see #1888, #2020, #2018 rc.conf format of the init script for PF on FreeBSD, includes inetrfaes. addresses, CARP, pfsync and pf initialization
parent
5f9e82fda1
commit
39eaf40722
2
VERSION
2
VERSION
@ -7,7 +7,7 @@ FWB_MICRO_VERSION=0
|
||||
# build number is like "nano" version number. I am incrementing build
|
||||
# number during development cycle
|
||||
#
|
||||
BUILD_NUM="3456"
|
||||
BUILD_NUM="3457"
|
||||
|
||||
VERSION="$FWB_MAJOR_VERSION.$FWB_MINOR_VERSION.$FWB_MICRO_VERSION.$BUILD_NUM"
|
||||
|
||||
|
@ -1,2 +1,2 @@
|
||||
#define VERSION "4.2.0.3456"
|
||||
#define VERSION "4.2.0.3457"
|
||||
#define GENERATION "4.2"
|
||||
|
@ -1,3 +1,13 @@
|
||||
2011-02-02 vadim <vadim@netcitadel.com>
|
||||
|
||||
* OSConfigurator_freebsd.cpp: see #1888 "Add option to generate
|
||||
rc.conf.local file for BSD systems". Added ability to generate
|
||||
initialization script in rc.conf fromat for FreeBSD. Only FreeBSD
|
||||
is currently supported (not OpenBSD). Generated script includes
|
||||
variables to configure interfaces and their ipv4 and ipv6
|
||||
addresses, vlans, CARP and pfsync interfaces, as well as variables
|
||||
that initialize PF.
|
||||
|
||||
2011-02-01 vadim <vadim@netcitadel.com>
|
||||
|
||||
* CompilerDriver_files.cpp (determineOutputFileNames): See #2015
|
||||
|
@ -3,7 +3,7 @@
|
||||
|
||||
|
||||
%define name fwbuilder
|
||||
%define version 4.2.0.3456
|
||||
%define version 4.2.0.3457
|
||||
%define release 1
|
||||
|
||||
%if "%_vendor" == "MandrakeSoft"
|
||||
|
@ -4,6 +4,6 @@ Replaces: fwbuilder (<=4.1.1-1), fwbuilder-common, fwbuilder-bsd, fwbuilder-linu
|
||||
Priority: extra
|
||||
Section: checkinstall
|
||||
Maintainer: vadim@fwbuilder.org
|
||||
Version: 4.2.0.3456-1
|
||||
Version: 4.2.0.3457-1
|
||||
Depends: libqt4-gui (>= 4.3.0), libxml2, libxslt1.1, libsnmp | libsnmp15
|
||||
Description: Firewall Builder GUI and policy compilers
|
||||
|
@ -1,6 +1,6 @@
|
||||
|
||||
%define name fwbuilder
|
||||
%define version 4.2.0.3456
|
||||
%define version 4.2.0.3457
|
||||
%define release 1
|
||||
|
||||
%if "%_vendor" == "MandrakeSoft"
|
||||
|
@ -117,7 +117,8 @@ QString CompilerDriver_iosacl::assembleFwScript(Cluster *cluster,
|
||||
options->setStr("prolog_script", options->getStr("iosacl_prolog_script"));
|
||||
options->setStr("epilog_script", options->getStr("iosacl_epilog_script"));
|
||||
|
||||
assembleFwScriptInternal(cluster, fw, cluster_member, oscnf, &script_skeleton, &top_comment, "!");
|
||||
assembleFwScriptInternal(cluster, fw, cluster_member,
|
||||
oscnf, &script_skeleton, &top_comment, "!", true);
|
||||
return script_skeleton.expand();
|
||||
}
|
||||
|
||||
|
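Review bot: The new trailing argument on the `assembleFwScriptInternal` call is a bare `true`, so a reader of this line cannot tell what is being enabled without opening CompilerDriver.h; the same literal is passed at the pix, procurve_acl, ipf and ipfw call sites further down. A self-describing call, e.g. `assembleFwScriptInternal(cluster, fw, cluster_member, oscnf, &script_skeleton, &top_comment, "!", /* indent */ true);`, or a named constant shared by these drivers, would make the intent visible at each site. The pf driver is the only one that actually computes the flag (from `generate_rc_conf_file`), so the other drivers are hard-coding a policy that a short comment should at least name.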
@ -160,7 +160,8 @@ QString CompilerDriver_pix::assembleFwScript(Cluster *cluster,
|
||||
script_skeleton.setVariable("routing_script",
|
||||
QString::fromUtf8(routing_script.c_str()));
|
||||
|
||||
assembleFwScriptInternal(cluster, fw, cluster_member, oscnf, &script_skeleton, &top_comment, "!");
|
||||
assembleFwScriptInternal(cluster, fw, cluster_member, oscnf,
|
||||
&script_skeleton, &top_comment, "!", true);
|
||||
return script_skeleton.expand();
|
||||
}
|
||||
|
||||
|
@ -113,7 +113,8 @@ QString CompilerDriver_procurve_acl::assembleFwScript(Cluster *cluster,
|
||||
options->setStr("prolog_script", options->getStr("procurve_acl_prolog_script"));
|
||||
options->setStr("epilog_script", options->getStr("procurve_acl_epilog_script"));
|
||||
|
||||
assembleFwScriptInternal(cluster, fw, cluster_member, oscnf, &script_skeleton, &top_comment, ";");
|
||||
assembleFwScriptInternal(cluster, fw, cluster_member, oscnf,
|
||||
&script_skeleton, &top_comment, ";", true);
|
||||
return script_skeleton.expand();
|
||||
}
|
||||
|
||||
|
@ -156,7 +156,8 @@ protected:
|
||||
OSConfigurator *ocsnf,
|
||||
Configlet *script_skeleton,
|
||||
Configlet *top_comment,
|
||||
const QString &comment_char);
|
||||
const QString &comment_char,
|
||||
bool indent);
|
||||
|
||||
void _findImportedRuleSetsRecursively(libfwbuilder::Firewall *fw,
|
||||
libfwbuilder::RuleSet *ruleset,
|
||||
|
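Review bot: The new `bool indent` parameter is declared without a comment, and its name understates what it controls: in CompilerDriver.cpp the same flag also decides whether `comment_char` is prepended to the firewall comment and to the errors-and-warnings block, not only whether the command blocks get their leading spaces. A one-line comment on the declaration would save the next caller from guessing, e.g. `// indent: false for rc.conf-style output; drops the leading spaces on command blocks and the comment_char prefix on comment/error lines`. The enclosing class declaration starts and ends outside the hunk.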
@ -71,7 +71,8 @@ void CompilerDriver::assembleFwScriptInternal(Cluster *cluster,
|
||||
OSConfigurator *oscnf,
|
||||
Configlet *script_skeleton,
|
||||
Configlet *top_comment,
|
||||
const QString &comment_char)
|
||||
const QString &comment_char,
|
||||
bool indent)
|
||||
{
|
||||
FWOptions* options = fw->getOptionsObject();
|
||||
string platform = fw->getStr("platform");
|
||||
@ -112,17 +113,21 @@ void CompilerDriver::assembleFwScriptInternal(Cluster *cluster,
|
||||
|
||||
QFileInfo fw_file_info(fw_file_name);
|
||||
|
||||
top_comment->setVariable("manifest", assembleManifest(cluster, fw, cluster_member));
|
||||
top_comment->setVariable("manifest", assembleManifest(cluster, fw,
|
||||
cluster_member));
|
||||
top_comment->setVariable("platform", platform.c_str());
|
||||
top_comment->setVariable("fw_version", fw_version.c_str());
|
||||
top_comment->setVariable("comment", prepend(comment_char + " ", fw->getComment().c_str()));
|
||||
top_comment->setVariable("comment",
|
||||
prepend((indent) ? comment_char + " " : "",
|
||||
fw->getComment().c_str()));
|
||||
|
||||
script_skeleton->setVariable("have_nat", have_nat);
|
||||
script_skeleton->setVariable("have_filter", have_filter);
|
||||
|
||||
script_skeleton->setVariable("top_comment", top_comment->expand());
|
||||
script_skeleton->setVariable("errors_and_warnings",
|
||||
prepend(comment_char + " ", all_errors.join("\n")));
|
||||
prepend((indent) ? comment_char + " " : "",
|
||||
all_errors.join("\n")));
|
||||
script_skeleton->setVariable("tools", printPathForAllTools(fw, family));
|
||||
|
||||
script_skeleton->setVariable("timestamp", timestr);
|
||||
@ -134,16 +139,21 @@ void CompilerDriver::assembleFwScriptInternal(Cluster *cluster,
|
||||
|
||||
script_buffer = "";
|
||||
|
||||
script_skeleton->setVariable("shell_functions", oscnf->printFunctions().c_str());
|
||||
script_skeleton->setVariable("shell_functions",
|
||||
oscnf->printFunctions().c_str());
|
||||
script_skeleton->setVariable("kernel_vars_commands",
|
||||
prepend(" ", oscnf->printKernelVarsCommands().c_str()));
|
||||
prepend((indent) ? " " : "",
|
||||
oscnf->printKernelVarsCommands().c_str()));
|
||||
script_skeleton->setVariable("configure_interfaces",
|
||||
prepend(" ", oscnf->configureInterfaces().c_str()));
|
||||
prepend((indent) ? " " : "",
|
||||
oscnf->configureInterfaces().c_str()));
|
||||
|
||||
// this really adds nothing for the most of the systems
|
||||
script_skeleton->setVariable("other_os_configuration_commands", oscnf->getCompiledScript().c_str());
|
||||
script_skeleton->setVariable("other_os_configuration_commands",
|
||||
oscnf->getCompiledScript().c_str());
|
||||
|
||||
script_skeleton->setVariable("activation_commands", printActivationCommands(fw));
|
||||
script_skeleton->setVariable("activation_commands",
|
||||
printActivationCommands(fw));
|
||||
|
||||
script_skeleton->setVariable("verify_interfaces", "");
|
||||
|
||||
|
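Review bot: In the second hunk, `indent == false` replaces the `comment_char + " "` prefix with an empty string for both the `comment` and the `errors_and_warnings` variables, so in rc.conf mode every line of the firewall's free-form comment and of `all_errors.join("\n")` reaches the generated file unprefixed; unless the `rc_conf_top_comment` / `rc_conf_skeleton` configlets prefix each line themselves, a multi-line comment or warning ends up as bare text in a file the BSD rc system sources as shell. If the intent was only to drop the four-space indentation of the kernel-vars and interface blocks in the third hunk, the comment prefix should stay unconditional: `prepend(comment_char + " ", fw->getComment().c_str())` and `prepend(comment_char + " ", all_errors.join("\n"))`. If the prefix really has to go for rc.conf output, a second parameter (or a small enum) separating "indent commands" from "prefix comments" would keep the two decisions independent and reviewable. The function body continues outside the hunks.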
@ -160,7 +160,8 @@ QString CompilerDriver_ipf::assembleFwScript(Cluster *cluster,
|
||||
Configlet top_comment(fw, "ipf", "top_comment");
|
||||
|
||||
assembleFwScriptInternal(
|
||||
cluster, fw, cluster_member, oscnf, &script_skeleton, &top_comment, "#");
|
||||
cluster, fw, cluster_member, oscnf,
|
||||
&script_skeleton, &top_comment, "#", true);
|
||||
return script_skeleton.expand();
|
||||
}
|
||||
|
||||
@ -200,6 +201,17 @@ QString CompilerDriver_ipf::run(const std::string &cluster_id,
|
||||
|
||||
determineOutputFileNames(cluster, fw, !cluster_id.empty());
|
||||
|
||||
// if remote file spec does not include path, the file is
|
||||
// assumed to be in directory set in the "Installer" tab
|
||||
// of the firewall settings dialog
|
||||
//
|
||||
// fw_dir is used below to generate activation commands
|
||||
|
||||
QString fw_dir = options->getStr("firewall_dir").c_str();
|
||||
|
||||
if (fw_dir.isEmpty()) fw_dir = Resources::getTargetOptionStr(
|
||||
fw->getStr("host_OS"), "activation/fwdir").c_str();
|
||||
|
||||
QFileInfo finfo(fw_file_name);
|
||||
QString ipf_file_name = finfo.completeBaseName() + "-ipf.conf";
|
||||
QString nat_file_name = finfo.completeBaseName() + "-nat.conf";
|
||||
@ -362,7 +374,16 @@ QString CompilerDriver_ipf::run(const std::string &cluster_id,
|
||||
|
||||
QString filePath;
|
||||
if (remote_ipf_name[0] == '/') filePath = remote_ipf_name;
|
||||
else filePath = QString("${FWDIR}/") + remote_ipf_name;
|
||||
else
|
||||
{
|
||||
QFileInfo remote_file_info(remote_ipf_name);
|
||||
if (remote_file_info.path() != ".")
|
||||
filePath = remote_ipf_name;
|
||||
else
|
||||
filePath = fw_dir + "/" + remote_ipf_name;
|
||||
|
||||
//filePath = QString("${FWDIR}/") + remote_ipf_name;
|
||||
}
|
||||
|
||||
activation_commands.push_back(
|
||||
composeActivationCommand(
|
||||
@ -400,7 +421,17 @@ QString CompilerDriver_ipf::run(const std::string &cluster_id,
|
||||
|
||||
QString filePath;
|
||||
if (remote_nat_name[0] == '/') filePath = remote_nat_name;
|
||||
else filePath = QString("${FWDIR}/") + remote_nat_name;
|
||||
else
|
||||
{
|
||||
QFileInfo remote_file_info(remote_nat_name);
|
||||
if (remote_file_info.path() != ".")
|
||||
filePath = remote_nat_name;
|
||||
else
|
||||
filePath = fw_dir + "/" + remote_nat_name;
|
||||
|
||||
//filePath = QString("${FWDIR}/") + remote_nat_name;
|
||||
}
|
||||
|
||||
activation_commands.push_back(
|
||||
composeActivationCommand(
|
||||
fw, false, ipf_dbg, fw_version, filePath.toStdString()));
|
||||
|
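Review bot: In the third and fourth hunks `filePath` is now built from `fw_dir`, which comes from the user-editable `firewall_dir` option, and is handed to `composeActivationCommand()` with no visible quoting, whereas the matching code in CompilerDriver_pf::printActivationCommands runs the result through `escapeFileName()`; unless composeActivationCommand quotes its argument, a directory containing spaces or shell metacharacters changes the meaning of the generated activation command. The ten-line resolve-against-fw_dir block also appears twice here and twice more in the pf driver, so any fix has to be repeated in four places; a small shared helper (with the escaping step applied once, if `escapeFileName()` lives in the common CompilerDriver base) would keep them aligned. Both blocks sit inside `CompilerDriver_ipf::run`, whose body starts and ends outside the hunks.
```cpp
// Resolve a remote file spec against the firewall directory: absolute specs
// and specs that already carry a directory are used as given; a bare file
// name is placed under fw_dir. startsWith() also copes with an empty spec.
static QString resolveRemoteFileName(const QString &fw_dir, const QString &name)
{
    if (name.startsWith('/')) return name;
    QFileInfo remote_file_info(name);
    if (remote_file_info.path() != ".") return name;
    return fw_dir + "/" + name;
}

// … unchanged: ipf_dbg / fw_version / remote_ipf_name setup …
QString filePath = escapeFileName(resolveRemoteFileName(fw_dir, remote_ipf_name));
// … unchanged: activation_commands.push_back(composeActivationCommand(...)) …
```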
@ -107,7 +107,8 @@ QString CompilerDriver_ipfw::assembleFwScript(Cluster *cluster,
|
||||
Configlet top_comment(fw, "ipfw", "top_comment");
|
||||
|
||||
assembleFwScriptInternal(
|
||||
cluster, fw, cluster_member, oscnf, &script_skeleton, &top_comment, "#");
|
||||
cluster, fw, cluster_member, oscnf,
|
||||
&script_skeleton, &top_comment, "#", true);
|
||||
return script_skeleton.expand();
|
||||
}
|
||||
|
||||
|
@ -89,7 +89,11 @@ QString CompilerDriver_pf::composeActivationCommand(Firewall *fw,
|
||||
const string &pf_version,
|
||||
const string &remote_file_name)
|
||||
{
|
||||
Configlet act(fw, "pf", "activation");
|
||||
FWOptions* options = fw->getOptionsObject();
|
||||
Configlet act(fw, "pf",
|
||||
options->getBool("generate_rc_conf_file") ?
|
||||
"rc_conf_activation" : "activation");
|
||||
|
||||
act.removeComments();
|
||||
act.setVariable("pfctl_debug", pfctl_debug.c_str());
|
||||
act.setVariable("anchor", !anchor_name.empty());
|
||||
@ -113,10 +117,25 @@ QString CompilerDriver_pf::printActivationCommands(Firewall *fw)
|
||||
bool debug = options->getBool("debug");
|
||||
string pfctl_dbg = (debug)?"-v ":"";
|
||||
|
||||
// if remote file spec does not include path, the file is
|
||||
// assumed to be in directory set in the "Installer" tab
|
||||
// of the firewall settings dialog
|
||||
QString fw_dir = options->getStr("firewall_dir").c_str();
|
||||
|
||||
if (fw_dir.isEmpty()) fw_dir = Resources::getTargetOptionStr(
|
||||
fw->getStr("host_OS"), "activation/fwdir").c_str();
|
||||
|
||||
QStringList activation_commands;
|
||||
QString remote_file = remote_conf_files["__main__"];
|
||||
if (remote_file.isEmpty()) remote_file = conf_files["__main__"];
|
||||
if (remote_file[0] != '/') remote_file = "${FWDIR}/" + remote_file;
|
||||
if (remote_file[0] != '/')
|
||||
{
|
||||
QFileInfo remote_file_info(remote_file);
|
||||
if (remote_file_info.path() != ".")
|
||||
remote_file = remote_file;
|
||||
else
|
||||
remote_file = fw_dir + "/" + remote_file;
|
||||
}
|
||||
remote_file = this->escapeFileName(remote_file);
|
||||
|
||||
activation_commands.push_back(
|
||||
@ -128,7 +147,14 @@ QString CompilerDriver_pf::printActivationCommands(Firewall *fw)
|
||||
{
|
||||
QString remote_file = remote_conf_files[i->first];
|
||||
if (remote_file.isEmpty()) remote_file = i->second;
|
||||
if (remote_file[0] != '/') remote_file = "${FWDIR}/" + remote_file;
|
||||
if (remote_file[0] != '/')
|
||||
{
|
||||
QFileInfo remote_file_info(remote_file);
|
||||
if (remote_file_info.path() != ".")
|
||||
remote_file = remote_file;
|
||||
else
|
||||
remote_file = fw_dir + "/" + remote_file;
|
||||
}
|
||||
remote_file = this->escapeFileName(remote_file);
|
||||
|
||||
if (i->first != "__main__")
|
||||
@ -179,14 +205,23 @@ QString CompilerDriver_pf::assembleFwScript(Cluster *cluster,
|
||||
OSConfigurator *oscnf)
|
||||
{
|
||||
FWOptions* options = fw->getOptionsObject();
|
||||
Configlet script_skeleton(fw, "pf", "script_skeleton");
|
||||
Configlet top_comment(fw, "pf", "top_comment");
|
||||
|
||||
Configlet script_skeleton(
|
||||
fw, "pf",
|
||||
options->getBool("generate_rc_conf_file") ?
|
||||
"rc_conf_skeleton" : "script_skeleton");
|
||||
|
||||
Configlet top_comment(fw, "pf",
|
||||
options->getBool("generate_rc_conf_file") ?
|
||||
"rc_conf_top_comment" : "top_comment");
|
||||
|
||||
script_skeleton.setVariable("routing_script",
|
||||
QString::fromUtf8(routing_script.c_str()));
|
||||
|
||||
assembleFwScriptInternal(
|
||||
cluster, fw, cluster_member, oscnf, &script_skeleton, &top_comment, "#");
|
||||
cluster, fw, cluster_member, oscnf,
|
||||
&script_skeleton, &top_comment, "#",
|
||||
!options->getBool("generate_rc_conf_file"));
|
||||
|
||||
if (fw->getStr("platform") == "pf")
|
||||
{
|
||||
|
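Review bot: In the second and third hunks the `path() != "."` branch assigns `remote_file = remote_file;`, a no-op that only exists to mirror the two-way `if` in the ipf driver; the block reads more clearly as a single conditional: `if (QFileInfo(remote_file).path() == ".") remote_file = fw_dir + "/" + remote_file;`. In the fourth hunk `options->getBool("generate_rc_conf_file")` is evaluated three times inside `assembleFwScript` (and once more in `composeActivationCommand`), so one lookup per function, `const bool rc_conf = options->getBool("generate_rc_conf_file");`, would make the skeleton, top_comment and indent choices visibly derive from one flag. The `assembleFwScriptInternal` call also deserves a comment: passing `!rc_conf` as `indent` is what turns off both the command indentation and the comment-char prefix in CompilerDriver.cpp, which is not obvious from the call alone. Both functions continue outside the hunks.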
@ -2,11 +2,9 @@
|
||||
|
||||
Firewall Builder
|
||||
|
||||
Copyright (C) 2002,2009 NetCitadel, LLC
|
||||
Copyright (C) 2002-2011 NetCitadel, LLC
|
||||
|
||||
Author: Vadim Kurland vadim@vk.crocodile.org
|
||||
|
||||
$Id$
|
||||
Author: Vadim Kurland vadim@fwbuilder.org
|
||||
|
||||
This program is free software which we release under the GNU General Public
|
||||
License. You may redistribute and/or modify this program under the terms
|
||||
@ -64,57 +62,6 @@ string OSConfigurator_bsd::printKernelVarsCommands()
|
||||
return "";
|
||||
}
|
||||
|
||||
string OSConfigurator_bsd::updateAddressesOfInterfaceCall(
|
||||
Interface *iface, list<pair<InetAddr,InetAddr> > all_addresses)
|
||||
{
|
||||
QStringList arg1;
|
||||
arg1.push_back(iface->getName().c_str());
|
||||
|
||||
for (list<pair<InetAddr,InetAddr> >::iterator j = all_addresses.begin();
|
||||
j != all_addresses.end(); ++j)
|
||||
{
|
||||
InetAddr ipaddr = j->first;
|
||||
InetAddr ipnetm = j->second;
|
||||
|
||||
if (ipaddr.isV6())
|
||||
arg1.push_back(QString("%1/%2").arg(ipaddr.toString().c_str())
|
||||
.arg(ipnetm.getLength()));
|
||||
else
|
||||
{
|
||||
/*
|
||||
on OpenBSD ifconfig prints netmask of ipv4 addresses in hex
|
||||
|
||||
# ifconfig em0
|
||||
em0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
|
||||
lladdr 00:0c:29:83:4d:2f
|
||||
media: Ethernet autoselect (1000baseT full-duplex,master)
|
||||
status: active
|
||||
inet 10.1.1.50 netmask 0xffffff00 broadcast 10.1.1.255
|
||||
inet6 fe80::20c:29ff:fe83:4d2f%em0 prefixlen 64 scopeid 0x2
|
||||
*/
|
||||
int nbits = ipnetm.getLength();
|
||||
uint32_t netm = 0;
|
||||
while (nbits)
|
||||
{
|
||||
netm = netm >> 1;
|
||||
netm |= 1<<31;
|
||||
nbits--;
|
||||
}
|
||||
|
||||
arg1.push_back(QString("%1/0x%2")
|
||||
.arg(ipaddr.toString().c_str())
|
||||
.arg(netm, -8, 16));
|
||||
}
|
||||
}
|
||||
|
||||
return string("update_addresses_of_interface ") +
|
||||
"\"" +
|
||||
arg1.join(" ").toStdString() +
|
||||
"\"" +
|
||||
" \"\"";
|
||||
}
|
||||
|
||||
|
||||
void OSConfigurator_bsd::addVirtualAddressForNAT(const Network*)
|
||||
{
|
||||
}
|
||||
@ -212,291 +159,6 @@ string OSConfigurator_bsd::printFunctions()
|
||||
return ostr.str();
|
||||
}
|
||||
|
||||
/*
|
||||
* We need to sort interfaces by name but make sure carp interfaces
|
||||
* are always last. See #1807
|
||||
*/
|
||||
bool compare_names(FWObject *a, FWObject *b)
|
||||
{
|
||||
QString a_name = QString(a->getName().c_str());
|
||||
QString b_name = QString(b->getName().c_str());
|
||||
if (a_name.startsWith("carp") && b_name.startsWith("carp")) return a_name < b_name;
|
||||
if (a_name.startsWith("carp")) return false;
|
||||
if (b_name.startsWith("carp")) return true;
|
||||
return a_name < b_name;
|
||||
}
|
||||
|
||||
string OSConfigurator_bsd::configureInterfaces()
|
||||
{
|
||||
ostringstream ostr;
|
||||
FWOptions* options = fw->getOptionsObject();
|
||||
|
||||
// Update vlans first because we may need to update ip addresses
|
||||
// on vlan interfaces later
|
||||
if ( options->getBool("configure_vlan_interfaces") )
|
||||
{
|
||||
QStringList vlan_interfaces;
|
||||
ostringstream vlan_output;
|
||||
// http://blog.scottlowe.org/2007/08/31/vlan-interfaces-with-openbsd-41/
|
||||
// ifconfig <VLAN interface name> vlan <VLAN ID> vlandev <physical network device>
|
||||
FWObjectTypedChildIterator i=fw->findByType(Interface::TYPENAME);
|
||||
for ( ; i!=i.end(); ++i )
|
||||
{
|
||||
Interface *iface = Interface::cast(*i);
|
||||
assert(iface);
|
||||
|
||||
vlan_output << "update_vlans_of_interface "
|
||||
<< "\"" << iface->getName() << " ";
|
||||
|
||||
FWObjectTypedChildIterator si=iface->findByType(Interface::TYPENAME);
|
||||
for ( ; si!=si.end(); ++si )
|
||||
{
|
||||
Interface *subinterface = Interface::cast(*si);
|
||||
assert(subinterface);
|
||||
|
||||
if (subinterface->getOptionsObject()->getStr("type") == "8021q")
|
||||
{
|
||||
vlan_interfaces.push_back(subinterface->getName().c_str());
|
||||
vlan_output << subinterface->getName() << " ";
|
||||
}
|
||||
}
|
||||
vlan_output << "\"" << endl;
|
||||
}
|
||||
|
||||
ostr << "sync_vlan_interfaces "
|
||||
<< vlan_interfaces.join(" ").toStdString()
|
||||
<< endl;
|
||||
|
||||
if (vlan_interfaces.size() > 0)
|
||||
{
|
||||
ostr << vlan_output.str() << endl;
|
||||
}
|
||||
}
|
||||
|
||||
if ( options->getBool("configure_carp_interfaces") )
|
||||
{
|
||||
/*
|
||||
* Compiler::processFailoverGroup copies interfaces of the cluster to
|
||||
* the member firewall objects. This means when we scan interfaces of
|
||||
* the firewall here, we get both its normal interfaces and a copy of
|
||||
* cluster interfaces.
|
||||
*
|
||||
*/
|
||||
ostringstream carp_output;
|
||||
QStringList carp_interfaces;
|
||||
|
||||
FWObjectTypedChildIterator i=fw->findByType(Interface::TYPENAME);
|
||||
for ( ; i!=i.end(); ++i )
|
||||
{
|
||||
Interface *iface = Interface::cast(*i);
|
||||
assert(iface);
|
||||
|
||||
if ( ! iface->isFailoverInterface()) continue;
|
||||
|
||||
// failover_master and base_device are set in Compiler::processFailoverGroup
|
||||
FWOptions *ifopt = (Interface::cast(iface))->getOptionsObject();
|
||||
assert(ifopt != NULL);
|
||||
|
||||
bool master = ifopt->getBool("failover_master");
|
||||
string base_interface = ifopt->getStr("base_device");
|
||||
|
||||
FWObject *failover_group =
|
||||
iface->getFirstByType(FailoverClusterGroup::TYPENAME);
|
||||
if (failover_group && failover_group->getStr("type") == "carp")
|
||||
{
|
||||
carp_interfaces.push_back(iface->getName().c_str());
|
||||
|
||||
FWOptions *failover_opts =
|
||||
FailoverClusterGroup::cast(failover_group)->getOptionsObject();
|
||||
string carp_password = failover_opts->getStr("carp_password");
|
||||
if (carp_password.empty()) carp_password = "\"\"";
|
||||
string vhid = failover_opts->getStr("carp_vhid");
|
||||
int advbase = failover_opts->getInt("carp_advbase");
|
||||
int master_advskew = failover_opts->getInt("carp_master_advskew");
|
||||
int default_advskew = failover_opts->getInt("carp_default_advskew");
|
||||
|
||||
if (master_advskew < 0) master_advskew = 0;
|
||||
if (default_advskew < 0) default_advskew = 0;
|
||||
if (master_advskew == default_advskew) default_advskew++;
|
||||
|
||||
int use_advskew;
|
||||
if (master)
|
||||
use_advskew = master_advskew;
|
||||
else
|
||||
use_advskew = default_advskew;
|
||||
|
||||
Configlet configlet(fw, "bsd", "carp_interface");
|
||||
configlet.removeComments();
|
||||
configlet.collapseEmptyStrings(true);
|
||||
configlet.setVariable("carp_interface", iface->getName().c_str());
|
||||
configlet.setVariable("have_advbase", advbase > 1);
|
||||
configlet.setVariable("advbase", advbase);
|
||||
configlet.setVariable("have_advskew", use_advskew > 0);
|
||||
configlet.setVariable("advskew", use_advskew);
|
||||
configlet.setVariable("have_base_inetrface", !base_interface.empty());
|
||||
configlet.setVariable("base_inetrface", base_interface.c_str());
|
||||
configlet.setVariable("carp_password", carp_password.c_str());
|
||||
configlet.setVariable("vhid", vhid.c_str());
|
||||
|
||||
carp_output << configlet.expand().toStdString() << endl;
|
||||
}
|
||||
}
|
||||
|
||||
ostr << "sync_carp_interfaces "
|
||||
<< carp_interfaces.join(" ").toStdString()
|
||||
<< endl;
|
||||
|
||||
if (carp_interfaces.size() > 0)
|
||||
{
|
||||
ostr << carp_output.str() << endl;
|
||||
}
|
||||
}
|
||||
|
||||
|
||||
if ( options->getBool("configure_interfaces") )
|
||||
{
|
||||
ostr << endl;
|
||||
|
||||
std::auto_ptr<interfaceProperties> int_prop(
|
||||
interfacePropertiesObjectFactory::getInterfacePropertiesObject(
|
||||
fw->getStr("host_OS")));
|
||||
|
||||
list<FWObject*> all_interfaces = fw->getByTypeDeep(Interface::TYPENAME);
|
||||
all_interfaces.sort(compare_names);
|
||||
for (list<FWObject*>::iterator i=all_interfaces.begin();
|
||||
i != all_interfaces.end(); ++i )
|
||||
{
|
||||
Interface *iface = Interface::cast(*i);
|
||||
assert(iface);
|
||||
|
||||
if (!iface->isRegular()) continue;
|
||||
//if (iface->isFailoverInterface()) continue;
|
||||
|
||||
QStringList update_addresses;
|
||||
QStringList ignore_addresses;
|
||||
if (int_prop->manageIpAddresses(iface, update_addresses, ignore_addresses))
|
||||
{
|
||||
// unfortunately addresses in update_addresses are in
|
||||
// the form of address/masklen but OpenBSD ifconfig
|
||||
// uses hex netmask representation and so should we.
|
||||
// Will ignore update_addresses and ignore_addresses and
|
||||
// build our own list here. Returned value of manageIpAddresses()
|
||||
// is useful though.
|
||||
list<FWObject*> all_addr = iface->getByType(IPv4::TYPENAME);
|
||||
list<FWObject*> all_ipv6 = iface->getByType(IPv6::TYPENAME);
|
||||
all_addr.insert(all_addr.begin(), all_ipv6.begin(), all_ipv6.end());
|
||||
|
||||
const InetAddr *netmask = iface->getNetmaskPtr();
|
||||
|
||||
list<pair<InetAddr,InetAddr> > all_addresses;
|
||||
|
||||
for (list<FWObject*>::iterator j = all_addr.begin();
|
||||
j != all_addr.end(); ++j)
|
||||
{
|
||||
Address *iaddr = Address::cast(*j);
|
||||
const InetAddr *ipaddr = iaddr->getAddressPtr();
|
||||
const InetAddr *ipnetm = iaddr->getNetmaskPtr();
|
||||
all_addresses.push_back(
|
||||
pair<InetAddr,InetAddr>(*ipaddr, *ipnetm));
|
||||
}
|
||||
|
||||
set<const Address*>::iterator it;
|
||||
for (it=virtual_addresses.begin(); it!=virtual_addresses.end(); ++it)
|
||||
{
|
||||
const Address *addr = *it;
|
||||
FWObject *iaddr = findAddressFor(addr, fw );
|
||||
if (iaddr!=NULL)
|
||||
{
|
||||
Interface *iface_2 = Interface::cast(iaddr->getParent());
|
||||
if (iface_2 == iface)
|
||||
{
|
||||
all_addresses.push_back(
|
||||
pair<InetAddr,InetAddr>(
|
||||
*(addr->getAddressPtr()), *netmask));
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
ostr << updateAddressesOfInterfaceCall(iface, all_addresses) << endl;
|
||||
}
|
||||
}
|
||||
ostr << endl;
|
||||
}
|
||||
|
||||
|
||||
if ( options->getBool("configure_pfsync_interfaces") )
|
||||
{
|
||||
bool have_pfsync_interfaces = false;
|
||||
ostringstream pfsync_output;
|
||||
/*
|
||||
* http://www.kernel-panic.it/openbsd/carp/index.html
|
||||
* http://www.openbsd.org/faq/pf/carp.html
|
||||
* pfsync configuration:
|
||||
*
|
||||
* ifconfig pfsyncN syncdev syncdev [syncpeer syncpeer]
|
||||
*/
|
||||
FWObjectTypedChildIterator i=fw->findByType(Interface::TYPENAME);
|
||||
for ( ; i!=i.end(); ++i)
|
||||
{
|
||||
Interface *iface = Interface::cast(*i);
|
||||
assert(iface);
|
||||
|
||||
if ( ! iface->getOptionsObject()->getBool("state_sync_group_member"))
|
||||
continue;
|
||||
|
||||
int state_sync_group_id = FWObjectDatabase::getIntId(
|
||||
iface->getOptionsObject()->getStr("state_sync_group_id"));
|
||||
StateSyncClusterGroup *state_sync_group =
|
||||
StateSyncClusterGroup::cast(dbcopy->findInIndex(state_sync_group_id));
|
||||
assert(state_sync_group!=NULL);
|
||||
|
||||
// Interface can be state sync group member, but of a different type
|
||||
if (state_sync_group->getStr("type") != "pfsync") continue;
|
||||
|
||||
have_pfsync_interfaces = true;
|
||||
|
||||
Configlet configlet(fw, "bsd", "pfsync_interface");
|
||||
configlet.removeComments();
|
||||
configlet.collapseEmptyStrings(true);
|
||||
configlet.setVariable("syncdev", iface->getName().c_str());
|
||||
|
||||
if (state_sync_group->getOptionsObject()->getBool("syncpeer"))
|
||||
{
|
||||
for (FWObjectTypedChildIterator it =
|
||||
state_sync_group->findByType(FWObjectReference::TYPENAME);
|
||||
it != it.end(); ++it)
|
||||
{
|
||||
Interface *cluster_iface = Interface::cast(
|
||||
FWObjectReference::getObject(*it));
|
||||
assert(cluster_iface);
|
||||
|
||||
if (cluster_iface->getId() == iface->getId()) continue;
|
||||
|
||||
IPv4 *ipv4 = IPv4::cast(cluster_iface->getFirstByType(IPv4::TYPENAME));
|
||||
const InetAddr *addr = ipv4->getAddressPtr();
|
||||
|
||||
configlet.setVariable("have_syncpeer", 1);
|
||||
configlet.setVariable("syncpeer", addr->toString().c_str());
|
||||
}
|
||||
}
|
||||
pfsync_output << configlet.expand().toStdString() << endl;
|
||||
|
||||
break;
|
||||
}
|
||||
|
||||
ostr << "sync_pfsync_interfaces ";
|
||||
if (have_pfsync_interfaces) ostr << "pfsync0" << endl;
|
||||
else ostr << endl;
|
||||
|
||||
if (have_pfsync_interfaces)
|
||||
{
|
||||
ostr << pfsync_output.str() << endl;
|
||||
}
|
||||
}
|
||||
|
||||
return ostr.str();
|
||||
}
|
||||
|
||||
void OSConfigurator_bsd::setKernelVariable(Firewall *fw,
|
||||
const string &var_name,
|
||||
Configlet *configlet)
|
||||
@ -512,4 +174,3 @@ void OSConfigurator_bsd::setKernelVariable(Firewall *fw,
|
||||
}
|
||||
}
|
||||
|
||||
|
||||
|
@ -32,25 +32,61 @@
|
||||
|
||||
#include <set>
|
||||
|
||||
#include <QString>
|
||||
#include <QStringList>
|
||||
|
||||
|
||||
class Configlet;
|
||||
|
||||
namespace libfwbuilder
|
||||
{
|
||||
class Firewall;
|
||||
class Interface;
|
||||
class StateSyncClusterGroup;
|
||||
}
|
||||
|
||||
namespace fwcompiler {
|
||||
namespace fwcompiler
|
||||
{
|
||||
|
||||
class OSConfigurator_bsd : public OSConfigurator {
|
||||
class OSConfigurator_bsd : public OSConfigurator
|
||||
{
|
||||
|
||||
protected:
|
||||
std::set<const libfwbuilder::Address*> virtual_addresses;
|
||||
|
||||
void setKernelVariable(libfwbuilder::Firewall *fw,
|
||||
const std::string &var_name,
|
||||
Configlet *configlet);
|
||||
std::string updateAddressesOfInterfaceCall(
|
||||
virtual void setKernelVariable(libfwbuilder::Firewall *fw,
|
||||
const std::string &var_name,
|
||||
Configlet *configlet);
|
||||
|
||||
// functions that generate interface address configuration
|
||||
virtual QString listAllInterfacesConfigLine(QStringList intf_names,
|
||||
bool ipv6);
|
||||
|
||||
virtual QString updateAddressesOfInterface(
|
||||
libfwbuilder::Interface *iface,
|
||||
std::list<std::pair<libfwbuilder::InetAddr,libfwbuilder::InetAddr> > all_addresses);
|
||||
std::list<std::pair<libfwbuilder::InetAddr,libfwbuilder::InetAddr> >
|
||||
all_addresses);
|
||||
|
||||
// functions that generate VLAN configuration
|
||||
virtual QString listAllVlansConfgLine(QStringList vlan_names);
|
||||
|
||||
virtual QString updateVlansOfInterface(
|
||||
libfwbuilder::Interface *iface, QStringList vlan_names);
|
||||
|
||||
// functions that generate CARP interface configuration
|
||||
virtual QString listAllCARPConfgLine(QStringList carp_names);
|
||||
virtual QString updateCARPInterface(libfwbuilder::Interface *iface,
|
||||
libfwbuilder::FWObject *failover_group);
|
||||
virtual QString updateCARPInterfaceInternal(
|
||||
libfwbuilder::Interface *iface,
|
||||
libfwbuilder::FWObject *failover_group,
|
||||
Configlet *configlet);
|
||||
|
||||
// functions that generate pfsync interface configuration
|
||||
virtual QString listAllPfsyncConfgLine(bool have_pfsync);
|
||||
virtual QString updatePfsyncInterface(
|
||||
libfwbuilder::Interface *iface,
|
||||
libfwbuilder::StateSyncClusterGroup *sync_group);
|
||||
|
||||
|
||||
public:
|
||||
|
||||
|
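Review bot: The three new virtuals `listAllVlansConfgLine`, `listAllCARPConfgLine` and `listAllPfsyncConfgLine` carry a misspelling (`Confg`) in their names, and every subclass that overrides them will have to repeat it; renaming to `...ConfigLine` now, while this header is the only definition, is much cheaper than later. The hooks also take `QStringList` and `std::list<std::pair<InetAddr,InetAddr> >` by value; the std::list argument of `updateAddressesOfInterface` is deep-copied on every call, so `const std::list<...> &all_addresses` (and `const QStringList &` for consistency) is the usual choice for read-only inputs. A short comment on the protected section saying which output form the base implementations produce and that the rc.conf variant (OSConfigurator_freebsd, per the ChangeLog entry in this commit) overrides them would tell an implementer what to override. The class body continues outside the hunk.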
470
src/pflib/OSConfigurator_bsd_interfaces.cpp
Normal file
470
src/pflib/OSConfigurator_bsd_interfaces.cpp
Normal file
@ -0,0 +1,470 @@
|
||||
/*
|
||||
|
||||
Firewall Builder
|
||||
|
||||
Copyright (C) 2011 NetCitadel, LLC
|
||||
|
||||
Author: Vadim Kurland vadim@fwbuilder.org
|
||||
|
||||
This program is free software which we release under the GNU General Public
|
||||
License. You may redistribute and/or modify this program under the terms
|
||||
of that license as published by the Free Software Foundation; either
|
||||
version 2 of the License, or (at your option) any later version.
|
||||
|
||||
This program is distributed in the hope that it will be useful,
|
||||
but WITHOUT ANY WARRANTY; without even the implied warranty of
|
||||
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
|
||||
GNU General Public License for more details.
|
||||
|
||||
To get a copy of the GNU General Public License, write to the Free Software
|
||||
Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
|
||||
|
||||
*/
|
||||
|
||||
#include <assert.h>
|
||||
|
||||
#include "Configlet.h"
|
||||
#include "OSConfigurator_bsd.h"
|
||||
|
||||
#include "fwbuilder/Firewall.h"
|
||||
#include "fwbuilder/FWOptions.h"
|
||||
#include "fwbuilder/Interface.h"
|
||||
#include "fwbuilder/IPv4.h"
|
||||
#include "fwbuilder/IPv6.h"
|
||||
#include "fwbuilder/FailoverClusterGroup.h"
|
||||
#include "fwbuilder/StateSyncClusterGroup.h"
|
||||
|
||||
#include "interfaceProperties.h"
|
||||
#include "interfacePropertiesObjectFactory.h"
|
||||
|
||||
#include <QTextStream>
|
||||
#include <QString>
|
||||
|
||||
#include <algorithm>
|
||||
#include <memory>
|
||||
|
||||
|
||||
using namespace libfwbuilder;
|
||||
using namespace fwcompiler;
|
||||
using namespace std;
|
||||
|
||||
|
||||
/*
|
||||
* I need to sort interfaces by name but make sure carp interfaces are
|
||||
* always last. See #1807
|
||||
*/
|
||||
bool compare_names(FWObject *a, FWObject *b)
|
||||
{
|
||||
QString a_name = QString(a->getName().c_str());
|
||||
QString b_name = QString(b->getName().c_str());
|
||||
if (a_name.startsWith("carp") && b_name.startsWith("carp"))
|
||||
return a_name < b_name;
|
||||
if (a_name.startsWith("carp")) return false;
|
||||
if (b_name.startsWith("carp")) return true;
|
||||
return a_name < b_name;
|
||||
}
|
||||
|
||||
|
||||
string OSConfigurator_bsd::configureInterfaces()
|
||||
{
|
||||
ostringstream ostr;
|
||||
FWOptions* options = fw->getOptionsObject();
|
||||
|
||||
// Update vlans first because we may need to update ip addresses
|
||||
// on vlan interfaces later
|
||||
if ( options->getBool("configure_vlan_interfaces") )
|
||||
{
|
||||
QStringList vlan_interfaces; // all vlan interfaces
|
||||
QStringList vlan_output;
|
||||
|
||||
// http://blog.scottlowe.org/2007/08/31/vlan-interfaces-with-openbsd-41/
|
||||
// ifconfig <VLAN interface name> vlan <VLAN ID> vlandev <physical network device>
|
||||
FWObjectTypedChildIterator i=fw->findByType(Interface::TYPENAME);
|
||||
for ( ; i!=i.end(); ++i )
|
||||
{
|
||||
Interface *iface = Interface::cast(*i);
|
||||
assert(iface);
|
||||
|
||||
QStringList vlan_subinterfaces;
|
||||
|
||||
FWObjectTypedChildIterator si=iface->findByType(Interface::TYPENAME);
|
||||
for ( ; si!=si.end(); ++si )
|
||||
{
|
||||
Interface *subinterface = Interface::cast(*si);
|
||||
assert(subinterface);
|
||||
|
||||
if (subinterface->getOptionsObject()->getStr("type") == "8021q")
|
||||
{
|
||||
vlan_subinterfaces << subinterface->getName().c_str();
|
||||
vlan_interfaces << subinterface->getName().c_str();
|
||||
}
|
||||
}
|
||||
|
||||
if (vlan_subinterfaces.size() > 0)
|
||||
vlan_output << updateVlansOfInterface(iface, vlan_subinterfaces);
|
||||
}
|
||||
|
||||
// issue sync_vlan_interfaces command even if there are no vlans
|
||||
// since it deletes them on the firewall if they exist
|
||||
ostr << listAllVlansConfgLine(vlan_interfaces).toStdString()
|
||||
<< endl;
|
||||
|
||||
if (vlan_output.size() > 0)
|
||||
{
|
||||
ostr << vlan_output.join("\n").toStdString()
|
||||
<< endl;
|
||||
}
|
||||
}
|
||||
|
||||
|
||||
if ( options->getBool("configure_carp_interfaces") )
|
||||
{
|
||||
/*
|
||||
* Compiler::processFailoverGroup copies interfaces of the cluster to
|
||||
* the member firewall objects. This means when we scan interfaces of
|
||||
* the firewall here, we get both its normal interfaces and a copy of
|
||||
* cluster interfaces.
|
||||
*
|
||||
*/
|
||||
QStringList carp_output;
|
||||
QStringList carp_interfaces;
|
||||
|
||||
FWObjectTypedChildIterator i=fw->findByType(Interface::TYPENAME);
|
||||
for ( ; i!=i.end(); ++i )
|
||||
{
|
||||
Interface *iface = Interface::cast(*i);
|
||||
assert(iface);
|
||||
|
||||
if ( ! iface->isFailoverInterface()) continue;
|
||||
|
||||
FWObject *failover_group =
|
||||
iface->getFirstByType(FailoverClusterGroup::TYPENAME);
|
||||
if (failover_group && failover_group->getStr("type") == "carp")
|
||||
{
|
||||
carp_interfaces << iface->getName().c_str();
|
||||
carp_output << updateCARPInterface(iface, failover_group);
|
||||
}
|
||||
}
|
||||
|
||||
// issue "sync_carp_interfaces" call even when we have none, it will
|
||||
// delete those that might exist on the firewall
|
||||
ostr << listAllCARPConfgLine(carp_interfaces).toStdString()
|
||||
<< endl;
|
||||
|
||||
if (carp_interfaces.size() > 0)
|
||||
{
|
||||
ostr << carp_output.join("\n").toStdString() << endl;
|
||||
}
|
||||
}
|
||||
|
||||
|
||||
if ( options->getBool("configure_interfaces") )
|
||||
{
|
||||
ostr << endl;
|
||||
|
||||
std::auto_ptr<interfaceProperties> int_prop(
|
||||
interfacePropertiesObjectFactory::getInterfacePropertiesObject(
|
||||
fw->getStr("host_OS")));
|
||||
|
||||
list<FWObject*> all_interfaces = fw->getByTypeDeep(Interface::TYPENAME);
|
||||
all_interfaces.sort(compare_names);
|
||||
|
||||
QStringList configure_intf_commands;
|
||||
QStringList intf_names;
|
||||
QStringList ipv6_names;
|
||||
|
||||
for (list<FWObject*>::iterator i=all_interfaces.begin();
|
||||
i != all_interfaces.end(); ++i )
|
||||
{
|
||||
Interface *iface = Interface::cast(*i);
|
||||
assert(iface);
|
||||
|
||||
if (!iface->isRegular()) continue;
|
||||
//if (iface->isFailoverInterface()) continue;
|
||||
|
||||
QStringList update_addresses;
|
||||
QStringList ignore_addresses;
|
||||
if (int_prop->manageIpAddresses(iface, update_addresses, ignore_addresses))
|
||||
{
|
||||
// unfortunately addresses in update_addresses are in
|
||||
// the form of address/masklen but OpenBSD ifconfig
|
||||
// uses hex netmask representation and so should we.
|
||||
// Will ignore update_addresses and ignore_addresses and
|
||||
// build our own list here. Returned value of manageIpAddresses()
|
||||
// is useful though.
|
||||
list<FWObject*> all_addr = iface->getByType(IPv4::TYPENAME);
|
||||
list<FWObject*> all_ipv6 = iface->getByType(IPv6::TYPENAME);
|
||||
all_addr.insert(all_addr.begin(), all_ipv6.begin(), all_ipv6.end());
|
||||
|
||||
if (all_addr.size() > 0)
|
||||
intf_names << iface->getName().c_str();
|
||||
|
||||
if (all_ipv6.size() > 0)
|
||||
ipv6_names << iface->getName().c_str();
|
||||
|
||||
const InetAddr *netmask = iface->getNetmaskPtr();
|
||||
|
||||
list<pair<InetAddr,InetAddr> > all_addresses;
|
||||
|
||||
for (list<FWObject*>::iterator j = all_addr.begin();
|
||||
j != all_addr.end(); ++j)
|
||||
{
|
||||
Address *iaddr = Address::cast(*j);
|
||||
const InetAddr *ipaddr = iaddr->getAddressPtr();
|
||||
const InetAddr *ipnetm = iaddr->getNetmaskPtr();
|
||||
all_addresses.push_back(
|
||||
pair<InetAddr,InetAddr>(*ipaddr, *ipnetm));
|
||||
}
|
||||
|
||||
set<const Address*>::iterator it;
|
||||
for (it=virtual_addresses.begin(); it!=virtual_addresses.end(); ++it)
|
||||
{
|
||||
const Address *addr = *it;
|
||||
FWObject *iaddr = findAddressFor(addr, fw );
|
||||
if (iaddr!=NULL)
|
||||
{
|
||||
Interface *iface_2 = Interface::cast(iaddr->getParent());
|
||||
if (iface_2 == iface)
|
||||
{
|
||||
all_addresses.push_back(
|
||||
pair<InetAddr,InetAddr>(
|
||||
*(addr->getAddressPtr()), *netmask));
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
configure_intf_commands << updateAddressesOfInterface(
|
||||
iface, all_addresses);
|
||||
|
||||
}
|
||||
}
|
||||
|
||||
QString list_command;
|
||||
list_command = listAllInterfacesConfigLine(ipv6_names, true);
|
||||
if (!list_command.isEmpty())
|
||||
configure_intf_commands.push_front(list_command);
|
||||
|
||||
list_command = listAllInterfacesConfigLine(intf_names, false);
|
||||
if (!list_command.isEmpty())
|
||||
configure_intf_commands.push_front(list_command);
|
||||
|
||||
ostr << configure_intf_commands.join("\n").toStdString();
|
||||
ostr << endl;
|
||||
}
|
||||
|
||||
|
||||
if ( options->getBool("configure_pfsync_interfaces") )
|
||||
{
|
||||
bool have_pfsync_interfaces = false;
|
||||
QStringList pfsync_output;
|
||||
|
||||
FWObjectTypedChildIterator i=fw->findByType(Interface::TYPENAME);
|
||||
for ( ; i!=i.end(); ++i)
|
||||
{
|
||||
Interface *iface = Interface::cast(*i);
|
||||
assert(iface);
|
||||
|
||||
if ( ! iface->getOptionsObject()->getBool("state_sync_group_member"))
|
||||
continue;
|
||||
|
||||
int state_sync_group_id = FWObjectDatabase::getIntId(
|
||||
iface->getOptionsObject()->getStr("state_sync_group_id"));
|
||||
StateSyncClusterGroup *state_sync_group =
|
||||
StateSyncClusterGroup::cast(dbcopy->findInIndex(state_sync_group_id));
|
||||
assert(state_sync_group!=NULL);
|
||||
|
||||
// Interface can be state sync group member, but of a different type
|
||||
if (state_sync_group->getStr("type") != "pfsync") continue;
|
||||
|
||||
have_pfsync_interfaces = true;
|
||||
|
||||
pfsync_output << updatePfsyncInterface(iface, state_sync_group);
|
||||
|
||||
break;
|
||||
}
|
||||
|
||||
ostr << listAllPfsyncConfgLine(have_pfsync_interfaces).toStdString()
|
||||
<< endl;
|
||||
|
||||
if (have_pfsync_interfaces)
|
||||
{
|
||||
ostr << pfsync_output.join("\n").toStdString()
|
||||
<< endl;
|
||||
}
|
||||
}
|
||||
|
||||
return ostr.str();
|
||||
}
|
||||
|
||||
QString OSConfigurator_bsd::listAllInterfacesConfigLine(QStringList , bool )
|
||||
{
|
||||
return "";
|
||||
}
|
||||
|
||||
QString OSConfigurator_bsd::updateAddressesOfInterface(
|
||||
Interface *iface, list<pair<InetAddr,InetAddr> > all_addresses)
|
||||
{
|
||||
QStringList arg1;
|
||||
arg1.push_back(iface->getName().c_str());
|
||||
|
||||
for (list<pair<InetAddr,InetAddr> >::iterator j = all_addresses.begin();
|
||||
j != all_addresses.end(); ++j)
|
||||
{
|
||||
InetAddr ipaddr = j->first;
|
||||
InetAddr ipnetm = j->second;
|
||||
|
||||
if (ipaddr.isV6())
|
||||
arg1.push_back(QString("%1/%2").arg(ipaddr.toString().c_str())
|
||||
.arg(ipnetm.getLength()));
|
||||
else
|
||||
{
|
||||
/*
|
||||
on OpenBSD ifconfig prints netmask of ipv4 addresses in hex
|
||||
|
||||
# ifconfig em0
|
||||
em0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
|
||||
lladdr 00:0c:29:83:4d:2f
|
||||
media: Ethernet autoselect (1000baseT full-duplex,master)
|
||||
status: active
|
||||
inet 10.1.1.50 netmask 0xffffff00 broadcast 10.1.1.255
|
||||
inet6 fe80::20c:29ff:fe83:4d2f%em0 prefixlen 64 scopeid 0x2
|
||||
*/
|
||||
int nbits = ipnetm.getLength();
|
||||
uint32_t netm = 0;
|
||||
while (nbits)
|
||||
{
|
||||
netm = netm >> 1;
|
||||
netm |= 1<<31;
|
||||
nbits--;
|
||||
}
|
||||
|
||||
arg1.push_back(QString("%1/0x%2")
|
||||
.arg(ipaddr.toString().c_str())
|
||||
.arg(netm, -8, 16));
|
||||
}
|
||||
}
|
||||
|
||||
return QString("update_addresses_of_interface ") +
|
||||
"\"" + arg1.join(" ") + "\"" + " \"\"";
|
||||
}
|
||||
|
||||
|
||||
|
||||
QString OSConfigurator_bsd::listAllVlansConfgLine(QStringList vlan_names)
|
||||
{
|
||||
return QString("sync_vlan_interfaces %1").arg(vlan_names.join(" "));
|
||||
}
|
||||
|
||||
|
||||
QString OSConfigurator_bsd::updateVlansOfInterface(Interface *iface,
|
||||
QStringList vlan_names)
|
||||
{
|
||||
return QString("update_vlans_of_interface \"%1 %2\"")
|
||||
.arg(iface->getName().c_str())
|
||||
.arg(vlan_names.join(" "));
|
||||
}
|
||||
|
||||
QString OSConfigurator_bsd::listAllCARPConfgLine(QStringList carp_names)
|
||||
{
|
||||
return QString("sync_carp_interfaces %1").arg(carp_names.join(" "));
|
||||
}
|
||||
|
||||
QString OSConfigurator_bsd::updateCARPInterface(Interface *iface,
|
||||
FWObject *failover_group)
|
||||
{
|
||||
Configlet configlet(fw, "bsd", "carp_interface");
|
||||
return updateCARPInterfaceInternal(iface, failover_group, &configlet);
|
||||
}
|
||||
|
||||
QString OSConfigurator_bsd::updateCARPInterfaceInternal(
|
||||
Interface *iface, FWObject *failover_group, Configlet *configlet)
|
||||
{
|
||||
// failover_master and base_device are set in Compiler::processFailoverGroup
|
||||
FWOptions *ifopt = (Interface::cast(iface))->getOptionsObject();
|
||||
assert(ifopt != NULL);
|
||||
|
||||
bool master = ifopt->getBool("failover_master");
|
||||
string base_interface = ifopt->getStr("base_device");
|
||||
QStringList carp_interfaces;
|
||||
|
||||
carp_interfaces.push_back(iface->getName().c_str());
|
||||
|
||||
FWOptions *failover_opts =
|
||||
FailoverClusterGroup::cast(failover_group)->getOptionsObject();
|
||||
string carp_password = failover_opts->getStr("carp_password");
|
||||
if (carp_password.empty()) carp_password = "\"\"";
|
||||
string vhid = failover_opts->getStr("carp_vhid");
|
||||
int advbase = failover_opts->getInt("carp_advbase");
|
||||
int master_advskew = failover_opts->getInt("carp_master_advskew");
|
||||
int default_advskew = failover_opts->getInt("carp_default_advskew");
|
||||
|
||||
if (master_advskew < 0) master_advskew = 0;
|
||||
if (default_advskew < 0) default_advskew = 0;
|
||||
if (master_advskew == default_advskew) default_advskew++;
|
||||
|
||||
int use_advskew;
|
||||
if (master)
|
||||
use_advskew = master_advskew;
|
||||
else
|
||||
use_advskew = default_advskew;
|
||||
|
||||
configlet->removeComments();
|
||||
configlet->collapseEmptyStrings(true);
|
||||
configlet->setVariable("carp_interface", iface->getName().c_str());
|
||||
configlet->setVariable("have_advbase", advbase > 1);
|
||||
configlet->setVariable("advbase", advbase);
|
||||
configlet->setVariable("have_advskew", use_advskew > 0);
|
||||
configlet->setVariable("advskew", use_advskew);
|
||||
configlet->setVariable("have_base_inetrface", !base_interface.empty());
|
||||
configlet->setVariable("base_inetrface", base_interface.c_str());
|
||||
configlet->setVariable("carp_password", carp_password.c_str());
|
||||
configlet->setVariable("vhid", vhid.c_str());
|
||||
|
||||
return configlet->expand();
|
||||
}
|
||||
|
||||
QString OSConfigurator_bsd::listAllPfsyncConfgLine(bool have_pfsync)
|
||||
{
|
||||
return QString("sync_pfsync_interfaces %1").arg(have_pfsync?"pfsync0":"");
|
||||
}
|
||||
|
||||
/*
|
||||
* http://www.kernel-panic.it/openbsd/carp/index.html
|
||||
* http://www.openbsd.org/faq/pf/carp.html
|
||||
* pfsync configuration:
|
||||
*
|
||||
* ifconfig pfsyncN syncdev syncdev [syncpeer syncpeer]
|
||||
*/
|
||||
|
||||
QString OSConfigurator_bsd::updatePfsyncInterface(
|
||||
Interface *iface, StateSyncClusterGroup *state_sync_group)
|
||||
{
|
||||
Configlet configlet(fw, "bsd", "pfsync_interface");
|
||||
configlet.removeComments();
|
||||
configlet.collapseEmptyStrings(true);
|
||||
configlet.setVariable("syncdev", iface->getName().c_str());
|
||||
|
||||
if (state_sync_group->getOptionsObject()->getBool("syncpeer"))
|
||||
{
|
||||
for (FWObjectTypedChildIterator it =
|
||||
state_sync_group->findByType(FWObjectReference::TYPENAME);
|
||||
it != it.end(); ++it)
|
||||
{
|
||||
Interface *cluster_iface = Interface::cast(
|
||||
FWObjectReference::getObject(*it));
|
||||
assert(cluster_iface);
|
||||
|
||||
if (cluster_iface->getId() == iface->getId()) continue;
|
||||
|
||||
IPv4 *ipv4 = IPv4::cast(cluster_iface->getFirstByType(IPv4::TYPENAME));
|
||||
const InetAddr *addr = ipv4->getAddressPtr();
|
||||
|
||||
configlet.setVariable("have_syncpeer", 1);
|
||||
configlet.setVariable("syncpeer", addr->toString().c_str());
|
||||
}
|
||||
}
|
||||
return configlet.expand();
|
||||
}
|
||||
|
||||
|
||||
|
@ -2,11 +2,9 @@
|
||||
|
||||
Firewall Builder
|
||||
|
||||
Copyright (C) 2002 NetCitadel, LLC
|
||||
Copyright (C) 2002-2011 NetCitadel, LLC
|
||||
|
||||
Author: Vadim Kurland vadim@vk.crocodile.org
|
||||
|
||||
$Id$
|
||||
Author: Vadim Kurland vadim@fwbuilder.org
|
||||
|
||||
This program is free software which we release under the GNU General Public
|
||||
License. You may redistribute and/or modify this program under the terms
|
||||
@ -27,15 +25,19 @@
|
||||
|
||||
#include "OSConfigurator_freebsd.h"
|
||||
#include "Configlet.h"
|
||||
#include "interfaceProperties.h"
|
||||
#include "interfacePropertiesObjectFactory.h"
|
||||
|
||||
#include "fwbuilder/Firewall.h"
|
||||
#include "fwbuilder/FWOptions.h"
|
||||
#include "fwbuilder/Interface.h"
|
||||
#include "fwbuilder/IPv4.h"
|
||||
#include "fwbuilder/FailoverClusterGroup.h"
|
||||
#include "fwbuilder/StateSyncClusterGroup.h"
|
||||
|
||||
#include <algorithm>
|
||||
#include <functional>
|
||||
#include <iostream>
|
||||
#include <memory>
|
||||
|
||||
|
||||
using namespace libfwbuilder;
|
||||
using namespace fwcompiler;
|
||||
@ -45,13 +47,45 @@ string OSConfigurator_freebsd::myPlatformName() { return "FreeBSD"; }
|
||||
|
||||
string OSConfigurator_freebsd::printKernelVarsCommands()
|
||||
{
|
||||
Configlet kernel_vars(fw, "bsd", "kernel_vars");
|
||||
kernel_vars.removeComments();
|
||||
setKernelVariable(fw, "freebsd_ip_forward", &kernel_vars);
|
||||
setKernelVariable(fw, "freebsd_ipv6_forward", &kernel_vars);
|
||||
setKernelVariable(fw, "freebsd_ip_sourceroute", &kernel_vars);
|
||||
setKernelVariable(fw, "freebsd_ip_redirect", &kernel_vars);
|
||||
return kernel_vars.expand().toStdString();
|
||||
FWOptions* options = fw->getOptionsObject();
|
||||
std::auto_ptr<Configlet> kernel_vars;
|
||||
if (options->getBool("generate_rc_conf_file"))
|
||||
{
|
||||
kernel_vars = std::auto_ptr<Configlet>(
|
||||
new Configlet(fw, "freebsd", "rc_conf_kernel_vars"));
|
||||
} else
|
||||
{
|
||||
kernel_vars = std::auto_ptr<Configlet>(
|
||||
new Configlet(fw, "bsd", "kernel_vars"));
|
||||
}
|
||||
|
||||
kernel_vars->removeComments();
|
||||
setKernelVariable(fw, "freebsd_ip_forward", kernel_vars.get());
|
||||
setKernelVariable(fw, "freebsd_ipv6_forward", kernel_vars.get());
|
||||
setKernelVariable(fw, "freebsd_ip_sourceroute", kernel_vars.get());
|
||||
//setKernelVariable(fw, "freebsd_ip_redirect", kernel_vars.get());
|
||||
return kernel_vars->expand().toStdString();
|
||||
}
|
||||
|
||||
void OSConfigurator_freebsd::setKernelVariable(Firewall *fw,
|
||||
const string &var_name,
|
||||
Configlet *configlet)
|
||||
{
|
||||
FWOptions* options = fw->getOptionsObject();
|
||||
|
||||
if (options->getBool("generate_rc_conf_file"))
|
||||
{
|
||||
string s;
|
||||
s = options->getStr(var_name);
|
||||
if (!s.empty())
|
||||
{
|
||||
configlet->setVariable(QString("have_") + var_name.c_str(), 1);
|
||||
string yesno = (s=="1" || s=="on" || s=="On") ? "YES" : "NO";
|
||||
configlet->setVariable(QString(var_name.c_str()),
|
||||
QString(yesno.c_str()));
|
||||
}
|
||||
} else
|
||||
OSConfigurator_bsd::setKernelVariable(fw, var_name, configlet);
|
||||
}
|
||||
|
||||
int OSConfigurator_freebsd::prolog()
|
||||
@ -66,4 +100,272 @@ int OSConfigurator_freebsd::prolog()
|
||||
return 0;
|
||||
}
|
||||
|
||||
QString OSConfigurator_freebsd::listAllInterfacesConfigLine(QStringList names,
|
||||
bool ipv6)
|
||||
{
|
||||
FWOptions* options = fw->getOptionsObject();
|
||||
if (options->getBool("generate_rc_conf_file"))
|
||||
{
|
||||
if (ipv6)
|
||||
{
|
||||
return "ipv6_network_interfaces=\"" + names.join(" ") + "\"";
|
||||
} else
|
||||
{
|
||||
return "network_interfaces=\"" + names.join(" ") + "\"";
|
||||
}
|
||||
} else
|
||||
return "";
|
||||
}
|
||||
|
||||
QString OSConfigurator_freebsd::updateAddressesOfInterface(
|
||||
Interface *iface, list<pair<InetAddr,InetAddr> > all_addresses)
|
||||
{
|
||||
FWOptions* options = fw->getOptionsObject();
|
||||
if (options->getBool("generate_rc_conf_file"))
|
||||
{
|
||||
/*
|
||||
* lines in rc.conf have the following format:
|
||||
*
|
||||
* network_interfaces="ed0 ed1 lo0"
|
||||
* ifconfig_ed0="inet 192.0.2.1 netmask 0xffffff00"
|
||||
* ipv4_addrs_ed0="192.0.2.129/27 192.0.2.1-5/28"
|
||||
*
|
||||
*/
|
||||
|
||||
QString interface_name = iface->getName().c_str();
|
||||
QStringList addr_conf;
|
||||
|
||||
int ipv4_alias_counter = -2;
|
||||
int ipv6_alias_counter = -2;
|
||||
|
||||
for (list<pair<InetAddr,InetAddr> >::iterator j = all_addresses.begin();
|
||||
j != all_addresses.end(); ++j)
|
||||
{
|
||||
QString ipv4_conf_line;
|
||||
QString ipv6_conf_line;
|
||||
|
||||
InetAddr ipaddr = j->first;
|
||||
InetAddr ipnetm = j->second;
|
||||
|
||||
if (ipaddr.isV6())
|
||||
{
|
||||
ipv6_conf_line +=
|
||||
QString("%1/%2")
|
||||
.arg(ipaddr.toString().c_str())
|
||||
.arg(ipnetm.getLength());
|
||||
ipv6_alias_counter++;
|
||||
} else
|
||||
{
|
||||
int nbits = ipnetm.getLength();
|
||||
uint32_t netm = 0;
|
||||
while (nbits)
|
||||
{
|
||||
netm = netm >> 1;
|
||||
netm |= 1<<31;
|
||||
nbits--;
|
||||
}
|
||||
|
||||
ipv4_conf_line +=
|
||||
QString("inet %1 netmask 0x%2")
|
||||
.arg(ipaddr.toString().c_str())
|
||||
.arg(netm, -8, 16);
|
||||
|
||||
ipv4_alias_counter++;
|
||||
}
|
||||
|
||||
if (!ipv4_conf_line.isEmpty())
|
||||
{
|
||||
QString suffix;
|
||||
if (ipv4_alias_counter>=0)
|
||||
suffix = QString("_alias%1").arg(ipv4_alias_counter);
|
||||
addr_conf << QString("ifconfig_%1%2=\"%3\"")
|
||||
.arg(interface_name)
|
||||
.arg(suffix)
|
||||
.arg(ipv4_conf_line);
|
||||
}
|
||||
|
||||
if (!ipv6_conf_line.isEmpty())
|
||||
{
|
||||
QString suffix;
|
||||
if (ipv6_alias_counter>=0)
|
||||
suffix = QString("_alias%1").arg(ipv6_alias_counter);
|
||||
addr_conf << QString("ipv6_ifconfig_%1%2=\"%3\"")
|
||||
.arg(interface_name)
|
||||
.arg(suffix)
|
||||
.arg(ipv6_conf_line);
|
||||
}
|
||||
}
|
||||
|
||||
return addr_conf.join("\n");
|
||||
|
||||
} else
|
||||
return OSConfigurator_bsd::updateAddressesOfInterface(iface, all_addresses);
|
||||
}
|
||||
|
||||
QString OSConfigurator_freebsd::listAllVlansConfgLine(QStringList vlan_names)
|
||||
{
|
||||
FWOptions* options = fw->getOptionsObject();
|
||||
if (options->getBool("generate_rc_conf_file"))
|
||||
{
|
||||
return "";
|
||||
} else
|
||||
return QString("sync_vlan_interfaces %1").arg(vlan_names.join(" "));
|
||||
}
|
||||
|
||||
/*
|
||||
|
||||
For rc.conf format:
|
||||
|
||||
If a vlans_<interface> variable is set, a vlan(4) interface
|
||||
will be created for each item in the list with the vlandev
|
||||
argument set to interface. If a vlan interface's name is a
|
||||
number, then that number is used as the vlan tag and the new
|
||||
vlan interface is named interface.tag. Otherwise, the vlan
|
||||
tag must be specified via a vlan parameter in the
|
||||
create_args_<interface> variable.
|
||||
|
||||
To create a vlan device named em0.101 on em0 with the vlan
|
||||
tag 101:
|
||||
|
||||
vlans_em0="101"
|
||||
|
||||
To create a vlan device named myvlan on em0 with the vlan tag
|
||||
102:
|
||||
|
||||
vlans_em0="myvlan"
|
||||
create_args_myvlan="vlan 102"
|
||||
|
||||
*/
|
||||
QString OSConfigurator_freebsd::updateVlansOfInterface(Interface *iface,
|
||||
QStringList vlan_names)
|
||||
{
|
||||
FWOptions* options = fw->getOptionsObject();
|
||||
if (options->getBool("generate_rc_conf_file"))
|
||||
{
|
||||
QStringList outp;
|
||||
outp << QString("vlans_%1=\"%2\"").arg(iface->getName().c_str())
|
||||
.arg(vlan_names.join(" "));
|
||||
foreach(QString vlan_intf_name, vlan_names)
|
||||
{
|
||||
std::auto_ptr<interfaceProperties> int_prop(
|
||||
interfacePropertiesObjectFactory::getInterfacePropertiesObject(
|
||||
fw->getStr("host_OS")));
|
||||
QString parent_name_from_regex;
|
||||
int vlan_id;
|
||||
if (int_prop->parseVlan(vlan_intf_name,
|
||||
&parent_name_from_regex, &vlan_id))
|
||||
{
|
||||
outp << QString("create_args_%1=\"vlan %2\"")
|
||||
.arg(vlan_intf_name).arg(vlan_id);
|
||||
}
|
||||
}
|
||||
return outp.join("\n");
|
||||
} else
|
||||
return QString("update_vlans_of_interface \"%1 %2\"")
|
||||
.arg(iface->getName().c_str())
|
||||
.arg(vlan_names.join(" "));
|
||||
}
|
||||
|
||||
|
||||
QString OSConfigurator_freebsd::listAllCARPConfgLine(QStringList carp_names)
|
||||
{
|
||||
FWOptions* options = fw->getOptionsObject();
|
||||
if (options->getBool("generate_rc_conf_file"))
|
||||
{
|
||||
return QString("cloned_interfaces=\"%1\"").arg(carp_names.join(" "));;
|
||||
} else
|
||||
return OSConfigurator_bsd::listAllCARPConfgLine(carp_names);
|
||||
}
|
||||
|
||||
QString OSConfigurator_freebsd::updateCARPInterface(Interface *iface,
|
||||
FWObject *failover_group)
|
||||
{
|
||||
FWOptions* options = fw->getOptionsObject();
|
||||
if (options->getBool("generate_rc_conf_file"))
|
||||
{
|
||||
Configlet configlet(fw, "freebsd", "rc_conf_carp_interface");
|
||||
return updateCARPInterfaceInternal(iface, failover_group, &configlet);
|
||||
} else
|
||||
return OSConfigurator_bsd::updateCARPInterface(iface, failover_group);
|
||||
}
|
||||
|
||||
QString OSConfigurator_freebsd::listAllPfsyncConfgLine(bool have_pfsync)
|
||||
{
|
||||
FWOptions* options = fw->getOptionsObject();
|
||||
if (options->getBool("generate_rc_conf_file"))
|
||||
{
|
||||
return "pfsync_enable=\"YES\"";
|
||||
} else
|
||||
return OSConfigurator_bsd::listAllPfsyncConfgLine(have_pfsync);
|
||||
}
|
||||
|
||||
/*
|
||||
in rc.conf format:
|
||||
|
||||
pfsync_enable
|
||||
(bool) Set to ``NO'' by default. Setting this to ``YES''
|
||||
enables exposing pf(4) state changes to other hosts over the
|
||||
network by means of pfsync(4). The pfsync_syncdev variable
|
||||
must also be set then.
|
||||
|
||||
pfsync_syncdev
|
||||
(str) Empty by default. This variable specifies the name of
|
||||
the network interface pfsync(4) should operate through. It
|
||||
must be set accordingly if pfsync_enable is set to ``YES''.
|
||||
|
||||
pfsync_syncpeer
|
||||
(str) Empty by default. This variable is optional. By
|
||||
default, state change messages are sent out on the synchroni-
|
||||
sation interface using IP multicast packets. The protocol is
|
||||
IP protocol 240, PFSYNC, and the multicast group used is
|
||||
224.0.0.240. When a peer address is specified using the
|
||||
pfsync_syncpeer option, the peer address is used as a desti-
|
||||
nation for the pfsync traffic, and the traffic can then be
|
||||
protected using ipsec(4). See the pfsync(4) manpage for more
|
||||
details about using ipsec(4) with pfsync(4) interfaces.
|
||||
|
||||
pfsync_ifconfig
|
||||
(str) Empty by default. This variable can contain additional
|
||||
options to be passed to the ifconfig(8) command used to set
|
||||
up pfsync(4).
|
||||
*/
|
||||
|
||||
QString OSConfigurator_freebsd::updatePfsyncInterface(
|
||||
Interface *iface, StateSyncClusterGroup *state_sync_group)
|
||||
{
|
||||
FWOptions* options = fw->getOptionsObject();
|
||||
if (options->getBool("generate_rc_conf_file"))
|
||||
{
|
||||
Configlet configlet(fw, "freebsd", "rc_conf_pfsync_interface");
|
||||
configlet.removeComments();
|
||||
configlet.collapseEmptyStrings(true);
|
||||
configlet.setVariable("syncdev", iface->getName().c_str());
|
||||
|
||||
if (state_sync_group->getOptionsObject()->getBool("syncpeer"))
|
||||
{
|
||||
for (FWObjectTypedChildIterator it =
|
||||
state_sync_group->findByType(FWObjectReference::TYPENAME);
|
||||
it != it.end(); ++it)
|
||||
{
|
||||
Interface *cluster_iface = Interface::cast(
|
||||
FWObjectReference::getObject(*it));
|
||||
assert(cluster_iface);
|
||||
|
||||
if (cluster_iface->getId() == iface->getId()) continue;
|
||||
|
||||
IPv4 *ipv4 = IPv4::cast(cluster_iface->getFirstByType(IPv4::TYPENAME));
|
||||
const InetAddr *addr = ipv4->getAddressPtr();
|
||||
|
||||
configlet.setVariable("have_syncpeer", 1);
|
||||
configlet.setVariable("syncpeer", addr->toString().c_str());
|
||||
}
|
||||
}
|
||||
return configlet.expand();
|
||||
|
||||
} else
|
||||
return OSConfigurator_bsd::updatePfsyncInterface(iface, state_sync_group);
|
||||
|
||||
}
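Review bot: printKernelVarsCommands now has `//setKernelVariable(fw, "freebsd_ip_redirect", kernel_vars.get());` commented out unconditionally, so the ICMP-redirect setting that the previous version emitted into the shell script is dropped for the classic format too, not only for rc.conf; if the reason is that rc_conf_kernel_vars has no matching line, move the call into the `else` branch (rc.conf(5) does offer `icmp_drop_redirect`, with inverted sense, if parity is wanted). In listAllPfsyncConfgLine the rc.conf branch returns `pfsync_enable="YES"` regardless of `have_pfsync`, and configureInterfaces in the base class calls it even when no pfsync interface exists, so the generated rc.conf enables pfsync without a pfsync_syncdev — the rc.conf(5) excerpt quoted above updatePfsyncInterface says syncdev must then be set; `return have_pfsync ? "pfsync_enable=\"YES\"" : "pfsync_enable=\"NO\"";` avoids it. In updatePfsyncInterface the pointer from `IPv4::cast(cluster_iface->getFirstByType(IPv4::TYPENAME))` is dereferenced without a null check, so a cluster interface with no IPv4 address crashes the compiler; the loop is a copy of the base-class body and could call a shared helper instead. The netmask loop in updateAddressesOfInterface is likewise duplicated from the base and shifts into the sign bit with `1<<31`; `1u<<31` (or a helper returning the mask) is cleaner.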
|
||||
|
||||
|
||||
|
||||
|
@ -31,10 +31,41 @@
|
||||
#include "OSConfigurator_bsd.h"
|
||||
#include "OSData.h"
|
||||
|
||||
namespace fwcompiler {
|
||||
namespace fwcompiler
|
||||
{
|
||||
|
||||
class OSConfigurator_freebsd : public OSConfigurator_bsd {
|
||||
class OSConfigurator_freebsd : public OSConfigurator_bsd
|
||||
{
|
||||
|
||||
virtual void setKernelVariable(libfwbuilder::Firewall *fw,
|
||||
const std::string &var_name,
|
||||
Configlet *configlet);
|
||||
|
||||
virtual QString listAllInterfacesConfigLine(QStringList intf_names,
|
||||
bool ipv6);
|
||||
virtual QString updateAddressesOfInterface(
|
||||
libfwbuilder::Interface *iface,
|
||||
std::list<std::pair<libfwbuilder::InetAddr,libfwbuilder::InetAddr> >
|
||||
all_addresses);
|
||||
|
||||
|
||||
virtual QString listAllVlansConfgLine(QStringList vlan_names);
|
||||
|
||||
virtual QString updateVlansOfInterface(
|
||||
libfwbuilder::Interface *iface, QStringList vlan_names);
|
||||
|
||||
// functions that generate CARP interface configuration
|
||||
virtual QString listAllCARPConfgLine(QStringList carp_names);
|
||||
virtual QString updateCARPInterface(libfwbuilder::Interface *iface,
|
||||
libfwbuilder::FWObject *failover_group);
|
||||
|
||||
// functions that generate pfsync interface configuration
|
||||
virtual QString listAllPfsyncConfgLine(bool have_pfsync);
|
||||
virtual QString updatePfsyncInterface(
|
||||
libfwbuilder::Interface *iface,
|
||||
libfwbuilder::StateSyncClusterGroup *sync_group);
|
||||
|
||||
|
||||
public:
|
||||
|
||||
virtual ~OSConfigurator_freebsd() {};
|
||||
|
@ -31,9 +31,11 @@
|
||||
#include "OSConfigurator_bsd.h"
|
||||
#include "OSData.h"
|
||||
|
||||
namespace fwcompiler {
|
||||
namespace fwcompiler
|
||||
{
|
||||
|
||||
class OSConfigurator_macosx : public OSConfigurator_bsd {
|
||||
class OSConfigurator_macosx : public OSConfigurator_bsd
|
||||
{
|
||||
|
||||
public:
|
||||
|
||||
|
@ -31,9 +31,11 @@
|
||||
#include "OSConfigurator_bsd.h"
|
||||
#include "OSData.h"
|
||||
|
||||
namespace fwcompiler {
|
||||
namespace fwcompiler
|
||||
{
|
||||
|
||||
class OSConfigurator_openbsd : public OSConfigurator_bsd {
|
||||
class OSConfigurator_openbsd : public OSConfigurator_bsd
|
||||
{
|
||||
|
||||
public:
|
||||
|
||||
|
@ -129,7 +129,3 @@ string OSConfigurator_solaris::configureInterfaces()
|
||||
return ostr.str();
|
||||
}
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
@ -43,11 +43,13 @@
|
||||
* generic name, something like OSConfigurator_generic_pf_ipf_family
|
||||
*/
|
||||
|
||||
namespace fwcompiler {
|
||||
namespace fwcompiler
|
||||
{
|
||||
|
||||
class OSConfigurator_solaris : public OSConfigurator_bsd {
|
||||
class OSConfigurator_solaris : public OSConfigurator_bsd
|
||||
{
|
||||
|
||||
OSData os_data;
|
||||
OSData os_data;
|
||||
|
||||
std::vector<libfwbuilder::InetAddr> virtual_addresses;
|
||||
|
||||
|
@ -14,6 +14,7 @@ SOURCES = TableFactory.cpp \
|
||||
NATCompiler_pf_negation.cpp \
|
||||
NATCompiler_pf_writers.cpp \
|
||||
OSConfigurator_bsd.cpp \
|
||||
OSConfigurator_bsd_interfaces.cpp \
|
||||
OSConfigurator_freebsd.cpp \
|
||||
OSConfigurator_macosx.cpp \
|
||||
OSConfigurator_openbsd.cpp \
|
||||
|
22
src/res/configlets/freebsd/rc_conf_carp_interface
@ -0,0 +1,22 @@
|
||||
## -*- mode: shell-script; -*-
|
||||
##
|
||||
## Lines that start with "##" will be removed before this code is
|
||||
## added to the generated script. Regular shell comments can be added
|
||||
## using single "#", these will appear in the script.
|
||||
##
|
||||
##
|
||||
## CARP
|
||||
## ifconfig carp-interface [advbase n] [advskew n] [carpdev iface]
|
||||
## [pass passphrase] [state state] [vhid host-id]
|
||||
##
|
||||
## for pfsync and CARP see http://www.kernel-panic.it/openbsd/carp/
|
||||
## "Redundant firewalls with OpenBSD, CARP and pfsync"
|
||||
##
|
||||
## here is how to configure CARP interfaces in rc.conf
|
||||
##
|
||||
## http://blas.phemo.us/articles/2007/04/04/setting-up-and-configuring-carp-interfaces-on-freebsd
|
||||
|
||||
ifconfig_{{$carp_interface}}="vhid {{$vhid}} pass {{$carp_password}} {{if have_advbase}} advbase {{$advbase}}{{endif}} {{if have_advskew}} advskew {{$advskew}}{{endif}} {{if have_base_inetrface}} carpdev {{$base_inetrface}}{{endif}}"
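Review bot: `pass {{$carp_password}}` is expanded inside an rc.conf value that is already double-quoted, and updateCARPInterfaceInternal in the base class substitutes the literal `""` when the password is empty (`if (carp_password.empty()) carp_password = "\"\"";`); the script format gets a valid empty argument, but here sh collapses the inner `""` to nothing and ifconfig reads the next keyword (`advbase`, `advskew` or `carpdev`) as the passphrase, or fails if none follows. A password containing spaces or quotes breaks the same way. Guard the clause in this template, e.g. `{{if have_carp_password}} pass {{$carp_password}}{{endif}}`, with the flag set alongside the other have_* variables in updateCARPInterfaceInternal. Note also that /etc/rc.conf is typically world-readable, so the CARP passphrase becomes readable to every local user; the documentation for the rc.conf option should say so.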
|
||||
|
||||
|
||||
|
19
src/res/configlets/freebsd/rc_conf_kernel_vars
@ -0,0 +1,19 @@
|
||||
## -*- mode: shell-script; -*-
|
||||
##
|
||||
## To be able to make changes to the part of configuration created
|
||||
## from this configlet you need to copy this file to the directory
|
||||
## fwbuilder/configlets/freebsd/ in your home directory and modify it.
|
||||
## Double "##" comments are removed during processing but single "#"
|
||||
## comments are be retained and appear in the generated script. Empty
|
||||
## lines are removed as well.
|
||||
##
|
||||
## Configlets support simple macro language with these constructs:
|
||||
## {{$var}} is variable expansion
|
||||
## {{if var}} is conditional operator.
|
||||
|
||||
{{if have_freebsd_ip_forward}}gateway_enable="{{$freebsd_ip_forward}}"{{endif}}
|
||||
{{if have_freebsd_ipv6_forward}}ipv6_gateway_enable="{{$freebsd_ipv6_forward}}"{{endif}}
|
||||
|
||||
{{if have_freebsd_ip_sourceroute}}forward_sourceroute="{{$freebsd_ip_sourceroute}}"{{endif}}
|
||||
{{if have_freebsd_ip_sourceroute}}accept_sourceroute="{{$freebsd_ip_sourceroute}}"{{endif}}
|
||||
|
10
src/res/configlets/freebsd/rc_conf_pfsync_interface
@ -0,0 +1,10 @@
|
||||
## -*- mode: shell-script; -*-
|
||||
##
|
||||
## Lines that start with "##" will be removed before this code is
|
||||
## added to the generated script. Regular shell comments can be added
|
||||
## using single "#", these will appear in the script.
|
||||
##
|
||||
##
|
||||
|
||||
pfsync_syncdev="{{$syncdev}}"
|
||||
{{if have_syncpeer}}pfsync_syncpeer="{{$syncpeer}}"{{endif}}
|
14
src/res/configlets/pf/rc_conf_activation
@ -0,0 +1,14 @@
|
||||
## -*- mode: shell-script; -*-
|
||||
##
|
||||
## To be able to make changes to the part of configuration created
|
||||
## from this configlet you need to copy this file to the directory
|
||||
## fwbuilder/configlets/pf/ in your home directory and modify it.
|
||||
## Double "##" comments are removed during processing but single "#"
|
||||
## comments are be retained and appear in the generated script. Empty
|
||||
## lines are removed as well.
|
||||
##
|
||||
## Configlets support simple macro language with these constructs:
|
||||
## {{$var}} is variable expansion
|
||||
## {{if var}} is conditional operator.
|
||||
##
|
||||
pf_rules="{{$remote_file}}"
|
32
src/res/configlets/pf/rc_conf_skeleton
@ -0,0 +1,32 @@
|
||||
## -*- mode: shell-script; -*-
|
||||
##
|
||||
## To be able to make changes to the part of configuration created
|
||||
## from this configlet you need to copy this file to the directory
|
||||
## fwbuilder/configlets/pf/ in your home directory and modify it.
|
||||
## Double "##" comments are removed during processing but single "#"
|
||||
## comments are be retained and appear in the generated script. Empty
|
||||
## lines are removed as well.
|
||||
##
|
||||
## Configlets support simple macro language with these constructs:
|
||||
## {{$var}} is variable expansion
|
||||
## {{if var}} is conditional operator.
|
||||
##
|
||||
## Parts of this configlets will be translated to variable=value syntax
|
||||
## used by rc.conf files
|
||||
##
|
||||
{{$top_comment}}
|
||||
|
||||
{{$errors_and_warnings}}
|
||||
|
||||
{{$kernel_vars_commands}}
|
||||
|
||||
{{$prolog_script}}
|
||||
|
||||
{{$configure_interfaces}}
|
||||
|
||||
pf_enable="YES"
|
||||
{{$activation_commands}}
|
||||
|
||||
{{$routing_script}}
|
||||
|
||||
{{$epilog_script}}
|
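Review bot: `{{$prolog_script}}`, `{{$epilog_script}}`, `{{$routing_script}}` and `{{$kernel_vars_commands}}` are expanded here exactly as in the shell-script skeleton, but rc.conf is sourced by every rc script and may only hold variable assignments; the prolog and epilog are free-form shell typed into the GUI (the `prolog_script` and `epilog_script` options appear in the test fixture), so whatever the user entered would run at each sourcing of rc.conf rather than once at activation. Unless OSConfigurator_freebsd.cpp translates these into rc.conf variables (routes into `static_routes` and `defaultrouter`, for example) or refuses them in rc.conf mode, the generator should report the omission through `{{$errors_and_warnings}}` and drop them. The header line `Parts of this configlets will be translated to variable=value syntax` would be more useful if it named which parts, e.g. `## Only interface, pf and pfsync settings are emitted; prolog/epilog and routing scripts are not supported in rc.conf format` once the behaviour is settled.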
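--- /dev/null
+++ b/src/res/configlets/pf/rc_conf_top_comment
@@ -0,0 +1,12 @@
+#
+# This is automatically generated file. DO NOT MODIFY !
+#
+# Firewall Builder fwb_pf v{{$version}}
+#
+# Generated {{$timestamp}} {{$tz}} by {{$user}}
+#
+{{$manifest}}
+#
+# Compiled for {{$platform}} {{$fw_version}}
+#
+{{$comment}}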
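Review bot: `{{$manifest}}` and `{{$comment}}` are expanded as whole lines with no `#` prefix of their own, so this file relies on the generator prefixing every line of the manifest and of the firewall object's comment with `#`; the comment is free multi-line text from the GUI, and any line left unprefixed would be executed by sh when rc.conf is sourced at boot. If the existing shell-script top_comment code path is reused that prefixing is presumably already in place, but it is worth confirming for the rc.conf output specifically, since a miss here turns a stored comment into boot-time command execution. A `##` note in this configlet stating the assumption, e.g. `## $manifest and $comment must be expanded with every line prefixed by "#"`, would document it for anyone editing the template.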
@ -238,7 +238,7 @@ void GeneratedScriptTest::ActivationCommandsTest_1()
|
||||
{
|
||||
objdb = new FWObjectDatabase();
|
||||
QString res = Configlet::findConfigletInFile("activation", "ipf1.fw");
|
||||
CPPUNIT_ASSERT(res.indexOf("$IPF -I -f ${FWDIR}/ipf1-ipf.conf") != -1);
|
||||
CPPUNIT_ASSERT(res.indexOf("$IPF -I -f /etc/ipf1-ipf.conf") != -1);
|
||||
delete objdb;
|
||||
}
|
||||
|
||||
@ -246,7 +246,7 @@ void GeneratedScriptTest::ActivationCommandsTest_2()
|
||||
{
|
||||
objdb = new FWObjectDatabase();
|
||||
QString res = Configlet::findConfigletInFile("activation", "ipf2-1.fw");
|
||||
CPPUNIT_ASSERT(res.indexOf("$IPF -I -f ${FWDIR}/ipf2-1-ipf.conf") != -1);
|
||||
CPPUNIT_ASSERT(res.indexOf("$IPF -I -f /etc/ipf2-1-ipf.conf") != -1);
|
||||
delete objdb;
|
||||
}
|
||||
|
||||
@ -254,7 +254,7 @@ void GeneratedScriptTest::ActivationCommandsTest_3()
|
||||
{
|
||||
objdb = new FWObjectDatabase();
|
||||
QString res = Configlet::findConfigletInFile("activation", "ipf2-1");
|
||||
CPPUNIT_ASSERT(res.indexOf("$IPF -I -f ${FWDIR}/ipf2-1-ipf.conf") != -1);
|
||||
CPPUNIT_ASSERT(res.indexOf("$IPF -I -f /etc/ipf2-1-ipf.conf") != -1);
|
||||
delete objdb;
|
||||
}
|
||||
|
||||
@ -262,7 +262,7 @@ void GeneratedScriptTest::ActivationCommandsTest_4()
|
||||
{
|
||||
objdb = new FWObjectDatabase();
|
||||
QString res = Configlet::findConfigletInFile("activation", "ipf2-1.fw");
|
||||
CPPUNIT_ASSERT(res.indexOf("$IPF -I -f ${FWDIR}/ipf2-1-ipf.conf") != -1);
|
||||
CPPUNIT_ASSERT(res.indexOf("$IPF -I -f /etc/ipf2-1-ipf.conf") != -1);
|
||||
delete objdb;
|
||||
}
|
||||
|
||||
|
@ -278,7 +278,7 @@ void GeneratedScriptTest::ActivationCommandsTest_1()
|
||||
objdb = new FWObjectDatabase();
|
||||
QString res = Configlet::findConfigletInFile("activation", "pf1.fw")
|
||||
.split(QRegExp("\\s+")).join(" ");
|
||||
CPPUNIT_ASSERT(res.indexOf("$PFCTL \\ -f \\ ${FWDIR}/pf1.conf") != -1);
|
||||
CPPUNIT_ASSERT(res.indexOf("$PFCTL \\ -f \\ /etc/pf1.conf") != -1);
|
||||
delete objdb;
|
||||
}
|
||||
|
||||
@ -287,7 +287,7 @@ void GeneratedScriptTest::ActivationCommandsTest_2()
|
||||
objdb = new FWObjectDatabase();
|
||||
QString res = Configlet::findConfigletInFile("activation", "ipf2-1.fw")
|
||||
.split(QRegExp("\\s+")).join(" ");
|
||||
CPPUNIT_ASSERT(res.indexOf("$PFCTL \\ -f \\ ${FWDIR}/ipf2-1.conf") != -1);
|
||||
CPPUNIT_ASSERT(res.indexOf("$PFCTL \\ -f \\ /etc/ipf2-1.conf") != -1);
|
||||
delete objdb;
|
||||
}
|
||||
|
||||
@ -296,7 +296,7 @@ void GeneratedScriptTest::ActivationCommandsTest_3()
|
||||
objdb = new FWObjectDatabase();
|
||||
QString res = Configlet::findConfigletInFile("activation", "ipf2-1.fw")
|
||||
.split(QRegExp("\\s+")).join(" ");
|
||||
CPPUNIT_ASSERT(res.indexOf("$PFCTL \\ -f \\ ${FWDIR}/ipf2-1.conf") != -1);
|
||||
CPPUNIT_ASSERT(res.indexOf("$PFCTL \\ -f \\ /etc/ipf2-1.conf") != -1);
|
||||
delete objdb;
|
||||
}
|
||||
|
||||
@ -305,7 +305,7 @@ void GeneratedScriptTest::ActivationCommandsTest_4()
|
||||
objdb = new FWObjectDatabase();
|
||||
QString res = Configlet::findConfigletInFile("activation", "pf2-1.fw")
|
||||
.split(QRegExp("\\s+")).join(" ");
|
||||
CPPUNIT_ASSERT(res.indexOf("$PFCTL \\ -f \\ ${FWDIR}/ipf2-1.conf") != -1);
|
||||
CPPUNIT_ASSERT(res.indexOf("$PFCTL \\ -f \\ /etc/ipf2-1.conf") != -1);
|
||||
delete objdb;
|
||||
}
|
||||
|
||||
@ -333,7 +333,7 @@ void GeneratedScriptTest::ActivationCommandsTest_8()
|
||||
objdb = new FWObjectDatabase();
|
||||
QString res = Configlet::findConfigletInFile("activation", "pf5.fw")
|
||||
.split(QRegExp("\\s+")).join(" ");
|
||||
CPPUNIT_ASSERT(res.indexOf("$PFCTL \\ -f \\ ${FWDIR}/pf5.conf") != -1);
|
||||
CPPUNIT_ASSERT(res.indexOf("$PFCTL \\ -f \\ /etc/pf5.conf") != -1);
|
||||
delete objdb;
|
||||
}
|
||||
|
||||
|
@ -1,6 +1,6 @@
|
||||
<?xml version="1.0" encoding="utf-8"?>
|
||||
<!DOCTYPE FWObjectDatabase SYSTEM "fwbuilder.dtd">
|
||||
<FWObjectDatabase xmlns="http://www.fwbuilder.org/1.0/" version="17" lastModified="1269892626" id="root">
|
||||
<FWObjectDatabase xmlns="http://www.fwbuilder.org/1.0/" version="17" lastModified="1296692941" id="root">
|
||||
<Library id="syslib000" color="#d4f8ff" name="Standard" comment="Standard objects" ro="True">
|
||||
<AnyNetwork id="sysid0" name="Any" comment="Any Network" ro="False" address="0.0.0.0" netmask="0.0.0.0"/>
|
||||
<AnyIPService id="sysid1" protocol_num="0" name="Any" comment="Any IP Service" ro="False"/>
|
||||
@ -105,6 +105,7 @@
|
||||
<CustomServiceCommand platform="ipfilter"></CustomServiceCommand>
|
||||
<CustomServiceCommand platform="ipfw">established</CustomServiceCommand>
|
||||
<CustomServiceCommand platform="iptables">-m state --state ESTABLISHED,RELATED</CustomServiceCommand>
|
||||
<CustomServiceCommand platform="procurve_acl">established</CustomServiceCommand>
|
||||
</CustomService>
|
||||
<CustomService id="stdid14_2" name="ESTABLISHED ipv6" comment="This service matches all packets which are part of network connections established through the firewall, or connections 'related' to those established through the firewall. Term 'established' refers to the state tracking mechanism which exists inside iptables and other stateful firewalls and does not mean any particular combination of packet header options. Packet is considered to correspond to the state 'ESTABLISHED' if it belongs to the network session, for which proper initiation has been seen by the firewall, so its stateful inspection module made appropriate record in the state table. Usually stateful firewalls keep track of network connections using not only tcp protocol, but also udp and sometimes even icmp protocols. 'RELATED' describes packet belonging to a separate network connection, related to the session firewall is keeping track of. One example is FTP command and FTP data sessions." ro="False" protocol="any" address_family="ipv6">
|
||||
<CustomServiceCommand platform="Undefined"></CustomServiceCommand>
|
||||
@ -112,6 +113,7 @@
|
||||
<CustomServiceCommand platform="ipfilter"></CustomServiceCommand>
|
||||
<CustomServiceCommand platform="ipfw">established</CustomServiceCommand>
|
||||
<CustomServiceCommand platform="iptables">-m state --state ESTABLISHED,RELATED</CustomServiceCommand>
|
||||
<CustomServiceCommand platform="procurve_acl">established</CustomServiceCommand>
|
||||
</CustomService>
|
||||
<ServiceGroup id="stdid10" name="Groups" comment="" ro="False">
|
||||
<ServiceGroup id="sg-DHCP" name="DHCP" comment="" ro="False">
|
||||
@ -141,6 +143,12 @@
|
||||
<ServiceRef ref="icmp-ping_reply"/>
|
||||
<ServiceRef ref="icmp-Unreachables"/>
|
||||
</ServiceGroup>
|
||||
<ServiceGroup id="id1569X4889" name="Ipv6 unreachable messages" comment="" ro="False">
|
||||
<ServiceRef ref="idE0D27650"/>
|
||||
<ServiceRef ref="idCFE27650"/>
|
||||
<ServiceRef ref="idE0B27650"/>
|
||||
<ServiceRef ref="id1519Z388"/>
|
||||
</ServiceGroup>
|
||||
<ServiceGroup id="id3B4FEDD9" name="kerberos" comment="" ro="False">
|
||||
<ServiceRef ref="id3B4FEDA5"/>
|
||||
<ServiceRef ref="id3B4FEDA9"/>
|
||||
@ -203,6 +211,7 @@
|
||||
<ICMP6Service id="ipv6-icmp-neighbrsol" code="0" type="135" name="ipv6 neighbrsol" comment="IPv6 neighbor solicitation" ro="False"/>
|
||||
<ICMP6Service id="ipv6-icmp-neighbradv" code="0" type="136" name="ipv6 neighbradv" comment="IPv6 neighbor advertisement" ro="False"/>
|
||||
<ICMP6Service id="ipv6-icmp-redir" code="0" type="137" name="ipv6 redir" comment="IPv6 redirect: shorter route exists" ro="False"/>
|
||||
<ICMP6Service id="id1519Z388" code="-1" type="4" name="ipv6 parameter problem" comment="IPv6 Parameter Problem: RFC4443" ro="False"/>
|
||||
<ICMP6Service id="idCFE27650" code="0" type="3" name="ipv6 time exceeded" comment="Time exceeded in transit" ro="False"/>
|
||||
<ICMP6Service id="idCFF27650" code="1" type="3" name="ipv6 time exceeded in reassembly" comment="Time exceeded in reassembly" ro="False"/>
|
||||
<ICMP6Service id="idE0B27650" code="-1" type="2" name="ipv6 packet too big" comment="" ro="False"/>
|
||||
@ -504,7 +513,7 @@
|
||||
</Interface>
|
||||
<Cluster id="id2366X75741" host_OS="secuwall" lastCompiled="1247150655" lastInstalled="0" lastModified="1242671896" platform="iptables" name="cluster1" comment="" ro="False">
|
||||
<NAT id="id2370X75741" name="NAT" comment="" ro="False" ipv4_rule_set="False" ipv6_rule_set="False" top_rule_set="True">
|
||||
<NATRule id="id4606X78273" disabled="False" position="0" action="Translate" comment="">
|
||||
<NATRule id="id4606X78273" disabled="False" group="" position="0" action="Translate" comment="">
|
||||
<OSrc neg="False">
|
||||
<ObjectRef ref="id3DC75CE7-1"/>
|
||||
</OSrc>
|
||||
@ -528,7 +537,7 @@
|
||||
<RuleSetOptions/>
|
||||
</NAT>
|
||||
<Policy id="id2369X75741" name="Policy" comment="" ro="False" ipv4_rule_set="False" ipv6_rule_set="False" top_rule_set="True">
|
||||
<PolicyRule id="id2913X78273" disabled="False" log="True" position="0" action="Deny" direction="Inbound" comment="anti spoofing rule">
|
||||
<PolicyRule id="id2913X78273" disabled="False" group="" log="True" position="0" action="Deny" direction="Inbound" comment="anti spoofing rule">
|
||||
<Src neg="False">
|
||||
<ObjectRef ref="id3DC75CE7-1"/>
|
||||
</Src>
|
||||
@ -546,7 +555,7 @@
|
||||
</When>
|
||||
<PolicyRuleOptions/>
|
||||
</PolicyRule>
|
||||
<PolicyRule id="id2896X78273" disabled="False" log="False" position="1" action="Accept" direction="Both" comment="">
|
||||
<PolicyRule id="id2896X78273" disabled="False" group="" log="False" position="1" action="Accept" direction="Both" comment="">
|
||||
<Src neg="False">
|
||||
<ObjectRef ref="sysid0"/>
|
||||
</Src>
|
||||
@ -564,7 +573,7 @@
|
||||
</When>
|
||||
<PolicyRuleOptions/>
|
||||
</PolicyRule>
|
||||
<PolicyRule id="id2879X78273" disabled="False" log="False" position="2" action="Accept" direction="Both" comment="SSH Access to firewall is permitted only from internal network">
|
||||
<PolicyRule id="id2879X78273" disabled="False" group="" log="False" position="2" action="Accept" direction="Both" comment="SSH Access to firewall is permitted only from internal network">
|
||||
<Src neg="False">
|
||||
<ObjectRef ref="id3DC75CE7-1"/>
|
||||
</Src>
|
||||
@ -582,7 +591,7 @@
|
||||
</When>
|
||||
<PolicyRuleOptions/>
|
||||
</PolicyRule>
|
||||
<PolicyRule id="id2862X78273" disabled="False" log="True" position="3" action="Accept" direction="Both" comment="Firewall uses one of the machines on internal network for DNS">
|
||||
<PolicyRule id="id2862X78273" disabled="False" group="" log="True" position="3" action="Accept" direction="Both" comment="Firewall uses one of the machines on internal network for DNS">
|
||||
<Src neg="False">
|
||||
<ObjectRef ref="sysid0"/>
|
||||
</Src>
|
||||
@ -600,7 +609,7 @@
|
||||
</When>
|
||||
<PolicyRuleOptions/>
|
||||
</PolicyRule>
|
||||
<PolicyRule id="id2845X78273" disabled="False" log="True" position="4" action="Deny" direction="Both" comment="All other attempts to connect to the firewall are denied and logged">
|
||||
<PolicyRule id="id2845X78273" disabled="False" group="" log="True" position="4" action="Deny" direction="Both" comment="All other attempts to connect to the firewall are denied and logged">
|
||||
<Src neg="False">
|
||||
<ObjectRef ref="sysid0"/>
|
||||
</Src>
|
||||
@ -618,7 +627,7 @@
|
||||
</When>
|
||||
<PolicyRuleOptions/>
|
||||
</PolicyRule>
|
||||
<PolicyRule id="id2828X78273" disabled="False" log="False" position="5" action="Accept" direction="Both" comment="">
|
||||
<PolicyRule id="id2828X78273" disabled="False" group="" log="False" position="5" action="Accept" direction="Both" comment="">
|
||||
<Src neg="False">
|
||||
<ObjectRef ref="id3DC75CE7-1"/>
|
||||
</Src>
|
||||
@ -636,7 +645,7 @@
|
||||
</When>
|
||||
<PolicyRuleOptions/>
|
||||
</PolicyRule>
|
||||
<PolicyRule id="id2811X78273" disabled="False" log="True" position="6" action="Deny" direction="Both" comment="">
|
||||
<PolicyRule id="id2811X78273" disabled="False" group="" log="True" position="6" action="Deny" direction="Both" comment="">
|
||||
<Src neg="False">
|
||||
<ObjectRef ref="sysid0"/>
|
||||
</Src>
|
||||
@ -694,7 +703,7 @@
|
||||
</Cluster>
|
||||
<Cluster id="id2772X94039" host_OS="linux24" inactive="False" lastCompiled="1247150656" lastInstalled="0" lastModified="1243709194" platform="iptables" name="linux_cluster_1" comment="" ro="False">
|
||||
<NAT id="id2866X94039" name="NAT" comment="" ro="False" ipv4_rule_set="False" ipv6_rule_set="False" top_rule_set="True">
|
||||
<NATRule id="id2867X94039" disabled="False" position="0" action="Translate" comment="">
|
||||
<NATRule id="id2867X94039" disabled="False" group="" position="0" action="Translate" comment="">
|
||||
<OSrc neg="False">
|
||||
<ObjectRef ref="id3DC75CE7-1"/>
|
||||
</OSrc>
|
||||
@ -738,7 +747,7 @@
|
||||
<Option name="stateless">False</Option>
|
||||
</PolicyRuleOptions>
|
||||
</PolicyRule>
|
||||
<PolicyRule id="id2781X94039" disabled="False" log="True" position="1" action="Deny" direction="Inbound" comment="anti spoofing rule">
|
||||
<PolicyRule id="id2781X94039" disabled="False" group="" log="True" position="1" action="Deny" direction="Inbound" comment="anti spoofing rule">
|
||||
<Src neg="False">
|
||||
<ObjectRef ref="id3DC75CE7-1"/>
|
||||
</Src>
|
||||
@ -756,7 +765,7 @@
|
||||
</When>
|
||||
<PolicyRuleOptions/>
|
||||
</PolicyRule>
|
||||
<PolicyRule id="id2794X94039" disabled="False" log="False" position="2" action="Accept" direction="Both" comment="">
|
||||
<PolicyRule id="id2794X94039" disabled="False" group="" log="False" position="2" action="Accept" direction="Both" comment="">
|
||||
<Src neg="False">
|
||||
<ObjectRef ref="sysid0"/>
|
||||
</Src>
|
||||
@ -774,7 +783,7 @@
|
||||
</When>
|
||||
<PolicyRuleOptions/>
|
||||
</PolicyRule>
|
||||
<PolicyRule id="id2806X94039" disabled="False" log="False" position="3" action="Accept" direction="Both" comment="SSH Access to firewall is permitted only from internal network">
|
||||
<PolicyRule id="id2806X94039" disabled="False" group="" log="False" position="3" action="Accept" direction="Both" comment="SSH Access to firewall is permitted only from internal network">
|
||||
<Src neg="False">
|
||||
<ObjectRef ref="id3DC75CE7-1"/>
|
||||
</Src>
|
||||
@ -810,7 +819,7 @@
|
||||
</When>
|
||||
<PolicyRuleOptions/>
|
||||
</PolicyRule>
|
||||
<PolicyRule id="id2818X94039" disabled="False" log="True" position="5" action="Accept" direction="Both" comment="Firewall uses one of the machines on internal network for DNS">
|
||||
<PolicyRule id="id2818X94039" disabled="False" group="" log="True" position="5" action="Accept" direction="Both" comment="Firewall uses one of the machines on internal network for DNS">
|
||||
<Src neg="False">
|
||||
<ObjectRef ref="sysid0"/>
|
||||
</Src>
|
||||
@ -828,7 +837,7 @@
|
||||
</When>
|
||||
<PolicyRuleOptions/>
|
||||
</PolicyRule>
|
||||
<PolicyRule id="id2830X94039" disabled="False" log="True" position="6" action="Deny" direction="Both" comment="All other attempts to connect to the firewall are denied and logged">
|
||||
<PolicyRule id="id2830X94039" disabled="False" group="" log="True" position="6" action="Deny" direction="Both" comment="All other attempts to connect to the firewall are denied and logged">
|
||||
<Src neg="False">
|
||||
<ObjectRef ref="sysid0"/>
|
||||
</Src>
|
||||
@ -870,7 +879,7 @@
|
||||
<Option name="ulog_nlgroup">1</Option>
|
||||
</PolicyRuleOptions>
|
||||
</PolicyRule>
|
||||
<PolicyRule id="id2842X94039" disabled="False" log="False" position="7" action="Accept" direction="Both" comment="">
|
||||
<PolicyRule id="id2842X94039" disabled="False" group="" log="False" position="7" action="Accept" direction="Both" comment="">
|
||||
<Src neg="False">
|
||||
<ObjectRef ref="id3DC75CE7-1"/>
|
||||
</Src>
|
||||
@ -888,7 +897,7 @@
|
||||
</When>
|
||||
<PolicyRuleOptions/>
|
||||
</PolicyRule>
|
||||
<PolicyRule id="id2854X94039" disabled="False" log="True" position="8" action="Deny" direction="Both" comment="">
|
||||
<PolicyRule id="id2854X94039" disabled="False" group="" log="True" position="8" action="Deny" direction="Both" comment="">
|
||||
<Src neg="False">
|
||||
<ObjectRef ref="sysid0"/>
|
||||
</Src>
|
||||
@ -1616,12 +1625,19 @@
|
||||
<Interface id="id39617X50958" dedicated_failover="False" dyn="False" security_level="0" unnum="False" unprotected="False" name="Interface" comment="" ro="False">
|
||||
<InterfaceOptions/>
|
||||
</Interface>
|
||||
<Interface id="id200602X1082" dedicated_failover="False" dyn="False" label="" security_level="0" unnum="False" unprotected="False" name="vlan0" comment="" ro="False">
|
||||
<InterfaceOptions>
|
||||
<Option name="type">8021q</Option>
|
||||
<Option name="vlan_id">100</Option>
|
||||
</InterfaceOptions>
|
||||
</Interface>
|
||||
<IPv4 id="id200734X1082" name="pf_cluster_4:carp0:ip-1" comment="" ro="False" address="172.24.0.1" netmask="255.255.255.0"/>
|
||||
</Library>
|
||||
<Library id="id1495X69605" color="#d2ffd0" name="User" comment="" ro="False">
|
||||
<ObjectGroup id="id1502X69605" name="Clusters" comment="" ro="False">
|
||||
<Cluster id="id3631X95766" host_OS="openbsd" inactive="False" lastCompiled="1248551815" lastInstalled="0" lastModified="1269718315" platform="pf" name="pf_cluster_1" comment=" " ro="False">
|
||||
<NAT id="id3640X95766" name="NAT" comment="" ro="False" ipv4_rule_set="False" ipv6_rule_set="False" top_rule_set="True">
|
||||
<NATRule id="id3162X39764" disabled="False" position="0" action="Translate" comment="">
|
||||
<NATRule id="id3162X39764" disabled="False" group="" position="0" action="Translate" comment="">
|
||||
<OSrc neg="False">
|
||||
<ObjectRef ref="id3DC75CE7-1"/>
|
||||
</OSrc>
|
||||
@ -1933,7 +1949,7 @@
|
||||
<Option name="stateless">False</Option>
|
||||
</PolicyRuleOptions>
|
||||
</PolicyRule>
|
||||
<PolicyRule id="id5942X26920" disabled="False" log="True" position="6" action="Deny" direction="Both" comment="">
|
||||
<PolicyRule id="id5942X26920" disabled="False" group="" log="True" position="6" action="Deny" direction="Both" comment="">
|
||||
<Src neg="False">
|
||||
<ObjectRef ref="sysid0"/>
|
||||
</Src>
|
||||
@ -2012,7 +2028,7 @@
|
||||
<RuleSetOptions/>
|
||||
</NAT>
|
||||
<Policy id="id5498X42213" name="Policy" comment="" ro="False" ipv4_rule_set="False" ipv6_rule_set="False" top_rule_set="True">
|
||||
<PolicyRule id="id5547X42213" disabled="False" log="True" position="0" action="Deny" direction="Both" comment="">
|
||||
<PolicyRule id="id5547X42213" disabled="False" group="" log="True" position="0" action="Deny" direction="Both" comment="">
|
||||
<Src neg="False">
|
||||
<ObjectRef ref="sysid0"/>
|
||||
</Src>
|
||||
@ -2088,7 +2104,7 @@
|
||||
<RuleSetOptions/>
|
||||
</NAT>
|
||||
<Policy id="id3645X20162" name="Policy" comment="" ro="False" ipv4_rule_set="False" ipv6_rule_set="False" top_rule_set="True">
|
||||
<PolicyRule id="id39732X50958" disabled="False" log="True" position="0" action="Deny" direction="Inbound" comment="">
|
||||
<PolicyRule id="id39732X50958" disabled="False" group="" log="True" position="0" action="Deny" direction="Inbound" comment="">
|
||||
<Src neg="False">
|
||||
<ObjectRef ref="id3642X20162"/>
|
||||
</Src>
|
||||
@ -2420,6 +2436,81 @@
|
||||
<ClusterGroupOptions/>
|
||||
</StateSyncClusterGroup>
|
||||
</Cluster>
|
||||
<Cluster id="id200714X1082" host_OS="freebsd" inactive="False" lastCompiled="1247150757" lastInstalled="0" lastModified="1296694664" platform="pf" name="pf_cluster_4" comment="using multicast address for pfsync and FreeBSD" ro="False">
|
||||
<NAT id="id200787X1082" name="NAT" comment="" ro="False" ipv4_rule_set="False" ipv6_rule_set="False" top_rule_set="True">
|
||||
<RuleSetOptions/>
|
||||
</NAT>
|
||||
<Policy id="id200756X1082" name="Policy" comment="" ro="False" ipv4_rule_set="False" ipv6_rule_set="False" top_rule_set="True">
|
||||
<PolicyRule id="id200758X1082" disabled="False" group="" log="True" position="0" action="Deny" direction="Both" comment="">
|
||||
<Src neg="False">
|
||||
<ObjectRef ref="sysid0"/>
|
||||
</Src>
|
||||
<Dst neg="False">
|
||||
<ObjectRef ref="sysid0"/>
|
||||
</Dst>
|
||||
<Srv neg="False">
|
||||
<ServiceRef ref="sysid1"/>
|
||||
</Srv>
|
||||
<Itf neg="False">
|
||||
<ObjectRef ref="sysid0"/>
|
||||
</Itf>
|
||||
<When neg="False">
|
||||
<IntervalRef ref="sysid2"/>
|
||||
</When>
|
||||
<PolicyRuleOptions>
|
||||
<Option name="stateless">True</Option>
|
||||
</PolicyRuleOptions>
|
||||
</PolicyRule>
|
||||
<RuleSetOptions/>
|
||||
</Policy>
|
||||
<Routing id="id200790X1082" name="Routing" comment="" ro="False" ipv4_rule_set="False" ipv6_rule_set="False" top_rule_set="True">
|
||||
<RuleSetOptions/>
|
||||
</Routing>
|
||||
<Interface id="id200724X1082" dedicated_failover="False" dyn="False" label="pf_clsuter_1 carp0" mgmt="False" security_level="0" unnum="False" unprotected="False" name="carp0" comment="" ro="False">
|
||||
<IPv4 id="id200733X1082" name="pf_cluster_4:carp0:ip" comment="" ro="False" address="172.24.0.1" netmask="255.255.255.0"/>
|
||||
<InterfaceOptions>
|
||||
<Option name="iface_mtu">1500</Option>
|
||||
<Option name="type">carp</Option>
|
||||
</InterfaceOptions>
|
||||
<FailoverClusterGroup id="id200736X1082" master_iface="id200595X1082" type="carp" name="pf_cluster_4:carp0:members" comment="">
|
||||
<ObjectRef ref="id200634X1082"/>
|
||||
<ObjectRef ref="id200595X1082"/>
|
||||
<ClusterGroupOptions>
|
||||
<Option name="carp_advbase">1</Option>
|
||||
<Option name="carp_default_advskew">10</Option>
|
||||
<Option name="carp_master_advskew">5</Option>
|
||||
<Option name="carp_password">secret</Option>
|
||||
<Option name="carp_vhid">101</Option>
|
||||
</ClusterGroupOptions>
|
||||
</FailoverClusterGroup>
|
||||
</Interface>
|
||||
<Interface id="id200741X1082" dedicated_failover="False" dyn="False" label="pf_cluster_1 carp1" mgmt="False" security_level="0" unnum="False" unprotected="False" name="carp1" comment="" ro="False">
|
||||
<IPv4 id="id200749X1082" name="pf_cluster_4:carp1:ip" comment="" ro="False" address="192.168.1.1" netmask="255.255.255.0"/>
|
||||
<InterfaceOptions>
|
||||
<Option name="iface_mtu">1500</Option>
|
||||
<Option name="type">carp</Option>
|
||||
</InterfaceOptions>
|
||||
<FailoverClusterGroup id="id200751X1082" master_iface="id200605X1082" type="carp" name="pf_cluster_4:carp1:members" comment="">
|
||||
<ObjectRef ref="id200605X1082"/>
|
||||
<ObjectRef ref="id200639X1082"/>
|
||||
<ClusterGroupOptions>
|
||||
<Option name="carp_advbase">1</Option>
|
||||
<Option name="carp_default_advskew">10</Option>
|
||||
<Option name="carp_master_advskew">5</Option>
|
||||
<Option name="carp_password">secret</Option>
|
||||
<Option name="carp_vhid">100</Option>
|
||||
</ClusterGroupOptions>
|
||||
</FailoverClusterGroup>
|
||||
</Interface>
|
||||
<FirewallOptions/>
|
||||
<StateSyncClusterGroup id="id200794X1082" type="pfsync" name="pf_cluster_4:members-1" comment="">
|
||||
<ObjectRef ref="id200634X1082"/>
|
||||
<ObjectRef ref="id200595X1082"/>
|
||||
<ClusterGroupOptions>
|
||||
<Option name="syncpeer">True</Option>
|
||||
</ClusterGroupOptions>
|
||||
</StateSyncClusterGroup>
|
||||
</Cluster>
|
||||
</ObjectGroup>
|
||||
<ObjectGroup id="id1496X69605" name="Objects" comment="" ro="False">
|
||||
<ObjectGroup id="id1497X69605" name="Addresses" comment="" ro="False">
|
||||
@ -3180,6 +3271,252 @@
|
||||
<Option name="sshArgs"></Option>
|
||||
</FirewallOptions>
|
||||
</Firewall>
|
||||
<Firewall id="id200587X1082" host_OS="freebsd" inactive="False" lastCompiled="0" lastInstalled="0" lastModified="1296694652" platform="pf" version="" name="freebsd-1-1" comment="" ro="False">
|
||||
<NAT id="id200613X1082" name="NAT" comment="" ro="False" ipv4_rule_set="False" ipv6_rule_set="False" top_rule_set="True">
|
||||
<RuleSetOptions/>
|
||||
</NAT>
|
||||
<Policy id="id200610X1082" name="Policy" comment="" ro="False" ipv4_rule_set="False" ipv6_rule_set="False" top_rule_set="True">
|
||||
<RuleSetOptions/>
|
||||
</Policy>
|
||||
<Routing id="id200616X1082" name="Routing" comment="" ro="False" ipv4_rule_set="False" ipv6_rule_set="False" top_rule_set="True">
|
||||
<RuleSetOptions/>
|
||||
</Routing>
|
||||
<Interface id="id200595X1082" dedicated_failover="False" dyn="False" label="" security_level="0" unnum="False" unprotected="False" name="en0" comment="" ro="False">
|
||||
<IPv4 id="id200600X1082" name="freebsd-1:en0:ip" comment="" ro="False" address="172.24.0.2" netmask="255.255.255.0"/>
|
||||
<InterfaceOptions/>
|
||||
</Interface>
|
||||
<Interface id="id200605X1082" dedicated_failover="False" dyn="False" label="" security_level="100" unnum="False" unprotected="False" name="en1" comment="" ro="False">
|
||||
<IPv4 id="id200608X1082" name="freebsd-1:en1:ip" comment="" ro="False" address="192.168.1.2" netmask="255.255.255.0"/>
|
||||
<InterfaceOptions/>
|
||||
</Interface>
|
||||
<Management address="0.0.0.0">
|
||||
<SNMPManagement enabled="False" snmp_read_community="" snmp_write_community=""/>
|
||||
<FWBDManagement enabled="False" identity="" port="-1"/>
|
||||
<PolicyInstallScript arguments="" command="" enabled="False"/>
|
||||
</Management>
|
||||
<FirewallOptions>
|
||||
<Option name="accept_new_tcp_with_no_syn">False</Option>
|
||||
<Option name="activationCmd"></Option>
|
||||
<Option name="admUser"></Option>
|
||||
<Option name="altAddress"></Option>
|
||||
<Option name="check_shading">False</Option>
|
||||
<Option name="cmdline"></Option>
|
||||
<Option name="compiler"></Option>
|
||||
<Option name="conf1_file">pf.conf</Option>
|
||||
<Option name="conf_file_name_on_firewall"></Option>
|
||||
<Option name="configure_carp_interfaces">True</Option>
|
||||
<Option name="configure_interfaces">True</Option>
|
||||
<Option name="configure_pfsync_interfaces">True</Option>
|
||||
<Option name="configure_vlan_interfaces">True</Option>
|
||||
<Option name="debug">False</Option>
|
||||
<Option name="epilog_script"></Option>
|
||||
<Option name="fallback_log">False</Option>
|
||||
<Option name="firewall_dir">/etc</Option>
|
||||
<Option name="freebsd_ip_forward">1</Option>
|
||||
<Option name="generate_rc_conf_file">True</Option>
|
||||
<Option name="generate_shell_script">False</Option>
|
||||
<Option name="ignore_empty_groups">False</Option>
|
||||
<Option name="in_out_code">true</Option>
|
||||
<Option name="ipv4_6_order">ipv4_first</Option>
|
||||
<Option name="log_prefix">RULE %N -- %A </Option>
|
||||
<Option name="loopback_interface">lo0</Option>
|
||||
<Option name="manage_virtual_addr">True</Option>
|
||||
<Option name="mgmt_addr"></Option>
|
||||
<Option name="mgmt_ssh">False</Option>
|
||||
<Option name="modulate_state">False</Option>
|
||||
<Option name="openbsd_ip_forward">1</Option>
|
||||
<Option name="output_file">rc.conf.local</Option>
|
||||
<Option name="pass_all_out">false</Option>
|
||||
<Option name="pf_adaptive_end">0</Option>
|
||||
<Option name="pf_adaptive_start">0</Option>
|
||||
<Option name="pf_do_limit_frags">False</Option>
|
||||
<Option name="pf_do_limit_src_nodes">False</Option>
|
||||
<Option name="pf_do_limit_states">False</Option>
|
||||
<Option name="pf_do_limit_table_entries">False</Option>
|
||||
<Option name="pf_do_limit_tables">False</Option>
|
||||
<Option name="pf_do_scrub">False</Option>
|
||||
<Option name="pf_do_timeout_frag">False</Option>
|
||||
<Option name="pf_do_timeout_interval">False</Option>
|
||||
<Option name="pf_flush_states">False</Option>
|
||||
<Option name="pf_icmp_error">0</Option>
|
||||
<Option name="pf_icmp_first">0</Option>
|
||||
<Option name="pf_limit_frags">5000</Option>
|
||||
<Option name="pf_limit_src_nodes">0</Option>
|
||||
<Option name="pf_limit_states">10000</Option>
|
||||
<Option name="pf_limit_table_entries">0</Option>
|
||||
<Option name="pf_limit_tables">0</Option>
|
||||
<Option name="pf_modulate_state">False</Option>
|
||||
<Option name="pf_optimization"></Option>
|
||||
<Option name="pf_other_first">0</Option>
|
||||
<Option name="pf_other_multiple">0</Option>
|
||||
<Option name="pf_other_single">0</Option>
|
||||
<Option name="pf_scrub_fragm_crop">False</Option>
|
||||
<Option name="pf_scrub_fragm_drop_ovl">False</Option>
|
||||
<Option name="pf_scrub_maxmss">1460</Option>
|
||||
<Option name="pf_scrub_minttl">0</Option>
|
||||
<Option name="pf_scrub_no_df">False</Option>
|
||||
<Option name="pf_scrub_random_id">False</Option>
|
||||
<Option name="pf_scrub_reassemble">True</Option>
|
||||
<Option name="pf_scrub_reassemble_tcp">False</Option>
|
||||
<Option name="pf_scrub_use_maxmss">False</Option>
|
||||
<Option name="pf_scrub_use_minttl">False</Option>
|
||||
<Option name="pf_set_adaptive">False</Option>
|
||||
<Option name="pf_set_icmp_error">False</Option>
|
||||
<Option name="pf_set_icmp_first">False</Option>
|
||||
<Option name="pf_set_other_first">False</Option>
|
||||
<Option name="pf_set_other_multiple">False</Option>
|
||||
<Option name="pf_set_other_single">False</Option>
|
||||
<Option name="pf_set_tcp_closed">False</Option>
|
||||
<Option name="pf_set_tcp_closing">False</Option>
|
||||
<Option name="pf_set_tcp_established">False</Option>
|
||||
<Option name="pf_set_tcp_finwait">False</Option>
|
||||
<Option name="pf_set_tcp_first">False</Option>
|
||||
<Option name="pf_set_tcp_opening">False</Option>
|
||||
<Option name="pf_set_udp_first">False</Option>
|
||||
<Option name="pf_set_udp_multiple">False</Option>
|
||||
<Option name="pf_set_udp_single">False</Option>
|
||||
<Option name="pf_state_policy"></Option>
|
||||
<Option name="pf_tcp_closed">0</Option>
|
||||
<Option name="pf_tcp_closing">0</Option>
|
||||
<Option name="pf_tcp_established">0</Option>
|
||||
<Option name="pf_tcp_finwait">0</Option>
|
||||
<Option name="pf_tcp_first">0</Option>
|
||||
<Option name="pf_tcp_opening">0</Option>
|
||||
<Option name="pf_timeout_frag">30</Option>
|
||||
<Option name="pf_timeout_interval">10</Option>
|
||||
<Option name="pf_udp_first">0</Option>
|
||||
<Option name="pf_udp_multiple">0</Option>
|
||||
<Option name="pf_udp_single">0</Option>
|
||||
<Option name="prolog_place">fw_file</Option>
|
||||
<Option name="prolog_script"></Option>
|
||||
<Option name="scpArgs"></Option>
|
||||
<Option name="script_name_on_firewall"></Option>
|
||||
<Option name="sshArgs"></Option>
|
||||
</FirewallOptions>
|
||||
</Firewall>
|
||||
<Firewall id="id200626X1082" host_OS="freebsd" inactive="False" lastCompiled="0" lastInstalled="0" lastModified="1296694663" platform="pf" version="" name="freebsd-2-1" comment="" ro="False">
|
||||
<NAT id="id200647X1082" name="NAT" comment="" ro="False" ipv4_rule_set="False" ipv6_rule_set="False" top_rule_set="True">
|
||||
<RuleSetOptions/>
|
||||
</NAT>
|
||||
<Policy id="id200644X1082" name="Policy" comment="" ro="False" ipv4_rule_set="False" ipv6_rule_set="False" top_rule_set="True">
|
||||
<RuleSetOptions/>
|
||||
</Policy>
|
||||
<Routing id="id200650X1082" name="Routing" comment="" ro="False" ipv4_rule_set="False" ipv6_rule_set="False" top_rule_set="True">
|
||||
<RuleSetOptions/>
|
||||
</Routing>
|
||||
<Interface id="id200634X1082" dedicated_failover="False" dyn="False" label="" security_level="0" unnum="False" unprotected="False" name="en0" comment="" ro="False">
|
||||
<IPv4 id="id200637X1082" name="freebsd-2:en0:ip" comment="" ro="False" address="172.24.0.3" netmask="255.255.255.0"/>
|
||||
<InterfaceOptions/>
|
||||
</Interface>
|
||||
<Interface id="id200639X1082" dedicated_failover="False" dyn="False" label="" security_level="100" unnum="False" unprotected="False" name="en1" comment="" ro="False">
|
||||
<IPv4 id="id200642X1082" name="freebsd-2:en1:ip" comment="" ro="False" address="192.168.1.3" netmask="255.255.255.0"/>
|
||||
<InterfaceOptions/>
|
||||
</Interface>
|
||||
<Management address="0.0.0.0">
|
||||
<SNMPManagement enabled="False" snmp_read_community="" snmp_write_community=""/>
|
||||
<FWBDManagement enabled="False" identity="" port="-1"/>
|
||||
<PolicyInstallScript arguments="" command="" enabled="False"/>
|
||||
</Management>
|
||||
<FirewallOptions>
|
||||
<Option name="accept_new_tcp_with_no_syn">False</Option>
|
||||
<Option name="activationCmd"></Option>
|
||||
<Option name="admUser"></Option>
|
||||
<Option name="altAddress"></Option>
|
||||
<Option name="check_shading">False</Option>
|
||||
<Option name="cmdline"></Option>
|
||||
<Option name="compiler"></Option>
|
||||
<Option name="conf1_file">pf.conf</Option>
|
||||
<Option name="conf_file_name_on_firewall"></Option>
|
||||
<Option name="configure_carp_interfaces">True</Option>
|
||||
<Option name="configure_interfaces">True</Option>
|
||||
<Option name="configure_pfsync_interfaces">True</Option>
|
||||
<Option name="configure_vlan_interfaces">True</Option>
|
||||
<Option name="debug">False</Option>
|
||||
<Option name="epilog_script"></Option>
|
||||
<Option name="fallback_log">False</Option>
|
||||
<Option name="firewall_dir">/etc</Option>
|
||||
<Option name="freebsd_ip_forward">1</Option>
|
||||
<Option name="generate_rc_conf_file">True</Option>
|
||||
<Option name="generate_shell_script">False</Option>
|
||||
<Option name="ignore_empty_groups">False</Option>
|
||||
<Option name="in_out_code">true</Option>
|
||||
<Option name="ipv4_6_order">ipv4_first</Option>
|
||||
<Option name="log_prefix">RULE %N -- %A </Option>
|
||||
<Option name="loopback_interface">lo0</Option>
|
||||
<Option name="manage_virtual_addr">True</Option>
|
||||
<Option name="mgmt_addr"></Option>
|
||||
<Option name="mgmt_ssh">False</Option>
|
||||
<Option name="modulate_state">False</Option>
|
||||
<Option name="openbsd_ip_forward">1</Option>
|
||||
<Option name="output_file">rc.conf.local</Option>
|
||||
<Option name="pass_all_out">false</Option>
|
||||
<Option name="pf_adaptive_end">0</Option>
|
||||
<Option name="pf_adaptive_start">0</Option>
|
||||
<Option name="pf_do_limit_frags">False</Option>
|
||||
<Option name="pf_do_limit_src_nodes">False</Option>
|
||||
<Option name="pf_do_limit_states">False</Option>
|
||||
<Option name="pf_do_limit_table_entries">False</Option>
|
||||
<Option name="pf_do_limit_tables">False</Option>
|
||||
<Option name="pf_do_scrub">False</Option>
|
||||
<Option name="pf_do_timeout_frag">False</Option>
|
||||
<Option name="pf_do_timeout_interval">False</Option>
|
||||
<Option name="pf_flush_states">False</Option>
|
||||
<Option name="pf_icmp_error">0</Option>
|
||||
<Option name="pf_icmp_first">0</Option>
|
||||
<Option name="pf_limit_frags">5000</Option>
|
||||
<Option name="pf_limit_src_nodes">0</Option>
|
||||
<Option name="pf_limit_states">10000</Option>
|
||||
<Option name="pf_limit_table_entries">0</Option>
|
||||
<Option name="pf_limit_tables">0</Option>
|
||||
<Option name="pf_modulate_state">False</Option>
|
||||
<Option name="pf_optimization"></Option>
|
||||
<Option name="pf_other_first">0</Option>
|
||||
<Option name="pf_other_multiple">0</Option>
|
||||
<Option name="pf_other_single">0</Option>
|
||||
<Option name="pf_scrub_fragm_crop">False</Option>
|
||||
<Option name="pf_scrub_fragm_drop_ovl">False</Option>
|
||||
<Option name="pf_scrub_maxmss">1460</Option>
|
||||
<Option name="pf_scrub_minttl">0</Option>
|
||||
<Option name="pf_scrub_no_df">False</Option>
|
||||
<Option name="pf_scrub_random_id">False</Option>
|
||||
<Option name="pf_scrub_reassemble">True</Option>
|
||||
<Option name="pf_scrub_reassemble_tcp">False</Option>
|
||||
<Option name="pf_scrub_use_maxmss">False</Option>
|
||||
<Option name="pf_scrub_use_minttl">False</Option>
|
||||
<Option name="pf_set_adaptive">False</Option>
|
||||
<Option name="pf_set_icmp_error">False</Option>
|
||||
<Option name="pf_set_icmp_first">False</Option>
|
||||
<Option name="pf_set_other_first">False</Option>
|
||||
<Option name="pf_set_other_multiple">False</Option>
|
||||
<Option name="pf_set_other_single">False</Option>
|
||||
<Option name="pf_set_tcp_closed">False</Option>
|
||||
<Option name="pf_set_tcp_closing">False</Option>
|
||||
<Option name="pf_set_tcp_established">False</Option>
|
||||
<Option name="pf_set_tcp_finwait">False</Option>
|
||||
<Option name="pf_set_tcp_first">False</Option>
|
||||
<Option name="pf_set_tcp_opening">False</Option>
|
||||
<Option name="pf_set_udp_first">False</Option>
|
||||
<Option name="pf_set_udp_multiple">False</Option>
|
||||
<Option name="pf_set_udp_single">False</Option>
|
||||
<Option name="pf_state_policy"></Option>
|
||||
<Option name="pf_tcp_closed">0</Option>
|
||||
<Option name="pf_tcp_closing">0</Option>
|
||||
<Option name="pf_tcp_established">0</Option>
|
||||
<Option name="pf_tcp_finwait">0</Option>
|
||||
<Option name="pf_tcp_first">0</Option>
|
||||
<Option name="pf_tcp_opening">0</Option>
|
||||
<Option name="pf_timeout_frag">30</Option>
|
||||
<Option name="pf_timeout_interval">10</Option>
|
||||
<Option name="pf_udp_first">0</Option>
|
||||
<Option name="pf_udp_multiple">0</Option>
|
||||
<Option name="pf_udp_single">0</Option>
|
||||
<Option name="prolog_place">fw_file</Option>
|
||||
<Option name="prolog_script"></Option>
|
||||
<Option name="scpArgs"></Option>
|
||||
<Option name="script_name_on_firewall"></Option>
|
||||
<Option name="sshArgs"></Option>
|
||||
</FirewallOptions>
|
||||
</Firewall>
|
||||
</ObjectGroup>
|
||||
<IntervalGroup id="id1515X69605" name="Time" comment="" ro="False"/>
|
||||
</Library>
|
||||
|
@ -1,6 +1,6 @@
|
||||
<?xml version="1.0" encoding="utf-8"?>
|
||||
<!DOCTYPE FWObjectDatabase SYSTEM "fwbuilder.dtd">
|
||||
<FWObjectDatabase xmlns="http://www.fwbuilder.org/1.0/" version="17" lastModified="1296513757" id="root">
|
||||
<FWObjectDatabase xmlns="http://www.fwbuilder.org/1.0/" version="17" lastModified="1296687832" id="root">
|
||||
<Library id="syslib000" color="#d4f8ff" name="Standard" comment="Standard objects" ro="True">
|
||||
<AnyNetwork id="sysid0" name="Any" comment="Any Network" ro="False" address="0.0.0.0" netmask="0.0.0.0"/>
|
||||
<AnyIPService id="sysid1" protocol_num="0" name="Any" comment="Any IP Service" ro="False"/>
|
||||
@ -19939,6 +19939,258 @@
|
||||
<Option name="sshArgs"></Option>
|
||||
</FirewallOptions>
|
||||
</Firewall>
|
||||
<Firewall id="id32878X1082" host_OS="freebsd" inactive="False" lastCompiled="1296677661" lastInstalled="0" lastModified="1296687915" platform="pf" version="" name="firewall-ipv6-3" comment="" ro="False">
|
||||
<NAT id="id33298X1082" name="NAT" comment="" ro="False" ipv4_rule_set="False" ipv6_rule_set="False" top_rule_set="True">
|
||||
<RuleSetOptions/>
|
||||
</NAT>
|
||||
<Policy id="id32900X1082" name="Policy_ipv4" comment="" ro="False" ipv4_rule_set="False" ipv6_rule_set="False" top_rule_set="False">
|
||||
<PolicyRule id="id32902X1082" disabled="False" group="" log="False" position="0" action="Accept" direction="Both" comment="">
|
||||
<Src neg="False">
|
||||
<ObjectRef ref="sysid0"/>
|
||||
</Src>
|
||||
<Dst neg="False">
|
||||
<ObjectRef ref="sysid0"/>
|
||||
</Dst>
|
||||
<Srv neg="False">
|
||||
<ServiceRef ref="sysid1"/>
|
||||
</Srv>
|
||||
<Itf neg="False">
|
||||
<ObjectRef ref="id32893X1082"/>
|
||||
</Itf>
|
||||
<When neg="False">
|
||||
<IntervalRef ref="sysid2"/>
|
||||
</When>
|
||||
<PolicyRuleOptions>
|
||||
<Option name="stateless">False</Option>
|
||||
</PolicyRuleOptions>
|
||||
</PolicyRule>
|
||||
<RuleSetOptions/>
|
||||
</Policy>
|
||||
<Policy id="id32959X1082" name="Policy" comment="" ro="False" ipv4_rule_set="False" ipv6_rule_set="True" top_rule_set="True">
|
||||
<PolicyRule id="id32961X1082" disabled="False" group="" log="False" position="0" action="Accept" direction="Both" comment="">
|
||||
<Src neg="False">
|
||||
<ObjectRef ref="sysid0"/>
|
||||
</Src>
|
||||
<Dst neg="False">
|
||||
<ObjectRef ref="sysid0"/>
|
||||
</Dst>
|
||||
<Srv neg="False">
|
||||
<ServiceRef ref="sysid1"/>
|
||||
</Srv>
|
||||
<Itf neg="False">
|
||||
<ObjectRef ref="id32893X1082"/>
|
||||
</Itf>
|
||||
<When neg="False">
|
||||
<IntervalRef ref="sysid2"/>
|
||||
</When>
|
||||
<PolicyRuleOptions>
|
||||
<Option name="stateless">False</Option>
|
||||
</PolicyRuleOptions>
|
||||
</PolicyRule>
|
||||
<RuleSetOptions/>
|
||||
</Policy>
|
||||
<Routing id="id33301X1082" name="Routing" comment="" ro="False" ipv4_rule_set="False" ipv6_rule_set="False" top_rule_set="True">
|
||||
<RuleSetOptions/>
|
||||
</Routing>
|
||||
<Interface id="id32886X1082" dedicated_failover="False" dyn="False" label="" mgmt="False" security_level="50" unnum="False" unprotected="False" name="ed0" comment="" ro="False">
|
||||
<IPv4 id="id32890X1082" name="firewall-ipv6-3:ed0:ip" comment="" ro="False" address="1.1.1.1" netmask="255.255.255.0"/>
|
||||
<IPv4 id="id33436X1082" name="firewall-ipv6-3:ed0:ip-1" comment="" ro="False" address="10.10.10.1" netmask="255.255.255.0"/>
|
||||
<IPv4 id="id33467X1082" name="firewall-ipv6-3:ed0:ip-2" comment="" ro="False" address="10.10.10.2" netmask="255.255.255.0"/>
|
||||
<IPv6 id="id32891X1082" name="firewall-ipv6-3:ed0:ip6" comment="" ro="False" address="fe80::21d:9ff:fe8b:8e94" netmask="64"/>
|
||||
<IPv6 id="id33445X1082" name="firewall-ipv6-3:ed0:ipv6" comment="" ro="False" address="2001:db8::1" netmask="64"/>
|
||||
<IPv6 id="id33458X1082" name="firewall-ipv6-3:ed0:ipv6-1" comment="" ro="False" address="2001:db8::2" netmask="64"/>
|
||||
<InterfaceOptions/>
|
||||
</Interface>
|
||||
<Interface id="id32893X1082" dedicated_failover="False" dyn="False" label="" mgmt="False" security_level="100" unnum="False" unprotected="False" name="lo0" comment="" ro="False">
|
||||
<IPv4 id="id32897X1082" name="firewall-ipv6-3:lo0:ip" comment="" ro="False" address="127.0.0.1" netmask="255.0.0.0"/>
|
||||
<IPv6 id="id32898X1082" name="firewall-ipv6-3:lo0:ip6" comment="" ro="False" address="::1" netmask="128"/>
|
||||
<InterfaceOptions/>
|
||||
</Interface>
|
||||
<Interface id="id196213X1082" dedicated_failover="False" dyn="False" label="" mgmt="False" security_level="0" unnum="True" unprotected="False" name="ed1" comment="" ro="False">
|
||||
<InterfaceOptions>
|
||||
<Option name="type">ethernet</Option>
|
||||
</InterfaceOptions>
|
||||
<Interface id="id196239X1082" dedicated_failover="False" dyn="False" label="" mgmt="False" security_level="0" unnum="False" unprotected="False" name="vlan100" comment="" ro="False">
|
||||
<IPv4 id="id196259X1082" name="firewall-ipv6-3:ed1:vlan100:ip" comment="" ro="False" address="172.16.1.1" netmask="255.255.255.240"/>
|
||||
<InterfaceOptions>
|
||||
<Option name="type">8021q</Option>
|
||||
<Option name="vlan_id">100</Option>
|
||||
</InterfaceOptions>
|
||||
</Interface>
|
||||
<Interface id="id196253X1082" dedicated_failover="False" dyn="False" security_level="0" unnum="False" unprotected="False" name="vlan101" comment="" ro="False">
|
||||
<IPv4 id="id196268X1082" name="firewall-ipv6-3:ed1:vlan101:ip" comment="" ro="False" address="172.16.2.1" netmask="255.255.255.240"/>
|
||||
<InterfaceOptions>
|
||||
<Option name="type">8021q</Option>
|
||||
<Option name="vlan_id">101</Option>
|
||||
</InterfaceOptions>
|
||||
</Interface>
|
||||
</Interface>
|
||||
<Management address="1.1.1.1">
|
||||
<SNMPManagement enabled="False" snmp_read_community="" snmp_write_community=""/>
|
||||
<FWBDManagement enabled="False" identity="" port="-1"/>
|
||||
<PolicyInstallScript arguments="" command="" enabled="False"/>
|
||||
</Management>
|
||||
<FirewallOptions>
|
||||
<Option name="accept_established">True</Option>
|
||||
<Option name="accept_new_tcp_with_no_syn">True</Option>
|
||||
<Option name="action_on_reject"></Option>
|
||||
<Option name="activationCmd"></Option>
|
||||
<Option name="add_check_state_rule">true</Option>
|
||||
<Option name="admUser"></Option>
|
||||
<Option name="altAddress"></Option>
|
||||
<Option name="bridging_fw">False</Option>
|
||||
<Option name="check_shading">True</Option>
|
||||
<Option name="clamp_mss_to_mtu">False</Option>
|
||||
<Option name="classify_mark_terminating">False</Option>
|
||||
<Option name="cmdline">-xt</Option>
|
||||
<Option name="compiler"></Option>
|
||||
<Option name="conf1_file"></Option>
|
||||
<Option name="conf_file_name_on_firewall"></Option>
|
||||
<Option name="configure_carp_interfaces">True</Option>
|
||||
<Option name="configure_interfaces">True</Option>
|
||||
<Option name="configure_pfsync_interfaces">True</Option>
|
||||
<Option name="configure_vlan_interfaces">True</Option>
|
||||
<Option name="debug">False</Option>
|
||||
<Option name="drop_invalid">False</Option>
|
||||
<Option name="eliminate_duplicates">true</Option>
|
||||
<Option name="enable_ipv6">True</Option>
|
||||
<Option name="epilog_script"></Option>
|
||||
<Option name="fallback_log">False</Option>
|
||||
<Option name="firewall_dir">/etc</Option>
|
||||
<Option name="firewall_is_part_of_any_and_networks">True</Option>
|
||||
<Option name="freebsd_ip_forward">1</Option>
|
||||
<Option name="freebsd_ip_redirect"></Option>
|
||||
<Option name="freebsd_ip_sourceroute"></Option>
|
||||
<Option name="freebsd_ipv6_forward">1</Option>
|
||||
<Option name="freebsd_path_ipf"></Option>
|
||||
<Option name="freebsd_path_ipfw"></Option>
|
||||
<Option name="freebsd_path_ipnat"></Option>
|
||||
<Option name="freebsd_path_sysctl"></Option>
|
||||
<Option name="generate_rc_conf_file">True</Option>
|
||||
<Option name="generate_shell_script">False</Option>
|
||||
<Option name="ignore_empty_groups">False</Option>
|
||||
<Option name="in_out_code">True</Option>
|
||||
<Option name="iosacl_add_clear_statements">true</Option>
|
||||
<Option name="iosacl_assume_fw_part_of_any">true</Option>
|
||||
<Option name="iosacl_include_comments">true</Option>
|
||||
<Option name="ipv4_6_order">ipv4_first</Option>
|
||||
<Option name="limit_suffix"></Option>
|
||||
<Option name="limit_value">0</Option>
|
||||
<Option name="linux24_ip_forward">1</Option>
|
||||
<Option name="load_modules">True</Option>
|
||||
<Option name="local_nat">False</Option>
|
||||
<Option name="log_all">False</Option>
|
||||
<Option name="log_invalid">False</Option>
|
||||
<Option name="log_ip_opt">False</Option>
|
||||
<Option name="log_level">info</Option>
|
||||
<Option name="log_prefix">RULE %N -- %A </Option>
|
||||
<Option name="log_tcp_opt">False</Option>
|
||||
<Option name="log_tcp_seq">False</Option>
|
||||
<Option name="loopback_interface">lo0</Option>
|
||||
<Option name="macosx_ip_forward">1</Option>
|
||||
<Option name="manage_virtual_addr">True</Option>
|
||||
<Option name="mgmt_addr"></Option>
|
||||
<Option name="mgmt_ssh">False</Option>
|
||||
<Option name="modulate_state">False</Option>
|
||||
<Option name="no_ipv6_default_policy">False</Option>
|
||||
<Option name="openbsd_ip_directed_broadcast"></Option>
|
||||
<Option name="openbsd_ip_forward">1</Option>
|
||||
<Option name="openbsd_ip_redirect"></Option>
|
||||
<Option name="openbsd_ip_sourceroute"></Option>
|
||||
<Option name="openbsd_ipv6_forward">1</Option>
|
||||
<Option name="openbsd_path_pfctl"></Option>
|
||||
<Option name="openbsd_path_sysctl"></Option>
|
||||
<Option name="output_file"></Option>
|
||||
<Option name="pass_all_out">False</Option>
|
||||
<Option name="pf_adaptive_end">0</Option>
|
||||
<Option name="pf_adaptive_start">0</Option>
|
||||
<Option name="pf_do_limit_frags">False</Option>
|
||||
<Option name="pf_do_limit_src_nodes">False</Option>
|
||||
<Option name="pf_do_limit_states">False</Option>
|
||||
<Option name="pf_do_limit_table_entries">False</Option>
|
||||
<Option name="pf_do_limit_tables">False</Option>
|
||||
<Option name="pf_do_scrub">False</Option>
|
||||
<Option name="pf_do_timeout_frag">False</Option>
|
||||
<Option name="pf_do_timeout_interval">False</Option>
|
||||
<Option name="pf_flush_states">False</Option>
|
||||
<Option name="pf_icmp_error">0</Option>
|
||||
<Option name="pf_icmp_first">0</Option>
|
||||
<Option name="pf_limit_frags">5000</Option>
|
||||
<Option name="pf_limit_src_nodes">0</Option>
|
||||
<Option name="pf_limit_states">10000</Option>
|
||||
<Option name="pf_limit_table_entries">0</Option>
|
||||
<Option name="pf_limit_tables">0</Option>
|
||||
<Option name="pf_modulate_state">False</Option>
|
||||
<Option name="pf_optimization"></Option>
|
||||
<Option name="pf_other_first">0</Option>
|
||||
<Option name="pf_other_multiple">0</Option>
|
||||
<Option name="pf_other_single">0</Option>
|
||||
<Option name="pf_scrub_fragm_crop">False</Option>
|
||||
<Option name="pf_scrub_fragm_drop_ovl">False</Option>
|
||||
<Option name="pf_scrub_maxmss">1460</Option>
|
||||
<Option name="pf_scrub_minttl">0</Option>
|
||||
<Option name="pf_scrub_no_df">False</Option>
|
||||
<Option name="pf_scrub_random_id">False</Option>
|
||||
<Option name="pf_scrub_reassemble">True</Option>
|
||||
<Option name="pf_scrub_reassemble_tcp">False</Option>
|
||||
<Option name="pf_scrub_use_maxmss">False</Option>
|
||||
<Option name="pf_scrub_use_minttl">False</Option>
|
||||
<Option name="pf_set_adaptive">False</Option>
|
||||
<Option name="pf_set_icmp_error">False</Option>
|
||||
<Option name="pf_set_icmp_first">False</Option>
|
||||
<Option name="pf_set_other_first">False</Option>
|
||||
<Option name="pf_set_other_multiple">False</Option>
|
||||
<Option name="pf_set_other_single">False</Option>
|
||||
<Option name="pf_set_tcp_closed">False</Option>
|
||||
<Option name="pf_set_tcp_closing">False</Option>
|
||||
<Option name="pf_set_tcp_established">False</Option>
|
||||
<Option name="pf_set_tcp_finwait">False</Option>
|
||||
<Option name="pf_set_tcp_first">False</Option>
|
||||
<Option name="pf_set_tcp_opening">False</Option>
|
||||
<Option name="pf_set_udp_first">False</Option>
|
||||
<Option name="pf_set_udp_multiple">False</Option>
|
||||
<Option name="pf_set_udp_single">False</Option>
|
||||
<Option name="pf_state_policy"></Option>
|
||||
<Option name="pf_tcp_closed">0</Option>
|
||||
<Option name="pf_tcp_closing">0</Option>
|
||||
<Option name="pf_tcp_established">0</Option>
|
||||
<Option name="pf_tcp_finwait">0</Option>
|
||||
<Option name="pf_tcp_first">0</Option>
|
||||
<Option name="pf_tcp_opening">0</Option>
|
||||
<Option name="pf_timeout_frag">30</Option>
|
||||
<Option name="pf_timeout_interval">10</Option>
|
||||
<Option name="pf_udp_first">0</Option>
|
||||
<Option name="pf_udp_multiple">0</Option>
|
||||
<Option name="pf_udp_single">0</Option>
|
||||
<Option name="pix_add_clear_statements">true</Option>
|
||||
<Option name="pix_assume_fw_part_of_any">true</Option>
|
||||
<Option name="pix_default_logint">300</Option>
|
||||
<Option name="pix_emblem_log_format">false</Option>
|
||||
<Option name="pix_emulate_out_acl">true</Option>
|
||||
<Option name="pix_floodguard">true</Option>
|
||||
<Option name="pix_include_comments">true</Option>
|
||||
<Option name="pix_route_dnat_supported">true</Option>
|
||||
<Option name="pix_rule_syslog_settings">false</Option>
|
||||
<Option name="pix_security_fragguard_supported">true</Option>
|
||||
<Option name="pix_syslog_device_id_supported">false</Option>
|
||||
<Option name="pix_use_acl_remarks">true</Option>
|
||||
<Option name="prolog_place">fw_file</Option>
|
||||
<Option name="prolog_script"></Option>
|
||||
<Option name="prompt1">$ </Option>
|
||||
<Option name="prompt2"> # </Option>
|
||||
<Option name="scpArgs"></Option>
|
||||
<Option name="script_name_on_firewall"></Option>
|
||||
<Option name="solaris_ip_forward">1</Option>
|
||||
<Option name="sshArgs"></Option>
|
||||
<Option name="ulog_cprange">0</Option>
|
||||
<Option name="ulog_nlgroup">1</Option>
|
||||
<Option name="ulog_qthreshold">1</Option>
|
||||
<Option name="use_ULOG">False</Option>
|
||||
<Option name="use_iptables_restore">False</Option>
|
||||
<Option name="use_numeric_log_levels">False</Option>
|
||||
<Option name="verify_interfaces">True</Option>
|
||||
</FirewallOptions>
|
||||
</Firewall>
|
||||
</ObjectGroup>
|
||||
<IntervalGroup id="stdid11_1" name="Time" comment="" ro="False"/>
|
||||
</Library>
|
||||
|