
see #2367: no need to split iptables rules with option route because it is terminating by default; check the platform in the xslt transformation to dtd21 so that the action is set correctly

This commit is contained in:
Vadim Kurland 2011-05-06 18:11:52 -07:00
parent 7f2dbe58e9
commit 61929176e1
11 changed files with 16664 additions and 19318 deletions


@ -512,6 +512,10 @@ bool PolicyCompiler_ipt::dropTerminatingTargets::processNext()
* MARK to terminating targets (equivalent) by splitting the rule and
* adding one more rule with target ACCEPT.
*
* Note that target ROUTE is terminating unless parameter "--continue"
* is present. We add "--continue" if action is Continue, otherwise
* the rule does not need to be split and we carry action Accept further.
*
* Call this rule processor at the very end of the chain when all
* splits are done and target is set via "ipt_target"
*/
@ -523,7 +527,7 @@ bool PolicyCompiler_ipt::splitTagClassifyOrRouteIfAction::processNext()
FWOptions *ruleopt = rule->getOptionsObject();
if (ipt_comp->my_table=="mangle" &&
(rule->getTagging() || rule->getClassification() || rule->getRouting()) &&
(rule->getTagging() || rule->getClassification()) &&
rule->getAction() != PolicyRule::Continue)
{
RuleElementSrc *nsrc;
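Review bot: The processor keeps the name `splitTagClassifyOrRouteIfAction` while the condition after `if (ipt_comp->my_table=="mangle" &&` now tests only `(rule->getTagging() || rule->getClassification())` (taking the line without `rule->getRouting()` as the new side, as the commit title indicates), so routing-only rules are no longer split here and the name and the first paragraph of the header comment no longer describe what the code does. A one-line marker next to the condition, `// Route is not split here: ROUTE is terminating unless ipt_target adds "--continue" (action Continue)`, or a rename, would stop a reader who greps the processor name from assuming Route is still covered. The new behaviour also means a routing rule with action Accept now depends entirely on the ROUTE target being terminating in the generated script, which is decided outside this hunk; a compiler regression fixture asserting that such a rule emits exactly one ROUTE rule without `--continue` would pin that. The body of processNext() continues outside the hunk.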


@ -100,6 +100,8 @@
<xsl:template match="//fwb:PolicyRule[attribute::action='Classify']" mode="copy">
<xsl:variable name="platform" select="../../../fwb:Firewall/@platform"/>
<xsl:variable name="ipt_make_terminating"
select="../../fwb:FirewallOptions/fwb:Option[attribute::name='classify_mark_terminating']"/>
@ -121,16 +123,17 @@
<xsl:element name="PolicyRule" namespace="http://www.fwbuilder.org/1.0/">
<xsl:copy-of select="@id"/>
<xsl:copy-of select="@disabled"/>
<xsl:copy-of select="@position"/>
<xsl:copy-of select="@direction"/>
<xsl:choose>
<xsl:when test="$ipt_make_terminating = 'True'">
<xsl:when test="($ipt_make_terminating = 'True') and ($platform = 'iptables')">
<xsl:attribute name="action">Accept</xsl:attribute>
</xsl:when>
<xsl:when test="$pf_make_terminating = 'True'">
<xsl:when test="($pf_make_terminating = 'True') and ($platform = 'pf')">
<xsl:attribute name="action">Accept</xsl:attribute>
</xsl:when>
<xsl:otherwise>
@ -188,14 +191,38 @@
</xsl:template>
<xsl:template match="//fwb:PolicyRule[attribute::action='Route']" mode="copy">
<xsl:variable name="platform" select="../../../fwb:Firewall/@platform"/>
<!-- Fwbuilder action Route for iptables was terminating by default
but non-terminating if option "ipt_continue" was present and
had value True
-->
<xsl:variable name="ipt_non_terminating"
select="fwb:PolicyRuleOptions/fwb:Option[attribute::name='ipt_continue']"/>
<!-- Fwbuilder action Route was always terminating for PF -->
<xsl:element name="PolicyRule" namespace="http://www.fwbuilder.org/1.0/">
<xsl:copy-of select="@id"/>
<xsl:copy-of select="@disabled"/>
<xsl:copy-of select="@position"/>
<xsl:copy-of select="@direction"/>
<xsl:attribute name="action">Continue</xsl:attribute>
<xsl:choose>
<xsl:when test="($platform = 'iptables') and ($ipt_non_terminating = 'True')">
<xsl:attribute name="action">Continue</xsl:attribute>
</xsl:when>
<xsl:otherwise>
<xsl:attribute name="action">Accept</xsl:attribute>
</xsl:otherwise>
</xsl:choose>
<xsl:copy-of select="@log"/>
<xsl:copy-of select="@comment"/>
<xsl:copy-of select="@group"/>
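Review bot: `$platform` is bound with `select="../../../fwb:Firewall/@platform"` in both the Classify template and the new Route template; if a PolicyRule sits at Firewall/Policy/PolicyRule, as the neighbouring `../../fwb:FirewallOptions/...` selector implies, that path steps up to the Firewall's parent and collects the `platform` attribute of every sibling Firewall, not only the one owning the rule. XPath 1.0 `=` on a node-set is existential, so in a library holding both an iptables and a pf firewall `$platform = 'iptables'` and `$platform = 'pf'` are both true for every rule and the `xsl:choose` takes the first matching `xsl:when` regardless of owner; for the Route template that decides whether a migrated rule becomes Continue or Accept, i.e. whether traffic matching it stops there or falls through to later rules. `<xsl:variable name="platform" select="../../@platform"/>` would bind the owning firewall's platform; worth confirming against a multi-firewall fixture, since the test data updated in this commit appears to contain more than one firewall. The last hunk header announces 38 new lines but fewer are visible here, so part of the Route template may be cut off in this view.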




@ -4,7 +4,7 @@
#
# Firewall Builder fwb_ipt v4.2.1.ma_1
#
# Generated Fri May 6 15:51:27 2011 PDT by vadim
# Generated Fri May 6 17:49:51 2011 PDT by vadim
#
# files: * rc.firewall.local /etc/rc.d//rc.firewall.local
#


@ -51,9 +51,9 @@
<PolicyInstallScript arguments="" command="" enabled="False"/>
</Management>
<HostOptions>
<Option name="snmp_contact"/>
<Option name="snmp_description"/>
<Option name="snmp_location"/>
<Option name="snmp_contact"></Option>
<Option name="snmp_description"></Option>
<Option name="snmp_location"></Option>
<Option name="use_mac_addr">false</Option>
<Option name="use_mac_addr_filter">False</Option>
</HostOptions>
@ -69,9 +69,9 @@
<PolicyInstallScript arguments="" command="" enabled="False"/>
</Management>
<HostOptions>
<Option name="snmp_contact"/>
<Option name="snmp_description"/>
<Option name="snmp_location"/>
<Option name="snmp_contact"></Option>
<Option name="snmp_description"></Option>
<Option name="snmp_location"></Option>
<Option name="use_mac_addr">false</Option>
<Option name="use_mac_addr_filter">False</Option>
</HostOptions>
@ -100,17 +100,17 @@
</ObjectGroup>
<ServiceGroup id="stdid05" name="Services" comment="" ro="False">
<CustomService id="stdid14_1" name="ESTABLISHED" comment="This service matches all packets which are part of network connections established through the firewall, or connections 'related' to those established through the firewall. Term 'established' refers to the state tracking mechanism which exists inside iptables and other stateful firewalls and does not mean any particular combination of packet header options. Packet is considered to correspond to the state 'ESTABLISHED' if it belongs to the network session, for which proper initiation has been seen by the firewall, so its stateful inspection module made appropriate record in the state table. Usually stateful firewalls keep track of network connections using not only tcp protocol, but also udp and sometimes even icmp protocols. 'RELATED' describes packet belonging to a separate network connection, related to the session firewall is keeping track of. One example is FTP command and FTP data sessions." ro="False" protocol="any" address_family="ipv4">
<CustomServiceCommand platform="Undefined"/>
<CustomServiceCommand platform="Undefined"></CustomServiceCommand>
<CustomServiceCommand platform="iosacl">established</CustomServiceCommand>
<CustomServiceCommand platform="ipfilter"/>
<CustomServiceCommand platform="ipfilter"></CustomServiceCommand>
<CustomServiceCommand platform="ipfw">established</CustomServiceCommand>
<CustomServiceCommand platform="iptables">-m state --state ESTABLISHED,RELATED</CustomServiceCommand>
<CustomServiceCommand platform="procurve_acl">established</CustomServiceCommand>
</CustomService>
<CustomService id="stdid14_2" name="ESTABLISHED ipv6" comment="This service matches all packets which are part of network connections established through the firewall, or connections 'related' to those established through the firewall. Term 'established' refers to the state tracking mechanism which exists inside iptables and other stateful firewalls and does not mean any particular combination of packet header options. Packet is considered to correspond to the state 'ESTABLISHED' if it belongs to the network session, for which proper initiation has been seen by the firewall, so its stateful inspection module made appropriate record in the state table. Usually stateful firewalls keep track of network connections using not only tcp protocol, but also udp and sometimes even icmp protocols. 'RELATED' describes packet belonging to a separate network connection, related to the session firewall is keeping track of. One example is FTP command and FTP data sessions." ro="False" protocol="any" address_family="ipv6">
<CustomServiceCommand platform="Undefined"/>
<CustomServiceCommand platform="Undefined"></CustomServiceCommand>
<CustomServiceCommand platform="iosacl">established</CustomServiceCommand>
<CustomServiceCommand platform="ipfilter"/>
<CustomServiceCommand platform="ipfilter"></CustomServiceCommand>
<CustomServiceCommand platform="ipfw">established</CustomServiceCommand>
<CustomServiceCommand platform="iptables">-m state --state ESTABLISHED,RELATED</CustomServiceCommand>
<CustomServiceCommand platform="procurve_acl">established</CustomServiceCommand>
@ -365,54 +365,54 @@
</ServiceGroup>
<ServiceGroup id="stdid13" name="Custom" comment="" ro="False">
<CustomService id="id3B64EEA8" name="rpc" comment="works in iptables and requires patch-o-matic.&#10;For more information look for patch-o-matic on http://www.netfilter.org/" ro="False" protocol="any" address_family="ipv4">
<CustomServiceCommand platform="Undefined"/>
<CustomServiceCommand platform="ipf"/>
<CustomServiceCommand platform="ipfilter"/>
<CustomServiceCommand platform="ipfw"/>
<CustomServiceCommand platform="Undefined"></CustomServiceCommand>
<CustomServiceCommand platform="ipf"></CustomServiceCommand>
<CustomServiceCommand platform="ipfilter"></CustomServiceCommand>
<CustomServiceCommand platform="ipfw"></CustomServiceCommand>
<CustomServiceCommand platform="iptables">-m record_rpc</CustomServiceCommand>
<CustomServiceCommand platform="pf"/>
<CustomServiceCommand platform="pix"/>
<CustomServiceCommand platform="unknown"/>
<CustomServiceCommand platform="pf"></CustomServiceCommand>
<CustomServiceCommand platform="pix"></CustomServiceCommand>
<CustomServiceCommand platform="unknown"></CustomServiceCommand>
</CustomService>
<CustomService id="id3B64EF4E" name="irc-conn" comment="IRC connection tracker, supports DCC.&#10;Works on iptables and requires patch-o-matic.&#10;For more information look for patch-o-matic on http://www.netfilter.org/&#10;" ro="False" protocol="any" address_family="ipv4">
<CustomServiceCommand platform="Undefined"/>
<CustomServiceCommand platform="ipf"/>
<CustomServiceCommand platform="ipfilter"/>
<CustomServiceCommand platform="ipfw"/>
<CustomServiceCommand platform="Undefined"></CustomServiceCommand>
<CustomServiceCommand platform="ipf"></CustomServiceCommand>
<CustomServiceCommand platform="ipfilter"></CustomServiceCommand>
<CustomServiceCommand platform="ipfw"></CustomServiceCommand>
<CustomServiceCommand platform="iptables">-m irc</CustomServiceCommand>
<CustomServiceCommand platform="pf"/>
<CustomServiceCommand platform="pix"/>
<CustomServiceCommand platform="unknown"/>
<CustomServiceCommand platform="pf"></CustomServiceCommand>
<CustomServiceCommand platform="pix"></CustomServiceCommand>
<CustomServiceCommand platform="unknown"></CustomServiceCommand>
</CustomService>
<CustomService id="id3B64EF50" name="psd" comment="Port scan detector, works only on iptables and requires patch-o-matic &#10;For more information look for patch-o-matic on http://www.netfilter.org/" ro="False" protocol="any" address_family="ipv4">
<CustomServiceCommand platform="Undefined"/>
<CustomServiceCommand platform="ipf"/>
<CustomServiceCommand platform="ipfilter"/>
<CustomServiceCommand platform="ipfw"/>
<CustomServiceCommand platform="Undefined"></CustomServiceCommand>
<CustomServiceCommand platform="ipf"></CustomServiceCommand>
<CustomServiceCommand platform="ipfilter"></CustomServiceCommand>
<CustomServiceCommand platform="ipfw"></CustomServiceCommand>
<CustomServiceCommand platform="iptables">-m psd --psd-weight-threshold 5 --psd-delay-threshold 10000</CustomServiceCommand>
<CustomServiceCommand platform="pf"/>
<CustomServiceCommand platform="pix"/>
<CustomServiceCommand platform="unknown"/>
<CustomServiceCommand platform="pf"></CustomServiceCommand>
<CustomServiceCommand platform="pix"></CustomServiceCommand>
<CustomServiceCommand platform="unknown"></CustomServiceCommand>
</CustomService>
<CustomService id="id3B64EF52" name="string" comment="Matches a string in a whole packet, works in iptables and requires patch-o-matic.&#10;For more information look for patch-o-matic on http://www.netfilter.org/" ro="False" protocol="any" address_family="ipv4">
<CustomServiceCommand platform="Undefined"/>
<CustomServiceCommand platform="ipf"/>
<CustomServiceCommand platform="ipfilter"/>
<CustomServiceCommand platform="ipfw"/>
<CustomServiceCommand platform="Undefined"></CustomServiceCommand>
<CustomServiceCommand platform="ipf"></CustomServiceCommand>
<CustomServiceCommand platform="ipfilter"></CustomServiceCommand>
<CustomServiceCommand platform="ipfw"></CustomServiceCommand>
<CustomServiceCommand platform="iptables">-m string --string test_pattern</CustomServiceCommand>
<CustomServiceCommand platform="pf"/>
<CustomServiceCommand platform="pix"/>
<CustomServiceCommand platform="unknown"/>
<CustomServiceCommand platform="pf"></CustomServiceCommand>
<CustomServiceCommand platform="pix"></CustomServiceCommand>
<CustomServiceCommand platform="unknown"></CustomServiceCommand>
</CustomService>
<CustomService id="id3B64EF54" name="talk" comment="Talk protocol support. Works in iptables and requires patch-o-matic.&#10;For more information look for patch-o-matic on http://www.netfilter.org/" ro="False" protocol="any" address_family="ipv4">
<CustomServiceCommand platform="Undefined"/>
<CustomServiceCommand platform="ipf"/>
<CustomServiceCommand platform="ipfilter"/>
<CustomServiceCommand platform="ipfw"/>
<CustomServiceCommand platform="Undefined"></CustomServiceCommand>
<CustomServiceCommand platform="ipf"></CustomServiceCommand>
<CustomServiceCommand platform="ipfilter"></CustomServiceCommand>
<CustomServiceCommand platform="ipfw"></CustomServiceCommand>
<CustomServiceCommand platform="iptables">-m talk</CustomServiceCommand>
<CustomServiceCommand platform="pf"/>
<CustomServiceCommand platform="pix"/>
<CustomServiceCommand platform="unknown"/>
<CustomServiceCommand platform="pf"></CustomServiceCommand>
<CustomServiceCommand platform="pix"></CustomServiceCommand>
<CustomServiceCommand platform="unknown"></CustomServiceCommand>
</CustomService>
</ServiceGroup>
<ServiceGroup id="stdid19" name="TagServices" comment="" ro="False"/>
@ -435,7 +435,7 @@
<FailoverClusterGroup id="id2719X89830" type="vrrp" name="cluster3:vrrp0:members" comment="">
<ClusterGroupOptions>
<Option name="vrrp_secret">vrrp_secret</Option>
<Option name="vrrp_vrid"/>
<Option name="vrrp_vrid"></Option>
</ClusterGroupOptions>
</FailoverClusterGroup>
<StateSyncClusterGroup id="id2762X92940" type="conntrack" name="State Sync Group-1" comment="">
@ -453,18 +453,18 @@
<Option name="iface_disablearp">False</Option>
<Option name="iface_disableboot">False</Option>
<Option name="iface_mtu">1500</Option>
<Option name="iface_options"/>
<Option name="iface_options"></Option>
<Option name="type">bridge</Option>
<Option name="vlan_id"/>
<Option name="vlan_id"></Option>
</InterfaceOptions>
<Interface id="id10491X48869" dedicated_failover="False" dyn="False" label="" security_level="0" unnum="False" unprotected="False" name="eth2" comment="" ro="False">
<InterfaceOptions>
<Option name="iface_disablearp">False</Option>
<Option name="iface_disableboot">False</Option>
<Option name="iface_mtu">1500</Option>
<Option name="iface_options"/>
<Option name="iface_options"></Option>
<Option name="type">ethernet</Option>
<Option name="vlan_id"/>
<Option name="vlan_id"></Option>
</InterfaceOptions>
</Interface>
<Interface id="id10493X48869" dedicated_failover="False" dyn="False" label="" security_level="0" unnum="False" unprotected="False" name="eth3" comment="" ro="False">
@ -501,7 +501,7 @@
<Option name="iface_disablearp">False</Option>
<Option name="iface_disableboot">False</Option>
<Option name="iface_mtu">1500</Option>
<Option name="iface_options"/>
<Option name="iface_options"></Option>
<Option name="type">8021q</Option>
<Option name="vlan_id">100</Option>
</InterfaceOptions>
@ -512,7 +512,7 @@
<Option name="iface_disablearp">False</Option>
<Option name="iface_disableboot">False</Option>
<Option name="iface_mtu">1500</Option>
<Option name="iface_options"/>
<Option name="iface_options"></Option>
<Option name="type">8021q</Option>
<Option name="vlan_id">101</Option>
</InterfaceOptions>
@ -550,152 +550,145 @@
</NAT>
<Policy id="id2369X75741" name="Policy" comment="" ro="False" ipv4_rule_set="False" ipv6_rule_set="False" top_rule_set="True">
<PolicyRule id="id2913X78273" disabled="False" group="" log="True" position="0" action="Deny" direction="Inbound" comment="anti spoofing rule">
<Src neg="False">
<Src neg="False">
<ObjectRef ref="id3DC75CE7-1"/>
</Src>
<Dst neg="False">
<Dst neg="False">
<ObjectRef ref="sysid0"/>
</Dst>
<Srv neg="False">
<Srv neg="False">
<ServiceRef ref="sysid1"/>
</Srv>
<Itf neg="False">
<Itf neg="False">
<ObjectRef ref="sysid0"/>
</Itf>
<When neg="False">
<When neg="False">
<IntervalRef ref="sysid2"/>
</When>
<PolicyRuleOptions>
<Option name="pf_classify_str"/>
<PolicyRuleOptions>
<Option name="pf_classify_str"></Option>
</PolicyRuleOptions>
</PolicyRule>
</PolicyRule>
<PolicyRule id="id2896X78273" disabled="False" group="" log="False" position="1" action="Accept" direction="Both" comment="">
<Src neg="False">
<Src neg="False">
<ObjectRef ref="sysid0"/>
</Src>
<Dst neg="False">
<Dst neg="False">
<ObjectRef ref="sysid0"/>
</Dst>
<Srv neg="False">
<Srv neg="False">
<ServiceRef ref="sysid1"/>
</Srv>
<Itf neg="False">
<Itf neg="False">
<ObjectRef ref="sysid0"/>
</Itf>
<When neg="False">
<When neg="False">
<IntervalRef ref="sysid2"/>
</When>
<PolicyRuleOptions>
<Option name="pf_classify_str"/>
<PolicyRuleOptions>
<Option name="pf_classify_str"></Option>
</PolicyRuleOptions>
</PolicyRule>
</PolicyRule>
<PolicyRule id="id2879X78273" disabled="False" group="" log="False" position="2" action="Accept" direction="Both" comment="SSH Access to firewall is permitted&#10;only from internal network">
<Src neg="False">
<Src neg="False">
<ObjectRef ref="id3DC75CE7-1"/>
</Src>
<Dst neg="False">
<Dst neg="False">
<ObjectRef ref="sysid0"/>
</Dst>
<Srv neg="False">
<Srv neg="False">
<ServiceRef ref="tcp-SSH"/>
</Srv>
<Itf neg="False">
<Itf neg="False">
<ObjectRef ref="sysid0"/>
</Itf>
<When neg="False">
<When neg="False">
<IntervalRef ref="sysid2"/>
</When>
<PolicyRuleOptions>
<Option name="pf_classify_str"/>
<PolicyRuleOptions>
<Option name="pf_classify_str"></Option>
</PolicyRuleOptions>
</PolicyRule>
</PolicyRule>
<PolicyRule id="id2862X78273" disabled="False" group="" log="True" position="3" action="Accept" direction="Both" comment="Firewall uses one of the machines&#10;on internal network for DNS">
<Src neg="False">
<Src neg="False">
<ObjectRef ref="sysid0"/>
</Src>
<Dst neg="False">
<Dst neg="False">
<ObjectRef ref="id3DC75CE7-1"/>
</Dst>
<Srv neg="False">
<Srv neg="False">
<ServiceRef ref="id3F530CC8"/>
</Srv>
<Itf neg="False">
<Itf neg="False">
<ObjectRef ref="sysid0"/>
</Itf>
<When neg="False">
<When neg="False">
<IntervalRef ref="sysid2"/>
</When>
<PolicyRuleOptions>
<Option name="pf_classify_str"/>
<PolicyRuleOptions>
<Option name="pf_classify_str"></Option>
</PolicyRuleOptions>
</PolicyRule>
</PolicyRule>
<PolicyRule id="id2845X78273" disabled="False" group="" log="True" position="4" action="Deny" direction="Both" comment="All other attempts to connect to&#10;the firewall are denied and logged">
<Src neg="False">
<Src neg="False">
<ObjectRef ref="sysid0"/>
</Src>
<Dst neg="False">
<Dst neg="False">
<ObjectRef ref="sysid0"/>
</Dst>
<Srv neg="False">
<Srv neg="False">
<ServiceRef ref="sysid1"/>
</Srv>
<Itf neg="False">
<Itf neg="False">
<ObjectRef ref="sysid0"/>
</Itf>
<When neg="False">
<When neg="False">
<IntervalRef ref="sysid2"/>
</When>
<PolicyRuleOptions>
<Option name="pf_classify_str"/>
<PolicyRuleOptions>
<Option name="pf_classify_str"></Option>
</PolicyRuleOptions>
</PolicyRule>
</PolicyRule>
<PolicyRule id="id2828X78273" disabled="False" group="" log="False" position="5" action="Accept" direction="Both" comment="">
<Src neg="False">
<Src neg="False">
<ObjectRef ref="id3DC75CE7-1"/>
</Src>
<Dst neg="False">
<Dst neg="False">
<ObjectRef ref="sysid0"/>
</Dst>
<Srv neg="False">
<Srv neg="False">
<ServiceRef ref="sysid1"/>
</Srv>
<Itf neg="False">
<Itf neg="False">
<ObjectRef ref="sysid0"/>
</Itf>
<When neg="False">
<When neg="False">
<IntervalRef ref="sysid2"/>
</When>
<PolicyRuleOptions>
<Option name="pf_classify_str"/>
<PolicyRuleOptions>
<Option name="pf_classify_str"></Option>
</PolicyRuleOptions>
</PolicyRule>
</PolicyRule>
<PolicyRule id="id2811X78273" disabled="False" group="" log="True" position="6" action="Deny" direction="Both" comment="">
<Src neg="False">
<Src neg="False">
<ObjectRef ref="sysid0"/>
</Src>
<Dst neg="False">
<Dst neg="False">
<ObjectRef ref="sysid0"/>
</Dst>
<Srv neg="False">
<Srv neg="False">
<ServiceRef ref="sysid1"/>
</Srv>
<Itf neg="False">
<Itf neg="False">
<ObjectRef ref="sysid0"/>
</Itf>
<When neg="False">
<When neg="False">
<IntervalRef ref="sysid2"/>
</When>
<PolicyRuleOptions>
<Option name="pf_classify_str"/>
<PolicyRuleOptions>
<Option name="pf_classify_str"></Option>
</PolicyRuleOptions>
</PolicyRule>
</PolicyRule>
<RuleSetOptions/>
</Policy>
<Routing id="id2371X75741" name="Routing" comment="" ro="False" ipv4_rule_set="False" ipv6_rule_set="False" top_rule_set="True">
@ -767,150 +760,143 @@
</NAT>
<Policy id="id2780X94039" name="Policy" comment="" ro="False" ipv4_rule_set="False" ipv6_rule_set="False" top_rule_set="True">
<PolicyRule id="id3055X14356" disabled="False" group="" log="False" position="0" action="Accept" direction="Both" comment="">
<Src neg="False">
<Src neg="False">
<ObjectRef ref="sysid0"/>
</Src>
<Dst neg="False">
<Dst neg="False">
<ObjectRef ref="id3054X14356"/>
</Dst>
<Srv neg="False">
<Srv neg="False">
<ServiceRef ref="id3068X14356"/>
</Srv>
<Itf neg="False">
<Itf neg="False">
<ObjectRef ref="sysid0"/>
</Itf>
<When neg="False">
<When neg="False">
<IntervalRef ref="sysid2"/>
</When>
<PolicyRuleOptions>
<PolicyRuleOptions>
<Option name="pf_classify_str"></Option>
<Option name="stateless">False</Option>
<Option name="pf_classify_str"/>
</PolicyRuleOptions>
</PolicyRule>
</PolicyRule>
<PolicyRule id="id2781X94039" disabled="False" group="" log="True" position="1" action="Deny" direction="Inbound" comment="anti spoofing rule">
<Src neg="False">
<Src neg="False">
<ObjectRef ref="id3DC75CE7-1"/>
</Src>
<Dst neg="False">
<Dst neg="False">
<ObjectRef ref="sysid0"/>
</Dst>
<Srv neg="False">
<Srv neg="False">
<ServiceRef ref="sysid1"/>
</Srv>
<Itf neg="False">
<Itf neg="False">
<ObjectRef ref="sysid0"/>
</Itf>
<When neg="False">
<When neg="False">
<IntervalRef ref="sysid2"/>
</When>
<PolicyRuleOptions>
<Option name="pf_classify_str"/>
<PolicyRuleOptions>
<Option name="pf_classify_str"></Option>
</PolicyRuleOptions>
</PolicyRule>
</PolicyRule>
<PolicyRule id="id2794X94039" disabled="False" group="" log="False" position="2" action="Accept" direction="Both" comment="">
<Src neg="False">
<Src neg="False">
<ObjectRef ref="sysid0"/>
</Src>
<Dst neg="False">
<Dst neg="False">
<ObjectRef ref="sysid0"/>
</Dst>
<Srv neg="False">
<Srv neg="False">
<ServiceRef ref="sysid1"/>
</Srv>
<Itf neg="False">
<Itf neg="False">
<ObjectRef ref="sysid0"/>
</Itf>
<When neg="False">
<When neg="False">
<IntervalRef ref="sysid2"/>
</When>
<PolicyRuleOptions>
<Option name="pf_classify_str"/>
<PolicyRuleOptions>
<Option name="pf_classify_str"></Option>
</PolicyRuleOptions>
</PolicyRule>
</PolicyRule>
<PolicyRule id="id2806X94039" disabled="False" group="" log="False" position="3" action="Accept" direction="Both" comment="SSH Access to firewall is permitted&#10;only from internal network">
<Src neg="False">
<Src neg="False">
<ObjectRef ref="id3DC75CE7-1"/>
</Src>
<Dst neg="False">
<Dst neg="False">
<ObjectRef ref="sysid0"/>
</Dst>
<Srv neg="False">
<Srv neg="False">
<ServiceRef ref="tcp-SSH"/>
</Srv>
<Itf neg="False">
<Itf neg="False">
<ObjectRef ref="sysid0"/>
</Itf>
<When neg="False">
<When neg="False">
<IntervalRef ref="sysid2"/>
</When>
<PolicyRuleOptions>
<Option name="pf_classify_str"/>
<PolicyRuleOptions>
<Option name="pf_classify_str"></Option>
</PolicyRuleOptions>
</PolicyRule>
</PolicyRule>
<PolicyRule id="id3725X2234" disabled="False" group="" log="False" position="4" action="Accept" direction="Both" comment="SSH Access to firewall is permitted&#10;only from internal network">
<Src neg="False">
<Src neg="False">
<ObjectRef ref="id3DC75CE7-1"/>
</Src>
<Dst neg="False">
<Dst neg="False">
<ObjectRef ref="sysid0"/>
</Dst>
<Srv neg="False">
<Srv neg="False">
<ServiceRef ref="tcp-SSH"/>
</Srv>
<Itf neg="False">
<Itf neg="False">
<ObjectRef ref="sysid0"/>
</Itf>
<When neg="False">
<When neg="False">
<IntervalRef ref="sysid2"/>
</When>
<PolicyRuleOptions>
<Option name="pf_classify_str"/>
<PolicyRuleOptions>
<Option name="pf_classify_str"></Option>
</PolicyRuleOptions>
</PolicyRule>
</PolicyRule>
<PolicyRule id="id2818X94039" disabled="False" group="" log="True" position="5" action="Accept" direction="Both" comment="Firewall uses one of the machines&#10;on internal network for DNS">
<Src neg="False">
<Src neg="False">
<ObjectRef ref="sysid0"/>
</Src>
<Dst neg="False">
<Dst neg="False">
<ObjectRef ref="id3DC75CE7-1"/>
</Dst>
<Srv neg="False">
<Srv neg="False">
<ServiceRef ref="id3F530CC8"/>
</Srv>
<Itf neg="False">
<Itf neg="False">
<ObjectRef ref="sysid0"/>
</Itf>
<When neg="False">
<When neg="False">
<IntervalRef ref="sysid2"/>
</When>
<PolicyRuleOptions>
<Option name="pf_classify_str"/>
<PolicyRuleOptions>
<Option name="pf_classify_str"></Option>
</PolicyRuleOptions>
</PolicyRule>
</PolicyRule>
<PolicyRule id="id2830X94039" disabled="False" group="" log="True" position="6" action="Deny" direction="Both" comment="All other attempts to connect to&#10;the firewall are denied and logged">
<Src neg="False">
<Src neg="False">
<ObjectRef ref="sysid0"/>
</Src>
<Dst neg="False">
<Dst neg="False">
<ObjectRef ref="sysid0"/>
</Dst>
<Srv neg="False">
<Srv neg="False">
<ServiceRef ref="sysid1"/>
</Srv>
<Itf neg="False">
<Itf neg="False">
<ObjectRef ref="sysid0"/>
</Itf>
<When neg="False">
<When neg="False">
<IntervalRef ref="sysid2"/>
</When>
<PolicyRuleOptions>
<PolicyRuleOptions>
<Option name="connlimit_masklen">0</Option>
<Option name="connlimit_value">0</Option>
<Option name="firewall_is_part_of_any_and_networks">False</Option>
@ -923,87 +909,81 @@
<Option name="hashlimit_mode_dstport">False</Option>
<Option name="hashlimit_mode_srcip">False</Option>
<Option name="hashlimit_mode_srcport">False</Option>
<Option name="hashlimit_name"/>
<Option name="hashlimit_name"></Option>
<Option name="hashlimit_size">0</Option>
<Option name="hashlimit_suffix"/>
<Option name="hashlimit_suffix"></Option>
<Option name="hashlimit_value">0</Option>
<Option name="limit_burst">0</Option>
<Option name="limit_suffix"/>
<Option name="limit_suffix"></Option>
<Option name="limit_value">0</Option>
<Option name="log_level"/>
<Option name="log_prefix"/>
<Option name="log_level"></Option>
<Option name="log_prefix"></Option>
<Option name="pf_classify_str"></Option>
<Option name="stateless">True</Option>
<Option name="ulog_nlgroup">1</Option>
<Option name="pf_classify_str"/>
</PolicyRuleOptions>
</PolicyRule>
</PolicyRule>
<PolicyRule id="id2842X94039" disabled="False" group="" log="False" position="7" action="Accept" direction="Both" comment="">
<Src neg="False">
<Src neg="False">
<ObjectRef ref="id3DC75CE7-1"/>
</Src>
<Dst neg="False">
<Dst neg="False">
<ObjectRef ref="sysid0"/>
</Dst>
<Srv neg="False">
<Srv neg="False">
<ServiceRef ref="sysid1"/>
</Srv>
<Itf neg="False">
<Itf neg="False">
<ObjectRef ref="sysid0"/>
</Itf>
<When neg="False">
<When neg="False">
<IntervalRef ref="sysid2"/>
</When>
<PolicyRuleOptions>
<Option name="pf_classify_str"/>
<PolicyRuleOptions>
<Option name="pf_classify_str"></Option>
</PolicyRuleOptions>
</PolicyRule>
</PolicyRule>
<PolicyRule id="id2854X94039" disabled="False" group="" log="True" position="8" action="Deny" direction="Both" comment="">
<Src neg="False">
<Src neg="False">
<ObjectRef ref="sysid0"/>
</Src>
<Dst neg="False">
<Dst neg="False">
<ObjectRef ref="sysid0"/>
</Dst>
<Srv neg="False">
<Srv neg="False">
<ServiceRef ref="sysid1"/>
</Srv>
<Itf neg="False">
<Itf neg="False">
<ObjectRef ref="sysid0"/>
</Itf>
<When neg="False">
<When neg="False">
<IntervalRef ref="sysid2"/>
</When>
<PolicyRuleOptions>
<Option name="pf_classify_str"/>
<PolicyRuleOptions>
<Option name="pf_classify_str"></Option>
</PolicyRuleOptions>
</PolicyRule>
</PolicyRule>
<PolicyRule id="id3087X2234" disabled="False" group="" log="True" position="9" action="Deny" direction="Both" comment="">
<Src neg="False">
<Src neg="False">
<ObjectRef ref="sysid0"/>
</Src>
<Dst neg="False">
<Dst neg="False">
<ObjectRef ref="sysid0"/>
</Dst>
<Srv neg="False">
<Srv neg="False">
<ServiceRef ref="sysid1"/>
</Srv>
<Itf neg="False">
<Itf neg="False">
<ObjectRef ref="sysid0"/>
</Itf>
<When neg="False">
<When neg="False">
<IntervalRef ref="sysid2"/>
</When>
<PolicyRuleOptions>
<PolicyRuleOptions>
<Option name="pf_classify_str"></Option>
<Option name="stateless">True</Option>
<Option name="pf_classify_str"/>
</PolicyRuleOptions>
</PolicyRule>
</PolicyRule>
<RuleSetOptions/>
</Policy>
<Routing id="id2881X94039" name="Routing" comment="" ro="False" ipv4_rule_set="False" ipv6_rule_set="False" top_rule_set="True">
@ -1129,16 +1109,16 @@
<FirewallOptions>
<Option name="accept_established">True</Option>
<Option name="accept_new_tcp_with_no_syn">True</Option>
<Option name="action_on_reject"/>
<Option name="activationCmd"/>
<Option name="admUser"/>
<Option name="altAddress"/>
<Option name="action_on_reject"></Option>
<Option name="activationCmd"></Option>
<Option name="admUser"></Option>
<Option name="altAddress"></Option>
<Option name="bridging_fw">False</Option>
<Option name="check_shading">False</Option>
<Option name="clamp_mss_to_mtu">False</Option>
<Option name="classify_mark_terminating">False</Option>
<Option name="cmdline"/>
<Option name="compiler"/>
<Option name="cmdline"></Option>
<Option name="compiler"></Option>
<Option name="configure_bonding_interfaces">True</Option>
<Option name="configure_bridge_interfaces">True</Option>
<Option name="configure_interfaces">True</Option>
@ -1146,14 +1126,14 @@
<Option name="debug">False</Option>
<Option name="drop_invalid">False</Option>
<Option name="eliminate_duplicates">true</Option>
<Option name="epilog_script"/>
<Option name="epilog_script"></Option>
<Option name="firewall_dir">/etc</Option>
<Option name="firewall_is_part_of_any_and_networks">True</Option>
<Option name="flush_and_set_default_policy">True</Option>
<Option name="freebsd_ip_forward">1</Option>
<Option name="ignore_empty_groups">False</Option>
<Option name="ipv4_6_order">ipv4_first</Option>
<Option name="limit_suffix"/>
<Option name="limit_suffix"></Option>
<Option name="limit_value">0</Option>
<Option name="linux24_ip_forward">1</Option>
<Option name="load_modules">True</Option>
@ -1168,11 +1148,11 @@
<Option name="loopback_interface">lo</Option>
<Option name="macosx_ip_forward">1</Option>
<Option name="manage_virtual_addr">True</Option>
<Option name="mgmt_addr"/>
<Option name="mgmt_addr"></Option>
<Option name="mgmt_ssh">False</Option>
<Option name="modules_dir">/lib/modules/`uname -r`/kernel/net/</Option>
<Option name="openbsd_ip_forward">1</Option>
<Option name="output_file"/>
<Option name="output_file"></Option>
<Option name="pf_limit_frags">5000</Option>
<Option name="pf_limit_states">10000</Option>
<Option name="pf_timeout_frag">30</Option>
@ -1190,13 +1170,13 @@
<Option name="pix_syslog_device_id_supported">false</Option>
<Option name="pix_use_acl_remarks">true</Option>
<Option name="prolog_place">top</Option>
<Option name="prolog_script"/>
<Option name="scpArgs"/>
<Option name="prolog_script"></Option>
<Option name="scpArgs"></Option>
<Option name="secuwall_add_files">False</Option>
<Option name="secuwall_add_files_dir">/opt/secuwall/templates/default</Option>
<Option name="secuwall_dns_reso1">files</Option>
<Option name="solaris_ip_forward">1</Option>
<Option name="sshArgs"/>
<Option name="sshArgs"></Option>
<Option name="ulog_cprange">0</Option>
<Option name="ulog_nlgroup">1</Option>
<Option name="ulog_qthreshold">1</Option>
@ -1252,29 +1232,29 @@
<FirewallOptions>
<Option name="accept_established">True</Option>
<Option name="accept_new_tcp_with_no_syn">True</Option>
<Option name="action_on_reject"/>
<Option name="activationCmd"/>
<Option name="admUser"/>
<Option name="altAddress"/>
<Option name="action_on_reject"></Option>
<Option name="activationCmd"></Option>
<Option name="admUser"></Option>
<Option name="altAddress"></Option>
<Option name="bridging_fw">False</Option>
<Option name="check_shading">False</Option>
<Option name="clamp_mss_to_mtu">False</Option>
<Option name="classify_mark_terminating">False</Option>
<Option name="cmdline"/>
<Option name="compiler"/>
<Option name="cmdline"></Option>
<Option name="compiler"></Option>
<Option name="configure_interfaces">True</Option>
<Option name="configure_vlan_interfaces">True</Option>
<Option name="debug">False</Option>
<Option name="drop_invalid">False</Option>
<Option name="eliminate_duplicates">true</Option>
<Option name="epilog_script"/>
<Option name="epilog_script"></Option>
<Option name="firewall_dir">/etc</Option>
<Option name="firewall_is_part_of_any_and_networks">True</Option>
<Option name="flush_and_set_default_policy">True</Option>
<Option name="freebsd_ip_forward">1</Option>
<Option name="ignore_empty_groups">False</Option>
<Option name="ipv4_6_order">ipv4_first</Option>
<Option name="limit_suffix"/>
<Option name="limit_suffix"></Option>
<Option name="limit_value">0</Option>
<Option name="linux24_ip_forward">1</Option>
<Option name="load_modules">True</Option>
@ -1289,11 +1269,11 @@
<Option name="loopback_interface">lo</Option>
<Option name="macosx_ip_forward">1</Option>
<Option name="manage_virtual_addr">True</Option>
<Option name="mgmt_addr"/>
<Option name="mgmt_addr"></Option>
<Option name="mgmt_ssh">False</Option>
<Option name="modules_dir">/lib/modules/`uname -r`/kernel/net/</Option>
<Option name="openbsd_ip_forward">1</Option>
<Option name="output_file"/>
<Option name="output_file"></Option>
<Option name="pf_limit_frags">5000</Option>
<Option name="pf_limit_states">10000</Option>
<Option name="pf_timeout_frag">30</Option>
@ -1311,13 +1291,13 @@
<Option name="pix_syslog_device_id_supported">false</Option>
<Option name="pix_use_acl_remarks">true</Option>
<Option name="prolog_place">top</Option>
<Option name="prolog_script"/>
<Option name="scpArgs"/>
<Option name="prolog_script"></Option>
<Option name="scpArgs"></Option>
<Option name="secuwall_add_files">False</Option>
<Option name="secuwall_add_files_dir">/opt/secuwall/templates/default</Option>
<Option name="secuwall_dns_reso1">files</Option>
<Option name="solaris_ip_forward">1</Option>
<Option name="sshArgs"/>
<Option name="sshArgs"></Option>
<Option name="ulog_cprange">0</Option>
<Option name="ulog_nlgroup">1</Option>
<Option name="ulog_qthreshold">1</Option>
@ -1357,28 +1337,28 @@
<FirewallOptions>
<Option name="accept_established">True</Option>
<Option name="accept_new_tcp_with_no_syn">True</Option>
<Option name="action_on_reject"/>
<Option name="activationCmd"/>
<Option name="admUser"/>
<Option name="altAddress"/>
<Option name="action_on_reject"></Option>
<Option name="activationCmd"></Option>
<Option name="admUser"></Option>
<Option name="altAddress"></Option>
<Option name="bridging_fw">False</Option>
<Option name="check_shading">False</Option>
<Option name="clamp_mss_to_mtu">False</Option>
<Option name="classify_mark_terminating">False</Option>
<Option name="cmdline"/>
<Option name="compiler"/>
<Option name="cmdline"></Option>
<Option name="compiler"></Option>
<Option name="configure_interfaces">True</Option>
<Option name="debug">False</Option>
<Option name="drop_invalid">False</Option>
<Option name="eliminate_duplicates">true</Option>
<Option name="epilog_script"/>
<Option name="epilog_script"></Option>
<Option name="firewall_dir">/etc</Option>
<Option name="firewall_is_part_of_any_and_networks">True</Option>
<Option name="flush_and_set_default_policy">True</Option>
<Option name="freebsd_ip_forward">1</Option>
<Option name="ignore_empty_groups">False</Option>
<Option name="ipv4_6_order">ipv4_first</Option>
<Option name="limit_suffix"/>
<Option name="limit_suffix"></Option>
<Option name="limit_value">0</Option>
<Option name="linux24_ip_forward">1</Option>
<Option name="load_modules">True</Option>
@ -1393,11 +1373,11 @@
<Option name="loopback_interface">lo</Option>
<Option name="macosx_ip_forward">1</Option>
<Option name="manage_virtual_addr">True</Option>
<Option name="mgmt_addr"/>
<Option name="mgmt_addr"></Option>
<Option name="mgmt_ssh">False</Option>
<Option name="modules_dir">/lib/modules/`uname -r`/kernel/net/</Option>
<Option name="openbsd_ip_forward">1</Option>
<Option name="output_file"/>
<Option name="output_file"></Option>
<Option name="pf_limit_frags">5000</Option>
<Option name="pf_limit_states">10000</Option>
<Option name="pf_timeout_frag">30</Option>
@ -1415,13 +1395,13 @@
<Option name="pix_syslog_device_id_supported">false</Option>
<Option name="pix_use_acl_remarks">true</Option>
<Option name="prolog_place">top</Option>
<Option name="prolog_script"/>
<Option name="scpArgs"/>
<Option name="prolog_script"></Option>
<Option name="scpArgs"></Option>
<Option name="secuwall_add_files">False</Option>
<Option name="secuwall_add_files_dir">/opt/secuwall/templates/default</Option>
<Option name="secuwall_dns_reso1">files</Option>
<Option name="solaris_ip_forward">1</Option>
<Option name="sshArgs"/>
<Option name="sshArgs"></Option>
<Option name="ulog_cprange">0</Option>
<Option name="ulog_nlgroup">1</Option>
<Option name="ulog_qthreshold">1</Option>
@ -1454,9 +1434,9 @@
<Option name="iface_disablearp">False</Option>
<Option name="iface_disableboot">False</Option>
<Option name="iface_mtu">1500</Option>
<Option name="iface_options"/>
<Option name="iface_options"></Option>
<Option name="type">ethernet</Option>
<Option name="vlan_id"/>
<Option name="vlan_id"></Option>
</InterfaceOptions>
</Interface>
<Interface id="id4038X2906" dedicated_failover="False" dyn="False" label="" mgmt="False" security_level="100" unnum="False" unprotected="False" name="lo" comment="" ro="False">
@ -1474,28 +1454,28 @@
<FirewallOptions>
<Option name="accept_established">True</Option>
<Option name="accept_new_tcp_with_no_syn">True</Option>
<Option name="action_on_reject"/>
<Option name="activationCmd"/>
<Option name="admUser"/>
<Option name="altAddress"/>
<Option name="action_on_reject"></Option>
<Option name="activationCmd"></Option>
<Option name="admUser"></Option>
<Option name="altAddress"></Option>
<Option name="bridging_fw">False</Option>
<Option name="check_shading">False</Option>
<Option name="clamp_mss_to_mtu">False</Option>
<Option name="classify_mark_terminating">False</Option>
<Option name="cmdline"/>
<Option name="compiler"/>
<Option name="cmdline"></Option>
<Option name="compiler"></Option>
<Option name="configure_interfaces">True</Option>
<Option name="debug">False</Option>
<Option name="drop_invalid">False</Option>
<Option name="eliminate_duplicates">true</Option>
<Option name="epilog_script"/>
<Option name="epilog_script"></Option>
<Option name="firewall_dir">/etc</Option>
<Option name="firewall_is_part_of_any_and_networks">True</Option>
<Option name="flush_and_set_default_policy">True</Option>
<Option name="freebsd_ip_forward">1</Option>
<Option name="ignore_empty_groups">False</Option>
<Option name="ipv4_6_order">ipv4_first</Option>
<Option name="limit_suffix"/>
<Option name="limit_suffix"></Option>
<Option name="limit_value">0</Option>
<Option name="linux24_ip_forward">1</Option>
<Option name="load_modules">True</Option>
@ -1510,11 +1490,11 @@
<Option name="loopback_interface">lo</Option>
<Option name="macosx_ip_forward">1</Option>
<Option name="manage_virtual_addr">True</Option>
<Option name="mgmt_addr"/>
<Option name="mgmt_addr"></Option>
<Option name="mgmt_ssh">False</Option>
<Option name="modules_dir">/lib/modules/`uname -r`/kernel/net/</Option>
<Option name="openbsd_ip_forward">1</Option>
<Option name="output_file"/>
<Option name="output_file"></Option>
<Option name="pf_limit_frags">5000</Option>
<Option name="pf_limit_states">10000</Option>
<Option name="pf_timeout_frag">30</Option>
@ -1532,13 +1512,13 @@
<Option name="pix_syslog_device_id_supported">false</Option>
<Option name="pix_use_acl_remarks">true</Option>
<Option name="prolog_place">top</Option>
<Option name="prolog_script"/>
<Option name="scpArgs"/>
<Option name="prolog_script"></Option>
<Option name="scpArgs"></Option>
<Option name="secuwall_add_files">False</Option>
<Option name="secuwall_add_files_dir">/opt/secuwall/templates/default</Option>
<Option name="secuwall_dns_reso1">files</Option>
<Option name="solaris_ip_forward">1</Option>
<Option name="sshArgs"/>
<Option name="sshArgs"></Option>
<Option name="ulog_cprange">0</Option>
<Option name="ulog_nlgroup">1</Option>
<Option name="ulog_qthreshold">1</Option>
@ -1585,9 +1565,9 @@
<Option name="iface_disablearp">False</Option>
<Option name="iface_disableboot">False</Option>
<Option name="iface_mtu">1500</Option>
<Option name="iface_options"/>
<Option name="iface_options"></Option>
<Option name="type">bonding</Option>
<Option name="vlan_id"/>
<Option name="vlan_id"></Option>
</InterfaceOptions>
<Interface id="id3807X49120" dedicated_failover="False" dyn="False" label="" security_level="0" unnum="False" unprotected="False" name="eth2" comment="" ro="False">
<InterfaceOptions>
@ -1610,28 +1590,28 @@
<FirewallOptions>
<Option name="accept_established">True</Option>
<Option name="accept_new_tcp_with_no_syn">True</Option>
<Option name="action_on_reject"/>
<Option name="activationCmd"/>
<Option name="admUser"/>
<Option name="altAddress"/>
<Option name="action_on_reject"></Option>
<Option name="activationCmd"></Option>
<Option name="admUser"></Option>
<Option name="altAddress"></Option>
<Option name="bridging_fw">False</Option>
<Option name="check_shading">False</Option>
<Option name="clamp_mss_to_mtu">False</Option>
<Option name="classify_mark_terminating">False</Option>
<Option name="cmdline"/>
<Option name="compiler"/>
<Option name="cmdline"></Option>
<Option name="compiler"></Option>
<Option name="configure_interfaces">True</Option>
<Option name="debug">False</Option>
<Option name="drop_invalid">False</Option>
<Option name="eliminate_duplicates">true</Option>
<Option name="epilog_script"/>
<Option name="epilog_script"></Option>
<Option name="firewall_dir">/etc</Option>
<Option name="firewall_is_part_of_any_and_networks">True</Option>
<Option name="flush_and_set_default_policy">True</Option>
<Option name="freebsd_ip_forward">1</Option>
<Option name="ignore_empty_groups">False</Option>
<Option name="ipv4_6_order">ipv4_first</Option>
<Option name="limit_suffix"/>
<Option name="limit_suffix"></Option>
<Option name="limit_value">0</Option>
<Option name="linux24_ip_forward">1</Option>
<Option name="load_modules">True</Option>
@ -1646,11 +1626,11 @@
<Option name="loopback_interface">lo</Option>
<Option name="macosx_ip_forward">1</Option>
<Option name="manage_virtual_addr">True</Option>
<Option name="mgmt_addr"/>
<Option name="mgmt_addr"></Option>
<Option name="mgmt_ssh">False</Option>
<Option name="modules_dir">/lib/modules/`uname -r`/kernel/net/</Option>
<Option name="openbsd_ip_forward">1</Option>
<Option name="output_file"/>
<Option name="output_file"></Option>
<Option name="pf_limit_frags">5000</Option>
<Option name="pf_limit_states">10000</Option>
<Option name="pf_timeout_frag">30</Option>
@ -1668,13 +1648,13 @@
<Option name="pix_syslog_device_id_supported">false</Option>
<Option name="pix_use_acl_remarks">true</Option>
<Option name="prolog_place">top</Option>
<Option name="prolog_script"/>
<Option name="scpArgs"/>
<Option name="prolog_script"></Option>
<Option name="scpArgs"></Option>
<Option name="secuwall_add_files">False</Option>
<Option name="secuwall_add_files_dir">/opt/secuwall/templates/default</Option>
<Option name="secuwall_dns_reso1">files</Option>
<Option name="solaris_ip_forward">1</Option>
<Option name="sshArgs"/>
<Option name="sshArgs"></Option>
<Option name="ulog_cprange">0</Option>
<Option name="ulog_nlgroup">1</Option>
<Option name="ulog_qthreshold">1</Option>
@ -1981,11 +1961,9 @@
<IntervalRef ref="sysid2"/>
</When>
<PolicyRuleOptions>
<Option name="pf_classify_str"></Option>
<Option name="stateless">False</Option>
<Option name="pf_classify_str"/>
</PolicyRuleOptions>
</PolicyRuleOptions>
</PolicyRule>
<PolicyRule id="id5954X26920" disabled="False" group="" log="False" position="1" action="Accept" direction="Both" comment="">
<Src neg="False">
@ -2004,11 +1982,9 @@
<IntervalRef ref="sysid2"/>
</When>
<PolicyRuleOptions>
<Option name="pf_classify_str"></Option>
<Option name="stateless">False</Option>
<Option name="pf_classify_str"/>
</PolicyRuleOptions>
</PolicyRuleOptions>
</PolicyRule>
<PolicyRule id="id7136X39764" disabled="False" group="" log="False" position="2" action="Accept" direction="Both" comment="">
<Src neg="False">
@ -2027,11 +2003,9 @@
<IntervalRef ref="sysid2"/>
</When>
<PolicyRuleOptions>
<Option name="pf_classify_str"></Option>
<Option name="stateless">False</Option>
<Option name="pf_classify_str"/>
</PolicyRuleOptions>
</PolicyRuleOptions>
</PolicyRule>
<PolicyRule id="id7162X39764" disabled="False" group="" log="False" position="3" action="Accept" direction="Both" comment="">
<Src neg="False">
@ -2050,11 +2024,9 @@
<IntervalRef ref="sysid2"/>
</When>
<PolicyRuleOptions>
<Option name="pf_classify_str"></Option>
<Option name="stateless">False</Option>
<Option name="pf_classify_str"/>
</PolicyRuleOptions>
</PolicyRuleOptions>
</PolicyRule>
<PolicyRule id="id7149X39764" disabled="False" group="" log="False" position="4" action="Accept" direction="Inbound" comment="">
<Src neg="False">
@ -2073,11 +2045,9 @@
<IntervalRef ref="sysid2"/>
</When>
<PolicyRuleOptions>
<Option name="pf_classify_str"></Option>
<Option name="stateless">False</Option>
<Option name="pf_classify_str"/>
</PolicyRuleOptions>
</PolicyRuleOptions>
</PolicyRule>
<PolicyRule id="id39043X28773" disabled="False" group="" log="False" position="5" action="Accept" direction="Inbound" comment="">
<Src neg="False">
@ -2096,11 +2066,9 @@
<IntervalRef ref="sysid2"/>
</When>
<PolicyRuleOptions>
<Option name="pf_classify_str"></Option>
<Option name="stateless">False</Option>
<Option name="pf_classify_str"/>
</PolicyRuleOptions>
</PolicyRuleOptions>
</PolicyRule>
<PolicyRule id="id5942X26920" disabled="False" group="" log="True" position="6" action="Deny" direction="Both" comment="">
<Src neg="False">
@ -2119,11 +2087,9 @@
<IntervalRef ref="sysid2"/>
</When>
<PolicyRuleOptions>
<Option name="pf_classify_str"></Option>
<Option name="stateless">True</Option>
<Option name="pf_classify_str"/>
</PolicyRuleOptions>
</PolicyRuleOptions>
</PolicyRule>
<RuleSetOptions/>
</Policy>
@ -2201,11 +2167,9 @@
<IntervalRef ref="sysid2"/>
</When>
<PolicyRuleOptions>
<Option name="pf_classify_str"></Option>
<Option name="stateless">True</Option>
<Option name="pf_classify_str"/>
</PolicyRuleOptions>
</PolicyRuleOptions>
</PolicyRule>
<RuleSetOptions/>
</Policy>
@ -2280,11 +2244,9 @@
<IntervalRef ref="sysid2"/>
</When>
<PolicyRuleOptions>
<Option name="pf_classify_str"></Option>
<Option name="stateless">True</Option>
<Option name="pf_classify_str"/>
</PolicyRuleOptions>
</PolicyRuleOptions>
</PolicyRule>
<PolicyRule id="id56069X50958" disabled="False" group="" log="False" position="1" action="Accept" direction="Both" comment="">
<Src neg="False">
@ -2303,11 +2265,9 @@
<IntervalRef ref="sysid2"/>
</When>
<PolicyRuleOptions>
<Option name="pf_classify_str"></Option>
<Option name="stateless">False</Option>
<Option name="pf_classify_str"/>
</PolicyRuleOptions>
</PolicyRuleOptions>
</PolicyRule>
<PolicyRule id="id4808X69263" disabled="False" group="test for interface group" log="False" position="2" action="Accept" direction="Both" comment="">
<Src neg="False">
@ -2328,11 +2288,9 @@
</When>
<PolicyRuleOptions>
<Option name="color">#C0BA44</Option>
<Option name="pf_classify_str"></Option>
<Option name="stateless">False</Option>
<Option name="pf_classify_str"/>
</PolicyRuleOptions>
</PolicyRuleOptions>
</PolicyRule>
<PolicyRule id="id24679X69263" disabled="False" group="test for interface group" log="False" position="3" action="Accept" direction="Both" comment="">
<Src neg="False">
@ -2352,11 +2310,9 @@
</When>
<PolicyRuleOptions>
<Option name="color">#C0BA44</Option>
<Option name="pf_classify_str"></Option>
<Option name="stateless">False</Option>
<Option name="pf_classify_str"/>
</PolicyRuleOptions>
</PolicyRuleOptions>
</PolicyRule>
<PolicyRule id="id72694X50958" disabled="False" group="" log="False" position="4" action="Accept" direction="Both" comment="">
<Src neg="False">
@ -2375,11 +2331,9 @@
<IntervalRef ref="sysid2"/>
</When>
<PolicyRuleOptions>
<Option name="pf_classify_str"></Option>
<Option name="stateless">False</Option>
<Option name="pf_classify_str"/>
</PolicyRuleOptions>
</PolicyRuleOptions>
</PolicyRule>
<PolicyRule id="id89654X50958" disabled="False" group="" log="False" position="5" action="Accept" direction="Both" comment="">
<Src neg="False">
@ -2399,11 +2353,9 @@
<IntervalRef ref="sysid2"/>
</When>
<PolicyRuleOptions>
<Option name="pf_classify_str"></Option>
<Option name="stateless">False</Option>
<Option name="pf_classify_str"/>
</PolicyRuleOptions>
</PolicyRuleOptions>
</PolicyRule>
<PolicyRule id="id106892X50958" disabled="False" group="" log="False" position="6" action="Accept" direction="Both" comment="">
<Src neg="False">
@ -2424,11 +2376,9 @@
<IntervalRef ref="sysid2"/>
</When>
<PolicyRuleOptions>
<Option name="pf_classify_str"></Option>
<Option name="stateless">False</Option>
<Option name="pf_classify_str"/>
</PolicyRuleOptions>
</PolicyRuleOptions>
</PolicyRule>
<PolicyRule id="id124525X50958" disabled="False" group="" log="False" position="7" action="Accept" direction="Inbound" comment="">
<Src neg="False">
@ -2447,11 +2397,9 @@
<IntervalRef ref="sysid2"/>
</When>
<PolicyRuleOptions>
<Option name="pf_classify_str"></Option>
<Option name="stateless">False</Option>
<Option name="pf_classify_str"/>
</PolicyRuleOptions>
</PolicyRuleOptions>
</PolicyRule>
<PolicyRule id="id124478X50958" disabled="False" group="" log="False" position="8" action="Accept" direction="Inbound" comment="">
<Src neg="False">
@ -2471,11 +2419,9 @@
<IntervalRef ref="sysid2"/>
</When>
<PolicyRuleOptions>
<Option name="pf_classify_str"></Option>
<Option name="stateless">False</Option>
<Option name="pf_classify_str"/>
</PolicyRuleOptions>
</PolicyRuleOptions>
</PolicyRule>
<PolicyRule id="id124667X50958" disabled="False" group="" log="False" position="9" action="Accept" direction="Outbound" comment="">
<Src neg="False">
@ -2494,11 +2440,9 @@
<IntervalRef ref="sysid2"/>
</When>
<PolicyRuleOptions>
<Option name="pf_classify_str"></Option>
<Option name="stateless">False</Option>
<Option name="pf_classify_str"/>
</PolicyRuleOptions>
</PolicyRuleOptions>
</PolicyRule>
<PolicyRule id="id124620X50958" disabled="False" group="" log="False" position="10" action="Accept" direction="Outbound" comment="">
<Src neg="False">
@ -2518,11 +2462,9 @@
<IntervalRef ref="sysid2"/>
</When>
<PolicyRuleOptions>
<Option name="pf_classify_str"></Option>
<Option name="stateless">False</Option>
<Option name="pf_classify_str"/>
</PolicyRuleOptions>
</PolicyRuleOptions>
</PolicyRule>
<PolicyRule id="id181105X50958" disabled="False" group="" log="False" position="11" action="Accept" direction="Both" comment="">
<Src neg="False">
@ -2541,11 +2483,9 @@
<IntervalRef ref="sysid2"/>
</When>
<PolicyRuleOptions>
<Option name="pf_classify_str"></Option>
<Option name="stateless">False</Option>
<Option name="pf_classify_str"/>
</PolicyRuleOptions>
</PolicyRuleOptions>
</PolicyRule>
<PolicyRule id="id181058X50958" disabled="False" group="" log="False" position="12" action="Accept" direction="Both" comment="">
<Src neg="False">
@ -2565,11 +2505,9 @@
<IntervalRef ref="sysid2"/>
</When>
<PolicyRuleOptions>
<Option name="pf_classify_str"></Option>
<Option name="stateless">False</Option>
<Option name="pf_classify_str"/>
</PolicyRuleOptions>
</PolicyRuleOptions>
</PolicyRule>
<RuleSetOptions/>
</Policy>
@ -2648,11 +2586,9 @@
<IntervalRef ref="sysid2"/>
</When>
<PolicyRuleOptions>
<Option name="pf_classify_str"></Option>
<Option name="stateless">True</Option>
<Option name="pf_classify_str"/>
</PolicyRuleOptions>
</PolicyRuleOptions>
</PolicyRule>
<RuleSetOptions/>
</Policy>
@ -2864,18 +2800,18 @@
</Management>
<FirewallOptions>
<Option name="accept_new_tcp_with_no_syn">False</Option>
<Option name="activationCmd"/>
<Option name="admUser"/>
<Option name="altAddress"/>
<Option name="activationCmd"></Option>
<Option name="admUser"></Option>
<Option name="altAddress"></Option>
<Option name="check_shading">False</Option>
<Option name="cmdline"/>
<Option name="compiler"/>
<Option name="cmdline"></Option>
<Option name="compiler"></Option>
<Option name="configure_carp_interfaces">True</Option>
<Option name="configure_interfaces">True</Option>
<Option name="configure_pfsync_interfaces">True</Option>
<Option name="configure_vlan_interfaces">True</Option>
<Option name="debug">False</Option>
<Option name="epilog_script"/>
<Option name="epilog_script"></Option>
<Option name="fallback_log">False</Option>
<Option name="firewall_dir">/etc</Option>
<Option name="ignore_empty_groups">False</Option>
@ -2884,11 +2820,11 @@
<Option name="log_prefix">RULE %N -- %A </Option>
<Option name="loopback_interface">lo0</Option>
<Option name="manage_virtual_addr">True</Option>
<Option name="mgmt_addr"/>
<Option name="mgmt_addr"></Option>
<Option name="mgmt_ssh">False</Option>
<Option name="modulate_state">False</Option>
<Option name="openbsd_ip_forward">1</Option>
<Option name="output_file"/>
<Option name="output_file"></Option>
<Option name="pass_all_out">false</Option>
<Option name="pf_adaptive_end">0</Option>
<Option name="pf_adaptive_start">0</Option>
@ -2908,7 +2844,7 @@
<Option name="pf_limit_states">10000</Option>
<Option name="pf_limit_table_entries">0</Option>
<Option name="pf_limit_tables">0</Option>
<Option name="pf_optimization"/>
<Option name="pf_optimization"></Option>
<Option name="pf_other_first">0</Option>
<Option name="pf_other_multiple">0</Option>
<Option name="pf_other_single">0</Option>
@ -2948,9 +2884,9 @@
<Option name="pf_udp_multiple">0</Option>
<Option name="pf_udp_single">0</Option>
<Option name="prolog_place">fw_file</Option>
<Option name="prolog_script"/>
<Option name="scpArgs"/>
<Option name="sshArgs"/>
<Option name="prolog_script"></Option>
<Option name="scpArgs"></Option>
<Option name="sshArgs"></Option>
</FirewallOptions>
</Firewall>
<Firewall id="id3337X26920" host_OS="openbsd" inactive="False" lastCompiled="1264267285" lastInstalled="0" lastModified="1297119444" platform="pf" version="4.x" name="openbsd-2" comment="" ro="False">
@ -2984,18 +2920,18 @@
</Management>
<FirewallOptions>
<Option name="accept_new_tcp_with_no_syn">False</Option>
<Option name="activationCmd"/>
<Option name="admUser"/>
<Option name="altAddress"/>
<Option name="activationCmd"></Option>
<Option name="admUser"></Option>
<Option name="altAddress"></Option>
<Option name="check_shading">False</Option>
<Option name="cmdline"/>
<Option name="compiler"/>
<Option name="cmdline"></Option>
<Option name="compiler"></Option>
<Option name="configure_carp_interfaces">True</Option>
<Option name="configure_interfaces">True</Option>
<Option name="configure_pfsync_interfaces">False</Option>
<Option name="configure_vlan_interfaces">False</Option>
<Option name="debug">False</Option>
<Option name="epilog_script"/>
<Option name="epilog_script"></Option>
<Option name="fallback_log">False</Option>
<Option name="firewall_dir">/etc</Option>
<Option name="ignore_empty_groups">False</Option>
@ -3004,11 +2940,11 @@
<Option name="log_prefix">RULE %N -- %A </Option>
<Option name="loopback_interface">lo0</Option>
<Option name="manage_virtual_addr">True</Option>
<Option name="mgmt_addr"/>
<Option name="mgmt_addr"></Option>
<Option name="mgmt_ssh">False</Option>
<Option name="modulate_state">False</Option>
<Option name="openbsd_ip_forward">1</Option>
<Option name="output_file"/>
<Option name="output_file"></Option>
<Option name="pass_all_out">false</Option>
<Option name="pf_adaptive_end">0</Option>
<Option name="pf_adaptive_start">0</Option>
@ -3028,7 +2964,7 @@
<Option name="pf_limit_states">10000</Option>
<Option name="pf_limit_table_entries">0</Option>
<Option name="pf_limit_tables">0</Option>
<Option name="pf_optimization"/>
<Option name="pf_optimization"></Option>
<Option name="pf_other_first">0</Option>
<Option name="pf_other_multiple">0</Option>
<Option name="pf_other_single">0</Option>
@ -3068,9 +3004,9 @@
<Option name="pf_udp_multiple">0</Option>
<Option name="pf_udp_single">0</Option>
<Option name="prolog_place">fw_file</Option>
<Option name="prolog_script"/>
<Option name="scpArgs"/>
<Option name="sshArgs"/>
<Option name="prolog_script"></Option>
<Option name="scpArgs"></Option>
<Option name="sshArgs"></Option>
</FirewallOptions>
</Firewall>
<Firewall id="id7290X42213" host_OS="freebsd" inactive="False" lastCompiled="1296754097" lastInstalled="0" lastModified="1296755154" platform="pf" version="4.x" name="freebsd-1" comment="" ro="False">
@ -3098,18 +3034,18 @@
</Management>
<FirewallOptions>
<Option name="accept_new_tcp_with_no_syn">False</Option>
<Option name="activationCmd"/>
<Option name="admUser"/>
<Option name="altAddress"/>
<Option name="activationCmd"></Option>
<Option name="admUser"></Option>
<Option name="altAddress"></Option>
<Option name="check_shading">False</Option>
<Option name="cmdline"/>
<Option name="compiler"/>
<Option name="cmdline"></Option>
<Option name="compiler"></Option>
<Option name="configure_carp_interfaces">True</Option>
<Option name="configure_interfaces">True</Option>
<Option name="configure_pfsync_interfaces">True</Option>
<Option name="configure_vlan_interfaces">True</Option>
<Option name="debug">False</Option>
<Option name="epilog_script"/>
<Option name="epilog_script"></Option>
<Option name="fallback_log">False</Option>
<Option name="firewall_dir">/etc</Option>
<Option name="freebsd_ip_forward">1</Option>
@ -3119,11 +3055,11 @@
<Option name="log_prefix">RULE %N -- %A </Option>
<Option name="loopback_interface">lo0</Option>
<Option name="manage_virtual_addr">True</Option>
<Option name="mgmt_addr"/>
<Option name="mgmt_addr"></Option>
<Option name="mgmt_ssh">False</Option>
<Option name="modulate_state">False</Option>
<Option name="openbsd_ip_forward">1</Option>
<Option name="output_file"/>
<Option name="output_file"></Option>
<Option name="pass_all_out">false</Option>
<Option name="pf_adaptive_end">0</Option>
<Option name="pf_adaptive_start">0</Option>
@ -3143,7 +3079,7 @@
<Option name="pf_limit_states">10000</Option>
<Option name="pf_limit_table_entries">0</Option>
<Option name="pf_limit_tables">0</Option>
<Option name="pf_optimization"/>
<Option name="pf_optimization"></Option>
<Option name="pf_other_first">0</Option>
<Option name="pf_other_multiple">0</Option>
<Option name="pf_other_single">0</Option>
@ -3183,9 +3119,9 @@
<Option name="pf_udp_multiple">0</Option>
<Option name="pf_udp_single">0</Option>
<Option name="prolog_place">fw_file</Option>
<Option name="prolog_script"/>
<Option name="scpArgs"/>
<Option name="sshArgs"/>
<Option name="prolog_script"></Option>
<Option name="scpArgs"></Option>
<Option name="sshArgs"></Option>
</FirewallOptions>
</Firewall>
<Firewall id="id7317X42213" host_OS="freebsd" inactive="False" lastCompiled="1296754097" lastInstalled="0" lastModified="1245802420" platform="pf" version="4.x" name="freebsd-2" comment="" ro="False">
@ -3213,18 +3149,18 @@
</Management>
<FirewallOptions>
<Option name="accept_new_tcp_with_no_syn">False</Option>
<Option name="activationCmd"/>
<Option name="admUser"/>
<Option name="altAddress"/>
<Option name="activationCmd"></Option>
<Option name="admUser"></Option>
<Option name="altAddress"></Option>
<Option name="check_shading">False</Option>
<Option name="cmdline"/>
<Option name="compiler"/>
<Option name="cmdline"></Option>
<Option name="compiler"></Option>
<Option name="configure_carp_interfaces">True</Option>
<Option name="configure_interfaces">True</Option>
<Option name="configure_pfsync_interfaces">False</Option>
<Option name="configure_vlan_interfaces">False</Option>
<Option name="debug">False</Option>
<Option name="epilog_script"/>
<Option name="epilog_script"></Option>
<Option name="fallback_log">False</Option>
<Option name="firewall_dir">/etc</Option>
<Option name="freebsd_ip_forward">1</Option>
@ -3234,11 +3170,11 @@
<Option name="log_prefix">RULE %N -- %A </Option>
<Option name="loopback_interface">lo0</Option>
<Option name="manage_virtual_addr">True</Option>
<Option name="mgmt_addr"/>
<Option name="mgmt_addr"></Option>
<Option name="mgmt_ssh">False</Option>
<Option name="modulate_state">False</Option>
<Option name="openbsd_ip_forward">1</Option>
<Option name="output_file"/>
<Option name="output_file"></Option>
<Option name="pass_all_out">false</Option>
<Option name="pf_adaptive_end">0</Option>
<Option name="pf_adaptive_start">0</Option>
@ -3258,7 +3194,7 @@
<Option name="pf_limit_states">10000</Option>
<Option name="pf_limit_table_entries">0</Option>
<Option name="pf_limit_tables">0</Option>
<Option name="pf_optimization"/>
<Option name="pf_optimization"></Option>
<Option name="pf_other_first">0</Option>
<Option name="pf_other_multiple">0</Option>
<Option name="pf_other_single">0</Option>
@ -3298,9 +3234,9 @@
<Option name="pf_udp_multiple">0</Option>
<Option name="pf_udp_single">0</Option>
<Option name="prolog_place">fw_file</Option>
<Option name="prolog_script"/>
<Option name="scpArgs"/>
<Option name="sshArgs"/>
<Option name="prolog_script"></Option>
<Option name="scpArgs"></Option>
<Option name="sshArgs"></Option>
</FirewallOptions>
</Firewall>
<Firewall id="id39233X50958" host_OS="openbsd" inactive="False" lastCompiled="0" lastInstalled="0" lastModified="1297119363" platform="pf" version="4.6" name="openbsd-3" comment="" ro="False">
@ -3346,18 +3282,18 @@
</Management>
<FirewallOptions>
<Option name="accept_new_tcp_with_no_syn">False</Option>
<Option name="activationCmd"/>
<Option name="admUser"/>
<Option name="altAddress"/>
<Option name="activationCmd"></Option>
<Option name="admUser"></Option>
<Option name="altAddress"></Option>
<Option name="check_shading">False</Option>
<Option name="cmdline"/>
<Option name="compiler"/>
<Option name="cmdline"></Option>
<Option name="compiler"></Option>
<Option name="configure_carp_interfaces">True</Option>
<Option name="configure_interfaces">True</Option>
<Option name="configure_pfsync_interfaces">True</Option>
<Option name="configure_vlan_interfaces">True</Option>
<Option name="debug">False</Option>
<Option name="epilog_script"/>
<Option name="epilog_script"></Option>
<Option name="fallback_log">False</Option>
<Option name="firewall_dir">/etc</Option>
<Option name="ignore_empty_groups">False</Option>
@ -3366,11 +3302,11 @@
<Option name="log_prefix">RULE %N -- %A </Option>
<Option name="loopback_interface">lo0</Option>
<Option name="manage_virtual_addr">True</Option>
<Option name="mgmt_addr"/>
<Option name="mgmt_addr"></Option>
<Option name="mgmt_ssh">False</Option>
<Option name="modulate_state">False</Option>
<Option name="openbsd_ip_forward">1</Option>
<Option name="output_file"/>
<Option name="output_file"></Option>
<Option name="pass_all_out">false</Option>
<Option name="pf_adaptive_end">0</Option>
<Option name="pf_adaptive_start">0</Option>
@ -3390,7 +3326,7 @@
<Option name="pf_limit_states">10000</Option>
<Option name="pf_limit_table_entries">0</Option>
<Option name="pf_limit_tables">0</Option>
<Option name="pf_optimization"/>
<Option name="pf_optimization"></Option>
<Option name="pf_other_first">0</Option>
<Option name="pf_other_multiple">0</Option>
<Option name="pf_other_single">0</Option>
@ -3430,9 +3366,9 @@
<Option name="pf_udp_multiple">0</Option>
<Option name="pf_udp_single">0</Option>
<Option name="prolog_place">fw_file</Option>
<Option name="prolog_script"/>
<Option name="scpArgs"/>
<Option name="sshArgs"/>
<Option name="prolog_script"></Option>
<Option name="scpArgs"></Option>
<Option name="sshArgs"></Option>
</FirewallOptions>
</Firewall>
<Firewall id="id39405X50958" host_OS="openbsd" inactive="False" lastCompiled="1264267285" lastInstalled="0" lastModified="1297119370" platform="pf" version="4.6" name="openbsd-4" comment="" ro="False">
@ -3478,18 +3414,18 @@
</Management>
<FirewallOptions>
<Option name="accept_new_tcp_with_no_syn">False</Option>
<Option name="activationCmd"/>
<Option name="admUser"/>
<Option name="altAddress"/>
<Option name="activationCmd"></Option>
<Option name="admUser"></Option>
<Option name="altAddress"></Option>
<Option name="check_shading">False</Option>
<Option name="cmdline"/>
<Option name="compiler"/>
<Option name="cmdline"></Option>
<Option name="compiler"></Option>
<Option name="configure_carp_interfaces">True</Option>
<Option name="configure_interfaces">True</Option>
<Option name="configure_pfsync_interfaces">False</Option>
<Option name="configure_vlan_interfaces">False</Option>
<Option name="debug">False</Option>
<Option name="epilog_script"/>
<Option name="epilog_script"></Option>
<Option name="fallback_log">False</Option>
<Option name="firewall_dir">/etc</Option>
<Option name="ignore_empty_groups">False</Option>
@ -3498,11 +3434,11 @@
<Option name="log_prefix">RULE %N -- %A </Option>
<Option name="loopback_interface">lo0</Option>
<Option name="manage_virtual_addr">True</Option>
<Option name="mgmt_addr"/>
<Option name="mgmt_addr"></Option>
<Option name="mgmt_ssh">False</Option>
<Option name="modulate_state">False</Option>
<Option name="openbsd_ip_forward">1</Option>
<Option name="output_file"/>
<Option name="output_file"></Option>
<Option name="pass_all_out">false</Option>
<Option name="pf_adaptive_end">0</Option>
<Option name="pf_adaptive_start">0</Option>
@ -3522,7 +3458,7 @@
<Option name="pf_limit_states">10000</Option>
<Option name="pf_limit_table_entries">0</Option>
<Option name="pf_limit_tables">0</Option>
<Option name="pf_optimization"/>
<Option name="pf_optimization"></Option>
<Option name="pf_other_first">0</Option>
<Option name="pf_other_multiple">0</Option>
<Option name="pf_other_single">0</Option>
@ -3562,9 +3498,9 @@
<Option name="pf_udp_multiple">0</Option>
<Option name="pf_udp_single">0</Option>
<Option name="prolog_place">fw_file</Option>
<Option name="prolog_script"/>
<Option name="scpArgs"/>
<Option name="sshArgs"/>
<Option name="prolog_script"></Option>
<Option name="scpArgs"></Option>
<Option name="sshArgs"></Option>
</FirewallOptions>
</Firewall>
<Firewall id="id200587X1082" host_OS="freebsd" inactive="False" lastCompiled="0" lastInstalled="0" lastModified="1296694652" platform="pf" version="" name="freebsd-1-1" comment="" ro="False">
@ -3592,20 +3528,20 @@
</Management>
<FirewallOptions>
<Option name="accept_new_tcp_with_no_syn">False</Option>
<Option name="activationCmd"/>
<Option name="admUser"/>
<Option name="altAddress"/>
<Option name="activationCmd"></Option>
<Option name="admUser"></Option>
<Option name="altAddress"></Option>
<Option name="check_shading">False</Option>
<Option name="cmdline"/>
<Option name="compiler"/>
<Option name="cmdline"></Option>
<Option name="compiler"></Option>
<Option name="conf1_file">pf.conf</Option>
<Option name="conf_file_name_on_firewall"/>
<Option name="conf_file_name_on_firewall"></Option>
<Option name="configure_carp_interfaces">True</Option>
<Option name="configure_interfaces">True</Option>
<Option name="configure_pfsync_interfaces">True</Option>
<Option name="configure_vlan_interfaces">True</Option>
<Option name="debug">False</Option>
<Option name="epilog_script"/>
<Option name="epilog_script"></Option>
<Option name="fallback_log">False</Option>
<Option name="firewall_dir">/etc</Option>
<Option name="freebsd_ip_forward">1</Option>
@ -3617,7 +3553,7 @@
<Option name="log_prefix">RULE %N -- %A </Option>
<Option name="loopback_interface">lo0</Option>
<Option name="manage_virtual_addr">True</Option>
<Option name="mgmt_addr"/>
<Option name="mgmt_addr"></Option>
<Option name="mgmt_ssh">False</Option>
<Option name="modulate_state">False</Option>
<Option name="openbsd_ip_forward">1</Option>
@ -3642,7 +3578,7 @@
<Option name="pf_limit_table_entries">0</Option>
<Option name="pf_limit_tables">0</Option>
<Option name="pf_modulate_state">False</Option>
<Option name="pf_optimization"/>
<Option name="pf_optimization"></Option>
<Option name="pf_other_first">0</Option>
<Option name="pf_other_multiple">0</Option>
<Option name="pf_other_single">0</Option>
@ -3671,7 +3607,7 @@
<Option name="pf_set_udp_first">False</Option>
<Option name="pf_set_udp_multiple">False</Option>
<Option name="pf_set_udp_single">False</Option>
<Option name="pf_state_policy"/>
<Option name="pf_state_policy"></Option>
<Option name="pf_tcp_closed">0</Option>
<Option name="pf_tcp_closing">0</Option>
<Option name="pf_tcp_established">0</Option>
@ -3684,10 +3620,10 @@
<Option name="pf_udp_multiple">0</Option>
<Option name="pf_udp_single">0</Option>
<Option name="prolog_place">fw_file</Option>
<Option name="prolog_script"/>
<Option name="scpArgs"/>
<Option name="script_name_on_firewall"/>
<Option name="sshArgs"/>
<Option name="prolog_script"></Option>
<Option name="scpArgs"></Option>
<Option name="script_name_on_firewall"></Option>
<Option name="sshArgs"></Option>
</FirewallOptions>
</Firewall>
<Firewall id="id200626X1082" host_OS="freebsd" inactive="False" lastCompiled="0" lastInstalled="0" lastModified="1296694663" platform="pf" version="" name="freebsd-2-1" comment="" ro="False">
@ -3715,20 +3651,20 @@
</Management>
<FirewallOptions>
<Option name="accept_new_tcp_with_no_syn">False</Option>
<Option name="activationCmd"/>
<Option name="admUser"/>
<Option name="altAddress"/>
<Option name="activationCmd"></Option>
<Option name="admUser"></Option>
<Option name="altAddress"></Option>
<Option name="check_shading">False</Option>
<Option name="cmdline"/>
<Option name="compiler"/>
<Option name="cmdline"></Option>
<Option name="compiler"></Option>
<Option name="conf1_file">pf.conf</Option>
<Option name="conf_file_name_on_firewall"/>
<Option name="conf_file_name_on_firewall"></Option>
<Option name="configure_carp_interfaces">True</Option>
<Option name="configure_interfaces">True</Option>
<Option name="configure_pfsync_interfaces">True</Option>
<Option name="configure_vlan_interfaces">True</Option>
<Option name="debug">False</Option>
<Option name="epilog_script"/>
<Option name="epilog_script"></Option>
<Option name="fallback_log">False</Option>
<Option name="firewall_dir">/etc</Option>
<Option name="freebsd_ip_forward">1</Option>
@ -3740,7 +3676,7 @@
<Option name="log_prefix">RULE %N -- %A </Option>
<Option name="loopback_interface">lo0</Option>
<Option name="manage_virtual_addr">True</Option>
<Option name="mgmt_addr"/>
<Option name="mgmt_addr"></Option>
<Option name="mgmt_ssh">False</Option>
<Option name="modulate_state">False</Option>
<Option name="openbsd_ip_forward">1</Option>
@ -3765,7 +3701,7 @@
<Option name="pf_limit_table_entries">0</Option>
<Option name="pf_limit_tables">0</Option>
<Option name="pf_modulate_state">False</Option>
<Option name="pf_optimization"/>
<Option name="pf_optimization"></Option>
<Option name="pf_other_first">0</Option>
<Option name="pf_other_multiple">0</Option>
<Option name="pf_other_single">0</Option>
@ -3794,7 +3730,7 @@
<Option name="pf_set_udp_first">False</Option>
<Option name="pf_set_udp_multiple">False</Option>
<Option name="pf_set_udp_single">False</Option>
<Option name="pf_state_policy"/>
<Option name="pf_state_policy"></Option>
<Option name="pf_tcp_closed">0</Option>
<Option name="pf_tcp_closing">0</Option>
<Option name="pf_tcp_established">0</Option>
@ -3807,10 +3743,10 @@
<Option name="pf_udp_multiple">0</Option>
<Option name="pf_udp_single">0</Option>
<Option name="prolog_place">fw_file</Option>
<Option name="prolog_script"/>
<Option name="scpArgs"/>
<Option name="script_name_on_firewall"/>
<Option name="sshArgs"/>
<Option name="prolog_script"></Option>
<Option name="scpArgs"></Option>
<Option name="script_name_on_firewall"></Option>
<Option name="sshArgs"></Option>
</FirewallOptions>
</Firewall>
</ObjectGroup>


@ -12,52 +12,52 @@
#
# Rule routes 0 (fxp0)
# route_through, load balancing random
pass in quick on fxp0 route-to { ( le1 192.0.2.1 ) , ( le1 192.0.2.2 ) , ( le1 192.0.2.3 ) } random inet proto tcp from 192.168.1.0/24 to any port 80 keep state label "RULE 0 -- "
pass in quick on fxp0 route-to { ( le1 192.0.2.1 ) , ( le1 192.0.2.2 ) , ( le1 192.0.2.3 ) } random inet proto tcp from 192.168.1.0/24 to any port 80 keep state label "RULE 0 -- ACCEPT "
#
# Rule routes 1 (fxp0)
# error: interface is required
pass in quick on fxp0 reply-to { ( 192.0.2.1 ) } random inet proto tcp from 192.168.1.0/24 to any port 80 keep state label "RULE 1 -- "
pass in quick on fxp0 reply-to { ( 192.0.2.1 ) } random inet proto tcp from 192.168.1.0/24 to any port 80 keep state label "RULE 1 -- ACCEPT "
#
# Rule routes 2 (fxp0)
# error: interface is required
pass in quick on fxp0 dup-to { ( 192.0.2.1 ) } random inet proto tcp from 192.168.1.0/24 to any port 80 keep state label "RULE 2 -- "
pass in quick on fxp0 dup-to { ( 192.0.2.1 ) } random inet proto tcp from 192.168.1.0/24 to any port 80 keep state label "RULE 2 -- ACCEPT "
#
# Rule routes 3 (fxp0)
# fastroute
pass in quick on fxp0 fastroute inet proto tcp from 192.168.1.0/24 to any port 80 keep state label "RULE 3 -- "
pass in quick on fxp0 fastroute inet proto tcp from 192.168.1.0/24 to any port 80 keep state label "RULE 3 -- ACCEPT "
#
# Rule routes 4 (fxp0)
# fastroute
pass in quick on fxp0 fastroute inet proto tcp from 192.168.1.0/24 to any port 80 keep state label "RULE 4 -- "
pass in quick on fxp0 fastroute inet proto tcp from 192.168.1.0/24 to any port 80 keep state label "RULE 4 -- ACCEPT "
#
# Rule routes 5 (fxp0)
# fastroute
pass in quick on fxp0 fastroute inet proto tcp from 192.168.1.0/24 to any port 80 keep state label "RULE 5 -- "
pass in quick on fxp0 fastroute inet proto tcp from 192.168.1.0/24 to any port 80 keep state label "RULE 5 -- ACCEPT "
#
# Rule routes 6 (fxp0)
# route_through, load balancing none
# error: interface is required
pass in quick on fxp0 route-to { ( 192.0.2.1 ) , ( 192.0.2.2 ) , ( 192.0.2.3 ) } inet proto tcp from 192.168.1.0/24 to any port 80 keep state label "RULE 6 -- "
pass in quick on fxp0 route-to { ( 192.0.2.1 ) , ( 192.0.2.2 ) , ( 192.0.2.3 ) } inet proto tcp from 192.168.1.0/24 to any port 80 keep state label "RULE 6 -- ACCEPT "
#
# Rule routes 7 (fxp0)
# route_through, load balancing bitmask
# error: interface is required
pass in quick on fxp0 route-to { ( 192.0.2.1 ) , ( 192.0.2.2 ) , ( 192.0.2.3 ) } bitmask inet proto tcp from 192.168.1.0/24 to any port 80 keep state label "RULE 7 -- "
pass in quick on fxp0 route-to { ( 192.0.2.1 ) , ( 192.0.2.2 ) , ( 192.0.2.3 ) } bitmask inet proto tcp from 192.168.1.0/24 to any port 80 keep state label "RULE 7 -- ACCEPT "
#
# Rule routes 8 (fxp0)
# route_through, load balancing random
# error: interface is required
pass in quick on fxp0 route-to { ( 192.0.2.1 ) , ( 192.0.2.2 ) , ( 192.0.2.3 ) } random inet proto tcp from 192.168.1.0/24 to any port 80 keep state label "RULE 8 -- "
pass in quick on fxp0 route-to { ( 192.0.2.1 ) , ( 192.0.2.2 ) , ( 192.0.2.3 ) } random inet proto tcp from 192.168.1.0/24 to any port 80 keep state label "RULE 8 -- ACCEPT "
#
# Rule routes 9 (fxp0)
# route_through, load balancing source hash
# error: interface is required
pass in quick on fxp0 route-to { ( 192.0.2.1 ) , ( 192.0.2.2 ) , ( 192.0.2.3 ) } source-hash inet proto tcp from 192.168.1.0/24 to any port 80 keep state label "RULE 9 -- "
pass in quick on fxp0 route-to { ( 192.0.2.1 ) , ( 192.0.2.2 ) , ( 192.0.2.3 ) } source-hash inet proto tcp from 192.168.1.0/24 to any port 80 keep state label "RULE 9 -- ACCEPT "
#
# Rule routes 10 (fxp0)
# route_through, load balancing round robin
# error: interface is required
pass in quick on fxp0 route-to { ( 192.0.2.1 ) , ( 192.0.2.2 ) , ( 192.0.2.3 ) } round-robin inet proto tcp from 192.168.1.0/24 to any port 80 keep state label "RULE 10 -- "
pass in quick on fxp0 route-to { ( 192.0.2.1 ) , ( 192.0.2.2 ) , ( 192.0.2.3 ) } round-robin inet proto tcp from 192.168.1.0/24 to any port 80 keep state label "RULE 10 -- ACCEPT "
#
# Rule routes 11 (global)
block log quick inet from any to any label "RULE 11 -- DROP "


@ -19,31 +19,31 @@ nat on le2 proto {tcp udp icmp} from 192.168.1.0/24 to any -> 192.0.3.1
# firewall40-1:Policy:11: error: Only one router specified with load balancing for rule action Route: 'route_through'
#
# Rule 0 (fxp0)
pass in quick on fxp0 route-to { ( le1 192.0.2.1 ) , ( le1 192.0.2.2 ) , ( le1 192.0.2.3 ) } random inet proto tcp from 192.168.1.0/24 to any port 80 keep state label "RULE 0 -- "
pass in quick on fxp0 route-to { ( le1 192.0.2.1 ) , ( le1 192.0.2.2 ) , ( le1 192.0.2.3 ) } random inet proto tcp from 192.168.1.0/24 to any port 80 keep state label "RULE 0 -- ACCEPT "
#
# Rule 1 (fxp0)
pass in quick on fxp0 route-to { ( le2 192.0.2.1 ) , ( le2 192.0.2.2 ) , ( le2 192.0.2.3 ) } round-robin inet proto tcp from 192.168.1.0/24 to any port 80 keep state label "RULE 1 -- "
pass in quick on fxp0 route-to { ( le2 192.0.2.1 ) , ( le2 192.0.2.2 ) , ( le2 192.0.2.3 ) } round-robin inet proto tcp from 192.168.1.0/24 to any port 80 keep state label "RULE 1 -- ACCEPT "
#
# Rule 2 (fxp0)
pass in quick on fxp0 route-to { ( le2 192.0.2.1 ) , ( le2 192.0.2.2 ) , ( le2 192.0.2.3 ) } round-robin inet proto tcp from 192.168.1.0/24 to any port 80 keep state label "RULE 2 -- "
pass in quick on fxp0 route-to { ( le2 192.0.2.1 ) , ( le2 192.0.2.2 ) , ( le2 192.0.2.3 ) } round-robin inet proto tcp from 192.168.1.0/24 to any port 80 keep state label "RULE 2 -- ACCEPT "
#
# Rule 3 (fxp0)
pass in quick on fxp0 route-to { ( le1 192.0.2.1 ) , ( le1 192.0.2.2 ) , ( le1 192.0.2.3 ) } round-robin inet proto tcp from 192.168.1.0/24 to any port 80 label "RULE 3 -- "
pass in quick on fxp0 route-to { ( le1 192.0.2.1 ) , ( le1 192.0.2.2 ) , ( le1 192.0.2.3 ) } round-robin inet proto tcp from 192.168.1.0/24 to any port 80 label "RULE 3 -- ACCEPT "
#
# Rule 4 (fxp0)
pass in quick on fxp0 route-to { ( le2 192.0.2.1 ) , ( le2 192.0.2.2 ) , ( le2 192.0.2.3 ) } round-robin inet proto tcp from 192.168.1.0/24 to any port 80 label "RULE 4 -- "
pass in quick on fxp0 route-to { ( le2 192.0.2.1 ) , ( le2 192.0.2.2 ) , ( le2 192.0.2.3 ) } round-robin inet proto tcp from 192.168.1.0/24 to any port 80 label "RULE 4 -- ACCEPT "
#
# Rule 5 (fxp0)
pass in quick on fxp0 route-to { ( le2 192.0.2.1 ) , ( le2 192.0.2.2 ) , ( le2 192.0.2.3 ) } round-robin inet proto tcp from 192.168.1.0/24 to any port 80 label "RULE 5 -- "
pass in quick on fxp0 route-to { ( le2 192.0.2.1 ) , ( le2 192.0.2.2 ) , ( le2 192.0.2.3 ) } round-robin inet proto tcp from 192.168.1.0/24 to any port 80 label "RULE 5 -- ACCEPT "
#
# Rule 6 (fxp0)
pass in quick on fxp0 route-to { ( le1 192.0.2.0/24 ) } random inet proto tcp from 192.168.1.0/24 to any port 80 keep state label "RULE 6 -- "
pass in quick on fxp0 route-to { ( le1 192.0.2.0/24 ) } random inet proto tcp from 192.168.1.0/24 to any port 80 keep state label "RULE 6 -- ACCEPT "
#
# Rule 7 (fxp0)
pass in quick on fxp0 route-to { ( le2 192.0.2.0/24 ) } source-hash inet proto tcp from 192.168.1.0/24 to any port 80 keep state label "RULE 7 -- "
pass in quick on fxp0 route-to { ( le2 192.0.2.0/24 ) } source-hash inet proto tcp from 192.168.1.0/24 to any port 80 keep state label "RULE 7 -- ACCEPT "
#
# Rule 8 (fxp0)
pass in quick on fxp0 route-to { ( le2 192.0.2.0/255.255.255.0 ) } round-robin inet proto tcp from 192.168.1.0/24 to any port 80 keep state label "RULE 8 -- "
pass in quick on fxp0 route-to { ( le2 192.0.2.0/255.255.255.0 ) } round-robin inet proto tcp from 192.168.1.0/24 to any port 80 keep state label "RULE 8 -- ACCEPT "
#
# Rule 9 (fxp0)
# this should fail because
@ -54,19 +54,19 @@ pass in quick on fxp0 route-to { ( le2 192.0.2.0/255.255.255.0 ) } round-robin
# to convert errors to warnings
# and make it generate .conf
# file anyway
pass in quick on fxp0 route-to { ( le2 192.0.2.1 ) } round-robin inet proto tcp from 192.168.1.0/24 to any port 80 keep state label "RULE 9 -- "
pass in quick on fxp0 route-to { ( le2 192.0.2.1 ) } round-robin inet proto tcp from 192.168.1.0/24 to any port 80 keep state label "RULE 9 -- ACCEPT "
#
# Rule 10 (fxp0)
# this should fail because
# it has one address for the next
# hop and it is /32.
pass in quick on fxp0 route-to { ( le2 192.0.2.1/32 ) } round-robin inet proto tcp from 192.168.1.0/24 to any port 80 keep state label "RULE 10 -- "
pass in quick on fxp0 route-to { ( le2 192.0.2.1/32 ) } round-robin inet proto tcp from 192.168.1.0/24 to any port 80 keep state label "RULE 10 -- ACCEPT "
#
# Rule 11 (fxp0)
# this should fail because
# it ip address in next hop
# is illegal
pass in quick on fxp0 route-to { ( le2 192.0.300.1/32 ) } round-robin inet proto tcp from 192.168.1.0/24 to any port 80 keep state label "RULE 11 -- "
pass in quick on fxp0 route-to { ( le2 192.0.300.1/32 ) } round-robin inet proto tcp from 192.168.1.0/24 to any port 80 keep state label "RULE 11 -- ACCEPT "
#
# Rule fallback rule
# fallback rule
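Review bot: The new expectation at the `RULE 11 -- ACCEPT` line pins a `pass in quick on fxp0 route-to { ( le2 192.0.300.1/32 ) }` rule into the generated pf.conf even though the fixture's own comment states the rule should fail because the next-hop address is illegal, and the only diagnostic recorded for Policy:11 at the top of the hunk (`error: Only one router specified with load balancing ...`) does not mention the address. If the Route rule processor performs no validation of next-hop addresses, this fixture now locks in passing an unparsable address through to the policy, which pfctl would presumably reject at load time; if validation exists and the test simply runs with errors downgraded to warnings, the comment should name the error that is expected. Consider either adding an address check in the Route rule processor (outside this hunk) or rewording the comment, e.g. `# expected: invalid next-hop address error (output kept because errors are downgraded to warnings)`. The same applies to Rules 9 and 10, whose comments describe a failure that the recorded diagnostics do not show.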


@ -24,10 +24,10 @@ pass quick on lo0 inet from any to any label "RULE 0 -- ACCEPT "
pass quick on fxp0 inet from 192.168.1.0/24 to 192.168.1.0/24 label "RULE 1 -- ACCEPT "
#
# Rule 2 (fxp0)
pass in quick on fxp0 route-to { ( le1 192.0.2.10 ) } inet proto tcp from 192.168.1.0/24 to any port { 80, 25 } label "RULE 2 -- "
pass in quick on fxp0 route-to { ( le1 192.0.2.10 ) } inet proto tcp from 192.168.1.0/24 to any port { 80, 25 } label "RULE 2 -- ACCEPT "
#
# Rule 3 (fxp0)
pass in quick on fxp0 route-to { ( le2 192.0.3.10 ) } inet proto tcp from 192.168.1.0/24 to any port 22 label "RULE 3 -- "
pass in quick on fxp0 route-to { ( le2 192.0.3.10 ) } inet proto tcp from 192.168.1.0/24 to any port 22 label "RULE 3 -- ACCEPT "
#
# Rule 4 (global)
pass out quick inet from <tbl.r4.s> to any keep state label "RULE 4 -- ACCEPT "



@ -3,7 +3,7 @@
#
# Firewall Builder fwb_pf v4.2.1.ma_1
#
# Generated Fri May 6 15:44:13 2011 PDT by vadim
# Generated Fri May 6 18:05:47 2011 PDT by vadim
#
# files: * pf_cluster_4_rc.conf.local /etc/pf_cluster_4_rc.conf.local
# files: pf_cluster_4_pf.conf /etc/pf_cluster_4_pf.conf