# Master on/off switch for the firewall setup. The script that reads this file
# is not shown here - confirm which values it accepts besides "yes".
FIREWALL=yes

# Location of programs/configuration files
# All paths are absolute, so the tools are not resolved through $PATH.
# NOTE(review): the consumer of this file presumably runs as root; this file,
# FIREWALL_DIR and the binaries below should be root-owned and not writable by
# group/other - verify permissions.
FIREWALL_DIR="/etc/sysconfig/firewall.d"

# IPv4 tools: rule management, ruleset dump, ruleset restore.
iptables="/usr/sbin/iptables"
iptsave="/usr/sbin/iptables-save"
iptrestore="/usr/sbin/iptables-restore"

# IPv6 counterparts of the three tools above.
ip6tables="/usr/sbin/ip6tables"
ip6tsave="/usr/sbin/ip6tables-save"
ip6trestore="/usr/sbin/ip6tables-restore"

# Which tables you want set up (filter, nat, mangle, drop, prestate)
# Space-separated list.
# NOTE(review): policies for the mangle and raw tables are defined further down
# but neither table is listed here; presumably policies of unlisted tables are
# not applied - confirm in the consuming script.
ipv4_TABLES="filter nat" 
# NOTE(review): empty, so presumably no IPv6 table is set up and the ipv6_*
# policies below (including FORWARD=DROP) never take effect. If the host has
# IPv6 connectivity, that traffic would then be unfiltered by this
# configuration - confirm, and list at least "filter" here if IPv6 is in use.
ipv6_TABLES=

# Connection tracking (defaults to yes as it's VERY useful also on non-nat boxes)
# Rules that match on connection state (e.g. allowing only replies to
# established connections) depend on connection tracking being available.
CONNTRACK="yes"

# Which conntrack modules to load, can be "all" (old default), "none" or a list
#CONNTRACK_MODULES="all"
#CONNTRACK_MODULES="ftp irc"
# Which conntrack modules not to load (mms cannot be unloaded)
#CONNTRACK_MODULES_BLACKLIST="mms"

# Which IPv4 nat modules to load, can be "all" (old default), "none" or a list
#NAT_MODULES="all"
#NAT_MODULES="ftp irc"
# Which nat modules not to load
#NAT_MODULES_BLACKLIST="mms"

# The ftp/irc options have been removed;
# set them via /etc/modprobe.d/modprobe.conf

# The hash table size options have been removed;
# set them via /etc/modprobe.d/modprobe.conf

# Policies for chains:
# A chain policy is the verdict applied to a packet that reaches the end of a
# built-in chain without matching any rule.
# IPv4:
# NOTE(review): INPUT=ACCEPT is default-allow: any inbound packet that no rule
# explicitly drops is accepted, so exposure depends entirely on the rule files
# being complete. A default-deny setup uses DROP here together with explicit
# allow rules (loopback, established/related traffic, management access); make
# sure those rules are in place before changing the policy, or remote access
# to the host will be cut off.
ipv4_filter_INPUT="ACCEPT"
ipv4_filter_OUTPUT="ACCEPT"
# Forwarded (routed) packets are dropped unless a rule allows them.
ipv4_filter_FORWARD="DROP"

# nat, mangle and raw policies are all ACCEPT: these tables rewrite or mark
# packets, and accept/drop decisions are left to the filter table.
ipv4_nat_OUTPUT="ACCEPT"
ipv4_nat_PREROUTING="ACCEPT"
ipv4_nat_POSTROUTING="ACCEPT"

ipv4_mangle_INPUT="ACCEPT"
ipv4_mangle_OUTPUT="ACCEPT"
ipv4_mangle_FORWARD="ACCEPT"
ipv4_mangle_PREROUTING="ACCEPT"
ipv4_mangle_POSTROUTING="ACCEPT"

ipv4_raw_OUTPUT="ACCEPT"
ipv4_raw_PREROUTING="ACCEPT"

# IPv6:
# NOTE(review): ipv6_TABLES is empty in this file, so these policies are
# presumably not applied until an IPv6 table is listed there - confirm.
# As with IPv4, INPUT=ACCEPT is default-allow; the same caution about having
# explicit allow rules in place applies before switching it to DROP.
ipv6_filter_INPUT="ACCEPT"
ipv6_filter_OUTPUT="ACCEPT"
# Forwarded (routed) IPv6 packets are dropped unless a rule allows them.
ipv6_filter_FORWARD="DROP"

# No ipv6_nat_* policies are defined in this file; only mangle and raw follow.
ipv6_mangle_INPUT="ACCEPT"
ipv6_mangle_OUTPUT="ACCEPT"
ipv6_mangle_FORWARD="ACCEPT"
ipv6_mangle_PREROUTING="ACCEPT"
ipv6_mangle_POSTROUTING="ACCEPT"

ipv6_raw_OUTPUT="ACCEPT"
ipv6_raw_PREROUTING="ACCEPT"
