Sisyphus repository
Last update: 1 October 2023 | Packages: 18631 | Visits: 37843216
ALT repositories
S:1.22.1-alt4
5.1: 1.21.1-alt1
4.1: 1.21.1-alt0.M41.1
4.0: 1.21.1-alt0.M40.1
3.0: 1.19.2-alt2
+backports:1.20.1-alt0.M30.1
www.altlinux.org/Changes

Other repositories
Upstream:1.21.1

Group :: Security/Networking
Package: fiaif


##############################################################################
## Example zone configuration file.
## Read all configuration parameters, and modify to suit your needs.
## Version $Id: zone.int,v 1.53 2003/05/25 08:50:17 afu Exp $
##############################################################################

## A sample zone configuration to control traffic to and from an internal
## network (reached via eth1).

## Name of the zone. Must match the name in fiaif.conf.
NAME=VENET
## Network interface name
DEV=venet0

## DYNAMIC: Set to '1' if the IP can change at runtime or if the IP is
## unknown when fiaif is started.
## GLOBAL: Set to '1' if the IP of this zone connects you to the internet.
DYNAMIC=1
GLOBAL=0

## Network information. Necessary only if DYNAMIC=0
#IP=192.168.0.1
#MASK=255.255.255.0
#NET=192.168.0.0/255.255.255.0
#BCAST=192.168.0.255

## IP_EXTRA specifies that the interface has multiple IP addresses;
## all the interface's extra IPs should be listed here.
IP_EXTRA=""
## Specifies extra networks in this zone (besides NET).
NET_EXTRA=""

## Specify if the zone should respond to DHCP queries.
## This is useful if a DHCP server is running on the firewall.
## Remember to set this only in the zone for which the DHCP server is running.
DHCP_SERVER=0

## The descriptions of packets coming IN to the interface specified in DEV and NETWORK to drop|accept|return
## Use: INPUT[N]="<ACCEPT|REJECT|DROP> <protocol [port[:port][<,port>[:port]]*]> ip[/mask]=>ip[/mask]"
##
## Note: You may automate rule's numbering by using (ugly) construction INPUT[${#INPUT[@]}]="<rule>"
## This also works for OUTPUT, FORWARD, MARK and SNAT rules..
## For replacing all numbers with array length following command could be used:
## $ subst 's!\(INPUT\|OUTPUT\|FORWARD\|SNAT\|MARK\)\[\([0-9]\+\)\]!\1[${#\1[@]}]!g' zone.*
##
INPUT[0]="ACCEPT ALL 0.0.0.0/0=>0.0.0.0/0"

## The descriptions of packets going OUT of the interface specified in DEV and NETWORK to drop|accept|return
## Use: OUTPUT[N]="<ACCEPT|REJECT|DROP> <protocol [port[:port][<,port>[:port]]*]> <ip[/mask]=>ip[/mask]>"
OUTPUT[0]="ACCEPT ALL 0.0.0.0/0=>0.0.0.0/0"

## Forward rules. Specify where packets entering this zone may originate from.
## Use: FORWARD[N]="<zone|ALL> <ACCEPT|REJECT|DROP> <protocol [port[:port][<,port>[:port]]*]> <ip[/mask]=>ip[/mask]>"
##
## Use this to protect a zone.
## Rules are read in the order they are written.
## Default is to drop everything, accepting only related and established connections.
FORWARD[0]="VENET ACCEPT ALL 0.0.0.0/0=>0.0.0.0/0"
FORWARD[1]="ALL DROP ALL 0.0.0.0/0=>0.0.0.0/0"

## Mark rules. Mark packets passing through the firewall.
## Use: MARK[N]="<zone|ALL> <mark number> <protocol [port[:port][<,port>[:port]]*]> <ip[/mask]=>ip[/mask]>"
##
## MARK packets can be used to determine how a packet should be routed.
## FIAIF does not use marking.
#MARK[0]="ALL 1 tcp ALL 0.0.0.0/0=>0.0.0.0/0"
#MARK[1]="ALL 2 udp ALL 0.0.0.0/0=>0.0.0.0/0"

## Make special replies to incoming packets.
## Use: REPLY_XXX="<zone> <type> <protocol [port[:port][<,port>[:port]]*]> <ip[/mask]=>ip[/mask]>"
## Where type can be one of the following:
## icmp-net-unreachable, icmp-host-unreachable, icmp-port-unreachable,
## icmp-proto-unreachable, icmp-net-prohibited, icmp-host-prohibited or
## tcp-reset (only valid if the protocol is TCP)
## If the zone equals this zone, then the rules apply to packets originating from
## this network towards the firewall
#REPLY_AUTH="ALL tcp-reset tcp auth 0.0.0.0/0=>0.0.0.0/0"

## Alter the destination of packets.
## Use: REDIRECT_XXX="<protocol [port[:port]]> <ip[/mask]=>ip[/mask]> <[ipaddr[,ipaddr]*] [port]>"
## The rule applies only to packets originating from this zone.
#REDIRECT_PROXY="tcp 80 0.0.0.0/0=>0.0.0.0/0 127.0.0.1 3128"

## Log all traffic for these IP addresses
## Use: WATCH_IP="[IP[/MASK]]*|[FILE]"
#WATCH_IP="111.111.111.111/32 222.222.222.222/24"

## Strip ECN bits from all packets destined for specified IP-addresses
## in this zone
## Use: ECN_REMOVE="[IP[/MASK]]*|[FILE]"
#ECN_REMOVE="111.111.111.111/32 222.222.222.222/24"

## Disallow any communication with specified MAC addresses in this zone
## Use: MAC_DROP="[MAC address]*|[FILE]"
## Inserted on PREROUTING chain
#MAC_DROP="XX:XX:XX:XX:XX:XX YY:YY:YY:YY:YY:YY"

## Disallow any communication with specified IP addresses in this zone
## Use: IP_DROP="[IP[/MASK]]*|[FILE]"
#IP_DROP="111.111.111.111/32 222.222.222.222/24"

## Change the source address of a packet coming from this zone.
## This is also called masquerading.
## Use: SNAT[N]="<ZONE> <protocol [port[:port][<,port>[:port]]*]> <ip[/mask]=>ip[/mask]>"
## Where: ZONE : Destination zone. The source of matched packets is
## changed to all ip numbers for the zone.
#SNAT[0]="EXT ALL 0.0.0.0/0=>0.0.0.0/0"

## Limit new packets.
## Use: LIMIT_XXX="<zone> <policy> <limit> <burst> <protocol [port[<,port>*|<:port>]> <ip[/mask]=>ip[/mask]>"
## Where:
## ZONE : Is the zone from which the packet originates. This can be this zone itself.
## POLICY : Is what to do with the packet: ACCEPT|REJECT|DROP
## LIMIT : Maximum average matching rate: specified as a number, with an optional
## '/second', '/minute', '/hour', or '/day' suffix.
## BURST : Maximum initial number of packets to match: this
## number gets recharged by one every time the limit
## specified above is not reached, up to this number.
## PROTOCOL : The protocol: tcp|udp|icmp|all. This parameter is optional
## PORTS : If protocol is tcp|udp: A list of ports or a port range.
## icmp : A single icmp type.
## This parameter is optional, and may only be specified
## if a protocol is specified.
## IP/MASK : If PORTS are specified, then an optional IP/MASK source and destination address can be specified.
#LIMIT_PING="EXT DROP 1/second 3 ICMP echo-request 0.0.0.0/0=>0.0.0.0/0"

## Traffic Shaping.
## Enables traffic shaping for the device.
## This requires the following modules to be present or compiled statically:
## sch_ingress
## cls_fw
## cls_u32
## sch_sfq
## sch_htb/sch_hfsc
## Usage:
## TC_ENABLE=0|1
## TC_TYPE=HTB|HFSC
## TC_VOIP=0|1
## TC_UPLINK=<kbits>
## TC_DOWNLINK=<kbits>
## The type specifies which shaper is to be used. The HFSC shaper has more
## features than the HTB shaper, but may not be available on all systems.
## See http://luxik.cdi.cz/~devik/qos/htb/ for info about HTB, and
## http://www.cs.cmu.edu/~hzhang/HFSC/ for info about HFSC.
## TC_VOIP is only implemented for the HFSC shaper. It reserves a minimum
## bandwidth for VoIP traffic, and creates a special high priority class
## for VoIP related traffic.
## The speeds should be below the actual speed of the link.
TC_ENABLE=0
TC_TYPE=HTB
TC_DOWNLINK=512
TC_UPLINK=512
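As an added example (not part of fiaif or of this package), a small Python checker for the INPUT/OUTPUT/FORWARD rule strings in the grammar the comments above describe. It flags two things a reviewer of a zone file looks for: an ACCEPT of protocol ALL from anywhere to anywhere, and rules that can never match because an earlier catch-all rule in the same chain already ends evaluation (rules are read in the order they are written). The sample rules are constructed from this file; accepting service names as ports and dotted netmasks in `ip/mask` are assumptions about fiaif's syntax, not something the page states.

```python
import ipaddress
import re
from collections import namedtuple

POLICIES = {"ACCEPT", "REJECT", "DROP"}
ANY = ipaddress.IPv4Network("0.0.0.0/0")
# port[:port][,port[:port]]* as in the comments; service names such as "auth" allowed (assumption)
PORTS_RE = re.compile(r"^[\w-]+(:[\w-]+)?(,[\w-]+(:[\w-]+)?)*$")
Rule = namedtuple("Rule", "zone policy proto ports src dst")  # zone: source zone, FORWARD only

def parse_rule(text, chain):
    """Parse one INPUT, OUTPUT or FORWARD rule string; raise ValueError on bad syntax."""
    fields = text.split()
    try:
        zone = fields.pop(0) if chain == "FORWARD" else None
        policy, proto = fields.pop(0).upper(), fields.pop(0).lower()
        addr = fields.pop()  # the ip[/mask]=>ip[/mask] pair is always the last field
    except IndexError:
        raise ValueError(f"too few fields in {text!r}") from None
    if policy not in POLICIES:
        raise ValueError(f"unknown policy {policy!r}")
    ports = " ".join(fields) or None  # whatever sits between protocol and addresses
    if ports and (proto == "all" or (proto in ("tcp", "udp") and not PORTS_RE.match(ports))):
        raise ValueError(f"bad port spec {ports!r} for protocol {proto}")
    if "=>" not in addr:
        raise ValueError(f"expected ip[/mask]=>ip[/mask], got {addr!r}")
    # strict=False tolerates host bits; dotted masks like /255.255.255.0 parse as well (assumption)
    src, dst = (ipaddress.IPv4Network(p, strict=False) for p in addr.split("=>", 1))
    return Rule(zone, policy, proto, ports, src, dst)

def lint_zone(rules):
    """rules: (chain, rule_string) pairs in file order. Return a list of warning strings."""
    warnings, closed = [], set()  # chains in which a catch-all rule has ended evaluation
    for chain, text in rules:
        r = parse_rule(text, chain)
        catch_all = r.proto == "all" and r.src == ANY and r.dst == ANY
        if chain in closed:
            warnings.append(f"{chain}: unreachable after earlier catch-all: {text!r}")
        elif catch_all:
            if r.policy == "ACCEPT":
                warnings.append(f"{chain}: ACCEPT of all traffic from anywhere: {text!r}")
            if r.zone in (None, "ALL"):  # a zone-specific FORWARD rule does not end the chain
                closed.add(chain)
    return warnings

SAMPLE_RULES = [  # constructed: this file's three rules plus one rule placed after the drop
    ("INPUT", "ACCEPT ALL 0.0.0.0/0=>0.0.0.0/0"),
    ("FORWARD", "VENET ACCEPT ALL 0.0.0.0/0=>0.0.0.0/0"),
    ("FORWARD", "ALL DROP ALL 0.0.0.0/0=>0.0.0.0/0"),
    ("FORWARD", "EXT ACCEPT tcp 22 0.0.0.0/0=>192.168.0.10")]
```

Running `lint_zone(SAMPLE_RULES)` reports the two unrestricted accepts and the shadowed EXT rule; the `LIMIT_*`, `SNAT` and `REPLY_*` lines use different field layouts and are not covered.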
 
design and development: Vladimir Lettiev aka crux © 2004-2005, Andrew Avramenko aka liks © 2007-2008
current maintainer: Michael Shigorin