📄 fwservices.xml
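<?xml version="1.0"?>
<!--
  Catalogue of named firewall services. Each <service> is a list of <filter>
  elements; the attributes seen in this file are:
    direction  "go" or "back" (presumably request path and reply path between
               the two zones of a rule; confirm against the loader)
    p          protocol name (tcp, udp, icmp) or IP protocol number (50, 51)
    sport      source port or low:high range
    dport      destination port or low:high range
    state      comma-separated connection-tracking states
    jump       explicit target (ACCEPT or a chain name); what applies when it
               is absent is decided by the loader and is not visible here
    ICMPTYPE   ICMP message type name
  The literal value PORT in the generic tcp and udp services looks like a
  placeholder filled in by the loader; confirm before relying on it.
  XML names are case-sensitive, so attribute spelling is kept uniform below.
-->
<services>

  <!-- Both filters are unconstrained (no protocol, port or state), so this
       service matches every packet in both directions. A rule that uses it
       applies no service-level filtering at all. -->
  <service name="all" description="All services opened">
    <filter direction="go"/>
    <filter direction="back"/>
  </service>

  <service name="tcp" description="Generic TCP protocol">
    <filter direction="go" p="tcp" dport="PORT"/>
    <filter direction="back" p="tcp" sport="PORT"/>
  </service>

  <!-- The jump target ICMP-ACC is not defined in the visible part of this
       file; it has to be created by whatever loads these services. -->
  <service name="icmp_acc" description="Essential ICMP messages">
    <filter direction="go" p="icmp" jump="ICMP-ACC"/>
  </service>

  <service name="icmp_all" description="All ICMP messages">
    <filter direction="go" p="icmp"/>
    <filter direction="back" p="icmp"/>
  </service>

  <service name="ping" description="ICMP messages echo-request and echo-reply">
    <filter direction="go" p="icmp" ICMPTYPE="echo-request"/>
    <filter direction="back" p="icmp" ICMPTYPE="echo-reply"/>
  </service>

  <service name="udp" description="Generic UDP protocol">
    <filter direction="go" p="udp" dport="PORT"/>
    <filter direction="back" p="udp" sport="PORT"/>
  </service>

  <service name="ftp" description="File Transfer Protocol">
    <!-- Control channel. -->
    <filter direction="go" p="tcp" dport="21"/>
    <filter direction="back" p="tcp" sport="21"/>
    <!-- 1) Active ftp.
         This involves an inbound connection from port 20 on the remote
         machine to a local port passed over the ftp channel via a PORT
         command. The ip_conntrack_ftp module recognizes the connection as
         RELATED to the original outgoing connection to port 21, so NEW is
         not needed as a state match. -->
    <filter direction="go" p="tcp" dport="20" state="ESTABLISHED"/>
    <filter direction="back" p="tcp" sport="20" state="ESTABLISHED,RELATED" jump="ACCEPT"/>
    <!-- 2) Passive ftp.
         This involves an outbound connection from a port above 1023 on the
         local machine to a port above 1023 on the remote machine, which the
         server announced over the ftp channel in its reply to the PASV
         command. The ip_conntrack_ftp module recognizes the connection as
         RELATED to the original outgoing connection to port 21, so NEW is
         not needed as a state match.
         The state match is the only thing narrowing these two filters: the
         port ranges cover every unprivileged port, and RELATED only matches
         when the ftp connection-tracking helper is loaded. -->
    <!-- Attribute name normalized from "P" to "p" to match every other
         filter in this file; a loader that looks up "p" literally would
         otherwise read this filter as having no protocol. -->
    <filter direction="go" p="tcp" sport="1024:65535" dport="1024:65535" state="ESTABLISHED,RELATED"/>
    <filter direction="back" p="tcp" sport="1024:65535" dport="1024:65535" state="ESTABLISHED" jump="ACCEPT"/>
  </service>

  <service name="dns" description="Domain Name Service">
    <filter direction="go" p="tcp" dport="53"/>
    <filter direction="back" p="tcp" sport="53"/>
    <filter direction="go" p="udp" dport="53"/>
    <filter direction="back" p="udp" sport="53"/>
  </service>

  <!-- "www" and "http" are two names for the same pair of filters. -->
  <service name="www" description="World Wide Web HTTP">
    <filter direction="go" p="tcp" dport="80"/>
    <filter direction="back" p="tcp" sport="80"/>
  </service>

  <service name="http" description="World Wide Web HTTP">
    <filter direction="go" p="tcp" dport="80"/>
    <filter direction="back" p="tcp" sport="80"/>
  </service>

  <service name="https" description="HTTP protocol over TLS/SSL">
    <filter direction="go" p="tcp" dport="443"/>
    <filter direction="back" p="tcp" sport="443"/>
  </service>

  <service name="auth" description="Authentication Service">
    <filter direction="go" p="tcp" dport="113"/>
    <filter direction="back" p="tcp" sport="113"/>
  </service>

  <service name="smtp" description="Simple Mail Transfer Protocol">
    <filter direction="go" p="tcp" dport="25"/>
    <filter direction="back" p="tcp" sport="25"/>
  </service>

  <service name="pop3" description="Post Office Protocol version 3">
    <filter direction="go" p="tcp" dport="110"/>
    <filter direction="back" p="tcp" sport="110"/>
  </service>

  <service name="imap" description="Internet Message Access Protocol">
    <filter direction="go" p="tcp" dport="143"/>
    <filter direction="back" p="tcp" sport="143"/>
  </service>

  <service name="ssh" description="Secure Shell Protocol">
    <filter direction="go" p="tcp" dport="22"/>
    <filter direction="back" p="tcp" sport="22"/>
  </service>

  <service name="ntp" description="Network Time Protocol">
    <filter direction="go" p="udp" dport="123"/>
    <filter direction="back" p="udp" sport="123"/>
  </service>

  <service name="netbios_ns" description="NETBIOS Name Service">
    <filter direction="go" p="udp" dport="137"/>
    <filter direction="back" p="udp" sport="137"/>
  </service>

  <!-- Besides the NetBIOS ports 137, 138 and 139 this also opens tcp 445
       (SMB without NetBIOS). File-sharing ports are normally kept to
       trusted zones. -->
  <service name="netbios" description="NETBIOS complete">
    <filter direction="go" p="udp" dport="137"/>
    <filter direction="back" p="udp" sport="137"/>
    <filter direction="go" p="udp" dport="138"/>
    <filter direction="back" p="udp" sport="138"/>
    <filter direction="go" p="tcp" dport="139"/>
    <filter direction="back" p="tcp" sport="139"/>
    <filter direction="go" p="tcp" dport="445"/>
    <filter direction="back" p="tcp" sport="445"/>
  </service>

  <service name="netbios_ssn" description="NETBIOS Session Service">
    <filter direction="go" p="tcp" dport="139"/>
    <filter direction="back" p="tcp" sport="139"/>
  </service>

  <service name="cvs" description="CVS Server Service">
    <filter direction="go" p="tcp" dport="2401"/>
    <filter direction="back" p="tcp" sport="2401"/>
  </service>

  <service name="nntp" description="NNTP Network News Transport Protocol">
    <filter direction="go" p="tcp" dport="119"/>
    <filter direction="back" p="tcp" sport="119"/>
  </service>

  <!-- Telnet carries credentials and session data unencrypted; where remote
       shell access is needed the ssh service is the safer choice. -->
  <service name="telnet" description="Telnet Protocol">
    <filter direction="go" p="tcp" dport="23"/>
    <filter direction="back" p="tcp" sport="23"/>
  </service>

  <!-- Administrative web interface; worth limiting to management zones. -->
  <service name="webmin" description="Webmin (port 10000)">
    <filter direction="go" p="tcp" dport="10000"/>
    <filter direction="back" p="tcp" sport="10000"/>
  </service>

  <!-- Much broader than the other services. Each signalling port (1720, 1731,
       1503) is opened in both directions, and the trailing filters cover
       the whole 1024:65535 range. The tcp range filters are limited by a
       state match, but the udp range filters carry none, so a rule using
       this service admits any high-port UDP in the go direction and
       high-port to high-port UDP back. Marked experimental by its author. -->
  <service name="h323" description="H323 Protocol (NetMeeting), Experimental">
    <!-- Directory lookup (LDAP port). -->
    <filter direction="go" p="tcp" dport="389"/>
    <filter direction="back" p="tcp" sport="389"/>
    <!-- tcp 1720, both as caller and as callee. -->
    <filter direction="go" p="tcp" dport="1720"/>
    <filter direction="back" p="tcp" sport="1720"/>
    <filter direction="back" p="tcp" dport="1720" jump="ACCEPT"/>
    <filter direction="go" p="tcp" sport="1720" state="ESTABLISHED,RELATED"/>
    <!-- tcp 1731, same pattern. -->
    <filter direction="go" p="tcp" dport="1731"/>
    <filter direction="back" p="tcp" sport="1731"/>
    <filter direction="back" p="tcp" dport="1731" jump="ACCEPT"/>
    <filter direction="go" p="tcp" sport="1731" state="ESTABLISHED,RELATED"/>
    <!-- tcp 1503, same pattern. -->
    <filter direction="go" p="tcp" dport="1503"/>
    <filter direction="back" p="tcp" sport="1503"/>
    <filter direction="back" p="tcp" dport="1503" jump="ACCEPT"/>
    <filter direction="go" p="tcp" sport="1503" state="ESTABLISHED,RELATED"/>
    <!-- High-port udp, no state match. -->
    <filter direction="go" p="udp" dport="1024:65535"/>
    <filter direction="back" p="udp" sport="1024:65535" dport="1024:65535" jump="ACCEPT"/>
    <filter direction="go" p="udp" sport="1024:65535"/>
    <!-- High-port tcp, limited to tracked connections. -->
    <filter direction="go" p="tcp" dport="1024:65535" state="ESTABLISHED,RELATED"/>
    <filter direction="back" p="tcp" sport="1024:65535" state="ESTABLISHED,RELATED"/>
    <filter direction="back" p="tcp" dport="1024:65535" state="ESTABLISHED,RELATED" jump="ACCEPT"/>
    <filter direction="go" p="tcp" sport="1024:65535" state="ESTABLISHED,RELATED"/>
  </service>

  <!-- IPsec services: udp 500 to 500 is IKE, IP protocol 50 is ESP and IP
       protocol 51 is AH. NAT traversal (udp 4500) is not covered by these
       definitions.
       The attribute "Description" on the three ipsec services is normalized
       to "description", the spelling used by every other service; a loader
       that reads "description" literally would otherwise find none. -->
  <service name="ipsec-ESP" description="VPN IPSec protocol with IKE and ESP">
    <filter direction="go" p="udp" sport="500" dport="500"/>
    <filter direction="back" p="udp" sport="500" dport="500" jump="ACCEPT"/>
    <filter direction="go" p="50"/>
    <filter direction="back" p="50" jump="ACCEPT"/>
  </service>

  <service name="ipsec-AH" description="VPN IPSec protocol with IKE and AH">
    <filter direction="go" p="udp" sport="500" dport="500"/>
    <filter direction="back" p="udp" sport="500" dport="500" jump="ACCEPT"/>
    <filter direction="go" p="51"/>
    <filter direction="back" p="51" jump="ACCEPT"/>
  </service>

  <service name="ipsec-ESP-AH" description="VPN IPSec protocol with IKE, ESP and AH">
    <filter direction="go" p="udp" sport="500" dport="500"/>
    <filter direction="back" p="udp" sport="500" dport="500" jump="ACCEPT"/>
    <filter direction="go" p="50"/>
    <filter direction="back" p="50" jump="ACCEPT"/>
    <filter direction="go" p="51"/>
    <filter direction="back" p="51" jump="ACCEPT"/>
  </service>

  <!-- Despite the name, udp 548 is opened alongside tcp 548. -->
  <service name="afp-over-tcp" description="AFP (Apple Filing Protocol) over TCP">
    <filter direction="go" p="tcp" dport="548"/>
    <filter direction="back" p="tcp" sport="548"/>
    <filter direction="go" p="udp" dport="548"/>
    <filter direction="back" p="udp" sport="548"/>
  </service>

  <service name="nfs" description="NFS (experimental)">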