# this file maintained at http://git.mdcc.cx/uruk.git
# Sample Uruk rc file
# Copyright (C) 2003 Stichting LogReport Foundation logreport@logreport.org
# Copyright (C) 2003, 2004 Tilburg University http://www.uvt.nl/
# Copyright (C) 2003, 2004, 2005, 2010 Joost van Baal
# Copyright (C) 2012, 2013, 2014 Joost van Baal-Ilić
#
# This file is free software; you can redistribute it and/or modify it under
# the terms of the GNU General Public License as published by the Free
# Software Foundation, either version 3 of the License, or (at your option)
# any later version.
#
# This file is distributed in the hope that it will be useful, but WITHOUT ANY
# WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS
# FOR A PARTICULAR PURPOSE. See the GNU GPL for more details.
#
# You should have received a copy of the GNU GPL along with this file, see
# e.g. the file named COPYING. If not, see http://www.gnu.org/licenses/ .
##########
# preamble
##########
# Uruk version this rc file is written for.
# (It most likely also works with version=20071030.)
version='20140319'
# Log denied packets that are targeted at one of our own IPs; do not log
# blocked broadcasts.
loglevel='30'
###############################
# define our network interfaces
###############################
# Interfaces uruk should protect. Keep lo out of this list (it belongs in
# interfaces_unprotect, below). Every interface IF named here needs its
# ip_IF_*, net_IF_* and (where broadcasts are to be dropped) bcast_IF_*
# variables set in the next section.
interfaces='eth0 eth1'
# Interfaces uruk leaves completely alone: every packet arriving on them is
# trusted and accepted unconditionally, without any of the source or port
# restrictions configured further down. Only list interfaces whose far end
# you trust as much as this host itself. The default is
# interfaces_unprotect=lo.
interfaces_unprotect='lo sit0 eth3'
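###############################################
# assign IPs and networks to network interfaces
###############################################
# This helper sets the ip_* and net_* variables from the running system.
. /lib/uruk/init/autodetect-ips
# Alternatively, list the addresses by hand, by setting ips_IF, ip_IF_NAME,
# ip6_IF_NAME, net_IF_NAME and net6_IF_NAME as done below. NB: these are
# plain shell assignments, so anything set here overrides whatever the
# helper above detected for the same variable -- when both are used, as in
# this sample, the manual values win.
ips_eth0=default
# For each interface IF in $interfaces and each NAME in ips_IF, ip_IF_NAME
# and net_IF_NAME must be defined.
ip_eth0_default=10.56.0.201
# IPv6 addresses go in ip6_IF_NAME. The example uses the RFC 3849
# documentation prefix 2001:db8::/32 rather than a real assigned prefix.
ip6_eth0_default=2001:db8:1a9b::4a54:e8ff:fe2b:f25c # (aka 2001:db8:1a9b:0:4a54:e8ff:fe2b:f25c)
# NB: /sbin/ip6tables (as shipped with e.g. iptables 1.4.8-2) understands
# both full and abbreviated IPv6 notation.
ips_eth1="default local"
ip_eth1_default=192.168.0.4
ip_eth1_local=10.0.0.1
# To which network does this interface belong? Typically one of
# 0.0.0.0/0, 10.0.0.0/8, 172.16.0.0/12 or 192.168.0.0/16. Uruk uses it to
# decide whether a packet arriving on this interface is spoofed and should
# be dropped.
# NB: /sbin/iptables (as shipped with e.g. iptables 1.4.8-2) accepts the
# full dotted-quad form only; the short forms 0/0, 10./8, 172.16./12 and
# 192.168./16 seen in prose are NOT accepted here.
# NB: 0.0.0.0/0 contains every address, so as far as this spoof check goes
# nothing on eth0 is ever considered spoofed. That is the expected setting
# for the upstream/Internet-facing interface; do not use it on an internal
# interface, where the real network prefix gives you the protection.
net_eth0_default=0.0.0.0/0
net_eth1_default=192.168.0.0/16
net_eth1_local=10.0.0.0/8
# Subset of the named IPs per interface on which broadcast and multicast
# packets are to be dropped, plus the broadcast address for each of them.
bcasts_eth1="local"
bcast_eth1_local="10.255.255.255"
# NOTE(review): the original sample referred to an interfaces_nocast list
# here, which is not set anywhere in this file; bcast_IF_NAME is defined
# for eth0 as well, presumably for the same purpose -- confirm against the
# uruk version in use.
bcast_eth0_default=10.56.255.255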
#########################################
# optionally, define some shell variables
#########################################
# This file is read by the shell, so any variable defined here can be
# referenced further down as $name.
localnet='10.56.0.0/16'
all4='0.0.0.0/0'
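#####################################################
# finally, define allowed services, sources and ports
#####################################################
# For each interface IF, named address NAME and protocol (tcp, udp), the
# variable services_IF_NAME_{tcp,udp} lists symbolic names of service sets.
services_eth0_default_tcp="mail local public"
# For every service set SET, the allowed source addresses go in
# sources_IF_NAME_{tcp,udp}_SET and the allowed ports in
# ports_IF_NAME_{tcp,udp}_SET.
# Valid sources are single addresses (192.168.6.26) and CIDR networks
# (192.168.6.0/24). IPv6 sources are written the same way, e.g. "::/0"
# (aka 0000:0000:0000:0000:0000:0000:0000:0000/0) or 2001:db8::/32.
# DNS names such as gandalf.example.com are accepted too, but think twice:
# iptables resolves the name once, when the rule is loaded, so the rule
# ends up allowing whatever addresses the resolver returned at that moment
# (all of them, if several), not "the host" -- whoever can influence that
# DNS answer picks the allowed source. The iptables manual calls remote
# name resolution in rules "a really bad idea". Loading the rules also
# fails if the name cannot be resolved at that time, e.g. when the firewall
# starts before the network or DNS is up. Prefer literal addresses for
# anything guarding a sensitive port.
sources_eth0_default_tcp_mail="10.0.0.0/24 192.0.32.0/24 192.168.6.26"
sources_eth0_default_tcp_local="$localnet gandalf.example.com"
sources_eth0_default_tcp_public="$all4 ::/0"
# Symbolic service names and plain port numbers are both fine.
ports_eth0_default_tcp_mail=smtp
# NOTE(review): ftp carries credentials in the clear; it is kept here as an
# example only -- drop it from a production rc unless you really need it.
ports_eth0_default_tcp_local="ssh ftp"
ports_eth0_default_tcp_public=www
services_eth0_default_udp="syslog local"
sources_eth0_default_udp_syslog="10.56.0.10/32 2001:db8::/32"
sources_eth0_default_udp_local=$localnet
ports_eth0_default_udp_syslog="syslog"
# Port ranges are written low:high.
ports_eth0_default_udp_local="ntp 605:608 853:876"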