This repository has been archived by the owner on Mar 2, 2019. It is now read-only.
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
- Loading branch information
Showing
1 changed file
with
116 additions
and
0 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,116 @@ | ||
| [tollgate] | ||
| ; These are system settings for the firewall controller component of tollgate. | ||
| ; | ||
| ; This is an example configuration. | ||
| ; Please leave it as such in version control. | ||
| ; | ||
| ; This program is free software: you can redistribute it and/or modify | ||
| ; it under the terms of the GNU Affero General Public License as published by | ||
| ; the Free Software Foundation, either version 3 of the License, or | ||
| ; (at your option) any later version. | ||
| ; | ||
| ; This program is distributed in the hope that it will be useful, | ||
| ; but WITHOUT ANY WARRANTY; without even the implied warranty of | ||
| ; MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the | ||
| ; GNU Affero General Public License for more details. | ||
| ; | ||
| ; You should have received a copy of the GNU Affero General Public License | ||
| ; along with this program. If not, see <http://www.gnu.org/licenses/>. | ||
|
|
||
|
|
||
| ; What message to send to reject packets. | ||
| ; `icmp-admin-prohibited` | ||
| ; - is best, however not everything supports it. (RFC 1812, released 1995) | ||
| ; - requires linux kernel >=2.4.21 on firewall (November 2002) | ||
| ; | ||
| ; `icmp-net-unreachable` | ||
| ; - this is the default behaviour. | ||
| ; - everything supports it. | ||
| ; - makes it seem the internet is down or disconnected. | ||
| reject_mode = icmp-net-unreachable | ||
|
|
||
| ; Should TCP RST (reset) packets be used for TCP connections that are denied? | ||
| ; This will terminate open connections that are rejected, and issue "connection | ||
| ; failed" messages. | ||
| ; | ||
| ; This will generally make rejected connections made by software fail a LOT | ||
| ; faster than using ICMP error codes, so it is generally recommended. | ||
| reject_reset_tcp = yes | ||
|
|
||
| ; You shouldn't have to change this. | ||
| ; Set to /bin/echo for debugging | ||
| iptables = /sbin/iptables | ||
|
|
||
| ; Interface that faces the LAN | ||
| internal_iface = eth1 | ||
|
|
||
| ; Interface that faces externally. | ||
| external_iface = eth0 | ||
|
|
||
| ; You shouldn't need to change these... | ||
| allowed_rule = p2_allowed | ||
| unmetered_rule = p2_unmetered | ||
| blacklist_rule = p2_blacklist | ||
| ip4pf_rule = p2_ip4pf | ||
| captive_rule = p2_captive | ||
| user_rule_prefix = p2u_ | ||
| limit_rule_prefix = p2l_ | ||
|
|
||
| ; Enables a debug mode. This causes the backend to print out all the | ||
| ; commands it tries to run. | ||
| debug = yes | ||
|
|
||
| [captive] | ||
| ; Enable support for the captive mode. | ||
| enable = yes | ||
|
|
||
| ; Port number the captive listener is running on. | ||
| ; There should be a web server running redirecting to the "captive landing" page | ||
| ; that listens on this port. In apache2, you should have it listening on port | ||
| ; 81 (or whatever port you set) AS WELL, with a mod_python.cgi to | ||
| ; captive_landing/index.py | ||
| ; | ||
| ; You should change this as appropriate for your setup | ||
| port = 81 | ||
|
|
||
| [unmetered] | ||
| ; These sites are always accessible and are unmetered. | ||
| ; | ||
| ; This can be in some forms, eg: | ||
| ; 172.19.230.1 -- all traffic to a host | ||
| ; 172.19.230.0/24 -- all traffic to a subnet | ||
| ; 172.19.203.1:80 -- all traffic to a host on a port (tcp + udp) | ||
| ; 172.19.203.1:53/udp -- all traffic to a host on a port (udp only) | ||
| ; 172.19.203.1:80/tcp -- all traffic to a host on a port (tcp only) | ||
| ; 172.19.203.1:*/tcp -- all traffic to a host on a protocol | ||
| ; 172.19.203.0/24:80/tcp -- all traffic to a subnet on a port (tcp only) | ||
| ; 0.0.0.0/0:80/tcp -- all traffic on a port (tcp only) | ||
| ; example1:www/tcp -- all traffic to a named host with a named port (tcp only) | ||
| ; | ||
| ; You can use basically any combination of those rulesets. | ||
| ; | ||
| ; DNS names can be used for hosts, however it is NOT RECOMMENDED unless you | ||
| ; are reading entries from your HOSTS file. You can also use names for services | ||
| ; as well. | ||
| ; | ||
| ; Note: these rules are NOT read in any particular order. | ||
|
|
||
| ; Make sure each rule has it's own unique label. | ||
|
|
||
| ; You must make sure the tollgate machine itself is marked as unmetered to | ||
| ; bypass captivity issues | ||
| tollgate = 10.4.0.1 | ||
|
|
||
|
|
||
|
|
||
| [blacklist] | ||
| ; Same format as the unmetered site list. These are ports and sites that will | ||
| ; ALWAYS be blocked. | ||
| ; | ||
| ; As an example, you may want to block access to the ADSL router that this | ||
| ; system is NAT'd behind, or prevent access to an external DNS server (as some | ||
| ; worms will redirect clients to a third-party poisoned DNS server via rogue | ||
| ; DHCP responses) or SMTP mailserver (due to spam). | ||
|
|
||
|
|
||
|
|