Name

ip-array_defaults.conf — Configuration of ip-array default settings

Synopsis

/etc/ip-array/ip-array_defaults.conf

Description

The purpose of this file is to configure the basic (default) settings of ip-array. They are used for the stable as well as for the test configuration. The file uses bash shell syntax and is sourced by ip-array. Many of the configuration variables can also be set on the command line.

Variables

ENABLE_COLORS

Mandatory: no. Defaults to `0' if unset.

Allowed values: `0' or `1'.

Purpose: Enable or disable IP-Array coloured output.

ENABLE_SYSLOG

Mandatory: no. Defaults to `0' if unset.

Allowed values: `0' or `1'.

Purpose: Enable or disable logging of IP-Array's output to syslog using the logger utility.

LOG_FACILITY

Mandatory: no. Defaults to `local0' if unset.

Allowed values: auth, authpriv (for security information of a sensitive nature), cron, daemon, ftp, kern, lpr, mail, news, security (deprecated synonym for auth), syslog, user, uucp, local0 to local7 inclusive.

Purpose: Configure IP-Array's syslog logging facility.

VERBOSE

Mandatory: no. Defaults to `6' if unset.

Allowed values: `0' to `9' (the levels listed below; each level includes the output of the lower ones).

Purpose: Control level of IP-Array's output verbosity.

Tip

With a non-zero environment variable `DEBUG_INFO', additional processing (debugging) information is printed.

  0. No messages are shown. Exit status indicates success or failure.

  1. Shows start and end message and errors.

  2. Main title and warning messages are also shown.

  3. Sub title messages are shown in addition.

  4. Info title, config and rule file loading messages are shown additionally.

  5. Also show notice messages.

  6. Verbose output.

  7. Also show IP-Array internals.

  8. Debug mode (set -x).

    Tip

    With a non-zero environment variable `DEBUG_INFO', a debugging `PS4' is set.

  9. More verbose debug mode (set -vx).

SYSLOG_VERBOSE

Mandatory: no. Defaults to `1' if unset.

Allowed values: `0' to `6'.

Purpose: Control verbosity level of IP-Array's syslog logging.

  0. Error messages are shown.

  1. Main title and warning messages are shown.

  2. Subtitle messages are shown in addition.

  3. Info title, config and rule file loading messages are shown additionally.

  4. Also show notice messages.

  5. Verbose output.

  6. Also show IP-Array internals.

COLOR_MSG_MAIN_TITLE

Mandatory: no. Defaults to `magenta' if unset.

Allowed values: black, blue, cyan, green, magenta, red, white, yellow.

Purpose: Set color for title messages.

COLOR_MSG_SUBTITLE

Mandatory: no. Defaults to `blue' if unset.

Allowed values: black, blue, cyan, green, magenta, red, white, yellow.

Purpose: Set color for sub title messages.

COLOR_MSG_INFO_TITLE

Mandatory: no. Defaults to `cyan' if unset.

Allowed values: black, blue, cyan, green, magenta, red, white, yellow.

Purpose: Set color for info title messages.

COLOR_MSG_ERROR

Mandatory: no. Defaults to `red' if unset.

Allowed values: black, blue, cyan, green, magenta, red, white, yellow.

Purpose: Set color for error messages.

COLOR_MSG_WARNING

Mandatory: no. Defaults to `yellow' if unset.

Allowed values: black, blue, cyan, green, magenta, red, white, yellow.

Purpose: Set color for warning messages.

COLOR_MSG_NOTICE

Mandatory: no. Defaults to `white' if unset.

Allowed values: black, blue, cyan, green, magenta, red, white, yellow.

Purpose: Set color for notice messages.

COLOR_MSG_CONFIG_LOAD

Mandatory: no. Defaults to `green' if unset.

Allowed values: black, blue, cyan, green, magenta, red, white, yellow.

Purpose: Set color for configuration file loading messages.

COLOR_MSG_RULE_LOAD

Mandatory: no. Defaults to `yellow' if unset.

Allowed values: black, blue, cyan, green, magenta, red, white, yellow.

Purpose: Set color for rule file loading messages.

AUTO_GET_PROGS

Mandatory: no - defaults to `1'.

Allowed values: `0' or `1'.

Purpose: Configure whether IP-Array should try to find the mandatory programs automatically (they must be in $PATH). If disabled (set to `0'), the program name variables (below) must be configured manually. Because IP-Array runs with root privileges (it drives iptables), prefer absolute paths over bare program names resolved through $PATH, so that a writable directory on the search path cannot substitute a different binary.
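The man page does not say how IP-Array itself locates programs when AUTO_GET_PROGS is enabled. The following is an added example, not ip-array's own code, of one way to do it defensively: every program is resolved against a fixed, trusted directory list rather than the caller's $PATH, and the result is printed as absolute-path assignments in the format of this file, ready to be used with AUTO_GET_PROGS=0. The trusted directory list and the VARIABLE:program pairs are assumptions; the pairs follow the "Mandatory: yes/no" entries below.

```bash
# Added example (not part of ip-array): resolve program variables against a
# trusted directory list and emit ip-array_defaults.conf assignments.
#
# Assumptions not taken from the man page: IPARRAY_TRUSTED_PATH, and the
# VARIABLE:program pairs (they follow the Mandatory: yes/no entries).
IPARRAY_TRUSTED_PATH="/usr/sbin:/usr/bin:/sbin:/bin"

MANDATORY_PROGS="AT:at CAT:cat DATE:date DIFF:diff FIND:find GREP:grep IP:ip
IPT:iptables IPT_SAVE:iptables-save IPT_RESTORE:iptables-restore LSMOD:lsmod
MODPROBE:modprobe RM:rm SORT:sort UNAME:uname"

OPTIONAL_PROGS="DIALOG:dialog IPSET:ipset LOGGER:logger NFACCT:nfacct TC:tc
WHIPTAIL:whiptail"

# resolve_prog NAME: print the absolute path of NAME as found on the trusted
# directory list, or return 1. PATH is narrowed only for the command -v call,
# so a look-alike "iptables" in a writable directory earlier on the caller's
# PATH is never picked up.
resolve_prog() {
    _p=$(PATH="$IPARRAY_TRUSTED_PATH" command -v "$1" 2>/dev/null) || return 1
    case $_p in
        /*) [ -x "$_p" ] && printf '%s\n' "$_p" ;;
        *)  return 1 ;;   # a builtin or alias, not an executable file
    esac
}

# gen_prog_conf: print VARIABLE=/absolute/path for every program. A mandatory
# program that cannot be resolved is reported on stderr and makes the function
# return 1; an unresolvable optional program is printed as an empty assignment.
gen_prog_conf() {
    _rc=0
    for _spec in $MANDATORY_PROGS; do
        _var=${_spec%%:*}; _prog=${_spec#*:}
        if _path=$(resolve_prog "$_prog"); then
            printf '%s=%s\n' "$_var" "$_path"
        else
            printf 'mandatory program not found on %s: %s (%s)\n' \
                "$IPARRAY_TRUSTED_PATH" "$_prog" "$_var" >&2
            _rc=1
        fi
    done
    for _spec in $OPTIONAL_PROGS; do
        _var=${_spec%%:*}; _prog=${_spec#*:}
        _path=$(resolve_prog "$_prog") || _path=""
        printf '%s=%s\n' "$_var" "$_path"
    done
    return $_rc
}

# Stand-alone use: print the assignments, e.g. to paste into the defaults file.
gen_prog_conf || echo "some mandatory programs are missing, see above" >&2
```

Review the printed assignments before adopting them: a program found in the trusted directories is still only as trustworthy as the package that installed it, and the list of directories should match where your distribution actually installs iptables and friends.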

AT

Mandatory: yes

Allowed values: A valid path to the at executable file (e.g. /usr/bin/at), or just the name of the program, if it is found in $PATH and you do not want to use absolute paths.

CAT

Mandatory: yes

Allowed values: A valid path to the cat executable file (e.g. /bin/cat), or just the name of the program, if it is found in $PATH and you do not want to use absolute paths.

DATE

Mandatory: yes

Allowed values: A valid path to the date executable file (e.g. /bin/date), or just the name of the program, if it is found in $PATH and you do not want to use absolute paths.

DIALOG

Mandatory: no (a dialog program is required only in interactive mode; it can be either dialog or whiptail)

Allowed values: A valid path to the dialog executable file (e.g. /usr/bin/dialog), or just the name of the program, if it is found in $PATH and you do not want to use absolute paths.

DIFF

Mandatory: yes

Allowed values: A valid path to the diff executable file (e.g. /usr/bin/diff), or just the name of the program, if it is found in $PATH and you do not want to use absolute paths.

FIND

Mandatory: yes

Allowed values: A valid path to the find executable file (e.g. /usr/bin/find), or just the name of the program, if it is found in $PATH and you do not want to use absolute paths.

GREP

Mandatory: yes

Allowed values: A valid path to the grep executable file (e.g. /bin/grep), or just the name of the program, if it is found in $PATH and you do not want to use absolute paths.

IP

Mandatory: yes

Allowed values: A valid path to the ip executable file (e.g. /sbin/ip), or just the name of the program, if it is found in $PATH and you do not want to use absolute paths.

IPSET

Mandatory: no

Allowed values: A valid path to the ipset executable file (e.g. /sbin/ipset), or just the name of the program, if it is found in $PATH and you do not want to use absolute paths. Only needed when USE_IPSET is enabled.

IPT

Mandatory: yes

Allowed values: A valid path to the iptables executable file (e.g. /sbin/iptables), or just the name of the program, if it is found in $PATH and you do not want to use absolute paths.

LOGGER

Mandatory: no

Allowed values: A valid path to the logger executable file (e.g. /usr/bin/logger), or just the name of the program, if it is found in $PATH and you do not want to use absolute paths. Only needed when ENABLE_SYSLOG is enabled.

LSMOD

Mandatory: yes

Allowed values: A valid path to the lsmod executable file (e.g. /sbin/lsmod), or just the name of the program, if it is found in $PATH and you do not want to use absolute paths.

MODPROBE

Mandatory: yes

Allowed values: A valid path to the modprobe executable file (e.g. /sbin/modprobe), or just the name of the program, if it is found in $PATH and you do not want to use absolute paths.

NFACCT

Mandatory: no

Allowed values: A valid path to the nfacct executable file (e.g. /usr/sbin/nfacct), or just the name of the program, if it is found in $PATH and you do not want to use absolute paths.

RM

Mandatory: yes

Allowed values: A valid path to the rm executable file (e.g. /bin/rm), or just the name of the program, if it is found in $PATH and you do not want to use absolute paths.

IPT_SAVE

Mandatory: yes

Allowed values: A valid path to the iptables-save executable file (e.g. /sbin/iptables-save), or just the name of the program, if it is found in $PATH and you do not want to use absolute paths.

This variable is only used by the IP-Array init script. It is not globally available.

IPT_RESTORE

Mandatory: yes

Allowed values: A valid path to the iptables-restore executable file (e.g. /sbin/iptables-restore), or just the name of the program, if it is found in $PATH and you do not want to use absolute paths.

This variable is only used by the IP-Array init script. It is not globally available.

SORT

Mandatory: yes

Allowed values: A valid path to the sort executable file (e.g. /usr/bin/sort), or just the name of the program, if it is found in $PATH and you do not want to use absolute paths.

TC

Mandatory: no

Allowed values: A valid path to the tc executable file (e.g. /sbin/tc), or just the name of the program, if it is found in $PATH and you do not want to use absolute paths.

UNAME

Mandatory: yes

Allowed values: A valid path to the uname executable file (e.g. /bin/uname), or just the name of the program, if it is found in $PATH and you do not want to use absolute paths.

WHIPTAIL

Mandatory: no (a dialog program is required only in interactive mode; it can be either dialog or whiptail)

Allowed values: A valid path to the whiptail executable file (e.g. /usr/bin/whiptail), or just the name of the program, if it is found in $PATH and you do not want to use absolute paths.

BASE_DIR

Mandatory: no - defaults to /etc/ip-array.

Allowed values: A valid path (e.g.: /etc/ip-array).

IP-Array base directory.

CONFIG

Mandatory: no - defaults to ip-array.conf.

Allowed values: A valid filename (e.g.: ip-array.conf).

Name of the main configuration file.

CONF_DIR

Mandatory: no - defaults to conf.d.

Allowed values: A valid directory name (e.g.: conf.d).

Name of the configuration directory. It must be located below BASE_DIR, i.e. it is used as $BASE_DIR/$CONF_DIR.

LIB_DIR

Mandatory: no - defaults to /usr/lib/ip-array.

Allowed values: A valid path (e.g.: /usr/lib/ip-array).

Library directory used for the IP-Array function files.

LOCK_DIR

Mandatory: no - defaults to /var/run.

Allowed values: A valid path (e.g.: /var/run).

Directory to put the IP-Array PID file into.

SHARE_DIR

Mandatory: no - defaults to /usr/share/ip-array.

Allowed values: A valid path (e.g.: /usr/share/ip-array).

Data directory.

SAVE_FILE

Mandatory: no - defaults to iptables_ruleset.save.

Allowed values: A valid filename (e.g.: iptables_ruleset.save).

File the ruleset is saved into. Applies to all the save* startup parameters.

IPSET_SAVE_FILE

Mandatory: no - defaults to ipset_ruleset.save.

Allowed values: A valid filename (e.g.: ipset_ruleset.save).

File the ipset save output is written to when IP-Array is run with the 'save' startup parameter, and loaded from when restoring with the 'restore' parameter.

RULESETFILE

Mandatory: no - defaults to ip-array_commands.bash.

Allowed values: A valid filename (e.g.: ip-array_commands.bash).

File where the generated commands are saved when IP-Array is run with one of the 'save[ -iptables | -modprobe | -sysctl | -tc | -shaping ]-commands' parameters. The target directory will be $BASE_DIR/save.d.

DIFF_FILE

Mandatory: no - defaults to iptables_ruleset_saved_for_diff.

Allowed values: A valid filename (e.g.: iptables_ruleset_saved_for_diff).

File the iptables rule listing (iptables -S, or iptables -nL on old systems where -S is not available) is saved into after applying the rules. The target directory will be $BASE_DIR/save.d.

This file is compared against the currently active ruleset when using the 'diff-last-activated' startup parameter.

SERVICES

Mandatory: no - defaults to /etc/services.

Allowed values: A valid path to the services file (most likely: /etc/services).

Purpose: Configure the location of the services file (containing service definitions).

PROTOCOLS

Mandatory: no - defaults to /etc/protocols.

Allowed values: A valid path to the protocols file (most likely: /etc/protocols).

Purpose: Configure the location of the protocols file (containing protocol definitions).

KNOWN_GOOD_RULESET

Mandatory: no - defaults to KNOWN_GOOD_RULESET.save.

Allowed values: A valid filename (e.g.: KNOWN_GOOD_RULESET.save).

File the currently active 'known good' ruleset is saved into. It is used to restore the ruleset on 'start' if RESTORE_ON_START is enabled.

RESTORE_ON_START

Mandatory: no - defaults to `0'.

Allowed values: `0' to disable, `1' to enable.

Loads the ruleset saved in $KNOWN_GOOD_RULESET when IP-Array is started with the `start' parameter (faster startup, also called quick start).

RELOAD_TIME

Mandatory: no - defaults to 7.

Allowed values: Any value greater than 1.

Time period after which the previously saved ruleset is restored when using the 'test' startup parameter.

Warning

If iptables-save or iptables-restore fails for some reason, the 'test' parameter will not work, thus this setting will not produce the desired effect.

GEN_FORMAT

Mandatory: no - defaults to `cmd'.

Allowed values: `cmd': the generated commands are saved as a list of commands. `ipt': the generated commands are written in iptables-save format (faster loading time).

IPTSAVE_FAILS

Mandatory: no - defaults to `0'.

Allowed values: `0' or `1'.

Enable this if saving or restoring with iptables-save or iptables-restore fails for some reason.

Important

Any startup mode, that utilizes iptables-save or iptables-restore will not work in that case.

USE_IPSET

Mandatory: no - defaults to `0'.

Allowed values: `0' or `1'.

Enable or disable the usage of ipset.

MAX_SETS

Mandatory: no - defaults to `256'.

Allowed values: Up to the maximum number of sets supported by your kernel's ip_set module (CONFIG_IP_SET_MAX, 256 by default; it can be overridden at module load time with the max_sets module parameter).

The maximum number of ipset sets to create.

SYNTAX_CHECK

Mandatory: no - defaults to `1'.

Allowed values: `0' or `1'.

Purpose: Perform a bash grammar check before sourcing or executing files. The check is done using `bash -n file', which only parses the file without executing it. It is therefore very basic: it catches syntax errors, but not wrong values or commands that fail at run time (see `man bash').
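To show what `bash -n' does and does not catch, here is an added example (not ip-array's own code) that goes one step further: after the grammar check it sources the defaults file in a subshell and checks each value it sets against the allowed values documented on this page (the 0/1 switches, the verbosity ranges, the syslog facilities, the colour names and GEN_FORMAT). The function names in_list, in_range, check_defaults and write_sample are the example's own, and the defaults file it writes is constructed for the demonstration, with two errors that parse fine but are out of range.

```bash
# Added example (not part of ip-array): validate a defaults file beyond what
# SYNTAX_CHECK's `bash -n' does. Sourcing executes whatever the file contains,
# so run this only on a file you would let ip-array itself source.

# in_list VALUE WORD...: succeed if VALUE equals one of the WORDs.
in_list() {
    _needle=$1; shift
    for _w in "$@"; do
        [ "$_w" = "$_needle" ] && return 0
    done
    return 1
}

# in_range VALUE MIN MAX: succeed if VALUE is a non-negative integer in [MIN, MAX].
in_range() {
    case $1 in ''|*[!0-9]*) return 1 ;; esac
    [ "$1" -ge "$2" ] && [ "$1" -le "$3" ]
}

# check_defaults FILE: print one diagnostic per bad value; return 1 if any.
# Variables the file leaves unset fall back to the documented defaults, so
# only values the file actually sets are checked.
check_defaults() {
    bash -n "$1" || { echo "$1: does not parse (bash -n failed)"; return 1; }
    (
        _bools="ENABLE_COLORS ENABLE_SYSLOG AUTO_GET_PROGS RESTORE_ON_START IPTSAVE_FAILS USE_IPSET SYNTAX_CHECK"
        _colvars="COLOR_MSG_MAIN_TITLE COLOR_MSG_SUBTITLE COLOR_MSG_INFO_TITLE COLOR_MSG_ERROR COLOR_MSG_WARNING COLOR_MSG_NOTICE COLOR_MSG_CONFIG_LOAD COLOR_MSG_RULE_LOAD"
        _colors="black blue cyan green magenta red white yellow"
        _facilities="auth authpriv cron daemon ftp kern lpr mail news security syslog user uucp local0 local1 local2 local3 local4 local5 local6 local7"
        # Drop anything inherited from the environment, then source the file.
        unset $_bools $_colvars VERBOSE SYSLOG_VERBOSE LOG_FACILITY GEN_FORMAT
        . "$1"
        _bad=0
        for _v in $_bools; do
            eval "_val=\${$_v-}"
            if [ -n "$_val" ] && ! in_list "$_val" 0 1; then
                echo "$_v=$_val: must be 0 or 1"; _bad=1
            fi
        done
        for _v in $_colvars; do
            eval "_val=\${$_v-}"
            if [ -n "$_val" ] && ! in_list "$_val" $_colors; then
                echo "$_v=$_val: must be one of: $_colors"; _bad=1
            fi
        done
        if [ -n "${VERBOSE-}" ] && ! in_range "$VERBOSE" 0 9; then
            echo "VERBOSE=$VERBOSE: must be 0..9"; _bad=1
        fi
        if [ -n "${SYSLOG_VERBOSE-}" ] && ! in_range "$SYSLOG_VERBOSE" 0 6; then
            echo "SYSLOG_VERBOSE=$SYSLOG_VERBOSE: must be 0..6"; _bad=1
        fi
        if [ -n "${LOG_FACILITY-}" ] && ! in_list "$LOG_FACILITY" $_facilities; then
            echo "LOG_FACILITY=$LOG_FACILITY: not a syslog facility"; _bad=1
        fi
        if [ -n "${GEN_FORMAT-}" ] && ! in_list "$GEN_FORMAT" cmd ipt; then
            echo "GEN_FORMAT=$GEN_FORMAT: must be cmd or ipt"; _bad=1
        fi
        exit $_bad
    )
}

# write_sample: create a constructed defaults file with two errors that
# `bash -n' accepts; print its path.
write_sample() {
    _f=$(mktemp) || return 1
    cat >"$_f" <<'EOF'
# constructed ip-array_defaults.conf for this example
ENABLE_COLORS=1
VERBOSE=12             # out of range, allowed 0..9
COLOR_MSG_ERROR=pink   # not an allowed colour
LOG_FACILITY=local3
GEN_FORMAT=ipt
EOF
    printf '%s\n' "$_f"
}

# Stand-alone use: bash -n passes the sample, check_defaults flags both errors.
_sample=$(write_sample) && { check_defaults "$_sample" || :; rm -f "$_sample"; }
```

Run it against /etc/ip-array/ip-array_defaults.conf before a restart: `bash -n' alone would accept the file and IP-Array would only discover the bad value when it tries to use it.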

DIALOG_PROG

Mandatory: no - defaults to `$DIALOG'.

Allowed values: empty (then one of the variables DIALOG or WHIPTAIL must be set, or automatic program detection, if enabled, must find one of them), `dialog', `whiptail', or the full path to one of them.

Purpose: The interactive mode requires a dialog program. Either dialog (version 1.2+) or whiptail are supported.

See also

ip-array(8), ip-array.conf(8), ip-array_ruleblocks(5), ip-array_rulefiles(5), ip-array_sysctl_rules(5), ip-array_templates(5)