summaryrefslogtreecommitdiffstats
path: root/firewall_wizard/scripts/bastille-firewall.cfg.default
blob: 746c61de10c56bcad0e447fd5d21ce9e9b789a5a (plain)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
#
# /etc/bastille-firewall.cfg
#
# Configuration fiel for both 2.2/ipchains and 2.4/netfilter scripts
#
# version 0.99-beta1
# Copyright (C) 1999-2001 Peter Watkins 
#
#    This program is distributed in the hope that it will be useful,
#    but WITHOUT ANY WARRANTY; without even the implied warranty of
#    MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
#    GNU General Public License for more details.
#
#    You should have received a copy of the GNU General Public License
#    along with this program; if not, write to the Free Software
#    Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA  02111-1307  USA
#
# Thanks to David Ranch, Brad A, Don G, and others for their suggestions

# the configuration values should be whitespace-delimited lists of 
# appropriate values, e.g.
# 	TCP_PUBLIC_SERVICES="80 smtp ssh"
# lists Web (port 80), SMTP mail, and Secure Shell ports
#
# This script is suitable for workstations or simple NAT firewalls;
# you may want to add more "output" restrictions for serious servers

# 0) DNS servers. You must list your DNS servers here so that
#	the firewall will allow them to service your lookup requests
#
# List of DNS servers/networks to allow "domain" responses from
# This _could_ be nameservers as a list of <ip-address>/32 entries
#DNS_SERVERS="a.b.c.d/32 e.f.g.h/32"	
# If you are running a caching nameserver, you'll need to allow from
# "0.0.0.0/0" so named can query any arbitrary nameserver
# (To enable a caching nameserver, you will also probably need to
#  add "domain" to the TCP and UDP public service lists.)
#DNS_SERVERS="0.0.0.0/0"
#
# To have the DNS servers parsed from /etc/resolv.conf at runtime,
# as normal workstations will want, make this variable empty
#DNS_SERVERS=""
#
# Please make sure variable assignments are on single lines; do NOT
# use the "\" continuation character (so Bastille can change the
# values if it is run more than once)
DNS_SERVERS=""


# 1) define your interfaces
#	Note a "+" acts as a wildcard, e.g. ppp+ would match any PPP 
#	interface
#
# list internal/trusted interfaces
# traffic from these interfaces will be allowed 
# through the firewall, no restrictions
#TRUSTED_IFACES="lo"					# MINIMAL/SAFEST
#
# list external/untrusted interfaces
#PUBLIC_IFACES="eth+ ppp+ slip+"			# SAFEST
#
# list internal/partially-trusted interfaces
# e.g. if this acts as a NAT/IP Masq server and you
# don't want clients on those interfaces having 
# full network access to services running on this
# server (as the TRUSTED_IFACES allows)
#INTERNAL_IFACES=""				# SAFEST
#
# Please make sure variable assignments are on single lines; do NOT
# use the "\" continuation character (so Bastille can change the
# values if it is run more than once)
TRUSTED_IFACES="lo"					# MINIMAL/SAFEST
PUBLIC_IFACES="eth+ ppp+"			# SAFEST
INTERNAL_IFACES=""				# SAFEST


# 2) services for which we want to log access attempts to syslog
#	Note this only audits connection attempts from public interfaces
#
#	Also see item 12, LOG_FAILURES
#
#TCP_AUDIT_SERVICES="telnet ftp imap pop3 finger sunrpc exec login linuxconf ssh" 
# anyone probing for BackOrifice?
#UDP_AUDIT_SERVICES="31337"
# how about ICMP?
#ICMP_AUDIT_TYPES=""
#ICMP_AUDIT_TYPES="echo-request"	# ping/MS tracert
#
# To enable auditing, you must have syslog configured to log "kern"
# messages of "info" level; typically you'd do this with a line in
# syslog.conf like
#   kern.info				/var/log/messages
# though the Bastille port monitor will normally want these messages
# logged to a named pipe instead, and the Bastille script normally
# configures syslog for "kern.*" which catches these messages
#
# Please make sure variable assignments are on single lines; do NOT
# use the "\" continuation character (so Bastille can change the
# values if it is run more than once)
TCP_AUDIT_SERVICES=""
UDP_AUDIT_SERVICES=""
ICMP_AUDIT_TYPES=""


# 3) services we allow connections to
#
# FTP note:
#	To allow your machine to service "passive" FTP clients,
#	you will need to make allowances for the passive data
#	ports; Bastille users should read README.FTP for more
#	information
#
# "public" interfaces:
# TCP services that "public" hosts should be allowed to connect to
#TCP_PUBLIC_SERVICES=""					# MINIMAL/SAFEST
#
# UDP services that "public" hosts should be allowed to connect to
#UDP_PUBLIC_SERVICES=""					# MINIMAL/SAFEST
#
# "internal" interfaces:
# (NB: you will need to repeat the "public" services if you want
#      to allow "internal" hosts to reach those services, too.)
# TCP services that internal clients can connect to
#TCP_INTERNAL_SERVICES=""				# MINIMAL/SAFEST
#
# UDP services that internal clients can connect to
#UDP_INTERNAL_SERVICES=""				# MINIMAL/SAFEST
#
# Please make sure variable assignments are on single lines; do NOT
# use the "\" continuation character (so Bastille can change the
# values if it is run more than once)
#TCP_PUBLIC_SERVICES="109 53 143 80 20 21 22 110 443 25" # MINIMAL/SAFEST
TCP_PUBLIC_SERVICES=""	# MINIMAL/SAFEST
UDP_PUBLIC_SERVICES=""					# MINIMAL/SAFEST
TCP_INTERNAL_SERVICES="www ssh" # MINIMAL/SAFEST
UDP_INTERNAL_SERVICES=""				# MINIMAL/SAFEST

# 4) FTP is a firewall nightmare; if you allow "normal" FTP connections,
#	you must be careful to block any TCP services that are listening
#	on high ports; it's safer to require your FTP clients to use
#	"passive" mode. 
#
#	Note this will also force clients on machines
#	that use this one for NAT/IP Masquerading to use passive mode
#	for connections that go through this server (e.g. from the
#	internal network to public Internet machines
#
#	For more information about FTP, see the Bastille README.FTP doc
#
#FORCE_PASV_FTP="N"
#FORCE_PASV_FTP="Y"					# SAFEST
#
FORCE_PASV_FTP="N"					# SAFEST


# 5) Services to explicitly block. See FTP note above
#	Note that ranges of ports are specified with colons, and you
#	can specify an open range by using only one number, e.g.
#	1024: means ports >= 1024 and :6000 means ports <= 6000
#
# TCP services on high ports that should be blocked if not forcing passive FTP
# This should include X (6000:6010) and anything else revealed by 'netstat -an'
#  (this does not matter unless you're not forcing "passive" FTP)
#TCP_BLOCKED_SERVICES="6000:6020"
#
# UDP services to block: this should be UDP services on high ports.
# Your only vulnerability from public interfaces are the DNS and
# NTP servers/networks (those with 0.0.0.0 for DNS servers should
# obviously be very careful here!)
#UDP_BLOCKED_SERVICES="2049"
#
# types of ICMP packets to allow
#ICMP_ALLOWED_TYPES="destination-unreachable"		# MINIMAL/SAFEST
# the following allows you to ping/traceroute outbound
#ICMP_ALLOWED_TYPES="destination-unreachable echo-reply time-exceeded"
#
# Please make sure variable assignments are on single lines; do NOT
# use the "\" continuation character (so Bastille can change the
# values if it is run more than once)
TCP_BLOCKED_SERVICES="6000:6020"
UDP_BLOCKED_SERVICES="2049"
ICMP_ALLOWED_TYPES="destination-unreachable echo-reply time-exceeded"


# 6) Source Address Verification helps prevent "IP Spoofing" attacks
#
ENABLE_SRC_ADDR_VERIFY="Y"				# SAFEST


# 7) IP Masquerading / NAT. List your internal/masq'ed networks here
#
#	Also see item 4, FORCE_PASV_FTP, as that setting affects
#	clients using IP Masquerading through this machine
#
# Set this variable if you're using IP Masq / NAT for a local network
#IP_MASQ_NETWORK=""					# DISABLE/SAFEST
#IP_MASQ_NETWORK="10.0.0.0/8"				# example
#IP_MASQ_NETWORK="192.168.0.0/16"			# example
#
# Have lots of masq hosts? uncomment the following six lines 
#  and list the hosts/networks in /etc/firewall-masqhosts
#  the script assumes any address without a "/" netmask afterwards
#  is an individual address (netmask /255.255.255.255):
#if [ -f /etc/firewall-masqhosts ]; then
#  echo "Reading list of masq hosts from /etc/firewall-masqhosts"
#  # Read the file, but use 'awk' to strip comments
#  # Note the sed bracket phrase includes a space and tab char
#  IP_MASQ_NETWORK=`cat /etc/firewall-masqhosts | awk -F\# '/\// {print $1; next} /[0-9]/ {print $1"/32"}' |sed 's:[ 	]*::g'`
#fi
# 
# Masq modules
# NB: The script will prepend "ip_masq_" to each module name
#IP_MASQ_MODULES="cuseeme ftp irc quake raudio vdolive"	# ALL (?)
#IP_MASQ_MODULES="ftp raudio vdolive"			# RECOMMENDED
#
# Please make sure variable assignments are on single lines; do NOT
# use the "\" continuation character (so Bastille can change the
# values if it is run more than once)
IP_MASQ_NETWORK="192.168.4.0/24"					# DISABLE/SAFEST
IP_MASQ_MODULES=""			# RECOMMENDED


# 8) How to react to disallowed packets
# whether to "REJECT" or "DENY" disallowed packets; if you're running any
# public services, you probably ought to use "REJECT"; if in serious stealth
# mode, choose "DENY" so simple probes don't know if there's anything out there
#	NOTE: disallowed ICMP packets are discarded with "DENY", as
#		it would not make sense to "reject" the packet if you're
#		trying to disallow ping/traceroute
#
REJECT_METHOD="DENY"


# 9) DHCP
#    In case your server needs to get a DHCP address from some other
#    machine (e.g. cable modem)
#DHCP_IFACES="eth0"			# example, to allow you to query on eth0
#DHCP_IFACES=""				# DISABLED
#
# Please make sure variable assignments are on single lines; do NOT
# use the "\" continuation character (so Bastille can change the
# values if it is run more than once)
DHCP_IFACES=""				# DISABLED


# 10) more UDP fun. List IP addresses or network space of NTP servers
#
#NTP_SERVERS=""				# DISABLE NTP QUERIES / SAFEST
#NTP_SERVERS="a.b.c.d/32 e.f.g.h/32"	# example, to allow querying 2 servers
#
# Please make sure variable assignments are on single lines; do NOT
# use the "\" continuation character (so Bastille can change the
# values if it is run more than once)
NTP_SERVERS=""				# DISABLE NTP QUERIES / SAFEST


# 11) more ICMP. Control the outbound ICMP to make yourself invisible to
#     traceroute probes
#
#ICMP_OUTBOUND_DISABLED_TYPES="destination-unreachable time-exceeded"
#
# Please make sure variable assignments are on single lines; do NOT
# use the "\" continuation character (so Bastille can change the
# values if it is run more than once)
ICMP_OUTBOUND_DISABLED_TYPES="destination-unreachable time-exceeded"


# 12) Logging
#	With this enabled, ipchains will log all blocked packets.
#	         ** this could generate huge logs **
#	This is primarily intended for the port mointoring system; 
#	also note that you probably do not want to "AUDIT" any services
#	that you are not allowing, as doing so would mean duplicate
#	logging
LOG_FAILURES="N"				# do not log blocked packets

# 13) Block fragmented packets
#       There's no good reason to allow these
#ALLOW_FRAGMENTS="N"				# safest
ALLOW_FRAGMENTS="Y"				# old behavior

# 14) Prevent SMB broadcasts from leaking out NAT setup
#	Windows machines will poll teh net with SMB broadcasts,
#	basically advertising their existence. Most folks agree
#	that this traffic should be dropped
#DROP_SMB_NAT_BCAST="N"		# allow them (are you sure?)
DROP_SMB_NAT_BCAST="Y"		# drop those packets