software:firewall:config

Options And Values

Important Options

  • CONFIG_VERSION - This is for future use in helping to keep invalid config files from breaking the firewall. At the moment, the default is “1.0”
  • IPTABLES & IP6TABLES - Path to iptables and ip6tables. These options are critical and must be set before the firewall script will work.
  • MODPROBE - Path to modprobe command. This option is critical and must be set properly.

IPv4 Options

  • NAT - Set to 1 to enable NAT iptables rules
  • CONNTRACK - Set to 1 to enable connection tracking rules. On a high traffic machine, this can cause a slowdown and possible table overflow. Can help solve issues with UDP traffic being blocked.
  • FORWARD - Set to 1 to enable forwarding in iptables and via sysctl. On a router/gateway, this machine will not pass packets between interfaces unless this is set.
  • BLOCKINCOMING - Set to 1 to block incoming connections (SYN packets) by default. Don't forget to open a port for ssh (22) so you don't lock yourself out!
  • CLAPMSS - List of space separated interfaces to apply MSS clamping to. This is useful for PPPoE (DSL, etc) and VPN connections. Ex: “eth0 ppp0”
  • LANDHCPSERVER - Set to 1 to make sure that clients can make DHCP requests to the gateway/firewall.
  • INTIF - Set to the interface that your LAN is connected to. Ex: “eth1”
  • PORTFW - Set to the file that contains a list of port forwardings if the machine is being used for NAT purposes. Ex: “$BASEDIR/port-forwards”
  • TCPPORTS & UDPPORTS - Space separated list of TCP and UDP ports to open. Recommended to use port numbers, but technically, port names will work too. Ex: “22 53 80”
  • ALLOWEDPROTO - Space separated list of protocols to allow. Common ones are IPv6(41), GRE(47), IPSEC(50,51). Recommended to use protocol numbers, but technically, protocol names should work too. Ex: “41 47 50 51”
  • TRUSTEDIP - Space separated list of IPs to explicitly trust. Should at least be set to 127.0.0.1. Ex: “127.0.0.1 192.168.0.2”
  • DONTTRACK - Space separated list of IPs to exclude from connection tracking. This can help offset the effect of connection tracking on high traffic machines. Should at least include 127.0.0.1. There are potential pitfalls to using this option, so be careful!
  • ROUTING - Set to the file that contains the list of IP routing commands. Ex: “$BASEDIR/ipv4-routing”
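The following is an added example, not from this wiki or the firewall script itself: a constructed config file in the style the options above describe (assuming, as the $BASEDIR examples suggest, that the file is plain shell variable assignments sourced by the script), followed by a small sanity check for the pitfalls the list calls out: the critical IPTABLES/IP6TABLES/MODPROBE paths, port 22 being open when BLOCKINCOMING is 1, and 127.0.0.1 being present in TRUSTEDIP and DONTTRACK. The helper names list_has and check_firewall_config are assumptions.

```shell
#!/bin/sh
# Constructed sample of the option file this page describes; the values are
# hypothetical, and list_has/check_firewall_config are added helpers rather
# than part of the firewall script itself.
CONFIG_VERSION="1.0"
IPTABLES="/sbin/iptables"
IP6TABLES="/sbin/ip6tables"
MODPROBE="/sbin/modprobe"
NAT=1
FORWARD=1
BLOCKINCOMING=1
INTIF="eth1"
TCPPORTS="22 53 80"
UDPPORTS="53"
TRUSTEDIP="127.0.0.1 192.168.0.2"
DONTTRACK="127.0.0.1"

# list_has LIST ITEM: succeeds when ITEM is one of the space-separated words in LIST
list_has() {
    for w in $1; do
        [ "$w" = "$2" ] && return 0
    done
    return 1
}

# check_firewall_config: prints one line per problem and returns the number of
# problems found, so 0 means the config passes the checks this page calls out.
check_firewall_config() {
    errs=0
    # IPTABLES, IP6TABLES and MODPROBE are critical: the script cannot run without them
    for var in IPTABLES IP6TABLES MODPROBE; do
        eval "val=\$$var"
        [ -n "$val" ] || { echo "$var is not set (critical)"; errs=$((errs + 1)); }
    done
    # BLOCKINCOMING=1 drops new inbound connections; without port 22 a remote admin is locked out
    if [ "$BLOCKINCOMING" = "1" ] && ! list_has "$TCPPORTS" 22; then
        echo "BLOCKINCOMING=1 but ssh port 22 is not in TCPPORTS"; errs=$((errs + 1))
    fi
    # both lists should include loopback (DONTTRACK only matters when it is used)
    list_has "$TRUSTEDIP" 127.0.0.1 || { echo "TRUSTEDIP lacks 127.0.0.1"; errs=$((errs + 1)); }
    if [ -n "$DONTTRACK" ] && ! list_has "$DONTTRACK" 127.0.0.1; then
        echo "DONTTRACK is set but lacks 127.0.0.1"; errs=$((errs + 1))
    fi
    return $errs
}

check_firewall_config && echo "config sanity check passed"
```

Run it against a copy of the real config (or source the config first and then the checker) before enabling BLOCKINCOMING on a machine you only reach over ssh.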
software/firewall/config.txt · Last modified: 2010/08/25 14:07 by brielle