Provided by: firehol-doc_3.1.7+ds-2.1_all
NAME
firehol-defaults.conf - control variables for FireHOL
SYNOPSIS
Defaults in /etc/firehol/firehol-defaults.conf: • DEFAULT_INTERFACE_POLICY=“DROP” • DEFAULT_ROUTER_POLICY=“RETURN” • UNMATCHED_INPUT_POLICY=“DROP” • UNMATCHED_OUTPUT_POLICY=“DROP” • UNMATCHED_FORWARD_POLICY=“DROP” • FIREHOL_INPUT_ACTIVATION_POLICY=“ACCEPT” • FIREHOL_OUTPUT_ACTIVATION_POLICY=“ACCEPT” • FIREHOL_FORWARD_ACTIVATION_POLICY=“ACCEPT” • FIREHOL_LOG_MODE=“LOG” • FIREHOL_LOG_LEVEL=see notes • FIREHOL_LOG_OPTIONS=“–log-level warning” • FIREHOL_LOG_FREQUENCY=“1/second” • FIREHOL_LOG_BURST=“5” • FIREHOL_LOG_PREFIX=“” • FIREHOL_DROP_INVALID=“0” • DEFAULT_CLIENT_PORTS=“1000:65535” • FIREHOL_NAT=“0” • FIREHOL_ROUTING=“0” • FIREHOL_AUTOSAVE=see notes • FIREHOL_AUTOSAVE6=see notes • FIREHOL_LOAD_KERNEL_MODULES=“1” • FIREHOL_TRUST_LOOPBACK=“1” • FIREHOL_DROP_ORPHAN_TCP_ACK_FIN=“1” • FIREHOL_DROP_ORPHAN_TCP_ACK_RST=“1” • FIREHOL_DROP_ORPHAN_TCP_ACK=“1” • FIREHOL_DROP_ORPHAN_TCP_RST=“1” • FIREHOL_DROP_ORPHAN_IPV4_ICMP_TYPE3=“1” • WAIT_FOR_IFACE=“”
DESCRIPTION
From FireHOL 3 upwards, variables which control FireHOL behaviour are held in a separate file: /etc/firehol/firehol-defaults.conf. Some variables can also be set in the main firehol.conf file but that is not recommended, since they may be used before the main configuration is processed. FireHOL also sets some variables before processing the configuration file which you can use as part of your configuration. These are described in firehol.conf(5).
VARIABLES
DEFAULT_INTERFACE_POLICY This variable controls the default action to be taken on traffic not matched by any rule within an interface. It can be overridden using firehol-policy(5). Packets that reach the end of an interface without an action of return or accept are logged. You can control the frequency of this logging by altering FIREHOL_LOG_FREQUENCY. Example: DEFAULT_INTERFACE_POLICY="REJECT" DEFAULT_ROUTER_POLICY This variable controls the default action to be taken on traffic not matched by any rule within a router. It can be overridden using firehol-policy(5). Packets that reach the end of a router without an action of return or accept are logged. You can control the frequency of this logging by altering FIREHOL_LOG_FREQUENCY. Example: DEFAULT_ROUTER_POLICY="REJECT" UNMATCHED_{INPUT|OUTPUT|FORWARD}_POLICY These variables control the default action to be taken on traffic not matched by any interface or router definition that was incoming, outgoing or for forwarding respectively. Any supported value from firehol-actions(5) may be set. All packets that reach the end of a chain are logged, regardless of these settings. You can control the frequency of this logging by altering FIREHOL_LOG_FREQUENCY. Example: UNMATCHED_INPUT_POLICY="REJECT" UNMATCHED_OUTPUT_POLICY="REJECT" UNMATCHED_FORWARD_POLICY="REJECT" FIREHOL_{INPUT|OUTPUT|FORWARD}_ACTIVATION_POLICY These variables control the default action to be taken on traffic during firewall activation for incoming, outgoing and forwarding respectively. Acceptable values are ACCEPT, DROP and REJECT. FireHOL defaults all values to ACCEPT so that your communications continue to work uninterrupted. If you wish to prevent connections whilst the new firewall is activating, set these values to DROP. This is important to do if you are using all or any to match traffic; connections established during activation will continue even if they would not be allowed once the firewall is established. Example: FIREHOL_INPUT_ACTIVATION_POLICY="DROP" FIREHOL_OUTPUT_ACTIVATION_POLICY="DROP" FIREHOL_FORWARD_ACTIVATION_POLICY="DROP" FIREHOL_LOG_MODE This variable controls method that FireHOL uses for logging. Acceptable values are LOG (normal syslog) and ULOG (netfilter ulogd). When ULOG is selected, FIREHOL_LOG_LEVEL is ignored. Example: FIREHOL_LOG_MODE="ULOG" To see the available options run: /sbin/iptables -j LOG --help or /sbin/iptables -j ULOG --help FIREHOL_LOG_LEVEL This variable controls the level at which events will be logged to syslog. To avoid packet logs appearing on your console you should ensure klogd only logs traffic that is more important than that produced by FireHOL. Use the following option to choose an iptables(8) log level (alpha or numeric) which is higher than the -c of klogd. iptables/klogd levels iptables klogd description ─────────────────────────────────────────────── emerg (0) 0 system is unusable alert (1) 1 action must be taken immediately crit (2) 2 critical conditions error (3) 3 error conditions warning (4) 4 warning conditions notice (5) 5 normal but significant condition info (6) 6 informational debug (7) 7 debug-level messages Note The default for klogd is generally to log everything (7 and lower) and the default level for iptables(4) is to log as warning (4). FIREHOL_LOG_OPTIONS This variable controls the way in which events will be logged to syslog. Example: FIREHOL_LOG_OPTIONS="--log-level info \ --log-tcp-options --log-ip-options" To see the available options run: /sbin/iptables -j LOG --help FIREHOL_LOG_FREQUENCY; FIREHOL_LOG_BURST These variables control the frequency that each logging rule will write events to syslog. FIREHOL_LOG_FREQUENCY is set to the maximum average frequency and FIREHOL_LOG_BURST specifies the maximum initial number. Example: FIREHOL_LOG_FREQUENCY="30/minute" FIREHOL_LOG_BURST="2" To see the available options run: /sbin/iptables -m limit --help FIREHOL_LOG_PREFIX This value is added to the contents of each logged line for easy detection of FireHOL lines in the system logs. By default it is empty. Example: FIREHOL_LOG_PREFIX="FIREHOL:" FIREHOL_DROP_INVALID If set to 1, this variable causes FireHOL to drop all packets matched as INVALID in the iptables(8) connection tracker. You may be better off using firehol-protection(5) to control matching of INVALID packets and others on a per-interface and per-router basis. Note Care must be taken on IPv6 interfaces, since ICMPv6 packets such as Neighbour Discovery are not tracked, meaning they are marked as INVALID. Example: FIREHOL_DROP_INVALID="1" DEFAULT_CLIENT_PORTS This variable controls the port range that is used when a remote client is specified. For clients on the local host, FireHOL finds the exact client ports by querying the kernel options. Example: DEFAULT_CLIENT_PORTS="0:65535" FIREHOL_NAT If set to 1, this variable causes FireHOL to load the NAT kernel modules. If you make use of the NAT helper commands, the variable will be set to 1 automatically. Example: FIREHOL_NAT="1" FIREHOL_ROUTING If set to 1, this variable causes FireHOL to enable routing in the kernel. If you make use of router definitions or certain helper commands the variable will be set to 1 automatically. Example: FIREHOL_ROUTING="1" FIREHOL_AUTOSAVE; FIREHOL_AUTOSAVE6 These variables specify the file of IPv4/IPv6 rules that will be created when firehol(1) is called with the save argument. If the variable is not set, a system-specific value is used which was defined at configure-time. If no value was chosen then the save fails. Example: FIREHOL_AUTOSAVE="/tmp/firehol-saved-ipv4.txt" FIREHOL_AUTOSAVE6="/tmp/firehol-saved-ipv6.txt" FIREHOL_LOAD_KERNEL_MODULES If set to 0, this variable forces FireHOL to not load any kernel modules. It is needed only if the kernel has modules statically included and in the rare event that FireHOL cannot access the kernel configuration. Example: FIREHOL_LOAD_KERNEL_MODULES="0" FIREHOL_TRUST_LOOPBACK If set to 0, the loopback device “lo” will not be trusted and you can write standard firewall rules for it. Warning If you do not set up appropriate rules, local processes will not be able to communicate with each other which can result in serious breakages. By default “lo” is trusted and all INPUT and OUTPUT traffic is accepted (forwarding is not included). Example: FIREHOL_TRUST_LOOPBACK="0" FIREHOL_DROP_ORPHAN_TCP_ACK_FIN If set to 1, FireHOL will drop all orphan such packets without logging them. In busy environments the iptables(8) connection tracker removes connection tracking list entries as soon as it receives a FIN. This makes the ACK FIN appear as an invalid packet which will normally be logged by FireHOL. Example: FIREHOL_DROP_ORPHAN_TCP_ACK_FIN="1" FIREHOL_DROP_ORPHAN_TCP_ACK_RST If set to 1, FireHOL will drop all orphan such packets without logging them. In busy environments the iptables(8) connection tracker removes connection tracking list entries as soon as it receives a RST. This makes the ACK RST appear as an invalid packet which will normally be logged by FireHOL. Example: FIREHOL_DROP_ORPHAN_TCP_ACK_RST="1" FIREHOL_DROP_ORPHAN_TCP_ACK If set to 1, FireHOL will drop all orphan such packets without logging them. In busy environments the iptables(8) connection tracker removes unneeded connection tracking list entries. This makes ACK packets appear as an invalid packet which will normally be logged by FireHOL. Example: FIREHOL_DROP_ORPHAN_TCP_ACK="1" FIREHOL_DROP_ORPHAN_TCP_RST If set to 1, FireHOL will drop all orphan such packets without logging them. In busy environments the iptables(8) connection tracker removes unneeded connection tracking list entries. This makes RST packets appear as an invalid packet which will normally be logged by FireHOL. Example: FIREHOL_DROP_ORPHAN_TCP_RST="1" FIREHOL_DROP_ORPHAN_IPV4_ICMP_TYPE3 If set to 1, FireHOL will drop all orphan ICMP destination unreachable packets without logging them. In busy environments the iptables(8) connection tracker removes unneeded connection tracking list entries. This makes ICMP destination unreachable appear as an invalid packet which will normally be logged by FireHOL. Example: FIREHOL_DROP_ORPHAN_IPV4_ICMP_TYPE3="1" WAIT_FOR_IFACE If set to the name of a network device (e.g. eth0), FireHOL will wait until the device is up (or until 60 seconds have elapsed) before continuing. A device does not need to be up in order to have firewall rules created for it, so this option should only be used if you have a specific need to wait (e.g. the network must be queried to determine the hosts or ports which will be firewalled). Example: WAIT_FOR_IFACE="eth0"
SEE ALSO
• firehol(1) - FireHOL program • firehol.conf(5) - FireHOL configuration • firehol-nat(5) - nat, snat, dnat, redirect helpers • firehol-actions(5) - actions for rules • iptables(8) (http://ipset.netfilter.org/iptables.man.html) - administration tool for IPv4 firewalls • ip6tables(8) (http://ipset.netfilter.org/ip6tables.man.html) - administration tool for IPv6 firewalls • FireHOL Website (http://firehol.org/) • FireHOL Online PDF Manual (http://firehol.org/firehol-manual.pdf) • FireHOL Online Documentation (http://firehol.org/documentation/)
AUTHORS
FireHOL Team.