# this file maintained at http://git.mdcc.cx/uruk.git
# Sample Uruk rc file

# Copyright (C) 2003 Stichting LogReport Foundation logreport@logreport.org
# Copyright (C) 2003, 2004 Tilburg University http://www.uvt.nl/
# Copyright (C) 2003, 2004, 2005, 2010 Joost van Baal
# Copyright (C) 2012, 2013, 2014 Joost van Baal-Ilić
#
# This file is free software; you can redistribute it and/or modify it under
# the terms of the GNU General Public License as published by the Free
# Software Foundation, either version 3 of the License, or (at your option)
# any later version.
#
# This file is distributed in the hope that it will be useful, but WITHOUT ANY
# WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS
# FOR A PARTICULAR PURPOSE.  See the GNU GPL for more details.
#
# You should have received a copy of the GNU GPL along with this file, see
# e.g. the file named COPYING.  If not, see <http://www.gnu.org/licenses/>.


##########
# preamble
##########

# Uruk version compatibility of this rc file
# (actually, likely works with version=20071030 too)
version=20140319

# Log denied packets, which are targetted at one of our IPs.  Do not log
# blocked broadcasts.
loglevel=30


###############################
# define our network interfaces
###############################

# List of network interfaces.  lo should not be in this list (see below). For
# every interface <if>, variables ip_<if>, bcast_<if> and net_<if> should be
# defined.
interfaces="eth0 eth1"

# List of network interfaces we want uruk to leave alone: all traffic on these
# interfaces will be trusted and accepted.  By default, interfaces_unprotect=lo
#
interfaces_unprotect="lo sit0 eth3"


###############################################
# assign IPs and networks to network interfaces
###############################################

# this helper sets ip_<if> and net_<if>
. /lib/uruk/init/autodetect-ips

# alternatively, explicitly list adresses manually, by setting ip_<stuff>,
# ip6_<stuff>, net_<stuff> and net6_<stuff>, like this:

ips_eth0=default
# For each interface <if> in interfaces, ip_<if> and net_<if> should be
# defined
ip_eth0_default=10.56.0.201
# Supply IPv6 addresses like this:
ip6_eth0_default=2006:488:1a9b::4a54:e8ff:fe2b:f25c # (aka 2006:488:1a9b:0:4a54:e8ff:fe2b:f25c)
# NB: /sbin/ip6tables (as shipped with e.g. iptables 1.4.8-2) understands
# both full and abbreviated IPv6 names.
ips_eth1="default local"
ip_eth1_default=192.168.0.4
ip_eth1_local=10.0.0.1

# To which network does this interface belong?  Should be one of
# 0.0.0.0/0 (aka 0/0) 10.0.0.0/8 (aka 10./8) 172.16.0.0/12 (aka 172.16./12)
# 192.168.0.0/16 (aka 192.168./16) . Used to decide wether a
# packet for this interface is spoofed, and therefore should get dropped.
# NB: /sbin/iptables (as shipped with e.g. iptables 1.4.8-2) understands
# full names only.
net_eth0_default=0.0.0.0/0
net_eth1_default=192.168.0.0/16
net_eth1_local=10.0.0.0/8

# Subset of named IPs per interface, which should drop broadcast and multicast packets
bcasts_eth1="local"
bcast_eth1_local="10.255.255.255"

# For each interface <if> in interfaces_nocast, bcast_<if> should be defined
bcast_eth0_default=10.56.255.255


#########################################
# optionally, define some shell variables
#########################################

# You can define any shell variable, and reference it later on
localnet="10.56.0.0/16"
all4=0.0.0.0/0


#####################################################
# finally, define allowed services, sources and ports
#####################################################

# For each interface, and for both tcp and udp, symbolic names of (sets of)
# services could be defined, in variables services_<if>_{tcp,udp}.
services_eth0_default_tcp="mail local public"

# For every servicesetname <s>, every interface <if>, and tcp and/or udp, a
# list of allowed source addresses should be defined in a variable
# sources_<if>_{tcp,udp}_<s> .  Furthermore a list of ports should be defined
# in a variable ports_<if>_{tcp,udp}_<s> .

# A valid source is 192.168.6.26, another valid source is 192.168.6.0/24.
# One can add DNS domainnames like gandalf.example.com too: iptables will
# perform a DNS lookup
# Supply IPv6 addresses like e.g. this:
# "::/0" # aka 0000:0000:0000:0000:0000:0000:0000:0000/0
sources_eth0_default_tcp_mail="10.0.0.0/24 192.0.32.0/24 192.168.6.26"
sources_eth0_default_tcp_local="$localnet gandalf.example.com"
sources_eth0_default_tcp_public="$all4 ::/0"

# Symbolic port names are fine.
ports_eth0_default_tcp_mail=smtp
ports_eth0_default_tcp_local="ssh ftp"
ports_eth0_default_tcp_public=www

services_eth0_default_udp="syslog local"

sources_eth0_default_udp_syslog="10.56.0.10/32 2001:db8::/32"
sources_eth0_default_udp_local=$localnet

ports_eth0_default_udp_syslog="syslog"
# Port ranges are allowed too
ports_eth0_default_udp_local="ntp 605:608 853:876"