##
## lutelwall.conf - Configuration file for LutelWall
##
## Please send suggestions about this file and firewall script to tomek@lutel.pl

# This configuration file is divided as follows:
#
# Section 1: Interface settings
# Section 2: Traffic rules
# Section 3: General security settings
# Section 4: Miscellaneous

# Note: commented or unset variables will get their default values

################################################# Section 1: Interface settings

# ExternalInterfaces [interface list|auto] (default: auto)
# Interface or list of interfaces connected to the internet; the interface
# connected to the default gateway must be first on the list.
# Note: Do not use "auto" if you have more than one external interface, or the
# script will incorrectly recognize the external interface.
# Example: ExternalInterfaces eth0
#
#ExternalInterfaces auto

# InternalInterfaces [interface list|auto] (default: auto)
# Interface or list of interfaces at your LAN side. In the default setting (auto)
# all non-external interfaces will be treated as internal.
# Example: InternalInterfaces eth1 eth2:0 eth2:1
#
#InternalInterfaces auto

###################################################### Section 2: Traffic rules

# Rule client server service[(extension,...)][,...] target[,...]
#
# All rules are parsed and applied in top-to-bottom order.
# If no rule lines are present, the default is to deny (drop) traffic.
#
# CLIENT, SERVER:
#
# me              - resolves to all IP addresses of our firewall box
# internet        - all internet hosts (hosts behind external interface)
# lan             - all lan hosts (hosts behind internal interface)
# all             - synonym of 0/0 - all internet and all lan hosts
# (hostname)      - DNS name of host
# (ip)            - IP address of computer or network.
#                   Example: 1.2.3.4 or 10.0.0.0/8 or 10.0.0.0/255.0.0.0
# (interface)     - Will be translated to the IP of the given interface label
#                   Example: eth0 or eth1:1
# (interface-net) - Will be translated to the net behind the given interface
#                   Example: eth0-net or eth1:1-net
# (mac)           - match source MAC address. It must be of the form
#                   XX:XX:XX:XX:XX:XX
# (ip-mac)        - match source MAC and IP addresses, ex:
#                   10.0.0.5-00:09:7B:89:48:54
#
# SERVICE:
#
# TCP/IP services:
#
# Short name      Port(s)                   Protocol description
#
# all             all                       all TCP and UDP services
# ftp             20,21                     FTP passive and active
# ftp-active      20,21                     FTP active
# ftp-passive     21                        FTP passive
# ssh             22                        SSH Remote Login Protocol
# telnet          23                        Telnet
# smtp            25                        Incoming mail
# time            37                        timserver
# whois           43                        nicname
# domain          53                        name-domain server
# dhcp / bootp    67,68                     DHCP / bootp
# tftp            69                        tFTP
# www             80                        WorldWideWeb HTTP
# kerberos        88                        Kerberos v5
# pop3            110                       Outgoing mail
# auth            113                       IDENT authentication
# sftp            115                       FTP over SSL
# news            119                       USENET News Transfer Protocol
# ntp             123                       Network Time Protocol
# netbios         137,138,139,445           All NETBIOS Protocols
# netbios-ns      137                       NETBIOS Name Service
# netbios-dgm     138                       NETBIOS Datagram Service
# netbios-ssn     139                       NETBIOS session service
# imap2           143                       Interim Mail Access Proto v2
# snmp            161                       Simple Net Mgmt Proto
# snmp-trap       162                       Traps for SNMP
# imap3           220                       Interactive Mail Access
# ldap            389                       Lightweight Directory Access P
# https           443                       MCom
# microsoft-ds    445                       Microsoft-DS
# syslog          514                       System Logger
# printer         515                       line printer spooler
# ntps            563                       NNTP over SSL
# ldaps           636                       LDAP over SSL
# kerberos4       750                       Kerberos 4 (server)
# kerberosm       751                       Kerberos authentication
# rsync           873                       rsync
# imaps           993                       IMAP over SSL
# pop3s           995                       POP-3 over SSL
# socks           1080                      socks proxy server
# ms-sql-s        1433                      Microsoft-SQL-Server
# ms-sql-m        1434                      Microsoft-SQL-Monitor
# squid           3128                      Squid WebCache
# mysql           3306                      MySQL
# rdesktop        3389                      Remote Desktop Protocol
# hylafax         4559                      HylaFAX client-server protocol
# emule           4662,4672,4661,4665,4711  Emule
# postgres        5432                      PostgreSQL
# ircd            6667                      Internet Relay Chat
# proxy           8080                      PROXY service
# donkey          12002                     E-Donkey
#
# Note: If you want to use a service on a non-standard port, use:
# servicename-yourport (for ex. proxy-3128).
#
# If you want to set up your own service, edit the rule_parser_chain_build
# function or use proto[-port] (for ex. 6-80 or tcp-80 is the www service)
#
# ICMP messages:
#
# icmp or icmp-all
# icmp-8 or icmp-echo-reply
# icmp-3 or icmp-destination-unreachable
# icmp-3/0 or icmp-network-unreachable
# icmp-3/1 or icmp-host-unreachable
# icmp-3/2 or icmp-protocol-unreachable
# icmp-3/3 or icmp-port-unreachable
# icmp-3/4 or icmp-fragmentation-needed
# icmp-3/5 or icmp-source-route-failed
# icmp-3/6 or icmp-network-unknown
# icmp-3/7 or icmp-host-unknown
# icmp-3/8 or icmp-network-prohibited
# icmp-3/9 or icmp-host-prohibited
# icmp-3/11 or icmp-TOS-network-unreachable
# icmp-3/12 or icmp-TOS-host-unreachable
# icmp-3/13 or icmp-communication-prohibited
# icmp-3/14 or icmp-host-precedence-violation
# icmp-3/15 or icmp-precedence-cutoff
# icmp-4 or icmp-source-quench
# icmp-5 or icmp-redirect
# icmp-5/0 or icmp-network-redirect
# icmp-8/0 or icmp-ping
#
# EXTENSION:
#
# limit=rate
#   Maximum average matching rate: specified as a number, with an optional
#   `/second', `/minute', `/hour', or `/day' suffix.
#
# TARGET:
#
# accept
#   Accept traffic defined in the rule.
# drop
#   Drop the traffic defined in the rule on the floor.
# reject
#   This is used to drop traffic and send back an error packet.
# dnat=ip:port
#   Redirect traffic defined in the rule to ip:port. For example, our external
#   interface is eth0, we have a WWW server on 10.0.0.2 and we want it to be
#   visible from the internet...
#   Rule internet eth0 http dnat=10.0.0.2:80
# mark=value
#   This is used to set the netfilter mark value associated with the packet.
#   It can for example be used in conjunction with iproute2.
# log
#   This is a "non-terminating target", i.e. rule traversal continues at the
#   next rule.
#   So if you want to log the packets you refuse, use log,reject
#   or log,drop.

################################# RULES LIST #################################
#
# client          server          service(s)                       target(s)
# -------------------------------------------------------------------------
#
# Rules are parsed and applied in top-to-bottom order. Here is a simple example,
# assuming eth0 is the external and eth1 the internal interface...

# First rule prevents your session from being cut off
Rule all me ssh accept

# We allow our firewall to connect to FTP, SSH, TIME, DOMAIN, HTTP and RSYNC
Rule eth0 all ftp,ssh,time,domain,http,rsync accept

# Accept connections from LAN to the DOMAIN and PROXY servers on our box
Rule lan eth1 domain,proxy accept

# We allow only SMTP and POP3 through masquerade (WWW should go via PROXY)
Rule lan internet smtp,pop3 accept

# The user on 10.0.0.2 can also connect to FTP, SSH and NEWS servers
Rule 10.0.0.2 internet ftp,ssh,news accept

# Here we should reject some traffic instead of dropping it; this is mainly
# useful for blocking ident (113/tcp) lookups or proxy probes, which occur
# frequently.
Rule all me auth,proxy,proxy-3128 reject

# Rules defining ICMP traffic; here we allow incoming
# destination-unreachable at a rate of 5/s and time-exceeded ICMP packets at 3/s:
Rule all me icmp-3(limit=5/s),icmp-11(limit=3/s) accept
Rule me all icmp-3/3 accept

# Log and accept pings (icmp-8/0) and pongs (icmp-0/0) from anyone to us...
Rule all me icmp-0/0,icmp-8/0(limit=3/s) log,accept
Rule me all icmp-0/0(limit=3/s),icmp-8/0 log,accept

# To keep some traffic from cluttering up your log, drop it now, for ex:
Rule lan lan netbios drop

# After your last rule, all traffic is logged, then dropped as defined in the
# firewall default policy. This is most secure; however, if you want to change
# this policy, edit policy_filter_start in the firewall script.
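The rule grammar documented in Section 2, worked through in code. This is an added example written for this page, not LutelWall's own rule_parser_chain_build: it parses `Rule client server service[(extension,...)][,...] target[,...]` lines into the iptables commands such a rule would correspond to, so you can see how a comma-separated service list, the `limit=` extension, the `servicename-port` and `proto-port` forms and a `log,accept` target pair expand. The chain name `lutelwall_rules`, the protocol column of the service subset, the ICMP name subset and the decision to leave `me`, `lan`, `internet`, `all`, hostnames and interface labels as a rule comment (the real script resolves them to addresses at load time) are assumptions of the example.

```python
"""Added example: expand LutelWall-style Rule lines into iptables commands.

Not LutelWall's own parser. SERVICE_TABLE's protocol column, ICMP_NAMES, the
chain name and the endpoint handling are assumptions made for this example.
"""
import re
from typing import Dict, List, Tuple

CHAIN = "lutelwall_rules"  # assumed chain name; the real script builds its own chains

# Constructed subset of the service table in this file: name -> [(proto, port)].
SERVICE_TABLE: Dict[str, List[Tuple[str, str]]] = {
    "ssh": [("tcp", "22")],
    "smtp": [("tcp", "25")],
    "domain": [("udp", "53"), ("tcp", "53")],
    "www": [("tcp", "80")],
    "pop3": [("tcp", "110")],
    "auth": [("tcp", "113")],
    "proxy": [("tcp", "8080")],
    "netbios": [("udp", "137"), ("udp", "138"), ("tcp", "139"), ("tcp", "445")],
}
PROTO_NUMBERS = {"6": "tcp", "17": "udp"}          # for the numeric proto-port form
ICMP_NAMES = {"all": "all", "ping": "8/0", "destination-unreachable": "3",
              "port-unreachable": "3/3", "source-quench": "4", "redirect": "5"}
RATE_UNITS = {"s": "second", "m": "minute", "h": "hour", "d": "day"}
IP_RE = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}(?:/\S+)?$")


def split_top_level(text: str) -> List[str]:
    """Split on commas outside parentheses: 'a(limit=1/s),b' -> ['a(limit=1/s)', 'b']."""
    parts, depth, cur = [], 0, []
    for ch in text:
        depth += (ch == "(") - (ch == ")")
        if ch == "," and depth == 0:
            parts.append("".join(cur))
            cur = []
        else:
            cur.append(ch)
    parts.append("".join(cur))
    return parts


def parse_extensions(ext: str) -> List[str]:
    """'limit=5/s' -> ['-m limit --limit 5/second']; limit is the only extension."""
    out = []
    for item in (ext.split(",") if ext else []):
        key, _, val = item.partition("=")
        num, _, unit = val.partition("/")
        if key != "limit" or not num.isdigit() or (unit and unit[0] not in RATE_UNITS):
            raise ValueError(f"bad extension: {item}")
        out.append(f"-m limit --limit {num}" + (f"/{RATE_UNITS[unit[0]]}" if unit else ""))
    return out


def parse_service(token: str) -> Tuple[List[str], List[str]]:
    """One service token -> (iptables match fragments, extension fragments)."""
    m = re.fullmatch(r"([^()]+)(?:\((.*)\))?", token)
    if not m:
        raise ValueError(f"bad service token: {token}")
    name, extensions = m.group(1), parse_extensions(m.group(2))
    if name == "icmp" or name.startswith("icmp-"):
        spec = ICMP_NAMES.get(name[5:] or "all", name[5:])   # names -> type[/code]
        if spec == "all":
            return ["-p icmp"], extensions
        if not re.fullmatch(r"\d+(?:/\d+)?", spec):
            raise ValueError(f"unknown ICMP message: {name}")
        return [f"-p icmp --icmp-type {spec}"], extensions
    if name == "all":
        return ["-p tcp", "-p udp"], extensions
    if name in SERVICE_TABLE:
        pairs = SERVICE_TABLE[name]
    else:
        base, _, port = name.rpartition("-")
        if not port.isdigit():
            raise ValueError(f"unknown service: {name}")
        if base in SERVICE_TABLE:                 # servicename-yourport, e.g. proxy-3128
            pairs = list(dict.fromkeys((proto, port) for proto, _ in SERVICE_TABLE[base]))
        elif base in ("tcp", "udp"):              # proto-port, e.g. tcp-80
            pairs = [(base, port)]
        elif base in PROTO_NUMBERS:               # numeric proto-port, e.g. 6-80
            pairs = [(PROTO_NUMBERS[base], port)]
        else:
            raise ValueError(f"unknown service: {name}")
    return [f"-p {proto} --dport {port}" for proto, port in pairs], extensions


def target_args(token: str) -> Tuple[str, str]:
    """One target token -> (iptables table, jump fragment)."""
    simple = {"accept": "-j ACCEPT", "drop": "-j DROP", "reject": "-j REJECT", "log": "-j LOG"}
    if token in simple:
        return "filter", simple[token]
    key, _, val = token.partition("=")
    if key == "dnat" and re.fullmatch(r"\d{1,3}(?:\.\d{1,3}){3}:\d+", val):
        return "nat", f"-j DNAT --to-destination {val}"
    if key == "mark" and val.isdigit():
        return "mangle", f"-j MARK --set-mark {val}"
    raise ValueError(f"unknown target: {token}")


def endpoint_args(token: str, side: str) -> str:
    """IPs/networks become -s (client) or -d (server); keywords, hostnames and
    interface labels are left to the comment (assumed simplification)."""
    if IP_RE.match(token):
        return ("-s " if side == "client" else "-d ") + token
    return ""


def parse_rule(line: str) -> List[str]:
    """Expand one 'Rule client server services targets' line into commands."""
    fields = line.split()
    if len(fields) != 5 or fields[0] != "Rule":
        raise ValueError(f"malformed rule: {line!r}")
    _, client, server, services, targets = fields
    where = [a for a in (endpoint_args(client, "client"), endpoint_args(server, "server")) if a]
    comment = f'-m comment --comment "{client} -> {server}"'
    # log is non-terminating, so it must come before accept/drop/reject to fire
    target_list = sorted(split_top_level(targets), key=lambda t: t != "log")
    commands = []
    for svc in split_top_level(services):
        matches, extensions = parse_service(svc)
        for match in matches:
            for tgt in target_list:
                table, jump = target_args(tgt)
                commands.append(" ".join(["iptables", "-t", table, "-A", CHAIN,
                                          *where, match, *extensions, comment, jump]))
    return commands


if __name__ == "__main__":
    for rule in ("Rule all me auth,proxy,proxy-3128 reject",
                 "Rule all me icmp-0/0,icmp-8/0(limit=3/s) log,accept",
                 "Rule internet eth0 www dnat=10.0.0.2:80"):
        print("\n".join(parse_rule(rule)))
```

Running the file prints the expansion of three rules from the list above. The useful check for a deployed firewall is the reverse one: compare what `iptables-save` shows against what each Rule line is supposed to mean, in particular that every `log` target precedes its terminating partner and that rate-limited ICMP matches carry the `limit` match you expect.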
########################################## Section 3: General security settings

# Stateful [yes|no] (default: yes)
# A stateful firewall remembers the context of connections and continuously
# updates this state information in dynamic connection tables. This can be
# a very good thing because a hacker trying to gain access through the firewall
# has less chance of forging an entry as part of a valid series of connections,
# because the context shows that the additional connection does not make sense
# in the context of the legitimate user.
#
#Stateful yes

# DontFragment [yes|no] (default: yes)
# If you set this to no, your firewall will accept fragmented packets. Because
# there is no way to tell the source or destination ports of such packets
# (or the ICMP type), such packets will not match any rules which specify them.
#
#DontFragment yes

# ICMPEchoIgnoreAll [yes|no] (default: no)
# Setting this to yes will cause the firewall to drop incoming ICMP echo messages
# regardless of the traffic rules.
#
#ICMPEchoIgnoreAll no

# ICMPEchoIgnoreBroadcasts [yes|no] (default: yes)
# "yes" disables responses to ICMP broadcasts and will prevent Smurf attacks.
# The Smurf attack works by sending an ICMP ping message to the broadcast
# address of a network. Typically the attacker will use a spoofed source address.
# All the computers on the network will respond to the ping message, thereby
# flooding the spoofed host.
#
#ICMPEchoIgnoreBroadcasts yes

# ICMPIgnoreBogusErrorResponses [yes|no] (default: yes)
# Enable protection against bogus error message responses.
#
#ICMPIgnoreBogusErrorResponses yes

# AcceptSourceRoute [yes|no] (default: no)
# Source routed packets can be used to defeat some access control mechanisms.
# They can fool your machine into thinking it's talking to a local machine
# or other trusted host. There is rarely a legitimate need to use source routed
# packets, so they are blocked by default.
#
#AcceptSourceRoute no

# AcceptRedirects [yes|no] (default: no)
# Disable ICMP redirect acceptance. ICMP redirects can be used to alter your
# routing tables, possibly to a bad end.
#
#AcceptRedirects no

# RPFilter [all|(interface list)|none] (default: all)
# Turn on reverse path filtering for the given interfaces. This helps make sure
# that packets use legitimate source addresses, by automatically rejecting
# incoming packets if the routing table entry for their source address does not
# match the network interface they are arriving on. This has security advantages
# because it prevents IP spoofing.
#
# Warning: Turning on reverse path filtering can be a problem if you use
# asymmetric routing (packets from you to a host take a different path than
# packets from that host to you) or if you operate a non-routing host which has
# several IP addresses on different interfaces.
#
#RPFilter all

# LOGMartians [yes|no] (default: yes)
# Log spoofed packets, source routed packets and redirect packets.
#
#LOGMartians yes

# BlockIANAReserved [all|(interface list)|none] (default: all)
# All IPv4 address space reserved by IANA should be blocked on all your
# external interfaces. You should keep the default.
#
#BlockIANAReserved all

# Multicasts [all|(interface list)|none] (default: none)
# This parameter controls which interfaces can receive multicast (224/8) packets
#
#Multicasts none

# Broadcasts [all|(interface list)|none] (default: all)
# This parameter controls which interfaces can receive broadcast packets
#
#Broadcasts all

# TCPSyncookies [yes|no] (default: yes)
# It is possible to conduct denial-of-service attacks by creating TCP half-open
# connections against any system connected to the Internet that provides
# TCP-based network services. TCP syncookies protection is the answer to this
# attack.
#
#TCPSyncookies yes

# TCPMaxSynRate [packets/s|no] (default: 40/s)
# TCPMaxBurst [packets] (default: 10)
# Limit the rate at which TCP SYN packets can enter, go through or exit the
# firewall.
#
#TCPMaxSynRate 40/s
#TCPMaxBurst 10

# UDPMaxRate [packets/s|no] (default: 60/s)
# UDPMaxBurst [packets] (default: 10)
# Limit the rate at which all UDP packets can enter, go through or exit the
# firewall.
#
#UDPMaxRate 60/s
#UDPMaxBurst 10

# ICMPMaxRate [packets/s|no] (default: 5/s)
# Limit the rate at which all ICMP packets can enter, go through or exit the
# firewall.
#
#ICMPMaxRate 5/s

############################################################### Section 4: Misc
#
# StaticIP [yes|no|auto] (default: auto)
# When set to "no" all connections are forgotten when the interface goes down.
# This is the correct behavior when the next dialup is unlikely to have the same
# interface address (and hence any established connections are lost anyway).
#
#StaticIP auto

# CheckNewVersion [yes|no] (default: no)
# "yes" will attempt to check at startup for a new version of the firewall. It
# will send some basic information (uname -a) about your box for statistical
# reasons. Your box must be able to connect to http://firewall.lutel.pl and
# have wget. If you are using a PROXY, set the http_proxy variable or edit
# /etc/wgetrc. Your firewall must allow connections to http://firewall.lutel.pl.
#
#CheckNewVersion no

# UpdateIANAReserved [yes|no] (default: no)
# Set "no" if you don't want to automatically update the IANA reserved address
# space on firewall startup. Updates require wget to be installed.
# If you are using a PROXY, set the http_proxy variable or edit /etc/wgetrc.
#
#UpdateIANAReserved no

# ClampMSStoPMTU [yes|no] (default: no)
# This is used to overcome criminally braindead ISPs or servers which block ICMP
# Fragmentation Needed packets. The symptoms of this problem are that everything
# works fine from your Linux firewall/router, but machines behind it can never
# exchange large packets:
# 1) Web browsers connect, then hang with no data received.
# 2) Small mail works fine, but large emails hang.
# 3) ssh works fine, but scp hangs after the initial handshake.
#
#ClampMSStoPMTU no

# Output [value] (default: 3)
# 0 - completely silent
# 1 - display only the startup message
# 2 - as 1 but also errors
# 3 - as 2 but also warnings
# 4 - as 3 but also verbose messages
# 5 - even more verbose than 4
#
#Output 3

# UseSyslog [yes|no] (default: yes)
# Set to no if you don't want errors or warnings to go to syslog
#
#UseSyslog yes

# SETI [yes|no] (default: no)
# Change to yes and your firewall box will look for extraterrestrials :-)
# You will also join the Lutel SETI Team and help to popularize Lutel Firewall.
# Experiment details can be found at http://setiathome.ssl.berkeley.edu/
#
#SETI no
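Most of the Section 3 options (ICMPEchoIgnoreAll, ICMPEchoIgnoreBroadcasts, ICMPIgnoreBogusErrorResponses, AcceptSourceRoute, AcceptRedirects, RPFilter, LOGMartians, TCPSyncookies) describe kernel behaviour rather than packet-filter rules. The following is an added example written for this page, not LutelWall's own code: it reads those options with the defaults documented above, derives the standard Linux `net.ipv4` sysctl keys they correspond to, and compares them against a snapshot of the running values, which is the check an administrator wants after a reboot or a kernel upgrade. Which sysctl the real script sets for each option is this example's assumption; the sample config and the "running" snapshot are constructed. Stateful, DontFragment, BlockIANAReserved, Multicasts, Broadcasts and the *MaxRate options are netfilter matters and are deliberately left out.

```python
"""Added example: derive and audit the sysctls implied by LutelWall Section 3.

Not LutelWall's own code; the option -> sysctl mapping is an assumption based on
the option descriptions in the file. Sample inputs below are constructed.
"""
from typing import Dict, List

# Defaults exactly as documented in Section 3 of lutelwall.conf.
DEFAULTS = {
    "ICMPEchoIgnoreAll": "no",
    "ICMPEchoIgnoreBroadcasts": "yes",
    "ICMPIgnoreBogusErrorResponses": "yes",
    "AcceptSourceRoute": "no",
    "AcceptRedirects": "no",
    "RPFilter": "all",
    "LOGMartians": "yes",
    "TCPSyncookies": "yes",
}
# yes/no options backed by one global key (assumed mapping).
GLOBAL_KEYS = {
    "ICMPEchoIgnoreAll": "net.ipv4.icmp_echo_ignore_all",
    "ICMPEchoIgnoreBroadcasts": "net.ipv4.icmp_echo_ignore_broadcasts",
    "ICMPIgnoreBogusErrorResponses": "net.ipv4.icmp_ignore_bogus_error_responses",
    "TCPSyncookies": "net.ipv4.tcp_syncookies",
}
# yes/no options applied through conf.all and conf.default (assumed mapping).
PER_IFACE_KEYS = {
    "AcceptSourceRoute": "accept_source_route",
    "AcceptRedirects": "accept_redirects",
    "LOGMartians": "log_martians",
}


def parse_config(text: str) -> Dict[str, str]:
    """Read 'Option value' lines on top of DEFAULTS; '#' lines and blanks are skipped."""
    opts = dict(DEFAULTS)
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, _, value = line.partition(" ")
        if key in DEFAULTS:
            opts[key] = value.strip()
    return opts


def yes_no(option: str, value: str) -> bool:
    """Reject anything but the documented yes|no values."""
    if value not in ("yes", "no"):
        raise ValueError(f"{option}: expected yes|no, got {value!r}")
    return value == "yes"


def sysctl_settings(opts: Dict[str, str]) -> Dict[str, str]:
    """Return the sysctl key -> value map implied by the Section 3 options."""
    out: Dict[str, str] = {}
    for option, key in GLOBAL_KEYS.items():
        out[key] = "1" if yes_no(option, opts[option]) else "0"
    for option, leaf in PER_IFACE_KEYS.items():
        val = "1" if yes_no(option, opts[option]) else "0"
        out[f"net.ipv4.conf.all.{leaf}"] = val
        out[f"net.ipv4.conf.default.{leaf}"] = val
    rp = opts["RPFilter"]
    if rp in ("all", "none"):
        val = "1" if rp == "all" else "0"
        out["net.ipv4.conf.all.rp_filter"] = val
        out["net.ipv4.conf.default.rp_filter"] = val
    else:
        # The kernel uses max(conf.all, conf.<iface>) for rp_filter, so keep
        # conf.all at 0 and switch on only the listed interfaces.
        out["net.ipv4.conf.all.rp_filter"] = "0"
        for iface in rp.split():
            out[f"net.ipv4.conf.{iface}.rp_filter"] = "1"
    return out


def audit(expected: Dict[str, str], running: Dict[str, str]) -> List[str]:
    """Compare against live values (as parsed from 'sysctl -a'); list mismatches."""
    return [f"{k}: expected {v}, running {running.get(k, '<unset>')}"
            for k, v in expected.items() if running.get(k) != v]


def render(expected: Dict[str, str]) -> List[str]:
    """The sysctl -w lines that would bring a host to the expected state."""
    return [f"sysctl -w {k}={v}" for k, v in expected.items()]


# Constructed sample config: rp_filter only on eth0, redirects accepted, one
# option left commented so it keeps its default.
SAMPLE_CONF = """\
RPFilter eth0
AcceptRedirects yes
#TCPSyncookies no
"""
# Constructed snapshot standing in for the relevant lines of 'sysctl -a'.
SAMPLE_RUNNING = {
    "net.ipv4.icmp_echo_ignore_broadcasts": "1",
    "net.ipv4.tcp_syncookies": "0",
    "net.ipv4.conf.all.rp_filter": "0",
    "net.ipv4.conf.eth0.rp_filter": "1",
}

if __name__ == "__main__":
    wanted = sysctl_settings(parse_config(SAMPLE_CONF))
    print("\n".join(render(wanted)))
    print("--- mismatches against running snapshot ---")
    print("\n".join(audit(wanted, SAMPLE_RUNNING)))
```

The point of `audit` is that a config file only states intent; the kernel values are what actually protect the box, and a distribution's own sysctl.d fragments or a later tool can silently override them. Feeding the real `sysctl -a` output into `SAMPLE_RUNNING` turns this into a one-shot compliance check for the settings this section documents.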