templates.java

sifi-0.1.6.tar.gz 出自http://www.ifi.unizh.ch/ikm/SINUS/firewall/ 一个linux的防火墙工具。

      0, // dst
      Rule.FW_BLOCK, // rc
      Rule.SF_FW_CHECK_PROTOCOL | Rule.SF_ICMP_REDIRECT | 
      Rule.SF_ICMP_TIMESTAMP | Rule.SF_ICMP_TIMESTAMPREPLY |
      Rule.SF_ICMP_ADDRESS | Rule.SF_ICMP_ADDRESSREPLY, // flags
      0, // ttl
      Rule.IPPROTO_ICMP, // protocol
      Notification.STATIC_PING // notification
    );
    cnt++;

    newTemplate(cnt, // 17
      "Accept ICMP",
      "Accept ICMP",
      true, // defaultActivate
      false, // priority
      0, // src
      0, // dst
      Rule.FW_ACCEPT, // rc
      Rule.SF_FW_CHECK_PROTOCOL, // flags
      0, // ttl
      Rule.IPPROTO_ICMP, // protocol
      Notification.STATIC_ICMP // notification
    );
    cnt++;

    newTemplate(cnt, // 18
      "Reject ident to inside",
      "reject ident to inside",
      true, // defaultActivate
      false, // priority
      0, // src
      Macro.STATIC_INSIDE_IDENTPORT, // dst
      Rule.SF_RC_TREJECT, // rc
      Rule.SF_FW_CHECK_PROTOCOL, // flags
      0, // ttl
      Rule.IPPROTO_TCP, // protocol
      Notification.STATIC_IDENT // notification
    );
    cnt++;
    
    newTemplate(cnt, // 19
      "Stop traceroute to inside",
      "traceroute - tell them they've reached their destination",
      true, // defaultActivate
      false, // priority
      0, // src
      Macro.STATIC_INSIDE_TRACEROUTEPORTS, // dst
      Rule.SF_RC_RPORT, // rc
      Rule.SF_FW_CHECK_PROTOCOL, // flags
      0, // ttl
      Rule.IPPROTO_UDP, // protocol
      Notification.STATIC_TRACEROUTE // notification
    );
    cnt++;
    
    newTemplate(cnt, // 20
      "Allow outgoing FTP",
      "outgoing FTP connections",
      true, // defaultActivate
      false, // priority
      Macro.STATIC_INSIDE, // src
      Macro.STATIC_FTPPORT, // dst
      Rule.FW_ACCEPT, // rc
      Rule.SF_FW_CHECK_PROTOCOL, // flags
      0, // ttl
      Rule.IPPROTO_TCP, // protocol
      Notification.STATIC_OUTGOING // notification
    );
    cnt++;

    newTemplate(cnt, // 21
      "Allow outgoing Telnet",
      "outgoing Telnet connections",
      true, // defaultActivate
      false, // priority
      Macro.STATIC_INSIDE, // src
      Macro.STATIC_TELNETPORT, // dst
      Rule.FW_ACCEPT, // rc
      Rule.SF_FW_CHECK_PROTOCOL | Rule.SF_FTP_NO_ACTIVE | Rule.SF_FTP_NO_PASSIVE, // flags
      0, // ttl
      Rule.IPPROTO_TCP, // protocol
      Notification.STATIC_OUTGOING // notification
    );
    cnt++;

    newTemplate(cnt, // 22
      "Allow DNS queries from inside",
      "DNS from inside",
      true, // defaultActivate
      false, // priority
      Macro.STATIC_INSIDE, // src
      Macro.STATIC_DNSPORT, // dst
      Rule.FW_ACCEPT, // rc
      Rule.SF_FW_CHECK_PROTOCOL, // flags
      0, // ttl
      Rule.IPPROTO_UDP, // protocol
      0 // notification
    );
    cnt++;

    newTemplate(cnt, // 23
      "Allow DNS replies to inside",
      "DNS to inside",
      true, // defaultActivate
      false, // priority
      Macro.STATIC_DNSPORT, // src
      Macro.STATIC_INSIDE, // dst
      Rule.FW_ACCEPT, // rc
      Rule.SF_FW_CHECK_PROTOCOL, // flags
      0, // ttl
      Rule.IPPROTO_UDP, // protocol
      0 // notification
    );
    cnt++;

    newTemplate(cnt, // 24
      "Allow DNS from contains (TCP)",
      "DNS from contains (TCP)",
      true, // defaultActivate
      false, // priority
      Macro.STATIC_INSIDE, // src
      Macro.STATIC_DNSPORT, // dst
      Rule.FW_ACCEPT, // rc
      Rule.SF_FW_CHECK_PROTOCOL | Rule.SF_FTP_NO_ACTIVE | Rule.SF_FTP_NO_PASSIVE, // flags
      0, // ttl
      Rule.IPPROTO_TCP, // protocol
      Notification.STATIC_OUTGOING // notification
    );
    cnt++;

    newTemplate(cnt, // 25
      "Allow SMTP from inside",
      "SMTP from inside",
      false, // defaultActivate
      false, // priority
      Macro.STATIC_INSIDE, // src
      Macro.STATIC_SMTPPORT, // dst
      Rule.FW_ACCEPT, // rc
      Rule.SF_FW_CHECK_PROTOCOL | Rule.SF_FTP_NO_ACTIVE | Rule.SF_FTP_NO_PASSIVE, // flags
      0, // ttl
      Rule.IPPROTO_TCP, // protocol
      Notification.STATIC_OUTGOING // notification
    );
    cnt++;

    newTemplate(cnt, // 26
      "Allow SSH from inside",
      "SSH from inside",
      true, // defaultActivate
      false, // priority
      Macro.STATIC_INSIDE, // src
      Macro.STATIC_SSHPORT, // dst
      Rule.FW_ACCEPT, // rc
      Rule.SF_FW_CHECK_PROTOCOL | Rule.SF_FTP_NO_ACTIVE | Rule.SF_FTP_NO_PASSIVE, // flags
      0, // ttl
      Rule.IPPROTO_TCP, // protocol
      Notification.STATIC_OUTGOING // notification
    );
    cnt++;

    newTemplate(cnt, // 27
      "Allow HTTP from inside",
      "HTTP from inside",
      true, // defaultActivate
      false, // priority
      Macro.STATIC_INSIDE, // src
      Macro.STATIC_HTTPPORTS, // dst
      Rule.FW_ACCEPT, // rc
      Rule.SF_FW_CHECK_PROTOCOL | Rule.SF_FTP_NO_ACTIVE | Rule.SF_FTP_NO_PASSIVE, // flags
      0, // ttl
      Rule.IPPROTO_TCP, // protocol
      Notification.STATIC_OUTGOING // notification
    );
    cnt++;

    newTemplate(cnt, // 28
      "Allow HTTPS from inside",
      "HTTPS from inside",
      true, // defaultActivate
      false, // priority
      Macro.STATIC_INSIDE, // src
      Macro.STATIC_HTTPSPORTS, // dst
      Rule.FW_ACCEPT, // rc
      Rule.SF_FW_CHECK_PROTOCOL | Rule.SF_FTP_NO_ACTIVE | Rule.SF_FTP_NO_PASSIVE, // flags
      0, // ttl
      Rule.IPPROTO_TCP, // protocol
      Notification.STATIC_OUTGOING // notification
    );
    cnt++;

    newTemplate(cnt, // 29
      "Allow traceroute from inside",
      "traceroute from inside",
      true, // defaultActivate
      false, // priority
      Macro.STATIC_INSIDE, // src
      Macro.STATIC_TRACEROUTEPORTS, // dst
      Rule.FW_ACCEPT, // rc
      Rule.SF_FW_CHECK_PROTOCOL, // flags
      0, // ttl
      Rule.IPPROTO_UDP, // protocol
      Notification.STATIC_OUTGOING // notification
    );
    cnt++;

    if (cnt != numberGeneral) {
      System.out.println("FATAL: Set Templates.numberGeneral to "+cnt);
      err = true;
    }

    // server templates
    // ================

    newTemplate(cnt, // 0
      "WWW server (port 80)",
      "WWW server (http to port 80)",
      false, // defaultActivate
      false, // priority
      Macro.STATIC_INSIDE_OUTSIDE, // src
      Macro.STATIC_SERVER, // dst
      Rule.FW_ACCEPT, // rc
      Rule.SF_FW_CHECK_PROTOCOL | Rule.SF_FTP_NO_ACTIVE | Rule.SF_FTP_NO_PASSIVE, // flags
      0, // ttl
      Rule.IPPROTO_TCP, // protocol
      Notification.STATIC_SERVER, // notification
      80, // port
      80 // prend
    );
    cnt++;

    newTemplate(cnt, // 1
      "Secure WWW server (port 443)",
      "Secure WWW server (https to port 443)",
      false, // defaultActivate
      false, // priority
      Macro.STATIC_INSIDE_OUTSIDE, // src
      Macro.STATIC_SERVER, // dst
      Rule.FW_ACCEPT, // rc
      Rule.SF_FW_CHECK_PROTOCOL | Rule.SF_FTP_NO_ACTIVE | Rule.SF_FTP_NO_PASSIVE, // flags
      0, // ttl
      Rule.IPPROTO_TCP, // protocol
      Notification.STATIC_SERVER, // notification
      443, // port
      443 // prend
    );
    cnt++;

    newTemplate(cnt, // 2
      "SMTP to server",
      "SMTP to server (TCP to port 25)",
      false, // defaultActivate
      false, // priority
      Macro.STATIC_INSIDE_OUTSIDE, // src
      Macro.STATIC_SERVER, // dst
      Rule.FW_ACCEPT, // rc
      Rule.SF_FW_CHECK_PROTOCOL | Rule.SF_FTP_NO_ACTIVE | Rule.SF_FTP_NO_PASSIVE, // flags
      0, // ttl
      Rule.IPPROTO_TCP, // protocol
      Notification.STATIC_SERVER, // notification
      25, // port
      25 // prend
    );
    cnt++;

    newTemplate(cnt, // 3
      "SMTP from server",
      "SMTP from server (TCP to port 25)",
      false, // defaultActivate
      false, // priority
      Macro.STATIC_SERVER, // src
      Macro.STATIC_SMTPPORT, // dst
      Rule.FW_ACCEPT, // rc
      Rule.SF_FW_CHECK_PROTOCOL | Rule.SF_FTP_NO_ACTIVE | Rule.SF_FTP_NO_PASSIVE, // flags
      0, // ttl
      Rule.IPPROTO_TCP, // protocol
      Notification.STATIC_OUTGOING // notification
    );
    cnt++;

    newTemplate(cnt, // 4
      "FTP server",
      "FTP server (TCP to port 21)",
      false, // defaultActivate
      false, // priority
      Macro.STATIC_INSIDE_OUTSIDE, // src
      Macro.STATIC_SERVER, // dst
      Rule.FW_ACCEPT, // rc
      Rule.SF_FW_CHECK_PROTOCOL, // flags
      0, // ttl
      Rule.IPPROTO_TCP, // protocol
      Notification.STATIC_SERVER, // notification
      21, // port
      21 // prend
    );
    cnt++;

    newTemplate(cnt, // 5
      "Telnet server",
      "Telnet server (TCP to port 23)",
      false, // defaultActivate
      false, // priority
      Macro.STATIC_INSIDE_OUTSIDE, // src
      Macro.STATIC_SERVER, // dst
      Rule.FW_ACCEPT, // rc
      Rule.SF_FW_CHECK_PROTOCOL | Rule.SF_FTP_NO_ACTIVE | Rule.SF_FTP_NO_PASSIVE, // flags
      0, // ttl
      Rule.IPPROTO_TCP, // protocol
      Notification.STATIC_SERVER, // notification
      23, // port
      23 // prend
    );
    cnt++;

    newTemplate(cnt, // 6
      "SSH server",
      "SSH server (TCP to port 22)",
      false, // defaultActivate
      false, // priority
      Macro.STATIC_INSIDE_OUTSIDE, // src
      Macro.STATIC_SERVER, // dst
      Rule.FW_ACCEPT, // rc
      Rule.SF_FW_CHECK_PROTOCOL | Rule.SF_FTP_NO_ACTIVE | Rule.SF_FTP_NO_PASSIVE, // flags
      0, // ttl
      Rule.IPPROTO_TCP, // protocol
      Notification.STATIC_SERVER, // notification
      22, // port
      22 // prend
    );
    cnt++;


    if (!err && (cnt-numberGeneral) != numberServer) {
      System.out.println("FATAL: Set Templates.numberServer to "+(cnt-numberGeneral));
      err = true;
    }

    // firewall templates
    // ==================

    newTemplate(cnt, // 0
      "Configuration client on firewall",
      "Accept connections from config client to firewall.",
      false, // defaultActivate
      true, // priority
      Macro.STATIC_OWNADDRESSES, // src
      Macro.STATIC_OWNADDRESSES_FWPORT, // dst
      Rule.FW_ACCEPT, // rc
      Rule.SF_FW_CHECK_PROTOCOL | Rule.SF_FTP_NO_ACTIVE | Rule.SF_FTP_NO_PASSIVE, // flags
      0, // ttl
      Rule.IPPROTO_TCP, // protocol
      0 // notification
    );
    cnt++;

    if (!err && cnt-numberGeneral-numberServer != numberFirewall) {
      System.out.println("FATAL: Set Templates.numberFirewall to "+(cnt-numberGeneral-numberServer));
      err = true;
    }

    // transparent template
    newTemplate(cnt,
      "Route traffic from outside to outside",
      "Route traffic from outside to outside",
      false, // defaultActivate (ignored)
      false, // priority
      Macro.STATIC_OUTSIDE, // src
      Macro.STATIC_OUTSIDE, // dst
      Rule.FW_ACCEPT, // rc
      0, // flags
      0, // ttl
      0, // protocol
      0  // notification
    );
    cnt++;

    initialized = !err;

  } // static initialization

} // Templates