##-----------------------------------------------------------------------------
## fli4l 3.10.5 - configuration for package "ipv6"
##
##  P L E A S E  R E A D  T H E  D O C U M E N T A T I O N !
##
##  B I T T E  U N B E D I N G T  D I E  D O K U M E N T A T I O N  L E S E N !
##
##-----------------------------------------------------------------------------
## Creation:     Christoph Schulz
## Last Update:  $Id: ipv6.txt 44165 2016-01-23 08:03:30Z kristov $
##
## Copyright (c) 2001-2016 - Frank Meyer, fli4l-Team <team@fli4l.de>
##
## This program is free software; you can redistribute it and/or modify
## it under the terms of the GNU General Public License as published by
## the Free Software Foundation; either version 2 of the License, or
## (at your option) any later version.
##-----------------------------------------------------------------------------

#------------------------------------------------------------------------------
# IPv6 general settings
#------------------------------------------------------------------------------
#OPT_IPV6='no'                  # set to 'yes' to activate IPv6 support

#HOSTNAME_IP6='IPV6_NET_1_IPADDR'
                                # optional, can be used to explicitly set
                                # the router's IPv6 address; if left empty,
                                # this setting is taken from the first
                                # configured /64 IPv6 subnet (see below)

#------------------------------------------------------------------------------
# IPv6 networks
#------------------------------------------------------------------------------
# NOTE(review): with IPV6_NET_N='0' the IPV6_NET_1* entries below are
# presumably inactive examples; raise the count to enable them - confirm
# against the package documentation.
IPV6_NET_N='0'                  # number of IPv6 subnets to configure;
                                # at least one subnet is necessary to
                                # create a local IPv6 network!

IPV6_NET_1='::1:0:0:0:1/64'     # The router address and net mask within
                                # this subnet. If this subnet is associated
                                # with a tunnel (see IPV6_NET_%_TUNNEL
                                # below), use an address WITHOUT the subnet
                                # prefix (which is possibly not known yet
                                # as it may be dynamically assigned while
                                # configuring the tunnel); when the
                                # associated tunnel is set up, its prefix
                                # will be combined with the address
                                # specified here to yield a complete
                                # address.
                                #
                                # NOTE that the net mask must be equal to
                                # 64 if you want to use stateless IPv6
                                # autoconfiguration!
                                #
                                # In this example, a /48 subnet prefix is
                                # assumed which is extended by the subnet
                                # '1' and the host part '0:0:0:1'. So with
                                # e.g. '2001:db8:13bc::/48' as subnet prefix,
                                # the complete address and mask becomes
                                # '2001:db8:13bc:1::1/64'.
IPV6_NET_1_TUNNEL='1'           # the index of the associated tunnel; if
                                # left empty, no tunnel is associated, so
                                # the address specification above is taken
                                # "as is" and is not completed by any
                                # prefix
IPV6_NET_1_DEV='IP_NET_1_DEV'   # interface this subnet is bound to
IPV6_NET_1_ADVERTISE='yes'      # should the subnet prefix be advertised
                                # automatically via RA in order to enable
                                # stateless autoconfiguration?
                                # NOTE: hosts that autoconfigure from a
                                # global prefix get globally routable
                                # addresses, so their exposure is governed
                                # by the PF6_FORWARD_* rules further below
IPV6_NET_1_ADVERTISE_DNS='no'   # should the DNS service be advertised
                                # within this subnet via RA?
IPV6_NET_1_DHCP='no'            # should domain and DNS server be available
                                # via DHCPv6 in this subnet?

#------------------------------------------------------------------------------
# IPv6 tunnels (see documentation for details!)
#------------------------------------------------------------------------------
# NOTE(review): with IPV6_TUNNEL_N='0' the IPV6_TUNNEL_1* entries below are
# presumably inactive examples - confirm against the package documentation.
IPV6_TUNNEL_N='0'               # number of tunnels to set up
IPV6_TUNNEL_1_TYPE='sixxs'      # tunnel type; the type-specific settings
                                # are listed in the sections below
                                # ('static', 'sixxs', 'he')
                                # NOTE(review): SixXS ended its service in
                                # 2017 - confirm that 'sixxs' is still a
                                # usable choice before enabling it
IPV6_TUNNEL_1_LOCALV4='dynamic' # IPv4 address of the local tunnel endpoint;
                                # use 'dynamic' for a dial-up connection
IPV6_TUNNEL_1_DEFAULT='yes'     # should this tunnel be used for routing
                                # IPv6 traffic to/from the Internet?
                                # NOTE that at most one tunnel can be the
                                # default one!
#IPV6_TUNNEL_1_DEV='6in4'       # (optional) name of the interface to
                                # create for this tunnel; if left empty,
                                # a unique name is generated automatically
#IPV6_TUNNEL_1_MTU='1280'       # (optional) MTU size in bytes for this
                                # tunnel; the default value of 1280 is
                                # recommended by many tunnel providers
                                # (1280 bytes is also the minimum link MTU
                                # that IPv6 requires)

#------------------------------------------------------------------------------
# when tunnel type is 'static'
#------------------------------------------------------------------------------
#IPV6_TUNNEL_1_REMOTEV4='203.0.113.188'
                                # IPv4 address of the remote tunnel endpoint
#IPV6_TUNNEL_1_LOCALV6='2001:db8:900:530::2/64'
                                # IPv6 address and mask of the local
                                # tunnel endpoint
#IPV6_TUNNEL_1_REMOTEV6='2001:db8:900:530::1'
                                # IPv6 address of the remote tunnel endpoint
#IPV6_TUNNEL_1_PREFIX='2001:db8:13bc::/48'
                                # the associated subnet prefix

#------------------------------------------------------------------------------
# when tunnel type is 'sixxs'
#------------------------------------------------------------------------------
#IPV6_TUNNEL_1_REMOTEV4='203.0.113.188'
                                # IPv4 address of the remote tunnel endpoint
#IPV6_TUNNEL_1_LOCALV6='2001:db8:900:530::2/64' 
                                # IPv6 address and mask of the
                                # local tunnel endpoint
#IPV6_TUNNEL_1_REMOTEV6='2001:db8:900:530::1'
                                # IPv6 address of the remote tunnel endpoint
#IPV6_TUNNEL_1_PREFIX='2001:db8:13bc::/48'
                                # assigned /48 subnet prefix;
                                # leave empty if you don't have one yet
#IPV6_TUNNEL_1_USERID='ABCDE-SIXXS'
                                # user name for TIC login
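#IPV6_TUNNEL_1_PASSWORD='pass'  # password for TIC login; it is stored in
                                # plain text in this file, so restrict
                                # read access to the configuration and
                                # keep it out of shared backups and
                                # repositories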
#IPV6_TUNNEL_1_TUNNELID='T1234' # tunnel ID
#IPV6_TUNNEL_1_TIMEOUT='30'     # (optional) timeout in seconds for tunnel

#------------------------------------------------------------------------------
# when tunnel type is 'he'
#------------------------------------------------------------------------------
#IPV6_TUNNEL_1_REMOTEV4='203.0.113.188'
                                # IPv4 address of the remote tunnel endpoint
#IPV6_TUNNEL_1_LOCALV6='2001:db8:900:530::2/64' 
                                # IPv6 address and mask of the
                                # local tunnel endpoint
#IPV6_TUNNEL_1_REMOTEV6='2001:db8:900:530::1'
                                # IPv6 address of the remote tunnel endpoint
#IPV6_TUNNEL_1_PREFIX='2001:db8:13bc::/48'
                                # assigned /48 subnet prefix;
                                # leave empty if you don't have one yet
#IPV6_TUNNEL_1_USERID='userid'  # HE user id (found on the main page after login)
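#IPV6_TUNNEL_1_PASSWORD='password'
                                # HE password; it is stored in plain text
                                # in this file, so restrict read access to
                                # the configuration and keep it out of
                                # shared backups and repositories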
#IPV6_TUNNEL_1_TUNNELID='123456'
                                # tunnel ID

#------------------------------------------------------------------------------
# Additional IPv6 routes (don't use this for default routes!)
#------------------------------------------------------------------------------
IPV6_ROUTE_N='0'                # number of routes
                                # NOTE(review): with '0' the entry below is
                                # presumably an inactive example - confirm
IPV6_ROUTE_1='2001:db8:13bc:2::/64 2001:db8:900:530::1'
                                # example route; the value presumably reads
                                # "<destination prefix> <gateway>" - confirm
                                # against the package documentation

#------------------------------------------------------------------------------
# Packet filter configuration
#------------------------------------------------------------------------------
# INPUT chain
#------------------------------------------------------------------------------
# Rules in this chain decide which hosts may access the router itself.
PF6_INPUT_POLICY='REJECT'       # be nice and use reject as policy, i.e.
                                # answer unmatched packets instead of
                                # discarding them silently (see the
                                # *_REJ_LIMIT settings for the rate limit)
PF6_INPUT_ACCEPT_DEF='yes'      # use default rule set
PF6_INPUT_LOG='no'              # don't log anything
                                # NOTE: rejected packets then presumably
                                # leave no trace; consider 'yes' when you
                                # need visibility into probes of the router
                                # (PF6_INPUT_LOG_LIMIT bounds the volume)
PF6_INPUT_LOG_LIMIT='3/minute:5'
                                # log 3 events per minute; allow a burst
                                # of 5 events
PF6_INPUT_REJ_LIMIT='1/second:5'
                                # reject 1 connection per second; allow a burst
                                # of 5 events; otherwise drop packet
PF6_INPUT_UDP_REJ_LIMIT='1/second:5'
                                # reject 1 udp packet per second; allow a burst
                                # of 5 events; otherwise drop packet

PF6_INPUT_N='1'                 # number of INPUT rules
                                # NOTE(review): only PF6_INPUT_1 is covered
                                # by this count; PF6_INPUT_2 and PF6_INPUT_3
                                # are presumably ignored until it is raised
                                # to '3' - confirm
PF6_INPUT_1='[fe80::0/10] ACCEPT'
                                # allow all hosts in the local network to
                                # access the router (fe80::/10 is the
                                # link-local address range)
                                # NOTE(review): the rule names no interface,
                                # so link-local sources on every attached
                                # link, the uplink included, presumably
                                # match - confirm, and narrow the rule if
                                # that is not intended
PF6_INPUT_2='IPV6_NET_1 ACCEPT' # allow all hosts in the first subnet to access
                                # the router
PF6_INPUT_3='tmpl:samba DROP NOLOG'
                                # drop (or reject) samba access without
                                # logging, otherwise the log file will be
                                # filled with useless entries
PF6_INPUT_3_COMMENT='no samba traffic allowed'
                                # presumably a free-text description that
                                # is attached to rule 3 - confirm

#------------------------------------------------------------------------------
# FORWARD chain
#------------------------------------------------------------------------------
# Rules in this chain decide which traffic may pass through the router.
# No masquerading is active by default (PF6_POSTROUTING_N='0'), so for
# hosts with global addresses this chain is the barrier towards the Internet.
PF6_FORWARD_POLICY='REJECT'     # be nice and use reject as policy, i.e.
                                # answer unmatched packets instead of
                                # discarding them silently (see the
                                # *_REJ_LIMIT settings for the rate limit)
PF6_FORWARD_ACCEPT_DEF='yes'    # use default rule set
PF6_FORWARD_LOG='no'            # don't log anything
                                # NOTE: rejected packets then presumably
                                # leave no trace; consider 'yes' when you
                                # need visibility into blocked traffic
                                # (PF6_FORWARD_LOG_LIMIT bounds the volume)
PF6_FORWARD_LOG_LIMIT='3/minute:5'
                                # log 3 events per minute; allow a burst of
                                # 5 events
PF6_FORWARD_REJ_LIMIT='1/second:5'
                                # reject 1 connection per second; allow a burst
                                # of 5 events; otherwise drop packet
PF6_FORWARD_UDP_REJ_LIMIT='1/second:5'
                                # reject 1 udp packet per second; allow a burst
                                # of 5 events; otherwise drop packet

PF6_FORWARD_N='2'               # number of FORWARD rules
PF6_FORWARD_1='tmpl:samba DROP' # drop samba traffic if it tries to leave the
                                # subnet
PF6_FORWARD_2='IPV6_NET_1 ACCEPT'
                                # accept everything else that matches the
                                # first subnet; packets matching no rule
                                # fall to PF6_FORWARD_POLICY
                                # NOTE(review): confirm that a single
                                # address is matched as source only; an
                                # ACCEPT that also matched IPV6_NET_1 as
                                # destination would admit unsolicited
                                # inbound connections to the LAN hosts

#------------------------------------------------------------------------------
# OUTPUT chain
#------------------------------------------------------------------------------
# With the ACCEPT policy and no rules (PF6_OUTPUT_N='0'), outgoing packets
# are not restricted by this chain.
PF6_OUTPUT_POLICY='ACCEPT'      # default policy for outgoing packets
PF6_OUTPUT_ACCEPT_DEF='yes'     # use default rule set
PF6_OUTPUT_LOG='no'             # don't log anything
PF6_OUTPUT_LOG_LIMIT='3/minute:5'
                                # log 3 events per minute; allow a burst of
                                # 5 events
PF6_OUTPUT_REJ_LIMIT='1/second:5'
                                # reject 1 connection per second; allow a burst
                                # of 5 events; otherwise drop packet
PF6_OUTPUT_UDP_REJ_LIMIT='1/second:5'
                                # reject 1 udp packet per second; allow a burst
                                # of 5 events; otherwise drop packet

PF6_OUTPUT_N='0'                # number of OUTPUT rules

#------------------------------------------------------------------------------
# POSTROUTING chain
#------------------------------------------------------------------------------
PF6_POSTROUTING_N='0'           # number of POSTROUTING rules
                                # NOTE(review): with '0' the rule below is
                                # presumably an inactive example - confirm
PF6_POSTROUTING_1='IPV6_NET_1 MASQUERADE'
                                # masquerade traffic leaving the subnet

#------------------------------------------------------------------------------
# PREROUTING chain
#------------------------------------------------------------------------------
PF6_PREROUTING_N='0'            # number of PREROUTING rules
                                # NOTE(review): with '0' the rule below is
                                # presumably an inactive example - confirm
PF6_PREROUTING_1='tmpl:ssh [2001:db8::1] DNAT:@client2'
                                # forward ssh connections coming from
                                # [2001:db8::1] to client2
                                # NOTE: once enabled, this publishes the
                                # ssh service of client2, so keep the
                                # permitted peer address as narrow as
                                # possible

#------------------------------------------------------------------------------
# PREROUTING_CT chain
#------------------------------------------------------------------------------
PF6_PREROUTING_CT_N='0'         # number of PREROUTING_CT rules
                                # NOTE(review): with '0' the rule below is
                                # presumably an inactive example - confirm
PF6_PREROUTING_CT_1='tmpl:ftp any IPV6_NET_1 HELPER:ftp BIDIRECTIONAL'
                                # associate FTP conntrack helper for active
                                # FTP forwarded into or out of the LAN
                                # NOTE: a conntrack helper lets the FTP
                                # control channel open related data
                                # connections through the filter, so keep
                                # the matched addresses as narrow as
                                # possible

#------------------------------------------------------------------------------
# OUTPUT_CT chain
#------------------------------------------------------------------------------
PF6_OUTPUT_CT_N='0'             # number of OUTPUT_CT rules
                                # NOTE(review): with '0' the rule below is
                                # presumably an inactive example - confirm
PF6_OUTPUT_CT_1='tmpl:ftp HELPER:ftp'
                                # associate FTP conntrack helper for outgoing
                                # active FTP on the router
                                # (this rule is added automatically by
                                # the tools package if OPT_FTP='yes'
                                # and FTP_PF_ENABLE_ACTIVE='yes')

#------------------------------------------------------------------------------
# USER chain
#------------------------------------------------------------------------------
PF6_USR_CHAIN_N='0'             # number of user-defined chains
