
📄 tdi_fw.conf

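📁 A personal firewall program built on a TDI driver. It includes the driver module, the application-layer rule configuration, and the loader module.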
;
; Here's tdi_fw sample configuration file
;
; It looks like an ini file: sections, names and values,
; with comments after ';' at the beginning of a line
;

; --- config file signature: don't change it ---
[_signature_]
_signature_=$tdi_fw$

; --- basic config parameters ---
[_config_]

; write ALLOW events to event log:
; 0 - don't write, write them to text log file
; 1 - write to event log
eventlog_allow=0

; write DENY events to event log
eventlog_deny=0

; write ERROR events to event log
eventlog_error=0

; resolve DNS or Netbios names in rules
rules_resolve_addr=1

; --- Rulesets ---
;
; Default ruleset (must be in first line):
;
; _default_=section_1 section_2 ... section_n
;
; rules are in sections (for example [section_n]) in this file
; in order from first to last
;
; Process-related ruleset:
;
; <full_process_name>=<section_1> <section_2> ... <section_n>
;
; process-related rules (not related to the default ruleset). Example:
;
; c:\winnt\system32\telnet.exe=allow_all
;
; Note: max number of rulesets is 32
;       (for details see MAX_CHAINS_COUNT in ipc.h)

[_main_]
_default_=custom localnet localhost deny_all
;c:\winnt\system32\telnet.exe=allow_all

;
; [<section_i>]
;
; is rule section (ruleset) with ALLOW or DENY rules
;
; Format of rule:
;
; ALLOW|DENY TCP|UDP|RawIP IN|OUT FROM <addr> TO <addr> [NOLOG]
;
; ALLOW or DENY - type of rule: allow or deny datagram or connection
;
; TCP, UDP or RawIP - protocol (RawIP means raw sockets are used)
;
; IN or OUT - direction for datagram or connection
;
; NOLOG - don't log use of this rule
;
; <addr> - <host>[/<mask>][:<port>[-<port2>]]
;
; <host> - IP address or host name (see rules_resolve_addr) or ANY
; <mask> - network mask (from 0 to 32)
; <port> - port number (from 0 to 65535)
; <port2> - define port range from <port> to <port2>
;
; Examples:
;
; ALLOW TCP OUT FROM ANY TO ANY:135 NOLOG
; ALLOW UDP IN FROM 192.168.0.0/24:135 TO ANY:1024-4096
; 

[custom]
; allow the external network activity you use:
; www proxy
; smtp server
; pop3/imap4 server
; dns server

;ALLOW TCP OUT FROM ANY TO your_proxy:8080
;ALLOW TCP OUT FROM ANY TO your_smtp:25
; etc.

;ALLOW UDP OUT FROM ANY TO your_dns:53
;ALLOW UDP IN FROM your_dns:53 TO ANY

[localnet]
; allow and log all localnet activity
; (specify your network address & mask instead of 192.168.0.0/24)

ALLOW TCP OUT FROM ANY TO 192.168.0.0/24
ALLOW TCP IN FROM 192.168.0.0/24 TO ANY

; It may be useful: don't log NetBT UDP packets
ALLOW UDP OUT FROM ANY:137-138 TO 192.168.0.0/24:137-138 NOLOG
ALLOW UDP IN FROM 192.168.0.0/24:137-138 TO ANY:137-138 NOLOG
 
ALLOW UDP OUT FROM ANY TO 192.168.0.0/24
ALLOW UDP IN FROM 192.168.0.0/24 TO ANY

; allow broadcasts
ALLOW UDP OUT FROM ANY TO 255.255.255.255

[localhost]
; allow and don't log localhost activity

ALLOW TCP OUT FROM ANY TO 127.0.0.1 NOLOG
ALLOW TCP IN FROM 127.0.0.1 TO ANY NOLOG

ALLOW UDP OUT FROM ANY TO 127.0.0.1 NOLOG
ALLOW UDP IN FROM 127.0.0.1 TO ANY NOLOG

[allow_all]
; do you really want to use this rules section?

ALLOW TCP OUT FROM ANY TO ANY
ALLOW TCP IN FROM ANY TO ANY

ALLOW UDP OUT FROM ANY TO ANY
ALLOW UDP IN FROM ANY TO ANY

ALLOW RawIP OUT FROM ANY TO ANY
ALLOW RawIP IN FROM ANY TO ANY

[deny_all]
; deny all by default

DENY TCP OUT FROM ANY TO ANY
DENY TCP IN FROM ANY TO ANY

DENY UDP OUT FROM ANY TO ANY
DENY UDP IN FROM ANY TO ANY

DENY RawIP OUT FROM ANY TO ANY
DENY RawIP IN FROM ANY TO ANY
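
The rule grammar documented in the comments above can be checked mechanically before the file is loaded. The Python below is an added example, not part of tdi_fw: it parses rules, validates mask and port ranges, and lists every ALLOW rule with ANY hosts and no port limit in each ruleset named under [_main_]. The function names, the constructed SAMPLE and the "wide open" criterion are assumptions of this example, and keywords are matched case-sensitively as written in the file.

```python
import re
# Added example, not tdi_fw code. ALLOW|DENY TCP|UDP|RawIP IN|OUT FROM <addr> TO <addr> [NOLOG]
RULE_RE = re.compile(r"^(ALLOW|DENY)\s+(TCP|UDP|RawIP)\s+(IN|OUT)\s+"
                     r"FROM\s+(\S+)\s+TO\s+(\S+)(\s+NOLOG)?$")
# <addr> = <host>[/<mask>][:<port>[-<port2>]]
ADDR_RE = re.compile(r"^([^/:\s]+)(?:/(\d+))?(?::(\d+)(?:-(\d+))?)?$")
# Constructed sample: a per-process ruleset (hypothetical path) that uses a wide-open section.
SAMPLE = ("[_main_]\n_default_=deny_all\nc:\\app.exe=open\n"
          "[open]\nALLOW TCP OUT FROM ANY TO ANY\n[deny_all]\nDENY TCP IN FROM ANY TO ANY\n")

def parse_addr(text):
    m = ADDR_RE.match(text)
    if not m:
        raise ValueError(f"bad address: {text!r}")
    host, mask, p1, p2 = m.groups()
    mask = None if mask is None else int(mask)
    ports = None if p1 is None else (int(p1), int(p2 or p1))
    if (mask is not None and mask > 32) or (ports and not ports[0] <= ports[1] <= 65535):
        raise ValueError(f"mask or port out of range: {text!r}")
    return {"host": host, "mask": mask, "ports": ports, "any": host == "ANY" and not ports}

def parse_rule(line):
    m = RULE_RE.match(line.strip())
    if not m:
        raise ValueError(f"bad rule: {line!r}")
    action, proto, direction, src, dst, nolog = m.groups()
    return {"action": action, "proto": proto, "dir": direction,
            "src": parse_addr(src), "dst": parse_addr(dst), "log": nolog is None}

def parse_sections(text):
    """Map section name -> active lines (blank lines and ';' comments skipped)."""
    sections, current = {}, None
    for line in map(str.strip, text.splitlines()):
        if line.startswith("[") and line.endswith("]"):
            current = sections.setdefault(line[1:-1], [])
        elif line and not line.startswith(";") and current is not None:
            current.append(line)
    return sections

def audit(text):
    """(ruleset, section, rule) for each ALLOW rule with ANY hosts and no port limit."""
    sections, findings = parse_sections(text), []
    for ruleset, _, chain in (e.partition("=") for e in sections.get("_main_", [])):
        for name in chain.split():
            for line in sections.get(name, []):
                r = parse_rule(line)
                if r["action"] == "ALLOW" and r["src"]["any"] and r["dst"]["any"]:
                    findings.append((ruleset, name, line))
    return findings
```

Run against the file as shipped, `audit()` returns no findings because `[allow_all]` is not referenced by any active ruleset; uncommenting the `telnet.exe=allow_all` line makes every rule of that section appear.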
