git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@7 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb
##############################################################################
# /etc/shorewall/shorewall.conf V1.2 - Change the following variables to
# match your setup
#
# This program is under GPL [http://www.gnu.org/copyleft/gpl.htm]
#
# This file should be placed in /etc/shorewall
#
# (c) 1999, 2000, 2001 - Tom Eastep (teastep@evergo.net)
##############################################################################
# Set this to the name of the lock file expected by your init scripts. For
# RedHat, this should be /var/lock/subsys/firewall. On Debian, it
# should be /var/state/shorewall. If your init scripts don't use lock files,
# set this to "".
#
SUBSYSLOCK=/var/lock/subsys/shorewall
# This is the directory where the firewall maintains state information while
# it is running
#
STATEDIR=/var/lib/firewall
#
# Set this to "yes" or "Yes" if you want to accept all connection requests
# that are related to already established connections. For example, you want
# to accept FTP data connections. If you say "no" here, then to accept
# these connections between particular zones or hosts, you must include
# explicit "related" rules in /etc/shorewall/rules.
#
ALLOWRELATED="yes"
#
# If your netfilter kernel modules are in a directory other than
# /lib/modules/`uname -r`/kernel/net/ipv4/netfilter then specify that
# directory in this variable. Example: MODULESDIR=/etc/modules.
MODULESDIR=""
#
# The next two variables can be used to control the amount of log output
# generated. LOGRATE is expressed as a number followed by an optional
# `/second', `/minute', `/hour', or `/day' suffix and specifies the maximum
# rate at which a particular message will occur. LOGBURST determines the
# maximum initial burst size that will be logged. If set empty, the default
# value of 5 will be used.
#
# If BOTH variables are set empty then the rate of logging will not be
# rate-limited.
#
LOGRATE="10/hour"
LOGBURST=5
#
# Enable nat support.
#
# You probably want "yes" here. Only gateways not doing NAT in any form, like
# SNAT, DNAT, masquerading, port forwarding etc., should say "no" here.
#
NAT_ENABLED="No"
#
# Enable mangle support.
#
# If you say "no" here, Shorewall will ignore the /etc/shorewall/tos file
# and will not initialize the mangle table when starting or stopping
# your firewall.
#
MANGLE_ENABLED="Yes"
#
# Enable IP Forwarding
#
# If you say "On" or "on" here, IPv4 packet forwarding is enabled. If you
# say "Off" or "off", packet forwarding will be disabled. You would only want
# to disable packet forwarding if you are installing Shorewall on a
# standalone system or if you want all traffic through the Shorewall system
# to be handled by proxies.
#
# If you set this variable to "Keep" or "keep", Shorewall will neither
# enable nor disable packet forwarding.
#
IP_FORWARDING="Off"
#
# Automatically add IP Aliases
#
# If you say "Yes" or "yes" here, Shorewall will automatically add IP aliases
# for each NAT external address that you give in /etc/shorewall/nat. If you say
# "No" or "no", you must add these aliases yourself.
#
ADD_IP_ALIASES="Yes"
#
# Automatically add SNAT Aliases
#
# If you say "Yes" or "yes" here, Shorewall will automatically add IP aliases
# for each SNAT external address that you give in /etc/shorewall/masq. If you say
# "No" or "no", you must add these aliases yourself.
#
ADD_SNAT_ALIASES="No"
#
# Enable Traffic Shaping
#
# If you say "Yes" or "yes" here, Traffic Shaping is enabled in the firewall. If
# you say "No" or "no" then traffic shaping is not enabled. If you enable traffic
# shaping you must have iproute[2] installed (the "ip" and "tc" utilities) and
# you must enable packet mangling above.
#
TC_ENABLED="No"
#
# Blacklisting
#
# Set this variable to the action that you want to perform on packets from
# Blacklisted systems. Must be DROP or REJECT. If not set or set to empty,
# DROP is assumed.
#
BLACKLIST_DISPOSITION=DROP
#
# Blacklist Logging
#
# Set this variable to the syslogd level that you want blacklist packets logged
# (beware of DoS attacks: a remote sender can flood syslog with blacklisted
# packets if every one of them is logged). If not set, no logging
# of blacklist packets occurs.
#
BLACKLIST_LOGLEVEL=
#
# MSS Clamping
#
# Set this variable to "Yes" or "yes" if you want the TCP "Clamp MSS to PMTU"
# option. This option is most commonly required when your internet
# interface is some variant of PPP (PPTP or PPPoE). Your kernel must support it.
#
# If left blank, or set to "No" or "no", the option is not enabled.
#
CLAMPMSS="No"
#
# Route Filtering
#
# Set this variable to "Yes" or "yes" if you want kernel route filtering on all
# interfaces.
#
ROUTE_FILTER="No"
#LAST LINE -- DO NOT REMOVE