onkelbeh/fwbuilder
1
0
Fork 0
mirror of https://github.com/fwbuilder/fwbuilder synced 2026-03-22 19:27:13 +01:00
Code Issues Releases Wiki Activity

fixes #712 (ipt_mangle_only_rulesets option converted) fixes #713

Browse Source
This commit is contained in:
Vadim Kurland 2009-11-26 02:37:38 +00:00
parent 1572ef1fdb
commit 005507969c
18 changed files with 7049 additions and 8439 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
build_num
View File

@ -1 +1 @@
#define BUILD_NUM 1927
#define BUILD_NUM 1929

36
src/cisco_lib/NATCompiler_pix.cpp
View File

@ -195,6 +195,7 @@ list<triplet> NATCompiler_pix::findDNATForAddress(Address *src,
i!=final_ruleset->end(); ++i)
{
NATRule *rule=NATRule::cast(*i);
if (rule == NULL) continue; // skip RuleSetOptions object
switch (rule->getRuleType())
{
@ -409,36 +410,6 @@ bool NATCompiler_pix::verifyInterfaces::processNext()
{
NATRule *rule=getNext(); if (rule==NULL) return false;
tmp_queue.push_back(rule);
#ifdef WRONG_CHECK
if ( rule->getInt("nat_iface_orig")!=rule->getInt("nat_iface_trn") )
{
if (rule->getRuleType()==NATRule::SNAT)
{
Interface *iface1=
Interface::cast( rule->getRoot()->findInIndex(
rule->getInt("nat_iface_orig")) );
Interface *iface2=
Interface::cast( rule->getRoot()->findInIndex(
rule->getInt("nat_iface_trn")) );
if ( iface1->getSecurityLevel() <= iface2->getSecurityLevel() )
{
char lvl1[32];
char lvl2[32];
sprintf(lvl1,"%d",iface1->getSecurityLevel());
sprintf(lvl2,"%d",iface2->getSecurityLevel());
compiler->abort(
rule,
"Security level of internal interface "+
iface1->getName() + " (level "+ lvl1 +") "+
" set lower than that of external interface "+
iface2->getName() + " (level "+ lvl2 +") ");
}
}
}
#endif
return true;
}
@ -543,7 +514,8 @@ bool NATCompiler_pix::fillTranslatedSrv::processNext()
Service *osrv_o=compiler->getFirstOSrv(rule);
Service *tsrv_o=compiler->getFirstTSrv(rule);
if ( ! osrv_o->isAny() && tsrv_o->isAny() ) {
if ( ! osrv_o->isAny() && tsrv_o->isAny() )
{
RuleElementTSrv *tsrv=rule->getTSrv();
tsrv->addRef(osrv_o);
}
@ -888,7 +860,7 @@ bool NATCompiler_pix::createStaticCmd::processNext()
NATRule *rule=getNext(); if (rule==NULL) return false;
tmp_queue.push_back(rule);
if (rule->getRuleType()==NATRule::DNAT)
if (rule->getRuleType()==NATRule::DNAT)
{
Address *osrc=compiler->getFirstOSrc(rule); assert(osrc);
Address *odst=compiler->getFirstODst(rule); assert(odst);

1
src/compiler_lib/CompilerDriver.cpp
View File

@ -593,6 +593,7 @@ void CompilerDriver::findImportedRuleSets(Firewall *fw,
for (list<FWObject*>::iterator r=(*i)->begin(); r!=(*i)->end(); ++r)
{
Rule *rule = Rule::cast(*r);
if (rule == NULL) continue; // skip RuleSetOptions object
RuleSet *ruleset = rule->getBranch();
if (ruleset!=NULL && !ruleset->isChildOf(fw))

3
src/iptlib/CompilerDriver_ipt.cpp
View File

@ -64,6 +64,7 @@ void CompilerDriver_ipt::assignRuleSetChain(RuleSet *ruleset)
for (FWObject::iterator r=ruleset->begin(); r!=ruleset->end(); r++)
{
Rule *rule = Rule::cast(*r);
if (rule == NULL) continue; // skip RuleSetOptions object
if (rule->isDisabled()) continue;
//rule->setStr("parent_rule_num", parentRuleNum);
@ -90,6 +91,7 @@ void CompilerDriver_ipt::findBranchesInMangleTable(Firewall*,
r!=(*i)->end(); ++r)
{
PolicyRule *rule = PolicyRule::cast(*r);
if (rule == NULL) continue; // skip RuleSetOptions object
FWOptions *ruleopt = rule->getOptionsObject();
if (rule->getAction() == PolicyRule::Branch &&
ruleopt->getBool("ipt_branch_in_mangle"))
@ -99,6 +101,7 @@ void CompilerDriver_ipt::findBranchesInMangleTable(Firewall*,
br!=ruleset->end(); ++br)
{
Rule *b_rule = Rule::cast(*br);
if (b_rule == NULL) continue; // skip RuleSetOptions object
ruleopt = b_rule->getOptionsObject();
ruleopt->setBool("put_in_mangle_table", true);
}

4
src/iptlib/MangleTableCompiler_ipt.cpp
View File

@ -55,6 +55,7 @@ int MangleTableCompiler_ipt::prolog()
i!=combined_ruleset->end(); i++)
{
PolicyRule *r = PolicyRule::cast( *i );
if (r == NULL) continue; // skip RuleSetOptions object
FWOptions *ruleopt = r->getOptionsObject();
if (r->isDisabled()) continue;
if (r->getAction() == PolicyRule::Tag ||
@ -73,7 +74,8 @@ bool MangleTableCompiler_ipt::keepMangleTableRules::processNext()
string ruleset_name = compiler->getRuleSetName();
if (ipt_comp->isMangleOnlyRuleSet(ruleset_name))
FWOptions *rulesetopts = ipt_comp->getSourceRuleSet()->getOptionsObject();
if (rulesetopts->getBool("mangle_only_rule_set"))
tmp_queue.push_back(rule);
else
{

16
src/iptlib/PolicyCompiler_ipt.cpp
View File

@ -443,12 +443,6 @@ int PolicyCompiler_ipt::prolog()
FWOptions *fwopt = getCachedFwOpt();
istringstream is(fwopt->getStr("ipt_mangle_only_rulesets"));
std::copy(istream_iterator<string>(is),
istream_iterator<string>(),
back_inserter(mangle_only_rulesets));
// initialize counters for the standard chains
for (list<string>::const_iterator i =
PolicyCompiler_ipt::getStandardChains().begin();
@ -776,7 +770,8 @@ bool PolicyCompiler_ipt::dropMangleTableRules::processNext()
string ruleset_name = compiler->getRuleSetName();
if (ipt_comp->isMangleOnlyRuleSet(ruleset_name)) return true;
FWOptions *rulesetopts = ipt_comp->getSourceRuleSet()->getOptionsObject();
if (rulesetopts->getBool("mangle_only_rule_set")) return true;
if (rule->getAction() == PolicyRule::Tag ||
rule->getAction() == PolicyRule::Route ||
@ -4595,13 +4590,6 @@ bool PolicyCompiler_ipt::newIptables(const string &version)
XMLTools::version_compare(version, "1.2.6")>0);
}
bool PolicyCompiler_ipt::isMangleOnlyRuleSet(const string &ruleset_name)
{
return (std::find(mangle_only_rulesets.begin(),
mangle_only_rulesets.end(),
ruleset_name) != mangle_only_rulesets.end());
}
void PolicyCompiler_ipt::insertConntrackRule()
{
FWOptions* options = fw->getOptionsObject();

3
src/iptlib/PolicyCompiler_ipt.h
View File

@ -64,7 +64,6 @@ namespace fwcompiler
bool have_connmark;
bool have_connmark_in_output;
std::string my_table;
std::list<std::string> mangle_only_rulesets;
std::map<std::string, int> tmp_chain_no;
std::map<std::string, int> chain_usage_counter;
@ -1072,8 +1071,6 @@ namespace fwcompiler
bool haveConnMarkRules() { return have_connmark; }
bool haveConnMarkRulesInOutput() { return have_connmark_in_output; }
bool isMangleOnlyRuleSet(const std::string &rule_set_name);
std::list<std::string> getUsedChains();
};

701
test/iosacl/cluster-tests.fwb
View File

@ -1,20 +1,16 @@
<?xml version="1.0" encoding="utf-8"?>
<!DOCTYPE FWObjectDatabase SYSTEM "fwbuilder.dtd">
<FWObjectDatabase xmlns="http://www.fwbuilder.org/1.0/" version="13" lastModified="1253911075" id="root">
<FWObjectDatabase xmlns="http://www.fwbuilder.org/1.0/" version="15" lastModified="1253911075" id="root">
<Library id="sysid99" name="Deleted Objects" comment="" ro="False">
<ObjectRef ref="id2735X69605"/>
<ObjectRef ref="sysid0"/>
<ObjectRef ref="id2843X69605"/>
<StateSyncClusterGroup id="id3505X94039" type="conntrack" name="State Sync Group-1" comment="">
<ClusterGroupOptions/>
</StateSyncClusterGroup>
<FailoverClusterGroup id="id2719X89830" type="vrrp" name="cluster3:vrrp0:members" comment="">
<ClusterGroupOptions>
<Option name="vrrp_secret">vrrp_secret</Option>
<Option name="vrrp_vrid"></Option>
<Option name="vrrp_vrid"/>
</ClusterGroupOptions>
</FailoverClusterGroup>
<ServiceRef ref="sysid1"/>
<StateSyncClusterGroup id="id2762X92940" type="conntrack" name="State Sync Group-1" comment="">
<ClusterGroupOptions/>
</StateSyncClusterGroup>
@ -24,26 +20,24 @@
<StateSyncClusterGroup id="id2726X89830" type="conntrack" name="State sync group" comment="">
<ClusterGroupOptions/>
</StateSyncClusterGroup>
<ObjectRef ref="id10491X48869"/>
<ObjectRef ref="id10489X48869"/>
<Interface id="id10489X48869" dyn="False" label="" mgmt="False" security_level="0" unnum="False" unprotected="False" name="br0" comment="" ro="False">
<IPv4 id="id11790X48869" name="secuwall-1:br0:ip" comment="" ro="False" address="2.2.2.2" netmask="255.255.255.0"/>
<InterfaceOptions>
<Option name="iface_disablearp">False</Option>
<Option name="iface_disableboot">False</Option>
<Option name="iface_mtu">1500</Option>
<Option name="iface_options"></Option>
<Option name="iface_options"/>
<Option name="type">bridge</Option>
<Option name="vlan_id"></Option>
<Option name="vlan_id"/>
</InterfaceOptions>
<Interface id="id10491X48869" dyn="False" label="" security_level="0" unnum="False" unprotected="False" name="eth2" comment="" ro="False">
<InterfaceOptions>
<Option name="iface_disablearp">False</Option>
<Option name="iface_disableboot">False</Option>
<Option name="iface_mtu">1500</Option>
<Option name="iface_options"></Option>
<Option name="iface_options"/>
<Option name="type">ethernet</Option>
<Option name="vlan_id"></Option>
<Option name="vlan_id"/>
</InterfaceOptions>
</Interface>
<Interface id="id10493X48869" dyn="False" label="" security_level="0" unnum="False" unprotected="False" name="eth3" comment="" ro="False">
@ -80,7 +74,7 @@
<Option name="iface_disablearp">False</Option>
<Option name="iface_disableboot">False</Option>
<Option name="iface_mtu">1500</Option>
<Option name="iface_options"></Option>
<Option name="iface_options"/>
<Option name="type">8021q</Option>
<Option name="vlan_id">100</Option>
</InterfaceOptions>
@ -91,15 +85,11 @@
<Option name="iface_disablearp">False</Option>
<Option name="iface_disableboot">False</Option>
<Option name="iface_mtu">1500</Option>
<Option name="iface_options"></Option>
<Option name="iface_options"/>
<Option name="type">8021q</Option>
<Option name="vlan_id">101</Option>
</InterfaceOptions>
</Interface>
<ObjectRef ref="id3117X69605"/>
<ObjectRef ref="id3647X95766"/>
<ObjectRef ref="id3642X95766"/>
<ObjectRef ref="id3631X95766"/>
<Cluster id="id3631X95766" host_OS="openbsd" inactive="False" lastCompiled="1244758659" lastInstalled="0" lastModified="1244757366" platform="pf" name="pf_cluster_1" comment="" ro="False">
<NAT id="id3640X95766" name="NAT" comment="" ro="False" ipv4_rule_set="False" ipv6_rule_set="False" top_rule_set="True">
<NATRule id="id3162X39764" disabled="False" position="0" action="Translate" comment="">
@ -228,7 +218,9 @@
</TSrv>
<NATRuleOptions/>
</NATRule>
</NAT>
<RuleSetOptions/>
</NAT>
<Policy id="id3639X95766" name="Policy" comment="" ro="False" ipv4_rule_set="False" ipv6_rule_set="False" top_rule_set="True">
<PolicyRule id="id5954X26920" disabled="False" group="" log="False" position="0" action="Accept" direction="Both" comment="">
<Src neg="False">
@ -249,8 +241,7 @@
<PolicyRuleOptions>
<Option name="stateless">False</Option>
</PolicyRuleOptions>
</PolicyRule>
<PolicyRule id="id7136X39764" disabled="False" group="" log="False" position="1" action="Accept" direction="Both" comment="">
</PolicyRule><PolicyRule id="id7136X39764" disabled="False" group="" log="False" position="1" action="Accept" direction="Both" comment="">
<Src neg="False">
<ObjectRef ref="sysid0"/>
</Src>
@ -269,8 +260,7 @@
<PolicyRuleOptions>
<Option name="stateless">False</Option>
</PolicyRuleOptions>
</PolicyRule>
<PolicyRule id="id7162X39764" disabled="False" group="" log="False" position="2" action="Accept" direction="Both" comment="">
</PolicyRule><PolicyRule id="id7162X39764" disabled="False" group="" log="False" position="2" action="Accept" direction="Both" comment="">
<Src neg="False">
<ObjectRef ref="sysid0"/>
</Src>
@ -289,8 +279,7 @@
<PolicyRuleOptions>
<Option name="stateless">False</Option>
</PolicyRuleOptions>
</PolicyRule>
<PolicyRule id="id7149X39764" disabled="False" group="" log="False" position="3" action="Accept" direction="Inbound" comment="">
</PolicyRule><PolicyRule id="id7149X39764" disabled="False" group="" log="False" position="3" action="Accept" direction="Inbound" comment="">
<Src neg="False">
<ObjectRef ref="sysid0"/>
</Src>
@ -309,8 +298,7 @@
<PolicyRuleOptions>
<Option name="stateless">False</Option>
</PolicyRuleOptions>
</PolicyRule>
<PolicyRule id="id5942X26920" disabled="False" log="True" position="4" action="Deny" direction="Both" comment="">
</PolicyRule><PolicyRule id="id5942X26920" disabled="False" log="True" position="4" action="Deny" direction="Both" comment="">
<Src neg="False">
<ObjectRef ref="sysid0"/>
</Src>
@ -329,9 +317,10 @@
<PolicyRuleOptions>
<Option name="stateless">True</Option>
</PolicyRuleOptions>
</PolicyRule>
</Policy>
<Routing id="id3641X95766" name="Routing" comment="" ro="False" ipv4_rule_set="False" ipv6_rule_set="False" top_rule_set="True"/>
</PolicyRule><RuleSetOptions/></Policy>
<Routing id="id3641X95766" name="Routing" comment="" ro="False" ipv4_rule_set="False" ipv6_rule_set="False" top_rule_set="True"><RuleSetOptions/>
</Routing>
<Interface id="id3642X95766" dyn="False" label="pf_clsuter_1 carp0" mgmt="False" security_level="0" unnum="False" unprotected="False" name="carp0" comment="" ro="False">
<IPv4 id="id3647X95766" name="pf_cluster_1:carp0:ip" comment="" ro="False" address="172.24.0.1" netmask="255.255.255.0"/>
<IPv4 id="id16633X39764" name="pf_cluster_1:carp0:ip-1" comment="" ro="False" address="172.24.0.1" netmask="255.255.255.0"/>
@ -369,11 +358,15 @@
</ClusterGroupOptions>
</StateSyncClusterGroup>
</Cluster>
<ObjectRef ref="id2833X26920"/>
<Firewall id="id2827X26920" host_OS="openbsd" inactive="False" lastCompiled="0" lastInstalled="0" lastModified="1244783399" platform="pf" version="4.x" name="openbsd-1" comment="" ro="False">
<NAT id="id2831X26920" name="NAT" comment="" ro="False" ipv4_rule_set="False" ipv6_rule_set="False" top_rule_set="True"/>
<Policy id="id2830X26920" name="Policy" comment="" ro="False" ipv4_rule_set="False" ipv6_rule_set="False" top_rule_set="True"/>
<Routing id="id2832X26920" name="Routing" comment="" ro="False" ipv4_rule_set="False" ipv6_rule_set="False" top_rule_set="True"/>
<NAT id="id2831X26920" name="NAT" comment="" ro="False" ipv4_rule_set="False" ipv6_rule_set="False" top_rule_set="True"><RuleSetOptions/>
</NAT>
<Policy id="id2830X26920" name="Policy" comment="" ro="False" ipv4_rule_set="False" ipv6_rule_set="False" top_rule_set="True">
<RuleSetOptions/></Policy>
<Routing id="id2832X26920" name="Routing" comment="" ro="False" ipv4_rule_set="False" ipv6_rule_set="False" top_rule_set="True"><RuleSetOptions/>
</Routing>
<Interface id="id2833X26920" dyn="False" label="" security_level="0" unnum="False" unprotected="False" name="en0" comment="" ro="False">
<IPv4 id="id2834X26920" name="openbsd-1:en0:ip" comment="" ro="False" address="172.24.0.2" netmask="255.255.255.0"/>
<InterfaceOptions/>
@ -395,18 +388,18 @@
</Management>
<FirewallOptions>
<Option name="accept_new_tcp_with_no_syn">False</Option>
<Option name="activationCmd"></Option>
<Option name="admUser"></Option>
<Option name="altAddress"></Option>
<Option name="activationCmd"/>
<Option name="admUser"/>
<Option name="altAddress"/>
<Option name="check_shading">False</Option>
<Option name="cmdline"></Option>
<Option name="compiler"></Option>
<Option name="cmdline"/>
<Option name="compiler"/>
<Option name="configure_carp_interfaces">True</Option>
<Option name="configure_interfaces">True</Option>
<Option name="configure_pfsync_interfaces">True</Option>
<Option name="configure_vlan_interfaces">True</Option>
<Option name="debug">False</Option>
<Option name="epilog_script"></Option>
<Option name="epilog_script"/>
<Option name="fallback_log">False</Option>
<Option name="firewall_dir">/etc</Option>
<Option name="ignore_empty_groups">False</Option>
@ -415,11 +408,11 @@
<Option name="log_prefix">RULE %N -- %A </Option>
<Option name="loopback_interface">lo0</Option>
<Option name="manage_virtual_addr">True</Option>
<Option name="mgmt_addr"></Option>
<Option name="mgmt_addr"/>
<Option name="mgmt_ssh">False</Option>
<Option name="modulate_state">False</Option>
<Option name="openbsd_ip_forward">1</Option>
<Option name="output_file"></Option>
<Option name="output_file"/>
<Option name="pass_all_out">false</Option>
<Option name="pf_adaptive_end">0</Option>
<Option name="pf_adaptive_start">0</Option>
@ -439,7 +432,7 @@
<Option name="pf_limit_states">10000</Option>
<Option name="pf_limit_table_entries">0</Option>
<Option name="pf_limit_tables">0</Option>
<Option name="pf_optimization"></Option>
<Option name="pf_optimization"/>
<Option name="pf_other_first">0</Option>
<Option name="pf_other_multiple">0</Option>
<Option name="pf_other_single">0</Option>
@ -479,16 +472,20 @@
<Option name="pf_udp_multiple">0</Option>
<Option name="pf_udp_single">0</Option>
<Option name="prolog_place">fw_file</Option>
<Option name="prolog_script"></Option>
<Option name="scpArgs"></Option>
<Option name="sshArgs"></Option>
<Option name="prolog_script"/>
<Option name="scpArgs"/>
<Option name="sshArgs"/>
</FirewallOptions>
</Firewall>
<ObjectRef ref="id3346X26920"/>
<Firewall id="id3337X26920" host_OS="openbsd" inactive="False" lastCompiled="0" lastInstalled="0" lastModified="1244783399" platform="pf" version="4.x" name="openbsd-2" comment="" ro="False">
<NAT id="id3344X26920" name="NAT" comment="" ro="False" ipv4_rule_set="False" ipv6_rule_set="False" top_rule_set="True"/>
<Policy id="id3343X26920" name="Policy" comment="" ro="False" ipv4_rule_set="False" ipv6_rule_set="False" top_rule_set="True"/>
<Routing id="id3345X26920" name="Routing" comment="" ro="False" ipv4_rule_set="False" ipv6_rule_set="False" top_rule_set="True"/>
<NAT id="id3344X26920" name="NAT" comment="" ro="False" ipv4_rule_set="False" ipv6_rule_set="False" top_rule_set="True"><RuleSetOptions/>
</NAT>
<Policy id="id3343X26920" name="Policy" comment="" ro="False" ipv4_rule_set="False" ipv6_rule_set="False" top_rule_set="True">
<RuleSetOptions/></Policy>
<Routing id="id3345X26920" name="Routing" comment="" ro="False" ipv4_rule_set="False" ipv6_rule_set="False" top_rule_set="True"><RuleSetOptions/>
</Routing>
<Interface id="id3346X26920" dyn="False" label="" security_level="0" unnum="False" unprotected="False" name="en0" comment="" ro="False">
<IPv4 id="id3348X26920" name="openbsd-2:en0:ip" comment="" ro="False" address="172.24.0.3" netmask="255.255.255.0"/>
<InterfaceOptions/>
@ -504,18 +501,18 @@
</Management>
<FirewallOptions>
<Option name="accept_new_tcp_with_no_syn">False</Option>
<Option name="activationCmd"></Option>
<Option name="admUser"></Option>
<Option name="altAddress"></Option>
<Option name="activationCmd"/>
<Option name="admUser"/>
<Option name="altAddress"/>
<Option name="check_shading">False</Option>
<Option name="cmdline"></Option>
<Option name="compiler"></Option>
<Option name="cmdline"/>
<Option name="compiler"/>
<Option name="configure_carp_interfaces">True</Option>
<Option name="configure_interfaces">True</Option>
<Option name="configure_pfsync_interfaces">False</Option>
<Option name="configure_vlan_interfaces">False</Option>
<Option name="debug">False</Option>
<Option name="epilog_script"></Option>
<Option name="epilog_script"/>
<Option name="fallback_log">False</Option>
<Option name="firewall_dir">/etc</Option>
<Option name="ignore_empty_groups">False</Option>
@ -524,11 +521,11 @@
<Option name="log_prefix">RULE %N -- %A </Option>
<Option name="loopback_interface">lo0</Option>
<Option name="manage_virtual_addr">True</Option>
<Option name="mgmt_addr"></Option>
<Option name="mgmt_addr"/>
<Option name="mgmt_ssh">False</Option>
<Option name="modulate_state">False</Option>
<Option name="openbsd_ip_forward">1</Option>
<Option name="output_file"></Option>
<Option name="output_file"/>
<Option name="pass_all_out">false</Option>
<Option name="pf_adaptive_end">0</Option>
<Option name="pf_adaptive_start">0</Option>
@ -548,7 +545,7 @@
<Option name="pf_limit_states">10000</Option>
<Option name="pf_limit_table_entries">0</Option>
<Option name="pf_limit_tables">0</Option>
<Option name="pf_optimization"></Option>
<Option name="pf_optimization"/>
<Option name="pf_other_first">0</Option>
<Option name="pf_other_multiple">0</Option>
<Option name="pf_other_single">0</Option>
@ -588,15 +585,20 @@
<Option name="pf_udp_multiple">0</Option>
<Option name="pf_udp_single">0</Option>
<Option name="prolog_place">fw_file</Option>
<Option name="prolog_script"></Option>
<Option name="scpArgs"></Option>
<Option name="sshArgs"></Option>
<Option name="prolog_script"/>
<Option name="scpArgs"/>
<Option name="sshArgs"/>
</FirewallOptions>
</Firewall>
<Cluster id="id3867X13237" host_OS="linux24" lastCompiled="0" lastInstalled="0" lastModified="0" platform="iptables" name="vrrp_cluster_2" comment="" ro="False">
<NAT id="id3871X13237" name="NAT" comment="" ro="False" ipv4_rule_set="False" ipv6_rule_set="False" top_rule_set="True"/>
<Policy id="id3870X13237" name="Policy" comment="" ro="False" ipv4_rule_set="False" ipv6_rule_set="False" top_rule_set="True"/>
<Routing id="id3872X13237" name="Routing" comment="" ro="False" ipv4_rule_set="False" ipv6_rule_set="False" top_rule_set="True"/>
<NAT id="id3871X13237" name="NAT" comment="" ro="False" ipv4_rule_set="False" ipv6_rule_set="False" top_rule_set="True"><RuleSetOptions/>
</NAT>
<Policy id="id3870X13237" name="Policy" comment="" ro="False" ipv4_rule_set="False" ipv6_rule_set="False" top_rule_set="True">
<RuleSetOptions/></Policy>
<Routing id="id3872X13237" name="Routing" comment="" ro="False" ipv4_rule_set="False" ipv6_rule_set="False" top_rule_set="True"><RuleSetOptions/>
</Routing>
<Interface id="id3875X13237" dyn="False" label="" security_level="0" unnum="False" unprotected="False" name="vrrp0" comment="" ro="False">
<IPv4 id="id3876X13237" name="vrrp_cluster_2:vrrp0:ip" comment="" ro="False" address="1.1.1.1" netmask="255.255.255.0"/>
<InterfaceOptions>
@ -649,12 +651,15 @@
<Option name="type">ethernet</Option>
</InterfaceOptions>
</Interface>
<ObjectRef ref="id4030X2906"/>
<ObjectRef ref="id4033X2906"/>
<Firewall id="id4021X2906" host_OS="secuwall" inactive="False" lastCompiled="0" lastInstalled="0" lastModified="1244045700" platform="iptables" version="" name="secuwall-1" comment="This firewall has two interfaces. Eth0 faces outside and has a dynamic address; eth1 faces inside.&#10;Policy includes basic rules to permit unrestricted outbound access and anti-spoofing rules. Access to the firewall is permitted only from internal network and only using SSH. The firewall uses one of the machines on internal network for DNS. Internal network is configured with address 192.168.1.0/255.255.255.0" ro="False">
<NAT id="id4028X2906" name="NAT" comment="" ro="False" ipv4_rule_set="False" ipv6_rule_set="False" top_rule_set="True"/>
<Policy id="id4027X2906" name="Policy" comment="" ro="False" ipv4_rule_set="False" ipv6_rule_set="False" top_rule_set="True"/>
<Routing id="id4029X2906" name="Routing" comment="" ro="False" ipv4_rule_set="False" ipv6_rule_set="False" top_rule_set="True"/>
<NAT id="id4028X2906" name="NAT" comment="" ro="False" ipv4_rule_set="False" ipv6_rule_set="False" top_rule_set="True"><RuleSetOptions/>
</NAT>
<Policy id="id4027X2906" name="Policy" comment="" ro="False" ipv4_rule_set="False" ipv6_rule_set="False" top_rule_set="True">
<RuleSetOptions/></Policy>
<Routing id="id4029X2906" name="Routing" comment="" ro="False" ipv4_rule_set="False" ipv6_rule_set="False" top_rule_set="True"><RuleSetOptions/>
</Routing>
<Interface id="id4030X2906" dyn="False" label="" mgmt="False" security_level="0" unnum="False" unprotected="False" name="eth0" comment="" ro="False">
<IPv4 id="id4032X2906" name="secuwall-1:eth0:ip" comment="" ro="False" address="172.24.0.2" netmask="255.255.0.0"/>
<InterfaceOptions>
@ -668,9 +673,9 @@
<Option name="iface_disablearp">False</Option>
<Option name="iface_disableboot">False</Option>
<Option name="iface_mtu">1500</Option>
<Option name="iface_options"></Option>
<Option name="iface_options"/>
<Option name="type">ethernet</Option>
<Option name="vlan_id"></Option>
<Option name="vlan_id"/>
</InterfaceOptions>
</Interface>
<Interface id="id4038X2906" dyn="False" label="" mgmt="False" security_level="100" unnum="False" unprotected="False" name="lo" comment="" ro="False">
@ -688,28 +693,28 @@
<FirewallOptions>
<Option name="accept_established">True</Option>
<Option name="accept_new_tcp_with_no_syn">True</Option>
<Option name="action_on_reject"></Option>
<Option name="activationCmd"></Option>
<Option name="admUser"></Option>
<Option name="altAddress"></Option>
<Option name="action_on_reject"/>
<Option name="activationCmd"/>
<Option name="admUser"/>
<Option name="altAddress"/>
<Option name="bridging_fw">False</Option>
<Option name="check_shading">False</Option>
<Option name="clamp_mss_to_mtu">False</Option>
<Option name="classify_mark_terminating">False</Option>
<Option name="cmdline"></Option>
<Option name="compiler"></Option>
<Option name="cmdline"/>
<Option name="compiler"/>
<Option name="configure_interfaces">True</Option>
<Option name="debug">False</Option>
<Option name="drop_invalid">False</Option>
<Option name="eliminate_duplicates">true</Option>
<Option name="epilog_script"></Option>
<Option name="epilog_script"/>
<Option name="firewall_dir">/etc</Option>
<Option name="firewall_is_part_of_any_and_networks">True</Option>
<Option name="flush_and_set_default_policy">True</Option>
<Option name="freebsd_ip_forward">1</Option>
<Option name="ignore_empty_groups">False</Option>
<Option name="ipv4_6_order">ipv4_first</Option>
<Option name="limit_suffix"></Option>
<Option name="limit_suffix"/>
<Option name="limit_value">0</Option>
<Option name="linux24_ip_forward">1</Option>
<Option name="load_modules">True</Option>
@ -724,11 +729,11 @@
<Option name="loopback_interface">lo</Option>
<Option name="macosx_ip_forward">1</Option>
<Option name="manage_virtual_addr">True</Option>
<Option name="mgmt_addr"></Option>
<Option name="mgmt_addr"/>
<Option name="mgmt_ssh">False</Option>
<Option name="modules_dir">/lib/modules/`uname -r`/kernel/net/</Option>
<Option name="openbsd_ip_forward">1</Option>
<Option name="output_file"></Option>
<Option name="output_file"/>
<Option name="pf_limit_frags">5000</Option>
<Option name="pf_limit_states">10000</Option>
<Option name="pf_timeout_frag">30</Option>
@ -746,13 +751,13 @@
<Option name="pix_syslog_device_id_supported">false</Option>
<Option name="pix_use_acl_remarks">true</Option>
<Option name="prolog_place">top</Option>
<Option name="prolog_script"></Option>
<Option name="scpArgs"></Option>
<Option name="prolog_script"/>
<Option name="scpArgs"/>
<Option name="secuwall_add_files">False</Option>
<Option name="secuwall_add_files_dir">/opt/secuwall/templates/default</Option>
<Option name="secuwall_dns_reso1">files</Option>
<Option name="solaris_ip_forward">1</Option>
<Option name="sshArgs"></Option>
<Option name="sshArgs"/>
<Option name="ulog_cprange">0</Option>
<Option name="ulog_nlgroup">1</Option>
<Option name="ulog_qthreshold">1</Option>
@ -762,12 +767,15 @@
<Option name="verify_interfaces">True</Option>
</FirewallOptions>
</Firewall>
<ObjectRef ref="id4055X2906"/>
<ObjectRef ref="id4058X2906"/>
<Firewall id="id4046X2906" host_OS="secuwall" inactive="False" lastCompiled="0" lastInstalled="0" lastModified="1243788928" platform="iptables" version="" name="secuwall-2" comment="This firewall has two interfaces. Eth0 faces outside and has a dynamic address; eth1 faces inside.&#10;Policy includes basic rules to permit unrestricted outbound access and anti-spoofing rules. Access to the firewall is permitted only from internal network and only using SSH. The firewall uses one of the machines on internal network for DNS. Internal network is configured with address 192.168.1.0/255.255.255.0" ro="False">
<NAT id="id4053X2906" name="NAT" comment="" ro="False" ipv4_rule_set="False" ipv6_rule_set="False" top_rule_set="True"/>
<Policy id="id4052X2906" name="Policy" comment="" ro="False" ipv4_rule_set="False" ipv6_rule_set="False" top_rule_set="True"/>
<Routing id="id4054X2906" name="Routing" comment="" ro="False" ipv4_rule_set="False" ipv6_rule_set="False" top_rule_set="True"/>
<NAT id="id4053X2906" name="NAT" comment="" ro="False" ipv4_rule_set="False" ipv6_rule_set="False" top_rule_set="True"><RuleSetOptions/>
</NAT>
<Policy id="id4052X2906" name="Policy" comment="" ro="False" ipv4_rule_set="False" ipv6_rule_set="False" top_rule_set="True">
<RuleSetOptions/></Policy>
<Routing id="id4054X2906" name="Routing" comment="" ro="False" ipv4_rule_set="False" ipv6_rule_set="False" top_rule_set="True"><RuleSetOptions/>
</Routing>
<Interface id="id4055X2906" dyn="False" label="" mgmt="False" security_level="0" unnum="False" unprotected="False" name="eth0" comment="" ro="False">
<IPv4 id="id4057X2906" name="secuwall-2:eth0:ip" comment="" ro="False" address="172.24.0.3" netmask="255.255.0.0"/>
<InterfaceOptions>
@ -795,9 +803,9 @@
<Option name="iface_disablearp">False</Option>
<Option name="iface_disableboot">False</Option>
<Option name="iface_mtu">1500</Option>
<Option name="iface_options"></Option>
<Option name="iface_options"/>
<Option name="type">bonding</Option>
<Option name="vlan_id"></Option>
<Option name="vlan_id"/>
</InterfaceOptions>
<Interface id="id3807X49120" dyn="False" label="" security_level="0" unnum="False" unprotected="False" name="eth2" comment="" ro="False">
<InterfaceOptions>
@ -820,28 +828,28 @@
<FirewallOptions>
<Option name="accept_established">True</Option>
<Option name="accept_new_tcp_with_no_syn">True</Option>
<Option name="action_on_reject"></Option>
<Option name="activationCmd"></Option>
<Option name="admUser"></Option>
<Option name="altAddress"></Option>
<Option name="action_on_reject"/>
<Option name="activationCmd"/>
<Option name="admUser"/>
<Option name="altAddress"/>
<Option name="bridging_fw">False</Option>
<Option name="check_shading">False</Option>
<Option name="clamp_mss_to_mtu">False</Option>
<Option name="classify_mark_terminating">False</Option>
<Option name="cmdline"></Option>
<Option name="compiler"></Option>
<Option name="cmdline"/>
<Option name="compiler"/>
<Option name="configure_interfaces">True</Option>
<Option name="debug">False</Option>
<Option name="drop_invalid">False</Option>
<Option name="eliminate_duplicates">true</Option>
<Option name="epilog_script"></Option>
<Option name="epilog_script"/>
<Option name="firewall_dir">/etc</Option>
<Option name="firewall_is_part_of_any_and_networks">True</Option>
<Option name="flush_and_set_default_policy">True</Option>
<Option name="freebsd_ip_forward">1</Option>
<Option name="ignore_empty_groups">False</Option>
<Option name="ipv4_6_order">ipv4_first</Option>
<Option name="limit_suffix"></Option>
<Option name="limit_suffix"/>
<Option name="limit_value">0</Option>
<Option name="linux24_ip_forward">1</Option>
<Option name="load_modules">True</Option>
@ -856,11 +864,11 @@
<Option name="loopback_interface">lo</Option>
<Option name="macosx_ip_forward">1</Option>
<Option name="manage_virtual_addr">True</Option>
<Option name="mgmt_addr"></Option>
<Option name="mgmt_addr"/>
<Option name="mgmt_ssh">False</Option>
<Option name="modules_dir">/lib/modules/`uname -r`/kernel/net/</Option>
<Option name="openbsd_ip_forward">1</Option>
<Option name="output_file"></Option>
<Option name="output_file"/>
<Option name="pf_limit_frags">5000</Option>
<Option name="pf_limit_states">10000</Option>
<Option name="pf_timeout_frag">30</Option>
@ -878,13 +886,13 @@
<Option name="pix_syslog_device_id_supported">false</Option>
<Option name="pix_use_acl_remarks">true</Option>
<Option name="prolog_place">top</Option>
<Option name="prolog_script"></Option>
<Option name="scpArgs"></Option>
<Option name="prolog_script"/>
<Option name="scpArgs"/>
<Option name="secuwall_add_files">False</Option>
<Option name="secuwall_add_files_dir">/opt/secuwall/templates/default</Option>
<Option name="secuwall_dns_reso1">files</Option>
<Option name="solaris_ip_forward">1</Option>
<Option name="sshArgs"></Option>
<Option name="sshArgs"/>
<Option name="ulog_cprange">0</Option>
<Option name="ulog_nlgroup">1</Option>
<Option name="ulog_qthreshold">1</Option>
@ -894,9 +902,10 @@
<Option name="verify_interfaces">True</Option>
</FirewallOptions>
</Firewall>
<ObjectRef ref="id3799X36775"/>
<Firewall id="id3783X36775" host_OS="linux24" inactive="False" lastCompiled="1251482998" lastInstalled="0" lastModified="1251482982" platform="iptables" version="" name="linux-bonding-1" comment="VLAN and bonding interface configuration" ro="False">
<NAT id="id3817X36775" name="NAT" comment="" ro="False" ipv4_rule_set="False" ipv6_rule_set="False" top_rule_set="True"/>
<NAT id="id3817X36775" name="NAT" comment="" ro="False" ipv4_rule_set="False" ipv6_rule_set="False" top_rule_set="True"><RuleSetOptions/>
</NAT>
<Policy id="id3816X36775" name="Policy" comment="" ro="False" ipv4_rule_set="False" ipv6_rule_set="False" top_rule_set="True">
<PolicyRule id="id4355X56095" disabled="False" log="False" position="0" action="Accept" direction="Both" comment="">
<Src neg="False">
@ -917,9 +926,10 @@
<PolicyRuleOptions>
<Option name="stateless">False</Option>
</PolicyRuleOptions>
</PolicyRule>
</Policy>
<Routing id="id3818X36775" name="Routing" comment="" ro="False" ipv4_rule_set="False" ipv6_rule_set="False" top_rule_set="True"/>
</PolicyRule><RuleSetOptions/></Policy>
<Routing id="id3818X36775" name="Routing" comment="" ro="False" ipv4_rule_set="False" ipv6_rule_set="False" top_rule_set="True"><RuleSetOptions/>
</Routing>
<Interface id="id3789X36775" dyn="False" label="" mgmt="False" security_level="0" unnum="False" unprotected="False" name="eth0" comment="" ro="False">
<IPv4 id="id3794X36775" name="linux-bonding-1:eth0:ip" comment="" ro="False" address="172.24.0.2" netmask="255.255.0.0"/>
<InterfaceOptions>
@ -943,7 +953,7 @@
<InterfaceOptions>
<Option name="bonding_mode">blance xor</Option>
<Option name="bonding_policy">balance-xor</Option>
<Option name="bondng_driver_options"></Option>
<Option name="bondng_driver_options"/>
<Option name="dev_plus_vid">False</Option>
<Option name="dev_plus_vid_no_pad">False</Option>
<Option name="enable_stp">True</Option>
@ -973,12 +983,12 @@
<Interface id="id6778X41225" dyn="False" label="" security_level="0" unnum="False" unprotected="False" name="bond1.123" comment="" ro="False">
<IPv4 id="id16320X39036" name="linux-bonding-1:bond1:bond1.123:ip" comment="" ro="False" address="172.16.2.1" netmask="255.255.255.0"/>
<InterfaceOptions>
<Option name="bonding_policy"></Option>
<Option name="bondng_driver_options"></Option>
<Option name="bonding_policy"/>
<Option name="bondng_driver_options"/>
<Option name="enable_stp">False</Option>
<Option name="type">8021q</Option>
<Option name="vlan_id">123</Option>
<Option name="xmit_hash_policy"></Option>
<Option name="xmit_hash_policy"/>
</InterfaceOptions>
</Interface>
</Interface>
@ -1004,16 +1014,16 @@
<FirewallOptions>
<Option name="accept_established">True</Option>
<Option name="accept_new_tcp_with_no_syn">True</Option>
<Option name="action_on_reject"></Option>
<Option name="activationCmd"></Option>
<Option name="admUser"></Option>
<Option name="altAddress"></Option>
<Option name="action_on_reject"/>
<Option name="activationCmd"/>
<Option name="admUser"/>
<Option name="altAddress"/>
<Option name="bridging_fw">False</Option>
<Option name="check_shading">False</Option>
<Option name="clamp_mss_to_mtu">False</Option>
<Option name="classify_mark_terminating">False</Option>
<Option name="cmdline"></Option>
<Option name="compiler"></Option>
<Option name="cmdline"/>
<Option name="compiler"/>
<Option name="configure_bonding_interfaces">True</Option>
<Option name="configure_bridge_interfaces">True</Option>
<Option name="configure_interfaces">True</Option>
@ -1021,14 +1031,14 @@
<Option name="debug">False</Option>
<Option name="drop_invalid">False</Option>
<Option name="eliminate_duplicates">true</Option>
<Option name="epilog_script"></Option>
<Option name="epilog_script"/>
<Option name="firewall_dir">/etc</Option>
<Option name="firewall_is_part_of_any_and_networks">True</Option>
<Option name="flush_and_set_default_policy">True</Option>
<Option name="freebsd_ip_forward">1</Option>
<Option name="ignore_empty_groups">False</Option>
<Option name="ipv4_6_order">ipv4_first</Option>
<Option name="limit_suffix"></Option>
<Option name="limit_suffix"/>
<Option name="limit_value">0</Option>
<Option name="linux24_ip_forward">1</Option>
<Option name="load_modules">True</Option>
@ -1043,11 +1053,11 @@
<Option name="loopback_interface">lo</Option>
<Option name="macosx_ip_forward">1</Option>
<Option name="manage_virtual_addr">True</Option>
<Option name="mgmt_addr"></Option>
<Option name="mgmt_addr"/>
<Option name="mgmt_ssh">False</Option>
<Option name="modules_dir">/lib/modules/`uname -r`/kernel/net/</Option>
<Option name="openbsd_ip_forward">1</Option>
<Option name="output_file"></Option>
<Option name="output_file"/>
<Option name="pf_limit_frags">5000</Option>
<Option name="pf_limit_states">10000</Option>
<Option name="pf_timeout_frag">30</Option>
@ -1065,13 +1075,13 @@
<Option name="pix_syslog_device_id_supported">false</Option>
<Option name="pix_use_acl_remarks">true</Option>
<Option name="prolog_place">top</Option>
<Option name="prolog_script"></Option>
<Option name="scpArgs"></Option>
<Option name="prolog_script"/>
<Option name="scpArgs"/>
<Option name="secuwall_add_files">False</Option>
<Option name="secuwall_add_files_dir">/opt/secuwall/templates/default</Option>
<Option name="secuwall_dns_reso1">files</Option>
<Option name="solaris_ip_forward">1</Option>
<Option name="sshArgs"></Option>
<Option name="sshArgs"/>
<Option name="ulog_cprange">0</Option>
<Option name="ulog_nlgroup">1</Option>
<Option name="ulog_qthreshold">1</Option>
@ -1082,9 +1092,14 @@
</FirewallOptions>
</Firewall>
<Cluster id="id2708X89830" host_OS="secuwall" inactive="False" lastCompiled="1248541093" lastInstalled="0" lastModified="1244047289" platform="iptables" name="secuwall_cluster_1" comment="" ro="False">
<NAT id="id2712X89830" name="NAT" comment="" ro="False" ipv4_rule_set="False" ipv6_rule_set="False" top_rule_set="True"/>
<Policy id="id2711X89830" name="Policy" comment="" ro="False" ipv4_rule_set="False" ipv6_rule_set="False" top_rule_set="True"/>
<Routing id="id2713X89830" name="Routing" comment="" ro="False" ipv4_rule_set="False" ipv6_rule_set="False" top_rule_set="True"/>
<NAT id="id2712X89830" name="NAT" comment="" ro="False" ipv4_rule_set="False" ipv6_rule_set="False" top_rule_set="True"><RuleSetOptions/>
</NAT>
<Policy id="id2711X89830" name="Policy" comment="" ro="False" ipv4_rule_set="False" ipv6_rule_set="False" top_rule_set="True">
<RuleSetOptions/></Policy>
<Routing id="id2713X89830" name="Routing" comment="" ro="False" ipv4_rule_set="False" ipv6_rule_set="False" top_rule_set="True"><RuleSetOptions/>
</Routing>
<Interface id="id2716X89830" dyn="False" label="" security_level="0" unnum="False" unprotected="False" name="vrrp0" comment="" ro="False">
<IPv4 id="id2717X89830" name="cluster3:vrrp0:ip" comment="" ro="False" address="192.168.1.1" netmask="255.255.255.0"/>
<InterfaceOptions>
@ -1104,8 +1119,6 @@
<FirewallOptions/>
<StateSyncClusterGroup id="id2714X89830" master_iface="id4030X2906" type="conntrack" name="State Sync Group" comment=""/>
</Cluster>
<ObjectRef ref="id3441X13311"/>
<ObjectRef ref="id3462X13311"/>
<Cluster id="id3433X13311" host_OS="linux24" inactive="False" lastCompiled="1251482764" lastInstalled="0" lastModified="1253910805" platform="iptables" name="heartbeat_cluster_1" comment="This is an example of linux/heartbeat cluster with two policy rule sets. Branching rule in the top policy passes control to rule set to_fw, which is different in member firewalls. See ticket #372 for explanation.&#10;" ro="False">
<NAT id="id3587X13311" name="NAT" comment="" ro="False" ipv4_rule_set="False" ipv6_rule_set="False" top_rule_set="True">
<NATRule id="id3588X13311" disabled="False" position="0" action="Translate" comment="">
@ -1129,7 +1142,9 @@
</TSrv>
<NATRuleOptions/>
</NATRule>
</NAT>
<RuleSetOptions/>
</NAT>
<Policy id="id3465X13311" name="Policy" comment="" ro="False" ipv4_rule_set="False" ipv6_rule_set="False" top_rule_set="True">
<PolicyRule id="id3466X13311" disabled="False" group="" log="False" position="0" action="Accept" direction="Both" comment="">
<Src neg="False">
@ -1150,8 +1165,7 @@
<PolicyRuleOptions>
<Option name="stateless">False</Option>
</PolicyRuleOptions>
</PolicyRule>
<PolicyRule id="id3478X13311" disabled="False" log="True" position="1" action="Deny" direction="Inbound" comment="anti spoofing rule">
</PolicyRule><PolicyRule id="id3478X13311" disabled="False" log="True" position="1" action="Deny" direction="Inbound" comment="anti spoofing rule">
<Src neg="False">
<ObjectRef ref="id3DC75CE7-1"/>
<ObjectRef ref="id3433X13311"/>
@ -1169,8 +1183,7 @@
<IntervalRef ref="sysid2"/>
</When>
<PolicyRuleOptions/>
</PolicyRule>
<PolicyRule id="id3491X13311" disabled="False" log="False" position="2" action="Accept" direction="Both" comment="">
</PolicyRule><PolicyRule id="id3491X13311" disabled="False" log="False" position="2" action="Accept" direction="Both" comment="">
<Src neg="False">
<ObjectRef ref="sysid0"/>
</Src>
@ -1187,8 +1200,7 @@
<IntervalRef ref="sysid2"/>
</When>
<PolicyRuleOptions/>
</PolicyRule>
<PolicyRule id="id3503X13311" disabled="False" log="False" position="3" action="Accept" direction="Both" comment="SSH Access to firewall is permitted&#10;only from internal network">
</PolicyRule><PolicyRule id="id3503X13311" disabled="False" log="False" position="3" action="Accept" direction="Both" comment="SSH Access to firewall is permitted&#10;only from internal network">
<Src neg="False">
<ObjectRef ref="id3DC75CE7-1"/>
</Src>
@ -1205,8 +1217,7 @@
<IntervalRef ref="sysid2"/>
</When>
<PolicyRuleOptions/>
</PolicyRule>
<PolicyRule id="id3515X13311" disabled="False" group="" log="False" position="4" action="Accept" direction="Both" comment="SSH Access to firewall is permitted&#10;only from internal network">
</PolicyRule><PolicyRule id="id3515X13311" disabled="False" group="" log="False" position="4" action="Accept" direction="Both" comment="SSH Access to firewall is permitted&#10;only from internal network">
<Src neg="False">
<ObjectRef ref="id3DC75CE7-1"/>
</Src>
@ -1223,8 +1234,7 @@
<IntervalRef ref="sysid2"/>
</When>
<PolicyRuleOptions/>
</PolicyRule>
<PolicyRule id="id3527X13311" disabled="False" log="True" position="5" action="Accept" direction="Both" comment="Firewall uses one of the machines&#10;on internal network for DNS">
</PolicyRule><PolicyRule id="id3527X13311" disabled="False" log="True" position="5" action="Accept" direction="Both" comment="Firewall uses one of the machines&#10;on internal network for DNS">
<Src neg="False">
<ObjectRef ref="id3433X13311"/>
</Src>
@ -1241,8 +1251,7 @@
<IntervalRef ref="sysid2"/>
</When>
<PolicyRuleOptions/>
</PolicyRule>
<PolicyRule id="id4369X67939" disabled="False" group="" log="False" position="6" action="Branch" direction="Both" comment="branch rule set is different in members linux-1 and linux-2">
</PolicyRule><PolicyRule id="id4369X67939" disabled="False" group="" log="False" position="6" action="Branch" direction="Both" comment="branch rule set is different in members linux-1 and linux-2">
<Src neg="False">
<ObjectRef ref="sysid0"/>
</Src>
@ -1259,12 +1268,12 @@
<IntervalRef ref="sysid2"/>
</When>
<PolicyRuleOptions>
<Option name="action_on_reject"></Option>
<Option name="action_on_reject"/>
<Option name="branch_id">id6187X76214</Option>
<Option name="classify_str"></Option>
<Option name="classify_str"/>
<Option name="connlimit_masklen">0</Option>
<Option name="connlimit_value">0</Option>
<Option name="custom_str"></Option>
<Option name="custom_str"/>
<Option name="firewall_is_part_of_any_and_networks">False</Option>
<Option name="hashlimit_burst">0</Option>
<Option name="hashlimit_dstlimit">False</Option>
@ -1275,39 +1284,38 @@
<Option name="hashlimit_mode_dstport">False</Option>
<Option name="hashlimit_mode_srcip">False</Option>
<Option name="hashlimit_mode_srcport">False</Option>
<Option name="hashlimit_name"></Option>
<Option name="hashlimit_name"/>
<Option name="hashlimit_size">0</Option>
<Option name="hashlimit_suffix"></Option>
<Option name="hashlimit_suffix"/>
<Option name="hashlimit_value">0</Option>
<Option name="ipf_route_opt_addr"></Option>
<Option name="ipf_route_opt_if"></Option>
<Option name="ipf_route_opt_addr"/>
<Option name="ipf_route_opt_if"/>
<Option name="ipf_route_option">route_through</Option>
<Option name="ipfw_classify_method">2</Option>
<Option name="ipfw_pipe_port_num">0</Option>
<Option name="ipfw_pipe_queue_num">0</Option>
<Option name="ipt_branch_in_mangle">False</Option>
<Option name="ipt_continue">False</Option>
<Option name="ipt_gw"></Option>
<Option name="ipt_iif"></Option>
<Option name="ipt_gw"/>
<Option name="ipt_iif"/>
<Option name="ipt_mark_connections">False</Option>
<Option name="ipt_oif"></Option>
<Option name="ipt_oif"/>
<Option name="ipt_tee">False</Option>
<Option name="limit_burst">0</Option>
<Option name="limit_suffix"></Option>
<Option name="limit_suffix"/>
<Option name="limit_value">0</Option>
<Option name="log_level"></Option>
<Option name="log_prefix"></Option>
<Option name="log_level"/>
<Option name="log_prefix"/>
<Option name="pf_fastroute">False</Option>
<Option name="pf_route_load_option">none</Option>
<Option name="pf_route_opt_addr"></Option>
<Option name="pf_route_opt_if"></Option>
<Option name="pf_route_opt_addr"/>
<Option name="pf_route_opt_if"/>
<Option name="pf_route_option">none</Option>
<Option name="rule_name_accounting"></Option>
<Option name="rule_name_accounting"/>
<Option name="stateless">True</Option>
<Option name="ulog_nlgroup">1</Option>
</PolicyRuleOptions>
</PolicyRule>
<PolicyRule id="id3539X13311" disabled="False" log="True" position="7" action="Deny" direction="Both" comment="">
</PolicyRule><PolicyRule id="id3539X13311" disabled="False" log="True" position="7" action="Deny" direction="Both" comment="">
<Src neg="False">
<ObjectRef ref="sysid0"/>
</Src>
@ -1336,20 +1344,19 @@
<Option name="hashlimit_mode_dstport">False</Option>
<Option name="hashlimit_mode_srcip">False</Option>
<Option name="hashlimit_mode_srcport">False</Option>
<Option name="hashlimit_name"></Option>
<Option name="hashlimit_name"/>
<Option name="hashlimit_size">0</Option>
<Option name="hashlimit_suffix"></Option>
<Option name="hashlimit_suffix"/>
<Option name="hashlimit_value">0</Option>
<Option name="limit_burst">0</Option>
<Option name="limit_suffix"></Option>
<Option name="limit_suffix"/>
<Option name="limit_value">0</Option>
<Option name="log_level"></Option>
<Option name="log_prefix"></Option>
<Option name="log_level"/>
<Option name="log_prefix"/>
<Option name="stateless">True</Option>
<Option name="ulog_nlgroup">1</Option>
</PolicyRuleOptions>
</PolicyRule>
<PolicyRule id="id3551X13311" disabled="False" log="False" position="8" action="Accept" direction="Both" comment="">
</PolicyRule><PolicyRule id="id3551X13311" disabled="False" log="False" position="8" action="Accept" direction="Both" comment="">
<Src neg="False">
<ObjectRef ref="id3DC75CE7-1"/>
</Src>
@ -1366,8 +1373,7 @@
<IntervalRef ref="sysid2"/>
</When>
<PolicyRuleOptions/>
</PolicyRule>
<PolicyRule id="id3563X13311" disabled="False" log="True" position="9" action="Deny" direction="Both" comment="">
</PolicyRule><PolicyRule id="id3563X13311" disabled="False" log="True" position="9" action="Deny" direction="Both" comment="">
<Src neg="False">
<ObjectRef ref="sysid0"/>
</Src>
@ -1384,8 +1390,7 @@
<IntervalRef ref="sysid2"/>
</When>
<PolicyRuleOptions/>
</PolicyRule>
<PolicyRule id="id3575X13311" disabled="False" group="" log="True" position="10" action="Deny" direction="Both" comment="">
</PolicyRule><PolicyRule id="id3575X13311" disabled="False" group="" log="True" position="10" action="Deny" direction="Both" comment="">
<Src neg="False">
<ObjectRef ref="sysid0"/>
</Src>
@ -1404,9 +1409,9 @@
<PolicyRuleOptions>
<Option name="stateless">True</Option>
</PolicyRuleOptions>
</PolicyRule>
</Policy>
<Policy id="id6187X76214" name="to_fw" comment="this is a placeholder ruleset used in branching rule in Policy&#10;Member firewalls linux-1 and linux-2 have their own copy&#10;of the rule set with the same name which is used." ro="False" ipv4_rule_set="True" ipv6_rule_set="False" top_rule_set="False"/>
</PolicyRule><RuleSetOptions/></Policy>
<Policy id="id6187X76214" name="to_fw" comment="this is a placeholder ruleset used in branching rule in Policy&#10;Member firewalls linux-1 and linux-2 have their own copy&#10;of the rule set with the same name which is used." ro="False" ipv4_rule_set="True" ipv6_rule_set="False" top_rule_set="False">
<RuleSetOptions/></Policy>
<Routing id="id3602X13311" name="Routing" comment="" ro="False" ipv4_rule_set="False" ipv6_rule_set="False" top_rule_set="True">
<RoutingRule id="id97243X57559" disabled="False" metric="0" position="0" comment="">
<RDst neg="False">
@ -1420,7 +1425,9 @@
</RItf>
<RoutingRuleOptions/>
</RoutingRule>
</Routing>
<RuleSetOptions/>
</Routing>
<Interface id="id3441X13311" dyn="False" label="" mgmt="False" security_level="0" unnum="False" unprotected="False" name="eth0" comment="" ro="False">
<IPv4 id="id3448X13311" name="heartbeat_cluster_1:eth0:ip" comment="" ro="False" address="172.24.0.1" netmask="255.255.0.0"/>
<InterfaceOptions>
@ -1454,7 +1461,7 @@
</FailoverClusterGroup>
</Interface>
<FirewallOptions>
<Option name="ipt_mangle_only_rulesets"></Option>
<Option name="ipt_mangle_only_rulesets"/>
</FirewallOptions>
<StateSyncClusterGroup id="id3604X13311" master_iface="id2843X69605" type="conntrack" name="State Sync Group" comment="">
<ObjectRef ref="id2843X69605"/>
@ -1465,8 +1472,6 @@
</ClusterGroupOptions>
</StateSyncClusterGroup>
</Cluster>
<ObjectRef ref="id4408X28690"/>
<ObjectRef ref="id4430X28690"/>
<Cluster id="id4400X28690" host_OS="linux24" inactive="False" lastCompiled="1248555910" lastInstalled="0" lastModified="1253911350" platform="iptables" name="openais_cluster_1" comment="" ro="False">
<NAT id="id4568X28690" name="NAT" comment="" ro="False" ipv4_rule_set="False" ipv6_rule_set="False" top_rule_set="True">
<NATRule id="id4569X28690" disabled="False" position="0" action="Translate" comment="">
@ -1490,7 +1495,9 @@
</TSrv>
<NATRuleOptions/>
</NATRule>
</NAT>
<RuleSetOptions/>
</NAT>
<Policy id="id4434X28690" name="Policy" comment="" ro="False" ipv4_rule_set="False" ipv6_rule_set="False" top_rule_set="True">
<PolicyRule id="id4435X28690" disabled="False" group="" log="False" position="0" action="Accept" direction="Both" comment="">
<Src neg="False">
@ -1511,8 +1518,7 @@
<PolicyRuleOptions>
<Option name="stateless">False</Option>
</PolicyRuleOptions>
</PolicyRule>
<PolicyRule id="id4447X28690" disabled="False" log="True" position="1" action="Deny" direction="Inbound" comment="anti spoofing rule">
</PolicyRule><PolicyRule id="id4447X28690" disabled="False" log="True" position="1" action="Deny" direction="Inbound" comment="anti spoofing rule">
<Src neg="False">
<ObjectRef ref="id3DC75CE7-1"/>
<ObjectRef ref="id4400X28690"/>
@ -1530,8 +1536,7 @@
<IntervalRef ref="sysid2"/>
</When>
<PolicyRuleOptions/>
</PolicyRule>
<PolicyRule id="id4460X28690" disabled="False" log="False" position="2" action="Accept" direction="Both" comment="">
</PolicyRule><PolicyRule id="id4460X28690" disabled="False" log="False" position="2" action="Accept" direction="Both" comment="">
<Src neg="False">
<ObjectRef ref="sysid0"/>
</Src>
@ -1548,8 +1553,7 @@
<IntervalRef ref="sysid2"/>
</When>
<PolicyRuleOptions/>
</PolicyRule>
<PolicyRule id="id4472X28690" disabled="False" log="False" position="3" action="Accept" direction="Both" comment="SSH Access to firewall is permitted&#10;only from internal network">
</PolicyRule><PolicyRule id="id4472X28690" disabled="False" log="False" position="3" action="Accept" direction="Both" comment="SSH Access to firewall is permitted&#10;only from internal network">
<Src neg="False">
<ObjectRef ref="id3DC75CE7-1"/>
</Src>
@ -1566,8 +1570,7 @@
<IntervalRef ref="sysid2"/>
</When>
<PolicyRuleOptions/>
</PolicyRule>
<PolicyRule id="id4484X28690" disabled="False" group="" log="False" position="4" action="Accept" direction="Both" comment="SSH Access to firewall is permitted&#10;only from internal network">
</PolicyRule><PolicyRule id="id4484X28690" disabled="False" group="" log="False" position="4" action="Accept" direction="Both" comment="SSH Access to firewall is permitted&#10;only from internal network">
<Src neg="False">
<ObjectRef ref="id3DC75CE7-1"/>
</Src>
@ -1584,8 +1587,7 @@
<IntervalRef ref="sysid2"/>
</When>
<PolicyRuleOptions/>
</PolicyRule>
<PolicyRule id="id4496X28690" disabled="False" log="True" position="5" action="Accept" direction="Both" comment="Firewall uses one of the machines&#10;on internal network for DNS">
</PolicyRule><PolicyRule id="id4496X28690" disabled="False" log="True" position="5" action="Accept" direction="Both" comment="Firewall uses one of the machines&#10;on internal network for DNS">
<Src neg="False">
<ObjectRef ref="id4400X28690"/>
</Src>
@ -1602,8 +1604,7 @@
<IntervalRef ref="sysid2"/>
</When>
<PolicyRuleOptions/>
</PolicyRule>
<PolicyRule id="id4508X28690" disabled="False" group="" log="False" position="6" action="Deny" direction="Both" comment="">
</PolicyRule><PolicyRule id="id4508X28690" disabled="False" group="" log="False" position="6" action="Deny" direction="Both" comment="">
<Src neg="False">
<ObjectRef ref="sysid0"/>
</Src>
@ -1632,20 +1633,19 @@
<Option name="hashlimit_mode_dstport">False</Option>
<Option name="hashlimit_mode_srcip">False</Option>
<Option name="hashlimit_mode_srcport">False</Option>
<Option name="hashlimit_name"></Option>
<Option name="hashlimit_name"/>
<Option name="hashlimit_size">0</Option>
<Option name="hashlimit_suffix"></Option>
<Option name="hashlimit_suffix"/>
<Option name="hashlimit_value">0</Option>
<Option name="limit_burst">0</Option>
<Option name="limit_suffix"></Option>
<Option name="limit_suffix"/>
<Option name="limit_value">0</Option>
<Option name="log_level"></Option>
<Option name="log_prefix"></Option>
<Option name="log_level"/>
<Option name="log_prefix"/>
<Option name="stateless">True</Option>
<Option name="ulog_nlgroup">1</Option>
</PolicyRuleOptions>
</PolicyRule>
<PolicyRule id="id4520X28690" disabled="False" log="True" position="7" action="Deny" direction="Both" comment="">
</PolicyRule><PolicyRule id="id4520X28690" disabled="False" log="True" position="7" action="Deny" direction="Both" comment="">
<Src neg="False">
<ObjectRef ref="sysid0"/>
</Src>
@ -1674,20 +1674,19 @@
<Option name="hashlimit_mode_dstport">False</Option>
<Option name="hashlimit_mode_srcip">False</Option>
<Option name="hashlimit_mode_srcport">False</Option>
<Option name="hashlimit_name"></Option>
<Option name="hashlimit_name"/>
<Option name="hashlimit_size">0</Option>
<Option name="hashlimit_suffix"></Option>
<Option name="hashlimit_suffix"/>
<Option name="hashlimit_value">0</Option>
<Option name="limit_burst">0</Option>
<Option name="limit_suffix"></Option>
<Option name="limit_suffix"/>
<Option name="limit_value">0</Option>
<Option name="log_level"></Option>
<Option name="log_prefix"></Option>
<Option name="log_level"/>
<Option name="log_prefix"/>
<Option name="stateless">True</Option>
<Option name="ulog_nlgroup">1</Option>
</PolicyRuleOptions>
</PolicyRule>
<PolicyRule id="id4532X28690" disabled="False" log="False" position="8" action="Accept" direction="Both" comment="">
</PolicyRule><PolicyRule id="id4532X28690" disabled="False" log="False" position="8" action="Accept" direction="Both" comment="">
<Src neg="False">
<ObjectRef ref="id3DC75CE7-1"/>
</Src>
@ -1704,8 +1703,7 @@
<IntervalRef ref="sysid2"/>
</When>
<PolicyRuleOptions/>
</PolicyRule>
<PolicyRule id="id4544X28690" disabled="False" log="True" position="9" action="Deny" direction="Both" comment="">
</PolicyRule><PolicyRule id="id4544X28690" disabled="False" log="True" position="9" action="Deny" direction="Both" comment="">
<Src neg="False">
<ObjectRef ref="sysid0"/>
</Src>
@ -1722,8 +1720,7 @@
<IntervalRef ref="sysid2"/>
</When>
<PolicyRuleOptions/>
</PolicyRule>
<PolicyRule id="id4556X28690" disabled="False" group="" log="True" position="10" action="Deny" direction="Both" comment="">
</PolicyRule><PolicyRule id="id4556X28690" disabled="False" group="" log="True" position="10" action="Deny" direction="Both" comment="">
<Src neg="False">
<ObjectRef ref="sysid0"/>
</Src>
@ -1742,8 +1739,7 @@
<PolicyRuleOptions>
<Option name="stateless">True</Option>
</PolicyRuleOptions>
</PolicyRule>
</Policy>
</PolicyRule><RuleSetOptions/></Policy>
<Routing id="id4583X28690" name="Routing" comment="" ro="False" ipv4_rule_set="False" ipv6_rule_set="False" top_rule_set="True">
<RoutingRule id="id225294X57559" disabled="False" metric="0" position="0" comment="">
<RDst neg="False">
@ -1769,7 +1765,9 @@
</RItf>
<RoutingRuleOptions/>
</RoutingRule>
</Routing>
<RuleSetOptions/>
</Routing>
<Interface id="id4408X28690" dyn="False" label="" mgmt="False" security_level="0" unnum="False" unprotected="False" name="eth0" comment="" ro="False">
<IPv4 id="id4415X28690" name="heartbeat_cluster_1-1:eth0:ip" comment="" ro="False" address="172.24.0.1" netmask="255.255.0.0"/>
<InterfaceOptions>
@ -1814,9 +1812,6 @@
</ClusterGroupOptions>
</StateSyncClusterGroup>
</Cluster>
<ObjectRef ref="id2882X94039"/>
<ObjectRef ref="id2903X94039"/>
<ObjectRef ref="id2895X94039"/>
<Cluster id="id2772X94039" host_OS="linux24" inactive="False" lastCompiled="1248541095" lastInstalled="0" lastModified="1253911174" platform="iptables" name="vrrp_cluster_1" comment="" ro="False">
<NAT id="id2866X94039" name="NAT" comment="" ro="False" ipv4_rule_set="False" ipv6_rule_set="False" top_rule_set="True">
<NATRule id="id2867X94039" disabled="False" position="0" action="Translate" comment="">
@ -1840,7 +1835,9 @@
</TSrv>
<NATRuleOptions/>
</NATRule>
</NAT>
<RuleSetOptions/>
</NAT>
<Policy id="id2780X94039" name="Policy" comment="" ro="False" ipv4_rule_set="False" ipv6_rule_set="False" top_rule_set="True">
<PolicyRule id="id3055X14356" disabled="False" group="" log="False" position="0" action="Accept" direction="Both" comment="">
<Src neg="False">
@ -1861,8 +1858,7 @@
<PolicyRuleOptions>
<Option name="stateless">False</Option>
</PolicyRuleOptions>
</PolicyRule>
<PolicyRule id="id2781X94039" disabled="False" log="True" position="1" action="Deny" direction="Inbound" comment="anti spoofing rule">
</PolicyRule><PolicyRule id="id2781X94039" disabled="False" log="True" position="1" action="Deny" direction="Inbound" comment="anti spoofing rule">
<Src neg="False">
<ObjectRef ref="id3DC75CE7-1"/>
<ObjectRef ref="id2772X94039"/>
@ -1880,8 +1876,7 @@
<IntervalRef ref="sysid2"/>
</When>
<PolicyRuleOptions/>
</PolicyRule>
<PolicyRule id="id2794X94039" disabled="False" log="False" position="2" action="Accept" direction="Both" comment="">
</PolicyRule><PolicyRule id="id2794X94039" disabled="False" log="False" position="2" action="Accept" direction="Both" comment="">
<Src neg="False">
<ObjectRef ref="sysid0"/>
</Src>
@ -1898,8 +1893,7 @@
<IntervalRef ref="sysid2"/>
</When>
<PolicyRuleOptions/>
</PolicyRule>
<PolicyRule id="id2806X94039" disabled="False" log="False" position="3" action="Accept" direction="Both" comment="SSH Access to firewall is permitted&#10;only from internal network">
</PolicyRule><PolicyRule id="id2806X94039" disabled="False" log="False" position="3" action="Accept" direction="Both" comment="SSH Access to firewall is permitted&#10;only from internal network">
<Src neg="False">
<ObjectRef ref="id3DC75CE7-1"/>
</Src>
@ -1916,8 +1910,7 @@
<IntervalRef ref="sysid2"/>
</When>
<PolicyRuleOptions/>
</PolicyRule>
<PolicyRule id="id3725X2234" disabled="False" group="" log="False" position="4" action="Accept" direction="Both" comment="SSH Access to firewall is permitted&#10;only from internal network">
</PolicyRule><PolicyRule id="id3725X2234" disabled="False" group="" log="False" position="4" action="Accept" direction="Both" comment="SSH Access to firewall is permitted&#10;only from internal network">
<Src neg="False">
<ObjectRef ref="id3DC75CE7-1"/>
</Src>
@ -1934,8 +1927,7 @@
<IntervalRef ref="sysid2"/>
</When>
<PolicyRuleOptions/>
</PolicyRule>
<PolicyRule id="id2818X94039" disabled="False" log="True" position="5" action="Accept" direction="Both" comment="Firewall uses one of the machines&#10;on internal network for DNS">
</PolicyRule><PolicyRule id="id2818X94039" disabled="False" log="True" position="5" action="Accept" direction="Both" comment="Firewall uses one of the machines&#10;on internal network for DNS">
<Src neg="False">
<ObjectRef ref="id2772X94039"/>
</Src>
@ -1952,8 +1944,7 @@
<IntervalRef ref="sysid2"/>
</When>
<PolicyRuleOptions/>
</PolicyRule>
<PolicyRule id="id2830X94039" disabled="False" log="True" position="6" action="Deny" direction="Both" comment="All other attempts to connect to&#10;the firewall are denied and logged">
</PolicyRule><PolicyRule id="id2830X94039" disabled="False" log="True" position="6" action="Deny" direction="Both" comment="All other attempts to connect to&#10;the firewall are denied and logged">
<Src neg="False">
<ObjectRef ref="sysid0"/>
</Src>
@ -1982,20 +1973,19 @@
<Option name="hashlimit_mode_dstport">False</Option>
<Option name="hashlimit_mode_srcip">False</Option>
<Option name="hashlimit_mode_srcport">False</Option>
<Option name="hashlimit_name"></Option>
<Option name="hashlimit_name"/>
<Option name="hashlimit_size">0</Option>
<Option name="hashlimit_suffix"></Option>
<Option name="hashlimit_suffix"/>
<Option name="hashlimit_value">0</Option>
<Option name="limit_burst">0</Option>
<Option name="limit_suffix"></Option>
<Option name="limit_suffix"/>
<Option name="limit_value">0</Option>
<Option name="log_level"></Option>
<Option name="log_prefix"></Option>
<Option name="log_level"/>
<Option name="log_prefix"/>
<Option name="stateless">True</Option>
<Option name="ulog_nlgroup">1</Option>
</PolicyRuleOptions>
</PolicyRule>
<PolicyRule id="id2842X94039" disabled="False" log="False" position="7" action="Accept" direction="Both" comment="">
</PolicyRule><PolicyRule id="id2842X94039" disabled="False" log="False" position="7" action="Accept" direction="Both" comment="">
<Src neg="False">
<ObjectRef ref="id3DC75CE7-1"/>
</Src>
@ -2012,8 +2002,7 @@
<IntervalRef ref="sysid2"/>
</When>
<PolicyRuleOptions/>
</PolicyRule>
<PolicyRule id="id2854X94039" disabled="False" log="True" position="8" action="Deny" direction="Both" comment="">
</PolicyRule><PolicyRule id="id2854X94039" disabled="False" log="True" position="8" action="Deny" direction="Both" comment="">
<Src neg="False">
<ObjectRef ref="sysid0"/>
</Src>
@ -2030,8 +2019,7 @@
<IntervalRef ref="sysid2"/>
</When>
<PolicyRuleOptions/>
</PolicyRule>
<PolicyRule id="id3087X2234" disabled="False" group="" log="True" position="9" action="Deny" direction="Both" comment="">
</PolicyRule><PolicyRule id="id3087X2234" disabled="False" group="" log="True" position="9" action="Deny" direction="Both" comment="">
<Src neg="False">
<ObjectRef ref="sysid0"/>
</Src>
@ -2050,8 +2038,7 @@
<PolicyRuleOptions>
<Option name="stateless">True</Option>
</PolicyRuleOptions>
</PolicyRule>
</Policy>
</PolicyRule><RuleSetOptions/></Policy>
<Routing id="id2881X94039" name="Routing" comment="" ro="False" ipv4_rule_set="False" ipv6_rule_set="False" top_rule_set="True">
<RoutingRule id="id146086X57559" disabled="False" metric="0" position="0" comment="">
<RDst neg="False">
@ -2077,7 +2064,9 @@
</RItf>
<RoutingRuleOptions/>
</RoutingRule>
</Routing>
<RuleSetOptions/>
</Routing>
<Interface id="id2882X94039" dyn="False" label="" security_level="0" unnum="False" unprotected="False" name="vrrp0" comment="" ro="False">
<IPv4 id="id2889X94039" name="cluster1-1:vrrp0:ip" comment="" ro="False" address="172.24.0.1" netmask="255.255.0.0"/>
<InterfaceOptions>
@ -2111,9 +2100,6 @@
<ClusterGroupOptions/>
</StateSyncClusterGroup>
</Cluster>
<ObjectRef ref="id3945X13563"/>
<ObjectRef ref="id3953X13563"/>
<ObjectRef ref="id3955X13563"/>
<Cluster id="id3937X13563" host_OS="linux24" lastCompiled="1248541096" lastInstalled="0" lastModified="1251419063" platform="iptables" name="vrrp_cluster_2" comment="" ro="False">
<NAT id="id3941X13563" name="NAT" comment="" ro="False" ipv4_rule_set="False" ipv6_rule_set="False" top_rule_set="True">
<NATRule id="id5083X25627" disabled="False" position="0" action="Translate" comment="">
@ -2137,7 +2123,9 @@
</TSrv>
<NATRuleOptions/>
</NATRule>
</NAT>
<RuleSetOptions/>
</NAT>
<Policy id="id3940X13563" name="Policy" comment="" ro="False" ipv4_rule_set="False" ipv6_rule_set="False" top_rule_set="True">
<PolicyRule id="id5257X25627" disabled="False" group="" log="False" position="0" action="Accept" direction="Both" comment="">
<Src neg="False">
@ -2158,8 +2146,7 @@
<PolicyRuleOptions>
<Option name="stateless">False</Option>
</PolicyRuleOptions>
</PolicyRule>
<PolicyRule id="id5239X25627" disabled="False" log="True" position="1" action="Deny" direction="Inbound" comment="anti spoofing rule">
</PolicyRule><PolicyRule id="id5239X25627" disabled="False" log="True" position="1" action="Deny" direction="Inbound" comment="anti spoofing rule">
<Src neg="False">
<ObjectRef ref="id3DC75CE7-1"/>
<ObjectRef ref="id3937X13563"/>
@ -2177,8 +2164,7 @@
<IntervalRef ref="sysid2"/>
</When>
<PolicyRuleOptions/>
</PolicyRule>
<PolicyRule id="id5222X25627" disabled="False" log="False" position="2" action="Accept" direction="Both" comment="">
</PolicyRule><PolicyRule id="id5222X25627" disabled="False" log="False" position="2" action="Accept" direction="Both" comment="">
<Src neg="False">
<ObjectRef ref="sysid0"/>
</Src>
@ -2195,8 +2181,7 @@
<IntervalRef ref="sysid2"/>
</When>
<PolicyRuleOptions/>
</PolicyRule>
<PolicyRule id="id5205X25627" disabled="False" log="False" position="3" action="Accept" direction="Both" comment="SSH Access to firewall is permitted&#10;only from internal network">
</PolicyRule><PolicyRule id="id5205X25627" disabled="False" log="False" position="3" action="Accept" direction="Both" comment="SSH Access to firewall is permitted&#10;only from internal network">
<Src neg="False">
<ObjectRef ref="id3DC75CE7-1"/>
</Src>
@ -2213,8 +2198,7 @@
<IntervalRef ref="sysid2"/>
</When>
<PolicyRuleOptions/>
</PolicyRule>
<PolicyRule id="id5188X25627" disabled="False" group="" log="False" position="4" action="Accept" direction="Both" comment="SSH Access to firewall is permitted&#10;only from internal network">
</PolicyRule><PolicyRule id="id5188X25627" disabled="False" group="" log="False" position="4" action="Accept" direction="Both" comment="SSH Access to firewall is permitted&#10;only from internal network">
<Src neg="False">
<ObjectRef ref="id3DC75CE7-1"/>
</Src>
@ -2231,8 +2215,7 @@
<IntervalRef ref="sysid2"/>
</When>
<PolicyRuleOptions/>
</PolicyRule>
<PolicyRule id="id5171X25627" disabled="False" log="True" position="5" action="Accept" direction="Both" comment="Firewall uses one of the machines&#10;on internal network for DNS">
</PolicyRule><PolicyRule id="id5171X25627" disabled="False" log="True" position="5" action="Accept" direction="Both" comment="Firewall uses one of the machines&#10;on internal network for DNS">
<Src neg="False">
<ObjectRef ref="id3937X13563"/>
</Src>
@ -2249,8 +2232,7 @@
<IntervalRef ref="sysid2"/>
</When>
<PolicyRuleOptions/>
</PolicyRule>
<PolicyRule id="id5154X25627" disabled="False" log="True" position="6" action="Deny" direction="Both" comment="All other attempts to connect to&#10;the firewall are denied and logged">
</PolicyRule><PolicyRule id="id5154X25627" disabled="False" log="True" position="6" action="Deny" direction="Both" comment="All other attempts to connect to&#10;the firewall are denied and logged">
<Src neg="False">
<ObjectRef ref="sysid0"/>
</Src>
@ -2279,20 +2261,19 @@
<Option name="hashlimit_mode_dstport">False</Option>
<Option name="hashlimit_mode_srcip">False</Option>
<Option name="hashlimit_mode_srcport">False</Option>
<Option name="hashlimit_name"></Option>
<Option name="hashlimit_name"/>
<Option name="hashlimit_size">0</Option>
<Option name="hashlimit_suffix"></Option>
<Option name="hashlimit_suffix"/>
<Option name="hashlimit_value">0</Option>
<Option name="limit_burst">0</Option>
<Option name="limit_suffix"></Option>
<Option name="limit_suffix"/>
<Option name="limit_value">0</Option>
<Option name="log_level"></Option>
<Option name="log_prefix"></Option>
<Option name="log_level"/>
<Option name="log_prefix"/>
<Option name="stateless">True</Option>
<Option name="ulog_nlgroup">1</Option>
</PolicyRuleOptions>
</PolicyRule>
<PolicyRule id="id5137X25627" disabled="False" log="False" position="7" action="Accept" direction="Both" comment="">
</PolicyRule><PolicyRule id="id5137X25627" disabled="False" log="False" position="7" action="Accept" direction="Both" comment="">
<Src neg="False">
<ObjectRef ref="id3DC75CE7-1"/>
</Src>
@ -2309,8 +2290,7 @@
<IntervalRef ref="sysid2"/>
</When>
<PolicyRuleOptions/>
</PolicyRule>
<PolicyRule id="id5120X25627" disabled="False" log="True" position="8" action="Deny" direction="Both" comment="">
</PolicyRule><PolicyRule id="id5120X25627" disabled="False" log="True" position="8" action="Deny" direction="Both" comment="">
<Src neg="False">
<ObjectRef ref="sysid0"/>
</Src>
@ -2327,8 +2307,7 @@
<IntervalRef ref="sysid2"/>
</When>
<PolicyRuleOptions/>
</PolicyRule>
<PolicyRule id="id5103X25627" disabled="False" group="" log="True" position="9" action="Deny" direction="Both" comment="">
</PolicyRule><PolicyRule id="id5103X25627" disabled="False" group="" log="True" position="9" action="Deny" direction="Both" comment="">
<Src neg="False">
<ObjectRef ref="sysid0"/>
</Src>
@ -2347,9 +2326,10 @@
<PolicyRuleOptions>
<Option name="stateless">True</Option>
</PolicyRuleOptions>
</PolicyRule>
</Policy>
<Routing id="id3942X13563" name="Routing" comment="" ro="False" ipv4_rule_set="False" ipv6_rule_set="False" top_rule_set="True"/>
</PolicyRule><RuleSetOptions/></Policy>
<Routing id="id3942X13563" name="Routing" comment="" ro="False" ipv4_rule_set="False" ipv6_rule_set="False" top_rule_set="True"><RuleSetOptions/>
</Routing>
<Interface id="id3945X13563" dyn="False" label="" security_level="0" unnum="False" unprotected="False" name="vrrp0" comment="" ro="False">
<IPv4 id="id3946X13563" name="vrrp_cluster_2:vrrp0:ip" comment="" ro="False" address="172.24.0.1" netmask="255.255.255.0"/>
<InterfaceOptions>
@ -2392,9 +2372,14 @@
</StateSyncClusterGroup>
</Cluster>
<Firewall id="id3095X82837" host_OS="linux24" inactive="False" lastCompiled="1248541097" lastInstalled="0" lastModified="1244071962" platform="iptables" version="" name="gw1-bridge" comment="This firewall has two interfaces. Eth0 faces outside and has a dynamic address; eth1 faces inside.&#10;Policy includes basic rules to permit unrestricted outbound access and anti-spoofing rules. Access to the firewall is permitted only from internal network and only using SSH. The firewall uses one of the machines on internal network for DNS. Internal network is configured with address 192.168.1.0/255.255.255.0" ro="False">
<NAT id="id3102X82837" name="NAT" comment="" ro="False" ipv4_rule_set="False" ipv6_rule_set="False" top_rule_set="True"/>
<Policy id="id3101X82837" name="Policy" comment="" ro="False" ipv4_rule_set="False" ipv6_rule_set="False" top_rule_set="True"/>
<Routing id="id3103X82837" name="Routing" comment="" ro="False" ipv4_rule_set="False" ipv6_rule_set="False" top_rule_set="True"/>
<NAT id="id3102X82837" name="NAT" comment="" ro="False" ipv4_rule_set="False" ipv6_rule_set="False" top_rule_set="True"><RuleSetOptions/>
</NAT>
<Policy id="id3101X82837" name="Policy" comment="" ro="False" ipv4_rule_set="False" ipv6_rule_set="False" top_rule_set="True">
<RuleSetOptions/></Policy>
<Routing id="id3103X82837" name="Routing" comment="" ro="False" ipv4_rule_set="False" ipv6_rule_set="False" top_rule_set="True"><RuleSetOptions/>
</Routing>
<Interface id="id3104X82837" dyn="False" label="" mgmt="False" security_level="0" unnum="False" unprotected="False" name="eth0" comment="" ro="False">
<IPv4 id="id3109X82837" name="gw1-bridge:eth0:ip" comment="" ro="False" address="172.24.0.2" netmask="255.255.0.0"/>
<InterfaceOptions>
@ -2450,16 +2435,16 @@
<FirewallOptions>
<Option name="accept_established">True</Option>
<Option name="accept_new_tcp_with_no_syn">True</Option>
<Option name="action_on_reject"></Option>
<Option name="activationCmd"></Option>
<Option name="admUser"></Option>
<Option name="altAddress"></Option>
<Option name="action_on_reject"/>
<Option name="activationCmd"/>
<Option name="admUser"/>
<Option name="altAddress"/>
<Option name="bridging_fw">False</Option>
<Option name="check_shading">False</Option>
<Option name="clamp_mss_to_mtu">False</Option>
<Option name="classify_mark_terminating">False</Option>
<Option name="cmdline"></Option>
<Option name="compiler"></Option>
<Option name="cmdline"/>
<Option name="compiler"/>
<Option name="configure_bonding_interfaces">True</Option>
<Option name="configure_bridge_interfaces">True</Option>
<Option name="configure_interfaces">True</Option>
@ -2467,14 +2452,14 @@
<Option name="debug">False</Option>
<Option name="drop_invalid">False</Option>
<Option name="eliminate_duplicates">true</Option>
<Option name="epilog_script"></Option>
<Option name="epilog_script"/>
<Option name="firewall_dir">/etc</Option>
<Option name="firewall_is_part_of_any_and_networks">True</Option>
<Option name="flush_and_set_default_policy">True</Option>
<Option name="freebsd_ip_forward">1</Option>
<Option name="ignore_empty_groups">False</Option>
<Option name="ipv4_6_order">ipv4_first</Option>
<Option name="limit_suffix"></Option>
<Option name="limit_suffix"/>
<Option name="limit_value">0</Option>
<Option name="linux24_ip_forward">1</Option>
<Option name="load_modules">True</Option>
@ -2489,11 +2474,11 @@
<Option name="loopback_interface">lo</Option>
<Option name="macosx_ip_forward">1</Option>
<Option name="manage_virtual_addr">True</Option>
<Option name="mgmt_addr"></Option>
<Option name="mgmt_addr"/>
<Option name="mgmt_ssh">False</Option>
<Option name="modules_dir">/lib/modules/`uname -r`/kernel/net/</Option>
<Option name="openbsd_ip_forward">1</Option>
<Option name="output_file"></Option>
<Option name="output_file"/>
<Option name="pf_limit_frags">5000</Option>
<Option name="pf_limit_states">10000</Option>
<Option name="pf_timeout_frag">30</Option>
@ -2511,13 +2496,13 @@
<Option name="pix_syslog_device_id_supported">false</Option>
<Option name="pix_use_acl_remarks">true</Option>
<Option name="prolog_place">top</Option>
<Option name="prolog_script"></Option>
<Option name="scpArgs"></Option>
<Option name="prolog_script"/>
<Option name="scpArgs"/>
<Option name="secuwall_add_files">False</Option>
<Option name="secuwall_add_files_dir">/opt/secuwall/templates/default</Option>
<Option name="secuwall_dns_reso1">files</Option>
<Option name="solaris_ip_forward">1</Option>
<Option name="sshArgs"></Option>
<Option name="sshArgs"/>
<Option name="ulog_cprange">0</Option>
<Option name="ulog_nlgroup">1</Option>
<Option name="ulog_qthreshold">1</Option>
@ -2527,7 +2512,6 @@
<Option name="verify_interfaces">True</Option>
</FirewallOptions>
</Firewall>
<ObjectRef ref="id2847X69605"/>
<Interface id="id2847X69605" dyn="False" label="" mgmt="False" security_level="100" unnum="False" unprotected="False" name="lo" comment="" ro="False">
<IPv4 id="id2849X69605" name="pix-1:lo:ip" comment="" ro="False" address="127.0.0.1" netmask="255.0.0.0"/>
<InterfaceOptions/>
@ -2559,9 +2543,11 @@
</TSrv>
<NATRuleOptions/>
</NATRule>
<RuleSetOptions/>
</NAT>
<Policy id="id2369X75741" name="Policy" comment="" ro="False" ipv4_rule_set="False" ipv6_rule_set="False" top_rule_set="True">
<PolicyRule id="id2913X78273" disabled="False" log="True" position="0" action="Deny" direction="Inbound" comment="anti spoofing rule">
<PolicyRule id="id2913X78273" disabled="False" log="True" position="0" action="Deny" direction="Inbound" comment="anti spoofing rule">
<Src neg="False">
<ObjectRef ref="id3DC75CE7-1"/>
<ObjectRef ref="id2366X75741"/>
@ -2579,8 +2565,7 @@
<IntervalRef ref="sysid2"/>
</When>
<PolicyRuleOptions/>
</PolicyRule>
<PolicyRule id="id2896X78273" disabled="False" log="False" position="1" action="Accept" direction="Both" comment="">
</PolicyRule><PolicyRule id="id2896X78273" disabled="False" log="False" position="1" action="Accept" direction="Both" comment="">
<Src neg="False">
<ObjectRef ref="sysid0"/>
</Src>
@ -2597,8 +2582,7 @@
<IntervalRef ref="sysid2"/>
</When>
<PolicyRuleOptions/>
</PolicyRule>
<PolicyRule id="id2879X78273" disabled="False" log="False" position="2" action="Accept" direction="Both" comment="SSH Access to firewall is permitted&#10;only from internal network">
</PolicyRule><PolicyRule id="id2879X78273" disabled="False" log="False" position="2" action="Accept" direction="Both" comment="SSH Access to firewall is permitted&#10;only from internal network">
<Src neg="False">
<ObjectRef ref="id3DC75CE7-1"/>
</Src>
@ -2615,8 +2599,7 @@
<IntervalRef ref="sysid2"/>
</When>
<PolicyRuleOptions/>
</PolicyRule>
<PolicyRule id="id2862X78273" disabled="False" log="True" position="3" action="Accept" direction="Both" comment="Firewall uses one of the machines&#10;on internal network for DNS">
</PolicyRule><PolicyRule id="id2862X78273" disabled="False" log="True" position="3" action="Accept" direction="Both" comment="Firewall uses one of the machines&#10;on internal network for DNS">
<Src neg="False">
<ObjectRef ref="id2366X75741"/>
</Src>
@ -2633,8 +2616,7 @@
<IntervalRef ref="sysid2"/>
</When>
<PolicyRuleOptions/>
</PolicyRule>
<PolicyRule id="id2845X78273" disabled="False" log="True" position="4" action="Deny" direction="Both" comment="All other attempts to connect to&#10;the firewall are denied and logged">
</PolicyRule><PolicyRule id="id2845X78273" disabled="False" log="True" position="4" action="Deny" direction="Both" comment="All other attempts to connect to&#10;the firewall are denied and logged">
<Src neg="False">
<ObjectRef ref="sysid0"/>
</Src>
@ -2651,8 +2633,7 @@
<IntervalRef ref="sysid2"/>
</When>
<PolicyRuleOptions/>
</PolicyRule>
<PolicyRule id="id2828X78273" disabled="False" log="False" position="5" action="Accept" direction="Both" comment="">
</PolicyRule><PolicyRule id="id2828X78273" disabled="False" log="False" position="5" action="Accept" direction="Both" comment="">
<Src neg="False">
<ObjectRef ref="id3DC75CE7-1"/>
</Src>
@ -2669,8 +2650,7 @@
<IntervalRef ref="sysid2"/>
</When>
<PolicyRuleOptions/>
</PolicyRule>
<PolicyRule id="id2811X78273" disabled="False" log="True" position="6" action="Deny" direction="Both" comment="">
</PolicyRule><PolicyRule id="id2811X78273" disabled="False" log="True" position="6" action="Deny" direction="Both" comment="">
<Src neg="False">
<ObjectRef ref="sysid0"/>
</Src>
@ -2687,9 +2667,10 @@
<IntervalRef ref="sysid2"/>
</When>
<PolicyRuleOptions/>
</PolicyRule>
</Policy>
<Routing id="id2371X75741" name="Routing" comment="" ro="False" ipv4_rule_set="False" ipv6_rule_set="False" top_rule_set="True"/>
</PolicyRule><RuleSetOptions/></Policy>
<Routing id="id2371X75741" name="Routing" comment="" ro="False" ipv4_rule_set="False" ipv6_rule_set="False" top_rule_set="True"><RuleSetOptions/>
</Routing>
<Interface id="id2374X75741" dyn="False" label="" security_level="0" unnum="False" unprotected="False" name="vrrp0" comment="" ro="False">
<IPv4 id="id2375X75741" name="cluster1:vrrp0:ip" comment="" ro="False" address="172.24.0.1" netmask="255.255.0.0"/>
<InterfaceOptions>
@ -2758,10 +2739,13 @@
</ServiceGroup>
<ObjectGroup id="id1514X69605" name="Firewalls" comment="" ro="False">
<Firewall id="id2735X69605" host_OS="ios" inactive="False" lastCompiled="1251482764" lastInstalled="0" lastModified="1257786087" platform="iosacl" version="12.4" name="ios-1" comment=" " ro="False">
<NAT id="id2827X69605" name="NAT" comment="" ro="False" ipv4_rule_set="False" ipv6_rule_set="False" top_rule_set="True"/>
<Policy id="id2741X69605" name="Policy" comment="" ro="False" ipv4_rule_set="False" ipv6_rule_set="False" top_rule_set="True"/>
<NAT id="id2827X69605" name="NAT" comment="" ro="False" ipv4_rule_set="False" ipv6_rule_set="False" top_rule_set="True"><RuleSetOptions/>
</NAT>
<Policy id="id2741X69605" name="Policy" comment="" ro="False" ipv4_rule_set="False" ipv6_rule_set="False" top_rule_set="True">
<RuleSetOptions/></Policy>
<Policy id="id6188X76214" name="to_fw" comment="" ro="False" ipv4_rule_set="True" ipv6_rule_set="False" top_rule_set="False">
<PolicyRule id="id10428X76214" disabled="False" log="True" position="0" action="Deny" direction="Both" comment="hashlimit 10/sec">
<PolicyRule id="id10428X76214" disabled="False" log="True" position="0" action="Deny" direction="Both" comment="hashlimit 10/sec">
<Src neg="False">
<ObjectRef ref="sysid0"/>
</Src>
@ -2790,21 +2774,22 @@
<Option name="hashlimit_mode_dstport">False</Option>
<Option name="hashlimit_mode_srcip">False</Option>
<Option name="hashlimit_mode_srcport">False</Option>
<Option name="hashlimit_name"></Option>
<Option name="hashlimit_name"/>
<Option name="hashlimit_size">0</Option>
<Option name="hashlimit_suffix">/second</Option>
<Option name="hashlimit_value">10</Option>
<Option name="limit_burst">0</Option>
<Option name="limit_suffix"></Option>
<Option name="limit_suffix"/>
<Option name="limit_value">0</Option>
<Option name="log_level"></Option>
<Option name="log_prefix"></Option>
<Option name="log_level"/>
<Option name="log_prefix"/>
<Option name="stateless">True</Option>
<Option name="ulog_nlgroup">1</Option>
</PolicyRuleOptions>
</PolicyRule>
</Policy>
<Routing id="id2842X69605" name="Routing" comment="" ro="False" ipv4_rule_set="False" ipv6_rule_set="False" top_rule_set="True"/>
</PolicyRule><RuleSetOptions/></Policy>
<Routing id="id2842X69605" name="Routing" comment="" ro="False" ipv4_rule_set="False" ipv6_rule_set="False" top_rule_set="True"><RuleSetOptions/>
</Routing>
<Interface id="id2843X69605" dyn="False" label="" mgmt="False" network_zone="sysid0" security_level="0" unnum="False" unprotected="False" name="FastEthernet0/0" comment=" " ro="False">
<InterfaceOptions>
<Option name="type">ethernet</Option>
@ -2837,16 +2822,16 @@
<FirewallOptions>
<Option name="accept_established">True</Option>
<Option name="accept_new_tcp_with_no_syn">True</Option>
<Option name="action_on_reject"></Option>
<Option name="activationCmd"></Option>
<Option name="admUser"></Option>
<Option name="altAddress"></Option>
<Option name="action_on_reject"/>
<Option name="activationCmd"/>
<Option name="admUser"/>
<Option name="altAddress"/>
<Option name="bridging_fw">False</Option>
<Option name="check_shading">False</Option>
<Option name="clamp_mss_to_mtu">False</Option>
<Option name="classify_mark_terminating">False</Option>
<Option name="cmdline"></Option>
<Option name="compiler"></Option>
<Option name="cmdline"/>
<Option name="compiler"/>
<Option name="configure_interfaces">True</Option>
<Option name="configure_vlan_interfaces">True</Option>
<Option name="ctiqbe_fixup">2 2748 0 nil 0</Option>
@ -2854,7 +2839,7 @@
<Option name="dns_fixup">2 65535 0 nil 0</Option>
<Option name="drop_invalid">False</Option>
<Option name="eliminate_duplicates">true</Option>
<Option name="epilog_script"></Option>
<Option name="epilog_script"/>
<Option name="espike_fixup">2 0 0 nil 0</Option>
<Option name="firewall_dir">/etc</Option>
<Option name="firewall_is_part_of_any_and_networks">True</Option>
@ -2870,9 +2855,9 @@
<Option name="iosacl_add_clear_statements">true</Option>
<Option name="iosacl_assume_fw_part_of_any">true</Option>
<Option name="iosacl_include_comments">true</Option>
<Option name="ipt_mangle_only_rulesets"></Option>
<Option name="ipt_mangle_only_rulesets"/>
<Option name="ipv4_6_order">ipv4_first</Option>
<Option name="limit_suffix"></Option>
<Option name="limit_suffix"/>
<Option name="limit_value">0</Option>
<Option name="linux24_ip_forward">1</Option>
<Option name="load_modules">True</Option>
@ -2888,11 +2873,11 @@
<Option name="macosx_ip_forward">1</Option>
<Option name="manage_virtual_addr">True</Option>
<Option name="mgcp_fixup">2 2427 2727 nil 0</Option>
<Option name="mgmt_addr"></Option>
<Option name="mgmt_addr"/>
<Option name="mgmt_ssh">False</Option>
<Option name="modules_dir">/lib/modules/`uname -r`/kernel/net/</Option>
<Option name="openbsd_ip_forward">1</Option>
<Option name="output_file"></Option>
<Option name="output_file"/>
<Option name="pf_limit_frags">5000</Option>
<Option name="pf_limit_states">10000</Option>
<Option name="pf_timeout_frag">30</Option>
@ -2912,10 +2897,10 @@
<Option name="pix_use_acl_remarks">true</Option>
<Option name="pptp_fixup">2 1723 0 nil 0</Option>
<Option name="prolog_place">top</Option>
<Option name="prolog_script"></Option>
<Option name="prolog_script"/>
<Option name="rsh_fixup">2 514 0 nil 0</Option>
<Option name="rtsp_fixup">2 554 0 nil 0</Option>
<Option name="scpArgs"></Option>
<Option name="scpArgs"/>
<Option name="secuwall_add_files">False</Option>
<Option name="secuwall_add_files_dir">/opt/secuwall/templates/default</Option>
<Option name="secuwall_dns_reso1">files</Option>
@ -2925,7 +2910,7 @@
<Option name="smtp_fixup">2 25 25 nil 0</Option>
<Option name="solaris_ip_forward">1</Option>
<Option name="sqlnet_fixup">2 1521 1521 nil 0</Option>
<Option name="sshArgs"></Option>
<Option name="sshArgs"/>
<Option name="tftp_fixup">2 69 0 nil 0</Option>
<Option name="ulog_cprange">0</Option>
<Option name="ulog_nlgroup">1</Option>
@ -2937,10 +2922,13 @@
</FirewallOptions>
</Firewall>
<Firewall id="id3009X69605" host_OS="ios" inactive="False" lastCompiled="1251482764" lastInstalled="0" lastModified="1257786076" platform="iosacl" version="12.4" name="ios-2" comment="" ro="False">
<NAT id="id3101X69605" name="NAT" comment="" ro="False" ipv4_rule_set="False" ipv6_rule_set="False" top_rule_set="True"/>
<Policy id="id3015X69605" name="Policy" comment="" ro="False" ipv4_rule_set="False" ipv6_rule_set="False" top_rule_set="True"/>
<NAT id="id3101X69605" name="NAT" comment="" ro="False" ipv4_rule_set="False" ipv6_rule_set="False" top_rule_set="True"><RuleSetOptions/>
</NAT>
<Policy id="id3015X69605" name="Policy" comment="" ro="False" ipv4_rule_set="False" ipv6_rule_set="False" top_rule_set="True">
<RuleSetOptions/></Policy>
<Policy id="id6191X76214" name="to_fw" comment="" ro="False" ipv4_rule_set="True" ipv6_rule_set="False" top_rule_set="False">
<PolicyRule id="id10440X76214" disabled="False" log="True" position="0" action="Deny" direction="Both" comment="hashlimit 20/sec">
<PolicyRule id="id10440X76214" disabled="False" log="True" position="0" action="Deny" direction="Both" comment="hashlimit 20/sec">
<Src neg="False">
<ObjectRef ref="sysid0"/>
</Src>
@ -2969,21 +2957,22 @@
<Option name="hashlimit_mode_dstport">False</Option>
<Option name="hashlimit_mode_srcip">False</Option>
<Option name="hashlimit_mode_srcport">False</Option>
<Option name="hashlimit_name"></Option>
<Option name="hashlimit_name"/>
<Option name="hashlimit_size">0</Option>
<Option name="hashlimit_suffix">/second</Option>
<Option name="hashlimit_value">20</Option>
<Option name="limit_burst">0</Option>
<Option name="limit_suffix"></Option>
<Option name="limit_suffix"/>
<Option name="limit_value">0</Option>
<Option name="log_level"></Option>
<Option name="log_prefix"></Option>
<Option name="log_level"/>
<Option name="log_prefix"/>
<Option name="stateless">True</Option>
<Option name="ulog_nlgroup">1</Option>
</PolicyRuleOptions>
</PolicyRule>
</Policy>
<Routing id="id3116X69605" name="Routing" comment="" ro="False" ipv4_rule_set="False" ipv6_rule_set="False" top_rule_set="True"/>
</PolicyRule><RuleSetOptions/></Policy>
<Routing id="id3116X69605" name="Routing" comment="" ro="False" ipv4_rule_set="False" ipv6_rule_set="False" top_rule_set="True"><RuleSetOptions/>
</Routing>
<Interface id="id3117X69605" dyn="False" label="" mgmt="False" security_level="0" unnum="False" unprotected="False" name="eth0" comment="" ro="False">
<IPv4 id="id3765X78273" name="ios-2:eth0:ip" comment="" ro="False" address="172.24.0.3" netmask="255.255.0.0"/>
<InterfaceOptions/>
@ -3004,21 +2993,21 @@
<FirewallOptions>
<Option name="accept_established">True</Option>
<Option name="accept_new_tcp_with_no_syn">True</Option>
<Option name="action_on_reject"></Option>
<Option name="activationCmd"></Option>
<Option name="admUser"></Option>
<Option name="altAddress"></Option>
<Option name="action_on_reject"/>
<Option name="activationCmd"/>
<Option name="admUser"/>
<Option name="altAddress"/>
<Option name="bridging_fw">False</Option>
<Option name="check_shading">False</Option>
<Option name="clamp_mss_to_mtu">False</Option>
<Option name="classify_mark_terminating">False</Option>
<Option name="cmdline"></Option>
<Option name="compiler"></Option>
<Option name="cmdline"/>
<Option name="compiler"/>
<Option name="configure_interfaces">True</Option>
<Option name="debug">False</Option>
<Option name="drop_invalid">False</Option>
<Option name="eliminate_duplicates">true</Option>
<Option name="epilog_script"></Option>
<Option name="epilog_script"/>
<Option name="firewall_dir">/etc</Option>
<Option name="firewall_is_part_of_any_and_networks">True</Option>
<Option name="flush_and_set_default_policy">True</Option>
@ -3027,9 +3016,9 @@
<Option name="iosacl_add_clear_statements">true</Option>
<Option name="iosacl_assume_fw_part_of_any">true</Option>
<Option name="iosacl_include_comments">true</Option>
<Option name="ipt_mangle_only_rulesets"></Option>
<Option name="ipt_mangle_only_rulesets"/>
<Option name="ipv4_6_order">ipv4_first</Option>
<Option name="limit_suffix"></Option>
<Option name="limit_suffix"/>
<Option name="limit_value">0</Option>
<Option name="linux24_ip_forward">1</Option>
<Option name="load_modules">True</Option>
@ -3044,11 +3033,11 @@
<Option name="loopback_interface">lo</Option>
<Option name="macosx_ip_forward">1</Option>
<Option name="manage_virtual_addr">True</Option>
<Option name="mgmt_addr"></Option>
<Option name="mgmt_addr"/>
<Option name="mgmt_ssh">False</Option>
<Option name="modules_dir">/lib/modules/`uname -r`/kernel/net/</Option>
<Option name="openbsd_ip_forward">1</Option>
<Option name="output_file"></Option>
<Option name="output_file"/>
<Option name="pf_limit_frags">5000</Option>
<Option name="pf_limit_states">10000</Option>
<Option name="pf_timeout_frag">30</Option>
@ -3066,13 +3055,13 @@
<Option name="pix_syslog_device_id_supported">false</Option>
<Option name="pix_use_acl_remarks">true</Option>
<Option name="prolog_place">top</Option>
<Option name="prolog_script"></Option>
<Option name="scpArgs"></Option>
<Option name="prolog_script"/>
<Option name="scpArgs"/>
<Option name="secuwall_add_files">False</Option>
<Option name="secuwall_add_files_dir">/opt/secuwall/templates/default</Option>
<Option name="secuwall_dns_reso1">files</Option>
<Option name="solaris_ip_forward">1</Option>
<Option name="sshArgs"></Option>
<Option name="sshArgs"/>
<Option name="ulog_cprange">0</Option>
<Option name="ulog_nlgroup">1</Option>
<Option name="ulog_qthreshold">1</Option>

928
test/iosacl/objects-for-regression-tests.fwb
View File

File diff suppressed because it is too large Load Diff

479
test/ipf/large_policy_test.fwb
View File

@ -1,330 +1,46 @@
<?xml version="1.0" encoding="utf-8"?>
<!DOCTYPE FWObjectDatabase SYSTEM "fwbuilder.dtd">
<FWObjectDatabase xmlns="http://www.fwbuilder.org/1.0/" version="2.0.0" id="root">
<Library id="syslib000" name="Standard" comment="Standard objects" color="#d4f8ff" ro="True">
<AnyNetwork comment="Any Network" id="sysid0" name="Any" address="0.0.0.0" netmask="0.0.0.0"/>
<AnyIPService comment="Any IP Service" id="sysid1" name="Any" protocol_num="0"/>
<AnyInterval comment="Any Interval" from_day="-1" from_hour="-1" from_minute="-1" from_month="-1" from_weekday="-1" from_year="-1" id="sysid2" name="Any" to_day="-1" to_hour="-1" to_minute="-1" to_month="-1" to_weekday="-1" to_year="-1"/>
<ObjectGroup id="stdid01" name="Objects">
<ObjectGroup id="stdid04" name="Groups">
<ObjectGroup id="id3DC75CE8" name="rfc1918-nets">
<ObjectRef ref="id3DC75CE5"/>
<ObjectRef ref="id3DC75CE6"/>
<ObjectRef ref="id3DC75CE7"/>
</ObjectGroup>
<FWObjectDatabase xmlns="http://www.fwbuilder.org/1.0/" version="15" id="root">
<Library id="sysid99" name="Deleted Objects" comment="" ro="False"/>
<Library id="syslib001" color="#d2ffd0" name="User" comment="User defined objects" ro="False">
<ObjectGroup id="stdid01_1_clusters" name="Clusters" comment="" ro="False"/>
<ObjectGroup id="stdid01_1" name="Objects" comment="" ro="False">
<ObjectGroup id="stdid01_1_og_ats_1" name="Address Tables" comment="" ro="False"/>
<ObjectGroup id="stdid01_1_og_dnsn_1" name="DNS Names" comment="" ro="False"/>
<ObjectGroup id="stdid16_1" name="Addresses" comment="" ro="False"/>
<ObjectGroup id="stdid04_1" name="Groups" comment="" ro="False"/>
<ObjectGroup id="stdid02_1" name="Hosts" comment="" ro="False"/>
<ObjectGroup id="stdid03_1" name="Networks" comment="" ro="False">
<Network id="id3F9A1BC7" name="net A" comment="" ro="False" address="192.168.0.0" netmask="255.255.255.0"/>
<Network id="id3F9A1BC8" name="net B" comment="" ro="False" address="192.168.1.0" netmask="255.255.255.0"/>
<Network id="id3F9A1BC9" name="net C" comment="" ro="False" address="192.168.2.0" netmask="255.255.255.0"/>
</ObjectGroup>
<ObjectGroup id="stdid02" name="Hosts"/>
<ObjectGroup id="stdid03" name="Networks">
<Network comment="224.0.0.0/4 - This block, formerly known as the Class D address\nspace, is allocated for use in IPv4 multicast address assignments.\nThe IANA guidelines for assignments from this space are described in\n[RFC3171].\n" id="id3DC75CEC" name="all multicasts" address="224.0.0.0" netmask="240.0.0.0"/>
<Network comment="169.254.0.0/16 - This is the &quot;link local&quot; block. It is allocated for\ncommunication between hosts on a single link. Hosts obtain these\naddresses by auto-configuration, such as when a DHCP server may not\nbe found.\n" id="id3F4ECE3E" name="link-local" address="169.254.0.0" netmask="255.255.0.0"/>
<Network comment="127.0.0.0/8 - This block is assigned for use as the Internet host\nloopback address. A datagram sent by a higher level protocol to an\naddress anywhere within this block should loop back inside the host.\nThis is ordinarily implemented using only 127.0.0.1/32 for loopback,\nbut no addresses within this block should ever appear on any network\nanywhere [RFC1700, page 5].\n" id="id3F4ECE3D" name="loopback-net" address="127.0.0.0" netmask="255.0.0.0"/>
<Network comment="10.0.0.0/8 - This block is set aside for use in private networks.\nIts intended use is documented in [RFC1918]. Addresses within this\nblock should not appear on the public Internet." id="id3DC75CE5" name="net-10.0.0.0" address="10.0.0.0" netmask="255.0.0.0"/>
<Network comment="172.16.0.0/12 - This block is set aside for use in private networks.\nIts intended use is documented in [RFC1918]. Addresses within this\nblock should not appear on the public Internet.\n" id="id3DC75CE7" name="net-172.16.0.0" address="172.16.0.0" netmask="255.240.0.0"/>
<Network comment="192.168.0.0/16 - This block is set aside for use in private networks.\nIts intended use is documented in [RFC1918]. Addresses within this\nblock should not appear on the public Internet.\n" id="id3DC75CE6" name="net-192.168.0.0" address="192.168.0.0" netmask="255.255.0.0"/>
<Network comment="192.0.2.0/24 - This block is assigned as &quot;TEST-NET&quot; for use in\ndocumentation and example code. It is often used in conjunction with\ndomain names example.com or example.net in vendor and protocol\ndocumentation. Addresses within this block should not appear on the\npublic Internet.\n" id="id3F4ECE3F" name="test-net" address="192.0.2.0" netmask="255.255.255.0"/>
<Network comment="0.0.0.0/8 - Addresses in this block refer to source hosts on &quot;this&quot;\nnetwork. Address 0.0.0.0/32 may be used as a source address for this\nhost on this network; other addresses within 0.0.0.0/8 may be used to\nrefer to specified hosts on this network [RFC1700, page 4]." id="id3F4ECE40" name="this-net" address="0.0.0.0" netmask="255.0.0.0"/>
</ObjectGroup>
<ObjectGroup id="stdid15" name="Address Ranges">
<AddressRange comment="" id="id3F6D115C" name="broadcast" start_address="255.255.255.255" end_address="255.255.255.255"/>
<AddressRange comment="" id="id3F6D115D" name="old-broadcast" start_address="0.0.0.0" end_address="0.0.0.0"/>
<ObjectGroup id="stdid15_1" name="Address Ranges" comment="" ro="False">
<AddressRange id="id3F9A1BCA" name="range A" comment="" ro="False" start_address="192.168.0.10" end_address="192.168.0.250"/>
<AddressRange id="id3F9A1BCB" name="range B" comment="" ro="False" start_address="192.168.1.10" end_address="192.168.1.250"/>
<AddressRange id="id3F9A1BCC" name="range C" comment="" ro="False" start_address="192.168.2.10" end_address="192.168.2.250"/>
<AddressRange id="id3F9AF27F" name="mini range A" comment="" ro="False" start_address="192.168.0.10" end_address="192.168.0.12"/>
<AddressRange id="id3F9AF280" name="mini range B" comment="" ro="False" start_address="192.168.1.10" end_address="192.168.1.12"/>
<AddressRange id="id3F9AF281" name="mini range C" comment="" ro="False" start_address="192.168.2.10" end_address="192.168.2.12"/>
</ObjectGroup>
</ObjectGroup>
<ServiceGroup id="stdid05" name="Services">
<CustomService comment="This service matches all packets which are part of network connections established through the firewall, or \n connections 'related' to those established through the firewall. Term 'established' refers to the state tracking \n mechanism which exists inside iptables and other stateful firewalls and does not mean any particular \n combination of packet header options. Packet is considered to correspond to the state 'ESTABLISHED' if it \n belongs to the network session, for which proper initiation has been seen by the firewall, so its stateful \n inspection module made appropriate record in the state table. Usually statefule firewalls keep track of network \n connections using not only tcp protocol, but also udp and sometimes even icmp protocols. 'RELATED' \n describes packet belonging to a separate network connection, related to the session firewall is keeping \n track of. One example is FTP command and FTP data sessions." id="stdid14" name="ESTABLISHED">
<CustomServiceCommand platform="Undefined"/>
<CustomServiceCommand platform="ipfilter"/>
<CustomServiceCommand platform="ipfw">established</CustomServiceCommand>
<CustomServiceCommand platform="iptables">-m state --state ESTABLISHED,RELATED</CustomServiceCommand>
</CustomService>
<ServiceGroup id="stdid10" name="Groups">
<ServiceGroup comment="" id="sg-DHCP" name="DHCP">
<ServiceRef ref="udp-bootpc"/>
<ServiceRef ref="udp-bootps"/>
</ServiceGroup>
<ServiceGroup id="id3F530CC8" name="DNS">
<ServiceRef ref="udp-DNS"/>
<ServiceRef ref="tcp-DNS"/>
</ServiceGroup>
<ServiceGroup id="id3CB1279B" name="IPSEC">
<ServiceRef ref="id3CB12797"/>
<ServiceRef ref="ip-IPSEC"/>
</ServiceGroup>
<ServiceGroup comment="" id="sg-NETBIOS" name="NETBIOS">
<ServiceRef ref="udp-netbios-dgm"/>
<ServiceRef ref="udp-netbios-ns"/>
<ServiceRef ref="id3E755609"/>
</ServiceGroup>
<ServiceGroup id="id3CB131CC" name="PCAnywhere">
<ServiceRef ref="id3CB131CA"/>
<ServiceRef ref="id3CB131C8"/>
</ServiceGroup>
<ServiceGroup comment="" id="sg-Useful_ICMP" name="Useful_ICMP">
<ServiceRef ref="icmp-Time_exceeded"/>
<ServiceRef ref="icmp-Time_exceeded_in_transit"/>
<ServiceRef ref="icmp-ping_reply"/>
<ServiceRef ref="icmp-Unreachables"/>
</ServiceGroup>
<ServiceGroup id="id3B4FEDD9" name="kerberos">
<ServiceRef ref="id3B4FEDA5"/>
<ServiceRef ref="id3B4FEDA9"/>
<ServiceRef ref="id3B4FEDA7"/>
<ServiceRef ref="id3B4FEDAB"/>
<ServiceRef ref="id3B4FEDA3"/>
<ServiceRef ref="id3B4FEE21"/>
<ServiceRef ref="id3B4FEE23"/>
<ServiceRef ref="id3E7E3EA2"/>
</ServiceGroup>
<ServiceGroup id="id3B4FF35E" name="nfs">
<ServiceRef ref="id3B4FEE7A"/>
<ServiceRef ref="id3B4FEE78"/>
</ServiceGroup>
<ServiceGroup id="id3B4FEFFA" name="quake">
<ServiceRef ref="id3B4FEF7C"/>
<ServiceRef ref="id3B4FEF7E"/>
</ServiceGroup>
<ServiceGroup id="id3D703C9A" name="Real Player">
<ServiceRef ref="id3D703C99"/>
<ServiceRef ref="id3D703C8B"/>
</ServiceGroup>
<ServiceGroup id="id3E7E3E95" name="WinNT">
<ServiceRef ref="sg-NETBIOS"/>
<ServiceRef ref="id3DC8C8BB"/>
<ServiceRef ref="id3E7E3D58"/>
</ServiceGroup>
<ServiceGroup id="id3E7E3E9A" name="Win2000">
<ServiceRef ref="id3E7E3E95"/>
<ServiceRef ref="udp-DNS"/>
<ServiceRef ref="id3DC8C8BC"/>
<ServiceRef ref="id3E7E3EA2"/>
<ServiceRef ref="id3AECF778"/>
<ServiceRef ref="id3D703C90"/>
<ServiceRef ref="id3E7E4039"/>
<ServiceRef ref="id3E7E403A"/>
<ServiceRef ref="id3B4FEDA5"/>
<ServiceRef ref="tcp-DNS"/>
</ServiceGroup>
</ServiceGroup>
<ServiceGroup id="stdid07" name="ICMP">
<ICMPService code="-1" comment="" id="icmp-Unreachables" name="all ICMP unreachables" type="3"/>
<ICMPService code="-1" comment="" id="id3C20EEB5" name="any ICMP" type="-1"/>
<ICMPService code="1" comment="" id="icmp-Host_unreach" name="host_unreach" type="3"/>
<ICMPService code="0" comment="" id="icmp-ping_reply" name="ping reply" type="0"/>
<ICMPService code="0" comment="" id="icmp-ping_request" name="ping request" type="8"/>
<ICMPService code="3" comment="Port unreachable" id="icmp-Port_unreach" name="port unreach" type="3"/>
<ICMPService code="0" comment="ICMP messages of this type are needed for traceroute" id="icmp-Time_exceeded" name="time exceeded" type="11"/>
<ICMPService code="1" comment="" id="icmp-Time_exceeded_in_transit" name="time exceeded in transit" type="11"/>
</ServiceGroup>
<ServiceGroup id="stdid06" name="IP">
<IPService comment="IPSEC Authentication Header Protocol" fragm="False" id="id3CB12797" lsrr="False" name="AH" protocol_num="51" rr="False" short_fragm="False" ssrr="False" ts="False"/>
<IPService comment="IPSEC Encapsulating Security Payload Protocol" fragm="False" id="ip-IPSEC" lsrr="False" name="ESP" protocol_num="50" rr="False" short_fragm="False" ssrr="False" ts="False"/>
<IPService comment="Route recording packets" fragm="False" id="ip-RR" lsrr="False" name="RR" protocol_num="0" rr="True" short_fragm="False" ssrr="False" ts="False"/>
<IPService comment="All sorts of Source Routing Packets" fragm="False" id="ip-SRR" lsrr="True" name="SRR" protocol_num="0" rr="False" short_fragm="False" ssrr="True" ts="False"/>
<IPService comment="'Short' fragments" fragm="False" id="ip-IP_Fragments" lsrr="False" name="ip_fragments" protocol_num="0" rr="False" short_fragm="True" ssrr="False" ts="False"/>
<IPService comment="IPSEC Simple Key Management for Internet Protocols" fragm="False" id="id3D703C8E" lsrr="False" name="SKIP" protocol_num="57" rr="False" short_fragm="False" ssrr="False" ts="False"/>
<IPService comment="Generic Routing Encapsulation\n" fragm="False" id="id3D703C8F" lsrr="False" name="GRE" protocol_num="47" rr="False" short_fragm="False" ssrr="False" ts="False"/>
<IPService comment="Virtual Router Redundancy Protocol" fragm="False" id="id3D703C95" lsrr="False" name="vrrp" protocol_num="112" rr="False" short_fragm="False" ssrr="False" ts="False"/>
</ServiceGroup>
<ServiceGroup id="stdid09" name="TCP">
<TCPService ack_flag="False" ack_flag_mask="False" comment="ipchains used to use this range of port numbers for masquerading. " dst_range_end="0" dst_range_start="0" fin_flag="False" fin_flag_mask="False" id="tcp-ALL_TCP_Masqueraded" name="ALL TCP Masqueraded" psh_flag="False" psh_flag_mask="False" rst_flag="False" rst_flag_mask="False" src_range_end="65095" src_range_start="61000" syn_flag="False" syn_flag_mask="False" urg_flag="False" urg_flag_mask="False"/>
<TCPService ack_flag="False" ack_flag_mask="False" comment="" dst_range_end="5190" dst_range_start="5190" fin_flag="False" fin_flag_mask="False" id="id3D703C94" name="AOL" psh_flag="False" psh_flag_mask="False" rst_flag="False" rst_flag_mask="False" src_range_end="0" src_range_start="0" syn_flag="False" syn_flag_mask="False" urg_flag="False" urg_flag_mask="False"/>
<TCPService ack_flag="False" ack_flag_mask="False" comment="" dst_range_end="0" dst_range_start="0" fin_flag="False" fin_flag_mask="False" id="tcp-All_TCP" name="All TCP" psh_flag="False" psh_flag_mask="False" rst_flag="False" rst_flag_mask="False" src_range_end="0" src_range_start="0" syn_flag="False" syn_flag_mask="False" urg_flag="False" urg_flag_mask="False"/>
<TCPService ack_flag="False" ack_flag_mask="False" comment="" dst_range_end="1494" dst_range_start="1494" fin_flag="False" fin_flag_mask="False" id="id3CB131C4" name="Citrix-ICA" psh_flag="False" psh_flag_mask="False" rst_flag="False" rst_flag_mask="False" src_range_end="0" src_range_start="0" syn_flag="False" syn_flag_mask="False" urg_flag="False" urg_flag_mask="False"/>
<TCPService ack_flag="False" ack_flag_mask="False" comment="Entrust CA Administration Service" dst_range_end="709" dst_range_start="709" fin_flag="False" fin_flag_mask="False" id="id3D703C91" name="Entrust-Admin" psh_flag="False" psh_flag_mask="False" rst_flag="False" rst_flag_mask="False" src_range_end="0" src_range_start="0" syn_flag="False" syn_flag_mask="False" urg_flag="False" urg_flag_mask="False"/>
<TCPService ack_flag="False" ack_flag_mask="False" comment="Entrust CA Key Management Service" dst_range_end="710" dst_range_start="710" fin_flag="False" fin_flag_mask="False" id="id3D703C92" name="Entrust-KeyMgmt" psh_flag="False" psh_flag_mask="False" rst_flag="False" rst_flag_mask="False" src_range_end="0" src_range_start="0" syn_flag="False" syn_flag_mask="False" urg_flag="False" urg_flag_mask="False"/>
<TCPService ack_flag="False" ack_flag_mask="False" comment="" dst_range_end="1720" dst_range_start="1720" fin_flag="False" fin_flag_mask="False" id="id3AEDBEAC" name="H323" psh_flag="False" psh_flag_mask="False" rst_flag="False" rst_flag_mask="False" src_range_end="0" src_range_start="0" syn_flag="False" syn_flag_mask="False" urg_flag="False" urg_flag_mask="False"/>
<TCPService ack_flag="False" ack_flag_mask="False" comment="" dst_range_end="3268" dst_range_start="3268" fin_flag="False" fin_flag_mask="False" id="id3E7E4039" name="LDAP GC" psh_flag="False" psh_flag_mask="False" rst_flag="False" rst_flag_mask="False" src_range_end="0" src_range_start="0" syn_flag="False" syn_flag_mask="False" urg_flag="False" urg_flag_mask="False"/>
<TCPService ack_flag="False" ack_flag_mask="False" comment="" dst_range_end="3269" dst_range_start="3269" fin_flag="False" fin_flag_mask="False" id="id3E7E403A" name="LDAP GC SSL" psh_flag="False" psh_flag_mask="False" rst_flag="False" rst_flag_mask="False" src_range_end="0" src_range_start="0" syn_flag="False" syn_flag_mask="False" urg_flag="False" urg_flag_mask="False"/>
<TCPService ack_flag="False" ack_flag_mask="False" comment="Open Windows" dst_range_end="2000" dst_range_start="2000" fin_flag="False" fin_flag_mask="False" id="id3D703C83" name="OpenWindows" psh_flag="False" psh_flag_mask="False" rst_flag="False" rst_flag_mask="False" src_range_end="0" src_range_start="0" syn_flag="False" syn_flag_mask="False" urg_flag="False" urg_flag_mask="False"/>
<TCPService ack_flag="False" ack_flag_mask="False" comment="data channel for PCAnywhere v7.52 and later " dst_range_end="5631" dst_range_start="5631" fin_flag="False" fin_flag_mask="False" id="id3CB131C8" name="PCAnywhere-data" psh_flag="False" psh_flag_mask="False" rst_flag="False" rst_flag_mask="False" src_range_end="0" src_range_start="0" syn_flag="False" syn_flag_mask="False" urg_flag="False" urg_flag_mask="False"/>
<TCPService ack_flag="False" ack_flag_mask="False" comment="RealNetworks PNA Protocol" dst_range_end="7070" dst_range_start="7070" fin_flag="False" fin_flag_mask="False" id="id3D703C8B" name="Real-Audio" psh_flag="False" psh_flag_mask="False" rst_flag="False" rst_flag_mask="False" src_range_end="0" src_range_start="0" syn_flag="False" syn_flag_mask="False" urg_flag="False" urg_flag_mask="False"/>
<TCPService ack_flag="False" ack_flag_mask="False" comment="" dst_range_end="2998" dst_range_start="2998" fin_flag="False" fin_flag_mask="False" id="id3D703C93" name="RealSecure" psh_flag="False" psh_flag_mask="False" rst_flag="False" rst_flag_mask="False" src_range_end="0" src_range_start="0" syn_flag="False" syn_flag_mask="False" urg_flag="False" urg_flag_mask="False"/>
<TCPService ack_flag="False" ack_flag_mask="False" comment="SMB over TCP (without NETBIOS)\n" dst_range_end="445" dst_range_start="445" fin_flag="False" fin_flag_mask="False" id="id3DC8C8BC" name="SMB" psh_flag="False" psh_flag_mask="False" rst_flag="False" rst_flag_mask="False" src_range_end="0" src_range_start="0" syn_flag="False" syn_flag_mask="False" urg_flag="False" urg_flag_mask="False"/>
<TCPService ack_flag="False" ack_flag_mask="False" comment="" dst_range_end="49" dst_range_start="49" fin_flag="False" fin_flag_mask="False" id="id3D703C8D" name="TACACSplus" psh_flag="False" psh_flag_mask="False" rst_flag="False" rst_flag_mask="False" src_range_end="0" src_range_start="0" syn_flag="False" syn_flag_mask="False" urg_flag="False" urg_flag_mask="False"/>
<TCPService ack_flag="False" ack_flag_mask="False" comment="TCP high ports" dst_range_end="65535" dst_range_start="1024" fin_flag="False" fin_flag_mask="False" id="id3D703C84" name="TCP high ports" psh_flag="False" psh_flag_mask="False" rst_flag="False" rst_flag_mask="False" src_range_end="0" src_range_start="0" syn_flag="False" syn_flag_mask="False" urg_flag="False" urg_flag_mask="False"/>
<TCPService ack_flag="False" ack_flag_mask="False" comment="" dst_range_end="42" dst_range_start="42" fin_flag="False" fin_flag_mask="False" id="id3E7E3D58" name="WINS replication" psh_flag="False" psh_flag_mask="False" rst_flag="False" rst_flag_mask="False" src_range_end="0" src_range_start="0" syn_flag="False" syn_flag_mask="False" urg_flag="False" urg_flag_mask="False"/>
<TCPService ack_flag="False" ack_flag_mask="False" comment="X Window System" dst_range_end="6063" dst_range_start="6000" fin_flag="False" fin_flag_mask="False" id="id3D703C82" name="X11" psh_flag="False" psh_flag_mask="False" rst_flag="False" rst_flag_mask="False" src_range_end="0" src_range_start="0" syn_flag="False" syn_flag_mask="False" urg_flag="False" urg_flag_mask="False"/>
<TCPService ack_flag="False" ack_flag_mask="False" comment="" dst_range_end="113" dst_range_start="113" fin_flag="False" fin_flag_mask="False" id="tcp-Auth" name="auth" psh_flag="False" psh_flag_mask="False" rst_flag="False" rst_flag_mask="False" src_range_end="0" src_range_start="0" syn_flag="False" syn_flag_mask="False" urg_flag="False" urg_flag_mask="False"/>
<TCPService ack_flag="False" ack_flag_mask="False" comment="" dst_range_end="13" dst_range_start="13" fin_flag="False" fin_flag_mask="False" id="id3AEDBE6E" name="daytime" psh_flag="False" psh_flag_mask="False" rst_flag="False" rst_flag_mask="False" src_range_end="0" src_range_start="0" syn_flag="False" syn_flag_mask="False" urg_flag="False" urg_flag_mask="False"/>
<TCPService ack_flag="False" ack_flag_mask="False" comment="" dst_range_end="53" dst_range_start="53" fin_flag="False" fin_flag_mask="False" id="tcp-DNS" name="domain" psh_flag="False" psh_flag_mask="False" rst_flag="False" rst_flag_mask="False" src_range_end="0" src_range_start="0" syn_flag="False" syn_flag_mask="False" urg_flag="False" urg_flag_mask="False"/>
<TCPService ack_flag="False" ack_flag_mask="False" comment="" dst_range_end="2105" dst_range_start="2105" fin_flag="False" fin_flag_mask="False" id="id3B4FEDA3" name="eklogin" psh_flag="False" psh_flag_mask="False" rst_flag="False" rst_flag_mask="False" src_range_end="0" src_range_start="0" syn_flag="False" syn_flag_mask="False" urg_flag="False" urg_flag_mask="False"/>
<TCPService ack_flag="False" ack_flag_mask="False" comment="" dst_range_end="79" dst_range_start="79" fin_flag="False" fin_flag_mask="False" id="id3AECF774" name="finger" psh_flag="False" psh_flag_mask="False" rst_flag="False" rst_flag_mask="False" src_range_end="0" src_range_start="0" syn_flag="False" syn_flag_mask="False" urg_flag="False" urg_flag_mask="False"/>
<TCPService ack_flag="False" ack_flag_mask="False" comment="" dst_range_end="21" dst_range_start="21" fin_flag="False" fin_flag_mask="False" id="tcp-FTP" name="ftp" psh_flag="False" psh_flag_mask="False" rst_flag="False" rst_flag_mask="False" src_range_end="0" src_range_start="0" syn_flag="False" syn_flag_mask="False" urg_flag="False" urg_flag_mask="False"/>
<TCPService ack_flag="False" ack_flag_mask="False" comment="FTP data channel.\n Note: FTP protocol does not really require server to use source port 20 for the data channel, \n but many ftp server implementations do so." dst_range_end="65535" dst_range_start="1024" fin_flag="False" fin_flag_mask="False" id="tcp-FTP_data" name="ftp data" psh_flag="False" psh_flag_mask="False" rst_flag="False" rst_flag_mask="False" src_range_end="20" src_range_start="20" syn_flag="False" syn_flag_mask="False" urg_flag="False" urg_flag_mask="False"/>
<TCPService ack_flag="False" ack_flag_mask="False" comment="FTP data channel for passive mode transfers\n" dst_range_end="20" dst_range_start="20" fin_flag="False" fin_flag_mask="False" id="id3E7553BC" name="ftp data passive" psh_flag="False" psh_flag_mask="False" rst_flag="False" rst_flag_mask="False" src_range_end="0" src_range_start="0" syn_flag="False" syn_flag_mask="False" urg_flag="False" urg_flag_mask="False"/>
<TCPService ack_flag="False" ack_flag_mask="False" comment="" dst_range_end="80" dst_range_start="80" fin_flag="False" fin_flag_mask="False" id="tcp-HTTP" name="http" psh_flag="False" psh_flag_mask="False" rst_flag="False" rst_flag_mask="False" src_range_end="0" src_range_start="0" syn_flag="False" syn_flag_mask="False" urg_flag="False" urg_flag_mask="False"/>
<TCPService ack_flag="False" ack_flag_mask="False" comment="" dst_range_end="443" dst_range_start="443" fin_flag="False" fin_flag_mask="False" id="id3B4FED69" name="https" psh_flag="False" psh_flag_mask="False" rst_flag="False" rst_flag_mask="False" src_range_end="0" src_range_start="0" syn_flag="False" syn_flag_mask="False" urg_flag="False" urg_flag_mask="False"/>
<TCPService ack_flag="False" ack_flag_mask="False" comment="" dst_range_end="143" dst_range_start="143" fin_flag="False" fin_flag_mask="False" id="id3AECF776" name="imap" psh_flag="False" psh_flag_mask="False" rst_flag="False" rst_flag_mask="False" src_range_end="0" src_range_start="0" syn_flag="False" syn_flag_mask="False" urg_flag="False" urg_flag_mask="False"/>
<TCPService ack_flag="False" ack_flag_mask="False" comment="" dst_range_end="993" dst_range_start="993" fin_flag="False" fin_flag_mask="False" id="id3B4FED9F" name="imaps" psh_flag="False" psh_flag_mask="False" rst_flag="False" rst_flag_mask="False" src_range_end="0" src_range_start="0" syn_flag="False" syn_flag_mask="False" urg_flag="False" urg_flag_mask="False"/>
<TCPService ack_flag="False" ack_flag_mask="False" comment="" dst_range_end="6667" dst_range_start="6667" fin_flag="False" fin_flag_mask="False" id="id3B4FF13C" name="irc" psh_flag="False" psh_flag_mask="False" rst_flag="False" rst_flag_mask="False" src_range_end="0" src_range_start="0" syn_flag="False" syn_flag_mask="False" urg_flag="False" urg_flag_mask="False"/>
<TCPService ack_flag="False" ack_flag_mask="False" comment="" dst_range_end="88" dst_range_start="88" fin_flag="False" fin_flag_mask="False" id="id3E7E3EA2" name="kerberos" psh_flag="False" psh_flag_mask="False" rst_flag="False" rst_flag_mask="False" src_range_end="0" src_range_start="0" syn_flag="False" syn_flag_mask="False" urg_flag="False" urg_flag_mask="False"/>
<TCPService ack_flag="False" ack_flag_mask="False" comment="" dst_range_end="543" dst_range_start="543" fin_flag="False" fin_flag_mask="False" id="id3B4FEE21" name="klogin" psh_flag="False" psh_flag_mask="False" rst_flag="False" rst_flag_mask="False" src_range_end="0" src_range_start="0" syn_flag="False" syn_flag_mask="False" urg_flag="False" urg_flag_mask="False"/>
<TCPService ack_flag="False" ack_flag_mask="False" comment="" dst_range_end="544" dst_range_start="544" fin_flag="False" fin_flag_mask="False" id="id3B4FEE23" name="ksh" psh_flag="False" psh_flag_mask="False" rst_flag="False" rst_flag_mask="False" src_range_end="0" src_range_start="0" syn_flag="False" syn_flag_mask="False" urg_flag="False" urg_flag_mask="False"/>
<TCPService ack_flag="False" ack_flag_mask="False" comment="" dst_range_end="389" dst_range_start="389" fin_flag="False" fin_flag_mask="False" id="id3AECF778" name="ldap" psh_flag="False" psh_flag_mask="False" rst_flag="False" rst_flag_mask="False" src_range_end="0" src_range_start="0" syn_flag="False" syn_flag_mask="False" urg_flag="False" urg_flag_mask="False"/>
<TCPService ack_flag="False" ack_flag_mask="False" comment="Lightweight Directory Access Protocol over TLS/SSL" dst_range_end="636" dst_range_start="636" fin_flag="False" fin_flag_mask="False" id="id3D703C90" name="ldaps" psh_flag="False" psh_flag_mask="False" rst_flag="False" rst_flag_mask="False" src_range_end="0" src_range_start="0" syn_flag="False" syn_flag_mask="False" urg_flag="False" urg_flag_mask="False"/>
<TCPService ack_flag="False" ack_flag_mask="False" comment="" dst_range_end="98" dst_range_start="98" fin_flag="False" fin_flag_mask="False" id="id3B4FF000" name="linuxconf" psh_flag="False" psh_flag_mask="False" rst_flag="False" rst_flag_mask="False" src_range_end="0" src_range_start="0" syn_flag="False" syn_flag_mask="False" urg_flag="False" urg_flag_mask="False"/>
<TCPService ack_flag="False" ack_flag_mask="False" comment="" dst_range_end="98" dst_range_start="98" fin_flag="False" fin_flag_mask="False" id="id3AED0D6D" name="linuxconf" psh_flag="False" psh_flag_mask="False" rst_flag="False" rst_flag_mask="False" src_range_end="0" src_range_start="0" syn_flag="False" syn_flag_mask="False" urg_flag="False" urg_flag_mask="False"/>
<TCPService ack_flag="False" ack_flag_mask="False" comment="" dst_range_end="515" dst_range_start="515" fin_flag="False" fin_flag_mask="False" id="id3D703C97" name="lpr" psh_flag="False" psh_flag_mask="False" rst_flag="False" rst_flag_mask="False" src_range_end="0" src_range_start="0" syn_flag="False" syn_flag_mask="False" urg_flag="False" urg_flag_mask="False"/>
<TCPService ack_flag="False" ack_flag_mask="False" comment="" dst_range_end="135" dst_range_start="135" fin_flag="False" fin_flag_mask="False" id="id3DC8C8BB" name="microsoft-rpc" psh_flag="False" psh_flag_mask="False" rst_flag="False" rst_flag_mask="False" src_range_end="0" src_range_start="0" syn_flag="False" syn_flag_mask="False" urg_flag="False" urg_flag_mask="False"/>
<TCPService ack_flag="False" ack_flag_mask="False" comment="Microsoft SQL Server" dst_range_end="1433" dst_range_start="1433" fin_flag="False" fin_flag_mask="False" id="id3D703C98" name="ms-sql" psh_flag="False" psh_flag_mask="False" rst_flag="False" rst_flag_mask="False" src_range_end="0" src_range_start="0" syn_flag="False" syn_flag_mask="False" urg_flag="False" urg_flag_mask="False"/>
<TCPService ack_flag="False" ack_flag_mask="False" comment="" dst_range_end="3306" dst_range_start="3306" fin_flag="False" fin_flag_mask="False" id="id3B4FEEEE" name="mysql" psh_flag="False" psh_flag_mask="False" rst_flag="False" rst_flag_mask="False" src_range_end="0" src_range_start="0" syn_flag="False" syn_flag_mask="False" urg_flag="False" urg_flag_mask="False"/>
<TCPService ack_flag="False" ack_flag_mask="False" comment="" dst_range_end="139" dst_range_start="139" fin_flag="False" fin_flag_mask="False" id="id3E755609" name="netbios-ssn" psh_flag="False" psh_flag_mask="False" rst_flag="False" rst_flag_mask="False" src_range_end="0" src_range_start="0" syn_flag="False" syn_flag_mask="False" urg_flag="False" urg_flag_mask="False"/>
<TCPService ack_flag="False" ack_flag_mask="False" comment="" dst_range_end="2049" dst_range_start="2049" fin_flag="False" fin_flag_mask="False" id="id3B4FEE7A" name="nfs" psh_flag="False" psh_flag_mask="False" rst_flag="False" rst_flag_mask="False" src_range_end="0" src_range_start="0" syn_flag="False" syn_flag_mask="False" urg_flag="False" urg_flag_mask="False"/>
<TCPService ack_flag="False" ack_flag_mask="False" comment="" dst_range_end="119" dst_range_start="119" fin_flag="False" fin_flag_mask="False" id="tcp-NNTP" name="nntp" psh_flag="False" psh_flag_mask="False" rst_flag="False" rst_flag_mask="False" src_range_end="0" src_range_start="0" syn_flag="False" syn_flag_mask="False" urg_flag="False" urg_flag_mask="False"/>
<TCPService ack_flag="False" ack_flag_mask="False" comment="NNTP over SSL" dst_range_end="563" dst_range_start="563" fin_flag="False" fin_flag_mask="False" id="id3E7553BB" name="nntps" psh_flag="False" psh_flag_mask="False" rst_flag="False" rst_flag_mask="False" src_range_end="0" src_range_start="0" syn_flag="False" syn_flag_mask="False" urg_flag="False" urg_flag_mask="False"/>
<TCPService ack_flag="False" ack_flag_mask="False" comment="" dst_range_end="110" dst_range_start="110" fin_flag="False" fin_flag_mask="False" id="id3B4FEE1D" name="pop3" psh_flag="False" psh_flag_mask="False" rst_flag="False" rst_flag_mask="False" src_range_end="0" src_range_start="0" syn_flag="False" syn_flag_mask="False" urg_flag="False" urg_flag_mask="False"/>
<TCPService ack_flag="False" ack_flag_mask="False" comment="POP-3 over SSL" dst_range_end="995" dst_range_start="995" fin_flag="False" fin_flag_mask="False" id="id3E7553BA" name="pop3s" psh_flag="False" psh_flag_mask="False" rst_flag="False" rst_flag_mask="False" src_range_end="0" src_range_start="0" syn_flag="False" syn_flag_mask="False" urg_flag="False" urg_flag_mask="False"/>
<TCPService ack_flag="False" ack_flag_mask="False" comment="" dst_range_end="5432" dst_range_start="5432" fin_flag="False" fin_flag_mask="False" id="id3B4FF0EA" name="postgres" psh_flag="False" psh_flag_mask="False" rst_flag="False" rst_flag_mask="False" src_range_end="0" src_range_start="0" syn_flag="False" syn_flag_mask="False" urg_flag="False" urg_flag_mask="False"/>
<TCPService ack_flag="False" ack_flag_mask="False" comment="" dst_range_end="515" dst_range_start="515" fin_flag="False" fin_flag_mask="False" id="id3AECF782" name="printer" psh_flag="False" psh_flag_mask="False" rst_flag="False" rst_flag_mask="False" src_range_end="0" src_range_start="0" syn_flag="False" syn_flag_mask="False" urg_flag="False" urg_flag_mask="False"/>
<TCPService ack_flag="False" ack_flag_mask="False" comment="" dst_range_end="26000" dst_range_start="26000" fin_flag="False" fin_flag_mask="False" id="id3B4FEF7C" name="quake" psh_flag="False" psh_flag_mask="False" rst_flag="False" rst_flag_mask="False" src_range_end="0" src_range_start="0" syn_flag="False" syn_flag_mask="False" urg_flag="False" urg_flag_mask="False"/>
<TCPService ack_flag="False" ack_flag_mask="False" comment="" dst_range_end="512" dst_range_start="512" fin_flag="False" fin_flag_mask="False" id="id3AECF77A" name="rexec" psh_flag="False" psh_flag_mask="False" rst_flag="False" rst_flag_mask="False" src_range_end="0" src_range_start="0" syn_flag="False" syn_flag_mask="False" urg_flag="False" urg_flag_mask="False"/>
<TCPService ack_flag="False" ack_flag_mask="False" comment="" dst_range_end="513" dst_range_start="513" fin_flag="False" fin_flag_mask="False" id="id3AECF77C" name="rlogin" psh_flag="False" psh_flag_mask="False" rst_flag="False" rst_flag_mask="False" src_range_end="0" src_range_start="0" syn_flag="False" syn_flag_mask="False" urg_flag="False" urg_flag_mask="False"/>
<TCPService ack_flag="False" ack_flag_mask="False" comment="" dst_range_end="514" dst_range_start="514" fin_flag="False" fin_flag_mask="False" id="id3AECF77E" name="rshell" psh_flag="False" psh_flag_mask="False" rst_flag="False" rst_flag_mask="False" src_range_end="0" src_range_start="0" syn_flag="False" syn_flag_mask="False" urg_flag="False" urg_flag_mask="False"/>
<TCPService ack_flag="False" ack_flag_mask="False" comment="Real Time Streaming Protocol" dst_range_end="554" dst_range_start="554" fin_flag="False" fin_flag_mask="False" id="id3D703C99" name="rtsp" psh_flag="False" psh_flag_mask="False" rst_flag="False" rst_flag_mask="False" src_range_end="0" src_range_start="0" syn_flag="False" syn_flag_mask="False" urg_flag="False" urg_flag_mask="False"/>
<TCPService ack_flag="False" ack_flag_mask="False" comment="" dst_range_end="4321" dst_range_start="4321" fin_flag="False" fin_flag_mask="False" id="id3B4FEF34" name="rwhois" psh_flag="False" psh_flag_mask="False" rst_flag="False" rst_flag_mask="False" src_range_end="0" src_range_start="0" syn_flag="False" syn_flag_mask="False" urg_flag="False" urg_flag_mask="False"/>
<TCPService ack_flag="False" ack_flag_mask="False" comment="" dst_range_end="5510" dst_range_start="5510" fin_flag="False" fin_flag_mask="False" id="id3D703C89" name="securidprop" psh_flag="False" psh_flag_mask="False" rst_flag="False" rst_flag_mask="False" src_range_end="0" src_range_start="0" syn_flag="False" syn_flag_mask="False" urg_flag="False" urg_flag_mask="False"/>
<TCPService ack_flag="False" ack_flag_mask="False" comment="" dst_range_end="25" dst_range_start="25" fin_flag="False" fin_flag_mask="False" id="tcp-SMTP" name="smtp" psh_flag="False" psh_flag_mask="False" rst_flag="False" rst_flag_mask="False" src_range_end="0" src_range_start="0" syn_flag="False" syn_flag_mask="False" urg_flag="False" urg_flag_mask="False"/>
<TCPService ack_flag="False" ack_flag_mask="False" comment="" dst_range_end="465" dst_range_start="465" fin_flag="False" fin_flag_mask="False" id="id3B4FF04C" name="smtps" psh_flag="False" psh_flag_mask="False" rst_flag="False" rst_flag_mask="False" src_range_end="0" src_range_start="0" syn_flag="False" syn_flag_mask="False" urg_flag="False" urg_flag_mask="False"/>
<TCPService ack_flag="False" ack_flag_mask="False" comment="" dst_range_end="1080" dst_range_start="1080" fin_flag="False" fin_flag_mask="False" id="id3B4FEE76" name="socks" psh_flag="False" psh_flag_mask="False" rst_flag="False" rst_flag_mask="False" src_range_end="0" src_range_start="0" syn_flag="False" syn_flag_mask="False" urg_flag="False" urg_flag_mask="False"/>
<TCPService ack_flag="False" ack_flag_mask="False" comment="" dst_range_end="1521" dst_range_start="1521" fin_flag="False" fin_flag_mask="False" id="id3D703C87" name="sqlnet1" psh_flag="False" psh_flag_mask="False" rst_flag="False" rst_flag_mask="False" src_range_end="0" src_range_start="0" syn_flag="False" syn_flag_mask="False" urg_flag="False" urg_flag_mask="False"/>
<TCPService ack_flag="False" ack_flag_mask="False" comment="" dst_range_end="3128" dst_range_start="3128" fin_flag="False" fin_flag_mask="False" id="id3B4FF09A" name="squid" psh_flag="False" psh_flag_mask="False" rst_flag="False" rst_flag_mask="False" src_range_end="0" src_range_start="0" syn_flag="False" syn_flag_mask="False" urg_flag="False" urg_flag_mask="False"/>
<TCPService ack_flag="False" ack_flag_mask="False" comment="" dst_range_end="22" dst_range_start="22" fin_flag="False" fin_flag_mask="False" id="tcp-SSH" name="ssh" psh_flag="False" psh_flag_mask="False" rst_flag="False" rst_flag_mask="False" src_range_end="0" src_range_start="0" syn_flag="False" syn_flag_mask="False" urg_flag="False" urg_flag_mask="False"/>
<TCPService ack_flag="False" ack_flag_mask="False" comment="" dst_range_end="111" dst_range_start="111" fin_flag="False" fin_flag_mask="False" id="id3AEDBE00" name="sunrpc" psh_flag="False" psh_flag_mask="False" rst_flag="False" rst_flag_mask="False" src_range_end="0" src_range_start="0" syn_flag="False" syn_flag_mask="False" urg_flag="False" urg_flag_mask="False"/>
<TCPService ack_flag="False" ack_flag_mask="True" comment="" dst_range_end="0" dst_range_start="0" fin_flag="False" fin_flag_mask="True" id="tcp-TCP-SYN" name="tcp-syn" psh_flag="False" psh_flag_mask="True" rst_flag="False" rst_flag_mask="True" src_range_end="0" src_range_start="0" syn_flag="True" syn_flag_mask="True" urg_flag="False" urg_flag_mask="True"/>
<TCPService ack_flag="False" ack_flag_mask="False" comment="" dst_range_end="23" dst_range_start="23" fin_flag="False" fin_flag_mask="False" id="tcp-Telnet" name="telnet" psh_flag="False" psh_flag_mask="False" rst_flag="False" rst_flag_mask="False" src_range_end="0" src_range_start="0" syn_flag="False" syn_flag_mask="False" urg_flag="False" urg_flag_mask="False"/>
<TCPService ack_flag="False" ack_flag_mask="False" comment="" dst_range_end="540" dst_range_start="540" fin_flag="False" fin_flag_mask="False" id="tcp-uucp" name="uucp" psh_flag="False" psh_flag_mask="False" rst_flag="False" rst_flag_mask="False" src_range_end="0" src_range_start="0" syn_flag="False" syn_flag_mask="False" urg_flag="False" urg_flag_mask="False"/>
<TCPService ack_flag="False" ack_flag_mask="False" comment="Windows Terminal Services" dst_range_end="3389" dst_range_start="3389" fin_flag="False" fin_flag_mask="False" id="id3CB131C6" name="winterm" psh_flag="False" psh_flag_mask="False" rst_flag="False" rst_flag_mask="False" src_range_end="0" src_range_start="0" syn_flag="False" syn_flag_mask="False" urg_flag="False" urg_flag_mask="False"/>
<TCPService ack_flag="False" ack_flag_mask="False" comment="" dst_range_end="7100" dst_range_start="7100" fin_flag="False" fin_flag_mask="False" id="id3B4FF1B8" name="xfs" psh_flag="False" psh_flag_mask="False" rst_flag="False" rst_flag_mask="False" src_range_end="0" src_range_start="0" syn_flag="False" syn_flag_mask="False" urg_flag="False" urg_flag_mask="False"/>
<TCPService ack_flag="True" ack_flag_mask="True" comment="" dst_range_end="0" dst_range_start="0" fin_flag="True" fin_flag_mask="True" id="id3C685B2B" name="xmas scan" psh_flag="True" psh_flag_mask="True" rst_flag="True" rst_flag_mask="True" src_range_end="0" src_range_start="0" syn_flag="True" syn_flag_mask="True" urg_flag="True" urg_flag_mask="True"/>
</ServiceGroup>
<ServiceGroup id="stdid08" name="UDP">
<UDPService comment="ipchains used to use this port range for masqueraded packets" dst_range_end="0" dst_range_start="0" id="udp-ALL_UDP_Masqueraded" name="ALL UDP Masqueraded" src_range_end="65095" src_range_start="61000"/>
<UDPService comment="" dst_range_end="0" dst_range_start="0" id="udp-All_UDP" name="All UDP" src_range_end="0" src_range_start="0"/>
<UDPService comment="" dst_range_end="4000" dst_range_start="4000" id="id3D703C96" name="ICQ" src_range_end="0" src_range_start="0"/>
<UDPService comment="" dst_range_end="500" dst_range_start="500" id="id3CB129D2" name="IKE" src_range_end="0" src_range_start="0"/>
<UDPService comment="status channel for PCAnywhere v7.52 and later" dst_range_end="5632" dst_range_start="5632" id="id3CB131CA" name="PCAnywhere-status" src_range_end="0" src_range_start="0"/>
<UDPService comment="routing protocol RIP" dst_range_end="520" dst_range_start="520" id="id3AED0D6B" name="RIP" src_range_end="0" src_range_start="0"/>
<UDPService comment="" dst_range_end="1645" dst_range_start="1645" id="id3D703C8C" name="Radius" src_range_end="0" src_range_start="0"/>
<UDPService comment="" dst_range_end="65535" dst_range_start="1024" id="id3D703C85" name="UDP high ports" src_range_end="0" src_range_start="0"/>
<UDPService comment="" dst_range_end="513" dst_range_start="513" id="id3D703C86" name="Who" src_range_end="0" src_range_start="0"/>
<UDPService comment="" dst_range_end="7009" dst_range_start="7000" id="id3B4FEDA1" name="afs" src_range_end="0" src_range_start="0"/>
<UDPService comment="" dst_range_end="68" dst_range_start="68" id="udp-bootpc" name="bootpc" src_range_end="0" src_range_start="0"/>
<UDPService comment="" dst_range_end="67" dst_range_start="67" id="udp-bootps" name="bootps" src_range_end="0" src_range_start="0"/>
<UDPService comment="" dst_range_end="13" dst_range_start="13" id="id3AEDBE70" name="daytime" src_range_end="0" src_range_start="0"/>
<UDPService comment="" dst_range_end="53" dst_range_start="53" id="udp-DNS" name="domain" src_range_end="0" src_range_start="0"/>
<UDPService comment="VocalTec Internet Phone" dst_range_end="22555" dst_range_start="22555" id="id3D703C8A" name="interphone" src_range_end="0" src_range_start="0"/>
<UDPService comment="" dst_range_end="88" dst_range_start="88" id="id3B4FEDA5" name="kerberos" src_range_end="0" src_range_start="0"/>
<UDPService comment="" dst_range_end="750" dst_range_start="749" id="id3B4FEDA9" name="kerberos-adm" src_range_end="0" src_range_start="0"/>
<UDPService comment="" dst_range_end="464" dst_range_start="464" id="id3B4FEDA7" name="kpasswd" src_range_end="0" src_range_start="0"/>
<UDPService comment="" dst_range_end="4444" dst_range_start="4444" id="id3B4FEDAB" name="krb524" src_range_end="0" src_range_start="0"/>
<UDPService comment="" dst_range_end="135" dst_range_start="135" id="id3F865B0D" name="microsoft-rpc" src_range_end="0" src_range_start="0"/>
<UDPService comment="" dst_range_end="138" dst_range_start="138" id="udp-netbios-dgm" name="netbios-dgm" src_range_end="0" src_range_start="0"/>
<UDPService comment="" dst_range_end="137" dst_range_start="137" id="udp-netbios-ns" name="netbios-ns" src_range_end="0" src_range_start="0"/>
<UDPService comment="" dst_range_end="139" dst_range_start="139" id="udp-netbios-ssn" name="netbios-ssn" src_range_end="0" src_range_start="0"/>
<UDPService comment="" dst_range_end="2049" dst_range_start="2049" id="id3B4FEE78" name="nfs" src_range_end="0" src_range_start="0"/>
<UDPService comment="" dst_range_end="123" dst_range_start="123" id="udp-ntp" name="ntp" src_range_end="0" src_range_start="0"/>
<UDPService comment="" dst_range_end="26000" dst_range_start="26000" id="id3B4FEF7E" name="quake" src_range_end="0" src_range_start="0"/>
<UDPService comment="" dst_range_end="1024" dst_range_start="1024" id="id3D703C88" name="secureid-udp" src_range_end="0" src_range_start="0"/>
<UDPService comment="" dst_range_end="161" dst_range_start="161" id="udp-SNMP" name="snmp" src_range_end="0" src_range_start="0"/>
<UDPService comment="" dst_range_end="162" dst_range_start="162" id="id3AED0D69" name="snmp-trap" src_range_end="0" src_range_start="0"/>
<UDPService comment="" dst_range_end="111" dst_range_start="111" id="id3AEDBE19" name="sunrpc" src_range_end="0" src_range_start="0"/>
<UDPService comment="" dst_range_end="514" dst_range_start="514" id="id3AECF780" name="syslog" src_range_end="0" src_range_start="0"/>
<UDPService comment="" dst_range_end="69" dst_range_start="69" id="id3AED0D67" name="tftp" src_range_end="0" src_range_start="0"/>
<UDPService comment="" dst_range_end="33524" dst_range_start="33434" id="id3AED0D8C" name="traceroute" src_range_end="0" src_range_start="0"/>
</ServiceGroup>
<ServiceGroup id="stdid13" name="Custom">
<CustomService comment="works in iptables and requires patch-o-matic.\nFor more information look for patch-o-matic on http://www.netfilter.org/" id="id3B64EEA8" name="rpc">
<CustomServiceCommand platform="Undefined"/>
<CustomServiceCommand platform="ipf"/>
<CustomServiceCommand platform="ipfilter"/>
<CustomServiceCommand platform="ipfw"/>
<CustomServiceCommand platform="iptables">-m record_rpc</CustomServiceCommand>
<CustomServiceCommand platform="pf"/>
<CustomServiceCommand platform="pix"/>
<CustomServiceCommand platform="unknown"/>
</CustomService>
<CustomService comment="IRC connection tracker, supports DCC.\nWorks on iptables and requires patch-o-matic.\nFor more information look for patch-o-matic on http://www.netfilter.org/\n" id="id3B64EF4E" name="irc-conn">
<CustomServiceCommand platform="Undefined"/>
<CustomServiceCommand platform="ipf"/>
<CustomServiceCommand platform="ipfilter"/>
<CustomServiceCommand platform="ipfw"/>
<CustomServiceCommand platform="iptables">-m irc</CustomServiceCommand>
<CustomServiceCommand platform="pf"/>
<CustomServiceCommand platform="pix"/>
<CustomServiceCommand platform="unknown"/>
</CustomService>
<CustomService comment="Port scan detector, works only on iptables and requires patch-o-matic \nFor more information look for patch-o-matic on http://www.netfilter.org/" id="id3B64EF50" name="psd">
<CustomServiceCommand platform="Undefined"/>
<CustomServiceCommand platform="ipf"/>
<CustomServiceCommand platform="ipfilter"/>
<CustomServiceCommand platform="ipfw"/>
<CustomServiceCommand platform="iptables">-m psd --psd-weight-threshold 5 --psd-delay-threshold 10000</CustomServiceCommand>
<CustomServiceCommand platform="pf"/>
<CustomServiceCommand platform="pix"/>
<CustomServiceCommand platform="unknown"/>
</CustomService>
<CustomService comment="Matches a string in a whole packet, works in iptables and requires patch-o-matic.\nFor more information look for patch-o-matic on http://www.netfilter.org/" id="id3B64EF52" name="string">
<CustomServiceCommand platform="Undefined"/>
<CustomServiceCommand platform="ipf"/>
<CustomServiceCommand platform="ipfilter"/>
<CustomServiceCommand platform="ipfw"/>
<CustomServiceCommand platform="iptables">-m string --string test_pattern</CustomServiceCommand>
<CustomServiceCommand platform="pf"/>
<CustomServiceCommand platform="pix"/>
<CustomServiceCommand platform="unknown"/>
</CustomService>
<CustomService comment="Talk protocol support. Works in iptables and requires patch-o-matic.\nFor more information look for patch-o-matic on http://www.netfilter.org/" id="id3B64EF54" name="talk">
<CustomServiceCommand platform="Undefined"/>
<CustomServiceCommand platform="ipf"/>
<CustomServiceCommand platform="ipfilter"/>
<CustomServiceCommand platform="ipfw"/>
<CustomServiceCommand platform="iptables">-m talk</CustomServiceCommand>
<CustomServiceCommand platform="pf"/>
<CustomServiceCommand platform="pix"/>
<CustomServiceCommand platform="unknown"/>
</CustomService>
</ServiceGroup>
<ServiceGroup id="stdid05_1" name="Services" comment="" ro="False">
<ServiceGroup id="stdid05_1_userservices" name="Users" comment="" ro="False"/>
<ServiceGroup id="stdid05_1_og_tag_1" name="TagServices" comment="" ro="False"/>
<ServiceGroup id="stdid10_1" name="Groups" comment="" ro="False"/>
<ServiceGroup id="stdid07_1" name="ICMP" comment="" ro="False"/>
<ServiceGroup id="stdid06_1" name="IP" comment="" ro="False"/>
<ServiceGroup id="stdid09_1" name="TCP" comment="" ro="False"/>
<ServiceGroup id="stdid08_1" name="UDP" comment="" ro="False"/>
<ServiceGroup id="stdid13_1" name="Custom" comment="" ro="False"/>
</ServiceGroup>
<ObjectGroup id="stdid12" name="Firewalls"/>
<IntervalGroup id="stdid11" name="Time">
<Interval comment="any day, 9:00am through 5:00pm" from_day="-1" from_hour="9" from_minute="0" from_month="-1" from_weekday="1" from_year="-1" id="int-workhours" name="workhours" to_day="-1" to_hour="17" to_minute="0" to_month="-1" to_weekday="5" to_year="-1"/>
<Interval comment="weekends: Saturday 0:00 through Sunday 23:59 " from_day="-1" from_hour="0" from_minute="0" from_month="-1" from_weekday="7" from_year="-1" id="int-weekends" name="weekends" to_day="-1" to_hour="23" to_minute="59" to_month="-1" to_weekday="1" to_year="-1"/>
<Interval comment="any day 6:00pm - 12:00am" from_day="-1" from_hour="18" from_minute="0" from_month="-1" from_weekday="-1" from_year="-1" id="int-afterhours" name="afterhours" to_day="-1" to_hour="23" to_minute="59" to_month="-1" to_weekday="-1" to_year="-1"/>
<Interval comment="" from_day="-1" from_hour="0" from_minute="0" from_month="-1" from_weekday="6" from_year="-1" id="id3C63479C" name="Sat" to_day="-1" to_hour="23" to_minute="59" to_month="-1" to_weekday="6" to_year="-1"/>
<Interval comment="" from_day="-1" from_hour="0" from_minute="0" from_month="-1" from_weekday="0" from_year="-1" id="id3C63479E" name="Sun" to_day="-1" to_hour="23" to_minute="59" to_month="-1" to_weekday="0" to_year="-1"/>
</IntervalGroup>
</Library>
<Library id="syslib001" name="User" comment="User defined objects" color="#d2ffd0">
<ObjectGroup id="stdid01_1" name="Objects">
<ObjectGroup id="stdid16_1" name="Addresses"/>
<ObjectGroup id="stdid04_1" name="Groups"/>
<ObjectGroup id="stdid02_1" name="Hosts"/>
<ObjectGroup id="stdid03_1" name="Networks">
<Network comment="" id="id3F9A1BC7" name="net A" address="192.168.0.0" netmask="255.255.255.0"/>
<Network comment="" id="id3F9A1BC8" name="net B" address="192.168.1.0" netmask="255.255.255.0"/>
<Network comment="" id="id3F9A1BC9" name="net C" address="192.168.2.0" netmask="255.255.255.0"/>
</ObjectGroup>
<ObjectGroup id="stdid15_1" name="Address Ranges">
<AddressRange comment="" id="id3F9A1BCA" name="range A" start_address="192.168.0.10" end_address="192.168.0.250"/>
<AddressRange comment="" id="id3F9A1BCB" name="range B" start_address="192.168.1.10" end_address="192.168.1.250"/>
<AddressRange comment="" id="id3F9A1BCC" name="range C" start_address="192.168.2.10" end_address="192.168.2.250"/>
<AddressRange comment="" id="id3F9AF27F" name="mini range A" start_address="192.168.0.10" end_address="192.168.0.12"/>
<AddressRange comment="" id="id3F9AF280" name="mini range B" start_address="192.168.1.10" end_address="192.168.1.12"/>
<AddressRange comment="" id="id3F9AF281" name="mini range C" start_address="192.168.2.10" end_address="192.168.2.12"/>
</ObjectGroup>
</ObjectGroup>
<ServiceGroup id="stdid05_1" name="Services">
<ServiceGroup id="stdid10_1" name="Groups"/>
<ServiceGroup id="stdid07_1" name="ICMP"/>
<ServiceGroup id="stdid06_1" name="IP"/>
<ServiceGroup id="stdid09_1" name="TCP"/>
<ServiceGroup id="stdid08_1" name="UDP"/>
<ServiceGroup id="stdid13_1" name="Custom"/>
</ServiceGroup>
<ObjectGroup id="stdid12_1" name="Firewalls">
<Firewall comment="" host_OS="freebsd" id="id3F9A1BD2" name="test" platform="ipf">
<NAT id="id3F9A1BD6"/>
<Policy id="id3F9A1BD5">
<PolicyRule action="Accept" comment="" disabled="False" id="id3F9A1CE7" log="False" position="0">
<ObjectGroup id="stdid12_1" name="Firewalls" comment="" ro="False">
<Firewall id="id3F9A1BD2" host_OS="freebsd" lastCompiled="0" lastInstalled="0" lastModified="0" platform="ipf" name="test" comment="" ro="False">
<NAT id="id3F9A1BD6" name="NAT" comment="" ro="False" ipv4_rule_set="False" ipv6_rule_set="False" top_rule_set="True">
<RuleSetOptions/>
</NAT>
<Policy id="id3F9A1BD5" name="Policy" comment="" ro="False" ipv4_rule_set="False" ipv6_rule_set="False" top_rule_set="True">
<PolicyRule id="id3F9A1CE7" disabled="False" log="False" position="0" action="Accept" direction="Both" comment="">
<Src neg="False">
<ObjectRef ref="id3F9A1BC7"/>
</Src>
@ -334,12 +50,15 @@
<Srv neg="False">
<ServiceRef ref="sysid1"/>
</Srv>
<Itf neg="False">
<ObjectRef ref="sysid0"/>
</Itf>
<When neg="False">
<IntervalRef ref="sysid2"/>
</When>
<PolicyRuleOptions/>
</PolicyRule>
<PolicyRule action="Deny" disabled="False" id="id3F9AF2C0" log="True" position="1">
<PolicyRule id="id3F9AF2C0" disabled="False" log="True" position="1" action="Deny" direction="Both" comment="">
<Src neg="False">
<ObjectRef ref="id3F9AF27F"/>
</Src>
@ -351,12 +70,17 @@
<ServiceRef ref="tcp-NNTP"/>
<ServiceRef ref="tcp-FTP"/>
</Srv>
<Itf neg="False">
<ObjectRef ref="sysid0"/>
</Itf>
<When neg="False">
<IntervalRef ref="sysid2"/>
</When>
<PolicyRuleOptions/>
<PolicyRuleOptions>
<Option name="stateless">True</Option>
</PolicyRuleOptions>
</PolicyRule>
<PolicyRule action="Accept" disabled="False" id="id3F9A1BF6" log="False" position="2">
<PolicyRule id="id3F9A1BF6" disabled="False" log="False" position="2" action="Accept" direction="Both" comment="">
<Src neg="False">
<ObjectRef ref="id3F9A1BCA"/>
</Src>
@ -366,12 +90,15 @@
<Srv neg="False">
<ServiceRef ref="sysid1"/>
</Srv>
<Itf neg="False">
<ObjectRef ref="sysid0"/>
</Itf>
<When neg="False">
<IntervalRef ref="sysid2"/>
</When>
<PolicyRuleOptions/>
</PolicyRule>
<PolicyRule action="Accept" disabled="False" id="id3F9A1BEC" log="False" position="3">
<PolicyRule id="id3F9A1BEC" disabled="False" log="False" position="3" action="Accept" direction="Both" comment="">
<Src neg="False">
<ObjectRef ref="id3F9A1BCA"/>
</Src>
@ -381,12 +108,15 @@
<Srv neg="False">
<ServiceRef ref="sysid1"/>
</Srv>
<Itf neg="False">
<ObjectRef ref="sysid0"/>
</Itf>
<When neg="False">
<IntervalRef ref="sysid2"/>
</When>
<PolicyRuleOptions/>
</PolicyRule>
<PolicyRule action="Accept" disabled="False" id="id3F9A1C2E" log="False" position="4">
<PolicyRule id="id3F9A1C2E" disabled="False" log="False" position="4" action="Accept" direction="Both" comment="">
<Src neg="False">
<ObjectRef ref="id3F9A1BCB"/>
</Src>
@ -396,12 +126,15 @@
<Srv neg="False">
<ServiceRef ref="sysid1"/>
</Srv>
<Itf neg="False">
<ObjectRef ref="sysid0"/>
</Itf>
<When neg="False">
<IntervalRef ref="sysid2"/>
</When>
<PolicyRuleOptions/>
</PolicyRule>
<PolicyRule action="Accept" disabled="False" id="id3F9A1C96" log="False" position="5">
<PolicyRule id="id3F9A1C96" disabled="False" log="False" position="5" action="Accept" direction="Both" comment="">
<Src neg="False">
<ObjectRef ref="id3F9A1BC7"/>
</Src>
@ -411,12 +144,15 @@
<Srv neg="False">
<ServiceRef ref="sysid1"/>
</Srv>
<Itf neg="False">
<ObjectRef ref="sysid0"/>
</Itf>
<When neg="False">
<IntervalRef ref="sysid2"/>
</When>
<PolicyRuleOptions/>
</PolicyRule>
<PolicyRule action="Deny" disabled="False" id="id3F9A1C3A" log="True" position="6">
<PolicyRule id="id3F9A1C3A" disabled="False" log="True" position="6" action="Deny" direction="Both" comment="">
<Src neg="False">
<ObjectRef ref="sysid0"/>
</Src>
@ -426,31 +162,40 @@
<Srv neg="False">
<ServiceRef ref="sysid1"/>
</Srv>
<Itf neg="False">
<ObjectRef ref="sysid0"/>
</Itf>
<When neg="False">
<IntervalRef ref="sysid2"/>
</When>
<PolicyRuleOptions/>
<PolicyRuleOptions>
<Option name="stateless">True</Option>
</PolicyRuleOptions>
</PolicyRule>
<RuleSetOptions/>
</Policy>
<Interface dyn="False" id="id3F9A1BD9" label="" name="eth0" network_zone="sysid0" security_level="0" unnum="False">
<IPv4 address="192.0.2.1" id="id3F9A1BDB" name="test:eth0(ip)" netmask="255.255.255.0"/>
<InterfacePolicy id="id3F9A1BDA"/>
<Routing id="id3F9A1BD2-routing" name="Routing" comment="" ro="False" ipv4_rule_set="False" ipv6_rule_set="False" top_rule_set="True">
<RuleSetOptions/>
</Routing>
<Interface id="id3F9A1BD9" dedicated_failover="False" dyn="False" label="" network_zone="sysid0" security_level="0" unnum="False" unprotected="False" name="eth0" comment="" ro="False">
<IPv4 id="id3F9A1BDB" name="test:eth0(ip)" comment="" ro="False" address="192.0.2.1" netmask="255.255.255.0"/>
<InterfaceOptions/>
</Interface>
<Interface dyn="False" id="id3F9A1BDC" label="" name="eth1" network_zone="sysid0" security_level="100" unnum="False">
<IPv4 address="192.168.0.1" id="id3F9A1BDE" name="test:eth1(ip)" netmask="255.255.255.0"/>
<InterfacePolicy id="id3F9A1BDD"/>
<Interface id="id3F9A1BDC" dedicated_failover="False" dyn="False" label="" network_zone="sysid0" security_level="100" unnum="False" unprotected="False" name="eth1" comment="" ro="False">
<IPv4 id="id3F9A1BDE" name="test:eth1(ip)" comment="" ro="False" address="192.168.0.1" netmask="255.255.255.0"/>
<InterfaceOptions/>
</Interface>
<Interface dyn="False" id="id3F9A1BDF" label="" name="eth2" network_zone="sysid0" security_level="100" unnum="False">
<IPv4 address="192.168.1.1" id="id3F9A1BE1" name="test:eth2(ip)" netmask="255.255.255.0"/>
<InterfacePolicy id="id3F9A1BE0"/>
<Interface id="id3F9A1BDF" dedicated_failover="False" dyn="False" label="" network_zone="sysid0" security_level="100" unnum="False" unprotected="False" name="eth2" comment="" ro="False">
<IPv4 id="id3F9A1BE1" name="test:eth2(ip)" comment="" ro="False" address="192.168.1.1" netmask="255.255.255.0"/>
<InterfaceOptions/>
</Interface>
<Interface dyn="False" id="id3F9A1BE2" label="" name="eth3" network_zone="sysid0" security_level="100" unnum="False">
<IPv4 address="192.168.2.1" id="id3F9A1BE4" name="test:eth3(ip)" netmask="255.255.255.0"/>
<InterfacePolicy id="id3F9A1BE3"/>
<Interface id="id3F9A1BE2" dedicated_failover="False" dyn="False" label="" network_zone="sysid0" security_level="100" unnum="False" unprotected="False" name="eth3" comment="" ro="False">
<IPv4 id="id3F9A1BE4" name="test:eth3(ip)" comment="" ro="False" address="192.168.2.1" netmask="255.255.255.0"/>
<InterfaceOptions/>
</Interface>
<Interface dyn="False" id="id3F9A1BE5" label="" name="lo" network_zone="sysid0" security_level="100" unnum="False">
<IPv4 address="127.0.0.1" id="id3F9A1BE7" name="test:lo(ip)" netmask="255.0.0.0"/>
<InterfacePolicy id="id3F9A1BE6"/>
<Interface id="id3F9A1BE5" dedicated_failover="False" dyn="False" label="" network_zone="sysid0" security_level="100" unnum="False" unprotected="False" name="lo" comment="" ro="False">
<IPv4 id="id3F9A1BE7" name="test:lo(ip)" comment="" ro="False" address="127.0.0.1" netmask="255.0.0.0"/>
<InterfaceOptions/>
</Interface>
<Management address="127.0.0.1">
<SNMPManagement enabled="False" snmp_read_community="public" snmp_write_community=""/>
@ -464,20 +209,20 @@
<Option name="bridging_fw">False</Option>
<Option name="check_shading">False</Option>
<Option name="clamp_mss_to_mtu">False</Option>
<Option name="cmdline"/>
<Option name="compiler"/>
<Option name="cmdline"></Option>
<Option name="compiler"></Option>
<Option name="debug">False</Option>
<Option name="eliminate_duplicates">False</Option>
<Option name="firewall_dir">/etc</Option>
<Option name="firewall_is_part_of_any_and_networks">True</Option>
<Option name="freebsd_path_ipf"/>
<Option name="freebsd_path_ipnat"/>
<Option name="freebsd_path_sysctl"/>
<Option name="freebsd_path_ipf"></Option>
<Option name="freebsd_path_ipnat"></Option>
<Option name="freebsd_path_sysctl"></Option>
<Option name="ignore_empty_groups">False</Option>
<Option name="in_out_code">True</Option>
<Option name="ipf_log_body">False</Option>
<Option name="ipf_log_facility"/>
<Option name="ipf_log_level"/>
<Option name="ipf_log_facility"></Option>
<Option name="ipf_log_level"></Option>
<Option name="ipf_log_or_block">False</Option>
<Option name="ipf_nat_ftp_proxy">False</Option>
<Option name="ipf_nat_h323_proxy">False</Option>
@ -485,14 +230,14 @@
<Option name="ipf_nat_raudio_proxy">False</Option>
<Option name="ipf_nat_rcmd_proxy">False</Option>
<Option name="ipf_return_icmp_as_dest">False</Option>
<Option name="limit_suffix"/>
<Option name="limit_suffix"></Option>
<Option name="limit_value">0</Option>
<Option name="linux24_ip_forward">1</Option>
<Option name="linux24_path_ip"/>
<Option name="linux24_path_iptables"/>
<Option name="linux24_path_logger"/>
<Option name="linux24_path_lsmod"/>
<Option name="linux24_path_modprobe"/>
<Option name="linux24_path_ip"></Option>
<Option name="linux24_path_iptables"></Option>
<Option name="linux24_path_logger"></Option>
<Option name="linux24_path_lsmod"></Option>
<Option name="linux24_path_modprobe"></Option>
<Option name="linux24_tcp_fin_timeout">30</Option>
<Option name="linux24_tcp_keepalive_interval">1800</Option>
<Option name="load_modules">True</Option>
@ -507,9 +252,9 @@
<Option name="loopback_interface">lo</Option>
<Option name="manage_virtual_addr">True</Option>
<Option name="pass_all_out">False</Option>
<Option name="snmp_contact"/>
<Option name="snmp_description"/>
<Option name="snmp_location"/>
<Option name="snmp_contact"></Option>
<Option name="snmp_description"></Option>
<Option name="snmp_location"></Option>
<Option name="ulog_cprange">0</Option>
<Option name="ulog_nlgroup">1</Option>
<Option name="ulog_qthreshold">1</Option>
@ -519,6 +264,18 @@
</FirewallOptions>
</Firewall>
</ObjectGroup>
<IntervalGroup id="stdid11_1" name="Time"/>
<IntervalGroup id="stdid11_1" name="Time" comment="" ro="False"/>
</Library>
<Library id="syslib000" color="#d4f8ff" name="Standard" comment="Standard objects" ro="True">
<AnyNetwork id="sysid0" name="Any" comment="Any Network" ro="False" address="0.0.0.0" netmask="0.0.0.0"/>
<AnyIPService id="sysid1" protocol_num="0" name="Any" comment="Any IP Service" ro="False"/>
<AnyInterval id="sysid2" days_of_week="0,1,2,3,4,5,6" from_day="-1" from_hour="-1" from_minute="-1" from_month="-1" from_weekday="-1" from_year="-1" to_day="-1" to_hour="-1" to_minute="-1" to_month="-1" to_weekday="-1" to_year="-1" name="Any" comment="Any Interval" ro="False"/>
<ServiceGroup id="stdid05" name="Services" comment="" ro="False">
<ServiceGroup id="stdid09" name="TCP" comment="" ro="False">
<TCPService id="tcp-SMTP" ack_flag="False" ack_flag_mask="False" fin_flag="False" fin_flag_mask="False" psh_flag="False" psh_flag_mask="False" rst_flag="False" rst_flag_mask="False" syn_flag="False" syn_flag_mask="False" urg_flag="False" urg_flag_mask="False" name="smtp" comment="" ro="False" src_range_start="0" src_range_end="0" dst_range_start="25" dst_range_end="25"/>
<TCPService id="tcp-NNTP" ack_flag="False" ack_flag_mask="False" fin_flag="False" fin_flag_mask="False" psh_flag="False" psh_flag_mask="False" rst_flag="False" rst_flag_mask="False" syn_flag="False" syn_flag_mask="False" urg_flag="False" urg_flag_mask="False" name="nntp" comment="" ro="False" src_range_start="0" src_range_end="0" dst_range_start="119" dst_range_end="119"/>
<TCPService id="tcp-FTP" ack_flag="False" ack_flag_mask="False" fin_flag="False" fin_flag_mask="False" psh_flag="False" psh_flag_mask="False" rst_flag="False" rst_flag_mask="False" syn_flag="False" syn_flag_mask="False" urg_flag="False" urg_flag_mask="False" name="ftp" comment="" ro="False" src_range_start="0" src_range_end="0" dst_range_start="21" dst_range_end="21"/>
</ServiceGroup>
</ServiceGroup>
</Library>
</FWObjectDatabase>

1255
test/ipf/objects-for-regression-tests.fwb
View File

File diff suppressed because it is too large Load Diff

1164
test/ipfw/objects-for-regression-tests.fwb
View File

File diff suppressed because it is too large Load Diff

363
test/ipt/cluster-tests.fwb
View File

@ -1,10 +1,7 @@
<?xml version="1.0" encoding="utf-8"?>
<!DOCTYPE FWObjectDatabase SYSTEM "fwbuilder.dtd">
<FWObjectDatabase xmlns="http://www.fwbuilder.org/1.0/" version="13" lastModified="1253911075" id="root">
<FWObjectDatabase xmlns="http://www.fwbuilder.org/1.0/" version="15" lastModified="1253911075" id="root">
<Library id="sysid99" name="Deleted Objects" comment="" ro="False">
<ObjectRef ref="id2735X69605"/>
<ObjectRef ref="sysid0"/>
<ObjectRef ref="id2843X69605"/>
<StateSyncClusterGroup id="id3505X94039" type="conntrack" name="State Sync Group-1" comment="">
<ClusterGroupOptions/>
</StateSyncClusterGroup>
@ -14,8 +11,6 @@
<Option name="vrrp_vrid"/>
</ClusterGroupOptions>
</FailoverClusterGroup>
<ServiceRef ref="sysid1"/>
<ObjectRef ref="id2772X94039"/>
<StateSyncClusterGroup id="id2762X92940" type="conntrack" name="State Sync Group-1" comment="">
<ClusterGroupOptions/>
</StateSyncClusterGroup>
@ -25,8 +20,6 @@
<StateSyncClusterGroup id="id2726X89830" type="conntrack" name="State sync group" comment="">
<ClusterGroupOptions/>
</StateSyncClusterGroup>
<ObjectRef ref="id10491X48869"/>
<ObjectRef ref="id10489X48869"/>
<Interface id="id10489X48869" dyn="False" label="" mgmt="False" security_level="0" unnum="False" unprotected="False" name="br0" comment="" ro="False">
<IPv4 id="id11790X48869" name="secuwall-1:br0:ip" comment="" ro="False" address="2.2.2.2" netmask="255.255.255.0"/>
<InterfaceOptions>
@ -97,12 +90,6 @@
<Option name="vlan_id">101</Option>
</InterfaceOptions>
</Interface>
<ObjectRef ref="id3117X69605"/>
<ObjectRef ref="id4030X2906"/>
<ObjectRef ref="id4055X2906"/>
<ObjectRef ref="id3647X95766"/>
<ObjectRef ref="id3642X95766"/>
<ObjectRef ref="id3631X95766"/>
<Cluster id="id3631X95766" host_OS="openbsd" inactive="False" lastCompiled="1244758659" lastInstalled="0" lastModified="1244757366" platform="pf" name="pf_cluster_1" comment="" ro="False">
<NAT id="id3640X95766" name="NAT" comment="" ro="False" ipv4_rule_set="False" ipv6_rule_set="False" top_rule_set="True">
<NATRule action="Translate" id="id3162X39764" disabled="False" position="0" comment="">
@ -231,7 +218,9 @@
</TSrv>
<NATRuleOptions/>
</NATRule>
</NAT>
<RuleSetOptions/>
</NAT>
<Policy id="id3639X95766" name="Policy" comment="" ro="False" ipv4_rule_set="False" ipv6_rule_set="False" top_rule_set="True">
<PolicyRule id="id5954X26920" disabled="False" group="" log="False" position="0" action="Accept" direction="Both" comment="">
<Src neg="False">
@ -252,8 +241,7 @@
<PolicyRuleOptions>
<Option name="stateless">False</Option>
</PolicyRuleOptions>
</PolicyRule>
<PolicyRule id="id7136X39764" disabled="False" group="" log="False" position="1" action="Accept" direction="Both" comment="">
</PolicyRule><PolicyRule id="id7136X39764" disabled="False" group="" log="False" position="1" action="Accept" direction="Both" comment="">
<Src neg="False">
<ObjectRef ref="sysid0"/>
</Src>
@ -272,8 +260,7 @@
<PolicyRuleOptions>
<Option name="stateless">False</Option>
</PolicyRuleOptions>
</PolicyRule>
<PolicyRule id="id7162X39764" disabled="False" group="" log="False" position="2" action="Accept" direction="Both" comment="">
</PolicyRule><PolicyRule id="id7162X39764" disabled="False" group="" log="False" position="2" action="Accept" direction="Both" comment="">
<Src neg="False">
<ObjectRef ref="sysid0"/>
</Src>
@ -292,8 +279,7 @@
<PolicyRuleOptions>
<Option name="stateless">False</Option>
</PolicyRuleOptions>
</PolicyRule>
<PolicyRule id="id7149X39764" disabled="False" group="" log="False" position="3" action="Accept" direction="Inbound" comment="">
</PolicyRule><PolicyRule id="id7149X39764" disabled="False" group="" log="False" position="3" action="Accept" direction="Inbound" comment="">
<Src neg="False">
<ObjectRef ref="sysid0"/>
</Src>
@ -312,8 +298,7 @@
<PolicyRuleOptions>
<Option name="stateless">False</Option>
</PolicyRuleOptions>
</PolicyRule>
<PolicyRule id="id5942X26920" disabled="False" log="True" position="4" action="Deny" direction="Both" comment="">
</PolicyRule><PolicyRule id="id5942X26920" disabled="False" log="True" position="4" action="Deny" direction="Both" comment="">
<Src neg="False">
<ObjectRef ref="sysid0"/>
</Src>
@ -332,9 +317,10 @@
<PolicyRuleOptions>
<Option name="stateless">True</Option>
</PolicyRuleOptions>
</PolicyRule>
</Policy>
<Routing id="id3641X95766" name="Routing" comment="" ro="False" ipv4_rule_set="False" ipv6_rule_set="False" top_rule_set="True"/>
</PolicyRule><RuleSetOptions/></Policy>
<Routing id="id3641X95766" name="Routing" comment="" ro="False" ipv4_rule_set="False" ipv6_rule_set="False" top_rule_set="True"><RuleSetOptions/>
</Routing>
<Interface id="id3642X95766" dyn="False" label="pf_clsuter_1 carp0" mgmt="False" security_level="0" unnum="False" unprotected="False" name="carp0" comment="" ro="False">
<IPv4 id="id3647X95766" name="pf_cluster_1:carp0:ip" comment="" ro="False" address="172.24.0.1" netmask="255.255.255.0"/>
<IPv4 id="id16633X39764" name="pf_cluster_1:carp0:ip-1" comment="" ro="False" address="172.24.0.1" netmask="255.255.255.0"/>
@ -372,11 +358,15 @@
</ClusterGroupOptions>
</StateSyncClusterGroup>
</Cluster>
<ObjectRef ref="id2833X26920"/>
<Firewall id="id2827X26920" host_OS="openbsd" inactive="False" lastCompiled="0" lastInstalled="0" lastModified="1244783399" platform="pf" version="4.x" name="openbsd-1" comment="" ro="False">
<NAT id="id2831X26920" name="NAT" comment="" ro="False" ipv4_rule_set="False" ipv6_rule_set="False" top_rule_set="True"/>
<Policy id="id2830X26920" name="Policy" comment="" ro="False" ipv4_rule_set="False" ipv6_rule_set="False" top_rule_set="True"/>
<Routing id="id2832X26920" name="Routing" comment="" ro="False" ipv4_rule_set="False" ipv6_rule_set="False" top_rule_set="True"/>
<NAT id="id2831X26920" name="NAT" comment="" ro="False" ipv4_rule_set="False" ipv6_rule_set="False" top_rule_set="True"><RuleSetOptions/>
</NAT>
<Policy id="id2830X26920" name="Policy" comment="" ro="False" ipv4_rule_set="False" ipv6_rule_set="False" top_rule_set="True">
<RuleSetOptions/></Policy>
<Routing id="id2832X26920" name="Routing" comment="" ro="False" ipv4_rule_set="False" ipv6_rule_set="False" top_rule_set="True"><RuleSetOptions/>
</Routing>
<Interface id="id2833X26920" dyn="False" label="" security_level="0" unnum="False" unprotected="False" name="en0" comment="" ro="False">
<IPv4 id="id2834X26920" name="openbsd-1:en0:ip" comment="" ro="False" address="172.24.0.2" netmask="255.255.255.0"/>
<InterfaceOptions/>
@ -487,11 +477,15 @@
<Option name="sshArgs"/>
</FirewallOptions>
</Firewall>
<ObjectRef ref="id3346X26920"/>
<Firewall id="id3337X26920" host_OS="openbsd" inactive="False" lastCompiled="0" lastInstalled="0" lastModified="1244783399" platform="pf" version="4.x" name="openbsd-2" comment="" ro="False">
<NAT id="id3344X26920" name="NAT" comment="" ro="False" ipv4_rule_set="False" ipv6_rule_set="False" top_rule_set="True"/>
<Policy id="id3343X26920" name="Policy" comment="" ro="False" ipv4_rule_set="False" ipv6_rule_set="False" top_rule_set="True"/>
<Routing id="id3345X26920" name="Routing" comment="" ro="False" ipv4_rule_set="False" ipv6_rule_set="False" top_rule_set="True"/>
<NAT id="id3344X26920" name="NAT" comment="" ro="False" ipv4_rule_set="False" ipv6_rule_set="False" top_rule_set="True"><RuleSetOptions/>
</NAT>
<Policy id="id3343X26920" name="Policy" comment="" ro="False" ipv4_rule_set="False" ipv6_rule_set="False" top_rule_set="True">
<RuleSetOptions/></Policy>
<Routing id="id3345X26920" name="Routing" comment="" ro="False" ipv4_rule_set="False" ipv6_rule_set="False" top_rule_set="True"><RuleSetOptions/>
</Routing>
<Interface id="id3346X26920" dyn="False" label="" security_level="0" unnum="False" unprotected="False" name="en0" comment="" ro="False">
<IPv4 id="id3348X26920" name="openbsd-2:en0:ip" comment="" ro="False" address="172.24.0.3" netmask="255.255.255.0"/>
<InterfaceOptions/>
@ -597,9 +591,14 @@
</FirewallOptions>
</Firewall>
<Cluster id="id3867X13237" host_OS="linux24" lastCompiled="0" lastInstalled="0" lastModified="0" platform="iptables" name="vrrp_cluster_2" comment="" ro="False">
<NAT id="id3871X13237" name="NAT" comment="" ro="False" ipv4_rule_set="False" ipv6_rule_set="False" top_rule_set="True"/>
<Policy id="id3870X13237" name="Policy" comment="" ro="False" ipv4_rule_set="False" ipv6_rule_set="False" top_rule_set="True"/>
<Routing id="id3872X13237" name="Routing" comment="" ro="False" ipv4_rule_set="False" ipv6_rule_set="False" top_rule_set="True"/>
<NAT id="id3871X13237" name="NAT" comment="" ro="False" ipv4_rule_set="False" ipv6_rule_set="False" top_rule_set="True"><RuleSetOptions/>
</NAT>
<Policy id="id3870X13237" name="Policy" comment="" ro="False" ipv4_rule_set="False" ipv6_rule_set="False" top_rule_set="True">
<RuleSetOptions/></Policy>
<Routing id="id3872X13237" name="Routing" comment="" ro="False" ipv4_rule_set="False" ipv6_rule_set="False" top_rule_set="True"><RuleSetOptions/>
</Routing>
<Interface id="id3875X13237" dyn="False" label="" security_level="0" unnum="False" unprotected="False" name="vrrp0" comment="" ro="False">
<IPv4 id="id3876X13237" name="vrrp_cluster_2:vrrp0:ip" comment="" ro="False" address="1.1.1.1" netmask="255.255.255.0"/>
<InterfaceOptions>
@ -647,28 +646,11 @@
<Option name="vrrp_vrid">1</Option>
</ClusterGroupOptions>
</FailoverClusterGroup>
<ObjectRef ref="id2882X94039"/>
<ObjectRef ref="id2847X69605"/>
<ObjectRef ref="id2903X94039"/>
<Interface id="id6189X76214" dyn="False" security_level="0" unnum="False" unprotected="False" name="eth2" comment="" ro="False">
<InterfaceOptions>
<Option name="type">ethernet</Option>
</InterfaceOptions>
</Interface>
<ObjectRef ref="sysid0"/>
<ObjectRef ref="sysid0"/>
<ObjectRef ref="sysid0"/>
<ObjectRef ref="id3441X13311"/>
<ObjectRef ref="sysid0"/>
<ObjectRef ref="sysid0"/>
<ObjectRef ref="sysid0"/>
<ObjectRef ref="sysid0"/>
<ObjectRef ref="id2882X94039"/>
<ObjectRef ref="sysid0"/>
<ObjectRef ref="sysid0"/>
<ObjectRef ref="sysid0"/>
<ObjectRef ref="sysid0"/>
<ObjectRef ref="id2895X94039"/>
</Library>
<Library id="id1495X69605" color="#d2ffd0" name="User" comment="" ro="False">
<ObjectGroup id="id1502X69605" name="Clusters" comment="" ro="False">
@ -695,9 +677,11 @@
</TSrv>
<NATRuleOptions/>
</NATRule>
<RuleSetOptions/>
</NAT>
<Policy id="id2369X75741" name="Policy" comment="" ro="False" ipv4_rule_set="False" ipv6_rule_set="False" top_rule_set="True">
<PolicyRule id="id2913X78273" disabled="False" log="True" position="0" action="Deny" direction="Inbound" comment="anti spoofing rule">
<PolicyRule id="id2913X78273" disabled="False" log="True" position="0" action="Deny" direction="Inbound" comment="anti spoofing rule">
<Src neg="False">
<ObjectRef ref="id3DC75CE7-1"/>
<ObjectRef ref="id2366X75741"/>
@ -715,8 +699,7 @@
<IntervalRef ref="sysid2"/>
</When>
<PolicyRuleOptions/>
</PolicyRule>
<PolicyRule id="id2896X78273" disabled="False" log="False" position="1" action="Accept" direction="Both" comment="">
</PolicyRule><PolicyRule id="id2896X78273" disabled="False" log="False" position="1" action="Accept" direction="Both" comment="">
<Src neg="False">
<ObjectRef ref="sysid0"/>
</Src>
@ -733,8 +716,7 @@
<IntervalRef ref="sysid2"/>
</When>
<PolicyRuleOptions/>
</PolicyRule>
<PolicyRule id="id2879X78273" disabled="False" log="False" position="2" action="Accept" direction="Both" comment="SSH Access to firewall is permitted&#10;only from internal network">
</PolicyRule><PolicyRule id="id2879X78273" disabled="False" log="False" position="2" action="Accept" direction="Both" comment="SSH Access to firewall is permitted&#10;only from internal network">
<Src neg="False">
<ObjectRef ref="id3DC75CE7-1"/>
</Src>
@ -751,8 +733,7 @@
<IntervalRef ref="sysid2"/>
</When>
<PolicyRuleOptions/>
</PolicyRule>
<PolicyRule id="id2862X78273" disabled="False" log="True" position="3" action="Accept" direction="Both" comment="Firewall uses one of the machines&#10;on internal network for DNS">
</PolicyRule><PolicyRule id="id2862X78273" disabled="False" log="True" position="3" action="Accept" direction="Both" comment="Firewall uses one of the machines&#10;on internal network for DNS">
<Src neg="False">
<ObjectRef ref="id2366X75741"/>
</Src>
@ -769,8 +750,7 @@
<IntervalRef ref="sysid2"/>
</When>
<PolicyRuleOptions/>
</PolicyRule>
<PolicyRule id="id2845X78273" disabled="False" log="True" position="4" action="Deny" direction="Both" comment="All other attempts to connect to&#10;the firewall are denied and logged">
</PolicyRule><PolicyRule id="id2845X78273" disabled="False" log="True" position="4" action="Deny" direction="Both" comment="All other attempts to connect to&#10;the firewall are denied and logged">
<Src neg="False">
<ObjectRef ref="sysid0"/>
</Src>
@ -787,8 +767,7 @@
<IntervalRef ref="sysid2"/>
</When>
<PolicyRuleOptions/>
</PolicyRule>
<PolicyRule id="id2828X78273" disabled="False" log="False" position="5" action="Accept" direction="Both" comment="">
</PolicyRule><PolicyRule id="id2828X78273" disabled="False" log="False" position="5" action="Accept" direction="Both" comment="">
<Src neg="False">
<ObjectRef ref="id3DC75CE7-1"/>
</Src>
@ -805,8 +784,7 @@
<IntervalRef ref="sysid2"/>
</When>
<PolicyRuleOptions/>
</PolicyRule>
<PolicyRule id="id2811X78273" disabled="False" log="True" position="6" action="Deny" direction="Both" comment="">
</PolicyRule><PolicyRule id="id2811X78273" disabled="False" log="True" position="6" action="Deny" direction="Both" comment="">
<Src neg="False">
<ObjectRef ref="sysid0"/>
</Src>
@ -823,9 +801,10 @@
<IntervalRef ref="sysid2"/>
</When>
<PolicyRuleOptions/>
</PolicyRule>
</Policy>
<Routing id="id2371X75741" name="Routing" comment="" ro="False" ipv4_rule_set="False" ipv6_rule_set="False" top_rule_set="True"/>
</PolicyRule><RuleSetOptions/></Policy>
<Routing id="id2371X75741" name="Routing" comment="" ro="False" ipv4_rule_set="False" ipv6_rule_set="False" top_rule_set="True"><RuleSetOptions/>
</Routing>
<Interface id="id2374X75741" dyn="False" label="" security_level="0" unnum="False" unprotected="False" name="vrrp0" comment="" ro="False">
<IPv4 id="id2375X75741" name="cluster1:vrrp0:ip" comment="" ro="False" address="172.24.0.1" netmask="255.255.0.0"/>
<InterfaceOptions>
@ -867,9 +846,14 @@
</StateSyncClusterGroup>
</Cluster>
<Cluster id="id2708X89830" host_OS="secuwall" inactive="False" lastCompiled="1248541093" lastInstalled="0" lastModified="1244047289" platform="iptables" name="secuwall_cluster_1" comment="" ro="False">
<NAT id="id2712X89830" name="NAT" comment="" ro="False" ipv4_rule_set="False" ipv6_rule_set="False" top_rule_set="True"/>
<Policy id="id2711X89830" name="Policy" comment="" ro="False" ipv4_rule_set="False" ipv6_rule_set="False" top_rule_set="True"/>
<Routing id="id2713X89830" name="Routing" comment="" ro="False" ipv4_rule_set="False" ipv6_rule_set="False" top_rule_set="True"/>
<NAT id="id2712X89830" name="NAT" comment="" ro="False" ipv4_rule_set="False" ipv6_rule_set="False" top_rule_set="True"><RuleSetOptions/>
</NAT>
<Policy id="id2711X89830" name="Policy" comment="" ro="False" ipv4_rule_set="False" ipv6_rule_set="False" top_rule_set="True">
<RuleSetOptions/></Policy>
<Routing id="id2713X89830" name="Routing" comment="" ro="False" ipv4_rule_set="False" ipv6_rule_set="False" top_rule_set="True"><RuleSetOptions/>
</Routing>
<Interface id="id2716X89830" dyn="False" label="" security_level="0" unnum="False" unprotected="False" name="vrrp0" comment="" ro="False">
<IPv4 id="id2717X89830" name="cluster3:vrrp0:ip" comment="" ro="False" address="192.168.1.1" netmask="255.255.255.0"/>
<InterfaceOptions>
@ -921,9 +905,11 @@
</TSrv>
<NATRuleOptions/>
</NATRule>
<RuleSetOptions/>
</NAT>
<Policy id="id2780X94039" name="Policy" comment="" ro="False" ipv4_rule_set="False" ipv6_rule_set="False" top_rule_set="True">
<PolicyRule id="id3055X14356" disabled="False" group="" log="False" position="0" action="Accept" direction="Both" comment="">
<PolicyRule id="id3055X14356" disabled="False" group="" log="False" position="0" action="Accept" direction="Both" comment="">
<Src neg="False">
<ObjectRef ref="sysid0"/>
</Src>
@ -942,8 +928,7 @@
<PolicyRuleOptions>
<Option name="stateless">False</Option>
</PolicyRuleOptions>
</PolicyRule>
<PolicyRule id="id2781X94039" disabled="False" log="True" position="1" action="Deny" direction="Inbound" comment="anti spoofing rule">
</PolicyRule><PolicyRule id="id2781X94039" disabled="False" log="True" position="1" action="Deny" direction="Inbound" comment="anti spoofing rule">
<Src neg="False">
<ObjectRef ref="id3DC75CE7-1"/>
<ObjectRef ref="id2772X94039"/>
@ -961,8 +946,7 @@
<IntervalRef ref="sysid2"/>
</When>
<PolicyRuleOptions/>
</PolicyRule>
<PolicyRule id="id2794X94039" disabled="False" log="False" position="2" action="Accept" direction="Both" comment="">
</PolicyRule><PolicyRule id="id2794X94039" disabled="False" log="False" position="2" action="Accept" direction="Both" comment="">
<Src neg="False">
<ObjectRef ref="sysid0"/>
</Src>
@ -979,8 +963,7 @@
<IntervalRef ref="sysid2"/>
</When>
<PolicyRuleOptions/>
</PolicyRule>
<PolicyRule id="id2806X94039" disabled="False" log="False" position="3" action="Accept" direction="Both" comment="SSH Access to firewall is permitted&#10;only from internal network">
</PolicyRule><PolicyRule id="id2806X94039" disabled="False" log="False" position="3" action="Accept" direction="Both" comment="SSH Access to firewall is permitted&#10;only from internal network">
<Src neg="False">
<ObjectRef ref="id3DC75CE7-1"/>
</Src>
@ -997,8 +980,7 @@
<IntervalRef ref="sysid2"/>
</When>
<PolicyRuleOptions/>
</PolicyRule>
<PolicyRule id="id3725X2234" disabled="False" group="" log="False" position="4" action="Accept" direction="Both" comment="SSH Access to firewall is permitted&#10;only from internal network">
</PolicyRule><PolicyRule id="id3725X2234" disabled="False" group="" log="False" position="4" action="Accept" direction="Both" comment="SSH Access to firewall is permitted&#10;only from internal network">
<Src neg="False">
<ObjectRef ref="id3DC75CE7-1"/>
</Src>
@ -1015,8 +997,7 @@
<IntervalRef ref="sysid2"/>
</When>
<PolicyRuleOptions/>
</PolicyRule>
<PolicyRule id="id2818X94039" disabled="False" log="True" position="5" action="Accept" direction="Both" comment="Firewall uses one of the machines&#10;on internal network for DNS">
</PolicyRule><PolicyRule id="id2818X94039" disabled="False" log="True" position="5" action="Accept" direction="Both" comment="Firewall uses one of the machines&#10;on internal network for DNS">
<Src neg="False">
<ObjectRef ref="id2772X94039"/>
</Src>
@ -1033,8 +1014,7 @@
<IntervalRef ref="sysid2"/>
</When>
<PolicyRuleOptions/>
</PolicyRule>
<PolicyRule id="id2830X94039" disabled="False" log="True" position="6" action="Deny" direction="Both" comment="All other attempts to connect to&#10;the firewall are denied and logged">
</PolicyRule><PolicyRule id="id2830X94039" disabled="False" log="True" position="6" action="Deny" direction="Both" comment="All other attempts to connect to&#10;the firewall are denied and logged">
<Src neg="False">
<ObjectRef ref="sysid0"/>
</Src>
@ -1075,8 +1055,7 @@
<Option name="stateless">True</Option>
<Option name="ulog_nlgroup">1</Option>
</PolicyRuleOptions>
</PolicyRule>
<PolicyRule id="id2842X94039" disabled="False" log="False" position="7" action="Accept" direction="Both" comment="">
</PolicyRule><PolicyRule id="id2842X94039" disabled="False" log="False" position="7" action="Accept" direction="Both" comment="">
<Src neg="False">
<ObjectRef ref="id3DC75CE7-1"/>
</Src>
@ -1093,8 +1072,7 @@
<IntervalRef ref="sysid2"/>
</When>
<PolicyRuleOptions/>
</PolicyRule>
<PolicyRule id="id2854X94039" disabled="False" log="True" position="8" action="Deny" direction="Both" comment="">
</PolicyRule><PolicyRule id="id2854X94039" disabled="False" log="True" position="8" action="Deny" direction="Both" comment="">
<Src neg="False">
<ObjectRef ref="sysid0"/>
</Src>
@ -1111,8 +1089,7 @@
<IntervalRef ref="sysid2"/>
</When>
<PolicyRuleOptions/>
</PolicyRule>
<PolicyRule id="id3087X2234" disabled="False" group="" log="True" position="9" action="Deny" direction="Both" comment="">
</PolicyRule><PolicyRule id="id3087X2234" disabled="False" group="" log="True" position="9" action="Deny" direction="Both" comment="">
<Src neg="False">
<ObjectRef ref="sysid0"/>
</Src>
@ -1131,8 +1108,7 @@
<PolicyRuleOptions>
<Option name="stateless">True</Option>
</PolicyRuleOptions>
</PolicyRule>
</Policy>
</PolicyRule><RuleSetOptions/></Policy>
<Routing id="id2881X94039" name="Routing" comment="" ro="False" ipv4_rule_set="False" ipv6_rule_set="False" top_rule_set="True">
<RoutingRule id="id146086X57559" disabled="False" metric="0" position="0" comment="">
<RDst neg="False">
@ -1158,7 +1134,9 @@
</RItf>
<RoutingRuleOptions/>
</RoutingRule>
<RuleSetOptions/>
</Routing>
<Interface id="id2882X94039" dyn="False" label="" security_level="0" unnum="False" unprotected="False" name="vrrp0" comment="" ro="False">
<IPv4 id="id2889X94039" name="cluster1-1:vrrp0:ip" comment="" ro="False" address="172.24.0.1" netmask="255.255.0.0"/>
<InterfaceOptions>
@ -1215,9 +1193,11 @@
</TSrv>
<NATRuleOptions/>
</NATRule>
<RuleSetOptions/>
</NAT>
<Policy id="id3465X13311" name="Policy" comment="" ro="False" ipv4_rule_set="False" ipv6_rule_set="False" top_rule_set="True">
<PolicyRule id="id3466X13311" disabled="False" group="" log="False" position="0" action="Accept" direction="Both" comment="">
<PolicyRule id="id3466X13311" disabled="False" group="" log="False" position="0" action="Accept" direction="Both" comment="">
<Src neg="False">
<ObjectRef ref="sysid0"/>
</Src>
@ -1236,8 +1216,7 @@
<PolicyRuleOptions>
<Option name="stateless">False</Option>
</PolicyRuleOptions>
</PolicyRule>
<PolicyRule id="id3478X13311" disabled="False" log="True" position="1" action="Deny" direction="Inbound" comment="anti spoofing rule">
</PolicyRule><PolicyRule id="id3478X13311" disabled="False" log="True" position="1" action="Deny" direction="Inbound" comment="anti spoofing rule">
<Src neg="False">
<ObjectRef ref="id3DC75CE7-1"/>
<ObjectRef ref="id3433X13311"/>
@ -1255,8 +1234,7 @@
<IntervalRef ref="sysid2"/>
</When>
<PolicyRuleOptions/>
</PolicyRule>
<PolicyRule id="id3491X13311" disabled="False" log="False" position="2" action="Accept" direction="Both" comment="">
</PolicyRule><PolicyRule id="id3491X13311" disabled="False" log="False" position="2" action="Accept" direction="Both" comment="">
<Src neg="False">
<ObjectRef ref="sysid0"/>
</Src>
@ -1273,8 +1251,7 @@
<IntervalRef ref="sysid2"/>
</When>
<PolicyRuleOptions/>
</PolicyRule>
<PolicyRule id="id3503X13311" disabled="False" log="False" position="3" action="Accept" direction="Both" comment="SSH Access to firewall is permitted&#10;only from internal network">
</PolicyRule><PolicyRule id="id3503X13311" disabled="False" log="False" position="3" action="Accept" direction="Both" comment="SSH Access to firewall is permitted&#10;only from internal network">
<Src neg="False">
<ObjectRef ref="id3DC75CE7-1"/>
</Src>
@ -1291,8 +1268,7 @@
<IntervalRef ref="sysid2"/>
</When>
<PolicyRuleOptions/>
</PolicyRule>
<PolicyRule id="id3515X13311" disabled="False" group="" log="False" position="4" action="Accept" direction="Both" comment="SSH Access to firewall is permitted&#10;only from internal network">
</PolicyRule><PolicyRule id="id3515X13311" disabled="False" group="" log="False" position="4" action="Accept" direction="Both" comment="SSH Access to firewall is permitted&#10;only from internal network">
<Src neg="False">
<ObjectRef ref="id3DC75CE7-1"/>
</Src>
@ -1309,8 +1285,7 @@
<IntervalRef ref="sysid2"/>
</When>
<PolicyRuleOptions/>
</PolicyRule>
<PolicyRule id="id3527X13311" disabled="False" log="True" position="5" action="Accept" direction="Both" comment="Firewall uses one of the machines&#10;on internal network for DNS">
</PolicyRule><PolicyRule id="id3527X13311" disabled="False" log="True" position="5" action="Accept" direction="Both" comment="Firewall uses one of the machines&#10;on internal network for DNS">
<Src neg="False">
<ObjectRef ref="id3433X13311"/>
</Src>
@ -1327,8 +1302,7 @@
<IntervalRef ref="sysid2"/>
</When>
<PolicyRuleOptions/>
</PolicyRule>
<PolicyRule id="id4369X67939" disabled="False" group="" log="False" position="6" action="Branch" direction="Both" comment="branch rule set is different in members linux-1 and linux-2">
</PolicyRule><PolicyRule id="id4369X67939" disabled="False" group="" log="False" position="6" action="Branch" direction="Both" comment="branch rule set is different in members linux-1 and linux-2">
<Src neg="False">
<ObjectRef ref="sysid0"/>
</Src>
@ -1392,8 +1366,7 @@
<Option name="stateless">True</Option>
<Option name="ulog_nlgroup">1</Option>
</PolicyRuleOptions>
</PolicyRule>
<PolicyRule id="id3539X13311" disabled="False" log="True" position="7" action="Deny" direction="Both" comment="">
</PolicyRule><PolicyRule id="id3539X13311" disabled="False" log="True" position="7" action="Deny" direction="Both" comment="">
<Src neg="False">
<ObjectRef ref="sysid0"/>
</Src>
@ -1434,8 +1407,7 @@
<Option name="stateless">True</Option>
<Option name="ulog_nlgroup">1</Option>
</PolicyRuleOptions>
</PolicyRule>
<PolicyRule id="id3551X13311" disabled="False" log="False" position="8" action="Accept" direction="Both" comment="">
</PolicyRule><PolicyRule id="id3551X13311" disabled="False" log="False" position="8" action="Accept" direction="Both" comment="">
<Src neg="False">
<ObjectRef ref="id3DC75CE7-1"/>
</Src>
@ -1452,8 +1424,7 @@
<IntervalRef ref="sysid2"/>
</When>
<PolicyRuleOptions/>
</PolicyRule>
<PolicyRule id="id3563X13311" disabled="False" log="True" position="9" action="Deny" direction="Both" comment="">
</PolicyRule><PolicyRule id="id3563X13311" disabled="False" log="True" position="9" action="Deny" direction="Both" comment="">
<Src neg="False">
<ObjectRef ref="sysid0"/>
</Src>
@ -1470,8 +1441,7 @@
<IntervalRef ref="sysid2"/>
</When>
<PolicyRuleOptions/>
</PolicyRule>
<PolicyRule id="id3575X13311" disabled="False" group="" log="True" position="10" action="Deny" direction="Both" comment="">
</PolicyRule><PolicyRule id="id3575X13311" disabled="False" group="" log="True" position="10" action="Deny" direction="Both" comment="">
<Src neg="False">
<ObjectRef ref="sysid0"/>
</Src>
@ -1490,9 +1460,9 @@
<PolicyRuleOptions>
<Option name="stateless">True</Option>
</PolicyRuleOptions>
</PolicyRule>
</Policy>
<Policy id="id6187X76214" name="to_fw" comment="this is a placeholder ruleset used in branching rule in Policy&#10;Member firewalls linux-1 and linux-2 have their own copy&#10;of the rule set with the same name which is used." ro="False" ipv4_rule_set="True" ipv6_rule_set="False" top_rule_set="False"/>
</PolicyRule><RuleSetOptions/></Policy>
<Policy id="id6187X76214" name="to_fw" comment="this is a placeholder ruleset used in branching rule in Policy&#10;Member firewalls linux-1 and linux-2 have their own copy&#10;of the rule set with the same name which is used." ro="False" ipv4_rule_set="True" ipv6_rule_set="False" top_rule_set="False">
<RuleSetOptions/></Policy>
<Routing id="id3602X13311" name="Routing" comment="" ro="False" ipv4_rule_set="False" ipv6_rule_set="False" top_rule_set="True">
<RoutingRule id="id97243X57559" disabled="False" metric="0" position="0" comment="">
<RDst neg="False">
@ -1506,7 +1476,9 @@
</RItf>
<RoutingRuleOptions/>
</RoutingRule>
<RuleSetOptions/>
</Routing>
<Interface id="id3441X13311" dyn="False" label="" mgmt="False" security_level="0" unnum="False" unprotected="False" name="eth0" comment="" ro="False">
<IPv4 id="id3448X13311" name="heartbeat_cluster_1:eth0:ip" comment="" ro="False" address="172.24.0.1" netmask="255.255.0.0"/>
<InterfaceOptions>
@ -1574,9 +1546,11 @@
</TSrv>
<NATRuleOptions/>
</NATRule>
<RuleSetOptions/>
</NAT>
<Policy id="id3940X13563" name="Policy" comment="" ro="False" ipv4_rule_set="False" ipv6_rule_set="False" top_rule_set="True">
<PolicyRule id="id5257X25627" disabled="False" group="" log="False" position="0" action="Accept" direction="Both" comment="">
<PolicyRule id="id5257X25627" disabled="False" group="" log="False" position="0" action="Accept" direction="Both" comment="">
<Src neg="False">
<ObjectRef ref="sysid0"/>
</Src>
@ -1595,8 +1569,7 @@
<PolicyRuleOptions>
<Option name="stateless">False</Option>
</PolicyRuleOptions>
</PolicyRule>
<PolicyRule id="id5239X25627" disabled="False" log="True" position="1" action="Deny" direction="Inbound" comment="anti spoofing rule">
</PolicyRule><PolicyRule id="id5239X25627" disabled="False" log="True" position="1" action="Deny" direction="Inbound" comment="anti spoofing rule">
<Src neg="False">
<ObjectRef ref="id3DC75CE7-1"/>
<ObjectRef ref="id3937X13563"/>
@ -1614,8 +1587,7 @@
<IntervalRef ref="sysid2"/>
</When>
<PolicyRuleOptions/>
</PolicyRule>
<PolicyRule id="id5222X25627" disabled="False" log="False" position="2" action="Accept" direction="Both" comment="">
</PolicyRule><PolicyRule id="id5222X25627" disabled="False" log="False" position="2" action="Accept" direction="Both" comment="">
<Src neg="False">
<ObjectRef ref="sysid0"/>
</Src>
@ -1632,8 +1604,7 @@
<IntervalRef ref="sysid2"/>
</When>
<PolicyRuleOptions/>
</PolicyRule>
<PolicyRule id="id5205X25627" disabled="False" log="False" position="3" action="Accept" direction="Both" comment="SSH Access to firewall is permitted&#10;only from internal network">
</PolicyRule><PolicyRule id="id5205X25627" disabled="False" log="False" position="3" action="Accept" direction="Both" comment="SSH Access to firewall is permitted&#10;only from internal network">
<Src neg="False">
<ObjectRef ref="id3DC75CE7-1"/>
</Src>
@ -1650,8 +1621,7 @@
<IntervalRef ref="sysid2"/>
</When>
<PolicyRuleOptions/>
</PolicyRule>
<PolicyRule id="id5188X25627" disabled="False" group="" log="False" position="4" action="Accept" direction="Both" comment="SSH Access to firewall is permitted&#10;only from internal network">
</PolicyRule><PolicyRule id="id5188X25627" disabled="False" group="" log="False" position="4" action="Accept" direction="Both" comment="SSH Access to firewall is permitted&#10;only from internal network">
<Src neg="False">
<ObjectRef ref="id3DC75CE7-1"/>
</Src>
@ -1668,8 +1638,7 @@
<IntervalRef ref="sysid2"/>
</When>
<PolicyRuleOptions/>
</PolicyRule>
<PolicyRule id="id5171X25627" disabled="False" log="True" position="5" action="Accept" direction="Both" comment="Firewall uses one of the machines&#10;on internal network for DNS">
</PolicyRule><PolicyRule id="id5171X25627" disabled="False" log="True" position="5" action="Accept" direction="Both" comment="Firewall uses one of the machines&#10;on internal network for DNS">
<Src neg="False">
<ObjectRef ref="id3937X13563"/>
</Src>
@ -1686,8 +1655,7 @@
<IntervalRef ref="sysid2"/>
</When>
<PolicyRuleOptions/>
</PolicyRule>
<PolicyRule id="id5154X25627" disabled="False" log="True" position="6" action="Deny" direction="Both" comment="All other attempts to connect to&#10;the firewall are denied and logged">
</PolicyRule><PolicyRule id="id5154X25627" disabled="False" log="True" position="6" action="Deny" direction="Both" comment="All other attempts to connect to&#10;the firewall are denied and logged">
<Src neg="False">
<ObjectRef ref="sysid0"/>
</Src>
@ -1728,8 +1696,7 @@
<Option name="stateless">True</Option>
<Option name="ulog_nlgroup">1</Option>
</PolicyRuleOptions>
</PolicyRule>
<PolicyRule id="id5137X25627" disabled="False" log="False" position="7" action="Accept" direction="Both" comment="">
</PolicyRule><PolicyRule id="id5137X25627" disabled="False" log="False" position="7" action="Accept" direction="Both" comment="">
<Src neg="False">
<ObjectRef ref="id3DC75CE7-1"/>
</Src>
@ -1746,8 +1713,7 @@
<IntervalRef ref="sysid2"/>
</When>
<PolicyRuleOptions/>
</PolicyRule>
<PolicyRule id="id5120X25627" disabled="False" log="True" position="8" action="Deny" direction="Both" comment="">
</PolicyRule><PolicyRule id="id5120X25627" disabled="False" log="True" position="8" action="Deny" direction="Both" comment="">
<Src neg="False">
<ObjectRef ref="sysid0"/>
</Src>
@ -1764,8 +1730,7 @@
<IntervalRef ref="sysid2"/>
</When>
<PolicyRuleOptions/>
</PolicyRule>
<PolicyRule id="id5103X25627" disabled="False" group="" log="True" position="9" action="Deny" direction="Both" comment="">
</PolicyRule><PolicyRule id="id5103X25627" disabled="False" group="" log="True" position="9" action="Deny" direction="Both" comment="">
<Src neg="False">
<ObjectRef ref="sysid0"/>
</Src>
@ -1784,9 +1749,10 @@
<PolicyRuleOptions>
<Option name="stateless">True</Option>
</PolicyRuleOptions>
</PolicyRule>
</Policy>
<Routing id="id3942X13563" name="Routing" comment="" ro="False" ipv4_rule_set="False" ipv6_rule_set="False" top_rule_set="True"/>
</PolicyRule><RuleSetOptions/></Policy>
<Routing id="id3942X13563" name="Routing" comment="" ro="False" ipv4_rule_set="False" ipv6_rule_set="False" top_rule_set="True"><RuleSetOptions/>
</Routing>
<Interface id="id3945X13563" dyn="False" label="" security_level="0" unnum="False" unprotected="False" name="vrrp0" comment="" ro="False">
<IPv4 id="id3946X13563" name="vrrp_cluster_2:vrrp0:ip" comment="" ro="False" address="172.24.0.1" netmask="255.255.255.0"/>
<InterfaceOptions>
@ -1851,9 +1817,11 @@
</TSrv>
<NATRuleOptions/>
</NATRule>
<RuleSetOptions/>
</NAT>
<Policy id="id4434X28690" name="Policy" comment="" ro="False" ipv4_rule_set="False" ipv6_rule_set="False" top_rule_set="True">
<PolicyRule id="id4435X28690" disabled="False" group="" log="False" position="0" action="Accept" direction="Both" comment="">
<PolicyRule id="id4435X28690" disabled="False" group="" log="False" position="0" action="Accept" direction="Both" comment="">
<Src neg="False">
<ObjectRef ref="sysid0"/>
</Src>
@ -1872,8 +1840,7 @@
<PolicyRuleOptions>
<Option name="stateless">False</Option>
</PolicyRuleOptions>
</PolicyRule>
<PolicyRule id="id4447X28690" disabled="False" log="True" position="1" action="Deny" direction="Inbound" comment="anti spoofing rule">
</PolicyRule><PolicyRule id="id4447X28690" disabled="False" log="True" position="1" action="Deny" direction="Inbound" comment="anti spoofing rule">
<Src neg="False">
<ObjectRef ref="id3DC75CE7-1"/>
<ObjectRef ref="id4400X28690"/>
@ -1891,8 +1858,7 @@
<IntervalRef ref="sysid2"/>
</When>
<PolicyRuleOptions/>
</PolicyRule>
<PolicyRule id="id4460X28690" disabled="False" log="False" position="2" action="Accept" direction="Both" comment="">
</PolicyRule><PolicyRule id="id4460X28690" disabled="False" log="False" position="2" action="Accept" direction="Both" comment="">
<Src neg="False">
<ObjectRef ref="sysid0"/>
</Src>
@ -1909,8 +1875,7 @@
<IntervalRef ref="sysid2"/>
</When>
<PolicyRuleOptions/>
</PolicyRule>
<PolicyRule id="id4472X28690" disabled="False" log="False" position="3" action="Accept" direction="Both" comment="SSH Access to firewall is permitted&#10;only from internal network">
</PolicyRule><PolicyRule id="id4472X28690" disabled="False" log="False" position="3" action="Accept" direction="Both" comment="SSH Access to firewall is permitted&#10;only from internal network">
<Src neg="False">
<ObjectRef ref="id3DC75CE7-1"/>
</Src>
@ -1927,8 +1892,7 @@
<IntervalRef ref="sysid2"/>
</When>
<PolicyRuleOptions/>
</PolicyRule>
<PolicyRule id="id4484X28690" disabled="False" group="" log="False" position="4" action="Accept" direction="Both" comment="SSH Access to firewall is permitted&#10;only from internal network">
</PolicyRule><PolicyRule id="id4484X28690" disabled="False" group="" log="False" position="4" action="Accept" direction="Both" comment="SSH Access to firewall is permitted&#10;only from internal network">
<Src neg="False">
<ObjectRef ref="id3DC75CE7-1"/>
</Src>
@ -1945,8 +1909,7 @@
<IntervalRef ref="sysid2"/>
</When>
<PolicyRuleOptions/>
</PolicyRule>
<PolicyRule id="id4496X28690" disabled="False" log="True" position="5" action="Accept" direction="Both" comment="Firewall uses one of the machines&#10;on internal network for DNS">
</PolicyRule><PolicyRule id="id4496X28690" disabled="False" log="True" position="5" action="Accept" direction="Both" comment="Firewall uses one of the machines&#10;on internal network for DNS">
<Src neg="False">
<ObjectRef ref="id4400X28690"/>
</Src>
@ -1963,8 +1926,7 @@
<IntervalRef ref="sysid2"/>
</When>
<PolicyRuleOptions/>
</PolicyRule>
<PolicyRule id="id4508X28690" disabled="False" group="" log="False" position="6" action="Deny" direction="Both" comment="">
</PolicyRule><PolicyRule id="id4508X28690" disabled="False" group="" log="False" position="6" action="Deny" direction="Both" comment="">
<Src neg="False">
<ObjectRef ref="sysid0"/>
</Src>
@ -2005,8 +1967,7 @@
<Option name="stateless">True</Option>
<Option name="ulog_nlgroup">1</Option>
</PolicyRuleOptions>
</PolicyRule>
<PolicyRule id="id4520X28690" disabled="False" log="True" position="7" action="Deny" direction="Both" comment="">
</PolicyRule><PolicyRule id="id4520X28690" disabled="False" log="True" position="7" action="Deny" direction="Both" comment="">
<Src neg="False">
<ObjectRef ref="sysid0"/>
</Src>
@ -2047,8 +2008,7 @@
<Option name="stateless">True</Option>
<Option name="ulog_nlgroup">1</Option>
</PolicyRuleOptions>
</PolicyRule>
<PolicyRule id="id4532X28690" disabled="False" log="False" position="8" action="Accept" direction="Both" comment="">
</PolicyRule><PolicyRule id="id4532X28690" disabled="False" log="False" position="8" action="Accept" direction="Both" comment="">
<Src neg="False">
<ObjectRef ref="id3DC75CE7-1"/>
</Src>
@ -2065,8 +2025,7 @@
<IntervalRef ref="sysid2"/>
</When>
<PolicyRuleOptions/>
</PolicyRule>
<PolicyRule id="id4544X28690" disabled="False" log="True" position="9" action="Deny" direction="Both" comment="">
</PolicyRule><PolicyRule id="id4544X28690" disabled="False" log="True" position="9" action="Deny" direction="Both" comment="">
<Src neg="False">
<ObjectRef ref="sysid0"/>
</Src>
@ -2083,8 +2042,7 @@
<IntervalRef ref="sysid2"/>
</When>
<PolicyRuleOptions/>
</PolicyRule>
<PolicyRule id="id4556X28690" disabled="False" group="" log="True" position="10" action="Deny" direction="Both" comment="">
</PolicyRule><PolicyRule id="id4556X28690" disabled="False" group="" log="True" position="10" action="Deny" direction="Both" comment="">
<Src neg="False">
<ObjectRef ref="sysid0"/>
</Src>
@ -2103,8 +2061,7 @@
<PolicyRuleOptions>
<Option name="stateless">True</Option>
</PolicyRuleOptions>
</PolicyRule>
</Policy>
</PolicyRule><RuleSetOptions/></Policy>
<Routing id="id4583X28690" name="Routing" comment="" ro="False" ipv4_rule_set="False" ipv6_rule_set="False" top_rule_set="True">
<RoutingRule id="id225294X57559" disabled="False" metric="0" position="0" comment="">
<RDst neg="False">
@ -2130,7 +2087,9 @@
</RItf>
<RoutingRuleOptions/>
</RoutingRule>
<RuleSetOptions/>
</Routing>
<Interface id="id4408X28690" dyn="False" label="" mgmt="False" security_level="0" unnum="False" unprotected="False" name="eth0" comment="" ro="False">
<IPv4 id="id4415X28690" name="heartbeat_cluster_1-1:eth0:ip" comment="" ro="False" address="172.24.0.1" netmask="255.255.0.0"/>
<InterfaceOptions>
@ -2207,10 +2166,13 @@
</ServiceGroup>
<ObjectGroup id="id1514X69605" name="Firewalls" comment="" ro="False">
<Firewall id="id2735X69605" host_OS="linux24" inactive="False" lastCompiled="1251482764" lastInstalled="0" lastModified="1251419063" platform="iptables" version="" name="linux-1" comment=" " ro="False">
<NAT id="id2827X69605" name="NAT" comment="" ro="False" ipv4_rule_set="False" ipv6_rule_set="False" top_rule_set="True"/>
<Policy id="id2741X69605" name="Policy" comment="" ro="False" ipv4_rule_set="False" ipv6_rule_set="False" top_rule_set="True"/>
<NAT id="id2827X69605" name="NAT" comment="" ro="False" ipv4_rule_set="False" ipv6_rule_set="False" top_rule_set="True"><RuleSetOptions/>
</NAT>
<Policy id="id2741X69605" name="Policy" comment="" ro="False" ipv4_rule_set="False" ipv6_rule_set="False" top_rule_set="True">
<RuleSetOptions/></Policy>
<Policy id="id6188X76214" name="to_fw" comment="" ro="False" ipv4_rule_set="True" ipv6_rule_set="False" top_rule_set="False">
<PolicyRule id="id10428X76214" disabled="False" log="True" position="0" action="Deny" direction="Both" comment="hashlimit 10/sec">
<PolicyRule id="id10428X76214" disabled="False" log="True" position="0" action="Deny" direction="Both" comment="hashlimit 10/sec">
<Src neg="False">
<ObjectRef ref="sysid0"/>
</Src>
@ -2251,9 +2213,10 @@
<Option name="stateless">True</Option>
<Option name="ulog_nlgroup">1</Option>
</PolicyRuleOptions>
</PolicyRule>
</Policy>
<Routing id="id2842X69605" name="Routing" comment="" ro="False" ipv4_rule_set="False" ipv6_rule_set="False" top_rule_set="True"/>
</PolicyRule><RuleSetOptions/></Policy>
<Routing id="id2842X69605" name="Routing" comment="" ro="False" ipv4_rule_set="False" ipv6_rule_set="False" top_rule_set="True"><RuleSetOptions/>
</Routing>
<Interface id="id2843X69605" dyn="False" label="" mgmt="False" security_level="0" unnum="False" unprotected="False" name="eth0" comment=" " ro="False">
<IPv4 id="id3764X78273" name="linux-1:eth0:ip" comment="" ro="False" address="172.24.0.2" netmask="255.255.0.0"/>
<InterfaceOptions>
@ -2368,10 +2331,13 @@
</FirewallOptions>
</Firewall>
<Firewall id="id3009X69605" host_OS="linux24" inactive="False" lastCompiled="1251482764" lastInstalled="0" lastModified="1251418923" platform="iptables" version="" name="linux-2" comment="" ro="False">
<NAT id="id3101X69605" name="NAT" comment="" ro="False" ipv4_rule_set="False" ipv6_rule_set="False" top_rule_set="True"/>
<Policy id="id3015X69605" name="Policy" comment="" ro="False" ipv4_rule_set="False" ipv6_rule_set="False" top_rule_set="True"/>
<NAT id="id3101X69605" name="NAT" comment="" ro="False" ipv4_rule_set="False" ipv6_rule_set="False" top_rule_set="True"><RuleSetOptions/>
</NAT>
<Policy id="id3015X69605" name="Policy" comment="" ro="False" ipv4_rule_set="False" ipv6_rule_set="False" top_rule_set="True">
<RuleSetOptions/></Policy>
<Policy id="id6191X76214" name="to_fw" comment="" ro="False" ipv4_rule_set="True" ipv6_rule_set="False" top_rule_set="False">
<PolicyRule id="id10440X76214" disabled="False" log="True" position="0" action="Deny" direction="Both" comment="hashlimit 20/sec">
<PolicyRule id="id10440X76214" disabled="False" log="True" position="0" action="Deny" direction="Both" comment="hashlimit 20/sec">
<Src neg="False">
<ObjectRef ref="sysid0"/>
</Src>
@ -2412,9 +2378,10 @@
<Option name="stateless">True</Option>
<Option name="ulog_nlgroup">1</Option>
</PolicyRuleOptions>
</PolicyRule>
</Policy>
<Routing id="id3116X69605" name="Routing" comment="" ro="False" ipv4_rule_set="False" ipv6_rule_set="False" top_rule_set="True"/>
</PolicyRule><RuleSetOptions/></Policy>
<Routing id="id3116X69605" name="Routing" comment="" ro="False" ipv4_rule_set="False" ipv6_rule_set="False" top_rule_set="True"><RuleSetOptions/>
</Routing>
<Interface id="id3117X69605" dyn="False" label="" mgmt="False" security_level="0" unnum="False" unprotected="False" name="eth0" comment="" ro="False">
<IPv4 id="id3765X78273" name="linux-2:eth0:ip" comment="" ro="False" address="172.24.0.3" netmask="255.255.0.0"/>
<InterfaceOptions/>
@ -2511,9 +2478,14 @@
</FirewallOptions>
</Firewall>
<Firewall id="id4021X2906" host_OS="secuwall" inactive="False" lastCompiled="0" lastInstalled="0" lastModified="1244045700" platform="iptables" version="" name="secuwall-1" comment="This firewall has two interfaces. Eth0 faces outside and has a dynamic address; eth1 faces inside.&#10;Policy includes basic rules to permit unrestricted outbound access and anti-spoofing rules. Access to the firewall is permitted only from internal network and only using SSH. The firewall uses one of the machines on internal network for DNS. Internal network is configured with address 192.168.1.0/255.255.255.0" ro="False">
<NAT id="id4028X2906" name="NAT" comment="" ro="False" ipv4_rule_set="False" ipv6_rule_set="False" top_rule_set="True"/>
<Policy id="id4027X2906" name="Policy" comment="" ro="False" ipv4_rule_set="False" ipv6_rule_set="False" top_rule_set="True"/>
<Routing id="id4029X2906" name="Routing" comment="" ro="False" ipv4_rule_set="False" ipv6_rule_set="False" top_rule_set="True"/>
<NAT id="id4028X2906" name="NAT" comment="" ro="False" ipv4_rule_set="False" ipv6_rule_set="False" top_rule_set="True"><RuleSetOptions/>
</NAT>
<Policy id="id4027X2906" name="Policy" comment="" ro="False" ipv4_rule_set="False" ipv6_rule_set="False" top_rule_set="True">
<RuleSetOptions/></Policy>
<Routing id="id4029X2906" name="Routing" comment="" ro="False" ipv4_rule_set="False" ipv6_rule_set="False" top_rule_set="True"><RuleSetOptions/>
</Routing>
<Interface id="id4030X2906" dyn="False" label="" mgmt="False" security_level="0" unnum="False" unprotected="False" name="eth0" comment="" ro="False">
<IPv4 id="id4032X2906" name="secuwall-1:eth0:ip" comment="" ro="False" address="172.24.0.2" netmask="255.255.0.0"/>
<InterfaceOptions>
@ -2622,9 +2594,14 @@
</FirewallOptions>
</Firewall>
<Firewall id="id4046X2906" host_OS="secuwall" inactive="False" lastCompiled="0" lastInstalled="0" lastModified="1243788928" platform="iptables" version="" name="secuwall-2" comment="This firewall has two interfaces. Eth0 faces outside and has a dynamic address; eth1 faces inside.&#10;Policy includes basic rules to permit unrestricted outbound access and anti-spoofing rules. Access to the firewall is permitted only from internal network and only using SSH. The firewall uses one of the machines on internal network for DNS. Internal network is configured with address 192.168.1.0/255.255.255.0" ro="False">
<NAT id="id4053X2906" name="NAT" comment="" ro="False" ipv4_rule_set="False" ipv6_rule_set="False" top_rule_set="True"/>
<Policy id="id4052X2906" name="Policy" comment="" ro="False" ipv4_rule_set="False" ipv6_rule_set="False" top_rule_set="True"/>
<Routing id="id4054X2906" name="Routing" comment="" ro="False" ipv4_rule_set="False" ipv6_rule_set="False" top_rule_set="True"/>
<NAT id="id4053X2906" name="NAT" comment="" ro="False" ipv4_rule_set="False" ipv6_rule_set="False" top_rule_set="True"><RuleSetOptions/>
</NAT>
<Policy id="id4052X2906" name="Policy" comment="" ro="False" ipv4_rule_set="False" ipv6_rule_set="False" top_rule_set="True">
<RuleSetOptions/></Policy>
<Routing id="id4054X2906" name="Routing" comment="" ro="False" ipv4_rule_set="False" ipv6_rule_set="False" top_rule_set="True"><RuleSetOptions/>
</Routing>
<Interface id="id4055X2906" dyn="False" label="" mgmt="False" security_level="0" unnum="False" unprotected="False" name="eth0" comment="" ro="False">
<IPv4 id="id4057X2906" name="secuwall-2:eth0:ip" comment="" ro="False" address="172.24.0.3" netmask="255.255.0.0"/>
<InterfaceOptions>
@ -2752,9 +2729,14 @@
</FirewallOptions>
</Firewall>
<Firewall id="id3095X82837" host_OS="linux24" inactive="False" lastCompiled="1248541097" lastInstalled="0" lastModified="1244071962" platform="iptables" version="" name="gw1-bridge" comment="This firewall has two interfaces. Eth0 faces outside and has a dynamic address; eth1 faces inside.&#10;Policy includes basic rules to permit unrestricted outbound access and anti-spoofing rules. Access to the firewall is permitted only from internal network and only using SSH. The firewall uses one of the machines on internal network for DNS. Internal network is configured with address 192.168.1.0/255.255.255.0" ro="False">
<NAT id="id3102X82837" name="NAT" comment="" ro="False" ipv4_rule_set="False" ipv6_rule_set="False" top_rule_set="True"/>
<Policy id="id3101X82837" name="Policy" comment="" ro="False" ipv4_rule_set="False" ipv6_rule_set="False" top_rule_set="True"/>
<Routing id="id3103X82837" name="Routing" comment="" ro="False" ipv4_rule_set="False" ipv6_rule_set="False" top_rule_set="True"/>
<NAT id="id3102X82837" name="NAT" comment="" ro="False" ipv4_rule_set="False" ipv6_rule_set="False" top_rule_set="True"><RuleSetOptions/>
</NAT>
<Policy id="id3101X82837" name="Policy" comment="" ro="False" ipv4_rule_set="False" ipv6_rule_set="False" top_rule_set="True">
<RuleSetOptions/></Policy>
<Routing id="id3103X82837" name="Routing" comment="" ro="False" ipv4_rule_set="False" ipv6_rule_set="False" top_rule_set="True"><RuleSetOptions/>
</Routing>
<Interface id="id3104X82837" dyn="False" label="" mgmt="False" security_level="0" unnum="False" unprotected="False" name="eth0" comment="" ro="False">
<IPv4 id="id3109X82837" name="gw1-bridge:eth0:ip" comment="" ro="False" address="172.24.0.2" netmask="255.255.0.0"/>
<InterfaceOptions>
@ -2888,9 +2870,11 @@
</FirewallOptions>
</Firewall>
<Firewall id="id3783X36775" host_OS="linux24" inactive="False" lastCompiled="1251482998" lastInstalled="0" lastModified="1251482982" platform="iptables" version="" name="linux-bonding-1" comment="VLAN and bonding interface configuration" ro="False">
<NAT id="id3817X36775" name="NAT" comment="" ro="False" ipv4_rule_set="False" ipv6_rule_set="False" top_rule_set="True"/>
<NAT id="id3817X36775" name="NAT" comment="" ro="False" ipv4_rule_set="False" ipv6_rule_set="False" top_rule_set="True"><RuleSetOptions/>
</NAT>
<Policy id="id3816X36775" name="Policy" comment="" ro="False" ipv4_rule_set="False" ipv6_rule_set="False" top_rule_set="True">
<PolicyRule id="id4355X56095" disabled="False" log="False" position="0" action="Accept" direction="Both" comment="">
<PolicyRule id="id4355X56095" disabled="False" log="False" position="0" action="Accept" direction="Both" comment="">
<Src neg="False">
<ObjectRef ref="sysid0"/>
</Src>
@ -2909,9 +2893,10 @@
<PolicyRuleOptions>
<Option name="stateless">False</Option>
</PolicyRuleOptions>
</PolicyRule>
</Policy>
<Routing id="id3818X36775" name="Routing" comment="" ro="False" ipv4_rule_set="False" ipv6_rule_set="False" top_rule_set="True"/>
</PolicyRule><RuleSetOptions/></Policy>
<Routing id="id3818X36775" name="Routing" comment="" ro="False" ipv4_rule_set="False" ipv6_rule_set="False" top_rule_set="True"><RuleSetOptions/>
</Routing>
<Interface id="id3789X36775" dyn="False" label="" mgmt="False" security_level="0" unnum="False" unprotected="False" name="eth0" comment="" ro="False">
<IPv4 id="id3794X36775" name="linux-bonding-1:eth0:ip" comment="" ro="False" address="172.24.0.2" netmask="255.255.0.0"/>
<InterfaceOptions>

4230
test/ipt/objects-for-regression-tests.fwb
View File

File diff suppressed because it is too large Load Diff

511
test/pf/cluster-tests.fwb
View File

@ -1,18 +1,16 @@
<?xml version="1.0" encoding="utf-8"?>
<!DOCTYPE FWObjectDatabase SYSTEM "fwbuilder.dtd">
<FWObjectDatabase xmlns="http://www.fwbuilder.org/1.0/" version="13" lastModified="1247165520" id="root">
<FWObjectDatabase xmlns="http://www.fwbuilder.org/1.0/" version="15" lastModified="1247165520" id="root">
<Library id="sysid99" name="Deleted Objects" comment="" ro="False">
<ObjectRef ref="sysid0"/>
<StateSyncClusterGroup id="id3505X94039" type="conntrack" name="State Sync Group-1" comment="">
<ClusterGroupOptions/>
</StateSyncClusterGroup>
<FailoverClusterGroup id="id2719X89830" type="vrrp" name="cluster3:vrrp0:members" comment="">
<ClusterGroupOptions>
<Option name="vrrp_secret">vrrp_secret</Option>
<Option name="vrrp_vrid"></Option>
<Option name="vrrp_vrid"/>
</ClusterGroupOptions>
</FailoverClusterGroup>
<ServiceRef ref="sysid1"/>
<StateSyncClusterGroup id="id2762X92940" type="conntrack" name="State Sync Group-1" comment="">
<ClusterGroupOptions/>
</StateSyncClusterGroup>
@ -22,26 +20,24 @@
<StateSyncClusterGroup id="id2726X89830" type="conntrack" name="State sync group" comment="">
<ClusterGroupOptions/>
</StateSyncClusterGroup>
<ObjectRef ref="id10491X48869"/>
<ObjectRef ref="id10489X48869"/>
<Interface id="id10489X48869" dedicated_failover="False" dyn="False" label="" mgmt="False" security_level="0" unnum="False" unprotected="False" name="br0" comment="" ro="False">
<IPv4 id="id11790X48869" name="secuwall-1:br0:ip" comment="" ro="False" address="2.2.2.2" netmask="255.255.255.0"/>
<InterfaceOptions>
<Option name="iface_disablearp">False</Option>
<Option name="iface_disableboot">False</Option>
<Option name="iface_mtu">1500</Option>
<Option name="iface_options"></Option>
<Option name="iface_options"/>
<Option name="type">bridge</Option>
<Option name="vlan_id"></Option>
<Option name="vlan_id"/>
</InterfaceOptions>
<Interface id="id10491X48869" dedicated_failover="False" dyn="False" label="" security_level="0" unnum="False" unprotected="False" name="eth2" comment="" ro="False">
<InterfaceOptions>
<Option name="iface_disablearp">False</Option>
<Option name="iface_disableboot">False</Option>
<Option name="iface_mtu">1500</Option>
<Option name="iface_options"></Option>
<Option name="iface_options"/>
<Option name="type">ethernet</Option>
<Option name="vlan_id"></Option>
<Option name="vlan_id"/>
</InterfaceOptions>
</Interface>
<Interface id="id10493X48869" dedicated_failover="False" dyn="False" label="" security_level="0" unnum="False" unprotected="False" name="eth3" comment="" ro="False">
@ -78,7 +74,7 @@
<Option name="iface_disablearp">False</Option>
<Option name="iface_disableboot">False</Option>
<Option name="iface_mtu">1500</Option>
<Option name="iface_options"></Option>
<Option name="iface_options"/>
<Option name="type">8021q</Option>
<Option name="vlan_id">100</Option>
</InterfaceOptions>
@ -89,21 +85,11 @@
<Option name="iface_disablearp">False</Option>
<Option name="iface_disableboot">False</Option>
<Option name="iface_mtu">1500</Option>
<Option name="iface_options"></Option>
<Option name="iface_options"/>
<Option name="type">8021q</Option>
<Option name="vlan_id">101</Option>
</InterfaceOptions>
</Interface>
<ObjectRef ref="id3642X95766"/>
<ObjectRef ref="id3647X95766"/>
<ObjectRef ref="id2833X26920"/>
<ObjectRef ref="id3346X26920"/>
<ObjectRef ref="id2835X26920"/>
<ObjectRef ref="id3349X26920"/>
<ObjectRef ref="id7296X42213"/>
<ObjectRef ref="id7323X42213"/>
<ObjectRef ref="id2374X75741"/>
<ObjectRef ref="id2366X75741"/>
<Cluster id="id2366X75741" host_OS="secuwall" lastCompiled="1247150655" lastInstalled="0" lastModified="1242671896" platform="iptables" name="cluster1" comment="" ro="False">
<NAT id="id2370X75741" name="NAT" comment="" ro="False" ipv4_rule_set="False" ipv6_rule_set="False" top_rule_set="True">
<NATRule id="id4606X78273" disabled="False" position="0" action="Translate" comment="">
@ -127,7 +113,9 @@
</TSrv>
<NATRuleOptions/>
</NATRule>
</NAT>
<RuleSetOptions/>
</NAT>
<Policy id="id2369X75741" name="Policy" comment="" ro="False" ipv4_rule_set="False" ipv6_rule_set="False" top_rule_set="True">
<PolicyRule id="id2913X78273" disabled="False" log="True" position="0" action="Deny" direction="Inbound" comment="anti spoofing rule">
<Src neg="False">
@ -146,8 +134,7 @@
<IntervalRef ref="sysid2"/>
</When>
<PolicyRuleOptions/>
</PolicyRule>
<PolicyRule id="id2896X78273" disabled="False" log="False" position="1" action="Accept" direction="Both" comment="">
</PolicyRule><PolicyRule id="id2896X78273" disabled="False" log="False" position="1" action="Accept" direction="Both" comment="">
<Src neg="False">
<ObjectRef ref="sysid0"/>
</Src>
@ -164,8 +151,7 @@
<IntervalRef ref="sysid2"/>
</When>
<PolicyRuleOptions/>
</PolicyRule>
<PolicyRule id="id2879X78273" disabled="False" log="False" position="2" action="Accept" direction="Both" comment="SSH Access to firewall is permitted&#10;only from internal network">
</PolicyRule><PolicyRule id="id2879X78273" disabled="False" log="False" position="2" action="Accept" direction="Both" comment="SSH Access to firewall is permitted&#10;only from internal network">
<Src neg="False">
<ObjectRef ref="id3DC75CE7-1"/>
</Src>
@ -182,8 +168,7 @@
<IntervalRef ref="sysid2"/>
</When>
<PolicyRuleOptions/>
</PolicyRule>
<PolicyRule id="id2862X78273" disabled="False" log="True" position="3" action="Accept" direction="Both" comment="Firewall uses one of the machines&#10;on internal network for DNS">
</PolicyRule><PolicyRule id="id2862X78273" disabled="False" log="True" position="3" action="Accept" direction="Both" comment="Firewall uses one of the machines&#10;on internal network for DNS">
<Src neg="False">
<ObjectRef ref="sysid0"/>
</Src>
@ -200,8 +185,7 @@
<IntervalRef ref="sysid2"/>
</When>
<PolicyRuleOptions/>
</PolicyRule>
<PolicyRule id="id2845X78273" disabled="False" log="True" position="4" action="Deny" direction="Both" comment="All other attempts to connect to&#10;the firewall are denied and logged">
</PolicyRule><PolicyRule id="id2845X78273" disabled="False" log="True" position="4" action="Deny" direction="Both" comment="All other attempts to connect to&#10;the firewall are denied and logged">
<Src neg="False">
<ObjectRef ref="sysid0"/>
</Src>
@ -218,8 +202,7 @@
<IntervalRef ref="sysid2"/>
</When>
<PolicyRuleOptions/>
</PolicyRule>
<PolicyRule id="id2828X78273" disabled="False" log="False" position="5" action="Accept" direction="Both" comment="">
</PolicyRule><PolicyRule id="id2828X78273" disabled="False" log="False" position="5" action="Accept" direction="Both" comment="">
<Src neg="False">
<ObjectRef ref="id3DC75CE7-1"/>
</Src>
@ -236,8 +219,7 @@
<IntervalRef ref="sysid2"/>
</When>
<PolicyRuleOptions/>
</PolicyRule>
<PolicyRule id="id2811X78273" disabled="False" log="True" position="6" action="Deny" direction="Both" comment="">
</PolicyRule><PolicyRule id="id2811X78273" disabled="False" log="True" position="6" action="Deny" direction="Both" comment="">
<Src neg="False">
<ObjectRef ref="sysid0"/>
</Src>
@ -254,9 +236,10 @@
<IntervalRef ref="sysid2"/>
</When>
<PolicyRuleOptions/>
</PolicyRule>
</Policy>
<Routing id="id2371X75741" name="Routing" comment="" ro="False" ipv4_rule_set="False" ipv6_rule_set="False" top_rule_set="True"/>
</PolicyRule><RuleSetOptions/></Policy>
<Routing id="id2371X75741" name="Routing" comment="" ro="False" ipv4_rule_set="False" ipv6_rule_set="False" top_rule_set="True"><RuleSetOptions/>
</Routing>
<Interface id="id2374X75741" dedicated_failover="False" dyn="False" label="" security_level="0" unnum="False" unprotected="False" name="vrrp0" comment="" ro="False">
<IPv4 id="id2375X75741" name="cluster1:vrrp0:ip" comment="" ro="False" address="172.24.0.1" netmask="255.255.0.0"/>
<InterfaceOptions>
@ -290,9 +273,6 @@
<ClusterGroupOptions/>
</StateSyncClusterGroup>
</Cluster>
<ObjectRef ref="id2882X94039"/>
<ObjectRef ref="id2903X94039"/>
<ObjectRef ref="id2772X94039"/>
<Cluster id="id2772X94039" host_OS="linux24" inactive="False" lastCompiled="1247150656" lastInstalled="0" lastModified="1243709194" platform="iptables" name="linux_cluster_1" comment="" ro="False">
<NAT id="id2866X94039" name="NAT" comment="" ro="False" ipv4_rule_set="False" ipv6_rule_set="False" top_rule_set="True">
<NATRule id="id2867X94039" disabled="False" position="0" action="Translate" comment="">
@ -316,7 +296,9 @@
</TSrv>
<NATRuleOptions/>
</NATRule>
</NAT>
<RuleSetOptions/>
</NAT>
<Policy id="id2780X94039" name="Policy" comment="" ro="False" ipv4_rule_set="False" ipv6_rule_set="False" top_rule_set="True">
<PolicyRule id="id3055X14356" disabled="False" group="" log="False" position="0" action="Accept" direction="Both" comment="">
<Src neg="False">
@ -337,8 +319,7 @@
<PolicyRuleOptions>
<Option name="stateless">False</Option>
</PolicyRuleOptions>
</PolicyRule>
<PolicyRule id="id2781X94039" disabled="False" log="True" position="1" action="Deny" direction="Inbound" comment="anti spoofing rule">
</PolicyRule><PolicyRule id="id2781X94039" disabled="False" log="True" position="1" action="Deny" direction="Inbound" comment="anti spoofing rule">
<Src neg="False">
<ObjectRef ref="id3DC75CE7-1"/>
</Src>
@ -355,8 +336,7 @@
<IntervalRef ref="sysid2"/>
</When>
<PolicyRuleOptions/>
</PolicyRule>
<PolicyRule id="id2794X94039" disabled="False" log="False" position="2" action="Accept" direction="Both" comment="">
</PolicyRule><PolicyRule id="id2794X94039" disabled="False" log="False" position="2" action="Accept" direction="Both" comment="">
<Src neg="False">
<ObjectRef ref="sysid0"/>
</Src>
@ -373,8 +353,7 @@
<IntervalRef ref="sysid2"/>
</When>
<PolicyRuleOptions/>
</PolicyRule>
<PolicyRule id="id2806X94039" disabled="False" log="False" position="3" action="Accept" direction="Both" comment="SSH Access to firewall is permitted&#10;only from internal network">
</PolicyRule><PolicyRule id="id2806X94039" disabled="False" log="False" position="3" action="Accept" direction="Both" comment="SSH Access to firewall is permitted&#10;only from internal network">
<Src neg="False">
<ObjectRef ref="id3DC75CE7-1"/>
</Src>
@ -391,8 +370,7 @@
<IntervalRef ref="sysid2"/>
</When>
<PolicyRuleOptions/>
</PolicyRule>
<PolicyRule id="id3725X2234" disabled="False" group="" log="False" position="4" action="Accept" direction="Both" comment="SSH Access to firewall is permitted&#10;only from internal network">
</PolicyRule><PolicyRule id="id3725X2234" disabled="False" group="" log="False" position="4" action="Accept" direction="Both" comment="SSH Access to firewall is permitted&#10;only from internal network">
<Src neg="False">
<ObjectRef ref="id3DC75CE7-1"/>
</Src>
@ -409,8 +387,7 @@
<IntervalRef ref="sysid2"/>
</When>
<PolicyRuleOptions/>
</PolicyRule>
<PolicyRule id="id2818X94039" disabled="False" log="True" position="5" action="Accept" direction="Both" comment="Firewall uses one of the machines&#10;on internal network for DNS">
</PolicyRule><PolicyRule id="id2818X94039" disabled="False" log="True" position="5" action="Accept" direction="Both" comment="Firewall uses one of the machines&#10;on internal network for DNS">
<Src neg="False">
<ObjectRef ref="sysid0"/>
</Src>
@ -427,8 +404,7 @@
<IntervalRef ref="sysid2"/>
</When>
<PolicyRuleOptions/>
</PolicyRule>
<PolicyRule id="id2830X94039" disabled="False" log="True" position="6" action="Deny" direction="Both" comment="All other attempts to connect to&#10;the firewall are denied and logged">
</PolicyRule><PolicyRule id="id2830X94039" disabled="False" log="True" position="6" action="Deny" direction="Both" comment="All other attempts to connect to&#10;the firewall are denied and logged">
<Src neg="False">
<ObjectRef ref="sysid0"/>
</Src>
@ -457,20 +433,19 @@
<Option name="hashlimit_mode_dstport">False</Option>
<Option name="hashlimit_mode_srcip">False</Option>
<Option name="hashlimit_mode_srcport">False</Option>
<Option name="hashlimit_name"></Option>
<Option name="hashlimit_name"/>
<Option name="hashlimit_size">0</Option>
<Option name="hashlimit_suffix"></Option>
<Option name="hashlimit_suffix"/>
<Option name="hashlimit_value">0</Option>
<Option name="limit_burst">0</Option>
<Option name="limit_suffix"></Option>
<Option name="limit_suffix"/>
<Option name="limit_value">0</Option>
<Option name="log_level"></Option>
<Option name="log_prefix"></Option>
<Option name="log_level"/>
<Option name="log_prefix"/>
<Option name="stateless">True</Option>
<Option name="ulog_nlgroup">1</Option>
</PolicyRuleOptions>
</PolicyRule>
<PolicyRule id="id2842X94039" disabled="False" log="False" position="7" action="Accept" direction="Both" comment="">
</PolicyRule><PolicyRule id="id2842X94039" disabled="False" log="False" position="7" action="Accept" direction="Both" comment="">
<Src neg="False">
<ObjectRef ref="id3DC75CE7-1"/>
</Src>
@ -487,8 +462,7 @@
<IntervalRef ref="sysid2"/>
</When>
<PolicyRuleOptions/>
</PolicyRule>
<PolicyRule id="id2854X94039" disabled="False" log="True" position="8" action="Deny" direction="Both" comment="">
</PolicyRule><PolicyRule id="id2854X94039" disabled="False" log="True" position="8" action="Deny" direction="Both" comment="">
<Src neg="False">
<ObjectRef ref="sysid0"/>
</Src>
@ -505,8 +479,7 @@
<IntervalRef ref="sysid2"/>
</When>
<PolicyRuleOptions/>
</PolicyRule>
<PolicyRule id="id3087X2234" disabled="False" group="" log="True" position="9" action="Deny" direction="Both" comment="">
</PolicyRule><PolicyRule id="id3087X2234" disabled="False" group="" log="True" position="9" action="Deny" direction="Both" comment="">
<Src neg="False">
<ObjectRef ref="sysid0"/>
</Src>
@ -525,9 +498,10 @@
<PolicyRuleOptions>
<Option name="stateless">True</Option>
</PolicyRuleOptions>
</PolicyRule>
</Policy>
<Routing id="id2881X94039" name="Routing" comment="" ro="False" ipv4_rule_set="False" ipv6_rule_set="False" top_rule_set="True"/>
</PolicyRule><RuleSetOptions/></Policy>
<Routing id="id2881X94039" name="Routing" comment="" ro="False" ipv4_rule_set="False" ipv6_rule_set="False" top_rule_set="True"><RuleSetOptions/>
</Routing>
<Interface id="id2882X94039" dedicated_failover="False" dyn="False" label="" security_level="0" unnum="False" unprotected="False" name="vrrp0" comment="" ro="False">
<IPv4 id="id2889X94039" name="cluster1-1:vrrp0:ip" comment="" ro="False" address="172.24.0.1" netmask="255.255.0.0"/>
<InterfaceOptions>
@ -555,9 +529,14 @@
</StateSyncClusterGroup>
</Cluster>
<Cluster id="id2708X89830" host_OS="secuwall" inactive="False" lastCompiled="1247150660" lastInstalled="0" lastModified="1244047289" platform="iptables" name="secuwall_cluster_1" comment="" ro="False">
<NAT id="id2712X89830" name="NAT" comment="" ro="False" ipv4_rule_set="False" ipv6_rule_set="False" top_rule_set="True"/>
<Policy id="id2711X89830" name="Policy" comment="" ro="False" ipv4_rule_set="False" ipv6_rule_set="False" top_rule_set="True"/>
<Routing id="id2713X89830" name="Routing" comment="" ro="False" ipv4_rule_set="False" ipv6_rule_set="False" top_rule_set="True"/>
<NAT id="id2712X89830" name="NAT" comment="" ro="False" ipv4_rule_set="False" ipv6_rule_set="False" top_rule_set="True"><RuleSetOptions/>
</NAT>
<Policy id="id2711X89830" name="Policy" comment="" ro="False" ipv4_rule_set="False" ipv6_rule_set="False" top_rule_set="True">
<RuleSetOptions/></Policy>
<Routing id="id2713X89830" name="Routing" comment="" ro="False" ipv4_rule_set="False" ipv6_rule_set="False" top_rule_set="True"><RuleSetOptions/>
</Routing>
<Interface id="id2716X89830" dedicated_failover="False" dyn="False" label="" security_level="0" unnum="False" unprotected="False" name="vrrp0" comment="" ro="False">
<IPv4 id="id2717X89830" name="cluster3:vrrp0:ip" comment="" ro="False" address="192.168.1.1" netmask="255.255.255.0"/>
<InterfaceOptions>
@ -578,9 +557,14 @@
<StateSyncClusterGroup id="id2714X89830" master_iface="id4030X2906" type="conntrack" name="State Sync Group" comment=""/>
</Cluster>
<Firewall id="id3095X82837" host_OS="linux24" inactive="False" lastCompiled="1244138816" lastInstalled="0" lastModified="1247150710" platform="iptables" version="" name="gw1-bridge" comment="This firewall has two interfaces. Eth0 faces outside and has a dynamic address; eth1 faces inside.&#10;Policy includes basic rules to permit unrestricted outbound access and anti-spoofing rules. Access to the firewall is permitted only from internal network and only using SSH. The firewall uses one of the machines on internal network for DNS. Internal network is configured with address 192.168.1.0/255.255.255.0" ro="False">
<NAT id="id3102X82837" name="NAT" comment="" ro="False" ipv4_rule_set="False" ipv6_rule_set="False" top_rule_set="True"/>
<Policy id="id3101X82837" name="Policy" comment="" ro="False" ipv4_rule_set="False" ipv6_rule_set="False" top_rule_set="True"/>
<Routing id="id3103X82837" name="Routing" comment="" ro="False" ipv4_rule_set="False" ipv6_rule_set="False" top_rule_set="True"/>
<NAT id="id3102X82837" name="NAT" comment="" ro="False" ipv4_rule_set="False" ipv6_rule_set="False" top_rule_set="True"><RuleSetOptions/>
</NAT>
<Policy id="id3101X82837" name="Policy" comment="" ro="False" ipv4_rule_set="False" ipv6_rule_set="False" top_rule_set="True">
<RuleSetOptions/></Policy>
<Routing id="id3103X82837" name="Routing" comment="" ro="False" ipv4_rule_set="False" ipv6_rule_set="False" top_rule_set="True"><RuleSetOptions/>
</Routing>
<Interface id="id3104X82837" dedicated_failover="False" dyn="False" label="" mgmt="False" security_level="0" unnum="False" unprotected="False" name="eth0" comment="" ro="False">
<IPv4 id="id3109X82837" name="gw1-bridge:eth0:ip" comment="" ro="False" address="172.24.0.2" netmask="255.255.0.0"/>
<InterfaceOptions>
@ -636,16 +620,16 @@
<FirewallOptions>
<Option name="accept_established">True</Option>
<Option name="accept_new_tcp_with_no_syn">True</Option>
<Option name="action_on_reject"></Option>
<Option name="activationCmd"></Option>
<Option name="admUser"></Option>
<Option name="altAddress"></Option>
<Option name="action_on_reject"/>
<Option name="activationCmd"/>
<Option name="admUser"/>
<Option name="altAddress"/>
<Option name="bridging_fw">False</Option>
<Option name="check_shading">False</Option>
<Option name="clamp_mss_to_mtu">False</Option>
<Option name="classify_mark_terminating">False</Option>
<Option name="cmdline"></Option>
<Option name="compiler"></Option>
<Option name="cmdline"/>
<Option name="compiler"/>
<Option name="configure_bonding_interfaces">True</Option>
<Option name="configure_bridge_interfaces">True</Option>
<Option name="configure_interfaces">True</Option>
@ -653,14 +637,14 @@
<Option name="debug">False</Option>
<Option name="drop_invalid">False</Option>
<Option name="eliminate_duplicates">true</Option>
<Option name="epilog_script"></Option>
<Option name="epilog_script"/>
<Option name="firewall_dir">/etc</Option>
<Option name="firewall_is_part_of_any_and_networks">True</Option>
<Option name="flush_and_set_default_policy">True</Option>
<Option name="freebsd_ip_forward">1</Option>
<Option name="ignore_empty_groups">False</Option>
<Option name="ipv4_6_order">ipv4_first</Option>
<Option name="limit_suffix"></Option>
<Option name="limit_suffix"/>
<Option name="limit_value">0</Option>
<Option name="linux24_ip_forward">1</Option>
<Option name="load_modules">True</Option>
@ -675,11 +659,11 @@
<Option name="loopback_interface">lo</Option>
<Option name="macosx_ip_forward">1</Option>
<Option name="manage_virtual_addr">True</Option>
<Option name="mgmt_addr"></Option>
<Option name="mgmt_addr"/>
<Option name="mgmt_ssh">False</Option>
<Option name="modules_dir">/lib/modules/`uname -r`/kernel/net/</Option>
<Option name="openbsd_ip_forward">1</Option>
<Option name="output_file"></Option>
<Option name="output_file"/>
<Option name="pf_limit_frags">5000</Option>
<Option name="pf_limit_states">10000</Option>
<Option name="pf_timeout_frag">30</Option>
@ -697,13 +681,13 @@
<Option name="pix_syslog_device_id_supported">false</Option>
<Option name="pix_use_acl_remarks">true</Option>
<Option name="prolog_place">top</Option>
<Option name="prolog_script"></Option>
<Option name="scpArgs"></Option>
<Option name="prolog_script"/>
<Option name="scpArgs"/>
<Option name="secuwall_add_files">False</Option>
<Option name="secuwall_add_files_dir">/opt/secuwall/templates/default</Option>
<Option name="secuwall_dns_reso1">files</Option>
<Option name="solaris_ip_forward">1</Option>
<Option name="sshArgs"></Option>
<Option name="sshArgs"/>
<Option name="ulog_cprange">0</Option>
<Option name="ulog_nlgroup">1</Option>
<Option name="ulog_qthreshold">1</Option>
@ -713,13 +697,15 @@
<Option name="verify_interfaces">True</Option>
</FirewallOptions>
</Firewall>
<ObjectRef ref="id2843X69605"/>
<ObjectRef ref="id2844X69605"/>
<ObjectRef ref="id2847X69605"/>
<Firewall id="id2735X69605" host_OS="linux24" inactive="False" lastCompiled="0" lastInstalled="0" lastModified="1247150717" platform="iptables" version="" name="linux-1" comment="This firewall has two interfaces. Eth0 faces outside and has a dynamic address; eth1 faces inside.&#10;Policy includes basic rules to permit unrestricted outbound access and anti-spoofing rules. Access to the firewall is permitted only from internal network and only using SSH. The firewall uses one of the machines on internal network for DNS. Internal network is configured with address 192.168.1.0/255.255.255.0" ro="False">
<NAT id="id2827X69605" name="NAT" comment="" ro="False" ipv4_rule_set="False" ipv6_rule_set="False" top_rule_set="True"/>
<Policy id="id2741X69605" name="Policy" comment="" ro="False" ipv4_rule_set="False" ipv6_rule_set="False" top_rule_set="True"/>
<Routing id="id2842X69605" name="Routing" comment="" ro="False" ipv4_rule_set="False" ipv6_rule_set="False" top_rule_set="True"/>
<NAT id="id2827X69605" name="NAT" comment="" ro="False" ipv4_rule_set="False" ipv6_rule_set="False" top_rule_set="True"><RuleSetOptions/>
</NAT>
<Policy id="id2741X69605" name="Policy" comment="" ro="False" ipv4_rule_set="False" ipv6_rule_set="False" top_rule_set="True">
<RuleSetOptions/></Policy>
<Routing id="id2842X69605" name="Routing" comment="" ro="False" ipv4_rule_set="False" ipv6_rule_set="False" top_rule_set="True"><RuleSetOptions/>
</Routing>
<Interface id="id2843X69605" dedicated_failover="False" dyn="False" label="" mgmt="False" security_level="0" unnum="False" unprotected="False" name="eth0" comment="" ro="False">
<IPv4 id="id3764X78273" name="linux-1:eth0:ip" comment="" ro="False" address="172.24.0.2" netmask="255.255.0.0"/>
<InterfaceOptions>
@ -756,29 +742,29 @@
<FirewallOptions>
<Option name="accept_established">True</Option>
<Option name="accept_new_tcp_with_no_syn">True</Option>
<Option name="action_on_reject"></Option>
<Option name="activationCmd"></Option>
<Option name="admUser"></Option>
<Option name="altAddress"></Option>
<Option name="action_on_reject"/>
<Option name="activationCmd"/>
<Option name="admUser"/>
<Option name="altAddress"/>
<Option name="bridging_fw">False</Option>
<Option name="check_shading">False</Option>
<Option name="clamp_mss_to_mtu">False</Option>
<Option name="classify_mark_terminating">False</Option>
<Option name="cmdline"></Option>
<Option name="compiler"></Option>
<Option name="cmdline"/>
<Option name="compiler"/>
<Option name="configure_interfaces">True</Option>
<Option name="configure_vlan_interfaces">True</Option>
<Option name="debug">False</Option>
<Option name="drop_invalid">False</Option>
<Option name="eliminate_duplicates">true</Option>
<Option name="epilog_script"></Option>
<Option name="epilog_script"/>
<Option name="firewall_dir">/etc</Option>
<Option name="firewall_is_part_of_any_and_networks">True</Option>
<Option name="flush_and_set_default_policy">True</Option>
<Option name="freebsd_ip_forward">1</Option>
<Option name="ignore_empty_groups">False</Option>
<Option name="ipv4_6_order">ipv4_first</Option>
<Option name="limit_suffix"></Option>
<Option name="limit_suffix"/>
<Option name="limit_value">0</Option>
<Option name="linux24_ip_forward">1</Option>
<Option name="load_modules">True</Option>
@ -793,11 +779,11 @@
<Option name="loopback_interface">lo</Option>
<Option name="macosx_ip_forward">1</Option>
<Option name="manage_virtual_addr">True</Option>
<Option name="mgmt_addr"></Option>
<Option name="mgmt_addr"/>
<Option name="mgmt_ssh">False</Option>
<Option name="modules_dir">/lib/modules/`uname -r`/kernel/net/</Option>
<Option name="openbsd_ip_forward">1</Option>
<Option name="output_file"></Option>
<Option name="output_file"/>
<Option name="pf_limit_frags">5000</Option>
<Option name="pf_limit_states">10000</Option>
<Option name="pf_timeout_frag">30</Option>
@ -815,13 +801,13 @@
<Option name="pix_syslog_device_id_supported">false</Option>
<Option name="pix_use_acl_remarks">true</Option>
<Option name="prolog_place">top</Option>
<Option name="prolog_script"></Option>
<Option name="scpArgs"></Option>
<Option name="prolog_script"/>
<Option name="scpArgs"/>
<Option name="secuwall_add_files">False</Option>
<Option name="secuwall_add_files_dir">/opt/secuwall/templates/default</Option>
<Option name="secuwall_dns_reso1">files</Option>
<Option name="solaris_ip_forward">1</Option>
<Option name="sshArgs"></Option>
<Option name="sshArgs"/>
<Option name="ulog_cprange">0</Option>
<Option name="ulog_nlgroup">1</Option>
<Option name="ulog_qthreshold">1</Option>
@ -831,12 +817,15 @@
<Option name="verify_interfaces">True</Option>
</FirewallOptions>
</Firewall>
<ObjectRef ref="id3117X69605"/>
<ObjectRef ref="id3118X69605"/>
<Firewall id="id3009X69605" host_OS="linux24" inactive="False" lastCompiled="0" lastInstalled="0" lastModified="1247150722" platform="iptables" version="" name="linux-2" comment="This firewall has two interfaces. Eth0 faces outside and has a dynamic address; eth1 faces inside.&#10;Policy includes basic rules to permit unrestricted outbound access and anti-spoofing rules. Access to the firewall is permitted only from internal network and only using SSH. The firewall uses one of the machines on internal network for DNS. Internal network is configured with address 192.168.1.0/255.255.255.0" ro="False">
<NAT id="id3101X69605" name="NAT" comment="" ro="False" ipv4_rule_set="False" ipv6_rule_set="False" top_rule_set="True"/>
<Policy id="id3015X69605" name="Policy" comment="" ro="False" ipv4_rule_set="False" ipv6_rule_set="False" top_rule_set="True"/>
<Routing id="id3116X69605" name="Routing" comment="" ro="False" ipv4_rule_set="False" ipv6_rule_set="False" top_rule_set="True"/>
<NAT id="id3101X69605" name="NAT" comment="" ro="False" ipv4_rule_set="False" ipv6_rule_set="False" top_rule_set="True"><RuleSetOptions/>
</NAT>
<Policy id="id3015X69605" name="Policy" comment="" ro="False" ipv4_rule_set="False" ipv6_rule_set="False" top_rule_set="True">
<RuleSetOptions/></Policy>
<Routing id="id3116X69605" name="Routing" comment="" ro="False" ipv4_rule_set="False" ipv6_rule_set="False" top_rule_set="True"><RuleSetOptions/>
</Routing>
<Interface id="id3117X69605" dedicated_failover="False" dyn="False" label="" mgmt="False" security_level="0" unnum="False" unprotected="False" name="eth0" comment="" ro="False">
<IPv4 id="id3765X78273" name="linux-2:eth0:ip" comment="" ro="False" address="172.24.0.3" netmask="255.255.0.0"/>
<InterfaceOptions/>
@ -857,28 +846,28 @@
<FirewallOptions>
<Option name="accept_established">True</Option>
<Option name="accept_new_tcp_with_no_syn">True</Option>
<Option name="action_on_reject"></Option>
<Option name="activationCmd"></Option>
<Option name="admUser"></Option>
<Option name="altAddress"></Option>
<Option name="action_on_reject"/>
<Option name="activationCmd"/>
<Option name="admUser"/>
<Option name="altAddress"/>
<Option name="bridging_fw">False</Option>
<Option name="check_shading">False</Option>
<Option name="clamp_mss_to_mtu">False</Option>
<Option name="classify_mark_terminating">False</Option>
<Option name="cmdline"></Option>
<Option name="compiler"></Option>
<Option name="cmdline"/>
<Option name="compiler"/>
<Option name="configure_interfaces">True</Option>
<Option name="debug">False</Option>
<Option name="drop_invalid">False</Option>
<Option name="eliminate_duplicates">true</Option>
<Option name="epilog_script"></Option>
<Option name="epilog_script"/>
<Option name="firewall_dir">/etc</Option>
<Option name="firewall_is_part_of_any_and_networks">True</Option>
<Option name="flush_and_set_default_policy">True</Option>
<Option name="freebsd_ip_forward">1</Option>
<Option name="ignore_empty_groups">False</Option>
<Option name="ipv4_6_order">ipv4_first</Option>
<Option name="limit_suffix"></Option>
<Option name="limit_suffix"/>
<Option name="limit_value">0</Option>
<Option name="linux24_ip_forward">1</Option>
<Option name="load_modules">True</Option>
@ -893,11 +882,11 @@
<Option name="loopback_interface">lo</Option>
<Option name="macosx_ip_forward">1</Option>
<Option name="manage_virtual_addr">True</Option>
<Option name="mgmt_addr"></Option>
<Option name="mgmt_addr"/>
<Option name="mgmt_ssh">False</Option>
<Option name="modules_dir">/lib/modules/`uname -r`/kernel/net/</Option>
<Option name="openbsd_ip_forward">1</Option>
<Option name="output_file"></Option>
<Option name="output_file"/>
<Option name="pf_limit_frags">5000</Option>
<Option name="pf_limit_states">10000</Option>
<Option name="pf_timeout_frag">30</Option>
@ -915,13 +904,13 @@
<Option name="pix_syslog_device_id_supported">false</Option>
<Option name="pix_use_acl_remarks">true</Option>
<Option name="prolog_place">top</Option>
<Option name="prolog_script"></Option>
<Option name="scpArgs"></Option>
<Option name="prolog_script"/>
<Option name="scpArgs"/>
<Option name="secuwall_add_files">False</Option>
<Option name="secuwall_add_files_dir">/opt/secuwall/templates/default</Option>
<Option name="secuwall_dns_reso1">files</Option>
<Option name="solaris_ip_forward">1</Option>
<Option name="sshArgs"></Option>
<Option name="sshArgs"/>
<Option name="ulog_cprange">0</Option>
<Option name="ulog_nlgroup">1</Option>
<Option name="ulog_qthreshold">1</Option>
@ -931,11 +920,15 @@
<Option name="verify_interfaces">True</Option>
</FirewallOptions>
</Firewall>
<ObjectRef ref="id4030X2906"/>
<Firewall id="id4021X2906" host_OS="secuwall" inactive="False" lastCompiled="0" lastInstalled="0" lastModified="1247150728" platform="iptables" version="" name="secuwall-1" comment="This firewall has two interfaces. Eth0 faces outside and has a dynamic address; eth1 faces inside.&#10;Policy includes basic rules to permit unrestricted outbound access and anti-spoofing rules. Access to the firewall is permitted only from internal network and only using SSH. The firewall uses one of the machines on internal network for DNS. Internal network is configured with address 192.168.1.0/255.255.255.0" ro="False">
<NAT id="id4028X2906" name="NAT" comment="" ro="False" ipv4_rule_set="False" ipv6_rule_set="False" top_rule_set="True"/>
<Policy id="id4027X2906" name="Policy" comment="" ro="False" ipv4_rule_set="False" ipv6_rule_set="False" top_rule_set="True"/>
<Routing id="id4029X2906" name="Routing" comment="" ro="False" ipv4_rule_set="False" ipv6_rule_set="False" top_rule_set="True"/>
<NAT id="id4028X2906" name="NAT" comment="" ro="False" ipv4_rule_set="False" ipv6_rule_set="False" top_rule_set="True"><RuleSetOptions/>
</NAT>
<Policy id="id4027X2906" name="Policy" comment="" ro="False" ipv4_rule_set="False" ipv6_rule_set="False" top_rule_set="True">
<RuleSetOptions/></Policy>
<Routing id="id4029X2906" name="Routing" comment="" ro="False" ipv4_rule_set="False" ipv6_rule_set="False" top_rule_set="True"><RuleSetOptions/>
</Routing>
<Interface id="id4030X2906" dedicated_failover="False" dyn="False" label="" mgmt="False" security_level="0" unnum="False" unprotected="False" name="eth0" comment="" ro="False">
<IPv4 id="id4032X2906" name="secuwall-1:eth0:ip" comment="" ro="False" address="172.24.0.2" netmask="255.255.0.0"/>
<InterfaceOptions>
@ -949,9 +942,9 @@
<Option name="iface_disablearp">False</Option>
<Option name="iface_disableboot">False</Option>
<Option name="iface_mtu">1500</Option>
<Option name="iface_options"></Option>
<Option name="iface_options"/>
<Option name="type">ethernet</Option>
<Option name="vlan_id"></Option>
<Option name="vlan_id"/>
</InterfaceOptions>
</Interface>
<Interface id="id4038X2906" dedicated_failover="False" dyn="False" label="" mgmt="False" security_level="100" unnum="False" unprotected="False" name="lo" comment="" ro="False">
@ -969,28 +962,28 @@
<FirewallOptions>
<Option name="accept_established">True</Option>
<Option name="accept_new_tcp_with_no_syn">True</Option>
<Option name="action_on_reject"></Option>
<Option name="activationCmd"></Option>
<Option name="admUser"></Option>
<Option name="altAddress"></Option>
<Option name="action_on_reject"/>
<Option name="activationCmd"/>
<Option name="admUser"/>
<Option name="altAddress"/>
<Option name="bridging_fw">False</Option>
<Option name="check_shading">False</Option>
<Option name="clamp_mss_to_mtu">False</Option>
<Option name="classify_mark_terminating">False</Option>
<Option name="cmdline"></Option>
<Option name="compiler"></Option>
<Option name="cmdline"/>
<Option name="compiler"/>
<Option name="configure_interfaces">True</Option>
<Option name="debug">False</Option>
<Option name="drop_invalid">False</Option>
<Option name="eliminate_duplicates">true</Option>
<Option name="epilog_script"></Option>
<Option name="epilog_script"/>
<Option name="firewall_dir">/etc</Option>
<Option name="firewall_is_part_of_any_and_networks">True</Option>
<Option name="flush_and_set_default_policy">True</Option>
<Option name="freebsd_ip_forward">1</Option>
<Option name="ignore_empty_groups">False</Option>
<Option name="ipv4_6_order">ipv4_first</Option>
<Option name="limit_suffix"></Option>
<Option name="limit_suffix"/>
<Option name="limit_value">0</Option>
<Option name="linux24_ip_forward">1</Option>
<Option name="load_modules">True</Option>
@ -1005,11 +998,11 @@
<Option name="loopback_interface">lo</Option>
<Option name="macosx_ip_forward">1</Option>
<Option name="manage_virtual_addr">True</Option>
<Option name="mgmt_addr"></Option>
<Option name="mgmt_addr"/>
<Option name="mgmt_ssh">False</Option>
<Option name="modules_dir">/lib/modules/`uname -r`/kernel/net/</Option>
<Option name="openbsd_ip_forward">1</Option>
<Option name="output_file"></Option>
<Option name="output_file"/>
<Option name="pf_limit_frags">5000</Option>
<Option name="pf_limit_states">10000</Option>
<Option name="pf_timeout_frag">30</Option>
@ -1027,13 +1020,13 @@
<Option name="pix_syslog_device_id_supported">false</Option>
<Option name="pix_use_acl_remarks">true</Option>
<Option name="prolog_place">top</Option>
<Option name="prolog_script"></Option>
<Option name="scpArgs"></Option>
<Option name="prolog_script"/>
<Option name="scpArgs"/>
<Option name="secuwall_add_files">False</Option>
<Option name="secuwall_add_files_dir">/opt/secuwall/templates/default</Option>
<Option name="secuwall_dns_reso1">files</Option>
<Option name="solaris_ip_forward">1</Option>
<Option name="sshArgs"></Option>
<Option name="sshArgs"/>
<Option name="ulog_cprange">0</Option>
<Option name="ulog_nlgroup">1</Option>
<Option name="ulog_qthreshold">1</Option>
@ -1043,11 +1036,15 @@
<Option name="verify_interfaces">True</Option>
</FirewallOptions>
</Firewall>
<ObjectRef ref="id4055X2906"/>
<Firewall id="id4046X2906" host_OS="secuwall" inactive="False" lastCompiled="0" lastInstalled="0" lastModified="1247150732" platform="iptables" version="" name="secuwall-2" comment="This firewall has two interfaces. Eth0 faces outside and has a dynamic address; eth1 faces inside.&#10;Policy includes basic rules to permit unrestricted outbound access and anti-spoofing rules. Access to the firewall is permitted only from internal network and only using SSH. The firewall uses one of the machines on internal network for DNS. Internal network is configured with address 192.168.1.0/255.255.255.0" ro="False">
<NAT id="id4053X2906" name="NAT" comment="" ro="False" ipv4_rule_set="False" ipv6_rule_set="False" top_rule_set="True"/>
<Policy id="id4052X2906" name="Policy" comment="" ro="False" ipv4_rule_set="False" ipv6_rule_set="False" top_rule_set="True"/>
<Routing id="id4054X2906" name="Routing" comment="" ro="False" ipv4_rule_set="False" ipv6_rule_set="False" top_rule_set="True"/>
<NAT id="id4053X2906" name="NAT" comment="" ro="False" ipv4_rule_set="False" ipv6_rule_set="False" top_rule_set="True"><RuleSetOptions/>
</NAT>
<Policy id="id4052X2906" name="Policy" comment="" ro="False" ipv4_rule_set="False" ipv6_rule_set="False" top_rule_set="True">
<RuleSetOptions/></Policy>
<Routing id="id4054X2906" name="Routing" comment="" ro="False" ipv4_rule_set="False" ipv6_rule_set="False" top_rule_set="True"><RuleSetOptions/>
</Routing>
<Interface id="id4055X2906" dedicated_failover="False" dyn="False" label="" mgmt="False" security_level="0" unnum="False" unprotected="False" name="eth0" comment="" ro="False">
<IPv4 id="id4057X2906" name="secuwall-2:eth0:ip" comment="" ro="False" address="172.24.0.3" netmask="255.255.0.0"/>
<InterfaceOptions>
@ -1075,9 +1072,9 @@
<Option name="iface_disablearp">False</Option>
<Option name="iface_disableboot">False</Option>
<Option name="iface_mtu">1500</Option>
<Option name="iface_options"></Option>
<Option name="iface_options"/>
<Option name="type">bonding</Option>
<Option name="vlan_id"></Option>
<Option name="vlan_id"/>
</InterfaceOptions>
<Interface id="id3807X49120" dedicated_failover="False" dyn="False" label="" security_level="0" unnum="False" unprotected="False" name="eth2" comment="" ro="False">
<InterfaceOptions>
@ -1100,28 +1097,28 @@
<FirewallOptions>
<Option name="accept_established">True</Option>
<Option name="accept_new_tcp_with_no_syn">True</Option>
<Option name="action_on_reject"></Option>
<Option name="activationCmd"></Option>
<Option name="admUser"></Option>
<Option name="altAddress"></Option>
<Option name="action_on_reject"/>
<Option name="activationCmd"/>
<Option name="admUser"/>
<Option name="altAddress"/>
<Option name="bridging_fw">False</Option>
<Option name="check_shading">False</Option>
<Option name="clamp_mss_to_mtu">False</Option>
<Option name="classify_mark_terminating">False</Option>
<Option name="cmdline"></Option>
<Option name="compiler"></Option>
<Option name="cmdline"/>
<Option name="compiler"/>
<Option name="configure_interfaces">True</Option>
<Option name="debug">False</Option>
<Option name="drop_invalid">False</Option>
<Option name="eliminate_duplicates">true</Option>
<Option name="epilog_script"></Option>
<Option name="epilog_script"/>
<Option name="firewall_dir">/etc</Option>
<Option name="firewall_is_part_of_any_and_networks">True</Option>
<Option name="flush_and_set_default_policy">True</Option>
<Option name="freebsd_ip_forward">1</Option>
<Option name="ignore_empty_groups">False</Option>
<Option name="ipv4_6_order">ipv4_first</Option>
<Option name="limit_suffix"></Option>
<Option name="limit_suffix"/>
<Option name="limit_value">0</Option>
<Option name="linux24_ip_forward">1</Option>
<Option name="load_modules">True</Option>
@ -1136,11 +1133,11 @@
<Option name="loopback_interface">lo</Option>
<Option name="macosx_ip_forward">1</Option>
<Option name="manage_virtual_addr">True</Option>
<Option name="mgmt_addr"></Option>
<Option name="mgmt_addr"/>
<Option name="mgmt_ssh">False</Option>
<Option name="modules_dir">/lib/modules/`uname -r`/kernel/net/</Option>
<Option name="openbsd_ip_forward">1</Option>
<Option name="output_file"></Option>
<Option name="output_file"/>
<Option name="pf_limit_frags">5000</Option>
<Option name="pf_limit_states">10000</Option>
<Option name="pf_timeout_frag">30</Option>
@ -1158,13 +1155,13 @@
<Option name="pix_syslog_device_id_supported">false</Option>
<Option name="pix_use_acl_remarks">true</Option>
<Option name="prolog_place">top</Option>
<Option name="prolog_script"></Option>
<Option name="scpArgs"></Option>
<Option name="prolog_script"/>
<Option name="scpArgs"/>
<Option name="secuwall_add_files">False</Option>
<Option name="secuwall_add_files_dir">/opt/secuwall/templates/default</Option>
<Option name="secuwall_dns_reso1">files</Option>
<Option name="solaris_ip_forward">1</Option>
<Option name="sshArgs"></Option>
<Option name="sshArgs"/>
<Option name="ulog_cprange">0</Option>
<Option name="ulog_nlgroup">1</Option>
<Option name="ulog_qthreshold">1</Option>
@ -1305,9 +1302,11 @@
</TSrv>
<NATRuleOptions/>
</NATRule>
<RuleSetOptions/>
</NAT>
<Policy id="id3639X95766" name="Policy" comment="" ro="False" ipv4_rule_set="False" ipv6_rule_set="False" top_rule_set="True">
<PolicyRule id="id4574X33400" disabled="False" group="" log="False" position="0" action="Accept" direction="Both" comment="">
<PolicyRule id="id4574X33400" disabled="False" group="" log="False" position="0" action="Accept" direction="Both" comment="">
<Src neg="False">
<ObjectRef ref="sysid0"/>
</Src>
@ -1326,8 +1325,7 @@
<PolicyRuleOptions>
<Option name="stateless">False</Option>
</PolicyRuleOptions>
</PolicyRule>
<PolicyRule id="id5954X26920" disabled="False" group="" log="False" position="1" action="Accept" direction="Both" comment="">
</PolicyRule><PolicyRule id="id5954X26920" disabled="False" group="" log="False" position="1" action="Accept" direction="Both" comment="">
<Src neg="False">
<ObjectRef ref="sysid0"/>
</Src>
@ -1346,8 +1344,7 @@
<PolicyRuleOptions>
<Option name="stateless">False</Option>
</PolicyRuleOptions>
</PolicyRule>
<PolicyRule id="id7136X39764" disabled="False" group="" log="False" position="2" action="Accept" direction="Both" comment="">
</PolicyRule><PolicyRule id="id7136X39764" disabled="False" group="" log="False" position="2" action="Accept" direction="Both" comment="">
<Src neg="False">
<ObjectRef ref="id3642X95766"/>
</Src>
@ -1366,8 +1363,7 @@
<PolicyRuleOptions>
<Option name="stateless">False</Option>
</PolicyRuleOptions>
</PolicyRule>
<PolicyRule id="id7162X39764" disabled="False" group="" log="False" position="3" action="Accept" direction="Both" comment="">
</PolicyRule><PolicyRule id="id7162X39764" disabled="False" group="" log="False" position="3" action="Accept" direction="Both" comment="">
<Src neg="False">
<ObjectRef ref="sysid0"/>
</Src>
@ -1386,8 +1382,7 @@
<PolicyRuleOptions>
<Option name="stateless">False</Option>
</PolicyRuleOptions>
</PolicyRule>
<PolicyRule id="id7149X39764" disabled="False" group="" log="False" position="4" action="Accept" direction="Inbound" comment="">
</PolicyRule><PolicyRule id="id7149X39764" disabled="False" group="" log="False" position="4" action="Accept" direction="Inbound" comment="">
<Src neg="False">
<ObjectRef ref="sysid0"/>
</Src>
@ -1406,8 +1401,7 @@
<PolicyRuleOptions>
<Option name="stateless">False</Option>
</PolicyRuleOptions>
</PolicyRule>
<PolicyRule id="id5942X26920" disabled="False" log="True" position="5" action="Deny" direction="Both" comment="">
</PolicyRule><PolicyRule id="id5942X26920" disabled="False" log="True" position="5" action="Deny" direction="Both" comment="">
<Src neg="False">
<ObjectRef ref="sysid0"/>
</Src>
@ -1426,9 +1420,10 @@
<PolicyRuleOptions>
<Option name="stateless">True</Option>
</PolicyRuleOptions>
</PolicyRule>
</Policy>
<Routing id="id3641X95766" name="Routing" comment="" ro="False" ipv4_rule_set="False" ipv6_rule_set="False" top_rule_set="True"/>
</PolicyRule><RuleSetOptions/></Policy>
<Routing id="id3641X95766" name="Routing" comment="" ro="False" ipv4_rule_set="False" ipv6_rule_set="False" top_rule_set="True"><RuleSetOptions/>
</Routing>
<Interface id="id3642X95766" dedicated_failover="False" dyn="False" label="pf_clsuter_1 carp0" mgmt="False" security_level="0" unnum="False" unprotected="False" name="carp0" comment="" ro="False">
<IPv4 id="id3647X95766" name="pf_cluster_1:carp0:ip" comment="" ro="False" address="172.24.0.1" netmask="255.255.255.0"/>
<IPv4 id="id16633X39764" name="pf_cluster_1:carp0:ip-1" comment="" ro="False" address="172.24.0.1" netmask="255.255.255.0"/>
@ -1480,9 +1475,11 @@
</StateSyncClusterGroup>
</Cluster>
<Cluster id="id5462X42213" host_OS="freebsd" inactive="False" lastCompiled="1247150757" lastInstalled="0" lastModified="1245802420" platform="pf" name="pf_cluster_2" comment="using multicast address for pfsync and FreeBSD" ro="False">
<NAT id="id5559X42213" name="NAT" comment="" ro="False" ipv4_rule_set="False" ipv6_rule_set="False" top_rule_set="True"/>
<NAT id="id5559X42213" name="NAT" comment="" ro="False" ipv4_rule_set="False" ipv6_rule_set="False" top_rule_set="True"><RuleSetOptions/>
</NAT>
<Policy id="id5498X42213" name="Policy" comment="" ro="False" ipv4_rule_set="False" ipv6_rule_set="False" top_rule_set="True">
<PolicyRule id="id5547X42213" disabled="False" log="True" position="0" action="Deny" direction="Both" comment="">
<PolicyRule id="id5547X42213" disabled="False" log="True" position="0" action="Deny" direction="Both" comment="">
<Src neg="False">
<ObjectRef ref="sysid0"/>
</Src>
@ -1501,9 +1498,10 @@
<PolicyRuleOptions>
<Option name="stateless">True</Option>
</PolicyRuleOptions>
</PolicyRule>
</Policy>
<Routing id="id5644X42213" name="Routing" comment="" ro="False" ipv4_rule_set="False" ipv6_rule_set="False" top_rule_set="True"/>
</PolicyRule><RuleSetOptions/></Policy>
<Routing id="id5644X42213" name="Routing" comment="" ro="False" ipv4_rule_set="False" ipv6_rule_set="False" top_rule_set="True"><RuleSetOptions/>
</Routing>
<Interface id="id5470X42213" dedicated_failover="False" dyn="False" label="pf_clsuter_1 carp0" mgmt="False" security_level="0" unnum="False" unprotected="False" name="carp0" comment="" ro="False">
<IPv4 id="id5478X42213" name="pf_cluster_1-1:carp0:ip1" comment="" ro="False" address="172.24.0.1" netmask="255.255.255.0"/>
<IPv4 id="id5479X42213" name="pf_cluster_1-1:carp0:ip2" comment="" ro="False" address="172.24.0.1" netmask="255.255.255.0"/>
@ -1551,9 +1549,14 @@
</StateSyncClusterGroup>
</Cluster>
<Cluster id="id3642X20162" host_OS="openbsd" inactive="False" lastCompiled="0" lastInstalled="0" lastModified="0" platform="pf" name="pf_cluster_3" comment="" ro="False">
<NAT id="id3646X20162" name="NAT" comment="" ro="False" ipv4_rule_set="False" ipv6_rule_set="False" top_rule_set="True"/>
<Policy id="id3645X20162" name="Policy" comment="" ro="False" ipv4_rule_set="False" ipv6_rule_set="False" top_rule_set="True"/>
<Routing id="id3647X20162" name="Routing" comment="" ro="False" ipv4_rule_set="False" ipv6_rule_set="False" top_rule_set="True"/>
<NAT id="id3646X20162" name="NAT" comment="" ro="False" ipv4_rule_set="False" ipv6_rule_set="False" top_rule_set="True"><RuleSetOptions/>
</NAT>
<Policy id="id3645X20162" name="Policy" comment="" ro="False" ipv4_rule_set="False" ipv6_rule_set="False" top_rule_set="True">
<RuleSetOptions/></Policy>
<Routing id="id3647X20162" name="Routing" comment="" ro="False" ipv4_rule_set="False" ipv6_rule_set="False" top_rule_set="True"><RuleSetOptions/>
</Routing>
<Interface id="id3650X20162" dedicated_failover="False" dyn="False" label="" security_level="0" unnum="False" unprotected="False" name="carp0" comment="" ro="False">
<IPv4 id="id3651X20162" name="pf_cluster_3:carp0:ip" comment="" ro="False" address="172.24.0.1" netmask="255.255.255.0"/>
<InterfaceOptions>
@ -1623,9 +1626,14 @@
</ServiceGroup>
<ObjectGroup id="id1514X69605" name="Firewalls" comment="" ro="False">
<Firewall id="id2827X26920" host_OS="openbsd" inactive="False" lastCompiled="0" lastInstalled="0" lastModified="1244757410" platform="pf" version="4.x" name="openbsd-1" comment="" ro="False">
<NAT id="id2831X26920" name="NAT" comment="" ro="False" ipv4_rule_set="False" ipv6_rule_set="False" top_rule_set="True"/>
<Policy id="id2830X26920" name="Policy" comment="" ro="False" ipv4_rule_set="False" ipv6_rule_set="False" top_rule_set="True"/>
<Routing id="id2832X26920" name="Routing" comment="" ro="False" ipv4_rule_set="False" ipv6_rule_set="False" top_rule_set="True"/>
<NAT id="id2831X26920" name="NAT" comment="" ro="False" ipv4_rule_set="False" ipv6_rule_set="False" top_rule_set="True"><RuleSetOptions/>
</NAT>
<Policy id="id2830X26920" name="Policy" comment="" ro="False" ipv4_rule_set="False" ipv6_rule_set="False" top_rule_set="True">
<RuleSetOptions/></Policy>
<Routing id="id2832X26920" name="Routing" comment="" ro="False" ipv4_rule_set="False" ipv6_rule_set="False" top_rule_set="True"><RuleSetOptions/>
</Routing>
<Interface id="id2833X26920" dedicated_failover="False" dyn="False" label="" security_level="0" unnum="False" unprotected="False" name="en0" comment="" ro="False">
<IPv4 id="id2834X26920" name="openbsd-1:en0:ip" comment="" ro="False" address="172.24.0.2" netmask="255.255.255.0"/>
<InterfaceOptions/>
@ -1647,18 +1655,18 @@
</Management>
<FirewallOptions>
<Option name="accept_new_tcp_with_no_syn">False</Option>
<Option name="activationCmd"></Option>
<Option name="admUser"></Option>
<Option name="altAddress"></Option>
<Option name="activationCmd"/>
<Option name="admUser"/>
<Option name="altAddress"/>
<Option name="check_shading">False</Option>
<Option name="cmdline"></Option>
<Option name="compiler"></Option>
<Option name="cmdline"/>
<Option name="compiler"/>
<Option name="configure_carp_interfaces">True</Option>
<Option name="configure_interfaces">True</Option>
<Option name="configure_pfsync_interfaces">True</Option>
<Option name="configure_vlan_interfaces">True</Option>
<Option name="debug">False</Option>
<Option name="epilog_script"></Option>
<Option name="epilog_script"/>
<Option name="fallback_log">False</Option>
<Option name="firewall_dir">/etc</Option>
<Option name="ignore_empty_groups">False</Option>
@ -1667,11 +1675,11 @@
<Option name="log_prefix">RULE %N -- %A </Option>
<Option name="loopback_interface">lo0</Option>
<Option name="manage_virtual_addr">True</Option>
<Option name="mgmt_addr"></Option>
<Option name="mgmt_addr"/>
<Option name="mgmt_ssh">False</Option>
<Option name="modulate_state">False</Option>
<Option name="openbsd_ip_forward">1</Option>
<Option name="output_file"></Option>
<Option name="output_file"/>
<Option name="pass_all_out">false</Option>
<Option name="pf_adaptive_end">0</Option>
<Option name="pf_adaptive_start">0</Option>
@ -1691,7 +1699,7 @@
<Option name="pf_limit_states">10000</Option>
<Option name="pf_limit_table_entries">0</Option>
<Option name="pf_limit_tables">0</Option>
<Option name="pf_optimization"></Option>
<Option name="pf_optimization"/>
<Option name="pf_other_first">0</Option>
<Option name="pf_other_multiple">0</Option>
<Option name="pf_other_single">0</Option>
@ -1731,15 +1739,20 @@
<Option name="pf_udp_multiple">0</Option>
<Option name="pf_udp_single">0</Option>
<Option name="prolog_place">fw_file</Option>
<Option name="prolog_script"></Option>
<Option name="scpArgs"></Option>
<Option name="sshArgs"></Option>
<Option name="prolog_script"/>
<Option name="scpArgs"/>
<Option name="sshArgs"/>
</FirewallOptions>
</Firewall>
<Firewall id="id3337X26920" host_OS="openbsd" inactive="False" lastCompiled="0" lastInstalled="0" lastModified="1244757413" platform="pf" version="4.x" name="openbsd-2" comment="" ro="False">
<NAT id="id3344X26920" name="NAT" comment="" ro="False" ipv4_rule_set="False" ipv6_rule_set="False" top_rule_set="True"/>
<Policy id="id3343X26920" name="Policy" comment="" ro="False" ipv4_rule_set="False" ipv6_rule_set="False" top_rule_set="True"/>
<Routing id="id3345X26920" name="Routing" comment="" ro="False" ipv4_rule_set="False" ipv6_rule_set="False" top_rule_set="True"/>
<NAT id="id3344X26920" name="NAT" comment="" ro="False" ipv4_rule_set="False" ipv6_rule_set="False" top_rule_set="True"><RuleSetOptions/>
</NAT>
<Policy id="id3343X26920" name="Policy" comment="" ro="False" ipv4_rule_set="False" ipv6_rule_set="False" top_rule_set="True">
<RuleSetOptions/></Policy>
<Routing id="id3345X26920" name="Routing" comment="" ro="False" ipv4_rule_set="False" ipv6_rule_set="False" top_rule_set="True"><RuleSetOptions/>
</Routing>
<Interface id="id3346X26920" dedicated_failover="False" dyn="False" label="" security_level="0" unnum="False" unprotected="False" name="en0" comment="" ro="False">
<IPv4 id="id3348X26920" name="openbsd-2:en0:ip" comment="" ro="False" address="172.24.0.3" netmask="255.255.255.0"/>
<InterfaceOptions/>
@ -1755,18 +1768,18 @@
</Management>
<FirewallOptions>
<Option name="accept_new_tcp_with_no_syn">False</Option>
<Option name="activationCmd"></Option>
<Option name="admUser"></Option>
<Option name="altAddress"></Option>
<Option name="activationCmd"/>
<Option name="admUser"/>
<Option name="altAddress"/>
<Option name="check_shading">False</Option>
<Option name="cmdline"></Option>
<Option name="compiler"></Option>
<Option name="cmdline"/>
<Option name="compiler"/>
<Option name="configure_carp_interfaces">True</Option>
<Option name="configure_interfaces">True</Option>
<Option name="configure_pfsync_interfaces">False</Option>
<Option name="configure_vlan_interfaces">False</Option>
<Option name="debug">False</Option>
<Option name="epilog_script"></Option>
<Option name="epilog_script"/>
<Option name="fallback_log">False</Option>
<Option name="firewall_dir">/etc</Option>
<Option name="ignore_empty_groups">False</Option>
@ -1775,11 +1788,11 @@
<Option name="log_prefix">RULE %N -- %A </Option>
<Option name="loopback_interface">lo0</Option>
<Option name="manage_virtual_addr">True</Option>
<Option name="mgmt_addr"></Option>
<Option name="mgmt_addr"/>
<Option name="mgmt_ssh">False</Option>
<Option name="modulate_state">False</Option>
<Option name="openbsd_ip_forward">1</Option>
<Option name="output_file"></Option>
<Option name="output_file"/>
<Option name="pass_all_out">false</Option>
<Option name="pf_adaptive_end">0</Option>
<Option name="pf_adaptive_start">0</Option>
@ -1799,7 +1812,7 @@
<Option name="pf_limit_states">10000</Option>
<Option name="pf_limit_table_entries">0</Option>
<Option name="pf_limit_tables">0</Option>
<Option name="pf_optimization"></Option>
<Option name="pf_optimization"/>
<Option name="pf_other_first">0</Option>
<Option name="pf_other_multiple">0</Option>
<Option name="pf_other_single">0</Option>
@ -1839,15 +1852,20 @@
<Option name="pf_udp_multiple">0</Option>
<Option name="pf_udp_single">0</Option>
<Option name="prolog_place">fw_file</Option>
<Option name="prolog_script"></Option>
<Option name="scpArgs"></Option>
<Option name="sshArgs"></Option>
<Option name="prolog_script"/>
<Option name="scpArgs"/>
<Option name="sshArgs"/>
</FirewallOptions>
</Firewall>
<Firewall id="id7290X42213" host_OS="freebsd" inactive="False" lastCompiled="0" lastInstalled="0" lastModified="1245802413" platform="pf" version="4.x" name="freebsd-1" comment="" ro="False">
<NAT id="id7310X42213" name="NAT" comment="" ro="False" ipv4_rule_set="False" ipv6_rule_set="False" top_rule_set="True"/>
<Policy id="id7309X42213" name="Policy" comment="" ro="False" ipv4_rule_set="False" ipv6_rule_set="False" top_rule_set="True"/>
<Routing id="id7311X42213" name="Routing" comment="" ro="False" ipv4_rule_set="False" ipv6_rule_set="False" top_rule_set="True"/>
<NAT id="id7310X42213" name="NAT" comment="" ro="False" ipv4_rule_set="False" ipv6_rule_set="False" top_rule_set="True"><RuleSetOptions/>
</NAT>
<Policy id="id7309X42213" name="Policy" comment="" ro="False" ipv4_rule_set="False" ipv6_rule_set="False" top_rule_set="True">
<RuleSetOptions/></Policy>
<Routing id="id7311X42213" name="Routing" comment="" ro="False" ipv4_rule_set="False" ipv6_rule_set="False" top_rule_set="True"><RuleSetOptions/>
</Routing>
<Interface id="id7296X42213" dedicated_failover="False" dyn="False" label="" security_level="0" unnum="False" unprotected="False" name="en0" comment="" ro="False">
<IPv4 id="id7301X42213" name="freebsd-1:en0:ip" comment="" ro="False" address="172.24.0.2" netmask="255.255.255.0"/>
<InterfaceOptions/>
@ -1869,18 +1887,18 @@
</Management>
<FirewallOptions>
<Option name="accept_new_tcp_with_no_syn">False</Option>
<Option name="activationCmd"></Option>
<Option name="admUser"></Option>
<Option name="altAddress"></Option>
<Option name="activationCmd"/>
<Option name="admUser"/>
<Option name="altAddress"/>
<Option name="check_shading">False</Option>
<Option name="cmdline"></Option>
<Option name="compiler"></Option>
<Option name="cmdline"/>
<Option name="compiler"/>
<Option name="configure_carp_interfaces">True</Option>
<Option name="configure_interfaces">True</Option>
<Option name="configure_pfsync_interfaces">True</Option>
<Option name="configure_vlan_interfaces">True</Option>
<Option name="debug">False</Option>
<Option name="epilog_script"></Option>
<Option name="epilog_script"/>
<Option name="fallback_log">False</Option>
<Option name="firewall_dir">/etc</Option>
<Option name="freebsd_ip_forward">1</Option>
@ -1890,11 +1908,11 @@
<Option name="log_prefix">RULE %N -- %A </Option>
<Option name="loopback_interface">lo0</Option>
<Option name="manage_virtual_addr">True</Option>
<Option name="mgmt_addr"></Option>
<Option name="mgmt_addr"/>
<Option name="mgmt_ssh">False</Option>
<Option name="modulate_state">False</Option>
<Option name="openbsd_ip_forward">1</Option>
<Option name="output_file"></Option>
<Option name="output_file"/>
<Option name="pass_all_out">false</Option>
<Option name="pf_adaptive_end">0</Option>
<Option name="pf_adaptive_start">0</Option>
@ -1914,7 +1932,7 @@
<Option name="pf_limit_states">10000</Option>
<Option name="pf_limit_table_entries">0</Option>
<Option name="pf_limit_tables">0</Option>
<Option name="pf_optimization"></Option>
<Option name="pf_optimization"/>
<Option name="pf_other_first">0</Option>
<Option name="pf_other_multiple">0</Option>
<Option name="pf_other_single">0</Option>
@ -1954,15 +1972,20 @@
<Option name="pf_udp_multiple">0</Option>
<Option name="pf_udp_single">0</Option>
<Option name="prolog_place">fw_file</Option>
<Option name="prolog_script"></Option>
<Option name="scpArgs"></Option>
<Option name="sshArgs"></Option>
<Option name="prolog_script"/>
<Option name="scpArgs"/>
<Option name="sshArgs"/>
</FirewallOptions>
</Firewall>
<Firewall id="id7317X42213" host_OS="freebsd" inactive="False" lastCompiled="0" lastInstalled="0" lastModified="1245802420" platform="pf" version="4.x" name="freebsd-2" comment="" ro="False">
<NAT id="id7330X42213" name="NAT" comment="" ro="False" ipv4_rule_set="False" ipv6_rule_set="False" top_rule_set="True"/>
<Policy id="id7329X42213" name="Policy" comment="" ro="False" ipv4_rule_set="False" ipv6_rule_set="False" top_rule_set="True"/>
<Routing id="id7331X42213" name="Routing" comment="" ro="False" ipv4_rule_set="False" ipv6_rule_set="False" top_rule_set="True"/>
<NAT id="id7330X42213" name="NAT" comment="" ro="False" ipv4_rule_set="False" ipv6_rule_set="False" top_rule_set="True"><RuleSetOptions/>
</NAT>
<Policy id="id7329X42213" name="Policy" comment="" ro="False" ipv4_rule_set="False" ipv6_rule_set="False" top_rule_set="True">
<RuleSetOptions/></Policy>
<Routing id="id7331X42213" name="Routing" comment="" ro="False" ipv4_rule_set="False" ipv6_rule_set="False" top_rule_set="True"><RuleSetOptions/>
</Routing>
<Interface id="id7323X42213" dedicated_failover="False" dyn="False" label="" security_level="0" unnum="False" unprotected="False" name="en0" comment="" ro="False">
<IPv4 id="id7325X42213" name="freebsd-2:en0:ip" comment="" ro="False" address="172.24.0.3" netmask="255.255.255.0"/>
<InterfaceOptions/>
@ -1978,18 +2001,18 @@
</Management>
<FirewallOptions>
<Option name="accept_new_tcp_with_no_syn">False</Option>
<Option name="activationCmd"></Option>
<Option name="admUser"></Option>
<Option name="altAddress"></Option>
<Option name="activationCmd"/>
<Option name="admUser"/>
<Option name="altAddress"/>
<Option name="check_shading">False</Option>
<Option name="cmdline"></Option>
<Option name="compiler"></Option>
<Option name="cmdline"/>
<Option name="compiler"/>
<Option name="configure_carp_interfaces">True</Option>
<Option name="configure_interfaces">True</Option>
<Option name="configure_pfsync_interfaces">False</Option>
<Option name="configure_vlan_interfaces">False</Option>
<Option name="debug">False</Option>
<Option name="epilog_script"></Option>
<Option name="epilog_script"/>
<Option name="fallback_log">False</Option>
<Option name="firewall_dir">/etc</Option>
<Option name="freebsd_ip_forward">1</Option>
@ -1999,11 +2022,11 @@
<Option name="log_prefix">RULE %N -- %A </Option>
<Option name="loopback_interface">lo0</Option>
<Option name="manage_virtual_addr">True</Option>
<Option name="mgmt_addr"></Option>
<Option name="mgmt_addr"/>
<Option name="mgmt_ssh">False</Option>
<Option name="modulate_state">False</Option>
<Option name="openbsd_ip_forward">1</Option>
<Option name="output_file"></Option>
<Option name="output_file"/>
<Option name="pass_all_out">false</Option>
<Option name="pf_adaptive_end">0</Option>
<Option name="pf_adaptive_start">0</Option>
@ -2023,7 +2046,7 @@
<Option name="pf_limit_states">10000</Option>
<Option name="pf_limit_table_entries">0</Option>
<Option name="pf_limit_tables">0</Option>
<Option name="pf_optimization"></Option>
<Option name="pf_optimization"/>
<Option name="pf_other_first">0</Option>
<Option name="pf_other_multiple">0</Option>
<Option name="pf_other_single">0</Option>
@ -2063,9 +2086,9 @@
<Option name="pf_udp_multiple">0</Option>
<Option name="pf_udp_single">0</Option>
<Option name="prolog_place">fw_file</Option>
<Option name="prolog_script"></Option>
<Option name="scpArgs"></Option>
<Option name="sshArgs"></Option>
<Option name="prolog_script"/>
<Option name="scpArgs"/>
<Option name="sshArgs"/>
</FirewallOptions>
</Firewall>
</ObjectGroup>

4990
test/pf/objects-for-regression-tests.fwb
View File

File diff suppressed because it is too large Load Diff

402
test/pix/cluster-tests.fwb
View File

@ -1,6 +1,6 @@
<?xml version="1.0" encoding="utf-8"?>
<!DOCTYPE FWObjectDatabase SYSTEM "fwbuilder.dtd">
<FWObjectDatabase xmlns="http://www.fwbuilder.org/1.0/" version="13" lastModified="1258406412" id="root">
<FWObjectDatabase xmlns="http://www.fwbuilder.org/1.0/" version="15" lastModified="1258406412" id="root">
<Library id="sysid99" name="Deleted Objects" comment="" ro="False">
<Interface id="id3213X42281" dedicated_failover="False" dyn="False" security_level="0" unnum="False" unprotected="False" name="vrrp2" comment="" ro="False">
<InterfaceOptions>
@ -9,9 +9,8 @@
<Option name="vrrp_secret">my_secret</Option>
</InterfaceOptions>
</Interface>
<ObjectRef ref="id2844X69605"/>
<Policy id="id6188X76214" name="to_fw" comment="" ro="False" ipv4_rule_set="True" ipv6_rule_set="False" top_rule_set="False">
<PolicyRule id="id10428X76214" disabled="False" log="True" position="0" action="Deny" direction="Both" comment="hashlimit 10/sec">
<PolicyRule id="id10428X76214" disabled="False" log="True" position="0" action="Deny" direction="Both" comment="hashlimit 10/sec">
<Src neg="False">
<ObjectRef ref="sysid0"/>
</Src>
@ -40,22 +39,21 @@
<Option name="hashlimit_mode_dstport">False</Option>
<Option name="hashlimit_mode_srcip">False</Option>
<Option name="hashlimit_mode_srcport">False</Option>
<Option name="hashlimit_name"></Option>
<Option name="hashlimit_name"/>
<Option name="hashlimit_size">0</Option>
<Option name="hashlimit_suffix">/second</Option>
<Option name="hashlimit_value">10</Option>
<Option name="limit_burst">0</Option>
<Option name="limit_suffix"></Option>
<Option name="limit_suffix"/>
<Option name="limit_value">0</Option>
<Option name="log_level"></Option>
<Option name="log_prefix"></Option>
<Option name="log_level"/>
<Option name="log_prefix"/>
<Option name="stateless">True</Option>
<Option name="ulog_nlgroup">1</Option>
</PolicyRuleOptions>
</PolicyRule>
</Policy>
</PolicyRule><RuleSetOptions/></Policy>
<Policy id="id2274X68642" name="to_fw" comment="" ro="False" ipv4_rule_set="True" ipv6_rule_set="False" top_rule_set="False">
<PolicyRule id="id2275X68642" disabled="False" log="True" position="0" action="Deny" direction="Both" comment="hashlimit 10/sec">
<PolicyRule id="id2275X68642" disabled="False" log="True" position="0" action="Deny" direction="Both" comment="hashlimit 10/sec">
<Src neg="False">
<ObjectRef ref="sysid0"/>
</Src>
@ -84,30 +82,25 @@
<Option name="hashlimit_mode_dstport">False</Option>
<Option name="hashlimit_mode_srcip">False</Option>
<Option name="hashlimit_mode_srcport">False</Option>
<Option name="hashlimit_name"></Option>
<Option name="hashlimit_name"/>
<Option name="hashlimit_size">0</Option>
<Option name="hashlimit_suffix">/second</Option>
<Option name="hashlimit_value">10</Option>
<Option name="limit_burst">0</Option>
<Option name="limit_suffix"></Option>
<Option name="limit_suffix"/>
<Option name="limit_value">0</Option>
<Option name="log_level"></Option>
<Option name="log_prefix"></Option>
<Option name="log_level"/>
<Option name="log_prefix"/>
<Option name="stateless">True</Option>
<Option name="ulog_nlgroup">1</Option>
</PolicyRuleOptions>
</PolicyRule>
</Policy>
<ObjectRef ref="id3DC75CE7-1"/>
<ObjectRef ref="id2374X75741"/>
</PolicyRule><RuleSetOptions/></Policy>
<Interface id="id2875X71781" dedicated_failover="False" dyn="False" security_level="0" unnum="False" unprotected="False" name="Interface" comment="" ro="False">
<InterfaceOptions/>
</Interface>
<IPv4 id="id2375X75741" name="cluster1:FastEthernet0/0.101:ip" comment="" ro="False" address="192.168.100.1" netmask="255.255.255.0"/>
<IPv4 id="id2380X75741" name="cluster1:FastEthernet0/1:ip" comment="" ro="False" address="192.0.2.1" netmask="255.255.255.0"/>
<ObjectRef ref="id2331X71781"/>
<IPv4 id="id10439X39874" name="pix-1:FastEthernet0/0:FastEthernet0/0.101:ip" comment="" ro="False" address="192.168.100.253" netmask="255.255.255.0"/>
<ObjectRef ref="id3188X29979"/>
<Interface id="id3188X29979" dedicated_failover="False" dyn="False" label="inside" mgmt="False" network_zone="id3042X68642" security_level="100" unnum="False" unprotected="False" name="FastEthernet0/0.101" comment="vlan interface " ro="False">
<InterfaceOptions>
<Option name="dev_plus_vid">False</Option>
@ -118,11 +111,15 @@
<Option name="vlan_plus_vid_no_pad">False</Option>
</InterfaceOptions>
</Interface>
<ObjectRef ref="id3041X68642"/>
<Firewall id="id2251X68642" host_OS="pix_os" inactive="False" lastCompiled="0" lastInstalled="0" lastModified="1257896939" platform="pix" version="7.0" name="pix-2" comment=" " ro="False">
<NAT id="id2287X68642" name="NAT" comment="" ro="False" ipv4_rule_set="False" ipv6_rule_set="False" top_rule_set="True"/>
<Policy id="id2273X68642" name="Policy" comment="" ro="False" ipv4_rule_set="False" ipv6_rule_set="False" top_rule_set="True"/>
<Routing id="id2288X68642" name="Routing" comment="" ro="False" ipv4_rule_set="False" ipv6_rule_set="False" top_rule_set="True"/>
<NAT id="id2287X68642" name="NAT" comment="" ro="False" ipv4_rule_set="False" ipv6_rule_set="False" top_rule_set="True"><RuleSetOptions/>
</NAT>
<Policy id="id2273X68642" name="Policy" comment="" ro="False" ipv4_rule_set="False" ipv6_rule_set="False" top_rule_set="True">
<RuleSetOptions/></Policy>
<Routing id="id2288X68642" name="Routing" comment="" ro="False" ipv4_rule_set="False" ipv6_rule_set="False" top_rule_set="True"><RuleSetOptions/>
</Routing>
<Interface id="id2257X68642" dedicated_failover="False" dyn="False" label="" mgmt="False" network_zone="sysid0" security_level="0" unnum="True" unprotected="False" name="FastEthernet0/0" comment=" " ro="False">
<InterfaceOptions>
<Option name="type">ethernet</Option>
@ -161,16 +158,16 @@
<FirewallOptions>
<Option name="accept_established">True</Option>
<Option name="accept_new_tcp_with_no_syn">True</Option>
<Option name="action_on_reject"></Option>
<Option name="activationCmd"></Option>
<Option name="admUser"></Option>
<Option name="altAddress"></Option>
<Option name="action_on_reject"/>
<Option name="activationCmd"/>
<Option name="admUser"/>
<Option name="altAddress"/>
<Option name="bridging_fw">False</Option>
<Option name="check_shading">False</Option>
<Option name="clamp_mss_to_mtu">False</Option>
<Option name="classify_mark_terminating">False</Option>
<Option name="cmdline"></Option>
<Option name="compiler"></Option>
<Option name="cmdline"/>
<Option name="compiler"/>
<Option name="configure_interfaces">True</Option>
<Option name="configure_vlan_interfaces">True</Option>
<Option name="ctiqbe_fixup">2 2748 0 nil 0</Option>
@ -178,7 +175,7 @@
<Option name="dns_fixup">2 65535 0 nil 0</Option>
<Option name="drop_invalid">False</Option>
<Option name="eliminate_duplicates">true</Option>
<Option name="epilog_script"></Option>
<Option name="epilog_script"/>
<Option name="espike_fixup">2 0 0 nil 0</Option>
<Option name="firewall_dir">/etc</Option>
<Option name="firewall_is_part_of_any_and_networks">True</Option>
@ -191,9 +188,9 @@
<Option name="icmp_error_fixup">2 0 0 nil 0</Option>
<Option name="ignore_empty_groups">False</Option>
<Option name="ils_fixup">2 389 389 nil 0</Option>
<Option name="ipt_mangle_only_rulesets"></Option>
<Option name="ipt_mangle_only_rulesets"/>
<Option name="ipv4_6_order">ipv4_first</Option>
<Option name="limit_suffix"></Option>
<Option name="limit_suffix"/>
<Option name="limit_value">0</Option>
<Option name="linux24_ip_forward">1</Option>
<Option name="load_modules">True</Option>
@ -209,11 +206,11 @@
<Option name="macosx_ip_forward">1</Option>
<Option name="manage_virtual_addr">True</Option>
<Option name="mgcp_fixup">2 2427 2727 nil 0</Option>
<Option name="mgmt_addr"></Option>
<Option name="mgmt_addr"/>
<Option name="mgmt_ssh">False</Option>
<Option name="modules_dir">/lib/modules/`uname -r`/kernel/net/</Option>
<Option name="openbsd_ip_forward">1</Option>
<Option name="output_file"></Option>
<Option name="output_file"/>
<Option name="pf_limit_frags">5000</Option>
<Option name="pf_limit_states">10000</Option>
<Option name="pf_timeout_frag">30</Option>
@ -229,31 +226,31 @@
<Option name="pix_floodguard">true</Option>
<Option name="pix_include_comments">true</Option>
<Option name="pix_ip_address">True</Option>
<Option name="pix_ntp1"></Option>
<Option name="pix_ntp1"/>
<Option name="pix_ntp1_pref">False</Option>
<Option name="pix_ntp2"></Option>
<Option name="pix_ntp2"/>
<Option name="pix_ntp2_pref">False</Option>
<Option name="pix_ntp3"></Option>
<Option name="pix_ntp3"/>
<Option name="pix_ntp3_pref">False</Option>
<Option name="pix_route_dnat_supported">true</Option>
<Option name="pix_rule_syslog_settings">false</Option>
<Option name="pix_security_fragguard_supported">true</Option>
<Option name="pix_set_communities_from_object_data">False</Option>
<Option name="pix_set_host_name">True</Option>
<Option name="pix_snmp_poll_traps_1"></Option>
<Option name="pix_snmp_poll_traps_2"></Option>
<Option name="pix_snmp_server1"></Option>
<Option name="pix_snmp_server2"></Option>
<Option name="pix_snmp_poll_traps_1"/>
<Option name="pix_snmp_poll_traps_2"/>
<Option name="pix_snmp_server1"/>
<Option name="pix_snmp_server2"/>
<Option name="pix_syslog_device_id_supported">false</Option>
<Option name="pix_tcpmss">False</Option>
<Option name="pix_tcpmss_value">0</Option>
<Option name="pix_use_acl_remarks">true</Option>
<Option name="pptp_fixup">2 1723 0 nil 0</Option>
<Option name="prolog_place">top</Option>
<Option name="prolog_script"></Option>
<Option name="prolog_script"/>
<Option name="rsh_fixup">2 514 0 nil 0</Option>
<Option name="rtsp_fixup">2 554 0 nil 0</Option>
<Option name="scpArgs"></Option>
<Option name="scpArgs"/>
<Option name="secuwall_add_files">False</Option>
<Option name="secuwall_add_files_dir">/opt/secuwall/templates/default</Option>
<Option name="secuwall_dns_reso1">files</Option>
@ -263,7 +260,7 @@
<Option name="smtp_fixup">2 25 25 nil 0</Option>
<Option name="solaris_ip_forward">1</Option>
<Option name="sqlnet_fixup">2 1521 1521 nil 0</Option>
<Option name="sshArgs"></Option>
<Option name="sshArgs"/>
<Option name="tftp_fixup">2 69 0 nil 0</Option>
<Option name="ulog_cprange">0</Option>
<Option name="ulog_nlgroup">1</Option>
@ -274,17 +271,9 @@
<Option name="verify_interfaces">True</Option>
</FirewallOptions>
</Firewall>
<ObjectRef ref="id2946X39486"/>
<ObjectRef ref="id2941X39486"/>
<ObjectRef ref="id2843X69605"/>
<ObjectRef ref="id2936X39486"/>
<ObjectRef ref="id2461X26048"/>
<ObjectRef ref="id2490X26048"/>
<IPv4 id="id2944X39486" name="pix2:Ethernet0:ip" comment="" ro="False" address="192.0.2.254" netmask="255.255.255.0"/>
<IPv4 id="id2846X69605" name="pix1:Ethernet0:ip" comment="" ro="False" address="192.0.2.253" netmask="255.255.255.0"/>
<IPv4 id="id4842X97641" name="cluster1_v6:Ethernet0:ip" comment="" ro="False" address="0.0.0.0" netmask="0.0.0.0"/>
<ObjectRef ref="id3817X97641"/>
<ObjectRef ref="id3315X97641"/>
</Library>
<Library id="id1495X69605" color="#d2ffd0" name="User" comment="" ro="False">
<ObjectGroup id="id1502X69605" name="Clusters" comment="" ro="False">
@ -311,9 +300,11 @@
</TSrv>
<NATRuleOptions/>
</NATRule>
<RuleSetOptions/>
</NAT>
<Policy id="id2369X75741" name="Policy" comment="" ro="False" ipv4_rule_set="False" ipv6_rule_set="False" top_rule_set="True">
<PolicyRule id="id2913X78273" disabled="False" log="True" position="0" action="Deny" direction="Inbound" comment="anti spoofing rule">
<PolicyRule id="id2913X78273" disabled="False" log="True" position="0" action="Deny" direction="Inbound" comment="anti spoofing rule">
<Src neg="False">
<ObjectRef ref="id2366X75741"/>
<ObjectRef ref="id2385X39486"/>
@ -331,8 +322,7 @@
<IntervalRef ref="sysid2"/>
</When>
<PolicyRuleOptions/>
</PolicyRule>
<PolicyRule id="id2879X78273" disabled="False" log="False" position="1" action="Accept" direction="Both" comment="SSH Access to firewall is permitted&#10;only from internal network">
</PolicyRule><PolicyRule id="id2879X78273" disabled="False" log="False" position="1" action="Accept" direction="Both" comment="SSH Access to firewall is permitted&#10;only from internal network">
<Src neg="False">
<ObjectRef ref="id2385X39486"/>
</Src>
@ -349,8 +339,7 @@
<IntervalRef ref="sysid2"/>
</When>
<PolicyRuleOptions/>
</PolicyRule>
<PolicyRule id="id55439X897" disabled="False" group="" log="True" position="2" action="Accept" direction="Both" comment="Firewall uses one of the machines&#10;on internal network for DNS">
</PolicyRule><PolicyRule id="id55439X897" disabled="False" group="" log="True" position="2" action="Accept" direction="Both" comment="Firewall uses one of the machines&#10;on internal network for DNS">
<Src neg="False">
<ObjectRef ref="id2735X69605"/>
</Src>
@ -367,8 +356,7 @@
<IntervalRef ref="sysid2"/>
</When>
<PolicyRuleOptions/>
</PolicyRule>
<PolicyRule id="id2862X78273" disabled="False" log="True" position="3" action="Accept" direction="Both" comment="Firewall uses one of the machines&#10;on internal network for DNS">
</PolicyRule><PolicyRule id="id2862X78273" disabled="False" log="True" position="3" action="Accept" direction="Both" comment="Firewall uses one of the machines&#10;on internal network for DNS">
<Src neg="False">
<ObjectRef ref="id2366X75741"/>
</Src>
@ -385,8 +373,7 @@
<IntervalRef ref="sysid2"/>
</When>
<PolicyRuleOptions/>
</PolicyRule>
<PolicyRule id="id2845X78273" disabled="False" log="True" position="4" action="Deny" direction="Both" comment="All other attempts to connect to&#10;the firewall are denied and logged">
</PolicyRule><PolicyRule id="id2845X78273" disabled="False" log="True" position="4" action="Deny" direction="Both" comment="All other attempts to connect to&#10;the firewall are denied and logged">
<Src neg="False">
<ObjectRef ref="sysid0"/>
</Src>
@ -403,8 +390,7 @@
<IntervalRef ref="sysid2"/>
</When>
<PolicyRuleOptions/>
</PolicyRule>
<PolicyRule id="id2828X78273" disabled="False" log="False" position="5" action="Accept" direction="Both" comment="">
</PolicyRule><PolicyRule id="id2828X78273" disabled="False" log="False" position="5" action="Accept" direction="Both" comment="">
<Src neg="False">
<ObjectRef ref="id2385X39486"/>
</Src>
@ -421,8 +407,7 @@
<IntervalRef ref="sysid2"/>
</When>
<PolicyRuleOptions/>
</PolicyRule>
<PolicyRule id="id2811X78273" disabled="False" log="True" position="6" action="Deny" direction="Both" comment="">
</PolicyRule><PolicyRule id="id2811X78273" disabled="False" log="True" position="6" action="Deny" direction="Both" comment="">
<Src neg="False">
<ObjectRef ref="sysid0"/>
</Src>
@ -439,9 +424,10 @@
<IntervalRef ref="sysid2"/>
</When>
<PolicyRuleOptions/>
</PolicyRule>
</Policy>
<Routing id="id2371X75741" name="Routing" comment="" ro="False" ipv4_rule_set="False" ipv6_rule_set="False" top_rule_set="True"/>
</PolicyRule><RuleSetOptions/></Policy>
<Routing id="id2371X75741" name="Routing" comment="" ro="False" ipv4_rule_set="False" ipv6_rule_set="False" top_rule_set="True"><RuleSetOptions/>
</Routing>
<Interface id="id2374X75741" dedicated_failover="False" dyn="False" label="inside" mgmt="False" network_zone="id3042X68642" security_level="100" unnum="False" unprotected="False" name="Ethernet1" comment="" ro="False">
<InterfaceOptions>
<Option name="iface_mtu">1500</Option>
@ -515,9 +501,11 @@
</TSrv>
<NATRuleOptions/>
</NATRule>
<RuleSetOptions/>
</NAT>
<Policy id="id2892X26048" name="Policy" comment="" ro="False" ipv4_rule_set="False" ipv6_rule_set="False" top_rule_set="True">
<PolicyRule id="id2893X26048" disabled="False" log="True" position="0" action="Deny" direction="Inbound" comment="anti spoofing rule">
<PolicyRule id="id2893X26048" disabled="False" log="True" position="0" action="Deny" direction="Inbound" comment="anti spoofing rule">
<Src neg="False">
<ObjectRef ref="id2851X26048"/>
<ObjectRef ref="id2385X39486"/>
@ -535,8 +523,7 @@
<IntervalRef ref="sysid2"/>
</When>
<PolicyRuleOptions/>
</PolicyRule>
<PolicyRule id="id2906X26048" disabled="False" log="False" position="1" action="Accept" direction="Both" comment="SSH Access to firewall is permitted&#10;only from internal network">
</PolicyRule><PolicyRule id="id2906X26048" disabled="False" log="False" position="1" action="Accept" direction="Both" comment="SSH Access to firewall is permitted&#10;only from internal network">
<Src neg="False">
<ObjectRef ref="id2385X39486"/>
</Src>
@ -553,8 +540,7 @@
<IntervalRef ref="sysid2"/>
</When>
<PolicyRuleOptions/>
</PolicyRule>
<PolicyRule id="id2918X26048" disabled="False" log="True" position="2" action="Accept" direction="Both" comment="Firewall uses one of the machines&#10;on internal network for DNS">
</PolicyRule><PolicyRule id="id2918X26048" disabled="False" log="True" position="2" action="Accept" direction="Both" comment="Firewall uses one of the machines&#10;on internal network for DNS">
<Src neg="False">
<ObjectRef ref="id2851X26048"/>
</Src>
@ -571,8 +557,7 @@
<IntervalRef ref="sysid2"/>
</When>
<PolicyRuleOptions/>
</PolicyRule>
<PolicyRule id="id2930X26048" disabled="False" log="True" position="3" action="Deny" direction="Both" comment="All other attempts to connect to&#10;the firewall are denied and logged">
</PolicyRule><PolicyRule id="id2930X26048" disabled="False" log="True" position="3" action="Deny" direction="Both" comment="All other attempts to connect to&#10;the firewall are denied and logged">
<Src neg="False">
<ObjectRef ref="sysid0"/>
</Src>
@ -589,8 +574,7 @@
<IntervalRef ref="sysid2"/>
</When>
<PolicyRuleOptions/>
</PolicyRule>
<PolicyRule id="id2942X26048" disabled="False" log="False" position="4" action="Accept" direction="Both" comment="">
</PolicyRule><PolicyRule id="id2942X26048" disabled="False" log="False" position="4" action="Accept" direction="Both" comment="">
<Src neg="False">
<ObjectRef ref="id2385X39486"/>
</Src>
@ -607,8 +591,7 @@
<IntervalRef ref="sysid2"/>
</When>
<PolicyRuleOptions/>
</PolicyRule>
<PolicyRule id="id2954X26048" disabled="False" log="True" position="5" action="Deny" direction="Both" comment="">
</PolicyRule><PolicyRule id="id2954X26048" disabled="False" log="True" position="5" action="Deny" direction="Both" comment="">
<Src neg="False">
<ObjectRef ref="sysid0"/>
</Src>
@ -625,9 +608,10 @@
<IntervalRef ref="sysid2"/>
</When>
<PolicyRuleOptions/>
</PolicyRule>
</Policy>
<Routing id="id2981X26048" name="Routing" comment="" ro="False" ipv4_rule_set="False" ipv6_rule_set="False" top_rule_set="True"/>
</PolicyRule><RuleSetOptions/></Policy>
<Routing id="id2981X26048" name="Routing" comment="" ro="False" ipv4_rule_set="False" ipv6_rule_set="False" top_rule_set="True"><RuleSetOptions/>
</Routing>
<Interface id="id2859X26048" dedicated_failover="False" dyn="False" label="inside" mgmt="False" network_zone="id3042X68642" security_level="100" unnum="False" unprotected="False" name="Ethernet1" comment="" ro="False">
<InterfaceOptions>
<Option name="iface_mtu">1500</Option>
@ -716,9 +700,14 @@
</ServiceGroup>
<ObjectGroup id="id1514X69605" name="Firewalls" comment="" ro="False">
<Firewall id="id2735X69605" host_OS="pix_os" inactive="False" lastCompiled="1258409844" lastInstalled="0" lastModified="1258414389" platform="pix" version="7.0" name="pix1" comment=" " ro="False">
<NAT id="id2827X69605" name="NAT" comment="" ro="False" ipv4_rule_set="False" ipv6_rule_set="False" top_rule_set="True"/>
<Policy id="id2741X69605" name="Policy" comment="" ro="False" ipv4_rule_set="False" ipv6_rule_set="False" top_rule_set="True"/>
<Routing id="id2842X69605" name="Routing" comment="" ro="False" ipv4_rule_set="False" ipv6_rule_set="False" top_rule_set="True"/>
<NAT id="id2827X69605" name="NAT" comment="" ro="False" ipv4_rule_set="False" ipv6_rule_set="False" top_rule_set="True"><RuleSetOptions/>
</NAT>
<Policy id="id2741X69605" name="Policy" comment="" ro="False" ipv4_rule_set="False" ipv6_rule_set="False" top_rule_set="True">
<RuleSetOptions/></Policy>
<Routing id="id2842X69605" name="Routing" comment="" ro="False" ipv4_rule_set="False" ipv6_rule_set="False" top_rule_set="True"><RuleSetOptions/>
</Routing>
<Interface id="id2843X69605" dedicated_failover="False" dyn="False" label="inside" mgmt="True" network_zone="id2385X39486" security_level="100" unnum="False" unprotected="False" name="Ethernet1" comment=" " ro="False">
<IPv4 id="id2384X39486" name="pix1:Ethernet1:ip" comment="" ro="False" address="10.3.14.206" netmask="255.255.255.0"/>
<InterfaceOptions>
@ -734,12 +723,12 @@
<Interface id="id3814X97641" dedicated_failover="False" dyn="False" label="outside" mgmt="False" network_zone="sysid0" security_level="0" unnum="False" unprotected="False" name="Ethernet0.101" comment="" ro="False">
<IPv4 id="id3816X97641" name="pix1:Ethernet0:Ethernet0.101:ip" comment="" ro="False" address="192.0.2.253" netmask="255.255.255.0"/>
<InterfaceOptions>
<Option name="bonding_policy"></Option>
<Option name="bondng_driver_options"></Option>
<Option name="bonding_policy"/>
<Option name="bondng_driver_options"/>
<Option name="enable_stp">False</Option>
<Option name="type">8021q</Option>
<Option name="vlan_id">101</Option>
<Option name="xmit_hash_policy"></Option>
<Option name="xmit_hash_policy"/>
</InterfaceOptions>
</Interface>
<Interface id="id3817X97641" dedicated_failover="False" dyn="False" label="" mgmt="False" network_zone="id11817X97641" security_level="20" unnum="False" unprotected="False" name="Ethernet0.102" comment="" ro="False">
@ -764,16 +753,16 @@
<FirewallOptions>
<Option name="accept_established">True</Option>
<Option name="accept_new_tcp_with_no_syn">True</Option>
<Option name="action_on_reject"></Option>
<Option name="activationCmd"></Option>
<Option name="admUser"></Option>
<Option name="altAddress"></Option>
<Option name="action_on_reject"/>
<Option name="activationCmd"/>
<Option name="admUser"/>
<Option name="altAddress"/>
<Option name="bridging_fw">False</Option>
<Option name="check_shading">False</Option>
<Option name="clamp_mss_to_mtu">False</Option>
<Option name="classify_mark_terminating">False</Option>
<Option name="cmdline"></Option>
<Option name="compiler"></Option>
<Option name="cmdline"/>
<Option name="compiler"/>
<Option name="configure_interfaces">True</Option>
<Option name="configure_vlan_interfaces">True</Option>
<Option name="conn_hh">0</Option>
@ -784,7 +773,7 @@
<Option name="dns_fixup">2 65535 0 nil 0</Option>
<Option name="drop_invalid">False</Option>
<Option name="eliminate_duplicates">true</Option>
<Option name="epilog_script"></Option>
<Option name="epilog_script"/>
<Option name="espike_fixup">2 0 0 nil 0</Option>
<Option name="firewall_dir">/etc</Option>
<Option name="firewall_is_part_of_any_and_networks">True</Option>
@ -803,9 +792,9 @@
<Option name="icmp_error_fixup">2 0 0 nil 0</Option>
<Option name="ignore_empty_groups">False</Option>
<Option name="ils_fixup">2 389 389 nil 0</Option>
<Option name="ipt_mangle_only_rulesets"></Option>
<Option name="ipt_mangle_only_rulesets"/>
<Option name="ipv4_6_order">ipv4_first</Option>
<Option name="limit_suffix"></Option>
<Option name="limit_suffix"/>
<Option name="limit_value">0</Option>
<Option name="linux24_ip_forward">1</Option>
<Option name="load_modules">True</Option>
@ -821,11 +810,11 @@
<Option name="macosx_ip_forward">1</Option>
<Option name="manage_virtual_addr">True</Option>
<Option name="mgcp_fixup">2 2427 2727 nil 0</Option>
<Option name="mgmt_addr"></Option>
<Option name="mgmt_addr"/>
<Option name="mgmt_ssh">False</Option>
<Option name="modules_dir">/lib/modules/`uname -r`/kernel/net/</Option>
<Option name="openbsd_ip_forward">1</Option>
<Option name="output_file"></Option>
<Option name="output_file"/>
<Option name="pf_limit_frags">5000</Option>
<Option name="pf_limit_states">10000</Option>
<Option name="pf_timeout_frag">30</Option>
@ -833,7 +822,7 @@
<Option name="pix_acl_basic">True</Option>
<Option name="pix_acl_no_clear">False</Option>
<Option name="pix_acl_substitution">False</Option>
<Option name="pix_acl_temp_addr"></Option>
<Option name="pix_acl_temp_addr"/>
<Option name="pix_add_clear_statements">true</Option>
<Option name="pix_assume_fw_part_of_any">True</Option>
<Option name="pix_check_duplicate_nat">False</Option>
@ -847,7 +836,7 @@
<Option name="pix_emblem_log_format">False</Option>
<Option name="pix_emulate_out_acl">True</Option>
<Option name="pix_enable_snmp_traps">False</Option>
<Option name="pix_epilog_script"></Option>
<Option name="pix_epilog_script"/>
<Option name="pix_floodguard">True</Option>
<Option name="pix_fragguard">False</Option>
<Option name="pix_generate_out_acl">True</Option>
@ -862,14 +851,14 @@
<Option name="pix_max_conns">0</Option>
<Option name="pix_nodnsalias_inbound">False</Option>
<Option name="pix_nodnsalias_outbound">False</Option>
<Option name="pix_ntp1"></Option>
<Option name="pix_ntp1"/>
<Option name="pix_ntp1_pref">False</Option>
<Option name="pix_ntp2"></Option>
<Option name="pix_ntp2"/>
<Option name="pix_ntp2_pref">False</Option>
<Option name="pix_ntp3"></Option>
<Option name="pix_ntp3"/>
<Option name="pix_ntp3_pref">False</Option>
<Option name="pix_optimize_default_nat">False</Option>
<Option name="pix_prolog_script"></Option>
<Option name="pix_prolog_script"/>
<Option name="pix_regroup_commands">False</Option>
<Option name="pix_replace_natted_objects">False</Option>
<Option name="pix_resetinbound">False</Option>
@ -880,16 +869,16 @@
<Option name="pix_security_fragguard_supported">true</Option>
<Option name="pix_set_communities_from_object_data">False</Option>
<Option name="pix_set_host_name">True</Option>
<Option name="pix_snmp_poll_traps_1"></Option>
<Option name="pix_snmp_poll_traps_2"></Option>
<Option name="pix_snmp_server1"></Option>
<Option name="pix_snmp_server2"></Option>
<Option name="pix_snmp_poll_traps_1"/>
<Option name="pix_snmp_poll_traps_2"/>
<Option name="pix_snmp_server1"/>
<Option name="pix_snmp_server2"/>
<Option name="pix_ssh_timeout">0</Option>
<Option name="pix_syslog_device_id_opt"></Option>
<Option name="pix_syslog_device_id_opt"/>
<Option name="pix_syslog_device_id_supported">false</Option>
<Option name="pix_syslog_device_id_val"></Option>
<Option name="pix_syslog_facility"></Option>
<Option name="pix_syslog_host"></Option>
<Option name="pix_syslog_device_id_val"/>
<Option name="pix_syslog_facility"/>
<Option name="pix_syslog_host"/>
<Option name="pix_syslog_queue_size">0</Option>
<Option name="pix_tcpmss">False</Option>
<Option name="pix_tcpmss_value">0</Option>
@ -898,13 +887,13 @@
<Option name="pix_use_manual_commit">False</Option>
<Option name="pptp_fixup">2 1723 0 nil 0</Option>
<Option name="prolog_place">top</Option>
<Option name="prolog_script"></Option>
<Option name="prolog_script"/>
<Option name="rpc_hh">0</Option>
<Option name="rpc_mm">0</Option>
<Option name="rpc_ss">0</Option>
<Option name="rsh_fixup">2 514 0 nil 0</Option>
<Option name="rtsp_fixup">2 554 0 nil 0</Option>
<Option name="scpArgs"></Option>
<Option name="scpArgs"/>
<Option name="secuwall_add_files">False</Option>
<Option name="secuwall_add_files_dir">/opt/secuwall/templates/default</Option>
<Option name="secuwall_dns_reso1">files</Option>
@ -920,7 +909,7 @@
<Option name="smtp_fixup">2 25 25 nil 0</Option>
<Option name="solaris_ip_forward">1</Option>
<Option name="sqlnet_fixup">2 1521 1521 nil 0</Option>
<Option name="sshArgs"></Option>
<Option name="sshArgs"/>
<Option name="tftp_fixup">2 69 0 nil 0</Option>
<Option name="uauth_abs">False</Option>
<Option name="uauth_hh">0</Option>
@ -943,9 +932,14 @@
</FirewallOptions>
</Firewall>
<Firewall id="id2930X39486" host_OS="pix_os" inactive="False" lastCompiled="1258409844" lastInstalled="0" lastModified="1258414396" platform="pix" version="7.0" name="pix2" comment=" " ro="False">
<NAT id="id2952X39486" name="NAT" comment="" ro="False" ipv4_rule_set="False" ipv6_rule_set="False" top_rule_set="True"/>
<Policy id="id2951X39486" name="Policy" comment="" ro="False" ipv4_rule_set="False" ipv6_rule_set="False" top_rule_set="True"/>
<Routing id="id2953X39486" name="Routing" comment="" ro="False" ipv4_rule_set="False" ipv6_rule_set="False" top_rule_set="True"/>
<NAT id="id2952X39486" name="NAT" comment="" ro="False" ipv4_rule_set="False" ipv6_rule_set="False" top_rule_set="True"><RuleSetOptions/>
</NAT>
<Policy id="id2951X39486" name="Policy" comment="" ro="False" ipv4_rule_set="False" ipv6_rule_set="False" top_rule_set="True">
<RuleSetOptions/></Policy>
<Routing id="id2953X39486" name="Routing" comment="" ro="False" ipv4_rule_set="False" ipv6_rule_set="False" top_rule_set="True"><RuleSetOptions/>
</Routing>
<Interface id="id2936X39486" dedicated_failover="False" dyn="False" label="inside" mgmt="True" network_zone="id2385X39486" security_level="100" unnum="False" unprotected="False" name="Ethernet1" comment=" " ro="False">
<IPv4 id="id2939X39486" name="pix2:Ethernet1:ip" comment="" ro="False" address="10.3.14.207" netmask="255.255.255.0"/>
<InterfaceOptions>
@ -961,12 +955,12 @@
<Interface id="id2818X95537" dedicated_failover="False" dyn="False" label="outside" mgmt="False" network_zone="sysid0" security_level="0" unnum="False" unprotected="False" name="Ethernet0.101" comment="" ro="False">
<IPv4 id="id2826X97641" name="pix2:Ethernet0:ip" comment="" ro="False" address="192.0.2.254" netmask="255.255.255.0"/>
<InterfaceOptions>
<Option name="bonding_policy"></Option>
<Option name="bondng_driver_options"></Option>
<Option name="bonding_policy"/>
<Option name="bondng_driver_options"/>
<Option name="enable_stp">False</Option>
<Option name="type">8021q</Option>
<Option name="vlan_id">101</Option>
<Option name="xmit_hash_policy"></Option>
<Option name="xmit_hash_policy"/>
</InterfaceOptions>
</Interface>
<Interface id="id3315X97641" dedicated_failover="False" dyn="False" label="" mgmt="False" network_zone="id11817X97641" security_level="20" unnum="False" unprotected="False" name="Ethernet0.102" comment="" ro="False">
@ -991,16 +985,16 @@
<FirewallOptions>
<Option name="accept_established">True</Option>
<Option name="accept_new_tcp_with_no_syn">True</Option>
<Option name="action_on_reject"></Option>
<Option name="activationCmd"></Option>
<Option name="admUser"></Option>
<Option name="altAddress"></Option>
<Option name="action_on_reject"/>
<Option name="activationCmd"/>
<Option name="admUser"/>
<Option name="altAddress"/>
<Option name="bridging_fw">False</Option>
<Option name="check_shading">False</Option>
<Option name="clamp_mss_to_mtu">False</Option>
<Option name="classify_mark_terminating">False</Option>
<Option name="cmdline"></Option>
<Option name="compiler"></Option>
<Option name="cmdline"/>
<Option name="compiler"/>
<Option name="configure_interfaces">True</Option>
<Option name="configure_vlan_interfaces">True</Option>
<Option name="conn_hh">0</Option>
@ -1011,7 +1005,7 @@
<Option name="dns_fixup">2 65535 0 nil 0</Option>
<Option name="drop_invalid">False</Option>
<Option name="eliminate_duplicates">true</Option>
<Option name="epilog_script"></Option>
<Option name="epilog_script"/>
<Option name="espike_fixup">2 0 0 nil 0</Option>
<Option name="firewall_dir">/etc</Option>
<Option name="firewall_is_part_of_any_and_networks">True</Option>
@ -1030,9 +1024,9 @@
<Option name="icmp_error_fixup">2 0 0 nil 0</Option>
<Option name="ignore_empty_groups">False</Option>
<Option name="ils_fixup">2 389 389 nil 0</Option>
<Option name="ipt_mangle_only_rulesets"></Option>
<Option name="ipt_mangle_only_rulesets"/>
<Option name="ipv4_6_order">ipv4_first</Option>
<Option name="limit_suffix"></Option>
<Option name="limit_suffix"/>
<Option name="limit_value">0</Option>
<Option name="linux24_ip_forward">1</Option>
<Option name="load_modules">True</Option>
@ -1048,11 +1042,11 @@
<Option name="macosx_ip_forward">1</Option>
<Option name="manage_virtual_addr">True</Option>
<Option name="mgcp_fixup">2 2427 2727 nil 0</Option>
<Option name="mgmt_addr"></Option>
<Option name="mgmt_addr"/>
<Option name="mgmt_ssh">False</Option>
<Option name="modules_dir">/lib/modules/`uname -r`/kernel/net/</Option>
<Option name="openbsd_ip_forward">1</Option>
<Option name="output_file"></Option>
<Option name="output_file"/>
<Option name="pf_limit_frags">5000</Option>
<Option name="pf_limit_states">10000</Option>
<Option name="pf_timeout_frag">30</Option>
@ -1060,7 +1054,7 @@
<Option name="pix_acl_basic">True</Option>
<Option name="pix_acl_no_clear">False</Option>
<Option name="pix_acl_substitution">False</Option>
<Option name="pix_acl_temp_addr"></Option>
<Option name="pix_acl_temp_addr"/>
<Option name="pix_add_clear_statements">true</Option>
<Option name="pix_assume_fw_part_of_any">True</Option>
<Option name="pix_check_duplicate_nat">False</Option>
@ -1074,7 +1068,7 @@
<Option name="pix_emblem_log_format">False</Option>
<Option name="pix_emulate_out_acl">True</Option>
<Option name="pix_enable_snmp_traps">False</Option>
<Option name="pix_epilog_script"></Option>
<Option name="pix_epilog_script"/>
<Option name="pix_floodguard">True</Option>
<Option name="pix_fragguard">False</Option>
<Option name="pix_generate_out_acl">True</Option>
@ -1089,14 +1083,14 @@
<Option name="pix_max_conns">0</Option>
<Option name="pix_nodnsalias_inbound">False</Option>
<Option name="pix_nodnsalias_outbound">False</Option>
<Option name="pix_ntp1"></Option>
<Option name="pix_ntp1"/>
<Option name="pix_ntp1_pref">False</Option>
<Option name="pix_ntp2"></Option>
<Option name="pix_ntp2"/>
<Option name="pix_ntp2_pref">False</Option>
<Option name="pix_ntp3"></Option>
<Option name="pix_ntp3"/>
<Option name="pix_ntp3_pref">False</Option>
<Option name="pix_optimize_default_nat">False</Option>
<Option name="pix_prolog_script"></Option>
<Option name="pix_prolog_script"/>
<Option name="pix_regroup_commands">False</Option>
<Option name="pix_replace_natted_objects">False</Option>
<Option name="pix_resetinbound">False</Option>
@ -1107,16 +1101,16 @@
<Option name="pix_security_fragguard_supported">true</Option>
<Option name="pix_set_communities_from_object_data">False</Option>
<Option name="pix_set_host_name">True</Option>
<Option name="pix_snmp_poll_traps_1"></Option>
<Option name="pix_snmp_poll_traps_2"></Option>
<Option name="pix_snmp_server1"></Option>
<Option name="pix_snmp_server2"></Option>
<Option name="pix_snmp_poll_traps_1"/>
<Option name="pix_snmp_poll_traps_2"/>
<Option name="pix_snmp_server1"/>
<Option name="pix_snmp_server2"/>
<Option name="pix_ssh_timeout">0</Option>
<Option name="pix_syslog_device_id_opt"></Option>
<Option name="pix_syslog_device_id_opt"/>
<Option name="pix_syslog_device_id_supported">false</Option>
<Option name="pix_syslog_device_id_val"></Option>
<Option name="pix_syslog_facility"></Option>
<Option name="pix_syslog_host"></Option>
<Option name="pix_syslog_device_id_val"/>
<Option name="pix_syslog_facility"/>
<Option name="pix_syslog_host"/>
<Option name="pix_syslog_queue_size">0</Option>
<Option name="pix_tcpmss">False</Option>
<Option name="pix_tcpmss_value">0</Option>
@ -1125,13 +1119,13 @@
<Option name="pix_use_manual_commit">False</Option>
<Option name="pptp_fixup">2 1723 0 nil 0</Option>
<Option name="prolog_place">top</Option>
<Option name="prolog_script"></Option>
<Option name="prolog_script"/>
<Option name="rpc_hh">0</Option>
<Option name="rpc_mm">0</Option>
<Option name="rpc_ss">0</Option>
<Option name="rsh_fixup">2 514 0 nil 0</Option>
<Option name="rtsp_fixup">2 554 0 nil 0</Option>
<Option name="scpArgs"></Option>
<Option name="scpArgs"/>
<Option name="secuwall_add_files">False</Option>
<Option name="secuwall_add_files_dir">/opt/secuwall/templates/default</Option>
<Option name="secuwall_dns_reso1">files</Option>
@ -1147,7 +1141,7 @@
<Option name="smtp_fixup">2 25 25 nil 0</Option>
<Option name="solaris_ip_forward">1</Option>
<Option name="sqlnet_fixup">2 1521 1521 nil 0</Option>
<Option name="sshArgs"></Option>
<Option name="sshArgs"/>
<Option name="tftp_fixup">2 69 0 nil 0</Option>
<Option name="uauth_abs">False</Option>
<Option name="uauth_hh">0</Option>
@ -1170,9 +1164,14 @@
</FirewallOptions>
</Firewall>
<Firewall id="id2445X26048" host_OS="pix_os" inactive="False" lastCompiled="1258127973" lastInstalled="0" lastModified="1258127858" platform="pix" version="6.3" name="pix1_v6" comment=" " ro="False">
<NAT id="id2467X26048" name="NAT" comment="" ro="False" ipv4_rule_set="False" ipv6_rule_set="False" top_rule_set="True"/>
<Policy id="id2466X26048" name="Policy" comment="" ro="False" ipv4_rule_set="False" ipv6_rule_set="False" top_rule_set="True"/>
<Routing id="id2468X26048" name="Routing" comment="" ro="False" ipv4_rule_set="False" ipv6_rule_set="False" top_rule_set="True"/>
<NAT id="id2467X26048" name="NAT" comment="" ro="False" ipv4_rule_set="False" ipv6_rule_set="False" top_rule_set="True"><RuleSetOptions/>
</NAT>
<Policy id="id2466X26048" name="Policy" comment="" ro="False" ipv4_rule_set="False" ipv6_rule_set="False" top_rule_set="True">
<RuleSetOptions/></Policy>
<Routing id="id2468X26048" name="Routing" comment="" ro="False" ipv4_rule_set="False" ipv6_rule_set="False" top_rule_set="True"><RuleSetOptions/>
</Routing>
<Interface id="id2451X26048" dedicated_failover="False" dyn="False" label="inside" mgmt="False" network_zone="id2385X39486" security_level="100" unnum="False" unprotected="False" name="Ethernet1" comment=" " ro="False">
<IPv4 id="id2454X26048" name="pix1_v6:Ethernet1:ip" comment="" ro="False" address="10.3.14.206" netmask="255.255.255.0"/>
<InterfaceOptions>
@ -1201,16 +1200,16 @@
<FirewallOptions>
<Option name="accept_established">True</Option>
<Option name="accept_new_tcp_with_no_syn">True</Option>
<Option name="action_on_reject"></Option>
<Option name="activationCmd"></Option>
<Option name="admUser"></Option>
<Option name="altAddress"></Option>
<Option name="action_on_reject"/>
<Option name="activationCmd"/>
<Option name="admUser"/>
<Option name="altAddress"/>
<Option name="bridging_fw">False</Option>
<Option name="check_shading">False</Option>
<Option name="clamp_mss_to_mtu">False</Option>
<Option name="classify_mark_terminating">False</Option>
<Option name="cmdline"></Option>
<Option name="compiler"></Option>
<Option name="cmdline"/>
<Option name="compiler"/>
<Option name="configure_interfaces">True</Option>
<Option name="configure_vlan_interfaces">True</Option>
<Option name="ctiqbe_fixup">2 2748 0 nil 0</Option>
@ -1218,7 +1217,7 @@
<Option name="dns_fixup">2 65535 0 nil 0</Option>
<Option name="drop_invalid">False</Option>
<Option name="eliminate_duplicates">true</Option>
<Option name="epilog_script"></Option>
<Option name="epilog_script"/>
<Option name="espike_fixup">2 0 0 nil 0</Option>
<Option name="firewall_dir">/etc</Option>
<Option name="firewall_is_part_of_any_and_networks">True</Option>
@ -1231,9 +1230,9 @@
<Option name="icmp_error_fixup">2 0 0 nil 0</Option>
<Option name="ignore_empty_groups">False</Option>
<Option name="ils_fixup">2 389 389 nil 0</Option>
<Option name="ipt_mangle_only_rulesets"></Option>
<Option name="ipt_mangle_only_rulesets"/>
<Option name="ipv4_6_order">ipv4_first</Option>
<Option name="limit_suffix"></Option>
<Option name="limit_suffix"/>
<Option name="limit_value">0</Option>
<Option name="linux24_ip_forward">1</Option>
<Option name="load_modules">True</Option>
@ -1249,11 +1248,11 @@
<Option name="macosx_ip_forward">1</Option>
<Option name="manage_virtual_addr">True</Option>
<Option name="mgcp_fixup">2 2427 2727 nil 0</Option>
<Option name="mgmt_addr"></Option>
<Option name="mgmt_addr"/>
<Option name="mgmt_ssh">False</Option>
<Option name="modules_dir">/lib/modules/`uname -r`/kernel/net/</Option>
<Option name="openbsd_ip_forward">1</Option>
<Option name="output_file"></Option>
<Option name="output_file"/>
<Option name="pf_limit_frags">5000</Option>
<Option name="pf_limit_states">10000</Option>
<Option name="pf_timeout_frag">30</Option>
@ -1269,31 +1268,31 @@
<Option name="pix_floodguard">true</Option>
<Option name="pix_include_comments">true</Option>
<Option name="pix_ip_address">True</Option>
<Option name="pix_ntp1"></Option>
<Option name="pix_ntp1"/>
<Option name="pix_ntp1_pref">False</Option>
<Option name="pix_ntp2"></Option>
<Option name="pix_ntp2"/>
<Option name="pix_ntp2_pref">False</Option>
<Option name="pix_ntp3"></Option>
<Option name="pix_ntp3"/>
<Option name="pix_ntp3_pref">False</Option>
<Option name="pix_route_dnat_supported">true</Option>
<Option name="pix_rule_syslog_settings">false</Option>
<Option name="pix_security_fragguard_supported">true</Option>
<Option name="pix_set_communities_from_object_data">False</Option>
<Option name="pix_set_host_name">True</Option>
<Option name="pix_snmp_poll_traps_1"></Option>
<Option name="pix_snmp_poll_traps_2"></Option>
<Option name="pix_snmp_server1"></Option>
<Option name="pix_snmp_server2"></Option>
<Option name="pix_snmp_poll_traps_1"/>
<Option name="pix_snmp_poll_traps_2"/>
<Option name="pix_snmp_server1"/>
<Option name="pix_snmp_server2"/>
<Option name="pix_syslog_device_id_supported">false</Option>
<Option name="pix_tcpmss">False</Option>
<Option name="pix_tcpmss_value">0</Option>
<Option name="pix_use_acl_remarks">true</Option>
<Option name="pptp_fixup">2 1723 0 nil 0</Option>
<Option name="prolog_place">top</Option>
<Option name="prolog_script"></Option>
<Option name="prolog_script"/>
<Option name="rsh_fixup">2 514 0 nil 0</Option>
<Option name="rtsp_fixup">2 554 0 nil 0</Option>
<Option name="scpArgs"></Option>
<Option name="scpArgs"/>
<Option name="secuwall_add_files">False</Option>
<Option name="secuwall_add_files_dir">/opt/secuwall/templates/default</Option>
<Option name="secuwall_dns_reso1">files</Option>
@ -1303,7 +1302,7 @@
<Option name="smtp_fixup">2 25 25 nil 0</Option>
<Option name="solaris_ip_forward">1</Option>
<Option name="sqlnet_fixup">2 1521 1521 nil 0</Option>
<Option name="sshArgs"></Option>
<Option name="sshArgs"/>
<Option name="tftp_fixup">2 69 0 nil 0</Option>
<Option name="ulog_cprange">0</Option>
<Option name="ulog_nlgroup">1</Option>
@ -1315,9 +1314,14 @@
</FirewallOptions>
</Firewall>
<Firewall id="id2474X26048" host_OS="pix_os" inactive="False" lastCompiled="1258127973" lastInstalled="0" lastModified="1258127885" platform="pix" version="6.3" name="pix2_v6" comment=" " ro="False">
<NAT id="id2496X26048" name="NAT" comment="" ro="False" ipv4_rule_set="False" ipv6_rule_set="False" top_rule_set="True"/>
<Policy id="id2495X26048" name="Policy" comment="" ro="False" ipv4_rule_set="False" ipv6_rule_set="False" top_rule_set="True"/>
<Routing id="id2497X26048" name="Routing" comment="" ro="False" ipv4_rule_set="False" ipv6_rule_set="False" top_rule_set="True"/>
<NAT id="id2496X26048" name="NAT" comment="" ro="False" ipv4_rule_set="False" ipv6_rule_set="False" top_rule_set="True"><RuleSetOptions/>
</NAT>
<Policy id="id2495X26048" name="Policy" comment="" ro="False" ipv4_rule_set="False" ipv6_rule_set="False" top_rule_set="True">
<RuleSetOptions/></Policy>
<Routing id="id2497X26048" name="Routing" comment="" ro="False" ipv4_rule_set="False" ipv6_rule_set="False" top_rule_set="True"><RuleSetOptions/>
</Routing>
<Interface id="id2480X26048" dedicated_failover="False" dyn="False" label="inside" mgmt="False" network_zone="id2385X39486" security_level="100" unnum="False" unprotected="False" name="Ethernet1" comment=" " ro="False">
<IPv4 id="id2483X26048" name="pix2_v6:Ethernet1:ip" comment="" ro="False" address="10.3.14.207" netmask="255.255.255.0"/>
<InterfaceOptions>
@ -1346,16 +1350,16 @@
<FirewallOptions>
<Option name="accept_established">True</Option>
<Option name="accept_new_tcp_with_no_syn">True</Option>
<Option name="action_on_reject"></Option>
<Option name="activationCmd"></Option>
<Option name="admUser"></Option>
<Option name="altAddress"></Option>
<Option name="action_on_reject"/>
<Option name="activationCmd"/>
<Option name="admUser"/>
<Option name="altAddress"/>
<Option name="bridging_fw">False</Option>
<Option name="check_shading">False</Option>
<Option name="clamp_mss_to_mtu">False</Option>
<Option name="classify_mark_terminating">False</Option>
<Option name="cmdline"></Option>
<Option name="compiler"></Option>
<Option name="cmdline"/>
<Option name="compiler"/>
<Option name="configure_interfaces">True</Option>
<Option name="configure_vlan_interfaces">True</Option>
<Option name="ctiqbe_fixup">2 2748 0 nil 0</Option>
@ -1363,7 +1367,7 @@
<Option name="dns_fixup">2 65535 0 nil 0</Option>
<Option name="drop_invalid">False</Option>
<Option name="eliminate_duplicates">true</Option>
<Option name="epilog_script"></Option>
<Option name="epilog_script"/>
<Option name="espike_fixup">2 0 0 nil 0</Option>
<Option name="firewall_dir">/etc</Option>
<Option name="firewall_is_part_of_any_and_networks">True</Option>
@ -1376,9 +1380,9 @@
<Option name="icmp_error_fixup">2 0 0 nil 0</Option>
<Option name="ignore_empty_groups">False</Option>
<Option name="ils_fixup">2 389 389 nil 0</Option>
<Option name="ipt_mangle_only_rulesets"></Option>
<Option name="ipt_mangle_only_rulesets"/>
<Option name="ipv4_6_order">ipv4_first</Option>
<Option name="limit_suffix"></Option>
<Option name="limit_suffix"/>
<Option name="limit_value">0</Option>
<Option name="linux24_ip_forward">1</Option>
<Option name="load_modules">True</Option>
@ -1394,11 +1398,11 @@
<Option name="macosx_ip_forward">1</Option>
<Option name="manage_virtual_addr">True</Option>
<Option name="mgcp_fixup">2 2427 2727 nil 0</Option>
<Option name="mgmt_addr"></Option>
<Option name="mgmt_addr"/>
<Option name="mgmt_ssh">False</Option>
<Option name="modules_dir">/lib/modules/`uname -r`/kernel/net/</Option>
<Option name="openbsd_ip_forward">1</Option>
<Option name="output_file"></Option>
<Option name="output_file"/>
<Option name="pf_limit_frags">5000</Option>
<Option name="pf_limit_states">10000</Option>
<Option name="pf_timeout_frag">30</Option>
@ -1414,31 +1418,31 @@
<Option name="pix_floodguard">true</Option>
<Option name="pix_include_comments">true</Option>
<Option name="pix_ip_address">True</Option>
<Option name="pix_ntp1"></Option>
<Option name="pix_ntp1"/>
<Option name="pix_ntp1_pref">False</Option>
<Option name="pix_ntp2"></Option>
<Option name="pix_ntp2"/>
<Option name="pix_ntp2_pref">False</Option>
<Option name="pix_ntp3"></Option>
<Option name="pix_ntp3"/>
<Option name="pix_ntp3_pref">False</Option>
<Option name="pix_route_dnat_supported">true</Option>
<Option name="pix_rule_syslog_settings">false</Option>
<Option name="pix_security_fragguard_supported">true</Option>
<Option name="pix_set_communities_from_object_data">False</Option>
<Option name="pix_set_host_name">True</Option>
<Option name="pix_snmp_poll_traps_1"></Option>
<Option name="pix_snmp_poll_traps_2"></Option>
<Option name="pix_snmp_server1"></Option>
<Option name="pix_snmp_server2"></Option>
<Option name="pix_snmp_poll_traps_1"/>
<Option name="pix_snmp_poll_traps_2"/>
<Option name="pix_snmp_server1"/>
<Option name="pix_snmp_server2"/>
<Option name="pix_syslog_device_id_supported">false</Option>
<Option name="pix_tcpmss">False</Option>
<Option name="pix_tcpmss_value">0</Option>
<Option name="pix_use_acl_remarks">true</Option>
<Option name="pptp_fixup">2 1723 0 nil 0</Option>
<Option name="prolog_place">top</Option>
<Option name="prolog_script"></Option>
<Option name="prolog_script"/>
<Option name="rsh_fixup">2 514 0 nil 0</Option>
<Option name="rtsp_fixup">2 554 0 nil 0</Option>
<Option name="scpArgs"></Option>
<Option name="scpArgs"/>
<Option name="secuwall_add_files">False</Option>
<Option name="secuwall_add_files_dir">/opt/secuwall/templates/default</Option>
<Option name="secuwall_dns_reso1">files</Option>
@ -1448,7 +1452,7 @@
<Option name="smtp_fixup">2 25 25 nil 0</Option>
<Option name="solaris_ip_forward">1</Option>
<Option name="sqlnet_fixup">2 1521 1521 nil 0</Option>
<Option name="sshArgs"></Option>
<Option name="sshArgs"/>
<Option name="tftp_fixup">2 69 0 nil 0</Option>
<Option name="ulog_cprange">0</Option>
<Option name="ulog_nlgroup">1</Option>

400
test/pix/objects-for-regression-tests.fwb
View File

@ -1,13 +1,7 @@
<?xml version="1.0" encoding="utf-8"?>
<!DOCTYPE FWObjectDatabase SYSTEM "fwbuilder.dtd">
<FWObjectDatabase xmlns="http://www.fwbuilder.org/1.0/" version="13" lastModified="1257560955" id="root">
<Library id="sysid99" name="Deleted Objects" comment="" ro="False">
<ObjectRef ref="sysid0"/>
<ObjectRef ref="id16325X21455"/>
<ServiceRef ref="sysid1"/>
<ObjectRef ref="sysid0"/>
<ObjectRef ref="sysid0"/>
</Library>
<FWObjectDatabase xmlns="http://www.fwbuilder.org/1.0/" version="15" lastModified="1257560955" id="root">
<Library id="sysid99" name="Deleted Objects" comment="" ro="False"/>
<Library id="syslib001" color="#d2ffd0" name="User" comment="User defined objects" ro="False">
<ObjectGroup id="stdid01_1_clusters" name="Clusters" comment="" ro="False"/>
<ObjectGroup id="stdid01_1" name="Objects" comment="" ro="False">
@ -110,7 +104,7 @@
</ObjectGroup>
<ObjectGroup id="stdid02_1" name="Hosts" comment="" ro="False">
<Host id="id3F8F9622" name="DMZhost1" comment="" ro="False">
<Interface id="id3F8F9624" dyn="False" security_level="0" unnum="False" unprotected="False" name="interface1" comment="" ro="False">
<Interface id="id3F8F9624" dedicated_failover="False" dyn="False" security_level="0" unnum="False" unprotected="False" name="interface1" comment="" ro="False">
<IPv4 id="id3F8F9625" name="DMZhost:interface1(ip)" comment="" ro="False" address="192.0.2.20" netmask="255.255.255.255"/>
<InterfaceOptions/>
</Interface>
@ -128,7 +122,7 @@
</HostOptions>
</Host>
<Host id="id3F8F9692" name="DMZhost2" comment="" ro="False">
<Interface id="id3F8F9694" dyn="False" security_level="0" unnum="False" unprotected="False" name="interface1" comment="" ro="False">
<Interface id="id3F8F9694" dedicated_failover="False" dyn="False" security_level="0" unnum="False" unprotected="False" name="interface1" comment="" ro="False">
<IPv4 id="id3F8F9695" name="DMZhost2:interface1(ip)" comment="" ro="False" address="192.0.2.21" netmask="255.255.255.255"/>
<InterfaceOptions/>
</Interface>
@ -142,7 +136,7 @@
</HostOptions>
</Host>
<Host id="id3F8F9698" name="DMZhost3" comment="" ro="False">
<Interface id="id3F8F969A" dyn="False" security_level="0" unnum="False" unprotected="False" name="interface1" comment="" ro="False">
<Interface id="id3F8F969A" dedicated_failover="False" dyn="False" security_level="0" unnum="False" unprotected="False" name="interface1" comment="" ro="False">
<IPv4 id="id3F8F969B" name="DMZhost3:interface1(ip)" comment="" ro="False" address="192.0.2.23" netmask="255.255.255.255"/>
<InterfaceOptions/>
</Interface>
@ -156,7 +150,7 @@
</HostOptions>
</Host>
<Host id="id3B64FFAC" name="broadcast" comment="broadcast on internal subnet" ro="False">
<Interface id="id3B64FFAC-i" dyn="False" security_level="100" unnum="False" unprotected="False" name="unknown" comment="" ro="False">
<Interface id="id3B64FFAC-i" dedicated_failover="False" dyn="False" security_level="100" unnum="False" unprotected="False" name="unknown" comment="" ro="False">
<IPv4 id="id3B64FFAC-i-ipv4" name="address" comment="" ro="False" address="192.168.1.255" netmask="255.255.255.255"/>
<InterfaceOptions/>
</Interface>
@ -165,7 +159,7 @@
</HostOptions>
</Host>
<Host id="id3FA34F45" name="dest nat 1" comment="" ro="False">
<Interface id="id3FA34F47" dyn="False" security_level="0" unnum="False" unprotected="False" name="interface1" comment="" ro="False">
<Interface id="id3FA34F47" dedicated_failover="False" dyn="False" security_level="0" unnum="False" unprotected="False" name="interface1" comment="" ro="False">
<IPv4 id="id3FA34F48" name="dest nat 1:interface1(ip)" comment="" ro="False" address="209.165.201.11" netmask="255.255.255.255"/>
<InterfaceOptions/>
</Interface>
@ -179,7 +173,7 @@
</HostOptions>
</Host>
<Host id="id3FA34F4B" name="dest nat 2" comment="" ro="False">
<Interface id="id3FA34F4D" dyn="False" security_level="0" unnum="False" unprotected="False" name="interface1" comment="" ro="False">
<Interface id="id3FA34F4D" dedicated_failover="False" dyn="False" security_level="0" unnum="False" unprotected="False" name="interface1" comment="" ro="False">
<IPv4 id="id3FA34F4E" name="dest nat 1:interface1(ip)" comment="" ro="False" address="209.165.200.225" netmask="255.255.255.255"/>
<InterfaceOptions/>
</Interface>
@ -197,7 +191,7 @@
</HostOptions>
</Host>
<Host id="id3AFC0F70" name="fw2-eth1" comment="this host has the same IP address as firewall1 and firewall2" ro="False">
<Interface id="id3AFC0F70-i" dyn="False" security_level="100" unnum="False" unprotected="False" name="unknown" comment="" ro="False">
<Interface id="id3AFC0F70-i" dedicated_failover="False" dyn="False" security_level="100" unnum="False" unprotected="False" name="unknown" comment="" ro="False">
<IPv4 id="id3AFC0F70-i-ipv4" name="address" comment="" ro="False" address="22.22.22.22" netmask="255.255.255.255"/>
<InterfaceOptions/>
</Interface>
@ -214,7 +208,7 @@
</HostOptions>
</Host>
<Host id="id3D42052D" name="global-dmz" comment="global address on DMZ for firewall8" ro="False">
<Interface id="id3D42052D-i" dyn="False" security_level="0" unnum="False" unprotected="False" name="interface-1" comment="" ro="False">
<Interface id="id3D42052D-i" dedicated_failover="False" dyn="False" security_level="0" unnum="False" unprotected="False" name="interface-1" comment="" ro="False">
<IPv4 id="id3D42052D-i-1-addr" name="address" comment="" ro="False" address="192.168.2.10" netmask="255.255.255.255"/>
<InterfaceOptions/>
</Interface>
@ -232,7 +226,7 @@
</HostOptions>
</Host>
<Host id="id3D42051B" name="global-ext-1" comment="external global address for firewall8" ro="False">
<Interface id="id3D42051B-i" dyn="False" security_level="0" unnum="False" unprotected="False" name="interface-1" comment="" ro="False">
<Interface id="id3D42051B-i" dedicated_failover="False" dyn="False" security_level="0" unnum="False" unprotected="False" name="interface-1" comment="" ro="False">
<IPv4 id="id3D42051B-i-1-addr" name="address" comment="" ro="False" address="10.50.70.21" netmask="255.255.255.255"/>
<InterfaceOptions/>
</Interface>
@ -250,7 +244,7 @@
</HostOptions>
</Host>
<Host id="id3D420525" name="global-ext-2" comment="" ro="False">
<Interface id="id3D420525-i" dyn="False" security_level="0" unnum="False" unprotected="False" name="interface-1" comment="" ro="False">
<Interface id="id3D420525-i" dedicated_failover="False" dyn="False" security_level="0" unnum="False" unprotected="False" name="interface-1" comment="" ro="False">
<IPv4 id="id3D420525-i-1-addr" name="address" comment="" ro="False" address="10.50.70.22" netmask="255.255.255.255"/>
<InterfaceOptions/>
</Interface>
@ -268,7 +262,7 @@
</HostOptions>
</Host>
<Host id="id3D42094E" name="global-ext-3" comment="" ro="False">
<Interface id="id3D42094E-i" dyn="False" security_level="0" unnum="False" unprotected="False" name="interface-1" comment="" ro="False">
<Interface id="id3D42094E-i" dedicated_failover="False" dyn="False" security_level="0" unnum="False" unprotected="False" name="interface-1" comment="" ro="False">
<IPv4 id="id3D42094E-i-1-addr" name="address" comment="" ro="False" address="10.50.70.23" netmask="255.255.255.255"/>
<InterfaceOptions/>
</Interface>
@ -286,7 +280,7 @@
</HostOptions>
</Host>
<Host id="id3D436EA6" name="global-int" comment="" ro="False">
<Interface id="id3D436EA6-i" dyn="False" security_level="0" unnum="False" unprotected="False" name="interface-1" comment="" ro="False">
<Interface id="id3D436EA6-i" dedicated_failover="False" dyn="False" security_level="0" unnum="False" unprotected="False" name="interface-1" comment="" ro="False">
<IPv4 id="id3D436EA6-i-1-addr" name="address" comment="" ro="False" address="192.168.1.10" netmask="255.255.255.255"/>
<InterfaceOptions/>
</Interface>
@ -304,7 +298,7 @@
</HostOptions>
</Host>
<Host id="id3FA34FCB" name="h1" comment="" ro="False">
<Interface id="id3FA34FCD" dyn="False" security_level="0" unnum="False" unprotected="False" name="interface1" comment="" ro="False">
<Interface id="id3FA34FCD" dedicated_failover="False" dyn="False" security_level="0" unnum="False" unprotected="False" name="interface1" comment="" ro="False">
<IPv4 id="id3FA34FCE" name="h1:interface1(ip)" comment="" ro="False" address="10.1.2.27" netmask="255.255.255.255"/>
<InterfaceOptions/>
</Interface>
@ -318,7 +312,7 @@
</HostOptions>
</Host>
<Host id="id3FA34D2F" name="h192.0.2.20" comment="" ro="False">
<Interface id="id3FA34D30" dyn="False" security_level="0" unnum="False" unprotected="False" name="interface1" comment="" ro="False">
<Interface id="id3FA34D30" dedicated_failover="False" dyn="False" security_level="0" unnum="False" unprotected="False" name="interface1" comment="" ro="False">
<IPv4 id="id3FA34D31" name="DMZhost:interface1(ip)" comment="" ro="False" address="192.0.2.20" netmask="255.255.255.255"/>
<InterfaceOptions/>
</Interface>
@ -336,7 +330,7 @@
</HostOptions>
</Host>
<Host id="id3FA34D37" name="h192.0.20.21" comment="" ro="False">
<Interface id="id3FA34D38" dyn="False" security_level="0" unnum="False" unprotected="False" name="interface1" comment="" ro="False">
<Interface id="id3FA34D38" dedicated_failover="False" dyn="False" security_level="0" unnum="False" unprotected="False" name="interface1" comment="" ro="False">
<IPv4 id="id3FA34D39" name="DMZhost2:interface1(ip)" comment="" ro="False" address="192.0.2.21" netmask="255.255.255.255"/>
<InterfaceOptions/>
</Interface>
@ -354,7 +348,7 @@
</HostOptions>
</Host>
<Host id="id3CD87A53" name="h192.168.1.11" comment="" ro="False">
<Interface id="id3CD87A53-i" dyn="False" security_level="0" unnum="False" unprotected="False" name="interface-1" comment="" ro="False">
<Interface id="id3CD87A53-i" dedicated_failover="False" dyn="False" security_level="0" unnum="False" unprotected="False" name="interface-1" comment="" ro="False">
<IPv4 id="id3CD87A53-i-1-addr" name="address" comment="" ro="False" address="192.168.1.11" netmask="255.255.255.255"/>
<InterfaceOptions/>
</Interface>
@ -372,7 +366,7 @@
</HostOptions>
</Host>
<Host id="id3CD87A5E" name="h192.168.1.12" comment="" ro="False">
<Interface id="id3CD87A5E-i" dyn="False" security_level="0" unnum="False" unprotected="False" name="interface-1" comment="" ro="False">
<Interface id="id3CD87A5E-i" dedicated_failover="False" dyn="False" security_level="0" unnum="False" unprotected="False" name="interface-1" comment="" ro="False">
<IPv4 id="id3CD87A5E-i-1-addr" name="address" comment="" ro="False" address="192.168.1.12" netmask="255.255.255.255"/>
<InterfaceOptions/>
</Interface>
@ -390,7 +384,7 @@
</HostOptions>
</Host>
<Host id="id3CD87A6D" name="h192.168.1.13" comment="" ro="False">
<Interface id="id3CD87A6D-i" dyn="False" security_level="0" unnum="False" unprotected="False" name="interface-1" comment="" ro="False">
<Interface id="id3CD87A6D-i" dedicated_failover="False" dyn="False" security_level="0" unnum="False" unprotected="False" name="interface-1" comment="" ro="False">
<IPv4 id="id3CD87A6D-i-1-addr" name="address" comment="" ro="False" address="192.168.1.13" netmask="255.255.255.255"/>
<InterfaceOptions/>
</Interface>
@ -408,7 +402,7 @@
</HostOptions>
</Host>
<Host id="id3CD87A7C" name="h192.168.1.14" comment="" ro="False">
<Interface id="id3CD87A7C-i" dyn="False" security_level="0" unnum="False" unprotected="False" name="interface-1" comment="" ro="False">
<Interface id="id3CD87A7C-i" dedicated_failover="False" dyn="False" security_level="0" unnum="False" unprotected="False" name="interface-1" comment="" ro="False">
<IPv4 id="id3CD87A7C-i-1-addr" name="address" comment="" ro="False" address="192.168.1.14" netmask="255.255.255.255"/>
<InterfaceOptions/>
</Interface>
@ -426,7 +420,7 @@
</HostOptions>
</Host>
<Host id="id3CD87A8B" name="h192.168.1.15" comment="" ro="False">
<Interface id="id3CD87A8B-i" dyn="False" security_level="0" unnum="False" unprotected="False" name="interface-1" comment="" ro="False">
<Interface id="id3CD87A8B-i" dedicated_failover="False" dyn="False" security_level="0" unnum="False" unprotected="False" name="interface-1" comment="" ro="False">
<IPv4 id="id3CD87A8B-i-1-addr" name="address" comment="" ro="False" address="192.168.1.15" netmask="255.255.255.255"/>
<InterfaceOptions/>
</Interface>
@ -458,7 +452,7 @@
</HostOptions>
</Host>
<Host id="id3BF1B3E1" name="host-with_mac" comment="" ro="False">
<Interface id="id3BF1B3E2" dyn="False" label="" security_level="100" unnum="False" unprotected="False" name="unknown" comment="" ro="False">
<Interface id="id3BF1B3E2" dedicated_failover="False" dyn="False" label="" security_level="100" unnum="False" unprotected="False" name="unknown" comment="" ro="False">
<IPv4 id="id3BF1B3E2-ipv4" name="address" comment="" ro="False" address="192.168.1.10" netmask="255.255.255.0"/>
<physAddress id="id3BF1B3E2-pa" address="00:10:4b:de:e9:6f" name="unknown(MAC)" comment="" ro="False"/>
<InterfaceOptions/>
@ -473,7 +467,7 @@
</HostOptions>
</Host>
<Host id="id3BF1B3E7" name="host-with_mac-2" comment="" ro="False">
<Interface id="id3BF1B3E8" dyn="False" label="" security_level="100" unnum="False" unprotected="False" name="unknown" comment="" ro="False">
<Interface id="id3BF1B3E8" dedicated_failover="False" dyn="False" label="" security_level="100" unnum="False" unprotected="False" name="unknown" comment="" ro="False">
<IPv4 id="id3BF1B3E8-ipv4" name="address" comment="" ro="False" address="0.0.0.0" netmask="0.0.0.0"/>
<physAddress id="id3BF1B3E8-pa" address="00:10:4b:de:e9:6f" name="unknown(MAC)" comment="" ro="False"/>
<InterfaceOptions/>
@ -491,7 +485,7 @@
</HostOptions>
</Host>
<Host id="host-hostA" name="hostA" comment="" ro="False">
<Interface id="host-hostA-i" dyn="False" label="" mgmt="False" security_level="100" unnum="False" unprotected="False" name="hostA:eth0" comment="" ro="False">
<Interface id="host-hostA-i" dedicated_failover="False" dyn="False" label="" mgmt="False" security_level="100" unnum="False" unprotected="False" name="hostA:eth0" comment="" ro="False">
<IPv4 id="host-hostA-i-ipv4" name="hostA:eth0" comment="" ro="False" address="192.168.1.10" netmask="255.255.255.255"/>
<InterfaceOptions/>
</Interface>
@ -508,7 +502,7 @@
</HostOptions>
</Host>
<Host id="id3B3D5A3B" name="hostA-2" comment="" ro="False">
<Interface id="id3B3D5A3B-i" dyn="False" security_level="0" unnum="False" unprotected="False" name="interface-1" comment="" ro="False">
<Interface id="id3B3D5A3B-i" dedicated_failover="False" dyn="False" security_level="0" unnum="False" unprotected="False" name="interface-1" comment="" ro="False">
<IPv4 id="id3B3D5A3B-i-1-addr" name="address" comment="" ro="False" address="192.168.1.10" netmask="255.255.255.255"/>
<InterfaceOptions/>
</Interface>
@ -525,7 +519,7 @@
</HostOptions>
</Host>
<Host id="id3AFADBF9" name="hostA-NAT" comment="translated address for hostA" ro="False">
<Interface id="id3AFADBF9-i" dyn="False" security_level="100" unnum="False" unprotected="False" name="unknown" comment="" ro="False">
<Interface id="id3AFADBF9-i" dedicated_failover="False" dyn="False" security_level="100" unnum="False" unprotected="False" name="unknown" comment="" ro="False">
<IPv4 id="id3AFADBF9-i-ipv4" name="address" comment="" ro="False" address="22.22.22.23" netmask="255.255.255.255"/>
<InterfaceOptions/>
</Interface>
@ -539,7 +533,7 @@
</HostOptions>
</Host>
<Host id="id3D1BFABC" name="hostA-NAT-DMZ" comment="" ro="False">
<Interface id="id3D1BFABC-i" dyn="False" security_level="0" unnum="False" unprotected="False" name="interface-1" comment="" ro="False">
<Interface id="id3D1BFABC-i" dedicated_failover="False" dyn="False" security_level="0" unnum="False" unprotected="False" name="interface-1" comment="" ro="False">
<IPv4 id="id3D1BFABC-i-1-addr" name="address" comment="" ro="False" address="192.168.2.23" netmask="255.255.255.255"/>
<InterfaceOptions/>
</Interface>
@ -557,7 +551,7 @@
</HostOptions>
</Host>
<Host id="host-hostB" name="hostB" comment="" ro="False">
<Interface id="host-hostB-i" dyn="False" label="" mgmt="False" security_level="100" unnum="False" unprotected="False" name="hostB:eth0" comment="" ro="False">
<Interface id="host-hostB-i" dedicated_failover="False" dyn="False" label="" mgmt="False" security_level="100" unnum="False" unprotected="False" name="hostB:eth0" comment="" ro="False">
<IPv4 id="host-hostB-i-ipv4" name="hostB:eth0" comment="" ro="False" address="192.168.1.20" netmask="255.255.255.255"/>
<InterfaceOptions/>
</Interface>
@ -571,7 +565,7 @@
</HostOptions>
</Host>
<Host id="id3BD6736B" name="hostB-NAT" comment="" ro="False">
<Interface id="id3BD6736B-i" dyn="False" security_level="100" unnum="False" unprotected="False" name="unknown" comment="" ro="False">
<Interface id="id3BD6736B-i" dedicated_failover="False" dyn="False" security_level="100" unnum="False" unprotected="False" name="unknown" comment="" ro="False">
<IPv4 id="id3BD6736B-i-ipv4" name="address" comment="" ro="False" address="22.22.23.24" netmask="255.255.255.255"/>
<InterfaceOptions/>
</Interface>
@ -580,7 +574,7 @@
</HostOptions>
</Host>
<Host id="id3AFC191C" name="hostF-int" comment="the same address as internal iface of firewall1" ro="False">
<Interface id="id3AFC191C-i" dyn="False" security_level="100" unnum="False" unprotected="False" name="unknown" comment="" ro="False">
<Interface id="id3AFC191C-i" dedicated_failover="False" dyn="False" security_level="100" unnum="False" unprotected="False" name="unknown" comment="" ro="False">
<IPv4 id="id3AFC191C-i-ipv4" name="address" comment="" ro="False" address="192.168.1.1" netmask="255.255.255.255"/>
<InterfaceOptions/>
</Interface>
@ -589,7 +583,7 @@
</HostOptions>
</Host>
<Host id="id3FA34EFB" name="nat1" comment="" ro="False">
<Interface id="id3FA34EFD" dyn="False" security_level="0" unnum="False" unprotected="False" name="interface1" comment="" ro="False">
<Interface id="id3FA34EFD" dedicated_failover="False" dyn="False" security_level="0" unnum="False" unprotected="False" name="interface1" comment="" ro="False">
<IPv4 id="id3FA34EFE" name="nat1:interface1(ip)" comment="" ro="False" address="209.165.202.129" netmask="255.255.255.255"/>
<InterfaceOptions/>
</Interface>
@ -603,7 +597,7 @@
</HostOptions>
</Host>
<Host id="id3FA34F01" name="nat2" comment="" ro="False">
<Interface id="id3FA34F03" dyn="False" security_level="0" unnum="False" unprotected="False" name="interface1" comment="" ro="False">
<Interface id="id3FA34F03" dedicated_failover="False" dyn="False" security_level="0" unnum="False" unprotected="False" name="interface1" comment="" ro="False">
<IPv4 id="id3FA34F04" name="nat1:interface1(ip)" comment="" ro="False" address="209.165.202.130" netmask="255.255.255.255"/>
<InterfaceOptions/>
</Interface>
@ -621,7 +615,7 @@
</HostOptions>
</Host>
<Host id="id3B19C5EB" name="outside-host-1" comment="some host outside our network" ro="False">
<Interface id="id3B19C5EB-i" dyn="False" security_level="100" unnum="False" unprotected="False" name="unknown" comment="" ro="False">
<Interface id="id3B19C5EB-i" dedicated_failover="False" dyn="False" security_level="100" unnum="False" unprotected="False" name="unknown" comment="" ro="False">
<IPv4 id="id3B19C5EB-i-ipv4" name="address" comment="" ro="False" address="200.200.200.200" netmask="255.255.255.255"/>
<InterfaceOptions/>
</Interface>
@ -638,7 +632,7 @@
</HostOptions>
</Host>
<Host id="id3FA34055" name="outside-host-2" comment="some host outside our network" ro="False">
<Interface id="id3FA34056" dyn="False" security_level="100" unnum="False" unprotected="False" name="unknown" comment="" ro="False">
<Interface id="id3FA34056" dedicated_failover="False" dyn="False" security_level="100" unnum="False" unprotected="False" name="unknown" comment="" ro="False">
<IPv4 id="id3FA34057" name="address" comment="" ro="False" address="222.222.222.222" netmask="255.255.255.255"/>
<InterfaceOptions/>
</Interface>
@ -655,7 +649,7 @@
</HostOptions>
</Host>
<Host id="id3FA34B05" name="outside-host-3" comment="some host outside our network" ro="False">
<Interface id="id3FA34B06" dyn="False" security_level="100" unnum="False" unprotected="False" name="unknown" comment="" ro="False">
<Interface id="id3FA34B06" dedicated_failover="False" dyn="False" security_level="100" unnum="False" unprotected="False" name="unknown" comment="" ro="False">
<IPv4 id="id3FA34B07" name="address" comment="" ro="False" address="200.200.200.201" netmask="255.255.255.255"/>
<InterfaceOptions/>
</Interface>
@ -672,7 +666,7 @@
</HostOptions>
</Host>
<Host id="host-secondary1-com" name="secondary1.com" comment="" ro="False">
<Interface id="host-secondary1-com-i" dyn="False" security_level="100" unnum="False" unprotected="False" name="unknown" comment="" ro="False">
<Interface id="host-secondary1-com-i" dedicated_failover="False" dyn="False" security_level="100" unnum="False" unprotected="False" name="unknown" comment="" ro="False">
<IPv4 id="host-secondary1-com-i-ipv4" name="address" comment="" ro="False" address="211.11.11.11" netmask="255.255.255.255"/>
<InterfaceOptions/>
</Interface>
@ -686,7 +680,7 @@
</HostOptions>
</Host>
<Host id="host-secondary2-com" name="secondary2.com" comment="" ro="False">
<Interface id="host-secondary2-com-i" dyn="False" security_level="100" unnum="False" unprotected="False" name="unknown" comment="" ro="False">
<Interface id="host-secondary2-com-i" dedicated_failover="False" dyn="False" security_level="100" unnum="False" unprotected="False" name="unknown" comment="" ro="False">
<IPv4 id="host-secondary2-com-i-ipv4" name="address" comment="" ro="False" address="211.22.22.22" netmask="255.255.255.255"/>
<InterfaceOptions/>
</Interface>
@ -700,7 +694,7 @@
</HostOptions>
</Host>
<Host id="id3D1966D8" name="vk" comment="" ro="False">
<Interface id="id3D1966D8-i" dyn="False" security_level="0" unnum="False" unprotected="False" name="interface-1" comment="" ro="False">
<Interface id="id3D1966D8-i" dedicated_failover="False" dyn="False" security_level="0" unnum="False" unprotected="False" name="interface-1" comment="" ro="False">
<IPv4 id="id3D1966D8-i-1-addr" name="address" comment="" ro="False" address="10.3.14.30" netmask="255.255.255.255"/>
<InterfaceOptions/>
</Interface>
@ -718,7 +712,7 @@
</HostOptions>
</Host>
<Host id="id3D420521" name="websrv" comment="" ro="False">
<Interface id="id3D420521-i" dyn="False" security_level="0" unnum="False" unprotected="False" name="interface-1" comment="" ro="False">
<Interface id="id3D420521-i" dedicated_failover="False" dyn="False" security_level="0" unnum="False" unprotected="False" name="interface-1" comment="" ro="False">
<IPv4 id="id3D420521-i-1-addr" name="address" comment="" ro="False" address="192.168.2.100" netmask="255.255.255.255"/>
<InterfaceOptions/>
</Interface>
@ -736,7 +730,7 @@
</HostOptions>
</Host>
<Host id="id3BF23930" name="z-host" comment="test" ro="False">
<Interface id="id3BF23931" dyn="False" label="" security_level="100" unnum="False" unprotected="False" name="unknown" comment="" ro="False">
<Interface id="id3BF23931" dedicated_failover="False" dyn="False" label="" security_level="100" unnum="False" unprotected="False" name="unknown" comment="" ro="False">
<IPv4 id="id3BF23931-ipv4" name="address" comment="" ro="False" address="0.0.0.0" netmask="0.0.0.0"/>
<physAddress id="id3BF23931-pa" address="00:a0:24:53:06:8c" name="unknown(MAC)" comment="" ro="False"/>
<InterfaceOptions/>
@ -754,7 +748,7 @@
</HostOptions>
</Host>
<Host id="id47B7C6CD21818" name="testhost50" comment="This object represents a PC with a single network interface" ro="False">
<Interface id="id47B7C6CF21818" dyn="False" label="" security_level="0" unnum="False" unprotected="False" name="eth0" comment="" ro="False">
<Interface id="id47B7C6CF21818" dedicated_failover="False" dyn="False" label="" security_level="0" unnum="False" unprotected="False" name="eth0" comment="" ro="False">
<IPv4 id="id47B7C6D021818" name="testhost50:eth0:ip" comment="" ro="False" address="10.3.14.50" netmask="255.255.255.0"/>
<InterfaceOptions/>
</Interface>
@ -1177,6 +1171,7 @@
</TSrv>
<NATRuleOptions/>
</NATRule>
<RuleSetOptions/>
</NAT>
<Policy id="pol-firewall2" name="Policy" comment="" ro="False" ipv4_rule_set="False" ipv6_rule_set="False" top_rule_set="True">
<PolicyRule id="pol-firewall2-0" disabled="False" log="True" position="0" action="Deny" direction="Inbound" comment="blocking short fragments">
@ -1725,6 +1720,7 @@
<Option name="stateless">True</Option>
</PolicyRuleOptions>
</PolicyRule>
<RuleSetOptions/>
</Policy>
<Routing id="fw-firewall2-routing" name="Routing" comment="" ro="False" ipv4_rule_set="False" ipv6_rule_set="False" top_rule_set="True">
<RoutingRule id="id16355X67574" disabled="False" metric="0" position="0" comment="">
@ -1775,16 +1771,17 @@
</RItf>
<RoutingRuleOptions/>
</RoutingRule>
<RuleSetOptions/>
</Routing>
<Interface id="if-FW-firewall2-eth1" dyn="False" label="outside" mgmt="False" network_zone="sysid0" security_level="0" unnum="False" unprotected="False" name="ethernet1" comment="" ro="False">
<Interface id="if-FW-firewall2-eth1" dedicated_failover="False" dyn="False" label="outside" mgmt="False" network_zone="sysid0" security_level="0" unnum="False" unprotected="False" name="ethernet1" comment="" ro="False">
<IPv4 id="if-FW-firewall2-eth1-ipv4" name="a1" comment="" ro="False" address="22.22.22.22" netmask="255.255.255.0"/>
<InterfaceOptions/>
</Interface>
<Interface id="if-FW-firewall2-eth0" dyn="False" label="inside" mgmt="True" network_zone="id3DAA5110" security_level="100" unnum="False" unprotected="False" name="ethernet0" comment="" ro="False">
<Interface id="if-FW-firewall2-eth0" dedicated_failover="False" dyn="False" label="inside" mgmt="True" network_zone="id3DAA5110" security_level="100" unnum="False" unprotected="False" name="ethernet0" comment="" ro="False">
<IPv4 id="if-FW-firewall2-eth0-ipv4" name="a0" comment="" ro="False" address="192.168.1.1" netmask="255.255.255.0"/>
<InterfaceOptions/>
</Interface>
<Interface id="id3D19631F" dyn="False" label="dmz" mgmt="False" network_zone="id3B022266" security_level="50" unnum="False" unprotected="False" name="ethernet2" comment="" ro="False">
<Interface id="id3D19631F" dedicated_failover="False" dyn="False" label="dmz" mgmt="False" network_zone="id3B022266" security_level="50" unnum="False" unprotected="False" name="ethernet2" comment="" ro="False">
<IPv4 id="id3D19631F-ipv4" name="a2" comment="" ro="False" address="192.168.2.1" netmask="255.255.255.0"/>
<InterfaceOptions/>
</Interface>
@ -2070,6 +2067,7 @@
</TSrv>
<NATRuleOptions/>
</NATRule>
<RuleSetOptions/>
</NAT>
<Policy id="id3AF5AA0C" name="Policy" comment="" ro="False" ipv4_rule_set="False" ipv6_rule_set="False" top_rule_set="True">
<PolicyRule id="id3C5987DC" disabled="True" log="True" position="0" action="Deny" direction="Both" comment="">
@ -2493,17 +2491,20 @@
<Option name="stateless">True</Option>
</PolicyRuleOptions>
</PolicyRule>
<RuleSetOptions/>
</Policy>
<Routing id="id3AF5AA0A-routing" name="Routing" comment="" ro="False" ipv4_rule_set="False" ipv6_rule_set="False" top_rule_set="True"/>
<Interface id="id3AF5AA96" dyn="False" label="inside" mgmt="True" network_zone="net-Internal_net" security_level="100" unnum="False" unprotected="False" name="eth0" comment="" ro="False">
<Routing id="id3AF5AA0A-routing" name="Routing" comment="" ro="False" ipv4_rule_set="False" ipv6_rule_set="False" top_rule_set="True">
<RuleSetOptions/>
</Routing>
<Interface id="id3AF5AA96" dedicated_failover="False" dyn="False" label="inside" mgmt="True" network_zone="net-Internal_net" security_level="100" unnum="False" unprotected="False" name="eth0" comment="" ro="False">
<IPv4 id="id3AF5AA96-ipv4" name="address" comment="" ro="False" address="192.168.1.1" netmask="255.255.255.0"/>
<InterfaceOptions/>
</Interface>
<Interface id="id3AF5AA99" dyn="True" label="outside" network_zone="sysid0" security_level="0" unnum="False" unprotected="False" name="eth1" comment="" ro="False">
<Interface id="id3AF5AA99" dedicated_failover="False" dyn="True" label="outside" network_zone="sysid0" security_level="0" unnum="False" unprotected="False" name="eth1" comment="" ro="False">
<IPv4 id="id3AF5AA99-ipv4" name="address" comment="" ro="False" address="0.0.0.0" netmask="0.0.0.0"/>
<InterfaceOptions/>
</Interface>
<Interface id="id3B0B4BC8" dyn="False" label="dmz" network_zone="id3B022266" security_level="50" unnum="False" unprotected="False" name="eth2" comment="" ro="False">
<Interface id="id3B0B4BC8" dedicated_failover="False" dyn="False" label="dmz" network_zone="id3B022266" security_level="50" unnum="False" unprotected="False" name="eth2" comment="" ro="False">
<IPv4 id="id3B0B4BC8-ipv4" name="address" comment="" ro="False" address="192.168.2.1" netmask="255.255.255.0"/>
<InterfaceOptions/>
</Interface>
@ -2927,6 +2928,7 @@
</TSrv>
<NATRuleOptions/>
</NATRule>
<RuleSetOptions/>
</NAT>
<Policy id="id3DB0F9B0" name="Policy" comment="" ro="False" ipv4_rule_set="False" ipv6_rule_set="False" top_rule_set="True">
<PolicyRule id="id3DB0FA5E" disabled="True" log="True" position="0" action="Deny" direction="Inbound" comment="blocking short fragments">
@ -3405,17 +3407,20 @@
<Option name="stateless">True</Option>
</PolicyRuleOptions>
</PolicyRule>
<RuleSetOptions/>
</Policy>
<Routing id="id3DB0F914-routing" name="Routing" comment="" ro="False" ipv4_rule_set="False" ipv6_rule_set="False" top_rule_set="True"/>
<Interface id="id3DB0FA5B" dyn="False" label="outside" mgmt="False" network_zone="sysid0" security_level="0" unnum="False" unprotected="False" name="ethernet1" comment="" ro="False">
<Routing id="id3DB0F914-routing" name="Routing" comment="" ro="False" ipv4_rule_set="False" ipv6_rule_set="False" top_rule_set="True">
<RuleSetOptions/>
</Routing>
<Interface id="id3DB0FA5B" dedicated_failover="False" dyn="False" label="outside" mgmt="False" network_zone="sysid0" security_level="0" unnum="False" unprotected="False" name="ethernet1" comment="" ro="False">
<IPv4 id="id3DB0FA5C" name="a1" comment="" ro="False" address="22.22.22.22" netmask="255.255.255.0"/>
<InterfaceOptions/>
</Interface>
<Interface id="id3DB0FA85" dyn="False" label="inside" mgmt="True" network_zone="id3DAA5110" security_level="100" unnum="False" unprotected="False" name="ethernet0" comment="" ro="False">
<Interface id="id3DB0FA85" dedicated_failover="False" dyn="False" label="inside" mgmt="True" network_zone="id3DAA5110" security_level="100" unnum="False" unprotected="False" name="ethernet0" comment="" ro="False">
<IPv4 id="id3DB0FA86" name="a0" comment="" ro="False" address="192.168.1.1" netmask="255.255.255.0"/>
<InterfaceOptions/>
</Interface>
<Interface id="id3DB0FAA3" dyn="False" label="dmz" mgmt="False" network_zone="id3F93531C" security_level="50" unnum="False" unprotected="False" name="ethernet2" comment="" ro="False">
<Interface id="id3DB0FAA3" dedicated_failover="False" dyn="False" label="dmz" mgmt="False" network_zone="id3F93531C" security_level="50" unnum="False" unprotected="False" name="ethernet2" comment="" ro="False">
<IPv4 id="id3DB0FAA4" name="a2" comment="" ro="False" address="192.168.2.1" netmask="255.255.255.0"/>
<InterfaceOptions/>
</Interface>
@ -3731,6 +3736,7 @@
</TSrv>
<NATRuleOptions/>
</NATRule>
<RuleSetOptions/>
</NAT>
<Policy id="id3DF458BD" name="Policy" comment="" ro="False" ipv4_rule_set="False" ipv6_rule_set="False" top_rule_set="True">
<PolicyRule id="id3DF458BE" disabled="False" log="False" position="0" action="Accept" direction="Both" comment="">
@ -3827,18 +3833,21 @@
<Option name="stateless">True</Option>
</PolicyRuleOptions>
</PolicyRule>
<RuleSetOptions/>
</Policy>
<Routing id="id3DF45858-routing" name="Routing" comment="" ro="False" ipv4_rule_set="False" ipv6_rule_set="False" top_rule_set="True"/>
<Interface id="id3DF458DC" dyn="False" label="outside" network_zone="sysid0" security_level="0" unnum="False" unprotected="False" name="eth0" comment="" ro="False">
<Routing id="id3DF45858-routing" name="Routing" comment="" ro="False" ipv4_rule_set="False" ipv6_rule_set="False" top_rule_set="True">
<RuleSetOptions/>
</Routing>
<Interface id="id3DF458DC" dedicated_failover="False" dyn="False" label="outside" network_zone="sysid0" security_level="0" unnum="False" unprotected="False" name="eth0" comment="" ro="False">
<IPv4 id="id3DF458DD" name="firewall11:eth0:ip" comment="" ro="False" address="10.5.70.20" netmask="255.255.240.0"/>
<IPv4 id="id414419C1" name="firewall11:eth0:ip-1" comment="" ro="False" address="10.5.80.20" netmask="255.255.240.0"/>
<InterfaceOptions/>
</Interface>
<Interface id="id3DF458DF" dyn="False" label="dmz" network_zone="id3D420A09" security_level="50" unnum="False" unprotected="False" name="eth1" comment="" ro="False">
<Interface id="id3DF458DF" dedicated_failover="False" dyn="False" label="dmz" network_zone="id3D420A09" security_level="50" unnum="False" unprotected="False" name="eth1" comment="" ro="False">
<IPv4 id="id3DF458E0" name="firewall11:eth1:ip" comment="" ro="False" address="192.168.2.20" netmask="255.255.255.0"/>
<InterfaceOptions/>
</Interface>
<Interface id="id3DF458E2" dyn="False" label="inside" mgmt="True" network_zone="id3D420A0B" security_level="100" unnum="False" unprotected="False" name="eth2" comment="" ro="False">
<Interface id="id3DF458E2" dedicated_failover="False" dyn="False" label="inside" mgmt="True" network_zone="id3D420A0B" security_level="100" unnum="False" unprotected="False" name="eth2" comment="" ro="False">
<IPv4 id="id3DF458E3" name="firewall11:eth2:ip" comment="" ro="False" address="192.168.1.20" netmask="255.255.255.0"/>
<InterfaceOptions/>
</Interface>
@ -4045,6 +4054,7 @@ no sysopt nodnsalias outbound
</TSrv>
<NATRuleOptions/>
</NATRule>
<RuleSetOptions/>
</NAT>
<Policy id="id3F8F95AE" name="Policy" comment="" ro="False" ipv4_rule_set="False" ipv6_rule_set="False" top_rule_set="True">
<PolicyRule id="id3F8F95AF" disabled="False" log="False" position="0" action="Accept" direction="Both" comment="">
@ -4145,16 +4155,19 @@ no sysopt nodnsalias outbound
<Option name="stateless">True</Option>
</PolicyRuleOptions>
</PolicyRule>
<RuleSetOptions/>
</Policy>
<Routing id="id3F8F9590-routing" name="Routing" comment="" ro="False" ipv4_rule_set="False" ipv6_rule_set="False" top_rule_set="True"/>
<Interface id="id3F8F95E1" dyn="True" label="outside" mgmt="False" network_zone="sysid0" security_level="0" unnum="False" unprotected="False" name="ethernet0" comment="" ro="False">
<Routing id="id3F8F9590-routing" name="Routing" comment="" ro="False" ipv4_rule_set="False" ipv6_rule_set="False" top_rule_set="True">
<RuleSetOptions/>
</Routing>
<Interface id="id3F8F95E1" dedicated_failover="False" dyn="True" label="outside" mgmt="False" network_zone="sysid0" security_level="0" unnum="False" unprotected="False" name="ethernet0" comment="" ro="False">
<InterfaceOptions/>
</Interface>
<Interface id="id3F8F95E3" dyn="False" label="inside" network_zone="id3D385DEC" security_level="100" unnum="False" unprotected="False" name="ethernet1" comment="" ro="False">
<Interface id="id3F8F95E3" dedicated_failover="False" dyn="False" label="inside" network_zone="id3D385DEC" security_level="100" unnum="False" unprotected="False" name="ethernet1" comment="" ro="False">
<IPv4 id="id3F8F95E4" name="inside" comment="" ro="False" address="10.3.14.20" netmask="255.255.255.0"/>
<InterfaceOptions/>
</Interface>
<Interface id="id3F8F95E6" dyn="False" label="dmz50" mgmt="False" network_zone="id3F8F97BB" security_level="50" unnum="False" unprotected="False" name="ethernet2" comment="" ro="False">
<Interface id="id3F8F95E6" dedicated_failover="False" dyn="False" label="dmz50" mgmt="False" network_zone="id3F8F97BB" security_level="50" unnum="False" unprotected="False" name="ethernet2" comment="" ro="False">
<IPv4 id="id3F8F95E7" name="dmz" comment="suppose this is routable address ..." ro="False" address="192.0.2.1" netmask="255.255.255.0"/>
<InterfaceOptions/>
</Interface>
@ -4316,7 +4329,7 @@ no sysopt nodnsalias outbound
<Option name="xlate_ss">0</Option>
</FirewallOptions>
</Firewall>
<Firewall id="id3FA349A1" host_OS="pix_os" lastCompiled="1145688319" lastInstalled="0" lastModified="0" platform="pix" version="6.3" name="firewall13" comment="various policy NAT rules per examples from&#10;http://www.cisco.com/en/US/products/sw/secursw/ps2120/products_configuration_guide_chapter09186a0080172786.html#1113601&#10;" ro="False">
<Firewall id="id3FA349A1" host_OS="pix_os" lastCompiled="1145688319" lastInstalled="0" lastModified="1259202385" platform="pix" version="6.3" name="firewall13" comment="various policy NAT rules per examples from&#10;http://www.cisco.com/en/US/products/sw/secursw/ps2120/products_configuration_guide_chapter09186a0080172786.html#1113601&#10;" ro="False">
<NAT id="id3FA349A2" name="NAT" comment="" ro="False" ipv4_rule_set="False" ipv6_rule_set="False" top_rule_set="True">
<NATRule id="id3FA349A3" disabled="False" position="0" action="Translate" comment="">
<OSrc neg="False">
@ -4489,6 +4502,7 @@ no sysopt nodnsalias outbound
</TSrv>
<NATRuleOptions/>
</NATRule>
<RuleSetOptions/>
</NAT>
<Policy id="id3FA349CF" name="Policy" comment="" ro="False" ipv4_rule_set="False" ipv6_rule_set="False" top_rule_set="True">
<PolicyRule id="id3FA349EE" disabled="False" log="False" position="0" action="Accept" direction="Both" comment="">
@ -4529,13 +4543,16 @@ no sysopt nodnsalias outbound
<Option name="stateless">True</Option>
</PolicyRuleOptions>
</PolicyRule>
<RuleSetOptions/>
</Policy>
<Routing id="id3FA349A1-routing" name="Routing" comment="" ro="False" ipv4_rule_set="False" ipv6_rule_set="False" top_rule_set="True"/>
<Interface id="id3FA34A02" dyn="False" label="outside" network_zone="sysid0" security_level="0" unnum="False" unprotected="False" name="eth0" comment="" ro="False">
<Routing id="id3FA349A1-routing" name="Routing" comment="" ro="False" ipv4_rule_set="False" ipv6_rule_set="False" top_rule_set="True">
<RuleSetOptions/>
</Routing>
<Interface id="id3FA34A02" dedicated_failover="False" dyn="False" label="outside" network_zone="sysid0" security_level="0" unnum="False" unprotected="False" name="eth0" comment="" ro="False">
<IPv4 id="id3FA34A03" name="address" comment="" ro="False" address="209.165.202.1" netmask="255.255.255.0"/>
<InterfaceOptions/>
</Interface>
<Interface id="id3FA34A08" dyn="False" label="inside" mgmt="True" network_zone="id3FA34EFA" security_level="100" unnum="False" unprotected="False" name="eth2" comment="" ro="False">
<Interface id="id3FA34A08" dedicated_failover="False" dyn="False" label="inside" mgmt="True" network_zone="id3FA34EFA" security_level="100" unnum="False" unprotected="False" name="eth2" comment="" ro="False">
<IPv4 id="id3FA34A09" name="address" comment="" ro="False" address="10.1.2.1" netmask="255.255.255.0"/>
<InterfaceOptions/>
</Interface>
@ -4734,6 +4751,7 @@ no sysopt nodnsalias outbound
</TSrv>
<NATRuleOptions/>
</NATRule>
<RuleSetOptions/>
</NAT>
<Policy id="id3FA74F0D" name="Policy" comment="" ro="False" ipv4_rule_set="False" ipv6_rule_set="False" top_rule_set="True">
<PolicyRule id="id3FA74F0E" disabled="False" log="False" position="0" action="Accept" direction="Both" comment="">
@ -4774,13 +4792,16 @@ no sysopt nodnsalias outbound
<Option name="stateless">True</Option>
</PolicyRuleOptions>
</PolicyRule>
<RuleSetOptions/>
</Policy>
<Routing id="id3FA74E98-routing" name="Routing" comment="" ro="False" ipv4_rule_set="False" ipv6_rule_set="False" top_rule_set="True"/>
<Interface id="id3FA74F22" dyn="False" label="outside" network_zone="sysid0" security_level="0" unnum="False" unprotected="False" name="eth0" comment="" ro="False">
<Routing id="id3FA74E98-routing" name="Routing" comment="" ro="False" ipv4_rule_set="False" ipv6_rule_set="False" top_rule_set="True">
<RuleSetOptions/>
</Routing>
<Interface id="id3FA74F22" dedicated_failover="False" dyn="False" label="outside" network_zone="sysid0" security_level="0" unnum="False" unprotected="False" name="eth0" comment="" ro="False">
<IPv4 id="id3FA74F23" name="address" comment="" ro="False" address="209.165.202.1" netmask="255.255.255.0"/>
<InterfaceOptions/>
</Interface>
<Interface id="id3FA74F25" dyn="False" label="inside" mgmt="True" network_zone="id3FA34EFA" security_level="100" unnum="False" unprotected="False" name="eth2" comment="" ro="False">
<Interface id="id3FA74F25" dedicated_failover="False" dyn="False" label="inside" mgmt="True" network_zone="id3FA34EFA" security_level="100" unnum="False" unprotected="False" name="eth2" comment="" ro="False">
<IPv4 id="id3FA74F26" name="address" comment="" ro="False" address="10.1.2.1" netmask="255.255.255.0"/>
<InterfaceOptions/>
</Interface>
@ -5527,6 +5548,7 @@ no sysopt nodnsalias outbound
</TSrv>
<NATRuleOptions/>
</NATRule>
<RuleSetOptions/>
</NAT>
<Policy id="id3AFB66E4" name="Policy" comment="" ro="False" ipv4_rule_set="False" ipv6_rule_set="False" top_rule_set="True">
<PolicyRule id="id3AFB6708" disabled="False" log="True" position="0" action="Deny" direction="Inbound" comment="Anti-spoofing rule">
@ -5670,17 +5692,20 @@ no sysopt nodnsalias outbound
<Option name="stateless">True</Option>
</PolicyRuleOptions>
</PolicyRule>
<RuleSetOptions/>
</Policy>
<Routing id="id3AFB66C6-routing" name="Routing" comment="" ro="False" ipv4_rule_set="False" ipv6_rule_set="False" top_rule_set="True"/>
<Interface id="id3AFB6703" dyn="False" label="" mgmt="True" network_zone="net-Internal_net" security_level="100" unnum="False" unprotected="False" name="eth0" comment="" ro="False">
<Routing id="id3AFB66C6-routing" name="Routing" comment="" ro="False" ipv4_rule_set="False" ipv6_rule_set="False" top_rule_set="True">
<RuleSetOptions/>
</Routing>
<Interface id="id3AFB6703" dedicated_failover="False" dyn="False" label="" mgmt="True" network_zone="net-Internal_net" security_level="100" unnum="False" unprotected="False" name="eth0" comment="" ro="False">
<IPv4 id="id3AFB6703-ipv4" name="firewall2:eth0:ip" comment="" ro="False" address="192.168.1.1" netmask="255.255.255.0"/>
<InterfaceOptions/>
</Interface>
<Interface id="id3AFB6706" dyn="False" network_zone="sysid0" security_level="0" unnum="False" unprotected="False" name="eth1" comment="" ro="False">
<Interface id="id3AFB6706" dedicated_failover="False" dyn="False" network_zone="sysid0" security_level="0" unnum="False" unprotected="False" name="eth1" comment="" ro="False">
<IPv4 id="id3AFB6706-ipv4" name="firewall2:eth1:ip" comment="" ro="False" address="22.22.22.22" netmask="255.255.255.0"/>
<InterfaceOptions/>
</Interface>
<Interface id="id3B0221F1" dyn="False" network_zone="id3B022266" security_level="50" unnum="False" unprotected="False" name="eth2" comment="" ro="False">
<Interface id="id3B0221F1" dedicated_failover="False" dyn="False" network_zone="id3B022266" security_level="50" unnum="False" unprotected="False" name="eth2" comment="" ro="False">
<IPv4 id="id3B0221F1-ipv4" name="firewall2:eth2:ip" comment="" ro="False" address="192.168.2.1" netmask="255.255.255.0"/>
<InterfaceOptions/>
</Interface>
@ -5799,7 +5824,9 @@ no sysopt nodnsalias outbound
</FirewallOptions>
</Firewall>
<Firewall id="id3D6A92A9" host_OS="pix_os" lastCompiled="1145688330" lastInstalled="0" lastModified="0" platform="pix" version="6.2" name="firewall3" comment="testing icmp and ssh/telnet commands" ro="False">
<NAT id="id3D6A92AA" name="NAT" comment="" ro="False" ipv4_rule_set="False" ipv6_rule_set="False" top_rule_set="True"/>
<NAT id="id3D6A92AA" name="NAT" comment="" ro="False" ipv4_rule_set="False" ipv6_rule_set="False" top_rule_set="True">
<RuleSetOptions/>
</NAT>
<Policy id="id3D6A9409" name="Policy" comment="" ro="False" ipv4_rule_set="False" ipv6_rule_set="False" top_rule_set="True">
<PolicyRule id="id3D6ADB7E" disabled="False" log="False" position="0" action="Accept" direction="Inbound" comment="">
<Src neg="False">
@ -6073,17 +6100,20 @@ no sysopt nodnsalias outbound
<Option name="stateless">True</Option>
</PolicyRuleOptions>
</PolicyRule>
<RuleSetOptions/>
</Policy>
<Routing id="id3D6A92A9-routing" name="Routing" comment="" ro="False" ipv4_rule_set="False" ipv6_rule_set="False" top_rule_set="True"/>
<Interface id="id3D6A940A" dyn="False" label="inside" mgmt="True" network_zone="net-Internal_net" security_level="100" unnum="False" unprotected="False" name="eth0" comment="" ro="False">
<Routing id="id3D6A92A9-routing" name="Routing" comment="" ro="False" ipv4_rule_set="False" ipv6_rule_set="False" top_rule_set="True">
<RuleSetOptions/>
</Routing>
<Interface id="id3D6A940A" dedicated_failover="False" dyn="False" label="inside" mgmt="True" network_zone="net-Internal_net" security_level="100" unnum="False" unprotected="False" name="eth0" comment="" ro="False">
<IPv4 id="id3D6A940B" name="address" comment="" ro="False" address="192.168.1.1" netmask="255.255.255.0"/>
<InterfaceOptions/>
</Interface>
<Interface id="id3D6A940D" dyn="False" label="outside" mgmt="False" network_zone="sysid0" security_level="0" unnum="False" unprotected="False" name="eth1" comment="" ro="False">
<Interface id="id3D6A940D" dedicated_failover="False" dyn="False" label="outside" mgmt="False" network_zone="sysid0" security_level="0" unnum="False" unprotected="False" name="eth1" comment="" ro="False">
<IPv4 id="id3D6A940E" name="address" comment="" ro="False" address="22.22.22.22" netmask="255.255.255.0"/>
<InterfaceOptions/>
</Interface>
<Interface id="id3D6A9422" dyn="False" label="dmz" mgmt="False" network_zone="id3B022266" security_level="50" unnum="False" unprotected="False" name="eth2" comment="" ro="False">
<Interface id="id3D6A9422" dedicated_failover="False" dyn="False" label="dmz" mgmt="False" network_zone="id3B022266" security_level="50" unnum="False" unprotected="False" name="eth2" comment="" ro="False">
<IPv4 id="id3D6A9423" name="address" comment="" ro="False" address="192.168.2.1" netmask="255.255.255.0"/>
<InterfaceOptions/>
</Interface>
@ -6302,6 +6332,7 @@ no sysopt nodnsalias outbound
</TSrv>
<NATRuleOptions/>
</NATRule>
<RuleSetOptions/>
</NAT>
<Policy id="id3B0C639E" name="Policy" comment="" ro="False" ipv4_rule_set="False" ipv6_rule_set="False" top_rule_set="True">
<PolicyRule id="id3B0C63BF" disabled="False" log="True" position="0" action="Accept" direction="Both" comment="">
@ -6407,21 +6438,24 @@ no sysopt nodnsalias outbound
<Option name="stateless">True</Option>
</PolicyRuleOptions>
</PolicyRule>
<RuleSetOptions/>
</Policy>
<Routing id="id3B0C6380-routing" name="Routing" comment="" ro="False" ipv4_rule_set="False" ipv6_rule_set="False" top_rule_set="True"/>
<Interface id="id3B0C63DF" dyn="False" label="inside" mgmt="True" network_zone="net-Internal_net" security_level="100" unnum="False" unprotected="False" name="eth0" comment="" ro="False">
<Routing id="id3B0C6380-routing" name="Routing" comment="" ro="False" ipv4_rule_set="False" ipv6_rule_set="False" top_rule_set="True">
<RuleSetOptions/>
</Routing>
<Interface id="id3B0C63DF" dedicated_failover="False" dyn="False" label="inside" mgmt="True" network_zone="net-Internal_net" security_level="100" unnum="False" unprotected="False" name="eth0" comment="" ro="False">
<IPv4 id="id3B0C63DF-ipv4" name="address" comment="" ro="False" address="192.168.1.1" netmask="255.255.255.0"/>
<InterfaceOptions/>
</Interface>
<Interface id="id3B0C63E1" dyn="False" label="dmz1" mgmt="False" network_zone="id3D385DED" security_level="40" unnum="False" unprotected="False" name="eth1" comment="" ro="False">
<Interface id="id3B0C63E1" dedicated_failover="False" dyn="False" label="dmz1" mgmt="False" network_zone="id3D385DED" security_level="40" unnum="False" unprotected="False" name="eth1" comment="" ro="False">
<IPv4 id="id3B0C63E1-ipv4" name="address" comment="" ro="False" address="10.2.2.2" netmask="255.255.255.0"/>
<InterfaceOptions/>
</Interface>
<Interface id="id3B0C63F3" dyn="False" label="dmz2" mgmt="False" network_zone="id3B022266" security_level="50" unnum="False" unprotected="False" name="eth2" comment="" ro="False">
<Interface id="id3B0C63F3" dedicated_failover="False" dyn="False" label="dmz2" mgmt="False" network_zone="id3B022266" security_level="50" unnum="False" unprotected="False" name="eth2" comment="" ro="False">
<IPv4 id="id3B0C63F3-ipv4" name="fw4:dmz2" comment="" ro="False" address="192.168.2.1" netmask="255.255.255.0"/>
<InterfaceOptions/>
</Interface>
<Interface id="id3CD88A77" dyn="False" label="outside" mgmt="False" network_zone="sysid0" security_level="0" unnum="False" unprotected="False" name="eth3" comment="" ro="False">
<Interface id="id3CD88A77" dedicated_failover="False" dyn="False" label="outside" mgmt="False" network_zone="sysid0" security_level="0" unnum="False" unprotected="False" name="eth3" comment="" ro="False">
<IPv4 id="id3CD88A77-ipv4" name="address" comment="" ro="False" address="222.222.222.222" netmask="255.255.255.0"/>
<InterfaceOptions/>
</Interface>
@ -6612,6 +6646,7 @@ no sysopt nodnsalias outbound
</TSrv>
<NATRuleOptions/>
</NATRule>
<RuleSetOptions/>
</NAT>
<Policy id="id3C698F9D" name="Policy" comment="" ro="False" ipv4_rule_set="False" ipv6_rule_set="False" top_rule_set="True">
<PolicyRule id="id3C699028" disabled="False" log="True" position="0" action="Deny" direction="Inbound" comment="">
@ -6651,17 +6686,20 @@ no sysopt nodnsalias outbound
<Option name="stateless">True</Option>
</PolicyRuleOptions>
</PolicyRule>
<RuleSetOptions/>
</Policy>
<Routing id="id3C698F1D-routing" name="Routing" comment="" ro="False" ipv4_rule_set="False" ipv6_rule_set="False" top_rule_set="True"/>
<Interface id="id3C699013" dyn="False" label="inside" mgmt="False" network_zone="id3D420A0B" security_level="100" unnum="False" unprotected="False" name="eth0" comment="" ro="False">
<Routing id="id3C698F1D-routing" name="Routing" comment="" ro="False" ipv4_rule_set="False" ipv6_rule_set="False" top_rule_set="True">
<RuleSetOptions/>
</Routing>
<Interface id="id3C699013" dedicated_failover="False" dyn="False" label="inside" mgmt="False" network_zone="id3D420A0B" security_level="100" unnum="False" unprotected="False" name="eth0" comment="" ro="False">
<IPv4 id="id3C699013-ipv4" name="address" comment="" ro="False" address="192.168.1.1" netmask="255.255.255.0"/>
<InterfaceOptions/>
</Interface>
<Interface id="id3C69901D" dyn="False" label="outside" mgmt="False" network_zone="sysid0" security_level="0" unnum="False" unprotected="False" name="eth1" comment="" ro="False">
<Interface id="id3C69901D" dedicated_failover="False" dyn="False" label="outside" mgmt="False" network_zone="sysid0" security_level="0" unnum="False" unprotected="False" name="eth1" comment="" ro="False">
<IPv4 id="id3C69901D-ipv4" name="address" comment="" ro="False" address="22.22.22.22" netmask="255.255.255.0"/>
<InterfaceOptions/>
</Interface>
<Interface id="id3C699030" dyn="False" label="dmz" mgmt="False" network_zone="id3D420A09" security_level="50" unnum="False" unprotected="False" name="eth2" comment="" ro="False">
<Interface id="id3C699030" dedicated_failover="False" dyn="False" label="dmz" mgmt="False" network_zone="id3D420A09" security_level="50" unnum="False" unprotected="False" name="eth2" comment="" ro="False">
<IPv4 id="id3C699030-ipv4" name="address" comment="" ro="False" address="192.168.2.1" netmask="255.255.255.0"/>
<InterfaceOptions/>
</Interface>
@ -6818,6 +6856,7 @@ no sysopt nodnsalias outbound
</TSrv>
<NATRuleOptions/>
</NATRule>
<RuleSetOptions/>
</NAT>
<Policy id="id3C69BD51" name="Policy" comment="" ro="False" ipv4_rule_set="False" ipv6_rule_set="False" top_rule_set="True">
<PolicyRule id="id3D916646" disabled="False" log="False" position="0" action="Accept" direction="Inbound" comment="">
@ -6894,13 +6933,16 @@ no sysopt nodnsalias outbound
<Option name="stateless">True</Option>
</PolicyRuleOptions>
</PolicyRule>
<RuleSetOptions/>
</Policy>
<Routing id="id3C69BD4F-routing" name="Routing" comment="" ro="False" ipv4_rule_set="False" ipv6_rule_set="False" top_rule_set="True"/>
<Interface id="id3C69BD5C" dyn="False" label="" mgmt="False" network_zone="net-Internal_net" security_level="100" unnum="False" unprotected="False" name="eth0" comment="" ro="False">
<Routing id="id3C69BD4F-routing" name="Routing" comment="" ro="False" ipv4_rule_set="False" ipv6_rule_set="False" top_rule_set="True">
<RuleSetOptions/>
</Routing>
<Interface id="id3C69BD5C" dedicated_failover="False" dyn="False" label="" mgmt="False" network_zone="net-Internal_net" security_level="100" unnum="False" unprotected="False" name="eth0" comment="" ro="False">
<IPv4 id="id3C69BD5C-ipv4" name="address" comment="" ro="False" address="192.168.1.1" netmask="255.255.255.0"/>
<InterfaceOptions/>
</Interface>
<Interface id="id3C69BD5E" dyn="False" label="" mgmt="False" network_zone="sysid0" security_level="0" unnum="False" unprotected="False" name="eth1" comment="" ro="False">
<Interface id="id3C69BD5E" dedicated_failover="False" dyn="False" label="" mgmt="False" network_zone="sysid0" security_level="0" unnum="False" unprotected="False" name="eth1" comment="" ro="False">
<IPv4 id="id3C69BD5E-ipv4" name="address" comment="" ro="False" address="22.22.22.22" netmask="255.255.255.0"/>
<InterfaceOptions/>
</Interface>
@ -7143,6 +7185,7 @@ no sysopt nodnsalias outbound
</TSrv>
<NATRuleOptions/>
</NATRule>
<RuleSetOptions/>
</NAT>
<Policy id="id3D4204D9" name="Policy" comment="" ro="False" ipv4_rule_set="False" ipv6_rule_set="False" top_rule_set="True">
<PolicyRule id="id3DB10B42" disabled="False" log="False" position="0" action="Accept" direction="Both" comment="">
@ -7201,17 +7244,20 @@ no sysopt nodnsalias outbound
<Option name="stateless">True</Option>
</PolicyRuleOptions>
</PolicyRule>
<RuleSetOptions/>
</Policy>
<Routing id="id3D4204D6-routing" name="Routing" comment="" ro="False" ipv4_rule_set="False" ipv6_rule_set="False" top_rule_set="True"/>
<Interface id="id3D4204DF" dyn="False" label="outside" network_zone="sysid0" security_level="0" unnum="False" unprotected="False" name="eth0" comment="" ro="False">
<Routing id="id3D4204D6-routing" name="Routing" comment="" ro="False" ipv4_rule_set="False" ipv6_rule_set="False" top_rule_set="True">
<RuleSetOptions/>
</Routing>
<Interface id="id3D4204DF" dedicated_failover="False" dyn="False" label="outside" network_zone="sysid0" security_level="0" unnum="False" unprotected="False" name="eth0" comment="" ro="False">
<IPv4 id="id3D4204DF-ipv4" name="address" comment="" ro="False" address="10.5.70.20" netmask="255.255.240.0"/>
<InterfaceOptions/>
</Interface>
<Interface id="id3D4204E2" dyn="False" label="dmz" network_zone="id3D420A09" security_level="50" unnum="False" unprotected="False" name="eth1" comment="" ro="False">
<Interface id="id3D4204E2" dedicated_failover="False" dyn="False" label="dmz" network_zone="id3D420A09" security_level="50" unnum="False" unprotected="False" name="eth1" comment="" ro="False">
<IPv4 id="id3D4204E2-ipv4" name="address" comment="" ro="False" address="192.168.2.20" netmask="255.255.255.0"/>
<InterfaceOptions/>
</Interface>
<Interface id="id3D4204E5" dyn="False" label="inside" mgmt="True" network_zone="id3D420A0B" security_level="100" unnum="False" unprotected="False" name="eth2" comment="" ro="False">
<Interface id="id3D4204E5" dedicated_failover="False" dyn="False" label="inside" mgmt="True" network_zone="id3D420A0B" security_level="100" unnum="False" unprotected="False" name="eth2" comment="" ro="False">
<IPv4 id="id3D4204E5-ipv4" name="address" comment="" ro="False" address="192.168.1.20" netmask="255.255.255.0"/>
<InterfaceOptions/>
</Interface>
@ -7371,18 +7417,24 @@ no sysopt nodnsalias outbound
</FirewallOptions>
</Firewall>
<Firewall id="id3D8AAF43" host_OS="pix_os" lastCompiled="1145688340" lastInstalled="0" lastModified="0" platform="pix" version="6.3" name="firewall9" comment="this firewall has no rules at all." ro="False">
<NAT id="id3D8AAF44" name="NAT" comment="" ro="False" ipv4_rule_set="False" ipv6_rule_set="False" top_rule_set="True"/>
<Policy id="id3D8AAFA8" name="Policy" comment="" ro="False" ipv4_rule_set="False" ipv6_rule_set="False" top_rule_set="True"/>
<Routing id="id3D8AAF43-routing" name="Routing" comment="" ro="False" ipv4_rule_set="False" ipv6_rule_set="False" top_rule_set="True"/>
<Interface id="id3D8AAFA9" dyn="False" label="outside" network_zone="sysid0" security_level="0" unnum="False" unprotected="False" name="eth0" comment="" ro="False">
<NAT id="id3D8AAF44" name="NAT" comment="" ro="False" ipv4_rule_set="False" ipv6_rule_set="False" top_rule_set="True">
<RuleSetOptions/>
</NAT>
<Policy id="id3D8AAFA8" name="Policy" comment="" ro="False" ipv4_rule_set="False" ipv6_rule_set="False" top_rule_set="True">
<RuleSetOptions/>
</Policy>
<Routing id="id3D8AAF43-routing" name="Routing" comment="" ro="False" ipv4_rule_set="False" ipv6_rule_set="False" top_rule_set="True">
<RuleSetOptions/>
</Routing>
<Interface id="id3D8AAFA9" dedicated_failover="False" dyn="False" label="outside" network_zone="sysid0" security_level="0" unnum="False" unprotected="False" name="eth0" comment="" ro="False">
<IPv4 id="id3D8AAFAA" name="address" comment="" ro="False" address="10.5.70.20" netmask="255.255.240.0"/>
<InterfaceOptions/>
</Interface>
<Interface id="id3D8AAFAC" dyn="False" label="dmz" network_zone="id3D420A09" security_level="50" unnum="False" unprotected="False" name="eth1" comment="" ro="False">
<Interface id="id3D8AAFAC" dedicated_failover="False" dyn="False" label="dmz" network_zone="id3D420A09" security_level="50" unnum="False" unprotected="False" name="eth1" comment="" ro="False">
<IPv4 id="id3D8AAFAD" name="address" comment="" ro="False" address="192.168.2.20" netmask="255.255.255.0"/>
<InterfaceOptions/>
</Interface>
<Interface id="id3D8AAFAF" dyn="False" label="inside" mgmt="True" network_zone="id3D420A0B" security_level="100" unnum="False" unprotected="False" name="eth2" comment="" ro="False">
<Interface id="id3D8AAFAF" dedicated_failover="False" dyn="False" label="inside" mgmt="True" network_zone="id3D420A0B" security_level="100" unnum="False" unprotected="False" name="eth2" comment="" ro="False">
<IPv4 id="id3D8AAFB0" name="address" comment="" ro="False" address="192.168.1.20" netmask="255.255.255.0"/>
<InterfaceOptions/>
</Interface>
@ -7533,7 +7585,9 @@ no sysopt nodnsalias outbound
</FirewallOptions>
</Firewall>
<Firewall id="id3AF5A2BA" host_OS="openbsd" lastCompiled="1145688342" lastInstalled="0" lastModified="0" platform="pf" name="host" comment="firewall protects host it is running on" ro="False">
<NAT id="id3AF5A2BD" name="NAT" comment="" ro="False" ipv4_rule_set="False" ipv6_rule_set="False" top_rule_set="True"/>
<NAT id="id3AF5A2BD" name="NAT" comment="" ro="False" ipv4_rule_set="False" ipv6_rule_set="False" top_rule_set="True">
<RuleSetOptions/>
</NAT>
<Policy id="id3AF5A2BC" name="Policy" comment="" ro="False" ipv4_rule_set="False" ipv6_rule_set="False" top_rule_set="True">
<PolicyRule id="id3BD8ECD0" disabled="False" log="True" position="0" action="Accept" direction="Both" comment="">
<Src neg="False">
@ -7676,13 +7730,16 @@ no sysopt nodnsalias outbound
<Option name="stateless">True</Option>
</PolicyRuleOptions>
</PolicyRule>
<RuleSetOptions/>
</Policy>
<Routing id="id3AF5A2BA-routing" name="Routing" comment="" ro="False" ipv4_rule_set="False" ipv6_rule_set="False" top_rule_set="True"/>
<Interface id="id3AF5A2CB" dyn="False" security_level="0" unnum="False" unprotected="False" name="eth0" comment="" ro="False">
<Routing id="id3AF5A2BA-routing" name="Routing" comment="" ro="False" ipv4_rule_set="False" ipv6_rule_set="False" top_rule_set="True">
<RuleSetOptions/>
</Routing>
<Interface id="id3AF5A2CB" dedicated_failover="False" dyn="False" security_level="0" unnum="False" unprotected="False" name="eth0" comment="" ro="False">
<IPv4 id="id3AF5A2CB-ipv4" name="address" comment="" ro="False" address="22.22.22.22" netmask="255.255.255.0"/>
<InterfaceOptions/>
</Interface>
<Interface id="id3AFB7090" dyn="False" security_level="100" unnum="False" unprotected="False" name="lo" comment="" ro="False">
<Interface id="id3AFB7090" dedicated_failover="False" dyn="False" security_level="100" unnum="False" unprotected="False" name="lo" comment="" ro="False">
<IPv4 id="id3AFB7090-ipv4" name="address" comment="" ro="False" address="127.0.0.1" netmask="255.0.0.0"/>
<InterfaceOptions/>
</Interface>
@ -7779,6 +7836,7 @@ no sysopt nodnsalias outbound
</TSrv>
<NATRuleOptions/>
</NATRule>
<RuleSetOptions/>
</NAT>
<Policy id="id3D385DAC" name="Policy" comment="" ro="False" ipv4_rule_set="False" ipv6_rule_set="False" top_rule_set="True">
<PolicyRule id="id3D385DF0" disabled="False" log="False" position="0" action="Accept" direction="Both" comment="">
@ -7876,12 +7934,15 @@ no sysopt nodnsalias outbound
<Option name="stateless">True</Option>
</PolicyRuleOptions>
</PolicyRule>
<RuleSetOptions/>
</Policy>
<Routing id="id3D385DA9-routing" name="Routing" comment="" ro="False" ipv4_rule_set="False" ipv6_rule_set="False" top_rule_set="True"/>
<Interface id="id3D385DE3" dyn="True" label="outside" mgmt="False" network_zone="sysid0" security_level="0" unnum="False" unprotected="False" name="ethernet0" comment="" ro="False">
<Routing id="id3D385DA9-routing" name="Routing" comment="" ro="False" ipv4_rule_set="False" ipv6_rule_set="False" top_rule_set="True">
<RuleSetOptions/>
</Routing>
<Interface id="id3D385DE3" dedicated_failover="False" dyn="True" label="outside" mgmt="False" network_zone="sysid0" security_level="0" unnum="False" unprotected="False" name="ethernet0" comment="" ro="False">
<InterfaceOptions/>
</Interface>
<Interface id="id3D385DE6" dyn="False" label="inside" mgmt="True" network_zone="id3D385DEC" security_level="100" unnum="False" unprotected="False" name="ethernet1" comment="" ro="False">
<Interface id="id3D385DE6" dedicated_failover="False" dyn="False" label="inside" mgmt="True" network_zone="id3D385DEC" security_level="100" unnum="False" unprotected="False" name="ethernet1" comment="" ro="False">
<IPv4 id="id3D385DE6-ipv4" name="address" comment="" ro="False" address="10.3.14.204" netmask="255.255.255.0"/>
<InterfaceOptions/>
</Interface>
@ -8080,6 +8141,7 @@ no sysopt nodnsalias outbound
</TSrv>
<NATRuleOptions/>
</NATRule>
<RuleSetOptions/>
</NAT>
<Policy id="id3F957BF5" name="Policy" comment="" ro="False" ipv4_rule_set="False" ipv6_rule_set="False" top_rule_set="True">
<PolicyRule id="id3F957C00" disabled="False" log="True" position="0" action="Deny" direction="Inbound" comment="Anti-spoofing rule">
@ -8178,12 +8240,15 @@ no sysopt nodnsalias outbound
<Option name="stateless">True</Option>
</PolicyRuleOptions>
</PolicyRule>
<RuleSetOptions/>
</Policy>
<Routing id="id3F957BF2-routing" name="Routing" comment="" ro="False" ipv4_rule_set="False" ipv6_rule_set="False" top_rule_set="True"/>
<Interface id="id3F957BF9" dyn="True" label="" mgmt="False" network_zone="sysid0" security_level="0" unnum="False" unprotected="False" name="ethernet0" comment="" ro="False">
<Routing id="id3F957BF2-routing" name="Routing" comment="" ro="False" ipv4_rule_set="False" ipv6_rule_set="False" top_rule_set="True">
<RuleSetOptions/>
</Routing>
<Interface id="id3F957BF9" dedicated_failover="False" dyn="True" label="" mgmt="False" network_zone="sysid0" security_level="0" unnum="False" unprotected="False" name="ethernet0" comment="" ro="False">
<InterfaceOptions/>
</Interface>
<Interface id="id3F957BFB" dyn="False" label="" security_level="100" unnum="False" unprotected="False" name="ethernet1" comment="" ro="False">
<Interface id="id3F957BFB" dedicated_failover="False" dyn="False" label="" security_level="100" unnum="False" unprotected="False" name="ethernet1" comment="" ro="False">
<IPv4 id="id3F957BFD" name="test:ethernet1(ip)" comment="" ro="False" address="192.168.1.1" netmask="255.255.255.0"/>
<InterfaceOptions/>
</Interface>
@ -8654,6 +8719,7 @@ no sysopt nodnsalias outbound
</TSrv>
<NATRuleOptions/>
</NATRule>
<RuleSetOptions/>
</NAT>
<Policy id="id444A03A49567" name="Policy" comment="" ro="False" ipv4_rule_set="False" ipv6_rule_set="False" top_rule_set="True">
<PolicyRule id="id444A03A59567" disabled="False" log="True" position="0" action="Deny" direction="Inbound" comment="blocking short fragments">
@ -9201,17 +9267,20 @@ no sysopt nodnsalias outbound
<Option name="stateless">True</Option>
</PolicyRuleOptions>
</PolicyRule>
<RuleSetOptions/>
</Policy>
<Routing id="id444A05A09567" name="Routing" comment="" ro="False" ipv4_rule_set="False" ipv6_rule_set="False" top_rule_set="True"/>
<Interface id="id444A05A19567" dyn="False" label="outside" mgmt="False" network_zone="sysid0" security_level="0" unnum="False" unprotected="False" name="ethernet1" comment="" ro="False">
<Routing id="id444A05A09567" name="Routing" comment="" ro="False" ipv4_rule_set="False" ipv6_rule_set="False" top_rule_set="True">
<RuleSetOptions/>
</Routing>
<Interface id="id444A05A19567" dedicated_failover="False" dyn="False" label="outside" mgmt="False" network_zone="sysid0" security_level="0" unnum="False" unprotected="False" name="ethernet1" comment="" ro="False">
<IPv4 id="id444A05A39567" name="fwsm1:ethernet1:ip" comment="" ro="False" address="22.22.22.22" netmask="255.255.255.0"/>
<InterfaceOptions/>
</Interface>
<Interface id="id444A05A49567" dyn="False" label="inside" mgmt="True" network_zone="id3DAA5110" security_level="100" unnum="False" unprotected="False" name="ethernet0" comment="" ro="False">
<Interface id="id444A05A49567" dedicated_failover="False" dyn="False" label="inside" mgmt="True" network_zone="id3DAA5110" security_level="100" unnum="False" unprotected="False" name="ethernet0" comment="" ro="False">
<IPv4 id="id444A05A69567" name="fwsm1:ethernet0:ip" comment="" ro="False" address="192.168.1.1" netmask="255.255.255.0"/>
<InterfaceOptions/>
</Interface>
<Interface id="id444A05A79567" dyn="False" label="dmz" mgmt="False" network_zone="id3B022266" security_level="50" unnum="False" unprotected="False" name="ethernet2" comment="" ro="False">
<Interface id="id444A05A79567" dedicated_failover="False" dyn="False" label="dmz" mgmt="False" network_zone="id3B022266" security_level="50" unnum="False" unprotected="False" name="ethernet2" comment="" ro="False">
<IPv4 id="id444A05A99567" name="fwsm1:ethernet2:ip" comment="" ro="False" address="192.168.2.1" netmask="255.255.255.0"/>
<InterfaceOptions/>
</Interface>
@ -9540,6 +9609,7 @@ no sysopt nodnsalias outbound
</TSrv>
<NATRuleOptions/>
</NATRule>
<RuleSetOptions/>
</NAT>
<Policy id="id43867C1618346" name="Policy" comment="" ro="False" ipv4_rule_set="False" ipv6_rule_set="False" top_rule_set="True">
<PolicyRule id="id43867C1718346" disabled="False" log="False" position="0" action="Deny" direction="Inbound" comment="">
@ -9769,12 +9839,15 @@ no sysopt nodnsalias outbound
<Option name="stateless">True</Option>
</PolicyRuleOptions>
</PolicyRule>
<RuleSetOptions/>
</Policy>
<Routing id="id43867C5718346" name="Routing" comment="" ro="False" ipv4_rule_set="False" ipv6_rule_set="False" top_rule_set="True"/>
<Interface id="id43867C5818346" dyn="True" label="outside" mgmt="False" network_zone="sysid0" security_level="0" unnum="False" unprotected="False" name="eth0.100" comment="VLAN interface" ro="False">
<Routing id="id43867C5718346" name="Routing" comment="" ro="False" ipv4_rule_set="False" ipv6_rule_set="False" top_rule_set="True">
<RuleSetOptions/>
</Routing>
<Interface id="id43867C5818346" dedicated_failover="False" dyn="True" label="outside" mgmt="False" network_zone="sysid0" security_level="0" unnum="False" unprotected="False" name="eth0.100" comment="VLAN interface" ro="False">
<InterfaceOptions/>
</Interface>
<Interface id="id43867C5C18346" dyn="False" label="inside" mgmt="True" network_zone="net-Internal_net" security_level="100" unnum="False" unprotected="False" name="eth1" comment="" ro="False">
<Interface id="id43867C5C18346" dedicated_failover="False" dyn="False" label="inside" mgmt="True" network_zone="net-Internal_net" security_level="100" unnum="False" unprotected="False" name="eth1" comment="" ro="False">
<IPv4 id="id43867C5E18346" name="firewall33:eth1:ip" comment="" ro="False" address="192.168.1.100" netmask="255.255.255.0"/>
<InterfaceOptions/>
</Interface>
@ -9912,6 +9985,7 @@ no sysopt nodnsalias outbound
</TSrv>
<NATRuleOptions/>
</NATRule>
<RuleSetOptions/>
</NAT>
<Policy id="id4389EDB418346" name="Policy" comment="" ro="False" ipv4_rule_set="False" ipv6_rule_set="False" top_rule_set="True">
<PolicyRule id="id4389EDB518346" disabled="False" log="False" position="0" action="Accept" direction="Both" comment="">
@ -10129,12 +10203,15 @@ no sysopt nodnsalias outbound
<Option name="stateless">True</Option>
</PolicyRuleOptions>
</PolicyRule>
<RuleSetOptions/>
</Policy>
<Routing id="id4389EE8318346" name="Routing" comment="" ro="False" ipv4_rule_set="False" ipv6_rule_set="False" top_rule_set="True"/>
<Interface id="id4389EE8418346" dyn="True" label="outside" mgmt="False" network_zone="sysid0" security_level="0" unnum="False" unprotected="False" name="eth0.100" comment="VLAN interface" ro="False">
<Routing id="id4389EE8318346" name="Routing" comment="" ro="False" ipv4_rule_set="False" ipv6_rule_set="False" top_rule_set="True">
<RuleSetOptions/>
</Routing>
<Interface id="id4389EE8418346" dedicated_failover="False" dyn="True" label="outside" mgmt="False" network_zone="sysid0" security_level="0" unnum="False" unprotected="False" name="eth0.100" comment="VLAN interface" ro="False">
<InterfaceOptions/>
</Interface>
<Interface id="id4389EE8818346" dyn="False" label="inside" mgmt="True" network_zone="net-Internal_net" security_level="100" unnum="False" unprotected="False" name="eth1" comment="" ro="False">
<Interface id="id4389EE8818346" dedicated_failover="False" dyn="False" label="inside" mgmt="True" network_zone="net-Internal_net" security_level="100" unnum="False" unprotected="False" name="eth1" comment="" ro="False">
<IPv4 id="id4389EE8A18346" name="firewall34:eth1:ip" comment="" ro="False" address="192.168.1.100" netmask="255.255.255.0"/>
<InterfaceOptions/>
</Interface>
@ -10570,6 +10647,7 @@ no sysopt nodnsalias outbound
</TSrv>
<NATRuleOptions/>
</NATRule>
<RuleSetOptions/>
</NAT>
<Policy id="id45142F6C28543" name="Policy" comment="" ro="False" ipv4_rule_set="False" ipv6_rule_set="False" top_rule_set="True">
<PolicyRule id="id45142F6D28543" disabled="False" log="True" position="0" action="Deny" direction="Inbound" comment="blocking short fragments">
@ -11193,17 +11271,20 @@ no sysopt nodnsalias outbound
<Option name="stateless">True</Option>
</PolicyRuleOptions>
</PolicyRule>
<RuleSetOptions/>
</Policy>
<Routing id="id4514316828543" name="Routing" comment="" ro="False" ipv4_rule_set="False" ipv6_rule_set="False" top_rule_set="True"/>
<Interface id="id4514316928543" dyn="False" label="outside" mgmt="False" network_zone="sysid0" security_level="0" unnum="False" unprotected="False" name="ethernet1" comment="" ro="False">
<Routing id="id4514316828543" name="Routing" comment="" ro="False" ipv4_rule_set="False" ipv6_rule_set="False" top_rule_set="True">
<RuleSetOptions/>
</Routing>
<Interface id="id4514316928543" dedicated_failover="False" dyn="False" label="outside" mgmt="False" network_zone="sysid0" security_level="0" unnum="False" unprotected="False" name="ethernet1" comment="" ro="False">
<IPv4 id="id4514316B28543" name="firewall50:ethernet1:ip" comment="" ro="False" address="22.22.22.22" netmask="255.255.255.0"/>
<InterfaceOptions/>
</Interface>
<Interface id="id4514316C28543" dyn="False" label="inside" mgmt="True" network_zone="id3DAA5110" security_level="100" unnum="False" unprotected="False" name="ethernet0" comment="" ro="False">
<Interface id="id4514316C28543" dedicated_failover="False" dyn="False" label="inside" mgmt="True" network_zone="id3DAA5110" security_level="100" unnum="False" unprotected="False" name="ethernet0" comment="" ro="False">
<IPv4 id="id4514316E28543" name="firewall50:ethernet0:ip" comment="" ro="False" address="192.168.1.1" netmask="255.255.255.0"/>
<InterfaceOptions/>
</Interface>
<Interface id="id4514316F28543" dyn="False" label="dmz" mgmt="False" network_zone="id3B022266" security_level="50" unnum="False" unprotected="False" name="ethernet2" comment="" ro="False">
<Interface id="id4514316F28543" dedicated_failover="False" dyn="False" label="dmz" mgmt="False" network_zone="id3B022266" security_level="50" unnum="False" unprotected="False" name="ethernet2" comment="" ro="False">
<IPv4 id="id4514317128543" name="firewall50:ethernet2:ip" comment="" ro="False" address="192.168.2.1" netmask="255.255.255.0"/>
<InterfaceOptions/>
</Interface>
@ -11534,6 +11615,7 @@ no sysopt nodnsalias outbound
</TSrv>
<NATRuleOptions/>
</NATRule>
<RuleSetOptions/>
</NAT>
<Policy id="id4528A4F920039" name="Policy" comment="" ro="False" ipv4_rule_set="False" ipv6_rule_set="False" top_rule_set="True">
<PolicyRule id="id4528A4FA20039" disabled="False" log="False" position="0" action="Accept" direction="Both" comment="">
@ -11708,17 +11790,20 @@ no sysopt nodnsalias outbound
<Option name="stateless">True</Option>
</PolicyRuleOptions>
</PolicyRule>
<RuleSetOptions/>
</Policy>
<Routing id="id4528A58220039" name="Routing" comment="" ro="False" ipv4_rule_set="False" ipv6_rule_set="False" top_rule_set="True"/>
<Interface id="id4528A58320039" dyn="False" label="outside" network_zone="sysid0" security_level="0" unnum="False" unprotected="False" name="eth0" comment="" ro="False">
<Routing id="id4528A58220039" name="Routing" comment="" ro="False" ipv4_rule_set="False" ipv6_rule_set="False" top_rule_set="True">
<RuleSetOptions/>
</Routing>
<Interface id="id4528A58320039" dedicated_failover="False" dyn="False" label="outside" network_zone="sysid0" security_level="0" unnum="False" unprotected="False" name="eth0" comment="" ro="False">
<IPv4 id="id4528A58520039" name="firewall20:eth0:ip" comment="" ro="False" address="10.5.70.20" netmask="255.255.240.0"/>
<InterfaceOptions/>
</Interface>
<Interface id="id4528A58620039" dyn="False" label="dmz" network_zone="id3D420A09" security_level="50" unnum="False" unprotected="False" name="eth1" comment="" ro="False">
<Interface id="id4528A58620039" dedicated_failover="False" dyn="False" label="dmz" network_zone="id3D420A09" security_level="50" unnum="False" unprotected="False" name="eth1" comment="" ro="False">
<IPv4 id="id4528A58820039" name="firewall20:eth1:ip" comment="" ro="False" address="192.168.2.20" netmask="255.255.255.0"/>
<InterfaceOptions/>
</Interface>
<Interface id="id4528A58920039" dyn="False" label="inside" mgmt="True" network_zone="id3D420A0B" security_level="100" unnum="False" unprotected="False" name="eth2" comment="" ro="False">
<Interface id="id4528A58920039" dedicated_failover="False" dyn="False" label="inside" mgmt="True" network_zone="id3D420A0B" security_level="100" unnum="False" unprotected="False" name="eth2" comment="" ro="False">
<IPv4 id="id4528A58B20039" name="firewall20:eth2:ip" comment="" ro="False" address="192.168.1.20" netmask="255.255.255.0"/>
<InterfaceOptions/>
</Interface>
@ -11996,6 +12081,7 @@ no sysopt nodnsalias outbound
</TSrv>
<NATRuleOptions/>
</NATRule>
<RuleSetOptions/>
</NAT>
<Policy id="id45293E8120039" name="Policy" comment="" ro="False" ipv4_rule_set="False" ipv6_rule_set="False" top_rule_set="True">
<PolicyRule id="id45293E8220039" disabled="False" log="False" position="0" action="Accept" direction="Both" comment="">
@ -12442,17 +12528,20 @@ no sysopt nodnsalias outbound
<Option name="stateless">True</Option>
</PolicyRuleOptions>
</PolicyRule>
<RuleSetOptions/>
</Policy>
<Routing id="id45293F3B20039" name="Routing" comment="" ro="False" ipv4_rule_set="False" ipv6_rule_set="False" top_rule_set="True"/>
<Interface id="id45293F3C20039" dyn="False" label="outside" network_zone="sysid0" security_level="0" unnum="False" unprotected="False" name="eth0" comment="" ro="False">
<Routing id="id45293F3B20039" name="Routing" comment="" ro="False" ipv4_rule_set="False" ipv6_rule_set="False" top_rule_set="True">
<RuleSetOptions/>
</Routing>
<Interface id="id45293F3C20039" dedicated_failover="False" dyn="False" label="outside" network_zone="sysid0" security_level="0" unnum="False" unprotected="False" name="eth0" comment="" ro="False">
<IPv4 id="id45293F3E20039" name="firewall21:eth0:ip" comment="" ro="False" address="10.5.70.20" netmask="255.255.240.0"/>
<InterfaceOptions/>
</Interface>
<Interface id="id45293F3F20039" dyn="False" label="dmz" network_zone="id3D420A09" security_level="50" unnum="False" unprotected="False" name="eth1" comment="" ro="False">
<Interface id="id45293F3F20039" dedicated_failover="False" dyn="False" label="dmz" network_zone="id3D420A09" security_level="50" unnum="False" unprotected="False" name="eth1" comment="" ro="False">
<IPv4 id="id45293F4120039" name="firewall21:eth1:ip" comment="" ro="False" address="192.168.2.20" netmask="255.255.255.0"/>
<InterfaceOptions/>
</Interface>
<Interface id="id45293F4220039" dyn="False" label="inside" mgmt="True" network_zone="id3D420A0B" security_level="100" unnum="False" unprotected="False" name="eth2" comment="" ro="False">
<Interface id="id45293F4220039" dedicated_failover="False" dyn="False" label="inside" mgmt="True" network_zone="id3D420A0B" security_level="100" unnum="False" unprotected="False" name="eth2" comment="" ro="False">
<IPv4 id="id45293F4420039" name="firewall21:eth2:ip" comment="" ro="False" address="192.168.1.20" netmask="255.255.255.0"/>
<InterfaceOptions/>
</Interface>
@ -12730,6 +12819,7 @@ no sysopt nodnsalias outbound
</TSrv>
<NATRuleOptions/>
</NATRule>
<RuleSetOptions/>
</NAT>
<Policy id="id4529E34516799" name="Policy" comment="" ro="False" ipv4_rule_set="False" ipv6_rule_set="False" top_rule_set="True">
<PolicyRule id="id4529E34616799" disabled="False" log="False" position="0" action="Accept" direction="Both" comment="">
@ -13176,17 +13266,20 @@ no sysopt nodnsalias outbound
<Option name="stateless">True</Option>
</PolicyRuleOptions>
</PolicyRule>
<RuleSetOptions/>
</Policy>
<Routing id="id4529E49B16799" name="Routing" comment="" ro="False" ipv4_rule_set="False" ipv6_rule_set="False" top_rule_set="True"/>
<Interface id="id4529E49C16799" dyn="False" label="outside" network_zone="sysid0" security_level="0" unnum="False" unprotected="False" name="eth0" comment="" ro="False">
<Routing id="id4529E49B16799" name="Routing" comment="" ro="False" ipv4_rule_set="False" ipv6_rule_set="False" top_rule_set="True">
<RuleSetOptions/>
</Routing>
<Interface id="id4529E49C16799" dedicated_failover="False" dyn="False" label="outside" network_zone="sysid0" security_level="0" unnum="False" unprotected="False" name="eth0" comment="" ro="False">
<IPv4 id="id4529E49E16799" name="firewall22:eth0:ip" comment="" ro="False" address="10.5.70.20" netmask="255.255.240.0"/>
<InterfaceOptions/>
</Interface>
<Interface id="id4529E49F16799" dyn="False" label="dmz" network_zone="id3D420A09" security_level="50" unnum="False" unprotected="False" name="eth1" comment="" ro="False">
<Interface id="id4529E49F16799" dedicated_failover="False" dyn="False" label="dmz" network_zone="id3D420A09" security_level="50" unnum="False" unprotected="False" name="eth1" comment="" ro="False">
<IPv4 id="id4529E4A116799" name="firewall22:eth1:ip" comment="" ro="False" address="192.168.2.20" netmask="255.255.255.0"/>
<InterfaceOptions/>
</Interface>
<Interface id="id4529E4A216799" dyn="False" label="inside" mgmt="True" network_zone="id3D420A0B" security_level="100" unnum="False" unprotected="False" name="eth2" comment="" ro="False">
<Interface id="id4529E4A216799" dedicated_failover="False" dyn="False" label="inside" mgmt="True" network_zone="id3D420A0B" security_level="100" unnum="False" unprotected="False" name="eth2" comment="" ro="False">
<IPv4 id="id4529E4A416799" name="firewall22:eth2:ip" comment="" ro="False" address="192.168.1.20" netmask="255.255.255.0"/>
<InterfaceOptions/>
</Interface>
@ -13466,6 +13559,7 @@ no sysopt nodnsalias outbound
</TSrv>
<NATRuleOptions/>
</NATRule>
<RuleSetOptions/>
</NAT>
<Policy id="id4529FD5016799" name="Policy" comment="" ro="False" ipv4_rule_set="False" ipv6_rule_set="False" top_rule_set="True">
<PolicyRule id="id4529FD5116799" disabled="False" log="False" position="0" action="Accept" direction="Both" comment="">
@ -13912,17 +14006,20 @@ no sysopt nodnsalias outbound
<Option name="stateless">True</Option>
</PolicyRuleOptions>
</PolicyRule>
<RuleSetOptions/>
</Policy>
<Routing id="id4529FEA616799" name="Routing" comment="" ro="False" ipv4_rule_set="False" ipv6_rule_set="False" top_rule_set="True"/>
<Interface id="id4529FEA716799" dyn="False" label="outside" network_zone="sysid0" security_level="0" unnum="False" unprotected="False" name="eth0" comment="" ro="False">
<Routing id="id4529FEA616799" name="Routing" comment="" ro="False" ipv4_rule_set="False" ipv6_rule_set="False" top_rule_set="True">
<RuleSetOptions/>
</Routing>
<Interface id="id4529FEA716799" dedicated_failover="False" dyn="False" label="outside" network_zone="sysid0" security_level="0" unnum="False" unprotected="False" name="eth0" comment="" ro="False">
<IPv4 id="id4529FEA916799" name="firewall21-1:eth0:ip" comment="" ro="False" address="10.5.70.20" netmask="255.255.240.0"/>
<InterfaceOptions/>
</Interface>
<Interface id="id4529FEAA16799" dyn="False" label="dmz" network_zone="id3D420A09" security_level="50" unnum="False" unprotected="False" name="eth1" comment="" ro="False">
<Interface id="id4529FEAA16799" dedicated_failover="False" dyn="False" label="dmz" network_zone="id3D420A09" security_level="50" unnum="False" unprotected="False" name="eth1" comment="" ro="False">
<IPv4 id="id4529FEAC16799" name="firewall21-1:eth1:ip" comment="" ro="False" address="192.168.2.20" netmask="255.255.255.0"/>
<InterfaceOptions/>
</Interface>
<Interface id="id4529FEAD16799" dyn="False" label="inside" mgmt="True" network_zone="id3D420A0B" security_level="100" unnum="False" unprotected="False" name="eth2" comment="" ro="False">
<Interface id="id4529FEAD16799" dedicated_failover="False" dyn="False" label="inside" mgmt="True" network_zone="id3D420A0B" security_level="100" unnum="False" unprotected="False" name="eth2" comment="" ro="False">
<IPv4 id="id4529FEAF16799" name="firewall21-1:eth2:ip" comment="" ro="False" address="192.168.1.20" netmask="255.255.255.0"/>
<InterfaceOptions/>
</Interface>
@ -14137,6 +14234,7 @@ no sysopt nodnsalias outbound
</TSrv>
<NATRuleOptions/>
</NATRule>
<RuleSetOptions/>
</NAT>
<Policy id="id47B7A6A221818" name="Policy" comment="" ro="False" ipv4_rule_set="False" ipv6_rule_set="False" top_rule_set="True">
<PolicyRule id="id47B7A6BC21818" disabled="False" log="False" position="0" action="Accept" direction="Both" comment="">
@ -14254,6 +14352,7 @@ no sysopt nodnsalias outbound
</When>
<PolicyRuleOptions/>
</PolicyRule>
<RuleSetOptions/>
</Policy>
<Routing id="id47B7A72221818" name="Routing" comment="" ro="False" ipv4_rule_set="False" ipv6_rule_set="False" top_rule_set="True">
<RoutingRule id="id64513X21455" disabled="False" group="" metric="0" position="0" comment="The default metric on PIX is 1, so the GUI default value of 0 becomes 1 in&#10;the compiled rules.">
@ -14280,12 +14379,13 @@ no sysopt nodnsalias outbound
</RItf>
<RoutingRuleOptions/>
</RoutingRule>
<RuleSetOptions/>
</Routing>
<Interface id="id47B7A72321818" dyn="False" label="outside" mgmt="False" network_zone="sysid0" security_level="0" unnum="False" unprotected="False" name="ethernet0" comment="" ro="False">
<Interface id="id47B7A72321818" dedicated_failover="False" dyn="False" label="outside" mgmt="False" network_zone="sysid0" security_level="0" unnum="False" unprotected="False" name="ethernet0" comment="" ro="False">
<IPv4 id="id47B7A72F21818" name="pix515:ethernet0:ip" comment="" ro="False" address="192.168.1.1" netmask="255.255.255.0"/>
<InterfaceOptions/>
</Interface>
<Interface id="id47B7A72421818" dyn="False" label="inside" mgmt="True" network_zone="id47B7C22921818" security_level="100" unnum="False" unprotected="False" name="ethernet1" comment="" ro="False">
<Interface id="id47B7A72421818" dedicated_failover="False" dyn="False" label="inside" mgmt="True" network_zone="id47B7C22921818" security_level="100" unnum="False" unprotected="False" name="ethernet1" comment="" ro="False">
<IPv4 id="id47B7A72621818" name="pix515:ethernet1:ip" comment="" ro="False" address="10.3.14.206" netmask="255.255.255.0"/>
<InterfaceOptions/>
</Interface>
@ -14463,8 +14563,6 @@ no sysopt nodnsalias outbound
<IntervalGroup id="id4387B44818346" name="Time" comment="" ro="False"/>
</Library>
<Library id="syslib000" color="#d4f8ff" name="Standard" comment="Standard objects" ro="True">
<AnyNetwork id="sysid0" name="Any" comment="Any Network" ro="False" address="0.0.0.0" netmask="0.0.0.0"/>
<AnyIPService id="sysid1" protocol_num="0" name="Any" comment="Any IP Service" ro="False"/>
<ServiceGroup id="stdid05" name="Services" comment="" ro="False">
<ServiceGroup id="stdid06" name="IP" comment="" ro="False">
<IPService id="ip-IPSEC" fragm="False" lsrr="False" protocol_num="50" rr="False" short_fragm="False" ssrr="False" ts="False" name="ESP" comment="IPSEC Encapsulating Security Payload Protocol" ro="False"/>
@ -14534,11 +14632,13 @@ no sysopt nodnsalias outbound
</ServiceGroup>
</ServiceGroup>
</ServiceGroup>
<AnyNetwork id="sysid0" name="Any" comment="Any Network" ro="False" address="0.0.0.0" netmask="0.0.0.0"/>
<AnyInterval id="sysid2" days_of_week="0,1,2,3,4,5,6" from_day="-1" from_hour="-1" from_minute="-1" from_month="-1" from_weekday="-1" from_year="-1" to_day="-1" to_hour="-1" to_minute="-1" to_month="-1" to_weekday="-1" to_year="-1" name="Any" comment="Any Interval" ro="False"/>
<AnyIPService id="sysid1" protocol_num="0" name="Any" comment="Any IP Service" ro="False"/>
<ObjectGroup id="stdid01" name="Objects" comment="" ro="False">
<ObjectGroup id="stdid02" name="Hosts" comment="" ro="False">
<Host id="id3D84EECF" name="server on dmz" comment="This host is used in examples and template objects" ro="False">
<Interface id="id3D84EEE3" dyn="False" security_level="0" unnum="False" unprotected="False" name="eth0" comment="" ro="False">
<Interface id="id3D84EEE3" dedicated_failover="False" dyn="False" security_level="0" unnum="False" unprotected="False" name="eth0" comment="" ro="False">
<IPv4 id="id3D84EEE4" name="ip" comment="" ro="False" address="192.168.2.10" netmask="255.255.255.0"/>
<InterfaceOptions/>
</Interface>