kmyfirewall/templates/04_web_server_template.tkmfrs


<!DOCTYPE kmyfirewall-ruleset>
<kmfnet maxVersion="~" minVersion="1.1.0" version="1.1.0" interface="iptables" uuid="{41b36b2b-68e2-4545-b34d-3cf3609c204f}" >
<netzone guiName="Global Network" readonly="bool:on" uuid="{3349418e-3923-4f3c-933c-b1bd91a2c84a}" name="mynetwork" description="This is the global zone that contains all valid IP addresses." >
<fromIP address="0.0.0.0" />
<netMask address="0" />
<target sshPort="22" address="127.0.0.1" guiName="My Local Computer" readonly="bool:on" uuid="{42bc1c1f-996f-4f60-a6e3-3e43cd6f0167}" name="localhost" description="Local computer running KMyFirewall" >
<targetconfig uuid="{c3d33a7a-5ba9-45cc-8f34-1617b773e08f}" name="Untitled" description="No Description Available" >
<os name="linux" />
<backend name="iptables" />
<distribution name="" />
<initPath name="" />
<IPTPath name="" />
<modprobePath name="" />
<rcDefaultPath name="" />
</targetconfig>
<kmfrs maxVersion="~" minVersion="1.0.0" version="1.1.0" uuid="{8af7181a-bf52-47e3-a00e-2204f8cff57c}" >
<abstract use_nat="no" use_filter="yes" use_syn_cookies="yes" use_ipfwd="yes" use_martians="yes" use_modules="yes" use_rp_filter="yes" name="Web Server Template" use_mangle="no" description="This is a template configuration for a typical web server. The TCP ports 80, 443 and 22 (HTTP, HTTPS and SSH) are open; everything else arriving in INPUT is dropped." />
<table uuid="{24e22827-5d99-49a3-8767-b9cf25371f7c}" name="filter" description="This table is the main table for filtering
packets. Here you may define your
access control rules" >
<chain default_target="DROP" builtin="yes" uuid="{414166ad-b58e-41e8-8a8f-a9962e769bd1}" name="INPUT" description="In this chain you can filter packets that
are addressed directly to this computer." >
<rule num="0" logging="no" target="ICMP_FILTER" custom_rule="no" uuid="{ac00d50c-60b1-4596-9fe6-be5843be3cf4}" name="FWD_ICMP_FILTER" enabled="yes" description="Forward to the chain that handles ICMP packets,
so that only a few ICMP types are accepted and unwanted ones such as source-quench are not." />
<rule num="1" logging="no" target="ANTISPOOF" custom_rule="no" uuid="{214725fa-4179-46e4-800d-5914741921e9}" name="FWD_ANTISPOOF" enabled="yes" description="Forward packets to the ANTISPOOF chain,
which performs some sanity checks on
the packets to avoid spoofing." />
<rule num="2" logging="no" target="TCP_CHECKS" custom_rule="no" uuid="{af2b8ac5-3f43-4679-b189-9f031921b7a7}" name="FWD_TCP_CHECKS" enabled="yes" description="Forward to chain TCP_CHECKS, which
filters invalid TCP flag combinations." >
<ruleoption targetoption="no" type="tcp_opt" uuid="{b5626a02-1808-444a-9e61-e6484318cb8c}" >
<ruleoptionvalue value0="bool:on" />
<ruleoptionvalue value1="bool:off" />
<ruleoptionvalue value2="bool:off" />
<ruleoptionvalue value3="bool:off" />
<ruleoptionvalue value4="bool:off" />
<ruleoptionvalue value5="bool:off" />
<ruleoptionvalue value6="bool:off" />
<ruleoptionvalue value7="bool:off" />
<ruleoptionvalue value8="bool:off" />
<ruleoptionvalue value9="bool:off" />
</ruleoption>
</rule>
<rule num="3" logging="no" target="SERVICES" custom_rule="no" uuid="{f334a3b2-7f69-48d6-8594-54e2a5c4ef60}" name="FWD_SERVICES" enabled="yes" description="This rule forwards all packets to the SERVICES chain.
This chain is meant to be used for rules that allow
access to this host, e.g. HTTP if you are running a web
server." />
<rule num="4" logging="no" target="ACCEPT" custom_rule="no" uuid="{4dc5f9cf-d19b-4030-998d-166ada82d814}" name="LOOPBACK" enabled="yes" description="Allow packets sent from the loopback interface" >
<ruleoption targetoption="no" type="interface_opt" uuid="{d53aa556-afd8-4906-867a-943747470965}" >
<ruleoptionvalue value0="lo" />
<ruleoptionvalue value1="bool:off" />
<ruleoptionvalue value2="bool:off" />
<ruleoptionvalue value3="bool:off" />
<ruleoptionvalue value4="bool:off" />
<ruleoptionvalue value5="bool:off" />
<ruleoptionvalue value6="bool:off" />
<ruleoptionvalue value7="bool:off" />
<ruleoptionvalue value8="bool:off" />
<ruleoptionvalue value9="bool:off" />
</ruleoption>
</rule>
<rule num="5" logging="no" target="ACCEPT" custom_rule="no" uuid="{bece6068-58e4-4cef-83b4-9513d574d471}" name="CONNTRACK" enabled="yes" description="This rule handles the connection tracking.
It simply lets everything in that is a response
(state RELATED or ESTABLISHED) to a network request you made." >
<ruleoption targetoption="no" type="state_opt" uuid="{0210e1d2-769e-4495-8089-781d20ca2c3a}" >
<ruleoptionvalue value0="bool:on" />
<ruleoptionvalue value1="RELATED,ESTABLISHED" />
<ruleoptionvalue value2="bool:off" />
<ruleoptionvalue value3="bool:off" />
<ruleoptionvalue value4="bool:off" />
<ruleoptionvalue value5="bool:off" />
<ruleoptionvalue value6="bool:off" />
<ruleoptionvalue value7="bool:off" />
<ruleoptionvalue value8="bool:off" />
<ruleoptionvalue value9="bool:off" />
</ruleoption>
</rule>
</chain>
<chain default_target="ACCEPT" builtin="yes" uuid="{e97ee9d7-871f-49f0-b2a0-1912292a2071}" name="OUTPUT" description="In this chain you can decide which
packets are allowed to be sent away
from this computer." />
<chain default_target="DROP" builtin="yes" uuid="{f437654c-62e4-4fee-b129-99ee59755394}" name="FORWARD" description="In this chain you can filter the packets
that are routed to other hosts by this
computer." />
<chain builtin="no" uuid="{a0f476e7-9540-4260-9f61-de89d033fd3e}" name="ANTISPOOF" description="Packet spoof protection is done in
this chain." >
<rule num="0" logging="no" target="DROP" custom_rule="no" uuid="{b1e735e2-1b31-4b74-9c14-8613abf8b29c}" name="loopback_spoof" enabled="yes" description="Drop packets that claim a 127.0.0.0/8 source address but did not arrive on the loopback interface." >
<ruleoption targetoption="no" type="interface_opt" uuid="{774afbfa-c082-4084-878f-69bd9d193104}" >
<ruleoptionvalue value0="! lo" />
<ruleoptionvalue value1="bool:off" />
<ruleoptionvalue value2="bool:off" />
<ruleoptionvalue value3="bool:off" />
<ruleoptionvalue value4="bool:off" />
<ruleoptionvalue value5="bool:off" />
<ruleoptionvalue value6="bool:off" />
<ruleoptionvalue value7="bool:off" />
<ruleoptionvalue value8="bool:off" />
<ruleoptionvalue value9="bool:off" />
</ruleoption>
<ruleoption targetoption="no" type="ip_opt" uuid="{0ff372ce-3e46-499c-9512-0dae87cb2df8}" >
<ruleoptionvalue value0="127.0.0.0/8" />
<ruleoptionvalue value1="bool:off" />
<ruleoptionvalue value2="bool:off" />
<ruleoptionvalue value3="bool:off" />
<ruleoptionvalue value4="bool:off" />
<ruleoptionvalue value5="bool:off" />
<ruleoptionvalue value6="bool:off" />
<ruleoptionvalue value7="bool:off" />
<ruleoptionvalue value8="bool:off" />
<ruleoptionvalue value9="bool:off" />
</ruleoption>
</rule>
</chain>
<chain builtin="no" uuid="{49b1df3f-fb0e-4745-9547-612e350101af}" name="SERVICES" description="This chain holds the rules that allow other computers to connect to services on this host. In this template these are TCP ports 80, 443 and 22." >
<rule num="0" logging="no" target="ACCEPT" custom_rule="no" uuid="{b5812bdf-cb51-456d-882a-bf7d82f8e13b}" name="HTTP_HTTPS" enabled="yes" description="This rule opens the TCP ports 80 and 443 (HTTP and HTTPS)." >
<ruleoption targetoption="no" type="tcp_multiport_opt" uuid="{2625a4e2-ba07-472b-89e3-db0b2e065371}" >
<ruleoptionvalue value0="bool:on" />
<ruleoptionvalue value1="bool:off" />
<ruleoptionvalue value2="80,443" />
<ruleoptionvalue value3="bool:off" />
<ruleoptionvalue value4="bool:off" />
<ruleoptionvalue value5="bool:off" />
<ruleoptionvalue value6="bool:off" />
<ruleoptionvalue value7="bool:off" />
<ruleoptionvalue value8="bool:off" />
<ruleoptionvalue value9="bool:off" />
</ruleoption>
</rule>
<rule num="1" logging="no" target="ACCEPT" custom_rule="no" uuid="{11af5582-60d6-43d5-81b5-18bba8edb31f}" name="Example_SSH" enabled="yes" description="This rule opens TCP port 22 (SSH) for clients connecting from the port range 1024:65535." >
<ruleoption targetoption="no" type="tcp_opt" uuid="{22b2c038-2be6-4997-9430-2340f29ba766}" >
<ruleoptionvalue value0="bool:on" />
<ruleoptionvalue value1="1024:65535" />
<ruleoptionvalue value2="22" />
<ruleoptionvalue value3="bool:off" />
<ruleoptionvalue value4="bool:off" />
<ruleoptionvalue value5="bool:off" />
<ruleoptionvalue value6="bool:off" />
<ruleoptionvalue value7="bool:off" />
<ruleoptionvalue value8="bool:off" />
<ruleoptionvalue value9="bool:off" />
</ruleoption>
</rule>
</chain>
<chain builtin="no" uuid="{28e8c0e7-84b9-431b-a636-c18777af661b}" name="ICMP_FILTER" description="Here some ICMP packet types are
filtered to avoid denial of service attacks." >
<rule num="0" logging="no" target="ACCEPT" custom_rule="no" uuid="{5740f895-e5b8-4b6c-ae75-a07df328b8a0}" name="ping" enabled="yes" description="No Description Available" >
<ruleoption targetoption="no" type="icmp_opt" uuid="{9cf0dfd0-9523-49a0-b7dc-f78b9c759dc2}" >
<ruleoptionvalue value0="bool:on" />
<ruleoptionvalue value1="echo-request" />
<ruleoptionvalue value2="bool:off" />
<ruleoptionvalue value3="bool:off" />
<ruleoptionvalue value4="bool:off" />
<ruleoptionvalue value5="bool:off" />
<ruleoptionvalue value6="bool:off" />
<ruleoptionvalue value7="bool:off" />
<ruleoptionvalue value8="bool:off" />
<ruleoptionvalue value9="bool:off" />
</ruleoption>
</rule>
<rule num="1" logging="no" target="ACCEPT" custom_rule="no" uuid="{f753a6a0-b7c3-47cd-b08a-ebac149220a8}" name="ping_reply" enabled="yes" description="No Description Available" >
<ruleoption targetoption="no" type="icmp_opt" uuid="{3a184346-683e-4535-99d2-ffe14f034984}" >
<ruleoptionvalue value0="bool:on" />
<ruleoptionvalue value1="echo-reply" />
<ruleoptionvalue value2="bool:off" />
<ruleoptionvalue value3="bool:off" />
<ruleoptionvalue value4="bool:off" />
<ruleoptionvalue value5="bool:off" />
<ruleoptionvalue value6="bool:off" />
<ruleoptionvalue value7="bool:off" />
<ruleoptionvalue value8="bool:off" />
<ruleoptionvalue value9="bool:off" />
</ruleoption>
</rule>
<rule num="2" logging="no" target="ACCEPT" custom_rule="no" uuid="{9aee9939-1a7b-4f71-a500-635f2ce6793d}" name="host_unreachable" enabled="yes" description="No Description Available" >
<ruleoption targetoption="no" type="icmp_opt" uuid="{fdb12c22-e453-4fbb-aafb-c3cc32c919e2}" >
<ruleoptionvalue value0="bool:on" />
<ruleoptionvalue value1="host-unreachable" />
<ruleoptionvalue value2="bool:off" />
<ruleoptionvalue value3="bool:off" />
<ruleoptionvalue value4="bool:off" />
<ruleoptionvalue value5="bool:off" />
<ruleoptionvalue value6="bool:off" />
<ruleoptionvalue value7="bool:off" />
<ruleoptionvalue value8="bool:off" />
<ruleoptionvalue value9="bool:off" />
</ruleoption>
</rule>
<rule num="3" logging="no" target="ACCEPT" custom_rule="no" uuid="{fda4fddc-efe8-4bd1-89a0-1e7e2080348d}" name="network_unreachable" enabled="yes" description="No Description Available" >
<ruleoption targetoption="no" type="icmp_opt" uuid="{6768d063-835c-40a2-992d-46d87f7b906a}" >
<ruleoptionvalue value0="bool:on" />
<ruleoptionvalue value1="network-unreachable" />
<ruleoptionvalue value2="bool:off" />
<ruleoptionvalue value3="bool:off" />
<ruleoptionvalue value4="bool:off" />
<ruleoptionvalue value5="bool:off" />
<ruleoptionvalue value6="bool:off" />
<ruleoptionvalue value7="bool:off" />
<ruleoptionvalue value8="bool:off" />
<ruleoptionvalue value9="bool:off" />
</ruleoption>
</rule>
</chain>
<chain builtin="no" uuid="{a47513dd-a3be-486d-a918-dc0dc01e6bcd}" name="TCP_CHECKS" description="Drops TCP packets with invalid or scan-typical flag combinations before they reach the SERVICES chain." >
<rule num="0" logging="no" target="DROP" custom_rule="no" uuid="{53f9ce17-a8c8-4dc4-acb9-ea24977883e7}" name="tcp_flags1" enabled="yes" description="No Description Available" >
<ruleoption targetoption="no" type="tcp_opt" uuid="{381457e1-6e7c-422b-b73f-c879865e8bb2}" >
<ruleoptionvalue value0="bool:on" />
<ruleoptionvalue value1="bool:off" />
<ruleoptionvalue value2="bool:off" />
<ruleoptionvalue value3="ALL NONE" />
<ruleoptionvalue value4="bool:off" />
<ruleoptionvalue value5="bool:off" />
<ruleoptionvalue value6="bool:off" />
<ruleoptionvalue value7="bool:off" />
<ruleoptionvalue value8="bool:off" />
<ruleoptionvalue value9="bool:off" />
</ruleoption>
</rule>
<rule num="1" logging="no" target="DROP" custom_rule="no" uuid="{b5a11f5c-d6cf-400b-bc98-ef42bc7656d9}" name="tcp_flags2" enabled="yes" description="No Description Available" >
<ruleoption targetoption="no" type="tcp_opt" uuid="{4bb35820-e3ac-44be-a9fb-cfc7f1d41e22}" >
<ruleoptionvalue value0="bool:on" />
<ruleoptionvalue value1="bool:off" />
<ruleoptionvalue value2="bool:off" />
<ruleoptionvalue value3="FIN,ACK FIN" />
<ruleoptionvalue value4="bool:off" />
<ruleoptionvalue value5="bool:off" />
<ruleoptionvalue value6="bool:off" />
<ruleoptionvalue value7="bool:off" />
<ruleoptionvalue value8="bool:off" />
<ruleoptionvalue value9="bool:off" />
</ruleoption>
</rule>
<rule num="2" logging="no" target="DROP" custom_rule="no" uuid="{5751a6c7-5c75-4b20-8747-b10da300f38f}" name="tcp_flags3" enabled="yes" description="No Description Available" >
<ruleoption targetoption="no" type="tcp_opt" uuid="{76df0129-2788-4c66-8124-c96801337df3}" >
<ruleoptionvalue value0="bool:on" />
<ruleoptionvalue value1="bool:off" />
<ruleoptionvalue value2="bool:off" />
<ruleoptionvalue value3="ACK,PSH PSH" />
<ruleoptionvalue value4="bool:off" />
<ruleoptionvalue value5="bool:off" />
<ruleoptionvalue value6="bool:off" />
<ruleoptionvalue value7="bool:off" />
<ruleoptionvalue value8="bool:off" />
<ruleoptionvalue value9="bool:off" />
</ruleoption>
</rule>
<rule num="3" logging="no" target="DROP" custom_rule="no" uuid="{3f49954b-6a2a-4298-81c6-c54cd2c5c17d}" name="tcp_flags4" enabled="yes" description="No Description Available" >
<ruleoption targetoption="no" type="tcp_opt" uuid="{f51ebe7f-aa2b-452a-9350-66192ba7d322}" >
<ruleoptionvalue value0="bool:on" />
<ruleoptionvalue value1="bool:off" />
<ruleoptionvalue value2="bool:off" />
<ruleoptionvalue value3="ACK,URG URG" />
<ruleoptionvalue value4="bool:off" />
<ruleoptionvalue value5="bool:off" />
<ruleoptionvalue value6="bool:off" />
<ruleoptionvalue value7="bool:off" />
<ruleoptionvalue value8="bool:off" />
<ruleoptionvalue value9="bool:off" />
</ruleoption>
</rule>
<rule num="4" logging="no" target="DROP" custom_rule="no" uuid="{5e530522-9b04-49aa-8a0c-22d77a143393}" name="tcp_flags5" enabled="yes" description="No Description Available" >
<ruleoption targetoption="no" type="tcp_opt" uuid="{b7dc141d-d632-4ace-8fa5-689a8cfbe640}" >
<ruleoptionvalue value0="bool:on" />
<ruleoptionvalue value1="bool:off" />
<ruleoptionvalue value2="bool:off" />
<ruleoptionvalue value3="SYN,FIN SYN,FIN" />
<ruleoptionvalue value4="bool:off" />
<ruleoptionvalue value5="bool:off" />
<ruleoptionvalue value6="bool:off" />
<ruleoptionvalue value7="bool:off" />
<ruleoptionvalue value8="bool:off" />
<ruleoptionvalue value9="bool:off" />
</ruleoption>
</rule>
<rule num="5" logging="no" target="DROP" custom_rule="no" uuid="{c44e8a32-aa43-4320-afeb-81b7847cfdf9}" name="tcp_flags6" enabled="yes" description="No Description Available" >
<ruleoption targetoption="no" type="tcp_opt" uuid="{0e05588d-c058-4353-8274-33ad8b79aea9}" >
<ruleoptionvalue value0="bool:on" />
<ruleoptionvalue value1="bool:off" />
<ruleoptionvalue value2="bool:off" />
<ruleoptionvalue value3="SYN,RST SYN,RST" />
<ruleoptionvalue value4="bool:off" />
<ruleoptionvalue value5="bool:off" />
<ruleoptionvalue value6="bool:off" />
<ruleoptionvalue value7="bool:off" />
<ruleoptionvalue value8="bool:off" />
<ruleoptionvalue value9="bool:off" />
</ruleoption>
</rule>
<rule num="6" logging="no" target="DROP" custom_rule="no" uuid="{d99c29f2-8d22-4c87-96bd-8fae4f003fbf}" name="tcp_flags7" enabled="yes" description="No Description Available" >
<ruleoption targetoption="no" type="tcp_opt" uuid="{9734225e-7963-42a3-bf61-1a3c42c91331}" >
<ruleoptionvalue value0="bool:on" />
<ruleoptionvalue value1="bool:off" />
<ruleoptionvalue value2="bool:off" />
<ruleoptionvalue value3="FIN,RST FIN,RST" />
<ruleoptionvalue value4="bool:off" />
<ruleoptionvalue value5="bool:off" />
<ruleoptionvalue value6="bool:off" />
<ruleoptionvalue value7="bool:off" />
<ruleoptionvalue value8="bool:off" />
<ruleoptionvalue value9="bool:off" />
</ruleoption>
</rule>
<rule num="7" logging="no" target="DROP" custom_rule="no" uuid="{0943595a-d650-4af0-bf95-0a133e75a72a}" name="tcp_nmapXmas" enabled="yes" description="Drop packets carrying the FIN,PSH,URG flag combination used by nmap Xmas scans" >
<ruleoption targetoption="no" type="tcp_opt" uuid="{2858dee2-65e8-4097-aa5c-e0f3346ee9b4}" >
<ruleoptionvalue value0="bool:on" />
<ruleoptionvalue value1="bool:off" />
<ruleoptionvalue value2="bool:off" />
<ruleoptionvalue value3="ALL FIN,PSH,URG" />
<ruleoptionvalue value4="bool:off" />
<ruleoptionvalue value5="bool:off" />
<ruleoptionvalue value6="bool:off" />
<ruleoptionvalue value7="bool:off" />
<ruleoptionvalue value8="bool:off" />
<ruleoptionvalue value9="bool:off" />
</ruleoption>
</rule>
</chain>
<chain builtin="no" uuid="{ba89f1bd-f323-41a4-9b05-96e13146a465}" name="LOCAL_LANS" description="Example chain that accepts packets from the local network 192.168.0.0/24. No rule in this template jumps to this chain, so it has no effect until it is referenced from INPUT." >
<rule num="0" logging="no" target="ACCEPT" custom_rule="no" uuid="{776e59c2-1940-48e0-8eb2-9f91a84435c6}" name="MyNET" enabled="yes" description="No Description Available" >
<ruleoption targetoption="no" type="ip_opt" uuid="{570f7dab-5384-4e2f-a530-b33375cead6e}" >
<ruleoptionvalue value0="192.168.0.0/24" />
<ruleoptionvalue value1="bool:off" />
<ruleoptionvalue value2="bool:off" />
<ruleoptionvalue value3="bool:off" />
<ruleoptionvalue value4="bool:off" />
<ruleoptionvalue value5="bool:off" />
<ruleoptionvalue value6="bool:off" />
<ruleoptionvalue value7="bool:off" />
<ruleoptionvalue value8="bool:off" />
<ruleoptionvalue value9="bool:off" />
</ruleoption>
</rule>
</chain>
</table>
<table uuid="{855aa6cf-d15d-4744-aede-5b93d07b128b}" name="nat" description="This table is made for every kind of
NAT (Network Address Translation)." >
<chain default_target="ACCEPT" builtin="yes" uuid="{3410f0f7-e203-4569-a857-dcf922125fa0}" name="OUTPUT" description="In this chain you can decide which
packets are allowed to be sent away
from this computer." />
<chain default_target="ACCEPT" builtin="yes" uuid="{e44c3748-6c56-4c17-be91-76dd12597593}" name="PREROUTING" description="..." />
<chain default_target="ACCEPT" builtin="yes" uuid="{1092717a-a346-4c75-9a16-a2ec8d749634}" name="POSTROUTING" description="..." />
</table>
<table uuid="{a4ef60e2-55fe-4c2c-bff8-3dacfa47caa4}" name="mangle" description="This table is made for altering packets." >
<chain default_target="ACCEPT" builtin="yes" uuid="{a990c3d6-75e1-49e9-922f-d31ea7d59ccd}" name="INPUT" description="In this chain you can filter packets that
are addressed directly to this computer." />
<chain default_target="ACCEPT" builtin="yes" uuid="{65910037-d1ab-4dfc-a5af-c46a32b20e99}" name="OUTPUT" description="In this chain you can decide which
packets are allowed to be sent away
from this computer." />
<chain default_target="ACCEPT" builtin="yes" uuid="{c5f40a03-9239-430c-aa1d-18a7a747f621}" name="FORWARD" description="In this chain you can filter the packets
that are routed to other hosts by this
computer." />
<chain default_target="ACCEPT" builtin="yes" uuid="{34509ced-a1d0-43ca-8bf3-e513cdde985b}" name="PREROUTING" description="..." />
<chain default_target="ACCEPT" builtin="yes" uuid="{1ee9514d-ed88-4607-a22f-6eb4780ca1d7}" name="POSTROUTING" description="..." />
</table>
</kmfrs>
</target>
</netzone>
</kmfnet>