/etc/netscript/network.conf is in netscript-2.4 5.4.10.
This file is owned by root:root, with mode 0o644.
The actual contents of the file can be viewed below.
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 82 83 84 85 86 87 88 89 90 91 92 93 94 95 96 97 98 99 100 101 102 103 104 105 106 107 108 109 110 111 112 113 114 115 116 117 118 119 120 121 122 123 124 125 126 127 128 129 130 131 132 133 134 135 136 137 138 139 140 141 142 143 144 145 146 147 148 149 150 151 152 153 154 155 156 157 158 159 160 161 162 163 164 165 166 167 168 169 170 171 172 173 174 175 176 177 178 179 180 181 182 183 184 185 186 187 188 189 190 191 192 193 194 195 196 197 198 199 200 201 202 203 204 205 206 207 208 209 210 211 212 213 214 215 216 217 218 219 220 221 222 223 224 225 226 227 228 229 230 231 232 233 234 235 236 237 238 239 240 241 242 243 244 245 246 247 248 249 250 251 252 253 254 255 256 257 258 259 260 261 262 263 264 265 266 267 268 269 270 271 272 273 274 275 276 277 278 279 280 281 282 283 284 285 286 287 288 289 290 291 292 293 294 295 296 297 298 299 300 301 302 303 304 305 306 307 308 309 310 311 312 313 314 315 316 317 318 319 320 321 322 323 324 325 326 327 328 329 330 331 332 333 334 335 336 337 338 339 340 341 342 343 344 345 346 347 348 349 350 351 352 353 354 355 356 357 358 359 360 361 362 363 364 365 366 367 368 369 370 371 372 373 374 375 376 377 378 379 380 381 382 383 384 385 386 387 388 389 390 391 392 393 394 395 396 397 398 399 400 401 402 403 404 405 406 407 408 409 410 411 412 413 414 415 416 417 418 419 420 421 422 423 424 425 426 427 428 429 430 431 432 433 434 435 436 437 438 439 440 441 442 443 444 445 446 447 448 449 450 451 452 453 454 455 456 457 458 459 460 461 462 463 464 465 466 467 468 469 470 471 472 473 474 475 476 477 478 479 480 481 482 483 484 485 486 487 488 489 490 491 492 493 494 495 496 497 498 499 500 501 502 503 504 505 506 507 508 509 510 511 512 513 514 515 516 517 518 519 520 521 522 523 524 525 526 527 528 529 530 531 532 533 534 535 536 537 538 539 540 541 542 543 544 545 546 547 548 549 550 551 552 553 554 555 556 557 558 559 560 561 562 563 564 565 566 567 568 569 570 571 572 573 574 575 576 577 578 579 580 581 582 583 584 585 586 587 588 589 590 591 592 593 594 595 596 597 598 599 600 601 602 603 604 605 606 607 608 609 610 611 612 613 614 615 616 617 618 619 620 621 622 623 624 625 626 627 628 629 630 631 632 633 634 635 636 637 638 639 640 641 642 643 644 645 646 647 648 649 650 651 652 653 654 655 656 657 658 659 660 661 662 663 664 665 666 667 668 669 670 671 672 673 674 675 676 677 678 679 680 681 682 683 684 685 686 687 688 689 690 691 692 693 694 695 696 697 698 699 700 701 702 703 704 705 706 707 708 709 710 711 712 713 714 715 716 717 718 719 720 721 722 723 724 725 726 727 728 729 730 731 732 733 734 735 736 737 738 739 740 741 742 743 744 745 746 747 748 749 750 751 752 753 754 755 756 757 758 759 760 761 762 763 764 765 766 767 768 769 770 771 772 773 774 775 776 777 778 779 780 781 782 783 784 785 786 787 788 789 790 791 792 793 794 795 796 797 798 799 800 801 802 803 804 805 806 807 808 809 810 811 812 813 814 815 816 817 | ###############################################################################
# General Settings
###############################################################################
#
# VERBOSE=(YES/NO) Default: Yes
# Be verbose about settings.
VERBOSE=YES
# IPV6_MODULE=(YES/NO) Default: NO
# If kernel is modular, enable IPv6 support by loading module. Once loaded,
# it cannot be unloaded due to kernel internal dependencies.
IPV6_MODULE=NO
# IPV6_DISABLE=(YES/NO) Default: NO
# Disable IPv6 protocol on all interfaces including lo
IPV6_DISABLE=NO
# IPV4_FWDING_KERNEL=(YES/NO/FILTER_ON) Default: NO
# IPV6_FWDING_KERNEL=(YES/NO/FILTER_ON) Default: NO
# Enable IP forwarding in the kernel. FILTER_ON means forwarding will
# only happen when IP filtering rules are loaded
IPV4_FWDING_KERNEL=FILTER_ON
IPV6_FWDING_KERNEL=FILTER_ON
# IPV4_DEFAULT_GW=nnn.nnn.nnn.nnn|OTHER|OFF|NO|NONE
# IPV4_DEFAULT_GWDEV=eth0
# IPV6_DEFAULT_GW=nnnn:nnnn:nnnn::n|OTHER|OFF|NO|NONE
# IPV6_DEFAULT_GWDEV=eth0
# IPV6_DEFAULT_PREFIX=2000::/3 # Default value
# DEFAULT_METRIC=999999999 # Default value
#
# Default Route Setup
# Use this to set the default route if required - ONLY one to be set.
# routed or gated could be used to set this so only use if not running these.
# These routes are installed at metric DEFAULT_METRIC so that netscript
# can identify its own routes. This means that it can delete them if these
# if the IPVn_DEFAULT_GW variables are not set. You can also specify a
# Default prefix for IPv6 as the kernel does some funny things around
# default IPv6 routes. Also, later kernels will only route if next hop is
# an fe80 link local address...
# OTHER|OFF|NO|NONE - stop netscript doing ANYTHING with default routes
# Use if you are going to run a routing daemon such as
# bird, gated, mrtd, routed, or zebra.
#IPV4_DEFAULT_GW=192.0.2.11
#IPV4_DEFAULT_GWDEV=eth0
#IPV6_DEFAULT_GW=fe80::1:11
#IPV6_DEFAULT_GWDEV=eth0
# DHCP_RA_STROKE_CMD=""
#
# DHCP/IPv6 RA restart/reload commmand
# Use this to restart DHCP or radvd on any interface up. Works round
# issues with special broadcast address routing and multicast listening
# Otherwise, under IPv6, Default route can dissapear!
# DHCP_RA_STROKE_CMD="service dnsmasq restart"
DHCP_RA_STROKE_CMD="systemctl restart dnsmasq"
NET_GLOBAL_SYSCTL="
# This section is set up so that various network global variables can be set.
# Please refrain from trying to set interface variables using this, and
# use the switches provided in this file. It is very easy to configure
# the interfaces insecurely.
# Set whether programs can bind to non local IP addresses. Useful for wierd
# NAT work
ipv4/ip_nonlocal_bind NO
# Set up the kernel to work with dynamic addressing on diald
ipv4/ip_dynaddr NO
# Control response to ICMP echo requests. the broadcast one also controls
# the response to multicast packets.
ipv4/icmp_echo_ignore_all NO
ipv4/icmp_echo_ignore_broadcasts YES
# Turn off ecn - a good idea for most situations
ipv4/tcp_ecn NO
"
###########################
# Backups and compilation #
###########################
#
# BACKUP_LEVELS - maximum level of back up kept. This is done by appending
# the number 0 to the setting below to the file name, and rotating them.
# Suggested minumum for this is 2, for 5 lots of backup. Can't be set
# any lower than 2.
BACKUP_LEVELS=3
###############################################################################
# Interfaces
###############################################################################
# IF_AUTO Default: "eth0"
# A space seperated list of interfaces that get started on boot. Tunneling
# interfaces like CIPE should be after the raw interfaces they depend on.
# The interfaces are started in the order they occur on the list, and are
# shutdown in the reverse order of IF_LIST.
IF_AUTO="eth0"
# IF_DYNAMIC Default: ""
# A space seperated list of dyanmic interfaces that are not created by
# the loading of a hardware driver etc. Examples are ppp0 et al.
# Insert an interface in here if it does not exist until the software
# program creates it. This is so that you can start these dynamic interfaces
# manually.
#IF_DYNAMIC="ppp0"
# IPv4 global proc flags
#
# Accept ICMP Redirects on ALL interfaces, also depends on /proc
# per interface IP forwarding flag. - YES/NO
ALLIF_ACCEPT_REDIRECTS=NO
# IPv6 global proc flags
#
# IF_DEFAULT_IPV6_DISABLE Default: NO - YES/NO
# Disable IPv6 on new interfaces by default. Useful when machine
# is a Virtual Machine server, heavily using bridges for network
# connections.
#IF_DEFAULT_IPV6_DISABLE=NO
# Need these both for interfaces run by daemons - ie PPP, CIPE, Sangoma
# WAN interfaces
# IPv4 spoofing protection by default for interfaces - YES/NO
DEF_IP_SPOOF=YES
# Kernel logging of spoofed packets by default for interfaces - YES/NO
DEF_IP_KRNL_LOGMARTIANS=YES
#############################
# Bridge Setup - Global stuff
#############################
# Enable bridging - YES/NO/number of bridges
BRG_SWITCH=no
#
# AND Additional named bridges to add
#BRG_LIST="brg0 inet0 dmz0 dbase0 admin0"
#
# Remove Bridges from Nefilter - default YES YES/NO
# Only need to turn this off if creating a transparent
# firewall!
#BRG_NETFILTER_REMOVE=YES
#############################
# Individual Interfaces setup
#############################
# eth0 stuff
# ----------
# ADDRESSING
#
# NB: WATCH LEADING ZEROES - address will not be added to interface!
#
# Use the old style:
#eth0_IPADDR=192.0.2.7
#eth0_MASKLEN=24
#eth0_BROADCAST=192.0.2.255
#
# Secondary IP addresses/networks on same wire - add them here
#eth0_IP_EXTRA_ADDRS="192.0.2.193 192.0.2.1/24"
#
# -OR- the new style which also supports IPv6...
#
#eth0_IPADDR="0192.0.002.07/24_brd_192.0.2.255 2001:db8:010a:0001::000:007/64"
#
# IP spoofing protection on this interface - YES/NO
eth0_IP_SPOOF=YES
#
# Kernel logging of spoofed packets on this interface - YES/NO
eth0_IP_KRNL_LOGMARTIANS=YES
#
# This setting affects the processing of ICMP redirects. Setting it to NO
# makes this more secure. Don't turn this off if you have two IP
# networks/subnets on the same media - YES/NO
#eth0_IP_SHARED_MEDIA=NO
#
# This setting configures the interface to either send redirects or not
# This is useful for use with openvpn, due to the fact it can route packets
# out the same interface they came in on! - YES/NO
#eth0_IP_SEND_REDIRECTS=NO
#
# Interface IPv6 MTU - set to 1280 (minimum) so that tunnelling works
# well without packet fragmentation
#eth0_IPV6_MTU=1500
#
# Disable IPv6 on this interface - default NO - YES/NO
#eth0_IPV6_DISABLE=NO
#
# Set the interface up in forwarding/non-forwarding configuration modes. This
# setting does not control the forwarding of packets via this interface. Use
# iptables for this. In host mode allows the acceptance of ICMP redirects and
# router advertisement packets (overridden by above flags in host mode), as
# well as setting the IsRouter bit in Neighbour advertisements, and whether
# router solicitation packets are sent - YES/NO
#eth0_IPV6_FWDING=YES
#
# Accept ICMP IPv6 redirects in host mode on this interface - YES/NO
#eth0_IPV6_ACCEPT_REDIRECTS=NO
#
# Accept IPv6 Router Adverstisement packets in host mode default YES - YES/NO
#eth0_IPV6_ACCEPT_RA=YES
#
# Accept Prefix for SLAC addressing in IPv6 Router Adverstisement packets
# in host mode default YES - YES/NO
#eth0_IPV6_ACCEPT_RA_PINFO=YES
#
# Accept routes advertised by Router Advertisements. Debian Kernel 2.6.32+
# This is the threshhold for the bit length of the prefixes accepted. Kernel
# defaults to zero, which means accept none. 64 will accept normal IPv6 routes
#eth0_IPV6_ACCEPT_RA_RT_INFO_MAX_PLEN=64
#
# Send router solicitations, gives number to send default 3 - YES/NO/0-9
#eth0_IPV6_ROUTER_SOLICITATIONS=0
#
# Enable IPV6 privacy extensions, default NO - YES/N0/0-2
# 1 enables privacy MAC addresses for global addressing, excluding ULA
# prefixes. 2 enables it for all ULA and global addresses, not recomended
#eth0_IPV6_PRIVACY=NO
#
# Set resolvconf details here. It takes /etc/resolv.conf settings as per
# resolv.conf(5) Note that you have to uncomment whole string below! Will take
# \n as well
#eth0_RESOLVCONF="options edns0 inet6\nsearch internal.foo.org foo.org\nnameserver 192.0.2.1"
#
# Automatically start/stop these interfaces if this interface is manually
# started/stopped. Interfaces started in order of list, shutdown in reverse
# order.
#eth0_IF_CHAIN_AUTO="tun0"
#
#Same as above, except for PPP interface.
#ppp0_PPP_CHAIN_AUTO="he0"
#
# Automatically stop these interfaces if this interface is manually stopped.
# Interfaces stopped in reverse order of this list before those in
# IF_CHAIN_AUTO
#eth0_IF_CHAIN=""
#
# Bridge this interface - YES/NO/bridge interface
#eth0_BRIDGE=yes
#
# Proxy-arp from this interface, no other config required to turn on proxy ARP!
# - YES/NO
#eth0_PROXY_ARP=NO
#
# Protocol MTU for interface
# - Set to override default interface value
#eth0_MTU=1500
#
# Multicast setting for interface
# Set to override configuration default - YES/NO|on/off
#eth0_MULTICAST=YES
#
# Simple QoS/fair queueing support
# Turn on Stochastic Fair Queueing - useful on busy DDS links - YES/NO
#eth0_FAIRQ=NO
#
# Ethernet Transmit Queue Length
#eth0_TXQLEN=100
#
# Complex QoS - Enable all of these + above to turn it on
# Device Bandwidth
#eth0_BNDWIDTH=10Mbit
#
# Queue Handles - both must be unique
# Use for running tunnel daemons or other dynamic inverfaces that
# can be here and gone very rapidly - not needed for async PPP
# eth0_HNDL1=1
# eth0_HNDL2=2
#
# Interactive Burst parameters - bandwidth and number of packets
#eth0_IABURST=100 # packets
#eth0_IARATE=1Mbit
#
# Device Physical MTU - includes link layer header
# NB FR has 8 bytes LL header, ethernet 14
#eth0_PXMTU=1514
#
# Committed Access Rate
# - if using FR, set to CIR, else to total combined bulk data
# through put (ie eth0_BULKRATE + sum of special queue rates)
#eth0_CARATE=3Mbit
#
# Optional parameters for Complex QoS
#
# Peak Rate
# Use this to set FR Burst capacity
#eth0_PEAKRATE=4MBit
#
# Parameters for Bulk Data bandwidth shaping
# Bulk Rate - set for ordinary traffic.
# MUST MUST MUST be used with special queues
# to indicate the ordinary traffic load. Has to satisfy
# BULKRATE <= (CARATE - total_special_queue_bandwidth)
#eth0_BULKRATE=2MBit
# Special Queues - see further down in fair queuing section
# as this needs unique mark values
#eth0_SPQUEUE
# eth1_IPADDR="192.0.2.1/29_brd_192.0.2.7"
# eth1_IP_SPOOF=YES
# eth1_IP_KRNL_LOGMARTIANS=YES
# eth1_FAIRQ=NO
# eth1_TXQLEN=100
# eth1_BNDWIDTH=10Mbit
# eth1_CARATE=7Mbit
# eth1_HNDL1=3
# eth1_HNDL2=4
# eth1_IABURST=100
# eth1_IARATE=1Mbit
# eth1_PXMTU=1514
# eth1_PEAKRATE=8Mbit
# eth1_BULKRATE=6Mbit
#ppp1_IPADDR=192.0.2.1
#chdlc0_IPADDR=192.0.2.1_peer_192.0.2.2
# PPP interface stuff - these apply to all ASYNC ppp interfaces
ppp_FAIRQ=YES
ppp_TXQLEN=30
# Complex stuff
ppp_BNDWIDTH=30Kbit
ppp_IABURST=20
ppp_CARATE=20Kbit
ppp_IARATE=10Kbit
ppp_PXMTU=1500
############################
# Special Interface Handling
############################
# If the interface requires the running of a daemon or configuration program
# two functions must be supplied taking the interface name as the first
# and only argument. Both of these functions have names of the form
# <if-name|if-type>_start and <if-name|iftype>_stop, with the former
# starting the interface and the latter shutting it down and deconfiguring it.
# The following global variables will be set for the <if-namei|if-type>_start
# function if they are configured.
#
# IPADDR - interface IP address/mask -OR- the new form as above
# BROADCAST - interface broadcast address
# PTPADDR - PTP address of interface
# IP_EXTRA_ADDRS - Extra IP addesses/networks bound to interface
#
# The if_addr_start function in if.conf should be used to set the addresses on
# the interface once it is created. It also sets the interface sysctl
# /proc flags, and brings the interface up, as well as enabling the use
# of multiple addresses on the interface. The if_addr_stop compleimentary
# function should be used to down the itnerface and clear the addresses off it.
#
# BOTH A START AND A STOP FUNCTIONS SHOULD PROBABLY DEFINED if you use them.
#
# The if-type of an interface name is given by the first alpha-numerics
# of the name excluding the instance number on the end - ie the type of "eth1"
# is "eth" and the type of "wan1a2" is "wan1a".
#
# The code in if.conf first of checks for an individual interface function,
# then a typed interface function, and then uses the default which is for
# ethernet type interfaces
#
# If you are starting a tunneling interface that is dependent on another
# interface being up to continue to function correctly, use the intX_IF_CHAIN
# and intX_IF_CHAIN_AUTO interface variables for the hardware interfaces to
# start and stop the tunneled interfaces. Also add the tunnel interface to
# IF_AUTO AFTER the hardware interface so that it is started on boot.
#
# Static routes and other network setup can be handled by using the
# <if-name>_network functions or those above, but the recomendation is to
# run the zebra routing daemons as this has problems with clearing
# unwanted routes etc.
#
# Here are some example functions, some of which are actually used
#
# PPP - interface ppp0
#
ppp0_start () {
# don't run pppd if link already exists...
[ -f /var/run/$1.pid ] && kill -0 `cat /var/run/$1.pid` && return 0
sleep 5
# call ISP
pppd call provider updetach > /dev/null
}
#ppp1_start () {
# # don't run pppd if link already exists...
# [ -f /var/run/$1.pid ] && kill -0 `cat /var/run/$1.pid` && return 0
# pppd ttyS2 19200 passive local noauth ${IPADDR}:
#}
#
# NB Stop function is provided as a type function as it can cover all
# analogue ppp interface instances.
ppp_stop () {
[ ! -f /var/run/$1.pid ] && return 0
qt kill `cat /var/run/$1.pid`
sleep 5 # Wait for pppd to die
}
#ppp0_network_ppp () {
# ip route replace 192.168.34.0/24 via 192.168.23.1
#}
#
# DHCP interface setup
#
# Comment out or add change 'eth_' to 'eth0_'
eth_start () {
if [ -x /sbin/dhclient ]; then
qt /sbin/dhclient $1
elif [ -x /sbin/dhcpcd ]; then
qt /sbin/dhcpcd -R -N $1
elif [ -x /sbin/pump ]; then
/sbin/pump -i $1 -h `cat /etc/hostname`
fi
}
#
eth_stop () {
if [ -f /var/run/dhclient.pid ]; then
qt kill `cat /var/run/dhclient.pid`
elif [ -f "/var/run/dhcpcd-${1}.pid" ]; then
qt /sbin/dhcpcd -k $1
elif [ -e /var/run/pump.sock ]; then
/sbin/pump -i $1 -r
fi
if_addr_stop $1
}
# Openvpn setup
#tun_start () {
# local PIDFILE="/var/run/openvpn.${1}.pid"
# # don't run openvpn if link already exists...
# [ -f $PIDFILE ] && kill -0 `cat $PIDFILE` && return 0
# openvpn --config /etc/openvpn/$1.netscript \
# --writepid $PIDFILE \
# --cd /etc/openvpn \
# --daemon openvpn.$1
#
#}
#
#tun_stop () {
# local PIDFILE="/var/run/openvpn.${1}.pid"
# [ ! -f $PIDFILE ] && return 0
# qt kill `cat $PIDFILE`
# [ -f $PIDFILE ] && rm $PIDFILE
# sleep 5 # Wait for openvpn to die
#}
#
#tap_start () {
# tun_start "$@"
#}
#
#tap_stop () {
# tun_stop "$@"
#}
#
#
# Interesting example showing how to set
# resolvconf nameserver details
#brg1_start () {
# # default interface startup
# brg_iface $1 up "$BRIDGE" "$IPV6_DISABLE"
# # Start interface
# if_addr_start $1
# local NS="
#nameserver 192.0.2.254
#"
# echo "$NS" | resolvconf -a $1
#}
#
#brg1_stop () {
# resolvconf -d $1
# # default action
# brg_iface $1 down $IPV6_DISABLE
# if_addr_stop $1
#}
# More examples...
# inet0_start () {
# if_addr_start $1
# echo | resolvconf -a $1 <<INET0F
# nameserver 203.96.152.4
# nameserver 203.96.152.12
# INET0F
# }
#
# inet0_stop () {
# resolvconf -d $1
# if_addr_stop $1
# }
#
# Laptops
#
# Integration with whereami - uses dhclient
#
#if_laptop_fwdata () {
# local MAPPING=`/bin/cat /var/lib/whereami/iam`
#
# case $MAPPING in
# cmonline*)
# ;;
# home*)
# # Tupple of the form protocol_source_dstport(s)
# LAPTOP_IN="tcp_0/0_ssh tcp_0/0_ipp udp_0/0_ipp"
# # Tupple of the form protocol_dest_dstport(s)
# LAPTOP_OUT=""
# # Tupple of the form protocol_source_dstport(s)
# #IPV6_LAPTOP_IN="tcp_0/0_ssh tcp_0/0_ipp udp_0/0_ipp"
# # Tupple of the form protocol_dest_dstport(s)
# #IPV6_LAPTOP_OUT=""
# ;;
# lan)
# ;;
# # This is the shutdown/flush state, signal it to ipv4_laptop et al.
# undocked|shutdown)
# return 1;
# ;;
## '')
## ;;
# *)
# ;;
# esac
#
# return 0
#}
##
#eth_start () {
# qt ip link set dev $1 up
# local MAPPING=`/usr/sbin/whereami --mapping`
#
# # set up any RF interfaces
# /etc/netscript/wep.conf $1 $MAPPING
#
# case $MAPPING in
# cmonline*)
# # Set up firewall
# ipf4_laptopfw
# [ -f /var/run/dhclient.pid ] \
# && qt kill -0 `cat /var/run/dhclient.pid` \
# && return 0
# qt /sbin/dhclient $1
# ;;
# home*)
# # Set up firewall
# ipf4_laptopfw
# [ -f /var/run/dhclient.pid ] \
# && qt kill -0 `cat /var/run/dhclient.pid` \
# && return 0
# qt /sbin/dhclient $1
# ;;
# lan)
# # Set up firewall
# ipf4_laptopfw
# [ -f /var/run/dhclient.pid ] \
# && qt kill -0 `cat /var/run/dhclient.pid` \
# && return 0
# qt /sbin/dhclient $1
# ;;
# undocked)
# ;;
#
## Example of what to do if nothing is configured
## '')
## if_resolvconf_up $1 "some.place.com internal.some.place.com" 127.0.0.1
## # default interface startup
## brg_iface $1 up "$BRIDGE" "IPV6_DISABLE"
## # Start interface
## if_addr_start $1
##
## ;;
# *)
# # Nothing detected, shut link down
# qt ip link set dev $1 down
# ;;
# esac
#}
##
#eth_stop () {
# [ -f /var/run/dhclient.pid ] && qt kill `cat /var/run/dhclient.pid` || true
# if_resolvconf_down $1
# # default action
# # brg_iface $1 down
# if_addr_stop $1
#
# # Handle firewall
# local MAPPING=`/usr/sbin/whereami --mapping`
# ipf4_laptopfw -f
#}
#
#
# Routing samples
#
# Using 'ip route replace' will replace the same route, differing in the
# next hops used.
#eth1_network () {
# ip route replace 192.168.34.0/24 via 192.168.23.1
#}
#
# This sample shows you how to use this hook to refresh heartbeat configured
# for IP address fail over. You have to specify the IP address resource in
# the haresource configuration file as "router1 192.168.2.254/24/eth2" to
# get heartbeat to stop failing with large numbers of routing rules, and
# to specify which interface the IP address range is to be configured on.
#HB_NAME="heartbeat"
#HB_PID="/var/run/${HB_NAME}.pid"
#HB_PATH="/usr/lib/${HB_NAME}/${HB_NAME}"
#eth1_network () {
# # Check that heartbeat is installed
# [ ! -f "$HB_PATH" ] && return 0
# killall -9 $HB_NAME
# $HB_PATH
#}
#
#
# Sangoma Frame Relay
# - Type functions ought to cover this family if you follow a sane
# naming interface convention
#
# fr_start () {
# wanconfig card wanpipe1 dev $1 start
# if_addr_start $1
# }
#
# fr_stop () {
# if_addr_stop $1
# qt wanconfig card wanpipe1 dev $1 stop
# }
#
# Sangoma Cisco HDLC
# - needs individual interfacesi for both start and stop
#
#chdlc0_start () {
# wanconfig card wanpipe1 dev $1 start
# if_addr_start $1
#}
#
#chdlc0_stop () {
# if_addr_stop $1
# qt wanconfig card wanpipe1 dev $1 stop
#}
######################
# Fair Queuing support
######################
#
# List of Mark values
MRK_CRIT=0x1 # Critical traffic, routing, DNS
MRK_IA=0x2 # Interactive traffic - telnet, ssh, IRC
MRK_T1=0xa
MRK_T2=0x14
#
# List of traffic types and maps to mark values
# Setting this variable turns on the IPv4 fairq chain
CLS_FAIRQ="${MRK_CRIT}_89_0/0 ${MRK_CRIT}_udp_0/0_route ${MRK_CRIT}_tcp_0/0_bgp ${MRK_CRIT}_tcp_0/0_domain ${MRK_CRIT}_udp_0/0_domain ${MRK_IA}_tcp_0/0_telnet ${MRK_IA}_tcp_0/0_ssh"
#
IPV6_CLS_FAIRQ="${MRK_CRIT}_89_0/0 ${MRK_CRIT}_udp_0/0_route ${MRK_CRIT}_tcp_0/0_bgp ${MRK_CRIT}_tcp_0/0_domain ${MRK_CRIT}_udp_0/0_domain ${MRK_IA}_tcp_0/0_telnet ${MRK_IA}_tcp_0/0_ssh"
#
# List of tunneling protocols that should not be touched if the tunnel
# originates on this host - Mangling can cause rerouting to happen, and
# prevents Free S/WAN from functioning. Tunnels also pass on the mark value
# of tunneled packets, and this means that the special queues are still
# effective on this originated traffic for this host.
MANGLE_OUTPUT_BYPASS="gre_0/0 esp_0/0 ah_0/0 ipip_0/0 encap_0/0"
IPV6_MANGLE_OUTPUT_BYPASS="gre_0/0 esp_0/0 ipip_0/0 encap_0/0"
#
# Set up per device special queues here
#eth0_SPQUEUE="${MRK_T1}_128Kbit_bounded ${MRK_T2}_256Kbit_bounded_isolated"
#
############################################################################
# This set of variables is used with the bolierplate chain creation commands
############################################################################
# HINT: Create the log and rejectlog chains before any of the others
#
# with the 'netscript ipfilter exec log|rejectlog' command.
##################################
# log chain - for IPv4 and IPv6 #
##################################
# Syslog level for IP tables kernel messages - v4 and v6
LOG_LEVEL=warning
# Maximum log message rate - v4 and v6
LOG_MAXRATE=3 # messages per second
# Log target - DROP/REJECT
LOG_TARGET=REJECT
IPV6_LOG_TARGET=REJECT
###############################
# IPv6 ICMP chains - limit rates
###############################
# ICMP rate limit for this host
IPV6_ICMPHOST_MAXRATE=200 # messages per second
IPV6_ICMPFWD_MAXRATE=1000 # messages per second
# ICMPv6 we optionally want to accept of forward. All other ICMPv6 is logged
# and dropped See RFC 4980 and tail of 'ip6tables -p icmpv6 -h' output.
# MIPv6 ICMP messages are ICMP types 144, 145, 146, and 147
# MIPv6 is really useful when tunnelled via IPSEC
# Router Renumbering is type 138
#IPV6_ICMPHOST_OPTIONAL="redirect 144 145 146 147"
#IPV6_ICMPFWD_OPTIONAL="144 145 146 147"
###################
# martians chains #
###################
# Net blocks to bypass martians checking on - useful for internal
# RFC 1918 netblocks.
#MARTIAN_BYPASS="10.0.0.0/8 192.168.1.0/24"
#IPV6_MARTIAN_BYPASS="fd13:123:456::/48"
# Extra blocks for the martian chain
MARTIAN_NETS="" # List of additional martian/invalid
# IP source addresses - network/mask
IPV6_MARTIAN_NETS=""
# Logging of private networks - mostly 'noise'
# default is NO
LOG_NOISE="NO"
IPV6_LOG_NOISE="NO"
###########################################
# ingress chain - for IP spoof protection #
###########################################
# List of IP numbers common to the box - this is to protect against
# spoofing of the interface addresses on the machine when using Free S/WAN
# IPSEC. Insert your interface IPs here, and tie the chain in where
# appropriate on the INPUT and FORWARD chains
#INGRESS_IPS="127.0.0.1 192.168.1.1 192.168.2.1"
#IPV6_INGRESS_IPS="2001:db8:1::1 2001:db8:1::34"
# Same as above but for use in the ingrssfwd chain for FORWARD chain
# Note interface name can be added to end
#INGRESS_FWD_NETS="127.0.0.0/8 192.168.1.0/24_eth0 192.168.2.1_eth1"
#IPV6_INGRESS_FWD_NETS="2001:db8:1::/48 ::1"
##############
# snmp chain #
##############
# List of IP Nos used for SNMP management
SNMP_MANAGER_IPS="192.168.1.1"
IPV6_SNMP_MANAGER_IPS="::1"
# Destination block for SNMP blocking - set this to the address containing your
# routers
SNMP_DEST_BLOCK=0/0
IPV6_SNMP_DEST_BLOCK=::/0
########################
# Border router chains #
########################
# This set of variables is used with the inbrdr and outbrdr border
# router chains
# The Link network
# - Use these if your network link to the outside is in one of your
# IP Number Blocks
#LINK_NET="192.168.1.0/30"
#IPV6_LINK_NET="2001:db8:1:1::/64"
# Our IP number blocks
#IP_BLOCKS="10.0.100.2 10.0.0.0/8"
#IPV6_IP_BLOCKS="2001:db8:1::/48"
# Block incoming/outgoing SMB/Netbios - YES/NO (v4 and v6)
SMB_BLOCK=YES
# Block incoming SNMP, YES/NO (v4 and v6)
SNMP_BLOCK=YES
# Blocked inbound source addresses
#BLOCKED_INSRC="all_10.200.1.1"
#IPV6_BLOCKED_INSRC="all_2001:db8::1"
# Logged blocked inbound source addresses
#LOGGED_BLOCKED_INSRC="all_10.200.1.2"
#IPV6_LOGGED_BLOCKED_INSRC="all_2001:db8::2"
# Blocked inbound destinations
#BLOCKED_INDEST="tcp_10.0.2.1_23 udp_10.0.3.4_domain"
#IPV6_LOGGED_BLOCKED_INSRC="all_2001:db8::2"
# Logged blocked inbound dests
#LOGGED_BLOCKED_INDEST="tcp_192.168.45.6_smtp"
#IPV6_LOGGED_BLOCKED_INDEST="tcp_2001:db8::23_smtp"
# The DNS servers that are to do zone trasfers
#DNS_IPS="192.0.2.45"
#IPV6_DNS_IPS="2001:db8::4"
# Blocked outbound destinations
#BLOCKED_OUTDEST="tcp_10.0.0.1_23 udp_10.0.0.2_domain"
#IPV6_BLOCKED_OUTDEST="tcp_2001:db8::1_23 udp_2001:db8::2_domain"
# Logged blocked outbound dests
#LOGGED_BLOCKED_OUTDEST="tcp_10.0.0.1_smtp"
#IPV6_LOGGED_BLOCKED_OUTDEST="tcp_2001:db8::45_smtp"
# outbrdr output target - RETURN or ACCEPT
# RETURN is usefull with IPv6 CPE for SOHO / geek domestic
#OUT_TARGET=ACCEPT
#IPV6_OUT_TARGET=ACCEPT
#IPV6_OUT_TARGET=RETURN
|