onkelbeh/fwbuilder
1
0
Fork 0
mirror of https://github.com/fwbuilder/fwbuilder synced 2026-03-20 02:07:23 +01:00
Code Issues Releases Wiki Activity

see #2385 "PF action Classify uses

Browse Source 
wrong parameter". This change fixes a bug introduced in 4.2.0
that affects rules with action Classify in PF firewalls.
This commit is contained in:
Vadim Kurland 2011-05-05 18:50:32 -07:00
parent 71f5faab3d
commit e24a73a560
27 changed files with 22643 additions and 13678 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

4
VERSION
View File

@ -7,13 +7,13 @@ FWB_MICRO_VERSION=1
# build number is like "nano" version number. I am incrementing build
# number during development cycle
#
BUILD_NUM="3537"
BUILD_NUM="3538"
VERSION="$FWB_MAJOR_VERSION.$FWB_MINOR_VERSION.$FWB_MICRO_VERSION.$BUILD_NUM"
GENERATION="$FWB_MAJOR_VERSION.$FWB_MINOR_VERSION"
# Data format version
FWBUILDER_XML_VERSION=19
FWBUILDER_XML_VERSION=20

2
VERSION.h
View File

@ -1,2 +1,2 @@
#define VERSION "4.2.1.3537"
#define VERSION "4.2.1.3538"
#define GENERATION "4.2"

21
doc/ChangeLog
View File

@ -1,3 +1,24 @@
2011-05-05 Vadim Kurland <vadim@netcitadel.com>
* FWObjectDatabase_19.xslt: see #2385 "PF action Classify uses
wrong parameter". This change fixes a bug introduced in 4.2.0
that affects rules with action Classify in PF firewalls.
The bug causes the following problems:
For users who built their rules before v4.2.0:
- rules compile normally, both in the single rule compile and
when the whole firewall is compiled
- if they opened the action of one of such rules in the action
editor, the classification string would look empty
- if they entered new classification string in the editor,
compiler kept using the old one (which they can not see or
change in the editor)
For users who tried to build rules with action Classify with v4.2.0:
- no matter what classification string they enter in the action
dialog, generated code does not use it
2011-05-04 Vadim Kurland <vadim@netcitadel.com>
* FWObjectDatabase_18.xslt: XSLT transformation to upgrade data

2
packaging/fwbuilder-static-qt.spec
View File

@ -3,7 +3,7 @@
%define name fwbuilder
%define version 4.2.1.3537
%define version 4.2.1.3538
%define release 1
%if "%_vendor" == "MandrakeSoft"

2
packaging/fwbuilder.control
View File

@ -4,6 +4,6 @@ Replaces: fwbuilder (<=4.1.1-1), fwbuilder-common, fwbuilder-bsd, fwbuilder-linu
Priority: extra
Section: checkinstall
Maintainer: vadim@fwbuilder.org
Version: 4.2.1.3537-1
Version: 4.2.1.3538-1
Depends: libqt4-gui (>= 4.3.0), libxml2, libxslt1.1, libsnmp | libsnmp15
Description: Firewall Builder GUI and policy compilers

2
packaging/fwbuilder.spec
View File

@ -1,6 +1,6 @@
%define name fwbuilder
%define version 4.2.1.3537
%define version 4.2.1.3538
%define release 1
%if "%_vendor" == "MandrakeSoft"

2
src/libfwbuilder/etc/fwbuilder.dtd
View File

@ -79,7 +79,7 @@
<!ELEMENT FWObjectDatabase (Library*)>
<!ATTLIST FWObjectDatabase
xmlns CDATA #FIXED "http://www.fwbuilder.org/1.0/"
version %STRING; #FIXED "19"
version %STRING; #FIXED "20"
lastModified %NUMBER; #IMPLIED
id ID #REQUIRED
>

73
src/libfwbuilder/migration/FWObjectDatabase_19.xslt Normal file
View File

@ -0,0 +1,73 @@
<!--
FWObjectDatabase_19.xslt 2011-05-05
Author: Vadim Kurland
Description: translates fwbuilder object database from v19 to 20
#2385 copy value of the option "classify_str" to
the option "pf_classify_str" for PF policy rules
with action Classify
-->
<xsl:stylesheet version="1.0"
xmlns:xsl="http://www.w3.org/1999/XSL/Transform"
xmlns:fwb="http://www.fwbuilder.org/1.0/"
exclude-result-prefixes="fwb">
<xsl:output method="xml" version="1.0"
doctype-system="fwbuilder.dtd" indent="yes" encoding="utf-8"/>
<xsl:template match="*" mode="copy">
<xsl:copy>
<xsl:copy-of select="@*"/>
<xsl:apply-templates mode="copy"/>
</xsl:copy>
</xsl:template>
<xsl:template match="//fwb:PolicyRuleOptions" mode="copy">
<xsl:variable name="classify_str">
<xsl:value-of select="fwb:Option[@name='classify_str']"/>
</xsl:variable>
<xsl:copy-of select="@*"/>
<xsl:choose>
<xsl:when test="fwb:PolicyRuleOptions/fwb:Option[@name='pf_classify_str']">
<xsl:apply-templates mode="copy"/>
</xsl:when>
<xsl:otherwise>
<xsl:element name="PolicyRuleOptions"
namespace="http://www.fwbuilder.org/1.0/">
<xsl:apply-templates mode="copy"/>
<xsl:text>
</xsl:text>
<xsl:element name="Option" namespace="http://www.fwbuilder.org/1.0/">
<xsl:attribute name="name">pf_classify_str</xsl:attribute><xsl:value-of select="$classify_str"/></xsl:element>
<xsl:text>
</xsl:text>
</xsl:element>
</xsl:otherwise>
</xsl:choose>
<xsl:text>
</xsl:text>
</xsl:template>
<xsl:template match="*[attribute::id='root']">
<FWObjectDatabase xmlns="http://www.fwbuilder.org/1.0/">
<xsl:attribute name="version">20</xsl:attribute>
<xsl:attribute name="lastModified"><xsl:value-of select="@lastModified"/></xsl:attribute>
<xsl:attribute name="id">root</xsl:attribute>
<xsl:apply-templates select="*" mode="copy"/>
</FWObjectDatabase>
</xsl:template>
</xsl:stylesheet>

1
src/libfwbuilder/migration/migration.pro
View File

@ -93,5 +93,6 @@ target.files = FWObjectDatabase_0.8.7.xslt \
FWObjectDatabase_16.xslt \
FWObjectDatabase_17.xslt \
FWObjectDatabase_18.xslt \
FWObjectDatabase_19.xslt \

35
src/res/help/en_US/release_notes_4.2.1.html
View File

@ -50,6 +50,41 @@
</p>
</li>
<li>
<p>
fixes #2385 "PF action Classify uses wrong parameter". This
change fixes a bug introduced in 4.2.0 that affects rules with
action Classify in PF firewalls. The bug causes the following
problems:
</p>
<p>
For users who built their rules before v4.2.0:
</p>
<p>
<ul>
<li>rules compile normally, both in the single rule compile and
when the whole firewall is compiled</li>
<li>if they opened the action of one of such rules in the action
editor, the classification string would look empty</li>
<li>if they entered new classification string in the editor,
compiler kept using the old one (which they can not see or
change in the editor)</li>
</ul>
</p>
<p>
For users who tried to build rules with action Classify with v4.2.0:
</p>
<p>
<ul>
<li>no matter what classification string they enter in the action
dialog, generated code does not use it</li>
</ul>
</p>
</li>
</ul>

2
src/res/objects_init.xml
View File

@ -1,6 +1,6 @@
<?xml version="1.0" encoding="utf-8"?>
<!DOCTYPE FWObjectDatabase SYSTEM "fwbuilder.dtd">
<FWObjectDatabase xmlns="http://www.fwbuilder.org/1.0/" version="19" lastModified="1265059184" id="root">
<FWObjectDatabase xmlns="http://www.fwbuilder.org/1.0/" version="20" lastModified="1265059184" id="root">
<Library id="syslib000" color="#d4f8ff" name="Standard" comment="Standard objects" ro="True">
<AnyNetwork id="sysid0" name="Any" comment="Any Network" ro="False" address="0.0.0.0" netmask="0.0.0.0"/>
<AnyIPService id="sysid1" protocol_num="0" name="Any" comment="Any IP Service" ro="False"/>

2
src/res/templates.xml
View File

@ -1,6 +1,6 @@
<?xml version="1.0" encoding="utf-8"?>
<!DOCTYPE FWObjectDatabase SYSTEM "fwbuilder.dtd">
<FWObjectDatabase xmlns="http://www.fwbuilder.org/1.0/" version="19" lastModified="1270752748" id="root">
<FWObjectDatabase xmlns="http://www.fwbuilder.org/1.0/" version="20" lastModified="1270752748" id="root">
<Library id="syslib000" color="#d4f8ff" name="Standard" comment="Standard objects" ro="True">
<AnyNetwork id="sysid0" name="Any" comment="Any Network" ro="False" address="0.0.0.0" netmask="0.0.0.0"/>
<AnyIPService id="sysid1" protocol_num="0" name="Any" comment="Any IP Service" ro="False"/>

1047
test/iosacl/cluster-tests.fwb
View File

@ -1,6 +1,6 @@
<?xml version="1.0" encoding="utf-8"?>
<!DOCTYPE FWObjectDatabase SYSTEM "fwbuilder.dtd">
<FWObjectDatabase xmlns="http://www.fwbuilder.org/1.0/" version="18" lastModified="1253911075" id="root">
<FWObjectDatabase xmlns="http://www.fwbuilder.org/1.0/" version="20" lastModified="1253911075" id="root">
<Library id="syslib000" color="#d4f8ff" name="Standard" comment="Standard objects" ro="True">
<AnyNetwork id="sysid0" name="Any" comment="Any Network" ro="False" address="0.0.0.0" netmask="0.0.0.0"/>
<AnyIPService id="sysid1" protocol_num="0" name="Any" comment="Any IP Service" ro="False"/>
@ -652,105 +652,120 @@
</NAT>
<Policy id="id3639X95766" name="Policy" comment="" ro="False" ipv4_rule_set="False" ipv6_rule_set="False" top_rule_set="True">
<PolicyRule id="id5954X26920" disabled="False" group="" log="False" position="0" action="Accept" direction="Both" comment="">
<Src neg="False">
<Src neg="False">
<ObjectRef ref="sysid0"/>
</Src>
<Dst neg="False">
<Dst neg="False">
<ObjectRef ref="sysid0"/>
</Dst>
<Srv neg="False">
<Srv neg="False">
<ServiceRef ref="sysid1"/>
</Srv>
<Itf neg="False">
<Itf neg="False">
<ObjectRef ref="sysid0"/>
</Itf>
<When neg="False">
<When neg="False">
<IntervalRef ref="sysid2"/>
</When>
<PolicyRuleOptions>
<PolicyRuleOptions>
<Option name="stateless">False</Option>
<Option name="pf_classify_str"/>
</PolicyRuleOptions>
</PolicyRule>
</PolicyRule>
<PolicyRule id="id7136X39764" disabled="False" group="" log="False" position="1" action="Accept" direction="Both" comment="">
<Src neg="False">
<Src neg="False">
<ObjectRef ref="sysid0"/>
</Src>
<Dst neg="False">
<Dst neg="False">
<ObjectRef ref="sysid0"/>
</Dst>
<Srv neg="False">
<Srv neg="False">
<ServiceRef ref="sysid1"/>
</Srv>
<Itf neg="False">
<Itf neg="False">
<ObjectRef ref="sysid0"/>
</Itf>
<When neg="False">
<When neg="False">
<IntervalRef ref="sysid2"/>
</When>
<PolicyRuleOptions>
<PolicyRuleOptions>
<Option name="stateless">False</Option>
<Option name="pf_classify_str"/>
</PolicyRuleOptions>
</PolicyRule>
</PolicyRule>
<PolicyRule id="id7162X39764" disabled="False" group="" log="False" position="2" action="Accept" direction="Both" comment="">
<Src neg="False">
<Src neg="False">
<ObjectRef ref="sysid0"/>
</Src>
<Dst neg="False">
<Dst neg="False">
<ObjectRef ref="sysid0"/>
</Dst>
<Srv neg="False">
<Srv neg="False">
<ServiceRef ref="sysid1"/>
</Srv>
<Itf neg="False">
<Itf neg="False">
<ObjectRef ref="sysid0"/>
</Itf>
<When neg="False">
<When neg="False">
<IntervalRef ref="sysid2"/>
</When>
<PolicyRuleOptions>
<PolicyRuleOptions>
<Option name="stateless">False</Option>
<Option name="pf_classify_str"/>
</PolicyRuleOptions>
</PolicyRule>
</PolicyRule>
<PolicyRule id="id7149X39764" disabled="False" group="" log="False" position="3" action="Accept" direction="Inbound" comment="">
<Src neg="False">
<Src neg="False">
<ObjectRef ref="sysid0"/>
</Src>
<Dst neg="False">
<Dst neg="False">
<ObjectRef ref="sysid0"/>
</Dst>
<Srv neg="False">
<Srv neg="False">
<ServiceRef ref="sysid1"/>
</Srv>
<Itf neg="False">
<Itf neg="False">
<ObjectRef ref="sysid0"/>
</Itf>
<When neg="False">
<When neg="False">
<IntervalRef ref="sysid2"/>
</When>
<PolicyRuleOptions>
<PolicyRuleOptions>
<Option name="stateless">False</Option>
<Option name="pf_classify_str"/>
</PolicyRuleOptions>
</PolicyRule>
</PolicyRule>
<PolicyRule id="id5942X26920" disabled="False" log="True" position="4" action="Deny" direction="Both" comment="">
<Src neg="False">
<Src neg="False">
<ObjectRef ref="sysid0"/>
</Src>
<Dst neg="False">
<Dst neg="False">
<ObjectRef ref="sysid0"/>
</Dst>
<Srv neg="False">
<Srv neg="False">
<ServiceRef ref="sysid1"/>
</Srv>
<Itf neg="False">
<Itf neg="False">
<ObjectRef ref="sysid0"/>
</Itf>
<When neg="False">
<When neg="False">
<IntervalRef ref="sysid2"/>
</When>
<PolicyRuleOptions>
<PolicyRuleOptions>
<Option name="stateless">True</Option>
<Option name="pf_classify_str"/>
</PolicyRuleOptions>
</PolicyRule>
</PolicyRule>
<RuleSetOptions/>
</Policy>
<Routing id="id3641X95766" name="Routing" comment="" ro="False" ipv4_rule_set="False" ipv6_rule_set="False" top_rule_set="True">
@ -1348,25 +1363,28 @@
</NAT>
<Policy id="id3816X36775" name="Policy" comment="" ro="False" ipv4_rule_set="False" ipv6_rule_set="False" top_rule_set="True">
<PolicyRule id="id4355X56095" disabled="False" log="False" position="0" action="Accept" direction="Both" comment="">
<Src neg="False">
<Src neg="False">
<ObjectRef ref="sysid0"/>
</Src>
<Dst neg="False">
<Dst neg="False">
<ObjectRef ref="sysid0"/>
</Dst>
<Srv neg="False">
<Srv neg="False">
<ServiceRef ref="sysid1"/>
</Srv>
<Itf neg="False">
<Itf neg="False">
<ObjectRef ref="sysid0"/>
</Itf>
<When neg="False">
<When neg="False">
<IntervalRef ref="sysid2"/>
</When>
<PolicyRuleOptions>
<PolicyRuleOptions>
<Option name="stateless">False</Option>
<Option name="pf_classify_str"/>
</PolicyRuleOptions>
</PolicyRule>
</PolicyRule>
<RuleSetOptions/>
</Policy>
<Routing id="id3818X36775" name="Routing" comment="" ro="False" ipv4_rule_set="False" ipv6_rule_set="False" top_rule_set="True">
@ -1592,133 +1610,151 @@
</NAT>
<Policy id="id3465X13311" name="Policy" comment="" ro="False" ipv4_rule_set="False" ipv6_rule_set="False" top_rule_set="True">
<PolicyRule id="id3466X13311" disabled="False" group="" log="False" position="0" action="Accept" direction="Both" comment="">
<Src neg="False">
<Src neg="False">
<ObjectRef ref="sysid0"/>
</Src>
<Dst neg="False">
<Dst neg="False">
<ObjectRef ref="id3054X14356"/>
</Dst>
<Srv neg="False">
<Srv neg="False">
<ServiceRef ref="id3068X14356"/>
</Srv>
<Itf neg="False">
<Itf neg="False">
<ObjectRef ref="sysid0"/>
</Itf>
<When neg="False">
<When neg="False">
<IntervalRef ref="sysid2"/>
</When>
<PolicyRuleOptions>
<PolicyRuleOptions>
<Option name="stateless">False</Option>
<Option name="pf_classify_str"/>
</PolicyRuleOptions>
</PolicyRule>
</PolicyRule>
<PolicyRule id="id3478X13311" disabled="False" log="True" position="1" action="Deny" direction="Inbound" comment="anti spoofing rule">
<Src neg="False">
<Src neg="False">
<ObjectRef ref="id3DC75CE7-1"/>
<ObjectRef ref="id3433X13311"/>
</Src>
<Dst neg="False">
<Dst neg="False">
<ObjectRef ref="sysid0"/>
</Dst>
<Srv neg="False">
<Srv neg="False">
<ServiceRef ref="sysid1"/>
</Srv>
<Itf neg="False">
<Itf neg="False">
<ObjectRef ref="sysid0"/>
</Itf>
<When neg="False">
<When neg="False">
<IntervalRef ref="sysid2"/>
</When>
<PolicyRuleOptions/>
</PolicyRule>
<PolicyRuleOptions>
<Option name="pf_classify_str"/>
</PolicyRuleOptions>
</PolicyRule>
<PolicyRule id="id3491X13311" disabled="False" log="False" position="2" action="Accept" direction="Both" comment="">
<Src neg="False">
<Src neg="False">
<ObjectRef ref="sysid0"/>
</Src>
<Dst neg="False">
<Dst neg="False">
<ObjectRef ref="sysid0"/>
</Dst>
<Srv neg="False">
<Srv neg="False">
<ServiceRef ref="sysid1"/>
</Srv>
<Itf neg="False">
<Itf neg="False">
<ObjectRef ref="sysid0"/>
</Itf>
<When neg="False">
<When neg="False">
<IntervalRef ref="sysid2"/>
</When>
<PolicyRuleOptions/>
</PolicyRule>
<PolicyRuleOptions>
<Option name="pf_classify_str"/>
</PolicyRuleOptions>
</PolicyRule>
<PolicyRule id="id3503X13311" disabled="False" log="False" position="3" action="Accept" direction="Both" comment="SSH Access to firewall is permitted&#10;only from internal network">
<Src neg="False">
<Src neg="False">
<ObjectRef ref="id3DC75CE7-1"/>
</Src>
<Dst neg="False">
<Dst neg="False">
<ObjectRef ref="id3433X13311"/>
</Dst>
<Srv neg="False">
<Srv neg="False">
<ServiceRef ref="tcp-SSH"/>
</Srv>
<Itf neg="False">
<Itf neg="False">
<ObjectRef ref="sysid0"/>
</Itf>
<When neg="False">
<When neg="False">
<IntervalRef ref="sysid2"/>
</When>
<PolicyRuleOptions/>
</PolicyRule>
<PolicyRuleOptions>
<Option name="pf_classify_str"/>
</PolicyRuleOptions>
</PolicyRule>
<PolicyRule id="id3515X13311" disabled="False" group="" log="False" position="4" action="Accept" direction="Both" comment="SSH Access to firewall is permitted&#10;only from internal network">
<Src neg="False">
<Src neg="False">
<ObjectRef ref="id3DC75CE7-1"/>
</Src>
<Dst neg="False">
<Dst neg="False">
<ObjectRef ref="sysid0"/>
</Dst>
<Srv neg="False">
<Srv neg="False">
<ServiceRef ref="tcp-SSH"/>
</Srv>
<Itf neg="False">
<Itf neg="False">
<ObjectRef ref="sysid0"/>
</Itf>
<When neg="False">
<When neg="False">
<IntervalRef ref="sysid2"/>
</When>
<PolicyRuleOptions/>
</PolicyRule>
<PolicyRuleOptions>
<Option name="pf_classify_str"/>
</PolicyRuleOptions>
</PolicyRule>
<PolicyRule id="id3527X13311" disabled="False" log="True" position="5" action="Accept" direction="Both" comment="Firewall uses one of the machines&#10;on internal network for DNS">
<Src neg="False">
<Src neg="False">
<ObjectRef ref="id3433X13311"/>
</Src>
<Dst neg="False">
<Dst neg="False">
<ObjectRef ref="id3DC75CE7-1"/>
</Dst>
<Srv neg="False">
<Srv neg="False">
<ServiceRef ref="id3F530CC8"/>
</Srv>
<Itf neg="False">
<Itf neg="False">
<ObjectRef ref="sysid0"/>
</Itf>
<When neg="False">
<When neg="False">
<IntervalRef ref="sysid2"/>
</When>
<PolicyRuleOptions/>
</PolicyRule>
<PolicyRuleOptions>
<Option name="pf_classify_str"/>
</PolicyRuleOptions>
</PolicyRule>
<PolicyRule id="id4369X67939" disabled="False" group="" log="False" position="6" action="Branch" direction="Both" comment="branch rule set is different in members linux-1 and linux-2">
<Src neg="False">
<Src neg="False">
<ObjectRef ref="sysid0"/>
</Src>
<Dst neg="False">
<Dst neg="False">
<ObjectRef ref="id3433X13311"/>
</Dst>
<Srv neg="False">
<Srv neg="False">
<ServiceRef ref="sysid1"/>
</Srv>
<Itf neg="False">
<Itf neg="False">
<ObjectRef ref="sysid0"/>
</Itf>
<When neg="False">
<When neg="False">
<IntervalRef ref="sysid2"/>
</When>
<PolicyRuleOptions>
<PolicyRuleOptions>
<Option name="action_on_reject"/>
<Option name="branch_id">id6187X76214</Option>
<Option name="classify_str"/>
@ -1765,25 +1801,28 @@
<Option name="rule_name_accounting"/>
<Option name="stateless">True</Option>
<Option name="ulog_nlgroup">1</Option>
<Option name="pf_classify_str"/>
</PolicyRuleOptions>
</PolicyRule>
</PolicyRule>
<PolicyRule id="id3539X13311" disabled="False" log="True" position="7" action="Deny" direction="Both" comment="">
<Src neg="False">
<Src neg="False">
<ObjectRef ref="sysid0"/>
</Src>
<Dst neg="False">
<Dst neg="False">
<ObjectRef ref="id3433X13311"/>
</Dst>
<Srv neg="False">
<Srv neg="False">
<ServiceRef ref="sysid1"/>
</Srv>
<Itf neg="False">
<Itf neg="False">
<ObjectRef ref="sysid0"/>
</Itf>
<When neg="False">
<When neg="False">
<IntervalRef ref="sysid2"/>
</When>
<PolicyRuleOptions>
<PolicyRuleOptions>
<Option name="connlimit_masklen">0</Option>
<Option name="connlimit_value">0</Option>
<Option name="firewall_is_part_of_any_and_networks">False</Option>
@ -1807,64 +1846,76 @@
<Option name="log_prefix"/>
<Option name="stateless">True</Option>
<Option name="ulog_nlgroup">1</Option>
<Option name="pf_classify_str"/>
</PolicyRuleOptions>
</PolicyRule>
</PolicyRule>
<PolicyRule id="id3551X13311" disabled="False" log="False" position="8" action="Accept" direction="Both" comment="">
<Src neg="False">
<Src neg="False">
<ObjectRef ref="id3DC75CE7-1"/>
</Src>
<Dst neg="False">
<Dst neg="False">
<ObjectRef ref="sysid0"/>
</Dst>
<Srv neg="False">
<Srv neg="False">
<ServiceRef ref="sysid1"/>
</Srv>
<Itf neg="False">
<Itf neg="False">
<ObjectRef ref="sysid0"/>
</Itf>
<When neg="False">
<When neg="False">
<IntervalRef ref="sysid2"/>
</When>
<PolicyRuleOptions/>
</PolicyRule>
<PolicyRule id="id3563X13311" disabled="False" log="True" position="9" action="Deny" direction="Both" comment="">
<Src neg="False">
<ObjectRef ref="sysid0"/>
</Src>
<Dst neg="False">
<ObjectRef ref="sysid0"/>
</Dst>
<Srv neg="False">
<ServiceRef ref="sysid1"/>
</Srv>
<Itf neg="False">
<ObjectRef ref="sysid0"/>
</Itf>
<When neg="False">
<IntervalRef ref="sysid2"/>
</When>
<PolicyRuleOptions/>
</PolicyRule>
<PolicyRule id="id3575X13311" disabled="False" group="" log="True" position="10" action="Deny" direction="Both" comment="">
<Src neg="False">
<ObjectRef ref="sysid0"/>
</Src>
<Dst neg="False">
<ObjectRef ref="sysid0"/>
</Dst>
<Srv neg="False">
<ServiceRef ref="sysid1"/>
</Srv>
<Itf neg="False">
<ObjectRef ref="sysid0"/>
</Itf>
<When neg="False">
<IntervalRef ref="sysid2"/>
</When>
<PolicyRuleOptions>
<Option name="stateless">True</Option>
<PolicyRuleOptions>
<Option name="pf_classify_str"/>
</PolicyRuleOptions>
</PolicyRule>
</PolicyRule>
<PolicyRule id="id3563X13311" disabled="False" log="True" position="9" action="Deny" direction="Both" comment="">
<Src neg="False">
<ObjectRef ref="sysid0"/>
</Src>
<Dst neg="False">
<ObjectRef ref="sysid0"/>
</Dst>
<Srv neg="False">
<ServiceRef ref="sysid1"/>
</Srv>
<Itf neg="False">
<ObjectRef ref="sysid0"/>
</Itf>
<When neg="False">
<IntervalRef ref="sysid2"/>
</When>
<PolicyRuleOptions>
<Option name="pf_classify_str"/>
</PolicyRuleOptions>
</PolicyRule>
<PolicyRule id="id3575X13311" disabled="False" group="" log="True" position="10" action="Deny" direction="Both" comment="">
<Src neg="False">
<ObjectRef ref="sysid0"/>
</Src>
<Dst neg="False">
<ObjectRef ref="sysid0"/>
</Dst>
<Srv neg="False">
<ServiceRef ref="sysid1"/>
</Srv>
<Itf neg="False">
<ObjectRef ref="sysid0"/>
</Itf>
<When neg="False">
<IntervalRef ref="sysid2"/>
</When>
<PolicyRuleOptions>
<Option name="stateless">True</Option>
<Option name="pf_classify_str"/>
</PolicyRuleOptions>
</PolicyRule>
<RuleSetOptions/>
</Policy>
<Policy id="id6187X76214" name="to_fw" comment="this is a placeholder ruleset used in branching rule in Policy&#10;Member firewalls linux-1 and linux-2 have their own copy&#10;of the rule set with the same name which is used." ro="False" ipv4_rule_set="True" ipv6_rule_set="False" top_rule_set="False">
@ -1959,133 +2010,151 @@
</NAT>
<Policy id="id4434X28690" name="Policy" comment="" ro="False" ipv4_rule_set="False" ipv6_rule_set="False" top_rule_set="True">
<PolicyRule id="id4435X28690" disabled="False" group="" log="False" position="0" action="Accept" direction="Both" comment="">
<Src neg="False">
<Src neg="False">
<ObjectRef ref="sysid0"/>
</Src>
<Dst neg="False">
<Dst neg="False">
<ObjectRef ref="id3054X14356"/>
</Dst>
<Srv neg="False">
<Srv neg="False">
<ServiceRef ref="id3068X14356"/>
</Srv>
<Itf neg="False">
<Itf neg="False">
<ObjectRef ref="sysid0"/>
</Itf>
<When neg="False">
<When neg="False">
<IntervalRef ref="sysid2"/>
</When>
<PolicyRuleOptions>
<PolicyRuleOptions>
<Option name="stateless">False</Option>
<Option name="pf_classify_str"/>
</PolicyRuleOptions>
</PolicyRule>
</PolicyRule>
<PolicyRule id="id4447X28690" disabled="False" log="True" position="1" action="Deny" direction="Inbound" comment="anti spoofing rule">
<Src neg="False">
<Src neg="False">
<ObjectRef ref="id3DC75CE7-1"/>
<ObjectRef ref="id4400X28690"/>
</Src>
<Dst neg="False">
<Dst neg="False">
<ObjectRef ref="sysid0"/>
</Dst>
<Srv neg="False">
<Srv neg="False">
<ServiceRef ref="sysid1"/>
</Srv>
<Itf neg="False">
<Itf neg="False">
<ObjectRef ref="sysid0"/>
</Itf>
<When neg="False">
<When neg="False">
<IntervalRef ref="sysid2"/>
</When>
<PolicyRuleOptions/>
</PolicyRule>
<PolicyRuleOptions>
<Option name="pf_classify_str"/>
</PolicyRuleOptions>
</PolicyRule>
<PolicyRule id="id4460X28690" disabled="False" log="False" position="2" action="Accept" direction="Both" comment="">
<Src neg="False">
<Src neg="False">
<ObjectRef ref="sysid0"/>
</Src>
<Dst neg="False">
<Dst neg="False">
<ObjectRef ref="sysid0"/>
</Dst>
<Srv neg="False">
<Srv neg="False">
<ServiceRef ref="sysid1"/>
</Srv>
<Itf neg="False">
<Itf neg="False">
<ObjectRef ref="sysid0"/>
</Itf>
<When neg="False">
<When neg="False">
<IntervalRef ref="sysid2"/>
</When>
<PolicyRuleOptions/>
</PolicyRule>
<PolicyRuleOptions>
<Option name="pf_classify_str"/>
</PolicyRuleOptions>
</PolicyRule>
<PolicyRule id="id4472X28690" disabled="False" log="False" position="3" action="Accept" direction="Both" comment="SSH Access to firewall is permitted&#10;only from internal network">
<Src neg="False">
<Src neg="False">
<ObjectRef ref="id3DC75CE7-1"/>
</Src>
<Dst neg="False">
<Dst neg="False">
<ObjectRef ref="id4400X28690"/>
</Dst>
<Srv neg="False">
<Srv neg="False">
<ServiceRef ref="tcp-SSH"/>
</Srv>
<Itf neg="False">
<Itf neg="False">
<ObjectRef ref="sysid0"/>
</Itf>
<When neg="False">
<When neg="False">
<IntervalRef ref="sysid2"/>
</When>
<PolicyRuleOptions/>
</PolicyRule>
<PolicyRuleOptions>
<Option name="pf_classify_str"/>
</PolicyRuleOptions>
</PolicyRule>
<PolicyRule id="id4484X28690" disabled="False" group="" log="False" position="4" action="Accept" direction="Both" comment="SSH Access to firewall is permitted&#10;only from internal network">
<Src neg="False">
<Src neg="False">
<ObjectRef ref="id3DC75CE7-1"/>
</Src>
<Dst neg="False">
<Dst neg="False">
<ObjectRef ref="sysid0"/>
</Dst>
<Srv neg="False">
<Srv neg="False">
<ServiceRef ref="tcp-SSH"/>
</Srv>
<Itf neg="False">
<Itf neg="False">
<ObjectRef ref="sysid0"/>
</Itf>
<When neg="False">
<When neg="False">
<IntervalRef ref="sysid2"/>
</When>
<PolicyRuleOptions/>
</PolicyRule>
<PolicyRuleOptions>
<Option name="pf_classify_str"/>
</PolicyRuleOptions>
</PolicyRule>
<PolicyRule id="id4496X28690" disabled="False" log="True" position="5" action="Accept" direction="Both" comment="Firewall uses one of the machines&#10;on internal network for DNS">
<Src neg="False">
<Src neg="False">
<ObjectRef ref="id4400X28690"/>
</Src>
<Dst neg="False">
<Dst neg="False">
<ObjectRef ref="id3DC75CE7-1"/>
</Dst>
<Srv neg="False">
<Srv neg="False">
<ServiceRef ref="id3F530CC8"/>
</Srv>
<Itf neg="False">
<Itf neg="False">
<ObjectRef ref="sysid0"/>
</Itf>
<When neg="False">
<When neg="False">
<IntervalRef ref="sysid2"/>
</When>
<PolicyRuleOptions/>
</PolicyRule>
<PolicyRuleOptions>
<Option name="pf_classify_str"/>
</PolicyRuleOptions>
</PolicyRule>
<PolicyRule id="id4508X28690" disabled="False" group="" log="False" position="6" action="Deny" direction="Both" comment="">
<Src neg="False">
<Src neg="False">
<ObjectRef ref="sysid0"/>
</Src>
<Dst neg="False">
<Dst neg="False">
<ObjectRef ref="id4400X28690"/>
</Dst>
<Srv neg="False">
<Srv neg="False">
<ServiceRef ref="sysid1"/>
</Srv>
<Itf neg="False">
<Itf neg="False">
<ObjectRef ref="sysid0"/>
</Itf>
<When neg="False">
<When neg="False">
<IntervalRef ref="sysid2"/>
</When>
<PolicyRuleOptions>
<PolicyRuleOptions>
<Option name="connlimit_masklen">0</Option>
<Option name="connlimit_value">0</Option>
<Option name="firewall_is_part_of_any_and_networks">False</Option>
@ -2109,25 +2178,28 @@
<Option name="log_prefix"/>
<Option name="stateless">True</Option>
<Option name="ulog_nlgroup">1</Option>
<Option name="pf_classify_str"/>
</PolicyRuleOptions>
</PolicyRule>
</PolicyRule>
<PolicyRule id="id4520X28690" disabled="False" log="True" position="7" action="Deny" direction="Both" comment="">
<Src neg="False">
<Src neg="False">
<ObjectRef ref="sysid0"/>
</Src>
<Dst neg="False">
<Dst neg="False">
<ObjectRef ref="id4400X28690"/>
</Dst>
<Srv neg="False">
<Srv neg="False">
<ServiceRef ref="sysid1"/>
</Srv>
<Itf neg="False">
<Itf neg="False">
<ObjectRef ref="sysid0"/>
</Itf>
<When neg="False">
<When neg="False">
<IntervalRef ref="sysid2"/>
</When>
<PolicyRuleOptions>
<PolicyRuleOptions>
<Option name="connlimit_masklen">0</Option>
<Option name="connlimit_value">0</Option>
<Option name="firewall_is_part_of_any_and_networks">False</Option>
@ -2151,64 +2223,76 @@
<Option name="log_prefix"/>
<Option name="stateless">True</Option>
<Option name="ulog_nlgroup">1</Option>
<Option name="pf_classify_str"/>
</PolicyRuleOptions>
</PolicyRule>
</PolicyRule>
<PolicyRule id="id4532X28690" disabled="False" log="False" position="8" action="Accept" direction="Both" comment="">
<Src neg="False">
<Src neg="False">
<ObjectRef ref="id3DC75CE7-1"/>
</Src>
<Dst neg="False">
<Dst neg="False">
<ObjectRef ref="sysid0"/>
</Dst>
<Srv neg="False">
<Srv neg="False">
<ServiceRef ref="sysid1"/>
</Srv>
<Itf neg="False">
<Itf neg="False">
<ObjectRef ref="sysid0"/>
</Itf>
<When neg="False">
<When neg="False">
<IntervalRef ref="sysid2"/>
</When>
<PolicyRuleOptions/>
</PolicyRule>
<PolicyRule id="id4544X28690" disabled="False" log="True" position="9" action="Deny" direction="Both" comment="">
<Src neg="False">
<ObjectRef ref="sysid0"/>
</Src>
<Dst neg="False">
<ObjectRef ref="sysid0"/>
</Dst>
<Srv neg="False">
<ServiceRef ref="sysid1"/>
</Srv>
<Itf neg="False">
<ObjectRef ref="sysid0"/>
</Itf>
<When neg="False">
<IntervalRef ref="sysid2"/>
</When>
<PolicyRuleOptions/>
</PolicyRule>
<PolicyRule id="id4556X28690" disabled="False" group="" log="True" position="10" action="Deny" direction="Both" comment="">
<Src neg="False">
<ObjectRef ref="sysid0"/>
</Src>
<Dst neg="False">
<ObjectRef ref="sysid0"/>
</Dst>
<Srv neg="False">
<ServiceRef ref="sysid1"/>
</Srv>
<Itf neg="False">
<ObjectRef ref="sysid0"/>
</Itf>
<When neg="False">
<IntervalRef ref="sysid2"/>
</When>
<PolicyRuleOptions>
<Option name="stateless">True</Option>
<PolicyRuleOptions>
<Option name="pf_classify_str"/>
</PolicyRuleOptions>
</PolicyRule>
</PolicyRule>
<PolicyRule id="id4544X28690" disabled="False" log="True" position="9" action="Deny" direction="Both" comment="">
<Src neg="False">
<ObjectRef ref="sysid0"/>
</Src>
<Dst neg="False">
<ObjectRef ref="sysid0"/>
</Dst>
<Srv neg="False">
<ServiceRef ref="sysid1"/>
</Srv>
<Itf neg="False">
<ObjectRef ref="sysid0"/>
</Itf>
<When neg="False">
<IntervalRef ref="sysid2"/>
</When>
<PolicyRuleOptions>
<Option name="pf_classify_str"/>
</PolicyRuleOptions>
</PolicyRule>
<PolicyRule id="id4556X28690" disabled="False" group="" log="True" position="10" action="Deny" direction="Both" comment="">
<Src neg="False">
<ObjectRef ref="sysid0"/>
</Src>
<Dst neg="False">
<ObjectRef ref="sysid0"/>
</Dst>
<Srv neg="False">
<ServiceRef ref="sysid1"/>
</Srv>
<Itf neg="False">
<ObjectRef ref="sysid0"/>
</Itf>
<When neg="False">
<IntervalRef ref="sysid2"/>
</When>
<PolicyRuleOptions>
<Option name="stateless">True</Option>
<Option name="pf_classify_str"/>
</PolicyRuleOptions>
</PolicyRule>
<RuleSetOptions/>
</Policy>
<Routing id="id4583X28690" name="Routing" comment="" ro="False" ipv4_rule_set="False" ipv6_rule_set="False" top_rule_set="True">
@ -2312,133 +2396,151 @@
</NAT>
<Policy id="id2780X94039" name="Policy" comment="" ro="False" ipv4_rule_set="False" ipv6_rule_set="False" top_rule_set="True">
<PolicyRule id="id3055X14356" disabled="False" group="" log="False" position="0" action="Accept" direction="Both" comment="">
<Src neg="False">
<Src neg="False">
<ObjectRef ref="sysid0"/>
</Src>
<Dst neg="False">
<Dst neg="False">
<ObjectRef ref="id3054X14356"/>
</Dst>
<Srv neg="False">
<Srv neg="False">
<ServiceRef ref="id3068X14356"/>
</Srv>
<Itf neg="False">
<Itf neg="False">
<ObjectRef ref="sysid0"/>
</Itf>
<When neg="False">
<When neg="False">
<IntervalRef ref="sysid2"/>
</When>
<PolicyRuleOptions>
<PolicyRuleOptions>
<Option name="stateless">False</Option>
<Option name="pf_classify_str"/>
</PolicyRuleOptions>
</PolicyRule>
</PolicyRule>
<PolicyRule id="id2781X94039" disabled="False" log="True" position="1" action="Deny" direction="Inbound" comment="anti spoofing rule">
<Src neg="False">
<Src neg="False">
<ObjectRef ref="id3DC75CE7-1"/>
<ObjectRef ref="id2772X94039"/>
</Src>
<Dst neg="False">
<Dst neg="False">
<ObjectRef ref="sysid0"/>
</Dst>
<Srv neg="False">
<Srv neg="False">
<ServiceRef ref="sysid1"/>
</Srv>
<Itf neg="False">
<Itf neg="False">
<ObjectRef ref="sysid0"/>
</Itf>
<When neg="False">
<When neg="False">
<IntervalRef ref="sysid2"/>
</When>
<PolicyRuleOptions/>
</PolicyRule>
<PolicyRuleOptions>
<Option name="pf_classify_str"/>
</PolicyRuleOptions>
</PolicyRule>
<PolicyRule id="id2794X94039" disabled="False" log="False" position="2" action="Accept" direction="Both" comment="">
<Src neg="False">
<Src neg="False">
<ObjectRef ref="sysid0"/>
</Src>
<Dst neg="False">
<Dst neg="False">
<ObjectRef ref="sysid0"/>
</Dst>
<Srv neg="False">
<Srv neg="False">
<ServiceRef ref="sysid1"/>
</Srv>
<Itf neg="False">
<Itf neg="False">
<ObjectRef ref="sysid0"/>
</Itf>
<When neg="False">
<When neg="False">
<IntervalRef ref="sysid2"/>
</When>
<PolicyRuleOptions/>
</PolicyRule>
<PolicyRuleOptions>
<Option name="pf_classify_str"/>
</PolicyRuleOptions>
</PolicyRule>
<PolicyRule id="id2806X94039" disabled="False" log="False" position="3" action="Accept" direction="Both" comment="SSH Access to firewall is permitted&#10;only from internal network">
<Src neg="False">
<Src neg="False">
<ObjectRef ref="id3DC75CE7-1"/>
</Src>
<Dst neg="False">
<Dst neg="False">
<ObjectRef ref="id2772X94039"/>
</Dst>
<Srv neg="False">
<Srv neg="False">
<ServiceRef ref="tcp-SSH"/>
</Srv>
<Itf neg="False">
<Itf neg="False">
<ObjectRef ref="sysid0"/>
</Itf>
<When neg="False">
<When neg="False">
<IntervalRef ref="sysid2"/>
</When>
<PolicyRuleOptions/>
</PolicyRule>
<PolicyRuleOptions>
<Option name="pf_classify_str"/>
</PolicyRuleOptions>
</PolicyRule>
<PolicyRule id="id3725X2234" disabled="False" group="" log="False" position="4" action="Accept" direction="Both" comment="SSH Access to firewall is permitted&#10;only from internal network">
<Src neg="False">
<Src neg="False">
<ObjectRef ref="id3DC75CE7-1"/>
</Src>
<Dst neg="False">
<Dst neg="False">
<ObjectRef ref="sysid0"/>
</Dst>
<Srv neg="False">
<Srv neg="False">
<ServiceRef ref="tcp-SSH"/>
</Srv>
<Itf neg="False">
<Itf neg="False">
<ObjectRef ref="sysid0"/>
</Itf>
<When neg="False">
<When neg="False">
<IntervalRef ref="sysid2"/>
</When>
<PolicyRuleOptions/>
</PolicyRule>
<PolicyRuleOptions>
<Option name="pf_classify_str"/>
</PolicyRuleOptions>
</PolicyRule>
<PolicyRule id="id2818X94039" disabled="False" log="True" position="5" action="Accept" direction="Both" comment="Firewall uses one of the machines&#10;on internal network for DNS">
<Src neg="False">
<Src neg="False">
<ObjectRef ref="id2772X94039"/>
</Src>
<Dst neg="False">
<Dst neg="False">
<ObjectRef ref="id3DC75CE7-1"/>
</Dst>
<Srv neg="False">
<Srv neg="False">
<ServiceRef ref="id3F530CC8"/>
</Srv>
<Itf neg="False">
<Itf neg="False">
<ObjectRef ref="sysid0"/>
</Itf>
<When neg="False">
<When neg="False">
<IntervalRef ref="sysid2"/>
</When>
<PolicyRuleOptions/>
</PolicyRule>
<PolicyRuleOptions>
<Option name="pf_classify_str"/>
</PolicyRuleOptions>
</PolicyRule>
<PolicyRule id="id2830X94039" disabled="False" log="True" position="6" action="Deny" direction="Both" comment="All other attempts to connect to&#10;the firewall are denied and logged">
<Src neg="False">
<Src neg="False">
<ObjectRef ref="sysid0"/>
</Src>
<Dst neg="False">
<Dst neg="False">
<ObjectRef ref="id2772X94039"/>
</Dst>
<Srv neg="False">
<Srv neg="False">
<ServiceRef ref="sysid1"/>
</Srv>
<Itf neg="False">
<Itf neg="False">
<ObjectRef ref="sysid0"/>
</Itf>
<When neg="False">
<When neg="False">
<IntervalRef ref="sysid2"/>
</When>
<PolicyRuleOptions>
<PolicyRuleOptions>
<Option name="connlimit_masklen">0</Option>
<Option name="connlimit_value">0</Option>
<Option name="firewall_is_part_of_any_and_networks">False</Option>
@ -2462,64 +2564,76 @@
<Option name="log_prefix"/>
<Option name="stateless">True</Option>
<Option name="ulog_nlgroup">1</Option>
<Option name="pf_classify_str"/>
</PolicyRuleOptions>
</PolicyRule>
</PolicyRule>
<PolicyRule id="id2842X94039" disabled="False" log="False" position="7" action="Accept" direction="Both" comment="">
<Src neg="False">
<Src neg="False">
<ObjectRef ref="id3DC75CE7-1"/>
</Src>
<Dst neg="False">
<Dst neg="False">
<ObjectRef ref="sysid0"/>
</Dst>
<Srv neg="False">
<Srv neg="False">
<ServiceRef ref="sysid1"/>
</Srv>
<Itf neg="False">
<Itf neg="False">
<ObjectRef ref="sysid0"/>
</Itf>
<When neg="False">
<When neg="False">
<IntervalRef ref="sysid2"/>
</When>
<PolicyRuleOptions/>
</PolicyRule>
<PolicyRule id="id2854X94039" disabled="False" log="True" position="8" action="Deny" direction="Both" comment="">
<Src neg="False">
<ObjectRef ref="sysid0"/>
</Src>
<Dst neg="False">
<ObjectRef ref="sysid0"/>
</Dst>
<Srv neg="False">
<ServiceRef ref="sysid1"/>
</Srv>
<Itf neg="False">
<ObjectRef ref="sysid0"/>
</Itf>
<When neg="False">
<IntervalRef ref="sysid2"/>
</When>
<PolicyRuleOptions/>
</PolicyRule>
<PolicyRule id="id3087X2234" disabled="False" group="" log="True" position="9" action="Deny" direction="Both" comment="">
<Src neg="False">
<ObjectRef ref="sysid0"/>
</Src>
<Dst neg="False">
<ObjectRef ref="sysid0"/>
</Dst>
<Srv neg="False">
<ServiceRef ref="sysid1"/>
</Srv>
<Itf neg="False">
<ObjectRef ref="sysid0"/>
</Itf>
<When neg="False">
<IntervalRef ref="sysid2"/>
</When>
<PolicyRuleOptions>
<Option name="stateless">True</Option>
<PolicyRuleOptions>
<Option name="pf_classify_str"/>
</PolicyRuleOptions>
</PolicyRule>
</PolicyRule>
<PolicyRule id="id2854X94039" disabled="False" log="True" position="8" action="Deny" direction="Both" comment="">
<Src neg="False">
<ObjectRef ref="sysid0"/>
</Src>
<Dst neg="False">
<ObjectRef ref="sysid0"/>
</Dst>
<Srv neg="False">
<ServiceRef ref="sysid1"/>
</Srv>
<Itf neg="False">
<ObjectRef ref="sysid0"/>
</Itf>
<When neg="False">
<IntervalRef ref="sysid2"/>
</When>
<PolicyRuleOptions>
<Option name="pf_classify_str"/>
</PolicyRuleOptions>
</PolicyRule>
<PolicyRule id="id3087X2234" disabled="False" group="" log="True" position="9" action="Deny" direction="Both" comment="">
<Src neg="False">
<ObjectRef ref="sysid0"/>
</Src>
<Dst neg="False">
<ObjectRef ref="sysid0"/>
</Dst>
<Srv neg="False">
<ServiceRef ref="sysid1"/>
</Srv>
<Itf neg="False">
<ObjectRef ref="sysid0"/>
</Itf>
<When neg="False">
<IntervalRef ref="sysid2"/>
</When>
<PolicyRuleOptions>
<Option name="stateless">True</Option>
<Option name="pf_classify_str"/>
</PolicyRuleOptions>
</PolicyRule>
<RuleSetOptions/>
</Policy>
<Routing id="id2881X94039" name="Routing" comment="" ro="False" ipv4_rule_set="False" ipv6_rule_set="False" top_rule_set="True">
@ -2612,133 +2726,151 @@
</NAT>
<Policy id="id3940X13563" name="Policy" comment="" ro="False" ipv4_rule_set="False" ipv6_rule_set="False" top_rule_set="True">
<PolicyRule id="id5257X25627" disabled="False" group="" log="False" position="0" action="Accept" direction="Both" comment="">
<Src neg="False">
<Src neg="False">
<ObjectRef ref="sysid0"/>
</Src>
<Dst neg="False">
<Dst neg="False">
<ObjectRef ref="id3054X14356"/>
</Dst>
<Srv neg="False">
<Srv neg="False">
<ServiceRef ref="id3068X14356"/>
</Srv>
<Itf neg="False">
<Itf neg="False">
<ObjectRef ref="sysid0"/>
</Itf>
<When neg="False">
<When neg="False">
<IntervalRef ref="sysid2"/>
</When>
<PolicyRuleOptions>
<PolicyRuleOptions>
<Option name="stateless">False</Option>
<Option name="pf_classify_str"/>
</PolicyRuleOptions>
</PolicyRule>
</PolicyRule>
<PolicyRule id="id5239X25627" disabled="False" log="True" position="1" action="Deny" direction="Inbound" comment="anti spoofing rule">
<Src neg="False">
<Src neg="False">
<ObjectRef ref="id3DC75CE7-1"/>
<ObjectRef ref="id3937X13563"/>
</Src>
<Dst neg="False">
<Dst neg="False">
<ObjectRef ref="sysid0"/>
</Dst>
<Srv neg="False">
<Srv neg="False">
<ServiceRef ref="sysid1"/>
</Srv>
<Itf neg="False">
<Itf neg="False">
<ObjectRef ref="sysid0"/>
</Itf>
<When neg="False">
<When neg="False">
<IntervalRef ref="sysid2"/>
</When>
<PolicyRuleOptions/>
</PolicyRule>
<PolicyRuleOptions>
<Option name="pf_classify_str"/>
</PolicyRuleOptions>
</PolicyRule>
<PolicyRule id="id5222X25627" disabled="False" log="False" position="2" action="Accept" direction="Both" comment="">
<Src neg="False">
<Src neg="False">
<ObjectRef ref="sysid0"/>
</Src>
<Dst neg="False">
<Dst neg="False">
<ObjectRef ref="sysid0"/>
</Dst>
<Srv neg="False">
<Srv neg="False">
<ServiceRef ref="sysid1"/>
</Srv>
<Itf neg="False">
<Itf neg="False">
<ObjectRef ref="sysid0"/>
</Itf>
<When neg="False">
<When neg="False">
<IntervalRef ref="sysid2"/>
</When>
<PolicyRuleOptions/>
</PolicyRule>
<PolicyRuleOptions>
<Option name="pf_classify_str"/>
</PolicyRuleOptions>
</PolicyRule>
<PolicyRule id="id5205X25627" disabled="False" log="False" position="3" action="Accept" direction="Both" comment="SSH Access to firewall is permitted&#10;only from internal network">
<Src neg="False">
<Src neg="False">
<ObjectRef ref="id3DC75CE7-1"/>
</Src>
<Dst neg="False">
<Dst neg="False">
<ObjectRef ref="id3937X13563"/>
</Dst>
<Srv neg="False">
<Srv neg="False">
<ServiceRef ref="tcp-SSH"/>
</Srv>
<Itf neg="False">
<Itf neg="False">
<ObjectRef ref="sysid0"/>
</Itf>
<When neg="False">
<When neg="False">
<IntervalRef ref="sysid2"/>
</When>
<PolicyRuleOptions/>
</PolicyRule>
<PolicyRuleOptions>
<Option name="pf_classify_str"/>
</PolicyRuleOptions>
</PolicyRule>
<PolicyRule id="id5188X25627" disabled="False" group="" log="False" position="4" action="Accept" direction="Both" comment="SSH Access to firewall is permitted&#10;only from internal network">
<Src neg="False">
<Src neg="False">
<ObjectRef ref="id3DC75CE7-1"/>
</Src>
<Dst neg="False">
<Dst neg="False">
<ObjectRef ref="sysid0"/>
</Dst>
<Srv neg="False">
<Srv neg="False">
<ServiceRef ref="tcp-SSH"/>
</Srv>
<Itf neg="False">
<Itf neg="False">
<ObjectRef ref="sysid0"/>
</Itf>
<When neg="False">
<When neg="False">
<IntervalRef ref="sysid2"/>
</When>
<PolicyRuleOptions/>
</PolicyRule>
<PolicyRuleOptions>
<Option name="pf_classify_str"/>
</PolicyRuleOptions>
</PolicyRule>
<PolicyRule id="id5171X25627" disabled="False" log="True" position="5" action="Accept" direction="Both" comment="Firewall uses one of the machines&#10;on internal network for DNS">
<Src neg="False">
<Src neg="False">
<ObjectRef ref="id3937X13563"/>
</Src>
<Dst neg="False">
<Dst neg="False">
<ObjectRef ref="id3DC75CE7-1"/>
</Dst>
<Srv neg="False">
<Srv neg="False">
<ServiceRef ref="id3F530CC8"/>
</Srv>
<Itf neg="False">
<Itf neg="False">
<ObjectRef ref="sysid0"/>
</Itf>
<When neg="False">
<When neg="False">
<IntervalRef ref="sysid2"/>
</When>
<PolicyRuleOptions/>
</PolicyRule>
<PolicyRuleOptions>
<Option name="pf_classify_str"/>
</PolicyRuleOptions>
</PolicyRule>
<PolicyRule id="id5154X25627" disabled="False" log="True" position="6" action="Deny" direction="Both" comment="All other attempts to connect to&#10;the firewall are denied and logged">
<Src neg="False">
<Src neg="False">
<ObjectRef ref="sysid0"/>
</Src>
<Dst neg="False">
<Dst neg="False">
<ObjectRef ref="id3937X13563"/>
</Dst>
<Srv neg="False">
<Srv neg="False">
<ServiceRef ref="sysid1"/>
</Srv>
<Itf neg="False">
<Itf neg="False">
<ObjectRef ref="sysid0"/>
</Itf>
<When neg="False">
<When neg="False">
<IntervalRef ref="sysid2"/>
</When>
<PolicyRuleOptions>
<PolicyRuleOptions>
<Option name="connlimit_masklen">0</Option>
<Option name="connlimit_value">0</Option>
<Option name="firewall_is_part_of_any_and_networks">False</Option>
@ -2762,64 +2894,76 @@
<Option name="log_prefix"/>
<Option name="stateless">True</Option>
<Option name="ulog_nlgroup">1</Option>
<Option name="pf_classify_str"/>
</PolicyRuleOptions>
</PolicyRule>
</PolicyRule>
<PolicyRule id="id5137X25627" disabled="False" log="False" position="7" action="Accept" direction="Both" comment="">
<Src neg="False">
<Src neg="False">
<ObjectRef ref="id3DC75CE7-1"/>
</Src>
<Dst neg="False">
<Dst neg="False">
<ObjectRef ref="sysid0"/>
</Dst>
<Srv neg="False">
<Srv neg="False">
<ServiceRef ref="sysid1"/>
</Srv>
<Itf neg="False">
<Itf neg="False">
<ObjectRef ref="sysid0"/>
</Itf>
<When neg="False">
<When neg="False">
<IntervalRef ref="sysid2"/>
</When>
<PolicyRuleOptions/>
</PolicyRule>
<PolicyRule id="id5120X25627" disabled="False" log="True" position="8" action="Deny" direction="Both" comment="">
<Src neg="False">
<ObjectRef ref="sysid0"/>
</Src>
<Dst neg="False">
<ObjectRef ref="sysid0"/>
</Dst>
<Srv neg="False">
<ServiceRef ref="sysid1"/>
</Srv>
<Itf neg="False">
<ObjectRef ref="sysid0"/>
</Itf>
<When neg="False">
<IntervalRef ref="sysid2"/>
</When>
<PolicyRuleOptions/>
</PolicyRule>
<PolicyRule id="id5103X25627" disabled="False" group="" log="True" position="9" action="Deny" direction="Both" comment="">
<Src neg="False">
<ObjectRef ref="sysid0"/>
</Src>
<Dst neg="False">
<ObjectRef ref="sysid0"/>
</Dst>
<Srv neg="False">
<ServiceRef ref="sysid1"/>
</Srv>
<Itf neg="False">
<ObjectRef ref="sysid0"/>
</Itf>
<When neg="False">
<IntervalRef ref="sysid2"/>
</When>
<PolicyRuleOptions>
<Option name="stateless">True</Option>
<PolicyRuleOptions>
<Option name="pf_classify_str"/>
</PolicyRuleOptions>
</PolicyRule>
</PolicyRule>
<PolicyRule id="id5120X25627" disabled="False" log="True" position="8" action="Deny" direction="Both" comment="">
<Src neg="False">
<ObjectRef ref="sysid0"/>
</Src>
<Dst neg="False">
<ObjectRef ref="sysid0"/>
</Dst>
<Srv neg="False">
<ServiceRef ref="sysid1"/>
</Srv>
<Itf neg="False">
<ObjectRef ref="sysid0"/>
</Itf>
<When neg="False">
<IntervalRef ref="sysid2"/>
</When>
<PolicyRuleOptions>
<Option name="pf_classify_str"/>
</PolicyRuleOptions>
</PolicyRule>
<PolicyRule id="id5103X25627" disabled="False" group="" log="True" position="9" action="Deny" direction="Both" comment="">
<Src neg="False">
<ObjectRef ref="sysid0"/>
</Src>
<Dst neg="False">
<ObjectRef ref="sysid0"/>
</Dst>
<Srv neg="False">
<ServiceRef ref="sysid1"/>
</Srv>
<Itf neg="False">
<ObjectRef ref="sysid0"/>
</Itf>
<When neg="False">
<IntervalRef ref="sysid2"/>
</When>
<PolicyRuleOptions>
<Option name="stateless">True</Option>
<Option name="pf_classify_str"/>
</PolicyRuleOptions>
</PolicyRule>
<RuleSetOptions/>
</Policy>
<Routing id="id3942X13563" name="Routing" comment="" ro="False" ipv4_rule_set="False" ipv6_rule_set="False" top_rule_set="True">
@ -3062,7 +3206,10 @@
<When neg="False">
<IntervalRef ref="sysid2"/>
</When>
<PolicyRuleOptions/>
<PolicyRuleOptions>
<Option name="pf_classify_str"/>
</PolicyRuleOptions>
</PolicyRule>
<PolicyRule id="id2896X78273" disabled="False" log="False" position="1" action="Accept" direction="Both" comment="">
<Src neg="False">
@ -3080,7 +3227,10 @@
<When neg="False">
<IntervalRef ref="sysid2"/>
</When>
<PolicyRuleOptions/>
<PolicyRuleOptions>
<Option name="pf_classify_str"/>
</PolicyRuleOptions>
</PolicyRule>
<PolicyRule id="id2879X78273" disabled="False" log="False" position="2" action="Accept" direction="Both" comment="SSH Access to firewall is permitted&#10;only from internal network">
<Src neg="False">
@ -3098,7 +3248,10 @@
<When neg="False">
<IntervalRef ref="sysid2"/>
</When>
<PolicyRuleOptions/>
<PolicyRuleOptions>
<Option name="pf_classify_str"/>
</PolicyRuleOptions>
</PolicyRule>
<PolicyRule id="id2862X78273" disabled="False" log="True" position="3" action="Accept" direction="Both" comment="Firewall uses one of the machines&#10;on internal network for DNS">
<Src neg="False">
@ -3116,7 +3269,10 @@
<When neg="False">
<IntervalRef ref="sysid2"/>
</When>
<PolicyRuleOptions/>
<PolicyRuleOptions>
<Option name="pf_classify_str"/>
</PolicyRuleOptions>
</PolicyRule>
<PolicyRule id="id2845X78273" disabled="False" log="True" position="4" action="Deny" direction="Both" comment="All other attempts to connect to&#10;the firewall are denied and logged">
<Src neg="False">
@ -3134,7 +3290,10 @@
<When neg="False">
<IntervalRef ref="sysid2"/>
</When>
<PolicyRuleOptions/>
<PolicyRuleOptions>
<Option name="pf_classify_str"/>
</PolicyRuleOptions>
</PolicyRule>
<PolicyRule id="id2828X78273" disabled="False" log="False" position="5" action="Accept" direction="Both" comment="">
<Src neg="False">
@ -3152,7 +3311,10 @@
<When neg="False">
<IntervalRef ref="sysid2"/>
</When>
<PolicyRuleOptions/>
<PolicyRuleOptions>
<Option name="pf_classify_str"/>
</PolicyRuleOptions>
</PolicyRule>
<PolicyRule id="id2811X78273" disabled="False" log="True" position="6" action="Deny" direction="Both" comment="">
<Src neg="False">
@ -3170,7 +3332,10 @@
<When neg="False">
<IntervalRef ref="sysid2"/>
</When>
<PolicyRuleOptions/>
<PolicyRuleOptions>
<Option name="pf_classify_str"/>
</PolicyRuleOptions>
</PolicyRule>
<RuleSetOptions/>
</Policy>
@ -3292,7 +3457,10 @@
<Option name="log_prefix"/>
<Option name="stateless">True</Option>
<Option name="ulog_nlgroup">1</Option>
</PolicyRuleOptions>
<Option name="pf_classify_str"/>
</PolicyRuleOptions>
</PolicyRule>
<RuleSetOptions/>
</Policy>
@ -3478,7 +3646,10 @@
<Option name="log_prefix"/>
<Option name="stateless">True</Option>
<Option name="ulog_nlgroup">1</Option>
</PolicyRuleOptions>
<Option name="pf_classify_str"/>
</PolicyRuleOptions>
</PolicyRule>
<RuleSetOptions/>
</Policy>

1717
test/iosacl/objects-for-regression-tests.fwb
View File

File diff suppressed because it is too large Load Diff

37
test/ipf/large_policy_test.fwb
View File

@ -1,6 +1,6 @@
<?xml version="1.0" encoding="utf-8"?>
<!DOCTYPE FWObjectDatabase SYSTEM "fwbuilder.dtd">
<FWObjectDatabase xmlns="http://www.fwbuilder.org/1.0/" version="17" lastModified="" id="root">
<FWObjectDatabase xmlns="http://www.fwbuilder.org/1.0/" version="20" lastModified="" id="root">
<Library id="sysid99" name="Deleted Objects" comment="" ro="False"/>
<Library id="syslib001" color="#d2ffd0" name="User" comment="User defined objects" ro="False">
<ObjectGroup id="stdid01_1_clusters" name="Clusters" comment="" ro="False"/>
@ -56,7 +56,10 @@
<When neg="False">
<IntervalRef ref="sysid2"/>
</When>
<PolicyRuleOptions/>
<PolicyRuleOptions>
<Option name="pf_classify_str"/>
</PolicyRuleOptions>
</PolicyRule>
<PolicyRule id="id3F9AF2C0" disabled="False" log="True" position="1" action="Deny" direction="Both" comment="">
<Src neg="False">
@ -78,7 +81,10 @@
</When>
<PolicyRuleOptions>
<Option name="stateless">True</Option>
</PolicyRuleOptions>
<Option name="pf_classify_str"/>
</PolicyRuleOptions>
</PolicyRule>
<PolicyRule id="id3F9A1BF6" disabled="False" log="False" position="2" action="Accept" direction="Both" comment="">
<Src neg="False">
@ -96,7 +102,10 @@
<When neg="False">
<IntervalRef ref="sysid2"/>
</When>
<PolicyRuleOptions/>
<PolicyRuleOptions>
<Option name="pf_classify_str"/>
</PolicyRuleOptions>
</PolicyRule>
<PolicyRule id="id3F9A1BEC" disabled="False" log="False" position="3" action="Accept" direction="Both" comment="">
<Src neg="False">
@ -114,7 +123,10 @@
<When neg="False">
<IntervalRef ref="sysid2"/>
</When>
<PolicyRuleOptions/>
<PolicyRuleOptions>
<Option name="pf_classify_str"/>
</PolicyRuleOptions>
</PolicyRule>
<PolicyRule id="id3F9A1C2E" disabled="False" log="False" position="4" action="Accept" direction="Both" comment="">
<Src neg="False">
@ -132,7 +144,10 @@
<When neg="False">
<IntervalRef ref="sysid2"/>
</When>
<PolicyRuleOptions/>
<PolicyRuleOptions>
<Option name="pf_classify_str"/>
</PolicyRuleOptions>
</PolicyRule>
<PolicyRule id="id3F9A1C96" disabled="False" log="False" position="5" action="Accept" direction="Both" comment="">
<Src neg="False">
@ -150,7 +165,10 @@
<When neg="False">
<IntervalRef ref="sysid2"/>
</When>
<PolicyRuleOptions/>
<PolicyRuleOptions>
<Option name="pf_classify_str"/>
</PolicyRuleOptions>
</PolicyRule>
<PolicyRule id="id3F9A1C3A" disabled="False" log="True" position="6" action="Deny" direction="Both" comment="">
<Src neg="False">
@ -170,7 +188,10 @@
</When>
<PolicyRuleOptions>
<Option name="stateless">True</Option>
</PolicyRuleOptions>
<Option name="pf_classify_str"/>
</PolicyRuleOptions>
</PolicyRule>
<RuleSetOptions/>
</Policy>

663
test/ipf/objects-for-regression-tests.fwb
View File

@ -1,6 +1,6 @@
<?xml version="1.0" encoding="utf-8"?>
<!DOCTYPE FWObjectDatabase SYSTEM "fwbuilder.dtd">
<FWObjectDatabase xmlns="http://www.fwbuilder.org/1.0/" version="18" lastModified="1257363322" id="root">
<FWObjectDatabase xmlns="http://www.fwbuilder.org/1.0/" version="20" lastModified="1257363322" id="root">
<Library id="syslib000" color="#d4f8ff" name="Standard" comment="Standard objects" ro="True">
<AnyNetwork id="sysid0" name="Any" comment="Any Network" ro="False" address="0.0.0.0" netmask="0.0.0.0"/>
<AnyIPService id="sysid1" protocol_num="0" name="Any" comment="Any IP Service" ro="False"/>
@ -1266,9 +1266,13 @@
<Itf neg="False">
<ObjectRef ref="if-FW-firewall2-eth1"/>
</Itf>
<PolicyRuleOptions>
<Option name="stateless">True</Option>
</PolicyRuleOptions>
<Option name="pf_classify_str"/>
</PolicyRuleOptions>
</PolicyRule>
<PolicyRule id="pol-firewall2-0" disabled="False" log="True" position="1" action="Deny" direction="Inbound" comment="Automatically generated rule blocking short fragments">
<Src neg="False">
@ -1288,7 +1292,10 @@
</When>
<PolicyRuleOptions>
<Option name="stateless">True</Option>
</PolicyRuleOptions>
<Option name="pf_classify_str"/>
</PolicyRuleOptions>
</PolicyRule>
<PolicyRule id="pol-firewall2-1" disabled="False" log="True" position="2" action="Deny" direction="Inbound" comment="Automatically generated anti-spoofing rule">
<Src neg="False">
@ -1309,7 +1316,10 @@
</When>
<PolicyRuleOptions>
<Option name="stateless">True</Option>
</PolicyRuleOptions>
<Option name="pf_classify_str"/>
</PolicyRuleOptions>
</PolicyRule>
<PolicyRule id="id3EDC2CC7" disabled="False" log="False" position="3" action="Accept" direction="Inbound" comment="комментарий по-русски">
<Src neg="False">
@ -1327,7 +1337,10 @@
<When neg="False">
<IntervalRef ref="sysid2"/>
</When>
<PolicyRuleOptions/>
<PolicyRuleOptions>
<Option name="pf_classify_str"/>
</PolicyRuleOptions>
</PolicyRule>
<PolicyRule id="id3B92DFC5" disabled="False" log="False" position="4" action="Accept" direction="Both" comment="">
<Src neg="False">
@ -1342,7 +1355,11 @@
<Itf neg="False">
<ObjectRef ref="if-FW-firewall2-eth0"/>
</Itf>
<PolicyRuleOptions/>
<PolicyRuleOptions>
<Option name="pf_classify_str"/>
</PolicyRuleOptions>
</PolicyRule>
<PolicyRule id="id3C4E4C38" disabled="False" log="True" position="5" action="Deny" direction="Inbound" comment="">
<Src neg="False">
@ -1357,9 +1374,13 @@
<Itf neg="False">
<ObjectRef ref="if-FW-firewall2-eth0"/>
</Itf>
<PolicyRuleOptions>
<Option name="stateless">True</Option>
</PolicyRuleOptions>
<Option name="pf_classify_str"/>
</PolicyRuleOptions>
</PolicyRule>
<PolicyRule id="id3B58E39D" disabled="False" log="True" position="6" action="Deny" direction="Both" comment="">
<Src neg="False">
@ -1385,7 +1406,10 @@
<Option name="log_limit_suffix"/>
<Option name="log_prefix"/>
<Option name="stateless">True</Option>
</PolicyRuleOptions>
<Option name="pf_classify_str"/>
</PolicyRuleOptions>
</PolicyRule>
<PolicyRule id="id3B6659FC" disabled="False" log="True" position="7" action="Reject" direction="Both" comment="">
<Src neg="False">
@ -1411,7 +1435,10 @@
<Option name="ipf_keep_frags">False</Option>
<Option name="ipf_return_icmp_as_dest">True</Option>
<Option name="stateless">True</Option>
</PolicyRuleOptions>
<Option name="pf_classify_str"/>
</PolicyRuleOptions>
</PolicyRule>
<PolicyRule id="id3CE74D81" disabled="False" log="False" position="8" action="Reject" direction="Both" comment="">
<Src neg="False">
@ -1431,7 +1458,10 @@
</When>
<PolicyRuleOptions>
<Option name="stateless">True</Option>
</PolicyRuleOptions>
<Option name="pf_classify_str"/>
</PolicyRuleOptions>
</PolicyRule>
<PolicyRule id="id3BF1B45E" disabled="True" log="False" position="9" action="Accept" direction="Both" comment="">
<Src neg="False">
@ -1454,7 +1484,10 @@
<Option name="limit_suffix"/>
<Option name="limit_value">0</Option>
<Option name="log_prefix"/>
</PolicyRuleOptions>
<Option name="pf_classify_str"/>
</PolicyRuleOptions>
</PolicyRule>
<PolicyRule id="id3BF1B44E" disabled="True" log="False" position="10" action="Accept" direction="Both" comment="">
<Src neg="False">
@ -1477,7 +1510,10 @@
<Option name="limit_suffix"/>
<Option name="limit_value">0</Option>
<Option name="log_prefix"/>
</PolicyRuleOptions>
<Option name="pf_classify_str"/>
</PolicyRuleOptions>
</PolicyRule>
<PolicyRule id="pol-firewall2-3" disabled="False" log="False" position="11" action="Accept" direction="Both" comment="">
<Src neg="False">
@ -1503,7 +1539,10 @@
<Option name="limit_suffix"/>
<Option name="limit_value">0</Option>
<Option name="log_prefix"/>
</PolicyRuleOptions>
<Option name="pf_classify_str"/>
</PolicyRuleOptions>
</PolicyRule>
<PolicyRule id="pol-firewall2-2" disabled="False" log="False" position="12" action="Accept" direction="Both" comment="">
<Src neg="False">
@ -1526,7 +1565,10 @@
<Option name="limit_suffix"/>
<Option name="limit_value">0</Option>
<Option name="log_prefix"/>
</PolicyRuleOptions>
<Option name="pf_classify_str"/>
</PolicyRuleOptions>
</PolicyRule>
<PolicyRule id="pol-firewall2-4" disabled="False" log="False" position="13" action="Accept" direction="Both" comment="">
<Src neg="False">
@ -1550,7 +1592,10 @@
<Option name="limit_suffix"/>
<Option name="limit_value">0</Option>
<Option name="log_prefix"/>
</PolicyRuleOptions>
<Option name="pf_classify_str"/>
</PolicyRuleOptions>
</PolicyRule>
<PolicyRule id="id3CD8770E" disabled="False" log="False" position="14" action="Accept" direction="Both" comment="">
<Src neg="False">
@ -1574,7 +1619,10 @@
<Option name="limit_suffix"/>
<Option name="limit_value">0</Option>
<Option name="log_prefix"/>
</PolicyRuleOptions>
<Option name="pf_classify_str"/>
</PolicyRuleOptions>
</PolicyRule>
<PolicyRule id="id3D98E652" disabled="False" log="False" position="15" action="Accept" direction="Both" comment="">
<Src neg="False">
@ -1598,7 +1646,10 @@
<Option name="limit_suffix"/>
<Option name="limit_value">0</Option>
<Option name="log_prefix"/>
</PolicyRuleOptions>
<Option name="pf_classify_str"/>
</PolicyRuleOptions>
</PolicyRule>
<PolicyRule id="id3CD87B1E" disabled="False" log="False" position="16" action="Accept" direction="Both" comment="">
<Src neg="False">
@ -1622,7 +1673,10 @@
<Option name="limit_suffix"/>
<Option name="limit_value">0</Option>
<Option name="log_prefix"/>
</PolicyRuleOptions>
<Option name="pf_classify_str"/>
</PolicyRuleOptions>
</PolicyRule>
<PolicyRule id="id3B58E180" disabled="False" log="True" position="17" action="Accept" direction="Both" comment="">
<Src neg="False">
@ -1640,7 +1694,10 @@
<When neg="False">
<IntervalRef ref="sysid2"/>
</When>
<PolicyRuleOptions/>
<PolicyRuleOptions>
<Option name="pf_classify_str"/>
</PolicyRuleOptions>
</PolicyRule>
<PolicyRule id="id3EE262C2" disabled="True" log="False" position="18" action="Accept" direction="Both" comment="illegal rule - firewall8 has dynamic interface">
<Src neg="False">
@ -1660,7 +1717,10 @@
<When neg="False">
<IntervalRef ref="sysid2"/>
</When>
<PolicyRuleOptions/>
<PolicyRuleOptions>
<Option name="pf_classify_str"/>
</PolicyRuleOptions>
</PolicyRule>
<PolicyRule id="id3EE261FB" disabled="False" log="False" position="19" action="Accept" direction="Both" comment="">
<Src neg="False">
@ -1682,7 +1742,10 @@
<When neg="False">
<IntervalRef ref="sysid2"/>
</When>
<PolicyRuleOptions/>
<PolicyRuleOptions>
<Option name="pf_classify_str"/>
</PolicyRuleOptions>
</PolicyRule>
<PolicyRule id="pol-firewall2-5" disabled="False" log="False" position="20" action="Accept" direction="Both" comment="Automatically generated 'masquerading' rule">
<Src neg="False">
@ -1706,7 +1769,10 @@
<Option name="limit_suffix"/>
<Option name="limit_value">0</Option>
<Option name="log_prefix"/>
</PolicyRuleOptions>
<Option name="pf_classify_str"/>
</PolicyRuleOptions>
</PolicyRule>
<PolicyRule id="pol-firewall2-7" disabled="False" log="True" position="21" action="Deny" direction="Both" comment="Automatically generated 'catch all' rule">
<Src neg="False">
@ -1735,7 +1801,10 @@
<Option name="log_limit_suffix"/>
<Option name="log_prefix"/>
<Option name="stateless">True</Option>
</PolicyRuleOptions>
<Option name="pf_classify_str"/>
</PolicyRuleOptions>
</PolicyRule>
<RuleSetOptions/>
</Policy>
@ -2174,9 +2243,13 @@
<Itf neg="False">
<ObjectRef ref="id3AF5AA96"/>
</Itf>
<PolicyRuleOptions>
<Option name="stateless">True</Option>
</PolicyRuleOptions>
<Option name="pf_classify_str"/>
</PolicyRuleOptions>
</PolicyRule>
<PolicyRule id="id3CD34BEF" disabled="False" log="False" position="1" action="Deny" direction="Both" comment="">
<Src neg="False">
@ -2196,7 +2269,10 @@
</When>
<PolicyRuleOptions>
<Option name="stateless">True</Option>
</PolicyRuleOptions>
<Option name="pf_classify_str"/>
</PolicyRuleOptions>
</PolicyRule>
<PolicyRule id="id3AF5AAB4" disabled="False" log="True" position="2" action="Deny" direction="Inbound" comment="Anti-spoofing rule">
<Src neg="False">
@ -2212,9 +2288,13 @@
<Itf neg="False">
<ObjectRef ref="id3AF5AA99"/>
</Itf>
<PolicyRuleOptions>
<Option name="stateless">True</Option>
</PolicyRuleOptions>
<Option name="pf_classify_str"/>
</PolicyRuleOptions>
</PolicyRule>
<PolicyRule id="id3AF5AAAB" disabled="False" log="True" position="3" action="Deny" direction="Outbound" comment="Anti-spoofing rule">
<Src neg="True">
@ -2229,9 +2309,13 @@
<Itf neg="False">
<ObjectRef ref="id3AF5AA99"/>
</Itf>
<PolicyRuleOptions>
<Option name="stateless">True</Option>
</PolicyRuleOptions>
<Option name="pf_classify_str"/>
</PolicyRuleOptions>
</PolicyRule>
<PolicyRule id="id3CDDF2FA" disabled="False" log="False" position="4" action="Accept" direction="Both" comment="">
<Src neg="False">
@ -2249,7 +2333,10 @@
<When neg="False">
<IntervalRef ref="sysid2"/>
</When>
<PolicyRuleOptions/>
<PolicyRuleOptions>
<Option name="pf_classify_str"/>
</PolicyRuleOptions>
</PolicyRule>
<PolicyRule id="id3CCA26E4" disabled="False" log="True" position="5" action="Deny" direction="Both" comment="">
<Src neg="False">
@ -2269,7 +2356,10 @@
</When>
<PolicyRuleOptions>
<Option name="stateless">True</Option>
</PolicyRuleOptions>
<Option name="pf_classify_str"/>
</PolicyRuleOptions>
</PolicyRule>
<PolicyRule id="id3B9AB902" disabled="True" log="True" position="6" action="Deny" direction="Both" comment="">
<Src neg="False">
@ -2289,7 +2379,10 @@
</When>
<PolicyRuleOptions>
<Option name="stateless">True</Option>
</PolicyRuleOptions>
<Option name="pf_classify_str"/>
</PolicyRuleOptions>
</PolicyRule>
<PolicyRule id="id3AFC0F90" disabled="False" log="True" position="7" action="Accept" direction="Both" comment="hostF has the same IP address as firewal.">
<Src neg="False">
@ -2307,7 +2400,10 @@
<When neg="False">
<IntervalRef ref="sysid2"/>
</When>
<PolicyRuleOptions/>
<PolicyRuleOptions>
<Option name="pf_classify_str"/>
</PolicyRuleOptions>
</PolicyRule>
<PolicyRule id="id3B021E10" disabled="False" log="True" position="8" action="Deny" direction="Both" comment="testing negation in the policy rule">
<Src neg="True">
@ -2332,7 +2428,10 @@
<Option name="limit_value">10</Option>
<Option name="log_prefix"/>
<Option name="stateless">True</Option>
</PolicyRuleOptions>
<Option name="pf_classify_str"/>
</PolicyRuleOptions>
</PolicyRule>
<PolicyRule id="id3B0B4A13" disabled="False" log="True" position="9" action="Deny" direction="Both" comment="">
<Src neg="True">
@ -2353,7 +2452,10 @@
</When>
<PolicyRuleOptions>
<Option name="stateless">True</Option>
</PolicyRuleOptions>
<Option name="pf_classify_str"/>
</PolicyRuleOptions>
</PolicyRule>
<PolicyRule id="id3B5535B7" disabled="False" log="True" position="10" action="Deny" direction="Both" comment="">
<Src neg="True">
@ -2374,7 +2476,10 @@
</When>
<PolicyRuleOptions>
<Option name="stateless">True</Option>
</PolicyRuleOptions>
<Option name="pf_classify_str"/>
</PolicyRuleOptions>
</PolicyRule>
<PolicyRule id="id3B11F63D" disabled="False" log="True" position="11" action="Deny" direction="Both" comment="">
<Src neg="False">
@ -2396,7 +2501,10 @@
</When>
<PolicyRuleOptions>
<Option name="stateless">True</Option>
</PolicyRuleOptions>
<Option name="pf_classify_str"/>
</PolicyRuleOptions>
</PolicyRule>
<PolicyRule id="id3CDDF0AA" disabled="False" log="False" position="12" action="Deny" direction="Both" comment="">
<Src neg="False">
@ -2416,7 +2524,10 @@
</When>
<PolicyRuleOptions>
<Option name="stateless">True</Option>
</PolicyRuleOptions>
<Option name="pf_classify_str"/>
</PolicyRuleOptions>
</PolicyRule>
<PolicyRule id="id3B021E6F" disabled="True" log="True" position="13" action="Deny" direction="Both" comment="testing negation in service field">
<Src neg="False">
@ -2438,7 +2549,10 @@
</When>
<PolicyRuleOptions>
<Option name="stateless">True</Option>
</PolicyRuleOptions>
<Option name="pf_classify_str"/>
</PolicyRuleOptions>
</PolicyRule>
<PolicyRule id="id3CCA2CF4" disabled="True" log="True" position="14" action="Accept" direction="Both" comment="testing negation in service field">
<Src neg="False">
@ -2458,7 +2572,10 @@
<When neg="False">
<IntervalRef ref="sysid2"/>
</When>
<PolicyRuleOptions/>
<PolicyRuleOptions>
<Option name="pf_classify_str"/>
</PolicyRuleOptions>
</PolicyRule>
<PolicyRule id="id3B45739A" disabled="False" log="True" position="15" action="Deny" direction="Both" comment="">
<Src neg="False">
@ -2478,7 +2595,10 @@
</When>
<PolicyRuleOptions>
<Option name="stateless">True</Option>
</PolicyRuleOptions>
<Option name="pf_classify_str"/>
</PolicyRuleOptions>
</PolicyRule>
<PolicyRule id="id3AF5AAC8" disabled="False" log="False" position="16" action="Accept" direction="Both" comment="'masquerading' rule">
<Src neg="False">
@ -2496,7 +2616,10 @@
<When neg="False">
<IntervalRef ref="sysid2"/>
</When>
<PolicyRuleOptions/>
<PolicyRuleOptions>
<Option name="pf_classify_str"/>
</PolicyRuleOptions>
</PolicyRule>
<PolicyRule id="id3AF5AAE3" disabled="False" log="True" position="17" action="Deny" direction="Both" comment="'catch all' rule">
<Src neg="False">
@ -2516,7 +2639,10 @@
</When>
<PolicyRuleOptions>
<Option name="stateless">True</Option>
</PolicyRuleOptions>
<Option name="pf_classify_str"/>
</PolicyRuleOptions>
</PolicyRule>
<RuleSetOptions/>
</Policy>
@ -3238,13 +3364,17 @@
<Itf neg="False">
<ObjectRef ref="id3AFB6706"/>
</Itf>
<PolicyRuleOptions>
<Option name="action_on_reject"/>
<Option name="limit_suffix"/>
<Option name="limit_value">0</Option>
<Option name="log_prefix">Iface: %I RULE %N -- %A **</Option>
<Option name="stateless">True</Option>
</PolicyRuleOptions>
<Option name="pf_classify_str"/>
</PolicyRuleOptions>
</PolicyRule>
<PolicyRule id="id3AFB6710" disabled="False" log="True" position="1" action="Deny" direction="Outbound" comment="Anti-spoofing rule">
<Src neg="True">
@ -3260,13 +3390,17 @@
<Itf neg="False">
<ObjectRef ref="id3AFB6706"/>
</Itf>
<PolicyRuleOptions>
<Option name="action_on_reject"/>
<Option name="limit_suffix"/>
<Option name="limit_value">0</Option>
<Option name="log_prefix">Iface: %I RULE %N -- %A **</Option>
<Option name="stateless">True</Option>
</PolicyRuleOptions>
<Option name="pf_classify_str"/>
</PolicyRuleOptions>
</PolicyRule>
<PolicyRule id="id3AFB66E5" disabled="False" log="True" position="2" action="Deny" direction="Both" comment="block fragments">
<Src neg="False">
@ -3287,7 +3421,10 @@
<PolicyRuleOptions>
<Option name="id"/>
<Option name="stateless">True</Option>
</PolicyRuleOptions>
<Option name="pf_classify_str"/>
</PolicyRuleOptions>
</PolicyRule>
<PolicyRule id="id3B0C6FD2" disabled="False" log="True" position="3" action="Reject" direction="Both" comment="sends TCP RST and makes custom record in the log">
<Src neg="False">
@ -3313,7 +3450,10 @@
<Option name="limit_value">0</Option>
<Option name="log_prefix">IDENT</Option>
<Option name="stateless">True</Option>
</PolicyRuleOptions>
<Option name="pf_classify_str"/>
</PolicyRuleOptions>
</PolicyRule>
<PolicyRule id="id3D333A66" disabled="False" log="True" position="4" action="Reject" direction="Both" comment="sends TCP RST and makes custom record in the log">
<Src neg="False">
@ -3339,7 +3479,10 @@
<Option name="limit_value">0</Option>
<Option name="log_prefix">IDENT</Option>
<Option name="stateless">True</Option>
</PolicyRuleOptions>
<Option name="pf_classify_str"/>
</PolicyRuleOptions>
</PolicyRule>
<PolicyRule id="id3D8FF63F" disabled="False" log="False" position="5" action="Accept" direction="Both" comment="">
<Src neg="False">
@ -3358,7 +3501,10 @@
<When neg="False">
<IntervalRef ref="sysid2"/>
</When>
<PolicyRuleOptions/>
<PolicyRuleOptions>
<Option name="pf_classify_str"/>
</PolicyRuleOptions>
</PolicyRule>
<PolicyRule id="id3D8FF660" disabled="False" log="False" position="6" action="Accept" direction="Both" comment="">
<Src neg="False">
@ -3377,7 +3523,10 @@
<When neg="False">
<IntervalRef ref="sysid2"/>
</When>
<PolicyRuleOptions/>
<PolicyRuleOptions>
<Option name="pf_classify_str"/>
</PolicyRuleOptions>
</PolicyRule>
<PolicyRule id="id3AFB66EF" disabled="False" log="False" position="7" action="Accept" direction="Both" comment="'masquerading' rule">
<Src neg="False">
@ -3397,7 +3546,10 @@
</When>
<PolicyRuleOptions>
<Option name="id"/>
</PolicyRuleOptions>
<Option name="pf_classify_str"/>
</PolicyRuleOptions>
</PolicyRule>
<PolicyRule id="id3C447B8D" disabled="False" log="True" position="8" action="Accept" direction="Both" comment="host-fw2 has the same address as &#10; one of the firewall's interfaces">
<Src neg="False">
@ -3415,7 +3567,10 @@
<When neg="False">
<IntervalRef ref="sysid2"/>
</When>
<PolicyRuleOptions/>
<PolicyRuleOptions>
<Option name="pf_classify_str"/>
</PolicyRuleOptions>
</PolicyRule>
<PolicyRule id="id3C447BCB" disabled="False" log="True" position="9" action="Accept" direction="Both" comment="">
<Src neg="False">
@ -3433,7 +3588,10 @@
<When neg="False">
<IntervalRef ref="sysid2"/>
</When>
<PolicyRuleOptions/>
<PolicyRuleOptions>
<Option name="pf_classify_str"/>
</PolicyRuleOptions>
</PolicyRule>
<PolicyRule id="id3AFB66F9" disabled="False" log="True" position="10" action="Deny" direction="Both" comment="'catch all' rule">
<Src neg="False">
@ -3454,7 +3612,10 @@
<PolicyRuleOptions>
<Option name="id"/>
<Option name="stateless">True</Option>
</PolicyRuleOptions>
<Option name="pf_classify_str"/>
</PolicyRuleOptions>
</PolicyRule>
<RuleSetOptions/>
</Policy>
@ -3875,9 +4036,13 @@
<Itf neg="False">
<ObjectRef ref="id3B0C63E1"/>
</Itf>
<PolicyRuleOptions>
<Option name="stateless">True</Option>
</PolicyRuleOptions>
<Option name="pf_classify_str"/>
</PolicyRuleOptions>
</PolicyRule>
<PolicyRule id="id3B0C63EB" disabled="False" log="True" position="1" action="Deny" direction="Outbound" comment="Anti-spoofing rule">
<Src neg="True">
@ -3893,9 +4058,13 @@
<Itf neg="False">
<ObjectRef ref="id3B0C63E1"/>
</Itf>
<PolicyRuleOptions>
<Option name="stateless">True</Option>
</PolicyRuleOptions>
<Option name="pf_classify_str"/>
</PolicyRuleOptions>
</PolicyRule>
<PolicyRule id="id3B54C977" disabled="False" log="True" position="2" action="Deny" direction="Both" comment="">
<Src neg="False">
@ -3910,9 +4079,13 @@
<Itf neg="False">
<ObjectRef ref="id3B0C63E1"/>
</Itf>
<PolicyRuleOptions>
<Option name="stateless">True</Option>
</PolicyRuleOptions>
<Option name="pf_classify_str"/>
</PolicyRuleOptions>
</PolicyRule>
<PolicyRule id="id3B54F071" disabled="False" log="True" position="3" action="Deny" direction="Both" comment="">
<Src neg="True">
@ -3927,9 +4100,13 @@
<Itf neg="False">
<ObjectRef ref="id3B0C63E1"/>
</Itf>
<PolicyRuleOptions>
<Option name="stateless">True</Option>
</PolicyRuleOptions>
<Option name="pf_classify_str"/>
</PolicyRuleOptions>
</PolicyRule>
<PolicyRule id="id3B0C639F" disabled="False" log="True" position="4" action="Accept" direction="Both" comment="hostF has the same IP address as firewal.">
<Src neg="False">
@ -3949,7 +4126,10 @@
</When>
<PolicyRuleOptions>
<Option name="id"/>
</PolicyRuleOptions>
<Option name="pf_classify_str"/>
</PolicyRuleOptions>
</PolicyRule>
<PolicyRule id="id3B0C63A9" disabled="False" log="True" position="5" action="Deny" direction="Both" comment="testing negation in the policy rule">
<Src neg="True">
@ -3971,7 +4151,10 @@
<PolicyRuleOptions>
<Option name="id"/>
<Option name="stateless">True</Option>
</PolicyRuleOptions>
<Option name="pf_classify_str"/>
</PolicyRuleOptions>
</PolicyRule>
<PolicyRule id="id3B0C63B4" disabled="False" log="True" position="6" action="Deny" direction="Both" comment="">
<Src neg="True">
@ -3993,7 +4176,10 @@
<PolicyRuleOptions>
<Option name="id"/>
<Option name="stateless">True</Option>
</PolicyRuleOptions>
<Option name="pf_classify_str"/>
</PolicyRuleOptions>
</PolicyRule>
<PolicyRule id="id3B0C63BF" disabled="True" log="True" position="7" action="Deny" direction="Both" comment="testing negation in service field">
<Src neg="False">
@ -4016,7 +4202,10 @@
<PolicyRuleOptions>
<Option name="id"/>
<Option name="stateless">True</Option>
</PolicyRuleOptions>
<Option name="pf_classify_str"/>
</PolicyRuleOptions>
</PolicyRule>
<PolicyRule id="id3B0C63CB" disabled="False" log="False" position="8" action="Accept" direction="Both" comment="'masquerading' rule">
<Src neg="False">
@ -4036,7 +4225,10 @@
</When>
<PolicyRuleOptions>
<Option name="id"/>
</PolicyRuleOptions>
<Option name="pf_classify_str"/>
</PolicyRuleOptions>
</PolicyRule>
<PolicyRule id="id3D85069A" disabled="True" log="True" position="9" action="Accept" direction="Both" comment="">
<Src neg="False">
@ -4055,7 +4247,10 @@
<When neg="False">
<IntervalRef ref="sysid2"/>
</When>
<PolicyRuleOptions/>
<PolicyRuleOptions>
<Option name="pf_classify_str"/>
</PolicyRuleOptions>
</PolicyRule>
<PolicyRule id="id3B0C63D5" disabled="False" log="True" position="10" action="Deny" direction="Both" comment="'catch all' rule">
<Src neg="False">
@ -4076,7 +4271,10 @@
<PolicyRuleOptions>
<Option name="id"/>
<Option name="stateless">True</Option>
</PolicyRuleOptions>
<Option name="pf_classify_str"/>
</PolicyRuleOptions>
</PolicyRule>
<RuleSetOptions/>
</Policy>
@ -4206,7 +4404,10 @@
</When>
<PolicyRuleOptions>
<Option name="stateless">True</Option>
</PolicyRuleOptions>
<Option name="pf_classify_str"/>
</PolicyRuleOptions>
</PolicyRule>
<PolicyRule id="id3CF5B373" disabled="False" log="True" position="1" action="Deny" direction="Inbound" comment="">
<Src neg="False">
@ -4226,7 +4427,10 @@
</When>
<PolicyRuleOptions>
<Option name="stateless">True</Option>
</PolicyRuleOptions>
<Option name="pf_classify_str"/>
</PolicyRuleOptions>
</PolicyRule>
<PolicyRule id="id3C69BF13" disabled="False" log="False" position="2" action="Accept" direction="Both" comment="">
<Src neg="False">
@ -4244,7 +4448,10 @@
<When neg="False">
<IntervalRef ref="sysid2"/>
</When>
<PolicyRuleOptions/>
<PolicyRuleOptions>
<Option name="pf_classify_str"/>
</PolicyRuleOptions>
</PolicyRule>
<RuleSetOptions/>
</Policy>
@ -4352,7 +4559,11 @@
<Itf neg="False">
<ObjectRef ref="id3AF5A2CB"/>
</Itf>
<PolicyRuleOptions/>
<PolicyRuleOptions>
<Option name="pf_classify_str"/>
</PolicyRuleOptions>
</PolicyRule>
<PolicyRule id="id3AFB70C7" disabled="False" log="False" position="1" action="Accept" direction="Inbound" comment="allow everything on loopback">
<Src neg="False">
@ -4367,7 +4578,11 @@
<Itf neg="False">
<ObjectRef ref="id3AFB7090"/>
</Itf>
<PolicyRuleOptions/>
<PolicyRuleOptions>
<Option name="pf_classify_str"/>
</PolicyRuleOptions>
</PolicyRule>
<PolicyRule id="id3AFB70CF" disabled="False" log="False" position="2" action="Accept" direction="Outbound" comment="allow everything on loopback">
<Src neg="False">
@ -4382,7 +4597,11 @@
<Itf neg="False">
<ObjectRef ref="id3AFB7090"/>
</Itf>
<PolicyRuleOptions/>
<PolicyRuleOptions>
<Option name="pf_classify_str"/>
</PolicyRuleOptions>
</PolicyRule>
<PolicyRule id="id3BD8ECC6" disabled="False" log="True" position="3" action="Accept" direction="Both" comment="">
<Src neg="False">
@ -4397,7 +4616,11 @@
<Itf neg="False">
<ObjectRef ref="id3AFB7090"/>
</Itf>
<PolicyRuleOptions/>
<PolicyRuleOptions>
<Option name="pf_classify_str"/>
</PolicyRuleOptions>
</PolicyRule>
<PolicyRule id="id3AF5A74B" disabled="False" log="True" position="4" action="Deny" direction="Both" comment="block fragments">
<Src neg="False">
@ -4417,7 +4640,10 @@
</When>
<PolicyRuleOptions>
<Option name="stateless">True</Option>
</PolicyRuleOptions>
<Option name="pf_classify_str"/>
</PolicyRuleOptions>
</PolicyRule>
<PolicyRule id="id3AF5A73A" disabled="False" log="False" position="5" action="Accept" direction="Both" comment="">
<Src neg="False">
@ -4440,7 +4666,10 @@
<When neg="False">
<IntervalRef ref="sysid2"/>
</When>
<PolicyRuleOptions/>
<PolicyRuleOptions>
<Option name="pf_classify_str"/>
</PolicyRuleOptions>
</PolicyRule>
<PolicyRule id="id3AF5A757" disabled="False" log="False" position="6" action="Accept" direction="Both" comment="allow all outgoing connections">
<Src neg="False">
@ -4458,7 +4687,10 @@
<When neg="False">
<IntervalRef ref="sysid2"/>
</When>
<PolicyRuleOptions/>
<PolicyRuleOptions>
<Option name="pf_classify_str"/>
</PolicyRuleOptions>
</PolicyRule>
<PolicyRule id="id3AF5A762" disabled="False" log="True" position="7" action="Deny" direction="Both" comment="'catch all' rule">
<Src neg="False">
@ -4478,7 +4710,10 @@
</When>
<PolicyRuleOptions>
<Option name="stateless">True</Option>
</PolicyRuleOptions>
<Option name="pf_classify_str"/>
</PolicyRuleOptions>
</PolicyRule>
<RuleSetOptions/>
</Policy>
@ -4791,7 +5026,10 @@
<When neg="False">
<IntervalRef ref="sysid2"/>
</When>
<PolicyRuleOptions/>
<PolicyRuleOptions>
<Option name="pf_classify_str"/>
</PolicyRuleOptions>
</PolicyRule>
<PolicyRule id="id3D5822B5" disabled="False" log="False" position="1" action="Accept" direction="Both" comment="">
<Src neg="False">
@ -4809,7 +5047,10 @@
<When neg="False">
<IntervalRef ref="sysid2"/>
</When>
<PolicyRuleOptions/>
<PolicyRuleOptions>
<Option name="pf_classify_str"/>
</PolicyRuleOptions>
</PolicyRule>
<PolicyRule id="id3D582294" disabled="False" log="False" position="2" action="Accept" direction="Both" comment="">
<Src neg="False">
@ -4827,7 +5068,10 @@
<When neg="False">
<IntervalRef ref="sysid2"/>
</When>
<PolicyRuleOptions/>
<PolicyRuleOptions>
<Option name="pf_classify_str"/>
</PolicyRuleOptions>
</PolicyRule>
<PolicyRule id="id3D58228A" disabled="False" log="False" position="3" action="Accept" direction="Both" comment="">
<Src neg="False">
@ -4845,7 +5089,10 @@
<When neg="False">
<IntervalRef ref="sysid2"/>
</When>
<PolicyRuleOptions/>
<PolicyRuleOptions>
<Option name="pf_classify_str"/>
</PolicyRuleOptions>
</PolicyRule>
<PolicyRule id="id3D5822A0" disabled="False" log="True" position="4" action="Deny" direction="Both" comment="">
<Src neg="False">
@ -4865,7 +5112,10 @@
</When>
<PolicyRuleOptions>
<Option name="stateless">True</Option>
</PolicyRuleOptions>
<Option name="pf_classify_str"/>
</PolicyRuleOptions>
</PolicyRule>
<RuleSetOptions/>
</Policy>
@ -5185,7 +5435,10 @@
</When>
<PolicyRuleOptions>
<Option name="stateless">True</Option>
</PolicyRuleOptions>
<Option name="pf_classify_str"/>
</PolicyRuleOptions>
</PolicyRule>
<PolicyRule id="id3DF3E09E" disabled="False" log="False" position="1" action="Accept" direction="Inbound" comment="">
<Src neg="False">
@ -5204,7 +5457,10 @@
<When neg="False">
<IntervalRef ref="sysid2"/>
</When>
<PolicyRuleOptions/>
<PolicyRuleOptions>
<Option name="pf_classify_str"/>
</PolicyRuleOptions>
</PolicyRule>
<PolicyRule id="id3DF3D16E" disabled="False" log="False" position="2" action="Accept" direction="Inbound" comment="">
<Src neg="True">
@ -5223,7 +5479,10 @@
<When neg="False">
<IntervalRef ref="sysid2"/>
</When>
<PolicyRuleOptions/>
<PolicyRuleOptions>
<Option name="pf_classify_str"/>
</PolicyRuleOptions>
</PolicyRule>
<PolicyRule id="id3E5F1BBD" disabled="False" log="False" position="3" action="Accounting" direction="Both" comment="">
<Src neg="False">
@ -5243,7 +5502,10 @@
</When>
<PolicyRuleOptions>
<Option name="stateless">True</Option>
</PolicyRuleOptions>
<Option name="pf_classify_str"/>
</PolicyRuleOptions>
</PolicyRule>
<PolicyRule id="id3E5F1BB3" disabled="False" log="True" position="4" action="Accounting" direction="Both" comment="">
<Src neg="False">
@ -5263,7 +5525,10 @@
</When>
<PolicyRuleOptions>
<Option name="stateless">True</Option>
</PolicyRuleOptions>
<Option name="pf_classify_str"/>
</PolicyRuleOptions>
</PolicyRule>
<PolicyRule id="id3DF3D12E" disabled="False" log="False" position="5" action="Accept" direction="Both" comment="">
<Src neg="False">
@ -5281,7 +5546,10 @@
<When neg="False">
<IntervalRef ref="sysid2"/>
</When>
<PolicyRuleOptions/>
<PolicyRuleOptions>
<Option name="pf_classify_str"/>
</PolicyRuleOptions>
</PolicyRule>
<PolicyRule id="id3DF3D563" disabled="False" log="False" position="6" action="Accept" direction="Both" comment="">
<Src neg="False">
@ -5299,7 +5567,10 @@
<When neg="False">
<IntervalRef ref="sysid2"/>
</When>
<PolicyRuleOptions/>
<PolicyRuleOptions>
<Option name="pf_classify_str"/>
</PolicyRuleOptions>
</PolicyRule>
<PolicyRule id="id3DF3D156" disabled="False" log="True" position="7" action="Deny" direction="Both" comment="">
<Src neg="False">
@ -5319,7 +5590,10 @@
</When>
<PolicyRuleOptions>
<Option name="stateless">True</Option>
</PolicyRuleOptions>
<Option name="pf_classify_str"/>
</PolicyRuleOptions>
</PolicyRule>
<RuleSetOptions/>
</Policy>
@ -5397,7 +5671,10 @@
</When>
<PolicyRuleOptions>
<Option name="stateless">True</Option>
</PolicyRuleOptions>
<Option name="pf_classify_str"/>
</PolicyRuleOptions>
</PolicyRule>
<PolicyRule id="id3FCA520D" disabled="False" log="False" position="1" action="Accept" direction="Both" comment="">
<Src neg="True">
@ -5425,7 +5702,10 @@
<When neg="False">
<IntervalRef ref="sysid2"/>
</When>
<PolicyRuleOptions/>
<PolicyRuleOptions>
<Option name="pf_classify_str"/>
</PolicyRuleOptions>
</PolicyRule>
<PolicyRule id="id3FCC3AD6" disabled="False" log="False" position="2" action="Accept" direction="Both" comment="">
<Src neg="False">
@ -5444,7 +5724,10 @@
<When neg="False">
<IntervalRef ref="sysid2"/>
</When>
<PolicyRuleOptions/>
<PolicyRuleOptions>
<Option name="pf_classify_str"/>
</PolicyRuleOptions>
</PolicyRule>
<PolicyRule id="id3FCA5217" disabled="False" log="False" position="3" action="Deny" direction="Both" comment="">
<Src neg="False">
@ -5474,7 +5757,10 @@
</When>
<PolicyRuleOptions>
<Option name="stateless">True</Option>
</PolicyRuleOptions>
<Option name="pf_classify_str"/>
</PolicyRuleOptions>
</PolicyRule>
<PolicyRule id="id3FCC1E1A" disabled="False" log="False" position="4" action="Deny" direction="Both" comment="">
<Src neg="False">
@ -5500,7 +5786,10 @@
</When>
<PolicyRuleOptions>
<Option name="stateless">True</Option>
</PolicyRuleOptions>
<Option name="pf_classify_str"/>
</PolicyRuleOptions>
</PolicyRule>
<PolicyRule id="id3FCC1E4F" disabled="False" log="False" position="5" action="Deny" direction="Both" comment="">
<Src neg="False">
@ -5527,7 +5816,10 @@
</When>
<PolicyRuleOptions>
<Option name="stateless">True</Option>
</PolicyRuleOptions>
<Option name="pf_classify_str"/>
</PolicyRuleOptions>
</PolicyRule>
<PolicyRule id="id3FCC1EC3" disabled="False" log="False" position="6" action="Deny" direction="Both" comment="">
<Src neg="False">
@ -5554,7 +5846,10 @@
</When>
<PolicyRuleOptions>
<Option name="stateless">True</Option>
</PolicyRuleOptions>
<Option name="pf_classify_str"/>
</PolicyRuleOptions>
</PolicyRule>
<PolicyRule id="id3FCA5221" disabled="False" log="True" position="7" action="Deny" direction="Both" comment="">
<Src neg="False">
@ -5574,7 +5869,10 @@
</When>
<PolicyRuleOptions>
<Option name="stateless">True</Option>
</PolicyRuleOptions>
<Option name="pf_classify_str"/>
</PolicyRuleOptions>
</PolicyRule>
<RuleSetOptions/>
</Policy>
@ -5681,7 +5979,10 @@
<When neg="False">
<IntervalRef ref="sysid2"/>
</When>
<PolicyRuleOptions/>
<PolicyRuleOptions>
<Option name="pf_classify_str"/>
</PolicyRuleOptions>
</PolicyRule>
<PolicyRule id="id3FF5DC56" disabled="False" log="False" position="1" action="Accept" direction="Both" comment="">
<Src neg="False">
@ -5699,7 +6000,10 @@
<When neg="False">
<IntervalRef ref="sysid2"/>
</When>
<PolicyRuleOptions/>
<PolicyRuleOptions>
<Option name="pf_classify_str"/>
</PolicyRuleOptions>
</PolicyRule>
<PolicyRule id="id3FF5DC61" disabled="False" log="False" position="2" action="Accept" direction="Both" comment="">
<Src neg="False">
@ -5717,7 +6021,10 @@
<When neg="False">
<IntervalRef ref="sysid2"/>
</When>
<PolicyRuleOptions/>
<PolicyRuleOptions>
<Option name="pf_classify_str"/>
</PolicyRuleOptions>
</PolicyRule>
<RuleSetOptions/>
</Policy>
@ -6019,7 +6326,10 @@
<When neg="False">
<IntervalRef ref="sysid2"/>
</When>
<PolicyRuleOptions/>
<PolicyRuleOptions>
<Option name="pf_classify_str"/>
</PolicyRuleOptions>
</PolicyRule>
<PolicyRule id="id424A96DA" disabled="False" log="False" position="1" action="Accept" direction="Both" comment="">
<Src neg="False">
@ -6037,7 +6347,10 @@
<When neg="False">
<IntervalRef ref="sysid2"/>
</When>
<PolicyRuleOptions/>
<PolicyRuleOptions>
<Option name="pf_classify_str"/>
</PolicyRuleOptions>
</PolicyRule>
<PolicyRule id="id424A637E" disabled="False" log="False" position="2" action="Accept" direction="Both" comment="">
<Src neg="False">
@ -6055,7 +6368,10 @@
<When neg="False">
<IntervalRef ref="sysid2"/>
</When>
<PolicyRuleOptions/>
<PolicyRuleOptions>
<Option name="pf_classify_str"/>
</PolicyRuleOptions>
</PolicyRule>
<PolicyRule id="id424A6388" disabled="False" log="False" position="3" action="Accept" direction="Both" comment="">
<Src neg="False">
@ -6073,7 +6389,10 @@
<When neg="False">
<IntervalRef ref="sysid2"/>
</When>
<PolicyRuleOptions/>
<PolicyRuleOptions>
<Option name="pf_classify_str"/>
</PolicyRuleOptions>
</PolicyRule>
<PolicyRule id="id424A6392" disabled="False" log="False" position="4" action="Accept" direction="Both" comment="">
<Src neg="False">
@ -6091,7 +6410,10 @@
<When neg="False">
<IntervalRef ref="sysid2"/>
</When>
<PolicyRuleOptions/>
<PolicyRuleOptions>
<Option name="pf_classify_str"/>
</PolicyRuleOptions>
</PolicyRule>
<PolicyRule id="id424A639C" disabled="False" log="True" position="5" action="Deny" direction="Both" comment="">
<Src neg="False">
@ -6111,7 +6433,10 @@
</When>
<PolicyRuleOptions>
<Option name="stateless">True</Option>
</PolicyRuleOptions>
<Option name="pf_classify_str"/>
</PolicyRuleOptions>
</PolicyRule>
<RuleSetOptions/>
</Policy>
@ -6301,7 +6626,10 @@
<When neg="False">
<IntervalRef ref="sysid2"/>
</When>
<PolicyRuleOptions/>
<PolicyRuleOptions>
<Option name="pf_classify_str"/>
</PolicyRuleOptions>
</PolicyRule>
<PolicyRule id="id43869E9018346" disabled="False" log="False" position="1" action="Accept" direction="Both" comment="">
<Src neg="False">
@ -6319,7 +6647,10 @@
<When neg="False">
<IntervalRef ref="sysid2"/>
</When>
<PolicyRuleOptions/>
<PolicyRuleOptions>
<Option name="pf_classify_str"/>
</PolicyRuleOptions>
</PolicyRule>
<PolicyRule id="id43869E9E18346" disabled="False" log="False" position="2" action="Accept" direction="Both" comment="">
<Src neg="False">
@ -6337,7 +6668,10 @@
<When neg="False">
<IntervalRef ref="sysid2"/>
</When>
<PolicyRuleOptions/>
<PolicyRuleOptions>
<Option name="pf_classify_str"/>
</PolicyRuleOptions>
</PolicyRule>
<PolicyRule id="id43869EAA18346" disabled="False" log="False" position="3" action="Accept" direction="Both" comment="">
<Src neg="False">
@ -6355,7 +6689,10 @@
<When neg="False">
<IntervalRef ref="sysid2"/>
</When>
<PolicyRuleOptions/>
<PolicyRuleOptions>
<Option name="pf_classify_str"/>
</PolicyRuleOptions>
</PolicyRule>
<PolicyRule id="id4386E38318346" disabled="False" log="False" position="4" action="Deny" direction="Both" comment="">
<Src neg="False">
@ -6375,7 +6712,10 @@
</When>
<PolicyRuleOptions>
<Option name="stateless">True</Option>
</PolicyRuleOptions>
<Option name="pf_classify_str"/>
</PolicyRuleOptions>
</PolicyRule>
<PolicyRule id="id4386E37718346" disabled="False" log="False" position="5" action="Deny" direction="Both" comment="">
<Src neg="False">
@ -6395,7 +6735,10 @@
</When>
<PolicyRuleOptions>
<Option name="stateless">True</Option>
</PolicyRuleOptions>
<Option name="pf_classify_str"/>
</PolicyRuleOptions>
</PolicyRule>
<PolicyRule id="id43867C3018346" disabled="False" log="False" position="6" action="Accept" direction="Both" comment="">
<Src neg="False">
@ -6413,7 +6756,10 @@
<When neg="False">
<IntervalRef ref="sysid2"/>
</When>
<PolicyRuleOptions/>
<PolicyRuleOptions>
<Option name="pf_classify_str"/>
</PolicyRuleOptions>
</PolicyRule>
<PolicyRule id="id4386C10D18346" disabled="False" log="False" position="7" action="Accept" direction="Both" comment="">
<Src neg="False">
@ -6431,7 +6777,10 @@
<When neg="False">
<IntervalRef ref="sysid2"/>
</When>
<PolicyRuleOptions/>
<PolicyRuleOptions>
<Option name="pf_classify_str"/>
</PolicyRuleOptions>
</PolicyRule>
<PolicyRule id="id438728A918346" disabled="False" log="False" position="8" action="Accept" direction="Both" comment="">
<Src neg="False">
@ -6450,7 +6799,10 @@
<When neg="False">
<IntervalRef ref="sysid2"/>
</When>
<PolicyRuleOptions/>
<PolicyRuleOptions>
<Option name="pf_classify_str"/>
</PolicyRuleOptions>
</PolicyRule>
<PolicyRule id="id438728BA18346" disabled="False" log="False" position="9" action="Accept" direction="Both" comment="">
<Src neg="False">
@ -6469,7 +6821,10 @@
<When neg="False">
<IntervalRef ref="sysid2"/>
</When>
<PolicyRuleOptions/>
<PolicyRuleOptions>
<Option name="pf_classify_str"/>
</PolicyRuleOptions>
</PolicyRule>
<PolicyRule id="id438728CD18346" disabled="False" log="False" position="10" action="Accept" direction="Both" comment="">
<Src neg="False">
@ -6488,7 +6843,10 @@
<When neg="False">
<IntervalRef ref="sysid2"/>
</When>
<PolicyRuleOptions/>
<PolicyRuleOptions>
<Option name="pf_classify_str"/>
</PolicyRuleOptions>
</PolicyRule>
<PolicyRule id="id43867C3C18346" disabled="False" log="True" position="11" action="Deny" direction="Both" comment="">
<Src neg="False">
@ -6508,7 +6866,10 @@
</When>
<PolicyRuleOptions>
<Option name="stateless">True</Option>
</PolicyRuleOptions>
<Option name="pf_classify_str"/>
</PolicyRuleOptions>
</PolicyRule>
<RuleSetOptions/>
</Policy>
@ -6685,7 +7046,10 @@
<When neg="False">
<IntervalRef ref="sysid2"/>
</When>
<PolicyRuleOptions/>
<PolicyRuleOptions>
<Option name="pf_classify_str"/>
</PolicyRuleOptions>
</PolicyRule>
<PolicyRule id="id4388CFEA674" disabled="True" log="True" position="1" action="Deny" direction="Both" comment="">
<Src neg="False">
@ -6705,7 +7069,10 @@
</When>
<PolicyRuleOptions>
<Option name="stateless">True</Option>
</PolicyRuleOptions>
<Option name="pf_classify_str"/>
</PolicyRuleOptions>
</PolicyRule>
<PolicyRule id="id4390C25825682" disabled="True" log="True" position="2" action="Deny" direction="Both" comment="">
<Src neg="False">
@ -6725,7 +7092,10 @@
</When>
<PolicyRuleOptions>
<Option name="stateless">True</Option>
</PolicyRuleOptions>
<Option name="pf_classify_str"/>
</PolicyRuleOptions>
</PolicyRule>
<PolicyRule id="id4389EDC118346" disabled="True" log="False" position="3" action="Deny" direction="Both" comment="">
<Src neg="False">
@ -6746,7 +7116,10 @@
</When>
<PolicyRuleOptions>
<Option name="stateless">True</Option>
</PolicyRuleOptions>
<Option name="pf_classify_str"/>
</PolicyRuleOptions>
</PolicyRule>
<PolicyRule id="id4388CFF8674" disabled="True" log="True" position="4" action="Deny" direction="Both" comment="">
<Src neg="False">
@ -6766,7 +7139,10 @@
</When>
<PolicyRuleOptions>
<Option name="stateless">True</Option>
</PolicyRuleOptions>
<Option name="pf_classify_str"/>
</PolicyRuleOptions>
</PolicyRule>
<PolicyRule id="id4388C36F674" disabled="True" log="True" position="5" action="Deny" direction="Both" comment="">
<Src neg="False">
@ -6787,7 +7163,10 @@
</When>
<PolicyRuleOptions>
<Option name="stateless">True</Option>
</PolicyRuleOptions>
<Option name="pf_classify_str"/>
</PolicyRuleOptions>
</PolicyRule>
<PolicyRule id="id4388F5A9674" disabled="True" log="False" position="6" action="Accept" direction="Both" comment="">
<Src neg="True">
@ -6806,7 +7185,10 @@
<When neg="False">
<IntervalRef ref="sysid2"/>
</When>
<PolicyRuleOptions/>
<PolicyRuleOptions>
<Option name="pf_classify_str"/>
</PolicyRuleOptions>
</PolicyRule>
<PolicyRule id="id4389EEA118346" disabled="False" log="False" position="7" action="Accept" direction="Both" comment="">
<Src neg="False">
@ -6824,7 +7206,10 @@
<When neg="False">
<IntervalRef ref="sysid2"/>
</When>
<PolicyRuleOptions/>
<PolicyRuleOptions>
<Option name="pf_classify_str"/>
</PolicyRuleOptions>
</PolicyRule>
<PolicyRule id="id4389EDCD18346" disabled="False" log="False" position="8" action="Accept" direction="Both" comment="">
<Src neg="False">
@ -6842,7 +7227,10 @@
<When neg="False">
<IntervalRef ref="sysid2"/>
</When>
<PolicyRuleOptions/>
<PolicyRuleOptions>
<Option name="pf_classify_str"/>
</PolicyRuleOptions>
</PolicyRule>
<PolicyRule id="id4389EE3C18346" disabled="False" log="True" position="9" action="Deny" direction="Both" comment="">
<Src neg="False">
@ -6862,7 +7250,10 @@
</When>
<PolicyRuleOptions>
<Option name="stateless">True</Option>
</PolicyRuleOptions>
<Option name="pf_classify_str"/>
</PolicyRuleOptions>
</PolicyRule>
<RuleSetOptions/>
</Policy>
@ -7241,7 +7632,10 @@
<Option name="rule_name_accounting"/>
<Option name="stateless">True</Option>
<Option name="tagvalue"/>
</PolicyRuleOptions>
<Option name="pf_classify_str"/>
</PolicyRuleOptions>
</PolicyRule>
<PolicyRule id="id43F7D90631168" disabled="False" log="False" position="1" action="Custom" direction="Inbound" comment="">
<Src neg="True">
@ -7269,7 +7663,10 @@
<Option name="rule_name_accounting"/>
<Option name="stateless">True</Option>
<Option name="tagvalue"/>
</PolicyRuleOptions>
<Option name="pf_classify_str"/>
</PolicyRuleOptions>
</PolicyRule>
<PolicyRule id="id43F7D91731168" disabled="False" log="False" position="2" action="Accept" direction="Inbound" comment="">
<Src neg="False">
@ -7287,7 +7684,10 @@
<When neg="False">
<IntervalRef ref="sysid2"/>
</When>
<PolicyRuleOptions/>
<PolicyRuleOptions>
<Option name="pf_classify_str"/>
</PolicyRuleOptions>
</PolicyRule>
<PolicyRule id="id43F7C98E31168" disabled="False" log="True" position="3" action="Deny" direction="Both" comment="">
<Src neg="False">
@ -7307,7 +7707,10 @@
</When>
<PolicyRuleOptions>
<Option name="stateless">True</Option>
</PolicyRuleOptions>
<Option name="pf_classify_str"/>
</PolicyRuleOptions>
</PolicyRule>
<RuleSetOptions/>
</Policy>

598
test/ipfw/objects-for-regression-tests.fwb
View File

@ -1,6 +1,6 @@
<?xml version="1.0" encoding="utf-8"?>
<!DOCTYPE FWObjectDatabase SYSTEM "fwbuilder.dtd">
<FWObjectDatabase xmlns="http://www.fwbuilder.org/1.0/" version="18" lastModified="1257365069" id="root">
<FWObjectDatabase xmlns="http://www.fwbuilder.org/1.0/" version="20" lastModified="1257365069" id="root">
<Library id="sysid99" name="Deleted Objects" comment="" ro="False">
<ICMP6Service id="idE0C27650" code="0" type="1" name="ipv6 dest unreachable" comment="No route to destination" ro="False"/>
<Library id="id40E233F3" color="#FFFFFF" name="West Coast" comment="" ro="False">
@ -766,9 +766,13 @@
<Itf neg="False">
<ObjectRef ref="if-FW-firewall2-eth1"/>
</Itf>
<PolicyRuleOptions>
<Option name="stateless">True</Option>
</PolicyRuleOptions>
<Option name="pf_classify_str"/>
</PolicyRuleOptions>
</PolicyRule>
<PolicyRule id="pol-firewall2-0" disabled="False" log="True" position="1" action="Deny" direction="Inbound" comment="Automatically generated rule blocking short fragments">
<Src neg="False">
@ -788,7 +792,10 @@
</When>
<PolicyRuleOptions>
<Option name="stateless">True</Option>
</PolicyRuleOptions>
<Option name="pf_classify_str"/>
</PolicyRuleOptions>
</PolicyRule>
<PolicyRule id="pol-firewall2-1" disabled="False" log="True" position="2" action="Deny" direction="Inbound" comment="Automatically generated anti-spoofing rule">
<Src neg="False">
@ -809,7 +816,10 @@
</When>
<PolicyRuleOptions>
<Option name="stateless">True</Option>
</PolicyRuleOptions>
<Option name="pf_classify_str"/>
</PolicyRuleOptions>
</PolicyRule>
<PolicyRule id="id3B92DFC5" disabled="False" log="False" position="3" action="Accept" direction="Both" comment="комментарий по-русски">
<Src neg="False">
@ -824,7 +834,11 @@
<Itf neg="False">
<ObjectRef ref="if-FW-firewall2-eth0"/>
</Itf>
<PolicyRuleOptions/>
<PolicyRuleOptions>
<Option name="pf_classify_str"/>
</PolicyRuleOptions>
</PolicyRule>
<PolicyRule id="id3C4E4C38" disabled="False" log="True" position="4" action="Deny" direction="Inbound" comment="">
<Src neg="False">
@ -839,9 +853,13 @@
<Itf neg="False">
<ObjectRef ref="if-FW-firewall2-eth0"/>
</Itf>
<PolicyRuleOptions>
<Option name="stateless">True</Option>
</PolicyRuleOptions>
<Option name="pf_classify_str"/>
</PolicyRuleOptions>
</PolicyRule>
<PolicyRule id="id3B58E39D" disabled="False" log="True" position="5" action="Deny" direction="Both" comment="">
<Src neg="False">
@ -866,7 +884,10 @@
<Option name="log_limit_suffix"/>
<Option name="log_prefix"/>
<Option name="stateless">True</Option>
</PolicyRuleOptions>
<Option name="pf_classify_str"/>
</PolicyRuleOptions>
</PolicyRule>
<PolicyRule id="id8706X26107" disabled="False" group="" log="True" position="6" action="Reject" direction="Both" comment="">
<Src neg="False">
@ -889,7 +910,10 @@
<Option name="ipf_keep_frags">False</Option>
<Option name="ipf_return_icmp_as_dest">True</Option>
<Option name="stateless">True</Option>
</PolicyRuleOptions>
<Option name="pf_classify_str"/>
</PolicyRuleOptions>
</PolicyRule>
<PolicyRule id="id8686X26107" disabled="False" group="" log="True" position="7" action="Reject" direction="Both" comment="">
<Src neg="False">
@ -912,7 +936,10 @@
<Option name="ipf_keep_frags">False</Option>
<Option name="ipf_return_icmp_as_dest">True</Option>
<Option name="stateless">True</Option>
</PolicyRuleOptions>
<Option name="pf_classify_str"/>
</PolicyRuleOptions>
</PolicyRule>
<PolicyRule id="id3B6659FC" disabled="False" log="True" position="8" action="Reject" direction="Both" comment="">
<Src neg="False">
@ -938,7 +965,10 @@
<Option name="ipf_keep_frags">False</Option>
<Option name="ipf_return_icmp_as_dest">True</Option>
<Option name="stateless">True</Option>
</PolicyRuleOptions>
<Option name="pf_classify_str"/>
</PolicyRuleOptions>
</PolicyRule>
<PolicyRule id="id3CE74D81" disabled="False" log="False" position="9" action="Reject" direction="Both" comment="">
<Src neg="False">
@ -958,7 +988,10 @@
</When>
<PolicyRuleOptions>
<Option name="stateless">True</Option>
</PolicyRuleOptions>
<Option name="pf_classify_str"/>
</PolicyRuleOptions>
</PolicyRule>
<PolicyRule id="id3BF1B45E" disabled="True" log="False" position="10" action="Accept" direction="Both" comment="">
<Src neg="False">
@ -981,7 +1014,10 @@
<Option name="limit_suffix"/>
<Option name="limit_value">0</Option>
<Option name="log_prefix"/>
</PolicyRuleOptions>
<Option name="pf_classify_str"/>
</PolicyRuleOptions>
</PolicyRule>
<PolicyRule id="id3BF1B44E" disabled="True" log="False" position="11" action="Accept" direction="Both" comment="">
<Src neg="False">
@ -1004,7 +1040,10 @@
<Option name="limit_suffix"/>
<Option name="limit_value">0</Option>
<Option name="log_prefix"/>
</PolicyRuleOptions>
<Option name="pf_classify_str"/>
</PolicyRuleOptions>
</PolicyRule>
<PolicyRule id="pol-firewall2-3" disabled="False" log="False" position="12" action="Accept" direction="Both" comment="">
<Src neg="False">
@ -1030,7 +1069,10 @@
<Option name="limit_suffix"/>
<Option name="limit_value">0</Option>
<Option name="log_prefix"/>
</PolicyRuleOptions>
<Option name="pf_classify_str"/>
</PolicyRuleOptions>
</PolicyRule>
<PolicyRule id="pol-firewall2-2" disabled="False" log="False" position="13" action="Accept" direction="Both" comment="">
<Src neg="False">
@ -1053,7 +1095,10 @@
<Option name="limit_suffix"/>
<Option name="limit_value">0</Option>
<Option name="log_prefix"/>
</PolicyRuleOptions>
<Option name="pf_classify_str"/>
</PolicyRuleOptions>
</PolicyRule>
<PolicyRule id="id3D98E652" disabled="False" log="False" position="14" action="Accept" direction="Both" comment="">
<Src neg="False">
@ -1077,7 +1122,10 @@
<Option name="limit_suffix"/>
<Option name="limit_value">0</Option>
<Option name="log_prefix"/>
</PolicyRuleOptions>
<Option name="pf_classify_str"/>
</PolicyRuleOptions>
</PolicyRule>
<PolicyRule id="id3CD8770E" disabled="False" log="False" position="15" action="Accept" direction="Both" comment="">
<Src neg="False">
@ -1101,7 +1149,10 @@
<Option name="limit_suffix"/>
<Option name="limit_value">0</Option>
<Option name="log_prefix"/>
</PolicyRuleOptions>
<Option name="pf_classify_str"/>
</PolicyRuleOptions>
</PolicyRule>
<PolicyRule id="id3CD87B1E" disabled="False" log="False" position="16" action="Accept" direction="Both" comment="">
<Src neg="False">
@ -1125,7 +1176,10 @@
<Option name="limit_suffix"/>
<Option name="limit_value">0</Option>
<Option name="log_prefix"/>
</PolicyRuleOptions>
<Option name="pf_classify_str"/>
</PolicyRuleOptions>
</PolicyRule>
<PolicyRule id="pol-firewall2-4" disabled="False" log="False" position="17" action="Accept" direction="Both" comment="">
<Src neg="False">
@ -1149,7 +1203,10 @@
<Option name="limit_suffix"/>
<Option name="limit_value">0</Option>
<Option name="log_prefix"/>
</PolicyRuleOptions>
<Option name="pf_classify_str"/>
</PolicyRuleOptions>
</PolicyRule>
<PolicyRule id="id41D514D2" disabled="False" log="False" position="18" action="Accept" direction="Both" comment="">
<Src neg="False">
@ -1176,7 +1233,10 @@
<Option name="limit_suffix"/>
<Option name="limit_value">0</Option>
<Option name="log_prefix"/>
</PolicyRuleOptions>
<Option name="pf_classify_str"/>
</PolicyRuleOptions>
</PolicyRule>
<PolicyRule id="id3B58E180" disabled="False" log="True" position="19" action="Accept" direction="Both" comment="">
<Src neg="False">
@ -1194,7 +1254,10 @@
<When neg="False">
<IntervalRef ref="sysid2"/>
</When>
<PolicyRuleOptions/>
<PolicyRuleOptions>
<Option name="pf_classify_str"/>
</PolicyRuleOptions>
</PolicyRule>
<PolicyRule id="pol-firewall2-5" disabled="False" log="False" position="20" action="Accept" direction="Both" comment="Automatically generated 'masquerading' rule">
<Src neg="False">
@ -1218,7 +1281,10 @@
<Option name="limit_suffix"/>
<Option name="limit_value">0</Option>
<Option name="log_prefix"/>
</PolicyRuleOptions>
<Option name="pf_classify_str"/>
</PolicyRuleOptions>
</PolicyRule>
<PolicyRule id="pol-firewall2-7" disabled="False" log="True" position="21" action="Deny" direction="Both" comment="Automatically generated 'catch all' rule">
<Src neg="False">
@ -1243,7 +1309,10 @@
<Option name="log_limit_suffix"/>
<Option name="log_prefix"/>
<Option name="stateless">True</Option>
</PolicyRuleOptions>
<Option name="pf_classify_str"/>
</PolicyRuleOptions>
</PolicyRule>
<RuleSetOptions/>
</Policy>
@ -1650,9 +1719,13 @@
<Itf neg="False">
<ObjectRef ref="id3AF5AA96"/>
</Itf>
<PolicyRuleOptions>
<Option name="stateless">True</Option>
</PolicyRuleOptions>
<Option name="pf_classify_str"/>
</PolicyRuleOptions>
</PolicyRule>
<PolicyRule id="id3CD34BEF" disabled="False" log="False" position="1" action="Deny" direction="Both" comment="">
<Src neg="False">
@ -1672,7 +1745,10 @@
</When>
<PolicyRuleOptions>
<Option name="stateless">True</Option>
</PolicyRuleOptions>
<Option name="pf_classify_str"/>
</PolicyRuleOptions>
</PolicyRule>
<PolicyRule id="id3AF5AAB4" disabled="False" log="True" position="2" action="Deny" direction="Inbound" comment="Anti-spoofing rule">
<Src neg="False">
@ -1688,9 +1764,13 @@
<Itf neg="False">
<ObjectRef ref="id3AF5AA99"/>
</Itf>
<PolicyRuleOptions>
<Option name="stateless">True</Option>
</PolicyRuleOptions>
<Option name="pf_classify_str"/>
</PolicyRuleOptions>
</PolicyRule>
<PolicyRule id="id3AF5AAAB" disabled="False" log="True" position="3" action="Deny" direction="Outbound" comment="Anti-spoofing rule">
<Src neg="True">
@ -1705,9 +1785,13 @@
<Itf neg="False">
<ObjectRef ref="id3AF5AA99"/>
</Itf>
<PolicyRuleOptions>
<Option name="stateless">True</Option>
</PolicyRuleOptions>
<Option name="pf_classify_str"/>
</PolicyRuleOptions>
</PolicyRule>
<PolicyRule id="id3CDDF2FA" disabled="False" log="False" position="4" action="Accept" direction="Both" comment="">
<Src neg="False">
@ -1725,7 +1809,10 @@
<When neg="False">
<IntervalRef ref="sysid2"/>
</When>
<PolicyRuleOptions/>
<PolicyRuleOptions>
<Option name="pf_classify_str"/>
</PolicyRuleOptions>
</PolicyRule>
<PolicyRule id="id3CCA26E4" disabled="False" log="True" position="5" action="Deny" direction="Both" comment="">
<Src neg="False">
@ -1745,7 +1832,10 @@
</When>
<PolicyRuleOptions>
<Option name="stateless">True</Option>
</PolicyRuleOptions>
<Option name="pf_classify_str"/>
</PolicyRuleOptions>
</PolicyRule>
<PolicyRule id="id3B9AB902" disabled="True" log="True" position="6" action="Deny" direction="Both" comment="">
<Src neg="False">
@ -1765,7 +1855,10 @@
</When>
<PolicyRuleOptions>
<Option name="stateless">True</Option>
</PolicyRuleOptions>
<Option name="pf_classify_str"/>
</PolicyRuleOptions>
</PolicyRule>
<PolicyRule id="id3AFC0F90" disabled="False" log="True" position="7" action="Accept" direction="Both" comment="hostF has the same IP address as firewal.">
<Src neg="False">
@ -1783,7 +1876,10 @@
<When neg="False">
<IntervalRef ref="sysid2"/>
</When>
<PolicyRuleOptions/>
<PolicyRuleOptions>
<Option name="pf_classify_str"/>
</PolicyRuleOptions>
</PolicyRule>
<PolicyRule id="id3B021E10" disabled="False" log="True" position="8" action="Deny" direction="Both" comment="testing negation in the policy rule">
<Src neg="True">
@ -1808,7 +1904,10 @@
<Option name="limit_value">10</Option>
<Option name="log_prefix"/>
<Option name="stateless">True</Option>
</PolicyRuleOptions>
<Option name="pf_classify_str"/>
</PolicyRuleOptions>
</PolicyRule>
<PolicyRule id="id3B0B4A13" disabled="False" log="True" position="9" action="Deny" direction="Both" comment="">
<Src neg="True">
@ -1829,7 +1928,10 @@
</When>
<PolicyRuleOptions>
<Option name="stateless">True</Option>
</PolicyRuleOptions>
<Option name="pf_classify_str"/>
</PolicyRuleOptions>
</PolicyRule>
<PolicyRule id="id3B5535B7" disabled="False" log="True" position="10" action="Deny" direction="Both" comment="">
<Src neg="True">
@ -1850,7 +1952,10 @@
</When>
<PolicyRuleOptions>
<Option name="stateless">True</Option>
</PolicyRuleOptions>
<Option name="pf_classify_str"/>
</PolicyRuleOptions>
</PolicyRule>
<PolicyRule id="id3FB82A69" disabled="False" log="False" position="11" action="Accept" direction="Both" comment="">
<Src neg="True">
@ -1869,7 +1974,10 @@
<When neg="False">
<IntervalRef ref="sysid2"/>
</When>
<PolicyRuleOptions/>
<PolicyRuleOptions>
<Option name="pf_classify_str"/>
</PolicyRuleOptions>
</PolicyRule>
<PolicyRule id="id3B11F63D" disabled="False" log="True" position="12" action="Deny" direction="Both" comment="">
<Src neg="False">
@ -1891,7 +1999,10 @@
</When>
<PolicyRuleOptions>
<Option name="stateless">True</Option>
</PolicyRuleOptions>
<Option name="pf_classify_str"/>
</PolicyRuleOptions>
</PolicyRule>
<PolicyRule id="id3CDDF0AA" disabled="False" log="False" position="13" action="Deny" direction="Both" comment="">
<Src neg="False">
@ -1911,7 +2022,10 @@
</When>
<PolicyRuleOptions>
<Option name="stateless">True</Option>
</PolicyRuleOptions>
<Option name="pf_classify_str"/>
</PolicyRuleOptions>
</PolicyRule>
<PolicyRule id="id3B021E6F" disabled="True" log="True" position="14" action="Deny" direction="Both" comment="testing negation in service field">
<Src neg="False">
@ -1933,7 +2047,10 @@
</When>
<PolicyRuleOptions>
<Option name="stateless">True</Option>
</PolicyRuleOptions>
<Option name="pf_classify_str"/>
</PolicyRuleOptions>
</PolicyRule>
<PolicyRule id="id3CCA2CF4" disabled="True" log="True" position="15" action="Accept" direction="Both" comment="testing negation in service field">
<Src neg="False">
@ -1953,7 +2070,10 @@
<When neg="False">
<IntervalRef ref="sysid2"/>
</When>
<PolicyRuleOptions/>
<PolicyRuleOptions>
<Option name="pf_classify_str"/>
</PolicyRuleOptions>
</PolicyRule>
<PolicyRule id="id3B45739A" disabled="False" log="True" position="16" action="Deny" direction="Both" comment="">
<Src neg="False">
@ -1973,7 +2093,10 @@
</When>
<PolicyRuleOptions>
<Option name="stateless">True</Option>
</PolicyRuleOptions>
<Option name="pf_classify_str"/>
</PolicyRuleOptions>
</PolicyRule>
<PolicyRule id="id3AF5AAC8" disabled="False" log="False" position="17" action="Accept" direction="Both" comment="'masquerading' rule">
<Src neg="False">
@ -1991,7 +2114,10 @@
<When neg="False">
<IntervalRef ref="sysid2"/>
</When>
<PolicyRuleOptions/>
<PolicyRuleOptions>
<Option name="pf_classify_str"/>
</PolicyRuleOptions>
</PolicyRule>
<PolicyRule id="id3AF5AAE3" disabled="False" log="True" position="18" action="Deny" direction="Both" comment="'catch all' rule">
<Src neg="False">
@ -2011,7 +2137,10 @@
</When>
<PolicyRuleOptions>
<Option name="stateless">True</Option>
</PolicyRuleOptions>
<Option name="pf_classify_str"/>
</PolicyRuleOptions>
</PolicyRule>
<RuleSetOptions/>
</Policy>
@ -2620,7 +2749,10 @@
<When neg="False">
<IntervalRef ref="sysid2"/>
</When>
<PolicyRuleOptions/>
<PolicyRuleOptions>
<Option name="pf_classify_str"/>
</PolicyRuleOptions>
</PolicyRule>
<PolicyRule id="id463FF6C410755" disabled="False" log="False" position="1" action="Accept" direction="Inbound" comment="">
<Src neg="False">
@ -2640,7 +2772,10 @@
</When>
<PolicyRuleOptions>
<Option name="stateless">True</Option>
</PolicyRuleOptions>
<Option name="pf_classify_str"/>
</PolicyRuleOptions>
</PolicyRule>
<PolicyRule id="id4640031510755" disabled="False" log="False" position="2" action="Accept" direction="Inbound" comment="">
<Src neg="False">
@ -2660,7 +2795,10 @@
</When>
<PolicyRuleOptions>
<Option name="stateless">True</Option>
</PolicyRuleOptions>
<Option name="pf_classify_str"/>
</PolicyRuleOptions>
</PolicyRule>
<PolicyRule id="id3AFB6708" disabled="False" log="True" position="3" action="Deny" direction="Inbound" comment="Anti-spoofing rule">
<Src neg="False">
@ -2676,13 +2814,17 @@
<Itf neg="False">
<ObjectRef ref="id3AFB6706"/>
</Itf>
<PolicyRuleOptions>
<Option name="action_on_reject"/>
<Option name="limit_suffix"/>
<Option name="limit_value">0</Option>
<Option name="log_prefix">Iface: %I RULE %N -- %A **</Option>
<Option name="stateless">True</Option>
</PolicyRuleOptions>
<Option name="pf_classify_str"/>
</PolicyRuleOptions>
</PolicyRule>
<PolicyRule id="id3AFB6710" disabled="False" log="True" position="4" action="Deny" direction="Outbound" comment="Anti-spoofing rule">
<Src neg="True">
@ -2698,13 +2840,17 @@
<Itf neg="False">
<ObjectRef ref="id3AFB6706"/>
</Itf>
<PolicyRuleOptions>
<Option name="action_on_reject"/>
<Option name="limit_suffix"/>
<Option name="limit_value">0</Option>
<Option name="log_prefix">Iface: %I RULE %N -- %A **</Option>
<Option name="stateless">True</Option>
</PolicyRuleOptions>
<Option name="pf_classify_str"/>
</PolicyRuleOptions>
</PolicyRule>
<PolicyRule id="id3AFB66E5" disabled="False" log="True" position="5" action="Deny" direction="Both" comment="block fragments">
<Src neg="False">
@ -2725,7 +2871,10 @@
<PolicyRuleOptions>
<Option name="id"/>
<Option name="stateless">True</Option>
</PolicyRuleOptions>
<Option name="pf_classify_str"/>
</PolicyRuleOptions>
</PolicyRule>
<PolicyRule id="id3B0C6FD2" disabled="False" log="True" position="6" action="Reject" direction="Both" comment="sends TCP RST and makes custom record in the log">
<Src neg="False">
@ -2751,7 +2900,10 @@
<Option name="limit_value">0</Option>
<Option name="log_prefix">IDENT</Option>
<Option name="stateless">True</Option>
</PolicyRuleOptions>
<Option name="pf_classify_str"/>
</PolicyRuleOptions>
</PolicyRule>
<PolicyRule id="id3D333A66" disabled="False" log="True" position="7" action="Reject" direction="Both" comment="sends TCP RST and makes custom record in the log">
<Src neg="False">
@ -2777,7 +2929,10 @@
<Option name="limit_value">0</Option>
<Option name="log_prefix">IDENT</Option>
<Option name="stateless">True</Option>
</PolicyRuleOptions>
<Option name="pf_classify_str"/>
</PolicyRuleOptions>
</PolicyRule>
<PolicyRule id="id3D8FF63F" disabled="False" log="False" position="8" action="Accept" direction="Both" comment="">
<Src neg="False">
@ -2796,7 +2951,10 @@
<When neg="False">
<IntervalRef ref="sysid2"/>
</When>
<PolicyRuleOptions/>
<PolicyRuleOptions>
<Option name="pf_classify_str"/>
</PolicyRuleOptions>
</PolicyRule>
<PolicyRule id="id3D8FF660" disabled="False" log="False" position="9" action="Accept" direction="Both" comment="">
<Src neg="False">
@ -2815,7 +2973,10 @@
<When neg="False">
<IntervalRef ref="sysid2"/>
</When>
<PolicyRuleOptions/>
<PolicyRuleOptions>
<Option name="pf_classify_str"/>
</PolicyRuleOptions>
</PolicyRule>
<PolicyRule id="id3AFB66EF" disabled="False" log="False" position="10" action="Accept" direction="Both" comment="'masquerading' rule">
<Src neg="False">
@ -2835,7 +2996,10 @@
</When>
<PolicyRuleOptions>
<Option name="id"/>
</PolicyRuleOptions>
<Option name="pf_classify_str"/>
</PolicyRuleOptions>
</PolicyRule>
<PolicyRule id="id3C447B8D" disabled="False" log="True" position="11" action="Accept" direction="Both" comment="host-fw2 has the same address as &#10; one of the firewall's interfaces">
<Src neg="False">
@ -2853,7 +3017,10 @@
<When neg="False">
<IntervalRef ref="sysid2"/>
</When>
<PolicyRuleOptions/>
<PolicyRuleOptions>
<Option name="pf_classify_str"/>
</PolicyRuleOptions>
</PolicyRule>
<PolicyRule id="id3C447BCB" disabled="False" log="True" position="12" action="Accept" direction="Both" comment="">
<Src neg="False">
@ -2871,7 +3038,10 @@
<When neg="False">
<IntervalRef ref="sysid2"/>
</When>
<PolicyRuleOptions/>
<PolicyRuleOptions>
<Option name="pf_classify_str"/>
</PolicyRuleOptions>
</PolicyRule>
<PolicyRule id="id3AFB66F9" disabled="False" log="True" position="13" action="Deny" direction="Both" comment="'catch all' rule">
<Src neg="False">
@ -2892,7 +3062,10 @@
<PolicyRuleOptions>
<Option name="id"/>
<Option name="stateless">True</Option>
</PolicyRuleOptions>
<Option name="pf_classify_str"/>
</PolicyRuleOptions>
</PolicyRule>
<RuleSetOptions/>
</Policy>
@ -3241,9 +3414,13 @@
<Itf neg="False">
<ObjectRef ref="id3B0C63E1"/>
</Itf>
<PolicyRuleOptions>
<Option name="stateless">True</Option>
</PolicyRuleOptions>
<Option name="pf_classify_str"/>
</PolicyRuleOptions>
</PolicyRule>
<PolicyRule id="id3B0C63EB" disabled="False" log="True" position="14" action="Deny" direction="Outbound" comment="Anti-spoofing rule">
<Src neg="True">
@ -3259,9 +3436,13 @@
<Itf neg="False">
<ObjectRef ref="id3B0C63E1"/>
</Itf>
<PolicyRuleOptions>
<Option name="stateless">True</Option>
</PolicyRuleOptions>
<Option name="pf_classify_str"/>
</PolicyRuleOptions>
</PolicyRule>
<PolicyRule id="id3B54C977" disabled="False" log="True" position="15" action="Deny" direction="Both" comment="">
<Src neg="False">
@ -3276,9 +3457,13 @@
<Itf neg="False">
<ObjectRef ref="id3B0C63E1"/>
</Itf>
<PolicyRuleOptions>
<Option name="stateless">True</Option>
</PolicyRuleOptions>
<Option name="pf_classify_str"/>
</PolicyRuleOptions>
</PolicyRule>
<PolicyRule id="id3B54F071" disabled="False" log="True" position="16" action="Deny" direction="Both" comment="">
<Src neg="True">
@ -3293,9 +3478,13 @@
<Itf neg="False">
<ObjectRef ref="id3B0C63E1"/>
</Itf>
<PolicyRuleOptions>
<Option name="stateless">True</Option>
</PolicyRuleOptions>
<Option name="pf_classify_str"/>
</PolicyRuleOptions>
</PolicyRule>
<PolicyRule id="id3B0C639F" disabled="False" log="True" position="4" action="Accept" direction="Both" comment="hostF has the same IP address as firewal.">
<Src neg="False">
@ -3315,7 +3504,10 @@
</When>
<PolicyRuleOptions>
<Option name="id"/>
</PolicyRuleOptions>
<Option name="pf_classify_str"/>
</PolicyRuleOptions>
</PolicyRule>
<PolicyRule id="id3B0C63A9" disabled="False" log="True" position="5" action="Deny" direction="Both" comment="testing negation in the policy rule">
<Src neg="True">
@ -3337,7 +3529,10 @@
<PolicyRuleOptions>
<Option name="id"/>
<Option name="stateless">True</Option>
</PolicyRuleOptions>
<Option name="pf_classify_str"/>
</PolicyRuleOptions>
</PolicyRule>
<PolicyRule id="id3B0C63B4" disabled="False" log="True" position="6" action="Deny" direction="Both" comment="">
<Src neg="True">
@ -3359,7 +3554,10 @@
<PolicyRuleOptions>
<Option name="id"/>
<Option name="stateless">True</Option>
</PolicyRuleOptions>
<Option name="pf_classify_str"/>
</PolicyRuleOptions>
</PolicyRule>
<PolicyRule id="id3B0C63BF" disabled="True" log="True" position="7" action="Deny" direction="Both" comment="testing negation in service field">
<Src neg="False">
@ -3382,7 +3580,10 @@
<PolicyRuleOptions>
<Option name="id"/>
<Option name="stateless">True</Option>
</PolicyRuleOptions>
<Option name="pf_classify_str"/>
</PolicyRuleOptions>
</PolicyRule>
<PolicyRule id="id3B0C63CB" disabled="False" log="False" position="8" action="Accept" direction="Both" comment="'masquerading' rule">
<Src neg="False">
@ -3402,7 +3603,10 @@
</When>
<PolicyRuleOptions>
<Option name="id"/>
</PolicyRuleOptions>
<Option name="pf_classify_str"/>
</PolicyRuleOptions>
</PolicyRule>
<PolicyRule id="id3D85069A" disabled="True" log="True" position="9" action="Accept" direction="Both" comment="">
<Src neg="False">
@ -3421,7 +3625,10 @@
<When neg="False">
<IntervalRef ref="sysid2"/>
</When>
<PolicyRuleOptions/>
<PolicyRuleOptions>
<Option name="pf_classify_str"/>
</PolicyRuleOptions>
</PolicyRule>
<PolicyRule id="id3B0C63D5" disabled="False" log="True" position="10" action="Deny" direction="Both" comment="'catch all' rule">
<Src neg="False">
@ -3442,7 +3649,10 @@
<PolicyRuleOptions>
<Option name="id"/>
<Option name="stateless">True</Option>
</PolicyRuleOptions>
<Option name="pf_classify_str"/>
</PolicyRuleOptions>
</PolicyRule>
<RuleSetOptions/>
</Policy>
@ -3556,7 +3766,10 @@
</When>
<PolicyRuleOptions>
<Option name="stateless">True</Option>
</PolicyRuleOptions>
<Option name="pf_classify_str"/>
</PolicyRuleOptions>
</PolicyRule>
<PolicyRule id="id3CF5B373" disabled="False" log="True" position="18" action="Deny" direction="Inbound" comment="">
<Src neg="False">
@ -3576,7 +3789,10 @@
</When>
<PolicyRuleOptions>
<Option name="stateless">True</Option>
</PolicyRuleOptions>
<Option name="pf_classify_str"/>
</PolicyRuleOptions>
</PolicyRule>
<PolicyRule id="id3C69BF13" disabled="False" log="False" position="2" action="Accept" direction="Both" comment="">
<Src neg="False">
@ -3594,7 +3810,10 @@
<When neg="False">
<IntervalRef ref="sysid2"/>
</When>
<PolicyRuleOptions/>
<PolicyRuleOptions>
<Option name="pf_classify_str"/>
</PolicyRuleOptions>
</PolicyRule>
<RuleSetOptions/>
</Policy>
@ -3703,7 +3922,11 @@
<Itf neg="False">
<ObjectRef ref="id3AF5A2CB"/>
</Itf>
<PolicyRuleOptions/>
<PolicyRuleOptions>
<Option name="pf_classify_str"/>
</PolicyRuleOptions>
</PolicyRule>
<PolicyRule id="id3AFB70C7" disabled="False" log="False" position="20" action="Accept" direction="Inbound" comment="allow everything on loopback">
<Src neg="False">
@ -3718,7 +3941,11 @@
<Itf neg="False">
<ObjectRef ref="id3AFB7090"/>
</Itf>
<PolicyRuleOptions/>
<PolicyRuleOptions>
<Option name="pf_classify_str"/>
</PolicyRuleOptions>
</PolicyRule>
<PolicyRule id="id3AFB70CF" disabled="False" log="False" position="21" action="Accept" direction="Outbound" comment="allow everything on loopback">
<Src neg="False">
@ -3733,7 +3960,11 @@
<Itf neg="False">
<ObjectRef ref="id3AFB7090"/>
</Itf>
<PolicyRuleOptions/>
<PolicyRuleOptions>
<Option name="pf_classify_str"/>
</PolicyRuleOptions>
</PolicyRule>
<PolicyRule id="id3BD8ECC6" disabled="False" log="True" position="22" action="Accept" direction="Both" comment="">
<Src neg="False">
@ -3748,7 +3979,11 @@
<Itf neg="False">
<ObjectRef ref="id3AFB7090"/>
</Itf>
<PolicyRuleOptions/>
<PolicyRuleOptions>
<Option name="pf_classify_str"/>
</PolicyRuleOptions>
</PolicyRule>
<PolicyRule id="id3AF5A74B" disabled="False" log="True" position="4" action="Deny" direction="Both" comment="block fragments">
<Src neg="False">
@ -3768,7 +4003,10 @@
</When>
<PolicyRuleOptions>
<Option name="stateless">True</Option>
</PolicyRuleOptions>
<Option name="pf_classify_str"/>
</PolicyRuleOptions>
</PolicyRule>
<PolicyRule id="id3AF5A73A" disabled="False" log="False" position="5" action="Accept" direction="Both" comment="">
<Src neg="False">
@ -3791,7 +4029,10 @@
<When neg="False">
<IntervalRef ref="sysid2"/>
</When>
<PolicyRuleOptions/>
<PolicyRuleOptions>
<Option name="pf_classify_str"/>
</PolicyRuleOptions>
</PolicyRule>
<PolicyRule id="id3AF5A757" disabled="False" log="False" position="6" action="Accept" direction="Both" comment="allow all outgoing connections">
<Src neg="False">
@ -3809,7 +4050,10 @@
<When neg="False">
<IntervalRef ref="sysid2"/>
</When>
<PolicyRuleOptions/>
<PolicyRuleOptions>
<Option name="pf_classify_str"/>
</PolicyRuleOptions>
</PolicyRule>
<PolicyRule id="id3AF5A762" disabled="False" log="True" position="7" action="Deny" direction="Both" comment="'catch all' rule">
<Src neg="False">
@ -3829,7 +4073,10 @@
</When>
<PolicyRuleOptions>
<Option name="stateless">True</Option>
</PolicyRuleOptions>
<Option name="pf_classify_str"/>
</PolicyRuleOptions>
</PolicyRule>
<RuleSetOptions/>
</Policy>
@ -4143,7 +4390,10 @@
<When neg="False">
<IntervalRef ref="sysid2"/>
</When>
<PolicyRuleOptions/>
<PolicyRuleOptions>
<Option name="pf_classify_str"/>
</PolicyRuleOptions>
</PolicyRule>
<PolicyRule id="id3D5822B5" disabled="False" log="False" position="1" action="Accept" direction="Both" comment="">
<Src neg="False">
@ -4161,7 +4411,10 @@
<When neg="False">
<IntervalRef ref="sysid2"/>
</When>
<PolicyRuleOptions/>
<PolicyRuleOptions>
<Option name="pf_classify_str"/>
</PolicyRuleOptions>
</PolicyRule>
<PolicyRule id="id3D582294" disabled="False" log="False" position="2" action="Accept" direction="Both" comment="">
<Src neg="False">
@ -4179,7 +4432,10 @@
<When neg="False">
<IntervalRef ref="sysid2"/>
</When>
<PolicyRuleOptions/>
<PolicyRuleOptions>
<Option name="pf_classify_str"/>
</PolicyRuleOptions>
</PolicyRule>
<PolicyRule id="id3D58228A" disabled="False" log="False" position="3" action="Accept" direction="Both" comment="">
<Src neg="False">
@ -4197,7 +4453,10 @@
<When neg="False">
<IntervalRef ref="sysid2"/>
</When>
<PolicyRuleOptions/>
<PolicyRuleOptions>
<Option name="pf_classify_str"/>
</PolicyRuleOptions>
</PolicyRule>
<PolicyRule id="id3D5822A0" disabled="False" log="True" position="4" action="Deny" direction="Both" comment="">
<Src neg="False">
@ -4217,7 +4476,10 @@
</When>
<PolicyRuleOptions>
<Option name="stateless">True</Option>
</PolicyRuleOptions>
<Option name="pf_classify_str"/>
</PolicyRuleOptions>
</PolicyRule>
<RuleSetOptions/>
</Policy>
@ -4506,7 +4768,10 @@
</When>
<PolicyRuleOptions>
<Option name="stateless">True</Option>
</PolicyRuleOptions>
<Option name="pf_classify_str"/>
</PolicyRuleOptions>
</PolicyRule>
<PolicyRule id="id3DF3E09E" disabled="False" log="False" position="1" action="Accept" direction="Inbound" comment="">
<Src neg="False">
@ -4525,7 +4790,10 @@
<When neg="False">
<IntervalRef ref="sysid2"/>
</When>
<PolicyRuleOptions/>
<PolicyRuleOptions>
<Option name="pf_classify_str"/>
</PolicyRuleOptions>
</PolicyRule>
<PolicyRule id="id3DF3D16E" disabled="False" log="False" position="2" action="Accept" direction="Inbound" comment="">
<Src neg="True">
@ -4544,7 +4812,10 @@
<When neg="False">
<IntervalRef ref="sysid2"/>
</When>
<PolicyRuleOptions/>
<PolicyRuleOptions>
<Option name="pf_classify_str"/>
</PolicyRuleOptions>
</PolicyRule>
<PolicyRule id="id3E5F2E4C" disabled="False" log="False" position="3" action="Accounting" direction="Both" comment="">
<Src neg="False">
@ -4564,7 +4835,10 @@
</When>
<PolicyRuleOptions>
<Option name="stateless">True</Option>
</PolicyRuleOptions>
<Option name="pf_classify_str"/>
</PolicyRuleOptions>
</PolicyRule>
<PolicyRule id="id3E5F2E42" disabled="False" log="True" position="4" action="Accounting" direction="Both" comment="">
<Src neg="False">
@ -4584,7 +4858,10 @@
</When>
<PolicyRuleOptions>
<Option name="stateless">True</Option>
</PolicyRuleOptions>
<Option name="pf_classify_str"/>
</PolicyRuleOptions>
</PolicyRule>
<PolicyRule id="id3DF3D12E" disabled="False" log="False" position="5" action="Accept" direction="Both" comment="">
<Src neg="False">
@ -4602,7 +4879,10 @@
<When neg="False">
<IntervalRef ref="sysid2"/>
</When>
<PolicyRuleOptions/>
<PolicyRuleOptions>
<Option name="pf_classify_str"/>
</PolicyRuleOptions>
</PolicyRule>
<PolicyRule id="id3DF3D563" disabled="False" log="False" position="6" action="Accept" direction="Both" comment="">
<Src neg="False">
@ -4620,7 +4900,10 @@
<When neg="False">
<IntervalRef ref="sysid2"/>
</When>
<PolicyRuleOptions/>
<PolicyRuleOptions>
<Option name="pf_classify_str"/>
</PolicyRuleOptions>
</PolicyRule>
<PolicyRule id="id3F162CE1" disabled="False" log="False" position="7" action="Accept" direction="Both" comment="">
<Src neg="False">
@ -4641,7 +4924,10 @@
<PolicyRuleOptions>
<Option name="action_on_reject"/>
<Option name="stateless">True</Option>
</PolicyRuleOptions>
<Option name="pf_classify_str"/>
</PolicyRuleOptions>
</PolicyRule>
<PolicyRule id="id3DF3D156" disabled="False" log="True" position="8" action="Deny" direction="Both" comment="">
<Src neg="False">
@ -4661,7 +4947,10 @@
</When>
<PolicyRuleOptions>
<Option name="stateless">True</Option>
</PolicyRuleOptions>
<Option name="pf_classify_str"/>
</PolicyRuleOptions>
</PolicyRule>
<RuleSetOptions/>
</Policy>
@ -4733,7 +5022,10 @@
<When neg="False">
<IntervalRef ref="sysid2"/>
</When>
<PolicyRuleOptions/>
<PolicyRuleOptions>
<Option name="pf_classify_str"/>
</PolicyRuleOptions>
</PolicyRule>
<PolicyRule id="id41D4F998" disabled="False" log="False" position="1" action="Accept" direction="Both" comment="">
<Src neg="False">
@ -4751,7 +5043,10 @@
<When neg="False">
<IntervalRef ref="sysid2"/>
</When>
<PolicyRuleOptions/>
<PolicyRuleOptions>
<Option name="pf_classify_str"/>
</PolicyRuleOptions>
</PolicyRule>
<PolicyRule id="id3E51B0B0" disabled="False" log="True" position="2" action="Deny" direction="Both" comment="">
<Src neg="False">
@ -4772,7 +5067,10 @@
</When>
<PolicyRuleOptions>
<Option name="stateless">True</Option>
</PolicyRuleOptions>
<Option name="pf_classify_str"/>
</PolicyRuleOptions>
</PolicyRule>
<PolicyRule id="id3E51B025" disabled="False" log="False" position="3" action="Accept" direction="Both" comment="">
<Src neg="False">
@ -4793,7 +5091,10 @@
<When neg="False">
<IntervalRef ref="sysid2"/>
</When>
<PolicyRuleOptions/>
<PolicyRuleOptions>
<Option name="pf_classify_str"/>
</PolicyRuleOptions>
</PolicyRule>
<PolicyRule id="id3E51BD2E" disabled="False" log="False" position="4" action="Accept" direction="Both" comment="">
<Src neg="False">
@ -4814,7 +5115,10 @@
<When neg="False">
<IntervalRef ref="sysid2"/>
</When>
<PolicyRuleOptions/>
<PolicyRuleOptions>
<Option name="pf_classify_str"/>
</PolicyRuleOptions>
</PolicyRule>
<PolicyRule id="id3E51B010" disabled="False" log="True" position="5" action="Deny" direction="Both" comment="">
<Src neg="False">
@ -4834,7 +5138,10 @@
</When>
<PolicyRuleOptions>
<Option name="stateless">True</Option>
</PolicyRuleOptions>
<Option name="pf_classify_str"/>
</PolicyRuleOptions>
</PolicyRule>
<RuleSetOptions/>
</Policy>
@ -5010,7 +5317,10 @@
<When neg="False">
<IntervalRef ref="sysid2"/>
</When>
<PolicyRuleOptions/>
<PolicyRuleOptions>
<Option name="pf_classify_str"/>
</PolicyRuleOptions>
</PolicyRule>
<PolicyRule id="id43869E9018346" disabled="False" log="False" position="1" action="Accept" direction="Both" comment="">
<Src neg="False">
@ -5028,7 +5338,10 @@
<When neg="False">
<IntervalRef ref="sysid2"/>
</When>
<PolicyRuleOptions/>
<PolicyRuleOptions>
<Option name="pf_classify_str"/>
</PolicyRuleOptions>
</PolicyRule>
<PolicyRule id="id43869E9E18346" disabled="False" log="False" position="2" action="Accept" direction="Both" comment="">
<Src neg="False">
@ -5046,7 +5359,10 @@
<When neg="False">
<IntervalRef ref="sysid2"/>
</When>
<PolicyRuleOptions/>
<PolicyRuleOptions>
<Option name="pf_classify_str"/>
</PolicyRuleOptions>
</PolicyRule>
<PolicyRule id="id43869EAA18346" disabled="False" log="False" position="3" action="Accept" direction="Both" comment="">
<Src neg="False">
@ -5064,7 +5380,10 @@
<When neg="False">
<IntervalRef ref="sysid2"/>
</When>
<PolicyRuleOptions/>
<PolicyRuleOptions>
<Option name="pf_classify_str"/>
</PolicyRuleOptions>
</PolicyRule>
<PolicyRule id="id4386E38318346" disabled="False" log="False" position="4" action="Deny" direction="Both" comment="">
<Src neg="False">
@ -5084,7 +5403,10 @@
</When>
<PolicyRuleOptions>
<Option name="stateless">True</Option>
</PolicyRuleOptions>
<Option name="pf_classify_str"/>
</PolicyRuleOptions>
</PolicyRule>
<PolicyRule id="id4386E37718346" disabled="False" log="False" position="5" action="Deny" direction="Both" comment="">
<Src neg="False">
@ -5104,7 +5426,10 @@
</When>
<PolicyRuleOptions>
<Option name="stateless">True</Option>
</PolicyRuleOptions>
<Option name="pf_classify_str"/>
</PolicyRuleOptions>
</PolicyRule>
<PolicyRule id="id43867C3018346" disabled="False" log="False" position="6" action="Accept" direction="Both" comment="">
<Src neg="False">
@ -5122,7 +5447,10 @@
<When neg="False">
<IntervalRef ref="sysid2"/>
</When>
<PolicyRuleOptions/>
<PolicyRuleOptions>
<Option name="pf_classify_str"/>
</PolicyRuleOptions>
</PolicyRule>
<PolicyRule id="id4386C10D18346" disabled="False" log="False" position="7" action="Accept" direction="Both" comment="">
<Src neg="False">
@ -5140,7 +5468,10 @@
<When neg="False">
<IntervalRef ref="sysid2"/>
</When>
<PolicyRuleOptions/>
<PolicyRuleOptions>
<Option name="pf_classify_str"/>
</PolicyRuleOptions>
</PolicyRule>
<PolicyRule id="id438728A918346" disabled="False" log="False" position="8" action="Accept" direction="Both" comment="">
<Src neg="False">
@ -5159,7 +5490,10 @@
<When neg="False">
<IntervalRef ref="sysid2"/>
</When>
<PolicyRuleOptions/>
<PolicyRuleOptions>
<Option name="pf_classify_str"/>
</PolicyRuleOptions>
</PolicyRule>
<PolicyRule id="id438728BA18346" disabled="False" log="False" position="9" action="Accept" direction="Both" comment="">
<Src neg="False">
@ -5178,7 +5512,10 @@
<When neg="False">
<IntervalRef ref="sysid2"/>
</When>
<PolicyRuleOptions/>
<PolicyRuleOptions>
<Option name="pf_classify_str"/>
</PolicyRuleOptions>
</PolicyRule>
<PolicyRule id="id438728CD18346" disabled="False" log="False" position="10" action="Accept" direction="Both" comment="">
<Src neg="False">
@ -5197,7 +5534,10 @@
<When neg="False">
<IntervalRef ref="sysid2"/>
</When>
<PolicyRuleOptions/>
<PolicyRuleOptions>
<Option name="pf_classify_str"/>
</PolicyRuleOptions>
</PolicyRule>
<PolicyRule id="id43867C3C18346" disabled="False" log="True" position="11" action="Deny" direction="Both" comment="">
<Src neg="False">
@ -5217,7 +5557,10 @@
</When>
<PolicyRuleOptions>
<Option name="stateless">True</Option>
</PolicyRuleOptions>
<Option name="pf_classify_str"/>
</PolicyRuleOptions>
</PolicyRule>
<RuleSetOptions/>
</Policy>
@ -5586,7 +5929,10 @@
<Option name="rule_name_accounting"/>
<Option name="stateless">True</Option>
<Option name="tagvalue"/>
</PolicyRuleOptions>
<Option name="pf_classify_str"/>
</PolicyRuleOptions>
</PolicyRule>
<PolicyRule id="id45275D7A5394" disabled="False" log="False" position="1" action="Custom" direction="Both" comment="rule doing divert to natd (8668) should go before check-state&#10;">
<Src neg="False">
@ -5627,7 +5973,10 @@
<Option name="pf_route_option">Route through</Option>
<Option name="rule_name_accounting"/>
<Option name="stateless">True</Option>
</PolicyRuleOptions>
<Option name="pf_classify_str"/>
</PolicyRuleOptions>
</PolicyRule>
<PolicyRule id="id452299478881" disabled="False" log="False" position="2" action="Pipe" direction="Both" comment="">
<Src neg="False">
@ -5655,7 +6004,10 @@
<Option name="rule_name_accounting"/>
<Option name="stateless">True</Option>
<Option name="tagvalue"/>
</PolicyRuleOptions>
<Option name="pf_classify_str"/>
</PolicyRuleOptions>
</PolicyRule>
<PolicyRule id="id43F7AC9D23738" disabled="False" log="False" position="3" action="Classify" direction="Both" comment="">
<Src neg="False">
@ -5684,7 +6036,10 @@
<Option name="rule_name_accounting"/>
<Option name="stateless">True</Option>
<Option name="tagvalue"/>
</PolicyRuleOptions>
<Option name="pf_classify_str"/>
</PolicyRuleOptions>
</PolicyRule>
<PolicyRule id="id43F7ACAE23738" disabled="False" log="False" position="4" action="Classify" direction="Both" comment="">
<Src neg="False">
@ -5714,7 +6069,10 @@
<Option name="rule_name_accounting"/>
<Option name="stateless">True</Option>
<Option name="tagvalue"/>
</PolicyRuleOptions>
<Option name="pf_classify_str"/>
</PolicyRuleOptions>
</PolicyRule>
<PolicyRule id="id43F7C4D723738" disabled="False" log="True" position="5" action="Custom" direction="Both" comment="">
<Src neg="False">
@ -5741,7 +6099,10 @@
<Option name="rule_name_accounting"/>
<Option name="stateless">True</Option>
<Option name="tagvalue"/>
</PolicyRuleOptions>
<Option name="pf_classify_str"/>
</PolicyRuleOptions>
</PolicyRule>
<PolicyRule id="id43F7AB1B23738" disabled="False" log="True" position="6" action="Deny" direction="Both" comment="">
<Src neg="False">
@ -5761,7 +6122,10 @@
</When>
<PolicyRuleOptions>
<Option name="stateless">True</Option>
</PolicyRuleOptions>
<Option name="pf_classify_str"/>
</PolicyRuleOptions>
</PolicyRule>
<RuleSetOptions/>
</Policy>

743
test/ipt/cluster-tests.fwb
View File

@ -1,6 +1,6 @@
<?xml version="1.0" encoding="utf-8"?>
<!DOCTYPE FWObjectDatabase SYSTEM "fwbuilder.dtd">
<FWObjectDatabase xmlns="http://www.fwbuilder.org/1.0/" version="18" lastModified="1272731422" id="root">
<FWObjectDatabase xmlns="http://www.fwbuilder.org/1.0/" version="20" lastModified="1272731422" id="root">
<Library id="syslib000" color="#d4f8ff" name="Standard" comment="Standard objects" ro="True">
<AnyNetwork id="sysid0" name="Any" comment="Any Network" ro="False" address="0.0.0.0" netmask="0.0.0.0"/>
<AnyIPService id="sysid1" protocol_num="0" name="Any" comment="Any IP Service" ro="False"/>
@ -661,105 +661,120 @@
</NAT>
<Policy id="id3639X95766" name="Policy" comment="" ro="False" ipv4_rule_set="False" ipv6_rule_set="False" top_rule_set="True">
<PolicyRule id="id5954X26920" disabled="False" group="" log="False" position="0" action="Accept" direction="Both" comment="">
<Src neg="False">
<Src neg="False">
<ObjectRef ref="sysid0"/>
</Src>
<Dst neg="False">
<Dst neg="False">
<ObjectRef ref="sysid0"/>
</Dst>
<Srv neg="False">
<Srv neg="False">
<ServiceRef ref="sysid1"/>
</Srv>
<Itf neg="False">
<Itf neg="False">
<ObjectRef ref="sysid0"/>
</Itf>
<When neg="False">
<When neg="False">
<IntervalRef ref="sysid2"/>
</When>
<PolicyRuleOptions>
<PolicyRuleOptions>
<Option name="stateless">False</Option>
<Option name="pf_classify_str"/>
</PolicyRuleOptions>
</PolicyRule>
</PolicyRule>
<PolicyRule id="id7136X39764" disabled="False" group="" log="False" position="1" action="Accept" direction="Both" comment="">
<Src neg="False">
<Src neg="False">
<ObjectRef ref="sysid0"/>
</Src>
<Dst neg="False">
<Dst neg="False">
<ObjectRef ref="sysid0"/>
</Dst>
<Srv neg="False">
<Srv neg="False">
<ServiceRef ref="sysid1"/>
</Srv>
<Itf neg="False">
<Itf neg="False">
<ObjectRef ref="sysid0"/>
</Itf>
<When neg="False">
<When neg="False">
<IntervalRef ref="sysid2"/>
</When>
<PolicyRuleOptions>
<PolicyRuleOptions>
<Option name="stateless">False</Option>
<Option name="pf_classify_str"/>
</PolicyRuleOptions>
</PolicyRule>
</PolicyRule>
<PolicyRule id="id7162X39764" disabled="False" group="" log="False" position="2" action="Accept" direction="Both" comment="">
<Src neg="False">
<Src neg="False">
<ObjectRef ref="sysid0"/>
</Src>
<Dst neg="False">
<Dst neg="False">
<ObjectRef ref="sysid0"/>
</Dst>
<Srv neg="False">
<Srv neg="False">
<ServiceRef ref="sysid1"/>
</Srv>
<Itf neg="False">
<Itf neg="False">
<ObjectRef ref="sysid0"/>
</Itf>
<When neg="False">
<When neg="False">
<IntervalRef ref="sysid2"/>
</When>
<PolicyRuleOptions>
<PolicyRuleOptions>
<Option name="stateless">False</Option>
<Option name="pf_classify_str"/>
</PolicyRuleOptions>
</PolicyRule>
</PolicyRule>
<PolicyRule id="id7149X39764" disabled="False" group="" log="False" position="3" action="Accept" direction="Inbound" comment="">
<Src neg="False">
<Src neg="False">
<ObjectRef ref="sysid0"/>
</Src>
<Dst neg="False">
<Dst neg="False">
<ObjectRef ref="sysid0"/>
</Dst>
<Srv neg="False">
<Srv neg="False">
<ServiceRef ref="sysid1"/>
</Srv>
<Itf neg="False">
<Itf neg="False">
<ObjectRef ref="sysid0"/>
</Itf>
<When neg="False">
<When neg="False">
<IntervalRef ref="sysid2"/>
</When>
<PolicyRuleOptions>
<PolicyRuleOptions>
<Option name="stateless">False</Option>
<Option name="pf_classify_str"/>
</PolicyRuleOptions>
</PolicyRule>
</PolicyRule>
<PolicyRule id="id5942X26920" disabled="False" log="True" position="4" action="Deny" direction="Both" comment="">
<Src neg="False">
<Src neg="False">
<ObjectRef ref="sysid0"/>
</Src>
<Dst neg="False">
<Dst neg="False">
<ObjectRef ref="sysid0"/>
</Dst>
<Srv neg="False">
<Srv neg="False">
<ServiceRef ref="sysid1"/>
</Srv>
<Itf neg="False">
<Itf neg="False">
<ObjectRef ref="sysid0"/>
</Itf>
<When neg="False">
<When neg="False">
<IntervalRef ref="sysid2"/>
</When>
<PolicyRuleOptions>
<PolicyRuleOptions>
<Option name="stateless">True</Option>
<Option name="pf_classify_str"/>
</PolicyRuleOptions>
</PolicyRule>
</PolicyRule>
<RuleSetOptions/>
</Policy>
<Routing id="id3641X95766" name="Routing" comment="" ro="False" ipv4_rule_set="False" ipv6_rule_set="False" top_rule_set="True">
@ -1106,22 +1121,22 @@
</NAT>
<Policy id="id198815X29313" name="Policy" comment="" ro="False" ipv4_rule_set="False" ipv6_rule_set="False" top_rule_set="True">
<PolicyRule id="id198859X29313" disabled="False" log="True" position="0" action="Deny" direction="Inbound" comment="">
<Src neg="False">
<Src neg="False">
<ObjectRef ref="sysid0"/>
</Src>
<Dst neg="False">
<Dst neg="False">
<ObjectRef ref="sysid0"/>
</Dst>
<Srv neg="False">
<Srv neg="False">
<ServiceRef ref="sysid1"/>
</Srv>
<Itf neg="False">
<Itf neg="False">
<ObjectRef ref="sysid0"/>
</Itf>
<When neg="False">
<When neg="False">
<IntervalRef ref="sysid2"/>
</When>
<PolicyRuleOptions>
<PolicyRuleOptions>
<Option name="connlimit_above_not">False</Option>
<Option name="connlimit_masklen">0</Option>
<Option name="connlimit_value">0</Option>
@ -1147,8 +1162,11 @@
<Option name="log_prefix"/>
<Option name="stateless">True</Option>
<Option name="ulog_nlgroup">1</Option>
<Option name="pf_classify_str"/>
</PolicyRuleOptions>
</PolicyRule>
</PolicyRule>
<RuleSetOptions/>
</Policy>
<Routing id="id198819X29313" name="Routing" comment="" ro="False" ipv4_rule_set="False" ipv6_rule_set="False" top_rule_set="True">
@ -1260,22 +1278,22 @@
</Firewall>
<Policy id="id8303X18284" name="to_fw" comment="" ro="False" ipv4_rule_set="True" ipv6_rule_set="False" top_rule_set="False">
<PolicyRule id="id8304X18284" disabled="False" log="True" position="0" action="Deny" direction="Both" comment="hashlimit 20/sec">
<Src neg="False">
<Src neg="False">
<ObjectRef ref="sysid0"/>
</Src>
<Dst neg="False">
<Dst neg="False">
<ObjectRef ref="sysid0"/>
</Dst>
<Srv neg="False">
<Srv neg="False">
<ServiceRef ref="sysid1"/>
</Srv>
<Itf neg="False">
<Itf neg="False">
<ObjectRef ref="sysid0"/>
</Itf>
<When neg="False">
<When neg="False">
<IntervalRef ref="sysid2"/>
</When>
<PolicyRuleOptions>
<PolicyRuleOptions>
<Option name="connlimit_masklen">0</Option>
<Option name="connlimit_value">0</Option>
<Option name="firewall_is_part_of_any_and_networks">False</Option>
@ -1299,8 +1317,11 @@
<Option name="log_prefix"/>
<Option name="stateless">True</Option>
<Option name="ulog_nlgroup">1</Option>
</PolicyRuleOptions>
</PolicyRule>
<Option name="pf_classify_str"/>
</PolicyRuleOptions>
</PolicyRule>
<RuleSetOptions/>
</Policy>
</Library>
@ -1376,7 +1397,10 @@
<When neg="False">
<IntervalRef ref="sysid2"/>
</When>
<PolicyRuleOptions/>
<PolicyRuleOptions>
<Option name="pf_classify_str"/>
</PolicyRuleOptions>
</PolicyRule>
<PolicyRule id="id2896X78273" disabled="False" log="False" position="1" action="Accept" direction="Both" comment="">
<Src neg="False">
@ -1394,7 +1418,10 @@
<When neg="False">
<IntervalRef ref="sysid2"/>
</When>
<PolicyRuleOptions/>
<PolicyRuleOptions>
<Option name="pf_classify_str"/>
</PolicyRuleOptions>
</PolicyRule>
<PolicyRule id="id7697X27234" disabled="False" group="" log="False" position="2" action="Accept" direction="Both" comment="">
<Src neg="False">
@ -1414,7 +1441,10 @@
</When>
<PolicyRuleOptions>
<Option name="stateless">False</Option>
</PolicyRuleOptions>
<Option name="pf_classify_str"/>
</PolicyRuleOptions>
</PolicyRule>
<PolicyRule id="id36344X28692" disabled="False" group="" log="False" position="3" action="Accept" direction="Both" comment="&quot;firewall is part of any&quot; OFF">
<Src neg="False">
@ -1458,7 +1488,10 @@
<Option name="log_prefix"/>
<Option name="stateless">False</Option>
<Option name="ulog_nlgroup">1</Option>
</PolicyRuleOptions>
<Option name="pf_classify_str"/>
</PolicyRuleOptions>
</PolicyRule>
<PolicyRule id="id65013X28692" disabled="False" group="" log="False" position="4" action="Accept" direction="Both" comment="&quot;firewall is part of any&quot; OFF">
<Src neg="False">
@ -1502,7 +1535,10 @@
<Option name="log_prefix"/>
<Option name="stateless">False</Option>
<Option name="ulog_nlgroup">1</Option>
</PolicyRuleOptions>
<Option name="pf_classify_str"/>
</PolicyRuleOptions>
</PolicyRule>
<PolicyRule id="id8117X67022" disabled="False" group="interface group test" log="False" position="5" action="Accept" direction="Both" comment="">
<Src neg="False">
@ -1524,7 +1560,10 @@
<PolicyRuleOptions>
<Option name="color">#C0BA44</Option>
<Option name="stateless">False</Option>
</PolicyRuleOptions>
<Option name="pf_classify_str"/>
</PolicyRuleOptions>
</PolicyRule>
<PolicyRule id="id39519X67022" disabled="False" group="interface group test" log="False" position="6" action="Accept" direction="Both" comment="">
<Src neg="False">
@ -1569,7 +1608,10 @@
<Option name="log_prefix"/>
<Option name="stateless">False</Option>
<Option name="ulog_nlgroup">1</Option>
</PolicyRuleOptions>
<Option name="pf_classify_str"/>
</PolicyRuleOptions>
</PolicyRule>
<PolicyRule id="id103230X67022" disabled="False" group="interface group test" log="False" position="7" action="Accept" direction="Both" comment="&quot;firewall is part of any&quot; OFF">
<Src neg="False">
@ -1615,7 +1657,10 @@
<Option name="log_prefix"/>
<Option name="stateless">False</Option>
<Option name="ulog_nlgroup">1</Option>
</PolicyRuleOptions>
<Option name="pf_classify_str"/>
</PolicyRuleOptions>
</PolicyRule>
<PolicyRule id="id103183X67022" disabled="False" group="interface group test" log="False" position="8" action="Accept" direction="Both" comment="&quot;firewall is part of any&quot; OFF">
<Src neg="False">
@ -1660,7 +1705,10 @@
<Option name="log_prefix"/>
<Option name="stateless">False</Option>
<Option name="ulog_nlgroup">1</Option>
</PolicyRuleOptions>
<Option name="pf_classify_str"/>
</PolicyRuleOptions>
</PolicyRule>
<PolicyRule id="id2879X78273" disabled="False" log="False" position="9" action="Accept" direction="Both" comment="SSH Access to firewall is permitted&#10;only from internal network">
<Src neg="False">
@ -1678,7 +1726,10 @@
<When neg="False">
<IntervalRef ref="sysid2"/>
</When>
<PolicyRuleOptions/>
<PolicyRuleOptions>
<Option name="pf_classify_str"/>
</PolicyRuleOptions>
</PolicyRule>
<PolicyRule id="id2862X78273" disabled="False" log="True" position="10" action="Accept" direction="Both" comment="Firewall uses one of the machines&#10;on internal network for DNS">
<Src neg="False">
@ -1696,7 +1747,10 @@
<When neg="False">
<IntervalRef ref="sysid2"/>
</When>
<PolicyRuleOptions/>
<PolicyRuleOptions>
<Option name="pf_classify_str"/>
</PolicyRuleOptions>
</PolicyRule>
<PolicyRule id="id2845X78273" disabled="False" log="True" position="11" action="Deny" direction="Both" comment="All other attempts to connect to&#10;the firewall are denied and logged">
<Src neg="False">
@ -1714,7 +1768,10 @@
<When neg="False">
<IntervalRef ref="sysid2"/>
</When>
<PolicyRuleOptions/>
<PolicyRuleOptions>
<Option name="pf_classify_str"/>
</PolicyRuleOptions>
</PolicyRule>
<PolicyRule id="id2828X78273" disabled="False" log="False" position="12" action="Accept" direction="Both" comment="">
<Src neg="False">
@ -1732,7 +1789,10 @@
<When neg="False">
<IntervalRef ref="sysid2"/>
</When>
<PolicyRuleOptions/>
<PolicyRuleOptions>
<Option name="pf_classify_str"/>
</PolicyRuleOptions>
</PolicyRule>
<PolicyRule id="id2811X78273" disabled="False" log="True" position="13" action="Deny" direction="Both" comment="">
<Src neg="False">
@ -1750,7 +1810,10 @@
<When neg="False">
<IntervalRef ref="sysid2"/>
</When>
<PolicyRuleOptions/>
<PolicyRuleOptions>
<Option name="pf_classify_str"/>
</PolicyRuleOptions>
</PolicyRule>
<RuleSetOptions/>
</Policy>
@ -1896,7 +1959,10 @@
</When>
<PolicyRuleOptions>
<Option name="stateless">False</Option>
</PolicyRuleOptions>
<Option name="pf_classify_str"/>
</PolicyRuleOptions>
</PolicyRule>
<PolicyRule id="id2781X94039" disabled="False" log="True" position="1" action="Deny" direction="Inbound" comment="anti spoofing rule">
<Src neg="False">
@ -1915,7 +1981,10 @@
<When neg="False">
<IntervalRef ref="sysid2"/>
</When>
<PolicyRuleOptions/>
<PolicyRuleOptions>
<Option name="pf_classify_str"/>
</PolicyRuleOptions>
</PolicyRule>
<PolicyRule id="id2794X94039" disabled="False" log="False" position="2" action="Accept" direction="Both" comment="">
<Src neg="False">
@ -1933,7 +2002,10 @@
<When neg="False">
<IntervalRef ref="sysid2"/>
</When>
<PolicyRuleOptions/>
<PolicyRuleOptions>
<Option name="pf_classify_str"/>
</PolicyRuleOptions>
</PolicyRule>
<PolicyRule id="id2806X94039" disabled="False" log="False" position="3" action="Accept" direction="Both" comment="SSH Access to firewall is permitted&#10;only from internal network">
<Src neg="False">
@ -1951,7 +2023,10 @@
<When neg="False">
<IntervalRef ref="sysid2"/>
</When>
<PolicyRuleOptions/>
<PolicyRuleOptions>
<Option name="pf_classify_str"/>
</PolicyRuleOptions>
</PolicyRule>
<PolicyRule id="id3725X2234" disabled="False" group="" log="False" position="4" action="Accept" direction="Both" comment="SSH Access to firewall is permitted&#10;only from internal network">
<Src neg="False">
@ -1969,7 +2044,10 @@
<When neg="False">
<IntervalRef ref="sysid2"/>
</When>
<PolicyRuleOptions/>
<PolicyRuleOptions>
<Option name="pf_classify_str"/>
</PolicyRuleOptions>
</PolicyRule>
<PolicyRule id="id2818X94039" disabled="False" log="True" position="5" action="Accept" direction="Both" comment="Firewall uses one of the machines&#10;on internal network for DNS">
<Src neg="False">
@ -1987,7 +2065,10 @@
<When neg="False">
<IntervalRef ref="sysid2"/>
</When>
<PolicyRuleOptions/>
<PolicyRuleOptions>
<Option name="pf_classify_str"/>
</PolicyRuleOptions>
</PolicyRule>
<PolicyRule id="id2830X94039" disabled="False" log="True" position="6" action="Deny" direction="Both" comment="All other attempts to connect to&#10;the firewall are denied and logged">
<Src neg="False">
@ -2029,7 +2110,10 @@
<Option name="log_prefix"/>
<Option name="stateless">True</Option>
<Option name="ulog_nlgroup">1</Option>
</PolicyRuleOptions>
<Option name="pf_classify_str"/>
</PolicyRuleOptions>
</PolicyRule>
<PolicyRule id="id2842X94039" disabled="False" log="False" position="7" action="Accept" direction="Both" comment="">
<Src neg="False">
@ -2047,7 +2131,10 @@
<When neg="False">
<IntervalRef ref="sysid2"/>
</When>
<PolicyRuleOptions/>
<PolicyRuleOptions>
<Option name="pf_classify_str"/>
</PolicyRuleOptions>
</PolicyRule>
<PolicyRule id="id2854X94039" disabled="False" log="True" position="8" action="Deny" direction="Both" comment="">
<Src neg="False">
@ -2065,7 +2152,10 @@
<When neg="False">
<IntervalRef ref="sysid2"/>
</When>
<PolicyRuleOptions/>
<PolicyRuleOptions>
<Option name="pf_classify_str"/>
</PolicyRuleOptions>
</PolicyRule>
<PolicyRule id="id3087X2234" disabled="False" group="" log="True" position="9" action="Deny" direction="Both" comment="">
<Src neg="False">
@ -2085,7 +2175,10 @@
</When>
<PolicyRuleOptions>
<Option name="stateless">True</Option>
</PolicyRuleOptions>
<Option name="pf_classify_str"/>
</PolicyRuleOptions>
</PolicyRule>
<RuleSetOptions/>
</Policy>
@ -2269,7 +2362,10 @@
</When>
<PolicyRuleOptions>
<Option name="stateless">False</Option>
</PolicyRuleOptions>
<Option name="pf_classify_str"/>
</PolicyRuleOptions>
</PolicyRule>
<PolicyRule id="id3478X13311" disabled="False" log="True" position="1" action="Deny" direction="Inbound" comment="anti spoofing rule">
<Src neg="False">
@ -2288,7 +2384,10 @@
<When neg="False">
<IntervalRef ref="sysid2"/>
</When>
<PolicyRuleOptions/>
<PolicyRuleOptions>
<Option name="pf_classify_str"/>
</PolicyRuleOptions>
</PolicyRule>
<PolicyRule id="id3491X13311" disabled="False" log="False" position="2" action="Accept" direction="Both" comment="">
<Src neg="False">
@ -2306,7 +2405,10 @@
<When neg="False">
<IntervalRef ref="sysid2"/>
</When>
<PolicyRuleOptions/>
<PolicyRuleOptions>
<Option name="pf_classify_str"/>
</PolicyRuleOptions>
</PolicyRule>
<PolicyRule id="id3503X13311" disabled="False" log="False" position="3" action="Accept" direction="Both" comment="SSH Access to firewall is permitted&#10;only from internal network">
<Src neg="False">
@ -2324,7 +2426,10 @@
<When neg="False">
<IntervalRef ref="sysid2"/>
</When>
<PolicyRuleOptions/>
<PolicyRuleOptions>
<Option name="pf_classify_str"/>
</PolicyRuleOptions>
</PolicyRule>
<PolicyRule id="id3515X13311" disabled="False" group="" log="False" position="4" action="Accept" direction="Both" comment="SSH Access to firewall is permitted&#10;only from internal network">
<Src neg="False">
@ -2342,7 +2447,10 @@
<When neg="False">
<IntervalRef ref="sysid2"/>
</When>
<PolicyRuleOptions/>
<PolicyRuleOptions>
<Option name="pf_classify_str"/>
</PolicyRuleOptions>
</PolicyRule>
<PolicyRule id="id3527X13311" disabled="False" log="True" position="5" action="Accept" direction="Both" comment="Firewall uses one of the machines&#10;on internal network for DNS">
<Src neg="False">
@ -2360,7 +2468,10 @@
<When neg="False">
<IntervalRef ref="sysid2"/>
</When>
<PolicyRuleOptions/>
<PolicyRuleOptions>
<Option name="pf_classify_str"/>
</PolicyRuleOptions>
</PolicyRule>
<PolicyRule id="id4369X67939" disabled="False" group="" log="False" position="6" action="Branch" direction="Both" comment="branch rule set is different in members linux-1 and linux-2">
<Src neg="False">
@ -2425,7 +2536,10 @@
<Option name="rule_name_accounting"/>
<Option name="stateless">True</Option>
<Option name="ulog_nlgroup">1</Option>
</PolicyRuleOptions>
<Option name="pf_classify_str"/>
</PolicyRuleOptions>
</PolicyRule>
<PolicyRule id="id44836X15667" disabled="False" group="" log="False" position="7" action="Branch" direction="Both" comment="branch rule set is different in members linux-1 and linux-2">
<Src neg="False">
@ -2490,7 +2604,10 @@
<Option name="rule_name_accounting"/>
<Option name="stateless">True</Option>
<Option name="ulog_nlgroup">1</Option>
</PolicyRuleOptions>
<Option name="pf_classify_str"/>
</PolicyRuleOptions>
</PolicyRule>
<PolicyRule id="id3539X13311" disabled="False" log="False" position="8" action="Deny" direction="Both" comment="">
<Src neg="False">
@ -2534,7 +2651,10 @@
<Option name="log_prefix"/>
<Option name="stateless">True</Option>
<Option name="ulog_nlgroup">1</Option>
</PolicyRuleOptions>
<Option name="pf_classify_str"/>
</PolicyRuleOptions>
</PolicyRule>
<PolicyRule id="id1094903X96143" disabled="False" group="" log="False" position="9" action="Deny" direction="Both" comment="">
<Src neg="False">
@ -2578,7 +2698,10 @@
<Option name="log_prefix"/>
<Option name="stateless">True</Option>
<Option name="ulog_nlgroup">1</Option>
</PolicyRuleOptions>
<Option name="pf_classify_str"/>
</PolicyRuleOptions>
</PolicyRule>
<PolicyRule id="id997025X96143" disabled="False" group="" log="False" position="10" action="Accept" direction="Both" comment="fw is part of any">
<Src neg="False">
@ -2622,7 +2745,10 @@
<Option name="log_prefix"/>
<Option name="stateless">False</Option>
<Option name="ulog_nlgroup">1</Option>
</PolicyRuleOptions>
<Option name="pf_classify_str"/>
</PolicyRuleOptions>
</PolicyRule>
<PolicyRule id="id97551X96143" disabled="False" group="" log="False" position="11" action="Accept" direction="Both" comment="fw is NOT part of any">
<Src neg="False">
@ -2666,7 +2792,10 @@
<Option name="log_prefix"/>
<Option name="stateless">False</Option>
<Option name="ulog_nlgroup">1</Option>
</PolicyRuleOptions>
<Option name="pf_classify_str"/>
</PolicyRuleOptions>
</PolicyRule>
<PolicyRule id="id143289X96143" disabled="False" group="" log="False" position="12" action="Accept" direction="Both" comment="fw is NOT part of any">
<Src neg="False">
@ -2710,7 +2839,10 @@
<Option name="log_prefix"/>
<Option name="stateless">False</Option>
<Option name="ulog_nlgroup">1</Option>
</PolicyRuleOptions>
<Option name="pf_classify_str"/>
</PolicyRuleOptions>
</PolicyRule>
<PolicyRule id="id1946680X96143" disabled="False" group="" log="False" position="13" action="Accept" direction="Outbound" comment="fw is NOT part of any">
<Src neg="False">
@ -2754,7 +2886,10 @@
<Option name="log_prefix"/>
<Option name="stateless">False</Option>
<Option name="ulog_nlgroup">1</Option>
</PolicyRuleOptions>
<Option name="pf_classify_str"/>
</PolicyRuleOptions>
</PolicyRule>
<PolicyRule id="id378955X96143" disabled="False" group="" log="False" position="14" action="Accept" direction="Both" comment="fw is NOT part of any">
<Src neg="False">
@ -2798,7 +2933,10 @@
<Option name="log_prefix"/>
<Option name="stateless">False</Option>
<Option name="ulog_nlgroup">1</Option>
</PolicyRuleOptions>
<Option name="pf_classify_str"/>
</PolicyRuleOptions>
</PolicyRule>
<PolicyRule id="id1801407X96143" disabled="False" group="" log="False" position="15" action="Accept" direction="Outbound" comment="fw is NOT part of any">
<Src neg="False">
@ -2842,7 +2980,10 @@
<Option name="log_prefix"/>
<Option name="stateless">False</Option>
<Option name="ulog_nlgroup">1</Option>
</PolicyRuleOptions>
<Option name="pf_classify_str"/>
</PolicyRuleOptions>
</PolicyRule>
<PolicyRule id="id143343X96143" disabled="False" group="" log="False" position="16" action="Accept" direction="Both" comment="fw is NOT part of any">
<Src neg="False">
@ -2886,7 +3027,10 @@
<Option name="log_prefix"/>
<Option name="stateless">False</Option>
<Option name="ulog_nlgroup">1</Option>
</PolicyRuleOptions>
<Option name="pf_classify_str"/>
</PolicyRuleOptions>
</PolicyRule>
<PolicyRule id="id2241935X96143" disabled="False" group="" log="False" position="17" action="Accept" direction="Both" comment="fw is NOT part of any">
<Src neg="False">
@ -2930,7 +3074,10 @@
<Option name="log_prefix"/>
<Option name="stateless">False</Option>
<Option name="ulog_nlgroup">1</Option>
</PolicyRuleOptions>
<Option name="pf_classify_str"/>
</PolicyRuleOptions>
</PolicyRule>
<PolicyRule id="id2241981X96143" disabled="False" group="" log="False" position="18" action="Accept" direction="Outbound" comment="fw is NOT part of any">
<Src neg="False">
@ -2974,7 +3121,10 @@
<Option name="log_prefix"/>
<Option name="stateless">False</Option>
<Option name="ulog_nlgroup">1</Option>
</PolicyRuleOptions>
<Option name="pf_classify_str"/>
</PolicyRuleOptions>
</PolicyRule>
<PolicyRule id="id8228X45618" disabled="False" group="" log="False" position="19" action="Accept" direction="Inbound" comment="using interface of another cluster in the rule">
<Src neg="False">
@ -2994,7 +3144,10 @@
</When>
<PolicyRuleOptions>
<Option name="stateless">False</Option>
</PolicyRuleOptions>
<Option name="pf_classify_str"/>
</PolicyRuleOptions>
</PolicyRule>
<PolicyRule id="id147047X84105" disabled="False" group="" log="False" position="20" action="Accept" direction="Both" comment="">
<Src neg="False">
@ -3014,7 +3167,10 @@
</When>
<PolicyRuleOptions>
<Option name="stateless">False</Option>
</PolicyRuleOptions>
<Option name="pf_classify_str"/>
</PolicyRuleOptions>
</PolicyRule>
<PolicyRule id="id3563X13311" disabled="False" log="True" position="21" action="Deny" direction="Both" comment="">
<Src neg="False">
@ -3032,7 +3188,10 @@
<When neg="False">
<IntervalRef ref="sysid2"/>
</When>
<PolicyRuleOptions/>
<PolicyRuleOptions>
<Option name="pf_classify_str"/>
</PolicyRuleOptions>
</PolicyRule>
<PolicyRule id="id3575X13311" disabled="False" group="" log="True" position="22" action="Deny" direction="Both" comment="">
<Src neg="False">
@ -3052,7 +3211,10 @@
</When>
<PolicyRuleOptions>
<Option name="stateless">True</Option>
</PolicyRuleOptions>
<Option name="pf_classify_str"/>
</PolicyRuleOptions>
</PolicyRule>
<RuleSetOptions/>
</Policy>
@ -3165,7 +3327,10 @@
</When>
<PolicyRuleOptions>
<Option name="stateless">False</Option>
</PolicyRuleOptions>
<Option name="pf_classify_str"/>
</PolicyRuleOptions>
</PolicyRule>
<PolicyRule id="id5239X25627" disabled="False" log="True" position="1" action="Deny" direction="Inbound" comment="anti spoofing rule">
<Src neg="False">
@ -3184,7 +3349,10 @@
<When neg="False">
<IntervalRef ref="sysid2"/>
</When>
<PolicyRuleOptions/>
<PolicyRuleOptions>
<Option name="pf_classify_str"/>
</PolicyRuleOptions>
</PolicyRule>
<PolicyRule id="id5222X25627" disabled="False" log="False" position="2" action="Accept" direction="Both" comment="">
<Src neg="False">
@ -3202,7 +3370,10 @@
<When neg="False">
<IntervalRef ref="sysid2"/>
</When>
<PolicyRuleOptions/>
<PolicyRuleOptions>
<Option name="pf_classify_str"/>
</PolicyRuleOptions>
</PolicyRule>
<PolicyRule id="id5205X25627" disabled="False" log="False" position="3" action="Accept" direction="Both" comment="SSH Access to firewall is permitted&#10;only from internal network">
<Src neg="False">
@ -3220,7 +3391,10 @@
<When neg="False">
<IntervalRef ref="sysid2"/>
</When>
<PolicyRuleOptions/>
<PolicyRuleOptions>
<Option name="pf_classify_str"/>
</PolicyRuleOptions>
</PolicyRule>
<PolicyRule id="id5188X25627" disabled="False" group="" log="False" position="4" action="Accept" direction="Both" comment="SSH Access to firewall is permitted&#10;only from internal network">
<Src neg="False">
@ -3238,7 +3412,10 @@
<When neg="False">
<IntervalRef ref="sysid2"/>
</When>
<PolicyRuleOptions/>
<PolicyRuleOptions>
<Option name="pf_classify_str"/>
</PolicyRuleOptions>
</PolicyRule>
<PolicyRule id="id5171X25627" disabled="False" log="True" position="5" action="Accept" direction="Both" comment="Firewall uses one of the machines&#10;on internal network for DNS">
<Src neg="False">
@ -3256,7 +3433,10 @@
<When neg="False">
<IntervalRef ref="sysid2"/>
</When>
<PolicyRuleOptions/>
<PolicyRuleOptions>
<Option name="pf_classify_str"/>
</PolicyRuleOptions>
</PolicyRule>
<PolicyRule id="id5154X25627" disabled="False" log="True" position="6" action="Deny" direction="Both" comment="All other attempts to connect to&#10;the firewall are denied and logged">
<Src neg="False">
@ -3298,7 +3478,10 @@
<Option name="log_prefix"/>
<Option name="stateless">True</Option>
<Option name="ulog_nlgroup">1</Option>
</PolicyRuleOptions>
<Option name="pf_classify_str"/>
</PolicyRuleOptions>
</PolicyRule>
<PolicyRule id="id5137X25627" disabled="False" log="False" position="7" action="Accept" direction="Both" comment="">
<Src neg="False">
@ -3316,7 +3499,10 @@
<When neg="False">
<IntervalRef ref="sysid2"/>
</When>
<PolicyRuleOptions/>
<PolicyRuleOptions>
<Option name="pf_classify_str"/>
</PolicyRuleOptions>
</PolicyRule>
<PolicyRule id="id5120X25627" disabled="False" log="True" position="8" action="Deny" direction="Both" comment="">
<Src neg="False">
@ -3334,7 +3520,10 @@
<When neg="False">
<IntervalRef ref="sysid2"/>
</When>
<PolicyRuleOptions/>
<PolicyRuleOptions>
<Option name="pf_classify_str"/>
</PolicyRuleOptions>
</PolicyRule>
<PolicyRule id="id5103X25627" disabled="False" group="" log="True" position="9" action="Deny" direction="Both" comment="">
<Src neg="False">
@ -3354,7 +3543,10 @@
</When>
<PolicyRuleOptions>
<Option name="stateless">True</Option>
</PolicyRuleOptions>
<Option name="pf_classify_str"/>
</PolicyRuleOptions>
</PolicyRule>
<RuleSetOptions/>
</Policy>
@ -3451,7 +3643,10 @@
</When>
<PolicyRuleOptions>
<Option name="stateless">False</Option>
</PolicyRuleOptions>
<Option name="pf_classify_str"/>
</PolicyRuleOptions>
</PolicyRule>
<PolicyRule id="id4447X28690" disabled="False" log="True" position="1" action="Deny" direction="Inbound" comment="anti spoofing rule">
<Src neg="False">
@ -3470,7 +3665,10 @@
<When neg="False">
<IntervalRef ref="sysid2"/>
</When>
<PolicyRuleOptions/>
<PolicyRuleOptions>
<Option name="pf_classify_str"/>
</PolicyRuleOptions>
</PolicyRule>
<PolicyRule id="id4460X28690" disabled="False" log="False" position="2" action="Accept" direction="Both" comment="">
<Src neg="False">
@ -3488,7 +3686,10 @@
<When neg="False">
<IntervalRef ref="sysid2"/>
</When>
<PolicyRuleOptions/>
<PolicyRuleOptions>
<Option name="pf_classify_str"/>
</PolicyRuleOptions>
</PolicyRule>
<PolicyRule id="id4472X28690" disabled="False" log="False" position="3" action="Accept" direction="Both" comment="SSH Access to firewall is permitted&#10;only from internal network">
<Src neg="False">
@ -3506,7 +3707,10 @@
<When neg="False">
<IntervalRef ref="sysid2"/>
</When>
<PolicyRuleOptions/>
<PolicyRuleOptions>
<Option name="pf_classify_str"/>
</PolicyRuleOptions>
</PolicyRule>
<PolicyRule id="id4484X28690" disabled="False" group="" log="False" position="4" action="Accept" direction="Both" comment="SSH Access to firewall is permitted&#10;only from internal network">
<Src neg="False">
@ -3524,7 +3728,10 @@
<When neg="False">
<IntervalRef ref="sysid2"/>
</When>
<PolicyRuleOptions/>
<PolicyRuleOptions>
<Option name="pf_classify_str"/>
</PolicyRuleOptions>
</PolicyRule>
<PolicyRule id="id4496X28690" disabled="False" log="True" position="5" action="Accept" direction="Both" comment="Firewall uses one of the machines&#10;on internal network for DNS">
<Src neg="False">
@ -3542,7 +3749,10 @@
<When neg="False">
<IntervalRef ref="sysid2"/>
</When>
<PolicyRuleOptions/>
<PolicyRuleOptions>
<Option name="pf_classify_str"/>
</PolicyRuleOptions>
</PolicyRule>
<PolicyRule id="id4508X28690" disabled="False" group="" log="False" position="6" action="Deny" direction="Both" comment="">
<Src neg="False">
@ -3584,7 +3794,10 @@
<Option name="log_prefix"/>
<Option name="stateless">True</Option>
<Option name="ulog_nlgroup">1</Option>
</PolicyRuleOptions>
<Option name="pf_classify_str"/>
</PolicyRuleOptions>
</PolicyRule>
<PolicyRule id="id4520X28690" disabled="False" log="True" position="7" action="Deny" direction="Both" comment="">
<Src neg="False">
@ -3626,7 +3839,10 @@
<Option name="log_prefix"/>
<Option name="stateless">True</Option>
<Option name="ulog_nlgroup">1</Option>
</PolicyRuleOptions>
<Option name="pf_classify_str"/>
</PolicyRuleOptions>
</PolicyRule>
<PolicyRule id="id4532X28690" disabled="False" log="False" position="8" action="Accept" direction="Both" comment="">
<Src neg="False">
@ -3644,7 +3860,10 @@
<When neg="False">
<IntervalRef ref="sysid2"/>
</When>
<PolicyRuleOptions/>
<PolicyRuleOptions>
<Option name="pf_classify_str"/>
</PolicyRuleOptions>
</PolicyRule>
<PolicyRule id="id4544X28690" disabled="False" log="True" position="9" action="Deny" direction="Both" comment="">
<Src neg="False">
@ -3662,7 +3881,10 @@
<When neg="False">
<IntervalRef ref="sysid2"/>
</When>
<PolicyRuleOptions/>
<PolicyRuleOptions>
<Option name="pf_classify_str"/>
</PolicyRuleOptions>
</PolicyRule>
<PolicyRule id="id4556X28690" disabled="False" group="" log="True" position="10" action="Deny" direction="Both" comment="">
<Src neg="False">
@ -3682,7 +3904,10 @@
</When>
<PolicyRuleOptions>
<Option name="stateless">True</Option>
</PolicyRuleOptions>
<Option name="pf_classify_str"/>
</PolicyRuleOptions>
</PolicyRule>
<RuleSetOptions/>
</Policy>
@ -3828,7 +4053,10 @@
</When>
<PolicyRuleOptions>
<Option name="stateless">False</Option>
</PolicyRuleOptions>
<Option name="pf_classify_str"/>
</PolicyRuleOptions>
</PolicyRule>
<PolicyRule id="id5233X20350" disabled="False" log="True" position="1" action="Deny" direction="Inbound" comment="anti spoofing rule">
<Src neg="False">
@ -3847,7 +4075,10 @@
<When neg="False">
<IntervalRef ref="sysid2"/>
</When>
<PolicyRuleOptions/>
<PolicyRuleOptions>
<Option name="pf_classify_str"/>
</PolicyRuleOptions>
</PolicyRule>
<PolicyRule id="id5246X20350" disabled="False" log="False" position="2" action="Accept" direction="Both" comment="">
<Src neg="False">
@ -3865,7 +4096,10 @@
<When neg="False">
<IntervalRef ref="sysid2"/>
</When>
<PolicyRuleOptions/>
<PolicyRuleOptions>
<Option name="pf_classify_str"/>
</PolicyRuleOptions>
</PolicyRule>
<PolicyRule id="id5258X20350" disabled="False" log="False" position="3" action="Accept" direction="Both" comment="SSH Access to firewall is permitted&#10;only from internal network">
<Src neg="False">
@ -3883,7 +4117,10 @@
<When neg="False">
<IntervalRef ref="sysid2"/>
</When>
<PolicyRuleOptions/>
<PolicyRuleOptions>
<Option name="pf_classify_str"/>
</PolicyRuleOptions>
</PolicyRule>
<PolicyRule id="id5270X20350" disabled="False" group="" log="False" position="4" action="Accept" direction="Both" comment="SSH Access to firewall is permitted&#10;only from internal network">
<Src neg="False">
@ -3901,7 +4138,10 @@
<When neg="False">
<IntervalRef ref="sysid2"/>
</When>
<PolicyRuleOptions/>
<PolicyRuleOptions>
<Option name="pf_classify_str"/>
</PolicyRuleOptions>
</PolicyRule>
<PolicyRule id="id5282X20350" disabled="False" log="True" position="5" action="Accept" direction="Both" comment="Firewall uses one of the machines&#10;on internal network for DNS">
<Src neg="False">
@ -3919,7 +4159,10 @@
<When neg="False">
<IntervalRef ref="sysid2"/>
</When>
<PolicyRuleOptions/>
<PolicyRuleOptions>
<Option name="pf_classify_str"/>
</PolicyRuleOptions>
</PolicyRule>
<PolicyRule id="id5294X20350" disabled="False" group="" log="False" position="6" action="Branch" direction="Both" comment="branch rule set is different in members linux-1 and linux-2">
<Src neg="False">
@ -3984,7 +4227,10 @@
<Option name="rule_name_accounting"/>
<Option name="stateless">True</Option>
<Option name="ulog_nlgroup">1</Option>
</PolicyRuleOptions>
<Option name="pf_classify_str"/>
</PolicyRuleOptions>
</PolicyRule>
<PolicyRule id="id5306X20350" disabled="False" group="" log="False" position="7" action="Branch" direction="Both" comment="branch rule set is different in members linux-1 and linux-2">
<Src neg="False">
@ -4049,7 +4295,10 @@
<Option name="rule_name_accounting"/>
<Option name="stateless">True</Option>
<Option name="ulog_nlgroup">1</Option>
</PolicyRuleOptions>
<Option name="pf_classify_str"/>
</PolicyRuleOptions>
</PolicyRule>
<PolicyRule id="id5318X20350" disabled="False" log="True" position="8" action="Deny" direction="Both" comment="">
<Src neg="False">
@ -4091,7 +4340,10 @@
<Option name="log_prefix"/>
<Option name="stateless">True</Option>
<Option name="ulog_nlgroup">1</Option>
</PolicyRuleOptions>
<Option name="pf_classify_str"/>
</PolicyRuleOptions>
</PolicyRule>
<PolicyRule id="id5330X20350" disabled="False" log="False" position="9" action="Accept" direction="Both" comment="">
<Src neg="False">
@ -4109,7 +4361,10 @@
<When neg="False">
<IntervalRef ref="sysid2"/>
</When>
<PolicyRuleOptions/>
<PolicyRuleOptions>
<Option name="pf_classify_str"/>
</PolicyRuleOptions>
</PolicyRule>
<PolicyRule id="id5342X20350" disabled="False" log="True" position="10" action="Deny" direction="Both" comment="">
<Src neg="False">
@ -4127,7 +4382,10 @@
<When neg="False">
<IntervalRef ref="sysid2"/>
</When>
<PolicyRuleOptions/>
<PolicyRuleOptions>
<Option name="pf_classify_str"/>
</PolicyRuleOptions>
</PolicyRule>
<PolicyRule id="id5354X20350" disabled="False" group="" log="True" position="11" action="Deny" direction="Both" comment="">
<Src neg="False">
@ -4147,7 +4405,10 @@
</When>
<PolicyRuleOptions>
<Option name="stateless">True</Option>
</PolicyRuleOptions>
<Option name="pf_classify_str"/>
</PolicyRuleOptions>
</PolicyRule>
<RuleSetOptions/>
</Policy>
@ -4366,7 +4627,10 @@
<When neg="False">
<IntervalRef ref="sysid2"/>
</When>
<PolicyRuleOptions/>
<PolicyRuleOptions>
<Option name="pf_classify_str"/>
</PolicyRuleOptions>
</PolicyRule>
<PolicyRule id="id58771X27834" disabled="False" log="False" position="1" action="Accept" direction="Both" comment="">
<Src neg="False">
@ -4384,7 +4648,10 @@
<When neg="False">
<IntervalRef ref="sysid2"/>
</When>
<PolicyRuleOptions/>
<PolicyRuleOptions>
<Option name="pf_classify_str"/>
</PolicyRuleOptions>
</PolicyRule>
<PolicyRule id="id58783X27834" disabled="False" log="False" position="2" action="Accept" direction="Both" comment="SSH Access to firewall is permitted&#10;only from internal network">
<Src neg="False">
@ -4402,7 +4669,10 @@
<When neg="False">
<IntervalRef ref="sysid2"/>
</When>
<PolicyRuleOptions/>
<PolicyRuleOptions>
<Option name="pf_classify_str"/>
</PolicyRuleOptions>
</PolicyRule>
<PolicyRule id="id58795X27834" disabled="False" log="True" position="3" action="Accept" direction="Both" comment="Firewall uses one of the machines&#10;on internal network for DNS">
<Src neg="False">
@ -4420,7 +4690,10 @@
<When neg="False">
<IntervalRef ref="sysid2"/>
</When>
<PolicyRuleOptions/>
<PolicyRuleOptions>
<Option name="pf_classify_str"/>
</PolicyRuleOptions>
</PolicyRule>
<PolicyRule id="id264906X52019" disabled="False" group="" log="False" position="4" action="Accept" direction="Both" comment="">
<Src neg="False">
@ -4438,7 +4711,10 @@
<When neg="False">
<IntervalRef ref="sysid2"/>
</When>
<PolicyRuleOptions/>
<PolicyRuleOptions>
<Option name="pf_classify_str"/>
</PolicyRuleOptions>
</PolicyRule>
<PolicyRule id="id307834X52019" disabled="False" group="" log="False" position="5" action="Accept" direction="Both" comment="fw is part of any and networks">
<Src neg="False">
@ -4482,7 +4758,10 @@
<Option name="log_prefix"/>
<Option name="stateless">False</Option>
<Option name="ulog_nlgroup">1</Option>
</PolicyRuleOptions>
<Option name="pf_classify_str"/>
</PolicyRuleOptions>
</PolicyRule>
<PolicyRule id="id353220X52019" disabled="False" group="" log="False" position="6" action="Accept" direction="Both" comment="fw is NOT part of any and networks">
<Src neg="False">
@ -4526,7 +4805,10 @@
<Option name="log_prefix"/>
<Option name="stateless">False</Option>
<Option name="ulog_nlgroup">1</Option>
</PolicyRuleOptions>
<Option name="pf_classify_str"/>
</PolicyRuleOptions>
</PolicyRule>
<PolicyRule id="id307896X52019" disabled="False" group="" log="False" position="7" action="Accept" direction="Both" comment="">
<Src neg="False">
@ -4544,7 +4826,10 @@
<When neg="False">
<IntervalRef ref="sysid2"/>
</When>
<PolicyRuleOptions/>
<PolicyRuleOptions>
<Option name="pf_classify_str"/>
</PolicyRuleOptions>
</PolicyRule>
<PolicyRule id="id307958X52019" disabled="False" group="" log="False" position="8" action="Accept" direction="Both" comment="fw is part of any">
<Src neg="False">
@ -4588,7 +4873,10 @@
<Option name="log_prefix"/>
<Option name="stateless">False</Option>
<Option name="ulog_nlgroup">1</Option>
</PolicyRuleOptions>
<Option name="pf_classify_str"/>
</PolicyRuleOptions>
</PolicyRule>
<PolicyRule id="id625000X52019" disabled="False" group="" log="False" position="9" action="Accept" direction="Both" comment="fw is not part of any">
<Src neg="False">
@ -4632,7 +4920,10 @@
<Option name="log_prefix"/>
<Option name="stateless">False</Option>
<Option name="ulog_nlgroup">1</Option>
</PolicyRuleOptions>
<Option name="pf_classify_str"/>
</PolicyRuleOptions>
</PolicyRule>
<PolicyRule id="id853234X52019" disabled="False" group="" log="False" position="10" action="Accept" direction="Both" comment="fw is not part of any">
<Src neg="False">
@ -4676,7 +4967,10 @@
<Option name="log_prefix"/>
<Option name="stateless">False</Option>
<Option name="ulog_nlgroup">1</Option>
</PolicyRuleOptions>
<Option name="pf_classify_str"/>
</PolicyRuleOptions>
</PolicyRule>
<PolicyRule id="id308020X52019" disabled="False" group="" log="False" position="11" action="Accept" direction="Both" comment="">
<Src neg="False">
@ -4694,7 +4988,10 @@
<When neg="False">
<IntervalRef ref="sysid2"/>
</When>
<PolicyRuleOptions/>
<PolicyRuleOptions>
<Option name="pf_classify_str"/>
</PolicyRuleOptions>
</PolicyRule>
<PolicyRule id="id58807X27834" disabled="False" log="True" position="12" action="Deny" direction="Both" comment="All other attempts to connect to&#10;the firewall are denied and logged">
<Src neg="False">
@ -4738,7 +5035,10 @@
<Option name="log_prefix"/>
<Option name="stateless">True</Option>
<Option name="ulog_nlgroup">1</Option>
</PolicyRuleOptions>
<Option name="pf_classify_str"/>
</PolicyRuleOptions>
</PolicyRule>
<PolicyRule id="id148160X50472" disabled="False" group="Negation in interface RE" log="False" position="13" action="Accept" direction="Both" comment="">
<Src neg="False">
@ -4758,7 +5058,10 @@
</When>
<PolicyRuleOptions>
<Option name="stateless">False</Option>
</PolicyRuleOptions>
<Option name="pf_classify_str"/>
</PolicyRuleOptions>
</PolicyRule>
<PolicyRule id="id200555X50472" disabled="False" group="Negation in interface RE" log="False" position="14" action="Accept" direction="Both" comment="">
<Src neg="False">
@ -4779,7 +5082,10 @@
</When>
<PolicyRuleOptions>
<Option name="stateless">False</Option>
</PolicyRuleOptions>
<Option name="pf_classify_str"/>
</PolicyRuleOptions>
</PolicyRule>
<PolicyRule id="id729613X50472" disabled="False" group="Negation in interface RE" log="False" position="15" action="Accept" direction="Both" comment="fw is part of any is OFF">
<Src neg="False">
@ -4823,7 +5129,10 @@
<Option name="log_prefix"/>
<Option name="stateless">False</Option>
<Option name="ulog_nlgroup">1</Option>
</PolicyRuleOptions>
<Option name="pf_classify_str"/>
</PolicyRuleOptions>
</PolicyRule>
<PolicyRule id="id729566X50472" disabled="False" group="Negation in interface RE" log="False" position="16" action="Accept" direction="Both" comment="fw is part of any is OFF">
<Src neg="False">
@ -4868,7 +5177,10 @@
<Option name="log_prefix"/>
<Option name="stateless">False</Option>
<Option name="ulog_nlgroup">1</Option>
</PolicyRuleOptions>
<Option name="pf_classify_str"/>
</PolicyRuleOptions>
</PolicyRule>
<PolicyRule id="id944761X50472" disabled="False" group="Negation in interface RE" log="False" position="17" action="Accept" direction="Inbound" comment="fw is part of any is OFF">
<Src neg="False">
@ -4912,7 +5224,10 @@
<Option name="log_prefix"/>
<Option name="stateless">False</Option>
<Option name="ulog_nlgroup">1</Option>
</PolicyRuleOptions>
<Option name="pf_classify_str"/>
</PolicyRuleOptions>
</PolicyRule>
<PolicyRule id="id944714X50472" disabled="False" group="Negation in interface RE" log="False" position="18" action="Accept" direction="Inbound" comment="fw is part of any is OFF">
<Src neg="False">
@ -4957,7 +5272,10 @@
<Option name="log_prefix"/>
<Option name="stateless">False</Option>
<Option name="ulog_nlgroup">1</Option>
</PolicyRuleOptions>
<Option name="pf_classify_str"/>
</PolicyRuleOptions>
</PolicyRule>
<PolicyRule id="id944903X50472" disabled="False" group="Negation in interface RE" log="False" position="19" action="Accept" direction="Outbound" comment="fw is part of any is OFF">
<Src neg="False">
@ -5001,7 +5319,10 @@
<Option name="log_prefix"/>
<Option name="stateless">False</Option>
<Option name="ulog_nlgroup">1</Option>
</PolicyRuleOptions>
<Option name="pf_classify_str"/>
</PolicyRuleOptions>
</PolicyRule>
<PolicyRule id="id944856X50472" disabled="False" group="Negation in interface RE" log="False" position="20" action="Accept" direction="Outbound" comment="fw is part of any is OFF">
<Src neg="False">
@ -5046,7 +5367,10 @@
<Option name="log_prefix"/>
<Option name="stateless">False</Option>
<Option name="ulog_nlgroup">1</Option>
</PolicyRuleOptions>
<Option name="pf_classify_str"/>
</PolicyRuleOptions>
</PolicyRule>
<PolicyRule id="id1440989X50472" disabled="False" group="Negation in interface RE" log="False" position="21" action="Accept" direction="Both" comment="">
<Src neg="False">
@ -5090,7 +5414,10 @@
<Option name="log_prefix"/>
<Option name="stateless">False</Option>
<Option name="ulog_nlgroup">1</Option>
</PolicyRuleOptions>
<Option name="pf_classify_str"/>
</PolicyRuleOptions>
</PolicyRule>
<PolicyRule id="id1441036X50472" disabled="False" group="Negation in interface RE" log="False" position="22" action="Accept" direction="Both" comment="">
<Src neg="False">
@ -5135,7 +5462,10 @@
<Option name="log_prefix"/>
<Option name="stateless">False</Option>
<Option name="ulog_nlgroup">1</Option>
</PolicyRuleOptions>
<Option name="pf_classify_str"/>
</PolicyRuleOptions>
</PolicyRule>
<PolicyRule id="id1275381X50472" disabled="False" group="Negation in interface RE" log="False" position="23" action="Accept" direction="Both" comment="fw is part of any is OFF">
<Src neg="False">
@ -5179,7 +5509,10 @@
<Option name="log_prefix"/>
<Option name="stateless">False</Option>
<Option name="ulog_nlgroup">1</Option>
</PolicyRuleOptions>
<Option name="pf_classify_str"/>
</PolicyRuleOptions>
</PolicyRule>
<PolicyRule id="id1275334X50472" disabled="False" group="Negation in interface RE" log="False" position="24" action="Accept" direction="Both" comment="fw is part of any is OFF">
<Src neg="False">
@ -5224,7 +5557,10 @@
<Option name="log_prefix"/>
<Option name="stateless">False</Option>
<Option name="ulog_nlgroup">1</Option>
</PolicyRuleOptions>
<Option name="pf_classify_str"/>
</PolicyRuleOptions>
</PolicyRule>
<RuleSetOptions/>
</Policy>
@ -5326,7 +5662,10 @@
<Option name="log_prefix"/>
<Option name="stateless">True</Option>
<Option name="ulog_nlgroup">1</Option>
</PolicyRuleOptions>
<Option name="pf_classify_str"/>
</PolicyRuleOptions>
</PolicyRule>
<PolicyRule id="id58450X29313" disabled="False" log="False" position="1" action="Deny" direction="Inbound" comment="">
<Src neg="False">
@ -5346,7 +5685,10 @@
</When>
<PolicyRuleOptions>
<Option name="stateless">True</Option>
</PolicyRuleOptions>
<Option name="pf_classify_str"/>
</PolicyRuleOptions>
</PolicyRule>
<RuleSetOptions/>
</Policy>
@ -5467,7 +5809,10 @@
<Option name="log_prefix"/>
<Option name="stateless">True</Option>
<Option name="ulog_nlgroup">1</Option>
</PolicyRuleOptions>
<Option name="pf_classify_str"/>
</PolicyRuleOptions>
</PolicyRule>
<RuleSetOptions/>
</Policy>
@ -5641,7 +5986,10 @@
<Option name="log_prefix"/>
<Option name="stateless">True</Option>
<Option name="ulog_nlgroup">1</Option>
</PolicyRuleOptions>
<Option name="pf_classify_str"/>
</PolicyRuleOptions>
</PolicyRule>
<RuleSetOptions/>
</Policy>
@ -6168,7 +6516,10 @@
</When>
<PolicyRuleOptions>
<Option name="stateless">False</Option>
</PolicyRuleOptions>
<Option name="pf_classify_str"/>
</PolicyRuleOptions>
</PolicyRule>
<RuleSetOptions/>
</Policy>
@ -6620,7 +6971,10 @@
<When neg="False">
<IntervalRef ref="sysid2"/>
</When>
<PolicyRuleOptions/>
<PolicyRuleOptions>
<Option name="pf_classify_str"/>
</PolicyRuleOptions>
</PolicyRule>
<PolicyRule id="id58535X27834" disabled="False" log="False" position="1" action="Accept" direction="Both" comment="">
<Src neg="False">
@ -6638,7 +6992,10 @@
<When neg="False">
<IntervalRef ref="sysid2"/>
</When>
<PolicyRuleOptions/>
<PolicyRuleOptions>
<Option name="pf_classify_str"/>
</PolicyRuleOptions>
</PolicyRule>
<PolicyRule id="id58547X27834" disabled="False" log="False" position="2" action="Accept" direction="Both" comment="SSH Access to firewall is permitted&#10;only from internal network">
<Src neg="False">
@ -6656,7 +7013,10 @@
<When neg="False">
<IntervalRef ref="sysid2"/>
</When>
<PolicyRuleOptions/>
<PolicyRuleOptions>
<Option name="pf_classify_str"/>
</PolicyRuleOptions>
</PolicyRule>
<PolicyRule id="id58559X27834" disabled="False" log="True" position="3" action="Accept" direction="Both" comment="Firewall uses one of the machines&#10;on internal network for DNS">
<Src neg="False">
@ -6674,7 +7034,10 @@
<When neg="False">
<IntervalRef ref="sysid2"/>
</When>
<PolicyRuleOptions/>
<PolicyRuleOptions>
<Option name="pf_classify_str"/>
</PolicyRuleOptions>
</PolicyRule>
<PolicyRule id="id58571X27834" disabled="False" log="True" position="4" action="Deny" direction="Both" comment="All other attempts to connect to&#10;the firewall are denied and logged">
<Src neg="False">
@ -6692,7 +7055,10 @@
<When neg="False">
<IntervalRef ref="sysid2"/>
</When>
<PolicyRuleOptions/>
<PolicyRuleOptions>
<Option name="pf_classify_str"/>
</PolicyRuleOptions>
</PolicyRule>
<PolicyRule id="id58583X27834" disabled="False" log="False" position="5" action="Accept" direction="Both" comment="">
<Src neg="False">
@ -6710,7 +7076,10 @@
<When neg="False">
<IntervalRef ref="sysid2"/>
</When>
<PolicyRuleOptions/>
<PolicyRuleOptions>
<Option name="pf_classify_str"/>
</PolicyRuleOptions>
</PolicyRule>
<PolicyRule id="id58595X27834" disabled="False" log="True" position="6" action="Deny" direction="Both" comment="">
<Src neg="False">
@ -6728,7 +7097,10 @@
<When neg="False">
<IntervalRef ref="sysid2"/>
</When>
<PolicyRuleOptions/>
<PolicyRuleOptions>
<Option name="pf_classify_str"/>
</PolicyRuleOptions>
</PolicyRule>
<RuleSetOptions/>
</Policy>
@ -6839,7 +7211,10 @@
<When neg="False">
<IntervalRef ref="sysid2"/>
</When>
<PolicyRuleOptions/>
<PolicyRuleOptions>
<Option name="pf_classify_str"/>
</PolicyRuleOptions>
</PolicyRule>
<PolicyRule id="id58661X27834" disabled="False" log="False" position="1" action="Accept" direction="Both" comment="">
<Src neg="False">
@ -6857,7 +7232,10 @@
<When neg="False">
<IntervalRef ref="sysid2"/>
</When>
<PolicyRuleOptions/>
<PolicyRuleOptions>
<Option name="pf_classify_str"/>
</PolicyRuleOptions>
</PolicyRule>
<PolicyRule id="id58673X27834" disabled="False" log="False" position="2" action="Accept" direction="Both" comment="SSH Access to firewall is permitted&#10;only from internal network">
<Src neg="False">
@ -6875,7 +7253,10 @@
<When neg="False">
<IntervalRef ref="sysid2"/>
</When>
<PolicyRuleOptions/>
<PolicyRuleOptions>
<Option name="pf_classify_str"/>
</PolicyRuleOptions>
</PolicyRule>
<PolicyRule id="id58685X27834" disabled="False" log="True" position="3" action="Accept" direction="Both" comment="Firewall uses one of the machines&#10;on internal network for DNS">
<Src neg="False">
@ -6893,7 +7274,10 @@
<When neg="False">
<IntervalRef ref="sysid2"/>
</When>
<PolicyRuleOptions/>
<PolicyRuleOptions>
<Option name="pf_classify_str"/>
</PolicyRuleOptions>
</PolicyRule>
<PolicyRule id="id58697X27834" disabled="False" log="True" position="4" action="Deny" direction="Both" comment="All other attempts to connect to&#10;the firewall are denied and logged">
<Src neg="False">
@ -6911,7 +7295,10 @@
<When neg="False">
<IntervalRef ref="sysid2"/>
</When>
<PolicyRuleOptions/>
<PolicyRuleOptions>
<Option name="pf_classify_str"/>
</PolicyRuleOptions>
</PolicyRule>
<PolicyRule id="id58709X27834" disabled="False" log="False" position="5" action="Accept" direction="Both" comment="">
<Src neg="False">
@ -6929,7 +7316,10 @@
<When neg="False">
<IntervalRef ref="sysid2"/>
</When>
<PolicyRuleOptions/>
<PolicyRuleOptions>
<Option name="pf_classify_str"/>
</PolicyRuleOptions>
</PolicyRule>
<PolicyRule id="id58721X27834" disabled="False" log="True" position="6" action="Deny" direction="Both" comment="">
<Src neg="False">
@ -6947,7 +7337,10 @@
<When neg="False">
<IntervalRef ref="sysid2"/>
</When>
<PolicyRuleOptions/>
<PolicyRuleOptions>
<Option name="pf_classify_str"/>
</PolicyRuleOptions>
</PolicyRule>
<RuleSetOptions/>
</Policy>

18604
test/ipt/objects-for-regression-tests.fwb
View File

File diff suppressed because it is too large Load Diff

4
test/ipt/rc.firewall.local
View File

@ -2,9 +2,9 @@
#
# This is automatically generated file. DO NOT MODIFY !
#
# Firewall Builder fwb_ipt v4.2.0.3529
# Firewall Builder fwb_ipt v4.2.1.3538
#
# Generated Tue Apr 19 14:13:40 2011 PDT by vadim
# Generated Thu May 5 18:31:56 2011 PDT by vadim
#
# files: * rc.firewall.local /etc/rc.d//rc.firewall.local
#

899
test/pf/cluster-tests.fwb
View File

@ -1,6 +1,6 @@
<?xml version="1.0" encoding="utf-8"?>
<!DOCTYPE FWObjectDatabase SYSTEM "fwbuilder.dtd">
<FWObjectDatabase xmlns="http://www.fwbuilder.org/1.0/" version="18" lastModified="1297993801" id="root">
<FWObjectDatabase xmlns="http://www.fwbuilder.org/1.0/" version="20" lastModified="1297993801" id="root">
<Library id="syslib000" color="#d4f8ff" name="Standard" comment="Standard objects" ro="True">
<AnyNetwork id="sysid0" name="Any" comment="Any Network" ro="False" address="0.0.0.0" netmask="0.0.0.0"/>
<AnyIPService id="sysid1" protocol_num="0" name="Any" comment="Any IP Service" ro="False"/>
@ -51,9 +51,9 @@
<PolicyInstallScript arguments="" command="" enabled="False"/>
</Management>
<HostOptions>
<Option name="snmp_contact"></Option>
<Option name="snmp_description"></Option>
<Option name="snmp_location"></Option>
<Option name="snmp_contact"/>
<Option name="snmp_description"/>
<Option name="snmp_location"/>
<Option name="use_mac_addr">false</Option>
<Option name="use_mac_addr_filter">False</Option>
</HostOptions>
@ -69,9 +69,9 @@
<PolicyInstallScript arguments="" command="" enabled="False"/>
</Management>
<HostOptions>
<Option name="snmp_contact"></Option>
<Option name="snmp_description"></Option>
<Option name="snmp_location"></Option>
<Option name="snmp_contact"/>
<Option name="snmp_description"/>
<Option name="snmp_location"/>
<Option name="use_mac_addr">false</Option>
<Option name="use_mac_addr_filter">False</Option>
</HostOptions>
@ -100,17 +100,17 @@
</ObjectGroup>
<ServiceGroup id="stdid05" name="Services" comment="" ro="False">
<CustomService id="stdid14_1" name="ESTABLISHED" comment="This service matches all packets which are part of network connections established through the firewall, or connections 'related' to those established through the firewall. Term 'established' refers to the state tracking mechanism which exists inside iptables and other stateful firewalls and does not mean any particular combination of packet header options. Packet is considered to correspond to the state 'ESTABLISHED' if it belongs to the network session, for which proper initiation has been seen by the firewall, so its stateful inspection module made appropriate record in the state table. Usually stateful firewalls keep track of network connections using not only tcp protocol, but also udp and sometimes even icmp protocols. 'RELATED' describes packet belonging to a separate network connection, related to the session firewall is keeping track of. One example is FTP command and FTP data sessions." ro="False" protocol="any" address_family="ipv4">
<CustomServiceCommand platform="Undefined"></CustomServiceCommand>
<CustomServiceCommand platform="Undefined"/>
<CustomServiceCommand platform="iosacl">established</CustomServiceCommand>
<CustomServiceCommand platform="ipfilter"></CustomServiceCommand>
<CustomServiceCommand platform="ipfilter"/>
<CustomServiceCommand platform="ipfw">established</CustomServiceCommand>
<CustomServiceCommand platform="iptables">-m state --state ESTABLISHED,RELATED</CustomServiceCommand>
<CustomServiceCommand platform="procurve_acl">established</CustomServiceCommand>
</CustomService>
<CustomService id="stdid14_2" name="ESTABLISHED ipv6" comment="This service matches all packets which are part of network connections established through the firewall, or connections 'related' to those established through the firewall. Term 'established' refers to the state tracking mechanism which exists inside iptables and other stateful firewalls and does not mean any particular combination of packet header options. Packet is considered to correspond to the state 'ESTABLISHED' if it belongs to the network session, for which proper initiation has been seen by the firewall, so its stateful inspection module made appropriate record in the state table. Usually stateful firewalls keep track of network connections using not only tcp protocol, but also udp and sometimes even icmp protocols. 'RELATED' describes packet belonging to a separate network connection, related to the session firewall is keeping track of. One example is FTP command and FTP data sessions." ro="False" protocol="any" address_family="ipv6">
<CustomServiceCommand platform="Undefined"></CustomServiceCommand>
<CustomServiceCommand platform="Undefined"/>
<CustomServiceCommand platform="iosacl">established</CustomServiceCommand>
<CustomServiceCommand platform="ipfilter"></CustomServiceCommand>
<CustomServiceCommand platform="ipfilter"/>
<CustomServiceCommand platform="ipfw">established</CustomServiceCommand>
<CustomServiceCommand platform="iptables">-m state --state ESTABLISHED,RELATED</CustomServiceCommand>
<CustomServiceCommand platform="procurve_acl">established</CustomServiceCommand>
@ -365,54 +365,54 @@
</ServiceGroup>
<ServiceGroup id="stdid13" name="Custom" comment="" ro="False">
<CustomService id="id3B64EEA8" name="rpc" comment="works in iptables and requires patch-o-matic.&#10;For more information look for patch-o-matic on http://www.netfilter.org/" ro="False" protocol="any" address_family="ipv4">
<CustomServiceCommand platform="Undefined"></CustomServiceCommand>
<CustomServiceCommand platform="ipf"></CustomServiceCommand>
<CustomServiceCommand platform="ipfilter"></CustomServiceCommand>
<CustomServiceCommand platform="ipfw"></CustomServiceCommand>
<CustomServiceCommand platform="Undefined"/>
<CustomServiceCommand platform="ipf"/>
<CustomServiceCommand platform="ipfilter"/>
<CustomServiceCommand platform="ipfw"/>
<CustomServiceCommand platform="iptables">-m record_rpc</CustomServiceCommand>
<CustomServiceCommand platform="pf"></CustomServiceCommand>
<CustomServiceCommand platform="pix"></CustomServiceCommand>
<CustomServiceCommand platform="unknown"></CustomServiceCommand>
<CustomServiceCommand platform="pf"/>
<CustomServiceCommand platform="pix"/>
<CustomServiceCommand platform="unknown"/>
</CustomService>
<CustomService id="id3B64EF4E" name="irc-conn" comment="IRC connection tracker, supports DCC.&#10;Works on iptables and requires patch-o-matic.&#10;For more information look for patch-o-matic on http://www.netfilter.org/&#10;" ro="False" protocol="any" address_family="ipv4">
<CustomServiceCommand platform="Undefined"></CustomServiceCommand>
<CustomServiceCommand platform="ipf"></CustomServiceCommand>
<CustomServiceCommand platform="ipfilter"></CustomServiceCommand>
<CustomServiceCommand platform="ipfw"></CustomServiceCommand>
<CustomServiceCommand platform="Undefined"/>
<CustomServiceCommand platform="ipf"/>
<CustomServiceCommand platform="ipfilter"/>
<CustomServiceCommand platform="ipfw"/>
<CustomServiceCommand platform="iptables">-m irc</CustomServiceCommand>
<CustomServiceCommand platform="pf"></CustomServiceCommand>
<CustomServiceCommand platform="pix"></CustomServiceCommand>
<CustomServiceCommand platform="unknown"></CustomServiceCommand>
<CustomServiceCommand platform="pf"/>
<CustomServiceCommand platform="pix"/>
<CustomServiceCommand platform="unknown"/>
</CustomService>
<CustomService id="id3B64EF50" name="psd" comment="Port scan detector, works only on iptables and requires patch-o-matic &#10;For more information look for patch-o-matic on http://www.netfilter.org/" ro="False" protocol="any" address_family="ipv4">
<CustomServiceCommand platform="Undefined"></CustomServiceCommand>
<CustomServiceCommand platform="ipf"></CustomServiceCommand>
<CustomServiceCommand platform="ipfilter"></CustomServiceCommand>
<CustomServiceCommand platform="ipfw"></CustomServiceCommand>
<CustomServiceCommand platform="Undefined"/>
<CustomServiceCommand platform="ipf"/>
<CustomServiceCommand platform="ipfilter"/>
<CustomServiceCommand platform="ipfw"/>
<CustomServiceCommand platform="iptables">-m psd --psd-weight-threshold 5 --psd-delay-threshold 10000</CustomServiceCommand>
<CustomServiceCommand platform="pf"></CustomServiceCommand>
<CustomServiceCommand platform="pix"></CustomServiceCommand>
<CustomServiceCommand platform="unknown"></CustomServiceCommand>
<CustomServiceCommand platform="pf"/>
<CustomServiceCommand platform="pix"/>
<CustomServiceCommand platform="unknown"/>
</CustomService>
<CustomService id="id3B64EF52" name="string" comment="Matches a string in a whole packet, works in iptables and requires patch-o-matic.&#10;For more information look for patch-o-matic on http://www.netfilter.org/" ro="False" protocol="any" address_family="ipv4">
<CustomServiceCommand platform="Undefined"></CustomServiceCommand>
<CustomServiceCommand platform="ipf"></CustomServiceCommand>
<CustomServiceCommand platform="ipfilter"></CustomServiceCommand>
<CustomServiceCommand platform="ipfw"></CustomServiceCommand>
<CustomServiceCommand platform="Undefined"/>
<CustomServiceCommand platform="ipf"/>
<CustomServiceCommand platform="ipfilter"/>
<CustomServiceCommand platform="ipfw"/>
<CustomServiceCommand platform="iptables">-m string --string test_pattern</CustomServiceCommand>
<CustomServiceCommand platform="pf"></CustomServiceCommand>
<CustomServiceCommand platform="pix"></CustomServiceCommand>
<CustomServiceCommand platform="unknown"></CustomServiceCommand>
<CustomServiceCommand platform="pf"/>
<CustomServiceCommand platform="pix"/>
<CustomServiceCommand platform="unknown"/>
</CustomService>
<CustomService id="id3B64EF54" name="talk" comment="Talk protocol support. Works in iptables and requires patch-o-matic.&#10;For more information look for patch-o-matic on http://www.netfilter.org/" ro="False" protocol="any" address_family="ipv4">
<CustomServiceCommand platform="Undefined"></CustomServiceCommand>
<CustomServiceCommand platform="ipf"></CustomServiceCommand>
<CustomServiceCommand platform="ipfilter"></CustomServiceCommand>
<CustomServiceCommand platform="ipfw"></CustomServiceCommand>
<CustomServiceCommand platform="Undefined"/>
<CustomServiceCommand platform="ipf"/>
<CustomServiceCommand platform="ipfilter"/>
<CustomServiceCommand platform="ipfw"/>
<CustomServiceCommand platform="iptables">-m talk</CustomServiceCommand>
<CustomServiceCommand platform="pf"></CustomServiceCommand>
<CustomServiceCommand platform="pix"></CustomServiceCommand>
<CustomServiceCommand platform="unknown"></CustomServiceCommand>
<CustomServiceCommand platform="pf"/>
<CustomServiceCommand platform="pix"/>
<CustomServiceCommand platform="unknown"/>
</CustomService>
</ServiceGroup>
<ServiceGroup id="stdid19" name="TagServices" comment="" ro="False"/>
@ -435,7 +435,7 @@
<FailoverClusterGroup id="id2719X89830" type="vrrp" name="cluster3:vrrp0:members" comment="">
<ClusterGroupOptions>
<Option name="vrrp_secret">vrrp_secret</Option>
<Option name="vrrp_vrid"></Option>
<Option name="vrrp_vrid"/>
</ClusterGroupOptions>
</FailoverClusterGroup>
<StateSyncClusterGroup id="id2762X92940" type="conntrack" name="State Sync Group-1" comment="">
@ -453,18 +453,18 @@
<Option name="iface_disablearp">False</Option>
<Option name="iface_disableboot">False</Option>
<Option name="iface_mtu">1500</Option>
<Option name="iface_options"></Option>
<Option name="iface_options"/>
<Option name="type">bridge</Option>
<Option name="vlan_id"></Option>
<Option name="vlan_id"/>
</InterfaceOptions>
<Interface id="id10491X48869" dedicated_failover="False" dyn="False" label="" security_level="0" unnum="False" unprotected="False" name="eth2" comment="" ro="False">
<InterfaceOptions>
<Option name="iface_disablearp">False</Option>
<Option name="iface_disableboot">False</Option>
<Option name="iface_mtu">1500</Option>
<Option name="iface_options"></Option>
<Option name="iface_options"/>
<Option name="type">ethernet</Option>
<Option name="vlan_id"></Option>
<Option name="vlan_id"/>
</InterfaceOptions>
</Interface>
<Interface id="id10493X48869" dedicated_failover="False" dyn="False" label="" security_level="0" unnum="False" unprotected="False" name="eth3" comment="" ro="False">
@ -501,7 +501,7 @@
<Option name="iface_disablearp">False</Option>
<Option name="iface_disableboot">False</Option>
<Option name="iface_mtu">1500</Option>
<Option name="iface_options"></Option>
<Option name="iface_options"/>
<Option name="type">8021q</Option>
<Option name="vlan_id">100</Option>
</InterfaceOptions>
@ -512,7 +512,7 @@
<Option name="iface_disablearp">False</Option>
<Option name="iface_disableboot">False</Option>
<Option name="iface_mtu">1500</Option>
<Option name="iface_options"></Option>
<Option name="iface_options"/>
<Option name="type">8021q</Option>
<Option name="vlan_id">101</Option>
</InterfaceOptions>
@ -550,131 +550,152 @@
</NAT>
<Policy id="id2369X75741" name="Policy" comment="" ro="False" ipv4_rule_set="False" ipv6_rule_set="False" top_rule_set="True">
<PolicyRule id="id2913X78273" disabled="False" group="" log="True" position="0" action="Deny" direction="Inbound" comment="anti spoofing rule">
<Src neg="False">
<Src neg="False">
<ObjectRef ref="id3DC75CE7-1"/>
</Src>
<Dst neg="False">
<Dst neg="False">
<ObjectRef ref="sysid0"/>
</Dst>
<Srv neg="False">
<Srv neg="False">
<ServiceRef ref="sysid1"/>
</Srv>
<Itf neg="False">
<Itf neg="False">
<ObjectRef ref="sysid0"/>
</Itf>
<When neg="False">
<When neg="False">
<IntervalRef ref="sysid2"/>
</When>
<PolicyRuleOptions/>
</PolicyRule>
<PolicyRuleOptions>
<Option name="pf_classify_str"/>
</PolicyRuleOptions>
</PolicyRule>
<PolicyRule id="id2896X78273" disabled="False" group="" log="False" position="1" action="Accept" direction="Both" comment="">
<Src neg="False">
<Src neg="False">
<ObjectRef ref="sysid0"/>
</Src>
<Dst neg="False">
<Dst neg="False">
<ObjectRef ref="sysid0"/>
</Dst>
<Srv neg="False">
<Srv neg="False">
<ServiceRef ref="sysid1"/>
</Srv>
<Itf neg="False">
<Itf neg="False">
<ObjectRef ref="sysid0"/>
</Itf>
<When neg="False">
<When neg="False">
<IntervalRef ref="sysid2"/>
</When>
<PolicyRuleOptions/>
</PolicyRule>
<PolicyRuleOptions>
<Option name="pf_classify_str"/>
</PolicyRuleOptions>
</PolicyRule>
<PolicyRule id="id2879X78273" disabled="False" group="" log="False" position="2" action="Accept" direction="Both" comment="SSH Access to firewall is permitted&#10;only from internal network">
<Src neg="False">
<Src neg="False">
<ObjectRef ref="id3DC75CE7-1"/>
</Src>
<Dst neg="False">
<Dst neg="False">
<ObjectRef ref="sysid0"/>
</Dst>
<Srv neg="False">
<Srv neg="False">
<ServiceRef ref="tcp-SSH"/>
</Srv>
<Itf neg="False">
<Itf neg="False">
<ObjectRef ref="sysid0"/>
</Itf>
<When neg="False">
<When neg="False">
<IntervalRef ref="sysid2"/>
</When>
<PolicyRuleOptions/>
</PolicyRule>
<PolicyRuleOptions>
<Option name="pf_classify_str"/>
</PolicyRuleOptions>
</PolicyRule>
<PolicyRule id="id2862X78273" disabled="False" group="" log="True" position="3" action="Accept" direction="Both" comment="Firewall uses one of the machines&#10;on internal network for DNS">
<Src neg="False">
<Src neg="False">
<ObjectRef ref="sysid0"/>
</Src>
<Dst neg="False">
<Dst neg="False">
<ObjectRef ref="id3DC75CE7-1"/>
</Dst>
<Srv neg="False">
<Srv neg="False">
<ServiceRef ref="id3F530CC8"/>
</Srv>
<Itf neg="False">
<Itf neg="False">
<ObjectRef ref="sysid0"/>
</Itf>
<When neg="False">
<When neg="False">
<IntervalRef ref="sysid2"/>
</When>
<PolicyRuleOptions/>
</PolicyRule>
<PolicyRuleOptions>
<Option name="pf_classify_str"/>
</PolicyRuleOptions>
</PolicyRule>
<PolicyRule id="id2845X78273" disabled="False" group="" log="True" position="4" action="Deny" direction="Both" comment="All other attempts to connect to&#10;the firewall are denied and logged">
<Src neg="False">
<Src neg="False">
<ObjectRef ref="sysid0"/>
</Src>
<Dst neg="False">
<Dst neg="False">
<ObjectRef ref="sysid0"/>
</Dst>
<Srv neg="False">
<Srv neg="False">
<ServiceRef ref="sysid1"/>
</Srv>
<Itf neg="False">
<Itf neg="False">
<ObjectRef ref="sysid0"/>
</Itf>
<When neg="False">
<When neg="False">
<IntervalRef ref="sysid2"/>
</When>
<PolicyRuleOptions/>
</PolicyRule>
<PolicyRuleOptions>
<Option name="pf_classify_str"/>
</PolicyRuleOptions>
</PolicyRule>
<PolicyRule id="id2828X78273" disabled="False" group="" log="False" position="5" action="Accept" direction="Both" comment="">
<Src neg="False">
<Src neg="False">
<ObjectRef ref="id3DC75CE7-1"/>
</Src>
<Dst neg="False">
<Dst neg="False">
<ObjectRef ref="sysid0"/>
</Dst>
<Srv neg="False">
<Srv neg="False">
<ServiceRef ref="sysid1"/>
</Srv>
<Itf neg="False">
<Itf neg="False">
<ObjectRef ref="sysid0"/>
</Itf>
<When neg="False">
<When neg="False">
<IntervalRef ref="sysid2"/>
</When>
<PolicyRuleOptions/>
</PolicyRule>
<PolicyRuleOptions>
<Option name="pf_classify_str"/>
</PolicyRuleOptions>
</PolicyRule>
<PolicyRule id="id2811X78273" disabled="False" group="" log="True" position="6" action="Deny" direction="Both" comment="">
<Src neg="False">
<Src neg="False">
<ObjectRef ref="sysid0"/>
</Src>
<Dst neg="False">
<Dst neg="False">
<ObjectRef ref="sysid0"/>
</Dst>
<Srv neg="False">
<Srv neg="False">
<ServiceRef ref="sysid1"/>
</Srv>
<Itf neg="False">
<Itf neg="False">
<ObjectRef ref="sysid0"/>
</Itf>
<When neg="False">
<When neg="False">
<IntervalRef ref="sysid2"/>
</When>
<PolicyRuleOptions/>
</PolicyRule>
<PolicyRuleOptions>
<Option name="pf_classify_str"/>
</PolicyRuleOptions>
</PolicyRule>
<RuleSetOptions/>
</Policy>
<Routing id="id2371X75741" name="Routing" comment="" ro="False" ipv4_rule_set="False" ipv6_rule_set="False" top_rule_set="True">
@ -746,132 +767,150 @@
</NAT>
<Policy id="id2780X94039" name="Policy" comment="" ro="False" ipv4_rule_set="False" ipv6_rule_set="False" top_rule_set="True">
<PolicyRule id="id3055X14356" disabled="False" group="" log="False" position="0" action="Accept" direction="Both" comment="">
<Src neg="False">
<Src neg="False">
<ObjectRef ref="sysid0"/>
</Src>
<Dst neg="False">
<Dst neg="False">
<ObjectRef ref="id3054X14356"/>
</Dst>
<Srv neg="False">
<Srv neg="False">
<ServiceRef ref="id3068X14356"/>
</Srv>
<Itf neg="False">
<Itf neg="False">
<ObjectRef ref="sysid0"/>
</Itf>
<When neg="False">
<When neg="False">
<IntervalRef ref="sysid2"/>
</When>
<PolicyRuleOptions>
<PolicyRuleOptions>
<Option name="stateless">False</Option>
<Option name="pf_classify_str"/>
</PolicyRuleOptions>
</PolicyRule>
</PolicyRule>
<PolicyRule id="id2781X94039" disabled="False" group="" log="True" position="1" action="Deny" direction="Inbound" comment="anti spoofing rule">
<Src neg="False">
<Src neg="False">
<ObjectRef ref="id3DC75CE7-1"/>
</Src>
<Dst neg="False">
<Dst neg="False">
<ObjectRef ref="sysid0"/>
</Dst>
<Srv neg="False">
<Srv neg="False">
<ServiceRef ref="sysid1"/>
</Srv>
<Itf neg="False">
<Itf neg="False">
<ObjectRef ref="sysid0"/>
</Itf>
<When neg="False">
<When neg="False">
<IntervalRef ref="sysid2"/>
</When>
<PolicyRuleOptions/>
</PolicyRule>
<PolicyRuleOptions>
<Option name="pf_classify_str"/>
</PolicyRuleOptions>
</PolicyRule>
<PolicyRule id="id2794X94039" disabled="False" group="" log="False" position="2" action="Accept" direction="Both" comment="">
<Src neg="False">
<Src neg="False">
<ObjectRef ref="sysid0"/>
</Src>
<Dst neg="False">
<Dst neg="False">
<ObjectRef ref="sysid0"/>
</Dst>
<Srv neg="False">
<Srv neg="False">
<ServiceRef ref="sysid1"/>
</Srv>
<Itf neg="False">
<Itf neg="False">
<ObjectRef ref="sysid0"/>
</Itf>
<When neg="False">
<When neg="False">
<IntervalRef ref="sysid2"/>
</When>
<PolicyRuleOptions/>
</PolicyRule>
<PolicyRuleOptions>
<Option name="pf_classify_str"/>
</PolicyRuleOptions>
</PolicyRule>
<PolicyRule id="id2806X94039" disabled="False" group="" log="False" position="3" action="Accept" direction="Both" comment="SSH Access to firewall is permitted&#10;only from internal network">
<Src neg="False">
<Src neg="False">
<ObjectRef ref="id3DC75CE7-1"/>
</Src>
<Dst neg="False">
<Dst neg="False">
<ObjectRef ref="sysid0"/>
</Dst>
<Srv neg="False">
<Srv neg="False">
<ServiceRef ref="tcp-SSH"/>
</Srv>
<Itf neg="False">
<Itf neg="False">
<ObjectRef ref="sysid0"/>
</Itf>
<When neg="False">
<When neg="False">
<IntervalRef ref="sysid2"/>
</When>
<PolicyRuleOptions/>
</PolicyRule>
<PolicyRuleOptions>
<Option name="pf_classify_str"/>
</PolicyRuleOptions>
</PolicyRule>
<PolicyRule id="id3725X2234" disabled="False" group="" log="False" position="4" action="Accept" direction="Both" comment="SSH Access to firewall is permitted&#10;only from internal network">
<Src neg="False">
<Src neg="False">
<ObjectRef ref="id3DC75CE7-1"/>
</Src>
<Dst neg="False">
<Dst neg="False">
<ObjectRef ref="sysid0"/>
</Dst>
<Srv neg="False">
<Srv neg="False">
<ServiceRef ref="tcp-SSH"/>
</Srv>
<Itf neg="False">
<Itf neg="False">
<ObjectRef ref="sysid0"/>
</Itf>
<When neg="False">
<When neg="False">
<IntervalRef ref="sysid2"/>
</When>
<PolicyRuleOptions/>
</PolicyRule>
<PolicyRuleOptions>
<Option name="pf_classify_str"/>
</PolicyRuleOptions>
</PolicyRule>
<PolicyRule id="id2818X94039" disabled="False" group="" log="True" position="5" action="Accept" direction="Both" comment="Firewall uses one of the machines&#10;on internal network for DNS">
<Src neg="False">
<Src neg="False">
<ObjectRef ref="sysid0"/>
</Src>
<Dst neg="False">
<Dst neg="False">
<ObjectRef ref="id3DC75CE7-1"/>
</Dst>
<Srv neg="False">
<Srv neg="False">
<ServiceRef ref="id3F530CC8"/>
</Srv>
<Itf neg="False">
<Itf neg="False">
<ObjectRef ref="sysid0"/>
</Itf>
<When neg="False">
<When neg="False">
<IntervalRef ref="sysid2"/>
</When>
<PolicyRuleOptions/>
</PolicyRule>
<PolicyRuleOptions>
<Option name="pf_classify_str"/>
</PolicyRuleOptions>
</PolicyRule>
<PolicyRule id="id2830X94039" disabled="False" group="" log="True" position="6" action="Deny" direction="Both" comment="All other attempts to connect to&#10;the firewall are denied and logged">
<Src neg="False">
<Src neg="False">
<ObjectRef ref="sysid0"/>
</Src>
<Dst neg="False">
<Dst neg="False">
<ObjectRef ref="sysid0"/>
</Dst>
<Srv neg="False">
<Srv neg="False">
<ServiceRef ref="sysid1"/>
</Srv>
<Itf neg="False">
<Itf neg="False">
<ObjectRef ref="sysid0"/>
</Itf>
<When neg="False">
<When neg="False">
<IntervalRef ref="sysid2"/>
</When>
<PolicyRuleOptions>
<PolicyRuleOptions>
<Option name="connlimit_masklen">0</Option>
<Option name="connlimit_value">0</Option>
<Option name="firewall_is_part_of_any_and_networks">False</Option>
@ -884,75 +923,87 @@
<Option name="hashlimit_mode_dstport">False</Option>
<Option name="hashlimit_mode_srcip">False</Option>
<Option name="hashlimit_mode_srcport">False</Option>
<Option name="hashlimit_name"></Option>
<Option name="hashlimit_name"/>
<Option name="hashlimit_size">0</Option>
<Option name="hashlimit_suffix"></Option>
<Option name="hashlimit_suffix"/>
<Option name="hashlimit_value">0</Option>
<Option name="limit_burst">0</Option>
<Option name="limit_suffix"></Option>
<Option name="limit_suffix"/>
<Option name="limit_value">0</Option>
<Option name="log_level"></Option>
<Option name="log_prefix"></Option>
<Option name="log_level"/>
<Option name="log_prefix"/>
<Option name="stateless">True</Option>
<Option name="ulog_nlgroup">1</Option>
<Option name="pf_classify_str"/>
</PolicyRuleOptions>
</PolicyRule>
</PolicyRule>
<PolicyRule id="id2842X94039" disabled="False" group="" log="False" position="7" action="Accept" direction="Both" comment="">
<Src neg="False">
<Src neg="False">
<ObjectRef ref="id3DC75CE7-1"/>
</Src>
<Dst neg="False">
<Dst neg="False">
<ObjectRef ref="sysid0"/>
</Dst>
<Srv neg="False">
<Srv neg="False">
<ServiceRef ref="sysid1"/>
</Srv>
<Itf neg="False">
<Itf neg="False">
<ObjectRef ref="sysid0"/>
</Itf>
<When neg="False">
<When neg="False">
<IntervalRef ref="sysid2"/>
</When>
<PolicyRuleOptions/>
</PolicyRule>
<PolicyRule id="id2854X94039" disabled="False" group="" log="True" position="8" action="Deny" direction="Both" comment="">
<Src neg="False">
<ObjectRef ref="sysid0"/>
</Src>
<Dst neg="False">
<ObjectRef ref="sysid0"/>
</Dst>
<Srv neg="False">
<ServiceRef ref="sysid1"/>
</Srv>
<Itf neg="False">
<ObjectRef ref="sysid0"/>
</Itf>
<When neg="False">
<IntervalRef ref="sysid2"/>
</When>
<PolicyRuleOptions/>
</PolicyRule>
<PolicyRule id="id3087X2234" disabled="False" group="" log="True" position="9" action="Deny" direction="Both" comment="">
<Src neg="False">
<ObjectRef ref="sysid0"/>
</Src>
<Dst neg="False">
<ObjectRef ref="sysid0"/>
</Dst>
<Srv neg="False">
<ServiceRef ref="sysid1"/>
</Srv>
<Itf neg="False">
<ObjectRef ref="sysid0"/>
</Itf>
<When neg="False">
<IntervalRef ref="sysid2"/>
</When>
<PolicyRuleOptions>
<Option name="stateless">True</Option>
<PolicyRuleOptions>
<Option name="pf_classify_str"/>
</PolicyRuleOptions>
</PolicyRule>
</PolicyRule>
<PolicyRule id="id2854X94039" disabled="False" group="" log="True" position="8" action="Deny" direction="Both" comment="">
<Src neg="False">
<ObjectRef ref="sysid0"/>
</Src>
<Dst neg="False">
<ObjectRef ref="sysid0"/>
</Dst>
<Srv neg="False">
<ServiceRef ref="sysid1"/>
</Srv>
<Itf neg="False">
<ObjectRef ref="sysid0"/>
</Itf>
<When neg="False">
<IntervalRef ref="sysid2"/>
</When>
<PolicyRuleOptions>
<Option name="pf_classify_str"/>
</PolicyRuleOptions>
</PolicyRule>
<PolicyRule id="id3087X2234" disabled="False" group="" log="True" position="9" action="Deny" direction="Both" comment="">
<Src neg="False">
<ObjectRef ref="sysid0"/>
</Src>
<Dst neg="False">
<ObjectRef ref="sysid0"/>
</Dst>
<Srv neg="False">
<ServiceRef ref="sysid1"/>
</Srv>
<Itf neg="False">
<ObjectRef ref="sysid0"/>
</Itf>
<When neg="False">
<IntervalRef ref="sysid2"/>
</When>
<PolicyRuleOptions>
<Option name="stateless">True</Option>
<Option name="pf_classify_str"/>
</PolicyRuleOptions>
</PolicyRule>
<RuleSetOptions/>
</Policy>
<Routing id="id2881X94039" name="Routing" comment="" ro="False" ipv4_rule_set="False" ipv6_rule_set="False" top_rule_set="True">
@ -1078,16 +1129,16 @@
<FirewallOptions>
<Option name="accept_established">True</Option>
<Option name="accept_new_tcp_with_no_syn">True</Option>
<Option name="action_on_reject"></Option>
<Option name="activationCmd"></Option>
<Option name="admUser"></Option>
<Option name="altAddress"></Option>
<Option name="action_on_reject"/>
<Option name="activationCmd"/>
<Option name="admUser"/>
<Option name="altAddress"/>
<Option name="bridging_fw">False</Option>
<Option name="check_shading">False</Option>
<Option name="clamp_mss_to_mtu">False</Option>
<Option name="classify_mark_terminating">False</Option>
<Option name="cmdline"></Option>
<Option name="compiler"></Option>
<Option name="cmdline"/>
<Option name="compiler"/>
<Option name="configure_bonding_interfaces">True</Option>
<Option name="configure_bridge_interfaces">True</Option>
<Option name="configure_interfaces">True</Option>
@ -1095,14 +1146,14 @@
<Option name="debug">False</Option>
<Option name="drop_invalid">False</Option>
<Option name="eliminate_duplicates">true</Option>
<Option name="epilog_script"></Option>
<Option name="epilog_script"/>
<Option name="firewall_dir">/etc</Option>
<Option name="firewall_is_part_of_any_and_networks">True</Option>
<Option name="flush_and_set_default_policy">True</Option>
<Option name="freebsd_ip_forward">1</Option>
<Option name="ignore_empty_groups">False</Option>
<Option name="ipv4_6_order">ipv4_first</Option>
<Option name="limit_suffix"></Option>
<Option name="limit_suffix"/>
<Option name="limit_value">0</Option>
<Option name="linux24_ip_forward">1</Option>
<Option name="load_modules">True</Option>
@ -1117,11 +1168,11 @@
<Option name="loopback_interface">lo</Option>
<Option name="macosx_ip_forward">1</Option>
<Option name="manage_virtual_addr">True</Option>
<Option name="mgmt_addr"></Option>
<Option name="mgmt_addr"/>
<Option name="mgmt_ssh">False</Option>
<Option name="modules_dir">/lib/modules/`uname -r`/kernel/net/</Option>
<Option name="openbsd_ip_forward">1</Option>
<Option name="output_file"></Option>
<Option name="output_file"/>
<Option name="pf_limit_frags">5000</Option>
<Option name="pf_limit_states">10000</Option>
<Option name="pf_timeout_frag">30</Option>
@ -1139,13 +1190,13 @@
<Option name="pix_syslog_device_id_supported">false</Option>
<Option name="pix_use_acl_remarks">true</Option>
<Option name="prolog_place">top</Option>
<Option name="prolog_script"></Option>
<Option name="scpArgs"></Option>
<Option name="prolog_script"/>
<Option name="scpArgs"/>
<Option name="secuwall_add_files">False</Option>
<Option name="secuwall_add_files_dir">/opt/secuwall/templates/default</Option>
<Option name="secuwall_dns_reso1">files</Option>
<Option name="solaris_ip_forward">1</Option>
<Option name="sshArgs"></Option>
<Option name="sshArgs"/>
<Option name="ulog_cprange">0</Option>
<Option name="ulog_nlgroup">1</Option>
<Option name="ulog_qthreshold">1</Option>
@ -1201,29 +1252,29 @@
<FirewallOptions>
<Option name="accept_established">True</Option>
<Option name="accept_new_tcp_with_no_syn">True</Option>
<Option name="action_on_reject"></Option>
<Option name="activationCmd"></Option>
<Option name="admUser"></Option>
<Option name="altAddress"></Option>
<Option name="action_on_reject"/>
<Option name="activationCmd"/>
<Option name="admUser"/>
<Option name="altAddress"/>
<Option name="bridging_fw">False</Option>
<Option name="check_shading">False</Option>
<Option name="clamp_mss_to_mtu">False</Option>
<Option name="classify_mark_terminating">False</Option>
<Option name="cmdline"></Option>
<Option name="compiler"></Option>
<Option name="cmdline"/>
<Option name="compiler"/>
<Option name="configure_interfaces">True</Option>
<Option name="configure_vlan_interfaces">True</Option>
<Option name="debug">False</Option>
<Option name="drop_invalid">False</Option>
<Option name="eliminate_duplicates">true</Option>
<Option name="epilog_script"></Option>
<Option name="epilog_script"/>
<Option name="firewall_dir">/etc</Option>
<Option name="firewall_is_part_of_any_and_networks">True</Option>
<Option name="flush_and_set_default_policy">True</Option>
<Option name="freebsd_ip_forward">1</Option>
<Option name="ignore_empty_groups">False</Option>
<Option name="ipv4_6_order">ipv4_first</Option>
<Option name="limit_suffix"></Option>
<Option name="limit_suffix"/>
<Option name="limit_value">0</Option>
<Option name="linux24_ip_forward">1</Option>
<Option name="load_modules">True</Option>
@ -1238,11 +1289,11 @@
<Option name="loopback_interface">lo</Option>
<Option name="macosx_ip_forward">1</Option>
<Option name="manage_virtual_addr">True</Option>
<Option name="mgmt_addr"></Option>
<Option name="mgmt_addr"/>
<Option name="mgmt_ssh">False</Option>
<Option name="modules_dir">/lib/modules/`uname -r`/kernel/net/</Option>
<Option name="openbsd_ip_forward">1</Option>
<Option name="output_file"></Option>
<Option name="output_file"/>
<Option name="pf_limit_frags">5000</Option>
<Option name="pf_limit_states">10000</Option>
<Option name="pf_timeout_frag">30</Option>
@ -1260,13 +1311,13 @@
<Option name="pix_syslog_device_id_supported">false</Option>
<Option name="pix_use_acl_remarks">true</Option>
<Option name="prolog_place">top</Option>
<Option name="prolog_script"></Option>
<Option name="scpArgs"></Option>
<Option name="prolog_script"/>
<Option name="scpArgs"/>
<Option name="secuwall_add_files">False</Option>
<Option name="secuwall_add_files_dir">/opt/secuwall/templates/default</Option>
<Option name="secuwall_dns_reso1">files</Option>
<Option name="solaris_ip_forward">1</Option>
<Option name="sshArgs"></Option>
<Option name="sshArgs"/>
<Option name="ulog_cprange">0</Option>
<Option name="ulog_nlgroup">1</Option>
<Option name="ulog_qthreshold">1</Option>
@ -1306,28 +1357,28 @@
<FirewallOptions>
<Option name="accept_established">True</Option>
<Option name="accept_new_tcp_with_no_syn">True</Option>
<Option name="action_on_reject"></Option>
<Option name="activationCmd"></Option>
<Option name="admUser"></Option>
<Option name="altAddress"></Option>
<Option name="action_on_reject"/>
<Option name="activationCmd"/>
<Option name="admUser"/>
<Option name="altAddress"/>
<Option name="bridging_fw">False</Option>
<Option name="check_shading">False</Option>
<Option name="clamp_mss_to_mtu">False</Option>
<Option name="classify_mark_terminating">False</Option>
<Option name="cmdline"></Option>
<Option name="compiler"></Option>
<Option name="cmdline"/>
<Option name="compiler"/>
<Option name="configure_interfaces">True</Option>
<Option name="debug">False</Option>
<Option name="drop_invalid">False</Option>
<Option name="eliminate_duplicates">true</Option>
<Option name="epilog_script"></Option>
<Option name="epilog_script"/>
<Option name="firewall_dir">/etc</Option>
<Option name="firewall_is_part_of_any_and_networks">True</Option>
<Option name="flush_and_set_default_policy">True</Option>
<Option name="freebsd_ip_forward">1</Option>
<Option name="ignore_empty_groups">False</Option>
<Option name="ipv4_6_order">ipv4_first</Option>
<Option name="limit_suffix"></Option>
<Option name="limit_suffix"/>
<Option name="limit_value">0</Option>
<Option name="linux24_ip_forward">1</Option>
<Option name="load_modules">True</Option>
@ -1342,11 +1393,11 @@
<Option name="loopback_interface">lo</Option>
<Option name="macosx_ip_forward">1</Option>
<Option name="manage_virtual_addr">True</Option>
<Option name="mgmt_addr"></Option>
<Option name="mgmt_addr"/>
<Option name="mgmt_ssh">False</Option>
<Option name="modules_dir">/lib/modules/`uname -r`/kernel/net/</Option>
<Option name="openbsd_ip_forward">1</Option>
<Option name="output_file"></Option>
<Option name="output_file"/>
<Option name="pf_limit_frags">5000</Option>
<Option name="pf_limit_states">10000</Option>
<Option name="pf_timeout_frag">30</Option>
@ -1364,13 +1415,13 @@
<Option name="pix_syslog_device_id_supported">false</Option>
<Option name="pix_use_acl_remarks">true</Option>
<Option name="prolog_place">top</Option>
<Option name="prolog_script"></Option>
<Option name="scpArgs"></Option>
<Option name="prolog_script"/>
<Option name="scpArgs"/>
<Option name="secuwall_add_files">False</Option>
<Option name="secuwall_add_files_dir">/opt/secuwall/templates/default</Option>
<Option name="secuwall_dns_reso1">files</Option>
<Option name="solaris_ip_forward">1</Option>
<Option name="sshArgs"></Option>
<Option name="sshArgs"/>
<Option name="ulog_cprange">0</Option>
<Option name="ulog_nlgroup">1</Option>
<Option name="ulog_qthreshold">1</Option>
@ -1403,9 +1454,9 @@
<Option name="iface_disablearp">False</Option>
<Option name="iface_disableboot">False</Option>
<Option name="iface_mtu">1500</Option>
<Option name="iface_options"></Option>
<Option name="iface_options"/>
<Option name="type">ethernet</Option>
<Option name="vlan_id"></Option>
<Option name="vlan_id"/>
</InterfaceOptions>
</Interface>
<Interface id="id4038X2906" dedicated_failover="False" dyn="False" label="" mgmt="False" security_level="100" unnum="False" unprotected="False" name="lo" comment="" ro="False">
@ -1423,28 +1474,28 @@
<FirewallOptions>
<Option name="accept_established">True</Option>
<Option name="accept_new_tcp_with_no_syn">True</Option>
<Option name="action_on_reject"></Option>
<Option name="activationCmd"></Option>
<Option name="admUser"></Option>
<Option name="altAddress"></Option>
<Option name="action_on_reject"/>
<Option name="activationCmd"/>
<Option name="admUser"/>
<Option name="altAddress"/>
<Option name="bridging_fw">False</Option>
<Option name="check_shading">False</Option>
<Option name="clamp_mss_to_mtu">False</Option>
<Option name="classify_mark_terminating">False</Option>
<Option name="cmdline"></Option>
<Option name="compiler"></Option>
<Option name="cmdline"/>
<Option name="compiler"/>
<Option name="configure_interfaces">True</Option>
<Option name="debug">False</Option>
<Option name="drop_invalid">False</Option>
<Option name="eliminate_duplicates">true</Option>
<Option name="epilog_script"></Option>
<Option name="epilog_script"/>
<Option name="firewall_dir">/etc</Option>
<Option name="firewall_is_part_of_any_and_networks">True</Option>
<Option name="flush_and_set_default_policy">True</Option>
<Option name="freebsd_ip_forward">1</Option>
<Option name="ignore_empty_groups">False</Option>
<Option name="ipv4_6_order">ipv4_first</Option>
<Option name="limit_suffix"></Option>
<Option name="limit_suffix"/>
<Option name="limit_value">0</Option>
<Option name="linux24_ip_forward">1</Option>
<Option name="load_modules">True</Option>
@ -1459,11 +1510,11 @@
<Option name="loopback_interface">lo</Option>
<Option name="macosx_ip_forward">1</Option>
<Option name="manage_virtual_addr">True</Option>
<Option name="mgmt_addr"></Option>
<Option name="mgmt_addr"/>
<Option name="mgmt_ssh">False</Option>
<Option name="modules_dir">/lib/modules/`uname -r`/kernel/net/</Option>
<Option name="openbsd_ip_forward">1</Option>
<Option name="output_file"></Option>
<Option name="output_file"/>
<Option name="pf_limit_frags">5000</Option>
<Option name="pf_limit_states">10000</Option>
<Option name="pf_timeout_frag">30</Option>
@ -1481,13 +1532,13 @@
<Option name="pix_syslog_device_id_supported">false</Option>
<Option name="pix_use_acl_remarks">true</Option>
<Option name="prolog_place">top</Option>
<Option name="prolog_script"></Option>
<Option name="scpArgs"></Option>
<Option name="prolog_script"/>
<Option name="scpArgs"/>
<Option name="secuwall_add_files">False</Option>
<Option name="secuwall_add_files_dir">/opt/secuwall/templates/default</Option>
<Option name="secuwall_dns_reso1">files</Option>
<Option name="solaris_ip_forward">1</Option>
<Option name="sshArgs"></Option>
<Option name="sshArgs"/>
<Option name="ulog_cprange">0</Option>
<Option name="ulog_nlgroup">1</Option>
<Option name="ulog_qthreshold">1</Option>
@ -1534,9 +1585,9 @@
<Option name="iface_disablearp">False</Option>
<Option name="iface_disableboot">False</Option>
<Option name="iface_mtu">1500</Option>
<Option name="iface_options"></Option>
<Option name="iface_options"/>
<Option name="type">bonding</Option>
<Option name="vlan_id"></Option>
<Option name="vlan_id"/>
</InterfaceOptions>
<Interface id="id3807X49120" dedicated_failover="False" dyn="False" label="" security_level="0" unnum="False" unprotected="False" name="eth2" comment="" ro="False">
<InterfaceOptions>
@ -1559,28 +1610,28 @@
<FirewallOptions>
<Option name="accept_established">True</Option>
<Option name="accept_new_tcp_with_no_syn">True</Option>
<Option name="action_on_reject"></Option>
<Option name="activationCmd"></Option>
<Option name="admUser"></Option>
<Option name="altAddress"></Option>
<Option name="action_on_reject"/>
<Option name="activationCmd"/>
<Option name="admUser"/>
<Option name="altAddress"/>
<Option name="bridging_fw">False</Option>
<Option name="check_shading">False</Option>
<Option name="clamp_mss_to_mtu">False</Option>
<Option name="classify_mark_terminating">False</Option>
<Option name="cmdline"></Option>
<Option name="compiler"></Option>
<Option name="cmdline"/>
<Option name="compiler"/>
<Option name="configure_interfaces">True</Option>
<Option name="debug">False</Option>
<Option name="drop_invalid">False</Option>
<Option name="eliminate_duplicates">true</Option>
<Option name="epilog_script"></Option>
<Option name="epilog_script"/>
<Option name="firewall_dir">/etc</Option>
<Option name="firewall_is_part_of_any_and_networks">True</Option>
<Option name="flush_and_set_default_policy">True</Option>
<Option name="freebsd_ip_forward">1</Option>
<Option name="ignore_empty_groups">False</Option>
<Option name="ipv4_6_order">ipv4_first</Option>
<Option name="limit_suffix"></Option>
<Option name="limit_suffix"/>
<Option name="limit_value">0</Option>
<Option name="linux24_ip_forward">1</Option>
<Option name="load_modules">True</Option>
@ -1595,11 +1646,11 @@
<Option name="loopback_interface">lo</Option>
<Option name="macosx_ip_forward">1</Option>
<Option name="manage_virtual_addr">True</Option>
<Option name="mgmt_addr"></Option>
<Option name="mgmt_addr"/>
<Option name="mgmt_ssh">False</Option>
<Option name="modules_dir">/lib/modules/`uname -r`/kernel/net/</Option>
<Option name="openbsd_ip_forward">1</Option>
<Option name="output_file"></Option>
<Option name="output_file"/>
<Option name="pf_limit_frags">5000</Option>
<Option name="pf_limit_states">10000</Option>
<Option name="pf_timeout_frag">30</Option>
@ -1617,13 +1668,13 @@
<Option name="pix_syslog_device_id_supported">false</Option>
<Option name="pix_use_acl_remarks">true</Option>
<Option name="prolog_place">top</Option>
<Option name="prolog_script"></Option>
<Option name="scpArgs"></Option>
<Option name="prolog_script"/>
<Option name="scpArgs"/>
<Option name="secuwall_add_files">False</Option>
<Option name="secuwall_add_files_dir">/opt/secuwall/templates/default</Option>
<Option name="secuwall_dns_reso1">files</Option>
<Option name="solaris_ip_forward">1</Option>
<Option name="sshArgs"></Option>
<Option name="sshArgs"/>
<Option name="ulog_cprange">0</Option>
<Option name="ulog_nlgroup">1</Option>
<Option name="ulog_qthreshold">1</Option>
@ -1931,7 +1982,10 @@
</When>
<PolicyRuleOptions>
<Option name="stateless">False</Option>
</PolicyRuleOptions>
<Option name="pf_classify_str"/>
</PolicyRuleOptions>
</PolicyRule>
<PolicyRule id="id5954X26920" disabled="False" group="" log="False" position="1" action="Accept" direction="Both" comment="">
<Src neg="False">
@ -1951,7 +2005,10 @@
</When>
<PolicyRuleOptions>
<Option name="stateless">False</Option>
</PolicyRuleOptions>
<Option name="pf_classify_str"/>
</PolicyRuleOptions>
</PolicyRule>
<PolicyRule id="id7136X39764" disabled="False" group="" log="False" position="2" action="Accept" direction="Both" comment="">
<Src neg="False">
@ -1971,7 +2028,10 @@
</When>
<PolicyRuleOptions>
<Option name="stateless">False</Option>
</PolicyRuleOptions>
<Option name="pf_classify_str"/>
</PolicyRuleOptions>
</PolicyRule>
<PolicyRule id="id7162X39764" disabled="False" group="" log="False" position="3" action="Accept" direction="Both" comment="">
<Src neg="False">
@ -1991,7 +2051,10 @@
</When>
<PolicyRuleOptions>
<Option name="stateless">False</Option>
</PolicyRuleOptions>
<Option name="pf_classify_str"/>
</PolicyRuleOptions>
</PolicyRule>
<PolicyRule id="id7149X39764" disabled="False" group="" log="False" position="4" action="Accept" direction="Inbound" comment="">
<Src neg="False">
@ -2011,7 +2074,10 @@
</When>
<PolicyRuleOptions>
<Option name="stateless">False</Option>
</PolicyRuleOptions>
<Option name="pf_classify_str"/>
</PolicyRuleOptions>
</PolicyRule>
<PolicyRule id="id39043X28773" disabled="False" group="" log="False" position="5" action="Accept" direction="Inbound" comment="">
<Src neg="False">
@ -2031,7 +2097,10 @@
</When>
<PolicyRuleOptions>
<Option name="stateless">False</Option>
</PolicyRuleOptions>
<Option name="pf_classify_str"/>
</PolicyRuleOptions>
</PolicyRule>
<PolicyRule id="id5942X26920" disabled="False" group="" log="True" position="6" action="Deny" direction="Both" comment="">
<Src neg="False">
@ -2051,7 +2120,10 @@
</When>
<PolicyRuleOptions>
<Option name="stateless">True</Option>
</PolicyRuleOptions>
<Option name="pf_classify_str"/>
</PolicyRuleOptions>
</PolicyRule>
<RuleSetOptions/>
</Policy>
@ -2130,7 +2202,10 @@
</When>
<PolicyRuleOptions>
<Option name="stateless">True</Option>
</PolicyRuleOptions>
<Option name="pf_classify_str"/>
</PolicyRuleOptions>
</PolicyRule>
<RuleSetOptions/>
</Policy>
@ -2206,7 +2281,10 @@
</When>
<PolicyRuleOptions>
<Option name="stateless">True</Option>
</PolicyRuleOptions>
<Option name="pf_classify_str"/>
</PolicyRuleOptions>
</PolicyRule>
<PolicyRule id="id56069X50958" disabled="False" group="" log="False" position="1" action="Accept" direction="Both" comment="">
<Src neg="False">
@ -2226,7 +2304,10 @@
</When>
<PolicyRuleOptions>
<Option name="stateless">False</Option>
</PolicyRuleOptions>
<Option name="pf_classify_str"/>
</PolicyRuleOptions>
</PolicyRule>
<PolicyRule id="id4808X69263" disabled="False" group="test for interface group" log="False" position="2" action="Accept" direction="Both" comment="">
<Src neg="False">
@ -2248,7 +2329,10 @@
<PolicyRuleOptions>
<Option name="color">#C0BA44</Option>
<Option name="stateless">False</Option>
</PolicyRuleOptions>
<Option name="pf_classify_str"/>
</PolicyRuleOptions>
</PolicyRule>
<PolicyRule id="id24679X69263" disabled="False" group="test for interface group" log="False" position="3" action="Accept" direction="Both" comment="">
<Src neg="False">
@ -2269,7 +2353,10 @@
<PolicyRuleOptions>
<Option name="color">#C0BA44</Option>
<Option name="stateless">False</Option>
</PolicyRuleOptions>
<Option name="pf_classify_str"/>
</PolicyRuleOptions>
</PolicyRule>
<PolicyRule id="id72694X50958" disabled="False" group="" log="False" position="4" action="Accept" direction="Both" comment="">
<Src neg="False">
@ -2289,7 +2376,10 @@
</When>
<PolicyRuleOptions>
<Option name="stateless">False</Option>
</PolicyRuleOptions>
<Option name="pf_classify_str"/>
</PolicyRuleOptions>
</PolicyRule>
<PolicyRule id="id89654X50958" disabled="False" group="" log="False" position="5" action="Accept" direction="Both" comment="">
<Src neg="False">
@ -2310,7 +2400,10 @@
</When>
<PolicyRuleOptions>
<Option name="stateless">False</Option>
</PolicyRuleOptions>
<Option name="pf_classify_str"/>
</PolicyRuleOptions>
</PolicyRule>
<PolicyRule id="id106892X50958" disabled="False" group="" log="False" position="6" action="Accept" direction="Both" comment="">
<Src neg="False">
@ -2332,7 +2425,10 @@
</When>
<PolicyRuleOptions>
<Option name="stateless">False</Option>
</PolicyRuleOptions>
<Option name="pf_classify_str"/>
</PolicyRuleOptions>
</PolicyRule>
<PolicyRule id="id124525X50958" disabled="False" group="" log="False" position="7" action="Accept" direction="Inbound" comment="">
<Src neg="False">
@ -2352,7 +2448,10 @@
</When>
<PolicyRuleOptions>
<Option name="stateless">False</Option>
</PolicyRuleOptions>
<Option name="pf_classify_str"/>
</PolicyRuleOptions>
</PolicyRule>
<PolicyRule id="id124478X50958" disabled="False" group="" log="False" position="8" action="Accept" direction="Inbound" comment="">
<Src neg="False">
@ -2373,7 +2472,10 @@
</When>
<PolicyRuleOptions>
<Option name="stateless">False</Option>
</PolicyRuleOptions>
<Option name="pf_classify_str"/>
</PolicyRuleOptions>
</PolicyRule>
<PolicyRule id="id124667X50958" disabled="False" group="" log="False" position="9" action="Accept" direction="Outbound" comment="">
<Src neg="False">
@ -2393,7 +2495,10 @@
</When>
<PolicyRuleOptions>
<Option name="stateless">False</Option>
</PolicyRuleOptions>
<Option name="pf_classify_str"/>
</PolicyRuleOptions>
</PolicyRule>
<PolicyRule id="id124620X50958" disabled="False" group="" log="False" position="10" action="Accept" direction="Outbound" comment="">
<Src neg="False">
@ -2414,7 +2519,10 @@
</When>
<PolicyRuleOptions>
<Option name="stateless">False</Option>
</PolicyRuleOptions>
<Option name="pf_classify_str"/>
</PolicyRuleOptions>
</PolicyRule>
<PolicyRule id="id181105X50958" disabled="False" group="" log="False" position="11" action="Accept" direction="Both" comment="">
<Src neg="False">
@ -2434,7 +2542,10 @@
</When>
<PolicyRuleOptions>
<Option name="stateless">False</Option>
</PolicyRuleOptions>
<Option name="pf_classify_str"/>
</PolicyRuleOptions>
</PolicyRule>
<PolicyRule id="id181058X50958" disabled="False" group="" log="False" position="12" action="Accept" direction="Both" comment="">
<Src neg="False">
@ -2455,7 +2566,10 @@
</When>
<PolicyRuleOptions>
<Option name="stateless">False</Option>
</PolicyRuleOptions>
<Option name="pf_classify_str"/>
</PolicyRuleOptions>
</PolicyRule>
<RuleSetOptions/>
</Policy>
@ -2535,7 +2649,10 @@
</When>
<PolicyRuleOptions>
<Option name="stateless">True</Option>
</PolicyRuleOptions>
<Option name="pf_classify_str"/>
</PolicyRuleOptions>
</PolicyRule>
<RuleSetOptions/>
</Policy>
@ -2747,18 +2864,18 @@
</Management>
<FirewallOptions>
<Option name="accept_new_tcp_with_no_syn">False</Option>
<Option name="activationCmd"></Option>
<Option name="admUser"></Option>
<Option name="altAddress"></Option>
<Option name="activationCmd"/>
<Option name="admUser"/>
<Option name="altAddress"/>
<Option name="check_shading">False</Option>
<Option name="cmdline"></Option>
<Option name="compiler"></Option>
<Option name="cmdline"/>
<Option name="compiler"/>
<Option name="configure_carp_interfaces">True</Option>
<Option name="configure_interfaces">True</Option>
<Option name="configure_pfsync_interfaces">True</Option>
<Option name="configure_vlan_interfaces">True</Option>
<Option name="debug">False</Option>
<Option name="epilog_script"></Option>
<Option name="epilog_script"/>
<Option name="fallback_log">False</Option>
<Option name="firewall_dir">/etc</Option>
<Option name="ignore_empty_groups">False</Option>
@ -2767,11 +2884,11 @@
<Option name="log_prefix">RULE %N -- %A </Option>
<Option name="loopback_interface">lo0</Option>
<Option name="manage_virtual_addr">True</Option>
<Option name="mgmt_addr"></Option>
<Option name="mgmt_addr"/>
<Option name="mgmt_ssh">False</Option>
<Option name="modulate_state">False</Option>
<Option name="openbsd_ip_forward">1</Option>
<Option name="output_file"></Option>
<Option name="output_file"/>
<Option name="pass_all_out">false</Option>
<Option name="pf_adaptive_end">0</Option>
<Option name="pf_adaptive_start">0</Option>
@ -2791,7 +2908,7 @@
<Option name="pf_limit_states">10000</Option>
<Option name="pf_limit_table_entries">0</Option>
<Option name="pf_limit_tables">0</Option>
<Option name="pf_optimization"></Option>
<Option name="pf_optimization"/>
<Option name="pf_other_first">0</Option>
<Option name="pf_other_multiple">0</Option>
<Option name="pf_other_single">0</Option>
@ -2831,9 +2948,9 @@
<Option name="pf_udp_multiple">0</Option>
<Option name="pf_udp_single">0</Option>
<Option name="prolog_place">fw_file</Option>
<Option name="prolog_script"></Option>
<Option name="scpArgs"></Option>
<Option name="sshArgs"></Option>
<Option name="prolog_script"/>
<Option name="scpArgs"/>
<Option name="sshArgs"/>
</FirewallOptions>
</Firewall>
<Firewall id="id3337X26920" host_OS="openbsd" inactive="False" lastCompiled="1264267285" lastInstalled="0" lastModified="1297119444" platform="pf" version="4.x" name="openbsd-2" comment="" ro="False">
@ -2867,18 +2984,18 @@
</Management>
<FirewallOptions>
<Option name="accept_new_tcp_with_no_syn">False</Option>
<Option name="activationCmd"></Option>
<Option name="admUser"></Option>
<Option name="altAddress"></Option>
<Option name="activationCmd"/>
<Option name="admUser"/>
<Option name="altAddress"/>
<Option name="check_shading">False</Option>
<Option name="cmdline"></Option>
<Option name="compiler"></Option>
<Option name="cmdline"/>
<Option name="compiler"/>
<Option name="configure_carp_interfaces">True</Option>
<Option name="configure_interfaces">True</Option>
<Option name="configure_pfsync_interfaces">False</Option>
<Option name="configure_vlan_interfaces">False</Option>
<Option name="debug">False</Option>
<Option name="epilog_script"></Option>
<Option name="epilog_script"/>
<Option name="fallback_log">False</Option>
<Option name="firewall_dir">/etc</Option>
<Option name="ignore_empty_groups">False</Option>
@ -2887,11 +3004,11 @@
<Option name="log_prefix">RULE %N -- %A </Option>
<Option name="loopback_interface">lo0</Option>
<Option name="manage_virtual_addr">True</Option>
<Option name="mgmt_addr"></Option>
<Option name="mgmt_addr"/>
<Option name="mgmt_ssh">False</Option>
<Option name="modulate_state">False</Option>
<Option name="openbsd_ip_forward">1</Option>
<Option name="output_file"></Option>
<Option name="output_file"/>
<Option name="pass_all_out">false</Option>
<Option name="pf_adaptive_end">0</Option>
<Option name="pf_adaptive_start">0</Option>
@ -2911,7 +3028,7 @@
<Option name="pf_limit_states">10000</Option>
<Option name="pf_limit_table_entries">0</Option>
<Option name="pf_limit_tables">0</Option>
<Option name="pf_optimization"></Option>
<Option name="pf_optimization"/>
<Option name="pf_other_first">0</Option>
<Option name="pf_other_multiple">0</Option>
<Option name="pf_other_single">0</Option>
@ -2951,9 +3068,9 @@
<Option name="pf_udp_multiple">0</Option>
<Option name="pf_udp_single">0</Option>
<Option name="prolog_place">fw_file</Option>
<Option name="prolog_script"></Option>
<Option name="scpArgs"></Option>
<Option name="sshArgs"></Option>
<Option name="prolog_script"/>
<Option name="scpArgs"/>
<Option name="sshArgs"/>
</FirewallOptions>
</Firewall>
<Firewall id="id7290X42213" host_OS="freebsd" inactive="False" lastCompiled="1296754097" lastInstalled="0" lastModified="1296755154" platform="pf" version="4.x" name="freebsd-1" comment="" ro="False">
@ -2981,18 +3098,18 @@
</Management>
<FirewallOptions>
<Option name="accept_new_tcp_with_no_syn">False</Option>
<Option name="activationCmd"></Option>
<Option name="admUser"></Option>
<Option name="altAddress"></Option>
<Option name="activationCmd"/>
<Option name="admUser"/>
<Option name="altAddress"/>
<Option name="check_shading">False</Option>
<Option name="cmdline"></Option>
<Option name="compiler"></Option>
<Option name="cmdline"/>
<Option name="compiler"/>
<Option name="configure_carp_interfaces">True</Option>
<Option name="configure_interfaces">True</Option>
<Option name="configure_pfsync_interfaces">True</Option>
<Option name="configure_vlan_interfaces">True</Option>
<Option name="debug">False</Option>
<Option name="epilog_script"></Option>
<Option name="epilog_script"/>
<Option name="fallback_log">False</Option>
<Option name="firewall_dir">/etc</Option>
<Option name="freebsd_ip_forward">1</Option>
@ -3002,11 +3119,11 @@
<Option name="log_prefix">RULE %N -- %A </Option>
<Option name="loopback_interface">lo0</Option>
<Option name="manage_virtual_addr">True</Option>
<Option name="mgmt_addr"></Option>
<Option name="mgmt_addr"/>
<Option name="mgmt_ssh">False</Option>
<Option name="modulate_state">False</Option>
<Option name="openbsd_ip_forward">1</Option>
<Option name="output_file"></Option>
<Option name="output_file"/>
<Option name="pass_all_out">false</Option>
<Option name="pf_adaptive_end">0</Option>
<Option name="pf_adaptive_start">0</Option>
@ -3026,7 +3143,7 @@
<Option name="pf_limit_states">10000</Option>
<Option name="pf_limit_table_entries">0</Option>
<Option name="pf_limit_tables">0</Option>
<Option name="pf_optimization"></Option>
<Option name="pf_optimization"/>
<Option name="pf_other_first">0</Option>
<Option name="pf_other_multiple">0</Option>
<Option name="pf_other_single">0</Option>
@ -3066,9 +3183,9 @@
<Option name="pf_udp_multiple">0</Option>
<Option name="pf_udp_single">0</Option>
<Option name="prolog_place">fw_file</Option>
<Option name="prolog_script"></Option>
<Option name="scpArgs"></Option>
<Option name="sshArgs"></Option>
<Option name="prolog_script"/>
<Option name="scpArgs"/>
<Option name="sshArgs"/>
</FirewallOptions>
</Firewall>
<Firewall id="id7317X42213" host_OS="freebsd" inactive="False" lastCompiled="1296754097" lastInstalled="0" lastModified="1245802420" platform="pf" version="4.x" name="freebsd-2" comment="" ro="False">
@ -3096,18 +3213,18 @@
</Management>
<FirewallOptions>
<Option name="accept_new_tcp_with_no_syn">False</Option>
<Option name="activationCmd"></Option>
<Option name="admUser"></Option>
<Option name="altAddress"></Option>
<Option name="activationCmd"/>
<Option name="admUser"/>
<Option name="altAddress"/>
<Option name="check_shading">False</Option>
<Option name="cmdline"></Option>
<Option name="compiler"></Option>
<Option name="cmdline"/>
<Option name="compiler"/>
<Option name="configure_carp_interfaces">True</Option>
<Option name="configure_interfaces">True</Option>
<Option name="configure_pfsync_interfaces">False</Option>
<Option name="configure_vlan_interfaces">False</Option>
<Option name="debug">False</Option>
<Option name="epilog_script"></Option>
<Option name="epilog_script"/>
<Option name="fallback_log">False</Option>
<Option name="firewall_dir">/etc</Option>
<Option name="freebsd_ip_forward">1</Option>
@ -3117,11 +3234,11 @@
<Option name="log_prefix">RULE %N -- %A </Option>
<Option name="loopback_interface">lo0</Option>
<Option name="manage_virtual_addr">True</Option>
<Option name="mgmt_addr"></Option>
<Option name="mgmt_addr"/>
<Option name="mgmt_ssh">False</Option>
<Option name="modulate_state">False</Option>
<Option name="openbsd_ip_forward">1</Option>
<Option name="output_file"></Option>
<Option name="output_file"/>
<Option name="pass_all_out">false</Option>
<Option name="pf_adaptive_end">0</Option>
<Option name="pf_adaptive_start">0</Option>
@ -3141,7 +3258,7 @@
<Option name="pf_limit_states">10000</Option>
<Option name="pf_limit_table_entries">0</Option>
<Option name="pf_limit_tables">0</Option>
<Option name="pf_optimization"></Option>
<Option name="pf_optimization"/>
<Option name="pf_other_first">0</Option>
<Option name="pf_other_multiple">0</Option>
<Option name="pf_other_single">0</Option>
@ -3181,9 +3298,9 @@
<Option name="pf_udp_multiple">0</Option>
<Option name="pf_udp_single">0</Option>
<Option name="prolog_place">fw_file</Option>
<Option name="prolog_script"></Option>
<Option name="scpArgs"></Option>
<Option name="sshArgs"></Option>
<Option name="prolog_script"/>
<Option name="scpArgs"/>
<Option name="sshArgs"/>
</FirewallOptions>
</Firewall>
<Firewall id="id39233X50958" host_OS="openbsd" inactive="False" lastCompiled="0" lastInstalled="0" lastModified="1297119363" platform="pf" version="4.6" name="openbsd-3" comment="" ro="False">
@ -3229,18 +3346,18 @@
</Management>
<FirewallOptions>
<Option name="accept_new_tcp_with_no_syn">False</Option>
<Option name="activationCmd"></Option>
<Option name="admUser"></Option>
<Option name="altAddress"></Option>
<Option name="activationCmd"/>
<Option name="admUser"/>
<Option name="altAddress"/>
<Option name="check_shading">False</Option>
<Option name="cmdline"></Option>
<Option name="compiler"></Option>
<Option name="cmdline"/>
<Option name="compiler"/>
<Option name="configure_carp_interfaces">True</Option>
<Option name="configure_interfaces">True</Option>
<Option name="configure_pfsync_interfaces">True</Option>
<Option name="configure_vlan_interfaces">True</Option>
<Option name="debug">False</Option>
<Option name="epilog_script"></Option>
<Option name="epilog_script"/>
<Option name="fallback_log">False</Option>
<Option name="firewall_dir">/etc</Option>
<Option name="ignore_empty_groups">False</Option>
@ -3249,11 +3366,11 @@
<Option name="log_prefix">RULE %N -- %A </Option>
<Option name="loopback_interface">lo0</Option>
<Option name="manage_virtual_addr">True</Option>
<Option name="mgmt_addr"></Option>
<Option name="mgmt_addr"/>
<Option name="mgmt_ssh">False</Option>
<Option name="modulate_state">False</Option>
<Option name="openbsd_ip_forward">1</Option>
<Option name="output_file"></Option>
<Option name="output_file"/>
<Option name="pass_all_out">false</Option>
<Option name="pf_adaptive_end">0</Option>
<Option name="pf_adaptive_start">0</Option>
@ -3273,7 +3390,7 @@
<Option name="pf_limit_states">10000</Option>
<Option name="pf_limit_table_entries">0</Option>
<Option name="pf_limit_tables">0</Option>
<Option name="pf_optimization"></Option>
<Option name="pf_optimization"/>
<Option name="pf_other_first">0</Option>
<Option name="pf_other_multiple">0</Option>
<Option name="pf_other_single">0</Option>
@ -3313,9 +3430,9 @@
<Option name="pf_udp_multiple">0</Option>
<Option name="pf_udp_single">0</Option>
<Option name="prolog_place">fw_file</Option>
<Option name="prolog_script"></Option>
<Option name="scpArgs"></Option>
<Option name="sshArgs"></Option>
<Option name="prolog_script"/>
<Option name="scpArgs"/>
<Option name="sshArgs"/>
</FirewallOptions>
</Firewall>
<Firewall id="id39405X50958" host_OS="openbsd" inactive="False" lastCompiled="1264267285" lastInstalled="0" lastModified="1297119370" platform="pf" version="4.6" name="openbsd-4" comment="" ro="False">
@ -3361,18 +3478,18 @@
</Management>
<FirewallOptions>
<Option name="accept_new_tcp_with_no_syn">False</Option>
<Option name="activationCmd"></Option>
<Option name="admUser"></Option>
<Option name="altAddress"></Option>
<Option name="activationCmd"/>
<Option name="admUser"/>
<Option name="altAddress"/>
<Option name="check_shading">False</Option>
<Option name="cmdline"></Option>
<Option name="compiler"></Option>
<Option name="cmdline"/>
<Option name="compiler"/>
<Option name="configure_carp_interfaces">True</Option>
<Option name="configure_interfaces">True</Option>
<Option name="configure_pfsync_interfaces">False</Option>
<Option name="configure_vlan_interfaces">False</Option>
<Option name="debug">False</Option>
<Option name="epilog_script"></Option>
<Option name="epilog_script"/>
<Option name="fallback_log">False</Option>
<Option name="firewall_dir">/etc</Option>
<Option name="ignore_empty_groups">False</Option>
@ -3381,11 +3498,11 @@
<Option name="log_prefix">RULE %N -- %A </Option>
<Option name="loopback_interface">lo0</Option>
<Option name="manage_virtual_addr">True</Option>
<Option name="mgmt_addr"></Option>
<Option name="mgmt_addr"/>
<Option name="mgmt_ssh">False</Option>
<Option name="modulate_state">False</Option>
<Option name="openbsd_ip_forward">1</Option>
<Option name="output_file"></Option>
<Option name="output_file"/>
<Option name="pass_all_out">false</Option>
<Option name="pf_adaptive_end">0</Option>
<Option name="pf_adaptive_start">0</Option>
@ -3405,7 +3522,7 @@
<Option name="pf_limit_states">10000</Option>
<Option name="pf_limit_table_entries">0</Option>
<Option name="pf_limit_tables">0</Option>
<Option name="pf_optimization"></Option>
<Option name="pf_optimization"/>
<Option name="pf_other_first">0</Option>
<Option name="pf_other_multiple">0</Option>
<Option name="pf_other_single">0</Option>
@ -3445,9 +3562,9 @@
<Option name="pf_udp_multiple">0</Option>
<Option name="pf_udp_single">0</Option>
<Option name="prolog_place">fw_file</Option>
<Option name="prolog_script"></Option>
<Option name="scpArgs"></Option>
<Option name="sshArgs"></Option>
<Option name="prolog_script"/>
<Option name="scpArgs"/>
<Option name="sshArgs"/>
</FirewallOptions>
</Firewall>
<Firewall id="id200587X1082" host_OS="freebsd" inactive="False" lastCompiled="0" lastInstalled="0" lastModified="1296694652" platform="pf" version="" name="freebsd-1-1" comment="" ro="False">
@ -3475,20 +3592,20 @@
</Management>
<FirewallOptions>
<Option name="accept_new_tcp_with_no_syn">False</Option>
<Option name="activationCmd"></Option>
<Option name="admUser"></Option>
<Option name="altAddress"></Option>
<Option name="activationCmd"/>
<Option name="admUser"/>
<Option name="altAddress"/>
<Option name="check_shading">False</Option>
<Option name="cmdline"></Option>
<Option name="compiler"></Option>
<Option name="cmdline"/>
<Option name="compiler"/>
<Option name="conf1_file">pf.conf</Option>
<Option name="conf_file_name_on_firewall"></Option>
<Option name="conf_file_name_on_firewall"/>
<Option name="configure_carp_interfaces">True</Option>
<Option name="configure_interfaces">True</Option>
<Option name="configure_pfsync_interfaces">True</Option>
<Option name="configure_vlan_interfaces">True</Option>
<Option name="debug">False</Option>
<Option name="epilog_script"></Option>
<Option name="epilog_script"/>
<Option name="fallback_log">False</Option>
<Option name="firewall_dir">/etc</Option>
<Option name="freebsd_ip_forward">1</Option>
@ -3500,7 +3617,7 @@
<Option name="log_prefix">RULE %N -- %A </Option>
<Option name="loopback_interface">lo0</Option>
<Option name="manage_virtual_addr">True</Option>
<Option name="mgmt_addr"></Option>
<Option name="mgmt_addr"/>
<Option name="mgmt_ssh">False</Option>
<Option name="modulate_state">False</Option>
<Option name="openbsd_ip_forward">1</Option>
@ -3525,7 +3642,7 @@
<Option name="pf_limit_table_entries">0</Option>
<Option name="pf_limit_tables">0</Option>
<Option name="pf_modulate_state">False</Option>
<Option name="pf_optimization"></Option>
<Option name="pf_optimization"/>
<Option name="pf_other_first">0</Option>
<Option name="pf_other_multiple">0</Option>
<Option name="pf_other_single">0</Option>
@ -3554,7 +3671,7 @@
<Option name="pf_set_udp_first">False</Option>
<Option name="pf_set_udp_multiple">False</Option>
<Option name="pf_set_udp_single">False</Option>
<Option name="pf_state_policy"></Option>
<Option name="pf_state_policy"/>
<Option name="pf_tcp_closed">0</Option>
<Option name="pf_tcp_closing">0</Option>
<Option name="pf_tcp_established">0</Option>
@ -3567,10 +3684,10 @@
<Option name="pf_udp_multiple">0</Option>
<Option name="pf_udp_single">0</Option>
<Option name="prolog_place">fw_file</Option>
<Option name="prolog_script"></Option>
<Option name="scpArgs"></Option>
<Option name="script_name_on_firewall"></Option>
<Option name="sshArgs"></Option>
<Option name="prolog_script"/>
<Option name="scpArgs"/>
<Option name="script_name_on_firewall"/>
<Option name="sshArgs"/>
</FirewallOptions>
</Firewall>
<Firewall id="id200626X1082" host_OS="freebsd" inactive="False" lastCompiled="0" lastInstalled="0" lastModified="1296694663" platform="pf" version="" name="freebsd-2-1" comment="" ro="False">
@ -3598,20 +3715,20 @@
</Management>
<FirewallOptions>
<Option name="accept_new_tcp_with_no_syn">False</Option>
<Option name="activationCmd"></Option>
<Option name="admUser"></Option>
<Option name="altAddress"></Option>
<Option name="activationCmd"/>
<Option name="admUser"/>
<Option name="altAddress"/>
<Option name="check_shading">False</Option>
<Option name="cmdline"></Option>
<Option name="compiler"></Option>
<Option name="cmdline"/>
<Option name="compiler"/>
<Option name="conf1_file">pf.conf</Option>
<Option name="conf_file_name_on_firewall"></Option>
<Option name="conf_file_name_on_firewall"/>
<Option name="configure_carp_interfaces">True</Option>
<Option name="configure_interfaces">True</Option>
<Option name="configure_pfsync_interfaces">True</Option>
<Option name="configure_vlan_interfaces">True</Option>
<Option name="debug">False</Option>
<Option name="epilog_script"></Option>
<Option name="epilog_script"/>
<Option name="fallback_log">False</Option>
<Option name="firewall_dir">/etc</Option>
<Option name="freebsd_ip_forward">1</Option>
@ -3623,7 +3740,7 @@
<Option name="log_prefix">RULE %N -- %A </Option>
<Option name="loopback_interface">lo0</Option>
<Option name="manage_virtual_addr">True</Option>
<Option name="mgmt_addr"></Option>
<Option name="mgmt_addr"/>
<Option name="mgmt_ssh">False</Option>
<Option name="modulate_state">False</Option>
<Option name="openbsd_ip_forward">1</Option>
@ -3648,7 +3765,7 @@
<Option name="pf_limit_table_entries">0</Option>
<Option name="pf_limit_tables">0</Option>
<Option name="pf_modulate_state">False</Option>
<Option name="pf_optimization"></Option>
<Option name="pf_optimization"/>
<Option name="pf_other_first">0</Option>
<Option name="pf_other_multiple">0</Option>
<Option name="pf_other_single">0</Option>
@ -3677,7 +3794,7 @@
<Option name="pf_set_udp_first">False</Option>
<Option name="pf_set_udp_multiple">False</Option>
<Option name="pf_set_udp_single">False</Option>
<Option name="pf_state_policy"></Option>
<Option name="pf_state_policy"/>
<Option name="pf_tcp_closed">0</Option>
<Option name="pf_tcp_closing">0</Option>
<Option name="pf_tcp_established">0</Option>
@ -3690,10 +3807,10 @@
<Option name="pf_udp_multiple">0</Option>
<Option name="pf_udp_single">0</Option>
<Option name="prolog_place">fw_file</Option>
<Option name="prolog_script"></Option>
<Option name="scpArgs"></Option>
<Option name="script_name_on_firewall"></Option>
<Option name="sshArgs"></Option>
<Option name="prolog_script"/>
<Option name="scpArgs"/>
<Option name="script_name_on_firewall"/>
<Option name="sshArgs"/>
</FirewallOptions>
</Firewall>
</ObjectGroup>

6932
test/pf/objects-for-regression-tests.fwb
View File

File diff suppressed because it is too large Load Diff

4
test/pf/pf_cluster_4_rc.conf.local
View File

@ -1,9 +1,9 @@
#
# This is automatically generated file. DO NOT MODIFY !
#
# Firewall Builder fwb_pf v4.2.0.3529
# Firewall Builder fwb_pf v4.2.1.3538
#
# Generated Tue Apr 19 13:31:13 2011 PDT by vadim
# Generated Thu May 5 18:34:18 2011 PDT by vadim
#
# files: * pf_cluster_4_rc.conf.local /etc/pf_cluster_4_rc.conf.local
# files: pf_cluster_4_pf.conf /etc/pf_cluster_4_pf.conf

170
test/pix/cluster-tests.fwb
View File

@ -1,6 +1,6 @@
<?xml version="1.0" encoding="utf-8"?>
<!DOCTYPE FWObjectDatabase SYSTEM "fwbuilder.dtd">
<FWObjectDatabase xmlns="http://www.fwbuilder.org/1.0/" version="18" lastModified="1269894581" id="root">
<FWObjectDatabase xmlns="http://www.fwbuilder.org/1.0/" version="20" lastModified="1269894581" id="root">
<Library id="syslib000" color="#d4f8ff" name="Standard" comment="Standard objects" ro="True">
<AnyNetwork id="sysid0" name="Any" comment="Any Network" ro="False" address="0.0.0.0" netmask="0.0.0.0"/>
<AnyIPService id="sysid1" protocol_num="0" name="Any" comment="Any IP Service" ro="False"/>
@ -423,22 +423,22 @@
</Interface>
<Policy id="id6188X76214" name="to_fw" comment="" ro="False" ipv4_rule_set="True" ipv6_rule_set="False" top_rule_set="False">
<PolicyRule id="id10428X76214" disabled="False" log="True" position="0" action="Deny" direction="Both" comment="hashlimit 10/sec">
<Src neg="False">
<Src neg="False">
<ObjectRef ref="sysid0"/>
</Src>
<Dst neg="False">
<Dst neg="False">
<ObjectRef ref="sysid0"/>
</Dst>
<Srv neg="False">
<Srv neg="False">
<ServiceRef ref="sysid1"/>
</Srv>
<Itf neg="False">
<Itf neg="False">
<ObjectRef ref="sysid0"/>
</Itf>
<When neg="False">
<When neg="False">
<IntervalRef ref="sysid2"/>
</When>
<PolicyRuleOptions>
<PolicyRuleOptions>
<Option name="connlimit_masklen">0</Option>
<Option name="connlimit_value">0</Option>
<Option name="firewall_is_part_of_any_and_networks">False</Option>
@ -462,28 +462,31 @@
<Option name="log_prefix"/>
<Option name="stateless">True</Option>
<Option name="ulog_nlgroup">1</Option>
</PolicyRuleOptions>
</PolicyRule>
<Option name="pf_classify_str"/>
</PolicyRuleOptions>
</PolicyRule>
<RuleSetOptions/>
</Policy>
<Policy id="id2274X68642" name="to_fw" comment="" ro="False" ipv4_rule_set="True" ipv6_rule_set="False" top_rule_set="False">
<PolicyRule id="id2275X68642" disabled="False" log="True" position="0" action="Deny" direction="Both" comment="hashlimit 10/sec">
<Src neg="False">
<Src neg="False">
<ObjectRef ref="sysid0"/>
</Src>
<Dst neg="False">
<Dst neg="False">
<ObjectRef ref="sysid0"/>
</Dst>
<Srv neg="False">
<Srv neg="False">
<ServiceRef ref="sysid1"/>
</Srv>
<Itf neg="False">
<Itf neg="False">
<ObjectRef ref="sysid0"/>
</Itf>
<When neg="False">
<When neg="False">
<IntervalRef ref="sysid2"/>
</When>
<PolicyRuleOptions>
<PolicyRuleOptions>
<Option name="connlimit_masklen">0</Option>
<Option name="connlimit_value">0</Option>
<Option name="firewall_is_part_of_any_and_networks">False</Option>
@ -507,8 +510,11 @@
<Option name="log_prefix"/>
<Option name="stateless">True</Option>
<Option name="ulog_nlgroup">1</Option>
</PolicyRuleOptions>
</PolicyRule>
<Option name="pf_classify_str"/>
</PolicyRuleOptions>
</PolicyRule>
<RuleSetOptions/>
</Policy>
<Interface id="id2875X71781" dedicated_failover="False" dyn="False" security_level="0" unnum="False" unprotected="False" name="Interface" comment="" ro="False">
@ -740,7 +746,10 @@
<When neg="False">
<IntervalRef ref="sysid2"/>
</When>
<PolicyRuleOptions/>
<PolicyRuleOptions>
<Option name="pf_classify_str"/>
</PolicyRuleOptions>
</PolicyRule>
<PolicyRule id="id2879X78273" disabled="False" log="False" position="1" action="Accept" direction="Both" comment="SSH Access to firewall is permitted&#10;only from internal network">
<Src neg="False">
@ -758,7 +767,10 @@
<When neg="False">
<IntervalRef ref="sysid2"/>
</When>
<PolicyRuleOptions/>
<PolicyRuleOptions>
<Option name="pf_classify_str"/>
</PolicyRuleOptions>
</PolicyRule>
<PolicyRule id="id17725X59293" disabled="False" group="" log="False" position="2" action="Accept" direction="Inbound" comment="">
<Src neg="False">
@ -778,7 +790,10 @@
</When>
<PolicyRuleOptions>
<Option name="stateless">False</Option>
</PolicyRuleOptions>
<Option name="pf_classify_str"/>
</PolicyRuleOptions>
</PolicyRule>
<PolicyRule id="id55439X897" disabled="False" group="" log="True" position="3" action="Accept" direction="Both" comment="Firewall uses one of the machines&#10;on internal network for DNS">
<Src neg="False">
@ -796,7 +811,10 @@
<When neg="False">
<IntervalRef ref="sysid2"/>
</When>
<PolicyRuleOptions/>
<PolicyRuleOptions>
<Option name="pf_classify_str"/>
</PolicyRuleOptions>
</PolicyRule>
<PolicyRule id="id2862X78273" disabled="False" log="True" position="4" action="Accept" direction="Both" comment="Firewall uses one of the machines&#10;on internal network for DNS">
<Src neg="False">
@ -814,7 +832,10 @@
<When neg="False">
<IntervalRef ref="sysid2"/>
</When>
<PolicyRuleOptions/>
<PolicyRuleOptions>
<Option name="pf_classify_str"/>
</PolicyRuleOptions>
</PolicyRule>
<PolicyRule id="id3401X82678" disabled="False" group="test for interface groups" log="False" position="5" action="Accept" direction="Both" comment="">
<Src neg="False">
@ -836,7 +857,10 @@
<PolicyRuleOptions>
<Option name="color">#C0BA44</Option>
<Option name="stateless">False</Option>
</PolicyRuleOptions>
<Option name="pf_classify_str"/>
</PolicyRuleOptions>
</PolicyRule>
<PolicyRule id="id20340X82678" disabled="False" group="test for interface groups" log="False" position="6" action="Accept" direction="Both" comment="">
<Src neg="False">
@ -857,7 +881,10 @@
<PolicyRuleOptions>
<Option name="color">#C0BA44</Option>
<Option name="stateless">False</Option>
</PolicyRuleOptions>
<Option name="pf_classify_str"/>
</PolicyRuleOptions>
</PolicyRule>
<PolicyRule id="id89499X82678" disabled="False" group="test for interface groups" log="False" position="7" action="Accept" direction="Both" comment="">
<Src neg="False">
@ -879,7 +906,10 @@
<PolicyRuleOptions>
<Option name="color">#8BC065</Option>
<Option name="stateless">False</Option>
</PolicyRuleOptions>
<Option name="pf_classify_str"/>
</PolicyRuleOptions>
</PolicyRule>
<PolicyRule id="id89452X82678" disabled="False" group="test for interface groups" log="False" position="8" action="Accept" direction="Both" comment="">
<Src neg="False">
@ -900,7 +930,10 @@
<PolicyRuleOptions>
<Option name="color">#8BC065</Option>
<Option name="stateless">False</Option>
</PolicyRuleOptions>
<Option name="pf_classify_str"/>
</PolicyRuleOptions>
</PolicyRule>
<PolicyRule id="id2845X78273" disabled="False" log="True" position="9" action="Deny" direction="Both" comment="All other attempts to connect to&#10;the firewall are denied and logged">
<Src neg="False">
@ -918,7 +951,10 @@
<When neg="False">
<IntervalRef ref="sysid2"/>
</When>
<PolicyRuleOptions/>
<PolicyRuleOptions>
<Option name="pf_classify_str"/>
</PolicyRuleOptions>
</PolicyRule>
<PolicyRule id="id2828X78273" disabled="False" log="False" position="10" action="Accept" direction="Both" comment="">
<Src neg="False">
@ -936,7 +972,10 @@
<When neg="False">
<IntervalRef ref="sysid2"/>
</When>
<PolicyRuleOptions/>
<PolicyRuleOptions>
<Option name="pf_classify_str"/>
</PolicyRuleOptions>
</PolicyRule>
<PolicyRule id="id2811X78273" disabled="False" log="True" position="11" action="Deny" direction="Both" comment="">
<Src neg="False">
@ -954,7 +993,10 @@
<When neg="False">
<IntervalRef ref="sysid2"/>
</When>
<PolicyRuleOptions/>
<PolicyRuleOptions>
<Option name="pf_classify_str"/>
</PolicyRuleOptions>
</PolicyRule>
<RuleSetOptions/>
</Policy>
@ -1057,7 +1099,10 @@
<When neg="False">
<IntervalRef ref="sysid2"/>
</When>
<PolicyRuleOptions/>
<PolicyRuleOptions>
<Option name="pf_classify_str"/>
</PolicyRuleOptions>
</PolicyRule>
<PolicyRule id="id2906X26048" disabled="False" log="False" position="1" action="Accept" direction="Both" comment="SSH Access to firewall is permitted&#10;only from internal network">
<Src neg="False">
@ -1075,7 +1120,10 @@
<When neg="False">
<IntervalRef ref="sysid2"/>
</When>
<PolicyRuleOptions/>
<PolicyRuleOptions>
<Option name="pf_classify_str"/>
</PolicyRuleOptions>
</PolicyRule>
<PolicyRule id="id2918X26048" disabled="False" log="True" position="2" action="Accept" direction="Both" comment="Firewall uses one of the machines&#10;on internal network for DNS">
<Src neg="False">
@ -1093,7 +1141,10 @@
<When neg="False">
<IntervalRef ref="sysid2"/>
</When>
<PolicyRuleOptions/>
<PolicyRuleOptions>
<Option name="pf_classify_str"/>
</PolicyRuleOptions>
</PolicyRule>
<PolicyRule id="id2930X26048" disabled="False" log="True" position="3" action="Deny" direction="Both" comment="All other attempts to connect to&#10;the firewall are denied and logged">
<Src neg="False">
@ -1111,7 +1162,10 @@
<When neg="False">
<IntervalRef ref="sysid2"/>
</When>
<PolicyRuleOptions/>
<PolicyRuleOptions>
<Option name="pf_classify_str"/>
</PolicyRuleOptions>
</PolicyRule>
<PolicyRule id="id2942X26048" disabled="False" log="False" position="4" action="Accept" direction="Both" comment="">
<Src neg="False">
@ -1129,7 +1183,10 @@
<When neg="False">
<IntervalRef ref="sysid2"/>
</When>
<PolicyRuleOptions/>
<PolicyRuleOptions>
<Option name="pf_classify_str"/>
</PolicyRuleOptions>
</PolicyRule>
<PolicyRule id="id2954X26048" disabled="False" log="True" position="5" action="Deny" direction="Both" comment="">
<Src neg="False">
@ -1147,7 +1204,10 @@
<When neg="False">
<IntervalRef ref="sysid2"/>
</When>
<PolicyRuleOptions/>
<PolicyRuleOptions>
<Option name="pf_classify_str"/>
</PolicyRuleOptions>
</PolicyRule>
<RuleSetOptions/>
</Policy>
@ -1248,7 +1308,10 @@
<When neg="False">
<IntervalRef ref="sysid2"/>
</When>
<PolicyRuleOptions/>
<PolicyRuleOptions>
<Option name="pf_classify_str"/>
</PolicyRuleOptions>
</PolicyRule>
<PolicyRule id="id56603X61097" disabled="False" log="False" position="1" action="Accept" direction="Both" comment="SSH Access to firewall is permitted&#10;only from internal network">
<Src neg="False">
@ -1266,7 +1329,10 @@
<When neg="False">
<IntervalRef ref="sysid2"/>
</When>
<PolicyRuleOptions/>
<PolicyRuleOptions>
<Option name="pf_classify_str"/>
</PolicyRuleOptions>
</PolicyRule>
<PolicyRule id="id56615X61097" disabled="False" group="" log="False" position="2" action="Accept" direction="Inbound" comment="">
<Src neg="False">
@ -1286,7 +1352,10 @@
</When>
<PolicyRuleOptions>
<Option name="stateless">False</Option>
</PolicyRuleOptions>
<Option name="pf_classify_str"/>
</PolicyRuleOptions>
</PolicyRule>
<PolicyRule id="id56627X61097" disabled="False" group="" log="True" position="3" action="Accept" direction="Both" comment="Firewall uses one of the machines&#10;on internal network for DNS">
<Src neg="False">
@ -1304,7 +1373,10 @@
<When neg="False">
<IntervalRef ref="sysid2"/>
</When>
<PolicyRuleOptions/>
<PolicyRuleOptions>
<Option name="pf_classify_str"/>
</PolicyRuleOptions>
</PolicyRule>
<PolicyRule id="id56639X61097" disabled="False" log="True" position="4" action="Accept" direction="Both" comment="Firewall uses one of the machines&#10;on internal network for DNS">
<Src neg="False">
@ -1322,7 +1394,10 @@
<When neg="False">
<IntervalRef ref="sysid2"/>
</When>
<PolicyRuleOptions/>
<PolicyRuleOptions>
<Option name="pf_classify_str"/>
</PolicyRuleOptions>
</PolicyRule>
<PolicyRule id="id56651X61097" disabled="False" log="True" position="5" action="Deny" direction="Both" comment="All other attempts to connect to&#10;the firewall are denied and logged">
<Src neg="False">
@ -1340,7 +1415,10 @@
<When neg="False">
<IntervalRef ref="sysid2"/>
</When>
<PolicyRuleOptions/>
<PolicyRuleOptions>
<Option name="pf_classify_str"/>
</PolicyRuleOptions>
</PolicyRule>
<PolicyRule id="id56663X61097" disabled="False" log="False" position="6" action="Accept" direction="Both" comment="">
<Src neg="False">
@ -1358,7 +1436,10 @@
<When neg="False">
<IntervalRef ref="sysid2"/>
</When>
<PolicyRuleOptions/>
<PolicyRuleOptions>
<Option name="pf_classify_str"/>
</PolicyRuleOptions>
</PolicyRule>
<PolicyRule id="id56675X61097" disabled="False" log="True" position="7" action="Deny" direction="Both" comment="">
<Src neg="False">
@ -1376,7 +1457,10 @@
<When neg="False">
<IntervalRef ref="sysid2"/>
</When>
<PolicyRuleOptions/>
<PolicyRuleOptions>
<Option name="pf_classify_str"/>
</PolicyRuleOptions>
</PolicyRule>
<RuleSetOptions/>
</Policy>

4116
test/pix/objects-for-regression-tests.fwb
View File

File diff suppressed because it is too large Load Diff

2
test/pix/quick-cmp.sh
View File

@ -9,5 +9,5 @@ do
V="$f <<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<"
echo "echo \"$V\" | cut -c1-72"
new_f=$(echo $f | sed 's/.orig//')
echo "$SDIFFCMD $f $new_f"
echo "$DIFFCMD $f $new_f"
done

637
test/procurve_acl/objects-for-regression-tests.fwb
View File

@ -1,6 +1,6 @@
<?xml version="1.0" encoding="utf-8"?>
<!DOCTYPE FWObjectDatabase SYSTEM "fwbuilder.dtd">
<FWObjectDatabase xmlns="http://www.fwbuilder.org/1.0/" version="18" lastModified="1273676680" id="root">
<FWObjectDatabase xmlns="http://www.fwbuilder.org/1.0/" version="20" lastModified="1273676680" id="root">
<Library id="syslib000" color="#d4f8ff" name="Standard" comment="Standard objects" ro="True">
<AnyNetwork id="sysid0" name="Any" comment="Any Network" ro="False" address="0.0.0.0" netmask="0.0.0.0"/>
<AnyIPService id="sysid1" protocol_num="0" name="Any" comment="Any IP Service" ro="False"/>
@ -623,7 +623,10 @@
</When>
<PolicyRuleOptions>
<Option name="stateless">True</Option>
</PolicyRuleOptions>
<Option name="pf_classify_str"/>
</PolicyRuleOptions>
</PolicyRule>
<PolicyRule id="id46412C3326611" disabled="False" log="False" position="1" action="Accept" direction="Both" comment="">
<Src neg="False">
@ -644,7 +647,10 @@
<PolicyRuleOptions>
<Option name="color">#C0BA44</Option>
<Option name="stateless">False</Option>
</PolicyRuleOptions>
<Option name="pf_classify_str"/>
</PolicyRuleOptions>
</PolicyRule>
<PolicyRule id="id46415A0129061" disabled="False" log="False" position="2" action="Accept" direction="Both" comment="">
<Src neg="False">
@ -666,7 +672,10 @@
<PolicyRuleOptions>
<Option name="color">#C0BA44</Option>
<Option name="stateless">False</Option>
</PolicyRuleOptions>
<Option name="pf_classify_str"/>
</PolicyRuleOptions>
</PolicyRule>
<PolicyRule id="id25349X82668" disabled="False" group="" log="False" position="3" action="Accept" direction="Both" comment="">
<Src neg="False">
@ -687,7 +696,10 @@
<PolicyRuleOptions>
<Option name="color">#C0BA44</Option>
<Option name="stateless">False</Option>
</PolicyRuleOptions>
<Option name="pf_classify_str"/>
</PolicyRuleOptions>
</PolicyRule>
<PolicyRule id="id4641356226611" disabled="False" log="False" position="4" action="Accept" direction="Both" comment="">
<Src neg="False">
@ -708,7 +720,10 @@
<PolicyRuleOptions>
<Option name="color">#C0BA44</Option>
<Option name="stateless">False</Option>
</PolicyRuleOptions>
<Option name="pf_classify_str"/>
</PolicyRuleOptions>
</PolicyRule>
<PolicyRule id="id4641359926611" disabled="False" log="False" position="5" action="Accept" direction="Both" comment="">
<Src neg="False">
@ -729,7 +744,10 @@
<PolicyRuleOptions>
<Option name="color">#C0BA44</Option>
<Option name="stateless">False</Option>
</PolicyRuleOptions>
<Option name="pf_classify_str"/>
</PolicyRuleOptions>
</PolicyRule>
<PolicyRule id="id46412F0326611" disabled="False" log="False" position="6" action="Accept" direction="Inbound" comment="">
<Src neg="False">
@ -750,7 +768,10 @@
<PolicyRuleOptions>
<Option name="color">#8BC065</Option>
<Option name="stateless">False</Option>
</PolicyRuleOptions>
<Option name="pf_classify_str"/>
</PolicyRuleOptions>
</PolicyRule>
<PolicyRule id="id4641357426611" disabled="False" log="False" position="7" action="Accept" direction="Inbound" comment="">
<Src neg="False">
@ -771,7 +792,10 @@
<PolicyRuleOptions>
<Option name="color">#8BC065</Option>
<Option name="stateless">False</Option>
</PolicyRuleOptions>
<Option name="pf_classify_str"/>
</PolicyRuleOptions>
</PolicyRule>
<PolicyRule id="id4641358626611" disabled="False" log="False" position="8" action="Accept" direction="Inbound" comment="">
<Src neg="False">
@ -792,7 +816,10 @@
<PolicyRuleOptions>
<Option name="color">#8BC065</Option>
<Option name="stateless">False</Option>
</PolicyRuleOptions>
<Option name="pf_classify_str"/>
</PolicyRuleOptions>
</PolicyRule>
<PolicyRule id="id4641456D29061" disabled="False" log="False" position="9" action="Accept" direction="Both" comment="">
<Src neg="False">
@ -813,7 +840,10 @@
<PolicyRuleOptions>
<Option name="color">#C0BA44</Option>
<Option name="stateless">False</Option>
</PolicyRuleOptions>
<Option name="pf_classify_str"/>
</PolicyRuleOptions>
</PolicyRule>
<PolicyRule id="id4641457E29061" disabled="False" log="False" position="10" action="Accept" direction="Both" comment="">
<Src neg="False">
@ -834,7 +864,10 @@
<PolicyRuleOptions>
<Option name="color">#C0BA44</Option>
<Option name="stateless">False</Option>
</PolicyRuleOptions>
<Option name="pf_classify_str"/>
</PolicyRuleOptions>
</PolicyRule>
<PolicyRule id="id4641458F29061" disabled="False" log="False" position="11" action="Accept" direction="Both" comment="">
<Src neg="False">
@ -855,7 +888,10 @@
<PolicyRuleOptions>
<Option name="color">#C0BA44</Option>
<Option name="stateless">False</Option>
</PolicyRuleOptions>
<Option name="pf_classify_str"/>
</PolicyRuleOptions>
</PolicyRule>
<PolicyRule id="id464147C929061" disabled="False" log="False" position="12" action="Accept" direction="Both" comment="interface ethernet1 has address on network 10.10.10.0/24,&#10;therefore net-10.10.10 is behind the router and we do&#10;not need to put rules 12-18 in outbound acl of eth0">
<Src neg="False">
@ -876,7 +912,10 @@
<PolicyRuleOptions>
<Option name="color">#C86E6E</Option>
<Option name="stateless">False</Option>
</PolicyRuleOptions>
<Option name="pf_classify_str"/>
</PolicyRuleOptions>
</PolicyRule>
<PolicyRule id="id46414A3E29061" disabled="False" log="False" position="13" action="Accept" direction="Both" comment="">
<Src neg="False">
@ -897,7 +936,10 @@
<PolicyRuleOptions>
<Option name="color">#C86E6E</Option>
<Option name="stateless">False</Option>
</PolicyRuleOptions>
<Option name="pf_classify_str"/>
</PolicyRuleOptions>
</PolicyRule>
<PolicyRule id="id46414A4F29061" disabled="False" log="False" position="14" action="Accept" direction="Both" comment="">
<Src neg="False">
@ -918,7 +960,10 @@
<PolicyRuleOptions>
<Option name="color">#C86E6E</Option>
<Option name="stateless">False</Option>
</PolicyRuleOptions>
<Option name="pf_classify_str"/>
</PolicyRuleOptions>
</PolicyRule>
<PolicyRule id="id46414A6029061" disabled="False" log="False" position="15" action="Accept" direction="Both" comment="">
<Src neg="False">
@ -939,7 +984,10 @@
<PolicyRuleOptions>
<Option name="color">#C86E6E</Option>
<Option name="stateless">False</Option>
</PolicyRuleOptions>
<Option name="pf_classify_str"/>
</PolicyRuleOptions>
</PolicyRule>
<PolicyRule id="id46414CEB29061" disabled="False" log="False" position="16" action="Accept" direction="Both" comment="">
<Src neg="False">
@ -960,7 +1008,10 @@
<PolicyRuleOptions>
<Option name="color">#C86E6E</Option>
<Option name="stateless">False</Option>
</PolicyRuleOptions>
<Option name="pf_classify_str"/>
</PolicyRuleOptions>
</PolicyRule>
<PolicyRule id="id4641521829061" disabled="False" log="False" position="17" action="Accept" direction="Both" comment="">
<Src neg="False">
@ -981,7 +1032,10 @@
<PolicyRuleOptions>
<Option name="color">#C86E6E</Option>
<Option name="stateless">False</Option>
</PolicyRuleOptions>
<Option name="pf_classify_str"/>
</PolicyRuleOptions>
</PolicyRule>
<PolicyRule id="id46415F6729061" disabled="False" log="False" position="18" action="Accept" direction="Both" comment="">
<Src neg="False">
@ -1002,7 +1056,10 @@
<PolicyRuleOptions>
<Option name="color">#C86E6E</Option>
<Option name="stateless">False</Option>
</PolicyRuleOptions>
<Option name="pf_classify_str"/>
</PolicyRuleOptions>
</PolicyRule>
<PolicyRule id="id5377X64279" disabled="False" group="" log="False" position="19" action="Accept" direction="Both" comment="">
<Src neg="False">
@ -1023,7 +1080,10 @@
<PolicyRuleOptions>
<Option name="color">#7694C0</Option>
<Option name="stateless">False</Option>
</PolicyRuleOptions>
<Option name="pf_classify_str"/>
</PolicyRuleOptions>
</PolicyRule>
<PolicyRule id="id8889X64279" disabled="False" group="" log="False" position="20" action="Accept" direction="Both" comment="">
<Src neg="False">
@ -1044,7 +1104,10 @@
<PolicyRuleOptions>
<Option name="color">#7694C0</Option>
<Option name="stateless">False</Option>
</PolicyRuleOptions>
<Option name="pf_classify_str"/>
</PolicyRuleOptions>
</PolicyRule>
<PolicyRule id="id5646X48212" disabled="False" group="" log="False" position="21" action="Accept" direction="Inbound" comment="">
<Src neg="False">
@ -1064,7 +1127,10 @@
</When>
<PolicyRuleOptions>
<Option name="stateless">False</Option>
</PolicyRuleOptions>
<Option name="pf_classify_str"/>
</PolicyRuleOptions>
</PolicyRule>
<PolicyRule id="id5801X48212" disabled="False" group="" log="False" position="22" action="Accept" direction="Inbound" comment="">
<Src neg="False">
@ -1085,7 +1151,10 @@
</When>
<PolicyRuleOptions>
<Option name="stateless">False</Option>
</PolicyRuleOptions>
<Option name="pf_classify_str"/>
</PolicyRuleOptions>
</PolicyRule>
<PolicyRule id="id46412C2726611" disabled="False" log="True" position="23" action="Deny" direction="Both" comment="">
<Src neg="False">
@ -1105,7 +1174,10 @@
</When>
<PolicyRuleOptions>
<Option name="stateless">True</Option>
</PolicyRuleOptions>
<Option name="pf_classify_str"/>
</PolicyRuleOptions>
</PolicyRule>
<RuleSetOptions/>
</Policy>
@ -1292,7 +1364,10 @@
</When>
<PolicyRuleOptions>
<Option name="stateless">False</Option>
</PolicyRuleOptions>
<Option name="pf_classify_str"/>
</PolicyRuleOptions>
</PolicyRule>
<PolicyRule id="id28332X65694" disabled="False" group="" log="False" position="1" action="Accept" direction="Both" comment="">
<Src neg="False">
@ -1313,7 +1388,10 @@
</When>
<PolicyRuleOptions>
<Option name="stateless">False</Option>
</PolicyRuleOptions>
<Option name="pf_classify_str"/>
</PolicyRuleOptions>
</PolicyRule>
<RuleSetOptions/>
</Policy>
@ -1336,7 +1414,10 @@
</When>
<PolicyRuleOptions>
<Option name="stateless">False</Option>
</PolicyRuleOptions>
<Option name="pf_classify_str"/>
</PolicyRuleOptions>
</PolicyRule>
<PolicyRule id="id19137X65694" disabled="False" log="False" position="1" action="Accept" direction="Both" comment="">
<Src neg="False">
@ -1356,7 +1437,10 @@
</When>
<PolicyRuleOptions>
<Option name="stateless">False</Option>
</PolicyRuleOptions>
<Option name="pf_classify_str"/>
</PolicyRuleOptions>
</PolicyRule>
<PolicyRule id="id19165X65694" disabled="False" log="True" position="2" action="Accept" direction="Both" comment="">
<Src neg="False">
@ -1376,7 +1460,10 @@
</When>
<PolicyRuleOptions>
<Option name="stateless">False</Option>
</PolicyRuleOptions>
<Option name="pf_classify_str"/>
</PolicyRuleOptions>
</PolicyRule>
<PolicyRule id="id19194X65694" disabled="False" group="" log="True" position="3" action="Accept" direction="Both" comment="">
<Src neg="False">
@ -1396,7 +1483,10 @@
</When>
<PolicyRuleOptions>
<Option name="stateless">False</Option>
</PolicyRuleOptions>
<Option name="pf_classify_str"/>
</PolicyRuleOptions>
</PolicyRule>
<PolicyRule id="id19226X65694" disabled="False" group="" log="True" position="4" action="Accept" direction="Both" comment="">
<Src neg="False">
@ -1416,7 +1506,10 @@
</When>
<PolicyRuleOptions>
<Option name="stateless">False</Option>
</PolicyRuleOptions>
<Option name="pf_classify_str"/>
</PolicyRuleOptions>
</PolicyRule>
<PolicyRule id="id19260X65694" disabled="False" group="" log="True" position="5" action="Accept" direction="Both" comment="">
<Src neg="False">
@ -1436,7 +1529,10 @@
</When>
<PolicyRuleOptions>
<Option name="stateless">False</Option>
</PolicyRuleOptions>
<Option name="pf_classify_str"/>
</PolicyRuleOptions>
</PolicyRule>
<PolicyRule id="id19288X65694" disabled="False" group="" log="True" position="6" action="Accept" direction="Both" comment="">
<Src neg="False">
@ -1456,7 +1552,10 @@
</When>
<PolicyRuleOptions>
<Option name="stateless">False</Option>
</PolicyRuleOptions>
<Option name="pf_classify_str"/>
</PolicyRuleOptions>
</PolicyRule>
<PolicyRule id="id19316X65694" disabled="False" log="True" position="7" action="Accept" direction="Inbound" comment="">
<Src neg="False">
@ -1476,7 +1575,10 @@
</When>
<PolicyRuleOptions>
<Option name="stateless">False</Option>
</PolicyRuleOptions>
<Option name="pf_classify_str"/>
</PolicyRuleOptions>
</PolicyRule>
<PolicyRule id="id19344X65694" disabled="False" log="True" position="8" action="Accept" direction="Both" comment="">
<Src neg="False">
@ -1496,7 +1598,10 @@
</When>
<PolicyRuleOptions>
<Option name="stateless">False</Option>
</PolicyRuleOptions>
<Option name="pf_classify_str"/>
</PolicyRuleOptions>
</PolicyRule>
<PolicyRule id="id19372X65694" disabled="False" log="True" position="9" action="Accept" direction="Both" comment="">
<Src neg="False">
@ -1516,7 +1621,10 @@
</When>
<PolicyRuleOptions>
<Option name="stateless">False</Option>
</PolicyRuleOptions>
<Option name="pf_classify_str"/>
</PolicyRuleOptions>
</PolicyRule>
<PolicyRule id="id19400X65694" disabled="False" log="True" position="10" action="Accept" direction="Both" comment="">
<Src neg="False">
@ -1536,7 +1644,10 @@
</When>
<PolicyRuleOptions>
<Option name="stateless">False</Option>
</PolicyRuleOptions>
<Option name="pf_classify_str"/>
</PolicyRuleOptions>
</PolicyRule>
<PolicyRule id="id24941X65694" disabled="False" group="" log="False" position="11" action="Accept" direction="Both" comment="">
<Src neg="False">
@ -1557,7 +1668,10 @@
</When>
<PolicyRuleOptions>
<Option name="stateless">False</Option>
</PolicyRuleOptions>
<Option name="pf_classify_str"/>
</PolicyRuleOptions>
</PolicyRule>
<PolicyRule id="id7994X97727" disabled="False" group="" log="False" position="12" action="Accept" direction="Both" comment="">
<Src neg="False">
@ -1577,7 +1691,10 @@
</When>
<PolicyRuleOptions>
<Option name="stateless">False</Option>
</PolicyRuleOptions>
<Option name="pf_classify_str"/>
</PolicyRuleOptions>
</PolicyRule>
<PolicyRule id="id9240X97727" disabled="False" group="" log="False" position="13" action="Accept" direction="Both" comment="">
<Src neg="False">
@ -1601,7 +1718,10 @@
</When>
<PolicyRuleOptions>
<Option name="stateless">False</Option>
</PolicyRuleOptions>
<Option name="pf_classify_str"/>
</PolicyRuleOptions>
</PolicyRule>
<RuleSetOptions/>
</Policy>
@ -1807,7 +1927,10 @@
</When>
<PolicyRuleOptions>
<Option name="stateless">False</Option>
</PolicyRuleOptions>
<Option name="pf_classify_str"/>
</PolicyRuleOptions>
</PolicyRule>
<PolicyRule id="id10526X97727" disabled="False" group="" log="False" position="1" action="Accept" direction="Both" comment="">
<Src neg="False">
@ -1828,7 +1951,10 @@
</When>
<PolicyRuleOptions>
<Option name="stateless">False</Option>
</PolicyRuleOptions>
<Option name="pf_classify_str"/>
</PolicyRuleOptions>
</PolicyRule>
<RuleSetOptions/>
</Policy>
@ -1851,7 +1977,10 @@
</When>
<PolicyRuleOptions>
<Option name="stateless">False</Option>
</PolicyRuleOptions>
<Option name="pf_classify_str"/>
</PolicyRuleOptions>
</PolicyRule>
<PolicyRule id="id10552X97727" disabled="False" log="False" position="1" action="Accept" direction="Both" comment="">
<Src neg="False">
@ -1871,7 +2000,10 @@
</When>
<PolicyRuleOptions>
<Option name="stateless">False</Option>
</PolicyRuleOptions>
<Option name="pf_classify_str"/>
</PolicyRuleOptions>
</PolicyRule>
<PolicyRule id="id10564X97727" disabled="False" log="True" position="2" action="Accept" direction="Both" comment="">
<Src neg="False">
@ -1891,7 +2023,10 @@
</When>
<PolicyRuleOptions>
<Option name="stateless">False</Option>
</PolicyRuleOptions>
<Option name="pf_classify_str"/>
</PolicyRuleOptions>
</PolicyRule>
<PolicyRule id="id10576X97727" disabled="False" group="" log="True" position="3" action="Accept" direction="Both" comment="">
<Src neg="False">
@ -1911,7 +2046,10 @@
</When>
<PolicyRuleOptions>
<Option name="stateless">False</Option>
</PolicyRuleOptions>
<Option name="pf_classify_str"/>
</PolicyRuleOptions>
</PolicyRule>
<PolicyRule id="id10588X97727" disabled="False" group="" log="True" position="4" action="Accept" direction="Both" comment="">
<Src neg="False">
@ -1931,7 +2069,10 @@
</When>
<PolicyRuleOptions>
<Option name="stateless">False</Option>
</PolicyRuleOptions>
<Option name="pf_classify_str"/>
</PolicyRuleOptions>
</PolicyRule>
<PolicyRule id="id10600X97727" disabled="False" group="" log="True" position="5" action="Accept" direction="Both" comment="">
<Src neg="False">
@ -1951,7 +2092,10 @@
</When>
<PolicyRuleOptions>
<Option name="stateless">False</Option>
</PolicyRuleOptions>
<Option name="pf_classify_str"/>
</PolicyRuleOptions>
</PolicyRule>
<PolicyRule id="id10612X97727" disabled="False" group="" log="True" position="6" action="Accept" direction="Both" comment="">
<Src neg="False">
@ -1971,7 +2115,10 @@
</When>
<PolicyRuleOptions>
<Option name="stateless">False</Option>
</PolicyRuleOptions>
<Option name="pf_classify_str"/>
</PolicyRuleOptions>
</PolicyRule>
<PolicyRule id="id10624X97727" disabled="False" log="True" position="7" action="Accept" direction="Inbound" comment="">
<Src neg="False">
@ -1991,7 +2138,10 @@
</When>
<PolicyRuleOptions>
<Option name="stateless">False</Option>
</PolicyRuleOptions>
<Option name="pf_classify_str"/>
</PolicyRuleOptions>
</PolicyRule>
<PolicyRule id="id10636X97727" disabled="False" log="True" position="8" action="Accept" direction="Both" comment="">
<Src neg="False">
@ -2011,7 +2161,10 @@
</When>
<PolicyRuleOptions>
<Option name="stateless">False</Option>
</PolicyRuleOptions>
<Option name="pf_classify_str"/>
</PolicyRuleOptions>
</PolicyRule>
<PolicyRule id="id10648X97727" disabled="False" log="True" position="9" action="Accept" direction="Both" comment="">
<Src neg="False">
@ -2031,7 +2184,10 @@
</When>
<PolicyRuleOptions>
<Option name="stateless">False</Option>
</PolicyRuleOptions>
<Option name="pf_classify_str"/>
</PolicyRuleOptions>
</PolicyRule>
<PolicyRule id="id10660X97727" disabled="False" log="True" position="10" action="Accept" direction="Both" comment="">
<Src neg="False">
@ -2051,7 +2207,10 @@
</When>
<PolicyRuleOptions>
<Option name="stateless">False</Option>
</PolicyRuleOptions>
<Option name="pf_classify_str"/>
</PolicyRuleOptions>
</PolicyRule>
<PolicyRule id="id10672X97727" disabled="False" group="" log="False" position="11" action="Accept" direction="Both" comment="">
<Src neg="False">
@ -2072,7 +2231,10 @@
</When>
<PolicyRuleOptions>
<Option name="stateless">False</Option>
</PolicyRuleOptions>
<Option name="pf_classify_str"/>
</PolicyRuleOptions>
</PolicyRule>
<PolicyRule id="id10685X97727" disabled="False" group="" log="False" position="12" action="Accept" direction="Both" comment="">
<Src neg="False">
@ -2092,7 +2254,10 @@
</When>
<PolicyRuleOptions>
<Option name="stateless">False</Option>
</PolicyRuleOptions>
<Option name="pf_classify_str"/>
</PolicyRuleOptions>
</PolicyRule>
<PolicyRule id="id10697X97727" disabled="False" group="" log="False" position="13" action="Accept" direction="Both" comment="">
<Src neg="False">
@ -2116,7 +2281,10 @@
</When>
<PolicyRuleOptions>
<Option name="stateless">False</Option>
</PolicyRuleOptions>
<Option name="pf_classify_str"/>
</PolicyRuleOptions>
</PolicyRule>
<RuleSetOptions/>
</Policy>
@ -2322,7 +2490,10 @@
</When>
<PolicyRuleOptions>
<Option name="stateless">False</Option>
</PolicyRuleOptions>
<Option name="pf_classify_str"/>
</PolicyRuleOptions>
</PolicyRule>
<PolicyRule id="id12152X53662" disabled="False" group="" log="False" position="1" action="Accept" direction="Both" comment="">
<Src neg="False">
@ -2343,7 +2514,10 @@
</When>
<PolicyRuleOptions>
<Option name="stateless">False</Option>
</PolicyRuleOptions>
<Option name="pf_classify_str"/>
</PolicyRuleOptions>
</PolicyRule>
<RuleSetOptions/>
</Policy>
@ -2366,7 +2540,10 @@
</When>
<PolicyRuleOptions>
<Option name="stateless">False</Option>
</PolicyRuleOptions>
<Option name="pf_classify_str"/>
</PolicyRuleOptions>
</PolicyRule>
<PolicyRule id="id12202X53662" disabled="False" group="" log="True" position="1" action="Accept" direction="Both" comment="">
<Src neg="False">
@ -2386,7 +2563,10 @@
</When>
<PolicyRuleOptions>
<Option name="stateless">False</Option>
</PolicyRuleOptions>
<Option name="pf_classify_str"/>
</PolicyRuleOptions>
</PolicyRule>
<RuleSetOptions/>
</Policy>
@ -2410,7 +2590,10 @@
</When>
<PolicyRuleOptions>
<Option name="stateless">False</Option>
</PolicyRuleOptions>
<Option name="pf_classify_str"/>
</PolicyRuleOptions>
</PolicyRule>
<RuleSetOptions/>
</Policy>
@ -2616,7 +2799,10 @@
</When>
<PolicyRuleOptions>
<Option name="stateless">True</Option>
</PolicyRuleOptions>
<Option name="pf_classify_str"/>
</PolicyRuleOptions>
</PolicyRule>
<PolicyRule id="id4346X40592" disabled="False" log="False" position="1" action="Accept" direction="Both" comment="">
<Src neg="False">
@ -2637,7 +2823,10 @@
<PolicyRuleOptions>
<Option name="color">#C0BA44</Option>
<Option name="stateless">False</Option>
</PolicyRuleOptions>
<Option name="pf_classify_str"/>
</PolicyRuleOptions>
</PolicyRule>
<PolicyRule id="id4358X40592" disabled="False" log="False" position="2" action="Accept" direction="Both" comment="">
<Src neg="False">
@ -2659,7 +2848,10 @@
<PolicyRuleOptions>
<Option name="color">#C0BA44</Option>
<Option name="stateless">False</Option>
</PolicyRuleOptions>
<Option name="pf_classify_str"/>
</PolicyRuleOptions>
</PolicyRule>
<PolicyRule id="id4371X40592" disabled="False" group="" log="False" position="3" action="Accept" direction="Both" comment="">
<Src neg="False">
@ -2680,7 +2872,10 @@
<PolicyRuleOptions>
<Option name="color">#C0BA44</Option>
<Option name="stateless">False</Option>
</PolicyRuleOptions>
<Option name="pf_classify_str"/>
</PolicyRuleOptions>
</PolicyRule>
<PolicyRule id="id4383X40592" disabled="False" log="False" position="4" action="Accept" direction="Both" comment="">
<Src neg="False">
@ -2701,7 +2896,10 @@
<PolicyRuleOptions>
<Option name="color">#C0BA44</Option>
<Option name="stateless">False</Option>
</PolicyRuleOptions>
<Option name="pf_classify_str"/>
</PolicyRuleOptions>
</PolicyRule>
<PolicyRule id="id4395X40592" disabled="False" log="False" position="5" action="Accept" direction="Both" comment="">
<Src neg="False">
@ -2722,7 +2920,10 @@
<PolicyRuleOptions>
<Option name="color">#C0BA44</Option>
<Option name="stateless">False</Option>
</PolicyRuleOptions>
<Option name="pf_classify_str"/>
</PolicyRuleOptions>
</PolicyRule>
<PolicyRule id="id4407X40592" disabled="False" log="False" position="6" action="Accept" direction="Inbound" comment="">
<Src neg="False">
@ -2743,7 +2944,10 @@
<PolicyRuleOptions>
<Option name="color">#8BC065</Option>
<Option name="stateless">False</Option>
</PolicyRuleOptions>
<Option name="pf_classify_str"/>
</PolicyRuleOptions>
</PolicyRule>
<PolicyRule id="id4419X40592" disabled="False" log="False" position="7" action="Accept" direction="Inbound" comment="">
<Src neg="False">
@ -2764,7 +2968,10 @@
<PolicyRuleOptions>
<Option name="color">#8BC065</Option>
<Option name="stateless">False</Option>
</PolicyRuleOptions>
<Option name="pf_classify_str"/>
</PolicyRuleOptions>
</PolicyRule>
<PolicyRule id="id4431X40592" disabled="False" log="False" position="8" action="Accept" direction="Inbound" comment="">
<Src neg="False">
@ -2785,7 +2992,10 @@
<PolicyRuleOptions>
<Option name="color">#8BC065</Option>
<Option name="stateless">False</Option>
</PolicyRuleOptions>
<Option name="pf_classify_str"/>
</PolicyRuleOptions>
</PolicyRule>
<PolicyRule id="id4443X40592" disabled="False" log="False" position="9" action="Accept" direction="Both" comment="">
<Src neg="False">
@ -2806,7 +3016,10 @@
<PolicyRuleOptions>
<Option name="color">#C0BA44</Option>
<Option name="stateless">False</Option>
</PolicyRuleOptions>
<Option name="pf_classify_str"/>
</PolicyRuleOptions>
</PolicyRule>
<PolicyRule id="id4455X40592" disabled="False" log="False" position="10" action="Accept" direction="Both" comment="">
<Src neg="False">
@ -2827,7 +3040,10 @@
<PolicyRuleOptions>
<Option name="color">#C0BA44</Option>
<Option name="stateless">False</Option>
</PolicyRuleOptions>
<Option name="pf_classify_str"/>
</PolicyRuleOptions>
</PolicyRule>
<PolicyRule id="id4467X40592" disabled="False" log="False" position="11" action="Accept" direction="Both" comment="">
<Src neg="False">
@ -2848,7 +3064,10 @@
<PolicyRuleOptions>
<Option name="color">#C0BA44</Option>
<Option name="stateless">False</Option>
</PolicyRuleOptions>
<Option name="pf_classify_str"/>
</PolicyRuleOptions>
</PolicyRule>
<PolicyRule id="id4479X40592" disabled="False" log="False" position="12" action="Accept" direction="Both" comment="interface ethernet1 has address on network 10.10.10.0/24,&#10;therefore net-10.10.10 is behind the router and we do&#10;not need to put rules 12-18 in outbound acl of eth0">
<Src neg="False">
@ -2869,7 +3088,10 @@
<PolicyRuleOptions>
<Option name="color">#C86E6E</Option>
<Option name="stateless">False</Option>
</PolicyRuleOptions>
<Option name="pf_classify_str"/>
</PolicyRuleOptions>
</PolicyRule>
<PolicyRule id="id4491X40592" disabled="False" log="False" position="13" action="Accept" direction="Both" comment="">
<Src neg="False">
@ -2890,7 +3112,10 @@
<PolicyRuleOptions>
<Option name="color">#C86E6E</Option>
<Option name="stateless">False</Option>
</PolicyRuleOptions>
<Option name="pf_classify_str"/>
</PolicyRuleOptions>
</PolicyRule>
<PolicyRule id="id4503X40592" disabled="False" log="False" position="14" action="Accept" direction="Both" comment="">
<Src neg="False">
@ -2911,7 +3136,10 @@
<PolicyRuleOptions>
<Option name="color">#C86E6E</Option>
<Option name="stateless">False</Option>
</PolicyRuleOptions>
<Option name="pf_classify_str"/>
</PolicyRuleOptions>
</PolicyRule>
<PolicyRule id="id4515X40592" disabled="False" log="False" position="15" action="Accept" direction="Both" comment="">
<Src neg="False">
@ -2932,7 +3160,10 @@
<PolicyRuleOptions>
<Option name="color">#C86E6E</Option>
<Option name="stateless">False</Option>
</PolicyRuleOptions>
<Option name="pf_classify_str"/>
</PolicyRuleOptions>
</PolicyRule>
<PolicyRule id="id4527X40592" disabled="False" log="False" position="16" action="Accept" direction="Both" comment="">
<Src neg="False">
@ -2953,7 +3184,10 @@
<PolicyRuleOptions>
<Option name="color">#C86E6E</Option>
<Option name="stateless">False</Option>
</PolicyRuleOptions>
<Option name="pf_classify_str"/>
</PolicyRuleOptions>
</PolicyRule>
<PolicyRule id="id4539X40592" disabled="False" log="False" position="17" action="Accept" direction="Both" comment="">
<Src neg="False">
@ -2974,7 +3208,10 @@
<PolicyRuleOptions>
<Option name="color">#C86E6E</Option>
<Option name="stateless">False</Option>
</PolicyRuleOptions>
<Option name="pf_classify_str"/>
</PolicyRuleOptions>
</PolicyRule>
<PolicyRule id="id4551X40592" disabled="False" log="False" position="18" action="Accept" direction="Both" comment="">
<Src neg="False">
@ -2995,7 +3232,10 @@
<PolicyRuleOptions>
<Option name="color">#C86E6E</Option>
<Option name="stateless">False</Option>
</PolicyRuleOptions>
<Option name="pf_classify_str"/>
</PolicyRuleOptions>
</PolicyRule>
<PolicyRule id="id4563X40592" disabled="False" group="" log="False" position="19" action="Accept" direction="Both" comment="">
<Src neg="False">
@ -3016,7 +3256,10 @@
<PolicyRuleOptions>
<Option name="color">#7694C0</Option>
<Option name="stateless">False</Option>
</PolicyRuleOptions>
<Option name="pf_classify_str"/>
</PolicyRuleOptions>
</PolicyRule>
<PolicyRule id="id4575X40592" disabled="False" group="" log="False" position="20" action="Accept" direction="Both" comment="">
<Src neg="False">
@ -3037,7 +3280,10 @@
<PolicyRuleOptions>
<Option name="color">#7694C0</Option>
<Option name="stateless">False</Option>
</PolicyRuleOptions>
<Option name="pf_classify_str"/>
</PolicyRuleOptions>
</PolicyRule>
<PolicyRule id="id4587X40592" disabled="False" log="True" position="21" action="Deny" direction="Both" comment="">
<Src neg="False">
@ -3057,7 +3303,10 @@
</When>
<PolicyRuleOptions>
<Option name="stateless">True</Option>
</PolicyRuleOptions>
<Option name="pf_classify_str"/>
</PolicyRuleOptions>
</PolicyRule>
<RuleSetOptions/>
</Policy>
@ -3225,7 +3474,10 @@
</When>
<PolicyRuleOptions>
<Option name="stateless">True</Option>
</PolicyRuleOptions>
<Option name="pf_classify_str"/>
</PolicyRuleOptions>
</PolicyRule>
<PolicyRule id="id4764X40592" disabled="False" log="False" position="1" action="Accept" direction="Both" comment="">
<Src neg="False">
@ -3246,7 +3498,10 @@
<PolicyRuleOptions>
<Option name="color">#C0BA44</Option>
<Option name="stateless">False</Option>
</PolicyRuleOptions>
<Option name="pf_classify_str"/>
</PolicyRuleOptions>
</PolicyRule>
<PolicyRule id="id4776X40592" disabled="False" log="False" position="2" action="Accept" direction="Both" comment="">
<Src neg="False">
@ -3268,7 +3523,10 @@
<PolicyRuleOptions>
<Option name="color">#C0BA44</Option>
<Option name="stateless">False</Option>
</PolicyRuleOptions>
<Option name="pf_classify_str"/>
</PolicyRuleOptions>
</PolicyRule>
<PolicyRule id="id4789X40592" disabled="False" group="" log="False" position="3" action="Accept" direction="Both" comment="">
<Src neg="False">
@ -3289,7 +3547,10 @@
<PolicyRuleOptions>
<Option name="color">#C0BA44</Option>
<Option name="stateless">False</Option>
</PolicyRuleOptions>
<Option name="pf_classify_str"/>
</PolicyRuleOptions>
</PolicyRule>
<PolicyRule id="id4801X40592" disabled="False" log="False" position="4" action="Accept" direction="Both" comment="">
<Src neg="False">
@ -3310,7 +3571,10 @@
<PolicyRuleOptions>
<Option name="color">#C0BA44</Option>
<Option name="stateless">False</Option>
</PolicyRuleOptions>
<Option name="pf_classify_str"/>
</PolicyRuleOptions>
</PolicyRule>
<PolicyRule id="id4813X40592" disabled="False" log="False" position="5" action="Accept" direction="Both" comment="">
<Src neg="False">
@ -3331,7 +3595,10 @@
<PolicyRuleOptions>
<Option name="color">#C0BA44</Option>
<Option name="stateless">False</Option>
</PolicyRuleOptions>
<Option name="pf_classify_str"/>
</PolicyRuleOptions>
</PolicyRule>
<PolicyRule id="id4825X40592" disabled="False" log="False" position="6" action="Accept" direction="Inbound" comment="">
<Src neg="False">
@ -3352,7 +3619,10 @@
<PolicyRuleOptions>
<Option name="color">#8BC065</Option>
<Option name="stateless">False</Option>
</PolicyRuleOptions>
<Option name="pf_classify_str"/>
</PolicyRuleOptions>
</PolicyRule>
<PolicyRule id="id4837X40592" disabled="False" log="False" position="7" action="Accept" direction="Inbound" comment="">
<Src neg="False">
@ -3373,7 +3643,10 @@
<PolicyRuleOptions>
<Option name="color">#8BC065</Option>
<Option name="stateless">False</Option>
</PolicyRuleOptions>
<Option name="pf_classify_str"/>
</PolicyRuleOptions>
</PolicyRule>
<PolicyRule id="id4849X40592" disabled="False" log="False" position="8" action="Accept" direction="Inbound" comment="">
<Src neg="False">
@ -3394,7 +3667,10 @@
<PolicyRuleOptions>
<Option name="color">#8BC065</Option>
<Option name="stateless">False</Option>
</PolicyRuleOptions>
<Option name="pf_classify_str"/>
</PolicyRuleOptions>
</PolicyRule>
<PolicyRule id="id4861X40592" disabled="False" log="False" position="9" action="Accept" direction="Both" comment="">
<Src neg="False">
@ -3415,7 +3691,10 @@
<PolicyRuleOptions>
<Option name="color">#C0BA44</Option>
<Option name="stateless">False</Option>
</PolicyRuleOptions>
<Option name="pf_classify_str"/>
</PolicyRuleOptions>
</PolicyRule>
<PolicyRule id="id4873X40592" disabled="False" log="False" position="10" action="Accept" direction="Both" comment="">
<Src neg="False">
@ -3436,7 +3715,10 @@
<PolicyRuleOptions>
<Option name="color">#C0BA44</Option>
<Option name="stateless">False</Option>
</PolicyRuleOptions>
<Option name="pf_classify_str"/>
</PolicyRuleOptions>
</PolicyRule>
<PolicyRule id="id4885X40592" disabled="False" log="False" position="11" action="Accept" direction="Both" comment="">
<Src neg="False">
@ -3457,7 +3739,10 @@
<PolicyRuleOptions>
<Option name="color">#C0BA44</Option>
<Option name="stateless">False</Option>
</PolicyRuleOptions>
<Option name="pf_classify_str"/>
</PolicyRuleOptions>
</PolicyRule>
<PolicyRule id="id4897X40592" disabled="False" log="False" position="12" action="Accept" direction="Both" comment="interface ethernet1 has address on network 10.10.10.0/24,&#10;therefore net-10.10.10 is behind the router and we do&#10;not need to put rules 12-18 in outbound acl of eth0">
<Src neg="False">
@ -3478,7 +3763,10 @@
<PolicyRuleOptions>
<Option name="color">#C86E6E</Option>
<Option name="stateless">False</Option>
</PolicyRuleOptions>
<Option name="pf_classify_str"/>
</PolicyRuleOptions>
</PolicyRule>
<PolicyRule id="id4909X40592" disabled="False" log="False" position="13" action="Accept" direction="Both" comment="">
<Src neg="False">
@ -3499,7 +3787,10 @@
<PolicyRuleOptions>
<Option name="color">#C86E6E</Option>
<Option name="stateless">False</Option>
</PolicyRuleOptions>
<Option name="pf_classify_str"/>
</PolicyRuleOptions>
</PolicyRule>
<PolicyRule id="id4921X40592" disabled="False" log="False" position="14" action="Accept" direction="Both" comment="">
<Src neg="False">
@ -3520,7 +3811,10 @@
<PolicyRuleOptions>
<Option name="color">#C86E6E</Option>
<Option name="stateless">False</Option>
</PolicyRuleOptions>
<Option name="pf_classify_str"/>
</PolicyRuleOptions>
</PolicyRule>
<PolicyRule id="id4933X40592" disabled="False" log="False" position="15" action="Accept" direction="Both" comment="">
<Src neg="False">
@ -3541,7 +3835,10 @@
<PolicyRuleOptions>
<Option name="color">#C86E6E</Option>
<Option name="stateless">False</Option>
</PolicyRuleOptions>
<Option name="pf_classify_str"/>
</PolicyRuleOptions>
</PolicyRule>
<PolicyRule id="id4945X40592" disabled="False" log="False" position="16" action="Accept" direction="Both" comment="">
<Src neg="False">
@ -3562,7 +3859,10 @@
<PolicyRuleOptions>
<Option name="color">#C86E6E</Option>
<Option name="stateless">False</Option>
</PolicyRuleOptions>
<Option name="pf_classify_str"/>
</PolicyRuleOptions>
</PolicyRule>
<PolicyRule id="id4957X40592" disabled="False" log="False" position="17" action="Accept" direction="Both" comment="">
<Src neg="False">
@ -3583,7 +3883,10 @@
<PolicyRuleOptions>
<Option name="color">#C86E6E</Option>
<Option name="stateless">False</Option>
</PolicyRuleOptions>
<Option name="pf_classify_str"/>
</PolicyRuleOptions>
</PolicyRule>
<PolicyRule id="id4969X40592" disabled="False" log="False" position="18" action="Accept" direction="Both" comment="">
<Src neg="False">
@ -3604,7 +3907,10 @@
<PolicyRuleOptions>
<Option name="color">#C86E6E</Option>
<Option name="stateless">False</Option>
</PolicyRuleOptions>
<Option name="pf_classify_str"/>
</PolicyRuleOptions>
</PolicyRule>
<PolicyRule id="id4981X40592" disabled="False" group="" log="False" position="19" action="Accept" direction="Both" comment="">
<Src neg="False">
@ -3625,7 +3931,10 @@
<PolicyRuleOptions>
<Option name="color">#7694C0</Option>
<Option name="stateless">False</Option>
</PolicyRuleOptions>
<Option name="pf_classify_str"/>
</PolicyRuleOptions>
</PolicyRule>
<PolicyRule id="id4993X40592" disabled="False" group="" log="False" position="20" action="Accept" direction="Both" comment="">
<Src neg="False">
@ -3646,7 +3955,10 @@
<PolicyRuleOptions>
<Option name="color">#7694C0</Option>
<Option name="stateless">False</Option>
</PolicyRuleOptions>
<Option name="pf_classify_str"/>
</PolicyRuleOptions>
</PolicyRule>
<PolicyRule id="id5005X40592" disabled="False" log="True" position="21" action="Deny" direction="Both" comment="">
<Src neg="False">
@ -3666,7 +3978,10 @@
</When>
<PolicyRuleOptions>
<Option name="stateless">True</Option>
</PolicyRuleOptions>
<Option name="pf_classify_str"/>
</PolicyRuleOptions>
</PolicyRule>
<RuleSetOptions/>
</Policy>
@ -3834,7 +4149,10 @@
</When>
<PolicyRuleOptions>
<Option name="stateless">True</Option>
</PolicyRuleOptions>
<Option name="pf_classify_str"/>
</PolicyRuleOptions>
</PolicyRule>
<PolicyRule id="id5612X54035" disabled="False" log="False" position="1" action="Accept" direction="Both" comment="">
<Src neg="False">
@ -3855,7 +4173,10 @@
<PolicyRuleOptions>
<Option name="color">#C0BA44</Option>
<Option name="stateless">False</Option>
</PolicyRuleOptions>
<Option name="pf_classify_str"/>
</PolicyRuleOptions>
</PolicyRule>
<PolicyRule id="id5624X54035" disabled="False" log="False" position="2" action="Accept" direction="Both" comment="">
<Src neg="False">
@ -3877,7 +4198,10 @@
<PolicyRuleOptions>
<Option name="color">#C0BA44</Option>
<Option name="stateless">False</Option>
</PolicyRuleOptions>
<Option name="pf_classify_str"/>
</PolicyRuleOptions>
</PolicyRule>
<PolicyRule id="id5637X54035" disabled="False" group="" log="False" position="3" action="Accept" direction="Both" comment="">
<Src neg="False">
@ -3898,7 +4222,10 @@
<PolicyRuleOptions>
<Option name="color">#C0BA44</Option>
<Option name="stateless">False</Option>
</PolicyRuleOptions>
<Option name="pf_classify_str"/>
</PolicyRuleOptions>
</PolicyRule>
<PolicyRule id="id5649X54035" disabled="False" log="False" position="4" action="Accept" direction="Both" comment="">
<Src neg="False">
@ -3919,7 +4246,10 @@
<PolicyRuleOptions>
<Option name="color">#C0BA44</Option>
<Option name="stateless">False</Option>
</PolicyRuleOptions>
<Option name="pf_classify_str"/>
</PolicyRuleOptions>
</PolicyRule>
<PolicyRule id="id5661X54035" disabled="False" log="False" position="5" action="Accept" direction="Both" comment="">
<Src neg="False">
@ -3940,7 +4270,10 @@
<PolicyRuleOptions>
<Option name="color">#C0BA44</Option>
<Option name="stateless">False</Option>
</PolicyRuleOptions>
<Option name="pf_classify_str"/>
</PolicyRuleOptions>
</PolicyRule>
<PolicyRule id="id5673X54035" disabled="False" log="False" position="6" action="Accept" direction="Inbound" comment="">
<Src neg="False">
@ -3961,7 +4294,10 @@
<PolicyRuleOptions>
<Option name="color">#8BC065</Option>
<Option name="stateless">False</Option>
</PolicyRuleOptions>
<Option name="pf_classify_str"/>
</PolicyRuleOptions>
</PolicyRule>
<PolicyRule id="id5685X54035" disabled="False" log="False" position="7" action="Accept" direction="Inbound" comment="">
<Src neg="False">
@ -3982,7 +4318,10 @@
<PolicyRuleOptions>
<Option name="color">#8BC065</Option>
<Option name="stateless">False</Option>
</PolicyRuleOptions>
<Option name="pf_classify_str"/>
</PolicyRuleOptions>
</PolicyRule>
<PolicyRule id="id5697X54035" disabled="False" log="False" position="8" action="Accept" direction="Inbound" comment="">
<Src neg="False">
@ -4003,7 +4342,10 @@
<PolicyRuleOptions>
<Option name="color">#8BC065</Option>
<Option name="stateless">False</Option>
</PolicyRuleOptions>
<Option name="pf_classify_str"/>
</PolicyRuleOptions>
</PolicyRule>
<PolicyRule id="id5709X54035" disabled="False" log="False" position="9" action="Accept" direction="Both" comment="">
<Src neg="False">
@ -4024,7 +4366,10 @@
<PolicyRuleOptions>
<Option name="color">#C0BA44</Option>
<Option name="stateless">False</Option>
</PolicyRuleOptions>
<Option name="pf_classify_str"/>
</PolicyRuleOptions>
</PolicyRule>
<PolicyRule id="id5721X54035" disabled="False" log="False" position="10" action="Accept" direction="Both" comment="">
<Src neg="False">
@ -4045,7 +4390,10 @@
<PolicyRuleOptions>
<Option name="color">#C0BA44</Option>
<Option name="stateless">False</Option>
</PolicyRuleOptions>
<Option name="pf_classify_str"/>
</PolicyRuleOptions>
</PolicyRule>
<PolicyRule id="id5733X54035" disabled="False" log="False" position="11" action="Accept" direction="Both" comment="">
<Src neg="False">
@ -4066,7 +4414,10 @@
<PolicyRuleOptions>
<Option name="color">#C0BA44</Option>
<Option name="stateless">False</Option>
</PolicyRuleOptions>
<Option name="pf_classify_str"/>
</PolicyRuleOptions>
</PolicyRule>
<PolicyRule id="id5745X54035" disabled="False" log="False" position="12" action="Accept" direction="Both" comment="interface ethernet1 has address on network 10.10.10.0/24,&#10;therefore net-10.10.10 is behind the router and we do&#10;not need to put rules 12-18 in outbound acl of eth0">
<Src neg="False">
@ -4087,7 +4438,10 @@
<PolicyRuleOptions>
<Option name="color">#C86E6E</Option>
<Option name="stateless">False</Option>
</PolicyRuleOptions>
<Option name="pf_classify_str"/>
</PolicyRuleOptions>
</PolicyRule>
<PolicyRule id="id5757X54035" disabled="False" log="False" position="13" action="Accept" direction="Both" comment="">
<Src neg="False">
@ -4108,7 +4462,10 @@
<PolicyRuleOptions>
<Option name="color">#C86E6E</Option>
<Option name="stateless">False</Option>
</PolicyRuleOptions>
<Option name="pf_classify_str"/>
</PolicyRuleOptions>
</PolicyRule>
<PolicyRule id="id5769X54035" disabled="False" log="False" position="14" action="Accept" direction="Both" comment="">
<Src neg="False">
@ -4129,7 +4486,10 @@
<PolicyRuleOptions>
<Option name="color">#C86E6E</Option>
<Option name="stateless">False</Option>
</PolicyRuleOptions>
<Option name="pf_classify_str"/>
</PolicyRuleOptions>
</PolicyRule>
<PolicyRule id="id5781X54035" disabled="False" log="False" position="15" action="Accept" direction="Both" comment="">
<Src neg="False">
@ -4150,7 +4510,10 @@
<PolicyRuleOptions>
<Option name="color">#C86E6E</Option>
<Option name="stateless">False</Option>
</PolicyRuleOptions>
<Option name="pf_classify_str"/>
</PolicyRuleOptions>
</PolicyRule>
<PolicyRule id="id5793X54035" disabled="False" log="False" position="16" action="Accept" direction="Both" comment="">
<Src neg="False">
@ -4171,7 +4534,10 @@
<PolicyRuleOptions>
<Option name="color">#C86E6E</Option>
<Option name="stateless">False</Option>
</PolicyRuleOptions>
<Option name="pf_classify_str"/>
</PolicyRuleOptions>
</PolicyRule>
<PolicyRule id="id5805X54035" disabled="False" log="False" position="17" action="Accept" direction="Both" comment="">
<Src neg="False">
@ -4192,7 +4558,10 @@
<PolicyRuleOptions>
<Option name="color">#C86E6E</Option>
<Option name="stateless">False</Option>
</PolicyRuleOptions>
<Option name="pf_classify_str"/>
</PolicyRuleOptions>
</PolicyRule>
<PolicyRule id="id5817X54035" disabled="False" log="False" position="18" action="Accept" direction="Both" comment="">
<Src neg="False">
@ -4213,7 +4582,10 @@
<PolicyRuleOptions>
<Option name="color">#C86E6E</Option>
<Option name="stateless">False</Option>
</PolicyRuleOptions>
<Option name="pf_classify_str"/>
</PolicyRuleOptions>
</PolicyRule>
<PolicyRule id="id5829X54035" disabled="False" group="" log="False" position="19" action="Accept" direction="Both" comment="">
<Src neg="False">
@ -4234,7 +4606,10 @@
<PolicyRuleOptions>
<Option name="color">#7694C0</Option>
<Option name="stateless">False</Option>
</PolicyRuleOptions>
<Option name="pf_classify_str"/>
</PolicyRuleOptions>
</PolicyRule>
<PolicyRule id="id5841X54035" disabled="False" group="" log="False" position="20" action="Accept" direction="Both" comment="">
<Src neg="False">
@ -4255,7 +4630,10 @@
<PolicyRuleOptions>
<Option name="color">#7694C0</Option>
<Option name="stateless">False</Option>
</PolicyRuleOptions>
<Option name="pf_classify_str"/>
</PolicyRuleOptions>
</PolicyRule>
<PolicyRule id="id5853X54035" disabled="False" log="True" position="21" action="Deny" direction="Both" comment="">
<Src neg="False">
@ -4275,7 +4653,10 @@
</When>
<PolicyRuleOptions>
<Option name="stateless">True</Option>
</PolicyRuleOptions>
<Option name="pf_classify_str"/>
</PolicyRuleOptions>
</PolicyRule>
<RuleSetOptions/>
</Policy>