
see #1888, #2020, #2018: rc.conf format of the init script for PF on FreeBSD; includes interfaces, addresses, CARP, pfsync and pf initialization

This commit is contained in:
Vadim Kurland 2011-02-02 17:45:36 -08:00
parent 5f9e82fda1
commit 39eaf40722
34 changed files with 1726 additions and 434 deletions


@ -7,7 +7,7 @@ FWB_MICRO_VERSION=0
# build number is like "nano" version number. I am incrementing build
# number during development cycle
#
BUILD_NUM="3456"
BUILD_NUM="3457"
VERSION="$FWB_MAJOR_VERSION.$FWB_MINOR_VERSION.$FWB_MICRO_VERSION.$BUILD_NUM"


@ -1,2 +1,2 @@
#define VERSION "4.2.0.3456"
#define VERSION "4.2.0.3457"
#define GENERATION "4.2"


@ -1,3 +1,13 @@
2011-02-02 vadim <vadim@netcitadel.com>
* OSConfigurator_freebsd.cpp: see #1888 "Add option to generate
rc.conf.local file for BSD systems". Added ability to generate
initialization script in rc.conf fromat for FreeBSD. Only FreeBSD
is currently supported (not OpenBSD). Generated script includes
variables to configure interfaces and their ipv4 and ipv6
addresses, vlans, CARP and pfsync interfaces, as well as variables
that initialize PF.
2011-02-01 vadim <vadim@netcitadel.com>
* CompilerDriver_files.cpp (determineOutputFileNames): See #2015


@ -3,7 +3,7 @@
%define name fwbuilder
%define version 4.2.0.3456
%define version 4.2.0.3457
%define release 1
%if "%_vendor" == "MandrakeSoft"


@ -4,6 +4,6 @@ Replaces: fwbuilder (<=4.1.1-1), fwbuilder-common, fwbuilder-bsd, fwbuilder-linu
Priority: extra
Section: checkinstall
Maintainer: vadim@fwbuilder.org
Version: 4.2.0.3456-1
Version: 4.2.0.3457-1
Depends: libqt4-gui (>= 4.3.0), libxml2, libxslt1.1, libsnmp | libsnmp15
Description: Firewall Builder GUI and policy compilers


@ -1,6 +1,6 @@
%define name fwbuilder
%define version 4.2.0.3456
%define version 4.2.0.3457
%define release 1
%if "%_vendor" == "MandrakeSoft"


@ -117,7 +117,8 @@ QString CompilerDriver_iosacl::assembleFwScript(Cluster *cluster,
options->setStr("prolog_script", options->getStr("iosacl_prolog_script"));
options->setStr("epilog_script", options->getStr("iosacl_epilog_script"));
assembleFwScriptInternal(cluster, fw, cluster_member, oscnf, &script_skeleton, &top_comment, "!");
assembleFwScriptInternal(cluster, fw, cluster_member,
oscnf, &script_skeleton, &top_comment, "!", true);
return script_skeleton.expand();
}
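Review bot: The new trailing `true` on the assembleFwScriptInternal call in this hunk carries no meaning at the call site; a reader has to open CompilerDriver.h to learn it is the `indent` flag. The pix, procurve_acl, ipf and ipfw drivers in this commit gain the identical bare literal. Since every caller except CompilerDriver_pf passes true, giving the parameter a default in the declaration, `bool indent = true);`, would leave those five call sites untouched and make the one pf call that passes `!options->getBool("generate_rc_conf_file")` the only place where the flag is spelled out; failing that, tag the literal at each site, `"!", /* indent */ true);`.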


@ -160,7 +160,8 @@ QString CompilerDriver_pix::assembleFwScript(Cluster *cluster,
script_skeleton.setVariable("routing_script",
QString::fromUtf8(routing_script.c_str()));
assembleFwScriptInternal(cluster, fw, cluster_member, oscnf, &script_skeleton, &top_comment, "!");
assembleFwScriptInternal(cluster, fw, cluster_member, oscnf,
&script_skeleton, &top_comment, "!", true);
return script_skeleton.expand();
}


@ -113,7 +113,8 @@ QString CompilerDriver_procurve_acl::assembleFwScript(Cluster *cluster,
options->setStr("prolog_script", options->getStr("procurve_acl_prolog_script"));
options->setStr("epilog_script", options->getStr("procurve_acl_epilog_script"));
assembleFwScriptInternal(cluster, fw, cluster_member, oscnf, &script_skeleton, &top_comment, ";");
assembleFwScriptInternal(cluster, fw, cluster_member, oscnf,
&script_skeleton, &top_comment, ";", true);
return script_skeleton.expand();
}


@ -156,7 +156,8 @@ protected:
OSConfigurator *ocsnf,
Configlet *script_skeleton,
Configlet *top_comment,
const QString &comment_char);
const QString &comment_char,
bool indent);
void _findImportedRuleSetsRecursively(libfwbuilder::Firewall *fw,
libfwbuilder::RuleSet *ruleset,


@ -71,7 +71,8 @@ void CompilerDriver::assembleFwScriptInternal(Cluster *cluster,
OSConfigurator *oscnf,
Configlet *script_skeleton,
Configlet *top_comment,
const QString &comment_char)
const QString &comment_char,
bool indent)
{
FWOptions* options = fw->getOptionsObject();
string platform = fw->getStr("platform");
@ -112,17 +113,21 @@ void CompilerDriver::assembleFwScriptInternal(Cluster *cluster,
QFileInfo fw_file_info(fw_file_name);
top_comment->setVariable("manifest", assembleManifest(cluster, fw, cluster_member));
top_comment->setVariable("manifest", assembleManifest(cluster, fw,
cluster_member));
top_comment->setVariable("platform", platform.c_str());
top_comment->setVariable("fw_version", fw_version.c_str());
top_comment->setVariable("comment", prepend(comment_char + " ", fw->getComment().c_str()));
top_comment->setVariable("comment",
prepend((indent) ? comment_char + " " : "",
fw->getComment().c_str()));
script_skeleton->setVariable("have_nat", have_nat);
script_skeleton->setVariable("have_filter", have_filter);
script_skeleton->setVariable("top_comment", top_comment->expand());
script_skeleton->setVariable("errors_and_warnings",
prepend(comment_char + " ", all_errors.join("\n")));
prepend((indent) ? comment_char + " " : "",
all_errors.join("\n")));
script_skeleton->setVariable("tools", printPathForAllTools(fw, family));
script_skeleton->setVariable("timestamp", timestr);
@ -134,16 +139,21 @@ void CompilerDriver::assembleFwScriptInternal(Cluster *cluster,
script_buffer = "";
script_skeleton->setVariable("shell_functions", oscnf->printFunctions().c_str());
script_skeleton->setVariable("shell_functions",
oscnf->printFunctions().c_str());
script_skeleton->setVariable("kernel_vars_commands",
prepend(" ", oscnf->printKernelVarsCommands().c_str()));
prepend((indent) ? " " : "",
oscnf->printKernelVarsCommands().c_str()));
script_skeleton->setVariable("configure_interfaces",
prepend(" ", oscnf->configureInterfaces().c_str()));
prepend((indent) ? " " : "",
oscnf->configureInterfaces().c_str()));
// this really adds nothing for the most of the systems
script_skeleton->setVariable("other_os_configuration_commands", oscnf->getCompiledScript().c_str());
script_skeleton->setVariable("other_os_configuration_commands",
oscnf->getCompiledScript().c_str());
script_skeleton->setVariable("activation_commands", printActivationCommands(fw));
script_skeleton->setVariable("activation_commands",
printActivationCommands(fw));
script_skeleton->setVariable("verify_interfaces", "");
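Review bot: `indent` does two unrelated jobs here: at the `comment` and `errors_and_warnings` lines of the second hunk it decides whether `fw->getComment()` and `all_errors` receive the comment-character prefix at all, while at `kernel_vars_commands` and `configure_interfaces` in the third hunk it only controls leading whitespace. With indent=false the user-written firewall comment and the compiler's error text are inserted into the top_comment and script_skeleton configlets with no `#` in front of any line; whether the rc_conf_top_comment and rc_conf_skeleton templates (not in this diff) re-comment each line themselves is not visible, and if they do not, a multi-line comment turns into bare lines in a file that rc(8) sources as shell. Either keep the `comment_char + " "` prefix unconditional for those two variables and let `indent` govern whitespace only, or document the contract on the parameter in CompilerDriver.h: `// indent: false selects the flat rc.conf-style skeleton; comment and error text are then inserted without the comment_char prefix and the template must comment them itself`. assembleFwScriptInternal continues outside these hunks.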


@ -160,7 +160,8 @@ QString CompilerDriver_ipf::assembleFwScript(Cluster *cluster,
Configlet top_comment(fw, "ipf", "top_comment");
assembleFwScriptInternal(
cluster, fw, cluster_member, oscnf, &script_skeleton, &top_comment, "#");
cluster, fw, cluster_member, oscnf,
&script_skeleton, &top_comment, "#", true);
return script_skeleton.expand();
}
@ -200,6 +201,17 @@ QString CompilerDriver_ipf::run(const std::string &cluster_id,
determineOutputFileNames(cluster, fw, !cluster_id.empty());
// if remote file spec does not include path, the file is
// assumed to be in directory set in the "Installer" tab
// of the firewall settings dialog
//
// fw_dir is used below to generate activation commands
QString fw_dir = options->getStr("firewall_dir").c_str();
if (fw_dir.isEmpty()) fw_dir = Resources::getTargetOptionStr(
fw->getStr("host_OS"), "activation/fwdir").c_str();
QFileInfo finfo(fw_file_name);
QString ipf_file_name = finfo.completeBaseName() + "-ipf.conf";
QString nat_file_name = finfo.completeBaseName() + "-nat.conf";
@ -362,7 +374,16 @@ QString CompilerDriver_ipf::run(const std::string &cluster_id,
QString filePath;
if (remote_ipf_name[0] == '/') filePath = remote_ipf_name;
else filePath = QString("${FWDIR}/") + remote_ipf_name;
else
{
QFileInfo remote_file_info(remote_ipf_name);
if (remote_file_info.path() != ".")
filePath = remote_ipf_name;
else
filePath = fw_dir + "/" + remote_ipf_name;
//filePath = QString("${FWDIR}/") + remote_ipf_name;
}
activation_commands.push_back(
composeActivationCommand(
@ -400,7 +421,17 @@ QString CompilerDriver_ipf::run(const std::string &cluster_id,
QString filePath;
if (remote_nat_name[0] == '/') filePath = remote_nat_name;
else filePath = QString("${FWDIR}/") + remote_nat_name;
else
{
QFileInfo remote_file_info(remote_nat_name);
if (remote_file_info.path() != ".")
filePath = remote_nat_name;
else
filePath = fw_dir + "/" + remote_nat_name;
//filePath = QString("${FWDIR}/") + remote_nat_name;
}
activation_commands.push_back(
composeActivationCommand(
fw, false, ipf_dbg, fw_version, filePath.toStdString()));
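Review bot: In the last two hunks `filePath` is now built from `fw_dir` at compile time and handed to composeActivationCommand via `toStdString()` with no escaping, whereas the matching change to printActivationCommands in CompilerDriver_pf.cpp in this same commit passes its result through `escapeFileName` first. `fw_dir` comes straight from the `firewall_dir` option (or the resource default), so a directory containing a space or a shell metacharacter now lands verbatim in the generated activation command, where previously the shell on the target expanded `${FWDIR}` itself; unless composeActivationCommand quotes its argument (not visible here) the command breaks or is mis-parsed. Add the same step before each push_back, `filePath = this->escapeFileName(filePath);`, assuming escapeFileName is reachable from this driver as it is from the pf one, and drop the two commented-out `${FWDIR}` lines instead of leaving dead code inside the else branch. run() starts and ends outside these hunks.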


@ -107,7 +107,8 @@ QString CompilerDriver_ipfw::assembleFwScript(Cluster *cluster,
Configlet top_comment(fw, "ipfw", "top_comment");
assembleFwScriptInternal(
cluster, fw, cluster_member, oscnf, &script_skeleton, &top_comment, "#");
cluster, fw, cluster_member, oscnf,
&script_skeleton, &top_comment, "#", true);
return script_skeleton.expand();
}


@ -89,7 +89,11 @@ QString CompilerDriver_pf::composeActivationCommand(Firewall *fw,
const string &pf_version,
const string &remote_file_name)
{
Configlet act(fw, "pf", "activation");
FWOptions* options = fw->getOptionsObject();
Configlet act(fw, "pf",
options->getBool("generate_rc_conf_file") ?
"rc_conf_activation" : "activation");
act.removeComments();
act.setVariable("pfctl_debug", pfctl_debug.c_str());
act.setVariable("anchor", !anchor_name.empty());
@ -113,10 +117,25 @@ QString CompilerDriver_pf::printActivationCommands(Firewall *fw)
bool debug = options->getBool("debug");
string pfctl_dbg = (debug)?"-v ":"";
// if remote file spec does not include path, the file is
// assumed to be in directory set in the "Installer" tab
// of the firewall settings dialog
QString fw_dir = options->getStr("firewall_dir").c_str();
if (fw_dir.isEmpty()) fw_dir = Resources::getTargetOptionStr(
fw->getStr("host_OS"), "activation/fwdir").c_str();
QStringList activation_commands;
QString remote_file = remote_conf_files["__main__"];
if (remote_file.isEmpty()) remote_file = conf_files["__main__"];
if (remote_file[0] != '/') remote_file = "${FWDIR}/" + remote_file;
if (remote_file[0] != '/')
{
QFileInfo remote_file_info(remote_file);
if (remote_file_info.path() != ".")
remote_file = remote_file;
else
remote_file = fw_dir + "/" + remote_file;
}
remote_file = this->escapeFileName(remote_file);
activation_commands.push_back(
@ -128,7 +147,14 @@ QString CompilerDriver_pf::printActivationCommands(Firewall *fw)
{
QString remote_file = remote_conf_files[i->first];
if (remote_file.isEmpty()) remote_file = i->second;
if (remote_file[0] != '/') remote_file = "${FWDIR}/" + remote_file;
if (remote_file[0] != '/')
{
QFileInfo remote_file_info(remote_file);
if (remote_file_info.path() != ".")
remote_file = remote_file;
else
remote_file = fw_dir + "/" + remote_file;
}
remote_file = this->escapeFileName(remote_file);
if (i->first != "__main__")
@ -179,14 +205,23 @@ QString CompilerDriver_pf::assembleFwScript(Cluster *cluster,
OSConfigurator *oscnf)
{
FWOptions* options = fw->getOptionsObject();
Configlet script_skeleton(fw, "pf", "script_skeleton");
Configlet top_comment(fw, "pf", "top_comment");
Configlet script_skeleton(
fw, "pf",
options->getBool("generate_rc_conf_file") ?
"rc_conf_skeleton" : "script_skeleton");
Configlet top_comment(fw, "pf",
options->getBool("generate_rc_conf_file") ?
"rc_conf_top_comment" : "top_comment");
script_skeleton.setVariable("routing_script",
QString::fromUtf8(routing_script.c_str()));
assembleFwScriptInternal(
cluster, fw, cluster_member, oscnf, &script_skeleton, &top_comment, "#");
cluster, fw, cluster_member, oscnf,
&script_skeleton, &top_comment, "#",
!options->getBool("generate_rc_conf_file"));
if (fw->getStr("platform") == "pf")
{
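Review bot: `remote_file = remote_file;` in the second hunk (and again in the third) is a self-assignment that does nothing; the if/else exists only to skip the fw_dir prefix when the name already carries a directory. Collapse each block to the one case that acts, `if (remote_file[0] != '/' && QFileInfo(remote_file).path() == ".") remote_file = fw_dir + "/" + remote_file;`, which also removes the `remote_file_info` temporary. In the fourth hunk, `!options->getBool("generate_rc_conf_file")` passed as the new `indent` argument is the only place in the commit where the flag's purpose can be read off; a short comment there, `// rc.conf format is flat: no comment prefix or indentation`, would save the next reader a trip to CompilerDriver.cpp. printActivationCommands and assembleFwScript both continue outside their hunks.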


@ -2,11 +2,9 @@
Firewall Builder
Copyright (C) 2002,2009 NetCitadel, LLC
Copyright (C) 2002-2011 NetCitadel, LLC
Author: Vadim Kurland vadim@vk.crocodile.org
$Id$
Author: Vadim Kurland vadim@fwbuilder.org
This program is free software which we release under the GNU General Public
License. You may redistribute and/or modify this program under the terms
@ -64,57 +62,6 @@ string OSConfigurator_bsd::printKernelVarsCommands()
return "";
}
string OSConfigurator_bsd::updateAddressesOfInterfaceCall(
Interface *iface, list<pair<InetAddr,InetAddr> > all_addresses)
{
QStringList arg1;
arg1.push_back(iface->getName().c_str());
for (list<pair<InetAddr,InetAddr> >::iterator j = all_addresses.begin();
j != all_addresses.end(); ++j)
{
InetAddr ipaddr = j->first;
InetAddr ipnetm = j->second;
if (ipaddr.isV6())
arg1.push_back(QString("%1/%2").arg(ipaddr.toString().c_str())
.arg(ipnetm.getLength()));
else
{
/*
on OpenBSD ifconfig prints netmask of ipv4 addresses in hex
# ifconfig em0
em0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
lladdr 00:0c:29:83:4d:2f
media: Ethernet autoselect (1000baseT full-duplex,master)
status: active
inet 10.1.1.50 netmask 0xffffff00 broadcast 10.1.1.255
inet6 fe80::20c:29ff:fe83:4d2f%em0 prefixlen 64 scopeid 0x2
*/
int nbits = ipnetm.getLength();
uint32_t netm = 0;
while (nbits)
{
netm = netm >> 1;
netm |= 1<<31;
nbits--;
}
arg1.push_back(QString("%1/0x%2")
.arg(ipaddr.toString().c_str())
.arg(netm, -8, 16));
}
}
return string("update_addresses_of_interface ") +
"\"" +
arg1.join(" ").toStdString() +
"\"" +
" \"\"";
}
void OSConfigurator_bsd::addVirtualAddressForNAT(const Network*)
{
}
@ -212,291 +159,6 @@ string OSConfigurator_bsd::printFunctions()
return ostr.str();
}
/*
* We need to sort interfaces by name but make sure carp interfaces
* are always last. See #1807
*/
bool compare_names(FWObject *a, FWObject *b)
{
QString a_name = QString(a->getName().c_str());
QString b_name = QString(b->getName().c_str());
if (a_name.startsWith("carp") && b_name.startsWith("carp")) return a_name < b_name;
if (a_name.startsWith("carp")) return false;
if (b_name.startsWith("carp")) return true;
return a_name < b_name;
}
string OSConfigurator_bsd::configureInterfaces()
{
ostringstream ostr;
FWOptions* options = fw->getOptionsObject();
// Update vlans first because we may need to update ip addresses
// on vlan interfaces later
if ( options->getBool("configure_vlan_interfaces") )
{
QStringList vlan_interfaces;
ostringstream vlan_output;
// http://blog.scottlowe.org/2007/08/31/vlan-interfaces-with-openbsd-41/
// ifconfig <VLAN interface name> vlan <VLAN ID> vlandev <physical network device>
FWObjectTypedChildIterator i=fw->findByType(Interface::TYPENAME);
for ( ; i!=i.end(); ++i )
{
Interface *iface = Interface::cast(*i);
assert(iface);
vlan_output << "update_vlans_of_interface "
<< "\"" << iface->getName() << " ";
FWObjectTypedChildIterator si=iface->findByType(Interface::TYPENAME);
for ( ; si!=si.end(); ++si )
{
Interface *subinterface = Interface::cast(*si);
assert(subinterface);
if (subinterface->getOptionsObject()->getStr("type") == "8021q")
{
vlan_interfaces.push_back(subinterface->getName().c_str());
vlan_output << subinterface->getName() << " ";
}
}
vlan_output << "\"" << endl;
}
ostr << "sync_vlan_interfaces "
<< vlan_interfaces.join(" ").toStdString()
<< endl;
if (vlan_interfaces.size() > 0)
{
ostr << vlan_output.str() << endl;
}
}
if ( options->getBool("configure_carp_interfaces") )
{
/*
* Compiler::processFailoverGroup copies interfaces of the cluster to
* the member firewall objects. This means when we scan interfaces of
* the firewall here, we get both its normal interfaces and a copy of
* cluster interfaces.
*
*/
ostringstream carp_output;
QStringList carp_interfaces;
FWObjectTypedChildIterator i=fw->findByType(Interface::TYPENAME);
for ( ; i!=i.end(); ++i )
{
Interface *iface = Interface::cast(*i);
assert(iface);
if ( ! iface->isFailoverInterface()) continue;
// failover_master and base_device are set in Compiler::processFailoverGroup
FWOptions *ifopt = (Interface::cast(iface))->getOptionsObject();
assert(ifopt != NULL);
bool master = ifopt->getBool("failover_master");
string base_interface = ifopt->getStr("base_device");
FWObject *failover_group =
iface->getFirstByType(FailoverClusterGroup::TYPENAME);
if (failover_group && failover_group->getStr("type") == "carp")
{
carp_interfaces.push_back(iface->getName().c_str());
FWOptions *failover_opts =
FailoverClusterGroup::cast(failover_group)->getOptionsObject();
string carp_password = failover_opts->getStr("carp_password");
if (carp_password.empty()) carp_password = "\"\"";
string vhid = failover_opts->getStr("carp_vhid");
int advbase = failover_opts->getInt("carp_advbase");
int master_advskew = failover_opts->getInt("carp_master_advskew");
int default_advskew = failover_opts->getInt("carp_default_advskew");
if (master_advskew < 0) master_advskew = 0;
if (default_advskew < 0) default_advskew = 0;
if (master_advskew == default_advskew) default_advskew++;
int use_advskew;
if (master)
use_advskew = master_advskew;
else
use_advskew = default_advskew;
Configlet configlet(fw, "bsd", "carp_interface");
configlet.removeComments();
configlet.collapseEmptyStrings(true);
configlet.setVariable("carp_interface", iface->getName().c_str());
configlet.setVariable("have_advbase", advbase > 1);
configlet.setVariable("advbase", advbase);
configlet.setVariable("have_advskew", use_advskew > 0);
configlet.setVariable("advskew", use_advskew);
configlet.setVariable("have_base_inetrface", !base_interface.empty());
configlet.setVariable("base_inetrface", base_interface.c_str());
configlet.setVariable("carp_password", carp_password.c_str());
configlet.setVariable("vhid", vhid.c_str());
carp_output << configlet.expand().toStdString() << endl;
}
}
ostr << "sync_carp_interfaces "
<< carp_interfaces.join(" ").toStdString()
<< endl;
if (carp_interfaces.size() > 0)
{
ostr << carp_output.str() << endl;
}
}
if ( options->getBool("configure_interfaces") )
{
ostr << endl;
std::auto_ptr<interfaceProperties> int_prop(
interfacePropertiesObjectFactory::getInterfacePropertiesObject(
fw->getStr("host_OS")));
list<FWObject*> all_interfaces = fw->getByTypeDeep(Interface::TYPENAME);
all_interfaces.sort(compare_names);
for (list<FWObject*>::iterator i=all_interfaces.begin();
i != all_interfaces.end(); ++i )
{
Interface *iface = Interface::cast(*i);
assert(iface);
if (!iface->isRegular()) continue;
//if (iface->isFailoverInterface()) continue;
QStringList update_addresses;
QStringList ignore_addresses;
if (int_prop->manageIpAddresses(iface, update_addresses, ignore_addresses))
{
// unfortunately addresses in update_addresses are in
// the form of address/masklen but OpenBSD ifconfig
// uses hex netmask representation and so should we.
// Will ignore update_addresses and ignore_addresses and
// build our own list here. Returned value of manageIpAddresses()
// is useful though.
list<FWObject*> all_addr = iface->getByType(IPv4::TYPENAME);
list<FWObject*> all_ipv6 = iface->getByType(IPv6::TYPENAME);
all_addr.insert(all_addr.begin(), all_ipv6.begin(), all_ipv6.end());
const InetAddr *netmask = iface->getNetmaskPtr();
list<pair<InetAddr,InetAddr> > all_addresses;
for (list<FWObject*>::iterator j = all_addr.begin();
j != all_addr.end(); ++j)
{
Address *iaddr = Address::cast(*j);
const InetAddr *ipaddr = iaddr->getAddressPtr();
const InetAddr *ipnetm = iaddr->getNetmaskPtr();
all_addresses.push_back(
pair<InetAddr,InetAddr>(*ipaddr, *ipnetm));
}
set<const Address*>::iterator it;
for (it=virtual_addresses.begin(); it!=virtual_addresses.end(); ++it)
{
const Address *addr = *it;
FWObject *iaddr = findAddressFor(addr, fw );
if (iaddr!=NULL)
{
Interface *iface_2 = Interface::cast(iaddr->getParent());
if (iface_2 == iface)
{
all_addresses.push_back(
pair<InetAddr,InetAddr>(
*(addr->getAddressPtr()), *netmask));
}
}
}
ostr << updateAddressesOfInterfaceCall(iface, all_addresses) << endl;
}
}
ostr << endl;
}
if ( options->getBool("configure_pfsync_interfaces") )
{
bool have_pfsync_interfaces = false;
ostringstream pfsync_output;
/*
* http://www.kernel-panic.it/openbsd/carp/index.html
* http://www.openbsd.org/faq/pf/carp.html
* pfsync configuration:
*
* ifconfig pfsyncN syncdev syncdev [syncpeer syncpeer]
*/
FWObjectTypedChildIterator i=fw->findByType(Interface::TYPENAME);
for ( ; i!=i.end(); ++i)
{
Interface *iface = Interface::cast(*i);
assert(iface);
if ( ! iface->getOptionsObject()->getBool("state_sync_group_member"))
continue;
int state_sync_group_id = FWObjectDatabase::getIntId(
iface->getOptionsObject()->getStr("state_sync_group_id"));
StateSyncClusterGroup *state_sync_group =
StateSyncClusterGroup::cast(dbcopy->findInIndex(state_sync_group_id));
assert(state_sync_group!=NULL);
// Interface can be state sync group member, but of a different type
if (state_sync_group->getStr("type") != "pfsync") continue;
have_pfsync_interfaces = true;
Configlet configlet(fw, "bsd", "pfsync_interface");
configlet.removeComments();
configlet.collapseEmptyStrings(true);
configlet.setVariable("syncdev", iface->getName().c_str());
if (state_sync_group->getOptionsObject()->getBool("syncpeer"))
{
for (FWObjectTypedChildIterator it =
state_sync_group->findByType(FWObjectReference::TYPENAME);
it != it.end(); ++it)
{
Interface *cluster_iface = Interface::cast(
FWObjectReference::getObject(*it));
assert(cluster_iface);
if (cluster_iface->getId() == iface->getId()) continue;
IPv4 *ipv4 = IPv4::cast(cluster_iface->getFirstByType(IPv4::TYPENAME));
const InetAddr *addr = ipv4->getAddressPtr();
configlet.setVariable("have_syncpeer", 1);
configlet.setVariable("syncpeer", addr->toString().c_str());
}
}
pfsync_output << configlet.expand().toStdString() << endl;
break;
}
ostr << "sync_pfsync_interfaces ";
if (have_pfsync_interfaces) ostr << "pfsync0" << endl;
else ostr << endl;
if (have_pfsync_interfaces)
{
ostr << pfsync_output.str() << endl;
}
}
return ostr.str();
}
void OSConfigurator_bsd::setKernelVariable(Firewall *fw,
const string &var_name,
Configlet *configlet)
@ -512,4 +174,3 @@ void OSConfigurator_bsd::setKernelVariable(Firewall *fw,
}
}


@ -32,25 +32,61 @@
#include <set>
#include <QString>
#include <QStringList>
class Configlet;
namespace libfwbuilder
{
class Firewall;
class Interface;
class StateSyncClusterGroup;
}
namespace fwcompiler {
namespace fwcompiler
{
class OSConfigurator_bsd : public OSConfigurator {
class OSConfigurator_bsd : public OSConfigurator
{
protected:
std::set<const libfwbuilder::Address*> virtual_addresses;
void setKernelVariable(libfwbuilder::Firewall *fw,
const std::string &var_name,
Configlet *configlet);
std::string updateAddressesOfInterfaceCall(
virtual void setKernelVariable(libfwbuilder::Firewall *fw,
const std::string &var_name,
Configlet *configlet);
// functions that generate interface address configuration
virtual QString listAllInterfacesConfigLine(QStringList intf_names,
bool ipv6);
virtual QString updateAddressesOfInterface(
libfwbuilder::Interface *iface,
std::list<std::pair<libfwbuilder::InetAddr,libfwbuilder::InetAddr> > all_addresses);
std::list<std::pair<libfwbuilder::InetAddr,libfwbuilder::InetAddr> >
all_addresses);
// functions that generate VLAN configuration
virtual QString listAllVlansConfgLine(QStringList vlan_names);
virtual QString updateVlansOfInterface(
libfwbuilder::Interface *iface, QStringList vlan_names);
// functions that generate CARP interface configuration
virtual QString listAllCARPConfgLine(QStringList carp_names);
virtual QString updateCARPInterface(libfwbuilder::Interface *iface,
libfwbuilder::FWObject *failover_group);
virtual QString updateCARPInterfaceInternal(
libfwbuilder::Interface *iface,
libfwbuilder::FWObject *failover_group,
Configlet *configlet);
// functions that generate pfsync interface configuration
virtual QString listAllPfsyncConfgLine(bool have_pfsync);
virtual QString updatePfsyncInterface(
libfwbuilder::Interface *iface,
libfwbuilder::StateSyncClusterGroup *sync_group);
public:
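Review bot: The new virtual hooks are named inconsistently: `listAllInterfacesConfigLine` spells Config out while `listAllVlansConfgLine`, `listAllCARPConfgLine` and `listAllPfsyncConfgLine` use Confg, which reads as a typo and will be copied into every subclass override. Since the API is introduced in this commit, renaming now costs nothing: `virtual QString listAllVlansConfgLine(QStringList vlan_names);` → `virtual QString listAllVlansConfigLine(const QStringList &vlan_names);`, with the same change for the CARP and pfsync variants and their definitions in OSConfigurator_bsd_interfaces.cpp. Taking `QStringList` and the `std::list<std::pair<InetAddr,InetAddr> >` by value in the other signatures copies the containers on every call; `const &` is the idiomatic form when the callee only reads them, which is all the visible implementations do. The class declaration continues outside this hunk.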


@ -0,0 +1,470 @@
/*
Firewall Builder
Copyright (C) 2011 NetCitadel, LLC
Author: Vadim Kurland vadim@fwbuilder.org
This program is free software which we release under the GNU General Public
License. You may redistribute and/or modify this program under the terms
of that license as published by the Free Software Foundation; either
version 2 of the License, or (at your option) any later version.
This program is distributed in the hope that it will be useful,
but WITHOUT ANY WARRANTY; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
GNU General Public License for more details.
To get a copy of the GNU General Public License, write to the Free Software
Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
*/
#include <assert.h>
#include "Configlet.h"
#include "OSConfigurator_bsd.h"
#include "fwbuilder/Firewall.h"
#include "fwbuilder/FWOptions.h"
#include "fwbuilder/Interface.h"
#include "fwbuilder/IPv4.h"
#include "fwbuilder/IPv6.h"
#include "fwbuilder/FailoverClusterGroup.h"
#include "fwbuilder/StateSyncClusterGroup.h"
#include "interfaceProperties.h"
#include "interfacePropertiesObjectFactory.h"
#include <QTextStream>
#include <QString>
#include <algorithm>
#include <memory>
using namespace libfwbuilder;
using namespace fwcompiler;
using namespace std;
/*
* I need to sort interfaces by name but make sure carp interfaces are
* always last. See #1807
*/
bool compare_names(FWObject *a, FWObject *b)
{
QString a_name = QString(a->getName().c_str());
QString b_name = QString(b->getName().c_str());
if (a_name.startsWith("carp") && b_name.startsWith("carp"))
return a_name < b_name;
if (a_name.startsWith("carp")) return false;
if (b_name.startsWith("carp")) return true;
return a_name < b_name;
}
string OSConfigurator_bsd::configureInterfaces()
{
ostringstream ostr;
FWOptions* options = fw->getOptionsObject();
// Update vlans first because we may need to update ip addresses
// on vlan interfaces later
if ( options->getBool("configure_vlan_interfaces") )
{
QStringList vlan_interfaces; // all vlan interfaces
QStringList vlan_output;
// http://blog.scottlowe.org/2007/08/31/vlan-interfaces-with-openbsd-41/
// ifconfig <VLAN interface name> vlan <VLAN ID> vlandev <physical network device>
FWObjectTypedChildIterator i=fw->findByType(Interface::TYPENAME);
for ( ; i!=i.end(); ++i )
{
Interface *iface = Interface::cast(*i);
assert(iface);
QStringList vlan_subinterfaces;
FWObjectTypedChildIterator si=iface->findByType(Interface::TYPENAME);
for ( ; si!=si.end(); ++si )
{
Interface *subinterface = Interface::cast(*si);
assert(subinterface);
if (subinterface->getOptionsObject()->getStr("type") == "8021q")
{
vlan_subinterfaces << subinterface->getName().c_str();
vlan_interfaces << subinterface->getName().c_str();
}
}
if (vlan_subinterfaces.size() > 0)
vlan_output << updateVlansOfInterface(iface, vlan_subinterfaces);
}
// issue sync_vlan_interfaces command even if there are no vlans
// since it deletes them on the firewall if they exist
ostr << listAllVlansConfgLine(vlan_interfaces).toStdString()
<< endl;
if (vlan_output.size() > 0)
{
ostr << vlan_output.join("\n").toStdString()
<< endl;
}
}
if ( options->getBool("configure_carp_interfaces") )
{
/*
* Compiler::processFailoverGroup copies interfaces of the cluster to
* the member firewall objects. This means when we scan interfaces of
* the firewall here, we get both its normal interfaces and a copy of
* cluster interfaces.
*
*/
QStringList carp_output;
QStringList carp_interfaces;
FWObjectTypedChildIterator i=fw->findByType(Interface::TYPENAME);
for ( ; i!=i.end(); ++i )
{
Interface *iface = Interface::cast(*i);
assert(iface);
if ( ! iface->isFailoverInterface()) continue;
FWObject *failover_group =
iface->getFirstByType(FailoverClusterGroup::TYPENAME);
if (failover_group && failover_group->getStr("type") == "carp")
{
carp_interfaces << iface->getName().c_str();
carp_output << updateCARPInterface(iface, failover_group);
}
}
// issue "sync_carp_interfaces" call even when we have none, it will
// delete those that might exist on the firewall
ostr << listAllCARPConfgLine(carp_interfaces).toStdString()
<< endl;
if (carp_interfaces.size() > 0)
{
ostr << carp_output.join("\n").toStdString() << endl;
}
}
if ( options->getBool("configure_interfaces") )
{
ostr << endl;
std::auto_ptr<interfaceProperties> int_prop(
interfacePropertiesObjectFactory::getInterfacePropertiesObject(
fw->getStr("host_OS")));
list<FWObject*> all_interfaces = fw->getByTypeDeep(Interface::TYPENAME);
all_interfaces.sort(compare_names);
QStringList configure_intf_commands;
QStringList intf_names;
QStringList ipv6_names;
for (list<FWObject*>::iterator i=all_interfaces.begin();
i != all_interfaces.end(); ++i )
{
Interface *iface = Interface::cast(*i);
assert(iface);
if (!iface->isRegular()) continue;
//if (iface->isFailoverInterface()) continue;
QStringList update_addresses;
QStringList ignore_addresses;
if (int_prop->manageIpAddresses(iface, update_addresses, ignore_addresses))
{
// unfortunately addresses in update_addresses are in
// the form of address/masklen but OpenBSD ifconfig
// uses hex netmask representation and so should we.
// Will ignore update_addresses and ignore_addresses and
// build our own list here. Returned value of manageIpAddresses()
// is useful though.
list<FWObject*> all_addr = iface->getByType(IPv4::TYPENAME);
list<FWObject*> all_ipv6 = iface->getByType(IPv6::TYPENAME);
all_addr.insert(all_addr.begin(), all_ipv6.begin(), all_ipv6.end());
if (all_addr.size() > 0)
intf_names << iface->getName().c_str();
if (all_ipv6.size() > 0)
ipv6_names << iface->getName().c_str();
const InetAddr *netmask = iface->getNetmaskPtr();
list<pair<InetAddr,InetAddr> > all_addresses;
for (list<FWObject*>::iterator j = all_addr.begin();
j != all_addr.end(); ++j)
{
Address *iaddr = Address::cast(*j);
const InetAddr *ipaddr = iaddr->getAddressPtr();
const InetAddr *ipnetm = iaddr->getNetmaskPtr();
all_addresses.push_back(
pair<InetAddr,InetAddr>(*ipaddr, *ipnetm));
}
set<const Address*>::iterator it;
for (it=virtual_addresses.begin(); it!=virtual_addresses.end(); ++it)
{
const Address *addr = *it;
FWObject *iaddr = findAddressFor(addr, fw );
if (iaddr!=NULL)
{
Interface *iface_2 = Interface::cast(iaddr->getParent());
if (iface_2 == iface)
{
all_addresses.push_back(
pair<InetAddr,InetAddr>(
*(addr->getAddressPtr()), *netmask));
}
}
}
configure_intf_commands << updateAddressesOfInterface(
iface, all_addresses);
}
}
QString list_command;
list_command = listAllInterfacesConfigLine(ipv6_names, true);
if (!list_command.isEmpty())
configure_intf_commands.push_front(list_command);
list_command = listAllInterfacesConfigLine(intf_names, false);
if (!list_command.isEmpty())
configure_intf_commands.push_front(list_command);
ostr << configure_intf_commands.join("\n").toStdString();
ostr << endl;
}
if ( options->getBool("configure_pfsync_interfaces") )
{
bool have_pfsync_interfaces = false;
QStringList pfsync_output;
FWObjectTypedChildIterator i=fw->findByType(Interface::TYPENAME);
for ( ; i!=i.end(); ++i)
{
Interface *iface = Interface::cast(*i);
assert(iface);
if ( ! iface->getOptionsObject()->getBool("state_sync_group_member"))
continue;
int state_sync_group_id = FWObjectDatabase::getIntId(
iface->getOptionsObject()->getStr("state_sync_group_id"));
StateSyncClusterGroup *state_sync_group =
StateSyncClusterGroup::cast(dbcopy->findInIndex(state_sync_group_id));
assert(state_sync_group!=NULL);
// Interface can be state sync group member, but of a different type
if (state_sync_group->getStr("type") != "pfsync") continue;
have_pfsync_interfaces = true;
pfsync_output << updatePfsyncInterface(iface, state_sync_group);
break;
}
ostr << listAllPfsyncConfgLine(have_pfsync_interfaces).toStdString()
<< endl;
if (have_pfsync_interfaces)
{
ostr << pfsync_output.join("\n").toStdString()
<< endl;
}
}
return ostr.str();
}
QString OSConfigurator_bsd::listAllInterfacesConfigLine(QStringList , bool )
{
return "";
}
QString OSConfigurator_bsd::updateAddressesOfInterface(
Interface *iface, list<pair<InetAddr,InetAddr> > all_addresses)
{
QStringList arg1;
arg1.push_back(iface->getName().c_str());
for (list<pair<InetAddr,InetAddr> >::iterator j = all_addresses.begin();
j != all_addresses.end(); ++j)
{
InetAddr ipaddr = j->first;
InetAddr ipnetm = j->second;
if (ipaddr.isV6())
arg1.push_back(QString("%1/%2").arg(ipaddr.toString().c_str())
.arg(ipnetm.getLength()));
else
{
/*
on OpenBSD ifconfig prints netmask of ipv4 addresses in hex
# ifconfig em0
em0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
lladdr 00:0c:29:83:4d:2f
media: Ethernet autoselect (1000baseT full-duplex,master)
status: active
inet 10.1.1.50 netmask 0xffffff00 broadcast 10.1.1.255
inet6 fe80::20c:29ff:fe83:4d2f%em0 prefixlen 64 scopeid 0x2
*/
int nbits = ipnetm.getLength();
uint32_t netm = 0;
while (nbits)
{
netm = netm >> 1;
netm |= 1<<31;
nbits--;
}
arg1.push_back(QString("%1/0x%2")
.arg(ipaddr.toString().c_str())
.arg(netm, -8, 16));
}
}
return QString("update_addresses_of_interface ") +
"\"" + arg1.join(" ") + "\"" + " \"\"";
}
QString OSConfigurator_bsd::listAllVlansConfgLine(QStringList vlan_names)
{
return QString("sync_vlan_interfaces %1").arg(vlan_names.join(" "));
}
QString OSConfigurator_bsd::updateVlansOfInterface(Interface *iface,
QStringList vlan_names)
{
return QString("update_vlans_of_interface \"%1 %2\"")
.arg(iface->getName().c_str())
.arg(vlan_names.join(" "));
}
QString OSConfigurator_bsd::listAllCARPConfgLine(QStringList carp_names)
{
return QString("sync_carp_interfaces %1").arg(carp_names.join(" "));
}
QString OSConfigurator_bsd::updateCARPInterface(Interface *iface,
FWObject *failover_group)
{
Configlet configlet(fw, "bsd", "carp_interface");
return updateCARPInterfaceInternal(iface, failover_group, &configlet);
}
QString OSConfigurator_bsd::updateCARPInterfaceInternal(
Interface *iface, FWObject *failover_group, Configlet *configlet)
{
// failover_master and base_device are set in Compiler::processFailoverGroup
FWOptions *ifopt = (Interface::cast(iface))->getOptionsObject();
assert(ifopt != NULL);
bool master = ifopt->getBool("failover_master");
string base_interface = ifopt->getStr("base_device");
QStringList carp_interfaces;
carp_interfaces.push_back(iface->getName().c_str());
FWOptions *failover_opts =
FailoverClusterGroup::cast(failover_group)->getOptionsObject();
string carp_password = failover_opts->getStr("carp_password");
if (carp_password.empty()) carp_password = "\"\"";
string vhid = failover_opts->getStr("carp_vhid");
int advbase = failover_opts->getInt("carp_advbase");
int master_advskew = failover_opts->getInt("carp_master_advskew");
int default_advskew = failover_opts->getInt("carp_default_advskew");
if (master_advskew < 0) master_advskew = 0;
if (default_advskew < 0) default_advskew = 0;
if (master_advskew == default_advskew) default_advskew++;
int use_advskew;
if (master)
use_advskew = master_advskew;
else
use_advskew = default_advskew;
configlet->removeComments();
configlet->collapseEmptyStrings(true);
configlet->setVariable("carp_interface", iface->getName().c_str());
configlet->setVariable("have_advbase", advbase > 1);
configlet->setVariable("advbase", advbase);
configlet->setVariable("have_advskew", use_advskew > 0);
configlet->setVariable("advskew", use_advskew);
configlet->setVariable("have_base_inetrface", !base_interface.empty());
configlet->setVariable("base_inetrface", base_interface.c_str());
configlet->setVariable("carp_password", carp_password.c_str());
configlet->setVariable("vhid", vhid.c_str());
return configlet->expand();
}
QString OSConfigurator_bsd::listAllPfsyncConfgLine(bool have_pfsync)
{
return QString("sync_pfsync_interfaces %1").arg(have_pfsync?"pfsync0":"");
}
/*
* http://www.kernel-panic.it/openbsd/carp/index.html
* http://www.openbsd.org/faq/pf/carp.html
* pfsync configuration:
*
* ifconfig pfsyncN syncdev syncdev [syncpeer syncpeer]
*/
QString OSConfigurator_bsd::updatePfsyncInterface(
Interface *iface, StateSyncClusterGroup *state_sync_group)
{
Configlet configlet(fw, "bsd", "pfsync_interface");
configlet.removeComments();
configlet.collapseEmptyStrings(true);
configlet.setVariable("syncdev", iface->getName().c_str());
if (state_sync_group->getOptionsObject()->getBool("syncpeer"))
{
for (FWObjectTypedChildIterator it =
state_sync_group->findByType(FWObjectReference::TYPENAME);
it != it.end(); ++it)
{
Interface *cluster_iface = Interface::cast(
FWObjectReference::getObject(*it));
assert(cluster_iface);
if (cluster_iface->getId() == iface->getId()) continue;
IPv4 *ipv4 = IPv4::cast(cluster_iface->getFirstByType(IPv4::TYPENAME));
const InetAddr *addr = ipv4->getAddressPtr();
configlet.setVariable("have_syncpeer", 1);
configlet.setVariable("syncpeer", addr->toString().c_str());
}
}
return configlet.expand();
}


@ -2,11 +2,9 @@
Firewall Builder
Copyright (C) 2002 NetCitadel, LLC
Copyright (C) 2002-2011 NetCitadel, LLC
Author: Vadim Kurland vadim@vk.crocodile.org
$Id$
Author: Vadim Kurland vadim@fwbuilder.org
This program is free software which we release under the GNU General Public
License. You may redistribute and/or modify this program under the terms
@ -27,15 +25,19 @@
#include "OSConfigurator_freebsd.h"
#include "Configlet.h"
#include "interfaceProperties.h"
#include "interfacePropertiesObjectFactory.h"
#include "fwbuilder/Firewall.h"
#include "fwbuilder/FWOptions.h"
#include "fwbuilder/Interface.h"
#include "fwbuilder/IPv4.h"
#include "fwbuilder/FailoverClusterGroup.h"
#include "fwbuilder/StateSyncClusterGroup.h"
#include <algorithm>
#include <functional>
#include <iostream>
#include <memory>
using namespace libfwbuilder;
using namespace fwcompiler;
@ -45,13 +47,45 @@ string OSConfigurator_freebsd::myPlatformName() { return "FreeBSD"; }
string OSConfigurator_freebsd::printKernelVarsCommands()
{
Configlet kernel_vars(fw, "bsd", "kernel_vars");
kernel_vars.removeComments();
setKernelVariable(fw, "freebsd_ip_forward", &kernel_vars);
setKernelVariable(fw, "freebsd_ipv6_forward", &kernel_vars);
setKernelVariable(fw, "freebsd_ip_sourceroute", &kernel_vars);
setKernelVariable(fw, "freebsd_ip_redirect", &kernel_vars);
return kernel_vars.expand().toStdString();
FWOptions* options = fw->getOptionsObject();
std::auto_ptr<Configlet> kernel_vars;
if (options->getBool("generate_rc_conf_file"))
{
kernel_vars = std::auto_ptr<Configlet>(
new Configlet(fw, "freebsd", "rc_conf_kernel_vars"));
} else
{
kernel_vars = std::auto_ptr<Configlet>(
new Configlet(fw, "bsd", "kernel_vars"));
}
kernel_vars->removeComments();
setKernelVariable(fw, "freebsd_ip_forward", kernel_vars.get());
setKernelVariable(fw, "freebsd_ipv6_forward", kernel_vars.get());
setKernelVariable(fw, "freebsd_ip_sourceroute", kernel_vars.get());
//setKernelVariable(fw, "freebsd_ip_redirect", kernel_vars.get());
return kernel_vars->expand().toStdString();
}
void OSConfigurator_freebsd::setKernelVariable(Firewall *fw,
const string &var_name,
Configlet *configlet)
{
FWOptions* options = fw->getOptionsObject();
if (options->getBool("generate_rc_conf_file"))
{
string s;
s = options->getStr(var_name);
if (!s.empty())
{
configlet->setVariable(QString("have_") + var_name.c_str(), 1);
string yesno = (s=="1" || s=="on" || s=="On") ? "YES" : "NO";
configlet->setVariable(QString(var_name.c_str()),
QString(yesno.c_str()));
}
} else
OSConfigurator_bsd::setKernelVariable(fw, var_name, configlet);
}
int OSConfigurator_freebsd::prolog()
@ -66,4 +100,272 @@ int OSConfigurator_freebsd::prolog()
return 0;
}
QString OSConfigurator_freebsd::listAllInterfacesConfigLine(QStringList names,
bool ipv6)
{
FWOptions* options = fw->getOptionsObject();
if (options->getBool("generate_rc_conf_file"))
{
if (ipv6)
{
return "ipv6_network_interfaces=\"" + names.join(" ") + "\"";
} else
{
return "network_interfaces=\"" + names.join(" ") + "\"";
}
} else
return "";
}
QString OSConfigurator_freebsd::updateAddressesOfInterface(
Interface *iface, list<pair<InetAddr,InetAddr> > all_addresses)
{
FWOptions* options = fw->getOptionsObject();
if (options->getBool("generate_rc_conf_file"))
{
/*
* lines in rc.conf have the following format:
*
* network_interfaces="ed0 ed1 lo0"
* ifconfig_ed0="inet 192.0.2.1 netmask 0xffffff00"
* ipv4_addrs_ed0="192.0.2.129/27 192.0.2.1-5/28"
*
*/
QString interface_name = iface->getName().c_str();
QStringList addr_conf;
int ipv4_alias_counter = -2;
int ipv6_alias_counter = -2;
for (list<pair<InetAddr,InetAddr> >::iterator j = all_addresses.begin();
j != all_addresses.end(); ++j)
{
QString ipv4_conf_line;
QString ipv6_conf_line;
InetAddr ipaddr = j->first;
InetAddr ipnetm = j->second;
if (ipaddr.isV6())
{
ipv6_conf_line +=
QString("%1/%2")
.arg(ipaddr.toString().c_str())
.arg(ipnetm.getLength());
ipv6_alias_counter++;
} else
{
int nbits = ipnetm.getLength();
uint32_t netm = 0;
while (nbits)
{
netm = netm >> 1;
netm |= 1<<31;
nbits--;
}
ipv4_conf_line +=
QString("inet %1 netmask 0x%2")
.arg(ipaddr.toString().c_str())
.arg(netm, -8, 16);
ipv4_alias_counter++;
}
if (!ipv4_conf_line.isEmpty())
{
QString suffix;
if (ipv4_alias_counter>=0)
suffix = QString("_alias%1").arg(ipv4_alias_counter);
addr_conf << QString("ifconfig_%1%2=\"%3\"")
.arg(interface_name)
.arg(suffix)
.arg(ipv4_conf_line);
}
if (!ipv6_conf_line.isEmpty())
{
QString suffix;
if (ipv6_alias_counter>=0)
suffix = QString("_alias%1").arg(ipv6_alias_counter);
addr_conf << QString("ipv6_ifconfig_%1%2=\"%3\"")
.arg(interface_name)
.arg(suffix)
.arg(ipv6_conf_line);
}
}
return addr_conf.join("\n");
} else
return OSConfigurator_bsd::updateAddressesOfInterface(iface, all_addresses);
}
QString OSConfigurator_freebsd::listAllVlansConfgLine(QStringList vlan_names)
{
FWOptions* options = fw->getOptionsObject();
if (options->getBool("generate_rc_conf_file"))
{
return "";
} else
return QString("sync_vlan_interfaces %1").arg(vlan_names.join(" "));
}
/*
For rc.conf format:
If a vlans_<interface> variable is set, a vlan(4) interface
will be created for each item in the list with the vlandev
argument set to interface. If a vlan interface's name is a
number, then that number is used as the vlan tag and the new
vlan interface is named interface.tag. Otherwise, the vlan
tag must be specified via a vlan parameter in the
create_args_<interface> variable.
To create a vlan device named em0.101 on em0 with the vlan
tag 101:
vlans_em0="101"
To create a vlan device named myvlan on em0 with the vlan tag
102:
vlans_em0="myvlan"
create_args_myvlan="vlan 102"
*/
QString OSConfigurator_freebsd::updateVlansOfInterface(Interface *iface,
QStringList vlan_names)
{
FWOptions* options = fw->getOptionsObject();
if (options->getBool("generate_rc_conf_file"))
{
QStringList outp;
outp << QString("vlans_%1=\"%2\"").arg(iface->getName().c_str())
.arg(vlan_names.join(" "));
foreach(QString vlan_intf_name, vlan_names)
{
std::auto_ptr<interfaceProperties> int_prop(
interfacePropertiesObjectFactory::getInterfacePropertiesObject(
fw->getStr("host_OS")));
QString parent_name_from_regex;
int vlan_id;
if (int_prop->parseVlan(vlan_intf_name,
&parent_name_from_regex, &vlan_id))
{
outp << QString("create_args_%1=\"vlan %2\"")
.arg(vlan_intf_name).arg(vlan_id);
}
}
return outp.join("\n");
} else
return QString("update_vlans_of_interface \"%1 %2\"")
.arg(iface->getName().c_str())
.arg(vlan_names.join(" "));
}
QString OSConfigurator_freebsd::listAllCARPConfgLine(QStringList carp_names)
{
FWOptions* options = fw->getOptionsObject();
if (options->getBool("generate_rc_conf_file"))
{
return QString("cloned_interfaces=\"%1\"").arg(carp_names.join(" "));;
} else
return OSConfigurator_bsd::listAllCARPConfgLine(carp_names);
}
QString OSConfigurator_freebsd::updateCARPInterface(Interface *iface,
FWObject *failover_group)
{
FWOptions* options = fw->getOptionsObject();
if (options->getBool("generate_rc_conf_file"))
{
Configlet configlet(fw, "freebsd", "rc_conf_carp_interface");
return updateCARPInterfaceInternal(iface, failover_group, &configlet);
} else
return OSConfigurator_bsd::updateCARPInterface(iface, failover_group);
}
QString OSConfigurator_freebsd::listAllPfsyncConfgLine(bool have_pfsync)
{
FWOptions* options = fw->getOptionsObject();
if (options->getBool("generate_rc_conf_file"))
{
return "pfsync_enable=\"YES\"";
} else
return OSConfigurator_bsd::listAllPfsyncConfgLine(have_pfsync);
}
/*
in rc.conf format:
pfsync_enable
(bool) Set to ``NO'' by default. Setting this to ``YES''
enables exposing pf(4) state changes to other hosts over the
network by means of pfsync(4). The pfsync_syncdev variable
must also be set then.
pfsync_syncdev
(str) Empty by default. This variable specifies the name of
the network interface pfsync(4) should operate through. It
must be set accordingly if pfsync_enable is set to ``YES''.
pfsync_syncpeer
(str) Empty by default. This variable is optional. By
default, state change messages are sent out on the synchroni-
sation interface using IP multicast packets. The protocol is
IP protocol 240, PFSYNC, and the multicast group used is
224.0.0.240. When a peer address is specified using the
pfsync_syncpeer option, the peer address is used as a desti-
nation for the pfsync traffic, and the traffic can then be
protected using ipsec(4). See the pfsync(4) manpage for more
details about using ipsec(4) with pfsync(4) interfaces.
pfsync_ifconfig
(str) Empty by default. This variable can contain additional
options to be passed to the ifconfig(8) command used to set
up pfsync(4).
*/
QString OSConfigurator_freebsd::updatePfsyncInterface(
Interface *iface, StateSyncClusterGroup *state_sync_group)
{
FWOptions* options = fw->getOptionsObject();
if (options->getBool("generate_rc_conf_file"))
{
Configlet configlet(fw, "freebsd", "rc_conf_pfsync_interface");
configlet.removeComments();
configlet.collapseEmptyStrings(true);
configlet.setVariable("syncdev", iface->getName().c_str());
if (state_sync_group->getOptionsObject()->getBool("syncpeer"))
{
for (FWObjectTypedChildIterator it =
state_sync_group->findByType(FWObjectReference::TYPENAME);
it != it.end(); ++it)
{
Interface *cluster_iface = Interface::cast(
FWObjectReference::getObject(*it));
assert(cluster_iface);
if (cluster_iface->getId() == iface->getId()) continue;
IPv4 *ipv4 = IPv4::cast(cluster_iface->getFirstByType(IPv4::TYPENAME));
const InetAddr *addr = ipv4->getAddressPtr();
configlet.setVariable("have_syncpeer", 1);
configlet.setVariable("syncpeer", addr->toString().c_str());
}
}
return configlet.expand();
} else
return OSConfigurator_bsd::updatePfsyncInterface(iface, state_sync_group);
}


@ -31,10 +31,41 @@
#include "OSConfigurator_bsd.h"
#include "OSData.h"
namespace fwcompiler {
namespace fwcompiler
{
class OSConfigurator_freebsd : public OSConfigurator_bsd {
class OSConfigurator_freebsd : public OSConfigurator_bsd
{
virtual void setKernelVariable(libfwbuilder::Firewall *fw,
const std::string &var_name,
Configlet *configlet);
virtual QString listAllInterfacesConfigLine(QStringList intf_names,
bool ipv6);
virtual QString updateAddressesOfInterface(
libfwbuilder::Interface *iface,
std::list<std::pair<libfwbuilder::InetAddr,libfwbuilder::InetAddr> >
all_addresses);
virtual QString listAllVlansConfgLine(QStringList vlan_names);
virtual QString updateVlansOfInterface(
libfwbuilder::Interface *iface, QStringList vlan_names);
// functions that generate CARP interface configuration
virtual QString listAllCARPConfgLine(QStringList carp_names);
virtual QString updateCARPInterface(libfwbuilder::Interface *iface,
libfwbuilder::FWObject *failover_group);
// functions that generate pfsync interface configuration
virtual QString listAllPfsyncConfgLine(bool have_pfsync);
virtual QString updatePfsyncInterface(
libfwbuilder::Interface *iface,
libfwbuilder::StateSyncClusterGroup *sync_group);
public:
virtual ~OSConfigurator_freebsd() {};
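Review bot: None of the new overrides declared here says that its behaviour is keyed on the firewall option generate_rc_conf_file, so a reader of the header cannot tell them apart from the OSConfigurator_bsd versions they replace. A one-line comment above the first override, `// When the firewall option "generate_rc_conf_file" is set these overrides emit rc.conf variable=value lines; otherwise they defer to OSConfigurator_bsd (shell function calls)`, would document the contract that every one of them follows in OSConfigurator_freebsd.cpp. The overrides are also placed in the private section before `public:`, which works for virtual dispatch but deserves a comment if it is deliberate. The class body continues past the end of this hunk.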


@ -31,9 +31,11 @@
#include "OSConfigurator_bsd.h"
#include "OSData.h"
namespace fwcompiler {
namespace fwcompiler
{
class OSConfigurator_macosx : public OSConfigurator_bsd {
class OSConfigurator_macosx : public OSConfigurator_bsd
{
public:


@ -31,9 +31,11 @@
#include "OSConfigurator_bsd.h"
#include "OSData.h"
namespace fwcompiler {
namespace fwcompiler
{
class OSConfigurator_openbsd : public OSConfigurator_bsd {
class OSConfigurator_openbsd : public OSConfigurator_bsd
{
public:


@ -129,7 +129,3 @@ string OSConfigurator_solaris::configureInterfaces()
return ostr.str();
}


@ -43,11 +43,13 @@
* generic name, something like OSConfigurator_generic_pf_ipf_family
*/
namespace fwcompiler {
namespace fwcompiler
{
class OSConfigurator_solaris : public OSConfigurator_bsd {
class OSConfigurator_solaris : public OSConfigurator_bsd
{
OSData os_data;
OSData os_data;
std::vector<libfwbuilder::InetAddr> virtual_addresses;


@ -14,6 +14,7 @@ SOURCES = TableFactory.cpp \
NATCompiler_pf_negation.cpp \
NATCompiler_pf_writers.cpp \
OSConfigurator_bsd.cpp \
OSConfigurator_bsd_interfaces.cpp \
OSConfigurator_freebsd.cpp \
OSConfigurator_macosx.cpp \
OSConfigurator_openbsd.cpp \


@ -0,0 +1,22 @@
## -*- mode: shell-script; -*-
##
## Lines that start with "##" will be removed before this code is
## added to the generated script. Regular shell comments can be added
## using single "#", these will appear in the script.
##
##
## CARP
## ifconfig carp-interface [advbase n] [advskew n] [carpdev iface]
## [pass passphrase] [state state] [vhid host-id]
##
## for pfsync and CARP see http://www.kernel-panic.it/openbsd/carp/
## "Redundant firewalls with OpenBSD, CARP and pfsync"
##
## here is how to configure CARP interfaces in rc.conf
##
## http://blas.phemo.us/articles/2007/04/04/setting-up-and-configuring-carp-interfaces-on-freebsd
ifconfig_{{$carp_interface}}="vhid {{$vhid}} pass {{$carp_password}} {{if have_advbase}} advbase {{$advbase}}{{endif}} {{if have_advskew}} advskew {{$advskew}}{{endif}} {{if have_base_inetrface}} carpdev {{$base_inetrface}}{{endif}}"
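Review bot: `pass {{$carp_password}}` sits inside the double-quoted rc.conf value, and updateCARPInterfaceInternal substitutes the two-character string `""` when no passphrase is configured (intended for the shell-function configlet, where it is a separate empty argument), so an empty passphrase produces a line of the shape `ifconfig_carp0="vhid 1 pass "" advskew 100"` (constructed example), which sh reads as adjacent quoted strings so that the empty argument disappears and ifconfig sees `pass advskew 100`, or an unterminated quote when no further option follows. The rc.conf path should omit the keyword instead, e.g. `{{if have_carp_password}} pass {{$carp_password}}{{endif}}` with a `have_carp_password` flag set next to the existing have_advbase in updateCARPInterfaceInternal, and a passphrase containing `"`, `$` or a backtick would likewise be interpreted by sh when the file is sourced, so the value needs escaping for that context. The passphrase is also written to rc.conf in the clear, which is inherent to the format; a `##` note in this configlet saying so would help whoever maintains the generated file keep its permissions in mind.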


@ -0,0 +1,19 @@
## -*- mode: shell-script; -*-
##
## To be able to make changes to the part of configuration created
## from this configlet you need to copy this file to the directory
## fwbuilder/configlets/freebsd/ in your home directory and modify it.
## Double "##" comments are removed during processing but single "#"
## comments are be retained and appear in the generated script. Empty
## lines are removed as well.
##
## Configlets support simple macro language with these constructs:
## {{$var}} is variable expansion
## {{if var}} is conditional operator.
{{if have_freebsd_ip_forward}}gateway_enable="{{$freebsd_ip_forward}}"{{endif}}
{{if have_freebsd_ipv6_forward}}ipv6_gateway_enable="{{$freebsd_ipv6_forward}}"{{endif}}
{{if have_freebsd_ip_sourceroute}}forward_sourceroute="{{$freebsd_ip_sourceroute}}"{{endif}}
{{if have_freebsd_ip_sourceroute}}accept_sourceroute="{{$freebsd_ip_sourceroute}}"{{endif}}
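Review bot: There is no line for the freebsd_ip_redirect option, and the matching `setKernelVariable(fw, "freebsd_ip_redirect", kernel_vars.get());` call in OSConfigurator_freebsd::printKernelVarsCommands is commented out on both code paths, so the option is now silently ignored even when rc.conf generation is off, which looks like a regression for the shell-script output. If rc.conf offers no variable for that sysctl, the call should stay active on the non-rc.conf path and this configlet should carry a `## net.inet.ip.redirect has no rc.conf variable; it has to be set through sysctl.conf` note so the omission is visibly deliberate. Separately, both `forward_sourceroute` and `accept_sourceroute` are driven by the single freebsd_ip_sourceroute option, so enabling forwarding of source-routed packets also makes the host accept them; if the shell-script path sets only the forwarding sysctl, the two output formats differ in a security-relevant way and the second line deserves a comment explaining the choice.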


@ -0,0 +1,10 @@
## -*- mode: shell-script; -*-
##
## Lines that start with "##" will be removed before this code is
## added to the generated script. Regular shell comments can be added
## using single "#", these will appear in the script.
##
##
pfsync_syncdev="{{$syncdev}}"
{{if have_syncpeer}}pfsync_syncpeer="{{$syncpeer}}"{{endif}}


@ -0,0 +1,14 @@
## -*- mode: shell-script; -*-
##
## To be able to make changes to the part of configuration created
## from this configlet you need to copy this file to the directory
## fwbuilder/configlets/pf/ in your home directory and modify it.
## Double "##" comments are removed during processing but single "#"
## comments are be retained and appear in the generated script. Empty
## lines are removed as well.
##
## Configlets support simple macro language with these constructs:
## {{$var}} is variable expansion
## {{if var}} is conditional operator.
##
pf_rules="{{$remote_file}}"


@ -0,0 +1,32 @@
## -*- mode: shell-script; -*-
##
## To be able to make changes to the part of configuration created
## from this configlet you need to copy this file to the directory
## fwbuilder/configlets/pf/ in your home directory and modify it.
## Double "##" comments are removed during processing but single "#"
## comments are be retained and appear in the generated script. Empty
## lines are removed as well.
##
## Configlets support simple macro language with these constructs:
## {{$var}} is variable expansion
## {{if var}} is conditional operator.
##
## Parts of this configlets will be translated to variable=value syntax
## used by rc.conf files
##
{{$top_comment}}
{{$errors_and_warnings}}
{{$kernel_vars_commands}}
{{$prolog_script}}
{{$configure_interfaces}}
pf_enable="YES"
{{$activation_commands}}
{{$routing_script}}
{{$epilog_script}}
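Review bot: The placeholders `{{$prolog_script}}`, `{{$routing_script}}` and `{{$epilog_script}}` are substituted into a file that every rc.d script sources as shell, and the header comment only says that "parts" of this configlet are translated to variable=value syntax; if user-supplied prolog/epilog text or generated routing commands are inserted verbatim, they run as commands each time rc.conf is sourced (repeatedly during boot and on every service invocation) rather than once as in the shell-script output. The comment should state which placeholders are expected to be assignments and which are translated or dropped for this format, e.g. `## Only variable=value lines are valid here; prolog, routing and epilog scripts are <translated or dropped> by the rc.conf output path`, and the code that fills them should enforce whichever it is.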


@ -0,0 +1,12 @@
#
# This is automatically generated file. DO NOT MODIFY !
#
# Firewall Builder fwb_pf v{{$version}}
#
# Generated {{$timestamp}} {{$tz}} by {{$user}}
#
{{$manifest}}
#
# Compiled for {{$platform}} {{$fw_version}}
#
{{$comment}}


@ -238,7 +238,7 @@ void GeneratedScriptTest::ActivationCommandsTest_1()
{
objdb = new FWObjectDatabase();
QString res = Configlet::findConfigletInFile("activation", "ipf1.fw");
CPPUNIT_ASSERT(res.indexOf("$IPF -I -f ${FWDIR}/ipf1-ipf.conf") != -1);
CPPUNIT_ASSERT(res.indexOf("$IPF -I -f /etc/ipf1-ipf.conf") != -1);
delete objdb;
}
@ -246,7 +246,7 @@ void GeneratedScriptTest::ActivationCommandsTest_2()
{
objdb = new FWObjectDatabase();
QString res = Configlet::findConfigletInFile("activation", "ipf2-1.fw");
CPPUNIT_ASSERT(res.indexOf("$IPF -I -f ${FWDIR}/ipf2-1-ipf.conf") != -1);
CPPUNIT_ASSERT(res.indexOf("$IPF -I -f /etc/ipf2-1-ipf.conf") != -1);
delete objdb;
}
@ -254,7 +254,7 @@ void GeneratedScriptTest::ActivationCommandsTest_3()
{
objdb = new FWObjectDatabase();
QString res = Configlet::findConfigletInFile("activation", "ipf2-1");
CPPUNIT_ASSERT(res.indexOf("$IPF -I -f ${FWDIR}/ipf2-1-ipf.conf") != -1);
CPPUNIT_ASSERT(res.indexOf("$IPF -I -f /etc/ipf2-1-ipf.conf") != -1);
delete objdb;
}
@ -262,7 +262,7 @@ void GeneratedScriptTest::ActivationCommandsTest_4()
{
objdb = new FWObjectDatabase();
QString res = Configlet::findConfigletInFile("activation", "ipf2-1.fw");
CPPUNIT_ASSERT(res.indexOf("$IPF -I -f ${FWDIR}/ipf2-1-ipf.conf") != -1);
CPPUNIT_ASSERT(res.indexOf("$IPF -I -f /etc/ipf2-1-ipf.conf") != -1);
delete objdb;
}


@ -278,7 +278,7 @@ void GeneratedScriptTest::ActivationCommandsTest_1()
objdb = new FWObjectDatabase();
QString res = Configlet::findConfigletInFile("activation", "pf1.fw")
.split(QRegExp("\\s+")).join(" ");
CPPUNIT_ASSERT(res.indexOf("$PFCTL \\ -f \\ ${FWDIR}/pf1.conf") != -1);
CPPUNIT_ASSERT(res.indexOf("$PFCTL \\ -f \\ /etc/pf1.conf") != -1);
delete objdb;
}
@ -287,7 +287,7 @@ void GeneratedScriptTest::ActivationCommandsTest_2()
objdb = new FWObjectDatabase();
QString res = Configlet::findConfigletInFile("activation", "ipf2-1.fw")
.split(QRegExp("\\s+")).join(" ");
CPPUNIT_ASSERT(res.indexOf("$PFCTL \\ -f \\ ${FWDIR}/ipf2-1.conf") != -1);
CPPUNIT_ASSERT(res.indexOf("$PFCTL \\ -f \\ /etc/ipf2-1.conf") != -1);
delete objdb;
}
@ -296,7 +296,7 @@ void GeneratedScriptTest::ActivationCommandsTest_3()
objdb = new FWObjectDatabase();
QString res = Configlet::findConfigletInFile("activation", "ipf2-1.fw")
.split(QRegExp("\\s+")).join(" ");
CPPUNIT_ASSERT(res.indexOf("$PFCTL \\ -f \\ ${FWDIR}/ipf2-1.conf") != -1);
CPPUNIT_ASSERT(res.indexOf("$PFCTL \\ -f \\ /etc/ipf2-1.conf") != -1);
delete objdb;
}
@ -305,7 +305,7 @@ void GeneratedScriptTest::ActivationCommandsTest_4()
objdb = new FWObjectDatabase();
QString res = Configlet::findConfigletInFile("activation", "pf2-1.fw")
.split(QRegExp("\\s+")).join(" ");
CPPUNIT_ASSERT(res.indexOf("$PFCTL \\ -f \\ ${FWDIR}/ipf2-1.conf") != -1);
CPPUNIT_ASSERT(res.indexOf("$PFCTL \\ -f \\ /etc/ipf2-1.conf") != -1);
delete objdb;
}
@ -333,7 +333,7 @@ void GeneratedScriptTest::ActivationCommandsTest_8()
objdb = new FWObjectDatabase();
QString res = Configlet::findConfigletInFile("activation", "pf5.fw")
.split(QRegExp("\\s+")).join(" ");
CPPUNIT_ASSERT(res.indexOf("$PFCTL \\ -f \\ ${FWDIR}/pf5.conf") != -1);
CPPUNIT_ASSERT(res.indexOf("$PFCTL \\ -f \\ /etc/pf5.conf") != -1);
delete objdb;
}


@ -1,6 +1,6 @@
<?xml version="1.0" encoding="utf-8"?>
<!DOCTYPE FWObjectDatabase SYSTEM "fwbuilder.dtd">
<FWObjectDatabase xmlns="http://www.fwbuilder.org/1.0/" version="17" lastModified="1269892626" id="root">
<FWObjectDatabase xmlns="http://www.fwbuilder.org/1.0/" version="17" lastModified="1296692941" id="root">
<Library id="syslib000" color="#d4f8ff" name="Standard" comment="Standard objects" ro="True">
<AnyNetwork id="sysid0" name="Any" comment="Any Network" ro="False" address="0.0.0.0" netmask="0.0.0.0"/>
<AnyIPService id="sysid1" protocol_num="0" name="Any" comment="Any IP Service" ro="False"/>
@ -105,6 +105,7 @@
<CustomServiceCommand platform="ipfilter"></CustomServiceCommand>
<CustomServiceCommand platform="ipfw">established</CustomServiceCommand>
<CustomServiceCommand platform="iptables">-m state --state ESTABLISHED,RELATED</CustomServiceCommand>
<CustomServiceCommand platform="procurve_acl">established</CustomServiceCommand>
</CustomService>
<CustomService id="stdid14_2" name="ESTABLISHED ipv6" comment="This service matches all packets which are part of network connections established through the firewall, or connections 'related' to those established through the firewall. Term 'established' refers to the state tracking mechanism which exists inside iptables and other stateful firewalls and does not mean any particular combination of packet header options. Packet is considered to correspond to the state 'ESTABLISHED' if it belongs to the network session, for which proper initiation has been seen by the firewall, so its stateful inspection module made appropriate record in the state table. Usually stateful firewalls keep track of network connections using not only tcp protocol, but also udp and sometimes even icmp protocols. 'RELATED' describes packet belonging to a separate network connection, related to the session firewall is keeping track of. One example is FTP command and FTP data sessions." ro="False" protocol="any" address_family="ipv6">
<CustomServiceCommand platform="Undefined"></CustomServiceCommand>
@ -112,6 +113,7 @@
<CustomServiceCommand platform="ipfilter"></CustomServiceCommand>
<CustomServiceCommand platform="ipfw">established</CustomServiceCommand>
<CustomServiceCommand platform="iptables">-m state --state ESTABLISHED,RELATED</CustomServiceCommand>
<CustomServiceCommand platform="procurve_acl">established</CustomServiceCommand>
</CustomService>
<ServiceGroup id="stdid10" name="Groups" comment="" ro="False">
<ServiceGroup id="sg-DHCP" name="DHCP" comment="" ro="False">
@ -141,6 +143,12 @@
<ServiceRef ref="icmp-ping_reply"/>
<ServiceRef ref="icmp-Unreachables"/>
</ServiceGroup>
<ServiceGroup id="id1569X4889" name="Ipv6 unreachable messages" comment="" ro="False">
<ServiceRef ref="idE0D27650"/>
<ServiceRef ref="idCFE27650"/>
<ServiceRef ref="idE0B27650"/>
<ServiceRef ref="id1519Z388"/>
</ServiceGroup>
<ServiceGroup id="id3B4FEDD9" name="kerberos" comment="" ro="False">
<ServiceRef ref="id3B4FEDA5"/>
<ServiceRef ref="id3B4FEDA9"/>
@ -203,6 +211,7 @@
<ICMP6Service id="ipv6-icmp-neighbrsol" code="0" type="135" name="ipv6 neighbrsol" comment="IPv6 neighbor solicitation" ro="False"/>
<ICMP6Service id="ipv6-icmp-neighbradv" code="0" type="136" name="ipv6 neighbradv" comment="IPv6 neighbor advertisement" ro="False"/>
<ICMP6Service id="ipv6-icmp-redir" code="0" type="137" name="ipv6 redir" comment="IPv6 redirect: shorter route exists" ro="False"/>
<ICMP6Service id="id1519Z388" code="-1" type="4" name="ipv6 parameter problem" comment="IPv6 Parameter Problem: RFC4443" ro="False"/>
<ICMP6Service id="idCFE27650" code="0" type="3" name="ipv6 time exceeded" comment="Time exceeded in transit" ro="False"/>
<ICMP6Service id="idCFF27650" code="1" type="3" name="ipv6 time exceeded in reassembly" comment="Time exceeded in reassembly" ro="False"/>
<ICMP6Service id="idE0B27650" code="-1" type="2" name="ipv6 packet too big" comment="" ro="False"/>
@ -504,7 +513,7 @@
</Interface>
<Cluster id="id2366X75741" host_OS="secuwall" lastCompiled="1247150655" lastInstalled="0" lastModified="1242671896" platform="iptables" name="cluster1" comment="" ro="False">
<NAT id="id2370X75741" name="NAT" comment="" ro="False" ipv4_rule_set="False" ipv6_rule_set="False" top_rule_set="True">
<NATRule id="id4606X78273" disabled="False" position="0" action="Translate" comment="">
<NATRule id="id4606X78273" disabled="False" group="" position="0" action="Translate" comment="">
<OSrc neg="False">
<ObjectRef ref="id3DC75CE7-1"/>
</OSrc>
@ -528,7 +537,7 @@
<RuleSetOptions/>
</NAT>
<Policy id="id2369X75741" name="Policy" comment="" ro="False" ipv4_rule_set="False" ipv6_rule_set="False" top_rule_set="True">
<PolicyRule id="id2913X78273" disabled="False" log="True" position="0" action="Deny" direction="Inbound" comment="anti spoofing rule">
<PolicyRule id="id2913X78273" disabled="False" group="" log="True" position="0" action="Deny" direction="Inbound" comment="anti spoofing rule">
<Src neg="False">
<ObjectRef ref="id3DC75CE7-1"/>
</Src>
@ -546,7 +555,7 @@
</When>
<PolicyRuleOptions/>
</PolicyRule>
<PolicyRule id="id2896X78273" disabled="False" log="False" position="1" action="Accept" direction="Both" comment="">
<PolicyRule id="id2896X78273" disabled="False" group="" log="False" position="1" action="Accept" direction="Both" comment="">
<Src neg="False">
<ObjectRef ref="sysid0"/>
</Src>
@ -564,7 +573,7 @@
</When>
<PolicyRuleOptions/>
</PolicyRule>
<PolicyRule id="id2879X78273" disabled="False" log="False" position="2" action="Accept" direction="Both" comment="SSH Access to firewall is permitted&#10;only from internal network">
<PolicyRule id="id2879X78273" disabled="False" group="" log="False" position="2" action="Accept" direction="Both" comment="SSH Access to firewall is permitted&#10;only from internal network">
<Src neg="False">
<ObjectRef ref="id3DC75CE7-1"/>
</Src>
@ -582,7 +591,7 @@
</When>
<PolicyRuleOptions/>
</PolicyRule>
<PolicyRule id="id2862X78273" disabled="False" log="True" position="3" action="Accept" direction="Both" comment="Firewall uses one of the machines&#10;on internal network for DNS">
<PolicyRule id="id2862X78273" disabled="False" group="" log="True" position="3" action="Accept" direction="Both" comment="Firewall uses one of the machines&#10;on internal network for DNS">
<Src neg="False">
<ObjectRef ref="sysid0"/>
</Src>
@ -600,7 +609,7 @@
</When>
<PolicyRuleOptions/>
</PolicyRule>
<PolicyRule id="id2845X78273" disabled="False" log="True" position="4" action="Deny" direction="Both" comment="All other attempts to connect to&#10;the firewall are denied and logged">
<PolicyRule id="id2845X78273" disabled="False" group="" log="True" position="4" action="Deny" direction="Both" comment="All other attempts to connect to&#10;the firewall are denied and logged">
<Src neg="False">
<ObjectRef ref="sysid0"/>
</Src>
@ -618,7 +627,7 @@
</When>
<PolicyRuleOptions/>
</PolicyRule>
<PolicyRule id="id2828X78273" disabled="False" log="False" position="5" action="Accept" direction="Both" comment="">
<PolicyRule id="id2828X78273" disabled="False" group="" log="False" position="5" action="Accept" direction="Both" comment="">
<Src neg="False">
<ObjectRef ref="id3DC75CE7-1"/>
</Src>
@ -636,7 +645,7 @@
</When>
<PolicyRuleOptions/>
</PolicyRule>
<PolicyRule id="id2811X78273" disabled="False" log="True" position="6" action="Deny" direction="Both" comment="">
<PolicyRule id="id2811X78273" disabled="False" group="" log="True" position="6" action="Deny" direction="Both" comment="">
<Src neg="False">
<ObjectRef ref="sysid0"/>
</Src>
@ -694,7 +703,7 @@
</Cluster>
<Cluster id="id2772X94039" host_OS="linux24" inactive="False" lastCompiled="1247150656" lastInstalled="0" lastModified="1243709194" platform="iptables" name="linux_cluster_1" comment="" ro="False">
<NAT id="id2866X94039" name="NAT" comment="" ro="False" ipv4_rule_set="False" ipv6_rule_set="False" top_rule_set="True">
<NATRule id="id2867X94039" disabled="False" position="0" action="Translate" comment="">
<NATRule id="id2867X94039" disabled="False" group="" position="0" action="Translate" comment="">
<OSrc neg="False">
<ObjectRef ref="id3DC75CE7-1"/>
</OSrc>
@ -738,7 +747,7 @@
<Option name="stateless">False</Option>
</PolicyRuleOptions>
</PolicyRule>
<PolicyRule id="id2781X94039" disabled="False" log="True" position="1" action="Deny" direction="Inbound" comment="anti spoofing rule">
<PolicyRule id="id2781X94039" disabled="False" group="" log="True" position="1" action="Deny" direction="Inbound" comment="anti spoofing rule">
<Src neg="False">
<ObjectRef ref="id3DC75CE7-1"/>
</Src>
@ -756,7 +765,7 @@
</When>
<PolicyRuleOptions/>
</PolicyRule>
<PolicyRule id="id2794X94039" disabled="False" log="False" position="2" action="Accept" direction="Both" comment="">
<PolicyRule id="id2794X94039" disabled="False" group="" log="False" position="2" action="Accept" direction="Both" comment="">
<Src neg="False">
<ObjectRef ref="sysid0"/>
</Src>
@ -774,7 +783,7 @@
</When>
<PolicyRuleOptions/>
</PolicyRule>
<PolicyRule id="id2806X94039" disabled="False" log="False" position="3" action="Accept" direction="Both" comment="SSH Access to firewall is permitted&#10;only from internal network">
<PolicyRule id="id2806X94039" disabled="False" group="" log="False" position="3" action="Accept" direction="Both" comment="SSH Access to firewall is permitted&#10;only from internal network">
<Src neg="False">
<ObjectRef ref="id3DC75CE7-1"/>
</Src>
@ -810,7 +819,7 @@
</When>
<PolicyRuleOptions/>
</PolicyRule>
<PolicyRule id="id2818X94039" disabled="False" log="True" position="5" action="Accept" direction="Both" comment="Firewall uses one of the machines&#10;on internal network for DNS">
<PolicyRule id="id2818X94039" disabled="False" group="" log="True" position="5" action="Accept" direction="Both" comment="Firewall uses one of the machines&#10;on internal network for DNS">
<Src neg="False">
<ObjectRef ref="sysid0"/>
</Src>
@ -828,7 +837,7 @@
</When>
<PolicyRuleOptions/>
</PolicyRule>
<PolicyRule id="id2830X94039" disabled="False" log="True" position="6" action="Deny" direction="Both" comment="All other attempts to connect to&#10;the firewall are denied and logged">
<PolicyRule id="id2830X94039" disabled="False" group="" log="True" position="6" action="Deny" direction="Both" comment="All other attempts to connect to&#10;the firewall are denied and logged">
<Src neg="False">
<ObjectRef ref="sysid0"/>
</Src>
@ -870,7 +879,7 @@
<Option name="ulog_nlgroup">1</Option>
</PolicyRuleOptions>
</PolicyRule>
<PolicyRule id="id2842X94039" disabled="False" log="False" position="7" action="Accept" direction="Both" comment="">
<PolicyRule id="id2842X94039" disabled="False" group="" log="False" position="7" action="Accept" direction="Both" comment="">
<Src neg="False">
<ObjectRef ref="id3DC75CE7-1"/>
</Src>
@ -888,7 +897,7 @@
</When>
<PolicyRuleOptions/>
</PolicyRule>
<PolicyRule id="id2854X94039" disabled="False" log="True" position="8" action="Deny" direction="Both" comment="">
<PolicyRule id="id2854X94039" disabled="False" group="" log="True" position="8" action="Deny" direction="Both" comment="">
<Src neg="False">
<ObjectRef ref="sysid0"/>
</Src>
@ -1616,12 +1625,19 @@
<Interface id="id39617X50958" dedicated_failover="False" dyn="False" security_level="0" unnum="False" unprotected="False" name="Interface" comment="" ro="False">
<InterfaceOptions/>
</Interface>
<Interface id="id200602X1082" dedicated_failover="False" dyn="False" label="" security_level="0" unnum="False" unprotected="False" name="vlan0" comment="" ro="False">
<InterfaceOptions>
<Option name="type">8021q</Option>
<Option name="vlan_id">100</Option>
</InterfaceOptions>
</Interface>
<IPv4 id="id200734X1082" name="pf_cluster_4:carp0:ip-1" comment="" ro="False" address="172.24.0.1" netmask="255.255.255.0"/>
</Library>
<Library id="id1495X69605" color="#d2ffd0" name="User" comment="" ro="False">
<ObjectGroup id="id1502X69605" name="Clusters" comment="" ro="False">
<Cluster id="id3631X95766" host_OS="openbsd" inactive="False" lastCompiled="1248551815" lastInstalled="0" lastModified="1269718315" platform="pf" name="pf_cluster_1" comment=" " ro="False">
<NAT id="id3640X95766" name="NAT" comment="" ro="False" ipv4_rule_set="False" ipv6_rule_set="False" top_rule_set="True">
<NATRule id="id3162X39764" disabled="False" position="0" action="Translate" comment="">
<NATRule id="id3162X39764" disabled="False" group="" position="0" action="Translate" comment="">
<OSrc neg="False">
<ObjectRef ref="id3DC75CE7-1"/>
</OSrc>
@ -1933,7 +1949,7 @@
<Option name="stateless">False</Option>
</PolicyRuleOptions>
</PolicyRule>
<PolicyRule id="id5942X26920" disabled="False" log="True" position="6" action="Deny" direction="Both" comment="">
<PolicyRule id="id5942X26920" disabled="False" group="" log="True" position="6" action="Deny" direction="Both" comment="">
<Src neg="False">
<ObjectRef ref="sysid0"/>
</Src>
@ -2012,7 +2028,7 @@
<RuleSetOptions/>
</NAT>
<Policy id="id5498X42213" name="Policy" comment="" ro="False" ipv4_rule_set="False" ipv6_rule_set="False" top_rule_set="True">
<PolicyRule id="id5547X42213" disabled="False" log="True" position="0" action="Deny" direction="Both" comment="">
<PolicyRule id="id5547X42213" disabled="False" group="" log="True" position="0" action="Deny" direction="Both" comment="">
<Src neg="False">
<ObjectRef ref="sysid0"/>
</Src>
@ -2088,7 +2104,7 @@
<RuleSetOptions/>
</NAT>
<Policy id="id3645X20162" name="Policy" comment="" ro="False" ipv4_rule_set="False" ipv6_rule_set="False" top_rule_set="True">
<PolicyRule id="id39732X50958" disabled="False" log="True" position="0" action="Deny" direction="Inbound" comment="">
<PolicyRule id="id39732X50958" disabled="False" group="" log="True" position="0" action="Deny" direction="Inbound" comment="">
<Src neg="False">
<ObjectRef ref="id3642X20162"/>
</Src>
@ -2420,6 +2436,81 @@
<ClusterGroupOptions/>
</StateSyncClusterGroup>
</Cluster>
<Cluster id="id200714X1082" host_OS="freebsd" inactive="False" lastCompiled="1247150757" lastInstalled="0" lastModified="1296694664" platform="pf" name="pf_cluster_4" comment="using multicast address for pfsync and FreeBSD" ro="False">
<NAT id="id200787X1082" name="NAT" comment="" ro="False" ipv4_rule_set="False" ipv6_rule_set="False" top_rule_set="True">
<RuleSetOptions/>
</NAT>
<Policy id="id200756X1082" name="Policy" comment="" ro="False" ipv4_rule_set="False" ipv6_rule_set="False" top_rule_set="True">
<PolicyRule id="id200758X1082" disabled="False" group="" log="True" position="0" action="Deny" direction="Both" comment="">
<Src neg="False">
<ObjectRef ref="sysid0"/>
</Src>
<Dst neg="False">
<ObjectRef ref="sysid0"/>
</Dst>
<Srv neg="False">
<ServiceRef ref="sysid1"/>
</Srv>
<Itf neg="False">
<ObjectRef ref="sysid0"/>
</Itf>
<When neg="False">
<IntervalRef ref="sysid2"/>
</When>
<PolicyRuleOptions>
<Option name="stateless">True</Option>
</PolicyRuleOptions>
</PolicyRule>
<RuleSetOptions/>
</Policy>
<Routing id="id200790X1082" name="Routing" comment="" ro="False" ipv4_rule_set="False" ipv6_rule_set="False" top_rule_set="True">
<RuleSetOptions/>
</Routing>
<Interface id="id200724X1082" dedicated_failover="False" dyn="False" label="pf_clsuter_1 carp0" mgmt="False" security_level="0" unnum="False" unprotected="False" name="carp0" comment="" ro="False">
<IPv4 id="id200733X1082" name="pf_cluster_4:carp0:ip" comment="" ro="False" address="172.24.0.1" netmask="255.255.255.0"/>
<InterfaceOptions>
<Option name="iface_mtu">1500</Option>
<Option name="type">carp</Option>
</InterfaceOptions>
<FailoverClusterGroup id="id200736X1082" master_iface="id200595X1082" type="carp" name="pf_cluster_4:carp0:members" comment="">
<ObjectRef ref="id200634X1082"/>
<ObjectRef ref="id200595X1082"/>
<ClusterGroupOptions>
<Option name="carp_advbase">1</Option>
<Option name="carp_default_advskew">10</Option>
<Option name="carp_master_advskew">5</Option>
<Option name="carp_password">secret</Option>
<Option name="carp_vhid">101</Option>
</ClusterGroupOptions>
</FailoverClusterGroup>
</Interface>
<Interface id="id200741X1082" dedicated_failover="False" dyn="False" label="pf_cluster_1 carp1" mgmt="False" security_level="0" unnum="False" unprotected="False" name="carp1" comment="" ro="False">
<IPv4 id="id200749X1082" name="pf_cluster_4:carp1:ip" comment="" ro="False" address="192.168.1.1" netmask="255.255.255.0"/>
<InterfaceOptions>
<Option name="iface_mtu">1500</Option>
<Option name="type">carp</Option>
</InterfaceOptions>
<FailoverClusterGroup id="id200751X1082" master_iface="id200605X1082" type="carp" name="pf_cluster_4:carp1:members" comment="">
<ObjectRef ref="id200605X1082"/>
<ObjectRef ref="id200639X1082"/>
<ClusterGroupOptions>
<Option name="carp_advbase">1</Option>
<Option name="carp_default_advskew">10</Option>
<Option name="carp_master_advskew">5</Option>
<Option name="carp_password">secret</Option>
<Option name="carp_vhid">100</Option>
</ClusterGroupOptions>
</FailoverClusterGroup>
</Interface>
<FirewallOptions/>
<StateSyncClusterGroup id="id200794X1082" type="pfsync" name="pf_cluster_4:members-1" comment="">
<ObjectRef ref="id200634X1082"/>
<ObjectRef ref="id200595X1082"/>
<ClusterGroupOptions>
<Option name="syncpeer">True</Option>
</ClusterGroupOptions>
</StateSyncClusterGroup>
</Cluster>
</ObjectGroup>
<ObjectGroup id="id1496X69605" name="Objects" comment="" ro="False">
<ObjectGroup id="id1497X69605" name="Addresses" comment="" ro="False">
@ -3180,6 +3271,252 @@
<Option name="sshArgs"></Option>
</FirewallOptions>
</Firewall>
<Firewall id="id200587X1082" host_OS="freebsd" inactive="False" lastCompiled="0" lastInstalled="0" lastModified="1296694652" platform="pf" version="" name="freebsd-1-1" comment="" ro="False">
<NAT id="id200613X1082" name="NAT" comment="" ro="False" ipv4_rule_set="False" ipv6_rule_set="False" top_rule_set="True">
<RuleSetOptions/>
</NAT>
<Policy id="id200610X1082" name="Policy" comment="" ro="False" ipv4_rule_set="False" ipv6_rule_set="False" top_rule_set="True">
<RuleSetOptions/>
</Policy>
<Routing id="id200616X1082" name="Routing" comment="" ro="False" ipv4_rule_set="False" ipv6_rule_set="False" top_rule_set="True">
<RuleSetOptions/>
</Routing>
<Interface id="id200595X1082" dedicated_failover="False" dyn="False" label="" security_level="0" unnum="False" unprotected="False" name="en0" comment="" ro="False">
<IPv4 id="id200600X1082" name="freebsd-1:en0:ip" comment="" ro="False" address="172.24.0.2" netmask="255.255.255.0"/>
<InterfaceOptions/>
</Interface>
<Interface id="id200605X1082" dedicated_failover="False" dyn="False" label="" security_level="100" unnum="False" unprotected="False" name="en1" comment="" ro="False">
<IPv4 id="id200608X1082" name="freebsd-1:en1:ip" comment="" ro="False" address="192.168.1.2" netmask="255.255.255.0"/>
<InterfaceOptions/>
</Interface>
<Management address="0.0.0.0">
<SNMPManagement enabled="False" snmp_read_community="" snmp_write_community=""/>
<FWBDManagement enabled="False" identity="" port="-1"/>
<PolicyInstallScript arguments="" command="" enabled="False"/>
</Management>
<FirewallOptions>
<Option name="accept_new_tcp_with_no_syn">False</Option>
<Option name="activationCmd"></Option>
<Option name="admUser"></Option>
<Option name="altAddress"></Option>
<Option name="check_shading">False</Option>
<Option name="cmdline"></Option>
<Option name="compiler"></Option>
<Option name="conf1_file">pf.conf</Option>
<Option name="conf_file_name_on_firewall"></Option>
<Option name="configure_carp_interfaces">True</Option>
<Option name="configure_interfaces">True</Option>
<Option name="configure_pfsync_interfaces">True</Option>
<Option name="configure_vlan_interfaces">True</Option>
<Option name="debug">False</Option>
<Option name="epilog_script"></Option>
<Option name="fallback_log">False</Option>
<Option name="firewall_dir">/etc</Option>
<Option name="freebsd_ip_forward">1</Option>
<Option name="generate_rc_conf_file">True</Option>
<Option name="generate_shell_script">False</Option>
<Option name="ignore_empty_groups">False</Option>
<Option name="in_out_code">true</Option>
<Option name="ipv4_6_order">ipv4_first</Option>
<Option name="log_prefix">RULE %N -- %A </Option>
<Option name="loopback_interface">lo0</Option>
<Option name="manage_virtual_addr">True</Option>
<Option name="mgmt_addr"></Option>
<Option name="mgmt_ssh">False</Option>
<Option name="modulate_state">False</Option>
<Option name="openbsd_ip_forward">1</Option>
<Option name="output_file">rc.conf.local</Option>
<Option name="pass_all_out">false</Option>
<Option name="pf_adaptive_end">0</Option>
<Option name="pf_adaptive_start">0</Option>
<Option name="pf_do_limit_frags">False</Option>
<Option name="pf_do_limit_src_nodes">False</Option>
<Option name="pf_do_limit_states">False</Option>
<Option name="pf_do_limit_table_entries">False</Option>
<Option name="pf_do_limit_tables">False</Option>
<Option name="pf_do_scrub">False</Option>
<Option name="pf_do_timeout_frag">False</Option>
<Option name="pf_do_timeout_interval">False</Option>
<Option name="pf_flush_states">False</Option>
<Option name="pf_icmp_error">0</Option>
<Option name="pf_icmp_first">0</Option>
<Option name="pf_limit_frags">5000</Option>
<Option name="pf_limit_src_nodes">0</Option>
<Option name="pf_limit_states">10000</Option>
<Option name="pf_limit_table_entries">0</Option>
<Option name="pf_limit_tables">0</Option>
<Option name="pf_modulate_state">False</Option>
<Option name="pf_optimization"></Option>
<Option name="pf_other_first">0</Option>
<Option name="pf_other_multiple">0</Option>
<Option name="pf_other_single">0</Option>
<Option name="pf_scrub_fragm_crop">False</Option>
<Option name="pf_scrub_fragm_drop_ovl">False</Option>
<Option name="pf_scrub_maxmss">1460</Option>
<Option name="pf_scrub_minttl">0</Option>
<Option name="pf_scrub_no_df">False</Option>
<Option name="pf_scrub_random_id">False</Option>
<Option name="pf_scrub_reassemble">True</Option>
<Option name="pf_scrub_reassemble_tcp">False</Option>
<Option name="pf_scrub_use_maxmss">False</Option>
<Option name="pf_scrub_use_minttl">False</Option>
<Option name="pf_set_adaptive">False</Option>
<Option name="pf_set_icmp_error">False</Option>
<Option name="pf_set_icmp_first">False</Option>
<Option name="pf_set_other_first">False</Option>
<Option name="pf_set_other_multiple">False</Option>
<Option name="pf_set_other_single">False</Option>
<Option name="pf_set_tcp_closed">False</Option>
<Option name="pf_set_tcp_closing">False</Option>
<Option name="pf_set_tcp_established">False</Option>
<Option name="pf_set_tcp_finwait">False</Option>
<Option name="pf_set_tcp_first">False</Option>
<Option name="pf_set_tcp_opening">False</Option>
<Option name="pf_set_udp_first">False</Option>
<Option name="pf_set_udp_multiple">False</Option>
<Option name="pf_set_udp_single">False</Option>
<Option name="pf_state_policy"></Option>
<Option name="pf_tcp_closed">0</Option>
<Option name="pf_tcp_closing">0</Option>
<Option name="pf_tcp_established">0</Option>
<Option name="pf_tcp_finwait">0</Option>
<Option name="pf_tcp_first">0</Option>
<Option name="pf_tcp_opening">0</Option>
<Option name="pf_timeout_frag">30</Option>
<Option name="pf_timeout_interval">10</Option>
<Option name="pf_udp_first">0</Option>
<Option name="pf_udp_multiple">0</Option>
<Option name="pf_udp_single">0</Option>
<Option name="prolog_place">fw_file</Option>
<Option name="prolog_script"></Option>
<Option name="scpArgs"></Option>
<Option name="script_name_on_firewall"></Option>
<Option name="sshArgs"></Option>
</FirewallOptions>
</Firewall>
<Firewall id="id200626X1082" host_OS="freebsd" inactive="False" lastCompiled="0" lastInstalled="0" lastModified="1296694663" platform="pf" version="" name="freebsd-2-1" comment="" ro="False">
<NAT id="id200647X1082" name="NAT" comment="" ro="False" ipv4_rule_set="False" ipv6_rule_set="False" top_rule_set="True">
<RuleSetOptions/>
</NAT>
<Policy id="id200644X1082" name="Policy" comment="" ro="False" ipv4_rule_set="False" ipv6_rule_set="False" top_rule_set="True">
<RuleSetOptions/>
</Policy>
<Routing id="id200650X1082" name="Routing" comment="" ro="False" ipv4_rule_set="False" ipv6_rule_set="False" top_rule_set="True">
<RuleSetOptions/>
</Routing>
<Interface id="id200634X1082" dedicated_failover="False" dyn="False" label="" security_level="0" unnum="False" unprotected="False" name="en0" comment="" ro="False">
<IPv4 id="id200637X1082" name="freebsd-2:en0:ip" comment="" ro="False" address="172.24.0.3" netmask="255.255.255.0"/>
<InterfaceOptions/>
</Interface>
<Interface id="id200639X1082" dedicated_failover="False" dyn="False" label="" security_level="100" unnum="False" unprotected="False" name="en1" comment="" ro="False">
<IPv4 id="id200642X1082" name="freebsd-2:en1:ip" comment="" ro="False" address="192.168.1.3" netmask="255.255.255.0"/>
<InterfaceOptions/>
</Interface>
<Management address="0.0.0.0">
<SNMPManagement enabled="False" snmp_read_community="" snmp_write_community=""/>
<FWBDManagement enabled="False" identity="" port="-1"/>
<PolicyInstallScript arguments="" command="" enabled="False"/>
</Management>
<FirewallOptions>
<Option name="accept_new_tcp_with_no_syn">False</Option>
<Option name="activationCmd"></Option>
<Option name="admUser"></Option>
<Option name="altAddress"></Option>
<Option name="check_shading">False</Option>
<Option name="cmdline"></Option>
<Option name="compiler"></Option>
<Option name="conf1_file">pf.conf</Option>
<Option name="conf_file_name_on_firewall"></Option>
<Option name="configure_carp_interfaces">True</Option>
<Option name="configure_interfaces">True</Option>
<Option name="configure_pfsync_interfaces">True</Option>
<Option name="configure_vlan_interfaces">True</Option>
<Option name="debug">False</Option>
<Option name="epilog_script"></Option>
<Option name="fallback_log">False</Option>
<Option name="firewall_dir">/etc</Option>
<Option name="freebsd_ip_forward">1</Option>
<Option name="generate_rc_conf_file">True</Option>
<Option name="generate_shell_script">False</Option>
<Option name="ignore_empty_groups">False</Option>
<Option name="in_out_code">true</Option>
<Option name="ipv4_6_order">ipv4_first</Option>
<Option name="log_prefix">RULE %N -- %A </Option>
<Option name="loopback_interface">lo0</Option>
<Option name="manage_virtual_addr">True</Option>
<Option name="mgmt_addr"></Option>
<Option name="mgmt_ssh">False</Option>
<Option name="modulate_state">False</Option>
<Option name="openbsd_ip_forward">1</Option>
<Option name="output_file">rc.conf.local</Option>
<Option name="pass_all_out">false</Option>
<Option name="pf_adaptive_end">0</Option>
<Option name="pf_adaptive_start">0</Option>
<Option name="pf_do_limit_frags">False</Option>
<Option name="pf_do_limit_src_nodes">False</Option>
<Option name="pf_do_limit_states">False</Option>
<Option name="pf_do_limit_table_entries">False</Option>
<Option name="pf_do_limit_tables">False</Option>
<Option name="pf_do_scrub">False</Option>
<Option name="pf_do_timeout_frag">False</Option>
<Option name="pf_do_timeout_interval">False</Option>
<Option name="pf_flush_states">False</Option>
<Option name="pf_icmp_error">0</Option>
<Option name="pf_icmp_first">0</Option>
<Option name="pf_limit_frags">5000</Option>
<Option name="pf_limit_src_nodes">0</Option>
<Option name="pf_limit_states">10000</Option>
<Option name="pf_limit_table_entries">0</Option>
<Option name="pf_limit_tables">0</Option>
<Option name="pf_modulate_state">False</Option>
<Option name="pf_optimization"></Option>
<Option name="pf_other_first">0</Option>
<Option name="pf_other_multiple">0</Option>
<Option name="pf_other_single">0</Option>
<Option name="pf_scrub_fragm_crop">False</Option>
<Option name="pf_scrub_fragm_drop_ovl">False</Option>
<Option name="pf_scrub_maxmss">1460</Option>
<Option name="pf_scrub_minttl">0</Option>
<Option name="pf_scrub_no_df">False</Option>
<Option name="pf_scrub_random_id">False</Option>
<Option name="pf_scrub_reassemble">True</Option>
<Option name="pf_scrub_reassemble_tcp">False</Option>
<Option name="pf_scrub_use_maxmss">False</Option>
<Option name="pf_scrub_use_minttl">False</Option>
<Option name="pf_set_adaptive">False</Option>
<Option name="pf_set_icmp_error">False</Option>
<Option name="pf_set_icmp_first">False</Option>
<Option name="pf_set_other_first">False</Option>
<Option name="pf_set_other_multiple">False</Option>
<Option name="pf_set_other_single">False</Option>
<Option name="pf_set_tcp_closed">False</Option>
<Option name="pf_set_tcp_closing">False</Option>
<Option name="pf_set_tcp_established">False</Option>
<Option name="pf_set_tcp_finwait">False</Option>
<Option name="pf_set_tcp_first">False</Option>
<Option name="pf_set_tcp_opening">False</Option>
<Option name="pf_set_udp_first">False</Option>
<Option name="pf_set_udp_multiple">False</Option>
<Option name="pf_set_udp_single">False</Option>
<Option name="pf_state_policy"></Option>
<Option name="pf_tcp_closed">0</Option>
<Option name="pf_tcp_closing">0</Option>
<Option name="pf_tcp_established">0</Option>
<Option name="pf_tcp_finwait">0</Option>
<Option name="pf_tcp_first">0</Option>
<Option name="pf_tcp_opening">0</Option>
<Option name="pf_timeout_frag">30</Option>
<Option name="pf_timeout_interval">10</Option>
<Option name="pf_udp_first">0</Option>
<Option name="pf_udp_multiple">0</Option>
<Option name="pf_udp_single">0</Option>
<Option name="prolog_place">fw_file</Option>
<Option name="prolog_script"></Option>
<Option name="scpArgs"></Option>
<Option name="script_name_on_firewall"></Option>
<Option name="sshArgs"></Option>
</FirewallOptions>
</Firewall>
</ObjectGroup>
<IntervalGroup id="id1515X69605" name="Time" comment="" ro="False"/>
</Library>


@ -1,6 +1,6 @@
<?xml version="1.0" encoding="utf-8"?>
<!DOCTYPE FWObjectDatabase SYSTEM "fwbuilder.dtd">
<FWObjectDatabase xmlns="http://www.fwbuilder.org/1.0/" version="17" lastModified="1296513757" id="root">
<FWObjectDatabase xmlns="http://www.fwbuilder.org/1.0/" version="17" lastModified="1296687832" id="root">
<Library id="syslib000" color="#d4f8ff" name="Standard" comment="Standard objects" ro="True">
<AnyNetwork id="sysid0" name="Any" comment="Any Network" ro="False" address="0.0.0.0" netmask="0.0.0.0"/>
<AnyIPService id="sysid1" protocol_num="0" name="Any" comment="Any IP Service" ro="False"/>
@ -19939,6 +19939,258 @@
<Option name="sshArgs"></Option>
</FirewallOptions>
</Firewall>
<Firewall id="id32878X1082" host_OS="freebsd" inactive="False" lastCompiled="1296677661" lastInstalled="0" lastModified="1296687915" platform="pf" version="" name="firewall-ipv6-3" comment="" ro="False">
<NAT id="id33298X1082" name="NAT" comment="" ro="False" ipv4_rule_set="False" ipv6_rule_set="False" top_rule_set="True">
<RuleSetOptions/>
</NAT>
<Policy id="id32900X1082" name="Policy_ipv4" comment="" ro="False" ipv4_rule_set="False" ipv6_rule_set="False" top_rule_set="False">
<PolicyRule id="id32902X1082" disabled="False" group="" log="False" position="0" action="Accept" direction="Both" comment="">
<Src neg="False">
<ObjectRef ref="sysid0"/>
</Src>
<Dst neg="False">
<ObjectRef ref="sysid0"/>
</Dst>
<Srv neg="False">
<ServiceRef ref="sysid1"/>
</Srv>
<Itf neg="False">
<ObjectRef ref="id32893X1082"/>
</Itf>
<When neg="False">
<IntervalRef ref="sysid2"/>
</When>
<PolicyRuleOptions>
<Option name="stateless">False</Option>
</PolicyRuleOptions>
</PolicyRule>
<RuleSetOptions/>
</Policy>
<Policy id="id32959X1082" name="Policy" comment="" ro="False" ipv4_rule_set="False" ipv6_rule_set="True" top_rule_set="True">
<PolicyRule id="id32961X1082" disabled="False" group="" log="False" position="0" action="Accept" direction="Both" comment="">
<Src neg="False">
<ObjectRef ref="sysid0"/>
</Src>
<Dst neg="False">
<ObjectRef ref="sysid0"/>
</Dst>
<Srv neg="False">
<ServiceRef ref="sysid1"/>
</Srv>
<Itf neg="False">
<ObjectRef ref="id32893X1082"/>
</Itf>
<When neg="False">
<IntervalRef ref="sysid2"/>
</When>
<PolicyRuleOptions>
<Option name="stateless">False</Option>
</PolicyRuleOptions>
</PolicyRule>
<RuleSetOptions/>
</Policy>
<Routing id="id33301X1082" name="Routing" comment="" ro="False" ipv4_rule_set="False" ipv6_rule_set="False" top_rule_set="True">
<RuleSetOptions/>
</Routing>
<Interface id="id32886X1082" dedicated_failover="False" dyn="False" label="" mgmt="False" security_level="50" unnum="False" unprotected="False" name="ed0" comment="" ro="False">
<IPv4 id="id32890X1082" name="firewall-ipv6-3:ed0:ip" comment="" ro="False" address="1.1.1.1" netmask="255.255.255.0"/>
<IPv4 id="id33436X1082" name="firewall-ipv6-3:ed0:ip-1" comment="" ro="False" address="10.10.10.1" netmask="255.255.255.0"/>
<IPv4 id="id33467X1082" name="firewall-ipv6-3:ed0:ip-2" comment="" ro="False" address="10.10.10.2" netmask="255.255.255.0"/>
<IPv6 id="id32891X1082" name="firewall-ipv6-3:ed0:ip6" comment="" ro="False" address="fe80::21d:9ff:fe8b:8e94" netmask="64"/>
<IPv6 id="id33445X1082" name="firewall-ipv6-3:ed0:ipv6" comment="" ro="False" address="2001:db8::1" netmask="64"/>
<IPv6 id="id33458X1082" name="firewall-ipv6-3:ed0:ipv6-1" comment="" ro="False" address="2001:db8::2" netmask="64"/>
<InterfaceOptions/>
</Interface>
<Interface id="id32893X1082" dedicated_failover="False" dyn="False" label="" mgmt="False" security_level="100" unnum="False" unprotected="False" name="lo0" comment="" ro="False">
<IPv4 id="id32897X1082" name="firewall-ipv6-3:lo0:ip" comment="" ro="False" address="127.0.0.1" netmask="255.0.0.0"/>
<IPv6 id="id32898X1082" name="firewall-ipv6-3:lo0:ip6" comment="" ro="False" address="::1" netmask="128"/>
<InterfaceOptions/>
</Interface>
<Interface id="id196213X1082" dedicated_failover="False" dyn="False" label="" mgmt="False" security_level="0" unnum="True" unprotected="False" name="ed1" comment="" ro="False">
<InterfaceOptions>
<Option name="type">ethernet</Option>
</InterfaceOptions>
<Interface id="id196239X1082" dedicated_failover="False" dyn="False" label="" mgmt="False" security_level="0" unnum="False" unprotected="False" name="vlan100" comment="" ro="False">
<IPv4 id="id196259X1082" name="firewall-ipv6-3:ed1:vlan100:ip" comment="" ro="False" address="172.16.1.1" netmask="255.255.255.240"/>
<InterfaceOptions>
<Option name="type">8021q</Option>
<Option name="vlan_id">100</Option>
</InterfaceOptions>
</Interface>
<Interface id="id196253X1082" dedicated_failover="False" dyn="False" security_level="0" unnum="False" unprotected="False" name="vlan101" comment="" ro="False">
<IPv4 id="id196268X1082" name="firewall-ipv6-3:ed1:vlan101:ip" comment="" ro="False" address="172.16.2.1" netmask="255.255.255.240"/>
<InterfaceOptions>
<Option name="type">8021q</Option>
<Option name="vlan_id">101</Option>
</InterfaceOptions>
</Interface>
</Interface>
<Management address="1.1.1.1">
<SNMPManagement enabled="False" snmp_read_community="" snmp_write_community=""/>
<FWBDManagement enabled="False" identity="" port="-1"/>
<PolicyInstallScript arguments="" command="" enabled="False"/>
</Management>
<FirewallOptions>
<Option name="accept_established">True</Option>
<Option name="accept_new_tcp_with_no_syn">True</Option>
<Option name="action_on_reject"></Option>
<Option name="activationCmd"></Option>
<Option name="add_check_state_rule">true</Option>
<Option name="admUser"></Option>
<Option name="altAddress"></Option>
<Option name="bridging_fw">False</Option>
<Option name="check_shading">True</Option>
<Option name="clamp_mss_to_mtu">False</Option>
<Option name="classify_mark_terminating">False</Option>
<Option name="cmdline">-xt</Option>
<Option name="compiler"></Option>
<Option name="conf1_file"></Option>
<Option name="conf_file_name_on_firewall"></Option>
<Option name="configure_carp_interfaces">True</Option>
<Option name="configure_interfaces">True</Option>
<Option name="configure_pfsync_interfaces">True</Option>
<Option name="configure_vlan_interfaces">True</Option>
<Option name="debug">False</Option>
<Option name="drop_invalid">False</Option>
<Option name="eliminate_duplicates">true</Option>
<Option name="enable_ipv6">True</Option>
<Option name="epilog_script"></Option>
<Option name="fallback_log">False</Option>
<Option name="firewall_dir">/etc</Option>
<Option name="firewall_is_part_of_any_and_networks">True</Option>
<Option name="freebsd_ip_forward">1</Option>
<Option name="freebsd_ip_redirect"></Option>
<Option name="freebsd_ip_sourceroute"></Option>
<Option name="freebsd_ipv6_forward">1</Option>
<Option name="freebsd_path_ipf"></Option>
<Option name="freebsd_path_ipfw"></Option>
<Option name="freebsd_path_ipnat"></Option>
<Option name="freebsd_path_sysctl"></Option>
<Option name="generate_rc_conf_file">True</Option>
<Option name="generate_shell_script">False</Option>
<Option name="ignore_empty_groups">False</Option>
<Option name="in_out_code">True</Option>
<Option name="iosacl_add_clear_statements">true</Option>
<Option name="iosacl_assume_fw_part_of_any">true</Option>
<Option name="iosacl_include_comments">true</Option>
<Option name="ipv4_6_order">ipv4_first</Option>
<Option name="limit_suffix"></Option>
<Option name="limit_value">0</Option>
<Option name="linux24_ip_forward">1</Option>
<Option name="load_modules">True</Option>
<Option name="local_nat">False</Option>
<Option name="log_all">False</Option>
<Option name="log_invalid">False</Option>
<Option name="log_ip_opt">False</Option>
<Option name="log_level">info</Option>
<Option name="log_prefix">RULE %N -- %A </Option>
<Option name="log_tcp_opt">False</Option>
<Option name="log_tcp_seq">False</Option>
<Option name="loopback_interface">lo0</Option>
<Option name="macosx_ip_forward">1</Option>
<Option name="manage_virtual_addr">True</Option>
<Option name="mgmt_addr"></Option>
<Option name="mgmt_ssh">False</Option>
<Option name="modulate_state">False</Option>
<Option name="no_ipv6_default_policy">False</Option>
<Option name="openbsd_ip_directed_broadcast"></Option>
<Option name="openbsd_ip_forward">1</Option>
<Option name="openbsd_ip_redirect"></Option>
<Option name="openbsd_ip_sourceroute"></Option>
<Option name="openbsd_ipv6_forward">1</Option>
<Option name="openbsd_path_pfctl"></Option>
<Option name="openbsd_path_sysctl"></Option>
<Option name="output_file"></Option>
<Option name="pass_all_out">False</Option>
<Option name="pf_adaptive_end">0</Option>
<Option name="pf_adaptive_start">0</Option>
<Option name="pf_do_limit_frags">False</Option>
<Option name="pf_do_limit_src_nodes">False</Option>
<Option name="pf_do_limit_states">False</Option>
<Option name="pf_do_limit_table_entries">False</Option>
<Option name="pf_do_limit_tables">False</Option>
<Option name="pf_do_scrub">False</Option>
<Option name="pf_do_timeout_frag">False</Option>
<Option name="pf_do_timeout_interval">False</Option>
<Option name="pf_flush_states">False</Option>
<Option name="pf_icmp_error">0</Option>
<Option name="pf_icmp_first">0</Option>
<Option name="pf_limit_frags">5000</Option>
<Option name="pf_limit_src_nodes">0</Option>
<Option name="pf_limit_states">10000</Option>
<Option name="pf_limit_table_entries">0</Option>
<Option name="pf_limit_tables">0</Option>
<Option name="pf_modulate_state">False</Option>
<Option name="pf_optimization"></Option>
<Option name="pf_other_first">0</Option>
<Option name="pf_other_multiple">0</Option>
<Option name="pf_other_single">0</Option>
<Option name="pf_scrub_fragm_crop">False</Option>
<Option name="pf_scrub_fragm_drop_ovl">False</Option>
<Option name="pf_scrub_maxmss">1460</Option>
<Option name="pf_scrub_minttl">0</Option>
<Option name="pf_scrub_no_df">False</Option>
<Option name="pf_scrub_random_id">False</Option>
<Option name="pf_scrub_reassemble">True</Option>
<Option name="pf_scrub_reassemble_tcp">False</Option>
<Option name="pf_scrub_use_maxmss">False</Option>
<Option name="pf_scrub_use_minttl">False</Option>
<Option name="pf_set_adaptive">False</Option>
<Option name="pf_set_icmp_error">False</Option>
<Option name="pf_set_icmp_first">False</Option>
<Option name="pf_set_other_first">False</Option>
<Option name="pf_set_other_multiple">False</Option>
<Option name="pf_set_other_single">False</Option>
<Option name="pf_set_tcp_closed">False</Option>
<Option name="pf_set_tcp_closing">False</Option>
<Option name="pf_set_tcp_established">False</Option>
<Option name="pf_set_tcp_finwait">False</Option>
<Option name="pf_set_tcp_first">False</Option>
<Option name="pf_set_tcp_opening">False</Option>
<Option name="pf_set_udp_first">False</Option>
<Option name="pf_set_udp_multiple">False</Option>
<Option name="pf_set_udp_single">False</Option>
<Option name="pf_state_policy"></Option>
<Option name="pf_tcp_closed">0</Option>
<Option name="pf_tcp_closing">0</Option>
<Option name="pf_tcp_established">0</Option>
<Option name="pf_tcp_finwait">0</Option>
<Option name="pf_tcp_first">0</Option>
<Option name="pf_tcp_opening">0</Option>
<Option name="pf_timeout_frag">30</Option>
<Option name="pf_timeout_interval">10</Option>
<Option name="pf_udp_first">0</Option>
<Option name="pf_udp_multiple">0</Option>
<Option name="pf_udp_single">0</Option>
<Option name="pix_add_clear_statements">true</Option>
<Option name="pix_assume_fw_part_of_any">true</Option>
<Option name="pix_default_logint">300</Option>
<Option name="pix_emblem_log_format">false</Option>
<Option name="pix_emulate_out_acl">true</Option>
<Option name="pix_floodguard">true</Option>
<Option name="pix_include_comments">true</Option>
<Option name="pix_route_dnat_supported">true</Option>
<Option name="pix_rule_syslog_settings">false</Option>
<Option name="pix_security_fragguard_supported">true</Option>
<Option name="pix_syslog_device_id_supported">false</Option>
<Option name="pix_use_acl_remarks">true</Option>
<Option name="prolog_place">fw_file</Option>
<Option name="prolog_script"></Option>
<Option name="prompt1">$ </Option>
<Option name="prompt2"> # </Option>
<Option name="scpArgs"></Option>
<Option name="script_name_on_firewall"></Option>
<Option name="solaris_ip_forward">1</Option>
<Option name="sshArgs"></Option>
<Option name="ulog_cprange">0</Option>
<Option name="ulog_nlgroup">1</Option>
<Option name="ulog_qthreshold">1</Option>
<Option name="use_ULOG">False</Option>
<Option name="use_iptables_restore">False</Option>
<Option name="use_numeric_log_levels">False</Option>
<Option name="verify_interfaces">True</Option>
</FirewallOptions>
</Firewall>
</ObjectGroup>
<IntervalGroup id="stdid11_1" name="Time" comment="" ro="False"/>
</Library>