/usr/share/fwbuilder-5.1.0.3599/configlets/ipcop/automatic_rules is in fwbuilder-common 5.1.0-4.
This file is owned by root:root, with mode 0o644.
## -*- mode: shell-script; -*-
##
## Configlet "automatic_rules" for the IPCOP platform. The rules emitted
## here come from firewall option flags rather than from the user's policy
## rules; each group below is wrapped in the {{if flag}} that enables it.
##
## To be able to make changes to the part of configuration created
## from this configlet you need to copy this file to the directory
## fwbuilder/configlets/linux24/ in your home directory and modify it.
## NOTE(review): the directory named above is linux24, but this configlet is
## installed under configlets/ipcop/ -- confirm which override directory
## fwbuilder consults for IPCOP before relying on a copied version.
## Double "##" comments are removed during processing but single "#"
## comments are retained and appear in the generated script. Empty
## lines are removed as well.
##
## Configlets support simple macro language with these constructs:
## {{$var}} is variable expansion
## {{if var}} is conditional operator.
## Each rule must start with {{$begin_rule}} and end with
## {{$end_rule}}. Variable $begin_rule has value "$IPTABLES -A" if
## generated script is in the shell script format, or just empty
## string if it is in iptables-restore format
##
## IPCOP runs ssh on port 222
## Backup management access (mgmt_access): admit TCP to local port 222 only
## from $ssh_management_address -- NEW and ESTABLISHED inbound, and the
## ESTABLISHED/RELATED replies outbound. The source address is the only
## restriction applied here; no interface is named.
{{if mgmt_access}}
# backup ssh access
{{$begin_rule}} INPUT -p tcp -m tcp -s {{$ssh_management_address}} --dport 222 -m state --state NEW,ESTABLISHED -j ACCEPT {{$end_rule}}
{{$begin_rule}} OUTPUT -p tcp -m tcp -d {{$ssh_management_address}} --sport 222 -m state --state ESTABLISHED,RELATED -j ACCEPT {{$end_rule}}
{{endif}}
## drop_new_tcp_with_no_syn: TCP packets that conntrack classifies as NEW but
## that are not a bare SYN (the SYN,RST,ACK mask must equal SYN) are dropped
## in INPUT and OUTPUT, and in FORWARD as well when ipforw is set.
## ipforw is used the same way in the INVALID groups below; it is presumably
## the IP-forwarding option and is not defined in this file.
{{if drop_new_tcp_with_no_syn}}
# drop TCP sessions opened prior to firewall restart
{{$begin_rule}} INPUT -p tcp -m tcp ! --tcp-flags SYN,RST,ACK SYN -m state --state NEW -j DROP {{$end_rule}}
{{$begin_rule}} OUTPUT -p tcp -m tcp ! --tcp-flags SYN,RST,ACK SYN -m state --state NEW -j DROP {{$end_rule}}
{{if ipforw}}
{{$begin_rule}} FORWARD -p tcp -m tcp ! --tcp-flags SYN,RST,ACK SYN -m state --state NEW -j DROP {{$end_rule}}
{{endif}}
{{endif}}
## add_rules_for_ipv6_neighbor_discovery: accept the four ICMPv6 Neighbor
## Discovery message types in both INPUT and OUTPUT. Nothing in this group
## limits them to a particular interface or checks the hop limit, so whether
## router advertisements are only accepted from trusted segments depends on
## the rest of the generated policy, which is not visible in this configlet.
{{if add_rules_for_ipv6_neighbor_discovery}}
# rules to permit IPv6 Neighbor discovery
{{$begin_rule}} INPUT -p ipv6-icmp -m icmp6 --icmpv6-type router-solicitation -j ACCEPT {{$end_rule}}
{{$begin_rule}} OUTPUT -p ipv6-icmp -m icmp6 --icmpv6-type router-solicitation -j ACCEPT {{$end_rule}}
{{$begin_rule}} INPUT -p ipv6-icmp -m icmp6 --icmpv6-type router-advertisement -j ACCEPT {{$end_rule}}
{{$begin_rule}} OUTPUT -p ipv6-icmp -m icmp6 --icmpv6-type router-advertisement -j ACCEPT {{$end_rule}}
{{$begin_rule}} INPUT -p ipv6-icmp -m icmp6 --icmpv6-type neighbour-solicitation -j ACCEPT {{$end_rule}}
{{$begin_rule}} OUTPUT -p ipv6-icmp -m icmp6 --icmpv6-type neighbour-solicitation -j ACCEPT {{$end_rule}}
{{$begin_rule}} INPUT -p ipv6-icmp -m icmp6 --icmpv6-type neighbour-advertisement -j ACCEPT {{$end_rule}}
{{$begin_rule}} OUTPUT -p ipv6-icmp -m icmp6 --icmpv6-type neighbour-advertisement -j ACCEPT {{$end_rule}}
{{endif}}
## drop_invalid: packets in conntrack state INVALID are dropped silently in
## OUTPUT and INPUT (and FORWARD when ipforw is set).
{{if drop_invalid}}
# drop packets that do not match any valid state
{{$begin_rule}} OUTPUT -m state --state INVALID -j DROP {{$end_rule}}
{{$begin_rule}} INPUT -m state --state INVALID -j DROP {{$end_rule}}
{{if ipforw}}
{{$begin_rule}} FORWARD -m state --state INVALID -j DROP {{$end_rule}}
{{endif}}
{{endif}}
## drop_invalid_and_log: the logging variant of the group above. INVALID
## packets are sent to the user chain drop_invalid (created by
## $create_drop_invalid_chain), which logs them and then drops them.
## Logging uses the ULOG target when use_ulog is set, with the nlgroup,
## cprange and qthreshold options each emitted only when its own flag is
## set; when not_use_ulog is set it uses the kernel LOG target at level
## debug instead (the macro language documented above has no else branch,
## hence the separate negated flag). Both targets take
## $invalid_match_log_prefix as the log prefix.
## NOTE(review): the prefix is inserted without quoting, so this relies on
## the expanded value already carrying any quoting it needs in the shell
## script format -- confirm in the generator that produces it.
{{if drop_invalid_and_log}}
# drop packets that do not match any valid state and log them
{{$create_drop_invalid_chain}}
{{$begin_rule}} OUTPUT -m state --state INVALID -j drop_invalid {{$end_rule}}
{{$begin_rule}} INPUT -m state --state INVALID -j drop_invalid {{$end_rule}}
{{if ipforw}}
{{$begin_rule}} FORWARD -m state --state INVALID -j drop_invalid {{$end_rule}}
{{endif}}
{{if use_ulog}}
{{$begin_rule}} drop_invalid -j ULOG {{if use_nlgroup}}--ulog-nlgroup {{$nlgroup}}{{endif}} {{if use_cprange}}--ulog-cprange {{$cprange}}{{endif}} {{if use_qthreshold}}--ulog-qthreshold {{$qthreshold}}{{endif}} --ulog-prefix {{$invalid_match_log_prefix}}{{$end_rule}}
{{endif}}
{{if not_use_ulog}}
{{$begin_rule}} drop_invalid -j LOG --log-level debug --log-prefix {{$invalid_match_log_prefix}}{{$end_rule}}
{{endif}}
## Final rule of the chain: drop after logging.
{{$begin_rule}} drop_invalid -j DROP {{$end_rule}}
{{endif}}