mirror of
https://gitlab.archlinux.org/archlinux/infrastructure.git
synced 2025-01-18 08:06:16 +01:00
98 lines
3.3 KiB
Django/Jinja
98 lines
3.3 KiB
Django/Jinja
# firewalld config file
|
|
|
|
# default zone
|
|
# The default zone used if an empty zone string is used.
|
|
# Default: public
|
|
DefaultZone=public
|
|
|
|
# Clean up on exit
|
|
# If set to no or false the firewall configuration will not get cleaned up
|
|
# on exit or stop of firewalld.
|
|
# Default: yes
|
|
CleanupOnExit=yes
|
|
|
|
# Clean up kernel modules on exit
|
|
# If set to yes or true the firewall related kernel modules will be
|
|
# unloaded on exit or stop of firewalld. This might attempt to unload
|
|
# modules not originally loaded by firewalld.
|
|
# Default: no
|
|
CleanupModulesOnExit=no
|
|
|
|
# Lockdown
|
|
# If set to enabled, firewall changes with the D-Bus interface will be limited
|
|
# to applications that are listed in the lockdown whitelist.
|
|
# The lockdown whitelist file is lockdown-whitelist.xml
|
|
# Default: no
|
|
Lockdown=no
|
|
|
|
# IPv6_rpfilter
|
|
# Performs a reverse path filter test on a packet for IPv6. If a reply to the
|
|
# packet would be sent via the same interface that the packet arrived on, the
|
|
# packet will match and be accepted, otherwise dropped.
|
|
# The rp_filter for IPv4 is controlled using sysctl.
|
|
# Note: This feature has a performance impact. See man page FIREWALLD.CONF(5)
|
|
# for details.
|
|
# Default: yes
|
|
IPv6_rpfilter=yes
|
|
|
|
# IndividualCalls
|
|
# Do not use combined -restore calls, but individual calls. This increases the
|
|
# time that is needed to apply changes and to start the daemon, but is good for
|
|
# debugging.
|
|
# Default: no
|
|
IndividualCalls=no
|
|
|
|
# LogDenied
|
|
# Add logging rules right before reject and drop rules in the INPUT, FORWARD
|
|
# and OUTPUT chains for the default rules and also final reject and drop rules
|
|
# in zones. Possible values are: all, unicast, broadcast, multicast and off.
|
|
# Default: off
|
|
LogDenied=off
|
|
|
|
# FirewallBackend
|
|
# Selects the firewall backend implementation.
|
|
# Choices are:
|
|
# - nftables (default)
|
|
# - iptables (iptables, ip6tables, ebtables and ipset)
|
|
# Note: The iptables backend is deprecated. It will be removed in a future
|
|
# release.
|
|
FirewallBackend=nftables
|
|
|
|
# FlushAllOnReload
|
|
# Flush all runtime rules on a reload. In previous releases some runtime
|
|
# configuration was retained during a reload, namely; interface to zone
|
|
# assignment, and direct rules. This was confusing to users. To get the old
|
|
# behavior set this to "no".
|
|
# Default: yes
|
|
FlushAllOnReload=yes
|
|
|
|
# ReloadPolicy
|
|
# Policy during reload. By default all traffic except for established
|
|
# connections is dropped while the rules are updated. Set to "DROP", "REJECT"
|
|
# or "ACCEPT". Alternatively, specify it per table, like
|
|
# "OUTPUT:ACCEPT,INPUT:DROP,FORWARD:REJECT".
|
|
# Default: ReloadPolicy=INPUT:DROP,FORWARD:DROP,OUTPUT:DROP
|
|
ReloadPolicy=INPUT:DROP,FORWARD:DROP,OUTPUT:DROP
|
|
|
|
# RFC3964_IPv4
|
|
# As per RFC 3964, filter IPv6 traffic with 6to4 destination addresses that
|
|
# correspond to IPv4 addresses that should not be routed over the public
|
|
# internet.
|
|
# Defaults to "yes".
|
|
RFC3964_IPv4=yes
|
|
|
|
# NftablesFlowtable
|
|
# This may improve forwarded traffic throughput by enabling nftables flowtable.
|
|
# It is a software fastpath and avoids calling nftables rule evaluation for
|
|
# data packets. This only works for TCP and UDP traffic.
|
|
# The value is a space separated list of interfaces.
|
|
# Example value "eth0 eth1".
|
|
# Defaults to "off".
|
|
NftablesFlowtable=off
|
|
|
|
# NftablesCounters
|
|
# If set to yes, add a counter to every nftables rule. This is useful for
|
|
# debugging and comes with a small performance cost.
|
|
# Defaults to "no".
|
|
NftablesCounters=no
|