. Added PF versions 4.0-4.2 and >4.3 to the list. Using keywords nat-anchor and rdr-anchor if PF version is <4.3. Refs #84
This commit is contained in:
parent
a47cd5c817
commit
f78806dcf8
@ -1,7 +1,9 @@
|
||||
2009-10-20 vadim <vadim@vk.crocodile.org>
|
||||
|
||||
* NATCompiler_pf_writers.cpp (PrintRule::processNext): Added
|
||||
support for branching NAT rules for PF.
|
||||
support for branching NAT rules for PF. Compiler generates
|
||||
keyword "anchor" if PF version is 4.3 or later and "nat-anchor"
|
||||
and "rdr-anchor" for earlier versions.
|
||||
|
||||
* platforms.cpp (getActionNameForPlatform): Human-readable names
|
||||
for Policy and NAT rule actions come from the platform .xml
|
||||
|
||||
@ -403,7 +403,8 @@ void getVersionsForPlatform(const QString &platform, std::list<QStringPair> &res
|
||||
res.push_back(QStringPair("","- any -"));
|
||||
res.push_back(QStringPair("3.x", QObject::tr("3.x")));
|
||||
res.push_back(QStringPair("ge_3.7", QObject::tr("3.7 to 3.9")));
|
||||
res.push_back(QStringPair("4.x", QObject::tr("4.x")));
|
||||
res.push_back(QStringPair("4.0", QObject::tr("4.0 to 4.2")));
|
||||
res.push_back(QStringPair("4.3", QObject::tr("4.3 and later")));
|
||||
/* add pf versions here */
|
||||
} else
|
||||
{
|
||||
|
||||
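Review bot: The legacy "4.x" entry just above the new "4.0"/"4.3" entries stays selectable, but the code paths this commit switches to `XMLTools::version_compare(..., "4.0")` give no visible guarantee of how a non-numeric value such as "4.x", "ge_3.7", "3.x" or the "" behind "- any -" is ordered, so a firewall saved with "4.x" may land on either side of the 4.3 anchor-keyword split. Either retire "4.x" from the list (migrating existing objects) or document the contract next to it: `// "4.x" predates the 4.0/4.3 split; XMLTools::version_compare must order it (and "") as intended -- TODO confirm`. getVersionsForPlatform continues past the end of this hunk.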
@ -246,7 +246,8 @@ void CompilerDriver_pf::printStaticOptions(QTextStream &file, Firewall* fw)
|
||||
// and generate 'set skip on <ifspec>' commands
|
||||
|
||||
if (fw->getStr("version")=="ge_3.7" ||
|
||||
fw->getStr("version")=="4.x")
|
||||
// fw->getStr("version")=="4.x")
|
||||
XMLTools::version_compare(fw->getStr("version"), "4.0")>=0)
|
||||
{
|
||||
for (list<FWObject*>::iterator i=all_interfaces.begin();
|
||||
i!=all_interfaces.end(); ++i)
|
||||
|
||||
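Review bot: The old comparison is left as a comment between the two live operands of the `if` (the `// fw->getStr("version")=="4.x")` line), so the condition reads as though its second half were disabled; the history is in git, so drop the line and keep `if (fw->getStr("version")=="ge_3.7" || XMLTools::version_compare(fw->getStr("version"), "4.0")>=0)`. The same commented-out comparison is left inside the argument list of `setVariable("pf_version_ge_4_x", ...)` in assembleFwScript further down this page. Whether version_compare orders the empty "- any -" version and "3.x" below "4.0" is not visible here and is worth confirming, since that comparison now gates the `set skip on` output. printStaticOptions starts and ends outside the hunk.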
@ -181,7 +181,9 @@ QString CompilerDriver_pf::assembleFwScript(Firewall* fw, bool cluster_member, O
|
||||
if (fw->getStr("platform") == "pf")
|
||||
{
|
||||
script_skeleton.setVariable("pf_flush_states", options->getBool("pf_flush_states"));
|
||||
script_skeleton.setVariable("pf_version_ge_4_x", fw->getStr("version")=="4.x");
|
||||
script_skeleton.setVariable("pf_version_ge_4_x", // fw->getStr("version")=="4.x");
|
||||
XMLTools::version_compare(fw->getStr("version"), "4.0")>=0);
|
||||
|
||||
} else
|
||||
{
|
||||
script_skeleton.setVariable("pf_flush_states", 0);
|
||||
@ -331,6 +333,17 @@ string CompilerDriver_pf::run(const std::string &cluster_id,
|
||||
if (!nat->matchingAddressFamily(policy_af)) continue;
|
||||
|
||||
string ruleset_name = nat->getName();
|
||||
|
||||
if (ruleset_name.find("/*")!=string::npos)
|
||||
{
|
||||
QString err("The name of the policy ruleset %1"
|
||||
" ends with '/*', assuming it is externally"
|
||||
" controlled and skipping it.");
|
||||
warning(fw, nat, NULL,
|
||||
err.arg(ruleset_name.c_str()).toStdString());
|
||||
continue;
|
||||
}
|
||||
|
||||
if (nat->isTop())
|
||||
ruleset_name = "__main__";
|
||||
|
||||
|
||||
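Review bot: The new guard `ruleset_name.find("/*")!=string::npos` skips any NAT ruleset whose name contains "/*" anywhere, while the warning it emits says the name "ends with '/*'" and calls it a "policy ruleset"; a name such as "a/*b" would be skipped with a misleading message. Test the suffix instead, e.g. `const string ext("/*"); if (ruleset_name.size() >= ext.size() && ruleset_name.compare(ruleset_name.size() - ext.size(), ext.size(), ext) == 0)`, and word the message as "The name of the NAT ruleset %1 ends with '/*' ...". CompilerDriver_pf::run starts and ends outside the hunk.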
@ -348,7 +348,12 @@ namespace fwcompiler {
|
||||
*/
|
||||
class PrintRule : public NATRuleProcessor
|
||||
{
|
||||
protected:
|
||||
void _printAnchorRule(const std::string &anchor_command,
|
||||
const std::string &ruleset_name,
|
||||
const std::string &interface_name,
|
||||
libfwbuilder::NATRule *rule);
|
||||
|
||||
protected:
|
||||
bool init;
|
||||
std::string current_rule_label;
|
||||
|
||||
|
||||
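Review bot: The new `_printAnchorRule` declaration carries no comment, and nothing in the header says what `anchor_command` may be or which rule elements the function prints; a reader has to open the .cpp to learn it emits one line of the form `<anchor_command> "<ruleset_name>" [on <interface_name>] [<proto> from <osrc> to <odst> [port]]`. Add above the declaration: `// Print one anchor line for a NATBranch rule. anchor_command is "anchor" (PF 4.3+) or "nat-anchor"/"rdr-anchor" (older PF); interface_name may be empty; the match part is printed only when OSrv, OSrc or ODst is not "any".` The class body continues outside the hunk, and the `protected:` label now appears twice in a row and could be collapsed.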
@ -81,6 +81,8 @@ bool NATCompiler_pf::PrintRule::processNext()
|
||||
|
||||
tmp_queue.push_back(rule);
|
||||
|
||||
string version = compiler->fw->getStr("version");
|
||||
|
||||
if (!compiler->inSingleRuleCompileMode())
|
||||
{
|
||||
string rl=rule->getLabel();
|
||||
@ -246,19 +248,16 @@ bool NATCompiler_pf::PrintRule::processNext()
|
||||
// in test mode compiler->abort() does not really abort the program
|
||||
ruleset_name = "UNKNOWN";
|
||||
}
|
||||
compiler->output << "anchor \"" << ruleset_name << "\" ";
|
||||
|
||||
if (iface_name!="") compiler->output << "on " << iface_name << " ";
|
||||
if (!osrv->isAny() || !osrcrel->isAny() || !odstrel->isAny())
|
||||
if (XMLTools::version_compare(version, "4.2")>=0)
|
||||
{
|
||||
_printProtocol(osrv);
|
||||
compiler->output << "from ";
|
||||
_printREAddr( osrcrel );
|
||||
compiler->output << "to ";
|
||||
_printREAddr( odstrel );
|
||||
_printPort(osrv, true);
|
||||
_printAnchorRule("anchor", ruleset_name, iface_name, rule);
|
||||
} else
|
||||
{
|
||||
_printAnchorRule("nat-anchor", ruleset_name, iface_name, rule);
|
||||
_printAnchorRule("rdr-anchor", ruleset_name, iface_name, rule);
|
||||
}
|
||||
compiler->output << endl;
|
||||
|
||||
}
|
||||
break;
|
||||
|
||||
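Review bot: The threshold in `if (XMLTools::version_compare(version, "4.2")>=0)` disagrees with the boundary this commit documents everywhere else (ChangeLog: "anchor" if PF version is 4.3 or later; platform list: "4.0 to 4.2" versus "4.3 and later"). With only "4.0" and "4.3" selectable the output is correct today, but any version string that orders between 4.2 and 4.3 — a future "4.2" entry, or whatever the legacy "4.x" compares as — would be given the 4.3-only `anchor` keyword on a PF that needs nat-anchor/rdr-anchor. Change it to `if (XMLTools::version_compare(version, "4.3")>=0)` so the literal matches the contract. processNext starts and ends outside the hunk.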
@ -268,6 +267,30 @@ bool NATCompiler_pf::PrintRule::processNext()
|
||||
return true;
|
||||
}
|
||||
|
||||
void NATCompiler_pf::PrintRule::_printAnchorRule(const string &anchor_command,
|
||||
const std::string &ruleset_name,
|
||||
const std::string &interface_name,
|
||||
NATRule *rule)
|
||||
{
|
||||
RuleElementOSrc *osrcrel = rule->getOSrc();
|
||||
RuleElementODst *odstrel = rule->getODst();
|
||||
RuleElementOSrv *osrvrel = rule->getOSrv();
|
||||
Service *osrv = compiler->getFirstOSrv(rule);
|
||||
|
||||
compiler->output << anchor_command << " \"" << ruleset_name << "\" ";
|
||||
if (interface_name!="") compiler->output << "on " << interface_name << " ";
|
||||
if (!osrvrel->isAny() || !osrcrel->isAny() || !odstrel->isAny())
|
||||
{
|
||||
_printProtocol(osrv);
|
||||
compiler->output << "from ";
|
||||
_printREAddr( osrcrel );
|
||||
compiler->output << "to ";
|
||||
_printREAddr( odstrel );
|
||||
_printPort(osrv, true);
|
||||
}
|
||||
compiler->output << endl;
|
||||
}
|
||||
|
||||
void NATCompiler_pf::PrintRule::_printProtocol(Service *srv)
|
||||
{
|
||||
// CustomService returns protocol name starting with v3.0.4
|
||||
|
||||
@ -44,6 +44,7 @@
|
||||
#include "fwbuilder/IPv4.h"
|
||||
#include "fwbuilder/DNSName.h"
|
||||
#include "fwbuilder/AddressTable.h"
|
||||
#include "fwbuilder/XMLTools.h"
|
||||
|
||||
#include <iostream>
|
||||
#if __GNUC__ > 3 || \
|
||||
@ -945,7 +946,8 @@ bool PolicyCompiler_pf::PrintRule::processNext()
|
||||
{
|
||||
// tcp service, no special flag match
|
||||
|
||||
if ( version == "4.x")
|
||||
// if ( version == "4.x")
|
||||
if (XMLTools::version_compare(version, "4.0")>=0)
|
||||
{
|
||||
if (compiler->getCachedFwOpt()->getBool(
|
||||
"accept_new_tcp_with_no_syn") )
|
||||
@ -1005,7 +1007,8 @@ bool PolicyCompiler_pf::PrintRule::processNext()
|
||||
* interface. Adding rule option "Set 'keep state'
|
||||
* explicitly" to cope with this.
|
||||
*/
|
||||
if ( version != "4.x" ||
|
||||
if (XMLTools::version_compare(version, "4.0") < 0 ||
|
||||
//if ( version != "4.x" ||
|
||||
compiler->getCachedFwOpt()->getBool("pf_keep_state"))
|
||||
compiler->output << "keep state ";
|
||||
}
|
||||
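Review bot: The leftover `//if ( version != "4.x" ||` sits between the two operands of the live condition, so the `||` expression reads as if `getBool("pf_keep_state")` belonged to a disabled branch; the same dead comments are left at the two `version == "4.x"` sites in the other hunks of this file. Drop them and keep `if (XMLTools::version_compare(version, "4.0") < 0 || compiler->getCachedFwOpt()->getBool("pf_keep_state"))` on its own. Note the inversion: `!= "4.x"` used to emit `keep state` for every non-4.x value including "" and "3.x"; whether version_compare orders those below "4.0" (preserving that behaviour) is not visible in this hunk. processNext starts and ends outside the hunk.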
@ -1093,7 +1096,8 @@ bool PolicyCompiler_pf::PrintRule::processNext()
|
||||
} else
|
||||
{
|
||||
// stateless rule
|
||||
if ( version == "4.x")
|
||||
if (XMLTools::version_compare(version, "4.0")>=0)
|
||||
//if ( version == "4.x")
|
||||
// v4.x, stateless rule
|
||||
compiler->output << "no state ";
|
||||
}
|
||||
|
||||
@ -1,6 +1,6 @@
|
||||
<?xml version="1.0" encoding="utf-8"?>
|
||||
<!DOCTYPE FWObjectDatabase SYSTEM "fwbuilder.dtd">
|
||||
<FWObjectDatabase xmlns="http://www.fwbuilder.org/1.0/" version="13" lastModified="1256083160" id="root">
|
||||
<FWObjectDatabase xmlns="http://www.fwbuilder.org/1.0/" version="13" lastModified="1256085763" id="root">
|
||||
<Library id="sysid99" name="Deleted Objects" comment="" ro="False">
|
||||
<ICMP6Service id="idE0C27650" code="0" type="1" name="ipv6 dest unreachable" comment="No route to destination" ro="False"/>
|
||||
<Library id="id40E233F3" color="#FFFFFF" name="West Coast" comment="" ro="False">
|
||||
@ -1096,11 +1096,7 @@
|
||||
</FirewallOptions>
|
||||
</Firewall>
|
||||
<ObjectRef ref="id34697X75509"/>
|
||||
<ObjectRef ref="net-Internal_net"/>
|
||||
<ObjectRef ref="id19505X46601"/>
|
||||
<ObjectRef ref="sysid0"/>
|
||||
<ObjectRef ref="sysid0"/>
|
||||
<ObjectRef ref="sysid0"/>
|
||||
</Library>
|
||||
<Library id="syslib001" color="#d2ffd0" name="User" comment="User defined objects" ro="False">
|
||||
<ObjectGroup id="stdid01_1_clusters" name="Clusters" comment="" ro="False"/>
|
||||
@ -16128,7 +16124,7 @@
|
||||
<Option name="use_tables">True</Option>
|
||||
</FirewallOptions>
|
||||
</Firewall>
|
||||
<Firewall id="id19494X46601" host_OS="freebsd" inactive="False" lastCompiled="1256083190" lastInstalled="0" lastModified="1256083185" platform="pf" version="4.x" name="firewall21" comment="branching in NAT rules" ro="False">
|
||||
<Firewall id="id19494X46601" host_OS="freebsd" inactive="False" lastCompiled="1256085788" lastInstalled="0" lastModified="1256085759" platform="pf" version="4.0" name="firewall21" comment="branching in NAT rules PF v4.0-4.2" ro="False">
|
||||
<NAT id="id19574X46601" name="NAT" comment="" ro="False" ipv4_rule_set="False" ipv6_rule_set="False" top_rule_set="True">
|
||||
<NATRule id="id19575X46601" disabled="False" position="0" action="NATBranch" comment="">
|
||||
<OSrc neg="False">
|
||||
@ -16151,12 +16147,12 @@
|
||||
</TSrv>
|
||||
<NATRuleOptions>
|
||||
<Option name="action_on_reject"></Option>
|
||||
<Option name="branch_id">id28067X46601</Option>
|
||||
<Option name="branch_id">id19696X53465</Option>
|
||||
<Option name="classify_str"></Option>
|
||||
<Option name="custom_str"></Option>
|
||||
<Option name="ipf_route_opt_addr"></Option>
|
||||
<Option name="ipf_route_opt_if"></Option>
|
||||
<Option name="ipf_route_option">route_through</Option>
|
||||
<Option name="ipf_route_option">route_reply_through</Option>
|
||||
<Option name="ipfw_classify_method">2</Option>
|
||||
<Option name="ipfw_pipe_port_num">0</Option>
|
||||
<Option name="ipfw_pipe_queue_num">0</Option>
|
||||
@ -16286,6 +16282,7 @@
|
||||
<NATRuleOptions/>
|
||||
</NATRule>
|
||||
</NAT>
|
||||
<NAT id="id19696X53465" name="ftp-proxy/*" comment="" ro="False" ipv4_rule_set="True" ipv6_rule_set="False" top_rule_set="False"/>
|
||||
<Policy id="id19513X46601" name="Policy" comment="" ro="False" ipv4_rule_set="False" ipv6_rule_set="False" top_rule_set="True">
|
||||
<PolicyRule id="id19562X46601" disabled="False" log="True" position="0" action="Deny" direction="Both" comment="">
|
||||
<Src neg="False">
|
||||
@ -16353,6 +16350,280 @@
|
||||
<Option name="inst_cmdline"></Option>
|
||||
<Option name="inst_script"></Option>
|
||||
<Option name="install_script"></Option>
|
||||
<Option name="ipt_mangle_only_rulesets"></Option>
|
||||
<Option name="limit_suffix">/day</Option>
|
||||
<Option name="limit_value">0</Option>
|
||||
<Option name="linux24_ip_forward">0</Option>
|
||||
<Option name="linux24_tcp_fin_timeout">30</Option>
|
||||
<Option name="linux24_tcp_keepalive_interval">1800</Option>
|
||||
<Option name="load_modules">False</Option>
|
||||
<Option name="log_all_dropped">False</Option>
|
||||
<Option name="log_ip_opt">False</Option>
|
||||
<Option name="log_level">debug</Option>
|
||||
<Option name="log_limit_suffix">/second</Option>
|
||||
<Option name="log_limit_value">0</Option>
|
||||
<Option name="log_prefix"></Option>
|
||||
<Option name="log_tcp_opt">False</Option>
|
||||
<Option name="log_tcp_seq">False</Option>
|
||||
<Option name="manage_virtual_addr">True</Option>
|
||||
<Option name="modulate_state">False</Option>
|
||||
<Option name="no_iochains_for_any">False</Option>
|
||||
<Option name="no_optimisation">False</Option>
|
||||
<Option name="openbsd_path_pfctl"></Option>
|
||||
<Option name="openbsd_path_sysctl"></Option>
|
||||
<Option name="pass_all_out">False</Option>
|
||||
<Option name="pf_do_scrub">True</Option>
|
||||
<Option name="pf_limit_frags">5000</Option>
|
||||
<Option name="pf_limit_states">10000</Option>
|
||||
<Option name="pf_optimization"></Option>
|
||||
<Option name="pf_scrub_fragm_crop">False</Option>
|
||||
<Option name="pf_scrub_fragm_drop_ovl">False</Option>
|
||||
<Option name="pf_scrub_maxmss">1460</Option>
|
||||
<Option name="pf_scrub_minttl">1</Option>
|
||||
<Option name="pf_scrub_no_df">False</Option>
|
||||
<Option name="pf_scrub_random_id">False</Option>
|
||||
<Option name="pf_scrub_use_maxmss">False</Option>
|
||||
<Option name="pf_scrub_use_minttl">False</Option>
|
||||
<Option name="pf_timeout_frag">30</Option>
|
||||
<Option name="pf_timeout_interval">10</Option>
|
||||
<Option name="platform">iptables</Option>
|
||||
<Option name="proxy_arp">False</Option>
|
||||
<Option name="script_env_path"></Option>
|
||||
<Option name="snmp_contact"></Option>
|
||||
<Option name="snmp_description"></Option>
|
||||
<Option name="snmp_location"></Option>
|
||||
<Option name="use_ip_tool">False</Option>
|
||||
<Option name="use_numeric_log_levels">False</Option>
|
||||
<Option name="use_tables">True</Option>
|
||||
</FirewallOptions>
|
||||
</Firewall>
|
||||
<Firewall id="id19695X55350" host_OS="freebsd" inactive="False" lastCompiled="1256085789" lastInstalled="0" lastModified="1256085779" platform="pf" version="4.3" name="firewall22" comment="branching in NAT rules PF v4.3 and later" ro="False">
|
||||
<NAT id="id19729X55350" name="NAT" comment="" ro="False" ipv4_rule_set="False" ipv6_rule_set="False" top_rule_set="True">
|
||||
<NATRule id="id19730X55350" disabled="False" position="0" action="NATBranch" comment="">
|
||||
<OSrc neg="False">
|
||||
<ObjectRef ref="sysid0"/>
|
||||
</OSrc>
|
||||
<ODst neg="False">
|
||||
<ObjectRef ref="sysid0"/>
|
||||
</ODst>
|
||||
<OSrv neg="False">
|
||||
<ServiceRef ref="sysid1"/>
|
||||
</OSrv>
|
||||
<TSrc neg="False">
|
||||
<ObjectRef ref="sysid0"/>
|
||||
</TSrc>
|
||||
<TDst neg="False">
|
||||
<ObjectRef ref="sysid0"/>
|
||||
</TDst>
|
||||
<TSrv neg="False">
|
||||
<ServiceRef ref="sysid1"/>
|
||||
</TSrv>
|
||||
<NATRuleOptions>
|
||||
<Option name="action_on_reject"></Option>
|
||||
<Option name="branch_id">id19696X53465</Option>
|
||||
<Option name="classify_str"></Option>
|
||||
<Option name="custom_str"></Option>
|
||||
<Option name="ipf_route_opt_addr"></Option>
|
||||
<Option name="ipf_route_opt_if"></Option>
|
||||
<Option name="ipf_route_option">route_reply_through</Option>
|
||||
<Option name="ipfw_classify_method">2</Option>
|
||||
<Option name="ipfw_pipe_port_num">0</Option>
|
||||
<Option name="ipfw_pipe_queue_num">0</Option>
|
||||
<Option name="ipt_continue">False</Option>
|
||||
<Option name="ipt_gw"></Option>
|
||||
<Option name="ipt_iif"></Option>
|
||||
<Option name="ipt_mark_connections">False</Option>
|
||||
<Option name="ipt_oif"></Option>
|
||||
<Option name="ipt_tee">False</Option>
|
||||
<Option name="pf_fastroute">False</Option>
|
||||
<Option name="pf_route_load_option">none</Option>
|
||||
<Option name="pf_route_opt_addr"></Option>
|
||||
<Option name="pf_route_opt_if"></Option>
|
||||
<Option name="pf_route_option">none</Option>
|
||||
<Option name="rule_name_accounting"></Option>
|
||||
</NATRuleOptions>
|
||||
</NATRule>
|
||||
<NATRule id="id19744X55350" disabled="False" group="" position="1" action="NATBranch" comment="">
|
||||
<OSrc neg="False">
|
||||
<ObjectRef ref="net-Internal_net"/>
|
||||
</OSrc>
|
||||
<ODst neg="False">
|
||||
<ObjectRef ref="sysid0"/>
|
||||
</ODst>
|
||||
<OSrv neg="False">
|
||||
<ServiceRef ref="sysid1"/>
|
||||
</OSrv>
|
||||
<TSrc neg="False">
|
||||
<ObjectRef ref="sysid0"/>
|
||||
</TSrc>
|
||||
<TDst neg="False">
|
||||
<ObjectRef ref="sysid0"/>
|
||||
</TDst>
|
||||
<TSrv neg="False">
|
||||
<ServiceRef ref="sysid1"/>
|
||||
</TSrv>
|
||||
<NATRuleOptions>
|
||||
<Option name="action_on_reject"></Option>
|
||||
<Option name="branch_id">id28067X46601</Option>
|
||||
<Option name="classify_str"></Option>
|
||||
<Option name="custom_str"></Option>
|
||||
<Option name="ipf_route_opt_addr"></Option>
|
||||
<Option name="ipf_route_opt_if"></Option>
|
||||
<Option name="ipf_route_option">route_through</Option>
|
||||
<Option name="ipfw_classify_method">2</Option>
|
||||
<Option name="ipfw_pipe_port_num">0</Option>
|
||||
<Option name="ipfw_pipe_queue_num">0</Option>
|
||||
<Option name="ipt_continue">False</Option>
|
||||
<Option name="ipt_gw"></Option>
|
||||
<Option name="ipt_iif"></Option>
|
||||
<Option name="ipt_mark_connections">False</Option>
|
||||
<Option name="ipt_oif"></Option>
|
||||
<Option name="ipt_tee">False</Option>
|
||||
<Option name="pf_fastroute">False</Option>
|
||||
<Option name="pf_route_load_option">none</Option>
|
||||
<Option name="pf_route_opt_addr"></Option>
|
||||
<Option name="pf_route_opt_if"></Option>
|
||||
<Option name="pf_route_option">none</Option>
|
||||
<Option name="rule_name_accounting"></Option>
|
||||
</NATRuleOptions>
|
||||
</NATRule>
|
||||
<NATRule id="id19758X55350" disabled="False" group="" position="2" action="NATBranch" comment="">
|
||||
<OSrc neg="False">
|
||||
<ObjectRef ref="net-Internal_net"/>
|
||||
</OSrc>
|
||||
<ODst neg="False">
|
||||
<ObjectRef ref="sysid0"/>
|
||||
</ODst>
|
||||
<OSrv neg="False">
|
||||
<ServiceRef ref="sysid1"/>
|
||||
</OSrv>
|
||||
<TSrc neg="False">
|
||||
<ObjectRef ref="id19706X55350"/>
|
||||
</TSrc>
|
||||
<TDst neg="False">
|
||||
<ObjectRef ref="sysid0"/>
|
||||
</TDst>
|
||||
<TSrv neg="False">
|
||||
<ServiceRef ref="sysid1"/>
|
||||
</TSrv>
|
||||
<NATRuleOptions>
|
||||
<Option name="action_on_reject"></Option>
|
||||
<Option name="branch_id">id28067X46601</Option>
|
||||
<Option name="classify_str"></Option>
|
||||
<Option name="custom_str"></Option>
|
||||
<Option name="ipf_route_opt_addr"></Option>
|
||||
<Option name="ipf_route_opt_if"></Option>
|
||||
<Option name="ipf_route_option">route_through</Option>
|
||||
<Option name="ipfw_classify_method">2</Option>
|
||||
<Option name="ipfw_pipe_port_num">0</Option>
|
||||
<Option name="ipfw_pipe_queue_num">0</Option>
|
||||
<Option name="ipt_continue">False</Option>
|
||||
<Option name="ipt_gw"></Option>
|
||||
<Option name="ipt_iif"></Option>
|
||||
<Option name="ipt_mark_connections">False</Option>
|
||||
<Option name="ipt_oif"></Option>
|
||||
<Option name="ipt_tee">False</Option>
|
||||
<Option name="pf_fastroute">False</Option>
|
||||
<Option name="pf_route_load_option">none</Option>
|
||||
<Option name="pf_route_opt_addr"></Option>
|
||||
<Option name="pf_route_opt_if"></Option>
|
||||
<Option name="pf_route_option">none</Option>
|
||||
<Option name="rule_name_accounting"></Option>
|
||||
</NATRuleOptions>
|
||||
</NATRule>
|
||||
</NAT>
|
||||
<NAT id="id19772X55350" name="NAT_1" comment="" ro="False" ipv4_rule_set="False" ipv6_rule_set="False" top_rule_set="False">
|
||||
<NATRule id="id19773X55350" disabled="False" position="0" action="Translate" comment="">
|
||||
<OSrc neg="False">
|
||||
<ObjectRef ref="net-Internal_net"/>
|
||||
</OSrc>
|
||||
<ODst neg="False">
|
||||
<ObjectRef ref="sysid0"/>
|
||||
</ODst>
|
||||
<OSrv neg="False">
|
||||
<ServiceRef ref="sysid1"/>
|
||||
</OSrv>
|
||||
<TSrc neg="False">
|
||||
<ObjectRef ref="id19695X55350"/>
|
||||
</TSrc>
|
||||
<TDst neg="False">
|
||||
<ObjectRef ref="sysid0"/>
|
||||
</TDst>
|
||||
<TSrv neg="False">
|
||||
<ServiceRef ref="sysid1"/>
|
||||
</TSrv>
|
||||
<NATRuleOptions/>
|
||||
</NATRule>
|
||||
</NAT>
|
||||
<NAT id="id19787X55350" name="ftp-proxy/*" comment="" ro="False" ipv4_rule_set="True" ipv6_rule_set="False" top_rule_set="False"/>
|
||||
<Policy id="id19716X55350" name="Policy" comment="" ro="False" ipv4_rule_set="False" ipv6_rule_set="False" top_rule_set="True">
|
||||
<PolicyRule id="id19717X55350" disabled="False" log="True" position="0" action="Deny" direction="Both" comment="">
|
||||
<Src neg="False">
|
||||
<ObjectRef ref="sysid0"/>
|
||||
</Src>
|
||||
<Dst neg="False">
|
||||
<ObjectRef ref="sysid0"/>
|
||||
</Dst>
|
||||
<Srv neg="False">
|
||||
<ServiceRef ref="sysid1"/>
|
||||
</Srv>
|
||||
<Itf neg="False">
|
||||
<ObjectRef ref="sysid0"/>
|
||||
</Itf>
|
||||
<When neg="False">
|
||||
<IntervalRef ref="sysid2"/>
|
||||
</When>
|
||||
<PolicyRuleOptions>
|
||||
<Option name="stateless">True</Option>
|
||||
</PolicyRuleOptions>
|
||||
</PolicyRule>
|
||||
</Policy>
|
||||
<Routing id="id19788X55350" name="Routing" comment="" ro="False" ipv4_rule_set="False" ipv6_rule_set="False" top_rule_set="True"/>
|
||||
<Interface id="id19701X55350" dyn="False" label="" mgmt="False" security_level="100" unnum="False" unprotected="False" name="en1" comment="" ro="False">
|
||||
<IPv4 id="id19704X55350" name="firewall22:en1:ip" comment="" ro="False" address="192.168.1.1" netmask="255.255.255.0"/>
|
||||
<InterfaceOptions/>
|
||||
</Interface>
|
||||
<Interface id="id19706X55350" dyn="False" label="" mgmt="False" security_level="0" unnum="False" unprotected="False" name="en0" comment="" ro="False">
|
||||
<IPv4 id="id19709X55350" name="firewall22:en0:ip" comment="" ro="False" address="192.0.2.1" netmask="255.255.255.0"/>
|
||||
<InterfaceOptions/>
|
||||
</Interface>
|
||||
<Interface id="id19711X55350" dyn="False" security_level="100" unnum="False" unprotected="False" name="lo" comment="" ro="False">
|
||||
<IPv4 id="id19714X55350" name="firewall22:lo:ip" comment="" ro="False" address="127.0.0.1" netmask="255.0.0.0"/>
|
||||
<InterfaceOptions/>
|
||||
</Interface>
|
||||
<Management address="127.0.0.1">
|
||||
<SNMPManagement enabled="False" snmp_read_community="public" snmp_write_community=""/>
|
||||
<FWBDManagement enabled="True" identity="" port="9999"/>
|
||||
<PolicyInstallScript arguments="" command="" enabled="False"/>
|
||||
</Management>
|
||||
<FirewallOptions>
|
||||
<Option name="accept_established">True</Option>
|
||||
<Option name="accept_new_tcp_with_no_syn">True</Option>
|
||||
<Option name="action_on_reject">ICMP net unreachable</Option>
|
||||
<Option name="check_shading">True</Option>
|
||||
<Option name="clamp_mss_to_mtu">False</Option>
|
||||
<Option name="cmdline"></Option>
|
||||
<Option name="compiler"></Option>
|
||||
<Option name="configure_interfaces">False</Option>
|
||||
<Option name="debug">False</Option>
|
||||
<Option name="dyn_addr">False</Option>
|
||||
<Option name="firewall_dir"></Option>
|
||||
<Option name="firewall_is_part_of_any">True</Option>
|
||||
<Option name="firewall_is_part_of_any_and_networks">True</Option>
|
||||
<Option name="freebsd_ip_forward"></Option>
|
||||
<Option name="freebsd_ip_redirect"></Option>
|
||||
<Option name="freebsd_ip_sourceroute"></Option>
|
||||
<Option name="freebsd_ipv6_forward"></Option>
|
||||
<Option name="freebsd_path_ipf"></Option>
|
||||
<Option name="freebsd_path_ipnat"></Option>
|
||||
<Option name="freebsd_path_pfctl">/usr/local/bin/pfctl</Option>
|
||||
<Option name="freebsd_path_sysctl"></Option>
|
||||
<Option name="ignore_empty_groups">False</Option>
|
||||
<Option name="in_out_code">True</Option>
|
||||
<Option name="inst_cmdline"></Option>
|
||||
<Option name="inst_script"></Option>
|
||||
<Option name="install_script"></Option>
|
||||
<Option name="ipt_mangle_only_rulesets"></Option>
|
||||
<Option name="limit_suffix">/day</Option>
|
||||
<Option name="limit_value">0</Option>
|
||||
<Option name="linux24_ip_forward">0</Option>
|
||||
|
||||