/etc/fiaif/zone.dmz is in fiaif 1.23.1-4.

This file is owned by root:root, with mode 0o644.

##############################################################################
## Example zone configuration file for the DMZ zone.
## Read all configuration parameters and modify them to suit your needs.
##############################################################################

## The DMZ (DeMilitarized Zone) is the most restricted network, since it
## exposes services that are only partly secured to the Internet.
## No connections are allowed in either direction between the firewall host
## and this zone (see the INPUT/OUTPUT rules below, which reject everything).
## The idea is that if an attacker gains access to a machine in the DMZ,
## this does not endanger any other zone; the only host left adjacent to the
## compromised machine is the firewall itself, and it accepts nothing from
## this zone.
## To administer the machines within the zone, 'ssh' is allowed from the
## Internal zone (see FORWARD[1] below).
## The zone is not activated in the default fiaif.conf. To activate it, add
## DMZ to the ZONES variable there.

## Name of the zone. Must match the name used in the ZONES variable in
## fiaif.conf; other zone files refer to this zone by this name, in the same
## way that "INT" in FORWARD[1] below refers to the internal zone.
NAME=DMZ
## Network interface this zone is attached to.
DEV=eth2

## DYNAMIC:     Set to '1' if the IP can change during operation or
##              if the IP address is unknown when fiaif is started.
## GLOBAL:      Set to '1' if this zone connects you to the Internet
##              (public addresses). Set to '0' for private networks.
## NOTE: with GLOBAL=1 a catch-all SNAT rule would NAT traffic from *all*
## zones -- see the warning above SNAT[0] further down before adding one.
DYNAMIC=0
GLOBAL=1

## Network information. Only necessary if DYNAMIC=0.
## The "xxx" octets are placeholders: replace IP, NET and BCAST with the real
## addresses of this interface before activating the zone, otherwise the
## rules below are generated for a non-existent network.
## NET is the network this interface is on, written as address/netmask.
IP=80.203.xxx.xxx
MASK=255.255.255.0
NET=80.203.xxx.xxx/255.255.255.0
BCAST=80.203.xxx.xxx

## IP_EXTRA specifies that the interface has multiple IP addresses;
## all of the interface's extra IPs should be listed here.
IP_EXTRA=""
## Specifies extra networks in this zone (besides NET).
NET_EXTRA=""

## Specify if the zone should respond to DHCP queries.
## This is useful if a DHCP server is running on the firewall.
## Remember to set this only in the zone for which the DHCP server is running.
## Left at 0 here: the firewall is not supposed to talk to this zone at all
## (see the zone description at the top of this file).
DHCP_SERVER=0

## Packets coming IN on the interface specified in DEV, from this zone's
## network, towards the firewall host itself: what to accept, reject or drop.
## Use: INPUT[N]="<ACCEPT|REJECT|DROP> <protocol [port[:port][<,port>[:port]]*]> <ip[/mask]=>ip[/mask]>"
## Nothing from the DMZ may reach the firewall (see the zone description at
## the top of this file). REJECT sends an error back (ICMP unreachable or a
## TCP reset, cf. the REPLY_ types below) instead of staying silent, which
## confirms to a scanner on a compromised DMZ host that a filtering host is
## present. If you would rather have the firewall invisible from this zone,
## use DROP here; the trade-off is that DMZ hosts then wait for a timeout
## instead of failing fast.
INPUT[0]="REJECT ALL 0.0.0.0/0=>0.0.0.0/0"

## Packets going OUT of the firewall host through the interface specified in
## DEV, into this zone's network: what to accept, reject or drop.
## Use: OUTPUT[N]="<ACCEPT|REJECT|DROP> <protocol [port[:port][<,port>[:port]]*]> <ip[/mask]=>ip[/mask]>"
## Mirrors INPUT: the firewall does not initiate anything towards the DMZ.
OUTPUT[0]="REJECT ALL 0.0.0.0/0=>0.0.0.0/0"

## Forward rules. Specify where packets entering this zone may originate from.
## These cover traffic routed *through* the firewall into the DMZ; traffic to
## and from the firewall host itself is governed by INPUT/OUTPUT above.
## Use: FORWARD[N]="<zone|ALL> <ACCEPT|REJECT|DROP> <protocol [port[:port][<,port>[:port]]*]> <ip[/mask]=>ip[/mask]>"
##
## Use this to protect this zone.
## Rules are read in the order they are written, so the catch-all DROP in
## FORWARD[2] must stay last; anything placed after it is never reached.
## Default is to only allow www and https, from every zone (ALL presumably
## includes the external zone, i.e. the Internet, as well as INT).
## Zone INT is additionally allowed to open ssh connections, for administration.
## All three rules use 0.0.0.0/0 on the destination side. To be stricter,
## narrow the destination of FORWARD[0] and FORWARD[1] to the DMZ network or
## to the individual servers that actually run those services, so that a
## rule for this zone cannot match more than this zone.
FORWARD[0]="ALL ACCEPT tcp www,https 0.0.0.0/0=>0.0.0.0/0"
FORWARD[1]="INT ACCEPT tcp ssh 0.0.0.0/0=>0.0.0.0/0"
FORWARD[2]="ALL DROP ALL 0.0.0.0/0=>0.0.0.0/0"

## Mark rules. Mark packets passing through the firewall.
## Use MARK[N]="<zone|ALL> <mark number> <protocol [port[:port][<,port>[:port]]*]> <ip[/mask]=>ip[/mask]>"
##
## Marked packets can be used to determine how a packet should be routed
## (policy routing). FIAIF itself does not use marking.
#MARK[0]="ALL 1 tcp ALL 0.0.0.0/0=>0.0.0.0/0"
#MARK[1]="ALL 2 udp ALL 0.0.0.0/0=>0.0.0.0/0"

## Make special replies to incoming packets, instead of the plain rejection
## the INPUT rule above would give.
## Use: REPLY_XXX="<zone> <type> <protocol [port[:port][<,port>[:port]]*]> <ip[/mask]=>ip[/mask]>"
## Where type can be one of the following:
##   icmp-net-unreachable, icmp-host-unreachable, icmp-port-unreachable,
##   icmp-proto-unreachable, icmp-net-prohibited, icmp-host-prohibited or
##   tcp-reset (only valid if the protocol is TCP)
## If the zone equals this zone, then the rules apply to packets
## originating from this network towards the firewall.
## auth (ident, tcp/113): answer with a TCP reset so that remote services which
## typically do an ident lookup (mail, IRC) get an immediate answer instead of
## hanging until a timeout.
REPLY_AUTH="DMZ tcp-reset tcp auth 0.0.0.0/0=>0.0.0.0/0"
## traceroute probes (udp 33434-33464): answer with port-unreachable, which is
## what an ordinary end host sends, so the firewall shows up as a normal hop
## rather than a black hole.
REPLY_TRACEROUTE="DMZ icmp-port-unreachable udp 33434:33464 0.0.0.0/0=>0.0.0.0/0"

## Alter the destination of packets.
## Use: REDIRECT_XXX="<protocol [port[:port]]> <ip[/mask]=>ip[/mask]> <[ipaddr[,ipaddr]*] [port]"
## The rule applies only to packets originating from this zone.
#REDIRECT_PROXY="tcp 80 0.0.0.0/0=>0.0.0.0/0 127.0.0.1 3128"

## Log all traffic for these IP addresses
## Use WATCH_IP="[IP[/MASK]]*|[FILE]"
#WATCH_IP="111.111.111.111/32 222.222.222.222/24"

## Strip ECN bits from all packets destined for specified IP-addresses
## in this zone
## Use: ECN_REMOVE="[IP[/MASK]]*|[FILE]"
#ECN_REMOVE="111.111.111.111/32 222.222.222.222/24"

## Disallow any communication with the specified MAC addresses in this zone.
## Use: MAC_DROP="[MAC address]*|[FILE]"
## Inserted on the PREROUTING chain.
#MAC_DROP="XX:XX:XX:XX:XX:XX YY:YY:YY:YY:YY:YY"

## Disallow any communication with the specified IP addresses in this zone.
## Use: IP_DROP="[IP[/MASK]]*|[FILE]"
#IP_DROP="111.111.111.111/32 222.222.222.222/24"

## Change the source address of packets coming from this zone.
## This is also called masquerading.
## Use: SNAT[N]="<ZONE> <protocol [port[:port][<,port>[:port]]*]> <ip[/mask]=>ip[/mask]>"
## Where: ZONE    :  Destination zone. The source of matched packets is
##                   changed to all ip numbers for the zone.
## Warning: enabling a default (0.0.0.0=>0.0.0.0) SNAT rule and having
## GLOBAL=1 or DYNAMIC=1 enables NAT for *all* zones since there is no way
## to know the networks for NAT beforehand. Be sure to restrict the
## FORWARD[x] rules in zone.ext to only forward traffic from this network.
#SNAT[0]="EXT ALL 0.0.0.0/0=>0.0.0.0/0"

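## Limit new packets (rate-limit new connections / first packets).
## Use: LIMIT_XXX="<zone> <policy> <limit> <burst> <protocol [port[<,port>*|<:port>]> <ip[/mask]=>ip[/mask]>"
## XXX is a free label that only has to be unique within this file; pick one
## that says what the rule actually matches.
## Where:
##   ZONE     : The zone from which the packet originates. This can be this zone itself.
##   POLICY   : What to do with the packet: ACCEPT|REJECT|DROP
##   LIMIT    : Maximum average matching rate, specified as a number with an
##              optional '/second', '/minute', '/hour' or '/day' suffix.
##   BURST    : Maximum initial number of packets to match; this number is
##              recharged by one every time the limit specified above is
##              not reached, up to this number.
##   PROTOCOL : The protocol: tcp|udp|icmp|all. This parameter is optional.
##   PORTS    : If protocol is tcp|udp: a list of ports or a port range.
##                             icmp   : a single icmp type.
##              This parameter is optional and may only be given if a
##              protocol is given.
##   IP/MASK  : If PORTS are specified, an optional source=>destination
##              IP/MASK pair.
##
## Rate-limit new www/https connections coming from the external zone, the
## usual setting for an Internet-facing web DMZ.
## This rule used to be labelled LIMIT_PING, which was misleading: it matches
## tcp www,https, not ICMP echo requests. The protocol is written in
## lowercase like the documented tcp|udp|icmp|all and the other rules above.
## NOTE(review): this file does not say whether POLICY applies to the packets
## *within* the rate or to those *exceeding* it -- check the fiaif
## documentation before relying on this as flood protection. If DROP applies
## to the excess, 5 new connections/second for the whole Internet is a very
## low ceiling for a public web server and is easy to trip by accident.
LIMIT_WWW="EXT DROP 5/second 10 tcp www,https 0.0.0.0/0=>0.0.0.0/0"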