##############################################################################
## Example zone configuration file.
## Read all configuration parameters, and modify to suit your needs.
## Version $Id: zone.int,v 1.53 2003/05/25 08:50:17 afu Exp $
##############################################################################

## A sample zone configuration to control traffic to and from an internal
## network (reached via eth1).

## Name of the zone. Must match the name in fiaif.conf.
NAME=VENET

## Network interface name
DEV=venet0

## DYNAMIC: Set to '1' if the IP can change at runtime or if the IP is
## unknown when fiaif is started.
## GLOBAL: Set to '1' if this zone connects you to the internet.
DYNAMIC=1
GLOBAL=0

## Network information. Necessary only if DYNAMIC=0
#IP=192.168.0.1
#MASK=255.255.255.0
#NET=192.168.0.1/255.255.255.0
#BCAST=192.168.0.1

## IP_EXTRA specifies that the interface has multiple IP addresses;
## all the interface's extra IPs should be listed here.
IP_EXTRA=""

## Specifies extra networks in this zone (besides NET).
NET_EXTRA=""

## Specify if the zone should respond to DHCP queries.
## This is useful if a DHCP server is running on the firewall.
## Remember to set this only in the zone for which the DHCP server is running.
DHCP_SERVER=0

## The descriptions of packets coming IN to the interface specified in DEV and NETWORK to drop|accept|return
## Use: INPUT[N]=" [:port]]*]> ip[/mask]=>ip[/mask]"
##
## Note: You may automate rule numbering by using the (ugly) construction INPUT[${#INPUT[@]}]=""
## This also works for OUTPUT, FORWARD, MARK and SNAT rules.
## To replace all numbers with the array length, the following command could be used:
## $ subst 's!\(INPUT\|OUTPUT\|FORWARD\|SNAT\|MARK\)\[\([0-9]\+\)\]!\1[${#\1[@]}]!g' zone.*
##
INPUT[0]="ACCEPT ALL 0.0.0.0/0=>0.0.0.0/0"

## The descriptions of packets going OUT of the interface specified in DEV and NETWORK to drop|accept|return
## Use: OUTPUT[N]=" [:port]]*]> ip[/mask]>"
OUTPUT[0]="ACCEPT ALL 0.0.0.0/0=>0.0.0.0/0"

## Forward rules. Specify where packets entering this zone may originate from.
## Use: FORWARD[N]=" [:port]]*]> ip[/mask]>"
##
## Use this to protect a zone.
## Rules are read in the order they are written.
## Default is to drop everything, accepting only related and established connections.
FORWARD[0]="VENET ACCEPT ALL 0.0.0.0/0=>0.0.0.0/0"
FORWARD[1]="ALL DROP ALL 0.0.0.0/0=>0.0.0.0/0"

## Mark rules. Mark packets passing through the firewall.
## Use MARK[N]=" [:port]]*]> ip[/mask]>"
##
## Packet marks can be used to determine how a packet should be routed.
## FIAIF does not use marking.
#MARK[0]="ALL 1 tcp ALL 0.0.0.0/0=>0.0.0.0/0"
#MARK[1]="ALL 2 udp ALL 0.0.0.0/0=>0.0.0.0/0"

## Make special replies to incoming packets.
## Use: REPLY_XXX=" [:port]]*]> ip[/mask]>"
## Where type can be one of the following:
## icmp-net-unreachable, icmp-host-unreachable, icmp-port-unreachable,
## icmp-proto-unreachable, icmp-net-prohibited, icmp-host-prohibited or
## tcp-reset (only valid if the protocol is TCP)
## If the zone equals this zone, then the rules apply to packets originating from
## this network towards the firewall
#REPLY_AUTH="ALL tcp-reset tcp auth 0.0.0.0/0=>0.0.0.0/0"

## Alter the destination of packets.
## Use: REDIRECT_XXX=" ip[/mask]> <[ipaddr[,ipaddr]*] [port]>"
## The rule applies only to packets originating from this zone.
#REDIRECT_PROXY="tcp 80 0.0.0.0/0=>0.0.0.0/0 127.0.0.1 3128"

## Log all traffic for these IP addresses
## Use WATCH_IP="[IP[/MASK]]*|[FILE]"
#WATCH_IP="111.111.111.111/32 222.222.222.222/24"

## Strip ECN bits from all packets destined for the specified IP addresses
## in this zone
## Use: ECN_REMOVE="[IP[/MASK]]*|[FILE]"
#ECN_REMOVE="111.111.111.111/32 222.222.222.222/24"

## Disallow any communication with the specified MAC addresses in this zone
## Use: MAC_DROP="[MAC address]*|[FILE]"
## Inserted in the PREROUTING chain
#MAC_DROP="XX:XX:XX:XX:XX:XX YY:YY:YY:YY:YY:YY"

## Disallow any communication with the specified IP addresses in this zone
## Use: IP_DROP="[IP[/MASK]]*|[FILE]"
#IP_DROP="111.111.111.111/32 222.222.222.222/24"

## Change the source address of packets coming from this zone.
## This is also called masquerading.
## Use: SNAT[N]=" [:port]]*]> ip[/mask]>"
## Where: ZONE : Destination zone. The source of matched packets is
## changed to all IP numbers for the zone.
#SNAT[0]="EXT ALL 0.0.0.0/0=>0.0.0.0/0"

## Limit new packets.
## Use: LIMIT_XXX=" *|<:port>]> ip[/mask]>"
## Where:
## ZONE : The zone from which the packet originates. This can be this zone itself.
## POLICY : What to do with the packet: ACCEPT|REJECT|DROP
## LIMIT : Maximum average matching rate: specified as a number, with an optional
## '/second', '/minute', '/hour', or '/day' suffix.
## BURST : Maximum initial number of packets to match: this
## number gets recharged by one every time the limit
## specified above is not reached, up to this number.
## PROTOCOL : The protocol: tcp|udp|icmp|all. This parameter is optional.
## PORTS : If protocol is tcp|udp: A list of ports or a port range.
## icmp : A single icmp type.
## This parameter is optional, and must only be specified
## if a protocol is specified.
## IP/MASK : If PORTS are specified, then an optional IP/MASK source and destination address can be specified.
#LIMIT_PING="EXT DROP 1/second 3 ICMP echo-request 0.0.0.0/0=>0.0.0.0/0"

## Traffic Shaping.
## Enables traffic shaping for the device.
## This requires the following modules to be present or compiled statically:
## sch_ingress
## cls_fw
## cls_u32
## sch_sfq
## sch_htb/sch_hfsc
## Usage:
## TC_ENABLE=0|1
## TC_TYPE=HTB|HFSC
## TC_VOIP=0|1
## TC_UPLINK=
## TC_DOWNLINK=
## The type specifies which shaper is to be used. The HFSC shaper has more
## features than the HTB shaper, but may not be available on all systems.
## See http://luxik.cdi.cz/~devik/qos/htb/ for info about HTB, and
## http://www.cs.cmu.edu/~hzhang/HFSC/ for info about HFSC.
## TC_VOIP is only implemented for the HFSC type shaper. It reserves a minimum
## bandwidth for VoIP traffic, and creates a special high priority class
## for VoIP related traffic.
## The speeds should be below the actual speed of the link.
TC_ENABLE=0
TC_TYPE=HTB
TC_DOWNLINK=512
TC_UPLINK=512
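The following is an added example, not part of the FIAIF distribution or of this zone file. It shows the `${#ARRAY[@]}` auto-numbering construction mentioned in the INPUT section being used to build a FORWARD list in order, and adds a small review check that the list still ends with the catch-all DROP rule this file relies on (rules are read in the order written, so a later ACCEPT appended by mistake would silently open the zone). The function names `add_forward`, `forward_count`, `list_forward` and `forward_ends_with_drop` are my own, and the block requires bash, because arrays are not POSIX sh.

```shell
#!/bin/bash
# Added example (not FIAIF code): auto-numbered FORWARD rules and a
# check that the chain still ends in a catch-all DROP.

FORWARD=()

# add_forward RULE: append RULE at index ${#FORWARD[@]}, the construction
# suggested in the zone file, so rules can be reordered or inserted
# without renumbering every line by hand. Empty rules are refused.
add_forward() {
    [ -n "$1" ] || return 1
    FORWARD[${#FORWARD[@]}]="$1"
}

# forward_count: print the number of FORWARD rules defined so far.
forward_count() {
    echo "${#FORWARD[@]}"
}

# list_forward: print the rules as the FORWARD[N]="..." lines that would
# appear in the zone file, for review before deploying.
list_forward() {
    local i
    for ((i = 0; i < ${#FORWARD[@]}; i++)); do
        printf 'FORWARD[%d]="%s"\n' "$i" "${FORWARD[$i]}"
    done
}

# forward_ends_with_drop: succeed only when the last rule is the catch-all
# "ALL DROP ALL 0.0.0.0/0=>0.0.0.0/0". Because rules are evaluated in order,
# anything appended after it would take effect and widen the policy.
forward_ends_with_drop() {
    [ "${#FORWARD[@]}" -gt 0 ] || return 1
    local last="${FORWARD[${#FORWARD[@]}-1]}"
    case "$last" in
        "ALL DROP ALL 0.0.0.0/0=>0.0.0.0/0") return 0 ;;
        *) return 1 ;;
    esac
}

# Constructed sample: the two rules from the zone file above, in order.
add_forward "VENET ACCEPT ALL 0.0.0.0/0=>0.0.0.0/0"
add_forward "ALL DROP ALL 0.0.0.0/0=>0.0.0.0/0"

if [ "${BASH_SOURCE[0]}" = "$0" ]; then
    list_forward
    if forward_ends_with_drop; then
        echo "ok: FORWARD ends with catch-all DROP"
    else
        echo "warning: FORWARD does not end with catch-all DROP" >&2
    fi
fi
```

Run the script directly to see the rendered `FORWARD[N]=...` lines and the verdict; the check is deliberately strict about the exact catch-all string, so a rule that drops only part of the address space is reported rather than accepted as a default-deny.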