Advertisement
Not a member of Pastebin yet?
Sign Up,
it unlocks many cool features!
- # Copyright (c) 2000-2002 SuSE GmbH Nuernberg, Germany
- # Copyright (c) 2003,2004 SuSE Linux AG Nuernberg, Germany
- # Copyright (c) 2005-2011 SUSE LINUX Products GmbH Nuernberg, Germany
- #
- # Author: Marc Heuse, 2002
- # Ludwig Nussel, 2004-2011
- #
- # /etc/sysconfig/SuSEfirewall2
- #
- # for use with /sbin/SuSEfirewall2 version 3.6
- #
- # ------------------------------------------------------------------------
- #
- # Note that running a packet filter/firewall is no panacea against
- # network security threats. Make sure to
- #
- # - expose only actually needed services
- # - assign different zones to express different levels of trust.
- # Opening ports for LAN services in the external zone defeats the
- # purpose of the firewall!
- # - use software that is designed with security in mind (such as
- # postfix, vsftpd, openssh)
- # - install security updates regularly
- #
- # ------------------------------------------------------------------------
- #
- # Configuration Hints:
- #
- # Note that while this file looks like a shell script and is parsed
- # by a shell script it actually is not a shell script itself. More
- # information about sysconfig files can be found here:
- # http://en.opensuse.org/Packaging/SUSE_Package_Conventions/Sysconfig
- # It's generally a good idea to avoid using shell variable
- # substitution (foo="$bar") and multi line values.
- #
- # If you have any problems configuring this file, take a look at
- # /usr/share/doc/packages/SuSEfirewall2/EXAMPLES or use YaST
- #
- # For end user systems that are only connected to one network
- # FW_DEV_EXT and maybe FW_CONFIGURATIONS_EXT to open some ports need
- # to be modified. The defaults for all other settings are usually
- # fine.
- #
- # For firewalls that should perform routing or masquerading between
- # networks the settings FW_DEV_EXT, FW_DEV_INT, FW_ROUTE, FW_MASQUERADE,
- # FW_SERVICES_EXT_TCP, and maybe FW_SERVICES_ACCEPT_EXT, FW_FORWARD,
- # FW_FORWARD_MASQ
- #
- # Please note that if you use service names, they have to exist in
- # /etc/services. There is for example no service "dns", it's called
- # "domain"; email is called "smtp" etc.
- #
- # ------------------------------------------------------------------------
- ## Path: Network/Firewall/SuSEfirewall2
- ## Description: SuSEfirewall2 configuration
- ## Type: string
- #
- # Which are the interfaces that point to the internet/untrusted
- # networks?
- #
- # Enter all untrusted network devices here
- #
- # Format: space separated list of interface or configuration names
- #
- # The special keyword "any" means that packets arriving on interfaces not
- # explicitly configured as int, ext or dmz will be considered external. Note:
- # this setting only works for packets destined for the local machine. If you
- # want forwarding or masquerading you still have to add the external interfaces
- # individually. "any" can be mixed with other interface names.
- #
- # Examples: "wlan0", "ippp0 ippp1", "any dsl0"
- #
- # Note: alias interfaces (like eth0:1) are ignored
- #
- FW_DEV_EXT="modem0"
- ## Type: string
- #
- # Which are the interfaces that point to the internal network?
- #
- # Enter all trusted network interfaces here. If you are not
- # connected to a trusted network (e.g. you have just a dialup) leave
- # this empty.
- #
- # Format: space separated list of interface or configuration names
- #
- # Examples: "tr0", "eth0 eth1"
- #
- FW_DEV_INT=""
- ## Type: string
- #
- # Which are the interfaces that point to the dmz or dialup network?
- #
- # Enter all the network devices here which point to the dmz/dialups.
- # A "dmz" is a special, seperated network, which is only connected
- # to the firewall, and should be reachable from the internet to
- # provide services, e.g. WWW, Mail, etc. and hence is at risk from
- # attacks. See /usr/share/doc/packages/SuSEfirewall2/EXAMPLES for an
- # example.
- #
- # Note: You have to configure FW_FORWARD to define the services
- # which should be available to the internet and set FW_ROUTE to yes.
- #
- # Format: space separated list of interface or configuration names
- #
- # Examples: "tr0", "eth0 eth1"
- #
- FW_DEV_DMZ=""
- ## Type: yesno
- #
- # Should routing between the internet, dmz and internal network be
- # activated?
- #
- # Set this to "yes" if you either want to masquerade internal
- # machines or allow access to the dmz (or internal machines, but
- # this is not a good idea).
- #
- # This option overrides IP_FORWARD from /etc/sysconfig/sysctl and
- # net.ipv4.ip_forward settings in /etc/sysctl.conf
- # Note: IPv4 only. The IPv6 forwarding sysctl has to be turned on
- # manually.
- #
- # Setting this option one alone doesn't do anything. Either activate
- # masquerading with FW_MASQUERADE below if you want to masquerade
- # your internal network to the internet, or configure FW_FORWARD to
- # define what is allowed to be forwarded. You also need to define
- # internal or dmz interfaces in FW_DEV_INT or FW_DEV_DMZ.
- #
- # defaults to "no" if not set
- #
- FW_ROUTE="no"
- ## Type: yesno
- #
- # Do you want to masquerade internal networks to the outside?
- #
- # Requires: FW_DEV_INT or FW_DEV_DMZ, FW_ROUTE, FW_MASQ_DEV
- #
- # "Masquerading" means that all your internal machines which use
- # services on the internet seem to come from your firewall. Please
- # note that it is more secure to communicate via proxies to the
- # internet than to use masquerading.
- #
- # This option is required for FW_MASQ_NETS and FW_FORWARD_MASQ.
- #
- # defaults to "no" if not set
- #
- FW_MASQUERADE="no"
- ## Type: string
- #
- # You also have to define on which interfaces to masquerade on.
- # Those are usually the same as the external interfaces. Most users
- # can leave the default.
- #
- # The special string "zone:" concatenated with the name of a zone
- # means to take all interfaces in the specified zone.
- #
- # Note: Old version of SuSEfirewall2 used a shell variable
- # ($FW_DEV_EXT) here. That method is deprecated as it breaks auto
- # detection of interfaces. Please use zone:ext instead.
- #
- # Examples: "ippp0", "zone:dmz"
- #
- # defaults to "zone:ext" if not set
- #
- FW_MASQ_DEV=""
- ## Type: string
- #
- # Which internal computers/networks are allowed to access the
- # internet via masquerading (not via proxys on the firewall)?
- #
- # Format: space separated list of
- # <source network>[,<destination network>,<protocol>[,port[:port]]
- #
- # If the protocol is icmp then port is interpreted as icmp type
- #
- # Examples: - "0/0" unrestricted access to the internet
- # - "10.0.0.0/8" allows the whole 10.0.0.0 network with
- # unrestricted access.
- # - "10.0.1.0/24,0/0,tcp,80 10.0.1.0/24,0/0,tcp,21" allows
- # the 10.0.1.0 network to use www/ftp to the internet. -
- # - "10.0.1.0/24,0/0,tcp,1024:65535 10.0.2.0/24" the
- # 10.0.1.0/24 network is allowed to access unprivileged
- # ports whereas 10.0.2.0/24 is granted unrestricted
- # access.
- # - "0/0,!10.0.0.0/8" unrestricted access to the internet
- # with the exception of 10.0.0.8 which will not be
- # masqueraded.
- #
- FW_MASQ_NETS=""
- ## Type: string
- #
- # Which computers/networks to exclude from masquerading.
- #
- # Note that this only affects the POSTROUTING chain of the nat
- # table. Ie the forwarding rules installed by FW_MASQ_NETS do not
- # include the listed exceptions.
- # *** Since you may use FW_NOMASQ_NETS together with IPsec make sure
- # that the policy database is loaded even when the tunnel is not up
- # yet. Otherwise packets to the listed networks will be forwarded to
- # the internet unencrypted! ***
- #
- # Format: space separated list of
- # <source network>[,<destination network>,<protocol>[,port[:port]]
- #
- # If the protocol is icmp then port is interpreted as icmp type
- #
- # Examples: - "0/0,10.0.0.0/8" do not masquerade packets from
- # anywhere to the 10.0.0.0/8 network
- #
- FW_NOMASQ_NETS=""
- ## Type: list(yes,no,notrack)
- ## Default: no
- #
- # Do you want to protect the firewall from the internal network?
- # Requires: FW_DEV_INT
- #
- # If you set this to "yes", internal machines may only access
- # services on the firewall you explicitly allow. If you set this to
- # "no", any internal user can connect (and attack) any service on
- # the firewall.
- #
- # The value "notrack" acts similar to "no" but additionally
- # connection tracking is switched off for interfaces in the zone.
- # This is useful to gain better performance on high speed
- # interfaces.
- #
- # defaults to "yes" if not set
- #
- # see also FW_REJECT_INT
- #
- FW_PROTECT_FROM_INT="no"
- ## Type: string
- #
- # Which TCP services _on the firewall_ should be accessible from
- # untrusted networks?
- #
- # Format: space separated list of ports, port ranges or well known
- # service names (see /etc/services)
- #
- # Examples: "ssh", "123 514", "3200:3299", "ftp 22 telnet 512:514"
- #
- # Note: this setting has precedence over FW_SERVICES_ACCEPT_*
- #
- FW_SERVICES_EXT_TCP=""
- ## Type: string
- #
- # Which UDP services _on the firewall_ should be accessible from
- # untrusted networks?
- #
- # Format: space separated list of ports, port ranges or well known
- # service names (see /etc/services)
- #
- # Example: "53", "syslog"
- #
- # Note: this setting has precedence over FW_SERVICES_ACCEPT_*
- #
- FW_SERVICES_EXT_UDP=""
- ## Type: string
- #
- # Which IP services _on the firewall_ should be accessible from
- # untrusted networks?
- #
- # Usually for VPN/Routing services that END at the firewall like
- # IPsec, GRE, PPTP or OSPF
- #
- # Format: space separated list of ports, port ranges or well known
- # protocol names (see /etc/protocols)
- #
- # Example: "esp"
- #
- # Note: this setting has precedence over FW_SERVICES_ACCEPT_*
- #
- FW_SERVICES_EXT_IP=""
- ## Type: string
- #
- # Which RPC services _on the firewall_ should be accessible from
- # untrusted networks?
- #
- # Port numbers of RPC services are dynamically assigned by the
- # portmapper. Therefore "rpcinfo -p localhost" has to be used to
- # automatically determine the currently assigned port for the
- # services specified here.
- #
- # USE WITH CAUTION!
- # regular users can register rpc services and therefore may be able
- # to have SuSEfirewall2 open arbitrary ports
- #
- # Example: "mountd nfs"
- #
- # Note: this setting has precedence over FW_SERVICES_ACCEPT_*
- #
- FW_SERVICES_EXT_RPC=""
- ## Type: string
- #
- # Which services _on the firewall_ should be accessible from
- # untrusted networks?
- #
- # Packages can drop a configuration file that specifies all required
- # ports into /etc/sysconfig/SuSEfirewall2.d/services. That is handy for
- # services that require multiple ports or protocols. Enter the space
- # separated list of configuration files you want to load.
- #
- # The content of those files is merged into
- # FW_SERVICES_$zone_$protocol, ie has precedence over
- # FW_SERVICES_ACCEPT_*
- #
- # Example: "samba-server nfs-kernel-server"
- FW_CONFIGURATIONS_EXT="sshd"
- ## Type: string
- #
- # see comments for FW_SERVICES_EXT_TCP
- FW_SERVICES_DMZ_TCP=""
- ## Type: string
- #
- # see comments for FW_SERVICES_EXT_UDP
- FW_SERVICES_DMZ_UDP=""
- ## Type: string
- #
- # see comments for FW_SERVICES_EXT_IP
- FW_SERVICES_DMZ_IP=""
- ## Type: string
- #
- # see comments for FW_SERVICES_EXT_RPC
- FW_SERVICES_DMZ_RPC=""
- ## Type: string
- #
- # see comments for FW_CONFIGURATIONS_EXT
- FW_CONFIGURATIONS_DMZ="sshd"
- ## Type: string
- #
- # see comments for FW_SERVICES_EXT_TCP
- FW_SERVICES_INT_TCP=""
- ## Type: string
- #
- # see comments for FW_SERVICES_EXT_UDP
- FW_SERVICES_INT_UDP=""
- ## Type: string
- #
- # see comments for FW_SERVICES_EXT_IP
- FW_SERVICES_INT_IP=""
- ## Type: string
- #
- # see comments for FW_SERVICES_EXT_RPC
- FW_SERVICES_INT_RPC=""
- ## Type: string
- #
- # see comments for FW_CONFIGURATIONS_EXT
- FW_CONFIGURATIONS_INT="sshd"
- ## Type: string
- #
- # Packets to drop.
- #
- # Format: space separated list of net,protocol[,port][,sport]
- # Example: "0/0,tcp,445 0/0,udp,4662"
- #
- # The special value _rpc_ is recognized as protocol and means that dport is
- # interpreted as rpc service name. See FW_SERVICES_EXT_RPC for
- # details.
- #
- # Note: In older SuSEfirewall2 version this setting took place after
- # FW_SERVICES_ACCEPT_*, now it takes precedence.
- #
- FW_SERVICES_DROP_EXT=""
- ## Type: string
- #
- # see FW_SERVICES_DROP_EXT
- FW_SERVICES_DROP_DMZ=""
- ## Type: string
- #
- # see FW_SERVICES_DROP_EXT
- FW_SERVICES_DROP_INT=""
- ## Type: string
- ## Default:
- #
- # Packets to reject. Common usage is TCP port 113 which if dropped
- # would cause long timeouts when sending mail or connecting to IRC
- # servers.
- #
- # Format: space separated list of net,protocol[,dport][,sport]
- # Example: "0/0,tcp,113"
- #
- # The special value _rpc_ is recognized as protocol and means that dport is
- # interpreted as rpc service name. See FW_SERVICES_EXT_RPC for
- # details.
- #
- # Note: In older SuSEfirewall2 version this setting took place after
- # FW_SERVICES_ACCEPT_*, now it takes precedence.
- #
- FW_SERVICES_REJECT_EXT=""
- ## Type: string
- #
- # see FW_SERVICES_REJECT_EXT
- FW_SERVICES_REJECT_DMZ=""
- ## Type: string
- #
- # see FW_SERVICES_REJECT_EXT
- FW_SERVICES_REJECT_INT=""
- ## Type: string
- ## Default:
- #
- # Services to allow. This is a more generic form of FW_SERVICES_XXX_{IP,UDP,TCP}
- # and more specific than FW_TRUSTED_NETS
- #
- # Format: space separated list of net,protocol[,dport[,sport[,flags]]]
- # Example: "0/0,tcp,22"
- #
- # Supported flags are
- # hitcount=NUMBER : ipt_recent --hitcount parameter
- # blockseconds=NUMBER : ipt_recent --seconds parameter
- # recentname=NAME : ipt_recent --name parameter
- # Example:
- # Allow max three ssh connects per minute from the same IP address:
- # "0/0,tcp,22,,hitcount=3,blockseconds=60,recentname=ssh"
- #
- # The special value _rpc_ is recognized as protocol and means that dport is
- # interpreted as rpc service name. See FW_SERVICES_EXT_RPC for
- # details.
- #
- # Note1: keep in mind that FW_SERVICES_EXT_TCP, FW_SERVICES_EXT_UDP
- # take precedence over FW_SERVICES_ACCEPT_EXT so don't open the same
- # port with both options.
- #
- # Note2: the iptables recent module may not be available for ipv6. To
- # avoid an error message use 0.0.0.0/0 instead of 0/0. This will
- # install the rule for ipv4 only.
- #
- FW_SERVICES_ACCEPT_EXT=""
- ## Type: string
- #
- # see FW_SERVICES_ACCEPT_EXT
- FW_SERVICES_ACCEPT_DMZ=""
- ## Type: string
- #
- # see FW_SERVICES_ACCEPT_EXT
- FW_SERVICES_ACCEPT_INT=""
- ## Type: string
- ## Default:
- #
- # Services to allow that are considered RELATED by the connection tracking
- # engine.
- #
- # Format: space separated list of net,protocol[,sport[,dport]]
- #
- # Example:
- # Allow samba broadcast replies marked as related by
- # nf_conntrack_netbios_ns from a certain network:
- # "192.168.1.0/24,udp,137"
- #
- # See also FW_LOAD_MODULES
- #
- FW_SERVICES_ACCEPT_RELATED_EXT=""
- ## Type: string
- #
- # see FW_SERVICES_ACCEPT_RELATED_EXT
- FW_SERVICES_ACCEPT_RELATED_DMZ=""
- ## Type: string
- #
- # see FW_SERVICES_ACCEPT_RELATED_EXT
- FW_SERVICES_ACCEPT_RELATED_INT=""
- ## Type: string
- #
- # Which services should be accessible from 'trusted' hosts or nets?
- #
- # Define trusted hosts or networks (doesn't matter whether they are internal or
- # external) and the services (tcp,udp,icmp) they are allowed to use. This can
- # be used instead of FW_SERVICES_* for further access restriction. Please note
- # that this is no replacement for authentication since IP addresses can be
- # spoofed. Also note that trusted hosts/nets are not allowed to ping the
- # firewall until you also permit icmp.
- #
- # Format: space separated list of network[,protocol[,port]]
- # in case of icmp, port means the icmp type
- #
- # Example: "172.20.1.1 172.20.0.0/16 1.1.1.1,icmp 2.2.2.2,tcp,22"
- #
- FW_TRUSTED_NETS=""
- ## Type: string
- #
- # Which services or networks are allowed to be routed through the
- # firewall, no matter which zone they are in?
- # Requires: FW_ROUTE
- #
- # With this option you may allow access to e.g. your mailserver. The
- # machines must have valid, non-private, IP addresses which were
- # assigned to you by your ISP. This opens a direct link to the
- # specified network, so please think twice befor using this option!
- #
- # Format: space separated list of
- # <source network>,<destination network>[,protocol[,destination port[,flags]]]
- #
- # If the protocol is icmp then port is interpreted as icmp type
- #
- # flags, separated by comma:
- # ipsec:
- # match packets that originate from an IPsec tunnel
- # zonein=ZONE, zoneout=ZONE:
- # match only packets coming in/going out on interfaces from
- # the specified zone.
- #
- # Examples: - "1.1.1.1,2.2.2.2" allow the host 1.1.1.1 to access any
- # service on the host 2.2.2.2
- # - "3.3.3.3/16,4.4.4.4/24" allow the network 3.3.3.3/16
- # to access any service in the network 4.4.4.4/24
- # - "5.5.5.5,6.6.6.6,igmp" allow routing of IGMP messages
- # from 5.5.5.5 to 6.6.6.6
- # - "0/0,0/0,udp,514" always permit udp port 514 to pass
- # the firewall
- # - "192.168.1.0/24,10.10.0.0/16,,,ipsec \
- # 10.10.0.0/16,192.168.1.0/24,,,ipsec" permit traffic
- # from 192.168.1.0/24 to 10.10.0.0/16 and vice versa
- # provided that both networks are connected via an
- # IPsec tunnel.
- # - "fd76:9dbb:91a3:1::/64,fd76:9dbb:91a3:4::/64,tcp,ssh"
- # allow ssh from one IPv6 network to another
- #
- FW_FORWARD=""
- ## Type: string
- #
- # same as FW_FORWARD but packages are rejected instead of accepted
- #
- # Requires: FW_ROUTE
- #
- FW_FORWARD_REJECT=""
- ## Type: string
- #
- # same as FW_FORWARD but packages are dropped instead of accepted
- #
- # Requires: FW_ROUTE
- #
- FW_FORWARD_DROP=""
- ## Type: string
- #
- # Which services accessed from the internet should be allowed to masqueraded
- # servers (on the internal network or dmz)?
- # Requires: FW_ROUTE
- #
- # With this option you may allow access to e.g. your mailserver. The
- # machines must be in a masqueraded segment and may not have public
- # IP addesses! Hint: if FW_DEV_MASQ is set to the external interface
- # you have to set FW_FORWARD from internal to DMZ for the service as
- # well to allow access from internal!
- #
- # Please note that this should *not* be used for security reasons!
- # You are opening a hole to your precious internal network. If e.g.
- # the webserver there is compromised - your full internal network is
- # compromised!
- #
- # Format: space separated list of
- # <source network>,<ip to forward to>,<protocol>,<port>[,redirect port,[destination ip]]
- #
- # Protocol must be either tcp or udp
- #
- # Examples: - "4.0.0.0/8,10.0.0.10,tcp,80" forward all tcp request on
- # port 80 coming from the 4.0.0.0/8 network to the
- # internal server 10.10.0.10
- # - "4.0.0.0/8,10.0.0.10,tcp,80,81" forward all tcp request on
- # port 80 coming from the 4.0.0.0/8 network to the
- # internal server 10.10.0.10 on port 81
- # - "200.200.200.0/24,10.0.0.10,tcp,80,81,202.202.202.202"
- # the network 200.200.200.0/24 trying to access the
- # address 202.202.202.202 on port 80 will be forwarded
- # to the internal server 10.0.0.10 on port 81
- #
- # Note: du to inconsistent iptables behaviour only port numbers are possible
- # but no service names (http://bugzilla.netfilter.org/show_bug.cgi?id=273)
- #
- FW_FORWARD_MASQ=""
- ## Type: string
- #
- # Which accesses to services should be redirected to a local port on
- # the firewall machine?
- #
- # This option can be used to force all internal users to surf via
- # your squid proxy, or transparently redirect incoming webtraffic to
- # a secure webserver.
- #
- # Format: list of <source network>[,<destination network>,<protocol>[,dport[:lport]]
- # Where protocol is either tcp or udp. dport is the original
- # destination port and lport the port on the local machine to
- # redirect the traffic to
- #
- # An exclamation mark in front of source or destination network
- # means everything EXCEPT the specified network
- #
- # Example: "10.0.0.0/8,0/0,tcp,80,3128 0/0,172.20.1.1,tcp,80,8080"
- #
- # Note: contrary to previous SuSEfirewall2 versions it is no longer necessary
- # to additionally open the local port
- FW_REDIRECT=""
- ## Type: yesno
- #
- # Which kind of packets should be logged?
- #
- # When set to "yes", packages that got dropped and are considered
- # 'critical' will be logged. Such packets include for example
- # spoofed packets, tcp connection requests and certain icmp types.
- #
- # defaults to "yes" if not set
- #
- FW_LOG_DROP_CRIT="yes"
- ## Type: yesno
- #
- # whether all dropped packets should be logged
- #
- # Note: for broadcasts to be logged you also need to set
- # FW_IGNORE_FW_BROADCAST_* to 'no'
- #
- # defaults to "no" if not set
- #
- FW_LOG_DROP_ALL="no"
- ## Type: yesno
- #
- # When set to "yes", packages that got accepted and are considered
- # 'critical' will be logged. Such packets include for example tcp
- # connection requests, rpc connection requests and forwarded pakets.
- #
- # Set to "no" for on systems with high traffic
- #
- # defaults to "no" if not set
- #
- FW_LOG_ACCEPT_CRIT="yes"
- ## Type: yesno
- #
- # whether all accepted packets should be logged
- #
- # Note: setting this to 'yes' causes _LOTS_ of log entries and may
- # fill your disk quickly. It also disables FW_LOG_LIMIT
- #
- # defaults to "no" if not set
- #
- FW_LOG_ACCEPT_ALL="no"
- ## Type: string
- #
- # How many packets per time unit get logged for each logging rule.
- # When empty a default of 3/minute is used to prevent port scans
- # flooding your log files. For desktop usage it's a good idea to
- # have the limit, if you are using logfile analysis tools however
- # you might want to disable it.
- #
- # Set to 'no' to disable the rate limit. Setting FW_LOG_ACCEPT_ALL
- # to 'yes' disables this option as well.
- #
- # Format: a digit and suffix /second, /minute, /hour or /day
- FW_LOG_LIMIT=""
- ## Type: string
- #
- # iptables logging option. Must end with --log-prefix and some prefix
- # characters
- #
- # You may specify an alternative logging target by starting the
- # string with "-j ". E.g. "-j ULOG --ulog-prefix SFW2"
- #
- # Note that ULOG doesn't work with IPv6
- #
- # only change this if you know what you are doing!
- FW_LOG=""
- ## Type: yesno
- #
- # Do you want to enable additional kernel TCP/IP security features?
- # If set to yes, some obscure kernel options are set.
- # (icmp_ignore_bogus_error_responses, icmp_echoreply_rate,
- # icmp_destunreach_rate, icmp_paramprob_rate, icmp_timeexeed_rate,
- # ip_local_port_range, log_martians, rp_filter, routing flush,
- # bootp_relay, proxy_arp, secure_redirects, accept_source_route
- # icmp_echo_ignore_broadcasts, ipfrag_time)
- #
- # Tip: Set this to "no" until you have verified that you have got a
- # configuration which works for you. Then set this to "yes" and keep it
- # if everything still works. (It should!) ;-)
- #
- # Choice: "yes" or "no", if not set defaults to "yes"
- #
- FW_KERNEL_SECURITY=""
- ## Type: yesno
- #
- # Whether ip routing should be disabled when the firewall is shut
- # down.
- #
- # Note: IPv4 only, IPv6 sysctls are left untouched
- #
- # Requires: FW_ROUTE
- #
- # defaults to "no" if not set
- #
- FW_STOP_KEEP_ROUTING_STATE=""
- ## Type: yesno
- #
- # Allow the firewall to reply to icmp echo requests
- #
- # defaults to "yes" if not set
- #
- FW_ALLOW_PING_FW=""
- ## Type: yesno
- #
- # Allow hosts in the dmz to be pinged from hosts in other zones even
- # if neither FW_FORWARD nor FW_MASQUERADE is set
- #
- # Requires: FW_ROUTE
- #
- # defaults to "no" if not set
- #
- FW_ALLOW_PING_DMZ=""
- ## Type: yesno
- #
- # Allow hosts in the external zone to be pinged from hosts in other
- # zones even if neither FW_FORWARD nor FW_MASQUERADE is set
- #
- # Requires: FW_ROUTE
- #
- # defaults to "no" if not set
- #
- FW_ALLOW_PING_EXT=""
- ## Type: yesno
- #
- # Allow ICMP sourcequench from your ISP?
- #
- # If set to yes, the firewall will notice when connection is choking, however
- # this opens yourself to a denial of service attack. Choose your poison.
- #
- # Defaults to "yes" if not set
- #
- FW_ALLOW_FW_SOURCEQUENCH=""
- ## Type: string(yes,no)
- #
- # Allow IP Broadcasts?
- #
- # Whether the firewall allows broadcasts packets.
- # Broadcasts are used for e.g. for Netbios/Samba, RIP, OSPF and Games.
- #
- # If you want to drop broadcasts however ignore the annoying log entries, set
- # FW_IGNORE_FW_BROADCAST_* to yes.
- #
- # Note that if you allow specifc ports here it just means that broadcast
- # packets for that port are not dropped. You still need to set
- # FW_SERVICES_*_UDP to actually allow regular unicast packets to
- # reach the applications.
- #
- # Format: either
- # - "yes" or "no"
- # - list of udp destination ports
- #
- # Examples: - "631 137" allow broadcast packets on port 631 and 137
- # to enter the machine but drop any other broadcasts
- # - "yes" do not install any extra drop rules for
- # broadcast packets. They'll be treated just as unicast
- # packets in this case.
- # - "no" drop all broadcast packets before other filtering
- # rules
- #
- # defaults to "no" if not set
- #
- FW_ALLOW_FW_BROADCAST_EXT="no"
- ## Type: string
- #
- # see comments for FW_ALLOW_FW_BROADCAST_EXT
- FW_ALLOW_FW_BROADCAST_INT="no"
- ## Type: string
- #
- # see comments for FW_ALLOW_FW_BROADCAST_EXT
- FW_ALLOW_FW_BROADCAST_DMZ="no"
- ## Type: string(yes,no)
- #
- # Suppress logging of dropped broadcast packets. Useful if you don't allow
- # broadcasts on a LAN interface.
- #
- # This setting only affects packets that are not allowed according
- # to FW_ALLOW_FW_BROADCAST_*
- #
- # Format: either
- # - "yes" or "no"
- # - list of udp destination ports
- #
- # Examples: - "631 137" silently drop broadcast packets on port 631 and 137
- # - "yes" do not log dropped broadcast packets
- # - "no" log all dropped broadcast packets
- #
- #
- # defaults to "no" if not set
- FW_IGNORE_FW_BROADCAST_EXT="yes"
- ## Type: string
- #
- # see comments for FW_IGNORE_FW_BROADCAST_EXT
- FW_IGNORE_FW_BROADCAST_INT="no"
- ## Type: string
- #
- # see comments for FW_IGNORE_FW_BROADCAST_EXT
- FW_IGNORE_FW_BROADCAST_DMZ="no"
- ## Type: list(yes,no,int,ext,dmz,)
- #
- # Specifies whether routing between interfaces of the same zone should be allowed
- # Requires: FW_ROUTE="yes"
- #
- # Set this to allow routing between interfaces in the same zone,
- # e.g. between all internet interfaces, or all internal network
- # interfaces.
- #
- # Caution: Keep in mind that "yes" affects all zones. ie even if you
- # need inter-zone routing only in the internal zone setting this
- # parameter to "yes" would allow routing between all external
- # interfaces as well. It's better to use
- # FW_ALLOW_CLASS_ROUTING="int" in this case.
- #
- # Choice: "yes", "no", or space separate list of zone names
- #
- # Defaults to "no" if not set
- #
- FW_ALLOW_CLASS_ROUTING=""
- ## Type: string
- #
- # Do you want to load customary rules from a file?
- #
- # This is really an expert option. NO HELP WILL BE GIVEN FOR THIS!
- # READ THE EXAMPLE CUSTOMARY FILE AT /etc/sysconfig/scripts/SuSEfirewall2-custom
- #
- #FW_CUSTOMRULES="/etc/sysconfig/scripts/SuSEfirewall2-custom"
- FW_CUSTOMRULES=""
- ## Type: yesno
- #
- # Do you want to REJECT packets instead of DROPing?
- #
- # DROPing (which is the default) will make portscans and attacks much
- # slower, as no replies to the packets will be sent. REJECTing means, that
- # for every illegal packet, a connection reject packet is sent to the
- # sender.
- #
- # Choice: "yes" or "no", if not set defaults to "no"
- #
- # Defaults to "no" if not set
- #
- # You may override this value on a per zone basis by using a zone
- # specific variable, e.g. FW_REJECT_DMZ="yes"
- #
- FW_REJECT=""
- ## Type: yesno
- #
- # see FW_REJECT for description
- #
- # default config file setting is "yes" assuming that slowing down
- # portscans is not strictly required in the internal zone even if
- # you protect yourself from the internal zone
- #
- FW_REJECT_INT=""
- ## Type: string
- #
- # Tuning your upstream a little bit via HTB (Hierarchical Token Bucket)
- # for more information about HTB see http://www.lartc.org
- #
- # If your download collapses while you have a parallel upload,
- # this parameter might be an option for you. It manages your
- # upload stream and reserves bandwidth for special packets like
- # TCP ACK packets or interactive SSH.
- # It's a list of devices and maximum bandwidth in kbit.
- # For example, the german TDSL account, provides 128kbit/s upstream
- # and 768kbit/s downstream. We can only tune the upstream.
- #
- # Example:
- # If you want to tune a 128kbit/s upstream DSL device like german TDSL set
- # the following values:
- # FW_HTB_TUNE_DEV="dsl0,125"
- # where dsl0 is your pppoe device and 125 stands for 125kbit/s upstream
- #
- # you might wonder why 125kbit/s and not 128kbit/s. Well practically you'll
- # get a better performance if you keep the value a few percent under your
- # real maximum upload bandwidth, to prevent the DSL modem from queuing traffic in
- # it's own buffers because queing is done by us now.
- # So for a 256kbit upstream
- # FW_HTB_TUNE_DEV="dsl0,250"
- # might be a better value than "dsl0,256". There is no perfect value for a
- # special kind of modem. The perfect value depends on what kind of traffic you
- # have on your line but 5% under your maximum upstream might be a good start.
- # Everthing else is special fine tuning.
- # If you want to know more about the technical background,
- # http://tldp.org/HOWTO/ADSL-Bandwidth-Management-HOWTO/
- # is a good start
- #
- FW_HTB_TUNE_DEV=""
- ## Type: list(no,drop,reject)
- ## Default: drop
- #
- # What to do with IPv6 Packets?
- #
- # On older kernels ip6tables was not stateful so it's not possible to implement
- # the same features as for IPv4 on such machines. For these there are three
- # choices:
- #
- # - no: do not set any IPv6 rules at all. Your Host will allow any IPv6
- # traffic unless you setup your own rules.
- #
- # - drop: drop all IPv6 packets.
- #
- # - reject: reject all IPv6 packets. This is the default if stateful matching is
- # not available.
- #
- # Disallowing IPv6 packets may lead to long timeouts when connecting to IPv6
- # Adresses. See FW_IPv6_REJECT_OUTGOING to avoid this.
- #
- # Leave empty to automatically detect whether ip6tables supports stateful matching.
- #
- FW_IPv6=""
- ## Type: yesno
- ## Default: yes
- #
- # Reject outgoing IPv6 Packets?
- #
- # Set to yes to avoid timeouts because of dropped IPv6 Packets. This Option
- # does only make sense with FW_IPv6 != no
- #
- # Defaults to "yes" if not set
- #
- FW_IPv6_REJECT_OUTGOING=""
- ## Type: list(yes,no,int,ext,dmz,)
- ## Default: no
- #
- # Trust level of IPsec packets.
- #
- # You do not need to change this if you do not intend to run
- # services that should only be available trough an IPsec tunnel.
- #
- # The value specifies how much IPsec packets are trusted. 'int', 'ext' or 'dmz'
- # are the respective zones. 'yes' is the same as 'int. 'no' means that IPsec
- # packets belong to the same zone as the interface they arrive on.
- #
- # Note: you still need to explicitely allow IPsec traffic.
- # Example:
- # FW_IPSEC_TRUST="int"
- # FW_SERVICES_EXT_IP="esp"
- # FW_SERVICES_EXT_UDP="isakmp"
- # FW_PROTECT_FROM_INT="no"
- #
- # Defaults to "no" if not set
- #
- FW_IPSEC_TRUST="no"
- ## Type: string
- #
- # Define additional firewall zones
- #
- # The built-in zones INT, EXT and DMZ must not be listed here. Names
- # of additional zones must only contain lowercase ascii characters.
- # To define rules for the additional zone, take the approriate
- # variable for a built-in zone and substitute INT/EXT/DMZ with the
- # name of the additional zone.
- #
- # Example:
- # FW_ZONES="wlan"
- # FW_DEV_wlan="wlan0"
- # FW_SERVICES_wlan_TCP="80"
- # FW_ALLOW_FW_BROADCAST_wlan="yes"
- #
- FW_ZONES=""
- ## Type: string(no,auto)
- #
- # Set default firewall zone
- #
- # Format: 'auto', 'no' or name of zone.
- #
- # When set to 'no' no firewall rules will be installed for unknown
- # or unconfigured interfaces. That means traffic on such interfaces
- # hits the default drop rules.
- #
- # When left empty or when set to 'auto' the zone that has the
- # interface string 'any' configured is used for all unconfigured
- # interfaces (see FW_DEV_EXT). If no 'any' string was found the
- # external zone is used.
- #
- # When a default zone is defined a catch all rule redirects traffic
- # from interfaces that were not present at the time SuSEfirewall2
- # was run to the default zone. Normally SuSEfirewall2 needs to be
- # run if new interfaces appear to avoid such unknown interfaces.
- #
- # Defaults to 'auto' if not set
- #
- FW_ZONE_DEFAULT=''
- ## Type: list(yes,no,auto,)
- ## Default:
- #
- # Whether to use iptables-batch
- #
- # iptables-batch commits all rules in an almost atomic way similar
- # to iptables-restore. This avoids excessive iptables calls and race
- # conditions.
- #
- # Choice:
- # - yes: use iptables-batch if available and warn if it isn't
- # - no: don't use iptables-batch
- # - auto: use iptables-batch if available, silently fall back to
- # iptables if it isn't
- #
- # Defaults to "auto" if not set
- #
- FW_USE_IPTABLES_BATCH=""
- ## Type: string
- #
- # Which additional kernel modules to load at startup
- #
- # Example:
- # FW_LOAD_MODULES="nf_conntrack_netbios_ns"
- #
- # See also FW_SERVICES_ACCEPT_RELATED_EXT
- #
- FW_LOAD_MODULES="nf_conntrack_netbios_ns"
- ## Type: string
- ## Default:
- #
- # Bridge interfaces without IP address
- #
- # Traffic on bridge interfaces like the one used by xen appears to
- # enter and leave on the same interface. Add such interfaces here in
- # order to install special permitting rules for them.
- #
- # Format: list of interface names separated by space
- #
- # Note: this option is deprecated, use FW_FORWARD_ALLOW_BRIDGING instead
- #
- # Example:
- # FW_FORWARD_ALWAYS_INOUT_DEV="xenbr0"
- #
- FW_FORWARD_ALWAYS_INOUT_DEV=""
- ## Type: string
- #
- # Whether traffic that is only bridged but not routed should be
- # allowed. Such packets appear to pass though the forward chain so
- # normally they would be dropped.
- #
- # Note: it is not possible to configure SuSEfirewall2 as bridging
- # firewall. This option merely controls whether SuSEfirewall2 should
- # try to not interfere with bridges.
- #
- # Choice:
- # - yes: always install a rule to allow bridge traffic
- # - no: don't install a rule to allow bridge traffic
- # - auto: install rule only if there are bridge interfaces
- #
- # Defaults to "auto" if not set
- #
- FW_FORWARD_ALLOW_BRIDGING=""
- ## Type: yesno
- #
- # Write status information to /var/run/SuSEfirewall2/status for use
- # by e.g. graphical user interfaces. Can safely be disabled on
- # servers.
- #
- # Defaults to "yes" if not set
- #
- FW_WRITE_STATUS=""
- ## Type: yesno
- #
- # Allow dynamic configuration overrides in
- # /var/run/SuSEfirewall2/override for use by e.g. graphical user
- # interfaces. Can safely be disabled on servers.
- #
- # Defaults to "yes" if not set
- #
- FW_RUNTIME_OVERRIDE=""
- ## Type: yesno
- #
- # Install NOTRACK target for interface lo in the raw table. Doing so
- # speeds up packet processing on the loopback interface. This breaks
- # certain firewall setups that need to e.g. redirect outgoing
- # packets via custom rules on the local machine.
- #
- # Defaults to "yes" if not set
- #
- FW_LO_NOTRACK=""
- ## Type: yesno
- #
- # Specifies whether /etc/init.d/SuSEfirewall2_init should install the
- # full rule set already. Default is to just install minimum rules
- # that block incoming traffic. Set to "yes" if you use services
- # such as drbd that require open ports during boot already.
- #
- # Defaults to "no" if not set
- #
- FW_BOOT_FULL_INIT=""
Advertisement
Add Comment
Please, Sign In to add comment
Advertisement