mirror of https://github.com/fwbuilder/fwbuilder synced 2026-03-22 03:07:20 +01:00

2009-04-15 vadim <vadim@vk.crocodile.org>

* ipcopAdvancedDialog.cpp (ipcopAdvancedDialog::ipcopAdvancedDialog):
Integration with IPCOP, Endian and OneShield firewall appliances
(all based on linux/iptables). This sets generated file name to
"rc.firewall.local", destination directory on the firewall to
"/etc/rc.d/" and activation command to "/etc/rc.d/rc.firewall
restart".  Provided resource files for ipcop, endian and oneshield
platforms and os define default parameters, including path to
iptables and other command line tools. Generated script performs
minimal environment setting, because everything is supposed to be
set up by the appliance itself. Iptables commands are put in the
standard chains INPUT/OUTPUT/FORWARD, with user-defined chains
created as required. At this time policy and NAT rules work. Rules
added by fwbuilder are activated by the standard appliance
firewall script rc.firewall after all IPCOP rules are added and
before all hooks. This means rules created by fwbuilder do not
replace rules added by the appliance, but work together with
those. Prolog and epilog user-defined sections work as
well. Prolog is always added on top of the rules generated by
fwbuilder. Prolog and epilog sections can include any kind of
shell commands, not only iptables rules. Two new firewall
templates are provided: one for IPCOP/Endian firewall with two
interfaces (br0 is GREEN and eth1 is RED) and another for the
appliance with three interfaces (additionally eth2, as ORANGE).

* ipt.cpp (main): implemented feature request #2454447 "Standard
options for startup-script". Script generated by fwbuilder now
accepts standard arguments "start" and "stop". Running the script
with no argument is equivalent to "start" for backwards
compatibility. Running script with argument "stop" resets iptables
tables and chains and sets all to default policy DROP (beware!).
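An added illustration of the start/stop convention and the prolog/epilog placement the commit message describes; this is not fwbuilder's generated script. It assumes the iptables path from the platform resource file is exposed as $IPTABLES, the two-interface template's br0 (GREEN) and eth1 (RED), and made-up rules.

```shell
#!/bin/sh
# Illustrative rc.firewall.local skeleton (added example, not fwbuilder output).
# IPTABLES stands in for the path the platform resource file provides; setting
# IPTABLES=echo gives a dry run that prints the commands instead of running them.
IPTABLES="${IPTABLES:-/sbin/iptables}"

# Wrapper so every rule goes through the same binary (or echo in a dry run).
ipt() {
    "$IPTABLES" "$@"
}

# Prolog: user-defined shell commands, always placed above the generated rules.
prolog() {
    : # e.g. load a module or set a sysctl; any shell command is allowed here
}

# Epilog: user-defined shell commands, placed after the generated rules.
epilog() {
    :
}

reset_tables() {
    # Flush all rules and remove user-defined chains in every table.
    for t in filter nat mangle; do
        ipt -t "$t" -F
        ipt -t "$t" -X
    done
}

fw_start() {
    prolog
    # Generated rules go into the standard chains and are appended, so whatever
    # the appliance's own rc.firewall installed earlier stays in place.
    ipt -N fwb_mgmt 2>/dev/null || true            # user-defined chain, created as needed
    ipt -A fwb_mgmt -i br0 -p tcp --dport 22 -j ACCEPT  # management from GREEN (assumed)
    ipt -A INPUT -i lo -j ACCEPT
    ipt -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    ipt -A INPUT -j fwb_mgmt
    ipt -A FORWARD -i br0 -o eth1 -j ACCEPT
    ipt -t nat -A POSTROUTING -o eth1 -j MASQUERADE
    epilog
}

fw_stop() {
    # "stop" resets every table and chain and leaves DROP as the policy.
    # On a remotely administered appliance this also ends the management
    # session, which is the "beware!" in the commit message.
    reset_tables
    for c in INPUT OUTPUT FORWARD; do
        ipt -P "$c" DROP
    done
}

run_firewall_script() {
    # No argument behaves like "start" for backwards compatibility.
    case "${1:-start}" in
        start) fw_start ;;
        stop)  fw_stop ;;
        *)     echo "Usage: $0 {start|stop}" >&2; return 1 ;;
    esac
}

# Dispatch only when executed as the installed script; when sourced, the
# functions can be exercised with IPTABLES=echo for a dry run.
case "$0" in
    */rc.firewall.local|rc.firewall.local) run_firewall_script "$@" ;;
esac
```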
Vadim Kurland 2009-04-15 19:32:34 +00:00
parent f67eb645b8
commit fea4b8a892
96 changed files with 7283 additions and 1017 deletions

VERSION
View File

@ -2,19 +2,16 @@
# $Id: VERSION,v 1.47 2007/07/21 23:44:19 vkurland Exp $
FWB_MAJOR_VERSION=3
FWB_MINOR_VERSION=0
FWB_MICRO_VERSION=5
VERSION="3.0.5"
SHORTVERSION="305"
FWB_MINOR_VERSION=1
FWB_MICRO_VERSION=0
VERSION="3.1.0"
SHORTVERSION="310"
# RELEASE="1"
RELEASE="b@BUILD_NUM@"
BETA="no"
REQUIRED_LIBFWBUILDER_VERSION="3.0.5"
REQUIRED_LIBFWBUILDER_VERSION="3.1.0"
# current (or major) version number of the library so file
#
LIBFWBUILDER_SOMAJOR=8
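Review bot: raising REQUIRED_LIBFWBUILDER_VERSION from 3.0.5 to 3.1.0 in the same hunk as the version bump means configure will now reject a 3.0.5 libfwbuilder install; the 04-11 ChangeLog entry "VERSION: start v3.1.0" covers the bump but neither it nor the commit message mentions the new library requirement, so state it explicitly. Note also that LIBFWBUILDER_SOMAJOR=8 is kept here while its AC_SUBST is removed from configure.in in this commit.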

View File

@ -1,2 +1,2 @@
#define VERSION "3.0.5"
#define VERSION "3.1.0"
#define RELEASE_NUM ""
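Review bot: VERSION.h is a generated file (configure.in writes it with `echo "#define VERSION \"$VERSION\"" > VERSION.h`), so the committed copy will drift from VERSION whenever one is edited without the other; consider untracking it rather than checking in each regenerated version.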

View File

@ -1 +1 @@
#define BUILD_NUM 799
#define BUILD_NUM 801

View File

@ -26,9 +26,6 @@ AC_SUBST(SHORTVERSION)
AC_SUBST(RELEASE_NUM)
AC_DEFINE_UNQUOTED(RELEASE_NUM, "$RELEASE_NUM", [release_num])
AC_SUBST(REQUIRED_LIBFWBUILDER_VERSION)
AC_SUBST(LIBFWBUILDER_SOMAJOR)
echo "Creating VERSION.h file..."
echo "#define VERSION \"$VERSION\"" > VERSION.h
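Review bot: AC_SUBST(LIBFWBUILDER_SOMAJOR) is dropped here while the VERSION file still defines LIBFWBUILDER_SOMAJOR=8; either remove the variable there as well or confirm no template still expands @LIBFWBUILDER_SOMAJOR@ (the qmake.inc hunk only shows @LIBFWBUILDER_SOLIB_VERSION@ in this diff).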
@ -444,6 +441,7 @@ AC_CONFIG_FILES([ qmake.inc ])
AC_CONFIG_FILES([ src/res/objects_init.xml ])
AC_CONFIG_FILES([ src/res/templates.xml ])
AC_CONFIG_FILES([ src/res/resources.xml ])
AC_CONFIG_FILES([ src/res/os/fwsm_os.xml ])
AC_CONFIG_FILES([ src/res/os/freebsd.xml ])
AC_CONFIG_FILES([ src/res/os/linux24.xml ])
@ -453,7 +451,11 @@ AC_CONFIG_FILES([ src/res/os/openbsd.xml ])
AC_CONFIG_FILES([ src/res/os/pix_os.xml ])
AC_CONFIG_FILES([ src/res/os/ios.xml ])
AC_CONFIG_FILES([ src/res/os/solaris.xml ])
AC_CONFIG_FILES([ src/res/os/ipcop_os.xml ])
AC_CONFIG_FILES([ src/res/os/endian_os.xml ])
AC_CONFIG_FILES([ src/res/os/oneshield_os.xml ])
AC_CONFIG_FILES([ src/res/os/unknown_os.xml ])
AC_CONFIG_FILES([ src/res/platform/fwsm.xml ])
AC_CONFIG_FILES([ src/res/platform/ipf.xml ])
AC_CONFIG_FILES([ src/res/platform/ipfw.xml ])
@ -461,6 +463,9 @@ AC_CONFIG_FILES([ src/res/platform/iptables.xml ])
AC_CONFIG_FILES([ src/res/platform/pf.xml ])
AC_CONFIG_FILES([ src/res/platform/pix.xml ])
AC_CONFIG_FILES([ src/res/platform/iosacl.xml ])
AC_CONFIG_FILES([ src/res/platform/ipcop.xml ])
AC_CONFIG_FILES([ src/res/platform/endian.xml ])
AC_CONFIG_FILES([ src/res/platform/oneshield.xml ])
AC_CONFIG_FILES([ src/res/platform/unknown.xml ])
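Review bot: the new os (ipcop_os.xml, endian_os.xml, oneshield_os.xml) and platform (ipcop.xml, endian.xml, oneshield.xml) resource files are registered with configure here, but the matching entries in the gui.pro install lists (res_os.path / res_platform.path targets in qmake.inc) are not part of this diff; confirm they are installed, otherwise the Resources::getTargetOptionStr(host_OS, "activation/fwdir") lookup in instDialog will not find them at runtime.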

View File

@ -1,3 +1,53 @@
2009-04-15 vadim <vadim@vk.crocodile.org>
* ipcopAdvancedDialog.cpp (ipcopAdvancedDialog::ipcopAdvancedDialog):
Integration with IPCOP, Endian and OneShield firewall apliances
(all based on linux/iptables). This sets generate file name to
"rc.firewall.local", destination directory on the firewall to
"/etc/rc.d/" and activation command to "/etc/rc.d/rc.firewall
restart". Provided resource files for ipcop, endian and oneshield
platforms and os define default parameters, including path to
iptables and other command line tools. Generated script performs
minimal environment setting, because everything is supposed to be
set up by the aplpiance itself. Iptables commands are put in the
standard chains INPUT/OUTPUT/FORWARD, with user-defined chans
created as required. At this time policy and NAT rules work. Rules
added by fwbuilder are activated by the standard appliance
firewall script rc.firewall after all IPCOP rules are added and
before all hooks. This means rules created by fwbuilder do not
replace rules added by the appliance, but work together with
those. Prolog and epilog user-defined sections work as
well. Prolog is always added on top of the rules generated by
fwbuilder. Prolog and epilog sections can include any kind of
shell commands, not only iptables rules. Two new firewall
templates are provided: one for IPCOP/Endian firewall with two
interfaces (br0 is GREEN and eth1 is RED) and another for the
appliance with three interfaces (additionally eth2, as ORANGE).
* ipt.cpp (main): implemented feature request #2454447 "Standard
options for startup-script". Script generated by fwbuilder now
accepts standard arguments "start" and "stop". Running the script
with no argument is equivalent to "start" for backwards
compatibility. Running script with argument "stop" resets iptables
tables and chains and sets all to default policy DROP (beware!).
2009-04-11 vadim <vadim@vk.crocodile.org>
* platforms.cpp (setPlatform): Firewall platforms are grouped in
the drop-down list that appears in the firewall object dialog and
new firewall creation dialog. Platforms are grouped using XML
element <group> in the platform xml resource file.
* newFirewallDialog.cpp (newFirewallDialog::finishClicked):
remember firewall platform used to create new firewall object
between sessions. Also limit set of host OS shown in the second
combo box to only those supported by chosen firewall platform.
* VERSION: start v3.1.0
* platforms.cpp (setHostOS): fill "hsot OS" drop-down list with
OS names supported for the choosen firewall platform.
2009-04-10 vadim <vadim@vk.crocodile.org>
* ipt.cpp (dumpScript): fixed bug #2356131: "Iptables-restore
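Review bot: the new ChangeLog entries carry several typos that users will read as-is ("apliances", "aplpiance", "chans", "hsot OS", "choosen"). In the #2454447 entry, the "(beware!)" would be clearer if it said what the hazard is: because the script is activated remotely by the installer (admUser/sshArgs options), a "stop" that sets DROP on INPUT and OUTPUT also ends the administrator's own session.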

View File

@ -11,15 +11,15 @@ SO_VERSION = @LIBFWBUILDER_SOLIB_VERSION@
DEFINES += $$(DEFINES)
LANGUAGE = C++
UI_DIR = ui
MANDIR = /Users/vadim/src/fwbuilder/fwb3-branch-v3/install_root/share/man/
DOCDIR = /Users/vadim/src/fwbuilder/fwb3-branch-v3/install_root/share/doc/fwbuilder-3.0.5
MANDIR = /Users/vadim/src/fwbuilder/fwb3-branch-v3_1/install_root/share/man/
DOCDIR = /Users/vadim/src/fwbuilder/fwb3-branch-v3_1/install_root/share/doc/fwbuilder-3.1.0
HAVE_ANTLR_RUNTIME = 1
HAVE_EXTERNAL_ANTLR = 0
unix {
ANTLR_INCLUDEPATH = /Users/vadim/src/fwbuilder/fwb3-branch-v3/source/fwbuilder/src/
ANTLR_LIBS = /Users/vadim/src/fwbuilder/fwb3-branch-v3/source/fwbuilder/src/antlr/libantlr.a
ANTLR_INCLUDEPATH = /Users/vadim/src/fwbuilder/fwb3-branch-v3_1/source/fwbuilder/src/
ANTLR_LIBS = /Users/vadim/src/fwbuilder/fwb3-branch-v3_1/source/fwbuilder/src/antlr/libantlr.a
FWBPARSER_LIB = ../parsers/libfwbparser.a
}
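Review bot: qmake.inc is a configure output (configure.in lists AC_CONFIG_FILES([ qmake.inc ])) and this hunk commits absolute developer-workstation paths (/Users/vadim/src/fwbuilder/fwb3-branch-v3_1/...) into MANDIR, DOCDIR, ANTLR_INCLUDEPATH and ANTLR_LIBS; those values belong as @...@ placeholders in the .in template, and the generated file should be untracked so a branch rename does not produce this kind of diff.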
@ -30,21 +30,21 @@ unix {
MOC_DIR = .moc
OBJECTS_DIR = .obj
PREFIX = /Users/vadim/src/fwbuilder/fwb3-branch-v3/install_root
PREFIX = /Users/vadim/src/fwbuilder/fwb3-branch-v3_1/install_root
exec_prefix = @EXEC_PREFIX@
DESTDIR =
ICONSDIR =
INCLUDEPATH += .. ../.. $$(INCLUDEPATH) /Users/vadim/src/fwbuilder/fwb3-branch-v3/install_root/include/ /Users/vadim/src/fwbuilder/fwb3-branch-v3/install_root/include/fwb-3 /usr/include/libxml2
INCLUDEPATH += .. ../.. $$(INCLUDEPATH) /Users/vadim/src/fwbuilder/fwb3-branch-v3_1/install_root/include/ /Users/vadim/src/fwbuilder/fwb3-branch-v3_1/install_root/include/fwb-3 /usr/include/libxml2
LIBS_FWCOMPILER = -L/Users/vadim/src/fwbuilder/fwb3-branch-v3/install_root/lib -lfwcompiler -lfwbuilder -lxslt -lxml2 -lz -lpthread -licucore -lm -lnetsnmp
LIBS_FWBUILDER = -L/Users/vadim/src/fwbuilder/fwb3-branch-v3/install_root/lib -lfwbuilder -lxslt -lxml2 -lz -lpthread -licucore -lm -lnetsnmp
LIBS_FWCOMPILER = -L/Users/vadim/src/fwbuilder/fwb3-branch-v3_1/install_root/lib -lfwcompiler -lfwbuilder -lxslt -lxml2 -lz -lpthread -licucore -lm -lnetsnmp
LIBS_FWBUILDER = -L/Users/vadim/src/fwbuilder/fwb3-branch-v3_1/install_root/lib -lfwbuilder -lxslt -lxml2 -lz -lpthread -licucore -lm -lnetsnmp
target.path = $$PREFIX/bin
dtd.path = @TEMPLATE_DIR@/
migration.path = @TEMPLATE_DIR@/migration
doc.path = /Users/vadim/src/fwbuilder/fwb3-branch-v3/install_root/share/doc/fwbuilder-3.0.5
datadir.path = /Users/vadim/src/fwbuilder/fwb3-branch-v3/install_root/share/
doc.path = /Users/vadim/src/fwbuilder/fwb3-branch-v3_1/install_root/share/doc/fwbuilder-3.1.0
datadir.path = /Users/vadim/src/fwbuilder/fwb3-branch-v3_1/install_root/share/
# win32:target.path = $$PREFIX/
@ -55,7 +55,7 @@ unix {
res_os.path = ../Resources/os/
res_platform.path = ../Resources/platform/
res_help.path = ../Resources/help/
res_desktop.path = /Users/vadim/src/fwbuilder/fwb3-branch-v3/install_root/share//applications/
res_desktop.path = /Users/vadim/src/fwbuilder/fwb3-branch-v3_1/install_root/share//applications/
INSTALLS += res
INSTALLS += res_os
@ -74,7 +74,7 @@ unix {
}
macx {
PREFIX = /Users/vadim/src/fwbuilder/fwb3-branch-v3/install_root
PREFIX = /Users/vadim/src/fwbuilder/fwb3-branch-v3_1/install_root
}
win32 {

View File

@ -27,6 +27,7 @@
#include "../../config.h"
#include "global.h"
#include "utils.h"
#include "platforms.h"
#include "ProjectPanel.h"
#include "FWBTree.h"

View File

@ -60,6 +60,7 @@
#include "pfAdvancedDialog.h"
#include "pixAdvancedDialog.h"
#include "iosaclAdvancedDialog.h"
#include "ipcopAdvancedDialog.h"
#include "linux24AdvancedDialog.h"
#include "linksysAdvancedDialog.h"
@ -69,6 +70,7 @@
#include "macosxAdvancedDialog.h"
#include "pixosAdvancedDialog.h"
#include "iosAdvancedDialog.h"
#include "ipcoposAdvancedDialog.h"
#include "RuleOptionsDialog.h"
#include "RoutingRuleOptionsDialog.h"
@ -182,7 +184,7 @@ QWidget *DialogFactory::createFWDialog(QWidget *parent,FWObject *o)
if (platform==NULL)
throw FWException((const char*)(QObject::tr("Support module for %1 is not available").arg(o->getStr("platform").c_str()).toLocal8Bit().constData()));
string dlgname=platform->Resources::getResourceStr("/FWBuilderResources/Target/dialog");
string dlgname = platform->Resources::getResourceStr("/FWBuilderResources/Target/dialog");
// string pl=o->getStr("platform");
if (dlgname=="iptables") return new iptAdvancedDialog(parent,o);
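Review bot: this hunk only changes the spacing around `=` in the dlgname assignment; unrelated whitespace edits make the functional change harder to review and are better kept in a separate cleanup commit.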
@ -191,6 +193,7 @@ QWidget *DialogFactory::createFWDialog(QWidget *parent,FWObject *o)
if (dlgname=="pf") return new pfAdvancedDialog(parent,o);
if (dlgname=="pix") return new pixAdvancedDialog(parent,o);
if (dlgname=="iosacl") return new iosaclAdvancedDialog(parent,o);
if (dlgname=="ipcop") return new ipcopAdvancedDialog(parent,o);
cerr << "Firewall settings dialog for " << dlgname
<< " is not implemented" << endl;
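Review bot: dispatch is keyed on the platform's `/FWBuilderResources/Target/dialog` string, so endian and oneshield only reach ipcopAdvancedDialog if their platform xml sets that element to "ipcop" (the dialog's own comment says it serves all three platforms); otherwise they fall into the "is not implemented" cerr branch. The same applies to the "ipcop_os" branch added to createOSDialog below for endian_os.xml and oneshield_os.xml.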
@ -216,6 +219,7 @@ QWidget *DialogFactory::createOSDialog(QWidget *parent,FWObject *o)
if (dlgname=="macosx") return new macosxAdvancedDialog(parent,o);
if (dlgname=="pix_os") return new pixosAdvancedDialog(parent,o);
if (dlgname=="ios") return new iosAdvancedDialog(parent,o);
if (dlgname=="ipcop_os") return new ipcoposAdvancedDialog(parent,o);
cerr << "OS settings dialog for " << dlgname
<< " is not implemented" << endl;

View File

@ -96,6 +96,8 @@ const char* clipComment = SETTINGS_PATH_PREFIX "/UI/ClipComment";
const char* checkUpdates = SETTINGS_PATH_PREFIX "/UI/CheckUpdates";
const char* checkUpdatesProxy = SETTINGS_PATH_PREFIX "/UI/CheckUpdatesProxy";
const char* newFirewallPlatform = SETTINGS_PATH_PREFIX "/Objects/NewFireallPlatform";
FWBSettings::FWBSettings() :
QSettings(QSettings::UserScope, "netcitadel.com", "Firewall Builder")
{
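Review bot: the settings key "/Objects/NewFireallPlatform" has a typo (Fireall). QSettings persists this key in the user's configuration, so fixing it after release would orphan stored values; rename it to NewFirewallPlatform before 3.1.0 ships.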
@ -764,3 +766,14 @@ void FWBSettings::setRecentFiles(QStringList &list)
{
return setList("recentFiles", list);
}
QString FWBSettings::getNewFirewallPlatform()
{
return value(newFirewallPlatform).toString();
}
void FWBSettings::setNewFirewallPlatform(const QString &platform)
{
setValue(newFirewallPlatform, platform);
}

View File

@ -201,6 +201,10 @@ class FWBSettings : public QSettings {
QStringList getRecentFiles();
void setRecentFiles(QStringList &list);
QString getNewFirewallPlatform();
void setNewFirewallPlatform(const QString &platform);
private:
QFont getFontByType(const char*type);
};

View File

@ -33,6 +33,7 @@
#include "FirewallDialog.h"
#include "DialogFactory.h"
#include "FWWindow.h"
#include "FWBSettings.h"
#include "fwbuilder/Library.h"
#include "fwbuilder/Firewall.h"
@ -40,7 +41,6 @@
#include "fwbuilder/Management.h"
#include "fwbuilder/FWException.h"
#include "fwbuilder/Resources.h"
#include "FWBSettings.h"
#include <vector>
#include <map>
@ -85,13 +85,14 @@ void FirewallDialog::loadFWObject(FWObject *o)
init = true;
modified = false;
QString platform = obj->getStr("platform").c_str();
/* fill in platform */
setPlatform(m_dialog->platform, obj->getStr("platform").c_str() );
setPlatform(m_dialog->platform, platform);
fillVersion();
/* fill in host OS */
setHostOS(m_dialog->hostOS, obj->getStr("host_OS").c_str() );
setHostOS(m_dialog->hostOS, platform, obj->getStr("host_OS").c_str());
/* ---------------- */
@ -174,13 +175,9 @@ void FirewallDialog::platformChanged()
fillVersion();
changed();
QString so = Resources::platform_res[
readPlatform(m_dialog->platform).toLatin1().constData()
]->getResourceStr("/FWBuilderResources/Target/supported_os").c_str();
if (so.isEmpty()) return;
QString platform = readPlatform(m_dialog->platform);
QString ho = so.section(",",0);
setHostOS( m_dialog->hostOS, ho.toLatin1().constData() );
setHostOS( m_dialog->hostOS, platform, "");
QString pl = readPlatform(m_dialog->platform);
m_dialog->fwAdvanced->setEnabled( pl!="unknown" );
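Review bot: the early `if (so.isEmpty()) return;` is removed, so platformChanged now always calls setHostOS(m_dialog->hostOS, platform, "") and relies on setHostOS (platforms.cpp, not in this diff) to cope with a platform whose supported_os list is empty. Previously the first entry of supported_os was selected explicitly; what an empty host OS string selects now is decided inside setHostOS, so verify a platform switch still lands on a sensible default.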
@ -228,38 +225,38 @@ void FirewallDialog::libChanged()
void FirewallDialog::applyChanges()
{
Firewall *s = dynamic_cast<Firewall*>(obj);
Management *mgmt=s->getManagementObject();
Management *mgmt = s->getManagementObject();
assert(mgmt!=NULL);
// FWOptions *opt =s->getOptionsObject();
assert(s!=NULL);
string oldname=obj->getName();
string newname=string(m_dialog->obj_name->text().toUtf8().constData());
string oldplatform=obj->getStr("platform");
string old_name = obj->getName();
string new_name = string(m_dialog->obj_name->text().toUtf8().constData());
string old_platform = obj->getStr("platform");
string old_host_os = obj->getStr("host_OS");
string old_version = obj->getStr("version");
string oldVer=obj->getStr("version");
obj->setName(new_name);
obj->setComment(string(m_dialog->comment->toPlainText().toUtf8().constData()));
obj->setName(newname);
obj->setComment(
string(m_dialog->comment->toPlainText().toUtf8().constData()));
string new_platform = readPlatform(m_dialog->platform).toLatin1().constData();
obj->setStr("platform", new_platform );
string pl = readPlatform(m_dialog->platform).toLatin1().constData();
obj->setStr("platform", pl );
obj->setStr("host_OS",
readHostOS(m_dialog->hostOS).toLatin1().constData());
string new_host_os = readHostOS(m_dialog->hostOS).toLatin1().constData();
obj->setStr("host_OS", new_host_os);
s->setInactive(m_dialog->inactive->isChecked());
saveVersion();
string newVer=obj->getStr("version");
string new_version = obj->getStr("version");
mw->updateObjName(obj,QString::fromUtf8(oldname.c_str()));
mw->updateObjName(obj,QString::fromUtf8(old_name.c_str()));
if (oldplatform!=pl || oldname!=newname || oldVer!=newVer)
if (old_platform!=new_platform || old_host_os!=new_host_os ||
old_name!=new_name || old_version!=new_version)
{
if (fwbdebug)
qDebug("FirewallDialog::applyChanges() scheduling call "
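Review bot: `s` is dereferenced in `Management *mgmt = s->getManagementObject();` before `assert(s!=NULL);` runs; since these lines are being rewritten anyway, move the assert (or a real NULL check on the dynamic_cast result) above the first use.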
@ -267,15 +264,29 @@ void FirewallDialog::applyChanges()
mw->scheduleRuleSetRedraw();
}
if (oldplatform!=pl)
if (old_platform!=new_platform)
{
if (fwbdebug)
qDebug("FirewallDialog::applyChanges() platform has changed - "
"clear option 'compiler'");
qDebug("FirewallDialog::applyChanges() platform has changed to %s - "
"clear option 'compiler'", new_platform.c_str());
Firewall *s = Firewall::cast(obj);
assert(s!=NULL);
FWOptions *opt =s->getOptionsObject();
opt->setStr("compiler","");
opt->setStr("compiler", "");
// Set default options for the new platform
Resources::setDefaultTargetOptions(new_platform, s);
}
if (old_host_os!=new_host_os)
{
if (fwbdebug)
qDebug("FirewallDialog::applyChanges() host_OS has changed to %s",
new_host_os.c_str());
Firewall *s = Firewall::cast(obj);
assert(s!=NULL);
// Set default options for the new host os
Resources::setDefaultTargetOptions(new_host_os, s);
}
mw->updateLastModifiedTimestampForAllFirewalls(s);
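Review bot: when both platform and host OS change in one apply, Resources::setDefaultTargetOptions runs twice (platform first, then host OS), so host-OS defaults silently win for any option both define; make that precedence explicit or apply defaults once. The new host_OS block also redeclares `Firewall *s = Firewall::cast(obj);`, shadowing the `s` declared at the top of applyChanges (`Firewall *s = dynamic_cast<Firewall*>(obj);`); drop the local copy.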

View File

@ -325,6 +325,16 @@ QString FirewallInstaller::getDestinationDir()
// need to trim dir because it picks up '\n' and possibly spaces
// from XML element body text formatting
dir = dir.trimmed();
if (fwbdebug)
qDebug("FirewallInstaller::getDestinationDir: "
"optpath=%s "
"destination directory=%s "
"cnf->fwdir=%s",
optpath.c_str(),
dir.toAscii().constData(),
cnf->fwdir.toAscii().constData());
if (dir.isEmpty()) return cnf->fwdir;
if (!dir.endsWith('/')) dir = dir + "/";
return inst_dlg->replaceMacrosInCommand(dir);

View File

@ -88,6 +88,7 @@ HEADERS += ../../config.h \
TimeDialog.h \
RuleSetView.h \
iptAdvancedDialog.h \
ipcopAdvancedDialog.h \
ipfAdvancedDialog.h \
ipfwAdvancedDialog.h \
pfAdvancedDialog.h \
@ -95,6 +96,7 @@ HEADERS += ../../config.h \
pixosAdvancedDialog.h \
iosaclAdvancedDialog.h \
iosAdvancedDialog.h \
ipcoposAdvancedDialog.h \
linux24AdvancedDialog.h \
linksysAdvancedDialog.h \
freebsdAdvancedDialog.h \
@ -203,6 +205,7 @@ SOURCES += ProjectPanel.cpp \
RuleSetDialog.cpp \
RuleSetView.cpp \
iptAdvancedDialog.cpp \
ipcopAdvancedDialog.cpp \
ipfAdvancedDialog.cpp \
ipfwAdvancedDialog.cpp \
pfAdvancedDialog.cpp \
@ -210,6 +213,7 @@ SOURCES += ProjectPanel.cpp \
pixosAdvancedDialog.cpp \
iosaclAdvancedDialog.cpp \
iosAdvancedDialog.cpp \
ipcoposAdvancedDialog.cpp \
linux24AdvancedDialog.cpp \
linksysAdvancedDialog.cpp \
freebsdAdvancedDialog.cpp \
@ -281,6 +285,8 @@ FORMS = FWBMainWindow_q.ui \
rcsfilepreview_q.ui \
rcsfilesavedialog_q.ui \
iptadvanceddialog_q.ui \
ipcopadvanceddialog_q.ui \
ipcoposadvanceddialog_q.ui \
objectmanipulator_q.ui \
prefsdialog_q.ui \
pixadvanceddialog_q.ui \

View File

@ -930,6 +930,10 @@ void instDialog::readInstallerOptionsFromFirewallObject(Firewall *fw)
if (fw)
{
fwopt = fw->getOptionsObject();
string platform = cnf.fwobj->getStr("platform");
string host_OS = cnf.fwobj->getStr("host_OS");
cnf.user = fwopt->getStr("admUser").c_str();
QString aaddr = fwopt->getStr("altAddress").c_str();
if (!aaddr.isEmpty()) cnf.maddr = aaddr;
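Review bot: inside `if (fw)`, platform and host_OS are read from cnf.fwobj rather than from the `fw` argument the function receives, while fwopt comes from fw; if the two can ever differ, read all three from the same object.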
@ -944,8 +948,6 @@ void instDialog::readInstallerOptionsFromFirewallObject(Firewall *fw)
else
cnf.maddr = "";
}
if (fwbdebug) qDebug("management address: %s",
cnf.maddr.toAscii().constData());
/*
* if user requested test run, store firewall script in a temp
* file. Always store it in a temp file on linksys
@ -954,12 +956,12 @@ void instDialog::readInstallerOptionsFromFirewallObject(Firewall *fw)
/* user_can_change_install_dir */
bool uccid = Resources::getTargetOptionBool(
cnf.fwobj->getStr("host_OS"),"user_can_change_install_dir");
host_OS, "user_can_change_install_dir");
if (uccid) s = fwopt->getStr("firewall_dir").c_str();
if (s.isEmpty()) s = Resources::getTargetOptionStr(
cnf.fwobj->getStr("host_OS"), "activation/fwdir").c_str();
host_OS, "activation/fwdir").c_str();
cnf.fwdir = s;
@ -967,7 +969,7 @@ void instDialog::readInstallerOptionsFromFirewallObject(Firewall *fw)
cnf.fwbfile = mw->db()->getFileName().c_str();
cnf.wdir = getFileDir( mw->getRCS()->getFileName() );
cnf.diff_file = QString(cnf.fwobj->getName().c_str())+".diff";
cnf.diff_pgm = Resources::platform_res[cnf.fwobj->getStr("platform")]->
cnf.diff_pgm = Resources::platform_res[platform]->
getResourceStr("/FWBuilderResources/Target/diff").c_str();
cnf.diff_pgm = getPathToBinary(
cnf.diff_pgm.toAscii().constData()).c_str();
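Review bot: `Resources::platform_res[platform]->getResourceStr(...)` dereferences the map lookup without checking for a missing platform, unlike DialogFactory::createFWDialog in this same commit, which tests the lookup for NULL and throws FWException; an unknown or misspelled platform string in the object will crash the installer here instead of producing an error.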
@ -979,8 +981,20 @@ void instDialog::readInstallerOptionsFromFirewallObject(Firewall *fw)
cnf.activationCmd = fwopt->getStr("activationCmd").c_str();
cnf.rollbackTimeUnit =
Resources::getTargetOptionStr(cnf.fwobj->getStr("host_OS"),
"activation/timeout_units").c_str();
Resources::getTargetOptionStr(
host_OS, "activation/timeout_units").c_str();
if (fwbdebug)
{
qDebug("platform: %s", platform.c_str());
qDebug("host_OS: %s", host_OS.c_str());
qDebug("user_can_change_install_dir=%d", uccid);
qDebug("firewall_dir='%s'", fwopt->getStr("firewall_dir").c_str());
qDebug("management address: %s", cnf.maddr.toAscii().constData());
qDebug("cnf.fwdir='%s'", cnf.fwdir.toAscii().constData());
qDebug("activationCmd='%s'", cnf.activationCmd.toAscii().constData());
}
}
}

View File

@ -0,0 +1,234 @@
/*
Firewall Builder
Copyright (C) 2004 NetCitadel, LLC
Author: Vadim Kurland vadim@fwbuilder.org
$Id: ipcopAdvancedDialog.cpp 585 2008-10-09 05:08:41Z vadim $
This program is free software which we release under the GNU General Public
License. You may redistribute and/or modify this program under the terms
of that license as published by the Free Software Foundation; either
version 2 of the License, or (at your option) any later version.
This program is distributed in the hope that it will be useful,
but WITHOUT ANY WARRANTY; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
GNU General Public License for more details.
To get a copy of the GNU General Public License, write to the Free Software
Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
*/
#include "../../config.h"
#include "global.h"
#include "platforms.h"
#include "ipcopAdvancedDialog.h"
#include "SimpleTextEditor.h"
#include "FWWindow.h"
#include "Help.h"
#include "fwbuilder/Firewall.h"
#include "fwbuilder/Management.h"
#include "fwbuilder/Resources.h"
#include <qcheckbox.h>
#include <qspinbox.h>
#include <qcombobox.h>
#include <qradiobutton.h>
#include <qlineedit.h>
#include <qstackedwidget.h>
#include <qregexp.h>
#include <qtextedit.h>
using namespace std;
using namespace libfwbuilder;
ipcopAdvancedDialog::~ipcopAdvancedDialog()
{
delete m_dialog;
}
ipcopAdvancedDialog::ipcopAdvancedDialog(QWidget *parent,FWObject *o)
: QDialog(parent)
{
m_dialog = new Ui::ipcopAdvancedDialog_q;
m_dialog->setupUi(this);
obj=o;
QStringList slm;
/*
* Set dialog title dynamically to reflect description set in the
* platform resource file. This is useful because the same dialog
* is used for ipcop, endian and oneshield platforms.
*/
string platform = obj->getStr("platform");
string description = Resources::platform_res[platform]->
getResourceStr("/FWBuilderResources/Target/description");
setWindowTitle(QObject::tr("%1 advanced settings").arg(description.c_str()));
FWOptions *fwoptions=(Firewall::cast(obj))->getOptionsObject();
assert(fwoptions!=NULL);
Management *mgmt=(Firewall::cast(obj))->getManagementObject();
assert(mgmt!=NULL);
/*
fwoptions->setStr("firewall_dir", "/etc/rc.d/");
fwoptions->setStr("admUser", "admin");
fwoptions->setStr("activationCmd", "/etc/rc.d/rc.firewall");
fwoptions->setStr("output_file", "rc.firewall.local");
*/
//QString s = fwoptions->getStr("ipv4_6_order")
data.registerOption(m_dialog->ipv4before, fwoptions, "ipv4_6_order",
QStringList() << "IPv4 before IPv6"
<<"ipv4_first" << "IPv6 before IPv4" << "ipv6_first");
data.registerOption(m_dialog->logTCPseq, fwoptions, "log_tcp_seq");
data.registerOption(m_dialog->logTCPopt, fwoptions, "log_tcp_opt");
data.registerOption(m_dialog->logIPopt, fwoptions, "log_ip_opt");
data.registerOption(m_dialog->logNumsyslog, fwoptions,
"use_numeric_log_levels");
slm = getLogLevels( platform.c_str());
m_dialog->logLevel->clear();
m_dialog->logLevel->addItems( getScreenNames(slm));
data.registerOption(m_dialog-> logLevel, fwoptions, "log_level", slm);
data.registerOption(m_dialog->useULOG, fwoptions, "use_ULOG");
data.registerOption(m_dialog->cprange, fwoptions, "ulog_cprange");
data.registerOption(m_dialog->qthreshold, fwoptions, "ulog_qthreshold");
data.registerOption(m_dialog->nlgroup, fwoptions, "ulog_nlgroup");
data.registerOption(m_dialog->logprefix, fwoptions, "log_prefix");
slm=getLimitSuffixes( platform.c_str());
m_dialog->logLimitSuffix->clear();
m_dialog->logLimitSuffix->addItems(getScreenNames(slm));
data.registerOption(m_dialog-> logLimitSuffix, fwoptions,
"limit_suffix", slm);
data.registerOption(m_dialog->logLimitVal, fwoptions, "limit_value");
data.registerOption(m_dialog->logAll, fwoptions, "log_all");
data.registerOption(m_dialog->compiler, fwoptions, "compiler");
data.registerOption(m_dialog->compilerArgs, fwoptions, "cmdline");
data.registerOption(m_dialog->outputFileName, fwoptions, "output_file");
data.registerOption(m_dialog->assumeFwIsPartOfAny,
fwoptions, "firewall_is_part_of_any_and_networks");
data.registerOption(m_dialog->acceptSessions,
fwoptions, "accept_new_tcp_with_no_syn");
data.registerOption(m_dialog->bridge, fwoptions, "bridging_fw");
data.registerOption(m_dialog->shadowing, fwoptions, "check_shading");
data.registerOption(m_dialog->emptyGroups, fwoptions,
"ignore_empty_groups");
data.registerOption(m_dialog->localNAT, fwoptions, "local_nat");
data.registerOption(m_dialog->makeTagClassifyTerminating,
fwoptions, "classify_mark_terminating");
slm=getActionsOnReject( platform.c_str());
m_dialog->actionOnReject->clear();
m_dialog->actionOnReject->addItems(getScreenNames(slm));
data.registerOption(m_dialog-> actionOnReject,
fwoptions,"action_on_reject", slm);
data.registerOption(m_dialog->mgmt_ssh, fwoptions, "mgmt_ssh");
data.registerOption(m_dialog->mgmt_addr, fwoptions, "mgmt_addr");
data.registerOption(m_dialog->iptDebug, fwoptions, "debug");
data.registerOption(m_dialog->verifyInterfaces, fwoptions, "verify_interfaces");
data.registerOption(m_dialog->ipt_fw_dir, fwoptions, "firewall_dir");
data.registerOption(m_dialog->ipt_user, fwoptions, "admUser");
data.registerOption(m_dialog->altAddress, fwoptions, "altAddress");
data.registerOption(m_dialog->sshArgs, fwoptions, "sshArgs");
data.registerOption( m_dialog->scpArgs, fwoptions, "scpArgs");
data.registerOption(m_dialog->activationCmd, fwoptions, "activationCmd");
PolicyInstallScript *pis = mgmt->getPolicyInstallScript();
m_dialog->installScript->setText( pis->getCommand().c_str());
m_dialog->installScriptArgs->setText( pis->getArguments().c_str());
/* page "Prolog/Epilog" */
data.registerOption(m_dialog->prolog_script, fwoptions, "prolog_script");
data.registerOption(m_dialog->epilog_script, fwoptions, "epilog_script");
data.loadAll();
switchLOG_ULOG();
}
void ipcopAdvancedDialog::switchLOG_ULOG()
{
m_dialog->useLOG->setChecked(!m_dialog->useULOG->isChecked());
if (m_dialog->useLOG->isChecked())
m_dialog->logTargetStack->setCurrentIndex(0);
else
m_dialog->logTargetStack->setCurrentIndex(1);
}
/*
* store all data in the object
*/
void ipcopAdvancedDialog::accept()
{
FWOptions *fwoptions=(Firewall::cast(obj))->getOptionsObject();
assert(fwoptions!=NULL);
Management *mgmt=(Firewall::cast(obj))->getManagementObject();
assert(mgmt!=NULL);
data.saveAll();
/********************* data for fwbd and install script **************/
PolicyInstallScript *pis = mgmt->getPolicyInstallScript();
// find first interface marked as "management"
const InetAddr *mgmt_addr = Firewall::cast(obj)->getManagementAddress();
if (mgmt_addr)
mgmt->setAddress(*mgmt_addr);
pis->setCommand( m_dialog->installScript->text().toLatin1().constData());
pis->setArguments( m_dialog->installScriptArgs->text().toLatin1().constData());
mw->updateLastModifiedTimestampForAllFirewalls(obj);
QDialog::accept();
}
void ipcopAdvancedDialog::reject()
{
QDialog::reject();
}
void ipcopAdvancedDialog::editProlog()
{
SimpleTextEditor edt(this,
m_dialog->prolog_script->toPlainText(),
true, tr( "Script Editor" ));
if ( edt.exec() == QDialog::Accepted )
m_dialog->prolog_script->setText( edt.text());
}
void ipcopAdvancedDialog::editEpilog()
{
SimpleTextEditor edt(this,
m_dialog->epilog_script->toPlainText(),
true, tr( "Script Editor" ));
if ( edt.exec() == QDialog::Accepted )
m_dialog->epilog_script->setText( edt.text());
}
void ipcopAdvancedDialog::help()
{
Help *h = new Help(this, "ipcopAdvancedDialog", "Firewall platform: IPCOP");
h->show();
QString tab_title = m_dialog->tabWidget->tabText(
m_dialog->tabWidget->currentIndex());
h->scrollToAnchor(tab_title.replace('/', '-').replace(' ', '-').toLower());
}
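Review bot: help() hard-codes the title "Firewall platform: IPCOP" although the constructor deliberately builds the window title from the platform's description resource because the dialog is shared by ipcop, endian and oneshield; use the same description string there. Also, the commented-out block setting firewall_dir, admUser, activationCmd and output_file is dead code now that the resource files supply those defaults and should be deleted rather than left in a new file, the `$Id: ipcopAdvancedDialog.cpp 585 2008-10-09 ...$` header and 2004 copyright look copied from the iptables dialog, and `Resources::platform_res[platform]->` in the constructor has the same unchecked-lookup issue as instDialog.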

View File

@ -0,0 +1,64 @@
/*
Firewall Builder
Copyright (C) 2004 NetCitadel, LLC
Author: Vadim Kurland vadim@fwbuilder.org
$Id: ipcopAdvancedDialog.h 441 2008-08-03 02:24:37Z vadim $
This program is free software which we release under the GNU General Public
License. You may redistribute and/or modify this program under the terms
of that license as published by the Free Software Foundation; either
version 2 of the License, or (at your option) any later version.
This program is distributed in the hope that it will be useful,
but WITHOUT ANY WARRANTY; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
GNU General Public License for more details.
To get a copy of the GNU General Public License, write to the Free Software
Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
*/
#ifndef __IPCOPADVANCEDDIALOG_H_
#define __IPCOPADVANCEDDIALOG_H_
#include <ui_ipcopadvanceddialog_q.h>
#include "DialogData.h"
namespace libfwbuilder {
class FWObject;
};
class ipcopAdvancedDialog : public QDialog
{
Q_OBJECT
libfwbuilder::FWObject *obj;
DialogData data;
Ui::ipcopAdvancedDialog_q *m_dialog;
public:
ipcopAdvancedDialog(QWidget *parent,libfwbuilder::FWObject *o);
~ipcopAdvancedDialog();
protected slots:
virtual void accept();
virtual void reject();
virtual void help();
virtual void editProlog();
virtual void editEpilog();
public slots:
virtual void switchLOG_ULOG();
};
#endif // __IPCOPADVANCEDDIALOG_H
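Review bot: the `#endif // __IPCOPADVANCEDDIALOG_H` comment does not match the guard `__IPCOPADVANCEDDIALOG_H_`; beyond that, identifiers beginning with a double underscore are reserved for the implementation in C++, so a guard such as IPCOPADVANCEDDIALOG_H is preferable. The `};` closing the libfwbuilder namespace block has a stray semicolon.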

View File

@ -0,0 +1,1422 @@
<ui version="4.0" >
<class>ipcopAdvancedDialog_q</class>
<widget class="QDialog" name="ipcopAdvancedDialog_q" >
<property name="enabled" >
<bool>true</bool>
</property>
<property name="geometry" >
<rect>
<x>0</x>
<y>0</y>
<width>671</width>
<height>710</height>
</rect>
</property>
<property name="sizePolicy" >
<sizepolicy vsizetype="Preferred" hsizetype="Preferred" >
<horstretch>0</horstretch>
<verstretch>0</verstretch>
</sizepolicy>
</property>
<property name="windowTitle" >
<string>ipcop advanced settings</string>
</property>
<property name="sizeGripEnabled" >
<bool>false</bool>
</property>
<layout class="QGridLayout" >
<item row="0" column="0" >
<widget class="QTabWidget" name="tabWidget" >
<property name="sizePolicy" >
<sizepolicy vsizetype="Expanding" hsizetype="Expanding" >
<horstretch>0</horstretch>
<verstretch>0</verstretch>
</sizepolicy>
</property>
<property name="currentIndex" >
<number>0</number>
</property>
<widget class="QWidget" name="tab0" >
<attribute name="title" >
<string>Compiler</string>
</attribute>
<layout class="QGridLayout" name="gridLayout_4" >
<property name="leftMargin" >
<number>12</number>
</property>
<property name="rightMargin" >
<number>12</number>
</property>
<property name="bottomMargin" >
<number>12</number>
</property>
<item row="0" column="0" colspan="2" >
<widget class="QLabel" name="compilerLabel" >
<property name="text" >
<string>Compiler:</string>
</property>
<property name="alignment" >
<set>Qt::AlignRight|Qt::AlignTrailing|Qt::AlignVCenter</set>
</property>
<property name="wordWrap" >
<bool>false</bool>
</property>
</widget>
</item>
<item row="0" column="2" >
<widget class="QLineEdit" name="compiler" >
<property name="maximumSize" >
<size>
<width>32767</width>
<height>22</height>
</size>
</property>
</widget>
</item>
<item row="1" column="0" colspan="2" >
<widget class="QLabel" name="compilerArgsLabel" >
<property name="sizePolicy" >
<sizepolicy vsizetype="Preferred" hsizetype="Expanding" >
<horstretch>0</horstretch>
<verstretch>0</verstretch>
</sizepolicy>
</property>
<property name="text" >
<string>Command line options for the compiler:</string>
</property>
<property name="alignment" >
<set>Qt::AlignRight|Qt::AlignTrailing|Qt::AlignVCenter</set>
</property>
<property name="wordWrap" >
<bool>false</bool>
</property>
</widget>
</item>
<item row="1" column="2" >
<widget class="QLineEdit" name="compilerArgs" >
<property name="maximumSize" >
<size>
<width>32767</width>
<height>22</height>
</size>
</property>
</widget>
</item>
<item row="2" column="0" colspan="2" >
<widget class="QLabel" name="textLabel1_5" >
<property name="sizePolicy" >
<sizepolicy vsizetype="Preferred" hsizetype="Expanding" >
<horstretch>0</horstretch>
<verstretch>0</verstretch>
</sizepolicy>
</property>
<property name="text" >
<string>Output file name (if left blank, the file name is constructed of the firewall object name and extension ".fw")</string>
</property>
<property name="alignment" >
<set>Qt::AlignVCenter</set>
</property>
<property name="wordWrap" >
<bool>true</bool>
</property>
</widget>
</item>
<item row="2" column="2" >
<widget class="QLineEdit" name="outputFileName" >
<property name="maximumSize" >
<size>
<width>32767</width>
<height>22</height>
</size>
</property>
<property name="text" >
<string>rc.firewall.local</string>
</property>
<property name="readOnly" >
<bool>true</bool>
</property>
</widget>
</item>
<item row="3" column="0" colspan="3" >
<widget class="Line" name="line4_2" >
<property name="frameShape" >
<enum>QFrame::HLine</enum>
</property>
<property name="frameShadow" >
<enum>QFrame::Sunken</enum>
</property>
<property name="orientation" >
<enum>Qt::Horizontal</enum>
</property>
</widget>
</item>
<item row="4" column="0" >
<spacer>
<property name="orientation" >
<enum>Qt::Horizontal</enum>
</property>
<property name="sizeType" >
<enum>QSizePolicy::Maximum</enum>
</property>
<property name="sizeHint" stdset="0" >
<size>
<width>30</width>
<height>150</height>
</size>
</property>
</spacer>
</item>
<item row="4" column="1" colspan="2" >
<layout class="QVBoxLayout" name="verticalLayout" >
<item>
<widget class="QCheckBox" name="assumeFwIsPartOfAny" >
<property name="sizePolicy" >
<sizepolicy vsizetype="Fixed" hsizetype="Minimum" >
<horstretch>0</horstretch>
<verstretch>0</verstretch>
</sizepolicy>
</property>
<property name="text" >
<string>Assume firewall is part of 'any'</string>
</property>
</widget>
</item>
<item>
<widget class="QCheckBox" name="acceptSessions" >
<property name="sizePolicy" >
<sizepolicy vsizetype="Fixed" hsizetype="Minimum" >
<horstretch>0</horstretch>
<verstretch>0</verstretch>
</sizepolicy>
</property>
<property name="text" >
<string>Accept TCP sessions opened prior to firewall restart</string>
</property>
</widget>
</item>
<item>
<widget class="QCheckBox" name="bridge" >
<property name="sizePolicy" >
<sizepolicy vsizetype="Fixed" hsizetype="Minimum" >
<horstretch>0</horstretch>
<verstretch>0</verstretch>
</sizepolicy>
</property>
<property name="text" >
<string>Bridging firewall</string>
</property>
</widget>
</item>
<item>
<widget class="QCheckBox" name="shadowing" >
<property name="sizePolicy" >
<sizepolicy vsizetype="Fixed" hsizetype="Minimum" >
<horstretch>0</horstretch>
<verstretch>0</verstretch>
</sizepolicy>
</property>
<property name="text" >
<string>Detect shadowing in policy rules</string>
</property>
</widget>
</item>
<item>
<widget class="QCheckBox" name="emptyGroups" >
<property name="sizePolicy" >
<sizepolicy vsizetype="Fixed" hsizetype="Minimum" >
<horstretch>0</horstretch>
<verstretch>0</verstretch>
</sizepolicy>
</property>
<property name="text" >
<string>Ignore empty groups in rules</string>
</property>
</widget>
</item>
<item>
<widget class="QCheckBox" name="localNAT" >
<property name="sizePolicy" >
<sizepolicy vsizetype="Fixed" hsizetype="Minimum" >
<horstretch>0</horstretch>
<verstretch>0</verstretch>
</sizepolicy>
</property>
<property name="text" >
<string>Enable support for NAT of locally originated connections</string>
</property>
</widget>
</item>
<item>
<widget class="QCheckBox" name="makeTagClassifyTerminating" >
<property name="text" >
<string>Make Tag and Classify actions terminating</string>
</property>
</widget>
</item>
<item>
<layout class="QHBoxLayout" name="horizontalLayout_3" >
<item>
<widget class="QLabel" name="textLabel9" >
<property name="text" >
<string>Default action on 'Reject':</string>
</property>
<property name="wordWrap" >
<bool>false</bool>
</property>
</widget>
</item>
<item>
<widget class="QComboBox" name="actionOnReject" />
</item>
<item>
<spacer>
<property name="orientation" >
<enum>Qt::Horizontal</enum>
</property>
<property name="sizeType" >
<enum>QSizePolicy::Expanding</enum>
</property>
<property name="sizeHint" stdset="0" >
<size>
<width>72</width>
<height>20</height>
</size>
</property>
</spacer>
</item>
</layout>
</item>
</layout>
</item>
<item row="5" column="0" colspan="3" >
<widget class="Line" name="line4" >
<property name="frameShape" >
<enum>QFrame::HLine</enum>
</property>
<property name="frameShadow" >
<enum>QFrame::Sunken</enum>
</property>
<property name="orientation" >
<enum>Qt::Horizontal</enum>
</property>
</widget>
</item>
<item row="6" column="0" >
<spacer>
<property name="orientation" >
<enum>Qt::Horizontal</enum>
</property>
<property name="sizeType" >
<enum>QSizePolicy::Fixed</enum>
</property>
<property name="sizeHint" stdset="0" >
<size>
<width>30</width>
<height>50</height>
</size>
</property>
</spacer>
</item>
<item row="6" column="1" >
<widget class="QCheckBox" name="mgmt_ssh" >
<property name="text" >
<string>Always permit ssh access from
the management workstation
with this address:</string>
</property>
</widget>
</item>
<item row="6" column="2" >
<widget class="QLineEdit" name="mgmt_addr" >
<property name="sizePolicy" >
<sizepolicy vsizetype="Fixed" hsizetype="Expanding" >
<horstretch>0</horstretch>
<verstretch>0</verstretch>
</sizepolicy>
</property>
<property name="maximumSize" >
<size>
<width>32767</width>
<height>32767</height>
</size>
</property>
</widget>
</item>
<item row="7" column="1" >
<spacer>
<property name="orientation" >
<enum>Qt::Vertical</enum>
</property>
<property name="sizeType" >
<enum>QSizePolicy::Expanding</enum>
</property>
<property name="sizeHint" stdset="0" >
<size>
<width>20</width>
<height>20</height>
</size>
</property>
</spacer>
</item>
</layout>
</widget>
<widget class="QWidget" name="tab1" >
<attribute name="title" >
<string>Installer</string>
</attribute>
<layout class="QGridLayout" name="gridLayout_3" >
<item row="0" column="0" >
<widget class="QGroupBox" name="groupBox2" >
<property name="title" >
<string>Built-in installer</string>
</property>
<layout class="QGridLayout" name="gridLayout" >
<item row="0" column="0" >
<widget class="QLabel" name="label556" >
<property name="text" >
<string>Directory on the firewall where script should be installed</string>
</property>
<property name="alignment" >
<set>Qt::AlignLeading|Qt::AlignLeft|Qt::AlignVCenter</set>
</property>
<property name="wordWrap" >
<bool>true</bool>
</property>
</widget>
</item>
<item row="0" column="1" >
<widget class="QLineEdit" name="ipt_fw_dir" >
<property name="sizePolicy" >
<sizepolicy vsizetype="Fixed" hsizetype="Fixed" >
<horstretch>0</horstretch>
<verstretch>0</verstretch>
</sizepolicy>
</property>
<property name="minimumSize" >
<size>
<width>250</width>
<height>0</height>
</size>
</property>
<property name="text" >
<string>/etc/rc.d/</string>
</property>
<property name="cursorPosition" >
<number>0</number>
</property>
<property name="readOnly" >
<bool>true</bool>
</property>
</widget>
</item>
<item row="1" column="0" >
<widget class="QLabel" name="textLabel1_2" >
<property name="text" >
<string>User name used to authenticate to the firewall (leave this empty if you use putty session):</string>
</property>
<property name="alignment" >
<set>Qt::AlignLeading|Qt::AlignLeft|Qt::AlignVCenter</set>
</property>
<property name="wordWrap" >
<bool>true</bool>
</property>
</widget>
</item>
<item row="1" column="1" >
<widget class="QLineEdit" name="ipt_user" >
<property name="sizePolicy" >
<sizepolicy vsizetype="Fixed" hsizetype="Fixed" >
<horstretch>0</horstretch>
<verstretch>0</verstretch>
</sizepolicy>
</property>
<property name="minimumSize" >
<size>
<width>250</width>
<height>0</height>
</size>
</property>
<property name="text" >
<string>admin</string>
</property>
<property name="cursorPosition" >
<number>0</number>
</property>
<property name="readOnly" >
<bool>true</bool>
</property>
</widget>
</item>
<item row="2" column="0" >
<widget class="QLabel" name="textLabel1_3" >
<property name="text" >
<string>Alternative name or address used to communicate with the firewall (also putty session name on Windows)</string>
</property>
<property name="alignment" >
<set>Qt::AlignLeading|Qt::AlignLeft|Qt::AlignTop</set>
</property>
<property name="wordWrap" >
<bool>true</bool>
</property>
</widget>
</item>
<item row="2" column="1" >
<widget class="QLineEdit" name="altAddress" >
<property name="sizePolicy" >
<sizepolicy vsizetype="Fixed" hsizetype="Fixed" >
<horstretch>0</horstretch>
<verstretch>0</verstretch>
</sizepolicy>
</property>
<property name="minimumSize" >
<size>
<width>250</width>
<height>0</height>
</size>
</property>
</widget>
</item>
<item row="3" column="0" >
<widget class="QLabel" name="textLabel1_4" >
<property name="text" >
<string>A command that installer should execute on the firewall in order to activate the policy (if this field is blank, installer runs firewall script in the directory specified above; it uses sudo if user name is not 'root')</string>
</property>
<property name="alignment" >
<set>Qt::AlignVCenter</set>
</property>
<property name="wordWrap" >
<bool>true</bool>
</property>
</widget>
</item>
<item row="3" column="1" >
<widget class="QLineEdit" name="activationCmd" >
<property name="sizePolicy" >
<sizepolicy vsizetype="Fixed" hsizetype="Fixed" >
<horstretch>0</horstretch>
<verstretch>0</verstretch>
</sizepolicy>
</property>
<property name="minimumSize" >
<size>
<width>250</width>
<height>0</height>
</size>
</property>
<property name="text" >
<string>/etc/rc.d/rc.firewall</string>
</property>
<property name="cursorPosition" >
<number>0</number>
</property>
<property name="readOnly" >
<bool>true</bool>
</property>
</widget>
</item>
<item row="4" column="0" colspan="2" >
<layout class="QHBoxLayout" >
<item>
<widget class="QLabel" name="textLabel1_7" >
<property name="text" >
<string>Additional command line parameters for ssh</string>
</property>
<property name="wordWrap" >
<bool>false</bool>
</property>
</widget>
</item>
<item>
<widget class="QLineEdit" name="sshArgs" >
<property name="sizePolicy" >
<sizepolicy vsizetype="Fixed" hsizetype="Expanding" >
<horstretch>0</horstretch>
<verstretch>0</verstretch>
</sizepolicy>
</property>
<property name="minimumSize" >
<size>
<width>300</width>
<height>0</height>
</size>
</property>
</widget>
</item>
</layout>
</item>
<item row="5" column="0" colspan="2" >
<layout class="QHBoxLayout" name="_2" >
<item>
<widget class="QLabel" name="textLabel1_8" >
<property name="text" >
<string>Additional command line parameters for scp</string>
</property>
<property name="wordWrap" >
<bool>false</bool>
</property>
</widget>
</item>
<item>
<widget class="QLineEdit" name="scpArgs" >
<property name="sizePolicy" >
<sizepolicy vsizetype="Fixed" hsizetype="Expanding" >
<horstretch>0</horstretch>
<verstretch>0</verstretch>
</sizepolicy>
</property>
<property name="minimumSize" >
<size>
<width>300</width>
<height>0</height>
</size>
</property>
</widget>
</item>
</layout>
</item>
</layout>
</widget>
</item>
<item row="1" column="0" >
<widget class="QGroupBox" name="groupBox1" >
<property name="title" >
<string>External install script</string>
</property>
<layout class="QGridLayout" name="gridLayout_2" >
<item row="0" column="0" >
<layout class="QHBoxLayout" name="horizontalLayout" >
<item>
<widget class="QLabel" name="textLabel5_2" >
<property name="sizePolicy" >
<sizepolicy vsizetype="Preferred" hsizetype="Expanding" >
<horstretch>0</horstretch>
<verstretch>0</verstretch>
</sizepolicy>
</property>
<property name="text" >
<string>Policy install script (using built-in installer if this field is blank):</string>
</property>
<property name="alignment" >
<set>Qt::AlignLeading|Qt::AlignLeft|Qt::AlignVCenter</set>
</property>
<property name="wordWrap" >
<bool>true</bool>
</property>
</widget>
</item>
<item>
<widget class="QLineEdit" name="installScript" >
<property name="sizePolicy" >
<sizepolicy vsizetype="Fixed" hsizetype="Fixed" >
<horstretch>0</horstretch>
<verstretch>0</verstretch>
</sizepolicy>
</property>
<property name="minimumSize" >
<size>
<width>300</width>
<height>0</height>
</size>
</property>
</widget>
</item>
</layout>
</item>
<item row="1" column="0" >
<layout class="QHBoxLayout" name="horizontalLayout_2" >
<item>
<widget class="QLabel" name="textLabel6_2" >
<property name="sizePolicy" >
<sizepolicy vsizetype="Preferred" hsizetype="Expanding" >
<horstretch>0</horstretch>
<verstretch>0</verstretch>
</sizepolicy>
</property>
<property name="text" >
<string>Command line options for the script:</string>
</property>
<property name="alignment" >
<set>Qt::AlignLeading|Qt::AlignLeft|Qt::AlignVCenter</set>
</property>
<property name="wordWrap" >
<bool>false</bool>
</property>
</widget>
</item>
<item>
<widget class="QLineEdit" name="installScriptArgs" >
<property name="sizePolicy" >
<sizepolicy vsizetype="Fixed" hsizetype="Fixed" >
<horstretch>0</horstretch>
<verstretch>0</verstretch>
</sizepolicy>
</property>
<property name="minimumSize" >
<size>
<width>300</width>
<height>0</height>
</size>
</property>
</widget>
</item>
</layout>
</item>
</layout>
</widget>
</item>
<item row="2" column="0" >
<spacer>
<property name="orientation" >
<enum>Qt::Vertical</enum>
</property>
<property name="sizeType" >
<enum>QSizePolicy::Expanding</enum>
</property>
<property name="sizeHint" stdset="0" >
<size>
<width>20</width>
<height>100</height>
</size>
</property>
</spacer>
</item>
</layout>
</widget>
<widget class="QWidget" name="tab2" >
<attribute name="title" >
<string>Prolog/Epilog</string>
</attribute>
<layout class="QGridLayout" >
<property name="margin" >
<number>6</number>
</property>
<item row="1" column="0" >
<widget class="QGroupBox" name="frame147" >
<property name="title" >
<string/>
</property>
<layout class="QGridLayout" >
<property name="margin" >
<number>6</number>
</property>
<item row="2" column="1" >
<widget class="QPushButton" name="edit_epilog_button" >
<property name="text" >
<string>Edit</string>
</property>
</widget>
</item>
<item row="2" column="0" >
<spacer>
<property name="orientation" >
<enum>Qt::Horizontal</enum>
</property>
<property name="sizeType" >
<enum>QSizePolicy::Expanding</enum>
</property>
<property name="sizeHint" stdset="0" >
<size>
<width>40</width>
<height>20</height>
</size>
</property>
</spacer>
</item>
<item row="1" column="0" colspan="2" >
<widget class="QTextEdit" name="epilog_script" />
</item>
<item row="0" column="0" colspan="2" >
<widget class="QLabel" name="textLabel2_2_2" >
<property name="text" >
<string>The following commands will be added verbatim after generated configuration</string>
</property>
<property name="alignment" >
<set>Qt::AlignVCenter</set>
</property>
<property name="wordWrap" >
<bool>true</bool>
</property>
</widget>
</item>
</layout>
</widget>
</item>
<item row="0" column="0" >
<widget class="QGroupBox" name="frame146" >
<property name="title" >
<string/>
</property>
<layout class="QGridLayout" >
<property name="margin" >
<number>6</number>
</property>
<item row="0" column="0" colspan="2" >
<widget class="QLabel" name="textLabel2_2" >
<property name="text" >
<string>The following commands will be added verbatim on top of generated configuration</string>
</property>
<property name="alignment" >
<set>Qt::AlignVCenter</set>
</property>
<property name="wordWrap" >
<bool>true</bool>
</property>
</widget>
</item>
<item row="1" column="0" colspan="2" >
<widget class="QTextEdit" name="prolog_script" />
</item>
<item row="2" column="1" >
<widget class="QPushButton" name="edit_prolog_button" >
<property name="text" >
<string>Edit</string>
</property>
</widget>
</item>
<item row="2" column="0" >
<spacer name="horizontalSpacer" >
<property name="orientation" >
<enum>Qt::Horizontal</enum>
</property>
<property name="sizeHint" stdset="0" >
<size>
<width>40</width>
<height>20</height>
</size>
</property>
</spacer>
</item>
</layout>
</widget>
</item>
</layout>
</widget>
<widget class="QWidget" name="tab3" >
<attribute name="title" >
<string>Logging</string>
</attribute>
<layout class="QGridLayout" >
<property name="margin" >
<number>20</number>
</property>
<item rowspan="5" row="0" column="0" >
<widget class="QGroupBox" name="buttonGroup1" >
<property name="title" >
<string/>
</property>
<layout class="QGridLayout" >
<property name="margin" >
<number>6</number>
</property>
<item row="0" column="1" >
<widget class="QRadioButton" name="useULOG" >
<property name="text" >
<string>use ULOG</string>
</property>
</widget>
</item>
<item row="0" column="0" >
<widget class="QRadioButton" name="useLOG" >
<property name="text" >
<string>use LOG</string>
</property>
</widget>
</item>
<item row="1" column="0" colspan="2" >
<widget class="QStackedWidget" name="logTargetStack" >
<property name="currentIndex" >
<number>0</number>
</property>
<widget class="QWidget" name="WStackPage0" >
<layout class="QGridLayout" >
<property name="margin" >
<number>0</number>
</property>
<property name="spacing" >
<number>10</number>
</property>
<item row="0" column="0" colspan="2" >
<widget class="QCheckBox" name="logTCPseq" >
<property name="text" >
<string>log TCP seq. numbers</string>
</property>
</widget>
</item>
<item row="2" column="0" colspan="2" >
<widget class="QCheckBox" name="logIPopt" >
<property name="text" >
<string>log IP options</string>
</property>
</widget>
</item>
<item row="3" column="0" colspan="2" >
<widget class="QCheckBox" name="logNumsyslog" >
<property name="text" >
<string>use numeric syslog levels</string>
</property>
</widget>
</item>
<item row="4" column="0" >
<widget class="QLabel" name="textLabel1" >
<property name="text" >
<string>Log level:</string>
</property>
<property name="wordWrap" >
<bool>false</bool>
</property>
</widget>
</item>
<item row="4" column="1" >
<widget class="QComboBox" name="logLevel" />
</item>
<item row="1" column="0" colspan="2" >
<widget class="QCheckBox" name="logTCPopt" >
<property name="text" >
<string>log TCP options</string>
</property>
</widget>
</item>
</layout>
</widget>
<widget class="QWidget" name="WStackPage1" >
<layout class="QGridLayout" >
<property name="margin" >
<number>0</number>
</property>
<property name="spacing" >
<number>10</number>
</property>
<item row="0" column="1" >
<widget class="QSpinBox" name="cprange" >
<property name="maximum" >
<number>1500</number>
</property>
</widget>
</item>
<item row="0" column="0" >
<widget class="QLabel" name="textLabel2" >
<property name="text" >
<string>cprange</string>
</property>
<property name="wordWrap" >
<bool>false</bool>
</property>
</widget>
</item>
<item row="1" column="1" >
<widget class="QSpinBox" name="qthreshold" >
<property name="minimum" >
<number>1</number>
</property>
</widget>
</item>
<item row="1" column="0" >
<widget class="QLabel" name="textLabel3" >
<property name="text" >
<string>queue threshold:</string>
</property>
<property name="wordWrap" >
<bool>false</bool>
</property>
</widget>
</item>
<item row="2" column="0" >
<widget class="QLabel" name="textLabel4" >
<property name="text" >
<string>netlink group:</string>
</property>
<property name="wordWrap" >
<bool>false</bool>
</property>
</widget>
</item>
<item row="2" column="1" >
<widget class="QSpinBox" name="nlgroup" >
<property name="minimum" >
<number>1</number>
</property>
<property name="maximum" >
<number>32</number>
</property>
</widget>
</item>
<item row="3" column="0" >
<spacer>
<property name="orientation" >
<enum>Qt::Vertical</enum>
</property>
<property name="sizeType" >
<enum>QSizePolicy::Expanding</enum>
</property>
<property name="sizeHint" stdset="0" >
<size>
<width>20</width>
<height>16</height>
</size>
</property>
</spacer>
</item>
</layout>
</widget>
</widget>
</item>
</layout>
</widget>
</item>
<item rowspan="6" row="0" column="1" >
<widget class="Line" name="line1" >
<property name="sizePolicy" >
<sizepolicy vsizetype="Minimum" hsizetype="Fixed" >
<horstretch>0</horstretch>
<verstretch>0</verstretch>
</sizepolicy>
</property>
<property name="frameShape" >
<enum>QFrame::VLine</enum>
</property>
<property name="frameShadow" >
<enum>QFrame::Sunken</enum>
</property>
<property name="orientation" >
<enum>Qt::Vertical</enum>
</property>
</widget>
</item>
<item row="0" column="2" >
<widget class="QLabel" name="textLabel5" >
<property name="sizePolicy" >
<sizepolicy vsizetype="Preferred" hsizetype="Preferred" >
<horstretch>0</horstretch>
<verstretch>0</verstretch>
</sizepolicy>
</property>
<property name="text" >
<string>Log prefix:</string>
</property>
<property name="wordWrap" >
<bool>false</bool>
</property>
</widget>
</item>
<item row="0" column="3" colspan="3" >
<widget class="QLineEdit" name="logprefix" >
<property name="maxLength" >
<number>32</number>
</property>
</widget>
</item>
<item row="2" column="2" colspan="2" >
<widget class="QLabel" name="textLabel6" >
<property name="text" >
<string>Logging limit:</string>
</property>
<property name="wordWrap" >
<bool>false</bool>
</property>
</widget>
</item>
<item row="2" column="4" >
<widget class="QSpinBox" name="logLimitVal" >
<property name="maximum" >
<number>10000</number>
</property>
</widget>
</item>
<item row="2" column="5" >
<widget class="QComboBox" name="logLimitSuffix" >
<property name="sizePolicy" >
<sizepolicy vsizetype="Fixed" hsizetype="Preferred" >
<horstretch>0</horstretch>
<verstretch>0</verstretch>
</sizepolicy>
</property>
</widget>
</item>
<item row="3" column="2" colspan="4" >
<widget class="QCheckBox" name="logAll" >
<property name="text" >
<string>Activate logging in all rules
(overrides rule options, use for debugging)</string>
</property>
</widget>
</item>
<item rowspan="2" row="4" column="4" >
<spacer>
<property name="orientation" >
<enum>Qt::Vertical</enum>
</property>
<property name="sizeType" >
<enum>QSizePolicy::Expanding</enum>
</property>
<property name="sizeHint" stdset="0" >
<size>
<width>20</width>
<height>40</height>
</size>
</property>
</spacer>
</item>
<item row="5" column="0" >
<spacer>
<property name="orientation" >
<enum>Qt::Vertical</enum>
</property>
<property name="sizeType" >
<enum>QSizePolicy::Expanding</enum>
</property>
<property name="sizeHint" stdset="0" >
<size>
<width>20</width>
<height>16</height>
</size>
</property>
</spacer>
</item>
</layout>
</widget>
<widget class="QWidget" name="tab4" >
<attribute name="title" >
<string>Script</string>
</attribute>
<layout class="QGridLayout" >
<property name="margin" >
<number>6</number>
</property>
<item row="0" column="0" colspan="3" >
<widget class="QLabel" name="textLabel8" >
<property name="text" >
<string>These options enable auxiliary sections in the generated shell script.</string>
</property>
<property name="alignment" >
<set>Qt::AlignVCenter</set>
</property>
<property name="wordWrap" >
<bool>true</bool>
</property>
</widget>
</item>
<item row="3" column="2" >
<spacer>
<property name="orientation" >
<enum>Qt::Horizontal</enum>
</property>
<property name="sizeType" >
<enum>QSizePolicy::MinimumExpanding</enum>
</property>
<property name="sizeHint" stdset="0" >
<size>
<width>40</width>
<height>20</height>
</size>
</property>
</spacer>
</item>
<item rowspan="4" row="1" column="0" >
<spacer>
<property name="orientation" >
<enum>Qt::Horizontal</enum>
</property>
<property name="sizeType" >
<enum>QSizePolicy::Maximum</enum>
</property>
<property name="sizeHint" stdset="0" >
<size>
<width>30</width>
<height>120</height>
</size>
</property>
</spacer>
</item>
<item row="3" column="1" >
<widget class="QCheckBox" name="iptDebug" >
<property name="text" >
<string>Turn debugging on in generated script</string>
</property>
</widget>
</item>
<item row="5" column="1" >
<spacer>
<property name="orientation" >
<enum>Qt::Vertical</enum>
</property>
<property name="sizeType" >
<enum>QSizePolicy::Expanding</enum>
</property>
<property name="sizeHint" stdset="0" >
<size>
<width>20</width>
<height>200</height>
</size>
</property>
</spacer>
</item>
<item row="2" column="1" >
<widget class="QCheckBox" name="verifyInterfaces" >
<property name="text" >
<string>Verify interfaces before loading firewall policy</string>
</property>
</widget>
</item>
</layout>
</widget>
<widget class="QWidget" name="tab" >
<attribute name="title" >
<string>IPv6</string>
</attribute>
<layout class="QGridLayout" >
<item row="1" column="0" >
<widget class="QLabel" name="label" >
<property name="text" >
<string>The order in which ipv4 and ipv6 rules should be generated:</string>
</property>
</widget>
</item>
<item row="2" column="0" >
<widget class="QComboBox" name="ipv4before" >
<item>
<property name="text" >
<string>IPv4 before IPv6</string>
</property>
</item>
<item>
<property name="text" >
<string>IPv6 before IPv4</string>
</property>
</item>
</widget>
</item>
<item row="3" column="0" >
<spacer>
<property name="orientation" >
<enum>Qt::Vertical</enum>
</property>
<property name="sizeHint" stdset="0" >
<size>
<width>20</width>
<height>40</height>
</size>
</property>
</spacer>
</item>
<item row="1" column="1" >
<spacer>
<property name="orientation" >
<enum>Qt::Horizontal</enum>
</property>
<property name="sizeHint" stdset="0" >
<size>
<width>40</width>
<height>20</height>
</size>
</property>
</spacer>
</item>
</layout>
</widget>
</widget>
</item>
<item row="1" column="0" >
<layout class="QHBoxLayout" >
<item>
<widget class="QPushButton" name="buttonHelp" >
<property name="text" >
<string>Help</string>
</property>
</widget>
</item>
<item>
<spacer>
<property name="orientation" >
<enum>Qt::Horizontal</enum>
</property>
<property name="sizeType" >
<enum>QSizePolicy::Expanding</enum>
</property>
<property name="sizeHint" stdset="0" >
<size>
<width>351</width>
<height>27</height>
</size>
</property>
</spacer>
</item>
<item>
<widget class="QPushButton" name="buttonOk" >
<property name="text" >
<string>&amp;OK</string>
</property>
<property name="shortcut" >
<string/>
</property>
<property name="autoDefault" >
<bool>true</bool>
</property>
<property name="default" >
<bool>true</bool>
</property>
</widget>
</item>
<item>
<widget class="QPushButton" name="buttonCancel" >
<property name="text" >
<string>&amp;Cancel</string>
</property>
<property name="shortcut" >
<string/>
</property>
<property name="autoDefault" >
<bool>true</bool>
</property>
</widget>
</item>
</layout>
</item>
</layout>
</widget>
<layoutdefault spacing="6" margin="11" />
<tabstops>
<tabstop>tabWidget</tabstop>
<tabstop>compiler</tabstop>
<tabstop>compilerArgs</tabstop>
<tabstop>outputFileName</tabstop>
<tabstop>assumeFwIsPartOfAny</tabstop>
<tabstop>acceptSessions</tabstop>
<tabstop>bridge</tabstop>
<tabstop>shadowing</tabstop>
<tabstop>emptyGroups</tabstop>
<tabstop>localNAT</tabstop>
<tabstop>makeTagClassifyTerminating</tabstop>
<tabstop>actionOnReject</tabstop>
<tabstop>mgmt_ssh</tabstop>
<tabstop>mgmt_addr</tabstop>
<tabstop>buttonOk</tabstop>
<tabstop>buttonCancel</tabstop>
<tabstop>ipt_fw_dir</tabstop>
<tabstop>ipt_user</tabstop>
<tabstop>altAddress</tabstop>
<tabstop>activationCmd</tabstop>
<tabstop>sshArgs</tabstop>
<tabstop>installScript</tabstop>
<tabstop>installScriptArgs</tabstop>
<tabstop>prolog_script</tabstop>
<tabstop>edit_prolog_button</tabstop>
<tabstop>epilog_script</tabstop>
<tabstop>edit_epilog_button</tabstop>
<tabstop>useLOG</tabstop>
<tabstop>useULOG</tabstop>
<tabstop>logTCPseq</tabstop>
<tabstop>logTCPopt</tabstop>
<tabstop>logIPopt</tabstop>
<tabstop>logNumsyslog</tabstop>
<tabstop>logLevel</tabstop>
<tabstop>logprefix</tabstop>
<tabstop>logLimitVal</tabstop>
<tabstop>logLimitSuffix</tabstop>
<tabstop>logAll</tabstop>
<tabstop>verifyInterfaces</tabstop>
<tabstop>iptDebug</tabstop>
<tabstop>ipv4before</tabstop>
<tabstop>cprange</tabstop>
<tabstop>nlgroup</tabstop>
<tabstop>qthreshold</tabstop>
</tabstops>
<resources/>
<connections>
<connection>
<sender>buttonOk</sender>
<signal>clicked()</signal>
<receiver>ipcopAdvancedDialog_q</receiver>
<slot>accept()</slot>
<hints>
<hint type="sourcelabel" >
<x>20</x>
<y>20</y>
</hint>
<hint type="destinationlabel" >
<x>20</x>
<y>20</y>
</hint>
</hints>
</connection>
<connection>
<sender>buttonCancel</sender>
<signal>clicked()</signal>
<receiver>ipcopAdvancedDialog_q</receiver>
<slot>reject()</slot>
<hints>
<hint type="sourcelabel" >
<x>20</x>
<y>20</y>
</hint>
<hint type="destinationlabel" >
<x>20</x>
<y>20</y>
</hint>
</hints>
</connection>
<connection>
<sender>useLOG</sender>
<signal>toggled(bool)</signal>
<receiver>ipcopAdvancedDialog_q</receiver>
<slot>switchLOG_ULOG()</slot>
<hints>
<hint type="sourcelabel" >
<x>20</x>
<y>20</y>
</hint>
<hint type="destinationlabel" >
<x>20</x>
<y>20</y>
</hint>
</hints>
</connection>
<connection>
<sender>edit_prolog_button</sender>
<signal>clicked()</signal>
<receiver>ipcopAdvancedDialog_q</receiver>
<slot>editProlog()</slot>
<hints>
<hint type="sourcelabel" >
<x>20</x>
<y>20</y>
</hint>
<hint type="destinationlabel" >
<x>20</x>
<y>20</y>
</hint>
</hints>
</connection>
<connection>
<sender>edit_epilog_button</sender>
<signal>clicked()</signal>
<receiver>ipcopAdvancedDialog_q</receiver>
<slot>editEpilog()</slot>
<hints>
<hint type="sourcelabel" >
<x>20</x>
<y>20</y>
</hint>
<hint type="destinationlabel" >
<x>20</x>
<y>20</y>
</hint>
</hints>
</connection>
<connection>
<sender>buttonHelp</sender>
<signal>clicked()</signal>
<receiver>ipcopAdvancedDialog_q</receiver>
<slot>help()</slot>
<hints>
<hint type="sourcelabel" >
<x>20</x>
<y>20</y>
</hint>
<hint type="destinationlabel" >
<x>20</x>
<y>20</y>
</hint>
</hints>
</connection>
</connections>
</ui>
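Review bot: the Installer tab's labels contradict the widgets next to them. `ipt_user` is `readOnly` with the fixed value `admin`, yet its label still says "leave this empty if you use putty session"; `activationCmd` is `readOnly` with `/etc/rc.d/rc.firewall`, yet its label still explains what happens "if this field is blank" and that sudo is used when the user is not 'root'. A user cannot blank a read-only field, so either reword these labels to say the values are fixed for this platform or drop the conditional clauses; also confirm the constructor overrides the `activationCmd` default from the platform resource, because as shown the installer would run the appliance script with no argument. Two smaller points in the same hunk: `logprefix` allows `maxLength` 32, but iptables accepts a `--log-prefix` of at most 29 characters, so values of 30 to 32 characters produce a script the kernel rejects at activation time; cap it at 29 here rather than relying on the compiler to truncate. And `mgmt_addr` (the address that is always permitted ssh access) is a plain `QLineEdit` with no validator, so a typo there silently becomes a permanent allow rule; consider validating it as an IPv4/IPv6 address or network in the dialog's `accept()`.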


@ -0,0 +1,201 @@
/*
Firewall Builder
Copyright (C) 2004 NetCitadel, LLC
Author: Vadim Kurland vadim@fwbuilder.org
$Id: ipcoposAdvancedDialog.cpp 454 2008-08-06 15:50:49Z vadim $
This program is free software which we release under the GNU General Public
License. You may redistribute and/or modify this program under the terms
of that license as published by the Free Software Foundation; either
version 2 of the License, or (at your option) any later version.
This program is distributed in the hope that it will be useful,
but WITHOUT ANY WARRANTY; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
GNU General Public License for more details.
To get a copy of the GNU General Public License, write to the Free Software
Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
*/
#include "../../config.h"
#include "global.h"
#include "platforms.h"
#include "ipcoposAdvancedDialog.h"
#include "fwbuilder/Firewall.h"
#include "fwbuilder/Management.h"
#include "fwbuilder/Resources.h"
#include <qcheckbox.h>
#include <qspinbox.h>
#include <qcombobox.h>
#include <qradiobutton.h>
#include <qlineedit.h>
#include <qstackedwidget.h>
#include <qregexp.h>
#include "FWWindow.h"
#include "Help.h"
using namespace std;
using namespace libfwbuilder;
ipcoposAdvancedDialog::~ipcoposAdvancedDialog()
{
delete m_dialog;
}
ipcoposAdvancedDialog::ipcoposAdvancedDialog(QWidget *parent,FWObject *o)
: QDialog(parent)
{
m_dialog = new Ui::ipcoposAdvancedDialog_q;
m_dialog->setupUi(this);
obj=o;
string host_os = obj->getStr("host_OS");
string description = Resources::os_res[host_os]->
getResourceStr("/FWBuilderResources/Target/description");
setWindowTitle(QObject::tr("%1 advanced settings").arg(description.c_str()));
FWOptions *fwopt=(Firewall::cast(obj))->getOptionsObject();
assert(fwopt!=NULL);
Management *mgmt=(Firewall::cast(obj))->getManagementObject();
assert(mgmt!=NULL);
QStringList threeStateMapping;
threeStateMapping.push_back(QObject::tr("No change"));
threeStateMapping.push_back("");
threeStateMapping.push_back(QObject::tr("On"));
threeStateMapping.push_back("1");
threeStateMapping.push_back(QObject::tr("Off"));
threeStateMapping.push_back("0");
data.registerOption( m_dialog->linux24_log_martians,
fwopt,
"linux24_log_martians", threeStateMapping);
data.registerOption( m_dialog->linux24_accept_redirects,
fwopt,
"linux24_accept_redirects", threeStateMapping);
data.registerOption( m_dialog->linux24_icmp_echo_ignore_all,
fwopt,
"linux24_icmp_echo_ignore_all", threeStateMapping);
data.registerOption( m_dialog->linux24_icmp_echo_ignore_broadcasts,
fwopt,
"linux24_icmp_echo_ignore_broadcasts",
threeStateMapping);
data.registerOption( m_dialog->linux24_icmp_ignore_bogus_error_responses,
fwopt,
"linux24_icmp_ignore_bogus_error_responses",
threeStateMapping);
data.registerOption( m_dialog->linux24_ip_dynaddr,
fwopt,
"linux24_ip_dynaddr", threeStateMapping);
data.registerOption( m_dialog->linux24_rp_filter,
fwopt,
"linux24_rp_filter", threeStateMapping);
data.registerOption( m_dialog->linux24_accept_source_route,
fwopt,
"linux24_accept_source_route", threeStateMapping);
data.registerOption( m_dialog->linux24_ip_forward,
fwopt,
"linux24_ip_forward", threeStateMapping);
data.registerOption( m_dialog->linux24_ipv6_forward,
fwopt,
"linux24_ipv6_forward", threeStateMapping);
data.registerOption( m_dialog->linux24_tcp_fin_timeout,
fwopt,
"linux24_tcp_fin_timeout" );
data.registerOption( m_dialog->linux24_tcp_keepalive_interval,
fwopt,
"linux24_tcp_keepalive_interval");
data.registerOption( m_dialog->linux24_tcp_window_scaling,
fwopt,
"linux24_tcp_window_scaling", threeStateMapping);
data.registerOption( m_dialog->linux24_tcp_sack,
fwopt,
"linux24_tcp_sack", threeStateMapping);
data.registerOption( m_dialog->linux24_tcp_fack,
fwopt,
"linux24_tcp_fack", threeStateMapping);
data.registerOption( m_dialog->linux24_tcp_ecn,
fwopt,
"linux24_tcp_ecn", threeStateMapping);
data.registerOption( m_dialog->linux24_tcp_syncookies,
fwopt,
"linux24_tcp_syncookies", threeStateMapping);
data.registerOption( m_dialog->linux24_tcp_timestamps,
fwopt,
"linux24_tcp_timestamps", threeStateMapping);
data.registerOption( m_dialog->linux24_path_iptables,
fwopt,
"linux24_path_iptables" );
data.registerOption( m_dialog->linux24_path_ip6tables,
fwopt,
"linux24_path_ip6tables" );
data.registerOption( m_dialog->linux24_path_ip,
fwopt,
"linux24_path_ip");
data.registerOption( m_dialog->linux24_path_lsmod,
fwopt,
"linux24_path_lsmod");
data.registerOption( m_dialog->linux24_path_logger,
fwopt,
"linux24_path_logger");
data.registerOption( m_dialog->linux24_path_modprobe,
fwopt,
"linux24_path_modprobe");
data.registerOption( m_dialog->linux24_path_iptables_restore,
fwopt,
"linux24_path_iptables_restore");
data.registerOption( m_dialog->linux24_path_ip6tables_restore,
fwopt,
"linux24_path_ip6tables_restore");
data.loadAll();
}
/*
* store all data in the object
*/
void ipcoposAdvancedDialog::accept()
{
FWOptions *fwopt=(Firewall::cast(obj))->getOptionsObject();
assert(fwopt!=NULL);
Management *mgmt=(Firewall::cast(obj))->getManagementObject();
assert(mgmt!=NULL);
data.saveAll();
mw->updateLastModifiedTimestampForAllFirewalls(obj);
QDialog::accept();
}
void ipcoposAdvancedDialog::reject()
{
QDialog::reject();
}
void ipcoposAdvancedDialog::help()
{
Help *h = new Help(this, "ipcoposAdvancedDialog", "Host type IPCOP");
h->show();
QString tab_title = m_dialog->tabWidget->tabText(
m_dialog->tabWidget->currentIndex());
h->scrollToAnchor(tab_title.replace('/', '-').replace(' ', '-').toLower());
}
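Review bot: in the constructor, `Resources::os_res[host_os]->getResourceStr(...)` dereferences the looked-up pointer without checking that `host_OS` names a known OS; if `os_res` is a `std::map`, `operator[]` silently inserts a NULL entry for an unknown key, so a firewall object with a stale or misspelled `host_OS` value crashes the dialog on open instead of failing gracefully. Look the key up with `find()` and fall back to a generic title (or the raw `host_os` string) when it is absent. Also, `mgmt` is fetched and asserted in both the constructor and `accept()` but never used, and the `assert(... != NULL)` checks vanish in NDEBUG builds, so they are not a substitute for a real check; drop the unused variable. Of the Qt includes, `<qregexp.h>`, `<qradiobutton.h>`, `<qstackedwidget.h>` and `<qlineedit.h>` are not referenced in this file.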

View File

@ -0,0 +1,60 @@
/*
Firewall Builder
Copyright (C) 2004 NetCitadel, LLC
Author: Vadim Kurland vadim@fwbuilder.org
$Id: ipcoposAdvancedDialog.h 438 2008-08-02 20:33:06Z vadim $
This program is free software which we release under the GNU General Public
License. You may redistribute and/or modify this program under the terms
of that license as published by the Free Software Foundation; either
version 2 of the License, or (at your option) any later version.
This program is distributed in the hope that it will be useful,
but WITHOUT ANY WARRANTY; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
GNU General Public License for more details.
To get a copy of the GNU General Public License, write to the Free Software
Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
*/
#ifndef __IPCOPOSADVANCEDDIALOG_H_
#define __IPCOPOSADVANCEDDIALOG_H_
#include <ui_ipcoposadvanceddialog_q.h>
#include "DialogData.h"
#include <QDialog>
namespace libfwbuilder {
class FWObject;
};
class ipcoposAdvancedDialog : public QDialog
{
Q_OBJECT
libfwbuilder::FWObject *obj;
DialogData data;
Ui::ipcoposAdvancedDialog_q *m_dialog;
public:
ipcoposAdvancedDialog(QWidget *parent,libfwbuilder::FWObject *o);
~ipcoposAdvancedDialog();
protected slots:
virtual void accept();
virtual void reject();
virtual void help();
};
#endif // __IPCOPOSADVANCEDDIALOG_H
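Review bot: the include guard `__IPCOPOSADVANCEDDIALOG_H_` uses a reserved identifier (names beginning with a double underscore are reserved for the implementation in C++), and the closing comment `// __IPCOPOSADVANCEDDIALOG_H` does not match the macro that was actually defined (the trailing underscore is missing). Use something like `IPCOPOSADVANCEDDIALOG_H` for both the `#ifndef`/`#define` and the `#endif` comment. The `};` closing the `namespace libfwbuilder` block also carries a stray semicolon.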

View File

@ -0,0 +1,1088 @@
<ui version="4.0" >
<class>ipcoposAdvancedDialog_q</class>
<widget class="QDialog" name="ipcoposAdvancedDialog_q" >
<property name="geometry" >
<rect>
<x>0</x>
<y>0</y>
<width>448</width>
<height>480</height>
</rect>
</property>
<property name="windowTitle" >
<string>IPCOP: advanced settings</string>
</property>
<layout class="QGridLayout" >
<item row="0" column="0" >
<widget class="QTabWidget" name="tabWidget" >
<property name="tabShape" >
<enum>QTabWidget::Rounded</enum>
</property>
<property name="currentIndex" >
<number>0</number>
</property>
<widget class="QWidget" name="tab0" >
<attribute name="title" >
<string>Options</string>
</attribute>
<layout class="QGridLayout" >
<item row="0" column="0" colspan="2" >
<spacer>
<property name="orientation" >
<enum>Qt::Vertical</enum>
</property>
<property name="sizeType" >
<enum>QSizePolicy::Fixed</enum>
</property>
<property name="sizeHint" stdset="0" >
<size>
<width>20</width>
<height>20</height>
</size>
</property>
</spacer>
</item>
<item row="1" column="0" colspan="2" >
<widget class="QLabel" name="label368" >
<property name="text" >
<string>IPv4 Packet forwarding</string>
</property>
<property name="alignment" >
<set>Qt::AlignRight|Qt::AlignTrailing|Qt::AlignVCenter</set>
</property>
<property name="wordWrap" >
<bool>false</bool>
</property>
</widget>
</item>
<item row="1" column="2" >
<widget class="QComboBox" name="linux24_ip_forward" >
<item>
<property name="text" >
<string>No change</string>
</property>
</item>
<item>
<property name="text" >
<string>On</string>
</property>
</item>
<item>
<property name="text" >
<string>Off</string>
</property>
</item>
</widget>
</item>
<item rowspan="7" row="1" column="3" >
<spacer>
<property name="orientation" >
<enum>Qt::Horizontal</enum>
</property>
<property name="sizeType" >
<enum>QSizePolicy::Expanding</enum>
</property>
<property name="sizeHint" stdset="0" >
<size>
<width>40</width>
<height>150</height>
</size>
</property>
</spacer>
</item>
<item row="2" column="0" colspan="2" >
<widget class="QLabel" name="label368_2" >
<property name="text" >
<string>IPv6 Packet forwarding</string>
</property>
<property name="alignment" >
<set>Qt::AlignRight|Qt::AlignTrailing|Qt::AlignVCenter</set>
</property>
<property name="wordWrap" >
<bool>false</bool>
</property>
</widget>
</item>
<item row="2" column="2" >
<widget class="QComboBox" name="linux24_ipv6_forward" >
<item>
<property name="text" >
<string>No change</string>
</property>
</item>
<item>
<property name="text" >
<string>On</string>
</property>
</item>
<item>
<property name="text" >
<string>Off</string>
</property>
</item>
</widget>
</item>
<item row="3" column="0" colspan="2" >
<widget class="QLabel" name="label369" >
<property name="text" >
<string>Kernel anti-spoofing protection</string>
</property>
<property name="alignment" >
<set>Qt::AlignRight|Qt::AlignTrailing|Qt::AlignVCenter</set>
</property>
<property name="wordWrap" >
<bool>false</bool>
</property>
</widget>
</item>
<item row="3" column="2" >
<widget class="QComboBox" name="linux24_rp_filter" >
<item>
<property name="text" >
<string>No change</string>
</property>
</item>
<item>
<property name="text" >
<string>On</string>
</property>
</item>
<item>
<property name="text" >
<string>Off</string>
</property>
</item>
</widget>
</item>
<item row="4" column="0" colspan="2" >
<widget class="QLabel" name="label370" >
<property name="text" >
<string>Ignore broadcast pings</string>
</property>
<property name="alignment" >
<set>Qt::AlignRight|Qt::AlignTrailing|Qt::AlignVCenter</set>
</property>
<property name="wordWrap" >
<bool>false</bool>
</property>
</widget>
</item>
<item row="4" column="2" >
<widget class="QComboBox" name="linux24_icmp_echo_ignore_broadcasts" >
<item>
<property name="text" >
<string>No change</string>
</property>
</item>
<item>
<property name="text" >
<string>On</string>
</property>
</item>
<item>
<property name="text" >
<string>Off</string>
</property>
</item>
</widget>
</item>
<item row="5" column="0" colspan="2" >
<widget class="QLabel" name="label386" >
<property name="text" >
<string>Ignore all pings</string>
</property>
<property name="alignment" >
<set>Qt::AlignRight|Qt::AlignTrailing|Qt::AlignVCenter</set>
</property>
<property name="wordWrap" >
<bool>false</bool>
</property>
</widget>
</item>
<item row="5" column="2" >
<widget class="QComboBox" name="linux24_icmp_echo_ignore_all" >
<item>
<property name="text" >
<string>No change</string>
</property>
</item>
<item>
<property name="text" >
<string>On</string>
</property>
</item>
<item>
<property name="text" >
<string>Off</string>
</property>
</item>
</widget>
</item>
<item row="6" column="0" colspan="2" >
<widget class="QLabel" name="label371" >
<property name="text" >
<string>Accept source route</string>
</property>
<property name="alignment" >
<set>Qt::AlignRight|Qt::AlignTrailing|Qt::AlignVCenter</set>
</property>
<property name="wordWrap" >
<bool>false</bool>
</property>
</widget>
</item>
<item row="6" column="2" >
<widget class="QComboBox" name="linux24_accept_source_route" >
<item>
<property name="text" >
<string>No change</string>
</property>
</item>
<item>
<property name="text" >
<string>On</string>
</property>
</item>
<item>
<property name="text" >
<string>Off</string>
</property>
</item>
</widget>
</item>
<item row="7" column="0" colspan="2" >
<widget class="QLabel" name="label373" >
<property name="text" >
<string>Accept ICMP redirects</string>
</property>
<property name="alignment" >
<set>Qt::AlignRight|Qt::AlignTrailing|Qt::AlignVCenter</set>
</property>
<property name="wordWrap" >
<bool>false</bool>
</property>
</widget>
</item>
<item row="7" column="2" >
<widget class="QComboBox" name="linux24_accept_redirects" >
<item>
<property name="text" >
<string>No change</string>
</property>
</item>
<item>
<property name="text" >
<string>On</string>
</property>
</item>
<item>
<property name="text" >
<string>Off</string>
</property>
</item>
</widget>
</item>
<item row="8" column="0" colspan="2" >
<widget class="QLabel" name="label374" >
<property name="text" >
<string>Ignore bogus ICMP errors</string>
</property>
<property name="alignment" >
<set>Qt::AlignRight|Qt::AlignTrailing|Qt::AlignVCenter</set>
</property>
<property name="wordWrap" >
<bool>false</bool>
</property>
</widget>
</item>
<item row="8" column="2" >
<widget class="QComboBox" name="linux24_icmp_ignore_bogus_error_responses" >
<item>
<property name="text" >
<string>No change</string>
</property>
</item>
<item>
<property name="text" >
<string>On</string>
</property>
</item>
<item>
<property name="text" >
<string>Off</string>
</property>
</item>
</widget>
</item>
<item row="9" column="0" colspan="2" >
<widget class="QLabel" name="label375" >
<property name="text" >
<string>Allow dynamic addresses</string>
</property>
<property name="alignment" >
<set>Qt::AlignRight|Qt::AlignTrailing|Qt::AlignVCenter</set>
</property>
<property name="wordWrap" >
<bool>false</bool>
</property>
</widget>
</item>
<item row="9" column="2" >
<widget class="QComboBox" name="linux24_ip_dynaddr" >
<item>
<property name="text" >
<string>No change</string>
</property>
</item>
<item>
<property name="text" >
<string>On</string>
</property>
</item>
<item>
<property name="text" >
<string>Off</string>
</property>
</item>
</widget>
</item>
<item row="10" column="0" >
<spacer>
<property name="orientation" >
<enum>Qt::Horizontal</enum>
</property>
<property name="sizeType" >
<enum>QSizePolicy::Fixed</enum>
</property>
<property name="sizeHint" stdset="0" >
<size>
<width>141</width>
<height>21</height>
</size>
</property>
</spacer>
</item>
<item row="10" column="1" >
<widget class="QLabel" name="label380" >
<property name="text" >
<string>Log martians</string>
</property>
<property name="alignment" >
<set>Qt::AlignRight|Qt::AlignTrailing|Qt::AlignVCenter</set>
</property>
<property name="wordWrap" >
<bool>false</bool>
</property>
</widget>
</item>
<item row="10" column="2" >
<widget class="QComboBox" name="linux24_log_martians" >
<property name="whatsThis" >
<string comment="whats this comment" >whats this text</string>
</property>
<item>
<property name="text" >
<string>No change</string>
</property>
</item>
<item>
<property name="text" >
<string>On</string>
</property>
</item>
<item>
<property name="text" >
<string>Off</string>
</property>
</item>
</widget>
</item>
<item row="11" column="2" >
<spacer>
<property name="orientation" >
<enum>Qt::Vertical</enum>
</property>
<property name="sizeType" >
<enum>QSizePolicy::Expanding</enum>
</property>
<property name="sizeHint" stdset="0" >
<size>
<width>93</width>
<height>21</height>
</size>
</property>
</spacer>
</item>
</layout>
</widget>
<widget class="QWidget" name="tab1" >
<attribute name="title" >
<string>TCP</string>
</attribute>
<layout class="QGridLayout" >
<property name="margin" >
<number>6</number>
</property>
<property name="spacing" >
<number>6</number>
</property>
<item row="1" column="0" colspan="4" >
<widget class="QLabel" name="network_tab_txt2" >
<property name="text" >
<string>These parameters make sense for connections to or from the firewall host</string>
</property>
<property name="alignment" >
<set>Qt::AlignCenter</set>
</property>
<property name="wordWrap" >
<bool>true</bool>
</property>
</widget>
</item>
<item row="0" column="1" >
<spacer>
<property name="orientation" >
<enum>Qt::Vertical</enum>
</property>
<property name="sizeType" >
<enum>QSizePolicy::Fixed</enum>
</property>
<property name="sizeHint" stdset="0" >
<size>
<width>20</width>
<height>20</height>
</size>
</property>
</spacer>
</item>
<item row="10" column="2" >
<spacer>
<property name="orientation" >
<enum>Qt::Vertical</enum>
</property>
<property name="sizeType" >
<enum>QSizePolicy::Expanding</enum>
</property>
<property name="sizeHint" stdset="0" >
<size>
<width>20</width>
<height>30</height>
</size>
</property>
</spacer>
</item>
<item rowspan="3" row="2" column="3" >
<spacer>
<property name="orientation" >
<enum>Qt::Horizontal</enum>
</property>
<property name="sizeType" >
<enum>QSizePolicy::Expanding</enum>
</property>
<property name="sizeHint" stdset="0" >
<size>
<width>100</width>
<height>50</height>
</size>
</property>
</spacer>
</item>
<item row="10" column="0" >
<spacer>
<property name="orientation" >
<enum>Qt::Horizontal</enum>
</property>
<property name="sizeType" >
<enum>QSizePolicy::Fixed</enum>
</property>
<property name="sizeHint" stdset="0" >
<size>
<width>150</width>
<height>20</height>
</size>
</property>
</spacer>
</item>
<item row="2" column="1" colspan="2" >
<widget class="QSpinBox" name="linux24_tcp_fin_timeout" >
<property name="minimum" >
<number>0</number>
</property>
<property name="maximum" >
<number>1000</number>
</property>
<property name="value" >
<number>30</number>
</property>
</widget>
</item>
<item row="3" column="1" colspan="2" >
<widget class="QSpinBox" name="linux24_tcp_keepalive_interval" >
<property name="minimum" >
<number>0</number>
</property>
<property name="maximum" >
<number>10000</number>
</property>
<property name="value" >
<number>1800</number>
</property>
</widget>
</item>
<item row="4" column="1" colspan="2" >
<widget class="QComboBox" name="linux24_tcp_window_scaling" >
<item>
<property name="text" >
<string>No change</string>
</property>
</item>
<item>
<property name="text" >
<string>On</string>
</property>
</item>
<item>
<property name="text" >
<string>Off</string>
</property>
</item>
</widget>
</item>
<item row="5" column="1" colspan="2" >
<widget class="QComboBox" name="linux24_tcp_sack" >
<item>
<property name="text" >
<string>No change</string>
</property>
</item>
<item>
<property name="text" >
<string>On</string>
</property>
</item>
<item>
<property name="text" >
<string>Off</string>
</property>
</item>
</widget>
</item>
<item row="6" column="1" colspan="2" >
<widget class="QComboBox" name="linux24_tcp_fack" >
<item>
<property name="text" >
<string>No change</string>
</property>
</item>
<item>
<property name="text" >
<string>On</string>
</property>
</item>
<item>
<property name="text" >
<string>Off</string>
</property>
</item>
</widget>
</item>
<item row="7" column="1" colspan="2" >
<widget class="QComboBox" name="linux24_tcp_ecn" >
<item>
<property name="text" >
<string>No change</string>
</property>
</item>
<item>
<property name="text" >
<string>On</string>
</property>
</item>
<item>
<property name="text" >
<string>Off</string>
</property>
</item>
</widget>
</item>
<item row="8" column="1" colspan="2" >
<widget class="QComboBox" name="linux24_tcp_syncookies" >
<item>
<property name="text" >
<string>No change</string>
</property>
</item>
<item>
<property name="text" >
<string>On</string>
</property>
</item>
<item>
<property name="text" >
<string>Off</string>
</property>
</item>
</widget>
</item>
<item row="9" column="1" colspan="2" >
<widget class="QComboBox" name="linux24_tcp_timestamps" >
<item>
<property name="text" >
<string>No change</string>
</property>
</item>
<item>
<property name="text" >
<string>On</string>
</property>
</item>
<item>
<property name="text" >
<string>Off</string>
</property>
</item>
</widget>
</item>
<item row="5" column="0" >
<widget class="QLabel" name="label379" >
<property name="text" >
<string>TCP sack</string>
</property>
<property name="alignment" >
<set>Qt::AlignRight|Qt::AlignTrailing|Qt::AlignVCenter</set>
</property>
<property name="wordWrap" >
<bool>false</bool>
</property>
</widget>
</item>
<item row="4" column="0" >
<widget class="QLabel" name="label378" >
<property name="text" >
<string>TCP window scaling</string>
</property>
<property name="alignment" >
<set>Qt::AlignRight|Qt::AlignTrailing|Qt::AlignVCenter</set>
</property>
<property name="wordWrap" >
<bool>false</bool>
</property>
</widget>
</item>
<item row="7" column="0" >
<widget class="QLabel" name="label383" >
<property name="text" >
<string>TCP ECN</string>
</property>
<property name="alignment" >
<set>Qt::AlignRight|Qt::AlignTrailing|Qt::AlignVCenter</set>
</property>
<property name="wordWrap" >
<bool>false</bool>
</property>
</widget>
</item>
<item row="8" column="0" >
<widget class="QLabel" name="label372" >
<property name="text" >
<string>TCP SYN cookies</string>
</property>
<property name="alignment" >
<set>Qt::AlignRight|Qt::AlignTrailing|Qt::AlignVCenter</set>
</property>
<property name="wordWrap" >
<bool>false</bool>
</property>
</widget>
</item>
<item row="3" column="0" >
<widget class="QLabel" name="label377" >
<property name="text" >
<string>TCP keepalive time (sec)</string>
</property>
<property name="alignment" >
<set>Qt::AlignRight|Qt::AlignTrailing|Qt::AlignVCenter</set>
</property>
<property name="wordWrap" >
<bool>false</bool>
</property>
</widget>
</item>
<item row="6" column="0" >
<widget class="QLabel" name="label384" >
<property name="text" >
<string>TCP fack</string>
</property>
<property name="alignment" >
<set>Qt::AlignRight|Qt::AlignTrailing|Qt::AlignVCenter</set>
</property>
<property name="wordWrap" >
<bool>false</bool>
</property>
</widget>
</item>
<item row="9" column="0" >
<widget class="QLabel" name="label385" >
<property name="text" >
<string>TCP timestamps</string>
</property>
<property name="alignment" >
<set>Qt::AlignRight|Qt::AlignTrailing|Qt::AlignVCenter</set>
</property>
<property name="wordWrap" >
<bool>false</bool>
</property>
</widget>
</item>
<item row="2" column="0" >
<widget class="QLabel" name="label376" >
<property name="text" >
<string>TCP FIN timeout (sec)</string>
</property>
<property name="alignment" >
<set>Qt::AlignRight|Qt::AlignTrailing|Qt::AlignVCenter</set>
</property>
<property name="wordWrap" >
<bool>false</bool>
</property>
</widget>
</item>
</layout>
</widget>
<widget class="QWidget" name="tab2" >
<attribute name="title" >
<string>Path</string>
</attribute>
<layout class="QGridLayout" >
<item row="0" column="1" >
<spacer>
<property name="orientation" >
<enum>Qt::Vertical</enum>
</property>
<property name="sizeType" >
<enum>QSizePolicy::Fixed</enum>
</property>
<property name="sizeHint" stdset="0" >
<size>
<width>20</width>
<height>20</height>
</size>
</property>
</spacer>
</item>
<item row="1" column="0" colspan="3" >
<widget class="QLabel" name="label456" >
<property name="text" >
<string>Specify directory path and a file name for each utility on your firewall machine. Leave these empty if you want to use default values.</string>
</property>
<property name="alignment" >
<set>Qt::AlignCenter</set>
</property>
<property name="wordWrap" >
<bool>true</bool>
</property>
</widget>
</item>
<item row="2" column="0" >
<widget class="QLabel" name="label453" >
<property name="text" >
<string>iptables:</string>
</property>
<property name="alignment" >
<set>Qt::AlignRight|Qt::AlignTrailing|Qt::AlignVCenter</set>
</property>
<property name="wordWrap" >
<bool>false</bool>
</property>
</widget>
</item>
<item row="2" column="1" colspan="2" >
<widget class="QLineEdit" name="linux24_path_iptables" />
</item>
<item row="3" column="0" >
<widget class="QLabel" name="label" >
<property name="layoutDirection" >
<enum>Qt::RightToLeft</enum>
</property>
<property name="text" >
<string>:ip6tables</string>
</property>
</widget>
</item>
<item row="3" column="1" colspan="2" >
<widget class="QLineEdit" name="linux24_path_ip6tables" />
</item>
<item row="4" column="0" >
<widget class="QLabel" name="label454" >
<property name="text" >
<string>ip:</string>
</property>
<property name="alignment" >
<set>Qt::AlignRight|Qt::AlignTrailing|Qt::AlignVCenter</set>
</property>
<property name="wordWrap" >
<bool>false</bool>
</property>
</widget>
</item>
<item row="4" column="1" colspan="2" >
<widget class="QLineEdit" name="linux24_path_ip" />
</item>
<item row="5" column="0" >
<widget class="QLabel" name="label455" >
<property name="text" >
<string>logger:</string>
</property>
<property name="alignment" >
<set>Qt::AlignRight|Qt::AlignTrailing|Qt::AlignVCenter</set>
</property>
<property name="wordWrap" >
<bool>false</bool>
</property>
</widget>
</item>
<item row="5" column="1" colspan="2" >
<widget class="QLineEdit" name="linux24_path_logger" />
</item>
<item row="6" column="0" >
<widget class="QLabel" name="label458" >
<property name="text" >
<string>modprobe:</string>
</property>
<property name="alignment" >
<set>Qt::AlignRight|Qt::AlignTrailing|Qt::AlignVCenter</set>
</property>
<property name="wordWrap" >
<bool>false</bool>
</property>
</widget>
</item>
<item row="6" column="1" colspan="2" >
<widget class="QLineEdit" name="linux24_path_modprobe" />
</item>
<item row="7" column="0" >
<widget class="QLabel" name="label459" >
<property name="text" >
<string>lsmod</string>
</property>
<property name="alignment" >
<set>Qt::AlignRight|Qt::AlignTrailing|Qt::AlignVCenter</set>
</property>
<property name="wordWrap" >
<bool>false</bool>
</property>
</widget>
</item>
<item row="7" column="1" colspan="2" >
<widget class="QLineEdit" name="linux24_path_lsmod" />
</item>
<item row="8" column="0" >
<widget class="QLabel" name="label453_2" >
<property name="text" >
<string>iptables-restore:</string>
</property>
<property name="alignment" >
<set>Qt::AlignRight|Qt::AlignTrailing|Qt::AlignVCenter</set>
</property>
<property name="wordWrap" >
<bool>false</bool>
</property>
</widget>
</item>
<item row="8" column="1" colspan="2" >
<widget class="QLineEdit" name="linux24_path_iptables_restore" />
</item>
<item row="9" column="0" >
<widget class="QLabel" name="label_2" >
<property name="layoutDirection" >
<enum>Qt::RightToLeft</enum>
</property>
<property name="text" >
<string>:ip6tables-restore</string>
</property>
</widget>
</item>
<item row="9" column="1" colspan="2" >
<widget class="QLineEdit" name="linux24_path_ip6tables_restore" />
</item>
<item row="10" column="0" >
<spacer>
<property name="orientation" >
<enum>Qt::Horizontal</enum>
</property>
<property name="sizeType" >
<enum>QSizePolicy::Fixed</enum>
</property>
<property name="sizeHint" stdset="0" >
<size>
<width>150</width>
<height>20</height>
</size>
</property>
</spacer>
</item>
<item row="10" column="2" >
<spacer>
<property name="orientation" >
<enum>Qt::Vertical</enum>
</property>
<property name="sizeType" >
<enum>QSizePolicy::Expanding</enum>
</property>
<property name="sizeHint" stdset="0" >
<size>
<width>20</width>
<height>60</height>
</size>
</property>
</spacer>
</item>
</layout>
</widget>
</widget>
</item>
<item row="1" column="0" >
<layout class="QHBoxLayout" >
<item>
<widget class="QPushButton" name="buttonHelp" >
<property name="text" >
<string>Help</string>
</property>
</widget>
</item>
<item>
<spacer>
<property name="orientation" >
<enum>Qt::Horizontal</enum>
</property>
<property name="sizeType" >
<enum>QSizePolicy::Expanding</enum>
</property>
<property name="sizeHint" stdset="0" >
<size>
<width>151</width>
<height>27</height>
</size>
</property>
</spacer>
</item>
<item>
<widget class="QPushButton" name="buttonOk" >
<property name="text" >
<string>&amp;OK</string>
</property>
<property name="shortcut" >
<string/>
</property>
<property name="autoDefault" >
<bool>true</bool>
</property>
<property name="default" >
<bool>true</bool>
</property>
</widget>
</item>
<item>
<widget class="QPushButton" name="buttonCancel" >
<property name="text" >
<string>&amp;Cancel</string>
</property>
<property name="shortcut" >
<string/>
</property>
<property name="autoDefault" >
<bool>true</bool>
</property>
</widget>
</item>
</layout>
</item>
</layout>
</widget>
<layoutdefault spacing="6" margin="11" />
<tabstops>
<tabstop>linux24_ip_forward</tabstop>
<tabstop>linux24_ipv6_forward</tabstop>
<tabstop>linux24_rp_filter</tabstop>
<tabstop>linux24_icmp_echo_ignore_broadcasts</tabstop>
<tabstop>linux24_icmp_echo_ignore_all</tabstop>
<tabstop>linux24_accept_source_route</tabstop>
<tabstop>linux24_accept_redirects</tabstop>
<tabstop>linux24_icmp_ignore_bogus_error_responses</tabstop>
<tabstop>linux24_ip_dynaddr</tabstop>
<tabstop>linux24_log_martians</tabstop>
<tabstop>buttonOk</tabstop>
<tabstop>buttonCancel</tabstop>
<tabstop>linux24_tcp_fin_timeout</tabstop>
<tabstop>linux24_tcp_keepalive_interval</tabstop>
<tabstop>linux24_tcp_window_scaling</tabstop>
<tabstop>linux24_tcp_sack</tabstop>
<tabstop>linux24_tcp_fack</tabstop>
<tabstop>linux24_tcp_ecn</tabstop>
<tabstop>linux24_tcp_syncookies</tabstop>
<tabstop>linux24_tcp_timestamps</tabstop>
<tabstop>linux24_path_iptables</tabstop>
<tabstop>linux24_path_ip6tables</tabstop>
<tabstop>linux24_path_ip</tabstop>
<tabstop>linux24_path_logger</tabstop>
<tabstop>linux24_path_modprobe</tabstop>
<tabstop>linux24_path_lsmod</tabstop>
<tabstop>linux24_path_iptables_restore</tabstop>
<tabstop>linux24_path_ip6tables_restore</tabstop>
<tabstop>tabWidget</tabstop>
</tabstops>
<resources/>
<connections>
<connection>
<sender>buttonCancel</sender>
<signal>clicked()</signal>
<receiver>ipcoposAdvancedDialog_q</receiver>
<slot>reject()</slot>
<hints>
<hint type="sourcelabel" >
<x>395</x>
<y>447</y>
</hint>
<hint type="destinationlabel" >
<x>223</x>
<y>239</y>
</hint>
</hints>
</connection>
<connection>
<sender>buttonOk</sender>
<signal>clicked()</signal>
<receiver>ipcoposAdvancedDialog_q</receiver>
<slot>accept()</slot>
<hints>
<hint type="sourcelabel" >
<x>314</x>
<y>447</y>
</hint>
<hint type="destinationlabel" >
<x>223</x>
<y>239</y>
</hint>
</hints>
</connection>
<connection>
<sender>buttonHelp</sender>
<signal>clicked()</signal>
<receiver>ipcoposAdvancedDialog_q</receiver>
<slot>help()</slot>
<hints>
<hint type="sourcelabel" >
<x>47</x>
<y>447</y>
</hint>
<hint type="destinationlabel" >
<x>223</x>
<y>239</y>
</hint>
</hints>
</connection>
</connections>
<slots>
<slot>help()</slot>
</slots>
</ui>

View File

@ -61,6 +61,11 @@ iptAdvancedDialog::iptAdvancedDialog(QWidget *parent,FWObject *o)
obj=o;
QStringList slm;
string platform = obj->getStr("platform");
string description = Resources::platform_res[platform]->
getResourceStr("/FWBuilderResources/Target/description");
setWindowTitle(QObject::tr("%1 advanced settings").arg(description.c_str()));
FWOptions *fwoptions=(Firewall::cast(obj))->getOptionsObject();
assert(fwoptions!=NULL);
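Review bot: `Resources::platform_res[platform]->getResourceStr(...)` has no guard for an unknown `platform` key; with a map `operator[]` this inserts a NULL pointer and the very next call dereferences it, turning an unrecognised platform string in the data file into a crash when the advanced dialog is opened. Check with `find()` (or a helper that returns a default description) before calling `getResourceStr`, and fall back to the plain `platform` string in the window title.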

View File

@ -31,6 +31,7 @@
#include "fwbuilder/Firewall.h"
#include "fwbuilder/Management.h"
#include "fwbuilder/Resources.h"
#include <qcheckbox.h>
#include <qspinbox.h>
@ -58,6 +59,11 @@ linux24AdvancedDialog::linux24AdvancedDialog(QWidget *parent,FWObject *o)
m_dialog->setupUi(this);
obj=o;
string host_os = obj->getStr("host_OS");
string description = Resources::os_res[host_os]->
getResourceStr("/FWBuilderResources/Target/description");
setWindowTitle(QObject::tr("%1 advanced settings").arg(description.c_str()));
FWOptions *fwopt=(Firewall::cast(obj))->getOptionsObject();
assert(fwopt!=NULL);
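Review bot: this is the third copy on this page of the same four-line description lookup and `setWindowTitle` call (ipcoposAdvancedDialog and iptAdvancedDialog contain identical code, differing only in `os_res` versus `platform_res`); move it into one shared helper so the missing-key check only has to be written, and reviewed, once.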

View File

@ -33,6 +33,7 @@
#include "FWWindow.h"
#include "ObjConflictResolutionDialog.h"
#include "upgradePredicate.h"
#include "FWBSettings.h"
#include "fwbuilder/Library.h"
#include "fwbuilder/Firewall.h"
@ -74,20 +75,25 @@ newFirewallDialog::newFirewallDialog() : QDialog()
m_dialog = new Ui::newFirewallDialog_q;
m_dialog->setupUi(this);
possible_inside_interface_labels.push_back("inside");
possible_inside_interface_labels.push_back("GREEN");
possible_inside_interface_labels.push_back("green");
possible_outside_interface_labels.push_back("outside");
possible_outside_interface_labels.push_back("RED");
possible_outside_interface_labels.push_back("red");
possible_dmz_interface_labels.push_back("dmz");
possible_dmz_interface_labels.push_back("ORANGE");
possible_dmz_interface_labels.push_back("orange");
setControlWidgets(this, m_dialog->stackedWidget,
m_dialog->nextButton,
m_dialog->finishButton,
m_dialog->backButton,
m_dialog->cancelButton,
m_dialog->titleLabel);
/*connect( m_dialog->nextButton, SIGNAL( clicked() ),
this, SLOT( nextClicked() ));
connect( m_dialog->backButton, SIGNAL( clicked() ),
this, SLOT( backClicked() ));
connect( m_dialog->finishButton, SIGNAL( clicked() ),
this, SLOT( finishClicked() ));
connect( m_dialog->cancelButton, SIGNAL( clicked() ),
this, SLOT( cancelClicked() ));*/
nfw = NULL;
tmpldb = NULL;
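Review bot: the commented-out `connect(...)` block following `setControlWidgets(...)` is dead code now that the wiring is done by `setControlWidgets`; delete it rather than leaving it commented out. The three `possible_*_interface_labels` lists are also populated with hardcoded case variants (`GREEN`/`green`, `RED`/`red`, `ORANGE`/`orange`), which suggests the comparison site should normalise case instead of the lists trying to enumerate it.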
@ -104,13 +110,23 @@ newFirewallDialog::newFirewallDialog() : QDialog()
m_dialog->templaterFilePath->setText(tempfname.c_str());
m_dialog->templaterFrame->setVisible(false);
/* fill in platform */
setPlatform(m_dialog->platform, "" );
/* fill in platform. Since iptables is the most popular, start with
* it.
*/
QString new_fw_platform = st->getNewFirewallPlatform();
/* fill in host OS */
setHostOS(m_dialog->hostOS, "" );
/* if new_fw_platform is empty, the drop-down list will have empty
* item which will be current. This is so only on the first run of
* the program because it remembers chosen platform and uses it on
* subsequent runs.
*/
setPlatform(m_dialog->platform, new_fw_platform);
/* fill in host OS */
setHostOS(m_dialog->hostOS, readPlatform(m_dialog->platform), "");
setNextEnabled( 0, false );
/*for (int i=0; i<pageCount(); ++i)
setHelpEnabled( i, false );*/
@ -170,7 +186,7 @@ void newFirewallDialog::changed()
if (p==0)
{
setNextEnabled( p, !m_dialog->obj_name->text().isEmpty() );
setHostOS(m_dialog->hostOS, readPlatform(m_dialog->platform), "");
}
if (p==1)
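Review bot: `setHostOS(m_dialog->hostOS, readPlatform(m_dialog->platform), "")` now runs on every `changed()` signal while page 0 is active, and its third argument is always empty, so the host OS combo is rebuilt and reset to the first supported OS each time; if `changed()` also fires for edits to `obj_name`, typing the firewall name discards the OS the user picked. Pass `readHostOS(m_dialog->hostOS)` as the third argument so the current choice survives the rebuild, or trigger the rebuild only from the platform combo's change signal.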
@ -543,21 +559,29 @@ void newFirewallDialog::templateSelected(QListWidgetItem *itm)
for (FWObject::iterator i=ll.begin(); i!=ll.end(); i++)
{
Interface *intf = Interface::cast( *i );
if (intf->getLabel()=="outside")
if (std::find(possible_outside_interface_labels.begin(),
possible_outside_interface_labels.end(),
intf->getLabel()) != possible_outside_interface_labels.end())
{
haveOutside=true;
m_dialog->intfOutsideLine->show();
m_dialog->intfOutsideText->show();
fillInterfaceData(intf,m_dialog->intfOutsideText);
}
if (intf->getLabel()=="inside")
if (std::find(possible_inside_interface_labels.begin(),
possible_inside_interface_labels.end(),
intf->getLabel()) != possible_inside_interface_labels.end())
{
haveInside=true;
m_dialog->intfInsideLine->show();
m_dialog->intfInsideText->show();
fillInterfaceData(intf,m_dialog->intfInsideText);
}
if (intf->getLabel()=="dmz")
if (std::find(possible_dmz_interface_labels.begin(),
possible_dmz_interface_labels.end(),
intf->getLabel()) != possible_dmz_interface_labels.end())
{
haveDMZ=true;
m_dialog->intfDMZLine->show();
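Review bot: `std::find` over `std::list<std::string>` needs `<algorithm>`, and the include hunk for this file adds only "FWBSettings.h"; it may compile today through transitive inclusion, but add the header explicitly. `Interface::cast(*i)` is also dereferenced without a null check in all three branches; `ll` presumably holds only interfaces, but `if (intf == NULL) continue;` is cheap insurance.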
@ -791,6 +815,11 @@ void newFirewallDialog::cancelClicked()
void newFirewallDialog::finishClicked()
{
int p = currentPage();
string platform = readPlatform(m_dialog->platform).toAscii().constData();
string host_os = readHostOS(m_dialog->hostOS).toAscii().constData();
st->setNewFirewallPlatform(platform.c_str());
if (p==2) fillInterfaceSLList();
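Review bot: `st->setNewFirewallPlatform(platform.c_str())` runs at the top of finishClicked(), before the page checks, so the remembered platform is persisted even on the paths that `return` without creating a firewall (see the `return;` lines in the following hunks); move it next to the point where the firewall object is actually created. Also, this hunk converts with `toAscii()` while the rest of the file uses `toLatin1()`; pick one.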
@ -811,21 +840,15 @@ void newFirewallDialog::finishClicked()
return;
}
map<string,string> platforms = Resources::getPlatforms();
map<string,string>::iterator i;
for (i=platforms.begin(); i!=platforms.end(); i++)
Resources::setDefaultTargetOptions(i->first, Firewall::cast(no) );
map<string,string> OSs = Resources::getOS();
for (i=OSs.begin(); i!=OSs.end(); i++)
Resources::setDefaultTargetOptions(i->first, Firewall::cast(no) );
no->setStr("platform",
readPlatform(m_dialog->platform).toLatin1().constData() );
no->setStr("host_OS",
readHostOS(m_dialog->hostOS).toLatin1().constData() );
nfw=Firewall::cast(no);
no->setStr("platform", platform);
Resources::setDefaultTargetOptions(platform , nfw);
no->setStr("host_OS", host_os);
Resources::setDefaultTargetOptions(host_os , nfw);
} else
{
// Create from interface list (obtained either manually or via snmp)
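Review bot: default target options are now set only for the chosen `platform` and `host_os`, where the removed loops populated options for every known platform and OS; any code that later switches this firewall's platform (the platform combo in the firewall settings dialog) must now call `Resources::setDefaultTargetOptions` itself or it will read unset option keys. `nfw=Firewall::cast(no)` is also passed on without a null check.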
@ -839,22 +862,14 @@ void newFirewallDialog::finishClicked()
return;
}
map<string,string> platforms = Resources::getPlatforms();
map<string,string>::iterator i;
for (i=platforms.begin(); i!=platforms.end(); i++)
Resources::setDefaultTargetOptions( i->first , Firewall::cast(o) );
map<string,string> OSs = Resources::getOS();
for (i=OSs.begin(); i!=OSs.end(); i++)
Resources::setDefaultTargetOptions( i->first , Firewall::cast(o) );
o->setStr("platform",
readPlatform(m_dialog->platform).toLatin1().constData() );
o->setStr("host_OS",
readHostOS(m_dialog->hostOS).toLatin1().constData() );
nfw = Firewall::cast(o);
o->setStr("platform", platform);
Resources::setDefaultTargetOptions(platform , nfw);
o->setStr("host_OS", host_os);
Resources::setDefaultTargetOptions(host_os , nfw);
/* create interfaces */
int itm_index = 0;
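Review bot: this block (the two `setStr` calls plus the two `setDefaultTargetOptions` calls) is a verbatim copy of the template branch above; a small helper taking `(Firewall*, platform, host_os)` would keep the two paths in sync the next time an option is added.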


@ -63,6 +63,10 @@ class newFirewallDialog : public QDialog, public FakeWizard
std::map<QListWidgetItem*, libfwbuilder::FWObject*> templates;
bool unloadTemplatesLib;
bool getInterfacesBusy;
std::list<std::string> possible_inside_interface_labels;
std::list<std::string> possible_outside_interface_labels;
std::list<std::string> possible_dmz_interface_labels;
void adjustSL(QTreeWidgetItem *itm1);
void fillInterfaceData(libfwbuilder::Interface *intf, QTextBrowser *qte);
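Review bot: the three `std::list<std::string>` members exist only for membership tests with `std::find`; a `std::set<std::string>` (with `count()`) or one static table would read better and would remove the three-line `std::find` calls from templateSelected(). Minor.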


@ -28,8 +28,9 @@
#include "platforms.h"
#include <qobject.h>
#include <qstringlist.h>
#include <QObject>
#include <QStringList>
#include <QComboBox>
#include "fwbuilder/Firewall.h"
#include "fwbuilder/FWOptions.h"
@ -43,8 +44,8 @@
using namespace std;
using namespace libfwbuilder;
QStringList emptyList;
QStringList emptyList;
QStringList logLevels;
QStringList logFacilities;
QStringList actionsOnReject;
@ -643,3 +644,175 @@ QString getReadableRuleElementName(const string &rule_element_type_name)
return QString();
}
QMap<QString,QString> getAllPlatforms()
{
QMap<QString,QString> res;
map<string,string> platforms = Resources::getPlatforms();
map<string,string>::iterator i;
for (i=platforms.begin(); i!=platforms.end(); i++)
res[ i->first.c_str() ] = i->second.c_str();
return res;
}
QMap<QString,QString> getAllOS()
{
QMap<QString,QString> res;
map<string,string> OSs = Resources::getOS();
map<string,string>::iterator i;
for (i=OSs.begin(); i!=OSs.end(); i++)
res[ i->first.c_str() ] = i->second.c_str();
return res;
}
QString readPlatform(QComboBox *platform)
{
return platform->itemData(platform->currentIndex()).toString();
}
QString readHostOS(QComboBox *hostOS)
{
return hostOS->itemData(hostOS->currentIndex()).toString();
}
/*
* Fill combobox widget <platform> with items that exist in resources.
* If second argument is not an empty string, make corresponding item current.
* If it is an empty string, add an empty item on top to the combo box and make
* it current.
*/
void setPlatform(QComboBox *platform, const QString &pl)
{
platform->clear();
// platforms maps platform name (pix) to readable name (Cisco PIX)
QMap<QString,QString> platforms = getAllPlatforms();
QMap<QString,QString>::iterator i;
// platform_mapping maps key (<group>.<platform name>) to pair
// <group>, <platform name>
QMap<QString, QPair<QString, QString> > platform_mapping;
QStringList platform_keys;
for (i=platforms.begin(); i!=platforms.end(); i++)
{
QString group =
Resources::platform_res[i.key().toLatin1().constData()]->
getResourceStr("/FWBuilderResources/Target/group").c_str();
QString key = group + "." + i.key();
platform_mapping[key] = QPair<QString,QString>(group, i.key());
platform_keys.push_back(key);
}
qSort(platform_keys);
QStringList::iterator iter;
int ind = 0;
int cp = 0;
if (pl.isEmpty())
{
platform->addItem("", "");
cp++;
}
QString current_group = "";
for (iter=platform_keys.begin(); iter!=platform_keys.end(); iter++)
{
if (fwbdebug) qDebug(iter->toLatin1().constData());
QString group = platform_mapping[*iter].first;
QString platform_name = platform_mapping[*iter].second;
if (group != current_group)
{
current_group = group;
//platform->addItem(group, "");
platform->insertSeparator(cp);
cp++;
}
platform->addItem(platforms[platform_name], platform_name);
// note that if pl is "", then no real platform name will match it
// and ind will remain 0, which makes the top item in the combobox current.
if ( pl == platform_name ) ind = cp;
cp++;
}
platform->setCurrentIndex( ind );
}
/*
* Fill in "host os" combo box with list of os supported for the given
* platform and make current host os item current.
*
* If platform == "", then use all known host OS but also add
* empty item on top of the combobox and make that item current.
* If os == "", make the first OS in the list current.
*/
void setHostOS(QComboBox *hostOS, const QString &platform, const QString &os)
{
hostOS->clear();
QStringList supported_os_list;
if (!platform.isEmpty())
{
QString supported_os =
Resources::platform_res[platform.toLatin1().constData()]->
getResourceStr("/FWBuilderResources/Target/supported_os").c_str();
if (fwbdebug)
qDebug("supported_os %s", supported_os.toLatin1().constData());
if (supported_os.isEmpty())
{
// something is broken, we have no supported host OS for
// this platform. Just add os to the combo box and return
if (fwbdebug)
qDebug("No supported host OS for platform %s",
platform.toLatin1().constData());
hostOS->addItem(os, os);
hostOS->setCurrentIndex(0);
return;
}
supported_os_list = supported_os.split(",");
int cp = 0;
int ind = 0;
QMap<QString,QString> OSs = getAllOS();
QStringList::iterator os_iter;
for (os_iter=supported_os_list.begin();
os_iter!=supported_os_list.end(); ++os_iter)
{
QString os_code = *os_iter;
hostOS->addItem( OSs[os_code], os_code);
if ( os == os_code ) ind = cp;
cp++;
}
hostOS->setCurrentIndex( ind );
return;
}
// platform is empty
int cp = 0;
int ind = 0;
hostOS->addItem("", "");
cp++;
QMap<QString,QString> OSs = getAllOS();
QMap<QString,QString>::iterator i;
for (i=OSs.begin(); i!=OSs.end(); i++)
{
hostOS->addItem( i.value(), i.key() );
if ( os == i.key() ) ind = cp;
cp++;
}
hostOS->setCurrentIndex( ind );
}
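Review bot: in setPlatform(), when `pl` is non-empty but matches no platform key (a remembered platform whose resource file was removed or renamed), `ind` stays 0, and index 0 is now the separator inserted before the first group, so the combo box ends up with a separator as its current item; fall back to the empty-item path or to the first real item when nothing matches. Two smaller points: `qDebug(iter->toLatin1().constData())` passes the key as a printf-style format string, so write `qDebug("%s", ...)`; and `supported_os.split(",")` keeps whitespace and empty fields, so a resource value such as `linux24, ipcop` yields the key ` ipcop`, which `OSs[os_code]` does not know (operator[] then inserts an empty display name); split with `QString::SkipEmptyParts` and `trimmed()` each code.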


@ -115,5 +115,19 @@ bool getStatelessFlagForAction(libfwbuilder::PolicyRule *rule);
QString getReadableRuleElementName(const std::string &rule_element_type_name);
/*
* convenience method that calls Resourcess::getPlatforms() and
* converts the result to QMap<QString,QString>
*/
QMap<QString,QString> getAllPlatforms();
QMap<QString,QString> getAllOS();
QString readPlatform(QComboBox *platform);
QString readHostOS(QComboBox *hostOS);
void setPlatform(QComboBox *platform, const QString &pl);
void setHostOS(QComboBox *hostOS, const QString &platform, const QString &os);
#endif
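Review bot: the new prototypes take `QComboBox *`, but this hunk adds neither `#include <QComboBox>` nor a `class QComboBox;` forward declaration to platforms.h, so the header compiles only when the including file happened to pull QComboBox in first; add the forward declaration. The comment also misspells "Resources" as "Resourcess".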


@ -73,15 +73,6 @@ using namespace std;
using namespace libfwbuilder;
class mapValEQPredicate {
string descr;
public:
mapValEQPredicate(const string &d) { descr=d; }
bool operator()(pair<string,string> _d) { return (descr == _d.second); }
};
QAction* addPopupMenuItem(QObject *res,
QMenu* menu,
const QString &resourceIconPath,
@ -310,77 +301,6 @@ QString getFileDir(const QString &file)
return dir;
}
QMap<QString,QString> getAllPlatforms()
{
QMap<QString,QString> res;
map<string,string> platforms = Resources::getPlatforms();
map<string,string>::iterator i;
for (i=platforms.begin(); i!=platforms.end(); i++)
res[ i->first.c_str() ] = i->second.c_str();
return res;
}
QMap<QString,QString> getAllOS()
{
QMap<QString,QString> res;
map<string,string> OSs = Resources::getOS();
map<string,string>::iterator i;
for (i=OSs.begin(); i!=OSs.end(); i++)
res[ i->first.c_str() ] = i->second.c_str();
return res;
}
QString readPlatform(QComboBox *platform)
{
map<string,string> platforms = Resources::getPlatforms();
map<string,string>::iterator i1 = std::find_if( platforms.begin(), platforms.end(),
mapValEQPredicate(static_cast<const char*>(platform->currentText().toLatin1())));
return (*i1).first.c_str();
}
void setPlatform(QComboBox *platform,const QString &pl)
{
platform->clear();
int cp=0;
QMap<QString,QString> platforms = getAllPlatforms();
QMap<QString,QString>::iterator i;
int ind=0;
for (i=platforms.begin(); i!=platforms.end(); i++,cp++)
{
platform->addItem( i.value() );
if ( pl == i.key() ) ind = cp;
}
platform->setCurrentIndex( ind );
}
QString readHostOS(QComboBox *hostOS)
{
map<string,string> OSs = Resources::getOS();
map<string,string>::iterator i2 = std::find_if( OSs.begin(), OSs.end(),
mapValEQPredicate(static_cast<const char*>(hostOS->currentText().toLatin1())));
return (*i2).first.c_str();
}
void setHostOS(QComboBox *hostOS,const QString &os)
{
hostOS->clear();
int cp=0;
QMap<QString,QString> OSs = getAllOS();
QMap<QString,QString>::iterator i;
int ind=0;
for (i=OSs.begin(); i!=OSs.end(); i++,cp++)
{
hostOS->addItem( i.value() );
if ( os == i.key() ) ind = cp;
}
hostOS->setCurrentIndex( ind );
}
void setDisabledPalette(QWidget *w)
{
QPalette pal=w->palette();


@ -110,20 +110,6 @@ extern QString quoteString(const QString &str);
extern QString getUserName();
extern QString getFileDir(const QString &file);
/*
* convenience method that calls Resourcess::getPlatforms() and
* converts the result to QMap<QString,QString>
*/
extern QMap<QString,QString> getAllPlatforms();
extern QMap<QString,QString> getAllOS();
extern QString readPlatform(QComboBox *platform);
extern QString readHostOS(QComboBox *hostOS);
extern void setPlatform(QComboBox *platform,const QString &pl);
extern void setHostOS(QComboBox *hostOS,const QString &os);
extern void loadIcon(QPixmap &pm, libfwbuilder::FWObject *obj);
extern void setDisabledPalette(QWidget *w);


@ -0,0 +1,57 @@
/*
Firewall Builder
Copyright (C) 2009 NetCitadel, LLC
Author: Vadim Kurland vadim@vk.crocodile.org
$Id: MangleTableCompiler_ipt.h 752 2009-01-30 04:54:03Z vadim $
This program is free software which we release under the GNU General Public
License. You may redistribute and/or modify this program under the terms
of that license as published by the Free Software Foundation; either
version 2 of the License, or (at your option) any later version.
This program is distributed in the hope that it will be useful,
but WITHOUT ANY WARRANTY; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
GNU General Public License for more details.
To get a copy of the GNU General Public License, write to the Free Software
Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
*/
#ifndef __MANGLETABLECOMPILER_IPCOP_HH
#define __MANGLETABLECOMPILER_IPCOP_HH
#include <fwbuilder/libfwbuilder-config.h>
#include "MangleTableCompiler_ipt.h"
#include <map>
#include <string>
namespace fwcompiler {
class MangleTableCompiler_ipcop : public MangleTableCompiler_ipt {
protected:
virtual std::string myPlatformName() { return "ipcop"; };
public:
MangleTableCompiler_ipcop(libfwbuilder::FWObjectDatabase *_db,
const std::string &fwname,
bool ipv6_policy,
fwcompiler::OSConfigurator *_oscnf,
std::map<const std::string, bool> *m_n_cmd_map
) :
MangleTableCompiler_ipt(_db, fwname, ipv6_policy, _oscnf, m_n_cmd_map) {}
};
}
#endif
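Review bot: the `$Id:` keyword line still names MangleTableCompiler_ipt.h, the file this was copied from; since the header is new, drop the stale line or let the keyword expand for this file. Style: the include guard `__MANGLETABLECOMPILER_IPCOP_HH` does not follow the `__..._HH__` form used by NATCompiler_ipcop.h below, and the `;` after the inline `myPlatformName()` body is stray.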


@ -716,11 +716,6 @@ string NATCompiler_ipt::PrintRule::_declareTable()
return "";
}
string NATCompiler_ipt::PrintRule::_flushAndSetDefaultPolicy()
{
return "";
}
string NATCompiler_ipt::PrintRule::_commit()
{
return "";


@ -132,15 +132,6 @@ string NATCompiler_ipt::PrintRuleIptRst::_declareTable()
return res.str();
}
string NATCompiler_ipt::PrintRuleIptRst::_flushAndSetDefaultPolicy()
{
ostringstream res;
res << ":PREROUTING ACCEPT [0:0]" << endl;
res << ":POSTROUTING ACCEPT [0:0]" << endl;
res << ":OUTPUT ACCEPT [0:0]" << endl;
return res.str();
}
string NATCompiler_ipt::PrintRuleIptRst::_commit()
{
return "COMMIT\n";


@ -99,15 +99,6 @@ string NATCompiler_ipt::PrintRuleIptRstEcho::_declareTable()
return res.str();
}
string NATCompiler_ipt::PrintRuleIptRstEcho::_flushAndSetDefaultPolicy()
{
ostringstream res;
res << "echo :PREROUTING ACCEPT [0:0]" << endl;
res << "echo :POSTROUTING ACCEPT [0:0]" << endl;
res << "echo :OUTPUT ACCEPT [0:0]" << endl;
return res.str();
}
string NATCompiler_ipt::PrintRuleIptRstEcho::_commit()
{
return "echo COMMIT\n";


@ -0,0 +1,58 @@
/*
Firewall Builder
Copyright (C) 2009 NetCitadel, LLC
Author: Vadim Kurland vadim@vk.crocodile.org
$Id: NATCompiler_ipt.h 752 2009-01-30 04:54:03Z vadim $
This program is free software which we release under the GNU General Public
License. You may redistribute and/or modify this program under the terms
of that license as published by the Free Software Foundation; either
version 2 of the License, or (at your option) any later version.
This program is distributed in the hope that it will be useful,
but WITHOUT ANY WARRANTY; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
GNU General Public License for more details.
To get a copy of the GNU General Public License, write to the Free Software
Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
*/
#ifndef __NATCOMPILER_IPCOP_HH__
#define __NATCOMPILER_IPCOP_HH__
#include <fwbuilder/libfwbuilder-config.h>
#include "NATCompiler_ipt.h"
#include <map>
#include <string>
namespace fwcompiler {
class NATCompiler_ipcop : public NATCompiler_ipt {
protected:
virtual std::string myPlatformName() { return "ipcop"; };
public:
NATCompiler_ipcop(libfwbuilder::FWObjectDatabase *_db,
const std::string &fwname,
bool ipv6_policy,
fwcompiler::OSConfigurator *_oscnf,
std::map<const std::string, bool> *m_n_commands_map) :
NATCompiler_ipt(_db, fwname, ipv6_policy, _oscnf, m_n_commands_map) {}
};
}
#endif
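Review bot: as in the mangle header, `$Id:` names NATCompiler_ipt.h rather than this new file, and the `;` after the inline `myPlatformName()` body is stray. Note that this subclass overrides only `myPlatformName()`, so every behaviour of NATCompiler_ipt, including the nat-table reset in flushAndSetDefaultPolicy() below, applies unchanged to the appliance.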


@ -30,6 +30,7 @@
#include "fwcompiler/OSConfigurator.h"
#include "fwbuilder/Resources.h"
#include "fwbuilder/RuleElement.h"
#include "fwbuilder/NAT.h"
#include "fwbuilder/AddressRange.h"
@ -162,8 +163,20 @@ string NATCompiler_ipt::debugPrintRule(Rule *r)
}
void NATCompiler_ipt::verifyPlatform()
{
string family = Resources::platform_res[fw->getStr("platform")]->
getResourceStr("/FWBuilderResources/Target/family");
if (family != myPlatformName())
abort("Unsupported platform " + fw->getStr("platform") +
" (family " + family + ")");
}
int NATCompiler_ipt::prolog()
{
verifyPlatform();
// initialize counters for the standard chains
for (list<string>::const_iterator i =
NATCompiler_ipt::getStandardChains().begin();
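Review bot: `Resources::platform_res[fw->getStr("platform")]` in verifyPlatform() uses map `operator[]`, which inserts a null pointer for an unknown platform name and dereferences it on `->getResourceStr(...)` before the family check ever runs; use `find()` and call `abort()` with an "unknown platform" message when the key is absent, so an edited or stale data file produces the error instead of a crash.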
@ -172,7 +185,7 @@ int NATCompiler_ipt::prolog()
chain_usage_counter[*i] = 1;
}
int n=NATCompiler::prolog();
int n = NATCompiler::prolog();
if ( n>0 )
{
@ -2384,11 +2397,11 @@ string NATCompiler_ipt::flushAndSetDefaultPolicy()
{
string res="";
/* printRule may be null if there are no NAT rules and we never ran compile() */
if (printRule!=NULL)
if (fwopt->getBool("use_iptables_restore"))
{
//res += printRule->_declareTable();
res += printRule->_flushAndSetDefaultPolicy();
res += "echo :PREROUTING ACCEPT [0:0]\n";
res += "echo :POSTROUTING ACCEPT [0:0]\n";
res += "echo :OUTPUT ACCEPT [0:0]\n";
}
return res;
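Review bot: the three `echo :PREROUTING ACCEPT [0:0]` lines are now hard-coded in flushAndSetDefaultPolicy(), where the removed code delegated to `printRule->_flushAndSetDefaultPolicy()`, which the PrintRule subclasses (deleted in the hunks above) could specialise. Dropping the `printRule!=NULL` guard is an improvement, since the output no longer depends on compile() having run, but a platform subclass that must not reset the nat table's chain policies (NATCompiler_ipcop overrides nothing but the name) now has to override the whole method; consider keeping a small virtual hook for it.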


@ -517,7 +517,6 @@ namespace fwcompiler {
public:
PrintRule(const std::string &name);
virtual std::string _declareTable();
virtual std::string _flushAndSetDefaultPolicy();
virtual std::string _commit();
virtual std::string _quote(const std::string &s);
virtual bool processNext();
@ -535,7 +534,6 @@ namespace fwcompiler {
PrintRuleIptRst(const std::string &name) : PrintRule(name) {};
virtual std::string _declareTable();
virtual std::string _flushAndSetDefaultPolicy();
virtual std::string _commit();
virtual std::string _quote(const std::string &s);
virtual bool processNext();
@ -552,7 +550,6 @@ namespace fwcompiler {
PrintRuleIptRstEcho(const std::string &name) : PrintRuleIptRst(name) {};
virtual std::string _declareTable();
virtual std::string _flushAndSetDefaultPolicy();
virtual std::string _commit();
virtual std::string _quote(const std::string &s);
virtual bool processNext();
@ -577,6 +574,7 @@ namespace fwcompiler {
}
virtual void verifyPlatform();
virtual int prolog();
virtual void compile();
virtual void epilog();


@ -0,0 +1,95 @@
/*
Firewall Builder
Copyright (C) 2009 NetCitadel, LLC
Author: Vadim Kurland vadim@vk.crocodile.org
$Id: OSConfigurator_linux24.cpp 756 2009-02-06 00:58:01Z vadim $
This program is free software which we release under the GNU General Public
License. You may redistribute and/or modify this program under the terms
of that license as published by the Free Software Foundation; either
version 2 of the License, or (at your option) any later version.
This program is distributed in the hope that it will be useful,
but WITHOUT ANY WARRANTY; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
GNU General Public License for more details.
To get a copy of the GNU General Public License, write to the Free Software
Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
*/
#include "config.h"
#include "OSConfigurator_ipcop.h"
using namespace libfwbuilder;
using namespace fwcompiler;
using namespace std;
string OSConfigurator_ipcop::myPlatformName() { return "ipcop"; }
OSConfigurator_ipcop::OSConfigurator_ipcop(FWObjectDatabase *_db,
const string &fwname,
bool ipv6_policy) :
OSConfigurator_linux24(_db, fwname, ipv6_policy)
{
}
void OSConfigurator_ipcop::processFirewallOptions()
{
}
void OSConfigurator_ipcop::addVirtualAddressForNAT(const Network*)
{
}
void OSConfigurator_ipcop::addVirtualAddressForNAT(const Address*)
{
}
void OSConfigurator_ipcop::printCommandsToAddVirtualAddressesForNAT()
{
}
void OSConfigurator_ipcop::printChecksForRunTimeMultiAddress()
{
}
void OSConfigurator_ipcop::configureInterfaces()
{
}
int OSConfigurator_ipcop::prolog()
{
return 0;
}
string OSConfigurator_ipcop::printShellFunctions(bool f)
{
return OSConfigurator_linux24::printShellFunctions(f);
}
string OSConfigurator_ipcop::printPathForAllTools(const string &os)
{
return OSConfigurator_linux24::printPathForAllTools(os);
}
void OSConfigurator_ipcop::generateCodeForProtocolHandlers(bool)
{
}
string OSConfigurator_ipcop::printIPForwardingCommands(bool )
{
return "";
}
void OSConfigurator_ipcop::epilog()
{
}
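Review bot: `prolog()` returns 0 without calling `OSConfigurator_linux24::prolog()`; if the base prolog does bookkeeping that later methods rely on, this subclass skips it silently, so either call through or comment why it is intentionally skipped. The empty `processFirewallOptions()` and the `""` returned by `printIPForwardingCommands()` mean every linux24 sysctl and forwarding option in the firewall settings dialog is silently ignored for this platform; the dialog should hide or disable those controls for it. The `printShellFunctions` and `printPathForAllTools` overrides only forward to the base class and can be dropped, and the `$Id:` line still names OSConfigurator_linux24.cpp.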


@ -0,0 +1,65 @@
/*
Firewall Builder
Copyright (C) 2009 NetCitadel, LLC
Author: Vadim Kurland vadim@vk.crocodile.org
$Id: OSConfigurator_linux24.h 752 2009-01-30 04:54:03Z vadim $
This program is free software which we release under the GNU General Public
License. You may redistribute and/or modify this program under the terms
of that license as published by the Free Software Foundation; either
version 2 of the License, or (at your option) any later version.
This program is distributed in the hope that it will be useful,
but WITHOUT ANY WARRANTY; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
GNU General Public License for more details.
To get a copy of the GNU General Public License, write to the Free Software
Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
*/
#ifndef _OSNETWORKCONFIGURATOR_IPCOP_HH
#define _OSNETWORKCONFIGURATOR_IPCOP_HH
#include "config.h"
#include "OSConfigurator_linux24.h"
#include "OSData.h"
namespace fwcompiler {
class OSConfigurator_ipcop : public OSConfigurator_linux24 {
public:
virtual ~OSConfigurator_ipcop() {};
OSConfigurator_ipcop(libfwbuilder::FWObjectDatabase *_db,
const std::string &fwname, bool ipv6_policy);
virtual std::string myPlatformName();
virtual int prolog();
virtual void epilog();
virtual void processFirewallOptions();
virtual void generateCodeForProtocolHandlers(bool have_nat);
virtual void addVirtualAddressForNAT(const libfwbuilder::Address *addr);
virtual void addVirtualAddressForNAT(const libfwbuilder::Network *nw);
virtual void printChecksForRunTimeMultiAddress();
virtual std::string printShellFunctions(bool no_comment);
virtual std::string printPathForAllTools(const std::string &os);
virtual std::string printIPForwardingCommands(bool no_comment);
virtual void configureInterfaces();
virtual void printCommandsToAddVirtualAddressesForNAT();
};
}
#endif


@ -85,31 +85,11 @@ void OSConfigurator_linux24::processFirewallOptions()
string s;
int i;
/*
* check if all interfaces configured for the firewall are present
*/
if (options->getBool("verify_interfaces"))
{
list<FWObject*> l2=fw->getByType(Interface::TYPENAME);
if ( ! l2.empty() )
{
output << endl;
output << "INTERFACES=\"";
for (list<FWObject*>::iterator i=l2.begin(); i!=l2.end(); ++i)
{
Interface *iface=Interface::cast(*i);
if (iface->getName().find("*")==string::npos)
output << iface->getName() << " ";
}
output << "\"" << endl;
output << "for i in $INTERFACES ; do" << endl;
output << " $IP link show \"$i\" > /dev/null 2>&1 || {" << endl;
output << " log \"Interface $i does not exist\"" << endl;
output << " exit 1" << endl;
output << " }" << endl;
output << "done" << endl;
output << endl;
}
output << "verify_interfaces" << endl;
}
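Review bot: `output << "verify_interfaces" << endl;` is emitted whenever the `verify_interfaces` option is set, but the function itself (in the printShellFunctions hunk further down) is only defined inside `if ( ! l2.empty() )`; a firewall object with no Interface children therefore gets a script that calls an undefined shell function and fails with "verify_interfaces: not found". Either define the function unconditionally (with an empty INTERFACES list) or apply the same `l2.empty()` check here.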
/*
@ -125,70 +105,70 @@ void OSConfigurator_linux24::processFirewallOptions()
s=options->getStr("linux24_ip_dynaddr");
if (!s.empty())
output << "echo " << s << " > /proc/sys/net/ipv4/ip_dynaddr\n\n";
output << "echo " << s << " > /proc/sys/net/ipv4/ip_dynaddr\n";
s=options->getStr("linux24_rp_filter");
if (!s.empty())
output << "echo " << s << " > /proc/sys/net/ipv4/conf/all/rp_filter\n\n";
output << "echo " << s << " > /proc/sys/net/ipv4/conf/all/rp_filter\n";
s=options->getStr("linux24_accept_source_route");
if (!s.empty())
output << "echo " << s << " > /proc/sys/net/ipv4/conf/all/accept_source_route\n\n";
output << "echo " << s << " > /proc/sys/net/ipv4/conf/all/accept_source_route\n";
s=options->getStr("linux24_accept_redirects");
if (!s.empty())
output << "echo " << s << " > /proc/sys/net/ipv4/conf/all/accept_redirects\n\n";
output << "echo " << s << " > /proc/sys/net/ipv4/conf/all/accept_redirects\n";
s=options->getStr("linux24_log_martians");
if (!s.empty())
output << "echo " << s << " > /proc/sys/net/ipv4/conf/all/log_martians\n\n";
output << "echo " << s << " > /proc/sys/net/ipv4/conf/all/log_martians\n";
s=options->getStr("linux24_icmp_echo_ignore_broadcasts");
if (!s.empty())
output << "echo " << s << " > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts\n\n";
output << "echo " << s << " > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts\n";
s=options->getStr("linux24_icmp_echo_ignore_all");
if (!s.empty())
output << "echo " << s << " > /proc/sys/net/ipv4/icmp_echo_ignore_all\n\n";
output << "echo " << s << " > /proc/sys/net/ipv4/icmp_echo_ignore_all\n";
s=options->getStr("linux24_icmp_ignore_bogus_error_responses");
if (!s.empty())
output << "echo " << s << " > /proc/sys/net/ipv4/icmp_ignore_bogus_error_responses\n\n";
output << "echo " << s << " > /proc/sys/net/ipv4/icmp_ignore_bogus_error_responses\n";
if ( (i=options->getInt("linux24_tcp_fin_timeout"))>0 )
output << "echo " << i << " > /proc/sys/net/ipv4/tcp_fin_timeout\n\n";
output << "echo " << i << " > /proc/sys/net/ipv4/tcp_fin_timeout\n";
if ( (i=options->getInt("linux24_tcp_keepalive_interval"))>0 )
output << "echo " << i << " > /proc/sys/net/ipv4/tcp_keepalive_intvl\n\n";
output << "echo " << i << " > /proc/sys/net/ipv4/tcp_keepalive_intvl\n";
s=options->getStr("linux24_tcp_window_scaling");
if (!s.empty())
output << "echo " << s << " > /proc/sys/net/ipv4/tcp_window_scaling\n\n";
output << "echo " << s << " > /proc/sys/net/ipv4/tcp_window_scaling\n";
s=options->getStr("linux24_tcp_sack");
if (!s.empty())
output << "echo " << s << " > /proc/sys/net/ipv4/tcp_sack\n\n";
output << "echo " << s << " > /proc/sys/net/ipv4/tcp_sack\n";
s=options->getStr("linux24_tcp_fack");
if (!s.empty())
output << "echo " << s << " > /proc/sys/net/ipv4/tcp_fack\n\n";
output << "echo " << s << " > /proc/sys/net/ipv4/tcp_fack\n";
s=options->getStr("linux24_tcp_syncookies");
if (!s.empty())
output << "echo " << s << " > /proc/sys/net/ipv4/tcp_syncookies\n\n";
output << "echo " << s << " > /proc/sys/net/ipv4/tcp_syncookies\n";
s=options->getStr("linux24_tcp_ecn");
if (!s.empty())
output << "echo " << s << " > /proc/sys/net/ipv4/tcp_ecn\n\n";
output << "echo " << s << " > /proc/sys/net/ipv4/tcp_ecn\n";
s=options->getStr("linux24_tcp_timestamps");
if (!s.empty())
output << "echo " << s << " > /proc/sys/net/ipv4/tcp_timestamps\n\n";
output << "echo " << s << " > /proc/sys/net/ipv4/tcp_timestamps\n";
output << endl;
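Review bot: the option values `s` and `i` are interpolated unquoted into `echo <value> > /proc/sys/net/ipv4/...`; these are free-text settings from the firewall object and the generated script runs as root on the firewall, so a value containing `;` or backticks would be executed rather than written to the sysctl. Every sysctl in this list takes a small non-negative integer, so validate `s` against that (as is already done implicitly for the `getInt()` cases) before emitting it. The `\n\n` to `\n` change itself is fine.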
@ -307,6 +287,7 @@ void OSConfigurator_linux24::registerMultiAddressObject(MultiAddressRunTime *at)
void OSConfigurator_linux24::printChecksForRunTimeMultiAddress()
{
output << endl;
output << "# Using " << address_table_objects.size() << " address table files" << endl;
map<string,string>::iterator i;
@ -565,8 +546,7 @@ string OSConfigurator_linux24::printShellFunctions(bool )
str << endl;
str << "# increment ip address" << endl;
str << "incaddr()" << endl;
str << "{" << endl;
str << "incaddr() {" << endl;
str << " n1=$4" << endl;
str << " n2=$3" << endl;
str << " n3=$2" << endl;
@ -584,6 +564,113 @@ string OSConfigurator_linux24::printShellFunctions(bool )
str << "}" << endl;
str << endl;
/* check if package iproute2 is installed, but do this only if
* we really need /usr/sbin/ip
*/
if (options->getBool("verify_interfaces") ||
options->getBool("manage_virtual_addr") ||
options->getBool("configure_interfaces") )
{
str << "check_tools() {" << endl;
str << " if $IP link ls >/dev/null 2>&1; then" << endl;
str << " echo;" << endl;
str << " else" << endl;
str << " echo \"iproute not found\"" << endl;
str << " exit 1" << endl;
str << " fi" << endl;
str << "}" << endl;
str << endl;
}
/*
* Generate commands to reset all tables and chains and set
* default policy
*/
str << "reset_iptables_v4() {" << endl;
str << " $IPTABLES -P OUTPUT DROP" << endl;
str << " $IPTABLES -P INPUT DROP" << endl;
str << " $IPTABLES -P FORWARD DROP" << endl;
str << "\n\
cat /proc/net/ip_tables_names | while read table; do\n\
$IPTABLES -t $table -L -n | while read c chain rest; do\n\
if test \"X$c\" = \"XChain\" ; then\n\
$IPTABLES -t $table -F $chain\n\
fi\n\
done\n\
$IPTABLES -t $table -X\n\
done\n";
str << "}" << endl;
str << endl;
str << "reset_iptables_v6() {" << endl;
str << " $IP6TABLES -P OUTPUT DROP" << endl;
str << " $IP6TABLES -P INPUT DROP" << endl;
str << " $IP6TABLES -P FORWARD DROP" << endl;
str << "\n\
cat /proc/net/ip6_tables_names | while read table; do\n\
$IP6TABLES -t $table -L -n | while read c chain rest; do\n\
if test \"X$c\" = \"XChain\" ; then\n\
$IP6TABLES -t $table -F $chain\n\
fi\n\
done\n\
$IP6TABLES -t $table -X\n\
done\n";
str << "}" << endl;
str << endl;
std::string sed_command = "sed -e 's/^.*\\///' -e 's/\\([^\\.]\\)\\..*/\\1/'";
str << "load_modules() {" << endl;
str << " HAVE_NAT=$1" << endl;
str << " MODULES_DIR=\"/lib/modules/`uname -r`/kernel/net/\"" << endl;
str << " MODULES=`find $MODULES_DIR -name '*conntrack*'|" << sed_command << "`" << endl;
str << " test -n \"$HAVE_NAT\" && {" << endl;
str << " MODULES=\"$MODULES `find $MODULES_DIR -name '*nat*'|" << sed_command << "`\"" << endl;
str << " }" << endl;
str << " for module in $MODULES; do " << endl;
str << " if $LSMOD | grep ${module} >/dev/null; then continue; fi" << endl;
str << " $MODPROBE ${module} || exit 1 " << endl;
str << " done" << endl;
str << "}" << endl;
str << endl;
/*
* check if all interfaces configured for the firewall are present
*/
if (options->getBool("verify_interfaces"))
{
list<FWObject*> l2=fw->getByType(Interface::TYPENAME);
if ( ! l2.empty() )
{
str << endl;
str << "verify_interfaces() {" << endl;
str << " INTERFACES=\"";
for (list<FWObject*>::iterator i=l2.begin(); i!=l2.end(); ++i)
{
Interface *iface=Interface::cast(*i);
if (iface->getName().find("*")==string::npos)
str << iface->getName() << " ";
}
str << "\"" << endl;
str << " for i in $INTERFACES ; do" << endl;
str << " $IP link show \"$i\" > /dev/null 2>&1 || {" << endl;
str << " log \"Interface $i does not exist\"" << endl;
str << " exit 1" << endl;
str << " }" << endl;
str << " done" << endl;
str << "}" << endl;
str << endl;
}
}
return str.str();
}
string OSConfigurator_linux24::printPrologEpilogFunctions(bool )
{
ostringstream str;
str << endl;
str << "prolog_commands() {" << endl;
str << "echo \"Running prolog script\"" << endl;
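Review bot: in `reset_iptables_v4()`/`reset_iptables_v6()` the inner `-L -n | while read c chain rest` loop is unnecessary and fragile (it parses listing output, and is slow on large rule sets): `$IPTABLES -t $table -F` with no chain argument flushes every chain in the table, so the loop collapses to `$IPTABLES -t $table -F; $IPTABLES -t $table -X`. Setting the policies to DROP before the flush keeps the box fail-closed during the reset, which is the right order. In `load_modules()`, `$MODPROBE ${module} || exit 1` aborts the whole script when any module under `kernel/net/` whose name contains `conntrack` or `nat` fails to load, including helpers the policy never uses; restrict the list to the modules the generated rules need, or warn instead of exiting. `check_tools()` prints a blank line (`echo;`) on success; `:` avoids the noise.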
@ -603,22 +690,6 @@ string OSConfigurator_linux24::printShellFunctions(bool )
str << "}" << endl;
str << endl;
/* check if package iproute2 is installed, but do this only if
* we really need /usr/sbin/ip
*/
if (options->getBool("verify_interfaces") ||
options->getBool("manage_virtual_addr") ||
options->getBool("configure_interfaces") )
{
str << "if $IP link ls >/dev/null 2>&1; then" << endl;
str << " echo;" << endl;
str << "else" << endl;
str << " echo \"iproute not found\"" << endl;
str << " exit 1" << endl;
str << "fi" << endl;
str << endl;
}
return str.str();
}
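Review bot: the inline iproute check removed here reappears as the `check_tools()` function in the hunk above, but none of the visible hunks call `check_tools`; make sure the script generator invokes it on the `start` path before `verify_interfaces` and the address-management code, otherwise the check is silently lost.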
@ -626,42 +697,42 @@ string OSConfigurator_linux24::printPathForAllTools(const string &os)
{
string res;
FWOptions* options=fw->getOptionsObject();
FWOptions* options = fw->getOptionsObject();
string s, path_lsmod, path_modprobe, path_iptables, path_ip6tables;
string path_iptables_restore, path_ip6tables_restore, path_ip, path_logger;
s=options->getStr("linux24_path_lsmod");
if (!s.empty()) path_lsmod=s;
else path_lsmod=os_data.getPathForTool(os,OSData::LSMOD);
else path_lsmod=os_data.getPathForTool(os, OSData::LSMOD);
s=options->getStr("linux24_path_modprobe");
if (!s.empty()) path_modprobe=s;
else path_modprobe=os_data.getPathForTool(os,OSData::MODPROBE);
else path_modprobe=os_data.getPathForTool(os, OSData::MODPROBE);
s=options->getStr("linux24_path_iptables");
if (!s.empty()) path_iptables=s;
else path_iptables=os_data.getPathForTool(os,OSData::IPTABLES);
else path_iptables=os_data.getPathForTool(os, OSData::IPTABLES);
s=options->getStr("linux24_path_ip6tables");
if (!s.empty()) path_ip6tables=s;
else path_ip6tables=os_data.getPathForTool(os,OSData::IP6TABLES);
else path_ip6tables=os_data.getPathForTool(os, OSData::IP6TABLES);
s=options->getStr("linux24_path_iptables_restore");
if (!s.empty()) path_iptables_restore=s;
else path_iptables_restore=os_data.getPathForTool(os,OSData::IPTABLES_RESTORE);
else path_iptables_restore=os_data.getPathForTool(os, OSData::IPTABLES_RESTORE);
s=options->getStr("linux24_path_ip6tables_restore");
if (!s.empty()) path_ip6tables_restore=s;
else path_ip6tables_restore=os_data.getPathForTool(os,OSData::IP6TABLES_RESTORE);
else path_ip6tables_restore=os_data.getPathForTool(os, OSData::IP6TABLES_RESTORE);
s=options->getStr("linux24_path_ip");
if (!s.empty()) path_ip=s;
else path_ip=os_data.getPathForTool(os,OSData::IP);
else path_ip=os_data.getPathForTool(os, OSData::IP);
s=options->getStr("linux24_path_logger");
if (!s.empty()) path_logger=s;
else path_logger=os_data.getPathForTool(os,OSData::LOGGER);
else path_logger=os_data.getPathForTool(os, OSData::LOGGER);
res += "LSMOD=\"" +path_lsmod+"\"\n";
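Review bot: The custom tool paths read from the `linux24_path_*` options are spliced into the script unescaped, e.g. `res += "LSMOD=\"" +path_lsmod+"\"\n";`, so a value containing `"`, `$` or a backtick changes the meaning of the generated shell; either reject those characters when the option is saved in the GUI or single-quote the assignments. The hunk itself is whitespace-only (spaces after commas and around `=`) and changes no behaviour.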
@ -679,30 +750,17 @@ string OSConfigurator_linux24::printPathForAllTools(const string &os)
void OSConfigurator_linux24::generateCodeForProtocolHandlers(bool have_nat)
{
FWOptions* options=fw->getOptionsObject();
bool nomod=Resources::os_res[fw->getStr("host_OS")]->Resources::getResourceBool("/FWBuilderResources/Target/options/suppress_modules");
FWOptions* options = fw->getOptionsObject();
bool nomod = Resources::os_res[fw->getStr("host_OS")]->Resources::getResourceBool("/FWBuilderResources/Target/options/suppress_modules");
/* there is no need to load modules on linksys */
if (options->getBool("load_modules") && !nomod)
{
std::string sed_command = "sed -e 's/^.*\\///' -e 's/\\([^\\.]\\)\\..*/\\1/'";
output << endl;
output << "MODULES_DIR=\"/lib/modules/`uname -r`/kernel/net/\"" << endl;
output << "MODULES=`find $MODULES_DIR -name '*conntrack*'|" << sed_command << "`" << endl;
if (have_nat)
{
output << "MODULES=\"$MODULES `find $MODULES_DIR -name '*nat*'|" << sed_command << "`\"" << endl;
}
output << "for module in $MODULES; do " << endl;
output << " if $LSMOD | grep ${module} >/dev/null; then continue; fi" << endl;
output << " $MODPROBE ${module} || exit 1 " << endl;
output << "done" << endl;
output << endl;
output << endl;
output << "load_modules ";
if (have_nat) output << "\"with_nat\"";
else output << "\"\"";
output << endl;
output << endl;
}
}
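Review bot: The inline module loader deleted here failed hard on a bad module (`$MODPROBE ${module} || exit 1`) and normalised module file names with `sed -e 's/^.*\///' -e 's/\([^\.]\)\..*/\1/'`; the `load_modules "with_nat"` call that replaces it is not defined anywhere in this diff. Check that the new shell function keeps the `exit 1` on modprobe failure and the same name normalisation, and that passing `""` skips the `*nat*` search instead of matching every module under `$MODULES_DIR`.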
@ -826,7 +884,7 @@ string OSConfigurator_linux24::printIPForwardingCommands(bool )
{
if (s=="1" || s=="On" || s=="on") s="1";
else s="0";
str << "echo " << s << " > /proc/sys/net/ipv4/ip_forward\n\n";
str << "echo " << s << " > /proc/sys/net/ipv4/ip_forward\n";
}
s = options->getStr("linux24_ipv6_forward");
@ -835,11 +893,11 @@ string OSConfigurator_linux24::printIPForwardingCommands(bool )
if (s=="1" || s=="On" || s=="on") s="1";
else s="0";
str << "echo "
<< s << " > /proc/sys/net/ipv6/conf/all/forwarding\n\n";
<< s << " > /proc/sys/net/ipv6/conf/all/forwarding\n";
}
// else
// str << "echo \"$FWD\" > /proc/sys/net/ipv4/ip_forward\n\n";
// str << "echo \"$FWD\" > /proc/sys/net/ipv4/ip_forward\n";
} catch (FWException ex)
{
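Review bot: `catch (FWException ex)` directly below the changed line catches by value, which copies the exception and slices any subclass; `catch (const FWException &ex)` is the idiomatic form. Not introduced by this hunk, but worth fixing while the function is being touched.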


@ -66,17 +66,17 @@ namespace fwcompiler {
virtual void addVirtualAddressForNAT(const libfwbuilder::Address *addr);
virtual void addVirtualAddressForNAT(const libfwbuilder::Network *nw);
void registerMultiAddressObject(libfwbuilder::MultiAddressRunTime *at);
void printChecksForRunTimeMultiAddress();
std::string printShellFunctions(bool no_comment);
std::string printPathForAllTools(const std::string &os);
std::string printIPForwardingCommands(bool no_comment);
void configureInterfaces();
void printCommandsToAddVirtualAddressesForNAT();
std::string printRunTimeWrappers(libfwbuilder::FWObject *rule,
const std::string &command,
bool ipv6=false);
virtual void registerMultiAddressObject(libfwbuilder::MultiAddressRunTime *at);
virtual void printChecksForRunTimeMultiAddress();
virtual std::string printShellFunctions(bool no_comment);
virtual std::string printPrologEpilogFunctions(bool no_comment);
virtual std::string printPathForAllTools(const std::string &os);
virtual std::string printIPForwardingCommands(bool no_comment);
virtual void configureInterfaces();
virtual void printCommandsToAddVirtualAddressesForNAT();
virtual std::string printRunTimeWrappers(libfwbuilder::FWObject *rule,
const std::string &command,
bool ipv6=false);
};
};
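Review bot: Turning `registerMultiAddressObject`, `printShellFunctions`, `printPathForAllTools` and the rest into `virtual` methods only documents real extension points if `OSConfigurator_ipcop` overrides them; if it overrides just a subset, say so in a comment so readers know which ones are meant to be specialised. The `};` after the closing brace of `namespace fwcompiler` is a stray semicolon that `-pedantic` builds warn about.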


@ -26,10 +26,12 @@
#include "OSData.h"
#include "fwbuilder/Resources.h"
#include <iostream>
using namespace std;
string OSData::getPathForTool(const string &distro,tools t)
string OSData::getPathForTool(const string &distro, tools t)
{
string r="/FWBuilderResources/Target/tools/"+distro+"/";
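Review bot: `#include <iostream>` is added but nothing in this hunk uses it; if it was for debugging output that has since been removed, drop it again.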
@ -47,6 +49,7 @@ string OSData::getPathForTool(const string &distro,tools t)
case IP: r+="path_ip"; break;
case LOGGER: r+="path_logger"; break;
}
return Resources::os_res[host_os]->getResourceStr(r);
}
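Review bot: `return Resources::os_res[host_os]->getResourceStr(r);` indexes the resource map with `operator[]`, which inserts a null entry for an unknown `host_os` and then dereferences it; look the entry up with `find()` and throw an FWException naming the OS instead. The same pattern is introduced in `verifyPlatform()` in PolicyCompiler_ipt.cpp and RoutingCompiler_ipt.cpp and in `processPolicyRuleSet` in ipt.cpp (`Resources::platform_res[platform]`).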


@ -1486,60 +1486,6 @@ string PolicyCompiler_ipt::PrintRule::_declareTable()
return "";
}
string PolicyCompiler_ipt::PrintRule::_flushAndSetDefaultPolicy()
{
PolicyCompiler_ipt *ipt_comp = dynamic_cast<PolicyCompiler_ipt*>(compiler);
ostringstream res;
if (!ipt_comp->ipv6)
{
res << "$IPTABLES -P OUTPUT DROP" << endl;
res << "$IPTABLES -P INPUT DROP" << endl;
res << "$IPTABLES -P FORWARD DROP" << endl;
/*
* need to flush all tables and chains before setting up any rules
*/
res << "\n\
cat /proc/net/ip_tables_names | while read table; do\n\
$IPTABLES -t $table -L -n | while read c chain rest; do\n\
if test \"X$c\" = \"XChain\" ; then\n\
$IPTABLES -t $table -F $chain\n\
fi\n\
done\n\
$IPTABLES -t $table -X\n\
done\n";
res << endl;
res << endl;
}
if (ipt_comp->ipv6)
{
/*
* test if ip6tables is installed and if it works. It may be installed
* on the system but fail because ipv6 is not compiled into the
* kernel.
*/
res << "$IP6TABLES -P OUTPUT DROP" << endl;
res << "$IP6TABLES -P INPUT DROP" << endl;
res << "$IP6TABLES -P FORWARD DROP" << endl;
res << "\n\
cat /proc/net/ip6_tables_names | while read table; do\n\
$IP6TABLES -t $table -L -n | while read c chain rest; do\n\
if test \"X$c\" = \"XChain\" ; then\n\
$IP6TABLES -t $table -F $chain\n\
fi\n\
done\n\
$IP6TABLES -t $table -X\n\
done\n";
res << endl;
res << endl;
}
return res.str();
}
string PolicyCompiler_ipt::PrintRule::_commit()
{
return "";
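Review bot: The deleted `_flushAndSetDefaultPolicy` set the policy to DROP before flushing (`$IPTABLES -P OUTPUT DROP`, then the loop over `/proc/net/ip_tables_names`), so at no point were the chains empty under an ACCEPT policy. Its replacements `reset_iptables_v4` / `reset_iptables_v6` are called from `flushAndSetDefaultPolicy()` and from the new `stop)` branch but are not defined in this diff; make sure they keep that ordering and the `-X` of user chains in every table. The ipv6 comment about testing whether ip6tables "works" described a check that the deleted code never performed, so do not carry it over unchanged.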


@ -137,17 +137,6 @@ string PolicyCompiler_ipt::PrintRuleIptRst::_declareTable()
return res.str();
}
string PolicyCompiler_ipt::PrintRuleIptRst::_flushAndSetDefaultPolicy()
{
ostringstream res;
res << ":INPUT DROP [0:0]" << endl;
res << ":FORWARD DROP [0:0]" << endl;
res << ":OUTPUT DROP [0:0]" << endl;
return res.str();
}
string PolicyCompiler_ipt::PrintRuleIptRst::_commit()
{
return "COMMIT\n";
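Review bot: `PrintRuleIptRst::_flushAndSetDefaultPolicy()` emitted the bare `:INPUT DROP [0:0]` lines, whereas the replacement in `PolicyCompiler_ipt::flushAndSetDefaultPolicy()` only emits the `echo :INPUT DROP [0:0]` form that belonged to the Echo variant. If `createPrintRuleProcessor()` can still select the non-echo `PrintRuleIptRst` for any output mode, that mode has lost its chain policy declarations; either confirm it is unreachable or keep the dispatch through the print-rule object.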


@ -103,17 +103,6 @@ string PolicyCompiler_ipt::PrintRuleIptRstEcho::_declareTable()
return res.str();
}
string PolicyCompiler_ipt::PrintRuleIptRstEcho::_flushAndSetDefaultPolicy()
{
ostringstream res;
res << "echo :INPUT DROP [0:0]" << endl;
res << "echo :FORWARD DROP [0:0]" << endl;
res << "echo :OUTPUT DROP [0:0]" << endl;
return res.str();
}
string PolicyCompiler_ipt::PrintRuleIptRstEcho::_commit()
{
return "echo COMMIT\n";


@ -0,0 +1,60 @@
/*
Firewall Builder
Copyright (C) 2009 NetCitadel, LLC
Author: Vadim Kurland vadim@vk.crocodile.org
$Id: PolicyCompiler_ipt.h 752 2009-01-30 04:54:03Z vadim $
This program is free software which we release under the GNU General Public
License. You may redistribute and/or modify this program under the terms
of that license as published by the Free Software Foundation; either
version 2 of the License, or (at your option) any later version.
This program is distributed in the hope that it will be useful,
but WITHOUT ANY WARRANTY; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
GNU General Public License for more details.
To get a copy of the GNU General Public License, write to the Free Software
Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
*/
#ifndef __POLICYCOMPILER_IPCOP_HH__
#define __POLICYCOMPILER_IPCOP_HH__
#include <fwbuilder/libfwbuilder-config.h>
#include "PolicyCompiler_ipt.h"
#include <map>
#include <string>
namespace fwcompiler {
class PolicyCompiler_ipcop : public PolicyCompiler_ipt {
protected:
virtual std::string myPlatformName() { return "ipcop"; }
public:
PolicyCompiler_ipcop(libfwbuilder::FWObjectDatabase *_db,
const std::string &fwname,
bool ipv6_policy,
fwcompiler::OSConfigurator *_oscnf,
std::map<const std::string, bool> *m_n_commands_map
) :
PolicyCompiler_ipt(_db, fwname, ipv6_policy, _oscnf, m_n_commands_map) {}
};
}
#endif
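Review bot: The `$Id: PolicyCompiler_ipt.h 752 2009-01-30 04:54:03Z vadim $` line was copied from PolicyCompiler_ipt.h; reset it to a bare `$Id$` so the keyword tracks this file. `std::map<const std::string, bool>` in the constructor mirrors the base class, but a map key type is already const, so `std::map<std::string, bool>` is the cleaner spelling in both places.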


@ -28,6 +28,7 @@
#include "PolicyCompiler_ipt.h"
#include "OSConfigurator_linux24.h"
#include "fwbuilder/Resources.h"
#include "fwbuilder/FWObjectDatabase.h"
#include "fwbuilder/RuleElement.h"
#include "fwbuilder/IPService.h"
@ -416,10 +417,19 @@ void PolicyCompiler_ipt::registerRuleSetChain(const std::string &chain_name)
chain_usage_counter[chain_name] = 1;
}
void PolicyCompiler_ipt::verifyPlatform()
{
string family = Resources::platform_res[fw->getStr("platform")]->
getResourceStr("/FWBuilderResources/Target/family");
if (family != myPlatformName())
abort("Unsupported platform " + fw->getStr("platform") +
" (family " + family + ")");
}
int PolicyCompiler_ipt::prolog()
{
if (fw->getStr("platform")!="iptables")
abort(_("Unsupported platform ") + fw->getStr("platform") );
verifyPlatform();
int n = PolicyCompiler::prolog();
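Review bot: `verifyPlatform()` replaces a clean `abort(...)` for a non-iptables platform with `Resources::platform_res[fw->getStr("platform")]->getResourceStr(...)`, which dereferences a null pointer when the platform name has no resource file, so an unknown platform now crashes before the family comparison runs. Look the entry up with `find()` and abort on a miss. The `_()` translation wrapper that the removed `abort(_("Unsupported platform ") + ...)` line had is also gone from the new message.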
@ -4366,12 +4376,18 @@ PolicyCompiler_ipt::PrintRule* PolicyCompiler_ipt::createPrintRuleProcessor()
string PolicyCompiler_ipt::flushAndSetDefaultPolicy()
{
string res="";
createPrintRuleProcessor();
//res += printRule->_declareTable();
res += printRule->_flushAndSetDefaultPolicy();
string res = "";
if (fwopt->getBool("use_iptables_restore"))
{
res += "echo :INPUT DROP [0:0]\n";
res += "echo :FORWARD DROP [0:0]\n";
res += "echo :OUTPUT DROP [0:0]\n";
} else
{
if (!ipv6) res += "reset_iptables_v4\n\n";
else res += "reset_iptables_v6\n\n";
}
return res;
}
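Review bot: Both the mangle and the filter top-level rule sets call `flushAndSetDefaultPolicy()` from `processPolicyRuleSet` (`tmp << mangle_compiler->flushAndSetDefaultPolicy();` and later `tmp << policy_compiler->flushAndSetDefaultPolicy();`); with this body, unless `MangleTableCompiler_ipt` overrides the method, the script would contain `reset_iptables_v4` twice and the second call would flush the mangle rules loaded by the first. Confirm the override. The iptables-restore branch declares DROP only for the filter table's built-in chains, which matches the removed code; a one-line comment saying nat and mangle deliberately keep ACCEPT would save the next reader the same check.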


@ -920,7 +920,6 @@ namespace fwcompiler {
virtual std::string _printGlobalLogParameters();
virtual std::string _printOptionalGlobalRules();
virtual std::string _declareTable();
virtual std::string _flushAndSetDefaultPolicy();
virtual std::string _clampTcpToMssRule();
virtual std::string _commit();
virtual std::string _quote(const std::string &s);
@ -945,7 +944,6 @@ namespace fwcompiler {
public:
PrintRuleIptRst(const std::string &name) : PrintRule(name) {};
virtual std::string _declareTable();
virtual std::string _flushAndSetDefaultPolicy();
virtual std::string _commit();
virtual std::string _quote(const std::string &s);
@ -962,7 +960,6 @@ namespace fwcompiler {
public:
PrintRuleIptRstEcho(const std::string &name) : PrintRuleIptRst(name) {};
virtual std::string _declareTable();
virtual std::string _flushAndSetDefaultPolicy();
virtual std::string _commit();
virtual std::string _quote(const std::string &s);
@ -1000,7 +997,7 @@ namespace fwcompiler {
minus_n_commands = m_n_commands_map;
}
virtual void verifyPlatform();
virtual int prolog();
virtual void compile();
virtual void epilog();
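Review bot: `virtual void verifyPlatform();` joins the public interface without a comment; since `PolicyCompiler_ipcop` customises the check by overriding `myPlatformName()` rather than this method, document that subclasses are expected to override `myPlatformName()` and leave `verifyPlatform()` alone.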


@ -0,0 +1,55 @@
/*
Firewall Builder
Copyright (C) 2009 NetCitadel, LLC
Author: Vadim Kurland vadim@vk.crocodile.org
$Id: OSConfigurator_linux24.h 752 2009-01-30 04:54:03Z vadim $
This program is free software which we release under the GNU General Public
License. You may redistribute and/or modify this program under the terms
of that license as published by the Free Software Foundation; either
version 2 of the License, or (at your option) any later version.
This program is distributed in the hope that it will be useful,
but WITHOUT ANY WARRANTY; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
GNU General Public License for more details.
To get a copy of the GNU General Public License, write to the Free Software
Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
*/
#ifndef __ROUTINGCOMPILER_IPCOP_HH__
#define __ROUTINGCOMPILER_IPCOP_HH__
#include <fwbuilder/libfwbuilder-config.h>
#include "RoutingCompiler_ipt.h"
namespace fwcompiler {
class RoutingCompiler_ipcop : public RoutingCompiler_ipt {
protected:
virtual std::string myPlatformName() { return "ipcop"; };
public:
RoutingCompiler_ipcop(libfwbuilder::FWObjectDatabase *_db,
const std::string &fwname, bool ipv6_policy,
fwcompiler::OSConfigurator *_oscnf) :
RoutingCompiler_ipt(_db, fwname, ipv6_policy, _oscnf) {}
};
}
#endif
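Review bot: The `$Id: OSConfigurator_linux24.h 752 ...$` line was copied from a different header; reset it to `$Id$`. `virtual std::string myPlatformName() { return "ipcop"; };` carries a stray semicolon after the inline body that the PolicyCompiler_ipcop.h twin does not have.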


@ -30,6 +30,7 @@
#include "RoutingCompiler_ipt.h"
#include "fwbuilder/Resources.h"
#include "fwbuilder/FWObjectDatabase.h"
#include "fwbuilder/RuleElement.h"
#include "fwbuilder/Routing.h"
@ -64,13 +65,22 @@ static std::map<std::string,int> tmp_chain_no;
string RoutingCompiler_ipt::myPlatformName() { return "iptables"; }
void RoutingCompiler_ipt::verifyPlatform()
{
//TODO: Routing based on the 'ip' command is independent from iptables
string family = Resources::platform_res[fw->getStr("platform")]->
getResourceStr("/FWBuilderResources/Target/family");
if (family != myPlatformName())
abort("Unsupported platform " + fw->getStr("platform") +
" (family " + family + ")");
}
int RoutingCompiler_ipt::prolog()
{
int n = RoutingCompiler::prolog();
//TODO: Routing based on the 'ip' command is independent from iptables
if (fw->getStr("platform")!="iptables")
abort(_("Unsupported platform ") + fw->getStr("platform") );
verifyPlatform();
return n;
}
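Review bot: The `//TODO: Routing based on the 'ip' command is independent from iptables` comment now appears twice, once in `verifyPlatform()` and still in `prolog()` after the check it annotated moved out; keep only the copy in `verifyPlatform()`. The check itself still requires family `iptables` for routing, so an `ip`-only host is rejected exactly as the TODO says, and `Resources::platform_res[...]` carries the same null-dereference risk for an unknown platform as in PolicyCompiler_ipt.cpp.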


@ -180,6 +180,7 @@ namespace fwcompiler {
}
virtual void verifyPlatform();
virtual int prolog();
virtual void compile();
virtual void epilog();


@ -51,6 +51,7 @@
#include <ctype.h>
#include <assert.h>
#include <cstring>
#include <iomanip>
#include "PolicyCompiler_ipt.h"
#include "MangleTableCompiler_ipt.h"
@ -58,6 +59,12 @@
#include "RoutingCompiler_ipt.h"
#include "OSConfigurator_linux24.h"
#include "PolicyCompiler_ipcop.h"
#include "MangleTableCompiler_ipcop.h"
#include "NATCompiler_ipcop.h"
#include "RoutingCompiler_ipcop.h"
#include "OSConfigurator_ipcop.h"
#include "fwcompiler/Preprocessor.h"
#include "fwbuilder/Resources.h"
@ -113,6 +120,7 @@ static bool fw_by_id = false;
FWObjectDatabase *objdb = NULL;
bool prolog_done = false;
bool epilog_done = false;
static map<string,RuleSet*> branches;
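Review bot: `bool prolog_done` and `bool epilog_done` are file-scope globals without `static`, unlike the declarations around them (`static bool fw_by_id`, `static map<string,RuleSet*> branches`); make them `static` so they get internal linkage, and since `processPolicyRuleSet` both reads and sets them, consider initialising them in the per-firewall code path rather than at file scope.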
@ -139,6 +147,22 @@ class UpgradePredicate: public XMLTools::UpgradePredicate
}
};
/*
* Add indentation to each line in txt
*/
string indent(int n_spaces, const string &txt)
{
ostringstream output;
istringstream str(txt);
char line[4096];
while (!str.eof())
{
str.getline(line, sizeof(line));
output << std::setw(n_spaces) << std::setfill(' ') << " " << line << endl;
}
return output.str();
}
void assignRuleSetChain(RuleSet *ruleset)
{
string branch_name = ruleset->getName();
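Review bot: `indent()` loops on `!str.eof()` around `str.getline(line, sizeof(line))`: a line of 4096 or more characters leaves the stream with `failbit` set and `eofbit` clear, so every further `getline` returns without extracting and the loop never terminates; long iptables commands make this reachable. The last iteration also emits one extra indented empty line, because `eof` is only set by the read that fails after the final newline. `std::string line; while (std::getline(str, line)) output << std::string(n_spaces, ' ') << line << endl;` has neither problem and removes the `setw`/`setfill` trick.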
@ -311,6 +335,12 @@ bool processPolicyRuleSet(
bool have_connmark_in_output = false;
bool empty_output = true;
string prolog_place = fw->getOptionsObject()->getStr("prolog_place");
string platform = fw->getStr("platform");
bool flush_and_set_default_policy = Resources::getTargetCapabilityBool(
platform, "flush_and_set_default_policy");
string platform_family = Resources::platform_res[platform]->
getResourceStr("/FWBuilderResources/Target/family");
Policy *policy = Policy::cast(ruleset);
assignRuleSetChain(policy);
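Review bot: `platform_family` is computed here with `Resources::platform_res[platform]->getResourceStr(...)` and again in the caller (the `string platform_family = ...` block after `string host_os = fw->getStr("host_OS");`), as is `flush_and_set_default_policy`; compute both once in the caller and pass them into `processPolicyRuleSet`, which also confines the `operator[]` lookup to one place where it can be guarded.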
@ -320,27 +350,35 @@ bool processPolicyRuleSet(
bool ipv6_policy = (policy_af == AF_INET6);
MangleTableCompiler_ipt m(
objdb , fwobjectname.toUtf8().constData(),
ipv6_policy , oscnf,
&minus_n_commands_mangle );
MangleTableCompiler_ipt *mangle_compiler;
if (platform_family == "ipcop")
mangle_compiler = new MangleTableCompiler_ipcop(
objdb , fwobjectname.toUtf8().constData(),
ipv6_policy , oscnf,
&minus_n_commands_mangle );
else
mangle_compiler = new MangleTableCompiler_ipt(
objdb , fwobjectname.toUtf8().constData(),
ipv6_policy , oscnf,
&minus_n_commands_mangle );
if (!policy->isTop())
m.registerRuleSetChain(branch_name);
mangle_compiler->registerRuleSetChain(branch_name);
m.setSourceRuleSet( policy );
m.setRuleSetName(branch_name);
mangle_compiler->setSourceRuleSet( policy );
mangle_compiler->setRuleSetName(branch_name);
m.setDebugLevel( dl );
m.setDebugRule( drp );
m.setVerbose( (bool)(verbose) );
m.setHaveDynamicInterfaces(have_dynamic_interfaces);
if (test_mode) m.setTestMode();
mangle_compiler->setDebugLevel( dl );
mangle_compiler->setDebugRule( drp );
mangle_compiler->setVerbose( (bool)(verbose) );
mangle_compiler->setHaveDynamicInterfaces(have_dynamic_interfaces);
if (test_mode) mangle_compiler->setTestMode();
if ( (mangle_rules_count = m.prolog()) > 0 )
if ( (mangle_rules_count = mangle_compiler->prolog()) > 0 )
{
m.compile();
m.epilog();
mangle_compiler->compile();
mangle_compiler->epilog();
// We need to generate automatic rules in mangle
// table (-j CONNMARK --restore-mark) if CONNMARK
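Review bot: `mangle_compiler` is allocated with `new` and never deleted in the visible code (the previous `MangleTableCompiler_ipt m(...)` was a stack object); the same holds for `policy_compiler`, `nat_compiler` and `routing_compiler` further down. Hold them in `std::auto_ptr` (C++03) or delete them before the function returns. The four identical `if (platform_family == "ipcop") new ...ipcop(...) else new ...ipt(...)` blocks also want a small factory so the next platform family is added in one place.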
@ -353,16 +391,19 @@ bool processPolicyRuleSet(
// later if either of these flags is true after
// all rulesets have been processed.
have_connmark |= m.haveConnMarkRules();
have_connmark_in_output |= m.haveConnMarkRulesInOutput();
have_connmark |= mangle_compiler->haveConnMarkRules();
have_connmark_in_output |= mangle_compiler->haveConnMarkRulesInOutput();
long m_str_pos = mangle_table_stream.tellp();
if (policy->isTop())
{
ostringstream tmp;
tmp << m.flushAndSetDefaultPolicy();
tmp << m.printAutomaticRules();
if (flush_and_set_default_policy)
tmp << mangle_compiler->flushAndSetDefaultPolicy();
tmp << mangle_compiler->printAutomaticRules();
if (tmp.tellp() > 0)
{
@ -373,16 +414,16 @@ bool processPolicyRuleSet(
}
}
if (m.getCompiledScriptLength() > 0)
if (mangle_compiler->getCompiledScriptLength() > 0)
{
ostringstream tmp;
if (m.haveErrorsAndWarnings())
if (mangle_compiler->haveErrorsAndWarnings())
{
tmp << "# Policy compiler errors and warnings:" << "\n";
tmp << m.getErrors("# ");
tmp << mangle_compiler->getErrors("# ");
}
tmp << m.getCompiledScript();
tmp << mangle_compiler->getCompiledScript();
if (tmp.tellp() > 0)
{
@ -399,37 +440,44 @@ bool processPolicyRuleSet(
}
}
PolicyCompiler_ipt c(
objdb,fwobjectname.toUtf8().constData(), ipv6_policy, oscnf,
&minus_n_commands_filter);
PolicyCompiler_ipt *policy_compiler;
if (platform_family == "ipcop")
policy_compiler = new PolicyCompiler_ipcop(
objdb,fwobjectname.toUtf8().constData(), ipv6_policy, oscnf,
&minus_n_commands_filter);
else
policy_compiler = new PolicyCompiler_ipt(
objdb,fwobjectname.toUtf8().constData(), ipv6_policy, oscnf,
&minus_n_commands_filter);
if (!policy->isTop())
c.registerRuleSetChain(branch_name);
policy_compiler->registerRuleSetChain(branch_name);
c.setSourceRuleSet( policy );
c.setRuleSetName(branch_name);
policy_compiler->setSourceRuleSet( policy );
policy_compiler->setRuleSetName(branch_name);
c.setDebugLevel( dl );
c.setDebugRule( drp );
c.setVerbose( (bool)(verbose) );
c.setHaveDynamicInterfaces(have_dynamic_interfaces);
if (test_mode) c.setTestMode();
policy_compiler->setDebugLevel( dl );
policy_compiler->setDebugRule( drp );
policy_compiler->setVerbose( (bool)(verbose) );
policy_compiler->setHaveDynamicInterfaces(have_dynamic_interfaces);
if (test_mode) policy_compiler->setTestMode();
if ( (policy_rules_count=c.prolog()) > 0 )
if ( (policy_rules_count=policy_compiler->prolog()) > 0 )
{
c.compile();
c.epilog();
policy_compiler->compile();
policy_compiler->epilog();
if (c.getCompiledScriptLength() > 0)
if (policy_compiler->getCompiledScriptLength() > 0)
{
ostringstream tmp;
if (c.haveErrorsAndWarnings())
if (policy_compiler->haveErrorsAndWarnings())
{
tmp << "# Policy compiler errors and warnings:" << "\n";
tmp << c.getErrors("# ");
tmp << policy_compiler->getErrors("# ");
}
tmp << c.getCompiledScript();
tmp << policy_compiler->getCompiledScript();
if (tmp.tellp() > 0)
{
@ -455,16 +503,17 @@ bool processPolicyRuleSet(
{
ostringstream tmp;
tmp << c.flushAndSetDefaultPolicy();
if (flush_and_set_default_policy)
tmp << policy_compiler->flushAndSetDefaultPolicy();
if (!prolog_done && prolog_place == "after_flush" &&
!fw->getOptionsObject()->getBool("use_iptables_restore"))
{
tmp << "prolog_commands" << endl << endl;
tmp << "prolog_commands" << endl;
prolog_done = true;
}
tmp << c.printAutomaticRules();
tmp << policy_compiler->printAutomaticRules();
if (tmp.tellp() > 0)
{
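Review bot: When `flush_and_set_default_policy` is false and `prolog_place == "after_flush"`, `prolog_commands` is still emitted at this spot even though nothing was flushed; harmless, but the GUI label for that option becomes misleading on such platforms, so either document it or treat `after_flush` as `top` when the capability is absent.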
@ -785,25 +834,61 @@ _("Dynamic interface %s should not have an IP address object attached to it. Thi
string pfctl_dbg=(debug)?"-v":"";
OSConfigurator_linux24 *oscnf = NULL;
string family = Resources::os_res[
fw->getStr("host_OS")]->Resources::getResourceStr(
"/FWBuilderResources/Target/family");
string fw_version = fw->getStr("version");
if (fw_version.empty()) fw_version = "(any version)";
string platform = fw->getStr("platform");
string host_os = fw->getStr("host_OS");
if ( family=="linux24" )
string platform_family = Resources::platform_res[platform]->
getResourceStr("/FWBuilderResources/Target/family");
string os_family = Resources::os_res[host_os]->
getResourceStr("/FWBuilderResources/Target/family");
bool supports_prolog_epilog = Resources::getTargetCapabilityBool(
platform, "supports_prolog_epilog");
if (!supports_prolog_epilog)
{
prolog_done = true;
epilog_done = true;
}
string os_variant = DISTRO;
bool flush_and_set_default_policy = Resources::getTargetCapabilityBool(
platform, "flush_and_set_default_policy");
/* minimal sanity checking */
if (platform_family == "ipcop")
{
os_variant = "ipcop";
// can't use iptables-restore with ipcop
fw->getOptionsObject()->setBool("use_iptables_restore", false);
// ipcop has its own iptables commands that accept packets
// in states ESTABLISHED,RELATED
fw->getOptionsObject()->setBool("accept_established", false);
}
if (os_family == "ipcop")
oscnf = new OSConfigurator_ipcop(
objdb , fwobjectname.toUtf8().constData(), false);
if (os_family == "linux24")
oscnf = new OSConfigurator_linux24(
objdb , fwobjectname.toUtf8().constData(), false);
if (oscnf==NULL)
throw FWException(_("Unrecognized host OS ")+fw->getStr("host_OS")+" (family "+family+")");
throw FWException("Unrecognized host OS " +
fw->getStr("host_OS") +
" (family " + os_family+")");
/* do not put comment in the script if it is intended for linksys */
bool nocomm = Resources::os_res[fw->getStr("host_OS")]->
Resources::getResourceBool(
"/FWBuilderResources/Target/options/suppress_comments");
oscnf->prolog();
list<FWObject*> all_policies = fw->getByType(Policy::TYPENAME);
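Review bot: `fw->getOptionsObject()->setBool("use_iptables_restore", false)` and `setBool("accept_established", false)` mutate the firewall object's stored options to make the ipcop case work; if the compiler ever runs against an object database that is written back, the user's settings are silently overwritten. Read the two values into local booleans passed to `processPolicyRuleSet` instead. Separately, `os_variant` is set from `platform_family` while `oscnf` is chosen from `os_family`; a firewall with platform `ipcop` but host OS `linux24` passes both checks and then asks the linux24 resources for `ipcop` tool paths through `printPathForAllTools(os_variant)`. Reject that combination next to the "Unrecognized host OS" check.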
@ -812,6 +897,7 @@ _("Dynamic interface %s should not have an IP address object attached to it. Thi
int nat_rules_count = 0;
int routing_rules_count = 0;
bool have_nat = false;
bool have_ipv6 = false;
// track chains in each table separately. Can we have the same
// chain in filter and mangle tables ? Would it be the same
@ -823,7 +909,6 @@ _("Dynamic interface %s should not have an IP address object attached to it. Thi
std::map<const std::string, bool> minus_n_commands_mangle;
std::map<const std::string, bool> minus_n_commands_nat;
vector<int> ipv4_6_runs;
string generated_script;
@ -848,8 +933,7 @@ _("Dynamic interface %s should not have an IP address object attached to it. Thi
if (ipv4_run) ipv4_6_runs.push_back(AF_INET);
}
for (vector<int>::iterator i=ipv4_6_runs.begin();
i!=ipv4_6_runs.end(); ++i)
for (vector<int>::iterator i=ipv4_6_runs.begin(); i!=ipv4_6_runs.end(); ++i)
{
int policy_af = *i;
bool ipv6_policy = (policy_af == AF_INET6);
@ -916,46 +1000,56 @@ _("Dynamic interface %s should not have an IP address object attached to it. Thi
// compile NAT rules before policy rules because policy
// compiler needs to know the number of virtual addresses
// being created for NAT
NATCompiler_ipt n(
objdb, fwobjectname.toUtf8().constData(), ipv6_policy,
oscnf, &minus_n_commands_nat);
n.setSourceRuleSet( nat );
n.setRuleSetName(branch_name);
NATCompiler_ipt *nat_compiler;
n.setDebugLevel( dl );
n.setDebugRule( drn );
n.setVerbose( (bool)(verbose) );
n.setHaveDynamicInterfaces(have_dynamic_interfaces);
if (test_mode) n.setTestMode();
if (platform_family == "ipcop")
nat_compiler = new NATCompiler_ipcop(
objdb, fwobjectname.toUtf8().constData(), ipv6_policy,
oscnf, &minus_n_commands_nat);
else
nat_compiler = new NATCompiler_ipt(
objdb, fwobjectname.toUtf8().constData(), ipv6_policy,
oscnf, &minus_n_commands_nat);
if ( (nat_rules_count=n.prolog()) > 0 )
nat_compiler->setSourceRuleSet( nat );
nat_compiler->setRuleSetName(branch_name);
nat_compiler->setDebugLevel( dl );
nat_compiler->setDebugRule( drn );
nat_compiler->setVerbose( (bool)(verbose) );
nat_compiler->setHaveDynamicInterfaces(have_dynamic_interfaces);
if (test_mode) nat_compiler->setTestMode();
if ( (nat_rules_count=nat_compiler->prolog()) > 0 )
{
n.compile();
n.epilog();
nat_compiler->compile();
nat_compiler->epilog();
}
have_nat = (have_nat || (nat_rules_count > 0));
if (n.getCompiledScriptLength() > 0)
if (nat_compiler->getCompiledScriptLength() > 0)
{
nat_rules_stream << "# ================ Table 'nat', "
<< " rule set "
<< branch_name << "\n";
if (n.haveErrorsAndWarnings())
if (nat_compiler->haveErrorsAndWarnings())
{
nat_rules_stream << "# NAT compiler errors and "
<< "warnings:\n";
nat_rules_stream << n.getErrors("# ");
nat_rules_stream << nat_compiler->getErrors("# ");
}
if (nat->isTop())
{
nat_rules_stream << n.flushAndSetDefaultPolicy();
nat_rules_stream << n.printAutomaticRules();
if (flush_and_set_default_policy)
nat_rules_stream << nat_compiler->flushAndSetDefaultPolicy();
nat_rules_stream << nat_compiler->printAutomaticRules();
}
nat_rules_stream << n.getCompiledScript();
nat_rules_stream << nat_compiler->getCompiledScript();
nat_rules_stream << "\n";
empty_output = false;
}
@ -983,6 +1077,7 @@ _("Dynamic interface %s should not have an IP address object attached to it. Thi
{
if (ipv6_policy)
{
have_ipv6 = true;
generated_script += "\n\n";
generated_script += "# ================ IPv6\n";
generated_script += "\n\n";
@ -1002,22 +1097,27 @@ _("Dynamic interface %s should not have an IP address object attached to it. Thi
ipv6_policy);
}
RoutingCompiler_ipt r(
objdb , fwobjectname.toUtf8().constData() , false, oscnf );
RoutingCompiler_ipt *routing_compiler;
r.setDebugLevel( dl );
r.setDebugRule( drp );
r.setVerbose( verbose );
if (test_mode) r.setTestMode();
if (platform_family == "ipcop")
routing_compiler = new RoutingCompiler_ipcop(
objdb , fwobjectname.toUtf8().constData() , false, oscnf );
else
routing_compiler = new RoutingCompiler_ipt(
objdb , fwobjectname.toUtf8().constData() , false, oscnf );
if ( (routing_rules_count=r.prolog()) > 0 )
routing_compiler->setDebugLevel( dl );
routing_compiler->setDebugRule( drp );
routing_compiler->setVerbose( verbose );
if (test_mode) routing_compiler->setTestMode();
if ( (routing_rules_count=routing_compiler->prolog()) > 0 )
{
r.compile();
r.epilog();
routing_compiler->compile();
routing_compiler->epilog();
}
oscnf->generateCodeForProtocolHandlers(have_nat);
oscnf->printChecksForRunTimeMultiAddress();
oscnf->processFirewallOptions();
oscnf->configureInterfaces();
@ -1079,7 +1179,7 @@ _("Dynamic interface %s should not have an IP address object attached to it. Thi
<< fw_file_info.fileName() << "\n";
script << "#" << "\n";
script << "#" << "\n";
script << "# Compiled for iptables " << fw_version << "\n";
script << "# Compiled for " << platform << " " << fw_version << "\n";
script << "#" << "\n";
if ( !nocomm )
{
@ -1102,14 +1202,37 @@ _("Dynamic interface %s should not have an IP address object attached to it. Thi
script << "export PATH" << "\n";
script << "\n";
/*
* print definitions for variables IPTABLES, IP, LOGGER. Some day we may
* add a choice of distro in the GUI. Right now paths are either default
* for a given distro, or custom strings entered by user in the GUI and stored
* in firewall options.
*/
script << oscnf->printPathForAllTools(DISTRO);
/*
* print definitions for variables IPTABLES, IP, LOGGER. Some
* day we may add a choice of os_variant in the GUI. Right now
* paths are either default for a given os_variant, or custom
* strings entered by user in the GUI and stored in firewall
* options.
*/
script << oscnf->printPathForAllTools(os_variant);
script << oscnf->printShellFunctions(nocomm);
if (supports_prolog_epilog)
script << oscnf->printPrologEpilogFunctions(nocomm);
/*
* All functions have been defined.
* Actual script begins here
*/
script << "# See how we were called." << endl;
script << "# For backwards compatibility missing argument is equivalent to 'start'" << endl;
script << endl;
script << "test -z \"$1\" && {" << endl;
script << " $0 start" << endl;
script << " exit $?" << endl;
script << "}" << endl;
script << endl;
script << "case \"$1\" in" << endl;
script << " start)" << endl;
script << endl;
script << " " << "check_tools" << endl;
string prolog_place = fw->getOptionsObject()->getStr("prolog_place");
if (prolog_place == "") prolog_place="top";
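Review bot: `test -z "$1" && { $0 start; exit $?; }` re-executes the script through `$0`, which is only a usable path when the script is invoked by name; when it is piped into `sh` or sourced from another init script, `$0` is the shell itself. Defaulting inside the script (`ACTION="${1:-start}"` and `case "$ACTION" in`) avoids the re-exec while keeping the backwards-compatible behaviour the generated comment promises.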
@ -1125,28 +1248,30 @@ _("Dynamic interface %s should not have an IP address object attached to it. Thi
(prolog_place == "after_flush" &&
fw->getOptionsObject()->getBool("use_iptables_restore"))))
{
script << "prolog_commands" << endl << endl;
script << " prolog_commands" << endl;
prolog_done = true;
}
script << oscnf->getCompiledScript();
script << indent(2, oscnf->getCompiledScript());
script << "\n";
if (!prolog_done && prolog_place == "after_interfaces")
{
script << "prolog_commands" << endl << endl;
script << " prolog_commands" << endl;
prolog_done = true;
}
script << "log '";
if (omit_timestamp)
if (platform_family != "ipcop")
{
script << _("Activating firewall script");
} else
{
script << _("Activating firewall script generated ")
<< timestr << " " << _(" by ")
script << " log '";
if (omit_timestamp)
{
script << _("Activating firewall script");
} else
{
script << _("Activating firewall script generated ")
<< timestr << " " << _(" by ")
/* timezone removed because of bug #1205665 - sometimes timezone name
* has "'" in it which confuses shell and causes an error (for
* instance French daylight savings time is "Paris, Madrid (heure
@ -1154,22 +1279,21 @@ _("Dynamic interface %s should not have an IP address object attached to it. Thi
*
* << timestr << " " << tzname[stm->tm_isdst] << _(" by ")
*/
<< user_name;
<< user_name;
}
script << "'" << endl;
script << endl;
}
script << "'" << endl;
script << endl;
script << generated_script;
script << r.getCompiledScript();
script << oscnf->getCompiledScript();
script << indent(2, generated_script);
script << indent(2, routing_compiler->getCompiledScript());
script << indent(2, oscnf->getCompiledScript());
script << endl;
script << "epilog_commands" << endl;
if (!epilog_done) script << " epilog_commands" << endl;
script << oscnf->printIPForwardingCommands(nocomm);
script << indent(2, oscnf->printIPForwardingCommands(nocomm));
script << endl;
// no need to do this because we now abort the script if
@ -1182,6 +1306,15 @@ _("Dynamic interface %s should not have an IP address object attached to it. Thi
script << endl;
script << " ;;" << endl;
script << endl;
script << "stop)" << endl;
script << " reset_iptables_v4" << endl;
if (have_ipv6) script << " reset_iptables_v6" << endl;
script << " ;;" << endl;
script << "esac" << endl;
script << endl;
QFile fw_file(fw_file_name);
if (fw_file.open(QIODevice::WriteOnly))
{
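Review bot: The generated `case` has no `*)` branch, so `restart`, `status` or a typo exits 0 having done nothing; add `*) echo "Usage: $0 {start|stop}"; exit 1 ;;` before `esac`. `stop)` is also emitted without the two-space indent that `start)` gets (`script << " start)" << endl;`). If `reset_iptables_v4` keeps the `-P ... DROP` of the `_flushAndSetDefaultPolicy` code it replaces, `stop` locks the host down rather than opening it, which the usage text should say.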


@ -4,30 +4,36 @@ include(../../qmake.inc)
#
#
SOURCES = ipt.cpp \
OSConfigurator_linux24.cpp \
OSData.cpp \
combinedAddress.cpp \
PolicyCompiler_ipt.cpp \
PolicyCompiler_PrintRule.cpp \
PolicyCompiler_PrintRuleIptRst.cpp \
PolicyCompiler_PrintRuleIptRstEcho.cpp \
PolicyCompiler_ipt_optimizer.cpp \
NATCompiler_ipt.cpp \
MangleTableCompiler_ipt.cpp \
NATCompiler_PrintRule.cpp \
NATCompiler_PrintRuleIptRst.cpp \
NATCompiler_PrintRuleIptRstEcho.cpp \
MangleTableCompiler_ipt.cpp \
NATCompiler_ipt.cpp \
OSConfigurator_ipcop.cpp \
OSConfigurator_linux24.cpp \
OSData.cpp \
PolicyCompiler_PrintRule.cpp \
PolicyCompiler_PrintRuleIptRst.cpp \
PolicyCompiler_PrintRuleIptRstEcho.cpp \
PolicyCompiler_ipt.cpp \
PolicyCompiler_ipt_optimizer.cpp \
RoutingCompiler_ipt.cpp \
RoutingCompiler_ipt_writers.cpp
RoutingCompiler_ipt_writers.cpp \
combinedAddress.cpp
HEADERS = ../../config.h \
combinedAddress.h \
PolicyCompiler_ipt.h \
NATCompiler_ipt.h \
MangleTableCompiler_ipcop.h \
MangleTableCompiler_ipt.h \
RoutingCompiler_ipt.h \
NATCompiler_ipcop.h \
NATCompiler_ipt.h \
OSConfigurator_ipcop.h \
OSConfigurator_linux24.h \
OSData.h
OSData.h \
PolicyCompiler_ipcop.h \
PolicyCompiler_ipt.h \
RoutingCompiler_ipcop.h \
RoutingCompiler_ipt.h \
combinedAddress.h
!win32 {
QMAKE_COPY = ../../install.sh -m 0755 -s
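Review bot: HEADERS gains `MangleTableCompiler_ipcop.h`, `NATCompiler_ipcop.h`, `PolicyCompiler_ipcop.h` and `RoutingCompiler_ipcop.h`, but SOURCES gains only `OSConfigurator_ipcop.cpp`. Unless those four classes are defined entirely in their headers, the matching `.cpp` files are missing from the build and linking will fail with undefined references; add the sources, or drop the headers that have no implementation. The alphabetical reordering of both lists is fine but makes the real additions hard to spot in the diff, so a one-line mention in the commit message would help.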


@ -0,0 +1,411 @@
<h2>iptables settings</h2>
Most of the iptables options can be found in the man page iptables(1) or
online on the project web site at <a href="http://www.netfilter.org">http://www.netfilter.org</a>
<a name="compiler">
<hr>
<h2>Tab Compiler</h2>
<p>
<h3>Compiler</h3>
<p>
Full path to the policy compiler executable. Use this if you do not
want to use standard Firewall Builder policy compiler that comes
with the package or if you want to wrap compiler in a script.
<h3>Command line options for the compiler</h3>
<p>
Additional command line options for the policy compiler.
<h3>Output file name</h3>
<p>
Specify the name of the generated iptable script. If left blank, the
file name is constructed from the firewall object name and extension
".fw".
<h3>Assume firewall is part of 'any'</h3>
<p>
On some firewall platforms there is a difference in the
configuration command used to control access through the firewall
versus the command that controls access to the firewall itself. For
example, in iptables, packets headed for the firewall machine should
be inspected in the INPUT chain, while packets going through the
firewall are inspected in the FORWARD chain. If this option is ON,
the compiler generates code for both FORWARD and INPUT chains if it
sees any as the destination of the policy rule. In other words, it
assumes that the firewall is part of any, and packets may either
go to or through the firewall. If this option is off, the compiler
only generates code for the FORWARD chain. Compiler treats any in
the source of the rule in a similar way, generating code either for
the OUTPUT and FORWARD, or only for the FORWARD chain.
<h3>Accept TCP sessions opened prior to firewall restart</h3>
<p>
If this option is ON, the firewall will accept TCP sessions opened
before the firewall software has been activated. These sessions are
special because the firewall never saw their initiation phase. If
this option is on, the firewall creates an entry in the state table
when it sees a packet that apparently belongs to the unknown TCP
session.
<h3>Accept ESTABLISHED and RELATED packets before the first rule</h3>
<p>
This option generates an implicit rule to accept ESTABLISHED
and RELATED packets before the very first rule specified in the
GUI. This helps to reduce the size of the policy script generated
by the policy compiler. ESTABLISHED packets are basically
reply packets coming back from the server to the client. Iptables
keeps state information about each TCP session opened through
the firewall and thus can detect and permit these kind of packets
automatically. RELATED packets belong to another stream
somehow associated with the initial stream opened through the
firewall. FTP protocol is a good example of this situation. FTP
uses two TCP sessions: command channel and data channel.
You do not need to add a special rule for the data channel to
your policy because iptables understands when it needs to
permit packets that belong to the data channel that has been
created per request sent via a known command channel. This
option is ON by default. If for some reason you do not want to
have an implicit rule to permit these types of packets on top of
all the rules defined in the GUI, you should uncheck this option.
Remember that in this case you need to add a rule to permit
these types of packets yourself. You can use the Custom Service
object named ESTABLISHED in this rule. This service object
can be found in the Standard object tree.
<h3>Drop packets that are associated with no known connection</h3>
<p>
Add rule on top of the policy to match packets in state "INVALID"
and drop them. This is implemented using iptables module state with
option "--state INVALID". Additional checkbox makes generated script
drop and log such packets.
<h3>Bridging firewall</h3>
<p>
This option changes algorithms used by the policy compiler and makes
it generate script for a bridging firewall. A bridging firewall treats
broadcast packets differently, never uses INPUT and OUTPUT chains,
and has some other differences.
<h3>Detect shadowing in policy rules</h3>
<p>
Rule shadowing happens when a certain rule is a superset of a
subsequent rule and any packets potentially matched by the
subsequent rule have already been matched by the prior rule. For
example, if rule #1 uses the network object for the source and rule
#2 uses the host object located on that network for the source, rule
#1 shadows rule #2 because any packet matched by #1 will never be
matched by #2. This may be important if, say, rule #1 permits and #2
denies access to the same destination. If rule #1 shadows rule #2,
then rule #2 will never fire. This situation is most often an error;
the compiler can detect it and abort processing of the policy with
an appropriate error message.
<h3>Ignore empty groups in rules</h3>
<p>
Compiler supports special case when empty group is used in the
policy rule and there are no other objects in the same rule
element. Depending on the state of this option, it generates
iptables commands as follows:
<p>
<ul>
<li>OFF: Compiler treats such case as an error and stops
processing. This is because group with no objects is equivalent
to an empty rule element ("source" or "destination"), but empty
rule element is normally considered to be equal to "any". To
avoid errors this may cause, compiler considers this situation
an error.</li>
<li>ON: A group with no objects in it never matches any packets,
thus rendering the rule useless. When this option is turned on,
compiler just throws such rule away.</li>
</ul>
<p>
This is useful when one needs to control access to/from a group of
hosts which may change and sometimes becomes empty. When this
option is turned on, compiler will automatically disable the rule
if the group becomes empty. Group contents can be managed manually
or by a script using fwbedit command line tool.
<h3>Enable support for NAT of locally originated connections</h3>
<p>
By default sessions initiated by the firewall are not considered
subject to NAT and NAT rules are not placed in the OUTPUT
chain. However if this option is checked, compiler finds NAT rules
that can match sessions initiated by the firewall and places them in
the OUTPUT chain as well.
<h3>Clamp MSS to MTU</h3>
<p>
This adds a rule on top of the policy with iptables target TCPMSS
and option --clamp-mss-to-pmtu which automatically clamps MSS value
to (path_MTU - 40). This iptables rule is added only if ip
forwarding is turned on in the host settings dialog. since ip
forwarding for ipv4 and ipv6 can be configured separately, rules
with target TCPMSS for iptables and ip6tables are also added
separately if corresponding ip forwarding setting is
enabled. Finally, this target is only available in ip6tables
starting with version 1.3.8 and compiler will not add it to the
generated script if version is set to less than "1.4.x" in the
firewall object dialog.
<h3>Make Tag and Classify actions terminating</h3>
<p>
Normally, iptables targets MARK and CLASSIFY are not
terminating. This means iptables sets mark on the packet but does
not stop inspeaction process and other rules still inspect the same
packet. Fwbuilder policy compiler can emulate terminating behavior
for these rules if this checkbox is checked.
<h3>Default action on "Reject"</h3>
<p>
This defines what kind of ICMP message will be send back to the
sender if packet matches rule with action "Reject".
<h3>Always permit ssh access from the management station with given address</h3>
<p>
When this option is checked, compiler adds rules to permit ssh
access to the firewall from the specified address block. Rules are
placed at the very beginning of the policy to amke sure ssh access
is permitted even if there is an error in the policy which otherwise
would block it. Added rules permit packets that match both NEW and
ESTABLISHED states to avoid breaking ssh sessions that were already
established.
<a name="installer">
<hr>
<h2>Tab Installer</h2>
<p>
<h3>Directory on the firewall where script should be installed</h3>
<p>
Installer will try to put generated script in /etc on the firewall,
unless this option specify different location
<h3>User name used to authenticate to the firewall</h3>
<p>
This can be root or any regular user name. See "How to use built-in policy installer" on the web site at <a href="http://www.fwbuilder.org/guides/firewall_builder_howtos.html">http://www.fwbuilder.org/guides/firewall_builder_howtos.html</a>
<h3>Alternative name or address used to communicate with the firewall</h3>
<p>
Normally installer uses address of the interface marked as
"management" to communicate with the firewall. Note that installer
uses IP address rather than run DNS query for its name. You can
specify different IP address in this option if necessary.
<h3>Command that installer should execute on the firewall to activate the policy</h3>
<p>
If this option is blank, installer copies script produces by the
policy compiler to the firewall and executes it there. If this
option defines different command, installer copies generated script
and then runs this command.
<h3>Additional command line parameters to ssh</h3>
<p>
This can be useful if you want to use alternative port for the ssh
session to the firewall. Just put "-p PORT" here and this option
will be appended to the ssh command line.
<h3>External policy install script</h3>
<p>
Put the full path to your own installer script here if you have one.
<h3>Command line options for the script</h3>
<p>
Command line options to the external installer script go here.
<a name="prolog-epilog">
<hr>
<h2>Tab Prolog/Epilog</h2>
<p>
<h3>Prolog section</h3>
<p>
Add commands that you want compiler to insert into generated script
here. Prolog section is added at the beginning of the script, before
generated iptables commands. Note that generated iptables script is
just a shell script, so commands you place in the Prolog and Epilog
sections should be valid bourne shell commands.
<h3>Epilog section</h3>
<p>
Epilog commands are added at the bottom of generated script, after
iptables commands.
<a name="logging">
<hr>
<h3>Tab Logging</h3>
<p>
<h3>use LOG</h3>
<p>
Use target LOG for logging
<h3>log TCP seq. numbers</h3>
<p>
<i>Available if target <b>LOG</b> is used for logging</i>. Log TCP sequence
numbers. This is a security risk if the log is readable by users.
<h3>log TCP options</h3>
<p>
<i>Available if target <b>LOG</b> is used for logging</i>. Log options from
the TCP packet header.
<h3>log IP options</h3>
<p>
<i>Available if target <b>LOG</b> is used for logging</i>. Log options from
the IP packet header.
<h3>Use numeric syslog levels</h3>
<p>
<i>Available if target <b>LOG</b> is used for logging</i>. Use numeric log
levels instead of the names "debug", "info" etc. This option was
added long time ago because of a bug in iptables and probably is not
relevant any more.
<h3>Log level</h3>
<p>
<i>Available if target <b>LOG</b> is used for logging</i>. This option
refers to the syslog log level and is used with firewalls that
support logging via the syslog protocol. Here is the list of the
standard log levels: debug, info, notice, warning, error ,
crit and alert'
<h3>queue threshold</h3>
<p>
<i>Available if target <b>ULOG</b> is used for logging</i> Number of packet
to queue inside kernel. Setting this value to, e.g. 10 accumulates
ten packets inside the kernel and transmits them as one netlink
multipart message to userspace. Default is 1 (for backwards
compatibility).
<h3>netlink group</h3>
<p>
<i>Available if target <b>ULOG</b> is used for logging</i> This specifies
the netlink group (1-32) to which the packet is sent. Default value
is 1.
<h3>Log prefix</h3>
<p>
Log records will be prefixed with a string you enter in this option.
Firewall Builder supports the following macros in the log prefix that
are expanded at the compile time:
<p>
<ul>
<li>%N rule number in the GUI. </li>
<li>%A rule action </li>
<li>%I interface the rule is associated with </li>
<li>%C (iptables only) iptables chain that this rule generated
code for. </li>
</ul>
</p>
<h3>Logging limit</h3>
<p>
Generated iptables rules use module "limit" to limit amout of log
data they produce. You can limit logging to a given number of log
records per unit of time.
<h3>Activate logging in all rules</h3>
<p>
This makes all rules log, regardless of whether a rule requested
logging or not. This may be useful for debugging but produces a lot
of syslog data and should be used carefully.
<a name="script-options">
<hr>
<h3>Tab Script Options</h3>
<p>
<h3>Verify interfaces before loading firewall policy</h3>
<p>
this option makes compiler add commands to check if all interfaces
defined in the firewall object in the GUI really exist on the
firewall machine. Generated policy is probably going to be incorrect
and won't load because of iptables errors if it was generated for an
interface that does not really exist.
<h3>Turn debugging on in generated script</h3>
<p>
This option makes the generated firewall script print all commands
when it is executed. To do this, compiler adds "-x" to the shell
command line at the top of the script.
<a name="ipv6">
<hr>
<h3>Tab IPv6</h3>
<p>
<h3>Order in which IPv4 and IPv6 rules should be generated</h3>
<p>
Compiler can place ipv6 policies before or after ipv4 rules. This
option controls the order.
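Review bot: if this is the help text shipped for the new ipcop-family targets, the Installer tab contradicts their resource files: it says `Installer will try to put generated script in /etc on the firewall, unless this option specify different location`, while the resource files in this commit set `<fwdir>/etc/rc.d</fwdir>` and `<user_can_change_install_dir>false</user_can_change_install_dir>`. State that the directory is fixed to /etc/rc.d for these appliances. Smaller fixes in the same file: `inspeaction`, `amke`, `amout`, the stray quote in `crit and alert'`, the `<a name=...>` anchors that are never closed, the `</p>` after the log-prefix `</ul>` with no matching `<p>`, and `Tab Logging`, `Tab Script Options` and `Tab IPv6` being `<h3>` where the other tabs are `<h2>`.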


@ -0,0 +1,187 @@
<h2>Linux 2.4/2.6 kernel settings</h2>
All of these parameters are controlled either with <b>sysctl</b>
command line tool or via <b>/proc</b> file system. See file
<b>ip-sysctl.txt</b> for description of these parameters, and more.
The file can be found online for example here
<ul>
<li><a href="http://iptables-tutorial.frozentux.net/other/ip-sysctl.txt">
http://iptables-tutorial.frozentux.net/other/ip-sysctl.txt</a></li>
<li><a href="http://tldp.org/HOWTO/Adv-Routing-HOWTO/lartc.kernel.obscure.html">http://tldp.org/HOWTO/Adv-Routing-HOWTO/lartc.kernel.obscure.html</a></li>
</ul>
<p>
IPv6 related kernel settings are documented here:
<ul>
<li><a href="http://tldp.org/HOWTO/Linux+IPv6-HOWTO/chapter-kernel-settings.html">http://tldp.org/HOWTO/Linux+IPv6-HOWTO/chapter-kernel-settings.html</a></li>
</ul>
<hr>
<h2>Tab Options</h2>
<p>
<h3>IPv4 Packet Forwarding</h3>
<p>
Enable IPv4 forwarding between all interfaces
<h3>IPv6 Packet Forwarding</h3>
<p>
Enable IPv6 forwarding between all interfaces
<h3>Kernel anti-spoofing protection</h3>
<p>
<i>/proc/sys/net/ipv4/conf/all/rp_filter</i>
<p>
<ul>
<li>1 - do source validation by reversed path, as specified in RFC1812
Recommended option for single homed hosts and stub network
routers. Could cause troubles for complicated (not loop free)
networks running a slow unreliable protocol (sort of RIP),
or using static routes.
</li>
<li>0 - No source validation.
</li>
</ul>
<h3>Ignore broadcast pings</h3>
<p>
<i> /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts</i>
<p>
If set to true, then the kernel will ignore ICMP echo requests sent to
broadcast/multicast addresses.
<h3>Accept source route</h3>
<p>
Accept packets with SRR option.
<h3>Accept ICMP redirects</h3>
<p>
Accept ICMP Redirects.
<h3>Ignore bogus ICMP errors</h3>
<p>
<i> /proc/sys/net/ipv4/icmp_ignore_bogus_error_responses</i>
<p>
Some routers violate RFC 1122 by sending bogus responses to broadcast
frames. Such violations are normally logged via a kernel warning. If
this is set to TRUE, the kernel will not give such warnings, which
will avoid log file clutter.
<h3>Allow dynamic addresses</h3>
<p>
<i>/proc/sys/net/ipv4/ip_dynaddr</i>
<p>
If set, enables support for dynamic addresses.
<h3>Log martians</h3>
<p>
Log and drop "Martian" packets. A "Martian" packet is one for which
the host does not have a route back to the source IP address (it
apparently dropped in from Mars).
<hr>
<h2>Tab TCP</h2>
<p>
<h3>TCP FIN timeout</h3>
<p>
<i> /proc/sys/net/ipv4/tcp_fin_timeout</i>
<p>
Time to hold socket in state FIN-WAIT-2, if it was closed by our
side. Peer can be broken and never close its side, or even died
unexpectedly. Default value is 60sec. Usual value used in 2.2 was 180
seconds, you may restore it, but remember that if your machine is even
underloaded WEB server, you risk to overflow memory with kilotons of
dead sockets, FIN-WAIT-2 sockets are less dangerous than FIN-WAIT-1,
because they eat maximum 1.5K of memory, but they tend to live longer.
<h3>TCP keepalive time</h3>
<p>
<i>/proc/sys/net/ipv4/tcp_keepalive_intvl</i>
<p>
How often TCP sends out keepalive messages when keepalive is enabled.
Default: 2hours.
<h3>TCP window scaling</h3>
<p>
<i>/proc/sys/net/ipv4/tcp_window_scaling</i>
<p>
Enable window scaling as defined in RFC1323.
<h3>TCP sack</h3>
<p>
<i>/proc/sys/net/ipv4/tcp_sack</i>
<p>
Enable select acknowledgments (SACKS).
<h3>TCP fack</h3>
<p>
<i>/proc/sys/net/ipv4/tcp_fack</i>
<p>
Enable FACK congestion avoidance and fast restransmission.
The value is not used, if tcp_sack is not enabled.
<h3>TCP ECN</h3>
<p>
<i>/proc/sys/net/ipv4/tcp_ecn</i>
<p>
Enable Explicit Congestion Notification in TCP.
<h3>TCP SYN cookies</h3>
<p>
<i>/proc/sys/net/ipv4/tcp_syncookies</i>
<p>
Only valid when the kernel was compiled with CONFIG_SYNCOOKIES
Send out syncookies when the syn backlog queue of a socket
overflows. This is to prevent against the common 'syn flood attack'
Default: FALSE
<p>
Note, that syncookies is fallback facility.
It MUST NOT be used to help highly loaded servers to stand
against legal connection rate. If you see synflood warnings
in your logs, but investigation shows that they occur
because of overload with legal connections, you should tune
another parameters until this warning disappear.
See: tcp_max_syn_backlog, tcp_synack_retries, tcp_abort_on_overflow.
<p>
syncookies seriously violate TCP protocol, do not allow
to use TCP extensions, can result in serious degradation
of some services (f.e. SMTP relaying), visible not by you,
but your clients and relays, contacting you. While you see
synflood warnings in logs not being really flooded, your server
is seriously misconfigured.
<h3>TCP timestamps</h3>
<p>
<i>/proc/sys/net/ipv4/tcp_timestamps</i>
<p>
Enable timestamps as defined in RFC1323.
<hr>
<h2>Tab Path</h2>
<p>
In this tab you can set path to the system command line tools used
by generated iptables script. Use these if tools you expect to use
are located in non-standard directories (such as "/usr/local/bin",
"/use/local/sbin" etc.) Leave these blank if tools you expect to use
are in standard system directories.
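Review bot: the `TCP keepalive time` entry cites `/proc/sys/net/ipv4/tcp_keepalive_intvl` but describes `tcp_keepalive_time`: the two-hour default and "how often TCP sends out keepalive messages" belong to `tcp_keepalive_time` (idle time before the first probe), whereas `tcp_keepalive_intvl` is the interval between probes and defaults to 75 seconds. Fix either the path or the description so the dialog option documents the sysctl it actually sets. Also in this file: `restransmission`, `/use/local/sbin`, and the `Accept source route`, `Accept ICMP redirects` and `Log martians` entries give no `/proc` path while every other entry does (`conf/all/accept_source_route`, `conf/all/accept_redirects`, `conf/all/log_martians`).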

src/res/os/endian_os.xml Normal file

@ -0,0 +1,115 @@
<?xml version="1.0"?> <!-- -*- mode: xml; -*- -->
<FWBuilderResources version="3.1.0">
<Target name="endian_os">
<description>Endian Firewall Appliance</description>
<family>ipcop</family>
<dialog>ipcop_os</dialog>
<options>
<user_can_change_install_dir>false</user_can_change_install_dir>
<default>
<linux24_ip_forward>1</linux24_ip_forward>
<loopback_interface>lo</loopback_interface>
</default>
<activation>
<fwdir>/etc/rc.d</fwdir>
<fwdir_test>/tmp</fwdir_test>
<timeout_units>min</timeout_units>
<reg_user>
<run>
<copy>
%FWDIR%
</copy>
<compression>
</compression>
<no_compression>
echo '%FWBPROMPT%';
chmod +x %FWDIR%/%FWSCRIPT%;
sudo -S %FWDIR%/%FWSCRIPT% &#38;&#38; echo 'Policy activated'
</no_compression>
</run>
<test>
<copy>
%FWDIR%/tmp
</copy>
<rollback>
echo '%FWBPROMPT%';
echo 'sudo -S /sbin/shutdown -r +%RBTIMEOUT%'|batch;
chmod +x %FWDIR%/tmp/%FWSCRIPT%;
sudo -S %FWDIR%/tmp/%FWSCRIPT% &#38;&#38; echo 'Policy activated'
</rollback>
<no_rollback>
echo '%FWBPROMPT%';
chmod +x %FWDIR%/tmp/%FWSCRIPT%;
sudo -S %FWDIR%/tmp/%FWSCRIPT% &#38;&#38; echo 'Policy activated'
</no_rollback>
</test>
</reg_user>
<root>
<run>
<copy>
%FWDIR%
</copy>
<compression>
</compression>
<no_compression>
echo '%FWBPROMPT%';
sh %FWDIR%/%FWSCRIPT% &#38;&#38; echo 'Policy activated'
</no_compression>
</run>
<test>
<copy>
%FWDIR%/tmp
</copy>
<rollback>
echo '%FWBPROMPT%';
echo '/sbin/shutdown -r +%RBTIMEOUT%'|batch;
sh %FWDIR%/tmp/%FWSCRIPT% &#38;&#38; echo 'Policy activated'
</rollback>
<no_rollback>
echo '%FWBPROMPT%';
sh %FWDIR%/tmp/%FWSCRIPT% &#38;&#38; echo 'Policy activated'
</no_rollback>
</test>
</root>
</activation>
<!-- set to True if you want to suppress comments in the generated script -->
<suppress_comments>False</suppress_comments>
<!-- set to True if you do not need the script to load kernel modules -->
<suppress_modules>True</suppress_modules>
</options>
<capabilities>
<supports_routing>True</supports_routing>
</capabilities>
<tools>
<ipcop>
<path_lsmod>/sbin/lsmod</path_lsmod>
<path_modprobe>/sbin/modprobe</path_modprobe>
<path_iptables>/sbin/iptables</path_iptables>
<path_ip6tables>/sbin/ip6tables</path_ip6tables>
<path_iptables_restore>/sbin/iptables-restore</path_iptables_restore>
<path_ip6tables_restore>/sbin/ip6tables-restore</path_ip6tables_restore>
<path_ip>/sbin/ip</path_ip>
<path_logger>/usr/bin/logger</path_logger>
<path_expect>/usr/bin/expect</path_expect>
</ipcop>
</tools>
</Target>
</FWBuilderResources>
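Review bot: `<compression>` is empty in both the `<reg_user>` and `<root>` run blocks, so an installer run with compression enabled copies the file and then executes nothing, without an error. Either supply the decompress-and-run command or document that compression is unsupported for this family. Two things to confirm on a real appliance: the rollback path depends on `batch` and `/sbin/shutdown` being installed (`echo '... /sbin/shutdown -r +%RBTIMEOUT%'|batch`), and with `<suppress_modules>True</suppress_modules>` the `path_lsmod` and `path_modprobe` entries are never used.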

src/res/os/endian_os.xml.in Normal file

@ -0,0 +1,115 @@
<?xml version="1.0"?> <!-- -*- mode: xml; -*- -->
<FWBuilderResources version="@VERSION@">
<Target name="endian_os">
<description>Endian Firewall Appliance</description>
<family>ipcop</family>
<dialog>ipcop_os</dialog>
<options>
<user_can_change_install_dir>false</user_can_change_install_dir>
<default>
<linux24_ip_forward>1</linux24_ip_forward>
<loopback_interface>lo</loopback_interface>
</default>
<activation>
<fwdir>/etc/rc.d</fwdir>
<fwdir_test>/tmp</fwdir_test>
<timeout_units>min</timeout_units>
<reg_user>
<run>
<copy>
%FWDIR%
</copy>
<compression>
</compression>
<no_compression>
echo '%FWBPROMPT%';
chmod +x %FWDIR%/%FWSCRIPT%;
sudo -S %FWDIR%/%FWSCRIPT% &#38;&#38; echo 'Policy activated'
</no_compression>
</run>
<test>
<copy>
%FWDIR%/tmp
</copy>
<rollback>
echo '%FWBPROMPT%';
echo 'sudo -S /sbin/shutdown -r +%RBTIMEOUT%'|batch;
chmod +x %FWDIR%/tmp/%FWSCRIPT%;
sudo -S %FWDIR%/tmp/%FWSCRIPT% &#38;&#38; echo 'Policy activated'
</rollback>
<no_rollback>
echo '%FWBPROMPT%';
chmod +x %FWDIR%/tmp/%FWSCRIPT%;
sudo -S %FWDIR%/tmp/%FWSCRIPT% &#38;&#38; echo 'Policy activated'
</no_rollback>
</test>
</reg_user>
<root>
<run>
<copy>
%FWDIR%
</copy>
<compression>
</compression>
<no_compression>
echo '%FWBPROMPT%';
sh %FWDIR%/%FWSCRIPT% &#38;&#38; echo 'Policy activated'
</no_compression>
</run>
<test>
<copy>
%FWDIR%/tmp
</copy>
<rollback>
echo '%FWBPROMPT%';
echo '/sbin/shutdown -r +%RBTIMEOUT%'|batch;
sh %FWDIR%/tmp/%FWSCRIPT% &#38;&#38; echo 'Policy activated'
</rollback>
<no_rollback>
echo '%FWBPROMPT%';
sh %FWDIR%/tmp/%FWSCRIPT% &#38;&#38; echo 'Policy activated'
</no_rollback>
</test>
</root>
</activation>
<!-- set to True if you want to suppress comments in the generated script -->
<suppress_comments>False</suppress_comments>
<!-- set to True if you do not need the script to load kernel modules -->
<suppress_modules>True</suppress_modules>
</options>
<capabilities>
<supports_routing>True</supports_routing>
</capabilities>
<tools>
<ipcop>
<path_lsmod>/sbin/lsmod</path_lsmod>
<path_modprobe>/sbin/modprobe</path_modprobe>
<path_iptables>/sbin/iptables</path_iptables>
<path_ip6tables>/sbin/ip6tables</path_ip6tables>
<path_iptables_restore>/sbin/iptables-restore</path_iptables_restore>
<path_ip6tables_restore>/sbin/ip6tables-restore</path_ip6tables_restore>
<path_ip>/sbin/ip</path_ip>
<path_logger>/usr/bin/logger</path_logger>
<path_expect>/usr/bin/expect</path_expect>
</ipcop>
</tools>
</Target>
</FWBuilderResources>
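Review bot: this template is byte-for-byte the committed `src/res/os/endian_os.xml` with `@VERSION@` in place of `3.1.0`. Tracking both means every version bump touches two files and the generated copy can drift from the template; either have the build produce the `.xml` from the `.in` and stop committing the output, or keep only the `.xml`.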


@ -1,5 +1,5 @@
<?xml version="1.0"?> <!-- -*- mode: xml; -*- -->
<FWBuilderResources version="3.0.5">
<FWBuilderResources version="3.1.0">
<Target name="freebsd">
<description>FreeBSD</description>
<family>freebsd</family>


@ -1,5 +1,5 @@
<?xml version="1.0"?> <!-- -*- mode: xml; -*- -->
<FWBuilderResources version="3.0.5-">
<FWBuilderResources version="3.1.0-">
<Target name="pix_os">
<description>Cisco FWSM</description>
<compiler>fwb_pix</compiler>
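Review bot: the version string keeps a trailing hyphen (from `3.0.5-` to `3.1.0-`) while the other resource files in this commit use plain `3.1.0`; the ios hunk below has the same. If the hyphen carries no meaning for the resource loader, drop it while the line is being touched so all targets compare equal.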


@ -1,5 +1,5 @@
<?xml version="1.0"?> <!-- -*- mode: xml; -*- -->
<FWBuilderResources version="3.0.5-">
<FWBuilderResources version="3.1.0-">
<Target name="ios">
<description>Cisco IOS</description>
<compiler>fwb_iosacl</compiler>

src/res/os/ipcop_os.xml Normal file

@ -0,0 +1,116 @@
<?xml version="1.0"?> <!-- -*- mode: xml; -*- -->
<FWBuilderResources version="3.1.0">
<Target name="ipcop_os">
<description>IPCOP Firewall Appliance</description>
<family>ipcop</family>
<dialog>ipcop_os</dialog>
<options>
<user_can_change_install_dir>false</user_can_change_install_dir>
<default>
<linux24_ip_forward>1</linux24_ip_forward>
<loopback_interface>lo</loopback_interface>
</default>
<activation>
<fwdir>/etc/rc.d</fwdir>
<fwdir_test>/tmp</fwdir_test>
<timeout_units>min</timeout_units>
<reg_user>
<run>
<copy>
%FWDIR%
</copy>
<compression>
</compression>
<no_compression>
echo '%FWBPROMPT%';
chmod +x %FWDIR%/%FWSCRIPT%;
sudo -S %FWDIR%/%FWSCRIPT% &#38;&#38; echo 'Policy activated'
</no_compression>
</run>
<test>
<copy>
%FWDIR%/tmp
</copy>
<rollback>
echo '%FWBPROMPT%';
echo 'sudo -S /sbin/shutdown -r +%RBTIMEOUT%'|batch;
chmod +x %FWDIR%/tmp/%FWSCRIPT%;
sudo -S %FWDIR%/tmp/%FWSCRIPT% &#38;&#38; echo 'Policy activated'
</rollback>
<no_rollback>
echo '%FWBPROMPT%';
chmod +x %FWDIR%/tmp/%FWSCRIPT%;
sudo -S %FWDIR%/tmp/%FWSCRIPT% &#38;&#38; echo 'Policy activated'
</no_rollback>
</test>
</reg_user>
<root>
<run>
<copy>
%FWDIR%
</copy>
<compression>
</compression>
<no_compression>
echo '%FWBPROMPT%';
sh %FWDIR%/%FWSCRIPT% &#38;&#38; echo 'Policy activated'
</no_compression>
</run>
<test>
<copy>
%FWDIR%/tmp
</copy>
<rollback>
echo '%FWBPROMPT%';
echo '/sbin/shutdown -r +%RBTIMEOUT%'|batch;
sh %FWDIR%/tmp/%FWSCRIPT% &#38;&#38; echo 'Policy activated'
</rollback>
<no_rollback>
echo '%FWBPROMPT%';
sh %FWDIR%/tmp/%FWSCRIPT% &#38;&#38; echo 'Policy activated'
</no_rollback>
</test>
</root>
</activation>
<!-- set to True if you want to suppress comments in the generated script -->
<suppress_comments>False</suppress_comments>
<!-- set to True if you do not need the script to load kernel modules -->
<suppress_modules>True</suppress_modules>
</options>
<capabilities>
<supports_routing>True</supports_routing>
</capabilities>
<tools>
<ipcop>
<path_lsmod>/sbin/lsmod</path_lsmod>
<path_modprobe>/sbin/modprobe</path_modprobe>
<path_iptables>/sbin/iptables</path_iptables>
<path_ip6tables>/sbin/ip6tables</path_ip6tables>
<path_iptables_restore>/sbin/iptables-restore</path_iptables_restore>
<path_ip6tables_restore>/sbin/ip6tables-restore</path_ip6tables_restore>
<path_ip>/sbin/ip</path_ip>
<path_logger>/usr/bin/logger</path_logger>
<path_expect>/usr/bin/expect</path_expect>
</ipcop>
</tools>
</Target>
</FWBuilderResources>
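Review bot: apart from `<Target name="ipcop_os">` and the `<description>`, this file repeats `src/res/os/endian_os.xml` verbatim, and `oneshield_os.xml` below repeats it a third time; all three share `<family>ipcop</family>`, `<dialog>ipcop_os</dialog>` and identical activation blocks and tool paths. Any fix to the activation commands (the empty `<compression>` element, the `batch`-based rollback) now has to be made in three places; consider generating the per-appliance files from one template with only the name and description substituted.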

src/res/os/ipcop_os.xml.in Normal file

@ -0,0 +1,116 @@
<?xml version="1.0"?> <!-- -*- mode: xml; -*- -->
<FWBuilderResources version="@VERSION@">
<Target name="ipcop_os">
<description>IPCOP Firewall Appliance</description>
<family>ipcop</family>
<dialog>ipcop_os</dialog>
<options>
<user_can_change_install_dir>false</user_can_change_install_dir>
<default>
<linux24_ip_forward>1</linux24_ip_forward>
<loopback_interface>lo</loopback_interface>
</default>
<activation>
<fwdir>/etc/rc.d</fwdir>
<fwdir_test>/tmp</fwdir_test>
<timeout_units>min</timeout_units>
<reg_user>
<run>
<copy>
%FWDIR%
</copy>
<compression>
</compression>
<no_compression>
echo '%FWBPROMPT%';
chmod +x %FWDIR%/%FWSCRIPT%;
sudo -S %FWDIR%/%FWSCRIPT% &#38;&#38; echo 'Policy activated'
</no_compression>
</run>
<test>
<copy>
%FWDIR%/tmp
</copy>
<rollback>
echo '%FWBPROMPT%';
echo 'sudo -S /sbin/shutdown -r +%RBTIMEOUT%'|batch;
chmod +x %FWDIR%/tmp/%FWSCRIPT%;
sudo -S %FWDIR%/tmp/%FWSCRIPT% &#38;&#38; echo 'Policy activated'
</rollback>
<no_rollback>
echo '%FWBPROMPT%';
chmod +x %FWDIR%/tmp/%FWSCRIPT%;
sudo -S %FWDIR%/tmp/%FWSCRIPT% &#38;&#38; echo 'Policy activated'
</no_rollback>
</test>
</reg_user>
<root>
<run>
<copy>
%FWDIR%
</copy>
<compression>
</compression>
<no_compression>
echo '%FWBPROMPT%';
sh %FWDIR%/%FWSCRIPT% &#38;&#38; echo 'Policy activated'
</no_compression>
</run>
<test>
<copy>
%FWDIR%/tmp
</copy>
<rollback>
echo '%FWBPROMPT%';
echo '/sbin/shutdown -r +%RBTIMEOUT%'|batch;
sh %FWDIR%/tmp/%FWSCRIPT% &#38;&#38; echo 'Policy activated'
</rollback>
<no_rollback>
echo '%FWBPROMPT%';
sh %FWDIR%/tmp/%FWSCRIPT% &#38;&#38; echo 'Policy activated'
</no_rollback>
</test>
</root>
</activation>
<!-- set to True if you want to suppress comments in the generated script -->
<suppress_comments>False</suppress_comments>
<!-- set to True if you do not need the script to load kernel modules -->
<suppress_modules>True</suppress_modules>
</options>
<capabilities>
<supports_routing>True</supports_routing>
</capabilities>
<tools>
<ipcop>
<path_lsmod>/sbin/lsmod</path_lsmod>
<path_modprobe>/sbin/modprobe</path_modprobe>
<path_iptables>/sbin/iptables</path_iptables>
<path_ip6tables>/sbin/ip6tables</path_ip6tables>
<path_iptables_restore>/sbin/iptables-restore</path_iptables_restore>
<path_ip6tables_restore>/sbin/ip6tables-restore</path_ip6tables_restore>
<path_ip>/sbin/ip</path_ip>
<path_logger>/usr/bin/logger</path_logger>
<path_expect>/usr/bin/expect</path_expect>
</ipcop>
</tools>
</Target>
</FWBuilderResources>


@ -1,5 +1,5 @@
<?xml version="1.0"?> <!-- -*- mode: xml; -*- -->
<FWBuilderResources version="3.0.5">
<FWBuilderResources version="3.1.0">
<Target name="linksys">
<description>Linksys/Sveasoft</description>
<family>linux24</family>


@ -1,5 +1,5 @@
<?xml version="1.0"?> <!-- -*- mode: xml; -*- -->
<FWBuilderResources version="3.0.5">
<FWBuilderResources version="3.1.0">
<Target name="linux24">
<description>Linux 2.4/2.6</description>
<family>linux24</family>


@ -1,5 +1,5 @@
<?xml version="1.0"?> <!-- -*- mode: xml; -*- -->
<FWBuilderResources version="3.0.5">
<FWBuilderResources version="3.1.0">
<Target name="macosx">
<description>Mac OS X</description>
<family>macosx</family>

src/res/os/oneshield_os.xml Normal file

@ -0,0 +1,115 @@
<?xml version="1.0"?> <!-- -*- mode: xml; -*- -->
<FWBuilderResources version="3.1.0">
<Target name="oneshield_os">
<description>OneShield Firewall Appliance</description>
<family>ipcop</family>
<dialog>ipcop_os</dialog>
<options>
<user_can_change_install_dir>false</user_can_change_install_dir>
<default>
<linux24_ip_forward>1</linux24_ip_forward>
<loopback_interface>lo</loopback_interface>
</default>
<activation>
<fwdir>/etc/rc.d</fwdir>
<fwdir_test>/tmp</fwdir_test>
<timeout_units>min</timeout_units>
<reg_user>
<run>
<copy>
%FWDIR%
</copy>
<compression>
</compression>
<no_compression>
echo '%FWBPROMPT%';
chmod +x %FWDIR%/%FWSCRIPT%;
sudo -S %FWDIR%/%FWSCRIPT% &#38;&#38; echo 'Policy activated'
</no_compression>
</run>
<test>
<copy>
%FWDIR%/tmp
</copy>
<rollback>
echo '%FWBPROMPT%';
echo 'sudo -S /sbin/shutdown -r +%RBTIMEOUT%'|batch;
chmod +x %FWDIR%/tmp/%FWSCRIPT%;
sudo -S %FWDIR%/tmp/%FWSCRIPT% &#38;&#38; echo 'Policy activated'
</rollback>
<no_rollback>
echo '%FWBPROMPT%';
chmod +x %FWDIR%/tmp/%FWSCRIPT%;
sudo -S %FWDIR%/tmp/%FWSCRIPT% &#38;&#38; echo 'Policy activated'
</no_rollback>
</test>
</reg_user>
<root>
<run>
<copy>
%FWDIR%
</copy>
<compression>
</compression>
<no_compression>
echo '%FWBPROMPT%';
sh %FWDIR%/%FWSCRIPT% &#38;&#38; echo 'Policy activated'
</no_compression>
</run>
<test>
<copy>
%FWDIR%/tmp
</copy>
<rollback>
echo '%FWBPROMPT%';
echo '/sbin/shutdown -r +%RBTIMEOUT%'|batch;
sh %FWDIR%/tmp/%FWSCRIPT% &#38;&#38; echo 'Policy activated'
</rollback>
<no_rollback>
echo '%FWBPROMPT%';
sh %FWDIR%/tmp/%FWSCRIPT% &#38;&#38; echo 'Policy activated'
</no_rollback>
</test>
</root>
</activation>
<!-- set to True if you want to suppress comments in the generated script -->
<suppress_comments>False</suppress_comments>
<!-- set to True if you do not need the script to load kernel modules -->
<suppress_modules>True</suppress_modules>
</options>
<capabilities>
<supports_routing>True</supports_routing>
</capabilities>
<tools>
<ipcop>
<path_lsmod>/sbin/lsmod</path_lsmod>
<path_modprobe>/sbin/modprobe</path_modprobe>
<path_iptables>/sbin/iptables</path_iptables>
<path_ip6tables>/sbin/ip6tables</path_ip6tables>
<path_iptables_restore>/sbin/iptables-restore</path_iptables_restore>
<path_ip6tables_restore>/sbin/ip6tables-restore</path_ip6tables_restore>
<path_ip>/sbin/ip</path_ip>
<path_logger>/usr/bin/logger</path_logger>
<path_expect>/usr/bin/expect</path_expect>
</ipcop>
</tools>
</Target>
</FWBuilderResources>
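Review bot: the reg_user rollback in this hunk cannot act as a safety net. `echo 'sudo -S /sbin/shutdown -r +%RBTIMEOUT%'|batch;` schedules a job that has no terminal and nothing on stdin, but `sudo -S` reads the password from stdin, so the deferred reboot will fail and an operator who locks himself out with a bad policy never gets the rollback. Either restrict the rollback to the root block (where `/sbin/shutdown -r +%RBTIMEOUT%` runs without sudo) or give the reg_user path a non-interactive way to reboot, such as a sudoers entry for /sbin/shutdown with NOPASSWD, and say so in a comment. Two smaller points in the same block: `<fwdir_test>/tmp</fwdir_test>` does not match the test copy target `%FWDIR%/tmp` (which resolves to /etc/rc.d/tmp under the `/etc/rc.d` fwdir), so one of the two is wrong; and if /tmp is really the test directory, running `sudo -S %FWDIR%/tmp/%FWSCRIPT%` executes a file from a world-writable directory as root, which invites symlink and replacement races; a root-owned test directory under /etc/rc.d avoids that.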

View File

@ -0,0 +1,115 @@
<?xml version="1.0"?> <!-- -*- mode: xml; -*- -->
<FWBuilderResources version="@VERSION@">
<Target name="oneshield_os">
<description>OneShield Firewall Appliance</description>
<family>ipcop</family>
<dialog>ipcop_os</dialog>
<options>
<user_can_change_install_dir>false</user_can_change_install_dir>
<default>
<linux24_ip_forward>1</linux24_ip_forward>
<loopback_interface>lo</loopback_interface>
</default>
<activation>
<fwdir>/etc/rc.d</fwdir>
<fwdir_test>/tmp</fwdir_test>
<timeout_units>min</timeout_units>
<reg_user>
<run>
<copy>
%FWDIR%
</copy>
<compression>
</compression>
<no_compression>
echo '%FWBPROMPT%';
chmod +x %FWDIR%/%FWSCRIPT%;
sudo -S %FWDIR%/%FWSCRIPT% &#38;&#38; echo 'Policy activated'
</no_compression>
</run>
<test>
<copy>
%FWDIR%/tmp
</copy>
<rollback>
echo '%FWBPROMPT%';
echo 'sudo -S /sbin/shutdown -r +%RBTIMEOUT%'|batch;
chmod +x %FWDIR%/tmp/%FWSCRIPT%;
sudo -S %FWDIR%/tmp/%FWSCRIPT% &#38;&#38; echo 'Policy activated'
</rollback>
<no_rollback>
echo '%FWBPROMPT%';
chmod +x %FWDIR%/tmp/%FWSCRIPT%;
sudo -S %FWDIR%/tmp/%FWSCRIPT% &#38;&#38; echo 'Policy activated'
</no_rollback>
</test>
</reg_user>
<root>
<run>
<copy>
%FWDIR%
</copy>
<compression>
</compression>
<no_compression>
echo '%FWBPROMPT%';
sh %FWDIR%/%FWSCRIPT% &#38;&#38; echo 'Policy activated'
</no_compression>
</run>
<test>
<copy>
%FWDIR%/tmp
</copy>
<rollback>
echo '%FWBPROMPT%';
echo '/sbin/shutdown -r +%RBTIMEOUT%'|batch;
sh %FWDIR%/tmp/%FWSCRIPT% &#38;&#38; echo 'Policy activated'
</rollback>
<no_rollback>
echo '%FWBPROMPT%';
sh %FWDIR%/tmp/%FWSCRIPT% &#38;&#38; echo 'Policy activated'
</no_rollback>
</test>
</root>
</activation>
<!-- set to True if you want to suppress comments in the generated script -->
<suppress_comments>False</suppress_comments>
<!-- set to True if you do not need the script to load kernel modules -->
<suppress_modules>True</suppress_modules>
</options>
<capabilities>
<supports_routing>True</supports_routing>
</capabilities>
<tools>
<ipcop>
<path_lsmod>/sbin/lsmod</path_lsmod>
<path_modprobe>/sbin/modprobe</path_modprobe>
<path_iptables>/sbin/iptables</path_iptables>
<path_ip6tables>/sbin/ip6tables</path_ip6tables>
<path_iptables_restore>/sbin/iptables-restore</path_iptables_restore>
<path_ip6tables_restore>/sbin/ip6tables-restore</path_ip6tables_restore>
<path_ip>/sbin/ip</path_ip>
<path_logger>/usr/bin/logger</path_logger>
<path_expect>/usr/bin/expect</path_expect>
</ipcop>
</tools>
</Target>
</FWBuilderResources>
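Review bot: the template carries the same problems as the generated oneshield_os.xml above: `sudo -S` inside a batch job has no stdin to read the password from, so the reg_user rollback reboot will not fire; and `<fwdir_test>/tmp</fwdir_test>` disagrees with the `%FWDIR%/tmp` copy target used by the test blocks. Whichever fix lands, keep this .in file and the generated file identical apart from the `@VERSION@` substitution.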

View File

@ -1,5 +1,5 @@
<?xml version="1.0"?> <!-- -*- mode: xml; -*- -->
<FWBuilderResources version="3.0.5">
<FWBuilderResources version="3.1.0">
<Target name="openbsd">
<description>OpenBSD</description>
<family>openbsd</family>

View File

@ -1,5 +1,5 @@
<?xml version="1.0"?> <!-- -*- mode: xml; -*- -->
<FWBuilderResources version="3.0.5-">
<FWBuilderResources version="3.1.0-">
<Target name="pix_os">
<description>Cisco PIX</description>
<compiler>fwb_pix</compiler>

View File

@ -1,5 +1,5 @@
<?xml version="1.0"?> <!-- -*- mode: xml; -*- -->
<FWBuilderResources version="3.0.5">
<FWBuilderResources version="3.1.0">
<Target name="solaris">
<description>Solaris</description>
<family>solaris</family>

View File

@ -1,5 +1,5 @@
<?xml version="1.0"?> <!-- -*- mode: xml; -*- -->
<FWBuilderResources version="3.0.5">
<FWBuilderResources version="3.1.0">
<Target name="unknown_os">
<description>Unknown</description>
<family>unknown</family>
@ -97,16 +97,18 @@ sh /tmp/%FWSCRIPT% &#38;&#38; echo 'Policy activated'
</capabilities>
<tools>
<path_lsmod>/sbin/lsmod</path_lsmod>
<path_modprobe>/sbin/modprobe</path_modprobe>
<path_iptables>/sbin/iptables</path_iptables>
<path_ip>/sbin/ip</path_ip>
<path_logger>/usr/bin/logger</path_logger>
<path_expect>/usr/bin/expect</path_expect>
<path_ipfw>/sbin/ipfw</path_ipfw>
<path_ipf>/sbin/ipf</path_ipf>
<path_ipnat>/sbin/ipnat</path_ipnat>
<path_sysctl>/sbin/sysctl</path_sysctl>
<Unknown>
<path_lsmod>/sbin/lsmod</path_lsmod>
<path_modprobe>/sbin/modprobe</path_modprobe>
<path_iptables>/sbin/iptables</path_iptables>
<path_ip>/sbin/ip</path_ip>
<path_logger>/usr/bin/logger</path_logger>
<path_expect>/usr/bin/expect</path_expect>
<path_ipfw>/sbin/ipfw</path_ipfw>
<path_ipf>/sbin/ipf</path_ipf>
<path_ipnat>/sbin/ipnat</path_ipnat>
<path_sysctl>/sbin/sysctl</path_sysctl>
</Unknown>
</tools>
</Target>
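Review bot: the new wrapper element is `<Unknown>` with a capital U, while the Target declares `<family>unknown</family>` (visible just above the hunk, lowercase). The other OS resources in this commit key the tools block by the family string in the same case (family `ipcop` wraps its paths in `<ipcop>`), so if the tool-path lookup builds the element name from the family, none of the paths in this file will be found for the unknown OS. Use `<unknown>` here, or confirm that the lookup is case-insensitive.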

View File

@ -97,16 +97,18 @@ sh /tmp/%FWSCRIPT% &#38;&#38; echo 'Policy activated'
</capabilities>
<tools>
<path_lsmod>/sbin/lsmod</path_lsmod>
<path_modprobe>/sbin/modprobe</path_modprobe>
<path_iptables>/sbin/iptables</path_iptables>
<path_ip>/sbin/ip</path_ip>
<path_logger>/usr/bin/logger</path_logger>
<path_expect>/usr/bin/expect</path_expect>
<path_ipfw>/sbin/ipfw</path_ipfw>
<path_ipf>/sbin/ipf</path_ipf>
<path_ipnat>/sbin/ipnat</path_ipnat>
<path_sysctl>/sbin/sysctl</path_sysctl>
<Unknown>
<path_lsmod>/sbin/lsmod</path_lsmod>
<path_modprobe>/sbin/modprobe</path_modprobe>
<path_iptables>/sbin/iptables</path_iptables>
<path_ip>/sbin/ip</path_ip>
<path_logger>/usr/bin/logger</path_logger>
<path_expect>/usr/bin/expect</path_expect>
<path_ipfw>/sbin/ipfw</path_ipfw>
<path_ipf>/sbin/ipf</path_ipf>
<path_ipnat>/sbin/ipnat</path_ipnat>
<path_sysctl>/sbin/sysctl</path_sysctl>
</Unknown>
</tools>
</Target>
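Review bot: same case mismatch as in unknown_os.xml: `<Unknown>` versus family `unknown`. Settle the element name once and keep the .in template and the generated file identical.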

src/res/platform/endian.xml Normal file
View File

@ -0,0 +1,101 @@
<?xml version="1.0"?>
<FWBuilderResources version="3.1.0">
<Target name="endian">
<description>Endian Firewall Apliance (iptables)</description>
<group>Appliances</group>
<compiler>fwb_ipt</compiler>
<dialog>ipcop</dialog>
<supported_os>endian_os</supported_os>
<family>ipcop</family>
<options>
<default>
<load_modules>true</load_modules>
<verify_interfaces>true</verify_interfaces>
<firewall_is_part_of_any_and_networks>true</firewall_is_part_of_any_and_networks>
<accept_new_tcp_with_no_syn>true</accept_new_tcp_with_no_syn>
<accept_established>true</accept_established>
<configure_interfaces>true</configure_interfaces>
<manage_virtual_addr>true</manage_virtual_addr>
<log_level>info</log_level>
<log_prefix>RULE %N -- %A </log_prefix>
<ulog_nlgroup>1</ulog_nlgroup>
<limit_value>0</limit_value>
<check_shading>true</check_shading>
<verify_interfaces>true</verify_interfaces>
<local_nat>false</local_nat>
<!-- defaults for ipcop -->
<firewall_dir>/etc/rc.d/</firewall_dir>
<output_file>rc.firewall.local</output_file>
<admUser>root</admUser>
<activationCmd>/etc/rc.d/rc.firewall restart</activationCmd>
<linux24_ip_forward></linux24_ip_forward>
<linux24_ipv6_forward></linux24_ipv6_forward>
</default>
</options>
<capabilities>
<negation_in_interface_policy>True</negation_in_interface_policy>
<negation_in_policy>True</negation_in_policy>
<negation_in_nat>True</negation_in_nat>
<logging_in_policy>True</logging_in_policy>
<options_in_policy>True</options_in_policy>
<supports_nat>True</supports_nat>
<supports_time>True</supports_time>
<supports_accounting>True</supports_accounting>
<supports_routing_itf>True</supports_routing_itf>
<security_levels>False</security_levels>
<network_zones>False</network_zones>
<unprotected_interfaces>False</unprotected_interfaces>
<supports_prolog_epilog>True</supports_prolog_epilog>
<flush_and_set_default_policy>False</flush_and_set_default_policy>
<actions>
<Accept>
<supported>True</supported>
<parameter>None</parameter>
</Accept>
<Deny>
<supported>True</supported>
<parameter>None</parameter>
</Deny>
<Reject>
<supported>True</supported>
<parameter>Reject</parameter>
</Reject>
<Accounting>
<supported>True</supported>
<parameter>AccountingStr</parameter>
</Accounting>
<Tag>
<supported>True</supported>
<parameter>TagInt</parameter>
</Tag>
<Pipe>
<supported>True</supported>
<parameter>None</parameter>
</Pipe>
<Classify>
<supported>True</supported>
<parameter>ClassifyStr</parameter>
</Classify>
<Custom>
<supported>True</supported>
<parameter>CustomStr</parameter>
</Custom>
<Branch>
<supported>True</supported>
<parameter>BranchChain</parameter>
</Branch>
<Route>
<supported>True</supported>
<parameter>RouteIPT</parameter>
</Route>
<Continue>
<supported>True</supported>
<parameter>None</parameter>
</Continue>
</actions>
</capabilities>
</Target>
</FWBuilderResources>
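Review bot: `<verify_interfaces>true</verify_interfaces>` appears twice inside `<default>` (once after `<load_modules>`, again after `<check_shading>`); drop one copy so a later edit to one of them cannot silently disagree with the other. The description spells "Apliance" for "Appliance". Two points would benefit from a comment: `<flush_and_set_default_policy>False</flush_and_set_default_policy>` is the opposite of the plain iptables platform's True, and the reason (the generated rc.firewall.local is sourced by the appliance's own rc.firewall and must not wipe the appliance's rules) is only in the commit message; and `<linux24_ip_forward></linux24_ip_forward>` is empty here while oneshield_os.xml sets it to 1, so state whether empty means "leave the appliance's setting alone". Since `<admUser>root</admUser>` and `<activationCmd>/etc/rc.d/rc.firewall restart</activationCmd>` restart the entire appliance firewall as root, the prolog/epilog sections of the generated file run with root privileges too; worth a line in the dialog help.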

View File

@ -0,0 +1,101 @@
<?xml version="1.0"?>
<FWBuilderResources version="@VERSION@">
<Target name="endian">
<description>Endian Firewall Apliance (iptables)</description>
<group>Appliances</group>
<compiler>fwb_ipt</compiler>
<dialog>ipcop</dialog>
<supported_os>endian_os</supported_os>
<family>ipcop</family>
<options>
<default>
<load_modules>true</load_modules>
<verify_interfaces>true</verify_interfaces>
<firewall_is_part_of_any_and_networks>true</firewall_is_part_of_any_and_networks>
<accept_new_tcp_with_no_syn>true</accept_new_tcp_with_no_syn>
<accept_established>true</accept_established>
<configure_interfaces>true</configure_interfaces>
<manage_virtual_addr>true</manage_virtual_addr>
<log_level>info</log_level>
<log_prefix>RULE %N -- %A </log_prefix>
<ulog_nlgroup>1</ulog_nlgroup>
<limit_value>0</limit_value>
<check_shading>true</check_shading>
<verify_interfaces>true</verify_interfaces>
<local_nat>false</local_nat>
<!-- defaults for ipcop -->
<firewall_dir>/etc/rc.d/</firewall_dir>
<output_file>rc.firewall.local</output_file>
<admUser>root</admUser>
<activationCmd>/etc/rc.d/rc.firewall restart</activationCmd>
<linux24_ip_forward></linux24_ip_forward>
<linux24_ipv6_forward></linux24_ipv6_forward>
</default>
</options>
<capabilities>
<negation_in_interface_policy>True</negation_in_interface_policy>
<negation_in_policy>True</negation_in_policy>
<negation_in_nat>True</negation_in_nat>
<logging_in_policy>True</logging_in_policy>
<options_in_policy>True</options_in_policy>
<supports_nat>True</supports_nat>
<supports_time>True</supports_time>
<supports_accounting>True</supports_accounting>
<supports_routing_itf>True</supports_routing_itf>
<security_levels>False</security_levels>
<network_zones>False</network_zones>
<unprotected_interfaces>False</unprotected_interfaces>
<supports_prolog_epilog>True</supports_prolog_epilog>
<flush_and_set_default_policy>False</flush_and_set_default_policy>
<actions>
<Accept>
<supported>True</supported>
<parameter>None</parameter>
</Accept>
<Deny>
<supported>True</supported>
<parameter>None</parameter>
</Deny>
<Reject>
<supported>True</supported>
<parameter>Reject</parameter>
</Reject>
<Accounting>
<supported>True</supported>
<parameter>AccountingStr</parameter>
</Accounting>
<Tag>
<supported>True</supported>
<parameter>TagInt</parameter>
</Tag>
<Pipe>
<supported>True</supported>
<parameter>None</parameter>
</Pipe>
<Classify>
<supported>True</supported>
<parameter>ClassifyStr</parameter>
</Classify>
<Custom>
<supported>True</supported>
<parameter>CustomStr</parameter>
</Custom>
<Branch>
<supported>True</supported>
<parameter>BranchChain</parameter>
</Branch>
<Route>
<supported>True</supported>
<parameter>RouteIPT</parameter>
</Route>
<Continue>
<supported>True</supported>
<parameter>None</parameter>
</Continue>
</actions>
</capabilities>
</Target>
</FWBuilderResources>
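Review bot: the template duplicates `<verify_interfaces>true</verify_interfaces>` inside `<default>` and spells "Apliance" in the description, exactly as the generated endian.xml does; fix both in the .in file so the regenerated .xml picks them up.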

View File

@ -1,7 +1,8 @@
<?xml version="1.0"?>
<FWBuilderResources version="3.0.5-">
<FWBuilderResources version="3.1.0-">
<Target name="FWSM">
<description>FWSM</description>
<description>Cisco FWSM</description>
<group>Cisco</group>
<compiler>fwb_pix</compiler>
<dialog>pix</dialog>
<installer>fwb_inst_pix</installer>
@ -129,6 +130,7 @@ nameif %in %il security%sl
<security_levels>True</security_levels>
<network_zones>True</network_zones>
<unprotected_interfaces>False</unprotected_interfaces>
<supports_prolog_epilog>True</supports_prolog_epilog>
<actions>
<Accept>
<supported>True</supported>

View File

@ -1,7 +1,8 @@
<?xml version="1.0"?>
<FWBuilderResources version="@VERSION@-@RELEASE_NUM@">
<Target name="FWSM">
<description>FWSM</description>
<description>Cisco FWSM</description>
<group>Cisco</group>
<compiler>fwb_pix</compiler>
<dialog>pix</dialog>
<installer>fwb_inst_pix</installer>
@ -129,6 +130,7 @@ nameif %in %il security%sl
<security_levels>True</security_levels>
<network_zones>True</network_zones>
<unprotected_interfaces>False</unprotected_interfaces>
<supports_prolog_epilog>True</supports_prolog_epilog>
<actions>
<Accept>
<supported>True</supported>

View File

@ -1,7 +1,8 @@
<?xml version="1.0"?>
<FWBuilderResources version="3.0.5-">
<FWBuilderResources version="3.1.0-">
<Target name="iosacl">
<description>IOS ACL</description>
<description>Cisco IOS ACL</description>
<group>Cisco</group>
<compiler>fwb_iosacl</compiler>
<dialog>iosacl</dialog>
<installer>fwb_inst_iosacl</installer>
@ -52,6 +53,7 @@ interface %in
<security_levels>False</security_levels>
<network_zones>False</network_zones>
<unprotected_interfaces>True</unprotected_interfaces>
<supports_prolog_epilog>True</supports_prolog_epilog>
<actions>
<Accept>
<supported>True</supported>

View File

@ -1,7 +1,8 @@
<?xml version="1.0"?>
<FWBuilderResources version="@VERSION@-@RELEASE_NUM@">
<Target name="iosacl">
<description>IOS ACL</description>
<description>Cisco IOS ACL</description>
<group>Cisco</group>
<compiler>fwb_iosacl</compiler>
<dialog>iosacl</dialog>
<installer>fwb_inst_iosacl</installer>
@ -52,6 +53,7 @@ interface %in
<security_levels>False</security_levels>
<network_zones>False</network_zones>
<unprotected_interfaces>True</unprotected_interfaces>
<supports_prolog_epilog>True</supports_prolog_epilog>
<actions>
<Accept>
<supported>True</supported>

src/res/platform/ipcop.xml Normal file
View File

@ -0,0 +1,101 @@
<?xml version="1.0"?>
<FWBuilderResources version="3.1.0">
<Target name="endian">
<description>IPCOP Firewall Apliance (iptables)</description>
<group>Appliances</group>
<compiler>fwb_ipt</compiler>
<dialog>ipcop</dialog>
<supported_os>ipcop_os</supported_os>
<family>ipcop</family>
<options>
<default>
<load_modules>true</load_modules>
<verify_interfaces>true</verify_interfaces>
<firewall_is_part_of_any_and_networks>true</firewall_is_part_of_any_and_networks>
<accept_new_tcp_with_no_syn>true</accept_new_tcp_with_no_syn>
<accept_established>true</accept_established>
<configure_interfaces>true</configure_interfaces>
<manage_virtual_addr>true</manage_virtual_addr>
<log_level>info</log_level>
<log_prefix>RULE %N -- %A </log_prefix>
<ulog_nlgroup>1</ulog_nlgroup>
<limit_value>0</limit_value>
<check_shading>true</check_shading>
<verify_interfaces>true</verify_interfaces>
<local_nat>false</local_nat>
<!-- defaults for ipcop -->
<firewall_dir>/etc/rc.d/</firewall_dir>
<output_file>rc.firewall.local</output_file>
<admUser>root</admUser>
<activationCmd>/etc/rc.d/rc.firewall restart</activationCmd>
<linux24_ip_forward></linux24_ip_forward>
<linux24_ipv6_forward></linux24_ipv6_forward>
</default>
</options>
<capabilities>
<negation_in_interface_policy>True</negation_in_interface_policy>
<negation_in_policy>True</negation_in_policy>
<negation_in_nat>True</negation_in_nat>
<logging_in_policy>True</logging_in_policy>
<options_in_policy>True</options_in_policy>
<supports_nat>True</supports_nat>
<supports_time>True</supports_time>
<supports_accounting>True</supports_accounting>
<supports_routing_itf>True</supports_routing_itf>
<security_levels>False</security_levels>
<network_zones>False</network_zones>
<unprotected_interfaces>False</unprotected_interfaces>
<supports_prolog_epilog>True</supports_prolog_epilog>
<flush_and_set_default_policy>False</flush_and_set_default_policy>
<actions>
<Accept>
<supported>True</supported>
<parameter>None</parameter>
</Accept>
<Deny>
<supported>True</supported>
<parameter>None</parameter>
</Deny>
<Reject>
<supported>True</supported>
<parameter>Reject</parameter>
</Reject>
<Accounting>
<supported>True</supported>
<parameter>AccountingStr</parameter>
</Accounting>
<Tag>
<supported>True</supported>
<parameter>TagInt</parameter>
</Tag>
<Pipe>
<supported>True</supported>
<parameter>None</parameter>
</Pipe>
<Classify>
<supported>True</supported>
<parameter>ClassifyStr</parameter>
</Classify>
<Custom>
<supported>True</supported>
<parameter>CustomStr</parameter>
</Custom>
<Branch>
<supported>True</supported>
<parameter>BranchChain</parameter>
</Branch>
<Route>
<supported>True</supported>
<parameter>RouteIPT</parameter>
</Route>
<Continue>
<supported>True</supported>
<parameter>None</parameter>
</Continue>
</actions>
</capabilities>
</Target>
</FWBuilderResources>
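Review bot: `<Target name="endian">` is wrong for this file. The file is src/res/platform/ipcop.xml, the description says IPCOP and `<supported_os>ipcop_os</supported_os>` points at the IPCOP OS resource, yet endian.xml in this same commit already declares a Target named "endian". Two platform resources with the same Target name give the resource loader no way to tell them apart, so one will shadow the other and the firewall dialog will pair the wrong platform with the wrong OS. Change it to `<Target name="ipcop">` (the name the commit message uses for this platform). Same duplicated `<verify_interfaces>` element and "Apliance" spelling as in endian.xml.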

View File

@ -0,0 +1,101 @@
<?xml version="1.0"?>
<FWBuilderResources version="@VERSION@">
<Target name="endian">
<description>IPCOP Firewall Apliance (iptables)</description>
<group>Appliances</group>
<compiler>fwb_ipt</compiler>
<dialog>ipcop</dialog>
<supported_os>ipcop_os</supported_os>
<family>ipcop</family>
<options>
<default>
<load_modules>true</load_modules>
<verify_interfaces>true</verify_interfaces>
<firewall_is_part_of_any_and_networks>true</firewall_is_part_of_any_and_networks>
<accept_new_tcp_with_no_syn>true</accept_new_tcp_with_no_syn>
<accept_established>true</accept_established>
<configure_interfaces>true</configure_interfaces>
<manage_virtual_addr>true</manage_virtual_addr>
<log_level>info</log_level>
<log_prefix>RULE %N -- %A </log_prefix>
<ulog_nlgroup>1</ulog_nlgroup>
<limit_value>0</limit_value>
<check_shading>true</check_shading>
<verify_interfaces>true</verify_interfaces>
<local_nat>false</local_nat>
<!-- defaults for ipcop -->
<firewall_dir>/etc/rc.d/</firewall_dir>
<output_file>rc.firewall.local</output_file>
<admUser>root</admUser>
<activationCmd>/etc/rc.d/rc.firewall restart</activationCmd>
<linux24_ip_forward></linux24_ip_forward>
<linux24_ipv6_forward></linux24_ipv6_forward>
</default>
</options>
<capabilities>
<negation_in_interface_policy>True</negation_in_interface_policy>
<negation_in_policy>True</negation_in_policy>
<negation_in_nat>True</negation_in_nat>
<logging_in_policy>True</logging_in_policy>
<options_in_policy>True</options_in_policy>
<supports_nat>True</supports_nat>
<supports_time>True</supports_time>
<supports_accounting>True</supports_accounting>
<supports_routing_itf>True</supports_routing_itf>
<security_levels>False</security_levels>
<network_zones>False</network_zones>
<unprotected_interfaces>False</unprotected_interfaces>
<supports_prolog_epilog>True</supports_prolog_epilog>
<flush_and_set_default_policy>False</flush_and_set_default_policy>
<actions>
<Accept>
<supported>True</supported>
<parameter>None</parameter>
</Accept>
<Deny>
<supported>True</supported>
<parameter>None</parameter>
</Deny>
<Reject>
<supported>True</supported>
<parameter>Reject</parameter>
</Reject>
<Accounting>
<supported>True</supported>
<parameter>AccountingStr</parameter>
</Accounting>
<Tag>
<supported>True</supported>
<parameter>TagInt</parameter>
</Tag>
<Pipe>
<supported>True</supported>
<parameter>None</parameter>
</Pipe>
<Classify>
<supported>True</supported>
<parameter>ClassifyStr</parameter>
</Classify>
<Custom>
<supported>True</supported>
<parameter>CustomStr</parameter>
</Custom>
<Branch>
<supported>True</supported>
<parameter>BranchChain</parameter>
</Branch>
<Route>
<supported>True</supported>
<parameter>RouteIPT</parameter>
</Route>
<Continue>
<supported>True</supported>
<parameter>None</parameter>
</Continue>
</actions>
</capabilities>
</Target>
</FWBuilderResources>
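Review bot: `<Target name="endian">` in the ipcop.xml.in template is the same copy-paste error as in the generated ipcop.xml; it should be `<Target name="ipcop">` to match the file name, the description and `<supported_os>ipcop_os</supported_os>`. Fix it here first, since the .xml is generated from this file.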

View File

@ -1,7 +1,8 @@
<?xml version="1.0"?>
<FWBuilderResources version="3.0.5">
<FWBuilderResources version="3.1.0">
<Target name="ipf">
<description>ipfilter</description>
<group>Open Source Firewalls</group>
<compiler>fwb_ipf</compiler>
<dialog>ipf</dialog>
<supported_os>freebsd,solaris</supported_os>
@ -33,6 +34,7 @@
<security_levels>False</security_levels>
<network_zones>False</network_zones>
<unprotected_interfaces>False</unprotected_interfaces>
<supports_prolog_epilog>True</supports_prolog_epilog>
<actions>
<Accept>
<supported>True</supported>

View File

@ -2,6 +2,7 @@
<FWBuilderResources version="@VERSION@">
<Target name="ipf">
<description>ipfilter</description>
<group>Open Source Firewalls</group>
<compiler>fwb_ipf</compiler>
<dialog>ipf</dialog>
<supported_os>freebsd,solaris</supported_os>
@ -33,6 +34,7 @@
<security_levels>False</security_levels>
<network_zones>False</network_zones>
<unprotected_interfaces>False</unprotected_interfaces>
<supports_prolog_epilog>True</supports_prolog_epilog>
<actions>
<Accept>
<supported>True</supported>

View File

@ -1,7 +1,8 @@
<?xml version="1.0"?>
<FWBuilderResources version="3.0.5">
<FWBuilderResources version="3.1.0">
<Target name="ipfw">
<description>ipfw</description>
<group>Open Source Firewalls</group>
<compiler>fwb_ipfw</compiler>
<dialog>ipfw</dialog>
<supported_os>freebsd,macosx</supported_os>
@ -31,6 +32,7 @@
<security_levels>False</security_levels>
<network_zones>False</network_zones>
<unprotected_interfaces>False</unprotected_interfaces>
<supports_prolog_epilog>True</supports_prolog_epilog>
<actions>
<Accept>
<supported>True</supported>

View File

@ -2,6 +2,7 @@
<FWBuilderResources version="@VERSION@">
<Target name="ipfw">
<description>ipfw</description>
<group>Open Source Firewalls</group>
<compiler>fwb_ipfw</compiler>
<dialog>ipfw</dialog>
<supported_os>freebsd,macosx</supported_os>
@ -31,6 +32,7 @@
<security_levels>False</security_levels>
<network_zones>False</network_zones>
<unprotected_interfaces>False</unprotected_interfaces>
<supports_prolog_epilog>True</supports_prolog_epilog>
<actions>
<Accept>
<supported>True</supported>

View File

@ -1,10 +1,15 @@
<?xml version="1.0"?>
<FWBuilderResources version="3.0.5">
<FWBuilderResources version="3.1.0">
<Target name="iptables">
<description>iptables</description>
<group>Open Source Firewalls</group>
<compiler>fwb_ipt</compiler>
<dialog>iptables</dialog>
<supported_os>linux24</supported_os>
<!-- maintian order of supported os names to make them appear in the dialog
in the right order
-->
<supported_os>linux24,linksys</supported_os>
<family>iptables</family>
<options>
<default>
@ -38,6 +43,8 @@
<security_levels>False</security_levels>
<network_zones>False</network_zones>
<unprotected_interfaces>False</unprotected_interfaces>
<supports_prolog_epilog>True</supports_prolog_epilog>
<flush_and_set_default_policy>True</flush_and_set_default_policy>
<actions>
<Accept>
<supported>True</supported>
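Review bot: typo in the new comment: "maintian" should be "maintain". The comment itself is worth keeping, since the order of `<supported_os>linux24,linksys</supported_os>` now determines the order in the dialog and a later contributor might otherwise alphabetize it.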

View File

@ -2,9 +2,14 @@
<FWBuilderResources version="@VERSION@">
<Target name="iptables">
<description>iptables</description>
<group>Open Source Firewalls</group>
<compiler>fwb_ipt</compiler>
<dialog>iptables</dialog>
<supported_os>linux24</supported_os>
<!-- maintian order of supported os names to make them appear in the dialog
in the right order
-->
<supported_os>linux24,linksys</supported_os>
<family>iptables</family>
<options>
<default>
@ -38,6 +43,8 @@
<security_levels>False</security_levels>
<network_zones>False</network_zones>
<unprotected_interfaces>False</unprotected_interfaces>
<supports_prolog_epilog>True</supports_prolog_epilog>
<flush_and_set_default_policy>True</flush_and_set_default_policy>
<actions>
<Accept>
<supported>True</supported>
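Review bot: same typo as in iptables.xml: "maintian" should be "maintain".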

View File

@ -0,0 +1,101 @@
<?xml version="1.0"?>
<FWBuilderResources version="3.1.0">
<Target name="endian">
<description>OneShield Firewall Apliance (iptables)</description>
<group>Appliances</group>
<compiler>fwb_ipt</compiler>
<dialog>ipcop</dialog>
<supported_os>oneshield_os</supported_os>
<family>ipcop</family>
<options>
<default>
<load_modules>true</load_modules>
<verify_interfaces>true</verify_interfaces>
<firewall_is_part_of_any_and_networks>true</firewall_is_part_of_any_and_networks>
<accept_new_tcp_with_no_syn>true</accept_new_tcp_with_no_syn>
<accept_established>true</accept_established>
<configure_interfaces>true</configure_interfaces>
<manage_virtual_addr>true</manage_virtual_addr>
<log_level>info</log_level>
<log_prefix>RULE %N -- %A </log_prefix>
<ulog_nlgroup>1</ulog_nlgroup>
<limit_value>0</limit_value>
<check_shading>true</check_shading>
<verify_interfaces>true</verify_interfaces>
<local_nat>false</local_nat>
<!-- defaults for ipcop -->
<firewall_dir>/etc/rc.d/</firewall_dir>
<output_file>rc.firewall.local</output_file>
<admUser>root</admUser>
<activationCmd>/etc/rc.d/rc.firewall restart</activationCmd>
<linux24_ip_forward></linux24_ip_forward>
<linux24_ipv6_forward></linux24_ipv6_forward>
</default>
</options>
<capabilities>
<negation_in_interface_policy>True</negation_in_interface_policy>
<negation_in_policy>True</negation_in_policy>
<negation_in_nat>True</negation_in_nat>
<logging_in_policy>True</logging_in_policy>
<options_in_policy>True</options_in_policy>
<supports_nat>True</supports_nat>
<supports_time>True</supports_time>
<supports_accounting>True</supports_accounting>
<supports_routing_itf>True</supports_routing_itf>
<security_levels>False</security_levels>
<network_zones>False</network_zones>
<unprotected_interfaces>False</unprotected_interfaces>
<supports_prolog_epilog>True</supports_prolog_epilog>
<flush_and_set_default_policy>False</flush_and_set_default_policy>
<actions>
<Accept>
<supported>True</supported>
<parameter>None</parameter>
</Accept>
<Deny>
<supported>True</supported>
<parameter>None</parameter>
</Deny>
<Reject>
<supported>True</supported>
<parameter>Reject</parameter>
</Reject>
<Accounting>
<supported>True</supported>
<parameter>AccountingStr</parameter>
</Accounting>
<Tag>
<supported>True</supported>
<parameter>TagInt</parameter>
</Tag>
<Pipe>
<supported>True</supported>
<parameter>None</parameter>
</Pipe>
<Classify>
<supported>True</supported>
<parameter>ClassifyStr</parameter>
</Classify>
<Custom>
<supported>True</supported>
<parameter>CustomStr</parameter>
</Custom>
<Branch>
<supported>True</supported>
<parameter>BranchChain</parameter>
</Branch>
<Route>
<supported>True</supported>
<parameter>RouteIPT</parameter>
</Route>
<Continue>
<supported>True</supported>
<parameter>None</parameter>
</Continue>
</actions>
</capabilities>
</Target>
</FWBuilderResources>
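Review bot: `<Target name="endian">` is wrong here as well. This file is src/res/platform/oneshield.xml, the description says OneShield and `<supported_os>oneshield_os</supported_os>` points at the OneShield OS resource, but the Target name still carries the "endian" value it was copied from; with endian.xml (and, as written, ipcop.xml) declaring the same name, three platform resources now collide on "endian" and only one can win at load time. Presumably this should be `<Target name="oneshield">`, matching the file name and the `oneshield_os` pairing. The same duplicated `<verify_interfaces>` element and "Apliance" spelling are copied along with it.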

View File

@ -0,0 +1,101 @@
<?xml version="1.0"?>
<FWBuilderResources version="@VERSION@">
<Target name="endian">
<description>OneShield Firewall Apliance (iptables)</description>
<group>Appliances</group>
<compiler>fwb_ipt</compiler>
<dialog>ipcop</dialog>
<supported_os>oneshield_os</supported_os>
<family>ipcop</family>
<options>
<default>
<load_modules>true</load_modules>
<verify_interfaces>true</verify_interfaces>
<firewall_is_part_of_any_and_networks>true</firewall_is_part_of_any_and_networks>
<accept_new_tcp_with_no_syn>true</accept_new_tcp_with_no_syn>
<accept_established>true</accept_established>
<configure_interfaces>true</configure_interfaces>
<manage_virtual_addr>true</manage_virtual_addr>
<log_level>info</log_level>
<log_prefix>RULE %N -- %A </log_prefix>
<ulog_nlgroup>1</ulog_nlgroup>
<limit_value>0</limit_value>
<check_shading>true</check_shading>
<verify_interfaces>true</verify_interfaces>
<local_nat>false</local_nat>
<!-- defaults for ipcop -->
<firewall_dir>/etc/rc.d/</firewall_dir>
<output_file>rc.firewall.local</output_file>
<admUser>root</admUser>
<activationCmd>/etc/rc.d/rc.firewall restart</activationCmd>
<linux24_ip_forward></linux24_ip_forward>
<linux24_ipv6_forward></linux24_ipv6_forward>
</default>
</options>
<capabilities>
<negation_in_interface_policy>True</negation_in_interface_policy>
<negation_in_policy>True</negation_in_policy>
<negation_in_nat>True</negation_in_nat>
<logging_in_policy>True</logging_in_policy>
<options_in_policy>True</options_in_policy>
<supports_nat>True</supports_nat>
<supports_time>True</supports_time>
<supports_accounting>True</supports_accounting>
<supports_routing_itf>True</supports_routing_itf>
<security_levels>False</security_levels>
<network_zones>False</network_zones>
<unprotected_interfaces>False</unprotected_interfaces>
<supports_prolog_epilog>True</supports_prolog_epilog>
<flush_and_set_default_policy>False</flush_and_set_default_policy>
<actions>
<Accept>
<supported>True</supported>
<parameter>None</parameter>
</Accept>
<Deny>
<supported>True</supported>
<parameter>None</parameter>
</Deny>
<Reject>
<supported>True</supported>
<parameter>Reject</parameter>
</Reject>
<Accounting>
<supported>True</supported>
<parameter>AccountingStr</parameter>
</Accounting>
<Tag>
<supported>True</supported>
<parameter>TagInt</parameter>
</Tag>
<Pipe>
<supported>True</supported>
<parameter>None</parameter>
</Pipe>
<Classify>
<supported>True</supported>
<parameter>ClassifyStr</parameter>
</Classify>
<Custom>
<supported>True</supported>
<parameter>CustomStr</parameter>
</Custom>
<Branch>
<supported>True</supported>
<parameter>BranchChain</parameter>
</Branch>
<Route>
<supported>True</supported>
<parameter>RouteIPT</parameter>
</Route>
<Continue>
<supported>True</supported>
<parameter>None</parameter>
</Continue>
</actions>
</capabilities>
</Target>
</FWBuilderResources>
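Review bot: `<Target name="endian">` in oneshield.xml.in is the same copy-paste error as in the generated oneshield.xml; it should presumably be `<Target name="oneshield">` to match the file name and `<supported_os>oneshield_os</supported_os>`. Fix the template first so the generated file follows.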

View File

@ -1,7 +1,8 @@
<?xml version="1.0"?>
<FWBuilderResources version="3.0.5">
<FWBuilderResources version="3.1.0">
<Target name="pf">
<description>PF</description>
<group>Open Source Firewalls</group>
<compiler>fwb_pf</compiler>
<dialog>pf</dialog>
<supported_os>openbsd,freebsd</supported_os>
@ -36,6 +37,7 @@
<security_levels>False</security_levels>
<network_zones>False</network_zones>
<unprotected_interfaces>True</unprotected_interfaces>
<supports_prolog_epilog>True</supports_prolog_epilog>
<actions>
<Accept>
<supported>True</supported>

View File

@ -2,6 +2,7 @@
<FWBuilderResources version="@VERSION@">
<Target name="pf">
<description>PF</description>
<group>Open Source Firewalls</group>
<compiler>fwb_pf</compiler>
<dialog>pf</dialog>
<supported_os>openbsd,freebsd</supported_os>
@ -36,6 +37,7 @@
<security_levels>False</security_levels>
<network_zones>False</network_zones>
<unprotected_interfaces>True</unprotected_interfaces>
<supports_prolog_epilog>True</supports_prolog_epilog>
<actions>
<Accept>
<supported>True</supported>

View File

@ -1,7 +1,8 @@
<?xml version="1.0"?>
<FWBuilderResources version="3.0.5-">
<FWBuilderResources version="3.1.0-">
<Target name="pix">
<description>PIX</description>
<description>Cisco ASA (PIX)</description>
<group>Cisco</group>
<compiler>fwb_pix</compiler>
<dialog>pix</dialog>
<installer>fwb_inst_pix</installer>
@ -400,6 +401,7 @@ exit
<security_levels>True</security_levels>
<network_zones>True</network_zones>
<unprotected_interfaces>False</unprotected_interfaces>
<supports_prolog_epilog>True</supports_prolog_epilog>
<actions>
<Accept>
<supported>True</supported>

View File

@ -1,7 +1,8 @@
<?xml version="1.0"?>
<FWBuilderResources version="@VERSION@-@RELEASE_NUM@">
<Target name="pix">
<description>PIX</description>
<description>Cisco ASA (PIX)</description>
<group>Cisco</group>
<compiler>fwb_pix</compiler>
<dialog>pix</dialog>
<installer>fwb_inst_pix</installer>
@ -400,6 +401,7 @@ exit
<security_levels>True</security_levels>
<network_zones>True</network_zones>
<unprotected_interfaces>False</unprotected_interfaces>
<supports_prolog_epilog>True</supports_prolog_epilog>
<actions>
<Accept>
<supported>True</supported>

View File

@ -1,7 +1,8 @@
<?xml version="1.0"?>
<FWBuilderResources version="3.0.5">
<FWBuilderResources version="3.1.0">
<Target name="unknown">
<description>Unknown</description>
<group>Unknown</group>
<compiler></compiler>
<dialog>unknown</dialog>
<supported_os>unknown</supported_os>
@ -23,6 +24,7 @@
<security_levels>False</security_levels>
<network_zones>False</network_zones>
<unprotected_interfaces>False</unprotected_interfaces>
<supports_prolog_epilog>False</supports_prolog_epilog>
<actions>
<Accept>
<supported>True</supported>
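Review bot: `<supports_prolog_epilog>False</supports_prolog_epilog>` is the right value for a target with an empty `<compiler>`, but check that the GUI hides or disables the prolog/epilog editor when the flag is False; otherwise a user on the `unknown` platform can enter script text that no compiler will ever emit, with no indication why.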

View File

@ -2,6 +2,7 @@
<FWBuilderResources version="@VERSION@">
<Target name="unknown">
<description>Unknown</description>
<group>Unknown</group>
<compiler></compiler>
<dialog>unknown</dialog>
<supported_os>unknown</supported_os>
@ -23,6 +24,7 @@
<security_levels>False</security_levels>
<network_zones>False</network_zones>
<unprotected_interfaces>False</unprotected_interfaces>
<supports_prolog_epilog>False</supports_prolog_epilog>
<actions>
<Accept>
<supported>True</supported>

View File

@ -1,5 +1,5 @@
<?xml version="1.0"?>
<FWBuilderResources version="3.0.5">
<FWBuilderResources version="3.1.0">
<Paths>
<Icndir>@PACKAGE_PIXMAPS_DIR@</Icndir>
</Paths>

View File

@ -1,22 +1,17 @@
<?xml version="1.0" encoding="utf-8"?>
<!DOCTYPE FWObjectDatabase SYSTEM "fwbuilder.dtd">
<FWObjectDatabase xmlns="http://www.fwbuilder.org/1.0/" version="10" lastModified="1215463063" id="root">
<Library id="sysid99" name="Deleted Objects" ro="False">
<ICMP6Service id="idE0C27650" name="ipv6 dest unreachable" comment="No route to destination" code="0" type="1"/>
<Interface id="id4699503D32343" name="Null0" bridgeport="False" dyn="False" label="" security_level="100" unnum="False" unprotected="False">
<IPv4 id="id4699503E32343" name="c36xx:Null0:ip" address="0.0.0.0" netmask="255.255.255.255"/>
</Interface>
</Library>
<Library id="syslib100" name="Firewall Templates" comment="Template objects that can be used to generate typical firewall configurations" color="#ffb4b4" ro="True">
<ObjectGroup id="id4070BB9B" name="Objects">
<ObjectGroup id="id4070BB9B_og_ats_1" name="Address Tables"/>
<ObjectGroup id="id4070BB9B_og_dnsn_1" name="DNS Names"/>
<ObjectGroup id="id4070BB9C" name="Addresses"/>
<ObjectGroup id="id4070BB9D" name="Groups"/>
<ObjectGroup id="id4070BB9E" name="Hosts">
<Host id="id40CBF1A5" name="PC with 1 interface" comment="This object represents a PC with a single network interface">
<Interface id="id40CBF1A7" name="eth0" bridgeport="False" dyn="False" label="" security_level="0" unnum="False" unprotected="False">
<IPv4 id="id40CBF1A9" name="pc:eth0:ip" address="192.168.1.1" netmask="255.255.255.0"/>
<FWObjectDatabase xmlns="http://www.fwbuilder.org/1.0/" version="10" lastModified="1239820101" id="root">
<Library id="sysid99" name="Deleted Objects" comment="" ro="False"/>
<Library id="syslib100" color="#ffb4b4" name="Firewall Templates" comment="Template objects that can be used to generate typical firewall configurations" ro="True">
<ObjectGroup id="id4070BB9B" name="Objects" comment="" ro="False">
<ObjectGroup id="id4070BB9B_og_ats_1" name="Address Tables" comment="" ro="False"/>
<ObjectGroup id="id4070BB9B_og_dnsn_1" name="DNS Names" comment="" ro="False"/>
<ObjectGroup id="id4070BB9C" name="Addresses" comment="" ro="False"/>
<ObjectGroup id="id4070BB9D" name="Groups" comment="" ro="False"/>
<ObjectGroup id="id4070BB9E" name="Hosts" comment="" ro="False">
<Host id="id40CBF1A5" name="PC with 1 interface" comment="This object represents a PC with a single network interface" ro="False">
<Interface id="id40CBF1A7" bridgeport="False" dyn="False" label="" security_level="0" unnum="False" unprotected="False" name="eth0" comment="" ro="False">
<IPv4 id="id40CBF1A9" name="pc:eth0:ip" comment="" ro="False" address="192.168.1.1" netmask="255.255.255.0"/>
</Interface>
<Management address="0.0.0.0">
<SNMPManagement enabled="False" snmp_read_community="" snmp_write_community=""/>
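Review bot: the substantive change in this hunk, emptying the `Deleted Objects` library of the stray `ICMP6Service` and the `Null0` interface (`c36xx:Null0:ip`), is buried under a whole-file re-serialisation that reorders attributes and adds `comment=""` and `ro="False"` to every element, so a reviewer cannot tell from the diff whether anything else moved. Commit the GUI re-save separately, or state in the commit message that only the deleted-object cleanup and the new rule-set flags are intentional.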
@ -27,12 +22,12 @@
<Option name="use_mac_addr_filter">False</Option>
</HostOptions>
</Host>
<Host id="id40CBF1AC" name="PC with 2 interfaces" comment="This object represents a PC with two network interfaces">
<Interface id="id40CBF1AE" name="eth0" bridgeport="False" dyn="False" label="" security_level="0" unnum="False" unprotected="False">
<IPv4 id="id40CBF1B0" name="pc:eth0:ip" address="192.168.1.1" netmask="255.255.255.0"/>
<Host id="id40CBF1AC" name="PC with 2 interfaces" comment="This object represents a PC with two network interfaces" ro="False">
<Interface id="id40CBF1AE" bridgeport="False" dyn="False" label="" security_level="0" unnum="False" unprotected="False" name="eth0" comment="" ro="False">
<IPv4 id="id40CBF1B0" name="pc:eth0:ip" comment="" ro="False" address="192.168.1.1" netmask="255.255.255.0"/>
</Interface>
<Interface id="id40CBF1B1" name="eth1" bridgeport="False" dyn="False" label="" security_level="0" unnum="False" unprotected="False">
<IPv4 id="id40CBF1B3" name="pc:eth1:ip" address="192.168.2.1" netmask="255.255.255.0"/>
<Interface id="id40CBF1B1" bridgeport="False" dyn="False" label="" security_level="0" unnum="False" unprotected="False" name="eth1" comment="" ro="False">
<IPv4 id="id40CBF1B3" name="pc:eth1:ip" comment="" ro="False" address="192.168.2.1" netmask="255.255.255.0"/>
</Interface>
<Management address="0.0.0.0">
<SNMPManagement enabled="False" snmp_read_community="" snmp_write_community=""/>
@ -43,12 +38,12 @@
<Option name="use_mac_addr_filter">False</Option>
</HostOptions>
</Host>
<Host id="id40CBF1C8" name="Router with 2 interfaces" comment="This object represents a router with two interfaces. You may need to change interface names if your router uses different naming scheme.">
<Interface id="id40CBF1CB" name="FastEthernet 0/0" bridgeport="False" dyn="False" label="" security_level="0" unnum="False" unprotected="False">
<IPv4 id="id40CBF1CD" name="rtr:FE0/0:ip" address="192.168.1.1" netmask="255.255.255.0"/>
<Host id="id40CBF1C8" name="Router with 2 interfaces" comment="This object represents a router with two interfaces. You may need to change interface names if your router uses different naming scheme." ro="False">
<Interface id="id40CBF1CB" bridgeport="False" dyn="False" label="" security_level="0" unnum="False" unprotected="False" name="FastEthernet 0/0" comment="" ro="False">
<IPv4 id="id40CBF1CD" name="rtr:FE0/0:ip" comment="" ro="False" address="192.168.1.1" netmask="255.255.255.0"/>
</Interface>
<Interface id="id40CBF1CE" name="FastEthernet 0/1" bridgeport="False" dyn="False" label="" security_level="0" unnum="False" unprotected="False">
<IPv4 id="id40CBF1D0" name="rtr:FE0/1:ip" address="192.168.2.1" netmask="255.255.255.0"/>
<Interface id="id40CBF1CE" bridgeport="False" dyn="False" label="" security_level="0" unnum="False" unprotected="False" name="FastEthernet 0/1" comment="" ro="False">
<IPv4 id="id40CBF1D0" name="rtr:FE0/1:ip" comment="" ro="False" address="192.168.2.1" netmask="255.255.255.0"/>
</Interface>
<Management address="0.0.0.0">
<SNMPManagement enabled="False" snmp_read_community="" snmp_write_community=""/>
@ -60,23 +55,23 @@
</HostOptions>
</Host>
</ObjectGroup>
<ObjectGroup id="id4070BB9F" name="Networks"/>
<ObjectGroup id="id4070BBA0" name="Address Ranges"/>
<ObjectGroup id="id4070BB9F" name="Networks" comment="" ro="False"/>
<ObjectGroup id="id4070BBA0" name="Address Ranges" comment="" ro="False"/>
</ObjectGroup>
<ServiceGroup id="id4070BBA1" name="Services">
<ServiceGroup id="id4070BBA1_userservices" name="Users"/>
<ServiceGroup id="id4070BBA1_og_tag_1" name="TagServices"/>
<ServiceGroup id="id4070BBA2" name="Groups"/>
<ServiceGroup id="id4070BBA3" name="ICMP"/>
<ServiceGroup id="id4070BBA4" name="IP"/>
<ServiceGroup id="id4070BBA5" name="TCP"/>
<ServiceGroup id="id4070BBA6" name="UDP"/>
<ServiceGroup id="id4070BBA7" name="Custom"/>
<ServiceGroup id="id4070BBA1" name="Services" comment="" ro="False">
<ServiceGroup id="id4070BBA1_userservices" name="Users" comment="" ro="False"/>
<ServiceGroup id="id4070BBA1_og_tag_1" name="TagServices" comment="" ro="False"/>
<ServiceGroup id="id4070BBA2" name="Groups" comment="" ro="False"/>
<ServiceGroup id="id4070BBA3" name="ICMP" comment="" ro="False"/>
<ServiceGroup id="id4070BBA4" name="IP" comment="" ro="False"/>
<ServiceGroup id="id4070BBA5" name="TCP" comment="" ro="False"/>
<ServiceGroup id="id4070BBA6" name="UDP" comment="" ro="False"/>
<ServiceGroup id="id4070BBA7" name="Custom" comment="" ro="False"/>
</ServiceGroup>
<ObjectGroup id="id4070BBA8" name="Firewalls">
<Firewall id="id40708A6A" name="fw template 1" comment="This firewall has two interfaces. Eth0 faces outside and has a dynamic address; eth1 faces inside.&#10;Policy includes basic rules to permit unrestricted outbound access and anti-spoofing rules. Access to the firewall is permitted only from internal network and only using SSH. The firewall uses one of the machines on internal network for DNS. Internal network is configured with address 192.168.1.0/255.255.255.0" host_OS="unknown_os" lastCompiled="0" lastInstalled="0" lastModified="0" platform="unknown" ro="False" version="">
<NAT id="id40708A6E" name="NAT" ipv6_rule_set="False" top_rule_set="True">
<NATRule id="id4070BFF5" disabled="False" position="0">
<ObjectGroup id="id4070BBA8" name="Firewalls" comment="" ro="False">
<Firewall id="id40708A6A" host_OS="unknown_os" lastCompiled="0" lastInstalled="0" lastModified="0" platform="unknown" version="" name="fw template 1" comment="This firewall has two interfaces. Eth0 faces outside and has a dynamic address; eth1 faces inside.&#10;Policy includes basic rules to permit unrestricted outbound access and anti-spoofing rules. Access to the firewall is permitted only from internal network and only using SSH. The firewall uses one of the machines on internal network for DNS. Internal network is configured with address 192.168.1.0/255.255.255.0" ro="False">
<NAT id="id40708A6E" name="NAT" comment="" ro="False" ipv4_rule_set="False" ipv6_rule_set="False" top_rule_set="True">
<NATRule id="id4070BFF5" disabled="False" position="0" comment="">
<OSrc neg="False">
<ObjectRef ref="id3DC75CE7-1"/>
</OSrc>
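Review bot: `ipv4_rule_set="False"` is added beside the existing `ipv6_rule_set="False"` on this NAT rule set (and below on Policy and Routing), so the templates now carry both flags False; confirm how the compilers interpret that combination, because if both-False is not treated as the legacy IPv4 default (or as a mixed rule set) a firewall created from a template could compile to an empty rule set without any warning.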
@ -98,8 +93,8 @@
<NATRuleOptions/>
</NATRule>
</NAT>
<Policy id="id40708A6D" name="Policy" ipv6_rule_set="False" top_rule_set="True">
<PolicyRule id="id4070BFE9" comment="anti spoofing rule" action="Deny" direction="Inbound" disabled="False" log="True" position="0">
<Policy id="id40708A6D" name="Policy" comment="" ro="False" ipv4_rule_set="False" ipv6_rule_set="False" top_rule_set="True">
<PolicyRule id="id4070BFE9" disabled="False" log="True" position="0" action="Deny" direction="Inbound" comment="anti spoofing rule">
<Src neg="False">
<ObjectRef ref="id40708A6A"/>
<ObjectRef ref="id3DC75CE7-1"/>
@ -118,7 +113,7 @@
</When>
<PolicyRuleOptions/>
</PolicyRule>
<PolicyRule id="id4094092C" action="Accept" direction="Both" disabled="False" log="False" position="1">
<PolicyRule id="id4094092C" disabled="False" log="False" position="1" action="Accept" direction="Both" comment="">
<Src neg="False">
<ObjectRef ref="sysid0"/>
</Src>
@ -136,7 +131,7 @@
</When>
<PolicyRuleOptions/>
</PolicyRule>
<PolicyRule id="id40941C75" comment="SSH Access to firewall is permitted&#10;only from internal network" action="Accept" disabled="False" log="False" position="2">
<PolicyRule id="id40941C75" disabled="False" log="False" position="2" action="Accept" direction="Both" comment="SSH Access to firewall is permitted&#10;only from internal network">
<Src neg="False">
<ObjectRef ref="id3DC75CE7-1"/>
</Src>
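Review bot: rule `id40941C75` previously had no `direction` attribute and now carries `direction="Both"`, as do the other rules below that lacked it; confirm that `Both` was the implicit default when the attribute was absent, so the compiled policy of firewalls already derived from these templates does not change, and that the loader still accepts files written without it.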
@ -154,7 +149,7 @@
</When>
<PolicyRuleOptions/>
</PolicyRule>
<PolicyRule id="id40941D2E" comment="Firewall uses one of the machines&#10;on internal network for DNS" action="Accept" disabled="False" log="True" position="3">
<PolicyRule id="id40941D2E" disabled="False" log="True" position="3" action="Accept" direction="Both" comment="Firewall uses one of the machines&#10;on internal network for DNS">
<Src neg="False">
<ObjectRef ref="id40708A6A"/>
</Src>
@ -172,7 +167,7 @@
</When>
<PolicyRuleOptions/>
</PolicyRule>
<PolicyRule id="id40941CB8" comment="All other attempts to connect to&#10;the firewall are denied and logged" action="Deny" disabled="False" log="True" position="4">
<PolicyRule id="id40941CB8" disabled="False" log="True" position="4" action="Deny" direction="Both" comment="All other attempts to connect to&#10;the firewall are denied and logged">
<Src neg="False">
<ObjectRef ref="sysid0"/>
</Src>
@ -190,7 +185,7 @@
</When>
<PolicyRuleOptions/>
</PolicyRule>
<PolicyRule id="id4070BFDE" action="Accept" disabled="False" log="False" position="5">
<PolicyRule id="id4070BFDE" disabled="False" log="False" position="5" action="Accept" direction="Both" comment="">
<Src neg="False">
<ObjectRef ref="id3DC75CE7-1"/>
</Src>
@ -208,7 +203,7 @@
</When>
<PolicyRuleOptions/>
</PolicyRule>
<PolicyRule id="id40708A71" action="Deny" disabled="False" log="True" position="6">
<PolicyRule id="id40708A71" disabled="False" log="True" position="6" action="Deny" direction="Both" comment="">
<Src neg="False">
<ObjectRef ref="sysid0"/>
</Src>
@ -227,13 +222,13 @@
<PolicyRuleOptions/>
</PolicyRule>
</Policy>
<Routing id="id40708A6A-routing" name="Routing" ipv6_rule_set="False" top_rule_set="True"/>
<Interface id="id4070BFD8" name="eth0" bridgeport="False" dyn="True" label="outside" mgmt="False" security_level="0" unnum="False" unprotected="False"/>
<Interface id="id4070BFDA" name="eth1" bridgeport="False" dyn="False" label="inside" mgmt="True" security_level="100" unnum="False" unprotected="False">
<IPv4 id="id4070BFDC" name="ip" address="192.168.1.1" netmask="255.255.255.0"/>
<Routing id="id40708A6A-routing" name="Routing" comment="" ro="False" ipv4_rule_set="False" ipv6_rule_set="False" top_rule_set="True"/>
<Interface id="id4070BFD8" bridgeport="False" dyn="True" label="outside" mgmt="False" security_level="0" unnum="False" unprotected="False" name="eth0" comment="" ro="False"/>
<Interface id="id4070BFDA" bridgeport="False" dyn="False" label="inside" mgmt="True" security_level="100" unnum="False" unprotected="False" name="eth1" comment="" ro="False">
<IPv4 id="id4070BFDC" name="ip" comment="" ro="False" address="192.168.1.1" netmask="255.255.255.0"/>
</Interface>
<Interface id="id40940929" name="lo" bridgeport="False" dyn="False" label="loopback" mgmt="False" security_level="100" unnum="False" unprotected="False">
<IPv4 id="id4094092B" name="lo:ip" address="127.0.0.1" netmask="255.0.0.0"/>
<Interface id="id40940929" bridgeport="False" dyn="False" label="loopback" mgmt="False" security_level="100" unnum="False" unprotected="False" name="lo" comment="" ro="False">
<IPv4 id="id4094092B" name="lo:ip" comment="" ro="False" address="127.0.0.1" netmask="255.0.0.0"/>
</Interface>
<Management address="0.0.0.0">
<SNMPManagement enabled="False" snmp_read_community="" snmp_write_community=""/>
@ -280,9 +275,9 @@
<Option name="verify_interfaces">true</Option>
</FirewallOptions>
</Firewall>
<Firewall id="id40941E8C" name="fw template 2" comment="Similar to fw 1, but the firewall is used as DHCP and DNS server for internal network.&#10;This firewall has two interfaces. Eth0 faces outside and has a dynamic address; eth1 faces inside.&#10;Policy includes basic rules to permit unrestricted outbound access and anti-spoofing rules. Access to the firewall is permitted only from internal network and only using SSH. The firewall can send DNS queries to servers out on the Internet. Another rule permits DNS queries from internal network to the firewall. Special rules permit DHCP requests from internal network and replies sent by the firewall." host_OS="unknown_os" lastCompiled="0" lastInstalled="0" lastModified="0" platform="unknown" ro="False" version="">
<NAT id="id40941E91" name="NAT" ipv6_rule_set="False" top_rule_set="True">
<NATRule id="id40941E92" disabled="False" position="0">
<Firewall id="id40941E8C" host_OS="unknown_os" lastCompiled="0" lastInstalled="0" lastModified="0" platform="unknown" version="" name="fw template 2" comment="Similar to fw 1, but the firewall is used as DHCP and DNS server for internal network.&#10;This firewall has two interfaces. Eth0 faces outside and has a dynamic address; eth1 faces inside.&#10;Policy includes basic rules to permit unrestricted outbound access and anti-spoofing rules. Access to the firewall is permitted only from internal network and only using SSH. The firewall can send DNS queries to servers out on the Internet. Another rule permits DNS queries from internal network to the firewall. Special rules permit DHCP requests from internal network and replies sent by the firewall." ro="False">
<NAT id="id40941E91" name="NAT" comment="" ro="False" ipv4_rule_set="False" ipv6_rule_set="False" top_rule_set="True">
<NATRule id="id40941E92" disabled="False" position="0" comment="">
<OSrc neg="False">
<ObjectRef ref="id3DC75CE7-1"/>
</OSrc>
@ -304,8 +299,8 @@
<NATRuleOptions/>
</NATRule>
</NAT>
<Policy id="id40941EA0" name="Policy" ipv6_rule_set="False" top_rule_set="True">
<PolicyRule id="id40941ED5" comment="anti spoofing rule" action="Deny" direction="Inbound" disabled="False" log="True" position="2">
<Policy id="id40941EA0" name="Policy" comment="" ro="False" ipv4_rule_set="False" ipv6_rule_set="False" top_rule_set="True">
<PolicyRule id="id40941ED5" disabled="False" log="True" position="2" action="Deny" direction="Inbound" comment="anti spoofing rule">
<Src neg="False">
<ObjectRef ref="id40941E8C"/>
<ObjectRef ref="id3DC75CE7-1"/>
@ -324,7 +319,7 @@
</When>
<PolicyRuleOptions/>
</PolicyRule>
<PolicyRule id="id40941EE6" action="Accept" direction="Both" disabled="False" log="False" position="3">
<PolicyRule id="id40941EE6" disabled="False" log="False" position="3" action="Accept" direction="Both" comment="">
<Src neg="False">
<ObjectRef ref="sysid0"/>
</Src>
@ -342,7 +337,7 @@
</When>
<PolicyRuleOptions/>
</PolicyRule>
<PolicyRule id="id40941EA1" comment="SSH Access to firewall is permitted&#10;only from internal network&#10;Also firewall serves DNS for internal&#10;network" action="Accept" disabled="False" log="False" position="2">
<PolicyRule id="id40941EA1" disabled="False" log="False" position="2" action="Accept" direction="Both" comment="SSH Access to firewall is permitted&#10;only from internal network&#10;Also firewall serves DNS for internal&#10;network">
<Src neg="False">
<ObjectRef ref="id3DC75CE7-1"/>
</Src>
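Review bot: in `fw template 2` this SSH/DNS rule has `position="2"` and the DHCP rule that follows has `position="3"`, duplicating the `position="2"` of the anti-spoofing rule and the `position="3"` of the accept rule at the top of the same Policy; if position drives compile order, the anti-spoofing Deny is no longer guaranteed to precede these Accepts. Renumber the rules 0 to 8 in file order so the first two become 0 and 1.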
@ -361,7 +356,7 @@
</When>
<PolicyRuleOptions/>
</PolicyRule>
<PolicyRule id="id40942038" comment="DHCP requests are permitted&#10;from internal network" action="Accept" disabled="False" log="False" position="3">
<PolicyRule id="id40942038" disabled="False" log="False" position="3" action="Accept" direction="Both" comment="DHCP requests are permitted&#10;from internal network">
<Src neg="False">
<ObjectRef ref="id3DC75CE7-1"/>
<ObjectRef ref="id3F6D115D"/>
@ -381,7 +376,7 @@
</When>
<PolicyRuleOptions/>
</PolicyRule>
<PolicyRule id="id4094204A" comment="DHCP replies" action="Accept" disabled="False" log="False" position="4">
<PolicyRule id="id4094204A" disabled="False" log="False" position="4" action="Accept" direction="Both" comment="DHCP replies">
<Src neg="False">
<ObjectRef ref="id40941E8C"/>
</Src>
@ -399,7 +394,7 @@
</When>
<PolicyRuleOptions/>
</PolicyRule>
<PolicyRule id="id40941EAB" comment="Firewall should be able to send&#10;DNS queries to the Internet" action="Accept" disabled="False" log="True" position="5">
<PolicyRule id="id40941EAB" disabled="False" log="True" position="5" action="Accept" direction="Both" comment="Firewall should be able to send&#10;DNS queries to the Internet">
<Src neg="False">
<ObjectRef ref="id40941E8C"/>
</Src>
@ -417,7 +412,7 @@
</When>
<PolicyRuleOptions/>
</PolicyRule>
<PolicyRule id="id40941EB5" comment="All other attempts to connect to&#10;the firewall are denied and logged" action="Deny" disabled="False" log="True" position="6">
<PolicyRule id="id40941EB5" disabled="False" log="True" position="6" action="Deny" direction="Both" comment="All other attempts to connect to&#10;the firewall are denied and logged">
<Src neg="False">
<ObjectRef ref="sysid0"/>
</Src>
@ -435,7 +430,7 @@
</When>
<PolicyRuleOptions/>
</PolicyRule>
<PolicyRule id="id40941EBF" action="Accept" disabled="False" log="False" position="7">
<PolicyRule id="id40941EBF" disabled="False" log="False" position="7" action="Accept" direction="Both" comment="">
<Src neg="False">
<ObjectRef ref="id3DC75CE7-1"/>
</Src>
@ -453,7 +448,7 @@
</When>
<PolicyRuleOptions/>
</PolicyRule>
<PolicyRule id="id40941EC9" action="Deny" disabled="False" log="True" position="8">
<PolicyRule id="id40941EC9" disabled="False" log="True" position="8" action="Deny" direction="Both" comment="">
<Src neg="False">
<ObjectRef ref="sysid0"/>
</Src>
@ -472,13 +467,13 @@
<PolicyRuleOptions/>
</PolicyRule>
</Policy>
<Routing id="id40941E8C-routing" name="Routing" ipv6_rule_set="False" top_rule_set="True"/>
<Interface id="id40941ED3" name="eth0" bridgeport="False" dyn="True" label="outside" mgmt="False" security_level="0" unnum="False" unprotected="False"/>
<Interface id="id40941EE0" name="eth1" bridgeport="False" dyn="False" label="inside" mgmt="True" security_level="100" unnum="False" unprotected="False">
<IPv4 id="id40941EE1" name="ip" address="192.168.1.1" netmask="255.255.255.0"/>
<Routing id="id40941E8C-routing" name="Routing" comment="" ro="False" ipv4_rule_set="False" ipv6_rule_set="False" top_rule_set="True"/>
<Interface id="id40941ED3" bridgeport="False" dyn="True" label="outside" mgmt="False" security_level="0" unnum="False" unprotected="False" name="eth0" comment="" ro="False"/>
<Interface id="id40941EE0" bridgeport="False" dyn="False" label="inside" mgmt="True" security_level="100" unnum="False" unprotected="False" name="eth1" comment="" ro="False">
<IPv4 id="id40941EE1" name="ip" comment="" ro="False" address="192.168.1.1" netmask="255.255.255.0"/>
</Interface>
<Interface id="id40941EE3" name="lo" bridgeport="False" dyn="False" label="loopback" mgmt="False" security_level="100" unnum="False" unprotected="False">
<IPv4 id="id40941EE4" name="lo:ip" address="127.0.0.1" netmask="255.0.0.0"/>
<Interface id="id40941EE3" bridgeport="False" dyn="False" label="loopback" mgmt="False" security_level="100" unnum="False" unprotected="False" name="lo" comment="" ro="False">
<IPv4 id="id40941EE4" name="lo:ip" comment="" ro="False" address="127.0.0.1" netmask="255.0.0.0"/>
</Interface>
<Management address="0.0.0.0">
<SNMPManagement enabled="False" snmp_read_community="" snmp_write_community=""/>
@ -525,9 +520,9 @@
<Option name="verify_interfaces">true</Option>
</FirewallOptions>
</Firewall>
<Firewall id="id40986AFE" name="fw template 3" comment="This firewall has three interfaces. Eth0 faces outside and has a static routable address; eth1 faces inside; eth2 is connected to DMZ subnet.&#10;Policy includes basic rules to permit unrestricted outbound access and anti-spoofing rules. Access to the firewall is permitted only from internal network and only using SSH. The firewall uses one of the machines on internal network for DNS. Internal network is configured with address 192.168.1.0/255.255.255.0, DMZ is 192.168.2.0/255.255.255.0. Since DMZ used private IP address, it needs NAT. There is a mail relay host located on DMZ (object 'server on dmz'). Policy rules permit SMTP connections to it from the Internet and allow this server to connect to a host on internal network 'internal server'. All other access from DMZ to internal net is denied. To provide access to the mail relay its private address is mapped to firewall's outside interface address by NAT rule #1." host_OS="freebsd" lastCompiled="0" lastInstalled="0" lastModified="0" platform="unknown" ro="False" version="">
<NAT id="id40986B03" name="NAT" ipv6_rule_set="False" top_rule_set="True">
<NATRule id="id40987169" comment="no need to translate&#10;between DMZ and &#10;internal net" disabled="False" position="0">
<Firewall id="id40986AFE" host_OS="freebsd" lastCompiled="0" lastInstalled="0" lastModified="0" platform="unknown" version="" name="fw template 3" comment="This firewall has three interfaces. Eth0 faces outside and has a static routable address; eth1 faces inside; eth2 is connected to DMZ subnet.&#10;Policy includes basic rules to permit unrestricted outbound access and anti-spoofing rules. Access to the firewall is permitted only from internal network and only using SSH. The firewall uses one of the machines on internal network for DNS. Internal network is configured with address 192.168.1.0/255.255.255.0, DMZ is 192.168.2.0/255.255.255.0. Since DMZ used private IP address, it needs NAT. There is a mail relay host located on DMZ (object 'server on dmz'). Policy rules permit SMTP connections to it from the Internet and allow this server to connect to a host on internal network 'internal server'. All other access from DMZ to internal net is denied. To provide access to the mail relay its private address is mapped to firewall's outside interface address by NAT rule #1." ro="False">
<NAT id="id40986B03" name="NAT" comment="" ro="False" ipv4_rule_set="False" ipv6_rule_set="False" top_rule_set="True">
<NATRule id="id40987169" disabled="False" position="0" comment="no need to translate&#10;between DMZ and &#10;internal net">
<OSrc neg="False">
<ObjectRef ref="id3DC75CE7-2"/>
</OSrc>
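Review bot: `fw template 3` has `host_OS="freebsd"` while `platform="unknown"`, unlike templates 1 and 2 which use `host_OS="unknown_os"`; a template the user is expected to retarget should not pre-select an OS, so this should be `unknown_os` too. While touching the comment: `Since DMZ used private IP address` should read `uses`, and `NAT rule #1` does not point at the rule that maps the relay: with positions 0, 1 and 2, position 0 is the no-NAT rule, position 1 translates outgoing source addresses, and the uncommented rule at position 2 is the mapping.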
@ -548,7 +543,7 @@
</TSrv>
<NATRuleOptions/>
</NATRule>
<NATRule id="id40986B04" comment="Translate source address&#10;for outgoing connections" disabled="False" position="1">
<NATRule id="id40986B04" disabled="False" position="1" comment="Translate source address&#10;for outgoing connections">
<OSrc neg="False">
<ObjectRef ref="id3DC75CE7-1"/>
<ObjectRef ref="id3DC75CE7-2"/>
@ -570,7 +565,7 @@
</TSrv>
<NATRuleOptions/>
</NATRule>
<NATRule id="id40986E4B" disabled="False" position="2">
<NATRule id="id40986E4B" disabled="False" position="2" comment="">
<OSrc neg="False">
<ObjectRef ref="sysid0"/>
</OSrc>
@ -592,8 +587,8 @@
<NATRuleOptions/>
</NATRule>
</NAT>
<Policy id="id40986B12" name="Policy" ipv6_rule_set="False" top_rule_set="True">
<PolicyRule id="id40986B47" comment="anti spoofing rule" action="Deny" direction="Inbound" disabled="False" log="True" position="4">
<Policy id="id40986B12" name="Policy" comment="" ro="False" ipv4_rule_set="False" ipv6_rule_set="False" top_rule_set="True">
<PolicyRule id="id40986B47" disabled="False" log="True" position="4" action="Deny" direction="Inbound" comment="anti spoofing rule">
<Src neg="False">
<ObjectRef ref="id40986AFE"/>
<ObjectRef ref="id3DC75CE7-1"/>
@ -613,7 +608,7 @@
</When>
<PolicyRuleOptions/>
</PolicyRule>
<PolicyRule id="id40986B58" action="Accept" direction="Both" disabled="False" log="False" position="5">
<PolicyRule id="id40986B58" disabled="False" log="False" position="5" action="Accept" direction="Both" comment="">
<Src neg="False">
<ObjectRef ref="sysid0"/>
</Src>
@ -631,7 +626,7 @@
</When>
<PolicyRuleOptions/>
</PolicyRule>
<PolicyRule id="id40986B13" comment="SSH Access to firewall is permitted&#10;only from internal network" action="Accept" disabled="False" log="False" position="2">
<PolicyRule id="id40986B13" disabled="False" log="False" position="2" action="Accept" direction="Both" comment="SSH Access to firewall is permitted&#10;only from internal network">
<Src neg="False">
<ObjectRef ref="id3DC75CE7-1"/>
</Src>
@ -649,7 +644,7 @@
</When>
<PolicyRuleOptions/>
</PolicyRule>
<PolicyRule id="id40986B1D" comment="Firewall uses one of the machines&#10;on internal network for DNS" action="Accept" disabled="False" log="False" position="3">
<PolicyRule id="id40986B1D" disabled="False" log="False" position="3" action="Accept" direction="Both" comment="Firewall uses one of the machines&#10;on internal network for DNS">
<Src neg="False">
<ObjectRef ref="id40986AFE"/>
</Src>
@ -667,7 +662,7 @@
</When>
<PolicyRuleOptions/>
</PolicyRule>
<PolicyRule id="id40986B27" comment="All other attempts to connect to&#10;the firewall are denied and logged" action="Deny" disabled="False" log="True" position="4">
<PolicyRule id="id40986B27" disabled="False" log="True" position="4" action="Deny" direction="Both" comment="All other attempts to connect to&#10;the firewall are denied and logged">
<Src neg="False">
<ObjectRef ref="sysid0"/>
</Src>
@ -685,7 +680,7 @@
</When>
<PolicyRuleOptions/>
</PolicyRule>
<PolicyRule id="id40986E5C" comment="Quickly reject attempts to connect&#10;to ident server to avoid SMTP delays" action="Reject" disabled="False" log="False" position="5">
<PolicyRule id="id40986E5C" disabled="False" log="False" position="5" action="Reject" direction="Both" comment="Quickly reject attempts to connect&#10;to ident server to avoid SMTP delays">
<Src neg="False">
<ObjectRef ref="sysid0"/>
</Src>
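Review bot: in `fw template 3` the Deny at `position="4"` in the previous hunk and this Reject at `position="5"` reuse the positions of the anti-spoofing rule (`position="4"`) and the accept rule (`position="5"`) at the top of this Policy, while SSH and DNS sit at 2 and 3; positions therefore run 4, 5, 2, 3, 4, 5, 6 and the order applied at the duplicates is undefined. Renumber the policy 0 to 11 in file order so the anti-spoofing Deny is unambiguously first.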
@ -703,7 +698,7 @@
</When>
<PolicyRuleOptions/>
</PolicyRule>
<PolicyRule id="id40986E16" comment="Mail relay on DMZ can accept&#10;connections from hosts on the&#10;Internet" action="Accept" disabled="False" log="False" position="6">
<PolicyRule id="id40986E16" disabled="False" log="False" position="6" action="Accept" direction="Both" comment="Mail relay on DMZ can accept&#10;connections from hosts on the&#10;Internet">
<Src neg="False">
<ObjectRef ref="sysid0"/>
</Src>
@ -721,7 +716,7 @@
</When>
<PolicyRuleOptions/>
</PolicyRule>
<PolicyRule id="id40986EE1" comment="this rule permits a mail relay&#10;located on DMZ to connect&#10;to internal mail server" action="Accept" disabled="False" log="False" position="7">
<PolicyRule id="id40986EE1" disabled="False" log="False" position="7" action="Accept" direction="Both" comment="this rule permits a mail relay&#10;located on DMZ to connect&#10;to internal mail server">
<Src neg="False">
<ObjectRef ref="id3D84EECF"/>
</Src>
@ -739,7 +734,7 @@
</When>
<PolicyRuleOptions/>
</PolicyRule>
<PolicyRule id="id40987009" comment="Mail relay needs DNS and can&#10;connect to mail servers on the&#10;Internet" action="Accept" disabled="False" log="False" position="8">
<PolicyRule id="id40987009" disabled="False" log="False" position="8" action="Accept" direction="Both" comment="Mail relay needs DNS and can&#10;connect to mail servers on the&#10;Internet">
<Src neg="False">
<ObjectRef ref="id3D84EECF"/>
</Src>
@ -758,7 +753,7 @@
</When>
<PolicyRuleOptions/>
</PolicyRule>
<PolicyRule id="id40986B79" comment="All other access from DMZ to&#10;internal net is denied" action="Deny" disabled="False" log="True" position="9">
<PolicyRule id="id40986B79" disabled="False" log="True" position="9" action="Deny" direction="Both" comment="All other access from DMZ to&#10;internal net is denied">
<Src neg="False">
<ObjectRef ref="id3DC75CE7-2"/>
</Src>
@ -776,7 +771,7 @@
</When>
<PolicyRuleOptions/>
</PolicyRule>
<PolicyRule id="id40986B31" comment="This permits access from internal net&#10;to the Internet and DMZ" action="Accept" disabled="False" log="False" position="10">
<PolicyRule id="id40986B31" disabled="False" log="False" position="10" action="Accept" direction="Both" comment="This permits access from internal net&#10;to the Internet and DMZ">
<Src neg="False">
<ObjectRef ref="id3DC75CE7-1"/>
</Src>
@ -794,7 +789,7 @@
</When>
<PolicyRuleOptions/>
</PolicyRule>
<PolicyRule id="id40986B3B" action="Deny" disabled="False" log="True" position="11">
<PolicyRule id="id40986B3B" disabled="False" log="True" position="11" action="Deny" direction="Both" comment="">
<Src neg="False">
<ObjectRef ref="sysid0"/>
</Src>
@ -813,18 +808,18 @@
<PolicyRuleOptions/>
</PolicyRule>
</Policy>
<Routing id="id40986AFE-routing" name="Routing" ipv6_rule_set="False" top_rule_set="True"/>
<Interface id="id40986B45" name="eth0" bridgeport="False" dyn="False" label="outside" mgmt="False" security_level="0" unnum="False" unprotected="False">
<IPv4 id="id40986E5B" name="fw 3:eth0:ip" comment="This is a test address, change it to your real one" address="192.0.2.1" netmask="255.255.255.0"/>
<Routing id="id40986AFE-routing" name="Routing" comment="" ro="False" ipv4_rule_set="False" ipv6_rule_set="False" top_rule_set="True"/>
<Interface id="id40986B45" bridgeport="False" dyn="False" label="outside" mgmt="False" security_level="0" unnum="False" unprotected="False" name="eth0" comment="" ro="False">
<IPv4 id="id40986E5B" name="fw 3:eth0:ip" comment="This is a test address, change it to your real one" ro="False" address="192.0.2.1" netmask="255.255.255.0"/>
</Interface>
<Interface id="id40986B52" name="eth1" bridgeport="False" dyn="False" label="inside" mgmt="True" security_level="100" unnum="False" unprotected="False">
<IPv4 id="id40986B53" name="ip" address="192.168.1.1" netmask="255.255.255.0"/>
<Interface id="id40986B52" bridgeport="False" dyn="False" label="inside" mgmt="True" security_level="100" unnum="False" unprotected="False" name="eth1" comment="" ro="False">
<IPv4 id="id40986B53" name="ip" comment="" ro="False" address="192.168.1.1" netmask="255.255.255.0"/>
</Interface>
<Interface id="id40986B55" name="lo" bridgeport="False" dyn="False" label="loopback" mgmt="False" security_level="100" unnum="False" unprotected="False">
<IPv4 id="id40986B56" name="lo:ip" address="127.0.0.1" netmask="255.0.0.0"/>
<Interface id="id40986B55" bridgeport="False" dyn="False" label="loopback" mgmt="False" security_level="100" unnum="False" unprotected="False" name="lo" comment="" ro="False">
<IPv4 id="id40986B56" name="lo:ip" comment="" ro="False" address="127.0.0.1" netmask="255.0.0.0"/>
</Interface>
<Interface id="id40986B67" name="eth2" bridgeport="False" dyn="False" label="dmz" mgmt="False" security_level="0" unnum="False" unprotected="False">
<IPv4 id="id40986B69" name="ip" address="192.168.2.1" netmask="255.255.255.0"/>
<Interface id="id40986B67" bridgeport="False" dyn="False" label="dmz" mgmt="False" security_level="0" unnum="False" unprotected="False" name="eth2" comment="" ro="False">
<IPv4 id="id40986B69" name="ip" comment="" ro="False" address="192.168.2.1" netmask="255.255.255.0"/>
</Interface>
<Management address="0.0.0.0">
<SNMPManagement enabled="False" snmp_read_community="" snmp_write_community=""/>
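Review bot: the re-serialized `Routing` element in this hunk (and every `NAT`/`Policy` rule set in the hunks below) now carries `ipv4_rule_set="False"` alongside the pre-existing `ipv6_rule_set="False"`, and nothing in the diff or the commit message says what a rule set with both flags false means. The old form only recorded `ipv6_rule_set="False"`, so a reader of these templates cannot tell whether both-false is still the IPv4-only default or now denotes a dual-stack rule set; please state the intended semantics in the commit message (or the DTD change) so the template files are not silently reinterpreted on the next load.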
@ -871,10 +866,10 @@
<Option name="verify_interfaces">true</Option>
</FirewallOptions>
</Firewall>
<Firewall id="id409878E4" name="host fw template 1" comment="This is an example of a firewall protecting a host ( a server or a workstation). Only SSH access to the host is permitted. Host has dynamic address." host_OS="unknown_os" lastCompiled="0" lastInstalled="0" lastModified="0" platform="unknown" ro="False" version="">
<NAT id="id409878E9" name="NAT" ipv6_rule_set="False" top_rule_set="True"/>
<Policy id="id409878F8" name="Policy" ipv6_rule_set="False" top_rule_set="True">
<PolicyRule id="id4098792D" comment="anti spoofing rule" action="Deny" direction="Inbound" disabled="False" log="True" position="6">
<Firewall id="id409878E4" host_OS="unknown_os" lastCompiled="0" lastInstalled="0" lastModified="0" platform="unknown" version="" name="host fw template 1" comment="This is an example of a firewall protecting a host ( a server or a workstation). Only SSH access to the host is permitted. Host has dynamic address." ro="False">
<NAT id="id409878E9" name="NAT" comment="" ro="False" ipv4_rule_set="False" ipv6_rule_set="False" top_rule_set="True"/>
<Policy id="id409878F8" name="Policy" comment="" ro="False" ipv4_rule_set="False" ipv6_rule_set="False" top_rule_set="True">
<PolicyRule id="id4098792D" disabled="False" log="True" position="6" action="Deny" direction="Inbound" comment="anti spoofing rule">
<Src neg="False">
<ObjectRef ref="id409878E4"/>
</Src>
@ -892,7 +887,7 @@
</When>
<PolicyRuleOptions/>
</PolicyRule>
<PolicyRule id="id4098793E" action="Accept" direction="Both" disabled="False" log="False" position="7">
<PolicyRule id="id4098793E" disabled="False" log="False" position="7" action="Accept" direction="Both" comment="">
<Src neg="False">
<ObjectRef ref="sysid0"/>
</Src>
@ -910,7 +905,7 @@
</When>
<PolicyRuleOptions/>
</PolicyRule>
<PolicyRule id="id409878F9" comment="SSH Access to the host; useful ICMP&#10;types; ping request" action="Accept" disabled="False" log="False" position="2">
<PolicyRule id="id409878F9" disabled="False" log="False" position="2" action="Accept" direction="Both" comment="SSH Access to the host; useful ICMP&#10;types; ping request">
<Src neg="False">
<ObjectRef ref="sysid0"/>
</Src>
@ -930,7 +925,7 @@
</When>
<PolicyRuleOptions/>
</PolicyRule>
<PolicyRule id="id40987917" action="Accept" disabled="False" log="False" position="3">
<PolicyRule id="id40987917" disabled="False" log="False" position="3" action="Accept" direction="Both" comment="">
<Src neg="False">
<ObjectRef ref="id409878E4"/>
</Src>
@ -948,7 +943,7 @@
</When>
<PolicyRuleOptions/>
</PolicyRule>
<PolicyRule id="id40987921" action="Deny" disabled="False" log="True" position="4">
<PolicyRule id="id40987921" disabled="False" log="True" position="4" action="Deny" direction="Both" comment="">
<Src neg="False">
<ObjectRef ref="sysid0"/>
</Src>
@ -967,10 +962,10 @@
<PolicyRuleOptions/>
</PolicyRule>
</Policy>
<Routing id="id409878E4-routing" name="Routing" ipv6_rule_set="False" top_rule_set="True"/>
<Interface id="id4098792B" name="eth0" bridgeport="False" dyn="True" label="outside" mgmt="False" security_level="0" unnum="False" unprotected="False"/>
<Interface id="id4098793B" name="lo" bridgeport="False" dyn="False" label="loopback" mgmt="False" security_level="100" unnum="False" unprotected="False">
<IPv4 id="id4098793C" name="lo:ip" address="127.0.0.1" netmask="255.0.0.0"/>
<Routing id="id409878E4-routing" name="Routing" comment="" ro="False" ipv4_rule_set="False" ipv6_rule_set="False" top_rule_set="True"/>
<Interface id="id4098792B" bridgeport="False" dyn="True" label="outside" mgmt="False" security_level="0" unnum="False" unprotected="False" name="eth0" comment="" ro="False"/>
<Interface id="id4098793B" bridgeport="False" dyn="False" label="loopback" mgmt="False" security_level="100" unnum="False" unprotected="False" name="lo" comment="" ro="False">
<IPv4 id="id4098793C" name="lo:ip" comment="" ro="False" address="127.0.0.1" netmask="255.0.0.0"/>
</Interface>
<Management address="0.0.0.0">
<SNMPManagement enabled="False" snmp_read_community="" snmp_write_community=""/>
@ -1013,9 +1008,9 @@
<Option name="verify_interfaces">true</Option>
</FirewallOptions>
</Firewall>
<Firewall id="id41293477" name="linksys firewall" comment="This firewall is based on Linksys appliance running Sveasoft firmware; it has two interfaces. Interface vlan1 faces outside and has a dynamic address; br0 faces inside.&#10;Policy includes basic rules to permit unrestricted outbound access and anti-spoofing rules. Access to the firewall is permitted only from internal network and only using SSH or HTTP. The firewall uses name servers supplied by the ISP for DNS. Special rule blocks DHCP requests on external interface without logging to reduce noise in the log.&#10;&#10;Internal network is configured with address 192.168.1.0/255.255.255.0" host_OS="linksys" lastCompiled="0" lastInstalled="0" lastModified="0" platform="iptables" ro="False" version="">
<NAT id="id412934D3" name="NAT" ipv6_rule_set="False" top_rule_set="True">
<NATRule id="id412934D4" disabled="False" position="0">
<Firewall id="id41293477" host_OS="linksys" lastCompiled="0" lastInstalled="0" lastModified="0" platform="iptables" version="" name="linksys firewall" comment="This firewall is based on Linksys appliance running Sveasoft firmware; it has two interfaces. Interface vlan1 faces outside and has a dynamic address; br0 faces inside.&#10;Policy includes basic rules to permit unrestricted outbound access and anti-spoofing rules. Access to the firewall is permitted only from internal network and only using SSH or HTTP. The firewall uses name servers supplied by the ISP for DNS. Special rule blocks DHCP requests on external interface without logging to reduce noise in the log.&#10;&#10;Internal network is configured with address 192.168.1.0/255.255.255.0" ro="False">
<NAT id="id412934D3" name="NAT" comment="" ro="False" ipv4_rule_set="False" ipv6_rule_set="False" top_rule_set="True">
<NATRule id="id412934D4" disabled="False" position="0" comment="">
<OSrc neg="False">
<ObjectRef ref="id3DC75CE7-1"/>
</OSrc>
@ -1037,8 +1032,8 @@
<NATRuleOptions/>
</NATRule>
</NAT>
<Policy id="id4129347C" name="Policy" ipv6_rule_set="False" top_rule_set="True">
<PolicyRule id="id412934E4" comment="anti spoofing rule" action="Deny" direction="Inbound" disabled="False" log="True" position="8">
<Policy id="id4129347C" name="Policy" comment="" ro="False" ipv4_rule_set="False" ipv6_rule_set="False" top_rule_set="True">
<PolicyRule id="id412934E4" disabled="False" log="True" position="8" action="Deny" direction="Inbound" comment="anti spoofing rule">
<Src neg="False">
<ObjectRef ref="id41293477"/>
<ObjectRef ref="id3DC75CE7-1"/>
@ -1057,7 +1052,7 @@
</When>
<PolicyRuleOptions/>
</PolicyRule>
<PolicyRule id="id412934F5" action="Accept" direction="Both" disabled="False" log="False" position="9">
<PolicyRule id="id412934F5" disabled="False" log="False" position="9" action="Accept" direction="Both" comment="">
<Src neg="False">
<ObjectRef ref="sysid0"/>
</Src>
@ -1075,7 +1070,7 @@
</When>
<PolicyRuleOptions/>
</PolicyRule>
<PolicyRule id="id4129347D" action="Deny" disabled="False" log="False" position="2">
<PolicyRule id="id4129347D" disabled="False" log="False" position="2" action="Deny" direction="Both" comment="">
<Src neg="False">
<ObjectRef ref="sysid0"/>
</Src>
@ -1093,7 +1088,7 @@
</When>
<PolicyRuleOptions/>
</PolicyRule>
<PolicyRule id="id41293488" comment="SSH Access to firewall is permitted&#10;only from internal network" action="Accept" disabled="False" log="False" position="3">
<PolicyRule id="id41293488" disabled="False" log="False" position="3" action="Accept" direction="Both" comment="SSH Access to firewall is permitted&#10;only from internal network">
<Src neg="False">
<ObjectRef ref="id3DC75CE7-1"/>
</Src>
@ -1115,7 +1110,7 @@
</When>
<PolicyRuleOptions/>
</PolicyRule>
<PolicyRule id="id41293496" comment="need this rule for ping and traceroute" action="Accept" disabled="False" log="False" position="4">
<PolicyRule id="id41293496" disabled="False" log="False" position="4" action="Accept" direction="Both" comment="need this rule for ping and traceroute">
<Src neg="False">
<ObjectRef ref="id41293477"/>
</Src>
@ -1144,7 +1139,7 @@
<Option name="ulog_nlgroup">1</Option>
</PolicyRuleOptions>
</PolicyRule>
<PolicyRule id="id412934A1" action="Accept" disabled="False" log="False" position="5">
<PolicyRule id="id412934A1" disabled="False" log="False" position="5" action="Accept" direction="Both" comment="">
<Src neg="False">
<ObjectRef ref="id41293477"/>
</Src>
@ -1162,7 +1157,7 @@
</When>
<PolicyRuleOptions/>
</PolicyRule>
<PolicyRule id="id412934AB" comment="All other attempts to connect to&#10;the firewall are denied and logged" action="Deny" disabled="False" log="True" position="6">
<PolicyRule id="id412934AB" disabled="False" log="True" position="6" action="Deny" direction="Both" comment="All other attempts to connect to&#10;the firewall are denied and logged">
<Src neg="False">
<ObjectRef ref="sysid0"/>
</Src>
@ -1180,7 +1175,7 @@
</When>
<PolicyRuleOptions/>
</PolicyRule>
<PolicyRule id="id412934B5" action="Accept" disabled="False" log="False" position="7">
<PolicyRule id="id412934B5" disabled="False" log="False" position="7" action="Accept" direction="Both" comment="">
<Src neg="False">
<ObjectRef ref="sysid0"/>
</Src>
@ -1198,7 +1193,7 @@
</When>
<PolicyRuleOptions/>
</PolicyRule>
<PolicyRule id="id412934BF" action="Accept" disabled="False" log="False" position="8">
<PolicyRule id="id412934BF" disabled="False" log="False" position="8" action="Accept" direction="Both" comment="">
<Src neg="False">
<ObjectRef ref="id3DC75CE7-1"/>
</Src>
@ -1216,7 +1211,7 @@
</When>
<PolicyRuleOptions/>
</PolicyRule>
<PolicyRule id="id412934C9" action="Deny" disabled="False" log="True" position="9">
<PolicyRule id="id412934C9" disabled="False" log="True" position="9" action="Deny" direction="Both" comment="">
<Src neg="False">
<ObjectRef ref="sysid0"/>
</Src>
@ -1235,13 +1230,13 @@
<PolicyRuleOptions/>
</PolicyRule>
</Policy>
<Routing id="id41293477-routing" name="Routing" ipv6_rule_set="False" top_rule_set="True"/>
<Interface id="id412934E2" name="vlan1" bridgeport="False" dyn="True" label="outside" mgmt="False" security_level="0" unnum="False" unprotected="False"/>
<Interface id="id412934EF" name="br0" bridgeport="False" dyn="False" label="inside" mgmt="True" security_level="100" unnum="False" unprotected="False">
<IPv4 id="id412934F0" name="linksys firewall:br0:ip" address="192.168.1.1" netmask="255.255.255.0"/>
<Routing id="id41293477-routing" name="Routing" comment="" ro="False" ipv4_rule_set="False" ipv6_rule_set="False" top_rule_set="True"/>
<Interface id="id412934E2" bridgeport="False" dyn="True" label="outside" mgmt="False" security_level="0" unnum="False" unprotected="False" name="vlan1" comment="" ro="False"/>
<Interface id="id412934EF" bridgeport="False" dyn="False" label="inside" mgmt="True" security_level="100" unnum="False" unprotected="False" name="br0" comment="" ro="False">
<IPv4 id="id412934F0" name="linksys firewall:br0:ip" comment="" ro="False" address="192.168.1.1" netmask="255.255.255.0"/>
</Interface>
<Interface id="id412934F2" name="lo" bridgeport="False" dyn="False" label="loopback" mgmt="False" security_level="100" unnum="False" unprotected="False">
<IPv4 id="id412934F3" name="linksys firewall:lo:ip" address="127.0.0.1" netmask="255.0.0.0"/>
<Interface id="id412934F2" bridgeport="False" dyn="False" label="loopback" mgmt="False" security_level="100" unnum="False" unprotected="False" name="lo" comment="" ro="False">
<IPv4 id="id412934F3" name="linksys firewall:lo:ip" comment="" ro="False" address="127.0.0.1" netmask="255.0.0.0"/>
</Interface>
<Management address="192.168.1.1">
<SNMPManagement enabled="False" snmp_read_community="" snmp_write_community=""/>
@ -1340,10 +1335,10 @@
<Option name="verify_interfaces">True</Option>
</FirewallOptions>
</Firewall>
<Firewall id="id4129355E" name="web server" host_OS="linux24" lastCompiled="0" lastInstalled="0" lastModified="0" platform="iptables" ro="False" version="">
<NAT id="id41293598" name="NAT" ipv6_rule_set="False" top_rule_set="True"/>
<Policy id="id41293563" name="Policy" ipv6_rule_set="False" top_rule_set="True">
<PolicyRule id="id4129359C" action="Deny" direction="Inbound" disabled="False" log="True" position="10">
<Firewall id="id4129355E" host_OS="linux24" lastCompiled="0" lastInstalled="0" lastModified="0" platform="iptables" version="" name="web server" comment="" ro="False">
<NAT id="id41293598" name="NAT" comment="" ro="False" ipv4_rule_set="False" ipv6_rule_set="False" top_rule_set="True"/>
<Policy id="id41293563" name="Policy" comment="" ro="False" ipv4_rule_set="False" ipv6_rule_set="False" top_rule_set="True">
<PolicyRule id="id4129359C" disabled="False" log="True" position="10" action="Deny" direction="Inbound" comment="">
<Src neg="False">
<ObjectRef ref="id4129355E"/>
</Src>
@ -1361,7 +1356,7 @@
</When>
<PolicyRuleOptions/>
</PolicyRule>
<PolicyRule id="id412935A9" action="Accept" direction="Both" disabled="False" log="False" position="11">
<PolicyRule id="id412935A9" disabled="False" log="False" position="11" action="Accept" direction="Both" comment="">
<Src neg="False">
<ObjectRef ref="sysid0"/>
</Src>
@ -1379,7 +1374,7 @@
</When>
<PolicyRuleOptions/>
</PolicyRule>
<PolicyRule id="id41293564" action="Accept" disabled="False" log="False" position="2">
<PolicyRule id="id41293564" disabled="False" log="False" position="2" action="Accept" direction="Both" comment="">
<Src neg="False">
<ObjectRef ref="sysid0"/>
</Src>
@ -1399,7 +1394,7 @@
</When>
<PolicyRuleOptions/>
</PolicyRule>
<PolicyRule id="id41293570" comment="server needs DNS to back-resolve clients IPs.&#10;Even if it does not log host names during its&#10;normal operations, statistics scripts such as&#10;webalizer need it for reporting." action="Accept" disabled="False" log="False" position="3">
<PolicyRule id="id41293570" disabled="False" log="False" position="3" action="Accept" direction="Both" comment="server needs DNS to back-resolve clients IPs.&#10;Even if it does not log host names during its&#10;normal operations, statistics scripts such as&#10;webalizer need it for reporting.">
<Src neg="False">
<ObjectRef ref="id4129355E"/>
</Src>
@ -1417,7 +1412,7 @@
</When>
<PolicyRuleOptions/>
</PolicyRule>
<PolicyRule id="id4129357A" comment="this rule allows the server to send&#10;statistics and reports via email. Disable&#10;this rule if you do not need it." action="Accept" disabled="False" log="False" position="4">
<PolicyRule id="id4129357A" disabled="False" log="False" position="4" action="Accept" direction="Both" comment="this rule allows the server to send&#10;statistics and reports via email. Disable&#10;this rule if you do not need it.">
<Src neg="False">
<ObjectRef ref="id4129355E"/>
</Src>
@ -1435,7 +1430,7 @@
</When>
<PolicyRuleOptions/>
</PolicyRule>
<PolicyRule id="id41293584" comment="this rejects auth (ident) queries that remote&#10;mail relays may send to this server when it&#10;tries to send email out." action="Reject" disabled="False" log="False" position="5">
<PolicyRule id="id41293584" disabled="False" log="False" position="5" action="Reject" direction="Both" comment="this rejects auth (ident) queries that remote&#10;mail relays may send to this server when it&#10;tries to send email out.">
<Src neg="False">
<ObjectRef ref="sysid0"/>
</Src>
@ -1453,7 +1448,7 @@
</When>
<PolicyRuleOptions/>
</PolicyRule>
<PolicyRule id="id4129358E" action="Deny" disabled="False" log="True" position="6">
<PolicyRule id="id4129358E" disabled="False" log="True" position="6" action="Deny" direction="Both" comment="">
<Src neg="False">
<ObjectRef ref="sysid0"/>
</Src>
@ -1472,12 +1467,12 @@
<PolicyRuleOptions/>
</PolicyRule>
</Policy>
<Routing id="id4129355E-routing" name="Routing" ipv6_rule_set="False" top_rule_set="True"/>
<Interface id="id41293599" name="eth0" bridgeport="False" dyn="False" label="outside" mgmt="True" security_level="0" unnum="False" unprotected="False">
<IPv4 id="id4129359A" name="web server:eth0:ip" address="192.168.1.10" netmask="255.255.255.0"/>
<Routing id="id4129355E-routing" name="Routing" comment="" ro="False" ipv4_rule_set="False" ipv6_rule_set="False" top_rule_set="True"/>
<Interface id="id41293599" bridgeport="False" dyn="False" label="outside" mgmt="True" security_level="0" unnum="False" unprotected="False" name="eth0" comment="" ro="False">
<IPv4 id="id4129359A" name="web server:eth0:ip" comment="" ro="False" address="192.168.1.10" netmask="255.255.255.0"/>
</Interface>
<Interface id="id412935A6" name="lo" bridgeport="False" dyn="False" label="loopback" security_level="100" unnum="False" unprotected="False">
<IPv4 id="id412935A7" name="web server:lo:ip" address="127.0.0.1" netmask="255.0.0.0"/>
<Interface id="id412935A6" bridgeport="False" dyn="False" label="loopback" security_level="100" unnum="False" unprotected="False" name="lo" comment="" ro="False">
<IPv4 id="id412935A7" name="web server:lo:ip" comment="" ro="False" address="127.0.0.1" netmask="255.0.0.0"/>
</Interface>
<Management address="192.168.1.10">
<SNMPManagement enabled="False" snmp_read_community="" snmp_write_community=""/>
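Review bot: the `lo` interface of the `web server` firewall in this hunk still has no `mgmt` attribute, while the writer added `comment=""` and `ro="False"` to it and every other interface in the file carries `mgmt` (compare `lo` on `host fw template 1`, which has `mgmt="False"`). If the serializer now emits defaults explicitly, it should emit `mgmt="False"` here too rather than preserving the gap; the same omission survives on `Ethernet1/1` of `c36xx` in the hunk after next (`@ -1621,18 +1616,18 @@`), which also ends up without `mgmt`.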
@ -1536,10 +1531,10 @@
<Option name="verify_interfaces">True</Option>
</FirewallOptions>
</Firewall>
<Firewall id="id4699503132343" name="c36xx" comment="An example of Cisco router" host_OS="ios" inactive="False" lastCompiled="0" lastInstalled="0" lastModified="1184450093" platform="iosacl" ro="False" version="12.x">
<NAT id="id4699503532343" name="NAT" ipv6_rule_set="False" top_rule_set="True"/>
<Policy id="id4699503432343" name="Policy" ipv6_rule_set="False" top_rule_set="True">
<PolicyRule id="id46995E2832343" comment="anti-spoofing rule" action="Deny" direction="Inbound" disabled="False" log="True" position="0">
<Firewall id="id4699503132343" host_OS="ios" inactive="False" lastCompiled="0" lastInstalled="0" lastModified="1184450093" platform="iosacl" version="12.x" name="c36xx" comment="An example of Cisco router" ro="False">
<NAT id="id4699503532343" name="NAT" comment="" ro="False" ipv4_rule_set="False" ipv6_rule_set="False" top_rule_set="True"/>
<Policy id="id4699503432343" name="Policy" comment="" ro="False" ipv4_rule_set="False" ipv6_rule_set="False" top_rule_set="True">
<PolicyRule id="id46995E2832343" disabled="False" log="True" position="0" action="Deny" direction="Inbound" comment="anti-spoofing rule">
<Src neg="False">
<ObjectRef ref="id3DC75CE7-1"/>
<ObjectRef ref="id4699503132343"/>
@ -1560,7 +1555,7 @@
<Option name="stateless">True</Option>
</PolicyRuleOptions>
</PolicyRule>
<PolicyRule id="id469954CB32343" action="Accept" direction="Inbound" disabled="False" log="False" position="1">
<PolicyRule id="id469954CB32343" disabled="False" log="False" position="1" action="Accept" direction="Inbound" comment="">
<Src neg="False">
<ObjectRef ref="id3DC75CE7-1"/>
</Src>
@ -1580,7 +1575,7 @@
<Option name="stateless">False</Option>
</PolicyRuleOptions>
</PolicyRule>
<PolicyRule id="id469954DA32343" action="Deny" direction="Both" disabled="False" log="True" position="2">
<PolicyRule id="id469954DA32343" disabled="False" log="True" position="2" action="Deny" direction="Both" comment="">
<Src neg="False">
<ObjectRef ref="sysid0"/>
</Src>
@ -1600,7 +1595,7 @@
<Option name="stateless">True</Option>
</PolicyRuleOptions>
</PolicyRule>
<PolicyRule id="id469954B332343" action="Deny" direction="Both" disabled="False" log="True" position="3">
<PolicyRule id="id469954B332343" disabled="False" log="True" position="3" action="Deny" direction="Both" comment="">
<Src neg="False">
<ObjectRef ref="sysid0"/>
</Src>
@ -1621,18 +1616,18 @@
</PolicyRuleOptions>
</PolicyRule>
</Policy>
<Routing id="id4699503632343" name="Routing" ipv6_rule_set="False" top_rule_set="True"/>
<Interface id="id4699503732343" name="Ethernet1/0" bridgeport="False" dyn="False" label="" mgmt="False" security_level="0" unnum="False" unprotected="False">
<IPv4 id="id4699503832343" name="c36xx:Ethernet1/0:ip" address="192.0.2.1" netmask="255.255.255.0"/>
<Routing id="id4699503632343" name="Routing" comment="" ro="False" ipv4_rule_set="False" ipv6_rule_set="False" top_rule_set="True"/>
<Interface id="id4699503732343" bridgeport="False" dyn="False" label="" mgmt="False" security_level="0" unnum="False" unprotected="False" name="Ethernet1/0" comment="" ro="False">
<IPv4 id="id4699503832343" name="c36xx:Ethernet1/0:ip" comment="" ro="False" address="192.0.2.1" netmask="255.255.255.0"/>
</Interface>
<Interface id="id4699503932343" name="Ethernet1/1" bridgeport="False" dyn="False" label="" security_level="50" unnum="False" unprotected="False">
<IPv4 id="id4699503A32343" name="c36xx:Ethernet1/1:ip" comment="Configure IP address and netmask for this interface" address="0.0.0.0" netmask="0.0.0.0"/>
<Interface id="id4699503932343" bridgeport="False" dyn="False" label="" security_level="50" unnum="False" unprotected="False" name="Ethernet1/1" comment="" ro="False">
<IPv4 id="id4699503A32343" name="c36xx:Ethernet1/1:ip" comment="Configure IP address and netmask for this interface" ro="False" address="0.0.0.0" netmask="0.0.0.0"/>
</Interface>
<Interface id="id4699503B32343" name="FastEthernet0/0" bridgeport="False" dyn="False" label="" mgmt="True" security_level="100" unnum="False" unprotected="False">
<IPv4 id="id4699503C32343" name="c36xx:FastEthernet0/0:ip" address="192.168.1.1" netmask="255.255.255.0"/>
<Interface id="id4699503B32343" bridgeport="False" dyn="False" label="" mgmt="True" security_level="100" unnum="False" unprotected="False" name="FastEthernet0/0" comment="" ro="False">
<IPv4 id="id4699503C32343" name="c36xx:FastEthernet0/0:ip" comment="" ro="False" address="192.168.1.1" netmask="255.255.255.0"/>
</Interface>
<Interface id="id4699503F32343" name="Serial1/0" bridgeport="False" dyn="False" label="" mgmt="False" security_level="0" unnum="False" unprotected="False">
<IPv4 id="id4699504032343" name="c36xx:Serial1/0:ip" comment="Configure IP address and netmask for this interface" address="0.0.0.0" netmask="0.0.0.0"/>
<Interface id="id4699503F32343" bridgeport="False" dyn="False" label="" mgmt="False" security_level="0" unnum="False" unprotected="False" name="Serial1/0" comment="" ro="False">
<IPv4 id="id4699504032343" name="c36xx:Serial1/0:ip" comment="Configure IP address and netmask for this interface" ro="False" address="0.0.0.0" netmask="0.0.0.0"/>
</Interface>
<Management address="192.168.1.1">
<SNMPManagement enabled="False" snmp_read_community="" snmp_write_community=""/>
@ -1710,23 +1705,152 @@
<Option name="verify_interfaces">true</Option>
</FirewallOptions>
</Firewall>
<Firewall id="id3836X47925" host_OS="endian_os" inactive="False" lastCompiled="0" lastInstalled="0" lastModified="1239820196" platform="endian" version="" name="IPCOP or Endian appliance (2 interfaces)" comment="Endian firewall appliance, 2 interfaces:&#10;br0 is GREEN&#10;eth1 is RED&#10;Do not forget to change IP addresses to &#10;match your firewall." ro="False">
<NAT id="id3840X47925" name="NAT" comment="" ro="False" ipv4_rule_set="False" ipv6_rule_set="False" top_rule_set="True"/>
<Policy id="id3839X47925" name="Policy" comment="" ro="False" ipv4_rule_set="False" ipv6_rule_set="False" top_rule_set="True"/>
<Routing id="id3841X47925" name="Routing" comment="" ro="False" ipv4_rule_set="False" ipv6_rule_set="False" top_rule_set="True"/>
<Interface id="id3842X47925" bridgeport="False" dyn="False" label="GREEN" mgmt="True" security_level="100" unnum="False" unprotected="False" name="br0" comment="" ro="False">
<IPv4 id="id3843X47925" name="br0:ip" comment="" ro="False" address="192.168.1.1" netmask="255.255.255.0"/>
</Interface>
<Interface id="id3844X47925" bridgeport="False" dyn="False" label="RED" mgmt="False" security_level="0" unnum="False" unprotected="False" name="eth1" comment="" ro="False">
<IPv4 id="id3845X47925" name="eth1:ip" comment="" ro="False" address="192.0.2.1" netmask="255.255.255.0"/>
</Interface>
<Management address="0.0.0.0">
<SNMPManagement enabled="False" snmp_read_community="" snmp_write_community=""/>
<FWBDManagement enabled="False" identity="" port="-1"/>
<PolicyInstallScript arguments="" command="" enabled="False"/>
</Management>
<FirewallOptions>
<Option name="accept_established">true</Option>
<Option name="accept_new_tcp_with_no_syn">true</Option>
<Option name="activationCmd">/etc/rc.d/rc.firewall restart</Option>
<Option name="admUser">root</Option>
<Option name="check_shading">true</Option>
<Option name="comment"> defaults for ipcop </Option>
<Option name="configure_interfaces">true</Option>
<Option name="firewall_dir">/etc/rc.d/</Option>
<Option name="firewall_is_part_of_any_and_networks">true</Option>
<Option name="limit_value">0</Option>
<Option name="linux24_accept_redirects"></Option>
<Option name="linux24_accept_source_route"></Option>
<Option name="linux24_icmp_echo_ignore_all"></Option>
<Option name="linux24_icmp_echo_ignore_broadcasts"></Option>
<Option name="linux24_icmp_ignore_bogus_error_responses"></Option>
<Option name="linux24_ip_dynaddr"></Option>
<Option name="linux24_ip_forward"></Option>
<Option name="linux24_ipv6_forward"></Option>
<Option name="linux24_log_martians"></Option>
<Option name="linux24_path_ip"></Option>
<Option name="linux24_path_ip6tables"></Option>
<Option name="linux24_path_ip6tables_restore"></Option>
<Option name="linux24_path_iptables"></Option>
<Option name="linux24_path_iptables_restore"></Option>
<Option name="linux24_path_logger"></Option>
<Option name="linux24_path_lsmod"></Option>
<Option name="linux24_path_modprobe"></Option>
<Option name="linux24_rp_filter"></Option>
<Option name="linux24_tcp_ecn"></Option>
<Option name="linux24_tcp_fack"></Option>
<Option name="linux24_tcp_fin_timeout">0</Option>
<Option name="linux24_tcp_keepalive_interval">0</Option>
<Option name="linux24_tcp_sack"></Option>
<Option name="linux24_tcp_syncookies"></Option>
<Option name="linux24_tcp_timestamps"></Option>
<Option name="linux24_tcp_window_scaling"></Option>
<Option name="load_modules">true</Option>
<Option name="local_nat">false</Option>
<Option name="log_level">info</Option>
<Option name="log_prefix">RULE %N -- %A </Option>
<Option name="loopback_interface">lo</Option>
<Option name="manage_virtual_addr">true</Option>
<Option name="output_file">rc.firewall.local</Option>
<Option name="ulog_nlgroup">1</Option>
<Option name="verify_interfaces">true</Option>
</FirewallOptions>
</Firewall>
<Firewall id="id3872X48257" host_OS="endian_os" inactive="False" lastCompiled="0" lastInstalled="0" lastModified="1239820203" platform="endian" version="" name="IPCOP or Endian appliance (3 interfaces)" comment="Endian firewall appliance, 3 interfaces:&#10;br0 is GREEN&#10;eth1 is RED&#10;eth2 is ORANGE&#10;Do not forget to change IP addresses to &#10;match your firewall." ro="False">
<NAT id="id3879X48257" name="NAT" comment="" ro="False" ipv4_rule_set="False" ipv6_rule_set="False" top_rule_set="True"/>
<Policy id="id3878X48257" name="Policy" comment="" ro="False" ipv4_rule_set="False" ipv6_rule_set="False" top_rule_set="True"/>
<Routing id="id3880X48257" name="Routing" comment="" ro="False" ipv4_rule_set="False" ipv6_rule_set="False" top_rule_set="True"/>
<Interface id="id3881X48257" bridgeport="False" dyn="False" label="GREEN" mgmt="True" security_level="100" unnum="False" unprotected="False" name="br0" comment="" ro="False">
<IPv4 id="id3883X48257" name="br0:ip" comment="" ro="False" address="192.168.1.1" netmask="255.255.255.0"/>
</Interface>
<Interface id="id3884X48257" bridgeport="False" dyn="False" label="RED" mgmt="False" security_level="0" unnum="False" unprotected="False" name="eth1" comment="" ro="False">
<IPv4 id="id3886X48257" name="eth1:ip" comment="" ro="False" address="192.0.2.1" netmask="255.255.255.0"/>
</Interface>
<Interface id="id4907X48257" bridgeport="False" dyn="False" label="ORANGE" mgmt="False" security_level="0" unnum="False" unprotected="False" name="eth2" comment="" ro="False">
<IPv4 id="id4908X48257" name="eth2:ip" comment="" ro="False" address="192.168.2.1" netmask="255.255.255.0"/>
</Interface>
<Management address="0.0.0.0">
<SNMPManagement enabled="False" snmp_read_community="" snmp_write_community=""/>
<FWBDManagement enabled="False" identity="" port="-1"/>
<PolicyInstallScript arguments="" command="" enabled="False"/>
</Management>
<FirewallOptions>
<Option name="accept_established">true</Option>
<Option name="accept_new_tcp_with_no_syn">true</Option>
<Option name="activationCmd">/etc/rc.d/rc.firewall restart</Option>
<Option name="admUser">root</Option>
<Option name="check_shading">true</Option>
<Option name="comment"> defaults for ipcop </Option>
<Option name="configure_interfaces">true</Option>
<Option name="firewall_dir">/etc/rc.d/</Option>
<Option name="firewall_is_part_of_any_and_networks">true</Option>
<Option name="limit_value">0</Option>
<Option name="linux24_accept_redirects"></Option>
<Option name="linux24_accept_source_route"></Option>
<Option name="linux24_icmp_echo_ignore_all"></Option>
<Option name="linux24_icmp_echo_ignore_broadcasts"></Option>
<Option name="linux24_icmp_ignore_bogus_error_responses"></Option>
<Option name="linux24_ip_dynaddr"></Option>
<Option name="linux24_ip_forward"></Option>
<Option name="linux24_ipv6_forward"></Option>
<Option name="linux24_log_martians"></Option>
<Option name="linux24_path_ip"></Option>
<Option name="linux24_path_ip6tables"></Option>
<Option name="linux24_path_ip6tables_restore"></Option>
<Option name="linux24_path_iptables"></Option>
<Option name="linux24_path_iptables_restore"></Option>
<Option name="linux24_path_logger"></Option>
<Option name="linux24_path_lsmod"></Option>
<Option name="linux24_path_modprobe"></Option>
<Option name="linux24_rp_filter"></Option>
<Option name="linux24_tcp_ecn"></Option>
<Option name="linux24_tcp_fack"></Option>
<Option name="linux24_tcp_fin_timeout">0</Option>
<Option name="linux24_tcp_keepalive_interval">0</Option>
<Option name="linux24_tcp_sack"></Option>
<Option name="linux24_tcp_syncookies"></Option>
<Option name="linux24_tcp_timestamps"></Option>
<Option name="linux24_tcp_window_scaling"></Option>
<Option name="load_modules">true</Option>
<Option name="local_nat">false</Option>
<Option name="log_level">info</Option>
<Option name="log_prefix">RULE %N -- %A </Option>
<Option name="loopback_interface">lo</Option>
<Option name="manage_virtual_addr">true</Option>
<Option name="output_file">rc.firewall.local</Option>
<Option name="ulog_nlgroup">1</Option>
<Option name="verify_interfaces">true</Option>
</FirewallOptions>
</Firewall>
</ObjectGroup>
<IntervalGroup id="id4070BBA9" name="Time"/>
<IntervalGroup id="id4070BBA9" name="Time" comment="" ro="False"/>
</Library>
<Library id="syslib000" name="Standard" comment="Standard objects" color="#d4f8ff" ro="True">
<ObjectGroup id="stdid01" name="Objects">
<ObjectGroup id="stdid03" name="Networks">
<Network id="id3DC75CE7-1" name="net-192.168.1.0" comment="192.168.1.0/24 - Address often used for home and small office networks.&#10;" address="192.168.1.0" netmask="255.255.255.0"/>
<Network id="id3DC75CE7-2" name="net-192.168.2.0" comment="192.168.2.0/24 - Address often used for home and small office networks.&#10;" address="192.168.2.0" netmask="255.255.255.0"/>
<Library id="syslib000" color="#d4f8ff" name="Standard" comment="Standard objects" ro="True">
<ObjectGroup id="stdid01" name="Objects" comment="" ro="False">
<ObjectGroup id="stdid03" name="Networks" comment="" ro="False">
<Network id="id3DC75CE7-1" name="net-192.168.1.0" comment="192.168.1.0/24 - Address often used for home and small office networks.&#10;" ro="False" address="192.168.1.0" netmask="255.255.255.0"/>
<Network id="id3DC75CE7-2" name="net-192.168.2.0" comment="192.168.2.0/24 - Address often used for home and small office networks.&#10;" ro="False" address="192.168.2.0" netmask="255.255.255.0"/>
</ObjectGroup>
<ObjectGroup id="stdid15" name="Address Ranges">
<AddressRange id="id3F6D115D" name="old-broadcast" start_address="0.0.0.0" end_address="0.0.0.0"/>
<AddressRange id="id3F6D115C" name="broadcast" start_address="255.255.255.255" end_address="255.255.255.255"/>
<ObjectGroup id="stdid15" name="Address Ranges" comment="" ro="False">
<AddressRange id="id3F6D115D" name="old-broadcast" comment="" ro="False" start_address="0.0.0.0" end_address="0.0.0.0"/>
<AddressRange id="id3F6D115C" name="broadcast" comment="" ro="False" start_address="255.255.255.255" end_address="255.255.255.255"/>
</ObjectGroup>
<ObjectGroup id="stdid02" name="Hosts">
<Host id="id3D84EECE" name="internal server" comment="This host is used in examples and template objects">
<Interface id="id3D84EED2" name="eth0" bridgeport="False" dyn="False" security_level="0" unnum="False" unprotected="False">
<IPv4 id="id3D84EED3" name="ip" address="192.168.1.10" netmask="255.255.255.0"/>
<ObjectGroup id="stdid02" name="Hosts" comment="" ro="False">
<Host id="id3D84EECE" name="internal server" comment="This host is used in examples and template objects" ro="False">
<Interface id="id3D84EED2" bridgeport="False" dyn="False" security_level="0" unnum="False" unprotected="False" name="eth0" comment="" ro="False">
<IPv4 id="id3D84EED3" name="ip" comment="" ro="False" address="192.168.1.10" netmask="255.255.255.0"/>
</Interface>
<Management address="192.168.1.10">
<SNMPManagement enabled="False" snmp_read_community="" snmp_write_community=""/>
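Review bot: the ipcop defaults set accept_new_tcp_with_no_syn to true, which tells the generated script to accept NEW-state TCP packets that do not carry SYN; that relaxes the stateful check on new connections and is normally only wanted so that sessions established before an rc.firewall restart keep working. Since these are platform-wide defaults rather than a per-firewall choice, either default it to false or record the reason next to the option, e.g. <Option name="comment">defaults for ipcop; accept_new_tcp_with_no_syn kept on so sessions survive rc.firewall restart</Option> (which also trims the stray spaces inside the current comment value). Separately, the ORANGE interface eth2 is given security_level="0", the lowest level; if the DMZ is meant to be more trusted than RED, give it an intermediate value or state that the level is intentional.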
@ -1741,9 +1865,9 @@
<Option name="use_mac_addr_filter">False</Option>
</HostOptions>
</Host>
<Host id="id3D84EECF" name="server on dmz" comment="This host is used in examples and template objects">
<Interface id="id3D84EEE3" name="eth0" bridgeport="False" dyn="False" security_level="0" unnum="False" unprotected="False">
<IPv4 id="id3D84EEE4" name="ip" address="192.168.2.10" netmask="255.255.255.0"/>
<Host id="id3D84EECF" name="server on dmz" comment="This host is used in examples and template objects" ro="False">
<Interface id="id3D84EEE3" bridgeport="False" dyn="False" security_level="0" unnum="False" unprotected="False" name="eth0" comment="" ro="False">
<IPv4 id="id3D84EEE4" name="ip" comment="" ro="False" address="192.168.2.10" netmask="255.255.255.0"/>
</Interface>
<Management address="192.168.2.10">
<SNMPManagement enabled="False" snmp_read_community="" snmp_write_community=""/>
@ -1760,54 +1884,54 @@
</Host>
</ObjectGroup>
</ObjectGroup>
<AnyNetwork id="sysid0" name="Any" comment="Any Network" address="0.0.0.0" netmask="0.0.0.0"/>
<AnyIPService id="sysid1" name="Any" comment="Any IP Service" protocol_num="0"/>
<AnyInterval id="sysid2" name="Any" comment="Any Interval" days_of_week="0,1,2,3,4,5,6" from_day="-1" from_hour="-1" from_minute="-1" from_month="-1" from_weekday="-1" from_year="-1" to_day="-1" to_hour="-1" to_minute="-1" to_month="-1" to_weekday="-1" to_year="-1"/>
<ServiceGroup id="stdid05" name="Services">
<ServiceGroup id="stdid09" name="TCP">
<TCPService id="tcp-SSH" name="ssh" ack_flag="False" ack_flag_mask="False" fin_flag="False" fin_flag_mask="False" psh_flag="False" psh_flag_mask="False" rst_flag="False" rst_flag_mask="False" syn_flag="False" syn_flag_mask="False" urg_flag="False" urg_flag_mask="False" src_range_start="0" src_range_end="0" dst_range_start="22" dst_range_end="22"/>
<TCPService id="tcp-Auth" name="auth" ack_flag="False" ack_flag_mask="False" fin_flag="False" fin_flag_mask="False" psh_flag="False" psh_flag_mask="False" rst_flag="False" rst_flag_mask="False" syn_flag="False" syn_flag_mask="False" urg_flag="False" urg_flag_mask="False" src_range_start="0" src_range_end="0" dst_range_start="113" dst_range_end="113"/>
<TCPService id="tcp-SMTP" name="smtp" ack_flag="False" ack_flag_mask="False" fin_flag="False" fin_flag_mask="False" psh_flag="False" psh_flag_mask="False" rst_flag="False" rst_flag_mask="False" syn_flag="False" syn_flag_mask="False" urg_flag="False" urg_flag_mask="False" src_range_start="0" src_range_end="0" dst_range_start="25" dst_range_end="25"/>
<TCPService id="tcp-HTTP" name="http" ack_flag="False" ack_flag_mask="False" fin_flag="False" fin_flag_mask="False" psh_flag="False" psh_flag_mask="False" rst_flag="False" rst_flag_mask="False" syn_flag="False" syn_flag_mask="False" urg_flag="False" urg_flag_mask="False" src_range_start="0" src_range_end="0" dst_range_start="80" dst_range_end="80"/>
<TCPService id="tcp-DNS" name="domain" ack_flag="False" ack_flag_mask="False" fin_flag="False" fin_flag_mask="False" psh_flag="False" psh_flag_mask="False" rst_flag="False" rst_flag_mask="False" syn_flag="False" syn_flag_mask="False" urg_flag="False" urg_flag_mask="False" src_range_start="0" src_range_end="0" dst_range_start="53" dst_range_end="53"/>
<TCPService id="id41291784" name="upnp" ack_flag="False" ack_flag_mask="False" fin_flag="False" fin_flag_mask="False" psh_flag="False" psh_flag_mask="False" rst_flag="False" rst_flag_mask="False" syn_flag="False" syn_flag_mask="False" urg_flag="False" urg_flag_mask="False" src_range_start="0" src_range_end="0" dst_range_start="5000" dst_range_end="5000"/>
<TCPService id="id41291785" name="upnp-5431" comment="Although UPnP specification say it should use TCP port 5000, Linksys running Sveasoft firmware listens on port 5431" ack_flag="False" ack_flag_mask="False" fin_flag="False" fin_flag_mask="False" psh_flag="False" psh_flag_mask="False" rst_flag="False" rst_flag_mask="False" syn_flag="False" syn_flag_mask="False" urg_flag="False" urg_flag_mask="False" src_range_start="0" src_range_end="0" dst_range_start="5431" dst_range_end="5431"/>
<TCPService id="id412Z18A9" name="icslap" comment="Sometimes this protocol is called icslap, but Microsoft does not call it that and just says that DSPP uses port 2869 in Windows XP SP2" ack_flag="False" ack_flag_mask="False" fin_flag="False" fin_flag_mask="False" psh_flag="False" psh_flag_mask="False" rst_flag="False" rst_flag_mask="False" syn_flag="False" syn_flag_mask="False" urg_flag="False" urg_flag_mask="False" src_range_start="0" src_range_end="0" dst_range_start="2869" dst_range_end="2869"/>
<AnyNetwork id="sysid0" name="Any" comment="Any Network" ro="False" address="0.0.0.0" netmask="0.0.0.0"/>
<AnyIPService id="sysid1" protocol_num="0" name="Any" comment="Any IP Service" ro="False"/>
<AnyInterval id="sysid2" days_of_week="0,1,2,3,4,5,6" from_day="-1" from_hour="-1" from_minute="-1" from_month="-1" from_weekday="-1" from_year="-1" to_day="-1" to_hour="-1" to_minute="-1" to_month="-1" to_weekday="-1" to_year="-1" name="Any" comment="Any Interval" ro="False"/>
<ServiceGroup id="stdid05" name="Services" comment="" ro="False">
<ServiceGroup id="stdid09" name="TCP" comment="" ro="False">
<TCPService id="tcp-SSH" ack_flag="False" ack_flag_mask="False" fin_flag="False" fin_flag_mask="False" psh_flag="False" psh_flag_mask="False" rst_flag="False" rst_flag_mask="False" syn_flag="False" syn_flag_mask="False" urg_flag="False" urg_flag_mask="False" name="ssh" comment="" ro="False" src_range_start="0" src_range_end="0" dst_range_start="22" dst_range_end="22"/>
<TCPService id="tcp-Auth" ack_flag="False" ack_flag_mask="False" fin_flag="False" fin_flag_mask="False" psh_flag="False" psh_flag_mask="False" rst_flag="False" rst_flag_mask="False" syn_flag="False" syn_flag_mask="False" urg_flag="False" urg_flag_mask="False" name="auth" comment="" ro="False" src_range_start="0" src_range_end="0" dst_range_start="113" dst_range_end="113"/>
<TCPService id="tcp-SMTP" ack_flag="False" ack_flag_mask="False" fin_flag="False" fin_flag_mask="False" psh_flag="False" psh_flag_mask="False" rst_flag="False" rst_flag_mask="False" syn_flag="False" syn_flag_mask="False" urg_flag="False" urg_flag_mask="False" name="smtp" comment="" ro="False" src_range_start="0" src_range_end="0" dst_range_start="25" dst_range_end="25"/>
<TCPService id="tcp-HTTP" ack_flag="False" ack_flag_mask="False" fin_flag="False" fin_flag_mask="False" psh_flag="False" psh_flag_mask="False" rst_flag="False" rst_flag_mask="False" syn_flag="False" syn_flag_mask="False" urg_flag="False" urg_flag_mask="False" name="http" comment="" ro="False" src_range_start="0" src_range_end="0" dst_range_start="80" dst_range_end="80"/>
<TCPService id="tcp-DNS" ack_flag="False" ack_flag_mask="False" fin_flag="False" fin_flag_mask="False" psh_flag="False" psh_flag_mask="False" rst_flag="False" rst_flag_mask="False" syn_flag="False" syn_flag_mask="False" urg_flag="False" urg_flag_mask="False" name="domain" comment="" ro="False" src_range_start="0" src_range_end="0" dst_range_start="53" dst_range_end="53"/>
<TCPService id="id41291784" ack_flag="False" ack_flag_mask="False" fin_flag="False" fin_flag_mask="False" psh_flag="False" psh_flag_mask="False" rst_flag="False" rst_flag_mask="False" syn_flag="False" syn_flag_mask="False" urg_flag="False" urg_flag_mask="False" name="upnp" comment="" ro="False" src_range_start="0" src_range_end="0" dst_range_start="5000" dst_range_end="5000"/>
<TCPService id="id41291785" ack_flag="False" ack_flag_mask="False" fin_flag="False" fin_flag_mask="False" psh_flag="False" psh_flag_mask="False" rst_flag="False" rst_flag_mask="False" syn_flag="False" syn_flag_mask="False" urg_flag="False" urg_flag_mask="False" name="upnp-5431" comment="Although UPnP specification say it should use TCP port 5000, Linksys running Sveasoft firmware listens on port 5431" ro="False" src_range_start="0" src_range_end="0" dst_range_start="5431" dst_range_end="5431"/>
<TCPService id="id412Z18A9" ack_flag="False" ack_flag_mask="False" fin_flag="False" fin_flag_mask="False" psh_flag="False" psh_flag_mask="False" rst_flag="False" rst_flag_mask="False" syn_flag="False" syn_flag_mask="False" urg_flag="False" urg_flag_mask="False" name="icslap" comment="Sometimes this protocol is called icslap, but Microsoft does not call it that and just says that DSPP uses port 2869 in Windows XP SP2" ro="False" src_range_start="0" src_range_end="0" dst_range_start="2869" dst_range_end="2869"/>
</ServiceGroup>
<ServiceGroup id="stdid10" name="Groups">
<ServiceGroup id="id3F530CC8" name="DNS">
<ServiceGroup id="stdid10" name="Groups" comment="" ro="False">
<ServiceGroup id="id3F530CC8" name="DNS" comment="" ro="False">
<ServiceRef ref="udp-DNS"/>
<ServiceRef ref="tcp-DNS"/>
</ServiceGroup>
<ServiceGroup id="sg-DHCP" name="DHCP">
<ServiceGroup id="sg-DHCP" name="DHCP" comment="" ro="False">
<ServiceRef ref="udp-bootpc"/>
<ServiceRef ref="udp-bootps"/>
</ServiceGroup>
<ServiceGroup id="sg-Useful_ICMP" name="Useful_ICMP">
<ServiceGroup id="sg-Useful_ICMP" name="Useful_ICMP" comment="" ro="False">
<ServiceRef ref="icmp-Time_exceeded"/>
<ServiceRef ref="icmp-Time_exceeded_in_transit"/>
<ServiceRef ref="icmp-ping_reply"/>
<ServiceRef ref="icmp-Unreachables"/>
</ServiceGroup>
<ServiceGroup id="id41291786" name="UPnP">
<ServiceGroup id="id41291786" name="UPnP" comment="" ro="False">
<ServiceRef ref="id41291784"/>
<ServiceRef ref="id41291785"/>
<ServiceRef ref="id41291783"/>
<ServiceRef ref="id412Z18A9"/>
</ServiceGroup>
</ServiceGroup>
<ServiceGroup id="stdid07" name="ICMP">
<ICMPService id="icmp-ping_request" name="ping request" code="0" type="8"/>
<ICMPService id="icmp-ping_reply" name="ping reply" code="0" type="0"/>
<ICMPService id="icmp-Time_exceeded" name="time exceeded" comment="ICMP messages of this type are needed for traceroute" code="0" type="11"/>
<ICMPService id="icmp-Unreachables" name="all ICMP unreachables" code="-1" type="3"/>
<ICMPService id="icmp-Time_exceeded_in_transit" name="time exceeded in transit" code="1" type="11"/>
<ServiceGroup id="stdid07" name="ICMP" comment="" ro="False">
<ICMPService id="icmp-ping_request" code="0" type="8" name="ping request" comment="" ro="False"/>
<ICMPService id="icmp-ping_reply" code="0" type="0" name="ping reply" comment="" ro="False"/>
<ICMPService id="icmp-Time_exceeded" code="0" type="11" name="time exceeded" comment="ICMP messages of this type are needed for traceroute" ro="False"/>
<ICMPService id="icmp-Unreachables" code="-1" type="3" name="all ICMP unreachables" comment="" ro="False"/>
<ICMPService id="icmp-Time_exceeded_in_transit" code="1" type="11" name="time exceeded in transit" comment="" ro="False"/>
</ServiceGroup>
<ServiceGroup id="stdid08" name="UDP">
<UDPService id="udp-DNS" name="domain" src_range_start="0" src_range_end="0" dst_range_start="53" dst_range_end="53"/>
<UDPService id="udp-bootpc" name="bootpc" src_range_start="0" src_range_end="0" dst_range_start="68" dst_range_end="68"/>
<UDPService id="udp-bootps" name="bootps" src_range_start="0" src_range_end="0" dst_range_start="67" dst_range_end="67"/>
<UDPService id="id41291783" name="SSDP" comment="Simple Service Discovery Protocol (used for UPnP)" src_range_start="0" src_range_end="0" dst_range_start="1900" dst_range_end="1900"/>
<ServiceGroup id="stdid08" name="UDP" comment="" ro="False">
<UDPService id="udp-DNS" name="domain" comment="" ro="False" src_range_start="0" src_range_end="0" dst_range_start="53" dst_range_end="53"/>
<UDPService id="udp-bootpc" name="bootpc" comment="" ro="False" src_range_start="0" src_range_end="0" dst_range_start="68" dst_range_end="68"/>
<UDPService id="udp-bootps" name="bootps" comment="" ro="False" src_range_start="0" src_range_end="0" dst_range_start="67" dst_range_end="67"/>
<UDPService id="id41291783" name="SSDP" comment="Simple Service Discovery Protocol (used for UPnP)" ro="False" src_range_start="0" src_range_end="0" dst_range_start="1900" dst_range_end="1900"/>
</ServiceGroup>
</ServiceGroup>
</Library>

View File

@ -1,22 +1,17 @@
<?xml version="1.0" encoding="utf-8"?>
<!DOCTYPE FWObjectDatabase SYSTEM "fwbuilder.dtd">
<FWObjectDatabase xmlns="http://www.fwbuilder.org/1.0/" version="@FWBUILDER_XML_VERSION@" lastModified="1215463063" id="root">
<Library id="sysid99" name="Deleted Objects" ro="False">
<ICMP6Service id="idE0C27650" name="ipv6 dest unreachable" comment="No route to destination" code="0" type="1"/>
<Interface id="id4699503D32343" name="Null0" bridgeport="False" dyn="False" label="" security_level="100" unnum="False" unprotected="False">
<IPv4 id="id4699503E32343" name="c36xx:Null0:ip" address="0.0.0.0" netmask="255.255.255.255"/>
</Interface>
</Library>
<Library id="syslib100" name="Firewall Templates" comment="Template objects that can be used to generate typical firewall configurations" color="#ffb4b4" ro="True">
<ObjectGroup id="id4070BB9B" name="Objects">
<ObjectGroup id="id4070BB9B_og_ats_1" name="Address Tables"/>
<ObjectGroup id="id4070BB9B_og_dnsn_1" name="DNS Names"/>
<ObjectGroup id="id4070BB9C" name="Addresses"/>
<ObjectGroup id="id4070BB9D" name="Groups"/>
<ObjectGroup id="id4070BB9E" name="Hosts">
<Host id="id40CBF1A5" name="PC with 1 interface" comment="This object represents a PC with a single network interface">
<Interface id="id40CBF1A7" name="eth0" bridgeport="False" dyn="False" label="" security_level="0" unnum="False" unprotected="False">
<IPv4 id="id40CBF1A9" name="pc:eth0:ip" address="192.168.1.1" netmask="255.255.255.0"/>
<FWObjectDatabase xmlns="http://www.fwbuilder.org/1.0/" version="@FWBUILDER_XML_VERSION@" lastModified="1239820101" id="root">
<Library id="sysid99" name="Deleted Objects" comment="" ro="False"/>
<Library id="syslib100" color="#ffb4b4" name="Firewall Templates" comment="Template objects that can be used to generate typical firewall configurations" ro="True">
<ObjectGroup id="id4070BB9B" name="Objects" comment="" ro="False">
<ObjectGroup id="id4070BB9B_og_ats_1" name="Address Tables" comment="" ro="False"/>
<ObjectGroup id="id4070BB9B_og_dnsn_1" name="DNS Names" comment="" ro="False"/>
<ObjectGroup id="id4070BB9C" name="Addresses" comment="" ro="False"/>
<ObjectGroup id="id4070BB9D" name="Groups" comment="" ro="False"/>
<ObjectGroup id="id4070BB9E" name="Hosts" comment="" ro="False">
<Host id="id40CBF1A5" name="PC with 1 interface" comment="This object represents a PC with a single network interface" ro="False">
<Interface id="id40CBF1A7" bridgeport="False" dyn="False" label="" security_level="0" unnum="False" unprotected="False" name="eth0" comment="" ro="False">
<IPv4 id="id40CBF1A9" name="pc:eth0:ip" comment="" ro="False" address="192.168.1.1" netmask="255.255.255.0"/>
</Interface>
<Management address="0.0.0.0">
<SNMPManagement enabled="False" snmp_read_community="" snmp_write_community=""/>
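Review bot: emptying the "Deleted Objects" library drops two stale objects (the "ipv6 dest unreachable" ICMP6Service and the Null0 interface with its 0.0.0.0 address) that no template references; that is a content change rather than the attribute reordering the rest of this diff performs, and the commit message should mention it so the removal is not mistaken for a serialization side effect. lastModified is also bumped to 1239820101 here while version stays the @FWBUILDER_XML_VERSION@ build placeholder, so the file still depends on the substitution step before it can be loaded.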
@ -27,12 +22,12 @@
<Option name="use_mac_addr_filter">False</Option>
</HostOptions>
</Host>
<Host id="id40CBF1AC" name="PC with 2 interfaces" comment="This object represents a PC with two network interfaces">
<Interface id="id40CBF1AE" name="eth0" bridgeport="False" dyn="False" label="" security_level="0" unnum="False" unprotected="False">
<IPv4 id="id40CBF1B0" name="pc:eth0:ip" address="192.168.1.1" netmask="255.255.255.0"/>
<Host id="id40CBF1AC" name="PC with 2 interfaces" comment="This object represents a PC with two network interfaces" ro="False">
<Interface id="id40CBF1AE" bridgeport="False" dyn="False" label="" security_level="0" unnum="False" unprotected="False" name="eth0" comment="" ro="False">
<IPv4 id="id40CBF1B0" name="pc:eth0:ip" comment="" ro="False" address="192.168.1.1" netmask="255.255.255.0"/>
</Interface>
<Interface id="id40CBF1B1" name="eth1" bridgeport="False" dyn="False" label="" security_level="0" unnum="False" unprotected="False">
<IPv4 id="id40CBF1B3" name="pc:eth1:ip" address="192.168.2.1" netmask="255.255.255.0"/>
<Interface id="id40CBF1B1" bridgeport="False" dyn="False" label="" security_level="0" unnum="False" unprotected="False" name="eth1" comment="" ro="False">
<IPv4 id="id40CBF1B3" name="pc:eth1:ip" comment="" ro="False" address="192.168.2.1" netmask="255.255.255.0"/>
</Interface>
<Management address="0.0.0.0">
<SNMPManagement enabled="False" snmp_read_community="" snmp_write_community=""/>
@ -43,12 +38,12 @@
<Option name="use_mac_addr_filter">False</Option>
</HostOptions>
</Host>
<Host id="id40CBF1C8" name="Router with 2 interfaces" comment="This object represents a router with two interfaces. You may need to change interface names if your router uses different naming scheme.">
<Interface id="id40CBF1CB" name="FastEthernet 0/0" bridgeport="False" dyn="False" label="" security_level="0" unnum="False" unprotected="False">
<IPv4 id="id40CBF1CD" name="rtr:FE0/0:ip" address="192.168.1.1" netmask="255.255.255.0"/>
<Host id="id40CBF1C8" name="Router with 2 interfaces" comment="This object represents a router with two interfaces. You may need to change interface names if your router uses different naming scheme." ro="False">
<Interface id="id40CBF1CB" bridgeport="False" dyn="False" label="" security_level="0" unnum="False" unprotected="False" name="FastEthernet 0/0" comment="" ro="False">
<IPv4 id="id40CBF1CD" name="rtr:FE0/0:ip" comment="" ro="False" address="192.168.1.1" netmask="255.255.255.0"/>
</Interface>
<Interface id="id40CBF1CE" name="FastEthernet 0/1" bridgeport="False" dyn="False" label="" security_level="0" unnum="False" unprotected="False">
<IPv4 id="id40CBF1D0" name="rtr:FE0/1:ip" address="192.168.2.1" netmask="255.255.255.0"/>
<Interface id="id40CBF1CE" bridgeport="False" dyn="False" label="" security_level="0" unnum="False" unprotected="False" name="FastEthernet 0/1" comment="" ro="False">
<IPv4 id="id40CBF1D0" name="rtr:FE0/1:ip" comment="" ro="False" address="192.168.2.1" netmask="255.255.255.0"/>
</Interface>
<Management address="0.0.0.0">
<SNMPManagement enabled="False" snmp_read_community="" snmp_write_community=""/>
@ -60,23 +55,23 @@
</HostOptions>
</Host>
</ObjectGroup>
<ObjectGroup id="id4070BB9F" name="Networks"/>
<ObjectGroup id="id4070BBA0" name="Address Ranges"/>
<ObjectGroup id="id4070BB9F" name="Networks" comment="" ro="False"/>
<ObjectGroup id="id4070BBA0" name="Address Ranges" comment="" ro="False"/>
</ObjectGroup>
<ServiceGroup id="id4070BBA1" name="Services">
<ServiceGroup id="id4070BBA1_userservices" name="Users"/>
<ServiceGroup id="id4070BBA1_og_tag_1" name="TagServices"/>
<ServiceGroup id="id4070BBA2" name="Groups"/>
<ServiceGroup id="id4070BBA3" name="ICMP"/>
<ServiceGroup id="id4070BBA4" name="IP"/>
<ServiceGroup id="id4070BBA5" name="TCP"/>
<ServiceGroup id="id4070BBA6" name="UDP"/>
<ServiceGroup id="id4070BBA7" name="Custom"/>
<ServiceGroup id="id4070BBA1" name="Services" comment="" ro="False">
<ServiceGroup id="id4070BBA1_userservices" name="Users" comment="" ro="False"/>
<ServiceGroup id="id4070BBA1_og_tag_1" name="TagServices" comment="" ro="False"/>
<ServiceGroup id="id4070BBA2" name="Groups" comment="" ro="False"/>
<ServiceGroup id="id4070BBA3" name="ICMP" comment="" ro="False"/>
<ServiceGroup id="id4070BBA4" name="IP" comment="" ro="False"/>
<ServiceGroup id="id4070BBA5" name="TCP" comment="" ro="False"/>
<ServiceGroup id="id4070BBA6" name="UDP" comment="" ro="False"/>
<ServiceGroup id="id4070BBA7" name="Custom" comment="" ro="False"/>
</ServiceGroup>
<ObjectGroup id="id4070BBA8" name="Firewalls">
<Firewall id="id40708A6A" name="fw template 1" comment="This firewall has two interfaces. Eth0 faces outside and has a dynamic address; eth1 faces inside.&#10;Policy includes basic rules to permit unrestricted outbound access and anti-spoofing rules. Access to the firewall is permitted only from internal network and only using SSH. The firewall uses one of the machines on internal network for DNS. Internal network is configured with address 192.168.1.0/255.255.255.0" host_OS="unknown_os" lastCompiled="0" lastInstalled="0" lastModified="0" platform="unknown" ro="False" version="">
<NAT id="id40708A6E" name="NAT" ipv6_rule_set="False" top_rule_set="True">
<NATRule id="id4070BFF5" disabled="False" position="0">
<ObjectGroup id="id4070BBA8" name="Firewalls" comment="" ro="False">
<Firewall id="id40708A6A" host_OS="unknown_os" lastCompiled="0" lastInstalled="0" lastModified="0" platform="unknown" version="" name="fw template 1" comment="This firewall has two interfaces. Eth0 faces outside and has a dynamic address; eth1 faces inside.&#10;Policy includes basic rules to permit unrestricted outbound access and anti-spoofing rules. Access to the firewall is permitted only from internal network and only using SSH. The firewall uses one of the machines on internal network for DNS. Internal network is configured with address 192.168.1.0/255.255.255.0" ro="False">
<NAT id="id40708A6E" name="NAT" comment="" ro="False" ipv4_rule_set="False" ipv6_rule_set="False" top_rule_set="True">
<NATRule id="id4070BFF5" disabled="False" position="0" comment="">
<OSrc neg="False">
<ObjectRef ref="id3DC75CE7-1"/>
</OSrc>
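Review bot: the new ipv4_rule_set="False" attribute lands next to ipv6_rule_set="False" on this NAT rule set, and the same pair appears on the Policy and Routing rule sets further down, so every template rule set now carries both flags false. If that combination is how a dual IPv4/IPv6 rule set is encoded, a one-line note in the commit message or the DTD would save the next reader from reading it as "neither"; if it is not, the template rule sets should set ipv4_rule_set="True" explicitly.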
@ -98,8 +93,8 @@
<NATRuleOptions/>
</NATRule>
</NAT>
<Policy id="id40708A6D" name="Policy" ipv6_rule_set="False" top_rule_set="True">
<PolicyRule id="id4070BFE9" comment="anti spoofing rule" action="Deny" direction="Inbound" disabled="False" log="True" position="0">
<Policy id="id40708A6D" name="Policy" comment="" ro="False" ipv4_rule_set="False" ipv6_rule_set="False" top_rule_set="True">
<PolicyRule id="id4070BFE9" disabled="False" log="True" position="0" action="Deny" direction="Inbound" comment="anti spoofing rule">
<Src neg="False">
<ObjectRef ref="id40708A6A"/>
<ObjectRef ref="id3DC75CE7-1"/>
@ -118,7 +113,7 @@
</When>
<PolicyRuleOptions/>
</PolicyRule>
<PolicyRule id="id4094092C" action="Accept" direction="Both" disabled="False" log="False" position="1">
<PolicyRule id="id4094092C" disabled="False" log="False" position="1" action="Accept" direction="Both" comment="">
<Src neg="False">
<ObjectRef ref="sysid0"/>
</Src>
@ -136,7 +131,7 @@
</When>
<PolicyRuleOptions/>
</PolicyRule>
<PolicyRule id="id40941C75" comment="SSH Access to firewall is permitted&#10;only from internal network" action="Accept" disabled="False" log="False" position="2">
<PolicyRule id="id40941C75" disabled="False" log="False" position="2" action="Accept" direction="Both" comment="SSH Access to firewall is permitted&#10;only from internal network">
<Src neg="False">
<ObjectRef ref="id3DC75CE7-1"/>
</Src>
@ -154,7 +149,7 @@
</When>
<PolicyRuleOptions/>
</PolicyRule>
<PolicyRule id="id40941D2E" comment="Firewall uses one of the machines&#10;on internal network for DNS" action="Accept" disabled="False" log="True" position="3">
<PolicyRule id="id40941D2E" disabled="False" log="True" position="3" action="Accept" direction="Both" comment="Firewall uses one of the machines&#10;on internal network for DNS">
<Src neg="False">
<ObjectRef ref="id40708A6A"/>
</Src>
@ -172,7 +167,7 @@
</When>
<PolicyRuleOptions/>
</PolicyRule>
<PolicyRule id="id40941CB8" comment="All other attempts to connect to&#10;the firewall are denied and logged" action="Deny" disabled="False" log="True" position="4">
<PolicyRule id="id40941CB8" disabled="False" log="True" position="4" action="Deny" direction="Both" comment="All other attempts to connect to&#10;the firewall are denied and logged">
<Src neg="False">
<ObjectRef ref="sysid0"/>
</Src>
@ -190,7 +185,7 @@
</When>
<PolicyRuleOptions/>
</PolicyRule>
<PolicyRule id="id4070BFDE" action="Accept" disabled="False" log="False" position="5">
<PolicyRule id="id4070BFDE" disabled="False" log="False" position="5" action="Accept" direction="Both" comment="">
<Src neg="False">
<ObjectRef ref="id3DC75CE7-1"/>
</Src>
@ -208,7 +203,7 @@
</When>
<PolicyRuleOptions/>
</PolicyRule>
<PolicyRule id="id40708A71" action="Deny" disabled="False" log="True" position="6">
<PolicyRule id="id40708A71" disabled="False" log="True" position="6" action="Deny" direction="Both" comment="">
<Src neg="False">
<ObjectRef ref="sysid0"/>
</Src>
@ -227,13 +222,13 @@
<PolicyRuleOptions/>
</PolicyRule>
</Policy>
<Routing id="id40708A6A-routing" name="Routing" ipv6_rule_set="False" top_rule_set="True"/>
<Interface id="id4070BFD8" name="eth0" bridgeport="False" dyn="True" label="outside" mgmt="False" security_level="0" unnum="False" unprotected="False"/>
<Interface id="id4070BFDA" name="eth1" bridgeport="False" dyn="False" label="inside" mgmt="True" security_level="100" unnum="False" unprotected="False">
<IPv4 id="id4070BFDC" name="ip" address="192.168.1.1" netmask="255.255.255.0"/>
<Routing id="id40708A6A-routing" name="Routing" comment="" ro="False" ipv4_rule_set="False" ipv6_rule_set="False" top_rule_set="True"/>
<Interface id="id4070BFD8" bridgeport="False" dyn="True" label="outside" mgmt="False" security_level="0" unnum="False" unprotected="False" name="eth0" comment="" ro="False"/>
<Interface id="id4070BFDA" bridgeport="False" dyn="False" label="inside" mgmt="True" security_level="100" unnum="False" unprotected="False" name="eth1" comment="" ro="False">
<IPv4 id="id4070BFDC" name="ip" comment="" ro="False" address="192.168.1.1" netmask="255.255.255.0"/>
</Interface>
<Interface id="id40940929" name="lo" bridgeport="False" dyn="False" label="loopback" mgmt="False" security_level="100" unnum="False" unprotected="False">
<IPv4 id="id4094092B" name="lo:ip" address="127.0.0.1" netmask="255.0.0.0"/>
<Interface id="id40940929" bridgeport="False" dyn="False" label="loopback" mgmt="False" security_level="100" unnum="False" unprotected="False" name="lo" comment="" ro="False">
<IPv4 id="id4094092B" name="lo:ip" comment="" ro="False" address="127.0.0.1" netmask="255.0.0.0"/>
</Interface>
<Management address="0.0.0.0">
<SNMPManagement enabled="False" snmp_read_community="" snmp_write_community=""/>
@ -280,9 +275,9 @@
<Option name="verify_interfaces">true</Option>
</FirewallOptions>
</Firewall>
<Firewall id="id40941E8C" name="fw template 2" comment="Similar to fw 1, but the firewall is used as DHCP and DNS server for internal network.&#10;This firewall has two interfaces. Eth0 faces outside and has a dynamic address; eth1 faces inside.&#10;Policy includes basic rules to permit unrestricted outbound access and anti-spoofing rules. Access to the firewall is permitted only from internal network and only using SSH. The firewall can send DNS queries to servers out on the Internet. Another rule permits DNS queries from internal network to the firewall. Special rules permit DHCP requests from internal network and replies sent by the firewall." host_OS="unknown_os" lastCompiled="0" lastInstalled="0" lastModified="0" platform="unknown" ro="False" version="">
<NAT id="id40941E91" name="NAT" ipv6_rule_set="False" top_rule_set="True">
<NATRule id="id40941E92" disabled="False" position="0">
<Firewall id="id40941E8C" host_OS="unknown_os" lastCompiled="0" lastInstalled="0" lastModified="0" platform="unknown" version="" name="fw template 2" comment="Similar to fw 1, but the firewall is used as DHCP and DNS server for internal network.&#10;This firewall has two interfaces. Eth0 faces outside and has a dynamic address; eth1 faces inside.&#10;Policy includes basic rules to permit unrestricted outbound access and anti-spoofing rules. Access to the firewall is permitted only from internal network and only using SSH. The firewall can send DNS queries to servers out on the Internet. Another rule permits DNS queries from internal network to the firewall. Special rules permit DHCP requests from internal network and replies sent by the firewall." ro="False">
<NAT id="id40941E91" name="NAT" comment="" ro="False" ipv4_rule_set="False" ipv6_rule_set="False" top_rule_set="True">
<NATRule id="id40941E92" disabled="False" position="0" comment="">
<OSrc neg="False">
<ObjectRef ref="id3DC75CE7-1"/>
</OSrc>
@ -304,8 +299,8 @@
<NATRuleOptions/>
</NATRule>
</NAT>
<Policy id="id40941EA0" name="Policy" ipv6_rule_set="False" top_rule_set="True">
<PolicyRule id="id40941ED5" comment="anti spoofing rule" action="Deny" direction="Inbound" disabled="False" log="True" position="2">
<Policy id="id40941EA0" name="Policy" comment="" ro="False" ipv4_rule_set="False" ipv6_rule_set="False" top_rule_set="True">
<PolicyRule id="id40941ED5" disabled="False" log="True" position="2" action="Deny" direction="Inbound" comment="anti spoofing rule">
<Src neg="False">
<ObjectRef ref="id40941E8C"/>
<ObjectRef ref="id3DC75CE7-1"/>
@ -324,7 +319,7 @@
</When>
<PolicyRuleOptions/>
</PolicyRule>
<PolicyRule id="id40941EE6" action="Accept" direction="Both" disabled="False" log="False" position="3">
<PolicyRule id="id40941EE6" disabled="False" log="False" position="3" action="Accept" direction="Both" comment="">
<Src neg="False">
<ObjectRef ref="sysid0"/>
</Src>
@ -342,7 +337,7 @@
</When>
<PolicyRuleOptions/>
</PolicyRule>
<PolicyRule id="id40941EA1" comment="SSH Access to firewall is permitted&#10;only from internal network&#10;Also firewall serves DNS for internal&#10;network" action="Accept" disabled="False" log="False" position="2">
<PolicyRule id="id40941EA1" disabled="False" log="False" position="2" action="Accept" direction="Both" comment="SSH Access to firewall is permitted&#10;only from internal network&#10;Also firewall serves DNS for internal&#10;network">
<Src neg="False">
<ObjectRef ref="id3DC75CE7-1"/>
</Src>
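Review bot: `<PolicyRule id="id40941EA1" ... action="Accept" direction="Both" ...>` had no direction attribute in the old line and now states direction="Both" explicitly, while the anti-spoofing rule in the previous hunk keeps its explicit "Inbound". That is only a no-op if the DTD default for a missing direction was already "Both"; the commit message should say that the added attributes (direction, comment, ro, ipv4_rule_set) are defaults made explicit and not a policy change, otherwise a reader comparing generated scripts across versions has no way to tell the two apart.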
@ -361,7 +356,7 @@
</When>
<PolicyRuleOptions/>
</PolicyRule>
<PolicyRule id="id40942038" comment="DHCP requests are permitted&#10;from internal network" action="Accept" disabled="False" log="False" position="3">
<PolicyRule id="id40942038" disabled="False" log="False" position="3" action="Accept" direction="Both" comment="DHCP requests are permitted&#10;from internal network">
<Src neg="False">
<ObjectRef ref="id3DC75CE7-1"/>
<ObjectRef ref="id3F6D115D"/>
@ -381,7 +376,7 @@
</When>
<PolicyRuleOptions/>
</PolicyRule>
<PolicyRule id="id4094204A" comment="DHCP replies" action="Accept" disabled="False" log="False" position="4">
<PolicyRule id="id4094204A" disabled="False" log="False" position="4" action="Accept" direction="Both" comment="DHCP replies">
<Src neg="False">
<ObjectRef ref="id40941E8C"/>
</Src>
@ -399,7 +394,7 @@
</When>
<PolicyRuleOptions/>
</PolicyRule>
<PolicyRule id="id40941EAB" comment="Firewall should be able to send&#10;DNS queries to the Internet" action="Accept" disabled="False" log="True" position="5">
<PolicyRule id="id40941EAB" disabled="False" log="True" position="5" action="Accept" direction="Both" comment="Firewall should be able to send&#10;DNS queries to the Internet">
<Src neg="False">
<ObjectRef ref="id40941E8C"/>
</Src>
@ -417,7 +412,7 @@
</When>
<PolicyRuleOptions/>
</PolicyRule>
<PolicyRule id="id40941EB5" comment="All other attempts to connect to&#10;the firewall are denied and logged" action="Deny" disabled="False" log="True" position="6">
<PolicyRule id="id40941EB5" disabled="False" log="True" position="6" action="Deny" direction="Both" comment="All other attempts to connect to&#10;the firewall are denied and logged">
<Src neg="False">
<ObjectRef ref="sysid0"/>
</Src>
@ -435,7 +430,7 @@
</When>
<PolicyRuleOptions/>
</PolicyRule>
<PolicyRule id="id40941EBF" action="Accept" disabled="False" log="False" position="7">
<PolicyRule id="id40941EBF" disabled="False" log="False" position="7" action="Accept" direction="Both" comment="">
<Src neg="False">
<ObjectRef ref="id3DC75CE7-1"/>
</Src>
@ -453,7 +448,7 @@
</When>
<PolicyRuleOptions/>
</PolicyRule>
<PolicyRule id="id40941EC9" action="Deny" disabled="False" log="True" position="8">
<PolicyRule id="id40941EC9" disabled="False" log="True" position="8" action="Deny" direction="Both" comment="">
<Src neg="False">
<ObjectRef ref="sysid0"/>
</Src>
@ -472,13 +467,13 @@
<PolicyRuleOptions/>
</PolicyRule>
</Policy>
<Routing id="id40941E8C-routing" name="Routing" ipv6_rule_set="False" top_rule_set="True"/>
<Interface id="id40941ED3" name="eth0" bridgeport="False" dyn="True" label="outside" mgmt="False" security_level="0" unnum="False" unprotected="False"/>
<Interface id="id40941EE0" name="eth1" bridgeport="False" dyn="False" label="inside" mgmt="True" security_level="100" unnum="False" unprotected="False">
<IPv4 id="id40941EE1" name="ip" address="192.168.1.1" netmask="255.255.255.0"/>
<Routing id="id40941E8C-routing" name="Routing" comment="" ro="False" ipv4_rule_set="False" ipv6_rule_set="False" top_rule_set="True"/>
<Interface id="id40941ED3" bridgeport="False" dyn="True" label="outside" mgmt="False" security_level="0" unnum="False" unprotected="False" name="eth0" comment="" ro="False"/>
<Interface id="id40941EE0" bridgeport="False" dyn="False" label="inside" mgmt="True" security_level="100" unnum="False" unprotected="False" name="eth1" comment="" ro="False">
<IPv4 id="id40941EE1" name="ip" comment="" ro="False" address="192.168.1.1" netmask="255.255.255.0"/>
</Interface>
<Interface id="id40941EE3" name="lo" bridgeport="False" dyn="False" label="loopback" mgmt="False" security_level="100" unnum="False" unprotected="False">
<IPv4 id="id40941EE4" name="lo:ip" address="127.0.0.1" netmask="255.0.0.0"/>
<Interface id="id40941EE3" bridgeport="False" dyn="False" label="loopback" mgmt="False" security_level="100" unnum="False" unprotected="False" name="lo" comment="" ro="False">
<IPv4 id="id40941EE4" name="lo:ip" comment="" ro="False" address="127.0.0.1" netmask="255.0.0.0"/>
</Interface>
<Management address="0.0.0.0">
<SNMPManagement enabled="False" snmp_read_community="" snmp_write_community=""/>
@ -525,9 +520,9 @@
<Option name="verify_interfaces">true</Option>
</FirewallOptions>
</Firewall>
<Firewall id="id40986AFE" name="fw template 3" comment="This firewall has three interfaces. Eth0 faces outside and has a static routable address; eth1 faces inside; eth2 is connected to DMZ subnet.&#10;Policy includes basic rules to permit unrestricted outbound access and anti-spoofing rules. Access to the firewall is permitted only from internal network and only using SSH. The firewall uses one of the machines on internal network for DNS. Internal network is configured with address 192.168.1.0/255.255.255.0, DMZ is 192.168.2.0/255.255.255.0. Since DMZ used private IP address, it needs NAT. There is a mail relay host located on DMZ (object 'server on dmz'). Policy rules permit SMTP connections to it from the Internet and allow this server to connect to a host on internal network 'internal server'. All other access from DMZ to internal net is denied. To provide access to the mail relay its private address is mapped to firewall's outside interface address by NAT rule #1." host_OS="freebsd" lastCompiled="0" lastInstalled="0" lastModified="0" platform="unknown" ro="False" version="">
<NAT id="id40986B03" name="NAT" ipv6_rule_set="False" top_rule_set="True">
<NATRule id="id40987169" comment="no need to translate&#10;between DMZ and &#10;internal net" disabled="False" position="0">
<Firewall id="id40986AFE" host_OS="freebsd" lastCompiled="0" lastInstalled="0" lastModified="0" platform="unknown" version="" name="fw template 3" comment="This firewall has three interfaces. Eth0 faces outside and has a static routable address; eth1 faces inside; eth2 is connected to DMZ subnet.&#10;Policy includes basic rules to permit unrestricted outbound access and anti-spoofing rules. Access to the firewall is permitted only from internal network and only using SSH. The firewall uses one of the machines on internal network for DNS. Internal network is configured with address 192.168.1.0/255.255.255.0, DMZ is 192.168.2.0/255.255.255.0. Since DMZ used private IP address, it needs NAT. There is a mail relay host located on DMZ (object 'server on dmz'). Policy rules permit SMTP connections to it from the Internet and allow this server to connect to a host on internal network 'internal server'. All other access from DMZ to internal net is denied. To provide access to the mail relay its private address is mapped to firewall's outside interface address by NAT rule #1." ro="False">
<NAT id="id40986B03" name="NAT" comment="" ro="False" ipv4_rule_set="False" ipv6_rule_set="False" top_rule_set="True">
<NATRule id="id40987169" disabled="False" position="0" comment="no need to translate&#10;between DMZ and &#10;internal net">
<OSrc neg="False">
<ObjectRef ref="id3DC75CE7-2"/>
</OSrc>
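Review bot: since the Firewall element for "fw template 3" is being rewritten anyway, the description it carries is worth tidying in the same pass: "Since DMZ used private IP address, it needs NAT" should read "Since the DMZ uses private IP addresses, it needs NAT", and "Access to the firewall is permitted only from internal network" would be clearer as "only from the internal network". The rest of the text is fine and matches the rules that follow.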
@ -548,7 +543,7 @@
</TSrv>
<NATRuleOptions/>
</NATRule>
<NATRule id="id40986B04" comment="Translate source address&#10;for outgoing connections" disabled="False" position="1">
<NATRule id="id40986B04" disabled="False" position="1" comment="Translate source address&#10;for outgoing connections">
<OSrc neg="False">
<ObjectRef ref="id3DC75CE7-1"/>
<ObjectRef ref="id3DC75CE7-2"/>
@ -570,7 +565,7 @@
</TSrv>
<NATRuleOptions/>
</NATRule>
<NATRule id="id40986E4B" disabled="False" position="2">
<NATRule id="id40986E4B" disabled="False" position="2" comment="">
<OSrc neg="False">
<ObjectRef ref="sysid0"/>
</OSrc>
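Review bot: `<NATRule id="id40986E4B" disabled="False" position="2" comment="">` is the only NAT rule in this template that gets an empty comment rather than a description, yet it is the one with OSrc set to the Any object (sysid0) and so presumably the inbound mapping for the mail relay that the firewall's description calls "NAT rule #1". Now that the attribute is written out explicitly, filling it with that sentence would keep the rule and the description in step, and while doing so check whether "#1" should read the rule's actual position, which is 2 here (the rules at position 0 and 1 are the no-translate and source-translation rules).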
@ -592,8 +587,8 @@
<NATRuleOptions/>
</NATRule>
</NAT>
<Policy id="id40986B12" name="Policy" ipv6_rule_set="False" top_rule_set="True">
<PolicyRule id="id40986B47" comment="anti spoofing rule" action="Deny" direction="Inbound" disabled="False" log="True" position="4">
<Policy id="id40986B12" name="Policy" comment="" ro="False" ipv4_rule_set="False" ipv6_rule_set="False" top_rule_set="True">
<PolicyRule id="id40986B47" disabled="False" log="True" position="4" action="Deny" direction="Inbound" comment="anti spoofing rule">
<Src neg="False">
<ObjectRef ref="id40986AFE"/>
<ObjectRef ref="id3DC75CE7-1"/>
@ -613,7 +608,7 @@
</When>
<PolicyRuleOptions/>
</PolicyRule>
<PolicyRule id="id40986B58" action="Accept" direction="Both" disabled="False" log="False" position="5">
<PolicyRule id="id40986B58" disabled="False" log="False" position="5" action="Accept" direction="Both" comment="">
<Src neg="False">
<ObjectRef ref="sysid0"/>
</Src>
@ -631,7 +626,7 @@
</When>
<PolicyRuleOptions/>
</PolicyRule>
<PolicyRule id="id40986B13" comment="SSH Access to firewall is permitted&#10;only from internal network" action="Accept" disabled="False" log="False" position="2">
<PolicyRule id="id40986B13" disabled="False" log="False" position="2" action="Accept" direction="Both" comment="SSH Access to firewall is permitted&#10;only from internal network">
<Src neg="False">
<ObjectRef ref="id3DC75CE7-1"/>
</Src>
@ -649,7 +644,7 @@
</When>
<PolicyRuleOptions/>
</PolicyRule>
<PolicyRule id="id40986B1D" comment="Firewall uses one of the machines&#10;on internal network for DNS" action="Accept" disabled="False" log="False" position="3">
<PolicyRule id="id40986B1D" disabled="False" log="False" position="3" action="Accept" direction="Both" comment="Firewall uses one of the machines&#10;on internal network for DNS">
<Src neg="False">
<ObjectRef ref="id40986AFE"/>
</Src>
@ -667,7 +662,7 @@
</When>
<PolicyRuleOptions/>
</PolicyRule>
<PolicyRule id="id40986B27" comment="All other attempts to connect to&#10;the firewall are denied and logged" action="Deny" disabled="False" log="True" position="4">
<PolicyRule id="id40986B27" disabled="False" log="True" position="4" action="Deny" direction="Both" comment="All other attempts to connect to&#10;the firewall are denied and logged">
<Src neg="False">
<ObjectRef ref="sysid0"/>
</Src>
@ -685,7 +680,7 @@
</When>
<PolicyRuleOptions/>
</PolicyRule>
<PolicyRule id="id40986E5C" comment="Quickly reject attempts to connect&#10;to ident server to avoid SMTP delays" action="Reject" disabled="False" log="False" position="5">
<PolicyRule id="id40986E5C" disabled="False" log="False" position="5" action="Reject" direction="Both" comment="Quickly reject attempts to connect&#10;to ident server to avoid SMTP delays">
<Src neg="False">
<ObjectRef ref="sysid0"/>
</Src>
@ -703,7 +698,7 @@
</When>
<PolicyRuleOptions/>
</PolicyRule>
<PolicyRule id="id40986E16" comment="Mail relay on DMZ can accept&#10;connections from hosts on the&#10;Internet" action="Accept" disabled="False" log="False" position="6">
<PolicyRule id="id40986E16" disabled="False" log="False" position="6" action="Accept" direction="Both" comment="Mail relay on DMZ can accept&#10;connections from hosts on the&#10;Internet">
<Src neg="False">
<ObjectRef ref="sysid0"/>
</Src>
@ -721,7 +716,7 @@
</When>
<PolicyRuleOptions/>
</PolicyRule>
<PolicyRule id="id40986EE1" comment="this rule permits a mail relay&#10;located on DMZ to connect&#10;to internal mail server" action="Accept" disabled="False" log="False" position="7">
<PolicyRule id="id40986EE1" disabled="False" log="False" position="7" action="Accept" direction="Both" comment="this rule permits a mail relay&#10;located on DMZ to connect&#10;to internal mail server">
<Src neg="False">
<ObjectRef ref="id3D84EECF"/>
</Src>
@ -739,7 +734,7 @@
</When>
<PolicyRuleOptions/>
</PolicyRule>
<PolicyRule id="id40987009" comment="Mail relay needs DNS and can&#10;connect to mail servers on the&#10;Internet" action="Accept" disabled="False" log="False" position="8">
<PolicyRule id="id40987009" disabled="False" log="False" position="8" action="Accept" direction="Both" comment="Mail relay needs DNS and can&#10;connect to mail servers on the&#10;Internet">
<Src neg="False">
<ObjectRef ref="id3D84EECF"/>
</Src>
@ -758,7 +753,7 @@
</When>
<PolicyRuleOptions/>
</PolicyRule>
<PolicyRule id="id40986B79" comment="All other access from DMZ to&#10;internal net is denied" action="Deny" disabled="False" log="True" position="9">
<PolicyRule id="id40986B79" disabled="False" log="True" position="9" action="Deny" direction="Both" comment="All other access from DMZ to&#10;internal net is denied">
<Src neg="False">
<ObjectRef ref="id3DC75CE7-2"/>
</Src>
@ -776,7 +771,7 @@
</When>
<PolicyRuleOptions/>
</PolicyRule>
<PolicyRule id="id40986B31" comment="This permits access from internal net&#10;to the Internet and DMZ" action="Accept" disabled="False" log="False" position="10">
<PolicyRule id="id40986B31" disabled="False" log="False" position="10" action="Accept" direction="Both" comment="This permits access from internal net&#10;to the Internet and DMZ">
<Src neg="False">
<ObjectRef ref="id3DC75CE7-1"/>
</Src>
@ -794,7 +789,7 @@
</When>
<PolicyRuleOptions/>
</PolicyRule>
<PolicyRule id="id40986B3B" action="Deny" disabled="False" log="True" position="11">
<PolicyRule id="id40986B3B" disabled="False" log="True" position="11" action="Deny" direction="Both" comment="">
<Src neg="False">
<ObjectRef ref="sysid0"/>
</Src>
@ -813,18 +808,18 @@
<PolicyRuleOptions/>
</PolicyRule>
</Policy>
<Routing id="id40986AFE-routing" name="Routing" ipv6_rule_set="False" top_rule_set="True"/>
<Interface id="id40986B45" name="eth0" bridgeport="False" dyn="False" label="outside" mgmt="False" security_level="0" unnum="False" unprotected="False">
<IPv4 id="id40986E5B" name="fw 3:eth0:ip" comment="This is a test address, change it to your real one" address="192.0.2.1" netmask="255.255.255.0"/>
<Routing id="id40986AFE-routing" name="Routing" comment="" ro="False" ipv4_rule_set="False" ipv6_rule_set="False" top_rule_set="True"/>
<Interface id="id40986B45" bridgeport="False" dyn="False" label="outside" mgmt="False" security_level="0" unnum="False" unprotected="False" name="eth0" comment="" ro="False">
<IPv4 id="id40986E5B" name="fw 3:eth0:ip" comment="This is a test address, change it to your real one" ro="False" address="192.0.2.1" netmask="255.255.255.0"/>
</Interface>
<Interface id="id40986B52" name="eth1" bridgeport="False" dyn="False" label="inside" mgmt="True" security_level="100" unnum="False" unprotected="False">
<IPv4 id="id40986B53" name="ip" address="192.168.1.1" netmask="255.255.255.0"/>
<Interface id="id40986B52" bridgeport="False" dyn="False" label="inside" mgmt="True" security_level="100" unnum="False" unprotected="False" name="eth1" comment="" ro="False">
<IPv4 id="id40986B53" name="ip" comment="" ro="False" address="192.168.1.1" netmask="255.255.255.0"/>
</Interface>
<Interface id="id40986B55" name="lo" bridgeport="False" dyn="False" label="loopback" mgmt="False" security_level="100" unnum="False" unprotected="False">
<IPv4 id="id40986B56" name="lo:ip" address="127.0.0.1" netmask="255.0.0.0"/>
<Interface id="id40986B55" bridgeport="False" dyn="False" label="loopback" mgmt="False" security_level="100" unnum="False" unprotected="False" name="lo" comment="" ro="False">
<IPv4 id="id40986B56" name="lo:ip" comment="" ro="False" address="127.0.0.1" netmask="255.0.0.0"/>
</Interface>
<Interface id="id40986B67" name="eth2" bridgeport="False" dyn="False" label="dmz" mgmt="False" security_level="0" unnum="False" unprotected="False">
<IPv4 id="id40986B69" name="ip" address="192.168.2.1" netmask="255.255.255.0"/>
<Interface id="id40986B67" bridgeport="False" dyn="False" label="dmz" mgmt="False" security_level="0" unnum="False" unprotected="False" name="eth2" comment="" ro="False">
<IPv4 id="id40986B69" name="ip" comment="" ro="False" address="192.168.2.1" netmask="255.255.255.0"/>
</Interface>
<Management address="0.0.0.0">
<SNMPManagement enabled="False" snmp_read_community="" snmp_write_community=""/>
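Review bot: the DMZ interface `<Interface id="id40986B67" ... label="dmz" mgmt="False" security_level="0" ... name="eth2" ...>` is rewritten with security_level="0", the same level as the outside interface eth0, while the inside interface is 100. On the compilers that honour security levels that makes the DMZ exactly as untrusted as the Internet, which contradicts the template's own description of the DMZ as a separately policed middle zone; a value between 0 and 100 would document the intended trust ordering, and since the attribute line is touched here this is the cheap moment to fix it.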
@ -871,10 +866,10 @@
<Option name="verify_interfaces">true</Option>
</FirewallOptions>
</Firewall>
<Firewall id="id409878E4" name="host fw template 1" comment="This is an example of a firewall protecting a host ( a server or a workstation). Only SSH access to the host is permitted. Host has dynamic address." host_OS="unknown_os" lastCompiled="0" lastInstalled="0" lastModified="0" platform="unknown" ro="False" version="">
<NAT id="id409878E9" name="NAT" ipv6_rule_set="False" top_rule_set="True"/>
<Policy id="id409878F8" name="Policy" ipv6_rule_set="False" top_rule_set="True">
<PolicyRule id="id4098792D" comment="anti spoofing rule" action="Deny" direction="Inbound" disabled="False" log="True" position="6">
<Firewall id="id409878E4" host_OS="unknown_os" lastCompiled="0" lastInstalled="0" lastModified="0" platform="unknown" version="" name="host fw template 1" comment="This is an example of a firewall protecting a host ( a server or a workstation). Only SSH access to the host is permitted. Host has dynamic address." ro="False">
<NAT id="id409878E9" name="NAT" comment="" ro="False" ipv4_rule_set="False" ipv6_rule_set="False" top_rule_set="True"/>
<Policy id="id409878F8" name="Policy" comment="" ro="False" ipv4_rule_set="False" ipv6_rule_set="False" top_rule_set="True">
<PolicyRule id="id4098792D" disabled="False" log="True" position="6" action="Deny" direction="Inbound" comment="anti spoofing rule">
<Src neg="False">
<ObjectRef ref="id409878E4"/>
</Src>
@ -892,7 +887,7 @@
</When>
<PolicyRuleOptions/>
</PolicyRule>
<PolicyRule id="id4098793E" action="Accept" direction="Both" disabled="False" log="False" position="7">
<PolicyRule id="id4098793E" disabled="False" log="False" position="7" action="Accept" direction="Both" comment="">
<Src neg="False">
<ObjectRef ref="sysid0"/>
</Src>
@ -910,7 +905,7 @@
</When>
<PolicyRuleOptions/>
</PolicyRule>
<PolicyRule id="id409878F9" comment="SSH Access to the host; useful ICMP&#10;types; ping request" action="Accept" disabled="False" log="False" position="2">
<PolicyRule id="id409878F9" disabled="False" log="False" position="2" action="Accept" direction="Both" comment="SSH Access to the host; useful ICMP&#10;types; ping request">
<Src neg="False">
<ObjectRef ref="sysid0"/>
</Src>
@ -930,7 +925,7 @@
</When>
<PolicyRuleOptions/>
</PolicyRule>
<PolicyRule id="id40987917" action="Accept" disabled="False" log="False" position="3">
<PolicyRule id="id40987917" disabled="False" log="False" position="3" action="Accept" direction="Both" comment="">
<Src neg="False">
<ObjectRef ref="id409878E4"/>
</Src>
@ -948,7 +943,7 @@
</When>
<PolicyRuleOptions/>
</PolicyRule>
<PolicyRule id="id40987921" action="Deny" disabled="False" log="True" position="4">
<PolicyRule id="id40987921" disabled="False" log="True" position="4" action="Deny" direction="Both" comment="">
<Src neg="False">
<ObjectRef ref="sysid0"/>
</Src>
@ -967,10 +962,10 @@
<PolicyRuleOptions/>
</PolicyRule>
</Policy>
<Routing id="id409878E4-routing" name="Routing" ipv6_rule_set="False" top_rule_set="True"/>
<Interface id="id4098792B" name="eth0" bridgeport="False" dyn="True" label="outside" mgmt="False" security_level="0" unnum="False" unprotected="False"/>
<Interface id="id4098793B" name="lo" bridgeport="False" dyn="False" label="loopback" mgmt="False" security_level="100" unnum="False" unprotected="False">
<IPv4 id="id4098793C" name="lo:ip" address="127.0.0.1" netmask="255.0.0.0"/>
<Routing id="id409878E4-routing" name="Routing" comment="" ro="False" ipv4_rule_set="False" ipv6_rule_set="False" top_rule_set="True"/>
<Interface id="id4098792B" bridgeport="False" dyn="True" label="outside" mgmt="False" security_level="0" unnum="False" unprotected="False" name="eth0" comment="" ro="False"/>
<Interface id="id4098793B" bridgeport="False" dyn="False" label="loopback" mgmt="False" security_level="100" unnum="False" unprotected="False" name="lo" comment="" ro="False">
<IPv4 id="id4098793C" name="lo:ip" comment="" ro="False" address="127.0.0.1" netmask="255.0.0.0"/>
</Interface>
<Management address="0.0.0.0">
<SNMPManagement enabled="False" snmp_read_community="" snmp_write_community=""/>
@ -1013,9 +1008,9 @@
<Option name="verify_interfaces">true</Option>
</FirewallOptions>
</Firewall>
<Firewall id="id41293477" name="linksys firewall" comment="This firewall is based on Linksys appliance running Sveasoft firmware; it has two interfaces. Interface vlan1 faces outside and has a dynamic address; br0 faces inside.&#10;Policy includes basic rules to permit unrestricted outbound access and anti-spoofing rules. Access to the firewall is permitted only from internal network and only using SSH or HTTP. The firewall uses name servers supplied by the ISP for DNS. Special rule blocks DHCP requests on external interface without logging to reduce noise in the log.&#10;&#10;Internal network is configured with address 192.168.1.0/255.255.255.0" host_OS="linksys" lastCompiled="0" lastInstalled="0" lastModified="0" platform="iptables" ro="False" version="">
<NAT id="id412934D3" name="NAT" ipv6_rule_set="False" top_rule_set="True">
<NATRule id="id412934D4" disabled="False" position="0">
<Firewall id="id41293477" host_OS="linksys" lastCompiled="0" lastInstalled="0" lastModified="0" platform="iptables" version="" name="linksys firewall" comment="This firewall is based on Linksys appliance running Sveasoft firmware; it has two interfaces. Interface vlan1 faces outside and has a dynamic address; br0 faces inside.&#10;Policy includes basic rules to permit unrestricted outbound access and anti-spoofing rules. Access to the firewall is permitted only from internal network and only using SSH or HTTP. The firewall uses name servers supplied by the ISP for DNS. Special rule blocks DHCP requests on external interface without logging to reduce noise in the log.&#10;&#10;Internal network is configured with address 192.168.1.0/255.255.255.0" ro="False">
<NAT id="id412934D3" name="NAT" comment="" ro="False" ipv4_rule_set="False" ipv6_rule_set="False" top_rule_set="True">
<NATRule id="id412934D4" disabled="False" position="0" comment="">
<OSrc neg="False">
<ObjectRef ref="id3DC75CE7-1"/>
</OSrc>
@ -1037,8 +1032,8 @@
<NATRuleOptions/>
</NATRule>
</NAT>
<Policy id="id4129347C" name="Policy" ipv6_rule_set="False" top_rule_set="True">
<PolicyRule id="id412934E4" comment="anti spoofing rule" action="Deny" direction="Inbound" disabled="False" log="True" position="8">
<Policy id="id4129347C" name="Policy" comment="" ro="False" ipv4_rule_set="False" ipv6_rule_set="False" top_rule_set="True">
<PolicyRule id="id412934E4" disabled="False" log="True" position="8" action="Deny" direction="Inbound" comment="anti spoofing rule">
<Src neg="False">
<ObjectRef ref="id41293477"/>
<ObjectRef ref="id3DC75CE7-1"/>
@ -1057,7 +1052,7 @@
</When>
<PolicyRuleOptions/>
</PolicyRule>
<PolicyRule id="id412934F5" action="Accept" direction="Both" disabled="False" log="False" position="9">
<PolicyRule id="id412934F5" disabled="False" log="False" position="9" action="Accept" direction="Both" comment="">
<Src neg="False">
<ObjectRef ref="sysid0"/>
</Src>
@ -1075,7 +1070,7 @@
</When>
<PolicyRuleOptions/>
</PolicyRule>
<PolicyRule id="id4129347D" action="Deny" disabled="False" log="False" position="2">
<PolicyRule id="id4129347D" disabled="False" log="False" position="2" action="Deny" direction="Both" comment="">
<Src neg="False">
<ObjectRef ref="sysid0"/>
</Src>
@ -1093,7 +1088,7 @@
</When>
<PolicyRuleOptions/>
</PolicyRule>
<PolicyRule id="id41293488" comment="SSH Access to firewall is permitted&#10;only from internal network" action="Accept" disabled="False" log="False" position="3">
<PolicyRule id="id41293488" disabled="False" log="False" position="3" action="Accept" direction="Both" comment="SSH Access to firewall is permitted&#10;only from internal network">
<Src neg="False">
<ObjectRef ref="id3DC75CE7-1"/>
</Src>
@ -1115,7 +1110,7 @@
</When>
<PolicyRuleOptions/>
</PolicyRule>
<PolicyRule id="id41293496" comment="need this rule for ping and traceroute" action="Accept" disabled="False" log="False" position="4">
<PolicyRule id="id41293496" disabled="False" log="False" position="4" action="Accept" direction="Both" comment="need this rule for ping and traceroute">
<Src neg="False">
<ObjectRef ref="id41293477"/>
</Src>
@ -1144,7 +1139,7 @@
<Option name="ulog_nlgroup">1</Option>
</PolicyRuleOptions>
</PolicyRule>
<PolicyRule id="id412934A1" action="Accept" disabled="False" log="False" position="5">
<PolicyRule id="id412934A1" disabled="False" log="False" position="5" action="Accept" direction="Both" comment="">
<Src neg="False">
<ObjectRef ref="id41293477"/>
</Src>
@ -1162,7 +1157,7 @@
</When>
<PolicyRuleOptions/>
</PolicyRule>
<PolicyRule id="id412934AB" comment="All other attempts to connect to&#10;the firewall are denied and logged" action="Deny" disabled="False" log="True" position="6">
<PolicyRule id="id412934AB" disabled="False" log="True" position="6" action="Deny" direction="Both" comment="All other attempts to connect to&#10;the firewall are denied and logged">
<Src neg="False">
<ObjectRef ref="sysid0"/>
</Src>
@ -1180,7 +1175,7 @@
</When>
<PolicyRuleOptions/>
</PolicyRule>
<PolicyRule id="id412934B5" action="Accept" disabled="False" log="False" position="7">
<PolicyRule id="id412934B5" disabled="False" log="False" position="7" action="Accept" direction="Both" comment="">
<Src neg="False">
<ObjectRef ref="sysid0"/>
</Src>
@ -1198,7 +1193,7 @@
</When>
<PolicyRuleOptions/>
</PolicyRule>
<PolicyRule id="id412934BF" action="Accept" disabled="False" log="False" position="8">
<PolicyRule id="id412934BF" disabled="False" log="False" position="8" action="Accept" direction="Both" comment="">
<Src neg="False">
<ObjectRef ref="id3DC75CE7-1"/>
</Src>
@ -1216,7 +1211,7 @@
</When>
<PolicyRuleOptions/>
</PolicyRule>
<PolicyRule id="id412934C9" action="Deny" disabled="False" log="True" position="9">
<PolicyRule id="id412934C9" disabled="False" log="True" position="9" action="Deny" direction="Both" comment="">
<Src neg="False">
<ObjectRef ref="sysid0"/>
</Src>
@ -1235,13 +1230,13 @@
<PolicyRuleOptions/>
</PolicyRule>
</Policy>
<Routing id="id41293477-routing" name="Routing" ipv6_rule_set="False" top_rule_set="True"/>
<Interface id="id412934E2" name="vlan1" bridgeport="False" dyn="True" label="outside" mgmt="False" security_level="0" unnum="False" unprotected="False"/>
<Interface id="id412934EF" name="br0" bridgeport="False" dyn="False" label="inside" mgmt="True" security_level="100" unnum="False" unprotected="False">
<IPv4 id="id412934F0" name="linksys firewall:br0:ip" address="192.168.1.1" netmask="255.255.255.0"/>
<Routing id="id41293477-routing" name="Routing" comment="" ro="False" ipv4_rule_set="False" ipv6_rule_set="False" top_rule_set="True"/>
<Interface id="id412934E2" bridgeport="False" dyn="True" label="outside" mgmt="False" security_level="0" unnum="False" unprotected="False" name="vlan1" comment="" ro="False"/>
<Interface id="id412934EF" bridgeport="False" dyn="False" label="inside" mgmt="True" security_level="100" unnum="False" unprotected="False" name="br0" comment="" ro="False">
<IPv4 id="id412934F0" name="linksys firewall:br0:ip" comment="" ro="False" address="192.168.1.1" netmask="255.255.255.0"/>
</Interface>
<Interface id="id412934F2" name="lo" bridgeport="False" dyn="False" label="loopback" mgmt="False" security_level="100" unnum="False" unprotected="False">
<IPv4 id="id412934F3" name="linksys firewall:lo:ip" address="127.0.0.1" netmask="255.0.0.0"/>
<Interface id="id412934F2" bridgeport="False" dyn="False" label="loopback" mgmt="False" security_level="100" unnum="False" unprotected="False" name="lo" comment="" ro="False">
<IPv4 id="id412934F3" name="linksys firewall:lo:ip" comment="" ro="False" address="127.0.0.1" netmask="255.0.0.0"/>
</Interface>
<Management address="192.168.1.1">
<SNMPManagement enabled="False" snmp_read_community="" snmp_write_community=""/>
@ -1340,10 +1335,10 @@
<Option name="verify_interfaces">True</Option>
</FirewallOptions>
</Firewall>
<Firewall id="id4129355E" name="web server" host_OS="linux24" lastCompiled="0" lastInstalled="0" lastModified="0" platform="iptables" ro="False" version="">
<NAT id="id41293598" name="NAT" ipv6_rule_set="False" top_rule_set="True"/>
<Policy id="id41293563" name="Policy" ipv6_rule_set="False" top_rule_set="True">
<PolicyRule id="id4129359C" action="Deny" direction="Inbound" disabled="False" log="True" position="10">
<Firewall id="id4129355E" host_OS="linux24" lastCompiled="0" lastInstalled="0" lastModified="0" platform="iptables" version="" name="web server" comment="" ro="False">
<NAT id="id41293598" name="NAT" comment="" ro="False" ipv4_rule_set="False" ipv6_rule_set="False" top_rule_set="True"/>
<Policy id="id41293563" name="Policy" comment="" ro="False" ipv4_rule_set="False" ipv6_rule_set="False" top_rule_set="True">
<PolicyRule id="id4129359C" disabled="False" log="True" position="10" action="Deny" direction="Inbound" comment="">
<Src neg="False">
<ObjectRef ref="id4129355E"/>
</Src>
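Review bot: the "web server" template now says `<Firewall id="id4129355E" ... name="web server" comment="" ro="False">`, so the description field is explicitly empty, and its anti-spoofing rule `<PolicyRule id="id4129359C" ... action="Deny" direction="Inbound" comment="">` is likewise the only one in the patch without the "anti spoofing rule" comment the other templates carry. Every other Firewall in this file describes its interfaces and what the policy permits; giving this one the same treatment (single interface eth0 at 192.168.1.10, only HTTP in, DNS and SMTP out, ident rejected) would make the template as self-documenting as the rest.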
@ -1361,7 +1356,7 @@
</When>
<PolicyRuleOptions/>
</PolicyRule>
<PolicyRule id="id412935A9" action="Accept" direction="Both" disabled="False" log="False" position="11">
<PolicyRule id="id412935A9" disabled="False" log="False" position="11" action="Accept" direction="Both" comment="">
<Src neg="False">
<ObjectRef ref="sysid0"/>
</Src>
@ -1379,7 +1374,7 @@
</When>
<PolicyRuleOptions/>
</PolicyRule>
<PolicyRule id="id41293564" action="Accept" disabled="False" log="False" position="2">
<PolicyRule id="id41293564" disabled="False" log="False" position="2" action="Accept" direction="Both" comment="">
<Src neg="False">
<ObjectRef ref="sysid0"/>
</Src>
@ -1399,7 +1394,7 @@
</When>
<PolicyRuleOptions/>
</PolicyRule>
<PolicyRule id="id41293570" comment="server needs DNS to back-resolve clients IPs.&#10;Even if it does not log host names during its&#10;normal operations, statistics scripts such as&#10;webalizer need it for reporting." action="Accept" disabled="False" log="False" position="3">
<PolicyRule id="id41293570" disabled="False" log="False" position="3" action="Accept" direction="Both" comment="server needs DNS to back-resolve clients IPs.&#10;Even if it does not log host names during its&#10;normal operations, statistics scripts such as&#10;webalizer need it for reporting.">
<Src neg="False">
<ObjectRef ref="id4129355E"/>
</Src>
@ -1417,7 +1412,7 @@
</When>
<PolicyRuleOptions/>
</PolicyRule>
<PolicyRule id="id4129357A" comment="this rule allows the server to send&#10;statistics and reports via email. Disable&#10;this rule if you do not need it." action="Accept" disabled="False" log="False" position="4">
<PolicyRule id="id4129357A" disabled="False" log="False" position="4" action="Accept" direction="Both" comment="this rule allows the server to send&#10;statistics and reports via email. Disable&#10;this rule if you do not need it.">
<Src neg="False">
<ObjectRef ref="id4129355E"/>
</Src>
@ -1435,7 +1430,7 @@
</When>
<PolicyRuleOptions/>
</PolicyRule>
<PolicyRule id="id41293584" comment="this rejects auth (ident) queries that remote&#10;mail relays may send to this server when it&#10;tries to send email out." action="Reject" disabled="False" log="False" position="5">
<PolicyRule id="id41293584" disabled="False" log="False" position="5" action="Reject" direction="Both" comment="this rejects auth (ident) queries that remote&#10;mail relays may send to this server when it&#10;tries to send email out.">
<Src neg="False">
<ObjectRef ref="sysid0"/>
</Src>
@ -1453,7 +1448,7 @@
</When>
<PolicyRuleOptions/>
</PolicyRule>
<PolicyRule id="id4129358E" action="Deny" disabled="False" log="True" position="6">
<PolicyRule id="id4129358E" disabled="False" log="True" position="6" action="Deny" direction="Both" comment="">
<Src neg="False">
<ObjectRef ref="sysid0"/>
</Src>
@ -1472,12 +1467,12 @@
<PolicyRuleOptions/>
</PolicyRule>
</Policy>
<Routing id="id4129355E-routing" name="Routing" ipv6_rule_set="False" top_rule_set="True"/>
<Interface id="id41293599" name="eth0" bridgeport="False" dyn="False" label="outside" mgmt="True" security_level="0" unnum="False" unprotected="False">
<IPv4 id="id4129359A" name="web server:eth0:ip" address="192.168.1.10" netmask="255.255.255.0"/>
<Routing id="id4129355E-routing" name="Routing" comment="" ro="False" ipv4_rule_set="False" ipv6_rule_set="False" top_rule_set="True"/>
<Interface id="id41293599" bridgeport="False" dyn="False" label="outside" mgmt="True" security_level="0" unnum="False" unprotected="False" name="eth0" comment="" ro="False">
<IPv4 id="id4129359A" name="web server:eth0:ip" comment="" ro="False" address="192.168.1.10" netmask="255.255.255.0"/>
</Interface>
<Interface id="id412935A6" name="lo" bridgeport="False" dyn="False" label="loopback" security_level="100" unnum="False" unprotected="False">
<IPv4 id="id412935A7" name="web server:lo:ip" address="127.0.0.1" netmask="255.0.0.0"/>
<Interface id="id412935A6" bridgeport="False" dyn="False" label="loopback" security_level="100" unnum="False" unprotected="False" name="lo" comment="" ro="False">
<IPv4 id="id412935A7" name="web server:lo:ip" comment="" ro="False" address="127.0.0.1" netmask="255.0.0.0"/>
</Interface>
<Management address="192.168.1.10">
<SNMPManagement enabled="False" snmp_read_community="" snmp_write_community=""/>
@ -1536,10 +1531,10 @@
<Option name="verify_interfaces">True</Option>
</FirewallOptions>
</Firewall>
<Firewall id="id4699503132343" name="c36xx" comment="An example of Cisco router" host_OS="ios" inactive="False" lastCompiled="0" lastInstalled="0" lastModified="1184450093" platform="iosacl" ro="False" version="12.x">
<NAT id="id4699503532343" name="NAT" ipv6_rule_set="False" top_rule_set="True"/>
<Policy id="id4699503432343" name="Policy" ipv6_rule_set="False" top_rule_set="True">
<PolicyRule id="id46995E2832343" comment="anti-spoofing rule" action="Deny" direction="Inbound" disabled="False" log="True" position="0">
<Firewall id="id4699503132343" host_OS="ios" inactive="False" lastCompiled="0" lastInstalled="0" lastModified="1184450093" platform="iosacl" version="12.x" name="c36xx" comment="An example of Cisco router" ro="False">
<NAT id="id4699503532343" name="NAT" comment="" ro="False" ipv4_rule_set="False" ipv6_rule_set="False" top_rule_set="True"/>
<Policy id="id4699503432343" name="Policy" comment="" ro="False" ipv4_rule_set="False" ipv6_rule_set="False" top_rule_set="True">
<PolicyRule id="id46995E2832343" disabled="False" log="True" position="0" action="Deny" direction="Inbound" comment="anti-spoofing rule">
<Src neg="False">
<ObjectRef ref="id3DC75CE7-1"/>
<ObjectRef ref="id4699503132343"/>
@ -1560,7 +1555,7 @@
<Option name="stateless">True</Option>
</PolicyRuleOptions>
</PolicyRule>
<PolicyRule id="id469954CB32343" action="Accept" direction="Inbound" disabled="False" log="False" position="1">
<PolicyRule id="id469954CB32343" disabled="False" log="False" position="1" action="Accept" direction="Inbound" comment="">
<Src neg="False">
<ObjectRef ref="id3DC75CE7-1"/>
</Src>
@ -1580,7 +1575,7 @@
<Option name="stateless">False</Option>
</PolicyRuleOptions>
</PolicyRule>
<PolicyRule id="id469954DA32343" action="Deny" direction="Both" disabled="False" log="True" position="2">
<PolicyRule id="id469954DA32343" disabled="False" log="True" position="2" action="Deny" direction="Both" comment="">
<Src neg="False">
<ObjectRef ref="sysid0"/>
</Src>
@ -1600,7 +1595,7 @@
<Option name="stateless">True</Option>
</PolicyRuleOptions>
</PolicyRule>
<PolicyRule id="id469954B332343" action="Deny" direction="Both" disabled="False" log="True" position="3">
<PolicyRule id="id469954B332343" disabled="False" log="True" position="3" action="Deny" direction="Both" comment="">
<Src neg="False">
<ObjectRef ref="sysid0"/>
</Src>
@ -1621,18 +1616,18 @@
</PolicyRuleOptions>
</PolicyRule>
</Policy>
<Routing id="id4699503632343" name="Routing" ipv6_rule_set="False" top_rule_set="True"/>
<Interface id="id4699503732343" name="Ethernet1/0" bridgeport="False" dyn="False" label="" mgmt="False" security_level="0" unnum="False" unprotected="False">
<IPv4 id="id4699503832343" name="c36xx:Ethernet1/0:ip" address="192.0.2.1" netmask="255.255.255.0"/>
<Routing id="id4699503632343" name="Routing" comment="" ro="False" ipv4_rule_set="False" ipv6_rule_set="False" top_rule_set="True"/>
<Interface id="id4699503732343" bridgeport="False" dyn="False" label="" mgmt="False" security_level="0" unnum="False" unprotected="False" name="Ethernet1/0" comment="" ro="False">
<IPv4 id="id4699503832343" name="c36xx:Ethernet1/0:ip" comment="" ro="False" address="192.0.2.1" netmask="255.255.255.0"/>
</Interface>
<Interface id="id4699503932343" name="Ethernet1/1" bridgeport="False" dyn="False" label="" security_level="50" unnum="False" unprotected="False">
<IPv4 id="id4699503A32343" name="c36xx:Ethernet1/1:ip" comment="Configure IP address and netmask for this interface" address="0.0.0.0" netmask="0.0.0.0"/>
<Interface id="id4699503932343" bridgeport="False" dyn="False" label="" security_level="50" unnum="False" unprotected="False" name="Ethernet1/1" comment="" ro="False">
<IPv4 id="id4699503A32343" name="c36xx:Ethernet1/1:ip" comment="Configure IP address and netmask for this interface" ro="False" address="0.0.0.0" netmask="0.0.0.0"/>
</Interface>
<Interface id="id4699503B32343" name="FastEthernet0/0" bridgeport="False" dyn="False" label="" mgmt="True" security_level="100" unnum="False" unprotected="False">
<IPv4 id="id4699503C32343" name="c36xx:FastEthernet0/0:ip" address="192.168.1.1" netmask="255.255.255.0"/>
<Interface id="id4699503B32343" bridgeport="False" dyn="False" label="" mgmt="True" security_level="100" unnum="False" unprotected="False" name="FastEthernet0/0" comment="" ro="False">
<IPv4 id="id4699503C32343" name="c36xx:FastEthernet0/0:ip" comment="" ro="False" address="192.168.1.1" netmask="255.255.255.0"/>
</Interface>
<Interface id="id4699503F32343" name="Serial1/0" bridgeport="False" dyn="False" label="" mgmt="False" security_level="0" unnum="False" unprotected="False">
<IPv4 id="id4699504032343" name="c36xx:Serial1/0:ip" comment="Configure IP address and netmask for this interface" address="0.0.0.0" netmask="0.0.0.0"/>
<Interface id="id4699503F32343" bridgeport="False" dyn="False" label="" mgmt="False" security_level="0" unnum="False" unprotected="False" name="Serial1/0" comment="" ro="False">
<IPv4 id="id4699504032343" name="c36xx:Serial1/0:ip" comment="Configure IP address and netmask for this interface" ro="False" address="0.0.0.0" netmask="0.0.0.0"/>
</Interface>
<Management address="192.168.1.1">
<SNMPManagement enabled="False" snmp_read_community="" snmp_write_community=""/>
@ -1710,23 +1705,152 @@
<Option name="verify_interfaces">true</Option>
</FirewallOptions>
</Firewall>
<Firewall id="id3836X47925" host_OS="endian_os" inactive="False" lastCompiled="0" lastInstalled="0" lastModified="1239820196" platform="endian" version="" name="IPCOP or Endian appliance (2 interfaces)" comment="Endian firewall appliance, 2 interfaces:&#10;br0 is GREEN&#10;eth1 is RED&#10;Do not forget to change IP addresses to &#10;match your firewall." ro="False">
<NAT id="id3840X47925" name="NAT" comment="" ro="False" ipv4_rule_set="False" ipv6_rule_set="False" top_rule_set="True"/>
<Policy id="id3839X47925" name="Policy" comment="" ro="False" ipv4_rule_set="False" ipv6_rule_set="False" top_rule_set="True"/>
<Routing id="id3841X47925" name="Routing" comment="" ro="False" ipv4_rule_set="False" ipv6_rule_set="False" top_rule_set="True"/>
<Interface id="id3842X47925" bridgeport="False" dyn="False" label="GREEN" mgmt="True" security_level="100" unnum="False" unprotected="False" name="br0" comment="" ro="False">
<IPv4 id="id3843X47925" name="br0:ip" comment="" ro="False" address="192.168.1.1" netmask="255.255.255.0"/>
</Interface>
<Interface id="id3844X47925" bridgeport="False" dyn="False" label="RED" mgmt="False" security_level="0" unnum="False" unprotected="False" name="eth1" comment="" ro="False">
<IPv4 id="id3845X47925" name="eth1:ip" comment="" ro="False" address="192.0.2.1" netmask="255.255.255.0"/>
</Interface>
<Management address="0.0.0.0">
<SNMPManagement enabled="False" snmp_read_community="" snmp_write_community=""/>
<FWBDManagement enabled="False" identity="" port="-1"/>
<PolicyInstallScript arguments="" command="" enabled="False"/>
</Management>
<FirewallOptions>
<Option name="accept_established">true</Option>
<Option name="accept_new_tcp_with_no_syn">true</Option>
<Option name="activationCmd">/etc/rc.d/rc.firewall restart</Option>
<Option name="admUser">root</Option>
<Option name="check_shading">true</Option>
<Option name="comment"> defaults for ipcop </Option>
<Option name="configure_interfaces">true</Option>
<Option name="firewall_dir">/etc/rc.d/</Option>
<Option name="firewall_is_part_of_any_and_networks">true</Option>
<Option name="limit_value">0</Option>
<Option name="linux24_accept_redirects"></Option>
<Option name="linux24_accept_source_route"></Option>
<Option name="linux24_icmp_echo_ignore_all"></Option>
<Option name="linux24_icmp_echo_ignore_broadcasts"></Option>
<Option name="linux24_icmp_ignore_bogus_error_responses"></Option>
<Option name="linux24_ip_dynaddr"></Option>
<Option name="linux24_ip_forward"></Option>
<Option name="linux24_ipv6_forward"></Option>
<Option name="linux24_log_martians"></Option>
<Option name="linux24_path_ip"></Option>
<Option name="linux24_path_ip6tables"></Option>
<Option name="linux24_path_ip6tables_restore"></Option>
<Option name="linux24_path_iptables"></Option>
<Option name="linux24_path_iptables_restore"></Option>
<Option name="linux24_path_logger"></Option>
<Option name="linux24_path_lsmod"></Option>
<Option name="linux24_path_modprobe"></Option>
<Option name="linux24_rp_filter"></Option>
<Option name="linux24_tcp_ecn"></Option>
<Option name="linux24_tcp_fack"></Option>
<Option name="linux24_tcp_fin_timeout">0</Option>
<Option name="linux24_tcp_keepalive_interval">0</Option>
<Option name="linux24_tcp_sack"></Option>
<Option name="linux24_tcp_syncookies"></Option>
<Option name="linux24_tcp_timestamps"></Option>
<Option name="linux24_tcp_window_scaling"></Option>
<Option name="load_modules">true</Option>
<Option name="local_nat">false</Option>
<Option name="log_level">info</Option>
<Option name="log_prefix">RULE %N -- %A </Option>
<Option name="loopback_interface">lo</Option>
<Option name="manage_virtual_addr">true</Option>
<Option name="output_file">rc.firewall.local</Option>
<Option name="ulog_nlgroup">1</Option>
<Option name="verify_interfaces">true</Option>
</FirewallOptions>
</Firewall>
<Firewall id="id3872X48257" host_OS="endian_os" inactive="False" lastCompiled="0" lastInstalled="0" lastModified="1239820203" platform="endian" version="" name="IPCOP or Endian appliance (3 interfaces)" comment="Endian firewall appliance, 3 interfaces:&#10;br0 is GREEN&#10;eth1 is RED&#10;eth2 is ORANGE&#10;Do not forget to change IP addresses to &#10;match your firewall." ro="False">
<NAT id="id3879X48257" name="NAT" comment="" ro="False" ipv4_rule_set="False" ipv6_rule_set="False" top_rule_set="True"/>
<Policy id="id3878X48257" name="Policy" comment="" ro="False" ipv4_rule_set="False" ipv6_rule_set="False" top_rule_set="True"/>
<Routing id="id3880X48257" name="Routing" comment="" ro="False" ipv4_rule_set="False" ipv6_rule_set="False" top_rule_set="True"/>
<Interface id="id3881X48257" bridgeport="False" dyn="False" label="GREEN" mgmt="True" security_level="100" unnum="False" unprotected="False" name="br0" comment="" ro="False">
<IPv4 id="id3883X48257" name="br0:ip" comment="" ro="False" address="192.168.1.1" netmask="255.255.255.0"/>
</Interface>
<Interface id="id3884X48257" bridgeport="False" dyn="False" label="RED" mgmt="False" security_level="0" unnum="False" unprotected="False" name="eth1" comment="" ro="False">
<IPv4 id="id3886X48257" name="eth1:ip" comment="" ro="False" address="192.0.2.1" netmask="255.255.255.0"/>
</Interface>
<Interface id="id4907X48257" bridgeport="False" dyn="False" label="ORANGE" mgmt="False" security_level="0" unnum="False" unprotected="False" name="eth2" comment="" ro="False">
<IPv4 id="id4908X48257" name="eth2:ip" comment="" ro="False" address="192.168.2.1" netmask="255.255.255.0"/>
</Interface>
<Management address="0.0.0.0">
<SNMPManagement enabled="False" snmp_read_community="" snmp_write_community=""/>
<FWBDManagement enabled="False" identity="" port="-1"/>
<PolicyInstallScript arguments="" command="" enabled="False"/>
</Management>
<FirewallOptions>
<Option name="accept_established">true</Option>
<Option name="accept_new_tcp_with_no_syn">true</Option>
<Option name="activationCmd">/etc/rc.d/rc.firewall restart</Option>
<Option name="admUser">root</Option>
<Option name="check_shading">true</Option>
<Option name="comment"> defaults for ipcop </Option>
<Option name="configure_interfaces">true</Option>
<Option name="firewall_dir">/etc/rc.d/</Option>
<Option name="firewall_is_part_of_any_and_networks">true</Option>
<Option name="limit_value">0</Option>
<Option name="linux24_accept_redirects"></Option>
<Option name="linux24_accept_source_route"></Option>
<Option name="linux24_icmp_echo_ignore_all"></Option>
<Option name="linux24_icmp_echo_ignore_broadcasts"></Option>
<Option name="linux24_icmp_ignore_bogus_error_responses"></Option>
<Option name="linux24_ip_dynaddr"></Option>
<Option name="linux24_ip_forward"></Option>
<Option name="linux24_ipv6_forward"></Option>
<Option name="linux24_log_martians"></Option>
<Option name="linux24_path_ip"></Option>
<Option name="linux24_path_ip6tables"></Option>
<Option name="linux24_path_ip6tables_restore"></Option>
<Option name="linux24_path_iptables"></Option>
<Option name="linux24_path_iptables_restore"></Option>
<Option name="linux24_path_logger"></Option>
<Option name="linux24_path_lsmod"></Option>
<Option name="linux24_path_modprobe"></Option>
<Option name="linux24_rp_filter"></Option>
<Option name="linux24_tcp_ecn"></Option>
<Option name="linux24_tcp_fack"></Option>
<Option name="linux24_tcp_fin_timeout">0</Option>
<Option name="linux24_tcp_keepalive_interval">0</Option>
<Option name="linux24_tcp_sack"></Option>
<Option name="linux24_tcp_syncookies"></Option>
<Option name="linux24_tcp_timestamps"></Option>
<Option name="linux24_tcp_window_scaling"></Option>
<Option name="load_modules">true</Option>
<Option name="local_nat">false</Option>
<Option name="log_level">info</Option>
<Option name="log_prefix">RULE %N -- %A </Option>
<Option name="loopback_interface">lo</Option>
<Option name="manage_virtual_addr">true</Option>
<Option name="output_file">rc.firewall.local</Option>
<Option name="ulog_nlgroup">1</Option>
<Option name="verify_interfaces">true</Option>
</FirewallOptions>
</Firewall>
</ObjectGroup>
<IntervalGroup id="id4070BBA9" name="Time"/>
<IntervalGroup id="id4070BBA9" name="Time" comment="" ro="False"/>
</Library>
<Library id="syslib000" name="Standard" comment="Standard objects" color="#d4f8ff" ro="True">
<ObjectGroup id="stdid01" name="Objects">
<ObjectGroup id="stdid03" name="Networks">
<Network id="id3DC75CE7-1" name="net-192.168.1.0" comment="192.168.1.0/24 - Address often used for home and small office networks.&#10;" address="192.168.1.0" netmask="255.255.255.0"/>
<Network id="id3DC75CE7-2" name="net-192.168.2.0" comment="192.168.2.0/24 - Address often used for home and small office networks.&#10;" address="192.168.2.0" netmask="255.255.255.0"/>
<Library id="syslib000" color="#d4f8ff" name="Standard" comment="Standard objects" ro="True">
<ObjectGroup id="stdid01" name="Objects" comment="" ro="False">
<ObjectGroup id="stdid03" name="Networks" comment="" ro="False">
<Network id="id3DC75CE7-1" name="net-192.168.1.0" comment="192.168.1.0/24 - Address often used for home and small office networks.&#10;" ro="False" address="192.168.1.0" netmask="255.255.255.0"/>
<Network id="id3DC75CE7-2" name="net-192.168.2.0" comment="192.168.2.0/24 - Address often used for home and small office networks.&#10;" ro="False" address="192.168.2.0" netmask="255.255.255.0"/>
</ObjectGroup>
<ObjectGroup id="stdid15" name="Address Ranges">
<AddressRange id="id3F6D115D" name="old-broadcast" start_address="0.0.0.0" end_address="0.0.0.0"/>
<AddressRange id="id3F6D115C" name="broadcast" start_address="255.255.255.255" end_address="255.255.255.255"/>
<ObjectGroup id="stdid15" name="Address Ranges" comment="" ro="False">
<AddressRange id="id3F6D115D" name="old-broadcast" comment="" ro="False" start_address="0.0.0.0" end_address="0.0.0.0"/>
<AddressRange id="id3F6D115C" name="broadcast" comment="" ro="False" start_address="255.255.255.255" end_address="255.255.255.255"/>
</ObjectGroup>
<ObjectGroup id="stdid02" name="Hosts">
<Host id="id3D84EECE" name="internal server" comment="This host is used in examples and template objects">
<Interface id="id3D84EED2" name="eth0" bridgeport="False" dyn="False" security_level="0" unnum="False" unprotected="False">
<IPv4 id="id3D84EED3" name="ip" address="192.168.1.10" netmask="255.255.255.0"/>
<ObjectGroup id="stdid02" name="Hosts" comment="" ro="False">
<Host id="id3D84EECE" name="internal server" comment="This host is used in examples and template objects" ro="False">
<Interface id="id3D84EED2" bridgeport="False" dyn="False" security_level="0" unnum="False" unprotected="False" name="eth0" comment="" ro="False">
<IPv4 id="id3D84EED3" name="ip" comment="" ro="False" address="192.168.1.10" netmask="255.255.255.0"/>
</Interface>
<Management address="192.168.1.10">
<SNMPManagement enabled="False" snmp_read_community="" snmp_write_community=""/>
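Review bot: both new appliance templates in this hunk (`name="IPCOP or Endian appliance (2 interfaces)"` and `"... (3 interfaces)"`) carry `<Management address="0.0.0.0">` while br0 is marked `mgmt="True"` with address 192.168.1.1; the other firewall objects in this file keep the Management address equal to the management interface address (web server: 192.168.1.10, c36xx: 192.168.1.1), so the installer has no usable target here. Suggest `<Management address="192.168.1.1">` in both templates, or say in the template comment that the user must set it along with the interface addresses. Two further points on the same lines: the templates are hard-wired to `host_OS="endian_os" platform="endian"` even though the name advertises IPCOP and the options comment reads " defaults for ipcop ", while the ipcop platform/host_OS pair is separate (see the firewall-ipcop-1 object added later in this commit), so an IPCOP user starting from this template compiles for Endian unless they notice and change both fields; either provide one template per platform or document the mapping in the comment. And in the 3-interface template eth2 (ORANGE) gets `security_level="0"`, identical to RED (eth1), whereas the existing c36xx example places its DMZ interface (Ethernet1/1) at 50; giving ORANGE an intermediate level keeps the DMZ distinguishable from the untrusted side. Finally, `accept_new_tcp_with_no_syn` is shipped as `true` in both FirewallOptions blocks; accepting non-SYN TCP packets as new connections relaxes the stateful check, so if this is deliberate for appliances that restart rc.firewall frequently it deserves a note in the options comment.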
@ -1741,9 +1865,9 @@
<Option name="use_mac_addr_filter">False</Option>
</HostOptions>
</Host>
<Host id="id3D84EECF" name="server on dmz" comment="This host is used in examples and template objects">
<Interface id="id3D84EEE3" name="eth0" bridgeport="False" dyn="False" security_level="0" unnum="False" unprotected="False">
<IPv4 id="id3D84EEE4" name="ip" address="192.168.2.10" netmask="255.255.255.0"/>
<Host id="id3D84EECF" name="server on dmz" comment="This host is used in examples and template objects" ro="False">
<Interface id="id3D84EEE3" bridgeport="False" dyn="False" security_level="0" unnum="False" unprotected="False" name="eth0" comment="" ro="False">
<IPv4 id="id3D84EEE4" name="ip" comment="" ro="False" address="192.168.2.10" netmask="255.255.255.0"/>
</Interface>
<Management address="192.168.2.10">
<SNMPManagement enabled="False" snmp_read_community="" snmp_write_community=""/>
@ -1760,54 +1884,54 @@
</Host>
</ObjectGroup>
</ObjectGroup>
<AnyNetwork id="sysid0" name="Any" comment="Any Network" address="0.0.0.0" netmask="0.0.0.0"/>
<AnyIPService id="sysid1" name="Any" comment="Any IP Service" protocol_num="0"/>
<AnyInterval id="sysid2" name="Any" comment="Any Interval" days_of_week="0,1,2,3,4,5,6" from_day="-1" from_hour="-1" from_minute="-1" from_month="-1" from_weekday="-1" from_year="-1" to_day="-1" to_hour="-1" to_minute="-1" to_month="-1" to_weekday="-1" to_year="-1"/>
<ServiceGroup id="stdid05" name="Services">
<ServiceGroup id="stdid09" name="TCP">
<TCPService id="tcp-SSH" name="ssh" ack_flag="False" ack_flag_mask="False" fin_flag="False" fin_flag_mask="False" psh_flag="False" psh_flag_mask="False" rst_flag="False" rst_flag_mask="False" syn_flag="False" syn_flag_mask="False" urg_flag="False" urg_flag_mask="False" src_range_start="0" src_range_end="0" dst_range_start="22" dst_range_end="22"/>
<TCPService id="tcp-Auth" name="auth" ack_flag="False" ack_flag_mask="False" fin_flag="False" fin_flag_mask="False" psh_flag="False" psh_flag_mask="False" rst_flag="False" rst_flag_mask="False" syn_flag="False" syn_flag_mask="False" urg_flag="False" urg_flag_mask="False" src_range_start="0" src_range_end="0" dst_range_start="113" dst_range_end="113"/>
<TCPService id="tcp-SMTP" name="smtp" ack_flag="False" ack_flag_mask="False" fin_flag="False" fin_flag_mask="False" psh_flag="False" psh_flag_mask="False" rst_flag="False" rst_flag_mask="False" syn_flag="False" syn_flag_mask="False" urg_flag="False" urg_flag_mask="False" src_range_start="0" src_range_end="0" dst_range_start="25" dst_range_end="25"/>
<TCPService id="tcp-HTTP" name="http" ack_flag="False" ack_flag_mask="False" fin_flag="False" fin_flag_mask="False" psh_flag="False" psh_flag_mask="False" rst_flag="False" rst_flag_mask="False" syn_flag="False" syn_flag_mask="False" urg_flag="False" urg_flag_mask="False" src_range_start="0" src_range_end="0" dst_range_start="80" dst_range_end="80"/>
<TCPService id="tcp-DNS" name="domain" ack_flag="False" ack_flag_mask="False" fin_flag="False" fin_flag_mask="False" psh_flag="False" psh_flag_mask="False" rst_flag="False" rst_flag_mask="False" syn_flag="False" syn_flag_mask="False" urg_flag="False" urg_flag_mask="False" src_range_start="0" src_range_end="0" dst_range_start="53" dst_range_end="53"/>
<TCPService id="id41291784" name="upnp" ack_flag="False" ack_flag_mask="False" fin_flag="False" fin_flag_mask="False" psh_flag="False" psh_flag_mask="False" rst_flag="False" rst_flag_mask="False" syn_flag="False" syn_flag_mask="False" urg_flag="False" urg_flag_mask="False" src_range_start="0" src_range_end="0" dst_range_start="5000" dst_range_end="5000"/>
<TCPService id="id41291785" name="upnp-5431" comment="Although UPnP specification say it should use TCP port 5000, Linksys running Sveasoft firmware listens on port 5431" ack_flag="False" ack_flag_mask="False" fin_flag="False" fin_flag_mask="False" psh_flag="False" psh_flag_mask="False" rst_flag="False" rst_flag_mask="False" syn_flag="False" syn_flag_mask="False" urg_flag="False" urg_flag_mask="False" src_range_start="0" src_range_end="0" dst_range_start="5431" dst_range_end="5431"/>
<TCPService id="id412Z18A9" name="icslap" comment="Sometimes this protocol is called icslap, but Microsoft does not call it that and just says that DSPP uses port 2869 in Windows XP SP2" ack_flag="False" ack_flag_mask="False" fin_flag="False" fin_flag_mask="False" psh_flag="False" psh_flag_mask="False" rst_flag="False" rst_flag_mask="False" syn_flag="False" syn_flag_mask="False" urg_flag="False" urg_flag_mask="False" src_range_start="0" src_range_end="0" dst_range_start="2869" dst_range_end="2869"/>
<AnyNetwork id="sysid0" name="Any" comment="Any Network" ro="False" address="0.0.0.0" netmask="0.0.0.0"/>
<AnyIPService id="sysid1" protocol_num="0" name="Any" comment="Any IP Service" ro="False"/>
<AnyInterval id="sysid2" days_of_week="0,1,2,3,4,5,6" from_day="-1" from_hour="-1" from_minute="-1" from_month="-1" from_weekday="-1" from_year="-1" to_day="-1" to_hour="-1" to_minute="-1" to_month="-1" to_weekday="-1" to_year="-1" name="Any" comment="Any Interval" ro="False"/>
<ServiceGroup id="stdid05" name="Services" comment="" ro="False">
<ServiceGroup id="stdid09" name="TCP" comment="" ro="False">
<TCPService id="tcp-SSH" ack_flag="False" ack_flag_mask="False" fin_flag="False" fin_flag_mask="False" psh_flag="False" psh_flag_mask="False" rst_flag="False" rst_flag_mask="False" syn_flag="False" syn_flag_mask="False" urg_flag="False" urg_flag_mask="False" name="ssh" comment="" ro="False" src_range_start="0" src_range_end="0" dst_range_start="22" dst_range_end="22"/>
<TCPService id="tcp-Auth" ack_flag="False" ack_flag_mask="False" fin_flag="False" fin_flag_mask="False" psh_flag="False" psh_flag_mask="False" rst_flag="False" rst_flag_mask="False" syn_flag="False" syn_flag_mask="False" urg_flag="False" urg_flag_mask="False" name="auth" comment="" ro="False" src_range_start="0" src_range_end="0" dst_range_start="113" dst_range_end="113"/>
<TCPService id="tcp-SMTP" ack_flag="False" ack_flag_mask="False" fin_flag="False" fin_flag_mask="False" psh_flag="False" psh_flag_mask="False" rst_flag="False" rst_flag_mask="False" syn_flag="False" syn_flag_mask="False" urg_flag="False" urg_flag_mask="False" name="smtp" comment="" ro="False" src_range_start="0" src_range_end="0" dst_range_start="25" dst_range_end="25"/>
<TCPService id="tcp-HTTP" ack_flag="False" ack_flag_mask="False" fin_flag="False" fin_flag_mask="False" psh_flag="False" psh_flag_mask="False" rst_flag="False" rst_flag_mask="False" syn_flag="False" syn_flag_mask="False" urg_flag="False" urg_flag_mask="False" name="http" comment="" ro="False" src_range_start="0" src_range_end="0" dst_range_start="80" dst_range_end="80"/>
<TCPService id="tcp-DNS" ack_flag="False" ack_flag_mask="False" fin_flag="False" fin_flag_mask="False" psh_flag="False" psh_flag_mask="False" rst_flag="False" rst_flag_mask="False" syn_flag="False" syn_flag_mask="False" urg_flag="False" urg_flag_mask="False" name="domain" comment="" ro="False" src_range_start="0" src_range_end="0" dst_range_start="53" dst_range_end="53"/>
<TCPService id="id41291784" ack_flag="False" ack_flag_mask="False" fin_flag="False" fin_flag_mask="False" psh_flag="False" psh_flag_mask="False" rst_flag="False" rst_flag_mask="False" syn_flag="False" syn_flag_mask="False" urg_flag="False" urg_flag_mask="False" name="upnp" comment="" ro="False" src_range_start="0" src_range_end="0" dst_range_start="5000" dst_range_end="5000"/>
<TCPService id="id41291785" ack_flag="False" ack_flag_mask="False" fin_flag="False" fin_flag_mask="False" psh_flag="False" psh_flag_mask="False" rst_flag="False" rst_flag_mask="False" syn_flag="False" syn_flag_mask="False" urg_flag="False" urg_flag_mask="False" name="upnp-5431" comment="Although UPnP specification say it should use TCP port 5000, Linksys running Sveasoft firmware listens on port 5431" ro="False" src_range_start="0" src_range_end="0" dst_range_start="5431" dst_range_end="5431"/>
<TCPService id="id412Z18A9" ack_flag="False" ack_flag_mask="False" fin_flag="False" fin_flag_mask="False" psh_flag="False" psh_flag_mask="False" rst_flag="False" rst_flag_mask="False" syn_flag="False" syn_flag_mask="False" urg_flag="False" urg_flag_mask="False" name="icslap" comment="Sometimes this protocol is called icslap, but Microsoft does not call it that and just says that DSPP uses port 2869 in Windows XP SP2" ro="False" src_range_start="0" src_range_end="0" dst_range_start="2869" dst_range_end="2869"/>
</ServiceGroup>
<ServiceGroup id="stdid10" name="Groups">
<ServiceGroup id="id3F530CC8" name="DNS">
<ServiceGroup id="stdid10" name="Groups" comment="" ro="False">
<ServiceGroup id="id3F530CC8" name="DNS" comment="" ro="False">
<ServiceRef ref="udp-DNS"/>
<ServiceRef ref="tcp-DNS"/>
</ServiceGroup>
<ServiceGroup id="sg-DHCP" name="DHCP">
<ServiceGroup id="sg-DHCP" name="DHCP" comment="" ro="False">
<ServiceRef ref="udp-bootpc"/>
<ServiceRef ref="udp-bootps"/>
</ServiceGroup>
<ServiceGroup id="sg-Useful_ICMP" name="Useful_ICMP">
<ServiceGroup id="sg-Useful_ICMP" name="Useful_ICMP" comment="" ro="False">
<ServiceRef ref="icmp-Time_exceeded"/>
<ServiceRef ref="icmp-Time_exceeded_in_transit"/>
<ServiceRef ref="icmp-ping_reply"/>
<ServiceRef ref="icmp-Unreachables"/>
</ServiceGroup>
<ServiceGroup id="id41291786" name="UPnP">
<ServiceGroup id="id41291786" name="UPnP" comment="" ro="False">
<ServiceRef ref="id41291784"/>
<ServiceRef ref="id41291785"/>
<ServiceRef ref="id41291783"/>
<ServiceRef ref="id412Z18A9"/>
</ServiceGroup>
</ServiceGroup>
<ServiceGroup id="stdid07" name="ICMP">
<ICMPService id="icmp-ping_request" name="ping request" code="0" type="8"/>
<ICMPService id="icmp-ping_reply" name="ping reply" code="0" type="0"/>
<ICMPService id="icmp-Time_exceeded" name="time exceeded" comment="ICMP messages of this type are needed for traceroute" code="0" type="11"/>
<ICMPService id="icmp-Unreachables" name="all ICMP unreachables" code="-1" type="3"/>
<ICMPService id="icmp-Time_exceeded_in_transit" name="time exceeded in transit" code="1" type="11"/>
<ServiceGroup id="stdid07" name="ICMP" comment="" ro="False">
<ICMPService id="icmp-ping_request" code="0" type="8" name="ping request" comment="" ro="False"/>
<ICMPService id="icmp-ping_reply" code="0" type="0" name="ping reply" comment="" ro="False"/>
<ICMPService id="icmp-Time_exceeded" code="0" type="11" name="time exceeded" comment="ICMP messages of this type are needed for traceroute" ro="False"/>
<ICMPService id="icmp-Unreachables" code="-1" type="3" name="all ICMP unreachables" comment="" ro="False"/>
<ICMPService id="icmp-Time_exceeded_in_transit" code="1" type="11" name="time exceeded in transit" comment="" ro="False"/>
</ServiceGroup>
<ServiceGroup id="stdid08" name="UDP">
<UDPService id="udp-DNS" name="domain" src_range_start="0" src_range_end="0" dst_range_start="53" dst_range_end="53"/>
<UDPService id="udp-bootpc" name="bootpc" src_range_start="0" src_range_end="0" dst_range_start="68" dst_range_end="68"/>
<UDPService id="udp-bootps" name="bootps" src_range_start="0" src_range_end="0" dst_range_start="67" dst_range_end="67"/>
<UDPService id="id41291783" name="SSDP" comment="Simple Service Discovery Protocol (used for UPnP)" src_range_start="0" src_range_end="0" dst_range_start="1900" dst_range_end="1900"/>
<ServiceGroup id="stdid08" name="UDP" comment="" ro="False">
<UDPService id="udp-DNS" name="domain" comment="" ro="False" src_range_start="0" src_range_end="0" dst_range_start="53" dst_range_end="53"/>
<UDPService id="udp-bootpc" name="bootpc" comment="" ro="False" src_range_start="0" src_range_end="0" dst_range_start="68" dst_range_end="68"/>
<UDPService id="udp-bootps" name="bootps" comment="" ro="False" src_range_start="0" src_range_end="0" dst_range_start="67" dst_range_end="67"/>
<UDPService id="id41291783" name="SSDP" comment="Simple Service Discovery Protocol (used for UPnP)" ro="False" src_range_start="0" src_range_end="0" dst_range_start="1900" dst_range_end="1900"/>
</ServiceGroup>
</ServiceGroup>
</Library>


@ -1,6 +1,6 @@
<?xml version="1.0" encoding="utf-8"?>
<!DOCTYPE FWObjectDatabase SYSTEM "fwbuilder.dtd">
<FWObjectDatabase xmlns="http://www.fwbuilder.org/1.0/" version="10" lastModified="1239403597" id="root">
<FWObjectDatabase xmlns="http://www.fwbuilder.org/1.0/" version="10" lastModified="1239499273" id="root">
<Library id="sysid99" name="Deleted Objects" comment="" ro="False">
<ICMP6Service id="idE0C27650" code="0" type="1" name="ipv6 dest unreachable" comment="No route to destination" ro="False"/>
<IPv4 id="id41D295E2" name="firewall30:ppp.200*:ip" comment="" ro="False" address="192.168.1.1" netmask="255.255.255.0"/>
@ -39105,6 +39105,249 @@ echo '%FWBPROMPT%'; sh /tmp/%FWSCRIPT%
<Option name="verify_interfaces">True</Option>
</FirewallOptions>
</Firewall>
<Firewall id="id42323X39196" host_OS="ipcop" inactive="False" lastCompiled="0" lastInstalled="0" lastModified="1239554688" platform="ipcop" version="" name="firewall-ipcop-1" comment="This is an example of a firewall protecting a host ( a server or a workstation). Only SSH access to the host is permitted. Host has dynamic address." ro="False">
<NAT id="id42392X39196" name="NAT" comment="" ro="False" ipv4_rule_set="False" ipv6_rule_set="False" top_rule_set="True"/>
<Policy id="id42329X39196" name="Policy" comment="" ro="False" ipv4_rule_set="False" ipv6_rule_set="False" top_rule_set="True">
<PolicyRule id="id42330X39196" disabled="False" log="True" position="0" action="Deny" direction="Inbound" comment="anti spoofing rule">
<Src neg="False">
<ObjectRef ref="id42323X39196"/>
</Src>
<Dst neg="False">
<ObjectRef ref="sysid0"/>
</Dst>
<Srv neg="False">
<ServiceRef ref="sysid1"/>
</Srv>
<Itf neg="False">
<ObjectRef ref="id42394X39196"/>
</Itf>
<When neg="False">
<IntervalRef ref="sysid2"/>
</When>
<PolicyRuleOptions>
<Option name="stateless">True</Option>
</PolicyRuleOptions>
</PolicyRule>
<PolicyRule id="id42342X39196" disabled="False" log="False" position="1" action="Accept" direction="Both" comment="">
<Src neg="False">
<ObjectRef ref="sysid0"/>
</Src>
<Dst neg="False">
<ObjectRef ref="sysid0"/>
</Dst>
<Srv neg="False">
<ServiceRef ref="sysid1"/>
</Srv>
<Itf neg="False">
<ObjectRef ref="id42397X39196"/>
</Itf>
<When neg="False">
<IntervalRef ref="sysid2"/>
</When>
<PolicyRuleOptions/>
</PolicyRule>
<PolicyRule id="id42354X39196" disabled="False" log="False" position="2" action="Accept" direction="Both" comment="SSH Access to the host; useful ICMP&#10;types; ping request">
<Src neg="False">
<ObjectRef ref="sysid0"/>
</Src>
<Dst neg="False">
<ObjectRef ref="id42323X39196"/>
</Dst>
<Srv neg="False">
<ServiceRef ref="tcp-SSH"/>
<ServiceRef ref="sg-Useful_ICMP"/>
<ServiceRef ref="icmp-ping_request"/>
</Srv>
<Itf neg="False">
<ObjectRef ref="sysid0"/>
</Itf>
<When neg="False">
<IntervalRef ref="sysid2"/>
</When>
<PolicyRuleOptions/>
</PolicyRule>
<PolicyRule id="id42368X39196" disabled="False" log="False" position="3" action="Accept" direction="Both" comment="">
<Src neg="False">
<ObjectRef ref="id42323X39196"/>
</Src>
<Dst neg="False">
<ObjectRef ref="sysid0"/>
</Dst>
<Srv neg="False">
<ServiceRef ref="sysid1"/>
</Srv>
<Itf neg="False">
<ObjectRef ref="sysid0"/>
</Itf>
<When neg="False">
<IntervalRef ref="sysid2"/>
</When>
<PolicyRuleOptions/>
</PolicyRule>
<PolicyRule id="id42380X39196" disabled="False" log="True" position="4" action="Deny" direction="Both" comment="">
<Src neg="False">
<ObjectRef ref="sysid0"/>
</Src>
<Dst neg="False">
<ObjectRef ref="sysid0"/>
</Dst>
<Srv neg="False">
<ServiceRef ref="sysid1"/>
</Srv>
<Itf neg="False">
<ObjectRef ref="sysid0"/>
</Itf>
<When neg="False">
<IntervalRef ref="sysid2"/>
</When>
<PolicyRuleOptions>
<Option name="stateless">True</Option>
</PolicyRuleOptions>
</PolicyRule>
</Policy>
<Routing id="id42393X39196" name="Routing" comment="" ro="False" ipv4_rule_set="False" ipv6_rule_set="False" top_rule_set="True"/>
<Interface id="id42394X39196" bridgeport="False" dyn="False" label="RED" mgmt="True" security_level="0" unnum="False" unprotected="False" name="eth0" comment="" ro="False">
<IPv4 id="id42396X39196" name="firewall-ipcop-1:eth0:ip" comment="" ro="False" address="192.0.2.1" netmask="255.255.255.0"/>
</Interface>
<Interface id="id42397X39196" bridgeport="False" dyn="False" label="loopback" mgmt="False" security_level="100" unnum="False" unprotected="False" name="lo" comment="" ro="False">
<IPv4 id="id42399X39196" name="firewall-ipcop-1:lo:ip" comment="" ro="False" address="127.0.0.1" netmask="255.0.0.0"/>
</Interface>
<Interface id="id80905X39196" bridgeport="False" dyn="False" label="GREEN" mgmt="True" security_level="100" unnum="False" unprotected="False" name="eth1" comment="" ro="False">
<IPv4 id="id80906X39196" name="firewall-ipcop-1:eth1:ip" comment="" ro="False" address="192.168.1.1" netmask="255.255.255.0"/>
</Interface>
<Management address="192.0.2.1">
<SNMPManagement enabled="False" snmp_read_community="" snmp_write_community=""/>
<FWBDManagement enabled="False" identity="" port="-1"/>
<PolicyInstallScript arguments="" command="" enabled="False"/>
</Management>
<FirewallOptions>
<Option name="accept_established">true</Option>
<Option name="accept_new_tcp_with_no_syn">True</Option>
<Option name="action_on_reject"></Option>
<Option name="activation">
echo '%FWBPROMPT%';
cat &gt; %FWDIR%/%FWSCRIPT%;
echo '%FWBPROMPT%'; chmod +x %FWDIR%/%FWSCRIPT%; sudo -S %FWDIR%/%FWSCRIPT%; sudo -S ps ax|awk '/shutdown/ {printf "kill %d\n",$1;}'|sh
echo '%FWBPROMPT%'; chmod +x %FWDIR%/%FWSCRIPT%; sudo -S %FWDIR%/%FWSCRIPT%; sudo -S ps ax|awk '/shutdown/ {printf "kill %d\n",$1;}'|sh
echo '%FWBPROMPT%'; chmod +x /tmp/%FWSCRIPT%; sudo -S /sbin/shutdown -r +%RBTIMEOUT%; sudo -S /tmp/%FWSCRIPT%
echo '%FWBPROMPT%'; chmod +x /tmp/%FWSCRIPT%; sudo -S /tmp/%FWSCRIPT%
echo '%FWBPROMPT%';
cat &gt; %FWDIR%/%FWSCRIPT%;
echo '%FWBPROMPT%'; sh %FWDIR%/%FWSCRIPT%; ps ax|awk '/shutdown/ {printf "kill %d\n",$1;}'|sh
echo '%FWBPROMPT%'; sh %FWDIR%/%FWSCRIPT%; ps ax|awk '/shutdown/ {printf "kill %d\n",$1;}'|sh
echo '%FWBPROMPT%'; /sbin/shutdown -r +%RBTIMEOUT%; sh /tmp/%FWSCRIPT%
echo '%FWBPROMPT%'; sh /tmp/%FWSCRIPT%
</Option>
<Option name="activationCmd">/etc/rc.d/rc.firewall</Option>
<Option name="admUser">admin</Option>
<Option name="altAddress"></Option>
<Option name="bridging_fw">False</Option>
<Option name="check_shading">True</Option>
<Option name="classify_mark_terminating">False</Option>
<Option name="cmdline"></Option>
<Option name="compiler"></Option>
<Option name="configure_interfaces">true</Option>
<Option name="debug">False</Option>
<Option name="eliminate_duplicates">true</Option>
<Option name="epilog_script">echo "This is epilog script"
</Option>
<Option name="firewall_dir">/etc/rc.d/</Option>
<Option name="firewall_is_part_of_any_and_networks">True</Option>
<Option name="freebsd_ip_forward">1</Option>
<Option name="fwdir">/etc/fw</Option>
<Option name="fwdir_test">/tmp</Option>
<Option name="ignore_empty_groups">False</Option>
<Option name="in_out_code">true</Option>
<Option name="ipv4_6_order">ipv4_first</Option>
<Option name="limit_suffix"></Option>
<Option name="limit_value">0</Option>
<Option name="linux24_ip_forward">1</Option>
<Option name="load_modules">true</Option>
<Option name="local_nat">False</Option>
<Option name="log_all">False</Option>
<Option name="log_ip_opt">False</Option>
<Option name="log_level">info</Option>
<Option name="log_prefix">RULE %N -- %A </Option>
<Option name="log_tcp_opt">False</Option>
<Option name="log_tcp_seq">False</Option>
<Option name="loopback_interface">lo0</Option>
<Option name="macosx_ip_forward">1</Option>
<Option name="manage_virtual_addr">true</Option>
<Option name="mgmt_addr"></Option>
<Option name="mgmt_ssh">False</Option>
<Option name="openbsd_ip_forward">1</Option>
<Option name="output_file"></Option>
<Option name="pass_all_out">false</Option>
<Option name="pf_limit_frags">5000</Option>
<Option name="pf_limit_states">10000</Option>
<Option name="pf_scrub_maxmss">1460</Option>
<Option name="pf_timeout_frag">30</Option>
<Option name="pf_timeout_interval">10</Option>
<Option name="pix_add_clear_statements">true</Option>
<Option name="pix_assume_fw_part_of_any">true</Option>
<Option name="pix_default_logint">300</Option>
<Option name="pix_emblem_log_format">false</Option>
<Option name="pix_emulate_out_acl">true</Option>
<Option name="pix_floodguard">true</Option>
<Option name="pix_include_comments">true</Option>
<Option name="pix_route_dnat_supported">true</Option>
<Option name="pix_rule_syslog_settings">false</Option>
<Option name="pix_security_fragguard_supported">true</Option>
<Option name="pix_syslog_device_id_supported">false</Option>
<Option name="pix_use_acl_remarks">true</Option>
<Option name="prolog_script">echo "This is prolog script"</Option>
<Option name="prompt1">$ </Option>
<Option name="prompt2"> # </Option>
<Option name="scpArgs"></Option>
<Option name="solaris_ip_forward">1</Option>
<Option name="sshArgs"></Option>
<Option name="timeout_units">sec</Option>
<Option name="ulog_cprange">0</Option>
<Option name="ulog_nlgroup">1</Option>
<Option name="ulog_qthreshold">1</Option>
<Option name="use_ULOG">False</Option>
<Option name="use_numeric_log_levels">False</Option>
<Option name="verify_interfaces">True</Option>
</FirewallOptions>
</Firewall>
</ObjectGroup>
<IntervalGroup id="stdid11_1" name="Time" comment="" ro="False">
<Interval id="id3D6864D0" days_of_week="0,1" from_day="-1" from_hour="1" from_minute="1" from_month="-1" from_weekday="0" from_year="-1" to_day="-1" to_hour="2" to_minute="2" to_month="-1" to_weekday="1" to_year="-1" name="test time 1" comment="" ro="False"/>
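Review bot: the Accept rule at position 2 (id42354X39196) opens SSH to the firewall with Src = Any (sysid0) and Itf = Any (sysid0), so tcp-SSH to the appliance is accepted on eth0 (label RED, security_level 0) as well as on eth1 (GREEN); since eth0 is also flagged mgmt="True" and <Management address="192.0.2.1"> points at the RED address, this template ships with management reachable from the untrusted side. Consider setting Itf of that rule to the GREEN interface (id80905X39196) or Src to the GREEN network object, and moving mgmt="True" and the Management address to eth1. Smaller points in the same block: the Firewall comment ("firewall protecting a host ... Host has dynamic address") is copied from the single-host template and does not describe this two-interface appliance with static addresses on eth0 and eth1; the anti-spoofing rule at position 0 lists only the firewall object as Src, so a packet arriving on RED with a source from the GREEN 192.168.1.0/24 network is not caught by it; <Option name="loopback_interface">lo0</Option> does not match the loopback interface actually defined as name="lo" (lo0 is the BSD name); <Option name="activationCmd">/etc/rc.d/rc.firewall</Option> is given without an argument while the multi-line activation option carries sudo and shutdown based commands in which the "chmod +x %FWDIR%/%FWSCRIPT%; sudo -S ..." line and the "sh %FWDIR%/%FWSCRIPT%; ps ax|awk ..." line each appear twice, which looks like boilerplate inherited from another platform rather than what the ipcop driver runs; admUser "admin" together with sudo -S should be checked against the accounts that actually exist on these appliances; and <Option name="accept_new_tcp_with_no_syn">True</Option> accepts mid-stream TCP without a SYN, which is convenient across restarts but weakens stateful filtering as a default for a shipped template.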