Bugzilla – Attachment 65523 Details for Bug 146338: yast2-modem breaks SuSE firewall2
Configuration file /etc/sysconfig/SuSEfirewall2 after running kppp
Attachment: SuSEfirewall2 (text/plain), 24.60 KB, created by Hartmut Buhrmester on 2006-01-27 20:50:26 UTC

## Type: string
#
# 3.)
# Which are the interfaces that point to the internal network?
#
# Enter all trusted network interfaces here. If you are not
# connected to a trusted network (e.g. you have just a dialup) leave
# this empty.
#
# Format: space separated list of interface or configuration names
#
# Examples: "eth-id-00:e0:4c:9f:61:9a", "tr0", "eth0 eth1"
#
FW_DEV_INT="eth-id-00:50:ba:34:8b:cf"

## Type: string
#
# 4.)
# Which are the interfaces that point to the dmz or dialup network?
#
# Enter all the network devices here which point to the dmz/dialups.
# A "dmz" is a special, separated network, which is only connected
# to the firewall, and should be reachable from the internet to
# provide services, e.g. WWW, Mail, etc. and hence is at risk from
# attacks. See /usr/share/doc/packages/SuSEfirewall2/EXAMPLES for an
# example.
#
# Note: You have to configure FW_FORWARD to define the services
# which should be available to the internet and set FW_ROUTE to yes.
#
# Format: space separated list of interface or configuration names
#
# Examples: "eth-id-00:e0:4c:9f:61:9a", "tr0", "eth0 eth1"
#
FW_DEV_DMZ=""

## Type: yesno
## Default: no
#
# 5.)
# Should routing between the internet, dmz and internal network be
# activated?
#
# Set this to "yes" if you either want to masquerade internal
# machines or allow access to the dmz (or internal machines, but
# this is not a good idea).
#
# This option overrides IP_FORWARD from
# /etc/sysconfig/network/options
#
# Setting this option one alone doesn't do anything. Either activate
# masquerading with FW_MASQUERADE below if you want to masquerade
# your internal network to the internet, or configure FW_FORWARD to
# define what is allowed to be forwarded. You also need to define
# internal or dmz interfaces in FW_DEV_INT or FW_DEV_DMZ.
#
# defaults to "no" if not set
#
FW_ROUTE="yes"

## Type: yesno
## Default: no
#
# 6.)
# Do you want to masquerade internal networks to the outside?
#
# Requires: FW_DEV_INT or FW_DEV_DMZ, FW_ROUTE, FW_MASQ_DEV
#
# "Masquerading" means that all your internal machines which use
# services on the internet seem to come from your firewall. Please
# note that it is more secure to communicate via proxies to the
# internet than to use masquerading.
#
# This option is required for FW_MASQ_NETS and FW_FORWARD_MASQ.
#
# defaults to "no" if not set
#
FW_MASQUERADE="yes"

## Type: string
## Default: $FW_DEV_EXT
#
# 6a.)
# You must also define on which interfaces to masquerade on. Those
# are usually the same as the external interfaces. Most users can
# leave the default.
#
# Examples: "ippp0", "$FW_DEV_EXT"
#
FW_MASQ_DEV="$FW_DEV_EXT"

## Type: string
## Default: 0/0
#
# Which internal computers/networks are allowed to access the
# internet via masquerading (not via proxies on the firewall)?
#
# Format: space separated list of
# <source network>[,<destination network>,<protocol>[,port[:port]]]
#
# If the protocol is icmp then port is interpreted as icmp type
#
# Examples: - "0/0" unrestricted access to the internet
#           - "10.0.0.0/8" allows the whole 10.0.0.0 network with
#             unrestricted access.
#           - "10.0.1.0/24,0/0,tcp,80 10.0.1.0/24,0/0,tcp,21" allows
#             the 10.0.1.0 network to use www/ftp to the internet.
#           - "10.0.1.0/24,0/0,tcp,1024:65535 10.0.2.0/24" the
#             10.0.1.0/24 network is allowed to access unprivileged
#             ports whereas 10.0.2.0/24 is granted unrestricted
#             access.
#
FW_MASQ_NETS="0/0"

## Type: yesno
## Default: no
#
# 7.)
# Do you want to protect the firewall from the internal network?
# Requires: FW_DEV_INT
#
# If you set this to "yes", internal machines may only access
# services on the firewall you explicitly allow. If you set this to
# "no", any internal user can connect (and attack) any service on
# the firewall.
#
# defaults to "yes" if not set
#
FW_PROTECT_FROM_INT="no"

## Type: string
#
# 9.)
# Which TCP services _on the firewall_ should be accessible from
# untrusted networks?
#
# Enter all ports or known portnames below, separated by a space.
# TCP services (e.g. SMTP, WWW) must be set in FW_SERVICES_*_TCP, and
# UDP services (e.g. syslog) must be set in FW_SERVICES_*_UDP.
# e.g. if a webserver on the firewall should be accessible from the internet:
# FW_SERVICES_EXT_TCP="www"
# e.g. if the firewall should receive syslog messages from the dmz:
# FW_SERVICES_DMZ_UDP="syslog"
# For IP protocols (like GRE for PPTP, or OSPF for routing) you need to set
# FW_SERVICES_*_IP with the protocol name or number (see /etc/protocols)
#
# Format: space separated list of ports, port ranges or well known
# service names (see /etc/services)
#
# Examples: "ssh", "123 514", "3200:3299", "ftp 22 telnet 512:514"
#
FW_SERVICES_EXT_TCP=""

## Type: string
#
# Which UDP services _on the firewall_ should be accessible from
# untrusted networks?
#
# see comments for FW_SERVICES_EXT_TCP
#
# Example: "53"
#
FW_SERVICES_EXT_UDP=""

## Type: string
#
# Which IP protocols _on the firewall_ should be accessible from
# untrusted networks?
#
# Usually for VPN/Routing which END at the firewall
#
# Example: "esp"
#
FW_SERVICES_EXT_IP=""

## Type: string
#
# Which RPC services _on the firewall_ should be accessible from
# untrusted networks?
#
# Port numbers of RPC services are dynamically assigned by the
# portmapper. Therefore "rpcinfo -p localhost" has to be used to
# automatically determine the currently assigned port for the
# services specified here.
#
# USE WITH CAUTION!
# regular users can register rpc services and therefore may be able
# to have SuSEfirewall2 open arbitrary ports
#
# Example: "mountd nfs"
FW_SERVICES_EXT_RPC=""

## Type: string
#
# see comments for FW_SERVICES_EXT_TCP
FW_SERVICES_DMZ_TCP=""

## Type: string
#
# see comments for FW_SERVICES_EXT_UDP
FW_SERVICES_DMZ_UDP=""

## Type: string
#
# see comments for FW_SERVICES_EXT_IP
FW_SERVICES_DMZ_IP=""

## Type: string
#
# see comments for FW_SERVICES_EXT_RPC
FW_SERVICES_DMZ_RPC=""

## Type: string
#
# see comments for FW_SERVICES_EXT_TCP
FW_SERVICES_INT_TCP=""

## Type: string
#
# see comments for FW_SERVICES_EXT_UDP
FW_SERVICES_INT_UDP=""

## Type: string
#
# see comments for FW_SERVICES_EXT_IP
FW_SERVICES_INT_IP=""

## Type: string
#
# see comments for FW_SERVICES_EXT_RPC
FW_SERVICES_INT_RPC=""

## Type: string
#
# Packets to silently drop without log message
#
# Format: space separated list of net,protocol[,port][,sport]
# Example: "0/0,tcp,445 0/0,udp,4662"
#
# The special value _rpc_ is recognized as protocol and means that dport is
# interpreted as rpc service name. See FW_SERVICES_EXT_RPC for
# details.
#
FW_SERVICES_DROP_EXT=""

## Type: string
## Default: 0/0,tcp,113
#
# Packets to silently reject without log message. Common usage is
# TCP port 113 which if dropped would cause long timeouts when
# sending mail or connecting to IRC servers.
#
# Format: space separated list of net,protocol[,dport][,sport]
# Example: "0/0,tcp,113"
#
# The special value _rpc_ is recognized as protocol and means that dport is
# interpreted as rpc service name. See FW_SERVICES_EXT_RPC for
# details.
#
FW_SERVICES_REJECT_EXT="0/0,tcp,113"

## Type: string
## Default: 0/0,tcp,113
#
# Services to allow. This is a more generic form of FW_SERVICES_{IP,UDP,TCP}
# and more specific than FW_TRUSTED_NETS
#
# Format: space separated list of net,protocol[,dport][,sport]
# Example: "0/0,tcp,22"
#
# The special value _rpc_ is recognized as protocol and means that dport is
# interpreted as rpc service name. See FW_SERVICES_EXT_RPC for
# details.
#
FW_SERVICES_ACCEPT_EXT=""

## Type: string
#
# 10.)
# Which services should be accessible from 'trusted' hosts or nets?
#
# Define trusted hosts or networks (doesn't matter whether they are internal or
# external) and the services (tcp,udp,icmp) they are allowed to use. This can
# be used instead of FW_SERVICES_* for further access restriction. Please note
# that this is no replacement for authentication since IP addresses can be
# spoofed. Also note that trusted hosts/nets are not allowed to ping the
# firewall until you also permit icmp.
#
# Format: space separated list of network[,protocol[,port]]
# in case of icmp, port means the icmp type
#
# Example: "172.20.1.1 172.20.0.0/16 1.1.1.1,icmp 2.2.2.2,tcp,22"
#
FW_TRUSTED_NETS=""

## Type: string
## Default:
#
# 11.)
# Specify which ports are allowed to access unprivileged ports (>1023)
#
# Format: yes, no or space separated list of ports
#
# You may either allow everyone from anyport access to your highports ("yes"),
# disallow anyone ("no"), anyone who comes from a defined port (portnumber or
# known portname). Note that this is easy to circumvent! The best choice is to
# keep this option unset or set to 'no'
#
# defaults to "no" if not set (good choice)
#
# Note: Use of this variable is deprecated and it will likely be
# removed in the future. If you think it should be kept please
# report your use case at
# http://forge.novell.com/modules/xfmod/project/?susefirewall2
#
FW_ALLOW_INCOMING_HIGHPORTS_TCP=""

## Type: string
## Default:
#
# See FW_ALLOW_INCOMING_HIGHPORTS_TCP
#
# defaults to "no" if not set (good choice)
#
# Note: Use of this variable is deprecated and it will likely be
# removed in the future. If you think it should be kept please
# report your use case at
# http://forge.novell.com/modules/xfmod/project/?susefirewall2
#
FW_ALLOW_INCOMING_HIGHPORTS_UDP=""

## Type: string
#
# 13.)
# Which services or networks are allowed to be routed through the
# firewall, no matter which zone they are in?
# Requires: FW_ROUTE
#
# With this option you may allow access to e.g. your mailserver. The
# machines must have valid, non-private, IP addresses which were
# assigned to you by your ISP. This opens a direct link to the
# specified network, so please think twice before using this option!
#
# Format: space separated list of
# <source network>,<destination network>[,protocol[,port[,flags]]]
#
# If the protocol is icmp then port is interpreted as icmp type
#
# The only flag currently supported is 'ipsec' which means to only
# match packets that originate from an IPsec tunnel
#
# Examples: - "1.1.1.1,2.2.2.2" allow the host 1.1.1.1 to access any
#             service on the host 2.2.2.2
#           - "3.3.3.3/16,4.4.4.4/24" allow the network 3.3.3.3/16
#             to access any service in the network 4.4.4.4/24
#           - "5.5.5.5,6.6.6.6,igmp" allow routing of IGMP messages
#             from 5.5.5.5 to 6.6.6.6
#           - "0/0,0/0,udp,514" always permit udp port 514 to pass
#             the firewall
#           - "192.168.1.0/24,10.10.0.0/16,,,ipsec \
#              10.10.0.0/16,192.168.1.0/24,,,ipsec" permit traffic
#             from 192.168.1.0/24 to 10.10.0.0/16 and vice versa
#             provided that both networks are connected via an
#             IPsec tunnel.
FW_FORWARD=""

## Type: string
#
# 14.)
# Which services accessed from the internet should be allowed to masqueraded
# servers (on the internal network or dmz)?
# Requires: FW_ROUTE
#
# With this option you may allow access to e.g. your mailserver. The
# machines must be in a masqueraded segment and may not have public
# IP addresses! Hint: if FW_MASQ_DEV is set to the external interface
# you have to set FW_FORWARD from internal to DMZ for the service as
# well to allow access from internal!
#
# Please note that this should *not* be used for security reasons!
# You are opening a hole to your precious internal network. If e.g.
# the webserver there is compromised - your full internal network is
# compromised!
#
# Format: space separated list of
# <source network>,<ip to forward to>,<protocol>,<port>[,redirect port,[destination ip]]
#
# Protocol must be either tcp or udp
#
# Examples: - "4.0.0.0/8,10.0.0.10,tcp,80" forward all tcp request on
#             port 80 coming from the 4.0.0.0/8 network to the
#             internal server 10.10.0.10
#           - "4.0.0.0/8,10.0.0.10,tcp,80,81" forward all tcp request on
#             port 80 coming from the 4.0.0.0/8 network to the
#             internal server 10.10.0.10 on port 81
#           - "200.200.200.0/24,10.0.0.10,tcp,80,81,202.202.202.202"
#             the network 200.200.200.0/24 trying to access the
#             address 202.202.202.202 on port 80 will be forwarded
#             to the internal server 10.0.0.10 on port 81
#
# Note: due to inconsistent iptables behaviour only port numbers are possible but
# no service names (https://bugzilla.netfilter.org/bugzilla/show_bug.cgi?id=273)
#
FW_FORWARD_MASQ=""

## Type: string
#
# 15.)
# Which accesses to services should be redirected to a local port on
# the firewall machine?
#
# This option can be used to force all internal users to surf via
# your squid proxy, or transparently redirect incoming webtraffic to
# a secure webserver.
#
# Format: list of <source network>[,<destination network>,<protocol>[,dport[:lport]]]
# Where protocol is either tcp or udp. dport is the original
# destination port and lport the port on the local machine to
# redirect the traffic to
#
# An exclamation mark in front of source or destination network
# means everything EXCEPT the specified network
#
# Example: "10.0.0.0/8,0/0,tcp,80,3128 0/0,172.20.1.1,tcp,80,8080"
#
# Note: contrary to previous SuSEfirewall2 versions it is no longer necessary
# to additionally open the local port
FW_REDIRECT=""

## Type: yesno
## Default: yes
#
# 16.)
# Which kind of packets should be logged?
#
# When set to "yes", packets that got dropped and are considered
# 'critical' will be logged. Such packets include for example
# spoofed packets, tcp connection requests and certain icmp types.
#
# defaults to "yes" if not set
#
FW_LOG_DROP_CRIT="yes"

## Type: yesno
## Default: no
#
# whether all dropped packets should be logged
#
# Note: for broadcasts to be logged you also need to set
# FW_IGNORE_FW_BROADCAST_* to 'no'
#
# defaults to "no" if not set
#
FW_LOG_DROP_ALL="yes"

## Type: yesno
## Default: yes
#
# When set to "yes", packets that got accepted and are considered
# 'critical' will be logged. Such packets include for example tcp
# connection requests, rpc connection requests, access to high
# udp/tcp port and forwarded packets.
#
# defaults to "yes" if not set
#
FW_LOG_ACCEPT_CRIT="yes"

## Type: yesno
## Default: no
#
# whether all accepted packets should be logged
#
# Note: setting this to 'yes' causes _LOTS_ of log entries and may
# fill your disk quickly. It also disables FW_LOG_LIMIT
#
# defaults to "no" if not set
#
FW_LOG_ACCEPT_ALL="yes"

## Type: string
#
# How many packets per time unit get logged for each logging rule.
# When empty a default of 3/minute is used to prevent port scans
# flooding your log files. For desktop usage it's a good idea to
# have the limit, if you are using logfile analysis tools however
# you might want to disable it.
#
# Set to 'no' to disable the rate limit. Setting FW_LOG_ACCEPT_ALL
# to 'yes' disables this option as well.
#
# Format: a digit and suffix /second, /minute, /hour or /day
FW_LOG_LIMIT=""

## Type: string
#
# iptables logging option. Must end with --log-prefix and some prefix
# characters
#
# only change this if you know what you are doing!
FW_LOG=""

## Type: yesno
## Default: yes
#
# 17.)
# Do you want to enable additional kernel TCP/IP security features?
# If set to yes, some obscure kernel options are set.
# (icmp_ignore_bogus_error_responses, icmp_echoreply_rate,
# icmp_destunreach_rate, icmp_paramprob_rate, icmp_timeexeed_rate,
# ip_local_port_range, log_martians, mc_forwarding, mc_forwarding,
# rp_filter, routing flush)
# Tip: Set this to "no" until you have verified that you have got a
# configuration which works for you. Then set this to "yes" and keep it
# if everything still works. (It should!) ;-)
#
# Choice: "yes" or "no", if not set defaults to "yes"
#
FW_KERNEL_SECURITY="yes"

## Type: yesno
## Default: no
#
# 18.)
# Keep the routing set on, if the firewall rules are unloaded?
# REQUIRES: FW_ROUTE
#
# Choices "yes" or "no", if not set defaults to "no"
#
FW_STOP_KEEP_ROUTING_STATE="no"

## Type: yesno
## Default: yes
#
# 19.)
# Allow the firewall to reply to icmp echo requests
#
# defaults to "no" if not set
#
FW_ALLOW_PING_FW="no"

## Type: yesno
## Default: no
#
# 19a.)
# Allow hosts in the dmz to be pinged by internal and external hosts
# REQUIRES: FW_ROUTE
#
# defaults to "no" if not set
#
FW_ALLOW_PING_DMZ="no"

## Type: yesno
## Default: no
#
# 19b.)
# Allow external hosts to be pinged from internal or dmz hosts
# REQUIRES: FW_ROUTE
#
# defaults to "no" if not set
#
FW_ALLOW_PING_EXT="no"

##
# END of /etc/sysconfig/SuSEfirewall2
##

#                                                                         #
#-------------------------------------------------------------------------#
#                                                                         #
# EXPERT OPTIONS - all others please don't change these!                  #
#                                                                         #
#-------------------------------------------------------------------------#
#                                                                         #

## Type: yesno
## Default: yes
#
# 21.)
# Allow ICMP sourcequench from your ISP?
#
# If set to yes, the firewall will notice when connection is choking, however
# this opens yourself to a denial of service attack. Choose your poison.
#
# Defaults to "yes" if not set
#
FW_ALLOW_FW_SOURCEQUENCH=""

## Type: string(yes,no)
#
# 22.)
# Allow IP Broadcasts?
#
# Whether the firewall allows broadcasts packets.
# Broadcasts are used for e.g. for Netbios/Samba, RIP, OSPF and Games.
#
# If you want to drop broadcasts however ignore the annoying log entries, set
# FW_IGNORE_FW_BROADCAST_* to yes.
#
# Note that if you allow specific ports here it just means that broadcast
# packets for that port are not dropped. You still need to set
# FW_SERVICES_*_UDP to actually allow regular unicast packets to
# reach the applications.
#
# Format: either
#         - "yes" or "no"
#         - list of udp destination ports
#
# Examples: - "631 137" allow broadcast packets on port 631 and 137
#             to enter the machine but drop any other broadcasts
#           - "yes" do not install any extra drop rules for
#             broadcast packets. They'll be treated just as unicast
#             packets in this case.
#           - "no" drop all broadcast packets before other filtering
#             rules
#
# defaults to "no" if not set
#
FW_ALLOW_FW_BROADCAST_EXT=""

## Type: string
#
# see comments for FW_ALLOW_FW_BROADCAST_EXT
FW_ALLOW_FW_BROADCAST_INT=""

## Type: string
#
# see comments for FW_ALLOW_FW_BROADCAST_EXT
FW_ALLOW_FW_BROADCAST_DMZ=""

## Type: string(yes,no)
#
# Suppress logging of dropped broadcast packets. Useful if you don't allow
# broadcasts on a LAN interface.
#
# This setting only affects packets that are not allowed according
# to FW_ALLOW_FW_BROADCAST_*
#
# Format: either
#         - "yes" or "no"
#         - list of udp destination ports
#
# Examples: - "631 137" silently drop broadcast packets on port 631 and 137
#           - "yes" do not log dropped broadcast packets
#           - "no" log all dropped broadcast packets
#
#
# defaults to "no" if not set
FW_IGNORE_FW_BROADCAST_EXT="yes"

## Type: string
#
# see comments for FW_IGNORE_FW_BROADCAST_EXT
FW_IGNORE_FW_BROADCAST_INT="no"

## Type: string
#
# see comments for FW_IGNORE_FW_BROADCAST_EXT
FW_IGNORE_FW_BROADCAST_DMZ="no"

## Type: yesno
## Default: no
#
# 23.)
# Allow same class routing per default?
# REQUIRES: FW_ROUTE
#
# Do you want to allow routing between interfaces of the same class
# (e.g. between all internet interfaces, or all internal network interfaces)
# by default (so without the need setting up FW_FORWARD definitions)?
#
# Choice: "yes" or "no", if not set defaults to "no"
#
# Defaults to "no" if not set
#
FW_ALLOW_CLASS_ROUTING=""

## Type: string
#
# 25.)
# Do you want to load customary rules from a file?
#
# This is really an expert option. NO HELP WILL BE GIVEN FOR THIS!
# READ THE EXAMPLE CUSTOMARY FILE AT /etc/sysconfig/scripts/SuSEfirewall2-custom
#
#FW_CUSTOMRULES="/etc/sysconfig/scripts/SuSEfirewall2-custom"
FW_CUSTOMRULES=""

## Type: yesno
## Default: no
#
# 26.)
# Do you want to REJECT packets instead of DROPing?
#
# DROPing (which is the default) will make portscans and attacks much
# slower, as no replies to the packets will be sent. REJECTing means, that
# for every illegal packet, a connection reject packet is sent to the
# sender.
#
# Choice: "yes" or "no", if not set defaults to "no"
#
# Defaults to "no" if not set
#
FW_REJECT=""

## Type: string
#
# 27.)
# Tuning your upstream a little bit via HTB (Hierarchical Token Bucket)
# for more information about HTB see http://www.lartc.org
#
# If your download collapses while you have a parallel upload,
# this parameter might be an option for you. It manages your
# upload stream and reserves bandwidth for special packets like
# TCP ACK packets or interactive SSH.
# It's a list of devices and maximum bandwidth in kbit.
# For example, the german TDSL account, provides 128kbit/s upstream
# and 768kbit/s downstream. We can only tune the upstream.
#
# Example:
# If you want to tune a 128kbit/s upstream DSL device like german TDSL set
# the following values:
# FW_HTB_TUNE_DEV="dsl0,125"
# where dsl0 is your pppoe device and 125 stands for 125kbit/s upstream
#
# you might wonder why 125kbit/s and not 128kbit/s. Well practically you'll
# get a better performance if you keep the value a few percent under your
# real maximum upload bandwidth, to prevent the DSL modem from queuing traffic in
# its own buffers because queuing is done by us now.
# So for a 256kbit upstream
# FW_HTB_TUNE_DEV="dsl0,250"
# might be a better value than "dsl0,256". There is no perfect value for a
# special kind of modem. The perfect value depends on what kind of traffic you
# have on your line but 5% under your maximum upstream might be a good start.
# Everything else is special fine tuning.
# If you want to know more about the technical background,
# http://tldp.org/HOWTO/ADSL-Bandwidth-Management-HOWTO/
# is a good start
#
FW_HTB_TUNE_DEV=""

## Type: list(no,drop,reject)
## Default: drop
#
# 28.)
# What to do with IPv6 Packets?
#
# On older kernels ip6tables was not stateful so it's not possible to implement
# the same features as for IPv4 on such machines. For these there are three
# choices:
#
# - no: do not set any IPv6 rules at all. Your Host will allow any IPv6
#   traffic unless you setup your own rules.
#
# - drop: drop all IPv6 packets. This is the default if stateful matching is
#   not available.
#
# - reject: reject all IPv6 packets
#
# Disallowing IPv6 packets may lead to long timeouts when connecting to IPv6
# Addresses. See FW_IPv6_REJECT_OUTGOING to avoid this.
#
# Leave empty to automatically detect whether your kernel supports stateful matching.
#
FW_IPv6=""

## Type: yesno
## Default: yes
#
# 28a.)
# Reject outgoing IPv6 Packets?
#
# Set to yes to avoid timeouts because of dropped IPv6 Packets. This Option
# does only make sense with FW_IPv6 != no
#
# Defaults to "yes" if not set
#
FW_IPv6_REJECT_OUTGOING=""

## Type: list(yes,no,int,ext,dmz)
## Default: no
#
# 29.)
# Trust level of IPsec packets.
#
# You do not need to change this if you do not intend to run
# services that should only be available through an IPsec tunnel.
#
# The value specifies how much IPsec packets are trusted. 'int', 'ext' or 'dmz'
# are the respective zones. 'yes' is the same as 'int'. 'no' means that IPsec
# packets belong to the same zone as the interface they arrive on.
#
# Note: you still need to explicitly allow IPsec traffic.
# Example:
# FW_IPSEC_TRUST="int"
# FW_SERVICES_EXT_IP="esp"
# FW_SERVICES_EXT_UDP="isakmp"
# FW_PROTECT_FROM_INT="no"
#
# Defaults to "no" if not set
#
FW_IPSEC_TRUST="no"

## Type: string
## Default:
#
# 30.)
# Define additional firewall zones
#
# The built-in zones INT, EXT and DMZ must not be listed here. Names
# of additional zones must only contain lowercase ascii characters.
# To define rules for the additional zone, take the appropriate
# variable for a built-in zone and substitute INT/EXT/DMZ with the
# name of the additional zone.
#
# Example:
# FW_ZONES="wlan"
#
FW_ZONES=""

## Type: list(yes,no,auto,)
## Default:
#
# 31.)
# Whether to use iptables-batch
#
# iptables-batch commits all rules in an almost atomic way similar
# to iptables-restore. This avoids excessive iptables calls and race
# conditions.
#
# Choice:
# - yes: use iptables-batch if available and warn if it isn't
# - no: don't use iptables-batch
# - auto: use iptables-batch if available, silently fall back to
#   iptables if it isn't
#
# Defaults to "auto" if not set
#
FW_USE_IPTABLES_BATCH=""

## Type: string
## Default:
#
# 32.)
# Which additional kernel modules to load at startup
#
# Example:
# FW_LOAD_MODULES="ip_conntrack_ftp ip_nat_ftp"
#
FW_LOAD_MODULES=""
FW_DEV_EXT="modem0 ppp0"
# FW_DEV_wlan="wlan0"
# FW_SERVICES_wlan_TCP="80"
# FW_ALLOW_FW_BROADCAST_wlan="yes"
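The file above is sourced by the shell when the firewall starts, so the FW_DEV_EXT line appended after FW_LOAD_MODULES silently replaces whatever FW_DEV_EXT said earlier, and FW_MASQ_DEV="$FW_DEV_EXT" follows it. The audit helper below is an added example, not part of this bug report or of SuSEfirewall2: it parses such a file with last-assignment-wins semantics, reports names assigned more than once, resolves $VAR references, and parses FW_MASQ_NETS entries in the format the file documents. The sample text and its first FW_DEV_EXT value are constructed.

```python
"""Audit helper for /etc/sysconfig/SuSEfirewall2-style files (added example)."""
import re
from ipaddress import ip_network

# NAME="value", NAME='value' or NAME=value; lines starting with '#' never match.
ASSIGN_RE = re.compile(r'^\s*([A-Za-z_]\w*)=(?:"([^"]*)"|\'([^\']*)\'|([^\s#]*))')

# Constructed sample mirroring the attachment: FW_DEV_EXT is set once near the
# top (value made up here) and a second time at the very end, as kppp left it.
SAMPLE = """\
FW_DEV_EXT="eth-id-00:e0:4c:9f:61:9a"
FW_DEV_INT="eth-id-00:50:ba:34:8b:cf"
FW_ROUTE="yes"
FW_MASQUERADE="yes"
FW_MASQ_DEV="$FW_DEV_EXT"
FW_MASQ_NETS="10.0.1.0/24,0/0,tcp,1024:65535 10.0.2.0/24"
FW_PROTECT_FROM_INT="no"
FW_LOG_ACCEPT_ALL="yes"
FW_LOAD_MODULES=""
FW_DEV_EXT="modem0 ppp0"
# FW_DEV_wlan="wlan0"
"""


def parse_sysconfig(text):
    """Return (values, duplicates): values is what a shell sees after sourcing
    the file (last assignment wins); duplicates maps every name assigned more
    than once to its [(line_number, value), ...] history."""
    seen = {}
    for lineno, line in enumerate(text.splitlines(), 1):
        m = ASSIGN_RE.match(line)
        if not m:
            continue  # blank line or comment
        value = next(g for g in m.groups()[1:] if g is not None)
        seen.setdefault(m.group(1), []).append((lineno, value))
    values = {n: hist[-1][1] for n, hist in seen.items()}
    duplicates = {n: hist for n, hist in seen.items() if len(hist) > 1}
    return values, duplicates


def expand(values):
    """Resolve $NAME references (e.g. FW_MASQ_DEV="$FW_DEV_EXT") like the shell."""
    return {n: re.sub(r"\$(\w+)", lambda m: values.get(m.group(1), ""), v)
            for n, v in values.items()}


def to_network(spec):
    """SuSEfirewall2 accepts abbreviated networks such as "0/0" or "10/8";
    pad to four octets so ipaddress accepts them (host bits are masked off)."""
    addr, _, prefix = spec.partition("/")
    octets = addr.split(".") + ["0"] * (4 - len(addr.split(".")))
    return ip_network(".".join(octets) + (f"/{prefix}" if prefix else ""), strict=False)


def parse_masq_nets(value):
    """Parse FW_MASQ_NETS: <source network>[,<destination network>,<protocol>[,port[:port]]]"""
    rules = []
    for item in value.split():
        fields = item.split(",")
        rule = {"src": to_network(fields[0]), "dst": None, "proto": None, "ports": None}
        if len(fields) >= 3:
            rule["dst"], rule["proto"] = to_network(fields[1]), fields[2]
        if len(fields) >= 4:
            lo, _, hi = fields[3].partition(":")
            rule["ports"] = (int(lo), int(hi) if hi else int(lo))
        rules.append(rule)
    return rules


def audit(text):
    """Findings a reviewer would want: duplicate assignments plus the two
    settings whose risk the file's own comments spell out."""
    values, dups = parse_sysconfig(text)
    findings = [f"{n} assigned more than once ({', '.join(f'line {ln}: {v!r}' for ln, v in h)}); "
                "the last one wins" for n, h in dups.items()]
    if values.get("FW_LOG_ACCEPT_ALL") == "yes":
        findings.append("FW_LOG_ACCEPT_ALL=yes floods the log and disables FW_LOG_LIMIT")
    if values.get("FW_PROTECT_FROM_INT", "yes") == "no" and values.get("FW_DEV_INT"):
        findings.append("FW_PROTECT_FROM_INT=no: internal hosts may reach any service on the firewall")
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print(finding)
```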