ip-array_defaults.conf — Configuration of ip-array default settings
/etc/ip-array/ip-array_defaults.conf
The purpose of this file is to configure the basic (default) settings of ip-array. They are used for both the stable and the test configuration. The file uses bash shell syntax. Many of the configuration variables can also be set on the command line.
ENABLE_COLORS
Mandatory: no. Defaults to `0' if unset.
Allowed values: `0' or `1'.
Purpose: Enable or disable IP-Array coloured output.
ENABLE_SYSLOG
Mandatory: no. Defaults to `0' if unset.
Allowed values: `0' or `1'.
Purpose: Enable or disable logging of IP-Array's output to syslog using the logger utility.
LOG_FACILITY
Mandatory: no. Defaults to `local0' if unset.
Allowed values: auth, authpriv (for security information of a sensitive nature), cron, daemon, ftp, kern, lpr, mail, news, security (deprecated synonym for auth), syslog, user, uucp, local0 to local7 inclusive.
Purpose: Configure IP-Array's syslog logging facility.
VERBOSE
Mandatory: no. Defaults to `6' if unset.
Allowed values: `0' to `8'.
Purpose: Control level of IP-Array's output verbosity.
With a non-zero environment variable `DEBUG_INFO', additional processing (debugging) information is printed.
The levels, from lowest to highest:
  No messages are shown. Exit status indicates success or failure.
  Shows start and end message and errors.
  Main title and warning messages are also shown.
  Subtitle messages are shown in addition.
  Info title, config and rule file loading messages are shown additionally.
  Also show notice messages.
  Verbose output.
  Also show IP-Array internals.
  Debug mode (set -x). With a non-zero environment variable `DEBUG_INFO', a debugging `PS4' is set.
  More verbose debug mode (set -vx).
SYSLOG_VERBOSE
Mandatory: no. Defaults to `1' if unset.
Allowed values: `0' to `6'.
Purpose: Control verbosity level of IP-Array's syslog logging.
The levels, from lowest to highest:
  Error messages are shown.
  Main title and warning messages are shown.
  Subtitle messages are shown in addition.
  Info title, config and rule file loading messages are shown additionally.
  Also show notice messages.
  Verbose output.
  Also show IP-Array internals.
COLOR_MSG_MAIN_TITLE
Mandatory: no. Defaults to `magenta' if unset.
Allowed values: black, blue, cyan, green, magenta, red, white, yellow.
Purpose: Set color for title messages.
COLOR_MSG_SUBTITLE
Mandatory: no. Defaults to `blue' if unset.
Allowed values: black, blue, cyan, green, magenta, red, white, yellow.
Purpose: Set color for sub title messages.
COLOR_MSG_INFO_TITLE
Mandatory: no. Defaults to `cyan' if unset.
Allowed values: black, blue, cyan, green, magenta, red, white, yellow.
Purpose: Set color for info title messages.
COLOR_MSG_ERROR
Mandatory: no. Defaults to `red' if unset.
Allowed values: black, blue, cyan, green, magenta, red, white, yellow.
Purpose: Set color for error messages.
COLOR_MSG_WARNING
Mandatory: no. Defaults to `yellow' if unset.
Allowed values: black, blue, cyan, green, magenta, red, white, yellow.
Purpose: Set color for warning messages.
COLOR_MSG_NOTICE
Mandatory: no. Defaults to `white' if unset.
Allowed values: black, blue, cyan, green, magenta, red, white, yellow.
Purpose: Set color for notice messages.
COLOR_MSG_CONFIG_LOAD
Mandatory: no. Defaults to `green' if unset.
Allowed values: black, blue, cyan, green, magenta, red, white, yellow.
Purpose: Set color for configuration file loading messages.
COLOR_MSG_RULE_LOAD
Mandatory: no. Defaults to `yellow' if unset.
Allowed values: black, blue, cyan, green, magenta, red, white, yellow.
Purpose: Set color for rule file loading messages.
AUTO_GET_PROGS
Mandatory: no - defaults to `1'.
Allowed values: `0' or `1'.
Purpose: Configure whether IP-Array should try to find the mandatory programs automatically (they must be in $PATH). If disabled (set to `0'), the program name variables (below) must be configured manually.
AT
Mandatory: yes
Allowed values: A valid path to the at executable file (e.g. /usr/bin/at), or just the name of the program, if it is found in $PATH and you do not want to use absolute paths.
CAT
Mandatory: yes
Allowed values: A valid path to the cat executable file (e.g. /bin/cat), or just the name of the program, if it is found in $PATH and you do not want to use absolute paths.
DATE
Mandatory: yes
Allowed values: A valid path to the date executable file (e.g. /bin/date), or just the name of the program, if it is found in $PATH and you do not want to use absolute paths.
DIALOG
Mandatory: no (a dialog program is only required in interactive mode; it can be either dialog or whiptail)
Allowed values: A valid path to the dialog executable file (e.g. /usr/bin/dialog), or just the name of the program, if it is found in $PATH and you do not want to use absolute paths.
DIFF
Mandatory: yes
Allowed values: A valid path to the diff executable file (e.g. /usr/bin/diff), or just the name of the program, if it is found in $PATH and you do not want to use absolute paths.
FIND
Mandatory: yes
Allowed values: A valid path to the find executable file (e.g. /usr/bin/find), or just the name of the program, if it is found in $PATH and you do not want to use absolute paths.
GREP
Mandatory: yes
Allowed values: A valid path to the grep executable file (e.g. /bin/grep), or just the name of the program, if it is found in $PATH and you do not want to use absolute paths.
IP
Mandatory: yes
Allowed values: A valid path to the ip executable file (e.g. /sbin/ip), or just the name of the program, if it is found in $PATH and you do not want to use absolute paths.
IPSET
Mandatory: no
Allowed values: A valid path to the ipset executable file (e.g. /sbin/ipset), or just the name of the program, if it is found in $PATH and you do not want to use absolute paths.
IPT
Mandatory: yes
Allowed values: A valid path to the iptables executable file (e.g. /sbin/iptables), or just the name of the program, if it is found in $PATH and you do not want to use absolute paths.
LOGGER
Mandatory: no
Allowed values: A valid path to the logger executable file (e.g. /usr/bin/logger), or just the name of the program, if it is found in $PATH and you do not want to use absolute paths.
LSMOD
Mandatory: yes
Allowed values: A valid path to the lsmod executable file (e.g. /sbin/lsmod), or just the name of the program, if it is found in $PATH and you do not want to use absolute paths.
MODPROBE
Mandatory: yes
Allowed values: A valid path to the modprobe executable file (e.g. /sbin/modprobe), or just the name of the program, if it is found in $PATH and you do not want to use absolute paths.
NFACCT
Mandatory: no
Allowed values: A valid path to the nfacct executable file (e.g. /usr/sbin/nfacct), or just the name of the program, if it is found in $PATH and you do not want to use absolute paths.
RM
Mandatory: yes
Allowed values: A valid path to the rm executable file (e.g. /bin/rm), or just the name of the program, if it is found in $PATH and you do not want to use absolute paths.
IPT_SAVE
Mandatory: yes
Allowed values: A valid path to the iptables-save executable file (e.g. /sbin/iptables-save), or just the name of the program, if it is found in $PATH and you do not want to use absolute paths.
This variable is only used by the IP-Array init script. It is not globally available.
IPT_RESTORE
Mandatory: yes
Allowed values: A valid path to the iptables-restore executable file (e.g. /sbin/iptables-restore), or just the name of the program, if it is found in $PATH and you do not want to use absolute paths.
This variable is only used by the IP-Array init script. It is not globally available.
SORT
Mandatory: yes
Allowed values: A valid path to the sort executable file (e.g. /usr/bin/sort), or just the name of the program, if it is found in $PATH and you do not want to use absolute paths.
TC
Mandatory: no
Allowed values: A valid path to the tc executable file (e.g. /sbin/tc), or just the name of the program, if it is found in $PATH and you do not want to use absolute paths.
UNAME
Mandatory: yes
Allowed values: A valid path to the uname executable file (e.g. /bin/uname), or just the name of the program, if it is found in $PATH and you do not want to use absolute paths.
WHIPTAIL
Mandatory: no (a dialog program is only required in interactive mode; it can be either dialog or whiptail)
Allowed values: A valid path to the whiptail executable file (e.g. /usr/bin/whiptail), or just the name of the program, if it is found in $PATH and you do not want to use absolute paths.
BASE_DIR
Mandatory: no - defaults to /etc/ip-array.
Allowed values: A valid path (e.g. /etc/ip-array).
IP-Array base directory.
CONFIG
Mandatory: no - defaults to ip-array.conf.
Allowed values: A valid filename (e.g. ip-array.conf).
Name of the main configuration file.
CONF_DIR
Mandatory: no - defaults to conf.d.
Allowed values: A valid directory name (e.g. conf.d).
The configuration directory must be below BASE_DIR.
LIB_DIR
Mandatory: no - defaults to /usr/lib/ip-array.
Allowed values: A valid path (e.g. /usr/lib/ip-array).
Library directory used for the IP-Array function files.
LOCK_DIR
Mandatory: no - defaults to /var/run.
Allowed values: A valid path (e.g. /var/run).
Directory to put the IP-Array PID file into.
SHARE_DIR
Mandatory: no - defaults to /usr/share/ip-array.
Allowed values: A valid path (e.g. /usr/share/ip-array).
Data directory.
SAVE_FILE
Mandatory: no - defaults to iptables_ruleset.save.
Allowed values: A valid filename (e.g. iptables_ruleset.save).
File to save the ruleset into. Applies to all the save* parameters.
IPSET_SAVE_FILE
Mandatory: no - defaults to ipset_ruleset.save.
Allowed values: A valid filename (e.g. ipset_ruleset.save).
File to write the ipset save output into when IP-Array is executed with the 'save' startup parameter, and to load from when restoring with the 'restore' parameter.
RULESETFILE
Mandatory: no - defaults to ip-array_commands.bash.
Allowed values: A valid filename (e.g. ip-array_commands.bash).
File where the generated commands will be saved when executing IP-Array with one of the 'save[ -iptables | -modprobe | -sysctl | -tc | -shaping ]-commands' parameters. The target directory will be $BASE_DIR/save.d.
DIFF_FILE
Mandatory: no - defaults to iptables_ruleset_saved_for_diff.
Allowed values: A valid filename (e.g. iptables_ruleset_saved_for_diff).
File to save the iptables rule listing (iptables -S, or -nL on old systems where -S is not available) into after applying the rules. The target directory will be $BASE_DIR/save.d.
This file is used to check for differences to the currently active ruleset when using the 'diff-last-activated' startup parameter.
SERVICES
Mandatory: no - defaults to /etc/services.
Allowed values: A valid path to the services file (most likely /etc/services).
Purpose: Configure the location of the services file (containing service definitions).
PROTOCOLS
Mandatory: no - defaults to /etc/protocols.
Allowed values: A valid path to the protocols file (most likely /etc/protocols).
Purpose: Configure the location of the protocols file (containing protocol definitions).
KNOWN_GOOD_RULESET
Mandatory: no - defaults to KNOWN_GOOD_RULESET.save.
Allowed values: A valid filename (e.g. KNOWN_GOOD_RULESET.save).
File to save the currently active 'known good' ruleset into. This file will be used to restore the ruleset on 'start', if RESTORE_ON_START is enabled.
RESTORE_ON_START
Mandatory: no - defaults to `0'.
Allowed values: `0' to disable, `1' to enable.
Loads the ruleset saved into $KNOWN_GOOD_RULESET if IP-Array is started with the `start' parameter (faster startup, also called quick start).
RELOAD_TIME
Mandatory: no - defaults to 7.
Allowed values: Any value greater than 1.
Time period after which the previously saved ruleset will be restored when using the 'test' startup parameter.
If iptables-save or iptables-restore fails for some reason, the 'test' parameter will not work, so this setting will not have the desired effect.
GEN_FORMAT
Mandatory: no - defaults to `cmd'.
Allowed values: `cmd': generated commands will be saved as a list of commands. `ipt': generated commands will be saved in iptables-save format (faster loading time).
IPTSAVE_FAILS
Mandatory: no - defaults to `0'.
Allowed values: `0' or `1'.
Enable this if saving or restoring with iptables-save or iptables-restore fails for some reason.
Any startup mode that uses iptables-save or iptables-restore will not work in that case.
USE_IPSET
Mandatory: no - defaults to `0'.
Allowed values: `0' or `1'.
Enable or disable the usage of ipset.
MAX_SETS
Mandatory: no - defaults to `256'.
Allowed values: The value compiled into your kernel.
The maximum number of ipset sets to create.
SYNTAX_CHECK
Mandatory: no - defaults to `1'.
Allowed values: `0' or `1'.
Purpose: Perform a bash grammar check before sourcing or executing files. The grammar check is done using `bash -n file'. It is therefore very basic and may not catch all errors (as described in `man bash').
DIALOG_PROG
Mandatory: no - defaults to `$DIALOG'.
Allowed values: empty (make sure one of the variables DIALOG or WHIPTAIL is defined, or that the automatic detection of programs, if enabled, can find them), `dialog' or `whiptail', or the full path to one of them.
Purpose: The interactive mode requires a dialog program. Either dialog (version 1.2+) or whiptail is supported.
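As an added example, not ip-array's own code, here is a small lint for a defaults file written in the same bash syntax: it sources the file in a subshell and checks the value ranges and the mandatory program variables documented above. The function name, its messages and the assumption of a POSIX shell plus bash (for the `bash -n' grammar check) are this example's own, not part of ip-array.

```shell
# Added example, not part of ip-array: a lint for an ip-array_defaults.conf
# file. It sources the file in a subshell and checks the value ranges and the
# mandatory program variables documented above. Assumed: POSIX sh plus bash
# for the grammar check; the exit status is 0 when every check passes.
ipa_lint_defaults() (
    file="$1"; rc=0
    # The same basic grammar check ip-array performs when SYNTAX_CHECK=1.
    bash -n "$file" || return 2
    . "$file" || return 2
    for v in ENABLE_COLORS ENABLE_SYSLOG AUTO_GET_PROGS RESTORE_ON_START \
             USE_IPSET IPTSAVE_FAILS SYNTAX_CHECK; do
        eval "val=\${$v:-0}"
        case "$val" in 0|1) ;; *) echo "$v: must be 0 or 1, got '$val'" >&2; rc=1 ;; esac
    done
    case "${VERBOSE:-6}" in [0-8]) ;; *) echo "VERBOSE: must be 0..8" >&2; rc=1 ;; esac
    case "${SYSLOG_VERBOSE:-1}" in [0-6]) ;; *) echo "SYSLOG_VERBOSE: must be 0..6" >&2; rc=1 ;; esac
    case "${LOG_FACILITY:-local0}" in
        auth|authpriv|cron|daemon|ftp|kern|lpr|mail|news|security|syslog|user|uucp|local[0-7]) ;;
        *) echo "LOG_FACILITY: unknown facility '$LOG_FACILITY'" >&2; rc=1 ;;
    esac
    # RELOAD_TIME must be an integer greater than 1 for the 'test' mode to work.
    case "${RELOAD_TIME:-7}" in
        *[!0-9]*|'') echo "RELOAD_TIME: not a number" >&2; rc=1 ;;
        *) [ "${RELOAD_TIME:-7}" -gt 1 ] || { echo "RELOAD_TIME: must be > 1" >&2; rc=1; } ;;
    esac
    # With AUTO_GET_PROGS=0 every mandatory program variable must be set and
    # resolve to an executable. A bare name is looked up through $PATH, which
    # is why an absolute path is the safer setting for a root-run firewall script.
    if [ "${AUTO_GET_PROGS:-1}" = 0 ]; then
        for v in AT CAT DATE DIFF FIND GREP IP IPT LSMOD MODPROBE RM SORT UNAME; do
            eval "p=\${$v:-}"
            case "$p" in
                '')  echo "$v: mandatory but unset" >&2; rc=1; continue ;;
                */*) exe="$p" ;;
                *)   exe=$(command -v "$p" 2>/dev/null || true)
                     echo "$v: '$p' is resolved through \$PATH; prefer an absolute path" >&2 ;;
            esac
            [ -x "$exe" ] || { echo "$v: '$p' is not an executable file" >&2; rc=1; }
        done
    fi
    return $rc
)
```

Run it as `ipa_lint_defaults /etc/ip-array/ip-array_defaults.conf` before activating a changed defaults file; a non-zero exit status means at least one setting is outside the documented values.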