Provided by: sanewall-doc_1.0.2+ds-2_all
NAME
sanewall-variables - Variables controlling Sanewall
DESCRIPTION
There are a number of variables that control the behaviour of Sanewall. All variables may be set in the main Sanewall configuration file /etc/sanewall/sanewall.conf. Variables which affect the runtime but not the created firewall may also be set as environment variables before running sanewall. These can change the default values but will be overwritten by values set in the configuration file. If a variable can be set by an environment variable it is specified below. Sanewall also sets some variables before processing the configuration file which you can use as part of your configuration. These are described in Sanewall configuration: sanewall.conf(5).
VARIABLES
DEFAULT_INTERFACE_POLICY
    This variable controls the default action to be taken on traffic not matched by any rule within an interface. It can be overridden using policy command: sanewall-policy(5). Packets that reach the end of an interface without an action of return or accept are logged. You can control the frequency of this logging by altering SANEWALL_LOG_FREQUENCY.

    Default:
        DEFAULT_INTERFACE_POLICY="DROP"
    Example:
        DEFAULT_INTERFACE_POLICY="REJECT"

DEFAULT_ROUTER_POLICY
    This variable controls the default action to be taken on traffic not matched by any rule within a router. It can be overridden using policy command: sanewall-policy(5). Packets that reach the end of a router without an action of return or accept are logged. You can control the frequency of this logging by altering SANEWALL_LOG_FREQUENCY.

    Default:
        DEFAULT_ROUTER_POLICY="RETURN"
    Example:
        DEFAULT_ROUTER_POLICY="REJECT"

UNMATCHED_INPUT_POLICY, UNMATCHED_OUTPUT_POLICY, UNMATCHED_FORWARD_POLICY
    These variables control the default action to be taken on traffic not matched by any interface or router definition that was incoming, outgoing or for forwarding respectively. Any supported value from actions for rules: sanewall-actions(5) may be set. All packets that reach the end of a chain are logged, regardless of these settings. You can control the frequency of this logging by altering SANEWALL_LOG_FREQUENCY.

    Defaults:
        UNMATCHED_INPUT_POLICY="DROP"
        UNMATCHED_OUTPUT_POLICY="DROP"
        UNMATCHED_FORWARD_POLICY="DROP"
    Example:
        UNMATCHED_INPUT_POLICY="REJECT"
        UNMATCHED_OUTPUT_POLICY="REJECT"
        UNMATCHED_FORWARD_POLICY="REJECT"

SANEWALL_INPUT_ACTIVATION_POLICY, SANEWALL_OUTPUT_ACTIVATION_POLICY, SANEWALL_FORWARD_ACTIVATION_POLICY, SANEWALL_ESTABLISHED_ACTIVATION_ACCEPT
    These variables control the default action to be taken on traffic during firewall activation for incoming, outgoing and forwarding respectively. Acceptable values are ACCEPT, DROP and REJECT. They may be set as environment variables.

    During activation, Sanewall creates temporary rules to ALLOW already established traffic (new connections honour the appropriate variable). Set SANEWALL_ESTABLISHED_ACTIVATION_ACCEPT to 0 to prevent this.

    Unlike FireHOL, which defaults all values to ACCEPT, Sanewall defaults all values to DROP. If you wish to reinstate the old FireHOL behaviour, set these values to ACCEPT. Please do not do so if you are using all or any to match traffic; connections established during activation will continue even if they would not be allowed once the firewall is established.

    Defaults:
        SANEWALL_INPUT_ACTIVATION_POLICY="DROP"
        SANEWALL_OUTPUT_ACTIVATION_POLICY="DROP"
        SANEWALL_FORWARD_ACTIVATION_POLICY="DROP"
        SANEWALL_ESTABLISHED_ACTIVATION_ACCEPT="1"
    Example:
        UNMATCHED_INPUT_POLICY="ACCEPT"
        UNMATCHED_OUTPUT_POLICY="ACCEPT"
        UNMATCHED_FORWARD_POLICY="ACCEPT"
        SANEWALL_ESTABLISHED_ACTIVATION_ACCEPT="0"

SANEWALL_LOG_MODE
    This variable controls the method that Sanewall uses for logging. Acceptable values are LOG (normal syslog) and ULOG (netfilter ulogd). When ULOG is selected, SANEWALL_LOG_LEVEL is ignored.

    Default:
        SANEWALL_LOG_MODE="LOG"
    Example:
        SANEWALL_LOG_MODE="ULOG"

    To see the available options run:
        /sbin/iptables -j LOG --help
    or
        /sbin/iptables -j ULOG --help

SANEWALL_LOG_LEVEL
    This variable controls the level at which events will be logged to syslog. To avoid packet logs appearing on your console you should ensure klogd only logs traffic that is more important than that produced by Sanewall. Use the following option to choose an iptables log level (alpha or numeric) which is higher than the -c of klogd.

    Table 1. iptables/klogd levels
    ┌─────────────┬───────┬────────────────────────────────────┐
    │ iptables    │ klogd │ description                        │
    ├─────────────┼───────┼────────────────────────────────────┤
    │ emerg (0)   │ 0     │ system is unusable                 │
    │ alert (1)   │ 1     │ action must be taken immediately   │
    │ crit (2)    │ 2     │ critical conditions                │
    │ error (3)   │ 3     │ error conditions                   │
    │ warning (4) │ 4     │ warning conditions                 │
    │ notice (5)  │ 5     │ normal but significant condition   │
    │ info (6)    │ 6     │ informational                      │
    │ debug (7)   │ 7     │ debug-level messages               │
    └─────────────┴───────┴────────────────────────────────────┘

    Note
        The default for klogd is generally to log everything (7 and lower) and the default level for iptables is to log as warnings (4).

SANEWALL_LOG_OPTIONS
    This variable controls the way in which events will be logged to syslog.

    Default:
        SANEWALL_LOG_OPTIONS="--log-level warning"
    Example:
        SANEWALL_LOG_OPTIONS="--log-level info \
                              --log-tcp-options --log-ip-options"

    To see the available options run:
        /sbin/iptables -j LOG --help

SANEWALL_LOG_FREQUENCY, SANEWALL_LOG_BURST
    These variables control the frequency at which each logging rule will write events to syslog. SANEWALL_LOG_FREQUENCY is set to the maximum average frequency and SANEWALL_LOG_BURST specifies the maximum initial number.

    Default:
        SANEWALL_LOG_FREQUENCY="1/second"
        SANEWALL_LOG_BURST="5"
    Example:
        SANEWALL_LOG_FREQUENCY="30/minute"
        SANEWALL_LOG_BURST="2"

    To see the available options run:
        /sbin/iptables -m limit --help

SANEWALL_LOG_PREFIX
    This value is added to the contents of each logged line for easy detection of Sanewall lines in the system logs. By default it is empty.

    Default:
        SANEWALL_LOG_PREFIX=""
    Example:
        SANEWALL_LOG_PREFIX="SANEWALL:"

SANEWALL_DROP_INVALID
    If set to 1, this variable causes Sanewall to drop all packets matched as INVALID in the iptables(8) connection tracker.

    Note
        You can use protection command: sanewall-protection(5) to control matching of INVALID packets and others on a per-interface and per-router basis.

    Default:
        SANEWALL_DROP_INVALID="0"
    Example:
        SANEWALL_DROP_INVALID="1"

DEFAULT_CLIENT_PORTS
    This variable controls the port range that is used when a remote client is specified. For clients on the local host, Sanewall finds the exact client ports by querying the kernel options.

    Default:
        DEFAULT_CLIENT_PORTS="1000:65535"
    Example:
        DEFAULT_CLIENT_PORTS="0:65535"

SANEWALL_NAT
    If set to 1, this variable causes Sanewall to load the NAT kernel modules. If you make use of the NAT helper commands, the variable will be set to 1 automatically. It may be set as an environment variable.

    Default:
        SANEWALL_NAT="0"
    Example:
        SANEWALL_NAT="1"

SANEWALL_ROUTING
    If set to 1, this variable causes Sanewall to enable routing in the kernel. If you make use of router definitions or certain helper commands, the variable will be set to 1 automatically. It may be set as an environment variable.

    Default:
        SANEWALL_ROUTING="0"
    Example:
        SANEWALL_ROUTING="1"

SANEWALL_AUTOSAVE
    This variable specifies the file that will be created when Sanewall program: sanewall(1) is called with the save argument. It may be set as an environment variable. If the variable is empty, Sanewall will try to detect where to save the file. Currently /etc/sysconfig/iptables (RedHat) and /var/lib/iptables/autosave (Debian) are tried in order, based on the existence of the directory.

    Default:
        SANEWALL_AUTOSAVE=""
    Example:
        SANEWALL_AUTOSAVE="/tmp/sanewall-saved.txt"

SANEWALL_LOAD_KERNEL_MODULES
    If set to 0, this variable forces Sanewall not to load any kernel modules. It is needed only if the kernel has modules statically included and in the rare event that Sanewall cannot access the kernel configuration. It may be set as an environment variable.

    Default:
        SANEWALL_LOAD_KERNEL_MODULES="1"
    Example:
        SANEWALL_LOAD_KERNEL_MODULES="0"

SANEWALL_TRUST_LOOPBACK
    If set to 0, the loopback device "lo" will not be trusted and you can write standard firewall rules for it.

    Warning
        If you do not set up appropriate rules, local processes will not be able to communicate with each other, which can result in serious breakages.

    By default "lo" is trusted and all INPUT and OUTPUT traffic is accepted (forwarding is not included).

    Default:
        SANEWALL_TRUST_LOOPBACK="1"
    Example:
        SANEWALL_TRUST_LOOPBACK="0"

SANEWALL_DROP_ORPHAN_TCP_ACK_FIN
    If set to 1, Sanewall will drop all TCP connections with ACK FIN set without logging them. In busy environments the iptables connection tracker removes connection tracking list entries as soon as it receives a FIN. This makes the ACK FIN appear as an invalid packet, which will normally be logged by Sanewall.

    Default:
        SANEWALL_DROP_ORPHAN_TCP_ACK_FIN="0"
    Example:
        SANEWALL_DROP_ORPHAN_TCP_ACK_FIN="1"

WAIT_FOR_IFACE
    If set to the name of a network device (e.g. eth0), Sanewall will wait until the device is up (or until 60 seconds have elapsed) before continuing.

    Note
        This variable can only be set as an environment variable, since it determines when the main configuration file will be processed.

    A device does not need to be up in order to have firewall rules created for it, so this option should only be used if you have a specific need to wait (e.g. the network must be queried to determine the hosts or ports which will be firewalled).

    Default:
        WAIT_FOR_IFACE=""
    Example:
        WAIT_FOR_IFACE="eth0"
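The following POSIX shell script is an added example, not part of the sanewall man page or the Sanewall project. It reads a sanewall.conf written in the VAR="value" form shown above and flags the settings this page warns about: activation policies set to ACCEPT (connections accepted during activation persist after the firewall is up), SANEWALL_TRUST_LOOPBACK=0 (local IPC breaks without explicit lo rules) and a --log-level in SANEWALL_LOG_OPTIONS that is not numerically higher than klogd's -c, using the iptables/klogd mapping from Table 1. The function names, the sample configuration and the klogd -c value of 7 (the default the page describes) are assumptions of the example; the script parses the file with sed rather than sourcing it, so a malformed or hostile config cannot execute anything.

```shell
#!/bin/sh
# Added example (not Sanewall's own code): lint a sanewall.conf for the
# risky settings documented on this page. Assumes VAR="value" assignments,
# one per line, as in the Example lines above.

# Map an iptables --log-level (name or number, per Table 1) to its numeric
# syslog priority; prints -1 for anything unrecognised.
iptables_level_num() {
    case "$1" in
        emerg|0)   echo 0 ;;
        alert|1)   echo 1 ;;
        crit|2)    echo 2 ;;
        error|3)   echo 3 ;;
        warning|4) echo 4 ;;
        notice|5)  echo 5 ;;
        info|6)    echo 6 ;;
        debug|7)   echo 7 ;;
        *)         echo -1 ;;
    esac
}

# Print the value of the last VAR="value" (or VAR=value) line in FILE,
# without evaluating the file.  Usage: conf_get FILE VAR
conf_get() {
    sed -n "s/^[[:space:]]*$2=[\"']\{0,1\}\([^\"']*\)[\"']\{0,1\}.*/\1/p" "$1" | tail -n 1
}

# Extract the argument given to --log-level inside a SANEWALL_LOG_OPTIONS value.
log_level_from_options() {
    printf '%s\n' "$1" | sed -n 's/.*--log-level[= ]\{1,\}\([^ ]*\).*/\1/p'
}

# Succeed when packet logs at LEVEL stay off the console for klogd -c KLOGD_C,
# i.e. the iptables level is numerically higher than klogd's -c (Table 1 rule).
log_off_console() {   # log_off_console LEVEL KLOGD_C
    n=$(iptables_level_num "$1")
    [ "$n" -ge 0 ] && [ "$n" -gt "$2" ]
}

# Print one line per finding and return the number of findings (0 = clean).
# KLOGD_C defaults to 7, the klogd default the page describes.
lint_conf() {   # lint_conf FILE [KLOGD_C]
    file=$1; klogd_c=${2:-7}; count=0
    for v in SANEWALL_INPUT_ACTIVATION_POLICY SANEWALL_OUTPUT_ACTIVATION_POLICY \
             SANEWALL_FORWARD_ACTIVATION_POLICY; do
        if [ "$(conf_get "$file" "$v")" = ACCEPT ]; then
            echo "$v=ACCEPT: connections accepted during activation persist after the firewall is up"
            count=$((count + 1))
        fi
    done
    if [ "$(conf_get "$file" SANEWALL_TRUST_LOOPBACK)" = 0 ]; then
        echo "SANEWALL_TRUST_LOOPBACK=0: lo needs explicit rules or local processes cannot talk"
        count=$((count + 1))
    fi
    opts=$(conf_get "$file" SANEWALL_LOG_OPTIONS)
    [ -n "$opts" ] || opts="--log-level warning"      # page default
    level=$(log_level_from_options "$opts")
    [ -n "$level" ] || level=warning
    if ! log_off_console "$level" "$klogd_c"; then
        echo "log level '$level' is not above klogd -c $klogd_c: packet logs will reach the console (lower klogd -c)"
        count=$((count + 1))
    fi
    return "$count"
}

# Constructed sample configuration for demonstration (not a real system file);
# prints the path of a temporary file the caller should remove.
make_sample_conf() {
    f=$(mktemp)
    cat >"$f" <<'EOF'
# constructed sanewall.conf fragment
SANEWALL_INPUT_ACTIVATION_POLICY="ACCEPT"
SANEWALL_TRUST_LOOPBACK="0"
SANEWALL_LOG_OPTIONS="--log-level warning"
SANEWALL_LOG_PREFIX="SANEWALL:"
EOF
    echo "$f"
}

SAMPLE_CONF=$(make_sample_conf)
lint_conf "$SAMPLE_CONF" || echo "findings: $?"    # three findings for the sample
rm -f "$SAMPLE_CONF"
```

Run it against a real file with `lint_conf /etc/sanewall/sanewall.conf 4` once klogd has been started with `-c 4`; with the page's defaults (klogd at 7, iptables at warning) the console check always fires, which is exactly the situation Table 1 tells you to resolve by lowering klogd's -c rather than raising the iptables level.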
SEE ALSO
Sanewall program: sanewall(1)
Sanewall configuration: sanewall.conf(5)
nat, snat, dnat, redirect config helpers: sanewall-nat(5)
administration tool for IPv4 firewalls: iptables(8)
AUTHOR
Sanewall Team
COPYRIGHT
Copyright © 2012, 2013 Phil Whineray <phil@sanewall.org>