forked from rfxn/advanced-policy-firewall
-
Notifications
You must be signed in to change notification settings - Fork 0
/
.ca.def
executable file
·573 lines (483 loc) · 24.9 KB
/
.ca.def
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
383
384
385
386
387
388
389
390
391
392
393
394
395
396
397
398
399
400
401
402
403
404
405
406
407
408
409
410
411
412
413
414
415
416
417
418
419
420
421
422
423
424
425
426
427
428
429
430
431
432
433
434
435
436
437
438
439
440
441
442
443
444
445
446
447
448
449
450
451
452
453
454
455
456
457
458
459
460
461
462
463
464
465
466
467
468
469
470
471
472
473
474
475
476
477
478
479
480
481
482
483
484
485
486
487
488
489
490
491
492
493
494
495
496
497
498
499
500
501
502
503
504
505
506
507
508
509
510
511
512
513
514
515
516
517
518
519
520
521
522
523
524
525
526
527
528
529
530
531
532
533
534
535
536
537
538
539
540
541
542
543
544
545
546
547
548
549
550
551
552
553
554
555
556
557
558
559
560
561
562
563
564
565
566
567
568
569
570
571
572
573
cat > .conf.apf <<EOF
#!/bin/sh
#
##
# Advanced Policy Firewall (APF) v1.7.5
# (C) 2002-2019, R-fx Networks <[email protected]>
# (C) 2019, Ryan MacDonald <[email protected]>
# This program may be freely redistributed under the terms of the GNU GPL v2
##
# NOTE: This file should be edited with word/line wrapping off,
# if your using pico/nano please start use the -w switch
# (e.g: nano -w filename)
##
# [Main]
##
# !!! Do not leave set to (1) !!!
# When set to enabled; 5 minute cronjob is set to stop the firewall. Set
# this off (0) when firewall is determined to be operating as desired.
DEVEL_MODE="1"
# The installation path of APF; this can be changed but it is not recommended.
INSTALL_PATH="$INSTALL_PATH"
# Untrusted Network interface; all traffic on defined interface will be
# subject to all firewall rules. This should be your internet exposed
# interface.
IFACE_UNTRUSTED="$IFACE_UNTRUSTED"
# Trusted Network interface(s); all traffic on defined interface(s) will by-pass
# ALL firewall rules, format is white space or comma separated list.
IFACE_TRUSTED="$IFACE_TRUSTED"
# This option enables IPv6 support for APF and loads all appropriate IPv6 kernel
# modules. This feature depends on IPv6 support being enabled in your networking
# configuration and that the modules are explicitly available. Please ensure that
# you do not have IPv6 disabled via modprobe.conf/.d or in sysconfig files.
# Note: The VNET (virtual network) feature does not currently support IPv6.
USE_IPV6="$USE_IPV6"
# This option will allow for all status events to be displayed in real time on
# the console as you use the firewall. Typically, APF used to operate silent
# with all logging piped to \$LOG_APF. The use of this option will not disable
# the standard log file displayed by apf --status but rather compliment it.
SET_VERBOSE="$SET_VERBOSE"
# The fast load feature makes use of the iptables-save/restore facilities to do
# a snapshot save of the current firewall rules on an APF stop then when APF is
# instructed to start again it will restore the snapshot. This feature allows
# APF to load hundreds of rules back into the firewall without the need to
# regenerate every firewall entry.
# Note: a) if system uptime is below 5 minutes, the snapshot is expired
# b) if snapshot age exceeds 12 hours, the snapshot is expired
# c) if conf or a .rule has changed since last load, snapshot is expired
# d) if it is your first run of APF since install, snapshot is generated
# - an expired snapshot means APF will do a full start rule-by-rule
SET_FASTLOAD="$SET_FASTLOAD"
# Virtual Network Sub-System (VNET) creates independent policy rule set for
# each IP on a system to /etc/apf/vnet/IP.rules. These rule files can be
# configured with conf.apf variables for unique but convenient firewall
# policies or custom iptables entries for even greater flexibility.
SET_VNET="$SET_VNET"
# This feature firewalls any additional interfaces on the server as untrusted
# through the VNET sub-system. Excluded are interfaces that have already been
# defined by IFACE_* variables. This feature is ideal for systems running
# private interfaces where not all hosts on the private network are trusted or
# are otherwise exposed to "open" networks through this private interface
# (i.e: the Internet, network accessible storage LAN, corporate WAN, etc..)
SET_ADDIFACE="$SET_ADDIFACE"
# This allows the firewall to work around modular kernel issues by assuming
# that the system has all required firewall modules compiled directly into
# kernel. This mode of operation is not generally recommended but can be used
# scale APF to unique situations.
SET_MONOKERN="$SET_MONOKERN"
# The expiry interval, in seconds, that bans will be expired out of the trust
# system. This only applies to local bans from deny_hosts.rules and not global
# import rules. The value must not be less than equiv. seconds of SET_REFRESH.
# [value in seconds, 0 to disable, recommended 600]
SET_EXPIRE="$SET_EXPIRE"
# This controls how often, if at all, we want the trust system to refresh rules.
# The firewall will flush & reload all static rules, redownload global rules and
# re-resolve any dns names in the rules. This is ideal when using dynamic dns
# names or downloadable global trust rules. [value in minutes, 0 to disable]
SET_REFRESH="$SET_REFRESH"
# The refreshing of large allow/deny trust files can be resource intensive, this
# feature checks for changes to trust files between refreshes and only performs
# a refresh if contents have changed. If you are using dynamic DNS names in trust
# rules, which require regular DNS refreshes, you should keep this disabled.
# [value in minutes, 0 to disable]
SET_REFRESH_MD5="$SET_REFRESH_MD5"
# This is the total amount of rules allowed inside of the deny trust system.
# When this limit is reached, the deny rule files will begin to purge older
# entries to maintain the set limit. [value is max lines, 0 for unlimited]
SET_TRIM="250"
# Verifies that the IFACE_* and IFACE_TRUSTED interfaces are actually routed
# to something. If configured interfaces are found with no routes setup then
# APF will exit with an error to prevent further issues (such as being locked
# out of the system).
VF_ROUTE="$VF_ROUTE"
# Verifies that all inbound traffic is sourced from a defined local gateway MAC
# address. All other traffic that does not match this MAC address will be
# rejected as untrusted traffic. It is quite easy to forge a MAC address and as
# such this feature executes NO default accept policy. Leave this option empty
# to disable or enter a 48-bit MAC address to enable.
VF_LGATE="$VF_LGATE"
##
# [Reactive Address Blocking]
##
# The use of RAB is such that it allows the firewall to track an address as it
# traverses the firewall rules and subsequently associate that address across
# any number of violations. This allows the firewall to react to critical
# policy violations by blocking addresses temporarily on the assumed precaution
# that we are protecting the host from what the address may do on the pretext
# of what the address has already done. The interface that allows RAB to work
# resides inside the kernel and makes use of the iptables 'ipt_recent' module,
# so there is no external programs causing any additional load.
RAB="$RAB"
# This enables RAB for sanity violations, which is when an address breaks a
# strict conformity standard such as trying to spoof an address or modify
# packet flags. It is strongly recommended that this option NOT be disabled.
RAB_SANITY="$RAB_SANITY"
# This enables RAB for port scan violations, which is when an address attempts
# to connect to a port that has been classified as malicious. These types of
# ports are those which are not commonly used in today's Internet but are
# the subject of scrutiny by attackers, such as ports 1,7,9,11. Each security
# level defines the amount of ports that RAB will react against. The port
# security groups can be customized in 'internals/rab.ports'.
# 0 = disabled | 1 = low security | 2 = medium security | 3 = high security
RAB_PSCAN_LEVEL="$RAB_PSCAN_LEVEL"
# This controls the amount of violation hits an address must have before it
# is blocked. It is a good idea to keep this very low to prevent evasive
# measures. The default is 0 or 1, meaning instant block on first violation.
RAB_HITCOUNT="$RAB_HITCOUNT"
# This is the amount of time (in seconds) that an address gets blocked for if
# a violation is triggered, the default is 300s (5 minutes).
RAB_TIMER="$RAB_TIMER"
# This allows RAB to 'trip' the block timer back to 0 seconds if an address
# attempts ANY subsiquent communication while still on the inital block period.
RAB_TRIP="$RAB_TRIP"
# This controls if the firewall should log all violation hits from an address.
# The use of LOG_DROP variable set to 1 will override this to force logging.
RAB_LOG_HIT="$RAB_LOG_HIT"
# This controls if the firewall should log all subsiqent traffic from an address
# that is already blocked for a violation hit, this can generate allot of logs.
# The use of LOG_DROP variable set to 1 will override this to force logging.
RAB_LOG_TRIP="$RAB_LOG_TRIP"
##
# [Packet Filtering/Handling]
##
# How to handle TCP packet filtering?
#
# RESET (sends a tcp-reset; TCP/IP default)
# DROP (drop the packet; stealth ?)
# REJECT (reject the packet)
TCP_STOP="$TCP_STOP"
# How to handle UDP packet filtering?
#
# RESET (sends a icmp-port-unreachable; TCP/IP default)
# DROP (drop the packet; stealth ?)
# REJECT (reject the packet)
# PROHIBIT (send an icmp-host-prohibited)
UDP_STOP="$UDP_STOP"
# How to handle all other packet filtering?
#
# DROP (drop the packet)
# REJECT (reject the packet)
ALL_STOP="$ALL_STOP"
# The sanity options control the way packets are scrutinized as they flow
# through the firewall. The main PKT_SANITY option is a top level toggle for
# all SANITY options and provides general packet flag sanity as a pre-scrub
# for the other sanity options. In short, this makes sure that all packets
# coming and going conform to strict TCP/IP standards. In doing so we make it
# very difficult for attackers to inject raw/custom packets into the server.
PKT_SANITY="$PKT_SANITY"
# Block any packets that do not conform as VALID, this feature is safe for most
# but some may experience protocol issues with broken remote clients. This is
# very similar to PKT_SANITY but has a wider scope and as such has the ability
# to affect many application protocols in undesirable ways.
PKT_SANITY_INV="$PKT_SANITY_INV"
# Block any fragmented UDP packets, this is safe as no UDP packets should
# ever be fragmented.
PKT_SANITY_FUDP="$PKT_SANITY_FUDP"
# Block packets with a source or destination of port 0, this is safe as
# nothing should ever communicate on port 0 (technically does not exist).
PKT_SANITY_PZERO="$PKT_SANITY_PZERO"
# The implementation of Type of Service (TOS) in APF is such that it allows
# you to classify service priorities by port. These priorities are broken down
# into 5 groups and they are:
# 0 = No Change
# 2 = Minimize-Cost
# 4 = Minimize Delay - Maximize Reliability
# 8 = Maximum Throughput - Minimum Delay
# 16 = No Delay - Moderate Throughput - High Reliability
#
# Set the default TOS value [0,2,4,8,16]
TOS_DEF="$TOS_DEF"
# Set the default TOS port range
TOS_DEF_RANGE="512:65535"
# 0: Ports for Normal-Service
TOS_0="$TOS_0"
# 2: Ports for Minimize-Cost
TOS_2="$TOS_2"
# 4: Ports for Minimize Delay - Maximize Reliability
TOS_4="$TOS_4"
# 8: Ports for Maximum Throughput - Minimum Delay
TOS_8="$TOS_8"
# 16: Ports for No Delay - Moderate Throughput - High Reliability
TOS_16="$TOS_16"
# Allow traceroute requests on the defined range of ports. This feature
# is not required for normal operations and some even prefer it disabled.
# Enable Traceroute # Traceroute ports
TCR_PASS="$TCR_PASS" TCR_PORTS="33434:33534"
# Set a reasonable packet/time ratio for ICMP packets, exceeding this flow
# will result in dropped ICMP packets. Supported values are in the form of:
# pkt/s (packets/seconds), pkt/m (packets/minutes)
# Set value to 0 for unlimited, anything above is enabled.
ICMP_LIM="$ICMP_LIM"
# Creates firewall rules based on the local name servers as defined in the
# /etc/resolv.conf file. This is the preferred secure method for client side
# name server requests. This option has no bearing on a locally hosted DNS
# service.
RESV_DNS="$RESV_DNS"
# When RESV_DNS is enabled, all the untrusted name server traffic can fill the
# logs with client DNS traffic. This can be suppressed with an implicit drop
# of all such traffic (sport 53 inbound) as so to avoid log chains. If you run
# applications that have unique name servers configured, this may break them.
RESV_DNS_DROP="$RESV_DNS_DROP"
# A common set of known Peer-To-Peer (p2p) protocol ports that are often
# considered undesirable traffic on public Internet servers. These ports
# are also often abused on web hosting servers where clients upload p2p
# client agents for the purpose of distributing or downloading pirated media.
# Format is comma separated for single ports and an underscore separator for
# ranges (4660_4678).
BLK_P2P_PORTS="$BLK_P2P_PORTS"
# These are common Internet service ports that are understood in the wild
# services you would not want logged under normal circumstances. All ports
# that are defined here will be implicitly dropped with no logging for
# TCP/UDP traffic inbound or outbound. Format is comma separated for single
# ports and an underscore separator for ranges (135_139).
BLK_PORTS="$BLK_PORTS"
# You need multicasting if you intend to participate in the MBONE, a high
# bandwidth network on top of the Internet which carries audio and video
# broadcasts. More about MBONE at: www-itg.lbl.gov/mbone/, this is generally
# safe to enable.
BLK_MCATNET="$BLK_MCATNET"
# Block all private ipv4 addresses, this is address space reserved for private
# networks or otherwise unroutable on the Internet. If this host resides behind
# a router with NAT or routing scheme that otherwise uses private addressing,
# leave this option OFF. Refer to the 'internals/private.networks' file for
# listing of private address space.
BLK_PRVNET="$BLK_PRVNET"
# Block all ipv4 address space marked reserved for future use (unassigned),
# such networks have no business talking on the Internet. However they may at
# some point become live address space. The USE_RD option further in this file
# allows for dynamic updating of this list on every full restart of APF. Refer
# to the 'internals/reserved.networks' file for listing of address space.
BLK_RESNET="$BLK_RESNET"
# Block all ident (tcp 113) requests in and out of the server IF the port is
# not already opened in *_TCP_CPORTS. This uses a REJECT target to make sure
# the ident requests terminate quickly. You can see an increase in irc and
# other connection performance with this feature.
BLK_IDENT="$BLK_IDENT"
# Three related flaws were found in the Linux kernel’s handling of TCP Selective
# Acknowledgement (SACK) packets handling with low MSS size. The extent of impact
# is understood to be limited to denial of service at this time.
#
# ref: https://access.redhat.com/security/vulnerabilities/tcpsack
# CVE-2019-11477, CVE-2019-11478, CVE-2019-11479
#
# This may affect traffic from legitimate sources that require the lower MSS values
# to transmit correctly.
#
# The recommended safe path is to disable TCP SACK with SYSCTL_TCP_NOSACK=1
# This can be safely ignored if you are running on a modern patched kernel newer
# than June 16th 2019.
BLK_TCP_SACK_PANIC="$BLK_TCP_SACK_PANIC"
# This is the maximum number of "sessions" (connection tracking entries) that
# can be handled simultaneously by the firewall in kernel memory. Increasing
# this value too high will simply waste memory - setting it too low may result
# in some or all connections being refused, in particular during denial of
# service attacks.
SYSCTL_CONNTRACK="$SYSCTL_CONNTRACK"
# These are system control (sysctl) option changes to disable TCP features
# that can be abused in addition to tweaking other TCP features for increased
# performance and reliability.
SYSCTL_TCP="$SYSCTL_TCP"
# Three related flaws were found in the Linux kernel’s handling of TCP Selective
# Acknowledgement (SACK) packets handling with low MSS size. The extent of impact
# is understood to be limited to denial of service at this time.
#
# ref: https://access.redhat.com/security/vulnerabilities/tcpsack
# CVE-2019-11477, CVE-2019-11478, CVE-2019-11479
#
# This can be safely ignored if you are running on a modern patched kernel newer
# than June 16th 2109.
SYSCTL_TCP_NOSACK="$SYSCTL_TCP_NOSACK"
# These are system control (sysctl) option changes intended to help mitigate
# syn-flood attacks by lowering syn retry, syn backlog & syn time-out values.
SYSCTL_SYN="$SYSCTL_SYN"
# These are system control (sysctl) option changes to provide protection from
# spoofed packets and ip/arp/route redirection. If you are performing advanced
# routing policies on this host such as NAT/MASQ you should disable this.
SYSCTL_ROUTE="0"
# This system control (sysctl) option will log all network traffic that is
# from impossible source addresses. This option can discover attacks or issues
# on your network you may otherwise not be aware of.
SYSCTL_LOGMARTIANS="$SYSCTL_LOGMARTIANS"
# This system control (sysctl) option will allow you to control ECN support
# (Explicit Congestion Notification). This feature provides an improved method
# for congestion avoidance by allowing the network to mark packets for
# transmission later, rather than dropping them from the queue. Please also
# see related USE_ECNSHAME option further down in this file.
SYSCTL_ECN="$SYSCTL_ECN"
# This system control (sysctl) option will allow you to make use of SynCookies
# support. This feature will send out a 'syn-cookie' when the syn backlog for a
# socket becomes overflowed. The cookie is used to interrupt the flow of syn
# transmissions with a hashed sequence number that must be correlated with the
# sending host. The hash is made up of the sending host address, packet flags
# etc..; if the sending host does not validate against the hash then the tcp
# hand-shake is terminated. In short, this helps to mitigate syn-flood attacks.
# Note: syncookies seriously violates TCP protocol and can result in serious
# degradation of some services (i.e. SMTP); visible not by you, but your
# clients and relays whom are contacting your system.
SYSCTL_SYNCOOKIES="$SYSCTL_SYNCOOKIES"
# This system control (sysctl) option allows for the use of Abort_On_Overflow
# support. This feature will help mitigate burst floods if a listening service
# is too slow to accept new connections. This option is an alternative for
# SynCookies and both should NEVER be enabled at once.
# Note: This option can harm clients contacting your system. Enable option only
# if you are sure that the listening daemon can not be tuned to accept
# connections faster.
SYSCTL_OVERFLOW="$SYSCTL_OVERFLOW"
# The helper chains are designed to assist applications in working with the
# stateful firewall in a more reliable fashion. You should keep these settings
# current with the ports SSH and FTP are operating on. Please DO NOT CONFUSE
# these settings with opening the SSH/FTP port as they have no bearing on
# actually connecting to the services. They are only for helping maintain your
# connection to the services [ESTABLISHED,RELATED connection states, not NEW].
HELPER_SSH="$HELPER_SSH"
HELPER_SSH_PORT="$HELPER_SSH_PORT"
HELPER_FTP="$HELPER_FTP"
HELPER_FTP_PORT="$HELPER_FTP_PORT"
HELPER_FTP_DATA="$HELPER_FTP_DATA"
# Configure inbound (ingress) accepted services. This is an optional
# feature; services and customized entries may be made directly to an ip's
# virtual net file located in the vnet/ directory. Format is comma separated
# and underscore separator for ranges.
#
# Example:
# IG_TCP_CPORTS="21,22,25,53,80,443,110,143,6000_7000"
# IG_UDP_CPORTS="20,21,53,123"
# IG_ICMP_TYPES="3,5,11,0,30,8"
# Common inbound (ingress) TCP ports
IG_TCP_CPORTS="$IG_TCP_CPORTS"
# Common inbound (ingress) UDP ports
IG_UDP_CPORTS="$IG_UDP_CPORTS"
# Common ICMP inbound (ingress) types
# 'internals/icmp.types' for type definition; 'all' is wildcard for any
IG_ICMP_TYPES="$IG_ICMP_TYPES"
# Configure outbound (egress) accepted services. This is an optional
# feature; services and customized entries may be made directly to an ip's
# virtual net file located in the vnet/ directory.
#
# Outbound (egress) filtering is not required but makes your firewall setup
# complete by providing full inbound and outbound packet filtering. You can
# toggle outbound filtering on or off with the EGF variable. Format is comma
# separated and underscore separator for ranges.
#
# Example:
# EG_TCP_CPORTS="21,25,80,443,43"
# EG_UDP_CPORTS="20,21,53"
# EG_ICMP_TYPES="all"
# Outbound (egress) filtering
EGF="$EGF"
# Common outbound (egress) TCP ports
EG_TCP_CPORTS="$EG_TCP_CPORTS"
# Common outbound (egress) UDP ports
EG_UDP_CPORTS="$EG_UDP_CPORTS"
# Common ICMP outbound (egress) types
# 'internals/icmp.types' for type definition; 'all' is wildcard for any
EG_ICMP_TYPES="$EG_ICMP_TYPES"
# Configure user-id specific outbound (egress) port access. This is a more
# granular feature to limit the scope of outbound packet flows with user-id
# conditioning. Format is comma separated and underscore separator for ranges.
# This is NOT A FILTERING FEATURE, this is an ACCESS CONTROL feature. That
# means EG_TCP_UID and EG_UDP_UID are intended to ALLOW outbound access for
# specified users, not DENY.
#
# Format: EG_[TCP|UDP]_UID="uid:port"
# Example:
# Allow outbound access to destination port 22 for uid 0
# EG_TCP_UID="0:22"
# UID-Match outbound (egress) TCP ports
EG_TCP_UID="$EG_TCP_UID"
# UID-Match outbound (egress) UDP ports
EG_UDP_UID="$EG_UDP_UID"
# Configure executable specific outbound (egress) filtering. This is a more
# granular feature to limit the scope of outbound packet flows with executable
# conditioning. The packet filtering is based on the CMD process field being
# passed along to iptables. All logged events for these rules will also include
# the executable CMD name in the log chain. This is A FILTERING FEATURE, not an
# ACCESS CONTROL feature. That means EG_DROP_CMD is intended to DENY outbound
# access for specified programs, not ALLOW.
#
# Format is comma separated list of executable names you wish to ban from being
# able to transmit data out of your server.
# CMD-Match outbound (egress) denied applications
EG_DROP_CMD="$EG_DROP_CMD"
##
# [Remote Rule Imports]
##
# Project Honey Pot is the first and only distributed system for identifying
# spammers and the spambots they use to scrape addresses from your website.
# This aggregate list combines Harvesters, Spammers and SMTP Dictionary attacks
# from the PHP IP Data at: http://www.projecthoneypot.org/list_of_ips.php
DLIST_PHP="$DLIST_PHP"
DLIST_PHP_URL="http://rfxn.com/downloads/php_list"
# The Spamhaus Don't Route Or Peer List (DROP) is an advisory "drop all
# traffic" list, consisting of stolen 'zombie' netblocks and netblocks
# controlled entirely by professional spammers. For more information please
# see http://www.spamhaus.org/drop/.
DLIST_SPAMHAUS="$DLIST_SPAMHAUS"
DLIST_SPAMHAUS_URL="http://www.spamhaus.org/drop/drop.lasso"
# DShield collects data about malicious activity from across the Internet.
# This data is cataloged, summarized and can be used to discover trends in
# activity, confirm widespread attacks, or assist in preparing better firewall
# rules. This is a list of top networks that have exhibited suspicious activity.
DLIST_DSHIELD="$DLIST_DSHIELD"
DLIST_DSHIELD_URL="http://feeds.dshield.org/top10-2.txt"
# The reserved networks list is addresses which ARIN has marked as reserved
# for future assignement and have no business as valid traffic on the internet.
# Such addresses are often used as spoofed (Fake) hosts during attacks, this
# will update the reserved networks list in order to prevent new ip assignments
# on the internet from getting blocked; this option is only important when
# BLK_RESNET is set to enabled.
DLIST_RESERVED="1"
DLIST_RESERVED_URL="http://rfxn.com/downloads/reserved.networks"
# ECN is an extension which helps reduce congestion. Unfortunately some
# clueless software/hardware vendors have setup their sites or implemented
# TCP/IP in a very broken manner. If you try to talk to these sites with ECN
# turned on, they will drop all packets from you. This feature uses the ECN
# hall of shame list to turn off ECN in packets to these hosts so your traffic
# is accepted as intended. This option is dependent on setting SYSCTL_ECN="1"
# otherwise it stays disabled.
DLIST_ECNSHAME="$DLIST_ECNSHAME"
DLIST_ECNSHAME_URL="http://rfxn.com/downloads/ecnshame.lst"
##
# Global Trust
##
# This is an implementation of the trust rules (allow/deny_hosts) but
# on a global perspective. You can define below remote addresses from
# which the glob_allow/deny.rules files should be downloaded from on
# a daily basis. The files can be maintained in a static fashion by
# leaving USE_RGT=0, ideal for a host serving the files.
USE_RGT="$USE_RGT"
GA_URL="$GA_URL"
GD_URL="$GD_URL"
##
# [Logging and control settings]
##
# Log all traffic that is filtered by the firewall
LOG_DROP="$LOG_DROP"
# What log level should we send all log data too?
# refer to man syslog.conf for levels
LOG_LEVEL="$LOG_LEVEL"
# Where should we send all the logging data?
# ULOG (Allow ulogd to handle the logging)
# LOG (Default; sends logging to kernel log)
LOG_TARGET="$LOG_TARGET"
# Log interactive access over telnet & ssh; uses
# custom log prefix of ** SSH ** & ** TELNET **
LOG_IA="$LOG_IA"
# Log all foreign gateway traffic
LOG_LGATE="$LOG_LGATE"
# Extended logging information; this forces the output of tcp options and
# ip options for packets passing through the log chains
LOG_EXT="$LOG_EXT"
# Max firewall events to log per/minute. Log events exceeding these limits
# will be lost (1440 minutes/day * 30 events/minute = 43200 events per/day)
LOG_RATE="$LOG_RATE"
# Location of the apf status log; all startup, shutdown and runtime status
# sends outputs to this file
LOG_APF="$LOG_APF"
##
# [Import misc. conf]
##
# Internal variable file
CNFINT="\$INSTALL_PATH/internals/internals.conf"
. \$CNFINT
EOF