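#
# Configuration file for FloppyT-0.9
#
# As collapsed on this page every assignment sat behind a leading "#" and was
# never evaluated; one statement per line restores the intended file layout.
#
# To configure the modules edit /config/standard-modules.lst or /config/user-modules.lst
# !! Note that this version of syslogd ignores /etc/syslog.conf.
#
# If provider is not xs4all replace all "xs4all.nl" with your own provider.
#
# Enter login data.
# Replace with your own settings.
# Remove the "<" and the ">".
# Example : password = Gf$k#ls becomes USER_PASSWORD='Gf$k#ls'
# Keep the single quotes: the values are presumably read as shell syntax, and
# the quotes stop "$" from being expanded and "#" from starting a comment.
# A password that itself contains a single quote cannot be written this way.
# The provider password is stored here in clear text, so keep this file
# readable by root only.
#
# For Basic-adsl @xs4all-basic-adsl
# For Fast-adsl @xs4all-fast-adsl
#
USER_IDENT='xxxxxxxx@adsl-comfort'
USER_PASSWORD='xxxxxx'

# Please set your hostname and dns settings here.
#
HOSTNAME=floppyt
NAME_SERVER_IP1=195.121.1.34
NAME_SERVER_IP2=195.121.1.66
DOMAIN=planet.nl

# The outside network.
#
MODEMSIDE_DEV=ppp0
OUTSIDE_DEV=eth0
OUTSIDE_IP=10.0.0.150
OUTSIDE_BROADCAST=10.0.0.255
OUTSIDE_NETMASK=255.255.255.0
MODEM_IP=10.0.0.138

# Inside Network:
#
INSIDE_DEV=eth1
INSIDE_IP=192.168.0.2
INSIDE_NETMASK=255.255.255.0
INSIDE_BROADCAST=192.168.0.255

# DHCP stuff will go here.
#
IP_RANGE_MIN=192.168.0.100
IP_RANGE_MAX=192.168.0.125
WINS_SERVER_IP1=131.155.2.26
WINS_SERVER_IP2=131.155.2.25

# Timezone in seconds from UTC: +1 hour = 3600 seconds
TIMEZONE=3600

# Lease time in seconds: 24 hours = 86400 seconds
LEASE=86400

# Syslog stuff
# If you turn this on everything will be logged. But it eats CPU time.
SYSLOG=y

# Note that this version of syslogd ignores /etc/syslog.conf.
# Additional syslog flags:
#   -O /dev/tty?   Set the tty to log to. !DO NOT LOG TO A FILE!
#   -R             Put the ip and port here if you want to log to a remote host
#   -L             Log to both host and tty/file
#   -m ?           This sets the time between the --MARK-- signs
#   -n             Run as a foreground process
# If you use -R, point it at a host on the inside network; the remote logging
# is plain syslog, so the log stream itself is not protected in transit.
SYSLOG_FLAGS="-O /dev/tty5"

# Set this to y if you have and want to use a second floppydisk.
#
SECOND_DEVICE=n

# ----------------------------------------------------------------------------
# Extra settings for the firewall. Add this to the bottom of your config.ini
#
# Make sure you use the latest version of BOTH the firewall.ini & config.ini
#
# Filename: config.ini
#
# Version 0.9-pre9 (Beta)
# ----------------------------------------------------------------------------
# Maintained by Tom Siebeling mailto:T.Siebeling@student.tue.nl
# Get the latest version from: http://home.wxs.nl/~siebe398/firewall.html
# Mirrored by Walther Ligtvoet: http://www.aesir.nl/downloads.html
# Last time edited: 12 October 2002
#
# Based on: the firewall script by Henk de Jong V0.5 (http://www.nu2.nu),
# the changes by Willem (http://www.xs4all.nl/~aroa/uitleg_firewall.htm)
# and the FloppyT 0.9 config.ini by EMJ (www.lintegrate.nl)
# ----------------------------------------------------------------------------

# ============================================================================
# Section 1: Settings for everyone
# ============================================================================

# Setting the verbosity of the firewall startup
# ---------------------------------------------
# Setting verbose to 'y' will list all rules that are set. verbose=n will only
# list those rules that are opening ports, i.e. are dangerous.
# Setting detail to 'y' will list all ports/nets that are blocked for spoofing
# or trojan protection. Only useful for troubleshooting. detail=n will list
# a progress indicator. If verbose=n nothing will be listed, regardless of how
# the detail option is set. Default is verbose=y; detail=n
#
verbose=y
detail=n

# Synchronise time with the Internet
# ----------------------------------
# Setting the option to 'y' will synchronise FloppyT's time to an Internet
# time server once, when the firewall is up and running. Handy for old PCs
# with faulty batteries. You'll also need to set an ntp time server. Defaults:
# synchronise_floppty=y and synchronise_ntp=ntp.xs4all.nl (ntp.planet.nl
# doesn't seem to work...)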
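#
# The key is spelled "synchronise_floppty" (not "floppy") and must stay that
# way, since the firewall script reads it under this name.
synchronise_floppty=y
synchronise_ntp=ntp.xs4all.nl

# Generic protection against spoofing
# -----------------------------------
# Setting this option to 'y' will prevent hackers from using fake IP addresses
# from the reserved address space to break into your network. Default=y
#
spoofing_protection=y

# Block commonly probed ports
# ---------------------------
# This setting will disable incoming connections to ports that are commonly
# probed by hackers. It is especially necessary to set this feature when
# opening ALL unpriv_ports, for instance due to ICQ filetransfer or active FTP
# clients. Default=y
#
refuse_common_ports=y

# Block Trojan-ports
# ------------------
# This setting will disable incoming connections to ports that are known to be
# used by trojans. It is especially necessary to set this feature when opening
# ALL unpriv_ports, for instance due to ICQ filetransfer or active FTP clients.
# Default=y
#
block_trojans=y

# ICMP (Ping) settings
# --------------------
# You can block the ICMP (Ping) requests from other servers, so that FloppyT
# is not visible to others on the Internet. When set to 'n' only pings from
# www.watchmyserver.com (195.179.115.45) will be accepted. Default=y
# Note: that single-host exception is built in, so with accept_pings=n FloppyT
# still answers pings from that one address.
#
accept_pings=y

# Block IP-numbers from certain file
# ----------------------------------
# Read IP addresses from the floppy and block all traffic from these
# IP addresses to FloppyT and your network. The file should be in UNIX style
# and should contain ONE line with all IP addresses, separated by spaces.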
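# Default=n
#
ip_block=n
path_ip_block_file="blockips"

# ============================================================================
# Section 2: Settings for communication from FloppyT to your Internal Network
# ============================================================================

# Open port 67 & 68 (DHCP)
# ------------------------
# Open port 67 & 68 (DHCP) on the inside network for DHCP communication between
# a DHCP server on FloppyT and the DHCP clients on the inside network. You need
# to set this to 'y' ONLY if you use FloppyT as a DHCP server, i.e. use the
# DHCPd package. Default=y
# The default opens these ports; set it to 'n' when the DHCPd package is not
# in use.
dhcp=y

# Open port 514 for remote Syslog
# -------------------------------
# Open port 514 on the inside network for remote Syslogging. You need to set
# this option to 'y' ONLY if you use a remote Syslogger such as Kiwi SysLog.
# You should ALSO set the SYSLOG_FLAGS accordingly! Default=y
# The default opens this port; set it to 'n' when no remote Syslogger is used.
remote_syslog=y

# ============================================================================
# Section 3: Settings for Clients on your Internal network
# ============================================================================

# ICQ filetransfer
# ----------------
# Unfortunately ICQ uses the whole unpriv_port range for client to client
# connections (filetransfer). Enabling this feature will open ALL unpriv_ports.
# Hackers are then able to establish a connection to these ports. When you set
# this option to 'y', make SURE that you use both blocking of commonly probed
# ports & blocking of Trojan-ports. Default=n
#
icq_filetransfer_all=n

# Restricted ICQ filetransfer based on IP-address
# -----------------------------------------------
# Only allow connections to the whole unpriv_port range for certain IP addresses.
# This will still open the whole unpriv_port range, but only to your friends'
# IP addresses. Default=n
#
icq_filetransfer_friends=n
icq_friends="XXX.XXX.XXX.XXX XXX.XXX.XXX.XXX"

# Active FTP client
# -----------------
# Please note that port 20 (ftp-data) for ACTIVE FTP sessions should NOT use
# SYN-filtering. Because of this, we must specifically allow it in! You'd
# better not use active FTP, but set your FTP-client into passive mode.
# Default=n
#
ftp_client=n

# VPN IPsec client
# ----------------
# When using a NAT capable VPN IPsec client (like the Cisco VPN client) for
# connection to a corporate network across the internet, set the VPN_IPsec
# option to 'y'. You may specify to use TCP and/or UDP (separated by spaces)
# in the VPN_IPsec_mode option. VPN_IPsec_ip holds the IP address(es)
# (separated by spaces) of the VPN server(s) you want to connect with.
#
VPN_IPsec=n
VPN_IPsec_mode="UDP"
VPN_IPsec_TCP_port=10000
VPN_IPsec_ip="xxx.xxx.xxx.xxx"

# MSN Messenger [ Still experimental !! ]
# -------------
# msn=y opens port 1863 (TCP) for MSN Messenger
# msn_speech=y opens port 6901 (TCP & UDP) for speech
# msn_n2p=y opens 7801:7825 (TCP) and 6801,2001:2120 (UDP) for Net2Phone
# msn_ft=y opens 6891:6900 (TCP) for File transfer
# Note: msn and msn_ft ship as 'y' here, so those ports are open unless you
# set them to 'n'.
#
msn=y
msn_speech=n
msn_n2p=n
msn_ft=y

# Windows XP Messenger [ Still experimental !! ]
# --------------------
# If you set messenger to 'y' connections to port 5060 (SIP signaling
# in Messenger XP) will be allowed in. If you want to enable audio
# and video connections, you have to set messenger_av to 'y', but this will
# open the whole UDP port range 5004-65535. So make SURE that you have both
# blocking of commonly probed ports & blocking of Trojan-ports enabled when
# using this option. For Application Sharing and WhiteBoard you have to
# set messenger_as_wb to 'y' and set the MESSENGER_IP= to the ONE client that
# wants to use these options. Only ONE client in your inside network can use
# these features. For file transfers set messenger_ft to 'y' and for Remote
# Assistance set messenger_ra to 'y'. File SENDING still does not work...
#
messenger=n
messenger_av=n
messenger_as_wb=n
MESSENGER_IP=192.168.0.xxx
messenger_ft=n
messenger_ra=n

# ============================================================================
# Section 4: Settings for access to Clients/Servers on FloppyT
#
# All settings have a default of 'n'
# ============================================================================

# NTP Client on FloppyT
# ---------------------
# This is NOT needed for synchronisation of FloppyT under section 1. ONLY set
# this option if you want to run a client on FloppyT that requires the NTP
# server to INITIATE the time-updating process. Setting these options allows
# external computers to connect to FloppyT for NTP (time) updates. It opens
# port 123 from the NTP server(s) on the Internet to FloppyT (in TCP and/or
# UDP) mode. ntp_address= may hold multiple NTP server IPs. Defaults:
# ntp_tcp=n & ntp_udp=n
#
ntp_address="ntp.planet.nl ntp.xs4all.nl"
ntp_tcp=n
ntp_udp=n

# SSH daemon on FloppyT
# ---------------------
# If you run an SSH daemon on FloppyT and want to connect to FloppyT using SSH
# from any computer on the Internet, set the ssh option to 'y'. If you run an
# SSH daemon on your Internal network and want to connect to that system from
# over the Internet, also set the ssh_pfw (SSH port forward) to 'y' and supply
# the internal IP address of your SSH daemon. Defaults are: ssh=n & ssh_pfw=n
# Either option exposes the SSH port to the whole Internet; the *_IP values
# are placeholders (192.168.0.XXX) that this file does not validate, so fill
# them in before switching the matching option to 'y'.
#
ssh=n
ssh_pfw=n
SSH_IP=192.168.0.XXX

# ============================================================================
# Section 5: Settings for Servers on your Internal network
#
# All settings have a default of 'n'
#
# Every *_IP below is a placeholder (192.168.0.XXX); replace it with the real
# server address before setting the matching option to 'y'.
# ============================================================================

# FTP Server (port 20 & 21)
# ----------
# To open port 20 & 21 for an active FTP server in your internal network, set
# ftp_active to 'y' and set the FTP_IP to the IP address of your FTP server.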
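#
# If you need to use a passive FTP server, you can set ftp_passive to 'y' and
# set the FTP_IP to the IP address of your FTP server. CAUTION: this will open
# ALL unpriv_ports! Hackers are then able to establish a connection to these
# ports. When you set this option to 'y', make SURE that you use both blocking
# of commonly probed ports & blocking of Trojan-ports.
#
ftp_active=n
ftp_passive=n
FTP_IP=192.168.0.XXX

# Telnet Server (port 23)
# -------------
# To open port 23 for a Telnet server in your internal network, set telnet to
# 'y' and set the TELNET_IP to the IP address of your Telnet server.
# Telnet carries logins in clear text; for remote administration the SSH
# port forward (ssh_pfw in Section 4) is the safer choice.
#
telnet=n
TELNET_IP=192.168.0.XXX

# SMTP Server (port 25)
# -----------
# To open port 25 for an SMTP (mail) server in your internal network, set smtp
# to 'y' and set the SMTP_IP to the IP address of your SMTP server.
#
smtp=n
SMTP_IP=192.168.0.XXX

# DNS Server (port 53)
# ----------
# To open port 53 for a DNS server in your internal network, set dns
# to 'y' and set the DNS_IP to the IP address of your DNS server.
#
dns=n
DNS_IP=192.168.0.XXX

# HTTP Server (port 80)
# -----------
# To open port 80 for an HTTP (web) server in your internal network, set http
# to 'y' and set the WEB_IP to the IP address of your HTTP server.
#
http=n
WEB_IP=192.168.0.XXX

# HTTPS Server (port 443)
# ------------
# To open port 443 for an HTTPS (web) server in your internal network, set https
# to 'y' and set the HTTPS_IP to the IP address of your HTTPS server.
#
https=n
HTTPS_IP=192.168.0.XXX

# POP3 Server (port 110)
# -----------
# To open port 110 for a POP3 server in your internal network, set pop3
# to 'y' and set the POP_IP to the IP address of your POP3 server.
#
pop3=n
POP_IP=192.168.0.XXX

# POP3S Server (port 995)
# ------------
# To open port 995 for a POP3S server in your internal network, set pop3s
# to 'y' and set the POP3S_IP to the IP address of your POP3S server.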
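#
pop3s=n
POP3S_IP=192.168.0.XXX

# Auth/Ident Server (port 113)
# -----------------
# To open port 113 for an Auth/Ident server in your internal network, set auth
# to 'y' and set the AUTH_IP to the IP address of your Auth/Ident server.
# Note that AUTH_IP uses a generic placeholder (XXX.XXX.XXX.XXX) rather than
# the 192.168.0.XXX form used by the other *_IP keys; fill it in all the same.
#
auth=n
AUTH_IP=XXX.XXX.XXX.XXX

# NNTP Server (port 119)
# -----------
# To open port 119 for an NNTP (news) server in your internal network, set nntp
# to 'y' and set the NNTP_IP to the IP address of your NNTP server.
#
nntp=n
NNTP_IP=192.168.0.XXX

# IMAP Server (port 143)
# -----------
# To open port 143 for an IMAP server in your internal network, set imap
# to 'y' and set the IMAP_IP to the IP address of your IMAP server.
#
imap=n
IMAP_IP=192.168.0.XXX

# IMAPS Server (port 993)
# ------------
# To open port 993 for an IMAPS server in your internal network, set imaps
# to 'y' and set the IMAPS_IP to the IP address of your IMAPS server.
#
imaps=n
IMAPS_IP=192.168.0.XXX

# VNC Server
# ----------
# To open port 5900 for a VNC server in your internal network, set
# vnc_with_server to 'y' and set the VNC_IP to the IP address of your VNC
# server.
#
vnc_with_server=n
VNC_IP=192.168.0.XXX

# VNC Web Server
# --------------
# To open port 5800 for a VNC Web server in your internal network, set
# vnc_with_webserver to 'y' and set the VNCWEB_IP to the IP address of your
# VNC Web server.
#
vnc_with_webserver=n
VNCWEB_IP=192.168.0.XXX

# WEBMAIL Server
# --------------
# To open port 5108 for a WEBMAIL server in your internal network, set webmail
# to 'y' and set the WEBMAIL_IP to the IP address of your WEBMAIL server.
#
webmail=n
WEBMAIL_IP=192.168.0.XXX

# WEBNEWS Server
# --------------
# To open port 7119 for a WEBNEWS server in your internal network, set webnews
# to 'y' and set the WEBNEWS_IP to the IP address of your WEBNEWS server.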
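#
webnews=n
WEBNEWS_IP=192.168.0.XXX

# PROXY Server
# ------------
# To open port 8080 for a PROXY server in your internal network, set proxy
# to 'y' and set the PROXY_IP to the IP address of your PROXY server.
# Opening this port makes the proxy reachable from the Internet; make sure
# the proxy itself restricts who may relay through it.
#
proxy=n
PROXY_IP=192.168.0.XXX

# Webmin Server
# -------------
# To open port 10000 for a WEBMIN server in your internal network, set webmin
# to 'y' and set the WEBMIN_IP to the IP address of your WEBMIN server.
# Note: 10000 is also the value of VPN_IPsec_TCP_port in Section 3; check for
# a clash before enabling both.
#
webmin=n
WEBMIN_IP=192.168.0.XXX

# ============================================================================
# Section 6: Some other definitions that don't need to be changed
#
# ============================================================================

# Define local net
# ----------------
# Change only if your local net is different. Default is 192.168.0.0/24
#
LOCAL_NET=192.168.0.0/24

# Port range referred to as "unpriv_ports" by the options in Sections 3 and 5.
unpriv_ports="1024:65535"

# Tool names; presumably resolved via PATH by the firewall script.
path_ipchains=ipchains
path_ipmasqadm=ipmasqadm

# class A private networks
class_a="10.0.0.0/8"

# class B private networks
class_b="172.16.0.0/12"

# class C private networks
class_c="192.168.0.0/16"

# class D multicast addresses
class_d="224.0.0.0/4"

# class E reserved addresses
class_e="240.0.0.0/5"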