[people/stevee/network.git] / src / functions / functions.constants-firewall

#!/bin/bash
###############################################################################
#                                                                             #
# IPFire.org - A linux based firewall                                         #
# Copyright (C) 2012  IPFire Network Development Team                         #
#                                                                             #
# This program is free software: you can redistribute it and/or modify        #
# it under the terms of the GNU General Public License as published by        #
# the Free Software Foundation, either version 3 of the License, or           #
# (at your option) any later version.                                         #
#                                                                             #
# This program is distributed in the hope that it will be useful,             #
# but WITHOUT ANY WARRANTY; without even the implied warranty of              #
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the               #
# GNU General Public License for more details.                                #
#                                                                             #
# You should have received a copy of the GNU General Public License           #
# along with this program.  If not, see <http://www.gnu.org/licenses/>.       #
#                                                                             #
###############################################################################

# This variable is used to point to a directory
# in which the iptables ruleset will be generated.
IPTABLES_TMPDIR=

FIREWALL_CONFIG_DIR="/etc/firewall"
FIREWALL_ZONES_DIR="${FIREWALL_CONFIG_DIR}/zones"
FIREWALL_CONFIG_FILE="${FIREWALL_CONFIG_DIR}/config"
FIREWALL_CONFIG_RULES="${FIREWALL_CONFIG_DIR}/rules"

FIREWALL_MACROS_DIRS="${FIREWALL_CONFIG_DIR}/macros"
FIREWALL_MACROS_DIRS="${FIREWALL_MACROS_DIRS} /usr/share/firewall/macros"

# List of parameters which are saved in the configuration file.
FIREWALL_CONFIG_PARAMS=""

# Valid arguments in the rules file.
FIREWALL_RULES_CONFIG_PARAMS="src dst proto action sport dport in out"

# Define the default logging method (nflog or syslog).
FIREWALL_LOG_METHOD="nflog"
FIREWALL_CONFIG_PARAMS="${FIREWALL_CONFIG_PARAMS} FIREWALL_LOG_METHOD"

# Set the default threshold for the nflog method.
FIREWALL_NFLOG_THRESHOLD=30
FIREWALL_CONFIG_PARAMS="${FIREWALL_CONFIG_PARAMS} FIREWALL_NFLOG_THRESHOLD"

# Enable clamping MSS for braindead ISPs which filter ICMP packets.
FIREWALL_CLAMP_PATH_MTU="false"
FIREWALL_CONFIG_PARAMS="${FIREWALL_CONFIG_PARAMS} FIREWALL_CLAMP_PATH_MTU"

# Conntrack: Max. amount of simultaneous connections.
CONNTRACK_MAX_CONNECTIONS="16384"
FIREWALL_CONFIG_PARAMS="${FIREWALL_CONFIG_PARAMS} CONNTRACK_MAX_CONNECTIONS"

# Conntrack: UDP timeout
CONNTRACK_UDP_TIMEOUT="60"
FIREWALL_CONFIG_PARAMS="${FIREWALL_CONFIG_PARAMS} CONNTRACK_UDP_TIMEOUT"

# Use SYN cookies or not
FIREWALL_SYN_COOKIES="true"
FIREWALL_CONFIG_PARAMS="${FIREWALL_CONFIG_PARAMS} FIREWALL_SYN_COOKIES"

# rp_filter
FIREWALL_RP_FILTER="true"
FIREWALL_CONFIG_PARAMS="${FIREWALL_CONFIG_PARAMS} FIREWALL_RP_FILTER"

# Log martians
FIREWALL_LOG_MARTIANS="false"
FIREWALL_CONFIG_PARAMS="${FIREWALL_CONFIG_PARAMS} FIREWALL_LOG_MARTIANS"

# Accept ICMP redirects
FIREWALL_ACCEPT_ICMP_REDIRECTS="false"
FIREWALL_CONFIG_PARAMS="${FIREWALL_CONFIG_PARAMS} FIREWALL_ACCEPT_ICMP_REDIRECTS"

# ECN (Explicit Congestion Notification)
FIREWALL_USE_ECN="false"
FIREWALL_CONFIG_PARAMS="${FIREWALL_CONFIG_PARAMS} FIREWALL_USE_ECN"

# Path MTU discovery
FIREWALL_PMTU_DISCOVERY="true"
FIREWALL_CONFIG_PARAMS="${FIREWALL_CONFIG_PARAMS} FIREWALL_PMTU_DISCOVERY"

# Default TTL
FIREWALL_DEFAULT_TTL="64"
FIREWALL_CONFIG_PARAMS="${FIREWALL_CONFIG_PARAMS} FIREWALL_DEFAULT_TTL"

# Log stealth scans
FIREWALL_LOG_STEALTH_SCANS="true"
FIREWALL_CONFIG_PARAMS="${FIREWALL_CONFIG_PARAMS} FIREWALL_LOG_STEALTH_SCANS"

# Log packets with bad TCP flags
FIREWALL_LOG_BAD_TCP_FLAGS="true"
FIREWALL_CONFIG_PARAMS="${FIREWALL_CONFIG_PARAMS} FIREWALL_LOG_BAD_TCP_FLAGS"

# Log INVALID TCP packets
FIREWALL_LOG_INVALID_TCP="true"
FIREWALL_CONFIG_PARAMS="${FIREWALL_CONFIG_PARAMS} FIREWALL_LOG_INVALID_TCP"

# Log INVALID UDP packets
FIREWALL_LOG_INVALID_UDP="true"
FIREWALL_CONFIG_PARAMS="${FIREWALL_CONFIG_PARAMS} FIREWALL_LOG_INVALID_UDP"

# Log INVALID ICMP packets
FIREWALL_LOG_INVALID_ICMP="true"
FIREWALL_CONFIG_PARAMS="${FIREWALL_CONFIG_PARAMS} FIREWALL_LOG_INVALID_ICMP"

FIREWALL_SUPPORTED_PROTOCOLS="tcp udp icmp igmp esp ah gre"
FIREWALL_PROTOCOLS_SUPPORTING_PORTS="tcp udp"

# Firewall zone settings.
FIREWALL_ZONE_SETTINGS="FRIEND_ZONES MASQUERADE4"

# Default values.
FIREWALL_ZONE_SETTINGS_MASQUERADE4="false"
Commit	Line	Data
c1400087 MT	1	#!/bin/bash
	2	###############################################################################
	3	# #
	4	# IPFire.org - A linux based firewall #
	5	# Copyright (C) 2012 IPFire Network Development Team #
	6	# #
	7	# This program is free software: you can redistribute it and/or modify #
	8	# it under the terms of the GNU General Public License as published by #
	9	# the Free Software Foundation, either version 3 of the License, or #
	10	# (at your option) any later version. #
	11	# #
	12	# This program is distributed in the hope that it will be useful, #
	13	# but WITHOUT ANY WARRANTY; without even the implied warranty of #
	14	# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the #
	15	# GNU General Public License for more details. #
	16	# #
	17	# You should have received a copy of the GNU General Public License #
	18	# along with this program. If not, see <http://www.gnu.org/licenses/>. #
	19	# #
	20	###############################################################################
	21
	22	# This variable is used to point to a directory
	23	# in which the iptables ruleset will be generated.
	24	IPTABLES_TMPDIR=
	25
	26	FIREWALL_CONFIG_DIR="/etc/firewall"
	27	FIREWALL_ZONES_DIR="${FIREWALL_CONFIG_DIR}/zones"
1206f44c	28	FIREWALL_CONFIG_FILE="${FIREWALL_CONFIG_DIR}/config"
c1400087 MT	29	FIREWALL_CONFIG_RULES="${FIREWALL_CONFIG_DIR}/rules"
	30
	31	FIREWALL_MACROS_DIRS="${FIREWALL_CONFIG_DIR}/macros"
	32	FIREWALL_MACROS_DIRS="${FIREWALL_MACROS_DIRS} /usr/share/firewall/macros"
	33
	34	# List of parameters which are saved in the configuration file.
	35	FIREWALL_CONFIG_PARAMS=""
	36
a2c9dff5 MT	37	# Valid arguments in the rules file.
	38	FIREWALL_RULES_CONFIG_PARAMS="src dst proto action sport dport in out"
	39
c1400087 MT	40	# Define the default logging method (nflog or syslog).
	41	FIREWALL_LOG_METHOD="nflog"
	42	FIREWALL_CONFIG_PARAMS="${FIREWALL_CONFIG_PARAMS} FIREWALL_LOG_METHOD"
	43
	44	# Set the default threshold for the nflog method.
	45	FIREWALL_NFLOG_THRESHOLD=30
be9aaf8b	46	FIREWALL_CONFIG_PARAMS="${FIREWALL_CONFIG_PARAMS} FIREWALL_NFLOG_THRESHOLD"
c1400087 MT	47
	48	# Enable clamping MSS for braindead ISPs which filter ICMP packets.
	49	FIREWALL_CLAMP_PATH_MTU="false"
	50	FIREWALL_CONFIG_PARAMS="${FIREWALL_CONFIG_PARAMS} FIREWALL_CLAMP_PATH_MTU"
a2c9dff5	51
ef953be2 MT	52	# Conntrack: Max. amount of simultaneous connections.
	53	CONNTRACK_MAX_CONNECTIONS="16384"
	54	FIREWALL_CONFIG_PARAMS="${FIREWALL_CONFIG_PARAMS} CONNTRACK_MAX_CONNECTIONS"
	55
	56	# Conntrack: UDP timeout
	57	CONNTRACK_UDP_TIMEOUT="60"
	58	FIREWALL_CONFIG_PARAMS="${FIREWALL_CONFIG_PARAMS} CONNTRACK_UDP_TIMEOUT"
	59
	60	# Use SYN cookies or not
	61	FIREWALL_SYN_COOKIES="true"
	62	FIREWALL_CONFIG_PARAMS="${FIREWALL_CONFIG_PARAMS} FIREWALL_SYN_COOKIES"
	63
	64	# rp_filter
	65	FIREWALL_RP_FILTER="true"
	66	FIREWALL_CONFIG_PARAMS="${FIREWALL_CONFIG_PARAMS} FIREWALL_RP_FILTER"
	67
	68	# Log martians
	69	FIREWALL_LOG_MARTIANS="false"
	70	FIREWALL_CONFIG_PARAMS="${FIREWALL_CONFIG_PARAMS} FIREWALL_LOG_MARTIANS"
	71
	72	# Accept ICMP redirects
	73	FIREWALL_ACCEPT_ICMP_REDIRECTS="false"
	74	FIREWALL_CONFIG_PARAMS="${FIREWALL_CONFIG_PARAMS} FIREWALL_ACCEPT_ICMP_REDIRECTS"
	75
	76	# ECN (Explicit Congestion Notification)
	77	FIREWALL_USE_ECN="false"
	78	FIREWALL_CONFIG_PARAMS="${FIREWALL_CONFIG_PARAMS} FIREWALL_USE_ECN"
	79
	80	# Path MTU discovery
	81	FIREWALL_PMTU_DISCOVERY="true"
	82	FIREWALL_CONFIG_PARAMS="${FIREWALL_CONFIG_PARAMS} FIREWALL_PMTU_DISCOVERY"
	83
	84	# Default TTL
	85	FIREWALL_DEFAULT_TTL="64"
	86	FIREWALL_CONFIG_PARAMS="${FIREWALL_CONFIG_PARAMS} FIREWALL_DEFAULT_TTL"
	87
4320067c MT	88	# Log stealth scans
	89	FIREWALL_LOG_STEALTH_SCANS="true"
	90	FIREWALL_CONFIG_PARAMS="${FIREWALL_CONFIG_PARAMS} FIREWALL_LOG_STEALTH_SCANS"
	91
	92	# Log packets with bad TCP flags
	93	FIREWALL_LOG_BAD_TCP_FLAGS="true"
	94	FIREWALL_CONFIG_PARAMS="${FIREWALL_CONFIG_PARAMS} FIREWALL_LOG_BAD_TCP_FLAGS"
	95
	96	# Log INVALID TCP packets
	97	FIREWALL_LOG_INVALID_TCP="true"
	98	FIREWALL_CONFIG_PARAMS="${FIREWALL_CONFIG_PARAMS} FIREWALL_LOG_INVALID_TCP"
	99
	100	# Log INVALID UDP packets
	101	FIREWALL_LOG_INVALID_UDP="true"
	102	FIREWALL_CONFIG_PARAMS="${FIREWALL_CONFIG_PARAMS} FIREWALL_LOG_INVALID_UDP"
	103
	104	# Log INVALID ICMP packets
	105	FIREWALL_LOG_INVALID_ICMP="true"
	106	FIREWALL_CONFIG_PARAMS="${FIREWALL_CONFIG_PARAMS} FIREWALL_LOG_INVALID_ICMP"
	107
a2c9dff5 MT	108	FIREWALL_SUPPORTED_PROTOCOLS="tcp udp icmp igmp esp ah gre"
	109	FIREWALL_PROTOCOLS_SUPPORTING_PORTS="tcp udp"
	110
	111	# Firewall zone settings.
	112	FIREWALL_ZONE_SETTINGS="FRIEND_ZONES MASQUERADE4"
	113
	114	# Default values.
	115	FIREWALL_ZONE_SETTINGS_MASQUERADE4="false"