##############################################################################
## Example zone configuration file.
## Read all configuration parameters, and modify to suit your needs.
## Version $Id: zone.ext,v 1.63 2003/05/25 08:50:17 afu Exp $
##############################################################################

## A sample zone configuration to control traffic to the internet

## Name of the zone. Must match the name in fiaif.conf.
NAME=EXT

## Network interface name
DEV=eth0

## DYNAMIC: Set to '1' if the IP can change at runtime or if the IP is
##          unknown when fiaif is started.
## GLOBAL:  Set to '1' if this zone connects you to the internet.
DYNAMIC=1
GLOBAL=1

## Network information. Necessary only if DYNAMIC=0
#IP=80.196.xxx.xxx
#MASK=255.255.255.252
#NET=80.196.xxx.xxx/255.255.255.252
#BCAST=80.196.xxx.xxx

## IP_EXTRA specifies that the interface has multiple IP addresses;
## all the interface's extra IPs should be listed here.
IP_EXTRA=""

## Specifies extra networks in this zone (besides NET).
NET_EXTRA=""

## Specify if the zone should respond to DHCP queries.
## This is useful if a DHCP server is running on the firewall.
## Remember to set this only in the zone for which the DHCP server is running.
DHCP_SERVER=0

## Packets coming IN to the interface specified in DEV and NET, to drop|accept|reject.
## Use: INPUT[N]="<policy> <protocol> [<ports>] <ip[/mask]>=><ip[/mask]>"
## where <ports> is a port, a port range (low:high) or a comma-separated list
## for tcp|udp, or a single icmp type for icmp.
## Rules are read in the order they are written and the first match wins,
## so the catch-all DROP must stay last.
## Note: INPUT[0] accepts ssh (and smtp) from any source address; narrow the
## source ip[/mask] if the hosts that need to reach these services are known.
INPUT[0]="ACCEPT tcp smtp,www,https,ssh 0.0.0.0/0=>0.0.0.0/0"
INPUT[1]="ACCEPT icmp echo-request 0.0.0.0/0=>0.0.0.0/0"
INPUT[2]="ACCEPT igmp 0.0.0.0/0=>224.0.0.0/4"
INPUT[3]="DROP ALL 0.0.0.0/0=>0.0.0.0/0"

## Packets going OUT of the interface specified in DEV and NET, to drop|accept|reject.
## Use: OUTPUT[N]="<policy> <protocol> [<ports>] <ip[/mask]>=><ip[/mask]>"
OUTPUT[0]="ACCEPT ALL 0.0.0.0/0=>0.0.0.0/0"

## Forward rules. Specify where packets entering this zone may originate from.
## Use: FORWARD[N]="<zone> <policy> <protocol> [<ports>] <ip[/mask]>=><ip[/mask]>"
##
## Use this to protect this zone.
## Rules are read in the order they are written.
## Default is to accept everything: all zones are allowed to talk
## with the Internet.
FORWARD[0]="ALL ACCEPT ALL 0.0.0.0/0=>0.0.0.0/0"

## Mark rules. Mark packets passing through the firewall.
## Use: MARK[N]="<zone> <mark> <protocol> [<ports>] <ip[/mask]>=><ip[/mask]>"
##
## Marked packets can be used to determine how a packet should be routed.
## FIAIF itself does not use marking.
#MARK[0]="ALL 1 tcp ALL 0.0.0.0/0=>0.0.0.0/0"
#MARK[1]="ALL 2 udp ALL 0.0.0.0/0=>0.0.0.0/0"

## Make special replies to incoming packets.
## Use: REPLY_XXX="<zone> <type> <protocol> [<ports>] <ip[/mask]>=><ip[/mask]>"
## Where type can be one of the following:
##   icmp-net-unreachable, icmp-host-unreachable, icmp-port-unreachable,
##   icmp-proto-unreachable, icmp-net-prohibited, icmp-host-prohibited or
##   tcp-reset (only valid if the protocol is tcp)
## If the zone equals this zone, then the rules apply to packets originating from
## this network towards the firewall.
## A reply rule only fires if no earlier rule matched the packet, so it must be
## evaluated before the catch-all INPUT DROP for the reply to be sent at all.
REPLY_AUTH="EXT tcp-reset tcp auth 0.0.0.0/0=>0.0.0.0/0"
REPLY_TRACEROUTE="EXT icmp-port-unreachable udp 33434:33464 0.0.0.0/0=>0.0.0.0/0"

## Alter the destination of packets.
## Use: REDIRECT_XXX="<protocol> <port> <ip[/mask]>=><ip[/mask]> <ipaddr[,ipaddr]*> [port]"
## The rule applies only to packets originating from this zone.
#REDIRECT_SSH="tcp 22 0.0.0.0/0=>0.0.0.0/0 10.0.0.1 22"

## Log all traffic for these IP addresses.
## Use: WATCH_IP="[IP[/MASK]]*|[FILE]"
#WATCH_IP="111.111.111.111/32 222.222.222.222/24"

## Strip ECN bits from all packets destined for the specified IP addresses
## in this zone.
## Use: ECN_REMOVE="[IP[/MASK]]*|[FILE]"
#ECN_REMOVE="111.111.111.111/32 222.222.222.222/24"

## Disallow any communication with the specified MAC addresses in this zone.
## Use: MAC_DROP="[MAC address]*|[FILE]"
## Inserted on the PREROUTING chain.
#MAC_DROP="XX:XX:XX:XX:XX:XX YY:YY:YY:YY:YY:YY"

## Disallow any communication with the specified IP addresses in this zone.
## Use: IP_DROP="[IP[/MASK]]*|[FILE]"
#IP_DROP="111.111.111.111/32 222.222.222.222/24"

## Change the source address of packets coming from this zone.
## This is also called masquerading.
## Use: SNAT[N]="<zone> <protocol> [<ports>] <ip[/mask]>=><ip[/mask]>"
## Where: ZONE : Destination zone. The source of matched packets is
##               changed to the IP numbers of that zone.
#SNAT[0]="EXT ALL 0.0.0.0/0=>0.0.0.0/0"

## Limit new packets.
## Use: LIMIT_XXX="<zone> <policy> <limit> <burst> [<protocol> [<ports>]] [<ip[/mask]>=><ip[/mask]>]"
## Where:
##   ZONE     : The zone from which the packet originates. This can be this zone itself.
##   POLICY   : What to do with the packet: ACCEPT|REJECT|DROP
##   LIMIT    : Maximum average matching rate, specified as a number with an optional
##              '/second', '/minute', '/hour' or '/day' suffix.
##   BURST    : Maximum initial number of packets to match; this number is
##              recharged by one every time the limit specified above is not
##              reached, up to this number.
##   PROTOCOL : The protocol: tcp|udp|icmp|all. This parameter is optional.
##   PORTS    : If the protocol is tcp|udp: a list of ports or a port range.
##              If icmp: a single icmp type.
##              This parameter is optional and may only be given if a protocol is given.
##   IP/MASK  : If PORTS are specified, an optional source and destination
##              address (each with an optional mask) can follow.
LIMIT_PING="EXT DROP 1/second 3 ICMP echo-request 0.0.0.0/0=>0.0.0.0/0"

## Traffic Shaping.
## Enables traffic shaping for the device.
## This requires the following modules to be present or compiled statically:
##   sch_ingress
##   cls_fw
##   cls_u32
##   sch_sfq
##   sch_cbq or sch_htb
## Usage:
##   TC_ENABLE=0|1
##   TC_TYPE=CBQ|HTB
##   TC_UPLINK=<speed>
##   TC_DOWNLINK=<speed>
##
## The type specifies which shaper is to be used. The newer HTB shaper is
## better than the old CBQ, but not available on all systems.
## The speeds should be set below the actual speed of the link.
TC_ENABLE=0
TC_TYPE=CBQ
TC_DOWNLINK=410
TC_UPLINK=434
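The INPUT/OUTPUT, REPLY_XXX and LIMIT_XXX rule strings in this zone file all share one shape: a few leading fields, then `<protocol> [<ports>] <ip[/mask]>=><ip[/mask]>`. The script below is an added example, not part of FIAIF or of this zone file: it parses those strings and emits the iptables commands they correspond to, which is a quick way to check what a rule actually matches before loading it. Everything beyond the field order is an assumption made here: the service-name table is a constructed subset of /etc/services; REPLY and LIMIT rules are only rendered for this zone (the INPUT chain); each LIMIT rule is laid out as its own chain using the `conntrack` and `limit` matches; and LIMIT and REPLY rules are emitted ahead of the INPUT list, because a rule only fires if nothing above it matched and INPUT[3] drops everything.

```python
"""Render FIAIF-style zone rules as the iptables commands they describe.
Added illustration, not FIAIF's own code: field order follows the examples in
zone.ext; the service table and the chain layout for LIMIT are assumptions."""
import shlex

NAME, DEV = "EXT", "eth0"           # as set in zone.ext
POLICIES = {"ACCEPT", "DROP", "REJECT"}
# Constructed subset of /etc/services, enough for the rules in zone.ext.
SERVICES = {"ssh": 22, "smtp": 25, "www": 80, "auth": 113, "https": 443}

def port_token(name):
    """Resolve a port field: 'smtp' -> '25'; '33434:33464' stays a range."""
    if ":" in name:
        lo, hi = name.split(":", 1)
        return f"{port_token(lo)}:{port_token(hi)}"
    return str(SERVICES[name] if name in SERVICES else int(name))

def match_args(proto, ports):
    """Protocol/port match options; ports is None when the rule gives none."""
    proto = proto.lower()
    args = [] if proto == "all" else ["-p", proto]
    if ports is None:
        return args
    if proto == "icmp":                     # PORTS is a single ICMP type
        return args + ["--icmp-type", ports]
    if "," in ports:                        # port list -> multiport match
        return args + ["-m", "multiport", "--dports",
                       ",".join(port_token(p) for p in ports.split(","))]
    return args + ["--dport", port_token(ports)]

def parse_tail(fields):
    """[<protocol> [<ports>]] [<src>=><dst>]; no address pair means any->any."""
    src = dst = "0.0.0.0/0"
    if fields and "=>" in fields[-1]:
        src, dst = fields[-1].split("=>", 1)
        fields = fields[:-1]
    proto = fields[0] if fields else "all"
    ports = fields[1] if len(fields) > 1 else None
    return proto, ports, src, dst

def filter_rule(chain, rule, dev=DEV):
    """INPUT[N]/OUTPUT[N]="<policy> <protocol> [<ports>] <src>=><dst>"."""
    fields = rule.split()
    policy = fields[0].upper()
    if chain not in ("INPUT", "OUTPUT") or policy not in POLICIES:
        raise ValueError(f"bad chain or policy in {rule!r}")
    proto, ports, src, dst = parse_tail(fields[1:])
    iface = ["-i", dev] if chain == "INPUT" else ["-o", dev]
    return (["iptables", "-A", chain] + iface + match_args(proto, ports)
            + ["-s", src, "-d", dst, "-j", policy])

def reply_rule(rule, dev=DEV):
    """REPLY_XXX="<zone> <type> <protocol> [<ports>] <src>=><dst>", rendered
    only for this zone (packets from the zone towards the firewall: INPUT)."""
    fields = rule.split()
    zone, rtype = fields[0], fields[1]
    proto, ports, src, dst = parse_tail(fields[2:])
    if zone != NAME or (rtype == "tcp-reset" and proto.lower() != "tcp"):
        raise ValueError("zone must be this zone, and tcp-reset needs tcp")
    return (["iptables", "-A", "INPUT", "-i", dev] + match_args(proto, ports)
            + ["-s", src, "-d", dst, "-j", "REJECT", "--reject-with", rtype])

def limit_rule(name, rule, dev=DEV):
    """LIMIT_XXX="<zone> <policy> <limit> <burst> [<protocol> [<ports>]] [<src>=><dst>]".
    Assumed layout: NEW packets jump to a chain named after the rule, where the
    first BURST (then LIMIT per interval) RETURN and the excess gets POLICY."""
    fields = rule.split()
    zone, policy, limit, burst = fields[0], fields[1].upper(), fields[2], fields[3]
    if zone != NAME or policy not in POLICIES:
        raise ValueError(f"bad zone or policy in {rule!r}")
    proto, ports, src, dst = parse_tail(fields[4:])
    return [
        ["iptables", "-N", name],
        ["iptables", "-A", "INPUT", "-i", dev] + match_args(proto, ports)
        + ["-s", src, "-d", dst, "-m", "conntrack", "--ctstate", "NEW", "-j", name],
        ["iptables", "-A", name, "-m", "limit", "--limit", limit,
         "--limit-burst", burst, "-j", "RETURN"],
        ["iptables", "-A", name, "-j", policy],
    ]

def zone_commands(inputs, outputs, replies, limits, dev=DEV):
    """Whole zone as shell lines. LIMIT and REPLY rules go before the INPUT
    list: the first matching rule wins and INPUT ends with 'DROP ALL'."""
    cmds = []
    for name, rule in limits.items():
        cmds += limit_rule(name, rule, dev)
    cmds += [reply_rule(r, dev) for r in replies]
    cmds += [filter_rule("INPUT", r, dev) for r in inputs]
    cmds += [filter_rule("OUTPUT", r, dev) for r in outputs]
    return [shlex.join(c) for c in cmds]

if __name__ == "__main__":                  # the rules from zone.ext
    print("\n".join(zone_commands(
        ["ACCEPT tcp smtp,www,https,ssh 0.0.0.0/0=>0.0.0.0/0",
         "ACCEPT icmp echo-request 0.0.0.0/0=>0.0.0.0/0",
         "ACCEPT igmp 0.0.0.0/0=>224.0.0.0/4", "DROP ALL 0.0.0.0/0=>0.0.0.0/0"],
        ["ACCEPT ALL 0.0.0.0/0=>0.0.0.0/0"],
        ["EXT tcp-reset tcp auth 0.0.0.0/0=>0.0.0.0/0",
         "EXT icmp-port-unreachable udp 33434:33464 0.0.0.0/0=>0.0.0.0/0"],
        {"LIMIT_PING": "EXT DROP 1/second 3 ICMP echo-request 0.0.0.0/0=>0.0.0.0/0"})))
```

Running it prints one iptables line per rule in the order they would have to be loaded. Two things worth noticing in the output: INPUT[0] becomes `-p tcp -m multiport --dports 25,80,443,22 -s 0.0.0.0/0`, which makes the unrestricted source for ssh explicit, and the LIMIT_PING chain lets the first three echo-requests through to INPUT[1] while dropping the excess, so the limit and the accept rule only behave as intended because the limit chain is consulted first.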