# this file maintained at http://git.mdcc.cx/uruk.git
# Sample Uruk rc file
# Copyright (C) 2003 Stichting LogReport Foundation logreport@logreport.org
# Copyright (C) 2003, 2004 Tilburg University http://www.uvt.nl/
# Copyright (C) 2003, 2004, 2005, 2010 Joost van Baal
# Copyright (C) 2012, 2013, 2014 Joost van Baal-Ilić
#
# This file is free software; you can redistribute it and/or modify it under
# the terms of the GNU General Public License as published by the Free
# Software Foundation, either version 3 of the License, or (at your option)
# any later version.
#
# This file is distributed in the hope that it will be useful, but WITHOUT ANY
# WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS
# FOR A PARTICULAR PURPOSE. See the GNU GPL for more details.
#
# You should have received a copy of the GNU GPL along with this file, see
# e.g. the file named COPYING. If not, see <http://www.gnu.org/licenses/>.
##########
# preamble
##########
# Uruk version compatibility of this rc file
# (actually, likely works with version=20071030 too)
version=20140319
# Log denied packets, which are targeted at one of our IPs. Do not log
# blocked broadcasts.
loglevel=30
###############################
# define our network interfaces
###############################
# List of network interfaces. lo should not be in this list (see below). For
# every interface <if>, variables ip_<if>, bcast_<if> and net_<if> should be
# defined.
interfaces="eth0 eth1"
# List of network interfaces we want uruk to leave alone: all traffic on these
# interfaces will be trusted and accepted. By default, interfaces_unprotect=lo
#
interfaces_unprotect="lo sit0 eth3"
###############################################
# assign IPs and networks to network interfaces
###############################################
# this helper sets ip_<if> and net_<if>
. /lib/uruk/init/autodetect-ips
# alternatively, explicitly list addresses manually, by setting ip_<stuff>,
# ip6_<stuff>, net_<stuff> and net6_<stuff>, like this:
ips_eth0=default
# For each interface <if> in interfaces, ip_<if> and net_<if> should be
# defined
ip_eth0_default=10.56.0.201
# Supply IPv6 addresses like this:
ip6_eth0_default=2006:488:1a9b::4a54:e8ff:fe2b:f25c # (aka 2006:488:1a9b:0:4a54:e8ff:fe2b:f25c)
# NB: /sbin/ip6tables (as shipped with e.g. iptables 1.4.8-2) understands
# both full and abbreviated IPv6 names.
ips_eth1="default local"
ip_eth1_default=192.168.0.4
ip_eth1_local=10.0.0.1
# To which network does this interface belong? Should be one of
# 0.0.0.0/0 (aka 0/0) 10.0.0.0/8 (aka 10./8) 172.16.0.0/12 (aka 172.16./12)
# 192.168.0.0/16 (aka 192.168./16). Used to decide whether a
# packet for this interface is spoofed, and therefore should get dropped.
# NB: /sbin/iptables (as shipped with e.g. iptables 1.4.8-2) understands
# full names only.
net_eth0_default=0.0.0.0/0
net_eth1_default=192.168.0.0/16
net_eth1_local=10.0.0.0/8
# Subset of named IPs per interface, which should drop broadcast and multicast packets
bcasts_eth1="local"
bcast_eth1_local="10.255.255.255"
# For each interface <if> in interfaces_nocast, bcast_<if> should be defined
bcast_eth0_default=10.56.255.255
#########################################
# optionally, define some shell variables
#########################################
# You can define any shell variable, and reference it later on
localnet="10.56.0.0/16"
all4=0.0.0.0/0
#####################################################
# finally, define allowed services, sources and ports
#####################################################
# For each interface, and for both tcp and udp, symbolic names of (sets of)
# services can be defined, in variables services_<if>_{tcp,udp}.
services_eth0_default_tcp="mail local public"
# For every servicesetname <s>, every interface <if>, and tcp and/or udp, a
# list of allowed source addresses should be defined in a variable
# sources_<if>_{tcp,udp}_<s> . Furthermore a list of ports should be defined
# in a variable ports_<if>_{tcp,udp}_<s> .
# A valid source is 192.168.6.26, another valid source is 192.168.6.0/24.
# One can add DNS domain names like gandalf.example.com too: iptables will
# perform a DNS lookup.
# Supply IPv6 addresses like e.g. this:
# "::/0" # aka 0000:0000:0000:0000:0000:0000:0000:0000/0
sources_eth0_default_tcp_mail="10.0.0.0/24 192.0.32.0/24 192.168.6.26"
sources_eth0_default_tcp_local="$localnet gandalf.example.com"
sources_eth0_default_tcp_public="$all4 ::/0"
# Symbolic port names are fine.
ports_eth0_default_tcp_mail=smtp
ports_eth0_default_tcp_local="ssh ftp"
ports_eth0_default_tcp_public=www
services_eth0_default_udp="syslog local"
sources_eth0_default_udp_syslog="10.56.0.10/32 2001:db8::/32"
sources_eth0_default_udp_local=$localnet
ports_eth0_default_udp_syslog="syslog"
# Port ranges are allowed too
ports_eth0_default_udp_local="ntp 605:608 853:876"
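Added example, not part of this sample rc or of uruk itself: a POSIX shell helper that sources an rc file written in the naming scheme above and lists every ip_/net_, bcast_, sources_ and ports_ variable that the interfaces, ips_, bcasts_ and services_ lists imply but the file never sets. It assumes the rc sets its addresses explicitly rather than via /lib/uruk/init/autodetect-ips; the function names uruk_rc_lint and uruk_lint_demo and the sample rc are constructed for this example.

```shell
# Added lint helper (not part of uruk): source an uruk rc file and print every
# variable the naming scheme requires but the file leaves undefined. Assumes the
# rc is plain shell that sets ip_/net_ values itself (no autodetect-ips call).
uruk_rc_lint() {
  # Run in a subshell so the rc's variables do not leak into the caller.
  (
    . "$1"
    # need NAME: print NAME when the variable called NAME is unset or empty.
    need() { eval "[ -n \"\${$1:-}\" ]" || echo "$1"; }
    for iface in $interfaces; do
      # ips_<if> lists the symbolic address names of this interface.
      for name in $(eval "echo \"\${ips_$iface:-}\""); do
        need "ip_${iface}_${name}"
        need "net_${iface}_${name}"
        for proto in tcp udp; do
          # every service set in services_<if>_<name>_<proto> needs both lists
          for svc in $(eval "echo \"\${services_${iface}_${name}_${proto}:-}\""); do
            need "sources_${iface}_${name}_${proto}_${svc}"
            need "ports_${iface}_${name}_${proto}_${svc}"
          done
        done
      done
      # every name in bcasts_<if> needs its broadcast address
      for name in $(eval "echo \"\${bcasts_$iface:-}\""); do
        need "bcast_${iface}_${name}"
      done
    done
  )
}
# Constructed sample rc: eth1 lacks net_, a ports_ list and a bcast_ address.
uruk_lint_demo() {
  tmp=$(mktemp)
  cat > "$tmp" <<'EOF'
interfaces="eth0 eth1"
ips_eth0=default
ip_eth0_default=10.56.0.201
net_eth0_default=0.0.0.0/0
services_eth0_default_tcp="mail"
sources_eth0_default_tcp_mail="10.0.0.0/24"
ports_eth0_default_tcp_mail=smtp
ips_eth1=default
ip_eth1_default=192.168.0.4
services_eth1_default_udp="local"
sources_eth1_default_udp_local="192.168.0.0/16"
bcasts_eth1=default
EOF
  uruk_rc_lint "$tmp"
  rm -f "$tmp"
}
```

Running `uruk_lint_demo` prints net_eth1_default, ports_eth1_default_udp_local and bcast_eth1_default, one per line; point `uruk_rc_lint` at a real rc to check it before loading it.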