<?xml version="1.0"?> <!DOCTYPE FWObjectDatabase SYSTEM "fwbuilder.dtd"> <!-- Firewall Builder object database, format version 0.10.4. The DOCTYPE points at the external DTD fwbuilder.dtd; anything other than fwbuilder that parses this file should not resolve external DTDs or entities (XXE exposure), or should resolve them only from a trusted local copy. --> <FWObjectDatabase xmlns="http://www.fwbuilder.org/1.0/" version="0.10.4" id="root"> <!-- Built-in wildcard objects: sysid0 = any network, sysid1 = any IP service, sysid2 = any interval. Every rule below references at least one of them. --> <AnyNetwork comment="Any Network" id="sysid0" library="Standard" name="Any" address="0.0.0.0" netmask="0.0.0.0"/> <AnyIPService comment="Any IP Service" id="sysid1" library="Standard" name="Any" protocol_num="0"/> <AnyInterval comment="Any Interval" from_day="-1" from_hour="-1" from_minute="-1" from_month="-1" from_weekday="-1" from_year="-1" id="sysid2" library="Standard" name="Any" to_day="-1" to_hour="-1" to_minute="-1" to_month="-1" to_weekday="-1" to_year="-1"/> <ObjectGroup id="sysid3" library="Standard" name="ScratchPad"/> <!-- Standard object tree. The only site-defined object is the Intranet network 10.0.0.0/8 (id3C470EF5), which the NAT and policy rules reference. --> <ObjectGroup id="stdid01" library="Standard" name="Objects"> <ObjectGroup id="stdid04" library="Standard" name="Groups"/> <ObjectGroup id="stdid02" library="Standard" name="Hosts"/> <ObjectGroup id="stdid03" library="Standard" name="Networks"> <Network comment="" id="id3C470EF5" name="Intranet" address="10.0.0.0" netmask="255.0.0.0"/> </ObjectGroup> </ObjectGroup> <!-- Standard service library. --> <ServiceGroup id="stdid05" library="Standard" name="Services"> <!-- stdid14 ESTABLISHED: only the iptables command is populated (the state match); the Undefined and ipfilter commands are empty. No rule in this file references it; the firewall option accept_established is set to True further down. --> <CustomService comment="This service matches all packets which are part of network connections established through the firewall, or \nconnections 'related' to those established through the firewall. Term 'established' refers to the state tracking \nmechanism which exists inside iptables and other stateful firewalls and does not mean any particular \ncombination of packet header options. Packet is considered to correspond to the state 'ESTABLISHED' if it \nbelongs to the network session, for which proper initiation has been seen by the firewall, so its stateful \ninspection module made appropriate record in the state table. Usually statefule firewalls keep track of network \nconnections using not only tcp protocol, but also udp and sometimes even icmp protocols. 
'RELATED' \ndescribes packet belonging to a separate network connection, related to the session firewall is keeping \ntrack of. One example is FTP command and FTP data sessions." id="stdid14" library="Standard" name="ESTABLISHED"> <CustomServiceCommand platform="Undefined"></CustomServiceCommand> <CustomServiceCommand platform="ipfilter"></CustomServiceCommand> <CustomServiceCommand platform="iptables">-m state --state ESTABLISHED,RELATED</CustomServiceCommand> </CustomService> <!-- Service groups; members are referenced by id. Only sg-Useful_ICMP is used by a rule in this file (global policy rule 1). --> <ServiceGroup id="stdid10" library="Standard" name="Groups"> <ServiceGroup comment="" id="sg-DHCP" library="Standard" name="DHCP"> <ServiceRef ref="udp-bootpc"/> <ServiceRef ref="udp-bootps"/> </ServiceGroup> <ServiceGroup comment="" id="sg-NETBIOS" library="Standard" name="NETBIOS"> <ServiceRef ref="udp-netbios-dgm"/> <ServiceRef ref="udp-netbios-ns"/> <ServiceRef ref="udp-netbios-ssn"/> </ServiceGroup> <ServiceGroup comment="" id="sg-Useful_ICMP" library="Standard" name="Useful_ICMP"> <ServiceRef ref="icmp-Time_exceeded"/> <ServiceRef ref="icmp-Time_exceeded_in_transit"/> <ServiceRef ref="icmp-ping_reply"/> <ServiceRef ref="icmp-Unreachables"/> </ServiceGroup> <ServiceGroup id="id3B4FEDD9" library="Standard" name="kerberos"> <ServiceRef ref="id3B4FEDA5"/> <ServiceRef ref="id3B4FEDA9"/> <ServiceRef ref="id3B4FEDA7"/> <ServiceRef ref="id3B4FEDAB"/> <ServiceRef ref="id3B4FEDA3"/> <ServiceRef ref="id3B4FEE21"/> <ServiceRef ref="id3B4FEE23"/> </ServiceGroup> <ServiceGroup id="id3B4FEFFA" library="Standard" name="quake"> <ServiceRef ref="id3B4FEF7C"/> <ServiceRef ref="id3B4FEF7E"/> </ServiceGroup> <ServiceGroup id="id3B4FF35E" library="Standard" name="nfs"> <ServiceRef ref="id3B4FEE7A"/> <ServiceRef ref="id3B4FEE78"/> </ServiceGroup> </ServiceGroup> <!-- ICMP services. A type or code of -1 apparently acts as a wildcard (cf. 'all ICMP unreachables' and 'any ICMP'); id3C20EEB5 'any ICMP' is permitted outbound from Intranet by global policy rule 6. --> <ServiceGroup id="stdid07" library="Standard" name="ICMP"> <ICMPService code="-1" comment="" id="icmp-Unreachables" library="Standard" name="all ICMP unreachables" type="3"/> <ICMPService code="-1" comment="" id="id3C20EEB5" library="Standard" 
name="any ICMP" type="-1"/> <ICMPService code="1" comment="" id="icmp-Host_unreach" library="Standard" name="host_unreach" type="3"/> <ICMPService code="0" comment="" id="icmp-ping_reply" library="Standard" name="ping reply" type="0"/> <ICMPService code="0" comment="" id="icmp-ping_request" library="Standard" name="ping request" type="8"/> <ICMPService code="3" comment="Port unreachable" id="icmp-Port_unreach" library="Standard" name="port unreach" type="3"/> <ICMPService code="0" comment="ICMP messages of this type are needed for traceroute" id="icmp-Time_exceeded" library="Standard" name="time exceeded" type="11"/> <ICMPService code="1" comment="" id="icmp-Time_exceeded_in_transit" library="Standard" name="time exceeded in transit" type="11"/> </ServiceGroup> <!-- IP-level services. ip-IP_Fragments (short_fragm=True) is denied by global rule 0 and by the ppp0 inbound rule 0; ip-IPSEC, ip-RR and ip-SRR are defined but not referenced by any rule in this file. --> <ServiceGroup id="stdid06" library="Standard" name="IP"> <IPService comment="" fragm="False" id="ip-IPSEC" library="Standard" lsrr="False" name="IPSEC" protocol_num="50" rr="False" short_fragm="False" ssrr="False" ts="False"/> <IPService comment="Route recording packets" fragm="False" id="ip-RR" library="Standard" lsrr="False" name="RR" protocol_num="0" rr="True" short_fragm="False" ssrr="False" ts="False"/> <IPService comment="All sorts of Source Routing Packets" fragm="False" id="ip-SRR" library="Standard" lsrr="True" name="SRR" protocol_num="0" rr="False" short_fragm="False" ssrr="True" ts="False"/> <IPService comment="'Short' fragments" fragm="False" id="ip-IP_Fragments" library="Standard" lsrr="False" name="ip_fragments" protocol_num="0" rr="False" short_fragm="True" ssrr="False" ts="False"/> </ServiceGroup> <!-- TCP services. A 0-0 port range appears to be the 'any port' wildcard (see tcp-All_TCP); tcp-TCP-SYN differs from it only by syn_flag=True. Confirm against the fwbuilder documentation. --> <ServiceGroup id="stdid09" library="Standard" name="TCP"> <TCPService ack_flag="False" comment="ipchains used to use this range of port numbers for masquerading. 
" dst_range_end="0" dst_range_start="0" fin_flag="False" id="tcp-ALL_TCP_Masqueraded" library="Standard" name="ALL TCP Masqueraded" rst_flag="False" src_range_end="65095" src_range_start="61000" syn_flag="False"/> <TCPService ack_flag="False" comment="" dst_range_end="0" dst_range_start="0" fin_flag="False" id="tcp-All_TCP" library="Standard" name="All TCP" rst_flag="False" src_range_end="0" src_range_start="0" syn_flag="False"/> <TCPService ack_flag="False" comment="" dst_range_end="1720" dst_range_start="1720" fin_flag="False" id="id3AEDBEAC" library="Standard" name="H323" rst_flag="False" src_range_end="0" src_range_start="0" syn_flag="False"/> <TCPService ack_flag="False" comment="" dst_range_end="113" dst_range_start="113" fin_flag="False" id="tcp-Auth" library="Standard" name="auth" rst_flag="False" src_range_end="0" src_range_start="0" syn_flag="False"/> <TCPService ack_flag="False" comment="" dst_range_end="13" dst_range_start="13" fin_flag="False" id="id3AEDBE6E" library="Standard" name="daytime" rst_flag="False" src_range_end="0" src_range_start="0" syn_flag="False"/> <TCPService ack_flag="False" comment="" dst_range_end="53" dst_range_start="53" fin_flag="False" id="tcp-DNS_zone_transf" library="Standard" name="dns_tcp" rst_flag="False" src_range_end="0" src_range_start="0" syn_flag="False"/> <TCPService ack_flag="False" comment="" dst_range_end="2105" dst_range_start="2105" fin_flag="False" id="id3B4FEDA3" library="Standard" name="eklogin" rst_flag="False" src_range_end="0" src_range_start="0" syn_flag="False"/> <TCPService ack_flag="False" comment="" dst_range_end="79" dst_range_start="79" fin_flag="False" id="id3AECF774" library="Standard" name="finger" rst_flag="False" src_range_end="0" src_range_start="0" syn_flag="False"/> <TCPService ack_flag="False" comment="" dst_range_end="21" dst_range_start="21" fin_flag="False" id="tcp-FTP" library="Standard" name="ftp" rst_flag="False" src_range_end="0" src_range_start="0" syn_flag="False"/> <!-- Next entry, tcp-FTP_data: source port 20 to destination ports 1025-65535; permitted outbound from Intranet by global rule 6. Its own comment notes that the source port 20 assumption is not guaranteed by the FTP protocol. --> <TCPService 
ack_flag="False" comment="FTP data channel.\nNote: FTP protocol does not really require server to use source port 20 for the data channel, \nbut many ftp server implementations do so." dst_range_end="65535" dst_range_start="1025" fin_flag="False" id="tcp-FTP_data" library="Standard" name="ftp data" rst_flag="False" src_range_end="20" src_range_start="20" syn_flag="False"/> <TCPService ack_flag="False" comment="" dst_range_end="80" dst_range_start="80" fin_flag="False" id="tcp-HTTP" library="Standard" name="http" rst_flag="False" src_range_end="0" src_range_start="0" syn_flag="False"/> <TCPService ack_flag="False" comment="" dst_range_end="443" dst_range_start="443" fin_flag="False" id="id3B4FED69" library="Standard" name="https" rst_flag="False" src_range_end="0" src_range_start="0" syn_flag="False"/> <TCPService ack_flag="False" comment="" dst_range_end="143" dst_range_start="143" fin_flag="False" id="id3AECF776" library="Standard" name="imap" rst_flag="False" src_range_end="0" src_range_start="0" syn_flag="False"/> <TCPService ack_flag="False" comment="" dst_range_end="993" dst_range_start="993" fin_flag="False" id="id3B4FED9F" library="Standard" name="imaps" rst_flag="False" src_range_end="0" src_range_start="0" syn_flag="False"/> <TCPService ack_flag="False" comment="" dst_range_end="6667" dst_range_start="6667" fin_flag="False" id="id3B4FF13C" library="Standard" name="irc" rst_flag="False" src_range_end="0" src_range_start="0" syn_flag="False"/> <TCPService ack_flag="False" comment="" dst_range_end="543" dst_range_start="543" fin_flag="False" id="id3B4FEE21" library="Standard" name="klogin" rst_flag="False" src_range_end="0" src_range_start="0" syn_flag="False"/> <TCPService ack_flag="False" comment="" dst_range_end="544" dst_range_start="544" fin_flag="False" id="id3B4FEE23" library="Standard" name="ksh" rst_flag="False" src_range_end="0" src_range_start="0" syn_flag="False"/> <TCPService ack_flag="False" comment="" dst_range_end="389" dst_range_start="389" 
fin_flag="False" id="id3AECF778" library="Standard" name="ldap" rst_flag="False" src_range_end="0" src_range_start="0" syn_flag="False"/> <!-- The next two entries are both named linuxconf (id3B4FF000 and id3AED0D6D) and both define TCP port 98; neither is referenced by a rule in this file, so one looks redundant. --> <TCPService ack_flag="False" comment="" dst_range_end="98" dst_range_start="98" fin_flag="False" id="id3B4FF000" library="Standard" name="linuxconf" rst_flag="False" src_range_end="0" src_range_start="0" syn_flag="False"/> <TCPService ack_flag="False" comment="" dst_range_end="98" dst_range_start="98" fin_flag="False" id="id3AED0D6D" library="Standard" name="linuxconf" rst_flag="False" src_range_end="0" src_range_start="0" syn_flag="False"/> <TCPService ack_flag="False" comment="" dst_range_end="3306" dst_range_start="3306" fin_flag="False" id="id3B4FEEEE" library="Standard" name="mysql" rst_flag="False" src_range_end="0" src_range_start="0" syn_flag="False"/> <TCPService ack_flag="False" comment="" dst_range_end="2049" dst_range_start="2049" fin_flag="False" id="id3B4FEE7A" library="Standard" name="nfs" rst_flag="False" src_range_end="0" src_range_start="0" syn_flag="False"/> <TCPService ack_flag="False" comment="" dst_range_end="119" dst_range_start="119" fin_flag="False" id="tcp-NNTP" library="Standard" name="nntp" rst_flag="False" src_range_end="0" src_range_start="0" syn_flag="False"/> <TCPService ack_flag="False" comment="" dst_range_end="110" dst_range_start="110" fin_flag="False" id="id3B4FEE1D" library="Standard" name="pop3" rst_flag="False" src_range_end="0" src_range_start="0" syn_flag="False"/> <TCPService ack_flag="False" comment="" dst_range_end="5432" dst_range_start="5432" fin_flag="False" id="id3B4FF0EA" library="Standard" name="postgres" rst_flag="False" src_range_end="0" src_range_start="0" syn_flag="False"/> <TCPService ack_flag="False" comment="" dst_range_end="515" dst_range_start="515" fin_flag="False" id="id3AECF782" library="Standard" name="printer" rst_flag="False" src_range_end="0" src_range_start="0" syn_flag="False"/> <TCPService ack_flag="False" comment="" dst_range_end="26000" 
dst_range_start="26000" fin_flag="False" id="id3B4FEF7C" library="Standard" name="quake" rst_flag="False" src_range_end="0" src_range_start="0" syn_flag="False"/> <!-- rexec/rlogin/rshell (512-514) are defined here but not used by any rule in this file. --> <TCPService ack_flag="False" comment="" dst_range_end="512" dst_range_start="512" fin_flag="False" id="id3AECF77A" library="Standard" name="rexec" rst_flag="False" src_range_end="0" src_range_start="0" syn_flag="False"/> <TCPService ack_flag="False" comment="" dst_range_end="513" dst_range_start="513" fin_flag="False" id="id3AECF77C" library="Standard" name="rlogin" rst_flag="False" src_range_end="0" src_range_start="0" syn_flag="False"/> <TCPService ack_flag="False" comment="" dst_range_end="514" dst_range_start="514" fin_flag="False" id="id3AECF77E" library="Standard" name="rshell" rst_flag="False" src_range_end="0" src_range_start="0" syn_flag="False"/> <TCPService ack_flag="False" comment="" dst_range_end="4321" dst_range_start="4321" fin_flag="False" id="id3B4FEF34" library="Standard" name="rwhois" rst_flag="False" src_range_end="0" src_range_start="0" syn_flag="False"/> <TCPService ack_flag="False" comment="" dst_range_end="25" dst_range_start="25" fin_flag="False" id="tcp-SMTP" library="Standard" name="smtp" rst_flag="False" src_range_end="0" src_range_start="0" syn_flag="False"/> <TCPService ack_flag="False" comment="" dst_range_end="465" dst_range_start="465" fin_flag="False" id="id3B4FF04C" library="Standard" name="smtps" rst_flag="False" src_range_end="0" src_range_start="0" syn_flag="False"/> <TCPService ack_flag="False" comment="" dst_range_end="1080" dst_range_start="1080" fin_flag="False" id="id3B4FEE76" library="Standard" name="socks" rst_flag="False" src_range_end="0" src_range_start="0" syn_flag="False"/> <!-- id3B4FF09A squid (TCP 3128) is the translated service of NAT rule 0 below. --> <TCPService ack_flag="False" comment="" dst_range_end="3128" dst_range_start="3128" fin_flag="False" id="id3B4FF09A" library="Standard" name="squid" rst_flag="False" src_range_end="0" src_range_start="0" syn_flag="False"/> <TCPService ack_flag="False" comment="" dst_range_end="22" 
dst_range_start="22" fin_flag="False" id="tcp-SSH" library="Standard" name="ssh" rst_flag="False" src_range_end="0" src_range_start="0" syn_flag="False"/> <TCPService ack_flag="False" comment="" dst_range_end="111" dst_range_start="111" fin_flag="False" id="id3AEDBE00" library="Standard" name="sunrpc" rst_flag="False" src_range_end="0" src_range_start="0" syn_flag="False"/> <TCPService ack_flag="False" comment="" dst_range_end="0" dst_range_start="0" fin_flag="False" id="tcp-TCP-SYN" library="Standard" name="tcp-syn" rst_flag="False" src_range_end="0" src_range_start="0" syn_flag="True"/> <TCPService ack_flag="False" comment="" dst_range_end="23" dst_range_start="23" fin_flag="False" id="tcp-Telnet" library="Standard" name="telnet" rst_flag="False" src_range_end="0" src_range_start="0" syn_flag="False"/> <TCPService ack_flag="False" comment="" dst_range_end="540" dst_range_start="540" fin_flag="False" id="tcp-uucp" library="Standard" name="uucp" rst_flag="False" src_range_end="0" src_range_start="0" syn_flag="False"/> <TCPService ack_flag="False" comment="" dst_range_end="7100" dst_range_start="7100" fin_flag="False" id="id3B4FF1B8" library="Standard" name="xfs" rst_flag="False" src_range_end="0" src_range_start="0" syn_flag="False"/> </ServiceGroup> <!-- UDP services. Global rule 6 references udp-DNS, udp-ntp and id3AED0D8C (traceroute, 33434-33464). --> <ServiceGroup id="stdid08" library="Standard" name="UDP"> <UDPService comment="ipchains used to use this port range for masqueraded packets" dst_range_end="0" dst_range_start="0" id="udp-ALL_UDP_Masqueraded" library="Standard" name="ALL UDP Masqueraded" src_range_end="65095" src_range_start="61000"/> <UDPService comment="" dst_range_end="0" dst_range_start="0" id="udp-All_UDP" library="Standard" name="All UDP" src_range_end="0" src_range_start="0"/> <UDPService comment="routing protocol RIP" dst_range_end="520" dst_range_start="520" id="id3AED0D6B" library="Standard" name="RIP" src_range_end="0" src_range_start="0"/> <UDPService comment="" dst_range_end="7009" dst_range_start="7000" id="id3B4FEDA1" library="Standard" 
name="afs" src_range_end="0" src_range_start="0"/> <UDPService comment="" dst_range_end="68" dst_range_start="68" id="udp-bootpc" library="Standard" name="bootpc" src_range_end="0" src_range_start="0"/> <UDPService comment="" dst_range_end="67" dst_range_start="67" id="udp-bootps" library="Standard" name="bootps" src_range_end="0" src_range_start="0"/> <UDPService comment="" dst_range_end="13" dst_range_start="13" id="id3AEDBE70" library="Standard" name="daytime" src_range_end="0" src_range_start="0"/> <UDPService comment="" dst_range_end="53" dst_range_start="53" id="udp-DNS" library="Standard" name="dns" src_range_end="0" src_range_start="0"/> <UDPService comment="" dst_range_end="88" dst_range_start="88" id="id3B4FEDA5" library="Standard" name="kerberos" src_range_end="0" src_range_start="0"/> <UDPService comment="" dst_range_end="750" dst_range_start="749" id="id3B4FEDA9" library="Standard" name="kerberos-adm" src_range_end="0" src_range_start="0"/> <UDPService comment="" dst_range_end="464" dst_range_start="464" id="id3B4FEDA7" library="Standard" name="kpasswd" src_range_end="0" src_range_start="0"/> <UDPService comment="" dst_range_end="4444" dst_range_start="4444" id="id3B4FEDAB" library="Standard" name="krb524" src_range_end="0" src_range_start="0"/> <UDPService comment="" dst_range_end="138" dst_range_start="138" id="udp-netbios-dgm" library="Standard" name="netbios-dgm" src_range_end="0" src_range_start="0"/> <UDPService comment="" dst_range_end="137" dst_range_start="137" id="udp-netbios-ns" library="Standard" name="netbios-ns" src_range_end="0" src_range_start="0"/> <UDPService comment="" dst_range_end="139" dst_range_start="139" id="udp-netbios-ssn" library="Standard" name="netbios-ssn" src_range_end="0" src_range_start="0"/> <UDPService comment="" dst_range_end="2049" dst_range_start="2049" id="id3B4FEE78" library="Standard" name="nfs" src_range_end="0" src_range_start="0"/> <UDPService comment="" dst_range_end="123" dst_range_start="123" id="udp-ntp" 
library="Standard" name="ntp" src_range_end="0" src_range_start="0"/> <UDPService comment="" dst_range_end="26000" dst_range_start="26000" id="id3B4FEF7E" library="Standard" name="quake" src_range_end="0" src_range_start="0"/> <!-- id3B4FEE1F 'rip' duplicates id3AED0D6B 'RIP' above (both UDP 520); neither is referenced by a rule in this file. --> <UDPService comment="" dst_range_end="520" dst_range_start="520" id="id3B4FEE1F" library="Standard" name="rip" src_range_end="0" src_range_start="0"/> <UDPService comment="" dst_range_end="161" dst_range_start="161" id="udp-SNMP" library="Standard" name="snmp" src_range_end="0" src_range_start="0"/> <UDPService comment="" dst_range_end="162" dst_range_start="162" id="id3AED0D69" library="Standard" name="snmp-trap" src_range_end="0" src_range_start="0"/> <UDPService comment="" dst_range_end="111" dst_range_start="111" id="id3AEDBE19" library="Standard" name="sunrpc" src_range_end="0" src_range_start="0"/> <UDPService comment="" dst_range_end="514" dst_range_start="514" id="id3AECF780" library="Standard" name="syslog" src_range_end="0" src_range_start="0"/> <UDPService comment="" dst_range_end="69" dst_range_start="69" id="id3AED0D67" library="Standard" name="tftp" src_range_end="0" src_range_start="0"/> <UDPService comment="" dst_range_end="33464" dst_range_start="33434" id="id3AED0D8C" library="Standard" name="traceroute" src_range_end="0" src_range_start="0"/> </ServiceGroup> <!-- Custom services: iptables-only match extensions (their comments say patch-o-matic is required); the Undefined and ipfilter commands are all empty. None of the five is referenced by a rule in this file. --> <ServiceGroup id="stdid13" library="Standard" name="Custom"> <CustomService comment="works in iptables and requires patch-o-matic" id="id3B64EEA8" library="Standard" name="rpc"> <CustomServiceCommand platform="Undefined"></CustomServiceCommand> <CustomServiceCommand platform="ipfilter"></CustomServiceCommand> <CustomServiceCommand platform="iptables">-m record_rpc</CustomServiceCommand> </CustomService> <CustomService comment="IRC connection tracker, supports DCC. 
Works on iptables and requires patch-o-matic" id="id3B64EF4E" library="Standard" name="irc-conn"> <CustomServiceCommand platform="Undefined"></CustomServiceCommand> <CustomServiceCommand platform="ipfilter"></CustomServiceCommand> <CustomServiceCommand platform="iptables">-m irc</CustomServiceCommand> </CustomService> <CustomService comment="Port scan detector, works only on iptables and requires patch-o-matic " id="id3B64EF50" library="Standard" name="psd"> <CustomServiceCommand platform="Undefined"></CustomServiceCommand> <CustomServiceCommand platform="ipfilter"></CustomServiceCommand> <CustomServiceCommand platform="iptables">-m psd --psd-weight-threshold 5 --psd-delay-threshold 10000</CustomServiceCommand> </CustomService> <!-- The 'string' entry carries test_pattern, which looks like a placeholder rather than a real match string. --> <CustomService comment="Matches a string in a whole packet, works in iptables and requires patch-o-matic" id="id3B64EF52" library="Standard" name="string"> <CustomServiceCommand platform="Undefined"></CustomServiceCommand> <CustomServiceCommand platform="ipfilter"></CustomServiceCommand> <CustomServiceCommand platform="iptables">-m string --string test_pattern</CustomServiceCommand> </CustomService> <CustomService comment="Talk protocol support. 
Works in iptables and requires patch-o-matic" id="id3B64EF54" library="Standard" name="talk"> <CustomServiceCommand platform="Undefined"></CustomServiceCommand> <CustomServiceCommand platform="ipfilter"></CustomServiceCommand> <CustomServiceCommand platform="iptables">-m talk</CustomServiceCommand> </CustomService> </ServiceGroup> </ServiceGroup> <ObjectGroup id="stdid12" library="Standard" name="Firewalls"> <!-- Firewall 'Perde' (id3C470F6B): iptables on linux24, address 10.254.254.254. snmp_read_community 'public' and snmp_write_community 'private' are the widely known factory defaults; if this host is managed over SNMP they should be replaced, and a write community should not be configured unless it is actually needed. --> <Firewall address="10.254.254.254" comment="" host_OS="linux24" id="id3C470F6B" name="Perde" platform="iptables" snmp_read_community="public" snmp_write_community="private" version=""> <!-- NAT. Rule 0: Intranet to anywhere on HTTP gets translated destination = firewall and translated service = squid (id3B4FF09A, TCP 3128), presumably a transparent proxy redirect. Rule 1: all other Intranet traffic gets translated source = firewall address (masquerading). --> <NAT id="id3C470F6E"> <NATRule disabled="False" id="id3C4AECA5" position="0"> <OSrc neg="False"> <ObjectRef ref="id3C470EF5"/> </OSrc> <ODst neg="False"> <ObjectRef ref="sysid0"/> </ODst> <OSrv neg="False"> <ServiceRef ref="tcp-HTTP"/> </OSrv> <TSrc neg="False"> <ObjectRef ref="sysid0"/> </TSrc> <TDst neg="False"> <ObjectRef ref="id3C470F6B"/> </TDst> <TSrv neg="False"> <ServiceRef ref="id3B4FF09A"/> </TSrv> <NATRuleOptions/> </NATRule> <NATRule disabled="False" id="id3C471064" position="1"> <OSrc neg="False"> <ObjectRef ref="id3C470EF5"/> </OSrc> <ODst neg="False"> <ObjectRef ref="sysid0"/> </ODst> <OSrv neg="False"> <ServiceRef ref="sysid1"/> </OSrv> <TSrc neg="False"> <ObjectRef ref="id3C470F6B"/> </TSrc> <TDst neg="False"> <ObjectRef ref="sysid0"/> </TDst> <TSrv neg="False"> <ServiceRef ref="sysid1"/> </TSrv> <NATRuleOptions/> </NATRule> </NAT> <!-- Global policy, in position order. Every rule uses the Any interval (sysid2) and has log=True. --> <Policy id="id3C470F6D"> <!-- 0: deny and log short fragments (ip-IP_Fragments), stateless. --> <PolicyRule action="Deny" comment="block fragments" disabled="False" id="id3C470FAB" log="True" position="0"> <Src neg="False"> <ObjectRef ref="sysid0"/> </Src> <Dst neg="False"> <ObjectRef ref="sysid0"/> </Dst> <Srv neg="False"> <ServiceRef ref="ip-IP_Fragments"/> </Srv> <When neg="False"> <IntervalRef ref="sysid2"/> </When> <PolicyRuleOptions> <Option name="stateless">True</Option> </PolicyRuleOptions> </PolicyRule> <!-- 1: any source to Intranet or the firewall, Useful_ICMP group, Accept. --> <PolicyRule action="Accept" disabled="False" id="id3C471096" log="True" position="1"> <Src 
neg="False"> <ObjectRef ref="sysid0"/> </Src> <Dst neg="False"> <ObjectRef ref="id3C470EF5"/> <ObjectRef ref="id3C470F6B"/> </Dst> <Srv neg="False"> <ServiceRef ref="sg-Useful_ICMP"/> </Srv> <When neg="False"> <IntervalRef ref="sysid2"/> </When> <PolicyRuleOptions/> </PolicyRule> <!-- 2: firewall to Intranet, ICMP time exceeded (for traceroute, per the rule comment). --> <PolicyRule action="Accept" comment="need this for traceroute" disabled="False" id="id3C4710A3" log="True" position="2"> <Src neg="False"> <ObjectRef ref="id3C470F6B"/> </Src> <Dst neg="False"> <ObjectRef ref="id3C470EF5"/> </Dst> <Srv neg="False"> <ServiceRef ref="icmp-Time_exceeded"/> </Srv> <When neg="False"> <IntervalRef ref="sysid2"/> </When> <PolicyRuleOptions/> </PolicyRule> <!-- 3: Intranet to the firewall itself, any service, Accept. This exposes every service on the firewall to all of 10.0.0.0/8; narrowing the source to management hosts, or the service list to what is actually needed, would reduce that exposure. --> <PolicyRule action="Accept" disabled="False" id="id3C471367" log="True" position="3"> <Src neg="False"> <ObjectRef ref="id3C470EF5"/> </Src> <Dst neg="False"> <ObjectRef ref="id3C470F6B"/> </Dst> <Srv neg="False"> <ServiceRef ref="sysid1"/> </Srv> <When neg="False"> <IntervalRef ref="sysid2"/> </When> <PolicyRuleOptions/> </PolicyRule> <!-- 4: sources other than Intranet (neg=True) to the firewall on ssh/telnet/http, Deny and log. Intranet sources are already accepted by rule 3, so with first-match processing (presumed) this rule only ever sees non-Intranet sources; it adds a specific log entry before the catch-all in rule 8. --> <PolicyRule action="Deny" disabled="False" id="id3C473E14" log="True" position="4"> <Src neg="True"> <ObjectRef ref="id3C470EF5"/> </Src> <Dst neg="False"> <ObjectRef ref="id3C470F6B"/> </Dst> <Srv neg="False"> <ServiceRef ref="tcp-SSH"/> <ServiceRef ref="tcp-Telnet"/> <ServiceRef ref="tcp-HTTP"/> </Srv> <When neg="False"> <IntervalRef ref="sysid2"/> </When> <PolicyRuleOptions/> </PolicyRule> <!-- 5: firewall to anywhere, any service, Accept. --> <PolicyRule action="Accept" disabled="False" id="id3C471377" log="True" position="5"> <Src neg="False"> <ObjectRef ref="id3C470F6B"/> </Src> <Dst neg="False"> <ObjectRef ref="sysid0"/> </Dst> <Srv neg="False"> <ServiceRef ref="sysid1"/> </Srv> <When neg="False"> <IntervalRef ref="sysid2"/> </When> <PolicyRuleOptions/> </PolicyRule> <!-- 6: Intranet to anywhere, the listed services, Accept. The list mixes cleartext telnet, ftp, pop3, imap and smtp with their TLS counterparts (https, imaps, smtps), and includes id3C20EEB5 (any ICMP) and id3AED0D8C (UDP traceroute). --> <PolicyRule action="Accept" disabled="False" id="id3C473526" log="True" position="6"> <Src neg="False"> <ObjectRef ref="id3C470EF5"/> </Src> <Dst neg="False"> <ObjectRef ref="sysid0"/> </Dst> <Srv neg="False"> <ServiceRef ref="tcp-HTTP"/> <ServiceRef 
ref="id3B4FED69"/> <ServiceRef ref="tcp-DNS_zone_transf"/> <ServiceRef ref="udp-DNS"/> <ServiceRef ref="udp-ntp"/> <ServiceRef ref="id3AED0D8C"/> <ServiceRef ref="id3C20EEB5"/> <ServiceRef ref="tcp-Telnet"/> <ServiceRef ref="id3AECF776"/> <ServiceRef ref="id3B4FED9F"/> <ServiceRef ref="id3B4FEE1D"/> <ServiceRef ref="tcp-SMTP"/> <ServiceRef ref="id3B4FF04C"/> <ServiceRef ref="tcp-SSH"/> <ServiceRef ref="tcp-FTP"/> <ServiceRef ref="tcp-FTP_data"/> </Srv> <When neg="False"> <IntervalRef ref="sysid2"/> </When> <PolicyRuleOptions/> </PolicyRule> <!-- 7: everything else from Intranet is Rejected (action_on_reject below is 'ICMP host prohibited'). --> <PolicyRule action="Reject" disabled="False" id="id3C4AE985" log="True" position="7"> <Src neg="False"> <ObjectRef ref="id3C470EF5"/> </Src> <Dst neg="False"> <ObjectRef ref="sysid0"/> </Dst> <Srv neg="False"> <ServiceRef ref="sysid1"/> </Srv> <When neg="False"> <IntervalRef ref="sysid2"/> </When> <PolicyRuleOptions/> </PolicyRule> <!-- 8: catch-all Deny with logging, stateless. --> <PolicyRule action="Deny" comment="'catch all' rule" disabled="False" id="id3C470FC8" log="True" position="8"> <Src neg="False"> <ObjectRef ref="sysid0"/> </Src> <Dst neg="False"> <ObjectRef ref="sysid0"/> </Dst> <Srv neg="False"> <ServiceRef ref="sysid1"/> </Srv> <When neg="False"> <IntervalRef ref="sysid2"/> </When> <PolicyRuleOptions> <Option name="stateless">True</Option> </PolicyRuleOptions> </PolicyRule> </Policy> <!-- ppp0: dynamic external interface (dyn=True, security_level 0). Inbound: deny short fragments, then drop packets that claim an Intranet or firewall source (anti-spoofing). Outbound: drop packets whose source is neither Intranet nor the firewall. Both anti-spoofing rules are stateless and logged. --> <Interface address="0.0.0.0" dyn="True" id="id3C470F76" label="External dial-up" name="ppp0" netmask="0.0.0.0" physAddress="" security_level="0"> <InterfacePolicy id="id3C470F77"> <PolicyRule action="Deny" comment="deny short fragments" direction="Inbound" disabled="False" id="id3C471299" log="True" position="0"> <Src neg="False"> <ObjectRef ref="sysid0"/> </Src> <Dst neg="False"> <ObjectRef ref="sysid0"/> </Dst> <Srv neg="False"> <ServiceRef ref="ip-IP_Fragments"/> </Srv> <PolicyRuleOptions/> </PolicyRule> <PolicyRule action="Deny" comment="Anti-spoofing rule" direction="Inbound" disabled="False" id="id3C470FA1" log="True" position="1"> <Src neg="False"> <ObjectRef ref="id3C470EF5"/> 
<ObjectRef ref="id3C470F6B"/> </Src> <Dst neg="False"> <ObjectRef ref="sysid0"/> </Dst> <Srv neg="False"> <ServiceRef ref="sysid1"/> </Srv> <PolicyRuleOptions> <Option name="stateless">True</Option> </PolicyRuleOptions> </PolicyRule> <PolicyRule action="Deny" comment="Anti-spoofing rule" direction="Outbound" disabled="False" id="id3C470F97" log="True" position="2"> <Src neg="True"> <ObjectRef ref="id3C470EF5"/> <ObjectRef ref="id3C470F6B"/> </Src> <Dst neg="False"> <ObjectRef ref="sysid0"/> </Dst> <Srv neg="False"> <ServiceRef ref="sysid1"/> </Srv> <PolicyRuleOptions> <Option name="stateless">True</Option> </PolicyRuleOptions> </PolicyRule> </InterfacePolicy> </Interface> <!-- eth0: internal interface, 10.254.254.254/8, security_level 100. Its interface policy is empty, so no interface-level rules are defined for it. --> <Interface address="10.254.254.254" dyn="False" id="id3C470F78" label="Internal Ethernet" name="eth0" netmask="255.0.0.0" physAddress="" security_level="100"> <InterfacePolicy id="id3C470F79"/> </Interface> <!-- lo: accept everything in both directions, stateless, not logged. --> <Interface address="127.0.0.1" dyn="False" id="id3C470F7A" label="Loopback" name="lo" netmask="255.0.0.0" physAddress="" security_level="100"> <InterfacePolicy id="id3C470F7B"> <PolicyRule action="Accept" comment="allow everything on loopback" direction="Inbound" disabled="False" id="id3C470FB6" log="False" position="0"> <Src neg="False"> <ObjectRef ref="sysid0"/> </Src> <Dst neg="False"> <ObjectRef ref="id3C470F6B"/> </Dst> <Srv neg="False"> <ServiceRef ref="sysid1"/> </Srv> <PolicyRuleOptions> <Option name="stateless">True</Option> </PolicyRuleOptions> </PolicyRule> <PolicyRule action="Accept" comment="allow everything on loopback" direction="Outbound" disabled="False" id="id3C470FBF" log="False" position="1"> <Src neg="False"> <ObjectRef ref="id3C470F6B"/> </Src> <Dst neg="False"> <ObjectRef ref="sysid0"/> </Dst> <Srv neg="False"> <ServiceRef ref="sysid1"/> </Srv> <PolicyRuleOptions> <Option name="stateless">True</Option> </PolicyRuleOptions> </PolicyRule> </InterfacePolicy> </Interface> <!-- Compiler and host OS options. accept_established=True is presumably what gives the non-stateless rules above their stateful handling (the ESTABLISHED custom service is not referenced anywhere). dyn_addr is False although ppp0 is declared dyn=True; confirm the compiler resolves ppp0's address the intended way. firewall_is_part_of_any_and_networks=True means, presumably, that the firewall's own address is also matched by Any and by the Intranet network object. --> <FirewallOptions> <Option name="accept_established">True</Option> <!-- accept_new_tcp_with_no_syn=True accepts TCP packets that do not start with SYN as new sessions; this loosens stateful inspection and should be confirmed as intentional. --> <Option 
name="accept_new_tcp_with_no_syn">True</Option> <Option name="action_on_reject">ICMP host prohibited</Option> <Option name="clamp_mss_to_mtu">False</Option> <Option name="cmdline"></Option> <Option name="compiler"></Option> <Option name="debug">False</Option> <Option name="dyn_addr">False</Option> <Option name="firewall_is_part_of_any_and_networks">True</Option> <Option name="inst_cmdline"></Option> <Option name="inst_script"></Option> <Option name="limit_suffix">/day</Option> <Option name="limit_value">0</Option> <!-- linux24_accept_source_route=1: if this value is written to the kernel sysctl as-is, source-routed packets are accepted on the host; verify against the fwbuilder host OS settings. The ip-SRR service defined above is not used by any rule. rp_filter=1 and log_martians=1 are the hardening settings one would expect. --> <Option name="linux24_accept_source_route">1</Option> <Option name="linux24_icmp_echo_ignore_broadcasts">1</Option> <Option name="linux24_ip_dynaddr">1</Option> <Option name="linux24_ip_forward">1</Option> <Option name="linux24_log_martians">1</Option> <Option name="linux24_rp_filter">1</Option> <Option name="linux24_tcp_fin_timeout">30</Option> <Option name="linux24_tcp_keepalive_interval">1800</Option> <Option name="load_modules">True</Option> <Option name="log_all_dropped">False</Option> <Option name="log_ip_opt">True</Option> <Option name="log_level">info</Option> <Option name="log_prefix">RULE %N -- %A </Option> <Option name="log_tcp_opt">True</Option> <Option name="log_tcp_seq">True</Option> <Option name="manage_virtual_addr">True</Option> <Option name="no_optimisation">False</Option> <Option name="script_env_path"></Option> <Option name="snmp_contact"></Option> <Option name="snmp_description"></Option> <Option name="snmp_location"></Option> <Option name="use_numeric_log_levels">False</Option> </FirewallOptions> </Firewall> </ObjectGroup> <!-- Time intervals. None is referenced by a rule in this file; every rule uses the Any interval (sysid2). --> <IntervalGroup id="stdid11" library="Standard" name="Time"> <Interval comment="any day, 9:00am through 5:00pm" from_day="-1" from_hour="9" from_minute="0" from_month="-1" from_weekday="-1" from_year="-1" id="int-workhours" library="Standard" name="workhours" to_day="-1" to_hour="17" to_minute="0" to_month="-1" to_weekday="-1" to_year="-1"/> <!-- Weekends run from_weekday 7 to to_weekday 1; the weekday numbering is not defined in this file, so confirm it spans Saturday through Sunday as the comment says. --> <Interval comment="weekends: Saturday 0:00 through Sunday 23:59 " 
from_day="-1" from_hour="0" from_minute="0" from_month="-1" from_weekday="7" from_year="-1" id="int-weekends" library="Standard" name="weekends" to_day="-1" to_hour="23" to_minute="59" to_month="-1" to_weekday="1" to_year="-1"/> <Interval comment="any day 6:00pm - 12:00am" from_day="-1" from_hour="18" from_minute="0" from_month="-1" from_weekday="-1" from_year="-1" id="int-afterhours" library="Standard" name="afterhours" to_day="-1" to_hour="23" to_minute="59" to_month="-1" to_weekday="-1" to_year="-1"/> </IntervalGroup> </FWObjectDatabase>