Provided by: sanewall-doc_1.0.2+ds-2_all

NAME

       sanewall-variables - Variables controlling Sanewall

DESCRIPTION

       There are a number of variables that control the behaviour of Sanewall.

       All variables may be set in the main Sanewall configuration file /etc/sanewall/sanewall.conf.

       Variables which affect the runtime but not the created firewall may also be set as environment variables
       before running sanewall. These can change the default values but will be overwritten by values set in the
       configuration file. If a variable can be set by an environment variable it is specified below.

       Sanewall also sets some variables before processing the configuration file which you can use as part of
       your configuration. These are described in Sanewall configuration: sanewall.conf(5).

VARIABLES

       DEFAULT_INTERFACE_POLICY
           This variable controls the default action to be taken on traffic not matched by any rule within an
           interface. It can be overridden using policy command: sanewall-policy(5).

           Packets that reach the end of an interface without an action of return or accept are logged. You can
           control the frequency of this logging by altering SANEWALL_LOG_FREQUENCY.

           Default:

               DEFAULT_INTERFACE_POLICY="DROP"

           Example:

               DEFAULT_INTERFACE_POLICY="REJECT"

       DEFAULT_ROUTER_POLICY
           This variable controls the default action to be taken on traffic not matched by any rule within a
           router. It can be overridden using policy command: sanewall-policy(5).

           Packets that reach the end of a router without an action of return or accept are logged. You can
           control the frequency of this logging by altering SANEWALL_LOG_FREQUENCY.

           Default:

               DEFAULT_ROUTER_POLICY="RETURN"

           Example:

               DEFAULT_ROUTER_POLICY="REJECT"

       UNMATCHED_INPUT_POLICY, UNMATCHED_OUTPUT_POLICY, UNMATCHED_FORWARD_POLICY
           These variables control the default action to be taken on traffic not matched by any interface or
           router definition that was incoming, outgoing or for forwarding respectively. Any supported value
           from actions for rules: sanewall-actions(5) may be set.

           All packets that reach the end of a chain are logged, regardless of these settings. You can control
           the frequency of this logging by altering SANEWALL_LOG_FREQUENCY.

           Defaults:

               UNMATCHED_INPUT_POLICY="DROP"
               UNMATCHED_OUTPUT_POLICY="DROP"
               UNMATCHED_FORWARD_POLICY="DROP"

           Example:

               UNMATCHED_INPUT_POLICY="REJECT"
               UNMATCHED_OUTPUT_POLICY="REJECT"
               UNMATCHED_FORWARD_POLICY="REJECT"

       SANEWALL_INPUT_ACTIVATION_POLICY, SANEWALL_OUTPUT_ACTIVATION_POLICY, SANEWALL_FORWARD_ACTIVATION_POLICY,
       SANEWALL_ESTABLISHED_ACTIVATION_ACCEPT
           These variables control the default action to be taken on traffic during firewall activation for
           incoming, outgoing and forwarding respectively. Acceptable values are ACCEPT, DROP and REJECT. They
           may be set as environment variables.

           During activation, Sanewall creates temporary rules to ALLOW already established traffic (new
           connections honour the appropriate variable). Set SANEWALL_ESTABLISHED_ACTIVATION_ACCEPT to 0 to
           prevent this.

            Unlike FireHOL, which defaults all values to ACCEPT, Sanewall defaults all values to DROP.

           If you wish to reinstate the old FireHOL behaviour, set these values to ACCEPT. Please do not do so
           if you are using all or any to match traffic; connections established during activation will continue
           even if they would not be allowed once the firewall is established.

           Defaults:

               SANEWALL_INPUT_ACTIVATION_POLICY="DROP"
               SANEWALL_OUTPUT_ACTIVATION_POLICY="DROP"
               SANEWALL_FORWARD_ACTIVATION_POLICY="DROP"
               SANEWALL_ESTABLISHED_ACTIVATION_ACCEPT="1"

           Example:

                SANEWALL_INPUT_ACTIVATION_POLICY="ACCEPT"
                SANEWALL_OUTPUT_ACTIVATION_POLICY="ACCEPT"
                SANEWALL_FORWARD_ACTIVATION_POLICY="ACCEPT"
                SANEWALL_ESTABLISHED_ACTIVATION_ACCEPT="0"

       SANEWALL_LOG_MODE
            This variable controls the method that Sanewall uses for logging.

           Acceptable values are LOG (normal syslog) and ULOG (netfilter ulogd). When ULOG is selected,
           SANEWALL_LOG_LEVEL is ignored.

           Default:

               SANEWALL_LOG_MODE="LOG"

           Example:

               SANEWALL_LOG_MODE="ULOG"

           To see the available options run: /sbin/iptables -j LOG --help or /sbin/iptables -j ULOG --help

       SANEWALL_LOG_LEVEL
           This variable controls the level at which events will be logged to syslog.

           To avoid packet logs appearing on your console you should ensure klogd only logs traffic that is more
           important than that produced by Sanewall.

            Use the table below to choose an iptables log level (alphabetic or numeric) which is numerically
            higher than the console log level set by the -c option of klogd.

           Table 1. iptables/klogd levels
           ┌─────────────┬───────┬────────────────────────┐
            │ iptables    │ klogd │ description            │
           ├─────────────┼───────┼────────────────────────┤
           │ emerg (0)   │ 0     │ system is unusable     │
           ├─────────────┼───────┼────────────────────────┤
           │ alert (1)   │ 1     │ action must be taken   │
           │             │       │ immediately            │
           ├─────────────┼───────┼────────────────────────┤
           │ crit (2)    │ 2     │ critical conditions    │
           ├─────────────┼───────┼────────────────────────┤
           │ error (3)   │ 3     │ error conditions       │
           ├─────────────┼───────┼────────────────────────┤
           │ warning (4) │ 4     │ warning conditions     │
           ├─────────────┼───────┼────────────────────────┤
           │ notice (5)  │ 5     │ normal but significant │
           │             │       │ condition              │
           ├─────────────┼───────┼────────────────────────┤
           │ info (6)    │ 6     │ informational          │
           ├─────────────┼───────┼────────────────────────┤
           │ debug (7)   │ 7     │ debug-level messages   │
           └─────────────┴───────┴────────────────────────┘

               Note
               The default for klogd is generally to log everything (7 and lower) and the default level for
               iptables is to log as warnings (4).
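The check a practitioner wants here is whether the level chosen in SANEWALL_LOG_OPTIONS will reach the console under the klogd -c value in use. The following shell script is an added example, not part of Sanewall or its documentation: it maps the level names from Table 1 to their numbers, extracts the --log-level value from a SANEWALL_LOG_OPTIONS string (falling back to the iptables default of warning noted above), and compares it with the klogd console level. The function names and the KLOGD_CONSOLE_LEVEL variable are assumptions made for this example; the only fact relied on is that the kernel prints to the console messages whose priority number is below the console log level.

```shell
#!/bin/sh
# Added example (not Sanewall's own code): would Sanewall's packet logs reach
# the console with the current iptables log level and klogd -c setting?

# Map an iptables log level (name or number, as in Table 1) to its number.
# Prints the number; returns 1 for an unknown level.
iptables_level_num() {
    case "$1" in
        emerg|0)   echo 0 ;;
        alert|1)   echo 1 ;;
        crit|2)    echo 2 ;;
        error|3)   echo 3 ;;
        warning|4) echo 4 ;;
        notice|5)  echo 5 ;;
        info|6)    echo 6 ;;
        debug|7)   echo 7 ;;
        *)         return 1 ;;
    esac
}

# Extract the argument of "--log-level" from an option string such as the
# value of SANEWALL_LOG_OPTIONS. Prints "warning" (the iptables default
# noted in the man page) when no --log-level is present.
log_level_from_options() {
    set -- $1                       # word-split the option string
    while [ $# -gt 0 ]; do
        if [ "$1" = "--log-level" ] && [ $# -ge 2 ]; then
            echo "$2"
            return 0
        fi
        shift
    done
    echo warning
}

# Return 0 if packets logged at iptables level $1 are printed on the console
# by klogd -c $2 (the kernel prints messages whose priority number is lower
# than the console level), 1 otherwise, 2 for an unknown level.
reaches_console() {
    n=$(iptables_level_num "$1") || return 2
    [ "$n" -lt "$2" ]
}

# Advise on a SANEWALL_LOG_OPTIONS string ($1) against a klogd -c value ($2).
# Returns 0 when packet logs stay off the console, 1 when they would reach it.
check_console_logging() {
    lvl=$(log_level_from_options "$1")
    iptables_level_num "$lvl" >/dev/null || { echo "ERROR: unknown log level '$lvl'"; return 2; }
    if reaches_console "$lvl" "$2"; then
        echo "WARN: iptables level '$lvl' is below klogd -c $2; packet logs will appear on the console"
        return 1
    fi
    echo "OK: iptables level '$lvl' is not shown on the console with klogd -c $2"
}

# Run against the environment; KLOGD_CONSOLE_LEVEL is an assumed name for the
# value you pass to klogd -c. With the man page defaults (warning, klogd 7)
# this reports WARN.
check_console_logging "${SANEWALL_LOG_OPTIONS:---log-level warning}" "${KLOGD_CONSOLE_LEVEL:-7}"
```

Run it as `KLOGD_CONSOLE_LEVEL=4 SANEWALL_LOG_OPTIONS="--log-level info" sh check-level.sh`; a non-zero exit means the configured level would put every logged packet on the console.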

       SANEWALL_LOG_OPTIONS
           This variable controls the way in which events will be logged to syslog.

           Default:

               SANEWALL_LOG_OPTIONS="--log-level warning"

           Example:

               SANEWALL_LOG_OPTIONS="--log-level info \
                  --log-tcp-options --log-ip-options"

           To see the available options run: /sbin/iptables -j LOG --help

       SANEWALL_LOG_FREQUENCY, SANEWALL_LOG_BURST
            These variables control how often each logging rule will write events to syslog.
            SANEWALL_LOG_FREQUENCY sets the maximum average rate and SANEWALL_LOG_BURST sets the maximum
            number of events that may be logged in an initial burst before that rate applies.

           Default:

               SANEWALL_LOG_FREQUENCY="1/second"
               SANEWALL_LOG_BURST="5"

           Example:

               SANEWALL_LOG_FREQUENCY="30/minute"
               SANEWALL_LOG_BURST="2"

           To see the available options run: /sbin/iptables -m limit --help

       SANEWALL_LOG_PREFIX
           This value is added to the contents of each logged line for easy detection of Sanewall lines in the
           system logs. By default it is empty.

           Default:

               SANEWALL_LOG_PREFIX=""

           Example:

               SANEWALL_LOG_PREFIX="SANEWALL:"

       SANEWALL_DROP_INVALID
           If set to 1, this variable causes Sanewall to drop all packets matched as INVALID in the iptables(8)
           connection tracker.

               Note
               You can use protection command: sanewall-protection(5) to control matching of INVALID packets and
               others on per-interface and per-router basis.

           Default:

               SANEWALL_DROP_INVALID="0"

           Example:

               SANEWALL_DROP_INVALID="1"

       DEFAULT_CLIENT_PORTS
           This variable controls the port range that is used when a remote client is specified. For clients on
           the local host, Sanewall finds the exact client ports by querying the kernel options.

           Default:

               DEFAULT_CLIENT_PORTS="1000:65535"

           Example:

               DEFAULT_CLIENT_PORTS="0:65535"

       SANEWALL_NAT
           If set to 1, this variable causes Sanewall to load the NAT kernel modules. If you make use of the NAT
           helper commands, the variable will be set to 1 automatically. It may be set as an environment
           variable.

           Default:

               SANEWALL_NAT="0"

           Example:

               SANEWALL_NAT="1"

       SANEWALL_ROUTING
           If set to 1, this variable causes Sanewall to enable routing in the kernel. If you make use of router
           definitions or certain helper commands the variable will be set to 1 automatically. It may be set as
           an environment variable.

           Default:

               SANEWALL_ROUTING="0"

           Example:

               SANEWALL_ROUTING="1"

       SANEWALL_AUTOSAVE
           This variable specifies the file that will be created when Sanewall program: sanewall(1) is called
           with the save argument. It may be set as an environment variable.

           If the variable is empty, Sanewall will try to detect where to save the file. Currently
           /etc/sysconfig/iptables (RedHat) and /var/lib/iptables/autosave (Debian) are tried in order, based on
           the existence of the directory.

           Default:

               SANEWALL_AUTOSAVE=""

           Example:

               SANEWALL_AUTOSAVE="/tmp/sanewall-saved.txt"

       SANEWALL_LOAD_KERNEL_MODULES
           If set to 0, this variable forces Sanewall to not load any kernel modules. It is needed only if the
           kernel has modules statically included and in the rare event that Sanewall cannot access the kernel
           configuration. It may be set as an environment variable.

           Default:

               SANEWALL_LOAD_KERNEL_MODULES="1"

           Example:

               SANEWALL_LOAD_KERNEL_MODULES="0"

       SANEWALL_TRUST_LOOPBACK
           If set to 0, the loopback device "lo" will not be trusted and you can write standard firewall rules
           for it.

               Warning
               If you do not set up appropriate rules, local processes will not be able to communicate with each
               other which can result in serious breakages.

           By default "lo" is trusted and all INPUT and OUTPUT traffic is accepted (forwarding is not included).

           Default:

               SANEWALL_TRUST_LOOPBACK="1"

           Example:

               SANEWALL_TRUST_LOOPBACK="0"

       SANEWALL_DROP_ORPHAN_TCP_ACK_FIN
            If set to 1, Sanewall will drop all TCP packets with ACK FIN set without logging them.

           In busy environments the iptables connection tracker removes connection tracking list entries as soon
           as it receives a FIN. This makes the ACK FIN appear as an invalid packet which will normally be
           logged by Sanewall.

           Default:

               SANEWALL_DROP_ORPHAN_TCP_ACK_FIN="0"

           Example:

               SANEWALL_DROP_ORPHAN_TCP_ACK_FIN="1"

       WAIT_FOR_IFACE
           If set to the name of a network device (e.g. eth0), Sanewall will wait until the device is up (or
           until 60 seconds have elapsed) before continuing.

               Note
                This variable can only be set as an environment variable, since it determines when the main
                configuration file will be processed.

           A device does not need to be up in order to have firewall rules created for it, so this option should
           only be used if you have a specific need to wait (e.g. the network must be queried to determine the
           hosts or ports which will be firewalled).

           Default:

               WAIT_FOR_IFACE=""

           Example:

               WAIT_FOR_IFACE="eth0"
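Because sanewall.conf is shell and every variable above is a plain string, a typo such as a misspelt policy or an inverted port range is only noticed at activation time. The script below is an added example, not Sanewall's own code or parser: it lints the NAME="value" assignments in a configuration file against the values the man page lists (policy names, 0/1 switches, LOG/ULOG, N/second|minute|hour|day rates, a LOW:HIGH port range), warns when an activation policy is ACCEPT (connections made during activation would persist, as the activation section explains) and when WAIT_FOR_IFACE is set in the file rather than the environment. The accepted policy set ACCEPT/DROP/REJECT/RETURN, the four rate units and the sample configuration are assumptions made for this example; the file is read line by line rather than sourced, since sourcing would run the rule helpers it contains.

```shell
#!/bin/sh
# Added example (not part of Sanewall): lint the variable assignments of a
# sanewall.conf against the values documented in sanewall-variables(5).

is_policy()     { case "$1" in ACCEPT|DROP|REJECT|RETURN) return 0 ;; esac; return 1; }
is_activation() { case "$1" in ACCEPT|DROP|REJECT) return 0 ;; esac; return 1; }
is_bool01()     { case "$1" in 0|1) return 0 ;; esac; return 1; }
is_log_mode()   { case "$1" in LOG|ULOG) return 0 ;; esac; return 1; }
is_uint()       { case "$1" in ''|*[!0-9]*) return 1 ;; esac; return 0; }

# N/second, N/minute, N/hour or N/day (assumed unit spellings for -m limit).
is_rate() {
    n=${1%%/*}; unit=${1#*/}
    [ "$n" != "$1" ] && is_uint "$n" && [ "$n" -gt 0 ] || return 1
    case "$unit" in second|minute|hour|day) return 0 ;; esac
    return 1
}

# LOW:HIGH with 0 <= LOW <= HIGH <= 65535, the shape of DEFAULT_CLIENT_PORTS.
is_port_range() {
    lo=${1%%:*}; hi=${1#*:}
    [ "$lo" != "$1" ] && is_uint "$lo" && is_uint "$hi" || return 1
    [ "$lo" -le "$hi" ] && [ "$hi" -le 65535 ]
}

# Validate one assignment NAME=VALUE; prints a message for anything wrong.
# Returns 1 on a hard error and 0 otherwise (warnings also return 0).
check_var() {
    name=$1; val=$2
    case "$name" in
        DEFAULT_INTERFACE_POLICY|DEFAULT_ROUTER_POLICY|UNMATCHED_*_POLICY)
            is_policy "$val" || { echo "ERROR: $name='$val' is not ACCEPT, DROP, REJECT or RETURN"; return 1; } ;;
        SANEWALL_*_ACTIVATION_POLICY)
            is_activation "$val" || { echo "ERROR: $name='$val' is not ACCEPT, DROP or REJECT"; return 1; }
            [ "$val" = ACCEPT ] && echo "WARN: $name=ACCEPT lets connections made during activation persist" ;;
        SANEWALL_ESTABLISHED_ACTIVATION_ACCEPT|SANEWALL_DROP_INVALID|SANEWALL_NAT|SANEWALL_ROUTING|\
        SANEWALL_LOAD_KERNEL_MODULES|SANEWALL_TRUST_LOOPBACK|SANEWALL_DROP_ORPHAN_TCP_ACK_FIN)
            is_bool01 "$val" || { echo "ERROR: $name='$val' must be 0 or 1"; return 1; } ;;
        SANEWALL_LOG_MODE)
            is_log_mode "$val" || { echo "ERROR: $name='$val' is not LOG or ULOG"; return 1; } ;;
        SANEWALL_LOG_FREQUENCY)
            is_rate "$val" || { echo "ERROR: $name='$val' is not N/second, N/minute, N/hour or N/day"; return 1; } ;;
        SANEWALL_LOG_BURST)
            is_uint "$val" && [ "$val" -gt 0 ] || { echo "ERROR: $name='$val' must be a positive integer"; return 1; } ;;
        DEFAULT_CLIENT_PORTS)
            is_port_range "$val" || { echo "ERROR: $name='$val' is not LOW:HIGH within 0..65535"; return 1; } ;;
        WAIT_FOR_IFACE)
            echo "WARN: $name is only honoured as an environment variable, not in the config file" ;;
    esac
    return 0
}

# Lint every NAME="value" or NAME=value line of file $1; lines that are not
# simple assignments (rule helpers, comments) are ignored. Returns the count
# of hard errors, so 0 means clean.
lint_conf() {
    errors=0
    while IFS= read -r line || [ -n "$line" ]; do
        line=${line%%#*}                                  # drop trailing comments
        case "$line" in *[A-Z_]=*) ;; *) continue ;; esac
        name=${line%%=*}; name=${name#"${name%%[! ]*}"}   # trim leading spaces
        case "$name" in *[!A-Z0-9_]*) continue ;; esac    # not a plain variable
        val=${line#*=}; val=${val%"${val##*[! ]}"}        # trim trailing spaces
        val=${val#\"}; val=${val%\"}                      # strip surrounding quotes
        check_var "$name" "$val" || errors=$((errors + 1))
    done < "$1"
    return "$errors"
}

# Constructed sample configuration (not a real site's file) mixing good and
# bad values; returns the number of errors the linter reports (3 here).
demo() {
    tmp=$(mktemp) || return 2
    cat > "$tmp" <<'EOF'
# sample sanewall.conf fragment, constructed for this example
DEFAULT_INTERFACE_POLICY="DROP"
SANEWALL_INPUT_ACTIVATION_POLICY="ACCEPT"
SANEWALL_LOG_FREQUENCY="30/minute"
SANEWALL_LOG_BURST="2"
DEFAULT_CLIENT_PORTS="65535:1000"
SANEWALL_LOG_MODE="SYSLOG"
SANEWALL_DROP_INVALID="yes"
WAIT_FOR_IFACE="eth0"
interface eth0 internet
EOF
    rc=0; lint_conf "$tmp" || rc=$?
    rm -f "$tmp"
    return "$rc"
}

if demo; then echo "sample config is clean"; else echo "sample config has $? error(s)"; fi
```

To lint a real file, call `lint_conf /etc/sanewall/sanewall.conf` instead of `demo`; the exit status is the error count, so it drops straight into a pre-activation check.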

SEE ALSO

           Sanewall program: sanewall(1)
           Sanewall configuration: sanewall.conf(5)
           nat, snat, dnat, redirect config helpers: sanewall-nat(5)
           administration tool for IPv4 firewalls: iptables(8)

AUTHOR

       Sanewall Team

COPYRIGHT

       Copyright © 2012, 2013 Phil Whineray <phil@sanewall.org>

Sanewall 1.0.2                                  Built 01 Jun 2013                        CONTROL VARIABLES: S(5)