-
Notifications
You must be signed in to change notification settings - Fork 4
/
Copy pathuif.conf
178 lines (158 loc) · 6.21 KB
/
uif.conf
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
# Copyright (C) 2002-2015, Cajus Pollmeier <[email protected]>
# Copyright (C) 2002-2015, Jörg Platte <[email protected]>
# Copyright (C) 2013-2015, Alex Owen <[email protected]>
# Copyright (C) 2013-2022, Mike Gabriel <[email protected]>
#
# This program is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation; either version 2 of the License, or
# (at your option) any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program; if not, write to the Free Software
# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA
## uif Firewall Configuration
## Sysconfig definitions
# These entries define the global behaviour of the firewall package. Normally
# they are preset in /etc/default/uif and may be overwritten by this
# section.
#
# syntax: LogLevel : set the kernel loglevel for iptables rules
# LogPrefix: prepend this string to all iptables logs
# LogLimit: set packet log limit per time interval (times/interval)
# LogBurst: set packet log burst
# Limit: set packet limit per time interval (times/interval)
# Burst: set packet burst
# example:
# sysconfig {
# LogLevel debug
# LogPrefix FW
# LogLimit 20/minute
# LogBurst 5
# Limit 20/minute
# Burst 5
# AccountPrefix ACC_
# }
## Include predefined services
# The include section takes a bunch of files and includes them into this
# configuration file.
#
# syntax: "filename"
include {
"/etc/uif/services"
}
## Services needed for workstation setup
# The service section provides the protocol definitions you're
# using in the rules. You're forced to declare everything you
# need for your setup.
#
# syntax: service_name [tcp([source:range]/[dest:range])] [udp([source:range]/[dest:range])]
# [protocol_name([source:range][/][dest:range])] [service_name] ...
# examples: http tcp(/80)
# dns tcp(/53) udp(/53)
# group http dns tcp(/443)
# ipsec esp(/) udp(/500)
service {
traceroute udp(32769:65535/33434:33523) icmp(11)
ping icmp(8)
}
## Network definitions needed for simple workstation setup
# The network definitions are included from two separate files.
# 1. /etc/uif/uif-ipv4-networks.inc
# 2. /etc/uif/uif-ipv6-networks.inc
#
# If you want to setup IPv4 and IPv6 firewalling easily,
# make sure that all network names you use in your ruleset
# in both include files.
#
# Additionally make /etc/uif/uif6.conf a symlink that points to
# /etc/uif/uif.conf.
#
# IPv4 network definitions
#
# If you update from a version of UIF that supported IPv4 only, then
# you probably want to leave the uif.conf file untouched for now and
# move your network definitions block from uif.conf to uif-ipv4-networks.inc
# manually later.
include4 {
"/etc/uif/uif-ipv4-networks.inc"
"/etc/uif/uif-ipv4-networks.inc.d/*"
}
# IPv6 network definitions
#
# Make sure IPV6MODE is set to 1 in /etc/default/uif if you want to use
# IPv6 support on your UIF based firewall.
include6 {
"/etc/uif/uif-ipv6-networks.inc"
"/etc/uif/uif-ipv6-networks.inc.d/*"
}
# conf.d config snippet support for UIF.
#
# After all network definitions have been loaded, let's include config snippets
# placed by other providers (packages) into /etc/uif/uif.conf.d/.
include {
"/etc/uif/uif.conf.d/*"
}
## Interface definitions
# Since all definitions used in the filter section are symbolic,
# you've to specify symbolic names for all your interfaces you're
# going to use.
#
# syntax: interface_name [unix network interface] [interface_name]
# examples: internal eth0
# external ippp0 ipsec0
# allppp ppp+
# group external allppp eth3
interface {
loop lo
}
## Filter definitions
# The filter section defines the rules for in, out, forward, masquerading
# and nat. All rules make use of the symbolic names defined above. This
# section can be used multiple times in one config file. This makes more
# senese when using one of these alias names:
# filter, nat, input, output, forward, masquerade
#
# syntax: in[-/+] [i=interface] [s=source_net] [d=dest_net] [p=protocol] [f=flag_1,..,flag_n]
# out[-/+] [o=interface] [s=source_net] [d=dest_net] [p=protocol] [f=flag_1,..,flag_n]
# fw[>/-/+] [i/o=interface][s=source_net] [d=dest_net] [p=protocol] [f=flag_1,..,flag_n]
# masq[-/+][i/o=interface][s=source_net] [d=dest_net] [p=protocol] [f=flag_1,..,flag_n]
# nat[-/+] additionally allows [S=from source] [D=to destination] [P=to port:[range]]
# additional:
# All keys mentioned in the syntax section (in/out/...) can be prefixed with "sl", which
# causes the creation of a stateless rule.
# flags: limit([count/time[,burst]])
# reject([reject type])
# log([name])
# account(name)
# examples:
# masq+ o=extern s=intranet
# nat+ s=intranet p=http D=relayintern P=squid
# in+ s=trusted p=ssh,ping,traceroute,http
# out- s=intranet p=smb f=reject
# fw- d=microsoft f=reject,log(ms-alert)
# slin+ s=testnet
# slout- d=testnet
# fw> o=extern
# fw+ p=myhttp f=account(HTTP)
# Take an attention about the protocol for your accounting rules. If you
# want to count user http traffice, you may need a "myhttp tcp(80/)".
filter {
in+ i=loop s=localhost
out+ o=loop d=localhost
in+ s=all(4) p=ping
# these IPv6-ICMP types are a MUST for IPv6
in+ s=all(6) p=ping,pong,noroute,packet-too-big,time-exceeded,parameter-problem,neighbor-advertisement,neighbor-solicitation
in+ p=traceroute
# in+ s=trusted(4)
# in+ s=trusted(6)
out+ d=all
in- f=log(input),reject
out- f=log(output),reject
fw- f=log(forward),reject
}