# --- BEGIN OF FIREHOL DEFAULTS --- # These are the defaults for FireHOL. # You can set everything system-wide here, or set any or all # of these to your firewall config file. # The options set in the firewall config file have the highest # priority (will overwrite these one). # FireHOL config directory. # EVEN IF YOU CHANGE THIS, THE firehol-defaults.conf FILE # SHOULD STILL EXIST IN /etc/firehol FIREHOL_CONFIG_DIR="/etc/firehol" # FireHOL services directory. # FireHOL will look into this directory for service # definition files (*.conf). # Package maintainers may install their service definitions # in this directory. # Default: /etc/firehol/services FIREHOL_SERVICES_DIR="${FIREHOL_CONFIG_DIR}/services" # Where to permanently save state information? # Default: /var/spool/firehol FIREHOL_SPOOL_DIR="/etc/firehol-spool" # Where temporary files should go? # /var/run is usualy a ram drive, so we prefer to use # this for temporary files. # Default: /var/run/firehol FIREHOL_RUN_DIR="/tmp/firehol" # Restore instead of Start when possible. # If set to 1, FireHOL will actually do a 'restore' when a # 'start' is requested. # If enabled and the config files have not changed since # the last successful activation, the last successfuly # activated firewall will be restored. # THIS OPTION SHOULD NOT BE ENABLED IF THE FIREWALL CONFIG # IS USING DYNAMIC DETECTION OF SERVER PORTS OR OTHER DATA # THAT MAY INFLUENCE THE GENERATED RULES. # At the other hand, if the firewall is always static # this option provides fast startup of the firewall. # Default: 0 FIREHOL_RESTORE_INSTEAD_OF_START="0" # Enable IPv4 firewall # Default: 1 ENABLE_IPV4="1" # Enable IPv6 firewall # Default: 1 ENABLE_IPV6="1" # Syslog facility to use when logging FireHOL events. # This is only used by FireHOL, not the iptables packet # logging mechanism. # Default: daemon FIREHOL_SYSLOG_FACILITY="daemon" # FireHOL can wait for an interface to come up. # Set the interface name to wait for, here. # Default: check the environment variable, if any WAIT_FOR_IFACE="${WAIT_FOR_IFACE}" # External program to call on 'start' (successfull or # failed), 'stop' and 'panic' # It will be run like this: # "${FIREHOL_NOTIFICATION_PROGRAM}" "${FIREHOL_CONFIG}" "${result}" "${restored}" "${work_error}" "${work_runtime_error}" # where # FIREHOL_CONFIG is the filename of the config # result is either empty, OK or FAILED # restored is either NO, OK or FAILED # work_error is the count of pre-processing errors encountered # work_runtime_error is the count of post-processing errors encountered # Default: check the environment variable, if any FIREHOL_NOTIFICATION_PROGRAM="${FIREHOL_NOTIFICATION_PROGRAM}" # ---------------------------------------------------------------------- # RUNTIME CONTROL VARIABLES # These do not affect the final firewall output. They just control how # FireHOL behaves. # They can also be set as environment variables of the same name. # If set to 1, FireHOL will attempt to activate the firewall with # iptables-restore. This is a lot faster firewall activation. # The only drawback of this, is that in case of error, FireHOL may be # unable to identify the exact statement in the firewall config that # caused the error. # Default: 1 FIREHOL_FAST_ACTIVATION="${FIREHOL_FAST_ACTIVATION-1}" # If set to 0, firehol will not try to load the required kernel modules # Generally, FireHOL is able to detect if a module is compiled in the # kernel, even if this is set to 1. # Default: 1 FIREHOL_LOAD_KERNEL_MODULES="${FIREHOL_LOAD_KERNEL_MODULES-1}" # Firewall Policy during firewall activation # Default: ACCEPT # Possible values: ACCEPT, REJECT, DROP FIREHOL_INPUT_ACTIVATION_POLICY="${FIREHOL_INPUT_ACTIVATION_POLICY-ACCEPT}" FIREHOL_OUTPUT_ACTIVATION_POLICY="${FIREHOL_OUTPUT_ACTIVATION_POLICY-ACCEPT}" FIREHOL_FORWARD_ACTIVATION_POLICY="${FIREHOL_FORWARD_ACTIVATION_POLICY-ACCEPT}" # Do we allow pre-existing connections to continue during activation? # If this is set to 0 and FIREHOL_FAST_ACTIVATION is also set to 0, then # every time the firewall is activated, existing connections will be disrupted. # Default: 1 FIREHOL_ESTABLISHED_ACTIVATION_ACCEPT="${FIREHOL_ESTABLISHED_ACTIVATION_ACCEPT-1}" # Set this to 1 have firehol load NAT kernel modules # It will be enabled automatically if nat commands are given in the firewall # Default: 0 FIREHOL_NAT="${FIREHOL_NAT-0}" # Set this to 1 to enable rooting of packets in the kernel # It will be enabled automatically if routers are defined in the firewall # Default: 0 FIREHOL_ROUTING="${FIREHOL_ROUTING-0}" # If you want to restore the firewall using the iptables init script of # your distribution, set here the paths where it expects the rules. # These settings are only saved when 'save' is requested at the command line. # Default: unset for automatic detection. FIREHOL_AUTOSAVE=/etc/firehol/saved.iptables FIREHOL_AUTOSAVE6=/etc/firehol/saved.ip6tables # Ready to use values for various distributions: # # Gentoo # Check: /etc/conf.d/iptables and ip6tables #FIREHOL_AUTOSAVE="/var/lib/iptables/rules-save" #FIREHOL_AUTOSAVE6="/var/lib/ip6tables/rules-save" # # Arch # Check: /usr/lib/systemd/system/iptables.service and ip6tables.service #FIREHOL_AUTOSAVE=/etc/iptables/iptables.rules #FIREHOL_AUTOSAVE6=/etc/iptables/ip6tables.rules # ---------------------------------------------------------------------- # FIREWALL CONFIGURATION VARIABLES # These affect the final output firewall. # They can also be set in the firewall config file. # The default policy for the interfaces of the firewall. # This can be controlled on a per interface basis using the # policy interface subcommand. # Default: DROP # Possible Values: DROP REJECT RETURN DEFAULT_INTERFACE_POLICY="DROP" # The default policy for the router commands of the firewall. # This can be controlled on a per interface basis using the # policy interface subscommand. # Default: RETURN # Possible Values: DROP REJECT RETURN DEFAULT_ROUTER_POLICY="RETURN" # Should we drop all INVALID packets always? # INVALID packets as seen by the connection tracker. # Default: 0 FIREHOL_DROP_INVALID=0 # At the end of the firewall, there may be packets not matched # anywhere. What to do with them? # Default: DROP # Possible Values: DROP REJECT UNMATCHED_INPUT_POLICY="DROP" UNMATCHED_OUTPUT_POLICY="DROP" UNMATCHED_ROUTER_POLICY="DROP" # The client ports to be used for "default" client ports when the # client specified is a foreign host. # Note that FireHOL will ask the kernel for default client ports of # the local host. This setting only applies to client ports of remote hosts. # Default: 1024:65535 DEFAULT_CLIENT_PORTS="1024:65535" # If set to 0, FireHOL will NOT trust interface lo for all traffic, thus # a firewall could be set up on lo. # Default: 1 FIREHOL_TRUST_LOOPBACK=1 # ---------------------------------------------------------------------- # IPTABLES MARKS BITMASKING # FireHOL allows multiple independent MARKs. # By default FireHOL requires 'connmark' and 'usermark'. # The possible values supported by each may be defined here. # The value must be a power of two. # reset the internal marks to empty - do not remove marksreset # connmarks are used by the connmark helper markdef connmark 64 # usermark are used by the mark helper markdef usermark 128 # Additional types may be defined like this: # markdef qosmark 8 # To use it use 'custommark' helper and match # The first argument to both is the mark name (qosmark in this case) markdef qosmark 2 stateless permanent # ---------------------------------------------------------------------- # IPTABLES PACKETS LOGGING # LOG mode for iptables # Default: LOG # Possible Values: LOG, ULOG, NFLOG # LOG = syslog # We recommend to install ulogd and use NFLOG. FIREHOL_LOG_MODE="LOG" # Accepts anything iptables accepts for each mode. # Check: iptables -j LOG --help # iptables -j ULOG --help # iptables -j NFLOG --help # Default: empty FIREHOL_LOG_OPTIONS="" # FireHOL can prefix each log with a keyword. # Default: empty FIREHOL_LOG_PREFIX="" # Used only for FIREHOL_LOG_MODE="LOG" # The syslog level to be used when logging packets. FIREHOL_LOG_LEVEL="debug" # For loglimit, these are the frequency and the burst # of logging. They are applied per logging rule, not across # the firewall. FIREHOL_LOG_FREQUENCY="1/second" FIREHOL_LOG_BURST="5" # If set to 1, FireHOL will silently drop orphan TCP packets with ACK,FIN set. # In modern kernels, the connection tracker detects closed sockets # and removes them from memory before receiving the FIN,ACK from the remote # party. This makes FireHOL log these packets when they will be received. # To silently drop these packets, enable this option. # Default: 1 FIREHOL_DROP_ORPHAN_TCP_ACK_FIN=1 # ---------------------------------------------------------------------- # DEFAULT IP SETS # FireHOL will overwite these settings with the contents of the files with # the same names in ${FIREHOL_CONFIG_DIR}. # # For example, RESERVED_IPV4 will be set from /etc/firehol/RESERVED_IPV4 # IANA reserved address space that should never appear RESERVED_IPV4="0.0.0.0/8 127.0.0.0/8 240.0.0.0/4 " RESERVED_IPV6="::/8 0100::/8 0200::/7 0400::/6 0800::/5 1000::/4 4000::/3 6000::/3 8000::/3 A000::/3 C000::/3 E000::/4 F000::/5 F800::/6 FE00::/9 FEC0::/10" # Private IPv4 address space # 10.0.0.0/8 => RFC 1918: IANA Private Use # 169.254.0.0/16 => Link Local # 192.0.2.0/24 => Test Net # 192.88.99.0/24 => RFC 3068: 6to4 anycast & RFC 2544: Benchmarking addresses # 192.168.0.0/16 => RFC 1918: Private use PRIVATE_IPV4="10.0.0.0/8 169.254.0.0/16 172.16.0.0/12 192.0.2.0/24 192.88.99.0/24 192.168.0.0/16" # Private IPv6 address space # FC00::/7 => Unique Local Unicast # FE80::/10 => Link Local Unicast PRIVATE_IPV6="FC00::/7 FE80::/10" # The multicast address space MULTICAST_IPV4="224.0.0.0/4" MULTICAST_IPV6="FF00::/16" MODPROBE_CMD=/usr/sbin/insmod # --- END OF FIREHOL DEFAULTS ---