HOST_OPEN_TCP=""
HOST_OPEN_UDP=""
HOST_OPEN_IP=""
HOST_OPEN_ICMP=""
# Put in the following variables which hosts you want to DENY(DROP) for certain
# services (and logged).
# TCP/UDP port format (HOST_DENY_TCP & HOST_DENY_UDP):
# "host1,host2~port1,port2 host3,host4~port3,port4 ..."
#
# IP protocol format (HOST_DENY_IP):
# "host1,host2~proto1,proto2 host3,host4~proto3,proto4 ..."
#
# ICMP protocol format (HOST_DENY_ICMP):
# "host1 host2 ...."
# -----------------------------------------------------------------------------
HOST_DENY_TCP=""
HOST_DENY_UDP=""
HOST_DENY_IP=""
HOST_DENY_ICMP=""
# Put in the following variables which hosts you want to DENY(DROP) for certain
# services but NOT logged.
# NOTE: unlogged drops leave no trace in the firewall log; prefer the logged
# HOST_DENY_* variables unless a known-noisy source is flooding the log.
# TCP/UDP port format (HOST_DENY_xxx_NOLOG):
# "host1,host2~port1,port2 host3,host4~port3,port4 ..."
#
# IP protocol format (HOST_DENY_IP_NOLOG):
# "host1,host2~proto1,proto2 host3,host4~proto3,proto4 ..."
#
# ICMP protocol format (HOST_DENY_ICMP_NOLOG):
# "host1 host2 ...."
# -----------------------------------------------------------------------------
HOST_DENY_TCP_NOLOG=""
HOST_DENY_UDP_NOLOG=""
HOST_DENY_IP_NOLOG=""
HOST_DENY_ICMP_NOLOG=""
# Put in the following variables which hosts you want to REJECT (instead of
# DROP) for certain TCP/UDP ports.
# NOTE: REJECT answers the sender (so the port is visibly filtered rather than
# silently black-holed); DROP is the quieter default.
# TCP/UDP port format (HOST_REJECT_xxx):
# "host1,host2~port1,port2 host3,host4~port3,port4 ..."
# -----------------------------------------------------------------------------
HOST_REJECT_TCP=""
HOST_REJECT_UDP=""
# Put in the following variables which hosts you want to REJECT (instead of
# DROP) for certain services but NOT logged.
# TCP/UDP port format (HOST_REJECT_xxx_NOLOG):
# "host1,host2~port1,port2 host3,host4~port3,port4 ..."
# -----------------------------------------------------------------------------
HOST_REJECT_TCP_NOLOG=""
HOST_REJECT_UDP_NOLOG=""
# Put in the following variables which services THIS machine is NOT
# permitted to connect TO (remote end-point) via the external (internet)
# interface. For example for blocking IRC (tcp 6666:6669).
# -----------------------------------------------------------------------------
DENY_TCP_OUTPUT=""
DENY_UDP_OUTPUT=""
DENY_IP_OUTPUT=""
# Put in the following variables to which hosts THIS machine is NOT
# permitted to connect TO for certain services (remote end-point)
# via the external (internet) interface. In principle you can also
# use this to put your machine in a "virtual-DMZ" by blocking all traffic
# to your local subnet.
# TCP/UDP port format (HOST_DENY_TCP_OUTPUT & HOST_DENY_UDP_OUTPUT):
# "host1,host2~port1,port2 host3,host4~port3,port4 ..."
#
# IP protocol format (HOST_DENY_IP_OUTPUT):
# "host1,host2~proto1,proto2 host3,host4~proto3,proto4 ..."
# -----------------------------------------------------------------------------
HOST_DENY_TCP_OUTPUT=""
HOST_DENY_UDP_OUTPUT=""
HOST_DENY_IP_OUTPUT=""
# Enable (1) to make the default policy allow IPv4 ICMP (ping) for INET access
# Note: Other ICMP variables apply to both IPv4 and IPv6 unless otherwise noted.
# -----------------------------------------------------------------------------
OPEN_ICMP="1"
# Disable (0) to make the default policy drop IPv6 ICMPv6 for INET access
# Note: Other ICMP variables apply to both IPv4 and IPv6 unless otherwise noted.
# NOTE(review): this value is unquoted while OPEN_ICMP above is quoted; the two
# forms are presumably equivalent if this file is sourced by the shell (the
# $FTP_PORT reference below suggests it is), but keep one style - confirm.
# -----------------------------------------------------------------------------
OPEN_ICMPV6=1
# Enable (1) to make the default policy allow IPv6 ICMPv6
# Multicast Listener Discovery (RFC 2710, 3810) for INET access
# Note: Requires setting OPEN_ICMPV6=1 to apply.
# -----------------------------------------------------------------------------
OPEN_ICMPV6_MLD=0
# Put in the following variables which ports or IP protocols you want to leave
# open to the whole world.
# NOTE(review): every port listed here accepts connections from ANY source
# address, so keep the list to services that genuinely must be public.
# 21/20 and $FTP_PORT (FTP), 25 (SMTP), 110 (POP3) and 143 (IMAP) exchange
# credentials in clear text unless the daemons enforce STARTTLS; 993/995 are
# the TLS variants. 436 is not a well-known service port - confirm what
# listens there. $FTP_PORT is presumably expanded when this file is read; if it
# is unset the list contains an empty element ("22,,436"), and how the
# firewall treats that is not visible here - define it before relying on it.
# The list mixes "a,b" and "a, b" spacing; one form is easier to audit.
# -----------------------------------------------------------------------------
OPEN_TCP="22,$FTP_PORT,436, 25, 80, 110, 143, 443, 465, 587, 993, 995, 21, 20"
OPEN_UDP=""
OPEN_IP=""
# Put in the following variables the TCP/UDP ports you want to DENY(DROP) for
# everyone (and logged). Also use these variables if you want to log connection
# attempts to these ports from everyone (also trusted/full access hosts).
# In principle you don't need these variables, as everything is already blocked
# (denied) by default; they exist for consistency and for the logging above.
# -----------------------------------------------------------------------------
DENY_TCP=""
DENY_UDP=""
# Put in the following variables which ports you want to DENY(DROP) for
# everyone but NOT logged. This is very useful if you have constant probes on
# the same port(s) over and over again (code red worm) and don't want your logs
# flooded with it.
# -----------------------------------------------------------------------------
DENY_TCP_NOLOG=""
DENY_UDP_NOLOG=""
# Put in the following variables the TCP/UDP ports you want to REJECT (instead
# of DROP) for everyone (and logged).
# -----------------------------------------------------------------------------
REJECT_TCP=""
REJECT_UDP=""
# Put in the following variables the TCP/UDP ports you want to REJECT (instead
# of DROP) for everyone but NOT logged.
# -----------------------------------------------------------------------------
REJECT_TCP_NOLOG=""
REJECT_UDP_NOLOG=""
# Put in the following variable which hosts you want to block (blackhole,
# dropping every packet from the host).
# -----------------------------------------------------------------------------
BLOCK_HOSTS=""
# Blocked Hosts are by default blocked in both Inbound and Outbound directions.
# If only Inbound blocking is desired, set to 0 to disable bidirectional blocking.
# -----------------------------------------------------------------------------
BLOCK_HOSTS_BIDIRECTIONAL=1
# Uncomment & specify here the location of the file that contains a list of
# hosts(IPs) that should be BLOCKED. IP ranges can (only) be specified as
# w.x.y.z1-z2 (eg. 192.168.1.10-15). Note that the last line of this file
# should always end with a newline (enter)!
# NOTE(review): the assignment below is already active (not commented out), so
# the file is consulted on every start; confirm it exists, is writable only by
# root, and check how the firewall behaves when it is missing.
# -----------------------------------------------------------------------------
BLOCK_HOSTS_FILE="/etc/arno-iptables-firewall/blocked-hosts"