDP timeout
CONNTRACK_UDP_TIMEOUT="60"
-FIREWALL_CONFIG_PARAMS="${FIREWALL_CONFIG_PARAMS} CONNTRACK_UDP_TIMEOUT"
+FIREWALL_SETTINGS+=( "CONNTRACK_UDP_TIMEOUT" )
# Use SYN cookies or not
FIREWALL_SYN_COOKIES="true"
-FIREWALL_CONFIG_PARAMS="${FIREWALL_CONFIG_PARAMS} FIREWALL_SYN_COOKIES"
+FIREWALL_SETTINGS+=( "FIREWALL_SYN_COOKIES" )
# rp_filter
FIREWALL_RP_FILTER="true"
-FIREWALL_CONFIG_PARAMS="${FIREWALL_CONFIG_PARAMS} FIREWALL_RP_FILTER"
+FIREWALL_SETTINGS+=( "FIREWALL_RP_FILTER" )
# Log martians
FIREWALL_LOG_MARTIANS="false"
-FIREWALL_CONFIG_PARAMS="${FIREWALL_CONFIG_PARAMS} FIREWALL_LOG_MARTIANS"
+FIREWALL_SETTINGS+=( "FIREWALL_LOG_MARTIANS" )
# Accept ICMP redirects
FIREWALL_ACCEPT_ICMP_REDIRECTS="false"
-FIREWALL_CONFIG_PARAMS="${FIREWALL_CONFIG_PARAMS} FIREWALL_ACCEPT_ICMP_REDIRECTS"
+FIREWALL_SETTINGS+=( "FIREWALL_ACCEPT_ICMP_REDIRECTS" )
# ECN (Explicit Congestion Notification)
FIREWALL_USE_ECN="true"
-FIREWALL_CONFIG_PARAMS="${FIREWALL_CONFIG_PARAMS} FIREWALL_USE_ECN"
+FIREWALL_SETTINGS+=( "FIREWALL_USE_ECN" )
# Path MTU discovery
FIREWALL_PMTU_DISCOVERY="true"
-FIREWALL_CONFIG_PARAMS="${FIREWALL_CONFIG_PARAMS} FIREWALL_PMTU_DISCOVERY"
+FIREWALL_SETTINGS+=( "FIREWALL_PMTU_DISCOVERY" )
# Default TTL
FIREWALL_DEFAULT_TTL="64"
-FIREWALL_CONFIG_PARAMS="${FIREWALL_CONFIG_PARAMS} FIREWALL_DEFAULT_TTL"
+FIREWALL_SETTINGS+=( "FIREWALL_DEFAULT_TTL" )
# Log stealth scans
FIREWALL_LOG_STEALTH_SCANS="true"
-FIREWALL_CONFIG_PARAMS="${FIREWALL_CONFIG_PARAMS} FIREWALL_LOG_STEALTH_SCANS"
+FIREWALL_SETTINGS+=( "FIREWALL_LOG_STEALTH_SCANS" )
# Log packets with bad TCP flags
FIREWALL_LOG_BAD_TCP_FLAGS="true"
-FIREWALL_CONFIG_PARAMS="${FIREWALL_CONFIG_PARAMS} FIREWALL_LOG_BAD_TCP_FLAGS"
+FIREWALL_SETTINGS+=( "FIREWALL_LOG_BAD_TCP_FLAGS" )
# Log INVALID TCP packets
FIREWALL_LOG_INVALID_TCP="true"
-FIREWALL_CONFIG_PARAMS="${FIREWALL_CONFIG_PARAMS} FIREWALL_LOG_INVALID_TCP"
+FIREWALL_SETTINGS+=( "FIREWALL_LOG_INVALID_TCP" )
# Log INVALID UDP packets
FIREWALL_LOG_INVALID_UDP="true"
-FIREWALL_CONFIG_PARAMS="${FIREWALL_CONFIG_PARAMS} FIREWALL_LOG_INVALID_UDP"
+FIREWALL_SETTINGS+=( "FIREWALL_LOG_INVALID_UDP" )
# Log INVALID ICMP packets
FIREWALL_LOG_INVALID_ICMP="true"
-FIREWALL_CONFIG_PARAMS="${FIREWALL_CONFIG_PARAMS} FIREWALL_LOG_INVALID_ICMP"
+FIREWALL_SETTINGS+=( "FIREWALL_LOG_INVALID_ICMP" )
FIREWALL_SUPPORTED_PROTOCOLS="tcp udp icmp igmp esp ah gre"
FIREWALL_PROTOCOLS_SUPPORTING_PORTS="tcp udp"