Specifications
For a firewall without masquerading, set this to yes only if you want
to allow access to the internal network from the outside. Your internal
hosts then need officially registered (publicly routable) IP addresses,
because nothing rewrites their addresses on the way out. Normally, however,
you should not allow access to your internal network from the outside.
FW_MASQUERADE (masquerading): Set this to yes if you need the
masquerading function, i.e., if internal hosts with private addresses
should reach the Internet through the firewall. Note that it is more secure
to place a proxy server between the hosts of the internal network and the
Internet, since a proxy only relays the protocols it understands.
FW_MASQ_NETS (masquerading): Specify the hosts (single addresses) or
networks (address/prefix notation) to be masqueraded, separated by
spaces. For example:
FW_MASQ_NETS="192.168.0.0/24 192.168.10.1"
FW_PROTECT_FROM_INTERNAL (firewall): Set this to yes to
protect the firewall host itself from attacks originating in your internal
network. Its services are then available to the internal network only if
explicitly enabled. See also FW_SERVICES_INTERNAL_TCP and
FW_SERVICES_INTERNAL_UDP.
FW_AUTOPROTECT_GLOBAL_SERVICES (firewall): This should normally be
yes, so that services listening on all interfaces are not reachable from
the outside unless you explicitly allow them.
FW_SERVICES_EXTERNAL_TCP (firewall): Enter the services that
should be reachable from the outside, as service names or port numbers,
e.g., "www smtp ftp domain 443". Normally leave this blank for a
workstation at home that is not intended to offer any services.
FW_SERVICES_EXTERNAL_UDP (firewall): Leave this blank unless you
run a name service (DNS) that you want to make available to the outside.
In that case, enter the ports to be used.
FW_SERVICES_INTERNAL_TCP (firewall): This defines the services
available to the internal network. The notation is the same as for
external TCP services, but, in this case, refers to the internal network.
FW_SERVICES_INTERNAL_UDP (firewall): See above.
FW_TRUSTED_NETS (firewall): Specify the hosts you really trust
(“trusted hosts”), whose traffic the firewall does not restrict. Note,
however, that these hosts need to be protected from attacks, too: an
attacker who compromises a trusted host inherits its unrestricted access.
188 Masquerading and Firewalls