#!/usr/bin/env bash

## ----------------------------------------------------------------
## --- Main configuration for the IPv4 firewall script ipt-firewall-server
## ----------------------------------------------------------------
##
## This file only assigns shell variables; it runs no commands itself and
## is meant to be read (sourced) by the firewall script.
##
## NOTE(review): values written as "$standard_*" / "$default_*" are not
## defined in this file — the main script (or a defaults file) must set
## them before this file is sourced; confirm that ordering.
##
## NOTE(review): most examples below still use IPv6 addresses and '::/0'
## (apparently carried over from the IPv6 variant of this script). For this
## IPv4 script use IPv4 addresses / CIDR networks; 0.0.0.0/0 means "any".
## Verify how the main script parses these lists before copying an example.

# -------------
# --- Prevent bridged traffic getting pushed through the host's iptables rules
# -------------

# - Prevent bridged traffic getting pushed through the
# - host's iptables rules
# -
# - Note: you may also have to activate forwarding:
# -
# - Set: kernel_forward_between_interfaces=true
# -
# - Security note: with 'true', bridged traffic is no longer passed
# - through this host's rules (see heading above) — use it only if the
# - bridged segment is filtered somewhere else.
# -
do_not_firewall_bridged_traffic=false
|
|
|
|
|
|
# -------------
# --- Do not firewall traffic from and to LX guest systems
# -------------

# - When set to 'true', traffic from and to hosted LX containers is
# - not filtered by this host's rules.
# -
# - Security note: the containers then depend entirely on their own
# - filtering; keep 'false' unless that is in place.
# -
do_not_firewall_lx_guest_systems=false
|
|
|
|
|
|
# -------------
# --- Drop ICMP
# -------------

# - Possible values are 'true' and 'false'.
# -
# - NOTE(review): which ICMP types are dropped is decided by the main
# - script and not visible here. Dropping ICMP wholesale also drops
# - "fragmentation needed" messages and breaks path MTU discovery —
# - verify what this switch does before enabling it.
# -
drop_icmp=false
|
|
|
|
|
|
# -------------
# --- Allow all outgoing traffic
# -------------

# - allow_all_outgoing_traffic
# -
# - Possible values are 'true' and 'false'
# -
# - NOTE(review): 'true' switches off egress filtering on this host; the
# - per-service outbound settings further down (*_out_*, allow_ext_*)
# - are then presumably irrelevant — confirm in the main script.
# -
allow_all_outgoing_traffic=false
|
|
|
|
|
|
# -------------
# --- Interfaces completely blocked
# -------------

# - Interfaces to block (note: all traffic on them will be blocked)
# -
# - Example: eth1 is used for a DSL line, which becomes an extra
# - interface (maybe ppp0). A further use of eth1 (which would
# - be possible) is not configured at this time, so you can block it.
# - blocked_ifs="eth1"
# -
blocked_ifs=""
|
|
|
|
|
|
# -------------
# --- Interfaces not firewalled
# -------------

# - Note:
# - Can be (for example) an interface whose (complete) traffic is
# - protected by a firewall on another system in the local area
# - network.
# -
# - Security note: everything on these interfaces bypasses this host's
# - rules — list only interfaces that really are filtered upstream.
# -
unprotected_ifs=""
|
|
|
|
|
|
# -------------
# ---- Allow forwarding (private) IPs / IP ranges
# -------------

# - Maybe useful in case of virtual hosts with private addresses or
# - if using a VPN network to forward into private areas.
# -
# - Note: these rules take effect before the rules that protect against
# - unwanted packets, e.g. blocking private addresses on
# - external interfaces — so anything listed here is exempt from that
# - anti-spoofing check. List only the ranges you actually route.
# -
# - Note: you can specify networks using CIDR notation
# - like "192.168.2.0/24"
# -
forward_private_ips=""
|
|
|
|
|
|
# -------------
# ---- Restrict local service to given (external) IP address / network
# -------------

# - restrict_local_service_to_net
# -
# - restrict_local_service_to_net="ext-net,local-address,port,protocol"
# -
# - Note:
# - =====
# - - Only 'tcp' and 'udp' are allowed values for protocol.
# - - Traffic received on NATed interfaces is not covered (omitted)!
# -
# - Use this parameter to (only) give some external networks access to special local
# - services.
# -
# - Example (NOTE(review): the addresses below are IPv6, carried over from
# - the IPv6 variant — use IPv4 addresses / CIDR networks in this file):
# - allow access from 2003:45:4612:3a00::/56 to tcp service at 2a01:30:0:13:211:84ff:feb7:7f9c on port 1036
# - allow access from 2a01:30:1fff:fd00::/64 to https service at 2a01:30:0:13:211:84ff:feb7:7f9c
# -
# - restrict_local_service_to_net="2003:45:4612:3a00::/56,2a01:30:0:13:211:84ff:feb7:7f9c,1036,tcp
# -                                2a01:30:1fff:fd00::/64,2a01:30:0:13:211:84ff:feb7:7f9c,443,tcp"
# -
# - Blank separated list
# -
restrict_local_service_to_net=""
|
|
|
|
|
|
# -------------
# ---- Restrict local network to given external IP address / network
# -------------

# - restrict_local_net_to_net
# -
# - restrict_local_net_to_net="<src-ext-net>,<dst-local-net> [<src-ext-net>,<dst-local-net>] [..]"
# -
# - All traffic from the given first network to the given second network is allowed
# -
# - Note:
# - =====
# - - Traffic received on NATed interfaces is not covered (omitted)!
# - - If you want to allow both directions, you have to make two entries - one for each direction.
# -
# - Example (the variable name is restrict_local_net_to_net; addresses are
# - IPv6 and carried over from the IPv6 variant — use IPv4 here):
# - restrict_local_net_to_net="2003:45:4612:3a00::/56,2a01:30:0:13:211:84ff:feb7:7f9c/128
# -                            2a01:30:1fff:fd00::/64,2a01:30:0:13:211:84ff:feb7:7f9c/128"
# -
# - Blank separated list
# -
restrict_local_net_to_net=""
|
|
|
|
|
|
# -------------
# ---- Allow external service
# -------------

# - allow_ext_service
# -
# - allow_ext_service="<ext-ip>,<ext-port>,<protocol> [<ext-ip>,<ext-port>,<protocol> [..]]"
# -
# - Allow all traffic from this host to the given external service. Only
# - protocols 'tcp' and 'udp' are allowed.
# -
# - Example (addresses are IPv6, carried over from the IPv6 variant —
# - use IPv4 addresses here):
# - - allow_ext_service="
# -      2a01:4f8:221:3b4e::247,8443,tcp
# -      2a01:30:0:13:211:84ff:feb7:7f9c,8443,tcp
# -   "
# - - allow_ext_service="
# -      ::/0,8443,tcp
# -      ::/0,8080,tcp
# -   "
# -
# - Note:
# - =====
# - To allow traffic on a certain port to all external networks, set the
# - external network to '::/0' (IPv6) — for this IPv4 script use 0.0.0.0/0.
# -
# - Blank separated list
# -
allow_ext_service=""
|
|
|
|
|
|
# -------------
# ---- Allow external IP address / network
# -------------

# - allow_ext_net
# -
# - allow_ext_net="<ext-ip> [<ext-ip> [..]]"
# -
# - Allow all traffic to the given external network / IP address.
# -
# - Example (addresses are IPv6, carried over from the IPv6 variant —
# - use IPv4 addresses here):
# - - allow_ext_net="2a01:4f8:221:3b4e::247 2a01:30:0:13:211:84ff:feb7:7f9c"
# - - allow_ext_net="::/0"
# -
# - Note:
# - =====
# - To allow traffic to all external networks, set the external network
# - to '::/0' (IPv6) — for this IPv4 script use 0.0.0.0/0. Doing so
# - opens every port towards every destination; prefer allow_ext_service
# - (port-scoped) where possible.
# -
# - Blank separated list
# -
allow_ext_net=""
|
|
|
|
|
|
# -------------
# ---- Allow (non-standard) local services
# -------------

# - allow_local_service
# -
# - allow_local_service="<port>,<protocol> [<port>,<protocol> [..]]"
# -
# - Allow all traffic to the given local service — i.e. the port is
# - opened to every source. Prefer allow_local_service_from_networks
# - when the service only needs to be reachable from known networks.
# -
# - Example:
# - allow_local_service="8443,tcp 8080,tcp"
# -
# - Blank separated list
# -
allow_local_service=""
|
|
|
|
|
|
# -------------
# ---- Allow local services from given (external) network
# -------------

# - allow_local_service_from_networks
# -
# - allow_local_service_from_networks="<ext-net>,<local-port>,<protocol> [<ext-net>,<local-port>,<protocol> [..]]"
# -
# - Allow all traffic to the given local service from the given (external) network
# -
# - Example (note the variable name — the original example wrongly used
# - allow_local_service; the network is IPv6, use IPv4 CIDR here):
# - allow_local_service_from_networks="2001:678:a40:3000::/64,8443,tcp 2001:678:a40:3000::/64,8080,tcp"
# -
# - Blank separated list
# -
allow_local_service_from_networks=""
|
|
|
|
|
|
# -------------
# --- Services local network
# -------------

# - NOTE(review): throughout this section each service has an
# - "<svc>_ips" and a "forward_<svc>_ips" variable. Their exact meaning
# - is defined by the main script and not visible here; presumably the
# - former lists addresses of the service on this host and the latter
# - addresses of hosts behind this firewall the traffic is forwarded to.
# - Confirm before relying on either.

# - VPN server
# -
vpn_server_ips=""
forward_vpn_server_ips=""

# - VPN port(s) used by local services
# -
# - blank separated list
# -
vpn_ports="$standard_vpn_port"


# - WireGuard service
# -
wireguard_server_ips=""
forward_wireguard_server_ips=""

# - Local WireGuard ports
# -
# - Blank separated list
# -
wireguard_server_ports="$standard_wireguard_port"

# - Remote WireGuard ports (outbound)
# -
wireguard_out_ports="$standard_wireguard_port"
|
|
|
|
|
|
# local NTP server
#
local_ntp_service=false

# NTP port used by the local service
#
ntp_port="$standard_ntp_port"

# Network allowed for NTP requests
#
# Note: if not set, no port will be opened!
#
# Example (IPv6, carried over from the IPv6 variant — use IPv4 CIDR here):
# ntp_allowed_net="2001:678:a40:3000::/64"
#
ntp_allowed_net=""


# DHCP server
#
# Comma separated list of interfaces offering DHCP service
#
dhcp_server_ifs=""

# DHCP client
#
# Comma separated list of interfaces that are DHCP clients
#
dhcp_client_ifs=""
|
|
|
|
|
|
# - DNS server (authoritative)
# -
# - Note:
# - leave empty if you only provide the DNS resolver service
# -
dns_server_ips=""
forward_dns_server_ips=""


# - local DNS resolver
# -
local_resolver_service=false

# - Resolver port used by the local service
# -
resolver_port="$standard_dns_port"

# - Network(s) allowed for DNS requests
# -
# - Note: if not set, no port will be opened!
# -
# - Example (networks are IPv6, carried over from the IPv6 variant —
# - use IPv4 CIDR here; note the variable name is resolver_allowed_networks):
# - resolver_allowed_networks="2001:678:a40:3000::/64 2001:678:a40:4000::/64"
# -
# - # Open DNS resolver ('::/0' is IPv6; for this IPv4 script 0.0.0.0/0)
# - resolver_allowed_networks="::/0"
# -
# - Security note: an open resolver can be abused for DNS reflection /
# - amplification attacks against third parties; restrict this to the
# - networks that actually need it.
# -
resolver_allowed_networks=""
|
|
|
|
|
|
# - SSH server
# -
ssh_server_ips=""
forward_ssh_server_ips=""

# - SSH port(s) used by local services
# -
# - blank separated list
# -
ssh_ports="$standard_ssh_port"


# - HTTP(S) server
# -
http_server_ips=""
forward_http_server_ips=""

# - HTTP(S) ports used by local services
# -
# - comma separated list
# -
http_ports="$standard_http_ports"


# - Log outgoing traffic of CGI scripts
# -
log_cgi_traffic_out=false

# - cgi_script_users
# -
# - List of CGI script users (suexec user, php-fpm user, ...)
# -
# - Blank separated list
# -
cgi_script_users=""
|
|
|
|
|
|
# - Mattermost (MM) service
# -
mm_server_ips=""
forward_mm_server_ips=""

# - UDP ports IN and OUT used by the MM service
# -
# - NOTE(review): the variables referenced below are spelled "stansard"
# - (not "standard"); whether the defaults file uses the same spelling is
# - not visible here — confirm, otherwise these expand to empty strings.
# -
mm_udp_ports_in="$stansard_mattermost_udp_ports_in"
mm_udp_ports_out="$stansard_mattermost_udp_ports_out"


# - Mail SMTP server
# -
smtpd_ips=""
forward_smtpd_ips=""

# - Mail services (smtps/pop(s)/imap(s))
# -
mail_server_ips=""
forward_mail_server_ips=""

# - Client ports used by local mail services
# -
# - comma separated list
# -
mail_user_ports="$standard_mailuser_ports"


# - Mail client (smtps/pop(s)/imap(s))
# -
mail_client_ips=""
forward_mail_client_ips=""
|
|
|
|
|
|
# - (local) Dovecot auth service
# -
dovecot_auth_service=false

# - Port listening for Dovecot auth requests
# -
dovecot_auth_port="$dovecot_external_auth_port"

# - Client network(s) allowed to connect to Dovecot's auth service
# -
# - Security note: this exposes an authentication backend; keep the list
# - to the hosts that actually need it.
# -
# - Example (IPv6, carried over from the IPv6 variant — use IPv4 here):
# - dovecot_auth_allowed_networks="2001:678:a40:3000::/64 2a01:30:0:13:2f7:50ff:fed2:cef7"
# -
dovecot_auth_allowed_networks=""


# - FTP server
# -
ftp_server_ips=""
forward_ftp_server_ips=""

# - FTP passive port range used by local FTP service(s)
# -
# - example: ftp_passive_port_range="50000:50400"
# -
ftp_passive_port_range="50000:50400"
|
|
|
|
|
|
# - XMPP service (Jabber - Prosody)
# -
xmpp_server_ips=""
forward_xmpp_server_ips=""

# - Ports used by the XMPP (Prosody) service
# -
# - 5222 incoming, client connections, unencrypted or TLS (STARTTLS)
# - 5223 incoming, SSL-encrypted client connections (legacy — drop it
# -      from the list below if no legacy clients remain)
# - 5269 incoming and outgoing, connections to other servers
# -
# - WebSocket (support is provided by mod_websocket)
# - 5280 incoming, client connections via HTTP polling (useful for web
# -      applications) — not included in the default list below.
# -
# - NOTE(review): the variables are spelled "xmmp_*" (not "xmpp_*");
# - keep that spelling, the main script presumably reads these names.
# -
xmmp_tcp_in_ports="5222 5223 5269"
xmmp_tcp_out_ports="5269"

# - XMPP remote Dovecot (auth) out service
# -
# - Example (IPv6 addresses, carried over from the IPv6 variant — use IPv4 here):
# - - xmmp_remote_out_services="
# -      2a01:4f8:221:3b4e::247,44444
# -      2a01:30:0:13:2f7:50ff:fed2:cef7,44444
# -   "
# -
xmmp_remote_out_services=""


# - Mumble server
# -
mumble_server_ips=""
forward_mumble_server_ips=""

# - Ports used by local Mumble services
# -
# - comma separated list
# -
mumble_ports="$standard_mumble_port"
|
|
|
|
|
|
# - Jitsi video conferencing server
# -
jitsi_server_ips=""
forward_jitsi_server_ips=""

# - Jitsi (incoming) ports
# -
# - comma separated list of ports / port ranges
# -
jitsi_tcp_ports="$standard_jitsi_tcp_ports"
jitsi_udp_port_range="$standard_jitsi_udp_port_range"

# - Jitsi (outgoing) ports (STUN/TURN services)
# -
jitsi_tcp_ports_out="$standard_turn_service_ports,4443,4444,4445,4446"
jitsi_udp_ports_out="$standard_http_ports,$standard_turn_service_ports,4443,4444,4445,4446"

# - Jitsi Dovecot authentication
# -
# - NOTE(review): the default below references "$default_jitsi_dovecout_auth_port"
# - ("dovecout", not "dovecot"); whether the defaults file uses the same
# - spelling is not visible here — confirm, otherwise the port is empty.
# -
jitsi_dovecot_auth=false
jitsi_dovecot_host=""
jitsi_dovecot_port="$default_jitsi_dovecout_auth_port"

# - Jibri external client recording / streaming
# -
jitsi_jibri_remote_auth=false
# - Remote Jibri servers
# -
# - NOTE(review): the original comment says "colon separated list of
# - ipv6 addresses" — a colon cannot delimit IPv6 addresses (they contain
# - colons), and this is an IPv4 configuration. Every other list in this
# - file is blank separated; confirm the delimiter in the main script.
# -
jitsi_jibri_remote_ips=""
jitsi_jibri_remote_auth_port="$default_jibri_out_port"


# - Jibri recording / streaming service
# -
# - list of IP addresses (see delimiter note above; originally documented
# - as "colon separated list of ipv6 addresses")
# -
jibri_server_ips=""
# - list of IP addresses (same delimiter caveat)
# -
forward_jibri_server_ips=""
jibri_remote_jitsi_server=""
jibri_remote_auth_port="$default_jibri_out_port"
|
|
|
|
|
|
# - TURN server (STUN server) (for the Nextcloud 'talk' app)
# -
nc_turn_server_ips=""
forward_nc_turn_server_ips=""

# - Ports used by the local TURN server (STUN server)
# -
# - comma separated list
# -
nc_turn_ports="$standard_turn_service_ports"
nc_turn_udp_ports="$standard_turn_service_udp_ports"


# - TFTP server
# -
# - NOT YET IMPLEMENTED — this variable is currently without effect.
# -
tftp_server_ips=""
|
|
|
|
|
|
# - Prometheus monitoring - local server
# -
# - blank separated list of IP addresses (originally documented as IPv6;
# - use IPv4 addresses in this file)
# -
prometheus_local_server_ips=""

# - (Remote) Prometheus ports
# -
# - !! comma separated list of ports
# -
prometheus_remote_client_ports="$standard_prometheus_ports"


# - Prometheus monitoring - local client
# -
# - blank separated list of IP addresses (originally documented as IPv6;
# - use IPv4 addresses in this file)
# -
prometheus_local_client_ips=""

# - Local Prometheus ports
# -
# - !! comma separated list of ports
# -
prometheus_local_client_ports="$standard_prometheus_ports"

# - blank separated list of IP addresses (see above)
# -
prometheus_remote_server_ips=""


# - Munin server
# -
munin_server_ips=""
forward_munin_server_ips=""

# - Port used by the clients (nodes) polled by this (local) Munin server
# -
# - !! Only one port is possible !!
# -
munin_remote_port="$standard_munin_port"
|
|
|
|
|
|
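# - Remote Munin server
# -
# - Address of the remote Munin master that may poll this host's
# - munin-node on munin_local_port (presumably — the rule itself lives
# - in the main script). Leave empty if there is none.
# -
# - The previous default was a hard-coded third-party IPv6 address
# - ("2a01:4f9:4a:2b57::122") — a leftover that would have admitted an
# - unrelated host to the monitoring port, and IPv6 in an IPv4 firewall
# - file. Every other *_ip(s) default in this file is empty; this one
# - now is too.
# -
munin_remote_ip=""

# - Local port munin-node listens on (only one port is possible)
# -
munin_local_port="4949"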
|
|
|
|
# - Xymon server
# -
# - NOT YET IMPLEMENTED — these variables are currently without effect.
# -
xymon_server_ips=""
local_xymon_client=false

# - Port used by local Xymon services
# -
# - !! Only one port is possible !!
# -
xymon_port="$standard_xymon_port"
|
|
|
|
|
|
|
|
# -------------
# - Protocols out
# -------------

# - Rsync protocol
# -
# - Needed for some integrated providers of clamav-unofficial-sigs
# -
rsync_out_ips=""
forward_rsync_out_ips=""
rsync_ports="873"


# -------------
# --- Allow special ports (OUT)
# -------------

# - TCP ports (outbound); "forward_" variant for forwarded traffic
tcp_out_ports=""
forward_tcp_out_ports=""

# - UDP ports (outbound); "forward_" variant for forwarded traffic
udp_out_ports=""
forward_udp_out_ports=""
|
|
|
|
|
|
|
|
# =============
# --- Port forwarding
# =============

# - Port forwarding TCP
# -
# - portforward_tcp="<device-in>,<src-ip>,<port-in>,<ip-to-forward>,<port-out>"
# -
# - NOTE(review): judging by the examples, the second field (<src-ip>)
# - is the address on <device-in> the connection arrives at (this host's
# - external address, e.g. ${ext_1_ip}), not the remote sender — confirm
# - in the main script. Note also that forwarded ports are reachable from
# - any source unless the main script restricts them.
# -
# - Multiple declarations (blank separated list) are possible
# -
# - Example (addresses are IPv6, carried over from the IPv6 variant —
# - use IPv4 addresses in this file; the original example's target
# - port "c22" was a typo for 22):
# - portforward_tcp="${ext_if_1},${ext_1_ip},9997,2a01:30:0:13:5054:ff:fe83:dbda,22
# -                  ${ext_if_1},${ext_1_ip},80,2a01:30:0:13:211:84ff:feb7:7f9c,80
# -                  ${ext_if_1},2a01:30:0:13:2d1:2bff:fec1:aed0,80,2a01:30:0:13:211:84ff:feb7:7f9c,80
# -                  ${ext_if_1},2a01:30:0:13:2d1:2bff:fec1:aed0,443,2a01:30:0:13:211:84ff:feb7:7f9c,443
# -                 "
# -
# - Note!
# - Be careful if you use a variable (e.g. ext_1_ip) that it contains NO
# - SPACES — the list is blank separated, so a space inside a value
# - would split one entry into two.
# -
# - Blank separated list
# -
portforward_tcp=""


# - Port forwarding UDP
# -
# - portforward_udp="<device-in>,<src-ip>,<udp-port-in>,<ip-to-forward>,<udp-port-out>"
# -
# - Multiple declarations (blank separated list) are possible
# -
# - Example:
# - NOTE(review): the example leaves <ip-to-forward> empty; what the
# - main script does with an empty target is not visible here — confirm.
# - portforward_udp="
# -      ${ext_if_1},${ext_1_ip},1094,,1094
# -      ${ext_if_1},${ext_1_ip},1095,,1095
# -   "
# -
# - Blank separated list
# -
portforward_udp=""
|
|
|
|
|
|
|
|
# -------------
# --- Block IPs / IP ranges
# -------------

# - Sources to block (IPv4 addresses / CIDR networks)
# -
blocked_ips=""


# -------------
# --- Block ports
# -------------

# - Generally (on all interfaces) block these ports
# -
# - Portmapper
# - tcp 111
# - udp 111
# -
# - Authentication tap ident
# - tcp 113
# -
# - Location service (MS RPC endpoint mapper)
# - tcp 135
# -
# - Windows file sharing (NetBIOS / SMB)
# - tcp 137:139
# - udp 137:139
# - tcp 445
# -
# - Blank separated lists; "a:b" denotes a port range
# -
block_tcp_ports="111 113 135 137:139 445"
block_udp_ports="111 137:139"
|
|
|
|
|
|
# -------------
# - Some special stuff
# -------------

# - Per-interface / per-service traffic counters
create_traffic_counter=true

# - NOTE(review): enabled by default; presumably adds rules for the iperf
# - bandwidth test tool, but what it opens is not visible here. Set to
# - false unless you actually run iperf on this host.
create_iperf_rules=true


# -------------
# - Protection against ...
# -------------

# - Protection against SYN flooding
# -
protection_against_syn_flooding=true

# - Protection against port scanning
# -
protection_against_port_scanning=true

# - Protection against SSH brute-force attacks
# -
protection_against_ssh_brute_force_attacks=true
|
|
|
|
|
|
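# -------------
# - Limit connections
# -------------

# - Limit connections per source IP
# -
# - per_IP_connection_limit takes its value from the defaults file
# - ($default_per_IP_connection_limit); quoted like every other
# - "$default_*"/"$standard_*" reference in this file.
# -
limit_connections_per_source_IP=true
per_IP_connection_limit="$default_per_IP_connection_limit"

# - Limit RST packets
# -
limit_rst_packets=true

# - Limit new TCP connections per second per source IP
# -
limit_new_tcp_connections_per_seconds_per_source_IP=true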
|
|
|
|
|
|
# -------------
# --- Kernel related - adjust kernel parameters (security / tuning)
# -------------

# - IP forwarding between interfaces (false = disabled)
# -
# - Only needed if this host routes traffic (see forward_private_ips,
# - do_not_firewall_bridged_traffic).
# -
kernel_forward_between_interfaces=false

# - Deactivate source routed packets
# -
# - Source routing lets the sender dictate the path and can be used to
# - bypass routing-based filtering; keep this 'true'.
# -
kernel_deactivate_source_route=true

# - Do not accept ICMP redirects
# -
# - ICMP redirects are used by routers to tell a host about a better
# - route out of a network; accepting them lets any host on the link
# - change this machine's routing decisions. Keep this 'true'.
# -
# - NOTE(review): the original heading read "Deactivate sending ICMP
# - redirects", but the variable name says "dont_accept" — whether the
# - main script sets accept_redirects or send_redirects (or both) is not
# - visible here; confirm.
# -
kernel_dont_accept_redirects=true
|
|
|