
netfilter example


The following code is an XSDL representation of the default ruleset shipped with the SuSEfirewall2 system in Novell openSUSE 10.0 OSS. The implementation of this source file may be reviewed at the following location: Netfilter Implementation.

<?xml version="1.0" encoding="US-ASCII"?>
<!--
  XSDL (Extensible Security Document Language) rendering of the default
  SuSEfirewall2 ruleset for openSUSE 10.0, per the page text.

  Layout of this document:
    DocumentInfo  : classification, change-control identities, access-control list
    Firewall/Iptables
      CommandGroup: default policies for the filter-table chains
      RuleGroup   : rules appended to the built-in input/forward/output chains
                    and to two user-defined chains, ExternalInput and RejectFunction

  Each <Append> presumably maps to an iptables append, so rules are evaluated
  in document order (sibling element order is significant in XML). That
  ordering is what makes the shadowing notes on InputRule1 and OutputRule1
  below relevant.

  The document carries no DOCTYPE, so there are no entity declarations to
  expand; consumers can (and should) parse it with DTD processing disabled.
-->
<SecureDocument xmlns="http://www.maitreyasecurity.com/namespaces/xsdl/0.0.1" xml:id="Sf2Opensuse10.0" xml:lang="en_US">
<!-- NOTE(review): xml:lang must be a BCP 47 language tag; "en_US" (underscore)
     is not a valid tag, the expected form is "en-US". Left unchanged here in
     case a consumer compares the literal value; fix at the source. -->
<!-- Document metadata. The AccessControl values read like rwx-style permission
     triplets (presumably: owner uid 0 read/write, group gid 0 read-only, others
     none, named uid 1000 read/write) - confirm against the XSDL schema. -->
<DocumentInfo classification="confidential">
<ClientId>00001</ClientId>
<SecurityManagement>
<ChangeControl>
<!-- "$Id$" is an unexpanded version-control keyword, so this copy records no
     revision identifier; a published copy should carry the expanded value. -->
<RevisionId>$Id$</RevisionId>
<Author>thomasrjones</Author>
<Reviewer>thomasrjones</Reviewer>
</ChangeControl>
<AccessControl>
<User uid="0">rw-</User>
<Group gid="0">r--</Group>
<Other>---</Other>
<NamedUser uid="1000">rw-</NamedUser>
</AccessControl>
</SecurityManagement>
</DocumentInfo>
<Firewall>
<Iptables>
<!-- Chain default policies: inbound and forwarded packets are dropped unless
     a rule accepts them; outbound packets are accepted by default. -->
<CommandGroup>
<Filter>
<Policy chain="input" policy="drop"/>
<Policy chain="forward" policy="drop"/>
<Policy chain="output" policy="accept"/>
</Filter>
</CommandGroup>
<RuleGroup>
<Filter>
<Append chain="input">
<!-- NOTE(review): as written this rule matches all protocols, any source and
     any destination and accepts, so every inbound packet is accepted here and
     InputRule2 to InputRule5 (and therefore the whole ExternalInput chain)
     are never reached. The upstream SuSEfirewall2 ruleset presumably limits
     its first INPUT rule to the loopback interface; that qualifier is not
     expressed in this document. Confirm whether XSDL 0.0.1 can express an
     interface match, or narrow this rule, before deploying. -->
<Rule xml:id="DefaultOpensuse10.0InputRule1">
<Protocol>
<All/>
</Protocol>
<Source>any</Source>
<Destination>any</Destination>
<Jump>
<Accept/>
</Jump>
</Rule>
<!-- Stateful accept: packets belonging to, or related to, an existing
     connection are allowed in regardless of protocol. -->
<Rule xml:id="DefaultOpensuse10.0InputRule2">
<Protocol>
<All>
<Match>
<State>
<Related/>
<Established/>
</State>
</Match>
</All>
</Protocol>
<Source>any</Source>
<Destination>any</Destination>
<Jump>
<Accept/>
</Jump>
</Rule>
<!-- Everything else is handed to the ExternalInput user chain (defined below).
     A packet only continues past this rule if that chain returns without a
     terminating verdict. -->
<Rule xml:id="DefaultOpensuse10.0InputRule3">
<Protocol>
<All/>
</Protocol>
<Source>any</Source>
<Destination>any</Destination>
<Jump>
<ExternalInput/>
</Jump>
</Rule>
<!-- Rate-limited logging (3 per minute, burst 5) of whatever falls through
     ExternalInput, with IP and TCP options included in the log line. The Limit
     match is what keeps unsolicited traffic from flooding the log. -->
<Rule xml:id="DefaultOpensuse10.0InputRule4">
<Protocol>
<All>
<Match>
<Limit>
<Limit-Rate>3/minute</Limit-Rate>
<Limit-Burst>5</Limit-Burst>
</Limit>
</Match>
</All>
</Protocol>
<Source>any</Source>
<Destination>any</Destination>
<Jump>
<Log>
<Log-Level>warning</Log-Level>
<Log-Prefix>SFW2-IN-ILL-TARGET</Log-Prefix>
<Log-Ip-Options/>
<Log-Tcp-Options/>
</Log>
</Jump>
</Rule>
<!-- Explicit final drop; redundant with the input policy but makes the
     intent visible in the rule list. -->
<Rule xml:id="DefaultOpensuse10.0InputRule5">
<Protocol>
<All/>
</Protocol>
<Source>any</Source>
<Destination>any</Destination>
<Jump>
<Drop/>
</Jump>
</Rule>
</Append>
<!-- Forward chain: nothing is accepted here. The only rule is a rate-limited
     log of forwarding attempts; the chain policy then drops them. -->
<Append chain="forward">
<Rule xml:id="DefaultOpensuse10.0ForwardRule1">
<Protocol>
<All>
<Match>
<Limit>
<Limit-Rate>3/minute</Limit-Rate>
<Limit-Burst>5</Limit-Burst>
</Limit>
</Match>
</All>
</Protocol>
<Source>any</Source>
<Destination>any</Destination>
<Jump>
<Log>
<Log-Level>warning</Log-Level>
<Log-Prefix>SFW2-FWD-ILL-ROUTING</Log-Prefix>
<Log-Ip-Options/>
<Log-Tcp-Options/>
</Log>
</Jump>
</Rule>
</Append>
<Append chain="output">
<!-- NOTE(review): same shadowing as InputRule1: an unconditional accept of
     all protocols from any to any means OutputRule2 and OutputRule3 can never
     match. The chain policy is already accept, so the practical loss is only
     the SFW2-OUT-ERROR logging; still, confirm the intended interface
     restriction with the original ruleset. -->
<Rule xml:id="DefaultOpensuse10.0OutputRule1">
<Protocol>
<All/>
</Protocol>
<Source>any</Source>
<Destination>any</Destination>
<Jump>
<Accept/>
</Jump>
</Rule>
<Rule xml:id="DefaultOpensuse10.0OutputRule2">
<Protocol>
<All>
<Match>
<State>
<Related/>
<Established/>
</State>
</Match>
</All>
</Protocol>
<Source>any</Source>
<Destination>any</Destination>
<Jump>
<Accept/>
</Jump>
</Rule>
<!-- Rate-limited log of outbound packets that are neither new-accepted above
     nor part of a tracked connection. -->
<Rule xml:id="DefaultOpensuse10.0OutputRule3">
<Protocol>
<All>
<Match>
<Limit>
<Limit-Rate>3/minute</Limit-Rate>
<Limit-Burst>5</Limit-Burst>
</Limit>
</Match>
</All>
</Protocol>
<Source>any</Source>
<Destination>any</Destination>
<Jump>
<Log>
<Log-Level>warning</Log-Level>
<Log-Prefix>SFW2-OUT-ERROR</Log-Prefix>
<Log-Ip-Options/>
<Log-Tcp-Options/>
</Log>
</Jump>
</Rule>
</Append>
<!-- User chain ExternalInput: classification of inbound packets that are not
     part of an existing connection. Order: drop broadcasts, accept a small
     set of ICMP, reject ident, log the rest by category, then drop. -->
<Append chain="ExternalInput">
<!-- Link-layer broadcasts are dropped silently (no log). -->
<Rule xml:id="DefaultOpensuse10.0ExternalInputRule1">
<Protocol>
<All>
<Match>
<Pkttype>broadcast</Pkttype>
</Match>
</All>
</Protocol>
<Source>any</Source>
<Destination>any</Destination>
<Jump>
<Drop/>
</Jump>
</Rule>
<!-- NOTE(review): ICMP source-quench is accepted from anywhere with no state
     match, unlike the reply-type ICMP rules below. Source quench is
     deprecated (RFC 6633) and modern stacks ignore it; dropping it removes an
     unauthenticated input. The value is also capitalised differently from
     the other Icmp-Type values; confirm the consumer treats names
     case-insensitively. -->
<Rule xml:id="DefaultOpensuse10.0ExternalInputRule2">
<Protocol>
<Icmp>
<Icmp-Type>Source-quench</Icmp-Type>
</Icmp>
</Protocol>
<Source>any</Source>
<Destination>any</Destination>
<Jump>
<Accept/>
</Jump>
</Rule>
<!-- Unconditional accept of echo-request: the host answers ping from any
     source. Intentional for a default ruleset; rate-limit or drop on hosts
     that should not be discoverable. -->
<Rule xml:id="DefaultOpensuse10.0ExternalInputRule3">
<Protocol>
<Icmp>
<Icmp-Type>echo-request</Icmp-Type>
</Icmp>
</Protocol>
<Source>any</Source>
<Destination>any</Destination>
<Jump>
<Accept/>
</Jump>
</Rule>
<!-- ExternalInputRule4 to ExternalInputRule11: reply/error ICMP types are
     accepted only when conntrack ties them to an existing connection
     (RELATED or ESTABLISHED). -->
<Rule xml:id="DefaultOpensuse10.0ExternalInputRule4">
<Protocol>
<Icmp>
<Icmp-Type>echo-reply</Icmp-Type>
<Match>
<State>
<Related/>
<Established/>
</State>
</Match>
</Icmp>
</Protocol>
<Source>any</Source>
<Destination>any</Destination>
<Jump>
<Accept/>
</Jump>
</Rule>
<Rule xml:id="DefaultOpensuse10.0ExternalInputRule5">
<Protocol>
<Icmp>
<Icmp-Type>destination-unreachable</Icmp-Type>
<Match>
<State>
<Related/>
<Established/>
</State>
</Match>
</Icmp>
</Protocol>
<Source>any</Source>
<Destination>any</Destination>
<Jump>
<Accept/>
</Jump>
</Rule>
<Rule xml:id="DefaultOpensuse10.0ExternalInputRule6">
<Protocol>
<Icmp>
<Icmp-Type>time-exceeded</Icmp-Type>
<Match>
<State>
<Related/>
<Established/>
</State>
</Match>
</Icmp>
</Protocol>
<Source>any</Source>
<Destination>any</Destination>
<Jump>
<Accept/>
</Jump>
</Rule>
<Rule xml:id="DefaultOpensuse10.0ExternalInputRule7">
<Protocol>
<Icmp>
<Icmp-Type>parameter-problem</Icmp-Type>
<Match>
<State>
<Related/>
<Established/>
</State>
</Match>
</Icmp>
</Protocol>
<Source>any</Source>
<Destination>any</Destination>
<Jump>
<Accept/>
</Jump>
</Rule>
<Rule xml:id="DefaultOpensuse10.0ExternalInputRule8">
<Protocol>
<Icmp>
<Icmp-Type>timestamp-reply</Icmp-Type>
<Match>
<State>
<Related/>
<Established/>
</State>
</Match>
</Icmp>
</Protocol>
<Source>any</Source>
<Destination>any</Destination>
<Jump>
<Accept/>
</Jump>
</Rule>
<Rule xml:id="DefaultOpensuse10.0ExternalInputRule9">
<Protocol>
<Icmp>
<Icmp-Type>address-mask-reply</Icmp-Type>
<Match>
<State>
<Related/>
<Established/>
</State>
</Match>
</Icmp>
</Protocol>
<Source>any</Source>
<Destination>any</Destination>
<Jump>
<Accept/>
</Jump>
</Rule>
<Rule xml:id="DefaultOpensuse10.0ExternalInputRule10">
<Protocol>
<Icmp>
<Icmp-Type>protocol-unreachable</Icmp-Type>
<Match>
<State>
<Related/>
<Established/>
</State>
</Match>
</Icmp>
</Protocol>
<Source>any</Source>
<Destination>any</Destination>
<Jump>
<Accept/>
</Jump>
</Rule>
<!-- NOTE(review): ICMP redirect can alter the host's routing. The state match
     narrows it, but a host that accepts redirects at the firewall should also
     disable them in the kernel (net.ipv4.conf.all.accept_redirects=0) unless
     redirects are genuinely needed on this network. -->
<Rule xml:id="DefaultOpensuse10.0ExternalInputRule11">
<Protocol>
<Icmp>
<Icmp-Type>redirect</Icmp-Type>
<Match>
<State>
<Related/>
<Established/>
</State>
</Match>
</Icmp>
</Protocol>
<Source>any</Source>
<Destination>any</Destination>
<Jump>
<Accept/>
</Jump>
</Rule>
<!-- New TCP connections to the ident port are answered via RejectFunction
     (a TCP reset, see below) rather than dropped, so remote ident lookups
     fail immediately instead of timing out. -->
<Rule xml:id="DefaultOpensuse10.0ExternalInputRule12">
<Protocol>
<Tcp>
<Destination-Port>ident</Destination-Port>
<Match>
<State>
<New/>
</State>
</Match>
</Tcp>
</Protocol>
<Source>any</Source>
<Destination>any</Destination>
<Jump>
<RejectFunction/>
</Jump>
</Rule>
<!-- TCP-flags match: of SYN, ACK, RST and FIN (the Mask entries set to 1),
     only ACK is set; i.e. a bare ACK segment that did not match the
     stateful rule earlier, presumably from a connection the tracker does not
     know. Logged here, dropped by ExternalInputRule17.
     NOTE(review): ExternalInputRule13 to ExternalInputRule16 log without a
     Limit match, unlike InputRule4; unsolicited traffic can therefore fill
     the log at line rate. Consider the same 3/minute limit here. -->
<Rule xml:id="DefaultOpensuse10.0ExternalInputRule13">
<Protocol>
<Tcp>
<Tcp-Flags>
<Mask>
<Syn>1</Syn>
<Ack>1</Ack>
<Rst>1</Rst>
<Psh>0</Psh>
<Urg>0</Urg>
<Fin>1</Fin>
<Res>0</Res>
</Mask>
<Set>
<Syn>0</Syn>
<Ack>1</Ack>
<Rst>0</Rst>
<Psh>0</Psh>
<Urg>0</Urg>
<Fin>0</Fin>
<Res>0</Res>
</Set>
</Tcp-Flags>
</Tcp>
</Protocol>
<Source>any</Source>
<Destination>any</Destination>
<Jump>
<Log>
<Log-Level>warning</Log-Level>
<Log-Prefix>SFW2-INext-DROP-DEFLT</Log-Prefix>
<Log-Ip-Options/>
<Log-Tcp-Options/>
</Log>
</Jump>
</Rule>
<!-- Any ICMP not accepted above is logged (unlimited, see note on Rule13). -->
<Rule xml:id="DefaultOpensuse10.0ExternalInputRule14">
<Protocol>
<Icmp/>
</Protocol>
<Source>any</Source>
<Destination>any</Destination>
<Jump>
<Log>
<Log-Level>warning</Log-Level>
<Log-Prefix>SFW2-INext-DROP-DEFLT</Log-Prefix>
<Log-Ip-Options/>
<Log-Tcp-Options/>
</Log>
</Jump>
</Rule>
<!-- All UDP is logged (unlimited, see note on Rule13). -->
<Rule xml:id="DefaultOpensuse10.0ExternalInputRule15">
<Protocol>
<Udp/>
</Protocol>
<Source>any</Source>
<Destination>any</Destination>
<Jump>
<Log>
<Log-Level>warning</Log-Level>
<Log-Prefix>SFW2-INext-DROP-DEFLT</Log-Prefix>
<Log-Ip-Options/>
<Log-Tcp-Options/>
</Log>
</Jump>
</Rule>
<!-- Packets conntrack classifies as INVALID get their own log prefix so they
     can be distinguished from ordinary unsolicited traffic. -->
<Rule xml:id="DefaultOpensuse10.0ExternalInputRule16">
<Protocol>
<All>
<Match>
<State>
<Invalid/>
</State>
</Match>
</All>
</Protocol>
<Source>any</Source>
<Destination>any</Destination>
<Jump>
<Log>
<Log-Level>warning</Log-Level>
<Log-Prefix>SFW2-INext-DROP-DEFLT-INV</Log-Prefix>
<Log-Ip-Options/>
<Log-Tcp-Options/>
</Log>
</Jump>
</Rule>
<!-- Terminating drop for everything that reached the end of ExternalInput;
     nothing returns to the input chain from here. -->
<Rule xml:id="DefaultOpensuse10.0ExternalInputRule17">
<Protocol>
<All/>
</Protocol>
<Source>any</Source>
<Destination>any</Destination>
<Jump>
<Drop/>
</Jump>
</Rule>
</Append>
<!-- User chain RejectFunction: protocol-appropriate active rejection.
     TCP gets a reset, UDP an ICMP port-unreachable, anything else an ICMP
     protocol-unreachable. -->
<Append chain="RejectFunction">
<Rule xml:id="DefaultOpensuse10.0RejectFunctionRule1">
<Protocol>
<Tcp/>
</Protocol>
<Source>any</Source>
<Destination>any</Destination>
<Jump>
<Reject>
<Reject-With>tcp-reset</Reject-With>
</Reject>
</Jump>
</Rule>
<Rule xml:id="DefaultOpensuse10.0RejectFunctionRule2">
<Protocol>
<Udp/>
</Protocol>
<Source>any</Source>
<Destination>any</Destination>
<Jump>
<Reject>
<Reject-With>icmp-port-unreachable</Reject-With>
</Reject>
</Jump>
</Rule>
<Rule xml:id="DefaultOpensuse10.0RejectFunctionRule3">
<Protocol>
<All/>
</Protocol>
<Source>any</Source>
<Destination>any</Destination>
<Jump>
<Reject>
<Reject-With>icmp-proto-unreachable</Reject-With>
</Reject>
</Jump>
</Rule>
</Append>
</Filter>
</RuleGroup>
</Iptables>
</Firewall>
</SecureDocument>