Technical data
3. Base configuration
PF_INPUT_ACCEPT_DEF If this variable is set to ‘yes’, the default rules needed for the
correct operation of the router are generated. Use ‘yes’ as the default here.
If you want to configure the router’s behaviour completely yourself, you may enter ‘no’
here, but then you have to define all rules on your own. An equivalent of the default
behaviour would look like this (user-defined chains are explained on Page 56):
PF_INPUT_ACCEPT_DEF='no'
#
# limit ICMP echo requests - use a separate chain
#
PF_USR_CHAIN_N='1'
PF_USR_CHAIN_1_NAME='usr-in-icmp'
PF_USR_CHAIN_1_RULE_N='2'
PF_USR_CHAIN_1_RULE_1='prot:icmp:echo-request length:0-150 limit:1/second:5 ACCEPT'
PF_USR_CHAIN_1_RULE_2='state:RELATED ACCEPT'
PF_INPUT_N='4'
PF_INPUT_1='prot:icmp usr-in-icmp'
PF_INPUT_2='state:ESTABLISHED,RELATED ACCEPT'
PF_INPUT_3='if:lo:any ACCEPT'
PF_INPUT_4='state:NEW 127.0.0.1 DROP BIDIRECTIONAL'
The first rule branches to the rate-limited “usr-in-icmp” chain. The second only accepts
packets belonging to established connections (packets that have either the state
ESTABLISHED or RELATED), and the third one allows local communication (if:lo:any ACCEPT).
The fourth drops packets that pretend to be local communication (source 127.0.0.1, state
NEW) but were not accepted by the rules defined before.
If you work with OpenVPN, the rules have to be extended so that the packets handled by
the OpenVPN chains are let through:
PF_INPUT_N='5'
...
PF_INPUT_5='ovpn-chain'
PF_INPUT_LOG Defines whether rejected packets are logged by the kernel. Log output can
be directed to the syslog daemon by activating OPT_KLOGD.
PF_INPUT_LOG_LIMIT Defines how often log entries are generated. The frequency is given
as n/time-unit with a burst value, analogous to the limit constraints of the rules, e.g.
3/minute:5. If this entry is empty, a default of 1/second:5 is used; if it is set to
none, the limit is disabled.
PF_INPUT_REJ_LIMIT, PF_INPUT_UDP_REJ_LIMIT Specify how often a REJECT packet is
generated when rejecting incoming packets. The frequency is given as n/time-unit with a
burst value, analogous to the limit constraints of the rules, e.g. 3/minute:5. If this
entry is empty, a default of 1/second:5 is used; if it is set to none, the limit is
disabled.
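To make the rule walk described above and the n/time-unit:burst limit syntax of PF_INPUT_LOG_LIMIT and PF_INPUT_REJ_LIMIT concrete, here is an added toy evaluator written for this page; it is not fli4l's own packet-filter generator and does not produce iptables rules. It parses the section's PF_USR_CHAIN_*/PF_INPUT_* configuration, models limit:n/unit:burst as a token bucket (the way the kernel's limit match behaves), and returns which rule decided a packet. Assumptions: the rule grammar is reduced to the keywords this section uses, packets are plain dicts with constructed fields (prot, icmp_type, state, iface, length, src), unmatched INPUT packets hit a DROP policy, and the function names (parse_limit, load, verdict, echo_flood) and the sample addresses are mine.

```python
"""Toy evaluator for fli4l-style PF_INPUT / PF_USR_CHAIN rules: an added illustration, not
fli4l's own packet-filter generator. Only the keywords used in this section are modelled (prot:,
state:, if:, length:, limit:, bare source IP, ACCEPT/DROP, user chains; BIDIRECTIONAL is ignored)."""
import re
UNIT_SECONDS = {"second": 1, "minute": 60, "hour": 3600, "day": 86400}

def parse_limit(spec):
    """'3/minute:5' -> (tokens/second, burst); '' -> default 1/second:5; 'none' -> None (off)."""
    if spec == "none":
        return None
    m = re.fullmatch(r"(\d+)/(second|minute|hour|day)(?::(\d+))?", spec or "1/second:5")
    if not m:
        raise ValueError("bad limit spec: " + spec)
    n, unit, burst = m.groups()
    return int(n) / UNIT_SECONDS[unit], int(burst or 5)  # burst defaults to 5

class TokenBucket:
    """The kernel's limit match: `burst` tokens up front, refilled at `rate` per second."""
    def __init__(self, rate, burst):
        self.rate, self.burst, self.tokens, self.last = rate, burst, float(burst), 0.0
    def allow(self, now):
        self.tokens, self.last = min(self.burst, self.tokens + (now - self.last) * self.rate), now
        ok = self.tokens >= 1
        self.tokens -= ok  # spend a token only when the packet is let through
        return ok

def parse_rule(text):
    """'match ... TARGET [BIDIRECTIONAL]' -> ([(kind, value)], target)."""
    toks = text.split()
    if toks[-1] == "BIDIRECTIONAL":  # only INPUT is simulated here
        toks = toks[:-1]
    matches = []
    for t in toks[:-1]:
        key, _, val = t.partition(":")
        if key == "limit":
            matches.append(("limit", TokenBucket(*parse_limit(val))))
        elif key in ("prot", "state", "if", "length"):
            matches.append((key, val))
        else:
            matches.append(("src", t))  # bare address: source match
    return matches, toks[-1]

def match(kind, val, pkt, now):
    """Evaluate one match against a packet (a dict of constructed fields)."""
    if kind == "prot":
        proto, _, subtype = val.partition(":")  # e.g. icmp:echo-request
        return pkt["prot"] == proto and (not subtype or pkt.get("icmp_type") == subtype)
    if kind == "state":
        return pkt["state"] in val.split(",")
    if kind == "if":
        return pkt["iface"] == val.split(":")[0]  # 'lo:any': direction part not modelled
    if kind == "length":
        lo, hi = map(int, val.split("-"))
        return lo <= pkt["length"] <= hi
    if kind == "src":
        return pkt["src"] == val
    return val.allow(now)  # "limit": reached only after the earlier matches in the rule hit

def load(config):
    """Read NAME='value' lines into {chain name: [parsed rules]}; buckets are fresh per call."""
    var = dict(re.findall(r"^(PF_\w+)='([^']*)'", config, re.M))
    chains = {"INPUT": [parse_rule(var[f"PF_INPUT_{j}"]) for j in range(1, int(var["PF_INPUT_N"]) + 1)]}
    for i in range(1, int(var.get("PF_USR_CHAIN_N", "0")) + 1):
        chains[var[f"PF_USR_CHAIN_{i}_NAME"]] = [parse_rule(var[f"PF_USR_CHAIN_{i}_RULE_{j}"])
            for j in range(1, int(var[f"PF_USR_CHAIN_{i}_RULE_N"]) + 1)]
    return chains

def verdict(chains, pkt, now=0.0, chain="INPUT"):
    """First match wins; returns (target, 'chain#rule'). A user chain ending undecided returns None."""
    for i, (matches, target) in enumerate(chains[chain], 1):
        if all(match(k, v, pkt, now) for k, v in matches):
            if target not in chains:
                return target, f"{chain}#{i}"
            decided = verdict(chains, pkt, now, target)  # branch into the user chain
            if decided is not None:
                return decided  # otherwise the user chain RETURNed: continue with the next rule
    return ("DROP", "policy") if chain == "INPUT" else None  # assumption: DROP policy for INPUT

# The section's own configuration (comment lines omitted), embedded as the sample input.
CONFIG = """
PF_USR_CHAIN_N='1'
PF_USR_CHAIN_1_NAME='usr-in-icmp'
PF_USR_CHAIN_1_RULE_N='2'
PF_USR_CHAIN_1_RULE_1='prot:icmp:echo-request length:0-150 limit:1/second:5 ACCEPT'
PF_USR_CHAIN_1_RULE_2='state:RELATED ACCEPT'
PF_INPUT_N='4'
PF_INPUT_1='prot:icmp usr-in-icmp'
PF_INPUT_2='state:ESTABLISHED,RELATED ACCEPT'
PF_INPUT_3='if:lo:any ACCEPT'
PF_INPUT_4='state:NEW 127.0.0.1 DROP BIDIRECTIONAL'
"""
# Constructed packets; the addresses and interface names are examples only.
ECHO = dict(prot="icmp", icmp_type="echo-request", state="NEW", iface="eth0", length=84, src="203.0.113.7")
BIG_ECHO = dict(ECHO, length=1400)       # oversized ping, outside length:0-150
LOOPBACK = dict(prot="tcp", state="NEW", iface="lo", length=60, src="127.0.0.1")
SPOOFED = dict(LOOPBACK, iface="eth0")   # claims 127.0.0.1 but arrives on eth0
REPLY = dict(prot="tcp", state="ESTABLISHED", iface="eth0", length=60, src="198.51.100.9")
def echo_flood(chains, count, step=0.0):
    """Verdicts for `count` echo-requests arriving `step` seconds apart."""
    return [verdict(chains, ECHO, now=i * step)[0] for i in range(count)]
```

With rules = load(CONFIG), echo_flood(rules, 6) lets the first five echo-requests through and drops the sixth (the burst of 5 is used up, the user chain returns undecided, and no later INPUT rule matches), while one more request a second later is accepted again because the bucket has refilled one token. The oversized ping falls to the policy, the packet on lo is accepted by rule 3, the same packet arriving on eth0 is caught by rule 4, and an ESTABLISHED packet is accepted by rule 2.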