Updated alff.conf sample config to new format
authorMichael Schwarz <mschwar2@math.uni-paderborn.de>
Wed, 17 Sep 2014 12:32:17 +0000 (14:32 +0200)
committerMichael Schwarz <mschwar2@math.uni-paderborn.de>
Wed, 17 Sep 2014 12:32:17 +0000 (14:32 +0200)
etc/alff.conf

index c2a77b1..37b5b95 100644 (file)
                 The default is yes. //-->
            <allow_traceroute_udp> yes </allow_traceroute_udp>
 
+        <!-- Allow multicast connections?
+         Decide if you want to allow multicast connections to be allowed.
+         Beware that you have to set up your firewall to be able to do so by your own,
+         if your firewall is a router. In bridge mode it does just work[tm].
+         The default is yes. //-->
+        <allow_multicast> yes </allow_multicast>
+
+        <!-- Remove unreferenced chains?
+         Should alff remove/skip chains which are not referenced at all when computing
+         the final ruleset even if it does contain (unreachable) rules?
+         The default is 'no'.
+        //-->
+        <suppress_unreferenced_chains> yes </suppress_unreferenced_chains>
+
+        <suppress_empty_chains> yes </suppress_empty_chains>
+       
+
                <!-- Your DHCP server(s)
                Provide a list of the IPs of your DHCP server in your network, one per row.
                Connections from udp port 67 to $server:68/udp and vice versa will be allowed.
                //-->
 <!--       <dhcp_server> 192.168.42.1 </dhcp_server> //-->
 <!--       <dhcp_server> fe80::42:1 </dhcp_server> //-->
+
+        <!-- Support IPv6 Nat
+         If this option is set to yes, alff will generate rules containing the nat-table
+         even for ipv6. These rulesets will fail to load on firewalls running kernel versions
+         lower than 3.7. So use with care ;)
+        //-->
+        <support_ipv6_nat> no </support_ipv6_nat>
+
   </options>
 
        <plugins>
                         it will just skip this chain to simplify your ruleset and speed up rule processing.
                         The default is 'no'.
                        //-->
-                       <remove_empty_chains> no </remove_empty_chains>
+                       <remove_empty_chains> yes </remove_empty_chains>
+
+            <!-- Should classifyInterVlanTraffic create chains like mynet_to_mynet?
+             If you say 'yes' the plugin will create chains to handle traffic from a network into the same
+             network, like 'myNet_to_myNet'. You may want this if your firewall is a bridge or you have some
+             "interesting" routing configured in your network.
+             The default is 'no'.
+            //-->
+            <force_x_to_x_chains> no </force_x_to_x_chains>
+
                </classifyInterVlanTraffic>
 
+        <createChainTcpScanHandling>
+            <!-- Should TCP-Scans be logged to syslog? By default this value is set to yes -->
+            <log_scans> yes </log_scans>
+
+            <!-- Should we drop any detected scans? By default this value is set to yes -->
+            <drop_scans> yes </drop_scans>
+
+            <!-- Should scan detection be done for packets desired for the firewall itself? -->
+            <hook_in_input> yes </hook_in_input>
+
+            <!-- Should scan detection be done for packets trespassing the firewall? -->
+            <hook_in_forward> yes </hook_in_forward>
+        </createChainTcpScanHandling>
+
                <!-- Configuration options for the 'create_traffic_logging_rules' plugin.
                     Only valid if the plugin is used //-->
                <create_traffic_logging_rules>
                <desc> my ISP network </desc>
                <network> 123.234.42.0/22 </network>
                <network> 123.234.112.0/20 </network>
-               <interface> ppp0 </interface>
        </vlan>
 //-->
 
                <id> 42 </id>
                <network> 192.168.42.0/24 </network>
                <desc> my Home network </desc>
-               <interface> eth0 </interface>
                <filtered> yes </filtered>
                <trusted> yes </trusted>
        </vlan>
 //-->
 
-<!--   <vlan>
-               <id> 23 </id>
-               <network> 192.168.23.0/23 </network>
-               <desc> my hacking lab network </desc>
-               <filtered> yes </filtered>
-       </vlan>
-//-->
-
 <!--
-       <machine id="fw1">
-               <hostname> fw1.example.com </hostname>
-               <ip> 192.168.1.2 </ip>
-               <desc> My main firewall </desc>
-       </machine>
-
-       <machine id="firewall2">
-               <hostname> firewall2.example.com </hostname>
-               <ip> 192.168.1.3 </ip>
-               <desc> My backup firewall </desc>
-       </machine>
+       <sites>
+               <site id="A">
+                       <machines>
+                               <machine id="fw1">
+                                       <hostname> fw1.example.com </hostname>
+                                       <ip> 192.168.1.2 </ip>
+                                       <ip6> 2001:db8::1:2 </ip6>
+                                       <desc> My main firewall </desc>
+                               </machine>
+                       
+                               <machine id="firewall2">
+                                       <hostname> firewall2.example.com </hostname>
+                                       <ip> 192.168.1.3 </ip>
+                                       <ip6> 2001:db8::1:3 </ip6>
+                                       <desc> My backup firewall </desc>
+                               </machine>
+                       </machines>
+                       <interface_map>
+                               <vlan id="ISP">
+                                       <interface>ppp0</interface>
+                                       <default/>
+                               </vlan>
+                               <vlan id="42">
+                                       <interface>eth0</interface>
+                               </vlan>
+                       </interface_map>
+               </site>
+       </sites>
 //-->
 
 </alff_config>
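Review bot: `<suppress_empty_chains> yes </suppress_empty_chains>` in the first hunk is the only option in this sample with no explanatory comment, while its neighbours each state purpose and default, and nothing tells a reader how it relates to the plugin-level `<remove_empty_chains> yes </remove_empty_chains>` switched on later in the same commit. A comment in the file's existing style would close that gap, e.g. `<!-- Suppress empty chains? Skip chains which contain no rules at all when computing the final ruleset. The default is <TODO: state default>. //-->`. The comment directly above says the default for suppress_unreferenced_chains is 'no' while the sample sets it to 'yes', which means copying the sample unchanged drops unreferenced chains even when they still hold (unreachable) rules; changing that comment line to `The default is 'no'; this sample enables it.` makes the non-default explicit. The multicast text `Decide if you want to allow multicast connections to be allowed.` reads doubled and could become `Decide whether multicast connections should be allowed.`. The enclosing `<options>` element opens outside the hunk, and the whitespace-only line after suppress_empty_chains can be dropped.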