FW_DEV_EXT="eth0"
FW_DEV_INT="eth1"
FW_DEV_DMZ=""
FW_ROUTE="yes"
FW_MASQUERADE="yes"
FW_MASQ_DEV="zone:ext"
FW_MASQ_NETS="172.16.0.0/24,0/0,icmp 172.16.0.0/24,0/0,tcp,22"
FW_NOMASQ_NETS=""
FW_PROTECT_FROM_INT="yes"
FW_SERVICES_EXT_TCP="111:142 144:388 1:24 26:109 3261:3305 3307:5800 390:630 5802:5900 5902:65535 632:635 637:872 874:992 994 996:3259"
FW_SERVICES_EXT_UDP="domain ipsec-nat-t isakmp"
FW_SERVICES_EXT_IP="esp"
FW_SERVICES_EXT_RPC=""
FW_SERVICES_DMZ_TCP=""
FW_SERVICES_DMZ_UDP=""
FW_SERVICES_DMZ_IP=""
FW_SERVICES_DMZ_RPC=""
FW_CONFIGURATIONS_DMZ=""
FW_SERVICES_INT_TCP="domain"
FW_SERVICES_INT_UDP="domain"
FW_SERVICES_INT_IP=""
FW_SERVICES_INT_RPC=""
FW_CONFIGURATIONS_INT="bind sshd"
FW_SERVICES_DROP_EXT=""
FW_SERVICES_DROP_DMZ=""
FW_SERVICES_DROP_INT=""
FW_SERVICES_REJECT_EXT=""
FW_SERVICES_REJECT_DMZ=""
FW_SERVICES_REJECT_INT=""
FW_SERVICES_ACCEPT_EXT="0/0,tcp 0/0,udp"
FW_SERVICES_ACCEPT_INT="0/0,tcp 0/0,udp"
FW_SERVICES_ACCEPT_RELATED_EXT=""
FW_SERVICES_ACCEPT_RELATED_DMZ=""
FW_SERVICES_ACCEPT_RELATED_INT=""
FW_TRUSTED_NETS="172.16.0.0/24 192.168.0.0/24,icmp 192.168.0.0/24,tcp,22"
FW_ALLOW_INCOMING_HIGHPORTS_TCP=""
FW_ALLOW_INCOMING_HIGHPORTS_UDP=""
FW_FORWARD=""
FW_FORWARD_REJECT=""
FW_FORWARD_DROP=""
FW_FORWARD_MASQ=""
FW_REDIRECT=""
FW_LOG_DROP_CRIT="no"
FW_LOG_DROP_ALL="no"
FW_LOG_ACCEPT_CRIT="no"
FW_LOG_ACCEPT_ALL="no"
FW_LOG_LIMIT=""
FW_LOG=""
FW_KERNEL_SECURITY="yes"
FW_STOP_KEEP_ROUTING_STATE="no"
FW_ALLOW_PING_FW="yes"
FW_ALLOW_PING_DMZ="no"
FW_ALLOW_PING_EXT="no"
## Type: yesno
## Default: yes
#
# Allow ICMP sourcequench from your ISP?
#
# If set to yes, the firewall will notice when the connection is choking;
# however, this opens you up to a denial of service attack. Choose your poison.
#
# Defaults to "yes" if not set
FW_ALLOW_FW_SOURCEQUENCH=""

## Type: string(yes,no)
#
# Allow IP broadcasts?
#
# Whether the firewall allows broadcast packets.
# Broadcasts are used e.g. for NetBIOS/Samba, RIP, OSPF and games.
# If you want to drop broadcasts but ignore the annoying log entries, set
# FW_IGNORE_FW_BROADCAST_* to yes.
#
# Note that if you allow specific ports here it just means that broadcast
# packets for that port are not dropped. You still need to set
# FW_SERVICES_*_UDP to actually allow regular unicast packets to
# reach the applications.
#
# Format: either
#   - "yes" or "no"
#   - list of udp destination ports
#
# Examples: - "631 137" allow broadcast packets on port 631 and 137
#                       to enter the machine but drop any other broadcasts
#           - "yes"     do not install any extra drop rules for
#                       broadcast packets. They'll be treated just as unicast
#                       packets in this case.
#           - "no"      drop all broadcast packets before other filtering
#                       rules
#
# defaults to "no" if not set
FW_ALLOW_FW_BROADCAST_EXT="no"

## Type: string
#
# see comments for FW_ALLOW_FW_BROADCAST_EXT
FW_ALLOW_FW_BROADCAST_INT="no"

## Type: string
#
# see comments for FW_ALLOW_FW_BROADCAST_EXT
FW_ALLOW_FW_BROADCAST_DMZ="no"

## Type: string(yes,no)
#
# Suppress logging of dropped broadcast packets. Useful if you don't allow
# broadcasts on a LAN interface.
#
# This setting only affects packets that are not allowed according
# to FW_ALLOW_FW_BROADCAST_*
#
# Format: either
#   - "yes" or "no"
#   - list of udp destination ports
#
# Examples: - "631 137" silently drop broadcast packets on port 631 and 137
#           - "yes"     do not log dropped broadcast packets
#           - "no"      log all dropped broadcast packets
#
# defaults to "no" if not set
FW_IGNORE_FW_BROADCAST_EXT="yes"

## Type: string
#
# see comments for FW_IGNORE_FW_BROADCAST_EXT
FW_IGNORE_FW_BROADCAST_INT="yes"

## Type: string
#
# see comments for FW_IGNORE_FW_BROADCAST_EXT
FW_IGNORE_FW_BROADCAST_DMZ="yes"

## Type: list(yes,no,int,ext,dmz,)
## Default: no
#
# Specifies whether routing between interfaces of the same zone should be allowed
#
# Requires: FW_ROUTE="yes"
#
# Set this to allow routing between interfaces in the same zone,
# e.g. between all internet interfaces, or all internal network
# interfaces.
#
# Caution: Keep in mind that "yes" affects all zones, i.e. even if you
# need inter-zone routing only in the internal zone, setting this
# parameter to "yes" would allow routing between all external
# interfaces as well. It's better to use
# FW_ALLOW_CLASS_ROUTING="int" in this case.
#
# Choice: "yes", "no", or space-separated list of zone names
#
# Defaults to "no" if not set
FW_ALLOW_CLASS_ROUTING=""

## Type: string
#
# Do you want to load custom rules from a file?
#
# This is really an expert option. NO HELP WILL BE GIVEN FOR THIS!
# READ THE EXAMPLE CUSTOM RULES FILE AT /etc/sysconfig/scripts/SuSEfirewall2-custom
#
#FW_CUSTOMRULES="/etc/sysconfig/scripts/SuSEfirewall2-custom"
FW_CUSTOMRULES=""

## Type: yesno
## Default: no
#
# Do you want to REJECT packets instead of DROPing?
#
# DROPing (which is the default) will make portscans and attacks much
# slower, as no replies to the packets will be sent. REJECTing means that
# for every illegal packet, a connection reject packet is sent to the
# sender.
#
# Choice: "yes" or "no"; if not set, defaults to "no"
#
# Defaults to "no" if not set
#
# You may override this value on a per-zone basis by using a zone
# specific variable, e.g. FW_REJECT_DMZ="yes"
FW_REJECT=""

## Type: yesno
## Default: no
#
# see FW_REJECT for description
#
# default config file setting is "yes", assuming that slowing down
# portscans is not strictly required in the internal zone even if
# you protect yourself from the internal zone
FW_REJECT_INT="yes"

## Type: string
#
# Tuning your upstream a little bit via HTB (Hierarchical Token Bucket)
# for more information about HTB see http://www.lartc.org
#
# If your download collapses while you have a parallel upload,
# this parameter might be an option for you. It manages your
# upload stream and reserves bandwidth for special packets like
# TCP ACK packets or interactive SSH.
# It's a list of devices and maximum bandwidth in kbit.
# For example, the German TDSL account provides 128kbit/s upstream
# and 768kbit/s downstream. We can only tune the upstream.
#
# Example:
# If you want to tune a 128kbit/s upstream DSL device like German TDSL, set
# the following values:
#
# FW_HTB_TUNE_DEV="dsl0,125"
#
# where dsl0 is your pppoe device and 125 stands for 125kbit/s upstream.
#
# You might wonder why 125kbit/s and not 128kbit/s. Well, practically you'll
# get better performance if you keep the value a few percent under your
# real maximum upload bandwidth, to prevent the DSL modem from queuing traffic in
# its own buffers, because queuing is done by us now.
#
# So for a 256kbit upstream
#
# FW_HTB_TUNE_DEV="dsl0,250"
#
# might be a better value than "dsl0,256". There is no perfect value for a
# special kind of modem. The perfect value depends on what kind of traffic you
# have on your line, but 5% under your maximum upstream might be a good start.
# Everything else is special fine tuning.
#
# If you want to know more about the technical background, the
# ADSL Bandwidth Management HOWTO
# is a good start
FW_HTB_TUNE_DEV=""

## Type: list(no,drop,reject)
## Default: drop
#
# What to do with IPv6 packets?
#
# On older kernels ip6tables was not stateful, so it's not possible to implement
# the same features as for IPv4 on such machines. For these there are three
# choices:
#
# - no: do not set any IPv6 rules at all. Your host will allow any IPv6
#   traffic unless you set up your own rules.
# - drop: drop all IPv6 packets.
# - reject: reject all IPv6 packets. This is the default if stateful matching is
#   not available.
#
# Disallowing IPv6 packets may lead to long timeouts when connecting to IPv6
# addresses. See FW_IPv6_REJECT_OUTGOING to avoid this.
#
# Leave empty to automatically detect whether your kernel supports stateful matching.
FW_IPv6=""

## Type: yesno
## Default: yes
#
# Reject outgoing IPv6 packets?
#
# Set to yes to avoid timeouts because of dropped IPv6 packets. This option
# only makes sense with FW_IPv6 != no
#
# Defaults to "yes" if not set
FW_IPv6_REJECT_OUTGOING=""

## Type: list(yes,no,int,ext,dmz,)
## Default: no
#
# Trust level of IPsec packets.
#
# You do not need to change this if you do not intend to run
# services that should only be available through an IPsec tunnel.
#
# The value specifies how much IPsec packets are trusted. 'int', 'ext' or 'dmz'
# are the respective zones. 'yes' is the same as 'int'. 'no' means that IPsec
# packets belong to the same zone as the interface they arrive on.
#
# Note: you still need to explicitly allow IPsec traffic.
#
# Example:
#
# FW_IPSEC_TRUST="int"
# FW_SERVICES_EXT_IP="esp"
# FW_SERVICES_EXT_UDP="isakmp"
# FW_PROTECT_FROM_INT="no"
#
# Defaults to "no" if not set
FW_IPSEC_TRUST="no"

## Type: string
## Default:
#
# Define additional firewall zones
#
# The built-in zones INT, EXT and DMZ must not be listed here. Names
# of additional zones must only contain lowercase ASCII characters.
# To define rules for the additional zone, take the appropriate
# variable for a built-in zone and substitute INT/EXT/DMZ with the
# name of the additional zone.
#
# Example:
#
# FW_ZONES="wlan"
# FW_DEV_wlan="wlan0"
# FW_SERVICES_wlan_TCP="80"
# FW_ALLOW_FW_BROADCAST_wlan="yes"
FW_ZONES=""

## Type: string(no,auto)
## Default:
#
# Set default firewall zone
#
# Format: 'auto', 'no' or name of zone.
#
# When set to 'no' no firewall rules will be installed for unknown
# or unconfigured interfaces. That means traffic on such interfaces
# hits the default drop rules.
#
# When left empty or when set to 'auto' the zone that has the
# interface string 'any' configured is used for all unconfigured
# interfaces (see FW_DEV_EXT). If no 'any' string was found the
# external zone is used.
#
# When a default zone is defined a catch-all rule redirects traffic
# from interfaces that were not present at the time SuSEfirewall2
# was run to the default zone. Normally SuSEfirewall2 needs to be
# run if new interfaces appear to avoid such unknown interfaces.
#
# Defaults to 'auto' if not set
FW_ZONE_DEFAULT=""

## Type: list(yes,no,auto,)
## Default:
#
# Whether to use iptables-batch
#
# iptables-batch commits all rules in an almost atomic way similar
# to iptables-restore. This avoids excessive iptables calls and race
# conditions.
#
# Choice:
# - yes: use iptables-batch if available and warn if it isn't
# - no: don't use iptables-batch
# - auto: use iptables-batch if available, silently fall back to
#   iptables if it isn't
#
# Defaults to "auto" if not set
FW_USE_IPTABLES_BATCH=""

## Type: string
## Default:
#
# Which additional kernel modules to load at startup
#
# Example:
#
# FW_LOAD_MODULES="nf_conntrack_netbios_ns"
#
# See also FW_SERVICES_ACCEPT_RELATED_EXT
FW_LOAD_MODULES="nf_conntrack_netbios_ns"

## Type: string
## Default:
#
# Bridge interfaces without IP address
#
# Traffic on bridge interfaces like the one used by Xen appears to
# enter and leave on the same interface. Add such interfaces here in
# order to install special permitting rules for them.
#
# Format: list of interface names separated by space
#
# Note: this option is deprecated, use FW_FORWARD_ALLOW_BRIDGING instead
#
# Example:
#
# FW_FORWARD_ALWAYS_INOUT_DEV="xenbr0"
FW_FORWARD_ALWAYS_INOUT_DEV=""

## Type: string
## Default:
#
# Whether traffic that is only bridged but not routed should be
# allowed. Such packets appear to pass through the forward chain, so
# normally they would be dropped.
#
# Note: it is not possible to configure SuSEfirewall2 as a bridging
# firewall. This option merely controls whether SuSEfirewall2 should
# try to not interfere with bridges.
#
# Choice:
# - yes: always install a rule to allow bridge traffic
# - no: don't install a rule to allow bridge traffic
# - auto: install rule only if there are bridge interfaces
#
# Defaults to "auto" if not set
FW_FORWARD_ALLOW_BRIDGING=""

## Type: yesno
## Default: yes
#
# Write status information to /var/run/SuSEfirewall2/status for use
# by e.g. graphical user interfaces. Can safely be disabled on
# servers.
#
# Defaults to "yes" if not set
FW_WRITE_STATUS=""

## Type: yesno
## Default: yes
#
# Allow dynamic configuration overrides in
# /var/run/SuSEfirewall2/override for use by e.g. graphical user
# interfaces. Can safely be disabled on servers.
#
# Defaults to "yes" if not set
FW_RUNTIME_OVERRIDE=""

## Type: yesno
## Default: yes
#
# Install NOTRACK target for interface lo in the raw table. Doing so
# speeds up packet processing on the loopback interface. This breaks
# certain firewall setups that need to e.g. redirect outgoing
# packets via custom rules on the local machine.
#
# Defaults to "yes" if not set
FW_LO_NOTRACK=""

## Type: yesno
## Default: no
#
# Specifies whether /etc/init.d/SuSEfirewall2_init should install the
# full rule set already. Default is to just install minimum rules
# that block incoming traffic. Set to "yes" if you use services
# such as drbd that require open ports during boot already.
#
# Defaults to "no" if not set
FW_BOOT_FULL_INIT=""
[/QUOTE]
Here is my configuration file. I am also running a child proxy on this server, which is 172.16.0.1. I want this firewall to work so that no host is allowed to go out except 172.16.0.1, but even if I stop the firewall, hosts can still access the internet. What is my error up there?
Thanks in advance!
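As an added example (not from the post and not SuSEfirewall2's own code), a small Python lint that checks a sysconfig file against the value rules the quoted comments state: the FW_ALLOW_CLASS_ROUTING="yes" caution, the FW_ZONES naming rule, the yes/no/UDP-port-list format of the FW_ALLOW_FW_BROADCAST_* and FW_IGNORE_FW_BROADCAST_* variables, and the FW_IPv6 choices. It also flags bare 0/0,<protocol> entries in FW_SERVICES_ACCEPT_EXT, assuming that variable's net,protocol[,port] entry format; the sample file is constructed so that every check fires.

```python
"""Lint a SuSEfirewall2 sysconfig file against the value formats its own comments state."""
import re
import shlex

# Constructed sample (not the poster's file): each line violates one documented rule.
SAMPLE = """\
FW_ALLOW_CLASS_ROUTING="yes"
FW_ZONES="wlan DMZ Guest"
FW_ALLOW_FW_BROADCAST_EXT="631 137"
FW_IGNORE_FW_BROADCAST_INT="maybe"
FW_IPv6="allow"
FW_SERVICES_ACCEPT_EXT="0/0,tcp 0/0,udp"
"""

BUILTIN_ZONES = {"int", "ext", "dmz"}
BROADCAST_VARS = [f"FW_{a}_FW_BROADCAST_{z}" for a in ("ALLOW", "IGNORE") for z in ("EXT", "INT", "DMZ")]

def parse_sysconfig(text):
    """Return {VAR: value} for VAR="value" lines; '#' comments are skipped, shell quotes stripped."""
    cfg = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            key, _, raw = line.partition("=")
            cfg[key.strip()] = " ".join(shlex.split(raw))
    return cfg

def lint(cfg):
    """Return one finding per violated rule; an empty list means every check passed."""
    findings = []
    # "yes" enables same-zone routing in every zone, external included; a zone list is safer.
    if cfg.get("FW_ALLOW_CLASS_ROUTING") == "yes":
        findings.append("FW_ALLOW_CLASS_ROUTING=yes affects all zones; prefer e.g. 'int'")
    # Extra zone names: lowercase ASCII only, and the built-in zones must not be listed.
    for zone in cfg.get("FW_ZONES", "").split():
        if zone.lower() in BUILTIN_ZONES or not re.fullmatch(r"[a-z]+", zone):
            findings.append(f"FW_ZONES: invalid zone name {zone!r}")
    # Broadcast knobs take 'yes', 'no' or a space-separated list of UDP destination ports.
    for var in BROADCAST_VARS:
        if (val := cfg.get(var, "")) not in ("", "yes", "no") and not all(p.isdigit() and 0 < int(p) < 65536 for p in val.split()):
            findings.append(f"{var}: expected yes/no or UDP port list, got {val!r}")
    # FW_IPv6 is no/drop/reject, or empty to autodetect stateful matching.
    if cfg.get("FW_IPv6", "") not in ("", "no", "drop", "reject"):
        findings.append(f"FW_IPv6: expected no/drop/reject or empty, got {cfg['FW_IPv6']!r}")
    # A bare 0/0,<proto> entry accepts that whole protocol from any source on the external zone.
    for entry in cfg.get("FW_SERVICES_ACCEPT_EXT", "").split():
        if entry.startswith("0/0,") and entry.count(",") == 1:
            findings.append(f"FW_SERVICES_ACCEPT_EXT: {entry} accepts all {entry[4:]} from anywhere")
    return findings
```

Run `lint(parse_sysconfig(open("/etc/sysconfig/SuSEfirewall2").read()))` to check a real file; the parser ignores the `#` comment lines and strips the shell quotes around values.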