File: uif.conf

## uif Firewall Configuration

## Sysconfig definitions
#  These entries define the global behaviour of the firewall package. Normally
#  they are preset in /etc/default/uif and may be overwritten by this
#  section.
#
#  syntax:   LogLevel : set the kernel loglevel for iptables rules
#            LogPrefix: prepend this string to all iptables logs
#            LogLimit:  set packet log limit per time interval (times/interval)
#            LogBurst:  set packet log burst
#            Limit:     set packet limit per time interval (times/interval)
#            Burst:     set packet burst
#  example:
#   sysconfig {
#      LogLevel      debug
#      LogPrefix     FW
#      LogLimit      20/minute
#      LogBurst      5
#      Limit         20/minute
#      Burst         5
#      AccountPrefix ACC_
#   }


## Include predefined services
#  The include section takes a bunch of files and includes them into this
#  configuration file.
#
#  syntax:  "filename"
include {
    # Service definitions shipped with the package. The file is parsed as if
    # it were inlined here, so the service names it declares can be used in
    # the service and filter sections below without redeclaring them.
    "/etc/uif/services"
}


## Services needed for workstation setup
#  The service section provides the protocol definitions you use
#  in the rules. You must declare every service you need for
#  your setup.
#
#  syntax: service_name [tcp([source:range]/[dest:range])] [udp([source:range]/[dest:range])]
#                       [protocol_name([source:range][/][dest:range])] [service_name] ...
#  examples: http  tcp(/80)
#            dns   tcp(/53) udp(/53)
#            group http dns tcp(/443)
#            ipsec esp(/) udp(/500)
service {
    # traceroute: UDP from the unprivileged source-port range 32769-65535 to
    # the classic traceroute destination ports 33434-33523, plus ICMP type 11
    # (time exceeded). Argument form is proto([source:range]/[dest:range]).
    traceroute  udp(32769:65535/33434:33523) icmp(11)
    # ping: ICMP type 8 (echo request).
    ping        icmp(8)
}

## Network definitions needed for simple workstation setup
# The network definitions are included from two separate files.
#   1. /etc/uif/uif-ipv4-networks.inc
#   2. /etc/uif/uif-ipv6-networks.inc
#
# If you want to setup IPv4 and IPv6 firewalling easily,
# make sure that all network names you use in your ruleset
# are defined in both include files.
#
# Additionally make /etc/uif/uif6.conf a symlink that points to
# /etc/uif/uif.conf.
#

# IPv4 network definitions
#
# If you update from a version of UIF that supported IPv4 only, then
# you probably want to leave the uif.conf file untouched for now and
# move your network definitions block from uif.conf to uif-ipv4-networks.inc
# manually later.

include4 {
    # IPv4 network definitions (e.g. the names used as s=/d= in the filter
    # section). Kept in a separate file so uif.conf can be shared between
    # the IPv4 and IPv6 configurations.
    "/etc/uif/uif-ipv4-networks.inc"
}

# IPv6 network definitions
#
# Make sure IPV6MODE is set to 1 in /etc/default/uif if you want to use
# IPv6 support on your UIF based firewall.

include6 {
    # IPv6 network definitions; only used when IPV6MODE is enabled in
    # /etc/default/uif. Every network name used by the rules should be
    # defined here as well as in the IPv4 include.
    "/etc/uif/uif-ipv6-networks.inc"
}

## Interface definitions
#  Since all definitions used in the filter section are symbolic,
#  you have to specify symbolic names for all the interfaces you're
#  going to use.
#
#  syntax: interface_name [unix network interface] [interface_name]
#  examples: internal eth0
#            external ippp0 ipsec0
#            allppp   ppp+
#            group    external allppp eth3
interface {
    # "loop" is the symbolic name the filter rules use for the kernel
    # loopback interface lo. Add further names here before referencing
    # them with i=/o= in the filter section.
    loop     lo
}

## Filter definitions
#  The filter section defines the rules for in, out, forward, masquerading
#  and nat. All rules make use of the symbolic names defined above. This
#  section can be used multiple times in one config file. This makes more
#  sense when using one of these alias names:
#  filter, nat, input, output, forward, masquerade
#
#  syntax: in[-/+]  [i=interface] [s=source_net] [d=dest_net] [p=protocol] [f=flag_1,..,flag_n]
#          out[-/+] [o=interface] [s=source_net] [d=dest_net] [p=protocol] [f=flag_1,..,flag_n]
#          fw[>/-/+]  [i/o=interface][s=source_net] [d=dest_net] [p=protocol] [f=flag_1,..,flag_n]
#          masq[-/+][i/o=interface][s=source_net] [d=dest_net] [p=protocol] [f=flag_1,..,flag_n]
#          nat[-/+] additionally allows [S=from source] [D=to destination] [P=to port:[range]]
#  additional:
#          All keys mentioned in the syntax section (in/out/...) can be prefixed with "sl", which
#          causes the creation of a stateless rule.
#  flags:  limit([count/time[,burst]])
#          reject([reject type])
#          log([name])
#          account(name)
#  examples:
#       masq+  o=extern s=intranet
#       nat+   s=intranet p=http   D=relayintern   P=squid
#       in+    s=trusted  p=ssh,ping,traceroute,http
#       out-   s=intranet p=smb    f=reject
#       fw-    d=microsoft         f=reject,log(ms-alert)
#       slin+  s=testnet
#       slout- d=testnet
#       fw>    o=extern
#       fw+    p=myhttp            f=account(HTTP)
#              Pay attention to the protocol you use for your accounting rules. If you
#              want to count user http traffic, you may need a "myhttp tcp(80/)".
filter {
    # Loopback: accept both directions between the host and itself. "loop"
    # is the symbolic interface declared above; "localhost", "all" and
    # "trusted" are network names expected from the network include files.
    in+  i=loop    s=localhost
    out+ o=loop    d=localhost

    # Answer ICMP echo requests from any IPv4 source. The "(4)"/"(6)" suffix
    # presumably selects the IPv4 or IPv6 definition of the network name.
    in+  s=all(4) p=ping

    # these IPv6-ICMP types are a MUST for IPv6
    # (pong, noroute, ... are not declared in this file's service section;
    # they are expected to come from the included /etc/uif/services)
    in+  s=all(6) p=ping,pong,noroute,packet-too-big,time-exceeded,parameter-problem,neighbor-advertisement,neighbor-solicitation

    # Accept traceroute probes (as declared in the service section) from
    # any source on any interface: no i= or s= restriction is given. Add
    # s=<network> if probes should only be answered from known networks.
    in+  p=traceroute

    # Disabled: accept everything from a "trusted" network. Uncomment only
    # after that name is defined in both network include files.
#   in+  s=trusted(4)
#   in+  s=trusted(6)
    # Permit all outbound traffic from this host.
    out+ d=all

    # Default policy: anything not matched above is logged with the given
    # name and rejected. The generated iptables rules match in order, so
    # keep these as the last rules of the section.
    in-  f=log(input),reject
    out- f=log(output),reject
    fw-  f=log(forward),reject
}