# /etc/netmasq/lo.conf interface configuration file for netmasq
# The name of this file determines which interface it controls, e.g.,
# eth0.conf controls eth0. Notice that each interface will have its
# own firewall settings.
# You will need to run netmasq again to make changes in this file take effect.
# Format: KEY=value settings and keyword directives (svc, mac, icmp_block,
# portfw, rmt), one per line; '#' starts a comment. The shipped icmp_block and
# svc lines carry trailing '#' comments, so netmasq presumably accepts those on
# directive lines as well -- confirm before relying on it in your own entries.
# Directive order may matter to the firewall rules netmasq generates; keep
# related entries together rather than scattering them across the file.
# ===========================
# ==== Firewall settings ====
# ===========================
# If this interface has access to an untrusted network, such as the Internet,
# you NEED to have a firewall. I don't recommend firewalling the loopback
# device, not even for testing purposes.
FIREWALL=no
# If you do not firewall this interface, you can ignore the rest of this file.
# ==== MAC authentication ====
# You can require MAC address authentication by specifying an IP address
# and port which serves a webpage to be displayed to non-authenticated
# users. If you choose to do this, connections from unregistered MAC
# addresses will be dropped. If needed, be sure to include any servers,
# such as your dns servers, to trustedmac.conf.
# Note that a MAC address is a client-supplied identifier, not a credential:
# this gate keeps casual or unconfigured hosts off the network, but it is not a
# substitute for authenticating the users or services behind them.
#AUTH_IP_PORT=192.168.0.1:81
# The MAC_AUTH_FILE is an optional file that contains a list of MAC
# addresses which can be updated by another user or process, such as
# the webserver. The file must reside outside of /etc/netmasq if it
# must be writeable by any user other than root.
# Anything that can write this file can grant network access, so give write
# permission only to the owner/group named below and keep the webserver's
# registration page the sole writer.
#MAC_AUTH_FILE=/var/lib/netmasq
#MAC_AUTH_FILE_OWNER=www-data
#MAC_AUTH_FILE_GROUP=www-data
# If you require non-authenticated clients access to services such
# as dhcp or name services, you can allow access here. Keep this list to the
# bootstrap services unregistered hosts genuinely need (dhcp, dns).
#mac tcp 53 #allows dns (allow udp and tcp)
#mac udp 53 #allows dns (allow udp and tcp)
#mac tcp 67 #allows dhcp (allow udp and tcp)
#mac udp 67 #allows dhcp (allow udp and tcp)
# ==== icmp filtering ====
# You can choose to block all icmp traffic, but that will break ping and
# traceroute, and could cause unexpected problems. Unless you have a good
# reason, allow icmp connections.
ALLOW_ICMP=yes
# If you're allowing icmp connections, you can drop specific types using the
# keyword "icmp_block" followed by the icmp type number.
icmp_block 5 #blocks icmp redirects (type 5), which would let a remote host rewrite this host's routing table
#icmp_block 8 #blocks ping requests (echo request)
#icmp_block 0 #blocks ping responses (echo reply)
# ==== allowed services ====
# If you want to provide services to the network attached to this interface,
# you will need to uncomment or create entries here. Use the keyword "svc"
# followed by the protocol, tcp or udp, then the port number or a
# low:high port range. Every entry opens an inbound port on this interface, so
# uncomment only the services actually running here. (Comments are
# mine, your mileage may vary.)
#svc tcp 20:21 #allows ftp (not good, unless you know what you're doing)
svc tcp 22 #allows ssh (best way to allow remote access)
#svc tcp 23 #allows telnet (not a good idea, use ssh instead)
#svc tcp 25 #allows smtp (email delivery)
#svc tcp 53 #allows dns (allow udp and tcp)
#svc udp 53 #allows dns (allow udp and tcp)
#svc tcp 67 #allows dhcp (also requires tcp/udp 67 in rmt below)
#svc udp 67 #allows dhcp (also requires tcp/udp 67 in rmt below)
#svc tcp 80 #allows httpd (webserver)
#svc tcp 81 #allows httpd (webserver for MAC authentication)
#svc tcp 110 #allows pop3 (for email clients)
#svc tcp 113 #allows identd (use only if needed)
#svc tcp 443 #allows shttpd (secure webserver)
#svc tcp 5801 #allows vnc connections
#svc tcp 5901 #allows vnc connections
# ===============================
# ==== masquerading settings ====
# ===============================
# Masquerading is optional. This will allow hosts on your other network(s)
# to use this host as a gateway to the network(s) accessible from this
# interface. To enable masquerading, replace the "no" with "yes", restart
# netmasq, then configure your hosts to use this host as a gateway.
MASQUERADE=no
# If you do not masquerade on any of your interfaces, you can ignore the
# rest of this file.
# To make services available to remote hosts, you can forward connection
# requests to an internal host by using the portfw command. Notice that
# you must also allow connections using the svc command in the firewall
# section above. Syntax: portfw <proto> <port> to <internal ip> <internal port>.
# Each forward exposes the internal host directly to this interface's network,
# so the internal host should be hardened as if it were externally reachable.
#portfw tcp 22 to 192.168.0.5 22 #forwards ssh connections to 192.168.0.5
#portfw tcp 80 to 192.168.0.5 80 #forwards http connections to 192.168.0.5
#portfw tcp 5802 to 192.168.0.2 5802 #forwards vnc connections to 192.168.0.2
#portfw tcp 5902 to 192.168.0.2 5902 #forwards vnc connections to 192.168.0.2
# ================================
# ==== remote lan connections ====
# ================================
# If you allow masquerading on another interface and have a firewall
# on this interface, you must select which tcp and udp connections
# are allowed from your clients. If all lines below are commented,
# no connections are allowed. The keyword is "rmt" followed by the
# protocol and a port number or low:high range; the default-deny behaviour
# means you only ever need to list what clients are permitted to reach.
#To allow all remote connections:
#rmt tcp 1:65535
#rmt udp 1:65535
#To allow all remote connections, except for Microsoft networking
#(the gaps below skip 135-139, 445 and 593):
#rmt tcp 1:134
#rmt udp 1:134
#rmt tcp 140:444
#rmt udp 140:444
#rmt tcp 446:592
#rmt udp 446:592
#rmt tcp 594:65535
#rmt udp 594:65535
#To allow only dhcp and http:
#rmt tcp 67 #dhcp tcp
#rmt udp 67 #dhcp udp
#rmt tcp 80 #httpd