NAME
       firewall.conf - rcf(8) configuration file

DESCRIPTION
       The firewall.conf file is the main configuration file for rcf(8), an ipchains-based firewall script. rcf(8) is distributed under the General Public License (GPL) terms.

       Lines starting with a hash (``#'') and empty lines are ignored. Every configuration option must be followed by an equal (``='') sign and the option's value.

       Several configuration options include an interface name within their own names. When changing the selection of private, public, etc. interfaces, you must execute rcf(8) with the --update-config command line parameter. This will add and/or remove the options which depend on these interface names.

OPTIONS
       [public|private|dmz|mz]-interfaces-security = [strict|relaxed|paranoid]
              relaxed mode allows outgoing TCP connections and incoming/outgoing UDP traffic on high ports. This mode will allow port-scanning of remote hosts from your firewall. Access must be granted for each local service offered (web and ftp servers, etc.).

              strict mode allows outgoing TCP connections except to known hacker-friendly service ports (sunrpc, rlogin, telnet, etc.). All UDP traffic is denied. Access must be given for each UDP-based service and for each local TCP service offered to remote users (web and ftp servers, etc.).

              paranoid mode denies all incoming/outgoing TCP and UDP traffic. Each service (local and remote) must be granted access. Make sure you execute rcf with the --update-config parameter after switching to paranoid mode. This will add several options to the configuration file. You should review these before running rcf again.

       debug = option-value
              Log all accept, deny, forward, and masq ipchains matches to syslogd(8) using the kern.info category/priority. Valid option-values are "yes" or "no". This option is most useful for debugging firewall rules. You can override this option using the --debug and --nodebug command line parameters.
       ipac-bindir = dir-path
              If you have IP Accounting installed, enter the path to your ipacset file. If ipacset is found in this directory, it will be executed to add your ipchains accounting rules.

       private-interfaces = interfaces
              One or more private network interfaces. Separate each interface name by a space. Leave this string empty if you don't have a private LAN, i.e. you're only connected to the Internet. If you add and/or remove an interface from this variable, you should execute rcf(8) with the --update-config parameter. This will create/remove configuration options for the new interfaces. You will probably want to review any new options and re-run the firewall script. Don't forget to review the forward-[interface]-masq-networks option to masquerade private networks.

       public-interfaces = interfaces
              One or more public (i.e. Internet-connected) network interfaces. If necessary, you can specify interfaces which are down and/or may not exist. This will maintain the necessary options in the configuration file, but the interfaces will not be used until they are up. If you add and/or remove an interface from this variable, you should execute rcf(8) with the --update-config parameter. This will create/remove configuration options for the new interfaces. You will probably want to review any new options and re-run the firewall script.

       action-interface-service-type = option-value
              Most configuration file options control access to local and/or remote services. Since these options are explained in (more or less) detail within the configuration file, we won't repeat ourselves here. Instead, we'll explain their syntax.

              action [accept|deny|ignore|forward|enable]
                     The accept action opens access to a service. Options starting with deny override the accept options. Say you open the HTTP service to anyone (using the accept option); you can then use a deny option to exclude a few hosts and/or networks.
                     The ignore and deny options are identical, except that ignored packets are not logged. The forward action is used for variables which forward firewall ports to another server on the internal (LAN) network. The enable action is used for yes/no options.

              interface
                     An interface device name (eth0, eth1, eth1:1, etc.).

              service
                     The name of a service (dhcp, telnet, ssh, ping, etc.). The blacklist service is perhaps the only exception. It's used on one occasion to completely block inbound and outbound traffic to/from a host or network.

              type [clients|servers|hosts|rhostlports|networks]
                     The type field reflects where the service is running and/or the expected option-value syntax to be entered. A clients type means the service is running on the firewall and external clients are given access (or not) to the local service. The servers type denotes options which control the firewall's access to remote services. All outgoing TCP traffic is permitted, so the servers type is often used to open UDP access, override restricted services (in strict mode), or define non-standard services like FTP. The hosts type is used for peer-to-peer services, like Virtual Private Networks (VPNs), where client/server roles are not clearly defined. The rhostlports type defines an option with remote hostnames and local ports in the option-value (see the accept-{int}-tcp-rhostlports option below).

              Examples:

                     enable-eth0-dhcp-clients = yes
                     deny-eth1-blacklist-hosts = 207.253.78.0/24
                     accept-eth1-telnet-clients = first.host.com second.host.com
                     accept-eth1:1-tcp-rhostlports = 1.2.3.0/24 6112:6119, myfriend.com 81 8080

       masq-modules = module-list
              Most TCP/IP-enabled applications work fine behind a Linux IP masquerade server, but some applications need a special kernel module to get their traffic in and out properly. These include cuseeme, ftp, icq, irc, quake, raudio, vdolive, and others. Some of these modules, like icq, aren't supplied with standard Linux distributions.
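The following is an added example, not part of rcf (which is a shell script) or of this manual page. It models the option syntax described above: it parses the action-interface-service-type form, the rhostlports value format, and the scalar options, and it applies the stated precedence (deny and ignore override accept; a blacklist entry blocks a host outright) to decide what a given remote client gets for a local service. The sample configuration is constructed, hostnames are matched by exact string rather than DNS so the code runs offline, the "0.0.0.0/0" network is used to stand for "anyone" because the page names no wildcard token, and the mapping of masq-timeouts onto `ipchains -M -S` is this example's assumption, not something the page states.

```python
"""Parser and access-precedence checker for the firewall.conf option syntax.

Added example for this page; it is not rcf's own code and only models the
syntax the manual describes (real rcf parsing may differ in edge cases).
"""
import ipaddress
import re

ACTIONS = {"accept", "deny", "ignore", "forward", "enable"}
TYPES = {"clients", "servers", "hosts", "rhostlports", "networks"}
MODES = {"strict", "relaxed", "paranoid"}
# action-interface-service-type; interface names may contain ':' and '.'
KEY_RE = re.compile(
    r"^(?P<action>[a-z]+)-(?P<iface>[a-z0-9:.]+)-(?P<service>[a-z0-9]+)-(?P<type>[a-z]+)$")


class ConfigError(ValueError):
    """Raised for a line that does not follow the documented syntax."""


def _parse_value(key, value, lineno):
    # Scalar options that are not of the action-interface-service-type form.
    if key.endswith("-interfaces-security"):
        if value not in MODES:
            raise ConfigError(f"line {lineno}: bad security mode {value!r}")
        return value
    if key == "debug":
        if value not in ("yes", "no"):
            raise ConfigError(f"line {lineno}: debug must be yes or no")
        return value == "yes"
    if key == "masq-timeouts":
        parts = value.split()
        if len(parts) != 3 or not all(p.isdigit() for p in parts):
            raise ConfigError(f"line {lineno}: masq-timeouts needs 3 integers")
        return tuple(int(p) for p in parts)
    if key in ("private-interfaces", "public-interfaces", "masq-modules"):
        return value.split()
    if key == "ipac-bindir":
        return value
    m = KEY_RE.match(key)
    if not m or m["action"] not in ACTIONS or m["type"] not in TYPES:
        raise ConfigError(f"line {lineno}: unknown option {key!r}")
    if m["action"] == "enable":
        if value not in ("yes", "no"):
            raise ConfigError(f"line {lineno}: {key} must be yes or no")
        return value == "yes"
    if m["type"] == "rhostlports":
        # "rhost port [port ...], rhost port ..." -> [(rhost, [ports]), ...]
        entries = []
        for group in value.split(","):
            parts = group.split()
            if len(parts) < 2:
                raise ConfigError(f"line {lineno}: rhostlports entry needs a host and a port")
            entries.append((parts[0], parts[1:]))
        return entries
    return value.split()  # clients/servers/hosts/networks: space-separated list


def parse_config(text):
    """Map option name -> parsed value; '#' lines and blank lines are skipped."""
    options = {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if "=" not in line:
            raise ConfigError(f"line {lineno}: missing '='")
        key, _, value = line.partition("=")
        options[key.strip()] = _parse_value(key.strip(), value.strip(), lineno)
    return options


def is_valid(text):
    """True if every line of text parses under the documented syntax."""
    try:
        parse_config(text)
        return True
    except ConfigError:
        return False


def _matches(pattern, remote):
    """Address/network patterns match by prefix; hostnames only by exact
    string, since no DNS lookup is done here."""
    try:
        return ipaddress.ip_address(remote) in ipaddress.ip_network(pattern, strict=False)
    except ValueError:
        return pattern == remote


def client_access(options, iface, service, remote):
    """Outcome for a remote client reaching a local service on iface:
    'accept', 'deny', 'ignore', or None when no rule mentions it.
    deny/ignore override accept; a blacklist entry overrides everything."""
    for action in ("deny", "ignore"):
        if any(_matches(p, remote) for p in options.get(f"{action}-{iface}-blacklist-hosts", [])):
            return action
    result = None
    for action in ("accept", "deny", "ignore"):  # later actions override earlier ones
        if any(_matches(p, remote) for p in options.get(f"{action}-{iface}-{service}-clients", [])):
            result = action
    return result


def masq_timeouts_argv(options):
    """ipchains argv for masq-timeouts. The page only states the three values
    are TCP, TCP-after-FIN and UDP timeouts; mapping them onto
    'ipchains -M -S tcp tcpfin udp' is this example's assumption."""
    tcp, tcpfin, udp = options.get("masq-timeouts", (7200, 10, 160))
    return ["ipchains", "-M", "-S", str(tcp), str(tcpfin), str(udp)]


# Constructed sample configuration (not a real rcf file).
SAMPLE_CONF = """\
# constructed sample
public-interfaces-security = strict
debug = no
public-interfaces = eth1
private-interfaces = eth0
enable-eth0-dhcp-clients = yes
accept-eth1-http-clients = 0.0.0.0/0
deny-eth1-http-clients = 192.0.2.0/24
ignore-eth1-http-clients = 198.51.100.7
deny-eth1-blacklist-hosts = 207.253.78.0/24
accept-eth1-telnet-clients = first.host.com second.host.com
accept-eth1:1-tcp-rhostlports = 1.2.3.0/24 6112:6119, myfriend.com 81 8080
masq-timeouts = 7200 10 160
"""

if __name__ == "__main__":
    opts = parse_config(SAMPLE_CONF)
    for remote in ("203.0.113.9", "192.0.2.50", "198.51.100.7", "207.253.78.3"):
        print(remote, "->", client_access(opts, "eth1", "http", remote))
    print(" ".join(masq_timeouts_argv(opts)))
```

Running the script prints accept, deny, ignore and deny for the four sample addresses, which is the precedence the manual describes: the open accept is narrowed by deny and ignore, and the blacklist wins regardless of service. A line such as `foo-eth0-bar-baz = x` is rejected by `parse_config`, which is a cheap pre-check to run before handing an edited file to rcf.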
       masq-timeouts = tcp tcpfin udp
              Change the timeout values used for masquerading. This option always takes 3 parameters, representing the timeout values (in seconds) for TCP sessions, TCP sessions after receiving a FIN packet, and UDP packets, respectively. The default values are 7200, 10, and 160.

FILES
       /etc/firewall.conf
              Default location of the rcf(8) configuration file.

       /etc/firewall/
              Default location of the rcf(8) groups, modules, and sbin directories.

FAQ
       The rcf Frequently Asked Questions (FAQ) are available at:

BUGS
       If you experience any problems using rcf, please subscribe to our mailing list. If you'd like to contribute to the evolution of rcf, you can also join the development list at .

UPDATES
       Releases of rcf are announced on Freshmeat. Development and production releases are also announced on our mailing list. The latest versions are always available from:

AUTHOR
       Jean-Sebastien Morisset

SEE ALSO
       rcf-groups(5), rcf-modules(5), rcf(8)