bvn13

Untitled

Dec 3rd, 2012
  1. # Copyright (c) 2000-2002 SuSE GmbH Nuernberg, Germany
  2. # Copyright (c) 2003,2004 SuSE Linux AG Nuernberg, Germany
  3. # Copyright (c) 2005-2011 SUSE LINUX Products GmbH Nuernberg, Germany
  4. #
  5. # Author: Marc Heuse, 2002
  6. # Ludwig Nussel, 2004-2011
  7. #
  8. # /etc/sysconfig/SuSEfirewall2
  9. #
  10. # for use with /sbin/SuSEfirewall2 version 3.6
  11. #
  12. # ------------------------------------------------------------------------
  13. #
  14. # Note that running a packet filter/firewall is no panacea against
  15. # network security threats. Make sure to
  16. #
  17. # - expose only actually needed services
  18. # - assign different zones to express different levels of trust.
  19. # Opening ports for LAN services in the external zone defeats the
  20. # purpose of the firewall!
  21. # - use software that is designed with security in mind (such as
  22. # postfix, vsftpd, openssh)
  23. # - install security updates regularly
  24. #
  25. # ------------------------------------------------------------------------
  26. #
  27. # Configuration Hints:
  28. #
  29. # Note that while this file looks like a shell script and is parsed
  30. # by a shell script it actually is not a shell script itself. More
  31. # information about sysconfig files can be found here:
  32. # http://en.opensuse.org/Packaging/SUSE_Package_Conventions/Sysconfig
  33. # It's generally a good idea to avoid using shell variable
  34. # substitution (foo="$bar") and multi line values.
  35. #
  36. # If you have any problems configuring this file, take a look at
  37. # /usr/share/doc/packages/SuSEfirewall2/EXAMPLES or use YaST
  38. #
  39. # For end user systems that are only connected to one network
  40. # FW_DEV_EXT and maybe FW_CONFIGURATIONS_EXT to open some ports need
  41. # to be modified. The defaults for all other settings are usually
  42. # fine.
  43. #
  44. # For firewalls that should perform routing or masquerading between
  45. # networks the settings FW_DEV_EXT, FW_DEV_INT, FW_ROUTE, FW_MASQUERADE,
  46. # FW_SERVICES_EXT_TCP, and maybe FW_SERVICES_ACCEPT_EXT, FW_FORWARD,
  47. # FW_FORWARD_MASQ
  48. #
  49. # Please note that if you use service names, they have to exist in
  50. # /etc/services. There is for example no service "dns", it's called
  51. # "domain"; email is called "smtp" etc.
  52. #
  53. # ------------------------------------------------------------------------
  54.  
  55. ## Path: Network/Firewall/SuSEfirewall2
  56. ## Description: SuSEfirewall2 configuration
  57. ## Type: string
  58. #
  59. # Which are the interfaces that point to the internet/untrusted
  60. # networks?
  61. #
  62. # Enter all untrusted network devices here
  63. #
  64. # Format: space separated list of interface or configuration names
  65. #
  66. # The special keyword "any" means that packets arriving on interfaces not
  67. # explicitly configured as int, ext or dmz will be considered external. Note:
  68. # this setting only works for packets destined for the local machine. If you
  69. # want forwarding or masquerading you still have to add the external interfaces
  70. # individually. "any" can be mixed with other interface names.
  71. #
  72. # Examples: "wlan0", "ippp0 ippp1", "any dsl0"
  73. #
  74. # Note: alias interfaces (like eth0:1) are ignored
  75. #
  76. FW_DEV_EXT="modem0"
  77.  
  78. ## Type: string
  79. #
  80. # Which are the interfaces that point to the internal network?
  81. #
  82. # Enter all trusted network interfaces here. If you are not
  83. # connected to a trusted network (e.g. you have just a dialup) leave
  84. # this empty.
  85. #
  86. # Format: space separated list of interface or configuration names
  87. #
  88. # Examples: "tr0", "eth0 eth1"
  89. #
  90. FW_DEV_INT=""
  91.  
  92. ## Type: string
  93. #
  94. # Which are the interfaces that point to the dmz or dialup network?
  95. #
  96. # Enter all the network devices here which point to the dmz/dialups.
  97. # A "dmz" is a special, seperated network, which is only connected
  98. # to the firewall, and should be reachable from the internet to
  99. # provide services, e.g. WWW, Mail, etc. and hence is at risk from
  100. # attacks. See /usr/share/doc/packages/SuSEfirewall2/EXAMPLES for an
  101. # example.
  102. #
  103. # Note: You have to configure FW_FORWARD to define the services
  104. # which should be available to the internet and set FW_ROUTE to yes.
  105. #
  106. # Format: space separated list of interface or configuration names
  107. #
  108. # Examples: "tr0", "eth0 eth1"
  109. #
  110. FW_DEV_DMZ=""
  111.  
  112. ## Type: yesno
  113. #
  114. # Should routing between the internet, dmz and internal network be
  115. # activated?
  116. #
  117. # Set this to "yes" if you either want to masquerade internal
  118. # machines or allow access to the dmz (or internal machines, but
  119. # this is not a good idea).
  120. #
  121. # This option overrides IP_FORWARD from /etc/sysconfig/sysctl and
  122. # net.ipv4.ip_forward settings in /etc/sysctl.conf
  123. # Note: IPv4 only. The IPv6 forwarding sysctl has to be turned on
  124. # manually.
  125. #
  126. # Setting this option one alone doesn't do anything. Either activate
  127. # masquerading with FW_MASQUERADE below if you want to masquerade
  128. # your internal network to the internet, or configure FW_FORWARD to
  129. # define what is allowed to be forwarded. You also need to define
  130. # internal or dmz interfaces in FW_DEV_INT or FW_DEV_DMZ.
  131. #
  132. # defaults to "no" if not set
  133. #
  134. FW_ROUTE="no"
  135.  
  136. ## Type: yesno
  137. #
  138. # Do you want to masquerade internal networks to the outside?
  139. #
  140. # Requires: FW_DEV_INT or FW_DEV_DMZ, FW_ROUTE, FW_MASQ_DEV
  141. #
  142. # "Masquerading" means that all your internal machines which use
  143. # services on the internet seem to come from your firewall. Please
  144. # note that it is more secure to communicate via proxies to the
  145. # internet than to use masquerading.
  146. #
  147. # This option is required for FW_MASQ_NETS and FW_FORWARD_MASQ.
  148. #
  149. # defaults to "no" if not set
  150. #
  151. FW_MASQUERADE="no"
  152.  
  153. ## Type: string
  154. #
  155. # You also have to define on which interfaces to masquerade on.
  156. # Those are usually the same as the external interfaces. Most users
  157. # can leave the default.
  158. #
  159. # The special string "zone:" concatenated with the name of a zone
  160. # means to take all interfaces in the specified zone.
  161. #
  162. # Note: Old version of SuSEfirewall2 used a shell variable
  163. # ($FW_DEV_EXT) here. That method is deprecated as it breaks auto
  164. # detection of interfaces. Please use zone:ext instead.
  165. #
  166. # Examples: "ippp0", "zone:dmz"
  167. #
  168. # defaults to "zone:ext" if not set
  169. #
  170. FW_MASQ_DEV=""
  171.  
  172. ## Type: string
  173. #
  174. # Which internal computers/networks are allowed to access the
  175. # internet via masquerading (not via proxys on the firewall)?
  176. #
  177. # Format: space separated list of
  178. # <source network>[,<destination network>,<protocol>[,port[:port]]
  179. #
  180. # If the protocol is icmp then port is interpreted as icmp type
  181. #
  182. # Examples: - "0/0" unrestricted access to the internet
  183. # - "10.0.0.0/8" allows the whole 10.0.0.0 network with
  184. # unrestricted access.
  185. # - "10.0.1.0/24,0/0,tcp,80 10.0.1.0/24,0/0,tcp,21" allows
  186. # the 10.0.1.0 network to use www/ftp to the internet. -
  187. # - "10.0.1.0/24,0/0,tcp,1024:65535 10.0.2.0/24" the
  188. # 10.0.1.0/24 network is allowed to access unprivileged
  189. # ports whereas 10.0.2.0/24 is granted unrestricted
  190. # access.
  191. # - "0/0,!10.0.0.0/8" unrestricted access to the internet
  192. # with the exception of 10.0.0.8 which will not be
  193. # masqueraded.
  194. #
  195. FW_MASQ_NETS=""
  196.  
  197. ## Type: string
  198. #
  199. # Which computers/networks to exclude from masquerading.
  200. #
  201. # Note that this only affects the POSTROUTING chain of the nat
  202. # table. Ie the forwarding rules installed by FW_MASQ_NETS do not
  203. # include the listed exceptions.
  204. # *** Since you may use FW_NOMASQ_NETS together with IPsec make sure
  205. # that the policy database is loaded even when the tunnel is not up
  206. # yet. Otherwise packets to the listed networks will be forwarded to
  207. # the internet unencrypted! ***
  208. #
  209. # Format: space separated list of
  210. # <source network>[,<destination network>,<protocol>[,port[:port]]
  211. #
  212. # If the protocol is icmp then port is interpreted as icmp type
  213. #
  214. # Examples: - "0/0,10.0.0.0/8" do not masquerade packets from
  215. # anywhere to the 10.0.0.0/8 network
  216. #
  217. FW_NOMASQ_NETS=""
  218.  
  219. ## Type: list(yes,no,notrack)
  220. ## Default: no
  221. #
  222. # Do you want to protect the firewall from the internal network?
  223. # Requires: FW_DEV_INT
  224. #
  225. # If you set this to "yes", internal machines may only access
  226. # services on the firewall you explicitly allow. If you set this to
  227. # "no", any internal user can connect (and attack) any service on
  228. # the firewall.
  229. #
  230. # The value "notrack" acts similar to "no" but additionally
  231. # connection tracking is switched off for interfaces in the zone.
  232. # This is useful to gain better performance on high speed
  233. # interfaces.
  234. #
  235. # defaults to "yes" if not set
  236. #
  237. # see also FW_REJECT_INT
  238. #
  239. FW_PROTECT_FROM_INT="no"
  240.  
  241. ## Type: string
  242. #
  243. # Which TCP services _on the firewall_ should be accessible from
  244. # untrusted networks?
  245. #
  246. # Format: space separated list of ports, port ranges or well known
  247. # service names (see /etc/services)
  248. #
  249. # Examples: "ssh", "123 514", "3200:3299", "ftp 22 telnet 512:514"
  250. #
  251. # Note: this setting has precedence over FW_SERVICES_ACCEPT_*
  252. #
  253. FW_SERVICES_EXT_TCP=""
  254.  
  255. ## Type: string
  256. #
  257. # Which UDP services _on the firewall_ should be accessible from
  258. # untrusted networks?
  259. #
  260. # Format: space separated list of ports, port ranges or well known
  261. # service names (see /etc/services)
  262. #
  263. # Example: "53", "syslog"
  264. #
  265. # Note: this setting has precedence over FW_SERVICES_ACCEPT_*
  266. #
  267. FW_SERVICES_EXT_UDP=""
  268.  
  269. ## Type: string
  270. #
  271. # Which IP services _on the firewall_ should be accessible from
  272. # untrusted networks?
  273. #
  274. # Usually for VPN/Routing services that END at the firewall like
  275. # IPsec, GRE, PPTP or OSPF
  276. #
  277. # Format: space separated list of ports, port ranges or well known
  278. # protocol names (see /etc/protocols)
  279. #
  280. # Example: "esp"
  281. #
  282. # Note: this setting has precedence over FW_SERVICES_ACCEPT_*
  283. #
  284. FW_SERVICES_EXT_IP=""
  285.  
  286. ## Type: string
  287. #
  288. # Which RPC services _on the firewall_ should be accessible from
  289. # untrusted networks?
  290. #
  291. # Port numbers of RPC services are dynamically assigned by the
  292. # portmapper. Therefore "rpcinfo -p localhost" has to be used to
  293. # automatically determine the currently assigned port for the
  294. # services specified here.
  295. #
  296. # USE WITH CAUTION!
  297. # regular users can register rpc services and therefore may be able
  298. # to have SuSEfirewall2 open arbitrary ports
  299. #
  300. # Example: "mountd nfs"
  301. #
  302. # Note: this setting has precedence over FW_SERVICES_ACCEPT_*
  303. #
  304. FW_SERVICES_EXT_RPC=""
  305.  
  306. ## Type: string
  307. #
  308. # Which services _on the firewall_ should be accessible from
  309. # untrusted networks?
  310. #
  311. # Packages can drop a configuration file that specifies all required
  312. # ports into /etc/sysconfig/SuSEfirewall2.d/services. That is handy for
  313. # services that require multiple ports or protocols. Enter the space
  314. # separated list of configuration files you want to load.
  315. #
  316. # The content of those files is merged into
  317. # FW_SERVICES_$zone_$protocol, ie has precedence over
  318. # FW_SERVICES_ACCEPT_*
  319. #
  320. # Example: "samba-server nfs-kernel-server"
  321. FW_CONFIGURATIONS_EXT="sshd"
  322.  
  323. ## Type: string
  324. #
  325. # see comments for FW_SERVICES_EXT_TCP
  326. FW_SERVICES_DMZ_TCP=""
  327.  
  328. ## Type: string
  329. #
  330. # see comments for FW_SERVICES_EXT_UDP
  331. FW_SERVICES_DMZ_UDP=""
  332.  
  333. ## Type: string
  334. #
  335. # see comments for FW_SERVICES_EXT_IP
  336. FW_SERVICES_DMZ_IP=""
  337.  
  338. ## Type: string
  339. #
  340. # see comments for FW_SERVICES_EXT_RPC
  341. FW_SERVICES_DMZ_RPC=""
  342.  
  343. ## Type: string
  344. #
  345. # see comments for FW_CONFIGURATIONS_EXT
  346. FW_CONFIGURATIONS_DMZ="sshd"
  347.  
  348. ## Type: string
  349. #
  350. # see comments for FW_SERVICES_EXT_TCP
  351. FW_SERVICES_INT_TCP=""
  352.  
  353. ## Type: string
  354. #
  355. # see comments for FW_SERVICES_EXT_UDP
  356. FW_SERVICES_INT_UDP=""
  357.  
  358. ## Type: string
  359. #
  360. # see comments for FW_SERVICES_EXT_IP
  361. FW_SERVICES_INT_IP=""
  362.  
  363. ## Type: string
  364. #
  365. # see comments for FW_SERVICES_EXT_RPC
  366. FW_SERVICES_INT_RPC=""
  367.  
  368. ## Type: string
  369. #
  370. # see comments for FW_CONFIGURATIONS_EXT
  371. FW_CONFIGURATIONS_INT="sshd"
  372.  
  373. ## Type: string
  374. #
  375. # Packets to drop.
  376. #
  377. # Format: space separated list of net,protocol[,port][,sport]
  378. # Example: "0/0,tcp,445 0/0,udp,4662"
  379. #
  380. # The special value _rpc_ is recognized as protocol and means that dport is
  381. # interpreted as rpc service name. See FW_SERVICES_EXT_RPC for
  382. # details.
  383. #
  384. # Note: In older SuSEfirewall2 version this setting took place after
  385. # FW_SERVICES_ACCEPT_*, now it takes precedence.
  386. #
  387. FW_SERVICES_DROP_EXT=""
  388.  
  389. ## Type: string
  390. #
  391. # see FW_SERVICES_DROP_EXT
  392. FW_SERVICES_DROP_DMZ=""
  393.  
  394. ## Type: string
  395. #
  396. # see FW_SERVICES_DROP_EXT
  397. FW_SERVICES_DROP_INT=""
  398.  
  399. ## Type: string
  400. ## Default:
  401. #
  402. # Packets to reject. Common usage is TCP port 113 which if dropped
  403. # would cause long timeouts when sending mail or connecting to IRC
  404. # servers.
  405. #
  406. # Format: space separated list of net,protocol[,dport][,sport]
  407. # Example: "0/0,tcp,113"
  408. #
  409. # The special value _rpc_ is recognized as protocol and means that dport is
  410. # interpreted as rpc service name. See FW_SERVICES_EXT_RPC for
  411. # details.
  412. #
  413. # Note: In older SuSEfirewall2 version this setting took place after
  414. # FW_SERVICES_ACCEPT_*, now it takes precedence.
  415. #
  416. FW_SERVICES_REJECT_EXT=""
  417.  
  418. ## Type: string
  419. #
  420. # see FW_SERVICES_REJECT_EXT
  421. FW_SERVICES_REJECT_DMZ=""
  422.  
  423. ## Type: string
  424. #
  425. # see FW_SERVICES_REJECT_EXT
  426. FW_SERVICES_REJECT_INT=""
  427.  
  428. ## Type: string
  429. ## Default:
  430. #
  431. # Services to allow. This is a more generic form of FW_SERVICES_XXX_{IP,UDP,TCP}
  432. # and more specific than FW_TRUSTED_NETS
  433. #
  434. # Format: space separated list of net,protocol[,dport[,sport[,flags]]]
  435. # Example: "0/0,tcp,22"
  436. #
  437. # Supported flags are
  438. # hitcount=NUMBER : ipt_recent --hitcount parameter
  439. # blockseconds=NUMBER : ipt_recent --seconds parameter
  440. # recentname=NAME : ipt_recent --name parameter
  441. # Example:
  442. # Allow max three ssh connects per minute from the same IP address:
  443. # "0/0,tcp,22,,hitcount=3,blockseconds=60,recentname=ssh"
  444. #
  445. # The special value _rpc_ is recognized as protocol and means that dport is
  446. # interpreted as rpc service name. See FW_SERVICES_EXT_RPC for
  447. # details.
  448. #
  449. # Note1: keep in mind that FW_SERVICES_EXT_TCP, FW_SERVICES_EXT_UDP
  450. # take precedence over FW_SERVICES_ACCEPT_EXT so don't open the same
  451. # port with both options.
  452. #
  453. # Note2: the iptables recent module may not be available for ipv6. To
  454. # avoid an error message use 0.0.0.0/0 instead of 0/0. This will
  455. # install the rule for ipv4 only.
  456. #
  457. FW_SERVICES_ACCEPT_EXT=""
  458.  
  459. ## Type: string
  460. #
  461. # see FW_SERVICES_ACCEPT_EXT
  462. FW_SERVICES_ACCEPT_DMZ=""
  463.  
  464. ## Type: string
  465. #
  466. # see FW_SERVICES_ACCEPT_EXT
  467. FW_SERVICES_ACCEPT_INT=""
  468.  
  469. ## Type: string
  470. ## Default:
  471. #
  472. # Services to allow that are considered RELATED by the connection tracking
  473. # engine.
  474. #
  475. # Format: space separated list of net,protocol[,sport[,dport]]
  476. #
  477. # Example:
  478. # Allow samba broadcast replies marked as related by
  479. # nf_conntrack_netbios_ns from a certain network:
  480. # "192.168.1.0/24,udp,137"
  481. #
  482. # See also FW_LOAD_MODULES
  483. #
  484. FW_SERVICES_ACCEPT_RELATED_EXT=""
  485.  
  486. ## Type: string
  487. #
  488. # see FW_SERVICES_ACCEPT_RELATED_EXT
  489. FW_SERVICES_ACCEPT_RELATED_DMZ=""
  490.  
  491. ## Type: string
  492. #
  493. # see FW_SERVICES_ACCEPT_RELATED_EXT
  494. FW_SERVICES_ACCEPT_RELATED_INT=""
  495.  
  496. ## Type: string
  497. #
  498. # Which services should be accessible from 'trusted' hosts or nets?
  499. #
  500. # Define trusted hosts or networks (doesn't matter whether they are internal or
  501. # external) and the services (tcp,udp,icmp) they are allowed to use. This can
  502. # be used instead of FW_SERVICES_* for further access restriction. Please note
  503. # that this is no replacement for authentication since IP addresses can be
  504. # spoofed. Also note that trusted hosts/nets are not allowed to ping the
  505. # firewall until you also permit icmp.
  506. #
  507. # Format: space separated list of network[,protocol[,port]]
  508. # in case of icmp, port means the icmp type
  509. #
  510. # Example: "172.20.1.1 172.20.0.0/16 1.1.1.1,icmp 2.2.2.2,tcp,22"
  511. #
  512. FW_TRUSTED_NETS=""
  513.  
  514. ## Type: string
  515. #
  516. # Which services or networks are allowed to be routed through the
  517. # firewall, no matter which zone they are in?
  518. # Requires: FW_ROUTE
  519. #
  520. # With this option you may allow access to e.g. your mailserver. The
  521. # machines must have valid, non-private, IP addresses which were
  522. # assigned to you by your ISP. This opens a direct link to the
  523. # specified network, so please think twice befor using this option!
  524. #
  525. # Format: space separated list of
  526. # <source network>,<destination network>[,protocol[,destination port[,flags]]]
  527. #
  528. # If the protocol is icmp then port is interpreted as icmp type
  529. #
  530. # flags, separated by comma:
  531. # ipsec:
  532. # match packets that originate from an IPsec tunnel
  533. # zonein=ZONE, zoneout=ZONE:
  534. # match only packets coming in/going out on interfaces from
  535. # the specified zone.
  536. #
  537. # Examples: - "1.1.1.1,2.2.2.2" allow the host 1.1.1.1 to access any
  538. # service on the host 2.2.2.2
  539. # - "3.3.3.3/16,4.4.4.4/24" allow the network 3.3.3.3/16
  540. # to access any service in the network 4.4.4.4/24
  541. # - "5.5.5.5,6.6.6.6,igmp" allow routing of IGMP messages
  542. # from 5.5.5.5 to 6.6.6.6
  543. # - "0/0,0/0,udp,514" always permit udp port 514 to pass
  544. # the firewall
  545. # - "192.168.1.0/24,10.10.0.0/16,,,ipsec \
  546. # 10.10.0.0/16,192.168.1.0/24,,,ipsec" permit traffic
  547. # from 192.168.1.0/24 to 10.10.0.0/16 and vice versa
  548. # provided that both networks are connected via an
  549. # IPsec tunnel.
  550. # - "fd76:9dbb:91a3:1::/64,fd76:9dbb:91a3:4::/64,tcp,ssh"
  551. # allow ssh from one IPv6 network to another
  552. #
  553. FW_FORWARD=""
  554.  
  555. ## Type: string
  556. #
  557. # same as FW_FORWARD but packages are rejected instead of accepted
  558. #
  559. # Requires: FW_ROUTE
  560. #
  561. FW_FORWARD_REJECT=""
  562.  
  563. ## Type: string
  564. #
  565. # same as FW_FORWARD but packages are dropped instead of accepted
  566. #
  567. # Requires: FW_ROUTE
  568. #
  569. FW_FORWARD_DROP=""
  570.  
  571. ## Type: string
  572. #
  573. # Which services accessed from the internet should be allowed to masqueraded
  574. # servers (on the internal network or dmz)?
  575. # Requires: FW_ROUTE
  576. #
  577. # With this option you may allow access to e.g. your mailserver. The
  578. # machines must be in a masqueraded segment and may not have public
  579. # IP addesses! Hint: if FW_DEV_MASQ is set to the external interface
  580. # you have to set FW_FORWARD from internal to DMZ for the service as
  581. # well to allow access from internal!
  582. #
  583. # Please note that this should *not* be used for security reasons!
  584. # You are opening a hole to your precious internal network. If e.g.
  585. # the webserver there is compromised - your full internal network is
  586. # compromised!
  587. #
  588. # Format: space separated list of
  589. # <source network>,<ip to forward to>,<protocol>,<port>[,redirect port,[destination ip]]
  590. #
  591. # Protocol must be either tcp or udp
  592. #
  593. # Examples: - "4.0.0.0/8,10.0.0.10,tcp,80" forward all tcp request on
  594. # port 80 coming from the 4.0.0.0/8 network to the
  595. # internal server 10.10.0.10
  596. # - "4.0.0.0/8,10.0.0.10,tcp,80,81" forward all tcp request on
  597. # port 80 coming from the 4.0.0.0/8 network to the
  598. # internal server 10.10.0.10 on port 81
  599. # - "200.200.200.0/24,10.0.0.10,tcp,80,81,202.202.202.202"
  600. # the network 200.200.200.0/24 trying to access the
  601. # address 202.202.202.202 on port 80 will be forwarded
  602. # to the internal server 10.0.0.10 on port 81
  603. #
  604. # Note: du to inconsistent iptables behaviour only port numbers are possible
  605. # but no service names (http://bugzilla.netfilter.org/show_bug.cgi?id=273)
  606. #
  607. FW_FORWARD_MASQ=""
  608.  
  609. ## Type: string
  610. #
  611. # Which accesses to services should be redirected to a local port on
  612. # the firewall machine?
  613. #
  614. # This option can be used to force all internal users to surf via
  615. # your squid proxy, or transparently redirect incoming webtraffic to
  616. # a secure webserver.
  617. #
  618. # Format: list of <source network>[,<destination network>,<protocol>[,dport[:lport]]
  619. # Where protocol is either tcp or udp. dport is the original
  620. # destination port and lport the port on the local machine to
  621. # redirect the traffic to
  622. #
  623. # An exclamation mark in front of source or destination network
  624. # means everything EXCEPT the specified network
  625. #
  626. # Example: "10.0.0.0/8,0/0,tcp,80,3128 0/0,172.20.1.1,tcp,80,8080"
  627. #
  628. # Note: contrary to previous SuSEfirewall2 versions it is no longer necessary
  629. # to additionally open the local port
  630. FW_REDIRECT=""
  631.  
  632. ## Type: yesno
  633. #
  634. # Which kind of packets should be logged?
  635. #
  636. # When set to "yes", packages that got dropped and are considered
  637. # 'critical' will be logged. Such packets include for example
  638. # spoofed packets, tcp connection requests and certain icmp types.
  639. #
  640. # defaults to "yes" if not set
  641. #
  642. FW_LOG_DROP_CRIT="yes"
  643.  
  644. ## Type: yesno
  645. #
  646. # whether all dropped packets should be logged
  647. #
  648. # Note: for broadcasts to be logged you also need to set
  649. # FW_IGNORE_FW_BROADCAST_* to 'no'
  650. #
  651. # defaults to "no" if not set
  652. #
  653. FW_LOG_DROP_ALL="no"
  654.  
  655. ## Type: yesno
  656. #
  657. # When set to "yes", packages that got accepted and are considered
  658. # 'critical' will be logged. Such packets include for example tcp
  659. # connection requests, rpc connection requests and forwarded pakets.
  660. #
  661. # Set to "no" for on systems with high traffic
  662. #
  663. # defaults to "no" if not set
  664. #
  665. FW_LOG_ACCEPT_CRIT="yes"
  666.  
  667. ## Type: yesno
  668. #
  669. # whether all accepted packets should be logged
  670. #
  671. # Note: setting this to 'yes' causes _LOTS_ of log entries and may
  672. # fill your disk quickly. It also disables FW_LOG_LIMIT
  673. #
  674. # defaults to "no" if not set
  675. #
  676. FW_LOG_ACCEPT_ALL="no"
  677.  
  678. ## Type: string
  679. #
  680. # How many packets per time unit get logged for each logging rule.
  681. # When empty a default of 3/minute is used to prevent port scans
  682. # flooding your log files. For desktop usage it's a good idea to
  683. # have the limit, if you are using logfile analysis tools however
  684. # you might want to disable it.
  685. #
  686. # Set to 'no' to disable the rate limit. Setting FW_LOG_ACCEPT_ALL
  687. # to 'yes' disables this option as well.
  688. #
  689. # Format: a digit and suffix /second, /minute, /hour or /day
  690. FW_LOG_LIMIT=""
  691.  
  692. ## Type: string
  693. #
  694. # iptables logging option. Must end with --log-prefix and some prefix
  695. # characters
  696. #
  697. # You may specify an alternative logging target by starting the
  698. # string with "-j ". E.g. "-j ULOG --ulog-prefix SFW2"
  699. #
  700. # Note that ULOG doesn't work with IPv6
  701. #
  702. # only change this if you know what you are doing!
  703. FW_LOG=""
  704.  
  705. ## Type: yesno
  706. #
  707. # Do you want to enable additional kernel TCP/IP security features?
  708. # If set to yes, some obscure kernel options are set.
  709. # (icmp_ignore_bogus_error_responses, icmp_echoreply_rate,
  710. # icmp_destunreach_rate, icmp_paramprob_rate, icmp_timeexeed_rate,
  711. # ip_local_port_range, log_martians, rp_filter, routing flush,
  712. # bootp_relay, proxy_arp, secure_redirects, accept_source_route
  713. # icmp_echo_ignore_broadcasts, ipfrag_time)
  714. #
  715. # Tip: Set this to "no" until you have verified that you have got a
  716. # configuration which works for you. Then set this to "yes" and keep it
  717. # if everything still works. (It should!) ;-)
  718. #
  719. # Choice: "yes" or "no", if not set defaults to "yes"
  720. #
  721. FW_KERNEL_SECURITY=""
  722.  
  723. ## Type: yesno
  724. #
  725. # Whether ip routing should be disabled when the firewall is shut
  726. # down.
  727. #
  728. # Note: IPv4 only, IPv6 sysctls are left untouched
  729. #
  730. # Requires: FW_ROUTE
  731. #
  732. # defaults to "no" if not set
  733. #
  734. FW_STOP_KEEP_ROUTING_STATE=""
  735.  
  736. ## Type: yesno
  737. #
  738. # Allow the firewall to reply to icmp echo requests
  739. #
  740. # defaults to "yes" if not set
  741. #
  742. FW_ALLOW_PING_FW=""
  743.  
  744. ## Type: yesno
  745. #
  746. # Allow hosts in the dmz to be pinged from hosts in other zones even
  747. # if neither FW_FORWARD nor FW_MASQUERADE is set
  748. #
  749. # Requires: FW_ROUTE
  750. #
  751. # defaults to "no" if not set
  752. #
  753. FW_ALLOW_PING_DMZ=""
  754.  
  755. ## Type: yesno
  756. #
  757. # Allow hosts in the external zone to be pinged from hosts in other
  758. # zones even if neither FW_FORWARD nor FW_MASQUERADE is set
  759. #
  760. # Requires: FW_ROUTE
  761. #
  762. # defaults to "no" if not set
  763. #
  764. FW_ALLOW_PING_EXT=""
  765.  
  766. ## Type: yesno
  767. #
  768. # Allow ICMP sourcequench from your ISP?
  769. #
  770. # If set to yes, the firewall will notice when connection is choking, however
  771. # this opens yourself to a denial of service attack. Choose your poison.
  772. #
  773. # Defaults to "yes" if not set
  774. #
  775. FW_ALLOW_FW_SOURCEQUENCH=""
  776.  
  777. ## Type: string(yes,no)
  778. #
  779. # Allow IP Broadcasts?
  780. #
  781. # Whether the firewall allows broadcasts packets.
  782. # Broadcasts are used for e.g. for Netbios/Samba, RIP, OSPF and Games.
  783. #
  784. # If you want to drop broadcasts however ignore the annoying log entries, set
  785. # FW_IGNORE_FW_BROADCAST_* to yes.
  786. #
  787. # Note that if you allow specifc ports here it just means that broadcast
  788. # packets for that port are not dropped. You still need to set
  789. # FW_SERVICES_*_UDP to actually allow regular unicast packets to
  790. # reach the applications.
  791. #
  792. # Format: either
  793. # - "yes" or "no"
  794. # - list of udp destination ports
  795. #
  796. # Examples: - "631 137" allow broadcast packets on port 631 and 137
  797. # to enter the machine but drop any other broadcasts
  798. # - "yes" do not install any extra drop rules for
  799. # broadcast packets. They'll be treated just as unicast
  800. # packets in this case.
  801. # - "no" drop all broadcast packets before other filtering
  802. # rules
  803. #
  804. # defaults to "no" if not set
  805. #
  806. FW_ALLOW_FW_BROADCAST_EXT="no"
  807.  
  808. ## Type: string
  809. #
  810. # see comments for FW_ALLOW_FW_BROADCAST_EXT
  811. FW_ALLOW_FW_BROADCAST_INT="no"
  812.  
  813. ## Type: string
  814. #
  815. # see comments for FW_ALLOW_FW_BROADCAST_EXT
  816. FW_ALLOW_FW_BROADCAST_DMZ="no"
  817.  
  818. ## Type: string(yes,no)
  819. #
  820. # Suppress logging of dropped broadcast packets. Useful if you don't allow
  821. # broadcasts on a LAN interface.
  822. #
  823. # This setting only affects packets that are not allowed according
  824. # to FW_ALLOW_FW_BROADCAST_*
  825. #
  826. # Format: either
  827. # - "yes" or "no"
  828. # - list of udp destination ports
  829. #
  830. # Examples: - "631 137" silently drop broadcast packets on port 631 and 137
  831. # - "yes" do not log dropped broadcast packets
  832. # - "no" log all dropped broadcast packets
  833. #
  834. #
  835. # defaults to "no" if not set
  836. FW_IGNORE_FW_BROADCAST_EXT="yes"
  837.  
  838. ## Type: string
  839. #
  840. # see comments for FW_IGNORE_FW_BROADCAST_EXT
  841. FW_IGNORE_FW_BROADCAST_INT="no"
  842.  
  843. ## Type: string
  844. #
  845. # see comments for FW_IGNORE_FW_BROADCAST_EXT
  846. FW_IGNORE_FW_BROADCAST_DMZ="no"
  847.  
  848. ## Type: list(yes,no,int,ext,dmz,)
  849. #
  850. # Specifies whether routing between interfaces of the same zone should be allowed
  851. # Requires: FW_ROUTE="yes"
  852. #
  853. # Set this to allow routing between interfaces in the same zone,
  854. # e.g. between all internet interfaces, or all internal network
  855. # interfaces.
  856. #
  857. # Caution: Keep in mind that "yes" affects all zones. ie even if you
  858. # need inter-zone routing only in the internal zone setting this
  859. # parameter to "yes" would allow routing between all external
  860. # interfaces as well. It's better to use
  861. # FW_ALLOW_CLASS_ROUTING="int" in this case.
  862. #
  863. # Choice: "yes", "no", or space separate list of zone names
  864. #
  865. # Defaults to "no" if not set
  866. #
  867. FW_ALLOW_CLASS_ROUTING=""
  868.  
  869. ## Type: string
  870. #
  871. # Do you want to load customary rules from a file?
  872. #
  873. # This is really an expert option. NO HELP WILL BE GIVEN FOR THIS!
  874. # READ THE EXAMPLE CUSTOMARY FILE AT /etc/sysconfig/scripts/SuSEfirewall2-custom
  875. #
  876. #FW_CUSTOMRULES="/etc/sysconfig/scripts/SuSEfirewall2-custom"
  877. FW_CUSTOMRULES=""
  878.  
  879. ## Type: yesno
  880. #
  881. # Do you want to REJECT packets instead of DROPing?
  882. #
  883. # DROPing (which is the default) will make portscans and attacks much
  884. # slower, as no replies to the packets will be sent. REJECTing means, that
  885. # for every illegal packet, a connection reject packet is sent to the
  886. # sender.
  887. #
  888. # Choice: "yes" or "no"
  889. #
  890. # Defaults to "no" if not set
  891. #
  892. # You may override this value on a per zone basis by using a zone
  893. # specific variable, e.g. FW_REJECT_DMZ="yes"
  894. #
  895. FW_REJECT=""
  896.  
  897. ## Type: yesno
  898. #
  899. # see FW_REJECT for description
  900. #
  901. # default config file setting is "yes" assuming that slowing down
  902. # portscans is not strictly required in the internal zone even if
  903. # you protect yourself from the internal zone
  904. #
  905. FW_REJECT_INT=""
  906.  
  907. ## Type: string
  908. #
  909. # Tuning your upstream a little bit via HTB (Hierarchical Token Bucket)
  910. # for more information about HTB see http://www.lartc.org
  911. #
  912. # If your download collapses while you have a parallel upload,
  913. # this parameter might be an option for you. It manages your
  914. # upload stream and reserves bandwidth for special packets like
  915. # TCP ACK packets or interactive SSH.
  916. # It's a list of devices and maximum bandwidth in kbit.
  917. # For example, the German TDSL account provides 128kbit/s upstream
  918. # and 768kbit/s downstream. We can only tune the upstream.
  919. #
  920. # Example:
  921. # If you want to tune a 128kbit/s upstream DSL device like German TDSL set
  922. # the following values:
  923. # FW_HTB_TUNE_DEV="dsl0,125"
  924. # where dsl0 is your pppoe device and 125 stands for 125kbit/s upstream
  925. #
  926. # You might wonder why 125kbit/s and not 128kbit/s. In practice you'll
  927. # get better performance if you keep the value a few percent under your
  928. # real maximum upload bandwidth, to prevent the DSL modem from queuing traffic in
  929. # its own buffers, because queuing is now done on the host by HTB.
  930. # So for a 256kbit upstream
  931. # FW_HTB_TUNE_DEV="dsl0,250"
  932. # might be a better value than "dsl0,256". There is no perfect value for a
  933. # special kind of modem. The perfect value depends on what kind of traffic you
  934. # have on your line but 5% under your maximum upstream might be a good start.
  935. # Everything else is special fine tuning.
  936. # If you want to know more about the technical background,
  937. # http://tldp.org/HOWTO/ADSL-Bandwidth-Management-HOWTO/
  938. # is a good start
  939. #
  940. FW_HTB_TUNE_DEV=""
  941.  
  942. ## Type: list(no,drop,reject)
  943. ## Default: drop
  944. #
  945. # What to do with IPv6 Packets?
  946. #
  947. # On older kernels ip6tables was not stateful so it's not possible to implement
  948. # the same features as for IPv4 on such machines. For these there are three
  949. # choices:
  950. #
  951. # - no: do not set any IPv6 rules at all. Your Host will allow any IPv6
  952. # traffic unless you setup your own rules.
  953. #
  954. # - drop: drop all IPv6 packets.
  955. #
  956. # - reject: reject all IPv6 packets. This is the default if stateful matching is
  957. # not available.
  958. #
  959. # Disallowing IPv6 packets may lead to long timeouts when connecting to IPv6
  960. # addresses. See FW_IPv6_REJECT_OUTGOING to avoid this.
  961. #
  962. # Leave empty to automatically detect whether ip6tables supports stateful matching.
  963. #
  964. FW_IPv6=""
  965.  
  966. ## Type: yesno
  967. ## Default: yes
  968. #
  969. # Reject outgoing IPv6 Packets?
  970. #
  971. # Set to yes to avoid timeouts because of dropped IPv6 packets. This option
  972. # only makes sense with FW_IPv6 != no
  973. #
  974. # Defaults to "yes" if not set
  975. #
  976. FW_IPv6_REJECT_OUTGOING=""
  977.  
  978. ## Type: list(yes,no,int,ext,dmz,)
  979. ## Default: no
  980. #
  981. # Trust level of IPsec packets.
  982. #
  983. # You do not need to change this if you do not intend to run
  984. # services that should only be available through an IPsec tunnel.
  985. #
  986. # The value specifies how much IPsec packets are trusted. 'int', 'ext' or 'dmz'
  987. # are the respective zones. 'yes' is the same as 'int'. 'no' means that IPsec
  988. # packets belong to the same zone as the interface they arrive on.
  989. #
  990. # Note: you still need to explicitly allow IPsec traffic.
  991. # Example:
  992. # FW_IPSEC_TRUST="int"
  993. # FW_SERVICES_EXT_IP="esp"
  994. # FW_SERVICES_EXT_UDP="isakmp"
  995. # FW_PROTECT_FROM_INT="no"
  996. #
  997. # Defaults to "no" if not set
  998. #
  999. FW_IPSEC_TRUST="no"
  1000.  
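An added example, not part of SuSEfirewall2 or its scripts: a small lint that parses a sysconfig file in the KEY="value" form used here and flags the settings the comments above warn about (malformed FW_IGNORE_FW_BROADCAST_* values, FW_ALLOW_CLASS_ROUTING="yes", FW_IPSEC_TRUST set without esp/isakmp opened on the external zone, and FW_IPv6="no"). The parser, the check list and the sample configuration are all constructed for this example.

```python
import re

# Allowed shapes for FW_IGNORE_FW_BROADCAST_*: "yes", "no", or UDP ports.
BROADCAST_RE = re.compile(r"^(yes|no|\d{1,5}( \d{1,5})*)$")
# KEY="value", KEY='value' or KEY=value (no shell expansion is assumed).
ASSIGN_RE = re.compile(r'^([A-Za-z_][A-Za-z0-9_]*)=(?:"([^"]*)"|\'([^\']*)\'|(\S*))$')

def parse_sysconfig(text):
    """Return {VAR: value}; comment and blank lines are skipped."""
    conf = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = ASSIGN_RE.match(line)
        if m:
            conf[m.group(1)] = next(g for g in m.groups()[1:] if g is not None)
    return conf

def lint(conf):
    """Flag the settings the config comments warn about; returns messages."""
    findings = []
    for zone in ("EXT", "INT", "DMZ"):
        var = "FW_IGNORE_FW_BROADCAST_" + zone
        if conf.get(var) and not BROADCAST_RE.match(conf[var]):
            findings.append(f"{var}: expected yes, no or UDP ports, got {conf[var]!r}")
    if conf.get("FW_ALLOW_CLASS_ROUTING") == "yes":
        findings.append('FW_ALLOW_CLASS_ROUTING="yes" routes between interfaces of '
                        'every zone, EXT included; list only the zones that need it')
    if conf.get("FW_IPSEC_TRUST", "no") not in ("", "no"):
        ip_ok = "esp" in conf.get("FW_SERVICES_EXT_IP", "").split()
        udp_ok = "isakmp" in conf.get("FW_SERVICES_EXT_UDP", "").split()
        if not (ip_ok and udp_ok):
            findings.append("FW_IPSEC_TRUST is set but esp/isakmp are not opened on "
                            "EXT; IPsec traffic must still be allowed explicitly")
    if conf.get("FW_IPv6") == "no":
        findings.append('FW_IPv6="no": no ip6tables rules at all, all IPv6 traffic passes')
    return findings

# Constructed sample config, not taken from a real host.
SAMPLE = """
FW_IGNORE_FW_BROADCAST_EXT="631 137"
FW_IGNORE_FW_BROADCAST_INT="sometimes"
FW_ALLOW_CLASS_ROUTING="yes"
FW_IPSEC_TRUST="int"
FW_SERVICES_EXT_UDP="isakmp"
FW_IPv6="no"
"""
```

Running `lint(parse_sysconfig(open("/etc/sysconfig/SuSEfirewall2").read()))` on a host prints the four warnings for the sample above and nothing for a clean file.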
  1001. ## Type: string
  1002. #
  1003. # Define additional firewall zones
  1004. #
  1005. # The built-in zones INT, EXT and DMZ must not be listed here. Names
  1006. # of additional zones must only contain lowercase ascii characters.
  1007. # To define rules for the additional zone, take the appropriate
  1008. # variable for a built-in zone and substitute INT/EXT/DMZ with the
  1009. # name of the additional zone.
  1010. #
  1011. # Example:
  1012. # FW_ZONES="wlan"
  1013. # FW_DEV_wlan="wlan0"
  1014. # FW_SERVICES_wlan_TCP="80"
  1015. # FW_ALLOW_FW_BROADCAST_wlan="yes"
  1016. #
  1017. FW_ZONES=""
  1018.  
  1019. ## Type: string(no,auto)
  1020. #
  1021. # Set default firewall zone
  1022. #
  1023. # Format: 'auto', 'no' or name of zone.
  1024. #
  1025. # When set to 'no' no firewall rules will be installed for unknown
  1026. # or unconfigured interfaces. That means traffic on such interfaces
  1027. # hits the default drop rules.
  1028. #
  1029. # When left empty or when set to 'auto' the zone that has the
  1030. # interface string 'any' configured is used for all unconfigured
  1031. # interfaces (see FW_DEV_EXT). If no 'any' string was found the
  1032. # external zone is used.
  1033. #
  1034. # When a default zone is defined a catch all rule redirects traffic
  1035. # from interfaces that were not present at the time SuSEfirewall2
  1036. # was run to the default zone. Normally SuSEfirewall2 needs to be
  1037. # run if new interfaces appear to avoid such unknown interfaces.
  1038. #
  1039. # Defaults to 'auto' if not set
  1040. #
  1041. FW_ZONE_DEFAULT=''
  1042.  
  1043. ## Type: list(yes,no,auto,)
  1044. ## Default:
  1045. #
  1046. # Whether to use iptables-batch
  1047. #
  1048. # iptables-batch commits all rules in an almost atomic way similar
  1049. # to iptables-restore. This avoids excessive iptables calls and race
  1050. # conditions.
  1051. #
  1052. # Choice:
  1053. # - yes: use iptables-batch if available and warn if it isn't
  1054. # - no: don't use iptables-batch
  1055. # - auto: use iptables-batch if available, silently fall back to
  1056. # iptables if it isn't
  1057. #
  1058. # Defaults to "auto" if not set
  1059. #
  1060. FW_USE_IPTABLES_BATCH=""
  1061.  
  1062. ## Type: string
  1063. #
  1064. # Which additional kernel modules to load at startup
  1065. #
  1066. # Example:
  1067. # FW_LOAD_MODULES="nf_conntrack_netbios_ns"
  1068. #
  1069. # See also FW_SERVICES_ACCEPT_RELATED_EXT
  1070. #
  1071. FW_LOAD_MODULES="nf_conntrack_netbios_ns"
  1072.  
  1073. ## Type: string
  1074. ## Default:
  1075. #
  1076. # Bridge interfaces without IP address
  1077. #
  1078. # Traffic on bridge interfaces like the one used by xen appears to
  1079. # enter and leave on the same interface. Add such interfaces here in
  1080. # order to install special permitting rules for them.
  1081. #
  1082. # Format: list of interface names separated by space
  1083. #
  1084. # Note: this option is deprecated, use FW_FORWARD_ALLOW_BRIDGING instead
  1085. #
  1086. # Example:
  1087. # FW_FORWARD_ALWAYS_INOUT_DEV="xenbr0"
  1088. #
  1089. FW_FORWARD_ALWAYS_INOUT_DEV=""
  1090.  
  1091. ## Type: string
  1092. #
  1093. # Whether traffic that is only bridged but not routed should be
  1094. # allowed. Such packets appear to pass through the forward chain so
  1095. # normally they would be dropped.
  1096. #
  1097. # Note: it is not possible to configure SuSEfirewall2 as bridging
  1098. # firewall. This option merely controls whether SuSEfirewall2 should
  1099. # try to not interfere with bridges.
  1100. #
  1101. # Choice:
  1102. # - yes: always install a rule to allow bridge traffic
  1103. # - no: don't install a rule to allow bridge traffic
  1104. # - auto: install rule only if there are bridge interfaces
  1105. #
  1106. # Defaults to "auto" if not set
  1107. #
  1108. FW_FORWARD_ALLOW_BRIDGING=""
  1109.  
  1110. ## Type: yesno
  1111. #
  1112. # Write status information to /var/run/SuSEfirewall2/status for use
  1113. # by e.g. graphical user interfaces. Can safely be disabled on
  1114. # servers.
  1115. #
  1116. # Defaults to "yes" if not set
  1117. #
  1118. FW_WRITE_STATUS=""
  1119.  
  1120. ## Type: yesno
  1121. #
  1122. # Allow dynamic configuration overrides in
  1123. # /var/run/SuSEfirewall2/override for use by e.g. graphical user
  1124. # interfaces. Can safely be disabled on servers.
  1125. #
  1126. # Defaults to "yes" if not set
  1127. #
  1128. FW_RUNTIME_OVERRIDE=""
  1129.  
  1130. ## Type: yesno
  1131. #
  1132. # Install NOTRACK target for interface lo in the raw table. Doing so
  1133. # speeds up packet processing on the loopback interface. This breaks
  1134. # certain firewall setups that need to e.g. redirect outgoing
  1135. # packets via custom rules on the local machine.
  1136. #
  1137. # Defaults to "yes" if not set
  1138. #
  1139. FW_LO_NOTRACK=""
  1140.  
  1141. ## Type: yesno
  1142. #
  1143. # Specifies whether /etc/init.d/SuSEfirewall2_init should install the
  1144. # full rule set already. Default is to just install minimum rules
  1145. # that block incoming traffic. Set to "yes" if you use services
  1146. # such as drbd that require open ports during boot already.
  1147. #
  1148. # Defaults to "no" if not set
  1149. #
  1150. FW_BOOT_FULL_INIT=""