This file is indexed.

/etc/netscript/network.conf is in netscript-2.4-upstart 5.2.9ubuntu1.

This file is owned by root:root, with mode 0o644.

The actual contents of the file can be viewed below.

###############################################################################
# General Settings
###############################################################################
#
# The settings in this file are shell variable assignments (the file also
# defines shell functions further down), so write NAME=value with no spaces
# around '='.
#
# VERBOSE=(YES/NO)			Default: Yes
# Be verbose about settings.
VERBOSE=YES

# IPV6_MODULE=(YES/NO) Default: NO
# If kernel is modular, enable IPv6 support by loading module. Once loaded,
# it cannot be unloaded due to kernel internal dependencies.
IPV6_MODULE=NO

# IPV6_DISABLE=(YES/NO) Default: NO
# Disable IPv6 protocol on all interfaces including lo
# NOTE(review): with NO, IPv6 stays enabled, so the IPv6 filtering settings
# in this file need the same attention as the IPv4 ones.
IPV6_DISABLE=NO

# IPV4_FWDING_KERNEL=(YES/NO/FILTER_ON)	Default: NO
# IPV6_FWDING_KERNEL=(YES/NO/FILTER_ON)	Default: NO
# Enable IP forwarding in the kernel.  FILTER_ON means forwarding will
# only happen when IP filtering rules are loaded
# NOTE(review): both values below differ from the documented default (NO), so
# this host forwards packets once filter rules are loaded.  Set both to NO on
# a machine that is not meant to route.
IPV4_FWDING_KERNEL=FILTER_ON
IPV6_FWDING_KERNEL=FILTER_ON

# IPV4_DEFAULT_GW=nnn.nnn.nnn.nnn|OTHER|OFF|NO|NONE
# IPV4_DEFAULT_GWDEV=eth0
# IPV6_DEFAULT_GW=nnnn:nnnn:nnnn::n|OTHER|OFF|NO|NONE
# IPV6_DEFAULT_GWDEV=eth0
# IPV6_DEFAULT_PREFIX=2000::/3	# Default value
# DEFAULT_METRIC=999999999	# Default value
#
# Default Route Setup
# Use this to set the default route if required - ONLY one to be set.
# routed or gated could be used to set this so only use if not running these.
# These routes are installed at metric DEFAULT_METRIC so that netscript
# can identify its own routes. This means that it can delete them if
# the IPVn_DEFAULT_GW variables are not set.  You can also specify a
# Default prefix for IPv6 as the kernel does some funny things around
# default IPv6 routes
# OTHER|OFF|NO|NONE - stop netscript doing ANYTHING with default routes
#			Use if you are going to run a routing daemon such as
#			bird, gated, mrtd, routed, or zebra.
#IPV4_DEFAULT_GW=192.168.1.11
#IPV4_DEFAULT_GWDEV=eth0
#IPV6_DEFAULT_GW=2002:ca31:40dc:1::11
#IPV6_DEFAULT_GWDEV=eth0

# IP_FILTER_KERNEL=(NONE/PACKET/STATEFUL/NAT)	Default: PACKET
# Set the level of NetFilter/IP Filtering in the kernel by controlling
# which classes of NetFilter modules get loaded.
#
# NONE - don't load IP NetFilter modules.  Gives fastest packet forwarding
#        at expense of disabling QoS and any protection.  Use when speed
#        is an absolute necessity.
#        NOTE(review): NONE leaves this host with no packet filtering at all;
#        how it interacts with IPVn_FWDING_KERNEL=FILTER_ON is not described
#        here - confirm before combining the two.
#
# PACKET - Normal operation as a router.  This satisfies most operational
#          routing conditions.  QoS works as filter chains are used to
#          classify the packets.
#
# STATEFUL/NAT - Turns on full connection tracking stateful filtering and NAT.
#
# **WARNING** - If this was set to STATEFUL everywhere in a network
# of routers, it can result in TCP connections failing and TCP connection
# resets.
#
# ONLY set this to STATEFUL/NAT if the box is a firewall or the single point of
# entry for a network, or an endpoint for port forwarding or a load
# balancer for a WWW server farm.  DO NOT switch to STATEFUL/NAT if the box
# is a conventional router as it breaks the TCP/IP RFCs.  This option is
# needed when using IP NAT, IP masquerading, IP auto firewalling, IP port
# forwarding, transparent proxying or other kernel operations that intercept a
# packet flow and redirect it.
#
# It is a useful tool when using a packet filtering router to protect
# directly attached ethernet networks of servers as it stops fragment
# attacks on the servers behind the router. Another use is a packet
# filtering router to protect dial-in Internet users on NASes
# (Portmasters, TC racks etc) from various SMB and fragment attacks
# and to redirect all WWW connections into a WWW proxy-caching server.
#
# PACKET (the documented default) is selected below: filter chains are
# available, connection tracking and NAT are not.
IP_FILTER_KERNEL=PACKET

# NET_GLOBAL_SYSCTL - global (not per-interface) kernel network settings,
# held in one multi-line double-quoted string of "<name> <YES|NO>" entries.
# The names look like paths relative to /proc/sys/net - TODO confirm against
# the script that consumes this variable.
#
# Everything between the quotes, including the lines that start with '#', is
# part of the string value and not a shell comment; the consumer presumably
# skips those lines.  Because the string is double-quoted, a '"' inside it
# ends the value early and '$' or a backtick is expanded by the shell when
# this file is read, so keep those characters out of the text.
#
# As shipped: programs cannot bind to non-local addresses, echo requests sent
# to broadcast addresses are ignored, and ECN is off.
# NOTE(review): the in-string remark that turning ECN off is "a good idea for
# most situations" is the original author's; re-check it for your network.
NET_GLOBAL_SYSCTL="

# This section is set up so that various network global variables can be set.
# Please refrain from trying to set interface variables using this, and
# use the switches provided in this file.  It is very easy to configure 
# the interfaces insecurely.

# Set whether programs can bind to non local IP addresses.  Useful for wierd
# NAT work
ipv4/ip_nonlocal_bind NO

# Set up the kernel to work with dynamic addressing on diald
ipv4/ip_dynaddr NO

# Control response to ICMP echo requests.  the broadcast one also controls
# the response to multicast packets.
ipv4/icmp_echo_ignore_all NO
ipv4/icmp_echo_ignore_broadcasts YES

# Turn off ecn - a good idea for most situations
ipv4/tcp_ecn NO

"
###########################
# Backups and compilation #
###########################
#
# BACKUP_LEVELS - maximum level of backup kept.  This is done by appending
# a number, from 0 to the setting below, to the file name, and rotating them.
# Suggested minimum for this is 2, for 5 lots of backup. Can't be set
# any lower than 2.
# NOTE(review): which files are backed up and where they are written is not
# stated here; check that old copies of the filter rules are not readable by
# unprivileged users.
BACKUP_LEVELS=3
#
# IPV4/IPV6_CONFIGURE_SWITCH - the shell script function (as given to 
# 'netscript ipfilter exec') to run after compiling ipfilter-defs rules 
# instead of loading and saving iptables rules to and from disk.  If set this
# is used to configure the firewall on startup, and turns off the 
# 'netscript ipfilter save' command. The Configure function is the standard
# function in ipfilter-defs used to do this, though another can be used.
#IPV4_CONFIGURE_SWITCH="Configure" 
#
# The counter part of the above for IPv6.  Not used yet though
#IPV6_CONFIGURE_SWITCH="Configure"

###############################################################################
# Interfaces
###############################################################################

# IF_AUTO                       	Default: "eth0"
# A space separated list of interfaces that get started on boot. Tunneling
# interfaces like CIPE should be after the raw interfaces they depend on.
# The interfaces are started in the order they occur on the list, and are
# shut down in the reverse order of IF_LIST.
# NOTE(review): eth0 is handled by the eth_start/eth_stop functions defined
# later in this file, which run a DHCP client rather than using a static
# eth0_IPADDR.
IF_AUTO="eth0"

# IF_DYNAMIC                                Default: ""
# A space separated list of dynamic interfaces that are not created by
# the loading of a hardware driver etc.  Examples are ppp0 et al.
# Insert an interface in here if it does not exist until the software
# program creates it.  This is so that you can start these dynamic interfaces 
# manually.
#IF_DYNAMIC="ppp0"

# IPv4 global proc flags
#
# Accept ICMP Redirects on ALL interfaces, also depends on /proc
# per interface IP forwarding flag. - YES/NO
# Keep this at NO unless redirects are really needed: a redirect tells the
# host to use a different next hop, and another machine on the same segment
# can forge one.
ALLIF_ACCEPT_REDIRECTS=NO

# IPv6 global proc flags
#
# IF_DEFAULT_IPV6_DISABLE		Default: NO - YES/NO
# Disable IPv6 on new interfaces by default.  Useful when machine
# is a Virtual Machine server, heavily using bridges for network
# connections.
#IF_DEFAULT_IPV6_DISABLE=NO

# Need these both for interfaces run by daemons - ie PPP, CIPE, Sangoma
#	  WAN interfaces
# These are the defaults for interfaces that have no <if-name>_IP_SPOOF /
# <if-name>_IP_KRNL_LOGMARTIANS setting of their own (eth0 sets both below).
# Presumably they drive the kernel's per-interface rp_filter and log_martians
# flags - TODO confirm in if.conf.
#
# IPv4 spoofing protection by default for interfaces - YES/NO
DEF_IP_SPOOF=YES
# Kernel logging of spoofed packets by default for interfaces - YES/NO
# With YES, spoofed packets leave a trace in the kernel log instead of being
# discarded without any record.
DEF_IP_KRNL_LOGMARTIANS=YES

#############################
# Bridge Setup - Global stuff
#############################

# Enable bridging - YES/NO/number of bridges
# NOTE(review): the value is lower-case "no" while the other switches in this
# file use upper-case YES/NO; confirm the consuming script compares it
# case-insensitively, otherwise bridging may not be off as intended.
BRG_SWITCH=no
#
# AND Additional named bridges to add
#BRG_LIST="brg0 inet0 dmz0 dbase0 admin0"
#
# Remove bridges from Netfilter - default YES - YES/NO
# Only need to turn this off if creating a transparent
# firewall!
#BRG_NETFILTER_REMOVE=YES

#############################
# Individual Interfaces setup
#############################

# eth0 stuff
# ----------
# ADDRESSING
#
# NB: WATCH LEADING ZEROES - address will not be added to interface!
#
# Use the old style:
#eth0_IPADDR=192.168.1.7
#eth0_MASKLEN=24
#eth0_BROADCAST=192.168.1.255
# 
# Secondary IP addresses/networks on same wire - add them here
#eth0_IP_EXTRA_ADDRS="192.168.1.193 192.168.2.1/24"
#
# -OR- the new style which also supports IPv6...
#
#eth0_IPADDR="0192.168.001.07/24_brd_192.168.1.255  2002:c0a8:010a:0001::000:007/64"
#
# IP spoofing protection on this interface - YES/NO
# Per-interface setting for eth0; DEF_IP_SPOOF above gives the default for
# interfaces without one.  The ingress-chain notes further down say rp_filter
# has to be turned off on an interface when running freeswan, so switching
# this to NO should go together with the INGRESS_* chains described there.
eth0_IP_SPOOF=YES
#
# Kernel logging of spoofed packets on this interface - YES/NO
eth0_IP_KRNL_LOGMARTIANS=YES
#
# This setting affects the processing of ICMP redirects. Setting it to NO 
# makes this more secure. Don't turn this off if you have two IP 
# networks/subnets on the same media - YES/NO
#eth0_IP_SHARED_MEDIA=NO
#
# This setting configures the interface to either send redirects or not
# This is useful for use with openvpn, due to the fact it can route packets
# out the same interface they came in on! - YES/NO
#eth0_IP_SEND_REDIRECTS=NO
#
# Interface IPv6 MTU - set to 1280 (minimum) so that tunnelling works
# well without packet fragmentation
#eth0_IPV6_MTU=1500
#
# Disable IPv6 on this interface - default NO - YES/NO
#eth0_IPV6_DISABLE=NO 
#
# Set the interface up in forwarding/non-forwarding configuration modes. This
# setting does not control the forwarding of packets via this interface.  Use
# iptables for this. In host mode allows the acceptance of ICMP redirects and 
# router advertisement packets (overridden by above flags in host mode), as 
# well as setting the IsRouter bit in Neighbour advertisements, and whether 
# router solicitation packets are sent - YES/NO
#eth0_IPV6_FWDING=YES
#
# Accept ICMP IPv6 redirects in host mode on this interface - YES/NO 
#eth0_IPV6_ACCEPT_REDIRECTS=NO
#
# Accept IPv6 Router Advertisement packets in host mode default YES - YES/NO
#eth0_IPV6_ACCEPT_RA=YES
#
# Accept routes advertised by Router Advertisements.  Debian Kernel 2.6.32+
# This is the threshold for the bit length of the prefixes accepted. Kernel
# defaults to zero, which means accept none. 64 will accept normal IPv6 routes
#eth0_IPV6_ACCEPT_RA_RT_INFO_MAX_PLEN=64
#
# Send router solicitations, gives number to send default 3 - YES/NO/0-9
#eth0_IPV6_ROUTER_SOLICITATIONS=0
#
# Enable IPV6 privacy extensions, default NO - YES/NO/0-2
# 1 enables privacy MAC addresses for global addressing, excluding ULA
# prefixes.  2 enables it for all ULA and global addresses, not recommended
#eth0_IPV6_PRIVACY=NO
#
# Automatically start/stop these interfaces if this interface is manually 
# started/stopped. Interfaces started in order of list, shutdown in reverse
# order.
#eth0_IF_CHAIN_AUTO="tun0"
#
# Automatically stop these interfaces if this interface is manually stopped.
# Interfaces stopped in reverse order of this list before those in 
# IF_CHAIN_AUTO
#eth0_IF_CHAIN=""
#
# Bridge this interface - YES/NO/bridge interface
#eth0_BRIDGE=yes
#
# Proxy-arp from this interface, no other config required to turn on proxy ARP!
# - YES/NO
#eth0_PROXY_ARP=NO
#
# Protocol MTU for interface
# - Set to override default interface value 
#eth0_MTU=1500
#
# Multicast setting for interface
# Set to override configuration default - YES/NO|on/off
#eth0_MULTICAST=YES
#
# Simple QoS/fair queueing support
# Turn on Stochastic Fair Queueing - useful on busy DDS links - YES/NO
#eth0_FAIRQ=NO
#
# Ethernet Transmit Queue Length
#eth0_TXQLEN=100
#
# Complex QoS - Enable all of these + above to turn it on
# Device Bandwidth
#eth0_BNDWIDTH=10Mbit
#
# Queue Handles - both must be unique
# Use for running tunnel daemons or other dynamic inverfaces that 
# can be here and gone very rapidly - not needed for async PPP
# eth0_HNDL1=1
# eth0_HNDL2=2
#
# Interactive Burst parameters - bandwidth and number of packets
#eth0_IABURST=100	# packets
#eth0_IARATE=1Mbit
#
# Device Physical MTU - includes link layer header
# NB FR has 8 bytes LL header, ethernet 14
#eth0_PXMTU=1514
#
# Committed Access Rate 
# - if using FR, set to CIR, else to total combined bulk data
# through put (ie eth0_BULKRATE + sum of special queue rates)
#eth0_CARATE=3Mbit
#
# Optional parameters for Complex QoS
#
# Peak Rate 
# Use this to set FR Burst capacity
#eth0_PEAKRATE=4MBit
#
# Parameters for Bulk Data bandwidth shaping
# Bulk Rate - set for ordinary traffic.
# MUST MUST MUST be used with special queues 
# to indicate the ordinary traffic load.  Has to satisfy
#  BULKRATE <= (CARATE - total_special_queue_bandwidth)
#eth0_BULKRATE=2MBit
# Special Queues - see further down in fair queuing section 
# as this needs unique mark values
#eth0_SPQUEUE

# eth1_IPADDR="192.168.2.1/29_brd_192.168.2.7"
# eth1_IP_SPOOF=YES
# eth1_IP_KRNL_LOGMARTIANS=YES
# eth1_FAIRQ=NO
# eth1_TXQLEN=100
# eth1_BNDWIDTH=10Mbit
# eth1_CARATE=7Mbit
# eth1_HNDL1=3
# eth1_HNDL2=4
# eth1_IABURST=100
# eth1_IARATE=1Mbit
# eth1_PXMTU=1514
# eth1_PEAKRATE=8Mbit
# eth1_BULKRATE=6Mbit

#ppp1_IPADDR=192.168.2.1

#chdlc0_IPADDR=192.168.10.1_peer_192.168.10.2

# PPP interface stuff - these apply to all ASYNC ppp interfaces
# The "ppp_" prefix is the interface type, so the values cover ppp0, ppp1, ...
# The keys are the same ones documented for eth0 above.
#
# Stochastic Fair Queueing on, with a transmit queue of 30
ppp_FAIRQ=YES
ppp_TXQLEN=30
# Complex stuff
# Complex QoS: device bandwidth, interactive burst (packets), committed
# access rate, interactive rate and physical MTU.  No HNDL1/HNDL2 queue
# handles are set; the eth0 notes say they are not needed for async PPP.
ppp_BNDWIDTH=30Kbit
ppp_IABURST=20
ppp_CARATE=20Kbit
ppp_IARATE=10Kbit
ppp_PXMTU=1500

############################
# Special Interface Handling
############################
# If the interface requires the running of a daemon or configuration program
# two functions must be supplied taking the interface name as the first
# and only argument.  Both of these functions have names of the form
# <if-name|if-type>_start and <if-name|iftype>_stop, with the former
# starting the interface and the latter shutting it down and deconfiguring it.
# The following global variables will be set for the <if-namei|if-type>_start
# function if they are configured.
#
# IPADDR          - interface IP address/mask -OR- the new form as above
# BROADCAST       - interface broadcast address
# PTPADDR         - PTP address of interface
# IP_EXTRA_ADDRS  - Extra IP addesses/networks bound to interface
#
# The if_addr_start function in if.conf should be used to set the addresses on
# the interface once it is created.  It also sets the interface sysctl
# /proc flags, and brings the interface up, as well as enabling the use
# of multiple addresses on the interface. The complementary if_addr_stop
# function should be used to bring the interface down and clear the addresses
# off it.
#
# BOTH A START AND A STOP FUNCTION SHOULD PROBABLY BE DEFINED if you use them.
#
# The if-type of an interface name is given by the first alpha-numerics
# of the name excluding the instance number on the end - ie the type of "eth1"
# is "eth" and the type of "wan1a2" is "wan1a".
#
# The code in if.conf first of checks for an individual interface function,
# then a typed interface function, and then uses the default which is for
# ethernet type interfaces
#
# If you are starting a tunneling interface that is dependent on another
# interface being up to continue to function correctly, use the intX_IF_CHAIN
# and intX_IF_CHAIN_AUTO interface variables for the hardware interfaces to
# start and stop the tunneled interfaces.  Also add the tunnel interface to 
# IF_AUTO AFTER the hardware interface so that it is started on boot.
#
# Static routes and other network setup can be handled by using the 
# <if-name>_network functions or those above, but the recomendation is to 
# run the zebra routing daemons as this has problems with clearing
# unwanted routes etc.
#
# Here are some example functions, some of which are actually used
#
# PPP - interface ppp0
#
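# ppp0_start IFNAME
# Start hook for interface ppp0: dial out with "pppd call provider" unless a
# pppd for this interface is already running.
#   $1 - interface name; also selects the pid file /var/run/$1.pid
# Returns 0 without dialling when the process named in the pid file is alive,
# otherwise the exit status of pppd.
# "kill -0" only tests that some process with that pid exists; a stale pid
# file whose number has been reused by an unrelated process also counts as
# "already running".
ppp0_start () {
	# don't run pppd if link already exists...
	# The expansions are quoted so the interface name and the pid file
	# contents each reach test/cat/kill as one argument; this runs as root
	# and must not word-split or glob file contents into kill's arguments.
	[ -f "/var/run/$1.pid" ] && kill -0 "$(cat "/var/run/$1.pid")" && return 0
	# call ISP
	pppd call provider
}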

#ppp1_start () {
#	# don't run pppd if link already exists...
#	[ -f /var/run/$1.pid ] && kill -0 `cat /var/run/$1.pid` && return 0
#	pppd ttyS2 19200 passive local noauth ${IPADDR}:
#}
#
# NB Stop function is provided as a type function as it can cover all
# analogue ppp interface instances.
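# ppp_stop IFNAME
# Type-level stop hook for analogue ppp interfaces: signal the pppd recorded
# in /var/run/$1.pid and wait for it to exit.
#   $1 - interface name; selects the pid file /var/run/$1.pid
# Returns 0 at once when there is no pid file.  The result of kill is not
# checked; the function ends with the status of sleep.
# qt is a helper defined outside this file (presumably it silences the
# command's output - confirm).
ppp_stop () {
	[ ! -f "/var/run/$1.pid" ] && return 0
	# Quoted so the pid file contents are passed to kill as one argument
	# and are never split into extra options or extra pids.
	qt kill "$(cat "/var/run/$1.pid")"
	sleep 5           # Wait for pppd to die
}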

#
# DHCP interface setup
#
# Comment these functions out, or change 'eth_' to 'eth0_'
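# eth_start IFNAME
# Type-level start hook for "eth" interfaces: configure the interface by DHCP
# with the first client found, in the order dhclient, dhcpcd, pump.
#   $1 - interface name
# Because this is a type function, it applies to every eth* interface that
# has no <if-name>_start function of its own, so static eth0_IPADDR style
# settings are not what brings such an interface up.
# If none of the three clients is installed nothing is run and the function
# still returns 0, leaving the interface unconfigured without any message.
# With DHCP the address, routes and resolver data come from whichever server
# answers on the wire; use the static settings on networks where that is not
# acceptable.
# qt is a helper defined outside this file (presumably it silences the
# command's output - confirm).
eth_start () {
	if [ -x /sbin/dhclient ]; then
		qt /sbin/dhclient "$1"
	elif [ -x /sbin/dhcpcd ]; then
		qt /sbin/dhcpcd -R -N "$1"
	elif [ -x /sbin/pump ]; then
		# The host name is read from /etc/hostname and passed as a single
		# argument.
		/sbin/pump -i "$1" -h "$(cat /etc/hostname)"
	fi
}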
#
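# eth_stop IFNAME
# Type-level stop hook for "eth" interfaces: stop the DHCP client, then call
# if_addr_stop (defined outside this file) for the interface.
#   $1 - interface name
# NOTE(review): /var/run/dhclient.pid is not per interface.  When it exists,
# the dhclient recorded there is signalled whichever interface is being
# stopped, and the dhcpcd and pump branches are skipped.
# qt is a helper defined outside this file (presumably it silences the
# command's output - confirm).
eth_stop () {
	if [ -f /var/run/dhclient.pid ]; then
		# Quoted so the pid file contents reach kill as one argument.
		qt kill "$(cat /var/run/dhclient.pid)"
	elif [ -f "/var/run/dhcpcd-${1}.pid" ]; then
		qt /sbin/dhcpcd -k "$1"
	elif [ -e /var/run/pump.sock ]; then
		/sbin/pump -i "$1" -r
	fi
	if_addr_stop "$1"
}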

# Openvpn setup
#tun_start () {
#        local PIDFILE="/var/run/openvpn.${1}.pid"
#        # don't run openvpn if link already exists...
#        [ -f $PIDFILE ] && kill -0 `cat $PIDFILE` && return 0
#        openvpn --config /etc/openvpn/$1.netscript \
#        --writepid $PIDFILE \
#        --cd /etc/openvpn \
#        --daemon openvpn.$1
#
#}
#
#tun_stop () {
#        local PIDFILE="/var/run/openvpn.${1}.pid"
#        [ ! -f $PIDFILE ] && return 0
#        qt kill `cat $PIDFILE`
#        [ -f $PIDFILE ] && rm $PIDFILE
#        sleep 5           # Wait for openvpn to die
#}
#
#tap_start () {
#        tun_start "$@"
#}
#
#tap_stop () {
#        tun_stop "$@"
#}
#
#

# Interesting example showing how to set 
# resolvconf nameserver details
#brg1_start () {
#       # default interface startup
#       brg_iface $1 up $BRIDGE $IPV6_DISABLE
#        # Start interface
#        if_addr_start $1
#       local NS="
#nameserver 192.168.110.254
#"
#       echo "$NS" | resolvconf -a $1
#}
#
#brg1_stop () {
#       resolvconf -d $1
#       # default action
#        brg_iface $1 down $IPV6_DISABLE
#        if_addr_stop $1
#}

# More examples...

# inet0_start () {
#         if_addr_start $1
#         echo  | resolvconf -a $1 <<INET0F
# nameserver 203.96.152.4
# nameserver 203.96.152.12
# INET0F
# }
# 
# inet0_stop () {
#         resolvconf -d $1
#         if_addr_stop $1
# }
# 

# Laptops
# 
# Integration with whereami - uses dhclient
#
#if_laptop_fwdata () {
#        local MAPPING=`/bin/cat /var/lib/whereami/iam`
#
#        case $MAPPING in
#        cmonline*)
#                ;;
#        home*)
#                # Tupple of the form protocol_source_dstport(s)
#                LAPTOP_IN="tcp_0/0_ssh tcp_0/0_ipp udp_0/0_ipp"
#                # Tupple of the form protocol_dest_dstport(s)
#                LAPTOP_OUT=""
#                # Tupple of the form protocol_source_dstport(s)
#                #IPV6_LAPTOP_IN="tcp_0/0_ssh tcp_0/0_ipp udp_0/0_ipp"
#                # Tupple of the form protocol_dest_dstport(s)
#                #IPV6_LAPTOP_OUT=""
#                ;;
#        lan)
#                ;;
#        # This is the shutdown/flush state, signal it to ipv4_laptop et al.
#        undocked|shutdown)
#                return 1;
#                ;;
##       '')
##               ;;
#        *)
#                ;;
#        esac
#
#        return 0
#}
##
#eth_start () {
#        qt ip link set dev $1 up
#        local MAPPING=`/usr/sbin/whereami --mapping`
#
#        # set up any RF interfaces
#        /etc/netscript/wep.conf $1 $MAPPING
#
#        case  $MAPPING in
#        cmonline*)
#                # Set up firewall
#                ipf4_laptopfw
#                [ -f /var/run/dhclient.pid ] \
#                        && qt kill -0 `cat /var/run/dhclient.pid` \
#                        && return 0
#                qt /sbin/dhclient $1
#                ;;
#        home*)
#                # Set up firewall
#                ipf4_laptopfw
#                [ -f /var/run/dhclient.pid ] \
#                        && qt kill -0 `cat /var/run/dhclient.pid` \
#                        && return 0
#                qt /sbin/dhclient $1
#                ;;
#        lan)
#                # Set up firewall
#                ipf4_laptopfw
#                [ -f /var/run/dhclient.pid ] \
#                        && qt kill -0 `cat /var/run/dhclient.pid` \
#                        && return 0
#                qt /sbin/dhclient $1
#                ;;
#        undocked)
#                ;;
#
##               Example of what to do if nothing is configured
##       '')
##               if_resolvconf_up $1 "some.place.com internal.some.place.com" 127.0.0.1
##               # default interface startup
##               brg_iface $1 up $BRIDGE
##               # Start interface
##               if_addr_start $1
##
##               ;;
#        *)
#                # Nothing detected, shut link down
#                qt ip link set dev $1 down
#                ;;
#        esac
#}
##
#eth_stop () {
#        [ -f /var/run/dhclient.pid ] && qt kill `cat /var/run/dhclient.pid` || true
#        if_resolvconf_down $1
#        # default action
#        # brg_iface $1 down
#        if_addr_stop $1
#
#        # Handle firewall
#        local MAPPING=`/usr/sbin/whereami --mapping`
#        ipf4_laptopfw -f
#}
#
#
# Routing samples
#
# Using 'ip route replace' will replace the same route, differing in the 
# next hops used.
#eth1_network () {
#       ip route replace 192.168.34.0/24 via 192.168.23.1
#}
# 
# This sample shows you how to use this hook to refresh heartbeat configured 
# for IP address fail over. You have to specify the IP address resource in 
# the haresource configuration file as "router1 192.168.2.254/24/eth2" to 
# get heartbeat to stop failing with large numbers of routing rules, and
# to specify which interface the IP address range is to be configured on.
#HB_NAME="heartbeat"
#HB_PID="/var/run/${HB_NAME}.pid"
#HB_PATH="/usr/lib/${HB_NAME}/${HB_NAME}"
#eth1_network () {
#        # Check that heartbeat is installed
#        [ ! -f "$HB_PATH" ] && return 0
#        killall -9 $HB_NAME
#        $HB_PATH
#}
#
#
# Sangoma Frame Relay
# - Type functions ought to cover this family if you follow a sane
#   naming interface convention
#
# fr_start () {
#        wanconfig card wanpipe1 dev $1 start
#        if_addr_start $1
# }
#
# fr_stop () {
#	if_addr_stop $1
#	qt wanconfig card wanpipe1 dev $1 stop
# }
#
# Sangoma Cisco HDLC
# - needs individual interfacesi for both start and stop
#
#chdlc0_start () {
#      wanconfig card wanpipe1 dev $1 start
#      if_addr_start $1
#}
#
#chdlc0_stop () {
#	if_addr_stop $1
#	qt wanconfig card wanpipe1 dev $1 stop
#}

######################
# Fair Queuing support
######################
#
# List of Mark values
# MRK_T1 and MRK_T2 are only referenced by the commented-out eth0_SPQUEUE
# example below.
MRK_CRIT=0x1                      # Critical traffic, routing, DNS
MRK_IA=0x2			# Interactive traffic - telnet, ssh, IRC
MRK_T1=0xa
MRK_T2=0x14
#
# List of traffic types and maps to mark values
# Setting this variable turns on the IPv4 fairq chain
# Each entry appears to be <mark>_<protocol>_<address>[_<port/service>];
# TODO confirm the exact tuple format in the fairq chain code.  89 is the IP
# protocol number of OSPF.  The ${MRK_*} references are expanded when this
# file is read, so the MRK_* assignments must stay above these lines.
CLS_FAIRQ="${MRK_CRIT}_89_0/0 ${MRK_CRIT}_udp_0/0_route ${MRK_CRIT}_tcp_0/0_bgp ${MRK_CRIT}_tcp_0/0_domain ${MRK_CRIT}_udp_0/0_domain ${MRK_IA}_tcp_0/0_telnet ${MRK_IA}_tcp_0/0_ssh"
#
# IPv6 counterpart of CLS_FAIRQ, with the same entries (presumably it turns
# on the IPv6 fairq chain in the same way - confirm).
IPV6_CLS_FAIRQ="${MRK_CRIT}_89_0/0 ${MRK_CRIT}_udp_0/0_route ${MRK_CRIT}_tcp_0/0_bgp ${MRK_CRIT}_tcp_0/0_domain ${MRK_CRIT}_udp_0/0_domain ${MRK_IA}_tcp_0/0_telnet ${MRK_IA}_tcp_0/0_ssh"
#
# List of tunneling protocols that should not be touched if the tunnel
# originates on this host - Mangling can cause rerouting to happen, and
# prevents Free S/WAN from functioning. Tunnels also pass on the mark value
# of tunneled packets, and this means that the special queues are still
# effective on this originated traffic for this host.
# NOTE(review): the IPv6 list has no ah_0/0 entry while the IPv4 list does;
# confirm that the difference is intended.
MANGLE_OUTPUT_BYPASS="gre_0/0 esp_0/0 ah_0/0 ipip_0/0 encap_0/0"
IPV6_MANGLE_OUTPUT_BYPASS="gre_0/0 esp_0/0 ipip_0/0 encap_0/0"
#
# Set up per device special queues here 
#eth0_SPQUEUE="${MRK_T1}_128Kbit_bounded ${MRK_T2}_256Kbit_bounded_isolated"
#

############################################################################
# This set of variables is used with the boilerplate chain creation commands
############################################################################

# HINT: Create the log and rejectlog chains before any of the others
#
#       with the 'netscript ipfilter exec log|rejectlog' command.


##################################
# log chain  - for IPv4 and IPv6 #
##################################

# Syslog level for IP tables kernel messages
LOG_LEVEL=warning

# Maximum log message rate
# The limit keeps a flood of matching packets from filling the logs;
# presumably packets above the rate are still handled by LOG_TARGET but
# leave no log line - confirm in the log chain.
LOG_MAXRATE=3  # messages per second

# Log target - DROP/REJECT
# What happens to a packet after it has been logged.  REJECT sends an error
# back to the sender, which is friendlier to legitimate clients but also
# confirms to the sender that a filter is present; DROP discards the packet
# silently.
LOG_TARGET=REJECT
IPV6_LOG_TARGET=REJECT

###################
# martians chains #
###################

# Net blocks to bypass martians checking on - useful for internal
# RFC 1918 netblocks.
#MARTIAN_BYPASS="10.0.0.0/8 192.168.1.0/24"

# Extra blocks for the martian chain
# Both lists are empty as shipped, so no site-specific source networks are
# added here.
MARTIAN_NETS=""			# List of additional martian/invalid 
				# IP source addresses - network/mask
# IPv6 counterpart of MARTIAN_NETS
IPV6_MARTIAN_NETS=""

###########################################
# ingress chain - for IP spoof protection #
###########################################
        
# List of IP numbers common to the box - this is to protect against
# spoofing of the interface addresses on the machine when using Free S/WAN
# IPSEC.  Insert your interface IPs here, and tie the chain in where 
# appropriate on the INPUT and FORWARD chains
#INGRESS_IPS="127.0.0.1 192.168.1.1 192.168.2.1"
# Same as above but for use in the ingrssfwd chain for FORWARD chain
# Note interface name can be added to end
#INGRESS_FWD_NETS="127.0.0.0/8 192.168.1.0/24_eth0 192.168.2.1_eth1"

##################
# portscan chain #
##################

# Total weight of the latest TCP/UDP packets with different
# destination ports coming from the same host to be treated as port
# scan sequence.
#PORTSCAN_WEIGHT_THRESHOLD=21
# Delay (in hundredths of second) for the packets with different
# destination ports coming from the same host to be treated as
# possible port scan subsequence.
#PORTSCAN_DELAY_THRESHOLD=300
# Weight of the packet with privileged (<=1024) destination port.
#PORTSCAN_LOPORTS_WEIGHT=3
# Weight of the packet with non-priviliged destination port.
#PORTSCAN_HIPORTS_WEIGHT=1

##############
# snmp chain #
##############

# List of IP numbers used for SNMP management
# NOTE(review): 192.168.1.1 looks like a shipped example; list only your real
# management stations.  The list is matched on source address, which can be
# forged, so pair it with the spoofing protection and ingress chains
# configured elsewhere in this file.
SNMP_MANAGER_IPS="192.168.1.1"

# Destination block for SNMP blocking - set this to the address containing your
# routers
# 0/0 matches every destination address.
SNMP_DEST_BLOCK=0/0

########################
# Border router chains #
########################

# This set of variables is used with the inbrdr and outbrdr border
# router chains
#
# NOTE(review): the addresses below look like shipped examples (RFC 1918
# ranges plus one public address in DNS_IPS).  Replace them with your own
# before using the inbrdr/outbrdr chains, otherwise the chains block and
# permit hosts that have nothing to do with this network.
# List entries appear to be <protocol>_<address>[_<port/service>], with "all"
# standing for any protocol - TODO confirm in the chain definitions.

# The Link network
#   - Use these if your network link to the outside is in one of your
#     IP Number Blocks
LINK_NET="192.168.1.0/30"

# Our IP number blocks
IP_BLOCKS="10.0.100.2 10.0.0.0/8"

# Block incoming SMB/Netbios - YES/NO
SMB_BLOCK=YES

# Blocked inbound source addresses
BLOCKED_INSRC="all_10.200.1.1"

# Logged blocked inbound source addresses
LOGGED_BLOCKED_INSRC="all_10.200.1.2"

# Blocked inbound destinations
BLOCKED_INDEST="tcp_10.0.2.1_23 udp_10.0.3.4_domain"

# Logged blocked inbound dests
LOGGED_BLOCKED_INDEST="tcp_192.168.45.6_smtp"

# The DNS servers that are to do zone transfers
DNS_IPS="202.36.174.1"

# Blocked outbound destinations
BLOCKED_OUTDEST="tcp_10.0.0.1_23 udp_10.0.0.2_domain"

# Logged blocked outbound dests
LOGGED_BLOCKED_OUTDEST="tcp_10.0.0.1_smtp"

##################################
# Filter Compile Framework Setup #
##################################
#
# These variables are to control the new ipfilter-defs firewall framework 
# the root functions which are found in ipfilter-defs.conf.  The variables
# only affect the ipf4_POSTROUTING, ipf4_PREROUTING, ipf4_INPUT, and 
# ipf4_FORWARD functions.  The ipf4_iplcl and ipf4_ipfwd functions in there 
# are available for use in general firewall setup, and are called from the 
# previous, and can be used if you do not want to use the whole framework.
# 
# The 'netscript compile' command will compile the firewall rules used for
# forwarding from the /etc/netscript/ipfilter-defs directory into a file called
# ipfilter-defs-compiled.conf, which is used by the functions mentioned in
# the first paragraph.
#
# Globals
# -------
# Install POSTROUTING and PREROUTING NAT rules, taking 
# control of DNAT and SNAT masquerading - YES/NO 
#USE_COMPILED_NAT=YES

# INPUT chain
# -----------
# Detect portscans on the input chain - YES/NO
#INPUT_DETECT_PORTSCAN=YES

# UDP/TCP/protocol packets to drop - tuples Proto_InIf_DstIp[_Port]
# iptables interface wildcard is '+'
#INPUT_DROP="udp_+_0/0_route tcp_+_0/0_ipp igmp_+_0/0"

# Interfaces on which you want to do martians filtering.  Typically
# interfaces that use real IP addresses and are open to the Internet
#INPUT_MARTIAN_IF="eth0"

# Input interfaces on which you want to do ingress address filtering
# for addresses on local box.  This is because rp_filter has to be 
# turned off on the interface because of running freeswan.
#INPUT_INGRESS_IF="eth0"

# Reject incoming SMB to this box? - YES/NO
#INPUT_REJECT_SMB=YES

# Reject incoming TCP auth connections - helps SMTP and POP3 - YES/NO
#INPUT_REJECT_AUTH=YES

# Log target to go at end on INPUT chain - droplog or log or REJECT/DROP
#INPUT_DEFLOG=log

# List of interfaces which we want to log traffic off of
#INPUT_DEFLOG_IF="eth2"

# FORWARD chain
# -------------
# Detect portscans on the input chain - YES/NO
#FWD_DETECT_PORTSCAN=YES

# UDP/TCP/protocol packets to drop - tuples Proto_InIf_DstIp[_Port]
# iptables interface wildcard is '+'
#FWD_DROP="udp_+_0/0_route tcp_eth0_0/0_ipp igmp_+_0/0 udp_+_0/0_1035 udp_+_0/0_1900"

# Interfaces on which you want to do martians filtering.  Typically
# interfaces that use real IP addresses and are open to the Internet
#FWD_MARTIAN_IF="eth2"

# Input interfaces on which you want to do ingress address filtering
# for addresses on local box.  This is because rp_filter has to be
# turned off on the interface because of running freeswan.
#FWD_INGRESS_IF="eth2"

# Reject incoming SMB to this box? - YES/NO
#FWD_REJECT_SMB=YES

# Reject forwarded TCP auth connections - helps SMTP and POP3 - YES/NO
#FWD_REJECT_AUTH=YES

# Log target to go at end on FORWARD chain - droplog or log or REJECT/DROP
#FWD_DEFLOG=droplog

# List of interfaces which we want to log traffic off of
#FWD_DEFLOG_IF="eth2"