
* PolicyCompiler_ipt.cpp (PolicyCompiler_ipt::insertConntrackRule):

fixes #1175 "There is no option for unicast on conntrac
sync-group (like heartbeat)". User can now choose between multicast
and unicast for conntrackd communication.
Vadim Kurland 2010-02-07 04:31:52 +00:00
parent 2506e35544
commit e50fcd4beb
7 changed files with 623 additions and 77 deletions


@ -1 +1 @@
#define BUILD_NUM 2500
#define BUILD_NUM 2501


@ -1,5 +1,10 @@
2010-02-06 vadim <vadim@vk.crocodile.org>
* PolicyCompiler_ipt.cpp (PolicyCompiler_ipt::insertConntrackRule):
fixes #1175 "There is no option for unicast on conntrac
sync-group (like heartbeat)". User can now choose between multicast
and unicast for conntrackd communication.
* FWWindow.cpp (FWWindow::showWelcome): fixes #1213 Welcome screen.
When user starts the program for the very first time, it shows
a "Welcome" screen that lists summary of features of fwbuilder and


@ -70,6 +70,9 @@ conntrackOptionsDialog::conntrackOptionsDialog(QWidget *parent, FWObject *o)
string port = gropt->getStr("conntrack_port");
if (port.empty()) gropt->setStr("conntrack_port", default_port);
data.registerOption(m_dialog->use_unicast,
gropt,
"conntrack_unicast");
data.registerOption(m_dialog->conntrack_address,
gropt,
"conntrack_address");
@ -78,6 +81,8 @@ conntrackOptionsDialog::conntrackOptionsDialog(QWidget *parent, FWObject *o)
gropt,
"conntrack_port");
data.loadAll();
toggleUseUnicast();
}
conntrackOptionsDialog::~conntrackOptionsDialog()
@ -130,3 +135,10 @@ bool conntrackOptionsDialog::validate()
return true;
}
void conntrackOptionsDialog::toggleUseUnicast()
{
bool onoff = m_dialog->use_unicast->isChecked();
m_dialog->conntrack_address->setEnabled( ! onoff );
m_dialog->conntrack_address_label->setEnabled( ! onoff );
}
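Review bot: toggleUseUnicast() carries no comment explaining why checking "use unicast" disables the address field, which reads as inverted until one looks at the compiler change in this same commit, where the unicast branch derives peers from the member interfaces in the state sync group and never uses conntrack_address; add `// In unicast mode the peer addresses come from the cluster member interfaces, so conntrack_address is not used.` above the setEnabled calls. The slot is connected to the checkbox's clicked() signal in the .ui file, which does not fire for programmatic changes such as data.loadAll(), so the explicit toggleUseUnicast() call after loadAll() in the constructor is load-bearing and deserves a one-line comment saying so, or the connection could use toggled(bool) instead. Minor style: `! onoff` is written with a space the rest of the file does not use; `!onoff` would match.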


@ -53,6 +53,7 @@ private:
protected slots:
virtual void accept();
virtual void reject();
virtual void toggleUseUnicast();
};
#endif // __CONNTRACKOPTIONSDIALOG_H_


@ -1,7 +1,8 @@
<ui version="4.0" >
<?xml version="1.0" encoding="UTF-8"?>
<ui version="4.0">
<class>conntrackOptionsDialog_q</class>
<widget class="QDialog" name="conntrackOptionsDialog_q" >
<property name="geometry" >
<widget class="QDialog" name="conntrackOptionsDialog_q">
<property name="geometry">
<rect>
<x>0</x>
<y>0</y>
@ -9,21 +10,21 @@
<height>276</height>
</rect>
</property>
<property name="windowTitle" >
<property name="windowTitle">
<string>conntrack protocol settings</string>
</property>
<layout class="QGridLayout" >
<item row="1" column="0" >
<layout class="QHBoxLayout" >
<layout class="QGridLayout">
<item row="1" column="0">
<layout class="QHBoxLayout">
<item>
<spacer>
<property name="orientation" >
<property name="orientation">
<enum>Qt::Horizontal</enum>
</property>
<property name="sizeType" >
<property name="sizeType">
<enum>QSizePolicy::Expanding</enum>
</property>
<property name="sizeHint" stdset="0" >
<property name="sizeHint" stdset="0">
<size>
<width>151</width>
<height>27</height>
@ -32,83 +33,90 @@
</spacer>
</item>
<item>
<widget class="QPushButton" name="buttonOk" >
<property name="text" >
<widget class="QPushButton" name="buttonOk">
<property name="text">
<string>&amp;OK</string>
</property>
<property name="shortcut" >
<property name="shortcut">
<string/>
</property>
<property name="autoDefault" >
<property name="autoDefault">
<bool>true</bool>
</property>
<property name="default" >
<property name="default">
<bool>true</bool>
</property>
</widget>
</item>
<item>
<widget class="QPushButton" name="buttonCancel" >
<property name="text" >
<widget class="QPushButton" name="buttonCancel">
<property name="text">
<string>&amp;Cancel</string>
</property>
<property name="shortcut" >
<property name="shortcut">
<string/>
</property>
<property name="autoDefault" >
<property name="autoDefault">
<bool>true</bool>
</property>
</widget>
</item>
</layout>
</item>
<item row="0" column="0" >
<widget class="QTabWidget" name="tabWidget" >
<property name="tabShape" >
<item row="0" column="0">
<widget class="QTabWidget" name="tabWidget">
<property name="tabShape">
<enum>QTabWidget::Rounded</enum>
</property>
<property name="currentIndex" >
<property name="currentIndex">
<number>0</number>
</property>
<widget class="QWidget" name="tab" >
<attribute name="title" >
<string>conntrack Parameters</string>
</attribute>
<attribute name="icon" >
<iconset resource="MainRes.qrc" >
<widget class="QWidget" name="tab">
<attribute name="icon">
<iconset>
<normaloff>:/Icons/Options</normaloff>:/Icons/Options</iconset>
</attribute>
<layout class="QGridLayout" name="gridLayout" >
<item row="0" column="0" >
<widget class="QLabel" name="label" >
<property name="text" >
<attribute name="title">
<string>conntrack Parameters</string>
</attribute>
<layout class="QGridLayout" name="gridLayout">
<item row="0" column="0" colspan="3">
<widget class="QCheckBox" name="use_unicast">
<property name="text">
<string>Use unicast address for conntrackd</string>
</property>
</widget>
</item>
<item row="1" column="0">
<widget class="QLabel" name="conntrack_address_label">
<property name="text">
<string>Address:</string>
</property>
</widget>
</item>
<item row="0" column="1" colspan="2" >
<widget class="QLineEdit" name="conntrack_address" />
<item row="1" column="1" colspan="2">
<widget class="QLineEdit" name="conntrack_address"/>
</item>
<item row="1" column="0" >
<widget class="QLabel" name="label_2" >
<property name="text" >
<item row="2" column="0">
<widget class="QLabel" name="label_2">
<property name="text">
<string>Port number (udp):</string>
</property>
</widget>
</item>
<item row="1" column="1" >
<widget class="QSpinBox" name="conntrack_port" >
<property name="maximum" >
<item row="2" column="1">
<widget class="QSpinBox" name="conntrack_port">
<property name="maximum">
<number>65535</number>
</property>
</widget>
</item>
<item row="1" column="2" >
<spacer name="horizontalSpacer" >
<property name="orientation" >
<item row="2" column="2">
<spacer name="horizontalSpacer">
<property name="orientation">
<enum>Qt::Horizontal</enum>
</property>
<property name="sizeHint" stdset="0" >
<property name="sizeHint" stdset="0">
<size>
<width>117</width>
<height>20</height>
@ -116,12 +124,12 @@
</property>
</spacer>
</item>
<item row="2" column="0" colspan="3" >
<item row="3" column="1">
<spacer>
<property name="orientation" >
<property name="orientation">
<enum>Qt::Vertical</enum>
</property>
<property name="sizeHint" stdset="0" >
<property name="sizeHint" stdset="0">
<size>
<width>20</width>
<height>40</height>
@ -135,14 +143,14 @@
</item>
</layout>
</widget>
<layoutdefault spacing="6" margin="11" />
<layoutdefault spacing="6" margin="11"/>
<tabstops>
<tabstop>buttonOk</tabstop>
<tabstop>buttonCancel</tabstop>
<tabstop>tabWidget</tabstop>
</tabstops>
<resources>
<include location="MainRes.qrc" />
<include location="MainRes.qrc"/>
</resources>
<connections>
<connection>
@ -151,11 +159,11 @@
<receiver>conntrackOptionsDialog_q</receiver>
<slot>accept()</slot>
<hints>
<hint type="sourcelabel" >
<hint type="sourcelabel">
<x>316</x>
<y>472</y>
</hint>
<hint type="destinationlabel" >
<hint type="destinationlabel">
<x>20</x>
<y>20</y>
</hint>
@ -167,15 +175,34 @@
<receiver>conntrackOptionsDialog_q</receiver>
<slot>reject()</slot>
<hints>
<hint type="sourcelabel" >
<hint type="sourcelabel">
<x>397</x>
<y>472</y>
</hint>
<hint type="destinationlabel" >
<hint type="destinationlabel">
<x>20</x>
<y>20</y>
</hint>
</hints>
</connection>
<connection>
<sender>use_unicast</sender>
<signal>clicked()</signal>
<receiver>conntrackOptionsDialog_q</receiver>
<slot>toggleUseUnicast()</slot>
<hints>
<hint type="sourcelabel">
<x>196</x>
<y>50</y>
</hint>
<hint type="destinationlabel">
<x>193</x>
<y>137</y>
</hint>
</hints>
</connection>
</connections>
<slots>
<slot>toggleUseUnicast()</slot>
</slots>
</ui>


@ -4697,6 +4697,7 @@ void PolicyCompiler_ipt::insertConntrackRule()
string default_port =
os_res->getResourceStr("/FWBuilderResources/Target/protocols/conntrack/default_port");
bool ucast = state_sync_group->getOptionsObject()->getBool("conntrack_unicast");
string addr = state_sync_group->getOptionsObject()->getStr("conntrack_address");
if (addr.empty()) addr = default_address;
@ -4743,19 +4744,60 @@ void PolicyCompiler_ipt::insertConntrackRule()
}
/* Add automatic rules for CONNTRACK */
addMgmtRule(NULL,
conntrack_dst,
conntrack_srv,
conntrack_iface,
PolicyRule::Inbound,
PolicyRule::Accept, "CONNTRACK");
if (ucast)
{
Interface *fw_iface = NULL;
list<Interface*> other_interfaces;
for (FWObjectTypedChildIterator it =
state_sync_group->findByType(FWObjectReference::TYPENAME);
it != it.end(); ++it)
{
Interface *iface =
Interface::cast(FWObjectReference::getObject(*it));
assert(iface);
if (iface->isChildOf(fw))
{
fw_iface = iface;
} else
{
other_interfaces.push_back(iface);
}
}
foreach(Interface *other_iface, other_interfaces)
{
addMgmtRule(other_iface,
fw,
conntrack_srv,
fw_iface,
PolicyRule::Inbound,
PolicyRule::Accept,
"CONNTRACK");
addMgmtRule(fw,
other_iface,
conntrack_srv,
fw_iface,
PolicyRule::Outbound,
PolicyRule::Accept,
"CONNTRACK");
}
} else
{
addMgmtRule(NULL,
conntrack_dst,
conntrack_srv,
conntrack_iface,
PolicyRule::Inbound,
PolicyRule::Accept,
"CONNTRACK");
addMgmtRule(fw,
conntrack_dst,
conntrack_srv,
conntrack_iface,
PolicyRule::Outbound,
PolicyRule::Accept, "CONNTRACK");
addMgmtRule(fw,
conntrack_dst,
conntrack_srv,
conntrack_iface,
PolicyRule::Outbound,
PolicyRule::Accept,
"CONNTRACK");
}
}
void PolicyCompiler_ipt::insertFailoverRule()
@ -4883,13 +4925,13 @@ void PolicyCompiler_ipt::insertFailoverRule()
assert(other_iface);
if (other_iface->getId() == fw_iface->getId()) continue;
addMgmtRule(other_iface,
fw_iface,
fw,
heartbeat_srv,
fw_iface,
PolicyRule::Inbound,
PolicyRule::Accept,
"heartbeat");
addMgmtRule(fw_iface,
addMgmtRule(fw,
other_iface,
heartbeat_srv,
fw_iface,
@ -4899,13 +4941,19 @@ void PolicyCompiler_ipt::insertFailoverRule()
}
} else
{
addMgmtRule(NULL, heartbeat_dst, heartbeat_srv,
addMgmtRule(NULL,
heartbeat_dst,
heartbeat_srv,
fw_iface,
PolicyRule::Inbound, PolicyRule::Accept,
PolicyRule::Inbound,
PolicyRule::Accept,
"heartbeat");
addMgmtRule(fw, heartbeat_dst, heartbeat_srv,
addMgmtRule(fw,
heartbeat_dst,
heartbeat_srv,
fw_iface,
PolicyRule::Outbound, PolicyRule::Accept,
PolicyRule::Outbound,
PolicyRule::Accept,
"heartbeat");
}
}
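Review bot: In the unicast branch of insertConntrackRule (second hunk), fw_iface starts as NULL and is passed as the interface to both addMgmtRule calls for every other_iface without ever being checked, so a state sync group that holds no interface of this firewall produces accept rules bound to a null interface; add `assert(fw_iface);` after the collection loop, or better a proper compiler error, since assert is compiled out under NDEBUG and the same applies to the `assert(iface)` that guards `iface->isChildOf(fw)`. The body of insertConntrackRule begins before this hunk. Separately, the third hunk changes the source and destination of the heartbeat rules in insertFailoverRule from fw_iface to fw; if addMgmtRule matches on all addresses of a Firewall object, this widens those accept rules from the heartbeat interface's own address to every address of the firewall, which neither the commit message nor the ChangeLog mentions, so a comment stating the intended scope would help a future reader judge whether that broadening was deliberate.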


@ -1,6 +1,6 @@
<?xml version="1.0" encoding="utf-8"?>
<!DOCTYPE FWObjectDatabase SYSTEM "fwbuilder.dtd">
<FWObjectDatabase xmlns="http://www.fwbuilder.org/1.0/" version="16" lastModified="1253911075" id="root">
<FWObjectDatabase xmlns="http://www.fwbuilder.org/1.0/" version="16" lastModified="1265516191" id="root">
<Library id="sysid99" name="Deleted Objects" comment="" ro="False">
<StateSyncClusterGroup id="id3505X94039" type="conntrack" name="State Sync Group-1" comment="">
<ClusterGroupOptions/>
@ -1196,7 +1196,7 @@
<ClusterGroupOptions/>
</StateSyncClusterGroup>
</Cluster>
<Cluster id="id3433X13311" host_OS="linux24" inactive="False" lastCompiled="1264020601" lastInstalled="0" lastModified="1265006442" platform="iptables" name="heartbeat_cluster_1" comment="This is an example of linux/heartbeat cluster with two policy rule sets. Branching rule in the top policy passes control to rule set to_fw, which is different in member firewalls. See ticket #372 for explanation.&#10;" ro="False">
<Cluster id="id3433X13311" host_OS="linux24" inactive="False" lastCompiled="1265516307" lastInstalled="0" lastModified="1265006442" platform="iptables" name="heartbeat_cluster_1" comment="This is an example of linux/heartbeat cluster with two policy rule sets. Branching rule in the top policy passes control to rule set to_fw, which is different in member firewalls. See ticket #372 for explanation.&#10;" ro="False">
<NAT id="id3587X13311" name="NAT" comment="" ro="False" ipv4_rule_set="False" ipv6_rule_set="False" top_rule_set="True">
<NATRule id="id5131X78768" disabled="False" position="0" action="Translate" comment="">
<OSrc neg="False">
@ -2277,6 +2277,459 @@
</ClusterGroupOptions>
</StateSyncClusterGroup>
</Cluster>
<Cluster id="id5184X20350" host_OS="linux24" inactive="False" lastCompiled="1265516308" lastInstalled="0" lastModified="1265516222" platform="iptables" name="heartbeat_cluster_2" comment="This is an example of linux/heartbeat cluster with two policy rule sets. Branching rule in the top policy passes control to rule set to_fw, which is different in member firewalls. See ticket #372 for explanation.&#10;&#10;same as heartbeat_cluster_1 except using unicast for conntrack and heartbeat&#10;" ro="False">
<NAT id="id5369X20350" name="NAT" comment="" ro="False" ipv4_rule_set="False" ipv6_rule_set="False" top_rule_set="True">
<NATRule id="id5370X20350" disabled="False" position="0" action="Translate" comment="">
<OSrc neg="False">
<ObjectRef ref="id3DC75CE7-1"/>
</OSrc>
<ODst neg="False">
<ObjectRef ref="sysid0"/>
</ODst>
<OSrv neg="False">
<ServiceRef ref="sysid1"/>
</OSrv>
<TSrc neg="False">
<ObjectRef ref="id5194X20350"/>
</TSrc>
<TDst neg="False">
<ObjectRef ref="sysid0"/>
</TDst>
<TSrv neg="False">
<ServiceRef ref="sysid1"/>
</TSrv>
<NATRuleOptions/>
</NATRule>
<NATRule id="id5384X20350" disabled="False" position="1" action="Translate" comment="">
<OSrc neg="False">
<ObjectRef ref="id3DC75CE7-1"/>
</OSrc>
<ODst neg="False">
<ObjectRef ref="sysid0"/>
</ODst>
<OSrv neg="False">
<ServiceRef ref="sysid1"/>
</OSrv>
<TSrc neg="False">
<ObjectRef ref="id5184X20350"/>
</TSrc>
<TDst neg="False">
<ObjectRef ref="sysid0"/>
</TDst>
<TSrv neg="False">
<ServiceRef ref="sysid1"/>
</TSrv>
<NATRuleOptions/>
</NATRule>
<RuleSetOptions/>
</NAT>
<Policy id="id5220X20350" name="Policy" comment="" ro="False" ipv4_rule_set="False" ipv6_rule_set="False" top_rule_set="True">
<PolicyRule id="id5221X20350" disabled="False" group="" log="False" position="0" action="Accept" direction="Both" comment="">
<Src neg="False">
<ObjectRef ref="sysid0"/>
</Src>
<Dst neg="False">
<ObjectRef ref="id3054X14356"/>
</Dst>
<Srv neg="False">
<ServiceRef ref="id3068X14356"/>
</Srv>
<Itf neg="False">
<ObjectRef ref="id5194X20350"/>
</Itf>
<When neg="False">
<IntervalRef ref="sysid2"/>
</When>
<PolicyRuleOptions>
<Option name="stateless">False</Option>
</PolicyRuleOptions>
</PolicyRule>
<PolicyRule id="id5233X20350" disabled="False" log="True" position="1" action="Deny" direction="Inbound" comment="anti spoofing rule">
<Src neg="False">
<ObjectRef ref="id3DC75CE7-1"/>
<ObjectRef ref="id5184X20350"/>
</Src>
<Dst neg="False">
<ObjectRef ref="sysid0"/>
</Dst>
<Srv neg="False">
<ServiceRef ref="sysid1"/>
</Srv>
<Itf neg="False">
<ObjectRef ref="id5194X20350"/>
</Itf>
<When neg="False">
<IntervalRef ref="sysid2"/>
</When>
<PolicyRuleOptions/>
</PolicyRule>
<PolicyRule id="id5246X20350" disabled="False" log="False" position="2" action="Accept" direction="Both" comment="">
<Src neg="False">
<ObjectRef ref="sysid0"/>
</Src>
<Dst neg="False">
<ObjectRef ref="sysid0"/>
</Dst>
<Srv neg="False">
<ServiceRef ref="sysid1"/>
</Srv>
<Itf neg="False">
<ObjectRef ref="id2847X69605"/>
</Itf>
<When neg="False">
<IntervalRef ref="sysid2"/>
</When>
<PolicyRuleOptions/>
</PolicyRule>
<PolicyRule id="id5258X20350" disabled="False" log="False" position="3" action="Accept" direction="Both" comment="SSH Access to firewall is permitted&#10;only from internal network">
<Src neg="False">
<ObjectRef ref="id3DC75CE7-1"/>
</Src>
<Dst neg="False">
<ObjectRef ref="id5184X20350"/>
</Dst>
<Srv neg="False">
<ServiceRef ref="tcp-SSH"/>
</Srv>
<Itf neg="False">
<ObjectRef ref="sysid0"/>
</Itf>
<When neg="False">
<IntervalRef ref="sysid2"/>
</When>
<PolicyRuleOptions/>
</PolicyRule>
<PolicyRule id="id5270X20350" disabled="False" group="" log="False" position="4" action="Accept" direction="Both" comment="SSH Access to firewall is permitted&#10;only from internal network">
<Src neg="False">
<ObjectRef ref="id3DC75CE7-1"/>
</Src>
<Dst neg="False">
<ObjectRef ref="id5216X20350"/>
</Dst>
<Srv neg="False">
<ServiceRef ref="tcp-SSH"/>
</Srv>
<Itf neg="False">
<ObjectRef ref="sysid0"/>
</Itf>
<When neg="False">
<IntervalRef ref="sysid2"/>
</When>
<PolicyRuleOptions/>
</PolicyRule>
<PolicyRule id="id5282X20350" disabled="False" log="True" position="5" action="Accept" direction="Both" comment="Firewall uses one of the machines&#10;on internal network for DNS">
<Src neg="False">
<ObjectRef ref="id5184X20350"/>
</Src>
<Dst neg="False">
<ObjectRef ref="id3DC75CE7-1"/>
</Dst>
<Srv neg="False">
<ServiceRef ref="id3F530CC8"/>
</Srv>
<Itf neg="False">
<ObjectRef ref="sysid0"/>
</Itf>
<When neg="False">
<IntervalRef ref="sysid2"/>
</When>
<PolicyRuleOptions/>
</PolicyRule>
<PolicyRule id="id5294X20350" disabled="False" group="" log="False" position="6" action="Branch" direction="Both" comment="branch rule set is different in members linux-1 and linux-2">
<Src neg="False">
<ObjectRef ref="sysid0"/>
</Src>
<Dst neg="False">
<ObjectRef ref="id5184X20350"/>
</Dst>
<Srv neg="False">
<ServiceRef ref="sysid1"/>
</Srv>
<Itf neg="False">
<ObjectRef ref="sysid0"/>
</Itf>
<When neg="False">
<IntervalRef ref="sysid2"/>
</When>
<PolicyRuleOptions>
<Option name="action_on_reject"></Option>
<Option name="branch_id">id5367X20350</Option>
<Option name="classify_str"></Option>
<Option name="connlimit_masklen">0</Option>
<Option name="connlimit_value">0</Option>
<Option name="custom_str"></Option>
<Option name="firewall_is_part_of_any_and_networks">False</Option>
<Option name="hashlimit_burst">0</Option>
<Option name="hashlimit_dstlimit">False</Option>
<Option name="hashlimit_expire">0</Option>
<Option name="hashlimit_gcinterval">0</Option>
<Option name="hashlimit_max">0</Option>
<Option name="hashlimit_mode_dstip">False</Option>
<Option name="hashlimit_mode_dstport">False</Option>
<Option name="hashlimit_mode_srcip">False</Option>
<Option name="hashlimit_mode_srcport">False</Option>
<Option name="hashlimit_name"></Option>
<Option name="hashlimit_size">0</Option>
<Option name="hashlimit_suffix"></Option>
<Option name="hashlimit_value">0</Option>
<Option name="ipf_route_opt_addr"></Option>
<Option name="ipf_route_opt_if"></Option>
<Option name="ipf_route_option">route_through</Option>
<Option name="ipfw_classify_method">2</Option>
<Option name="ipfw_pipe_port_num">0</Option>
<Option name="ipfw_pipe_queue_num">0</Option>
<Option name="ipt_branch_in_mangle">False</Option>
<Option name="ipt_continue">False</Option>
<Option name="ipt_gw"></Option>
<Option name="ipt_iif"></Option>
<Option name="ipt_mark_connections">False</Option>
<Option name="ipt_oif"></Option>
<Option name="ipt_tee">False</Option>
<Option name="limit_burst">0</Option>
<Option name="limit_suffix"></Option>
<Option name="limit_value">0</Option>
<Option name="log_level"></Option>
<Option name="log_prefix"></Option>
<Option name="pf_fastroute">False</Option>
<Option name="pf_route_load_option">none</Option>
<Option name="pf_route_opt_addr"></Option>
<Option name="pf_route_opt_if"></Option>
<Option name="pf_route_option">none</Option>
<Option name="rule_name_accounting"></Option>
<Option name="stateless">True</Option>
<Option name="ulog_nlgroup">1</Option>
</PolicyRuleOptions>
</PolicyRule>
<PolicyRule id="id5306X20350" disabled="False" group="" log="False" position="7" action="Branch" direction="Both" comment="branch rule set is different in members linux-1 and linux-2">
<Src neg="False">
<ObjectRef ref="sysid0"/>
</Src>
<Dst neg="False">
<ObjectRef ref="id2735X69605"/>
</Dst>
<Srv neg="False">
<ServiceRef ref="sysid1"/>
</Srv>
<Itf neg="False">
<ObjectRef ref="sysid0"/>
</Itf>
<When neg="False">
<IntervalRef ref="sysid2"/>
</When>
<PolicyRuleOptions>
<Option name="action_on_reject"></Option>
<Option name="branch_id">id5367X20350</Option>
<Option name="classify_str"></Option>
<Option name="connlimit_masklen">0</Option>
<Option name="connlimit_value">0</Option>
<Option name="custom_str"></Option>
<Option name="firewall_is_part_of_any_and_networks">False</Option>
<Option name="hashlimit_burst">0</Option>
<Option name="hashlimit_dstlimit">False</Option>
<Option name="hashlimit_expire">0</Option>
<Option name="hashlimit_gcinterval">0</Option>
<Option name="hashlimit_max">0</Option>
<Option name="hashlimit_mode_dstip">False</Option>
<Option name="hashlimit_mode_dstport">False</Option>
<Option name="hashlimit_mode_srcip">False</Option>
<Option name="hashlimit_mode_srcport">False</Option>
<Option name="hashlimit_name"></Option>
<Option name="hashlimit_size">0</Option>
<Option name="hashlimit_suffix"></Option>
<Option name="hashlimit_value">0</Option>
<Option name="ipf_route_opt_addr"></Option>
<Option name="ipf_route_opt_if"></Option>
<Option name="ipf_route_option">route_through</Option>
<Option name="ipfw_classify_method">2</Option>
<Option name="ipfw_pipe_port_num">0</Option>
<Option name="ipfw_pipe_queue_num">0</Option>
<Option name="ipt_branch_in_mangle">False</Option>
<Option name="ipt_continue">False</Option>
<Option name="ipt_gw"></Option>
<Option name="ipt_iif"></Option>
<Option name="ipt_mark_connections">False</Option>
<Option name="ipt_oif"></Option>
<Option name="ipt_tee">False</Option>
<Option name="limit_burst">0</Option>
<Option name="limit_suffix"></Option>
<Option name="limit_value">0</Option>
<Option name="log_level"></Option>
<Option name="log_prefix"></Option>
<Option name="pf_fastroute">False</Option>
<Option name="pf_route_load_option">none</Option>
<Option name="pf_route_opt_addr"></Option>
<Option name="pf_route_opt_if"></Option>
<Option name="pf_route_option">none</Option>
<Option name="rule_name_accounting"></Option>
<Option name="stateless">True</Option>
<Option name="ulog_nlgroup">1</Option>
</PolicyRuleOptions>
</PolicyRule>
<PolicyRule id="id5318X20350" disabled="False" log="True" position="8" action="Deny" direction="Both" comment="">
<Src neg="False">
<ObjectRef ref="sysid0"/>
</Src>
<Dst neg="False">
<ObjectRef ref="id5184X20350"/>
</Dst>
<Srv neg="False">
<ServiceRef ref="sysid1"/>
</Srv>
<Itf neg="False">
<ObjectRef ref="sysid0"/>
</Itf>
<When neg="False">
<IntervalRef ref="sysid2"/>
</When>
<PolicyRuleOptions>
<Option name="connlimit_masklen">0</Option>
<Option name="connlimit_value">0</Option>
<Option name="firewall_is_part_of_any_and_networks">False</Option>
<Option name="hashlimit_burst">0</Option>
<Option name="hashlimit_dstlimit">False</Option>
<Option name="hashlimit_expire">0</Option>
<Option name="hashlimit_gcinterval">0</Option>
<Option name="hashlimit_max">0</Option>
<Option name="hashlimit_mode_dstip">False</Option>
<Option name="hashlimit_mode_dstport">False</Option>
<Option name="hashlimit_mode_srcip">False</Option>
<Option name="hashlimit_mode_srcport">False</Option>
<Option name="hashlimit_name"></Option>
<Option name="hashlimit_size">0</Option>
<Option name="hashlimit_suffix"></Option>
<Option name="hashlimit_value">0</Option>
<Option name="limit_burst">0</Option>
<Option name="limit_suffix"></Option>
<Option name="limit_value">0</Option>
<Option name="log_level"></Option>
<Option name="log_prefix"></Option>
<Option name="stateless">True</Option>
<Option name="ulog_nlgroup">1</Option>
</PolicyRuleOptions>
</PolicyRule>
<PolicyRule id="id5330X20350" disabled="False" log="False" position="9" action="Accept" direction="Both" comment="">
<Src neg="False">
<ObjectRef ref="id3DC75CE7-1"/>
</Src>
<Dst neg="False">
<ObjectRef ref="sysid0"/>
</Dst>
<Srv neg="False">
<ServiceRef ref="sysid1"/>
</Srv>
<Itf neg="False">
<ObjectRef ref="sysid0"/>
</Itf>
<When neg="False">
<IntervalRef ref="sysid2"/>
</When>
<PolicyRuleOptions/>
</PolicyRule>
<PolicyRule id="id5342X20350" disabled="False" log="True" position="10" action="Deny" direction="Both" comment="">
<Src neg="False">
<ObjectRef ref="sysid0"/>
</Src>
<Dst neg="False">
<ObjectRef ref="sysid0"/>
</Dst>
<Srv neg="False">
<ServiceRef ref="sysid1"/>
</Srv>
<Itf neg="False">
<ObjectRef ref="sysid0"/>
</Itf>
<When neg="False">
<IntervalRef ref="sysid2"/>
</When>
<PolicyRuleOptions/>
</PolicyRule>
<PolicyRule id="id5354X20350" disabled="False" group="" log="True" position="11" action="Deny" direction="Both" comment="">
<Src neg="False">
<ObjectRef ref="sysid0"/>
</Src>
<Dst neg="False">
<ObjectRef ref="sysid0"/>
</Dst>
<Srv neg="False">
<ServiceRef ref="sysid1"/>
</Srv>
<Itf neg="False">
<ObjectRef ref="sysid0"/>
</Itf>
<When neg="False">
<IntervalRef ref="sysid2"/>
</When>
<PolicyRuleOptions>
<Option name="stateless">True</Option>
</PolicyRuleOptions>
</PolicyRule>
<RuleSetOptions/>
</Policy>
<Policy id="id5367X20350" name="to_fw" comment="this is a placeholder ruleset used in branching rule in Policy&#10;Member firewalls linux-1 and linux-2 have their own copy&#10;of the rule set with the same name which is used." ro="False" ipv4_rule_set="True" ipv6_rule_set="False" top_rule_set="False">
<RuleSetOptions/>
</Policy>
<Routing id="id5399X20350" name="Routing" comment="" ro="False" ipv4_rule_set="False" ipv6_rule_set="False" top_rule_set="True">
<RoutingRule id="id5400X20350" disabled="False" metric="0" position="0" comment="">
<RDst neg="False">
<ObjectRef ref="id95767X57559"/>
</RDst>
<RGtw neg="False">
<ObjectRef ref="id98741X57559"/>
</RGtw>
<RItf neg="False">
<ObjectRef ref="id5194X20350"/>
</RItf>
<RoutingRuleOptions/>
</RoutingRule>
<RuleSetOptions/>
</Routing>
<Interface id="id5194X20350" dedicated_failover="False" dyn="False" label="" mgmt="False" security_level="0" unnum="False" unprotected="False" name="eth0" comment="" ro="False">
<IPv4 id="id5201X20350" name="heartbeat_cluster_2:eth0:ip" comment="" ro="False" address="172.24.0.1" netmask="255.255.0.0"/>
<InterfaceOptions>
<Option name="enable_stp">False</Option>
<Option name="iface_mtu">1500</Option>
<Option name="type">heartbeat</Option>
<Option name="vlan_id">0</Option>
</InterfaceOptions>
<FailoverClusterGroup id="id5203X20350" master_iface="id2843X69605" type="heartbeat" name="heartbeat_cluster_2:eth0:members" comment=" ">
<ObjectRef ref="id2843X69605"/>
<ObjectRef ref="id3117X69605"/>
<ClusterGroupOptions>
<Option name="heartbeat_address">224.0.10.100</Option>
<Option name="heartbeat_port">694</Option>
<Option name="heartbeat_unicast">True</Option>
<Option name="vrrp_secret">not so secret</Option>
<Option name="vrrp_vrid">200</Option>
</ClusterGroupOptions>
</FailoverClusterGroup>
</Interface>
<Interface id="id5207X20350" dedicated_failover="False" dyn="False" label="" mgmt="False" security_level="0" unnum="False" unprotected="False" name="eth1" comment="" ro="False">
<IPv4 id="id5214X20350" name="heartbeat_cluster_2:eth1:ip" comment="" ro="False" address="192.168.1.1" netmask="255.255.255.0"/>
<InterfaceOptions>
<Option name="enable_stp">False</Option>
<Option name="iface_mtu">1500</Option>
<Option name="type">heartbeat</Option>
<Option name="vlan_id">0</Option>
</InterfaceOptions>
<FailoverClusterGroup id="id5216X20350" master_iface="id2844X69605" type="none" name="heartbeat_cluster_2:eth1:members" comment=" ">
<ObjectRef ref="id2844X69605"/>
<ObjectRef ref="id3118X69605"/>
<ClusterGroupOptions/>
</FailoverClusterGroup>
</Interface>
<FirewallOptions>
<Option name="ipt_mangle_only_rulesets"></Option>
</FirewallOptions>
<StateSyncClusterGroup id="id5410X20350" master_iface="id2843X69605" type="conntrack" name="heartbeat_cluster_2:members-1" comment="">
<ObjectRef ref="id2843X69605"/>
<ObjectRef ref="id3117X69605"/>
<ClusterGroupOptions>
<Option name="conntrack_address">225.0.0.50</Option>
<Option name="conntrack_port">3781</Option>
<Option name="conntrack_unicast">True</Option>
</ClusterGroupOptions>
</StateSyncClusterGroup>
</Cluster>
</ObjectGroup>
<ObjectGroup id="id1496X69605" name="Objects" comment="" ro="False">
<ObjectGroup id="id1497X69605" name="Addresses" comment="" ro="False">
@ -2308,7 +2761,7 @@
<ServiceGroup id="id1513X69605" name="TagServices" comment="" ro="False"/>
</ServiceGroup>
<ObjectGroup id="id1514X69605" name="Firewalls" comment="" ro="False">
<Firewall id="id2735X69605" host_OS="linux24" inactive="False" lastCompiled="1264020603" lastInstalled="0" lastModified="1251419063" platform="iptables" version="" name="linux-1" comment=" " ro="False">
<Firewall id="id2735X69605" host_OS="linux24" inactive="False" lastCompiled="1265516308" lastInstalled="0" lastModified="1251419063" platform="iptables" version="" name="linux-1" comment=" " ro="False">
<NAT id="id2827X69605" name="NAT" comment="" ro="False" ipv4_rule_set="False" ipv6_rule_set="False" top_rule_set="True">
<RuleSetOptions/>
</NAT>
@ -2476,7 +2929,7 @@
<Option name="verify_interfaces">True</Option>
</FirewallOptions>
</Firewall>
<Firewall id="id3009X69605" host_OS="linux24" inactive="False" lastCompiled="1264020603" lastInstalled="0" lastModified="1251418923" platform="iptables" version="" name="linux-2" comment="" ro="False">
<Firewall id="id3009X69605" host_OS="linux24" inactive="False" lastCompiled="1265516308" lastInstalled="0" lastModified="1251418923" platform="iptables" version="" name="linux-2" comment="" ro="False">
<NAT id="id3101X69605" name="NAT" comment="" ro="False" ipv4_rule_set="False" ipv6_rule_set="False" top_rule_set="True">
<RuleSetOptions/>
</NAT>