/etc/netscript/network.conf is in netscript-2.4 5.2.9ubuntu1.
This file is owned by root:root, with mode 0o644.
The actual contents of the file can be viewed below. Note that this is a shell-syntax configuration file (it defines shell functions such as ppp0_start and eth_start alongside the variable assignments), and netscript evidently sources it as root, so it is effectively executable code: keep it owned by root and writable by root only, as the 0644 mode above provides.
###############################################################################
# General Settings
###############################################################################
#
# VERBOSE=(YES/NO) Default: Yes
# Be verbose about settings.
VERBOSE=YES
# IPV6_MODULE=(YES/NO) Default: NO
# If kernel is modular, enable IPv6 support by loading module. Once loaded,
# it cannot be unloaded due to kernel internal dependencies.
IPV6_MODULE=NO
# IPV6_DISABLE=(YES/NO) Default: NO
# Disable IPv6 protocol on all interfaces including lo.
# Security note: an IPv6 stack that is up but not filtered (no IPv6 rules
# compiled below) is reachable around the IPv4 firewall. Either filter
# IPv6 as well or set this to YES.
IPV6_DISABLE=NO
# IPV4_FWDING_KERNEL=(YES/NO/FILTER_ON) Default: NO
# IPV6_FWDING_KERNEL=(YES/NO/FILTER_ON) Default: NO
# Enable IP forwarding in the kernel. FILTER_ON means forwarding will
# only happen when IP filtering rules are loaded, so the box never routes
# unfiltered (e.g. before the rules are compiled at boot, or after a flush).
# FILTER_ON is the right choice for a firewall; a plain host should use NO.
IPV4_FWDING_KERNEL=FILTER_ON
IPV6_FWDING_KERNEL=FILTER_ON
# IPV4_DEFAULT_GW=nnn.nnn.nnn.nnn|OTHER|OFF|NO|NONE
# IPV4_DEFAULT_GWDEV=eth0
# IPV6_DEFAULT_GW=nnnn:nnnn:nnnn::n|OTHER|OFF|NO|NONE
# IPV6_DEFAULT_GWDEV=eth0
# IPV6_DEFAULT_PREFIX=2000::/3 # Default value
# DEFAULT_METRIC=999999999 # Default value
#
# Default Route Setup
# Use this to set the default route if required - ONLY one to be set.
# routed or gated could be used to set this so only use if not running these.
# These routes are installed at metric DEFAULT_METRIC so that netscript
# can identify its own routes. This means that it can delete them
# if the IPVn_DEFAULT_GW variables are not set. You can also specify a
# default prefix for IPv6 as the kernel does some funny things around
# default IPv6 routes.
# OTHER|OFF|NO|NONE - stop netscript doing ANYTHING with default routes.
# Use if you are going to run a routing daemon such as
# bird, gated, mrtd, routed, or zebra.
#IPV4_DEFAULT_GW=192.168.1.11
#IPV4_DEFAULT_GWDEV=eth0
#IPV6_DEFAULT_GW=2002:ca31:40dc:1::11
#IPV6_DEFAULT_GWDEV=eth0
# IP_FILTER_KERNEL=(NONE/PACKET/STATEFUL/NAT) Default: PACKET
# Set the level of NetFilter/IP Filtering in the kernel by controlling
# which classes of NetFilter modules get loaded.
#
# NONE - don't load IP NetFilter modules. Gives fastest packet forwarding
# at expense of disabling QoS and any protection. Use when speed
# is an absolute necessity.
#
# PACKET - Normal operation as a router. This satisfies most operational
# routing conditions. QoS works as filter chains are used to
# classify the packets.
#
# STATEFUL/NAT - Turns on full connection tracking stateful filtering and NAT.
#
# **WARNING** - If this was set to STATEFUL everywhere in a network
# of routers, it can result in TCP connections failing and TCP connection
# resets.
#
# ONLY set this to STATEFUL/NAT if the box is a firewall or the single point of
# entry for a network, or an endpoint for port forwarding or a load
# balancer for a WWW server farm. DO NOT switch to STATEFUL/NAT if the box
# is a conventional router as it breaks the TCP/IP RFCs. This option is
# needed when using IP NAT, IP masquerading, IP auto firewalling, IP port
# forwarding, transparent proxying or other kernel operations that intercept a
# packet flow and redirect it.
#
# It is a useful tool when using a packet filtering router to protect
# directly attached ethernet networks of servers as it stops fragment
# attacks on the servers in behind the router. Another use is packet
# filtering router to protect dial-in Internet users on NASes
# (Portmasters, TC racks etc) from various SMB and fragment attacks
# and to redirect all WWW connections into a WWW proxy-caching server.
#
# NB: with PACKET (the value shipped here) there is no connection tracking,
# so rules cannot match on ESTABLISHED/RELATED state - every return
# direction has to be allowed explicitly by stateless rules.
IP_FILTER_KERNEL=PACKET
# NET_GLOBAL_SYSCTL - global (non-interface) kernel settings under
# /proc/sys/net, one "key value" per line.
# NB: everything between the quotes, including the '#' lines, is part of
# ONE shell string - keep the closing quote, and do not put shell code in
# here. The '#' lines are presumably skipped by netscript when it applies
# the settings.
# icmp_echo_ignore_broadcasts YES stops this box acting as a smurf
# amplifier; leave it on.
NET_GLOBAL_SYSCTL="
# This section is set up so that various network global variables can be set.
# Please refrain from trying to set interface variables using this, and
# use the switches provided in this file. It is very easy to configure
# the interfaces insecurely.
# Set whether programs can bind to non local IP addresses. Useful for wierd
# NAT work
ipv4/ip_nonlocal_bind NO
# Set up the kernel to work with dynamic addressing on diald
ipv4/ip_dynaddr NO
# Control response to ICMP echo requests. the broadcast one also controls
# the response to multicast packets.
ipv4/icmp_echo_ignore_all NO
ipv4/icmp_echo_ignore_broadcasts YES
# Turn off ecn - a good idea for most situations
ipv4/tcp_ecn NO
"
###########################
# Backups and compilation #
###########################
#
# BACKUP_LEVELS - maximum level of back up kept. This is done by appending
# the number 0 to the setting below to the file name, and rotating them.
# Suggested minimum for this is 2, for 5 lots of backup. Can't be set
# any lower than 2.
# (Backups of the saved rule sets are what lets a bad compile be rolled back.)
BACKUP_LEVELS=3
#
# IPV4/IPV6_CONFIGURE_SWITCH - the shell script function (as given to
# 'netscript ipfilter exec') to run after compiling ipfilter-defs rules
# instead of loading and saving iptables rules to and from disk. If set this
# is used to configure the firewall on startup, and turns off the
# 'netscript ipfilter save' command. The Configure function is the standard
# function in ipfilter-defs used to do this, though another can be used.
#IPV4_CONFIGURE_SWITCH="Configure"
#
# The counter part of the above for IPv6. Not used yet though
#IPV6_CONFIGURE_SWITCH="Configure"
###############################################################################
# Interfaces
###############################################################################
# IF_AUTO Default: "eth0"
# A space separated list of interfaces that get started on boot. Tunneling
# interfaces like CIPE should be after the raw interfaces they depend on.
# The interfaces are started in the order they occur on the list, and are
# shutdown in the reverse order of IF_LIST.
# NB: while the eth_start type function further down is left active, every
# eth* interface listed here is configured by DHCP unless it has its own
# ethN_start function.
IF_AUTO="eth0"
# IF_DYNAMIC Default: ""
# A space separated list of dynamic interfaces that are not created by
# the loading of a hardware driver etc. Examples are ppp0 et al.
# Insert an interface in here if it does not exist until the software
# program creates it. This is so that you can start these dynamic interfaces
# manually.
#IF_DYNAMIC="ppp0"
# IPv4 global proc flags
#
# Accept ICMP Redirects on ALL interfaces, also depends on /proc
# per interface IP forwarding flag. - YES/NO
# Keep this NO: an accepted redirect lets any on-link host rewrite this
# box's route to a destination (a classic man-in-the-middle vector).
ALLIF_ACCEPT_REDIRECTS=NO
# IPv6 global proc flags
#
# IF_DEFAULT_IPV6_DISABLE Default: NO - YES/NO
# Disable IPv6 on new interfaces by default. Useful when machine
# is a Virtual Machine server, heavily using bridges for network
# connections.
#IF_DEFAULT_IPV6_DISABLE=NO
# Need these both for interfaces run by daemons - ie PPP, CIPE, Sangoma
# WAN interfaces
# IPv4 spoofing protection by default for interfaces - YES/NO
# (presumably the kernel reverse-path filter; see the INPUT_INGRESS_IF
# notes further down for the IPsec case where it has to be turned off on
# an interface and replaced by the ingress chain.)
DEF_IP_SPOOF=YES
# Kernel logging of spoofed packets by default for interfaces - YES/NO
DEF_IP_KRNL_LOGMARTIANS=YES
#############################
# Bridge Setup - Global stuff
#############################
# Enable bridging - YES/NO/number of bridges
# (shipped as lower-case "no"; the rest of this file writes YES/NO and the
# MULTICAST switch also accepts on/off, so case is presumably not
# significant.)
BRG_SWITCH=no
#
# AND Additional named bridges to add
#BRG_LIST="brg0 inet0 dmz0 dbase0 admin0"
#
# Remove Bridges from Netfilter - default YES - YES/NO
# Only need to turn this off if creating a transparent
# firewall!
#BRG_NETFILTER_REMOVE=YES
#############################
# Individual Interfaces setup
#############################
# eth0 stuff
# ----------
# ADDRESSING
#
# NB: WATCH LEADING ZEROES - address will not be added to interface!
#
# Use the old style:
#eth0_IPADDR=192.168.1.7
#eth0_MASKLEN=24
#eth0_BROADCAST=192.168.1.255
#
# Secondary IP addresses/networks on same wire - add them here
#eth0_IP_EXTRA_ADDRS="192.168.1.193 192.168.2.1/24"
#
# -OR- the new style which also supports IPv6...
#
#eth0_IPADDR="0192.168.001.07/24_brd_192.168.1.255 2002:c0a8:010a:0001::000:007/64"
#
# IP spoofing protection on this interface - YES/NO
# Per-interface override of DEF_IP_SPOOF. Keep YES unless this interface
# carries IPsec or otherwise asymmetric traffic that the reverse-path check
# rejects - in that case use the ingress chain (INPUT_INGRESS_IF) instead.
eth0_IP_SPOOF=YES
#
# Kernel logging of spoofed packets on this interface - YES/NO
# Per-interface override of DEF_IP_KRNL_LOGMARTIANS.
eth0_IP_KRNL_LOGMARTIANS=YES
#
# This setting affects the processing of ICMP redirects. Setting it to NO
# makes this more secure. Don't turn this off if you have two IP
# networks/subnets on the same media - YES/NO
#eth0_IP_SHARED_MEDIA=NO
#
# This setting configures the interface to either send redirects or not
# This is useful for use with openvpn, due to the fact it can route packets
# out the same interface they came in on! - YES/NO
#eth0_IP_SEND_REDIRECTS=NO
#
# Interface IPv6 MTU - set to 1280 (minimum) so that tunnelling works
# well without packet fragmentation
#eth0_IPV6_MTU=1500
#
# Disable IPv6 on this interface - default NO - YES/NO
#eth0_IPV6_DISABLE=NO
#
# Set the interface up in forwarding/non-forwarding configuration modes. This
# setting does not control the forwarding of packets via this interface. Use
# iptables for this. In host mode allows the acceptance of ICMP redirects and
# router advertisement packets (overridden by above flags in host mode), as
# well as setting the IsRouter bit in Neighbour advertisements, and whether
# router solicitation packets are sent - YES/NO
#eth0_IPV6_FWDING=YES
#
# Accept ICMP IPv6 redirects in host mode on this interface - YES/NO
#eth0_IPV6_ACCEPT_REDIRECTS=NO
#
# Accept IPv6 Router Advertisement packets in host mode default YES - YES/NO
# NB: a rogue RA from any on-link host can take over the default route; set
# NO on untrusted links where the address and gateway are configured statically.
#eth0_IPV6_ACCEPT_RA=YES
#
# Accept routes advertised by Router Advertisements. Debian Kernel 2.6.32+
# This is the threshold for the bit length of the prefixes accepted. Kernel
# defaults to zero, which means accept none. 64 will accept normal IPv6 routes.
# Security note: any host on the link can send RAs, so only raise this on
# links where the routers are trusted (or RA Guard is enforced on the switch).
#eth0_IPV6_ACCEPT_RA_RT_INFO_MAX_PLEN=64
#
# Send router solicitations, gives number to send default 3 - YES/NO/0-9
#eth0_IPV6_ROUTER_SOLICITATIONS=0
#
# Enable IPV6 privacy extensions, default NO - YES/NO/0-2
# 1 enables privacy MAC addresses for global addressing, excluding ULA
# prefixes. 2 enables it for all ULA and global addresses, not recommended
#eth0_IPV6_PRIVACY=NO
#
# Automatically start/stop these interfaces if this interface is manually
# started/stopped. Interfaces started in order of list, shutdown in reverse
# order.
#eth0_IF_CHAIN_AUTO="tun0"
#
# Automatically stop these interfaces if this interface is manually stopped.
# Interfaces stopped in reverse order of this list before those in
# IF_CHAIN_AUTO
#eth0_IF_CHAIN=""
#
# Bridge this interface - YES/NO/bridge interface
#eth0_BRIDGE=yes
#
# Proxy-arp from this interface, no other config required to turn on proxy ARP!
# - YES/NO
#eth0_PROXY_ARP=NO
#
# Protocol MTU for interface
# - Set to override default interface value
#eth0_MTU=1500
#
# Multicast setting for interface
# Set to override configuration default - YES/NO|on/off
#eth0_MULTICAST=YES
#
# Simple QoS/fair queueing support
# Turn on Stochastic Fair Queueing - useful on busy DDS links - YES/NO
#eth0_FAIRQ=NO
#
# Ethernet Transmit Queue Length
#eth0_TXQLEN=100
#
# Complex QoS - Enable all of these + above to turn it on
# Device Bandwidth
#eth0_BNDWIDTH=10Mbit
#
# Queue Handles - both must be unique
# Use for running tunnel daemons or other dynamic interfaces that
# can be here and gone very rapidly - not needed for async PPP
# eth0_HNDL1=1
# eth0_HNDL2=2
#
# Interactive Burst parameters - bandwidth and number of packets
#eth0_IABURST=100 # packets
#eth0_IARATE=1Mbit
#
# Device Physical MTU - includes link layer header
# NB FR has 8 bytes LL header, ethernet 14
#eth0_PXMTU=1514
#
# Committed Access Rate
# - if using FR, set to CIR, else to total combined bulk data
# through put (ie eth0_BULKRATE + sum of special queue rates)
#eth0_CARATE=3Mbit
#
# Optional parameters for Complex QoS
#
# Peak Rate
# Use this to set FR Burst capacity
#eth0_PEAKRATE=4MBit
#
# Parameters for Bulk Data bandwidth shaping
# Bulk Rate - set for ordinary traffic.
# MUST MUST MUST be used with special queues
# to indicate the ordinary traffic load. Has to satisfy
# BULKRATE <= (CARATE - total_special_queue_bandwidth)
#eth0_BULKRATE=2MBit
# Special Queues - see further down in fair queuing section
# as this needs unique mark values
#eth0_SPQUEUE
# eth1_IPADDR="192.168.2.1/29_brd_192.168.2.7"
# eth1_IP_SPOOF=YES
# eth1_IP_KRNL_LOGMARTIANS=YES
# eth1_FAIRQ=NO
# eth1_TXQLEN=100
# eth1_BNDWIDTH=10Mbit
# eth1_CARATE=7Mbit
# eth1_HNDL1=3
# eth1_HNDL2=4
# eth1_IABURST=100
# eth1_IARATE=1Mbit
# eth1_PXMTU=1514
# eth1_PEAKRATE=8Mbit
# eth1_BULKRATE=6Mbit
#ppp1_IPADDR=192.168.2.1
#chdlc0_IPADDR=192.168.10.1_peer_192.168.10.2
# PPP interface stuff - these apply to all ASYNC ppp interfaces
# Type-level (ppp_) defaults: the same keys as documented for eth0 above,
# applied to any pppN interface that does not set its own pppN_ value.
ppp_FAIRQ=YES
ppp_TXQLEN=30
# Complex stuff
# The rates below look like dial-up modem figures; size them to the real
# link if this is used on anything faster.
ppp_BNDWIDTH=30Kbit
ppp_IABURST=20
ppp_CARATE=20Kbit
ppp_IARATE=10Kbit
ppp_PXMTU=1500
############################
# Special Interface Handling
############################
# If the interface requires the running of a daemon or configuration program
# two functions must be supplied taking the interface name as the first
# and only argument. Both of these functions have names of the form
# <if-name|if-type>_start and <if-name|iftype>_stop, with the former
# starting the interface and the latter shutting it down and deconfiguring it.
# The following global variables will be set for the <if-namei|if-type>_start
# function if they are configured.
#
# IPADDR - interface IP address/mask -OR- the new form as above
# BROADCAST - interface broadcast address
# PTPADDR - PTP address of interface
# IP_EXTRA_ADDRS - Extra IP addesses/networks bound to interface
#
# The if_addr_start function in if.conf should be used to set the addresses on
# the interface once it is created. It also sets the interface sysctl
# /proc flags, and brings the interface up, as well as enabling the use
# of multiple addresses on the interface. The if_addr_stop complementary
# function should be used to down the interface and clear the addresses off it.
#
# BOTH A START AND A STOP FUNCTION SHOULD BE DEFINED if you use them.
#
# The if-type of an interface name is given by the first alpha-numerics
# of the name excluding the instance number on the end - ie the type of "eth1"
# is "eth" and the type of "wan1a2" is "wan1a".
#
# The code in if.conf first of checks for an individual interface function,
# then a typed interface function, and then uses the default which is for
# ethernet type interfaces
#
# If you are starting a tunneling interface that is dependent on another
# interface being up to continue to function correctly, use the intX_IF_CHAIN
# and intX_IF_CHAIN_AUTO interface variables for the hardware interfaces to
# start and stop the tunneled interfaces. Also add the tunnel interface to
# IF_AUTO AFTER the hardware interface so that it is started on boot.
#
# Static routes and other network setup can be handled by using the
# <if-name>_network functions or those above, but the recommendation is to
# run the zebra routing daemons as this has problems with clearing
# unwanted routes etc.
#
# Here are some example functions, some of which are actually used
#
# PPP - interface ppp0
#
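ppp0_start () {
    # Dial the ISP for the PPP interface named in $1 (e.g. "ppp0") unless a
    # pppd for it is already up.
    #
    # The pid file is only trusted when it holds a positive integer that
    # names a live pppd. The bare `kill -0 \`cat pidfile\`` this replaces
    # would, on a stale or truncated pid file, probe pid 0 (this process
    # group, which always exists) or an unrelated process that has since
    # reused the number, and silently skip the dial-up.
    local pidfile="/var/run/$1.pid" pid=""
    if [ -f "$pidfile" ]; then
        # a pid file without a trailing newline still yields the pid
        read -r pid < "$pidfile" || :
        case "$pid" in
            ''|*[!0-9]*|0)
                # empty, non-numeric or zero: treat as stale and redial
                ;;
            *)
                if kill -0 "$pid" 2>/dev/null \
                   && [ "$(ps -o comm= -p "$pid" 2>/dev/null)" = pppd ]; then
                    return 0
                fi
                ;;
        esac
    fi
    # call ISP
    pppd call provider
}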
#ppp1_start () {
# # don't run pppd if link already exists...
# [ -f /var/run/$1.pid ] && kill -0 `cat /var/run/$1.pid` && return 0
# pppd ttyS2 19200 passive local noauth ${IPADDR}:
#}
#
# NB Stop function is provided as a type function as it can cover all
# analogue ppp interface instances.
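ppp_stop () {
    # Type function: stop the pppd behind any analogue ppp interface $1 and
    # wait for it to exit.
    #
    # The pid is validated before it is signalled. A stale or corrupt pid
    # file holding "0", a negative number or junk would otherwise make
    # `kill` hit the whole process group (netscript itself) or an unrelated
    # process that has since reused the number - and this runs as root.
    # Refusals return 0 so the rest of the interface shutdown still runs.
    local pidfile="/var/run/$1.pid" pid=""
    [ -f "$pidfile" ] || return 0
    # a pid file without a trailing newline still yields the pid
    read -r pid < "$pidfile" || :
    case "$pid" in
        ''|*[!0-9]*|0)
            echo "$1: ignoring corrupt pid file $pidfile" >&2
            return 0
            ;;
    esac
    # Already gone: nothing to do.
    kill -0 "$pid" 2>/dev/null || return 0
    if [ "$(ps -o comm= -p "$pid" 2>/dev/null)" != pppd ]; then
        echo "$1: pid $pid in $pidfile is not pppd, not killing it" >&2
        return 0
    fi
    qt kill "$pid"
    sleep 5 # Wait for pppd to die
}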
#
# DHCP interface setup
#
# NB: this type function is ACTIVE and applies to every eth* interface that
# has no ethN_start of its own. Comment it out, or change 'eth_' to 'eth0_'
# to limit it to a single interface.
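eth_start () {
    # Type function: bring up any eth* interface $1 that has no ethN_start of
    # its own by running the first DHCP client found (dhclient, dhcpcd, pump).
    # NOTE: this function is active as shipped, so every eth* interface in
    # IF_AUTO is configured by DHCP unless it defines ethN_start itself.
    #
    # Arguments are quoted so the interface name and the hostname are passed
    # as single words even if they contain whitespace or glob characters.
    if [ -x /sbin/dhclient ]; then
        # eth_stop looks for /var/run/dhclient.pid, a single pid file shared
        # by every interface; with more than one DHCP interface consider a
        # per-interface pid file (dhclient -pf) and teach eth_stop to read it.
        qt /sbin/dhclient "$1"
    elif [ -x /sbin/dhcpcd ]; then
        qt /sbin/dhcpcd -R -N "$1"
    elif [ -x /sbin/pump ]; then
        /sbin/pump -i "$1" -h "$(cat /etc/hostname)"
    fi
}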
#
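eth_stop () {
    # Type function: tear down eth* interface $1 by stopping whichever DHCP
    # client eth_start launched, then clearing the addresses off it.
    #
    # The dhclient pid file is shared by all interfaces (see eth_start) and
    # is validated before use: a stale file holding "0" or junk would make
    # `kill` hit the whole process group, and a reused pid would kill an
    # unrelated process - all as root.
    local pid=""
    if [ -f /var/run/dhclient.pid ]; then
        # a pid file without a trailing newline still yields the pid
        read -r pid < /var/run/dhclient.pid || :
        case "$pid" in
            ''|*[!0-9]*|0)
                echo "$1: ignoring corrupt /var/run/dhclient.pid" >&2
                ;;
            *)
                if [ "$(ps -o comm= -p "$pid" 2>/dev/null)" = dhclient ]; then
                    qt kill "$pid"
                elif kill -0 "$pid" 2>/dev/null; then
                    echo "$1: pid $pid in /var/run/dhclient.pid is not dhclient, not killing it" >&2
                fi
                ;;
        esac
    elif [ -f "/var/run/dhcpcd-${1}.pid" ]; then
        qt /sbin/dhcpcd -k "$1"
    elif [ -e /var/run/pump.sock ]; then
        /sbin/pump -i "$1" -r
    fi
    if_addr_stop "$1"
}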
# Openvpn setup
#tun_start () {
# local PIDFILE="/var/run/openvpn.${1}.pid"
# # don't run openvpn if link already exists...
# [ -f $PIDFILE ] && kill -0 `cat $PIDFILE` && return 0
# openvpn --config /etc/openvpn/$1.netscript \
# --writepid $PIDFILE \
# --cd /etc/openvpn \
# --daemon openvpn.$1
#
#}
#
#tun_stop () {
# local PIDFILE="/var/run/openvpn.${1}.pid"
# [ ! -f $PIDFILE ] && return 0
# qt kill `cat $PIDFILE`
# [ -f $PIDFILE ] && rm $PIDFILE
# sleep 5 # Wait for openvpn to die
#}
#
#tap_start () {
# tun_start "$@"
#}
#
#tap_stop () {
# tun_stop "$@"
#}
#
#
# Interesting example showing how to set
# resolvconf nameserver details
#brg1_start () {
# # default interface startup
# brg_iface $1 up $BRIDGE $IPV6_DISABLE
# # Start interface
# if_addr_start $1
# local NS="
#nameserver 192.168.110.254
#"
# echo "$NS" | resolvconf -a $1
#}
#
#brg1_stop () {
# resolvconf -d $1
# # default action
# brg_iface $1 down $IPV6_DISABLE
# if_addr_stop $1
#}
# More examples...
# inet0_start () {
# if_addr_start $1
# echo | resolvconf -a $1 <<INET0F
# nameserver 203.96.152.4
# nameserver 203.96.152.12
# INET0F
# }
#
# inet0_stop () {
# resolvconf -d $1
# if_addr_stop $1
# }
#
# Laptops
#
# Integration with whereami - uses dhclient
#
#if_laptop_fwdata () {
# local MAPPING=`/bin/cat /var/lib/whereami/iam`
#
# case $MAPPING in
# cmonline*)
# ;;
# home*)
# # Tupple of the form protocol_source_dstport(s)
# LAPTOP_IN="tcp_0/0_ssh tcp_0/0_ipp udp_0/0_ipp"
# # Tupple of the form protocol_dest_dstport(s)
# LAPTOP_OUT=""
# # Tupple of the form protocol_source_dstport(s)
# #IPV6_LAPTOP_IN="tcp_0/0_ssh tcp_0/0_ipp udp_0/0_ipp"
# # Tupple of the form protocol_dest_dstport(s)
# #IPV6_LAPTOP_OUT=""
# ;;
# lan)
# ;;
# # This is the shutdown/flush state, signal it to ipv4_laptop et al.
# undocked|shutdown)
# return 1;
# ;;
## '')
## ;;
# *)
# ;;
# esac
#
# return 0
#}
##
#eth_start () {
# qt ip link set dev $1 up
# local MAPPING=`/usr/sbin/whereami --mapping`
#
# # set up any RF interfaces
# /etc/netscript/wep.conf $1 $MAPPING
#
# case $MAPPING in
# cmonline*)
# # Set up firewall
# ipf4_laptopfw
# [ -f /var/run/dhclient.pid ] \
# && qt kill -0 `cat /var/run/dhclient.pid` \
# && return 0
# qt /sbin/dhclient $1
# ;;
# home*)
# # Set up firewall
# ipf4_laptopfw
# [ -f /var/run/dhclient.pid ] \
# && qt kill -0 `cat /var/run/dhclient.pid` \
# && return 0
# qt /sbin/dhclient $1
# ;;
# lan)
# # Set up firewall
# ipf4_laptopfw
# [ -f /var/run/dhclient.pid ] \
# && qt kill -0 `cat /var/run/dhclient.pid` \
# && return 0
# qt /sbin/dhclient $1
# ;;
# undocked)
# ;;
#
## Example of what to do if nothing is configured
## '')
## if_resolvconf_up $1 "some.place.com internal.some.place.com" 127.0.0.1
## # default interface startup
## brg_iface $1 up $BRIDGE
## # Start interface
## if_addr_start $1
##
## ;;
# *)
# # Nothing detected, shut link down
# qt ip link set dev $1 down
# ;;
# esac
#}
##
#eth_stop () {
# [ -f /var/run/dhclient.pid ] && qt kill `cat /var/run/dhclient.pid` || true
# if_resolvconf_down $1
# # default action
# # brg_iface $1 down
# if_addr_stop $1
#
# # Handle firewall
# local MAPPING=`/usr/sbin/whereami --mapping`
# ipf4_laptopfw -f
#}
#
#
# Routing samples
#
# Using 'ip route replace' will replace the same route, differing in the
# next hops used.
#eth1_network () {
# ip route replace 192.168.34.0/24 via 192.168.23.1
#}
#
# This sample shows you how to use this hook to refresh heartbeat configured
# for IP address fail over. You have to specify the IP address resource in
# the haresource configuration file as "router1 192.168.2.254/24/eth2" to
# get heartbeat to stop failing with large numbers of routing rules, and
# to specify which interface the IP address range is to be configured on.
#HB_NAME="heartbeat"
#HB_PID="/var/run/${HB_NAME}.pid"
#HB_PATH="/usr/lib/${HB_NAME}/${HB_NAME}"
#eth1_network () {
# # Check that heartbeat is installed
# [ ! -f "$HB_PATH" ] && return 0
# killall -9 $HB_NAME
# $HB_PATH
#}
#
#
# Sangoma Frame Relay
# - Type functions ought to cover this family if you follow a sane
# naming interface convention
#
# fr_start () {
# wanconfig card wanpipe1 dev $1 start
# if_addr_start $1
# }
#
# fr_stop () {
# if_addr_stop $1
# qt wanconfig card wanpipe1 dev $1 stop
# }
#
# Sangoma Cisco HDLC
# - needs individual interface functions for both start and stop
#
#chdlc0_start () {
# wanconfig card wanpipe1 dev $1 start
# if_addr_start $1
#}
#
#chdlc0_stop () {
# if_addr_stop $1
# qt wanconfig card wanpipe1 dev $1 stop
#}
######################
# Fair Queuing support
######################
#
# List of Mark values
# Each mark must be unique: the fairq chain and the per-device special
# queues (eth0_SPQUEUE) are keyed on it.
MRK_CRIT=0x1 # Critical traffic, routing, DNS
MRK_IA=0x2 # Interactive traffic - telnet, ssh, IRC
MRK_T1=0xa
MRK_T2=0x14
#
# List of traffic types and maps to mark values
# Setting this variable turns on the IPv4 fairq chain
# Tuple form appears to be mark_proto_addr[_dstport]; a bare number in the
# proto position is an IP protocol number (89 = OSPF). These marks only
# classify traffic for queueing - they do not permit it, so telnet/ssh etc.
# still need their own filter rules.
CLS_FAIRQ="${MRK_CRIT}_89_0/0 ${MRK_CRIT}_udp_0/0_route ${MRK_CRIT}_tcp_0/0_bgp ${MRK_CRIT}_tcp_0/0_domain ${MRK_CRIT}_udp_0/0_domain ${MRK_IA}_tcp_0/0_telnet ${MRK_IA}_tcp_0/0_ssh"
#
IPV6_CLS_FAIRQ="${MRK_CRIT}_89_0/0 ${MRK_CRIT}_udp_0/0_route ${MRK_CRIT}_tcp_0/0_bgp ${MRK_CRIT}_tcp_0/0_domain ${MRK_CRIT}_udp_0/0_domain ${MRK_IA}_tcp_0/0_telnet ${MRK_IA}_tcp_0/0_ssh"
#
# List of tunneling protocols that should not be touched if the tunnel
# originates on this host - Mangling can cause rerouting to happen, and
# prevents Free S/WAN from functioning. Tunnels also pass on the mark value
# of tunneled packets, and this means that the special queues are still
# effective on this originated traffic for this host.
# NB: the IPv6 list omits ah_0/0 - check that is intended if AH is used
# over IPv6.
MANGLE_OUTPUT_BYPASS="gre_0/0 esp_0/0 ah_0/0 ipip_0/0 encap_0/0"
IPV6_MANGLE_OUTPUT_BYPASS="gre_0/0 esp_0/0 ipip_0/0 encap_0/0"
#
# Set up per device special queues here
#eth0_SPQUEUE="${MRK_T1}_128Kbit_bounded ${MRK_T2}_256Kbit_bounded_isolated"
#
############################################################################
# This set of variables is used with the boilerplate chain creation commands
############################################################################
# HINT: Create the log and rejectlog chains before any of the others
#
# with the 'netscript ipfilter exec log|rejectlog' command.
##################################
# log chain - for IPv4 and IPv6 #
##################################
# Syslog level for IP tables kernel messages
LOG_LEVEL=warning
# Maximum log message rate
# Messages over the limit are simply not logged, so a fast scan only partly
# shows up in syslog - keep the limit low anyway so that an attacker cannot
# fill the log (or the disk) just by triggering the log rules.
LOG_MAXRATE=3 # messages per second
# Log target - DROP/REJECT
# REJECT answers the sender (ICMP unreachable / TCP RST), which is friendlier
# to legitimate clients on internal networks but confirms the box is alive
# and can be abused for reflection. For Internet-facing rule sets DROP is
# the more conservative choice.
LOG_TARGET=REJECT
IPV6_LOG_TARGET=REJECT
###################
# martians chains #
###################
# Net blocks to bypass martians checking on - useful for internal
# RFC 1918 netblocks.
# Only bypass nets that are legitimately present on the interfaces the
# martians chain is applied to; bypassing 10/8 on an Internet-facing
# interface lets spoofed RFC 1918 sources straight through.
#MARTIAN_BYPASS="10.0.0.0/8 192.168.1.0/24"
# Extra blocks for the martian chain
MARTIAN_NETS="" # List of additional martian/invalid
# IP source addresses - network/mask
IPV6_MARTIAN_NETS=""
###########################################
# ingress chain - for IP spoof protection #
###########################################
# List of IP numbers common to the box - this is to protect against
# spoofing of the interface addresses on the machine when using Free S/WAN
# IPSEC. Insert your interface IPs here, and tie the chain in where
# appropriate on the INPUT and FORWARD chains
#INGRESS_IPS="127.0.0.1 192.168.1.1 192.168.2.1"
# Same as above but for use in the ingrssfwd chain for FORWARD chain
# Note interface name can be added to end
#INGRESS_FWD_NETS="127.0.0.0/8 192.168.1.0/24_eth0 192.168.2.1_eth1"
##################
# portscan chain #
##################
# Total weight of the latest TCP/UDP packets with different
# destination ports coming from the same host to be treated as port
# scan sequence.
#PORTSCAN_WEIGHT_THRESHOLD=21
# Delay (in hundredths of second) for the packets with different
# destination ports coming from the same host to be treated as
# possible port scan subsequence.
#PORTSCAN_DELAY_THRESHOLD=300
# Weight of the packet with privileged (<=1024) destination port.
#PORTSCAN_LOPORTS_WEIGHT=3
# Weight of the packet with non-privileged destination port.
#PORTSCAN_HIPORTS_WEIGHT=1
##############
# snmp chain #
##############
# List of IP Nos used for SNMP management
# Example value - replace it with the real management station address(es);
# the snmp chain presumably admits SNMP only from these hosts.
SNMP_MANAGER_IPS="192.168.1.1"
# Destination block for SNMP blocking - set this to the address containing your
# routers
# 0/0 means every destination, i.e. SNMP from anything other than
# SNMP_MANAGER_IPS is blocked wherever it is headed.
SNMP_DEST_BLOCK=0/0
########################
# Border router chains #
########################
# This set of variables is used with the inbrdr and outbrdr border
# router chains
# The Link network
# - Use these if your network link to the outside is in one of your
# IP Number Blocks
# All of the values below are sample addresses and only take effect when
# the inbrdr/outbrdr chains are created; replace them with your own before
# relying on the border rules. DNS_IPS in particular holds a public address
# that is almost certainly not yours.
LINK_NET="192.168.1.0/30"
# Our IP number blocks
IP_BLOCKS="10.0.100.2 10.0.0.0/8"
# Block incoming SMB/Netbios - YES/NO
SMB_BLOCK=YES
# Blocked inbound source addresses
BLOCKED_INSRC="all_10.200.1.1"
# Logged blocked inbound source addresses
LOGGED_BLOCKED_INSRC="all_10.200.1.2"
# Blocked inbound destinations
BLOCKED_INDEST="tcp_10.0.2.1_23 udp_10.0.3.4_domain"
# Logged blocked inbound dests
LOGGED_BLOCKED_INDEST="tcp_192.168.45.6_smtp"
# The DNS servers that are to do zone transfers
DNS_IPS="202.36.174.1"
# Blocked outbound destinations
BLOCKED_OUTDEST="tcp_10.0.0.1_23 udp_10.0.0.2_domain"
# Logged blocked outbound dests
LOGGED_BLOCKED_OUTDEST="tcp_10.0.0.1_smtp"
##################################
# Filter Compile Framework Setup #
##################################
#
# These variables are to control the new ipfilter-defs firewall framework
# the root functions which are found in ipfilter-defs.conf. The variables
# only affect the ipf4_POSTROUTING, ipf4_PREROUTING, ipf4_INPUT, and
# ipf4_FORWARD functions. The ipf4_iplcl and ipf4_ipfwd functions in there
# are available for use in general firewall setup, and are called from the
# previous, and can be used if you do not want to use the whole framework.
#
# The 'netscript compile' command will compile the firewall rules used for forwarding
# from the /etc/netscript/ipfilter-defs directory into a file called
# ipfilter-defs-compiled.conf, which is used by the functions mentioned in
# the first paragraph.
#
# Globals
# -------
# Install POSTROUTING and PREROUTING NAT rules, taking
# control of DNAT and SNAT masquerading - YES/NO
#USE_COMPILED_NAT=YES
# INPUT chain
# -----------
# Detect portscans on the input chain - YES/NO
#INPUT_DETECT_PORTSCAN=YES
# UDP/TCP/protocol packets to drop - tuples Proto_InIf_DstIp[_Port]
# iptables interface wildcard is '+'
#INPUT_DROP="udp_+_0/0_route tcp_+_0/0_ipp igmp_+_0/0"
# Interfaces on which you want to do martians filtering. Typically
# interfaces that use real IP addresses and are open to the Internet
#INPUT_MARTIAN_IF="eth0"
# Input interfaces on which you want to do ingress address filtering
# for addresses on local box. This is because rp_filter has to be
# turned off on the interface because of running freeswan.
#INPUT_INGRESS_IF="eth0"
# Reject incoming SMB to this box? - YES/NO
#INPUT_REJECT_SMB=YES
# Reject incoming TCP auth connections - helps SMTP and POP3 - YES/NO
#INPUT_REJECT_AUTH=YES
# Log target to go at end on INPUT chain - droplog or log or REJECT/DROP
#INPUT_DEFLOG=log
# List of interfaces which we want to log traffic off of
#INPUT_DEFLOG_IF="eth2"
# FORWARD chain
# -------------
# Detect portscans on the forward chain - YES/NO
#FWD_DETECT_PORTSCAN=YES
# UDP/TCP/protocol packets to drop - tuples Proto_InIf_DstIp[_Port]
# iptables interface wildcard is '+'
#FWD_DROP="udp_+_0/0_route tcp_eth0_0/0_ipp igmp_+_0/0 udp_+_0/0_1035 udp_+_0/0_1900"
# Interfaces on which you want to do martians filtering. Typically
# interfaces that use real IP addresses and are open to the Internet
#FWD_MARTIAN_IF="eth2"
# Input interfaces on which you want to do ingress address filtering
# for addresses on local box. This is because rp_filter has to be
# turned off on the interface because of running freeswan.
#FWD_INGRESS_IF="eth2"
# Reject SMB forwarded through this box? - YES/NO
#FWD_REJECT_SMB=YES
# Reject forwarded TCP auth connections - helps SMTP and POP3 - YES/NO
#FWD_REJECT_AUTH=YES
# Log target to go at end on FORWARD chain - droplog or log or REJECT/DROP
#FWD_DEFLOG=droplog
# List of interfaces which we want to log traffic off of
#FWD_DEFLOG_IF="eth2"