onkelbeh/fwbuilder
1
0
Fork 0
mirror of https://github.com/fwbuilder/fwbuilder synced 2026-03-18 17:27:20 +01:00
Code Issues Releases Wiki Activity

* PolicyCompiler_PrintRule.cpp: added support for iptables module

Browse Source 
"set" used to generate iptables command for rules with run-time
AddressTable objects. This module is only available in iptables
1.4.1.1 and later, however some embedded platforms do not have it
even though they ship later versions ofiptables (e.g. OpenWRT).
Use of this module is controlled by a checkbox in the iptables 
"advanced" settings dialog which is off by default. This checkbox
becomes disabled when iptables version is set to < 1.4.1.1.
This commit is contained in:
Vadim Kurland 2010-07-23 05:15:05 +00:00
parent 56ce332788
commit e82f770956
13 changed files with 875 additions and 77 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
build_num
View File

@ -1 +1 @@
#define BUILD_NUM 3133
#define BUILD_NUM 3134

9
doc/ChangeLog
View File

@ -1,5 +1,14 @@
2010-07-22 Vadim Kurland <vadim@vk.crocodile.org>
* PolicyCompiler_PrintRule.cpp: added support for iptables module
"set" used to generate iptables command for rules with run-time
AddressTable objects. This module is only available in iptables
1.4.1.1 and later, however some embedded platforms do not have it
even though they ship later versions of iptables (e.g. OpenWRT).
Use of this module is controlled by a checkbox in the iptables
"advanced" settings dialog which is off by default. This checkbox
becomes disabled when iptables version is set to < 1.4.1.1.
* newClusterDialog_create.cpp (newClusterDialog::createNewCluster):
fixed #1622 "Crash when configuring cluster". The GUI used to crash
if user created a cluster copying rules of one of the cluster members

22
src/gui/iptAdvancedDialog.cpp
View File

@ -81,13 +81,6 @@ iptAdvancedDialog::iptAdvancedDialog(QWidget *parent,FWObject *o)
qDebug("%s",Resources::getTargetOptionStr(
obj->getStr("host_OS"),"user_can_change_install_dir").c_str());
if (!Resources::getTargetOptionBool(
obj->getStr("host_OS"), "user_can_change_install_dir"))
{
m_dialog->ipt_fw_dir->setEnabled(false);
//fwoptions->setStr("firewall_dir", "");
}
//QString s = fwoptions->getStr("ipv4_6_order")
data.registerOption(m_dialog->ipv4before, fwoptions, "ipv4_6_order", QStringList() << "IPv4 before IPv6" <<"ipv4_first" << "IPv6 before IPv4" << "ipv6_first");
@ -145,6 +138,8 @@ iptAdvancedDialog::iptAdvancedDialog(QWidget *parent,FWObject *o)
data.registerOption(m_dialog-> actionOnReject,
fwoptions,"action_on_reject", slm);
data.registerOption(m_dialog->useModuleSet, fwoptions, "use_m_set");
data.registerOption(m_dialog->mgmt_ssh, fwoptions, "mgmt_ssh");
data.registerOption(m_dialog->mgmt_addr, fwoptions, "mgmt_addr");
data.registerOption(m_dialog->add_mgmt_ssh_rule_when_stoped,
@ -210,6 +205,19 @@ iptAdvancedDialog::iptAdvancedDialog(QWidget *parent,FWObject *o)
data.loadAll();
switchLOG_ULOG();
if (!Resources::getTargetOptionBool(
obj->getStr("host_OS"), "user_can_change_install_dir"))
{
m_dialog->ipt_fw_dir->setEnabled(false);
//fwoptions->setStr("firewall_dir", "");
}
string version = obj->getStr("version");
bool can_use_module_set = (XMLTools::version_compare(version, "1.4.1.1") >= 0);
if (!can_use_module_set)
m_dialog->useModuleSet->setChecked(false);
m_dialog->useModuleSet->setEnabled(can_use_module_set);
m_dialog->tabWidget->setCurrentIndex(0);
}

59
src/gui/iptadvanceddialog_q.ui
View File

@ -100,11 +100,11 @@
<attribute name="title">
<string>Compiler</string>
</attribute>
<layout class="QVBoxLayout" name="verticalLayout_2">
<item>
<layout class="QGridLayout" name="gridLayout_10">
<item row="0" column="0">
<layout class="QGridLayout" name="gridLayout_7"/>
</item>
<item>
<item row="1" column="0" colspan="2">
<layout class="QGridLayout" name="gridLayout_9" columnstretch="5,5,5">
<item row="1" column="0">
<widget class="QLabel" name="compilerLabel">
@ -220,7 +220,7 @@
</item>
</layout>
</item>
<item>
<item row="2" column="0" colspan="2">
<widget class="QLabel" name="label_7">
<property name="text">
<string>If output file name is left blank, the file name is constructed of the firewall object name and extension &quot;.fw&quot;</string>
@ -230,7 +230,7 @@
</property>
</widget>
</item>
<item>
<item row="3" column="0" colspan="2">
<layout class="QGridLayout" name="gridLayout_8" columnstretch="5,5,5">
<item row="0" column="0">
<widget class="QLabel" name="label_2">
@ -273,7 +273,7 @@
</item>
</layout>
</item>
<item>
<item row="4" column="0" colspan="2">
<widget class="QLabel" name="label_4">
<property name="text">
<string>Generated script can be copied to the firewall machine under different name. If this field is left blank, the file name does not change.</string>
@ -283,7 +283,7 @@
</property>
</widget>
</item>
<item>
<item row="5" column="0" colspan="2">
<widget class="Line" name="line4_2">
<property name="frameShape">
<enum>QFrame::HLine</enum>
@ -296,7 +296,7 @@
</property>
</widget>
</item>
<item>
<item row="6" column="0" colspan="2">
<layout class="QGridLayout" name="gridLayout_5">
<item row="0" column="0">
<widget class="QCheckBox" name="assumeFwIsPartOfAny">
@ -350,6 +350,19 @@
</property>
</widget>
</item>
<item row="2" column="0">
<widget class="QCheckBox" name="acceptESTBeforeFirst">
<property name="sizePolicy">
<sizepolicy hsizetype="Minimum" vsizetype="Fixed">
<horstretch>0</horstretch>
<verstretch>0</verstretch>
</sizepolicy>
</property>
<property name="text">
<string>Accept ESTABLISHED and RELATED packets before the first rule</string>
</property>
</widget>
</item>
<item row="2" column="1">
<widget class="QCheckBox" name="localNAT">
<property name="sizePolicy">
@ -468,22 +481,16 @@ packets to IPv6 policies</string>
</property>
</widget>
</item>
<item row="2" column="0">
<widget class="QCheckBox" name="acceptESTBeforeFirst">
<property name="sizePolicy">
<sizepolicy hsizetype="Minimum" vsizetype="Fixed">
<horstretch>0</horstretch>
<verstretch>0</verstretch>
</sizepolicy>
</property>
<item row="6" column="0" colspan="2">
<widget class="QCheckBox" name="useModuleSet">
<property name="text">
<string>Accept ESTABLISHED and RELATED packets before the first rule</string>
<string>Use module &quot;set&quot; for run-time Address Table objects (module is only available in iptables v 1.4.1.1 and later)</string>
</property>
</widget>
</item>
</layout>
</item>
<item>
<item row="7" column="0" colspan="2">
<widget class="Line" name="line4">
<property name="frameShape">
<enum>QFrame::HLine</enum>
@ -496,7 +503,7 @@ packets to IPv6 policies</string>
</property>
</widget>
</item>
<item>
<item row="8" column="0" colspan="2">
<layout class="QHBoxLayout" name="horizontalLayout_5">
<item>
<widget class="QCheckBox" name="mgmt_ssh">
@ -536,14 +543,14 @@ packets to IPv6 policies</string>
</item>
</layout>
</item>
<item>
<item row="9" column="0" colspan="2">
<widget class="QCheckBox" name="add_mgmt_ssh_rule_when_stoped">
<property name="text">
<string>Install the rule for ssh access from the management workstation when the firewall is stopped</string>
</property>
</widget>
</item>
<item>
<item row="10" column="1">
<spacer>
<property name="orientation">
<enum>Qt::Vertical</enum>
@ -867,10 +874,10 @@ packets to IPv6 policies</string>
<string>Prolog/Epilog</string>
</attribute>
<layout class="QGridLayout">
<property name="verticalSpacing">
<property name="margin">
<number>6</number>
</property>
<property name="margin">
<property name="verticalSpacing">
<number>6</number>
</property>
<item row="1" column="0">
@ -1001,12 +1008,12 @@ packets to IPv6 policies</string>
<string>Logging</string>
</attribute>
<layout class="QGridLayout">
<property name="verticalSpacing">
<number>6</number>
</property>
<property name="margin">
<number>20</number>
</property>
<property name="verticalSpacing">
<number>6</number>
</property>
<item row="0" column="0" rowspan="5">
<widget class="QGroupBox" name="buttonGroup1">
<property name="title">

1
src/gui/platforms.cpp
View File

@ -404,6 +404,7 @@ void getVersionsForPlatform(const QString &platform, std::list<QStringPair> &res
res.push_back(QStringPair("1.2.9", QObject::tr("1.2.9 to 1.2.11")));
res.push_back(QStringPair("1.3.0", QObject::tr("1.3.x")));
res.push_back(QStringPair("1.4.0", QObject::tr("1.4.0 or later")));
res.push_back(QStringPair("1.4.1.1", QObject::tr("1.4.1.1 or later")));
res.push_back(QStringPair("1.4.3", QObject::tr("1.4.3 or later")));
} else
{

12
src/iptlib/OSConfigurator_linux24.cpp
View File

@ -76,6 +76,11 @@ OSConfigurator_linux24::OSConfigurator_linux24(FWObjectDatabase *_db,
OSConfigurator(_db, fw, ipv6_policy) , os_data(fw->getStr("host_OS"))
{
command_wrappers = new Configlet(fw, "linux24", "run_time_wrappers");
FWOptions* fwopt = fw->getOptionsObject();
string version = fw->getStr("version");
can_use_module_set = (XMLTools::version_compare(version, "1.4.1.1") >= 0 &&
fwopt->getBool("use_m_set"));
}
OSConfigurator_linux24::~OSConfigurator_linux24()
@ -468,7 +473,12 @@ string OSConfigurator_linux24::printRunTimeWrappers(FWObject *rule,
*/
bool wildcard_interface = false;
QString combined_command = addressTableWrapper(rule, command.c_str(), ipv6);
QString combined_command;
if (can_use_module_set)
combined_command = command.c_str();
else
combined_command = addressTableWrapper(rule, command.c_str(), ipv6);
command_wrappers->clear();
command_wrappers->removeComments();

3
src/iptlib/OSConfigurator_linux24.h
View File

@ -48,7 +48,8 @@ namespace fwcompiler {
OSData os_data;
Configlet *command_wrappers;
bool can_use_module_set;
std::map<std::string,std::string> address_table_objects;
// this vector is used to avoid duplication of virtual addresses for nat

28
src/iptlib/PolicyCompiler_PrintRule.cpp
View File

@ -96,13 +96,13 @@ string PolicyCompiler_ipt::PrintRule::_printSingleOptionWithNegation(
ostringstream ostr;
if (XMLTools::version_compare(version, "1.4.3")>=0)
{
ostr << _printSingleObjectNegation(rel);
ostr << _printSingleObjectNegation(rel);
ostr << option << " ";
ostr << arg << " ";
} else
{
ostr << option << " ";
ostr << _printSingleObjectNegation(rel);
ostr << _printSingleObjectNegation(rel);
ostr << arg << " ";
}
return ostr.str();
@ -1109,6 +1109,7 @@ string PolicyCompiler_ipt::PrintRule::_printDstService(RuleElementSrv *rel)
string PolicyCompiler_ipt::PrintRule::_printSrcAddr(RuleElement *rel, Address *o)
{
PolicyCompiler_ipt *ipt_comp=dynamic_cast<PolicyCompiler_ipt*>(compiler);
string res;
if (AddressRange::cast(o)!=NULL)
{
@ -1126,11 +1127,23 @@ string PolicyCompiler_ipt::PrintRule::_printSrcAddr(RuleElement *rel, Address *
return res;
}
MultiAddressRunTime *atrt = MultiAddressRunTime::cast(o);
if (atrt!=NULL && atrt->getSubstitutionTypeName()==AddressTable::TYPENAME &&
ipt_comp->can_use_module_set)
{
string set_match = "--set " + o->getName() + " src";
ostringstream ostr;
ostr << "-m set " << _printSingleOptionWithNegation("", rel, set_match);
return ostr.str();
}
return _printSingleOptionWithNegation(" -s", rel, _printAddr(o));
}
string PolicyCompiler_ipt::PrintRule::_printDstAddr(RuleElement *rel, Address *o)
{
PolicyCompiler_ipt *ipt_comp=dynamic_cast<PolicyCompiler_ipt*>(compiler);
string res;
if (AddressRange::cast(o)!=NULL)
{
@ -1147,6 +1160,17 @@ string PolicyCompiler_ipt::PrintRule::_printDstAddr(RuleElement *rel, Address *
return res;
}
MultiAddressRunTime *atrt = MultiAddressRunTime::cast(o);
if (atrt!=NULL && atrt->getSubstitutionTypeName()==AddressTable::TYPENAME &&
ipt_comp->can_use_module_set)
{
string set_match = "--set " + o->getName() + " dst";
ostringstream ostr;
ostr << "-m set " << _printSingleOptionWithNegation("", rel, set_match);
return ostr.str();
}
return _printSingleOptionWithNegation(" -d", rel, _printAddr(o));
}

31
src/iptlib/PolicyCompiler_ipt.cpp
View File

@ -515,6 +515,11 @@ int PolicyCompiler_ipt::prolog()
n++;
}
string version = fw->getStr("version");
can_use_module_set = (XMLTools::version_compare(version, "1.4.1.1") >= 0 &&
fwopt->getBool("use_m_set"));
actually_used_module_set = false;
return n;
}
@ -1006,12 +1011,23 @@ bool PolicyCompiler_ipt::singleItfNegation::processNext()
bool PolicyCompiler_ipt::singleSrcNegation::processNext()
{
PolicyCompiler_ipt *ipt_comp=dynamic_cast<PolicyCompiler_ipt*>(compiler);
PolicyRule *rule = getNext(); if (rule==NULL) return false;
RuleElementSrc *srcrel = rule->getSrc();
/* ! A B C ACTION */
if (srcrel->getNeg() && srcrel->size()==1)
{
// We call singleSrcNegation before we replace AddressTable
// objects with MultiAddressRunTime objects
FWObject *o = FWReference::getObject(srcrel->front());
if (AddressTable::cast(o) && AddressTable::cast(o)->isRunTime() &&
ipt_comp->can_use_module_set)
{
srcrel->setNeg(false);
srcrel->setBool("single_object_negation", true);
}
Address *src = compiler->getFirstSrc(rule);
// note: src can be NULL if object in this rule element is a group
// or MultiAddress
@ -1029,12 +1045,23 @@ bool PolicyCompiler_ipt::singleSrcNegation::processNext()
bool PolicyCompiler_ipt::singleDstNegation::processNext()
{
PolicyCompiler_ipt *ipt_comp=dynamic_cast<PolicyCompiler_ipt*>(compiler);
PolicyRule *rule = getNext(); if (rule==NULL) return false;
RuleElementDst *dstrel = rule->getDst();
/* A ! B C ACTION */
if (dstrel->getNeg() && dstrel->size()==1)
{
// We call singleSrcNegation before we replace AddressTable
// objects with MultiAddressRunTime objects
FWObject *o = FWReference::getObject(dstrel->front());
if (AddressTable::cast(o) && AddressTable::cast(o)->isRunTime() &&
ipt_comp->can_use_module_set)
{
dstrel->setNeg(false);
dstrel->setBool("single_object_negation", true);
}
Address *dst = compiler->getFirstDst(rule);
if (dst!=NULL && dst->countInetAddresses(true)==1 &&
!compiler->complexMatch(dst, compiler->fw))
@ -2558,7 +2585,6 @@ bool PolicyCompiler_ipt::specialCaseWithFW1::processNext()
bool PolicyCompiler_ipt::specialCaseWithFWInDstAndOutbound::processNext()
{
PolicyCompiler_ipt *ipt_comp = dynamic_cast<PolicyCompiler_ipt*>(compiler);
PolicyRule *rule=getNext(); if (rule==NULL) return false;
Interface *itf = compiler->getFirstItf(rule);
@ -2922,7 +2948,6 @@ bool PolicyCompiler_ipt::decideOnChainIfSrcFW::processNext()
* with an interface which is a bridge port.
*/
RuleElementItf *itfre = rule->getItf();
Interface *rule_iface = compiler->getFirstItf(rule);
if (rule_iface == NULL || rule_iface->isBridgePort())
{
@ -3022,7 +3047,6 @@ bool PolicyCompiler_ipt::decideOnChainIfDstFW::processNext()
* with an interface which is a bridge port.
*/
RuleElementItf *itfre = rule->getItf();
Interface *rule_iface = compiler->getFirstItf(rule);
if (rule_iface == NULL || rule_iface->isBridgePort())
{
@ -3982,7 +4006,6 @@ bool PolicyCompiler_ipt::processMultiAddressObjectsInRE::processNext()
return true;
}
/*
* iptables does not have target that would do nothing and would not
* terminate processing of the packet (like NOP), so we create a new

2
src/iptlib/PolicyCompiler_ipt.h
View File

@ -66,6 +66,8 @@ protected:
bool have_dynamic_interfaces;
bool have_connmark;
bool have_connmark_in_output;
bool can_use_module_set;
bool actually_used_module_set;
std::string my_table;
std::map<std::string, int> tmp_chain_no;

6
src/pflib/PolicyCompiler_pf.cpp
View File

@ -93,7 +93,11 @@ int PolicyCompiler_pf::prolog()
return PolicyCompiler::prolog();
}
/*
* this is very much like
* Compiler::swapMultiAddressObjectsInRE::processNext() except it also
* registers the table using registerTable()
*/
bool PolicyCompiler_pf::swapAddressTableObjectsInRE::processNext()
{
PolicyCompiler_pf *pf_comp=dynamic_cast<PolicyCompiler_pf*>(compiler);

48
src/res/help/en_US/release_notes_4.1.0.html
View File

@ -302,6 +302,40 @@
</p>
</li>
<li>
<p>
Most dialogs were adjusted to make sure they fit on the screen 1024x768
</p>
</li>
<li>
<p>
fixed #1612 "File/Open should create
new project panel". If user has some unsaved changes in the
default project panel (the one with no associated file) and then
uses File/Open menu to open another data file, the file should
open in a new project panel.
</p>
</li>
<li>
<p>
fixed #1611 "File/New should create new project panel". Like
#1612, open new data file in a new project panel if current
project panel has no data file associated with it but has
unsaved changes.
</p>
</li>
<li>
<p>
fixed #1622 "Crash when configuring cluster". The GUI used to
crash if user created a cluster copying rules of one of the
cluster members while that rule set was opened in the rule set
view.
</p>
</li>
</ul>
@ -473,6 +507,20 @@
</p>
</li>
<li>
<p>
Added support for iptables module "set" used to generate
iptables command for rules with run-time AddressTable
objects. This module is only available in iptables 1.4.1.1 and
later, however some embedded platforms do not have it even
though they ship later versions of iptables (e.g. OpenWRT). Use
of this module is controlled by a checkbox in the iptables
"advanced" settings dialog which is off by default. This
checkbox becomes disabled when iptables version is set to <
1.4.1.1.
</p>
</li>
</ul>

729
test/ipt/objects-for-regression-tests.fwb
View File

@ -1,6 +1,6 @@
<?xml version="1.0" encoding="utf-8"?>
<!DOCTYPE FWObjectDatabase SYSTEM "fwbuilder.dtd">
<FWObjectDatabase xmlns="http://www.fwbuilder.org/1.0/" version="17" lastModified="1276800877" id="root">
<FWObjectDatabase xmlns="http://www.fwbuilder.org/1.0/" version="17" lastModified="1279853975" id="root">
<Library id="syslib000" color="#d4f8ff" name="Standard" comment="Standard objects" ro="True">
<AnyNetwork id="sysid0" name="Any" comment="Any Network" ro="False" address="0.0.0.0" netmask="0.0.0.0"/>
<AnyIPService id="sysid1" protocol_num="0" name="Any" comment="Any IP Service" ro="False"/>
@ -6671,7 +6671,7 @@
<Option name="verify_interfaces">True</Option>
</FirewallOptions>
</Firewall>
<Firewall id="id3AF5AA0A" host_OS="linux24" inactive="False" lastCompiled="1273779948" lastInstalled="1142003872" lastModified="1273779964" platform="iptables" version="" name="firewall1" comment="this object is used to test all kinds of negation in policy and NAT rules" ro="False">
<Firewall id="id3AF5AA0A" host_OS="linux24" inactive="False" lastCompiled="1273779948" lastInstalled="1142003872" lastModified="1279852787" platform="iptables" version="" name="firewall1" comment="this object is used to test all kinds of negation in policy and NAT rules.&#10;Assume firewall is part of any is ON" ro="False">
<NAT id="id3AF5AA0D" name="NAT" comment="" ro="False" ipv4_rule_set="False" ipv6_rule_set="False" top_rule_set="True">
<NATRule id="id3C98491C" disabled="False" position="0" action="Translate" comment="">
<OSrc neg="False">
@ -7947,33 +7947,35 @@
</When>
<PolicyRuleOptions/>
</PolicyRule>
<PolicyRule id="id3AF5AAC8" disabled="False" log="False" position="40" action="Accept" direction="Both" comment="'masquerading' rule">
<PolicyRule id="id1515316X29460" disabled="False" group="" log="False" position="40" action="Deny" direction="Both" comment="">
<Src neg="False">
<ObjectRef ref="id3AF5AA0A"/>
</Src>
<Dst neg="True">
<ObjectRef ref="net-Internal_net"/>
</Src>
<Dst neg="False">
<ObjectRef ref="sysid0"/>
</Dst>
<Srv neg="False">
<ServiceRef ref="sysid1"/>
</Srv>
<Itf neg="False">
<ObjectRef ref="sysid0"/>
</Itf>
<When neg="False">
<IntervalRef ref="sysid2"/>
</When>
<PolicyRuleOptions/>
</PolicyRule>
<PolicyRule id="id42AB87C6" disabled="False" log="True" position="41" action="Deny" direction="Both" comment="testing combination&#10;of limit and logging">
<Src neg="False">
<ObjectRef ref="sysid0"/>
</Src>
<Dst neg="False">
<ObjectRef ref="sysid0"/>
</Dst>
<Srv neg="False">
<ServiceRef ref="sysid1"/>
<ServiceRef ref="tcp-HTTP"/>
</Srv>
<Itf neg="False">
<ObjectRef ref="sysid0"/>
</Itf>
<When neg="False">
<IntervalRef ref="sysid2"/>
</When>
<PolicyRuleOptions>
<Option name="stateless">True</Option>
</PolicyRuleOptions>
</PolicyRule>
<PolicyRule id="id1515397X29460" disabled="False" group="" log="False" position="41" action="Deny" direction="Both" comment="">
<Src neg="True">
<ObjectRef ref="net-Internal_net"/>
</Src>
<Dst neg="False">
<ObjectRef ref="id3AF5AA0A"/>
</Dst>
<Srv neg="False">
<ServiceRef ref="tcp-HTTP"/>
</Srv>
<Itf neg="False">
<ObjectRef ref="sysid0"/>
@ -7982,16 +7984,7 @@
<IntervalRef ref="sysid2"/>
</When>
<PolicyRuleOptions>
<Option name="action_on_reject"></Option>
<Option name="firewall_is_part_of_any_and_networks">False</Option>
<Option name="limit_burst">0</Option>
<Option name="limit_suffix">/second</Option>
<Option name="limit_value">10</Option>
<Option name="log_level"></Option>
<Option name="log_prefix"></Option>
<Option name="rule_name_accounting"></Option>
<Option name="stateless">True</Option>
<Option name="ulog_nlgroup">1</Option>
</PolicyRuleOptions>
</PolicyRule>
<RuleSetOptions/>
@ -53360,6 +53353,674 @@ echo '%FWBPROMPT%'; sh /tmp/%FWSCRIPT%
<Option name="verify_interfaces">True</Option>
</FirewallOptions>
</Firewall>
<Firewall id="id56583X26628" host_OS="linux24" inactive="False" lastCompiled="1279850008" lastInstalled="0" lastModified="1279855256" platform="iptables" version="1.4.1.1" name="firewall41-1" comment="testing run time address table objects with module set" ro="False">
<NAT id="id56688X26628" name="NAT" comment="" ro="False" ipv4_rule_set="False" ipv6_rule_set="False" top_rule_set="True">
<RuleSetOptions/>
</NAT>
<Policy id="id56601X26628" name="Policy" comment="" ro="False" ipv4_rule_set="False" ipv6_rule_set="False" top_rule_set="True">
<PolicyRule id="id56614X26628" disabled="False" log="False" position="0" action="Accept" direction="Both" comment="">
<Src neg="False">
<ObjectRef ref="id56583X26628"/>
</Src>
<Dst neg="False">
<ObjectRef ref="id44F7056328576"/>
</Dst>
<Srv neg="False">
<ServiceRef ref="sysid1"/>
</Srv>
<Itf neg="False">
<ObjectRef ref="sysid0"/>
</Itf>
<When neg="False">
<IntervalRef ref="sysid2"/>
</When>
<PolicyRuleOptions/>
</PolicyRule>
<PolicyRule id="id1162747X27867" disabled="False" group="" log="False" position="1" action="Accept" direction="Both" comment="">
<Src neg="False">
<ObjectRef ref="id56583X26628"/>
</Src>
<Dst neg="True">
<ObjectRef ref="id44F7056328576"/>
</Dst>
<Srv neg="False">
<ServiceRef ref="sysid1"/>
</Srv>
<Itf neg="False">
<ObjectRef ref="sysid0"/>
</Itf>
<When neg="False">
<IntervalRef ref="sysid2"/>
</When>
<PolicyRuleOptions>
<Option name="connlimit_above_not">False</Option>
<Option name="connlimit_masklen">0</Option>
<Option name="connlimit_value">0</Option>
<Option name="firewall_is_part_of_any_and_networks"></Option>
<Option name="hashlimit_burst">0</Option>
<Option name="hashlimit_dstlimit">False</Option>
<Option name="hashlimit_expire">0</Option>
<Option name="hashlimit_gcinterval">0</Option>
<Option name="hashlimit_max">0</Option>
<Option name="hashlimit_mode_dstip">False</Option>
<Option name="hashlimit_mode_dstport">False</Option>
<Option name="hashlimit_mode_srcip">False</Option>
<Option name="hashlimit_mode_srcport">False</Option>
<Option name="hashlimit_name"></Option>
<Option name="hashlimit_size">0</Option>
<Option name="hashlimit_suffix"></Option>
<Option name="hashlimit_value">0</Option>
<Option name="limit_burst">0</Option>
<Option name="limit_suffix"></Option>
<Option name="limit_value">0</Option>
<Option name="limit_value_not">False</Option>
<Option name="log_level"></Option>
<Option name="log_prefix"></Option>
<Option name="stateless">False</Option>
<Option name="ulog_nlgroup">1</Option>
</PolicyRuleOptions>
</PolicyRule>
<PolicyRule id="id3819891X29460" disabled="False" group="" log="False" position="2" action="Accept" direction="Both" comment="">
<Src neg="False">
<ObjectRef ref="id56583X26628"/>
</Src>
<Dst neg="True">
<ObjectRef ref="id44F7056328576"/>
</Dst>
<Srv neg="False">
<ServiceRef ref="sysid1"/>
</Srv>
<Itf neg="False">
<ObjectRef ref="sysid0"/>
</Itf>
<When neg="False">
<IntervalRef ref="sysid2"/>
</When>
<PolicyRuleOptions>
<Option name="connlimit_above_not">False</Option>
<Option name="connlimit_masklen">0</Option>
<Option name="connlimit_value">0</Option>
<Option name="firewall_is_part_of_any_and_networks">0</Option>
<Option name="hashlimit_burst">0</Option>
<Option name="hashlimit_dstlimit">False</Option>
<Option name="hashlimit_expire">0</Option>
<Option name="hashlimit_gcinterval">0</Option>
<Option name="hashlimit_max">0</Option>
<Option name="hashlimit_mode_dstip">False</Option>
<Option name="hashlimit_mode_dstport">False</Option>
<Option name="hashlimit_mode_srcip">False</Option>
<Option name="hashlimit_mode_srcport">False</Option>
<Option name="hashlimit_name"></Option>
<Option name="hashlimit_size">0</Option>
<Option name="hashlimit_suffix"></Option>
<Option name="hashlimit_value">0</Option>
<Option name="limit_burst">0</Option>
<Option name="limit_suffix"></Option>
<Option name="limit_value">0</Option>
<Option name="limit_value_not">False</Option>
<Option name="log_level"></Option>
<Option name="log_prefix"></Option>
<Option name="stateless">False</Option>
<Option name="ulog_nlgroup">1</Option>
</PolicyRuleOptions>
</PolicyRule>
<PolicyRule id="id56650X26628" disabled="False" group="" log="False" position="3" action="Accept" direction="Both" comment="">
<Src neg="False">
<ObjectRef ref="id56583X26628"/>
</Src>
<Dst neg="False">
<ObjectRef ref="id44F7056328576"/>
<ObjectRef ref="id4389EE9118346"/>
</Dst>
<Srv neg="False">
<ServiceRef ref="sysid1"/>
</Srv>
<Itf neg="False">
<ObjectRef ref="sysid0"/>
</Itf>
<When neg="False">
<IntervalRef ref="sysid2"/>
</When>
<PolicyRuleOptions/>
</PolicyRule>
<PolicyRule id="id794173X27867" disabled="False" group="" log="False" position="4" action="Accept" direction="Both" comment="">
<Src neg="False">
<ObjectRef ref="id44F7056328576"/>
</Src>
<Dst neg="False">
<ObjectRef ref="id56583X26628"/>
</Dst>
<Srv neg="False">
<ServiceRef ref="sysid1"/>
</Srv>
<Itf neg="False">
<ObjectRef ref="sysid0"/>
</Itf>
<When neg="False">
<IntervalRef ref="sysid2"/>
</When>
<PolicyRuleOptions/>
</PolicyRule>
<PolicyRule id="id1162799X27867" disabled="False" group="" log="False" position="5" action="Accept" direction="Both" comment="">
<Src neg="True">
<ObjectRef ref="id44F7056328576"/>
</Src>
<Dst neg="False">
<ObjectRef ref="id56583X26628"/>
</Dst>
<Srv neg="False">
<ServiceRef ref="sysid1"/>
</Srv>
<Itf neg="False">
<ObjectRef ref="sysid0"/>
</Itf>
<When neg="False">
<IntervalRef ref="sysid2"/>
</When>
<PolicyRuleOptions/>
</PolicyRule>
<PolicyRule id="id3819961X29460" disabled="False" group="" log="False" position="6" action="Accept" direction="Both" comment="">
<Src neg="True">
<ObjectRef ref="id44F7056328576"/>
</Src>
<Dst neg="False">
<ObjectRef ref="id56583X26628"/>
</Dst>
<Srv neg="False">
<ServiceRef ref="sysid1"/>
</Srv>
<Itf neg="False">
<ObjectRef ref="sysid0"/>
</Itf>
<When neg="False">
<IntervalRef ref="sysid2"/>
</When>
<PolicyRuleOptions>
<Option name="connlimit_above_not">False</Option>
<Option name="connlimit_masklen">0</Option>
<Option name="connlimit_value">0</Option>
<Option name="firewall_is_part_of_any_and_networks">0</Option>
<Option name="hashlimit_burst">0</Option>
<Option name="hashlimit_dstlimit">False</Option>
<Option name="hashlimit_expire">0</Option>
<Option name="hashlimit_gcinterval">0</Option>
<Option name="hashlimit_max">0</Option>
<Option name="hashlimit_mode_dstip">False</Option>
<Option name="hashlimit_mode_dstport">False</Option>
<Option name="hashlimit_mode_srcip">False</Option>
<Option name="hashlimit_mode_srcport">False</Option>
<Option name="hashlimit_name"></Option>
<Option name="hashlimit_size">0</Option>
<Option name="hashlimit_suffix"></Option>
<Option name="hashlimit_value">0</Option>
<Option name="limit_burst">0</Option>
<Option name="limit_suffix"></Option>
<Option name="limit_value">0</Option>
<Option name="limit_value_not">False</Option>
<Option name="log_level"></Option>
<Option name="log_prefix"></Option>
<Option name="stateless">False</Option>
<Option name="ulog_nlgroup">1</Option>
</PolicyRuleOptions>
</PolicyRule>
<PolicyRule id="id794220X27867" disabled="False" group="" log="False" position="7" action="Accept" direction="Both" comment="">
<Src neg="False">
<ObjectRef ref="id44F7056328576"/>
<ObjectRef ref="id4389EE9118346"/>
</Src>
<Dst neg="False">
<ObjectRef ref="id56583X26628"/>
</Dst>
<Srv neg="False">
<ServiceRef ref="sysid1"/>
</Srv>
<Itf neg="False">
<ObjectRef ref="sysid0"/>
</Itf>
<When neg="False">
<IntervalRef ref="sysid2"/>
</When>
<PolicyRuleOptions/>
</PolicyRule>
<PolicyRule id="id56638X26628" disabled="False" group="" log="False" position="8" action="Deny" direction="Both" comment="">
<Src neg="False">
<ObjectRef ref="sysid0"/>
</Src>
<Dst neg="False">
<ObjectRef ref="id44F7056328576"/>
</Dst>
<Srv neg="False">
<ServiceRef ref="sysid1"/>
</Srv>
<Itf neg="False">
<ObjectRef ref="sysid0"/>
</Itf>
<When neg="False">
<IntervalRef ref="sysid2"/>
</When>
<PolicyRuleOptions>
<Option name="stateless">True</Option>
</PolicyRuleOptions>
</PolicyRule>
<RuleSetOptions/>
</Policy>
<Routing id="id56690X26628" name="Routing" comment="" ro="False" ipv4_rule_set="False" ipv6_rule_set="False" top_rule_set="True">
<RuleSetOptions/>
</Routing>
<Interface id="id56591X26628" dedicated_failover="False" dyn="False" label="ext" security_level="0" unnum="False" unprotected="False" name="eth0" comment="" ro="False">
<IPv4 id="id56594X26628" name="firewall41:eth0:ip" comment="" ro="False" address="1.1.1.1" netmask="255.255.255.0"/>
<InterfaceOptions/>
</Interface>
<Interface id="id56596X26628" dedicated_failover="False" dyn="False" label="int" security_level="50" unnum="False" unprotected="False" name="eth1" comment="" ro="False">
<IPv4 id="id56599X26628" name="firewall41:eth1:ip" comment="" ro="False" address="2.2.2.2" netmask="255.255.255.0"/>
<InterfaceOptions/>
</Interface>
<Management address="0.0.0.0">
<SNMPManagement enabled="False" snmp_read_community="" snmp_write_community=""/>
<FWBDManagement enabled="False" identity="" port="-1"/>
<PolicyInstallScript arguments="" command="" enabled="False"/>
</Management>
<FirewallOptions>
<Option name="accept_established">True</Option>
<Option name="accept_new_tcp_with_no_syn">True</Option>
<Option name="action_on_reject"></Option>
<Option name="activationCmd"></Option>
<Option name="add_mgmt_ssh_rule_when_stoped">False</Option>
<Option name="add_rules_for_ipv6_neighbor_discovery">False</Option>
<Option name="admUser"></Option>
<Option name="altAddress"></Option>
<Option name="bridging_fw">False</Option>
<Option name="check_shading">True</Option>
<Option name="clamp_mss_to_mtu">False</Option>
<Option name="classify_mark_terminating">False</Option>
<Option name="clear_unknown_interfaces">False</Option>
<Option name="cmdline"></Option>
<Option name="compiler"></Option>
<Option name="configure_bonding_interfaces">False</Option>
<Option name="configure_bridge_interfaces">False</Option>
<Option name="configure_interfaces">True</Option>
<Option name="configure_vlan_interfaces">False</Option>
<Option name="debug">False</Option>
<Option name="drop_invalid">False</Option>
<Option name="eliminate_duplicates">true</Option>
<Option name="epilog_script"></Option>
<Option name="firewall_dir">/etc</Option>
<Option name="firewall_is_part_of_any_and_networks">True</Option>
<Option name="freebsd_ip_forward">1</Option>
<Option name="ignore_empty_groups">False</Option>
<Option name="in_out_code">true</Option>
<Option name="ipv4_6_order">ipv4_first</Option>
<Option name="limit_suffix"></Option>
<Option name="limit_value">0</Option>
<Option name="linux24_ip_forward">1</Option>
<Option name="load_modules">True</Option>
<Option name="local_nat">False</Option>
<Option name="log_all">False</Option>
<Option name="log_invalid">False</Option>
<Option name="log_ip_opt">False</Option>
<Option name="log_level">info</Option>
<Option name="log_prefix">RULE %N -- %A </Option>
<Option name="log_tcp_opt">False</Option>
<Option name="log_tcp_seq">False</Option>
<Option name="loopback_interface">lo0</Option>
<Option name="macosx_ip_forward">1</Option>
<Option name="manage_virtual_addr">True</Option>
<Option name="mgmt_addr"></Option>
<Option name="mgmt_ssh">False</Option>
<Option name="openbsd_ip_forward">1</Option>
<Option name="output_file"></Option>
<Option name="pass_all_out">false</Option>
<Option name="pf_limit_frags">5000</Option>
<Option name="pf_limit_states">10000</Option>
<Option name="pf_scrub_maxmss">1460</Option>
<Option name="pf_timeout_frag">30</Option>
<Option name="pf_timeout_interval">10</Option>
<Option name="pix_add_clear_statements">true</Option>
<Option name="pix_assume_fw_part_of_any">true</Option>
<Option name="pix_default_logint">300</Option>
<Option name="pix_emblem_log_format">false</Option>
<Option name="pix_emulate_out_acl">true</Option>
<Option name="pix_floodguard">true</Option>
<Option name="pix_include_comments">true</Option>
<Option name="pix_route_dnat_supported">true</Option>
<Option name="pix_rule_syslog_settings">false</Option>
<Option name="pix_security_fragguard_supported">true</Option>
<Option name="pix_syslog_device_id_supported">false</Option>
<Option name="pix_use_acl_remarks">true</Option>
<Option name="prolog_place">top</Option>
<Option name="prolog_script"></Option>
<Option name="prompt1">$ </Option>
<Option name="prompt2"> # </Option>
<Option name="scpArgs"></Option>
<Option name="script_name_on_firewall"></Option>
<Option name="solaris_ip_forward">1</Option>
<Option name="sshArgs"></Option>
<Option name="ulog_cprange">0</Option>
<Option name="ulog_nlgroup">1</Option>
<Option name="ulog_qthreshold">1</Option>
<Option name="use_ULOG">False</Option>
<Option name="use_iptables_restore">False</Option>
<Option name="use_m_set">True</Option>
<Option name="use_numeric_log_levels">False</Option>
<Option name="verify_interfaces">True</Option>
</FirewallOptions>
</Firewall>
<Firewall id="id4374266X29460" host_OS="openwrt" inactive="False" lastCompiled="1279850008" lastInstalled="0" lastModified="1279855986" platform="iptables" version="1.4.3" name="firewall41-2" comment="testing run time address table objects with module set&#10;use module set is turned off&#10;" ro="False">
<NAT id="id4374396X29460" name="NAT" comment="" ro="False" ipv4_rule_set="False" ipv6_rule_set="False" top_rule_set="True">
<RuleSetOptions/>
</NAT>
<Policy id="id4374284X29460" name="Policy" comment="" ro="False" ipv4_rule_set="False" ipv6_rule_set="False" top_rule_set="True">
<PolicyRule id="id4374285X29460" disabled="False" log="False" position="0" action="Accept" direction="Both" comment="">
<Src neg="False">
<ObjectRef ref="id4374266X29460"/>
</Src>
<Dst neg="False">
<ObjectRef ref="id44F7056328576"/>
</Dst>
<Srv neg="False">
<ServiceRef ref="sysid1"/>
</Srv>
<Itf neg="False">
<ObjectRef ref="sysid0"/>
</Itf>
<When neg="False">
<IntervalRef ref="sysid2"/>
</When>
<PolicyRuleOptions/>
</PolicyRule>
<PolicyRule id="id4374297X29460" disabled="False" group="" log="False" position="1" action="Accept" direction="Both" comment="">
<Src neg="False">
<ObjectRef ref="id4374266X29460"/>
</Src>
<Dst neg="True">
<ObjectRef ref="id44F7056328576"/>
</Dst>
<Srv neg="False">
<ServiceRef ref="sysid1"/>
</Srv>
<Itf neg="False">
<ObjectRef ref="sysid0"/>
</Itf>
<When neg="False">
<IntervalRef ref="sysid2"/>
</When>
<PolicyRuleOptions>
<Option name="connlimit_above_not">False</Option>
<Option name="connlimit_masklen">0</Option>
<Option name="connlimit_value">0</Option>
<Option name="firewall_is_part_of_any_and_networks"></Option>
<Option name="hashlimit_burst">0</Option>
<Option name="hashlimit_dstlimit">False</Option>
<Option name="hashlimit_expire">0</Option>
<Option name="hashlimit_gcinterval">0</Option>
<Option name="hashlimit_max">0</Option>
<Option name="hashlimit_mode_dstip">False</Option>
<Option name="hashlimit_mode_dstport">False</Option>
<Option name="hashlimit_mode_srcip">False</Option>
<Option name="hashlimit_mode_srcport">False</Option>
<Option name="hashlimit_name"></Option>
<Option name="hashlimit_size">0</Option>
<Option name="hashlimit_suffix"></Option>
<Option name="hashlimit_value">0</Option>
<Option name="limit_burst">0</Option>
<Option name="limit_suffix"></Option>
<Option name="limit_value">0</Option>
<Option name="limit_value_not">False</Option>
<Option name="log_level"></Option>
<Option name="log_prefix"></Option>
<Option name="stateless">False</Option>
<Option name="ulog_nlgroup">1</Option>
</PolicyRuleOptions>
</PolicyRule>
<PolicyRule id="id4374309X29460" disabled="False" group="" log="False" position="2" action="Accept" direction="Both" comment="">
<Src neg="False">
<ObjectRef ref="id4374266X29460"/>
</Src>
<Dst neg="True">
<ObjectRef ref="id44F7056328576"/>
</Dst>
<Srv neg="False">
<ServiceRef ref="sysid1"/>
</Srv>
<Itf neg="False">
<ObjectRef ref="sysid0"/>
</Itf>
<When neg="False">
<IntervalRef ref="sysid2"/>
</When>
<PolicyRuleOptions>
<Option name="connlimit_above_not">False</Option>
<Option name="connlimit_masklen">0</Option>
<Option name="connlimit_value">0</Option>
<Option name="firewall_is_part_of_any_and_networks">0</Option>
<Option name="hashlimit_burst">0</Option>
<Option name="hashlimit_dstlimit">False</Option>
<Option name="hashlimit_expire">0</Option>
<Option name="hashlimit_gcinterval">0</Option>
<Option name="hashlimit_max">0</Option>
<Option name="hashlimit_mode_dstip">False</Option>
<Option name="hashlimit_mode_dstport">False</Option>
<Option name="hashlimit_mode_srcip">False</Option>
<Option name="hashlimit_mode_srcport">False</Option>
<Option name="hashlimit_name"></Option>
<Option name="hashlimit_size">0</Option>
<Option name="hashlimit_suffix"></Option>
<Option name="hashlimit_value">0</Option>
<Option name="limit_burst">0</Option>
<Option name="limit_suffix"></Option>
<Option name="limit_value">0</Option>
<Option name="limit_value_not">False</Option>
<Option name="log_level"></Option>
<Option name="log_prefix"></Option>
<Option name="stateless">False</Option>
<Option name="ulog_nlgroup">1</Option>
</PolicyRuleOptions>
</PolicyRule>
<PolicyRule id="id4374321X29460" disabled="False" group="" log="False" position="3" action="Accept" direction="Both" comment="">
<Src neg="False">
<ObjectRef ref="id4374266X29460"/>
</Src>
<Dst neg="False">
<ObjectRef ref="id44F7056328576"/>
<ObjectRef ref="id4389EE9118346"/>
</Dst>
<Srv neg="False">
<ServiceRef ref="sysid1"/>
</Srv>
<Itf neg="False">
<ObjectRef ref="sysid0"/>
</Itf>
<When neg="False">
<IntervalRef ref="sysid2"/>
</When>
<PolicyRuleOptions/>
</PolicyRule>
<PolicyRule id="id4374334X29460" disabled="False" group="" log="False" position="4" action="Accept" direction="Both" comment="">
<Src neg="False">
<ObjectRef ref="id44F7056328576"/>
</Src>
<Dst neg="False">
<ObjectRef ref="id4374266X29460"/>
</Dst>
<Srv neg="False">
<ServiceRef ref="sysid1"/>
</Srv>
<Itf neg="False">
<ObjectRef ref="sysid0"/>
</Itf>
<When neg="False">
<IntervalRef ref="sysid2"/>
</When>
<PolicyRuleOptions/>
</PolicyRule>
<PolicyRule id="id4374346X29460" disabled="False" group="" log="False" position="5" action="Accept" direction="Both" comment="">
<Src neg="True">
<ObjectRef ref="id44F7056328576"/>
</Src>
<Dst neg="False">
<ObjectRef ref="id4374266X29460"/>
</Dst>
<Srv neg="False">
<ServiceRef ref="sysid1"/>
</Srv>
<Itf neg="False">
<ObjectRef ref="sysid0"/>
</Itf>
<When neg="False">
<IntervalRef ref="sysid2"/>
</When>
<PolicyRuleOptions/>
</PolicyRule>
<PolicyRule id="id4374358X29460" disabled="False" group="" log="False" position="6" action="Accept" direction="Both" comment="">
<Src neg="True">
<ObjectRef ref="id44F7056328576"/>
</Src>
<Dst neg="False">
<ObjectRef ref="id4374266X29460"/>
</Dst>
<Srv neg="False">
<ServiceRef ref="sysid1"/>
</Srv>
<Itf neg="False">
<ObjectRef ref="sysid0"/>
</Itf>
<When neg="False">
<IntervalRef ref="sysid2"/>
</When>
<PolicyRuleOptions>
<Option name="connlimit_above_not">False</Option>
<Option name="connlimit_masklen">0</Option>
<Option name="connlimit_value">0</Option>
<Option name="firewall_is_part_of_any_and_networks">0</Option>
<Option name="hashlimit_burst">0</Option>
<Option name="hashlimit_dstlimit">False</Option>
<Option name="hashlimit_expire">0</Option>
<Option name="hashlimit_gcinterval">0</Option>
<Option name="hashlimit_max">0</Option>
<Option name="hashlimit_mode_dstip">False</Option>
<Option name="hashlimit_mode_dstport">False</Option>
<Option name="hashlimit_mode_srcip">False</Option>
<Option name="hashlimit_mode_srcport">False</Option>
<Option name="hashlimit_name"></Option>
<Option name="hashlimit_size">0</Option>
<Option name="hashlimit_suffix"></Option>
<Option name="hashlimit_value">0</Option>
<Option name="limit_burst">0</Option>
<Option name="limit_suffix"></Option>
<Option name="limit_value">0</Option>
<Option name="limit_value_not">False</Option>
<Option name="log_level"></Option>
<Option name="log_prefix"></Option>
<Option name="stateless">False</Option>
<Option name="ulog_nlgroup">1</Option>
</PolicyRuleOptions>
</PolicyRule>
<PolicyRule id="id4374370X29460" disabled="False" group="" log="False" position="7" action="Accept" direction="Both" comment="">
<Src neg="False">
<ObjectRef ref="id44F7056328576"/>
<ObjectRef ref="id4389EE9118346"/>
</Src>
<Dst neg="False">
<ObjectRef ref="id4374266X29460"/>
</Dst>
<Srv neg="False">
<ServiceRef ref="sysid1"/>
</Srv>
<Itf neg="False">
<ObjectRef ref="sysid0"/>
</Itf>
<When neg="False">
<IntervalRef ref="sysid2"/>
</When>
<PolicyRuleOptions/>
</PolicyRule>
<PolicyRule id="id4374383X29460" disabled="False" group="" log="False" position="8" action="Deny" direction="Both" comment="">
<Src neg="False">
<ObjectRef ref="sysid0"/>
</Src>
<Dst neg="False">
<ObjectRef ref="id44F7056328576"/>
</Dst>
<Srv neg="False">
<ServiceRef ref="sysid1"/>
</Srv>
<Itf neg="False">
<ObjectRef ref="sysid0"/>
</Itf>
<When neg="False">
<IntervalRef ref="sysid2"/>
</When>
<PolicyRuleOptions>
<Option name="stateless">True</Option>
</PolicyRuleOptions>
</PolicyRule>
<RuleSetOptions/>
</Policy>
<Routing id="id4374398X29460" name="Routing" comment="" ro="False" ipv4_rule_set="False" ipv6_rule_set="False" top_rule_set="True">
<RuleSetOptions/>
</Routing>
<Interface id="id4374274X29460" dedicated_failover="False" dyn="False" label="ext" security_level="0" unnum="False" unprotected="False" name="eth0" comment="" ro="False">
<IPv4 id="id4374277X29460" name="firewall41-2:eth0:ip" comment="" ro="False" address="1.1.1.1" netmask="255.255.255.0"/>
<InterfaceOptions/>
</Interface>
<Interface id="id4374279X29460" dedicated_failover="False" dyn="False" label="int" security_level="50" unnum="False" unprotected="False" name="eth1" comment="" ro="False">
<IPv4 id="id4374282X29460" name="firewall41-2:eth1:ip" comment="" ro="False" address="2.2.2.2" netmask="255.255.255.0"/>
<InterfaceOptions/>
</Interface>
<Management address="0.0.0.0">
<SNMPManagement enabled="False" snmp_read_community="" snmp_write_community=""/>
<FWBDManagement enabled="False" identity="" port="-1"/>
<PolicyInstallScript arguments="" command="" enabled="False"/>
</Management>
<FirewallOptions>
<Option name="accept_established">true</Option>
<Option name="accept_new_tcp_with_no_syn">true</Option>
<Option name="admUser">root</Option>
<Option name="check_shading">true</Option>
<Option name="configure_interfaces">true</Option>
<Option name="eliminate_duplicates">true</Option>
<Option name="firewall_dir">/etc/init.d</Option>
<Option name="firewall_is_part_of_any_and_networks">true</Option>
<Option name="flush_and_set_default_policy">True</Option>
<Option name="freebsd_ip_forward">1</Option>
<Option name="in_out_code">true</Option>
<Option name="limit_value">0</Option>
<Option name="linux24_ip_forward">1</Option>
<Option name="load_modules">true</Option>
<Option name="local_nat">false</Option>
<Option name="log_level">info</Option>
<Option name="log_prefix">RULE %N -- %A </Option>
<Option name="loopback_interface">lo</Option>
<Option name="macosx_ip_forward">1</Option>
<Option name="manage_virtual_addr">true</Option>
<Option name="modules_dir">/lib/modules/`uname -r`/</Option>
<Option name="openbsd_ip_forward">1</Option>
<Option name="output_file">fwbuilder.fw</Option>
<Option name="pass_all_out">false</Option>
<Option name="pf_limit_frags">5000</Option>
<Option name="pf_limit_states">10000</Option>
<Option name="pf_scrub_maxmss">1460</Option>
<Option name="pf_timeout_frag">30</Option>
<Option name="pf_timeout_interval">10</Option>
<Option name="pix_add_clear_statements">true</Option>
<Option name="pix_assume_fw_part_of_any">true</Option>
<Option name="pix_default_logint">300</Option>
<Option name="pix_emblem_log_format">false</Option>
<Option name="pix_emulate_out_acl">true</Option>
<Option name="pix_floodguard">true</Option>
<Option name="pix_include_comments">true</Option>
<Option name="pix_route_dnat_supported">true</Option>
<Option name="pix_rule_syslog_settings">false</Option>
<Option name="pix_security_fragguard_supported">true</Option>
<Option name="pix_syslog_device_id_supported">false</Option>
<Option name="pix_use_acl_remarks">true</Option>
<Option name="prompt1">$ </Option>
<Option name="prompt2"> # </Option>
<Option name="solaris_ip_forward">1</Option>
<Option name="ulog_nlgroup">1</Option>
<Option name="verify_interfaces">true</Option>
</FirewallOptions>
</Firewall>
</ObjectGroup>
<IntervalGroup id="stdid11_1" name="Time" comment="" ro="False">
<Interval id="id3D6864D0" days_of_week="0,1" from_day="-1" from_hour="1" from_minute="1" from_month="-1" from_weekday="0" from_year="-1" to_day="-1" to_hour="2" to_minute="2" to_month="-1" to_weekday="1" to_year="-1" name="test time 1" comment="" ro="False"/>