This file is indexed.

/etc/netscript/network.conf is in netscript-2.4 5.4.10.

This file is owned by root:root, with mode 0o644.

The actual contents of the file can be viewed below.

  1
  2
  3
  4
  5
  6
  7
  8
  9
 10
 11
 12
 13
 14
 15
 16
 17
 18
 19
 20
 21
 22
 23
 24
 25
 26
 27
 28
 29
 30
 31
 32
 33
 34
 35
 36
 37
 38
 39
 40
 41
 42
 43
 44
 45
 46
 47
 48
 49
 50
 51
 52
 53
 54
 55
 56
 57
 58
 59
 60
 61
 62
 63
 64
 65
 66
 67
 68
 69
 70
 71
 72
 73
 74
 75
 76
 77
 78
 79
 80
 81
 82
 83
 84
 85
 86
 87
 88
 89
 90
 91
 92
 93
 94
 95
 96
 97
 98
 99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
383
384
385
386
387
388
389
390
391
392
393
394
395
396
397
398
399
400
401
402
403
404
405
406
407
408
409
410
411
412
413
414
415
416
417
418
419
420
421
422
423
424
425
426
427
428
429
430
431
432
433
434
435
436
437
438
439
440
441
442
443
444
445
446
447
448
449
450
451
452
453
454
455
456
457
458
459
460
461
462
463
464
465
466
467
468
469
470
471
472
473
474
475
476
477
478
479
480
481
482
483
484
485
486
487
488
489
490
491
492
493
494
495
496
497
498
499
500
501
502
503
504
505
506
507
508
509
510
511
512
513
514
515
516
517
518
519
520
521
522
523
524
525
526
527
528
529
530
531
532
533
534
535
536
537
538
539
540
541
542
543
544
545
546
547
548
549
550
551
552
553
554
555
556
557
558
559
560
561
562
563
564
565
566
567
568
569
570
571
572
573
574
575
576
577
578
579
580
581
582
583
584
585
586
587
588
589
590
591
592
593
594
595
596
597
598
599
600
601
602
603
604
605
606
607
608
609
610
611
612
613
614
615
616
617
618
619
620
621
622
623
624
625
626
627
628
629
630
631
632
633
634
635
636
637
638
639
640
641
642
643
644
645
646
647
648
649
650
651
652
653
654
655
656
657
658
659
660
661
662
663
664
665
666
667
668
669
670
671
672
673
674
675
676
677
678
679
680
681
682
683
684
685
686
687
688
689
690
691
692
693
694
695
696
697
698
699
700
701
702
703
704
705
706
707
708
709
710
711
712
713
714
715
716
717
718
719
720
721
722
723
724
725
726
727
728
729
730
731
732
733
734
735
736
737
738
739
740
741
742
743
744
745
746
747
748
749
750
751
752
753
754
755
756
757
758
759
760
761
762
763
764
765
766
767
768
769
770
771
772
773
774
775
776
777
778
779
780
781
782
783
784
785
786
787
788
789
790
791
792
793
794
795
796
797
798
799
800
801
802
803
804
805
806
807
808
809
810
811
812
813
814
815
816
817
###############################################################################
# General Settings
###############################################################################
#
# VERBOSE=(YES/NO)			Default: Yes
# Be verbose about settings.
VERBOSE=YES

# IPV6_MODULE=(YES/NO) Default: NO
# If kernel is modular, enable IPv6 support by loading module. Once loaded,
# it cannot be unloaded due to kernel internal dependencies.
IPV6_MODULE=NO

# IPV6_DISABLE=(YES/NO) Default: NO
# Disable IPv6 protocol on all interfaces including lo
IPV6_DISABLE=NO

# IPV4_FWDING_KERNEL=(YES/NO/FILTER_ON)	Default: NO
# IPV6_FWDING_KERNEL=(YES/NO/FILTER_ON)	Default: NO
# Enable IP forwarding in the kernel.  FILTER_ON means forwarding will
# only happen when IP filtering rules are loaded
IPV4_FWDING_KERNEL=FILTER_ON
IPV6_FWDING_KERNEL=FILTER_ON

# IPV4_DEFAULT_GW=nnn.nnn.nnn.nnn|OTHER|OFF|NO|NONE
# IPV4_DEFAULT_GWDEV=eth0
# IPV6_DEFAULT_GW=nnnn:nnnn:nnnn::n|OTHER|OFF|NO|NONE
# IPV6_DEFAULT_GWDEV=eth0
# IPV6_DEFAULT_PREFIX=2000::/3	# Default value
# DEFAULT_METRIC=999999999	# Default value
#
# Default Route Setup
# Use this to set the default route if required - ONLY one to be set.
# routed or gated could be used to set this so only use if not running these.
# These routes are installed at metric DEFAULT_METRIC so that netscript 
# can identify its own routes. This means that it can delete them if these 
# if the IPVn_DEFAULT_GW variables are not set.  You can also specify a 
# Default prefix for IPv6 as the kernel does some funny things around
# default IPv6 routes. Also, later kernels will only route if next hop is
# an fe80 link local address...
# OTHER|OFF|NO|NONE - stop netscript doing ANYTHING with default routes
#			Use if you are going to run a routing daemon such as
#			bird, gated, mrtd, routed, or zebra.
#IPV4_DEFAULT_GW=192.0.2.11
#IPV4_DEFAULT_GWDEV=eth0
#IPV6_DEFAULT_GW=fe80::1:11
#IPV6_DEFAULT_GWDEV=eth0

# DHCP_RA_STROKE_CMD=""
#
# DHCP/IPv6 RA restart/reload commmand
# Use this to restart DHCP or radvd on any interface up.  Works round
# issues with special broadcast address routing and multicast listening
# Otherwise, under IPv6, Default route can dissapear!
# DHCP_RA_STROKE_CMD="service dnsmasq restart"
DHCP_RA_STROKE_CMD="systemctl restart dnsmasq"

NET_GLOBAL_SYSCTL="

# This section is set up so that various network global variables can be set.
# Please refrain from trying to set interface variables using this, and
# use the switches provided in this file.  It is very easy to configure 
# the interfaces insecurely.

# Set whether programs can bind to non local IP addresses.  Useful for wierd
# NAT work
ipv4/ip_nonlocal_bind NO

# Set up the kernel to work with dynamic addressing on diald
ipv4/ip_dynaddr NO

# Control response to ICMP echo requests.  the broadcast one also controls
# the response to multicast packets.
ipv4/icmp_echo_ignore_all NO
ipv4/icmp_echo_ignore_broadcasts YES

# Turn off ecn - a good idea for most situations
ipv4/tcp_ecn NO

"
###########################
# Backups and compilation #
###########################
#
# BACKUP_LEVELS - maximum level of back up kept.  This is done by appending
# the number 0 to the setting below to the file name, and rotating them.
# Suggested minumum for this is 2, for 5 lots of backup. Can't be set 
# any lower than 2.
BACKUP_LEVELS=3

###############################################################################
# Interfaces
###############################################################################

# IF_AUTO                       	Default: "eth0"
# A space seperated list of interfaces that get started on boot. Tunneling
# interfaces like CIPE should be after the raw  interfaces they depend on.
# The interfaces are started in the order they occur on the list, and are 
# shutdown in the reverse order of IF_LIST.
IF_AUTO="eth0"

# IF_DYNAMIC                                Default: ""
# A space seperated list of dyanmic interfaces that are not created by
# the loading of a hardware driver etc.  Examples are ppp0 et al.
# Insert an interface in here if it does not exist until the software
# program creates it.  This is so that you can start these dynamic interfaces 
# manually.
#IF_DYNAMIC="ppp0"

# IPv4 global proc flags
#
# Accept ICMP Redirects on ALL interfaces, also depends on /proc 
# per interface IP forwarding flag. - YES/NO 
ALLIF_ACCEPT_REDIRECTS=NO

# IPv6 global proc flags
#
# IF_DEFAULT_IPV6_DISABLE		Default: NO - YES/NO
# Disable IPv6 on new interfaces by default.  Useful when machine
# is a Virtual Machine server, heavily using bridges for network
# connections.
#IF_DEFAULT_IPV6_DISABLE=NO

# Need these both for interfaces run by daemons - ie PPP, CIPE, Sangoma
#	  WAN interfaces
# IPv4 spoofing protection by default for interfaces - YES/NO
DEF_IP_SPOOF=YES
# Kernel logging of spoofed packets by default for interfaces - YES/NO
DEF_IP_KRNL_LOGMARTIANS=YES

#############################
# Bridge Setup - Global stuff
#############################

# Enable bridging - YES/NO/number of bridges
BRG_SWITCH=no
#
# AND Additional named bridges to add
#BRG_LIST="brg0 inet0 dmz0 dbase0 admin0"
#
# Remove Bridges from Nefilter - default YES YES/NO
# Only need to turn this off if creating a transparent
# firewall!
#BRG_NETFILTER_REMOVE=YES

#############################
# Individual Interfaces setup
#############################

# eth0 stuff
# ----------
# ADDRESSING
#
# NB: WATCH LEADING ZEROES - address will not be added to interface!
#
# Use the old style:
#eth0_IPADDR=192.0.2.7
#eth0_MASKLEN=24
#eth0_BROADCAST=192.0.2.255
# 
# Secondary IP addresses/networks on same wire - add them here
#eth0_IP_EXTRA_ADDRS="192.0.2.193 192.0.2.1/24"
#
# -OR- the new style which also supports IPv6...
#
#eth0_IPADDR="0192.0.002.07/24_brd_192.0.2.255  2001:db8:010a:0001::000:007/64"
#
# IP spoofing protection on this interface - YES/NO
eth0_IP_SPOOF=YES
#
# Kernel logging of spoofed packets on this interface - YES/NO
eth0_IP_KRNL_LOGMARTIANS=YES
#
# This setting affects the processing of ICMP redirects. Setting it to NO 
# makes this more secure. Don't turn this off if you have two IP 
# networks/subnets on the same media - YES/NO
#eth0_IP_SHARED_MEDIA=NO
#
# This setting configures the interface to either send redirects or not
# This is useful for use with openvpn, due to the fact it can route packets
# out the same interface they came in on! - YES/NO
#eth0_IP_SEND_REDIRECTS=NO
#
# Interface IPv6 MTU - set to 1280 (minimum) so that tunnelling works
# well without packet fragmentation
#eth0_IPV6_MTU=1500
#
# Disable IPv6 on this interface - default NO - YES/NO
#eth0_IPV6_DISABLE=NO 
#
# Set the interface up in forwarding/non-forwarding configuration modes. This
# setting does not control the forwarding of packets via this interface.  Use
# iptables for this. In host mode allows the acceptance of ICMP redirects and 
# router advertisement packets (overridden by above flags in host mode), as 
# well as setting the IsRouter bit in Neighbour advertisements, and whether 
# router solicitation packets are sent - YES/NO
#eth0_IPV6_FWDING=YES
#
# Accept ICMP IPv6 redirects in host mode on this interface - YES/NO 
#eth0_IPV6_ACCEPT_REDIRECTS=NO
#
# Accept IPv6 Router Adverstisement packets in host mode default YES - YES/NO
#eth0_IPV6_ACCEPT_RA=YES
#
# Accept Prefix for SLAC addressing in IPv6 Router Adverstisement packets 
# in host mode default YES - YES/NO
#eth0_IPV6_ACCEPT_RA_PINFO=YES
#
# Accept routes advertised by Router Advertisements.  Debian Kernel 2.6.32+
# This is the threshhold for the bit length of the prefixes accepted. Kernel
# defaults to zero, which means accept none. 64 will accept normal IPv6 routes
#eth0_IPV6_ACCEPT_RA_RT_INFO_MAX_PLEN=64
#
# Send router solicitations, gives number to send default 3 - YES/NO/0-9
#eth0_IPV6_ROUTER_SOLICITATIONS=0
#
# Enable IPV6 privacy extensions, default NO - YES/N0/0-2
# 1 enables privacy MAC addresses for global addressing, excluding ULA
# prefixes.  2 enables it for all ULA and global addresses, not recomended
#eth0_IPV6_PRIVACY=NO
#
# Set resolvconf details here.  It takes /etc/resolv.conf settings as per
# resolv.conf(5) Note that you have to uncomment whole string below! Will take
# \n as well
#eth0_RESOLVCONF="options edns0 inet6\nsearch internal.foo.org foo.org\nnameserver 192.0.2.1"
#
# Automatically start/stop these interfaces if this interface is manually 
# started/stopped. Interfaces started in order of list, shutdown in reverse
# order.
#eth0_IF_CHAIN_AUTO="tun0"
#
#Same as above, except for PPP interface.
#ppp0_PPP_CHAIN_AUTO="he0"
#
# Automatically stop these interfaces if this interface is manually stopped.
# Interfaces stopped in reverse order of this list before those in 
# IF_CHAIN_AUTO
#eth0_IF_CHAIN=""
#
# Bridge this interface - YES/NO/bridge interface
#eth0_BRIDGE=yes
#
# Proxy-arp from this interface, no other config required to turn on proxy ARP!
# - YES/NO
#eth0_PROXY_ARP=NO
#
# Protocol MTU for interface
# - Set to override default interface value 
#eth0_MTU=1500
#
# Multicast setting for interface
# Set to override configuration default - YES/NO|on/off
#eth0_MULTICAST=YES
#
# Simple QoS/fair queueing support
# Turn on Stochastic Fair Queueing - useful on busy DDS links - YES/NO
#eth0_FAIRQ=NO
#
# Ethernet Transmit Queue Length
#eth0_TXQLEN=100
#
# Complex QoS - Enable all of these + above to turn it on
# Device Bandwidth
#eth0_BNDWIDTH=10Mbit
#
# Queue Handles - both must be unique
# Use for running tunnel daemons or other dynamic inverfaces that 
# can be here and gone very rapidly - not needed for async PPP
# eth0_HNDL1=1
# eth0_HNDL2=2
#
# Interactive Burst parameters - bandwidth and number of packets
#eth0_IABURST=100	# packets
#eth0_IARATE=1Mbit
#
# Device Physical MTU - includes link layer header
# NB FR has 8 bytes LL header, ethernet 14
#eth0_PXMTU=1514
#
# Committed Access Rate 
# - if using FR, set to CIR, else to total combined bulk data
# through put (ie eth0_BULKRATE + sum of special queue rates)
#eth0_CARATE=3Mbit
#
# Optional parameters for Complex QoS
#
# Peak Rate 
# Use this to set FR Burst capacity
#eth0_PEAKRATE=4MBit
#
# Parameters for Bulk Data bandwidth shaping
# Bulk Rate - set for ordinary traffic.
# MUST MUST MUST be used with special queues 
# to indicate the ordinary traffic load.  Has to satisfy
#  BULKRATE <= (CARATE - total_special_queue_bandwidth)
#eth0_BULKRATE=2MBit
# Special Queues - see further down in fair queuing section 
# as this needs unique mark values
#eth0_SPQUEUE

# eth1_IPADDR="192.0.2.1/29_brd_192.0.2.7"
# eth1_IP_SPOOF=YES
# eth1_IP_KRNL_LOGMARTIANS=YES
# eth1_FAIRQ=NO
# eth1_TXQLEN=100
# eth1_BNDWIDTH=10Mbit
# eth1_CARATE=7Mbit
# eth1_HNDL1=3
# eth1_HNDL2=4
# eth1_IABURST=100
# eth1_IARATE=1Mbit
# eth1_PXMTU=1514
# eth1_PEAKRATE=8Mbit
# eth1_BULKRATE=6Mbit

#ppp1_IPADDR=192.0.2.1

#chdlc0_IPADDR=192.0.2.1_peer_192.0.2.2

# PPP interface stuff - these apply to all ASYNC ppp interfaces
ppp_FAIRQ=YES
ppp_TXQLEN=30
# Complex stuff
ppp_BNDWIDTH=30Kbit
ppp_IABURST=20
ppp_CARATE=20Kbit
ppp_IARATE=10Kbit
ppp_PXMTU=1500

############################
# Special Interface Handling
############################
# If the interface requires the running of a daemon or configuration program
# two functions must be supplied taking the interface name as the first
# and only argument.  Both of these functions have names of the form
# <if-name|if-type>_start and <if-name|iftype>_stop, with the former
# starting the interface and the latter shutting it down and deconfiguring it.
# The following global variables will be set for the <if-namei|if-type>_start
# function if they are configured.
#
# IPADDR          - interface IP address/mask -OR- the new form as above
# BROADCAST       - interface broadcast address
# PTPADDR         - PTP address of interface
# IP_EXTRA_ADDRS  - Extra IP addesses/networks bound to interface
#
# The if_addr_start function in if.conf should be used to set the addresses on
# the interface once it is created.  It also sets the interface sysctl 
# /proc flags, and brings the interface up, as well as enabling the use 
# of multiple addresses on the interface. The if_addr_stop compleimentary 
# function should be used to down the itnerface and clear the addresses off it.
#
# BOTH A START AND A STOP FUNCTIONS SHOULD PROBABLY DEFINED if you use them.
#
# The if-type of an interface name is given by the first alpha-numerics
# of the name excluding the instance number on the end - ie the type of "eth1"
# is "eth" and the type of "wan1a2" is "wan1a".
#
# The code in if.conf first of checks for an individual interface function,
# then a typed interface function, and then uses the default which is for
# ethernet type interfaces
#
# If you are starting a tunneling interface that is dependent on another
# interface being up to continue to function correctly, use the intX_IF_CHAIN
# and intX_IF_CHAIN_AUTO interface variables for the hardware interfaces to
# start and stop the tunneled interfaces.  Also add the tunnel interface to 
# IF_AUTO AFTER the hardware interface so that it is started on boot.
#
# Static routes and other network setup can be handled by using the 
# <if-name>_network functions or those above, but the recomendation is to 
# run the zebra routing daemons as this has problems with clearing
# unwanted routes etc.
#
# Here are some example functions, some of which are actually used
#
# PPP - interface ppp0
#
ppp0_start () {
	# don't run pppd if link already exists...
	[ -f /var/run/$1.pid ] && kill -0 `cat /var/run/$1.pid` && return 0
	sleep 5
	# call ISP	 
	pppd call provider updetach > /dev/null
}

#ppp1_start () {
#	# don't run pppd if link already exists...
#	[ -f /var/run/$1.pid ] && kill -0 `cat /var/run/$1.pid` && return 0
#	pppd ttyS2 19200 passive local noauth ${IPADDR}:
#}
#
# NB Stop function is provided as a type function as it can cover all
# analogue ppp interface instances.
ppp_stop () {
	[ ! -f /var/run/$1.pid ] && return 0
	qt kill `cat /var/run/$1.pid`
	sleep 5           # Wait for pppd to die
}


#ppp0_network_ppp () {
#       ip route replace 192.168.34.0/24 via 192.168.23.1
#}

#
# DHCP interface setup
#
# Comment out or add change 'eth_' to 'eth0_'
eth_start () {
	if [ -x /sbin/dhclient ]; then
		qt /sbin/dhclient $1
	elif [ -x /sbin/dhcpcd ]; then
        	qt /sbin/dhcpcd -R -N $1
	elif [ -x /sbin/pump ]; then
		/sbin/pump -i $1 -h `cat /etc/hostname`
	fi
}
#
eth_stop () {
	if [ -f /var/run/dhclient.pid ]; then
		qt kill `cat /var/run/dhclient.pid`
	elif [ -f "/var/run/dhcpcd-${1}.pid" ]; then
		qt /sbin/dhcpcd -k $1
	elif [ -e /var/run/pump.sock ]; then
		/sbin/pump -i $1 -r
	fi
	if_addr_stop $1
}

# Openvpn setup
#tun_start () {
#        local PIDFILE="/var/run/openvpn.${1}.pid"
#        # don't run openvpn if link already exists...
#        [ -f $PIDFILE ] && kill -0 `cat $PIDFILE` && return 0
#        openvpn --config /etc/openvpn/$1.netscript \
#        --writepid $PIDFILE \
#        --cd /etc/openvpn \
#        --daemon openvpn.$1
#
#}
#
#tun_stop () {
#        local PIDFILE="/var/run/openvpn.${1}.pid"
#        [ ! -f $PIDFILE ] && return 0
#        qt kill `cat $PIDFILE`
#        [ -f $PIDFILE ] && rm $PIDFILE
#        sleep 5           # Wait for openvpn to die
#}
#
#tap_start () {
#        tun_start "$@"
#}
#
#tap_stop () {
#        tun_stop "$@"
#}
#
#

# Interesting example showing how to set 
# resolvconf nameserver details
#brg1_start () {
#       # default interface startup
#       brg_iface $1 up "$BRIDGE" "$IPV6_DISABLE"
#        # Start interface
#        if_addr_start $1
#       local NS="
#nameserver 192.0.2.254
#"
#       echo "$NS" | resolvconf -a $1
#}
#
#brg1_stop () {
#       resolvconf -d $1
#       # default action
#        brg_iface $1 down $IPV6_DISABLE
#        if_addr_stop $1
#}

# More examples...

# inet0_start () {
#         if_addr_start $1
#         echo  | resolvconf -a $1 <<INET0F
# nameserver 203.96.152.4
# nameserver 203.96.152.12
# INET0F
# }
# 
# inet0_stop () {
#         resolvconf -d $1
#         if_addr_stop $1
# }
# 

# Laptops
# 
# Integration with whereami - uses dhclient
#
#if_laptop_fwdata () {
#        local MAPPING=`/bin/cat /var/lib/whereami/iam`
#
#        case $MAPPING in
#        cmonline*)
#                ;;
#        home*)
#                # Tupple of the form protocol_source_dstport(s)
#                LAPTOP_IN="tcp_0/0_ssh tcp_0/0_ipp udp_0/0_ipp"
#                # Tupple of the form protocol_dest_dstport(s)
#                LAPTOP_OUT=""
#                # Tupple of the form protocol_source_dstport(s)
#                #IPV6_LAPTOP_IN="tcp_0/0_ssh tcp_0/0_ipp udp_0/0_ipp"
#                # Tupple of the form protocol_dest_dstport(s)
#                #IPV6_LAPTOP_OUT=""
#                ;;
#        lan)
#                ;;
#        # This is the shutdown/flush state, signal it to ipv4_laptop et al.
#        undocked|shutdown)
#                return 1;
#                ;;
##       '')
##               ;;
#        *)
#                ;;
#        esac
#
#        return 0
#}
##
#eth_start () {
#        qt ip link set dev $1 up
#        local MAPPING=`/usr/sbin/whereami --mapping`
#
#        # set up any RF interfaces
#        /etc/netscript/wep.conf $1 $MAPPING
#
#        case  $MAPPING in
#        cmonline*)
#                # Set up firewall
#                ipf4_laptopfw
#                [ -f /var/run/dhclient.pid ] \
#                        && qt kill -0 `cat /var/run/dhclient.pid` \
#                        && return 0
#                qt /sbin/dhclient $1
#                ;;
#        home*)
#                # Set up firewall
#                ipf4_laptopfw
#                [ -f /var/run/dhclient.pid ] \
#                        && qt kill -0 `cat /var/run/dhclient.pid` \
#                        && return 0
#                qt /sbin/dhclient $1
#                ;;
#        lan)
#                # Set up firewall
#                ipf4_laptopfw
#                [ -f /var/run/dhclient.pid ] \
#                        && qt kill -0 `cat /var/run/dhclient.pid` \
#                        && return 0
#                qt /sbin/dhclient $1
#                ;;
#        undocked)
#                ;;
#
##               Example of what to do if nothing is configured
##       '')
##               if_resolvconf_up $1 "some.place.com internal.some.place.com" 127.0.0.1
##               # default interface startup
##               brg_iface $1 up "$BRIDGE" "IPV6_DISABLE"
##               # Start interface
##               if_addr_start $1
##
##               ;;
#        *)
#                # Nothing detected, shut link down
#                qt ip link set dev $1 down
#                ;;
#        esac
#}
##
#eth_stop () {
#        [ -f /var/run/dhclient.pid ] && qt kill `cat /var/run/dhclient.pid` || true
#        if_resolvconf_down $1
#        # default action
#        # brg_iface $1 down
#        if_addr_stop $1
#
#        # Handle firewall
#        local MAPPING=`/usr/sbin/whereami --mapping`
#        ipf4_laptopfw -f
#}
#
#
# Routing samples
#
# Using 'ip route replace' will replace the same route, differing in the 
# next hops used.
#eth1_network () {
#       ip route replace 192.168.34.0/24 via 192.168.23.1
#}
# 
# This sample shows you how to use this hook to refresh heartbeat configured 
# for IP address fail over. You have to specify the IP address resource in 
# the haresource configuration file as "router1 192.168.2.254/24/eth2" to 
# get heartbeat to stop failing with large numbers of routing rules, and
# to specify which interface the IP address range is to be configured on.
#HB_NAME="heartbeat"
#HB_PID="/var/run/${HB_NAME}.pid"
#HB_PATH="/usr/lib/${HB_NAME}/${HB_NAME}"
#eth1_network () {
#        # Check that heartbeat is installed
#        [ ! -f "$HB_PATH" ] && return 0
#        killall -9 $HB_NAME
#        $HB_PATH
#}
#
#
# Sangoma Frame Relay
# - Type functions ought to cover this family if you follow a sane
#   naming interface convention
#
# fr_start () {
#        wanconfig card wanpipe1 dev $1 start
#        if_addr_start $1
# }
#
# fr_stop () {
#	if_addr_stop $1
#	qt wanconfig card wanpipe1 dev $1 stop
# }
#
# Sangoma Cisco HDLC
# - needs individual interfacesi for both start and stop
#
#chdlc0_start () {
#      wanconfig card wanpipe1 dev $1 start
#      if_addr_start $1
#}
#
#chdlc0_stop () {
#	if_addr_stop $1
#	qt wanconfig card wanpipe1 dev $1 stop
#}

######################
# Fair Queuing support
######################
#
# List of Mark values
MRK_CRIT=0x1                      # Critical traffic, routing, DNS
MRK_IA=0x2			# Interactive traffic - telnet, ssh, IRC
MRK_T1=0xa
MRK_T2=0x14
#
# List of traffic types and maps to mark values
# Setting this variable turns on the IPv4 fairq chain
CLS_FAIRQ="${MRK_CRIT}_89_0/0 ${MRK_CRIT}_udp_0/0_route ${MRK_CRIT}_tcp_0/0_bgp ${MRK_CRIT}_tcp_0/0_domain ${MRK_CRIT}_udp_0/0_domain ${MRK_IA}_tcp_0/0_telnet ${MRK_IA}_tcp_0/0_ssh"
#
IPV6_CLS_FAIRQ="${MRK_CRIT}_89_0/0 ${MRK_CRIT}_udp_0/0_route ${MRK_CRIT}_tcp_0/0_bgp ${MRK_CRIT}_tcp_0/0_domain ${MRK_CRIT}_udp_0/0_domain ${MRK_IA}_tcp_0/0_telnet ${MRK_IA}_tcp_0/0_ssh"
#
# List of tunneling protocols that should not be touched if the tunnel 
# originates on this host - Mangling can cause rerouting to happen, and 
# prevents Free S/WAN from functioning. Tunnels also pass on the mark value
# of tunneled packets, and this means that the special queues are still 
# effective on this originated traffic for this host.
MANGLE_OUTPUT_BYPASS="gre_0/0 esp_0/0 ah_0/0 ipip_0/0 encap_0/0"
IPV6_MANGLE_OUTPUT_BYPASS="gre_0/0 esp_0/0 ipip_0/0 encap_0/0"
#
# Set up per device special queues here 
#eth0_SPQUEUE="${MRK_T1}_128Kbit_bounded ${MRK_T2}_256Kbit_bounded_isolated"
#

############################################################################
# This set of variables is used with the bolierplate chain creation commands
############################################################################

# HINT: Create the log and rejectlog chains before any of the others
#
#       with the 'netscript ipfilter exec log|rejectlog' command.


##################################
# log chain  - for IPv4 and IPv6 #
##################################

# Syslog level for IP tables kernel messages - v4 and v6
LOG_LEVEL=warning

# Maximum log message rate - v4 and v6
LOG_MAXRATE=3  # messages per second

# Log target - DROP/REJECT 
LOG_TARGET=REJECT
IPV6_LOG_TARGET=REJECT


###############################
# IPv6 ICMP chains - limit rates
###############################

# ICMP rate limit for this host 
IPV6_ICMPHOST_MAXRATE=200 # messages per second
IPV6_ICMPFWD_MAXRATE=1000 # messages per second

# ICMPv6 we optionally want to accept of forward.  All other ICMPv6 is logged
# and dropped  See RFC 4980 and tail of 'ip6tables -p icmpv6 -h' output.
# MIPv6 ICMP messages are ICMP types 144, 145, 146, and 147
# MIPv6 is really useful when tunnelled via IPSEC
# Router Renumbering is type 138
#IPV6_ICMPHOST_OPTIONAL="redirect 144 145 146 147"
#IPV6_ICMPFWD_OPTIONAL="144 145 146 147"


###################
# martians chains #
###################

# Net blocks to bypass martians checking on - useful for internal
# RFC 1918 netblocks.
#MARTIAN_BYPASS="10.0.0.0/8 192.168.1.0/24"
#IPV6_MARTIAN_BYPASS="fd13:123:456::/48"

# Extra blocks for the martian chain
MARTIAN_NETS=""			# List of additional martian/invalid 
				# IP source addresses - network/mask
IPV6_MARTIAN_NETS=""

# Logging of private networks - mostly 'noise'
# default is NO
LOG_NOISE="NO"
IPV6_LOG_NOISE="NO"


###########################################
# ingress chain - for IP spoof protection #
###########################################
        
# List of IP numbers common to the box - this is to protect against
# spoofing of the interface addresses on the machine when using Free S/WAN
# IPSEC.  Insert your interface IPs here, and tie the chain in where 
# appropriate on the INPUT and FORWARD chains
#INGRESS_IPS="127.0.0.1 192.168.1.1 192.168.2.1"
#IPV6_INGRESS_IPS="2001:db8:1::1 2001:db8:1::34"
# Same as above but for use in the ingrssfwd chain for FORWARD chain
# Note interface name can be added to end
#INGRESS_FWD_NETS="127.0.0.0/8 192.168.1.0/24_eth0 192.168.2.1_eth1"
#IPV6_INGRESS_FWD_NETS="2001:db8:1::/48 ::1"

##############
# snmp chain #
##############

# List of IP  Nos used for SNMP management
SNMP_MANAGER_IPS="192.168.1.1"
IPV6_SNMP_MANAGER_IPS="::1"

# Destination block for SNMP blocking - set this to the address containing your
# routers
SNMP_DEST_BLOCK=0/0
IPV6_SNMP_DEST_BLOCK=::/0

########################
# Border router chains #
########################

# This set of variables is used with the inbrdr and outbrdr border
# router chains

# The Link network
#   - Use these if your network link to the outside is in one of your
#     IP Number Blocks
#LINK_NET="192.168.1.0/30"
#IPV6_LINK_NET="2001:db8:1:1::/64"

# Our IP number blocks
#IP_BLOCKS="10.0.100.2 10.0.0.0/8"
#IPV6_IP_BLOCKS="2001:db8:1::/48"

# Block incoming/outgoing SMB/Netbios - YES/NO (v4 and v6)
SMB_BLOCK=YES

# Block incoming SNMP, YES/NO (v4 and v6)
SNMP_BLOCK=YES

# Blocked inbound source addresses
#BLOCKED_INSRC="all_10.200.1.1"
#IPV6_BLOCKED_INSRC="all_2001:db8::1"

# Logged blocked inbound source addresses
#LOGGED_BLOCKED_INSRC="all_10.200.1.2"
#IPV6_LOGGED_BLOCKED_INSRC="all_2001:db8::2"

# Blocked inbound destinations
#BLOCKED_INDEST="tcp_10.0.2.1_23 udp_10.0.3.4_domain"
#IPV6_LOGGED_BLOCKED_INSRC="all_2001:db8::2"

# Logged blocked inbound dests
#LOGGED_BLOCKED_INDEST="tcp_192.168.45.6_smtp"
#IPV6_LOGGED_BLOCKED_INDEST="tcp_2001:db8::23_smtp"

# The DNS servers that are to do zone trasfers
#DNS_IPS="192.0.2.45"
#IPV6_DNS_IPS="2001:db8::4"

# Blocked outbound destinations
#BLOCKED_OUTDEST="tcp_10.0.0.1_23 udp_10.0.0.2_domain"
#IPV6_BLOCKED_OUTDEST="tcp_2001:db8::1_23 udp_2001:db8::2_domain"

# Logged blocked outbound dests
#LOGGED_BLOCKED_OUTDEST="tcp_10.0.0.1_smtp"
#IPV6_LOGGED_BLOCKED_OUTDEST="tcp_2001:db8::45_smtp"

# outbrdr output target - RETURN or ACCEPT
# RETURN is usefull with IPv6 CPE for SOHO / geek domestic
#OUT_TARGET=ACCEPT
#IPV6_OUT_TARGET=ACCEPT
#IPV6_OUT_TARGET=RETURN