
* NATCompiler_pf_writers.cpp (PrintRule::processNext): fixes #1401

nat rules syntax has changed in OpenBSD 4.7. Nat and rdr rules in
4.7 should be implemented using action "match" and keywords
"nat-to" and "rdr-to"

* PolicyCompiler_pf_writers.cpp (PrintRule::_printAction):
fixes #1414: use "match" action for tagging. Policy rules
with action Tag should use pf action "match" instead of "pass"
if version is 4.6 or later.
Vadim Kurland 2010-04-23 04:10:59 +00:00
parent 4d205e259f
commit fdb388659d
7 changed files with 524 additions and 74 deletions


@ -1 +1 @@
#define BUILD_NUM 2825
#define BUILD_NUM 2826


@ -1,3 +1,15 @@
2010-04-22 vadim <vadim@vk.crocodile.org>
* NATCompiler_pf_writers.cpp (PrintRule::processNext): fixes #1401
nat rules syntax has changed in OpenBSD 4.7. Nat and rdr rules in
4.7 should be implemented using action "match" and keywords
"nat-to" and "rdr-to"
* PolicyCompiler_pf_writers.cpp (PrintRule::_printAction):
fixes #1414: use "match" action for tagging. Policy rules
with action Tag should use pf action "match" instead of "pass"
if version is 4.6 or later.
2010-04-20 vadim <vadim@vk.crocodile.org>
* PolicyCompiler_ipt.cpp (PolicyCompiler_ipt::insertFailoverRule):


@ -426,7 +426,8 @@ void getVersionsForPlatform(const QString &platform, std::list<QStringPair> &res
res.push_back(QStringPair("4.0", QObject::tr("4.0 to 4.2")));
res.push_back(QStringPair("4.3", QObject::tr("4.3")));
res.push_back(QStringPair("4.5", QObject::tr("4.5")));
res.push_back(QStringPair("4.6", QObject::tr("4.6 and later")));
res.push_back(QStringPair("4.6", QObject::tr("4.6")));
res.push_back(QStringPair("4.7", QObject::tr("4.7 and later")));
/* add pf versions here */
} else
{
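Review bot: The key `"4.6"` keeps its stored value while its label changes from "4.6 and later" to "4.6", so firewall objects saved with that choice for a 4.7 host will presumably keep compiling to the old `nat`/`rdr` syntax until someone re-selects the version. A short comment above the new entry would record this, for example `/* "4.6" was labelled "4.6 and later" before 4.7 was added; older objects may need their version updated */`. A release-note line may also be worthwhile, since a ruleset that pf on 4.7 cannot parse may fail to load. The function body starts and ends outside this section.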


@ -157,7 +157,9 @@ bool NATCompiler_pf::NATRuleType::processNext()
if (tsrc->isAny() && tdst->isAny() && tsrv->isAny())
if (tsrc->isAny() && tdst->isAny() &&
(tsrv->isAny() || (tsrv->getId() == osrv->getId()))
)
{
rule->setRuleType(NATRule::NONAT);
return true;
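Review bot: The added `tsrv->getId() == osrv->getId()` dereferences `osrv` with no null check visible in this section, and nothing explains why an identical translated service counts as "no translation". If `osrv` can be null here (its declaration is outside the section), guard it: `(tsrv->isAny() || (osrv != NULL && tsrv->getId() == osrv->getId()))`. A one-line comment such as `// TSrv equal to OSrv requests no port translation, treat as NONAT` would help. The change widens the set of rules classified as NONAT, and for version 4.7 the NAT writer changed in this commit emits those as `pass in quick`.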


@ -91,28 +91,28 @@ bool NATCompiler_pf::PrintRule::processNext()
// string err = rule->getStr(".error_msg");
// if (!err.empty()) compiler->output << "# " << err << endl;
RuleElementOSrc *osrcrel=rule->getOSrc();
RuleElementODst *odstrel=rule->getODst();
RuleElementTSrc *tsrcrel=rule->getTSrc();
RuleElementTDst *tdstrel=rule->getTDst();
RuleElementOSrc *osrcrel = rule->getOSrc();
RuleElementODst *odstrel = rule->getODst();
RuleElementTSrc *tsrcrel = rule->getTSrc();
RuleElementTDst *tdstrel = rule->getTDst();
FWObject *osrc, *odst;
osrc = osrcrel->front();
if (osrc && FWReference::cast(osrc)!=NULL)
osrc=FWReference::cast(osrc)->getPointer();
osrc = FWReference::cast(osrc)->getPointer();
odst = odstrel->front();
if (odst && FWReference::cast(odst)!=NULL)
odst=FWReference::cast(odst)->getPointer();
odst = FWReference::cast(odst)->getPointer();
//Address *osrc=compiler->getFirstOSrc(rule); //assert(osrc);
//Address *odst=compiler->getFirstODst(rule); //assert(odst);
Service *osrv=compiler->getFirstOSrv(rule); //assert(osrv);
Service *osrv = compiler->getFirstOSrv(rule); //assert(osrv);
Address *tsrc=compiler->getFirstTSrc(rule); //assert(tsrc);
Address *tdst=compiler->getFirstTDst(rule); //assert(tdst);
Service *tsrv=compiler->getFirstTSrv(rule); //assert(tsrv);
Address *tsrc = compiler->getFirstTSrc(rule); //assert(tsrc);
Address *tdst = compiler->getFirstTDst(rule); //assert(tdst);
Service *tsrv = compiler->getFirstTSrv(rule); //assert(tsrv);
char errstr[1024];
@ -144,77 +144,164 @@ bool NATCompiler_pf::PrintRule::processNext()
switch ( rule->getRuleType() ) {
case NATRule::Continue:
case NATRule::NONAT:
compiler->output << "no nat ";
if (iface_name!="") compiler->output << "on " << iface_name << " ";
_printProtocol(osrv);
compiler->output << "from ";
_printREAddr( osrcrel );
compiler->output << "to ";
_printREAddr( odstrel );
compiler->output << endl;
{
if (XMLTools::version_compare(version, "4.7")>=0)
{
/* I could not find a better way to implement old "no nat"
* behavior with 4.7. They seem to suggest that we should
* implement exceptions to the translations using "pass"
* or "block" actions. At least this is the only way they
* show in examples and there is no "no" keyword anymore.
*/
compiler->output << "pass in quick ";
if (iface_name!="") compiler->output << "on " << iface_name << " ";
_printProtocol(osrv);
compiler->output << "from ";
_printREAddr(osrcrel);
_printSrcPort(osrv);
compiler->output << "to ";
_printREAddr(odstrel);
_printPort(osrv, true);
compiler->output << endl;
} else
{
compiler->output << "no nat ";
if (iface_name!="") compiler->output << "on " << iface_name << " ";
_printProtocol(osrv);
compiler->output << "from ";
_printREAddr(osrcrel);
compiler->output << "to ";
_printREAddr(odstrel);
compiler->output << endl;
compiler->output << "no rdr ";
if (iface_name!="") compiler->output << "on " << iface_name << " ";
_printProtocol(osrv);
compiler->output << "from ";
_printREAddr( osrcrel );
compiler->output << "to ";
_printREAddr( odstrel );
compiler->output << endl;
compiler->output << "no rdr ";
if (iface_name!="") compiler->output << "on " << iface_name << " ";
_printProtocol(osrv);
compiler->output << "from ";
_printREAddr( osrcrel );
compiler->output << "to ";
_printREAddr( odstrel );
compiler->output << endl;
}
break;
}
case NATRule::SNAT:
compiler->output << "nat ";
if (iface_name!="") compiler->output << "on " << iface_name << " ";
_printProtocol(osrv);
compiler->output << "from ";
_printREAddr( osrcrel );
_printSrcPort(osrv);
compiler->output << "to ";
_printREAddr( odstrel );
_printPort( osrv, true );
{
if (XMLTools::version_compare(version, "4.7")>=0)
{
compiler->output << "match out ";
if (iface_name!="") compiler->output << "on " << iface_name << " ";
_printProtocol(osrv);
compiler->output << "from ";
_printREAddr( osrcrel );
_printSrcPort(osrv);
compiler->output << "to ";
_printREAddr( odstrel );
_printPort( osrv, true );
compiler->output << "-> ";
_printREAddr( tsrcrel );
_printSrcPort(tsrv);
_printNATRuleOptions(rule);
compiler->output << "nat-to ";
_printREAddr( tsrcrel );
_printSrcPort(tsrv);
_printNATRuleOptions(rule);
compiler->output << endl;
compiler->output << endl;
} else
{
compiler->output << "nat ";
if (iface_name!="") compiler->output << "on " << iface_name << " ";
_printProtocol(osrv);
compiler->output << "from ";
_printREAddr( osrcrel );
_printSrcPort(osrv);
compiler->output << "to ";
_printREAddr( odstrel );
_printPort( osrv, true );
compiler->output << "-> ";
_printREAddr( tsrcrel );
_printSrcPort(tsrv);
_printNATRuleOptions(rule);
compiler->output << endl;
}
break;
}
case NATRule::DNAT:
case NATRule::LB:
compiler->output << "rdr ";
if (iface_name!="") compiler->output << "on " << iface_name << " ";
_printProtocol(osrv);
compiler->output << "from ";
_printREAddr( osrcrel );
_printSrcPort(osrv);
compiler->output << "to ";
_printREAddr( odstrel );
_printPort(osrv, true);
compiler->output << "-> ";
_printREAddr( tdstrel );
_printPort(tsrv, false);
_printNATRuleOptions(rule);
compiler->output << endl;
{
if (XMLTools::version_compare(version, "4.7")>=0)
{
compiler->output << "match in ";
if (iface_name!="") compiler->output << "on " << iface_name << " ";
_printProtocol(osrv);
compiler->output << "from ";
_printREAddr( osrcrel );
_printSrcPort(osrv); // this is where it is different from NATRule::Redirect
compiler->output << "to ";
_printREAddr( odstrel );
_printPort(osrv, true);
compiler->output << "rdr-to ";
_printREAddr( tdstrel );
_printPort(tsrv, false);
_printNATRuleOptions(rule);
compiler->output << endl;
} else
{
compiler->output << "rdr ";
if (iface_name!="") compiler->output << "on " << iface_name << " ";
_printProtocol(osrv);
compiler->output << "from ";
_printREAddr( osrcrel );
_printSrcPort(osrv); // this is where it is different from NATRule::Redirect
compiler->output << "to ";
_printREAddr( odstrel );
_printPort(osrv, true);
compiler->output << "-> ";
_printREAddr( tdstrel );
_printPort(tsrv, false);
_printNATRuleOptions(rule);
compiler->output << endl;
}
break;
}
case NATRule::Redirect:
compiler->output << "rdr ";
if (iface_name!="") compiler->output << "on " << iface_name << " ";
_printProtocol(osrv);
compiler->output << "from ";
_printREAddr( osrcrel );
compiler->output << "to ";
_printREAddr( odstrel );
_printPort(osrv, true);
compiler->output << "-> ";
_printREAddr( tdstrel );
_printPort(tsrv, false);
_printNATRuleOptions(rule);
compiler->output << endl;
{
if (XMLTools::version_compare(version, "4.7")>=0)
{
compiler->output << "match in ";
if (iface_name!="") compiler->output << "on " << iface_name << " ";
_printProtocol(osrv);
compiler->output << "from ";
_printREAddr( osrcrel );
compiler->output << "to ";
_printREAddr( odstrel );
_printPort(osrv, true);
compiler->output << "rdr-to ";
_printREAddr( tdstrel );
_printPort(tsrv, false);
_printNATRuleOptions(rule);
compiler->output << endl;
} else
{
compiler->output << "rdr ";
if (iface_name!="") compiler->output << "on " << iface_name << " ";
_printProtocol(osrv);
compiler->output << "from ";
_printREAddr( osrcrel );
compiler->output << "to ";
_printREAddr( odstrel );
_printPort(osrv, true);
compiler->output << "-> ";
_printREAddr( tdstrel );
_printPort(tsrv, false);
_printNATRuleOptions(rule);
compiler->output << endl;
}
break;
}
case NATRule::NATBranch:
{
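Review bot: In the 4.7 branch of the `NONAT` case the exception is written as `pass in quick`, which is a filtering decision and not only a translation exemption: assuming NAT rules are emitted ahead of the policy rules, the packet is accepted at that point and later policy rules, including a final deny, are not consulted for it. The pre-4.7 branch prints `no nat` and `no rdr`, which leave the filter decision to the policy. Until a form that does not decide filtering is found, the generated file should at least say so, e.g. `compiler->output << "# NAT exception: this rule also passes the traffic" << endl;` before the rule, and the behaviour belongs in the user documentation. The new branch is also `in` only where the old one covered both nat and rdr; a comment should state whether outbound exceptions are intentionally left out. `processNext` starts and ends outside the visible hunks.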


@ -72,11 +72,22 @@ void PolicyCompiler_pf::PrintRule::_printAction(PolicyRule *rule)
{
FWOptions *ruleopt =rule->getOptionsObject();
Service *srv=compiler->getFirstSrv(rule); assert(srv);
string version = compiler->fw->getStr("version");
switch (rule->getAction())
{
case PolicyRule::Accept:
case PolicyRule::Tag:
{
if (XMLTools::version_compare(version, "4.6")>=0)
{
compiler->output << "match ";
}else
{
compiler->output << "pass ";
}
break;
}
case PolicyRule::Accept:
case PolicyRule::Classify:
case PolicyRule::Accounting:
case PolicyRule::Route:
@ -115,8 +126,17 @@ void PolicyCompiler_pf::PrintRule::_printAction(PolicyRule *rule)
}
break;
case PolicyRule::Scrub:
compiler->output << "scrub ";
{
string version = compiler->fw->getStr("version");
if (XMLTools::version_compare(version, "4.7")>=0)
{
compiler->output << "match in all scrub ";
} else
{
compiler->output << "scrub ";
}
break;
}
case PolicyRule::Custom:
compiler->output << ruleopt->getStr("custom_str") << " ";
break;
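Review bot: The `Scrub` case prints `match in all scrub ` for 4.7, fixing the direction and `all` inside the action string; if the code that runs after `_printAction` (outside this section) still appends direction, interface or addresses, the resulting rule would carry them twice. The same case re-declares `string version`, shadowing the one added at the top of the function; the inner line `string version = compiler->fw->getStr("version");` can be dropped. A comment on the `Tag` case would also help, e.g. `// match only tags; from 4.6 on the packet must be passed by a later rule`, since policies that relied on the Tag rule to pass traffic change behaviour.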


@ -1,6 +1,6 @@
<?xml version="1.0" encoding="utf-8"?>
<!DOCTYPE FWObjectDatabase SYSTEM "fwbuilder.dtd">
<FWObjectDatabase xmlns="http://www.fwbuilder.org/1.0/" version="16" lastModified="1267754559" id="root">
<FWObjectDatabase xmlns="http://www.fwbuilder.org/1.0/" version="16" lastModified="1271990800" id="root">
<Library id="syslib000" color="#d4f8ff" name="Standard" comment="Standard objects" ro="True">
<AnyNetwork id="sysid0" name="Any" comment="Any Network" ro="False" address="0.0.0.0" netmask="0.0.0.0"/>
<AnyIPService id="sysid1" protocol_num="0" name="Any" comment="Any IP Service" ro="False"/>
@ -1502,6 +1502,7 @@
</Firewall>
<IPv4 id="id20241X55531" name="firewall80:en1:ip-1" comment="" ro="False" address="33.33.33.33" netmask="255.255.255.0"/>
<IPv4 id="id20710X27133" name="fw2:eth3:ip" comment="" ro="False" address="22.22.23.23" netmask="255.255.255.0"/>
<IPv4 id="id119356X58767" name="openbsd47:em0:ip-1" comment="" ro="False" address="0.0.0.0" netmask="0.0.0.0"/>
</Library>
<Library id="syslib001" color="#d2ffd0" name="User" comment="User defined objects" ro="False">
<ObjectGroup id="stdid01_1_clusters" name="Clusters" comment="" ro="False"/>
@ -1525,6 +1526,7 @@
<IPv4 id="id79492X23273" name="h-192.168.171.2" comment="Imported from &quot;c3620&quot; 192.168.171.2/255.255.255.255" ro="False" address="192.168.171.2" netmask="255.255.255.255"/>
<IPv4 id="id79522X23273" name="h-10.3.14.201" comment="Imported from &quot;c3620&quot; 10.3.14.201/255.255.255.255" ro="False" address="10.3.14.201" netmask="255.255.255.255"/>
<IPv4 id="id80198X23273" name="a-192.168.1.10" comment="" ro="False" address="192.168.1.10" netmask="0.0.0.0"/>
<IPv4 id="id71290X60336" name="h-10.3.14.41" comment="" ro="False" address="10.3.14.41" netmask="0.0.0.0"/>
</ObjectGroup>
<ObjectGroup id="stdid04_1" name="Groups" comment="" ro="False">
<ObjectGroup id="id3B4572AF" name="group1" comment="" ro="False">
@ -19354,6 +19356,330 @@
<Option name="sshArgs"></Option>
</FirewallOptions>
</Firewall>
<Firewall id="id22021X58767" host_OS="openbsd" inactive="False" lastCompiled="1271995576" lastInstalled="1271995582" lastModified="1271995560" platform="pf" version="4.7" name="openbsd47" comment="syntax of the nat and rdr rules has changed in 4.7&#10;" ro="False">
<NAT id="id22025X58767" name="NAT" comment="" ro="False" ipv4_rule_set="False" ipv6_rule_set="False" top_rule_set="True">
<NATRule id="id70699X58767" disabled="False" position="0" action="Translate" comment="">
<OSrc neg="False">
<ObjectRef ref="id22061X58767"/>
</OSrc>
<ODst neg="False">
<ObjectRef ref="sysid0"/>
</ODst>
<OSrv neg="False">
<ServiceRef ref="sysid1"/>
</OSrv>
<TSrc neg="False">
<ObjectRef ref="id22029X58767"/>
</TSrc>
<TDst neg="False">
<ObjectRef ref="sysid0"/>
</TDst>
<TSrv neg="False">
<ServiceRef ref="sysid1"/>
</TSrv>
<NATRuleOptions/>
</NATRule>
<NATRule id="id22320X62375" disabled="False" group="" position="1" action="Translate" comment="">
<OSrc neg="True">
<ObjectRef ref="id71290X60336"/>
</OSrc>
<ODst neg="False">
<ObjectRef ref="id22029X58767"/>
</ODst>
<OSrv neg="False">
<ServiceRef ref="udp-SNMP"/>
</OSrv>
<TSrc neg="False">
<ObjectRef ref="sysid0"/>
</TSrc>
<TDst neg="False">
<ObjectRef ref="id119361X58767"/>
</TDst>
<TSrv neg="False">
<ServiceRef ref="sysid1"/>
</TSrv>
<NATRuleOptions/>
</NATRule>
<NATRule id="id22236X60336" disabled="False" group="" position="2" action="Translate" comment="">
<OSrc neg="False">
<ObjectRef ref="id71290X60336"/>
</OSrc>
<ODst neg="False">
<ObjectRef ref="id22029X58767"/>
</ODst>
<OSrv neg="False">
<ServiceRef ref="udp-SNMP"/>
</OSrv>
<TSrc neg="False">
<ObjectRef ref="sysid0"/>
</TSrc>
<TDst neg="False">
<ObjectRef ref="sysid0"/>
</TDst>
<TSrv neg="False">
<ServiceRef ref="sysid1"/>
</TSrv>
<NATRuleOptions/>
</NATRule>
<NATRule id="id119368X58767" disabled="False" group="" position="3" action="Translate" comment="">
<OSrc neg="False">
<ObjectRef ref="sysid0"/>
</OSrc>
<ODst neg="False">
<ObjectRef ref="id22029X58767"/>
</ODst>
<OSrv neg="False">
<ServiceRef ref="udp-SNMP"/>
</OSrv>
<TSrc neg="False">
<ObjectRef ref="sysid0"/>
</TSrc>
<TDst neg="False">
<ObjectRef ref="id119361X58767"/>
</TDst>
<TSrv neg="False">
<ServiceRef ref="sysid1"/>
</TSrv>
<NATRuleOptions/>
</NATRule>
<RuleSetOptions/>
</NAT>
<Policy id="id22023X58767" name="Policy" comment="" ro="False" ipv4_rule_set="False" ipv6_rule_set="False" top_rule_set="True">
<PolicyRule id="id71304X61128" disabled="False" log="False" position="0" action="Accept" direction="Both" comment="">
<Src neg="False">
<ObjectRef ref="id79551X23273"/>
</Src>
<Dst neg="False">
<ObjectRef ref="id22021X58767"/>
</Dst>
<Srv neg="False">
<ServiceRef ref="tcp-SSH"/>
</Srv>
<Itf neg="False">
<ObjectRef ref="sysid0"/>
</Itf>
<When neg="False">
<IntervalRef ref="sysid2"/>
</When>
<PolicyRuleOptions>
<Option name="stateless">False</Option>
</PolicyRuleOptions>
</PolicyRule>
<PolicyRule id="id22049X58767" disabled="False" log="False" position="1" action="Accept" direction="Both" comment="">
<Src neg="False">
<ObjectRef ref="id22061X58767"/>
</Src>
<Dst neg="False">
<ObjectRef ref="sysid0"/>
</Dst>
<Srv neg="False">
<ServiceRef ref="sysid1"/>
</Srv>
<Itf neg="False">
<ObjectRef ref="sysid0"/>
</Itf>
<When neg="False">
<IntervalRef ref="sysid2"/>
</When>
<PolicyRuleOptions>
<Option name="stateless">False</Option>
</PolicyRuleOptions>
</PolicyRule>
<PolicyRule id="id22238X59856" disabled="False" group="" log="False" position="2" action="Tag" direction="Both" comment="">
<Src neg="False">
<ObjectRef ref="sysid0"/>
</Src>
<Dst neg="False">
<ObjectRef ref="id119361X58767"/>
</Dst>
<Srv neg="False">
<ServiceRef ref="sysid1"/>
</Srv>
<Itf neg="False">
<ObjectRef ref="sysid0"/>
</Itf>
<When neg="False">
<IntervalRef ref="sysid2"/>
</When>
<PolicyRuleOptions>
<Option name="action_on_reject"></Option>
<Option name="classify_str"></Option>
<Option name="custom_str"></Option>
<Option name="ipf_route_opt_addr"></Option>
<Option name="ipf_route_opt_if"></Option>
<Option name="ipf_route_option">route_through</Option>
<Option name="ipfw_classify_method">2</Option>
<Option name="ipfw_pipe_port_num">0</Option>
<Option name="ipfw_pipe_queue_num">0</Option>
<Option name="ipt_continue">False</Option>
<Option name="ipt_gw"></Option>
<Option name="ipt_iif"></Option>
<Option name="ipt_mark_connections">False</Option>
<Option name="ipt_oif"></Option>
<Option name="ipt_tee">False</Option>
<Option name="pf_fastroute">False</Option>
<Option name="pf_route_load_option">none</Option>
<Option name="pf_route_opt_addr"></Option>
<Option name="pf_route_opt_if"></Option>
<Option name="pf_route_option">none</Option>
<Option name="rule_name_accounting"></Option>
<Option name="stateless">False</Option>
<Option name="tagobject_id">id43F4556A28869</Option>
</PolicyRuleOptions>
</PolicyRule>
<PolicyRule id="id119406X58767" disabled="False" group="" log="False" position="3" action="Accept" direction="Both" comment="">
<Src neg="False">
<ObjectRef ref="sysid0"/>
</Src>
<Dst neg="False">
<ObjectRef ref="sysid0"/>
</Dst>
<Srv neg="False">
<ServiceRef ref="udp-SNMP"/>
</Srv>
<Itf neg="False">
<ObjectRef ref="sysid0"/>
</Itf>
<When neg="False">
<IntervalRef ref="sysid2"/>
</When>
<PolicyRuleOptions>
<Option name="stateless">False</Option>
</PolicyRuleOptions>
</PolicyRule>
<PolicyRule id="id22037X58767" disabled="False" log="True" position="4" action="Deny" direction="Both" comment="">
<Src neg="False">
<ObjectRef ref="sysid0"/>
</Src>
<Dst neg="False">
<ObjectRef ref="sysid0"/>
</Dst>
<Srv neg="False">
<ServiceRef ref="sysid1"/>
</Srv>
<Itf neg="False">
<ObjectRef ref="sysid0"/>
</Itf>
<When neg="False">
<IntervalRef ref="sysid2"/>
</When>
<PolicyRuleOptions>
<Option name="stateless">True</Option>
</PolicyRuleOptions>
</PolicyRule>
<RuleSetOptions/>
</Policy>
<Routing id="id22027X58767" name="Routing" comment="" ro="False" ipv4_rule_set="False" ipv6_rule_set="False" top_rule_set="True">
<RuleSetOptions/>
</Routing>
<Interface id="id22029X58767" dedicated_failover="False" dyn="False" label="" mgmt="True" security_level="100" unnum="False" unprotected="False" name="em0" comment="" ro="False">
<IPv4 id="id22030X58767" name="openbsd47:em0:ip" comment="" ro="False" address="10.3.14.81" netmask="255.255.255.0"/>
<InterfaceOptions/>
</Interface>
<Interface id="id22031X58767" dedicated_failover="False" dyn="False" label="" security_level="100" unnum="False" unprotected="False" name="em1" comment="" ro="False">
<IPv4 id="id22032X58767" name="openbsd47:em1:ip" comment="" ro="False" address="10.1.1.81" netmask="255.255.255.0"/>
<InterfaceOptions/>
</Interface>
<Management address="0.0.0.0">
<SNMPManagement enabled="False" snmp_read_community="" snmp_write_community=""/>
<FWBDManagement enabled="False" identity="" port="-1"/>
<PolicyInstallScript arguments="" command="" enabled="False"/>
</Management>
<FirewallOptions>
<Option name="accept_new_tcp_with_no_syn">False</Option>
<Option name="activationCmd"></Option>
<Option name="admUser">root</Option>
<Option name="altAddress"></Option>
<Option name="check_shading">True</Option>
<Option name="cmdline"></Option>
<Option name="compiler"></Option>
<Option name="conf_file_name_on_firewall"></Option>
<Option name="configure_carp_interfaces">False</Option>
<Option name="configure_interfaces">True</Option>
<Option name="configure_pfsync_interfaces">False</Option>
<Option name="configure_vlan_interfaces">False</Option>
<Option name="debug">False</Option>
<Option name="epilog_script"></Option>
<Option name="fallback_log">False</Option>
<Option name="firewall_dir">/etc</Option>
<Option name="ignore_empty_groups">False</Option>
<Option name="in_out_code">true</Option>
<Option name="ipv4_6_order">ipv4_first</Option>
<Option name="log_prefix">RULE %N -- %A </Option>
<Option name="loopback_interface">lo0</Option>
<Option name="manage_virtual_addr">True</Option>
<Option name="mgmt_addr">10.3.14.30</Option>
<Option name="mgmt_ssh">True</Option>
<Option name="openbsd_ip_forward">1</Option>
<Option name="output_file"></Option>
<Option name="pass_all_out">false</Option>
<Option name="pf_adaptive_end">0</Option>
<Option name="pf_adaptive_start">0</Option>
<Option name="pf_do_limit_frags">False</Option>
<Option name="pf_do_limit_src_nodes">False</Option>
<Option name="pf_do_limit_states">False</Option>
<Option name="pf_do_limit_table_entries">False</Option>
<Option name="pf_do_limit_tables">False</Option>
<Option name="pf_do_scrub">True</Option>
<Option name="pf_do_timeout_frag">False</Option>
<Option name="pf_do_timeout_interval">False</Option>
<Option name="pf_flush_states">False</Option>
<Option name="pf_icmp_error">0</Option>
<Option name="pf_icmp_first">0</Option>
<Option name="pf_limit_frags">5000</Option>
<Option name="pf_limit_src_nodes">0</Option>
<Option name="pf_limit_states">10000</Option>
<Option name="pf_limit_table_entries">0</Option>
<Option name="pf_limit_tables">0</Option>
<Option name="pf_modulate_state">False</Option>
<Option name="pf_optimization"></Option>
<Option name="pf_other_first">0</Option>
<Option name="pf_other_multiple">0</Option>
<Option name="pf_other_single">0</Option>
<Option name="pf_scrub_fragm_crop">False</Option>
<Option name="pf_scrub_fragm_drop_ovl">False</Option>
<Option name="pf_scrub_maxmss">1460</Option>
<Option name="pf_scrub_minttl">1</Option>
<Option name="pf_scrub_no_df">True</Option>
<Option name="pf_scrub_random_id">True</Option>
<Option name="pf_scrub_reassemble">False</Option>
<Option name="pf_scrub_reassemble_tcp">True</Option>
<Option name="pf_scrub_use_maxmss">True</Option>
<Option name="pf_scrub_use_minttl">True</Option>
<Option name="pf_set_adaptive">False</Option>
<Option name="pf_set_icmp_error">False</Option>
<Option name="pf_set_icmp_first">False</Option>
<Option name="pf_set_other_first">False</Option>
<Option name="pf_set_other_multiple">False</Option>
<Option name="pf_set_other_single">False</Option>
<Option name="pf_set_tcp_closed">False</Option>
<Option name="pf_set_tcp_closing">False</Option>
<Option name="pf_set_tcp_established">False</Option>
<Option name="pf_set_tcp_finwait">False</Option>
<Option name="pf_set_tcp_first">False</Option>
<Option name="pf_set_tcp_opening">False</Option>
<Option name="pf_set_udp_first">False</Option>
<Option name="pf_set_udp_multiple">False</Option>
<Option name="pf_set_udp_single">True</Option>
<Option name="pf_state_policy"></Option>
<Option name="pf_tcp_closed">0</Option>
<Option name="pf_tcp_closing">0</Option>
<Option name="pf_tcp_established">0</Option>
<Option name="pf_tcp_finwait">0</Option>
<Option name="pf_tcp_first">0</Option>
<Option name="pf_tcp_opening">0</Option>
<Option name="pf_timeout_frag">30</Option>
<Option name="pf_timeout_interval">10</Option>
<Option name="pf_udp_first">0</Option>
<Option name="pf_udp_multiple">0</Option>
<Option name="pf_udp_single">5</Option>
<Option name="prolog_place">fw_file</Option>
<Option name="prolog_script"></Option>
<Option name="scpArgs"></Option>
<Option name="script_name_on_firewall"></Option>
<Option name="sshArgs"></Option>
</FirewallOptions>
</Firewall>
</ObjectGroup>
<IntervalGroup id="stdid11_1" name="Time" comment="" ro="False"/>
</Library>
@ -19364,6 +19690,7 @@
<ObjectGroup id="id415276CA" name="Addresses" comment="" ro="False">
<IPv4 id="id4144D59F" name="hst1" comment="" ro="False" address="10.3.14.10" netmask="255.255.255.255"/>
<IPv4 id="id4144D5A0" name="hst2" comment="" ro="False" address="10.3.14.40" netmask="255.255.255.255"/>
<IPv4 id="id119361X58767" name="h-10.1.1.1" comment="" ro="False" address="10.1.1.1" netmask="0.0.0.0"/>
</ObjectGroup>
<ObjectGroup id="id415276CB" name="Groups" comment="" ro="False"/>
<ObjectGroup id="id415276CC" name="Hosts" comment="" ro="False"/>
@ -19371,6 +19698,7 @@
<Network id="id414C5C51" name="n-10.3.14" comment="" ro="False" address="10.3.14.0" netmask="255.255.255.0"/>
<Network id="id414C70BE" name="labnet" comment="" ro="False" address="10.1.1.0" netmask="255.255.255.0"/>
<Network id="id414C7BA7" name="n-10.1.2" comment="" ro="False" address="10.1.2.0" netmask="255.255.255.0"/>
<Network id="id22061X58767" name="net-10.1.1.0" comment="" ro="False" address="10.1.1.0" netmask="255.255.255.0"/>
</ObjectGroup>
<ObjectGroup id="id415276CE" name="Address Ranges" comment="" ro="False"/>
<ObjectGroup id="id4386458B18448" name="DNS Names" comment="" ro="False"/>