#-----------------------------------------------------------------------------
# FIRERULE.CNF
#-----------------------------------------------------------------------------
#
# Location.: Firewall directory (may vary).
#
# Purpose..: Define "Access Control Rules" used by the F/X Firewall.
# Attributes not listed in the individual rules will get default
# values from the firerule file located in the base directory.
#
# Syntax...: Records begin in first position of a line. Attributes and Values
# are case-sensitive. Lines starting with '#' are comments.
# "Quote" strings / IP addresses, but NOT integers and constants.
#
# Help.....: Product docs and the matching .dct file (for the tech. inclined).
#
# Errors...: Written to 'FIREWALL.ERR' in the base directory.
#_____________________________________________________________________________
#-----------------------------------------------------------------------------#
# #
# SAMPLE SAMPLE SAMPLE SAMPLE SAMPLE SAMPLE SAMPLE SAMPLE SAMPLE SAMPLE #
# #
# Transparent access to and from NT Server with real IP address. #
# #
#-----------------------------------------------------------------------------#
# NT-SERVER_IN: Allow traffic from any Source to www.ntserver.com.
# No Service / Service-List attribute is given, so the set of matched ports
# comes from the defaults in the base-directory firerule file (see header);
# pin the services actually needed before switching Rule-Status to Enabled.
NT-SERVER_IN Rule-Status = Disabled,
Comment = "Internet ---> NT Server",
Source = "any",
Destination = "www.ntserver.com",
Rule-Action = Allow,
# NT-SERVER_OUT: reverse direction of NT-SERVER_IN -- Allow traffic from
# www.ntserver.com to any Destination. As above, no Service attribute is
# listed, so the port set is inherited from the base firerule defaults.
# The last attribute ends with a comma; most other samples in this file omit it.
NT-SERVER_OUT Rule-Status = Disabled,
Comment = "NT Server ---> Internet",
Source = "www.ntserver.com",
Destination = "any",
Rule-Action = Allow,
#-----------------------------------------------------------------------------#
# #
# SAMPLE SAMPLE SAMPLE SAMPLE SAMPLE SAMPLE SAMPLE SAMPLE SAMPLE SAMPLE #
# #
# Port and IP Address Redirection to lan-PC with domestic IP address. #
# #
#-----------------------------------------------------------------------------#
# PORTMAP-TELNET-IN: TELNET connections from any Source to
# firewall.company.com are redirected (Portmap) to 192.168.1.20, port WWW.
# With Source = "any" every external host can reach that internal service
# through the mapping; narrow Source before enabling this on a real network.
PORTMAP-TELNET-IN Rule-Status = Disabled,
Comment = "Map incoming Telnet to HTTP",
Source = "any",
Destination = "firewall.company.com",
Service = TELNET,
Rule-Action = Portmap,
Mapping-Dest-IP = "192.168.1.20",
Mapping-Dest-Port = WWW
# PORTMAP-TELNET-OUT: companion of PORTMAP-TELNET-IN -- traffic leaving
# 192.168.1.20 from Source-Port WWW is mapped back to TELNET (Mapping-Dest-Port).
# Keep this pair in step (same host, same ports) whenever either side changes.
PORTMAP-TELNET-OUT Rule-Status = Disabled,
Comment = "Map outgoing HTTP back to Telnet",
Source = "192.168.1.20",
Destination = "any",
Source-Port = WWW,
Rule-Action = Portmap,
Mapping-Dest-Port = TELNET
#-----------------------------------------------------------------------------#
# #
# SAMPLE SAMPLE SAMPLE SAMPLE SAMPLE SAMPLE SAMPLE SAMPLE SAMPLE SAMPLE #
# #
# Specifying a range of ports #
# #
# The samples in this section demonstrate the available options for #
# matching a selection of ports, using a combination of pre-defined #
# operators and actual port numbers (or resolvable service names). #
# #
# Note that when using NAT to provide services for internal LAN clients, #
# ports above 10000 must generally be left open at the Firewall PC. #
# #
#-----------------------------------------------------------------------------#
# PORT-RANGE: Deny ftp, smtp and pop3 to fx.dk from any Source.
# Service-List is a space-separated list of service names here.
# NOTE(review): three sample records in this file share the name PORT-RANGE;
# give each a unique name before enabling any of them, unless the .dct
# documents how duplicate rule names are handled.
PORT-RANGE Rule-Status = Disabled,
Comment = "Deny 3 ports",
Source = "any",
Destination = "fx.dk",
Service-List = "ftp smtp pop3",
Rule-Action = Deny
# PORT-RANGE (second record with this name): the '<' operator selects every
# port below 10000; such traffic to fx.dk from any Source is denied.
# NOTE(review): the name PORT-RANGE is reused by other samples in this file --
# rename before enabling.
PORT-RANGE Rule-Status = Disabled,
Comment = "Deny ports below 10000",
Source = "any",
Destination = "fx.dk",
Service-List = "<10000",
Rule-Action = Deny
# PORT-RANGE (third record with this name): "23:80" uses the ':' range
# operator; ports in that span to fx.dk from any Source are allowed.
# NOTE(review): the name PORT-RANGE is reused by other samples in this file --
# rename before enabling.
PORT-RANGE Rule-Status = Disabled,
Comment = "Allow range of ports",
Source = "any",
Destination = "fx.dk",
Service-List = "23:80",
Rule-Action = Allow
# MULTIPLE-RANGES: several space-separated ranges in one Service-List;
# range ends may be service names (ftp:telnet) or numbers (57:67, 150:999).
# Matching traffic to fx.dk from any Source is allowed.
MULTIPLE-RANGES Rule-Status = Disabled,
Comment = "Allow multiple ranges of ports",
Source = "any",
Destination = "fx.dk",
Service-List = "ftp:telnet 57:67 150:999",
Rule-Action = Allow
# DISABLE-ALL: the full range 0:65535 with www-http excluded via the '-'
# prefix (port 80 per the Comment); everything else to fx.dk from any Source
# is denied. Check that the name www-http resolves on the Firewall PC.
DISABLE-ALL Rule-Status = Disabled,
Comment = "Deny all ports, except 80",
Source = "any",
Destination = "fx.dk",
Service-List = "0:65535 -www-http",
Rule-Action = Deny
# PORT-HOLE: combines the '>' and '<' operators with a '-' exclusion,
# presumably yielding 1025..3999 minus 3000..3500 (confirm in the .dct how
# ">1024 <4000" combine). Matching traffic to cyberspace.dk from any Source
# is allowed.
PORT-HOLE Rule-Status = Disabled,
Comment = "Allow range of ports",
Source = "any",
Destination = "cyberspace.dk",
Service-List = ">1024 <4000 -3000:3500",
Rule-Action = Allow
#-----------------------------------------------------------------------------#
# #
# SAMPLE SAMPLE SAMPLE SAMPLE SAMPLE SAMPLE SAMPLE SAMPLE SAMPLE SAMPLE #
# #
# Accounting for a lan with IP addresses in the 192.168.1.x segment #
# #
#-----------------------------------------------------------------------------#
# ACCOUNT-IP-OUT: per-Source-IP accounting of outgoing traffic, written to
# the relative path firewall\acc\ip-usage (the same file ACCOUNT-IP-IN uses).
# NOTE(review): Source = "192.168.1.0" carries no netmask, unlike the
# Destination-Netmask given in ACCOUNT-IP-IN; whether this covers the whole
# 192.168.1.x segment depends on the base firerule default -- confirm against
# the .dct before relying on these figures.
ACCOUNT-IP-OUT Rule-Status = Disabled,
Comment = "Accounting per Source-IP (outgoing)",
Source = "192.168.1.0",
Destination = "any",
Rule-Action = Account,
Account-Control = Enabled,
Account-Type = Source-IP,
Account-File = "firewall\acc\ip-usage",
# ACCOUNT-IP-IN: per-Destination-IP accounting of incoming traffic to the
# 192.168.1.0/255.255.255.0 segment from any Source. Account-File is the
# same relative path as in ACCOUNT-IP-OUT, so both directions share one
# usage file; keep that file's directory write-protected from ordinary users.
ACCOUNT-IP-IN Rule-Status = Disabled,
Comment = "Accounting per Destination-IP (incoming)",
Destination = "192.168.1.0",
Destination-Netmask = "255.255.255.0",
Source = "any",
Rule-Action = Account,
Account-Control = Enabled,
Account-Type = Destination-IP,
Account-File = "firewall\acc\ip-usage"
#-----------------------------------------------------------------------------#
# #
# SAMPLE SAMPLE SAMPLE SAMPLE SAMPLE SAMPLE SAMPLE SAMPLE SAMPLE SAMPLE #
# #
# Logging all references to www.fx.dk #
# #
#-----------------------------------------------------------------------------#
LOG-FX.DK Rule-Status = Disabled,
Comment = "Log all references to fx.dk",
Source = "any",
Destination = "www.fx.dk",
Rule-Action = Log,
Log-Control = Enabled,
Log-File = "firewall\fx.dk",
Log-Mask = "rule date time msg prot source dest dump",