Written by: Adrian Pascalau apascalau@openna.com
Written by: Gerhard Mourani gmourani@openna.com
Last update: June 08, 2002

Permission is granted to copy, distribute and/or modify this document under the terms of the GNU Free Documentation License, Version 1.1 or any later version published by the Free Software Foundation; with the Invariant Sections being LIST THEIR TITLES, with the Front-Cover Texts being LIST, and with the Back-Cover Texts being LIST. A copy of the license is included in the section entitled GNU Free Documentation License.

This document describes the configuration procedure of the GIPTables Firewall package for a Gateway/Proxy server on a Red Hat Linux or compatible system. You should already have the firewall installed on your system. See the GIPTables Firewall Installation Guide page for installation instructions. If you are using OpenNA Linux BETA3 or newer, GIPTables Firewall is installed by default as an rpm package, but the configuration procedure is the same.

The main configuration procedure of GIPTables Firewall should already be done. See the GIPTables Firewall Main Configuration Guide for the main configuration instructions.

Running the type of GIPTables Firewall that you need

All servers should be configured to block at least the unused ports, even if they are not a firewall server. This is required for increased security. Imagine that someone gains access to your main firewall server: if your other servers are not configured to block unused ports, this is a serious network security risk. The same is true for local connections; unauthorized employees can gain access from the inside to your other servers.

As you should know by now, before running GIPTables on your system you have to create a symbolic link under the /etc directory that points to the GIPTables configuration file suitable for the type of server that you expect to run on your system. Once this configuration file exists under your /etc directory, all you have to do is edit it and set up your networking configuration to make it work for you. This is true for every server type except a Gateway Server, which differs for the reasons explained below.

All of the following steps and explanations are valid for a Gateway/Proxy Server. For any other type of server, you only need to create the required symbolic link under your /etc directory that points to the type of server configuration that you need, and start your firewall after setting up your networking configuration in the giptables.conf file.

Unlike the other types of GIPTables Firewall configuration files, such as those for Web, Mail or DNS Servers, configuring a GNU/Linux server to masquerade and forward traffic from an inside private network that has unregistered IP addresses (i.e. 192.168.1.0/24) to the outside network (i.e. the Internet) requires a special setup of your kernel and of your GIPTables firewall configuration file. This kind of configuration is also known as a Gateway Server or Proxy Server (a machine that serves as a gateway between internal traffic and external traffic). This configuration must be set up only if you intend to and need to provide this kind of service.

Some Points to Consider

You can safely assume that you are potentially at risk if you connect your system to the Internet. Your gateway to the Internet is your greatest exposure, so we recommend the following:
Masquerading means that if one of the computers on your local network, for which your GNU/Linux machine (or Gateway/Proxy) acts as a firewall, wants to send something to the outside, your machine can "masquerade" as that computer. In other words, it forwards the traffic to the intended outside destination, but makes it look like it came from the firewall machine itself. It works both ways: if the outside host replies, the GNU/Linux firewall will silently forward the traffic to the corresponding local computer. This way, the computers on your local network are completely invisible to the outside world, even though they can reach outside and can receive replies. This makes it possible to have the computers on the local network participate on the Internet even if they don't have officially registered IP addresses.

Step 1

The IP masquerading code will only work if IP forwarding is enabled on your system. This feature is disabled by default and you should enable it. To enable IPv4 forwarding on your GNU/Linux system, do the following:

Edit the sysctl.conf file:

[root@deep /]# vi /etc/sysctl.conf

Add the following lines:

# Enable packet forwarding (required only for Gateway, VPN, Proxy, PPP)
net.ipv4.ip_forward = 1

You must restart your network for the change to take effect. The command to restart the network is the following:

[root@deep /]# /etc/rc.d/init.d/network restart
Setting network parameters                    [OK]
Bringing up interface lo                      [OK]
Bringing up interface eth0                    [OK]
Bringing up interface eth1                    [OK]

Step 2

Create the symbolic link giptables.conf that points to the GIPTables configuration file suitable for our setup of a Gateway Server. This can be accomplished with the following commands:

[root@deep /]# cd /lib/giptables/conf/
[root@deep conf]# cp giptables.conf.gateway giptables.conf.mygw
[root@deep conf]# ln -sf /lib/giptables/conf/giptables.conf.mygw /etc/giptables.conf

In the above step, we make a copy of our original giptables.conf.gateway file and create a symbolic link pointing to the copy.

NOTE: It is a good idea not to modify an example configuration file directly, because if you damage it you have to install the package again in order to get it back.

Step 3

Once the symbolic link is created, we will edit it to suit our requirements. The texts in bold are the parts of the configuration that must be customized and adjusted to satisfy your needs. This is the configuration script file for a Gateway/Proxy Server, it will:
"no" to the question. If you want some other services that are not enabled, simply say "yes" to the question. If the service does not exist, add it to your configuration based on the available examples from the giptables.conf.README file.

To edit the giptables.conf file, use the following command:

# ----------------------------------------------------------------------------
# GIPTables Firewall v1.1 http://www.giptables.org
# Copyright (C) 2002 Adrian Pascalau <apascalau@openna.com>
# GATEWAY main configuration file
#
# ----------------------------------------------------------------------------
# This file is part of GIPTables Firewall
#
# GIPTables Firewall is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation; either version 2 of the License, or
# (at your option) any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program; if not, write to the Free Software
# Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
# ----------------------------------------------------------------------------

# DEBUG
#
DEBUG="off"

# ----------------------------------------------------------------------------
# Some definitions for easy maintenance
# Edit these to suit your system
#
MONOLITIC_KERNEL="no"

# Interface 0: This is our external network interface
# It is directly connected to Internet
INTERFACE0="eth0"
INTERFACE0_IPADDR="x.x.x.x"
ANY_IPADDR="0/0"

# Interface 1: This is our internal network interface
# It is directly connected to our internal Network 1
INTERFACE1="eth1"
INTERFACE1_IPADDR="192.168.1.254"
NETWORK1="192.168.1.0/24"

# Do you need Network Address Translation for your internal network?
NETWORK1_NAT="yes"

# Your name servers ip address
ISP_PRIMARY_DNS_SERVER="a.a.a.a"
ISP_SECONDARY_DNS_SERVER="b.b.b.b"

# SYSLOG server ip address
SYSLOG_SERVER="c.c.c.c"

# Loopback interface
LOOPBACK_INTERFACE="lo"

# Port declarations, do not change them
PRIV_PORTS="0:1023"
UNPRIV_PORTS="1024:65535"

# ----------------------------------------------------------------------------
# Loading custom firewall rules from /etc/rc.d/rc.giptables.custom
#
LOAD_CUSTOM_RULES="yes"

# ----------------------------------------------------------------------------
# Logging
# Limit the amount of incoming dropped packets that gets sent to the logs
#
# We log & drop all the packets that are not expected. In order to avoid
# our logs being flooded, we rate limit the logging

# Interface 0 log dropped packets
INTERFACE0_LOG_DROPPED_PACKETS="yes"
INTERFACE0_LOG_LIMIT="5/m"
INTERFACE0_LOG_LIMIT_BURST="7"

# Interface 1 log dropped packets
INTERFACE1_LOG_DROPPED_PACKETS="yes"
INTERFACE1_LOG_LIMIT="7/m"
INTERFACE1_LOG_LIMIT_BURST="9"

# Network 1 log forwarded dropped packets
NETWORK1_LOG_DROPPED_PACKETS="yes"
NETWORK1_LOG_LIMIT="9/m"
NETWORK1_LOG_LIMIT_BURST="11"

# ----------------------------------------------------------------------------
# Network Ghouls
# Refuse any connection from problem sites
#
# The /etc/rc.d/rc.giptables.blocked file contains a list of ip addresses that
# will be blocked from having any kind of access to your server on all your
# interfaces if the next option is "yes"
NETWORK_GHOULS="yes"

# ----------------------------------------------------------------------------
# Syn-flood protection
# Limit the number of incoming tcp connections
#
SYN_FLOOD_PROTECTION="yes"

# Interface 0 incoming syn-flood protection
INTERFACE0_IN_SYN_FLOOD_PROTECTION="yes"
INTERFACE0_IN_TCP_CONN_LIMIT="1/s"
INTERFACE0_IN_TCP_CONN_LIMIT_BURST="3"

# Interface 1 incoming syn-flood protection
INTERFACE1_IN_SYN_FLOOD_PROTECTION="yes"
INTERFACE1_IN_TCP_CONN_LIMIT="3/s"
INTERFACE1_IN_TCP_CONN_LIMIT_BURST="5"

# Network 1 forwarded incoming syn-flood protection
NETWORK1_IN_SYN_FLOOD_PROTECTION="yes"
NETWORK1_IN_TCP_CONN_LIMIT="5/s"
NETWORK1_IN_TCP_CONN_LIMIT_BURST="7"

# ----------------------------------------------------------------------------
# Sanity check
#
SANITY_CHECK="yes"

# Make sure NEW incoming tcp connections are SYN packets
INTERFACE0_IN_DROP_NEW_WITHOUT_SYN="yes"
INTERFACE1_IN_DROP_NEW_WITHOUT_SYN="yes"
NETWORK1_IN_DROP_NEW_WITHOUT_SYN="yes"

# Drop all incoming fragments
INTERFACE0_IN_DROP_ALL_FRAGMENTS="yes"
INTERFACE1_IN_DROP_ALL_FRAGMENTS="yes"
NETWORK1_IN_DROP_ALL_FRAGMENTS="yes"

# Drop all incoming malformed XMAS packets
INTERFACE0_IN_DROP_XMAS_PACKETS="yes"
INTERFACE1_IN_DROP_XMAS_PACKETS="yes"
NETWORK1_IN_DROP_XMAS_PACKETS="yes"

# Drop all incoming malformed NULL packets
INTERFACE0_IN_DROP_NULL_PACKETS="yes"
INTERFACE1_IN_DROP_NULL_PACKETS="yes"
NETWORK1_IN_DROP_NULL_PACKETS="yes"

# ----------------------------------------------------------------------------
# Spoofing and bad addresses
#
REFUSE_SPOOFING="yes"

# Refuse incoming packets claiming to be from the ip addresses of our interfaces
REFUSE_SPOOFING_IPADDR[0]=$INTERFACE0_IPADDR
INTERFACE0_IN_REFUSE_SPOOFING[0]="yes"
INTERFACE1_IN_REFUSE_SPOOFING[0]="no"
NETWORK1_IN_REFUSE_SPOOFING[0]="yes"

REFUSE_SPOOFING_IPADDR[1]=$INTERFACE1_IPADDR
INTERFACE0_IN_REFUSE_SPOOFING[1]="no"
INTERFACE1_IN_REFUSE_SPOOFING[1]="yes"
NETWORK1_IN_REFUSE_SPOOFING[1]="no"

# Refuse incoming packets claiming to be from broadcast-src address range
REFUSE_SPOOFING_IPADDR[2]="0.0.0.0/8"
# If you provide DHCP services on one of your interfaces, do not forget to
# set the following option related to that interface to "no"
INTERFACE0_IN_REFUSE_SPOOFING[2]="yes"
INTERFACE1_IN_REFUSE_SPOOFING[2]="no"
NETWORK1_IN_REFUSE_SPOOFING[2]="yes"

# Refuse incoming packets claiming to be from reserved loopback address range
REFUSE_SPOOFING_IPADDR[3]="127.0.0.0/8"
INTERFACE0_IN_REFUSE_SPOOFING[3]="yes"
INTERFACE1_IN_REFUSE_SPOOFING[3]="yes"
NETWORK1_IN_REFUSE_SPOOFING[3]="yes"

# Refuse incoming packets claiming to be from class A private network
REFUSE_SPOOFING_IPADDR[4]="10.0.0.0/8"
INTERFACE0_IN_REFUSE_SPOOFING[4]="yes"
INTERFACE1_IN_REFUSE_SPOOFING[4]="yes"
NETWORK1_IN_REFUSE_SPOOFING[4]="yes"

# Refuse incoming packets claiming to be from class B private network
REFUSE_SPOOFING_IPADDR[5]="172.16.0.0/12"
INTERFACE0_IN_REFUSE_SPOOFING[5]="yes"
INTERFACE1_IN_REFUSE_SPOOFING[5]="yes"
NETWORK1_IN_REFUSE_SPOOFING[5]="yes"

# Refuse incoming packets claiming to be from class C private network
REFUSE_SPOOFING_IPADDR[6]="192.168.0.0/16"
INTERFACE0_IN_REFUSE_SPOOFING[6]="yes"
INTERFACE1_IN_REFUSE_SPOOFING[6]="no"
NETWORK1_IN_REFUSE_SPOOFING[6]="yes"

# Refuse incoming packets claiming to be from class D, E, and unallocated
REFUSE_SPOOFING_IPADDR[7]="224.0.0.0/3"
INTERFACE0_IN_REFUSE_SPOOFING[7]="yes"
INTERFACE1_IN_REFUSE_SPOOFING[7]="yes"
NETWORK1_IN_REFUSE_SPOOFING[7]="yes"

# ****************************************************************************
#                                                                            *
# A N Y                                                                      *
#                                                                            *
# ****************************************************************************
ACCEPT_ANY="no"

# ****************************************************************************
#                                                                            *
# D N S                                                                      *
#                                                                            *
# ****************************************************************************
ACCEPT_DNS="yes"

# ----------------------------------------------------------------------------
# DNS outgoing client request
#

# Interface 0 DNS outgoing client request
INTERFACE0_DNS_CLIENT="yes"
INTERFACE0_DNS_OUT_SRC_IPADDR[0]=$INTERFACE0_IPADDR
INTERFACE0_DNS_OUT_DST_IPADDR[0]=$ISP_PRIMARY_DNS_SERVER
INTERFACE0_DNS_OUT_UDP_REQUEST[0]="yes"
INTERFACE0_DNS_OUT_TCP_REQUEST[0]="yes"
INTERFACE0_DNS_OUT_SPORT53_REQUEST[0]="no"

INTERFACE0_DNS_OUT_SRC_IPADDR[1]=$INTERFACE0_IPADDR
INTERFACE0_DNS_OUT_DST_IPADDR[1]=$ISP_SECONDARY_DNS_SERVER
INTERFACE0_DNS_OUT_UDP_REQUEST[1]="yes"
INTERFACE0_DNS_OUT_TCP_REQUEST[1]="yes"
INTERFACE0_DNS_OUT_SPORT53_REQUEST[1]="no"

# Network 1 DNS forwarded outgoing client request
NETWORK1_DNS_CLIENT="yes"
NETWORK1_DNS_OUT_SRC_IPADDR[0]=$NETWORK1
NETWORK1_DNS_OUT_DST_IPADDR[0]=$ISP_PRIMARY_DNS_SERVER
NETWORK1_DNS_OUT_UDP_REQUEST[0]="yes"
NETWORK1_DNS_OUT_TCP_REQUEST[0]="yes"
NETWORK1_DNS_OUT_SPORT53_REQUEST[0]="no"

NETWORK1_DNS_OUT_SRC_IPADDR[1]=$NETWORK1
NETWORK1_DNS_OUT_DST_IPADDR[1]=$ISP_SECONDARY_DNS_SERVER
NETWORK1_DNS_OUT_UDP_REQUEST[1]="yes"
NETWORK1_DNS_OUT_TCP_REQUEST[1]="yes"
NETWORK1_DNS_OUT_SPORT53_REQUEST[1]="no"

# ----------------------------------------------------------------------------
# DNS incoming client request
#

# Interface 1 DNS incoming client request
INTERFACE1_DNS_SERVER="no"
INTERFACE1_DNS_IN_SRC_IPADDR[0]=$NETWORK1
INTERFACE1_DNS_IN_DST_IPADDR[0]=$INTERFACE0_IPADDR
INTERFACE1_DNS_IN_UDP_REQUEST[0]="yes"
INTERFACE1_DNS_IN_TCP_REQUEST[0]="yes"
INTERFACE1_DNS_IN_SPORT53_REQUEST[0]="no"

INTERFACE1_DNS_IN_SRC_IPADDR[1]=$NETWORK1
INTERFACE1_DNS_IN_DST_IPADDR[1]=$INTERFACE1_IPADDR
INTERFACE1_DNS_IN_UDP_REQUEST[1]="yes"
INTERFACE1_DNS_IN_TCP_REQUEST[1]="yes"
INTERFACE1_DNS_IN_SPORT53_REQUEST[1]="no"

# ****************************************************************************
#                                                                            *
# F T P                                                                      *
#                                                                            *
# ****************************************************************************
ACCEPT_FTP="yes"

# ----------------------------------------------------------------------------
# FTP outgoing client request
#

# Interface 0 FTP outgoing client request
INTERFACE0_FTP_CLIENT="yes"
INTERFACE0_FTP_OUT_SRC_IPADDR[0]=$INTERFACE0_IPADDR
INTERFACE0_FTP_OUT_DST_IPADDR[0]=$ANY_IPADDR
INTERFACE0_FTP_OUT_PASIVE[0]="yes"
INTERFACE0_FTP_OUT_ACTIVE[0]="no"

# Interface 1 FTP outgoing client request
INTERFACE1_FTP_CLIENT="yes"
INTERFACE1_FTP_OUT_SRC_IPADDR[0]=$INTERFACE1_IPADDR
INTERFACE1_FTP_OUT_DST_IPADDR[0]=$NETWORK1
INTERFACE1_FTP_OUT_PASIVE[0]="yes"
INTERFACE1_FTP_OUT_ACTIVE[0]="yes"

# Network 1 FTP forwarded outgoing client request
NETWORK1_FTP_CLIENT="yes"
NETWORK1_FTP_OUT_SRC_IPADDR[0]=$NETWORK1
NETWORK1_FTP_OUT_DST_IPADDR[0]=$ANY_IPADDR
NETWORK1_FTP_OUT_PASIVE[0]="yes"
NETWORK1_FTP_OUT_ACTIVE[0]="no"

# ----------------------------------------------------------------------------
# FTP incoming client request
#

# Interface 1 FTP incoming client request
INTERFACE1_FTP_SERVER="yes"
INTERFACE1_FTP_IN_SRC_IPADDR[0]=$NETWORK1
INTERFACE1_FTP_IN_DST_IPADDR[0]=$INTERFACE0_IPADDR
INTERFACE1_FTP_IN_PASIVE[0]="yes"
INTERFACE1_FTP_IN_ACTIVE[0]="yes"

INTERFACE1_FTP_IN_SRC_IPADDR[1]=$NETWORK1
INTERFACE1_FTP_IN_DST_IPADDR[1]=$INTERFACE1_IPADDR
INTERFACE1_FTP_IN_PASIVE[1]="yes"
INTERFACE1_FTP_IN_ACTIVE[1]="yes"

# ****************************************************************************
#                                                                            *
# S S H                                                                      *
#                                                                            *
# ****************************************************************************
ACCEPT_SSH="yes"

# ----------------------------------------------------------------------------
# SSH outgoing client request
#

# Interface 0 SSH outgoing client request
INTERFACE0_SSH_CLIENT="yes"
INTERFACE0_SSH_OUT_SRC_IPADDR[0]=$INTERFACE0_IPADDR
INTERFACE0_SSH_OUT_DST_IPADDR[0]=$ANY_IPADDR

# Interface 1 SSH outgoing client request
INTERFACE1_SSH_CLIENT="yes"
INTERFACE1_SSH_OUT_SRC_IPADDR[0]=$INTERFACE1_IPADDR
INTERFACE1_SSH_OUT_DST_IPADDR[0]=$NETWORK1

# Network 1 SSH forwarded outgoing client request
NETWORK1_SSH_CLIENT="yes"
NETWORK1_SSH_OUT_SRC_IPADDR[0]=$NETWORK1
NETWORK1_SSH_OUT_DST_IPADDR[0]=$ANY_IPADDR

# ----------------------------------------------------------------------------
# SSH incoming client request
#

# Interface 0 SSH incoming client request
INTERFACE0_SSH_SERVER="yes"
INTERFACE0_SSH_IN_SRC_IPADDR[0]=$ANY_IPADDR
INTERFACE0_SSH_IN_DST_IPADDR[0]=$INTERFACE0_IPADDR

# Interface 1 SSH incoming client request
INTERFACE1_SSH_SERVER="yes"
INTERFACE1_SSH_IN_SRC_IPADDR[0]=$NETWORK1
INTERFACE1_SSH_IN_DST_IPADDR[0]=$INTERFACE0_IPADDR

INTERFACE1_SSH_IN_SRC_IPADDR[1]=$NETWORK1
INTERFACE1_SSH_IN_DST_IPADDR[1]=$INTERFACE1_IPADDR

# ****************************************************************************
#                                                                            *
# T E L N E T                                                                *
#                                                                            *
# ****************************************************************************
ACCEPT_TELNET="no"

# ----------------------------------------------------------------------------
# TELNET outgoing client request
#

# Interface 0 TELNET outgoing client request
INTERFACE0_TELNET_CLIENT="yes"
INTERFACE0_TELNET_OUT_SRC_IPADDR[0]=$INTERFACE0_IPADDR
INTERFACE0_TELNET_OUT_DST_IPADDR[0]=$ANY_IPADDR

# Interface 1 TELNET outgoing client request
INTERFACE1_TELNET_CLIENT="yes"
INTERFACE1_TELNET_OUT_SRC_IPADDR[0]=$INTERFACE1_IPADDR
INTERFACE1_TELNET_OUT_DST_IPADDR[0]=$NETWORK1

# Network 1 TELNET forwarded outgoing client request
NETWORK1_TELNET_CLIENT="yes"
NETWORK1_TELNET_OUT_SRC_IPADDR[0]=$NETWORK1
NETWORK1_TELNET_OUT_DST_IPADDR[0]=$ANY_IPADDR

# ----------------------------------------------------------------------------
# TELNET incoming client request
#

# Interface 1 TELNET incoming client request
INTERFACE1_TELNET_SERVER="no"
INTERFACE1_TELNET_IN_SRC_IPADDR[0]=$NETWORK1
INTERFACE1_TELNET_IN_DST_IPADDR[0]=$INTERFACE0_IPADDR

INTERFACE1_TELNET_IN_SRC_IPADDR[1]=$NETWORK1
INTERFACE1_TELNET_IN_DST_IPADDR[1]=$INTERFACE1_IPADDR

# ****************************************************************************
#                                                                            *
# T E L N E T S                                                              *
#                                                                            *
# ****************************************************************************
ACCEPT_TELNETS="no"

# ****************************************************************************
#                                                                            *
# S M T P                                                                    *
#                                                                            *
# ****************************************************************************
ACCEPT_SMTP="yes"

# ----------------------------------------------------------------------------
# SMTP outgoing client request
#

# Interface 0 SMTP outgoing client request
INTERFACE0_SMTP_CLIENT="yes"
INTERFACE0_SMTP_OUT_SRC_IPADDR[0]=$INTERFACE0_IPADDR
INTERFACE0_SMTP_OUT_DST_IPADDR[0]=$ANY_IPADDR

# Network 1 SMTP forwarded outgoing client request
NETWORK1_SMTP_CLIENT="yes"
NETWORK1_SMTP_OUT_SRC_IPADDR[0]=$NETWORK1
NETWORK1_SMTP_OUT_DST_IPADDR[0]=$ANY_IPADDR

# ----------------------------------------------------------------------------
# SMTP incoming client request
#

# Interface 0 SMTP incoming client request
INTERFACE0_SMTP_SERVER="no"
INTERFACE0_SMTP_IN_SRC_IPADDR[0]=$ANY_IPADDR
INTERFACE0_SMTP_IN_DST_IPADDR[0]=$INTERFACE0_IPADDR

# Interface 1 SMTP incoming client request
INTERFACE1_SMTP_SERVER="no"
INTERFACE1_SMTP_IN_SRC_IPADDR[0]=$NETWORK1
INTERFACE1_SMTP_IN_DST_IPADDR[0]=$INTERFACE1_IPADDR

# ****************************************************************************
#                                                                            *
# S M T P S                                                                  *
#                                                                            *
# ****************************************************************************
ACCEPT_SMTPS="no"

# ****************************************************************************
#                                                                            *
# P O P 3                                                                    *
#                                                                            *
# ****************************************************************************
ACCEPT_POP3="yes"

# ----------------------------------------------------------------------------
# POP3 outgoing client request
#

# Network 1 POP3 forwarded outgoing client request
NETWORK1_POP3_CLIENT="yes"
NETWORK1_POP3_OUT_SRC_IPADDR[0]=$NETWORK1
NETWORK1_POP3_OUT_DST_IPADDR[0]=$ANY_IPADDR

# ----------------------------------------------------------------------------
# POP3 incoming client request
#

# Interface 0 POP3 incoming client request
INTERFACE0_POP3_SERVER="no"
INTERFACE0_POP3_IN_SRC_IPADDR[0]=$ANY_IPADDR
INTERFACE0_POP3_IN_DST_IPADDR[0]=$INTERFACE0_IPADDR

# Interface 1 POP3 incoming client request
INTERFACE1_POP3_SERVER="no"
INTERFACE1_POP3_IN_SRC_IPADDR[0]=$NETWORK1
INTERFACE1_POP3_IN_DST_IPADDR[0]=$INTERFACE0_IPADDR

INTERFACE1_POP3_IN_SRC_IPADDR[1]=$NETWORK1
INTERFACE1_POP3_IN_DST_IPADDR[1]=$INTERFACE1_IPADDR

# ****************************************************************************
#                                                                            *
# P O P 3 S                                                                  *
#                                                                            *
# ****************************************************************************
ACCEPT_POP3S="no"

# ----------------------------------------------------------------------------
# POP3S outgoing client request
#

# Network 1 POP3S forwarded outgoing client request
NETWORK1_POP3S_CLIENT="yes"
NETWORK1_POP3S_OUT_SRC_IPADDR[0]=$NETWORK1
NETWORK1_POP3S_OUT_DST_IPADDR[0]=$ANY_IPADDR

# ----------------------------------------------------------------------------
# POP3S incoming client request
#

# Interface 0 POP3S incoming client request
INTERFACE0_POP3S_SERVER="no"
INTERFACE0_POP3S_IN_SRC_IPADDR[0]=$ANY_IPADDR
INTERFACE0_POP3S_IN_DST_IPADDR[0]=$INTERFACE0_IPADDR

# Interface 1 POP3S incoming client request
INTERFACE1_POP3S_SERVER="no"
INTERFACE1_POP3S_IN_SRC_IPADDR[0]=$NETWORK1
INTERFACE1_POP3S_IN_DST_IPADDR[0]=$INTERFACE0_IPADDR

INTERFACE1_POP3S_IN_SRC_IPADDR[1]=$NETWORK1
INTERFACE1_POP3S_IN_DST_IPADDR[1]=$INTERFACE1_IPADDR

# ****************************************************************************
#                                                                            *
# I M A P                                                                    *
#                                                                            *
# ****************************************************************************
ACCEPT_IMAP="yes"

# ----------------------------------------------------------------------------
# IMAP outgoing client request
#

# Network 1 IMAP forwarded outgoing client request
NETWORK1_IMAP_CLIENT="yes"
NETWORK1_IMAP_OUT_SRC_IPADDR[0]=$NETWORK1
NETWORK1_IMAP_OUT_DST_IPADDR[0]=$ANY_IPADDR

# ----------------------------------------------------------------------------
# IMAP incoming client request
#

# Interface 0 IMAP incoming client request
INTERFACE0_IMAP_SERVER="no"
INTERFACE0_IMAP_IN_SRC_IPADDR[0]=$ANY_IPADDR
INTERFACE0_IMAP_IN_DST_IPADDR[0]=$INTERFACE0_IPADDR

# Interface 1 IMAP incoming client request
INTERFACE1_IMAP_SERVER="no"
INTERFACE1_IMAP_IN_SRC_IPADDR[0]=$NETWORK1
INTERFACE1_IMAP_IN_DST_IPADDR[0]=$INTERFACE0_IPADDR

INTERFACE1_IMAP_IN_SRC_IPADDR[1]=$NETWORK1
INTERFACE1_IMAP_IN_DST_IPADDR[1]=$INTERFACE1_IPADDR

# ****************************************************************************
#                                                                            *
# I M A P S                                                                  *
#                                                                            *
# ****************************************************************************
ACCEPT_IMAPS="no"

# ----------------------------------------------------------------------------
# IMAPS outgoing client request
#

# Network 1 IMAPS forwarded outgoing client request
NETWORK1_IMAPS_CLIENT="yes"
NETWORK1_IMAPS_OUT_SRC_IPADDR[0]=$NETWORK1
NETWORK1_IMAPS_OUT_DST_IPADDR[0]=$ANY_IPADDR

# ----------------------------------------------------------------------------
# IMAPS incoming client request
#

# Interface 0 IMAPS incoming client request
INTERFACE0_IMAPS_SERVER="no"
INTERFACE0_IMAPS_IN_SRC_IPADDR[0]=$ANY_IPADDR
INTERFACE0_IMAPS_IN_DST_IPADDR[0]=$INTERFACE0_IPADDR

# Interface 1 IMAPS incoming client request
INTERFACE1_IMAPS_SERVER="no"
INTERFACE1_IMAPS_IN_SRC_IPADDR[0]=$NETWORK1
INTERFACE1_IMAPS_IN_DST_IPADDR[0]=$INTERFACE0_IPADDR

INTERFACE1_IMAPS_IN_SRC_IPADDR[1]=$NETWORK1
INTERFACE1_IMAPS_IN_DST_IPADDR[1]=$INTERFACE1_IPADDR

# ****************************************************************************
#                                                                            *
# H T T P                                                                    *
#                                                                            *
# ****************************************************************************
ACCEPT_HTTP="yes"

# ----------------------------------------------------------------------------
# HTTP outgoing client request
#

# Network 1 HTTP forwarded outgoing client request
NETWORK1_HTTP_CLIENT="yes"
NETWORK1_HTTP_OUT_SRC_IPADDR[0]=$NETWORK1
NETWORK1_HTTP_OUT_DST_IPADDR[0]=$ANY_IPADDR

# ----------------------------------------------------------------------------
# HTTP incoming client request
#

# Interface 0 HTTP incoming client request
INTERFACE0_HTTP_SERVER="no"
INTERFACE0_HTTP_IN_SRC_IPADDR[0]=$ANY_IPADDR
INTERFACE0_HTTP_IN_DST_IPADDR[0]=$INTERFACE0_IPADDR

# Interface 1 HTTP incoming client request
INTERFACE1_HTTP_SERVER="no"
INTERFACE1_HTTP_IN_SRC_IPADDR[0]=$NETWORK1
INTERFACE1_HTTP_IN_DST_IPADDR[0]=$INTERFACE0_IPADDR

INTERFACE1_HTTP_IN_SRC_IPADDR[1]=$NETWORK1
INTERFACE1_HTTP_IN_DST_IPADDR[1]=$INTERFACE1_IPADDR

# ****************************************************************************
#                                                                            *
# H T T P S                                                                  *
#                                                                            *
# ****************************************************************************
ACCEPT_HTTPS="yes"

# ----------------------------------------------------------------------------
# HTTPS outgoing client request
#

# Network 1 HTTPS forwarded outgoing client request
NETWORK1_HTTPS_CLIENT="yes"
NETWORK1_HTTPS_OUT_SRC_IPADDR[0]=$NETWORK1
NETWORK1_HTTPS_OUT_DST_IPADDR[0]=$ANY_IPADDR

# ----------------------------------------------------------------------------
# HTTPS incoming client request
#

# Interface 0 HTTPS incoming client request
INTERFACE0_HTTPS_SERVER="no"
INTERFACE0_HTTPS_IN_SRC_IPADDR[0]=$ANY_IPADDR
INTERFACE0_HTTPS_IN_DST_IPADDR[0]=$INTERFACE0_IPADDR

# Interface 1 HTTPS incoming client request
INTERFACE1_HTTPS_SERVER="no"
INTERFACE1_HTTPS_IN_SRC_IPADDR[0]=$NETWORK1
INTERFACE1_HTTPS_IN_DST_IPADDR[0]=$INTERFACE0_IPADDR

INTERFACE1_HTTPS_IN_SRC_IPADDR[1]=$NETWORK1
INTERFACE1_HTTPS_IN_DST_IPADDR[1]=$INTERFACE1_IPADDR

# ****************************************************************************
#                                                                            *
# S Q U I D                                                                  *
#                                                                            *
# ****************************************************************************
ACCEPT_SQUID="no"                  # Squid in Proxy-Caching Mode

# ****************************************************************************
#                                                                            *
# W E B C A C H E                                                            *
#                                                                            *
# ****************************************************************************
ACCEPT_WEBCACHE="no"               # Squid in HTTPD-Accelerator Mode

# ----------------------------------------------------------------------------
# WEBCACHE outgoing client request
#

# Network 1 WEBCACHE forwarded outgoing client request
NETWORK1_WEBCACHE_CLIENT="yes"
NETWORK1_WEBCACHE_OUT_SRC_IPADDR[0]=$NETWORK1
NETWORK1_WEBCACHE_OUT_DST_IPADDR[0]=$ANY_IPADDR

# ----------------------------------------------------------------------------
# WEBCACHE incoming client request
#

# Interface 0 WEBCACHE incoming client request
INTERFACE0_WEBCACHE_SERVER="no"
INTERFACE0_WEBCACHE_IN_SRC_IPADDR[0]=$ANY_IPADDR
INTERFACE0_WEBCACHE_IN_DST_IPADDR[0]=$INTERFACE0_IPADDR

# Interface 1 WEBCACHE incoming client request
INTERFACE1_WEBCACHE_SERVER="no"
INTERFACE1_WEBCACHE_IN_SRC_IPADDR[0]=$NETWORK1
INTERFACE1_WEBCACHE_IN_DST_IPADDR[0]=$INTERFACE0_IPADDR

INTERFACE1_WEBCACHE_IN_SRC_IPADDR[1]=$NETWORK1
INTERFACE1_WEBCACHE_IN_DST_IPADDR[1]=$INTERFACE1_IPADDR

# ****************************************************************************
#                                                                            *
# S O C K S                                                                  *
#                                                                            *
# ****************************************************************************
ACCEPT_SOCKS="no"

# ****************************************************************************
#                                                                            *
# N N T P                                                                    *
#                                                                            *
# ****************************************************************************
ACCEPT_NNTP="yes"

# ----------------------------------------------------------------------------
# NNTP outgoing client request
#

# Network 1 NNTP forwarded outgoing client request
NETWORK1_NNTP_CLIENT="yes"
NETWORK1_NNTP_OUT_SRC_IPADDR[0]=$NETWORK1
NETWORK1_NNTP_OUT_DST_IPADDR[0]=$ANY_IPADDR

# ****************************************************************************
#                                                                            *
# N N T P S                                                                  *
#                                                                            *
# ****************************************************************************
ACCEPT_NNTPS="no"

# ****************************************************************************
#                                                                            *
# M Y S Q L                                                                  *
#                                                                            *
# ****************************************************************************
ACCEPT_MYSQL="no"

# ****************************************************************************
#                                                                            *
# P O S T G R E S                                                            *
#                                                                            *
# ****************************************************************************
ACCEPT_POSTGRES="no"

# ****************************************************************************
#                                                                            *
# O R A C L E                                                                *
#                                                                            *
# ****************************************************************************
ACCEPT_ORACLE="no"

# ****************************************************************************
#                                                                            *
# M S S Q L                                                                  *
#                                                                            *
# ****************************************************************************
ACCEPT_MSSQL="no"

# ****************************************************************************
#                                                                            *
# L D A P                                                                    *
#                                                                            *
# ****************************************************************************
ACCEPT_LDAP="no"

# ****************************************************************************
#                                                                            *
# L D A P S                                                                  *
#                                                                            *
# ****************************************************************************
ACCEPT_LDAPS="no"

# ****************************************************************************
#                                                                            *
# A U T H                                                                    *
#                                                                            *
# ****************************************************************************
ACCEPT_AUTH="no"

# ----------------------------------------------------------------------------
# AUTH outgoing client request
#

# Interface 0 AUTH outgoing client request
INTERFACE0_AUTH_CLIENT="yes"
INTERFACE0_AUTH_OUT_SRC_IPADDR[0]=$INTERFACE0_IPADDR
INTERFACE0_AUTH_OUT_DST_IPADDR[0]=$ANY_IPADDR

# Interface 1 AUTH outgoing client request
INTERFACE1_AUTH_CLIENT="yes"
INTERFACE1_AUTH_OUT_SRC_IPADDR[0]=$INTERFACE1_IPADDR
INTERFACE1_AUTH_OUT_DST_IPADDR[0]=$NETWORK1

# Network 1 AUTH forwarded outgoing client request
NETWORK1_AUTH_CLIENT="yes"
NETWORK1_AUTH_OUT_SRC_IPADDR[0]=$NETWORK1
NETWORK1_AUTH_OUT_DST_IPADDR[0]=$ANY_IPADDR

# ****************************************************************************
#                                                                            *
# W H O I S                                                                  *
#                                                                            *
# ****************************************************************************
ACCEPT_WHOIS="no"

# ----------------------------------------------------------------------------
# WHOIS outgoing client request
#

# Interface 0 WHOIS outgoing client request
INTERFACE0_WHOIS_CLIENT="yes"
INTERFACE0_WHOIS_OUT_SRC_IPADDR[0]=$INTERFACE0_IPADDR
INTERFACE0_WHOIS_OUT_DST_IPADDR[0]=$ANY_IPADDR

# Interface 1 WHOIS outgoing client request
INTERFACE1_WHOIS_CLIENT="yes"
INTERFACE1_WHOIS_OUT_SRC_IPADDR[0]=$INTERFACE1_IPADDR
INTERFACE1_WHOIS_OUT_DST_IPADDR[0]=$NETWORK1

# Network 1 WHOIS forwarded outgoing client request
NETWORK1_WHOIS_CLIENT="yes"
NETWORK1_WHOIS_OUT_SRC_IPADDR[0]=$NETWORK1
NETWORK1_WHOIS_OUT_DST_IPADDR[0]=$ANY_IPADDR

# ****************************************************************************
#                                                                            *
# F I N G E R                                                                *
#                                                                            *
# ****************************************************************************
ACCEPT_FINGER="no"

# ----------------------------------------------------------------------------
# FINGER outgoing client request
#

# Interface 0 FINGER outgoing client request
INTERFACE0_FINGER_CLIENT="yes"
INTERFACE0_FINGER_OUT_SRC_IPADDR[0]=$INTERFACE0_IPADDR
INTERFACE0_FINGER_OUT_DST_IPADDR[0]=$ANY_IPADDR

# Interface 1 FINGER outgoing client request
INTERFACE1_FINGER_CLIENT="yes"
INTERFACE1_FINGER_OUT_SRC_IPADDR[0]=$INTERFACE1_IPADDR
INTERFACE1_FINGER_OUT_DST_IPADDR[0]=$NETWORK1

# Network 1 FINGER forwarded outgoing client request
NETWORK1_FINGER_CLIENT="yes"
NETWORK1_FINGER_OUT_SRC_IPADDR[0]=$NETWORK1
NETWORK1_FINGER_OUT_DST_IPADDR[0]=$ANY_IPADDR

# ****************************************************************************
#                                                                            *
# N T P                                                                      *
#                                                                            *
# ****************************************************************************
ACCEPT_NTP="no"

# ----------------------------------------------------------------------------
# NTP outgoing client request
#

# Interface 0 NTP outgoing client request
INTERFACE0_NTP_CLIENT="yes"
INTERFACE0_NTP_OUT_SRC_IPADDR[0]=$INTERFACE0_IPADDR
INTERFACE0_NTP_OUT_DST_IPADDR[0]=$ANY_IPADDR

# Interface 1 NTP outgoing client request
INTERFACE1_NTP_CLIENT="yes"
INTERFACE1_NTP_OUT_SRC_IPADDR[0]=$INTERFACE1_IPADDR
INTERFACE1_NTP_OUT_DST_IPADDR[0]=$NETWORK1

# Network 1 NTP forwarded outgoing client request
NETWORK1_NTP_CLIENT="yes"
NETWORK1_NTP_OUT_SRC_IPADDR[0]=$NETWORK1
NETWORK1_NTP_OUT_DST_IPADDR[0]=$ANY_IPADDR

# ****************************************************************************
#                                                                            *
# S N M P                                                                    *
#                                                                            *
# ****************************************************************************
ACCEPT_SNMP="no"

# ****************************************************************************
#                                                                            *
# X 1 1                                                                      *
#                                                                            *
# ****************************************************************************
ACCEPT_X11="no"

# ****************************************************************************
#                                                                            *
# V N C                                                                      *
#                                                                            *
# ****************************************************************************
ACCEPT_VNC="no"

# ****************************************************************************
#                                                                            *
# L P D                                                                      *
#                                                                            *
# ****************************************************************************
ACCEPT_LPD="no"

# ****************************************************************************
#                                                                            *
# N E T B I O S                                                              *
#                                                                            *
# ****************************************************************************
ACCEPT_NETBIOS="no"

# ----------------------------------------------------------------------------
# NETBIOS outgoing client request
#

# Interface 1 NETBIOS outgoing client request
INTERFACE1_NETBIOS_CLIENT="yes"
INTERFACE1_NETBIOS_OUT_SRC_IPADDR[0]=$INTERFACE1_IPADDR
INTERFACE1_NETBIOS_OUT_DST_IPADDR[0]=$NETWORK1

# ----------------------------------------------------------------------------
# NETBIOS incoming client request
#

# Interface 1 NETBIOS incoming client request
INTERFACE1_NETBIOS_SERVER="no"
INTERFACE1_NETBIOS_IN_SRC_IPADDR[0]=$NETWORK1
INTERFACE1_NETBIOS_IN_DST_IPADDR[0]=$INTERFACE1_IPADDR

# ****************************************************************************
#                                                                            *
# S Y S L O G                                                                *
#                                                                            *
# ****************************************************************************
ACCEPT_SYSLOG="no"

# ----------------------------------------------------------------------------
# SYSLOG outgoing client request
#

# Interface 1 SYSLOG outgoing client request
INTERFACE1_SYSLOG_CLIENT="yes"
INTERFACE1_SYSLOG_OUT_SRC_IPADDR[0]=$INTERFACE1_IPADDR
INTERFACE1_SYSLOG_OUT_DST_IPADDR[0]=$SYSLOG_SERVER

# ****************************************************************************
#                                                                            *
# T R A C E R O U T E                                                        *
#                                                                            *
# ****************************************************************************
ACCEPT_TRACEROUTE="yes"

# ----------------------------------------------------------------------------
# TRACEROUTE outgoing client request
#

# Interface 0 TRACEROUTE outgoing client request
INTERFACE0_TRACEROUTE_CLIENT="yes"
INTERFACE0_TRACEROUTE_OUT_SRC_IPADDR[0]=$INTERFACE0_IPADDR
INTERFACE0_TRACEROUTE_OUT_DST_IPADDR[0]=$ANY_IPADDR

# Interface 1 TRACEROUTE outgoing client request
INTERFACE1_TRACEROUTE_CLIENT="yes"
INTERFACE1_TRACEROUTE_OUT_SRC_IPADDR[0]=$INTERFACE1_IPADDR
INTERFACE1_TRACEROUTE_OUT_DST_IPADDR[0]=$NETWORK1

# Network 1 TRACEROUTE forwarded outgoing client request
NETWORK1_TRACEROUTE_CLIENT="yes"
NETWORK1_TRACEROUTE_OUT_SRC_IPADDR[0]=$NETWORK1
NETWORK1_TRACEROUTE_OUT_DST_IPADDR[0]=$ANY_IPADDR

# ----------------------------------------------------------------------------
# TRACEROUTE incoming client request
#

# Interface 1 TRACEROUTE incoming client request
INTERFACE1_TRACEROUTE_SERVER="yes"
INTERFACE1_TRACEROUTE_IN_SRC_IPADDR[0]=$NETWORK1
INTERFACE1_TRACEROUTE_IN_DST_IPADDR[0]=$INTERFACE0_IPADDR

INTERFACE1_TRACEROUTE_IN_SRC_IPADDR[1]=$NETWORK1
INTERFACE1_TRACEROUTE_IN_DST_IPADDR[1]=$INTERFACE1_IPADDR

# ****************************************************************************
#                                                                            *
# I C M P                                                                    *
#                                                                            *
# ****************************************************************************
ACCEPT_ICMP="yes"

# ----------------------------------------------------------------------------
# ICMP outgoing client request
#

# Interface 0 ICMP outgoing client request
INTERFACE0_ICMP_CLIENT="yes"
INTERFACE0_ICMP_OUT_SRC_IPADDR[0]=$INTERFACE0_IPADDR
INTERFACE0_ICMP_OUT_DST_IPADDR[0]=$ANY_IPADDR

# Interface 1 ICMP outgoing client request
INTERFACE1_ICMP_CLIENT="yes"
INTERFACE1_ICMP_OUT_SRC_IPADDR[0]=$INTERFACE1_IPADDR
INTERFACE1_ICMP_OUT_DST_IPADDR[0]=$NETWORK1

# Network 1 ICMP forwarded outgoing client request
NETWORK1_ICMP_CLIENT="yes"
NETWORK1_ICMP_OUT_SRC_IPADDR[0]=$NETWORK1
NETWORK1_ICMP_OUT_DST_IPADDR[0]=$ANY_IPADDR

# ----------------------------------------------------------------------------
# ICMP incoming client request
#

# Interface 1 ICMP incoming client request
INTERFACE1_ICMP_SERVER="yes"
INTERFACE1_ICMP_IN_SRC_IPADDR[0]=$NETWORK1
INTERFACE1_ICMP_IN_DST_IPADDR[0]=$INTERFACE0_IPADDR
INTERFACE1_ICMP_IN_SRC_IPADDR[1]=$NETWORK1
INTERFACE1_ICMP_IN_DST_IPADDR[1]=$INTERFACE1_IPADDR

# ****************************************************************************
# *                                                                          *
# *                              D H C P                                     *
# *                                                                          *
# ****************************************************************************
ACCEPT_DHCP="yes"

# ----------------------------------------------------------------------------
# DHCP incoming client request
#

# Interface 1 DHCP incoming client request
INTERFACE1_DHCP_SERVER="yes"
# If above option is "yes", do not forget to configure the following
# lines in the "Spoofing and bad addresses" section
# REFUSE_SPOOFING_IPADDR[2]="0.0.0.0/8"
# INTERFACE1_IN_REFUSE_SPOOFING[2]="no"
INTERFACE1_DHCP_IN_SRC_IPADDR[0]=$NETWORK1
INTERFACE1_DHCP_IN_DST_IPADDR[0]=$INTERFACE1_IPADDR

# ****************************************************************************
# *                                                                          *
# *                              E N D                                       *
# *                                                                          *
# ****************************************************************************
DROP_EVERYTHING_FROM_HERE="yes"

# ----------------------------------------------------------------------------
# LOG & DROP everything from here... just in case.
#
INTERFACE0_IN_DROP_EVERYTHING_FROM_HERE="yes"
INTERFACE1_IN_DROP_EVERYTHING_FROM_HERE="yes"
NETWORK1_IN_DROP_EVERYTHING_FROM_HERE="yes"

# ----------------------------------------------------------------------------
# End of file

Step 4
Once the configuration file has been configured, it is time to start the firewall on your system. To start the firewall, use the following command:

[root@deep /]# /etc/init.d/giptables start
Starting Firewalling Services: [OK]

At this stage, your gateway is already protected by a powerful firewall.
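Before starting the firewall it is worth auditing the configuration file for the points its own comments raise. The script below is an added example written for this guide page; it is not part of GIPTables and not the authors' code. It parses a giptables.conf-style file with sed (never sourcing it), lists every ACCEPT_* service set to "yes" so you can review the exposure, and checks that when INTERFACE1_DHCP_SERVER="yes" an uncommented REFUSE_SPOOFING_IPADDR[i]="0.0.0.0/8" entry is paired with INTERFACE1_IN_REFUSE_SPOOFING[i]="no", as the DHCP section comment requires (DHCP discover packets carry source address 0.0.0.0, which the anti-spoofing rule would otherwise drop, so the DHCP server never sees them). The sample fragment, its addresses and the function names are constructed for this example.

```shell
#!/bin/sh
# Added example, not part of GIPTables or this guide: audit a
# giptables.conf-style file without sourcing it. POSIX sh + sed only.

# Write a constructed sample fragment (hypothetical addresses) to file $1.
# It mirrors the layout shown above: DHCP server enabled on interface 1,
# but the 0.0.0.0/8 spoofing exemption still commented out.
make_sample_conf() {
    cat > "$1" <<'EOF'
INTERFACE0_IPADDR="192.0.2.1"
INTERFACE1_IPADDR="192.168.1.1"
NETWORK1="192.168.1.0/24"
REFUSE_SPOOFING_IPADDR[0]="127.0.0.0/8"
INTERFACE1_IN_REFUSE_SPOOFING[0]="yes"
REFUSE_SPOOFING_IPADDR[1]="10.0.0.0/8"
INTERFACE1_IN_REFUSE_SPOOFING[1]="yes"
ACCEPT_FINGER="no"
ACCEPT_TRACEROUTE="yes"
ACCEPT_ICMP="yes"
ACCEPT_DHCP="yes"
INTERFACE1_DHCP_SERVER="yes"
# REFUSE_SPOOFING_IPADDR[2]="0.0.0.0/8"
# INTERFACE1_IN_REFUSE_SPOOFING[2]="no"
EOF
}

# Append the two lines the DHCP comment asks for (index 2, as in the guide).
add_dhcp_spoofing_exemption() {
    printf '%s\n' 'REFUSE_SPOOFING_IPADDR[2]="0.0.0.0/8"' \
                  'INTERFACE1_IN_REFUSE_SPOOFING[2]="no"' >> "$1"
}

# Print the names of all services with ACCEPT_<NAME>="yes", sorted, on one line.
enabled_services() {
    sed -n 's/^ACCEPT_\([A-Z0-9_]*\)="yes".*/\1/p' "$1" | sort | tr '\n' ' ' | sed 's/ $//'
}

# Return 0 when the file is consistent for DHCP: either interface 1 does not
# serve DHCP, or some active REFUSE_SPOOFING_IPADDR[i]="0.0.0.0/8" entry is
# paired with INTERFACE1_IN_REFUSE_SPOOFING[i]="no". Commented-out lines do
# not count because the patterns are anchored at the start of the line.
check_dhcp_spoofing() {
    conf="$1"
    dhcp=$(sed -n 's/^INTERFACE1_DHCP_SERVER="\([^"]*\)".*/\1/p' "$conf" | tail -n 1)
    [ "$dhcp" = "yes" ] || return 0      # no DHCP server: nothing to check
    for idx in $(sed -n 's/^REFUSE_SPOOFING_IPADDR\[\([0-9]*\)]="0\.0\.0\.0\/8".*/\1/p' "$conf"); do
        val=$(sed -n "s/^INTERFACE1_IN_REFUSE_SPOOFING\[$idx]=\"\([^\"]*\)\".*/\1/p" "$conf" | tail -n 1)
        [ "$val" = "no" ] && return 0
    done
    return 1
}

# Print a short report for the file given as $1; non-zero exit on a problem.
audit_conf() {
    echo "enabled services: $(enabled_services "$1")"
    if check_dhcp_spoofing "$1"; then
        echo "DHCP/spoofing: OK"
    else
        echo "DHCP/spoofing: interface 1 serves DHCP but 0.0.0.0/8 is still refused"
        return 1
    fi
}

# Usage: sh audit_giptables.sh /etc/giptables.conf
if [ $# -gt 0 ]; then
    audit_conf "$1"
fi
```

Run it against the real file before /etc/init.d/giptables start; the report lists the enabled services and fails if the DHCP exemption is missing. Parsing the file with sed rather than sourcing it means a typo in the config cannot execute anything while you audit it.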