mirror of
https://github.com/fwbuilder/fwbuilder
synced 2026-03-24 12:17:26 +01:00
updated templates.xml, new fireall dialog
This commit is contained in:
Vadim Kurland
parent
990be44f07
commit
24a337d2b1
File diff suppressed because it is too large
Load Diff
@ -1,375 +1,22 @@
|
||||
<?xml version="1.0" encoding="utf-8"?>
|
||||
<!DOCTYPE FWObjectDatabase SYSTEM "fwbuilder.dtd">
|
||||
<FWObjectDatabase xmlns="http://www.fwbuilder.org/1.0/" version="10" lastModified="1184450093" id="root">
|
||||
<Library color="#d4f8ff" comment="Standard objects" id="syslib000" name="Standard" ro="False">
|
||||
<AnyNetwork comment="Any Network" id="sysid0" name="Any" address="0.0.0.0" netmask="0.0.0.0"/>
|
||||
<AnyIPService comment="Any IP Service" id="sysid1" name="Any" protocol_num="0"/>
|
||||
<AnyInterval comment="Any Interval" from_day="-1" from_hour="-1" from_minute="-1" from_month="-1" from_weekday="-1" from_year="-1" id="sysid2" name="Any" to_day="-1" to_hour="-1" to_minute="-1" to_month="-1" to_weekday="-1" to_year="-1"/>
|
||||
<ObjectGroup id="stdid01" name="Objects">
|
||||
<ObjectGroup id="stdid16" name="Addresses"/>
|
||||
<ObjectGroup id="stdid17" name="DNS Names"/>
|
||||
<ObjectGroup id="stdid18" name="Address Tables"/>
|
||||
<ObjectGroup id="stdid04" name="Groups">
|
||||
<ObjectGroup id="id3DC75CE8" name="rfc1918-nets">
|
||||
<ObjectRef ref="id3DC75CE5"/>
|
||||
<ObjectRef ref="id3DC75CE6"/>
|
||||
<ObjectRef ref="id3DC75CE7"/>
|
||||
</ObjectGroup>
|
||||
</ObjectGroup>
|
||||
<ObjectGroup id="stdid02" name="Hosts">
|
||||
<Host comment="This host is used in examples and template objects" id="id3D84EECE" name="internal server">
|
||||
<Interface bridgeport="False" dyn="False" id="id3D84EED2" name="eth0" security_level="0" unnum="False" unprotected="False">
|
||||
<IPv4 address="192.168.1.10" id="id3D84EED3" name="ip" netmask="255.255.255.0"/>
|
||||
</Interface>
|
||||
<Management address="192.168.1.10">
|
||||
<SNMPManagement enabled="False" snmp_read_community="" snmp_write_community=""/>
|
||||
<FWBDManagement enabled="False" identity="" port="-1"/>
|
||||
<PolicyInstallScript arguments="" command="" enabled="False"/>
|
||||
</Management>
|
||||
<HostOptions>
|
||||
<Option name="snmp_contact"></Option>
|
||||
<Option name="snmp_description"></Option>
|
||||
<Option name="snmp_location"></Option>
|
||||
<Option name="use_mac_addr">false</Option>
|
||||
<Option name="use_mac_addr_filter">False</Option>
|
||||
</HostOptions>
|
||||
</Host>
|
||||
<Host comment="This host is used in examples and template objects" id="id3D84EECF" name="server on dmz">
|
||||
<Interface bridgeport="False" dyn="False" id="id3D84EEE3" name="eth0" security_level="0" unnum="False" unprotected="False">
|
||||
<IPv4 address="192.168.2.10" id="id3D84EEE4" name="ip" netmask="255.255.255.0"/>
|
||||
</Interface>
|
||||
<Management address="192.168.2.10">
|
||||
<SNMPManagement enabled="False" snmp_read_community="" snmp_write_community=""/>
|
||||
<FWBDManagement enabled="False" identity="" port="-1"/>
|
||||
<PolicyInstallScript arguments="" command="" enabled="False"/>
|
||||
</Management>
|
||||
<HostOptions>
|
||||
<Option name="snmp_contact"></Option>
|
||||
<Option name="snmp_description"></Option>
|
||||
<Option name="snmp_location"></Option>
|
||||
<Option name="use_mac_addr">false</Option>
|
||||
<Option name="use_mac_addr_filter">False</Option>
|
||||
</HostOptions>
|
||||
</Host>
|
||||
</ObjectGroup>
|
||||
<ObjectGroup id="stdid03" name="Networks">
|
||||
<Network comment="224.0.0.0/4 - This block, formerly known as the Class D address space, is allocated for use in IPv4 multicast address assignments. The IANA guidelines for assignments from this space are described in [RFC3171]. " id="id3DC75CEC" name="all multicasts" address="224.0.0.0" netmask="240.0.0.0"/>
|
||||
<Network comment="169.254.0.0/16 - This is the "link local" block. It is allocated for communication between hosts on a single link. Hosts obtain these addresses by auto-configuration, such as when a DHCP server may not be found. " id="id3F4ECE3E" name="link-local" address="169.254.0.0" netmask="255.255.0.0"/>
|
||||
<Network comment="127.0.0.0/8 - This block is assigned for use as the Internet host loopback address. A datagram sent by a higher level protocol to an address anywhere within this block should loop back inside the host. This is ordinarily implemented using only 127.0.0.1/32 for loopback, but no addresses within this block should ever appear on any network anywhere [RFC1700, page 5]. " id="id3F4ECE3D" name="loopback-net" address="127.0.0.0" netmask="255.0.0.0"/>
|
||||
<Network comment="10.0.0.0/8 - This block is set aside for use in private networks. Its intended use is documented in [RFC1918]. Addresses within this block should not appear on the public Internet." id="id3DC75CE5" name="net-10.0.0.0" address="10.0.0.0" netmask="255.0.0.0"/>
|
||||
<Network comment="172.16.0.0/12 - This block is set aside for use in private networks. Its intended use is documented in [RFC1918]. Addresses within this block should not appear on the public Internet. " id="id3DC75CE7" name="net-172.16.0.0" address="172.16.0.0" netmask="255.240.0.0"/>
|
||||
<Network comment="192.168.0.0/16 - This block is set aside for use in private networks. Its intended use is documented in [RFC1918]. Addresses within this block should not appear on the public Internet. " id="id3DC75CE6" name="net-192.168.0.0" address="192.168.0.0" netmask="255.255.0.0"/>
|
||||
<Network comment="192.0.2.0/24 - This block is assigned as "TEST-NET" for use in documentation and example code. It is often used in conjunction with domain names example.com or example.net in vendor and protocol documentation. Addresses within this block should not appear on the public Internet. " id="id3F4ECE3F" name="test-net" address="192.0.2.0" netmask="255.255.255.0"/>
|
||||
<Network comment="0.0.0.0/8 - Addresses in this block refer to source hosts on "this" network. Address 0.0.0.0/32 may be used as a source address for this host on this network; other addresses within 0.0.0.0/8 may be used to refer to specified hosts on this network [RFC1700, page 4]." id="id3F4ECE40" name="this-net" address="0.0.0.0" netmask="255.0.0.0"/>
|
||||
<Network comment="192.168.1.0/24 - Address often used for home and small office networks. " id="id3DC75CE7-1" name="net-192.168.1.0" address="192.168.1.0" netmask="255.255.255.0"/>
|
||||
<Network comment="192.168.2.0/24 - Address often used for home and small office networks. " id="id3DC75CE7-2" name="net-192.168.2.0" address="192.168.2.0" netmask="255.255.255.0"/>
|
||||
</ObjectGroup>
|
||||
<ObjectGroup id="stdid15" name="Address Ranges">
|
||||
<AddressRange comment="" id="id3F6D115C" name="broadcast" start_address="255.255.255.255" end_address="255.255.255.255"/>
|
||||
<AddressRange comment="" id="id3F6D115D" name="old-broadcast" start_address="0.0.0.0" end_address="0.0.0.0"/>
|
||||
</ObjectGroup>
|
||||
</ObjectGroup>
|
||||
<ServiceGroup id="stdid05" name="Services">
|
||||
<CustomService comment="This service matches all packets which are part of network connections established through the firewall, or connections 'related' to those established through the firewall. Term 'established' refers to the state tracking mechanism which exists inside iptables and other stateful firewalls and does not mean any particular combination of packet header options. Packet is considered to correspond to the state 'ESTABLISHED' if it belongs to the network session, for which proper initiation has been seen by the firewall, so its stateful inspection module made appropriate record in the state table. Usually stateful firewalls keep track of network connections using not only tcp protocol, but also udp and sometimes even icmp protocols. 'RELATED' describes packet belonging to a separate network connection, related to the session firewall is keeping track of. One example is FTP command and FTP data sessions." id="stdid14_1" name="ESTABLISHED">
|
||||
<CustomServiceCommand platform="Undefined"></CustomServiceCommand>
|
||||
<CustomServiceCommand platform="ipfilter"></CustomServiceCommand>
|
||||
<CustomServiceCommand platform="ipfw">established</CustomServiceCommand>
|
||||
<CustomServiceCommand platform="iptables">-m state --state ESTABLISHED,RELATED</CustomServiceCommand>
|
||||
</CustomService>
|
||||
<ServiceGroup id="stdid10" name="Groups">
|
||||
<ServiceGroup comment="" id="sg-DHCP" name="DHCP">
|
||||
<ServiceRef ref="udp-bootpc"/>
|
||||
<ServiceRef ref="udp-bootps"/>
|
||||
</ServiceGroup>
|
||||
<ServiceGroup id="id3F530CC8" name="DNS">
|
||||
<ServiceRef ref="udp-DNS"/>
|
||||
<ServiceRef ref="tcp-DNS"/>
|
||||
</ServiceGroup>
|
||||
<ServiceGroup id="id3CB1279B" name="IPSEC">
|
||||
<ServiceRef ref="id3CB12797"/>
|
||||
<ServiceRef ref="ip-IPSEC"/>
|
||||
</ServiceGroup>
|
||||
<ServiceGroup comment="" id="sg-NETBIOS" name="NETBIOS">
|
||||
<ServiceRef ref="udp-netbios-dgm"/>
|
||||
<ServiceRef ref="udp-netbios-ns"/>
|
||||
<ServiceRef ref="id3E755609"/>
|
||||
</ServiceGroup>
|
||||
<ServiceGroup id="id3CB131CC" name="PCAnywhere">
|
||||
<ServiceRef ref="id3CB131CA"/>
|
||||
<ServiceRef ref="id3CB131C8"/>
|
||||
</ServiceGroup>
|
||||
<ServiceGroup comment="" id="sg-Useful_ICMP" name="Useful_ICMP">
|
||||
<ServiceRef ref="icmp-Time_exceeded"/>
|
||||
<ServiceRef ref="icmp-Time_exceeded_in_transit"/>
|
||||
<ServiceRef ref="icmp-ping_reply"/>
|
||||
<ServiceRef ref="icmp-Unreachables"/>
|
||||
</ServiceGroup>
|
||||
<ServiceGroup id="id3B4FEDD9" name="kerberos">
|
||||
<ServiceRef ref="id3B4FEDA5"/>
|
||||
<ServiceRef ref="id3B4FEDA9"/>
|
||||
<ServiceRef ref="id3B4FEDA7"/>
|
||||
<ServiceRef ref="id3B4FEDAB"/>
|
||||
<ServiceRef ref="id3B4FEDA3"/>
|
||||
<ServiceRef ref="id3B4FEE21"/>
|
||||
<ServiceRef ref="id3B4FEE23"/>
|
||||
<ServiceRef ref="id3E7E3EA2"/>
|
||||
</ServiceGroup>
|
||||
<ServiceGroup id="id3B4FF35E" name="nfs">
|
||||
<ServiceRef ref="id3B4FEE7A"/>
|
||||
<ServiceRef ref="id3B4FEE78"/>
|
||||
</ServiceGroup>
|
||||
<ServiceGroup id="id3B4FEFFA" name="quake">
|
||||
<ServiceRef ref="id3B4FEF7C"/>
|
||||
<ServiceRef ref="id3B4FEF7E"/>
|
||||
</ServiceGroup>
|
||||
<ServiceGroup id="id3D703C9A" name="Real Player">
|
||||
<ServiceRef ref="id3D703C99"/>
|
||||
<ServiceRef ref="id3D703C8B"/>
|
||||
</ServiceGroup>
|
||||
<ServiceGroup id="id3E7E3E95" name="WinNT">
|
||||
<ServiceRef ref="sg-NETBIOS"/>
|
||||
<ServiceRef ref="id3DC8C8BB"/>
|
||||
<ServiceRef ref="id3E7E3D58"/>
|
||||
</ServiceGroup>
|
||||
<ServiceGroup id="id3E7E3E9A" name="Win2000">
|
||||
<ServiceRef ref="id3E7E3E95"/>
|
||||
<ServiceRef ref="udp-DNS"/>
|
||||
<ServiceRef ref="id3DC8C8BC"/>
|
||||
<ServiceRef ref="id3E7E3EA2"/>
|
||||
<ServiceRef ref="id3AECF778"/>
|
||||
<ServiceRef ref="id3D703C90"/>
|
||||
<ServiceRef ref="id3E7E4039"/>
|
||||
<ServiceRef ref="id3E7E403A"/>
|
||||
<ServiceRef ref="id3B4FEDA5"/>
|
||||
<ServiceRef ref="tcp-DNS"/>
|
||||
</ServiceGroup>
|
||||
<ServiceGroup comment="" id="id41291786" name="UPnP">
|
||||
<ServiceRef ref="id41291784"/>
|
||||
<ServiceRef ref="id41291785"/>
|
||||
<ServiceRef ref="id41291783"/>
|
||||
<ServiceRef ref="id412Z18A9"/>
|
||||
</ServiceGroup>
|
||||
</ServiceGroup>
|
||||
<ServiceGroup id="stdid07" name="ICMP">
|
||||
<ICMPService code="-1" comment="" id="icmp-Unreachables" name="all ICMP unreachables" type="3"/>
|
||||
<ICMPService code="-1" comment="" id="id3C20EEB5" name="any ICMP" type="-1"/>
|
||||
<ICMPService code="1" comment="" id="icmp-Host_unreach" name="host_unreach" type="3"/>
|
||||
<ICMPService code="0" comment="" id="icmp-ping_reply" name="ping reply" type="0"/>
|
||||
<ICMPService code="0" comment="" id="icmp-ping_request" name="ping request" type="8"/>
|
||||
<ICMPService code="3" comment="Port unreachable" id="icmp-Port_unreach" name="port unreach" type="3"/>
|
||||
<ICMPService code="0" comment="ICMP messages of this type are needed for traceroute" id="icmp-Time_exceeded" name="time exceeded" type="11"/>
|
||||
<ICMPService code="1" comment="" id="icmp-Time_exceeded_in_transit" name="time exceeded in transit" type="11"/>
|
||||
</ServiceGroup>
|
||||
<ServiceGroup id="stdid06" name="IP">
|
||||
<IPService comment="IPSEC Authentication Header Protocol" fragm="False" id="id3CB12797" lsrr="False" name="AH" protocol_num="51" rr="False" short_fragm="False" ssrr="False" ts="False"/>
|
||||
<IPService comment="IPSEC Encapsulating Security Payload Protocol" fragm="False" id="ip-IPSEC" lsrr="False" name="ESP" protocol_num="50" rr="False" short_fragm="False" ssrr="False" ts="False"/>
|
||||
<IPService comment="Route recording packets" fragm="False" id="ip-RR" lsrr="False" name="RR" protocol_num="0" rr="True" short_fragm="False" ssrr="False" ts="False"/>
|
||||
<IPService comment="All sorts of Source Routing Packets" fragm="False" id="ip-SRR" lsrr="True" name="SRR" protocol_num="0" rr="False" short_fragm="False" ssrr="True" ts="False"/>
|
||||
<IPService comment="'Short' fragments" fragm="False" id="ip-IP_Fragments" lsrr="False" name="ip_fragments" protocol_num="0" rr="False" short_fragm="True" ssrr="False" ts="False"/>
|
||||
<IPService comment="IPSEC Simple Key Management for Internet Protocols" fragm="False" id="id3D703C8E" lsrr="False" name="SKIP" protocol_num="57" rr="False" short_fragm="False" ssrr="False" ts="False"/>
|
||||
<IPService comment="Generic Routing Encapsulation " fragm="False" id="id3D703C8F" lsrr="False" name="GRE" protocol_num="47" rr="False" short_fragm="False" ssrr="False" ts="False"/>
|
||||
<IPService comment="Virtual Router Redundancy Protocol" fragm="False" id="id3D703C95" lsrr="False" name="vrrp" protocol_num="112" rr="False" short_fragm="False" ssrr="False" ts="False"/>
|
||||
</ServiceGroup>
|
||||
<ServiceGroup id="stdid09" name="TCP">
|
||||
<TCPService ack_flag="False" ack_flag_mask="False" comment="ipchains used to use this range of port numbers for masquerading. " dst_range_end="0" dst_range_start="0" fin_flag="False" fin_flag_mask="False" id="tcp-ALL_TCP_Masqueraded" name="ALL TCP Masqueraded" psh_flag="False" psh_flag_mask="False" rst_flag="False" rst_flag_mask="False" src_range_end="65095" src_range_start="61000" syn_flag="False" syn_flag_mask="False" urg_flag="False" urg_flag_mask="False"/>
|
||||
<TCPService ack_flag="False" ack_flag_mask="False" comment="" dst_range_end="5190" dst_range_start="5190" fin_flag="False" fin_flag_mask="False" id="id3D703C94" name="AOL" psh_flag="False" psh_flag_mask="False" rst_flag="False" rst_flag_mask="False" src_range_end="0" src_range_start="0" syn_flag="False" syn_flag_mask="False" urg_flag="False" urg_flag_mask="False"/>
|
||||
<TCPService ack_flag="False" ack_flag_mask="False" comment="" dst_range_end="0" dst_range_start="0" fin_flag="False" fin_flag_mask="False" id="tcp-All_TCP" name="All TCP" psh_flag="False" psh_flag_mask="False" rst_flag="False" rst_flag_mask="False" src_range_end="0" src_range_start="0" syn_flag="False" syn_flag_mask="False" urg_flag="False" urg_flag_mask="False"/>
|
||||
<TCPService ack_flag="False" ack_flag_mask="False" comment="" dst_range_end="1494" dst_range_start="1494" fin_flag="False" fin_flag_mask="False" id="id3CB131C4" name="Citrix-ICA" psh_flag="False" psh_flag_mask="False" rst_flag="False" rst_flag_mask="False" src_range_end="0" src_range_start="0" syn_flag="False" syn_flag_mask="False" urg_flag="False" urg_flag_mask="False"/>
|
||||
<TCPService ack_flag="False" ack_flag_mask="False" comment="Entrust CA Administration Service" dst_range_end="709" dst_range_start="709" fin_flag="False" fin_flag_mask="False" id="id3D703C91" name="Entrust-Admin" psh_flag="False" psh_flag_mask="False" rst_flag="False" rst_flag_mask="False" src_range_end="0" src_range_start="0" syn_flag="False" syn_flag_mask="False" urg_flag="False" urg_flag_mask="False"/>
|
||||
<TCPService ack_flag="False" ack_flag_mask="False" comment="Entrust CA Key Management Service" dst_range_end="710" dst_range_start="710" fin_flag="False" fin_flag_mask="False" id="id3D703C92" name="Entrust-KeyMgmt" psh_flag="False" psh_flag_mask="False" rst_flag="False" rst_flag_mask="False" src_range_end="0" src_range_start="0" syn_flag="False" syn_flag_mask="False" urg_flag="False" urg_flag_mask="False"/>
|
||||
<TCPService ack_flag="False" ack_flag_mask="False" comment="" dst_range_end="1720" dst_range_start="1720" fin_flag="False" fin_flag_mask="False" id="id3AEDBEAC" name="H323" psh_flag="False" psh_flag_mask="False" rst_flag="False" rst_flag_mask="False" src_range_end="0" src_range_start="0" syn_flag="False" syn_flag_mask="False" urg_flag="False" urg_flag_mask="False"/>
|
||||
<TCPService ack_flag="False" ack_flag_mask="False" comment="Sometimes this protocol is called icslap, but Microsoft does not call it that and just says that DSPP uses port 2869 in Windows XP SP2" dst_range_end="2869" dst_range_start="2869" fin_flag="False" fin_flag_mask="False" id="id412Z18A9" name="icslap" psh_flag="False" psh_flag_mask="False" rst_flag="False" rst_flag_mask="False" src_range_end="0" src_range_start="0" syn_flag="False" syn_flag_mask="False" urg_flag="False" urg_flag_mask="False"/>
|
||||
<TCPService ack_flag="False" ack_flag_mask="False" comment="" dst_range_end="3268" dst_range_start="3268" fin_flag="False" fin_flag_mask="False" id="id3E7E4039" name="LDAP GC" psh_flag="False" psh_flag_mask="False" rst_flag="False" rst_flag_mask="False" src_range_end="0" src_range_start="0" syn_flag="False" syn_flag_mask="False" urg_flag="False" urg_flag_mask="False"/>
|
||||
<TCPService ack_flag="False" ack_flag_mask="False" comment="" dst_range_end="3269" dst_range_start="3269" fin_flag="False" fin_flag_mask="False" id="id3E7E403A" name="LDAP GC SSL" psh_flag="False" psh_flag_mask="False" rst_flag="False" rst_flag_mask="False" src_range_end="0" src_range_start="0" syn_flag="False" syn_flag_mask="False" urg_flag="False" urg_flag_mask="False"/>
|
||||
<TCPService ack_flag="False" ack_flag_mask="False" comment="Open Windows" dst_range_end="2000" dst_range_start="2000" fin_flag="False" fin_flag_mask="False" id="id3D703C83" name="OpenWindows" psh_flag="False" psh_flag_mask="False" rst_flag="False" rst_flag_mask="False" src_range_end="0" src_range_start="0" syn_flag="False" syn_flag_mask="False" urg_flag="False" urg_flag_mask="False"/>
|
||||
<TCPService ack_flag="False" ack_flag_mask="False" comment="data channel for PCAnywhere v7.52 and later " dst_range_end="5631" dst_range_start="5631" fin_flag="False" fin_flag_mask="False" id="id3CB131C8" name="PCAnywhere-data" psh_flag="False" psh_flag_mask="False" rst_flag="False" rst_flag_mask="False" src_range_end="0" src_range_start="0" syn_flag="False" syn_flag_mask="False" urg_flag="False" urg_flag_mask="False"/>
|
||||
<TCPService ack_flag="False" ack_flag_mask="False" comment="RealNetworks PNA Protocol" dst_range_end="7070" dst_range_start="7070" fin_flag="False" fin_flag_mask="False" id="id3D703C8B" name="Real-Audio" psh_flag="False" psh_flag_mask="False" rst_flag="False" rst_flag_mask="False" src_range_end="0" src_range_start="0" syn_flag="False" syn_flag_mask="False" urg_flag="False" urg_flag_mask="False"/>
|
||||
<TCPService ack_flag="False" ack_flag_mask="False" comment="" dst_range_end="2998" dst_range_start="2998" fin_flag="False" fin_flag_mask="False" id="id3D703C93" name="RealSecure" psh_flag="False" psh_flag_mask="False" rst_flag="False" rst_flag_mask="False" src_range_end="0" src_range_start="0" syn_flag="False" syn_flag_mask="False" urg_flag="False" urg_flag_mask="False"/>
|
||||
<TCPService ack_flag="False" ack_flag_mask="False" comment="SMB over TCP (without NETBIOS) " dst_range_end="445" dst_range_start="445" fin_flag="False" fin_flag_mask="False" id="id3DC8C8BC" name="SMB" psh_flag="False" psh_flag_mask="False" rst_flag="False" rst_flag_mask="False" src_range_end="0" src_range_start="0" syn_flag="False" syn_flag_mask="False" urg_flag="False" urg_flag_mask="False"/>
|
||||
<TCPService ack_flag="False" ack_flag_mask="False" comment="" dst_range_end="49" dst_range_start="49" fin_flag="False" fin_flag_mask="False" id="id3D703C8D" name="TACACSplus" psh_flag="False" psh_flag_mask="False" rst_flag="False" rst_flag_mask="False" src_range_end="0" src_range_start="0" syn_flag="False" syn_flag_mask="False" urg_flag="False" urg_flag_mask="False"/>
|
||||
<TCPService ack_flag="False" ack_flag_mask="False" comment="TCP high ports" dst_range_end="65535" dst_range_start="1024" fin_flag="False" fin_flag_mask="False" id="id3D703C84" name="TCP high ports" psh_flag="False" psh_flag_mask="False" rst_flag="False" rst_flag_mask="False" src_range_end="0" src_range_start="0" syn_flag="False" syn_flag_mask="False" urg_flag="False" urg_flag_mask="False"/>
|
||||
<TCPService ack_flag="False" ack_flag_mask="False" comment="" dst_range_end="42" dst_range_start="42" fin_flag="False" fin_flag_mask="False" id="id3E7E3D58" name="WINS replication" psh_flag="False" psh_flag_mask="False" rst_flag="False" rst_flag_mask="False" src_range_end="0" src_range_start="0" syn_flag="False" syn_flag_mask="False" urg_flag="False" urg_flag_mask="False"/>
|
||||
<TCPService ack_flag="False" ack_flag_mask="False" comment="X Window System" dst_range_end="6063" dst_range_start="6000" fin_flag="False" fin_flag_mask="False" id="id3D703C82" name="X11" psh_flag="False" psh_flag_mask="False" rst_flag="False" rst_flag_mask="False" src_range_end="0" src_range_start="0" syn_flag="False" syn_flag_mask="False" urg_flag="False" urg_flag_mask="False"/>
|
||||
<TCPService ack_flag="False" ack_flag_mask="False" comment="" dst_range_end="113" dst_range_start="113" fin_flag="False" fin_flag_mask="False" id="tcp-Auth" name="auth" psh_flag="False" psh_flag_mask="False" rst_flag="False" rst_flag_mask="False" src_range_end="0" src_range_start="0" syn_flag="False" syn_flag_mask="False" urg_flag="False" urg_flag_mask="False"/>
|
||||
<TCPService ack_flag="False" ack_flag_mask="False" comment="" dst_range_end="13" dst_range_start="13" fin_flag="False" fin_flag_mask="False" id="id3AEDBE6E" name="daytime" psh_flag="False" psh_flag_mask="False" rst_flag="False" rst_flag_mask="False" src_range_end="0" src_range_start="0" syn_flag="False" syn_flag_mask="False" urg_flag="False" urg_flag_mask="False"/>
|
||||
<TCPService ack_flag="False" ack_flag_mask="False" comment="" dst_range_end="53" dst_range_start="53" fin_flag="False" fin_flag_mask="False" id="tcp-DNS" name="domain" psh_flag="False" psh_flag_mask="False" rst_flag="False" rst_flag_mask="False" src_range_end="0" src_range_start="0" syn_flag="False" syn_flag_mask="False" urg_flag="False" urg_flag_mask="False"/>
|
||||
<TCPService ack_flag="False" ack_flag_mask="False" comment="" dst_range_end="2105" dst_range_start="2105" fin_flag="False" fin_flag_mask="False" id="id3B4FEDA3" name="eklogin" psh_flag="False" psh_flag_mask="False" rst_flag="False" rst_flag_mask="False" src_range_end="0" src_range_start="0" syn_flag="False" syn_flag_mask="False" urg_flag="False" urg_flag_mask="False"/>
|
||||
<TCPService ack_flag="False" ack_flag_mask="False" comment="" dst_range_end="79" dst_range_start="79" fin_flag="False" fin_flag_mask="False" id="id3AECF774" name="finger" psh_flag="False" psh_flag_mask="False" rst_flag="False" rst_flag_mask="False" src_range_end="0" src_range_start="0" syn_flag="False" syn_flag_mask="False" urg_flag="False" urg_flag_mask="False"/>
|
||||
<TCPService ack_flag="False" ack_flag_mask="False" comment="" dst_range_end="21" dst_range_start="21" fin_flag="False" fin_flag_mask="False" id="tcp-FTP" name="ftp" psh_flag="False" psh_flag_mask="False" rst_flag="False" rst_flag_mask="False" src_range_end="0" src_range_start="0" syn_flag="False" syn_flag_mask="False" urg_flag="False" urg_flag_mask="False"/>
|
||||
<TCPService ack_flag="False" ack_flag_mask="False" comment="FTP data channel. Note: FTP protocol does not really require server to use source port 20 for the data channel, but many ftp server implementations do so." dst_range_end="65535" dst_range_start="1024" fin_flag="False" fin_flag_mask="False" id="tcp-FTP_data" name="ftp data" psh_flag="False" psh_flag_mask="False" rst_flag="False" rst_flag_mask="False" src_range_end="20" src_range_start="20" syn_flag="False" syn_flag_mask="False" urg_flag="False" urg_flag_mask="False"/>
|
||||
<TCPService ack_flag="False" ack_flag_mask="False" comment="FTP data channel for passive mode transfers " dst_range_end="20" dst_range_start="20" fin_flag="False" fin_flag_mask="False" id="id3E7553BC" name="ftp data passive" psh_flag="False" psh_flag_mask="False" rst_flag="False" rst_flag_mask="False" src_range_end="0" src_range_start="0" syn_flag="False" syn_flag_mask="False" urg_flag="False" urg_flag_mask="False"/>
|
||||
<TCPService ack_flag="False" ack_flag_mask="False" comment="" dst_range_end="80" dst_range_start="80" fin_flag="False" fin_flag_mask="False" id="tcp-HTTP" name="http" psh_flag="False" psh_flag_mask="False" rst_flag="False" rst_flag_mask="False" src_range_end="0" src_range_start="0" syn_flag="False" syn_flag_mask="False" urg_flag="False" urg_flag_mask="False"/>
|
||||
<TCPService ack_flag="False" ack_flag_mask="False" comment="" dst_range_end="443" dst_range_start="443" fin_flag="False" fin_flag_mask="False" id="id3B4FED69" name="https" psh_flag="False" psh_flag_mask="False" rst_flag="False" rst_flag_mask="False" src_range_end="0" src_range_start="0" syn_flag="False" syn_flag_mask="False" urg_flag="False" urg_flag_mask="False"/>
|
||||
<TCPService ack_flag="False" ack_flag_mask="False" comment="" dst_range_end="143" dst_range_start="143" fin_flag="False" fin_flag_mask="False" id="id3AECF776" name="imap" psh_flag="False" psh_flag_mask="False" rst_flag="False" rst_flag_mask="False" src_range_end="0" src_range_start="0" syn_flag="False" syn_flag_mask="False" urg_flag="False" urg_flag_mask="False"/>
|
||||
<TCPService ack_flag="False" ack_flag_mask="False" comment="" dst_range_end="993" dst_range_start="993" fin_flag="False" fin_flag_mask="False" id="id3B4FED9F" name="imaps" psh_flag="False" psh_flag_mask="False" rst_flag="False" rst_flag_mask="False" src_range_end="0" src_range_start="0" syn_flag="False" syn_flag_mask="False" urg_flag="False" urg_flag_mask="False"/>
|
||||
<TCPService ack_flag="False" ack_flag_mask="False" comment="" dst_range_end="6667" dst_range_start="6667" fin_flag="False" fin_flag_mask="False" id="id3B4FF13C" name="irc" psh_flag="False" psh_flag_mask="False" rst_flag="False" rst_flag_mask="False" src_range_end="0" src_range_start="0" syn_flag="False" syn_flag_mask="False" urg_flag="False" urg_flag_mask="False"/>
|
||||
<TCPService ack_flag="False" ack_flag_mask="False" comment="" dst_range_end="88" dst_range_start="88" fin_flag="False" fin_flag_mask="False" id="id3E7E3EA2" name="kerberos" psh_flag="False" psh_flag_mask="False" rst_flag="False" rst_flag_mask="False" src_range_end="0" src_range_start="0" syn_flag="False" syn_flag_mask="False" urg_flag="False" urg_flag_mask="False"/>
|
||||
<TCPService ack_flag="False" ack_flag_mask="False" comment="" dst_range_end="543" dst_range_start="543" fin_flag="False" fin_flag_mask="False" id="id3B4FEE21" name="klogin" psh_flag="False" psh_flag_mask="False" rst_flag="False" rst_flag_mask="False" src_range_end="0" src_range_start="0" syn_flag="False" syn_flag_mask="False" urg_flag="False" urg_flag_mask="False"/>
|
||||
<TCPService ack_flag="False" ack_flag_mask="False" comment="" dst_range_end="544" dst_range_start="544" fin_flag="False" fin_flag_mask="False" id="id3B4FEE23" name="ksh" psh_flag="False" psh_flag_mask="False" rst_flag="False" rst_flag_mask="False" src_range_end="0" src_range_start="0" syn_flag="False" syn_flag_mask="False" urg_flag="False" urg_flag_mask="False"/>
|
||||
<TCPService ack_flag="False" ack_flag_mask="False" comment="" dst_range_end="389" dst_range_start="389" fin_flag="False" fin_flag_mask="False" id="id3AECF778" name="ldap" psh_flag="False" psh_flag_mask="False" rst_flag="False" rst_flag_mask="False" src_range_end="0" src_range_start="0" syn_flag="False" syn_flag_mask="False" urg_flag="False" urg_flag_mask="False"/>
|
||||
<TCPService ack_flag="False" ack_flag_mask="False" comment="Lightweight Directory Access Protocol over TLS/SSL" dst_range_end="636" dst_range_start="636" fin_flag="False" fin_flag_mask="False" id="id3D703C90" name="ldaps" psh_flag="False" psh_flag_mask="False" rst_flag="False" rst_flag_mask="False" src_range_end="0" src_range_start="0" syn_flag="False" syn_flag_mask="False" urg_flag="False" urg_flag_mask="False"/>
|
||||
<TCPService ack_flag="False" ack_flag_mask="False" comment="" dst_range_end="98" dst_range_start="98" fin_flag="False" fin_flag_mask="False" id="id3B4FF000" name="linuxconf" psh_flag="False" psh_flag_mask="False" rst_flag="False" rst_flag_mask="False" src_range_end="0" src_range_start="0" syn_flag="False" syn_flag_mask="False" urg_flag="False" urg_flag_mask="False"/>
|
||||
<TCPService ack_flag="False" ack_flag_mask="False" comment="" dst_range_end="515" dst_range_start="515" fin_flag="False" fin_flag_mask="False" id="id3D703C97" name="lpr" psh_flag="False" psh_flag_mask="False" rst_flag="False" rst_flag_mask="False" src_range_end="0" src_range_start="0" syn_flag="False" syn_flag_mask="False" urg_flag="False" urg_flag_mask="False"/>
|
||||
<TCPService ack_flag="False" ack_flag_mask="False" comment="" dst_range_end="135" dst_range_start="135" fin_flag="False" fin_flag_mask="False" id="id3DC8C8BB" name="microsoft-rpc" psh_flag="False" psh_flag_mask="False" rst_flag="False" rst_flag_mask="False" src_range_end="0" src_range_start="0" syn_flag="False" syn_flag_mask="False" urg_flag="False" urg_flag_mask="False"/>
|
||||
<TCPService ack_flag="False" ack_flag_mask="False" comment="Microsoft SQL Server" dst_range_end="1433" dst_range_start="1433" fin_flag="False" fin_flag_mask="False" id="id3D703C98" name="ms-sql" psh_flag="False" psh_flag_mask="False" rst_flag="False" rst_flag_mask="False" src_range_end="0" src_range_start="0" syn_flag="False" syn_flag_mask="False" urg_flag="False" urg_flag_mask="False"/>
|
||||
<TCPService ack_flag="False" ack_flag_mask="False" comment="" dst_range_end="3306" dst_range_start="3306" fin_flag="False" fin_flag_mask="False" id="id3B4FEEEE" name="mysql" psh_flag="False" psh_flag_mask="False" rst_flag="False" rst_flag_mask="False" src_range_end="0" src_range_start="0" syn_flag="False" syn_flag_mask="False" urg_flag="False" urg_flag_mask="False"/>
|
||||
<TCPService ack_flag="False" ack_flag_mask="False" comment="" dst_range_end="139" dst_range_start="139" fin_flag="False" fin_flag_mask="False" id="id3E755609" name="netbios-ssn" psh_flag="False" psh_flag_mask="False" rst_flag="False" rst_flag_mask="False" src_range_end="0" src_range_start="0" syn_flag="False" syn_flag_mask="False" urg_flag="False" urg_flag_mask="False"/>
|
||||
<TCPService ack_flag="False" ack_flag_mask="False" comment="" dst_range_end="2049" dst_range_start="2049" fin_flag="False" fin_flag_mask="False" id="id3B4FEE7A" name="nfs" psh_flag="False" psh_flag_mask="False" rst_flag="False" rst_flag_mask="False" src_range_end="0" src_range_start="0" syn_flag="False" syn_flag_mask="False" urg_flag="False" urg_flag_mask="False"/>
|
||||
<TCPService ack_flag="False" ack_flag_mask="False" comment="" dst_range_end="119" dst_range_start="119" fin_flag="False" fin_flag_mask="False" id="tcp-NNTP" name="nntp" psh_flag="False" psh_flag_mask="False" rst_flag="False" rst_flag_mask="False" src_range_end="0" src_range_start="0" syn_flag="False" syn_flag_mask="False" urg_flag="False" urg_flag_mask="False"/>
|
||||
<TCPService ack_flag="False" ack_flag_mask="False" comment="NNTP over SSL" dst_range_end="563" dst_range_start="563" fin_flag="False" fin_flag_mask="False" id="id3E7553BB" name="nntps" psh_flag="False" psh_flag_mask="False" rst_flag="False" rst_flag_mask="False" src_range_end="0" src_range_start="0" syn_flag="False" syn_flag_mask="False" urg_flag="False" urg_flag_mask="False"/>
|
||||
<TCPService ack_flag="False" ack_flag_mask="False" comment="" dst_range_end="110" dst_range_start="110" fin_flag="False" fin_flag_mask="False" id="id3B4FEE1D" name="pop3" psh_flag="False" psh_flag_mask="False" rst_flag="False" rst_flag_mask="False" src_range_end="0" src_range_start="0" syn_flag="False" syn_flag_mask="False" urg_flag="False" urg_flag_mask="False"/>
|
||||
<TCPService ack_flag="False" ack_flag_mask="False" comment="POP-3 over SSL" dst_range_end="995" dst_range_start="995" fin_flag="False" fin_flag_mask="False" id="id3E7553BA" name="pop3s" psh_flag="False" psh_flag_mask="False" rst_flag="False" rst_flag_mask="False" src_range_end="0" src_range_start="0" syn_flag="False" syn_flag_mask="False" urg_flag="False" urg_flag_mask="False"/>
|
||||
<TCPService ack_flag="False" ack_flag_mask="False" comment="" dst_range_end="5432" dst_range_start="5432" fin_flag="False" fin_flag_mask="False" id="id3B4FF0EA" name="postgres" psh_flag="False" psh_flag_mask="False" rst_flag="False" rst_flag_mask="False" src_range_end="0" src_range_start="0" syn_flag="False" syn_flag_mask="False" urg_flag="False" urg_flag_mask="False"/>
|
||||
<TCPService ack_flag="False" ack_flag_mask="False" comment="" dst_range_end="515" dst_range_start="515" fin_flag="False" fin_flag_mask="False" id="id3AECF782" name="printer" psh_flag="False" psh_flag_mask="False" rst_flag="False" rst_flag_mask="False" src_range_end="0" src_range_start="0" syn_flag="False" syn_flag_mask="False" urg_flag="False" urg_flag_mask="False"/>
|
||||
<TCPService ack_flag="False" ack_flag_mask="False" comment="" dst_range_end="26000" dst_range_start="26000" fin_flag="False" fin_flag_mask="False" id="id3B4FEF7C" name="quake" psh_flag="False" psh_flag_mask="False" rst_flag="False" rst_flag_mask="False" src_range_end="0" src_range_start="0" syn_flag="False" syn_flag_mask="False" urg_flag="False" urg_flag_mask="False"/>
|
||||
<TCPService ack_flag="False" ack_flag_mask="False" comment="" dst_range_end="512" dst_range_start="512" fin_flag="False" fin_flag_mask="False" id="id3AECF77A" name="rexec" psh_flag="False" psh_flag_mask="False" rst_flag="False" rst_flag_mask="False" src_range_end="0" src_range_start="0" syn_flag="False" syn_flag_mask="False" urg_flag="False" urg_flag_mask="False"/>
|
||||
<TCPService ack_flag="False" ack_flag_mask="False" comment="" dst_range_end="513" dst_range_start="513" fin_flag="False" fin_flag_mask="False" id="id3AECF77C" name="rlogin" psh_flag="False" psh_flag_mask="False" rst_flag="False" rst_flag_mask="False" src_range_end="0" src_range_start="0" syn_flag="False" syn_flag_mask="False" urg_flag="False" urg_flag_mask="False"/>
|
||||
<TCPService ack_flag="False" ack_flag_mask="False" comment="" dst_range_end="514" dst_range_start="514" fin_flag="False" fin_flag_mask="False" id="id3AECF77E" name="rshell" psh_flag="False" psh_flag_mask="False" rst_flag="False" rst_flag_mask="False" src_range_end="0" src_range_start="0" syn_flag="False" syn_flag_mask="False" urg_flag="False" urg_flag_mask="False"/>
|
||||
<TCPService ack_flag="False" ack_flag_mask="False" comment="Real Time Streaming Protocol" dst_range_end="554" dst_range_start="554" fin_flag="False" fin_flag_mask="False" id="id3D703C99" name="rtsp" psh_flag="False" psh_flag_mask="False" rst_flag="False" rst_flag_mask="False" src_range_end="0" src_range_start="0" syn_flag="False" syn_flag_mask="False" urg_flag="False" urg_flag_mask="False"/>
|
||||
<TCPService ack_flag="False" ack_flag_mask="False" comment="" dst_range_end="4321" dst_range_start="4321" fin_flag="False" fin_flag_mask="False" id="id3B4FEF34" name="rwhois" psh_flag="False" psh_flag_mask="False" rst_flag="False" rst_flag_mask="False" src_range_end="0" src_range_start="0" syn_flag="False" syn_flag_mask="False" urg_flag="False" urg_flag_mask="False"/>
|
||||
<TCPService ack_flag="False" ack_flag_mask="False" comment="" dst_range_end="5510" dst_range_start="5510" fin_flag="False" fin_flag_mask="False" id="id3D703C89" name="securidprop" psh_flag="False" psh_flag_mask="False" rst_flag="False" rst_flag_mask="False" src_range_end="0" src_range_start="0" syn_flag="False" syn_flag_mask="False" urg_flag="False" urg_flag_mask="False"/>
|
||||
<TCPService ack_flag="False" ack_flag_mask="False" comment="" dst_range_end="25" dst_range_start="25" fin_flag="False" fin_flag_mask="False" id="tcp-SMTP" name="smtp" psh_flag="False" psh_flag_mask="False" rst_flag="False" rst_flag_mask="False" src_range_end="0" src_range_start="0" syn_flag="False" syn_flag_mask="False" urg_flag="False" urg_flag_mask="False"/>
|
||||
<TCPService ack_flag="False" ack_flag_mask="False" comment="" dst_range_end="465" dst_range_start="465" fin_flag="False" fin_flag_mask="False" id="id3B4FF04C" name="smtps" psh_flag="False" psh_flag_mask="False" rst_flag="False" rst_flag_mask="False" src_range_end="0" src_range_start="0" syn_flag="False" syn_flag_mask="False" urg_flag="False" urg_flag_mask="False"/>
|
||||
<TCPService ack_flag="False" ack_flag_mask="False" comment="" dst_range_end="1080" dst_range_start="1080" fin_flag="False" fin_flag_mask="False" id="id3B4FEE76" name="socks" psh_flag="False" psh_flag_mask="False" rst_flag="False" rst_flag_mask="False" src_range_end="0" src_range_start="0" syn_flag="False" syn_flag_mask="False" urg_flag="False" urg_flag_mask="False"/>
|
||||
<TCPService ack_flag="False" ack_flag_mask="False" comment="" dst_range_end="1521" dst_range_start="1521" fin_flag="False" fin_flag_mask="False" id="id3D703C87" name="sqlnet1" psh_flag="False" psh_flag_mask="False" rst_flag="False" rst_flag_mask="False" src_range_end="0" src_range_start="0" syn_flag="False" syn_flag_mask="False" urg_flag="False" urg_flag_mask="False"/>
|
||||
<TCPService ack_flag="False" ack_flag_mask="False" comment="" dst_range_end="3128" dst_range_start="3128" fin_flag="False" fin_flag_mask="False" id="id3B4FF09A" name="squid" psh_flag="False" psh_flag_mask="False" rst_flag="False" rst_flag_mask="False" src_range_end="0" src_range_start="0" syn_flag="False" syn_flag_mask="False" urg_flag="False" urg_flag_mask="False"/>
|
||||
<TCPService ack_flag="False" ack_flag_mask="False" comment="" dst_range_end="22" dst_range_start="22" fin_flag="False" fin_flag_mask="False" id="tcp-SSH" name="ssh" psh_flag="False" psh_flag_mask="False" rst_flag="False" rst_flag_mask="False" src_range_end="0" src_range_start="0" syn_flag="False" syn_flag_mask="False" urg_flag="False" urg_flag_mask="False"/>
|
||||
<TCPService ack_flag="False" ack_flag_mask="False" comment="" dst_range_end="111" dst_range_start="111" fin_flag="False" fin_flag_mask="False" id="id3AEDBE00" name="sunrpc" psh_flag="False" psh_flag_mask="False" rst_flag="False" rst_flag_mask="False" src_range_end="0" src_range_start="0" syn_flag="False" syn_flag_mask="False" urg_flag="False" urg_flag_mask="False"/>
|
||||
<TCPService ack_flag="False" ack_flag_mask="True" comment="" dst_range_end="0" dst_range_start="0" fin_flag="False" fin_flag_mask="True" id="tcp-TCP-SYN" name="tcp-syn" psh_flag="False" psh_flag_mask="True" rst_flag="False" rst_flag_mask="True" src_range_end="0" src_range_start="0" syn_flag="True" syn_flag_mask="True" urg_flag="False" urg_flag_mask="True"/>
|
||||
<TCPService ack_flag="False" ack_flag_mask="False" comment="" dst_range_end="23" dst_range_start="23" fin_flag="False" fin_flag_mask="False" id="tcp-Telnet" name="telnet" psh_flag="False" psh_flag_mask="False" rst_flag="False" rst_flag_mask="False" src_range_end="0" src_range_start="0" syn_flag="False" syn_flag_mask="False" urg_flag="False" urg_flag_mask="False"/>
|
||||
<TCPService ack_flag="False" ack_flag_mask="False" comment="" dst_range_end="540" dst_range_start="540" fin_flag="False" fin_flag_mask="False" id="tcp-uucp" name="uucp" psh_flag="False" psh_flag_mask="False" rst_flag="False" rst_flag_mask="False" src_range_end="0" src_range_start="0" syn_flag="False" syn_flag_mask="False" urg_flag="False" urg_flag_mask="False"/>
|
||||
<TCPService ack_flag="False" ack_flag_mask="False" comment="Windows Terminal Services" dst_range_end="3389" dst_range_start="3389" fin_flag="False" fin_flag_mask="False" id="id3CB131C6" name="winterm" psh_flag="False" psh_flag_mask="False" rst_flag="False" rst_flag_mask="False" src_range_end="0" src_range_start="0" syn_flag="False" syn_flag_mask="False" urg_flag="False" urg_flag_mask="False"/>
|
||||
<TCPService ack_flag="False" ack_flag_mask="False" comment="" dst_range_end="7100" dst_range_start="7100" fin_flag="False" fin_flag_mask="False" id="id3B4FF1B8" name="xfs" psh_flag="False" psh_flag_mask="False" rst_flag="False" rst_flag_mask="False" src_range_end="0" src_range_start="0" syn_flag="False" syn_flag_mask="False" urg_flag="False" urg_flag_mask="False"/>
|
||||
<TCPService ack_flag="True" ack_flag_mask="True" comment="This service object matches TCP packet with all six flags set." dst_range_end="0" dst_range_start="0" fin_flag="True" fin_flag_mask="True" id="id3C685B2B" name="xmas scan - full" psh_flag="True" psh_flag_mask="True" rst_flag="True" rst_flag_mask="True" src_range_end="0" src_range_start="0" syn_flag="True" syn_flag_mask="True" urg_flag="True" urg_flag_mask="True"/>
|
||||
<TCPService ack_flag="False" ack_flag_mask="True" comment="This service object matches TCP packet with flags FIN, PSH and URG set and other flags cleared. This is a "christmas scan" as defined in snort rules. Nmap can generate this scan, too." dst_range_end="0" dst_range_start="0" fin_flag="True" fin_flag_mask="True" id="id4127E949" name="xmas scan" psh_flag="True" psh_flag_mask="True" rst_flag="False" rst_flag_mask="True" src_range_end="0" src_range_start="0" syn_flag="False" syn_flag_mask="True" urg_flag="True" urg_flag_mask="True"/>
|
||||
<TCPService ack_flag="False" ack_flag_mask="False" comment="" dst_range_end="873" dst_range_start="873" fin_flag="False" fin_flag_mask="False" id="id4127EA72" name="rsync" psh_flag="False" psh_flag_mask="False" rst_flag="False" rst_flag_mask="False" src_range_end="0" src_range_start="0" syn_flag="False" syn_flag_mask="False" urg_flag="False" urg_flag_mask="False"/>
|
||||
<TCPService ack_flag="False" ack_flag_mask="False" comment="distributed compiler" dst_range_end="3632" dst_range_start="3632" fin_flag="False" fin_flag_mask="False" id="id4127EBAC" name="distcc" psh_flag="False" psh_flag_mask="False" rst_flag="False" rst_flag_mask="False" src_range_end="0" src_range_start="0" syn_flag="False" syn_flag_mask="False" urg_flag="False" urg_flag_mask="False"/>
|
||||
<TCPService ack_flag="False" ack_flag_mask="False" comment="CVS client/server operations" dst_range_end="2401" dst_range_start="2401" fin_flag="False" fin_flag_mask="False" id="id4127ECF1" name="cvspserver" psh_flag="False" psh_flag_mask="False" rst_flag="False" rst_flag_mask="False" src_range_end="0" src_range_start="0" syn_flag="False" syn_flag_mask="False" urg_flag="False" urg_flag_mask="False"/>
|
||||
<TCPService ack_flag="False" ack_flag_mask="False" comment="CVSup file transfer/John Polstra/FreeBSD" dst_range_end="5999" dst_range_start="5999" fin_flag="False" fin_flag_mask="False" id="id4127ECF2" name="cvsup" psh_flag="False" psh_flag_mask="False" rst_flag="False" rst_flag_mask="False" src_range_end="0" src_range_start="0" syn_flag="False" syn_flag_mask="False" urg_flag="False" urg_flag_mask="False"/>
|
||||
<TCPService ack_flag="False" ack_flag_mask="False" comment="AFP (Apple file sharing) over TCP" dst_range_end="548" dst_range_start="548" fin_flag="False" fin_flag_mask="False" id="id4127ED5E" name="afp" psh_flag="False" psh_flag_mask="False" rst_flag="False" rst_flag_mask="False" src_range_end="0" src_range_start="0" syn_flag="False" syn_flag_mask="False" urg_flag="False" urg_flag_mask="False"/>
|
||||
<TCPService ack_flag="False" ack_flag_mask="False" comment="" dst_range_end="43" dst_range_start="43" fin_flag="False" fin_flag_mask="False" id="id4127EDF6" name="whois" psh_flag="False" psh_flag_mask="False" rst_flag="False" rst_flag_mask="False" src_range_end="0" src_range_start="0" syn_flag="False" syn_flag_mask="False" urg_flag="False" urg_flag_mask="False"/>
|
||||
<TCPService ack_flag="False" ack_flag_mask="False" comment="" dst_range_end="179" dst_range_start="179" fin_flag="False" fin_flag_mask="False" id="id4127F04F" name="bgp" psh_flag="False" psh_flag_mask="False" rst_flag="False" rst_flag_mask="False" src_range_end="0" src_range_start="0" syn_flag="False" syn_flag_mask="False" urg_flag="False" urg_flag_mask="False"/>
|
||||
<TCPService ack_flag="False" ack_flag_mask="False" comment="Radius protocol" dst_range_end="1812" dst_range_start="1812" fin_flag="False" fin_flag_mask="False" id="id4127F146" name="radius" psh_flag="False" psh_flag_mask="False" rst_flag="False" rst_flag_mask="False" src_range_end="0" src_range_start="0" syn_flag="False" syn_flag_mask="False" urg_flag="False" urg_flag_mask="False"/>
|
||||
<TCPService ack_flag="False" ack_flag_mask="False" comment="Radius Accounting" dst_range_end="1813" dst_range_start="1813" fin_flag="False" fin_flag_mask="False" id="id4127F147" name="radius acct" psh_flag="False" psh_flag_mask="False" rst_flag="False" rst_flag_mask="False" src_range_end="0" src_range_start="0" syn_flag="False" syn_flag_mask="False" urg_flag="False" urg_flag_mask="False"/>
|
||||
<TCPService ack_flag="False" ack_flag_mask="False" comment="" dst_range_end="5000" dst_range_start="5000" fin_flag="False" fin_flag_mask="False" id="id41291784" name="upnp" psh_flag="False" psh_flag_mask="False" rst_flag="False" rst_flag_mask="False" src_range_end="0" src_range_start="0" syn_flag="False" syn_flag_mask="False" urg_flag="False" urg_flag_mask="False"/>
|
||||
<TCPService ack_flag="False" ack_flag_mask="False" comment="Although UPnP specification say it should use TCP port 5000, Linksys running Sveasoft firmware listens on port 5431" dst_range_end="5431" dst_range_start="5431" fin_flag="False" fin_flag_mask="False" id="id41291785" name="upnp-5431" psh_flag="False" psh_flag_mask="False" rst_flag="False" rst_flag_mask="False" src_range_end="0" src_range_start="0" syn_flag="False" syn_flag_mask="False" urg_flag="False" urg_flag_mask="False"/>
|
||||
<TCPService ack_flag="False" ack_flag_mask="False" comment="Java VNC viewer, display 0" dst_range_end="5800" dst_range_start="5800" fin_flag="False" fin_flag_mask="False" id="id41291787" name="vnc-java-0" psh_flag="False" psh_flag_mask="False" rst_flag="False" rst_flag_mask="False" src_range_end="0" src_range_start="0" syn_flag="False" syn_flag_mask="False" urg_flag="False" urg_flag_mask="False"/>
|
||||
<TCPService ack_flag="False" ack_flag_mask="False" comment="Regular VNC viewer, display 0" dst_range_end="5900" dst_range_start="5900" fin_flag="False" fin_flag_mask="False" id="id41291788" name="vnc-0" psh_flag="False" psh_flag_mask="False" rst_flag="False" rst_flag_mask="False" src_range_end="0" src_range_start="0" syn_flag="False" syn_flag_mask="False" urg_flag="False" urg_flag_mask="False"/>
|
||||
<TCPService ack_flag="False" ack_flag_mask="False" comment="Java VNC viewer, display 1" dst_range_end="5801" dst_range_start="5801" fin_flag="False" fin_flag_mask="False" id="id41291887" name="vnc-java-1" psh_flag="False" psh_flag_mask="False" rst_flag="False" rst_flag_mask="False" src_range_end="0" src_range_start="0" syn_flag="False" syn_flag_mask="False" urg_flag="False" urg_flag_mask="False"/>
|
||||
<TCPService ack_flag="False" ack_flag_mask="False" comment="Regular VNC viewer, display 1" dst_range_end="5901" dst_range_start="5901" fin_flag="False" fin_flag_mask="False" id="id41291888" name="vnc-1" psh_flag="False" psh_flag_mask="False" rst_flag="False" rst_flag_mask="False" src_range_end="0" src_range_start="0" syn_flag="False" syn_flag_mask="False" urg_flag="False" urg_flag_mask="False"/>
|
||||
<TCPService ack_flag="False" ack_flag_mask="False" comment="Some firewall platforms can match TCP packets with flags ACK or RST set; the option is usually called "established". Note that you can use this object only in the policy rules of the firewall that supports this option. If you need to match reply packets for a specific TCP service and wish to use option "established", make a copy of this object and set source port range to match the service. " dst_range_end="0" dst_range_start="0" established="True" fin_flag="False" fin_flag_mask="False" id="id463FE5FE11008" name="All TCP established" psh_flag="False" psh_flag_mask="False" rst_flag="False" rst_flag_mask="False" src_range_end="0" src_range_start="0" syn_flag="False" syn_flag_mask="False" urg_flag="False" urg_flag_mask="False"/>
|
||||
</ServiceGroup>
|
||||
<ServiceGroup id="stdid08" name="UDP">
|
||||
<UDPService comment="ipchains used to use this port range for masqueraded packets" dst_range_end="0" dst_range_start="0" id="udp-ALL_UDP_Masqueraded" name="ALL UDP Masqueraded" src_range_end="65095" src_range_start="61000"/>
|
||||
<UDPService comment="" dst_range_end="0" dst_range_start="0" id="udp-All_UDP" name="All UDP" src_range_end="0" src_range_start="0"/>
|
||||
<UDPService comment="" dst_range_end="4000" dst_range_start="4000" id="id3D703C96" name="ICQ" src_range_end="0" src_range_start="0"/>
|
||||
<UDPService comment="" dst_range_end="500" dst_range_start="500" id="id3CB129D2" name="IKE" src_range_end="0" src_range_start="0"/>
|
||||
<UDPService comment="status channel for PCAnywhere v7.52 and later" dst_range_end="5632" dst_range_start="5632" id="id3CB131CA" name="PCAnywhere-status" src_range_end="0" src_range_start="0"/>
|
||||
<UDPService comment="routing protocol RIP" dst_range_end="520" dst_range_start="520" id="id3AED0D6B" name="RIP" src_range_end="0" src_range_start="0"/>
|
||||
<UDPService comment="" dst_range_end="1645" dst_range_start="1645" id="id3D703C8C" name="Radius" src_range_end="0" src_range_start="0"/>
|
||||
<UDPService comment="" dst_range_end="65535" dst_range_start="1024" id="id3D703C85" name="UDP high ports" src_range_end="0" src_range_start="0"/>
|
||||
<UDPService comment="" dst_range_end="513" dst_range_start="513" id="id3D703C86" name="Who" src_range_end="0" src_range_start="0"/>
|
||||
<UDPService comment="" dst_range_end="7009" dst_range_start="7000" id="id3B4FEDA1" name="afs" src_range_end="0" src_range_start="0"/>
|
||||
<UDPService comment="" dst_range_end="68" dst_range_start="68" id="udp-bootpc" name="bootpc" src_range_end="0" src_range_start="0"/>
|
||||
<UDPService comment="" dst_range_end="67" dst_range_start="67" id="udp-bootps" name="bootps" src_range_end="0" src_range_start="0"/>
|
||||
<UDPService comment="" dst_range_end="13" dst_range_start="13" id="id3AEDBE70" name="daytime" src_range_end="0" src_range_start="0"/>
|
||||
<UDPService comment="" dst_range_end="53" dst_range_start="53" id="udp-DNS" name="domain" src_range_end="0" src_range_start="0"/>
|
||||
<UDPService comment="VocalTec Internet Phone" dst_range_end="22555" dst_range_start="22555" id="id3D703C8A" name="interphone" src_range_end="0" src_range_start="0"/>
|
||||
<UDPService comment="" dst_range_end="88" dst_range_start="88" id="id3B4FEDA5" name="kerberos" src_range_end="0" src_range_start="0"/>
|
||||
<UDPService comment="" dst_range_end="750" dst_range_start="749" id="id3B4FEDA9" name="kerberos-adm" src_range_end="0" src_range_start="0"/>
|
||||
<UDPService comment="" dst_range_end="464" dst_range_start="464" id="id3B4FEDA7" name="kpasswd" src_range_end="0" src_range_start="0"/>
|
||||
<UDPService comment="" dst_range_end="4444" dst_range_start="4444" id="id3B4FEDAB" name="krb524" src_range_end="0" src_range_start="0"/>
|
||||
<UDPService comment="" dst_range_end="135" dst_range_start="135" id="id3F865B0D" name="microsoft-rpc" src_range_end="0" src_range_start="0"/>
|
||||
<UDPService comment="" dst_range_end="138" dst_range_start="138" id="udp-netbios-dgm" name="netbios-dgm" src_range_end="0" src_range_start="0"/>
|
||||
<UDPService comment="" dst_range_end="137" dst_range_start="137" id="udp-netbios-ns" name="netbios-ns" src_range_end="0" src_range_start="0"/>
|
||||
<UDPService comment="" dst_range_end="139" dst_range_start="139" id="udp-netbios-ssn" name="netbios-ssn" src_range_end="0" src_range_start="0"/>
|
||||
<UDPService comment="" dst_range_end="2049" dst_range_start="2049" id="id3B4FEE78" name="nfs" src_range_end="0" src_range_start="0"/>
|
||||
<UDPService comment="" dst_range_end="123" dst_range_start="123" id="udp-ntp" name="ntp" src_range_end="0" src_range_start="0"/>
|
||||
<UDPService comment="" dst_range_end="26000" dst_range_start="26000" id="id3B4FEF7E" name="quake" src_range_end="0" src_range_start="0"/>
|
||||
<UDPService comment="" dst_range_end="1024" dst_range_start="1024" id="id3D703C88" name="secureid-udp" src_range_end="0" src_range_start="0"/>
|
||||
<UDPService comment="" dst_range_end="161" dst_range_start="161" id="udp-SNMP" name="snmp" src_range_end="0" src_range_start="0"/>
|
||||
<UDPService comment="" dst_range_end="162" dst_range_start="162" id="id3AED0D69" name="snmp-trap" src_range_end="0" src_range_start="0"/>
|
||||
<UDPService comment="" dst_range_end="111" dst_range_start="111" id="id3AEDBE19" name="sunrpc" src_range_end="0" src_range_start="0"/>
|
||||
<UDPService comment="" dst_range_end="514" dst_range_start="514" id="id3AECF780" name="syslog" src_range_end="0" src_range_start="0"/>
|
||||
<UDPService comment="" dst_range_end="69" dst_range_start="69" id="id3AED0D67" name="tftp" src_range_end="0" src_range_start="0"/>
|
||||
<UDPService comment="" dst_range_end="33524" dst_range_start="33434" id="id3AED0D8C" name="traceroute" src_range_end="0" src_range_start="0"/>
|
||||
<UDPService comment="" dst_range_end="873" dst_range_start="873" id="id4127EA73" name="rsync" src_range_end="0" src_range_start="0"/>
|
||||
<UDPService comment="Simple Service Discovery Protocol (used for UPnP)" dst_range_end="1900" dst_range_start="1900" id="id41291783" name="SSDP" src_range_end="0" src_range_start="0"/>
|
||||
<UDPService comment="" dst_range_end="1194" dst_range_start="1194" id="id41291883" name="OpenVPN" src_range_end="0" src_range_start="0"/>
|
||||
</ServiceGroup>
|
||||
<ServiceGroup id="stdid13" name="Custom">
|
||||
<CustomService comment="works in iptables and requires patch-o-matic. For more information look for patch-o-matic on http://www.netfilter.org/" id="id3B64EEA8" name="rpc">
|
||||
<CustomServiceCommand platform="Undefined"></CustomServiceCommand>
|
||||
<CustomServiceCommand platform="ipf"></CustomServiceCommand>
|
||||
<CustomServiceCommand platform="ipfilter"></CustomServiceCommand>
|
||||
<CustomServiceCommand platform="ipfw"></CustomServiceCommand>
|
||||
<CustomServiceCommand platform="iptables">-m record_rpc</CustomServiceCommand>
|
||||
<CustomServiceCommand platform="pf"></CustomServiceCommand>
|
||||
<CustomServiceCommand platform="pix"></CustomServiceCommand>
|
||||
<CustomServiceCommand platform="unknown"></CustomServiceCommand>
|
||||
</CustomService>
|
||||
<CustomService comment="IRC connection tracker, supports DCC. Works on iptables and requires patch-o-matic. For more information look for patch-o-matic on http://www.netfilter.org/ " id="id3B64EF4E" name="irc-conn">
|
||||
<CustomServiceCommand platform="Undefined"></CustomServiceCommand>
|
||||
<CustomServiceCommand platform="ipf"></CustomServiceCommand>
|
||||
<CustomServiceCommand platform="ipfilter"></CustomServiceCommand>
|
||||
<CustomServiceCommand platform="ipfw"></CustomServiceCommand>
|
||||
<CustomServiceCommand platform="iptables">-m irc</CustomServiceCommand>
|
||||
<CustomServiceCommand platform="pf"></CustomServiceCommand>
|
||||
<CustomServiceCommand platform="pix"></CustomServiceCommand>
|
||||
<CustomServiceCommand platform="unknown"></CustomServiceCommand>
|
||||
</CustomService>
|
||||
<CustomService comment="Port scan detector, works only on iptables and requires patch-o-matic For more information look for patch-o-matic on http://www.netfilter.org/" id="id3B64EF50" name="psd">
|
||||
<CustomServiceCommand platform="Undefined"></CustomServiceCommand>
|
||||
<CustomServiceCommand platform="ipf"></CustomServiceCommand>
|
||||
<CustomServiceCommand platform="ipfilter"></CustomServiceCommand>
|
||||
<CustomServiceCommand platform="ipfw"></CustomServiceCommand>
|
||||
<CustomServiceCommand platform="iptables">-m psd --psd-weight-threshold 5 --psd-delay-threshold 10000</CustomServiceCommand>
|
||||
<CustomServiceCommand platform="pf"></CustomServiceCommand>
|
||||
<CustomServiceCommand platform="pix"></CustomServiceCommand>
|
||||
<CustomServiceCommand platform="unknown"></CustomServiceCommand>
|
||||
</CustomService>
|
||||
<CustomService comment="Matches a string in a whole packet, works in iptables and requires patch-o-matic. For more information look for patch-o-matic on http://www.netfilter.org/" id="id3B64EF52" name="string">
|
||||
<CustomServiceCommand platform="Undefined"></CustomServiceCommand>
|
||||
<CustomServiceCommand platform="ipf"></CustomServiceCommand>
|
||||
<CustomServiceCommand platform="ipfilter"></CustomServiceCommand>
|
||||
<CustomServiceCommand platform="ipfw"></CustomServiceCommand>
|
||||
<CustomServiceCommand platform="iptables">-m string --string test_pattern</CustomServiceCommand>
|
||||
<CustomServiceCommand platform="pf"></CustomServiceCommand>
|
||||
<CustomServiceCommand platform="pix"></CustomServiceCommand>
|
||||
<CustomServiceCommand platform="unknown"></CustomServiceCommand>
|
||||
</CustomService>
|
||||
<CustomService comment="Talk protocol support. Works in iptables and requires patch-o-matic. For more information look for patch-o-matic on http://www.netfilter.org/" id="id3B64EF54" name="talk">
|
||||
<CustomServiceCommand platform="Undefined"></CustomServiceCommand>
|
||||
<CustomServiceCommand platform="ipf"></CustomServiceCommand>
|
||||
<CustomServiceCommand platform="ipfilter"></CustomServiceCommand>
|
||||
<CustomServiceCommand platform="ipfw"></CustomServiceCommand>
|
||||
<CustomServiceCommand platform="iptables">-m talk</CustomServiceCommand>
|
||||
<CustomServiceCommand platform="pf"></CustomServiceCommand>
|
||||
<CustomServiceCommand platform="pix"></CustomServiceCommand>
|
||||
<CustomServiceCommand platform="unknown"></CustomServiceCommand>
|
||||
</CustomService>
|
||||
</ServiceGroup>
|
||||
<ServiceGroup id="stdid19" name="TagServices"/>
|
||||
</ServiceGroup>
|
||||
<ObjectGroup id="stdid12" name="Firewalls"/>
|
||||
<IntervalGroup id="stdid11" name="Time">
|
||||
<Interval comment="any day, 9:00am through 5:00pm" from_day="-1" from_hour="9" from_minute="0" from_month="-1" from_weekday="1" from_year="-1" id="int-workhours" name="workhours" to_day="-1" to_hour="17" to_minute="0" to_month="-1" to_weekday="5" to_year="-1"/>
|
||||
<Interval comment="weekends: Saturday 0:00 through Sunday 23:59 " from_day="-1" from_hour="0" from_minute="0" from_month="-1" from_weekday="6" from_year="-1" id="int-weekends" name="weekends" to_day="-1" to_hour="23" to_minute="59" to_month="-1" to_weekday="0" to_year="-1"/>
|
||||
<Interval comment="any day 6:00pm - 12:00am" from_day="-1" from_hour="18" from_minute="0" from_month="-1" from_weekday="-1" from_year="-1" id="int-afterhours" name="afterhours" to_day="-1" to_hour="23" to_minute="59" to_month="-1" to_weekday="-1" to_year="-1"/>
|
||||
<Interval comment="" from_day="-1" from_hour="0" from_minute="0" from_month="-1" from_weekday="6" from_year="-1" id="id3C63479C" name="Sat" to_day="-1" to_hour="23" to_minute="59" to_month="-1" to_weekday="6" to_year="-1"/>
|
||||
<Interval comment="" from_day="-1" from_hour="0" from_minute="0" from_month="-1" from_weekday="0" from_year="-1" id="id3C63479E" name="Sun" to_day="-1" to_hour="23" to_minute="59" to_month="-1" to_weekday="0" to_year="-1"/>
|
||||
</IntervalGroup>
|
||||
<FWObjectDatabase xmlns="http://www.fwbuilder.org/1.0/" version="10" lastModified="1215463063" id="root">
|
||||
<Library id="sysid99" name="Deleted Objects" ro="False">
|
||||
<ICMP6Service id="idE0C27650" name="ipv6 dest unreachable" comment="No route to destination" code="0" type="1"/>
|
||||
<Interface id="id4699503D32343" name="Null0" bridgeport="False" dyn="False" label="" security_level="100" unnum="False" unprotected="False">
|
||||
<IPv4 id="id4699503E32343" name="c36xx:Null0:ip" address="0.0.0.0" netmask="255.255.255.255"/>
|
||||
</Interface>
|
||||
</Library>
|
||||
<Library color="#ffb4b4" comment="Template objects that can be used to generate typical firewall configurations" id="syslib100" name="Firewall Templates" ro="True">
|
||||
<Library id="syslib100" name="Firewall Templates" comment="Template objects that can be used to generate typical firewall configurations" color="#ffb4b4" ro="True">
|
||||
<ObjectGroup id="id4070BB9B" name="Objects">
|
||||
<ObjectGroup id="id4070BB9B_og_ats_1" name="Address Tables"/>
|
||||
<ObjectGroup id="id4070BB9B_og_dnsn_1" name="DNS Names"/>
|
||||
<ObjectGroup id="id4070BB9C" name="Addresses"/>
|
||||
<ObjectGroup id="id4070BB9D" name="Groups"/>
|
||||
<ObjectGroup id="id4070BB9E" name="Hosts">
|
||||
<Host comment="This object represents a PC with a single network interface" id="id40CBF1A5" name="PC with 1 interface">
|
||||
<Interface bridgeport="False" dyn="False" id="id40CBF1A7" label="" name="eth0" security_level="0" unnum="False" unprotected="False">
|
||||
<IPv4 address="192.168.1.1" comment="" id="id40CBF1A9" name="pc:eth0:ip" netmask="255.255.255.0"/>
|
||||
<Host id="id40CBF1A5" name="PC with 1 interface" comment="This object represents a PC with a single network interface">
|
||||
<Interface id="id40CBF1A7" name="eth0" bridgeport="False" dyn="False" label="" security_level="0" unnum="False" unprotected="False">
|
||||
<IPv4 id="id40CBF1A9" name="pc:eth0:ip" address="192.168.1.1" netmask="255.255.255.0"/>
|
||||
</Interface>
|
||||
<Management address="0.0.0.0">
|
||||
<SNMPManagement enabled="False" snmp_read_community="" snmp_write_community=""/>
|
||||
@ -380,12 +27,12 @@
|
||||
<Option name="use_mac_addr_filter">False</Option>
|
||||
</HostOptions>
|
||||
</Host>
|
||||
<Host comment="This object represents a PC with two network interfaces" id="id40CBF1AC" name="PC with 2 interfaces">
|
||||
<Interface bridgeport="False" dyn="False" id="id40CBF1AE" label="" name="eth0" security_level="0" unnum="False" unprotected="False">
|
||||
<IPv4 address="192.168.1.1" comment="" id="id40CBF1B0" name="pc:eth0:ip" netmask="255.255.255.0"/>
|
||||
<Host id="id40CBF1AC" name="PC with 2 interfaces" comment="This object represents a PC with two network interfaces">
|
||||
<Interface id="id40CBF1AE" name="eth0" bridgeport="False" dyn="False" label="" security_level="0" unnum="False" unprotected="False">
|
||||
<IPv4 id="id40CBF1B0" name="pc:eth0:ip" address="192.168.1.1" netmask="255.255.255.0"/>
|
||||
</Interface>
|
||||
<Interface bridgeport="False" dyn="False" id="id40CBF1B1" label="" name="eth1" security_level="0" unnum="False" unprotected="False">
|
||||
<IPv4 address="192.168.2.1" comment="" id="id40CBF1B3" name="pc:eth1:ip" netmask="255.255.255.0"/>
|
||||
<Interface id="id40CBF1B1" name="eth1" bridgeport="False" dyn="False" label="" security_level="0" unnum="False" unprotected="False">
|
||||
<IPv4 id="id40CBF1B3" name="pc:eth1:ip" address="192.168.2.1" netmask="255.255.255.0"/>
|
||||
</Interface>
|
||||
<Management address="0.0.0.0">
|
||||
<SNMPManagement enabled="False" snmp_read_community="" snmp_write_community=""/>
|
||||
@ -396,12 +43,12 @@
|
||||
<Option name="use_mac_addr_filter">False</Option>
|
||||
</HostOptions>
|
||||
</Host>
|
||||
<Host comment="This object represents a router with two interfaces. You may need to change interface names if your router uses different naming scheme." id="id40CBF1C8" name="Router with 2 interfaces">
|
||||
<Interface bridgeport="False" comment="" dyn="False" id="id40CBF1CB" label="" name="FastEthernet 0/0" security_level="0" unnum="False" unprotected="False">
|
||||
<IPv4 address="192.168.1.1" comment="" id="id40CBF1CD" name="rtr:FE0/0:ip" netmask="255.255.255.0"/>
|
||||
<Host id="id40CBF1C8" name="Router with 2 interfaces" comment="This object represents a router with two interfaces. You may need to change interface names if your router uses different naming scheme.">
|
||||
<Interface id="id40CBF1CB" name="FastEthernet 0/0" bridgeport="False" dyn="False" label="" security_level="0" unnum="False" unprotected="False">
|
||||
<IPv4 id="id40CBF1CD" name="rtr:FE0/0:ip" address="192.168.1.1" netmask="255.255.255.0"/>
|
||||
</Interface>
|
||||
<Interface bridgeport="False" comment="" dyn="False" id="id40CBF1CE" label="" name="FastEthernet 0/1" security_level="0" unnum="False" unprotected="False">
|
||||
<IPv4 address="192.168.2.1" comment="" id="id40CBF1D0" name="rtr:FE0/1:ip" netmask="255.255.255.0"/>
|
||||
<Interface id="id40CBF1CE" name="FastEthernet 0/1" bridgeport="False" dyn="False" label="" security_level="0" unnum="False" unprotected="False">
|
||||
<IPv4 id="id40CBF1D0" name="rtr:FE0/1:ip" address="192.168.2.1" netmask="255.255.255.0"/>
|
||||
</Interface>
|
||||
<Management address="0.0.0.0">
|
||||
<SNMPManagement enabled="False" snmp_read_community="" snmp_write_community=""/>
|
||||
@ -417,6 +64,7 @@
|
||||
<ObjectGroup id="id4070BBA0" name="Address Ranges"/>
|
||||
</ObjectGroup>
|
||||
<ServiceGroup id="id4070BBA1" name="Services">
|
||||
<ServiceGroup id="id4070BBA1_userservices" name="Users"/>
|
||||
<ServiceGroup id="id4070BBA1_og_tag_1" name="TagServices"/>
|
||||
<ServiceGroup id="id4070BBA2" name="Groups"/>
|
||||
<ServiceGroup id="id4070BBA3" name="ICMP"/>
|
||||
@ -426,9 +74,9 @@
|
||||
<ServiceGroup id="id4070BBA7" name="Custom"/>
|
||||
</ServiceGroup>
|
||||
<ObjectGroup id="id4070BBA8" name="Firewalls">
|
||||
<Firewall comment="This firewall has two interfaces. Eth0 faces outside and has a dynamic address; eth1 faces inside. Policy includes basic rules to permit unrestricted outbound access and anti-spoofing rules. Access to the firewall is permitted only from internal network and only using SSH. The firewall uses one of the machines on internal network for DNS. Internal network is configured with address 192.168.1.0/255.255.255.0" host_OS="unknown_os" id="id40708A6A" lastCompiled="0" lastInstalled="0" lastModified="0" name="fw template 1" platform="unknown" ro="False" version="">
|
||||
<NAT id="id40708A6E" name="NAT">
|
||||
<NATRule disabled="False" id="id4070BFF5" position="0">
|
||||
<Firewall id="id40708A6A" name="fw template 1" comment="This firewall has two interfaces. Eth0 faces outside and has a dynamic address; eth1 faces inside. Policy includes basic rules to permit unrestricted outbound access and anti-spoofing rules. Access to the firewall is permitted only from internal network and only using SSH. The firewall uses one of the machines on internal network for DNS. Internal network is configured with address 192.168.1.0/255.255.255.0" host_OS="unknown_os" lastCompiled="0" lastInstalled="0" lastModified="0" platform="unknown" ro="False" version="">
|
||||
<NAT id="id40708A6E" name="NAT" ipv6_rule_set="False" top_rule_set="True">
|
||||
<NATRule id="id4070BFF5" disabled="False" position="0">
|
||||
<OSrc neg="False">
|
||||
<ObjectRef ref="id3DC75CE7-1"/>
|
||||
</OSrc>
|
||||
@ -450,8 +98,8 @@
|
||||
<NATRuleOptions/>
|
||||
</NATRule>
|
||||
</NAT>
|
||||
<Policy id="id40708A6D" name="Policy">
|
||||
<PolicyRule action="Deny" comment="anti spoofing rule" direction="Inbound" disabled="False" id="id4070BFE9" log="True" position="0">
|
||||
<Policy id="id40708A6D" name="Policy" ipv6_rule_set="False" top_rule_set="True">
|
||||
<PolicyRule id="id4070BFE9" comment="anti spoofing rule" action="Deny" direction="Inbound" disabled="False" log="True" position="0">
|
||||
<Src neg="False">
|
||||
<ObjectRef ref="id40708A6A"/>
|
||||
<ObjectRef ref="id3DC75CE7-1"/>
|
||||
@ -470,7 +118,7 @@
|
||||
</When>
|
||||
<PolicyRuleOptions/>
|
||||
</PolicyRule>
|
||||
<PolicyRule action="Accept" direction="Both" disabled="False" id="id4094092C" log="False" position="1">
|
||||
<PolicyRule id="id4094092C" action="Accept" direction="Both" disabled="False" log="False" position="1">
|
||||
<Src neg="False">
|
||||
<ObjectRef ref="sysid0"/>
|
||||
</Src>
|
||||
@ -488,7 +136,7 @@
|
||||
</When>
|
||||
<PolicyRuleOptions/>
|
||||
</PolicyRule>
|
||||
<PolicyRule action="Accept" comment="SSH Access to firewall is permitted only from internal network" disabled="False" id="id40941C75" log="False" position="2">
|
||||
<PolicyRule id="id40941C75" comment="SSH Access to firewall is permitted only from internal network" action="Accept" disabled="False" log="False" position="2">
|
||||
<Src neg="False">
|
||||
<ObjectRef ref="id3DC75CE7-1"/>
|
||||
</Src>
|
||||
@ -506,7 +154,7 @@
|
||||
</When>
|
||||
<PolicyRuleOptions/>
|
||||
</PolicyRule>
|
||||
<PolicyRule action="Accept" comment="Firewall uses one of the machines on internal network for DNS" disabled="False" id="id40941D2E" log="True" position="3">
|
||||
<PolicyRule id="id40941D2E" comment="Firewall uses one of the machines on internal network for DNS" action="Accept" disabled="False" log="True" position="3">
|
||||
<Src neg="False">
|
||||
<ObjectRef ref="id40708A6A"/>
|
||||
</Src>
|
||||
@ -524,7 +172,7 @@
|
||||
</When>
|
||||
<PolicyRuleOptions/>
|
||||
</PolicyRule>
|
||||
<PolicyRule action="Deny" comment="All other attempts to connect to the firewall are denied and logged" disabled="False" id="id40941CB8" log="True" position="4">
|
||||
<PolicyRule id="id40941CB8" comment="All other attempts to connect to the firewall are denied and logged" action="Deny" disabled="False" log="True" position="4">
|
||||
<Src neg="False">
|
||||
<ObjectRef ref="sysid0"/>
|
||||
</Src>
|
||||
@ -542,7 +190,7 @@
|
||||
</When>
|
||||
<PolicyRuleOptions/>
|
||||
</PolicyRule>
|
||||
<PolicyRule action="Accept" comment="" disabled="False" id="id4070BFDE" log="False" position="5">
|
||||
<PolicyRule id="id4070BFDE" action="Accept" disabled="False" log="False" position="5">
|
||||
<Src neg="False">
|
||||
<ObjectRef ref="id3DC75CE7-1"/>
|
||||
</Src>
|
||||
@ -560,7 +208,7 @@
|
||||
</When>
|
||||
<PolicyRuleOptions/>
|
||||
</PolicyRule>
|
||||
<PolicyRule action="Deny" disabled="False" id="id40708A71" log="True" position="6">
|
||||
<PolicyRule id="id40708A71" action="Deny" disabled="False" log="True" position="6">
|
||||
<Src neg="False">
|
||||
<ObjectRef ref="sysid0"/>
|
||||
</Src>
|
||||
@ -579,13 +227,13 @@
|
||||
<PolicyRuleOptions/>
|
||||
</PolicyRule>
|
||||
</Policy>
|
||||
<Routing id="id40708A6A-routing" name="Routing"/>
|
||||
<Interface bridgeport="False" comment="" dyn="True" id="id4070BFD8" label="outside" mgmt="False" name="eth0" security_level="0" unnum="False" unprotected="False"/>
|
||||
<Interface bridgeport="False" comment="" dyn="False" id="id4070BFDA" label="inside" mgmt="True" name="eth1" security_level="100" unnum="False" unprotected="False">
|
||||
<IPv4 address="192.168.1.1" comment="" id="id4070BFDC" name="ip" netmask="255.255.255.0"/>
|
||||
<Routing id="id40708A6A-routing" name="Routing" ipv6_rule_set="False" top_rule_set="True"/>
|
||||
<Interface id="id4070BFD8" name="eth0" bridgeport="False" dyn="True" label="outside" mgmt="False" security_level="0" unnum="False" unprotected="False"/>
|
||||
<Interface id="id4070BFDA" name="eth1" bridgeport="False" dyn="False" label="inside" mgmt="True" security_level="100" unnum="False" unprotected="False">
|
||||
<IPv4 id="id4070BFDC" name="ip" address="192.168.1.1" netmask="255.255.255.0"/>
|
||||
</Interface>
|
||||
<Interface bridgeport="False" comment="" dyn="False" id="id40940929" label="loopback" mgmt="False" name="lo" security_level="100" unnum="False" unprotected="False">
|
||||
<IPv4 address="127.0.0.1" comment="" id="id4094092B" name="lo:ip" netmask="255.0.0.0"/>
|
||||
<Interface id="id40940929" name="lo" bridgeport="False" dyn="False" label="loopback" mgmt="False" security_level="100" unnum="False" unprotected="False">
|
||||
<IPv4 id="id4094092B" name="lo:ip" address="127.0.0.1" netmask="255.0.0.0"/>
|
||||
</Interface>
|
||||
<Management address="0.0.0.0">
|
||||
<SNMPManagement enabled="False" snmp_read_community="" snmp_write_community=""/>
|
||||
@ -632,9 +280,9 @@
|
||||
<Option name="verify_interfaces">true</Option>
|
||||
</FirewallOptions>
|
||||
</Firewall>
|
||||
<Firewall comment="Similar to fw 1, but the firewall is used as DHCP and DNS server for internal network. This firewall has two interfaces. Eth0 faces outside and has a dynamic address; eth1 faces inside. Policy includes basic rules to permit unrestricted outbound access and anti-spoofing rules. Access to the firewall is permitted only from internal network and only using SSH. The firewall can send DNS queries to servers out on the Internet. Another rule permits DNS queries from internal network to the firewall. Special rules permit DHCP requests from internal network and replies sent by the firewall." host_OS="unknown_os" id="id40941E8C" lastCompiled="0" lastInstalled="0" lastModified="0" name="fw template 2" platform="unknown" ro="False" version="">
|
||||
<NAT id="id40941E91" name="NAT">
|
||||
<NATRule disabled="False" id="id40941E92" position="0">
|
||||
<Firewall id="id40941E8C" name="fw template 2" comment="Similar to fw 1, but the firewall is used as DHCP and DNS server for internal network. This firewall has two interfaces. Eth0 faces outside and has a dynamic address; eth1 faces inside. Policy includes basic rules to permit unrestricted outbound access and anti-spoofing rules. Access to the firewall is permitted only from internal network and only using SSH. The firewall can send DNS queries to servers out on the Internet. Another rule permits DNS queries from internal network to the firewall. Special rules permit DHCP requests from internal network and replies sent by the firewall." host_OS="unknown_os" lastCompiled="0" lastInstalled="0" lastModified="0" platform="unknown" ro="False" version="">
|
||||
<NAT id="id40941E91" name="NAT" ipv6_rule_set="False" top_rule_set="True">
|
||||
<NATRule id="id40941E92" disabled="False" position="0">
|
||||
<OSrc neg="False">
|
||||
<ObjectRef ref="id3DC75CE7-1"/>
|
||||
</OSrc>
|
||||
@ -656,8 +304,8 @@
|
||||
<NATRuleOptions/>
|
||||
</NATRule>
|
||||
</NAT>
|
||||
<Policy id="id40941EA0" name="Policy">
|
||||
<PolicyRule action="Deny" comment="anti spoofing rule" direction="Inbound" disabled="False" id="id40941ED5" log="True" position="2">
|
||||
<Policy id="id40941EA0" name="Policy" ipv6_rule_set="False" top_rule_set="True">
|
||||
<PolicyRule id="id40941ED5" comment="anti spoofing rule" action="Deny" direction="Inbound" disabled="False" log="True" position="2">
|
||||
<Src neg="False">
|
||||
<ObjectRef ref="id40941E8C"/>
|
||||
<ObjectRef ref="id3DC75CE7-1"/>
|
||||
@ -676,7 +324,7 @@
|
||||
</When>
|
||||
<PolicyRuleOptions/>
|
||||
</PolicyRule>
|
||||
<PolicyRule action="Accept" direction="Both" disabled="False" id="id40941EE6" log="False" position="3">
|
||||
<PolicyRule id="id40941EE6" action="Accept" direction="Both" disabled="False" log="False" position="3">
|
||||
<Src neg="False">
|
||||
<ObjectRef ref="sysid0"/>
|
||||
</Src>
|
||||
@ -694,7 +342,7 @@
|
||||
</When>
|
||||
<PolicyRuleOptions/>
|
||||
</PolicyRule>
|
||||
<PolicyRule action="Accept" comment="SSH Access to firewall is permitted only from internal network Also firewall serves DNS for internal network" disabled="False" id="id40941EA1" log="False" position="2">
|
||||
<PolicyRule id="id40941EA1" comment="SSH Access to firewall is permitted only from internal network Also firewall serves DNS for internal network" action="Accept" disabled="False" log="False" position="2">
|
||||
<Src neg="False">
|
||||
<ObjectRef ref="id3DC75CE7-1"/>
|
||||
</Src>
|
||||
@ -713,7 +361,7 @@
|
||||
</When>
|
||||
<PolicyRuleOptions/>
|
||||
</PolicyRule>
|
||||
<PolicyRule action="Accept" comment="DHCP requests are permitted from internal network" disabled="False" id="id40942038" log="False" position="3">
|
||||
<PolicyRule id="id40942038" comment="DHCP requests are permitted from internal network" action="Accept" disabled="False" log="False" position="3">
|
||||
<Src neg="False">
|
||||
<ObjectRef ref="id3DC75CE7-1"/>
|
||||
<ObjectRef ref="id3F6D115D"/>
|
||||
@ -733,7 +381,7 @@
|
||||
</When>
|
||||
<PolicyRuleOptions/>
|
||||
</PolicyRule>
|
||||
<PolicyRule action="Accept" comment="DHCP replies" disabled="False" id="id4094204A" log="False" position="4">
|
||||
<PolicyRule id="id4094204A" comment="DHCP replies" action="Accept" disabled="False" log="False" position="4">
|
||||
<Src neg="False">
|
||||
<ObjectRef ref="id40941E8C"/>
|
||||
</Src>
|
||||
@ -751,7 +399,7 @@
|
||||
</When>
|
||||
<PolicyRuleOptions/>
|
||||
</PolicyRule>
|
||||
<PolicyRule action="Accept" comment="Firewall should be able to send DNS queries to the Internet" disabled="False" id="id40941EAB" log="True" position="5">
|
||||
<PolicyRule id="id40941EAB" comment="Firewall should be able to send DNS queries to the Internet" action="Accept" disabled="False" log="True" position="5">
|
||||
<Src neg="False">
|
||||
<ObjectRef ref="id40941E8C"/>
|
||||
</Src>
|
||||
@ -769,7 +417,7 @@
|
||||
</When>
|
||||
<PolicyRuleOptions/>
|
||||
</PolicyRule>
|
||||
<PolicyRule action="Deny" comment="All other attempts to connect to the firewall are denied and logged" disabled="False" id="id40941EB5" log="True" position="6">
|
||||
<PolicyRule id="id40941EB5" comment="All other attempts to connect to the firewall are denied and logged" action="Deny" disabled="False" log="True" position="6">
|
||||
<Src neg="False">
|
||||
<ObjectRef ref="sysid0"/>
|
||||
</Src>
|
||||
@ -787,7 +435,7 @@
|
||||
</When>
|
||||
<PolicyRuleOptions/>
|
||||
</PolicyRule>
|
||||
<PolicyRule action="Accept" comment="" disabled="False" id="id40941EBF" log="False" position="7">
|
||||
<PolicyRule id="id40941EBF" action="Accept" disabled="False" log="False" position="7">
|
||||
<Src neg="False">
|
||||
<ObjectRef ref="id3DC75CE7-1"/>
|
||||
</Src>
|
||||
@ -805,7 +453,7 @@
|
||||
</When>
|
||||
<PolicyRuleOptions/>
|
||||
</PolicyRule>
|
||||
<PolicyRule action="Deny" disabled="False" id="id40941EC9" log="True" position="8">
|
||||
<PolicyRule id="id40941EC9" action="Deny" disabled="False" log="True" position="8">
|
||||
<Src neg="False">
|
||||
<ObjectRef ref="sysid0"/>
|
||||
</Src>
|
||||
@ -824,13 +472,13 @@
|
||||
<PolicyRuleOptions/>
|
||||
</PolicyRule>
|
||||
</Policy>
|
||||
<Routing id="id40941E8C-routing" name="Routing"/>
|
||||
<Interface bridgeport="False" comment="" dyn="True" id="id40941ED3" label="outside" mgmt="False" name="eth0" security_level="0" unnum="False" unprotected="False"/>
|
||||
<Interface bridgeport="False" comment="" dyn="False" id="id40941EE0" label="inside" mgmt="True" name="eth1" security_level="100" unnum="False" unprotected="False">
|
||||
<IPv4 address="192.168.1.1" comment="" id="id40941EE1" name="ip" netmask="255.255.255.0"/>
|
||||
<Routing id="id40941E8C-routing" name="Routing" ipv6_rule_set="False" top_rule_set="True"/>
|
||||
<Interface id="id40941ED3" name="eth0" bridgeport="False" dyn="True" label="outside" mgmt="False" security_level="0" unnum="False" unprotected="False"/>
|
||||
<Interface id="id40941EE0" name="eth1" bridgeport="False" dyn="False" label="inside" mgmt="True" security_level="100" unnum="False" unprotected="False">
|
||||
<IPv4 id="id40941EE1" name="ip" address="192.168.1.1" netmask="255.255.255.0"/>
|
||||
</Interface>
|
||||
<Interface bridgeport="False" comment="" dyn="False" id="id40941EE3" label="loopback" mgmt="False" name="lo" security_level="100" unnum="False" unprotected="False">
|
||||
<IPv4 address="127.0.0.1" comment="" id="id40941EE4" name="lo:ip" netmask="255.0.0.0"/>
|
||||
<Interface id="id40941EE3" name="lo" bridgeport="False" dyn="False" label="loopback" mgmt="False" security_level="100" unnum="False" unprotected="False">
|
||||
<IPv4 id="id40941EE4" name="lo:ip" address="127.0.0.1" netmask="255.0.0.0"/>
|
||||
</Interface>
|
||||
<Management address="0.0.0.0">
|
||||
<SNMPManagement enabled="False" snmp_read_community="" snmp_write_community=""/>
|
||||
@ -877,9 +525,9 @@
|
||||
<Option name="verify_interfaces">true</Option>
|
||||
</FirewallOptions>
|
||||
</Firewall>
|
||||
<Firewall comment="This firewall has three interfaces. Eth0 faces outside and has a static routable address; eth1 faces inside; eth2 is connected to DMZ subnet. Policy includes basic rules to permit unrestricted outbound access and anti-spoofing rules. Access to the firewall is permitted only from internal network and only using SSH. The firewall uses one of the machines on internal network for DNS. Internal network is configured with address 192.168.1.0/255.255.255.0, DMZ is 192.168.2.0/255.255.255.0. Since DMZ used private IP address, it needs NAT. There is a mail relay host located on DMZ (object 'server on dmz'). Policy rules permit SMTP connections to it from the Internet and allow this server to connect to a host on internal network 'internal server'. All other access from DMZ to internal net is denied. To provide access to the mail relay its private address is mapped to firewall's outside interface address by NAT rule #1." host_OS="freebsd" id="id40986AFE" lastCompiled="0" lastInstalled="0" lastModified="0" name="fw template 3" platform="unknown" ro="False" version="">
|
||||
<NAT id="id40986B03" name="NAT">
|
||||
<NATRule comment="no need to translate between DMZ and internal net" disabled="False" id="id40987169" position="0">
|
||||
<Firewall id="id40986AFE" name="fw template 3" comment="This firewall has three interfaces. Eth0 faces outside and has a static routable address; eth1 faces inside; eth2 is connected to DMZ subnet. Policy includes basic rules to permit unrestricted outbound access and anti-spoofing rules. Access to the firewall is permitted only from internal network and only using SSH. The firewall uses one of the machines on internal network for DNS. Internal network is configured with address 192.168.1.0/255.255.255.0, DMZ is 192.168.2.0/255.255.255.0. Since DMZ used private IP address, it needs NAT. There is a mail relay host located on DMZ (object 'server on dmz'). Policy rules permit SMTP connections to it from the Internet and allow this server to connect to a host on internal network 'internal server'. All other access from DMZ to internal net is denied. To provide access to the mail relay its private address is mapped to firewall's outside interface address by NAT rule #1." host_OS="freebsd" lastCompiled="0" lastInstalled="0" lastModified="0" platform="unknown" ro="False" version="">
|
||||
<NAT id="id40986B03" name="NAT" ipv6_rule_set="False" top_rule_set="True">
|
||||
<NATRule id="id40987169" comment="no need to translate between DMZ and internal net" disabled="False" position="0">
|
||||
<OSrc neg="False">
|
||||
<ObjectRef ref="id3DC75CE7-2"/>
|
||||
</OSrc>
|
||||
@ -900,7 +548,7 @@
|
||||
</TSrv>
|
||||
<NATRuleOptions/>
|
||||
</NATRule>
|
||||
<NATRule comment="Translate source address for outgoing connections" disabled="False" id="id40986B04" position="1">
|
||||
<NATRule id="id40986B04" comment="Translate source address for outgoing connections" disabled="False" position="1">
|
||||
<OSrc neg="False">
|
||||
<ObjectRef ref="id3DC75CE7-1"/>
|
||||
<ObjectRef ref="id3DC75CE7-2"/>
|
||||
@ -922,7 +570,7 @@
|
||||
</TSrv>
|
||||
<NATRuleOptions/>
|
||||
</NATRule>
|
||||
<NATRule disabled="False" id="id40986E4B" position="2">
|
||||
<NATRule id="id40986E4B" disabled="False" position="2">
|
||||
<OSrc neg="False">
|
||||
<ObjectRef ref="sysid0"/>
|
||||
</OSrc>
|
||||
@ -944,8 +592,8 @@
|
||||
<NATRuleOptions/>
|
||||
</NATRule>
|
||||
</NAT>
|
||||
<Policy id="id40986B12" name="Policy">
|
||||
<PolicyRule action="Deny" comment="anti spoofing rule" direction="Inbound" disabled="False" id="id40986B47" log="True" position="4">
|
||||
<Policy id="id40986B12" name="Policy" ipv6_rule_set="False" top_rule_set="True">
|
||||
<PolicyRule id="id40986B47" comment="anti spoofing rule" action="Deny" direction="Inbound" disabled="False" log="True" position="4">
|
||||
<Src neg="False">
|
||||
<ObjectRef ref="id40986AFE"/>
|
||||
<ObjectRef ref="id3DC75CE7-1"/>
|
||||
@ -965,7 +613,7 @@
|
||||
</When>
|
||||
<PolicyRuleOptions/>
|
||||
</PolicyRule>
|
||||
<PolicyRule action="Accept" direction="Both" disabled="False" id="id40986B58" log="False" position="5">
|
||||
<PolicyRule id="id40986B58" action="Accept" direction="Both" disabled="False" log="False" position="5">
|
||||
<Src neg="False">
|
||||
<ObjectRef ref="sysid0"/>
|
||||
</Src>
|
||||
@ -983,7 +631,7 @@
|
||||
</When>
|
||||
<PolicyRuleOptions/>
|
||||
</PolicyRule>
|
||||
<PolicyRule action="Accept" comment="SSH Access to firewall is permitted only from internal network" disabled="False" id="id40986B13" log="False" position="2">
|
||||
<PolicyRule id="id40986B13" comment="SSH Access to firewall is permitted only from internal network" action="Accept" disabled="False" log="False" position="2">
|
||||
<Src neg="False">
|
||||
<ObjectRef ref="id3DC75CE7-1"/>
|
||||
</Src>
|
||||
@ -1001,7 +649,7 @@
|
||||
</When>
|
||||
<PolicyRuleOptions/>
|
||||
</PolicyRule>
|
||||
<PolicyRule action="Accept" comment="Firewall uses one of the machines on internal network for DNS" disabled="False" id="id40986B1D" log="False" position="3">
|
||||
<PolicyRule id="id40986B1D" comment="Firewall uses one of the machines on internal network for DNS" action="Accept" disabled="False" log="False" position="3">
|
||||
<Src neg="False">
|
||||
<ObjectRef ref="id40986AFE"/>
|
||||
</Src>
|
||||
@ -1019,7 +667,7 @@
|
||||
</When>
|
||||
<PolicyRuleOptions/>
|
||||
</PolicyRule>
|
||||
<PolicyRule action="Deny" comment="All other attempts to connect to the firewall are denied and logged" disabled="False" id="id40986B27" log="True" position="4">
|
||||
<PolicyRule id="id40986B27" comment="All other attempts to connect to the firewall are denied and logged" action="Deny" disabled="False" log="True" position="4">
|
||||
<Src neg="False">
|
||||
<ObjectRef ref="sysid0"/>
|
||||
</Src>
|
||||
@ -1037,7 +685,7 @@
|
||||
</When>
|
||||
<PolicyRuleOptions/>
|
||||
</PolicyRule>
|
||||
<PolicyRule action="Reject" comment="Quickly reject attempts to connect to ident server to avoid SMTP delays" disabled="False" id="id40986E5C" log="False" position="5">
|
||||
<PolicyRule id="id40986E5C" comment="Quickly reject attempts to connect to ident server to avoid SMTP delays" action="Reject" disabled="False" log="False" position="5">
|
||||
<Src neg="False">
|
||||
<ObjectRef ref="sysid0"/>
|
||||
</Src>
|
||||
@ -1055,7 +703,7 @@
|
||||
</When>
|
||||
<PolicyRuleOptions/>
|
||||
</PolicyRule>
|
||||
<PolicyRule action="Accept" comment="Mail relay on DMZ can accept connections from hosts on the Internet" disabled="False" id="id40986E16" log="False" position="6">
|
||||
<PolicyRule id="id40986E16" comment="Mail relay on DMZ can accept connections from hosts on the Internet" action="Accept" disabled="False" log="False" position="6">
|
||||
<Src neg="False">
|
||||
<ObjectRef ref="sysid0"/>
|
||||
</Src>
|
||||
@ -1073,7 +721,7 @@
|
||||
</When>
|
||||
<PolicyRuleOptions/>
|
||||
</PolicyRule>
|
||||
<PolicyRule action="Accept" comment="this rule permits a mail relay located on DMZ to connect to internal mail server" disabled="False" id="id40986EE1" log="False" position="7">
|
||||
<PolicyRule id="id40986EE1" comment="this rule permits a mail relay located on DMZ to connect to internal mail server" action="Accept" disabled="False" log="False" position="7">
|
||||
<Src neg="False">
|
||||
<ObjectRef ref="id3D84EECF"/>
|
||||
</Src>
|
||||
@ -1091,7 +739,7 @@
|
||||
</When>
|
||||
<PolicyRuleOptions/>
|
||||
</PolicyRule>
|
||||
<PolicyRule action="Accept" comment="Mail relay needs DNS and can connect to mail servers on the Internet" disabled="False" id="id40987009" log="False" position="8">
|
||||
<PolicyRule id="id40987009" comment="Mail relay needs DNS and can connect to mail servers on the Internet" action="Accept" disabled="False" log="False" position="8">
|
||||
<Src neg="False">
|
||||
<ObjectRef ref="id3D84EECF"/>
|
||||
</Src>
|
||||
@ -1110,7 +758,7 @@
|
||||
</When>
|
||||
<PolicyRuleOptions/>
|
||||
</PolicyRule>
|
||||
<PolicyRule action="Deny" comment="All other access from DMZ to internal net is denied" disabled="False" id="id40986B79" log="True" position="9">
|
||||
<PolicyRule id="id40986B79" comment="All other access from DMZ to internal net is denied" action="Deny" disabled="False" log="True" position="9">
|
||||
<Src neg="False">
|
||||
<ObjectRef ref="id3DC75CE7-2"/>
|
||||
</Src>
|
||||
@ -1128,7 +776,7 @@
|
||||
</When>
|
||||
<PolicyRuleOptions/>
|
||||
</PolicyRule>
|
||||
<PolicyRule action="Accept" comment="This permits access from internal net to the Internet and DMZ" disabled="False" id="id40986B31" log="False" position="10">
|
||||
<PolicyRule id="id40986B31" comment="This permits access from internal net to the Internet and DMZ" action="Accept" disabled="False" log="False" position="10">
|
||||
<Src neg="False">
|
||||
<ObjectRef ref="id3DC75CE7-1"/>
|
||||
</Src>
|
||||
@ -1146,7 +794,7 @@
|
||||
</When>
|
||||
<PolicyRuleOptions/>
|
||||
</PolicyRule>
|
||||
<PolicyRule action="Deny" disabled="False" id="id40986B3B" log="True" position="11">
|
||||
<PolicyRule id="id40986B3B" action="Deny" disabled="False" log="True" position="11">
|
||||
<Src neg="False">
|
||||
<ObjectRef ref="sysid0"/>
|
||||
</Src>
|
||||
@ -1165,18 +813,18 @@
|
||||
<PolicyRuleOptions/>
|
||||
</PolicyRule>
|
||||
</Policy>
|
||||
<Routing id="id40986AFE-routing" name="Routing"/>
|
||||
<Interface bridgeport="False" comment="" dyn="False" id="id40986B45" label="outside" mgmt="False" name="eth0" security_level="0" unnum="False" unprotected="False">
|
||||
<IPv4 address="192.0.2.1" comment="This is a test address, change it to your real one" id="id40986E5B" name="fw 3:eth0:ip" netmask="255.255.255.0"/>
|
||||
<Routing id="id40986AFE-routing" name="Routing" ipv6_rule_set="False" top_rule_set="True"/>
|
||||
<Interface id="id40986B45" name="eth0" bridgeport="False" dyn="False" label="outside" mgmt="False" security_level="0" unnum="False" unprotected="False">
|
||||
<IPv4 id="id40986E5B" name="fw 3:eth0:ip" comment="This is a test address, change it to your real one" address="192.0.2.1" netmask="255.255.255.0"/>
|
||||
</Interface>
|
||||
<Interface bridgeport="False" comment="" dyn="False" id="id40986B52" label="inside" mgmt="True" name="eth1" security_level="100" unnum="False" unprotected="False">
|
||||
<IPv4 address="192.168.1.1" comment="" id="id40986B53" name="ip" netmask="255.255.255.0"/>
|
||||
<Interface id="id40986B52" name="eth1" bridgeport="False" dyn="False" label="inside" mgmt="True" security_level="100" unnum="False" unprotected="False">
|
||||
<IPv4 id="id40986B53" name="ip" address="192.168.1.1" netmask="255.255.255.0"/>
|
||||
</Interface>
|
||||
<Interface bridgeport="False" comment="" dyn="False" id="id40986B55" label="loopback" mgmt="False" name="lo" security_level="100" unnum="False" unprotected="False">
|
||||
<IPv4 address="127.0.0.1" comment="" id="id40986B56" name="lo:ip" netmask="255.0.0.0"/>
|
||||
<Interface id="id40986B55" name="lo" bridgeport="False" dyn="False" label="loopback" mgmt="False" security_level="100" unnum="False" unprotected="False">
|
||||
<IPv4 id="id40986B56" name="lo:ip" address="127.0.0.1" netmask="255.0.0.0"/>
|
||||
</Interface>
|
||||
<Interface bridgeport="False" comment="" dyn="False" id="id40986B67" label="dmz" mgmt="False" name="eth2" security_level="0" unnum="False" unprotected="False">
|
||||
<IPv4 address="192.168.2.1" comment="" id="id40986B69" name="ip" netmask="255.255.255.0"/>
|
||||
<Interface id="id40986B67" name="eth2" bridgeport="False" dyn="False" label="dmz" mgmt="False" security_level="0" unnum="False" unprotected="False">
|
||||
<IPv4 id="id40986B69" name="ip" address="192.168.2.1" netmask="255.255.255.0"/>
|
||||
</Interface>
|
||||
<Management address="0.0.0.0">
|
||||
<SNMPManagement enabled="False" snmp_read_community="" snmp_write_community=""/>
|
||||
@ -1223,10 +871,10 @@
|
||||
<Option name="verify_interfaces">true</Option>
|
||||
</FirewallOptions>
|
||||
</Firewall>
|
||||
<Firewall comment="This is an example of a firewall protecting a host ( a server or a workstation). Only SSH access to the host is permitted. Host has dynamic address." host_OS="unknown_os" id="id409878E4" lastCompiled="0" lastInstalled="0" lastModified="0" name="host fw template 1" platform="unknown" ro="False" version="">
|
||||
<NAT id="id409878E9" name="NAT"/>
|
||||
<Policy id="id409878F8" name="Policy">
|
||||
<PolicyRule action="Deny" comment="anti spoofing rule" direction="Inbound" disabled="False" id="id4098792D" log="True" position="6">
|
||||
<Firewall id="id409878E4" name="host fw template 1" comment="This is an example of a firewall protecting a host ( a server or a workstation). Only SSH access to the host is permitted. Host has dynamic address." host_OS="unknown_os" lastCompiled="0" lastInstalled="0" lastModified="0" platform="unknown" ro="False" version="">
|
||||
<NAT id="id409878E9" name="NAT" ipv6_rule_set="False" top_rule_set="True"/>
|
||||
<Policy id="id409878F8" name="Policy" ipv6_rule_set="False" top_rule_set="True">
|
||||
<PolicyRule id="id4098792D" comment="anti spoofing rule" action="Deny" direction="Inbound" disabled="False" log="True" position="6">
|
||||
<Src neg="False">
|
||||
<ObjectRef ref="id409878E4"/>
|
||||
</Src>
|
||||
@ -1244,7 +892,7 @@
|
||||
</When>
|
||||
<PolicyRuleOptions/>
|
||||
</PolicyRule>
|
||||
<PolicyRule action="Accept" direction="Both" disabled="False" id="id4098793E" log="False" position="7">
|
||||
<PolicyRule id="id4098793E" action="Accept" direction="Both" disabled="False" log="False" position="7">
|
||||
<Src neg="False">
|
||||
<ObjectRef ref="sysid0"/>
|
||||
</Src>
|
||||
@ -1262,7 +910,7 @@
|
||||
</When>
|
||||
<PolicyRuleOptions/>
|
||||
</PolicyRule>
|
||||
<PolicyRule action="Accept" comment="SSH Access to the host; useful ICMP types; ping request" disabled="False" id="id409878F9" log="False" position="2">
|
||||
<PolicyRule id="id409878F9" comment="SSH Access to the host; useful ICMP types; ping request" action="Accept" disabled="False" log="False" position="2">
|
||||
<Src neg="False">
|
||||
<ObjectRef ref="sysid0"/>
|
||||
</Src>
|
||||
@ -1282,7 +930,7 @@
|
||||
</When>
|
||||
<PolicyRuleOptions/>
|
||||
</PolicyRule>
|
||||
<PolicyRule action="Accept" comment="" disabled="False" id="id40987917" log="False" position="3">
|
||||
<PolicyRule id="id40987917" action="Accept" disabled="False" log="False" position="3">
|
||||
<Src neg="False">
|
||||
<ObjectRef ref="id409878E4"/>
|
||||
</Src>
|
||||
@ -1300,7 +948,7 @@
|
||||
</When>
|
||||
<PolicyRuleOptions/>
|
||||
</PolicyRule>
|
||||
<PolicyRule action="Deny" disabled="False" id="id40987921" log="True" position="4">
|
||||
<PolicyRule id="id40987921" action="Deny" disabled="False" log="True" position="4">
|
||||
<Src neg="False">
|
||||
<ObjectRef ref="sysid0"/>
|
||||
</Src>
|
||||
@ -1319,10 +967,10 @@
|
||||
<PolicyRuleOptions/>
|
||||
</PolicyRule>
|
||||
</Policy>
|
||||
<Routing id="id409878E4-routing" name="Routing"/>
|
||||
<Interface bridgeport="False" comment="" dyn="True" id="id4098792B" label="outside" mgmt="False" name="eth0" security_level="0" unnum="False" unprotected="False"/>
|
||||
<Interface bridgeport="False" comment="" dyn="False" id="id4098793B" label="loopback" mgmt="False" name="lo" security_level="100" unnum="False" unprotected="False">
|
||||
<IPv4 address="127.0.0.1" comment="" id="id4098793C" name="lo:ip" netmask="255.0.0.0"/>
|
||||
<Routing id="id409878E4-routing" name="Routing" ipv6_rule_set="False" top_rule_set="True"/>
|
||||
<Interface id="id4098792B" name="eth0" bridgeport="False" dyn="True" label="outside" mgmt="False" security_level="0" unnum="False" unprotected="False"/>
|
||||
<Interface id="id4098793B" name="lo" bridgeport="False" dyn="False" label="loopback" mgmt="False" security_level="100" unnum="False" unprotected="False">
|
||||
<IPv4 id="id4098793C" name="lo:ip" address="127.0.0.1" netmask="255.0.0.0"/>
|
||||
</Interface>
|
||||
<Management address="0.0.0.0">
|
||||
<SNMPManagement enabled="False" snmp_read_community="" snmp_write_community=""/>
|
||||
@ -1365,9 +1013,9 @@
|
||||
<Option name="verify_interfaces">true</Option>
|
||||
</FirewallOptions>
|
||||
</Firewall>
|
||||
<Firewall comment="This firewall is based on Linksys appliance running Sveasoft firmware; it has two interfaces. Interface vlan1 faces outside and has a dynamic address; br0 faces inside. Policy includes basic rules to permit unrestricted outbound access and anti-spoofing rules. Access to the firewall is permitted only from internal network and only using SSH or HTTP. The firewall uses name servers supplied by the ISP for DNS. Special rule blocks DHCP requests on external interface without logging to reduce noise in the log. Internal network is configured with address 192.168.1.0/255.255.255.0" host_OS="linksys" id="id41293477" lastCompiled="0" lastInstalled="0" lastModified="0" name="linksys firewall" platform="iptables" ro="False" version="">
|
||||
<NAT id="id412934D3" name="NAT">
|
||||
<NATRule disabled="False" id="id412934D4" position="0">
|
||||
<Firewall id="id41293477" name="linksys firewall" comment="This firewall is based on Linksys appliance running Sveasoft firmware; it has two interfaces. Interface vlan1 faces outside and has a dynamic address; br0 faces inside. Policy includes basic rules to permit unrestricted outbound access and anti-spoofing rules. Access to the firewall is permitted only from internal network and only using SSH or HTTP. The firewall uses name servers supplied by the ISP for DNS. Special rule blocks DHCP requests on external interface without logging to reduce noise in the log. Internal network is configured with address 192.168.1.0/255.255.255.0" host_OS="linksys" lastCompiled="0" lastInstalled="0" lastModified="0" platform="iptables" ro="False" version="">
|
||||
<NAT id="id412934D3" name="NAT" ipv6_rule_set="False" top_rule_set="True">
|
||||
<NATRule id="id412934D4" disabled="False" position="0">
|
||||
<OSrc neg="False">
|
||||
<ObjectRef ref="id3DC75CE7-1"/>
|
||||
</OSrc>
|
||||
@ -1389,8 +1037,8 @@
|
||||
<NATRuleOptions/>
|
||||
</NATRule>
|
||||
</NAT>
|
||||
<Policy id="id4129347C" name="Policy">
|
||||
<PolicyRule action="Deny" comment="anti spoofing rule" direction="Inbound" disabled="False" id="id412934E4" log="True" position="8">
|
||||
<Policy id="id4129347C" name="Policy" ipv6_rule_set="False" top_rule_set="True">
|
||||
<PolicyRule id="id412934E4" comment="anti spoofing rule" action="Deny" direction="Inbound" disabled="False" log="True" position="8">
|
||||
<Src neg="False">
|
||||
<ObjectRef ref="id41293477"/>
|
||||
<ObjectRef ref="id3DC75CE7-1"/>
|
||||
@ -1409,7 +1057,7 @@
|
||||
</When>
|
||||
<PolicyRuleOptions/>
|
||||
</PolicyRule>
|
||||
<PolicyRule action="Accept" direction="Both" disabled="False" id="id412934F5" log="False" position="9">
|
||||
<PolicyRule id="id412934F5" action="Accept" direction="Both" disabled="False" log="False" position="9">
|
||||
<Src neg="False">
|
||||
<ObjectRef ref="sysid0"/>
|
||||
</Src>
|
||||
@ -1427,7 +1075,7 @@
|
||||
</When>
|
||||
<PolicyRuleOptions/>
|
||||
</PolicyRule>
|
||||
<PolicyRule action="Deny" disabled="False" id="id4129347D" log="False" position="2">
|
||||
<PolicyRule id="id4129347D" action="Deny" disabled="False" log="False" position="2">
|
||||
<Src neg="False">
|
||||
<ObjectRef ref="sysid0"/>
|
||||
</Src>
|
||||
@ -1445,7 +1093,7 @@
|
||||
</When>
|
||||
<PolicyRuleOptions/>
|
||||
</PolicyRule>
|
||||
<PolicyRule action="Accept" comment="SSH Access to firewall is permitted only from internal network" disabled="False" id="id41293488" log="False" position="3">
|
||||
<PolicyRule id="id41293488" comment="SSH Access to firewall is permitted only from internal network" action="Accept" disabled="False" log="False" position="3">
|
||||
<Src neg="False">
|
||||
<ObjectRef ref="id3DC75CE7-1"/>
|
||||
</Src>
|
||||
@ -1467,7 +1115,7 @@
|
||||
</When>
|
||||
<PolicyRuleOptions/>
|
||||
</PolicyRule>
|
||||
<PolicyRule action="Accept" comment="need this rule for ping and traceroute" disabled="False" id="id41293496" log="False" position="4">
|
||||
<PolicyRule id="id41293496" comment="need this rule for ping and traceroute" action="Accept" disabled="False" log="False" position="4">
|
||||
<Src neg="False">
|
||||
<ObjectRef ref="id41293477"/>
|
||||
</Src>
|
||||
@ -1496,7 +1144,7 @@
|
||||
<Option name="ulog_nlgroup">1</Option>
|
||||
</PolicyRuleOptions>
|
||||
</PolicyRule>
|
||||
<PolicyRule action="Accept" comment="" disabled="False" id="id412934A1" log="False" position="5">
|
||||
<PolicyRule id="id412934A1" action="Accept" disabled="False" log="False" position="5">
|
||||
<Src neg="False">
|
||||
<ObjectRef ref="id41293477"/>
|
||||
</Src>
|
||||
@ -1514,7 +1162,7 @@
|
||||
</When>
|
||||
<PolicyRuleOptions/>
|
||||
</PolicyRule>
|
||||
<PolicyRule action="Deny" comment="All other attempts to connect to the firewall are denied and logged" disabled="False" id="id412934AB" log="True" position="6">
|
||||
<PolicyRule id="id412934AB" comment="All other attempts to connect to the firewall are denied and logged" action="Deny" disabled="False" log="True" position="6">
|
||||
<Src neg="False">
|
||||
<ObjectRef ref="sysid0"/>
|
||||
</Src>
|
||||
@ -1532,7 +1180,7 @@
|
||||
</When>
|
||||
<PolicyRuleOptions/>
|
||||
</PolicyRule>
|
||||
<PolicyRule action="Accept" disabled="False" id="id412934B5" log="False" position="7">
|
||||
<PolicyRule id="id412934B5" action="Accept" disabled="False" log="False" position="7">
|
||||
<Src neg="False">
|
||||
<ObjectRef ref="sysid0"/>
|
||||
</Src>
|
||||
@ -1550,7 +1198,7 @@
|
||||
</When>
|
||||
<PolicyRuleOptions/>
|
||||
</PolicyRule>
|
||||
<PolicyRule action="Accept" comment="" disabled="False" id="id412934BF" log="False" position="8">
|
||||
<PolicyRule id="id412934BF" action="Accept" disabled="False" log="False" position="8">
|
||||
<Src neg="False">
|
||||
<ObjectRef ref="id3DC75CE7-1"/>
|
||||
</Src>
|
||||
@ -1568,7 +1216,7 @@
|
||||
</When>
|
||||
<PolicyRuleOptions/>
|
||||
</PolicyRule>
|
||||
<PolicyRule action="Deny" disabled="False" id="id412934C9" log="True" position="9">
|
||||
<PolicyRule id="id412934C9" action="Deny" disabled="False" log="True" position="9">
|
||||
<Src neg="False">
|
||||
<ObjectRef ref="sysid0"/>
|
||||
</Src>
|
||||
@ -1587,13 +1235,13 @@
|
||||
<PolicyRuleOptions/>
|
||||
</PolicyRule>
|
||||
</Policy>
|
||||
<Routing id="id41293477-routing" name="Routing"/>
|
||||
<Interface bridgeport="False" comment="" dyn="True" id="id412934E2" label="outside" mgmt="False" name="vlan1" security_level="0" unnum="False" unprotected="False"/>
|
||||
<Interface bridgeport="False" comment="" dyn="False" id="id412934EF" label="inside" mgmt="True" name="br0" security_level="100" unnum="False" unprotected="False">
|
||||
<IPv4 address="192.168.1.1" comment="" id="id412934F0" name="linksys firewall:br0:ip" netmask="255.255.255.0"/>
|
||||
<Routing id="id41293477-routing" name="Routing" ipv6_rule_set="False" top_rule_set="True"/>
|
||||
<Interface id="id412934E2" name="vlan1" bridgeport="False" dyn="True" label="outside" mgmt="False" security_level="0" unnum="False" unprotected="False"/>
|
||||
<Interface id="id412934EF" name="br0" bridgeport="False" dyn="False" label="inside" mgmt="True" security_level="100" unnum="False" unprotected="False">
|
||||
<IPv4 id="id412934F0" name="linksys firewall:br0:ip" address="192.168.1.1" netmask="255.255.255.0"/>
|
||||
</Interface>
|
||||
<Interface bridgeport="False" comment="" dyn="False" id="id412934F2" label="loopback" mgmt="False" name="lo" security_level="100" unnum="False" unprotected="False">
|
||||
<IPv4 address="127.0.0.1" comment="" id="id412934F3" name="linksys firewall:lo:ip" netmask="255.0.0.0"/>
|
||||
<Interface id="id412934F2" name="lo" bridgeport="False" dyn="False" label="loopback" mgmt="False" security_level="100" unnum="False" unprotected="False">
|
||||
<IPv4 id="id412934F3" name="linksys firewall:lo:ip" address="127.0.0.1" netmask="255.0.0.0"/>
|
||||
</Interface>
|
||||
<Management address="192.168.1.1">
|
||||
<SNMPManagement enabled="False" snmp_read_community="" snmp_write_community=""/>
|
||||
@ -1692,10 +1340,10 @@
|
||||
<Option name="verify_interfaces">True</Option>
|
||||
</FirewallOptions>
|
||||
</Firewall>
|
||||
<Firewall comment="" host_OS="linux24" id="id4129355E" lastCompiled="0" lastInstalled="0" lastModified="0" name="web server" platform="iptables" ro="False" version="">
|
||||
<NAT id="id41293598" name="NAT"/>
|
||||
<Policy id="id41293563" name="Policy">
|
||||
<PolicyRule action="Deny" direction="Inbound" disabled="False" id="id4129359C" log="True" position="10">
|
||||
<Firewall id="id4129355E" name="web server" host_OS="linux24" lastCompiled="0" lastInstalled="0" lastModified="0" platform="iptables" ro="False" version="">
|
||||
<NAT id="id41293598" name="NAT" ipv6_rule_set="False" top_rule_set="True"/>
|
||||
<Policy id="id41293563" name="Policy" ipv6_rule_set="False" top_rule_set="True">
|
||||
<PolicyRule id="id4129359C" action="Deny" direction="Inbound" disabled="False" log="True" position="10">
|
||||
<Src neg="False">
|
||||
<ObjectRef ref="id4129355E"/>
|
||||
</Src>
|
||||
@ -1713,7 +1361,7 @@
|
||||
</When>
|
||||
<PolicyRuleOptions/>
|
||||
</PolicyRule>
|
||||
<PolicyRule action="Accept" direction="Both" disabled="False" id="id412935A9" log="False" position="11">
|
||||
<PolicyRule id="id412935A9" action="Accept" direction="Both" disabled="False" log="False" position="11">
|
||||
<Src neg="False">
|
||||
<ObjectRef ref="sysid0"/>
|
||||
</Src>
|
||||
@ -1731,7 +1379,7 @@
|
||||
</When>
|
||||
<PolicyRuleOptions/>
|
||||
</PolicyRule>
|
||||
<PolicyRule action="Accept" disabled="False" id="id41293564" log="False" position="2">
|
||||
<PolicyRule id="id41293564" action="Accept" disabled="False" log="False" position="2">
|
||||
<Src neg="False">
|
||||
<ObjectRef ref="sysid0"/>
|
||||
</Src>
|
||||
@ -1751,7 +1399,7 @@
|
||||
</When>
|
||||
<PolicyRuleOptions/>
|
||||
</PolicyRule>
|
||||
<PolicyRule action="Accept" comment="server needs DNS to back-resolve clients IPs. Even if it does not log host names during its normal operations, statistics scripts such as webalizer need it for reporting." disabled="False" id="id41293570" log="False" position="3">
|
||||
<PolicyRule id="id41293570" comment="server needs DNS to back-resolve clients IPs. Even if it does not log host names during its normal operations, statistics scripts such as webalizer need it for reporting." action="Accept" disabled="False" log="False" position="3">
|
||||
<Src neg="False">
|
||||
<ObjectRef ref="id4129355E"/>
|
||||
</Src>
|
||||
@ -1769,7 +1417,7 @@
|
||||
</When>
|
||||
<PolicyRuleOptions/>
|
||||
</PolicyRule>
|
||||
<PolicyRule action="Accept" comment="this rule allows the server to send statistics and reports via email. Disable this rule if you do not need it." disabled="False" id="id4129357A" log="False" position="4">
|
||||
<PolicyRule id="id4129357A" comment="this rule allows the server to send statistics and reports via email. Disable this rule if you do not need it." action="Accept" disabled="False" log="False" position="4">
|
||||
<Src neg="False">
|
||||
<ObjectRef ref="id4129355E"/>
|
||||
</Src>
|
||||
@ -1787,7 +1435,7 @@
|
||||
</When>
|
||||
<PolicyRuleOptions/>
|
||||
</PolicyRule>
|
||||
<PolicyRule action="Reject" comment="this rejects auth (ident) queries that remote mail relays may send to this server when it tries to send email out." disabled="False" id="id41293584" log="False" position="5">
|
||||
<PolicyRule id="id41293584" comment="this rejects auth (ident) queries that remote mail relays may send to this server when it tries to send email out." action="Reject" disabled="False" log="False" position="5">
|
||||
<Src neg="False">
|
||||
<ObjectRef ref="sysid0"/>
|
||||
</Src>
|
||||
@ -1805,7 +1453,7 @@
|
||||
</When>
|
||||
<PolicyRuleOptions/>
|
||||
</PolicyRule>
|
||||
<PolicyRule action="Deny" disabled="False" id="id4129358E" log="True" position="6">
|
||||
<PolicyRule id="id4129358E" action="Deny" disabled="False" log="True" position="6">
|
||||
<Src neg="False">
|
||||
<ObjectRef ref="sysid0"/>
|
||||
</Src>
|
||||
@ -1824,12 +1472,12 @@
|
||||
<PolicyRuleOptions/>
|
||||
</PolicyRule>
|
||||
</Policy>
|
||||
<Routing id="id4129355E-routing" name="Routing"/>
|
||||
<Interface bridgeport="False" comment="" dyn="False" id="id41293599" label="outside" mgmt="True" name="eth0" security_level="0" unnum="False" unprotected="False">
|
||||
<IPv4 address="192.168.1.10" id="id4129359A" name="web server:eth0:ip" netmask="255.255.255.0"/>
|
||||
<Routing id="id4129355E-routing" name="Routing" ipv6_rule_set="False" top_rule_set="True"/>
|
||||
<Interface id="id41293599" name="eth0" bridgeport="False" dyn="False" label="outside" mgmt="True" security_level="0" unnum="False" unprotected="False">
|
||||
<IPv4 id="id4129359A" name="web server:eth0:ip" address="192.168.1.10" netmask="255.255.255.0"/>
|
||||
</Interface>
|
||||
<Interface bridgeport="False" dyn="False" id="id412935A6" label="loopback" name="lo" security_level="100" unnum="False" unprotected="False">
|
||||
<IPv4 address="127.0.0.1" id="id412935A7" name="web server:lo:ip" netmask="255.0.0.0"/>
|
||||
<Interface id="id412935A6" name="lo" bridgeport="False" dyn="False" label="loopback" security_level="100" unnum="False" unprotected="False">
|
||||
<IPv4 id="id412935A7" name="web server:lo:ip" address="127.0.0.1" netmask="255.0.0.0"/>
|
||||
</Interface>
|
||||
<Management address="192.168.1.10">
|
||||
<SNMPManagement enabled="False" snmp_read_community="" snmp_write_community=""/>
|
||||
@ -1888,10 +1536,10 @@
|
||||
<Option name="verify_interfaces">True</Option>
|
||||
</FirewallOptions>
|
||||
</Firewall>
|
||||
<Firewall comment="An example of Cisco router" host_OS="ios" id="id4699503132343" inactive="False" lastCompiled="0" lastInstalled="0" lastModified="1184450093" name="c36xx" platform="iosacl" ro="False" version="12.x">
|
||||
<NAT id="id4699503532343" name="NAT"/>
|
||||
<Policy id="id4699503432343" name="Policy">
|
||||
<PolicyRule action="Deny" comment="anti-spoofing rule" direction="Inbound" disabled="False" id="id46995E2832343" log="True" position="0">
|
||||
<Firewall id="id4699503132343" name="c36xx" comment="An example of Cisco router" host_OS="ios" inactive="False" lastCompiled="0" lastInstalled="0" lastModified="1184450093" platform="iosacl" ro="False" version="12.x">
|
||||
<NAT id="id4699503532343" name="NAT" ipv6_rule_set="False" top_rule_set="True"/>
|
||||
<Policy id="id4699503432343" name="Policy" ipv6_rule_set="False" top_rule_set="True">
|
||||
<PolicyRule id="id46995E2832343" comment="anti-spoofing rule" action="Deny" direction="Inbound" disabled="False" log="True" position="0">
|
||||
<Src neg="False">
|
||||
<ObjectRef ref="id3DC75CE7-1"/>
|
||||
<ObjectRef ref="id4699503132343"/>
|
||||
@ -1912,7 +1560,7 @@
|
||||
<Option name="stateless">True</Option>
|
||||
</PolicyRuleOptions>
|
||||
</PolicyRule>
|
||||
<PolicyRule action="Accept" direction="Inbound" disabled="False" id="id469954CB32343" log="False" position="1">
|
||||
<PolicyRule id="id469954CB32343" action="Accept" direction="Inbound" disabled="False" log="False" position="1">
|
||||
<Src neg="False">
|
||||
<ObjectRef ref="id3DC75CE7-1"/>
|
||||
</Src>
|
||||
@ -1932,7 +1580,7 @@
|
||||
<Option name="stateless">False</Option>
|
||||
</PolicyRuleOptions>
|
||||
</PolicyRule>
|
||||
<PolicyRule action="Deny" direction="Both" disabled="False" id="id469954DA32343" log="True" position="2">
|
||||
<PolicyRule id="id469954DA32343" action="Deny" direction="Both" disabled="False" log="True" position="2">
|
||||
<Src neg="False">
|
||||
<ObjectRef ref="sysid0"/>
|
||||
</Src>
|
||||
@ -1952,7 +1600,7 @@
|
||||
<Option name="stateless">True</Option>
|
||||
</PolicyRuleOptions>
|
||||
</PolicyRule>
|
||||
<PolicyRule action="Deny" direction="Both" disabled="False" id="id469954B332343" log="True" position="3">
|
||||
<PolicyRule id="id469954B332343" action="Deny" direction="Both" disabled="False" log="True" position="3">
|
||||
<Src neg="False">
|
||||
<ObjectRef ref="sysid0"/>
|
||||
</Src>
|
||||
@ -1973,18 +1621,18 @@
|
||||
</PolicyRuleOptions>
|
||||
</PolicyRule>
|
||||
</Policy>
|
||||
<Routing id="id4699503632343" name="Routing"/>
|
||||
<Interface bridgeport="False" comment="" dyn="False" id="id4699503732343" label="" mgmt="False" name="Ethernet1/0" security_level="0" unnum="False" unprotected="False">
|
||||
<IPv4 address="192.0.2.1" comment="" id="id4699503832343" name="c36xx:Ethernet1/0:ip" netmask="255.255.255.0"/>
|
||||
<Routing id="id4699503632343" name="Routing" ipv6_rule_set="False" top_rule_set="True"/>
|
||||
<Interface id="id4699503732343" name="Ethernet1/0" bridgeport="False" dyn="False" label="" mgmt="False" security_level="0" unnum="False" unprotected="False">
|
||||
<IPv4 id="id4699503832343" name="c36xx:Ethernet1/0:ip" address="192.0.2.1" netmask="255.255.255.0"/>
|
||||
</Interface>
|
||||
<Interface bridgeport="False" dyn="False" id="id4699503932343" label="" name="Ethernet1/1" security_level="50" unnum="False" unprotected="False">
|
||||
<IPv4 address="0.0.0.0" comment="Configure IP address and netmask for this interface" id="id4699503A32343" name="c36xx:Ethernet1/1:ip" netmask="0.0.0.0"/>
|
||||
<Interface id="id4699503932343" name="Ethernet1/1" bridgeport="False" dyn="False" label="" security_level="50" unnum="False" unprotected="False">
|
||||
<IPv4 id="id4699503A32343" name="c36xx:Ethernet1/1:ip" comment="Configure IP address and netmask for this interface" address="0.0.0.0" netmask="0.0.0.0"/>
|
||||
</Interface>
|
||||
<Interface bridgeport="False" comment="" dyn="False" id="id4699503B32343" label="" mgmt="True" name="FastEthernet0/0" security_level="100" unnum="False" unprotected="False">
|
||||
<IPv4 address="192.168.1.1" comment="" id="id4699503C32343" name="c36xx:FastEthernet0/0:ip" netmask="255.255.255.0"/>
|
||||
<Interface id="id4699503B32343" name="FastEthernet0/0" bridgeport="False" dyn="False" label="" mgmt="True" security_level="100" unnum="False" unprotected="False">
|
||||
<IPv4 id="id4699503C32343" name="c36xx:FastEthernet0/0:ip" address="192.168.1.1" netmask="255.255.255.0"/>
|
||||
</Interface>
|
||||
<Interface bridgeport="False" comment="" dyn="False" id="id4699503F32343" label="" mgmt="False" name="Serial1/0" security_level="0" unnum="False" unprotected="False">
|
||||
<IPv4 address="0.0.0.0" comment="Configure IP address and netmask for this interface" id="id4699504032343" name="c36xx:Serial1/0:ip" netmask="0.0.0.0"/>
|
||||
<Interface id="id4699503F32343" name="Serial1/0" bridgeport="False" dyn="False" label="" mgmt="False" security_level="0" unnum="False" unprotected="False">
|
||||
<IPv4 id="id4699504032343" name="c36xx:Serial1/0:ip" comment="Configure IP address and netmask for this interface" address="0.0.0.0" netmask="0.0.0.0"/>
|
||||
</Interface>
|
||||
<Management address="192.168.1.1">
|
||||
<SNMPManagement enabled="False" snmp_read_community="" snmp_write_community=""/>
|
||||
@ -2065,10 +1713,102 @@
|
||||
</ObjectGroup>
|
||||
<IntervalGroup id="id4070BBA9" name="Time"/>
|
||||
</Library>
|
||||
<Library id="sysid99" name="Deleted Objects" ro="False">
|
||||
<Interface bridgeport="False" dyn="False" id="id4699503D32343" label="" name="Null0" security_level="100" unnum="False" unprotected="False">
|
||||
<IPv4 address="0.0.0.0" id="id4699503E32343" name="c36xx:Null0:ip" netmask="255.255.255.255"/>
|
||||
</Interface>
|
||||
<ObjectRef ref="sysid0"/>
|
||||
<Library id="syslib000" name="Standard" comment="Standard objects" color="#d4f8ff" ro="True">
|
||||
<ObjectGroup id="stdid01" name="Objects">
|
||||
<ObjectGroup id="stdid03" name="Networks">
|
||||
<Network id="id3DC75CE7-1" name="net-192.168.1.0" comment="192.168.1.0/24 - Address often used for home and small office networks. " address="192.168.1.0" netmask="255.255.255.0"/>
|
||||
<Network id="id3DC75CE7-2" name="net-192.168.2.0" comment="192.168.2.0/24 - Address often used for home and small office networks. " address="192.168.2.0" netmask="255.255.255.0"/>
|
||||
</ObjectGroup>
|
||||
<ObjectGroup id="stdid15" name="Address Ranges">
|
||||
<AddressRange id="id3F6D115D" name="old-broadcast" start_address="0.0.0.0" end_address="0.0.0.0"/>
|
||||
<AddressRange id="id3F6D115C" name="broadcast" start_address="255.255.255.255" end_address="255.255.255.255"/>
|
||||
</ObjectGroup>
|
||||
<ObjectGroup id="stdid02" name="Hosts">
|
||||
<Host id="id3D84EECE" name="internal server" comment="This host is used in examples and template objects">
|
||||
<Interface id="id3D84EED2" name="eth0" bridgeport="False" dyn="False" security_level="0" unnum="False" unprotected="False">
|
||||
<IPv4 id="id3D84EED3" name="ip" address="192.168.1.10" netmask="255.255.255.0"/>
|
||||
</Interface>
|
||||
<Management address="192.168.1.10">
|
||||
<SNMPManagement enabled="False" snmp_read_community="" snmp_write_community=""/>
|
||||
<FWBDManagement enabled="False" identity="" port="-1"/>
|
||||
<PolicyInstallScript arguments="" command="" enabled="False"/>
|
||||
</Management>
|
||||
<HostOptions>
|
||||
<Option name="snmp_contact"></Option>
|
||||
<Option name="snmp_description"></Option>
|
||||
<Option name="snmp_location"></Option>
|
||||
<Option name="use_mac_addr">false</Option>
|
||||
<Option name="use_mac_addr_filter">False</Option>
|
||||
</HostOptions>
|
||||
</Host>
|
||||
<Host id="id3D84EECF" name="server on dmz" comment="This host is used in examples and template objects">
|
||||
<Interface id="id3D84EEE3" name="eth0" bridgeport="False" dyn="False" security_level="0" unnum="False" unprotected="False">
|
||||
<IPv4 id="id3D84EEE4" name="ip" address="192.168.2.10" netmask="255.255.255.0"/>
|
||||
</Interface>
|
||||
<Management address="192.168.2.10">
|
||||
<SNMPManagement enabled="False" snmp_read_community="" snmp_write_community=""/>
|
||||
<FWBDManagement enabled="False" identity="" port="-1"/>
|
||||
<PolicyInstallScript arguments="" command="" enabled="False"/>
|
||||
</Management>
|
||||
<HostOptions>
|
||||
<Option name="snmp_contact"></Option>
|
||||
<Option name="snmp_description"></Option>
|
||||
<Option name="snmp_location"></Option>
|
||||
<Option name="use_mac_addr">false</Option>
|
||||
<Option name="use_mac_addr_filter">False</Option>
|
||||
</HostOptions>
|
||||
</Host>
|
||||
</ObjectGroup>
|
||||
</ObjectGroup>
|
||||
<AnyNetwork id="sysid0" name="Any" comment="Any Network" address="0.0.0.0" netmask="0.0.0.0"/>
|
||||
<AnyIPService id="sysid1" name="Any" comment="Any IP Service" protocol_num="0"/>
|
||||
<AnyInterval id="sysid2" name="Any" comment="Any Interval" days_of_week="0,1,2,3,4,5,6" from_day="-1" from_hour="-1" from_minute="-1" from_month="-1" from_weekday="-1" from_year="-1" to_day="-1" to_hour="-1" to_minute="-1" to_month="-1" to_weekday="-1" to_year="-1"/>
|
||||
<ServiceGroup id="stdid05" name="Services">
|
||||
<ServiceGroup id="stdid09" name="TCP">
|
||||
<TCPService id="tcp-SSH" name="ssh" ack_flag="False" ack_flag_mask="False" fin_flag="False" fin_flag_mask="False" psh_flag="False" psh_flag_mask="False" rst_flag="False" rst_flag_mask="False" syn_flag="False" syn_flag_mask="False" urg_flag="False" urg_flag_mask="False" src_range_start="0" src_range_end="0" dst_range_start="22" dst_range_end="22"/>
|
||||
<TCPService id="tcp-Auth" name="auth" ack_flag="False" ack_flag_mask="False" fin_flag="False" fin_flag_mask="False" psh_flag="False" psh_flag_mask="False" rst_flag="False" rst_flag_mask="False" syn_flag="False" syn_flag_mask="False" urg_flag="False" urg_flag_mask="False" src_range_start="0" src_range_end="0" dst_range_start="113" dst_range_end="113"/>
|
||||
<TCPService id="tcp-SMTP" name="smtp" ack_flag="False" ack_flag_mask="False" fin_flag="False" fin_flag_mask="False" psh_flag="False" psh_flag_mask="False" rst_flag="False" rst_flag_mask="False" syn_flag="False" syn_flag_mask="False" urg_flag="False" urg_flag_mask="False" src_range_start="0" src_range_end="0" dst_range_start="25" dst_range_end="25"/>
|
||||
<TCPService id="tcp-HTTP" name="http" ack_flag="False" ack_flag_mask="False" fin_flag="False" fin_flag_mask="False" psh_flag="False" psh_flag_mask="False" rst_flag="False" rst_flag_mask="False" syn_flag="False" syn_flag_mask="False" urg_flag="False" urg_flag_mask="False" src_range_start="0" src_range_end="0" dst_range_start="80" dst_range_end="80"/>
|
||||
<TCPService id="tcp-DNS" name="domain" ack_flag="False" ack_flag_mask="False" fin_flag="False" fin_flag_mask="False" psh_flag="False" psh_flag_mask="False" rst_flag="False" rst_flag_mask="False" syn_flag="False" syn_flag_mask="False" urg_flag="False" urg_flag_mask="False" src_range_start="0" src_range_end="0" dst_range_start="53" dst_range_end="53"/>
|
||||
<TCPService id="id41291784" name="upnp" ack_flag="False" ack_flag_mask="False" fin_flag="False" fin_flag_mask="False" psh_flag="False" psh_flag_mask="False" rst_flag="False" rst_flag_mask="False" syn_flag="False" syn_flag_mask="False" urg_flag="False" urg_flag_mask="False" src_range_start="0" src_range_end="0" dst_range_start="5000" dst_range_end="5000"/>
|
||||
<TCPService id="id41291785" name="upnp-5431" comment="Although UPnP specification say it should use TCP port 5000, Linksys running Sveasoft firmware listens on port 5431" ack_flag="False" ack_flag_mask="False" fin_flag="False" fin_flag_mask="False" psh_flag="False" psh_flag_mask="False" rst_flag="False" rst_flag_mask="False" syn_flag="False" syn_flag_mask="False" urg_flag="False" urg_flag_mask="False" src_range_start="0" src_range_end="0" dst_range_start="5431" dst_range_end="5431"/>
|
||||
<TCPService id="id412Z18A9" name="icslap" comment="Sometimes this protocol is called icslap, but Microsoft does not call it that and just says that DSPP uses port 2869 in Windows XP SP2" ack_flag="False" ack_flag_mask="False" fin_flag="False" fin_flag_mask="False" psh_flag="False" psh_flag_mask="False" rst_flag="False" rst_flag_mask="False" syn_flag="False" syn_flag_mask="False" urg_flag="False" urg_flag_mask="False" src_range_start="0" src_range_end="0" dst_range_start="2869" dst_range_end="2869"/>
|
||||
</ServiceGroup>
|
||||
<ServiceGroup id="stdid10" name="Groups">
|
||||
<ServiceGroup id="id3F530CC8" name="DNS">
|
||||
<ServiceRef ref="udp-DNS"/>
|
||||
<ServiceRef ref="tcp-DNS"/>
|
||||
</ServiceGroup>
|
||||
<ServiceGroup id="sg-DHCP" name="DHCP">
|
||||
<ServiceRef ref="udp-bootpc"/>
|
||||
<ServiceRef ref="udp-bootps"/>
|
||||
</ServiceGroup>
|
||||
<ServiceGroup id="sg-Useful_ICMP" name="Useful_ICMP">
|
||||
<ServiceRef ref="icmp-Time_exceeded"/>
|
||||
<ServiceRef ref="icmp-Time_exceeded_in_transit"/>
|
||||
<ServiceRef ref="icmp-ping_reply"/>
|
||||
<ServiceRef ref="icmp-Unreachables"/>
|
||||
</ServiceGroup>
|
||||
<ServiceGroup id="id41291786" name="UPnP">
|
||||
<ServiceRef ref="id41291784"/>
|
||||
<ServiceRef ref="id41291785"/>
|
||||
<ServiceRef ref="id41291783"/>
|
||||
<ServiceRef ref="id412Z18A9"/>
|
||||
</ServiceGroup>
|
||||
</ServiceGroup>
|
||||
<ServiceGroup id="stdid07" name="ICMP">
|
||||
<ICMPService id="icmp-ping_request" name="ping request" code="0" type="8"/>
|
||||
<ICMPService id="icmp-ping_reply" name="ping reply" code="0" type="0"/>
|
||||
<ICMPService id="icmp-Time_exceeded" name="time exceeded" comment="ICMP messages of this type are needed for traceroute" code="0" type="11"/>
|
||||
<ICMPService id="icmp-Unreachables" name="all ICMP unreachables" code="-1" type="3"/>
|
||||
<ICMPService id="icmp-Time_exceeded_in_transit" name="time exceeded in transit" code="1" type="11"/>
|
||||
</ServiceGroup>
|
||||
<ServiceGroup id="stdid08" name="UDP">
|
||||
<UDPService id="udp-DNS" name="domain" src_range_start="0" src_range_end="0" dst_range_start="53" dst_range_end="53"/>
|
||||
<UDPService id="udp-bootpc" name="bootpc" src_range_start="0" src_range_end="0" dst_range_start="68" dst_range_end="68"/>
|
||||
<UDPService id="udp-bootps" name="bootps" src_range_start="0" src_range_end="0" dst_range_start="67" dst_range_end="67"/>
|
||||
<UDPService id="id41291783" name="SSDP" comment="Simple Service Discovery Protocol (used for UPnP)" src_range_start="0" src_range_end="0" dst_range_start="1900" dst_range_end="1900"/>
|
||||
</ServiceGroup>
|
||||
</ServiceGroup>
|
||||
</Library>
|
||||
</FWObjectDatabase>
|
||||
|
||||
@ -1,375 +1,22 @@
|
||||
<?xml version="1.0" encoding="utf-8"?>
|
||||
<!DOCTYPE FWObjectDatabase SYSTEM "fwbuilder.dtd">
|
||||
<FWObjectDatabase xmlns="http://www.fwbuilder.org/1.0/" version="@FWBUILDER_XML_VERSION@" lastModified="1184450093" id="root">
|
||||
<Library color="#d4f8ff" comment="Standard objects" id="syslib000" name="Standard" ro="False">
|
||||
<AnyNetwork comment="Any Network" id="sysid0" name="Any" address="0.0.0.0" netmask="0.0.0.0"/>
|
||||
<AnyIPService comment="Any IP Service" id="sysid1" name="Any" protocol_num="0"/>
|
||||
<AnyInterval comment="Any Interval" from_day="-1" from_hour="-1" from_minute="-1" from_month="-1" from_weekday="-1" from_year="-1" id="sysid2" name="Any" to_day="-1" to_hour="-1" to_minute="-1" to_month="-1" to_weekday="-1" to_year="-1"/>
|
||||
<ObjectGroup id="stdid01" name="Objects">
|
||||
<ObjectGroup id="stdid16" name="Addresses"/>
|
||||
<ObjectGroup id="stdid17" name="DNS Names"/>
|
||||
<ObjectGroup id="stdid18" name="Address Tables"/>
|
||||
<ObjectGroup id="stdid04" name="Groups">
|
||||
<ObjectGroup id="id3DC75CE8" name="rfc1918-nets">
|
||||
<ObjectRef ref="id3DC75CE5"/>
|
||||
<ObjectRef ref="id3DC75CE6"/>
|
||||
<ObjectRef ref="id3DC75CE7"/>
|
||||
</ObjectGroup>
|
||||
</ObjectGroup>
|
||||
<ObjectGroup id="stdid02" name="Hosts">
|
||||
<Host comment="This host is used in examples and template objects" id="id3D84EECE" name="internal server">
|
||||
<Interface bridgeport="False" dyn="False" id="id3D84EED2" name="eth0" security_level="0" unnum="False" unprotected="False">
|
||||
<IPv4 address="192.168.1.10" id="id3D84EED3" name="ip" netmask="255.255.255.0"/>
|
||||
</Interface>
|
||||
<Management address="192.168.1.10">
|
||||
<SNMPManagement enabled="False" snmp_read_community="" snmp_write_community=""/>
|
||||
<FWBDManagement enabled="False" identity="" port="-1"/>
|
||||
<PolicyInstallScript arguments="" command="" enabled="False"/>
|
||||
</Management>
|
||||
<HostOptions>
|
||||
<Option name="snmp_contact"></Option>
|
||||
<Option name="snmp_description"></Option>
|
||||
<Option name="snmp_location"></Option>
|
||||
<Option name="use_mac_addr">false</Option>
|
||||
<Option name="use_mac_addr_filter">False</Option>
|
||||
</HostOptions>
|
||||
</Host>
|
||||
<Host comment="This host is used in examples and template objects" id="id3D84EECF" name="server on dmz">
|
||||
<Interface bridgeport="False" dyn="False" id="id3D84EEE3" name="eth0" security_level="0" unnum="False" unprotected="False">
|
||||
<IPv4 address="192.168.2.10" id="id3D84EEE4" name="ip" netmask="255.255.255.0"/>
|
||||
</Interface>
|
||||
<Management address="192.168.2.10">
|
||||
<SNMPManagement enabled="False" snmp_read_community="" snmp_write_community=""/>
|
||||
<FWBDManagement enabled="False" identity="" port="-1"/>
|
||||
<PolicyInstallScript arguments="" command="" enabled="False"/>
|
||||
</Management>
|
||||
<HostOptions>
|
||||
<Option name="snmp_contact"></Option>
|
||||
<Option name="snmp_description"></Option>
|
||||
<Option name="snmp_location"></Option>
|
||||
<Option name="use_mac_addr">false</Option>
|
||||
<Option name="use_mac_addr_filter">False</Option>
|
||||
</HostOptions>
|
||||
</Host>
|
||||
</ObjectGroup>
|
||||
<ObjectGroup id="stdid03" name="Networks">
|
||||
<Network comment="224.0.0.0/4 - This block, formerly known as the Class D address space, is allocated for use in IPv4 multicast address assignments. The IANA guidelines for assignments from this space are described in [RFC3171]. " id="id3DC75CEC" name="all multicasts" address="224.0.0.0" netmask="240.0.0.0"/>
|
||||
<Network comment="169.254.0.0/16 - This is the "link local" block. It is allocated for communication between hosts on a single link. Hosts obtain these addresses by auto-configuration, such as when a DHCP server may not be found. " id="id3F4ECE3E" name="link-local" address="169.254.0.0" netmask="255.255.0.0"/>
|
||||
<Network comment="127.0.0.0/8 - This block is assigned for use as the Internet host loopback address. A datagram sent by a higher level protocol to an address anywhere within this block should loop back inside the host. This is ordinarily implemented using only 127.0.0.1/32 for loopback, but no addresses within this block should ever appear on any network anywhere [RFC1700, page 5]. " id="id3F4ECE3D" name="loopback-net" address="127.0.0.0" netmask="255.0.0.0"/>
|
||||
<Network comment="10.0.0.0/8 - This block is set aside for use in private networks. Its intended use is documented in [RFC1918]. Addresses within this block should not appear on the public Internet." id="id3DC75CE5" name="net-10.0.0.0" address="10.0.0.0" netmask="255.0.0.0"/>
|
||||
<Network comment="172.16.0.0/12 - This block is set aside for use in private networks. Its intended use is documented in [RFC1918]. Addresses within this block should not appear on the public Internet. " id="id3DC75CE7" name="net-172.16.0.0" address="172.16.0.0" netmask="255.240.0.0"/>
|
||||
<Network comment="192.168.0.0/16 - This block is set aside for use in private networks. Its intended use is documented in [RFC1918]. Addresses within this block should not appear on the public Internet. " id="id3DC75CE6" name="net-192.168.0.0" address="192.168.0.0" netmask="255.255.0.0"/>
|
||||
<Network comment="192.0.2.0/24 - This block is assigned as "TEST-NET" for use in documentation and example code. It is often used in conjunction with domain names example.com or example.net in vendor and protocol documentation. Addresses within this block should not appear on the public Internet. " id="id3F4ECE3F" name="test-net" address="192.0.2.0" netmask="255.255.255.0"/>
|
||||
<Network comment="0.0.0.0/8 - Addresses in this block refer to source hosts on "this" network. Address 0.0.0.0/32 may be used as a source address for this host on this network; other addresses within 0.0.0.0/8 may be used to refer to specified hosts on this network [RFC1700, page 4]." id="id3F4ECE40" name="this-net" address="0.0.0.0" netmask="255.0.0.0"/>
|
||||
<Network comment="192.168.1.0/24 - Address often used for home and small office networks. " id="id3DC75CE7-1" name="net-192.168.1.0" address="192.168.1.0" netmask="255.255.255.0"/>
|
||||
<Network comment="192.168.2.0/24 - Address often used for home and small office networks. " id="id3DC75CE7-2" name="net-192.168.2.0" address="192.168.2.0" netmask="255.255.255.0"/>
|
||||
</ObjectGroup>
|
||||
<ObjectGroup id="stdid15" name="Address Ranges">
|
||||
<AddressRange comment="" id="id3F6D115C" name="broadcast" start_address="255.255.255.255" end_address="255.255.255.255"/>
|
||||
<AddressRange comment="" id="id3F6D115D" name="old-broadcast" start_address="0.0.0.0" end_address="0.0.0.0"/>
|
||||
</ObjectGroup>
|
||||
</ObjectGroup>
|
||||
<ServiceGroup id="stdid05" name="Services">
|
||||
<CustomService comment="This service matches all packets which are part of network connections established through the firewall, or connections 'related' to those established through the firewall. Term 'established' refers to the state tracking mechanism which exists inside iptables and other stateful firewalls and does not mean any particular combination of packet header options. Packet is considered to correspond to the state 'ESTABLISHED' if it belongs to the network session, for which proper initiation has been seen by the firewall, so its stateful inspection module made appropriate record in the state table. Usually stateful firewalls keep track of network connections using not only tcp protocol, but also udp and sometimes even icmp protocols. 'RELATED' describes packet belonging to a separate network connection, related to the session firewall is keeping track of. One example is FTP command and FTP data sessions." id="stdid14_1" name="ESTABLISHED">
|
||||
<CustomServiceCommand platform="Undefined"></CustomServiceCommand>
|
||||
<CustomServiceCommand platform="ipfilter"></CustomServiceCommand>
|
||||
<CustomServiceCommand platform="ipfw">established</CustomServiceCommand>
|
||||
<CustomServiceCommand platform="iptables">-m state --state ESTABLISHED,RELATED</CustomServiceCommand>
|
||||
</CustomService>
|
||||
<ServiceGroup id="stdid10" name="Groups">
|
||||
<ServiceGroup comment="" id="sg-DHCP" name="DHCP">
|
||||
<ServiceRef ref="udp-bootpc"/>
|
||||
<ServiceRef ref="udp-bootps"/>
|
||||
</ServiceGroup>
|
||||
<ServiceGroup id="id3F530CC8" name="DNS">
|
||||
<ServiceRef ref="udp-DNS"/>
|
||||
<ServiceRef ref="tcp-DNS"/>
|
||||
</ServiceGroup>
|
||||
<ServiceGroup id="id3CB1279B" name="IPSEC">
|
||||
<ServiceRef ref="id3CB12797"/>
|
||||
<ServiceRef ref="ip-IPSEC"/>
|
||||
</ServiceGroup>
|
||||
<ServiceGroup comment="" id="sg-NETBIOS" name="NETBIOS">
|
||||
<ServiceRef ref="udp-netbios-dgm"/>
|
||||
<ServiceRef ref="udp-netbios-ns"/>
|
||||
<ServiceRef ref="id3E755609"/>
|
||||
</ServiceGroup>
|
||||
<ServiceGroup id="id3CB131CC" name="PCAnywhere">
|
||||
<ServiceRef ref="id3CB131CA"/>
|
||||
<ServiceRef ref="id3CB131C8"/>
|
||||
</ServiceGroup>
|
||||
<ServiceGroup comment="" id="sg-Useful_ICMP" name="Useful_ICMP">
|
||||
<ServiceRef ref="icmp-Time_exceeded"/>
|
||||
<ServiceRef ref="icmp-Time_exceeded_in_transit"/>
|
||||
<ServiceRef ref="icmp-ping_reply"/>
|
||||
<ServiceRef ref="icmp-Unreachables"/>
|
||||
</ServiceGroup>
|
||||
<ServiceGroup id="id3B4FEDD9" name="kerberos">
|
||||
<ServiceRef ref="id3B4FEDA5"/>
|
||||
<ServiceRef ref="id3B4FEDA9"/>
|
||||
<ServiceRef ref="id3B4FEDA7"/>
|
||||
<ServiceRef ref="id3B4FEDAB"/>
|
||||
<ServiceRef ref="id3B4FEDA3"/>
|
||||
<ServiceRef ref="id3B4FEE21"/>
|
||||
<ServiceRef ref="id3B4FEE23"/>
|
||||
<ServiceRef ref="id3E7E3EA2"/>
|
||||
</ServiceGroup>
|
||||
<ServiceGroup id="id3B4FF35E" name="nfs">
|
||||
<ServiceRef ref="id3B4FEE7A"/>
|
||||
<ServiceRef ref="id3B4FEE78"/>
|
||||
</ServiceGroup>
|
||||
<ServiceGroup id="id3B4FEFFA" name="quake">
|
||||
<ServiceRef ref="id3B4FEF7C"/>
|
||||
<ServiceRef ref="id3B4FEF7E"/>
|
||||
</ServiceGroup>
|
||||
<ServiceGroup id="id3D703C9A" name="Real Player">
|
||||
<ServiceRef ref="id3D703C99"/>
|
||||
<ServiceRef ref="id3D703C8B"/>
|
||||
</ServiceGroup>
|
||||
<ServiceGroup id="id3E7E3E95" name="WinNT">
|
||||
<ServiceRef ref="sg-NETBIOS"/>
|
||||
<ServiceRef ref="id3DC8C8BB"/>
|
||||
<ServiceRef ref="id3E7E3D58"/>
|
||||
</ServiceGroup>
|
||||
<ServiceGroup id="id3E7E3E9A" name="Win2000">
|
||||
<ServiceRef ref="id3E7E3E95"/>
|
||||
<ServiceRef ref="udp-DNS"/>
|
||||
<ServiceRef ref="id3DC8C8BC"/>
|
||||
<ServiceRef ref="id3E7E3EA2"/>
|
||||
<ServiceRef ref="id3AECF778"/>
|
||||
<ServiceRef ref="id3D703C90"/>
|
||||
<ServiceRef ref="id3E7E4039"/>
|
||||
<ServiceRef ref="id3E7E403A"/>
|
||||
<ServiceRef ref="id3B4FEDA5"/>
|
||||
<ServiceRef ref="tcp-DNS"/>
|
||||
</ServiceGroup>
|
||||
<ServiceGroup comment="" id="id41291786" name="UPnP">
|
||||
<ServiceRef ref="id41291784"/>
|
||||
<ServiceRef ref="id41291785"/>
|
||||
<ServiceRef ref="id41291783"/>
|
||||
<ServiceRef ref="id412Z18A9"/>
|
||||
</ServiceGroup>
|
||||
</ServiceGroup>
|
||||
<ServiceGroup id="stdid07" name="ICMP">
|
||||
<ICMPService code="-1" comment="" id="icmp-Unreachables" name="all ICMP unreachables" type="3"/>
|
||||
<ICMPService code="-1" comment="" id="id3C20EEB5" name="any ICMP" type="-1"/>
|
||||
<ICMPService code="1" comment="" id="icmp-Host_unreach" name="host_unreach" type="3"/>
|
||||
<ICMPService code="0" comment="" id="icmp-ping_reply" name="ping reply" type="0"/>
|
||||
<ICMPService code="0" comment="" id="icmp-ping_request" name="ping request" type="8"/>
|
||||
<ICMPService code="3" comment="Port unreachable" id="icmp-Port_unreach" name="port unreach" type="3"/>
|
||||
<ICMPService code="0" comment="ICMP messages of this type are needed for traceroute" id="icmp-Time_exceeded" name="time exceeded" type="11"/>
|
||||
<ICMPService code="1" comment="" id="icmp-Time_exceeded_in_transit" name="time exceeded in transit" type="11"/>
|
||||
</ServiceGroup>
|
||||
<ServiceGroup id="stdid06" name="IP">
|
||||
<IPService comment="IPSEC Authentication Header Protocol" fragm="False" id="id3CB12797" lsrr="False" name="AH" protocol_num="51" rr="False" short_fragm="False" ssrr="False" ts="False"/>
|
||||
<IPService comment="IPSEC Encapsulating Security Payload Protocol" fragm="False" id="ip-IPSEC" lsrr="False" name="ESP" protocol_num="50" rr="False" short_fragm="False" ssrr="False" ts="False"/>
|
||||
<IPService comment="Route recording packets" fragm="False" id="ip-RR" lsrr="False" name="RR" protocol_num="0" rr="True" short_fragm="False" ssrr="False" ts="False"/>
|
||||
<IPService comment="All sorts of Source Routing Packets" fragm="False" id="ip-SRR" lsrr="True" name="SRR" protocol_num="0" rr="False" short_fragm="False" ssrr="True" ts="False"/>
|
||||
<IPService comment="'Short' fragments" fragm="False" id="ip-IP_Fragments" lsrr="False" name="ip_fragments" protocol_num="0" rr="False" short_fragm="True" ssrr="False" ts="False"/>
|
||||
<IPService comment="IPSEC Simple Key Management for Internet Protocols" fragm="False" id="id3D703C8E" lsrr="False" name="SKIP" protocol_num="57" rr="False" short_fragm="False" ssrr="False" ts="False"/>
|
||||
<IPService comment="Generic Routing Encapsulation " fragm="False" id="id3D703C8F" lsrr="False" name="GRE" protocol_num="47" rr="False" short_fragm="False" ssrr="False" ts="False"/>
|
||||
<IPService comment="Virtual Router Redundancy Protocol" fragm="False" id="id3D703C95" lsrr="False" name="vrrp" protocol_num="112" rr="False" short_fragm="False" ssrr="False" ts="False"/>
|
||||
</ServiceGroup>
|
||||
<ServiceGroup id="stdid09" name="TCP">
|
||||
<TCPService ack_flag="False" ack_flag_mask="False" comment="ipchains used to use this range of port numbers for masquerading. " dst_range_end="0" dst_range_start="0" fin_flag="False" fin_flag_mask="False" id="tcp-ALL_TCP_Masqueraded" name="ALL TCP Masqueraded" psh_flag="False" psh_flag_mask="False" rst_flag="False" rst_flag_mask="False" src_range_end="65095" src_range_start="61000" syn_flag="False" syn_flag_mask="False" urg_flag="False" urg_flag_mask="False"/>
|
||||
<TCPService ack_flag="False" ack_flag_mask="False" comment="" dst_range_end="5190" dst_range_start="5190" fin_flag="False" fin_flag_mask="False" id="id3D703C94" name="AOL" psh_flag="False" psh_flag_mask="False" rst_flag="False" rst_flag_mask="False" src_range_end="0" src_range_start="0" syn_flag="False" syn_flag_mask="False" urg_flag="False" urg_flag_mask="False"/>
|
||||
<TCPService ack_flag="False" ack_flag_mask="False" comment="" dst_range_end="0" dst_range_start="0" fin_flag="False" fin_flag_mask="False" id="tcp-All_TCP" name="All TCP" psh_flag="False" psh_flag_mask="False" rst_flag="False" rst_flag_mask="False" src_range_end="0" src_range_start="0" syn_flag="False" syn_flag_mask="False" urg_flag="False" urg_flag_mask="False"/>
|
||||
<TCPService ack_flag="False" ack_flag_mask="False" comment="" dst_range_end="1494" dst_range_start="1494" fin_flag="False" fin_flag_mask="False" id="id3CB131C4" name="Citrix-ICA" psh_flag="False" psh_flag_mask="False" rst_flag="False" rst_flag_mask="False" src_range_end="0" src_range_start="0" syn_flag="False" syn_flag_mask="False" urg_flag="False" urg_flag_mask="False"/>
|
||||
<TCPService ack_flag="False" ack_flag_mask="False" comment="Entrust CA Administration Service" dst_range_end="709" dst_range_start="709" fin_flag="False" fin_flag_mask="False" id="id3D703C91" name="Entrust-Admin" psh_flag="False" psh_flag_mask="False" rst_flag="False" rst_flag_mask="False" src_range_end="0" src_range_start="0" syn_flag="False" syn_flag_mask="False" urg_flag="False" urg_flag_mask="False"/>
|
||||
<TCPService ack_flag="False" ack_flag_mask="False" comment="Entrust CA Key Management Service" dst_range_end="710" dst_range_start="710" fin_flag="False" fin_flag_mask="False" id="id3D703C92" name="Entrust-KeyMgmt" psh_flag="False" psh_flag_mask="False" rst_flag="False" rst_flag_mask="False" src_range_end="0" src_range_start="0" syn_flag="False" syn_flag_mask="False" urg_flag="False" urg_flag_mask="False"/>
|
||||
<TCPService ack_flag="False" ack_flag_mask="False" comment="" dst_range_end="1720" dst_range_start="1720" fin_flag="False" fin_flag_mask="False" id="id3AEDBEAC" name="H323" psh_flag="False" psh_flag_mask="False" rst_flag="False" rst_flag_mask="False" src_range_end="0" src_range_start="0" syn_flag="False" syn_flag_mask="False" urg_flag="False" urg_flag_mask="False"/>
|
||||
<TCPService ack_flag="False" ack_flag_mask="False" comment="Sometimes this protocol is called icslap, but Microsoft does not call it that and just says that DSPP uses port 2869 in Windows XP SP2" dst_range_end="2869" dst_range_start="2869" fin_flag="False" fin_flag_mask="False" id="id412Z18A9" name="icslap" psh_flag="False" psh_flag_mask="False" rst_flag="False" rst_flag_mask="False" src_range_end="0" src_range_start="0" syn_flag="False" syn_flag_mask="False" urg_flag="False" urg_flag_mask="False"/>
|
||||
<TCPService ack_flag="False" ack_flag_mask="False" comment="" dst_range_end="3268" dst_range_start="3268" fin_flag="False" fin_flag_mask="False" id="id3E7E4039" name="LDAP GC" psh_flag="False" psh_flag_mask="False" rst_flag="False" rst_flag_mask="False" src_range_end="0" src_range_start="0" syn_flag="False" syn_flag_mask="False" urg_flag="False" urg_flag_mask="False"/>
|
||||
<TCPService ack_flag="False" ack_flag_mask="False" comment="" dst_range_end="3269" dst_range_start="3269" fin_flag="False" fin_flag_mask="False" id="id3E7E403A" name="LDAP GC SSL" psh_flag="False" psh_flag_mask="False" rst_flag="False" rst_flag_mask="False" src_range_end="0" src_range_start="0" syn_flag="False" syn_flag_mask="False" urg_flag="False" urg_flag_mask="False"/>
|
||||
<TCPService ack_flag="False" ack_flag_mask="False" comment="Open Windows" dst_range_end="2000" dst_range_start="2000" fin_flag="False" fin_flag_mask="False" id="id3D703C83" name="OpenWindows" psh_flag="False" psh_flag_mask="False" rst_flag="False" rst_flag_mask="False" src_range_end="0" src_range_start="0" syn_flag="False" syn_flag_mask="False" urg_flag="False" urg_flag_mask="False"/>
|
||||
<TCPService ack_flag="False" ack_flag_mask="False" comment="data channel for PCAnywhere v7.52 and later " dst_range_end="5631" dst_range_start="5631" fin_flag="False" fin_flag_mask="False" id="id3CB131C8" name="PCAnywhere-data" psh_flag="False" psh_flag_mask="False" rst_flag="False" rst_flag_mask="False" src_range_end="0" src_range_start="0" syn_flag="False" syn_flag_mask="False" urg_flag="False" urg_flag_mask="False"/>
|
||||
<TCPService ack_flag="False" ack_flag_mask="False" comment="RealNetworks PNA Protocol" dst_range_end="7070" dst_range_start="7070" fin_flag="False" fin_flag_mask="False" id="id3D703C8B" name="Real-Audio" psh_flag="False" psh_flag_mask="False" rst_flag="False" rst_flag_mask="False" src_range_end="0" src_range_start="0" syn_flag="False" syn_flag_mask="False" urg_flag="False" urg_flag_mask="False"/>
|
||||
<TCPService ack_flag="False" ack_flag_mask="False" comment="" dst_range_end="2998" dst_range_start="2998" fin_flag="False" fin_flag_mask="False" id="id3D703C93" name="RealSecure" psh_flag="False" psh_flag_mask="False" rst_flag="False" rst_flag_mask="False" src_range_end="0" src_range_start="0" syn_flag="False" syn_flag_mask="False" urg_flag="False" urg_flag_mask="False"/>
|
||||
<TCPService ack_flag="False" ack_flag_mask="False" comment="SMB over TCP (without NETBIOS) " dst_range_end="445" dst_range_start="445" fin_flag="False" fin_flag_mask="False" id="id3DC8C8BC" name="SMB" psh_flag="False" psh_flag_mask="False" rst_flag="False" rst_flag_mask="False" src_range_end="0" src_range_start="0" syn_flag="False" syn_flag_mask="False" urg_flag="False" urg_flag_mask="False"/>
|
||||
<TCPService ack_flag="False" ack_flag_mask="False" comment="" dst_range_end="49" dst_range_start="49" fin_flag="False" fin_flag_mask="False" id="id3D703C8D" name="TACACSplus" psh_flag="False" psh_flag_mask="False" rst_flag="False" rst_flag_mask="False" src_range_end="0" src_range_start="0" syn_flag="False" syn_flag_mask="False" urg_flag="False" urg_flag_mask="False"/>
|
||||
<TCPService ack_flag="False" ack_flag_mask="False" comment="TCP high ports" dst_range_end="65535" dst_range_start="1024" fin_flag="False" fin_flag_mask="False" id="id3D703C84" name="TCP high ports" psh_flag="False" psh_flag_mask="False" rst_flag="False" rst_flag_mask="False" src_range_end="0" src_range_start="0" syn_flag="False" syn_flag_mask="False" urg_flag="False" urg_flag_mask="False"/>
|
||||
<TCPService ack_flag="False" ack_flag_mask="False" comment="" dst_range_end="42" dst_range_start="42" fin_flag="False" fin_flag_mask="False" id="id3E7E3D58" name="WINS replication" psh_flag="False" psh_flag_mask="False" rst_flag="False" rst_flag_mask="False" src_range_end="0" src_range_start="0" syn_flag="False" syn_flag_mask="False" urg_flag="False" urg_flag_mask="False"/>
|
||||
<TCPService ack_flag="False" ack_flag_mask="False" comment="X Window System" dst_range_end="6063" dst_range_start="6000" fin_flag="False" fin_flag_mask="False" id="id3D703C82" name="X11" psh_flag="False" psh_flag_mask="False" rst_flag="False" rst_flag_mask="False" src_range_end="0" src_range_start="0" syn_flag="False" syn_flag_mask="False" urg_flag="False" urg_flag_mask="False"/>
|
||||
<TCPService ack_flag="False" ack_flag_mask="False" comment="" dst_range_end="113" dst_range_start="113" fin_flag="False" fin_flag_mask="False" id="tcp-Auth" name="auth" psh_flag="False" psh_flag_mask="False" rst_flag="False" rst_flag_mask="False" src_range_end="0" src_range_start="0" syn_flag="False" syn_flag_mask="False" urg_flag="False" urg_flag_mask="False"/>
|
||||
<TCPService ack_flag="False" ack_flag_mask="False" comment="" dst_range_end="13" dst_range_start="13" fin_flag="False" fin_flag_mask="False" id="id3AEDBE6E" name="daytime" psh_flag="False" psh_flag_mask="False" rst_flag="False" rst_flag_mask="False" src_range_end="0" src_range_start="0" syn_flag="False" syn_flag_mask="False" urg_flag="False" urg_flag_mask="False"/>
|
||||
<TCPService ack_flag="False" ack_flag_mask="False" comment="" dst_range_end="53" dst_range_start="53" fin_flag="False" fin_flag_mask="False" id="tcp-DNS" name="domain" psh_flag="False" psh_flag_mask="False" rst_flag="False" rst_flag_mask="False" src_range_end="0" src_range_start="0" syn_flag="False" syn_flag_mask="False" urg_flag="False" urg_flag_mask="False"/>
|
||||
<TCPService ack_flag="False" ack_flag_mask="False" comment="" dst_range_end="2105" dst_range_start="2105" fin_flag="False" fin_flag_mask="False" id="id3B4FEDA3" name="eklogin" psh_flag="False" psh_flag_mask="False" rst_flag="False" rst_flag_mask="False" src_range_end="0" src_range_start="0" syn_flag="False" syn_flag_mask="False" urg_flag="False" urg_flag_mask="False"/>
|
||||
<TCPService ack_flag="False" ack_flag_mask="False" comment="" dst_range_end="79" dst_range_start="79" fin_flag="False" fin_flag_mask="False" id="id3AECF774" name="finger" psh_flag="False" psh_flag_mask="False" rst_flag="False" rst_flag_mask="False" src_range_end="0" src_range_start="0" syn_flag="False" syn_flag_mask="False" urg_flag="False" urg_flag_mask="False"/>
|
||||
<TCPService ack_flag="False" ack_flag_mask="False" comment="" dst_range_end="21" dst_range_start="21" fin_flag="False" fin_flag_mask="False" id="tcp-FTP" name="ftp" psh_flag="False" psh_flag_mask="False" rst_flag="False" rst_flag_mask="False" src_range_end="0" src_range_start="0" syn_flag="False" syn_flag_mask="False" urg_flag="False" urg_flag_mask="False"/>
|
||||
<TCPService ack_flag="False" ack_flag_mask="False" comment="FTP data channel. Note: FTP protocol does not really require server to use source port 20 for the data channel, but many ftp server implementations do so." dst_range_end="65535" dst_range_start="1024" fin_flag="False" fin_flag_mask="False" id="tcp-FTP_data" name="ftp data" psh_flag="False" psh_flag_mask="False" rst_flag="False" rst_flag_mask="False" src_range_end="20" src_range_start="20" syn_flag="False" syn_flag_mask="False" urg_flag="False" urg_flag_mask="False"/>
|
||||
<TCPService ack_flag="False" ack_flag_mask="False" comment="FTP data channel for passive mode transfers " dst_range_end="20" dst_range_start="20" fin_flag="False" fin_flag_mask="False" id="id3E7553BC" name="ftp data passive" psh_flag="False" psh_flag_mask="False" rst_flag="False" rst_flag_mask="False" src_range_end="0" src_range_start="0" syn_flag="False" syn_flag_mask="False" urg_flag="False" urg_flag_mask="False"/>
|
||||
<TCPService ack_flag="False" ack_flag_mask="False" comment="" dst_range_end="80" dst_range_start="80" fin_flag="False" fin_flag_mask="False" id="tcp-HTTP" name="http" psh_flag="False" psh_flag_mask="False" rst_flag="False" rst_flag_mask="False" src_range_end="0" src_range_start="0" syn_flag="False" syn_flag_mask="False" urg_flag="False" urg_flag_mask="False"/>
|
||||
<TCPService ack_flag="False" ack_flag_mask="False" comment="" dst_range_end="443" dst_range_start="443" fin_flag="False" fin_flag_mask="False" id="id3B4FED69" name="https" psh_flag="False" psh_flag_mask="False" rst_flag="False" rst_flag_mask="False" src_range_end="0" src_range_start="0" syn_flag="False" syn_flag_mask="False" urg_flag="False" urg_flag_mask="False"/>
|
||||
<TCPService ack_flag="False" ack_flag_mask="False" comment="" dst_range_end="143" dst_range_start="143" fin_flag="False" fin_flag_mask="False" id="id3AECF776" name="imap" psh_flag="False" psh_flag_mask="False" rst_flag="False" rst_flag_mask="False" src_range_end="0" src_range_start="0" syn_flag="False" syn_flag_mask="False" urg_flag="False" urg_flag_mask="False"/>
|
||||
<TCPService ack_flag="False" ack_flag_mask="False" comment="" dst_range_end="993" dst_range_start="993" fin_flag="False" fin_flag_mask="False" id="id3B4FED9F" name="imaps" psh_flag="False" psh_flag_mask="False" rst_flag="False" rst_flag_mask="False" src_range_end="0" src_range_start="0" syn_flag="False" syn_flag_mask="False" urg_flag="False" urg_flag_mask="False"/>
|
||||
<TCPService ack_flag="False" ack_flag_mask="False" comment="" dst_range_end="6667" dst_range_start="6667" fin_flag="False" fin_flag_mask="False" id="id3B4FF13C" name="irc" psh_flag="False" psh_flag_mask="False" rst_flag="False" rst_flag_mask="False" src_range_end="0" src_range_start="0" syn_flag="False" syn_flag_mask="False" urg_flag="False" urg_flag_mask="False"/>
|
||||
<TCPService ack_flag="False" ack_flag_mask="False" comment="" dst_range_end="88" dst_range_start="88" fin_flag="False" fin_flag_mask="False" id="id3E7E3EA2" name="kerberos" psh_flag="False" psh_flag_mask="False" rst_flag="False" rst_flag_mask="False" src_range_end="0" src_range_start="0" syn_flag="False" syn_flag_mask="False" urg_flag="False" urg_flag_mask="False"/>
|
||||
<TCPService ack_flag="False" ack_flag_mask="False" comment="" dst_range_end="543" dst_range_start="543" fin_flag="False" fin_flag_mask="False" id="id3B4FEE21" name="klogin" psh_flag="False" psh_flag_mask="False" rst_flag="False" rst_flag_mask="False" src_range_end="0" src_range_start="0" syn_flag="False" syn_flag_mask="False" urg_flag="False" urg_flag_mask="False"/>
|
||||
<TCPService ack_flag="False" ack_flag_mask="False" comment="" dst_range_end="544" dst_range_start="544" fin_flag="False" fin_flag_mask="False" id="id3B4FEE23" name="ksh" psh_flag="False" psh_flag_mask="False" rst_flag="False" rst_flag_mask="False" src_range_end="0" src_range_start="0" syn_flag="False" syn_flag_mask="False" urg_flag="False" urg_flag_mask="False"/>
|
||||
<TCPService ack_flag="False" ack_flag_mask="False" comment="" dst_range_end="389" dst_range_start="389" fin_flag="False" fin_flag_mask="False" id="id3AECF778" name="ldap" psh_flag="False" psh_flag_mask="False" rst_flag="False" rst_flag_mask="False" src_range_end="0" src_range_start="0" syn_flag="False" syn_flag_mask="False" urg_flag="False" urg_flag_mask="False"/>
|
||||
<TCPService ack_flag="False" ack_flag_mask="False" comment="Lightweight Directory Access Protocol over TLS/SSL" dst_range_end="636" dst_range_start="636" fin_flag="False" fin_flag_mask="False" id="id3D703C90" name="ldaps" psh_flag="False" psh_flag_mask="False" rst_flag="False" rst_flag_mask="False" src_range_end="0" src_range_start="0" syn_flag="False" syn_flag_mask="False" urg_flag="False" urg_flag_mask="False"/>
|
||||
<TCPService ack_flag="False" ack_flag_mask="False" comment="" dst_range_end="98" dst_range_start="98" fin_flag="False" fin_flag_mask="False" id="id3B4FF000" name="linuxconf" psh_flag="False" psh_flag_mask="False" rst_flag="False" rst_flag_mask="False" src_range_end="0" src_range_start="0" syn_flag="False" syn_flag_mask="False" urg_flag="False" urg_flag_mask="False"/>
|
||||
<TCPService ack_flag="False" ack_flag_mask="False" comment="" dst_range_end="515" dst_range_start="515" fin_flag="False" fin_flag_mask="False" id="id3D703C97" name="lpr" psh_flag="False" psh_flag_mask="False" rst_flag="False" rst_flag_mask="False" src_range_end="0" src_range_start="0" syn_flag="False" syn_flag_mask="False" urg_flag="False" urg_flag_mask="False"/>
|
||||
<TCPService ack_flag="False" ack_flag_mask="False" comment="" dst_range_end="135" dst_range_start="135" fin_flag="False" fin_flag_mask="False" id="id3DC8C8BB" name="microsoft-rpc" psh_flag="False" psh_flag_mask="False" rst_flag="False" rst_flag_mask="False" src_range_end="0" src_range_start="0" syn_flag="False" syn_flag_mask="False" urg_flag="False" urg_flag_mask="False"/>
|
||||
<TCPService ack_flag="False" ack_flag_mask="False" comment="Microsoft SQL Server" dst_range_end="1433" dst_range_start="1433" fin_flag="False" fin_flag_mask="False" id="id3D703C98" name="ms-sql" psh_flag="False" psh_flag_mask="False" rst_flag="False" rst_flag_mask="False" src_range_end="0" src_range_start="0" syn_flag="False" syn_flag_mask="False" urg_flag="False" urg_flag_mask="False"/>
|
||||
<TCPService ack_flag="False" ack_flag_mask="False" comment="" dst_range_end="3306" dst_range_start="3306" fin_flag="False" fin_flag_mask="False" id="id3B4FEEEE" name="mysql" psh_flag="False" psh_flag_mask="False" rst_flag="False" rst_flag_mask="False" src_range_end="0" src_range_start="0" syn_flag="False" syn_flag_mask="False" urg_flag="False" urg_flag_mask="False"/>
|
||||
<TCPService ack_flag="False" ack_flag_mask="False" comment="" dst_range_end="139" dst_range_start="139" fin_flag="False" fin_flag_mask="False" id="id3E755609" name="netbios-ssn" psh_flag="False" psh_flag_mask="False" rst_flag="False" rst_flag_mask="False" src_range_end="0" src_range_start="0" syn_flag="False" syn_flag_mask="False" urg_flag="False" urg_flag_mask="False"/>
|
||||
<TCPService ack_flag="False" ack_flag_mask="False" comment="" dst_range_end="2049" dst_range_start="2049" fin_flag="False" fin_flag_mask="False" id="id3B4FEE7A" name="nfs" psh_flag="False" psh_flag_mask="False" rst_flag="False" rst_flag_mask="False" src_range_end="0" src_range_start="0" syn_flag="False" syn_flag_mask="False" urg_flag="False" urg_flag_mask="False"/>
|
||||
<TCPService ack_flag="False" ack_flag_mask="False" comment="" dst_range_end="119" dst_range_start="119" fin_flag="False" fin_flag_mask="False" id="tcp-NNTP" name="nntp" psh_flag="False" psh_flag_mask="False" rst_flag="False" rst_flag_mask="False" src_range_end="0" src_range_start="0" syn_flag="False" syn_flag_mask="False" urg_flag="False" urg_flag_mask="False"/>
|
||||
<TCPService ack_flag="False" ack_flag_mask="False" comment="NNTP over SSL" dst_range_end="563" dst_range_start="563" fin_flag="False" fin_flag_mask="False" id="id3E7553BB" name="nntps" psh_flag="False" psh_flag_mask="False" rst_flag="False" rst_flag_mask="False" src_range_end="0" src_range_start="0" syn_flag="False" syn_flag_mask="False" urg_flag="False" urg_flag_mask="False"/>
|
||||
<TCPService ack_flag="False" ack_flag_mask="False" comment="" dst_range_end="110" dst_range_start="110" fin_flag="False" fin_flag_mask="False" id="id3B4FEE1D" name="pop3" psh_flag="False" psh_flag_mask="False" rst_flag="False" rst_flag_mask="False" src_range_end="0" src_range_start="0" syn_flag="False" syn_flag_mask="False" urg_flag="False" urg_flag_mask="False"/>
|
||||
<TCPService ack_flag="False" ack_flag_mask="False" comment="POP-3 over SSL" dst_range_end="995" dst_range_start="995" fin_flag="False" fin_flag_mask="False" id="id3E7553BA" name="pop3s" psh_flag="False" psh_flag_mask="False" rst_flag="False" rst_flag_mask="False" src_range_end="0" src_range_start="0" syn_flag="False" syn_flag_mask="False" urg_flag="False" urg_flag_mask="False"/>
|
||||
<TCPService ack_flag="False" ack_flag_mask="False" comment="" dst_range_end="5432" dst_range_start="5432" fin_flag="False" fin_flag_mask="False" id="id3B4FF0EA" name="postgres" psh_flag="False" psh_flag_mask="False" rst_flag="False" rst_flag_mask="False" src_range_end="0" src_range_start="0" syn_flag="False" syn_flag_mask="False" urg_flag="False" urg_flag_mask="False"/>
|
||||
<TCPService ack_flag="False" ack_flag_mask="False" comment="" dst_range_end="515" dst_range_start="515" fin_flag="False" fin_flag_mask="False" id="id3AECF782" name="printer" psh_flag="False" psh_flag_mask="False" rst_flag="False" rst_flag_mask="False" src_range_end="0" src_range_start="0" syn_flag="False" syn_flag_mask="False" urg_flag="False" urg_flag_mask="False"/>
|
||||
<TCPService ack_flag="False" ack_flag_mask="False" comment="" dst_range_end="26000" dst_range_start="26000" fin_flag="False" fin_flag_mask="False" id="id3B4FEF7C" name="quake" psh_flag="False" psh_flag_mask="False" rst_flag="False" rst_flag_mask="False" src_range_end="0" src_range_start="0" syn_flag="False" syn_flag_mask="False" urg_flag="False" urg_flag_mask="False"/>
|
||||
<TCPService ack_flag="False" ack_flag_mask="False" comment="" dst_range_end="512" dst_range_start="512" fin_flag="False" fin_flag_mask="False" id="id3AECF77A" name="rexec" psh_flag="False" psh_flag_mask="False" rst_flag="False" rst_flag_mask="False" src_range_end="0" src_range_start="0" syn_flag="False" syn_flag_mask="False" urg_flag="False" urg_flag_mask="False"/>
|
||||
<TCPService ack_flag="False" ack_flag_mask="False" comment="" dst_range_end="513" dst_range_start="513" fin_flag="False" fin_flag_mask="False" id="id3AECF77C" name="rlogin" psh_flag="False" psh_flag_mask="False" rst_flag="False" rst_flag_mask="False" src_range_end="0" src_range_start="0" syn_flag="False" syn_flag_mask="False" urg_flag="False" urg_flag_mask="False"/>
|
||||
<TCPService ack_flag="False" ack_flag_mask="False" comment="" dst_range_end="514" dst_range_start="514" fin_flag="False" fin_flag_mask="False" id="id3AECF77E" name="rshell" psh_flag="False" psh_flag_mask="False" rst_flag="False" rst_flag_mask="False" src_range_end="0" src_range_start="0" syn_flag="False" syn_flag_mask="False" urg_flag="False" urg_flag_mask="False"/>
|
||||
<TCPService ack_flag="False" ack_flag_mask="False" comment="Real Time Streaming Protocol" dst_range_end="554" dst_range_start="554" fin_flag="False" fin_flag_mask="False" id="id3D703C99" name="rtsp" psh_flag="False" psh_flag_mask="False" rst_flag="False" rst_flag_mask="False" src_range_end="0" src_range_start="0" syn_flag="False" syn_flag_mask="False" urg_flag="False" urg_flag_mask="False"/>
|
||||
<TCPService ack_flag="False" ack_flag_mask="False" comment="" dst_range_end="4321" dst_range_start="4321" fin_flag="False" fin_flag_mask="False" id="id3B4FEF34" name="rwhois" psh_flag="False" psh_flag_mask="False" rst_flag="False" rst_flag_mask="False" src_range_end="0" src_range_start="0" syn_flag="False" syn_flag_mask="False" urg_flag="False" urg_flag_mask="False"/>
|
||||
<TCPService ack_flag="False" ack_flag_mask="False" comment="" dst_range_end="5510" dst_range_start="5510" fin_flag="False" fin_flag_mask="False" id="id3D703C89" name="securidprop" psh_flag="False" psh_flag_mask="False" rst_flag="False" rst_flag_mask="False" src_range_end="0" src_range_start="0" syn_flag="False" syn_flag_mask="False" urg_flag="False" urg_flag_mask="False"/>
|
||||
<TCPService ack_flag="False" ack_flag_mask="False" comment="" dst_range_end="25" dst_range_start="25" fin_flag="False" fin_flag_mask="False" id="tcp-SMTP" name="smtp" psh_flag="False" psh_flag_mask="False" rst_flag="False" rst_flag_mask="False" src_range_end="0" src_range_start="0" syn_flag="False" syn_flag_mask="False" urg_flag="False" urg_flag_mask="False"/>
|
||||
<TCPService ack_flag="False" ack_flag_mask="False" comment="" dst_range_end="465" dst_range_start="465" fin_flag="False" fin_flag_mask="False" id="id3B4FF04C" name="smtps" psh_flag="False" psh_flag_mask="False" rst_flag="False" rst_flag_mask="False" src_range_end="0" src_range_start="0" syn_flag="False" syn_flag_mask="False" urg_flag="False" urg_flag_mask="False"/>
|
||||
<TCPService ack_flag="False" ack_flag_mask="False" comment="" dst_range_end="1080" dst_range_start="1080" fin_flag="False" fin_flag_mask="False" id="id3B4FEE76" name="socks" psh_flag="False" psh_flag_mask="False" rst_flag="False" rst_flag_mask="False" src_range_end="0" src_range_start="0" syn_flag="False" syn_flag_mask="False" urg_flag="False" urg_flag_mask="False"/>
|
||||
<TCPService ack_flag="False" ack_flag_mask="False" comment="" dst_range_end="1521" dst_range_start="1521" fin_flag="False" fin_flag_mask="False" id="id3D703C87" name="sqlnet1" psh_flag="False" psh_flag_mask="False" rst_flag="False" rst_flag_mask="False" src_range_end="0" src_range_start="0" syn_flag="False" syn_flag_mask="False" urg_flag="False" urg_flag_mask="False"/>
|
||||
<TCPService ack_flag="False" ack_flag_mask="False" comment="" dst_range_end="3128" dst_range_start="3128" fin_flag="False" fin_flag_mask="False" id="id3B4FF09A" name="squid" psh_flag="False" psh_flag_mask="False" rst_flag="False" rst_flag_mask="False" src_range_end="0" src_range_start="0" syn_flag="False" syn_flag_mask="False" urg_flag="False" urg_flag_mask="False"/>
|
||||
<TCPService ack_flag="False" ack_flag_mask="False" comment="" dst_range_end="22" dst_range_start="22" fin_flag="False" fin_flag_mask="False" id="tcp-SSH" name="ssh" psh_flag="False" psh_flag_mask="False" rst_flag="False" rst_flag_mask="False" src_range_end="0" src_range_start="0" syn_flag="False" syn_flag_mask="False" urg_flag="False" urg_flag_mask="False"/>
|
||||
<TCPService ack_flag="False" ack_flag_mask="False" comment="" dst_range_end="111" dst_range_start="111" fin_flag="False" fin_flag_mask="False" id="id3AEDBE00" name="sunrpc" psh_flag="False" psh_flag_mask="False" rst_flag="False" rst_flag_mask="False" src_range_end="0" src_range_start="0" syn_flag="False" syn_flag_mask="False" urg_flag="False" urg_flag_mask="False"/>
|
||||
<TCPService ack_flag="False" ack_flag_mask="True" comment="" dst_range_end="0" dst_range_start="0" fin_flag="False" fin_flag_mask="True" id="tcp-TCP-SYN" name="tcp-syn" psh_flag="False" psh_flag_mask="True" rst_flag="False" rst_flag_mask="True" src_range_end="0" src_range_start="0" syn_flag="True" syn_flag_mask="True" urg_flag="False" urg_flag_mask="True"/>
|
||||
<TCPService ack_flag="False" ack_flag_mask="False" comment="" dst_range_end="23" dst_range_start="23" fin_flag="False" fin_flag_mask="False" id="tcp-Telnet" name="telnet" psh_flag="False" psh_flag_mask="False" rst_flag="False" rst_flag_mask="False" src_range_end="0" src_range_start="0" syn_flag="False" syn_flag_mask="False" urg_flag="False" urg_flag_mask="False"/>
|
||||
<TCPService ack_flag="False" ack_flag_mask="False" comment="" dst_range_end="540" dst_range_start="540" fin_flag="False" fin_flag_mask="False" id="tcp-uucp" name="uucp" psh_flag="False" psh_flag_mask="False" rst_flag="False" rst_flag_mask="False" src_range_end="0" src_range_start="0" syn_flag="False" syn_flag_mask="False" urg_flag="False" urg_flag_mask="False"/>
|
||||
<TCPService ack_flag="False" ack_flag_mask="False" comment="Windows Terminal Services" dst_range_end="3389" dst_range_start="3389" fin_flag="False" fin_flag_mask="False" id="id3CB131C6" name="winterm" psh_flag="False" psh_flag_mask="False" rst_flag="False" rst_flag_mask="False" src_range_end="0" src_range_start="0" syn_flag="False" syn_flag_mask="False" urg_flag="False" urg_flag_mask="False"/>
|
||||
<TCPService ack_flag="False" ack_flag_mask="False" comment="" dst_range_end="7100" dst_range_start="7100" fin_flag="False" fin_flag_mask="False" id="id3B4FF1B8" name="xfs" psh_flag="False" psh_flag_mask="False" rst_flag="False" rst_flag_mask="False" src_range_end="0" src_range_start="0" syn_flag="False" syn_flag_mask="False" urg_flag="False" urg_flag_mask="False"/>
|
||||
<TCPService ack_flag="True" ack_flag_mask="True" comment="This service object matches TCP packet with all six flags set." dst_range_end="0" dst_range_start="0" fin_flag="True" fin_flag_mask="True" id="id3C685B2B" name="xmas scan - full" psh_flag="True" psh_flag_mask="True" rst_flag="True" rst_flag_mask="True" src_range_end="0" src_range_start="0" syn_flag="True" syn_flag_mask="True" urg_flag="True" urg_flag_mask="True"/>
|
||||
<TCPService ack_flag="False" ack_flag_mask="True" comment="This service object matches TCP packet with flags FIN, PSH and URG set and other flags cleared. This is a "christmas scan" as defined in snort rules. Nmap can generate this scan, too." dst_range_end="0" dst_range_start="0" fin_flag="True" fin_flag_mask="True" id="id4127E949" name="xmas scan" psh_flag="True" psh_flag_mask="True" rst_flag="False" rst_flag_mask="True" src_range_end="0" src_range_start="0" syn_flag="False" syn_flag_mask="True" urg_flag="True" urg_flag_mask="True"/>
|
||||
<TCPService ack_flag="False" ack_flag_mask="False" comment="" dst_range_end="873" dst_range_start="873" fin_flag="False" fin_flag_mask="False" id="id4127EA72" name="rsync" psh_flag="False" psh_flag_mask="False" rst_flag="False" rst_flag_mask="False" src_range_end="0" src_range_start="0" syn_flag="False" syn_flag_mask="False" urg_flag="False" urg_flag_mask="False"/>
|
||||
<TCPService ack_flag="False" ack_flag_mask="False" comment="distributed compiler" dst_range_end="3632" dst_range_start="3632" fin_flag="False" fin_flag_mask="False" id="id4127EBAC" name="distcc" psh_flag="False" psh_flag_mask="False" rst_flag="False" rst_flag_mask="False" src_range_end="0" src_range_start="0" syn_flag="False" syn_flag_mask="False" urg_flag="False" urg_flag_mask="False"/>
|
||||
<TCPService ack_flag="False" ack_flag_mask="False" comment="CVS client/server operations" dst_range_end="2401" dst_range_start="2401" fin_flag="False" fin_flag_mask="False" id="id4127ECF1" name="cvspserver" psh_flag="False" psh_flag_mask="False" rst_flag="False" rst_flag_mask="False" src_range_end="0" src_range_start="0" syn_flag="False" syn_flag_mask="False" urg_flag="False" urg_flag_mask="False"/>
|
||||
<TCPService ack_flag="False" ack_flag_mask="False" comment="CVSup file transfer/John Polstra/FreeBSD" dst_range_end="5999" dst_range_start="5999" fin_flag="False" fin_flag_mask="False" id="id4127ECF2" name="cvsup" psh_flag="False" psh_flag_mask="False" rst_flag="False" rst_flag_mask="False" src_range_end="0" src_range_start="0" syn_flag="False" syn_flag_mask="False" urg_flag="False" urg_flag_mask="False"/>
|
||||
<TCPService ack_flag="False" ack_flag_mask="False" comment="AFP (Apple file sharing) over TCP" dst_range_end="548" dst_range_start="548" fin_flag="False" fin_flag_mask="False" id="id4127ED5E" name="afp" psh_flag="False" psh_flag_mask="False" rst_flag="False" rst_flag_mask="False" src_range_end="0" src_range_start="0" syn_flag="False" syn_flag_mask="False" urg_flag="False" urg_flag_mask="False"/>
|
||||
<TCPService ack_flag="False" ack_flag_mask="False" comment="" dst_range_end="43" dst_range_start="43" fin_flag="False" fin_flag_mask="False" id="id4127EDF6" name="whois" psh_flag="False" psh_flag_mask="False" rst_flag="False" rst_flag_mask="False" src_range_end="0" src_range_start="0" syn_flag="False" syn_flag_mask="False" urg_flag="False" urg_flag_mask="False"/>
|
||||
<TCPService ack_flag="False" ack_flag_mask="False" comment="" dst_range_end="179" dst_range_start="179" fin_flag="False" fin_flag_mask="False" id="id4127F04F" name="bgp" psh_flag="False" psh_flag_mask="False" rst_flag="False" rst_flag_mask="False" src_range_end="0" src_range_start="0" syn_flag="False" syn_flag_mask="False" urg_flag="False" urg_flag_mask="False"/>
|
||||
<TCPService ack_flag="False" ack_flag_mask="False" comment="Radius protocol" dst_range_end="1812" dst_range_start="1812" fin_flag="False" fin_flag_mask="False" id="id4127F146" name="radius" psh_flag="False" psh_flag_mask="False" rst_flag="False" rst_flag_mask="False" src_range_end="0" src_range_start="0" syn_flag="False" syn_flag_mask="False" urg_flag="False" urg_flag_mask="False"/>
|
||||
<TCPService ack_flag="False" ack_flag_mask="False" comment="Radius Accounting" dst_range_end="1813" dst_range_start="1813" fin_flag="False" fin_flag_mask="False" id="id4127F147" name="radius acct" psh_flag="False" psh_flag_mask="False" rst_flag="False" rst_flag_mask="False" src_range_end="0" src_range_start="0" syn_flag="False" syn_flag_mask="False" urg_flag="False" urg_flag_mask="False"/>
|
||||
<TCPService ack_flag="False" ack_flag_mask="False" comment="" dst_range_end="5000" dst_range_start="5000" fin_flag="False" fin_flag_mask="False" id="id41291784" name="upnp" psh_flag="False" psh_flag_mask="False" rst_flag="False" rst_flag_mask="False" src_range_end="0" src_range_start="0" syn_flag="False" syn_flag_mask="False" urg_flag="False" urg_flag_mask="False"/>
|
||||
<TCPService ack_flag="False" ack_flag_mask="False" comment="Although UPnP specification say it should use TCP port 5000, Linksys running Sveasoft firmware listens on port 5431" dst_range_end="5431" dst_range_start="5431" fin_flag="False" fin_flag_mask="False" id="id41291785" name="upnp-5431" psh_flag="False" psh_flag_mask="False" rst_flag="False" rst_flag_mask="False" src_range_end="0" src_range_start="0" syn_flag="False" syn_flag_mask="False" urg_flag="False" urg_flag_mask="False"/>
|
||||
<TCPService ack_flag="False" ack_flag_mask="False" comment="Java VNC viewer, display 0" dst_range_end="5800" dst_range_start="5800" fin_flag="False" fin_flag_mask="False" id="id41291787" name="vnc-java-0" psh_flag="False" psh_flag_mask="False" rst_flag="False" rst_flag_mask="False" src_range_end="0" src_range_start="0" syn_flag="False" syn_flag_mask="False" urg_flag="False" urg_flag_mask="False"/>
|
||||
<TCPService ack_flag="False" ack_flag_mask="False" comment="Regular VNC viewer, display 0" dst_range_end="5900" dst_range_start="5900" fin_flag="False" fin_flag_mask="False" id="id41291788" name="vnc-0" psh_flag="False" psh_flag_mask="False" rst_flag="False" rst_flag_mask="False" src_range_end="0" src_range_start="0" syn_flag="False" syn_flag_mask="False" urg_flag="False" urg_flag_mask="False"/>
|
||||
<TCPService ack_flag="False" ack_flag_mask="False" comment="Java VNC viewer, display 1" dst_range_end="5801" dst_range_start="5801" fin_flag="False" fin_flag_mask="False" id="id41291887" name="vnc-java-1" psh_flag="False" psh_flag_mask="False" rst_flag="False" rst_flag_mask="False" src_range_end="0" src_range_start="0" syn_flag="False" syn_flag_mask="False" urg_flag="False" urg_flag_mask="False"/>
|
||||
<TCPService ack_flag="False" ack_flag_mask="False" comment="Regular VNC viewer, display 1" dst_range_end="5901" dst_range_start="5901" fin_flag="False" fin_flag_mask="False" id="id41291888" name="vnc-1" psh_flag="False" psh_flag_mask="False" rst_flag="False" rst_flag_mask="False" src_range_end="0" src_range_start="0" syn_flag="False" syn_flag_mask="False" urg_flag="False" urg_flag_mask="False"/>
|
||||
<TCPService ack_flag="False" ack_flag_mask="False" comment="Some firewall platforms can match TCP packets with flags ACK or RST set; the option is usually called "established". Note that you can use this object only in the policy rules of the firewall that supports this option. If you need to match reply packets for a specific TCP service and wish to use option "established", make a copy of this object and set source port range to match the service. " dst_range_end="0" dst_range_start="0" established="True" fin_flag="False" fin_flag_mask="False" id="id463FE5FE11008" name="All TCP established" psh_flag="False" psh_flag_mask="False" rst_flag="False" rst_flag_mask="False" src_range_end="0" src_range_start="0" syn_flag="False" syn_flag_mask="False" urg_flag="False" urg_flag_mask="False"/>
|
||||
</ServiceGroup>
|
||||
<ServiceGroup id="stdid08" name="UDP">
|
||||
<UDPService comment="ipchains used to use this port range for masqueraded packets" dst_range_end="0" dst_range_start="0" id="udp-ALL_UDP_Masqueraded" name="ALL UDP Masqueraded" src_range_end="65095" src_range_start="61000"/>
|
||||
<UDPService comment="" dst_range_end="0" dst_range_start="0" id="udp-All_UDP" name="All UDP" src_range_end="0" src_range_start="0"/>
|
||||
<UDPService comment="" dst_range_end="4000" dst_range_start="4000" id="id3D703C96" name="ICQ" src_range_end="0" src_range_start="0"/>
|
||||
<UDPService comment="" dst_range_end="500" dst_range_start="500" id="id3CB129D2" name="IKE" src_range_end="0" src_range_start="0"/>
|
||||
<UDPService comment="status channel for PCAnywhere v7.52 and later" dst_range_end="5632" dst_range_start="5632" id="id3CB131CA" name="PCAnywhere-status" src_range_end="0" src_range_start="0"/>
|
||||
<UDPService comment="routing protocol RIP" dst_range_end="520" dst_range_start="520" id="id3AED0D6B" name="RIP" src_range_end="0" src_range_start="0"/>
|
||||
<UDPService comment="" dst_range_end="1645" dst_range_start="1645" id="id3D703C8C" name="Radius" src_range_end="0" src_range_start="0"/>
|
||||
<UDPService comment="" dst_range_end="65535" dst_range_start="1024" id="id3D703C85" name="UDP high ports" src_range_end="0" src_range_start="0"/>
|
||||
<UDPService comment="" dst_range_end="513" dst_range_start="513" id="id3D703C86" name="Who" src_range_end="0" src_range_start="0"/>
|
||||
<UDPService comment="" dst_range_end="7009" dst_range_start="7000" id="id3B4FEDA1" name="afs" src_range_end="0" src_range_start="0"/>
|
||||
<UDPService comment="" dst_range_end="68" dst_range_start="68" id="udp-bootpc" name="bootpc" src_range_end="0" src_range_start="0"/>
|
||||
<UDPService comment="" dst_range_end="67" dst_range_start="67" id="udp-bootps" name="bootps" src_range_end="0" src_range_start="0"/>
|
||||
<UDPService comment="" dst_range_end="13" dst_range_start="13" id="id3AEDBE70" name="daytime" src_range_end="0" src_range_start="0"/>
|
||||
<UDPService comment="" dst_range_end="53" dst_range_start="53" id="udp-DNS" name="domain" src_range_end="0" src_range_start="0"/>
|
||||
<UDPService comment="VocalTec Internet Phone" dst_range_end="22555" dst_range_start="22555" id="id3D703C8A" name="interphone" src_range_end="0" src_range_start="0"/>
|
||||
<UDPService comment="" dst_range_end="88" dst_range_start="88" id="id3B4FEDA5" name="kerberos" src_range_end="0" src_range_start="0"/>
|
||||
<UDPService comment="" dst_range_end="750" dst_range_start="749" id="id3B4FEDA9" name="kerberos-adm" src_range_end="0" src_range_start="0"/>
|
||||
<UDPService comment="" dst_range_end="464" dst_range_start="464" id="id3B4FEDA7" name="kpasswd" src_range_end="0" src_range_start="0"/>
|
||||
<UDPService comment="" dst_range_end="4444" dst_range_start="4444" id="id3B4FEDAB" name="krb524" src_range_end="0" src_range_start="0"/>
|
||||
<UDPService comment="" dst_range_end="135" dst_range_start="135" id="id3F865B0D" name="microsoft-rpc" src_range_end="0" src_range_start="0"/>
|
||||
<UDPService comment="" dst_range_end="138" dst_range_start="138" id="udp-netbios-dgm" name="netbios-dgm" src_range_end="0" src_range_start="0"/>
|
||||
<UDPService comment="" dst_range_end="137" dst_range_start="137" id="udp-netbios-ns" name="netbios-ns" src_range_end="0" src_range_start="0"/>
|
||||
<UDPService comment="" dst_range_end="139" dst_range_start="139" id="udp-netbios-ssn" name="netbios-ssn" src_range_end="0" src_range_start="0"/>
|
||||
<UDPService comment="" dst_range_end="2049" dst_range_start="2049" id="id3B4FEE78" name="nfs" src_range_end="0" src_range_start="0"/>
|
||||
<UDPService comment="" dst_range_end="123" dst_range_start="123" id="udp-ntp" name="ntp" src_range_end="0" src_range_start="0"/>
|
||||
<UDPService comment="" dst_range_end="26000" dst_range_start="26000" id="id3B4FEF7E" name="quake" src_range_end="0" src_range_start="0"/>
|
||||
<UDPService comment="" dst_range_end="1024" dst_range_start="1024" id="id3D703C88" name="secureid-udp" src_range_end="0" src_range_start="0"/>
|
||||
<UDPService comment="" dst_range_end="161" dst_range_start="161" id="udp-SNMP" name="snmp" src_range_end="0" src_range_start="0"/>
|
||||
<UDPService comment="" dst_range_end="162" dst_range_start="162" id="id3AED0D69" name="snmp-trap" src_range_end="0" src_range_start="0"/>
|
||||
<UDPService comment="" dst_range_end="111" dst_range_start="111" id="id3AEDBE19" name="sunrpc" src_range_end="0" src_range_start="0"/>
|
||||
<UDPService comment="" dst_range_end="514" dst_range_start="514" id="id3AECF780" name="syslog" src_range_end="0" src_range_start="0"/>
|
||||
<UDPService comment="" dst_range_end="69" dst_range_start="69" id="id3AED0D67" name="tftp" src_range_end="0" src_range_start="0"/>
|
||||
<UDPService comment="" dst_range_end="33524" dst_range_start="33434" id="id3AED0D8C" name="traceroute" src_range_end="0" src_range_start="0"/>
|
||||
<UDPService comment="" dst_range_end="873" dst_range_start="873" id="id4127EA73" name="rsync" src_range_end="0" src_range_start="0"/>
|
||||
<UDPService comment="Simple Service Discovery Protocol (used for UPnP)" dst_range_end="1900" dst_range_start="1900" id="id41291783" name="SSDP" src_range_end="0" src_range_start="0"/>
|
||||
<UDPService comment="" dst_range_end="1194" dst_range_start="1194" id="id41291883" name="OpenVPN" src_range_end="0" src_range_start="0"/>
|
||||
</ServiceGroup>
|
||||
<ServiceGroup id="stdid13" name="Custom">
|
||||
<CustomService comment="works in iptables and requires patch-o-matic. For more information look for patch-o-matic on http://www.netfilter.org/" id="id3B64EEA8" name="rpc">
|
||||
<CustomServiceCommand platform="Undefined"></CustomServiceCommand>
|
||||
<CustomServiceCommand platform="ipf"></CustomServiceCommand>
|
||||
<CustomServiceCommand platform="ipfilter"></CustomServiceCommand>
|
||||
<CustomServiceCommand platform="ipfw"></CustomServiceCommand>
|
||||
<CustomServiceCommand platform="iptables">-m record_rpc</CustomServiceCommand>
|
||||
<CustomServiceCommand platform="pf"></CustomServiceCommand>
|
||||
<CustomServiceCommand platform="pix"></CustomServiceCommand>
|
||||
<CustomServiceCommand platform="unknown"></CustomServiceCommand>
|
||||
</CustomService>
|
||||
<CustomService comment="IRC connection tracker, supports DCC. Works on iptables and requires patch-o-matic. For more information look for patch-o-matic on http://www.netfilter.org/ " id="id3B64EF4E" name="irc-conn">
|
||||
<CustomServiceCommand platform="Undefined"></CustomServiceCommand>
|
||||
<CustomServiceCommand platform="ipf"></CustomServiceCommand>
|
||||
<CustomServiceCommand platform="ipfilter"></CustomServiceCommand>
|
||||
<CustomServiceCommand platform="ipfw"></CustomServiceCommand>
|
||||
<CustomServiceCommand platform="iptables">-m irc</CustomServiceCommand>
|
||||
<CustomServiceCommand platform="pf"></CustomServiceCommand>
|
||||
<CustomServiceCommand platform="pix"></CustomServiceCommand>
|
||||
<CustomServiceCommand platform="unknown"></CustomServiceCommand>
|
||||
</CustomService>
|
||||
<CustomService comment="Port scan detector, works only on iptables and requires patch-o-matic For more information look for patch-o-matic on http://www.netfilter.org/" id="id3B64EF50" name="psd">
|
||||
<CustomServiceCommand platform="Undefined"></CustomServiceCommand>
|
||||
<CustomServiceCommand platform="ipf"></CustomServiceCommand>
|
||||
<CustomServiceCommand platform="ipfilter"></CustomServiceCommand>
|
||||
<CustomServiceCommand platform="ipfw"></CustomServiceCommand>
|
||||
<CustomServiceCommand platform="iptables">-m psd --psd-weight-threshold 5 --psd-delay-threshold 10000</CustomServiceCommand>
|
||||
<CustomServiceCommand platform="pf"></CustomServiceCommand>
|
||||
<CustomServiceCommand platform="pix"></CustomServiceCommand>
|
||||
<CustomServiceCommand platform="unknown"></CustomServiceCommand>
|
||||
</CustomService>
|
||||
<CustomService comment="Matches a string in a whole packet, works in iptables and requires patch-o-matic. For more information look for patch-o-matic on http://www.netfilter.org/" id="id3B64EF52" name="string">
|
||||
<CustomServiceCommand platform="Undefined"></CustomServiceCommand>
|
||||
<CustomServiceCommand platform="ipf"></CustomServiceCommand>
|
||||
<CustomServiceCommand platform="ipfilter"></CustomServiceCommand>
|
||||
<CustomServiceCommand platform="ipfw"></CustomServiceCommand>
|
||||
<CustomServiceCommand platform="iptables">-m string --string test_pattern</CustomServiceCommand>
|
||||
<CustomServiceCommand platform="pf"></CustomServiceCommand>
|
||||
<CustomServiceCommand platform="pix"></CustomServiceCommand>
|
||||
<CustomServiceCommand platform="unknown"></CustomServiceCommand>
|
||||
</CustomService>
|
||||
<CustomService comment="Talk protocol support. Works in iptables and requires patch-o-matic. For more information look for patch-o-matic on http://www.netfilter.org/" id="id3B64EF54" name="talk">
|
||||
<CustomServiceCommand platform="Undefined"></CustomServiceCommand>
|
||||
<CustomServiceCommand platform="ipf"></CustomServiceCommand>
|
||||
<CustomServiceCommand platform="ipfilter"></CustomServiceCommand>
|
||||
<CustomServiceCommand platform="ipfw"></CustomServiceCommand>
|
||||
<CustomServiceCommand platform="iptables">-m talk</CustomServiceCommand>
|
||||
<CustomServiceCommand platform="pf"></CustomServiceCommand>
|
||||
<CustomServiceCommand platform="pix"></CustomServiceCommand>
|
||||
<CustomServiceCommand platform="unknown"></CustomServiceCommand>
|
||||
</CustomService>
|
||||
</ServiceGroup>
|
||||
<ServiceGroup id="stdid19" name="TagServices"/>
|
||||
</ServiceGroup>
|
||||
<ObjectGroup id="stdid12" name="Firewalls"/>
|
||||
<IntervalGroup id="stdid11" name="Time">
|
||||
<Interval comment="any day, 9:00am through 5:00pm" from_day="-1" from_hour="9" from_minute="0" from_month="-1" from_weekday="1" from_year="-1" id="int-workhours" name="workhours" to_day="-1" to_hour="17" to_minute="0" to_month="-1" to_weekday="5" to_year="-1"/>
|
||||
<Interval comment="weekends: Saturday 0:00 through Sunday 23:59 " from_day="-1" from_hour="0" from_minute="0" from_month="-1" from_weekday="6" from_year="-1" id="int-weekends" name="weekends" to_day="-1" to_hour="23" to_minute="59" to_month="-1" to_weekday="0" to_year="-1"/>
|
||||
<Interval comment="any day 6:00pm - 12:00am" from_day="-1" from_hour="18" from_minute="0" from_month="-1" from_weekday="-1" from_year="-1" id="int-afterhours" name="afterhours" to_day="-1" to_hour="23" to_minute="59" to_month="-1" to_weekday="-1" to_year="-1"/>
|
||||
<Interval comment="" from_day="-1" from_hour="0" from_minute="0" from_month="-1" from_weekday="6" from_year="-1" id="id3C63479C" name="Sat" to_day="-1" to_hour="23" to_minute="59" to_month="-1" to_weekday="6" to_year="-1"/>
|
||||
<Interval comment="" from_day="-1" from_hour="0" from_minute="0" from_month="-1" from_weekday="0" from_year="-1" id="id3C63479E" name="Sun" to_day="-1" to_hour="23" to_minute="59" to_month="-1" to_weekday="0" to_year="-1"/>
|
||||
</IntervalGroup>
|
||||
<FWObjectDatabase xmlns="http://www.fwbuilder.org/1.0/" version="@FWBUILDER_XML_VERSION@" lastModified="1215463063" id="root">
|
||||
<Library id="sysid99" name="Deleted Objects" ro="False">
|
||||
<ICMP6Service id="idE0C27650" name="ipv6 dest unreachable" comment="No route to destination" code="0" type="1"/>
|
||||
<Interface id="id4699503D32343" name="Null0" bridgeport="False" dyn="False" label="" security_level="100" unnum="False" unprotected="False">
|
||||
<IPv4 id="id4699503E32343" name="c36xx:Null0:ip" address="0.0.0.0" netmask="255.255.255.255"/>
|
||||
</Interface>
|
||||
</Library>
|
||||
<Library color="#ffb4b4" comment="Template objects that can be used to generate typical firewall configurations" id="syslib100" name="Firewall Templates" ro="True">
|
||||
<Library id="syslib100" name="Firewall Templates" comment="Template objects that can be used to generate typical firewall configurations" color="#ffb4b4" ro="True">
|
||||
<ObjectGroup id="id4070BB9B" name="Objects">
|
||||
<ObjectGroup id="id4070BB9B_og_ats_1" name="Address Tables"/>
|
||||
<ObjectGroup id="id4070BB9B_og_dnsn_1" name="DNS Names"/>
|
||||
<ObjectGroup id="id4070BB9C" name="Addresses"/>
|
||||
<ObjectGroup id="id4070BB9D" name="Groups"/>
|
||||
<ObjectGroup id="id4070BB9E" name="Hosts">
|
||||
<Host comment="This object represents a PC with a single network interface" id="id40CBF1A5" name="PC with 1 interface">
|
||||
<Interface bridgeport="False" dyn="False" id="id40CBF1A7" label="" name="eth0" security_level="0" unnum="False" unprotected="False">
|
||||
<IPv4 address="192.168.1.1" comment="" id="id40CBF1A9" name="pc:eth0:ip" netmask="255.255.255.0"/>
|
||||
<Host id="id40CBF1A5" name="PC with 1 interface" comment="This object represents a PC with a single network interface">
|
||||
<Interface id="id40CBF1A7" name="eth0" bridgeport="False" dyn="False" label="" security_level="0" unnum="False" unprotected="False">
|
||||
<IPv4 id="id40CBF1A9" name="pc:eth0:ip" address="192.168.1.1" netmask="255.255.255.0"/>
|
||||
</Interface>
|
||||
<Management address="0.0.0.0">
|
||||
<SNMPManagement enabled="False" snmp_read_community="" snmp_write_community=""/>
|
||||
@ -380,12 +27,12 @@
|
||||
<Option name="use_mac_addr_filter">False</Option>
|
||||
</HostOptions>
|
||||
</Host>
|
||||
<Host comment="This object represents a PC with two network interfaces" id="id40CBF1AC" name="PC with 2 interfaces">
|
||||
<Interface bridgeport="False" dyn="False" id="id40CBF1AE" label="" name="eth0" security_level="0" unnum="False" unprotected="False">
|
||||
<IPv4 address="192.168.1.1" comment="" id="id40CBF1B0" name="pc:eth0:ip" netmask="255.255.255.0"/>
|
||||
<Host id="id40CBF1AC" name="PC with 2 interfaces" comment="This object represents a PC with two network interfaces">
|
||||
<Interface id="id40CBF1AE" name="eth0" bridgeport="False" dyn="False" label="" security_level="0" unnum="False" unprotected="False">
|
||||
<IPv4 id="id40CBF1B0" name="pc:eth0:ip" address="192.168.1.1" netmask="255.255.255.0"/>
|
||||
</Interface>
|
||||
<Interface bridgeport="False" dyn="False" id="id40CBF1B1" label="" name="eth1" security_level="0" unnum="False" unprotected="False">
|
||||
<IPv4 address="192.168.2.1" comment="" id="id40CBF1B3" name="pc:eth1:ip" netmask="255.255.255.0"/>
|
||||
<Interface id="id40CBF1B1" name="eth1" bridgeport="False" dyn="False" label="" security_level="0" unnum="False" unprotected="False">
|
||||
<IPv4 id="id40CBF1B3" name="pc:eth1:ip" address="192.168.2.1" netmask="255.255.255.0"/>
|
||||
</Interface>
|
||||
<Management address="0.0.0.0">
|
||||
<SNMPManagement enabled="False" snmp_read_community="" snmp_write_community=""/>
|
||||
@ -396,12 +43,12 @@
|
||||
<Option name="use_mac_addr_filter">False</Option>
|
||||
</HostOptions>
|
||||
</Host>
|
||||
<Host comment="This object represents a router with two interfaces. You may need to change interface names if your router uses different naming scheme." id="id40CBF1C8" name="Router with 2 interfaces">
|
||||
<Interface bridgeport="False" comment="" dyn="False" id="id40CBF1CB" label="" name="FastEthernet 0/0" security_level="0" unnum="False" unprotected="False">
|
||||
<IPv4 address="192.168.1.1" comment="" id="id40CBF1CD" name="rtr:FE0/0:ip" netmask="255.255.255.0"/>
|
||||
<Host id="id40CBF1C8" name="Router with 2 interfaces" comment="This object represents a router with two interfaces. You may need to change interface names if your router uses different naming scheme.">
|
||||
<Interface id="id40CBF1CB" name="FastEthernet 0/0" bridgeport="False" dyn="False" label="" security_level="0" unnum="False" unprotected="False">
|
||||
<IPv4 id="id40CBF1CD" name="rtr:FE0/0:ip" address="192.168.1.1" netmask="255.255.255.0"/>
|
||||
</Interface>
|
||||
<Interface bridgeport="False" comment="" dyn="False" id="id40CBF1CE" label="" name="FastEthernet 0/1" security_level="0" unnum="False" unprotected="False">
|
||||
<IPv4 address="192.168.2.1" comment="" id="id40CBF1D0" name="rtr:FE0/1:ip" netmask="255.255.255.0"/>
|
||||
<Interface id="id40CBF1CE" name="FastEthernet 0/1" bridgeport="False" dyn="False" label="" security_level="0" unnum="False" unprotected="False">
|
||||
<IPv4 id="id40CBF1D0" name="rtr:FE0/1:ip" address="192.168.2.1" netmask="255.255.255.0"/>
|
||||
</Interface>
|
||||
<Management address="0.0.0.0">
|
||||
<SNMPManagement enabled="False" snmp_read_community="" snmp_write_community=""/>
|
||||
@ -417,6 +64,7 @@
|
||||
<ObjectGroup id="id4070BBA0" name="Address Ranges"/>
|
||||
</ObjectGroup>
|
||||
<ServiceGroup id="id4070BBA1" name="Services">
|
||||
<ServiceGroup id="id4070BBA1_userservices" name="Users"/>
|
||||
<ServiceGroup id="id4070BBA1_og_tag_1" name="TagServices"/>
|
||||
<ServiceGroup id="id4070BBA2" name="Groups"/>
|
||||
<ServiceGroup id="id4070BBA3" name="ICMP"/>
|
||||
@ -426,9 +74,9 @@
|
||||
<ServiceGroup id="id4070BBA7" name="Custom"/>
|
||||
</ServiceGroup>
|
||||
<ObjectGroup id="id4070BBA8" name="Firewalls">
|
||||
<Firewall comment="This firewall has two interfaces. Eth0 faces outside and has a dynamic address; eth1 faces inside. Policy includes basic rules to permit unrestricted outbound access and anti-spoofing rules. Access to the firewall is permitted only from internal network and only using SSH. The firewall uses one of the machines on internal network for DNS. Internal network is configured with address 192.168.1.0/255.255.255.0" host_OS="unknown_os" id="id40708A6A" lastCompiled="0" lastInstalled="0" lastModified="0" name="fw template 1" platform="unknown" ro="False" version="">
|
||||
<NAT id="id40708A6E" name="NAT">
|
||||
<NATRule disabled="False" id="id4070BFF5" position="0">
|
||||
<Firewall id="id40708A6A" name="fw template 1" comment="This firewall has two interfaces. Eth0 faces outside and has a dynamic address; eth1 faces inside. Policy includes basic rules to permit unrestricted outbound access and anti-spoofing rules. Access to the firewall is permitted only from internal network and only using SSH. The firewall uses one of the machines on internal network for DNS. Internal network is configured with address 192.168.1.0/255.255.255.0" host_OS="unknown_os" lastCompiled="0" lastInstalled="0" lastModified="0" platform="unknown" ro="False" version="">
|
||||
<NAT id="id40708A6E" name="NAT" ipv6_rule_set="False" top_rule_set="True">
|
||||
<NATRule id="id4070BFF5" disabled="False" position="0">
|
||||
<OSrc neg="False">
|
||||
<ObjectRef ref="id3DC75CE7-1"/>
|
||||
</OSrc>
|
||||
@ -450,8 +98,8 @@
|
||||
<NATRuleOptions/>
|
||||
</NATRule>
|
||||
</NAT>
|
||||
<Policy id="id40708A6D" name="Policy">
|
||||
<PolicyRule action="Deny" comment="anti spoofing rule" direction="Inbound" disabled="False" id="id4070BFE9" log="True" position="0">
|
||||
<Policy id="id40708A6D" name="Policy" ipv6_rule_set="False" top_rule_set="True">
|
||||
<PolicyRule id="id4070BFE9" comment="anti spoofing rule" action="Deny" direction="Inbound" disabled="False" log="True" position="0">
|
||||
<Src neg="False">
|
||||
<ObjectRef ref="id40708A6A"/>
|
||||
<ObjectRef ref="id3DC75CE7-1"/>
|
||||
@ -470,7 +118,7 @@
|
||||
</When>
|
||||
<PolicyRuleOptions/>
|
||||
</PolicyRule>
|
||||
<PolicyRule action="Accept" direction="Both" disabled="False" id="id4094092C" log="False" position="1">
|
||||
<PolicyRule id="id4094092C" action="Accept" direction="Both" disabled="False" log="False" position="1">
|
||||
<Src neg="False">
|
||||
<ObjectRef ref="sysid0"/>
|
||||
</Src>
|
||||
@ -488,7 +136,7 @@
|
||||
</When>
|
||||
<PolicyRuleOptions/>
|
||||
</PolicyRule>
|
||||
<PolicyRule action="Accept" comment="SSH Access to firewall is permitted only from internal network" disabled="False" id="id40941C75" log="False" position="2">
|
||||
<PolicyRule id="id40941C75" comment="SSH Access to firewall is permitted only from internal network" action="Accept" disabled="False" log="False" position="2">
|
||||
<Src neg="False">
|
||||
<ObjectRef ref="id3DC75CE7-1"/>
|
||||
</Src>
|
||||
@ -506,7 +154,7 @@
|
||||
</When>
|
||||
<PolicyRuleOptions/>
|
||||
</PolicyRule>
|
||||
<PolicyRule action="Accept" comment="Firewall uses one of the machines on internal network for DNS" disabled="False" id="id40941D2E" log="True" position="3">
|
||||
<PolicyRule id="id40941D2E" comment="Firewall uses one of the machines on internal network for DNS" action="Accept" disabled="False" log="True" position="3">
|
||||
<Src neg="False">
|
||||
<ObjectRef ref="id40708A6A"/>
|
||||
</Src>
|
||||
@ -524,7 +172,7 @@
|
||||
</When>
|
||||
<PolicyRuleOptions/>
|
||||
</PolicyRule>
|
||||
<PolicyRule action="Deny" comment="All other attempts to connect to the firewall are denied and logged" disabled="False" id="id40941CB8" log="True" position="4">
|
||||
<PolicyRule id="id40941CB8" comment="All other attempts to connect to the firewall are denied and logged" action="Deny" disabled="False" log="True" position="4">
|
||||
<Src neg="False">
|
||||
<ObjectRef ref="sysid0"/>
|
||||
</Src>
|
||||
@ -542,7 +190,7 @@
|
||||
</When>
|
||||
<PolicyRuleOptions/>
|
||||
</PolicyRule>
|
||||
<PolicyRule action="Accept" comment="" disabled="False" id="id4070BFDE" log="False" position="5">
|
||||
<PolicyRule id="id4070BFDE" action="Accept" disabled="False" log="False" position="5">
|
||||
<Src neg="False">
|
||||
<ObjectRef ref="id3DC75CE7-1"/>
|
||||
</Src>
|
||||
@ -560,7 +208,7 @@
|
||||
</When>
|
||||
<PolicyRuleOptions/>
|
||||
</PolicyRule>
|
||||
<PolicyRule action="Deny" disabled="False" id="id40708A71" log="True" position="6">
|
||||
<PolicyRule id="id40708A71" action="Deny" disabled="False" log="True" position="6">
|
||||
<Src neg="False">
|
||||
<ObjectRef ref="sysid0"/>
|
||||
</Src>
|
||||
@ -579,13 +227,13 @@
|
||||
<PolicyRuleOptions/>
|
||||
</PolicyRule>
|
||||
</Policy>
|
||||
<Routing id="id40708A6A-routing" name="Routing"/>
|
||||
<Interface bridgeport="False" comment="" dyn="True" id="id4070BFD8" label="outside" mgmt="False" name="eth0" security_level="0" unnum="False" unprotected="False"/>
|
||||
<Interface bridgeport="False" comment="" dyn="False" id="id4070BFDA" label="inside" mgmt="True" name="eth1" security_level="100" unnum="False" unprotected="False">
|
||||
<IPv4 address="192.168.1.1" comment="" id="id4070BFDC" name="ip" netmask="255.255.255.0"/>
|
||||
<Routing id="id40708A6A-routing" name="Routing" ipv6_rule_set="False" top_rule_set="True"/>
|
||||
<Interface id="id4070BFD8" name="eth0" bridgeport="False" dyn="True" label="outside" mgmt="False" security_level="0" unnum="False" unprotected="False"/>
|
||||
<Interface id="id4070BFDA" name="eth1" bridgeport="False" dyn="False" label="inside" mgmt="True" security_level="100" unnum="False" unprotected="False">
|
||||
<IPv4 id="id4070BFDC" name="ip" address="192.168.1.1" netmask="255.255.255.0"/>
|
||||
</Interface>
|
||||
<Interface bridgeport="False" comment="" dyn="False" id="id40940929" label="loopback" mgmt="False" name="lo" security_level="100" unnum="False" unprotected="False">
|
||||
<IPv4 address="127.0.0.1" comment="" id="id4094092B" name="lo:ip" netmask="255.0.0.0"/>
|
||||
<Interface id="id40940929" name="lo" bridgeport="False" dyn="False" label="loopback" mgmt="False" security_level="100" unnum="False" unprotected="False">
|
||||
<IPv4 id="id4094092B" name="lo:ip" address="127.0.0.1" netmask="255.0.0.0"/>
|
||||
</Interface>
|
||||
<Management address="0.0.0.0">
|
||||
<SNMPManagement enabled="False" snmp_read_community="" snmp_write_community=""/>
|
||||
@ -632,9 +280,9 @@
|
||||
<Option name="verify_interfaces">true</Option>
|
||||
</FirewallOptions>
|
||||
</Firewall>
|
||||
<Firewall comment="Similar to fw 1, but the firewall is used as DHCP and DNS server for internal network. This firewall has two interfaces. Eth0 faces outside and has a dynamic address; eth1 faces inside. Policy includes basic rules to permit unrestricted outbound access and anti-spoofing rules. Access to the firewall is permitted only from internal network and only using SSH. The firewall can send DNS queries to servers out on the Internet. Another rule permits DNS queries from internal network to the firewall. Special rules permit DHCP requests from internal network and replies sent by the firewall." host_OS="unknown_os" id="id40941E8C" lastCompiled="0" lastInstalled="0" lastModified="0" name="fw template 2" platform="unknown" ro="False" version="">
|
||||
<NAT id="id40941E91" name="NAT">
|
||||
<NATRule disabled="False" id="id40941E92" position="0">
|
||||
<Firewall id="id40941E8C" name="fw template 2" comment="Similar to fw 1, but the firewall is used as DHCP and DNS server for internal network. This firewall has two interfaces. Eth0 faces outside and has a dynamic address; eth1 faces inside. Policy includes basic rules to permit unrestricted outbound access and anti-spoofing rules. Access to the firewall is permitted only from internal network and only using SSH. The firewall can send DNS queries to servers out on the Internet. Another rule permits DNS queries from internal network to the firewall. Special rules permit DHCP requests from internal network and replies sent by the firewall." host_OS="unknown_os" lastCompiled="0" lastInstalled="0" lastModified="0" platform="unknown" ro="False" version="">
|
||||
<NAT id="id40941E91" name="NAT" ipv6_rule_set="False" top_rule_set="True">
|
||||
<NATRule id="id40941E92" disabled="False" position="0">
|
||||
<OSrc neg="False">
|
||||
<ObjectRef ref="id3DC75CE7-1"/>
|
||||
</OSrc>
|
||||
@ -656,8 +304,8 @@
|
||||
<NATRuleOptions/>
|
||||
</NATRule>
|
||||
</NAT>
|
||||
<Policy id="id40941EA0" name="Policy">
|
||||
<PolicyRule action="Deny" comment="anti spoofing rule" direction="Inbound" disabled="False" id="id40941ED5" log="True" position="2">
|
||||
<Policy id="id40941EA0" name="Policy" ipv6_rule_set="False" top_rule_set="True">
|
||||
<PolicyRule id="id40941ED5" comment="anti spoofing rule" action="Deny" direction="Inbound" disabled="False" log="True" position="2">
|
||||
<Src neg="False">
|
||||
<ObjectRef ref="id40941E8C"/>
|
||||
<ObjectRef ref="id3DC75CE7-1"/>
|
||||
@ -676,7 +324,7 @@
|
||||
</When>
|
||||
<PolicyRuleOptions/>
|
||||
</PolicyRule>
|
||||
<PolicyRule action="Accept" direction="Both" disabled="False" id="id40941EE6" log="False" position="3">
|
||||
<PolicyRule id="id40941EE6" action="Accept" direction="Both" disabled="False" log="False" position="3">
|
||||
<Src neg="False">
|
||||
<ObjectRef ref="sysid0"/>
|
||||
</Src>
|
||||
@ -694,7 +342,7 @@
|
||||
</When>
|
||||
<PolicyRuleOptions/>
|
||||
</PolicyRule>
|
||||
<PolicyRule action="Accept" comment="SSH Access to firewall is permitted only from internal network Also firewall serves DNS for internal network" disabled="False" id="id40941EA1" log="False" position="2">
|
||||
<PolicyRule id="id40941EA1" comment="SSH Access to firewall is permitted only from internal network Also firewall serves DNS for internal network" action="Accept" disabled="False" log="False" position="2">
|
||||
<Src neg="False">
|
||||
<ObjectRef ref="id3DC75CE7-1"/>
|
||||
</Src>
|
||||
@ -713,7 +361,7 @@
|
||||
</When>
|
||||
<PolicyRuleOptions/>
|
||||
</PolicyRule>
|
||||
<PolicyRule action="Accept" comment="DHCP requests are permitted from internal network" disabled="False" id="id40942038" log="False" position="3">
|
||||
<PolicyRule id="id40942038" comment="DHCP requests are permitted from internal network" action="Accept" disabled="False" log="False" position="3">
|
||||
<Src neg="False">
|
||||
<ObjectRef ref="id3DC75CE7-1"/>
|
||||
<ObjectRef ref="id3F6D115D"/>
|
||||
@ -733,7 +381,7 @@
|
||||
</When>
|
||||
<PolicyRuleOptions/>
|
||||
</PolicyRule>
|
||||
<PolicyRule action="Accept" comment="DHCP replies" disabled="False" id="id4094204A" log="False" position="4">
|
||||
<PolicyRule id="id4094204A" comment="DHCP replies" action="Accept" disabled="False" log="False" position="4">
|
||||
<Src neg="False">
|
||||
<ObjectRef ref="id40941E8C"/>
|
||||
</Src>
|
||||
@ -751,7 +399,7 @@
|
||||
</When>
|
||||
<PolicyRuleOptions/>
|
||||
</PolicyRule>
|
||||
<PolicyRule action="Accept" comment="Firewall should be able to send DNS queries to the Internet" disabled="False" id="id40941EAB" log="True" position="5">
|
||||
<PolicyRule id="id40941EAB" comment="Firewall should be able to send DNS queries to the Internet" action="Accept" disabled="False" log="True" position="5">
|
||||
<Src neg="False">
|
||||
<ObjectRef ref="id40941E8C"/>
|
||||
</Src>
|
||||
@ -769,7 +417,7 @@
|
||||
</When>
|
||||
<PolicyRuleOptions/>
|
||||
</PolicyRule>
|
||||
<PolicyRule action="Deny" comment="All other attempts to connect to the firewall are denied and logged" disabled="False" id="id40941EB5" log="True" position="6">
|
||||
<PolicyRule id="id40941EB5" comment="All other attempts to connect to the firewall are denied and logged" action="Deny" disabled="False" log="True" position="6">
|
||||
<Src neg="False">
|
||||
<ObjectRef ref="sysid0"/>
|
||||
</Src>
|
||||
@ -787,7 +435,7 @@
|
||||
</When>
|
||||
<PolicyRuleOptions/>
|
||||
</PolicyRule>
|
||||
<PolicyRule action="Accept" comment="" disabled="False" id="id40941EBF" log="False" position="7">
|
||||
<PolicyRule id="id40941EBF" action="Accept" disabled="False" log="False" position="7">
|
||||
<Src neg="False">
|
||||
<ObjectRef ref="id3DC75CE7-1"/>
|
||||
</Src>
|
||||
@ -805,7 +453,7 @@
|
||||
</When>
|
||||
<PolicyRuleOptions/>
|
||||
</PolicyRule>
|
||||
<PolicyRule action="Deny" disabled="False" id="id40941EC9" log="True" position="8">
|
||||
<PolicyRule id="id40941EC9" action="Deny" disabled="False" log="True" position="8">
|
||||
<Src neg="False">
|
||||
<ObjectRef ref="sysid0"/>
|
||||
</Src>
|
||||
@ -824,13 +472,13 @@
|
||||
<PolicyRuleOptions/>
|
||||
</PolicyRule>
|
||||
</Policy>
|
||||
<Routing id="id40941E8C-routing" name="Routing"/>
|
||||
<Interface bridgeport="False" comment="" dyn="True" id="id40941ED3" label="outside" mgmt="False" name="eth0" security_level="0" unnum="False" unprotected="False"/>
|
||||
<Interface bridgeport="False" comment="" dyn="False" id="id40941EE0" label="inside" mgmt="True" name="eth1" security_level="100" unnum="False" unprotected="False">
|
||||
<IPv4 address="192.168.1.1" comment="" id="id40941EE1" name="ip" netmask="255.255.255.0"/>
|
||||
<Routing id="id40941E8C-routing" name="Routing" ipv6_rule_set="False" top_rule_set="True"/>
|
||||
<Interface id="id40941ED3" name="eth0" bridgeport="False" dyn="True" label="outside" mgmt="False" security_level="0" unnum="False" unprotected="False"/>
|
||||
<Interface id="id40941EE0" name="eth1" bridgeport="False" dyn="False" label="inside" mgmt="True" security_level="100" unnum="False" unprotected="False">
|
||||
<IPv4 id="id40941EE1" name="ip" address="192.168.1.1" netmask="255.255.255.0"/>
|
||||
</Interface>
|
||||
<Interface bridgeport="False" comment="" dyn="False" id="id40941EE3" label="loopback" mgmt="False" name="lo" security_level="100" unnum="False" unprotected="False">
|
||||
<IPv4 address="127.0.0.1" comment="" id="id40941EE4" name="lo:ip" netmask="255.0.0.0"/>
|
||||
<Interface id="id40941EE3" name="lo" bridgeport="False" dyn="False" label="loopback" mgmt="False" security_level="100" unnum="False" unprotected="False">
|
||||
<IPv4 id="id40941EE4" name="lo:ip" address="127.0.0.1" netmask="255.0.0.0"/>
|
||||
</Interface>
|
||||
<Management address="0.0.0.0">
|
||||
<SNMPManagement enabled="False" snmp_read_community="" snmp_write_community=""/>
|
||||
@ -877,9 +525,9 @@
|
||||
<Option name="verify_interfaces">true</Option>
|
||||
</FirewallOptions>
|
||||
</Firewall>
|
||||
<Firewall comment="This firewall has three interfaces. Eth0 faces outside and has a static routable address; eth1 faces inside; eth2 is connected to DMZ subnet. Policy includes basic rules to permit unrestricted outbound access and anti-spoofing rules. Access to the firewall is permitted only from internal network and only using SSH. The firewall uses one of the machines on internal network for DNS. Internal network is configured with address 192.168.1.0/255.255.255.0, DMZ is 192.168.2.0/255.255.255.0. Since DMZ used private IP address, it needs NAT. There is a mail relay host located on DMZ (object 'server on dmz'). Policy rules permit SMTP connections to it from the Internet and allow this server to connect to a host on internal network 'internal server'. All other access from DMZ to internal net is denied. To provide access to the mail relay its private address is mapped to firewall's outside interface address by NAT rule #1." host_OS="freebsd" id="id40986AFE" lastCompiled="0" lastInstalled="0" lastModified="0" name="fw template 3" platform="unknown" ro="False" version="">
|
||||
<NAT id="id40986B03" name="NAT">
|
||||
<NATRule comment="no need to translate between DMZ and internal net" disabled="False" id="id40987169" position="0">
|
||||
<Firewall id="id40986AFE" name="fw template 3" comment="This firewall has three interfaces. Eth0 faces outside and has a static routable address; eth1 faces inside; eth2 is connected to DMZ subnet. Policy includes basic rules to permit unrestricted outbound access and anti-spoofing rules. Access to the firewall is permitted only from internal network and only using SSH. The firewall uses one of the machines on internal network for DNS. Internal network is configured with address 192.168.1.0/255.255.255.0, DMZ is 192.168.2.0/255.255.255.0. Since DMZ used private IP address, it needs NAT. There is a mail relay host located on DMZ (object 'server on dmz'). Policy rules permit SMTP connections to it from the Internet and allow this server to connect to a host on internal network 'internal server'. All other access from DMZ to internal net is denied. To provide access to the mail relay its private address is mapped to firewall's outside interface address by NAT rule #1." host_OS="freebsd" lastCompiled="0" lastInstalled="0" lastModified="0" platform="unknown" ro="False" version="">
|
||||
<NAT id="id40986B03" name="NAT" ipv6_rule_set="False" top_rule_set="True">
|
||||
<NATRule id="id40987169" comment="no need to translate between DMZ and internal net" disabled="False" position="0">
|
||||
<OSrc neg="False">
|
||||
<ObjectRef ref="id3DC75CE7-2"/>
|
||||
</OSrc>
|
||||
@ -900,7 +548,7 @@
|
||||
</TSrv>
|
||||
<NATRuleOptions/>
|
||||
</NATRule>
|
||||
<NATRule comment="Translate source address for outgoing connections" disabled="False" id="id40986B04" position="1">
|
||||
<NATRule id="id40986B04" comment="Translate source address for outgoing connections" disabled="False" position="1">
|
||||
<OSrc neg="False">
|
||||
<ObjectRef ref="id3DC75CE7-1"/>
|
||||
<ObjectRef ref="id3DC75CE7-2"/>
|
||||
@ -922,7 +570,7 @@
|
||||
</TSrv>
|
||||
<NATRuleOptions/>
|
||||
</NATRule>
|
||||
<NATRule disabled="False" id="id40986E4B" position="2">
|
||||
<NATRule id="id40986E4B" disabled="False" position="2">
|
||||
<OSrc neg="False">
|
||||
<ObjectRef ref="sysid0"/>
|
||||
</OSrc>
|
||||
@ -944,8 +592,8 @@
|
||||
<NATRuleOptions/>
|
||||
</NATRule>
|
||||
</NAT>
|
||||
<Policy id="id40986B12" name="Policy">
|
||||
<PolicyRule action="Deny" comment="anti spoofing rule" direction="Inbound" disabled="False" id="id40986B47" log="True" position="4">
|
||||
<Policy id="id40986B12" name="Policy" ipv6_rule_set="False" top_rule_set="True">
|
||||
<PolicyRule id="id40986B47" comment="anti spoofing rule" action="Deny" direction="Inbound" disabled="False" log="True" position="4">
|
||||
<Src neg="False">
|
||||
<ObjectRef ref="id40986AFE"/>
|
||||
<ObjectRef ref="id3DC75CE7-1"/>
|
||||
@ -965,7 +613,7 @@
|
||||
</When>
|
||||
<PolicyRuleOptions/>
|
||||
</PolicyRule>
|
||||
<PolicyRule action="Accept" direction="Both" disabled="False" id="id40986B58" log="False" position="5">
|
||||
<PolicyRule id="id40986B58" action="Accept" direction="Both" disabled="False" log="False" position="5">
|
||||
<Src neg="False">
|
||||
<ObjectRef ref="sysid0"/>
|
||||
</Src>
|
||||
@ -983,7 +631,7 @@
|
||||
</When>
|
||||
<PolicyRuleOptions/>
|
||||
</PolicyRule>
|
||||
<PolicyRule action="Accept" comment="SSH Access to firewall is permitted only from internal network" disabled="False" id="id40986B13" log="False" position="2">
|
||||
<PolicyRule id="id40986B13" comment="SSH Access to firewall is permitted only from internal network" action="Accept" disabled="False" log="False" position="2">
|
||||
<Src neg="False">
|
||||
<ObjectRef ref="id3DC75CE7-1"/>
|
||||
</Src>
|
||||
@ -1001,7 +649,7 @@
|
||||
</When>
|
||||
<PolicyRuleOptions/>
|
||||
</PolicyRule>
|
||||
<PolicyRule action="Accept" comment="Firewall uses one of the machines on internal network for DNS" disabled="False" id="id40986B1D" log="False" position="3">
|
||||
<PolicyRule id="id40986B1D" comment="Firewall uses one of the machines on internal network for DNS" action="Accept" disabled="False" log="False" position="3">
|
||||
<Src neg="False">
|
||||
<ObjectRef ref="id40986AFE"/>
|
||||
</Src>
|
||||
@ -1019,7 +667,7 @@
|
||||
</When>
|
||||
<PolicyRuleOptions/>
|
||||
</PolicyRule>
|
||||
<PolicyRule action="Deny" comment="All other attempts to connect to the firewall are denied and logged" disabled="False" id="id40986B27" log="True" position="4">
|
||||
<PolicyRule id="id40986B27" comment="All other attempts to connect to the firewall are denied and logged" action="Deny" disabled="False" log="True" position="4">
|
||||
<Src neg="False">
|
||||
<ObjectRef ref="sysid0"/>
|
||||
</Src>
|
||||
@ -1037,7 +685,7 @@
|
||||
</When>
|
||||
<PolicyRuleOptions/>
|
||||
</PolicyRule>
|
||||
<PolicyRule action="Reject" comment="Quickly reject attempts to connect to ident server to avoid SMTP delays" disabled="False" id="id40986E5C" log="False" position="5">
|
||||
<PolicyRule id="id40986E5C" comment="Quickly reject attempts to connect to ident server to avoid SMTP delays" action="Reject" disabled="False" log="False" position="5">
|
||||
<Src neg="False">
|
||||
<ObjectRef ref="sysid0"/>
|
||||
</Src>
|
||||
@ -1055,7 +703,7 @@
|
||||
</When>
|
||||
<PolicyRuleOptions/>
|
||||
</PolicyRule>
|
||||
<PolicyRule action="Accept" comment="Mail relay on DMZ can accept connections from hosts on the Internet" disabled="False" id="id40986E16" log="False" position="6">
|
||||
<PolicyRule id="id40986E16" comment="Mail relay on DMZ can accept connections from hosts on the Internet" action="Accept" disabled="False" log="False" position="6">
|
||||
<Src neg="False">
|
||||
<ObjectRef ref="sysid0"/>
|
||||
</Src>
|
||||
@ -1073,7 +721,7 @@
|
||||
</When>
|
||||
<PolicyRuleOptions/>
|
||||
</PolicyRule>
|
||||
<PolicyRule action="Accept" comment="this rule permits a mail relay located on DMZ to connect to internal mail server" disabled="False" id="id40986EE1" log="False" position="7">
|
||||
<PolicyRule id="id40986EE1" comment="this rule permits a mail relay located on DMZ to connect to internal mail server" action="Accept" disabled="False" log="False" position="7">
|
||||
<Src neg="False">
|
||||
<ObjectRef ref="id3D84EECF"/>
|
||||
</Src>
|
||||
@ -1091,7 +739,7 @@
|
||||
</When>
|
||||
<PolicyRuleOptions/>
|
||||
</PolicyRule>
|
||||
<PolicyRule action="Accept" comment="Mail relay needs DNS and can connect to mail servers on the Internet" disabled="False" id="id40987009" log="False" position="8">
|
||||
<PolicyRule id="id40987009" comment="Mail relay needs DNS and can connect to mail servers on the Internet" action="Accept" disabled="False" log="False" position="8">
|
||||
<Src neg="False">
|
||||
<ObjectRef ref="id3D84EECF"/>
|
||||
</Src>
|
||||
@ -1110,7 +758,7 @@
|
||||
</When>
|
||||
<PolicyRuleOptions/>
|
||||
</PolicyRule>
|
||||
<PolicyRule action="Deny" comment="All other access from DMZ to internal net is denied" disabled="False" id="id40986B79" log="True" position="9">
|
||||
<PolicyRule id="id40986B79" comment="All other access from DMZ to internal net is denied" action="Deny" disabled="False" log="True" position="9">
|
||||
<Src neg="False">
|
||||
<ObjectRef ref="id3DC75CE7-2"/>
|
||||
</Src>
|
||||
@ -1128,7 +776,7 @@
|
||||
</When>
|
||||
<PolicyRuleOptions/>
|
||||
</PolicyRule>
|
||||
<PolicyRule action="Accept" comment="This permits access from internal net to the Internet and DMZ" disabled="False" id="id40986B31" log="False" position="10">
|
||||
<PolicyRule id="id40986B31" comment="This permits access from internal net to the Internet and DMZ" action="Accept" disabled="False" log="False" position="10">
|
||||
<Src neg="False">
|
||||
<ObjectRef ref="id3DC75CE7-1"/>
|
||||
</Src>
|
||||
@ -1146,7 +794,7 @@
|
||||
</When>
|
||||
<PolicyRuleOptions/>
|
||||
</PolicyRule>
|
||||
<PolicyRule action="Deny" disabled="False" id="id40986B3B" log="True" position="11">
|
||||
<PolicyRule id="id40986B3B" action="Deny" disabled="False" log="True" position="11">
|
||||
<Src neg="False">
|
||||
<ObjectRef ref="sysid0"/>
|
||||
</Src>
|
||||
@ -1165,18 +813,18 @@
|
||||
<PolicyRuleOptions/>
|
||||
</PolicyRule>
|
||||
</Policy>
|
||||
<Routing id="id40986AFE-routing" name="Routing"/>
|
||||
<Interface bridgeport="False" comment="" dyn="False" id="id40986B45" label="outside" mgmt="False" name="eth0" security_level="0" unnum="False" unprotected="False">
|
||||
<IPv4 address="192.0.2.1" comment="This is a test address, change it to your real one" id="id40986E5B" name="fw 3:eth0:ip" netmask="255.255.255.0"/>
|
||||
<Routing id="id40986AFE-routing" name="Routing" ipv6_rule_set="False" top_rule_set="True"/>
|
||||
<Interface id="id40986B45" name="eth0" bridgeport="False" dyn="False" label="outside" mgmt="False" security_level="0" unnum="False" unprotected="False">
|
||||
<IPv4 id="id40986E5B" name="fw 3:eth0:ip" comment="This is a test address, change it to your real one" address="192.0.2.1" netmask="255.255.255.0"/>
|
||||
</Interface>
|
||||
<Interface bridgeport="False" comment="" dyn="False" id="id40986B52" label="inside" mgmt="True" name="eth1" security_level="100" unnum="False" unprotected="False">
|
||||
<IPv4 address="192.168.1.1" comment="" id="id40986B53" name="ip" netmask="255.255.255.0"/>
|
||||
<Interface id="id40986B52" name="eth1" bridgeport="False" dyn="False" label="inside" mgmt="True" security_level="100" unnum="False" unprotected="False">
|
||||
<IPv4 id="id40986B53" name="ip" address="192.168.1.1" netmask="255.255.255.0"/>
|
||||
</Interface>
|
||||
<Interface bridgeport="False" comment="" dyn="False" id="id40986B55" label="loopback" mgmt="False" name="lo" security_level="100" unnum="False" unprotected="False">
|
||||
<IPv4 address="127.0.0.1" comment="" id="id40986B56" name="lo:ip" netmask="255.0.0.0"/>
|
||||
<Interface id="id40986B55" name="lo" bridgeport="False" dyn="False" label="loopback" mgmt="False" security_level="100" unnum="False" unprotected="False">
|
||||
<IPv4 id="id40986B56" name="lo:ip" address="127.0.0.1" netmask="255.0.0.0"/>
|
||||
</Interface>
|
||||
<Interface bridgeport="False" comment="" dyn="False" id="id40986B67" label="dmz" mgmt="False" name="eth2" security_level="0" unnum="False" unprotected="False">
|
||||
<IPv4 address="192.168.2.1" comment="" id="id40986B69" name="ip" netmask="255.255.255.0"/>
|
||||
<Interface id="id40986B67" name="eth2" bridgeport="False" dyn="False" label="dmz" mgmt="False" security_level="0" unnum="False" unprotected="False">
|
||||
<IPv4 id="id40986B69" name="ip" address="192.168.2.1" netmask="255.255.255.0"/>
|
||||
</Interface>
|
||||
<Management address="0.0.0.0">
|
||||
<SNMPManagement enabled="False" snmp_read_community="" snmp_write_community=""/>
|
||||
@ -1223,10 +871,10 @@
|
||||
<Option name="verify_interfaces">true</Option>
|
||||
</FirewallOptions>
|
||||
</Firewall>
|
||||
<Firewall comment="This is an example of a firewall protecting a host ( a server or a workstation). Only SSH access to the host is permitted. Host has dynamic address." host_OS="unknown_os" id="id409878E4" lastCompiled="0" lastInstalled="0" lastModified="0" name="host fw template 1" platform="unknown" ro="False" version="">
|
||||
<NAT id="id409878E9" name="NAT"/>
|
||||
<Policy id="id409878F8" name="Policy">
|
||||
<PolicyRule action="Deny" comment="anti spoofing rule" direction="Inbound" disabled="False" id="id4098792D" log="True" position="6">
|
||||
<Firewall id="id409878E4" name="host fw template 1" comment="This is an example of a firewall protecting a host ( a server or a workstation). Only SSH access to the host is permitted. Host has dynamic address." host_OS="unknown_os" lastCompiled="0" lastInstalled="0" lastModified="0" platform="unknown" ro="False" version="">
|
||||
<NAT id="id409878E9" name="NAT" ipv6_rule_set="False" top_rule_set="True"/>
|
||||
<Policy id="id409878F8" name="Policy" ipv6_rule_set="False" top_rule_set="True">
|
||||
<PolicyRule id="id4098792D" comment="anti spoofing rule" action="Deny" direction="Inbound" disabled="False" log="True" position="6">
|
||||
<Src neg="False">
|
||||
<ObjectRef ref="id409878E4"/>
|
||||
</Src>
|
||||
@ -1244,7 +892,7 @@
|
||||
</When>
|
||||
<PolicyRuleOptions/>
|
||||
</PolicyRule>
|
||||
<PolicyRule action="Accept" direction="Both" disabled="False" id="id4098793E" log="False" position="7">
|
||||
<PolicyRule id="id4098793E" action="Accept" direction="Both" disabled="False" log="False" position="7">
|
||||
<Src neg="False">
|
||||
<ObjectRef ref="sysid0"/>
|
||||
</Src>
|
||||
@ -1262,7 +910,7 @@
|
||||
</When>
|
||||
<PolicyRuleOptions/>
|
||||
</PolicyRule>
|
||||
<PolicyRule action="Accept" comment="SSH Access to the host; useful ICMP types; ping request" disabled="False" id="id409878F9" log="False" position="2">
|
||||
<PolicyRule id="id409878F9" comment="SSH Access to the host; useful ICMP types; ping request" action="Accept" disabled="False" log="False" position="2">
|
||||
<Src neg="False">
|
||||
<ObjectRef ref="sysid0"/>
|
||||
</Src>
|
||||
@ -1282,7 +930,7 @@
|
||||
</When>
|
||||
<PolicyRuleOptions/>
|
||||
</PolicyRule>
|
||||
<PolicyRule action="Accept" comment="" disabled="False" id="id40987917" log="False" position="3">
|
||||
<PolicyRule id="id40987917" action="Accept" disabled="False" log="False" position="3">
|
||||
<Src neg="False">
|
||||
<ObjectRef ref="id409878E4"/>
|
||||
</Src>
|
||||
@ -1300,7 +948,7 @@
|
||||
</When>
|
||||
<PolicyRuleOptions/>
|
||||
</PolicyRule>
|
||||
<PolicyRule action="Deny" disabled="False" id="id40987921" log="True" position="4">
|
||||
<PolicyRule id="id40987921" action="Deny" disabled="False" log="True" position="4">
|
||||
<Src neg="False">
|
||||
<ObjectRef ref="sysid0"/>
|
||||
</Src>
|
||||
@ -1319,10 +967,10 @@
|
||||
<PolicyRuleOptions/>
|
||||
</PolicyRule>
|
||||
</Policy>
|
||||
<Routing id="id409878E4-routing" name="Routing"/>
|
||||
<Interface bridgeport="False" comment="" dyn="True" id="id4098792B" label="outside" mgmt="False" name="eth0" security_level="0" unnum="False" unprotected="False"/>
|
||||
<Interface bridgeport="False" comment="" dyn="False" id="id4098793B" label="loopback" mgmt="False" name="lo" security_level="100" unnum="False" unprotected="False">
|
||||
<IPv4 address="127.0.0.1" comment="" id="id4098793C" name="lo:ip" netmask="255.0.0.0"/>
|
||||
<Routing id="id409878E4-routing" name="Routing" ipv6_rule_set="False" top_rule_set="True"/>
|
||||
<Interface id="id4098792B" name="eth0" bridgeport="False" dyn="True" label="outside" mgmt="False" security_level="0" unnum="False" unprotected="False"/>
|
||||
<Interface id="id4098793B" name="lo" bridgeport="False" dyn="False" label="loopback" mgmt="False" security_level="100" unnum="False" unprotected="False">
|
||||
<IPv4 id="id4098793C" name="lo:ip" address="127.0.0.1" netmask="255.0.0.0"/>
|
||||
</Interface>
|
||||
<Management address="0.0.0.0">
|
||||
<SNMPManagement enabled="False" snmp_read_community="" snmp_write_community=""/>
|
||||
@ -1365,9 +1013,9 @@
|
||||
<Option name="verify_interfaces">true</Option>
|
||||
</FirewallOptions>
|
||||
</Firewall>
|
||||
<Firewall comment="This firewall is based on Linksys appliance running Sveasoft firmware; it has two interfaces. Interface vlan1 faces outside and has a dynamic address; br0 faces inside. Policy includes basic rules to permit unrestricted outbound access and anti-spoofing rules. Access to the firewall is permitted only from internal network and only using SSH or HTTP. The firewall uses name servers supplied by the ISP for DNS. Special rule blocks DHCP requests on external interface without logging to reduce noise in the log. Internal network is configured with address 192.168.1.0/255.255.255.0" host_OS="linksys" id="id41293477" lastCompiled="0" lastInstalled="0" lastModified="0" name="linksys firewall" platform="iptables" ro="False" version="">
|
||||
<NAT id="id412934D3" name="NAT">
|
||||
<NATRule disabled="False" id="id412934D4" position="0">
|
||||
<Firewall id="id41293477" name="linksys firewall" comment="This firewall is based on Linksys appliance running Sveasoft firmware; it has two interfaces. Interface vlan1 faces outside and has a dynamic address; br0 faces inside. Policy includes basic rules to permit unrestricted outbound access and anti-spoofing rules. Access to the firewall is permitted only from internal network and only using SSH or HTTP. The firewall uses name servers supplied by the ISP for DNS. Special rule blocks DHCP requests on external interface without logging to reduce noise in the log. Internal network is configured with address 192.168.1.0/255.255.255.0" host_OS="linksys" lastCompiled="0" lastInstalled="0" lastModified="0" platform="iptables" ro="False" version="">
|
||||
<NAT id="id412934D3" name="NAT" ipv6_rule_set="False" top_rule_set="True">
|
||||
<NATRule id="id412934D4" disabled="False" position="0">
|
||||
<OSrc neg="False">
|
||||
<ObjectRef ref="id3DC75CE7-1"/>
|
||||
</OSrc>
|
||||
@ -1389,8 +1037,8 @@
|
||||
<NATRuleOptions/>
|
||||
</NATRule>
|
||||
</NAT>
|
||||
<Policy id="id4129347C" name="Policy">
|
||||
<PolicyRule action="Deny" comment="anti spoofing rule" direction="Inbound" disabled="False" id="id412934E4" log="True" position="8">
|
||||
<Policy id="id4129347C" name="Policy" ipv6_rule_set="False" top_rule_set="True">
|
||||
<PolicyRule id="id412934E4" comment="anti spoofing rule" action="Deny" direction="Inbound" disabled="False" log="True" position="8">
|
||||
<Src neg="False">
|
||||
<ObjectRef ref="id41293477"/>
|
||||
<ObjectRef ref="id3DC75CE7-1"/>
|
||||
@ -1409,7 +1057,7 @@
|
||||
</When>
|
||||
<PolicyRuleOptions/>
|
||||
</PolicyRule>
|
||||
<PolicyRule action="Accept" direction="Both" disabled="False" id="id412934F5" log="False" position="9">
|
||||
<PolicyRule id="id412934F5" action="Accept" direction="Both" disabled="False" log="False" position="9">
|
||||
<Src neg="False">
|
||||
<ObjectRef ref="sysid0"/>
|
||||
</Src>
|
||||
@ -1427,7 +1075,7 @@
|
||||
</When>
|
||||
<PolicyRuleOptions/>
|
||||
</PolicyRule>
|
||||
<PolicyRule action="Deny" disabled="False" id="id4129347D" log="False" position="2">
|
||||
<PolicyRule id="id4129347D" action="Deny" disabled="False" log="False" position="2">
|
||||
<Src neg="False">
|
||||
<ObjectRef ref="sysid0"/>
|
||||
</Src>
|
||||
@ -1445,7 +1093,7 @@
|
||||
</When>
|
||||
<PolicyRuleOptions/>
|
||||
</PolicyRule>
|
||||
<PolicyRule action="Accept" comment="SSH Access to firewall is permitted only from internal network" disabled="False" id="id41293488" log="False" position="3">
|
||||
<PolicyRule id="id41293488" comment="SSH Access to firewall is permitted only from internal network" action="Accept" disabled="False" log="False" position="3">
|
||||
<Src neg="False">
|
||||
<ObjectRef ref="id3DC75CE7-1"/>
|
||||
</Src>
|
||||
@ -1467,7 +1115,7 @@
|
||||
</When>
|
||||
<PolicyRuleOptions/>
|
||||
</PolicyRule>
|
||||
<PolicyRule action="Accept" comment="need this rule for ping and traceroute" disabled="False" id="id41293496" log="False" position="4">
|
||||
<PolicyRule id="id41293496" comment="need this rule for ping and traceroute" action="Accept" disabled="False" log="False" position="4">
|
||||
<Src neg="False">
|
||||
<ObjectRef ref="id41293477"/>
|
||||
</Src>
|
||||
@ -1496,7 +1144,7 @@
|
||||
<Option name="ulog_nlgroup">1</Option>
|
||||
</PolicyRuleOptions>
|
||||
</PolicyRule>
|
||||
<PolicyRule action="Accept" comment="" disabled="False" id="id412934A1" log="False" position="5">
|
||||
<PolicyRule id="id412934A1" action="Accept" disabled="False" log="False" position="5">
|
||||
<Src neg="False">
|
||||
<ObjectRef ref="id41293477"/>
|
||||
</Src>
|
||||
@ -1514,7 +1162,7 @@
|
||||
</When>
|
||||
<PolicyRuleOptions/>
|
||||
</PolicyRule>
|
||||
<PolicyRule action="Deny" comment="All other attempts to connect to the firewall are denied and logged" disabled="False" id="id412934AB" log="True" position="6">
|
||||
<PolicyRule id="id412934AB" comment="All other attempts to connect to the firewall are denied and logged" action="Deny" disabled="False" log="True" position="6">
|
||||
<Src neg="False">
|
||||
<ObjectRef ref="sysid0"/>
|
||||
</Src>
|
||||
@ -1532,7 +1180,7 @@
|
||||
</When>
|
||||
<PolicyRuleOptions/>
|
||||
</PolicyRule>
|
||||
<PolicyRule action="Accept" disabled="False" id="id412934B5" log="False" position="7">
|
||||
<PolicyRule id="id412934B5" action="Accept" disabled="False" log="False" position="7">
|
||||
<Src neg="False">
|
||||
<ObjectRef ref="sysid0"/>
|
||||
</Src>
|
||||
@ -1550,7 +1198,7 @@
|
||||
</When>
|
||||
<PolicyRuleOptions/>
|
||||
</PolicyRule>
|
||||
<PolicyRule action="Accept" comment="" disabled="False" id="id412934BF" log="False" position="8">
|
||||
<PolicyRule id="id412934BF" action="Accept" disabled="False" log="False" position="8">
|
||||
<Src neg="False">
|
||||
<ObjectRef ref="id3DC75CE7-1"/>
|
||||
</Src>
|
||||
@ -1568,7 +1216,7 @@
|
||||
</When>
|
||||
<PolicyRuleOptions/>
|
||||
</PolicyRule>
|
||||
<PolicyRule action="Deny" disabled="False" id="id412934C9" log="True" position="9">
|
||||
<PolicyRule id="id412934C9" action="Deny" disabled="False" log="True" position="9">
|
||||
<Src neg="False">
|
||||
<ObjectRef ref="sysid0"/>
|
||||
</Src>
|
||||
@ -1587,13 +1235,13 @@
|
||||
<PolicyRuleOptions/>
|
||||
</PolicyRule>
|
||||
</Policy>
|
||||
<Routing id="id41293477-routing" name="Routing"/>
|
||||
<Interface bridgeport="False" comment="" dyn="True" id="id412934E2" label="outside" mgmt="False" name="vlan1" security_level="0" unnum="False" unprotected="False"/>
|
||||
<Interface bridgeport="False" comment="" dyn="False" id="id412934EF" label="inside" mgmt="True" name="br0" security_level="100" unnum="False" unprotected="False">
|
||||
<IPv4 address="192.168.1.1" comment="" id="id412934F0" name="linksys firewall:br0:ip" netmask="255.255.255.0"/>
|
||||
<Routing id="id41293477-routing" name="Routing" ipv6_rule_set="False" top_rule_set="True"/>
|
||||
<Interface id="id412934E2" name="vlan1" bridgeport="False" dyn="True" label="outside" mgmt="False" security_level="0" unnum="False" unprotected="False"/>
|
||||
<Interface id="id412934EF" name="br0" bridgeport="False" dyn="False" label="inside" mgmt="True" security_level="100" unnum="False" unprotected="False">
|
||||
<IPv4 id="id412934F0" name="linksys firewall:br0:ip" address="192.168.1.1" netmask="255.255.255.0"/>
|
||||
</Interface>
|
||||
<Interface bridgeport="False" comment="" dyn="False" id="id412934F2" label="loopback" mgmt="False" name="lo" security_level="100" unnum="False" unprotected="False">
|
||||
<IPv4 address="127.0.0.1" comment="" id="id412934F3" name="linksys firewall:lo:ip" netmask="255.0.0.0"/>
|
||||
<Interface id="id412934F2" name="lo" bridgeport="False" dyn="False" label="loopback" mgmt="False" security_level="100" unnum="False" unprotected="False">
|
||||
<IPv4 id="id412934F3" name="linksys firewall:lo:ip" address="127.0.0.1" netmask="255.0.0.0"/>
|
||||
</Interface>
|
||||
<Management address="192.168.1.1">
|
||||
<SNMPManagement enabled="False" snmp_read_community="" snmp_write_community=""/>
|
||||
@ -1692,10 +1340,10 @@
|
||||
<Option name="verify_interfaces">True</Option>
|
||||
</FirewallOptions>
|
||||
</Firewall>
|
||||
<Firewall comment="" host_OS="linux24" id="id4129355E" lastCompiled="0" lastInstalled="0" lastModified="0" name="web server" platform="iptables" ro="False" version="">
|
||||
<NAT id="id41293598" name="NAT"/>
|
||||
<Policy id="id41293563" name="Policy">
|
||||
<PolicyRule action="Deny" direction="Inbound" disabled="False" id="id4129359C" log="True" position="10">
|
||||
<Firewall id="id4129355E" name="web server" host_OS="linux24" lastCompiled="0" lastInstalled="0" lastModified="0" platform="iptables" ro="False" version="">
|
||||
<NAT id="id41293598" name="NAT" ipv6_rule_set="False" top_rule_set="True"/>
|
||||
<Policy id="id41293563" name="Policy" ipv6_rule_set="False" top_rule_set="True">
|
||||
<PolicyRule id="id4129359C" action="Deny" direction="Inbound" disabled="False" log="True" position="10">
|
||||
<Src neg="False">
|
||||
<ObjectRef ref="id4129355E"/>
|
||||
</Src>
|
||||
@ -1713,7 +1361,7 @@
|
||||
</When>
|
||||
<PolicyRuleOptions/>
|
||||
</PolicyRule>
|
||||
<PolicyRule action="Accept" direction="Both" disabled="False" id="id412935A9" log="False" position="11">
|
||||
<PolicyRule id="id412935A9" action="Accept" direction="Both" disabled="False" log="False" position="11">
|
||||
<Src neg="False">
|
||||
<ObjectRef ref="sysid0"/>
|
||||
</Src>
|
||||
@ -1731,7 +1379,7 @@
|
||||
</When>
|
||||
<PolicyRuleOptions/>
|
||||
</PolicyRule>
|
||||
<PolicyRule action="Accept" disabled="False" id="id41293564" log="False" position="2">
|
||||
<PolicyRule id="id41293564" action="Accept" disabled="False" log="False" position="2">
|
||||
<Src neg="False">
|
||||
<ObjectRef ref="sysid0"/>
|
||||
</Src>
|
||||
@ -1751,7 +1399,7 @@
|
||||
</When>
|
||||
<PolicyRuleOptions/>
|
||||
</PolicyRule>
|
||||
<PolicyRule action="Accept" comment="server needs DNS to back-resolve clients IPs. Even if it does not log host names during its normal operations, statistics scripts such as webalizer need it for reporting." disabled="False" id="id41293570" log="False" position="3">
|
||||
<PolicyRule id="id41293570" comment="server needs DNS to back-resolve clients IPs. Even if it does not log host names during its normal operations, statistics scripts such as webalizer need it for reporting." action="Accept" disabled="False" log="False" position="3">
|
||||
<Src neg="False">
|
||||
<ObjectRef ref="id4129355E"/>
|
||||
</Src>
|
||||
@ -1769,7 +1417,7 @@
|
||||
</When>
|
||||
<PolicyRuleOptions/>
|
||||
</PolicyRule>
|
||||
<PolicyRule action="Accept" comment="this rule allows the server to send statistics and reports via email. Disable this rule if you do not need it." disabled="False" id="id4129357A" log="False" position="4">
|
||||
<PolicyRule id="id4129357A" comment="this rule allows the server to send statistics and reports via email. Disable this rule if you do not need it." action="Accept" disabled="False" log="False" position="4">
|
||||
<Src neg="False">
|
||||
<ObjectRef ref="id4129355E"/>
|
||||
</Src>
|
||||
@ -1787,7 +1435,7 @@
|
||||
</When>
|
||||
<PolicyRuleOptions/>
|
||||
</PolicyRule>
|
||||
<PolicyRule action="Reject" comment="this rejects auth (ident) queries that remote mail relays may send to this server when it tries to send email out." disabled="False" id="id41293584" log="False" position="5">
|
||||
<PolicyRule id="id41293584" comment="this rejects auth (ident) queries that remote mail relays may send to this server when it tries to send email out." action="Reject" disabled="False" log="False" position="5">
|
||||
<Src neg="False">
|
||||
<ObjectRef ref="sysid0"/>
|
||||
</Src>
|
||||
@ -1805,7 +1453,7 @@
|
||||
</When>
|
||||
<PolicyRuleOptions/>
|
||||
</PolicyRule>
|
||||
<PolicyRule action="Deny" disabled="False" id="id4129358E" log="True" position="6">
|
||||
<PolicyRule id="id4129358E" action="Deny" disabled="False" log="True" position="6">
|
||||
<Src neg="False">
|
||||
<ObjectRef ref="sysid0"/>
|
||||
</Src>
|
||||
@ -1824,12 +1472,12 @@
|
||||
<PolicyRuleOptions/>
|
||||
</PolicyRule>
|
||||
</Policy>
|
||||
<Routing id="id4129355E-routing" name="Routing"/>
|
||||
<Interface bridgeport="False" comment="" dyn="False" id="id41293599" label="outside" mgmt="True" name="eth0" security_level="0" unnum="False" unprotected="False">
|
||||
<IPv4 address="192.168.1.10" id="id4129359A" name="web server:eth0:ip" netmask="255.255.255.0"/>
|
||||
<Routing id="id4129355E-routing" name="Routing" ipv6_rule_set="False" top_rule_set="True"/>
|
||||
<Interface id="id41293599" name="eth0" bridgeport="False" dyn="False" label="outside" mgmt="True" security_level="0" unnum="False" unprotected="False">
|
||||
<IPv4 id="id4129359A" name="web server:eth0:ip" address="192.168.1.10" netmask="255.255.255.0"/>
|
||||
</Interface>
|
||||
<Interface bridgeport="False" dyn="False" id="id412935A6" label="loopback" name="lo" security_level="100" unnum="False" unprotected="False">
|
||||
<IPv4 address="127.0.0.1" id="id412935A7" name="web server:lo:ip" netmask="255.0.0.0"/>
|
||||
<Interface id="id412935A6" name="lo" bridgeport="False" dyn="False" label="loopback" security_level="100" unnum="False" unprotected="False">
|
||||
<IPv4 id="id412935A7" name="web server:lo:ip" address="127.0.0.1" netmask="255.0.0.0"/>
|
||||
</Interface>
|
||||
<Management address="192.168.1.10">
|
||||
<SNMPManagement enabled="False" snmp_read_community="" snmp_write_community=""/>
|
||||
@ -1888,10 +1536,10 @@
|
||||
<Option name="verify_interfaces">True</Option>
|
||||
</FirewallOptions>
|
||||
</Firewall>
|
||||
<Firewall comment="An example of Cisco router" host_OS="ios" id="id4699503132343" inactive="False" lastCompiled="0" lastInstalled="0" lastModified="1184450093" name="c36xx" platform="iosacl" ro="False" version="12.x">
|
||||
<NAT id="id4699503532343" name="NAT"/>
|
||||
<Policy id="id4699503432343" name="Policy">
|
||||
<PolicyRule action="Deny" comment="anti-spoofing rule" direction="Inbound" disabled="False" id="id46995E2832343" log="True" position="0">
|
||||
<Firewall id="id4699503132343" name="c36xx" comment="An example of Cisco router" host_OS="ios" inactive="False" lastCompiled="0" lastInstalled="0" lastModified="1184450093" platform="iosacl" ro="False" version="12.x">
|
||||
<NAT id="id4699503532343" name="NAT" ipv6_rule_set="False" top_rule_set="True"/>
|
||||
<Policy id="id4699503432343" name="Policy" ipv6_rule_set="False" top_rule_set="True">
|
||||
<PolicyRule id="id46995E2832343" comment="anti-spoofing rule" action="Deny" direction="Inbound" disabled="False" log="True" position="0">
|
||||
<Src neg="False">
|
||||
<ObjectRef ref="id3DC75CE7-1"/>
|
||||
<ObjectRef ref="id4699503132343"/>
|
||||
@ -1912,7 +1560,7 @@
|
||||
<Option name="stateless">True</Option>
|
||||
</PolicyRuleOptions>
|
||||
</PolicyRule>
|
||||
<PolicyRule action="Accept" direction="Inbound" disabled="False" id="id469954CB32343" log="False" position="1">
|
||||
<PolicyRule id="id469954CB32343" action="Accept" direction="Inbound" disabled="False" log="False" position="1">
|
||||
<Src neg="False">
|
||||
<ObjectRef ref="id3DC75CE7-1"/>
|
||||
</Src>
|
||||
@ -1932,7 +1580,7 @@
|
||||
<Option name="stateless">False</Option>
|
||||
</PolicyRuleOptions>
|
||||
</PolicyRule>
|
||||
<PolicyRule action="Deny" direction="Both" disabled="False" id="id469954DA32343" log="True" position="2">
|
||||
<PolicyRule id="id469954DA32343" action="Deny" direction="Both" disabled="False" log="True" position="2">
|
||||
<Src neg="False">
|
||||
<ObjectRef ref="sysid0"/>
|
||||
</Src>
|
||||
@ -1952,7 +1600,7 @@
|
||||
<Option name="stateless">True</Option>
|
||||
</PolicyRuleOptions>
|
||||
</PolicyRule>
|
||||
<PolicyRule action="Deny" direction="Both" disabled="False" id="id469954B332343" log="True" position="3">
|
||||
<PolicyRule id="id469954B332343" action="Deny" direction="Both" disabled="False" log="True" position="3">
|
||||
<Src neg="False">
|
||||
<ObjectRef ref="sysid0"/>
|
||||
</Src>
|
||||
@ -1973,18 +1621,18 @@
|
||||
</PolicyRuleOptions>
|
||||
</PolicyRule>
|
||||
</Policy>
|
||||
<Routing id="id4699503632343" name="Routing"/>
|
||||
<Interface bridgeport="False" comment="" dyn="False" id="id4699503732343" label="" mgmt="False" name="Ethernet1/0" security_level="0" unnum="False" unprotected="False">
|
||||
<IPv4 address="192.0.2.1" comment="" id="id4699503832343" name="c36xx:Ethernet1/0:ip" netmask="255.255.255.0"/>
|
||||
<Routing id="id4699503632343" name="Routing" ipv6_rule_set="False" top_rule_set="True"/>
|
||||
<Interface id="id4699503732343" name="Ethernet1/0" bridgeport="False" dyn="False" label="" mgmt="False" security_level="0" unnum="False" unprotected="False">
|
||||
<IPv4 id="id4699503832343" name="c36xx:Ethernet1/0:ip" address="192.0.2.1" netmask="255.255.255.0"/>
|
||||
</Interface>
|
||||
<Interface bridgeport="False" dyn="False" id="id4699503932343" label="" name="Ethernet1/1" security_level="50" unnum="False" unprotected="False">
|
||||
<IPv4 address="0.0.0.0" comment="Configure IP address and netmask for this interface" id="id4699503A32343" name="c36xx:Ethernet1/1:ip" netmask="0.0.0.0"/>
|
||||
<Interface id="id4699503932343" name="Ethernet1/1" bridgeport="False" dyn="False" label="" security_level="50" unnum="False" unprotected="False">
|
||||
<IPv4 id="id4699503A32343" name="c36xx:Ethernet1/1:ip" comment="Configure IP address and netmask for this interface" address="0.0.0.0" netmask="0.0.0.0"/>
|
||||
</Interface>
|
||||
<Interface bridgeport="False" comment="" dyn="False" id="id4699503B32343" label="" mgmt="True" name="FastEthernet0/0" security_level="100" unnum="False" unprotected="False">
|
||||
<IPv4 address="192.168.1.1" comment="" id="id4699503C32343" name="c36xx:FastEthernet0/0:ip" netmask="255.255.255.0"/>
|
||||
<Interface id="id4699503B32343" name="FastEthernet0/0" bridgeport="False" dyn="False" label="" mgmt="True" security_level="100" unnum="False" unprotected="False">
|
||||
<IPv4 id="id4699503C32343" name="c36xx:FastEthernet0/0:ip" address="192.168.1.1" netmask="255.255.255.0"/>
|
||||
</Interface>
|
||||
<Interface bridgeport="False" comment="" dyn="False" id="id4699503F32343" label="" mgmt="False" name="Serial1/0" security_level="0" unnum="False" unprotected="False">
|
||||
<IPv4 address="0.0.0.0" comment="Configure IP address and netmask for this interface" id="id4699504032343" name="c36xx:Serial1/0:ip" netmask="0.0.0.0"/>
|
||||
<Interface id="id4699503F32343" name="Serial1/0" bridgeport="False" dyn="False" label="" mgmt="False" security_level="0" unnum="False" unprotected="False">
|
||||
<IPv4 id="id4699504032343" name="c36xx:Serial1/0:ip" comment="Configure IP address and netmask for this interface" address="0.0.0.0" netmask="0.0.0.0"/>
|
||||
</Interface>
|
||||
<Management address="192.168.1.1">
|
||||
<SNMPManagement enabled="False" snmp_read_community="" snmp_write_community=""/>
|
||||
@ -2065,10 +1713,102 @@
|
||||
</ObjectGroup>
|
||||
<IntervalGroup id="id4070BBA9" name="Time"/>
|
||||
</Library>
|
||||
<Library id="sysid99" name="Deleted Objects" ro="False">
|
||||
<Interface bridgeport="False" dyn="False" id="id4699503D32343" label="" name="Null0" security_level="100" unnum="False" unprotected="False">
|
||||
<IPv4 address="0.0.0.0" id="id4699503E32343" name="c36xx:Null0:ip" netmask="255.255.255.255"/>
|
||||
</Interface>
|
||||
<ObjectRef ref="sysid0"/>
|
||||
<Library id="syslib000" name="Standard" comment="Standard objects" color="#d4f8ff" ro="True">
|
||||
<ObjectGroup id="stdid01" name="Objects">
|
||||
<ObjectGroup id="stdid03" name="Networks">
|
||||
<Network id="id3DC75CE7-1" name="net-192.168.1.0" comment="192.168.1.0/24 - Address often used for home and small office networks. " address="192.168.1.0" netmask="255.255.255.0"/>
|
||||
<Network id="id3DC75CE7-2" name="net-192.168.2.0" comment="192.168.2.0/24 - Address often used for home and small office networks. " address="192.168.2.0" netmask="255.255.255.0"/>
|
||||
</ObjectGroup>
|
||||
<ObjectGroup id="stdid15" name="Address Ranges">
|
||||
<AddressRange id="id3F6D115D" name="old-broadcast" start_address="0.0.0.0" end_address="0.0.0.0"/>
|
||||
<AddressRange id="id3F6D115C" name="broadcast" start_address="255.255.255.255" end_address="255.255.255.255"/>
|
||||
</ObjectGroup>
|
||||
<ObjectGroup id="stdid02" name="Hosts">
|
||||
<Host id="id3D84EECE" name="internal server" comment="This host is used in examples and template objects">
|
||||
<Interface id="id3D84EED2" name="eth0" bridgeport="False" dyn="False" security_level="0" unnum="False" unprotected="False">
|
||||
<IPv4 id="id3D84EED3" name="ip" address="192.168.1.10" netmask="255.255.255.0"/>
|
||||
</Interface>
|
||||
<Management address="192.168.1.10">
|
||||
<SNMPManagement enabled="False" snmp_read_community="" snmp_write_community=""/>
|
||||
<FWBDManagement enabled="False" identity="" port="-1"/>
|
||||
<PolicyInstallScript arguments="" command="" enabled="False"/>
|
||||
</Management>
|
||||
<HostOptions>
|
||||
<Option name="snmp_contact"></Option>
|
||||
<Option name="snmp_description"></Option>
|
||||
<Option name="snmp_location"></Option>
|
||||
<Option name="use_mac_addr">false</Option>
|
||||
<Option name="use_mac_addr_filter">False</Option>
|
||||
</HostOptions>
|
||||
</Host>
|
||||
<Host id="id3D84EECF" name="server on dmz" comment="This host is used in examples and template objects">
|
||||
<Interface id="id3D84EEE3" name="eth0" bridgeport="False" dyn="False" security_level="0" unnum="False" unprotected="False">
|
||||
<IPv4 id="id3D84EEE4" name="ip" address="192.168.2.10" netmask="255.255.255.0"/>
|
||||
</Interface>
|
||||
<Management address="192.168.2.10">
|
||||
<SNMPManagement enabled="False" snmp_read_community="" snmp_write_community=""/>
|
||||
<FWBDManagement enabled="False" identity="" port="-1"/>
|
||||
<PolicyInstallScript arguments="" command="" enabled="False"/>
|
||||
</Management>
|
||||
<HostOptions>
|
||||
<Option name="snmp_contact"></Option>
|
||||
<Option name="snmp_description"></Option>
|
||||
<Option name="snmp_location"></Option>
|
||||
<Option name="use_mac_addr">false</Option>
|
||||
<Option name="use_mac_addr_filter">False</Option>
|
||||
</HostOptions>
|
||||
</Host>
|
||||
</ObjectGroup>
|
||||
</ObjectGroup>
|
||||
<AnyNetwork id="sysid0" name="Any" comment="Any Network" address="0.0.0.0" netmask="0.0.0.0"/>
|
||||
<AnyIPService id="sysid1" name="Any" comment="Any IP Service" protocol_num="0"/>
|
||||
<AnyInterval id="sysid2" name="Any" comment="Any Interval" days_of_week="0,1,2,3,4,5,6" from_day="-1" from_hour="-1" from_minute="-1" from_month="-1" from_weekday="-1" from_year="-1" to_day="-1" to_hour="-1" to_minute="-1" to_month="-1" to_weekday="-1" to_year="-1"/>
|
||||
<ServiceGroup id="stdid05" name="Services">
|
||||
<ServiceGroup id="stdid09" name="TCP">
|
||||
<TCPService id="tcp-SSH" name="ssh" ack_flag="False" ack_flag_mask="False" fin_flag="False" fin_flag_mask="False" psh_flag="False" psh_flag_mask="False" rst_flag="False" rst_flag_mask="False" syn_flag="False" syn_flag_mask="False" urg_flag="False" urg_flag_mask="False" src_range_start="0" src_range_end="0" dst_range_start="22" dst_range_end="22"/>
|
||||
<TCPService id="tcp-Auth" name="auth" ack_flag="False" ack_flag_mask="False" fin_flag="False" fin_flag_mask="False" psh_flag="False" psh_flag_mask="False" rst_flag="False" rst_flag_mask="False" syn_flag="False" syn_flag_mask="False" urg_flag="False" urg_flag_mask="False" src_range_start="0" src_range_end="0" dst_range_start="113" dst_range_end="113"/>
|
||||
<TCPService id="tcp-SMTP" name="smtp" ack_flag="False" ack_flag_mask="False" fin_flag="False" fin_flag_mask="False" psh_flag="False" psh_flag_mask="False" rst_flag="False" rst_flag_mask="False" syn_flag="False" syn_flag_mask="False" urg_flag="False" urg_flag_mask="False" src_range_start="0" src_range_end="0" dst_range_start="25" dst_range_end="25"/>
|
||||
<TCPService id="tcp-HTTP" name="http" ack_flag="False" ack_flag_mask="False" fin_flag="False" fin_flag_mask="False" psh_flag="False" psh_flag_mask="False" rst_flag="False" rst_flag_mask="False" syn_flag="False" syn_flag_mask="False" urg_flag="False" urg_flag_mask="False" src_range_start="0" src_range_end="0" dst_range_start="80" dst_range_end="80"/>
|
||||
<TCPService id="tcp-DNS" name="domain" ack_flag="False" ack_flag_mask="False" fin_flag="False" fin_flag_mask="False" psh_flag="False" psh_flag_mask="False" rst_flag="False" rst_flag_mask="False" syn_flag="False" syn_flag_mask="False" urg_flag="False" urg_flag_mask="False" src_range_start="0" src_range_end="0" dst_range_start="53" dst_range_end="53"/>
|
||||
<TCPService id="id41291784" name="upnp" ack_flag="False" ack_flag_mask="False" fin_flag="False" fin_flag_mask="False" psh_flag="False" psh_flag_mask="False" rst_flag="False" rst_flag_mask="False" syn_flag="False" syn_flag_mask="False" urg_flag="False" urg_flag_mask="False" src_range_start="0" src_range_end="0" dst_range_start="5000" dst_range_end="5000"/>
|
||||
<TCPService id="id41291785" name="upnp-5431" comment="Although UPnP specification say it should use TCP port 5000, Linksys running Sveasoft firmware listens on port 5431" ack_flag="False" ack_flag_mask="False" fin_flag="False" fin_flag_mask="False" psh_flag="False" psh_flag_mask="False" rst_flag="False" rst_flag_mask="False" syn_flag="False" syn_flag_mask="False" urg_flag="False" urg_flag_mask="False" src_range_start="0" src_range_end="0" dst_range_start="5431" dst_range_end="5431"/>
|
||||
<TCPService id="id412Z18A9" name="icslap" comment="Sometimes this protocol is called icslap, but Microsoft does not call it that and just says that DSPP uses port 2869 in Windows XP SP2" ack_flag="False" ack_flag_mask="False" fin_flag="False" fin_flag_mask="False" psh_flag="False" psh_flag_mask="False" rst_flag="False" rst_flag_mask="False" syn_flag="False" syn_flag_mask="False" urg_flag="False" urg_flag_mask="False" src_range_start="0" src_range_end="0" dst_range_start="2869" dst_range_end="2869"/>
|
||||
</ServiceGroup>
|
||||
<ServiceGroup id="stdid10" name="Groups">
|
||||
<ServiceGroup id="id3F530CC8" name="DNS">
|
||||
<ServiceRef ref="udp-DNS"/>
|
||||
<ServiceRef ref="tcp-DNS"/>
|
||||
</ServiceGroup>
|
||||
<ServiceGroup id="sg-DHCP" name="DHCP">
|
||||
<ServiceRef ref="udp-bootpc"/>
|
||||
<ServiceRef ref="udp-bootps"/>
|
||||
</ServiceGroup>
|
||||
<ServiceGroup id="sg-Useful_ICMP" name="Useful_ICMP">
|
||||
<ServiceRef ref="icmp-Time_exceeded"/>
|
||||
<ServiceRef ref="icmp-Time_exceeded_in_transit"/>
|
||||
<ServiceRef ref="icmp-ping_reply"/>
|
||||
<ServiceRef ref="icmp-Unreachables"/>
|
||||
</ServiceGroup>
|
||||
<ServiceGroup id="id41291786" name="UPnP">
|
||||
<ServiceRef ref="id41291784"/>
|
||||
<ServiceRef ref="id41291785"/>
|
||||
<ServiceRef ref="id41291783"/>
|
||||
<ServiceRef ref="id412Z18A9"/>
|
||||
</ServiceGroup>
|
||||
</ServiceGroup>
|
||||
<ServiceGroup id="stdid07" name="ICMP">
|
||||
<ICMPService id="icmp-ping_request" name="ping request" code="0" type="8"/>
|
||||
<ICMPService id="icmp-ping_reply" name="ping reply" code="0" type="0"/>
|
||||
<ICMPService id="icmp-Time_exceeded" name="time exceeded" comment="ICMP messages of this type are needed for traceroute" code="0" type="11"/>
|
||||
<ICMPService id="icmp-Unreachables" name="all ICMP unreachables" code="-1" type="3"/>
|
||||
<ICMPService id="icmp-Time_exceeded_in_transit" name="time exceeded in transit" code="1" type="11"/>
|
||||
</ServiceGroup>
|
||||
<ServiceGroup id="stdid08" name="UDP">
|
||||
<UDPService id="udp-DNS" name="domain" src_range_start="0" src_range_end="0" dst_range_start="53" dst_range_end="53"/>
|
||||
<UDPService id="udp-bootpc" name="bootpc" src_range_start="0" src_range_end="0" dst_range_start="68" dst_range_end="68"/>
|
||||
<UDPService id="udp-bootps" name="bootps" src_range_start="0" src_range_end="0" dst_range_start="67" dst_range_end="67"/>
|
||||
<UDPService id="id41291783" name="SSDP" comment="Simple Service Discovery Protocol (used for UPnP)" src_range_start="0" src_range_end="0" dst_range_start="1900" dst_range_end="1900"/>
|
||||
</ServiceGroup>
|
||||
</ServiceGroup>
|
||||
</Library>
|
||||
</FWObjectDatabase>
|
||||
|
||||
Loading…
x
Reference in New Issue
Block a user