# Copyright (c) 2000-2002 SuSE GmbH Nuernberg, Germany. All rights reserved. # Copyright (c) 2003,2004 SuSE Linux AG Nuernberg, Germany. All rights reserved. # Copyright (c) 2005-2008 SUSE LINUX Products GmbH Nuernberg, Germany. All rights reserved. # # Author: Marc Heuse, 2002 # Ludwig Nussel, 2004-2008 # # /etc/sysconfig/SuSEfirewall2 # # for use with /sbin/SuSEfirewall2 version 3.6 # # ------------------------------------------------------------------------ # # PLEASE NOTE THE FOLLOWING: # # Just by configuring these settings and using the SuSEfirewall2 you # are not secure per se! There is *not* such a thing you install and # hence you are saved from all (security) hazards. # # To ensure your security, you need also: # # * Secure all services you are offering to untrusted networks # (internet) You can do this by using software which has been # designed with security in mind (like postfix, vsftpd, ssh), # setting these up without misconfiguration and praying, that # they have got really no holes. Apparmor can help in # most circumstances to reduce the risk. # * Do not run untrusted software. (philosophical question, can # you trust SuSE or any other software distributor?) # * Check the security of your server(s) regulary # * If you are using this server as a firewall/bastion host to the # internet for an internal network, try to run proxy services # for everything and disable routing on this machine. # * If you run DNS on the firewall: disable untrusted zone # transfers and either don't allow access to it from the # internet or run it split-brained. # # Good luck! # # Yours, # SuSE Security Team # # ------------------------------------------------------------------------ # # Configuration HELP: # # If you have got any problems configuring this file, take a look at # /usr/share/doc/packages/SuSEfirewall2/EXAMPLES or use YaST # # # If you are an end-user who is NOT connected to two networks (read: # you have got a single user system and are using a dialup to the # internet) you just have to configure (all other settings are OK): # 2) and maybe 9). # # If this server is a firewall, which should act like a proxy (no direct # routing between both networks), or you are an end-user connected to the # internet and to an internal network, you have to setup your proxys and # reconfigure (all other settings are OK): 2), 3), 9) and maybe 7), 11), 14) # # If this server is a firewall, and should do routing/masquerading between # the untrusted and the trusted network, you have to reconfigure (all other # settings are OK): 2), 3), 5), 6), 9), and maybe 7), 10), 11), 12), 13), # 14) # # If you want to run a DMZ in either of the above three standard setups, you # just have to configure *additionally* 4), 9), 12), 13), 18) # # Please note that if you use service names, they have to exist in # /etc/services. There is for example no service "dns", it's called # "domain"; email is called "smtp" etc. # # ------------------------------------------------------------------------ ## Path: Network/Firewall/SuSEfirewall2 ## Description: SuSEfirewall2 configuration ## Type: string ## Default: any # # 2.) # Which are the interfaces that point to the internet/untrusted # networks? # # Enter all untrusted network devices here # # Format: space separated list of interface or configuration names # # The special keyword "any" means that packets arriving on interfaces not # explicitly configured as int, ext or dmz will be considered external. Note: # this setting only works for packets destined for the local machine. If you # want forwarding or masquerading you still have to add the external interfaces # individually. "any" can be mixed with other interface names. # # Examples: "ippp0 ippp1", "any dsl0" # # Note: alias interfaces (like eth0:1) are ignored # FW_DEV_EXT="any" ## Type: string # # 3.) # Which are the interfaces that point to the internal network? # # Enter all trusted network interfaces here. If you are not # connected to a trusted network (e.g. you have just a dialup) leave # this empty. # # Format: space separated list of interface or configuration names # # Examples: "tr0", "eth0 eth1" # FW_DEV_INT="" ## Type: string # # 4.) # Which are the interfaces that point to the dmz or dialup network? # # Enter all the network devices here which point to the dmz/dialups. # A "dmz" is a special, seperated network, which is only connected # to the firewall, and should be reachable from the internet to # provide services, e.g. WWW, Mail, etc. and hence is at risk from # attacks. See /usr/share/doc/packages/SuSEfirewall2/EXAMPLES for an # example. # # Note: You have to configure FW_FORWARD to define the services # which should be available to the internet and set FW_ROUTE to yes. # # Format: space separated list of interface or configuration names # # Examples: "tr0", "eth0 eth1" # FW_DEV_DMZ="" ## Type: yesno ## Default: no # # 5.) # Should routing between the internet, dmz and internal network be # activated? # # Set this to "yes" if you either want to masquerade internal # machines or allow access to the dmz (or internal machines, but # this is not a good idea). # # This option overrides IP_FORWARD from # /etc/sysconfig/network/options # # Setting this option one alone doesn't do anything. Either activate # masquerading with FW_MASQUERADE below if you want to masquerade # your internal network to the internet, or configure FW_FORWARD to # define what is allowed to be forwarded. You also need to define # internal or dmz interfaces in FW_DEV_INT or FW_DEV_DMZ. # # defaults to "no" if not set # FW_ROUTE="no" ## Type: yesno ## Default: no # # 6.) # Do you want to masquerade internal networks to the outside? # # Requires: FW_DEV_INT or FW_DEV_DMZ, FW_ROUTE, FW_MASQ_DEV # # "Masquerading" means that all your internal machines which use # services on the internet seem to come from your firewall. Please # note that it is more secure to communicate via proxies to the # internet than to use masquerading. # # This option is required for FW_MASQ_NETS and FW_FORWARD_MASQ. # # defaults to "no" if not set # FW_MASQUERADE="no" ## Type: string ## Default: zone:ext # # 6a.) # You also have to define on which interfaces to masquerade on. # Those are usually the same as the external interfaces. Most users # can leave the default. # # The special string "zone:" concatenated with the name of a zone # means to take all interfaces in the specified zone. # # Old version of SuSEfirewall2 used a shell variable ($FW_DEV_EXT) # here. That method is deprecated as it breaks auto detection of # interfaces. Please use zone:ext instead. # # Examples: "ippp0", "zone:ext" # FW_MASQ_DEV="zone:ext" ## Type: string ## Default: 0/0 # # Which internal computers/networks are allowed to access the # internet via masquerading (not via proxys on the firewall)? # # Format: space separated list of # [,,[,port[:port]] # # If the protocol is icmp then port is interpreted as icmp type # # Examples: - "0/0" unrestricted access to the internet # - "10.0.0.0/8" allows the whole 10.0.0.0 network with # unrestricted access. # - "10.0.1.0/24,0/0,tcp,80 10.0.1.0/24,0/0,tcp,21" allows # the 10.0.1.0 network to use www/ftp to the internet. - # - "10.0.1.0/24,0/0,tcp,1024:65535 10.0.2.0/24" the # 10.0.1.0/24 network is allowed to access unprivileged # ports whereas 10.0.2.0/24 is granted unrestricted # access. # - "0/0,!10.0.0.0/8" unrestricted access to the internet # with the exception of 10.0.0.8 which will not be # masqueraded. # FW_MASQ_NETS="0/0" ## Type: string ## Default: 0/0 # # Which computers/networks should be excluded from beeing masqueraded? # Note that this only affects the POSTROUTING chain of the nat # table. Ie the forwarding rules installed by FW_MASQ_NETS do not # include the listed exceptions. # *** Since you may use FW_NOMASQ_NETS together with IPsec make sure # that the policy database is loaded even when the tunnel is not up # yet. Otherwise packets to the listed networks will be forwarded to # the internet unencrypted! *** # # Format: space separated list of # [,,[,port[:port]] # # If the protocol is icmp then port is interpreted as icmp type # # Examples: - "0/0,10.0.0.0/8" do not masquerade packets from # anywhere to the 10.0.0.0/8 network # FW_NOMASQ_NETS="" ## Type: list(yes,no,notrack) ## Default: no # # 7.) # Do you want to protect the firewall from the internal network? # Requires: FW_DEV_INT # # If you set this to "yes", internal machines may only access # services on the firewall you explicitly allow. If you set this to # "no", any internal user can connect (and attack) any service on # the firewall. # # The value "notrack" acts similar to "no" but additionally # connection tracking is switched off for interfaces in the zone. # This is useful to gain better performance on high speed # interfaces. # # defaults to "yes" if not set # # see also FW_REJECT_INT # FW_PROTECT_FROM_INT="no" ## Type: string # # 9.) # Which TCP services _on the firewall_ should be accessible from # untrusted networks? # # Format: space separated list of ports, port ranges or well known # service names (see /etc/services) # # Examples: "ssh", "123 514", "3200:3299", "ftp 22 telnet 512:514" # # Note: this setting has precedence over FW_SERVICES_ACCEPT_* # FW_SERVICES_EXT_TCP="135 139 445 " ## Type: string # # Which UDP services _on the firewall_ should be accessible from # untrusted networks? # # Format: space separated list of ports, port ranges or well known # service names (see /etc/services) # # Example: "53", "syslog" # # Note: this setting has precedence over FW_SERVICES_ACCEPT_* # FW_SERVICES_EXT_UDP="137:138" ## Type: string # # Which IP services _on the firewall_ should be accessible from # untrusted networks? # # Usually for VPN/Routing services that END at the firewall like # IPsec, GRE, PPTP or OSPF # # Format: space separated list of ports, port ranges or well known # protocol names (see /etc/protocols) # # Example: "esp" # # Note: this setting has precedence over FW_SERVICES_ACCEPT_* # FW_SERVICES_EXT_IP="" ## Type: string # # Which RPC services _on the firewall_ should be accessible from # untrusted networks? # # Port numbers of RPC services are dynamically assigned by the # portmapper. Therefore "rpcinfo -p localhost" has to be used to # automatically determine the currently assigned port for the # services specified here. # # USE WITH CAUTION! # regular users can register rpc services and therefore may be able # to have SuSEfirewall2 open arbitrary ports # # Example: "mountd nfs" # # Note: this setting has precedence over FW_SERVICES_ACCEPT_* # FW_SERVICES_EXT_RPC="" ## Type: string # # Which services _on the firewall_ should be accessible from # untrusted networks? # # Packages can drop a configuration file that specifies all required # ports into /etc/sysconfig/SuSEfirewall2.d/services. That is handy for # services that require multiple ports or protocols. Enter the space # separated list of configuration files you want to load. # # The content of those files is merged into # FW_SERVICES_$zone_$protocol, ie has precedence over # FW_SERVICES_ACCEPT_* # # Example: "samba-server nfs-server" FW_CONFIGURATIONS_EXT="apache2 sshd" ## Type: string # # see comments for FW_SERVICES_EXT_TCP FW_SERVICES_DMZ_TCP="" ## Type: string # # see comments for FW_SERVICES_EXT_UDP FW_SERVICES_DMZ_UDP="" ## Type: string # # see comments for FW_SERVICES_EXT_IP FW_SERVICES_DMZ_IP="" ## Type: string # # see comments for FW_SERVICES_EXT_RPC FW_SERVICES_DMZ_RPC="" ## Type: string # # see comments for FW_CONFIGURATIONS_EXT FW_CONFIGURATIONS_DMZ="" ## Type: string # # see comments for FW_SERVICES_EXT_TCP FW_SERVICES_INT_TCP="" ## Type: string # # see comments for FW_SERVICES_EXT_UDP FW_SERVICES_INT_UDP="" ## Type: string # # see comments for FW_SERVICES_EXT_IP FW_SERVICES_INT_IP="" ## Type: string # # see comments for FW_SERVICES_EXT_RPC FW_SERVICES_INT_RPC="" ## Type: string # # see comments for FW_CONFIGURATIONS_EXT FW_CONFIGURATIONS_INT="" ## Type: string # # Packets to silently drop without log message # # Format: space separated list of net,protocol[,port][,sport] # Example: "0/0,tcp,445 0/0,udp,4662" # # The special value _rpc_ is recognized as protocol and means that dport is # interpreted as rpc service name. See FW_SERVICES_EXT_RPC for # details. # FW_SERVICES_DROP_EXT="" ## Type: string # # see FW_SERVICES_DROP_EXT FW_SERVICES_DROP_DMZ="" ## Type: string # # see FW_SERVICES_DROP_EXT FW_SERVICES_DROP_INT="" ## Type: string ## Default: # # Packets to silently reject without log message. Common usage is # TCP port 113 which if dropped would cause long timeouts when # sending mail or connecting to IRC servers. # # Format: space separated list of net,protocol[,dport][,sport] # Example: "0/0,tcp,113" # # The special value _rpc_ is recognized as protocol and means that dport is # interpreted as rpc service name. See FW_SERVICES_EXT_RPC for # details. # FW_SERVICES_REJECT_EXT="" ## Type: string # # see FW_SERVICES_REJECT_EXT FW_SERVICES_REJECT_DMZ="" ## Type: string # # see FW_SERVICES_REJECT_EXT FW_SERVICES_REJECT_INT="" # Example: # Allow max three ssh connects per minute from the same IP address: # "0/0,tcp,22,,hitcount=3,blockseconds=60,recentname=ssh" # # The special value _rpc_ is recognized as protocol and means that dport is # interpreted as rpc service name. See FW_SERVICES_EXT_RPC for # details. # # Note1: keep in mind that FW_SERVICES_EXT_TCP, FW_SERVICES_EXT_UDP # take precedence over FW_SERVICES_ACCEPT_EXT so don't open the same # port with both options. # # Note2: the iptables recent module may not be available for ipv6. To # avoid an error message use 0.0.0.0/0 instead of 0/0. This will # install the rule for ipv4 only. # FW_SERVICES_ACCEPT_EXT="0/0,tcp,22,,hitcount=3,blockseconds=60,recentname=ssh" ## Type: string # # see FW_SERVICES_ACCEPT_EXT FW_SERVICES_ACCEPT_DMZ="" ## Type: string # # see FW_SERVICES_ACCEPT_EXT FW_SERVICES_ACCEPT_INT="" ## Type: string ## Default: # # Services to allow that are considered RELATED by the connection tracking # engine. # # Format: space separated list of net,protocol[,sport[,dport]] # # Example: # Allow samba broadcast replies marked as related by # nf_conntrack_netbios_ns from a certain network: # "192.168.1.0/24,udp,137" # # See also FW_LOAD_MODULES # FW_SERVICES_ACCEPT_RELATED_EXT="" ## Type: string # # see FW_SERVICES_ACCEPT_RELATED_EXT FW_SERVICES_ACCEPT_RELATED_DMZ="" ## Type: string # # see FW_SERVICES_ACCEPT_RELATED_EXT FW_SERVICES_ACCEPT_RELATED_INT="" ## Type: string # # 10.) # Which services should be accessible from 'trusted' hosts or nets? # # Define trusted hosts or networks (doesn't matter whether they are internal or # external) and the services (tcp,udp,icmp) they are allowed to use. This can # be used instead of FW_SERVICES_* for further access restriction. Please note # that this is no replacement for authentication since IP addresses can be # spoofed. Also note that trusted hosts/nets are not allowed to ping the # firewall until you also permit icmp. # # Format: space separated list of network[,protocol[,port]] # in case of icmp, port means the icmp type # # Example: "172.20.1.1 172.20.0.0/16 1.1.1.1,icmp 2.2.2.2,tcp,22" # FW_TRUSTED_NETS="192.168.0.0/24" ## Type: string ## Default: # # 11.) # Specify which ports are allowed to access unprivileged ports (>1023) # # Format: yes, no or space separated list of ports # # You may either allow everyone from anyport access to your highports ("yes"), # disallow anyone ("no"), anyone who comes from a defined port (portnumber or # known portname). Note that this is easy to circumvent! The best choice is to # keep this option unset or set to 'no' # # defaults to "no" if not set (good choice) # # Note: Use of this variable is deprecated and it will likely be # removed in the future. If you think it should be kept please # report your use case at # http://forge.novell.com/modules/xfmod/project/?susefirewall2 # FW_ALLOW_INCOMING_HIGHPORTS_TCP="" ## Type: string ## Default: # # See FW_ALLOW_INCOMING_HIGHPORTS_TCP # # defaults to "no" if not set (good choice) # # Note: Use of this variable is deprecated and it will likely be # removed in the future. If you think it should be kept please # report your use case at # http://forge.novell.com/modules/xfmod/project/?susefirewall2 # # If you use this variable to enable browsing samba/windows shares # you most likely have misconfigured your firewall. You should # either put the utilized interface into the internal zone or use # e.g. FW_SERVICES_ACCEPT_RELATED_EXT # FW_ALLOW_INCOMING_HIGHPORTS_UDP="" ## Type: string # # 13.) # Which services or networks are allowed to be routed through the # firewall, no matter which zone they are in? # Requires: FW_ROUTE # # With this option you may allow access to e.g. your mailserver. The # machines must have valid, non-private, IP addresses which were # assigned to you by your ISP. This opens a direct link to the # specified network, so please think twice befor using this option! # # Format: space separated list of # ,[,protocol[,port[,flags]]] # # If the protocol is icmp then port is interpreted as icmp type # # The only flag currently supported is 'ipsec' which means to only # match packets that originate from an IPsec tunnel # # Examples: - "1.1.1.1,2.2.2.2" allow the host 1.1.1.1 to access any # service on the host 2.2.2.2 # - "3.3.3.3/16,4.4.4.4/24" allow the network 3.3.3.3/16 # to access any service in the network 4.4.4.4/24 # - "5.5.5.5,6.6.6.6,igmp" allow routing of IGMP messages # from 5.5.5.5 to 6.6.6.6 # - "0/0,0/0,udp,514" always permit udp port 514 to pass # the firewall # - "192.168.1.0/24,10.10.0.0/16,,,ipsec \ # 10.10.0.0/16,192.168.1.0/24,,,ipsec" permit traffic # from 192.168.1.0/24 to 10.10.0.0/16 and vice versa # provided that both networks are connected via an # IPsec tunnel. # - "fd76:9dbb:91a3:1::/64,fd76:9dbb:91a3:4::/64,tcp,ssh" # allow ssh from one IPv6 network to another # FW_FORWARD="" ## Type: string # # 13a.) # # same as FW_FORWARD but packages are rejected instead of accepted # # Requires: FW_ROUTE # FW_FORWARD_REJECT="" ## Type: string # # 13b.) # # same as FW_FORWARD but packages are dropped instead of accepted # # Requires: FW_ROUTE # FW_FORWARD_DROP="" ## Type: string # # 14.) # Which services accessed from the internet should be allowed to masqueraded # servers (on the internal network or dmz)? # Requires: FW_ROUTE # # With this option you may allow access to e.g. your mailserver. The # machines must be in a masqueraded segment and may not have public # IP addesses! Hint: if FW_DEV_MASQ is set to the external interface # you have to set FW_FORWARD from internal to DMZ for the service as # well to allow access from internal! # # Please note that this should *not* be used for security reasons! # You are opening a hole to your precious internal network. If e.g. # the webserver there is compromised - your full internal network is # compromised! # # Format: space separated list of # ,,,[,redirect port,[destination ip]] # # Protocol must be either tcp or udp # # Examples: - "4.0.0.0/8,10.0.0.10,tcp,80" forward all tcp request on # port 80 coming from the 4.0.0.0/8 network to the # internal server 10.10.0.10 # - "4.0.0.0/8,10.0.0.10,tcp,80,81" forward all tcp request on # port 80 coming from the 4.0.0.0/8 network to the # internal server 10.10.0.10 on port 81 # - "200.200.200.0/24,10.0.0.10,tcp,80,81,202.202.202.202" # the network 200.200.200.0/24 trying to access the # address 202.202.202.202 on port 80 will be forwarded # to the internal server 10.0.0.10 on port 81 # # Note: du to inconsitent iptables behaviour only port numbers are possible but # no service names (https://bugzilla.netfilter.org/bugzilla/show_bug.cgi?id=273) # FW_FORWARD_MASQ="" ## Type: string # # 15.) # Which accesses to services should be redirected to a local port on # the firewall machine? # # This option can be used to force all internal users to surf via # your squid proxy, or transparently redirect incoming webtraffic to # a secure webserver. # # Format: list of [,,[,dport[:lport]] # Where protocol is either tcp or udp. dport is the original # destination port and lport the port on the local machine to # redirect the traffic to # # An exclamation mark in front of source or destination network # means everything EXCEPT the specified network # # Example: "10.0.0.0/8,0/0,tcp,80,3128 0/0,172.20.1.1,tcp,80,8080" # # Note: contrary to previous SuSEfirewall2 versions it is no longer necessary # to additionally open the local port FW_REDIRECT="" ## Type: yesno ## Default: yes # # 16.) # Which kind of packets should be logged? # # When set to "yes", packages that got dropped and are considered # 'critical' will be logged. Such packets include for example # spoofed packets, tcp connection requests and certain icmp types. # # defaults to "yes" if not set # FW_LOG_DROP_CRIT="yes" ## Type: yesno ## Default: no # # whether all dropped packets should be logged # # Note: for broadcasts to be logged you also need to set # FW_IGNORE_FW_BROADCAST_* to 'no' # # defaults to "no" if not set # FW_LOG_DROP_ALL="no" ## Type: yesno ## Default: yes # # When set to "yes", packages that got accepted and are considered # 'critical' will be logged. Such packets include for example tcp # connection requests, rpc connection requests, access to high # udp/tcp port and forwarded pakets. # # defaults to "yes" if not set # FW_LOG_ACCEPT_CRIT="no" ## Type: yesno ## Default: no # # whether all accepted packets should be logged # # Note: setting this to 'yes' causes _LOTS_ of log entries and may # fill your disk quickly. It also disables FW_LOG_LIMIT # # defaults to "no" if not set # FW_LOG_ACCEPT_ALL="no" ## Type: string # # How many packets per time unit get logged for each logging rule. # When empty a default of 3/minute is used to prevent port scans # flooding your log files. For desktop usage it's a good idea to # have the limit, if you are using logfile analysis tools however # you might want to disable it. # # Set to 'no' to disable the rate limit. Setting FW_LOG_ACCEPT_ALL # to 'yes' disables this option as well. # # Format: a digit and suffix /second, /minute, /hour or /day FW_LOG_LIMIT="" ## Type: string # # iptables logging option. Must end with --log-prefix and some prefix # characters # # You may specify an alternative logging target by starting the # string with "-j ". E.g. "-j ULOG --ulog-prefix SFW2" # # only change this if you know what you are doing! FW_LOG="" ## Type: yesno ## Default: yes # # 17.) # Do you want to enable additional kernel TCP/IP security features? # If set to yes, some obscure kernel options are set. # (icmp_ignore_bogus_error_responses, icmp_echoreply_rate, # icmp_destunreach_rate, icmp_paramprob_rate, icmp_timeexeed_rate, # ip_local_port_range, log_martians, rp_filter, routing flush, # bootp_relay, proxy_arp, secure_redirects, accept_source_route # icmp_echo_ignore_broadcasts, ipfrag_time) # # Tip: Set this to "no" until you have verified that you have got a # configuration which works for you. Then set this to "yes" and keep it # if everything still works. (It should!) ;-) # # Choice: "yes" or "no", if not set defaults to "yes" # FW_KERNEL_SECURITY="yes" ## Type: yesno ## Default: no # # 18.) # Keep the routing set on, if the firewall rules are unloaded? # REQUIRES: FW_ROUTE # # Choices "yes" or "no", if not set defaults to "no" # FW_STOP_KEEP_ROUTING_STATE="no" ## Type: yesno ## Default: yes # # 19.) # Allow the firewall to reply to icmp echo requests # # defaults to "no" if not set # FW_ALLOW_PING_FW="yes" ## Type: yesno ## Default: no # # 19a.) # Allow hosts in the dmz to be pinged from hosts in other zones even # if neither FW_FORWARD nor FW_MASQUERADE is set # # Requires: FW_ROUTE # # defaults to "no" if not set # FW_ALLOW_PING_DMZ="no" ## Type: yesno ## Default: no # # 19b.) # Allow hosts in the external zone to be pinged from hosts in other # zones even if neither FW_FORWARD nor FW_MASQUERADE is set # # Requires: FW_ROUTE # # defaults to "no" if not set # FW_ALLOW_PING_EXT="no" ## Type: yesno ## Default: yes # # 21.) # Allow ICMP sourcequench from your ISP? # # If set to yes, the firewall will notice when connection is choking, however # this opens yourself to a denial of service attack. Choose your poison. # # Defaults to "yes" if not set # FW_ALLOW_FW_SOURCEQUENCH="" ## Type: string(yes,no) # # 22.) # Allow IP Broadcasts? # # Whether the firewall allows broadcasts packets. # Broadcasts are used for e.g. for Netbios/Samba, RIP, OSPF and Games. # # If you want to drop broadcasts however ignore the annoying log entries, set # FW_IGNORE_FW_BROADCAST_* to yes. # # Note that if you allow specifc ports here it just means that broadcast # packets for that port are not dropped. You still need to set # FW_SERVICES_*_UDP to actually allow regular unicast packets to # reach the applications. # # Format: either # - "yes" or "no" # - list of udp destination ports # # Examples: - "631 137" allow broadcast packets on port 631 and 137 # to enter the machine but drop any other broadcasts # - "yes" do not install any extra drop rules for # broadcast packets. They'll be treated just as unicast # packets in this case. # - "no" drop all broadcast packets before other filtering # rules # # defaults to "no" if not set # FW_ALLOW_FW_BROADCAST_EXT="137:138" ## Type: string # # see comments for FW_ALLOW_FW_BROADCAST_EXT FW_ALLOW_FW_BROADCAST_INT="no" ## Type: string # # see comments for FW_ALLOW_FW_BROADCAST_EXT FW_ALLOW_FW_BROADCAST_DMZ="no" ## Type: string(yes,no) # # Suppress logging of dropped broadcast packets. Useful if you don't allow # broadcasts on a LAN interface. # # This setting only affects packets that are not allowed according # to FW_ALLOW_FW_BROADCAST_* # # Format: either # - "yes" or "no" # - list of udp destination ports # # Examples: - "631 137" silently drop broadcast packets on port 631 and 137 # - "yes" do not log dropped broadcast packets # - "no" log all dropped broadcast packets # # # defaults to "no" if not set FW_IGNORE_FW_BROADCAST_EXT="no" ## Type: string # # see comments for FW_IGNORE_FW_BROADCAST_EXT FW_IGNORE_FW_BROADCAST_INT="no" ## Type: string # # see comments for FW_IGNORE_FW_BROADCAST_EXT FW_IGNORE_FW_BROADCAST_DMZ="no" ## Type: list(yes,no,int,ext,dmz,) ## Default: no # # 23.) # Specifies whether routing between interfaces of the same zone should be allowed # Requires: FW_ROUTE="yes" # # Set this to allow routing between interfaces in the same zone, # e.g. between all internet interfaces, or all internal network # interfaces. # # Caution: Keep in mind that "yes" affects all zones. ie even if you # need inter-zone routing only in the internal zone setting this # parameter to "yes" would allow routing between all external # interfaces as well. It's better to use # FW_ALLOW_CLASS_ROUTING="int" in this case. # # Choice: "yes", "no", or space separate list of zone names # # Defaults to "no" if not set # FW_ALLOW_CLASS_ROUTING="" ## Type: string # # 25.) # Do you want to load customary rules from a file? # # This is really an expert option. NO HELP WILL BE GIVEN FOR THIS! # READ THE EXAMPLE CUSTOMARY FILE AT /etc/sysconfig/scripts/SuSEfirewall2-custom # #FW_CUSTOMRULES="/etc/sysconfig/scripts/SuSEfirewall2-custom" FW_CUSTOMRULES="" ## Type: yesno ## Default: no # # 26.) # Do you want to REJECT packets instead of DROPing? # # DROPing (which is the default) will make portscans and attacks much # slower, as no replies to the packets will be sent. REJECTing means, that # for every illegal packet, a connection reject packet is sent to the # sender. # # Choice: "yes" or "no", if not set defaults to "no" # # Defaults to "no" if not set # # You may override this value on a per zone basis by using a zone # specific variable, e.g. FW_REJECT_DMZ="yes" # FW_REJECT="" ## Type: yesno ## Default: no # # see FW_REJECT for description # # default config file setting is "yes" assuming that slowing down # portscans is not strictly required in the internal zone even if # you protect yourself from the internal zone # FW_REJECT_INT="yes" ## Type: string # # 27.) # Tuning your upstream a little bit via HTB (Hierarchical Token Bucket) # for more information about HTB see http://www.lartc.org # # If your download collapses while you have a parallel upload, # this parameter might be an option for you. It manages your # upload stream and reserves bandwidth for special packets like # TCP ACK packets or interactive SSH. # It's a list of devices and maximum bandwidth in kbit. # For example, the german TDSL account, provides 128kbit/s upstream # and 768kbit/s downstream. We can only tune the upstream. # # Example: # If you want to tune a 128kbit/s upstream DSL device like german TDSL set # the following values: # FW_HTB_TUNE_DEV="dsl0,125" # where dsl0 is your pppoe device and 125 stands for 125kbit/s upstream # # you might wonder why 125kbit/s and not 128kbit/s. Well practically you'll # get a better performance if you keep the value a few percent under your # real maximum upload bandwidth, to prevent the DSL modem from queuing traffic in # it's own buffers because queing is done by us now. # So for a 256kbit upstream # FW_HTB_TUNE_DEV="dsl0,250" # might be a better value than "dsl0,256". There is no perfect value for a # special kind of modem. The perfect value depends on what kind of traffic you # have on your line but 5% under your maximum upstream might be a good start. # Everthing else is special fine tuning. # If you want to know more about the technical background, # http://tldp.org/HOWTO/ADSL-Bandwidth-Management-HOWTO/ # is a good start # FW_HTB_TUNE_DEV="" ## Type: list(no,drop,reject) ## Default: drop # # 28.) # What to do with IPv6 Packets? # # On older kernels ip6tables was not stateful so it's not possible to implement # the same features as for IPv4 on such machines. For these there are three # choices: # # - no: do not set any IPv6 rules at all. Your Host will allow any IPv6 # traffic unless you setup your own rules. # # - drop: drop all IPv6 packets. # # - reject: reject all IPv6 packets. This is the default if stateful matching is # not available. # # Disallowing IPv6 packets may lead to long timeouts when connecting to IPv6 # Adresses. See FW_IPv6_REJECT_OUTGOING to avoid this. # # Leave empty to automatically detect whether your kernel supports stateful matching. # FW_IPv6="" ## Type: yesno ## Default: yes # # 28a.) # Reject outgoing IPv6 Packets? # # Set to yes to avoid timeouts because of dropped IPv6 Packets. This Option # does only make sense with FW_IPv6 != no # # Defaults to "yes" if not set # FW_IPv6_REJECT_OUTGOING="" ## Type: list(yes,no,int,ext,dmz,) ## Default: no # # 29.) # Trust level of IPsec packets. # # You do not need to change this if you do not intend to run # services that should only be available trough an IPsec tunnel. # # The value specifies how much IPsec packets are trusted. 'int', 'ext' or 'dmz' # are the respective zones. 'yes' is the same as 'int. 'no' means that IPsec # packets belong to the same zone as the interface they arrive on. # # Note: you still need to explicitely allow IPsec traffic. # Example: # FW_IPSEC_TRUST="int" # FW_SERVICES_EXT_IP="esp" # FW_SERVICES_EXT_UDP="isakmp" # FW_PROTECT_FROM_INT="no" # # Defaults to "no" if not set # FW_IPSEC_TRUST="no" ## Type: string ## Default: # # 30.) # Define additional firewall zones # # The built-in zones INT, EXT and DMZ must not be listed here. Names # of additional zones must only contain lowercase ascii characters. # To define rules for the additional zone, take the approriate # variable for a built-in zone and substitute INT/EXT/DMZ with the # name of the additional zone. # # Example: # FW_ZONES="wlan" # FW_ZONES="" ## Type: list(yes,no,auto,) ## Default: # # 31.) # Whether to use iptables-batch # # iptables-batch commits all rules in an almost atomic way similar # to iptables-restore. This avoids excessive iptables calls and race # conditions. # # Choice: # - yes: use iptables-batch if available and warn if it isn't # - no: don't use iptables-batch # - auto: use iptables-batch if available, silently fall back to # iptables if it isn't # # Defaults to "auto" if not set # FW_USE_IPTABLES_BATCH="" ## Type: string ## Default: # # 32.) # Which additional kernel modules to load at startup # # Example: # FW_LOAD_MODULES="nf_conntrack_netbios_ns" # # See also FW_SERVICES_ACCEPT_RELATED_EXT # FW_LOAD_MODULES="nf_conntrack_netbios_ns" ## Type: string ## Default: # # 33.) # Bridge interfaces without IP address # # Traffic on bridge interfaces like the one used by xen appears to # enter and leave on the same interface. Add such interfaces here in # order to install special permitting rules for them. # # Format: list of interface names separated by space # # Note: this option is deprecated, use FW_FORWARD_ALLOW_BRIDGING instead # # Example: # FW_FORWARD_ALWAYS_INOUT_DEV="xenbr0" # FW_FORWARD_ALWAYS_INOUT_DEV="" ## Type: string ## Default: # # Whether traffic that is only bridged but not routed should be # allowed. Such packets appear to pass though the forward chain so # normally they would be dropped. # # Choice: # - yes: always install a rule to allow bridge traffic # - no: don't install a rule to allow bridge traffic # - auto: install rule only if there are bridge interfaces # # Defaults to "auto" if not set # FW_FORWARD_ALLOW_BRIDGING=""