templates.java

sifi-0.1.6.tar.gz 出自http://www.ifi.unizh.ch/ikm/SINUS/firewall/ 一个linux的防火墙工具。

/* ----------------------------------------------------------------------
   The SINUS Firewall -- a TCP/IP packet filter for Linux

   Written within the SINUS project at the University of Zurich,
   SWITCH, Telekurs Payserv AG, ETH Zurich.
   originally based on the sf Firewall Software (C) 1996 by Robert
   Muchsel and Roland Schmid.

   This program is free software; you can redistribute it and/or modify
   it under the terms of the GNU General Public License as published by
   the Free Software Foundation; either version 2 of the License, or
   (at your option) any later version.

   This program is distributed in the hope that it will be useful,
   but WITHOUT ANY WARRANTY; without even the implied warranty of
   MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
   GNU General Public License for more details.

   You should have received a copy of the GNU General Public License
   along with this program; if not, write to the Free Software
   Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.

   SINUS Firewall resources:
   SINUS Homepage: http://www.ifi.unizh.ch/ikm/SINUS/
   Firewall Homepage: http://www.ifi.unizh.ch/ikm/SINUS/firewall.html
   Frequently asked questions: http://www.ifi.unizh.ch/ikm/SINUS/sf_faq.html
   Mailing list for comments, questions, bug reports: firewall@ifi.unizh.ch
   ----------------------------------------------------------------------  */



package sfclasses;

/**
 * This class implements the rule templates used for autoconfiguration.
 * There are three types of templates (general, server, firewall) that
 * are statically defined in this class. If the counters (numberGeneral,
 * numberServer, numberFirewall) are not set correctly, an error message
 * will occur when starting the software.
 * @version 1.0 07 Jan 1997
 * @author Roland E. Schmid
 */

public class Templates {

  /**
   * Insert new template into arrays 
   */
  private static void newTemplate(int c, String pr, String comm,
    boolean def, boolean prio, int src, int dst, int rc, int flags,
    int t, int prot, int noti) {
    if (c < numberTotal) {
      prompt[c] = pr;
      comment[c] = comm;
      defaultActivate[c] = def;
      priority[c] = prio;
      fw_src_idx[c] = src;
      fw_dst_idx[c] = dst;
      fw_rc[c] = rc;
      fw_flags[c] = flags;
      ttl[c] = t;
      protocol[c] = prot;
      notification[c] = noti;
      srvport[c] = Macro.MACRO_FIRSTPORT;
      srvprend[c] = Macro.MACRO_LASTPORT;
    }
  }

  /**
   * Insert new template into arrays including server port information
   */
  private static void newTemplate(int c, String pr, String comm,
    boolean def, boolean prio, int src, int dst, int rc, int flags,
    int t, int prot, int noti, int sport, int sprend) {
    newTemplate(c, pr, comm, def, prio, src, dst, rc, flags, t, prot, noti);
    srvport[c] = sport;
    srvprend[c] = sprend;
  }

  /**
   * Empty method that is called on startup to invoke the static
   * initializer and produce any error messages immediately after
   * starting the software. 
   */
  public static void callToInit() {}

  public static boolean initialized = false;

  public static int numberGeneral = 30;	// number of templates for general settings
  public static int numberServer = 7;	// number of templates for server settings
  public static int startServer;	// first server template
  public static int numberFirewall = 1; // number of templates for firewall settings
  public static int startFirewall;	// first firewall template
  public static int numberTotal;	// total number of templates

  public static boolean defaultActivate[]; // activate rule by default
  public static boolean priority[];     // priority rule
  public static String prompt[];	// prompt for dialog box
  public static String comment[];	// comment for rule
  public static int fw_src_idx[];	// source address macro
  public static int fw_dst_idx[];	// destination address macro
  public static int fw_rc[];		// return codes
  public static int fw_flags[];		// rule flags
  public static int ttl[];		// time to live value
  public static int protocol[];		// protocol
  public static int notification[];     // notification level
  public static int srvport[];		// start port, only used in server templates
  public static int srvprend[];		// end port, only used in server templates

  static { // static initialization

    /* add 1 for the transparent template */
    numberTotal = numberGeneral + numberServer + numberFirewall + 1;
    startServer = numberGeneral;
    startFirewall = startServer + numberServer;

    defaultActivate = new boolean[numberTotal];
    priority = new boolean[numberTotal];
    prompt = new String[numberTotal];
    comment = new String[numberTotal];
    fw_src_idx = new int[numberTotal];
    fw_dst_idx = new int[numberTotal];
    fw_rc = new int[numberTotal];
    fw_flags = new int[numberTotal];
    ttl = new int[numberTotal];
    protocol = new int[numberTotal];
    notification = new int[numberTotal];
    srvport = new int[numberTotal];
    srvprend = new int[numberTotal];

    int cnt = 0;
    boolean err = false;

    // general templates
    // =================

    newTemplate(cnt, // 0
      "Allow remote configuration",
      "Allow configuration connections from configuration clients.",
      true, // defaultActivate
      true, // priority
      Macro.STATIC_CONFIG_CLIENTS, // src
      Macro.STATIC_FIREWALLS_CONFPORT, // dst
      Rule.FW_ACCEPT, // rc
      Rule.SF_FW_CHECK_PROTOCOL | Rule.SF_FTP_NO_ACTIVE | Rule.SF_FTP_NO_PASSIVE, // flags
      0, // ttl
      Rule.IPPROTO_TCP, // protocol
      0 // notification
    );
    cnt++;

    newTemplate(cnt, // 1
      "Allow localhost connections",
      "Accept connections from localhost to localhost.",
      true, // defaultActivate
      false, // priority
      Macro.STATIC_LOCALHOST, // src
      Macro.STATIC_LOCALHOST, // dst
      Rule.FW_ACCEPT, // rc
      Rule.SF_FW_PROT_ALL, // flags
      0, // ttl
      0, // protocol
      0 // notification
    );
    cnt++;

    newTemplate(cnt, // 2
      "Allow local connections",
      "Accept connections from local addresses to local addresses.",
      true, // defaultActivate
      false, // priority
      Macro.STATIC_OWNADDRESSES, // src
      Macro.STATIC_OWNADDRESSES, // dst
      Rule.FW_ACCEPT, // rc
      Rule.SF_FW_PROT_ALL, // flags
      0, // ttl
      0, // protocol
      0 // notification
    );
    cnt++;

    newTemplate(cnt, // 3
      "Allow e-Mail from firewalls",
      "e-Mail from firewalls",
      true, // defaultActivate
      false, // priority
      Macro.STATIC_FIREWALLS_UNPRIV, // src
      Macro.STATIC_SMTPPORT, // dst
      Rule.FW_ACCEPT, // rc
      Rule.SF_FW_CHECK_PROTOCOL | Rule.SF_FTP_NO_ACTIVE | Rule.SF_FTP_NO_PASSIVE, // flags
      0, // ttl
      Rule.IPPROTO_TCP, // protocol
      0 // notification
    );
    cnt++;

    newTemplate(cnt, // 4
      "Allow finger from firewalls",
      "finger from firewalls",
      true, // defaultActivate
      false, // priority
      Macro.STATIC_FIREWALLS_UNPRIV, // src
      Macro.STATIC_FINGERPORT, // dst
      Rule.FW_ACCEPT, // rc
      Rule.SF_FW_CHECK_PROTOCOL | Rule.SF_FTP_NO_ACTIVE | Rule.SF_FTP_NO_PASSIVE, // flags
      0, // ttl
      Rule.IPPROTO_TCP, // protocol
      0 // notification
    );
    cnt++;

    newTemplate(cnt, // 5
      "Reject ident to firewalls",
      "reject ident to firewalls",
      true, // defaultActivate
      false, // priority
      0, // src
      Macro.STATIC_FIREWALLS_IDENTPORT, // dst
      Rule.SF_RC_TREJECT, // rc
      Rule.SF_FW_CHECK_PROTOCOL, // flags
      0, // ttl
      Rule.IPPROTO_TCP, // protocol
      0 // notification
    );
    cnt++;

    newTemplate(cnt, // 6
      "Allow ident from firewalls",
      "ident from firewalls",
      true, // defaultActivate
      false, // priority
      Macro.STATIC_FIREWALLS_UNPRIV, // src
      Macro.STATIC_IDENTPORT, // dst
      Rule.FW_ACCEPT, // rc
      Rule.SF_FW_CHECK_PROTOCOL, // flags
      0, // ttl
      Rule.IPPROTO_TCP, // protocol
      0 // notification
    );
    cnt++;

    newTemplate(cnt, // 7
      "Allow rusers from firewalls",
      "rusers from firewalls (uses port sunrpc)",
      true, // defaultActivate
      false, // priority
      Macro.STATIC_FIREWALLS_UNPRIV, // src
      Macro.STATIC_RUSERPORT, // dst
      Rule.FW_ACCEPT, // rc
      Rule.SF_FW_CHECK_PROTOCOL, // flags
      0, // ttl
      Rule.IPPROTO_UDP, // protocol
      0 // notification
    );
    cnt++;

    newTemplate(cnt, // 8
      "Allow rusers to firewalls",
      "rusers to firewalls (uses port sunrpc)",
      true, // defaultActivate
      false, // priority
      Macro.STATIC_RUSERPORT, // src
      Macro.STATIC_FIREWALLS_UNPRIV, // dst
      Rule.FW_ACCEPT, // rc
      Rule.SF_FW_CHECK_PROTOCOL, // flags
      0, // ttl
      Rule.IPPROTO_UDP, // protocol
      0 // notification
    );
    cnt++;

    newTemplate(cnt, // 9
      "Allow DNS queries from firewalls",
      "DNS from firewalls",
      true, // defaultActivate
      false, // priority
      Macro.STATIC_FIREWALLS, // src
      Macro.STATIC_DNSPORT, // dst
      Rule.FW_ACCEPT, // rc
      Rule.SF_FW_CHECK_PROTOCOL, // flags
      0, // ttl
      Rule.IPPROTO_UDP, // protocol
      0 // notification
    );
    cnt++;

    newTemplate(cnt, // 10
      "Allow DNS replies to firewalls",
      "DNS to firewalls",
      true, // defaultActivate
      false, // priority
      Macro.STATIC_DNSPORT, // src
      Macro.STATIC_FIREWALLS, // dst
      Rule.FW_ACCEPT, // rc
      Rule.SF_FW_CHECK_PROTOCOL, // flags
      0, // ttl
      Rule.IPPROTO_UDP, // protocol
      0 // notification
    );
    cnt++;

    newTemplate(cnt, // 11
      "Allow DNS from firewalls (TCP)",
      "DNS from firewalls (TCP)",
      true, // defaultActivate
      false, // priority
      Macro.STATIC_FIREWALLS, // src
      Macro.STATIC_DNSPORT, // dst
      Rule.FW_ACCEPT, // rc
      Rule.SF_FW_CHECK_PROTOCOL | Rule.SF_FTP_NO_ACTIVE | Rule.SF_FTP_NO_PASSIVE, // flags
      0, // ttl
      Rule.IPPROTO_TCP, // protocol
      0 // notification
    );
    cnt++;

    newTemplate(cnt, // 12
      "Allow ping from oneself",
      "Ping from oneself",
      true, // defaultActivate
      false, // priority
      Macro.STATIC_OWNADDRESSES, // src
      0, // dst
      Rule.FW_ACCEPT, // rc
      Rule.SF_FW_CHECK_PROTOCOL | Rule.SF_ICMP_ECHO, // flags
      0, // ttl
      Rule.IPPROTO_ICMP, // protocol
      0 // notification
    );
    cnt++;

    newTemplate(cnt, // 13
      "Stop traceroute to firewalls",
      "traceroute - tell them they've reached their destination",
      true, // defaultActivate
      false, // priority
      0, // src
      Macro.STATIC_FIREWALLS_TRACEROUTEPORTS, // dst
      Rule.SF_RC_RPORT, // rc
      Rule.SF_FW_CHECK_PROTOCOL, // flags
      0, // ttl
      Rule.IPPROTO_UDP, // protocol
      Notification.STATIC_TRACEROUTE // notification
    );
    cnt++;

    newTemplate(cnt, // 14
      "No source routing",
      "Block all source routed packets",
      true, // defaultActivate
      false, // priority
      0, // src
      0, // dst
      Rule.FW_BLOCK, // rc
      Rule.SF_FW_PROT_ALL | Rule.SF_FW_OPT_LSR | Rule.SF_FW_OPT_SSR, // flags
      0, // ttl
      0, // protocol
      Notification.STATIC_SOURCEROUTE // notification
    );
    cnt++;

    newTemplate(cnt, // 15
      "Answer pings from outside",
      "Answer pings from outside",
      true, // defaultActivate
      false, // priority
      Macro.STATIC_OUTSIDE, // src
      0, // dst
      Rule.SF_RC_ECHO, // rc
      Rule.SF_FW_CHECK_PROTOCOL | Rule.SF_ICMP_ECHO, // flags
      0, // ttl
      Rule.IPPROTO_ICMP, // protocol
      Notification.STATIC_PING // notification
    );
    cnt++;

    newTemplate(cnt, // 16
      "Block dangerous ICMP",
      "Block dangerous ICMP",
      true, // defaultActivate
      false, // priority
      0, // src