#!/bin/bash ############################################################################### # # # IPFire.org - A linux based firewall # # Copyright (C) 2012 IPFire Network Development Team # # # # This program is free software: you can redistribute it and/or modify # # it under the terms of the GNU General Public License as published by # # the Free Software Foundation, either version 3 of the License, or # # (at your option) any later version. # # # # This program is distributed in the hope that it will be useful, # # but WITHOUT ANY WARRANTY; without even the implied warranty of # # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the # # GNU General Public License for more details. # # # # You should have received a copy of the GNU General Public License # # along with this program. If not, see . # # # ############################################################################### # This variable is used to point to a directory # in which the iptables ruleset will be generated. IPTABLES_TMPDIR= FIREWALL_CONFIG_DIR="/etc/firewall" FIREWALL_ZONES_DIR="${FIREWALL_CONFIG_DIR}/zones" FIREWALL_CONFIG_FILE="${FIREWALL_CONFIG_DIR}/config" FIREWALL_CONFIG_RULES="${FIREWALL_CONFIG_DIR}/rules" FIREWALL_MACROS_DIRS="${FIREWALL_CONFIG_DIR}/macros" FIREWALL_MACROS_DIRS="${FIREWALL_MACROS_DIRS} /usr/share/firewall/macros" # List of parameters which are saved in the configuration file. FIREWALL_CONFIG_PARAMS="" # Valid arguments in the rules file. FIREWALL_RULES_CONFIG_PARAMS="src dst proto action sport dport in out" # Define the default logging method (nflog or syslog). FIREWALL_LOG_METHOD="nflog" FIREWALL_CONFIG_PARAMS="${FIREWALL_CONFIG_PARAMS} FIREWALL_LOG_METHOD" # Set the default threshold for the nflog method. FIREWALL_NFLOG_THRESHOLD=30 FIREWALL_CONFIG_PARAMS="${FIREWALL_CONFIG_PARAMS} FIREWALL_NFLOG_THRESHOLD" # Enable clamping MSS for braindead ISPs which filter ICMP packets. FIREWALL_CLAMP_PATH_MTU="false" FIREWALL_CONFIG_PARAMS="${FIREWALL_CONFIG_PARAMS} FIREWALL_CLAMP_PATH_MTU" # Conntrack: Max. amount of simultaneous connections. CONNTRACK_MAX_CONNECTIONS="16384" FIREWALL_CONFIG_PARAMS="${FIREWALL_CONFIG_PARAMS} CONNTRACK_MAX_CONNECTIONS" # Conntrack: UDP timeout CONNTRACK_UDP_TIMEOUT="60" FIREWALL_CONFIG_PARAMS="${FIREWALL_CONFIG_PARAMS} CONNTRACK_UDP_TIMEOUT" # Use SYN cookies or not FIREWALL_SYN_COOKIES="true" FIREWALL_CONFIG_PARAMS="${FIREWALL_CONFIG_PARAMS} FIREWALL_SYN_COOKIES" # rp_filter FIREWALL_RP_FILTER="true" FIREWALL_CONFIG_PARAMS="${FIREWALL_CONFIG_PARAMS} FIREWALL_RP_FILTER" # Log martians FIREWALL_LOG_MARTIANS="false" FIREWALL_CONFIG_PARAMS="${FIREWALL_CONFIG_PARAMS} FIREWALL_LOG_MARTIANS" # Accept ICMP redirects FIREWALL_ACCEPT_ICMP_REDIRECTS="false" FIREWALL_CONFIG_PARAMS="${FIREWALL_CONFIG_PARAMS} FIREWALL_ACCEPT_ICMP_REDIRECTS" # ECN (Explicit Congestion Notification) FIREWALL_USE_ECN="false" FIREWALL_CONFIG_PARAMS="${FIREWALL_CONFIG_PARAMS} FIREWALL_USE_ECN" # Path MTU discovery FIREWALL_PMTU_DISCOVERY="true" FIREWALL_CONFIG_PARAMS="${FIREWALL_CONFIG_PARAMS} FIREWALL_PMTU_DISCOVERY" # Default TTL FIREWALL_DEFAULT_TTL="64" FIREWALL_CONFIG_PARAMS="${FIREWALL_CONFIG_PARAMS} FIREWALL_DEFAULT_TTL" # Log stealth scans FIREWALL_LOG_STEALTH_SCANS="true" FIREWALL_CONFIG_PARAMS="${FIREWALL_CONFIG_PARAMS} FIREWALL_LOG_STEALTH_SCANS" # Log packets with bad TCP flags FIREWALL_LOG_BAD_TCP_FLAGS="true" FIREWALL_CONFIG_PARAMS="${FIREWALL_CONFIG_PARAMS} FIREWALL_LOG_BAD_TCP_FLAGS" # Log INVALID TCP packets FIREWALL_LOG_INVALID_TCP="true" FIREWALL_CONFIG_PARAMS="${FIREWALL_CONFIG_PARAMS} FIREWALL_LOG_INVALID_TCP" # Log INVALID UDP packets FIREWALL_LOG_INVALID_UDP="true" FIREWALL_CONFIG_PARAMS="${FIREWALL_CONFIG_PARAMS} FIREWALL_LOG_INVALID_UDP" # Log INVALID ICMP packets FIREWALL_LOG_INVALID_ICMP="true" FIREWALL_CONFIG_PARAMS="${FIREWALL_CONFIG_PARAMS} FIREWALL_LOG_INVALID_ICMP" FIREWALL_SUPPORTED_PROTOCOLS="tcp udp icmp igmp esp ah gre" FIREWALL_PROTOCOLS_SUPPORTING_PORTS="tcp udp" # Firewall zone settings. FIREWALL_ZONE_SETTINGS="FRIEND_ZONES MASQUERADE4" # Default values. FIREWALL_ZONE_SETTINGS_MASQUERADE4="false"