##-----------------------------------------------------------------------------
## fli4l __FLI4LVER__ - configuration for package "ipv6"
##
## P L E A S E   R E A D   T H E   D O C U M E N T A T I O N !
##
## B I T T E   U N B E D I N G T   D I E   D O K U M E N T A T I O N   L E S E N !
##
##-----------------------------------------------------------------------------
## Creation:     Christoph Schulz
## Last Update:  $Id$
##
## Copyright (c) 2001-2016 - Frank Meyer, fli4l-Team
##
## This program is free software; you can redistribute it and/or modify
## it under the terms of the GNU General Public License as published by
## the Free Software Foundation; either version 2 of the License, or
## (at your option) any later version.
##-----------------------------------------------------------------------------

#------------------------------------------------------------------------------
# IPv6 general settings
#------------------------------------------------------------------------------
#OPT_IPV6='no'                          # set to 'yes' to activate IPv6 support
#HOSTNAME_IP6='IPV6_NET_1_IPADDR'       # optional, can be used to explicitly set
                                        # the router's IPv6 address; if left empty,
                                        # this setting is taken from the first
                                        # configured /64 IPv6 subnet (see below)

#------------------------------------------------------------------------------
# IPv6 networks
#------------------------------------------------------------------------------
IPV6_NET_N='0'                          # number of IPv6 subnets to configure;
                                        # at least one subnet is necessary to
                                        # create a local IPv6 network!
IPV6_NET_1='::1:0:0:0:1/64'             # The router address and net mask within
                                        # this subnet. If this subnet is associated
                                        # with a tunnel (see IPV6_NET_%_TUNNEL
                                        # below), use an address WITHOUT the subnet
                                        # prefix (which is possibly not known yet
                                        # as it may be dynamically assigned while
                                        # configuring the tunnel); when the
                                        # associated tunnel is set up, its prefix
                                        # will be combined with the address
                                        # specified here to yield a complete
                                        # address.
                                        #
                                        # NOTE that the net mask must be equal to
                                        # 64 if you want to use stateless IPv6
                                        # autoconfiguration!
                                        #
                                        # In this example, a /48 subnet prefix is
                                        # assumed which is extended by the subnet
                                        # '1' and the host part '0:0:0:1'. So with
                                        # e.g. '2001:db8:13bc/48' as subnet prefix,
                                        # the complete address and mask becomes
                                        # '2001:db8:13bc:1::1/64'.
IPV6_NET_1_TUNNEL='1'                   # the index of the associated tunnel; if
                                        # left empty, no tunnel is associated, so
                                        # the address specification above is taken
                                        # "as is" and is not completed by any
                                        # prefix
IPV6_NET_1_DEV='IP_NET_1_DEV'           # interface this subnet is bound to
IPV6_NET_1_ADVERTISE='yes'              # should the subnet prefix be advertised
                                        # automatically via RA in order to enable
                                        # stateless autoconfiguration?
IPV6_NET_1_ADVERTISE_DNS='no'           # should the DNS service be advertised
                                        # within this subnet via RA?
IPV6_NET_1_DHCP='no'                    # should domain and DNS server be available
                                        # via DHCPv6 in this subnet?

#------------------------------------------------------------------------------
# IPv6 tunnels (see documentation for details!)
#------------------------------------------------------------------------------
IPV6_TUNNEL_N='0'                       # number of tunnels to set up
IPV6_TUNNEL_1_TYPE='he'                 # tunnel type ('he' or 'static', see the
                                        # type-specific settings below)
IPV6_TUNNEL_1_LOCALV4='dynamic'         # IPv4 address of the local tunnel endpoint;
                                        # use 'dynamic' for a dial-up connection
IPV6_TUNNEL_1_DEFAULT='yes'             # should this tunnel be used for routing
                                        # IPv6 traffic to/from the Internet?
                                        # NOTE that at most one tunnel can be the
                                        # default one!
#IPV6_TUNNEL_1_DEV='6in4'               # (optional) name of the interface to
                                        # create for this tunnel; if left empty,
                                        # a unique name is generated automatically
#IPV6_TUNNEL_1_MTU='1280'               # (optional) MTU size in bytes for this
                                        # tunnel; the default value of 1280 is
                                        # recommended by many tunnel providers

#------------------------------------------------------------------------------
# when tunnel type is 'static'
#------------------------------------------------------------------------------
#IPV6_TUNNEL_1_REMOTEV4='203.0.113.188' # IPv4 address of the remote tunnel endpoint
#IPV6_TUNNEL_1_LOCALV6='2001:db8:900:530::2/64' # IPv6 address and mask of the local
                                        # tunnel endpoint
#IPV6_TUNNEL_1_REMOTEV6='2001:db8:900:530::1' # IPv6 address of the remote tunnel endpoint
#IPV6_TUNNEL_1_PREFIX='2001:db8:13bc::/48' # the associated subnet prefix

#------------------------------------------------------------------------------
# when tunnel type is 'he'
#------------------------------------------------------------------------------
#IPV6_TUNNEL_1_REMOTEV4='203.0.113.188' # IPv4 address of the remote tunnel endpoint
#IPV6_TUNNEL_1_LOCALV6='2001:db8:900:530::2/64' # IPv6 address and mask of the
                                        # local tunnel endpoint
#IPV6_TUNNEL_1_REMOTEV6='2001:db8:900:530::1' # IPv6 address of the remote tunnel endpoint
#IPV6_TUNNEL_1_PREFIX='2001:db8:13bc/48' # assigned /48 subnet prefix;
                                        # leave empty if you don't have one yet
#IPV6_TUNNEL_1_USERID='userid'          # HE user id (found on the main page after login)
#IPV6_TUNNEL_1_PASSWORD='password'      # HE password; it is stored in clear text
                                        # in this file, so keep the file readable
                                        # by the administrator only
#IPV6_TUNNEL_1_TUNNELID='123456'        # tunnel ID

#------------------------------------------------------------------------------
# Additional IPv6 routes (don't use this for default routes!)
#------------------------------------------------------------------------------
IPV6_ROUTE_N='0'                        # number of routes
IPV6_ROUTE_1='2001:db8:13bc:2::/64 2001:db8:900:530::1' # example route:
                                        # '<destination network> <gateway>'

#------------------------------------------------------------------------------
# Packet filter configuration
#------------------------------------------------------------------------------
# INPUT chain
#------------------------------------------------------------------------------
PF6_INPUT_POLICY='REJECT'               # be nice and use reject as policy
PF6_INPUT_ACCEPT_DEF='yes'              # use default rule set
PF6_INPUT_LOG='no'                      # don't log anything
PF6_INPUT_LOG_LIMIT='3/minute:5'        # log 3 events per minute; allow a burst
                                        # of 5 events
PF6_INPUT_REJ_LIMIT='1/second:5'        # reject 1 connection per second; allow a burst
                                        # of 5 events; otherwise drop packet
PF6_INPUT_UDP_REJ_LIMIT='1/second:5'    # reject 1 udp packet per second; allow a burst
                                        # of 5 events; otherwise drop packet
PF6_INPUT_N='1'                         # number of INPUT rules; only rules 1 to
                                        # PF6_INPUT_N are used, so PF6_INPUT_2 and
                                        # PF6_INPUT_3 below are inactive examples
PF6_INPUT_1='[fe80::0/10] ACCEPT'       # allow all hosts on directly attached links
                                        # (link-local range fe80::/10) to access
                                        # the router
PF6_INPUT_2='IPV6_NET_1 ACCEPT'         # allow all hosts in the first subnet to access
                                        # the router
PF6_INPUT_3='tmpl:samba DROP NOLOG'     # drop (or reject) samba access
PF6_INPUT_3_COMMENT='no samba traffic allowed' # without logging, otherwise the log file will
                                        # be filled with useless entries

#------------------------------------------------------------------------------
# FORWARD chain
#------------------------------------------------------------------------------
PF6_FORWARD_POLICY='REJECT'             # be nice and use reject as policy
PF6_FORWARD_ACCEPT_DEF='yes'            # use default rule set
PF6_FORWARD_LOG='no'                    # don't log anything
PF6_FORWARD_LOG_LIMIT='3/minute:5'      # log 3 events per minute; allow a burst of
                                        # 5 events
PF6_FORWARD_REJ_LIMIT='1/second:5'      # reject 1 connection per second; allow a burst
                                        # of 5 events; otherwise drop packet
PF6_FORWARD_UDP_REJ_LIMIT='1/second:5'  # reject 1 udp packet per second; allow a
                                        # burst of 5 events; otherwise drop packet
PF6_FORWARD_N='2'                       # number of FORWARD rules
PF6_FORWARD_1='tmpl:samba DROP'         # drop samba traffic if it tries to leave the
                                        # subnet
PF6_FORWARD_2='IPV6_NET_1 ACCEPT'       # accept everything else

#------------------------------------------------------------------------------
# OUTPUT chain
#------------------------------------------------------------------------------
PF6_OUTPUT_POLICY='ACCEPT'              # default policy for outgoing packets
PF6_OUTPUT_ACCEPT_DEF='yes'             # use default rule set
PF6_OUTPUT_LOG='no'                     # don't log anything
PF6_OUTPUT_LOG_LIMIT='3/minute:5'       # log 3 events per minute; allow a burst of
                                        # 5 events
PF6_OUTPUT_REJ_LIMIT='1/second:5'       # reject 1 connection per second; allow a burst
                                        # of 5 events; otherwise drop packet
PF6_OUTPUT_UDP_REJ_LIMIT='1/second:5'   # reject 1 udp packet per second; allow a burst
                                        # of 5 events; otherwise drop packet
PF6_OUTPUT_N='0'                        # number of OUTPUT rules

#------------------------------------------------------------------------------
# POSTROUTING chain
#------------------------------------------------------------------------------
PF6_POSTROUTING_N='0'                   # number of POSTROUTING rules; with 0 the
                                        # example rule below is inactive
PF6_POSTROUTING_1='IPV6_NET_1 MASQUERADE' # masquerade traffic leaving the subnet

#------------------------------------------------------------------------------
# PREROUTING chain
#------------------------------------------------------------------------------
PF6_PREROUTING_N='0'                    # number of PREROUTING rules; with 0 the
                                        # example rule below is inactive
PF6_PREROUTING_1='tmpl:ssh [2001:db8::1] DNAT:@client2' # forward ssh connections coming from
                                        # [2001:db8::1] to client2

#------------------------------------------------------------------------------
# PREROUTING_CT chain
#------------------------------------------------------------------------------
PF6_PREROUTING_CT_N='0'                 # number of PREROUTING_CT rules; with 0 the
                                        # example rule below is inactive
PF6_PREROUTING_CT_1='tmpl:ftp any IPV6_NET_1 HELPER:ftp BIDIRECTIONAL' # associate FTP conntrack helper for active
                                        # FTP forwarded into or out of the LAN

#------------------------------------------------------------------------------
# OUTPUT_CT chain
#------------------------------------------------------------------------------
PF6_OUTPUT_CT_N='0'                     # number of OUTPUT_CT rules; with 0 the
                                        # example rule below is inactive
PF6_OUTPUT_CT_1='tmpl:ftp HELPER:ftp'   # associate FTP conntrack helper for outgoing
                                        # active FTP on the router
                                        # (this rule is added automatically by
                                        # the tools package if OPT_FTP='yes'
                                        # and FTP_PF_ENABLE_ACTIVE='yes')

#------------------------------------------------------------------------------
# USER chain
#------------------------------------------------------------------------------
PF6_USR_CHAIN_N='0'                     # number of user-defined chains