<?xml version="1.0" encoding="utf-8"?>
|
|
<!-- The document type is bound to an external DTD via a relative SYSTEM id
     ("fwbuilder.dtd"); how and from where it is resolved is decided by the
     consuming parser, not by this file. NOTE(review): presumably only
     fwbuilder's own loader reads this; any consumer that also accepts object
     databases from outside sources should resolve the DTD from its bundled
     copy (catalog or fixed path) and keep external entity resolution off,
     rather than fetching whatever system id an inbound document names. -->
<!DOCTYPE FWObjectDatabase SYSTEM "fwbuilder.dtd">
|
|
<FWObjectDatabase xmlns="http://www.fwbuilder.org/1.0/" version="22" lastModified="1322706224" id="root">
|
|
<Library id="syslib000" color="#d4f8ff" name="Standard" comment="Standard objects" ro="True">
|
|
<AnyNetwork id="sysid0" name="Any" comment="Any Network" ro="False" address="0.0.0.0" netmask="0.0.0.0"/>
|
|
<AnyIPService id="sysid1" protocol_num="0" name="Any" comment="Any IP Service" ro="False"/>
|
|
<AnyInterval id="sysid2" days_of_week="0,1,2,3,4,5,6" from_day="-1" from_hour="-1" from_minute="-1" from_month="-1" from_weekday="-1" from_year="-1" to_day="-1" to_hour="-1" to_minute="-1" to_month="-1" to_weekday="-1" to_year="-1" name="Any" comment="Any Interval" ro="False"/>
|
|
<ObjectGroup id="stdid01" name="Objects" comment="" ro="False">
|
|
<ObjectGroup id="stdid16" name="Addresses" comment="" ro="False">
|
|
<IPv4 id="id2001X88798" name="all-hosts" comment="" ro="False" address="224.0.0.1" netmask="0.0.0.0"/>
|
|
<IPv4 id="id2002X88798" name="all-routers" comment="" ro="False" address="224.0.0.2" netmask="0.0.0.0"/>
|
|
<IPv4 id="id2003X88798" name="all DVMRP" comment="" ro="False" address="224.0.0.4" netmask="0.0.0.0"/>
|
|
<IPv4 id="id2117X88798" name="OSPF (all routers)" comment="RFC2328" ro="False" address="224.0.0.5" netmask="0.0.0.0"/>
|
|
<IPv4 id="id2128X88798" name="OSPF (designated routers)" comment="RFC2328" ro="False" address="224.0.0.6" netmask="0.0.0.0"/>
|
|
<IPv4 id="id2430X88798" name="RIP" comment="RFC1723" ro="False" address="224.0.0.9" netmask="0.0.0.0"/>
|
|
<IPv4 id="id2439X88798" name="EIGRP" comment="" ro="False" address="224.0.0.10" netmask="0.0.0.0"/>
|
|
<IPv4 id="id2446X88798" name="DHCP server, relay agent" comment="RFC 1884" ro="False" address="224.0.0.12" netmask="0.0.0.0"/>
|
|
<IPv4 id="id2455X88798" name="PIM" comment="" ro="False" address="224.0.0.13" netmask="0.0.0.0"/>
|
|
<IPv4 id="id2462X88798" name="RSVP" comment="" ro="False" address="224.0.0.14" netmask="0.0.0.0"/>
|
|
<IPv4 id="id2469X88798" name="VRRP" comment="RFC3768" ro="False" address="224.0.0.18" netmask="0.0.0.0"/>
|
|
<IPv4 id="id2777X88798" name="IGMP" comment="" ro="False" address="224.0.0.22" netmask="0.0.0.0"/>
|
|
<IPv4 id="id2784X88798" name="OSPFIGP-TE" comment="RFC4973" ro="False" address="224.0.0.24" netmask="0.0.0.0"/>
|
|
<IPv4 id="id3094X88798" name="HSRP" comment="" ro="False" address="224.0.0.102" netmask="0.0.0.0"/>
|
|
<IPv4 id="id3403X88798" name="mDNS" comment="" ro="False" address="224.0.0.251" netmask="0.0.0.0"/>
|
|
<IPv4 id="id3410X88798" name="LLMNR" comment="Link-Local Multicast Name Resolution, RFC4795" ro="False" address="224.0.0.252" netmask="0.0.0.0"/>
|
|
<IPv4 id="id3411X88798" name="Teredo" comment="" ro="False" address="224.0.0.253" netmask="0.0.0.0"/>
|
|
</ObjectGroup>
|
|
<ObjectGroup id="stdid17" name="DNS Names" comment="" ro="False"/>
|
|
<ObjectGroup id="stdid18" name="Address Tables" comment="" ro="False"/>
|
|
<ObjectGroup id="stdid04" name="Groups" comment="" ro="False">
|
|
<ObjectGroup id="id3DC75CE8" name="rfc1918-nets" comment="" ro="False">
|
|
<ObjectRef ref="id3DC75CE5"/>
|
|
<ObjectRef ref="id3DC75CE6"/>
|
|
<ObjectRef ref="id3DC75CE7"/>
|
|
</ObjectGroup>
|
|
<ObjectGroup id="id3292X75851" name="ipv6 private" comment="These are various ipv6 networks that should not be routed on the Internet " ro="False">
|
|
<ObjectRef ref="id2088X75851"/>
|
|
<ObjectRef ref="id2986X75851"/>
|
|
<ObjectRef ref="id2383X75851"/>
|
|
</ObjectGroup>
|
|
</ObjectGroup>
|
|
<ObjectGroup id="stdid02" name="Hosts" comment="" ro="False">
|
|
<Host id="id3D84EECE" name="internal server" comment="This host is used in examples and template objects" ro="False">
|
|
<Interface id="id3D84EED2" dedicated_failover="False" dyn="False" security_level="0" unnum="False" unprotected="False" name="eth0" comment="" ro="False">
|
|
<IPv4 id="id3D84EED3" name="ip" comment="" ro="False" address="192.168.1.10" netmask="255.255.255.0"/>
|
|
<InterfaceOptions/>
|
|
</Interface>
|
|
<Management address="192.168.1.10">
|
|
<SNMPManagement enabled="False" snmp_read_community="" snmp_write_community=""/>
|
|
<FWBDManagement enabled="False" identity="" port="-1"/>
|
|
<PolicyInstallScript arguments="" command="" enabled="False"/>
|
|
</Management>
|
|
<HostOptions>
|
|
<Option name="snmp_contact"></Option>
|
|
<Option name="snmp_description"></Option>
|
|
<Option name="snmp_location"></Option>
|
|
<!-- NOTE(review): boolean spelled lowercase ("false") here while the sibling
     use_mac_addr_filter option uses "False"; confirm the loader accepts both
     spellings as false, otherwise one of the two is silently misread. -->
<Option name="use_mac_addr">false</Option>
|
|
<Option name="use_mac_addr_filter">False</Option>
|
|
</HostOptions>
|
|
</Host>
|
|
<Host id="id3D84EECF" name="server on dmz" comment="This host is used in examples and template objects" ro="False">
|
|
<Interface id="id3D84EEE3" dedicated_failover="False" dyn="False" security_level="0" unnum="False" unprotected="False" name="eth0" comment="" ro="False">
|
|
<IPv4 id="id3D84EEE4" name="ip" comment="" ro="False" address="192.168.2.10" netmask="255.255.255.0"/>
|
|
<InterfaceOptions/>
|
|
</Interface>
|
|
<Management address="192.168.2.10">
|
|
<SNMPManagement enabled="False" snmp_read_community="" snmp_write_community=""/>
|
|
<FWBDManagement enabled="False" identity="" port="-1"/>
|
|
<PolicyInstallScript arguments="" command="" enabled="False"/>
|
|
</Management>
|
|
<HostOptions>
|
|
<Option name="snmp_contact"></Option>
|
|
<Option name="snmp_description"></Option>
|
|
<Option name="snmp_location"></Option>
|
|
<Option name="use_mac_addr">false</Option>
|
|
<Option name="use_mac_addr_filter">False</Option>
|
|
</HostOptions>
|
|
</Host>
|
|
</ObjectGroup>
|
|
<ObjectGroup id="stdid03" name="Networks" comment="" ro="False">
|
|
<Network id="id3DC75CEC" name="all multicasts" comment="224.0.0.0/4 - This block, formerly known as the Class D address space, is allocated for use in IPv4 multicast address assignments. The IANA guidelines for assignments from this space are described in [RFC3171]. " ro="False" address="224.0.0.0" netmask="240.0.0.0"/>
|
|
<Network id="id3F4ECE3E" name="link-local" comment="169.254.0.0/16 - This is the &quot;link local&quot; block. It is allocated for communication between hosts on a single link. Hosts obtain these addresses by auto-configuration, such as when a DHCP server may not be found. " ro="False" address="169.254.0.0" netmask="255.255.0.0"/>
|
|
<Network id="id3F4ECE3D" name="loopback-net" comment="127.0.0.0/8 - This block is assigned for use as the Internet host loopback address. A datagram sent by a higher level protocol to an address anywhere within this block should loop back inside the host. This is ordinarily implemented using only 127.0.0.1/32 for loopback, but no addresses within this block should ever appear on any network anywhere [RFC1700, page 5]. " ro="False" address="127.0.0.0" netmask="255.0.0.0"/>
|
|
<Network id="id3DC75CE5" name="net-10.0.0.0" comment="10.0.0.0/8 - This block is set aside for use in private networks. Its intended use is documented in [RFC1918]. Addresses within this block should not appear on the public Internet." ro="False" address="10.0.0.0" netmask="255.0.0.0"/>
|
|
<Network id="id3DC75CE7" name="net-172.16.0.0" comment="172.16.0.0/12 - This block is set aside for use in private networks. Its intended use is documented in [RFC1918]. Addresses within this block should not appear on the public Internet. " ro="False" address="172.16.0.0" netmask="255.240.0.0"/>
|
|
<Network id="id3DC75CE6" name="net-192.168.0.0" comment="192.168.0.0/16 - This block is set aside for use in private networks. Its intended use is documented in [RFC1918]. Addresses within this block should not appear on the public Internet. " ro="False" address="192.168.0.0" netmask="255.255.0.0"/>
|
|
<Network id="id3F4ECE3F" name="test-net" comment="192.0.2.0/24 - This block is assigned as &quot;TEST-NET&quot; for use in documentation and example code. It is often used in conjunction with domain names example.com or example.net in vendor and protocol documentation. Addresses within this block should not appear on the public Internet. " ro="False" address="192.0.2.0" netmask="255.255.255.0"/>
|
|
<Network id="id3F4ECE40" name="this-net" comment="0.0.0.0/8 - Addresses in this block refer to source hosts on &quot;this&quot; network. Address 0.0.0.0/32 may be used as a source address for this host on this network; other addresses within 0.0.0.0/8 may be used to refer to specified hosts on this network [RFC1700, page 4]." ro="False" address="0.0.0.0" netmask="255.0.0.0"/>
|
|
<Network id="id3DC75CE7-1" name="net-192.168.1.0" comment="192.168.1.0/24 - Address often used for home and small office networks. " ro="False" address="192.168.1.0" netmask="255.255.255.0"/>
|
|
<Network id="id3DC75CE7-2" name="net-192.168.2.0" comment="192.168.2.0/24 - Address often used for home and small office networks. " ro="False" address="192.168.2.0" netmask="255.255.255.0"/>
|
|
<NetworkIPv6 id="id2088X75851" name="documentation net" comment="RFC3849" ro="False" address="2001:db8::" netmask="32"/>
|
|
<NetworkIPv6 id="id2383X75851" name="link-local ipv6" comment="RFC4291 Link-local unicast net" ro="False" address="fe80::" netmask="10"/>
|
|
<NetworkIPv6 id="id2685X75851" name="multicast ipv6" comment="RFC4291 ipv6 multicast addresses" ro="False" address="ff00::" netmask="8"/>
|
|
<NetworkIPv6 id="id2986X75851" name="experimental ipv6" comment="RFC2928, RFC4773 &quot;The block of Sub-TLA IDs assigned to the IANA (i.e., 2001:0000::/29 - 2001:01F8::/29) is for assignment for testing and experimental usage to support activities such as the 6bone, and for new approaches like exchanges.&quot; [RFC2928] " ro="False" address="2001::" netmask="23"/>
|
|
<Network id="id3289X12564" name="TEST-NET-2" comment="RFC 5735 RFC 5737 " ro="False" address="198.51.100.0" netmask="255.255.255.0"/>
|
|
<Network id="id3300X12564" name="TEST-NET-3" comment="RFC 5735 RFC 5737" ro="False" address="203.0.113.0" netmask="255.255.255.0"/>
|
|
<Network id="id3311X12564" name="Benchmark tests network" comment="RFC 5735" ro="False" address="198.18.0.0" netmask="255.254.0.0"/>
|
|
<NetworkIPv6 id="id3326X12564" name="mapped-ipv4" comment="" ro="False" address="::ffff:0.0.0.0" netmask="96"/>
|
|
<NetworkIPv6 id="id3341X12564" name="translated-ipv4" comment="" ro="False" address="::ffff:0:0:0" netmask="96"/>
|
|
<NetworkIPv6 id="id3350X12564" name="Teredo" comment="" ro="False" address="2001::" netmask="32"/>
|
|
<NetworkIPv6 id="id3359X12564" name="unique-local" comment="" ro="False" address="fc00::" netmask="7"/>
|
|
</ObjectGroup>
|
|
<ObjectGroup id="stdid15" name="Address Ranges" comment="" ro="False">
|
|
<AddressRange id="id3F6D115C" name="broadcast" comment="" ro="False" start_address="255.255.255.255" end_address="255.255.255.255"/>
|
|
<AddressRange id="id3F6D115D" name="old-broadcast" comment="" ro="False" start_address="0.0.0.0" end_address="0.0.0.0"/>
|
|
</ObjectGroup>
|
|
</ObjectGroup>
|
|
<ServiceGroup id="stdid05" name="Services" comment="" ro="False">
|
|
<CustomService id="stdid14_1" name="ESTABLISHED" comment="This service matches all packets which are part of network connections established through the firewall, or connections 'related' to those established through the firewall. Term 'established' refers to the state tracking mechanism which exists inside iptables and other stateful firewalls and does not mean any particular combination of packet header options. Packet is considered to correspond to the state 'ESTABLISHED' if it belongs to the network session, for which proper initiation has been seen by the firewall, so its stateful inspection module made appropriate record in the state table. Usually stateful firewalls keep track of network connections using not only tcp protocol, but also udp and sometimes even icmp protocols. 'RELATED' describes packet belonging to a separate network connection, related to the session firewall is keeping track of. One example is FTP command and FTP data sessions." ro="False" protocol="any" address_family="ipv4">
|
|
<CustomServiceCommand platform="Undefined"></CustomServiceCommand>
|
|
<CustomServiceCommand platform="iosacl">established</CustomServiceCommand>
|
|
<CustomServiceCommand platform="ipfilter"></CustomServiceCommand>
|
|
<CustomServiceCommand platform="ipfw">established</CustomServiceCommand>
|
|
<CustomServiceCommand platform="iptables">-m state --state ESTABLISHED,RELATED</CustomServiceCommand>
|
|
<CustomServiceCommand platform="procurve_acl">established</CustomServiceCommand>
|
|
</CustomService>
|
|
<CustomService id="stdid14_2" name="ESTABLISHED ipv6" comment="This service matches all packets which are part of network connections established through the firewall, or connections 'related' to those established through the firewall. Term 'established' refers to the state tracking mechanism which exists inside iptables and other stateful firewalls and does not mean any particular combination of packet header options. Packet is considered to correspond to the state 'ESTABLISHED' if it belongs to the network session, for which proper initiation has been seen by the firewall, so its stateful inspection module made appropriate record in the state table. Usually stateful firewalls keep track of network connections using not only tcp protocol, but also udp and sometimes even icmp protocols. 'RELATED' describes packet belonging to a separate network connection, related to the session firewall is keeping track of. One example is FTP command and FTP data sessions." ro="False" protocol="any" address_family="ipv6">
|
|
<CustomServiceCommand platform="Undefined"></CustomServiceCommand>
|
|
<CustomServiceCommand platform="iosacl">established</CustomServiceCommand>
|
|
<CustomServiceCommand platform="ipfilter"></CustomServiceCommand>
|
|
<CustomServiceCommand platform="ipfw">established</CustomServiceCommand>
|
|
<CustomServiceCommand platform="iptables">-m state --state ESTABLISHED,RELATED</CustomServiceCommand>
|
|
<CustomServiceCommand platform="procurve_acl">established</CustomServiceCommand>
|
|
</CustomService>
|
|
<ServiceGroup id="stdid10" name="Groups" comment="" ro="False">
|
|
<ServiceGroup id="sg-DHCP" name="DHCP" comment="" ro="False">
|
|
<ServiceRef ref="udp-bootpc"/>
|
|
<ServiceRef ref="udp-bootps"/>
|
|
</ServiceGroup>
|
|
<ServiceGroup id="id3F530CC8" name="DNS" comment="" ro="False">
|
|
<ServiceRef ref="udp-DNS"/>
|
|
<ServiceRef ref="tcp-DNS"/>
|
|
</ServiceGroup>
|
|
<ServiceGroup id="id3CB1279B" name="IPSEC" comment="" ro="False">
|
|
<ServiceRef ref="id3CB12797"/>
|
|
<ServiceRef ref="ip-IPSEC"/>
|
|
</ServiceGroup>
|
|
<ServiceGroup id="sg-NETBIOS" name="NETBIOS" comment="" ro="False">
|
|
<ServiceRef ref="udp-netbios-dgm"/>
|
|
<ServiceRef ref="udp-netbios-ns"/>
|
|
<ServiceRef ref="id3E755609"/>
|
|
</ServiceGroup>
|
|
<ServiceGroup id="id3CB131CC" name="PCAnywhere" comment="" ro="False">
|
|
<ServiceRef ref="id3CB131CA"/>
|
|
<ServiceRef ref="id3CB131C8"/>
|
|
</ServiceGroup>
|
|
<ServiceGroup id="sg-Useful_ICMP" name="Useful_ICMP" comment="" ro="False">
|
|
<ServiceRef ref="icmp-Time_exceeded"/>
|
|
<ServiceRef ref="icmp-Time_exceeded_in_transit"/>
|
|
<ServiceRef ref="icmp-ping_reply"/>
|
|
<ServiceRef ref="icmp-Unreachables"/>
|
|
</ServiceGroup>
|
|
<ServiceGroup id="id1569X4889" name="Ipv6 unreachable messages" comment="" ro="False">
|
|
<ServiceRef ref="idE0D27650"/>
|
|
<ServiceRef ref="idCFE27650"/>
|
|
<ServiceRef ref="idE0B27650"/>
|
|
<ServiceRef ref="id1519Z388"/>
|
|
</ServiceGroup>
|
|
<ServiceGroup id="id3B4FEDD9" name="kerberos" comment="" ro="False">
|
|
<ServiceRef ref="id3B4FEDA5"/>
|
|
<ServiceRef ref="id3B4FEDA9"/>
|
|
<ServiceRef ref="id3B4FEDA7"/>
|
|
<ServiceRef ref="id3B4FEDAB"/>
|
|
<ServiceRef ref="id3B4FEDA3"/>
|
|
<ServiceRef ref="id3B4FEE21"/>
|
|
<ServiceRef ref="id3B4FEE23"/>
|
|
<ServiceRef ref="id3E7E3EA2"/>
|
|
</ServiceGroup>
|
|
<ServiceGroup id="id3B4FF35E" name="nfs" comment="" ro="False">
|
|
<ServiceRef ref="id3B4FEE7A"/>
|
|
<ServiceRef ref="id3B4FEE78"/>
|
|
</ServiceGroup>
|
|
<ServiceGroup id="id3B4FEFFA" name="quake" comment="" ro="False">
|
|
<ServiceRef ref="id3B4FEF7C"/>
|
|
<ServiceRef ref="id3B4FEF7E"/>
|
|
</ServiceGroup>
|
|
<ServiceGroup id="id3D703C9A" name="Real Player" comment="" ro="False">
|
|
<ServiceRef ref="id3D703C99"/>
|
|
<ServiceRef ref="id3D703C8B"/>
|
|
</ServiceGroup>
|
|
<ServiceGroup id="id3E7E3E95" name="WinNT" comment="" ro="False">
|
|
<ServiceRef ref="sg-NETBIOS"/>
|
|
<ServiceRef ref="id3DC8C8BB"/>
|
|
<ServiceRef ref="id3E7E3D58"/>
|
|
</ServiceGroup>
|
|
<ServiceGroup id="id3E7E3E9A" name="Win2000" comment="" ro="False">
|
|
<ServiceRef ref="id3E7E3E95"/>
|
|
<ServiceRef ref="udp-DNS"/>
|
|
<ServiceRef ref="id3DC8C8BC"/>
|
|
<ServiceRef ref="id3E7E3EA2"/>
|
|
<ServiceRef ref="id3AECF778"/>
|
|
<ServiceRef ref="id3D703C90"/>
|
|
<ServiceRef ref="id3E7E4039"/>
|
|
<ServiceRef ref="id3E7E403A"/>
|
|
<ServiceRef ref="id3B4FEDA5"/>
|
|
<ServiceRef ref="tcp-DNS"/>
|
|
</ServiceGroup>
|
|
<ServiceGroup id="id41291786" name="UPnP" comment="" ro="False">
|
|
<ServiceRef ref="id41291784"/>
|
|
<ServiceRef ref="id41291785"/>
|
|
<ServiceRef ref="id41291783"/>
|
|
<ServiceRef ref="id412Z18A9"/>
|
|
</ServiceGroup>
|
|
</ServiceGroup>
|
|
<ServiceGroup id="stdid07" name="ICMP" comment="" ro="False">
|
|
<ICMPService id="icmp-Unreachables" code="-1" type="3" name="all ICMP unreachables" comment="" ro="False"/>
|
|
<ICMPService id="id3C20EEB5" code="-1" type="-1" name="any ICMP" comment="" ro="False"/>
|
|
<ICMPService id="icmp-Host_unreach" code="1" type="3" name="host_unreach" comment="" ro="False"/>
|
|
<ICMPService id="icmp-ping_reply" code="0" type="0" name="ping reply" comment="" ro="False"/>
|
|
<ICMPService id="icmp-ping_request" code="0" type="8" name="ping request" comment="" ro="False"/>
|
|
<ICMPService id="icmp-Port_unreach" code="3" type="3" name="port unreach" comment="Port unreachable" ro="False"/>
|
|
<ICMPService id="icmp-Time_exceeded" code="0" type="11" name="time exceeded" comment="ICMP messages of this type are needed for traceroute" ro="False"/>
|
|
<ICMPService id="icmp-Time_exceeded_in_transit" code="1" type="11" name="time exceeded in transit" comment="" ro="False"/>
|
|
<ICMP6Service id="ipv6-icmp-ping_request" code="0" type="128" name="ipv6 ping request" comment="IPv6 ping request" ro="False"/>
|
|
<ICMP6Service id="ipv6-icmp-ping_reply" code="0" type="129" name="ipv6 ping reply" comment="IPv6 ping reply" ro="False"/>
|
|
<ICMP6Service id="ipv6-icmp-routersol" code="0" type="133" name="ipv6 routersol" comment="IPv6 router solicitation" ro="False"/>
|
|
<ICMP6Service id="ipv6-icmp-routeradv" code="0" type="134" name="ipv6 routeradv" comment="IPv6 router advertisement" ro="False"/>
|
|
<ICMP6Service id="ipv6-icmp-neighbrsol" code="0" type="135" name="ipv6 neighbrsol" comment="IPv6 neighbor solicitation" ro="False"/>
|
|
<ICMP6Service id="ipv6-icmp-neighbradv" code="0" type="136" name="ipv6 neighbradv" comment="IPv6 neighbor advertisement" ro="False"/>
|
|
<ICMP6Service id="ipv6-icmp-redir" code="0" type="137" name="ipv6 redir" comment="IPv6 redirect: shorter route exists" ro="False"/>
|
|
<ICMP6Service id="id1519Z388" code="-1" type="4" name="ipv6 parameter problem" comment="IPv6 Parameter Problem: RFC4443" ro="False"/>
|
|
<ICMP6Service id="idCFE27650" code="0" type="3" name="ipv6 time exceeded" comment="Time exceeded in transit" ro="False"/>
|
|
<ICMP6Service id="idCFF27650" code="1" type="3" name="ipv6 time exceeded in reassembly" comment="Time exceeded in reassembly" ro="False"/>
|
|
<ICMP6Service id="idE0B27650" code="-1" type="2" name="ipv6 packet too big" comment="" ro="False"/>
|
|
<ICMP6Service id="idE0D27650" code="-1" type="1" name="ipv6 all dest unreachable" comment="All icmpv6 codes for type &quot;destination unreachable&quot; " ro="False"/>
|
|
<ICMP6Service id="idCFE27660" code="-1" type="-1" name="ipv6 any ICMP6" comment="any ICMPv6" ro="False"/>
|
|
</ServiceGroup>
|
|
<ServiceGroup id="stdid06" name="IP" comment="" ro="False">
|
|
<IPService id="id3CB12797" fragm="False" lsrr="False" protocol_num="51" rr="False" short_fragm="False" ssrr="False" ts="False" name="AH" comment="IPSEC Authentication Header Protocol" ro="False"/>
|
|
<IPService id="ip-IPSEC" fragm="False" lsrr="False" protocol_num="50" rr="False" short_fragm="False" ssrr="False" ts="False" name="ESP" comment="IPSEC Encapsulating Security Payload Protocol" ro="False"/>
|
|
<IPService id="ip-RR" fragm="False" lsrr="False" protocol_num="0" rr="True" short_fragm="False" ssrr="False" ts="False" name="RR" comment="Route recording packets" ro="False"/>
|
|
<IPService id="ip-SRR" fragm="False" lsrr="True" protocol_num="0" rr="False" short_fragm="False" ssrr="True" ts="False" name="SRR" comment="All sorts of Source Routing Packets" ro="False"/>
|
|
<IPService id="ip-IP_Fragments" fragm="False" lsrr="False" protocol_num="0" rr="False" short_fragm="True" ssrr="False" ts="False" name="ip_fragments" comment="'Short' fragments" ro="False"/>
|
|
<IPService id="id3D703C8E" fragm="False" lsrr="False" protocol_num="57" rr="False" short_fragm="False" ssrr="False" ts="False" name="SKIP" comment="IPSEC Simple Key Management for Internet Protocols" ro="False"/>
|
|
<IPService id="id3D703C8F" fragm="False" lsrr="False" protocol_num="47" rr="False" short_fragm="False" ssrr="False" ts="False" name="GRE" comment="Generic Routing Encapsulation " ro="False"/>
|
|
<IPService id="id3D703C95" fragm="False" lsrr="False" protocol_num="112" rr="False" short_fragm="False" ssrr="False" ts="False" name="vrrp" comment="Virtual Router Redundancy Protocol" ro="False"/>
|
|
<IPService id="ip-IGMP" fragm="False" lsrr="False" protocol_num="2" rr="False" rtralt="True" rtralt_value="0" short_fragm="False" ssrr="False" ts="False" name="IGMP" comment="Internet Group Management Protocol, Version 3, RFC 3376" ro="False"/>
|
|
<IPService id="ip-PIM" fragm="False" lsrr="False" protocol_num="103" rr="False" rtralt="False" rtralt_value="0" short_fragm="False" ssrr="False" ts="False" name="PIM" comment="Protocol Independent Multicast - Dense Mode (PIM-DM), RFC 3973, or Protocol Independent Multicast-Sparse Mode (PIM-SM) RFC 2362" ro="False"/>
|
|
</ServiceGroup>
|
|
<ServiceGroup id="stdid09" name="TCP" comment="" ro="False">
|
|
<TCPService id="tcp-ALL_TCP_Masqueraded" ack_flag="False" ack_flag_mask="False" fin_flag="False" fin_flag_mask="False" psh_flag="False" psh_flag_mask="False" rst_flag="False" rst_flag_mask="False" syn_flag="False" syn_flag_mask="False" urg_flag="False" urg_flag_mask="False" name="ALL TCP Masqueraded" comment="ipchains used to use this range of port numbers for masquerading. " ro="False" src_range_start="61000" src_range_end="65095" dst_range_start="0" dst_range_end="0"/>
|
|
<TCPService id="id3D703C94" ack_flag="False" ack_flag_mask="False" fin_flag="False" fin_flag_mask="False" psh_flag="False" psh_flag_mask="False" rst_flag="False" rst_flag_mask="False" syn_flag="False" syn_flag_mask="False" urg_flag="False" urg_flag_mask="False" name="AOL" comment="" ro="False" src_range_start="0" src_range_end="0" dst_range_start="5190" dst_range_end="5190"/>
|
|
<TCPService id="tcp-All_TCP" ack_flag="False" ack_flag_mask="False" fin_flag="False" fin_flag_mask="False" psh_flag="False" psh_flag_mask="False" rst_flag="False" rst_flag_mask="False" syn_flag="False" syn_flag_mask="False" urg_flag="False" urg_flag_mask="False" name="All TCP" comment="" ro="False" src_range_start="0" src_range_end="0" dst_range_start="0" dst_range_end="0"/>
|
|
<TCPService id="id3CB131C4" ack_flag="False" ack_flag_mask="False" fin_flag="False" fin_flag_mask="False" psh_flag="False" psh_flag_mask="False" rst_flag="False" rst_flag_mask="False" syn_flag="False" syn_flag_mask="False" urg_flag="False" urg_flag_mask="False" name="Citrix-ICA" comment="" ro="False" src_range_start="0" src_range_end="0" dst_range_start="1494" dst_range_end="1494"/>
|
|
<TCPService id="id3D703C91" ack_flag="False" ack_flag_mask="False" fin_flag="False" fin_flag_mask="False" psh_flag="False" psh_flag_mask="False" rst_flag="False" rst_flag_mask="False" syn_flag="False" syn_flag_mask="False" urg_flag="False" urg_flag_mask="False" name="Entrust-Admin" comment="Entrust CA Administration Service" ro="False" src_range_start="0" src_range_end="0" dst_range_start="709" dst_range_end="709"/>
|
|
<TCPService id="id3D703C92" ack_flag="False" ack_flag_mask="False" fin_flag="False" fin_flag_mask="False" psh_flag="False" psh_flag_mask="False" rst_flag="False" rst_flag_mask="False" syn_flag="False" syn_flag_mask="False" urg_flag="False" urg_flag_mask="False" name="Entrust-KeyMgmt" comment="Entrust CA Key Management Service" ro="False" src_range_start="0" src_range_end="0" dst_range_start="710" dst_range_end="710"/>
|
|
<TCPService id="id3AEDBEAC" ack_flag="False" ack_flag_mask="False" fin_flag="False" fin_flag_mask="False" psh_flag="False" psh_flag_mask="False" rst_flag="False" rst_flag_mask="False" syn_flag="False" syn_flag_mask="False" urg_flag="False" urg_flag_mask="False" name="H323" comment="" ro="False" src_range_start="0" src_range_end="0" dst_range_start="1720" dst_range_end="1720"/>
|
|
<TCPService id="id412Z18A9" ack_flag="False" ack_flag_mask="False" fin_flag="False" fin_flag_mask="False" psh_flag="False" psh_flag_mask="False" rst_flag="False" rst_flag_mask="False" syn_flag="False" syn_flag_mask="False" urg_flag="False" urg_flag_mask="False" name="icslap" comment="Sometimes this protocol is called icslap, but Microsoft does not call it that and just says that DSPP uses port 2869 in Windows XP SP2" ro="False" src_range_start="0" src_range_end="0" dst_range_start="2869" dst_range_end="2869"/>
|
|
<TCPService id="id3E7E4039" ack_flag="False" ack_flag_mask="False" fin_flag="False" fin_flag_mask="False" psh_flag="False" psh_flag_mask="False" rst_flag="False" rst_flag_mask="False" syn_flag="False" syn_flag_mask="False" urg_flag="False" urg_flag_mask="False" name="LDAP GC" comment="" ro="False" src_range_start="0" src_range_end="0" dst_range_start="3268" dst_range_end="3268"/>
|
|
<TCPService id="id3E7E403A" ack_flag="False" ack_flag_mask="False" fin_flag="False" fin_flag_mask="False" psh_flag="False" psh_flag_mask="False" rst_flag="False" rst_flag_mask="False" syn_flag="False" syn_flag_mask="False" urg_flag="False" urg_flag_mask="False" name="LDAP GC SSL" comment="" ro="False" src_range_start="0" src_range_end="0" dst_range_start="3269" dst_range_end="3269"/>
|
|
<TCPService id="id3D703C83" ack_flag="False" ack_flag_mask="False" fin_flag="False" fin_flag_mask="False" psh_flag="False" psh_flag_mask="False" rst_flag="False" rst_flag_mask="False" syn_flag="False" syn_flag_mask="False" urg_flag="False" urg_flag_mask="False" name="OpenWindows" comment="Open Windows" ro="False" src_range_start="0" src_range_end="0" dst_range_start="2000" dst_range_end="2000"/>
|
|
<TCPService id="id3CB131C8" ack_flag="False" ack_flag_mask="False" fin_flag="False" fin_flag_mask="False" psh_flag="False" psh_flag_mask="False" rst_flag="False" rst_flag_mask="False" syn_flag="False" syn_flag_mask="False" urg_flag="False" urg_flag_mask="False" name="PCAnywhere-data" comment="data channel for PCAnywhere v7.52 and later " ro="False" src_range_start="0" src_range_end="0" dst_range_start="5631" dst_range_end="5631"/>
|
|
<TCPService id="id3D703C8B" ack_flag="False" ack_flag_mask="False" fin_flag="False" fin_flag_mask="False" psh_flag="False" psh_flag_mask="False" rst_flag="False" rst_flag_mask="False" syn_flag="False" syn_flag_mask="False" urg_flag="False" urg_flag_mask="False" name="Real-Audio" comment="RealNetworks PNA Protocol" ro="False" src_range_start="0" src_range_end="0" dst_range_start="7070" dst_range_end="7070"/>
|
|
<TCPService id="id3D703C93" ack_flag="False" ack_flag_mask="False" fin_flag="False" fin_flag_mask="False" psh_flag="False" psh_flag_mask="False" rst_flag="False" rst_flag_mask="False" syn_flag="False" syn_flag_mask="False" urg_flag="False" urg_flag_mask="False" name="RealSecure" comment="" ro="False" src_range_start="0" src_range_end="0" dst_range_start="2998" dst_range_end="2998"/>
|
|
<TCPService id="id3DC8C8BC" ack_flag="False" ack_flag_mask="False" fin_flag="False" fin_flag_mask="False" psh_flag="False" psh_flag_mask="False" rst_flag="False" rst_flag_mask="False" syn_flag="False" syn_flag_mask="False" urg_flag="False" urg_flag_mask="False" name="SMB" comment="SMB over TCP (without NETBIOS) " ro="False" src_range_start="0" src_range_end="0" dst_range_start="445" dst_range_end="445"/>
|
|
<TCPService id="id3D703C8D" ack_flag="False" ack_flag_mask="False" fin_flag="False" fin_flag_mask="False" psh_flag="False" psh_flag_mask="False" rst_flag="False" rst_flag_mask="False" syn_flag="False" syn_flag_mask="False" urg_flag="False" urg_flag_mask="False" name="TACACSplus" comment="" ro="False" src_range_start="0" src_range_end="0" dst_range_start="49" dst_range_end="49"/>
|
|
<TCPService id="id3D703C84" ack_flag="False" ack_flag_mask="False" fin_flag="False" fin_flag_mask="False" psh_flag="False" psh_flag_mask="False" rst_flag="False" rst_flag_mask="False" syn_flag="False" syn_flag_mask="False" urg_flag="False" urg_flag_mask="False" name="TCP high ports" comment="TCP high ports" ro="False" src_range_start="0" src_range_end="0" dst_range_start="1024" dst_range_end="65535"/>
|
|
<TCPService id="id3E7E3D58" ack_flag="False" ack_flag_mask="False" fin_flag="False" fin_flag_mask="False" psh_flag="False" psh_flag_mask="False" rst_flag="False" rst_flag_mask="False" syn_flag="False" syn_flag_mask="False" urg_flag="False" urg_flag_mask="False" name="WINS replication" comment="" ro="False" src_range_start="0" src_range_end="0" dst_range_start="42" dst_range_end="42"/>
|
|
<TCPService id="id3D703C82" ack_flag="False" ack_flag_mask="False" fin_flag="False" fin_flag_mask="False" psh_flag="False" psh_flag_mask="False" rst_flag="False" rst_flag_mask="False" syn_flag="False" syn_flag_mask="False" urg_flag="False" urg_flag_mask="False" name="X11" comment="X Window System" ro="False" src_range_start="0" src_range_end="0" dst_range_start="6000" dst_range_end="6063"/>
|
|
<TCPService id="tcp-Auth" ack_flag="False" ack_flag_mask="False" fin_flag="False" fin_flag_mask="False" psh_flag="False" psh_flag_mask="False" rst_flag="False" rst_flag_mask="False" syn_flag="False" syn_flag_mask="False" urg_flag="False" urg_flag_mask="False" name="auth" comment="" ro="False" src_range_start="0" src_range_end="0" dst_range_start="113" dst_range_end="113"/>
|
|
<TCPService id="id3AEDBE6E" ack_flag="False" ack_flag_mask="False" fin_flag="False" fin_flag_mask="False" psh_flag="False" psh_flag_mask="False" rst_flag="False" rst_flag_mask="False" syn_flag="False" syn_flag_mask="False" urg_flag="False" urg_flag_mask="False" name="daytime" comment="" ro="False" src_range_start="0" src_range_end="0" dst_range_start="13" dst_range_end="13"/>
|
|
<TCPService id="tcp-DNS" ack_flag="False" ack_flag_mask="False" fin_flag="False" fin_flag_mask="False" psh_flag="False" psh_flag_mask="False" rst_flag="False" rst_flag_mask="False" syn_flag="False" syn_flag_mask="False" urg_flag="False" urg_flag_mask="False" name="domain" comment="" ro="False" src_range_start="0" src_range_end="0" dst_range_start="53" dst_range_end="53"/>
|
|
<TCPService id="id3B4FEDA3" ack_flag="False" ack_flag_mask="False" fin_flag="False" fin_flag_mask="False" psh_flag="False" psh_flag_mask="False" rst_flag="False" rst_flag_mask="False" syn_flag="False" syn_flag_mask="False" urg_flag="False" urg_flag_mask="False" name="eklogin" comment="" ro="False" src_range_start="0" src_range_end="0" dst_range_start="2105" dst_range_end="2105"/>
|
|
<TCPService id="id3AECF774" ack_flag="False" ack_flag_mask="False" fin_flag="False" fin_flag_mask="False" psh_flag="False" psh_flag_mask="False" rst_flag="False" rst_flag_mask="False" syn_flag="False" syn_flag_mask="False" urg_flag="False" urg_flag_mask="False" name="finger" comment="" ro="False" src_range_start="0" src_range_end="0" dst_range_start="79" dst_range_end="79"/>
|
|
<TCPService id="tcp-FTP" ack_flag="False" ack_flag_mask="False" fin_flag="False" fin_flag_mask="False" psh_flag="False" psh_flag_mask="False" rst_flag="False" rst_flag_mask="False" syn_flag="False" syn_flag_mask="False" urg_flag="False" urg_flag_mask="False" name="ftp" comment="" ro="False" src_range_start="0" src_range_end="0" dst_range_start="21" dst_range_end="21"/>
|
|
<TCPService id="tcp-FTP_data" ack_flag="False" ack_flag_mask="False" fin_flag="False" fin_flag_mask="False" psh_flag="False" psh_flag_mask="False" rst_flag="False" rst_flag_mask="False" syn_flag="False" syn_flag_mask="False" urg_flag="False" urg_flag_mask="False" name="ftp data" comment="FTP data channel (active mode): the server opens the connection from source port 20 to a high port on the client. Note: FTP protocol does not really require server to use source port 20 for the data channel, but many ftp server implementations do so. Caution: a rule built on this object matches any packet whose source port is 20, so any host that can choose its source port can reach every port above 1023 behind such a rule. Restrict the destination to the actual FTP clients and prefer the connection-tracking FTP helper of the target platform where one is available." ro="False" src_range_start="20" src_range_end="20" dst_range_start="1024" dst_range_end="65535"/>
|
|
<TCPService id="id3E7553BC" ack_flag="False" ack_flag_mask="False" fin_flag="False" fin_flag_mask="False" psh_flag="False" psh_flag_mask="False" rst_flag="False" rst_flag_mask="False" syn_flag="False" syn_flag_mask="False" urg_flag="False" urg_flag_mask="False" name="ftp data passive" comment="FTP data channel for passive mode transfers. Note: in passive mode the server chooses the data port (normally an ephemeral port announced in the PASV reply), so this object, which matches destination port 20 only, covers just servers explicitly configured to accept data connections on port 20. For general passive-mode support use the connection-tracking FTP helper of the target platform rather than a static port rule." ro="False" src_range_start="0" src_range_end="0" dst_range_start="20" dst_range_end="20"/>
|
|
<TCPService id="tcp-HTTP" ack_flag="False" ack_flag_mask="False" fin_flag="False" fin_flag_mask="False" psh_flag="False" psh_flag_mask="False" rst_flag="False" rst_flag_mask="False" syn_flag="False" syn_flag_mask="False" urg_flag="False" urg_flag_mask="False" name="http" comment="" ro="False" src_range_start="0" src_range_end="0" dst_range_start="80" dst_range_end="80"/>
|
|
<TCPService id="id3B4FED69" ack_flag="False" ack_flag_mask="False" fin_flag="False" fin_flag_mask="False" psh_flag="False" psh_flag_mask="False" rst_flag="False" rst_flag_mask="False" syn_flag="False" syn_flag_mask="False" urg_flag="False" urg_flag_mask="False" name="https" comment="" ro="False" src_range_start="0" src_range_end="0" dst_range_start="443" dst_range_end="443"/>
|
|
<TCPService id="id3AECF776" ack_flag="False" ack_flag_mask="False" fin_flag="False" fin_flag_mask="False" psh_flag="False" psh_flag_mask="False" rst_flag="False" rst_flag_mask="False" syn_flag="False" syn_flag_mask="False" urg_flag="False" urg_flag_mask="False" name="imap" comment="" ro="False" src_range_start="0" src_range_end="0" dst_range_start="143" dst_range_end="143"/>
|
|
<TCPService id="id3B4FED9F" ack_flag="False" ack_flag_mask="False" fin_flag="False" fin_flag_mask="False" psh_flag="False" psh_flag_mask="False" rst_flag="False" rst_flag_mask="False" syn_flag="False" syn_flag_mask="False" urg_flag="False" urg_flag_mask="False" name="imaps" comment="" ro="False" src_range_start="0" src_range_end="0" dst_range_start="993" dst_range_end="993"/>
|
|
<TCPService id="id3B4FF13C" ack_flag="False" ack_flag_mask="False" fin_flag="False" fin_flag_mask="False" psh_flag="False" psh_flag_mask="False" rst_flag="False" rst_flag_mask="False" syn_flag="False" syn_flag_mask="False" urg_flag="False" urg_flag_mask="False" name="irc" comment="" ro="False" src_range_start="0" src_range_end="0" dst_range_start="6667" dst_range_end="6667"/>
|
|
<TCPService id="id3E7E3EA2" ack_flag="False" ack_flag_mask="False" fin_flag="False" fin_flag_mask="False" psh_flag="False" psh_flag_mask="False" rst_flag="False" rst_flag_mask="False" syn_flag="False" syn_flag_mask="False" urg_flag="False" urg_flag_mask="False" name="kerberos" comment="" ro="False" src_range_start="0" src_range_end="0" dst_range_start="88" dst_range_end="88"/>
|
|
<TCPService id="id3B4FEE21" ack_flag="False" ack_flag_mask="False" fin_flag="False" fin_flag_mask="False" psh_flag="False" psh_flag_mask="False" rst_flag="False" rst_flag_mask="False" syn_flag="False" syn_flag_mask="False" urg_flag="False" urg_flag_mask="False" name="klogin" comment="" ro="False" src_range_start="0" src_range_end="0" dst_range_start="543" dst_range_end="543"/>
|
|
<TCPService id="id3B4FEE23" ack_flag="False" ack_flag_mask="False" fin_flag="False" fin_flag_mask="False" psh_flag="False" psh_flag_mask="False" rst_flag="False" rst_flag_mask="False" syn_flag="False" syn_flag_mask="False" urg_flag="False" urg_flag_mask="False" name="ksh" comment="" ro="False" src_range_start="0" src_range_end="0" dst_range_start="544" dst_range_end="544"/>
|
|
<TCPService id="id3AECF778" ack_flag="False" ack_flag_mask="False" fin_flag="False" fin_flag_mask="False" psh_flag="False" psh_flag_mask="False" rst_flag="False" rst_flag_mask="False" syn_flag="False" syn_flag_mask="False" urg_flag="False" urg_flag_mask="False" name="ldap" comment="" ro="False" src_range_start="0" src_range_end="0" dst_range_start="389" dst_range_end="389"/>
|
|
<TCPService id="id3D703C90" ack_flag="False" ack_flag_mask="False" fin_flag="False" fin_flag_mask="False" psh_flag="False" psh_flag_mask="False" rst_flag="False" rst_flag_mask="False" syn_flag="False" syn_flag_mask="False" urg_flag="False" urg_flag_mask="False" name="ldaps" comment="Lightweight Directory Access Protocol over TLS/SSL" ro="False" src_range_start="0" src_range_end="0" dst_range_start="636" dst_range_end="636"/>
|
|
<TCPService id="id3B4FF000" ack_flag="False" ack_flag_mask="False" fin_flag="False" fin_flag_mask="False" psh_flag="False" psh_flag_mask="False" rst_flag="False" rst_flag_mask="False" syn_flag="False" syn_flag_mask="False" urg_flag="False" urg_flag_mask="False" name="linuxconf" comment="" ro="False" src_range_start="0" src_range_end="0" dst_range_start="98" dst_range_end="98"/>
|
|
<TCPService id="id3D703C97" ack_flag="False" ack_flag_mask="False" fin_flag="False" fin_flag_mask="False" psh_flag="False" psh_flag_mask="False" rst_flag="False" rst_flag_mask="False" syn_flag="False" syn_flag_mask="False" urg_flag="False" urg_flag_mask="False" name="lpr" comment="" ro="False" src_range_start="0" src_range_end="0" dst_range_start="515" dst_range_end="515"/>
|
|
<TCPService id="id3DC8C8BB" ack_flag="False" ack_flag_mask="False" fin_flag="False" fin_flag_mask="False" psh_flag="False" psh_flag_mask="False" rst_flag="False" rst_flag_mask="False" syn_flag="False" syn_flag_mask="False" urg_flag="False" urg_flag_mask="False" name="microsoft-rpc" comment="" ro="False" src_range_start="0" src_range_end="0" dst_range_start="135" dst_range_end="135"/>
|
|
<TCPService id="id3D703C98" ack_flag="False" ack_flag_mask="False" fin_flag="False" fin_flag_mask="False" psh_flag="False" psh_flag_mask="False" rst_flag="False" rst_flag_mask="False" syn_flag="False" syn_flag_mask="False" urg_flag="False" urg_flag_mask="False" name="ms-sql" comment="Microsoft SQL Server" ro="False" src_range_start="0" src_range_end="0" dst_range_start="1433" dst_range_end="1433"/>
|
|
<TCPService id="id3B4FEEEE" ack_flag="False" ack_flag_mask="False" fin_flag="False" fin_flag_mask="False" psh_flag="False" psh_flag_mask="False" rst_flag="False" rst_flag_mask="False" syn_flag="False" syn_flag_mask="False" urg_flag="False" urg_flag_mask="False" name="mysql" comment="" ro="False" src_range_start="0" src_range_end="0" dst_range_start="3306" dst_range_end="3306"/>
|
|
<TCPService id="id3E755609" ack_flag="False" ack_flag_mask="False" fin_flag="False" fin_flag_mask="False" psh_flag="False" psh_flag_mask="False" rst_flag="False" rst_flag_mask="False" syn_flag="False" syn_flag_mask="False" urg_flag="False" urg_flag_mask="False" name="netbios-ssn" comment="" ro="False" src_range_start="0" src_range_end="0" dst_range_start="139" dst_range_end="139"/>
|
|
<TCPService id="id3B4FEE7A" ack_flag="False" ack_flag_mask="False" fin_flag="False" fin_flag_mask="False" psh_flag="False" psh_flag_mask="False" rst_flag="False" rst_flag_mask="False" syn_flag="False" syn_flag_mask="False" urg_flag="False" urg_flag_mask="False" name="nfs" comment="" ro="False" src_range_start="0" src_range_end="0" dst_range_start="2049" dst_range_end="2049"/>
|
|
<TCPService id="tcp-NNTP" ack_flag="False" ack_flag_mask="False" fin_flag="False" fin_flag_mask="False" psh_flag="False" psh_flag_mask="False" rst_flag="False" rst_flag_mask="False" syn_flag="False" syn_flag_mask="False" urg_flag="False" urg_flag_mask="False" name="nntp" comment="" ro="False" src_range_start="0" src_range_end="0" dst_range_start="119" dst_range_end="119"/>
|
|
<TCPService id="id3E7553BB" ack_flag="False" ack_flag_mask="False" fin_flag="False" fin_flag_mask="False" psh_flag="False" psh_flag_mask="False" rst_flag="False" rst_flag_mask="False" syn_flag="False" syn_flag_mask="False" urg_flag="False" urg_flag_mask="False" name="nntps" comment="NNTP over SSL" ro="False" src_range_start="0" src_range_end="0" dst_range_start="563" dst_range_end="563"/>
|
|
<TCPService id="id3B4FEE1D" ack_flag="False" ack_flag_mask="False" fin_flag="False" fin_flag_mask="False" psh_flag="False" psh_flag_mask="False" rst_flag="False" rst_flag_mask="False" syn_flag="False" syn_flag_mask="False" urg_flag="False" urg_flag_mask="False" name="pop3" comment="" ro="False" src_range_start="0" src_range_end="0" dst_range_start="110" dst_range_end="110"/>
|
|
<TCPService id="id3E7553BA" ack_flag="False" ack_flag_mask="False" fin_flag="False" fin_flag_mask="False" psh_flag="False" psh_flag_mask="False" rst_flag="False" rst_flag_mask="False" syn_flag="False" syn_flag_mask="False" urg_flag="False" urg_flag_mask="False" name="pop3s" comment="POP-3 over SSL" ro="False" src_range_start="0" src_range_end="0" dst_range_start="995" dst_range_end="995"/>
|
|
<TCPService id="id3B4FF0EA" ack_flag="False" ack_flag_mask="False" fin_flag="False" fin_flag_mask="False" psh_flag="False" psh_flag_mask="False" rst_flag="False" rst_flag_mask="False" syn_flag="False" syn_flag_mask="False" urg_flag="False" urg_flag_mask="False" name="postgres" comment="" ro="False" src_range_start="0" src_range_end="0" dst_range_start="5432" dst_range_end="5432"/>
|
|
<TCPService id="id3AECF782" ack_flag="False" ack_flag_mask="False" fin_flag="False" fin_flag_mask="False" psh_flag="False" psh_flag_mask="False" rst_flag="False" rst_flag_mask="False" syn_flag="False" syn_flag_mask="False" urg_flag="False" urg_flag_mask="False" name="printer" comment="" ro="False" src_range_start="0" src_range_end="0" dst_range_start="515" dst_range_end="515"/>
|
|
<TCPService id="id3B4FEF7C" ack_flag="False" ack_flag_mask="False" fin_flag="False" fin_flag_mask="False" psh_flag="False" psh_flag_mask="False" rst_flag="False" rst_flag_mask="False" syn_flag="False" syn_flag_mask="False" urg_flag="False" urg_flag_mask="False" name="quake" comment="" ro="False" src_range_start="0" src_range_end="0" dst_range_start="26000" dst_range_end="26000"/>
|
|
<TCPService id="id3AECF77A" ack_flag="False" ack_flag_mask="False" fin_flag="False" fin_flag_mask="False" psh_flag="False" psh_flag_mask="False" rst_flag="False" rst_flag_mask="False" syn_flag="False" syn_flag_mask="False" urg_flag="False" urg_flag_mask="False" name="rexec" comment="" ro="False" src_range_start="0" src_range_end="0" dst_range_start="512" dst_range_end="512"/>
|
|
<TCPService id="id3AECF77C" ack_flag="False" ack_flag_mask="False" fin_flag="False" fin_flag_mask="False" psh_flag="False" psh_flag_mask="False" rst_flag="False" rst_flag_mask="False" syn_flag="False" syn_flag_mask="False" urg_flag="False" urg_flag_mask="False" name="rlogin" comment="" ro="False" src_range_start="0" src_range_end="0" dst_range_start="513" dst_range_end="513"/>
|
|
<TCPService id="id3AECF77E" ack_flag="False" ack_flag_mask="False" fin_flag="False" fin_flag_mask="False" psh_flag="False" psh_flag_mask="False" rst_flag="False" rst_flag_mask="False" syn_flag="False" syn_flag_mask="False" urg_flag="False" urg_flag_mask="False" name="rshell" comment="" ro="False" src_range_start="0" src_range_end="0" dst_range_start="514" dst_range_end="514"/>
|
|
<TCPService id="id3D703C99" ack_flag="False" ack_flag_mask="False" fin_flag="False" fin_flag_mask="False" psh_flag="False" psh_flag_mask="False" rst_flag="False" rst_flag_mask="False" syn_flag="False" syn_flag_mask="False" urg_flag="False" urg_flag_mask="False" name="rtsp" comment="Real Time Streaming Protocol" ro="False" src_range_start="0" src_range_end="0" dst_range_start="554" dst_range_end="554"/>
|
|
<TCPService id="id3B4FEF34" ack_flag="False" ack_flag_mask="False" fin_flag="False" fin_flag_mask="False" psh_flag="False" psh_flag_mask="False" rst_flag="False" rst_flag_mask="False" syn_flag="False" syn_flag_mask="False" urg_flag="False" urg_flag_mask="False" name="rwhois" comment="" ro="False" src_range_start="0" src_range_end="0" dst_range_start="4321" dst_range_end="4321"/>
|
|
<TCPService id="id3D703C89" ack_flag="False" ack_flag_mask="False" fin_flag="False" fin_flag_mask="False" psh_flag="False" psh_flag_mask="False" rst_flag="False" rst_flag_mask="False" syn_flag="False" syn_flag_mask="False" urg_flag="False" urg_flag_mask="False" name="securidprop" comment="" ro="False" src_range_start="0" src_range_end="0" dst_range_start="5510" dst_range_end="5510"/>
|
|
<TCPService id="tcp-SMTP" ack_flag="False" ack_flag_mask="False" fin_flag="False" fin_flag_mask="False" psh_flag="False" psh_flag_mask="False" rst_flag="False" rst_flag_mask="False" syn_flag="False" syn_flag_mask="False" urg_flag="False" urg_flag_mask="False" name="smtp" comment="" ro="False" src_range_start="0" src_range_end="0" dst_range_start="25" dst_range_end="25"/>
|
|
<TCPService id="id3B4FF04C" ack_flag="False" ack_flag_mask="False" fin_flag="False" fin_flag_mask="False" psh_flag="False" psh_flag_mask="False" rst_flag="False" rst_flag_mask="False" syn_flag="False" syn_flag_mask="False" urg_flag="False" urg_flag_mask="False" name="smtps" comment="" ro="False" src_range_start="0" src_range_end="0" dst_range_start="465" dst_range_end="465"/>
|
|
<TCPService id="id3B4FEE76" ack_flag="False" ack_flag_mask="False" fin_flag="False" fin_flag_mask="False" psh_flag="False" psh_flag_mask="False" rst_flag="False" rst_flag_mask="False" syn_flag="False" syn_flag_mask="False" urg_flag="False" urg_flag_mask="False" name="socks" comment="" ro="False" src_range_start="0" src_range_end="0" dst_range_start="1080" dst_range_end="1080"/>
|
|
<TCPService id="id3D703C87" ack_flag="False" ack_flag_mask="False" fin_flag="False" fin_flag_mask="False" psh_flag="False" psh_flag_mask="False" rst_flag="False" rst_flag_mask="False" syn_flag="False" syn_flag_mask="False" urg_flag="False" urg_flag_mask="False" name="sqlnet1" comment="" ro="False" src_range_start="0" src_range_end="0" dst_range_start="1521" dst_range_end="1521"/>
|
|
<TCPService id="id3B4FF09A" ack_flag="False" ack_flag_mask="False" fin_flag="False" fin_flag_mask="False" psh_flag="False" psh_flag_mask="False" rst_flag="False" rst_flag_mask="False" syn_flag="False" syn_flag_mask="False" urg_flag="False" urg_flag_mask="False" name="squid" comment="" ro="False" src_range_start="0" src_range_end="0" dst_range_start="3128" dst_range_end="3128"/>
|
|
<TCPService id="tcp-SSH" ack_flag="False" ack_flag_mask="False" fin_flag="False" fin_flag_mask="False" psh_flag="False" psh_flag_mask="False" rst_flag="False" rst_flag_mask="False" syn_flag="False" syn_flag_mask="False" urg_flag="False" urg_flag_mask="False" name="ssh" comment="" ro="False" src_range_start="0" src_range_end="0" dst_range_start="22" dst_range_end="22"/>
|
|
<TCPService id="id3AEDBE00" ack_flag="False" ack_flag_mask="False" fin_flag="False" fin_flag_mask="False" psh_flag="False" psh_flag_mask="False" rst_flag="False" rst_flag_mask="False" syn_flag="False" syn_flag_mask="False" urg_flag="False" urg_flag_mask="False" name="sunrpc" comment="" ro="False" src_range_start="0" src_range_end="0" dst_range_start="111" dst_range_end="111"/>
|
|
<TCPService id="tcp-TCP-SYN" ack_flag="False" ack_flag_mask="True" fin_flag="False" fin_flag_mask="True" psh_flag="False" psh_flag_mask="True" rst_flag="False" rst_flag_mask="True" syn_flag="True" syn_flag_mask="True" urg_flag="False" urg_flag_mask="True" name="tcp-syn" comment="Matches TCP packets with SYN set and ACK, FIN, PSH, RST and URG clear, i.e. the first packet of a new connection attempt on any port. All six flags are part of the match, so SYN+ACK replies do not match this object." ro="False" src_range_start="0" src_range_end="0" dst_range_start="0" dst_range_end="0"/>
|
|
<TCPService id="tcp-Telnet" ack_flag="False" ack_flag_mask="False" fin_flag="False" fin_flag_mask="False" psh_flag="False" psh_flag_mask="False" rst_flag="False" rst_flag_mask="False" syn_flag="False" syn_flag_mask="False" urg_flag="False" urg_flag_mask="False" name="telnet" comment="" ro="False" src_range_start="0" src_range_end="0" dst_range_start="23" dst_range_end="23"/>
|
|
<TCPService id="tcp-uucp" ack_flag="False" ack_flag_mask="False" fin_flag="False" fin_flag_mask="False" psh_flag="False" psh_flag_mask="False" rst_flag="False" rst_flag_mask="False" syn_flag="False" syn_flag_mask="False" urg_flag="False" urg_flag_mask="False" name="uucp" comment="" ro="False" src_range_start="0" src_range_end="0" dst_range_start="540" dst_range_end="540"/>
|
|
<TCPService id="id3CB131C6" ack_flag="False" ack_flag_mask="False" fin_flag="False" fin_flag_mask="False" psh_flag="False" psh_flag_mask="False" rst_flag="False" rst_flag_mask="False" syn_flag="False" syn_flag_mask="False" urg_flag="False" urg_flag_mask="False" name="winterm" comment="Windows Terminal Services" ro="False" src_range_start="0" src_range_end="0" dst_range_start="3389" dst_range_end="3389"/>
|
|
<TCPService id="id3B4FF1B8" ack_flag="False" ack_flag_mask="False" fin_flag="False" fin_flag_mask="False" psh_flag="False" psh_flag_mask="False" rst_flag="False" rst_flag_mask="False" syn_flag="False" syn_flag_mask="False" urg_flag="False" urg_flag_mask="False" name="xfs" comment="" ro="False" src_range_start="0" src_range_end="0" dst_range_start="7100" dst_range_end="7100"/>
|
|
<TCPService id="id3C685B2B" ack_flag="True" ack_flag_mask="True" fin_flag="True" fin_flag_mask="True" psh_flag="True" psh_flag_mask="True" rst_flag="True" rst_flag_mask="True" syn_flag="True" syn_flag_mask="True" urg_flag="True" urg_flag_mask="True" name="xmas scan - full" comment="This service object matches TCP packet with all six flags set." ro="False" src_range_start="0" src_range_end="0" dst_range_start="0" dst_range_end="0"/>
|
|
<TCPService id="id4127E949" ack_flag="False" ack_flag_mask="True" fin_flag="True" fin_flag_mask="True" psh_flag="True" psh_flag_mask="True" rst_flag="False" rst_flag_mask="True" syn_flag="False" syn_flag_mask="True" urg_flag="True" urg_flag_mask="True" name="xmas scan" comment="This service object matches TCP packet with flags FIN, PSH and URG set and other flags cleared. This is a "christmas scan" as defined in snort rules. Nmap can generate this scan, too." ro="False" src_range_start="0" src_range_end="0" dst_range_start="0" dst_range_end="0"/>
|
|
<TCPService id="id4127EA72" ack_flag="False" ack_flag_mask="False" fin_flag="False" fin_flag_mask="False" psh_flag="False" psh_flag_mask="False" rst_flag="False" rst_flag_mask="False" syn_flag="False" syn_flag_mask="False" urg_flag="False" urg_flag_mask="False" name="rsync" comment="" ro="False" src_range_start="0" src_range_end="0" dst_range_start="873" dst_range_end="873"/>
|
|
<TCPService id="id4127EBAC" ack_flag="False" ack_flag_mask="False" fin_flag="False" fin_flag_mask="False" psh_flag="False" psh_flag_mask="False" rst_flag="False" rst_flag_mask="False" syn_flag="False" syn_flag_mask="False" urg_flag="False" urg_flag_mask="False" name="distcc" comment="distributed compiler" ro="False" src_range_start="0" src_range_end="0" dst_range_start="3632" dst_range_end="3632"/>
|
|
<TCPService id="id4127ECF1" ack_flag="False" ack_flag_mask="False" fin_flag="False" fin_flag_mask="False" psh_flag="False" psh_flag_mask="False" rst_flag="False" rst_flag_mask="False" syn_flag="False" syn_flag_mask="False" urg_flag="False" urg_flag_mask="False" name="cvspserver" comment="CVS client/server operations" ro="False" src_range_start="0" src_range_end="0" dst_range_start="2401" dst_range_end="2401"/>
|
|
<TCPService id="id4127ECF2" ack_flag="False" ack_flag_mask="False" fin_flag="False" fin_flag_mask="False" psh_flag="False" psh_flag_mask="False" rst_flag="False" rst_flag_mask="False" syn_flag="False" syn_flag_mask="False" urg_flag="False" urg_flag_mask="False" name="cvsup" comment="CVSup file transfer/John Polstra/FreeBSD" ro="False" src_range_start="0" src_range_end="0" dst_range_start="5999" dst_range_end="5999"/>
|
|
<TCPService id="id4127ED5E" ack_flag="False" ack_flag_mask="False" fin_flag="False" fin_flag_mask="False" psh_flag="False" psh_flag_mask="False" rst_flag="False" rst_flag_mask="False" syn_flag="False" syn_flag_mask="False" urg_flag="False" urg_flag_mask="False" name="afp" comment="AFP (Apple file sharing) over TCP" ro="False" src_range_start="0" src_range_end="0" dst_range_start="548" dst_range_end="548"/>
|
|
<TCPService id="id4127EDF6" ack_flag="False" ack_flag_mask="False" fin_flag="False" fin_flag_mask="False" psh_flag="False" psh_flag_mask="False" rst_flag="False" rst_flag_mask="False" syn_flag="False" syn_flag_mask="False" urg_flag="False" urg_flag_mask="False" name="whois" comment="" ro="False" src_range_start="0" src_range_end="0" dst_range_start="43" dst_range_end="43"/>
|
|
<TCPService id="id4127F04F" ack_flag="False" ack_flag_mask="False" fin_flag="False" fin_flag_mask="False" psh_flag="False" psh_flag_mask="False" rst_flag="False" rst_flag_mask="False" syn_flag="False" syn_flag_mask="False" urg_flag="False" urg_flag_mask="False" name="bgp" comment="" ro="False" src_range_start="0" src_range_end="0" dst_range_start="179" dst_range_end="179"/>
|
|
<TCPService id="id4127F146" ack_flag="False" ack_flag_mask="False" fin_flag="False" fin_flag_mask="False" psh_flag="False" psh_flag_mask="False" rst_flag="False" rst_flag_mask="False" syn_flag="False" syn_flag_mask="False" urg_flag="False" urg_flag_mask="False" name="radius" comment="Radius protocol" ro="False" src_range_start="0" src_range_end="0" dst_range_start="1812" dst_range_end="1812"/>
|
|
<TCPService id="id4127F147" ack_flag="False" ack_flag_mask="False" fin_flag="False" fin_flag_mask="False" psh_flag="False" psh_flag_mask="False" rst_flag="False" rst_flag_mask="False" syn_flag="False" syn_flag_mask="False" urg_flag="False" urg_flag_mask="False" name="radius acct" comment="Radius Accounting" ro="False" src_range_start="0" src_range_end="0" dst_range_start="1813" dst_range_end="1813"/>
|
|
<TCPService id="id41291784" ack_flag="False" ack_flag_mask="False" fin_flag="False" fin_flag_mask="False" psh_flag="False" psh_flag_mask="False" rst_flag="False" rst_flag_mask="False" syn_flag="False" syn_flag_mask="False" urg_flag="False" urg_flag_mask="False" name="upnp" comment="" ro="False" src_range_start="0" src_range_end="0" dst_range_start="5000" dst_range_end="5000"/>
|
|
<TCPService id="id41291785" ack_flag="False" ack_flag_mask="False" fin_flag="False" fin_flag_mask="False" psh_flag="False" psh_flag_mask="False" rst_flag="False" rst_flag_mask="False" syn_flag="False" syn_flag_mask="False" urg_flag="False" urg_flag_mask="False" name="upnp-5431" comment="Although the UPnP specification says it should use TCP port 5000, Linksys routers running Sveasoft firmware listen on port 5431" ro="False" src_range_start="0" src_range_end="0" dst_range_start="5431" dst_range_end="5431"/>
|
|
<TCPService id="id41291787" ack_flag="False" ack_flag_mask="False" fin_flag="False" fin_flag_mask="False" psh_flag="False" psh_flag_mask="False" rst_flag="False" rst_flag_mask="False" syn_flag="False" syn_flag_mask="False" urg_flag="False" urg_flag_mask="False" name="vnc-java-0" comment="Java VNC viewer, display 0" ro="False" src_range_start="0" src_range_end="0" dst_range_start="5800" dst_range_end="5800"/>
|
|
<TCPService id="id41291788" ack_flag="False" ack_flag_mask="False" fin_flag="False" fin_flag_mask="False" psh_flag="False" psh_flag_mask="False" rst_flag="False" rst_flag_mask="False" syn_flag="False" syn_flag_mask="False" urg_flag="False" urg_flag_mask="False" name="vnc-0" comment="Regular VNC viewer, display 0" ro="False" src_range_start="0" src_range_end="0" dst_range_start="5900" dst_range_end="5900"/>
|
|
<TCPService id="id41291887" ack_flag="False" ack_flag_mask="False" fin_flag="False" fin_flag_mask="False" psh_flag="False" psh_flag_mask="False" rst_flag="False" rst_flag_mask="False" syn_flag="False" syn_flag_mask="False" urg_flag="False" urg_flag_mask="False" name="vnc-java-1" comment="Java VNC viewer, display 1" ro="False" src_range_start="0" src_range_end="0" dst_range_start="5801" dst_range_end="5801"/>
|
|
<TCPService id="id41291888" ack_flag="False" ack_flag_mask="False" fin_flag="False" fin_flag_mask="False" psh_flag="False" psh_flag_mask="False" rst_flag="False" rst_flag_mask="False" syn_flag="False" syn_flag_mask="False" urg_flag="False" urg_flag_mask="False" name="vnc-1" comment="Regular VNC viewer, display 1" ro="False" src_range_start="0" src_range_end="0" dst_range_start="5901" dst_range_end="5901"/>
|
|
<TCPService id="id463FE5FE11008" ack_flag="False" ack_flag_mask="False" established="True" fin_flag="False" fin_flag_mask="False" psh_flag="False" psh_flag_mask="False" rst_flag="False" rst_flag_mask="False" syn_flag="False" syn_flag_mask="False" urg_flag="False" urg_flag_mask="False" name="All TCP established" comment="Some firewall platforms can match TCP packets with flags ACK or RST set; the option is usually called &quot;established&quot;. Note that you can use this object only in the policy rules of the firewall that supports this option. If you need to match reply packets for a specific TCP service and wish to use option &quot;established&quot;, make a copy of this object and set source port range to match the service. Caution: this is a stateless match on TCP flags, not connection tracking: any packet with ACK or RST set is accepted, including crafted packets that belong to no session (an ACK scan, for example), so it does not replace stateful filtering where the platform provides it." ro="False" src_range_start="0" src_range_end="0" dst_range_start="0" dst_range_end="0"/>
|
|
<TCPService id="id1577X28030" ack_flag="False" ack_flag_mask="False" established="False" fin_flag="False" fin_flag_mask="False" psh_flag="False" psh_flag_mask="False" rst_flag="False" rst_flag_mask="False" syn_flag="False" syn_flag_mask="False" urg_flag="False" urg_flag_mask="False" name="rtmp" comment="Real Time Messaging Protocol" ro="False" src_range_start="0" src_range_end="0" dst_range_start="1935" dst_range_end="1935"/>
|
|
<TCPService id="id1590X28030" ack_flag="False" ack_flag_mask="False" established="False" fin_flag="False" fin_flag_mask="False" psh_flag="False" psh_flag_mask="False" rst_flag="False" rst_flag_mask="False" syn_flag="False" syn_flag_mask="False" urg_flag="False" urg_flag_mask="False" name="xmpp-client" comment="Extensible Messaging and Presence Protocol (XMPP) RFC3920 " ro="False" src_range_start="0" src_range_end="0" dst_range_start="5222" dst_range_end="5222"/>
|
|
<TCPService id="id1609X28030" ack_flag="False" ack_flag_mask="False" established="False" fin_flag="False" fin_flag_mask="False" psh_flag="False" psh_flag_mask="False" rst_flag="False" rst_flag_mask="False" syn_flag="False" syn_flag_mask="False" urg_flag="False" urg_flag_mask="False" name="xmpp-server" comment="Extensible Messaging and Presence Protocol (XMPP) RFC3920 " ro="False" src_range_start="0" src_range_end="0" dst_range_start="5269" dst_range_end="5269"/>
|
|
<TCPService id="id1622X28030" ack_flag="False" ack_flag_mask="False" established="False" fin_flag="False" fin_flag_mask="False" psh_flag="False" psh_flag_mask="False" rst_flag="False" rst_flag_mask="False" syn_flag="False" syn_flag_mask="False" urg_flag="False" urg_flag_mask="False" name="xmpp-client-ssl" comment="Extensible Messaging and Presence Protocol (XMPP) RFC3920 " ro="False" src_range_start="0" src_range_end="0" dst_range_start="5223" dst_range_end="5223"/>
|
|
<TCPService id="id1631X28030" ack_flag="False" ack_flag_mask="False" established="False" fin_flag="False" fin_flag_mask="False" psh_flag="False" psh_flag_mask="False" rst_flag="False" rst_flag_mask="False" syn_flag="False" syn_flag_mask="False" urg_flag="False" urg_flag_mask="False" name="xmpp-server-ssl" comment="Extensible Messaging and Presence Protocol (XMPP) RFC3920 " ro="False" src_range_start="0" src_range_end="0" dst_range_start="5270" dst_range_end="5270"/>
|
|
<TCPService id="id1644X28030" ack_flag="False" ack_flag_mask="False" established="False" fin_flag="False" fin_flag_mask="False" psh_flag="False" psh_flag_mask="False" rst_flag="False" rst_flag_mask="False" syn_flag="False" syn_flag_mask="False" urg_flag="False" urg_flag_mask="False" name="nrpe" comment="NRPE add-on for Nagios http://www.nagios.org/ " ro="False" src_range_start="0" src_range_end="0" dst_range_start="5666" dst_range_end="5666"/>
|
|
<TCPService id="tcp-DNS_zone_transf" ack_flag="False" ack_flag_mask="False" fin_flag="False" fin_flag_mask="False" psh_flag="False" psh_flag_mask="False" rst_flag="False" rst_flag_mask="False" syn_flag="False" syn_flag_mask="False" urg_flag="False" urg_flag_mask="False" name="dns-tcp" comment="DNS over TCP (same destination port as the domain object). Used for zone transfers (AXFR/IXFR) and for answers too large for a UDP datagram. When this object is used to permit zone transfers, restrict the source to the authorised secondary name servers; an unrestricted rule lets anyone pull the whole zone." ro="False" src_range_start="0" src_range_end="0" dst_range_start="53" dst_range_end="53"/>
|
|
</ServiceGroup>
|
|
<ServiceGroup id="stdid08" name="UDP" comment="" ro="False">
|
|
<UDPService id="udp-ALL_UDP_Masqueraded" name="ALL UDP Masqueraded" comment="ipchains used to use this port range for masqueraded packets" ro="False" src_range_start="61000" src_range_end="65095" dst_range_start="0" dst_range_end="0"/>
|
|
<UDPService id="udp-All_UDP" name="All UDP" comment="" ro="False" src_range_start="0" src_range_end="0" dst_range_start="0" dst_range_end="0"/>
|
|
<UDPService id="id3D703C96" name="ICQ" comment="" ro="False" src_range_start="0" src_range_end="0" dst_range_start="4000" dst_range_end="4000"/>
|
|
<UDPService id="id3CB129D2" name="IKE" comment="" ro="False" src_range_start="0" src_range_end="0" dst_range_start="500" dst_range_end="500"/>
|
|
<UDPService id="id3CB131CA" name="PCAnywhere-status" comment="status channel for PCAnywhere v7.52 and later" ro="False" src_range_start="0" src_range_end="0" dst_range_start="5632" dst_range_end="5632"/>
|
|
<UDPService id="id3AED0D6B" name="RIP" comment="routing protocol RIP" ro="False" src_range_start="0" src_range_end="0" dst_range_start="520" dst_range_end="520"/>
|
|
<UDPService id="id3D703C8C" name="Radius" comment="Legacy RADIUS authentication port (UDP 1645). RFC 2865 assigns UDP 1812 for authentication and 1813 for accounting, which current servers use by default; check which port your server actually listens on before relying on this object." ro="False" src_range_start="0" src_range_end="0" dst_range_start="1645" dst_range_end="1645"/>
|
|
<UDPService id="id3D703C85" name="UDP high ports" comment="" ro="False" src_range_start="0" src_range_end="0" dst_range_start="1024" dst_range_end="65535"/>
|
|
<UDPService id="id3D703C86" name="Who" comment="" ro="False" src_range_start="0" src_range_end="0" dst_range_start="513" dst_range_end="513"/>
|
|
<UDPService id="id3B4FEDA1" name="afs" comment="" ro="False" src_range_start="0" src_range_end="0" dst_range_start="7000" dst_range_end="7009"/>
|
|
<UDPService id="udp-bootpc" name="bootpc" comment="" ro="False" src_range_start="0" src_range_end="0" dst_range_start="68" dst_range_end="68"/>
|
|
<UDPService id="udp-bootps" name="bootps" comment="" ro="False" src_range_start="0" src_range_end="0" dst_range_start="67" dst_range_end="67"/>
|
|
<UDPService id="id3AEDBE70" name="daytime" comment="" ro="False" src_range_start="0" src_range_end="0" dst_range_start="13" dst_range_end="13"/>
|
|
<UDPService id="udp-DNS" name="domain" comment="" ro="False" src_range_start="0" src_range_end="0" dst_range_start="53" dst_range_end="53"/>
|
|
<UDPService id="id3D703C8A" name="interphone" comment="VocalTec Internet Phone" ro="False" src_range_start="0" src_range_end="0" dst_range_start="22555" dst_range_end="22555"/>
|
|
<UDPService id="id3B4FEDA5" name="kerberos" comment="" ro="False" src_range_start="0" src_range_end="0" dst_range_start="88" dst_range_end="88"/>
|
|
<UDPService id="id3B4FEDA9" name="kerberos-adm" comment="" ro="False" src_range_start="0" src_range_end="0" dst_range_start="749" dst_range_end="750"/>
|
|
<UDPService id="id3B4FEDA7" name="kpasswd" comment="" ro="False" src_range_start="0" src_range_end="0" dst_range_start="464" dst_range_end="464"/>
|
|
<UDPService id="id3B4FEDAB" name="krb524" comment="" ro="False" src_range_start="0" src_range_end="0" dst_range_start="4444" dst_range_end="4444"/>
|
|
<UDPService id="id3F865B0D" name="microsoft-rpc" comment="" ro="False" src_range_start="0" src_range_end="0" dst_range_start="135" dst_range_end="135"/>
|
|
<UDPService id="udp-netbios-dgm" name="netbios-dgm" comment="" ro="False" src_range_start="0" src_range_end="0" dst_range_start="138" dst_range_end="138"/>
|
|
<UDPService id="udp-netbios-ns" name="netbios-ns" comment="" ro="False" src_range_start="0" src_range_end="0" dst_range_start="137" dst_range_end="137"/>
|
|
<UDPService id="udp-netbios-ssn" name="netbios-ssn" comment="" ro="False" src_range_start="0" src_range_end="0" dst_range_start="139" dst_range_end="139"/>
|
|
<UDPService id="id3B4FEE78" name="nfs" comment="" ro="False" src_range_start="0" src_range_end="0" dst_range_start="2049" dst_range_end="2049"/>
|
|
<UDPService id="udp-ntp" name="ntp" comment="" ro="False" src_range_start="0" src_range_end="0" dst_range_start="123" dst_range_end="123"/>
|
|
<UDPService id="id3B4FEF7E" name="quake" comment="" ro="False" src_range_start="0" src_range_end="0" dst_range_start="26000" dst_range_end="26000"/>
|
|
<UDPService id="id3D703C88" name="secureid-udp" comment="" ro="False" src_range_start="0" src_range_end="0" dst_range_start="1024" dst_range_end="1024"/>
|
|
<UDPService id="udp-SNMP" name="snmp" comment="" ro="False" src_range_start="0" src_range_end="0" dst_range_start="161" dst_range_end="161"/>
|
|
<UDPService id="id3AED0D69" name="snmp-trap" comment="" ro="False" src_range_start="0" src_range_end="0" dst_range_start="162" dst_range_end="162"/>
|
|
<UDPService id="id3AEDBE19" name="sunrpc" comment="" ro="False" src_range_start="0" src_range_end="0" dst_range_start="111" dst_range_end="111"/>
|
|
<UDPService id="id3AECF780" name="syslog" comment="" ro="False" src_range_start="0" src_range_end="0" dst_range_start="514" dst_range_end="514"/>
|
|
<UDPService id="id3AED0D67" name="tftp" comment="" ro="False" src_range_start="0" src_range_end="0" dst_range_start="69" dst_range_end="69"/>
|
|
<UDPService id="id3AED0D8C" name="traceroute" comment="" ro="False" src_range_start="0" src_range_end="0" dst_range_start="33434" dst_range_end="33524"/>
|
|
<UDPService id="id4127EA73" name="rsync" comment="" ro="False" src_range_start="0" src_range_end="0" dst_range_start="873" dst_range_end="873"/>
|
|
<UDPService id="id41291783" name="SSDP" comment="Simple Service Discovery Protocol (used for UPnP)" ro="False" src_range_start="0" src_range_end="0" dst_range_start="1900" dst_range_end="1900"/>
|
|
<UDPService id="id41291883" name="OpenVPN" comment="" ro="False" src_range_start="0" src_range_end="0" dst_range_start="1194" dst_range_end="1194"/>
|
|
</ServiceGroup>
|
|
<ServiceGroup id="stdid13" name="Custom" comment="" ro="False">
|
|
<CustomService id="id3B64EEA8" name="rpc" comment="Works in iptables and requires patch-o-matic. For more information look for patch-o-matic on http://www.netfilter.org/" ro="False" protocol="any" address_family="ipv4">
|
|
<CustomServiceCommand platform="Undefined"></CustomServiceCommand>
|
|
<CustomServiceCommand platform="ipf"></CustomServiceCommand>
|
|
<CustomServiceCommand platform="ipfilter"></CustomServiceCommand>
|
|
<CustomServiceCommand platform="ipfw"></CustomServiceCommand>
|
|
<CustomServiceCommand platform="iptables">-m record_rpc</CustomServiceCommand>
|
|
<CustomServiceCommand platform="pf"></CustomServiceCommand>
|
|
<CustomServiceCommand platform="pix"></CustomServiceCommand>
|
|
<CustomServiceCommand platform="unknown"></CustomServiceCommand>
|
|
</CustomService>
|
|
<CustomService id="id3B64EF4E" name="irc-conn" comment="IRC connection tracker, supports DCC. Works on iptables and requires patch-o-matic. For more information look for patch-o-matic on http://www.netfilter.org/" ro="False" protocol="any" address_family="ipv4">
|
|
<CustomServiceCommand platform="Undefined"></CustomServiceCommand>
|
|
<CustomServiceCommand platform="ipf"></CustomServiceCommand>
|
|
<CustomServiceCommand platform="ipfilter"></CustomServiceCommand>
|
|
<CustomServiceCommand platform="ipfw"></CustomServiceCommand>
|
|
<CustomServiceCommand platform="iptables">-m irc</CustomServiceCommand>
|
|
<CustomServiceCommand platform="pf"></CustomServiceCommand>
|
|
<CustomServiceCommand platform="pix"></CustomServiceCommand>
|
|
<CustomServiceCommand platform="unknown"></CustomServiceCommand>
|
|
</CustomService>
|
|
<CustomService id="id3B64EF50" name="psd" comment="Port scan detector, works only on iptables and requires patch-o-matic. For more information look for patch-o-matic on http://www.netfilter.org/" ro="False" protocol="any" address_family="ipv4">
|
|
<CustomServiceCommand platform="Undefined"></CustomServiceCommand>
|
|
<CustomServiceCommand platform="ipf"></CustomServiceCommand>
|
|
<CustomServiceCommand platform="ipfilter"></CustomServiceCommand>
|
|
<CustomServiceCommand platform="ipfw"></CustomServiceCommand>
|
|
<CustomServiceCommand platform="iptables">-m psd --psd-weight-threshold 5 --psd-delay-threshold 10000</CustomServiceCommand>
|
|
<CustomServiceCommand platform="pf"></CustomServiceCommand>
|
|
<CustomServiceCommand platform="pix"></CustomServiceCommand>
|
|
<CustomServiceCommand platform="unknown"></CustomServiceCommand>
|
|
</CustomService>
|
|
<CustomService id="id3B64EF52" name="string" comment="Matches a string in a whole packet, works in iptables and requires patch-o-matic. For more information look for patch-o-matic on http://www.netfilter.org/" ro="False" protocol="any" address_family="ipv4">
|
|
<CustomServiceCommand platform="Undefined"></CustomServiceCommand>
|
|
<CustomServiceCommand platform="ipf"></CustomServiceCommand>
|
|
<CustomServiceCommand platform="ipfilter"></CustomServiceCommand>
|
|
<CustomServiceCommand platform="ipfw"></CustomServiceCommand>
|
|
<CustomServiceCommand platform="iptables">-m string --string test_pattern</CustomServiceCommand>
|
|
<CustomServiceCommand platform="pf"></CustomServiceCommand>
|
|
<CustomServiceCommand platform="pix"></CustomServiceCommand>
|
|
<CustomServiceCommand platform="unknown"></CustomServiceCommand>
|
|
</CustomService>
|
|
<CustomService id="id3B64EF54" name="talk" comment="Talk protocol support. Works in iptables and requires patch-o-matic. For more information look for patch-o-matic on http://www.netfilter.org/" ro="False" protocol="any" address_family="ipv4">
|
|
<CustomServiceCommand platform="Undefined"></CustomServiceCommand>
|
|
<CustomServiceCommand platform="ipf"></CustomServiceCommand>
|
|
<CustomServiceCommand platform="ipfilter"></CustomServiceCommand>
|
|
<CustomServiceCommand platform="ipfw"></CustomServiceCommand>
|
|
<CustomServiceCommand platform="iptables">-m talk</CustomServiceCommand>
|
|
<CustomServiceCommand platform="pf"></CustomServiceCommand>
|
|
<CustomServiceCommand platform="pix"></CustomServiceCommand>
|
|
<CustomServiceCommand platform="unknown"></CustomServiceCommand>
|
|
</CustomService>
|
|
</ServiceGroup>
|
|
<ServiceGroup id="stdid19" name="TagServices" comment="" ro="False"/>
|
|
<ServiceGroup id="stdid20" name="UserServices" comment="" ro="False"/>
|
|
</ServiceGroup>
|
|
<ObjectGroup id="stdid12" name="Firewalls" comment="" ro="False"/>
|
|
<ObjectGroup id="stdid21" name="Clusters" comment="" ro="False"/>
|
|
<IntervalGroup id="stdid11" name="Time" comment="" ro="False">
|
|
<Interval id="int-workhours" days_of_week="1,2,3,4,5" from_day="-1" from_hour="9" from_minute="0" from_month="-1" from_weekday="1" from_year="-1" to_day="-1" to_hour="17" to_minute="0" to_month="-1" to_weekday="5" to_year="-1" name="workhours" comment="any day, 9:00am through 5:00pm" ro="False"/>
|
|
<Interval id="int-weekends" days_of_week="6,0" from_day="-1" from_hour="0" from_minute="0" from_month="-1" from_weekday="6" from_year="-1" to_day="-1" to_hour="23" to_minute="59" to_month="-1" to_weekday="0" to_year="-1" name="weekends" comment="weekends: Saturday 0:00 through Sunday 23:59" ro="False"/>
|
|
<Interval id="int-afterhours" days_of_week="0,1,2,3,4,5,6" from_day="-1" from_hour="18" from_minute="0" from_month="-1" from_weekday="-1" from_year="-1" to_day="-1" to_hour="23" to_minute="59" to_month="-1" to_weekday="-1" to_year="-1" name="afterhours" comment="any day 6:00pm - 12:00am" ro="False"/>
|
|
<Interval id="id3C63479C" days_of_week="6" from_day="-1" from_hour="0" from_minute="0" from_month="-1" from_weekday="6" from_year="-1" to_day="-1" to_hour="23" to_minute="59" to_month="-1" to_weekday="6" to_year="-1" name="Sat" comment="" ro="False"/>
|
|
<Interval id="id3C63479E" days_of_week="0" from_day="-1" from_hour="0" from_minute="0" from_month="-1" from_weekday="0" from_year="-1" to_day="-1" to_hour="23" to_minute="59" to_month="-1" to_weekday="0" to_year="-1" name="Sun" comment="" ro="False"/>
|
|
</IntervalGroup>
|
|
</Library>
|
|
<Library id="sysid99" name="Deleted Objects" comment="" ro="False">
|
|
<ICMP6Service id="idE0C27650" code="0" type="1" name="ipv6 dest unreachable" comment="No route to destination" ro="False"/>
|
|
<Library id="id40E233F3" color="#FFFFFF" name="West Coast" comment="" ro="False">
|
|
<ObjectGroup id="id40E233F4_clusters" name="Clusters" comment="" ro="False"/>
|
|
<ObjectGroup id="id40E233F4" name="Objects" comment="" ro="False">
|
|
<ObjectGroup id="id40E233F4_og_ats_1" name="Address Tables" comment="" ro="False"/>
|
|
<ObjectGroup id="id40E233F5" name="Addresses" comment="" ro="False"/>
|
|
<ObjectGroup id="id40E233F6" name="Groups" comment="" ro="False">
|
|
<ObjectGroup id="id40E23403" name="West Coast Servers" comment="" ro="False"/>
|
|
</ObjectGroup>
|
|
<ObjectGroup id="id40E233F7" name="Hosts" comment="" ro="False"/>
|
|
<ObjectGroup id="id40E233F8" name="Networks" comment="" ro="False"/>
|
|
<ObjectGroup id="id40E233F9" name="Address Ranges" comment="" ro="False"/>
|
|
</ObjectGroup>
|
|
<ServiceGroup id="id40E233FA" name="Services" comment="" ro="False">
|
|
<ServiceGroup id="id40E233FA_og_tag_1" name="TagServices" comment="" ro="False"/>
|
|
<ServiceGroup id="id40E233FB" name="Groups" comment="" ro="False"/>
|
|
<ServiceGroup id="id40E233FC" name="ICMP" comment="" ro="False"/>
|
|
<ServiceGroup id="id40E233FD" name="IP" comment="" ro="False"/>
|
|
<ServiceGroup id="id40E233FE" name="TCP" comment="" ro="False"/>
|
|
<ServiceGroup id="id40E233FF" name="UDP" comment="" ro="False"/>
|
|
<ServiceGroup id="id40E23400" name="Custom" comment="" ro="False"/>
|
|
<ServiceGroup id="id40E233FA_userservices" name="Users" comment="" ro="False"/>
|
|
</ServiceGroup>
|
|
<ObjectGroup id="id40E23401" name="Firewalls" comment="" ro="False"/>
|
|
<IntervalGroup id="id40E23402" name="Time" comment="" ro="False"/>
|
|
</Library>
|
|
<Library id="id40D07E7A" color="#FFFFFF" name="LAX" comment="" ro="False">
|
|
<ObjectGroup id="id40D07E7B_clusters" name="Clusters" comment="" ro="False"/>
|
|
<ObjectGroup id="id40D07E7B" name="Objects" comment="" ro="False">
|
|
<ObjectGroup id="id40D07E7B_og_ats_1" name="Address Tables" comment="" ro="False"/>
|
|
<ObjectGroup id="id40D07E7C" name="Addresses" comment="" ro="False">
|
|
<IPv4 id="id40E238E6" name="laxftp1" comment="" ro="False" address="10.1.10.10" netmask="255.255.255.255"/>
|
|
<IPv4 id="id40E238E7" name="laxweb1" comment="" ro="False" address="10.1.10.11" netmask="255.255.255.255"/>
|
|
</ObjectGroup>
|
|
<ObjectGroup id="id40D07E7D" name="Groups" comment="" ro="False">
|
|
<ObjectGroup id="id40E23565" name="LAX Servers" comment="" ro="False"/>
|
|
</ObjectGroup>
|
|
<ObjectGroup id="id40D07E7E" name="Hosts" comment="" ro="False"/>
|
|
<ObjectGroup id="id40D07E7F" name="Networks" comment="" ro="False"/>
|
|
<ObjectGroup id="id40D07E80" name="Address Ranges" comment="" ro="False"/>
|
|
</ObjectGroup>
|
|
<ServiceGroup id="id40D07E81" name="Services" comment="" ro="False">
|
|
<ServiceGroup id="id40D07E81_og_tag_1" name="TagServices" comment="" ro="False"/>
|
|
<ServiceGroup id="id40D07E82" name="Groups" comment="" ro="False"/>
|
|
<ServiceGroup id="id40D07E83" name="ICMP" comment="" ro="False"/>
|
|
<ServiceGroup id="id40D07E84" name="IP" comment="" ro="False"/>
|
|
<ServiceGroup id="id40D07E85" name="TCP" comment="" ro="False"/>
|
|
<ServiceGroup id="id40D07E86" name="UDP" comment="" ro="False"/>
|
|
<ServiceGroup id="id40D07E87" name="Custom" comment="" ro="False"/>
|
|
<ServiceGroup id="id40D07E81_userservices" name="Users" comment="" ro="False"/>
|
|
</ServiceGroup>
|
|
<ObjectGroup id="id40D07E88" name="Firewalls" comment="" ro="False"/>
|
|
<IntervalGroup id="id40D07E89" name="Time" comment="" ro="False"/>
|
|
</Library>
|
|
<Library id="id40C3E07E" color="#FFFFFF" name="SFO" comment="" ro="False">
|
|
<ObjectGroup id="id40C3E07F_clusters" name="Clusters" comment="" ro="False"/>
|
|
<ObjectGroup id="id40C3E07F" name="Objects" comment="" ro="False">
|
|
<ObjectGroup id="id40C3E07F_og_ats_1" name="Address Tables" comment="" ro="False"/>
|
|
<ObjectGroup id="id40C3E081" name="Groups" comment="" ro="False">
|
|
<ObjectGroup id="id40E23562" name="SFO Servers" comment="" ro="False"/>
|
|
</ObjectGroup>
|
|
<ObjectGroup id="id40C3E080" name="Addresses" comment="" ro="False">
|
|
<IPv4 id="id40E238E9" name="sfoweb1" comment="" ro="False" address="10.2.10.11" netmask="255.255.255.255"/>
|
|
<IPv4 id="id40E238E8" name="sfoftp1" comment="" ro="False" address="10.2.10.10" netmask="255.255.255.255"/>
|
|
</ObjectGroup>
|
|
</ObjectGroup>
|
|
</Library>
|
|
<Library id="id44EC13FB8791" color="#d2ffd0" name="tmp" comment="" ro="False">
|
|
<ObjectGroup id="id44EC13FC8791_clusters" name="Clusters" comment="" ro="False"/>
|
|
<ObjectGroup id="id44EC13FC8791" name="Objects" comment="" ro="False">
|
|
<ObjectGroup id="id44EC13FD8791" name="Addresses" comment="" ro="False"/>
|
|
<ObjectGroup id="id44EC13FE8791" name="DNS Names" comment="" ro="False"/>
|
|
<ObjectGroup id="id44EC13FF8791" name="Address Tables" comment="" ro="False"/>
|
|
<ObjectGroup id="id44EC14008791" name="Groups" comment="" ro="False"/>
|
|
<ObjectGroup id="id44EC14018791" name="Hosts" comment="" ro="False"/>
|
|
<ObjectGroup id="id44EC14028791" name="Networks" comment="" ro="False"/>
|
|
<ObjectGroup id="id44EC14038791" name="Address Ranges" comment="" ro="False"/>
|
|
</ObjectGroup>
|
|
<ServiceGroup id="id44EC14048791" name="Services" comment="" ro="False">
|
|
<ServiceGroup id="id44EC14058791" name="Groups" comment="" ro="False"/>
|
|
<ServiceGroup id="id44EC14068791" name="ICMP" comment="" ro="False"/>
|
|
<ServiceGroup id="id44EC14078791" name="IP" comment="" ro="False"/>
|
|
<ServiceGroup id="id44EC14088791" name="TCP" comment="" ro="False"/>
|
|
<ServiceGroup id="id44EC14098791" name="UDP" comment="" ro="False"/>
|
|
<ServiceGroup id="id44EC140A8791" name="Custom" comment="" ro="False"/>
|
|
<ServiceGroup id="id44EC140B8791" name="TagServices" comment="" ro="False"/>
|
|
<ServiceGroup id="id44EC14048791_userservices" name="Users" comment="" ro="False"/>
|
|
</ServiceGroup>
|
|
<ObjectGroup id="id44EC140C8791" name="Firewalls" comment="" ro="False"/>
|
|
<IntervalGroup id="id44EC140D8791" name="Time" comment="" ro="False"/>
|
|
</Library>
|
|
<AddressTable id="id44F7056328576" filename="/home/vadim/tmp/bug-1544488/addr-table-1.tbl" run_time="True" name="atbl" comment="" ro="False"/>
|
|
<Interface id="id45DE9D012560" dedicated_failover="False" dyn="False" label="" mgmt="False" security_level="100" unnum="False" unprotected="False" name="pcn1" comment="" ro="False">
|
|
<IPv4 id="id45DE9D032560" name="openbsd-4.0:pcn1:ip" comment="" ro="False" address="10.1.1.1" netmask="255.255.255.0"/>
|
|
<InterfaceOptions/>
|
|
</Interface>
|
|
<Interface id="id4848A43B4626" dedicated_failover="False" dyn="True" label="" mgmt="False" security_level="0" unnum="False" unprotected="False" name="ppp0" comment="" ro="False">
|
|
<InterfaceOptions/>
|
|
</Interface>
|
|
<Interface id="id14583X3490" dedicated_failover="False" dyn="False" security_level="0" unnum="False" unprotected="False" name="eth3" comment="" ro="False">
|
|
<IPv4 id="id14585X3490" name="firewall20:eth3:ip" comment="" ro="False" address="22.22.23.23" netmask="255.255.255.0"/>
|
|
<InterfaceOptions/>
|
|
</Interface>
|
|
<Policy id="id33887X22329" name="Policy_ipv4" comment="" ro="False" ipv4_rule_set="False" ipv6_rule_set="False" top_rule_set="False">
|
|
<RuleSetOptions/>
|
|
</Policy>
|
|
<Policy id="id34074X22329" name="combined" comment="" ro="False" ipv4_rule_set="True" ipv6_rule_set="True" top_rule_set="False">
|
|
<PolicyRule id="id34262X22329" disabled="False" group="" log="False" position="0" action="Accept" direction="Both" comment="">
|
|
<Src neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="id34064X22329"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="pf_classify_str"></Option>
|
|
<Option name="stateless">False</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<PolicyRule id="id34245X22329" disabled="False" group="" log="False" position="1" action="Accept" direction="Both" comment="This rule shadows the next one. Note that we add the command-line flag -xt to the compiler">
|
|
<Src neg="False">
|
|
<ObjectRef ref="id4834B9206131"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="id34059X22329"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="tcp-SSH"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="pf_classify_str"></Option>
|
|
<Option name="stateless">False</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<PolicyRule id="id34228X22329" disabled="False" group="" log="False" position="2" action="Accept" direction="Both" comment="">
|
|
<Src neg="False">
|
|
<ObjectRef ref="id48416A7216880"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="id34059X22329"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="tcp-SSH"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="pf_classify_str"></Option>
|
|
<Option name="stateless">False</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<PolicyRule id="id34211X22329" disabled="False" group="" log="True" position="3" action="Accept" direction="Both" comment="">
|
|
<Src neg="False">
|
|
<ObjectRef ref="id48416A7116880"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="id33881X22329"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="tcp-SSH"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="pf_classify_str"></Option>
|
|
<Option name="stateless">False</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<PolicyRule id="id34194X22329" disabled="False" group="" log="True" position="4" action="Accept" direction="Both" comment="">
|
|
<Src neg="False">
|
|
<ObjectRef ref="id4834A2238571"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="id34059X22329"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="tcp-SSH"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="pf_classify_str"></Option>
|
|
<Option name="stateless">False</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<PolicyRule id="id34177X22329" disabled="False" group="" log="True" position="5" action="Accept" direction="Both" comment="">
|
|
<Src neg="False">
|
|
<ObjectRef ref="id4834A2278571"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="id34059X22329"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="tcp-SSH"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="pf_classify_str"></Option>
|
|
<Option name="stateless">False</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<PolicyRule id="id34160X22329" disabled="False" group="" log="True" position="6" action="Accept" direction="Both" comment="">
|
|
<Src neg="False">
|
|
<ObjectRef ref="id4834A2238571"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="id33881X22329"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="tcp-SSH"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="pf_classify_str"></Option>
|
|
<Option name="stateless">False</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<PolicyRule id="id34143X22329" disabled="False" group="" log="True" position="7" action="Accept" direction="Both" comment="">
|
|
<Src neg="False">
|
|
<ObjectRef ref="id4834A2278571"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="id33881X22329"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="tcp-SSH"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="pf_classify_str"></Option>
|
|
<Option name="stateless">False</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<PolicyRule id="id34126X22329" disabled="False" group="" log="True" position="8" action="Accept" direction="Inbound" comment="">
|
|
<Src neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="id33881X22329"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="pf_classify_str"></Option>
|
|
<Option name="stateless">False</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<PolicyRule id="id34109X22329" disabled="False" group="" log="True" position="9" action="Accept" direction="Both" comment="">
|
|
<Src neg="False">
|
|
<ObjectRef ref="id4834B9206131"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="pf_classify_str"></Option>
|
|
<Option name="stateless">False</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<PolicyRule id="id34092X22329" disabled="False" group="" log="True" position="10" action="Accept" direction="Both" comment="">
|
|
<Src neg="False">
|
|
<ObjectRef ref="id4834A2238571"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="pf_classify_str"></Option>
|
|
<Option name="stateless">False</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<PolicyRule id="id34075X22329" disabled="False" group="" log="True" position="11" action="Accept" direction="Both" comment="">
|
|
<Src neg="False">
|
|
<ObjectRef ref="id4834A2278571"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="pf_classify_str"></Option>
|
|
<Option name="stateless">False</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<RuleSetOptions/>
|
|
</Policy>
|
|
<Policy id="id15947X59575" name="rule3_branch" comment="" ro="False" ipv4_rule_set="False" ipv6_rule_set="False" top_rule_set="False">
|
|
<PolicyRule id="id15948X59575" disabled="False" group="" log="True" position="0" action="Deny" direction="Both" comment="block fragments">
|
|
<Src neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="id15868X59575"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="ip-IP_Fragments"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="pf_classify_str"></Option>
|
|
<Option name="stateless">True</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<PolicyRule id="id15960X59575" disabled="False" group="" log="False" position="1" action="Accept" direction="Both" comment="">
|
|
<Src neg="True">
|
|
<ObjectRef ref="id4144D59F"/>
|
|
<ObjectRef ref="id4144D5A0"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="id15868X59575"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="tcp-SMTP"/>
|
|
<ServiceRef ref="tcp-HTTP"/>
|
|
<ServiceRef ref="tcp-SSH"/>
|
|
<ServiceRef ref="tcp-FTP"/>
|
|
<ServiceRef ref="tcp-Telnet"/>
|
|
<ServiceRef ref="icmp-Unreachables"/>
|
|
<ServiceRef ref="icmp-ping_request"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="pf_classify_str"></Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<RuleSetOptions/>
|
|
</Policy>
|
|
<IPv4 id="id16587X32012" name="firewal11:eth1:ip1" comment="" ro="False" address="33.33.33.34" netmask="255.255.255.0"/>
|
|
<Firewall id="id79413X23273" host_OS="linux24" lastCompiled="1244482781" lastInstalled="0" lastModified="1244584259" platform="iptables" version="" name="fw1" comment="This firewall has two interfaces. Eth0 faces outside and has a dynamic address; eth1 faces inside. Policy includes basic rules to permit unrestricted outbound access and anti-spoofing rules. Access to the firewall is permitted only from internal network and only using SSH. The firewall uses one of the machines on internal network for DNS. Internal network is configured with address 192.168.1.0/255.255.255.0" ro="False">
|
|
<NAT id="id80067X23273" name="NAT" comment="" ro="False" ipv4_rule_set="False" ipv6_rule_set="False" top_rule_set="True">
|
|
<NATRule id="id80068X23273" disabled="False" group="" position="0" action="Translate" comment="">
|
|
<OSrc neg="False">
|
|
<ObjectRef ref="id3DC75CE7-1"/>
|
|
</OSrc>
|
|
<ODst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ODst>
|
|
<OSrv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</OSrv>
|
|
<TSrc neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</TSrc>
|
|
<TDst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</TDst>
|
|
<TSrv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</TSrv>
|
|
<ItfInb neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ItfInb>
|
|
<ItfOutb neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ItfOutb>
|
|
<NATRuleOptions/>
|
|
</NATRule>
|
|
<NATRule id="id80100X23273" disabled="False" group="" position="1" action="Translate" comment="source port only">
|
|
<OSrc neg="False">
|
|
<ObjectRef ref="id3DC75CE7-1"/>
|
|
</OSrc>
|
|
<ODst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ODst>
|
|
<OSrv neg="False">
|
|
<ServiceRef ref="id80122X23273"/>
|
|
</OSrv>
|
|
<TSrc neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</TSrc>
|
|
<TDst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</TDst>
|
|
<TSrv neg="False">
|
|
<ServiceRef ref="id80132X23273"/>
|
|
</TSrv>
|
|
<ItfInb neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ItfInb>
|
|
<ItfOutb neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ItfOutb>
|
|
<NATRuleOptions/>
|
|
</NATRule>
|
|
<NATRule id="id80135X23273" disabled="False" group="" position="2" action="Translate" comment="dest port only">
|
|
<OSrc neg="False">
|
|
<ObjectRef ref="id3DC75CE7-1"/>
|
|
</OSrc>
|
|
<ODst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ODst>
|
|
<OSrv neg="False">
|
|
<ServiceRef ref="id80157X23273"/>
|
|
</OSrv>
|
|
<TSrc neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</TSrc>
|
|
<TDst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</TDst>
|
|
<TSrv neg="False">
|
|
<ServiceRef ref="id80167X23273"/>
|
|
</TSrv>
|
|
<ItfInb neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ItfInb>
|
|
<ItfOutb neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ItfOutb>
|
|
<NATRuleOptions/>
|
|
</NATRule>
|
|
<NATRule id="id80170X23273" disabled="False" group="" position="3" action="Translate" comment="SDNAT">
|
|
<OSrc neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</OSrc>
|
|
<ODst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ODst>
|
|
<OSrv neg="False">
|
|
<ServiceRef ref="id79496X23273"/>
|
|
</OSrv>
|
|
<TSrc neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</TSrc>
|
|
<TDst neg="False">
|
|
<ObjectRef ref="id80198X23273"/>
|
|
</TDst>
|
|
<TSrv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</TSrv>
|
|
<ItfInb neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ItfInb>
|
|
<ItfOutb neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ItfOutb>
|
|
<NATRuleOptions/>
|
|
</NATRule>
|
|
<NATRule id="id80204X23273" disabled="False" group="" position="4" action="Translate" comment="SDNAT with source port">
|
|
<OSrc neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</OSrc>
|
|
<ODst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ODst>
|
|
<OSrv neg="False">
|
|
<ServiceRef ref="id80122X23273"/>
|
|
</OSrv>
|
|
<TSrc neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</TSrc>
|
|
<TDst neg="False">
|
|
<ObjectRef ref="id80198X23273"/>
|
|
</TDst>
|
|
<TSrv neg="False">
|
|
<ServiceRef ref="id80132X23273"/>
|
|
</TSrv>
|
|
<ItfInb neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ItfInb>
|
|
<ItfOutb neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ItfOutb>
|
|
<NATRuleOptions/>
|
|
</NATRule>
|
|
<NATRule id="id80237X23273" disabled="False" group="" position="5" action="Translate" comment="SDNAT with dest port">
|
|
<OSrc neg="False">
|
|
<ObjectRef ref="id3DC75CE7-1"/>
|
|
</OSrc>
|
|
<ODst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ODst>
|
|
<OSrv neg="False">
|
|
<ServiceRef ref="id80157X23273"/>
|
|
</OSrv>
|
|
<TSrc neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</TSrc>
|
|
<TDst neg="False">
|
|
<ObjectRef ref="id80198X23273"/>
|
|
</TDst>
|
|
<TSrv neg="False">
|
|
<ServiceRef ref="id80167X23273"/>
|
|
</TSrv>
|
|
<ItfInb neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ItfInb>
|
|
<ItfOutb neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ItfOutb>
|
|
<NATRuleOptions/>
|
|
</NATRule>
|
|
<NATRule id="id80270X23273" disabled="False" group="" position="6" action="Translate" comment="SDNAT translate src and dst addresses and src and dst ports">
|
|
<OSrc neg="False">
|
|
<ObjectRef ref="id3DC75CE7-1"/>
|
|
</OSrc>
|
|
<ODst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ODst>
|
|
<OSrv neg="False">
|
|
<ServiceRef ref="id80292X23273"/>
|
|
</OSrv>
|
|
<TSrc neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</TSrc>
|
|
<TDst neg="False">
|
|
<ObjectRef ref="id80198X23273"/>
|
|
</TDst>
|
|
<TSrv neg="False">
|
|
<ServiceRef ref="id80302X23273"/>
|
|
</TSrv>
|
|
<ItfInb neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ItfInb>
|
|
<ItfOutb neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ItfOutb>
|
|
<NATRuleOptions/>
|
|
</NATRule>
|
|
<NATRule id="id80305X23273" disabled="False" group="" position="7" action="Translate" comment="invalid rule">
|
|
<OSrc neg="False">
|
|
<ObjectRef ref="id3DC75CE7-1"/>
|
|
</OSrc>
|
|
<ODst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ODst>
|
|
<OSrv neg="False">
|
|
<ServiceRef ref="id80157X23273"/>
|
|
</OSrv>
|
|
<TSrc neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</TSrc>
|
|
<TDst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</TDst>
|
|
<TSrv neg="False">
|
|
<ServiceRef ref="id80132X23273"/>
|
|
</TSrv>
|
|
<ItfInb neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ItfInb>
|
|
<ItfOutb neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ItfOutb>
|
|
<NATRuleOptions/>
|
|
</NATRule>
|
|
<NATRule id="id80338X23273" disabled="False" group="" position="8" action="Translate" comment="invalid rule">
|
|
<OSrc neg="False">
|
|
<ObjectRef ref="id3DC75CE7-1"/>
|
|
</OSrc>
|
|
<ODst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ODst>
|
|
<OSrv neg="False">
|
|
<ServiceRef ref="id79496X23273"/>
|
|
</OSrv>
|
|
<TSrc neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</TSrc>
|
|
<TDst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</TDst>
|
|
<TSrv neg="False">
|
|
<ServiceRef ref="id80132X23273"/>
|
|
</TSrv>
|
|
<ItfInb neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ItfInb>
|
|
<ItfOutb neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ItfOutb>
|
|
<NATRuleOptions/>
|
|
</NATRule>
|
|
<RuleSetOptions/>
|
|
</NAT>
|
|
<Policy id="id79419X23273" name="Policy" comment="" ro="False" ipv4_rule_set="False" ipv6_rule_set="False" top_rule_set="True">
|
|
<PolicyRule id="id79420X23273" disabled="False" group="New Group" log="True" position="0" action="Deny" direction="Inbound" comment="anti spoofing rule">
|
|
<Src neg="False">
|
|
<ObjectRef ref="id3DC75CE7-1"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="id79878X23273"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="color"></Option>
|
|
<Option name="pf_classify_str"></Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<PolicyRule id="id79899X23273" disabled="False" group="New Group" log="False" position="1" action="Accept" direction="Both" comment="">
|
|
<Src neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="color"></Option>
|
|
<Option name="pf_classify_str"></Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<PolicyRule id="id79926X23273" disabled="False" group="New Group" log="False" position="2" action="Accept" direction="Both" comment="SSH Access to firewall is permitted only from internal network">
|
|
<Src neg="False">
|
|
<ObjectRef ref="id3DC75CE7-1"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="tcp-SSH"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="color"></Option>
|
|
<Option name="pf_classify_str"></Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<PolicyRule id="id79954X23273" disabled="False" group="New Group" log="True" position="3" action="Accept" direction="Both" comment="Firewall uses one of the machines on internal network for DNS">
|
|
<Src neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="id3DC75CE7-1"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="id3F530CC8"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="pf_classify_str"></Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<PolicyRule id="id79982X23273" disabled="False" group="New Group" log="True" position="4" action="Deny" direction="Both" comment="All other attempts to connect to the firewall are denied and logged">
|
|
<Src neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="color"></Option>
|
|
<Option name="pf_classify_str"></Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<PolicyRule id="id80010X23273" disabled="False" group="" log="False" position="5" action="Accept" direction="Both" comment="">
|
|
<Src neg="False">
|
|
<ObjectRef ref="id3DC75CE7-1"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="id80030X23273"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="color"></Option>
|
|
<Option name="pf_classify_str"></Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<PolicyRule id="id80039X23273" disabled="False" group="" log="True" position="6" action="Reject" direction="Both" comment="">
|
|
<Src neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="pf_classify_str"></Option>
|
|
<Option name="stateless">True</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<RuleSetOptions/>
|
|
</Policy>
|
|
<Routing id="id80371X23273" name="Routing" comment="" ro="False" ipv4_rule_set="False" ipv6_rule_set="False" top_rule_set="True">
|
|
<RuleSetOptions/>
|
|
</Routing>
|
|
<Interface id="id80372X23273" dedicated_failover="False" dyn="False" label="outside" mgmt="False" security_level="0" unnum="False" unprotected="False" name="eth0" comment="" ro="False">
|
|
<IPv4 id="id80373X23273" name="fw1:eth0:ip" comment="" ro="False" address="192.0.2.1" netmask="255.255.255.0"/>
|
|
<InterfaceOptions/>
|
|
</Interface>
|
|
<Interface id="id80374X23273" dedicated_failover="False" dyn="False" label="inside" mgmt="True" security_level="100" unnum="False" unprotected="False" name="eth1" comment="" ro="False">
|
|
<IPv4 id="id80375X23273" name="fw1:eth1:ip" comment="" ro="False" address="192.168.1.1" netmask="255.255.255.0"/>
|
|
<IPv6 id="id80376X23273" name="fw1:eth1:ipv6" comment="" ro="False" address="fe80::21d:9ff:fe8b:8e94" netmask="64"/>
|
|
<InterfaceOptions/>
|
|
</Interface>
|
|
<Interface id="id80377X23273" dedicated_failover="False" dyn="False" label="loopback" mgmt="False" security_level="100" unnum="False" unprotected="False" name="lo" comment="" ro="False">
|
|
<IPv4 id="id80378X23273" name="fw1:lo:ip" comment="" ro="False" address="127.0.0.1" netmask="255.0.0.0"/>
|
|
<InterfaceOptions/>
|
|
</Interface>
|
|
<Management address="0.0.0.0">
|
|
<SNMPManagement enabled="False" snmp_read_community="" snmp_write_community=""/>
|
|
<FWBDManagement enabled="False" identity="" port="-1"/>
|
|
<PolicyInstallScript arguments="" command="" enabled="False"/>
|
|
</Management>
|
|
<FirewallOptions>
|
|
<Option name="accept_established">true</Option>
|
|
<Option name="accept_new_tcp_with_no_syn">true</Option>
|
|
<Option name="add_check_state_rule">true</Option>
|
|
<Option name="check_shading">true</Option>
|
|
<Option name="configure_interfaces">true</Option>
|
|
<Option name="eliminate_duplicates">true</Option>
|
|
<Option name="firewall_dir">/etc</Option>
|
|
<Option name="firewall_is_part_of_any_and_networks">true</Option>
|
|
<Option name="freebsd_ip_forward">1</Option>
|
|
<Option name="in_out_code">true</Option>
|
|
<Option name="iosacl_add_clear_statements">true</Option>
|
|
<Option name="iosacl_assume_fw_part_of_any">true</Option>
|
|
<Option name="iosacl_include_comments">true</Option>
|
|
<Option name="limit_value">0</Option>
|
|
<Option name="linux24_ip_forward">1</Option>
|
|
<Option name="load_modules">true</Option>
|
|
<Option name="local_nat">false</Option>
|
|
<Option name="log_level">info</Option>
|
|
<Option name="log_prefix">RULE %N -- %A </Option>
|
|
<Option name="loopback_interface">lo0</Option>
|
|
<Option name="macosx_ip_forward">1</Option>
|
|
<Option name="manage_virtual_addr">true</Option>
|
|
<Option name="openbsd_ip_forward">1</Option>
|
|
<Option name="pass_all_out">false</Option>
|
|
<Option name="pf_limit_frags">5000</Option>
|
|
<Option name="pf_limit_states">10000</Option>
|
|
<Option name="pf_scrub_maxmss">1460</Option>
|
|
<Option name="pf_timeout_frag">30</Option>
|
|
<Option name="pf_timeout_interval">10</Option>
|
|
<Option name="pix_add_clear_statements">true</Option>
|
|
<Option name="pix_assume_fw_part_of_any">true</Option>
|
|
<Option name="pix_default_logint">300</Option>
|
|
<Option name="pix_emblem_log_format">false</Option>
|
|
<Option name="pix_emulate_out_acl">true</Option>
|
|
<Option name="pix_floodguard">true</Option>
|
|
<Option name="pix_include_comments">true</Option>
|
|
<Option name="pix_route_dnat_supported">true</Option>
|
|
<Option name="pix_rule_syslog_settings">false</Option>
|
|
<Option name="pix_security_fragguard_supported">true</Option>
|
|
<Option name="pix_syslog_device_id_supported">false</Option>
|
|
<Option name="pix_use_acl_remarks">true</Option>
|
|
<Option name="prompt1">$ </Option>
|
|
<Option name="prompt2"> # </Option>
|
|
<Option name="solaris_ip_forward">1</Option>
|
|
<Option name="ulog_nlgroup">1</Option>
|
|
<Option name="verify_interfaces">true</Option>
|
|
</FirewallOptions>
|
|
</Firewall>
|
|
<Firewall id="id18510X75509" host_OS="openbsd" inactive="False" lastCompiled="0" lastInstalled="0" lastModified="1253295292" platform="pf" version="" name="firewall63" comment="testing tos matching" ro="False">
|
|
<NAT id="id18578X75509" name="NAT" comment="" ro="False" ipv4_rule_set="False" ipv6_rule_set="False" top_rule_set="True">
|
|
<NATRule id="id18579X75509" disabled="True" group="" position="0" action="Translate" comment="">
|
|
<OSrc neg="False">
|
|
<ObjectRef ref="net-Internal_net"/>
|
|
</OSrc>
|
|
<ODst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ODst>
|
|
<OSrv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</OSrv>
|
|
<TSrc neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</TSrc>
|
|
<TDst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</TDst>
|
|
<TSrv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</TSrv>
|
|
<ItfInb neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ItfInb>
|
|
<ItfOutb neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ItfOutb>
|
|
<NATRuleOptions/>
|
|
</NATRule>
|
|
<RuleSetOptions/>
|
|
</NAT>
|
|
<Policy id="id18516X75509" name="Policy" comment="" ro="False" ipv4_rule_set="False" ipv6_rule_set="False" top_rule_set="True">
|
|
<PolicyRule id="id18517X75509" disabled="False" group="" log="True" position="0" action="Deny" direction="Both" comment="">
|
|
<Src neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="id3C6820443"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="action_on_reject"></Option>
|
|
<Option name="limit_value">0</Option>
|
|
<Option name="log_limit_suffix"></Option>
|
|
<Option name="log_prefix"></Option>
|
|
<Option name="pf_classify_str"></Option>
|
|
<Option name="stateless">True</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<PolicyRule id="id18529X75509" disabled="False" group="" log="True" position="1" action="Deny" direction="Both" comment="">
|
|
<Src neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="idC5F120443"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="action_on_reject"></Option>
|
|
<Option name="limit_value">0</Option>
|
|
<Option name="log_limit_suffix"></Option>
|
|
<Option name="log_prefix"></Option>
|
|
<Option name="pf_classify_str"></Option>
|
|
<Option name="stateless">True</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<PolicyRule id="id18541X75509" disabled="False" group="" log="True" position="2" action="Deny" direction="Both" comment="">
|
|
<Src neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="idC5F120443"/>
|
|
<ServiceRef ref="id3C6820443"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="pf_classify_str"></Option>
|
|
<Option name="stateless">True</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<PolicyRule id="id18554X75509" disabled="True" group="" log="True" position="3" action="Deny" direction="Both" comment="DSCP matching is not supported by pf">
|
|
<Src neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="id3C6920443"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="action_on_reject"></Option>
|
|
<Option name="limit_value">0</Option>
|
|
<Option name="log_limit_suffix"></Option>
|
|
<Option name="log_prefix"></Option>
|
|
<Option name="pf_classify_str"></Option>
|
|
<Option name="stateless">True</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<PolicyRule id="id18566X75509" disabled="False" group="" log="True" position="4" action="Deny" direction="Both" comment="">
|
|
<Src neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="pf_classify_str"></Option>
|
|
<Option name="stateless">True</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<RuleSetOptions/>
|
|
</Policy>
|
|
<Routing id="id18593X75509" name="Routing" comment="" ro="False" ipv4_rule_set="False" ipv6_rule_set="False" top_rule_set="True">
|
|
<RuleSetOptions/>
|
|
</Routing>
|
|
<Interface id="id18594X75509" dedicated_failover="False" dyn="False" security_level="0" unnum="False" unprotected="False" name="eth1" comment="" ro="False">
|
|
<IPv4 id="id18596X75509" name="firewall63:eth1:ip" comment="" ro="False" address="22.22.22.22" netmask="255.255.255.0"/>
|
|
<InterfaceOptions/>
|
|
</Interface>
|
|
<Interface id="id18597X75509" dedicated_failover="False" dyn="False" security_level="100" unnum="False" unprotected="False" name="eth0" comment="" ro="False">
|
|
<IPv4 id="id18599X75509" name="firewall63:eth0:ip" comment="" ro="False" address="192.168.1.1" netmask="255.255.255.0"/>
|
|
<InterfaceOptions/>
|
|
</Interface>
|
|
<Interface id="id18600X75509" dedicated_failover="False" dyn="False" label="" mgmt="False" security_level="0" unnum="False" unprotected="False" name="lo" comment="" ro="False">
|
|
<IPv4 id="id18602X75509" name="firewall63:lo:ip" comment="" ro="False" address="127.0.0.1" netmask="255.0.0.0"/>
|
|
<InterfaceOptions/>
|
|
</Interface>
|
|
<Management address="127.0.0.1">
|
|
<SNMPManagement enabled="False" snmp_read_community="public" snmp_write_community=""/>
|
|
<FWBDManagement enabled="True" identity="" port="9999"/>
|
|
<PolicyInstallScript arguments="" command="" enabled="False"/>
|
|
</Management>
|
|
<FirewallOptions>
|
|
<Option name="accept_established">False</Option>
|
|
<Option name="accept_new_tcp_with_no_syn">False</Option>
|
|
<Option name="action_on_reject">ICMP net unreachable</Option>
|
|
<Option name="activationCmd"></Option>
|
|
<Option name="admUser"></Option>
|
|
<Option name="altAddress"></Option>
|
|
<Option name="check_shading">False</Option>
|
|
<Option name="clamp_mss_to_mtu">False</Option>
|
|
<Option name="cmdline"></Option>
|
|
<Option name="compiler"></Option>
|
|
<Option name="configure_interfaces">False</Option>
|
|
<Option name="debug">False</Option>
|
|
<Option name="dyn_addr">False</Option>
|
|
<Option name="enable_ipv6">False</Option>
|
|
<Option name="epilog_script"></Option>
|
|
<Option name="fallback_log">False</Option>
|
|
<Option name="firewall_dir"></Option>
|
|
<Option name="firewall_is_part_of_any">True</Option>
|
|
<Option name="firewall_is_part_of_any_and_networks">True</Option>
|
|
<Option name="ignore_empty_groups">True</Option>
|
|
<Option name="in_out_code">True</Option>
|
|
<Option name="inst_cmdline"></Option>
|
|
<Option name="inst_script"></Option>
|
|
<Option name="install_script"></Option>
|
|
<Option name="ipv4_6_order">ipv4_first</Option>
|
|
<Option name="limit_suffix">/second</Option>
|
|
<Option name="limit_value">0</Option>
|
|
<Option name="linux24_ip_forward">0</Option>
|
|
<Option name="linux24_tcp_fin_timeout">30</Option>
|
|
<Option name="linux24_tcp_keepalive_interval">1800</Option>
|
|
<Option name="load_modules">False</Option>
|
|
<Option name="log_all_dropped">True</Option>
|
|
<Option name="log_ip_opt">False</Option>
|
|
<Option name="log_level">debug</Option>
|
|
<Option name="log_limit_suffix">/second</Option>
|
|
<Option name="log_limit_value">0</Option>
|
|
<Option name="log_prefix"></Option>
|
|
<Option name="log_tcp_opt">False</Option>
|
|
<Option name="log_tcp_seq">False</Option>
|
|
<Option name="manage_virtual_addr">True</Option>
|
|
<Option name="mgmt_addr"></Option>
|
|
<Option name="mgmt_ssh">False</Option>
|
|
<Option name="modulate_state">True</Option>
|
|
<Option name="no_iochains_for_any">False</Option>
|
|
<Option name="no_optimisation">False</Option>
|
|
<Option name="openbsd_ip_directed_broadcast">0</Option>
|
|
<Option name="openbsd_ip_forward">1</Option>
|
|
<Option name="openbsd_ip_redirect">0</Option>
|
|
<Option name="openbsd_ip_sourceroute">0</Option>
|
|
<Option name="openbsd_path_pfctl"></Option>
|
|
<Option name="openbsd_path_sysctl"></Option>
|
|
<Option name="output_file"></Option>
|
|
<Option name="pass_all_out">False</Option>
|
|
<Option name="pf_adaptive_end">0</Option>
|
|
<Option name="pf_adaptive_start">0</Option>
|
|
<Option name="pf_do_limit_frags">False</Option>
|
|
<Option name="pf_do_limit_src_nodes">False</Option>
|
|
<Option name="pf_do_limit_states">False</Option>
|
|
<Option name="pf_do_limit_table_entries">False</Option>
|
|
<Option name="pf_do_limit_tables">False</Option>
|
|
<Option name="pf_do_scrub">False</Option>
|
|
<Option name="pf_do_timeout_frag">False</Option>
|
|
<Option name="pf_do_timeout_interval">False</Option>
|
|
<Option name="pf_icmp_error">0</Option>
|
|
<Option name="pf_icmp_first">0</Option>
|
|
<Option name="pf_limit_frags">5000</Option>
|
|
<Option name="pf_limit_src_nodes">0</Option>
|
|
<Option name="pf_limit_states">10000</Option>
|
|
<Option name="pf_limit_table_entries">0</Option>
|
|
<Option name="pf_limit_tables">0</Option>
|
|
<Option name="pf_optimization"></Option>
|
|
<Option name="pf_other_first">0</Option>
|
|
<Option name="pf_other_multiple">0</Option>
|
|
<Option name="pf_other_single">0</Option>
|
|
<Option name="pf_scrub_fragm_crop">False</Option>
|
|
<Option name="pf_scrub_fragm_drop_ovl">False</Option>
|
|
<Option name="pf_scrub_maxmss">1460</Option>
|
|
<Option name="pf_scrub_minttl">1</Option>
|
|
<Option name="pf_scrub_no_df">False</Option>
|
|
<Option name="pf_scrub_random_id">False</Option>
|
|
<Option name="pf_scrub_reassemble">True</Option>
|
|
<Option name="pf_scrub_use_maxmss">False</Option>
|
|
<Option name="pf_scrub_use_minttl">False</Option>
|
|
<Option name="pf_set_adaptive">False</Option>
|
|
<Option name="pf_set_icmp_error">False</Option>
|
|
<Option name="pf_set_icmp_first">False</Option>
|
|
<Option name="pf_set_other_first">False</Option>
|
|
<Option name="pf_set_other_multiple">False</Option>
|
|
<Option name="pf_set_other_single">False</Option>
|
|
<Option name="pf_set_tcp_closed">False</Option>
|
|
<Option name="pf_set_tcp_closing">False</Option>
|
|
<Option name="pf_set_tcp_established">False</Option>
|
|
<Option name="pf_set_tcp_finwait">False</Option>
|
|
<Option name="pf_set_tcp_first">False</Option>
|
|
<Option name="pf_set_tcp_opening">False</Option>
|
|
<Option name="pf_set_udp_first">False</Option>
|
|
<Option name="pf_set_udp_multiple">False</Option>
|
|
<Option name="pf_set_udp_single">False</Option>
|
|
<Option name="pf_tcp_closed">0</Option>
|
|
<Option name="pf_tcp_closing">0</Option>
|
|
<Option name="pf_tcp_established">0</Option>
|
|
<Option name="pf_tcp_finwait">0</Option>
|
|
<Option name="pf_tcp_first">0</Option>
|
|
<Option name="pf_tcp_opening">0</Option>
|
|
<Option name="pf_timeout_frag">30</Option>
|
|
<Option name="pf_timeout_interval">10</Option>
|
|
<Option name="pf_udp_first">0</Option>
|
|
<Option name="pf_udp_multiple">0</Option>
|
|
<Option name="pf_udp_single">0</Option>
|
|
<Option name="platform">iptables</Option>
|
|
<Option name="prolog_place">fw_file</Option>
|
|
<Option name="prolog_script"></Option>
|
|
<Option name="script_env_path"></Option>
|
|
<Option name="snmp_contact"></Option>
|
|
<Option name="snmp_description"></Option>
|
|
<Option name="snmp_location"></Option>
|
|
<Option name="sshArgs"></Option>
|
|
<Option name="use_numeric_log_levels">False</Option>
|
|
<Option name="use_tables">True</Option>
|
|
</FirewallOptions>
|
|
</Firewall>
|
|
<IPv4 id="id20241X55531" name="firewall80:en1:ip-1" comment="" ro="False" address="33.33.33.33" netmask="255.255.255.0"/>
|
|
<IPv4 id="id20710X27133" name="fw2:eth3:ip" comment="" ro="False" address="22.22.23.23" netmask="255.255.255.0"/>
|
|
<IPv4 id="id119356X58767" name="openbsd47:em0:ip-1" comment="" ro="False" address="0.0.0.0" netmask="0.0.0.0"/>
|
|
<IPv4 id="id33933X2131" name="firewall104:bridge0:ip" comment="" ro="False" address="192.168.1.1" netmask="255.255.255.0"/>
|
|
<Interface id="id34202X23052" dedicated_failover="False" dyn="False" label="" mgmt="False" security_level="0" unnum="False" unprotected="False" name="bridge0" comment="" ro="False">
|
|
<IPv4 id="id34209X23052" name="firewall107:bridge0:ip" comment="" ro="False" address="192.168.1.1" netmask="255.255.255.0"/>
|
|
<InterfaceOptions>
|
|
<Option name="type">bridge</Option>
|
|
<Option name="vlan_id">0</Option>
|
|
</InterfaceOptions>
|
|
<Interface id="id34211X23052" dedicated_failover="False" dyn="False" label="" mgmt="False" security_level="0" unnum="False" unprotected="False" name="em2" comment="" ro="False">
|
|
<InterfaceOptions>
|
|
<Option name="type">ethernet</Option>
|
|
</InterfaceOptions>
|
|
</Interface>
|
|
<Interface id="id34214X23052" dedicated_failover="False" dyn="False" security_level="0" unnum="False" unprotected="False" name="em3" comment="" ro="False">
|
|
<InterfaceOptions>
|
|
<Option name="type">ethernet</Option>
|
|
</InterfaceOptions>
|
|
</Interface>
|
|
</Interface>
|
|
<IPv4 id="id35220X5121" name="firewall109:em1:ip" comment="" ro="False" address="10.1.1.81" netmask="255.255.255.0"/>
|
|
<Interface id="id35557X5911" dedicated_failover="False" dyn="False" label="" mgmt="False" security_level="0" unnum="False" unprotected="False" name="em1" comment="" ro="False">
|
|
<InterfaceOptions>
|
|
<Option name="enable_stp">False</Option>
|
|
<Option name="iface_configure_mtu">False</Option>
|
|
<Option name="iface_mtu">1500</Option>
|
|
<Option name="iface_options">media 100baseTX mediaopt full-duplex up</Option>
|
|
<Option name="type">ethernet</Option>
|
|
<Option name="vlan_id">0</Option>
|
|
</InterfaceOptions>
|
|
</Interface>
|
|
<Interface id="id35560X5911" dedicated_failover="False" dyn="False" security_level="0" unnum="False" unprotected="False" name="em2" comment="" ro="False">
|
|
<InterfaceOptions>
|
|
<Option name="enable_stp">False</Option>
|
|
<Option name="iface_configure_mtu">False</Option>
|
|
<Option name="iface_mtu">1500</Option>
|
|
<Option name="iface_options">media 100baseTX mediaopt full-duplex up</Option>
|
|
<Option name="type">ethernet</Option>
|
|
<Option name="vlan_id">0</Option>
|
|
</InterfaceOptions>
|
|
</Interface>
|
|
<Interface id="id35543X5911" dedicated_failover="False" dyn="False" security_level="0" unnum="False" unprotected="False" name="vlan102" comment="" ro="False">
|
|
<IPv4 id="id35546X5911" name="firewall109:em2:vlan102:ip" comment="" ro="False" address="192.168.102.1" netmask="255.255.255.0"/>
|
|
<InterfaceOptions>
|
|
<Option name="enable_stp">False</Option>
|
|
<Option name="iface_configure_mtu">False</Option>
|
|
<Option name="iface_mtu">1500</Option>
|
|
<Option name="iface_options"></Option>
|
|
<Option name="type">8021q</Option>
|
|
<Option name="vlan_id">102</Option>
|
|
</InterfaceOptions>
|
|
</Interface>
|
|
<IPv4 id="id35541X5911" name="firewall109-2:em2:vlan8210:ip" comment="" ro="False" address="192.168.101.1" netmask="255.255.255.0"/>
|
|
</Library>
|
|
<Library id="syslib001" color="#d2ffd0" name="User" comment="User defined objects" ro="False">
|
|
<ObjectGroup id="stdid01_1_clusters" name="Clusters" comment="" ro="False"/>
|
|
<ObjectGroup id="stdid01_1" name="Objects" comment="" ro="False">
|
|
<ObjectGroup id="stdid01_1_og_ats_1" name="Address Tables" comment="" ro="False">
|
|
<AddressTable id="id4389EE9018346" filename="addr-table-1.tbl" run_time="False" name="addr-table-1" comment="" ro="False"/>
|
|
<AddressTable id="id4389EE9118346" filename="block-hosts.tbl" run_time="True" name="block these" comment="this is a run-time table" ro="False"/>
|
|
<AddressTable id="id452762A75348" filename="" run_time="True" name="spammers" comment="empty file name; should generate code like this: table &lt;spammers&gt; persist without &quot;file 'blah'&quot; " ro="False"/>
|
|
<AddressTable id="id20634X8713" filename="file_does_not_exist.tbl" run_time="False" name="missing table" comment="" ro="False"/>
|
|
</ObjectGroup>
|
|
<ObjectGroup id="stdid16_1" name="Addresses" comment="" ro="False">
|
|
<IPv4 id="id4388C37D674" name="sapmhost1" comment="" ro="False" address="61.150.47.112" netmask="255.255.255.255"/>
|
|
<IPv4 id="id446FCEEA10619" name="spamhost2" comment="" ro="False" address="7.7.7.7" netmask="255.255.255.255"/>
|
|
<IPv4 id="id44F7082928576" name="some address" comment="" ro="False" address="1.1.1.1" netmask="255.255.255.255"/>
|
|
<IPv6 id="id48416A7216880" name="6bone.net" comment="" ro="False" address="2001:5c0:0:2::24" netmask="128"/>
|
|
<IPv6 id="id48416A7116880" name="altavista" comment="" ro="False" address="3ffe:1200:2001:1:8000::1" netmask="128"/>
|
|
<IPv4 id="id417B3641" name="net_address" comment="" ro="False" address="192.168.1.0" netmask="255.255.255.255"/>
|
|
<IPv4 id="id20598X3490" name="routable server address 1" comment="" ro="False" address="222.222.222.22" netmask="0.0.0.0"/>
|
|
<IPv4 id="id20599X3490" name="routable server address 2" comment="" ro="False" address="222.222.222.23" netmask="0.0.0.0"/>
|
|
<IPv4 id="id79488X23273" name="h-10.3.14.40" comment="Imported from &quot;c3620&quot; 10.3.14.40/255.255.255.255" ro="False" address="10.3.14.40" netmask="255.255.255.255"/>
|
|
<IPv4 id="id79492X23273" name="h-192.168.171.2" comment="Imported from &quot;c3620&quot; 192.168.171.2/255.255.255.255" ro="False" address="192.168.171.2" netmask="255.255.255.255"/>
|
|
<IPv4 id="id79522X23273" name="h-10.3.14.201" comment="Imported from &quot;c3620&quot; 10.3.14.201/255.255.255.255" ro="False" address="10.3.14.201" netmask="255.255.255.255"/>
|
|
<IPv4 id="id80198X23273" name="a-192.168.1.10" comment="" ro="False" address="192.168.1.10" netmask="0.0.0.0"/>
|
|
<IPv4 id="id71290X60336" name="h-10.3.14.41" comment="" ro="False" address="10.3.14.41" netmask="0.0.0.0"/>
|
|
<IPv4 id="id272368X18008" name="dmz-host" comment="" ro="False" address="192.168.2.200" netmask="0.0.0.0"/>
|
|
<IPv4 id="id33008X21143" name="addr-10.1.1.1" comment="" ro="False" address="10.1.1.1" netmask="0.0.0.0"/>
|
|
<IPv4 id="id518129X21143" name="addr-10.1.1.2" comment="" ro="False" address="10.1.1.2" netmask="0.0.0.0"/>
|
|
<IPv4 id="id134690X19225" name="addr-222.222.222.40" comment="" ro="False" address="222.222.222.40" netmask="0.0.0.0"/>
|
|
<IPv4 id="id135048X19225" name="a-192.168.1.10-copy" comment="" ro="False" address="192.168.1.10" netmask="0.0.0.0"/>
|
|
<IPv4 id="id41167X11081" name="a-192.168.1.11" comment="" ro="False" address="255.255.255.255" netmask="0.0.0.0"/>
|
|
</ObjectGroup>
|
|
<ObjectGroup id="stdid04_1" name="Groups" comment="" ro="False">
|
|
<ObjectGroup id="id3B4572AF" name="group1" comment="" ro="False">
|
|
<ObjectRef ref="host-hostA"/>
|
|
<ObjectRef ref="host-hostB"/>
|
|
</ObjectGroup>
|
|
<ObjectGroup id="id3B4572B5" name="platform" comment="" ro="False">
|
|
<ObjectRef ref="id3AFC0F70"/>
|
|
<ObjectRef ref="id3AFC191C"/>
|
|
</ObjectGroup>
|
|
<ObjectGroup id="id3BBC0EFC" name="netgroup1" comment="" ro="False">
|
|
<ObjectRef ref="net-Internal_net"/>
|
|
<ObjectRef ref="id3B022266"/>
|
|
</ObjectGroup>
|
|
<ObjectGroup id="id3CD87A9A" name="group-range-1" comment="" ro="False">
|
|
<ObjectRef ref="id3CD87A53"/>
|
|
<ObjectRef ref="id3CD87A5E"/>
|
|
<ObjectRef ref="id3CD87A6D"/>
|
|
<ObjectRef ref="id3CD87A7C"/>
|
|
<ObjectRef ref="id3CD87A8B"/>
|
|
</ObjectGroup>
|
|
<ObjectGroup id="id3D8FED30" name="group2" comment="" ro="False">
|
|
<ObjectRef ref="host-hostA"/>
|
|
</ObjectGroup>
|
|
<ObjectGroup id="id3DE69469" name="egroup" comment="" ro="False"/>
|
|
<ObjectGroup id="id3DE6946A" name="egroup2" comment="" ro="False">
|
|
<ObjectRef ref="id3DE69469"/>
|
|
</ObjectGroup>
|
|
<ObjectGroup id="id4390C25525682" name="at group" comment="this group is a combination of a regular address object and an address table in run-time mode" ro="False">
|
|
<ObjectRef ref="id4388C37D674"/>
|
|
<ObjectRef ref="id4389EE9118346"/>
|
|
<ObjectRef ref="id446FB0EA10619"/>
|
|
<ObjectRef ref="id446FCEEA10619"/>
|
|
</ObjectGroup>
|
|
<ObjectGroup id="id446FB0EA10619" name="tbl group" comment="" ro="False">
|
|
<ObjectRef ref="id4389EE9018346"/>
|
|
</ObjectGroup>
|
|
<ObjectGroup id="id4653861721432" name="f2i1,3" comment="" ro="False">
|
|
<ObjectRef ref="id3AFB6706"/>
|
|
<ObjectRef ref="id3AFB68D2"/>
|
|
</ObjectGroup>
|
|
<ObjectGroup id="id4653B74121432" name="f2i1" comment="" ro="False">
|
|
<ObjectRef ref="id3AFB6706"/>
|
|
</ObjectGroup>
|
|
<ObjectGroup id="id4834A2238571" name="ipv6 addresses" comment="" ro="False">
|
|
<ObjectRef ref="id48416A7016880"/>
|
|
<ObjectRef ref="id48416A7216880"/>
|
|
<ObjectRef ref="id48416A7116880"/>
|
|
</ObjectGroup>
|
|
<ObjectGroup id="id4834A2278571" name="ipv4 ipv6 addresses" comment="" ro="False">
|
|
<ObjectRef ref="id417B3641"/>
|
|
<ObjectRef ref="id4388C37D674"/>
|
|
<ObjectRef ref="id48416A7216880"/>
|
|
<ObjectRef ref="id48416A7116880"/>
|
|
</ObjectGroup>
|
|
<ObjectGroup id="id135005X19225" name="fw2-6-em0-em2" comment="" ro="False">
|
|
<ObjectRef ref="id134564X19225"/>
|
|
<ObjectRef ref="id134573X19225"/>
|
|
</ObjectGroup>
|
|
<ObjectGroup id="id135011X19225" name="fw2-6-em1-em3" comment="" ro="False">
|
|
<ObjectRef ref="id134567X19225"/>
|
|
<ObjectRef ref="id134570X19225"/>
|
|
</ObjectGroup>
|
|
<ObjectGroup id="id59240X22951" name="fw93_group_1" comment="" ro="False">
|
|
<ObjectRef ref="id80198X23273"/>
|
|
<ObjectRef ref="id43F7DCF631316"/>
|
|
</ObjectGroup>
|
|
<ObjectGroup id="id59256X22951" name="fw93_group_2" comment="" ro="False">
|
|
<ObjectRef ref="id79492X23273"/>
|
|
</ObjectGroup>
|
|
<ObjectGroup id="id59274X22951" name="fw93_group_3" comment="" ro="False">
|
|
<ObjectRef ref="id4389EE9018346"/>
|
|
<ObjectRef ref="id4733FFE419714"/>
|
|
</ObjectGroup>
|
|
<ObjectGroup id="id59769X22951" name="fw93_group_4_ipv6" comment="" ro="False">
|
|
<ObjectRef ref="id79830X23273"/>
|
|
<ObjectRef ref="id48416A7116880"/>
|
|
</ObjectGroup>
|
|
<ObjectGroup id="id59939X22951" name="fw93_group_5_mix" comment="" ro="False">
|
|
<ObjectRef ref="id79830X23273"/>
|
|
<ObjectRef ref="id3CEBFDFC"/>
|
|
<ObjectRef ref="id3359X12564"/>
|
|
<ObjectRef ref="id3341X12564"/>
|
|
<ObjectRef ref="id4733FFE419714"/>
</ObjectGroup>
<ObjectGroup id="id60030X22951" name="fw93_group_6" comment="this group uses the same object as fw93_group_1" ro="False">
<ObjectRef ref="id3CEBFDFC"/>
<ObjectRef ref="id80198X23273"/>
</ObjectGroup>
<ObjectGroup id="id60070X22951" name="fw93_group_1-copy" comment="" ro="False">
<ObjectRef ref="id80198X23273"/>
<ObjectRef ref="id43F7DCF631316"/>
</ObjectGroup>
</ObjectGroup>
<ObjectGroup id="stdid02_1" name="Hosts" comment="" ro="False">
<Host id="id3B64FFAC" name="broadcast" comment="broadcast on internal subnet" ro="False">
<Interface id="id3B64FFAC-i" dedicated_failover="False" dyn="False" security_level="100" unnum="False" unprotected="False" name="unknown" comment="" ro="False">
<IPv4 id="id3B64FFAC-i-ipv4" name="address" comment="" ro="False" address="192.168.1.255" netmask="255.255.255.255"/>
<InterfaceOptions/>
</Interface>
<HostOptions>
<Option name="use_mac_addr_filter">false</Option>
</HostOptions>
</Host>
<Host id="host-hostA" name="hostA" comment="" ro="False">
<Interface id="host-hostA-i" dedicated_failover="False" dyn="False" label="" security_level="100" unnum="False" unprotected="False" name="hostA_eth0" comment="" ro="False">
<IPv4 id="host-hostA-i-ipv4" name="address" comment="" ro="False" address="192.168.1.10" netmask="255.255.255.255"/>
<InterfaceOptions/>
</Interface>
<Management address="192.168.1.10">
<SNMPManagement enabled="False" snmp_read_community="public" snmp_write_community=""/>
<FWBDManagement enabled="False" identity="" port="-1"/>
<PolicyInstallScript arguments="" command="" enabled="False"/>
</Management>
<HostOptions>
<Option name="snmp_contact"></Option>
<Option name="snmp_description"></Option>
<Option name="snmp_location"></Option>
<Option name="use_mac_addr_filter">False</Option>
</HostOptions>
</Host>
<Host id="id3B3D5A3B" name="hostA-2" comment="" ro="False">
<Interface id="id3B3D5A3B-i" dedicated_failover="False" dyn="False" security_level="0" unnum="False" unprotected="False" name="interface-1" comment="" ro="False">
<IPv4 id="id3B3D5A3B-i-1-addr" name="address" comment="" ro="False" address="192.168.1.10" netmask="255.255.255.255"/>
<InterfaceOptions/>
</Interface>
<Management address="192.168.1.10">
<SNMPManagement enabled="False" snmp_read_community="public" snmp_write_community=""/>
<FWBDManagement enabled="False" identity="" port="-1"/>
<PolicyInstallScript arguments="" command="" enabled="False"/>
</Management>
<HostOptions>
<Option name="snmp_contact"></Option>
<Option name="snmp_description"></Option>
<Option name="snmp_location"></Option>
<Option name="use_mac_addr_filter">False</Option>
</HostOptions>
</Host>
<Host id="id3AFADBF9" name="hostA-NAT" comment="translated address for hostA" ro="False">
<Interface id="id3AFADBF9-i" dedicated_failover="False" dyn="False" security_level="100" unnum="False" unprotected="False" name="unknown" comment="" ro="False">
<IPv4 id="id3AFADBF9-i-ipv4" name="address" comment="" ro="False" address="22.22.22.23" netmask="255.255.255.255"/>
<InterfaceOptions/>
</Interface>
<Management address="0.0.0.0">
<SNMPManagement enabled="False" snmp_read_community="" snmp_write_community=""/>
<FWBDManagement enabled="False" identity="" port="-1"/>
<PolicyInstallScript arguments="" command="" enabled="False"/>
</Management>
<HostOptions>
<Option name="use_mac_addr_filter">false</Option>
</HostOptions>
</Host>
<Host id="host-hostB" name="hostB" comment="" ro="False">
<Interface id="host-hostB-i" dedicated_failover="False" dyn="False" security_level="100" unnum="False" unprotected="False" name="unknown" comment="" ro="False">
<IPv4 id="host-hostB-i-ipv4" name="address" comment="" ro="False" address="192.168.1.20" netmask="255.255.255.255"/>
<InterfaceOptions/>
</Interface>
<Management address="192.168.1.20">
<SNMPManagement enabled="False" snmp_read_community="public" snmp_write_community=""/>
<FWBDManagement enabled="False" identity="" port="-1"/>
<PolicyInstallScript arguments="" command="" enabled="False"/>
</Management>
<HostOptions>
<Option name="use_mac_addr_filter">false</Option>
</HostOptions>
</Host>
<Host id="id3BD6736B" name="hostB-NAT" comment="" ro="False">
<Interface id="id3BD6736B-i" dedicated_failover="False" dyn="False" security_level="100" unnum="False" unprotected="False" name="unknown" comment="" ro="False">
<IPv4 id="id3BD6736B-i-ipv4" name="address" comment="" ro="False" address="22.22.23.24" netmask="255.255.255.255"/>
<InterfaceOptions/>
</Interface>
<HostOptions>
<Option name="use_mac_addr_filter">false</Option>
</HostOptions>
</Host>
<Host id="id3AFC0F70" name="host-fw2" comment="this host has the same IP address as firewall1 and firewall2" ro="False">
<Interface id="id3AFC0F70-i" dedicated_failover="False" dyn="False" security_level="100" unnum="False" unprotected="False" name="unknown" comment="" ro="False">
<IPv4 id="id3AFC0F70-i-ipv4" name="host-fw2-addr" comment="" ro="False" address="22.22.22.22" netmask="255.255.255.255"/>
<InterfaceOptions/>
</Interface>
<HostOptions>
<Option name="use_mac_addr_filter">false</Option>
</HostOptions>
</Host>
<Host id="id3AFC191C" name="hostF-int" comment="the same address as internal iface of firewall1" ro="False">
<Interface id="id3AFC191C-i" dedicated_failover="False" dyn="False" security_level="100" unnum="False" unprotected="False" name="unknown" comment="" ro="False">
<IPv4 id="id3AFC191C-i-ipv4" name="address" comment="" ro="False" address="192.168.1.1" netmask="255.255.255.255"/>
<InterfaceOptions/>
</Interface>
<HostOptions>
<Option name="use_mac_addr_filter">false</Option>
</HostOptions>
</Host>
<Host id="id3B19C5EB" name="outside-host" comment="some host outside our network" ro="False">
<Interface id="id3B19C5EB-i" dedicated_failover="False" dyn="False" security_level="100" unnum="False" unprotected="False" name="unknown" comment="" ro="False">
<IPv4 id="id3B19C5EB-i-ipv4" name="address" comment="" ro="False" address="200.200.200.200" netmask="255.255.255.255"/>
<InterfaceOptions/>
</Interface>
<HostOptions>
<Option name="use_mac_addr_filter">false</Option>
</HostOptions>
</Host>
<Host id="host-secondary1-com" name="secondary1.com" comment="" ro="False">
<Interface id="host-secondary1-com-i" dedicated_failover="False" dyn="False" security_level="100" unnum="False" unprotected="False" name="unknown" comment="" ro="False">
<IPv4 id="host-secondary1-com-i-ipv4" name="address" comment="" ro="False" address="211.11.11.11" netmask="255.255.255.255"/>
<InterfaceOptions/>
</Interface>
<Management address="211.11.11.11">
<SNMPManagement enabled="False" snmp_read_community="public" snmp_write_community=""/>
<FWBDManagement enabled="False" identity="" port="-1"/>
<PolicyInstallScript arguments="" command="" enabled="False"/>
</Management>
<HostOptions>
<Option name="use_mac_addr_filter">false</Option>
</HostOptions>
</Host>
<Host id="host-secondary2-com" name="secondary2.com" comment="" ro="False">
<Interface id="host-secondary2-com-i" dedicated_failover="False" dyn="False" security_level="100" unnum="False" unprotected="False" name="unknown" comment="" ro="False">
<IPv4 id="host-secondary2-com-i-ipv4" name="address" comment="" ro="False" address="211.22.22.22" netmask="255.255.255.255"/>
<InterfaceOptions/>
</Interface>
<Management address="211.22.22.22">
<SNMPManagement enabled="False" snmp_read_community="public" snmp_write_community=""/>
<FWBDManagement enabled="False" identity="" port="-1"/>
<PolicyInstallScript arguments="" command="" enabled="False"/>
</Management>
<HostOptions>
<Option name="use_mac_addr_filter">false</Option>
</HostOptions>
</Host>
<Host id="id3BF1B3E1" name="host-with_mac" comment="" ro="False">
<Interface id="id3BF1B3E2" dedicated_failover="False" dyn="False" label="" security_level="100" unnum="False" unprotected="False" name="unknown" comment="" ro="False">
<IPv4 id="id3BF1B3E2-ipv4" name="address" comment="" ro="False" address="192.168.1.10" netmask="255.255.255.0"/>
<physAddress id="id3BF1B3E2-pa" address="00:10:4b:de:e9:6f" name="unknown-pa" comment="" ro="False"/>
<InterfaceOptions/>
</Interface>
<Management address="192.168.1.10">
<SNMPManagement enabled="False" snmp_read_community="" snmp_write_community=""/>
<FWBDManagement enabled="False" identity="" port="-1"/>
<PolicyInstallScript arguments="" command="" enabled="False"/>
</Management>
<HostOptions>
<Option name="use_mac_addr_filter">True</Option>
</HostOptions>
</Host>
<Host id="id3BF1B3E7" name="host-with_mac-2" comment="" ro="False">
<Interface id="id3BF1B3E8" dedicated_failover="False" dyn="False" label="" security_level="100" unnum="False" unprotected="False" name="unknown" comment="" ro="False">
<IPv4 id="id3BF1B3E8-ipv4" name="host-with_mac-2:addr" comment="" ro="False" address="0.0.0.0" netmask="0.0.0.0"/>
<physAddress id="id3BF1B3E8-pa" address="00:10:4b:de:e9:6f" name="unknown-pa" comment="" ro="False"/>
<InterfaceOptions/>
</Interface>
<Management address="0.0.0.0">
<SNMPManagement enabled="False" snmp_read_community="" snmp_write_community=""/>
<FWBDManagement enabled="False" identity="" port="-1"/>
<PolicyInstallScript arguments="" command="" enabled="False"/>
</Management>
<HostOptions>
<Option name="snmp_contact"></Option>
<Option name="snmp_description"></Option>
<Option name="snmp_location"></Option>
<Option name="use_mac_addr_filter">True</Option>
</HostOptions>
</Host>
<Host id="id3BF23930" name="z-host" comment="" ro="False">
<Interface id="id3BF23931" dedicated_failover="False" dyn="False" label="" security_level="100" unnum="False" unprotected="False" name="unknown" comment="" ro="False">
<IPv4 id="id3BF23931-ipv4" name="address" comment="" ro="False" address="0.0.0.0" netmask="0.0.0.0"/>
<physAddress id="id3BF23931-pa" address="00:a0:24:53:06:8c" name="unknown-pa" comment="" ro="False"/>
<InterfaceOptions/>
</Interface>
<Management address="0.0.0.0">
<SNMPManagement enabled="False" snmp_read_community="" snmp_write_community=""/>
<FWBDManagement enabled="False" identity="" port="-1"/>
<PolicyInstallScript arguments="" command="" enabled="False"/>
</Management>
<HostOptions>
<Option name="snmp_contact"></Option>
<Option name="snmp_description"></Option>
<Option name="snmp_location"></Option>
<Option name="use_mac_addr_filter">False</Option>
</HostOptions>
</Host>
<Host id="id3CD87A53" name="n192.168.1.11" comment="" ro="False">
<Interface id="id3CD87A53-i" dedicated_failover="False" dyn="False" security_level="0" unnum="False" unprotected="False" name="interface-1" comment="" ro="False">
<IPv4 id="id3CD87A53-i-1-addr" name="address" comment="" ro="False" address="192.168.1.11" netmask="255.255.255.255"/>
<InterfaceOptions/>
</Interface>
<Management address="192.168.1.11">
<SNMPManagement enabled="False" snmp_read_community="" snmp_write_community=""/>
<FWBDManagement enabled="False" identity="" port="-1"/>
<PolicyInstallScript arguments="" command="" enabled="False"/>
</Management>
<HostOptions>
<Option name="snmp_contact"></Option>
<Option name="snmp_description"></Option>
<Option name="snmp_location"></Option>
<Option name="use_mac_addr">False</Option>
<Option name="use_mac_addr_filter">False</Option>
</HostOptions>
</Host>
<Host id="id3CD87A5E" name="n192.168.1.12" comment="" ro="False">
<Interface id="id3CD87A5E-i" dedicated_failover="False" dyn="False" security_level="0" unnum="False" unprotected="False" name="interface-1" comment="" ro="False">
<IPv4 id="id3CD87A5E-i-1-addr" name="address" comment="" ro="False" address="192.168.1.12" netmask="255.255.255.255"/>
<InterfaceOptions/>
</Interface>
<Management address="192.168.1.12">
<SNMPManagement enabled="False" snmp_read_community="" snmp_write_community=""/>
<FWBDManagement enabled="False" identity="" port="-1"/>
<PolicyInstallScript arguments="" command="" enabled="False"/>
</Management>
<HostOptions>
<Option name="snmp_contact"></Option>
<Option name="snmp_description"></Option>
<Option name="snmp_location"></Option>
<Option name="use_mac_addr">False</Option>
<Option name="use_mac_addr_filter">False</Option>
</HostOptions>
</Host>
<Host id="id3CD87A6D" name="n192.168.1.13" comment="" ro="False">
<Interface id="id3CD87A6D-i" dedicated_failover="False" dyn="False" security_level="0" unnum="False" unprotected="False" name="interface-1" comment="" ro="False">
<IPv4 id="id3CD87A6D-i-1-addr" name="address" comment="" ro="False" address="192.168.1.13" netmask="255.255.255.255"/>
<InterfaceOptions/>
</Interface>
<Management address="192.168.1.13">
<SNMPManagement enabled="False" snmp_read_community="" snmp_write_community=""/>
<FWBDManagement enabled="False" identity="" port="-1"/>
<PolicyInstallScript arguments="" command="" enabled="False"/>
</Management>
<HostOptions>
<Option name="snmp_contact"></Option>
<Option name="snmp_description"></Option>
<Option name="snmp_location"></Option>
<Option name="use_mac_addr">False</Option>
<Option name="use_mac_addr_filter">False</Option>
</HostOptions>
</Host>
<Host id="id3CD87A7C" name="n192.168.1.14" comment="" ro="False">
<Interface id="id3CD87A7C-i" dedicated_failover="False" dyn="False" security_level="0" unnum="False" unprotected="False" name="interface-1" comment="" ro="False">
<IPv4 id="id3CD87A7C-i-1-addr" name="address" comment="" ro="False" address="192.168.1.14" netmask="255.255.255.255"/>
<InterfaceOptions/>
</Interface>
<Management address="192.168.1.14">
<SNMPManagement enabled="False" snmp_read_community="" snmp_write_community=""/>
<FWBDManagement enabled="False" identity="" port="-1"/>
<PolicyInstallScript arguments="" command="" enabled="False"/>
</Management>
<HostOptions>
<Option name="snmp_contact"></Option>
<Option name="snmp_description"></Option>
<Option name="snmp_location"></Option>
<Option name="use_mac_addr">False</Option>
<Option name="use_mac_addr_filter">False</Option>
</HostOptions>
</Host>
<Host id="id3CD87A8B" name="n192.168.1.15" comment="" ro="False">
<Interface id="id3CD87A8B-i" dedicated_failover="False" dyn="False" security_level="0" unnum="False" unprotected="False" name="interface-1" comment="" ro="False">
<IPv4 id="id3CD87A8B-i-1-addr" name="address" comment="" ro="False" address="192.168.1.15" netmask="255.255.255.255"/>
<InterfaceOptions/>
</Interface>
<Management address="192.168.1.15">
<SNMPManagement enabled="False" snmp_read_community="" snmp_write_community=""/>
<FWBDManagement enabled="False" identity="" port="-1"/>
<PolicyInstallScript arguments="" command="" enabled="False"/>
</Management>
<HostOptions>
<Option name="snmp_contact"></Option>
<Option name="snmp_description"></Option>
<Option name="snmp_location"></Option>
<Option name="use_mac_addr">False</Option>
<Option name="use_mac_addr_filter">False</Option>
</HostOptions>
</Host>
<Host id="id3D58118B" name="hostC" comment="" ro="False">
<Interface id="id3D58118B-i" dedicated_failover="False" dyn="False" security_level="0" unnum="False" unprotected="False" name="interface-1" comment="" ro="False">
<IPv4 id="id3D58118B-i-1-addr" name="address" comment="" ro="False" address="192.168.1.100" netmask="255.255.255.255"/>
<InterfaceOptions/>
</Interface>
<Management address="192.168.1.100">
<SNMPManagement enabled="False" snmp_read_community="" snmp_write_community=""/>
<FWBDManagement enabled="False" identity="" port="-1"/>
<PolicyInstallScript arguments="" command="" enabled="False"/>
</Management>
<HostOptions>
<Option name="snmp_contact"></Option>
<Option name="snmp_description"></Option>
<Option name="snmp_location"></Option>
<Option name="use_mac_addr">false</Option>
<Option name="use_mac_addr_filter">False</Option>
</HostOptions>
</Host>
<Host id="id3D58118F" name="hostC-1" comment="" ro="False">
<Interface id="id3D581193" dedicated_failover="False" dyn="False" label="" security_level="0" unnum="False" unprotected="False" name="eth0" comment="" ro="False">
<IPv4 id="id3D581194" name="hostC-1:eth0" comment="" ro="False" address="192.168.1.100" netmask="255.255.255.0"/>
<InterfaceOptions/>
</Interface>
<Management address="192.168.1.100">
<SNMPManagement enabled="False" snmp_read_community="" snmp_write_community=""/>
<FWBDManagement enabled="False" identity="" port="-1"/>
<PolicyInstallScript arguments="" command="" enabled="False"/>
</Management>
<HostOptions>
<Option name="snmp_contact"></Option>
<Option name="snmp_description"></Option>
<Option name="snmp_location"></Option>
<Option name="use_mac_addr">false</Option>
<Option name="use_mac_addr_filter">False</Option>
</HostOptions>
</Host>
<Host id="id3E7ABEC4" name="nat-addr1" comment="" ro="False">
<Interface id="id3E7ABEC6" dedicated_failover="False" dyn="False" security_level="0" unnum="False" unprotected="False" name="interface1" comment="" ro="False">
<IPv4 id="id3E7ABEC7" name="nat-addr1:interface1(ip)" comment="" ro="False" address="22.22.22.50" netmask="255.255.255.255"/>
<InterfaceOptions/>
</Interface>
<Management address="0.0.0.0">
<SNMPManagement enabled="False" snmp_read_community="" snmp_write_community=""/>
<FWBDManagement enabled="False" identity="" port="-1"/>
<PolicyInstallScript arguments="" command="" enabled="False"/>
</Management>
<HostOptions>
<Option name="use_mac_addr">false</Option>
</HostOptions>
</Host>
<Host id="id3E7ABECA" name="nat-addr2" comment="" ro="False">
<Interface id="id3E7ABECC" dedicated_failover="False" dyn="False" security_level="0" unnum="False" unprotected="False" name="interface1" comment="" ro="False">
<IPv4 id="id3E7ABECD" name="nat-addr2:interface1(ip)" comment="" ro="False" address="22.22.22.51" netmask="255.255.255.255"/>
<InterfaceOptions/>
</Interface>
<Management address="0.0.0.0">
<SNMPManagement enabled="False" snmp_read_community="" snmp_write_community=""/>
<FWBDManagement enabled="False" identity="" port="-1"/>
<PolicyInstallScript arguments="" command="" enabled="False"/>
</Management>
<HostOptions>
<Option name="use_mac_addr">false</Option>
</HostOptions>
</Host>
<Host id="id3EE25A56" name="dyn host" comment="" ro="False">
<Interface id="id3EE25A58" dedicated_failover="False" dyn="True" security_level="0" unnum="False" unprotected="False" name="eth0" comment="" ro="False">
<InterfaceOptions/>
</Interface>
<Management address="0.0.0.0">
<SNMPManagement enabled="False" snmp_read_community="" snmp_write_community=""/>
<FWBDManagement enabled="False" identity="" port="-1"/>
<PolicyInstallScript arguments="" command="" enabled="False"/>
</Management>
<HostOptions>
<Option name="use_mac_addr">false</Option>
</HostOptions>
</Host>
</ObjectGroup>
<ObjectGroup id="stdid03_1" name="Networks" comment="" ro="False">
<Network id="net-Internal_net" name="Internal_net" comment="" ro="False" address="192.168.1.0" netmask="255.255.255.0"/>
<Network id="id3B022266" name="dmz_net" comment="DMZ net - using NAT" ro="False" address="192.168.2.0" netmask="255.255.255.0"/>
<Network id="id3B665641" name="external_net" comment="" ro="False" address="22.22.22.0" netmask="255.255.255.0"/>
<Network id="id3B665643" name="foreign_net" comment="" ro="False" address="33.33.33.0" netmask="255.255.255.0"/>
<Network id="id3FDCD983" name="foreign_net2" comment="" ro="False" address="33.33.44.0" netmask="255.255.255.0"/>
<Network id="id43F7DCF631316" name="22.22.22/28" comment="" ro="False" address="22.22.22.0" netmask="255.255.255.240"/>
<NetworkIPv6 id="id4834B9206131" name="net-fe80" comment="" ro="False" address="fe80::" netmask="64"/>
<NetworkIPv6 id="id48416A7016880" name="DIGITAL-CA-DEC" comment="" ro="False" address="3ffe:1200:2000::" netmask="36"/>
<Network id="id3CEBFDFC" name="n-192.168.1.0" comment="" ro="False" address="192.168.1.0" netmask="255.255.255.0"/>
<Network id="id4733FFE419714" name="n-192.168.2.0" comment="" ro="False" address="192.168.2.0" netmask="255.255.255.0"/>
<Network id="id79551X23273" name="net-10.3.14.0/24" comment="Imported from &quot;c3620&quot; 10.3.14.0/255.255.255.0" ro="False" address="10.3.14.0" netmask="255.255.255.0"/>
<NetworkIPv6 id="id79830X23273" name="ipv6 net fe80::/64" comment="" ro="False" address="fe80::" netmask="64"/>
</ObjectGroup>
<ObjectGroup id="stdid15_1" name="Address Ranges" comment="" ro="False">
<AddressRange id="id3CD8769F" name="test_range_1" comment="" ro="False" start_address="192.168.1.11" end_address="192.168.1.15"/>
<AddressRange id="id43F7DCF831316" name="22.22.22.1-22.22.22.5" comment="" ro="False" start_address="22.22.22.1" end_address="22.22.22.5"/>
</ObjectGroup>
<ObjectGroup id="id4386458A18448" name="DNS Names" comment="" ro="False">
<DNSName id="id43869E8E18346" dnsrec="buildmaster" dnsrectype="A" run_time="False" name="buildmaster (ct)" comment="an example of a local host" ro="False"/>
<DNSName id="id43869E8F18346" dnsrec="buildmaster" dnsrectype="A" run_time="True" name="buildmaster (rt)" comment="an example of a local host" ro="False"/>
<DNSName id="id43869E8C18346" dnsrec="www.cnn.com" dnsrectype="A" run_time="False" name="cnn (ct)" comment="" ro="False"/>
<DNSName id="id43869E8D18346" dnsrec="www.cnn.com" dnsrectype="A" run_time="True" name="cnn (rt)" comment="" ro="False"/>
<DNSName id="id4387287918346" dnsrec="www.google.com" dnsrectype="A" run_time="False" name="google (ct)" comment="" ro="False"/>
<DNSName id="id4387287A18346" dnsrec="www.google.com" dnsrectype="A" run_time="True" name="google (rt)" comment="" ro="False"/>
<DNSName id="id44EC181D8791" dnsrec="www.heise.de" dnsrectype="A" run_time="True" name="heise" comment="" ro="False"/>
</ObjectGroup>
</ObjectGroup>
<ServiceGroup id="stdid05_1" name="Services" comment="" ro="False">
<ServiceGroup id="stdid05_1_og_tag_1" name="TagServices" comment="" ro="False">
<TagService id="id43EC6B892355" tagcode="ipsec_tag" name="ipsec_tag" comment="" ro="False"/>
<TagService id="id43F4556A28869" tagcode="INTNET" name="INTNET" comment="" ro="False"/>
<TagService id="id1391120443" tagcode="tag2" name="tag2" comment="" ro="False"/>
</ServiceGroup>
<ServiceGroup id="stdid10_1" name="Groups" comment="" ro="False">
<ServiceGroup id="id3B457567" name="svcgroup1" comment="" ro="False">
<ServiceRef ref="id3B457561"/>
<ServiceRef ref="ip-IPSEC"/>
</ServiceGroup>
<ServiceGroup id="id3C1A66C9" name="large group TCP" comment="" ro="False">
<ServiceRef ref="id3B20468D"/>
<ServiceRef ref="tcp-IRC"/>
<ServiceRef ref="id3B5009F7"/>
<ServiceRef ref="tcp-Auth"/>
<ServiceRef ref="tcp-DNS_zone_transf"/>
<ServiceRef ref="tcp-FTP"/>
<ServiceRef ref="tcp-HTTP"/>
<ServiceRef ref="tcp-NNTP"/>
<ServiceRef ref="tcp-SMTP"/>
<ServiceRef ref="tcp-SSH"/>
<ServiceRef ref="tcp-Telnet"/>
<ServiceRef ref="tcp-uucp"/>
<ServiceRef ref="id3C1A66EF"/>
<ServiceRef ref="id3AEDBE6E"/>
<ServiceRef ref="id3B4FEDA3"/>
<ServiceRef ref="id3B4FED69"/>
<ServiceRef ref="id3AECF776"/>
<ServiceRef ref="id3B4FED9F"/>
<ServiceRef ref="id3B4FF13C"/>
<ServiceRef ref="id3B4FEE21"/>
<ServiceRef ref="id3B4FEE23"/>
<ServiceRef ref="id3AECF778"/>
<ServiceRef ref="id3B4FF000"/>
<ServiceRef ref="id3B4FEEEE"/>
<ServiceRef ref="id3B4FEE7A"/>
<ServiceRef ref="id3B4FEE1D"/>
<ServiceRef ref="id3B4FF0EA"/>
<ServiceRef ref="id3AECF782"/>
<ServiceRef ref="id3B4FEF7C"/>
<ServiceRef ref="id3AECF77A"/>
<ServiceRef ref="id3AECF77C"/>
<ServiceRef ref="id3AECF77E"/>
<ServiceRef ref="id3B4FEF34"/>
<ServiceRef ref="id3B4FF04C"/>
<ServiceRef ref="id3B4FEE76"/>
<ServiceRef ref="id3AEDBE00"/>
<ServiceRef ref="id3B4FF1B8"/>
</ServiceGroup>
<ServiceGroup id="id3CD878C8" name="small group TCP" comment="" ro="False">
<ServiceRef ref="tcp-Auth"/>
<ServiceRef ref="tcp-HTTP"/>
<ServiceRef ref="tcp-SMTP"/>
<ServiceRef ref="tcp-SSH"/>
<ServiceRef ref="tcp-uucp"/>
<ServiceRef ref="id3B4FED69"/>
<ServiceRef ref="id3AECF776"/>
</ServiceGroup>
<ServiceGroup id="id3DE6946C" name="sgroup" comment="" ro="False"/>
</ServiceGroup>
<ServiceGroup id="stdid07_1" name="ICMP" comment="" ro="False">
<ICMPService id="id3C1A5D46" code="-1" type="-1" name="any ICMP" comment="" ro="False"/>
<ICMPService id="id3D0E95E4" code="-1" type="3" name="Any unreach." comment="" ro="False"/>
</ServiceGroup>
<ServiceGroup id="stdid06_1" name="IP" comment="" ro="False">
<IPService id="id3B457561" fragm="False" lsrr="False" protocol_num="1" rr="False" short_fragm="False" ssrr="False" ts="False" name="ICMP" comment="" ro="False"/>
<IPService id="id3B6659A5" fragm="False" lsrr="False" protocol_num="0" rr="False" short_fragm="False" ssrr="False" ts="True" name="TS" comment="" ro="False"/>
<IPService id="id3C6820443" dscp="" fragm="False" lsrr="False" protocol_num="0" rr="False" short_fragm="False" ssrr="False" tos="0x20" ts="False" name="tos 0x20" comment="" ro="False"/>
<IPService id="id3C6920443" dscp="0x20" fragm="False" lsrr="False" protocol_num="0" rr="False" short_fragm="False" ssrr="False" tos="" ts="False" name="dscp 0x20" comment="" ro="False"/>
<IPService id="idC5F120443" dscp="" fragm="False" lsrr="False" protocol_num="0" rr="False" short_fragm="False" ssrr="False" tos="0x10" ts="False" name="tos 0x10" comment="" ro="False"/>
<IPService id="id79465X23273" fragm="True" protocol_num="0" name="ip-0 fragm" comment="Imported from &quot;c3620&quot; protocol 0" ro="False"/>
</ServiceGroup>
<ServiceGroup id="stdid09_1" name="TCP" comment="" ro="False">
<TCPService id="tcp-IRC" ack_flag="False" ack_flag_mask="False" fin_flag="False" fin_flag_mask="False" psh_flag="False" psh_flag_mask="False" rst_flag="False" rst_flag_mask="False" syn_flag="False" syn_flag_mask="False" urg_flag="False" urg_flag_mask="False" name="irc" comment="" ro="False" src_range_start="0" src_range_end="0" dst_range_start="6667" dst_range_end="6667"/>
<TCPService id="id3B20468D" ack_flag="False" ack_flag_mask="False" fin_flag="False" fin_flag_mask="False" psh_flag="False" psh_flag_mask="False" rst_flag="False" rst_flag_mask="False" syn_flag="False" syn_flag_mask="False" urg_flag="False" urg_flag_mask="False" name="test-TCP" comment="port range" ro="False" src_range_start="0" src_range_end="0" dst_range_start="10000" dst_range_end="11000"/>
<TCPService id="id3B5009F7" ack_flag="False" ack_flag_mask="False" fin_flag="False" fin_flag_mask="False" psh_flag="False" psh_flag_mask="False" rst_flag="False" rst_flag_mask="False" syn_flag="False" syn_flag_mask="False" urg_flag="False" urg_flag_mask="False" name="squid" comment="" ro="False" src_range_start="0" src_range_end="0" dst_range_start="3128" dst_range_end="3128"/>
<TCPService id="id3B58E3F1" ack_flag="True" ack_flag_mask="True" fin_flag="True" fin_flag_mask="True" psh_flag="False" psh_flag_mask="True" rst_flag="True" rst_flag_mask="True" syn_flag="True" syn_flag_mask="True" urg_flag="False" urg_flag_mask="True" name="xmas-tree" comment="" ro="False" src_range_start="0" src_range_end="0" dst_range_start="0" dst_range_end="0"/>
<TCPService id="id3C1A66EF" ack_flag="False" ack_flag_mask="False" fin_flag="False" fin_flag_mask="False" psh_flag="False" psh_flag_mask="False" rst_flag="False" rst_flag_mask="False" syn_flag="False" syn_flag_mask="False" urg_flag="False" urg_flag_mask="False" name="gopher" comment="" ro="False" src_range_start="0" src_range_end="0" dst_range_start="70" dst_range_end="70"/>
<TCPService id="id3E59AD29" ack_flag="False" ack_flag_mask="False" fin_flag="False" fin_flag_mask="False" psh_flag="False" psh_flag_mask="False" rst_flag="False" rst_flag_mask="False" syn_flag="False" syn_flag_mask="False" urg_flag="False" urg_flag_mask="False" name="tcp-1080" comment="" ro="False" src_range_start="0" src_range_end="0" dst_range_start="1080" dst_range_end="1080"/>
<TCPService id="id78996X23273" ack_flag="False" ack_flag_mask="False" fin_flag="False" fin_flag_mask="False" psh_flag="False" psh_flag_mask="False" rst_flag="False" rst_flag_mask="False" syn_flag="False" syn_flag_mask="False" urg_flag="False" urg_flag_mask="False" name="tcp-8080" comment="" ro="False" src_range_start="0" src_range_end="0" dst_range_start="8080" dst_range_end="8080"/>
<TCPService id="id79496X23273" ack_flag="False" ack_flag_mask="False" established="False" fin_flag="False" fin_flag_mask="False" psh_flag="False" psh_flag_mask="False" rst_flag="False" rst_flag_mask="False" syn_flag="False" syn_flag_mask="False" urg_flag="False" urg_flag_mask="False" name="tcp 0-0:22-22" comment="Imported from &quot;c3620&quot; 0-0:22-22" ro="False" src_range_start="0" src_range_end="0" dst_range_start="22" dst_range_end="22"/>
<TCPService id="id80030X23273" ack_flag="False" ack_flag_mask="False" established="False" fin_flag="False" fin_flag_mask="False" psh_flag="False" psh_flag_mask="False" rst_flag="False" rst_flag_mask="False" syn_flag="True" syn_flag_mask="True" urg_flag="False" urg_flag_mask="False" name="New TCP Service 1" comment="" ro="False" src_range_start="0" src_range_end="0" dst_range_start="1" dst_range_end="1"/>
<TCPService id="id45517X93766" ack_flag="False" ack_flag_mask="False" established="False" fin_flag="False" fin_flag_mask="False" psh_flag="False" psh_flag_mask="False" rst_flag="False" rst_flag_mask="False" syn_flag="False" syn_flag_mask="False" urg_flag="False" urg_flag_mask="False" name="ftp-proxy" comment="" ro="False" src_range_start="0" src_range_end="0" dst_range_start="8021" dst_range_end="8021"/>
<TCPService id="id438265X27177" ack_flag="False" ack_flag_mask="False" established="False" fin_flag="False" fin_flag_mask="False" psh_flag="False" psh_flag_mask="False" rst_flag="False" rst_flag_mask="False" syn_flag="False" syn_flag_mask="False" urg_flag="False" urg_flag_mask="False" name="src-tcp" comment="port range" ro="False" src_range_start="1000" src_range_end="2000" dst_range_start="0" dst_range_end="0"/>
<TCPService id="id172244X18008" ack_flag="False" ack_flag_mask="False" established="False" fin_flag="False" fin_flag_mask="False" psh_flag="False" psh_flag_mask="False" rst_flag="False" rst_flag_mask="False" syn_flag="False" syn_flag_mask="False" urg_flag="False" urg_flag_mask="False" name="tcp-81" comment="" ro="False" src_range_start="0" src_range_end="0" dst_range_start="81" dst_range_end="81"/>
</ServiceGroup>
<ServiceGroup id="stdid08_1" name="UDP" comment="" ro="False">
<UDPService id="id78911X23273" name="udp-src-6767" comment="" ro="False" src_range_start="6767" src_range_end="6767" dst_range_start="0" dst_range_end="0"/>
<UDPService id="id78921X23273" name="udp-src-67" comment="" ro="False" src_range_start="67" src_range_end="67" dst_range_start="0" dst_range_end="0"/>
|
|
<UDPService id="id80122X23273" name="sport123" comment="" ro="False" src_range_start="123" src_range_end="123" dst_range_start="0" dst_range_end="0"/>
|
|
<UDPService id="id80132X23273" name="sport5050" comment="" ro="False" src_range_start="5050" src_range_end="5050" dst_range_start="0" dst_range_end="0"/>
|
|
<UDPService id="id80157X23273" name="dport53" comment="" ro="False" src_range_start="0" src_range_end="0" dst_range_start="53" dst_range_end="53"/>
|
|
<UDPService id="id80167X23273" name="dport1053" comment="" ro="False" src_range_start="0" src_range_end="0" dst_range_start="1053" dst_range_end="1053"/>
|
|
<UDPService id="id80292X23273" name="sdport53" comment="" ro="False" src_range_start="1024" src_range_end="65535" dst_range_start="53" dst_range_end="53"/>
|
|
<UDPService id="id80302X23273" name="sdport1053" comment="" ro="False" src_range_start="32767" src_range_end="65535" dst_range_start="1053" dst_range_end="1053"/>
|
|
</ServiceGroup>
|
|
<ServiceGroup id="stdid13_1" name="Custom" comment="" ro="False">
|
|
<CustomService id="id3B64FE22" name="talk" comment="Talk support" ro="False" protocol="any" address_family="ipv4">
|
|
<CustomServiceCommand platform="Undefined"></CustomServiceCommand>
|
|
<CustomServiceCommand platform="fwsm"></CustomServiceCommand>
|
|
<CustomServiceCommand platform="iosacl"></CustomServiceCommand>
|
|
<CustomServiceCommand platform="ipf"></CustomServiceCommand>
|
|
<CustomServiceCommand platform="ipfilter"></CustomServiceCommand>
|
|
<CustomServiceCommand platform="ipfw"></CustomServiceCommand>
|
|
<CustomServiceCommand platform="iptables">-m ip_conntrack_talk -m ip_nat_talk</CustomServiceCommand>
|
|
<CustomServiceCommand platform="pf"></CustomServiceCommand>
|
|
<CustomServiceCommand platform="pix"></CustomServiceCommand>
|
|
<CustomServiceCommand platform="unknown"></CustomServiceCommand>
|
|
</CustomService>
|
|
<CustomService id="id41F9FFBA" name="natproto" comment="for bug 1111267: should add proto {tcp udp icmp gre}" ro="False" protocol=" {tcp udp icmp gre}" address_family="ipv4">
|
|
<CustomServiceCommand platform="fwsm"></CustomServiceCommand>
|
|
<CustomServiceCommand platform="iosacl"></CustomServiceCommand>
|
|
<CustomServiceCommand platform="ipf"></CustomServiceCommand>
|
|
<CustomServiceCommand platform="ipfw"></CustomServiceCommand>
|
|
<CustomServiceCommand platform="iptables"></CustomServiceCommand>
|
|
<CustomServiceCommand platform="pf"> </CustomServiceCommand>
|
|
<CustomServiceCommand platform="pix"></CustomServiceCommand>
|
|
<CustomServiceCommand platform="unknown"></CustomServiceCommand>
|
|
</CustomService>
|
|
<CustomService id="id78051X16372" name="all protocols pf" comment="" ro="False" protocol="{tcp udp icmp gre}" address_family="ipv4">
|
|
<CustomServiceCommand platform="fwsm"></CustomServiceCommand>
|
|
<CustomServiceCommand platform="iosacl"></CustomServiceCommand>
|
|
<CustomServiceCommand platform="ipf"></CustomServiceCommand>
|
|
<CustomServiceCommand platform="ipfw"></CustomServiceCommand>
|
|
<CustomServiceCommand platform="iptables"></CustomServiceCommand>
|
|
<CustomServiceCommand platform="pf"> </CustomServiceCommand>
|
|
<CustomServiceCommand platform="pix"></CustomServiceCommand>
|
|
<CustomServiceCommand platform="unknown"></CustomServiceCommand>
|
|
</CustomService>
|
|
<CustomService id="id15832X50242" name="natproto (old style)" comment="for bug 1111267: should add proto {tcp udp icmp gre}, compiler should recognize &quot;proto ...&quot; in the code string" ro="False" protocol="any" address_family="ipv4">
|
|
<CustomServiceCommand platform="fwsm"></CustomServiceCommand>
|
|
<CustomServiceCommand platform="iosacl"></CustomServiceCommand>
|
|
<CustomServiceCommand platform="ipf"></CustomServiceCommand>
|
|
<CustomServiceCommand platform="ipfw"></CustomServiceCommand>
|
|
<CustomServiceCommand platform="iptables"></CustomServiceCommand>
|
|
<CustomServiceCommand platform="pf">proto {tcp udp icmp gre}</CustomServiceCommand>
|
|
<CustomServiceCommand platform="pix"></CustomServiceCommand>
|
|
<CustomServiceCommand platform="unknown"></CustomServiceCommand>
|
|
</CustomService>
|
|
</ServiceGroup>
|
|
<ServiceGroup id="stdid05_1_userservices" name="Users" comment="" ro="False">
|
|
<UserService id="id4849253820246" name="user2000" comment="" ro="False" userid="2000"/>
|
|
<UserService id="id484A558E5896" name="user500" comment="" ro="False" userid="500"/>
|
|
<UserService id="id484A6C525896" name="proxy" comment="" ro="False" userid="proxy"/>
|
|
</ServiceGroup>
|
|
</ServiceGroup>
|
|
<ObjectGroup id="stdid12_1" name="Firewalls" comment="" ro="False">
|
|
<Firewall id="fw-firewall2" host_OS="openbsd" inactive="False" lastCompiled="1249943117" lastInstalled="0" lastModified="1306442913" platform="pf" version="" name="firewall" comment="this is a simple firewall with two interfaces. Tests regular policy rules, including the IP_fragments rule" ro="False">
|
|
<NAT id="nat-firewall2" name="NAT" comment="" ro="False" ipv4_rule_set="False" ipv6_rule_set="False" top_rule_set="True">
|
|
<NATRule id="nat-firewall2-0" disabled="False" group="" position="0" action="Translate" comment="">
|
|
<OSrc neg="False">
|
|
<ObjectRef ref="net-Internal_net"/>
|
|
</OSrc>
|
|
<ODst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ODst>
|
|
<OSrv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</OSrv>
|
|
<TSrc neg="False">
|
|
<ObjectRef ref="fw-firewall2"/>
|
|
</TSrc>
|
|
<TDst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</TDst>
|
|
<TSrv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</TSrv>
|
|
<ItfInb neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ItfInb>
|
|
<ItfOutb neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ItfOutb>
|
|
<NATRuleOptions/>
|
|
</NATRule>
|
|
<NATRule id="id3EE25AA2" disabled="True" group="" position="1" action="Translate" comment="illegal rule - host 'dyn host' has dynamic address">
|
|
<OSrc neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</OSrc>
|
|
<ODst neg="False">
|
|
<ObjectRef ref="fw-firewall2"/>
|
|
</ODst>
|
|
<OSrv neg="False">
|
|
<ServiceRef ref="tcp-SMTP"/>
|
|
</OSrv>
|
|
<TSrc neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</TSrc>
|
|
<TDst neg="False">
|
|
<ObjectRef ref="id3EE25A56"/>
|
|
</TDst>
|
|
<TSrv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</TSrv>
|
|
<ItfInb neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ItfInb>
|
|
<ItfOutb neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ItfOutb>
|
|
<NATRuleOptions/>
|
|
</NATRule>
|
|
<NATRule id="nat-firewall2-1" disabled="False" group="" position="2" action="Translate" comment="">
|
|
<OSrc neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</OSrc>
|
|
<ODst neg="False">
|
|
<ObjectRef ref="fw-firewall2"/>
|
|
</ODst>
|
|
<OSrv neg="False">
|
|
<ServiceRef ref="tcp-SMTP"/>
|
|
</OSrv>
|
|
<TSrc neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</TSrc>
|
|
<TDst neg="False">
|
|
<ObjectRef ref="host-hostA"/>
|
|
</TDst>
|
|
<TSrv neg="False">
|
|
<ServiceRef ref="tcp-SMTP"/>
|
|
</TSrv>
|
|
<ItfInb neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ItfInb>
|
|
<ItfOutb neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ItfOutb>
|
|
<NATRuleOptions/>
|
|
</NATRule>
|
|
<NATRule id="id3CDB43B8" disabled="False" group="" position="3" action="Translate" comment="">
|
|
<OSrc neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</OSrc>
|
|
<ODst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ODst>
|
|
<OSrv neg="False">
|
|
<ServiceRef ref="tcp-HTTP"/>
|
|
</OSrv>
|
|
<TSrc neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</TSrc>
|
|
<TDst neg="False">
|
|
<ObjectRef ref="fw-firewall2"/>
|
|
</TDst>
|
|
<TSrv neg="False">
|
|
<ServiceRef ref="id3B4FF09A"/>
|
|
</TSrv>
|
|
<ItfInb neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ItfInb>
|
|
<ItfOutb neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ItfOutb>
|
|
<NATRuleOptions/>
|
|
</NATRule>
|
|
<RuleSetOptions/>
|
|
</NAT>
|
|
<Policy id="pol-firewall2" name="Policy" comment="" ro="False" ipv4_rule_set="False" ipv6_rule_set="False" top_rule_set="True">
|
|
<PolicyRule id="id3B09D29D" disabled="False" group="" log="True" position="0" action="Deny" direction="Inbound" comment="">
|
|
<Src neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="fw-firewall2"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="ip-IP_Fragments"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="if-FW-firewall2-eth1"/>
|
|
</Itf>
|
|
<PolicyRuleOptions>
|
|
<Option name="pf_classify_str"></Option>
|
|
<Option name="stateless">True</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<PolicyRule id="pol-firewall2-0" disabled="False" group="" log="True" position="1" action="Deny" direction="Inbound" comment="Automatically generated rule blocking short fragments">
|
|
<Src neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="ip-IP_Fragments"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="if-FW-firewall2-eth1"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="pf_classify_str"></Option>
|
|
<Option name="stateless">True</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<PolicyRule id="pol-firewall2-1" disabled="False" group="" log="True" position="2" action="Deny" direction="Inbound" comment="Automatically generated anti-spoofing rule">
|
|
<Src neg="False">
|
|
<ObjectRef ref="net-Internal_net"/>
|
|
<ObjectRef ref="fw-firewall2"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="if-FW-firewall2-eth1"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="pf_classify_str"></Option>
|
|
<Option name="stateless">True</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<PolicyRule id="id3B92DFC5" disabled="False" group="" log="False" position="3" action="Accept" direction="Both" comment="комментарий по-русски, Проверяем конвертацию в Utf-8">
|
|
<Src neg="False">
|
|
<ObjectRef ref="net-Internal_net"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="fw-firewall2"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="udp-DNS"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="if-FW-firewall2-eth0"/>
|
|
</Itf>
|
|
<PolicyRuleOptions>
|
|
<Option name="pf_classify_str"></Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<PolicyRule id="id3C4E4C38" disabled="False" group="" log="True" position="4" action="Deny" direction="Inbound" comment="code should go into INPUT chain with address in destination for comparison">
|
|
<Src neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="id3B64FFAC"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="udp-DNS"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="if-FW-firewall2-eth0"/>
|
|
</Itf>
|
|
<PolicyRuleOptions>
|
|
<Option name="pf_classify_str"></Option>
|
|
<Option name="stateless">True</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<PolicyRule id="id3CE59C76" disabled="False" group="" log="True" position="5" action="Deny" direction="Both" comment="">
|
|
<Src neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="tcp-TCP-SYN"/>
|
|
<ServiceRef ref="id3B58E3F1"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="action_on_reject"></Option>
|
|
<Option name="limit_value">0</Option>
|
|
<Option name="log_limit_suffix"></Option>
|
|
<Option name="log_prefix">** RULE %N</Option>
|
|
<Option name="pf_classify_str"></Option>
|
|
<Option name="stateless">True</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<PolicyRule id="id3B6659FC" disabled="False" group="" log="True" position="6" action="Deny" direction="Both" comment="">
|
|
<Src neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="ip-RR"/>
|
|
<ServiceRef ref="ip-SRR"/>
|
|
<ServiceRef ref="id3B6659A5"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="pf_classify_str"></Option>
|
|
<Option name="stateless">True</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<PolicyRule id="id3BF1B45E" disabled="True" group="" log="False" position="7" action="Accept" direction="Both" comment="">
|
|
<Src neg="False">
|
|
<ObjectRef ref="id3BF1B3E1"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="host-hostA"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="action_on_reject"></Option>
|
|
<Option name="limit_suffix"></Option>
|
|
<Option name="limit_value">0</Option>
|
|
<Option name="log_prefix"></Option>
|
|
<Option name="pf_classify_str"></Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<PolicyRule id="id3BF1B44E" disabled="True" group="" log="False" position="8" action="Accept" direction="Both" comment="">
|
|
<Src neg="False">
|
|
<ObjectRef ref="id3BF1B3E7"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="host-hostA"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="action_on_reject"></Option>
|
|
<Option name="limit_suffix"></Option>
|
|
<Option name="limit_value">0</Option>
|
|
<Option name="log_prefix"></Option>
|
|
<Option name="pf_classify_str"></Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<PolicyRule id="pol-firewall2-3" disabled="False" group="" log="False" position="9" action="Accept" direction="Both" comment="this rule is limited to 4 simultaneous connections by rule options">
|
|
<Src neg="False">
|
|
<ObjectRef ref="host-secondary1-com"/>
|
|
<ObjectRef ref="host-secondary2-com"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="host-hostA"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="tcp-DNS_zone_transf"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="int-afterhours"/>
|
|
<IntervalRef ref="id3C63479C"/>
|
|
<IntervalRef ref="id3C63479E"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="action_on_reject"></Option>
|
|
<Option name="limit_suffix"></Option>
|
|
<Option name="limit_value">0</Option>
|
|
<Option name="log_prefix"></Option>
|
|
<Option name="pf_classify_str"></Option>
|
|
<Option name="pf_rule_max_state">4</Option>
|
|
<Option name="stateless">False</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<PolicyRule id="id4250E683" disabled="False" group="" log="False" position="10" action="Accept" direction="Both" comment="">
|
|
<Src neg="False">
|
|
<ObjectRef ref="id3B665643"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="host-hostA"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="tcp-FTP_data"/>
|
|
<ServiceRef ref="id3CD878C8"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="action_on_reject"></Option>
|
|
<Option name="limit_suffix"></Option>
|
|
<Option name="limit_value">0</Option>
|
|
<Option name="log_prefix"></Option>
|
|
<Option name="pf_classify_str"></Option>
|
|
<Option name="pf_max_src_nodes">10</Option>
|
|
<Option name="pf_max_src_states">10</Option>
|
|
<Option name="pf_rule_max_state">0</Option>
|
|
<Option name="pf_source_tracking">False</Option>
|
|
<Option name="stateless">False</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<PolicyRule id="pol-firewall2-2" disabled="False" group="" log="False" position="11" action="Accept" direction="Both" comment="">
|
|
<Src neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="host-hostA"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="id3C1A66C9"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="action_on_reject"></Option>
|
|
<Option name="limit_suffix"></Option>
|
|
<Option name="limit_value">0</Option>
|
|
<Option name="log_prefix"></Option>
|
|
<Option name="pf_classify_str"></Option>
|
|
<Option name="pf_max_src_conn">0</Option>
|
|
<Option name="pf_max_src_conn_flush">False</Option>
|
|
<Option name="pf_max_src_conn_global">False</Option>
|
|
<Option name="pf_max_src_conn_overload_table"></Option>
|
|
<Option name="pf_max_src_conn_rate_flush">False</Option>
|
|
<Option name="pf_max_src_conn_rate_global">False</Option>
|
|
<Option name="pf_max_src_conn_rate_num">3</Option>
|
|
<Option name="pf_max_src_conn_rate_overload_table"></Option>
|
|
<Option name="pf_max_src_conn_rate_seconds">15</Option>
|
|
<Option name="pf_max_src_nodes">10</Option>
|
|
<Option name="pf_max_src_states">10</Option>
|
|
<Option name="pf_rule_max_state">0</Option>
|
|
<Option name="pf_source_tracking">True</Option>
|
|
<Option name="stateless">False</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<PolicyRule id="id3CD8770E" disabled="False" group="" log="False" position="12" action="Accept" direction="Both" comment="">
|
|
<Src neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="id3CD8769F"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="id3CD878C8"/>
|
|
<ServiceRef ref="id3B5009F7"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="action_on_reject"></Option>
|
|
<Option name="limit_suffix"></Option>
|
|
<Option name="limit_value">0</Option>
|
|
<Option name="log_prefix"></Option>
|
|
<Option name="pf_classify_str"></Option>
|
|
<Option name="pf_max_src_nodes">75</Option>
|
|
<Option name="pf_max_src_states">2</Option>
|
|
<Option name="pf_rule_max_state">10</Option>
|
|
<Option name="pf_source_tracking">True</Option>
|
|
<Option name="stateless">False</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<PolicyRule id="id3CD87B1E" disabled="True" group="" log="False" position="13" action="Accept" direction="Both" comment="testing rule shading - this rule is exactly the same as the previous one, but uses a group instead of an address range">
|
|
<Src neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="id3CD87A9A"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="id3CD878C8"/>
|
|
<ServiceRef ref="id3B5009F7"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="action_on_reject"></Option>
|
|
<Option name="limit_suffix"></Option>
|
|
<Option name="limit_value">0</Option>
|
|
<Option name="log_prefix"></Option>
|
|
<Option name="pf_classify_str"></Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<PolicyRule id="pol-firewall2-4" disabled="False" group="" log="False" position="14" action="Accept" direction="Both" comment="">
|
|
<Src neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="net-Internal_net"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="sg-Useful_ICMP"/>
|
|
<ServiceRef ref="id3B5009F7"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="action_on_reject"></Option>
|
|
<Option name="limit_suffix"></Option>
|
|
<Option name="limit_value">0</Option>
|
|
<Option name="log_prefix"></Option>
|
|
<Option name="pf_classify_str"></Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<PolicyRule id="id3CE597E3" disabled="True" group="" log="False" position="15" action="Accept" direction="Both" comment="this rule and the next one can be used to test shading">
|
|
<Src neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="net-Internal_net"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="action_on_reject"></Option>
|
|
<Option name="limit_suffix"></Option>
|
|
<Option name="limit_value">0</Option>
|
|
<Option name="log_prefix"></Option>
|
|
<Option name="pf_classify_str"></Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<PolicyRule id="id3CE591F6" disabled="False" group="" log="False" position="16" action="Accept" direction="Both" comment="">
|
|
<Src neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="id3B3D5A3B"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="action_on_reject"></Option>
|
|
<Option name="limit_suffix"></Option>
|
|
<Option name="limit_value">0</Option>
|
|
<Option name="log_prefix"></Option>
|
|
<Option name="pf_classify_str"></Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<PolicyRule id="id3EE2579E" disabled="True" group="" log="False" position="17" action="Accept" direction="Both" comment="illegal rule - object firewall8 has dynamic interface">
|
|
<Src neg="False">
|
|
<ObjectRef ref="fw-firewall2"/>
|
|
<ObjectRef ref="id3D581152"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="fw-firewall2"/>
|
|
<ObjectRef ref="id3D581152"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="pf_classify_str"></Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<PolicyRule id="pol-firewall2-5" disabled="False" group="" log="False" position="18" action="Accept" direction="Both" comment="Automatically generated 'masquerading' rule">
|
|
<Src neg="False">
|
|
<ObjectRef ref="net-Internal_net"/>
|
|
<ObjectRef ref="fw-firewall2"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="action_on_reject"></Option>
|
|
<Option name="limit_suffix"></Option>
|
|
<Option name="limit_value">0</Option>
|
|
<Option name="log_prefix"></Option>
|
|
<Option name="pf_classify_str"></Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<PolicyRule id="id15806X38936" disabled="False" group="" log="False" position="19" action="Accept" direction="Both" comment="test for bug 1111267: &quot;CustomService should specify protocol and parameters for it&quot;. Should generate &quot;proto { tcp udp icmp gre}&quot;">
|
|
<Src neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="id78051X16372"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="pf_classify_str"></Option>
|
|
<Option name="stateless">False</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<PolicyRule id="id16809X4058" disabled="False" group="" log="False" position="20" action="Accept" direction="Outbound" comment="bug #2791950 &quot;no way to generate &quot;pass out&quot; rule with no interface&quot;. Interface field should be &quot;any&quot;, direction &quot;outbound&quot;">
|
|
<Src neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="pf_classify_str"></Option>
|
|
<Option name="stateless">False</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<PolicyRule id="id16821X4058" disabled="False" group="" log="False" position="21" action="Accept" direction="Outbound" comment="bug #2791950 &quot;no way to generate &quot;pass out&quot; rule with no interface&quot;">
|
|
<Src neg="False">
|
|
<ObjectRef ref="net-Internal_net"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="pf_classify_str"></Option>
|
|
<Option name="stateless">False</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<PolicyRule id="id23867X4058" disabled="False" group="" log="False" position="22" action="Accept" direction="Outbound" comment="bug #2791950 &quot;no way to generate &quot;pass out&quot; rule with no interface&quot;">
|
|
<Src neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="net-Internal_net"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="pf_classify_str"></Option>
|
|
<Option name="stateless">False</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<PolicyRule id="pol-firewall2-7" disabled="False" group="" log="True" position="23" action="Deny" direction="Both" comment="Automatically generated 'catch all' rule">
|
|
<Src neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="action_on_reject"></Option>
|
|
<Option name="limit_suffix"></Option>
|
|
<Option name="limit_value">0</Option>
|
|
<Option name="log_limit_suffix"></Option>
|
|
<Option name="log_prefix"></Option>
|
|
<Option name="pf_classify_str"></Option>
|
|
<Option name="stateless">True</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<RuleSetOptions/>
|
|
</Policy>
|
|
<Routing id="fw-firewall2-routing" name="Routing" comment="" ro="False" ipv4_rule_set="False" ipv6_rule_set="False" top_rule_set="True">
|
|
<RuleSetOptions/>
|
|
</Routing>
|
|
<Interface id="if-FW-firewall2-eth1" dedicated_failover="False" dyn="False" security_level="0" unnum="False" unprotected="False" name="eth1" comment="" ro="False">
|
|
<IPv4 id="if-FW-firewall2-eth1-ipv4" name="address" comment="" ro="False" address="222.222.222.222" netmask="255.255.255.0"/>
|
|
<InterfaceOptions/>
|
|
</Interface>
|
|
<Interface id="if-FW-firewall2-eth0" dedicated_failover="False" dyn="False" label="" mgmt="True" security_level="100" unnum="False" unprotected="False" name="eth0" comment="" ro="False">
|
|
<IPv4 id="if-FW-firewall2-eth0-ipv4" name="address" comment="" ro="False" address="192.168.1.1" netmask="255.255.255.0"/>
|
|
<InterfaceOptions/>
|
|
</Interface>
|
|
<Interface id="id3E5F1D39" dedicated_failover="False" dyn="False" label="" mgmt="False" security_level="0" unnum="False" unprotected="False" name="lo" comment="" ro="False">
|
|
<IPv4 id="id3E5F1D3B" name="firewall:lo(ip)" comment="" ro="False" address="127.0.0.1" netmask="255.0.0.0"/>
|
|
<InterfaceOptions/>
|
|
</Interface>
|
|
<Management address="127.0.0.1">
|
|
<SNMPManagement enabled="False" snmp_read_community="public" snmp_write_community=""/>
|
|
<FWBDManagement enabled="True" identity="" port="9999"/>
|
|
<PolicyInstallScript arguments="" command="" enabled="False"/>
|
|
</Management>
|
|
<FirewallOptions>
|
|
<Option name="accept_established">False</Option>
|
|
<Option name="accept_new_tcp_with_no_syn">False</Option>
|
|
<Option name="action_on_reject">ICMP net unreachable</Option>
|
|
<Option name="activationCmd"></Option>
|
|
<Option name="admUser"></Option>
|
|
<Option name="altAddress"></Option>
|
|
<Option name="check_shading">True</Option>
|
|
<Option name="clamp_mss_to_mtu">False</Option>
|
|
<Option name="cmdline">-xt</Option>
|
|
<Option name="compiler"></Option>
|
|
<Option name="conf1_file"></Option>
|
|
<Option name="conf_file_name_on_firewall">/etc/pf.conf</Option>
|
|
<Option name="configure_bridge_interfaces">False</Option>
|
|
<Option name="configure_carp_interfaces">False</Option>
|
|
<Option name="configure_interfaces">True</Option>
|
|
<Option name="configure_pfsync_interfaces">False</Option>
|
|
<Option name="configure_vlan_interfaces">False</Option>
|
|
<Option name="debug">False</Option>
|
|
<Option name="dyn_addr">False</Option>
|
|
<Option name="epilog_script"></Option>
|
|
<Option name="fallback_log">True</Option>
|
|
<Option name="firewall_dir">/etc/firewall</Option>
|
|
<Option name="firewall_is_part_of_any">True</Option>
|
|
<Option name="firewall_is_part_of_any_and_networks">True</Option>
|
|
<Option name="generate_rc_conf_file">False</Option>
|
|
<Option name="generate_shell_script">True</Option>
|
|
<Option name="ignore_empty_groups">False</Option>
|
|
<Option name="in_out_code">True</Option>
|
|
<Option name="inst_cmdline"></Option>
|
|
<Option name="inst_script"></Option>
|
|
<Option name="install_script"></Option>
|
|
<Option name="ipv4_6_order">ipv4_first</Option>
|
|
<Option name="limit_suffix">/second</Option>
|
|
<Option name="limit_value">0</Option>
|
|
<Option name="linux24_ip_forward">0</Option>
|
|
<Option name="linux24_tcp_fin_timeout">30</Option>
|
|
<Option name="linux24_tcp_keepalive_interval">1800</Option>
|
|
<Option name="load_modules">False</Option>
|
|
<Option name="log_all_dropped">True</Option>
|
|
<Option name="log_ip_opt">False</Option>
|
|
<Option name="log_level">debug</Option>
|
|
<Option name="log_limit_suffix">/second</Option>
|
|
<Option name="log_limit_value">0</Option>
|
|
<Option name="log_prefix">RULE %N - %A</Option>
|
|
<Option name="log_tcp_opt">False</Option>
|
|
<Option name="log_tcp_seq">False</Option>
|
|
<Option name="manage_virtual_addr">True</Option>
|
|
<Option name="mgmt_addr">192.168.1.100</Option>
|
|
<Option name="mgmt_ssh">True</Option>
|
|
<Option name="modulate_state">True</Option>
|
|
<Option name="no_iochains_for_any">False</Option>
|
|
<Option name="no_optimisation">False</Option>
|
|
<Option name="openbsd_ip_directed_broadcast">0</Option>
|
|
<Option name="openbsd_ip_forward">1</Option>
|
|
<Option name="openbsd_ip_redirect">0</Option>
|
|
<Option name="openbsd_ip_sourceroute">0</Option>
|
|
<Option name="openbsd_path_pfctl"></Option>
|
|
<Option name="openbsd_path_sysctl"></Option>
|
|
<Option name="output_file"></Option>
|
|
<Option name="pass_all_out">False</Option>
|
|
<Option name="pf_adaptive_end">12000</Option>
|
|
<Option name="pf_adaptive_start">6000</Option>
|
|
<Option name="pf_block_policy"></Option>
|
|
<Option name="pf_do_limit_frags">True</Option>
|
|
<Option name="pf_do_limit_src_nodes">True</Option>
|
|
<Option name="pf_do_limit_states">True</Option>
|
|
<Option name="pf_do_limit_table_entries">True</Option>
|
|
<Option name="pf_do_limit_tables">True</Option>
|
|
<Option name="pf_do_scrub">True</Option>
|
|
<Option name="pf_do_timeout_frag">True</Option>
|
|
<Option name="pf_do_timeout_interval">True</Option>
|
|
<Option name="pf_flush_states">False</Option>
|
|
<Option name="pf_icmp_error">10</Option>
|
|
<Option name="pf_icmp_first">10</Option>
|
|
<Option name="pf_limit_frags">4000</Option>
|
|
<Option name="pf_limit_src_nodes">1000</Option>
|
|
<Option name="pf_limit_states">10000</Option>
|
|
<Option name="pf_limit_table_entries">1000000</Option>
|
|
<Option name="pf_limit_tables">1000</Option>
|
|
<Option name="pf_modulate_state">True</Option>
|
|
<Option name="pf_optimization"></Option>
|
|
<Option name="pf_other_first">10</Option>
|
|
<Option name="pf_other_multiple">10</Option>
|
|
<Option name="pf_other_single">10</Option>
|
|
<Option name="pf_scrub_fragm_crop">False</Option>
|
|
<Option name="pf_scrub_fragm_drop_ovl">False</Option>
|
|
<Option name="pf_scrub_maxmss">1460</Option>
|
|
<Option name="pf_scrub_minttl">1</Option>
|
|
<Option name="pf_scrub_no_df">False</Option>
|
|
<Option name="pf_scrub_random_id">False</Option>
|
|
<Option name="pf_scrub_reassemble">True</Option>
|
|
<Option name="pf_scrub_reassemble_tcp">False</Option>
|
|
<Option name="pf_scrub_use_maxmss">False</Option>
|
|
<Option name="pf_scrub_use_minttl">False</Option>
|
|
<Option name="pf_set_adaptive">True</Option>
|
|
<Option name="pf_set_debug"></Option>
|
|
<Option name="pf_set_icmp_error">True</Option>
|
|
<Option name="pf_set_icmp_first">True</Option>
|
|
<Option name="pf_set_other_first">True</Option>
|
|
<Option name="pf_set_other_multiple">True</Option>
|
|
<Option name="pf_set_other_single">True</Option>
|
|
<Option name="pf_set_tcp_closed">True</Option>
|
|
<Option name="pf_set_tcp_closing">True</Option>
|
|
<Option name="pf_set_tcp_established">True</Option>
|
|
<Option name="pf_set_tcp_finwait">True</Option>
|
|
<Option name="pf_set_tcp_first">True</Option>
|
|
<Option name="pf_set_tcp_opening">True</Option>
|
|
<Option name="pf_set_udp_first">True</Option>
|
|
<Option name="pf_set_udp_multiple">True</Option>
|
|
<Option name="pf_set_udp_single">True</Option>
|
|
<Option name="pf_state_policy"></Option>
|
|
<Option name="pf_tcp_closed">30</Option>
|
|
<Option name="pf_tcp_closing">60</Option>
|
|
<Option name="pf_tcp_established">86400</Option>
|
|
<Option name="pf_tcp_finwait">60</Option>
|
|
<Option name="pf_tcp_first">120</Option>
|
|
<Option name="pf_tcp_opening">120</Option>
|
|
<Option name="pf_timeout_frag">40</Option>
|
|
<Option name="pf_timeout_interval">15</Option>
|
|
<Option name="pf_udp_first">10</Option>
|
|
<Option name="pf_udp_multiple">10</Option>
|
|
<Option name="pf_udp_single">10</Option>
|
|
<Option name="platform">iptables</Option>
|
|
<Option name="prolog_place">fw_file</Option>
|
|
<Option name="prolog_script">echo 'This is prolog script'
|
|
</Option>
|
|
<Option name="scpArgs"></Option>
|
|
<Option name="script_env_path"></Option>
|
|
<Option name="script_name_on_firewall">/etc/pf.fw</Option>
|
|
<Option name="snmp_contact"></Option>
|
|
<Option name="snmp_description"></Option>
|
|
<Option name="snmp_location"></Option>
|
|
<Option name="sshArgs"></Option>
|
|
<Option name="use_numeric_log_levels">False</Option>
|
|
<Option name="use_tables">True</Option>
|
|
</FirewallOptions>
|
|
</Firewall>
|
|
<Firewall id="id3AF5AA0A" host_OS="openbsd" inactive="False" lastCompiled="1157930802" lastInstalled="0" lastModified="1295542650" platform="pf" version="" name="firewall1" comment="this object is used to test all kinds of negation in policy rules. Also using interface policy on eth1 to test a specific case with negation and rule shading detection" ro="False">
|
|
<NAT id="id3AF5AA0D" name="NAT" comment="" ro="False" ipv4_rule_set="False" ipv6_rule_set="False" top_rule_set="True">
|
|
<NATRule id="id3C98491C" disabled="False" group="" position="0" action="Translate" comment="">
|
|
<OSrc neg="False">
|
|
<ObjectRef ref="net-Internal_net"/>
|
|
</OSrc>
|
|
<ODst neg="False">
|
|
<ObjectRef ref="id3B022266"/>
|
|
</ODst>
|
|
<OSrv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</OSrv>
|
|
<TSrc neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</TSrc>
|
|
<TDst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</TDst>
|
|
<TSrv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</TSrv>
|
|
<ItfInb neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ItfInb>
|
|
<ItfOutb neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ItfOutb>
|
|
<NATRuleOptions/>
|
|
</NATRule>
|
|
<NATRule id="id3AFADC09" disabled="False" group="" position="1" action="Translate" comment="">
|
|
<OSrc neg="False">
|
|
<ObjectRef ref="host-hostA"/>
|
|
</OSrc>
|
|
<ODst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ODst>
|
|
<OSrv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</OSrv>
|
|
<TSrc neg="False">
|
|
<ObjectRef ref="id3AFADBF9"/>
|
|
</TSrc>
|
|
<TDst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</TDst>
|
|
<TSrv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</TSrv>
|
|
<ItfInb neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ItfInb>
|
|
<ItfOutb neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ItfOutb>
|
|
<NATRuleOptions/>
|
|
</NATRule>
|
|
<NATRule id="id3CD23959" disabled="False" group="" position="2" action="Translate" comment="">
|
|
<OSrc neg="True">
|
|
<ObjectRef ref="net-Internal_net"/>
|
|
</OSrc>
|
|
<ODst neg="False">
|
|
<ObjectRef ref="id3B19C5EB"/>
|
|
</ODst>
|
|
<OSrv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</OSrv>
|
|
<TSrc neg="False">
|
|
<ObjectRef ref="id3AFADBF9"/>
|
|
</TSrc>
|
|
<TDst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</TDst>
|
|
<TSrv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</TSrv>
|
|
<ItfInb neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ItfInb>
|
|
<ItfOutb neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ItfOutb>
|
|
<NATRuleOptions/>
|
|
</NATRule>
|
|
<NATRule id="id3B1328FB" disabled="False" group="" position="3" action="Translate" comment="">
|
|
<OSrc neg="False">
|
|
<ObjectRef ref="net-Internal_net"/>
|
|
</OSrc>
|
|
<ODst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ODst>
|
|
<OSrv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</OSrv>
|
|
<TSrc neg="False">
|
|
<ObjectRef ref="id3AF5AA0A"/>
|
|
</TSrc>
|
|
<TDst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</TDst>
|
|
<TSrv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</TSrv>
|
|
<ItfInb neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ItfInb>
|
|
<ItfOutb neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ItfOutb>
|
|
<NATRuleOptions/>
|
|
</NATRule>
|
|
<NATRule id="id3E7ABBCD" disabled="False" group="" position="4" action="Translate" comment="">
|
|
<OSrc neg="False">
|
|
<ObjectRef ref="net-Internal_net"/>
|
|
</OSrc>
|
|
<ODst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ODst>
|
|
<OSrv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</OSrv>
|
|
<TSrc neg="False">
|
|
<ObjectRef ref="id3AF5AA99"/>
|
|
<ObjectRef ref="id3B11F434"/>
|
|
</TSrc>
|
|
<TDst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</TDst>
|
|
<TSrv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</TSrv>
|
|
<ItfInb neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ItfInb>
|
|
<ItfOutb neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ItfOutb>
|
|
<NATRuleOptions/>
|
|
</NATRule>
|
|
<NATRule id="id3E7ABFA4" disabled="False" group="" position="5" action="Translate" comment="more examples of NAT rules with multiple objects in TSrc in firewall3">
|
|
<OSrc neg="False">
|
|
<ObjectRef ref="net-Internal_net"/>
|
|
</OSrc>
|
|
<ODst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ODst>
|
|
<OSrv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</OSrv>
|
|
<TSrc neg="False">
|
|
<ObjectRef ref="id3E7ABEC4"/>
|
|
<ObjectRef ref="id3E7ABECA"/>
|
|
</TSrc>
|
|
<TDst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</TDst>
|
|
<TSrv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</TSrv>
|
|
<ItfInb neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ItfInb>
|
|
<ItfOutb neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ItfOutb>
|
|
<NATRuleOptions/>
|
|
</NATRule>
|
|
<NATRule id="id3AF5AAD3" disabled="False" group="" position="6" action="Translate" comment="">
|
|
<OSrc neg="False">
|
|
<ObjectRef ref="net-Internal_net"/>
|
|
</OSrc>
|
|
<ODst neg="True">
|
|
<ObjectRef ref="id3B022266"/>
|
|
</ODst>
|
|
<OSrv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</OSrv>
|
|
<TSrc neg="False">
|
|
<ObjectRef ref="id3AF5AA0A"/>
|
|
</TSrc>
|
|
<TDst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</TDst>
|
|
<TSrv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</TSrv>
|
|
<ItfInb neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ItfInb>
|
|
<ItfOutb neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ItfOutb>
|
|
<NATRuleOptions/>
|
|
</NATRule>
|
|
<NATRule id="id3CCA1B57" disabled="False" group="" position="7" action="Translate" comment="">
|
|
<OSrc neg="False">
|
|
<ObjectRef ref="net-Internal_net"/>
|
|
</OSrc>
|
|
<ODst neg="True">
|
|
<ObjectRef ref="id3BBC0EFC"/>
|
|
</ODst>
|
|
<OSrv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</OSrv>
|
|
<TSrc neg="False">
|
|
<ObjectRef ref="id3AF5AA0A"/>
|
|
</TSrc>
|
|
<TDst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</TDst>
|
|
<TSrv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</TSrv>
|
|
<ItfInb neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ItfInb>
|
|
<ItfOutb neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ItfOutb>
|
|
<NATRuleOptions/>
|
|
</NATRule>
|
|
<NATRule id="id3B50F7CB" disabled="False" group="" position="8" action="Translate" comment="">
|
|
<OSrc neg="True">
|
|
<ObjectRef ref="id3B022266"/>
|
|
</OSrc>
|
|
<ODst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ODst>
|
|
<OSrv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</OSrv>
|
|
<TSrc neg="False">
|
|
<ObjectRef ref="id3AF5AA0A"/>
|
|
</TSrc>
|
|
<TDst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</TDst>
|
|
<TSrv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</TSrv>
|
|
<ItfInb neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ItfInb>
|
|
<ItfOutb neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ItfOutb>
|
|
<NATRuleOptions/>
|
|
</NATRule>
|
|
<NATRule id="id3BD8D94B" disabled="False" group="" position="9" action="Translate" comment="">
|
|
<OSrc neg="False">
|
|
<ObjectRef ref="net-Internal_net"/>
|
|
</OSrc>
|
|
<ODst neg="True">
|
|
<ObjectRef ref="id3AF5AA0A"/>
|
|
</ODst>
|
|
<OSrv neg="False">
|
|
<ServiceRef ref="tcp-HTTP"/>
|
|
</OSrv>
|
|
<TSrc neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</TSrc>
|
|
<TDst neg="False">
|
|
<ObjectRef ref="id3AF5AA0A"/>
|
|
</TDst>
|
|
<TSrv neg="False">
|
|
<ServiceRef ref="id3B5009F7"/>
|
|
</TSrv>
|
|
<ItfInb neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ItfInb>
|
|
<ItfOutb neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ItfOutb>
|
|
<NATRuleOptions/>
|
|
</NATRule>
|
|
<NATRule id="id3BD8D9DD" disabled="False" group="" position="10" action="Translate" comment="">
|
|
<OSrc neg="False">
|
|
<ObjectRef ref="net-Internal_net"/>
|
|
</OSrc>
|
|
<ODst neg="True">
|
|
<ObjectRef ref="id3AFC191C"/>
|
|
</ODst>
|
|
<OSrv neg="False">
|
|
<ServiceRef ref="tcp-HTTP"/>
|
|
</OSrv>
|
|
<TSrc neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</TSrc>
|
|
<TDst neg="False">
|
|
<ObjectRef ref="id3AF5AA0A"/>
|
|
</TDst>
|
|
<TSrv neg="False">
|
|
<ServiceRef ref="id3B5009F7"/>
|
|
</TSrv>
|
|
<ItfInb neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ItfInb>
|
|
<ItfOutb neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ItfOutb>
|
|
<NATRuleOptions/>
|
|
</NATRule>
|
|
<NATRule id="id3BBC0EA4" disabled="False" group="" position="11" action="Translate" comment="">
|
|
<OSrc neg="False">
|
|
<ObjectRef ref="id3B4572AF"/>
|
|
</OSrc>
|
|
<ODst neg="True">
|
|
<ObjectRef ref="id3BBC0EFC"/>
|
|
</ODst>
|
|
<OSrv neg="False">
|
|
<ServiceRef ref="tcp-HTTP"/>
|
|
</OSrv>
|
|
<TSrc neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</TSrc>
|
|
<TDst neg="False">
|
|
<ObjectRef ref="id3AF5AA0A"/>
|
|
</TDst>
|
|
<TSrv neg="False">
|
|
<ServiceRef ref="id3B5009F7"/>
|
|
</TSrv>
|
|
<ItfInb neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ItfInb>
|
|
<ItfOutb neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ItfOutb>
|
|
<NATRuleOptions/>
|
|
</NATRule>
|
|
<NATRule id="id122244X18008" disabled="False" group="" position="12" action="Translate" comment="">
|
|
<OSrc neg="False">
|
|
<ObjectRef ref="net-Internal_net"/>
|
|
</OSrc>
|
|
<ODst neg="True">
|
|
<ObjectRef ref="net-Internal_net"/>
|
|
<ObjectRef ref="id3B022266"/>
|
|
</ODst>
|
|
<OSrv neg="False">
|
|
<ServiceRef ref="tcp-HTTP"/>
|
|
<ServiceRef ref="id172244X18008"/>
|
|
</OSrv>
|
|
<TSrc neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</TSrc>
|
|
<TDst neg="False">
|
|
<ObjectRef ref="id3AF5AA0A"/>
|
|
</TDst>
|
|
<TSrv neg="False">
|
|
<ServiceRef ref="id3B5009F7"/>
|
|
</TSrv>
|
|
<ItfInb neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ItfInb>
|
|
<ItfOutb neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ItfOutb>
|
|
<NATRuleOptions/>
|
|
</NATRule>
|
|
<NATRule id="id272339X18008" disabled="False" group="" position="13" action="Translate" comment="">
|
|
<OSrc neg="False">
|
|
<ObjectRef ref="net-Internal_net"/>
|
|
</OSrc>
|
|
<ODst neg="True">
|
|
<ObjectRef ref="net-Internal_net"/>
|
|
<ObjectRef ref="id3B022266"/>
|
|
</ODst>
|
|
<OSrv neg="False">
|
|
<ServiceRef ref="tcp-HTTP"/>
|
|
<ServiceRef ref="id172244X18008"/>
|
|
</OSrv>
|
|
<TSrc neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</TSrc>
|
|
<TDst neg="False">
|
|
<ObjectRef ref="id272368X18008"/>
|
|
</TDst>
|
|
<TSrv neg="False">
|
|
<ServiceRef ref="id3B5009F7"/>
|
|
</TSrv>
|
|
<ItfInb neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ItfInb>
|
|
<ItfOutb neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ItfOutb>
|
|
<NATRuleOptions/>
|
|
</NATRule>
|
|
<NATRule id="id3BBC0F93" disabled="False" group="" position="14" action="Translate" comment="">
|
|
<OSrc neg="True">
|
|
<ObjectRef ref="id3B4572AF"/>
|
|
</OSrc>
|
|
<ODst neg="False">
|
|
<ObjectRef ref="id3BBC0EFC"/>
|
|
</ODst>
|
|
<OSrv neg="False">
|
|
<ServiceRef ref="tcp-HTTP"/>
|
|
</OSrv>
|
|
<TSrc neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</TSrc>
|
|
<TDst neg="False">
|
|
<ObjectRef ref="id3AF5AA0A"/>
|
|
</TDst>
|
|
<TSrv neg="False">
|
|
<ServiceRef ref="id3B5009F7"/>
|
|
</TSrv>
|
|
<ItfInb neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ItfInb>
|
|
<ItfOutb neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ItfOutb>
|
|
<NATRuleOptions/>
|
|
</NATRule>
|
|
<NATRule id="id3BC6BCE5" disabled="False" group="" position="15" action="Translate" comment="">
|
|
<OSrc neg="True">
|
|
<ObjectRef ref="host-hostA"/>
|
|
</OSrc>
|
|
<ODst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ODst>
|
|
<OSrv neg="False">
|
|
<ServiceRef ref="tcp-HTTP"/>
|
|
</OSrv>
|
|
<TSrc neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</TSrc>
|
|
<TDst neg="False">
|
|
<ObjectRef ref="id3AF5AA0A"/>
|
|
</TDst>
|
|
<TSrv neg="False">
|
|
<ServiceRef ref="id3B5009F7"/>
|
|
</TSrv>
|
|
<ItfInb neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ItfInb>
|
|
<ItfOutb neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ItfOutb>
|
|
<NATRuleOptions/>
|
|
</NATRule>
|
|
<NATRule id="id3FDCD893" disabled="False" group="" position="16" action="Translate" comment="">
|
|
<OSrc neg="False">
|
|
<ObjectRef ref="id3B665643"/>
|
|
<ObjectRef ref="id3FDCD983"/>
|
|
</OSrc>
|
|
<ODst neg="False">
|
|
<ObjectRef ref="id3AF5AA99"/>
|
|
</ODst>
|
|
<OSrv neg="False">
|
|
<ServiceRef ref="tcp-HTTP"/>
|
|
</OSrv>
|
|
<TSrc neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</TSrc>
|
|
<TDst neg="False">
|
|
<ObjectRef ref="host-hostA"/>
|
|
</TDst>
|
|
<TSrv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</TSrv>
|
|
<ItfInb neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ItfInb>
|
|
<ItfOutb neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ItfOutb>
|
|
<NATRuleOptions/>
|
|
</NATRule>
|
|
<RuleSetOptions/>
|
|
</NAT>
|
|
<Policy id="id3AF5AA0C" name="Policy" comment="" ro="False" ipv4_rule_set="False" ipv6_rule_set="False" top_rule_set="True">
|
|
<PolicyRule id="id3C5987DC" disabled="False" group="" log="True" position="0" action="Deny" direction="Both" comment="">
|
|
<Src neg="False">
|
|
<ObjectRef ref="id3B4572B5"/>
|
|
</Src>
|
|
<Dst neg="True">
|
|
<ObjectRef ref="id3B4572B5"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="id3B457567"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="id3AF5AA96"/>
|
|
</Itf>
|
|
<PolicyRuleOptions>
|
|
<Option name="pf_classify_str"></Option>
|
|
<Option name="stateless">True</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<PolicyRule id="id3CD34BEF" disabled="False" group="" log="False" position="1" action="Deny" direction="Both" comment="">
|
|
<Src neg="False">
|
|
<ObjectRef ref="id3B4572AF"/>
|
|
</Src>
|
|
<Dst neg="True">
|
|
<ObjectRef ref="id3B4572AF"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="id3B457567"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="id3AF5AA96"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="pf_classify_str"></Option>
|
|
<Option name="stateless">True</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<PolicyRule id="id3AF5AAB4" disabled="False" group="" log="True" position="2" action="Deny" direction="Inbound" comment="Anti-spoofing rule">
|
|
<Src neg="False">
|
|
<ObjectRef ref="net-Internal_net"/>
|
|
<ObjectRef ref="id3AF5AA0A"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="id3AF5AA99"/>
|
|
</Itf>
|
|
<PolicyRuleOptions>
|
|
<Option name="pf_classify_str"></Option>
|
|
<Option name="stateless">True</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<PolicyRule id="id3AF5AAAB" disabled="False" group="" log="True" position="3" action="Deny" direction="Outbound" comment="Anti-spoofing rule">
|
|
<Src neg="True">
|
|
<ObjectRef ref="net-Internal_net"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="id3AF5AA99"/>
|
|
</Itf>
|
|
<PolicyRuleOptions>
|
|
<Option name="pf_classify_str"></Option>
|
|
<Option name="stateless">True</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<PolicyRule id="id3D58886F" disabled="False" group="" log="False" position="4" action="Accept" direction="Inbound" comment="testing rule shading: this rule is not shaded by rule #1">
|
|
<Src neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="icmp-ping_request"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="id3AF5AA99"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="pf_classify_str"></Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<PolicyRule id="id3CCA26E4" disabled="False" group="" log="True" position="5" action="Deny" direction="Both" comment="">
|
|
<Src neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="tcp-TCP-SYN"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="pf_classify_str"></Option>
|
|
<Option name="stateless">True</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<PolicyRule id="id3B9AB902" disabled="True" group="" log="True" position="6" action="Deny" direction="Both" comment="">
|
|
<Src neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Dst>
|
|
<Srv neg="True">
|
|
<ServiceRef ref="tcp-TCP-SYN"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="pf_classify_str"></Option>
|
|
<Option name="stateless">True</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<PolicyRule id="id3AFC0F90" disabled="False" group="" log="True" position="7" action="Accept" direction="Both" comment="hostF has the same IP address as the firewall.">
|
|
<Src neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="id3AFC191C"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="icmp-ping_request"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="pf_classify_str"></Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<PolicyRule id="id4119961C" disabled="False" group="" log="True" position="8" action="Deny" direction="Both" comment="testing negation in the policy rule">
|
|
<Src neg="True">
|
|
<ObjectRef ref="host-hostA"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="icmp-Unreachables"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="action_on_reject"></Option>
|
|
<Option name="limit_suffix">/minute</Option>
|
|
<Option name="limit_value">10</Option>
|
|
<Option name="log_prefix"></Option>
|
|
<Option name="pf_classify_str"></Option>
|
|
<Option name="stateless">True</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<PolicyRule id="id3B021E10" disabled="False" group="" log="True" position="9" action="Deny" direction="Both" comment="testing negation in the policy rule">
|
|
<Src neg="True">
|
|
<ObjectRef ref="host-hostA"/>
|
|
<ObjectRef ref="host-hostB"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="icmp-Unreachables"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="action_on_reject"></Option>
|
|
<Option name="limit_suffix">/minute</Option>
|
|
<Option name="limit_value">10</Option>
|
|
<Option name="log_prefix"></Option>
|
|
<Option name="pf_classify_str"></Option>
|
|
<Option name="stateless">True</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<PolicyRule id="id3B0B4A13" disabled="False" group="" log="True" position="10" action="Deny" direction="Both" comment="this rule is shaded by rule above.">
|
|
<Src neg="True">
|
|
<ObjectRef ref="host-hostA"/>
|
|
<ObjectRef ref="host-hostB"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="id3AF5AA0A"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="icmp-Unreachables"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="pf_classify_str"></Option>
|
|
<Option name="stateless">True</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<PolicyRule id="id3B5535B7" disabled="False" group="" log="True" position="11" action="Deny" direction="Both" comment="this rule shades rule below">
|
|
<Src neg="True">
|
|
<ObjectRef ref="id3B022266"/>
|
|
<ObjectRef ref="id3AF5AA0A"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="net-Internal_net"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="pf_classify_str"></Option>
|
|
<Option name="stateless">True</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<PolicyRule id="id3B11F63D" disabled="False" group="" log="True" position="12" action="Deny" direction="Both" comment="">
|
|
<Src neg="False">
|
|
<ObjectRef ref="net-Internal_net"/>
|
|
<ObjectRef ref="id3B022266"/>
|
|
</Src>
|
|
<Dst neg="True">
|
|
<ObjectRef ref="host-hostA"/>
|
|
<ObjectRef ref="host-hostB"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="pf_classify_str"></Option>
|
|
<Option name="stateless">True</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<PolicyRule id="id41199643" disabled="False" group="" log="True" position="13" action="Reject" direction="Both" comment="testing negation in the policy rule">
|
|
<Src neg="False">
|
|
<ObjectRef ref="host-hostA"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="action_on_reject"></Option>
|
|
<Option name="limit_suffix">/minute</Option>
|
|
<Option name="limit_value">10</Option>
|
|
<Option name="log_prefix"></Option>
|
|
<Option name="pf_classify_str"></Option>
|
|
<Option name="stateless">True</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<PolicyRule id="id3B021E6F" disabled="True" group="" log="True" position="14" action="Deny" direction="Both" comment="testing negation in service field">
|
|
<Src neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="host-hostA"/>
|
|
<ObjectRef ref="host-hostB"/>
|
|
</Dst>
|
|
<Srv neg="True">
|
|
<ServiceRef ref="tcp-SMTP"/>
|
|
<ServiceRef ref="tcp-SSH"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="pf_classify_str"></Option>
|
|
<Option name="stateless">True</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<PolicyRule id="id3CCA2CF4" disabled="True" group="" log="True" position="15" action="Accept" direction="Both" comment="testing negation in service field">
|
|
<Src neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="host-hostA"/>
|
|
<ObjectRef ref="host-hostB"/>
|
|
</Dst>
|
|
<Srv neg="True">
|
|
<ServiceRef ref="tcp-SMTP"/>
|
|
<ServiceRef ref="tcp-SSH"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="pf_classify_str"></Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<PolicyRule id="id3B45739A" disabled="False" group="" log="True" position="16" action="Deny" direction="Both" comment="">
|
|
<Src neg="False">
|
|
<ObjectRef ref="id3B4572B5"/>
|
|
</Src>
|
|
<Dst neg="True">
|
|
<ObjectRef ref="id3B4572B5"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="id3B457567"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="pf_classify_str"></Option>
|
|
<Option name="stateless">True</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<PolicyRule id="id3AF5AAC8" disabled="False" group="" log="False" position="17" action="Accept" direction="Both" comment="'masquerading' rule">
|
|
<Src neg="False">
|
|
<ObjectRef ref="net-Internal_net"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="pf_classify_str"></Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<PolicyRule id="id14484X90789" disabled="False" group="" log="False" position="18" action="Accept" direction="Both" comment="">
|
|
<Src neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="id3AF5AA0A"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="id3B5009F7"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="pf_classify_str"></Option>
|
|
<Option name="stateless">False</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<PolicyRule id="id20447X90789" disabled="False" group="" log="False" position="19" action="Accept" direction="Inbound" comment="rule from http://www.benzedrine.cx/transquid.html Used to permit connections to a transparent squid proxy. Should be &quot;in $int_if&quot; but the destination is the loopback interface">
|
|
<Src neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="id3B0B4D35"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="id3B5009F7"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="id3AF5AA96"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="pf_classify_str"></Option>
|
|
<Option name="stateless">False</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<PolicyRule id="id3AF5AAE3" disabled="False" group="" log="True" position="20" action="Deny" direction="Both" comment="'catch all' rule">
|
|
<Src neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="pf_classify_str"></Option>
|
|
<Option name="stateless">True</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<RuleSetOptions/>
|
|
</Policy>
|
|
<Routing id="id3AF5AA0A-routing" name="Routing" comment="" ro="False" ipv4_rule_set="False" ipv6_rule_set="False" top_rule_set="True">
|
|
<RuleSetOptions/>
|
|
</Routing>
|
|
<Interface id="id3AF5AA96" dedicated_failover="False" dyn="False" security_level="100" unnum="False" unprotected="False" name="eth0" comment="" ro="False">
|
|
<IPv4 id="id3AF5AA96-ipv4" name="address" comment="" ro="False" address="192.168.1.1" netmask="255.255.255.0"/>
|
|
<InterfaceOptions/>
|
|
</Interface>
|
|
<Interface id="id3AF5AA99" dedicated_failover="False" dyn="False" security_level="0" unnum="False" unprotected="False" name="eth1" comment="" ro="False">
|
|
<IPv4 id="id3AF5AA99-ipv4" name="address" comment="" ro="False" address="22.22.22.22" netmask="255.255.255.0"/>
|
|
<InterfaceOptions/>
|
|
</Interface>
|
|
<Interface id="id3B0B4BC8" dedicated_failover="False" dyn="False" security_level="100" unnum="False" unprotected="False" name="eth2" comment="" ro="False">
|
|
<IPv4 id="id3B0B4BC8-ipv4" name="address" comment="" ro="False" address="192.168.2.1" netmask="255.255.255.0"/>
|
|
<InterfaceOptions/>
|
|
</Interface>
|
|
<Interface id="id3B0B4D35" dedicated_failover="False" dyn="False" security_level="100" unnum="False" unprotected="False" name="lo" comment="" ro="False">
|
|
<IPv4 id="id3B0B4D35-ipv4" name="address" comment="" ro="False" address="127.0.0.1" netmask="255.0.0.0"/>
|
|
<InterfaceOptions/>
|
|
</Interface>
|
|
<Interface id="id3B11F434" dedicated_failover="False" dyn="False" security_level="0" unnum="False" unprotected="False" name="eth3" comment="" ro="False">
|
|
<IPv4 id="id3B11F434-ipv4" name="address" comment="" ro="False" address="22.22.23.23" netmask="255.255.255.0"/>
|
|
<InterfaceOptions/>
|
|
</Interface>
|
|
<Management address="22.22.23.23">
|
|
<SNMPManagement enabled="False" snmp_read_community="public" snmp_write_community=""/>
|
|
<FWBDManagement enabled="True" identity="" port="9999"/>
|
|
<PolicyInstallScript arguments="" command="" enabled="False"/>
|
|
</Management>
|
|
<FirewallOptions>
|
|
<Option name="accept_established">True</Option>
|
|
<Option name="accept_new_tcp_with_no_syn">True</Option>
|
|
<Option name="action_on_reject">ICMP net unreachable</Option>
|
|
<Option name="activationCmd"></Option>
|
|
<Option name="admUser"></Option>
|
|
<Option name="altAddress"></Option>
|
|
<Option name="check_shading">True</Option>
|
|
<Option name="clamp_mss_to_mtu">False</Option>
|
|
<Option name="cmdline"></Option>
|
|
<Option name="compiler"></Option>
|
|
<Option name="configure_interfaces">False</Option>
|
|
<Option name="debug">False</Option>
|
|
<Option name="dyn_addr">False</Option>
|
|
<Option name="epilog_script"></Option>
|
|
<Option name="fallback_log">False</Option>
|
|
<Option name="firewall_dir"></Option>
|
|
<Option name="firewall_is_part_of_any">True</Option>
|
|
<Option name="firewall_is_part_of_any_and_networks">True</Option>
|
|
<Option name="generate_rc_conf_file">False</Option>
|
|
<Option name="generate_shell_script">True</Option>
|
|
<Option name="ignore_empty_groups">False</Option>
|
|
<Option name="in_out_code">True</Option>
|
|
<Option name="inst_cmdline"></Option>
|
|
<Option name="inst_script"></Option>
|
|
<Option name="install_script"></Option>
|
|
<Option name="limit_suffix">/day</Option>
|
|
<Option name="limit_value">0</Option>
|
|
<Option name="linux24_ip_forward">0</Option>
|
|
<Option name="linux24_tcp_fin_timeout">30</Option>
|
|
<Option name="linux24_tcp_keepalive_interval">1800</Option>
|
|
<Option name="load_modules">False</Option>
|
|
<Option name="log_all_dropped">False</Option>
|
|
<Option name="log_ip_opt">False</Option>
|
|
<Option name="log_level">debug</Option>
|
|
<Option name="log_limit_suffix">/second</Option>
|
|
<Option name="log_limit_value">0</Option>
|
|
<Option name="log_prefix"></Option>
|
|
<Option name="log_tcp_opt">False</Option>
|
|
<Option name="log_tcp_seq">False</Option>
|
|
<Option name="manage_virtual_addr">True</Option>
|
|
<Option name="mgmt_addr"></Option>
|
|
<Option name="mgmt_ssh">False</Option>
|
|
<Option name="modulate_state">False</Option>
|
|
<Option name="no_iochains_for_any">False</Option>
|
|
<Option name="no_optimisation">False</Option>
|
|
<Option name="openbsd_path_pfctl"></Option>
|
|
<Option name="openbsd_path_sysctl"></Option>
|
|
<Option name="output_file"></Option>
|
|
<Option name="pass_all_out">False</Option>
|
|
<Option name="pf_adaptive_end">0</Option>
|
|
<Option name="pf_adaptive_start">0</Option>
|
|
<Option name="pf_do_limit_frags">False</Option>
|
|
<Option name="pf_do_limit_states">False</Option>
|
|
<Option name="pf_do_scrub">True</Option>
|
|
<Option name="pf_do_timeout_frag">False</Option>
|
|
<Option name="pf_do_timeout_interval">False</Option>
|
|
<Option name="pf_icmp_error">0</Option>
|
|
<Option name="pf_icmp_first">0</Option>
|
|
<Option name="pf_limit_frags">5000</Option>
|
|
<Option name="pf_limit_states">1000</Option>
|
|
<Option name="pf_optimization"></Option>
|
|
<Option name="pf_other_first">0</Option>
|
|
<Option name="pf_other_multiple">0</Option>
|
|
<Option name="pf_other_single">0</Option>
|
|
<Option name="pf_scrub_fragm_crop">False</Option>
|
|
<Option name="pf_scrub_fragm_drop_ovl">False</Option>
|
|
<Option name="pf_scrub_maxmss">1460</Option>
|
|
<Option name="pf_scrub_minttl">1</Option>
|
|
<Option name="pf_scrub_no_df">False</Option>
|
|
<Option name="pf_scrub_random_id">False</Option>
|
|
<Option name="pf_scrub_reassemble">True</Option>
|
|
<Option name="pf_scrub_use_maxmss">False</Option>
|
|
<Option name="pf_scrub_use_minttl">False</Option>
|
|
<Option name="pf_set_adaptive">False</Option>
|
|
<Option name="pf_set_icmp_error">False</Option>
|
|
<Option name="pf_set_icmp_first">False</Option>
|
|
<Option name="pf_set_limits">True</Option>
|
|
<Option name="pf_set_other_first">False</Option>
|
|
<Option name="pf_set_other_multiple">False</Option>
|
|
<Option name="pf_set_other_single">False</Option>
|
|
<Option name="pf_set_tcp_closed">False</Option>
|
|
<Option name="pf_set_tcp_closing">False</Option>
|
|
<Option name="pf_set_tcp_established">False</Option>
|
|
<Option name="pf_set_tcp_finwait">False</Option>
|
|
<Option name="pf_set_tcp_first">False</Option>
|
|
<Option name="pf_set_tcp_opening">False</Option>
|
|
<Option name="pf_set_timeouts">True</Option>
|
|
<Option name="pf_set_udp_first">False</Option>
|
|
<Option name="pf_set_udp_multiple">False</Option>
|
|
<Option name="pf_set_udp_single">False</Option>
|
|
<Option name="pf_tcp_closed">0</Option>
|
|
<Option name="pf_tcp_closing">0</Option>
|
|
<Option name="pf_tcp_established">0</Option>
|
|
<Option name="pf_tcp_finwait">0</Option>
|
|
<Option name="pf_tcp_first">0</Option>
|
|
<Option name="pf_tcp_opening">0</Option>
|
|
<Option name="pf_timeout_frag">30</Option>
|
|
<Option name="pf_timeout_interval">10</Option>
|
|
<Option name="pf_udp_first">0</Option>
|
|
<Option name="pf_udp_multiple">0</Option>
|
|
<Option name="pf_udp_single">0</Option>
|
|
<Option name="platform">iptables</Option>
|
|
<Option name="prolog_place">pf_file_top</Option>
|
|
<!-- Free-form text that, judging by prolog_place="pf_file_top" and its own
     wording, is inserted verbatim near the top of the generated pf configuration.
     Anything placed here becomes part of the firewall configuration rather than a
     comment, so it deserves the same review as a rule. The value must stay
     byte-identical: the leading "# " lines and the trailing blank lines are data.
     NOTE(review): the platform Option of this object above reads "iptables" while
     this text speaks of pf; which platform the compiler honours is not visible here. -->
<Option name="prolog_script"># prolog:
|
|
# some pf command at the very top of the .conf file goes here
|
|
|
|
|
|
</Option>
|
|
<Option name="proxy_arp">False</Option>
|
|
<Option name="script_env_path"></Option>
|
|
<Option name="snmp_contact"></Option>
|
|
<Option name="snmp_description"></Option>
|
|
<Option name="snmp_location"></Option>
|
|
<Option name="sshArgs"></Option>
|
|
<Option name="use_ip_tool">False</Option>
|
|
<Option name="use_numeric_log_levels">False</Option>
|
|
<Option name="use_tables">True</Option>
|
|
</FirewallOptions>
|
|
</Firewall>
|
|
<Firewall id="id3DE69291" host_OS="openbsd" inactive="False" lastCompiled="1157930804" lastInstalled="0" lastModified="1193632387" platform="pf" version="" name="firewall13" comment="testing detection of empty groups" ro="False">
|
|
<NAT id="id3DE69292" name="NAT" comment="" ro="False" ipv4_rule_set="False" ipv6_rule_set="False" top_rule_set="True">
|
|
<NATRule id="id3DE69752" disabled="False" group="" position="0" action="Translate" comment="">
|
|
<OSrc neg="False">
|
|
<ObjectRef ref="id3DE69469"/>
|
|
</OSrc>
|
|
<ODst neg="False">
|
|
<ObjectRef ref="id3AFADBF9"/>
|
|
</ODst>
|
|
<OSrv neg="False">
|
|
<ServiceRef ref="tcp-IRC"/>
|
|
</OSrv>
|
|
<TSrc neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</TSrc>
|
|
<TDst neg="False">
|
|
<ObjectRef ref="host-hostA"/>
|
|
</TDst>
|
|
<TSrv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</TSrv>
|
|
<ItfInb neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ItfInb>
|
|
<ItfOutb neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ItfOutb>
|
|
<NATRuleOptions/>
|
|
</NATRule>
|
|
<NATRule id="id3DE697CD" disabled="False" group="" position="1" action="Translate" comment="">
|
|
<OSrc neg="False">
|
|
<ObjectRef ref="id3DE69469"/>
|
|
<ObjectRef ref="id3B19C5EB"/>
|
|
</OSrc>
|
|
<ODst neg="False">
|
|
<ObjectRef ref="id3AFADBF9"/>
|
|
</ODst>
|
|
<OSrv neg="False">
|
|
<ServiceRef ref="tcp-IRC"/>
|
|
</OSrv>
|
|
<TSrc neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</TSrc>
|
|
<TDst neg="False">
|
|
<ObjectRef ref="host-hostA"/>
|
|
</TDst>
|
|
<TSrv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</TSrv>
|
|
<ItfInb neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ItfInb>
|
|
<ItfOutb neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ItfOutb>
|
|
<NATRuleOptions/>
|
|
</NATRule>
|
|
<NATRule id="id3DE69866" disabled="False" group="" position="2" action="Translate" comment="">
|
|
<OSrc neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</OSrc>
|
|
<ODst neg="False">
|
|
<ObjectRef ref="id3AFADBF9"/>
|
|
</ODst>
|
|
<OSrv neg="False">
|
|
<ServiceRef ref="id3DE6946C"/>
|
|
</OSrv>
|
|
<TSrc neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</TSrc>
|
|
<TDst neg="False">
|
|
<ObjectRef ref="host-hostA"/>
|
|
</TDst>
|
|
<TSrv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</TSrv>
|
|
<ItfInb neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ItfInb>
|
|
<ItfOutb neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ItfOutb>
|
|
<NATRuleOptions/>
|
|
</NATRule>
|
|
<RuleSetOptions/>
|
|
</NAT>
|
|
<Policy id="id3DE692BD" name="Policy" comment="" ro="False" ipv4_rule_set="False" ipv6_rule_set="False" top_rule_set="True">
|
|
<PolicyRule id="id3DE6946F" disabled="False" group="" log="False" position="0" action="Accept" direction="Both" comment="">
|
|
<Src neg="False">
|
|
<ObjectRef ref="id3DE6946A"/>
|
|
<ObjectRef ref="id3B19C5EB"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="host-hostA"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="pf_classify_str"></Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<PolicyRule id="id3DE6947B" disabled="False" group="" log="False" position="1" action="Accept" direction="Both" comment="">
|
|
<Src neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="host-hostA"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="id3DE6946C"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="pf_classify_str"></Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<PolicyRule id="id3DE69487" disabled="False" group="" log="True" position="2" action="Deny" direction="Both" comment="">
|
|
<Src neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="pf_classify_str"></Option>
|
|
<Option name="stateless">True</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<RuleSetOptions/>
|
|
</Policy>
|
|
<Routing id="id3DE69291-routing" name="Routing" comment="" ro="False" ipv4_rule_set="False" ipv6_rule_set="False" top_rule_set="True">
|
|
<RuleSetOptions/>
|
|
</Routing>
|
|
<Interface id="id3DE6935E" dedicated_failover="False" dyn="False" security_level="0" unnum="False" unprotected="False" name="eth1" comment="" ro="False">
|
|
<IPv4 id="id3DE6935F" name="address" comment="" ro="False" address="22.22.22.22" netmask="255.255.255.0"/>
|
|
<InterfaceOptions/>
|
|
</Interface>
|
|
<Interface id="id3DE6937E" dedicated_failover="False" dyn="False" security_level="100" unnum="False" unprotected="False" name="eth0" comment="" ro="False">
|
|
<IPv4 id="id3DE6937F" name="address" comment="" ro="False" address="192.168.1.1" netmask="255.255.255.0"/>
|
|
<InterfaceOptions/>
|
|
</Interface>
|
|
<!-- Management settings for firewall13. The address is the one assigned to
     interface eth0 above (192.168.1.1, security_level="100"), not the
     22.22.22.22 address on eth1 (security_level="0"). -->
<Management address="192.168.1.1">
|
|
<!-- SNMP agent disabled; read community left at the well-known default "public",
     write community empty. Fixture data, not a value to reuse in a live object. -->
<SNMPManagement enabled="False" snmp_read_community="public" snmp_write_community=""/>
|
|
<!-- fwbuilder daemon management enabled on port 9999 with an empty identity string;
     NOTE(review): confirm how an empty identity is treated by the installer. -->
<FWBDManagement enabled="True" identity="" port="9999"/>
|
|
<!-- No external policy install script configured (enabled="False", command empty). -->
<PolicyInstallScript arguments="" command="" enabled="False"/>
|
|
</Management>
|
|
<FirewallOptions>
|
|
<Option name="accept_established">False</Option>
|
|
<Option name="accept_new_tcp_with_no_syn">False</Option>
|
|
<Option name="action_on_reject">ICMP net unreachable</Option>
|
|
<Option name="check_shading">True</Option>
|
|
<Option name="clamp_mss_to_mtu">False</Option>
|
|
<Option name="cmdline"></Option>
|
|
<Option name="compiler"></Option>
|
|
<Option name="configure_interfaces">False</Option>
|
|
<Option name="debug">False</Option>
|
|
<Option name="dyn_addr">False</Option>
|
|
<Option name="firewall_dir"></Option>
|
|
<Option name="firewall_is_part_of_any">True</Option>
|
|
<Option name="firewall_is_part_of_any_and_networks">True</Option>
|
|
<Option name="ignore_empty_groups">True</Option>
|
|
<Option name="in_out_code">True</Option>
|
|
<Option name="inst_cmdline"></Option>
|
|
<Option name="inst_script"></Option>
|
|
<Option name="install_script"></Option>
|
|
<Option name="limit_suffix">/second</Option>
|
|
<Option name="limit_value">0</Option>
|
|
<Option name="linux24_ip_forward">0</Option>
|
|
<Option name="linux24_tcp_fin_timeout">30</Option>
|
|
<Option name="linux24_tcp_keepalive_interval">1800</Option>
|
|
<Option name="load_modules">False</Option>
|
|
<Option name="log_all_dropped">True</Option>
|
|
<Option name="log_ip_opt">False</Option>
|
|
<Option name="log_level">debug</Option>
|
|
<Option name="log_limit_suffix">/second</Option>
|
|
<Option name="log_limit_value">0</Option>
|
|
<Option name="log_prefix"></Option>
|
|
<Option name="log_tcp_opt">False</Option>
|
|
<Option name="log_tcp_seq">False</Option>
|
|
<Option name="manage_virtual_addr">True</Option>
|
|
<Option name="modulate_state">True</Option>
|
|
<Option name="no_iochains_for_any">False</Option>
|
|
<Option name="no_optimisation">False</Option>
|
|
<Option name="openbsd_ip_directed_broadcast">0</Option>
|
|
<Option name="openbsd_ip_forward">1</Option>
|
|
<Option name="openbsd_ip_redirect">0</Option>
|
|
<Option name="openbsd_ip_sourceroute">0</Option>
|
|
<Option name="openbsd_path_pfctl"></Option>
|
|
<Option name="openbsd_path_sysctl"></Option>
|
|
<Option name="pass_all_out">False</Option>
|
|
<Option name="pf_do_scrub">True</Option>
|
|
<Option name="pf_limit_frags">5000</Option>
|
|
<Option name="pf_limit_states">10000</Option>
|
|
<Option name="pf_optimization"></Option>
|
|
<Option name="pf_scrub_fragm_crop">False</Option>
|
|
<Option name="pf_scrub_fragm_drop_ovl">False</Option>
|
|
<Option name="pf_scrub_maxmss">1460</Option>
|
|
<Option name="pf_scrub_minttl">1</Option>
|
|
<Option name="pf_scrub_no_df">False</Option>
|
|
<Option name="pf_scrub_random_id">False</Option>
|
|
<Option name="pf_scrub_use_maxmss">False</Option>
|
|
<Option name="pf_scrub_use_minttl">False</Option>
|
|
<Option name="pf_timeout_frag">30</Option>
|
|
<Option name="pf_timeout_interval">10</Option>
|
|
<!-- NOTE(review): this Option reads "iptables" while the enclosing
     <Firewall id="id3DE69291"> declares platform="pf" and host_OS="openbsd",
     and the neighbouring options are pf_* / openbsd_* settings. Which of the two
     values the compiler honours cannot be determined from this file; worth
     confirming before relying on this fixture for pf-specific tests. -->
<Option name="platform">iptables</Option>
|
|
<Option name="script_env_path"></Option>
|
|
<Option name="snmp_contact"></Option>
|
|
<Option name="snmp_description"></Option>
|
|
<Option name="snmp_location"></Option>
|
|
<Option name="use_numeric_log_levels">False</Option>
|
|
<Option name="use_tables">True</Option>
|
|
</FirewallOptions>
|
|
</Firewall>
|
|
<Firewall id="id3AFB66C6" host_OS="openbsd" inactive="False" lastCompiled="1261961536" lastInstalled="0" lastModified="1322706428" platform="pf" version="" name="firewall2" comment="this object has several interfaces and shows different rules for NAT. Also testing policy rule options " ro="False">
|
|
<NAT id="id3AFB66C7" name="NAT" comment="" ro="False" ipv4_rule_set="False" ipv6_rule_set="False" top_rule_set="True">
|
|
<!-- NAT rule 0 of firewall2: original source net-Internal_net, any destination
     (sysid0) and any service (sysid1); translated source is id3AFB66C6, which is
     the id of the enclosing Firewall element, while translated destination and
     service are left as Any. Reads as a source-NAT of outbound internal traffic to
     the firewall's own address; TODO confirm against the compiled output. -->
<NATRule id="id3AFB66C8" disabled="False" group="" position="0" action="Translate" comment="">
|
|
<OSrc neg="False">
|
|
<ObjectRef ref="net-Internal_net"/>
|
|
</OSrc>
|
|
<ODst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ODst>
|
|
<OSrv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</OSrv>
|
|
<!-- Translated source: the firewall object itself (see Firewall id above). -->
<TSrc neg="False">
|
|
<ObjectRef ref="id3AFB66C6"/>
|
|
</TSrc>
|
|
<TDst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</TDst>
|
|
<TSrv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</TSrv>
|
|
<!-- Inbound and outbound interface both Any: the rule is not pinned to an interface. -->
<ItfInb neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ItfInb>
|
|
<ItfOutb neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ItfOutb>
|
|
<!-- Only a GUI colour and an empty "id" option are set; no platform-specific
     NAT options are present on this rule. -->
<NATRuleOptions>
|
|
<Option name="color">#C0BA44</Option>
|
|
<Option name="id"></Option>
|
|
</NATRuleOptions>
|
|
</NATRule>
|
|
<NATRule id="id3AFB66D6" disabled="False" group="" position="1" action="Translate" comment="">
|
|
<OSrc neg="False">
|
|
<ObjectRef ref="host-hostA"/>
|
|
<ObjectRef ref="id3B4572AF"/>
|
|
</OSrc>
|
|
<ODst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ODst>
|
|
<OSrv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</OSrv>
|
|
<TSrc neg="False">
|
|
<ObjectRef ref="id3AFADBF9"/>
|
|
</TSrc>
|
|
<TDst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</TDst>
|
|
<TSrv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</TSrv>
|
|
<ItfInb neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ItfInb>
|
|
<ItfOutb neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ItfOutb>
|
|
<NATRuleOptions>
|
|
<Option name="color">#C0BA44</Option>
|
|
<Option name="id"></Option>
|
|
</NATRuleOptions>
|
|
</NATRule>
|
|
<NATRule id="id3CABE6DF" disabled="False" group="" position="2" action="Translate" comment="">
|
|
<OSrc neg="False">
|
|
<ObjectRef ref="net-Internal_net"/>
|
|
</OSrc>
|
|
<ODst neg="False">
|
|
<ObjectRef ref="host-hostA"/>
|
|
<ObjectRef ref="id3B4572AF"/>
|
|
</ODst>
|
|
<OSrv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</OSrv>
|
|
<TSrc neg="False">
|
|
<ObjectRef ref="id3AFC191C"/>
|
|
</TSrc>
|
|
<TDst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</TDst>
|
|
<TSrv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</TSrv>
|
|
<ItfInb neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ItfInb>
|
|
<ItfOutb neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ItfOutb>
|
|
<NATRuleOptions>
|
|
<Option name="color">#C0BA44</Option>
|
|
</NATRuleOptions>
|
|
</NATRule>
|
|
<NATRule id="id40E9A827" disabled="False" group="" position="3" action="Translate" comment="">
|
|
<OSrc neg="False">
|
|
<ObjectRef ref="net-Internal_net"/>
|
|
</OSrc>
|
|
<ODst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ODst>
|
|
<OSrv neg="False">
|
|
<ServiceRef ref="tcp-HTTP"/>
|
|
</OSrv>
|
|
<TSrc neg="False">
|
|
<ObjectRef ref="id3AFB66C6"/>
|
|
</TSrc>
|
|
<TDst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</TDst>
|
|
<TSrv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</TSrv>
|
|
<ItfInb neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ItfInb>
|
|
<ItfOutb neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ItfOutb>
|
|
<NATRuleOptions>
|
|
<Option name="color">#C0BA44</Option>
|
|
<Option name="id"></Option>
|
|
</NATRuleOptions>
|
|
</NATRule>
|
|
<NATRule id="id40E9A83B" disabled="False" group="" position="4" action="Translate" comment="">
|
|
<OSrc neg="False">
|
|
<ObjectRef ref="host-hostA"/>
|
|
<ObjectRef ref="id3B4572AF"/>
|
|
</OSrc>
|
|
<ODst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ODst>
|
|
<OSrv neg="False">
|
|
<ServiceRef ref="tcp-HTTP"/>
|
|
</OSrv>
|
|
<TSrc neg="False">
|
|
<ObjectRef ref="id3AFADBF9"/>
|
|
</TSrc>
|
|
<TDst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</TDst>
|
|
<TSrv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</TSrv>
|
|
<ItfInb neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ItfInb>
|
|
<ItfOutb neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ItfOutb>
|
|
<NATRuleOptions>
|
|
<Option name="color">#C0BA44</Option>
|
|
<Option name="id"></Option>
|
|
</NATRuleOptions>
|
|
</NATRule>
|
|
<NATRule id="id40E9A850" disabled="False" group="" position="5" action="Translate" comment="">
|
|
<OSrc neg="False">
|
|
<ObjectRef ref="net-Internal_net"/>
|
|
</OSrc>
|
|
<ODst neg="False">
|
|
<ObjectRef ref="host-hostA"/>
|
|
<ObjectRef ref="id3B4572AF"/>
|
|
</ODst>
|
|
<OSrv neg="False">
|
|
<ServiceRef ref="tcp-HTTP"/>
|
|
</OSrv>
|
|
<TSrc neg="False">
|
|
<ObjectRef ref="id3AFC191C"/>
|
|
</TSrc>
|
|
<TDst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</TDst>
|
|
<TSrv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</TSrv>
|
|
<ItfInb neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ItfInb>
|
|
<ItfOutb neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ItfOutb>
|
|
<NATRuleOptions>
|
|
<Option name="color">#C0BA44</Option>
|
|
</NATRuleOptions>
|
|
</NATRule>
|
|
<NATRule id="id40E9A8DE" disabled="False" group="" position="6" action="Translate" comment="">
|
|
<OSrc neg="False">
|
|
<ObjectRef ref="net-Internal_net"/>
|
|
</OSrc>
|
|
<ODst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ODst>
|
|
<OSrv neg="False">
|
|
<ServiceRef ref="id3D703C8F"/>
|
|
</OSrv>
|
|
<TSrc neg="False">
|
|
<ObjectRef ref="id3AFB66C6"/>
|
|
</TSrc>
|
|
<TDst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</TDst>
|
|
<TSrv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</TSrv>
|
|
<ItfInb neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ItfInb>
|
|
<ItfOutb neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ItfOutb>
|
|
<NATRuleOptions>
|
|
<Option name="color">#C0BA44</Option>
|
|
<Option name="id"></Option>
|
|
</NATRuleOptions>
|
|
</NATRule>
|
|
<NATRule id="id40E9A8F2" disabled="False" group="" position="7" action="Translate" comment="">
|
|
<OSrc neg="False">
|
|
<ObjectRef ref="host-hostA"/>
|
|
<ObjectRef ref="id3B4572AF"/>
|
|
</OSrc>
|
|
<ODst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ODst>
|
|
<OSrv neg="False">
|
|
<ServiceRef ref="id3C20EEB5"/>
|
|
</OSrv>
|
|
<TSrc neg="False">
|
|
<ObjectRef ref="id3AFADBF9"/>
|
|
</TSrc>
|
|
<TDst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</TDst>
|
|
<TSrv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</TSrv>
|
|
<ItfInb neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ItfInb>
|
|
<ItfOutb neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ItfOutb>
|
|
<NATRuleOptions>
|
|
<Option name="color">#C0BA44</Option>
|
|
<Option name="id"></Option>
|
|
</NATRuleOptions>
|
|
</NATRule>
|
|
<NATRule id="id40E9A907" disabled="False" group="" position="8" action="Translate" comment="">
|
|
<OSrc neg="False">
|
|
<ObjectRef ref="net-Internal_net"/>
|
|
</OSrc>
|
|
<ODst neg="False">
|
|
<ObjectRef ref="host-hostA"/>
|
|
<ObjectRef ref="id3B4572AF"/>
|
|
</ODst>
|
|
<OSrv neg="False">
|
|
<ServiceRef ref="udp-DNS"/>
|
|
</OSrv>
|
|
<TSrc neg="False">
|
|
<ObjectRef ref="id3AFC191C"/>
|
|
</TSrc>
|
|
<TDst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</TDst>
|
|
<TSrv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</TSrv>
|
|
<ItfInb neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ItfInb>
|
|
<ItfOutb neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ItfOutb>
|
|
<NATRuleOptions>
|
|
<Option name="color">#C0BA44</Option>
|
|
</NATRuleOptions>
|
|
</NATRule>
|
|
<NATRule id="id431BEFED" disabled="False" group="" position="9" action="Translate" comment="">
|
|
<OSrc neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</OSrc>
|
|
<ODst neg="False">
|
|
<ObjectRef ref="id3AFADBF9"/>
|
|
</ODst>
|
|
<OSrv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</OSrv>
|
|
<TSrc neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</TSrc>
|
|
<TDst neg="False">
|
|
<ObjectRef ref="host-hostA"/>
|
|
</TDst>
|
|
<TSrv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</TSrv>
|
|
<ItfInb neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ItfInb>
|
|
<ItfOutb neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ItfOutb>
|
|
<NATRuleOptions/>
|
|
</NATRule>
|
|
<NATRule id="id3AFB69BD" disabled="False" group="" position="10" action="Translate" comment="">
|
|
<OSrc neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</OSrc>
|
|
<ODst neg="False">
|
|
<ObjectRef ref="id3AFADBF9"/>
|
|
</ODst>
|
|
<OSrv neg="False">
|
|
<ServiceRef ref="tcp-HTTP"/>
|
|
<ServiceRef ref="tcp-NNTP"/>
|
|
</OSrv>
|
|
<TSrc neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</TSrc>
|
|
<TDst neg="False">
|
|
<ObjectRef ref="host-hostA"/>
|
|
</TDst>
|
|
<TSrv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</TSrv>
|
|
<ItfInb neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ItfInb>
|
|
<ItfOutb neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ItfOutb>
|
|
<NATRuleOptions/>
|
|
</NATRule>
|
|
<NATRule id="id3BEEF6D2" disabled="False" group="" position="11" action="Translate" comment="">
|
|
<OSrc neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</OSrc>
|
|
<ODst neg="False">
|
|
<ObjectRef ref="id3AFC0F70"/>
|
|
</ODst>
|
|
<OSrv neg="False">
|
|
<ServiceRef ref="tcp-NNTP"/>
|
|
</OSrv>
|
|
<TSrc neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</TSrc>
|
|
<TDst neg="False">
|
|
<ObjectRef ref="host-hostA"/>
|
|
</TDst>
|
|
<TSrv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</TSrv>
|
|
<ItfInb neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ItfInb>
|
|
<ItfOutb neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ItfOutb>
|
|
<NATRuleOptions/>
|
|
</NATRule>
|
|
<NATRule id="id3BD67563" disabled="False" group="" position="12" action="Translate" comment="">
|
|
<OSrc neg="False">
|
|
<ObjectRef ref="host-hostB"/>
|
|
</OSrc>
|
|
<ODst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ODst>
|
|
<OSrv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</OSrv>
|
|
<TSrc neg="False">
|
|
<ObjectRef ref="id3BD6736B"/>
|
|
</TSrc>
|
|
<TDst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</TDst>
|
|
<TSrv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</TSrv>
|
|
<ItfInb neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ItfInb>
|
|
<ItfOutb neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ItfOutb>
|
|
<NATRuleOptions>
|
|
<Option name="id"></Option>
|
|
</NATRuleOptions>
|
|
</NATRule>
|
|
<NATRule id="id3BD6757E" disabled="True" group="" position="13" action="Translate" comment="">
|
|
<OSrc neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</OSrc>
|
|
<ODst neg="False">
|
|
<ObjectRef ref="id3BD6736B"/>
|
|
</ODst>
|
|
<OSrv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</OSrv>
|
|
<TSrc neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</TSrc>
|
|
<TDst neg="False">
|
|
<ObjectRef ref="host-hostB"/>
|
|
</TDst>
|
|
<TSrv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</TSrv>
|
|
<ItfInb neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ItfInb>
|
|
<ItfOutb neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ItfOutb>
|
|
<NATRuleOptions/>
|
|
</NATRule>
|
|
<NATRule id="id3B66568B" disabled="True" group="" position="14" action="Translate" comment="NETMAP ">
|
|
<OSrc neg="False">
|
|
<ObjectRef ref="net-Internal_net"/>
|
|
</OSrc>
|
|
<ODst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ODst>
|
|
<OSrv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</OSrv>
|
|
<TSrc neg="False">
|
|
<ObjectRef ref="id3B665641"/>
|
|
</TSrc>
|
|
<TDst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</TDst>
|
|
<TSrv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</TSrv>
|
|
<ItfInb neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ItfInb>
|
|
<ItfOutb neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ItfOutb>
|
|
<NATRuleOptions/>
|
|
</NATRule>
|
|
<NATRule id="id3B6656EF" disabled="True" group="" position="15" action="Translate" comment="NETMAP">
|
|
<OSrc neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</OSrc>
|
|
<ODst neg="False">
|
|
<ObjectRef ref="id3B665641"/>
|
|
</ODst>
|
|
<OSrv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</OSrv>
|
|
<TSrc neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</TSrc>
|
|
<TDst neg="False">
|
|
<ObjectRef ref="net-Internal_net"/>
|
|
</TDst>
|
|
<TSrv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</TSrv>
|
|
<ItfInb neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ItfInb>
|
|
<ItfOutb neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ItfOutb>
|
|
<NATRuleOptions/>
|
|
</NATRule>
|
|
<NATRule id="id431C0728" disabled="False" group="" position="16" action="Translate" comment="">
|
|
<OSrc neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</OSrc>
|
|
<ODst neg="False">
|
|
<ObjectRef ref="id3AFB66C6"/>
|
|
</ODst>
|
|
<OSrv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</OSrv>
|
|
<TSrc neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</TSrc>
|
|
<TDst neg="False">
|
|
<ObjectRef ref="host-hostA"/>
|
|
</TDst>
|
|
<TSrv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</TSrv>
|
|
<ItfInb neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ItfInb>
|
|
<ItfOutb neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ItfOutb>
|
|
<NATRuleOptions/>
|
|
</NATRule>
|
|
<NATRule id="id431C0714" disabled="False" group="" position="17" action="Translate" comment="">
|
|
<OSrc neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</OSrc>
|
|
<ODst neg="False">
|
|
<ObjectRef ref="id3AFB6706"/>
|
|
</ODst>
|
|
<OSrv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</OSrv>
|
|
<TSrc neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</TSrc>
|
|
<TDst neg="False">
|
|
<ObjectRef ref="host-hostA"/>
|
|
</TDst>
|
|
<TSrv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</TSrv>
|
|
<ItfInb neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ItfInb>
|
|
<ItfOutb neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ItfOutb>
|
|
<NATRuleOptions/>
|
|
</NATRule>
|
|
<NATRule id="id431C0700" disabled="False" group="" position="18" action="Translate" comment="">
|
|
<OSrc neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</OSrc>
|
|
<ODst neg="False">
|
|
<ObjectRef ref="id3AFB6706-ipv4"/>
|
|
</ODst>
|
|
<OSrv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</OSrv>
|
|
<TSrc neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</TSrc>
|
|
<TDst neg="False">
|
|
<ObjectRef ref="host-hostA"/>
|
|
</TDst>
|
|
<TSrv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</TSrv>
|
|
<ItfInb neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ItfInb>
|
|
<ItfOutb neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ItfOutb>
|
|
<NATRuleOptions/>
|
|
</NATRule>
|
|
<NATRule id="id431C355F" disabled="False" group="" position="19" action="Translate" comment="">
|
|
<OSrc neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</OSrc>
|
|
<ODst neg="False">
|
|
<ObjectRef ref="id3AFB66C6"/>
|
|
</ODst>
|
|
<OSrv neg="False">
|
|
<ServiceRef ref="id3D703C8F"/>
|
|
</OSrv>
|
|
<TSrc neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</TSrc>
|
|
<TDst neg="False">
|
|
<ObjectRef ref="host-hostA"/>
|
|
</TDst>
|
|
<TSrv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</TSrv>
|
|
<ItfInb neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ItfInb>
|
|
<ItfOutb neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ItfOutb>
|
|
<NATRuleOptions/>
|
|
</NATRule>
|
|
<NATRule id="id3AFB69F7" disabled="False" group="" position="20" action="Translate" comment="">
|
|
<OSrc neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</OSrc>
|
|
<ODst neg="False">
|
|
<ObjectRef ref="id3AFB66C6"/>
|
|
</ODst>
|
|
<OSrv neg="False">
|
|
<ServiceRef ref="id3B20468D"/>
|
|
</OSrv>
|
|
<TSrc neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</TSrc>
|
|
<TDst neg="False">
|
|
<ObjectRef ref="host-hostA"/>
|
|
</TDst>
|
|
<TSrv neg="False">
|
|
<ServiceRef ref="id3B20468D"/>
|
|
</TSrv>
|
|
<ItfInb neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ItfInb>
|
|
<ItfOutb neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ItfOutb>
|
|
<NATRuleOptions/>
|
|
</NATRule>
|
|
<NATRule id="id414BEA12" disabled="False" group="" position="21" action="Translate" comment="">
|
|
<OSrc neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</OSrc>
|
|
<ODst neg="False">
|
|
<ObjectRef ref="id3AFB6706"/>
|
|
</ODst>
|
|
<OSrv neg="False">
|
|
<ServiceRef ref="id3B20468D"/>
|
|
</OSrv>
|
|
<TSrc neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</TSrc>
|
|
<TDst neg="False">
|
|
<ObjectRef ref="host-hostA"/>
|
|
</TDst>
|
|
<TSrv neg="False">
|
|
<ServiceRef ref="id3B20468D"/>
|
|
</TSrv>
|
|
<ItfInb neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ItfInb>
|
|
<ItfOutb neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ItfOutb>
|
|
<NATRuleOptions/>
|
|
</NATRule>
|
|
<NATRule id="id414BEC22" disabled="False" group="" position="22" action="Translate" comment="">
|
|
<OSrc neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</OSrc>
|
|
<ODst neg="False">
|
|
<ObjectRef ref="id3AFB6706-ipv4"/>
|
|
</ODst>
|
|
<OSrv neg="False">
|
|
<ServiceRef ref="id3B20468D"/>
|
|
</OSrv>
|
|
<TSrc neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</TSrc>
|
|
<TDst neg="False">
|
|
<ObjectRef ref="host-hostA"/>
|
|
</TDst>
|
|
<TSrv neg="False">
|
|
<ServiceRef ref="id3B20468D"/>
|
|
</TSrv>
|
|
<ItfInb neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ItfInb>
|
|
<ItfOutb neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ItfOutb>
|
|
<NATRuleOptions/>
|
|
</NATRule>
|
|
<NATRule id="id546F21844" disabled="False" group="" position="23" action="Translate" comment="">
|
|
<OSrc neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</OSrc>
|
|
<ODst neg="False">
|
|
<ObjectRef ref="id3AFB6706-ipv4"/>
|
|
</ODst>
|
|
<OSrv neg="False">
|
|
<ServiceRef ref="id3B20468D"/>
|
|
</OSrv>
|
|
<TSrc neg="False">
|
|
<ObjectRef ref="id3AFB6703-ipv4"/>
|
|
</TSrc>
|
|
<TDst neg="False">
|
|
<ObjectRef ref="host-hostA"/>
|
|
</TDst>
|
|
<TSrv neg="False">
|
|
<ServiceRef ref="id3B20468D"/>
|
|
</TSrv>
|
|
<ItfInb neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ItfInb>
|
|
<ItfOutb neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ItfOutb>
|
|
<NATRuleOptions/>
|
|
</NATRule>
|
|
<NATRule id="id3B7313C4" disabled="False" group="" position="24" action="Translate" comment="">
|
|
<OSrc neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</OSrc>
|
|
<ODst neg="False">
|
|
<ObjectRef ref="id3AFADBF9"/>
|
|
</ODst>
|
|
<OSrv neg="False">
|
|
<ServiceRef ref="tcp-HTTP"/>
|
|
</OSrv>
|
|
<TSrc neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</TSrc>
|
|
<TDst neg="False">
|
|
<ObjectRef ref="host-hostA"/>
|
|
</TDst>
|
|
<TSrv neg="False">
|
|
<ServiceRef ref="tcp-SMTP"/>
|
|
</TSrv>
|
|
<ItfInb neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ItfInb>
|
|
<ItfOutb neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ItfOutb>
|
|
<NATRuleOptions/>
|
|
</NATRule>
|
|
<NATRule id="id3E59ADF3" disabled="False" group="" position="25" action="Translate" comment="">
|
|
<OSrc neg="False">
|
|
<ObjectRef ref="net-Internal_net"/>
|
|
</OSrc>
|
|
<ODst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ODst>
|
|
<OSrv neg="False">
|
|
<ServiceRef ref="tcp-HTTP"/>
|
|
</OSrv>
|
|
<TSrc neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</TSrc>
|
|
<TDst neg="False">
|
|
<ObjectRef ref="id3AFB66C6"/>
|
|
</TDst>
|
|
<TSrv neg="False">
|
|
<ServiceRef ref="tcp-HTTP"/>
|
|
</TSrv>
|
|
<ItfInb neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ItfInb>
|
|
<ItfOutb neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ItfOutb>
|
|
<NATRuleOptions/>
|
|
</NATRule>
|
|
<NATRule id="id40ECF000" disabled="False" group="" position="26" action="Translate" comment="">
|
|
<OSrc neg="False">
|
|
<ObjectRef ref="net-Internal_net"/>
|
|
</OSrc>
|
|
<ODst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ODst>
|
|
<OSrv neg="False">
|
|
<ServiceRef ref="tcp-HTTP"/>
|
|
</OSrv>
|
|
<TSrc neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</TSrc>
|
|
<TDst neg="False">
|
|
<ObjectRef ref="id3AFB6703"/>
|
|
</TDst>
|
|
<TSrv neg="False">
|
|
<ServiceRef ref="tcp-HTTP"/>
|
|
</TSrv>
|
|
<ItfInb neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ItfInb>
|
|
<ItfOutb neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ItfOutb>
|
|
<NATRuleOptions/>
|
|
</NATRule>
|
|
<NATRule id="id3E59AC6D" disabled="False" group="" position="27" action="Translate" comment="">
|
|
<OSrc neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</OSrc>
|
|
<ODst neg="False">
|
|
<ObjectRef ref="id3AFB66C6"/>
|
|
</ODst>
|
|
<OSrv neg="False">
|
|
<ServiceRef ref="id3E59AD29"/>
|
|
</OSrv>
|
|
<TSrc neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</TSrc>
|
|
<TDst neg="False">
|
|
<ObjectRef ref="id3AFB66C6"/>
|
|
</TDst>
|
|
<TSrv neg="False">
|
|
<ServiceRef ref="tcp-HTTP"/>
|
|
</TSrv>
|
|
<ItfInb neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ItfInb>
|
|
<ItfOutb neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ItfOutb>
|
|
<NATRuleOptions/>
|
|
</NATRule>
|
|
<NATRule id="id294558X26175" disabled="False" group="" position="28" action="Translate" comment="SF bug 3162862">
|
|
<OSrc neg="False">
|
|
<ObjectRef ref="net-Internal_net"/>
|
|
</OSrc>
|
|
<ODst neg="True">
|
|
<ObjectRef ref="net-Internal_net"/>
|
|
</ODst>
|
|
<OSrv neg="False">
|
|
<ServiceRef ref="tcp-HTTP"/>
|
|
</OSrv>
|
|
<TSrc neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</TSrc>
|
|
<TDst neg="False">
|
|
<ObjectRef ref="host-hostA"/>
|
|
</TDst>
|
|
<TSrv neg="False">
|
|
<ServiceRef ref="id3B20468D"/>
|
|
</TSrv>
|
|
<ItfInb neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ItfInb>
|
|
<ItfOutb neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ItfOutb>
|
|
<NATRuleOptions/>
|
|
</NATRule>
|
|
<NATRule id="id424735X26175" disabled="False" group="" position="29" action="Translate" comment="SF bug 3162862">
|
|
<OSrc neg="False">
|
|
<ObjectRef ref="net-Internal_net"/>
|
|
</OSrc>
|
|
<ODst neg="True">
|
|
<ObjectRef ref="id3CEBFDFC"/>
|
|
<ObjectRef ref="id4733FFE419714"/>
|
|
</ODst>
|
|
<OSrv neg="False">
|
|
<ServiceRef ref="tcp-HTTP"/>
|
|
</OSrv>
|
|
<TSrc neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</TSrc>
|
|
<TDst neg="False">
|
|
<ObjectRef ref="host-hostA"/>
|
|
</TDst>
|
|
<TSrv neg="False">
|
|
<ServiceRef ref="id3B20468D"/>
|
|
</TSrv>
|
|
<ItfInb neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ItfInb>
|
|
<ItfOutb neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ItfOutb>
|
|
<NATRuleOptions/>
|
|
</NATRule>
|
|
<NATRule id="id511857X26175" disabled="False" group="" position="30" action="Translate" comment="SF bug 3162862">
|
|
<OSrc neg="False">
|
|
<ObjectRef ref="net-Internal_net"/>
|
|
</OSrc>
|
|
<ODst neg="True">
|
|
<ObjectRef ref="id3CEBFDFC"/>
|
|
<ObjectRef ref="id4733FFE419714"/>
|
|
</ODst>
|
|
<OSrv neg="False">
|
|
<ServiceRef ref="tcp-HTTP"/>
|
|
</OSrv>
|
|
<TSrc neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</TSrc>
|
|
<TDst neg="False">
|
|
<ObjectRef ref="id3AFB66C6"/>
|
|
</TDst>
|
|
<TSrv neg="False">
|
|
<ServiceRef ref="id3B20468D"/>
|
|
</TSrv>
|
|
<ItfInb neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ItfInb>
|
|
<ItfOutb neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ItfOutb>
|
|
<NATRuleOptions/>
|
|
</NATRule>
|
|
<NATRule id="id41F9FFBB" disabled="False" group="" position="31" action="Translate" comment="for bug 1111267: this custom service object has &quot;proto ...&quot; in the protocol string, so the compiler can put it in the generated nat command in the right place.">
|
|
<OSrc neg="False">
|
|
<ObjectRef ref="net-Internal_net"/>
|
|
</OSrc>
|
|
<ODst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ODst>
|
|
<OSrv neg="False">
|
|
<ServiceRef ref="id41F9FFBA"/>
|
|
</OSrv>
|
|
<TSrc neg="False">
|
|
<ObjectRef ref="id3AFB6706-ipv4"/>
|
|
</TSrc>
|
|
<TDst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</TDst>
|
|
<TSrv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</TSrv>
|
|
<ItfInb neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ItfInb>
|
|
<ItfOutb neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ItfOutb>
|
|
<NATRuleOptions/>
|
|
</NATRule>
|
|
<NATRule id="id15833X50242" disabled="False" group="" position="32" action="Translate" comment="for bug 1111267: this custom service object has &quot;proto ..&quot; in the code string, but we can't insert it in the generated nat command because it would appear in the wrong place, after &quot;from&quot;.">
|
|
<OSrc neg="False">
|
|
<ObjectRef ref="net-Internal_net"/>
|
|
</OSrc>
|
|
<ODst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ODst>
|
|
<OSrv neg="False">
|
|
<ServiceRef ref="id15832X50242"/>
|
|
</OSrv>
|
|
<TSrc neg="False">
|
|
<ObjectRef ref="id3AFB6706-ipv4"/>
|
|
</TSrc>
|
|
<TDst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</TDst>
|
|
<TSrv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</TSrv>
|
|
<ItfInb neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ItfInb>
|
|
<ItfOutb neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ItfOutb>
|
|
<NATRuleOptions/>
|
|
</NATRule>
|
|
<NATRule id="id41FA0A82" disabled="False" group="" position="33" action="Translate" comment="">
|
|
<OSrc neg="False">
|
|
<ObjectRef ref="net-Internal_net"/>
|
|
</OSrc>
|
|
<ODst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ODst>
|
|
<OSrv neg="False">
|
|
<ServiceRef ref="id3D703C8F"/>
|
|
<ServiceRef ref="id3C20EEB5"/>
|
|
<ServiceRef ref="tcp-All_TCP"/>
|
|
<ServiceRef ref="udp-All_UDP"/>
|
|
</OSrv>
|
|
<TSrc neg="False">
|
|
<ObjectRef ref="id3AFB6706-ipv4"/>
|
|
</TSrc>
|
|
<TDst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</TDst>
|
|
<TSrv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</TSrv>
|
|
<ItfInb neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ItfInb>
|
|
<ItfOutb neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ItfOutb>
|
|
<NATRuleOptions/>
|
|
</NATRule>
|
|
<NATRule id="id96271X9659" disabled="False" group="" position="34" action="Translate" comment="">
|
|
<OSrc neg="False">
|
|
<ObjectRef ref="net-Internal_net"/>
|
|
</OSrc>
|
|
<ODst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ODst>
|
|
<OSrv neg="False">
|
|
<ServiceRef ref="tcp-HTTP"/>
|
|
</OSrv>
|
|
<TSrc neg="False">
|
|
<ObjectRef ref="id3AFB6703"/>
|
|
</TSrc>
|
|
<TDst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</TDst>
|
|
<TSrv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</TSrv>
|
|
<ItfInb neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ItfInb>
|
|
<ItfOutb neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ItfOutb>
|
|
<NATRuleOptions/>
|
|
</NATRule>
|
|
<NATRule id="id68651X9659" disabled="False" group="" position="35" action="Translate" comment="">
|
|
<OSrc neg="False">
|
|
<ObjectRef ref="net-Internal_net"/>
|
|
</OSrc>
|
|
<ODst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ODst>
|
|
<OSrv neg="False">
|
|
<ServiceRef ref="tcp-HTTP"/>
|
|
</OSrv>
|
|
<TSrc neg="False">
|
|
<ObjectRef ref="id68617X9659"/>
|
|
</TSrc>
|
|
<TDst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</TDst>
|
|
<TSrv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</TSrv>
|
|
<ItfInb neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ItfInb>
|
|
<ItfOutb neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ItfOutb>
|
|
<NATRuleOptions/>
|
|
</NATRule>
|
|
<NATRule id="id41115X11081" disabled="False" group="" position="36" action="Translate" comment="">
|
|
<OSrc neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</OSrc>
|
|
<ODst neg="False">
|
|
<ObjectRef ref="id3AFC0F70"/>
|
|
</ODst>
|
|
<OSrv neg="False">
|
|
<ServiceRef ref="tcp-NNTP"/>
|
|
</OSrv>
|
|
<TSrc neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</TSrc>
|
|
<TDst neg="False">
|
|
<ObjectRef ref="id80198X23273"/>
|
|
<ObjectRef ref="id41167X11081"/>
|
|
</TDst>
|
|
<TSrv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</TSrv>
|
|
<ItfInb neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ItfInb>
|
|
<ItfOutb neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ItfOutb>
|
|
<NATRuleOptions/>
|
|
</NATRule>
|
|
<NATRule id="id68890X11081" disabled="False" group="" position="37" action="Translate" comment="">
|
|
<OSrc neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</OSrc>
|
|
<ODst neg="False">
|
|
<ObjectRef ref="id3AFB6706"/>
|
|
</ODst>
|
|
<OSrv neg="False">
|
|
<ServiceRef ref="tcp-NNTP"/>
|
|
</OSrv>
|
|
<TSrc neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</TSrc>
|
|
<TDst neg="False">
|
|
<ObjectRef ref="id80198X23273"/>
|
|
<ObjectRef ref="id41167X11081"/>
|
|
</TDst>
|
|
<TSrv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</TSrv>
|
|
<ItfInb neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ItfInb>
|
|
<ItfOutb neg="False">
|
|
<ObjectRef ref="id3AFB6706"/>
|
|
</ItfOutb>
|
|
<NATRuleOptions>
|
|
<Option name="pf_bitmask">False</Option>
|
|
<Option name="pf_pool_type_none">False</Option>
|
|
<Option name="pf_random">False</Option>
|
|
<Option name="pf_round_robin">True</Option>
|
|
<Option name="pf_source_hash">False</Option>
|
|
<Option name="pf_static_port">False</Option>
|
|
</NATRuleOptions>
|
|
</NATRule>
|
|
<NATRule id="id42316X15554" disabled="False" group="" position="38" action="Translate" comment="">
|
|
<OSrc neg="False">
|
|
<ObjectRef ref="id42234X15554"/>
|
|
</OSrc>
|
|
<ODst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ODst>
|
|
<OSrv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</OSrv>
|
|
<TSrc neg="False">
|
|
<ObjectRef ref="id3B665641"/>
|
|
</TSrc>
|
|
<TDst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</TDst>
|
|
<TSrv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</TSrv>
|
|
<ItfInb neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ItfInb>
|
|
<ItfOutb neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ItfOutb>
|
|
<NATRuleOptions/>
|
|
</NATRule>
|
|
<NATRule id="id42239X15554" disabled="False" group="" position="39" action="Translate" comment="">
|
|
<OSrc neg="False">
|
|
<ObjectRef ref="id42234X15554"/>
|
|
</OSrc>
|
|
<ODst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ODst>
|
|
<OSrv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</OSrv>
|
|
<TSrc neg="False">
|
|
<ObjectRef ref="id42229X15554"/>
|
|
</TSrc>
|
|
<TDst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</TDst>
|
|
<TSrv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</TSrv>
|
|
<ItfInb neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ItfInb>
|
|
<ItfOutb neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ItfOutb>
|
|
<NATRuleOptions/>
|
|
</NATRule>
|
|
<RuleSetOptions/>
|
|
</NAT>
|
|
<Policy id="id3AFB66E4" name="Policy" comment="" ro="False" ipv4_rule_set="False" ipv6_rule_set="False" top_rule_set="True">
|
|
<PolicyRule id="id41451D62" disabled="False" group="" log="True" position="0" action="Deny" direction="Inbound" comment="">
|
|
<Src neg="True">
|
|
<ObjectRef ref="net-Internal_net"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="id3AFB6703"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="pf_classify_str"></Option>
|
|
<Option name="stateless">True</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<PolicyRule id="id3AFB6708" disabled="False" group="" log="True" position="1" action="Deny" direction="Inbound" comment="Anti-spoofing rule">
|
|
<Src neg="False">
|
|
<ObjectRef ref="net-Internal_net"/>
|
|
<ObjectRef ref="id3AFB66C6"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="id3AFB6706"/>
|
|
</Itf>
|
|
<PolicyRuleOptions>
|
|
<Option name="action_on_reject"></Option>
|
|
<Option name="limit_suffix"></Option>
|
|
<Option name="limit_value">0</Option>
|
|
<Option name="log_prefix">Iface: %I RULE %N -- %A **</Option>
|
|
<Option name="pf_classify_str"></Option>
|
|
<Option name="stateless">True</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<PolicyRule id="id465385F321432" disabled="False" group="" log="True" position="2" action="Deny" direction="Inbound" comment="rules 2, 3 and 4 test group usage in the interface column; all three rules should yield the same config">
|
|
<Src neg="False">
|
|
<ObjectRef ref="net-Internal_net"/>
|
|
<ObjectRef ref="id3AFB66C6"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="id4653861721432"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="action_on_reject"></Option>
|
|
<Option name="limit_suffix"></Option>
|
|
<Option name="limit_value">0</Option>
|
|
<Option name="log_prefix">Iface: %I RULE %N -- %A **</Option>
|
|
<Option name="pf_classify_str"></Option>
|
|
<Option name="stateless">True</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<PolicyRule id="id4653B74421432" disabled="False" group="" log="True" position="3" action="Deny" direction="Inbound" comment="Anti-spoofing rule">
|
|
<Src neg="False">
|
|
<ObjectRef ref="net-Internal_net"/>
|
|
<ObjectRef ref="id3AFB66C6"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="id4653B74121432"/>
|
|
<ObjectRef ref="id3AFB68D2"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="action_on_reject"></Option>
|
|
<Option name="limit_suffix"></Option>
|
|
<Option name="limit_value">0</Option>
|
|
<Option name="log_prefix">Iface: %I RULE %N -- %A **</Option>
|
|
<Option name="pf_classify_str"></Option>
|
|
<Option name="stateless">True</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<PolicyRule id="id4653860421432" disabled="False" group="" log="True" position="4" action="Deny" direction="Inbound" comment="Anti-spoofing rule">
|
|
<Src neg="False">
|
|
<ObjectRef ref="net-Internal_net"/>
|
|
<ObjectRef ref="id3AFB66C6"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="id3AFB6706"/>
|
|
<ObjectRef ref="id3AFB68D2"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="action_on_reject"></Option>
|
|
<Option name="limit_suffix"></Option>
|
|
<Option name="limit_value">0</Option>
|
|
<Option name="log_prefix">Iface: %I RULE %N -- %A **</Option>
|
|
<Option name="pf_classify_str"></Option>
|
|
<Option name="stateless">True</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<PolicyRule id="id3AFB6710" disabled="False" group="" log="True" position="5" action="Deny" direction="Outbound" comment="Anti-spoofing rule">
|
|
<Src neg="True">
|
|
<ObjectRef ref="net-Internal_net"/>
|
|
<ObjectRef ref="id3AFB66C6"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="id3AFB6706"/>
|
|
</Itf>
|
|
<PolicyRuleOptions>
|
|
<Option name="action_on_reject"></Option>
|
|
<Option name="limit_suffix"></Option>
|
|
<Option name="limit_value">0</Option>
|
|
<Option name="log_prefix">Iface: %I RULE %N -- %A **</Option>
|
|
<Option name="pf_classify_str"></Option>
|
|
<Option name="stateless">True</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<PolicyRule id="id3AFB66E5" disabled="False" group="" log="True" position="6" action="Deny" direction="Both" comment="block fragments">
|
|
<Src neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="ip-IP_Fragments"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="id"></Option>
|
|
<Option name="pf_classify_str"></Option>
|
|
<Option name="stateless">True</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<PolicyRule id="id3B0C6FD2" disabled="False" group="" log="True" position="7" action="Reject" direction="Both" comment="sends TCP RST and writes a custom record to the log">
|
|
<Src neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="tcp-Auth"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="action_on_reject">TCP RST</Option>
|
|
<Option name="limit_suffix"></Option>
|
|
<Option name="limit_value">0</Option>
|
|
<Option name="log_prefix">IDENT</Option>
|
|
<Option name="pf_classify_str"></Option>
|
|
<Option name="stateless">True</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<PolicyRule id="id3D8FEDA9" disabled="False" group="" log="False" position="8" action="Accept" direction="Both" comment="">
|
|
<Src neg="False">
|
|
<ObjectRef ref="id3B4572AF"/>
|
|
<ObjectRef ref="id3D8FED30"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="id3B19C5EB"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="pf_classify_str"></Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<PolicyRule id="id3D8FEE11" disabled="False" group="" log="False" position="9" action="Accept" direction="Both" comment="">
|
|
<Src neg="False">
|
|
<ObjectRef ref="id3B19C5EB"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="id3B4572AF"/>
|
|
<ObjectRef ref="id3D8FED30"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="pf_classify_str"></Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<PolicyRule id="id3AFB66EF" disabled="False" group="" log="False" position="10" action="Accept" direction="Both" comment="'masquerading' rule">
|
|
<Src neg="False">
|
|
<ObjectRef ref="net-Internal_net"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="id"></Option>
|
|
<Option name="pf_classify_str"></Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<PolicyRule id="id3C447B8D" disabled="True" group="" log="True" position="11" action="Accept" direction="Both" comment="host-fw2 has the same address as one of the firewall's interfaces">
|
|
<Src neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="id3AFC0F70"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="tcp-FTP"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="pf_classify_str"></Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<PolicyRule id="id3C447BCB" disabled="False" group="" log="False" position="12" action="Accept" direction="Both" comment="">
|
|
<Src neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="id3AFB66C6"/>
|
|
<ObjectRef ref="host-hostA"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="tcp-FTP"/>
|
|
<ServiceRef ref="tcp-HTTP"/>
|
|
<ServiceRef ref="tcp-SMTP"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="pf_classify_str"></Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<PolicyRule id="id3AFB66F9" disabled="False" group="" log="True" position="13" action="Deny" direction="Both" comment="'catch all' rule">
|
|
<Src neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="id"></Option>
|
|
<Option name="pf_classify_str"></Option>
|
|
<Option name="stateless">True</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<RuleSetOptions/>
|
|
</Policy>
|
|
<Routing id="id3AFB66C6-routing" name="Routing" comment="" ro="False" ipv4_rule_set="False" ipv6_rule_set="False" top_rule_set="True">
|
|
<RuleSetOptions/>
|
|
</Routing>
|
|
<Interface id="id3AFB6703" dedicated_failover="False" dyn="False" security_level="100" unnum="False" unprotected="False" name="eth0" comment="" ro="False">
|
|
<IPv4 id="id3AFB6703-ipv4" name="fw2:eth0:ip" comment="" ro="False" address="192.168.1.1" netmask="255.255.255.0"/>
|
|
<InterfaceOptions/>
|
|
<AttachedNetworks id="id42234X15554" name="firewall2:eth0:attached" comment="" ro="False"/>
|
|
</Interface>
|
|
<Interface id="id3AFB6706" dedicated_failover="False" dyn="False" security_level="0" unnum="False" unprotected="False" name="eth1" comment="" ro="False">
|
|
<IPv4 id="id3AFB6706-ipv4" name="fw2:eth1:ip" comment="" ro="False" address="22.22.22.22" netmask="255.255.255.0"/>
|
|
<InterfaceOptions/>
|
|
<AttachedNetworks id="id42229X15554" name="firewall2:eth1:attached" comment="" ro="False"/>
|
|
</Interface>
|
|
<Interface id="id3AFB68D2" dedicated_failover="False" dyn="False" security_level="0" unnum="False" unprotected="False" name="eth3" comment="" ro="False">
|
|
<IPv4 id="id3AFB68D2-ipv4" name="fw2:eth3:ip" comment="" ro="False" address="22.22.23.23" netmask="255.255.255.0"/>
|
|
<InterfaceOptions/>
|
|
</Interface>
|
|
<Interface id="id3B0221F1" dedicated_failover="False" dyn="False" label="" mgmt="True" security_level="100" unnum="False" unprotected="False" name="eth2" comment="" ro="False">
|
|
<IPv4 id="id3B0221F1-ipv4" name="fw2:eth2:ip" comment="" ro="False" address="192.168.2.1" netmask="255.255.255.0"/>
|
|
<InterfaceOptions/>
|
|
</Interface>
|
|
<Interface id="id3CD2449F" dedicated_failover="False" dyn="False" label="" security_level="100" unnum="False" unprotected="False" name="lo" comment="" ro="False">
|
|
<IPv4 id="id3CD2449F-ipv4" name="lo:ip" comment="" ro="False" address="127.0.0.1" netmask="255.0.0.0"/>
|
|
<InterfaceOptions/>
|
|
</Interface>
|
|
<Interface id="id68617X9659" dedicated_failover="False" dyn="True" label="" mgmt="False" security_level="0" unnum="False" unprotected="False" name="eth4" comment="" ro="False">
|
|
<InterfaceOptions>
|
|
<Option name="type">ethernet</Option>
|
|
</InterfaceOptions>
|
|
</Interface>
|
|
<Management address="192.168.2.1">
|
|
<SNMPManagement enabled="False" snmp_read_community="public" snmp_write_community=""/>
|
|
<FWBDManagement enabled="True" identity="" port="9999"/>
|
|
<PolicyInstallScript arguments="" command="" enabled="False"/>
|
|
</Management>
|
|
<FirewallOptions>
|
|
<Option name="accept_established">True</Option>
|
|
<Option name="accept_new_tcp_with_no_syn">True</Option>
|
|
<Option name="action_on_reject">ICMP net unreachable</Option>
|
|
<Option name="activationCmd"></Option>
|
|
<Option name="admUser"></Option>
|
|
<Option name="altAddress"></Option>
|
|
<Option name="check_shading">False</Option>
|
|
<Option name="clamp_mss_to_mtu">False</Option>
|
|
<Option name="cmdline"></Option>
|
|
<Option name="compiler"></Option>
|
|
<Option name="conf_file_name_on_firewall"></Option>
|
|
<Option name="configure_carp_interfaces">False</Option>
|
|
<Option name="configure_interfaces">False</Option>
|
|
<Option name="configure_pfsync_interfaces">False</Option>
|
|
<Option name="configure_vlan_interfaces">False</Option>
|
|
<Option name="debug">False</Option>
|
|
<Option name="dyn_addr">False</Option>
|
|
<Option name="epilog_script"></Option>
|
|
<Option name="fallback_log">False</Option>
|
|
<Option name="firewall_dir"></Option>
|
|
<Option name="firewall_is_part_of_any">True</Option>
|
|
<Option name="firewall_is_part_of_any_and_networks">True</Option>
|
|
<Option name="id"></Option>
|
|
<Option name="ignore_empty_groups">False</Option>
|
|
<Option name="in_out_code">True</Option>
|
|
<Option name="inst_cmdline"></Option>
|
|
<Option name="inst_script"></Option>
|
|
<Option name="install_script"></Option>
|
|
<Option name="ipv4_6_order">ipv4_first</Option>
|
|
<Option name="limit_suffix">/second</Option>
|
|
<Option name="limit_value">0</Option>
|
|
<Option name="linux24_accept_redirects">0</Option>
|
|
<Option name="linux24_accept_source_route">0</Option>
|
|
<Option name="linux24_icmp_echo_ignore_all">1</Option>
|
|
<Option name="linux24_icmp_ignore_bogus_error_responses">1</Option>
|
|
<Option name="linux24_ip_forward">1</Option>
|
|
<Option name="linux24_log_martians">1</Option>
|
|
<Option name="linux24_rp_filter">1</Option>
|
|
<Option name="linux24_tcp_fin_timeout">30</Option>
|
|
<Option name="linux24_tcp_keepalive_interval">1800</Option>
|
|
<Option name="load_modules">False</Option>
|
|
<Option name="log_all_dropped">True</Option>
|
|
<Option name="log_ip_opt">False</Option>
|
|
<Option name="log_level">debug</Option>
|
|
<Option name="log_limit_suffix">/second</Option>
|
|
<Option name="log_limit_value">0</Option>
|
|
<Option name="log_prefix">RULE %N - %A **</Option>
|
|
<Option name="log_tcp_opt">False</Option>
|
|
<Option name="log_tcp_seq">False</Option>
|
|
<Option name="manage_virtual_addr">True</Option>
|
|
<Option name="mgmt_addr">192.168.1.100</Option>
|
|
<Option name="mgmt_ssh">True</Option>
|
|
<Option name="modulate_state">False</Option>
|
|
<Option name="no_iochains_for_any">False</Option>
|
|
<Option name="no_optimisation">False</Option>
|
|
<Option name="openbsd_path_pfctl"></Option>
|
|
<Option name="openbsd_path_sysctl"></Option>
|
|
<Option name="output_file"></Option>
|
|
<Option name="pass_all_out">False</Option>
|
|
<Option name="pf_adaptive_end">0</Option>
|
|
<Option name="pf_adaptive_start">0</Option>
|
|
<Option name="pf_do_limit_frags">True</Option>
|
|
<Option name="pf_do_limit_src_nodes">False</Option>
|
|
<Option name="pf_do_limit_states">True</Option>
|
|
<Option name="pf_do_limit_table_entries">False</Option>
|
|
<Option name="pf_do_limit_tables">False</Option>
|
|
<Option name="pf_do_scrub">True</Option>
|
|
<Option name="pf_do_timeout_frag">False</Option>
|
|
<Option name="pf_do_timeout_interval">False</Option>
|
|
<Option name="pf_flush_states">False</Option>
|
|
<Option name="pf_icmp_error">0</Option>
|
|
<Option name="pf_icmp_first">0</Option>
|
|
<Option name="pf_limit_frags">5000</Option>
|
|
<Option name="pf_limit_src_nodes">0</Option>
|
|
<Option name="pf_limit_states">10000</Option>
|
|
<Option name="pf_limit_table_entries">0</Option>
|
|
<Option name="pf_limit_tables">0</Option>
|
|
<Option name="pf_modulate_state">False</Option>
|
|
<Option name="pf_optimization">aggressive</Option>
|
|
<Option name="pf_other_first">0</Option>
|
|
<Option name="pf_other_multiple">0</Option>
|
|
<Option name="pf_other_single">0</Option>
|
|
<Option name="pf_scrub_fragm_crop">False</Option>
|
|
<Option name="pf_scrub_fragm_drop_ovl">False</Option>
|
|
<Option name="pf_scrub_maxmss">1460</Option>
|
|
<Option name="pf_scrub_minttl">32</Option>
|
|
<Option name="pf_scrub_no_df">True</Option>
|
|
<Option name="pf_scrub_random_id">True</Option>
|
|
<Option name="pf_scrub_reassemble">True</Option>
|
|
<Option name="pf_scrub_use_maxmss">True</Option>
|
|
<Option name="pf_scrub_use_minttl">True</Option>
|
|
<Option name="pf_set_adaptive">False</Option>
|
|
<Option name="pf_set_icmp_error">False</Option>
|
|
<Option name="pf_set_icmp_first">False</Option>
|
|
<Option name="pf_set_other_first">False</Option>
|
|
<Option name="pf_set_other_multiple">False</Option>
|
|
<Option name="pf_set_other_single">False</Option>
|
|
<Option name="pf_set_tcp_closed">False</Option>
|
|
<Option name="pf_set_tcp_closing">False</Option>
|
|
<Option name="pf_set_tcp_established">True</Option>
|
|
<Option name="pf_set_tcp_finwait">False</Option>
|
|
<Option name="pf_set_tcp_first">True</Option>
|
|
<Option name="pf_set_tcp_opening">True</Option>
|
|
<Option name="pf_set_udp_first">False</Option>
|
|
<Option name="pf_set_udp_multiple">False</Option>
|
|
<Option name="pf_set_udp_single">False</Option>
|
|
<Option name="pf_state_policy"></Option>
|
|
<Option name="pf_tcp_closed">0</Option>
|
|
<Option name="pf_tcp_closing">0</Option>
|
|
<Option name="pf_tcp_established">10</Option>
|
|
<Option name="pf_tcp_finwait">0</Option>
|
|
<Option name="pf_tcp_first">5</Option>
|
|
<Option name="pf_tcp_opening">5</Option>
|
|
<Option name="pf_timeout_frag">30</Option>
|
|
<Option name="pf_timeout_interval">10</Option>
|
|
<Option name="pf_udp_first">0</Option>
|
|
<Option name="pf_udp_multiple">0</Option>
|
|
<Option name="pf_udp_single">0</Option>
|
|
<Option name="platform">iptables</Option>
|
|
<Option name="prolog_place">pf_file_after_set</Option>
|
|
<Option name="prolog_script"># prolog
|
|
# prolog commands go after set commands
|
|
</Option>
|
|
<Option name="proxy_arp">True</Option>
|
|
<Option name="scpArgs"></Option>
|
|
<Option name="script_env_path"></Option>
|
|
<Option name="script_name_on_firewall"></Option>
|
|
<Option name="snmp_contact"></Option>
|
|
<Option name="snmp_description"></Option>
|
|
<Option name="snmp_location"></Option>
|
|
<Option name="sshArgs"></Option>
|
|
<Option name="use_ip_tool">True</Option>
|
|
<Option name="use_numeric_log_levels">False</Option>
|
|
<Option name="use_tables">True</Option>
|
|
</FirewallOptions>
|
|
</Firewall>
|
|
<Firewall id="id3B0C6380" host_OS="openbsd" inactive="False" lastCompiled="1261961538" lastInstalled="0" lastModified="1263950493" platform="pf" version="" name="firewall4" comment="this object is used to test a configuration where the firewall has a dynamic address" ro="False">
|
|
<NAT id="id3B0C6381" name="NAT" comment="" ro="False" ipv4_rule_set="False" ipv6_rule_set="False" top_rule_set="True">
|
|
<NATRule id="id3B0C6382" disabled="False" group="" position="0" action="Translate" comment="">
|
|
<OSrc neg="False">
|
|
<ObjectRef ref="host-hostA"/>
|
|
</OSrc>
|
|
<ODst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ODst>
|
|
<OSrv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</OSrv>
|
|
<TSrc neg="False">
|
|
<ObjectRef ref="id3B0C6380"/>
|
|
</TSrc>
|
|
<TDst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</TDst>
|
|
<TSrv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</TSrv>
|
|
<ItfInb neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ItfInb>
|
|
<ItfOutb neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ItfOutb>
|
|
<NATRuleOptions>
|
|
<Option name="id"></Option>
|
|
</NATRuleOptions>
|
|
</NATRule>
|
|
<NATRule id="id3B0C6390" disabled="False" group="" position="1" action="Translate" comment="">
|
|
<OSrc neg="False">
|
|
<ObjectRef ref="net-Internal_net"/>
|
|
</OSrc>
|
|
<ODst neg="True">
|
|
<ObjectRef ref="id3B022266"/>
|
|
</ODst>
|
|
<OSrv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</OSrv>
|
|
<TSrc neg="False">
|
|
<ObjectRef ref="id3B0C6380"/>
|
|
</TSrc>
|
|
<TDst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</TDst>
|
|
<TSrv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</TSrv>
|
|
<ItfInb neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ItfInb>
|
|
<ItfOutb neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ItfOutb>
|
|
<NATRuleOptions>
|
|
<Option name="id"></Option>
|
|
</NATRuleOptions>
|
|
</NATRule>
|
|
<NATRule id="id3B202AFF" disabled="False" group="" position="2" action="Translate" comment="">
|
|
<OSrc neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</OSrc>
|
|
<ODst neg="False">
|
|
<ObjectRef ref="id3B0C6380"/>
|
|
</ODst>
|
|
<OSrv neg="False">
|
|
<ServiceRef ref="tcp-SSH"/>
|
|
</OSrv>
|
|
<TSrc neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</TSrc>
|
|
<TDst neg="False">
|
|
<ObjectRef ref="host-hostA"/>
|
|
</TDst>
|
|
<TSrv neg="False">
|
|
<ServiceRef ref="tcp-SSH"/>
|
|
</TSrv>
|
|
<ItfInb neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ItfInb>
|
|
<ItfOutb neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ItfOutb>
|
|
<NATRuleOptions/>
|
|
</NATRule>
|
|
<NATRule id="id3E797EFF" disabled="False" group="" position="3" action="Translate" comment="SDNAT rule ">
|
|
<OSrc neg="False">
|
|
<ObjectRef ref="net-Internal_net"/>
|
|
</OSrc>
|
|
<ODst neg="False">
|
|
<ObjectRef ref="id3CD88A77"/>
|
|
</ODst>
|
|
<OSrv neg="False">
|
|
<ServiceRef ref="tcp-HTTP"/>
|
|
</OSrv>
|
|
<TSrc neg="False">
|
|
<ObjectRef ref="id3B0C63DF"/>
|
|
</TSrc>
|
|
<TDst neg="False">
|
|
<ObjectRef ref="host-hostA"/>
|
|
</TDst>
|
|
<TSrv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</TSrv>
|
|
<ItfInb neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ItfInb>
|
|
<ItfOutb neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ItfOutb>
|
|
<NATRuleOptions/>
|
|
</NATRule>
|
|
<NATRule id="id14151X17863" disabled="False" group="" position="4" action="Translate" comment="">
|
|
<OSrc neg="False">
|
|
<ObjectRef ref="net-Internal_net"/>
|
|
</OSrc>
|
|
<ODst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ODst>
|
|
<OSrv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</OSrv>
|
|
<TSrc neg="False">
|
|
<ObjectRef ref="id3CD88A77"/>
|
|
</TSrc>
|
|
<TDst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</TDst>
|
|
<TSrv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</TSrv>
|
|
<ItfInb neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ItfInb>
|
|
<ItfOutb neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ItfOutb>
|
|
<NATRuleOptions/>
|
|
</NATRule>
|
|
<NATRule id="id30999X2816" disabled="False" group="" position="5" action="Translate" comment="eth1 is dynamic">
|
|
<OSrc neg="False">
|
|
<ObjectRef ref="net-Internal_net"/>
|
|
</OSrc>
|
|
<ODst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ODst>
|
|
<OSrv neg="False">
|
|
<ServiceRef ref="tcp-SSH"/>
|
|
</OSrv>
|
|
<TSrc neg="False">
|
|
<ObjectRef ref="id3B0C63E1"/>
|
|
</TSrc>
|
|
<TDst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</TDst>
|
|
<TSrv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</TSrv>
|
|
<ItfInb neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ItfInb>
|
|
<ItfOutb neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ItfOutb>
|
|
<NATRuleOptions/>
|
|
</NATRule>
|
|
<RuleSetOptions/>
|
|
</NAT>
|
|
<Policy id="id3B0C639E" name="Policy" comment="" ro="False" ipv4_rule_set="False" ipv6_rule_set="False" top_rule_set="True">
|
|
<PolicyRule id="id16047X49036" disabled="False" group="" log="False" position="0" action="Branch" direction="Both" comment="">
|
|
<Src neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="action_on_reject"></Option>
|
|
<Option name="branch_id">id16046X49036</Option>
|
|
<Option name="classify_str"></Option>
|
|
<Option name="custom_str"></Option>
|
|
<Option name="ipf_route_opt_addr"></Option>
|
|
<Option name="ipf_route_opt_if"></Option>
|
|
<Option name="ipf_route_option">route_through</Option>
|
|
<Option name="ipfw_classify_method">2</Option>
|
|
<Option name="ipfw_pipe_port_num">0</Option>
|
|
<Option name="ipfw_pipe_queue_num">0</Option>
|
|
<Option name="ipt_continue">False</Option>
|
|
<Option name="ipt_gw"></Option>
|
|
<Option name="ipt_iif"></Option>
|
|
<Option name="ipt_mark_connections">False</Option>
|
|
<Option name="ipt_oif"></Option>
|
|
<Option name="ipt_tee">False</Option>
|
|
<Option name="pf_classify_str"></Option>
|
|
<Option name="pf_fastroute">False</Option>
|
|
<Option name="pf_route_load_option">none</Option>
|
|
<Option name="pf_route_opt_addr"></Option>
|
|
<Option name="pf_route_opt_if"></Option>
|
|
<Option name="pf_route_option">route_through</Option>
|
|
<Option name="rule_name_accounting"></Option>
|
|
<Option name="stateless">True</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<PolicyRule id="id16878X2816" disabled="False" group="" log="True" position="1" action="Accept" direction="Both" comment="">
|
|
<Src neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="id3B0C63E1"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="tcp-SSH"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="pf_classify_str"></Option>
|
|
<Option name="stateless">False</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<PolicyRule id="id3B54F071" disabled="False" group="" log="True" position="2" action="Deny" direction="Both" comment="">
|
|
<Src neg="True">
|
|
<ObjectRef ref="id3B022266"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="icmp-ping_request"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="id3B0C63E1"/>
|
|
</Itf>
|
|
<PolicyRuleOptions>
|
|
<Option name="pf_classify_str"></Option>
|
|
<Option name="stateless">True</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<PolicyRule id="id3B0C63E3" disabled="False" group="" log="True" position="3" action="Deny" direction="Inbound" comment="Anti-spoofing rule">
|
|
<Src neg="False">
|
|
<ObjectRef ref="net-Internal_net"/>
|
|
<ObjectRef ref="id3B0C6380"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="id3B0C63E1"/>
|
|
</Itf>
|
|
<PolicyRuleOptions>
|
|
<Option name="pf_classify_str"></Option>
|
|
<Option name="stateless">True</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<PolicyRule id="id3B0C63EB" disabled="False" group="" log="True" position="4" action="Deny" direction="Outbound" comment="Anti-spoofing rule">
|
|
<Src neg="True">
|
|
<ObjectRef ref="net-Internal_net"/>
|
|
<ObjectRef ref="id3B0C6380"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="id3B0C63E1"/>
|
|
</Itf>
|
|
<PolicyRuleOptions>
|
|
<Option name="pf_classify_str"></Option>
|
|
<Option name="stateless">True</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<PolicyRule id="id3B0C639F" disabled="False" group="" log="True" position="5" action="Accept" direction="Both" comment="hostF has the same IP address as the firewall.">
|
|
<Src neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="id3AFC191C"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="icmp-ping_request"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="id"></Option>
|
|
<Option name="pf_classify_str"></Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<PolicyRule id="id3B0C63B4" disabled="False" group="" log="True" position="6" action="Deny" direction="Both" comment="">
|
|
<Src neg="True">
|
|
<ObjectRef ref="host-hostA"/>
|
|
<ObjectRef ref="host-hostB"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="id3B0C6380"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="icmp-Unreachables"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="id"></Option>
|
|
<Option name="pf_classify_str"></Option>
|
|
<Option name="stateless">True</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<PolicyRule id="id3B0C63A9" disabled="False" group="" log="True" position="7" action="Deny" direction="Both" comment="testing negation in the policy rule">
|
|
<Src neg="True">
|
|
<ObjectRef ref="host-hostA"/>
|
|
<ObjectRef ref="host-hostB"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="icmp-Unreachables"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="id"></Option>
|
|
<Option name="pf_classify_str"></Option>
|
|
<Option name="stateless">True</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<PolicyRule id="id3B0C63BF" disabled="True" group="" log="True" position="8" action="Deny" direction="Both" comment="testing negation in service field">
|
|
<Src neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="host-hostA"/>
|
|
<ObjectRef ref="host-hostB"/>
|
|
</Dst>
|
|
<Srv neg="True">
|
|
<ServiceRef ref="tcp-SMTP"/>
|
|
<ServiceRef ref="tcp-SSH"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="id"></Option>
|
|
<Option name="pf_classify_str"></Option>
|
|
<Option name="stateless">True</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<PolicyRule id="id3B0C63CB" disabled="False" group="" log="False" position="9" action="Accept" direction="Both" comment="'masquerading' rule">
|
|
<Src neg="False">
|
|
<ObjectRef ref="net-Internal_net"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="id"></Option>
|
|
<Option name="pf_classify_str"></Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<PolicyRule id="id3B0C63D5" disabled="False" group="" log="True" position="10" action="Deny" direction="Both" comment="'catch all' rule">
|
|
<Src neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="id"></Option>
|
|
<Option name="pf_classify_str"></Option>
|
|
<Option name="stateless">True</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<RuleSetOptions/>
|
|
</Policy>
|
|
<Policy id="id16046X49036" name="ftp-proxy/*" comment="" ro="False" ipv4_rule_set="True" ipv6_rule_set="False" top_rule_set="False">
|
|
<RuleSetOptions/>
|
|
</Policy>
|
|
<Routing id="id3B0C6380-routing" name="Routing" comment="" ro="False" ipv4_rule_set="False" ipv6_rule_set="False" top_rule_set="True">
|
|
<RuleSetOptions/>
|
|
</Routing>
|
|
<Interface id="id3B0C63DF" dedicated_failover="False" dyn="False" security_level="100" unnum="False" unprotected="False" name="eth0" comment="" ro="False">
|
|
<IPv4 id="id3B0C63DF-ipv4" name="address" comment="" ro="False" address="192.168.1.1" netmask="255.255.255.0"/>
|
|
<InterfaceOptions/>
|
|
</Interface>
|
|
<Interface id="id3B0C63E1" dedicated_failover="False" dyn="True" label="" security_level="0" unnum="False" unprotected="False" name="eth1" comment="" ro="False">
|
|
<IPv4 id="id3B0C63E1-ipv4" name="address" comment="" ro="False" address="0.0.0.0" netmask="0.0.0.0"/>
|
|
<InterfaceOptions/>
|
|
</Interface>
|
|
<Interface id="id3B0C63F3" dedicated_failover="False" dyn="False" security_level="100" unnum="False" unprotected="False" name="eth2" comment="" ro="False">
|
|
<IPv4 id="id3B0C63F3-ipv4" name="address" comment="" ro="False" address="192.168.2.1" netmask="255.255.255.0"/>
|
|
<InterfaceOptions/>
|
|
</Interface>
|
|
<Interface id="id3B0C63F5" dedicated_failover="False" dyn="False" security_level="100" unnum="False" unprotected="False" name="lo" comment="" ro="False">
|
|
<IPv4 id="id3B0C63F5-ipv4" name="address" comment="" ro="False" address="127.0.0.1" netmask="255.0.0.0"/>
|
|
<InterfaceOptions/>
|
|
</Interface>
|
|
<Interface id="id3CD88A77" dedicated_failover="False" dyn="False" label="" security_level="0" unnum="False" unprotected="False" name="eth3" comment="" ro="False">
|
|
<IPv4 id="id3CD88A77-ipv4" name="address" comment="" ro="False" address="222.222.222.222" netmask="255.255.255.0"/>
|
|
<InterfaceOptions/>
|
|
</Interface>
|
|
<Management address="222.222.222.222">
|
|
<SNMPManagement enabled="False" snmp_read_community="public" snmp_write_community=""/>
|
|
<FWBDManagement enabled="True" identity="" port="9999"/>
|
|
<PolicyInstallScript arguments="" command="" enabled="False"/>
|
|
</Management>
|
|
<FirewallOptions>
|
|
<Option name="accept_established">False</Option>
|
|
<Option name="accept_new_tcp_with_no_syn">True</Option>
|
|
<Option name="action_on_reject">ICMP net unreachable</Option>
|
|
<Option name="activationCmd"></Option>
|
|
<Option name="admUser"></Option>
|
|
<Option name="altAddress"></Option>
|
|
<Option name="check_shading">True</Option>
|
|
<Option name="clamp_mss_to_mtu">False</Option>
|
|
<Option name="cmdline">-xt</Option>
|
|
<Option name="compiler"></Option>
|
|
<Option name="conf_file_name_on_firewall">/etc/fw/pf.conf</Option>
|
|
<Option name="configure_carp_interfaces">False</Option>
|
|
<Option name="configure_interfaces">False</Option>
|
|
<Option name="configure_pfsync_interfaces">False</Option>
|
|
<Option name="configure_vlan_interfaces">False</Option>
|
|
<Option name="debug">False</Option>
|
|
<Option name="dyn_addr">False</Option>
|
|
<Option name="epilog_script"></Option>
|
|
<Option name="fallback_log">False</Option>
|
|
<Option name="firewall_dir"></Option>
|
|
<Option name="firewall_is_part_of_any">True</Option>
|
|
<Option name="firewall_is_part_of_any_and_networks">True</Option>
|
|
<Option name="id"></Option>
|
|
<Option name="ignore_empty_groups">False</Option>
|
|
<Option name="in_out_code">True</Option>
|
|
<Option name="inst_cmdline"></Option>
|
|
<Option name="inst_script"></Option>
|
|
<Option name="install_script"></Option>
|
|
<Option name="ipt_mangle_only_rulesets"></Option>
|
|
<Option name="ipv4_6_order">ipv4_first</Option>
|
|
<Option name="limit_suffix">/day</Option>
|
|
<Option name="limit_value">0</Option>
|
|
<Option name="linux24_ip_forward">0</Option>
|
|
<Option name="linux24_tcp_fin_timeout">30</Option>
|
|
<Option name="linux24_tcp_keepalive_interval">1800</Option>
|
|
<Option name="load_modules">False</Option>
|
|
<Option name="log_all_dropped">False</Option>
|
|
<Option name="log_ip_opt">False</Option>
|
|
<Option name="log_level">debug</Option>
|
|
<Option name="log_limit_suffix">/second</Option>
|
|
<Option name="log_limit_value">0</Option>
|
|
<Option name="log_prefix"></Option>
|
|
<Option name="log_tcp_opt">False</Option>
|
|
<Option name="log_tcp_seq">False</Option>
|
|
<Option name="manage_virtual_addr">True</Option>
|
|
<Option name="mgmt_addr"></Option>
|
|
<Option name="mgmt_ssh">False</Option>
|
|
<Option name="modulate_state">False</Option>
|
|
<Option name="no_iochains_for_any">False</Option>
|
|
<Option name="no_optimisation">False</Option>
|
|
<Option name="openbsd_path_pfctl"></Option>
|
|
<Option name="openbsd_path_sysctl"></Option>
|
|
<Option name="output_file"></Option>
|
|
<Option name="pass_all_out">False</Option>
|
|
<Option name="pf_adaptive_end">0</Option>
|
|
<Option name="pf_adaptive_start">0</Option>
|
|
<Option name="pf_do_limit_frags">False</Option>
|
|
<Option name="pf_do_limit_src_nodes">False</Option>
|
|
<Option name="pf_do_limit_states">False</Option>
|
|
<Option name="pf_do_limit_table_entries">False</Option>
|
|
<Option name="pf_do_limit_tables">False</Option>
|
|
<Option name="pf_do_scrub">False</Option>
|
|
<Option name="pf_do_timeout_frag">False</Option>
|
|
<Option name="pf_do_timeout_interval">False</Option>
|
|
<Option name="pf_flush_states">False</Option>
|
|
<Option name="pf_icmp_error">0</Option>
|
|
<Option name="pf_icmp_first">0</Option>
|
|
<Option name="pf_limit_frags">5000</Option>
|
|
<Option name="pf_limit_src_nodes">0</Option>
|
|
<Option name="pf_limit_states">10000</Option>
|
|
<Option name="pf_limit_table_entries">0</Option>
|
|
<Option name="pf_limit_tables">0</Option>
|
|
<Option name="pf_modulate_state">False</Option>
|
|
<Option name="pf_optimization">high-latency</Option>
|
|
<Option name="pf_other_first">0</Option>
|
|
<Option name="pf_other_multiple">0</Option>
|
|
<Option name="pf_other_single">0</Option>
|
|
<Option name="pf_scrub_fragm_crop">False</Option>
|
|
<Option name="pf_scrub_fragm_drop_ovl">False</Option>
|
|
<Option name="pf_scrub_maxmss">1460</Option>
|
|
<Option name="pf_scrub_minttl">1</Option>
|
|
<Option name="pf_scrub_no_df">False</Option>
|
|
<Option name="pf_scrub_random_id">False</Option>
|
|
<Option name="pf_scrub_reassemble">True</Option>
|
|
<Option name="pf_scrub_use_maxmss">False</Option>
|
|
<Option name="pf_scrub_use_minttl">False</Option>
|
|
<Option name="pf_set_adaptive">False</Option>
|
|
<Option name="pf_set_icmp_error">False</Option>
|
|
<Option name="pf_set_icmp_first">False</Option>
|
|
<Option name="pf_set_other_first">False</Option>
|
|
<Option name="pf_set_other_multiple">False</Option>
|
|
<Option name="pf_set_other_single">False</Option>
|
|
<Option name="pf_set_tcp_closed">False</Option>
|
|
<Option name="pf_set_tcp_closing">False</Option>
|
|
<Option name="pf_set_tcp_established">False</Option>
|
|
<Option name="pf_set_tcp_finwait">False</Option>
|
|
<Option name="pf_set_tcp_first">False</Option>
|
|
<Option name="pf_set_tcp_opening">False</Option>
|
|
<Option name="pf_set_udp_first">False</Option>
|
|
<Option name="pf_set_udp_multiple">False</Option>
|
|
<Option name="pf_set_udp_single">False</Option>
|
|
<Option name="pf_state_policy"></Option>
|
|
<Option name="pf_tcp_closed">0</Option>
|
|
<Option name="pf_tcp_closing">0</Option>
|
|
<Option name="pf_tcp_established">0</Option>
|
|
<Option name="pf_tcp_finwait">0</Option>
|
|
<Option name="pf_tcp_first">0</Option>
|
|
<Option name="pf_tcp_opening">0</Option>
|
|
<Option name="pf_timeout_frag">30</Option>
|
|
<Option name="pf_timeout_interval">10</Option>
|
|
<Option name="pf_udp_first">0</Option>
|
|
<Option name="pf_udp_multiple">0</Option>
|
|
<Option name="pf_udp_single">0</Option>
|
|
<Option name="platform">iptables</Option>
|
|
<Option name="prolog_place">pf_file_after_tables</Option>
|
|
<Option name="prolog_script"># prolog commands go after table definitions
|
|
</Option>
|
|
<Option name="proxy_arp">False</Option>
|
|
<Option name="scpArgs"></Option>
|
|
<Option name="script_env_path"></Option>
|
|
<Option name="script_name_on_firewall">pf.fw</Option>
|
|
<Option name="snmp_contact"></Option>
|
|
<Option name="snmp_description"></Option>
|
|
<Option name="snmp_location"></Option>
|
|
<Option name="sshArgs"></Option>
|
|
<Option name="use_numeric_log_levels">False</Option>
|
|
<Option name="use_tables">False</Option>
|
|
</FirewallOptions>
|
|
</Firewall>
|
|
<Firewall id="id3E1FC43C" host_OS="openbsd" inactive="False" lastCompiled="1261961539" lastInstalled="0" lastModified="1261961523" platform="pf" version="" name="firewall5" comment="testing IP fragments and scrub" ro="False">
|
|
<NAT id="id3E1FC43D" name="NAT" comment="" ro="False" ipv4_rule_set="False" ipv6_rule_set="False" top_rule_set="True">
|
|
<NATRule id="id3E1FC8FC" disabled="True" group="" position="0" action="Translate" comment="">
|
|
<OSrc neg="False">
|
|
<ObjectRef ref="net-Internal_net"/>
|
|
</OSrc>
|
|
<ODst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ODst>
|
|
<OSrv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</OSrv>
|
|
<TSrc neg="False">
|
|
<ObjectRef ref="id3E1FC43C"/>
|
|
</TSrc>
|
|
<TDst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</TDst>
|
|
<TSrv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</TSrv>
|
|
<ItfInb neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ItfInb>
|
|
<ItfOutb neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ItfOutb>
|
|
<NATRuleOptions/>
|
|
</NATRule>
|
|
<RuleSetOptions/>
|
|
</NAT>
|
|
<Policy id="id3E1FC469" name="Policy" comment="" ro="False" ipv4_rule_set="False" ipv6_rule_set="False" top_rule_set="True">
|
|
<PolicyRule id="id3E1FC62E" disabled="False" group="" log="True" position="0" action="Deny" direction="Both" comment="">
|
|
<Src neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="ip-IP_Fragments"/>
|
|
<ServiceRef ref="ip-IPSEC"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="action_on_reject"></Option>
|
|
<Option name="limit_value">0</Option>
|
|
<Option name="log_limit_suffix"></Option>
|
|
<Option name="log_prefix"></Option>
|
|
<Option name="pf_classify_str"></Option>
|
|
<Option name="stateless">True</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<PolicyRule id="id3E1FC7B6" disabled="False" group="" log="True" position="1" action="Deny" direction="Both" comment="">
|
|
<Src neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="ip-IP_Fragments"/>
|
|
<ServiceRef ref="id3B58E3F1"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="action_on_reject"></Option>
|
|
<Option name="limit_value">0</Option>
|
|
<Option name="log_limit_suffix"></Option>
|
|
<Option name="log_prefix"></Option>
|
|
<Option name="pf_classify_str"></Option>
|
|
<Option name="stateless">True</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<PolicyRule id="id3E1FC47F" disabled="False" group="" log="True" position="2" action="Deny" direction="Both" comment="">
|
|
<Src neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="pf_classify_str"></Option>
|
|
<Option name="stateless">True</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<RuleSetOptions/>
|
|
</Policy>
|
|
<Routing id="id3E1FC43C-routing" name="Routing" comment="" ro="False" ipv4_rule_set="False" ipv6_rule_set="False" top_rule_set="True">
|
|
<RuleSetOptions/>
|
|
</Routing>
|
|
<Interface id="id3E1FC489" dedicated_failover="False" dyn="False" security_level="0" unnum="False" unprotected="False" name="eth1" comment="" ro="False">
|
|
<IPv4 id="id3E1FC48A" name="address" comment="" ro="False" address="22.22.22.22" netmask="255.255.255.0"/>
|
|
<InterfaceOptions/>
|
|
</Interface>
|
|
<Interface id="id3E1FC48C" dedicated_failover="False" dyn="False" security_level="100" unnum="False" unprotected="False" name="eth0" comment="" ro="False">
|
|
<IPv4 id="id3E1FC48D" name="address" comment="" ro="False" address="192.168.1.1" netmask="255.255.255.0"/>
|
|
<InterfaceOptions/>
|
|
</Interface>
|
|
<Interface id="id3E5F1D4C" dedicated_failover="False" dyn="False" label="" mgmt="False" security_level="0" unnum="False" unprotected="False" name="lo" comment="" ro="False">
|
|
<IPv4 id="id3E5F1D4E" name="firewall5:lo(ip)" comment="" ro="False" address="127.0.0.1" netmask="255.0.0.0"/>
|
|
<InterfaceOptions/>
|
|
</Interface>
|
|
<Management address="127.0.0.1">
|
|
<SNMPManagement enabled="False" snmp_read_community="public" snmp_write_community=""/>
|
|
<FWBDManagement enabled="True" identity="" port="9999"/>
|
|
<PolicyInstallScript arguments="" command="" enabled="False"/>
|
|
</Management>
|
|
<FirewallOptions>
|
|
<Option name="accept_established">False</Option>
|
|
<Option name="accept_new_tcp_with_no_syn">False</Option>
|
|
<Option name="action_on_reject">ICMP net unreachable</Option>
|
|
<Option name="activationCmd"></Option>
|
|
<Option name="admUser"></Option>
|
|
<Option name="altAddress"></Option>
|
|
<Option name="check_shading">False</Option>
|
|
<Option name="clamp_mss_to_mtu">False</Option>
|
|
<Option name="cmdline"></Option>
|
|
<Option name="compiler"></Option>
|
|
<Option name="conf_file_name_on_firewall"></Option>
|
|
<Option name="configure_carp_interfaces">False</Option>
|
|
<Option name="configure_interfaces">False</Option>
|
|
<Option name="configure_pfsync_interfaces">False</Option>
|
|
<Option name="configure_vlan_interfaces">False</Option>
|
|
<Option name="debug">False</Option>
|
|
<Option name="dyn_addr">False</Option>
|
|
<Option name="epilog_script"></Option>
|
|
<Option name="fallback_log">False</Option>
|
|
<Option name="firewall_dir"></Option>
|
|
<Option name="firewall_is_part_of_any">True</Option>
|
|
<Option name="firewall_is_part_of_any_and_networks">True</Option>
|
|
<Option name="ignore_empty_groups">True</Option>
|
|
<Option name="in_out_code">True</Option>
|
|
<Option name="inst_cmdline"></Option>
|
|
<Option name="inst_script"></Option>
|
|
<Option name="install_script"></Option>
|
|
<Option name="ipv4_6_order">ipv4_first</Option>
|
|
<Option name="limit_suffix">/second</Option>
|
|
<Option name="limit_value">0</Option>
|
|
<Option name="linux24_ip_forward">0</Option>
|
|
<Option name="linux24_tcp_fin_timeout">30</Option>
|
|
<Option name="linux24_tcp_keepalive_interval">1800</Option>
|
|
<Option name="load_modules">False</Option>
|
|
<Option name="log_all_dropped">True</Option>
|
|
<Option name="log_ip_opt">False</Option>
|
|
<Option name="log_level">debug</Option>
|
|
<Option name="log_limit_suffix">/second</Option>
|
|
<Option name="log_limit_value">0</Option>
|
|
<Option name="log_prefix"></Option>
|
|
<Option name="log_tcp_opt">False</Option>
|
|
<Option name="log_tcp_seq">False</Option>
|
|
<Option name="manage_virtual_addr">True</Option>
|
|
<Option name="mgmt_addr"></Option>
|
|
<Option name="mgmt_ssh">False</Option>
|
|
<Option name="modulate_state">True</Option>
|
|
<Option name="no_iochains_for_any">False</Option>
|
|
<Option name="no_optimisation">False</Option>
|
|
<Option name="openbsd_ip_directed_broadcast">0</Option>
|
|
<Option name="openbsd_ip_forward">1</Option>
|
|
<Option name="openbsd_ip_redirect">0</Option>
|
|
<Option name="openbsd_ip_sourceroute">0</Option>
|
|
<Option name="openbsd_path_pfctl"></Option>
|
|
<Option name="openbsd_path_sysctl"></Option>
|
|
<Option name="output_file"></Option>
|
|
<Option name="pass_all_out">False</Option>
|
|
<Option name="pf_adaptive_end">0</Option>
|
|
<Option name="pf_adaptive_start">0</Option>
|
|
<Option name="pf_do_limit_frags">False</Option>
|
|
<Option name="pf_do_limit_src_nodes">False</Option>
|
|
<Option name="pf_do_limit_states">False</Option>
|
|
<Option name="pf_do_limit_table_entries">False</Option>
|
|
<Option name="pf_do_limit_tables">False</Option>
|
|
<Option name="pf_do_scrub">False</Option>
|
|
<Option name="pf_do_timeout_frag">False</Option>
|
|
<Option name="pf_do_timeout_interval">False</Option>
|
|
<Option name="pf_flush_states">False</Option>
|
|
<Option name="pf_icmp_error">0</Option>
|
|
<Option name="pf_icmp_first">0</Option>
|
|
<Option name="pf_limit_frags">5000</Option>
|
|
<Option name="pf_limit_src_nodes">0</Option>
|
|
<Option name="pf_limit_states">10000</Option>
|
|
<Option name="pf_limit_table_entries">0</Option>
|
|
<Option name="pf_limit_tables">0</Option>
|
|
<Option name="pf_modulate_state">False</Option>
|
|
<Option name="pf_optimization">normal</Option>
|
|
<Option name="pf_other_first">0</Option>
|
|
<Option name="pf_other_multiple">0</Option>
|
|
<Option name="pf_other_single">0</Option>
|
|
<Option name="pf_scrub_fragm_crop">False</Option>
|
|
<Option name="pf_scrub_fragm_drop_ovl">False</Option>
|
|
<Option name="pf_scrub_maxmss">1460</Option>
|
|
<Option name="pf_scrub_minttl">1</Option>
|
|
<Option name="pf_scrub_no_df">False</Option>
|
|
<Option name="pf_scrub_random_id">False</Option>
|
|
<Option name="pf_scrub_reassemble">True</Option>
|
|
<Option name="pf_scrub_use_maxmss">False</Option>
|
|
<Option name="pf_scrub_use_minttl">False</Option>
|
|
<Option name="pf_set_adaptive">False</Option>
|
|
<Option name="pf_set_icmp_error">False</Option>
|
|
<Option name="pf_set_icmp_first">False</Option>
|
|
<Option name="pf_set_other_first">False</Option>
|
|
<Option name="pf_set_other_multiple">False</Option>
|
|
<Option name="pf_set_other_single">False</Option>
|
|
<Option name="pf_set_tcp_closed">False</Option>
|
|
<Option name="pf_set_tcp_closing">False</Option>
|
|
<Option name="pf_set_tcp_established">False</Option>
|
|
<Option name="pf_set_tcp_finwait">False</Option>
|
|
<Option name="pf_set_tcp_first">False</Option>
|
|
<Option name="pf_set_tcp_opening">False</Option>
|
|
<Option name="pf_set_udp_first">False</Option>
|
|
<Option name="pf_set_udp_multiple">False</Option>
|
|
<Option name="pf_set_udp_single">False</Option>
|
|
<Option name="pf_state_policy"></Option>
|
|
<Option name="pf_tcp_closed">0</Option>
|
|
<Option name="pf_tcp_closing">0</Option>
|
|
<Option name="pf_tcp_established">0</Option>
|
|
<Option name="pf_tcp_finwait">0</Option>
|
|
<Option name="pf_tcp_first">0</Option>
|
|
<Option name="pf_tcp_opening">0</Option>
|
|
<Option name="pf_timeout_frag">30</Option>
|
|
<Option name="pf_timeout_interval">10</Option>
|
|
<Option name="pf_udp_first">0</Option>
|
|
<Option name="pf_udp_multiple">0</Option>
|
|
<Option name="pf_udp_single">0</Option>
|
|
<Option name="platform">iptables</Option>
|
|
<Option name="prolog_place">fw_file</Option>
|
|
<Option name="prolog_script"></Option>
|
|
<Option name="scpArgs"></Option>
|
|
<Option name="script_env_path"></Option>
|
|
<Option name="script_name_on_firewall"></Option>
|
|
<Option name="snmp_contact"></Option>
|
|
<Option name="snmp_description"></Option>
|
|
<Option name="snmp_location"></Option>
|
|
<Option name="sshArgs"></Option>
|
|
<Option name="use_numeric_log_levels">False</Option>
|
|
<Option name="use_tables">True</Option>
|
|
</FirewallOptions>
|
|
</Firewall>
|
|
<Firewall id="id3C698F1D" host_OS="openbsd" inactive="False" lastCompiled="1157930821" lastInstalled="0" lastModified="1200415203" platform="pf" version="" name="firewall6" comment="testing rule with firewall in dst and negation" ro="False">
|
|
<NAT id="id3C698F1E" name="NAT" comment="" ro="False" ipv4_rule_set="False" ipv6_rule_set="False" top_rule_set="True">
|
|
<RuleSetOptions/>
|
|
</NAT>
|
|
<Policy id="id3C698F9D" name="Policy" comment="" ro="False" ipv4_rule_set="False" ipv6_rule_set="False" top_rule_set="True">
|
|
<PolicyRule id="id3C699028" disabled="False" group="" log="True" position="0" action="Deny" direction="Inbound" comment="">
|
|
<Src neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Src>
|
|
<Dst neg="True">
|
|
<ObjectRef ref="id3C698F1D"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="id3C69901D"/>
|
|
</Itf>
|
|
<PolicyRuleOptions>
|
|
<Option name="pf_classify_str"></Option>
|
|
<Option name="stateless">True</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<PolicyRule id="id3C698FB2" disabled="False" group="" log="False" position="1" action="Deny" direction="Both" comment="">
|
|
<Src neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Src>
|
|
<Dst neg="True">
|
|
<ObjectRef ref="id3C698F1D"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="pf_classify_str"></Option>
|
|
<Option name="stateless">True</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<RuleSetOptions/>
|
|
</Policy>
|
|
<Routing id="id3C698F1D-routing" name="Routing" comment="" ro="False" ipv4_rule_set="False" ipv6_rule_set="False" top_rule_set="True">
|
|
<RuleSetOptions/>
|
|
</Routing>
|
|
<Interface id="id3C699013" dedicated_failover="False" dyn="False" security_level="100" unnum="False" unprotected="False" name="eth0" comment="" ro="False">
|
|
<IPv4 id="id3C699013-ipv4" name="address" comment="" ro="False" address="192.168.1.1" netmask="255.255.255.0"/>
|
|
<InterfaceOptions/>
|
|
</Interface>
|
|
<Interface id="id3C69901D" dedicated_failover="False" dyn="False" security_level="0" unnum="False" unprotected="False" name="eth1" comment="" ro="False">
|
|
<IPv4 id="id3C69901D-ipv4" name="address" comment="" ro="False" address="22.22.22.22" netmask="255.255.255.0"/>
|
|
<InterfaceOptions/>
|
|
</Interface>
|
|
<Interface id="id3C699030" dedicated_failover="False" dyn="False" security_level="100" unnum="False" unprotected="False" name="eth2" comment="" ro="False">
|
|
<IPv4 id="id3C699030-ipv4" name="address" comment="" ro="False" address="192.168.2.1" netmask="255.255.255.0"/>
|
|
<InterfaceOptions/>
|
|
</Interface>
|
|
<Interface id="id3C699032" dedicated_failover="False" dyn="False" security_level="100" unnum="False" unprotected="False" name="lo" comment="" ro="False">
|
|
<IPv4 id="id3C699032-ipv4" name="address" comment="" ro="False" address="127.0.0.1" netmask="255.0.0.0"/>
|
|
<InterfaceOptions/>
|
|
</Interface>
|
|
<Interface id="id3C699034" dedicated_failover="False" dyn="False" security_level="0" unnum="False" unprotected="False" name="eth3" comment="" ro="False">
|
|
<IPv4 id="id3C699034-ipv4" name="address" comment="" ro="False" address="22.22.23.23" netmask="255.255.255.0"/>
|
|
<InterfaceOptions/>
|
|
</Interface>
|
|
<Management address="22.22.23.23">
|
|
<SNMPManagement enabled="False" snmp_read_community="public" snmp_write_community=""/>
|
|
<FWBDManagement enabled="True" identity="" port="9999"/>
|
|
<PolicyInstallScript arguments="" command="" enabled="False"/>
|
|
</Management>
|
|
<FirewallOptions>
|
|
<Option name="accept_established">True</Option>
|
|
<Option name="accept_new_tcp_with_no_syn">True</Option>
|
|
<Option name="action_on_reject">ICMP net unreachable</Option>
|
|
<Option name="check_shading">True</Option>
|
|
<Option name="clamp_mss_to_mtu">False</Option>
|
|
<Option name="cmdline"></Option>
|
|
<Option name="compiler"></Option>
|
|
<Option name="configure_interfaces">False</Option>
|
|
<Option name="debug">False</Option>
|
|
<Option name="dyn_addr">False</Option>
|
|
<Option name="firewall_dir"></Option>
|
|
<Option name="firewall_is_part_of_any">True</Option>
|
|
<Option name="firewall_is_part_of_any_and_networks">True</Option>
|
|
<Option name="ignore_empty_groups">False</Option>
|
|
<Option name="in_out_code">True</Option>
|
|
<Option name="inst_cmdline"></Option>
|
|
<Option name="inst_script"></Option>
|
|
<Option name="install_script"></Option>
|
|
<Option name="limit_suffix">/day</Option>
|
|
<Option name="limit_value">0</Option>
|
|
<Option name="linux24_ip_forward">0</Option>
|
|
<Option name="linux24_tcp_fin_timeout">30</Option>
|
|
<Option name="linux24_tcp_keepalive_interval">1800</Option>
|
|
<Option name="load_modules">False</Option>
|
|
<Option name="log_all_dropped">False</Option>
|
|
<Option name="log_ip_opt">False</Option>
|
|
<Option name="log_level">debug</Option>
|
|
<Option name="log_limit_suffix">/second</Option>
|
|
<Option name="log_limit_value">0</Option>
|
|
<Option name="log_prefix"></Option>
|
|
<Option name="log_tcp_opt">False</Option>
|
|
<Option name="log_tcp_seq">False</Option>
|
|
<Option name="manage_virtual_addr">True</Option>
|
|
<Option name="modulate_state">False</Option>
|
|
<Option name="no_iochains_for_any">False</Option>
|
|
<Option name="no_optimisation">False</Option>
|
|
<Option name="openbsd_path_pfctl"></Option>
|
|
<Option name="openbsd_path_sysctl"></Option>
|
|
<Option name="pass_all_out">False</Option>
|
|
<Option name="pf_do_scrub">True</Option>
|
|
<Option name="pf_limit_frags">5000</Option>
|
|
<Option name="pf_limit_states">10000</Option>
|
|
<Option name="pf_optimization"></Option>
|
|
<Option name="pf_scrub_fragm_crop">False</Option>
|
|
<Option name="pf_scrub_fragm_drop_ovl">False</Option>
|
|
<Option name="pf_scrub_maxmss">1460</Option>
|
|
<Option name="pf_scrub_minttl">1</Option>
|
|
<Option name="pf_scrub_no_df">False</Option>
|
|
<Option name="pf_scrub_random_id">False</Option>
|
|
<Option name="pf_scrub_use_maxmss">False</Option>
|
|
<Option name="pf_scrub_use_minttl">False</Option>
|
|
<Option name="pf_timeout_frag">30</Option>
|
|
<Option name="pf_timeout_interval">10</Option>
|
|
<Option name="platform">iptables</Option>
|
|
<Option name="proxy_arp">False</Option>
|
|
<Option name="script_env_path"></Option>
|
|
<Option name="snmp_contact"></Option>
|
|
<Option name="snmp_description"></Option>
|
|
<Option name="snmp_location"></Option>
|
|
<Option name="use_ip_tool">False</Option>
|
|
<Option name="use_numeric_log_levels">False</Option>
|
|
<Option name="use_tables">True</Option>
|
|
</FirewallOptions>
|
|
</Firewall>
|
|
<Firewall id="id3C69BD4F" host_OS="openbsd" inactive="False" lastCompiled="1157930822" lastInstalled="0" lastModified="1200415209" platform="pf" version="" name="firewall7" comment="testing rules with broadcasts" ro="False">
|
|
<NAT id="id3C69BD50" name="NAT" comment="" ro="False" ipv4_rule_set="False" ipv6_rule_set="False" top_rule_set="True">
|
|
<RuleSetOptions/>
|
|
</NAT>
|
|
<Policy id="id3C69BD51" name="Policy" comment="" ro="False" ipv4_rule_set="False" ipv6_rule_set="False" top_rule_set="True">
|
|
<PolicyRule id="id3C69BDE1" disabled="False" group="" log="True" position="0" action="Deny" direction="Inbound" comment="">
|
|
<Src neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="id3B64FFAC"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="id3C69BD5C"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="pf_classify_str"></Option>
|
|
<Option name="stateless">True</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<PolicyRule id="id3C69BF13" disabled="False" group="" log="False" position="1" action="Accept" direction="Both" comment="">
|
|
<Src neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="id3B64FFAC"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="udp-bootpc"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="pf_classify_str"></Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<RuleSetOptions/>
|
|
</Policy>
|
|
<Routing id="id3C69BD4F-routing" name="Routing" comment="" ro="False" ipv4_rule_set="False" ipv6_rule_set="False" top_rule_set="True">
|
|
<RuleSetOptions/>
|
|
</Routing>
|
|
<Interface id="id3C69BD5C" dedicated_failover="False" dyn="False" security_level="100" unnum="False" unprotected="False" name="eth0" comment="" ro="False">
|
|
<IPv4 id="id3C69BD5C-ipv4" name="address" comment="" ro="False" address="192.168.1.1" netmask="255.255.255.0"/>
|
|
<InterfaceOptions/>
|
|
</Interface>
|
|
<Interface id="id3C69BD5E" dedicated_failover="False" dyn="False" security_level="0" unnum="False" unprotected="False" name="eth1" comment="" ro="False">
|
|
<IPv4 id="id3C69BD5E-ipv4" name="address" comment="" ro="False" address="22.22.22.22" netmask="255.255.255.0"/>
|
|
<InterfaceOptions/>
|
|
</Interface>
|
|
<Interface id="id3C69BD68" dedicated_failover="False" dyn="False" security_level="100" unnum="False" unprotected="False" name="eth2" comment="" ro="False">
|
|
<IPv4 id="id3C69BD68-ipv4" name="address" comment="" ro="False" address="192.168.2.1" netmask="255.255.255.0"/>
|
|
<InterfaceOptions/>
|
|
</Interface>
|
|
<Interface id="id3C69BD6A" dedicated_failover="False" dyn="False" security_level="100" unnum="False" unprotected="False" name="lo" comment="" ro="False">
|
|
<IPv4 id="id3C69BD6A-ipv4" name="address" comment="" ro="False" address="127.0.0.1" netmask="255.0.0.0"/>
|
|
<InterfaceOptions/>
|
|
</Interface>
|
|
<Interface id="id3C69BD6C" dedicated_failover="False" dyn="False" security_level="0" unnum="False" unprotected="False" name="eth3" comment="" ro="False">
|
|
<IPv4 id="id3C69BD6C-ipv4" name="address" comment="" ro="False" address="22.22.23.23" netmask="255.255.255.0"/>
|
|
<InterfaceOptions/>
|
|
</Interface>
|
|
<Management address="22.22.23.23">
|
|
<SNMPManagement enabled="False" snmp_read_community="public" snmp_write_community=""/>
|
|
<FWBDManagement enabled="True" identity="" port="9999"/>
|
|
<PolicyInstallScript arguments="" command="" enabled="False"/>
|
|
</Management>
|
|
<FirewallOptions>
|
|
<Option name="accept_established">True</Option>
|
|
<Option name="accept_new_tcp_with_no_syn">True</Option>
|
|
<Option name="action_on_reject">ICMP net unreachable</Option>
|
|
<Option name="check_shading">True</Option>
|
|
<Option name="clamp_mss_to_mtu">False</Option>
|
|
<Option name="cmdline"></Option>
|
|
<Option name="compiler"></Option>
|
|
<Option name="configure_interfaces">False</Option>
|
|
<Option name="debug">False</Option>
|
|
<Option name="dyn_addr">False</Option>
|
|
<Option name="firewall_dir"></Option>
|
|
<Option name="firewall_is_part_of_any">True</Option>
|
|
<Option name="firewall_is_part_of_any_and_networks">True</Option>
|
|
<Option name="ignore_empty_groups">False</Option>
|
|
<Option name="in_out_code">True</Option>
|
|
<Option name="inst_cmdline"></Option>
|
|
<Option name="inst_script"></Option>
|
|
<Option name="install_script"></Option>
|
|
<Option name="limit_suffix">/day</Option>
|
|
<Option name="limit_value">0</Option>
|
|
<Option name="linux24_ip_forward">0</Option>
|
|
<Option name="linux24_tcp_fin_timeout">30</Option>
|
|
<Option name="linux24_tcp_keepalive_interval">1800</Option>
|
|
<Option name="load_modules">False</Option>
|
|
<Option name="log_all_dropped">False</Option>
|
|
<Option name="log_ip_opt">False</Option>
|
|
<Option name="log_level">debug</Option>
|
|
<Option name="log_limit_suffix">/second</Option>
|
|
<Option name="log_limit_value">0</Option>
|
|
<Option name="log_prefix"></Option>
|
|
<Option name="log_tcp_opt">False</Option>
|
|
<Option name="log_tcp_seq">False</Option>
|
|
<Option name="manage_virtual_addr">True</Option>
|
|
<Option name="modulate_state">False</Option>
|
|
<Option name="no_iochains_for_any">False</Option>
|
|
<Option name="no_optimisation">False</Option>
|
|
<Option name="openbsd_path_pfctl"></Option>
|
|
<Option name="openbsd_path_sysctl"></Option>
|
|
<Option name="pass_all_out">False</Option>
|
|
<Option name="pf_do_scrub">True</Option>
|
|
<Option name="pf_limit_frags">5000</Option>
|
|
<Option name="pf_limit_states">10000</Option>
|
|
<Option name="pf_optimization"></Option>
|
|
<Option name="pf_scrub_fragm_crop">False</Option>
|
|
<Option name="pf_scrub_fragm_drop_ovl">False</Option>
|
|
<Option name="pf_scrub_maxmss">1460</Option>
|
|
<Option name="pf_scrub_minttl">1</Option>
|
|
<Option name="pf_scrub_no_df">False</Option>
|
|
<Option name="pf_scrub_random_id">False</Option>
|
|
<Option name="pf_scrub_use_maxmss">False</Option>
|
|
<Option name="pf_scrub_use_minttl">False</Option>
|
|
<Option name="pf_timeout_frag">30</Option>
|
|
<Option name="pf_timeout_interval">10</Option>
|
|
<Option name="platform">iptables</Option>
|
|
<Option name="proxy_arp">False</Option>
|
|
<Option name="script_env_path"></Option>
|
|
<Option name="snmp_contact"></Option>
|
|
<Option name="snmp_description"></Option>
|
|
<Option name="snmp_location"></Option>
|
|
<Option name="use_ip_tool">False</Option>
|
|
<Option name="use_numeric_log_levels">False</Option>
|
|
<Option name="use_tables">True</Option>
|
|
</FirewallOptions>
|
|
</Firewall>
|
|
<Firewall id="id3D581152" host_OS="openbsd" inactive="False" lastCompiled="1157930823" lastInstalled="0" lastModified="1200415211" platform="pf" version="" name="firewall8" comment="" ro="False">
|
|
<NAT id="id3D581156" name="NAT" comment="" ro="False" ipv4_rule_set="False" ipv6_rule_set="False" top_rule_set="True">
|
|
<NATRule id="id3D58164E" disabled="False" group="" position="0" action="Translate" comment="">
|
|
<OSrc neg="False">
|
|
<ObjectRef ref="net-Internal_net"/>
|
|
</OSrc>
|
|
<ODst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ODst>
|
|
<OSrv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</OSrv>
|
|
<TSrc neg="False">
|
|
<ObjectRef ref="id3D581152"/>
|
|
</TSrc>
|
|
<TDst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</TDst>
|
|
<TSrv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</TSrv>
|
|
<ItfInb neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ItfInb>
|
|
<ItfOutb neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ItfOutb>
|
|
<NATRuleOptions/>
|
|
</NATRule>
|
|
<NATRule id="id3D58163D" disabled="False" group="" position="1" action="Translate" comment="">
|
|
<OSrc neg="False">
|
|
<ObjectRef ref="net-Internal_net"/>
|
|
</OSrc>
|
|
<ODst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ODst>
|
|
<OSrv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</OSrv>
|
|
<TSrc neg="False">
|
|
<ObjectRef ref="id3D58115B"/>
|
|
</TSrc>
|
|
<TDst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</TDst>
|
|
<TSrv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</TSrv>
|
|
<ItfInb neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ItfInb>
|
|
<ItfOutb neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ItfOutb>
|
|
<NATRuleOptions/>
|
|
</NATRule>
|
|
<NATRule id="id3D5812BC" disabled="False" group="" position="2" action="Translate" comment="">
|
|
<OSrc neg="False">
|
|
<ObjectRef ref="net-Internal_net"/>
|
|
</OSrc>
|
|
<ODst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ODst>
|
|
<OSrv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</OSrv>
|
|
<TSrc neg="False">
|
|
<ObjectRef ref="id3D58115E"/>
|
|
</TSrc>
|
|
<TDst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</TDst>
|
|
<TSrv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</TSrv>
|
|
<ItfInb neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ItfInb>
|
|
<ItfOutb neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ItfOutb>
|
|
<NATRuleOptions/>
|
|
</NATRule>
|
|
<NATRule id="id3D581322" disabled="False" group="" position="3" action="Translate" comment="">
|
|
<OSrc neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</OSrc>
|
|
<ODst neg="False">
|
|
<ObjectRef ref="id3D581152"/>
|
|
</ODst>
|
|
<OSrv neg="False">
|
|
<ServiceRef ref="tcp-SSH"/>
|
|
</OSrv>
|
|
<TSrc neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</TSrc>
|
|
<TDst neg="False">
|
|
<ObjectRef ref="id3D58118B"/>
|
|
</TDst>
|
|
<TSrv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</TSrv>
|
|
<ItfInb neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ItfInb>
|
|
<ItfOutb neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ItfOutb>
|
|
<NATRuleOptions/>
|
|
</NATRule>
|
|
<NATRule id="id3D5812AE" disabled="False" group="" position="4" action="Translate" comment="">
|
|
<OSrc neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</OSrc>
|
|
<ODst neg="False">
|
|
<ObjectRef ref="id3D58115D"/>
|
|
</ODst>
|
|
<OSrv neg="False">
|
|
<ServiceRef ref="tcp-SSH"/>
|
|
</OSrv>
|
|
<TSrc neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</TSrc>
|
|
<TDst neg="False">
|
|
<ObjectRef ref="id3D58118B"/>
|
|
</TDst>
|
|
<TSrv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</TSrv>
|
|
<ItfInb neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ItfInb>
|
|
<ItfOutb neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ItfOutb>
|
|
<NATRuleOptions/>
|
|
</NATRule>
|
|
<NATRule id="id3D5812CC" disabled="False" group="" position="5" action="Translate" comment="">
|
|
<OSrc neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</OSrc>
|
|
<ODst neg="False">
|
|
<ObjectRef ref="id3D58115D"/>
|
|
</ODst>
|
|
<OSrv neg="False">
|
|
<ServiceRef ref="tcp-SSH"/>
|
|
</OSrv>
|
|
<TSrc neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</TSrc>
|
|
<TDst neg="False">
|
|
<ObjectRef ref="id3D58118F"/>
|
|
</TDst>
|
|
<TSrv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</TSrv>
|
|
<ItfInb neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ItfInb>
|
|
<ItfOutb neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ItfOutb>
|
|
<NATRuleOptions/>
|
|
</NATRule>
|
|
<NATRule id="id3D5812FA" disabled="False" group="" position="6" action="Translate" comment="">
|
|
<OSrc neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</OSrc>
|
|
<ODst neg="False">
|
|
<ObjectRef ref="id3D58115D"/>
|
|
</ODst>
|
|
<OSrv neg="False">
|
|
<ServiceRef ref="tcp-SSH"/>
|
|
</OSrv>
|
|
<TSrc neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</TSrc>
|
|
<TDst neg="False">
|
|
<ObjectRef ref="id3D581193"/>
|
|
</TDst>
|
|
<TSrv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</TSrv>
|
|
<ItfInb neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ItfInb>
|
|
<ItfOutb neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ItfOutb>
|
|
<NATRuleOptions/>
|
|
</NATRule>
|
|
<NATRule id="id3D58130E" disabled="False" group="" position="7" action="Translate" comment="">
|
|
<OSrc neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</OSrc>
|
|
<ODst neg="False">
|
|
<ObjectRef ref="id3D58115D"/>
|
|
</ODst>
|
|
<OSrv neg="False">
|
|
<ServiceRef ref="tcp-SSH"/>
|
|
</OSrv>
|
|
<TSrc neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</TSrc>
|
|
<TDst neg="False">
|
|
<ObjectRef ref="id3D581194"/>
|
|
</TDst>
|
|
<TSrv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</TSrv>
|
|
<ItfInb neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ItfInb>
|
|
<ItfOutb neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ItfOutb>
|
|
<NATRuleOptions/>
|
|
</NATRule>
|
|
<NATRule id="id40ECF00B" disabled="False" group="" position="8" action="Translate" comment="">
|
|
<OSrc neg="False">
|
|
<ObjectRef ref="net-Internal_net"/>
|
|
</OSrc>
|
|
<ODst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ODst>
|
|
<OSrv neg="False">
|
|
<ServiceRef ref="tcp-HTTP"/>
|
|
</OSrv>
|
|
<TSrc neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</TSrc>
|
|
<TDst neg="False">
|
|
<ObjectRef ref="id3D58115B"/>
|
|
</TDst>
|
|
<TSrv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</TSrv>
|
|
<ItfInb neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ItfInb>
|
|
<ItfOutb neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ItfOutb>
|
|
<NATRuleOptions/>
|
|
</NATRule>
|
|
<RuleSetOptions/>
|
|
</NAT>
|
|
<Policy id="id3D581155" name="Policy" comment="" ro="False" ipv4_rule_set="False" ipv6_rule_set="False" top_rule_set="True">
|
|
<PolicyRule id="id3E5F239B" disabled="False" group="" log="False" position="0" action="Accounting" direction="Both" comment="">
|
|
<Src neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="pf_classify_str"></Option>
|
|
<Option name="stateless">True</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<PolicyRule id="id3E5F2391" disabled="False" group="" log="True" position="1" action="Accounting" direction="Both" comment="">
|
|
<Src neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="pf_classify_str"></Option>
|
|
<Option name="stateless">True</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<PolicyRule id="id3D5811A5" disabled="False" group="" log="False" position="2" action="Accept" direction="Both" comment="">
|
|
<Src neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="id3D58115E"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="tcp-SSH"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="pf_classify_str"></Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<PolicyRule id="id3D58119B" disabled="False" group="" log="False" position="3" action="Accept" direction="Both" comment="">
|
|
<Src neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="id3D58115D"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="tcp-SSH"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="pf_classify_str"></Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<PolicyRule id="id3D5811FB" disabled="False" group="" log="False" position="4" action="Accept" direction="Both" comment="">
|
|
<Src neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="id3D58115B"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="tcp-SSH"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="pf_classify_str"></Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<PolicyRule id="id3D5811B1" disabled="False" group="" log="True" position="5" action="Deny" direction="Both" comment="">
|
|
<Src neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="pf_classify_str"></Option>
|
|
<Option name="stateless">True</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<RuleSetOptions/>
|
|
</Policy>
|
|
<Routing id="id3D581152-routing" name="Routing" comment="" ro="False" ipv4_rule_set="False" ipv6_rule_set="False" top_rule_set="True">
|
|
<RuleSetOptions/>
|
|
</Routing>
|
|
<Interface id="id3D58115B" dedicated_failover="False" dyn="False" label="" security_level="0" unnum="False" unprotected="False" name="eth1" comment="" ro="False">
|
|
<IPv4 id="id3D58115D" name="firewall8:eth1:1" comment="" ro="False" address="33.33.33.34" netmask="255.255.255.0"/>
|
|
<IPv4 id="id3D58115E" name="firewall8:eth1:0" comment="" ro="False" address="33.33.33.33" netmask="255.255.255.0"/>
|
|
<InterfaceOptions/>
|
|
</Interface>
|
|
<Interface id="id3D581188" dedicated_failover="False" dyn="False" label="" security_level="100" unnum="False" unprotected="False" name="eth0" comment="" ro="False">
|
|
<IPv4 id="id3D58118A" name="firewall8:eth0" comment="" ro="False" address="192.168.1.1" netmask="255.255.255.0"/>
|
|
<InterfaceOptions/>
|
|
</Interface>
|
|
<Interface id="id3E5F18E9" dedicated_failover="False" dyn="False" label="" mgmt="False" security_level="100" unnum="False" unprotected="False" name="lo" comment="" ro="False">
|
|
<IPv4 id="id3E5F18EB" name="firewall8:lo(ip)" comment="" ro="False" address="127.0.0.1" netmask="255.0.0.0"/>
|
|
<InterfaceOptions/>
|
|
</Interface>
|
|
<Interface id="id3EE256C2" dedicated_failover="False" dyn="True" label="" mgmt="False" security_level="0" unnum="False" unprotected="False" name="ppp0" comment="" ro="False">
|
|
<InterfaceOptions/>
|
|
</Interface>
|
|
<Management address="0.0.0.0">
|
|
<SNMPManagement enabled="False" snmp_read_community="" snmp_write_community=""/>
|
|
<FWBDManagement enabled="True" identity="" port="9999"/>
|
|
<PolicyInstallScript arguments="" command="" enabled="False"/>
|
|
</Management>
|
|
<FirewallOptions>
|
|
<Option name="check_shading">False</Option>
|
|
<Option name="cmdline"></Option>
|
|
<Option name="compiler"></Option>
|
|
<Option name="configure_interfaces">False</Option>
|
|
<Option name="debug">False</Option>
|
|
<Option name="firewall_dir">/etc</Option>
|
|
<Option name="ignore_empty_groups">False</Option>
|
|
<Option name="in_out_code">True</Option>
|
|
<Option name="log_prefix"></Option>
|
|
<Option name="manage_virtual_addr">False</Option>
|
|
<Option name="modulate_state">False</Option>
|
|
<Option name="no_optimisation">False</Option>
|
|
<Option name="openbsd_ip_forward">1</Option>
|
|
<Option name="openbsd_path_pfctl">/usr/sbin/pfctl</Option>
|
|
<Option name="openbsd_path_sysctl">/usr/sbin/sysctl</Option>
|
|
<Option name="pass_all_out">False</Option>
|
|
<Option name="pf_do_scrub">True</Option>
|
|
<Option name="pf_limit_frags">5000</Option>
|
|
<Option name="pf_limit_states">10000</Option>
|
|
<Option name="pf_optimization"></Option>
|
|
<Option name="pf_scrub_fragm_crop">False</Option>
|
|
<Option name="pf_scrub_fragm_drop_ovl">False</Option>
|
|
<Option name="pf_scrub_maxmss">1460</Option>
|
|
<Option name="pf_scrub_minttl">1</Option>
|
|
<Option name="pf_scrub_no_df">False</Option>
|
|
<Option name="pf_scrub_random_id">False</Option>
|
|
<Option name="pf_scrub_use_maxmss">False</Option>
|
|
<Option name="pf_scrub_use_minttl">False</Option>
|
|
<Option name="pf_timeout_frag">30</Option>
|
|
<Option name="pf_timeout_interval">10</Option>
|
|
<Option name="snmp_contact"></Option>
|
|
<Option name="snmp_description"></Option>
|
|
<Option name="snmp_location"></Option>
|
|
<Option name="use_tables">True</Option>
|
|
</FirewallOptions>
|
|
</Firewall>
|
|
<Firewall id="id3E853CBE" host_OS="freebsd" inactive="False" lastCompiled="1255644798" lastInstalled="0" lastModified="1255644788" platform="pf" version="" name="firewall9" comment="testing rules with broadcasts" ro="False">
|
|
<NAT id="id3E853CBF" name="NAT" comment="" ro="False" ipv4_rule_set="False" ipv6_rule_set="False" top_rule_set="True">
|
|
<NATRule id="id3E853EF8" disabled="True" group="" position="0" action="Translate" comment="">
|
|
<OSrc neg="False">
|
|
<ObjectRef ref="net-Internal_net"/>
|
|
</OSrc>
|
|
<ODst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ODst>
|
|
<OSrv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</OSrv>
|
|
<TSrc neg="False">
|
|
<ObjectRef ref="id3E853CD8"/>
|
|
</TSrc>
|
|
<TDst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</TDst>
|
|
<TSrv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</TSrv>
|
|
<ItfInb neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ItfInb>
|
|
<ItfOutb neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ItfOutb>
|
|
<NATRuleOptions/>
|
|
</NATRule>
|
|
<NATRule id="id3E853F16" disabled="False" group="" position="1" action="Translate" comment="">
|
|
<OSrc neg="False">
|
|
<ObjectRef ref="net-Internal_net"/>
|
|
</OSrc>
|
|
<ODst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ODst>
|
|
<OSrv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</OSrv>
|
|
<TSrc neg="False">
|
|
<ObjectRef ref="id3E853CBE"/>
|
|
</TSrc>
|
|
<TDst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</TDst>
|
|
<TSrv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</TSrv>
|
|
<ItfInb neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ItfInb>
|
|
<ItfOutb neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ItfOutb>
|
|
<NATRuleOptions/>
|
|
</NATRule>
|
|
<RuleSetOptions/>
|
|
</NAT>
|
|
<Policy id="id3E853CC0" name="Policy" comment="" ro="False" ipv4_rule_set="False" ipv6_rule_set="False" top_rule_set="True">
|
|
<PolicyRule id="id3E853CCE" disabled="False" group="" log="True" position="0" action="Deny" direction="Inbound" comment="">
|
|
<Src neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="id3B64FFAC"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="id3E853CCB"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="pf_classify_str"></Option>
|
|
<Option name="stateless">True</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<PolicyRule id="id3E853CEF" disabled="False" group="" log="False" position="1" action="Accept" direction="Both" comment="">
|
|
<Src neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="id3E853CDE"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="pf_classify_str"></Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<PolicyRule id="id3E853D1B" disabled="True" group="" log="False" position="2" action="Accept" direction="Both" comment="">
|
|
<Src neg="False">
|
|
<ObjectRef ref="id3E853CD8"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="pf_classify_str"></Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<PolicyRule id="id3E853CC1" disabled="False" group="" log="False" position="3" action="Accept" direction="Both" comment="">
|
|
<Src neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="id3B64FFAC"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="udp-bootpc"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="pf_classify_str"></Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<PolicyRule id="id3E853D26" disabled="False" group="" log="True" position="4" action="Deny" direction="Both" comment="">
|
|
<Src neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="pf_classify_str"></Option>
|
|
<Option name="stateless">True</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<RuleSetOptions/>
|
|
</Policy>
|
|
<Routing id="id3E853CBE-routing" name="Routing" comment="" ro="False" ipv4_rule_set="False" ipv6_rule_set="False" top_rule_set="True">
|
|
<RuleSetOptions/>
|
|
</Routing>
|
|
<Interface id="id3E853CCB" dedicated_failover="False" dyn="False" security_level="100" unnum="False" unprotected="False" name="eth0" comment="" ro="False">
|
|
<IPv4 id="id3E853CCC" name="address" comment="" ro="False" address="192.168.1.1" netmask="255.255.255.0"/>
|
|
<InterfaceOptions/>
|
|
</Interface>
|
|
<!-- Unnumbered interface (unnum="True"): it carries no IPv4 child, unlike eth0 and lo
     in this firewall. security_level="0" is the lowest value used on this host (eth0
     and lo use 100). The only rule referencing it in this policy is id3E853D1B, which
     lists it as Src and is currently disabled="True". -->
<Interface id="id3E853CD8" dedicated_failover="False" dyn="False" label="" mgmt="False" security_level="0" unnum="True" unprotected="False" name="enc0" comment="" ro="False">
|
|
<InterfaceOptions/>
|
|
</Interface>
|
|
<Interface id="id3E853CDE" dedicated_failover="False" dyn="False" security_level="100" unnum="False" unprotected="False" name="lo" comment="" ro="False">
|
|
<IPv4 id="id3E853CDF" name="address" comment="" ro="False" address="127.0.0.1" netmask="255.0.0.0"/>
|
|
<InterfaceOptions/>
|
|
</Interface>
|
|
<!-- Management settings for this firewall object. address="127.0.0.1" is the lo
     address defined on interface id3E853CDE above, so management traffic is expected
     to stay on the host itself. -->
<Management address="127.0.0.1">
|
|
<!-- SNMP management is off (enabled="False"). The read community is still the
     well-known default "public" and the write community is empty; both need to be
     set to real values before SNMP is ever enabled on a non-test object. -->
<SNMPManagement enabled="False" snmp_read_community="public" snmp_write_community=""/>
|
|
<!-- FWBD management channel is enabled on TCP/UDP port 9999 with an empty identity.
     NOTE(review): presumably identity is what the daemon uses to recognise this
     firewall; confirm before reusing this block outside a test fixture. -->
<FWBDManagement enabled="True" identity="" port="9999"/>
|
|
<!-- No external policy install script: disabled and command/arguments empty. -->
<PolicyInstallScript arguments="" command="" enabled="False"/>
|
|
</Management>
|
|
<FirewallOptions>
|
|
<Option name="accept_established">True</Option>
|
|
<Option name="accept_new_tcp_with_no_syn">True</Option>
|
|
<Option name="action_on_reject">ICMP net unreachable</Option>
|
|
<Option name="check_shading">True</Option>
|
|
<Option name="clamp_mss_to_mtu">False</Option>
|
|
<Option name="cmdline"></Option>
|
|
<Option name="compiler"></Option>
|
|
<Option name="configure_interfaces">False</Option>
|
|
<Option name="debug">False</Option>
|
|
<Option name="dyn_addr">False</Option>
|
|
<Option name="firewall_dir"></Option>
|
|
<Option name="firewall_is_part_of_any">True</Option>
|
|
<Option name="firewall_is_part_of_any_and_networks">True</Option>
|
|
<Option name="freebsd_ip_forward"></Option>
|
|
<Option name="freebsd_ip_redirect"></Option>
|
|
<Option name="freebsd_ip_sourceroute"></Option>
|
|
<Option name="freebsd_ipv6_forward"></Option>
|
|
<Option name="freebsd_path_ipf"></Option>
|
|
<Option name="freebsd_path_ipnat"></Option>
|
|
<Option name="freebsd_path_pfctl">/usr/local/bin/pfctl</Option>
|
|
<Option name="freebsd_path_sysctl"></Option>
|
|
<Option name="ignore_empty_groups">False</Option>
|
|
<Option name="in_out_code">True</Option>
|
|
<Option name="inst_cmdline"></Option>
|
|
<Option name="inst_script"></Option>
|
|
<Option name="install_script"></Option>
|
|
<Option name="limit_suffix">/day</Option>
|
|
<Option name="limit_value">0</Option>
|
|
<Option name="linux24_ip_forward">0</Option>
|
|
<Option name="linux24_tcp_fin_timeout">30</Option>
|
|
<Option name="linux24_tcp_keepalive_interval">1800</Option>
|
|
<Option name="load_modules">False</Option>
|
|
<Option name="log_all_dropped">False</Option>
|
|
<Option name="log_ip_opt">False</Option>
|
|
<Option name="log_level">debug</Option>
|
|
<Option name="log_limit_suffix">/second</Option>
|
|
<Option name="log_limit_value">0</Option>
|
|
<Option name="log_prefix"></Option>
|
|
<Option name="log_tcp_opt">False</Option>
|
|
<Option name="log_tcp_seq">False</Option>
|
|
<Option name="manage_virtual_addr">True</Option>
|
|
<Option name="modulate_state">False</Option>
|
|
<Option name="no_iochains_for_any">False</Option>
|
|
<Option name="no_optimisation">False</Option>
|
|
<Option name="openbsd_path_pfctl"></Option>
|
|
<Option name="openbsd_path_sysctl"></Option>
|
|
<Option name="pass_all_out">False</Option>
|
|
<Option name="pf_do_scrub">True</Option>
|
|
<Option name="pf_limit_frags">5000</Option>
|
|
<Option name="pf_limit_states">10000</Option>
|
|
<Option name="pf_optimization"></Option>
|
|
<Option name="pf_scrub_fragm_crop">False</Option>
|
|
<Option name="pf_scrub_fragm_drop_ovl">False</Option>
|
|
<Option name="pf_scrub_maxmss">1460</Option>
|
|
<Option name="pf_scrub_minttl">1</Option>
|
|
<Option name="pf_scrub_no_df">False</Option>
|
|
<Option name="pf_scrub_random_id">False</Option>
|
|
<Option name="pf_scrub_use_maxmss">False</Option>
|
|
<Option name="pf_scrub_use_minttl">False</Option>
|
|
<Option name="pf_timeout_frag">30</Option>
|
|
<Option name="pf_timeout_interval">10</Option>
|
|
<Option name="platform">iptables</Option>
|
|
<Option name="proxy_arp">False</Option>
|
|
<Option name="script_env_path"></Option>
|
|
<Option name="snmp_contact"></Option>
|
|
<Option name="snmp_description"></Option>
|
|
<Option name="snmp_location"></Option>
|
|
<Option name="use_ip_tool">False</Option>
|
|
<Option name="use_numeric_log_levels">False</Option>
|
|
<Option name="use_tables">True</Option>
|
|
</FirewallOptions>
|
|
</Firewall>
|
|
<Firewall id="id43867C1018346" host_OS="freebsd" inactive="False" lastCompiled="1157930808" lastInstalled="0" lastModified="1193632397" platform="pf" version="" name="firewall33" comment="testing DNSName object" ro="False">
|
|
<NAT id="id43867C4818346" name="NAT" comment="" ro="False" ipv4_rule_set="False" ipv6_rule_set="False" top_rule_set="True">
|
|
<NATRule id="id43876E2618346" disabled="False" group="" position="0" action="Translate" comment="">
|
|
<OSrc neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</OSrc>
|
|
<ODst neg="False">
|
|
<ObjectRef ref="id43869E8C18346"/>
|
|
</ODst>
|
|
<OSrv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</OSrv>
|
|
<TSrc neg="False">
|
|
<ObjectRef ref="id43867C5818346"/>
|
|
</TSrc>
|
|
<TDst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</TDst>
|
|
<TSrv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</TSrv>
|
|
<ItfInb neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ItfInb>
|
|
<ItfOutb neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ItfOutb>
|
|
<NATRuleOptions/>
|
|
</NATRule>
|
|
<NATRule id="id43876E5218346" disabled="False" group="" position="1" action="Translate" comment="">
|
|
<OSrc neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</OSrc>
|
|
<ODst neg="False">
|
|
<ObjectRef ref="id43869E8D18346"/>
|
|
</ODst>
|
|
<OSrv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</OSrv>
|
|
<TSrc neg="False">
|
|
<ObjectRef ref="id43867C5818346"/>
|
|
</TSrc>
|
|
<TDst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</TDst>
|
|
<TSrv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</TSrv>
|
|
<ItfInb neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ItfInb>
|
|
<ItfOutb neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ItfOutb>
|
|
<NATRuleOptions/>
|
|
</NATRule>
|
|
<NATRule id="id43876E6918346" disabled="False" group="" position="2" action="Translate" comment="">
|
|
<OSrc neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</OSrc>
|
|
<ODst neg="False">
|
|
<ObjectRef ref="id43869E8D18346"/>
|
|
<ObjectRef ref="id4387287A18346"/>
|
|
</ODst>
|
|
<OSrv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</OSrv>
|
|
<TSrc neg="False">
|
|
<ObjectRef ref="id43867C5818346"/>
|
|
</TSrc>
|
|
<TDst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</TDst>
|
|
<TSrv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</TSrv>
|
|
<ItfInb neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ItfInb>
|
|
<ItfOutb neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ItfOutb>
|
|
<NATRuleOptions/>
|
|
</NATRule>
|
|
<!-- NAT rule position="3": source translation to interface eth0.100 (TSrc ref
     id43867C5818346, a dyn="True" interface defined later in this firewall) for any
     original source whose destination is NOT (neg="True") one of the two objects in
     ODst. Rule position="2" above lists the same two objects without negation and the
     same TSrc, so between the two rules every destination gets its source rewritten.
     ItfInb/ItfOutb are left at Any. -->
<NATRule id="id43876E7B18346" disabled="False" group="" position="3" action="Translate" comment="">
|
|
<OSrc neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</OSrc>
|
|
<!-- Negated set: matches everything except these two objects. -->
<ODst neg="True">
|
|
<ObjectRef ref="id43869E8D18346"/>
|
|
<ObjectRef ref="id4387287A18346"/>
|
|
</ODst>
|
|
<OSrv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</OSrv>
|
|
<!-- Translated source: the eth0.100 interface object. -->
<TSrc neg="False">
|
|
<ObjectRef ref="id43867C5818346"/>
|
|
</TSrc>
|
|
<TDst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</TDst>
|
|
<TSrv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</TSrv>
|
|
<ItfInb neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ItfInb>
|
|
<ItfOutb neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ItfOutb>
|
|
<NATRuleOptions/>
|
|
</NATRule>
|
|
<RuleSetOptions/>
|
|
</NAT>
|
|
<Policy id="id43867C1618346" name="Policy" comment="" ro="False" ipv4_rule_set="False" ipv6_rule_set="False" top_rule_set="True">
|
|
<PolicyRule id="id43867C2418346" disabled="False" group="" log="False" position="0" action="Accept" direction="Both" comment="">
|
|
<Src neg="False">
|
|
<ObjectRef ref="id43869E8C18346"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="pf_classify_str"></Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<PolicyRule id="id43869E9018346" disabled="False" group="" log="False" position="1" action="Accept" direction="Both" comment="">
|
|
<Src neg="False">
|
|
<ObjectRef ref="id43869E8D18346"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="pf_classify_str"></Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<PolicyRule id="id43869E9E18346" disabled="False" group="" log="False" position="2" action="Accept" direction="Both" comment="">
|
|
<Src neg="False">
|
|
<ObjectRef ref="id43869E8E18346"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="pf_classify_str"></Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<PolicyRule id="id43869EAA18346" disabled="False" group="" log="False" position="3" action="Accept" direction="Both" comment="">
|
|
<Src neg="False">
|
|
<ObjectRef ref="id43869E8F18346"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="pf_classify_str"></Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<PolicyRule id="id4386E38318346" disabled="False" group="" log="False" position="4" action="Deny" direction="Both" comment="">
|
|
<Src neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Src>
|
|
<Dst neg="True">
|
|
<ObjectRef ref="id43869E8C18346"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="pf_classify_str"></Option>
|
|
<Option name="stateless">True</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<PolicyRule id="id4386E37718346" disabled="False" group="" log="False" position="5" action="Deny" direction="Both" comment="">
|
|
<Src neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Src>
|
|
<Dst neg="True">
|
|
<ObjectRef ref="id43869E8D18346"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="pf_classify_str"></Option>
|
|
<Option name="stateless">True</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<PolicyRule id="id43867C3018346" disabled="False" group="" log="False" position="6" action="Accept" direction="Both" comment="">
|
|
<Src neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Src>
|
|
<Dst neg="True">
|
|
<ObjectRef ref="id43869E8E18346"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="pf_classify_str"></Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<PolicyRule id="id4386C10D18346" disabled="False" group="" log="False" position="7" action="Accept" direction="Both" comment="">
|
|
<Src neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Src>
|
|
<Dst neg="True">
|
|
<ObjectRef ref="id43869E8F18346"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="pf_classify_str"></Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<PolicyRule id="id438728A918346" disabled="False" group="" log="False" position="8" action="Accept" direction="Both" comment="">
|
|
<Src neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Src>
|
|
<Dst neg="True">
|
|
<ObjectRef ref="id43869E8C18346"/>
|
|
<ObjectRef ref="id4387287918346"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="pf_classify_str"></Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<PolicyRule id="id438728BA18346" disabled="False" group="" log="False" position="9" action="Accept" direction="Both" comment="">
|
|
<Src neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Src>
|
|
<Dst neg="True">
|
|
<ObjectRef ref="id43869E8D18346"/>
|
|
<ObjectRef ref="id4387287A18346"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="pf_classify_str"></Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<PolicyRule id="id438728CD18346" disabled="False" group="" log="False" position="10" action="Accept" direction="Both" comment="">
|
|
<Src neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Src>
|
|
<Dst neg="True">
|
|
<ObjectRef ref="id43869E8C18346"/>
|
|
<ObjectRef ref="id4387287A18346"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="pf_classify_str"></Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<!-- Last rule of this policy (position="11"): catch-all Deny for any source,
     destination, service, interface and time, with log="True" so that drops reaching
     this rule are recorded. The stateless option below means (by its name) that no
     state entry is created for packets matching this rule. -->
<PolicyRule id="id43867C3C18346" disabled="False" group="" log="True" position="11" action="Deny" direction="Both" comment="">
|
|
<Src neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="pf_classify_str"></Option>
|
|
<Option name="stateless">True</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<RuleSetOptions/>
|
|
</Policy>
|
|
<Routing id="id43867C5718346" name="Routing" comment="" ro="False" ipv4_rule_set="False" ipv6_rule_set="False" top_rule_set="True">
|
|
<RuleSetOptions/>
|
|
</Routing>
|
|
<!-- Dynamically addressed VLAN interface (dyn="True"), so it has no IPv4 child.
     It is the TSrc of every NAT rule in this firewall's NAT set above, i.e. the
     address traffic is source-translated to is resolved at run time rather than
     stored here. mgmt="False" and security_level="0" (lowest on this host). -->
<Interface id="id43867C5818346" dedicated_failover="False" dyn="True" label="" mgmt="False" security_level="0" unnum="False" unprotected="False" name="eth0.100" comment="VLAN interface" ro="False">
|
|
<InterfaceOptions/>
|
|
</Interface>
|
|
<Interface id="id43867C5918346" dedicated_failover="False" dyn="False" security_level="100" unnum="False" unprotected="False" name="lo" comment="" ro="False">
|
|
<IPv4 id="id43867C5B18346" name="firewall33:lo:ip" comment="" ro="False" address="127.0.0.1" netmask="255.0.0.0"/>
|
|
<InterfaceOptions/>
|
|
</Interface>
|
|
<!-- Management interface (mgmt="True") of firewall33. Its address 192.168.1.100/24
     is the one the Management element below points at. -->
<Interface id="id43867C5C18346" dedicated_failover="False" dyn="False" label="" mgmt="True" security_level="100" unnum="False" unprotected="False" name="eth1" comment="" ro="False">
|
|
<IPv4 id="id43867C5E18346" name="firewall33:eth1:ip" comment="" ro="False" address="192.168.1.100" netmask="255.255.255.0"/>
|
|
<InterfaceOptions/>
|
|
</Interface>
|
|
<!-- Management settings for firewall33. address="192.168.1.100" is the address of
     eth1 above, the interface flagged mgmt="True". -->
<Management address="192.168.1.100">
|
|
<!-- SNMP management is off (enabled="False"). The read community is still the
     well-known default "public" and the write community is empty; both need to be
     set to real values before SNMP is ever enabled on a non-test object. -->
<SNMPManagement enabled="False" snmp_read_community="public" snmp_write_community=""/>
|
|
<!-- FWBD management channel enabled on port 9999 with an empty identity.
     NOTE(review): presumably identity is what the daemon uses to recognise this
     firewall; confirm before reusing this block outside a test fixture. -->
<FWBDManagement enabled="True" identity="" port="9999"/>
|
|
<!-- No external policy install script: disabled and command/arguments empty. -->
<PolicyInstallScript arguments="" command="" enabled="False"/>
|
|
</Management>
|
|
<!-- Compiler and runtime options for firewall33. The enclosing Firewall element is
     declared platform="pf" host_OS="freebsd", yet the "platform" option below says
     iptables, and the linux24_*, ulog_* and use_iptables_restore options are
     iptables-only. Which of the two platform values the compiler honours cannot be
     told from this file; a reader should treat the element attribute as the intent
     and the iptables-specific options here as unused leftovers, and confirm against
     the compiled output. -->
<FirewallOptions>
|
|
<Option name="accept_established">True</Option>
|
|
<!-- By its name this lets TCP packets that do not carry SYN be accepted as new
     connections. That relaxes stateful inspection; it is acceptable in a fixture but
     should be reviewed before the object is used for a real policy. -->
<Option name="accept_new_tcp_with_no_syn">True</Option>
|
|
<Option name="action_on_reject">ICMP net unreachable</Option>
|
|
<Option name="activationCmd"></Option>
|
|
<Option name="admUser"></Option>
|
|
<Option name="altAddress"></Option>
|
|
<Option name="bridging_fw">False</Option>
|
|
<!-- Rule shadowing check is switched off, so the compiler is not asked to report
     rules that can never match because an earlier rule covers them. -->
<Option name="check_shading">False</Option>
|
|
<Option name="clamp_mss_to_mtu">False</Option>
|
|
<Option name="cmdline"></Option>
|
|
<Option name="compiler"></Option>
|
|
<Option name="configure_interfaces">True</Option>
|
|
<Option name="debug">False</Option>
|
|
<Option name="drop_invalid">False</Option>
|
|
<Option name="dyn_addr">False</Option>
|
|
<Option name="epilog_script"></Option>
|
|
<Option name="firewall_dir"></Option>
|
|
<Option name="firewall_is_part_of_any">True</Option>
|
|
<Option name="firewall_is_part_of_any_and_networks">True</Option>
|
|
<Option name="ignore_empty_groups">False</Option>
|
|
<Option name="inst_cmdline"></Option>
|
|
<Option name="inst_script"></Option>
|
|
<Option name="install_script"></Option>
|
|
<Option name="limit_suffix">/day</Option>
|
|
<Option name="limit_value">0</Option>
|
|
<!-- linux24_* block: Linux kernel sysctl and tool-path settings. All are empty here
     except the two TCP timeouts, consistent with this object targeting pf rather
     than iptables. -->
<Option name="linux24_accept_redirects"></Option>
|
|
<Option name="linux24_accept_source_route"></Option>
|
|
<Option name="linux24_icmp_echo_ignore_all"></Option>
|
|
<Option name="linux24_icmp_echo_ignore_broadcasts"></Option>
|
|
<Option name="linux24_icmp_ignore_bogus_error_responses"></Option>
|
|
<Option name="linux24_ip_dynaddr"></Option>
|
|
<Option name="linux24_ip_forward"></Option>
|
|
<Option name="linux24_log_martians"></Option>
|
|
<Option name="linux24_path_ip"></Option>
|
|
<Option name="linux24_path_iptables"></Option>
|
|
<Option name="linux24_path_logger"></Option>
|
|
<Option name="linux24_path_lsmod"></Option>
|
|
<Option name="linux24_path_modprobe"></Option>
|
|
<Option name="linux24_rp_filter"></Option>
|
|
<Option name="linux24_tcp_ecn"></Option>
|
|
<Option name="linux24_tcp_fack"></Option>
|
|
<Option name="linux24_tcp_fin_timeout">30</Option>
|
|
<Option name="linux24_tcp_keepalive_interval">1800</Option>
|
|
<Option name="linux24_tcp_sack"></Option>
|
|
<Option name="linux24_tcp_syncookies"></Option>
|
|
<Option name="linux24_tcp_timestamps"></Option>
|
|
<Option name="linux24_tcp_window_scaling"></Option>
|
|
<Option name="load_modules">False</Option>
|
|
<Option name="local_nat">False</Option>
|
|
<!-- Logging: only rules with log="True" log (log_all and log_all_dropped are False);
     level debug, no rate limit (log_limit_value 0). -->
<Option name="log_all">False</Option>
|
|
<Option name="log_all_dropped">False</Option>
|
|
<Option name="log_invalid">False</Option>
|
|
<Option name="log_ip_opt">False</Option>
|
|
<Option name="log_level">debug</Option>
|
|
<Option name="log_limit_suffix">/second</Option>
|
|
<Option name="log_limit_value">0</Option>
|
|
<!-- Log prefix template using %N, %A and %I placeholders; note the trailing space is
     part of the value and is carried into every generated log line. -->
<Option name="log_prefix">RULE %N -- %A on %I </Option>
|
|
<Option name="log_tcp_opt">False</Option>
|
|
<Option name="log_tcp_seq">False</Option>
|
|
<Option name="manage_virtual_addr">True</Option>
|
|
<!-- No dedicated management address or SSH management configured here; the
     Management element above carries the address actually used. -->
<Option name="mgmt_addr"></Option>
|
|
<Option name="mgmt_ssh">False</Option>
|
|
<Option name="no_iochains_for_any">False</Option>
|
|
<Option name="no_optimisation">False</Option>
|
|
<Option name="output_file"></Option>
|
|
<!-- Disagrees with platform="pf" on the Firewall element; see the block comment. -->
<Option name="platform">iptables</Option>
|
|
<Option name="prolog_place">top</Option>
|
|
<Option name="prolog_script"></Option>
|
|
<Option name="proxy_arp">False</Option>
|
|
<Option name="script_env_path"></Option>
|
|
<Option name="snmp_contact"></Option>
|
|
<Option name="snmp_description"></Option>
|
|
<Option name="snmp_location"></Option>
|
|
<Option name="sshArgs"></Option>
|
|
<Option name="ulog_cprange">0</Option>
|
|
<Option name="ulog_nlgroup">1</Option>
|
|
<Option name="ulog_qthreshold">1</Option>
|
|
<Option name="use_ULOG">False</Option>
|
|
<Option name="use_ip_tool">False</Option>
|
|
<Option name="use_iptables_restore">False</Option>
|
|
<Option name="use_numeric_log_levels">False</Option>
|
|
<!-- Interface verification at install time is off; with configure_interfaces set to
     True above, the interface list in this object is applied without being checked
     against the target host. -->
<Option name="verify_interfaces">False</Option>
|
|
</FirewallOptions>
|
|
</Firewall>
|
|
<Firewall id="id4389EDAE18346" host_OS="openbsd" inactive="False" lastCompiled="1210047001" lastInstalled="0" lastModified="1210046836" platform="pf" version="" name="firewall34" comment="testing AddressTable object" ro="False">
|
|
<NAT id="id4389EE4818346" name="NAT" comment="" ro="False" ipv4_rule_set="False" ipv6_rule_set="False" top_rule_set="True">
|
|
<NATRule id="id4389EEB018346" disabled="False" group="" position="0" action="Translate" comment="">
|
|
<OSrc neg="True">
|
|
<ObjectRef ref="id4389EE9118346"/>
|
|
</OSrc>
|
|
<ODst neg="False">
|
|
<ObjectRef ref="id4389EE8418346"/>
|
|
</ODst>
|
|
<OSrv neg="False">
|
|
<ServiceRef ref="tcp-SMTP"/>
|
|
</OSrv>
|
|
<TSrc neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</TSrc>
|
|
<TDst neg="False">
|
|
<ObjectRef ref="host-hostA"/>
|
|
</TDst>
|
|
<TSrv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</TSrv>
|
|
<ItfInb neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ItfInb>
|
|
<ItfOutb neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ItfOutb>
|
|
<NATRuleOptions/>
|
|
</NATRule>
|
|
<NATRule id="id446FDDE610619" disabled="False" group="" position="1" action="Translate" comment="">
|
|
<OSrc neg="False">
|
|
<ObjectRef ref="id4390C25525682"/>
|
|
</OSrc>
|
|
<ODst neg="False">
|
|
<ObjectRef ref="id4389EE8418346"/>
|
|
</ODst>
|
|
<OSrv neg="False">
|
|
<ServiceRef ref="tcp-SMTP"/>
|
|
</OSrv>
|
|
<TSrc neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</TSrc>
|
|
<TDst neg="False">
|
|
<ObjectRef ref="host-hostA"/>
|
|
</TDst>
|
|
<TSrv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</TSrv>
|
|
<ItfInb neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ItfInb>
|
|
<ItfOutb neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ItfOutb>
|
|
<NATRuleOptions/>
|
|
</NATRule>
|
|
<NATRule id="id43891B6E674" disabled="False" group="" position="2" action="Translate" comment="">
|
|
<OSrc neg="False">
|
|
<ObjectRef ref="net-Internal_net"/>
|
|
</OSrc>
|
|
<ODst neg="True">
|
|
<ObjectRef ref="id4389EE9118346"/>
|
|
</ODst>
|
|
<OSrv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</OSrv>
|
|
<TSrc neg="False">
|
|
<ObjectRef ref="id4389EE8418346"/>
|
|
</TSrc>
|
|
<TDst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</TDst>
|
|
<TSrv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</TSrv>
|
|
<ItfInb neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ItfInb>
|
|
<ItfOutb neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ItfOutb>
|
|
<NATRuleOptions/>
|
|
</NATRule>
|
|
<NATRule id="id467A0FE823947" disabled="False" group="" position="3" action="Translate" comment="">
|
|
<OSrc neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</OSrc>
|
|
<ODst neg="False">
|
|
<ObjectRef ref="id4389EE8418346"/>
|
|
</ODst>
|
|
<OSrv neg="False">
|
|
<ServiceRef ref="tcp-SMTP"/>
|
|
</OSrv>
|
|
<TSrc neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</TSrc>
|
|
<TDst neg="False">
|
|
<ObjectRef ref="id4389EE9018346"/>
|
|
</TDst>
|
|
<TSrv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</TSrv>
|
|
<ItfInb neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ItfInb>
|
|
<ItfOutb neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ItfOutb>
|
|
<NATRuleOptions/>
|
|
</NATRule>
|
|
<NATRule id="id467A0FF823947" disabled="False" group="" position="4" action="Translate" comment="">
|
|
<OSrc neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</OSrc>
|
|
<ODst neg="False">
|
|
<ObjectRef ref="id4389EE8418346"/>
|
|
</ODst>
|
|
<OSrv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</OSrv>
|
|
<TSrc neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</TSrc>
|
|
<TDst neg="False">
|
|
<ObjectRef ref="id4389EE9018346"/>
|
|
</TDst>
|
|
<TSrv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</TSrv>
|
|
<ItfInb neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ItfInb>
|
|
<ItfOutb neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ItfOutb>
|
|
<NATRuleOptions/>
|
|
</NATRule>
|
|
<NATRule id="id467A209B23947" disabled="False" group="" position="5" action="Translate" comment="">
|
|
<OSrc neg="False">
|
|
<ObjectRef ref="net-Internal_net"/>
|
|
</OSrc>
|
|
<ODst neg="False">
|
|
<ObjectRef ref="id4389EE9118346"/>
|
|
</ODst>
|
|
<OSrv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</OSrv>
|
|
<TSrc neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</TSrc>
|
|
<TDst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</TDst>
|
|
<TSrv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</TSrv>
|
|
<ItfInb neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ItfInb>
|
|
<ItfOutb neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ItfOutb>
|
|
<NATRuleOptions/>
|
|
</NATRule>
|
|
<NATRule id="id467A20AD23947" disabled="False" group="" position="6" action="Translate" comment="">
|
|
<OSrc neg="False">
|
|
<ObjectRef ref="net-Internal_net"/>
|
|
</OSrc>
|
|
<ODst neg="False">
|
|
<ObjectRef ref="id4389EE9118346"/>
|
|
</ODst>
|
|
<OSrv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</OSrv>
|
|
<TSrc neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</TSrc>
|
|
<TDst neg="False">
|
|
<ObjectRef ref="id4389EE8518346"/>
|
|
</TDst>
|
|
<TSrv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</TSrv>
|
|
<ItfInb neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ItfInb>
|
|
<ItfOutb neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ItfOutb>
|
|
<NATRuleOptions/>
|
|
</NATRule>
|
|
<RuleSetOptions/>
|
|
</NAT>
|
|
<Policy id="id4389EDB418346" name="Policy" comment="" ro="False" ipv4_rule_set="False" ipv6_rule_set="False" top_rule_set="True">
|
|
<PolicyRule id="id4389EDB518346" disabled="False" group="" log="False" position="0" action="Accept" direction="Both" comment="">
|
|
<Src neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="id4389EE9018346"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="pf_classify_str"></Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<PolicyRule id="id4388CFEA674" disabled="False" group="" log="True" position="1" action="Deny" direction="Both" comment="">
|
|
<Src neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="id4389EE9118346"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="pf_classify_str"></Option>
|
|
<Option name="stateless">True</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<PolicyRule id="id4390C25825682" disabled="False" group="" log="True" position="2" action="Deny" direction="Both" comment="">
|
|
<Src neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="id4390C25525682"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="pf_classify_str"></Option>
|
|
<Option name="stateless">True</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<PolicyRule id="id446FB0ED10619" disabled="False" group="" log="True" position="3" action="Deny" direction="Both" comment="">
|
|
<Src neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="id446FB0EA10619"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="pf_classify_str"></Option>
|
|
<Option name="stateless">True</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<PolicyRule id="id452762A85348" disabled="False" group="" log="True" position="4" action="Deny" direction="Both" comment="">
|
|
<Src neg="False">
|
|
<ObjectRef ref="id452762A75348"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="pf_classify_str"></Option>
|
|
<Option name="stateless">True</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<PolicyRule id="id4389EDC118346" disabled="False" group="" log="False" position="5" action="Deny" direction="Both" comment="">
|
|
<Src neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="id4389EE9118346"/>
|
|
<ObjectRef ref="id4388C37D674"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="tcp-SMTP"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="pf_classify_str"></Option>
|
|
<Option name="stateless">True</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<PolicyRule id="id4388CFF8674" disabled="False" group="" log="True" position="6" action="Deny" direction="Both" comment="">
|
|
<Src neg="False">
|
|
<ObjectRef ref="id4389EE9118346"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="pf_classify_str"></Option>
|
|
<Option name="stateless">True</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<PolicyRule id="id4388C36F674" disabled="False" group="" log="True" position="7" action="Deny" direction="Both" comment="">
|
|
<Src neg="False">
|
|
<ObjectRef ref="id4389EE9118346"/>
|
|
<ObjectRef ref="id4388C37D674"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="pf_classify_str"></Option>
|
|
<Option name="stateless">True</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<PolicyRule id="id4388F5A9674" disabled="True" group="" log="False" position="8" action="Accept" direction="Both" comment="">
|
|
<Src neg="True">
|
|
<ObjectRef ref="id4389EE9118346"/>
|
|
<ObjectRef ref="id4388C37D674"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="pf_classify_str"></Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<PolicyRule id="id4389EEA118346" disabled="False" group="" log="False" position="9" action="Accept" direction="Both" comment="Accept SMTP to hostA from any source, throttled with pf max-src-conn 5 and overload into table 'spammers' (with flush). NOTE (review): these pf_* limits are pf-specific, while this firewall's options block says platform=iptables; confirm the limit really appears in the generated rules, otherwise this is an unthrottled open SMTP accept.">
|
|
<Src neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="host-hostA"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="tcp-SMTP"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="log_prefix"></Option>
|
|
<Option name="pf_classify_str"></Option>
|
|
<Option name="pf_keep_state">False</Option>
|
|
<Option name="pf_max_src_conn">5</Option>
|
|
<Option name="pf_max_src_conn_flush">True</Option>
|
|
<Option name="pf_max_src_conn_global">True</Option>
|
|
<Option name="pf_max_src_conn_overload_table">spammers</Option>
|
|
<Option name="pf_max_src_conn_rate_flush">False</Option>
|
|
<Option name="pf_max_src_conn_rate_global">False</Option>
|
|
<Option name="pf_max_src_conn_rate_num">0</Option>
|
|
<Option name="pf_max_src_conn_rate_overload_table"></Option>
|
|
<Option name="pf_max_src_conn_rate_seconds">0</Option>
|
|
<Option name="pf_max_src_nodes">0</Option>
|
|
<Option name="pf_max_src_states">0</Option>
|
|
<Option name="pf_rule_max_state">0</Option>
|
|
<Option name="pf_source_tracking">False</Option>
|
|
<Option name="stateless">False</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<PolicyRule id="id4389EDCD18346" disabled="False" group="" log="False" position="10" action="Accept" direction="Both" comment="">
|
|
<Src neg="False">
|
|
<ObjectRef ref="net-Internal_net"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="pf_classify_str"></Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<PolicyRule id="id4389EE3C18346" disabled="False" group="" log="True" position="11" action="Deny" direction="Both" comment="">
|
|
<Src neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="pf_classify_str"></Option>
|
|
<Option name="stateless">True</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<RuleSetOptions/>
|
|
</Policy>
|
|
<Routing id="id4389EE8318346" name="Routing" comment="" ro="False" ipv4_rule_set="False" ipv6_rule_set="False" top_rule_set="True">
|
|
<RuleSetOptions/>
|
|
</Routing>
|
|
<Interface id="id4389EE8418346" dedicated_failover="False" dyn="True" label="" mgmt="False" security_level="0" unnum="False" unprotected="False" name="eth0.100" comment="VLAN interface" ro="False">
|
|
<InterfaceOptions/>
|
|
</Interface>
|
|
<Interface id="id4389EE8518346" dedicated_failover="False" dyn="False" security_level="100" unnum="False" unprotected="False" name="lo" comment="" ro="False">
|
|
<IPv4 id="id4389EE8718346" name="firewall34:lo:ip" comment="" ro="False" address="127.0.0.1" netmask="255.0.0.0"/>
|
|
<InterfaceOptions/>
|
|
</Interface>
|
|
<Interface id="id4389EE8818346" dedicated_failover="False" dyn="False" label="" mgmt="True" security_level="100" unnum="False" unprotected="False" name="eth1" comment="" ro="False">
|
|
<IPv4 id="id4389EE8A18346" name="firewall34:eth1:ip" comment="" ro="False" address="192.168.1.100" netmask="255.255.255.0"/>
|
|
<InterfaceOptions/>
|
|
</Interface>
|
|
<Management address="192.168.1.100">
|
|
<SNMPManagement enabled="False" snmp_read_community="public" snmp_write_community=""/>
|
|
<FWBDManagement enabled="True" identity="" port="9999"/>
|
|
<PolicyInstallScript arguments="" command="" enabled="False"/>
|
|
</Management>
|
|
<FirewallOptions>
|
|
<Option name="accept_established">True</Option>
|
|
<Option name="accept_new_tcp_with_no_syn">True</Option>
|
|
<Option name="action_on_reject">ICMP net unreachable</Option>
|
|
<Option name="activationCmd"></Option>
|
|
<Option name="admUser"></Option>
|
|
<Option name="altAddress"></Option>
|
|
<Option name="bridging_fw">False</Option>
|
|
<Option name="check_shading">False</Option>
|
|
<Option name="clamp_mss_to_mtu">False</Option>
|
|
<Option name="cmdline"></Option>
|
|
<Option name="compiler"></Option>
|
|
<Option name="configure_interfaces">True</Option>
|
|
<Option name="debug">False</Option>
|
|
<Option name="drop_invalid">False</Option>
|
|
<Option name="dyn_addr">False</Option>
|
|
<Option name="epilog_script"></Option>
|
|
<Option name="firewall_dir"></Option>
|
|
<Option name="firewall_is_part_of_any">True</Option>
|
|
<Option name="firewall_is_part_of_any_and_networks">True</Option>
|
|
<Option name="ignore_empty_groups">False</Option>
|
|
<Option name="inst_cmdline"></Option>
|
|
<Option name="inst_script"></Option>
|
|
<Option name="install_script"></Option>
|
|
<Option name="limit_suffix">/day</Option>
|
|
<Option name="limit_value">0</Option>
|
|
<Option name="linux24_accept_redirects"></Option>
|
|
<Option name="linux24_accept_source_route"></Option>
|
|
<Option name="linux24_icmp_echo_ignore_all"></Option>
|
|
<Option name="linux24_icmp_echo_ignore_broadcasts"></Option>
|
|
<Option name="linux24_icmp_ignore_bogus_error_responses"></Option>
|
|
<Option name="linux24_ip_dynaddr"></Option>
|
|
<Option name="linux24_ip_forward"></Option>
|
|
<Option name="linux24_log_martians"></Option>
|
|
<Option name="linux24_path_ip"></Option>
|
|
<Option name="linux24_path_iptables"></Option>
|
|
<Option name="linux24_path_logger"></Option>
|
|
<Option name="linux24_path_lsmod"></Option>
|
|
<Option name="linux24_path_modprobe"></Option>
|
|
<Option name="linux24_rp_filter"></Option>
|
|
<Option name="linux24_tcp_ecn"></Option>
|
|
<Option name="linux24_tcp_fack"></Option>
|
|
<Option name="linux24_tcp_fin_timeout">30</Option>
|
|
<Option name="linux24_tcp_keepalive_interval">1800</Option>
|
|
<Option name="linux24_tcp_sack"></Option>
|
|
<Option name="linux24_tcp_syncookies"></Option>
|
|
<Option name="linux24_tcp_timestamps"></Option>
|
|
<Option name="linux24_tcp_window_scaling"></Option>
|
|
<Option name="load_modules">False</Option>
|
|
<Option name="local_nat">False</Option>
|
|
<Option name="log_all">False</Option>
|
|
<Option name="log_all_dropped">False</Option>
|
|
<Option name="log_invalid">False</Option>
|
|
<Option name="log_ip_opt">False</Option>
|
|
<Option name="log_level">debug</Option>
|
|
<Option name="log_limit_suffix">/second</Option>
|
|
<Option name="log_limit_value">0</Option>
|
|
<Option name="log_prefix">RULE %N -- %A on %I </Option>
|
|
<Option name="log_tcp_opt">False</Option>
|
|
<Option name="log_tcp_seq">False</Option>
|
|
<Option name="manage_virtual_addr">True</Option>
|
|
<Option name="mgmt_addr"></Option>
|
|
<Option name="mgmt_ssh">False</Option>
|
|
<Option name="no_iochains_for_any">False</Option>
|
|
<Option name="no_optimisation">False</Option>
|
|
<Option name="output_file"></Option>
|
|
<Option name="platform">iptables</Option>
|
|
<Option name="prolog_place">top</Option>
|
|
<Option name="prolog_script"></Option>
|
|
<Option name="proxy_arp">False</Option>
|
|
<Option name="script_env_path"></Option>
|
|
<Option name="snmp_contact"></Option>
|
|
<Option name="snmp_description"></Option>
|
|
<Option name="snmp_location"></Option>
|
|
<Option name="sshArgs"></Option>
|
|
<Option name="ulog_cprange">0</Option>
|
|
<Option name="ulog_nlgroup">1</Option>
|
|
<Option name="ulog_qthreshold">1</Option>
|
|
<Option name="use_ULOG">False</Option>
|
|
<Option name="use_ip_tool">False</Option>
|
|
<Option name="use_iptables_restore">False</Option>
|
|
<Option name="use_numeric_log_levels">False</Option>
|
|
<Option name="verify_interfaces">False</Option>
|
|
</FirewallOptions>
|
|
</Firewall>
|
|
<Firewall id="id43EC5DDC2355" host_OS="freebsd" inactive="False" lastCompiled="1215308407" lastInstalled="0" lastModified="1297645431" platform="pf" version="" name="firewall38" comment="testing rules with tag service. NOTE (review): the firewall attributes say host_OS=freebsd / platform=pf, but the FirewallOptions block below still carries platform=iptables plus linux24_* entries left over from another platform; confirm the pf attribute is what the compiler honors. accept_new_tcp_with_no_syn is also set to True, which (as its name suggests) relaxes the SYN check when creating TCP state - acceptable here only because this is a test fixture." ro="False">
|
|
<NAT id="id43EC5E1F2355" name="NAT" comment="" ro="False" ipv4_rule_set="False" ipv6_rule_set="False" top_rule_set="True">
|
|
<NATRule id="id43EC5E2E2355" disabled="False" group="" position="0" action="Translate" comment="">
|
|
<OSrc neg="False">
|
|
<ObjectRef ref="net-Internal_net"/>
|
|
</OSrc>
|
|
<ODst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ODst>
|
|
<OSrv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</OSrv>
|
|
<TSrc neg="False">
|
|
<ObjectRef ref="id43EC5DDC2355"/>
|
|
</TSrc>
|
|
<TDst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</TDst>
|
|
<TSrv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</TSrv>
|
|
<ItfInb neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ItfInb>
|
|
<ItfOutb neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ItfOutb>
|
|
<NATRuleOptions/>
|
|
</NATRule>
|
|
<NATRule id="id43EC5E6E2355" disabled="False" group="" position="1" action="Translate" comment="">
|
|
<OSrc neg="False">
|
|
<ObjectRef ref="net-Internal_net"/>
|
|
</OSrc>
|
|
<ODst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ODst>
|
|
<OSrv neg="False">
|
|
<ServiceRef ref="id43EC6B892355"/>
|
|
</OSrv>
|
|
<TSrc neg="False">
|
|
<ObjectRef ref="id43EC5DDC2355"/>
|
|
</TSrc>
|
|
<TDst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</TDst>
|
|
<TSrv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</TSrv>
|
|
<ItfInb neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ItfInb>
|
|
<ItfOutb neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ItfOutb>
|
|
<NATRuleOptions/>
|
|
</NATRule>
|
|
<RuleSetOptions/>
|
|
</NAT>
|
|
<Policy id="id43EC5DE22355" name="Policy" comment="" ro="False" ipv4_rule_set="False" ipv6_rule_set="False" top_rule_set="True">
|
|
<PolicyRule id="id43EC5DE32355" disabled="False" group="" log="False" position="0" action="Continue" direction="Inbound" comment="">
|
|
<Src neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="id43EC5E3D2355"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="action_on_reject"></Option>
|
|
<Option name="classification">False</Option>
|
|
<Option name="classify_str"></Option>
|
|
<Option name="custom_str"></Option>
|
|
<Option name="ipfw_pipe_method">0</Option>
|
|
<Option name="ipfw_pipe_port_num">0</Option>
|
|
<Option name="pf_classify_str"></Option>
|
|
<Option name="routing">False</Option>
|
|
<Option name="rule_name_accounting"></Option>
|
|
<Option name="tagging">True</Option>
|
|
<Option name="tagobject_id">id43F4556A28869</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<PolicyRule id="id43F447F228869" disabled="False" group="" log="False" position="1" action="Accept" direction="Inbound" comment="Accept ALL inbound traffic on wifi_int (enc1, security level 0): no source, destination or service restriction and no logging. Test fixture only; a rule this broad on a security-level-0 interface should not be copied into a production policy.">
|
|
<Src neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="id43F447EB28869"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="pf_classify_str"></Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<PolicyRule id="id43F4555D28869" disabled="False" group="" log="False" position="2" action="Accept" direction="Outbound" comment="">
|
|
<Src neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="id43F4556A28869"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="id43EC5E402355"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="pf_classify_str"></Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<PolicyRule id="id43F462CA28869" disabled="False" group="" log="False" position="3" action="Accept" direction="Outbound" comment="">
|
|
<Src neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="tcp-HTTP"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="id43EC5E402355"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="pf_classify_str"></Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<PolicyRule id="id43EC5DEF2355" disabled="False" group="" log="False" position="4" action="Accept" direction="Both" comment="">
|
|
<Src neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="id43EC5E412355"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="pf_classify_str"></Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<PolicyRule id="id43EC6B8B2355" disabled="False" group="" log="False" position="5" action="Accept" direction="Both" comment="">
|
|
<Src neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="id43EC6B892355"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="pf_classify_str"></Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<PolicyRule id="id1391220443" disabled="False" group="" log="False" position="6" action="Accept" direction="Both" comment="">
|
|
<Src neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="id43EC6B892355"/>
|
|
<ServiceRef ref="id1391120443"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="pf_classify_str"></Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<PolicyRule id="id43EC6BAF2355" disabled="True" group="" log="False" position="7" action="Accept" direction="Both" comment="">
|
|
<Src neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Dst>
|
|
<Srv neg="True">
|
|
<ServiceRef ref="id43EC6B892355"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="pf_classify_str"></Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<PolicyRule id="id43EC6BC02355" disabled="False" group="" log="False" position="8" action="Accept" direction="Both" comment="">
|
|
<Src neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="id43EC6B892355"/>
|
|
<ServiceRef ref="tcp-HTTP"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="pf_classify_str"></Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<PolicyRule id="id43EC6BEA2355" disabled="True" group="" log="False" position="9" action="Accept" direction="Both" comment="">
|
|
<Src neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Dst>
|
|
<Srv neg="True">
|
|
<ServiceRef ref="id43EC6B892355"/>
|
|
<ServiceRef ref="tcp-HTTP"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="pf_classify_str"></Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<PolicyRule id="id43F4407F28542" disabled="False" group="" log="False" position="10" action="Accept" direction="Both" comment="">
|
|
<Src neg="False">
|
|
<ObjectRef ref="net-Internal_net"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="tcp-SMTP"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="action_on_reject"></Option>
|
|
<Option name="classification">True</Option>
|
|
<Option name="classify_str">mail</Option>
|
|
<Option name="custom_str"></Option>
|
|
<Option name="ipfw_pipe_method">0</Option>
|
|
<Option name="ipfw_pipe_port_num">0</Option>
|
|
<Option name="pf_classify_str">mail</Option>
|
|
<Option name="routing">False</Option>
|
|
<Option name="rule_name_accounting"></Option>
|
|
<Option name="stateless">True</Option>
|
|
<Option name="tagging">False</Option>
|
|
<Option name="tagvalue"></Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<PolicyRule id="id43EC5E132355" disabled="False" group="" log="True" position="11" action="Deny" direction="Both" comment="">
|
|
<Src neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="pf_classify_str"></Option>
|
|
<Option name="stateless">True</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<RuleSetOptions/>
|
|
</Policy>
|
|
<Routing id="id43EC5E3C2355" name="Routing" comment="" ro="False" ipv4_rule_set="False" ipv6_rule_set="False" top_rule_set="True">
|
|
<RuleSetOptions/>
|
|
</Routing>
|
|
<Interface id="id43EC5E3D2355" dedicated_failover="False" dyn="False" label="int_if" mgmt="False" security_level="100" unnum="False" unprotected="False" name="le0" comment="" ro="False">
|
|
<IPv4 id="id43EC5E3F2355" name="firewall38:le0:ip" comment="" ro="False" address="192.168.1.1" netmask="255.255.255.0"/>
|
|
<InterfaceOptions/>
|
|
</Interface>
|
|
<Interface id="id43EC5E402355" dedicated_failover="False" dyn="False" label="ext_if" mgmt="False" security_level="0" unnum="True" unprotected="False" name="enc0" comment="" ro="False">
|
|
<InterfaceOptions/>
|
|
</Interface>
|
|
<Interface id="id43EC5E412355" dedicated_failover="False" dyn="False" security_level="100" unnum="False" unprotected="False" name="lo" comment="" ro="False">
|
|
<IPv4 id="id43EC5E432355" name="firewall38:lo:ip" comment="" ro="False" address="127.0.0.1" netmask="255.0.0.0"/>
|
|
<InterfaceOptions/>
|
|
</Interface>
|
|
<Interface id="id43F447EB28869" dedicated_failover="False" dyn="False" label="wifi_int" mgmt="False" security_level="0" unnum="False" unprotected="False" name="enc1" comment="" ro="False">
|
|
<IPv4 id="id43F447EC28869" name="firewall38:enc1:ip" comment="" ro="False" address="192.168.2.1" netmask="255.255.255.0"/>
|
|
<InterfaceOptions/>
|
|
</Interface>
|
|
<Management address="127.0.0.1">
|
|
<SNMPManagement enabled="False" snmp_read_community="public" snmp_write_community=""/>
|
|
<FWBDManagement enabled="True" identity="" port="9999"/>
|
|
<PolicyInstallScript arguments="" command="" enabled="False"/>
|
|
</Management>
|
|
<FirewallOptions>
|
|
<Option name="accept_established">True</Option>
|
|
<Option name="accept_new_tcp_with_no_syn">True</Option>
|
|
<Option name="action_on_reject">ICMP net unreachable</Option>
|
|
<Option name="activationCmd"></Option>
|
|
<Option name="admUser"></Option>
|
|
<Option name="altAddress"></Option>
|
|
<Option name="check_shading">False</Option>
|
|
<Option name="clamp_mss_to_mtu">False</Option>
|
|
<Option name="cmdline"></Option>
|
|
<Option name="compiler"></Option>
|
|
<Option name="conf1_file"></Option>
|
|
<Option name="conf_file_name_on_firewall"></Option>
|
|
<Option name="configure_bridge_interfaces">False</Option>
|
|
<Option name="configure_carp_interfaces">False</Option>
|
|
<Option name="configure_interfaces">False</Option>
|
|
<Option name="configure_pfsync_interfaces">False</Option>
|
|
<Option name="configure_vlan_interfaces">False</Option>
|
|
<Option name="debug">False</Option>
|
|
<Option name="dyn_addr">False</Option>
|
|
<Option name="epilog_script"></Option>
|
|
<Option name="fallback_log">False</Option>
|
|
<Option name="firewall_dir"></Option>
|
|
<Option name="firewall_is_part_of_any">True</Option>
|
|
<Option name="firewall_is_part_of_any_and_networks">True</Option>
|
|
<Option name="freebsd_path_ipf"></Option>
|
|
<Option name="freebsd_path_ipnat"></Option>
|
|
<Option name="freebsd_path_sysctl"></Option>
|
|
<Option name="generate_rc_conf_file">False</Option>
|
|
<Option name="generate_shell_script">True</Option>
|
|
<Option name="ignore_empty_groups">False</Option>
|
|
<Option name="in_out_code">True</Option>
|
|
<Option name="inst_cmdline"></Option>
|
|
<Option name="inst_script"></Option>
|
|
<Option name="install_script"></Option>
|
|
<Option name="ipv4_6_order">ipv4_first</Option>
|
|
<Option name="limit_suffix">/day</Option>
|
|
<Option name="limit_value">0</Option>
|
|
<Option name="linux24_ip_forward">0</Option>
|
|
<Option name="linux24_tcp_fin_timeout">30</Option>
|
|
<Option name="linux24_tcp_keepalive_interval">1800</Option>
|
|
<Option name="load_modules">False</Option>
|
|
<Option name="log_all_dropped">False</Option>
|
|
<Option name="log_ip_opt">False</Option>
|
|
<Option name="log_level">debug</Option>
|
|
<Option name="log_limit_suffix">/second</Option>
|
|
<Option name="log_limit_value">0</Option>
|
|
<Option name="log_prefix"></Option>
|
|
<Option name="log_tcp_opt">False</Option>
|
|
<Option name="log_tcp_seq">False</Option>
|
|
<Option name="manage_virtual_addr">True</Option>
|
|
<Option name="mgmt_addr"></Option>
|
|
<Option name="mgmt_ssh">False</Option>
|
|
<Option name="modulate_state">False</Option>
|
|
<Option name="no_iochains_for_any">False</Option>
|
|
<Option name="no_optimisation">False</Option>
|
|
<Option name="openbsd_path_pfctl"></Option>
|
|
<Option name="openbsd_path_sysctl"></Option>
|
|
<Option name="output_file"></Option>
|
|
<Option name="pass_all_out">False</Option>
|
|
<Option name="pf_adaptive_end">0</Option>
|
|
<Option name="pf_adaptive_start">0</Option>
|
|
<Option name="pf_do_limit_frags">False</Option>
|
|
<Option name="pf_do_limit_src_nodes">False</Option>
|
|
<Option name="pf_do_limit_states">False</Option>
|
|
<Option name="pf_do_limit_table_entries">False</Option>
|
|
<Option name="pf_do_limit_tables">False</Option>
|
|
<Option name="pf_do_scrub">True</Option>
|
|
<Option name="pf_do_timeout_frag">False</Option>
|
|
<Option name="pf_do_timeout_interval">False</Option>
|
|
<Option name="pf_flush_states">False</Option>
|
|
<Option name="pf_icmp_error">0</Option>
|
|
<Option name="pf_icmp_first">0</Option>
|
|
<Option name="pf_limit_frags">5000</Option>
|
|
<Option name="pf_limit_src_nodes">0</Option>
|
|
<Option name="pf_limit_states">10000</Option>
|
|
<Option name="pf_limit_table_entries">0</Option>
|
|
<Option name="pf_limit_tables">0</Option>
|
|
<Option name="pf_modulate_state">False</Option>
|
|
<Option name="pf_optimization"></Option>
|
|
<Option name="pf_other_first">0</Option>
|
|
<Option name="pf_other_multiple">0</Option>
|
|
<Option name="pf_other_single">0</Option>
|
|
<Option name="pf_scrub_fragm_crop">False</Option>
|
|
<Option name="pf_scrub_fragm_drop_ovl">False</Option>
|
|
<Option name="pf_scrub_maxmss">1460</Option>
|
|
<Option name="pf_scrub_minttl">1</Option>
|
|
<Option name="pf_scrub_no_df">False</Option>
|
|
<Option name="pf_scrub_random_id">False</Option>
|
|
<Option name="pf_scrub_reassemble">True</Option>
|
|
<Option name="pf_scrub_reassemble_tcp">False</Option>
|
|
<Option name="pf_scrub_use_maxmss">False</Option>
|
|
<Option name="pf_scrub_use_minttl">False</Option>
|
|
<Option name="pf_set_adaptive">False</Option>
|
|
<Option name="pf_set_icmp_error">False</Option>
|
|
<Option name="pf_set_icmp_first">False</Option>
|
|
<Option name="pf_set_other_first">False</Option>
|
|
<Option name="pf_set_other_multiple">False</Option>
|
|
<Option name="pf_set_other_single">False</Option>
|
|
<Option name="pf_set_tcp_closed">False</Option>
|
|
<Option name="pf_set_tcp_closing">False</Option>
|
|
<Option name="pf_set_tcp_established">False</Option>
|
|
<Option name="pf_set_tcp_finwait">False</Option>
|
|
<Option name="pf_set_tcp_first">False</Option>
|
|
<Option name="pf_set_tcp_opening">False</Option>
|
|
<Option name="pf_set_udp_first">False</Option>
|
|
<Option name="pf_set_udp_multiple">False</Option>
|
|
<Option name="pf_set_udp_single">False</Option>
|
|
<Option name="pf_state_policy"></Option>
|
|
<Option name="pf_tcp_closed">0</Option>
|
|
<Option name="pf_tcp_closing">0</Option>
|
|
<Option name="pf_tcp_established">0</Option>
|
|
<Option name="pf_tcp_finwait">0</Option>
|
|
<Option name="pf_tcp_first">0</Option>
|
|
<Option name="pf_tcp_opening">0</Option>
|
|
<Option name="pf_timeout_frag">30</Option>
|
|
<Option name="pf_timeout_interval">10</Option>
|
|
<Option name="pf_udp_first">0</Option>
|
|
<Option name="pf_udp_multiple">0</Option>
|
|
<Option name="pf_udp_single">0</Option>
|
|
<Option name="platform">iptables</Option>
|
|
<Option name="prolog_place">fw_file</Option>
|
|
<Option name="prolog_script"></Option>
|
|
<Option name="proxy_arp">False</Option>
|
|
<Option name="scpArgs"></Option>
|
|
<Option name="script_env_path"></Option>
|
|
<Option name="script_name_on_firewall"></Option>
|
|
<Option name="snmp_contact"></Option>
|
|
<Option name="snmp_description"></Option>
|
|
<Option name="snmp_location"></Option>
|
|
<Option name="sshArgs"></Option>
|
|
<Option name="use_ip_tool">False</Option>
|
|
<Option name="use_numeric_log_levels">False</Option>
|
|
<Option name="use_tables">True</Option>
|
|
</FirewallOptions>
|
|
</Firewall>
|
|
<Firewall id="id43F7DBEE31316" host_OS="openbsd" inactive="False" lastCompiled="1261961537" lastInstalled="0" lastModified="1261961510" platform="pf" version="" name="firewall3" comment="testing NAT rules with multiple objects in TSrc and TDst and NAT rule options" ro="False">
|
|
<NAT id="id43F7DC6531316" name="NAT" comment="" ro="False" ipv4_rule_set="False" ipv6_rule_set="False" top_rule_set="True">
|
|
<NATRule id="id43F7DC6631316" disabled="False" group="" position="0" action="Translate" comment="">
|
|
<OSrc neg="False">
|
|
<ObjectRef ref="id3DC75CE7-1"/>
|
|
</OSrc>
|
|
<ODst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ODst>
|
|
<OSrv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</OSrv>
|
|
<TSrc neg="False">
|
|
<ObjectRef ref="id43F7DCEB31316"/>
|
|
</TSrc>
|
|
<TDst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</TDst>
|
|
<TSrv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</TSrv>
|
|
<ItfInb neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ItfInb>
|
|
<ItfOutb neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ItfOutb>
|
|
<NATRuleOptions>
|
|
<Option name="pf_bitmask">False</Option>
|
|
<Option name="pf_pool_type_none">True</Option>
|
|
<Option name="pf_random">False</Option>
|
|
<Option name="pf_round_robin">False</Option>
|
|
<Option name="pf_source_hash">False</Option>
|
|
<Option name="pf_static_port">False</Option>
|
|
</NATRuleOptions>
|
|
</NATRule>
|
|
<NATRule id="id43F7DCC331316" disabled="False" group="" position="1" action="Translate" comment="">
|
|
<OSrc neg="False">
|
|
<ObjectRef ref="id3DC75CE7-1"/>
|
|
</OSrc>
|
|
<ODst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ODst>
|
|
<OSrv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</OSrv>
|
|
<TSrc neg="False">
|
|
<ObjectRef ref="id43F7DC7531316"/>
|
|
</TSrc>
|
|
<TDst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</TDst>
|
|
<TSrv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</TSrv>
|
|
<ItfInb neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ItfInb>
|
|
<ItfOutb neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ItfOutb>
|
|
<NATRuleOptions>
|
|
<Option name="nat_bitmask">True</Option>
|
|
<Option name="nat_random">False</Option>
|
|
<Option name="nat_round_robin">False</Option>
|
|
<Option name="nat_source_hash">False</Option>
|
|
<Option name="nat_static_port">False</Option>
|
|
<Option name="pf_bitmask">True</Option>
|
|
<Option name="pf_pool_type_none">False</Option>
|
|
<Option name="pf_random">False</Option>
|
|
<Option name="pf_round_robin">False</Option>
|
|
<Option name="pf_source_hash">False</Option>
|
|
<Option name="pf_static_port">False</Option>
|
|
</NATRuleOptions>
|
|
</NATRule>
|
|
<NATRule id="id43F7DCD731316" disabled="False" group="" position="2" action="Translate" comment="">
|
|
<OSrc neg="False">
|
|
<ObjectRef ref="id3DC75CE7-1"/>
|
|
</OSrc>
|
|
<ODst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ODst>
|
|
<OSrv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</OSrv>
|
|
<TSrc neg="False">
|
|
<ObjectRef ref="id43F7DCF631316"/>
|
|
</TSrc>
|
|
<TDst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</TDst>
|
|
<TSrv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</TSrv>
|
|
<ItfInb neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ItfInb>
|
|
<ItfOutb neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ItfOutb>
|
|
<NATRuleOptions>
|
|
<Option name="pf_bitmask">False</Option>
|
|
<Option name="pf_pool_type_none">False</Option>
|
|
<Option name="pf_random">False</Option>
|
|
<Option name="pf_round_robin">False</Option>
|
|
<Option name="pf_source_hash">True</Option>
|
|
<Option name="pf_static_port">False</Option>
|
|
</NATRuleOptions>
|
|
</NATRule>
|
|
<NATRule id="id43F7DD1431316" disabled="False" group="" position="3" action="Translate" comment="">
|
|
<OSrc neg="False">
|
|
<ObjectRef ref="id3DC75CE7-1"/>
|
|
</OSrc>
|
|
<ODst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ODst>
|
|
<OSrv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</OSrv>
|
|
<TSrc neg="False">
|
|
<ObjectRef ref="id43F7DCF831316"/>
|
|
</TSrc>
|
|
<TDst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</TDst>
|
|
<TSrv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</TSrv>
|
|
<ItfInb neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ItfInb>
|
|
<ItfOutb neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ItfOutb>
|
|
<NATRuleOptions>
|
|
<Option name="pf_bitmask">False</Option>
|
|
<Option name="pf_pool_type_none">False</Option>
|
|
<Option name="pf_random">False</Option>
|
|
<Option name="pf_round_robin">True</Option>
|
|
<Option name="pf_source_hash">False</Option>
|
|
<Option name="pf_static_port">True</Option>
|
|
</NATRuleOptions>
|
|
</NATRule>
|
|
<NATRule id="id43F7E942514" disabled="False" group="" position="4" action="Translate" comment="">
|
|
<OSrc neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</OSrc>
|
|
<ODst neg="False">
|
|
<ObjectRef ref="id43F7DCEB31316"/>
|
|
</ODst>
|
|
<OSrv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</OSrv>
|
|
<TSrc neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</TSrc>
|
|
<TDst neg="False">
|
|
<ObjectRef ref="host-hostA"/>
|
|
<ObjectRef ref="host-hostB"/>
|
|
</TDst>
|
|
<TSrv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</TSrv>
|
|
<ItfInb neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ItfInb>
|
|
<ItfOutb neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ItfOutb>
|
|
<NATRuleOptions>
|
|
<Option name="pf_bitmask">False</Option>
|
|
<Option name="pf_pool_type_none">False</Option>
|
|
<Option name="pf_random">False</Option>
|
|
<Option name="pf_round_robin">True</Option>
|
|
<Option name="pf_source_hash">False</Option>
|
|
<Option name="pf_static_port">False</Option>
|
|
</NATRuleOptions>
|
|
</NATRule>
|
|
<RuleSetOptions/>
|
|
</NAT>
|
|
<Policy id="id43F7DBF431316" name="Policy" comment="" ro="False" ipv4_rule_set="False" ipv6_rule_set="False" top_rule_set="True">
|
|
<PolicyRule id="id43F7DC4131316" disabled="False" group="" log="True" position="0" action="Deny" direction="Both" comment="Deny and log every connection addressed to the firewall itself (any source, any service, both directions, stateless). Note: this rule is at position 0, so it is evaluated before the Accept at position 1 and the 'all other attempts' wording does not describe its placement; traffic from that network addressed to the firewall is still denied here. With check_shading enabled the compiler reports any later rule it shades.">
|
|
<Src neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="id43F7DBEE31316"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="pf_classify_str"></Option>
|
|
<Option name="stateless">True</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<PolicyRule id="id43F7DC4D31316" disabled="False" group="" log="False" position="1" action="Accept" direction="Both" comment="Accept any service from network id3DC75CE7-1 to any destination, both directions, stateful (pf_rule_max_state=1000). Broad allow rule: consider restricting the service set. Connections from this network to the firewall itself are still caught by the Deny at position 0.">
|
|
<Src neg="False">
|
|
<ObjectRef ref="id3DC75CE7-1"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="log_prefix"></Option>
|
|
<Option name="pf_classify_str"></Option>
|
|
<Option name="pf_max_src_nodes">0</Option>
|
|
<Option name="pf_max_src_states">0</Option>
|
|
<Option name="pf_rule_max_state">1000</Option>
|
|
<Option name="pf_source_tracking">False</Option>
|
|
<Option name="stateless">False</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<RuleSetOptions/>
|
|
</Policy>
|
|
<Routing id="id43F7DC7431316" name="Routing" comment="" ro="False" ipv4_rule_set="False" ipv6_rule_set="False" top_rule_set="True">
|
|
<RuleSetOptions/>
|
|
</Routing>
|
|
<Interface id="id43F7DC7531316" dedicated_failover="False" dyn="False" label="" mgmt="False" security_level="0" unnum="False" unprotected="False" name="le0" comment="" ro="False">
|
|
<IPv4 id="id43F7DCEB31316" name="firewall3:le0:ip-1" comment="" ro="False" address="22.22.22.21" netmask="255.255.255.0"/>
|
|
<IPv4 id="id43F7DCEC31316" name="firewall3:le0:ip-2" comment="" ro="False" address="22.22.22.22" netmask="255.255.255.0"/>
|
|
<InterfaceOptions/>
|
|
</Interface>
|
|
<Interface id="id43F7DC7631316" dedicated_failover="False" dyn="False" label="" mgmt="True" security_level="100" unnum="False" unprotected="False" name="le1" comment="" ro="False">
|
|
<IPv4 id="id43F7DC7831316" name="firewall3:le1:ip" comment="" ro="False" address="192.168.1.1" netmask="255.255.255.0"/>
|
|
<InterfaceOptions/>
|
|
</Interface>
|
|
<Interface id="id43F7DC7931316" dedicated_failover="False" dyn="False" label="" mgmt="False" security_level="100" unnum="False" unprotected="False" name="lo" comment="" ro="False">
|
|
<IPv4 id="id43F7DC7B31316" name="firewall3:lo:ip" comment="" ro="False" address="127.0.0.1" netmask="255.0.0.0"/>
|
|
<InterfaceOptions/>
|
|
</Interface>
|
|
<Management address="0.0.0.0">
|
|
<SNMPManagement enabled="False" snmp_read_community="" snmp_write_community=""/>
|
|
<FWBDManagement enabled="False" identity="" port="-1"/>
|
|
<PolicyInstallScript arguments="" command="" enabled="False"/>
|
|
</Management>
|
|
<FirewallOptions>
|
|
<Option name="accept_established">true</Option>
|
|
<Option name="accept_new_tcp_with_no_syn">True</Option>
|
|
<Option name="activationCmd"></Option>
|
|
<Option name="admUser"></Option>
|
|
<Option name="altAddress"></Option>
|
|
<Option name="check_shading">True</Option>
|
|
<Option name="cmdline"></Option>
|
|
<Option name="compiler"></Option>
|
|
<Option name="conf_file_name_on_firewall"></Option>
|
|
<Option name="configure_carp_interfaces">False</Option>
|
|
<Option name="configure_interfaces">True</Option>
|
|
<Option name="configure_pfsync_interfaces">False</Option>
|
|
<Option name="configure_vlan_interfaces">False</Option>
|
|
<Option name="debug">False</Option>
|
|
<Option name="eliminate_duplicates">true</Option>
|
|
<Option name="epilog_script"></Option>
|
|
<Option name="fallback_log">False</Option>
|
|
<Option name="firewall_dir">/etc</Option>
|
|
<Option name="firewall_is_part_of_any_and_networks">true</Option>
|
|
<Option name="freebsd_ip_forward">1</Option>
|
|
<Option name="ignore_empty_groups">False</Option>
|
|
<Option name="in_out_code">True</Option>
|
|
<Option name="ipv4_6_order">ipv4_first</Option>
|
|
<Option name="limit_value">0</Option>
|
|
<Option name="linux24_ip_forward">1</Option>
|
|
<Option name="load_modules">true</Option>
|
|
<Option name="local_nat">false</Option>
|
|
<Option name="log_level">info</Option>
|
|
<Option name="log_prefix">RULE %N -- %A </Option>
|
|
<Option name="loopback_interface">lo0</Option>
|
|
<Option name="macosx_ip_forward">1</Option>
|
|
<Option name="manage_virtual_addr">True</Option>
|
|
<Option name="mgmt_addr"></Option>
|
|
<Option name="mgmt_ssh">False</Option>
|
|
<Option name="modulate_state">False</Option>
|
|
<Option name="openbsd_ip_forward">1</Option>
|
|
<Option name="output_file"></Option>
|
|
<Option name="pass_all_out">False</Option>
|
|
<Option name="pf_adaptive_end">0</Option>
|
|
<Option name="pf_adaptive_start">0</Option>
|
|
<Option name="pf_do_limit_frags">False</Option>
|
|
<Option name="pf_do_limit_src_nodes">False</Option>
|
|
<Option name="pf_do_limit_states">False</Option>
|
|
<Option name="pf_do_limit_table_entries">False</Option>
|
|
<Option name="pf_do_limit_tables">False</Option>
|
|
<Option name="pf_do_scrub">False</Option>
|
|
<Option name="pf_do_timeout_frag">False</Option>
|
|
<Option name="pf_do_timeout_interval">False</Option>
|
|
<Option name="pf_flush_states">False</Option>
|
|
<Option name="pf_icmp_error">0</Option>
|
|
<Option name="pf_icmp_first">0</Option>
|
|
<Option name="pf_limit_frags">5000</Option>
|
|
<Option name="pf_limit_src_nodes">0</Option>
|
|
<Option name="pf_limit_states">10000</Option>
|
|
<Option name="pf_limit_table_entries">0</Option>
|
|
<Option name="pf_limit_tables">0</Option>
|
|
<Option name="pf_modulate_state">False</Option>
|
|
<Option name="pf_optimization">conservative</Option>
|
|
<Option name="pf_other_first">0</Option>
|
|
<Option name="pf_other_multiple">0</Option>
|
|
<Option name="pf_other_single">0</Option>
|
|
<Option name="pf_scrub_fragm_crop">False</Option>
|
|
<Option name="pf_scrub_fragm_drop_ovl">False</Option>
|
|
<Option name="pf_scrub_maxmss">1460</Option>
|
|
<Option name="pf_scrub_minttl">0</Option>
|
|
<Option name="pf_scrub_no_df">True</Option>
|
|
<Option name="pf_scrub_random_id">True</Option>
|
|
<Option name="pf_scrub_reassemble">True</Option>
|
|
<Option name="pf_scrub_use_maxmss">False</Option>
|
|
<Option name="pf_scrub_use_minttl">False</Option>
|
|
<Option name="pf_set_adaptive">False</Option>
|
|
<Option name="pf_set_icmp_error">False</Option>
|
|
<Option name="pf_set_icmp_first">False</Option>
|
|
<Option name="pf_set_other_first">False</Option>
|
|
<Option name="pf_set_other_multiple">False</Option>
|
|
<Option name="pf_set_other_single">False</Option>
|
|
<Option name="pf_set_tcp_closed">False</Option>
|
|
<Option name="pf_set_tcp_closing">False</Option>
|
|
<Option name="pf_set_tcp_established">False</Option>
|
|
<Option name="pf_set_tcp_finwait">False</Option>
|
|
<Option name="pf_set_tcp_first">False</Option>
|
|
<Option name="pf_set_tcp_opening">False</Option>
|
|
<Option name="pf_set_udp_first">False</Option>
|
|
<Option name="pf_set_udp_multiple">False</Option>
|
|
<Option name="pf_set_udp_single">False</Option>
|
|
<Option name="pf_state_policy"></Option>
|
|
<Option name="pf_tcp_closed">0</Option>
|
|
<Option name="pf_tcp_closing">0</Option>
|
|
<Option name="pf_tcp_established">0</Option>
|
|
<Option name="pf_tcp_finwait">0</Option>
|
|
<Option name="pf_tcp_first">0</Option>
|
|
<Option name="pf_tcp_opening">0</Option>
|
|
<Option name="pf_timeout_frag">30</Option>
|
|
<Option name="pf_timeout_interval">10</Option>
|
|
<Option name="pf_udp_first">0</Option>
|
|
<Option name="pf_udp_multiple">0</Option>
|
|
<Option name="pf_udp_single">0</Option>
|
|
<Option name="pix_add_clear_statements">true</Option>
|
|
<Option name="pix_assume_fw_part_of_any">true</Option>
|
|
<Option name="pix_default_logint">300</Option>
|
|
<Option name="pix_emblem_log_format">false</Option>
|
|
<Option name="pix_emulate_out_acl">true</Option>
|
|
<Option name="pix_floodguard">true</Option>
|
|
<Option name="pix_include_comments">true</Option>
|
|
<Option name="pix_route_dnat_supported">true</Option>
|
|
<Option name="pix_rule_syslog_settings">false</Option>
|
|
<Option name="pix_security_fragguard_supported">true</Option>
|
|
<Option name="pix_syslog_device_id_supported">false</Option>
|
|
<Option name="pix_use_acl_remarks">true</Option>
|
|
<Option name="prolog_place">pf_file_after_scrub</Option>
|
|
<Option name="prolog_script"># prolog
|
|
# prolog commands go after scrub commands
|
|
</Option>
|
|
<Option name="prompt1">$ </Option>
|
|
<Option name="prompt2"> # </Option>
|
|
<Option name="scpArgs"></Option>
|
|
<Option name="script_name_on_firewall"></Option>
|
|
<Option name="solaris_ip_forward">1</Option>
|
|
<Option name="sshArgs"></Option>
|
|
<Option name="ulog_nlgroup">1</Option>
|
|
<Option name="verify_interfaces">true</Option>
|
|
</FirewallOptions>
|
|
</Firewall>
|
|
<Firewall id="id445DB34232739" host_OS="freebsd" inactive="False" lastCompiled="1249840380" lastInstalled="0" lastModified="1249840375" platform="pf" version="" name="firewall39" comment="testing branching rules. Review notes: accept_new_tcp_with_no_syn is True, so TCP sessions may be picked up without a SYN (weakens stateful inspection); the SNMP read community is the well-known default 'public' although SNMP management is disabled; fwbd management is enabled on 127.0.0.1 port 9999 with an empty identity; FirewallOptions still carries platform=iptables while the firewall platform is pf - presumably a stale leftover, confirm before reusing this object outside the test suite." ro="False">
|
|
<NAT id="id445DB3CF32739" name="NAT" comment="" ro="False" ipv4_rule_set="False" ipv6_rule_set="False" top_rule_set="True">
|
|
<NATRule id="id445DB3D032739" disabled="False" group="" position="0" action="Translate" comment="">
|
|
<OSrc neg="False">
|
|
<ObjectRef ref="net-Internal_net"/>
|
|
</OSrc>
|
|
<ODst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ODst>
|
|
<OSrv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</OSrv>
|
|
<TSrc neg="False">
|
|
<ObjectRef ref="id445DB34232739"/>
|
|
</TSrc>
|
|
<TDst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</TDst>
|
|
<TSrv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</TSrv>
|
|
<ItfInb neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ItfInb>
|
|
<ItfOutb neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ItfOutb>
|
|
<NATRuleOptions/>
|
|
</NATRule>
|
|
<NATRule id="id445DB3DE32739" disabled="False" group="" position="1" action="Translate" comment="">
|
|
<OSrc neg="False">
|
|
<ObjectRef ref="net-Internal_net"/>
|
|
</OSrc>
|
|
<ODst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ODst>
|
|
<OSrv neg="False">
|
|
<ServiceRef ref="id43EC6B892355"/>
|
|
</OSrv>
|
|
<TSrc neg="False">
|
|
<ObjectRef ref="id445DB34232739"/>
|
|
</TSrc>
|
|
<TDst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</TDst>
|
|
<TSrv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</TSrv>
|
|
<ItfInb neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ItfInb>
|
|
<ItfOutb neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ItfOutb>
|
|
<NATRuleOptions/>
|
|
</NATRule>
|
|
<RuleSetOptions/>
|
|
</NAT>
|
|
<Policy id="id445DB34832739" name="Policy" comment="" ro="False" ipv4_rule_set="False" ipv6_rule_set="False" top_rule_set="True">
|
|
<PolicyRule id="id445DB34932739" disabled="False" group="" log="False" position="0" action="Continue" direction="Inbound" comment="Non-terminating rule: tag all inbound traffic on int_if (le0) with tag object id43F4556A28869 and continue evaluating the following rules.">
|
|
<Src neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="id445DB3ED32739"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="action_on_reject"></Option>
|
|
<Option name="classification">False</Option>
|
|
<Option name="classify_str"></Option>
|
|
<Option name="custom_str"></Option>
|
|
<Option name="ipfw_pipe_method">0</Option>
|
|
<Option name="ipfw_pipe_port_num">0</Option>
|
|
<Option name="pf_classify_str"></Option>
|
|
<Option name="routing">False</Option>
|
|
<Option name="rule_name_accounting"></Option>
|
|
<Option name="tagging">True</Option>
|
|
<Option name="tagobject_id">id43F4556A28869</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<PolicyRule id="id445DB35532739" disabled="False" group="" log="False" position="1" action="Accept" direction="Inbound" comment="Accept any source, any destination, any service inbound on interface id445DB3F432739 (enc1, label wifi_int, security level 0). Unrestricted inbound allow on the low-security wireless interface; acceptable only as a test fixture.">
|
|
<Src neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="id445DB3F432739"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="pf_classify_str"></Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<PolicyRule id="id445DB36132739" disabled="False" group="" log="True" position="2" action="Branch" direction="Inbound" comment="Logging is not allowed with 'anchor': the compiler must not emit the 'log' keyword for this Branch rule even though log=True is set. Branches to rule2_branch for service id3CB1279B inbound on ext_if (enc0).">
|
|
<Src neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="id3CB1279B"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="id445DB3F032739"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="branch_name">rule2_branch</Option>
|
|
<Option name="pf_classify_str"></Option>
|
|
<Option name="stateless">True</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<PolicyRule id="id445DB36D32739" disabled="False" group="" log="False" position="3" action="Branch" direction="Inbound" comment="">
|
|
<Src neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="tcp-HTTP"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="id445DB3F032739"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="branch_name">rule3_branch</Option>
|
|
<Option name="pf_classify_str"></Option>
|
|
<Option name="stateless">True</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<PolicyRule id="id445DB37932739" disabled="False" group="" log="False" position="4" action="Accept" direction="Both" comment="">
|
|
<Src neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="id445DB3F132739"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="pf_classify_str"></Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<PolicyRule id="id445DB38532739" disabled="False" group="" log="False" position="5" action="Branch" direction="Both" comment="">
|
|
<Src neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="id3CB1279B"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="branch_name">rule5_branch</Option>
|
|
<Option name="pf_classify_str"></Option>
|
|
<Option name="stateless">True</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<PolicyRule id="id445DB39132739" disabled="False" group="" log="False" position="6" action="Accept" direction="Both" comment="">
|
|
<Src neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="id3CB1279B"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="pf_classify_str"></Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<PolicyRule id="id445DB39D32739" disabled="False" group="" log="False" position="7" action="Accept" direction="Both" comment="">
|
|
<Src neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="id43EC6B892355"/>
|
|
<ServiceRef ref="tcp-HTTP"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="pf_classify_str"></Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<PolicyRule id="id445DB3AA32739" disabled="True" group="" log="False" position="8" action="Accept" direction="Both" comment="">
|
|
<Src neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Dst>
|
|
<Srv neg="True">
|
|
<ServiceRef ref="id43EC6B892355"/>
|
|
<ServiceRef ref="tcp-HTTP"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="pf_classify_str"></Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<PolicyRule id="id445DB3B732739" disabled="False" group="" log="False" position="9" action="Accept" direction="Both" comment="">
|
|
<Src neg="False">
|
|
<ObjectRef ref="net-Internal_net"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="tcp-SMTP"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="action_on_reject"></Option>
|
|
<Option name="classification">True</Option>
|
|
<Option name="classify_str">mail</Option>
|
|
<Option name="custom_str"></Option>
|
|
<Option name="ipfw_pipe_method">0</Option>
|
|
<Option name="ipfw_pipe_port_num">0</Option>
|
|
<Option name="pf_classify_str">mail</Option>
|
|
<Option name="routing">False</Option>
|
|
<Option name="rule_name_accounting"></Option>
|
|
<Option name="stateless">True</Option>
|
|
<Option name="tagging">False</Option>
|
|
<Option name="tagvalue"></Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<PolicyRule id="id445DB3C332739" disabled="False" group="" log="True" position="10" action="Deny" direction="Both" comment="Catch-all: deny and log everything not matched above (any source, any destination, any service, both directions, stateless). Keep this as the last rule of the top policy.">
|
|
<Src neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="pf_classify_str"></Option>
|
|
<Option name="stateless">True</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<RuleSetOptions/>
|
|
</Policy>
|
|
<Policy id="id445DB3FE32739" name="rule2_branch" comment="" ro="False" ipv4_rule_set="False" ipv6_rule_set="False" top_rule_set="False">
|
|
<PolicyRule id="id445DB40A32739" disabled="False" group="" log="False" position="0" action="Accept" direction="Both" comment="Inside anchor rule2_branch (entered from the top policy for service id3CB1279B inbound on ext_if): accept any source to the firewall itself (firewall39), any service. Everything else in this branch falls through to the logged Deny at position 1.">
|
|
<Src neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="id445DB34232739"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="pf_classify_str"></Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<PolicyRule id="id445DB42332739" disabled="False" group="" log="True" position="1" action="Deny" direction="Both" comment="">
|
|
<Src neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="pf_classify_str"></Option>
|
|
<Option name="stateless">True</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<RuleSetOptions/>
|
|
</Policy>
|
|
<Policy id="id445DB3FF32739" name="rule3_branch" comment="" ro="False" ipv4_rule_set="False" ipv6_rule_set="False" top_rule_set="False">
|
|
<PolicyRule id="id445DB41632739" disabled="False" group="" log="False" position="0" action="Accept" direction="Inbound" comment="">
|
|
<Src neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="host-hostA"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="pf_classify_str"></Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<PolicyRule id="id445DB43032739" disabled="False" group="" log="False" position="1" action="Accept" direction="Both" comment="Accept any source to any destination EXCEPT id3CD87A53 and id3CD87A5E (negated destination set; both objects are defined outside this excerpt). Review: pf expands a bare negated list '! { a, b }' into separate negated rules that together match everything, so confirm the compiler renders this negation as a table or split rules rather than a negated list.">
|
|
<Src neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Src>
|
|
<Dst neg="True">
|
|
<ObjectRef ref="id3CD87A53"/>
|
|
<ObjectRef ref="id3CD87A5E"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="pf_classify_str"></Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<PolicyRule id="id445DB43E32739" disabled="False" group="" log="True" position="2" action="Deny" direction="Both" comment="">
|
|
<Src neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="pf_classify_str"></Option>
|
|
<Option name="stateless">True</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<RuleSetOptions/>
|
|
</Policy>
|
|
<Policy id="id445DB40032739" name="rule5_branch" comment="" ro="False" ipv4_rule_set="False" ipv6_rule_set="False" top_rule_set="False">
|
|
<RuleSetOptions/>
|
|
</Policy>
|
|
<Routing id="id445DB3EC32739" name="Routing" comment="" ro="False" ipv4_rule_set="False" ipv6_rule_set="False" top_rule_set="True">
|
|
<RuleSetOptions/>
|
|
</Routing>
|
|
<Interface id="id445DB3ED32739" dedicated_failover="False" dyn="False" label="int_if" mgmt="False" security_level="100" unnum="False" unprotected="False" name="le0" comment="" ro="False">
|
|
<IPv4 id="id445DB3EF32739" name="firewall39:le0:ip" comment="" ro="False" address="192.168.1.1" netmask="255.255.255.0"/>
|
|
<InterfaceOptions/>
|
|
</Interface>
|
|
<Interface id="id445DB3F032739" dedicated_failover="False" dyn="False" label="ext_if" mgmt="False" security_level="0" unnum="True" unprotected="False" name="enc0" comment="" ro="False">
|
|
<InterfaceOptions/>
|
|
</Interface>
|
|
<Interface id="id445DB3F132739" dedicated_failover="False" dyn="False" security_level="100" unnum="False" unprotected="False" name="lo" comment="" ro="False">
|
|
<IPv4 id="id445DB3F332739" name="firewall39:lo:ip" comment="" ro="False" address="127.0.0.1" netmask="255.0.0.0"/>
|
|
<InterfaceOptions/>
|
|
</Interface>
|
|
<Interface id="id445DB3F432739" dedicated_failover="False" dyn="False" label="wifi_int" mgmt="False" security_level="0" unnum="False" unprotected="False" name="enc1" comment="" ro="False">
|
|
<IPv4 id="id445DB3F632739" name="firewall39:enc1:ip" comment="" ro="False" address="192.168.2.1" netmask="255.255.255.0"/>
|
|
<InterfaceOptions/>
|
|
</Interface>
|
|
<Management address="127.0.0.1">
|
|
<SNMPManagement enabled="False" snmp_read_community="public" snmp_write_community=""/>
|
|
<FWBDManagement enabled="True" identity="" port="9999"/>
|
|
<PolicyInstallScript arguments="" command="" enabled="False"/>
|
|
</Management>
|
|
<FirewallOptions>
|
|
<Option name="accept_established">True</Option>
|
|
<Option name="accept_new_tcp_with_no_syn">True</Option>
|
|
<Option name="action_on_reject">ICMP net unreachable</Option>
|
|
<Option name="activationCmd"></Option>
|
|
<Option name="admUser"></Option>
|
|
<Option name="altAddress"></Option>
|
|
<Option name="check_shading">False</Option>
|
|
<Option name="clamp_mss_to_mtu">False</Option>
|
|
<Option name="cmdline"></Option>
|
|
<Option name="compiler"></Option>
|
|
<Option name="conf_file_name_on_firewall">pf.conf</Option>
|
|
<Option name="configure_carp_interfaces">False</Option>
|
|
<Option name="configure_interfaces">False</Option>
|
|
<Option name="configure_pfsync_interfaces">False</Option>
|
|
<Option name="configure_vlan_interfaces">False</Option>
|
|
<Option name="debug">False</Option>
|
|
<Option name="dyn_addr">False</Option>
|
|
<Option name="epilog_script"></Option>
|
|
<Option name="fallback_log">False</Option>
|
|
<Option name="firewall_dir"></Option>
|
|
<Option name="firewall_is_part_of_any">True</Option>
|
|
<Option name="firewall_is_part_of_any_and_networks">True</Option>
|
|
<Option name="freebsd_path_ipf"></Option>
|
|
<Option name="freebsd_path_ipnat"></Option>
|
|
<Option name="freebsd_path_sysctl"></Option>
|
|
<Option name="ignore_empty_groups">False</Option>
|
|
<Option name="in_out_code">True</Option>
|
|
<Option name="inst_cmdline"></Option>
|
|
<Option name="inst_script"></Option>
|
|
<Option name="install_script"></Option>
|
|
<Option name="ipv4_6_order">ipv4_first</Option>
|
|
<Option name="limit_suffix">/day</Option>
|
|
<Option name="limit_value">0</Option>
|
|
<Option name="linux24_ip_forward">0</Option>
|
|
<Option name="linux24_tcp_fin_timeout">30</Option>
|
|
<Option name="linux24_tcp_keepalive_interval">1800</Option>
|
|
<Option name="load_modules">False</Option>
|
|
<Option name="log_all_dropped">False</Option>
|
|
<Option name="log_ip_opt">False</Option>
|
|
<Option name="log_level">debug</Option>
|
|
<Option name="log_limit_suffix">/second</Option>
|
|
<Option name="log_limit_value">0</Option>
|
|
<Option name="log_prefix"></Option>
|
|
<Option name="log_tcp_opt">False</Option>
|
|
<Option name="log_tcp_seq">False</Option>
|
|
<Option name="manage_virtual_addr">True</Option>
|
|
<Option name="mgmt_addr"></Option>
|
|
<Option name="mgmt_ssh">False</Option>
|
|
<Option name="modulate_state">False</Option>
|
|
<Option name="no_iochains_for_any">False</Option>
|
|
<Option name="no_optimisation">False</Option>
|
|
<Option name="openbsd_path_pfctl"></Option>
|
|
<Option name="openbsd_path_sysctl"></Option>
|
|
<Option name="output_file"></Option>
|
|
<Option name="pass_all_out">False</Option>
|
|
<Option name="pf_adaptive_end">0</Option>
|
|
<Option name="pf_adaptive_start">0</Option>
|
|
<Option name="pf_do_limit_frags">False</Option>
|
|
<Option name="pf_do_limit_src_nodes">False</Option>
|
|
<Option name="pf_do_limit_states">False</Option>
|
|
<Option name="pf_do_limit_table_entries">False</Option>
|
|
<Option name="pf_do_limit_tables">False</Option>
|
|
<Option name="pf_do_scrub">True</Option>
|
|
<Option name="pf_do_timeout_frag">False</Option>
|
|
<Option name="pf_do_timeout_interval">False</Option>
|
|
<Option name="pf_flush_states">False</Option>
|
|
<Option name="pf_icmp_error">0</Option>
|
|
<Option name="pf_icmp_first">0</Option>
|
|
<Option name="pf_limit_frags">5000</Option>
|
|
<Option name="pf_limit_src_nodes">0</Option>
|
|
<Option name="pf_limit_states">10000</Option>
|
|
<Option name="pf_limit_table_entries">0</Option>
|
|
<Option name="pf_limit_tables">0</Option>
|
|
<Option name="pf_optimization"></Option>
|
|
<Option name="pf_other_first">0</Option>
|
|
<Option name="pf_other_multiple">0</Option>
|
|
<Option name="pf_other_single">0</Option>
|
|
<Option name="pf_scrub_fragm_crop">False</Option>
|
|
<Option name="pf_scrub_fragm_drop_ovl">False</Option>
|
|
<Option name="pf_scrub_maxmss">1460</Option>
|
|
<Option name="pf_scrub_minttl">1</Option>
|
|
<Option name="pf_scrub_no_df">False</Option>
|
|
<Option name="pf_scrub_random_id">False</Option>
|
|
<Option name="pf_scrub_reassemble">True</Option>
|
|
<Option name="pf_scrub_use_maxmss">False</Option>
|
|
<Option name="pf_scrub_use_minttl">False</Option>
|
|
<Option name="pf_set_adaptive">False</Option>
|
|
<Option name="pf_set_icmp_error">False</Option>
|
|
<Option name="pf_set_icmp_first">False</Option>
|
|
<Option name="pf_set_other_first">False</Option>
|
|
<Option name="pf_set_other_multiple">False</Option>
|
|
<Option name="pf_set_other_single">False</Option>
|
|
<Option name="pf_set_tcp_closed">False</Option>
|
|
<Option name="pf_set_tcp_closing">False</Option>
|
|
<Option name="pf_set_tcp_established">False</Option>
|
|
<Option name="pf_set_tcp_finwait">False</Option>
|
|
<Option name="pf_set_tcp_first">False</Option>
|
|
<Option name="pf_set_tcp_opening">False</Option>
|
|
<Option name="pf_set_udp_first">False</Option>
|
|
<Option name="pf_set_udp_multiple">False</Option>
|
|
<Option name="pf_set_udp_single">False</Option>
|
|
<Option name="pf_tcp_closed">0</Option>
|
|
<Option name="pf_tcp_closing">0</Option>
|
|
<Option name="pf_tcp_established">0</Option>
|
|
<Option name="pf_tcp_finwait">0</Option>
|
|
<Option name="pf_tcp_first">0</Option>
|
|
<Option name="pf_tcp_opening">0</Option>
|
|
<Option name="pf_timeout_frag">30</Option>
|
|
<Option name="pf_timeout_interval">10</Option>
|
|
<Option name="pf_udp_first">0</Option>
|
|
<Option name="pf_udp_multiple">0</Option>
|
|
<Option name="pf_udp_single">0</Option>
|
|
<Option name="platform">iptables</Option>
|
|
<Option name="prolog_place">fw_file</Option>
|
|
<Option name="prolog_script"></Option>
|
|
<Option name="proxy_arp">False</Option>
|
|
<Option name="scpArgs"></Option>
|
|
<Option name="script_env_path"></Option>
|
|
<Option name="script_name_on_firewall">pf.fw</Option>
|
|
<Option name="snmp_contact"></Option>
|
|
<Option name="snmp_description"></Option>
|
|
<Option name="snmp_location"></Option>
|
|
<Option name="sshArgs"></Option>
|
|
<Option name="use_ip_tool">False</Option>
|
|
<Option name="use_numeric_log_levels">False</Option>
|
|
<Option name="use_tables">True</Option>
|
|
</FirewallOptions>
|
|
</Firewall>
|
|
<Firewall id="id44948F9F2976" host_OS="openbsd" inactive="False" lastCompiled="1157930816" lastInstalled="0" lastModified="1193632410" platform="pf" version="" name="firewall40" comment="testing Route action" ro="False">
|
|
<NAT id="id449490392976" name="NAT" comment="" ro="False" ipv4_rule_set="False" ipv6_rule_set="False" top_rule_set="True">
|
|
<NATRule id="id449490482976" disabled="False" group="" position="0" action="Translate" comment="Translate source address for outgoing connections">
|
|
<OSrc neg="False">
|
|
<ObjectRef ref="id3DC75CE7-1"/>
|
|
</OSrc>
|
|
<ODst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ODst>
|
|
<OSrv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</OSrv>
|
|
<TSrc neg="False">
|
|
<ObjectRef ref="id449490662976"/>
|
|
</TSrc>
|
|
<TDst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</TDst>
|
|
<TSrv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</TSrv>
|
|
<ItfInb neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ItfInb>
|
|
<ItfOutb neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ItfOutb>
|
|
<NATRuleOptions/>
|
|
</NATRule>
|
|
<NATRule id="id4494A6FF3539" disabled="False" group="" position="1" action="Translate" comment="Translate source address for outgoing connections, second translated source (id4494906F2976). Same original source, destination and service as rule 0; if the two translated-source objects belong to different interfaces the compiler emits one nat rule per interface, otherwise this rule duplicates rule 0 and is never reached because pf uses the first matching nat rule - confirm against the interface definitions.">
|
|
<OSrc neg="False">
|
|
<ObjectRef ref="id3DC75CE7-1"/>
|
|
</OSrc>
|
|
<ODst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ODst>
|
|
<OSrv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</OSrv>
|
|
<TSrc neg="False">
|
|
<ObjectRef ref="id4494906F2976"/>
|
|
</TSrc>
|
|
<TDst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</TDst>
|
|
<TSrv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</TSrv>
|
|
<ItfInb neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ItfInb>
|
|
<ItfOutb neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ItfOutb>
|
|
<NATRuleOptions/>
|
|
</NATRule>
|
|
<RuleSetOptions/>
|
|
</NAT>
|
|
<Policy id="id44948FA52976" name="Policy" comment="" ro="False" ipv4_rule_set="False" ipv6_rule_set="False" top_rule_set="True">
|
|
<PolicyRule id="id44957E2D3539" disabled="False" group="" log="False" position="0" action="Accept" direction="Both" comment="">
|
|
<Src neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="id4494906C2976"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="log_prefix"></Option>
|
|
<Option name="pf_classify_str"></Option>
|
|
<Option name="pf_max_src_nodes">0</Option>
|
|
<Option name="pf_max_src_states">0</Option>
|
|
<Option name="pf_rule_max_state">0</Option>
|
|
<Option name="pf_source_tracking">False</Option>
|
|
<Option name="stateless">True</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<PolicyRule id="id44957E3A3539" disabled="False" group="" log="False" position="1" action="Accept" direction="Both" comment="">
|
|
<Src neg="False">
|
|
<ObjectRef ref="id3DC75CE7-1"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="id3DC75CE7-1"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="id449490692976"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="log_prefix"></Option>
|
|
<Option name="pf_classify_str"></Option>
|
|
<Option name="pf_max_src_nodes">0</Option>
|
|
<Option name="pf_max_src_states">0</Option>
|
|
<Option name="pf_rule_max_state">0</Option>
|
|
<Option name="pf_source_tracking">False</Option>
|
|
<Option name="stateless">True</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<PolicyRule id="id449490212976" disabled="False" group="" log="False" position="2" action="Accept" direction="Inbound" comment="">
|
|
<Src neg="False">
|
|
<ObjectRef ref="id3DC75CE7-1"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="tcp-HTTP"/>
|
|
<ServiceRef ref="tcp-SMTP"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="id449490692976"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="action_on_reject"></Option>
|
|
<Option name="branch_anchor_name"></Option>
|
|
<Option name="branch_chain_name"></Option>
|
|
<Option name="classification">False</Option>
|
|
<Option name="classify_str"></Option>
|
|
<Option name="custom_str"></Option>
|
|
<Option name="ipf_route_opt_addr"></Option>
|
|
<Option name="ipf_route_opt_if"></Option>
|
|
<Option name="ipf_route_option">route_through</Option>
|
|
<Option name="ipfw_classify_method">2</Option>
|
|
<Option name="ipfw_pipe_port_num">0</Option>
|
|
<Option name="ipfw_pipe_queue_num">0</Option>
|
|
<Option name="ipt_continue">False</Option>
|
|
<Option name="ipt_gw"></Option>
|
|
<Option name="ipt_iif"></Option>
|
|
<Option name="ipt_mark_connections">False</Option>
|
|
<Option name="ipt_oif"></Option>
|
|
<Option name="ipt_tee">False</Option>
|
|
<Option name="pf_classify_str"></Option>
|
|
<Option name="pf_fastroute">False</Option>
|
|
<Option name="pf_route_opt_addr">192.0.2.10</Option>
|
|
<Option name="pf_route_opt_if">le1</Option>
|
|
<Option name="pf_route_option">route_through</Option>
|
|
<Option name="routing">True</Option>
|
|
<Option name="rule_name_accounting"></Option>
|
|
<Option name="stateless">True</Option>
|
|
<Option name="tagging">False</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<PolicyRule id="id4494AF342976" disabled="False" group="" log="False" position="3" action="Accept" direction="Inbound" comment="">
|
|
<Src neg="False">
|
|
<ObjectRef ref="id3DC75CE7-1"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="tcp-SSH"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="id449490692976"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="action_on_reject"></Option>
|
|
<Option name="branch_anchor_name"></Option>
|
|
<Option name="branch_chain_name"></Option>
|
|
<Option name="classification">False</Option>
|
|
<Option name="classify_str"></Option>
|
|
<Option name="custom_str"></Option>
|
|
<Option name="ipf_route_opt_addr"></Option>
|
|
<Option name="ipf_route_opt_if"></Option>
|
|
<Option name="ipf_route_option">route_through</Option>
|
|
<Option name="ipfw_classify_method">2</Option>
|
|
<Option name="ipfw_pipe_port_num">0</Option>
|
|
<Option name="ipfw_pipe_queue_num">0</Option>
|
|
<Option name="ipt_continue">False</Option>
|
|
<Option name="ipt_gw"></Option>
|
|
<Option name="ipt_iif"></Option>
|
|
<Option name="ipt_mark_connections">False</Option>
|
|
<Option name="ipt_oif"></Option>
|
|
<Option name="ipt_tee">False</Option>
|
|
<Option name="pf_classify_str"></Option>
|
|
<Option name="pf_fastroute">False</Option>
|
|
<Option name="pf_route_opt_addr">192.0.3.10</Option>
|
|
<Option name="pf_route_opt_if">le2</Option>
|
|
<Option name="pf_route_option">route_through</Option>
|
|
<Option name="routing">True</Option>
|
|
<Option name="rule_name_accounting"></Option>
|
|
<Option name="stateless">True</Option>
|
|
<Option name="tagging">False</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<PolicyRule id="id44958DBE3539" disabled="False" group="" log="False" position="4" action="Accept" direction="Outbound" comment="">
|
|
<Src neg="False">
|
|
<ObjectRef ref="id44948F9F2976"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="pf_classify_str"></Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<PolicyRule id="id4494902D2976" disabled="False" group="" log="True" position="5" action="Deny" direction="Both" comment="">
|
|
<Src neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="pf_classify_str"></Option>
|
|
<Option name="stateless">True</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<RuleSetOptions/>
|
|
</Policy>
|
|
<Routing id="id449490652976" name="Routing" comment="" ro="False" ipv4_rule_set="False" ipv6_rule_set="False" top_rule_set="True">
|
|
<RuleSetOptions/>
|
|
</Routing>
|
|
<Interface id="id449490662976" dedicated_failover="False" dyn="False" label="" mgmt="False" security_level="0" unnum="False" unprotected="False" name="le1" comment="" ro="False">
|
|
<IPv4 id="id449490682976" name="firewall40:le1:ip" comment="This is a test address, change it to your real one" ro="False" address="192.0.2.1" netmask="255.255.255.0"/>
|
|
<InterfaceOptions/>
|
|
</Interface>
|
|
<Interface id="id449490692976" dedicated_failover="False" dyn="False" label="" mgmt="True" security_level="100" unnum="False" unprotected="False" name="fxp0" comment="" ro="False">
|
|
<IPv4 id="id4494906B2976" name="firewall40:fxp0:ip" comment="" ro="False" address="192.168.1.1" netmask="255.255.255.0"/>
|
|
<InterfaceOptions/>
|
|
</Interface>
|
|
<Interface id="id4494906C2976" dedicated_failover="False" dyn="False" label="" mgmt="False" security_level="100" unnum="False" unprotected="False" name="lo0" comment="" ro="False">
|
|
<IPv4 id="id4494906E2976" name="firewall40:lo0:ip" comment="" ro="False" address="127.0.0.1" netmask="255.0.0.0"/>
|
|
<InterfaceOptions/>
|
|
</Interface>
|
|
<Interface id="id4494906F2976" dedicated_failover="False" dyn="False" label="" mgmt="False" security_level="0" unnum="False" unprotected="False" name="le2" comment="" ro="False">
|
|
<IPv4 id="id449490712976" name="firewall40:le2:ip" comment="" ro="False" address="192.0.3.1" netmask="255.255.255.0"/>
|
|
<InterfaceOptions/>
|
|
</Interface>
|
|
<Management address="0.0.0.0">
|
|
<SNMPManagement enabled="False" snmp_read_community="" snmp_write_community=""/>
|
|
<FWBDManagement enabled="False" identity="" port="-1"/>
|
|
<PolicyInstallScript arguments="" command="" enabled="False"/>
|
|
</Management>
|
|
<FirewallOptions>
|
|
<Option name="accept_established">true</Option>
|
|
<Option name="accept_new_tcp_with_no_syn">True</Option>
|
|
<Option name="activationCmd"></Option>
|
|
<Option name="admUser"></Option>
|
|
<Option name="altAddress"></Option>
|
|
<Option name="check_shading">True</Option>
|
|
<Option name="cmdline"></Option>
|
|
<Option name="compiler"></Option>
|
|
<Option name="configure_interfaces">True</Option>
|
|
<Option name="debug">False</Option>
|
|
<Option name="eliminate_duplicates">true</Option>
|
|
<Option name="epilog_script"></Option>
|
|
<Option name="fallback_log">False</Option>
|
|
<Option name="firewall_dir">/etc</Option>
|
|
<Option name="firewall_is_part_of_any_and_networks">true</Option>
|
|
<Option name="freebsd_ip_forward">1</Option>
|
|
<Option name="ignore_empty_groups">False</Option>
|
|
<Option name="in_out_code">True</Option>
|
|
<Option name="limit_value">0</Option>
|
|
<Option name="linux24_ip_forward">1</Option>
|
|
<Option name="load_modules">true</Option>
|
|
<Option name="local_nat">false</Option>
|
|
<Option name="log_level">info</Option>
|
|
<Option name="log_prefix">RULE %N -- %A </Option>
|
|
<Option name="loopback_interface">lo0</Option>
|
|
<Option name="macosx_ip_forward">1</Option>
|
|
<Option name="manage_virtual_addr">True</Option>
|
|
<Option name="mgmt_addr"></Option>
|
|
<Option name="mgmt_ssh">False</Option>
|
|
<Option name="modulate_state">True</Option>
|
|
<Option name="openbsd_ip_forward">1</Option>
|
|
<Option name="output_file"></Option>
|
|
<Option name="pass_all_out">False</Option>
|
|
<Option name="pf_adaptive_end">0</Option>
|
|
<Option name="pf_adaptive_start">0</Option>
|
|
<Option name="pf_do_limit_frags">False</Option>
|
|
<Option name="pf_do_limit_states">False</Option>
|
|
<Option name="pf_do_scrub">False</Option>
|
|
<Option name="pf_do_timeout_frag">False</Option>
|
|
<Option name="pf_do_timeout_interval">False</Option>
|
|
<Option name="pf_icmp_error">0</Option>
|
|
<Option name="pf_icmp_first">0</Option>
|
|
<Option name="pf_limit_frags">5000</Option>
|
|
<Option name="pf_limit_states">10000</Option>
|
|
<Option name="pf_optimization"></Option>
|
|
<Option name="pf_other_first">0</Option>
|
|
<Option name="pf_other_multiple">0</Option>
|
|
<Option name="pf_other_single">0</Option>
|
|
<Option name="pf_scrub_fragm_crop">False</Option>
|
|
<Option name="pf_scrub_fragm_drop_ovl">False</Option>
|
|
<Option name="pf_scrub_maxmss">1460</Option>
|
|
<Option name="pf_scrub_minttl">0</Option>
|
|
<Option name="pf_scrub_no_df">False</Option>
|
|
<Option name="pf_scrub_random_id">False</Option>
|
|
<Option name="pf_scrub_reassemble">True</Option>
|
|
<Option name="pf_scrub_use_maxmss">False</Option>
|
|
<Option name="pf_scrub_use_minttl">False</Option>
|
|
<Option name="pf_set_adaptive">False</Option>
|
|
<Option name="pf_set_icmp_error">False</Option>
|
|
<Option name="pf_set_icmp_first">False</Option>
|
|
<Option name="pf_set_other_first">False</Option>
|
|
<Option name="pf_set_other_multiple">False</Option>
|
|
<Option name="pf_set_other_single">False</Option>
|
|
<Option name="pf_set_tcp_closed">False</Option>
|
|
<Option name="pf_set_tcp_closing">False</Option>
|
|
<Option name="pf_set_tcp_established">False</Option>
|
|
<Option name="pf_set_tcp_finwait">False</Option>
|
|
<Option name="pf_set_tcp_first">False</Option>
|
|
<Option name="pf_set_tcp_opening">False</Option>
|
|
<Option name="pf_set_udp_first">False</Option>
|
|
<Option name="pf_set_udp_multiple">False</Option>
|
|
<Option name="pf_set_udp_single">False</Option>
|
|
<Option name="pf_tcp_closed">0</Option>
|
|
<Option name="pf_tcp_closing">0</Option>
|
|
<Option name="pf_tcp_established">0</Option>
|
|
<Option name="pf_tcp_finwait">0</Option>
|
|
<Option name="pf_tcp_first">0</Option>
|
|
<Option name="pf_tcp_opening">0</Option>
|
|
<Option name="pf_timeout_frag">30</Option>
|
|
<Option name="pf_timeout_interval">10</Option>
|
|
<Option name="pf_udp_first">0</Option>
|
|
<Option name="pf_udp_multiple">0</Option>
|
|
<Option name="pf_udp_single">0</Option>
|
|
<Option name="pix_add_clear_statements">true</Option>
|
|
<Option name="pix_assume_fw_part_of_any">true</Option>
|
|
<Option name="pix_default_logint">300</Option>
|
|
<Option name="pix_emblem_log_format">false</Option>
|
|
<Option name="pix_emulate_out_acl">true</Option>
|
|
<Option name="pix_floodguard">true</Option>
|
|
<Option name="pix_include_comments">true</Option>
|
|
<Option name="pix_route_dnat_supported">true</Option>
|
|
<Option name="pix_rule_syslog_settings">false</Option>
|
|
<Option name="pix_security_fragguard_supported">true</Option>
|
|
<Option name="pix_syslog_device_id_supported">false</Option>
|
|
<Option name="pix_use_acl_remarks">true</Option>
|
|
<Option name="prolog_script"></Option>
|
|
<Option name="prompt1">$ </Option>
|
|
<Option name="prompt2"> # </Option>
|
|
<Option name="solaris_ip_forward">1</Option>
|
|
<Option name="sshArgs"></Option>
|
|
<Option name="ulog_nlgroup">1</Option>
|
|
<Option name="verify_interfaces">true</Option>
|
|
</FirewallOptions>
|
|
</Firewall>
|
|
<Firewall id="id44EC18128791" host_OS="freebsd" inactive="False" lastCompiled="1263599379" lastInstalled="0" lastModified="1263599377" platform="pf" version="" name="firewall41" comment="testing rule shadowing with run-time objects; rules with such objects should be ignored" ro="False">
|
|
<NAT id="id44EC18168791" name="NAT" comment="" ro="False" ipv4_rule_set="False" ipv6_rule_set="False" top_rule_set="True">
|
|
<RuleSetOptions/>
|
|
</NAT>
|
|
<Policy id="id44EC18158791" name="Policy" comment="" ro="False" ipv4_rule_set="False" ipv6_rule_set="False" top_rule_set="True">
|
|
<PolicyRule id="id44EC181E8791" disabled="False" group="" log="True" position="0" action="Accept" direction="Outbound" comment="">
|
|
<Src neg="False">
|
|
<ObjectRef ref="id44EC18128791"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="id44EC181D8791"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="pf_classify_str"></Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<PolicyRule id="id44F7056428576" disabled="False" group="" log="True" position="1" action="Accept" direction="Outbound" comment="">
|
|
<Src neg="False">
|
|
<ObjectRef ref="id44EC18128791"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="id4389EE9018346"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="pf_classify_str"></Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<PolicyRule id="id20664X8713" disabled="False" group="" log="True" position="2" action="Accept" direction="Outbound" comment="">
|
|
<Src neg="False">
|
|
<ObjectRef ref="id44EC18128791"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="id4389EE9118346"/>
|
|
<ObjectRef ref="id452762A75348"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="pf_classify_str"></Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<PolicyRule id="id20710X8713" disabled="False" group="" log="True" position="3" action="Accept" direction="Outbound" comment="">
|
|
<Src neg="False">
|
|
<ObjectRef ref="id44EC18128791"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="id20634X8713"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="pf_classify_str"></Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<PolicyRule id="id44F707E428576" disabled="False" group="" log="True" position="4" action="Accept" direction="Outbound" comment="">
|
|
<Src neg="False">
|
|
<ObjectRef ref="id44EC18128791"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="id44F7082928576"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="pf_classify_str"></Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<RuleSetOptions/>
|
|
</Policy>
|
|
<Routing id="id44EC18178791" name="Routing" comment="" ro="False" ipv4_rule_set="False" ipv6_rule_set="False" top_rule_set="True">
|
|
<RuleSetOptions/>
|
|
</Routing>
|
|
<Interface id="id44EC18188791" dedicated_failover="False" dyn="False" label="ext" security_level="0" unnum="False" unprotected="False" name="eth0" comment="" ro="False">
|
|
<IPv4 id="id44EC18198791" name="firewall41:eth0:ip" comment="" ro="False" address="1.1.1.1" netmask="255.255.255.0"/>
|
|
<InterfaceOptions/>
|
|
</Interface>
|
|
<Interface id="id44EC181A8791" dedicated_failover="False" dyn="False" label="int" security_level="50" unnum="False" unprotected="False" name="eth1" comment="" ro="False">
|
|
<IPv4 id="id44EC181B8791" name="firewall41:eth1:ip" comment="" ro="False" address="2.2.2.2" netmask="255.255.255.0"/>
|
|
<InterfaceOptions/>
|
|
</Interface>
|
|
<Management address="0.0.0.0">
|
|
<SNMPManagement enabled="False" snmp_read_community="" snmp_write_community=""/>
|
|
<FWBDManagement enabled="False" identity="" port="-1"/>
|
|
<PolicyInstallScript arguments="" command="" enabled="False"/>
|
|
</Management>
|
|
<FirewallOptions>
|
|
<Option name="accept_established">true</Option>
|
|
<Option name="accept_new_tcp_with_no_syn">True</Option>
|
|
<Option name="activationCmd"></Option>
|
|
<Option name="admUser"></Option>
|
|
<Option name="altAddress"></Option>
|
|
<Option name="check_shading">True</Option>
|
|
<Option name="cmdline">-xt</Option>
|
|
<Option name="compiler"></Option>
|
|
<Option name="conf_file_name_on_firewall"></Option>
|
|
<Option name="configure_carp_interfaces">False</Option>
|
|
<Option name="configure_interfaces">True</Option>
|
|
<Option name="configure_pfsync_interfaces">False</Option>
|
|
<Option name="configure_vlan_interfaces">False</Option>
|
|
<Option name="debug">False</Option>
|
|
<Option name="eliminate_duplicates">true</Option>
|
|
<Option name="epilog_script"></Option>
|
|
<Option name="fallback_log">False</Option>
|
|
<Option name="firewall_dir">/etc</Option>
|
|
<Option name="firewall_is_part_of_any_and_networks">true</Option>
|
|
<Option name="freebsd_ip_forward">1</Option>
|
|
<Option name="ignore_empty_groups">False</Option>
|
|
<Option name="in_out_code">true</Option>
|
|
<Option name="ipv4_6_order">ipv4_first</Option>
|
|
<Option name="limit_value">0</Option>
|
|
<Option name="linux24_ip_forward">1</Option>
|
|
<Option name="load_modules">true</Option>
|
|
<Option name="local_nat">false</Option>
|
|
<Option name="log_level">info</Option>
|
|
<Option name="log_prefix">RULE %N -- %A </Option>
|
|
<Option name="loopback_interface">lo0</Option>
|
|
<Option name="macosx_ip_forward">1</Option>
|
|
<Option name="manage_virtual_addr">True</Option>
|
|
<Option name="mgmt_addr"></Option>
|
|
<Option name="mgmt_ssh">False</Option>
|
|
<Option name="openbsd_ip_forward">1</Option>
|
|
<Option name="output_file"></Option>
|
|
<Option name="pass_all_out">false</Option>
|
|
<Option name="pf_adaptive_end">0</Option>
|
|
<Option name="pf_adaptive_start">0</Option>
|
|
<Option name="pf_do_limit_frags">False</Option>
|
|
<Option name="pf_do_limit_src_nodes">False</Option>
|
|
<Option name="pf_do_limit_states">False</Option>
|
|
<Option name="pf_do_limit_table_entries">False</Option>
|
|
<Option name="pf_do_limit_tables">False</Option>
|
|
<Option name="pf_do_scrub">False</Option>
|
|
<Option name="pf_do_timeout_frag">False</Option>
|
|
<Option name="pf_do_timeout_interval">False</Option>
|
|
<Option name="pf_flush_states">False</Option>
|
|
<Option name="pf_icmp_error">0</Option>
|
|
<Option name="pf_icmp_first">0</Option>
|
|
<Option name="pf_limit_frags">5000</Option>
|
|
<Option name="pf_limit_src_nodes">0</Option>
|
|
<Option name="pf_limit_states">10000</Option>
|
|
<Option name="pf_limit_table_entries">0</Option>
|
|
<Option name="pf_limit_tables">0</Option>
|
|
<Option name="pf_modulate_state">False</Option>
|
|
<Option name="pf_optimization"></Option>
|
|
<Option name="pf_other_first">0</Option>
|
|
<Option name="pf_other_multiple">0</Option>
|
|
<Option name="pf_other_single">0</Option>
|
|
<Option name="pf_scrub_fragm_crop">False</Option>
|
|
<Option name="pf_scrub_fragm_drop_ovl">False</Option>
|
|
<Option name="pf_scrub_maxmss">1460</Option>
|
|
<Option name="pf_scrub_minttl">0</Option>
|
|
<Option name="pf_scrub_no_df">False</Option>
|
|
<Option name="pf_scrub_random_id">False</Option>
|
|
<Option name="pf_scrub_reassemble">True</Option>
|
|
<Option name="pf_scrub_use_maxmss">False</Option>
|
|
<Option name="pf_scrub_use_minttl">False</Option>
|
|
<Option name="pf_set_adaptive">False</Option>
|
|
<Option name="pf_set_icmp_error">False</Option>
|
|
<Option name="pf_set_icmp_first">False</Option>
|
|
<Option name="pf_set_other_first">False</Option>
|
|
<Option name="pf_set_other_multiple">False</Option>
|
|
<Option name="pf_set_other_single">False</Option>
|
|
<Option name="pf_set_tcp_closed">False</Option>
|
|
<Option name="pf_set_tcp_closing">False</Option>
|
|
<Option name="pf_set_tcp_established">False</Option>
|
|
<Option name="pf_set_tcp_finwait">False</Option>
|
|
<Option name="pf_set_tcp_first">False</Option>
|
|
<Option name="pf_set_tcp_opening">False</Option>
|
|
<Option name="pf_set_udp_first">False</Option>
|
|
<Option name="pf_set_udp_multiple">False</Option>
|
|
<Option name="pf_set_udp_single">False</Option>
|
|
<Option name="pf_state_policy"></Option>
|
|
<Option name="pf_tcp_closed">0</Option>
|
|
<Option name="pf_tcp_closing">0</Option>
|
|
<Option name="pf_tcp_established">0</Option>
|
|
<Option name="pf_tcp_finwait">0</Option>
|
|
<Option name="pf_tcp_first">0</Option>
|
|
<Option name="pf_tcp_opening">0</Option>
|
|
<Option name="pf_timeout_frag">30</Option>
|
|
<Option name="pf_timeout_interval">10</Option>
|
|
<Option name="pf_udp_first">0</Option>
|
|
<Option name="pf_udp_multiple">0</Option>
|
|
<Option name="pf_udp_single">0</Option>
|
|
<Option name="pix_add_clear_statements">true</Option>
|
|
<Option name="pix_assume_fw_part_of_any">true</Option>
|
|
<Option name="pix_default_logint">300</Option>
|
|
<Option name="pix_emblem_log_format">false</Option>
|
|
<Option name="pix_emulate_out_acl">true</Option>
|
|
<Option name="pix_floodguard">true</Option>
|
|
<Option name="pix_include_comments">true</Option>
|
|
<Option name="pix_route_dnat_supported">true</Option>
|
|
<Option name="pix_rule_syslog_settings">false</Option>
|
|
<Option name="pix_security_fragguard_supported">true</Option>
|
|
<Option name="pix_syslog_device_id_supported">false</Option>
|
|
<Option name="pix_use_acl_remarks">true</Option>
|
|
<Option name="prolog_place">fw_file</Option>
|
|
<Option name="prolog_script"></Option>
|
|
<Option name="prompt1">$ </Option>
|
|
<Option name="prompt2"> # </Option>
|
|
<Option name="scpArgs"></Option>
|
|
<Option name="script_name_on_firewall"></Option>
|
|
<Option name="solaris_ip_forward">1</Option>
|
|
<Option name="sshArgs"></Option>
|
|
<Option name="ulog_nlgroup">1</Option>
|
|
<Option name="verify_interfaces">true</Option>
|
|
</FirewallOptions>
|
|
</Firewall>
|
|
<Firewall id="id4699449021967" host_OS="openbsd" inactive="False" lastCompiled="1202682006" lastInstalled="0" lastModified="1202681966" platform="pf" version="3.x" name="firewall10-1" comment="PF 3.x, testing &quot;flags S/SA keep state&quot;" ro="False">
|
|
<NAT id="id469944D321967" name="NAT" comment="" ro="False" ipv4_rule_set="False" ipv6_rule_set="False" top_rule_set="True">
|
|
<NATRule id="id469944D421967" disabled="True" group="" position="0" action="Translate" comment="">
|
|
<OSrc neg="False">
|
|
<ObjectRef ref="net-Internal_net"/>
|
|
</OSrc>
|
|
<ODst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ODst>
|
|
<OSrv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</OSrv>
|
|
<TSrc neg="False">
|
|
<ObjectRef ref="id469944F421967"/>
|
|
</TSrc>
|
|
<TDst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</TDst>
|
|
<TSrv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</TSrv>
|
|
<ItfInb neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ItfInb>
|
|
<ItfOutb neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ItfOutb>
|
|
<NATRuleOptions/>
|
|
</NATRule>
|
|
<NATRule id="id469944E221967" disabled="False" group="" position="1" action="Translate" comment="">
|
|
<OSrc neg="False">
|
|
<ObjectRef ref="net-Internal_net"/>
|
|
</OSrc>
|
|
<ODst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ODst>
|
|
<OSrv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</OSrv>
|
|
<TSrc neg="False">
|
|
<ObjectRef ref="id4699449021967"/>
|
|
</TSrc>
|
|
<TDst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</TDst>
|
|
<TSrv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</TSrv>
|
|
<ItfInb neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ItfInb>
|
|
<ItfOutb neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ItfOutb>
|
|
<NATRuleOptions/>
|
|
</NATRule>
|
|
<RuleSetOptions/>
|
|
</NAT>
|
|
<Policy id="id4699449621967" name="Policy" comment="" ro="False" ipv4_rule_set="False" ipv6_rule_set="False" top_rule_set="True">
|
|
<PolicyRule id="id4699449721967" disabled="False" group="" log="False" position="0" action="Accept" direction="Inbound" comment="">
|
|
<Src neg="False">
|
|
<ObjectRef ref="net-Internal_net"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="tcp-SSH"/>
|
|
<ServiceRef ref="tcp-HTTP"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="id469944F121967"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="pf_classify_str"></Option>
|
|
<Option name="stateless">False</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<PolicyRule id="id469944A321967" disabled="False" group="" log="False" position="1" action="Accept" direction="Both" comment="">
|
|
<Src neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="id469944F521967"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="log_prefix"></Option>
|
|
<Option name="pf_classify_str"></Option>
|
|
<Option name="pf_keep_state">False</Option>
|
|
<Option name="pf_max_src_conn">0</Option>
|
|
<Option name="pf_max_src_conn_flush">False</Option>
|
|
<Option name="pf_max_src_conn_global">False</Option>
|
|
<Option name="pf_max_src_conn_overload_table"></Option>
|
|
<Option name="pf_max_src_conn_rate_flush">False</Option>
|
|
<Option name="pf_max_src_conn_rate_global">False</Option>
|
|
<Option name="pf_max_src_conn_rate_num">0</Option>
|
|
<Option name="pf_max_src_conn_rate_overload_table"></Option>
|
|
<Option name="pf_max_src_conn_rate_seconds">0</Option>
|
|
<Option name="pf_max_src_nodes">0</Option>
|
|
<Option name="pf_max_src_states">0</Option>
|
|
<Option name="pf_rule_max_state">0</Option>
|
|
<Option name="pf_source_tracking">False</Option>
|
|
<Option name="stateless">True</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<PolicyRule id="id469944AF21967" disabled="False" group="" log="False" position="2" action="Accept" direction="Both" comment="via ipsec">
|
|
<Src neg="False">
|
|
<ObjectRef ref="id3B665643"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="net-Internal_net"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="tcp-HTTP"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="id469944F421967"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="log_prefix"></Option>
|
|
<Option name="pf_classify_str"></Option>
|
|
<Option name="pf_keep_state">True</Option>
|
|
<Option name="pf_max_src_conn">0</Option>
|
|
<Option name="pf_max_src_conn_flush">False</Option>
|
|
<Option name="pf_max_src_conn_global">False</Option>
|
|
<Option name="pf_max_src_conn_overload_table"></Option>
|
|
<Option name="pf_max_src_conn_rate_flush">False</Option>
|
|
<Option name="pf_max_src_conn_rate_global">False</Option>
|
|
<Option name="pf_max_src_conn_rate_num">0</Option>
|
|
<Option name="pf_max_src_conn_rate_overload_table"></Option>
|
|
<Option name="pf_max_src_conn_rate_seconds">0</Option>
|
|
<Option name="pf_max_src_nodes">0</Option>
|
|
<Option name="pf_max_src_states">0</Option>
|
|
<Option name="pf_rule_max_state">0</Option>
|
|
<Option name="pf_source_tracking">False</Option>
|
|
<Option name="stateless">False</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<PolicyRule id="id469944C721967" disabled="False" group="" log="True" position="3" action="Deny" direction="Both" comment="">
|
|
<Src neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="pf_classify_str"></Option>
|
|
<Option name="stateless">True</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<RuleSetOptions/>
|
|
</Policy>
|
|
<Routing id="id469944F021967" name="Routing" comment="" ro="False" ipv4_rule_set="False" ipv6_rule_set="False" top_rule_set="True">
|
|
<RuleSetOptions/>
|
|
</Routing>
|
|
<Interface id="id469944F121967" dedicated_failover="False" dyn="False" security_level="100" unnum="False" unprotected="False" name="eth0" comment="" ro="False">
|
|
<IPv4 id="id469944F321967" name="firewall10-1:eth0:ip" comment="" ro="False" address="192.168.1.1" netmask="255.255.255.0"/>
|
|
<InterfaceOptions/>
|
|
</Interface>
|
|
<Interface id="id469944F421967" dedicated_failover="False" dyn="False" label="" mgmt="False" security_level="0" unnum="True" unprotected="False" name="enc0" comment="" ro="False">
|
|
<InterfaceOptions/>
|
|
</Interface>
|
|
<Interface id="id469944F521967" dedicated_failover="False" dyn="False" label="" mgmt="False" security_level="100" unnum="False" unprotected="False" name="lo0" comment="" ro="False">
|
|
<IPv4 id="id469944F721967" name="firewall10-1:lo0:ip" comment="" ro="False" address="127.0.0.1" netmask="255.0.0.0"/>
|
|
<InterfaceOptions/>
|
|
</Interface>
|
|
<Management address="127.0.0.1">
|
|
<SNMPManagement enabled="False" snmp_read_community="public" snmp_write_community=""/>
|
|
<FWBDManagement enabled="True" identity="" port="9999"/>
|
|
<PolicyInstallScript arguments="" command="" enabled="False"/>
|
|
</Management>
|
|
<FirewallOptions>
|
|
<Option name="accept_established">True</Option>
|
|
<Option name="accept_new_tcp_with_no_syn">False</Option>
|
|
<Option name="action_on_reject">ICMP net unreachable</Option>
|
|
<Option name="activationCmd"></Option>
|
|
<Option name="admUser"></Option>
|
|
<Option name="altAddress"></Option>
|
|
<Option name="check_shading">True</Option>
|
|
<Option name="clamp_mss_to_mtu">False</Option>
|
|
<Option name="cmdline"></Option>
|
|
<Option name="compiler"></Option>
|
|
<Option name="configure_interfaces">False</Option>
|
|
<Option name="debug">False</Option>
|
|
<Option name="dyn_addr">False</Option>
|
|
<Option name="epilog_script"></Option>
|
|
<Option name="fallback_log">False</Option>
|
|
<Option name="firewall_dir"></Option>
|
|
<Option name="firewall_is_part_of_any">True</Option>
|
|
<Option name="firewall_is_part_of_any_and_networks">True</Option>
|
|
<Option name="freebsd_path_ipf"></Option>
|
|
<Option name="freebsd_path_ipnat"></Option>
|
|
<Option name="freebsd_path_sysctl"></Option>
|
|
<Option name="ignore_empty_groups">False</Option>
|
|
<Option name="in_out_code">True</Option>
|
|
<Option name="inst_cmdline"></Option>
|
|
<Option name="inst_script"></Option>
|
|
<Option name="install_script"></Option>
|
|
<Option name="limit_suffix">/day</Option>
|
|
<Option name="limit_value">0</Option>
|
|
<Option name="linux24_ip_forward">0</Option>
|
|
<Option name="linux24_tcp_fin_timeout">30</Option>
|
|
<Option name="linux24_tcp_keepalive_interval">1800</Option>
|
|
<Option name="load_modules">False</Option>
|
|
<Option name="log_all_dropped">False</Option>
|
|
<Option name="log_ip_opt">False</Option>
|
|
<Option name="log_level">debug</Option>
|
|
<Option name="log_limit_suffix">/second</Option>
|
|
<Option name="log_limit_value">0</Option>
|
|
<Option name="log_prefix"></Option>
|
|
<Option name="log_tcp_opt">False</Option>
|
|
<Option name="log_tcp_seq">False</Option>
|
|
<Option name="manage_virtual_addr">True</Option>
|
|
<Option name="mgmt_addr">192.168.1.100</Option>
|
|
<Option name="mgmt_ssh">True</Option>
|
|
<Option name="modulate_state">False</Option>
|
|
<Option name="no_iochains_for_any">False</Option>
|
|
<Option name="no_optimisation">False</Option>
|
|
<Option name="openbsd_path_pfctl"></Option>
|
|
<Option name="openbsd_path_sysctl"></Option>
|
|
<Option name="output_file"></Option>
|
|
<Option name="pass_all_out">False</Option>
|
|
<Option name="pf_adaptive_end">0</Option>
|
|
<Option name="pf_adaptive_start">0</Option>
|
|
<Option name="pf_do_limit_frags">False</Option>
|
|
<Option name="pf_do_limit_src_nodes">False</Option>
|
|
<Option name="pf_do_limit_states">False</Option>
|
|
<Option name="pf_do_limit_table_entries">False</Option>
|
|
<Option name="pf_do_limit_tables">False</Option>
|
|
<Option name="pf_do_scrub">True</Option>
|
|
<Option name="pf_do_timeout_frag">False</Option>
|
|
<Option name="pf_do_timeout_interval">False</Option>
|
|
<Option name="pf_icmp_error">0</Option>
|
|
<Option name="pf_icmp_first">0</Option>
|
|
<Option name="pf_limit_frags">5000</Option>
|
|
<Option name="pf_limit_src_nodes">0</Option>
|
|
<Option name="pf_limit_states">10000</Option>
|
|
<Option name="pf_limit_table_entries">0</Option>
|
|
<Option name="pf_limit_tables">0</Option>
|
|
<Option name="pf_optimization"></Option>
|
|
<Option name="pf_other_first">0</Option>
|
|
<Option name="pf_other_multiple">0</Option>
|
|
<Option name="pf_other_single">0</Option>
|
|
<Option name="pf_scrub_fragm_crop">False</Option>
|
|
<Option name="pf_scrub_fragm_drop_ovl">False</Option>
|
|
<Option name="pf_scrub_maxmss">1460</Option>
|
|
<Option name="pf_scrub_minttl">1</Option>
|
|
<Option name="pf_scrub_no_df">False</Option>
|
|
<Option name="pf_scrub_random_id">False</Option>
|
|
<Option name="pf_scrub_reassemble">True</Option>
|
|
<Option name="pf_scrub_use_maxmss">False</Option>
|
|
<Option name="pf_scrub_use_minttl">False</Option>
|
|
<Option name="pf_set_adaptive">False</Option>
|
|
<Option name="pf_set_icmp_error">False</Option>
|
|
<Option name="pf_set_icmp_first">False</Option>
|
|
<Option name="pf_set_other_first">False</Option>
|
|
<Option name="pf_set_other_multiple">False</Option>
|
|
<Option name="pf_set_other_single">False</Option>
|
|
<Option name="pf_set_tcp_closed">False</Option>
|
|
<Option name="pf_set_tcp_closing">False</Option>
|
|
<Option name="pf_set_tcp_established">False</Option>
|
|
<Option name="pf_set_tcp_finwait">False</Option>
|
|
<Option name="pf_set_tcp_first">False</Option>
|
|
<Option name="pf_set_tcp_opening">False</Option>
|
|
<Option name="pf_set_udp_first">False</Option>
|
|
<Option name="pf_set_udp_multiple">False</Option>
|
|
<Option name="pf_set_udp_single">False</Option>
|
|
<Option name="pf_tcp_closed">0</Option>
|
|
<Option name="pf_tcp_closing">0</Option>
|
|
<Option name="pf_tcp_established">0</Option>
|
|
<Option name="pf_tcp_finwait">0</Option>
|
|
<Option name="pf_tcp_first">0</Option>
|
|
<Option name="pf_tcp_opening">0</Option>
|
|
<Option name="pf_timeout_frag">30</Option>
|
|
<Option name="pf_timeout_interval">10</Option>
|
|
<Option name="pf_udp_first">0</Option>
|
|
<Option name="pf_udp_multiple">0</Option>
|
|
<Option name="pf_udp_single">0</Option>
|
|
<Option name="platform">iptables</Option>
|
|
<Option name="prolog_place">fw_file</Option>
|
|
<Option name="prolog_script"></Option>
|
|
<Option name="proxy_arp">False</Option>
|
|
<Option name="script_env_path"></Option>
|
|
<Option name="snmp_contact"></Option>
|
|
<Option name="snmp_description"></Option>
|
|
<Option name="snmp_location"></Option>
|
|
<Option name="sshArgs"></Option>
|
|
<Option name="use_ip_tool">False</Option>
|
|
<Option name="use_numeric_log_levels">False</Option>
|
|
<Option name="use_tables">True</Option>
|
|
</FirewallOptions>
|
|
</Firewall>
|
|
<Firewall id="id4699570022254" host_OS="openbsd" inactive="False" lastCompiled="1249943166" lastInstalled="0" lastModified="1305064193" platform="pf" version="4.0" name="firewall10-2" comment="PF 4.x, testing &quot;flags S/SA keep state&quot;" ro="False">
|
|
<NAT id="id4699573822254" name="NAT" comment="" ro="False" ipv4_rule_set="False" ipv6_rule_set="False" top_rule_set="True">
|
|
<NATRule id="id4699573922254" disabled="True" group="" position="0" action="Translate" comment="">
|
|
<OSrc neg="False">
|
|
<ObjectRef ref="net-Internal_net"/>
|
|
</OSrc>
|
|
<ODst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ODst>
|
|
<OSrv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</OSrv>
|
|
<TSrc neg="False">
|
|
<ObjectRef ref="id4699575922254"/>
|
|
</TSrc>
|
|
<TDst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</TDst>
|
|
<TSrv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</TSrv>
|
|
<ItfInb neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ItfInb>
|
|
<ItfOutb neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ItfOutb>
|
|
<NATRuleOptions/>
|
|
</NATRule>
|
|
<NATRule id="id4699574722254" disabled="False" group="" position="1" action="Translate" comment="">
|
|
<OSrc neg="False">
|
|
<ObjectRef ref="net-Internal_net"/>
|
|
</OSrc>
|
|
<ODst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ODst>
|
|
<OSrv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</OSrv>
|
|
<TSrc neg="False">
|
|
<ObjectRef ref="id4699570022254"/>
|
|
</TSrc>
|
|
<TDst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</TDst>
|
|
<TSrv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</TSrv>
|
|
<ItfInb neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ItfInb>
|
|
<ItfOutb neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ItfOutb>
|
|
<NATRuleOptions/>
|
|
</NATRule>
|
|
<RuleSetOptions/>
|
|
</NAT>
|
|
<Policy id="id4699570622254" name="Policy" comment="" ro="False" ipv4_rule_set="False" ipv6_rule_set="False" top_rule_set="True">
|
|
<PolicyRule id="id4699570722254" disabled="False" group="" log="False" position="0" action="Accept" direction="Inbound" comment="">
|
|
<Src neg="False">
|
|
<ObjectRef ref="net-Internal_net"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="tcp-SSH"/>
|
|
<ServiceRef ref="tcp-HTTP"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="id4699575622254"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="pf_classify_str"></Option>
|
|
<Option name="stateless">False</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<PolicyRule id="id4699571422254" disabled="False" group="" log="False" position="1" action="Accept" direction="Both" comment="">
|
|
<Src neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="id4699575A22254"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="log_prefix"></Option>
|
|
<Option name="pf_classify_str"></Option>
|
|
<Option name="pf_keep_state">False</Option>
|
|
<Option name="pf_max_src_conn">0</Option>
|
|
<Option name="pf_max_src_conn_flush">False</Option>
|
|
<Option name="pf_max_src_conn_global">False</Option>
|
|
<Option name="pf_max_src_conn_overload_table"></Option>
|
|
<Option name="pf_max_src_conn_rate_flush">False</Option>
|
|
<Option name="pf_max_src_conn_rate_global">False</Option>
|
|
<Option name="pf_max_src_conn_rate_num">0</Option>
|
|
<Option name="pf_max_src_conn_rate_overload_table"></Option>
|
|
<Option name="pf_max_src_conn_rate_seconds">0</Option>
|
|
<Option name="pf_max_src_nodes">0</Option>
|
|
<Option name="pf_max_src_states">0</Option>
|
|
<Option name="pf_rule_max_state">0</Option>
|
|
<Option name="pf_source_tracking">False</Option>
|
|
<Option name="stateless">True</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<PolicyRule id="id4699572022254" disabled="False" group="" log="False" position="2" action="Accept" direction="Both" comment="via ipsec">
|
|
<Src neg="False">
|
|
<ObjectRef ref="id3B665643"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="net-Internal_net"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="tcp-HTTP"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="id4699575922254"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="log_prefix"></Option>
|
|
<Option name="pf_classify_str"></Option>
|
|
<Option name="pf_keep_state">True</Option>
|
|
<Option name="pf_max_src_conn">0</Option>
|
|
<Option name="pf_max_src_conn_flush">False</Option>
|
|
<Option name="pf_max_src_conn_global">False</Option>
|
|
<Option name="pf_max_src_conn_overload_table"></Option>
|
|
<Option name="pf_max_src_conn_rate_flush">False</Option>
|
|
<Option name="pf_max_src_conn_rate_global">False</Option>
|
|
<Option name="pf_max_src_conn_rate_num">0</Option>
|
|
<Option name="pf_max_src_conn_rate_overload_table"></Option>
|
|
<Option name="pf_max_src_conn_rate_seconds">0</Option>
|
|
<Option name="pf_max_src_nodes">0</Option>
|
|
<Option name="pf_max_src_states">0</Option>
|
|
<Option name="pf_rule_max_state">0</Option>
|
|
<Option name="pf_source_tracking">False</Option>
|
|
<Option name="stateless">False</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<PolicyRule id="id4699572C22254" disabled="False" group="" log="True" position="3" action="Deny" direction="Both" comment="">
|
|
<Src neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="pf_classify_str"></Option>
|
|
<Option name="stateless">True</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<RuleSetOptions/>
|
|
</Policy>
|
|
<Routing id="id4699575522254" name="Routing" comment="" ro="False" ipv4_rule_set="False" ipv6_rule_set="False" top_rule_set="True">
|
|
<RuleSetOptions/>
|
|
</Routing>
|
|
<Interface id="id4699575622254" dedicated_failover="False" dyn="False" security_level="100" unnum="False" unprotected="False" name="eth0" comment="" ro="False">
|
|
<IPv4 id="id4699575822254" name="firewall10-2:eth0:ip" comment="" ro="False" address="192.168.1.1" netmask="255.255.255.0"/>
|
|
<InterfaceOptions/>
|
|
</Interface>
|
|
<Interface id="id4699575922254" dedicated_failover="False" dyn="False" label="" mgmt="False" security_level="0" unnum="True" unprotected="False" name="enc0" comment="" ro="False">
|
|
<InterfaceOptions/>
|
|
</Interface>
|
|
<Interface id="id4699575A22254" dedicated_failover="False" dyn="False" label="" mgmt="False" security_level="100" unnum="False" unprotected="True" name="lo0" comment="" ro="False">
|
|
<IPv4 id="id4699575C22254" name="firewall10-2:lo0:ip" comment="" ro="False" address="127.0.0.1" netmask="255.0.0.0"/>
|
|
<InterfaceOptions/>
|
|
</Interface>
|
|
<Management address="127.0.0.1">
|
|
<SNMPManagement enabled="False" snmp_read_community="public" snmp_write_community=""/>
|
|
<FWBDManagement enabled="True" identity="" port="9999"/>
|
|
<PolicyInstallScript arguments="" command="" enabled="False"/>
|
|
</Management>
|
|
<FirewallOptions>
|
|
<Option name="accept_established">True</Option>
|
|
<Option name="accept_new_tcp_with_no_syn">False</Option>
|
|
<Option name="action_on_reject">ICMP net unreachable</Option>
|
|
<Option name="activationCmd"></Option>
|
|
<Option name="admUser"></Option>
|
|
<Option name="altAddress"></Option>
|
|
<Option name="check_shading">True</Option>
|
|
<Option name="clamp_mss_to_mtu">False</Option>
|
|
<Option name="cmdline"></Option>
|
|
<Option name="compiler"></Option>
|
|
<Option name="configure_interfaces">False</Option>
|
|
<Option name="debug">False</Option>
|
|
<Option name="dyn_addr">False</Option>
|
|
<Option name="epilog_script"></Option>
|
|
<Option name="fallback_log">False</Option>
|
|
<Option name="firewall_dir"></Option>
|
|
<Option name="firewall_is_part_of_any">True</Option>
|
|
<Option name="firewall_is_part_of_any_and_networks">True</Option>
|
|
<Option name="freebsd_path_ipf"></Option>
|
|
<Option name="freebsd_path_ipnat"></Option>
|
|
<Option name="freebsd_path_sysctl"></Option>
|
|
<Option name="ignore_empty_groups">False</Option>
|
|
<Option name="in_out_code">True</Option>
|
|
<Option name="inst_cmdline"></Option>
|
|
<Option name="inst_script"></Option>
|
|
<Option name="install_script"></Option>
|
|
<Option name="ipv4_6_order">ipv4_first</Option>
|
|
<Option name="limit_suffix">/day</Option>
|
|
<Option name="limit_value">0</Option>
|
|
<Option name="linux24_ip_forward">0</Option>
|
|
<Option name="linux24_tcp_fin_timeout">30</Option>
|
|
<Option name="linux24_tcp_keepalive_interval">1800</Option>
|
|
<Option name="load_modules">False</Option>
|
|
<Option name="log_all_dropped">False</Option>
|
|
<Option name="log_ip_opt">False</Option>
|
|
<Option name="log_level">debug</Option>
|
|
<Option name="log_limit_suffix">/second</Option>
|
|
<Option name="log_limit_value">0</Option>
|
|
<Option name="log_prefix"></Option>
|
|
<Option name="log_tcp_opt">False</Option>
|
|
<Option name="log_tcp_seq">False</Option>
|
|
<Option name="manage_virtual_addr">True</Option>
|
|
<Option name="mgmt_addr">192.168.1.100</Option>
|
|
<Option name="mgmt_ssh">True</Option>
|
|
<Option name="modulate_state">False</Option>
|
|
<Option name="no_iochains_for_any">False</Option>
|
|
<Option name="no_optimisation">False</Option>
|
|
<Option name="openbsd_path_pfctl"></Option>
|
|
<Option name="openbsd_path_sysctl"></Option>
|
|
<Option name="output_file"></Option>
|
|
<Option name="pass_all_out">False</Option>
|
|
<Option name="pf_adaptive_end">0</Option>
|
|
<Option name="pf_adaptive_start">0</Option>
|
|
<Option name="pf_do_limit_frags">False</Option>
|
|
<Option name="pf_do_limit_src_nodes">False</Option>
|
|
<Option name="pf_do_limit_states">False</Option>
|
|
<Option name="pf_do_limit_table_entries">False</Option>
|
|
<Option name="pf_do_limit_tables">False</Option>
|
|
<Option name="pf_do_scrub">True</Option>
|
|
<Option name="pf_do_timeout_frag">False</Option>
|
|
<Option name="pf_do_timeout_interval">False</Option>
|
|
<Option name="pf_flush_states">False</Option>
|
|
<Option name="pf_icmp_error">0</Option>
|
|
<Option name="pf_icmp_first">0</Option>
|
|
<Option name="pf_limit_frags">5000</Option>
|
|
<Option name="pf_limit_src_nodes">0</Option>
|
|
<Option name="pf_limit_states">10000</Option>
|
|
<Option name="pf_limit_table_entries">0</Option>
|
|
<Option name="pf_limit_tables">0</Option>
|
|
<Option name="pf_modulate_state">True</Option>
|
|
<Option name="pf_optimization"></Option>
|
|
<Option name="pf_other_first">0</Option>
|
|
<Option name="pf_other_multiple">0</Option>
|
|
<Option name="pf_other_single">0</Option>
|
|
<Option name="pf_scrub_fragm_crop">False</Option>
|
|
<Option name="pf_scrub_fragm_drop_ovl">False</Option>
|
|
<Option name="pf_scrub_maxmss">1460</Option>
|
|
<Option name="pf_scrub_minttl">1</Option>
|
|
<Option name="pf_scrub_no_df">False</Option>
|
|
<Option name="pf_scrub_random_id">False</Option>
|
|
<Option name="pf_scrub_reassemble">True</Option>
|
|
<Option name="pf_scrub_use_maxmss">False</Option>
|
|
<Option name="pf_scrub_use_minttl">False</Option>
|
|
<Option name="pf_set_adaptive">False</Option>
|
|
<Option name="pf_set_icmp_error">False</Option>
|
|
<Option name="pf_set_icmp_first">False</Option>
|
|
<Option name="pf_set_other_first">False</Option>
|
|
<Option name="pf_set_other_multiple">False</Option>
|
|
<Option name="pf_set_other_single">False</Option>
|
|
<Option name="pf_set_tcp_closed">False</Option>
|
|
<Option name="pf_set_tcp_closing">False</Option>
|
|
<Option name="pf_set_tcp_established">False</Option>
|
|
<Option name="pf_set_tcp_finwait">False</Option>
|
|
<Option name="pf_set_tcp_first">False</Option>
|
|
<Option name="pf_set_tcp_opening">False</Option>
|
|
<Option name="pf_set_udp_first">False</Option>
|
|
<Option name="pf_set_udp_multiple">False</Option>
|
|
<Option name="pf_set_udp_single">False</Option>
|
|
<Option name="pf_tcp_closed">0</Option>
|
|
<Option name="pf_tcp_closing">0</Option>
|
|
<Option name="pf_tcp_established">0</Option>
|
|
<Option name="pf_tcp_finwait">0</Option>
|
|
<Option name="pf_tcp_first">0</Option>
|
|
<Option name="pf_tcp_opening">0</Option>
|
|
<Option name="pf_timeout_frag">30</Option>
|
|
<Option name="pf_timeout_interval">10</Option>
|
|
<Option name="pf_udp_first">0</Option>
|
|
<Option name="pf_udp_multiple">0</Option>
|
|
<Option name="pf_udp_single">0</Option>
|
|
<Option name="platform">iptables</Option>
|
|
<Option name="prolog_place">fw_file</Option>
|
|
<Option name="prolog_script"></Option>
|
|
<Option name="proxy_arp">False</Option>
|
|
<Option name="scpArgs"></Option>
|
|
<Option name="script_env_path"></Option>
|
|
<Option name="snmp_contact"></Option>
|
|
<Option name="snmp_description"></Option>
|
|
<Option name="snmp_location"></Option>
|
|
<Option name="sshArgs"></Option>
|
|
<Option name="use_ip_tool">False</Option>
|
|
<Option name="use_numeric_log_levels">False</Option>
|
|
<Option name="use_tables">True</Option>
|
|
</FirewallOptions>
|
|
</Firewall>
|
|
<Firewall id="id469948EA22616" host_OS="openbsd" inactive="False" lastCompiled="1202682008" lastInstalled="0" lastModified="1202681977" platform="pf" version="3.x" name="firewall10-3" comment="PF 3.x, testing &quot;flags S/SA keep state&quot; &quot;Accept tcp sessions opened prior to restart&quot; ON " ro="False">
|
|
<NAT id="id4699492222616" name="NAT" comment="" ro="False" ipv4_rule_set="False" ipv6_rule_set="False" top_rule_set="True">
|
|
<NATRule id="id4699492322616" disabled="True" group="" position="0" action="Translate" comment="">
|
|
<OSrc neg="False">
|
|
<ObjectRef ref="net-Internal_net"/>
|
|
</OSrc>
|
|
<ODst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ODst>
|
|
<OSrv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</OSrv>
|
|
<TSrc neg="False">
|
|
<ObjectRef ref="id4699494322616"/>
|
|
</TSrc>
|
|
<TDst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</TDst>
|
|
<TSrv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</TSrv>
|
|
<ItfInb neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ItfInb>
|
|
<ItfOutb neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ItfOutb>
|
|
<NATRuleOptions/>
|
|
</NATRule>
|
|
<NATRule id="id4699493122616" disabled="False" group="" position="1" action="Translate" comment="">
|
|
<OSrc neg="False">
|
|
<ObjectRef ref="net-Internal_net"/>
|
|
</OSrc>
|
|
<ODst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ODst>
|
|
<OSrv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</OSrv>
|
|
<TSrc neg="False">
|
|
<ObjectRef ref="id469948EA22616"/>
|
|
</TSrc>
|
|
<TDst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</TDst>
|
|
<TSrv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</TSrv>
|
|
<ItfInb neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ItfInb>
|
|
<ItfOutb neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ItfOutb>
|
|
<NATRuleOptions/>
|
|
</NATRule>
|
|
<RuleSetOptions/>
|
|
</NAT>
|
|
<Policy id="id469948F022616" name="Policy" comment="" ro="False" ipv4_rule_set="False" ipv6_rule_set="False" top_rule_set="True">
|
|
<PolicyRule id="id469948F122616" disabled="False" group="" log="False" position="0" action="Accept" direction="Inbound" comment="">
|
|
<Src neg="False">
|
|
<ObjectRef ref="net-Internal_net"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="tcp-SSH"/>
|
|
<ServiceRef ref="tcp-HTTP"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="id4699494022616"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="pf_classify_str"></Option>
|
|
<Option name="stateless">False</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<PolicyRule id="id469948FE22616" disabled="False" group="" log="False" position="1" action="Accept" direction="Both" comment="">
|
|
<Src neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="id4699494422616"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="log_prefix"></Option>
|
|
<Option name="pf_classify_str"></Option>
|
|
<Option name="pf_keep_state">False</Option>
|
|
<Option name="pf_max_src_conn">0</Option>
|
|
<Option name="pf_max_src_conn_flush">False</Option>
|
|
<Option name="pf_max_src_conn_global">False</Option>
|
|
<Option name="pf_max_src_conn_overload_table"></Option>
|
|
<Option name="pf_max_src_conn_rate_flush">False</Option>
|
|
<Option name="pf_max_src_conn_rate_global">False</Option>
|
|
<Option name="pf_max_src_conn_rate_num">0</Option>
|
|
<Option name="pf_max_src_conn_rate_overload_table"></Option>
|
|
<Option name="pf_max_src_conn_rate_seconds">0</Option>
|
|
<Option name="pf_max_src_nodes">0</Option>
|
|
<Option name="pf_max_src_states">0</Option>
|
|
<Option name="pf_rule_max_state">0</Option>
|
|
<Option name="pf_source_tracking">False</Option>
|
|
<Option name="stateless">True</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<PolicyRule id="id4699490A22616" disabled="False" group="" log="False" position="2" action="Accept" direction="Both" comment="via ipsec">
|
|
<Src neg="False">
|
|
<ObjectRef ref="id3B665643"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="net-Internal_net"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="tcp-HTTP"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="id4699494322616"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="log_prefix"></Option>
|
|
<Option name="pf_classify_str"></Option>
|
|
<Option name="pf_keep_state">True</Option>
|
|
<Option name="pf_max_src_conn">0</Option>
|
|
<Option name="pf_max_src_conn_flush">False</Option>
|
|
<Option name="pf_max_src_conn_global">False</Option>
|
|
<Option name="pf_max_src_conn_overload_table"></Option>
|
|
<Option name="pf_max_src_conn_rate_flush">False</Option>
|
|
<Option name="pf_max_src_conn_rate_global">False</Option>
|
|
<Option name="pf_max_src_conn_rate_num">0</Option>
|
|
<Option name="pf_max_src_conn_rate_overload_table"></Option>
|
|
<Option name="pf_max_src_conn_rate_seconds">0</Option>
|
|
<Option name="pf_max_src_nodes">0</Option>
|
|
<Option name="pf_max_src_states">0</Option>
|
|
<Option name="pf_rule_max_state">0</Option>
|
|
<Option name="pf_source_tracking">False</Option>
|
|
<Option name="stateless">False</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<PolicyRule id="id4699491622616" disabled="False" group="" log="True" position="3" action="Deny" direction="Both" comment="">
|
|
<Src neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="pf_classify_str"></Option>
|
|
<Option name="stateless">True</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<RuleSetOptions/>
|
|
</Policy>
|
|
<Routing id="id4699493F22616" name="Routing" comment="" ro="False" ipv4_rule_set="False" ipv6_rule_set="False" top_rule_set="True">
|
|
<RuleSetOptions/>
|
|
</Routing>
|
|
<Interface id="id4699494022616" dedicated_failover="False" dyn="False" security_level="100" unnum="False" unprotected="False" name="eth0" comment="" ro="False">
|
|
<IPv4 id="id4699494222616" name="firewall10-3:eth0:ip" comment="" ro="False" address="192.168.1.1" netmask="255.255.255.0"/>
|
|
<InterfaceOptions/>
|
|
</Interface>
|
|
<Interface id="id4699494322616" dedicated_failover="False" dyn="False" label="" mgmt="False" security_level="0" unnum="True" unprotected="False" name="enc0" comment="" ro="False">
|
|
<InterfaceOptions/>
|
|
</Interface>
|
|
<Interface id="id4699494422616" dedicated_failover="False" dyn="False" label="" mgmt="False" security_level="100" unnum="False" unprotected="False" name="lo0" comment="" ro="False">
|
|
<IPv4 id="id4699494622616" name="firewall10-3:lo0:ip" comment="" ro="False" address="127.0.0.1" netmask="255.0.0.0"/>
|
|
<InterfaceOptions/>
|
|
</Interface>
|
|
<Management address="127.0.0.1">
|
|
<SNMPManagement enabled="False" snmp_read_community="public" snmp_write_community=""/>
|
|
<FWBDManagement enabled="True" identity="" port="9999"/>
|
|
<PolicyInstallScript arguments="" command="" enabled="False"/>
|
|
</Management>
|
|
<FirewallOptions>
|
|
<Option name="accept_established">True</Option>
|
|
<Option name="accept_new_tcp_with_no_syn">True</Option>
|
|
<Option name="action_on_reject">ICMP net unreachable</Option>
|
|
<Option name="activationCmd"></Option>
|
|
<Option name="admUser"></Option>
|
|
<Option name="altAddress"></Option>
|
|
<Option name="check_shading">True</Option>
|
|
<Option name="clamp_mss_to_mtu">False</Option>
|
|
<Option name="cmdline"></Option>
|
|
<Option name="compiler"></Option>
|
|
<Option name="configure_interfaces">False</Option>
|
|
<Option name="debug">False</Option>
|
|
<Option name="dyn_addr">False</Option>
|
|
<Option name="epilog_script"></Option>
|
|
<Option name="fallback_log">False</Option>
|
|
<Option name="firewall_dir"></Option>
|
|
<Option name="firewall_is_part_of_any">True</Option>
|
|
<Option name="firewall_is_part_of_any_and_networks">True</Option>
|
|
<Option name="freebsd_path_ipf"></Option>
|
|
<Option name="freebsd_path_ipnat"></Option>
|
|
<Option name="freebsd_path_sysctl"></Option>
|
|
<Option name="ignore_empty_groups">False</Option>
|
|
<Option name="in_out_code">True</Option>
|
|
<Option name="inst_cmdline"></Option>
|
|
<Option name="inst_script"></Option>
|
|
<Option name="install_script"></Option>
|
|
<Option name="limit_suffix">/day</Option>
|
|
<Option name="limit_value">0</Option>
|
|
<Option name="linux24_ip_forward">0</Option>
|
|
<Option name="linux24_tcp_fin_timeout">30</Option>
|
|
<Option name="linux24_tcp_keepalive_interval">1800</Option>
|
|
<Option name="load_modules">False</Option>
|
|
<Option name="log_all_dropped">False</Option>
|
|
<Option name="log_ip_opt">False</Option>
|
|
<Option name="log_level">debug</Option>
|
|
<Option name="log_limit_suffix">/second</Option>
|
|
<Option name="log_limit_value">0</Option>
|
|
<Option name="log_prefix"></Option>
|
|
<Option name="log_tcp_opt">False</Option>
|
|
<Option name="log_tcp_seq">False</Option>
|
|
<Option name="manage_virtual_addr">True</Option>
|
|
<Option name="mgmt_addr">192.168.1.100</Option>
|
|
<Option name="mgmt_ssh">True</Option>
|
|
<Option name="modulate_state">False</Option>
|
|
<Option name="no_iochains_for_any">False</Option>
|
|
<Option name="no_optimisation">False</Option>
|
|
<Option name="openbsd_path_pfctl"></Option>
|
|
<Option name="openbsd_path_sysctl"></Option>
|
|
<Option name="output_file"></Option>
|
|
<Option name="pass_all_out">False</Option>
|
|
<Option name="pf_adaptive_end">0</Option>
|
|
<Option name="pf_adaptive_start">0</Option>
|
|
<Option name="pf_do_limit_frags">False</Option>
|
|
<Option name="pf_do_limit_src_nodes">False</Option>
|
|
<Option name="pf_do_limit_states">False</Option>
|
|
<Option name="pf_do_limit_table_entries">False</Option>
|
|
<Option name="pf_do_limit_tables">False</Option>
|
|
<Option name="pf_do_scrub">True</Option>
|
|
<Option name="pf_do_timeout_frag">False</Option>
|
|
<Option name="pf_do_timeout_interval">False</Option>
|
|
<Option name="pf_icmp_error">0</Option>
|
|
<Option name="pf_icmp_first">0</Option>
|
|
<Option name="pf_limit_frags">5000</Option>
|
|
<Option name="pf_limit_src_nodes">0</Option>
|
|
<Option name="pf_limit_states">10000</Option>
|
|
<Option name="pf_limit_table_entries">0</Option>
|
|
<Option name="pf_limit_tables">0</Option>
|
|
<Option name="pf_optimization"></Option>
|
|
<Option name="pf_other_first">0</Option>
|
|
<Option name="pf_other_multiple">0</Option>
|
|
<Option name="pf_other_single">0</Option>
|
|
<Option name="pf_scrub_fragm_crop">False</Option>
|
|
<Option name="pf_scrub_fragm_drop_ovl">False</Option>
|
|
<Option name="pf_scrub_maxmss">1460</Option>
|
|
<Option name="pf_scrub_minttl">1</Option>
|
|
<Option name="pf_scrub_no_df">False</Option>
|
|
<Option name="pf_scrub_random_id">False</Option>
|
|
<Option name="pf_scrub_reassemble">True</Option>
|
|
<Option name="pf_scrub_use_maxmss">False</Option>
|
|
<Option name="pf_scrub_use_minttl">False</Option>
|
|
<Option name="pf_set_adaptive">False</Option>
|
|
<Option name="pf_set_icmp_error">False</Option>
|
|
<Option name="pf_set_icmp_first">False</Option>
|
|
<Option name="pf_set_other_first">False</Option>
|
|
<Option name="pf_set_other_multiple">False</Option>
|
|
<Option name="pf_set_other_single">False</Option>
|
|
<Option name="pf_set_tcp_closed">False</Option>
|
|
<Option name="pf_set_tcp_closing">False</Option>
|
|
<Option name="pf_set_tcp_established">False</Option>
|
|
<Option name="pf_set_tcp_finwait">False</Option>
|
|
<Option name="pf_set_tcp_first">False</Option>
|
|
<Option name="pf_set_tcp_opening">False</Option>
|
|
<Option name="pf_set_udp_first">False</Option>
|
|
<Option name="pf_set_udp_multiple">False</Option>
|
|
<Option name="pf_set_udp_single">False</Option>
|
|
<Option name="pf_tcp_closed">0</Option>
|
|
<Option name="pf_tcp_closing">0</Option>
|
|
<Option name="pf_tcp_established">0</Option>
|
|
<Option name="pf_tcp_finwait">0</Option>
|
|
<Option name="pf_tcp_first">0</Option>
|
|
<Option name="pf_tcp_opening">0</Option>
|
|
<Option name="pf_timeout_frag">30</Option>
|
|
<Option name="pf_timeout_interval">10</Option>
|
|
<Option name="pf_udp_first">0</Option>
|
|
<Option name="pf_udp_multiple">0</Option>
|
|
<Option name="pf_udp_single">0</Option>
|
|
<Option name="platform">iptables</Option>
|
|
<Option name="prolog_place">fw_file</Option>
|
|
<Option name="prolog_script"></Option>
|
|
<Option name="proxy_arp">False</Option>
|
|
<Option name="script_env_path"></Option>
|
|
<Option name="snmp_contact"></Option>
|
|
<Option name="snmp_description"></Option>
|
|
<Option name="snmp_location"></Option>
|
|
<Option name="sshArgs"></Option>
|
|
<Option name="use_ip_tool">False</Option>
|
|
<Option name="use_numeric_log_levels">False</Option>
|
|
<Option name="use_tables">True</Option>
|
|
</FirewallOptions>
|
|
</Firewall>
|
|
<Firewall id="id4699494C22616" host_OS="openbsd" inactive="False" lastCompiled="1202682010" lastInstalled="0" lastModified="1305064201" platform="pf" version="4.0" name="firewall10-4" comment="PF 4.x, testing &quot;flags S/SA keep state&quot; &quot;Accept tcp sessions opened prior to restart&quot; is ON " ro="False">
|
|
<NAT id="id4699498422616" name="NAT" comment="" ro="False" ipv4_rule_set="False" ipv6_rule_set="False" top_rule_set="True">
|
|
<NATRule id="id4699498522616" disabled="True" group="" position="0" action="Translate" comment="">
|
|
<OSrc neg="False">
|
|
<ObjectRef ref="net-Internal_net"/>
|
|
</OSrc>
|
|
<ODst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ODst>
|
|
<OSrv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</OSrv>
|
|
<TSrc neg="False">
|
|
<ObjectRef ref="id469949A522616"/>
|
|
</TSrc>
|
|
<TDst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</TDst>
|
|
<TSrv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</TSrv>
|
|
<ItfInb neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ItfInb>
|
|
<ItfOutb neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ItfOutb>
|
|
<NATRuleOptions/>
|
|
</NATRule>
|
|
<NATRule id="id4699499322616" disabled="False" group="" position="1" action="Translate" comment="">
|
|
<OSrc neg="False">
|
|
<ObjectRef ref="net-Internal_net"/>
|
|
</OSrc>
|
|
<ODst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ODst>
|
|
<OSrv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</OSrv>
|
|
<TSrc neg="False">
|
|
<ObjectRef ref="id4699494C22616"/>
|
|
</TSrc>
|
|
<TDst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</TDst>
|
|
<TSrv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</TSrv>
|
|
<ItfInb neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ItfInb>
|
|
<ItfOutb neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ItfOutb>
|
|
<NATRuleOptions/>
|
|
</NATRule>
|
|
<RuleSetOptions/>
|
|
</NAT>
|
|
<Policy id="id4699495222616" name="Policy" comment="" ro="False" ipv4_rule_set="False" ipv6_rule_set="False" top_rule_set="True">
|
|
<PolicyRule id="id4699495322616" disabled="False" group="" log="False" position="0" action="Accept" direction="Inbound" comment="">
|
|
<Src neg="False">
|
|
<ObjectRef ref="net-Internal_net"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="tcp-SSH"/>
|
|
<ServiceRef ref="tcp-HTTP"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="id469949A222616"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="pf_classify_str"></Option>
|
|
<Option name="stateless">False</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<PolicyRule id="id4699496022616" disabled="False" group="" log="False" position="1" action="Accept" direction="Both" comment="">
|
|
<Src neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="id469949A622616"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="log_prefix"></Option>
|
|
<Option name="pf_classify_str"></Option>
|
|
<Option name="pf_keep_state">False</Option>
|
|
<Option name="pf_max_src_conn">0</Option>
|
|
<Option name="pf_max_src_conn_flush">False</Option>
|
|
<Option name="pf_max_src_conn_global">False</Option>
|
|
<Option name="pf_max_src_conn_overload_table"></Option>
|
|
<Option name="pf_max_src_conn_rate_flush">False</Option>
|
|
<Option name="pf_max_src_conn_rate_global">False</Option>
|
|
<Option name="pf_max_src_conn_rate_num">0</Option>
|
|
<Option name="pf_max_src_conn_rate_overload_table"></Option>
|
|
<Option name="pf_max_src_conn_rate_seconds">0</Option>
|
|
<Option name="pf_max_src_nodes">0</Option>
|
|
<Option name="pf_max_src_states">0</Option>
|
|
<Option name="pf_rule_max_state">0</Option>
|
|
<Option name="pf_source_tracking">False</Option>
|
|
<Option name="stateless">True</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<PolicyRule id="id4699496C22616" disabled="False" group="" log="False" position="2" action="Accept" direction="Both" comment="via ipsec">
|
|
<Src neg="False">
|
|
<ObjectRef ref="id3B665643"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="net-Internal_net"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="tcp-HTTP"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="id469949A522616"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="log_prefix"></Option>
|
|
<Option name="pf_classify_str"></Option>
|
|
<Option name="pf_keep_state">True</Option>
|
|
<Option name="pf_max_src_conn">0</Option>
|
|
<Option name="pf_max_src_conn_flush">False</Option>
|
|
<Option name="pf_max_src_conn_global">False</Option>
|
|
<Option name="pf_max_src_conn_overload_table"></Option>
|
|
<Option name="pf_max_src_conn_rate_flush">False</Option>
|
|
<Option name="pf_max_src_conn_rate_global">False</Option>
|
|
<Option name="pf_max_src_conn_rate_num">0</Option>
|
|
<Option name="pf_max_src_conn_rate_overload_table"></Option>
|
|
<Option name="pf_max_src_conn_rate_seconds">0</Option>
|
|
<Option name="pf_max_src_nodes">0</Option>
|
|
<Option name="pf_max_src_states">0</Option>
|
|
<Option name="pf_rule_max_state">0</Option>
|
|
<Option name="pf_source_tracking">False</Option>
|
|
<Option name="stateless">False</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<PolicyRule id="id4699497822616" disabled="False" group="" log="True" position="3" action="Deny" direction="Both" comment="">
|
|
<Src neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="pf_classify_str"></Option>
|
|
<Option name="stateless">True</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<RuleSetOptions/>
|
|
</Policy>
|
|
<Routing id="id469949A122616" name="Routing" comment="" ro="False" ipv4_rule_set="False" ipv6_rule_set="False" top_rule_set="True">
|
|
<RuleSetOptions/>
|
|
</Routing>
|
|
<Interface id="id469949A222616" dedicated_failover="False" dyn="False" security_level="100" unnum="False" unprotected="False" name="eth0" comment="" ro="False">
|
|
<IPv4 id="id469949A422616" name="firewall10-4:eth0:ip" comment="" ro="False" address="192.168.1.1" netmask="255.255.255.0"/>
|
|
<InterfaceOptions/>
|
|
</Interface>
|
|
<Interface id="id469949A522616" dedicated_failover="False" dyn="False" label="" mgmt="False" security_level="0" unnum="True" unprotected="False" name="enc0" comment="" ro="False">
|
|
<InterfaceOptions/>
|
|
</Interface>
|
|
<Interface id="id469949A622616" dedicated_failover="False" dyn="False" label="" mgmt="False" security_level="100" unnum="False" unprotected="True" name="lo0" comment="" ro="False">
|
|
<IPv4 id="id469949A822616" name="firewall10-4:lo0:ip" comment="" ro="False" address="127.0.0.1" netmask="255.0.0.0"/>
|
|
<InterfaceOptions/>
|
|
</Interface>
|
|
<Management address="127.0.0.1">
|
|
<SNMPManagement enabled="False" snmp_read_community="public" snmp_write_community=""/>
|
|
<FWBDManagement enabled="True" identity="" port="9999"/>
|
|
<PolicyInstallScript arguments="" command="" enabled="False"/>
|
|
</Management>
|
|
<FirewallOptions>
|
|
<Option name="accept_established">True</Option>
|
|
<Option name="accept_new_tcp_with_no_syn">True</Option>
|
|
<Option name="action_on_reject">ICMP net unreachable</Option>
|
|
<Option name="activationCmd"></Option>
|
|
<Option name="admUser"></Option>
|
|
<Option name="altAddress"></Option>
|
|
<Option name="check_shading">True</Option>
|
|
<Option name="clamp_mss_to_mtu">False</Option>
|
|
<Option name="cmdline"></Option>
|
|
<Option name="compiler"></Option>
|
|
<Option name="configure_interfaces">False</Option>
|
|
<Option name="debug">False</Option>
|
|
<Option name="dyn_addr">False</Option>
|
|
<Option name="epilog_script"></Option>
|
|
<Option name="fallback_log">False</Option>
|
|
<Option name="firewall_dir"></Option>
|
|
<Option name="firewall_is_part_of_any">True</Option>
|
|
<Option name="firewall_is_part_of_any_and_networks">True</Option>
|
|
<Option name="freebsd_path_ipf"></Option>
|
|
<Option name="freebsd_path_ipnat"></Option>
|
|
<Option name="freebsd_path_sysctl"></Option>
|
|
<Option name="ignore_empty_groups">False</Option>
|
|
<Option name="in_out_code">True</Option>
|
|
<Option name="inst_cmdline"></Option>
|
|
<Option name="inst_script"></Option>
|
|
<Option name="install_script"></Option>
|
|
<Option name="limit_suffix">/day</Option>
|
|
<Option name="limit_value">0</Option>
|
|
<Option name="linux24_ip_forward">0</Option>
|
|
<Option name="linux24_tcp_fin_timeout">30</Option>
|
|
<Option name="linux24_tcp_keepalive_interval">1800</Option>
|
|
<Option name="load_modules">False</Option>
|
|
<Option name="log_all_dropped">False</Option>
|
|
<Option name="log_ip_opt">False</Option>
|
|
<Option name="log_level">debug</Option>
|
|
<Option name="log_limit_suffix">/second</Option>
|
|
<Option name="log_limit_value">0</Option>
|
|
<Option name="log_prefix"></Option>
|
|
<Option name="log_tcp_opt">False</Option>
|
|
<Option name="log_tcp_seq">False</Option>
|
|
<Option name="manage_virtual_addr">True</Option>
|
|
<Option name="mgmt_addr">192.168.1.100</Option>
|
|
<Option name="mgmt_ssh">True</Option>
|
|
<Option name="modulate_state">False</Option>
|
|
<Option name="no_iochains_for_any">False</Option>
|
|
<Option name="no_optimisation">False</Option>
|
|
<Option name="openbsd_path_pfctl"></Option>
|
|
<Option name="openbsd_path_sysctl"></Option>
|
|
<Option name="output_file"></Option>
|
|
<Option name="pass_all_out">False</Option>
|
|
<Option name="pf_adaptive_end">0</Option>
|
|
<Option name="pf_adaptive_start">0</Option>
|
|
<Option name="pf_do_limit_frags">False</Option>
|
|
<Option name="pf_do_limit_src_nodes">False</Option>
|
|
<Option name="pf_do_limit_states">False</Option>
|
|
<Option name="pf_do_limit_table_entries">False</Option>
|
|
<Option name="pf_do_limit_tables">False</Option>
|
|
<Option name="pf_do_scrub">True</Option>
|
|
<Option name="pf_do_timeout_frag">False</Option>
|
|
<Option name="pf_do_timeout_interval">False</Option>
|
|
<Option name="pf_icmp_error">0</Option>
|
|
<Option name="pf_icmp_first">0</Option>
|
|
<Option name="pf_limit_frags">5000</Option>
|
|
<Option name="pf_limit_src_nodes">0</Option>
|
|
<Option name="pf_limit_states">10000</Option>
|
|
<Option name="pf_limit_table_entries">0</Option>
|
|
<Option name="pf_limit_tables">0</Option>
|
|
<Option name="pf_optimization"></Option>
|
|
<Option name="pf_other_first">0</Option>
|
|
<Option name="pf_other_multiple">0</Option>
|
|
<Option name="pf_other_single">0</Option>
|
|
<Option name="pf_scrub_fragm_crop">False</Option>
|
|
<Option name="pf_scrub_fragm_drop_ovl">False</Option>
|
|
<Option name="pf_scrub_maxmss">1460</Option>
|
|
<Option name="pf_scrub_minttl">1</Option>
|
|
<Option name="pf_scrub_no_df">False</Option>
|
|
<Option name="pf_scrub_random_id">False</Option>
|
|
<Option name="pf_scrub_reassemble">True</Option>
|
|
<Option name="pf_scrub_use_maxmss">False</Option>
|
|
<Option name="pf_scrub_use_minttl">False</Option>
|
|
<Option name="pf_set_adaptive">False</Option>
|
|
<Option name="pf_set_icmp_error">False</Option>
|
|
<Option name="pf_set_icmp_first">False</Option>
|
|
<Option name="pf_set_other_first">False</Option>
|
|
<Option name="pf_set_other_multiple">False</Option>
|
|
<Option name="pf_set_other_single">False</Option>
|
|
<Option name="pf_set_tcp_closed">False</Option>
|
|
<Option name="pf_set_tcp_closing">False</Option>
|
|
<Option name="pf_set_tcp_established">False</Option>
|
|
<Option name="pf_set_tcp_finwait">False</Option>
|
|
<Option name="pf_set_tcp_first">False</Option>
|
|
<Option name="pf_set_tcp_opening">False</Option>
|
|
<Option name="pf_set_udp_first">False</Option>
|
|
<Option name="pf_set_udp_multiple">False</Option>
|
|
<Option name="pf_set_udp_single">False</Option>
|
|
<Option name="pf_tcp_closed">0</Option>
|
|
<Option name="pf_tcp_closing">0</Option>
|
|
<Option name="pf_tcp_established">0</Option>
|
|
<Option name="pf_tcp_finwait">0</Option>
|
|
<Option name="pf_tcp_first">0</Option>
|
|
<Option name="pf_tcp_opening">0</Option>
|
|
<Option name="pf_timeout_frag">30</Option>
|
|
<Option name="pf_timeout_interval">10</Option>
|
|
<Option name="pf_udp_first">0</Option>
|
|
<Option name="pf_udp_multiple">0</Option>
|
|
<Option name="pf_udp_single">0</Option>
|
|
<Option name="platform">iptables</Option>
|
|
<Option name="prolog_place">fw_file</Option>
|
|
<Option name="prolog_script"></Option>
|
|
<Option name="proxy_arp">False</Option>
|
|
<Option name="script_env_path"></Option>
|
|
<Option name="snmp_contact"></Option>
|
|
<Option name="snmp_description"></Option>
|
|
<Option name="snmp_location"></Option>
|
|
<Option name="sshArgs"></Option>
|
|
<Option name="use_ip_tool">False</Option>
|
|
<Option name="use_numeric_log_levels">False</Option>
|
|
<Option name="use_tables">True</Option>
|
|
</FirewallOptions>
|
|
</Firewall>
|
|
<Firewall id="id46F605DE10002" host_OS="openbsd" inactive="False" lastCompiled="1202682011" lastInstalled="0" lastModified="1202681989" platform="pf" version="3.x" name="firewall10-5" comment="PF 3.x, testing &quot;flags S/SA keep state&quot; &quot;Accept tcp sessions opened prior to restart&quot; ON Using &quot;pass all outgoing&quot; " ro="False">
|
|
<NAT id="id46F6061610002" name="NAT" comment="" ro="False" ipv4_rule_set="False" ipv6_rule_set="False" top_rule_set="True">
|
|
<NATRule id="id46F6061710002" disabled="True" group="" position="0" action="Translate" comment="">
|
|
<OSrc neg="False">
|
|
<ObjectRef ref="net-Internal_net"/>
|
|
</OSrc>
|
|
<ODst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ODst>
|
|
<OSrv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</OSrv>
|
|
<TSrc neg="False">
|
|
<ObjectRef ref="id46F6063710002"/>
|
|
</TSrc>
|
|
<TDst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</TDst>
|
|
<TSrv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</TSrv>
|
|
<ItfInb neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ItfInb>
|
|
<ItfOutb neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ItfOutb>
|
|
<NATRuleOptions/>
|
|
</NATRule>
|
|
<NATRule id="id46F6062510002" disabled="False" group="" position="1" action="Translate" comment="">
|
|
<OSrc neg="False">
|
|
<ObjectRef ref="net-Internal_net"/>
|
|
</OSrc>
|
|
<ODst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ODst>
|
|
<OSrv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</OSrv>
|
|
<TSrc neg="False">
|
|
<ObjectRef ref="id46F605DE10002"/>
|
|
</TSrc>
|
|
<TDst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</TDst>
|
|
<TSrv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</TSrv>
|
|
<ItfInb neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ItfInb>
|
|
<ItfOutb neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ItfOutb>
|
|
<NATRuleOptions/>
|
|
</NATRule>
|
|
<RuleSetOptions/>
|
|
</NAT>
|
|
<Policy id="id46F605E410002" name="Policy" comment="" ro="False" ipv4_rule_set="False" ipv6_rule_set="False" top_rule_set="True">
|
|
<PolicyRule id="id46F6520210002" disabled="False" group="" log="False" position="0" action="Accept" direction="Outbound" comment="This adds &quot;pass out ... keep state&quot; rule that compiler 2.1.14 does not add automatically for pf 3.x Note that checkbox &quot;add 'keep state'&quot; is on in options ">
|
|
<Src neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="id46F6063710002"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="log_prefix"></Option>
|
|
<Option name="pf_classify_str"></Option>
|
|
<Option name="pf_keep_state">True</Option>
|
|
<Option name="pf_max_src_conn">0</Option>
|
|
<Option name="pf_max_src_conn_flush">False</Option>
|
|
<Option name="pf_max_src_conn_global">False</Option>
|
|
<Option name="pf_max_src_conn_overload_table"></Option>
|
|
<Option name="pf_max_src_conn_rate_flush">False</Option>
|
|
<Option name="pf_max_src_conn_rate_global">False</Option>
|
|
<Option name="pf_max_src_conn_rate_num">0</Option>
|
|
<Option name="pf_max_src_conn_rate_overload_table"></Option>
|
|
<Option name="pf_max_src_conn_rate_seconds">0</Option>
|
|
<Option name="pf_max_src_nodes">0</Option>
|
|
<Option name="pf_max_src_states">0</Option>
|
|
<Option name="pf_rule_max_state">0</Option>
|
|
<Option name="pf_source_tracking">False</Option>
|
|
<Option name="stateless">False</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<PolicyRule id="id46F605E510002" disabled="False" group="" log="False" position="1" action="Accept" direction="Inbound" comment="">
|
|
<Src neg="False">
|
|
<ObjectRef ref="net-Internal_net"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="tcp-SSH"/>
|
|
<ServiceRef ref="tcp-HTTP"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="id46F6063410002"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="pf_classify_str"></Option>
|
|
<Option name="stateless">False</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<PolicyRule id="id46F605F210002" disabled="False" group="" log="False" position="2" action="Accept" direction="Both" comment="">
|
|
<Src neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="id46F6063810002"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="log_prefix"></Option>
|
|
<Option name="pf_classify_str"></Option>
|
|
<Option name="pf_keep_state">False</Option>
|
|
<Option name="pf_max_src_conn">0</Option>
|
|
<Option name="pf_max_src_conn_flush">False</Option>
|
|
<Option name="pf_max_src_conn_global">False</Option>
|
|
<Option name="pf_max_src_conn_overload_table"></Option>
|
|
<Option name="pf_max_src_conn_rate_flush">False</Option>
|
|
<Option name="pf_max_src_conn_rate_global">False</Option>
|
|
<Option name="pf_max_src_conn_rate_num">0</Option>
|
|
<Option name="pf_max_src_conn_rate_overload_table"></Option>
|
|
<Option name="pf_max_src_conn_rate_seconds">0</Option>
|
|
<Option name="pf_max_src_nodes">0</Option>
|
|
<Option name="pf_max_src_states">0</Option>
|
|
<Option name="pf_rule_max_state">0</Option>
|
|
<Option name="pf_source_tracking">False</Option>
|
|
<Option name="stateless">True</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<PolicyRule id="id46F605FE10002" disabled="False" group="" log="False" position="3" action="Accept" direction="Both" comment="via ipsec">
|
|
<Src neg="False">
|
|
<ObjectRef ref="id3B665643"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="net-Internal_net"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="tcp-HTTP"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="id46F6063710002"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="log_prefix"></Option>
|
|
<Option name="pf_classify_str"></Option>
|
|
<Option name="pf_keep_state">True</Option>
|
|
<Option name="pf_max_src_conn">0</Option>
|
|
<Option name="pf_max_src_conn_flush">False</Option>
|
|
<Option name="pf_max_src_conn_global">False</Option>
|
|
<Option name="pf_max_src_conn_overload_table"></Option>
|
|
<Option name="pf_max_src_conn_rate_flush">False</Option>
|
|
<Option name="pf_max_src_conn_rate_global">False</Option>
|
|
<Option name="pf_max_src_conn_rate_num">0</Option>
|
|
<Option name="pf_max_src_conn_rate_overload_table"></Option>
|
|
<Option name="pf_max_src_conn_rate_seconds">0</Option>
|
|
<Option name="pf_max_src_nodes">0</Option>
|
|
<Option name="pf_max_src_states">0</Option>
|
|
<Option name="pf_rule_max_state">0</Option>
|
|
<Option name="pf_source_tracking">False</Option>
|
|
<Option name="stateless">False</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<PolicyRule id="id46F6060A10002" disabled="False" group="" log="True" position="4" action="Deny" direction="Both" comment="">
|
|
<Src neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="pf_classify_str"></Option>
|
|
<Option name="stateless">True</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<RuleSetOptions/>
|
|
</Policy>
|
|
<Routing id="id46F6063310002" name="Routing" comment="" ro="False" ipv4_rule_set="False" ipv6_rule_set="False" top_rule_set="True">
|
|
<RuleSetOptions/>
|
|
</Routing>
|
|
<Interface id="id46F6063410002" dedicated_failover="False" dyn="False" security_level="100" unnum="False" unprotected="False" name="eth0" comment="" ro="False">
|
|
<IPv4 id="id46F6063610002" name="firewall10-5:eth0:ip" comment="" ro="False" address="192.168.1.1" netmask="255.255.255.0"/>
|
|
<InterfaceOptions/>
|
|
</Interface>
|
|
<Interface id="id46F6063710002" dedicated_failover="False" dyn="False" label="" mgmt="False" security_level="0" unnum="True" unprotected="False" name="enc0" comment="" ro="False">
|
|
<InterfaceOptions/>
|
|
</Interface>
|
|
<Interface id="id46F6063810002" dedicated_failover="False" dyn="False" label="" mgmt="False" security_level="100" unnum="False" unprotected="False" name="lo0" comment="" ro="False">
|
|
<IPv4 id="id46F6063A10002" name="firewall10-5:lo0:ip" comment="" ro="False" address="127.0.0.1" netmask="255.0.0.0"/>
|
|
<InterfaceOptions/>
|
|
</Interface>
|
|
<Management address="127.0.0.1">
|
|
<SNMPManagement enabled="False" snmp_read_community="public" snmp_write_community=""/>
|
|
<FWBDManagement enabled="True" identity="" port="9999"/>
|
|
<PolicyInstallScript arguments="" command="" enabled="False"/>
|
|
</Management>
|
|
<FirewallOptions>
|
|
<Option name="accept_established">True</Option>
|
|
<Option name="accept_new_tcp_with_no_syn">True</Option>
|
|
<Option name="action_on_reject">ICMP net unreachable</Option>
|
|
<Option name="activationCmd"></Option>
|
|
<Option name="admUser"></Option>
|
|
<Option name="altAddress"></Option>
|
|
<Option name="check_shading">False</Option>
|
|
<Option name="clamp_mss_to_mtu">False</Option>
|
|
<Option name="cmdline"></Option>
|
|
<Option name="compiler"></Option>
|
|
<Option name="configure_interfaces">False</Option>
|
|
<Option name="debug">False</Option>
|
|
<Option name="dyn_addr">False</Option>
|
|
<Option name="epilog_script"></Option>
|
|
<Option name="fallback_log">False</Option>
|
|
<Option name="firewall_dir"></Option>
|
|
<Option name="firewall_is_part_of_any">True</Option>
|
|
<Option name="firewall_is_part_of_any_and_networks">True</Option>
|
|
<Option name="freebsd_path_ipf"></Option>
|
|
<Option name="freebsd_path_ipnat"></Option>
|
|
<Option name="freebsd_path_sysctl"></Option>
|
|
<Option name="ignore_empty_groups">False</Option>
|
|
<Option name="in_out_code">False</Option>
|
|
<Option name="inst_cmdline"></Option>
|
|
<Option name="inst_script"></Option>
|
|
<Option name="install_script"></Option>
|
|
<Option name="limit_suffix">/day</Option>
|
|
<Option name="limit_value">0</Option>
|
|
<Option name="linux24_ip_forward">0</Option>
|
|
<Option name="linux24_tcp_fin_timeout">30</Option>
|
|
<Option name="linux24_tcp_keepalive_interval">1800</Option>
|
|
<Option name="load_modules">False</Option>
|
|
<Option name="log_all_dropped">False</Option>
|
|
<Option name="log_ip_opt">False</Option>
|
|
<Option name="log_level">debug</Option>
|
|
<Option name="log_limit_suffix">/second</Option>
|
|
<Option name="log_limit_value">0</Option>
|
|
<Option name="log_prefix"></Option>
|
|
<Option name="log_tcp_opt">False</Option>
|
|
<Option name="log_tcp_seq">False</Option>
|
|
<Option name="manage_virtual_addr">True</Option>
|
|
<Option name="mgmt_addr">192.168.1.100</Option>
|
|
<Option name="mgmt_ssh">True</Option>
|
|
<Option name="modulate_state">False</Option>
|
|
<Option name="no_iochains_for_any">False</Option>
|
|
<Option name="no_optimisation">False</Option>
|
|
<Option name="openbsd_path_pfctl"></Option>
|
|
<Option name="openbsd_path_sysctl"></Option>
|
|
<Option name="output_file"></Option>
|
|
<Option name="pass_all_out">True</Option>
|
|
<Option name="pf_adaptive_end">0</Option>
|
|
<Option name="pf_adaptive_start">0</Option>
|
|
<Option name="pf_do_limit_frags">False</Option>
|
|
<Option name="pf_do_limit_src_nodes">False</Option>
|
|
<Option name="pf_do_limit_states">False</Option>
|
|
<Option name="pf_do_limit_table_entries">False</Option>
|
|
<Option name="pf_do_limit_tables">False</Option>
|
|
<Option name="pf_do_scrub">True</Option>
|
|
<Option name="pf_do_timeout_frag">False</Option>
|
|
<Option name="pf_do_timeout_interval">False</Option>
|
|
<Option name="pf_icmp_error">0</Option>
|
|
<Option name="pf_icmp_first">0</Option>
|
|
<Option name="pf_limit_frags">5000</Option>
|
|
<Option name="pf_limit_src_nodes">0</Option>
|
|
<Option name="pf_limit_states">10000</Option>
|
|
<Option name="pf_limit_table_entries">0</Option>
|
|
<Option name="pf_limit_tables">0</Option>
|
|
<Option name="pf_optimization"></Option>
|
|
<Option name="pf_other_first">0</Option>
|
|
<Option name="pf_other_multiple">0</Option>
|
|
<Option name="pf_other_single">0</Option>
|
|
<Option name="pf_scrub_fragm_crop">False</Option>
|
|
<Option name="pf_scrub_fragm_drop_ovl">False</Option>
|
|
<Option name="pf_scrub_maxmss">1460</Option>
|
|
<Option name="pf_scrub_minttl">1</Option>
|
|
<Option name="pf_scrub_no_df">False</Option>
|
|
<Option name="pf_scrub_random_id">False</Option>
|
|
<Option name="pf_scrub_reassemble">True</Option>
|
|
<Option name="pf_scrub_use_maxmss">False</Option>
|
|
<Option name="pf_scrub_use_minttl">False</Option>
|
|
<Option name="pf_set_adaptive">False</Option>
|
|
<Option name="pf_set_icmp_error">False</Option>
|
|
<Option name="pf_set_icmp_first">False</Option>
|
|
<Option name="pf_set_other_first">False</Option>
|
|
<Option name="pf_set_other_multiple">False</Option>
|
|
<Option name="pf_set_other_single">False</Option>
|
|
<Option name="pf_set_tcp_closed">False</Option>
|
|
<Option name="pf_set_tcp_closing">False</Option>
|
|
<Option name="pf_set_tcp_established">False</Option>
|
|
<Option name="pf_set_tcp_finwait">False</Option>
|
|
<Option name="pf_set_tcp_first">False</Option>
|
|
<Option name="pf_set_tcp_opening">False</Option>
|
|
<Option name="pf_set_udp_first">False</Option>
|
|
<Option name="pf_set_udp_multiple">False</Option>
|
|
<Option name="pf_set_udp_single">False</Option>
|
|
<Option name="pf_tcp_closed">0</Option>
|
|
<Option name="pf_tcp_closing">0</Option>
|
|
<Option name="pf_tcp_established">0</Option>
|
|
<Option name="pf_tcp_finwait">0</Option>
|
|
<Option name="pf_tcp_first">0</Option>
|
|
<Option name="pf_tcp_opening">0</Option>
|
|
<Option name="pf_timeout_frag">30</Option>
|
|
<Option name="pf_timeout_interval">10</Option>
|
|
<Option name="pf_udp_first">0</Option>
|
|
<Option name="pf_udp_multiple">0</Option>
|
|
<Option name="pf_udp_single">0</Option>
|
|
<Option name="platform">iptables</Option>
|
|
<Option name="prolog_place">fw_file</Option>
|
|
<Option name="prolog_script"></Option>
|
|
<Option name="proxy_arp">False</Option>
|
|
<Option name="script_env_path"></Option>
|
|
<Option name="snmp_contact"></Option>
|
|
<Option name="snmp_description"></Option>
|
|
<Option name="snmp_location"></Option>
|
|
<Option name="sshArgs"></Option>
|
|
<Option name="use_ip_tool">False</Option>
|
|
<Option name="use_numeric_log_levels">False</Option>
|
|
<Option name="use_tables">True</Option>
|
|
</FirewallOptions>
|
|
</Firewall>
|
|
<Firewall id="id46F6064010002" host_OS="openbsd" inactive="False" lastCompiled="1202682012" lastInstalled="0" lastModified="1305064206" platform="pf" version="4.0" name="firewall10-6" comment="PF 4.x, testing &quot;flags S/SA keep state&quot; &quot;Accept tcp sessions opened prior to restart&quot; is ON Using &quot;pass all outgoing&quot; " ro="False">
|
|
<NAT id="id46F6067810002" name="NAT" comment="" ro="False" ipv4_rule_set="False" ipv6_rule_set="False" top_rule_set="True">
|
|
<NATRule id="id46F6067910002" disabled="True" group="" position="0" action="Translate" comment="">
|
|
<OSrc neg="False">
|
|
<ObjectRef ref="net-Internal_net"/>
|
|
</OSrc>
|
|
<ODst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ODst>
|
|
<OSrv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</OSrv>
|
|
<TSrc neg="False">
|
|
<ObjectRef ref="id46F6069910002"/>
|
|
</TSrc>
|
|
<TDst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</TDst>
|
|
<TSrv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</TSrv>
|
|
<ItfInb neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ItfInb>
|
|
<ItfOutb neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ItfOutb>
|
|
<NATRuleOptions/>
|
|
</NATRule>
|
|
<NATRule id="id46F6068710002" disabled="False" group="" position="1" action="Translate" comment="">
|
|
<OSrc neg="False">
|
|
<ObjectRef ref="net-Internal_net"/>
|
|
</OSrc>
|
|
<ODst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ODst>
|
|
<OSrv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</OSrv>
|
|
<TSrc neg="False">
|
|
<ObjectRef ref="id46F6064010002"/>
|
|
</TSrc>
|
|
<TDst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</TDst>
|
|
<TSrv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</TSrv>
|
|
<ItfInb neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ItfInb>
|
|
<ItfOutb neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ItfOutb>
|
|
<NATRuleOptions/>
|
|
</NATRule>
|
|
<RuleSetOptions/>
|
|
</NAT>
|
|
<!-- Top-level policy rule set (ipv4_rule_set="False" ipv6_rule_set="False", top_rule_set="True").
     Rules by position:
       0 Accept  net-Internal_net to Any, SSH + HTTP, inbound on eth0 (id46F6069610002), stateless=False
       1 Accept  Any to Any, any service, both directions on lo0 (id46F6069A10002), stateless=True
       2 Accept  id3B665643 to net-Internal_net, HTTP, both directions on enc0 (id46F6069910002),
                 pf_keep_state=True, author comment "via ipsec"
       3 Deny    Any to Any, any service, any interface, log="True", stateless=True (catch-all)
     Only rule 3 is logged; rules 0-2 have log="False". Rules 0 and 3 carry a reduced
     PolicyRuleOptions set (no pf_* limits), rules 1 and 2 carry the full pf_* set with all
     limits at 0/False. -->
<Policy id="id46F6064610002" name="Policy" comment="" ro="False" ipv4_rule_set="False" ipv6_rule_set="False" top_rule_set="True">
|
|
<!-- Rule 0: inbound SSH/HTTP from the internal network to anywhere, on eth0. -->
<PolicyRule id="id46F6064710002" disabled="False" group="" log="False" position="0" action="Accept" direction="Inbound" comment="">
|
|
<Src neg="False">
|
|
<ObjectRef ref="net-Internal_net"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="tcp-SSH"/>
|
|
<ServiceRef ref="tcp-HTTP"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="id46F6069610002"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="pf_classify_str"></Option>
|
|
<Option name="stateless">False</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<!-- Rule 1: everything on lo0 in both directions, stateless (pf_keep_state=False, stateless=True). -->
<PolicyRule id="id46F6065410002" disabled="False" group="" log="False" position="1" action="Accept" direction="Both" comment="">
|
|
<Src neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="id46F6069A10002"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="log_prefix"></Option>
|
|
<Option name="pf_classify_str"></Option>
|
|
<Option name="pf_keep_state">False</Option>
|
|
<Option name="pf_max_src_conn">0</Option>
|
|
<Option name="pf_max_src_conn_flush">False</Option>
|
|
<Option name="pf_max_src_conn_global">False</Option>
|
|
<Option name="pf_max_src_conn_overload_table"></Option>
|
|
<Option name="pf_max_src_conn_rate_flush">False</Option>
|
|
<Option name="pf_max_src_conn_rate_global">False</Option>
|
|
<Option name="pf_max_src_conn_rate_num">0</Option>
|
|
<Option name="pf_max_src_conn_rate_overload_table"></Option>
|
|
<Option name="pf_max_src_conn_rate_seconds">0</Option>
|
|
<Option name="pf_max_src_nodes">0</Option>
|
|
<Option name="pf_max_src_states">0</Option>
|
|
<Option name="pf_rule_max_state">0</Option>
|
|
<Option name="pf_source_tracking">False</Option>
|
|
<Option name="stateless">True</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<!-- Rule 2: HTTP from id3B665643 into the internal network over enc0, stateful
     (pf_keep_state=True, stateless=False). Author's comment: "via ipsec". -->
<PolicyRule id="id46F6066010002" disabled="False" group="" log="False" position="2" action="Accept" direction="Both" comment="via ipsec">
|
|
<Src neg="False">
|
|
<ObjectRef ref="id3B665643"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="net-Internal_net"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="tcp-HTTP"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="id46F6069910002"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="log_prefix"></Option>
|
|
<Option name="pf_classify_str"></Option>
|
|
<Option name="pf_keep_state">True</Option>
|
|
<Option name="pf_max_src_conn">0</Option>
|
|
<Option name="pf_max_src_conn_flush">False</Option>
|
|
<Option name="pf_max_src_conn_global">False</Option>
|
|
<Option name="pf_max_src_conn_overload_table"></Option>
|
|
<Option name="pf_max_src_conn_rate_flush">False</Option>
|
|
<Option name="pf_max_src_conn_rate_global">False</Option>
|
|
<Option name="pf_max_src_conn_rate_num">0</Option>
|
|
<Option name="pf_max_src_conn_rate_overload_table"></Option>
|
|
<Option name="pf_max_src_conn_rate_seconds">0</Option>
|
|
<Option name="pf_max_src_nodes">0</Option>
|
|
<Option name="pf_max_src_states">0</Option>
|
|
<Option name="pf_rule_max_state">0</Option>
|
|
<Option name="pf_source_tracking">False</Option>
|
|
<Option name="stateless">False</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<!-- Rule 3: logged catch-all deny on every interface, both directions. This is the only
     rule with log="True", so anything not matched by rules 0-2 is recorded. -->
<PolicyRule id="id46F6066C10002" disabled="False" group="" log="True" position="3" action="Deny" direction="Both" comment="">
|
|
<Src neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="pf_classify_str"></Option>
|
|
<Option name="stateless">True</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<RuleSetOptions/>
|
|
</Policy>
|
|
<!-- Routing rule set: contains no rules, only an empty RuleSetOptions. -->
<Routing id="id46F6069510002" name="Routing" comment="" ro="False" ipv4_rule_set="False" ipv6_rule_set="False" top_rule_set="True">
|
|
<RuleSetOptions/>
|
|
</Routing>
|
|
<!-- eth0: static address 192.168.1.1/24 (dyn="False"), security_level="100",
     protected (unprotected="False"). Referenced as the interface of policy rule 0. -->
<Interface id="id46F6069610002" dedicated_failover="False" dyn="False" security_level="100" unnum="False" unprotected="False" name="eth0" comment="" ro="False">
|
|
<IPv4 id="id46F6069810002" name="firewall10-6:eth0:ip" comment="" ro="False" address="192.168.1.1" netmask="255.255.255.0"/>
|
|
<InterfaceOptions/>
|
|
</Interface>
|
|
<!-- enc0: unnumbered interface (unnum="True", no IPv4 child), security_level="0".
     Referenced as the interface of policy rule 2 ("via ipsec"). -->
<Interface id="id46F6069910002" dedicated_failover="False" dyn="False" label="" mgmt="False" security_level="0" unnum="True" unprotected="False" name="enc0" comment="" ro="False">
|
|
<InterfaceOptions/>
|
|
</Interface>
|
|
<!-- lo0: loopback 127.0.0.1/8, security_level="100", marked unprotected="True".
     Referenced as the interface of policy rule 1 (accept everything, both directions). -->
<Interface id="id46F6069A10002" dedicated_failover="False" dyn="False" label="" mgmt="False" security_level="100" unnum="False" unprotected="True" name="lo0" comment="" ro="False">
|
|
<IPv4 id="id46F6069C10002" name="firewall10-6:lo0:ip" comment="" ro="False" address="127.0.0.1" netmask="255.0.0.0"/>
|
|
<InterfaceOptions/>
|
|
</Interface>
|
|
<!-- Management settings for this firewall (management address 127.0.0.1).
     SNMPManagement is disabled, but the read community is still the well-known default
     "public" and the write community is empty. FWBDManagement (fwbuilder daemon) is
     enabled on port 9999 with an empty identity; the policy install script is disabled.
     NOTE(review): community strings are credentials. If SNMP management is ever switched
     on, set a non-default read community rather than relying on enabled="False", and keep
     real community strings out of committed object databases. -->
<Management address="127.0.0.1">
|
|
<SNMPManagement enabled="False" snmp_read_community="public" snmp_write_community=""/>
|
|
<FWBDManagement enabled="True" identity="" port="9999"/>
|
|
<PolicyInstallScript arguments="" command="" enabled="False"/>
|
|
</Management>
|
|
<!-- Compiler and platform options for this firewall (platform=iptables; the enclosing
     Firewall element starts before this block). Entries worth noting on review:
       accept_established=True, accept_new_tcp_with_no_syn=True
         - by its name the second presumably lets non-SYN TCP packets create new state;
           confirm against the iptables compiler before relying on it
       log_level=debug, log_all_dropped=False, fallback_log=False
       mgmt_ssh=True, mgmt_addr=192.168.1.100
         - presumably the address from which SSH management is permitted; verify in compiler
       check_shading=True  - rule shadowing check enabled
       firewall_is_part_of_any=True, firewall_is_part_of_any_and_networks=True
     The pf_*, freebsd_* and openbsd_* entries are present at their defaults and presumably
     only apply when the platform is pf/ipf rather than iptables. -->
<FirewallOptions>
|
|
<Option name="accept_established">True</Option>
|
|
<Option name="accept_new_tcp_with_no_syn">True</Option>
|
|
<Option name="action_on_reject">ICMP net unreachable</Option>
|
|
<Option name="activationCmd"></Option>
|
|
<Option name="admUser"></Option>
|
|
<Option name="altAddress"></Option>
|
|
<Option name="check_shading">True</Option>
|
|
<Option name="clamp_mss_to_mtu">False</Option>
|
|
<Option name="cmdline"></Option>
|
|
<Option name="compiler"></Option>
|
|
<Option name="configure_interfaces">False</Option>
|
|
<Option name="debug">False</Option>
|
|
<Option name="dyn_addr">False</Option>
|
|
<Option name="epilog_script"></Option>
|
|
<Option name="fallback_log">False</Option>
|
|
<Option name="firewall_dir"></Option>
|
|
<Option name="firewall_is_part_of_any">True</Option>
|
|
<Option name="firewall_is_part_of_any_and_networks">True</Option>
|
|
<Option name="freebsd_path_ipf"></Option>
|
|
<Option name="freebsd_path_ipnat"></Option>
|
|
<Option name="freebsd_path_sysctl"></Option>
|
|
<Option name="ignore_empty_groups">False</Option>
|
|
<Option name="in_out_code">False</Option>
|
|
<Option name="inst_cmdline"></Option>
|
|
<Option name="inst_script"></Option>
|
|
<Option name="install_script"></Option>
|
|
<Option name="limit_suffix">/day</Option>
|
|
<Option name="limit_value">0</Option>
|
|
<Option name="linux24_ip_forward">0</Option>
|
|
<Option name="linux24_tcp_fin_timeout">30</Option>
|
|
<Option name="linux24_tcp_keepalive_interval">1800</Option>
|
|
<Option name="load_modules">False</Option>
|
|
<Option name="log_all_dropped">False</Option>
|
|
<Option name="log_ip_opt">False</Option>
|
|
<Option name="log_level">debug</Option>
|
|
<Option name="log_limit_suffix">/second</Option>
|
|
<Option name="log_limit_value">0</Option>
|
|
<Option name="log_prefix"></Option>
|
|
<Option name="log_tcp_opt">False</Option>
|
|
<Option name="log_tcp_seq">False</Option>
|
|
<Option name="manage_virtual_addr">True</Option>
|
|
<Option name="mgmt_addr">192.168.1.100</Option>
|
|
<Option name="mgmt_ssh">True</Option>
|
|
<Option name="modulate_state">False</Option>
|
|
<Option name="no_iochains_for_any">False</Option>
|
|
<Option name="no_optimisation">False</Option>
|
|
<Option name="openbsd_path_pfctl"></Option>
|
|
<Option name="openbsd_path_sysctl"></Option>
|
|
<Option name="output_file"></Option>
|
|
<Option name="pass_all_out">True</Option>
|
|
<Option name="pf_adaptive_end">0</Option>
|
|
<Option name="pf_adaptive_start">0</Option>
|
|
<Option name="pf_do_limit_frags">False</Option>
|
|
<Option name="pf_do_limit_src_nodes">False</Option>
|
|
<Option name="pf_do_limit_states">False</Option>
|
|
<Option name="pf_do_limit_table_entries">False</Option>
|
|
<Option name="pf_do_limit_tables">False</Option>
|
|
<Option name="pf_do_scrub">True</Option>
|
|
<Option name="pf_do_timeout_frag">False</Option>
|
|
<Option name="pf_do_timeout_interval">False</Option>
|
|
<Option name="pf_icmp_error">0</Option>
|
|
<Option name="pf_icmp_first">0</Option>
|
|
<Option name="pf_limit_frags">5000</Option>
|
|
<Option name="pf_limit_src_nodes">0</Option>
|
|
<Option name="pf_limit_states">10000</Option>
|
|
<Option name="pf_limit_table_entries">0</Option>
|
|
<Option name="pf_limit_tables">0</Option>
|
|
<Option name="pf_optimization"></Option>
|
|
<Option name="pf_other_first">0</Option>
|
|
<Option name="pf_other_multiple">0</Option>
|
|
<Option name="pf_other_single">0</Option>
|
|
<Option name="pf_scrub_fragm_crop">False</Option>
|
|
<Option name="pf_scrub_fragm_drop_ovl">False</Option>
|
|
<Option name="pf_scrub_maxmss">1460</Option>
|
|
<Option name="pf_scrub_minttl">1</Option>
|
|
<Option name="pf_scrub_no_df">False</Option>
|
|
<Option name="pf_scrub_random_id">False</Option>
|
|
<Option name="pf_scrub_reassemble">True</Option>
|
|
<Option name="pf_scrub_use_maxmss">False</Option>
|
|
<Option name="pf_scrub_use_minttl">False</Option>
|
|
<Option name="pf_set_adaptive">False</Option>
|
|
<Option name="pf_set_icmp_error">False</Option>
|
|
<Option name="pf_set_icmp_first">False</Option>
|
|
<Option name="pf_set_other_first">False</Option>
|
|
<Option name="pf_set_other_multiple">False</Option>
|
|
<Option name="pf_set_other_single">False</Option>
|
|
<Option name="pf_set_tcp_closed">False</Option>
|
|
<Option name="pf_set_tcp_closing">False</Option>
|
|
<Option name="pf_set_tcp_established">False</Option>
|
|
<Option name="pf_set_tcp_finwait">False</Option>
|
|
<Option name="pf_set_tcp_first">False</Option>
|
|
<Option name="pf_set_tcp_opening">False</Option>
|
|
<Option name="pf_set_udp_first">False</Option>
|
|
<Option name="pf_set_udp_multiple">False</Option>
|
|
<Option name="pf_set_udp_single">False</Option>
|
|
<Option name="pf_tcp_closed">0</Option>
|
|
<Option name="pf_tcp_closing">0</Option>
|
|
<Option name="pf_tcp_established">0</Option>
|
|
<Option name="pf_tcp_finwait">0</Option>
|
|
<Option name="pf_tcp_first">0</Option>
|
|
<Option name="pf_tcp_opening">0</Option>
|
|
<Option name="pf_timeout_frag">30</Option>
|
|
<Option name="pf_timeout_interval">10</Option>
|
|
<Option name="pf_udp_first">0</Option>
|
|
<Option name="pf_udp_multiple">0</Option>
|
|
<Option name="pf_udp_single">0</Option>
|
|
<Option name="platform">iptables</Option>
|
|
<Option name="prolog_place">fw_file</Option>
|
|
<Option name="prolog_script"></Option>
|
|
<Option name="proxy_arp">False</Option>
|
|
<Option name="script_env_path"></Option>
|
|
<Option name="snmp_contact"></Option>
|
|
<Option name="snmp_description"></Option>
|
|
<Option name="snmp_location"></Option>
|
|
<Option name="sshArgs"></Option>
|
|
<Option name="use_ip_tool">False</Option>
|
|
<Option name="use_numeric_log_levels">False</Option>
|
|
<Option name="use_tables">True</Option>
|
|
</FirewallOptions>
|
|
</Firewall>
|
|
<Firewall id="id476458AA9697" host_OS="openbsd" inactive="False" lastCompiled="1157930816" lastInstalled="0" lastModified="1237954922" platform="pf" version="" name="firewall40-1" comment="testing Route action with load balancing " ro="False">
|
|
<!-- NAT rule set for firewall40-1 (platform pf): two Translate rules. Both match original
     source id3DC75CE7-1, destination Any, any service, any interface; rule 0 rewrites the
     source to id476459189697 and rule 1 to id476459219697. NOTE(review): the match columns
     of the two rules are identical, so whichever the compiler emits first presumably
     always wins and the second never matches; confirm this is the intended fixture. -->
<NAT id="id476458FA9697" name="NAT" comment="" ro="False" ipv4_rule_set="False" ipv6_rule_set="False" top_rule_set="True">
|
|
<NATRule id="id476458FB9697" disabled="False" group="" position="0" action="Translate" comment="Translate source address for outgoing connections">
|
|
<OSrc neg="False">
|
|
<ObjectRef ref="id3DC75CE7-1"/>
|
|
</OSrc>
|
|
<ODst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ODst>
|
|
<OSrv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</OSrv>
|
|
<TSrc neg="False">
|
|
<ObjectRef ref="id476459189697"/>
|
|
</TSrc>
|
|
<TDst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</TDst>
|
|
<TSrv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</TSrv>
|
|
<ItfInb neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ItfInb>
|
|
<ItfOutb neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ItfOutb>
|
|
<NATRuleOptions/>
|
|
</NATRule>
|
|
<!-- Rule 1: same match as rule 0, different translated source (id476459219697). -->
<NATRule id="id476459099697" disabled="False" group="" position="1" action="Translate" comment="Translate source address for outgoing connections">
|
|
<OSrc neg="False">
|
|
<ObjectRef ref="id3DC75CE7-1"/>
|
|
</OSrc>
|
|
<ODst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ODst>
|
|
<OSrv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</OSrv>
|
|
<TSrc neg="False">
|
|
<ObjectRef ref="id476459219697"/>
|
|
</TSrc>
|
|
<TDst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</TDst>
|
|
<TSrv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</TSrv>
|
|
<ItfInb neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ItfInb>
|
|
<ItfOutb neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ItfOutb>
|
|
<NATRuleOptions/>
|
|
</NATRule>
|
|
<RuleSetOptions/>
|
|
</NAT>
|
|
<Policy id="id476458B09697" name="Policy" comment="" ro="False" ipv4_rule_set="False" ipv6_rule_set="False" top_rule_set="True">
|
|
<!-- Rule 0: Accept HTTP from id3DC75CE7-1 to Any, inbound on interface id4764591B9697,
     with routing="True": pf_route_option=route_through via interface le1, load-balanced
     by pf_route_load_option=random over 192.0.2.1, 192.0.2.2, 192.0.2.3. Those are
     RFC 5737 TEST-NET-1 documentation addresses, appropriate for a test fixture.
     pf_keep_state=False and stateless=False; all pf_max_src_* limits are 0/False.
     The ipf_*/ipfw_*/ipt_* options are carried at defaults and do not apply to pf. -->
<PolicyRule id="id47646C979697" disabled="False" group="" log="False" position="0" action="Accept" direction="Inbound" comment="">
|
|
<Src neg="False">
|
|
<ObjectRef ref="id3DC75CE7-1"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="tcp-HTTP"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="id4764591B9697"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="action_on_reject"></Option>
|
|
<Option name="branch_anchor_name"></Option>
|
|
<Option name="branch_chain_name"></Option>
|
|
<Option name="classification">False</Option>
|
|
<Option name="classify_str"></Option>
|
|
<Option name="color">#8BC065</Option>
|
|
<Option name="custom_str"></Option>
|
|
<Option name="ipf_route_opt_addr"></Option>
|
|
<Option name="ipf_route_opt_if"></Option>
|
|
<Option name="ipf_route_option">route_through</Option>
|
|
<Option name="ipfw_classify_method">2</Option>
|
|
<Option name="ipfw_pipe_port_num">0</Option>
|
|
<Option name="ipfw_pipe_queue_num">0</Option>
|
|
<Option name="ipt_continue">False</Option>
|
|
<Option name="ipt_gw"></Option>
|
|
<Option name="ipt_iif"></Option>
|
|
<Option name="ipt_mark_connections">False</Option>
|
|
<Option name="ipt_oif"></Option>
|
|
<Option name="ipt_tee">False</Option>
|
|
<Option name="log_prefix"></Option>
|
|
<Option name="pf_classify_str"></Option>
|
|
<Option name="pf_fastroute">False</Option>
|
|
<Option name="pf_keep_state">False</Option>
|
|
<Option name="pf_max_src_conn">0</Option>
|
|
<Option name="pf_max_src_conn_flush">False</Option>
|
|
<Option name="pf_max_src_conn_global">False</Option>
|
|
<Option name="pf_max_src_conn_overload_table"></Option>
|
|
<Option name="pf_max_src_conn_rate_flush">False</Option>
|
|
<Option name="pf_max_src_conn_rate_global">False</Option>
|
|
<Option name="pf_max_src_conn_rate_num">0</Option>
|
|
<Option name="pf_max_src_conn_rate_overload_table"></Option>
|
|
<Option name="pf_max_src_conn_rate_seconds">0</Option>
|
|
<Option name="pf_max_src_nodes">0</Option>
|
|
<Option name="pf_max_src_states">0</Option>
|
|
<Option name="pf_route_load_option">random</Option>
|
|
<Option name="pf_route_opt_addr">192.0.2.1,192.0.2.2,192.0.2.3</Option>
|
|
<Option name="pf_route_opt_if">le1</Option>
|
|
<Option name="pf_route_option">route_through</Option>
|
|
<Option name="pf_rule_max_state">0</Option>
|
|
<Option name="pf_source_tracking">False</Option>
|
|
<Option name="routing">True</Option>
|
|
<Option name="rule_name_accounting"></Option>
|
|
<Option name="stateless">False</Option>
|
|
<Option name="tagging">False</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<PolicyRule id="id47646C869697" disabled="False" group="" log="False" position="1" action="Accept" direction="Inbound" comment="">
|
|
<Src neg="False">
|
|
<ObjectRef ref="id3DC75CE7-1"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="tcp-HTTP"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="id4764591B9697"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="action_on_reject"></Option>
|
|
<Option name="branch_anchor_name"></Option>
|
|
<Option name="branch_chain_name"></Option>
|
|
<Option name="classification">False</Option>
|
|
<Option name="classify_str"></Option>
|
|
<Option name="color">#8BC065</Option>
|
|
<Option name="custom_str"></Option>
|
|
<Option name="ipf_route_opt_addr"></Option>
|
|
<Option name="ipf_route_opt_if"></Option>
|
|
<Option name="ipf_route_option">route_through</Option>
|
|
<Option name="ipfw_classify_method">2</Option>
|
|
<Option name="ipfw_pipe_port_num">0</Option>
|
|
<Option name="ipfw_pipe_queue_num">0</Option>
|
|
<Option name="ipt_continue">False</Option>
|
|
<Option name="ipt_gw"></Option>
|
|
<Option name="ipt_iif"></Option>
|
|
<Option name="ipt_mark_connections">False</Option>
|
|
<Option name="ipt_oif"></Option>
|
|
<Option name="ipt_tee">False</Option>
|
|
<Option name="log_prefix"></Option>
|
|
<Option name="pf_classify_str"></Option>
|
|
<Option name="pf_fastroute">False</Option>
|
|
<Option name="pf_keep_state">False</Option>
|
|
<Option name="pf_max_src_conn">0</Option>
|
|
<Option name="pf_max_src_conn_flush">False</Option>
|
|
<Option name="pf_max_src_conn_global">False</Option>
|
|
<Option name="pf_max_src_conn_overload_table"></Option>
|
|
<Option name="pf_max_src_conn_rate_flush">False</Option>
|
|
<Option name="pf_max_src_conn_rate_global">False</Option>
|
|
<Option name="pf_max_src_conn_rate_num">0</Option>
|
|
<Option name="pf_max_src_conn_rate_overload_table"></Option>
|
|
<Option name="pf_max_src_conn_rate_seconds">0</Option>
|
|
<Option name="pf_max_src_nodes">0</Option>
|
|
<Option name="pf_max_src_states">0</Option>
|
|
<Option name="pf_route_load_option">round_robin</Option>
|
|
<Option name="pf_route_opt_addr">192.0.2.1,192.0.2.2,192.0.2.3</Option>
|
|
<Option name="pf_route_opt_if">le2</Option>
|
|
<Option name="pf_route_option">route_through</Option>
|
|
<Option name="pf_rule_max_state">0</Option>
|
|
<Option name="pf_source_tracking">False</Option>
|
|
<Option name="routing">True</Option>
|
|
<Option name="rule_name_accounting"></Option>
|
|
<Option name="stateless">False</Option>
|
|
<Option name="tagging">False</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<PolicyRule id="id47646C759697" disabled="False" group="" log="False" position="2" action="Accept" direction="Inbound" comment="">
|
|
<Src neg="False">
|
|
<ObjectRef ref="id3DC75CE7-1"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="tcp-HTTP"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="id4764591B9697"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="action_on_reject"></Option>
|
|
<Option name="branch_anchor_name"></Option>
|
|
<Option name="branch_chain_name"></Option>
|
|
<Option name="classification">False</Option>
|
|
<Option name="classify_str"></Option>
|
|
<Option name="color">#8BC065</Option>
|
|
<Option name="custom_str"></Option>
|
|
<Option name="ipf_route_opt_addr"></Option>
|
|
<Option name="ipf_route_opt_if"></Option>
|
|
<Option name="ipf_route_option">route_through</Option>
|
|
<Option name="ipfw_classify_method">2</Option>
|
|
<Option name="ipfw_pipe_port_num">0</Option>
|
|
<Option name="ipfw_pipe_queue_num">0</Option>
|
|
<Option name="ipt_continue">False</Option>
|
|
<Option name="ipt_gw"></Option>
|
|
<Option name="ipt_iif"></Option>
|
|
<Option name="ipt_mark_connections">False</Option>
|
|
<Option name="ipt_oif"></Option>
|
|
<Option name="ipt_tee">False</Option>
|
|
<Option name="log_prefix"></Option>
|
|
<Option name="pf_classify_str"></Option>
|
|
<Option name="pf_fastroute">False</Option>
|
|
<Option name="pf_keep_state">False</Option>
|
|
<Option name="pf_max_src_conn">0</Option>
|
|
<Option name="pf_max_src_conn_flush">False</Option>
|
|
<Option name="pf_max_src_conn_global">False</Option>
|
|
<Option name="pf_max_src_conn_overload_table"></Option>
|
|
<Option name="pf_max_src_conn_rate_flush">False</Option>
|
|
<Option name="pf_max_src_conn_rate_global">False</Option>
|
|
<Option name="pf_max_src_conn_rate_num">0</Option>
|
|
<Option name="pf_max_src_conn_rate_overload_table"></Option>
|
|
<Option name="pf_max_src_conn_rate_seconds">0</Option>
|
|
<Option name="pf_max_src_nodes">0</Option>
|
|
<Option name="pf_max_src_states">0</Option>
|
|
<Option name="pf_route_load_option">round_robin</Option>
|
|
<Option name="pf_route_opt_addr">192.0.2.1,192.0.2.2,192.0.2.3</Option>
|
|
<Option name="pf_route_opt_if">le2</Option>
|
|
<Option name="pf_route_option">route_through</Option>
|
|
<Option name="pf_rule_max_state">0</Option>
|
|
<Option name="pf_source_tracking">False</Option>
|
|
<Option name="routing">True</Option>
|
|
<Option name="rule_name_accounting"></Option>
|
|
<Option name="stateless">False</Option>
|
|
<Option name="tagging">False</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<PolicyRule id="id476480059697" disabled="False" group="" log="False" position="3" action="Accept" direction="Inbound" comment="">
|
|
<Src neg="False">
|
|
<ObjectRef ref="id3DC75CE7-1"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="tcp-HTTP"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="id4764591B9697"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="action_on_reject"></Option>
|
|
<Option name="branch_anchor_name"></Option>
|
|
<Option name="branch_chain_name"></Option>
|
|
<Option name="classification">False</Option>
|
|
<Option name="classify_str"></Option>
|
|
<Option name="color">#7694C0</Option>
|
|
<Option name="custom_str"></Option>
|
|
<Option name="ipf_route_opt_addr"></Option>
|
|
<Option name="ipf_route_opt_if"></Option>
|
|
<Option name="ipf_route_option">route_through</Option>
|
|
<Option name="ipfw_classify_method">2</Option>
|
|
<Option name="ipfw_pipe_port_num">0</Option>
|
|
<Option name="ipfw_pipe_queue_num">0</Option>
|
|
<Option name="ipt_continue">False</Option>
|
|
<Option name="ipt_gw"></Option>
|
|
<Option name="ipt_iif"></Option>
|
|
<Option name="ipt_mark_connections">False</Option>
|
|
<Option name="ipt_oif"></Option>
|
|
<Option name="ipt_tee">False</Option>
|
|
<Option name="log_prefix"></Option>
|
|
<Option name="pf_classify_str"></Option>
|
|
<Option name="pf_fastroute">False</Option>
|
|
<Option name="pf_keep_state">False</Option>
|
|
<Option name="pf_max_src_conn">0</Option>
|
|
<Option name="pf_max_src_conn_flush">False</Option>
|
|
<Option name="pf_max_src_conn_global">False</Option>
|
|
<Option name="pf_max_src_conn_overload_table"></Option>
|
|
<Option name="pf_max_src_conn_rate_flush">False</Option>
|
|
<Option name="pf_max_src_conn_rate_global">False</Option>
|
|
<Option name="pf_max_src_conn_rate_num">0</Option>
|
|
<Option name="pf_max_src_conn_rate_overload_table"></Option>
|
|
<Option name="pf_max_src_conn_rate_seconds">0</Option>
|
|
<Option name="pf_max_src_nodes">0</Option>
|
|
<Option name="pf_max_src_states">0</Option>
|
|
<Option name="pf_route_load_option">round_robin</Option>
|
|
<Option name="pf_route_opt_addr">192.0.2.1,192.0.2.2,192.0.2.3</Option>
|
|
<Option name="pf_route_opt_if">le1</Option>
|
|
<Option name="pf_route_option">route_through</Option>
|
|
<Option name="pf_rule_max_state">0</Option>
|
|
<Option name="pf_source_tracking">False</Option>
|
|
<Option name="routing">True</Option>
|
|
<Option name="rule_name_accounting"></Option>
|
|
<Option name="stateless">True</Option>
|
|
<Option name="tagging">False</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<PolicyRule id="id476480169697" disabled="False" group="" log="False" position="4" action="Accept" direction="Inbound" comment="">
|
|
<Src neg="False">
|
|
<ObjectRef ref="id3DC75CE7-1"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="tcp-HTTP"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="id4764591B9697"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="action_on_reject"></Option>
|
|
<Option name="branch_anchor_name"></Option>
|
|
<Option name="branch_chain_name"></Option>
|
|
<Option name="classification">False</Option>
|
|
<Option name="classify_str"></Option>
|
|
<Option name="color">#7694C0</Option>
|
|
<Option name="custom_str"></Option>
|
|
<Option name="ipf_route_opt_addr"></Option>
|
|
<Option name="ipf_route_opt_if"></Option>
|
|
<Option name="ipf_route_option">route_through</Option>
|
|
<Option name="ipfw_classify_method">2</Option>
|
|
<Option name="ipfw_pipe_port_num">0</Option>
|
|
<Option name="ipfw_pipe_queue_num">0</Option>
|
|
<Option name="ipt_continue">False</Option>
|
|
<Option name="ipt_gw"></Option>
|
|
<Option name="ipt_iif"></Option>
|
|
<Option name="ipt_mark_connections">False</Option>
|
|
<Option name="ipt_oif"></Option>
|
|
<Option name="ipt_tee">False</Option>
|
|
<Option name="log_prefix"></Option>
|
|
<Option name="pf_classify_str"></Option>
|
|
<Option name="pf_fastroute">False</Option>
|
|
<Option name="pf_keep_state">False</Option>
|
|
<Option name="pf_max_src_conn">0</Option>
|
|
<Option name="pf_max_src_conn_flush">False</Option>
|
|
<Option name="pf_max_src_conn_global">False</Option>
|
|
<Option name="pf_max_src_conn_overload_table"></Option>
|
|
<Option name="pf_max_src_conn_rate_flush">False</Option>
|
|
<Option name="pf_max_src_conn_rate_global">False</Option>
|
|
<Option name="pf_max_src_conn_rate_num">0</Option>
|
|
<Option name="pf_max_src_conn_rate_overload_table"></Option>
|
|
<Option name="pf_max_src_conn_rate_seconds">0</Option>
|
|
<Option name="pf_max_src_nodes">0</Option>
|
|
<Option name="pf_max_src_states">0</Option>
|
|
<Option name="pf_route_load_option">round_robin</Option>
|
|
<Option name="pf_route_opt_addr">192.0.2.1,192.0.2.2,192.0.2.3</Option>
|
|
<Option name="pf_route_opt_if">le2</Option>
|
|
<Option name="pf_route_option">route_through</Option>
|
|
<Option name="pf_rule_max_state">0</Option>
|
|
<Option name="pf_source_tracking">False</Option>
|
|
<Option name="routing">True</Option>
|
|
<Option name="rule_name_accounting"></Option>
|
|
<Option name="stateless">True</Option>
|
|
<Option name="tagging">False</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<PolicyRule id="id476480279697" disabled="False" group="" log="False" position="5" action="Accept" direction="Inbound" comment="">
|
|
<Src neg="False">
|
|
<ObjectRef ref="id3DC75CE7-1"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="tcp-HTTP"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="id4764591B9697"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="action_on_reject"></Option>
|
|
<Option name="branch_anchor_name"></Option>
|
|
<Option name="branch_chain_name"></Option>
|
|
<Option name="classification">False</Option>
|
|
<Option name="classify_str"></Option>
|
|
<Option name="color">#7694C0</Option>
|
|
<Option name="custom_str"></Option>
|
|
<Option name="ipf_route_opt_addr"></Option>
|
|
<Option name="ipf_route_opt_if"></Option>
|
|
<Option name="ipf_route_option">route_through</Option>
|
|
<Option name="ipfw_classify_method">2</Option>
|
|
<Option name="ipfw_pipe_port_num">0</Option>
|
|
<Option name="ipfw_pipe_queue_num">0</Option>
|
|
<Option name="ipt_continue">False</Option>
|
|
<Option name="ipt_gw"></Option>
|
|
<Option name="ipt_iif"></Option>
|
|
<Option name="ipt_mark_connections">False</Option>
|
|
<Option name="ipt_oif"></Option>
|
|
<Option name="ipt_tee">False</Option>
|
|
<Option name="log_prefix"></Option>
|
|
<Option name="pf_classify_str"></Option>
|
|
<Option name="pf_fastroute">False</Option>
|
|
<Option name="pf_keep_state">False</Option>
|
|
<Option name="pf_max_src_conn">0</Option>
|
|
<Option name="pf_max_src_conn_flush">False</Option>
|
|
<Option name="pf_max_src_conn_global">False</Option>
|
|
<Option name="pf_max_src_conn_overload_table"></Option>
|
|
<Option name="pf_max_src_conn_rate_flush">False</Option>
|
|
<Option name="pf_max_src_conn_rate_global">False</Option>
|
|
<Option name="pf_max_src_conn_rate_num">0</Option>
|
|
<Option name="pf_max_src_conn_rate_overload_table"></Option>
|
|
<Option name="pf_max_src_conn_rate_seconds">0</Option>
|
|
<Option name="pf_max_src_nodes">0</Option>
|
|
<Option name="pf_max_src_states">0</Option>
|
|
<Option name="pf_route_load_option">round_robin</Option>
|
|
<Option name="pf_route_opt_addr">192.0.2.1,192.0.2.2,192.0.2.3</Option>
|
|
<Option name="pf_route_opt_if">le2</Option>
|
|
<Option name="pf_route_option">route_through</Option>
|
|
<Option name="pf_rule_max_state">0</Option>
|
|
<Option name="pf_source_tracking">False</Option>
|
|
<Option name="routing">True</Option>
|
|
<Option name="rule_name_accounting"></Option>
|
|
<Option name="stateless">True</Option>
|
|
<Option name="tagging">False</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<PolicyRule id="id476458C99697" disabled="False" group="" log="False" position="6" action="Accept" direction="Inbound" comment="">
|
|
<Src neg="False">
|
|
<ObjectRef ref="id3DC75CE7-1"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="tcp-HTTP"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="id4764591B9697"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="action_on_reject"></Option>
|
|
<Option name="branch_anchor_name"></Option>
|
|
<Option name="branch_chain_name"></Option>
|
|
<Option name="classification">False</Option>
|
|
<Option name="classify_str"></Option>
|
|
<Option name="color">#C0BA44</Option>
|
|
<Option name="custom_str"></Option>
|
|
<Option name="ipf_route_opt_addr"></Option>
|
|
<Option name="ipf_route_opt_if"></Option>
|
|
<Option name="ipf_route_option">route_through</Option>
|
|
<Option name="ipfw_classify_method">2</Option>
|
|
<Option name="ipfw_pipe_port_num">0</Option>
|
|
<Option name="ipfw_pipe_queue_num">0</Option>
|
|
<Option name="ipt_continue">False</Option>
|
|
<Option name="ipt_gw"></Option>
|
|
<Option name="ipt_iif"></Option>
|
|
<Option name="ipt_mark_connections">False</Option>
|
|
<Option name="ipt_oif"></Option>
|
|
<Option name="ipt_tee">False</Option>
|
|
<Option name="log_prefix"></Option>
|
|
<Option name="pf_classify_str"></Option>
|
|
<Option name="pf_fastroute">False</Option>
|
|
<Option name="pf_keep_state">False</Option>
|
|
<Option name="pf_max_src_conn">0</Option>
|
|
<Option name="pf_max_src_conn_flush">False</Option>
|
|
<Option name="pf_max_src_conn_global">False</Option>
|
|
<Option name="pf_max_src_conn_overload_table"></Option>
|
|
<Option name="pf_max_src_conn_rate_flush">False</Option>
|
|
<Option name="pf_max_src_conn_rate_global">False</Option>
|
|
<Option name="pf_max_src_conn_rate_num">0</Option>
|
|
<Option name="pf_max_src_conn_rate_overload_table"></Option>
|
|
<Option name="pf_max_src_conn_rate_seconds">0</Option>
|
|
<Option name="pf_max_src_nodes">0</Option>
|
|
<Option name="pf_max_src_states">0</Option>
|
|
<Option name="pf_route_load_option">random</Option>
|
|
<Option name="pf_route_opt_addr">192.0.2.0/24</Option>
|
|
<Option name="pf_route_opt_if">le1</Option>
|
|
<Option name="pf_route_option">route_through</Option>
|
|
<Option name="pf_rule_max_state">0</Option>
|
|
<Option name="pf_source_tracking">False</Option>
|
|
<Option name="routing">True</Option>
|
|
<Option name="rule_name_accounting"></Option>
|
|
<Option name="stateless">False</Option>
|
|
<Option name="tagging">False</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<!-- Rule 7: same match as rule 0 (HTTP from id3DC75CE7-1 to Any, inbound on
     id4764591B9697) but routed through interface le2 with pf_route_load_option=source_hash
     over the whole 192.0.2.0/24 block (RFC 5737 TEST-NET-1) instead of a list of hosts.
     pf_keep_state=False, stateless=False. NOTE(review): rules 0 through 7 all share the same
     Src/Dst/Srv/Itf columns, so only the first compiled one can match live traffic; the
     rest exist to exercise the different route/load options. -->
<PolicyRule id="id476458D69697" disabled="False" group="" log="False" position="7" action="Accept" direction="Inbound" comment="">
|
|
<Src neg="False">
|
|
<ObjectRef ref="id3DC75CE7-1"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="tcp-HTTP"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="id4764591B9697"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="action_on_reject"></Option>
|
|
<Option name="branch_anchor_name"></Option>
|
|
<Option name="branch_chain_name"></Option>
|
|
<Option name="classification">False</Option>
|
|
<Option name="classify_str"></Option>
|
|
<Option name="color">#C0BA44</Option>
|
|
<Option name="custom_str"></Option>
|
|
<Option name="ipf_route_opt_addr"></Option>
|
|
<Option name="ipf_route_opt_if"></Option>
|
|
<Option name="ipf_route_option">route_through</Option>
|
|
<Option name="ipfw_classify_method">2</Option>
|
|
<Option name="ipfw_pipe_port_num">0</Option>
|
|
<Option name="ipfw_pipe_queue_num">0</Option>
|
|
<Option name="ipt_continue">False</Option>
|
|
<Option name="ipt_gw"></Option>
|
|
<Option name="ipt_iif"></Option>
|
|
<Option name="ipt_mark_connections">False</Option>
|
|
<Option name="ipt_oif"></Option>
|
|
<Option name="ipt_tee">False</Option>
|
|
<Option name="log_prefix"></Option>
|
|
<Option name="pf_classify_str"></Option>
|
|
<Option name="pf_fastroute">False</Option>
|
|
<Option name="pf_keep_state">False</Option>
|
|
<Option name="pf_max_src_conn">0</Option>
|
|
<Option name="pf_max_src_conn_flush">False</Option>
|
|
<Option name="pf_max_src_conn_global">False</Option>
|
|
<Option name="pf_max_src_conn_overload_table"></Option>
|
|
<Option name="pf_max_src_conn_rate_flush">False</Option>
|
|
<Option name="pf_max_src_conn_rate_global">False</Option>
|
|
<Option name="pf_max_src_conn_rate_num">0</Option>
|
|
<Option name="pf_max_src_conn_rate_overload_table"></Option>
|
|
<Option name="pf_max_src_conn_rate_seconds">0</Option>
|
|
<Option name="pf_max_src_nodes">0</Option>
|
|
<Option name="pf_max_src_states">0</Option>
|
|
<Option name="pf_route_load_option">source_hash</Option>
|
|
<Option name="pf_route_opt_addr">192.0.2.0/24</Option>
|
|
<Option name="pf_route_opt_if">le2</Option>
|
|
<Option name="pf_route_option">route_through</Option>
|
|
<Option name="pf_rule_max_state">0</Option>
|
|
<Option name="pf_source_tracking">False</Option>
|
|
<Option name="routing">True</Option>
|
|
<Option name="rule_name_accounting"></Option>
|
|
<Option name="stateless">False</Option>
|
|
<Option name="tagging">False</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<PolicyRule id="id4764592B9697" disabled="False" group="" log="False" position="8" action="Accept" direction="Inbound" comment="">
|
|
<Src neg="False">
|
|
<ObjectRef ref="id3DC75CE7-1"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="tcp-HTTP"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="id4764591B9697"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="action_on_reject"></Option>
|
|
<Option name="branch_anchor_name"></Option>
|
|
<Option name="branch_chain_name"></Option>
|
|
<Option name="classification">False</Option>
|
|
<Option name="classify_str"></Option>
|
|
<Option name="color">#C0BA44</Option>
|
|
<Option name="custom_str"></Option>
|
|
<Option name="ipf_route_opt_addr"></Option>
|
|
<Option name="ipf_route_opt_if"></Option>
|
|
<Option name="ipf_route_option">route_through</Option>
|
|
<Option name="ipfw_classify_method">2</Option>
|
|
<Option name="ipfw_pipe_port_num">0</Option>
|
|
<Option name="ipfw_pipe_queue_num">0</Option>
|
|
<Option name="ipt_continue">False</Option>
|
|
<Option name="ipt_gw"></Option>
|
|
<Option name="ipt_iif"></Option>
|
|
<Option name="ipt_mark_connections">False</Option>
|
|
<Option name="ipt_oif"></Option>
|
|
<Option name="ipt_tee">False</Option>
|
|
<Option name="log_prefix"></Option>
|
|
<Option name="pf_classify_str"></Option>
|
|
<Option name="pf_fastroute">False</Option>
|
|
<Option name="pf_keep_state">False</Option>
|
|
<Option name="pf_max_src_conn">0</Option>
|
|
<Option name="pf_max_src_conn_flush">False</Option>
|
|
<Option name="pf_max_src_conn_global">False</Option>
|
|
<Option name="pf_max_src_conn_overload_table"></Option>
|
|
<Option name="pf_max_src_conn_rate_flush">False</Option>
|
|
<Option name="pf_max_src_conn_rate_global">False</Option>
|
|
<Option name="pf_max_src_conn_rate_num">0</Option>
|
|
<Option name="pf_max_src_conn_rate_overload_table"></Option>
|
|
<Option name="pf_max_src_conn_rate_seconds">0</Option>
|
|
<Option name="pf_max_src_nodes">0</Option>
|
|
<Option name="pf_max_src_states">0</Option>
|
|
<Option name="pf_route_load_option">round_robin</Option>
|
|
<Option name="pf_route_opt_addr">192.0.2.0/255.255.255.0</Option>
|
|
<Option name="pf_route_opt_if">le2</Option>
|
|
<Option name="pf_route_option">route_through</Option>
|
|
<Option name="pf_rule_max_state">0</Option>
|
|
<Option name="pf_source_tracking">False</Option>
|
|
<Option name="routing">True</Option>
|
|
<Option name="rule_name_accounting"></Option>
|
|
<Option name="stateless">False</Option>
|
|
<Option name="tagging">False</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<PolicyRule id="id4764BABB9697" disabled="False" group="" log="False" position="9" action="Accept" direction="Inbound" comment="this should fail because it has one address for the next hop and it is /32. Run the compiler with the command-line argument -xt to convert errors to warnings and make it generate the .conf file anyway">
|
|
<Src neg="False">
|
|
<ObjectRef ref="id3DC75CE7-1"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="tcp-HTTP"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="id4764591B9697"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="action_on_reject"></Option>
|
|
<Option name="branch_anchor_name"></Option>
|
|
<Option name="branch_chain_name"></Option>
|
|
<Option name="classification">False</Option>
|
|
<Option name="classify_str"></Option>
|
|
<Option name="color">#C86E6E</Option>
|
|
<Option name="custom_str"></Option>
|
|
<Option name="ipf_route_opt_addr"></Option>
|
|
<Option name="ipf_route_opt_if"></Option>
|
|
<Option name="ipf_route_option">route_through</Option>
|
|
<Option name="ipfw_classify_method">2</Option>
|
|
<Option name="ipfw_pipe_port_num">0</Option>
|
|
<Option name="ipfw_pipe_queue_num">0</Option>
|
|
<Option name="ipt_continue">False</Option>
|
|
<Option name="ipt_gw"></Option>
|
|
<Option name="ipt_iif"></Option>
|
|
<Option name="ipt_mark_connections">False</Option>
|
|
<Option name="ipt_oif"></Option>
|
|
<Option name="ipt_tee">False</Option>
|
|
<Option name="log_prefix"></Option>
|
|
<Option name="pf_classify_str"></Option>
|
|
<Option name="pf_fastroute">False</Option>
|
|
<Option name="pf_keep_state">False</Option>
|
|
<Option name="pf_max_src_conn">0</Option>
|
|
<Option name="pf_max_src_conn_flush">False</Option>
|
|
<Option name="pf_max_src_conn_global">False</Option>
|
|
<Option name="pf_max_src_conn_overload_table"></Option>
|
|
<Option name="pf_max_src_conn_rate_flush">False</Option>
|
|
<Option name="pf_max_src_conn_rate_global">False</Option>
|
|
<Option name="pf_max_src_conn_rate_num">0</Option>
|
|
<Option name="pf_max_src_conn_rate_overload_table"></Option>
|
|
<Option name="pf_max_src_conn_rate_seconds">0</Option>
|
|
<Option name="pf_max_src_nodes">0</Option>
|
|
<Option name="pf_max_src_states">0</Option>
|
|
<Option name="pf_route_load_option">round_robin</Option>
|
|
<Option name="pf_route_opt_addr">192.0.2.1</Option>
|
|
<Option name="pf_route_opt_if">le2</Option>
|
|
<Option name="pf_route_option">route_through</Option>
|
|
<Option name="pf_rule_max_state">0</Option>
|
|
<Option name="pf_source_tracking">False</Option>
|
|
<Option name="routing">True</Option>
|
|
<Option name="rule_name_accounting"></Option>
|
|
<Option name="stateless">False</Option>
|
|
<Option name="tagging">False</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<PolicyRule id="id4764BACC9697" disabled="False" group="" log="False" position="10" action="Accept" direction="Inbound" comment="this should fail because it has one address for the next hop and it is /32. ">
|
|
<Src neg="False">
|
|
<ObjectRef ref="id3DC75CE7-1"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="tcp-HTTP"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="id4764591B9697"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="action_on_reject"></Option>
|
|
<Option name="branch_anchor_name"></Option>
|
|
<Option name="branch_chain_name"></Option>
|
|
<Option name="classification">False</Option>
|
|
<Option name="classify_str"></Option>
|
|
<Option name="color">#C86E6E</Option>
|
|
<Option name="custom_str"></Option>
|
|
<Option name="ipf_route_opt_addr"></Option>
|
|
<Option name="ipf_route_opt_if"></Option>
|
|
<Option name="ipf_route_option">route_through</Option>
|
|
<Option name="ipfw_classify_method">2</Option>
|
|
<Option name="ipfw_pipe_port_num">0</Option>
|
|
<Option name="ipfw_pipe_queue_num">0</Option>
|
|
<Option name="ipt_continue">False</Option>
|
|
<Option name="ipt_gw"></Option>
|
|
<Option name="ipt_iif"></Option>
|
|
<Option name="ipt_mark_connections">False</Option>
|
|
<Option name="ipt_oif"></Option>
|
|
<Option name="ipt_tee">False</Option>
|
|
<Option name="log_prefix"></Option>
|
|
<Option name="pf_classify_str"></Option>
|
|
<Option name="pf_fastroute">False</Option>
|
|
<Option name="pf_keep_state">False</Option>
|
|
<Option name="pf_max_src_conn">0</Option>
|
|
<Option name="pf_max_src_conn_flush">False</Option>
|
|
<Option name="pf_max_src_conn_global">False</Option>
|
|
<Option name="pf_max_src_conn_overload_table"></Option>
|
|
<Option name="pf_max_src_conn_rate_flush">False</Option>
|
|
<Option name="pf_max_src_conn_rate_global">False</Option>
|
|
<Option name="pf_max_src_conn_rate_num">0</Option>
|
|
<Option name="pf_max_src_conn_rate_overload_table"></Option>
|
|
<Option name="pf_max_src_conn_rate_seconds">0</Option>
|
|
<Option name="pf_max_src_nodes">0</Option>
|
|
<Option name="pf_max_src_states">0</Option>
|
|
<Option name="pf_route_load_option">round_robin</Option>
|
|
<Option name="pf_route_opt_addr">192.0.2.1/32</Option>
|
|
<Option name="pf_route_opt_if">le2</Option>
|
|
<Option name="pf_route_option">route_through</Option>
|
|
<Option name="pf_rule_max_state">0</Option>
|
|
<Option name="pf_source_tracking">False</Option>
|
|
<Option name="routing">True</Option>
|
|
<Option name="rule_name_accounting"></Option>
|
|
<Option name="stateless">False</Option>
|
|
<Option name="tagging">False</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<PolicyRule id="id476509419697" disabled="False" group="" log="False" position="11" action="Accept" direction="Inbound" comment="this should fail because the IP address in the next hop is illegal">
|
|
<Src neg="False">
|
|
<ObjectRef ref="id3DC75CE7-1"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="tcp-HTTP"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="id4764591B9697"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="action_on_reject"></Option>
|
|
<Option name="branch_anchor_name"></Option>
|
|
<Option name="branch_chain_name"></Option>
|
|
<Option name="classification">False</Option>
|
|
<Option name="classify_str"></Option>
|
|
<Option name="color">#C86E6E</Option>
|
|
<Option name="custom_str"></Option>
|
|
<Option name="ipf_route_opt_addr"></Option>
|
|
<Option name="ipf_route_opt_if"></Option>
|
|
<Option name="ipf_route_option">route_through</Option>
|
|
<Option name="ipfw_classify_method">2</Option>
|
|
<Option name="ipfw_pipe_port_num">0</Option>
|
|
<Option name="ipfw_pipe_queue_num">0</Option>
|
|
<Option name="ipt_continue">False</Option>
|
|
<Option name="ipt_gw"></Option>
|
|
<Option name="ipt_iif"></Option>
|
|
<Option name="ipt_mark_connections">False</Option>
|
|
<Option name="ipt_oif"></Option>
|
|
<Option name="ipt_tee">False</Option>
|
|
<Option name="log_prefix"></Option>
|
|
<Option name="pf_classify_str"></Option>
|
|
<Option name="pf_fastroute">False</Option>
|
|
<Option name="pf_keep_state">False</Option>
|
|
<Option name="pf_max_src_conn">0</Option>
|
|
<Option name="pf_max_src_conn_flush">False</Option>
|
|
<Option name="pf_max_src_conn_global">False</Option>
|
|
<Option name="pf_max_src_conn_overload_table"></Option>
|
|
<Option name="pf_max_src_conn_rate_flush">False</Option>
|
|
<Option name="pf_max_src_conn_rate_global">False</Option>
|
|
<Option name="pf_max_src_conn_rate_num">0</Option>
|
|
<Option name="pf_max_src_conn_rate_overload_table"></Option>
|
|
<Option name="pf_max_src_conn_rate_seconds">0</Option>
|
|
<Option name="pf_max_src_nodes">0</Option>
|
|
<Option name="pf_max_src_states">0</Option>
|
|
<Option name="pf_route_load_option">round_robin</Option>
|
|
<Option name="pf_route_opt_addr">192.0.300.1/32</Option>
|
|
<Option name="pf_route_opt_if">le2</Option>
|
|
<Option name="pf_route_option">route_through</Option>
|
|
<Option name="pf_rule_max_state">0</Option>
|
|
<Option name="pf_source_tracking">False</Option>
|
|
<Option name="routing">True</Option>
|
|
<Option name="rule_name_accounting"></Option>
|
|
<Option name="stateless">False</Option>
|
|
<Option name="tagging">False</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<RuleSetOptions/>
|
|
</Policy>
|
|
<Policy id="id16074X72625" name="routes" comment="testing different options for the route-to action" ro="False" ipv4_rule_set="True" ipv6_rule_set="False" top_rule_set="False">
|
|
<PolicyRule id="id16087X72625" disabled="False" group="" log="False" position="0" action="Accept" direction="Inbound" comment="route_through, load balancing random">
|
|
<Src neg="False">
|
|
<ObjectRef ref="id3DC75CE7-1"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="tcp-HTTP"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="id4764591B9697"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="action_on_reject"></Option>
|
|
<Option name="branch_anchor_name"></Option>
|
|
<Option name="branch_chain_name"></Option>
|
|
<Option name="classification">False</Option>
|
|
<Option name="classify_str"></Option>
|
|
<Option name="color">#8BC065</Option>
|
|
<Option name="custom_str"></Option>
|
|
<Option name="ipf_route_opt_addr"></Option>
|
|
<Option name="ipf_route_opt_if"></Option>
|
|
<Option name="ipf_route_option">route_through</Option>
|
|
<Option name="ipfw_classify_method">2</Option>
|
|
<Option name="ipfw_pipe_port_num">0</Option>
|
|
<Option name="ipfw_pipe_queue_num">0</Option>
|
|
<Option name="ipt_continue">False</Option>
|
|
<Option name="ipt_gw"></Option>
|
|
<Option name="ipt_iif"></Option>
|
|
<Option name="ipt_mark_connections">False</Option>
|
|
<Option name="ipt_oif"></Option>
|
|
<Option name="ipt_tee">False</Option>
|
|
<Option name="log_prefix"></Option>
|
|
<Option name="pf_classify_str"></Option>
|
|
<Option name="pf_fastroute">False</Option>
|
|
<Option name="pf_keep_state">False</Option>
|
|
<Option name="pf_max_src_conn">0</Option>
|
|
<Option name="pf_max_src_conn_flush">False</Option>
|
|
<Option name="pf_max_src_conn_global">False</Option>
|
|
<Option name="pf_max_src_conn_overload_table"></Option>
|
|
<Option name="pf_max_src_conn_rate_flush">False</Option>
|
|
<Option name="pf_max_src_conn_rate_global">False</Option>
|
|
<Option name="pf_max_src_conn_rate_num">0</Option>
|
|
<Option name="pf_max_src_conn_rate_overload_table"></Option>
|
|
<Option name="pf_max_src_conn_rate_seconds">0</Option>
|
|
<Option name="pf_max_src_nodes">0</Option>
|
|
<Option name="pf_max_src_states">0</Option>
|
|
<Option name="pf_route_load_option">random</Option>
|
|
<Option name="pf_route_opt_addr">192.0.2.1,192.0.2.2,192.0.2.3</Option>
|
|
<Option name="pf_route_opt_if">le1</Option>
|
|
<Option name="pf_route_option">route_through</Option>
|
|
<Option name="pf_rule_max_state">0</Option>
|
|
<Option name="pf_source_tracking">False</Option>
|
|
<Option name="routing">True</Option>
|
|
<Option name="rule_name_accounting"></Option>
|
|
<Option name="stateless">False</Option>
|
|
<Option name="tagging">False</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<PolicyRule id="id16104X72625" disabled="False" group="" log="False" position="1" action="Accept" direction="Inbound" comment="error: interface is required">
|
|
<Src neg="False">
|
|
<ObjectRef ref="id3DC75CE7-1"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="tcp-HTTP"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="id4764591B9697"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="action_on_reject"></Option>
|
|
<Option name="branch_anchor_name"></Option>
|
|
<Option name="branch_chain_name"></Option>
|
|
<Option name="classification">False</Option>
|
|
<Option name="classify_str"></Option>
|
|
<Option name="color">#8BC065</Option>
|
|
<Option name="custom_str"></Option>
|
|
<Option name="ipf_route_opt_addr"></Option>
|
|
<Option name="ipf_route_opt_if"></Option>
|
|
<Option name="ipf_route_option">route_through</Option>
|
|
<Option name="ipfw_classify_method">2</Option>
|
|
<Option name="ipfw_pipe_port_num">0</Option>
|
|
<Option name="ipfw_pipe_queue_num">0</Option>
|
|
<Option name="ipt_continue">False</Option>
|
|
<Option name="ipt_gw"></Option>
|
|
<Option name="ipt_iif"></Option>
|
|
<Option name="ipt_mark_connections">False</Option>
|
|
<Option name="ipt_oif"></Option>
|
|
<Option name="ipt_tee">False</Option>
|
|
<Option name="log_prefix"></Option>
|
|
<Option name="pf_classify_str"></Option>
|
|
<Option name="pf_fastroute">False</Option>
|
|
<Option name="pf_keep_state">False</Option>
|
|
<Option name="pf_max_src_conn">0</Option>
|
|
<Option name="pf_max_src_conn_flush">False</Option>
|
|
<Option name="pf_max_src_conn_global">False</Option>
|
|
<Option name="pf_max_src_conn_overload_table"></Option>
|
|
<Option name="pf_max_src_conn_rate_flush">False</Option>
|
|
<Option name="pf_max_src_conn_rate_global">False</Option>
|
|
<Option name="pf_max_src_conn_rate_num">0</Option>
|
|
<Option name="pf_max_src_conn_rate_overload_table"></Option>
|
|
<Option name="pf_max_src_conn_rate_seconds">0</Option>
|
|
<Option name="pf_max_src_nodes">0</Option>
|
|
<Option name="pf_max_src_states">0</Option>
|
|
<Option name="pf_route_load_option">random</Option>
|
|
<Option name="pf_route_opt_addr">192.0.2.1</Option>
|
|
<Option name="pf_route_opt_if"></Option>
|
|
<Option name="pf_route_option">route_reply_through</Option>
|
|
<Option name="pf_rule_max_state">0</Option>
|
|
<Option name="pf_source_tracking">False</Option>
|
|
<Option name="routing">True</Option>
|
|
<Option name="rule_name_accounting"></Option>
|
|
<Option name="stateless">False</Option>
|
|
<Option name="tagging">False</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<PolicyRule id="id16121X72625" disabled="False" group="" log="False" position="2" action="Accept" direction="Inbound" comment="error: interface is required">
|
|
<Src neg="False">
|
|
<ObjectRef ref="id3DC75CE7-1"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="tcp-HTTP"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="id4764591B9697"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="action_on_reject"></Option>
|
|
<Option name="branch_anchor_name"></Option>
|
|
<Option name="branch_chain_name"></Option>
|
|
<Option name="classification">False</Option>
|
|
<Option name="classify_str"></Option>
|
|
<Option name="color">#8BC065</Option>
|
|
<Option name="custom_str"></Option>
|
|
<Option name="ipf_route_opt_addr"></Option>
|
|
<Option name="ipf_route_opt_if"></Option>
|
|
<Option name="ipf_route_option">route_through</Option>
|
|
<Option name="ipfw_classify_method">2</Option>
|
|
<Option name="ipfw_pipe_port_num">0</Option>
|
|
<Option name="ipfw_pipe_queue_num">0</Option>
|
|
<Option name="ipt_continue">False</Option>
|
|
<Option name="ipt_gw"></Option>
|
|
<Option name="ipt_iif"></Option>
|
|
<Option name="ipt_mark_connections">False</Option>
|
|
<Option name="ipt_oif"></Option>
|
|
<Option name="ipt_tee">False</Option>
|
|
<Option name="log_prefix"></Option>
|
|
<Option name="pf_classify_str"></Option>
|
|
<Option name="pf_fastroute">False</Option>
|
|
<Option name="pf_keep_state">False</Option>
|
|
<Option name="pf_max_src_conn">0</Option>
|
|
<Option name="pf_max_src_conn_flush">False</Option>
|
|
<Option name="pf_max_src_conn_global">False</Option>
|
|
<Option name="pf_max_src_conn_overload_table"></Option>
|
|
<Option name="pf_max_src_conn_rate_flush">False</Option>
|
|
<Option name="pf_max_src_conn_rate_global">False</Option>
|
|
<Option name="pf_max_src_conn_rate_num">0</Option>
|
|
<Option name="pf_max_src_conn_rate_overload_table"></Option>
|
|
<Option name="pf_max_src_conn_rate_seconds">0</Option>
|
|
<Option name="pf_max_src_nodes">0</Option>
|
|
<Option name="pf_max_src_states">0</Option>
|
|
<Option name="pf_route_load_option">random</Option>
|
|
<Option name="pf_route_opt_addr">192.0.2.1</Option>
|
|
<Option name="pf_route_opt_if"></Option>
|
|
<Option name="pf_route_option">route_copy_through</Option>
|
|
<Option name="pf_rule_max_state">0</Option>
|
|
<Option name="pf_source_tracking">False</Option>
|
|
<Option name="routing">True</Option>
|
|
<Option name="rule_name_accounting"></Option>
|
|
<Option name="stateless">False</Option>
|
|
<Option name="tagging">False</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<PolicyRule id="id16138X72625" disabled="False" group="" log="False" position="3" action="Accept" direction="Inbound" comment="fastroute">
|
|
<Src neg="False">
|
|
<ObjectRef ref="id3DC75CE7-1"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="tcp-HTTP"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="id4764591B9697"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="action_on_reject"></Option>
|
|
<Option name="branch_anchor_name"></Option>
|
|
<Option name="branch_chain_name"></Option>
|
|
<Option name="classification">False</Option>
|
|
<Option name="classify_str"></Option>
|
|
<Option name="color">#8BC065</Option>
|
|
<Option name="custom_str"></Option>
|
|
<Option name="ipf_route_opt_addr"></Option>
|
|
<Option name="ipf_route_opt_if"></Option>
|
|
<Option name="ipf_route_option">route_reply_through</Option>
|
|
<Option name="ipfw_classify_method">2</Option>
|
|
<Option name="ipfw_pipe_port_num">0</Option>
|
|
<Option name="ipfw_pipe_queue_num">0</Option>
|
|
<Option name="ipt_continue">False</Option>
|
|
<Option name="ipt_gw"></Option>
|
|
<Option name="ipt_iif"></Option>
|
|
<Option name="ipt_mark_connections">False</Option>
|
|
<Option name="ipt_oif"></Option>
|
|
<Option name="ipt_tee">False</Option>
|
|
<Option name="log_prefix"></Option>
|
|
<Option name="pf_classify_str"></Option>
|
|
<Option name="pf_fastroute">True</Option>
|
|
<Option name="pf_keep_state">False</Option>
|
|
<Option name="pf_max_src_conn">0</Option>
|
|
<Option name="pf_max_src_conn_flush">False</Option>
|
|
<Option name="pf_max_src_conn_global">False</Option>
|
|
<Option name="pf_max_src_conn_overload_table"></Option>
|
|
<Option name="pf_max_src_conn_rate_flush">False</Option>
|
|
<Option name="pf_max_src_conn_rate_global">False</Option>
|
|
<Option name="pf_max_src_conn_rate_num">0</Option>
|
|
<Option name="pf_max_src_conn_rate_overload_table"></Option>
|
|
<Option name="pf_max_src_conn_rate_seconds">0</Option>
|
|
<Option name="pf_max_src_nodes">0</Option>
|
|
<Option name="pf_max_src_states">0</Option>
|
|
<Option name="pf_route_load_option">random</Option>
|
|
<Option name="pf_route_opt_addr">192.0.2.1,192.0.2.2,192.0.2.3</Option>
|
|
<Option name="pf_route_opt_if"></Option>
|
|
<Option name="pf_route_option">none</Option>
|
|
<Option name="pf_rule_max_state">0</Option>
|
|
<Option name="pf_source_tracking">False</Option>
|
|
<Option name="routing">True</Option>
|
|
<Option name="rule_name_accounting"></Option>
|
|
<Option name="stateless">False</Option>
|
|
<Option name="tagging">False</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<PolicyRule id="id16155X72625" disabled="False" group="" log="False" position="4" action="Accept" direction="Inbound" comment="fastroute">
|
|
<Src neg="False">
|
|
<ObjectRef ref="id3DC75CE7-1"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="tcp-HTTP"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="id4764591B9697"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="action_on_reject"></Option>
|
|
<Option name="branch_anchor_name"></Option>
|
|
<Option name="branch_chain_name"></Option>
|
|
<Option name="classification">False</Option>
|
|
<Option name="classify_str"></Option>
|
|
<Option name="color">#8BC065</Option>
|
|
<Option name="custom_str"></Option>
|
|
<Option name="ipf_route_opt_addr"></Option>
|
|
<Option name="ipf_route_opt_if"></Option>
|
|
<Option name="ipf_route_option">route_reply_through</Option>
|
|
<Option name="ipfw_classify_method">2</Option>
|
|
<Option name="ipfw_pipe_port_num">0</Option>
|
|
<Option name="ipfw_pipe_queue_num">0</Option>
|
|
<Option name="ipt_continue">False</Option>
|
|
<Option name="ipt_gw"></Option>
|
|
<Option name="ipt_iif"></Option>
|
|
<Option name="ipt_mark_connections">False</Option>
|
|
<Option name="ipt_oif"></Option>
|
|
<Option name="ipt_tee">False</Option>
|
|
<Option name="log_prefix"></Option>
|
|
<Option name="pf_classify_str"></Option>
|
|
<Option name="pf_fastroute">True</Option>
|
|
<Option name="pf_keep_state">False</Option>
|
|
<Option name="pf_max_src_conn">0</Option>
|
|
<Option name="pf_max_src_conn_flush">False</Option>
|
|
<Option name="pf_max_src_conn_global">False</Option>
|
|
<Option name="pf_max_src_conn_overload_table"></Option>
|
|
<Option name="pf_max_src_conn_rate_flush">False</Option>
|
|
<Option name="pf_max_src_conn_rate_global">False</Option>
|
|
<Option name="pf_max_src_conn_rate_num">0</Option>
|
|
<Option name="pf_max_src_conn_rate_overload_table"></Option>
|
|
<Option name="pf_max_src_conn_rate_seconds">0</Option>
|
|
<Option name="pf_max_src_nodes">0</Option>
|
|
<Option name="pf_max_src_states">0</Option>
|
|
<Option name="pf_route_load_option">random</Option>
|
|
<Option name="pf_route_opt_addr">192.0.2.1</Option>
|
|
<Option name="pf_route_opt_if"></Option>
|
|
<Option name="pf_route_option">none</Option>
|
|
<Option name="pf_rule_max_state">0</Option>
|
|
<Option name="pf_source_tracking">False</Option>
|
|
<Option name="routing">True</Option>
|
|
<Option name="rule_name_accounting"></Option>
|
|
<Option name="stateless">False</Option>
|
|
<Option name="tagging">False</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<PolicyRule id="id16172X72625" disabled="False" group="" log="False" position="5" action="Accept" direction="Inbound" comment="fastroute">
|
|
<Src neg="False">
|
|
<ObjectRef ref="id3DC75CE7-1"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="tcp-HTTP"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="id4764591B9697"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="action_on_reject"></Option>
|
|
<Option name="branch_anchor_name"></Option>
|
|
<Option name="branch_chain_name"></Option>
|
|
<Option name="classification">False</Option>
|
|
<Option name="classify_str"></Option>
|
|
<Option name="color">#8BC065</Option>
|
|
<Option name="custom_str"></Option>
|
|
<Option name="ipf_route_opt_addr"></Option>
|
|
<Option name="ipf_route_opt_if"></Option>
|
|
<Option name="ipf_route_option">route_reply_through</Option>
|
|
<Option name="ipfw_classify_method">2</Option>
|
|
<Option name="ipfw_pipe_port_num">0</Option>
|
|
<Option name="ipfw_pipe_queue_num">0</Option>
|
|
<Option name="ipt_continue">False</Option>
|
|
<Option name="ipt_gw"></Option>
|
|
<Option name="ipt_iif"></Option>
|
|
<Option name="ipt_mark_connections">False</Option>
|
|
<Option name="ipt_oif"></Option>
|
|
<Option name="ipt_tee">False</Option>
|
|
<Option name="log_prefix"></Option>
|
|
<Option name="pf_classify_str"></Option>
|
|
<Option name="pf_fastroute">True</Option>
|
|
<Option name="pf_keep_state">False</Option>
|
|
<Option name="pf_max_src_conn">0</Option>
|
|
<Option name="pf_max_src_conn_flush">False</Option>
|
|
<Option name="pf_max_src_conn_global">False</Option>
|
|
<Option name="pf_max_src_conn_overload_table"></Option>
|
|
<Option name="pf_max_src_conn_rate_flush">False</Option>
|
|
<Option name="pf_max_src_conn_rate_global">False</Option>
|
|
<Option name="pf_max_src_conn_rate_num">0</Option>
|
|
<Option name="pf_max_src_conn_rate_overload_table"></Option>
|
|
<Option name="pf_max_src_conn_rate_seconds">0</Option>
|
|
<Option name="pf_max_src_nodes">0</Option>
|
|
<Option name="pf_max_src_states">0</Option>
|
|
<Option name="pf_route_load_option">random</Option>
|
|
<Option name="pf_route_opt_addr">192.0.2.1</Option>
|
|
<Option name="pf_route_opt_if"></Option>
|
|
<Option name="pf_route_option">none</Option>
|
|
<Option name="pf_rule_max_state">0</Option>
|
|
<Option name="pf_source_tracking">False</Option>
|
|
<Option name="routing">True</Option>
|
|
<Option name="rule_name_accounting"></Option>
|
|
<Option name="stateless">False</Option>
|
|
<Option name="tagging">False</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<PolicyRule id="id22949X72625" disabled="False" group="" log="False" position="6" action="Accept" direction="Inbound" comment="route_through, load balancing none; error: interface is required">
|
|
<Src neg="False">
|
|
<ObjectRef ref="id3DC75CE7-1"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="tcp-HTTP"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="id4764591B9697"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="action_on_reject"></Option>
|
|
<Option name="branch_anchor_name"></Option>
|
|
<Option name="branch_chain_name"></Option>
|
|
<Option name="classification">False</Option>
|
|
<Option name="classify_str"></Option>
|
|
<Option name="color">#8BC065</Option>
|
|
<Option name="custom_str"></Option>
|
|
<Option name="ipf_route_opt_addr"></Option>
|
|
<Option name="ipf_route_opt_if"></Option>
|
|
<Option name="ipf_route_option">route_through</Option>
|
|
<Option name="ipfw_classify_method">2</Option>
|
|
<Option name="ipfw_pipe_port_num">0</Option>
|
|
<Option name="ipfw_pipe_queue_num">0</Option>
|
|
<Option name="ipt_continue">False</Option>
|
|
<Option name="ipt_gw"></Option>
|
|
<Option name="ipt_iif"></Option>
|
|
<Option name="ipt_mark_connections">False</Option>
|
|
<Option name="ipt_oif"></Option>
|
|
<Option name="ipt_tee">False</Option>
|
|
<Option name="log_prefix"></Option>
|
|
<Option name="pf_classify_str"></Option>
|
|
<Option name="pf_fastroute">False</Option>
|
|
<Option name="pf_keep_state">False</Option>
|
|
<Option name="pf_max_src_conn">0</Option>
|
|
<Option name="pf_max_src_conn_flush">False</Option>
|
|
<Option name="pf_max_src_conn_global">False</Option>
|
|
<Option name="pf_max_src_conn_overload_table"></Option>
|
|
<Option name="pf_max_src_conn_rate_flush">False</Option>
|
|
<Option name="pf_max_src_conn_rate_global">False</Option>
|
|
<Option name="pf_max_src_conn_rate_num">0</Option>
|
|
<Option name="pf_max_src_conn_rate_overload_table"></Option>
|
|
<Option name="pf_max_src_conn_rate_seconds">0</Option>
|
|
<Option name="pf_max_src_nodes">0</Option>
|
|
<Option name="pf_max_src_states">0</Option>
|
|
<Option name="pf_route_load_option">none</Option>
|
|
<Option name="pf_route_opt_addr">192.0.2.1,192.0.2.2,192.0.2.3</Option>
|
|
<Option name="pf_route_opt_if"></Option>
|
|
<Option name="pf_route_option">route_through</Option>
|
|
<Option name="pf_rule_max_state">0</Option>
|
|
<Option name="pf_source_tracking">False</Option>
|
|
<Option name="routing">True</Option>
|
|
<Option name="rule_name_accounting"></Option>
|
|
<Option name="stateless">False</Option>
|
|
<Option name="tagging">False</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<PolicyRule id="id22966X72625" disabled="False" group="" log="False" position="7" action="Accept" direction="Inbound" comment="route_through with bitmask load balancing over several addresses but no interface set (pf_route_opt_if is empty); expected compile error: interface is required">
|
|
<Src neg="False">
|
|
<ObjectRef ref="id3DC75CE7-1"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="tcp-HTTP"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="id4764591B9697"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="action_on_reject"></Option>
|
|
<Option name="branch_anchor_name"></Option>
|
|
<Option name="branch_chain_name"></Option>
|
|
<Option name="classification">False</Option>
|
|
<Option name="classify_str"></Option>
|
|
<Option name="color">#8BC065</Option>
|
|
<Option name="custom_str"></Option>
|
|
<Option name="ipf_route_opt_addr"></Option>
|
|
<Option name="ipf_route_opt_if"></Option>
|
|
<Option name="ipf_route_option">route_through</Option>
|
|
<Option name="ipfw_classify_method">2</Option>
|
|
<Option name="ipfw_pipe_port_num">0</Option>
|
|
<Option name="ipfw_pipe_queue_num">0</Option>
|
|
<Option name="ipt_continue">False</Option>
|
|
<Option name="ipt_gw"></Option>
|
|
<Option name="ipt_iif"></Option>
|
|
<Option name="ipt_mark_connections">False</Option>
|
|
<Option name="ipt_oif"></Option>
|
|
<Option name="ipt_tee">False</Option>
|
|
<Option name="log_prefix"></Option>
|
|
<Option name="pf_classify_str"></Option>
|
|
<Option name="pf_fastroute">False</Option>
|
|
<Option name="pf_keep_state">False</Option>
|
|
<Option name="pf_max_src_conn">0</Option>
|
|
<Option name="pf_max_src_conn_flush">False</Option>
|
|
<Option name="pf_max_src_conn_global">False</Option>
|
|
<Option name="pf_max_src_conn_overload_table"></Option>
|
|
<Option name="pf_max_src_conn_rate_flush">False</Option>
|
|
<Option name="pf_max_src_conn_rate_global">False</Option>
|
|
<Option name="pf_max_src_conn_rate_num">0</Option>
|
|
<Option name="pf_max_src_conn_rate_overload_table"></Option>
|
|
<Option name="pf_max_src_conn_rate_seconds">0</Option>
|
|
<Option name="pf_max_src_nodes">0</Option>
|
|
<Option name="pf_max_src_states">0</Option>
|
|
<Option name="pf_route_load_option">bitmask</Option>
|
|
<Option name="pf_route_opt_addr">192.0.2.1,192.0.2.2,192.0.2.3</Option>
|
|
<Option name="pf_route_opt_if"></Option>
|
|
<Option name="pf_route_option">route_through</Option>
|
|
<Option name="pf_rule_max_state">0</Option>
|
|
<Option name="pf_source_tracking">False</Option>
|
|
<Option name="routing">True</Option>
|
|
<Option name="rule_name_accounting"></Option>
|
|
<Option name="stateless">False</Option>
|
|
<Option name="tagging">False</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<PolicyRule id="id29767X72625" disabled="False" group="" log="False" position="8" action="Accept" direction="Inbound" comment="route_through with random load balancing over several addresses but no interface set (pf_route_opt_if is empty); expected compile error: interface is required">
|
|
<Src neg="False">
|
|
<ObjectRef ref="id3DC75CE7-1"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="tcp-HTTP"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="id4764591B9697"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="action_on_reject"></Option>
|
|
<Option name="branch_anchor_name"></Option>
|
|
<Option name="branch_chain_name"></Option>
|
|
<Option name="classification">False</Option>
|
|
<Option name="classify_str"></Option>
|
|
<Option name="color">#8BC065</Option>
|
|
<Option name="custom_str"></Option>
|
|
<Option name="ipf_route_opt_addr"></Option>
|
|
<Option name="ipf_route_opt_if"></Option>
|
|
<Option name="ipf_route_option">route_through</Option>
|
|
<Option name="ipfw_classify_method">2</Option>
|
|
<Option name="ipfw_pipe_port_num">0</Option>
|
|
<Option name="ipfw_pipe_queue_num">0</Option>
|
|
<Option name="ipt_continue">False</Option>
|
|
<Option name="ipt_gw"></Option>
|
|
<Option name="ipt_iif"></Option>
|
|
<Option name="ipt_mark_connections">False</Option>
|
|
<Option name="ipt_oif"></Option>
|
|
<Option name="ipt_tee">False</Option>
|
|
<Option name="log_prefix"></Option>
|
|
<Option name="pf_classify_str"></Option>
|
|
<Option name="pf_fastroute">False</Option>
|
|
<Option name="pf_keep_state">False</Option>
|
|
<Option name="pf_max_src_conn">0</Option>
|
|
<Option name="pf_max_src_conn_flush">False</Option>
|
|
<Option name="pf_max_src_conn_global">False</Option>
|
|
<Option name="pf_max_src_conn_overload_table"></Option>
|
|
<Option name="pf_max_src_conn_rate_flush">False</Option>
|
|
<Option name="pf_max_src_conn_rate_global">False</Option>
|
|
<Option name="pf_max_src_conn_rate_num">0</Option>
|
|
<Option name="pf_max_src_conn_rate_overload_table"></Option>
|
|
<Option name="pf_max_src_conn_rate_seconds">0</Option>
|
|
<Option name="pf_max_src_nodes">0</Option>
|
|
<Option name="pf_max_src_states">0</Option>
|
|
<Option name="pf_route_load_option">random</Option>
|
|
<Option name="pf_route_opt_addr">192.0.2.1,192.0.2.2,192.0.2.3</Option>
|
|
<Option name="pf_route_opt_if"></Option>
|
|
<Option name="pf_route_option">route_through</Option>
|
|
<Option name="pf_rule_max_state">0</Option>
|
|
<Option name="pf_source_tracking">False</Option>
|
|
<Option name="routing">True</Option>
|
|
<Option name="rule_name_accounting"></Option>
|
|
<Option name="stateless">False</Option>
|
|
<Option name="tagging">False</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<PolicyRule id="id29784X72625" disabled="False" group="" log="False" position="9" action="Accept" direction="Inbound" comment="route_through with source-hash load balancing over several addresses but no interface set (pf_route_opt_if is empty); expected compile error: interface is required">
|
|
<Src neg="False">
|
|
<ObjectRef ref="id3DC75CE7-1"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="tcp-HTTP"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="id4764591B9697"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="action_on_reject"></Option>
|
|
<Option name="branch_anchor_name"></Option>
|
|
<Option name="branch_chain_name"></Option>
|
|
<Option name="classification">False</Option>
|
|
<Option name="classify_str"></Option>
|
|
<Option name="color">#8BC065</Option>
|
|
<Option name="custom_str"></Option>
|
|
<Option name="ipf_route_opt_addr"></Option>
|
|
<Option name="ipf_route_opt_if"></Option>
|
|
<Option name="ipf_route_option">route_through</Option>
|
|
<Option name="ipfw_classify_method">2</Option>
|
|
<Option name="ipfw_pipe_port_num">0</Option>
|
|
<Option name="ipfw_pipe_queue_num">0</Option>
|
|
<Option name="ipt_continue">False</Option>
|
|
<Option name="ipt_gw"></Option>
|
|
<Option name="ipt_iif"></Option>
|
|
<Option name="ipt_mark_connections">False</Option>
|
|
<Option name="ipt_oif"></Option>
|
|
<Option name="ipt_tee">False</Option>
|
|
<Option name="log_prefix"></Option>
|
|
<Option name="pf_classify_str"></Option>
|
|
<Option name="pf_fastroute">False</Option>
|
|
<Option name="pf_keep_state">False</Option>
|
|
<Option name="pf_max_src_conn">0</Option>
|
|
<Option name="pf_max_src_conn_flush">False</Option>
|
|
<Option name="pf_max_src_conn_global">False</Option>
|
|
<Option name="pf_max_src_conn_overload_table"></Option>
|
|
<Option name="pf_max_src_conn_rate_flush">False</Option>
|
|
<Option name="pf_max_src_conn_rate_global">False</Option>
|
|
<Option name="pf_max_src_conn_rate_num">0</Option>
|
|
<Option name="pf_max_src_conn_rate_overload_table"></Option>
|
|
<Option name="pf_max_src_conn_rate_seconds">0</Option>
|
|
<Option name="pf_max_src_nodes">0</Option>
|
|
<Option name="pf_max_src_states">0</Option>
|
|
<Option name="pf_route_load_option">source_hash</Option>
|
|
<Option name="pf_route_opt_addr">192.0.2.1,192.0.2.2,192.0.2.3</Option>
|
|
<Option name="pf_route_opt_if"></Option>
|
|
<Option name="pf_route_option">route_through</Option>
|
|
<Option name="pf_rule_max_state">0</Option>
|
|
<Option name="pf_source_tracking">False</Option>
|
|
<Option name="routing">True</Option>
|
|
<Option name="rule_name_accounting"></Option>
|
|
<Option name="stateless">False</Option>
|
|
<Option name="tagging">False</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<PolicyRule id="id29801X72625" disabled="False" group="" log="False" position="10" action="Accept" direction="Inbound" comment="route_through with round-robin load balancing over several addresses but no interface set (pf_route_opt_if is empty); expected compile error: interface is required">
|
|
<Src neg="False">
|
|
<ObjectRef ref="id3DC75CE7-1"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="tcp-HTTP"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="id4764591B9697"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="action_on_reject"></Option>
|
|
<Option name="branch_anchor_name"></Option>
|
|
<Option name="branch_chain_name"></Option>
|
|
<Option name="classification">False</Option>
|
|
<Option name="classify_str"></Option>
|
|
<Option name="color">#8BC065</Option>
|
|
<Option name="custom_str"></Option>
|
|
<Option name="ipf_route_opt_addr"></Option>
|
|
<Option name="ipf_route_opt_if"></Option>
|
|
<Option name="ipf_route_option">route_through</Option>
|
|
<Option name="ipfw_classify_method">2</Option>
|
|
<Option name="ipfw_pipe_port_num">0</Option>
|
|
<Option name="ipfw_pipe_queue_num">0</Option>
|
|
<Option name="ipt_continue">False</Option>
|
|
<Option name="ipt_gw"></Option>
|
|
<Option name="ipt_iif"></Option>
|
|
<Option name="ipt_mark_connections">False</Option>
|
|
<Option name="ipt_oif"></Option>
|
|
<Option name="ipt_tee">False</Option>
|
|
<Option name="log_prefix"></Option>
|
|
<Option name="pf_classify_str"></Option>
|
|
<Option name="pf_fastroute">False</Option>
|
|
<Option name="pf_keep_state">False</Option>
|
|
<Option name="pf_max_src_conn">0</Option>
|
|
<Option name="pf_max_src_conn_flush">False</Option>
|
|
<Option name="pf_max_src_conn_global">False</Option>
|
|
<Option name="pf_max_src_conn_overload_table"></Option>
|
|
<Option name="pf_max_src_conn_rate_flush">False</Option>
|
|
<Option name="pf_max_src_conn_rate_global">False</Option>
|
|
<Option name="pf_max_src_conn_rate_num">0</Option>
|
|
<Option name="pf_max_src_conn_rate_overload_table"></Option>
|
|
<Option name="pf_max_src_conn_rate_seconds">0</Option>
|
|
<Option name="pf_max_src_nodes">0</Option>
|
|
<Option name="pf_max_src_states">0</Option>
|
|
<Option name="pf_route_load_option">round_robin</Option>
|
|
<Option name="pf_route_opt_addr">192.0.2.1,192.0.2.2,192.0.2.3</Option>
|
|
<Option name="pf_route_opt_if"></Option>
|
|
<Option name="pf_route_option">route_through</Option>
|
|
<Option name="pf_rule_max_state">0</Option>
|
|
<Option name="pf_source_tracking">False</Option>
|
|
<Option name="routing">True</Option>
|
|
<Option name="rule_name_accounting"></Option>
|
|
<Option name="stateless">False</Option>
|
|
<Option name="tagging">False</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<PolicyRule id="id16075X72625" disabled="False" group="" log="True" position="11" action="Deny" direction="Both" comment="">
|
|
<Src neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="pf_classify_str"></Option>
|
|
<Option name="stateless">True</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<RuleSetOptions/>
|
|
</Policy>
|
|
<Routing id="id476459179697" name="Routing" comment="" ro="False" ipv4_rule_set="False" ipv6_rule_set="False" top_rule_set="True">
|
|
<RuleSetOptions/>
|
|
</Routing>
|
|
<Interface id="id476459189697" dedicated_failover="False" dyn="False" label="" mgmt="False" security_level="0" unnum="False" unprotected="False" name="le1" comment="" ro="False">
|
|
<IPv4 id="id4764591A9697" name="firewall40-1:le1:ip" comment="This is a test address, change it to your real one" ro="False" address="192.0.2.1" netmask="255.255.255.0"/>
|
|
<InterfaceOptions/>
|
|
</Interface>
|
|
<Interface id="id4764591B9697" dedicated_failover="False" dyn="False" label="" mgmt="True" security_level="100" unnum="False" unprotected="False" name="fxp0" comment="" ro="False">
|
|
<IPv4 id="id4764591D9697" name="firewall40-1:fxp0:ip" comment="" ro="False" address="192.168.1.1" netmask="255.255.255.0"/>
|
|
<InterfaceOptions/>
|
|
</Interface>
|
|
<Interface id="id4764591E9697" dedicated_failover="False" dyn="False" label="" mgmt="False" security_level="100" unnum="False" unprotected="False" name="lo0" comment="" ro="False">
|
|
<IPv4 id="id476459209697" name="firewall40-1:lo0:ip" comment="" ro="False" address="127.0.0.1" netmask="255.0.0.0"/>
|
|
<InterfaceOptions/>
|
|
</Interface>
|
|
<Interface id="id476459219697" dedicated_failover="False" dyn="False" label="" mgmt="False" security_level="0" unnum="False" unprotected="False" name="le2" comment="" ro="False">
|
|
<IPv4 id="id476459239697" name="firewall40-1:le2:ip" comment="" ro="False" address="192.0.3.1" netmask="255.255.255.0"/>
|
|
<InterfaceOptions/>
|
|
</Interface>
|
|
<Management address="0.0.0.0">
|
|
<SNMPManagement enabled="False" snmp_read_community="" snmp_write_community=""/>
|
|
<FWBDManagement enabled="False" identity="" port="-1"/>
|
|
<PolicyInstallScript arguments="" command="" enabled="False"/>
|
|
</Management>
|
|
<FirewallOptions>
|
|
<Option name="accept_established">true</Option>
|
|
<Option name="accept_new_tcp_with_no_syn">True</Option>
|
|
<Option name="activationCmd"></Option>
|
|
<Option name="admUser"></Option>
|
|
<Option name="altAddress"></Option>
|
|
<Option name="check_shading">True</Option>
|
|
<Option name="cmdline"></Option>
|
|
<Option name="compiler"></Option>
|
|
<Option name="configure_interfaces">True</Option>
|
|
<Option name="debug">False</Option>
|
|
<Option name="eliminate_duplicates">true</Option>
|
|
<Option name="epilog_script"></Option>
|
|
<Option name="fallback_log">False</Option>
|
|
<Option name="firewall_dir">/etc</Option>
|
|
<Option name="firewall_is_part_of_any_and_networks">true</Option>
|
|
<Option name="freebsd_ip_forward">1</Option>
|
|
<Option name="ignore_empty_groups">False</Option>
|
|
<Option name="in_out_code">True</Option>
|
|
<Option name="ipt_mangle_only_rulesets"></Option>
|
|
<Option name="limit_value">0</Option>
|
|
<Option name="linux24_ip_forward">1</Option>
|
|
<Option name="load_modules">true</Option>
|
|
<Option name="local_nat">false</Option>
|
|
<Option name="log_level">info</Option>
|
|
<Option name="log_prefix">RULE %N -- %A </Option>
|
|
<Option name="loopback_interface">lo0</Option>
|
|
<Option name="macosx_ip_forward">1</Option>
|
|
<Option name="manage_virtual_addr">True</Option>
|
|
<Option name="mgmt_addr"></Option>
|
|
<Option name="mgmt_ssh">False</Option>
|
|
<Option name="modulate_state">True</Option>
|
|
<Option name="openbsd_ip_forward">1</Option>
|
|
<Option name="output_file"></Option>
|
|
<Option name="pass_all_out">False</Option>
|
|
<Option name="pf_adaptive_end">0</Option>
|
|
<Option name="pf_adaptive_start">0</Option>
|
|
<Option name="pf_do_limit_frags">False</Option>
|
|
<Option name="pf_do_limit_states">False</Option>
|
|
<Option name="pf_do_scrub">False</Option>
|
|
<Option name="pf_do_timeout_frag">False</Option>
|
|
<Option name="pf_do_timeout_interval">False</Option>
|
|
<Option name="pf_icmp_error">0</Option>
|
|
<Option name="pf_icmp_first">0</Option>
|
|
<Option name="pf_limit_frags">5000</Option>
|
|
<Option name="pf_limit_states">10000</Option>
|
|
<Option name="pf_optimization"></Option>
|
|
<Option name="pf_other_first">0</Option>
|
|
<Option name="pf_other_multiple">0</Option>
|
|
<Option name="pf_other_single">0</Option>
|
|
<Option name="pf_scrub_fragm_crop">False</Option>
|
|
<Option name="pf_scrub_fragm_drop_ovl">False</Option>
|
|
<Option name="pf_scrub_maxmss">1460</Option>
|
|
<Option name="pf_scrub_minttl">0</Option>
|
|
<Option name="pf_scrub_no_df">False</Option>
|
|
<Option name="pf_scrub_random_id">False</Option>
|
|
<Option name="pf_scrub_reassemble">True</Option>
|
|
<Option name="pf_scrub_use_maxmss">False</Option>
|
|
<Option name="pf_scrub_use_minttl">False</Option>
|
|
<Option name="pf_set_adaptive">False</Option>
|
|
<Option name="pf_set_icmp_error">False</Option>
|
|
<Option name="pf_set_icmp_first">False</Option>
|
|
<Option name="pf_set_other_first">False</Option>
|
|
<Option name="pf_set_other_multiple">False</Option>
|
|
<Option name="pf_set_other_single">False</Option>
|
|
<Option name="pf_set_tcp_closed">False</Option>
|
|
<Option name="pf_set_tcp_closing">False</Option>
|
|
<Option name="pf_set_tcp_established">False</Option>
|
|
<Option name="pf_set_tcp_finwait">False</Option>
|
|
<Option name="pf_set_tcp_first">False</Option>
|
|
<Option name="pf_set_tcp_opening">False</Option>
|
|
<Option name="pf_set_udp_first">False</Option>
|
|
<Option name="pf_set_udp_multiple">False</Option>
|
|
<Option name="pf_set_udp_single">False</Option>
|
|
<Option name="pf_tcp_closed">0</Option>
|
|
<Option name="pf_tcp_closing">0</Option>
|
|
<Option name="pf_tcp_established">0</Option>
|
|
<Option name="pf_tcp_finwait">0</Option>
|
|
<Option name="pf_tcp_first">0</Option>
|
|
<Option name="pf_tcp_opening">0</Option>
|
|
<Option name="pf_timeout_frag">30</Option>
|
|
<Option name="pf_timeout_interval">10</Option>
|
|
<Option name="pf_udp_first">0</Option>
|
|
<Option name="pf_udp_multiple">0</Option>
|
|
<Option name="pf_udp_single">0</Option>
|
|
<Option name="pix_add_clear_statements">true</Option>
|
|
<Option name="pix_assume_fw_part_of_any">true</Option>
|
|
<Option name="pix_default_logint">300</Option>
|
|
<Option name="pix_emblem_log_format">false</Option>
|
|
<Option name="pix_emulate_out_acl">true</Option>
|
|
<Option name="pix_floodguard">true</Option>
|
|
<Option name="pix_include_comments">true</Option>
|
|
<Option name="pix_route_dnat_supported">true</Option>
|
|
<Option name="pix_rule_syslog_settings">false</Option>
|
|
<Option name="pix_security_fragguard_supported">true</Option>
|
|
<Option name="pix_syslog_device_id_supported">false</Option>
|
|
<Option name="pix_use_acl_remarks">true</Option>
|
|
<Option name="prolog_script"></Option>
|
|
<Option name="prompt1">$ </Option>
|
|
<Option name="prompt2"> # </Option>
|
|
<Option name="solaris_ip_forward">1</Option>
|
|
<Option name="sshArgs"></Option>
|
|
<Option name="ulog_nlgroup">1</Option>
|
|
<Option name="verify_interfaces">true</Option>
|
|
</FirewallOptions>
|
|
</Firewall>
|
|
<Firewall id="id4833F62B6131" host_OS="freebsd" inactive="False" lastCompiled="1249840785" lastInstalled="0" lastModified="1249840779" platform="pf" version="" name="firewall-ipv6-1" comment="" ro="False">
|
|
<NAT id="id4833F62F6131" name="NAT" comment="" ro="False" ipv4_rule_set="False" ipv6_rule_set="False" top_rule_set="True">
|
|
<RuleSetOptions/>
|
|
</NAT>
|
|
<Policy id="id483F5B7623190" name="Policy_ipv4" comment="" ro="False" ipv4_rule_set="False" ipv6_rule_set="False" top_rule_set="False">
|
|
<PolicyRule id="id15141X22329" disabled="False" group="" log="False" position="0" action="Accept" direction="Both" comment="">
|
|
<Src neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="id4841FADB30813"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="pf_classify_str"></Option>
|
|
<Option name="stateless">False</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<PolicyRule id="id15124X22329" disabled="False" group="" log="False" position="1" action="Accept" direction="Both" comment="this rule shadows the next. Note that we add command line flag -xt to the compiler">
|
|
<Src neg="False">
|
|
<ObjectRef ref="id4834B9206131"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="id4833F6316131"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="tcp-SSH"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="pf_classify_str"></Option>
|
|
<Option name="stateless">False</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<RuleSetOptions/>
|
|
</Policy>
|
|
<Policy id="id4833F62E6131" name="Policy" comment="" ro="False" ipv4_rule_set="False" ipv6_rule_set="True" top_rule_set="True">
|
|
<PolicyRule id="id4841FADE30813" disabled="False" group="" log="False" position="0" action="Accept" direction="Both" comment="">
|
|
<Src neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="id4841FADB30813"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="pf_classify_str"></Option>
|
|
<Option name="stateless">False</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<PolicyRule id="id4837BFE628819" disabled="False" group="" log="False" position="1" action="Accept" direction="Both" comment="This rule shadows the next one. Note that the compiler is run with the command-line flag -xt for this firewall (see its cmdline option).">
|
|
<Src neg="False">
|
|
<ObjectRef ref="id4834B9206131"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="id4833F6316131"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="tcp-SSH"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="pf_classify_str"></Option>
|
|
<Option name="stateless">False</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<PolicyRule id="id4834578B6131" disabled="False" group="" log="False" position="2" action="Accept" direction="Both" comment="">
|
|
<Src neg="False">
|
|
<ObjectRef ref="id48416A7216880"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="id4833F6316131"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="tcp-SSH"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="pf_classify_str"></Option>
|
|
<Option name="stateless">False</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<PolicyRule id="id4834577C6131" disabled="False" group="" log="True" position="3" action="Accept" direction="Both" comment="">
|
|
<Src neg="False">
|
|
<ObjectRef ref="id48416A7116880"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="id4833F62B6131"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="tcp-SSH"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="pf_classify_str"></Option>
|
|
<Option name="stateless">False</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<PolicyRule id="id4834D3038571" disabled="False" group="" log="True" position="4" action="Accept" direction="Both" comment="">
|
|
<Src neg="False">
|
|
<ObjectRef ref="id4834A2238571"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="id4833F6316131"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="tcp-SSH"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="pf_classify_str"></Option>
|
|
<Option name="stateless">False</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<PolicyRule id="id4834D3108571" disabled="False" group="" log="True" position="5" action="Accept" direction="Both" comment="">
|
|
<Src neg="False">
|
|
<ObjectRef ref="id4834A2278571"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="id4833F6316131"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="tcp-SSH"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="pf_classify_str"></Option>
|
|
<Option name="stateless">False</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<PolicyRule id="id4835040E8571" disabled="False" group="" log="True" position="6" action="Accept" direction="Both" comment="">
|
|
<Src neg="False">
|
|
<ObjectRef ref="id4834A2238571"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="id4833F62B6131"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="tcp-SSH"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="pf_classify_str"></Option>
|
|
<Option name="stateless">False</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<PolicyRule id="id4835041F8571" disabled="False" group="" log="True" position="7" action="Accept" direction="Both" comment="">
|
|
<Src neg="False">
|
|
<ObjectRef ref="id4834A2278571"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="id4833F62B6131"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="tcp-SSH"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="pf_classify_str"></Option>
|
|
<Option name="stateless">False</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<PolicyRule id="id4834576F6131" disabled="False" group="" log="True" position="8" action="Accept" direction="Inbound" comment="">
|
|
<Src neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="id4833F62B6131"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="pf_classify_str"></Option>
|
|
<Option name="stateless">False</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<PolicyRule id="id4834B9216131" disabled="False" group="" log="True" position="9" action="Accept" direction="Both" comment="">
|
|
<Src neg="False">
|
|
<ObjectRef ref="id4834B9206131"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="pf_classify_str"></Option>
|
|
<Option name="stateless">False</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<PolicyRule id="id483566468571" disabled="False" group="" log="True" position="10" action="Accept" direction="Both" comment="">
|
|
<Src neg="False">
|
|
<ObjectRef ref="id4834A2238571"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="pf_classify_str"></Option>
|
|
<Option name="stateless">False</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<PolicyRule id="id483566548571" disabled="False" group="" log="True" position="11" action="Accept" direction="Both" comment="">
|
|
<Src neg="False">
|
|
<ObjectRef ref="id4834A2278571"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="pf_classify_str"></Option>
|
|
<Option name="stateless">False</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<RuleSetOptions/>
|
|
</Policy>
|
|
<Routing id="id4833F6306131" name="Routing" comment="" ro="False" ipv4_rule_set="False" ipv6_rule_set="False" top_rule_set="True">
|
|
<RuleSetOptions/>
|
|
</Routing>
|
|
<Interface id="id4833F6316131" dedicated_failover="False" dyn="False" label="" security_level="50" unnum="False" unprotected="False" name="eth0" comment="" ro="False">
|
|
<IPv4 id="id4833F6326131" name="firewall-ipv6-1:eth0:ip" comment="" ro="False" address="1.1.1.1" netmask="255.255.255.0"/>
|
|
<IPv6 id="id4833F6346131" name="firewall-ipv6-1:eth0:ipv6" comment="" ro="False" address="fe80::21d:9ff:fe8b:8e94" netmask="64"/>
|
|
<InterfaceOptions/>
|
|
</Interface>
|
|
<Interface id="id4841FADB30813" dedicated_failover="False" dyn="False" label="" mgmt="False" security_level="100" unnum="False" unprotected="False" name="lo" comment="" ro="False">
|
|
<IPv4 id="id4841FADC30813" name="firewall-ipv6-1:lo:ip" comment="" ro="False" address="127.0.0.1" netmask="255.0.0.0"/>
|
|
<IPv6 id="id4841FADD30813" name="firewall-ipv6-1:lo:ipv6" comment="" ro="False" address="::1" netmask="128"/>
|
|
<InterfaceOptions/>
|
|
</Interface>
|
|
<Management address="1.1.1.1">
|
|
<SNMPManagement enabled="False" snmp_read_community="" snmp_write_community=""/>
|
|
<FWBDManagement enabled="False" identity="" port="-1"/>
|
|
<PolicyInstallScript arguments="" command="" enabled="False"/>
|
|
</Management>
|
|
<FirewallOptions>
|
|
<Option name="accept_established">True</Option>
|
|
<Option name="accept_new_tcp_with_no_syn">True</Option>
|
|
<Option name="action_on_reject"></Option>
|
|
<Option name="activationCmd"></Option>
|
|
<Option name="add_check_state_rule">true</Option>
|
|
<Option name="admUser"></Option>
|
|
<Option name="altAddress"></Option>
|
|
<Option name="bridging_fw">False</Option>
|
|
<Option name="check_shading">True</Option>
|
|
<Option name="clamp_mss_to_mtu">False</Option>
|
|
<Option name="classify_mark_terminating">False</Option>
|
|
<Option name="cmdline">-xt</Option>
|
|
<Option name="compiler"></Option>
|
|
<Option name="conf_file_name_on_firewall">/etc/fw/pf-ipv6.conf</Option>
|
|
<Option name="configure_carp_interfaces">False</Option>
|
|
<Option name="configure_interfaces">True</Option>
|
|
<Option name="configure_pfsync_interfaces">False</Option>
|
|
<Option name="configure_vlan_interfaces">False</Option>
|
|
<Option name="debug">False</Option>
|
|
<Option name="drop_invalid">False</Option>
|
|
<Option name="eliminate_duplicates">true</Option>
|
|
<Option name="enable_ipv6">True</Option>
|
|
<Option name="epilog_script"></Option>
|
|
<Option name="fallback_log">False</Option>
|
|
<Option name="firewall_dir">/etc</Option>
|
|
<Option name="firewall_is_part_of_any_and_networks">True</Option>
|
|
<Option name="freebsd_ip_forward">1</Option>
|
|
<Option name="freebsd_ip_redirect"></Option>
|
|
<Option name="freebsd_ip_sourceroute"></Option>
|
|
<Option name="freebsd_ipv6_forward">1</Option>
|
|
<Option name="freebsd_path_ipf"></Option>
|
|
<Option name="freebsd_path_ipfw"></Option>
|
|
<Option name="freebsd_path_ipnat"></Option>
|
|
<Option name="freebsd_path_sysctl"></Option>
|
|
<Option name="generate_shell_script">True</Option>
|
|
<Option name="ignore_empty_groups">False</Option>
|
|
<Option name="in_out_code">True</Option>
|
|
<Option name="iosacl_add_clear_statements">true</Option>
|
|
<Option name="iosacl_assume_fw_part_of_any">true</Option>
|
|
<Option name="iosacl_include_comments">true</Option>
|
|
<Option name="ipv4_6_order">ipv4_first</Option>
|
|
<Option name="limit_suffix"></Option>
|
|
<Option name="limit_value">0</Option>
|
|
<Option name="linux24_ip_forward">1</Option>
|
|
<Option name="load_modules">True</Option>
|
|
<Option name="local_nat">False</Option>
|
|
<Option name="log_all">False</Option>
|
|
<Option name="log_invalid">False</Option>
|
|
<Option name="log_ip_opt">False</Option>
|
|
<Option name="log_level">info</Option>
|
|
<Option name="log_prefix">RULE %N -- %A </Option>
|
|
<Option name="log_tcp_opt">False</Option>
|
|
<Option name="log_tcp_seq">False</Option>
|
|
<Option name="loopback_interface">lo0</Option>
|
|
<Option name="macosx_ip_forward">1</Option>
|
|
<Option name="manage_virtual_addr">True</Option>
|
|
<Option name="mgmt_addr"></Option>
|
|
<Option name="mgmt_ssh">False</Option>
|
|
<Option name="modulate_state">False</Option>
|
|
<Option name="no_ipv6_default_policy">False</Option>
|
|
<Option name="openbsd_ip_directed_broadcast"></Option>
|
|
<Option name="openbsd_ip_forward">1</Option>
|
|
<Option name="openbsd_ip_redirect"></Option>
|
|
<Option name="openbsd_ip_sourceroute"></Option>
|
|
<Option name="openbsd_ipv6_forward">1</Option>
|
|
<Option name="openbsd_path_pfctl"></Option>
|
|
<Option name="openbsd_path_sysctl"></Option>
|
|
<Option name="output_file"></Option>
|
|
<Option name="pass_all_out">False</Option>
|
|
<Option name="pf_adaptive_end">0</Option>
|
|
<Option name="pf_adaptive_start">0</Option>
|
|
<Option name="pf_do_limit_frags">False</Option>
|
|
<Option name="pf_do_limit_src_nodes">False</Option>
|
|
<Option name="pf_do_limit_states">False</Option>
|
|
<Option name="pf_do_limit_table_entries">False</Option>
|
|
<Option name="pf_do_limit_tables">False</Option>
|
|
<Option name="pf_do_scrub">False</Option>
|
|
<Option name="pf_do_timeout_frag">False</Option>
|
|
<Option name="pf_do_timeout_interval">False</Option>
|
|
<Option name="pf_flush_states">False</Option>
|
|
<Option name="pf_icmp_error">0</Option>
|
|
<Option name="pf_icmp_first">0</Option>
|
|
<Option name="pf_limit_frags">5000</Option>
|
|
<Option name="pf_limit_src_nodes">0</Option>
|
|
<Option name="pf_limit_states">10000</Option>
|
|
<Option name="pf_limit_table_entries">0</Option>
|
|
<Option name="pf_limit_tables">0</Option>
|
|
<Option name="pf_optimization"></Option>
|
|
<Option name="pf_other_first">0</Option>
|
|
<Option name="pf_other_multiple">0</Option>
|
|
<Option name="pf_other_single">0</Option>
|
|
<Option name="pf_scrub_fragm_crop">False</Option>
|
|
<Option name="pf_scrub_fragm_drop_ovl">False</Option>
|
|
<Option name="pf_scrub_maxmss">1460</Option>
|
|
<Option name="pf_scrub_minttl">0</Option>
|
|
<Option name="pf_scrub_no_df">False</Option>
|
|
<Option name="pf_scrub_random_id">False</Option>
|
|
<Option name="pf_scrub_reassemble">True</Option>
|
|
<Option name="pf_scrub_use_maxmss">False</Option>
|
|
<Option name="pf_scrub_use_minttl">False</Option>
|
|
<Option name="pf_set_adaptive">False</Option>
|
|
<Option name="pf_set_icmp_error">False</Option>
|
|
<Option name="pf_set_icmp_first">False</Option>
|
|
<Option name="pf_set_other_first">False</Option>
|
|
<Option name="pf_set_other_multiple">False</Option>
|
|
<Option name="pf_set_other_single">False</Option>
|
|
<Option name="pf_set_tcp_closed">False</Option>
|
|
<Option name="pf_set_tcp_closing">False</Option>
|
|
<Option name="pf_set_tcp_established">False</Option>
|
|
<Option name="pf_set_tcp_finwait">False</Option>
|
|
<Option name="pf_set_tcp_first">False</Option>
|
|
<Option name="pf_set_tcp_opening">False</Option>
|
|
<Option name="pf_set_udp_first">False</Option>
|
|
<Option name="pf_set_udp_multiple">False</Option>
|
|
<Option name="pf_set_udp_single">False</Option>
|
|
<Option name="pf_tcp_closed">0</Option>
|
|
<Option name="pf_tcp_closing">0</Option>
|
|
<Option name="pf_tcp_established">0</Option>
|
|
<Option name="pf_tcp_finwait">0</Option>
|
|
<Option name="pf_tcp_first">0</Option>
|
|
<Option name="pf_tcp_opening">0</Option>
|
|
<Option name="pf_timeout_frag">30</Option>
|
|
<Option name="pf_timeout_interval">10</Option>
|
|
<Option name="pf_udp_first">0</Option>
|
|
<Option name="pf_udp_multiple">0</Option>
|
|
<Option name="pf_udp_single">0</Option>
|
|
<Option name="pix_add_clear_statements">true</Option>
|
|
<Option name="pix_assume_fw_part_of_any">true</Option>
|
|
<Option name="pix_default_logint">300</Option>
|
|
<Option name="pix_emblem_log_format">false</Option>
|
|
<Option name="pix_emulate_out_acl">true</Option>
|
|
<Option name="pix_floodguard">true</Option>
|
|
<Option name="pix_include_comments">true</Option>
|
|
<Option name="pix_route_dnat_supported">true</Option>
|
|
<Option name="pix_rule_syslog_settings">false</Option>
|
|
<Option name="pix_security_fragguard_supported">true</Option>
|
|
<Option name="pix_syslog_device_id_supported">false</Option>
|
|
<Option name="pix_use_acl_remarks">true</Option>
|
|
<Option name="prolog_place">fw_file</Option>
|
|
<Option name="prolog_script"></Option>
|
|
<Option name="prompt1">$ </Option>
|
|
<Option name="prompt2"> # </Option>
|
|
<Option name="scpArgs"></Option>
|
|
<Option name="script_name_on_firewall">pf-ipv6.fw</Option>
|
|
<Option name="solaris_ip_forward">1</Option>
|
|
<Option name="sshArgs"></Option>
|
|
<Option name="ulog_cprange">0</Option>
|
|
<Option name="ulog_nlgroup">1</Option>
|
|
<Option name="ulog_qthreshold">1</Option>
|
|
<Option name="use_ULOG">False</Option>
|
|
<Option name="use_iptables_restore">False</Option>
|
|
<Option name="use_numeric_log_levels">False</Option>
|
|
<Option name="verify_interfaces">True</Option>
|
|
</FirewallOptions>
|
|
</Firewall>
|
|
<Firewall id="id4848A4294626" host_OS="openbsd" inactive="False" lastCompiled="1188097225" lastInstalled="1142003872" lastModified="1212696462" platform="pf" version="" name="firewall-base-rulesets" comment="this firewall is used to test a rule in the global policy of object &quot;firewall&quot; " ro="False">
|
|
<NAT id="id4848A4304626" name="NAT" comment="" ro="False" ipv4_rule_set="False" ipv6_rule_set="False" top_rule_set="True">
|
|
<RuleSetOptions/>
|
|
</NAT>
|
|
<Policy id="id4848A42F4626" name="Policy" comment="" ro="False" ipv4_rule_set="False" ipv6_rule_set="False" top_rule_set="True">
|
|
<RuleSetOptions/>
|
|
</Policy>
|
|
<Policy id="id4848A4414626" name="web_server_inbound" comment="Basic rules for web servers. " ro="False" ipv4_rule_set="False" ipv6_rule_set="False" top_rule_set="False">
|
|
<PolicyRule id="id4848A4424626" disabled="False" group="" log="False" position="0" action="Accept" direction="Inbound" comment="">
|
|
<Src neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="tcp-HTTP"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="pf_classify_str"></Option>
|
|
<Option name="stateless">False</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<PolicyRule id="id4848A44F4626" disabled="False" group="" log="False" position="1" action="Accept" direction="Inbound" comment="">
|
|
<Src neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="icmp-Unreachables"/>
|
|
<ServiceRef ref="icmp-ping_request"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="pf_classify_str"></Option>
|
|
<Option name="stateless">False</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<RuleSetOptions/>
|
|
</Policy>
|
|
<Policy id="id48493B6E4626" name="mail_server_inbound" comment="Basic rules for mail servers" ro="False" ipv4_rule_set="False" ipv6_rule_set="False" top_rule_set="False">
|
|
<PolicyRule id="id48493B6F4626" disabled="False" group="" log="False" position="0" action="Accept" direction="Inbound" comment="">
|
|
<Src neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="tcp-SMTP"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="pf_classify_str"></Option>
|
|
<Option name="stateless">False</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<PolicyRule id="id48493B7B4626" disabled="False" group="" log="False" position="1" action="Accept" direction="Inbound" comment="">
|
|
<Src neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="icmp-Unreachables"/>
|
|
<ServiceRef ref="icmp-ping_request"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="pf_classify_str"></Option>
|
|
<Option name="stateless">False</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<RuleSetOptions/>
|
|
</Policy>
|
|
<Policy id="id484B0A134626" name="mail_server_outbound" comment="Basic rules for mail servers" ro="False" ipv4_rule_set="False" ipv6_rule_set="False" top_rule_set="False">
|
|
<PolicyRule id="id484B0A2D4626" disabled="False" group="" log="False" position="0" action="Accept" direction="Outbound" comment="">
|
|
<Src neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="id3F530CC8"/>
|
|
<ServiceRef ref="tcp-SMTP"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="pf_classify_str"></Option>
|
|
<Option name="stateless">False</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<PolicyRule id="id484B0A3A4626" disabled="False" group="" log="False" position="1" action="Accept" direction="Outbound" comment="">
|
|
<Src neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="icmp-Unreachables"/>
|
|
<ServiceRef ref="icmp-ping_request"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="pf_classify_str"></Option>
|
|
<Option name="stateless">False</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<RuleSetOptions/>
|
|
</Policy>
|
|
<Policy id="id484B3D324626" name="web_server_outbound" comment="Basic rules for web servers. " ro="False" ipv4_rule_set="False" ipv6_rule_set="False" top_rule_set="False">
|
|
<PolicyRule id="id484B3D3F4626" disabled="False" group="" log="False" position="0" action="Accept" direction="Outbound" comment="">
|
|
<Src neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="icmp-Unreachables"/>
|
|
<ServiceRef ref="icmp-ping_request"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="pf_classify_str"></Option>
|
|
<Option name="stateless">False</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<PolicyRule id="id484B3D4C4626" disabled="False" group="" log="False" position="1" action="Accept" direction="Outbound" comment="">
|
|
<Src neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="id3F530CC8"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="pf_classify_str"></Option>
|
|
<Option name="stateless">False</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<RuleSetOptions/>
|
|
</Policy>
|
|
<Routing id="id4848A4314626" name="Routing" comment="" ro="False" ipv4_rule_set="False" ipv6_rule_set="False" top_rule_set="True">
|
|
<RuleSetOptions/>
|
|
</Routing>
|
|
<Interface id="id4848A4324626" dedicated_failover="False" dyn="False" label="" mgmt="False" security_level="0" unnum="False" unprotected="False" name="en0" comment="" ro="False">
|
|
<IPv4 id="id4848A4344626" name="firewall-base-rulesets:en0:ip" comment="" ro="False" address="33.33.33.33" netmask="255.255.255.0"/>
|
|
<InterfaceOptions/>
|
|
</Interface>
|
|
<Interface id="id4848A4354626" dedicated_failover="False" dyn="False" label="" mgmt="False" security_level="100" unnum="False" unprotected="False" name="en1" comment="" ro="False">
|
|
<IPv4 id="id4848A4374626" name="firewall-base-rulesets:en1:ip" comment="" ro="False" address="172.16.1.1" netmask="255.255.255.0"/>
|
|
<InterfaceOptions/>
|
|
</Interface>
|
|
<Interface id="id4848A4384626" dedicated_failover="False" dyn="False" label="" mgmt="True" security_level="100" unnum="False" unprotected="False" name="en2" comment="" ro="False">
|
|
<IPv4 id="id4848A43A4626" name="firewall-base-rulesets:en2:ip" comment="" ro="False" address="192.168.100.1" netmask="255.255.255.0"/>
|
|
<InterfaceOptions/>
|
|
</Interface>
|
|
<Management address="192.168.100.1">
|
|
<SNMPManagement enabled="False" snmp_read_community="" snmp_write_community=""/>
|
|
<FWBDManagement enabled="True" identity="" port="9999"/>
|
|
<PolicyInstallScript arguments="" command="" enabled="False"/>
|
|
</Management>
|
|
<FirewallOptions>
|
|
<Option name="accept_established">True</Option>
|
|
<Option name="accept_new_tcp_with_no_syn">True</Option>
|
|
<Option name="action_on_reject">ICMP host prohibited</Option>
|
|
<Option name="bridging_fw">False</Option>
|
|
<Option name="check_shading">True</Option>
|
|
<Option name="clamp_mss_to_mtu">False</Option>
|
|
<Option name="cmdline"></Option>
|
|
<Option name="compiler"></Option>
|
|
<Option name="configure_interfaces">True</Option>
|
|
<Option name="debug">False</Option>
|
|
<Option name="dyn_addr">False</Option>
|
|
<Option name="firewall_is_part_of_any_and_networks">True</Option>
|
|
<Option name="ignore_empty_groups">False</Option>
|
|
<Option name="limit_suffix">/day</Option>
|
|
<Option name="limit_value">0</Option>
|
|
<Option name="linux24_accept_redirects"></Option>
|
|
<Option name="linux24_accept_source_route"></Option>
|
|
<Option name="linux24_icmp_echo_ignore_all"></Option>
|
|
<Option name="linux24_icmp_echo_ignore_broadcasts"></Option>
|
|
<Option name="linux24_icmp_ignore_bogus_error_responses"></Option>
|
|
<Option name="linux24_ip_dynaddr"></Option>
|
|
<Option name="linux24_ip_forward"></Option>
|
|
<Option name="linux24_log_martians"></Option>
|
|
<Option name="linux24_path_ip"></Option>
|
|
<Option name="linux24_path_iptables"></Option>
|
|
<Option name="linux24_path_logger"></Option>
|
|
<Option name="linux24_path_lsmod"></Option>
|
|
<Option name="linux24_path_modprobe"></Option>
|
|
<Option name="linux24_rp_filter"></Option>
|
|
<Option name="linux24_tcp_ecn"></Option>
|
|
<Option name="linux24_tcp_fack"></Option>
|
|
<Option name="linux24_tcp_fin_timeout">30</Option>
|
|
<Option name="linux24_tcp_keepalive_interval">1800</Option>
|
|
<Option name="linux24_tcp_sack"></Option>
|
|
<Option name="linux24_tcp_syncookies"></Option>
|
|
<Option name="linux24_tcp_timestamps"></Option>
|
|
<Option name="linux24_tcp_window_scaling"></Option>
|
|
<Option name="load_modules">True</Option>
|
|
<Option name="local_nat">False</Option>
|
|
<Option name="log_all">False</Option>
|
|
<Option name="log_all_dropped">False</Option>
|
|
<Option name="log_ip_opt">False</Option>
|
|
<Option name="log_level">info</Option>
|
|
<Option name="log_prefix">RULE %N -- %A </Option>
|
|
<Option name="log_tcp_opt">False</Option>
|
|
<Option name="log_tcp_seq">False</Option>
|
|
<Option name="manage_virtual_addr">True</Option>
|
|
<Option name="no_optimisation">False</Option>
|
|
<Option name="script_env_path"></Option>
|
|
<Option name="snmp_contact"></Option>
|
|
<Option name="snmp_description"></Option>
|
|
<Option name="snmp_location"></Option>
|
|
<Option name="ulog_cprange">0</Option>
|
|
<Option name="ulog_nlgroup">1</Option>
|
|
<Option name="ulog_qthreshold">1</Option>
|
|
<Option name="use_ULOG">False</Option>
|
|
<Option name="use_numeric_log_levels">False</Option>
|
|
<Option name="verify_interfaces">False</Option>
|
|
</FirewallOptions>
|
|
</Firewall>
|
|
<Firewall id="id484A05C44626" host_OS="openbsd" inactive="False" lastCompiled="1188097218" lastInstalled="1142003872" lastModified="1212696679" platform="pf" version="" name="firewall51" comment="testing branching rules that point at rule sets defined in object firewall-base-rulesets" ro="False">
|
|
<NAT id="id484A06174626" name="NAT" comment="" ro="False" ipv4_rule_set="False" ipv6_rule_set="False" top_rule_set="True">
|
|
<RuleSetOptions/>
|
|
</NAT>
|
|
<Policy id="id484A05CA4626" name="Policy" comment="" ro="False" ipv4_rule_set="False" ipv6_rule_set="False" top_rule_set="True">
|
|
<PolicyRule id="id484A05CB4626" disabled="False" group="" log="False" position="0" action="Branch" direction="Both" comment="">
|
|
<Src neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="host-hostA"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="action_on_reject"></Option>
|
|
<Option name="branch_id">id48493B6E4626</Option>
|
|
<Option name="branch_name">rule0_branch</Option>
|
|
<Option name="classify_str"></Option>
|
|
<Option name="color">#8BC065</Option>
|
|
<Option name="custom_str"></Option>
|
|
<Option name="ipf_route_opt_addr"></Option>
|
|
<Option name="ipf_route_opt_if"></Option>
|
|
<Option name="ipf_route_option">route_through</Option>
|
|
<Option name="ipfw_classify_method">2</Option>
|
|
<Option name="ipfw_pipe_port_num">0</Option>
|
|
<Option name="ipfw_pipe_queue_num">0</Option>
|
|
<Option name="ipt_branch_in_mangle">False</Option>
|
|
<Option name="ipt_continue">False</Option>
|
|
<Option name="ipt_gw"></Option>
|
|
<Option name="ipt_iif"></Option>
|
|
<Option name="ipt_mark_connections">False</Option>
|
|
<Option name="ipt_oif"></Option>
|
|
<Option name="ipt_tee">False</Option>
|
|
<Option name="pf_classify_str"></Option>
|
|
<Option name="pf_fastroute">False</Option>
|
|
<Option name="pf_route_load_option">none</Option>
|
|
<Option name="pf_route_opt_addr"></Option>
|
|
<Option name="pf_route_opt_if"></Option>
|
|
<Option name="pf_route_option">route_through</Option>
|
|
<Option name="rule_name_accounting"></Option>
|
|
<Option name="stateless">True</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<PolicyRule id="id484B704C4626" disabled="False" group="" log="False" position="1" action="Branch" direction="Both" comment="">
|
|
<Src neg="False">
|
|
<ObjectRef ref="host-hostA"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="action_on_reject"></Option>
|
|
<Option name="branch_id">id484B0A134626</Option>
|
|
<Option name="branch_name">rule0_branch</Option>
|
|
<Option name="classify_str"></Option>
|
|
<Option name="color">#8BC065</Option>
|
|
<Option name="custom_str"></Option>
|
|
<Option name="ipf_route_opt_addr"></Option>
|
|
<Option name="ipf_route_opt_if"></Option>
|
|
<Option name="ipf_route_option">route_reply_through</Option>
|
|
<Option name="ipfw_classify_method">2</Option>
|
|
<Option name="ipfw_pipe_port_num">0</Option>
|
|
<Option name="ipfw_pipe_queue_num">0</Option>
|
|
<Option name="ipt_branch_in_mangle">False</Option>
|
|
<Option name="ipt_continue">False</Option>
|
|
<Option name="ipt_gw"></Option>
|
|
<Option name="ipt_iif"></Option>
|
|
<Option name="ipt_mark_connections">False</Option>
|
|
<Option name="ipt_oif"></Option>
|
|
<Option name="ipt_tee">False</Option>
|
|
<Option name="pf_classify_str"></Option>
|
|
<Option name="pf_fastroute">False</Option>
|
|
<Option name="pf_route_load_option">none</Option>
|
|
<Option name="pf_route_opt_addr"></Option>
|
|
<Option name="pf_route_opt_if"></Option>
|
|
<Option name="pf_route_option">route_reply_through</Option>
|
|
<Option name="rule_name_accounting"></Option>
|
|
<Option name="stateless">True</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<PolicyRule id="id484A05D84626" disabled="False" group="" log="False" position="2" action="Branch" direction="Both" comment="">
|
|
<Src neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="host-hostB"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="action_on_reject"></Option>
|
|
<Option name="branch_id">id4848A4414626</Option>
|
|
<Option name="branch_name">rule1_branch</Option>
|
|
<Option name="classify_str"></Option>
|
|
<Option name="color">#8BC065</Option>
|
|
<Option name="custom_str"></Option>
|
|
<Option name="ipf_route_opt_addr"></Option>
|
|
<Option name="ipf_route_opt_if"></Option>
|
|
<Option name="ipf_route_option">route_through</Option>
|
|
<Option name="ipfw_classify_method">2</Option>
|
|
<Option name="ipfw_pipe_port_num">0</Option>
|
|
<Option name="ipfw_pipe_queue_num">0</Option>
|
|
<Option name="ipt_branch_in_mangle">False</Option>
|
|
<Option name="ipt_continue">False</Option>
|
|
<Option name="ipt_gw"></Option>
|
|
<Option name="ipt_iif"></Option>
|
|
<Option name="ipt_mark_connections">False</Option>
|
|
<Option name="ipt_oif"></Option>
|
|
<Option name="ipt_tee">False</Option>
|
|
<Option name="pf_classify_str"></Option>
|
|
<Option name="pf_fastroute">False</Option>
|
|
<Option name="pf_route_load_option">none</Option>
|
|
<Option name="pf_route_opt_addr"></Option>
|
|
<Option name="pf_route_opt_if"></Option>
|
|
<Option name="pf_route_option">route_through</Option>
|
|
<Option name="rule_name_accounting"></Option>
|
|
<Option name="stateless">True</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<PolicyRule id="id484B705F4626" disabled="False" group="" log="False" position="3" action="Branch" direction="Both" comment="">
|
|
<Src neg="False">
|
|
<ObjectRef ref="host-hostB"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="action_on_reject"></Option>
|
|
<Option name="branch_id">id484B3D324626</Option>
|
|
<Option name="branch_name">rule1_branch</Option>
|
|
<Option name="classify_str"></Option>
|
|
<Option name="color">#8BC065</Option>
|
|
<Option name="custom_str"></Option>
|
|
<Option name="ipf_route_opt_addr"></Option>
|
|
<Option name="ipf_route_opt_if"></Option>
|
|
<Option name="ipf_route_option">route_reply_through</Option>
|
|
<Option name="ipfw_classify_method">2</Option>
|
|
<Option name="ipfw_pipe_port_num">0</Option>
|
|
<Option name="ipfw_pipe_queue_num">0</Option>
|
|
<Option name="ipt_branch_in_mangle">False</Option>
|
|
<Option name="ipt_continue">False</Option>
|
|
<Option name="ipt_gw"></Option>
|
|
<Option name="ipt_iif"></Option>
|
|
<Option name="ipt_mark_connections">False</Option>
|
|
<Option name="ipt_oif"></Option>
|
|
<Option name="ipt_tee">False</Option>
|
|
<Option name="pf_classify_str"></Option>
|
|
<Option name="pf_fastroute">False</Option>
|
|
<Option name="pf_route_load_option">none</Option>
|
|
<Option name="pf_route_opt_addr"></Option>
|
|
<Option name="pf_route_opt_if"></Option>
|
|
<Option name="pf_route_option">route_reply_through</Option>
|
|
<Option name="rule_name_accounting"></Option>
|
|
<Option name="stateless">True</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<PolicyRule id="id484A05E44626" disabled="False" group="" log="False" position="4" action="Branch" direction="Both" comment="">
|
|
<Src neg="False">
|
|
<ObjectRef ref="id3CEBFDFC"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="branch_name">rule2_branch</Option>
|
|
<Option name="color">#7694C0</Option>
|
|
<Option name="pf_classify_str"></Option>
|
|
<Option name="stateless">True</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<RuleSetOptions/>
|
|
</Policy>
|
|
<Policy id="id484A06094626" name="rule2_branch" comment="" ro="False" ipv4_rule_set="False" ipv6_rule_set="False" top_rule_set="False">
|
|
<PolicyRule id="id484A060A4626" disabled="False" group="" log="True" position="0" action="Deny" direction="Both" comment="">
|
|
<Src neg="True">
|
|
<ObjectRef ref="id3CEBFDFC"/>
|
|
<ObjectRef ref="id4733FFE419714"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="pf_classify_str"></Option>
|
|
<Option name="stateless">True</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<RuleSetOptions/>
|
|
</Policy>
|
|
<Routing id="id484A06184626" name="Routing" comment="" ro="False" ipv4_rule_set="False" ipv6_rule_set="False" top_rule_set="True">
|
|
<RuleSetOptions/>
|
|
</Routing>
|
|
<Interface id="id484A06194626" dedicated_failover="False" dyn="False" label="" mgmt="True" security_level="100" unnum="False" unprotected="False" name="en0" comment="" ro="False">
|
|
<IPv4 id="id484A061B4626" name="firewall51:en0:ip" comment="" ro="False" address="192.168.1.1" netmask="255.255.255.0"/>
|
|
<InterfaceOptions/>
|
|
</Interface>
|
|
<Interface id="id484A061C4626" dedicated_failover="False" dyn="False" label="" mgmt="False" security_level="0" unnum="False" unprotected="False" name="en1" comment="" ro="False">
|
|
<IPv4 id="id484A061E4626" name="firewall51:en1:ip" comment="" ro="False" address="22.22.22.22" netmask="255.255.255.0"/>
|
|
<InterfaceOptions/>
|
|
</Interface>
|
|
<Interface id="id484A061F4626" dedicated_failover="False" dyn="False" security_level="100" unnum="False" unprotected="False" name="lo" comment="" ro="False">
|
|
<IPv4 id="id484A06224626" name="firewall51:lo:ip1" comment="" ro="False" address="127.0.0.1" netmask="255.0.0.0"/>
|
|
<IPv4 id="id484A06234626" name="firewall51:lo:ip2" comment="" ro="False" address="192.168.1.1" netmask="255.255.255.0"/>
|
|
<InterfaceOptions/>
|
|
</Interface>
|
|
<Management address="0.0.0.0">
|
|
<SNMPManagement enabled="False" snmp_read_community="public" snmp_write_community=""/>
|
|
<FWBDManagement enabled="True" identity="" port="9999"/>
|
|
<PolicyInstallScript arguments="" command="" enabled="False"/>
|
|
</Management>
|
|
<FirewallOptions>
|
|
<Option name="accept_established">True</Option>
|
|
<Option name="accept_new_tcp_with_no_syn">True</Option>
|
|
<Option name="action_on_reject">ICMP net unreachable</Option>
|
|
<Option name="activationCmd"></Option>
|
|
<Option name="admUser"></Option>
|
|
<Option name="altAddress"></Option>
|
|
<Option name="bridging_fw">False</Option>
|
|
<Option name="check_shading">False</Option>
|
|
<Option name="clamp_mss_to_mtu">False</Option>
|
|
<Option name="classify_mark_terminating">False</Option>
|
|
<Option name="cmdline"></Option>
|
|
<Option name="compiler"></Option>
|
|
<Option name="configure_interfaces">False</Option>
|
|
<Option name="debug">False</Option>
|
|
<Option name="drop_invalid">False</Option>
|
|
<Option name="dyn_addr">False</Option>
|
|
<Option name="epilog_script"></Option>
|
|
<Option name="firewall_dir"></Option>
|
|
<Option name="firewall_is_part_of_any">True</Option>
|
|
<Option name="firewall_is_part_of_any_and_networks">True</Option>
|
|
<Option name="ignore_empty_groups">False</Option>
|
|
<Option name="inst_cmdline"></Option>
|
|
<Option name="inst_script"></Option>
|
|
<Option name="install_script"></Option>
|
|
<Option name="limit_suffix">/day</Option>
|
|
<Option name="limit_value">0</Option>
|
|
<Option name="linux24_accept_redirects"></Option>
|
|
<Option name="linux24_accept_source_route"></Option>
|
|
<Option name="linux24_icmp_echo_ignore_all"></Option>
|
|
<Option name="linux24_icmp_echo_ignore_broadcasts"></Option>
|
|
<Option name="linux24_icmp_ignore_bogus_error_responses"></Option>
|
|
<Option name="linux24_ip_dynaddr"></Option>
|
|
<Option name="linux24_ip_forward"></Option>
|
|
<Option name="linux24_log_martians"></Option>
|
|
<Option name="linux24_path_ip"></Option>
|
|
<Option name="linux24_path_iptables"></Option>
|
|
<Option name="linux24_path_logger"></Option>
|
|
<Option name="linux24_path_lsmod"></Option>
|
|
<Option name="linux24_path_modprobe"></Option>
|
|
<Option name="linux24_rp_filter"></Option>
|
|
<Option name="linux24_tcp_ecn"></Option>
|
|
<Option name="linux24_tcp_fack"></Option>
|
|
<Option name="linux24_tcp_fin_timeout">30</Option>
|
|
<Option name="linux24_tcp_keepalive_interval">1800</Option>
|
|
<Option name="linux24_tcp_sack"></Option>
|
|
<Option name="linux24_tcp_syncookies"></Option>
|
|
<Option name="linux24_tcp_timestamps"></Option>
|
|
<Option name="linux24_tcp_window_scaling"></Option>
|
|
<Option name="load_modules">False</Option>
|
|
<Option name="local_nat">False</Option>
|
|
<Option name="log_all">False</Option>
|
|
<Option name="log_all_dropped">False</Option>
|
|
<Option name="log_invalid">False</Option>
|
|
<Option name="log_ip_opt">False</Option>
|
|
<Option name="log_level">debug</Option>
|
|
<Option name="log_limit_suffix">/second</Option>
|
|
<Option name="log_limit_value">0</Option>
|
|
<Option name="log_prefix"></Option>
|
|
<Option name="log_tcp_opt">False</Option>
|
|
<Option name="log_tcp_seq">False</Option>
|
|
<Option name="manage_virtual_addr">False</Option>
|
|
<Option name="mgmt_addr"></Option>
|
|
<Option name="mgmt_ssh">False</Option>
|
|
<Option name="no_iochains_for_any">False</Option>
|
|
<Option name="no_ipv6_default_policy">False</Option>
|
|
<Option name="no_optimisation">False</Option>
|
|
<Option name="output_file"></Option>
|
|
<Option name="platform">iptables</Option>
|
|
<Option name="prolog_place">top</Option>
|
|
<Option name="prolog_script"></Option>
|
|
<Option name="proxy_arp">False</Option>
|
|
<Option name="script_env_path"></Option>
|
|
<Option name="snmp_contact"></Option>
|
|
<Option name="snmp_description"></Option>
|
|
<Option name="snmp_location"></Option>
|
|
<Option name="sshArgs"></Option>
|
|
<Option name="ulog_cprange">0</Option>
|
|
<Option name="ulog_nlgroup">1</Option>
|
|
<Option name="ulog_qthreshold">1</Option>
|
|
<Option name="use_ULOG">False</Option>
|
|
<Option name="use_ip_tool">False</Option>
|
|
<Option name="use_iptables_restore">False</Option>
|
|
<Option name="use_numeric_log_levels">False</Option>
|
|
<Option name="verify_interfaces">False</Option>
|
|
</FirewallOptions>
|
|
</Firewall>
|
|
<Firewall id="id4848F19020246" host_OS="openbsd" inactive="False" lastCompiled="1255054109" lastInstalled="0" lastModified="1305064357" platform="pf" version="4.0" name="firewall62" comment="Testing rules that use a UserService object. Note that iptables does not allow an iptables command that matches with the 'owner' module in any chain other than OUTPUT. This includes user-defined chains too: it checks how control passes to the user-defined chain and rejects the command if the chain appears to receive control from anywhere other than OUTPUT." ro="False">
|
|
<NAT id="id4848F1D320246" name="NAT" comment="" ro="False" ipv4_rule_set="False" ipv6_rule_set="False" top_rule_set="True">
|
|
<RuleSetOptions/>
|
|
</NAT>
|
|
<Policy id="id4848F19620246" name="Policy" comment="" ro="False" ipv4_rule_set="False" ipv6_rule_set="False" top_rule_set="True">
|
|
<PolicyRule id="id484A6C465896" disabled="False" group="" log="False" position="0" action="Accept" direction="Inbound" comment="Rule from FR 1948872; should generate 'pass in quick on en0 user proxy'.">
|
|
<Src neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="id484A6C525896"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="id4848F1D520246"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="pf_classify_str"></Option>
|
|
<Option name="stateless">False</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<PolicyRule id="id4848F19720246" disabled="False" group="" log="False" position="1" action="Accept" direction="Both" comment="">
|
|
<Src neg="False">
|
|
<ObjectRef ref="id4848F19020246"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="id4849253820246"/>
|
|
<ServiceRef ref="id484A558E5896"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="pf_classify_str"></Option>
|
|
<Option name="stateless">False</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<PolicyRule id="id484A55A15896" disabled="False" group="" log="False" position="2" action="Accept" direction="Both" comment="">
|
|
<Src neg="False">
|
|
<ObjectRef ref="id4848F19020246"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="id4849253820246"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="pf_classify_str"></Option>
|
|
<Option name="stateless">False</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<PolicyRule id="id484A8D2620246" disabled="False" group="" log="False" position="3" action="Accept" direction="Outbound" comment="">
|
|
<Src neg="False">
|
|
<ObjectRef ref="id4848F19020246"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="id4849253820246"/>
|
|
<ServiceRef ref="tcp-HTTP"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="pf_classify_str"></Option>
|
|
<Option name="stateless">False</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<PolicyRule id="id484A599620246" disabled="False" group="" log="False" position="4" action="Accept" direction="Both" comment="">
|
|
<Src neg="False">
|
|
<ObjectRef ref="id4848F19020246"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="id4849253820246"/>
|
|
<ServiceRef ref="tcp-HTTP"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="pf_classify_str"></Option>
|
|
<Option name="stateless">False</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<PolicyRule id="id484A8D3820246" disabled="False" group="" log="False" position="5" action="Accept" direction="Outbound" comment="">
|
|
<Src neg="False">
|
|
<ObjectRef ref="id4848F19020246"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="id4849253820246"/>
|
|
<ServiceRef ref="tcp-HTTP"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="pf_classify_str"></Option>
|
|
<Option name="stateless">False</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<PolicyRule id="id4848F1A320246" disabled="False" group="" log="False" position="6" action="Accept" direction="Both" comment="">
|
|
<Src neg="False">
|
|
<ObjectRef ref="id4848F1D520246"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="id4849253820246"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="pf_classify_str"></Option>
|
|
<Option name="stateless">False</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<PolicyRule id="id4848F1AF20246" disabled="False" group="" log="False" position="7" action="Accept" direction="Both" comment="">
|
|
<Src neg="False">
|
|
<ObjectRef ref="id3CEBFDFC"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="id4849253820246"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="pf_classify_str"></Option>
|
|
<Option name="stateless">False</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<PolicyRule id="id4848F1BB20246" disabled="False" group="" log="False" position="8" action="Accept" direction="Both" comment="">
|
|
<Src neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="id4848F19020246"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="id4849253820246"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="pf_classify_str"></Option>
|
|
<Option name="stateless">False</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<PolicyRule id="id484A558F5896" disabled="False" group="" log="False" position="9" action="Accept" direction="Both" comment="">
|
|
<Src neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="id4848F19020246"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="id4849253820246"/>
|
|
<ServiceRef ref="id484A558E5896"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="pf_classify_str"></Option>
|
|
<Option name="stateless">False</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<PolicyRule id="id484AF47A20246" disabled="False" group="" log="False" position="10" action="Accept" direction="Inbound" comment="">
|
|
<Src neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="id4848F19020246"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="id4849253820246"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="pf_classify_str"></Option>
|
|
<Option name="stateless">False</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<PolicyRule id="id484A261420246" disabled="False" group="" log="False" position="11" action="Accept" direction="Both" comment="">
|
|
<Src neg="True">
|
|
<ObjectRef ref="id3CEBFDFC"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="id4849253820246"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="pf_classify_str"></Option>
|
|
<Option name="stateless">False</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<PolicyRule id="id484A260320246" disabled="False" group="" log="False" position="12" action="Accept" direction="Both" comment="">
|
|
<Src neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Src>
|
|
<Dst neg="True">
|
|
<ObjectRef ref="id4848F19020246"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="id4849253820246"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="pf_classify_str"></Option>
|
|
<Option name="stateless">False</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<PolicyRule id="id4848F1C720246" disabled="False" group="" log="False" position="13" action="Deny" direction="Both" comment="">
|
|
<Src neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="pf_classify_str"></Option>
|
|
<Option name="stateless">True</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<RuleSetOptions/>
|
|
</Policy>
|
|
<Routing id="id4848F1D420246" name="Routing" comment="" ro="False" ipv4_rule_set="False" ipv6_rule_set="False" top_rule_set="True">
|
|
<RuleSetOptions/>
|
|
</Routing>
|
|
<Interface id="id4848F1D520246" dedicated_failover="False" dyn="False" label="" mgmt="True" security_level="100" unnum="False" unprotected="False" name="en0" comment="" ro="False">
|
|
<IPv4 id="id4848F1D720246" name="firewall62:en0:ip" comment="" ro="False" address="192.168.1.1" netmask="255.255.255.0"/>
|
|
<InterfaceOptions/>
|
|
</Interface>
|
|
<Interface id="id4848F1D820246" dedicated_failover="False" dyn="False" label="" mgmt="False" security_level="0" unnum="False" unprotected="False" name="en1" comment="" ro="False">
|
|
<IPv4 id="id4848F1DA20246" name="firewall62:en1:ip" comment="" ro="False" address="222.222.222.222" netmask="255.255.255.0"/>
|
|
<InterfaceOptions/>
|
|
</Interface>
|
|
<Management address="192.168.1.1">
|
|
<SNMPManagement enabled="False" snmp_read_community="" snmp_write_community=""/>
|
|
<FWBDManagement enabled="False" identity="" port="-1"/>
|
|
<PolicyInstallScript arguments="" command="" enabled="False"/>
|
|
</Management>
|
|
<FirewallOptions>
|
|
<Option name="accept_established">True</Option>
|
|
<Option name="accept_new_tcp_with_no_syn">True</Option>
|
|
<Option name="action_on_reject"></Option>
|
|
<Option name="activationCmd"></Option>
|
|
<Option name="add_check_state_rule">true</Option>
|
|
<Option name="admUser"></Option>
|
|
<Option name="altAddress"></Option>
|
|
<Option name="bridging_fw">False</Option>
|
|
<Option name="check_shading">True</Option>
|
|
<Option name="clamp_mss_to_mtu">False</Option>
|
|
<Option name="classify_mark_terminating">False</Option>
|
|
<Option name="cmdline">-xt</Option>
|
|
<Option name="compiler"></Option>
|
|
<Option name="conf_file_name_on_firewall"></Option>
|
|
<Option name="configure_carp_interfaces">False</Option>
|
|
<Option name="configure_interfaces">True</Option>
|
|
<Option name="configure_pfsync_interfaces">False</Option>
|
|
<Option name="configure_vlan_interfaces">False</Option>
|
|
<Option name="debug">False</Option>
|
|
<Option name="drop_invalid">False</Option>
|
|
<Option name="eliminate_duplicates">true</Option>
|
|
<Option name="enable_ipv6">False</Option>
|
|
<Option name="epilog_script"></Option>
|
|
<Option name="fallback_log">False</Option>
|
|
<Option name="firewall_dir">/etc</Option>
|
|
<Option name="firewall_is_part_of_any_and_networks">True</Option>
|
|
<Option name="freebsd_ip_forward">1</Option>
|
|
<Option name="ignore_empty_groups">False</Option>
|
|
<Option name="in_out_code">true</Option>
|
|
<Option name="iosacl_add_clear_statements">true</Option>
|
|
<Option name="iosacl_assume_fw_part_of_any">true</Option>
|
|
<Option name="iosacl_include_comments">true</Option>
|
|
<Option name="ipv4_6_order">ipv4_first</Option>
|
|
<Option name="limit_suffix"></Option>
|
|
<Option name="limit_value">0</Option>
|
|
<Option name="linux24_ip_forward">1</Option>
|
|
<Option name="load_modules">True</Option>
|
|
<Option name="local_nat">False</Option>
|
|
<Option name="log_all">False</Option>
|
|
<Option name="log_invalid">False</Option>
|
|
<Option name="log_ip_opt">False</Option>
|
|
<Option name="log_level">info</Option>
|
|
<Option name="log_prefix">RULE %N -- %A </Option>
|
|
<Option name="log_tcp_opt">False</Option>
|
|
<Option name="log_tcp_seq">False</Option>
|
|
<Option name="loopback_interface">lo0</Option>
|
|
<Option name="macosx_ip_forward">1</Option>
|
|
<Option name="manage_virtual_addr">True</Option>
|
|
<Option name="mgmt_addr"></Option>
|
|
<Option name="mgmt_ssh">False</Option>
|
|
<Option name="no_ipv6_default_policy">False</Option>
|
|
<Option name="openbsd_ip_forward">1</Option>
|
|
<Option name="output_file"></Option>
|
|
<Option name="pass_all_out">false</Option>
|
|
<Option name="pf_adaptive_end">0</Option>
|
|
<Option name="pf_adaptive_start">0</Option>
|
|
<Option name="pf_do_limit_frags">False</Option>
|
|
<Option name="pf_do_limit_src_nodes">False</Option>
|
|
<Option name="pf_do_limit_states">False</Option>
|
|
<Option name="pf_do_limit_table_entries">False</Option>
|
|
<Option name="pf_do_limit_tables">False</Option>
|
|
<Option name="pf_do_scrub">False</Option>
|
|
<Option name="pf_do_timeout_frag">False</Option>
|
|
<Option name="pf_do_timeout_interval">False</Option>
|
|
<Option name="pf_flush_states">True</Option>
|
|
<Option name="pf_icmp_error">0</Option>
|
|
<Option name="pf_icmp_first">0</Option>
|
|
<Option name="pf_limit_frags">5000</Option>
|
|
<Option name="pf_limit_src_nodes">0</Option>
|
|
<Option name="pf_limit_states">10000</Option>
|
|
<Option name="pf_limit_table_entries">0</Option>
|
|
<Option name="pf_limit_tables">0</Option>
|
|
<Option name="pf_modulate_state">False</Option>
|
|
<Option name="pf_optimization"></Option>
|
|
<Option name="pf_other_first">0</Option>
|
|
<Option name="pf_other_multiple">0</Option>
|
|
<Option name="pf_other_single">0</Option>
|
|
<Option name="pf_scrub_fragm_crop">False</Option>
|
|
<Option name="pf_scrub_fragm_drop_ovl">False</Option>
|
|
<Option name="pf_scrub_maxmss">1460</Option>
|
|
<Option name="pf_scrub_minttl">0</Option>
|
|
<Option name="pf_scrub_no_df">False</Option>
|
|
<Option name="pf_scrub_random_id">False</Option>
|
|
<Option name="pf_scrub_reassemble">True</Option>
|
|
<Option name="pf_scrub_use_maxmss">False</Option>
|
|
<Option name="pf_scrub_use_minttl">False</Option>
|
|
<Option name="pf_set_adaptive">False</Option>
|
|
<Option name="pf_set_icmp_error">False</Option>
|
|
<Option name="pf_set_icmp_first">False</Option>
|
|
<Option name="pf_set_other_first">False</Option>
|
|
<Option name="pf_set_other_multiple">False</Option>
|
|
<Option name="pf_set_other_single">False</Option>
|
|
<Option name="pf_set_tcp_closed">False</Option>
|
|
<Option name="pf_set_tcp_closing">False</Option>
|
|
<Option name="pf_set_tcp_established">False</Option>
|
|
<Option name="pf_set_tcp_finwait">False</Option>
|
|
<Option name="pf_set_tcp_first">False</Option>
|
|
<Option name="pf_set_tcp_opening">False</Option>
|
|
<Option name="pf_set_udp_first">False</Option>
|
|
<Option name="pf_set_udp_multiple">False</Option>
|
|
<Option name="pf_set_udp_single">False</Option>
|
|
<Option name="pf_tcp_closed">0</Option>
|
|
<Option name="pf_tcp_closing">0</Option>
|
|
<Option name="pf_tcp_established">0</Option>
|
|
<Option name="pf_tcp_finwait">0</Option>
|
|
<Option name="pf_tcp_first">0</Option>
|
|
<Option name="pf_tcp_opening">0</Option>
|
|
<Option name="pf_timeout_frag">30</Option>
|
|
<Option name="pf_timeout_interval">10</Option>
|
|
<Option name="pf_udp_first">0</Option>
|
|
<Option name="pf_udp_multiple">0</Option>
|
|
<Option name="pf_udp_single">0</Option>
|
|
<Option name="pix_add_clear_statements">true</Option>
|
|
<Option name="pix_assume_fw_part_of_any">true</Option>
|
|
<Option name="pix_default_logint">300</Option>
|
|
<Option name="pix_emblem_log_format">false</Option>
|
|
<Option name="pix_emulate_out_acl">true</Option>
|
|
<Option name="pix_floodguard">true</Option>
|
|
<Option name="pix_include_comments">true</Option>
|
|
<Option name="pix_route_dnat_supported">true</Option>
|
|
<Option name="pix_rule_syslog_settings">false</Option>
|
|
<Option name="pix_security_fragguard_supported">true</Option>
|
|
<Option name="pix_syslog_device_id_supported">false</Option>
|
|
<Option name="pix_use_acl_remarks">true</Option>
|
|
<Option name="prolog_place">fw_file</Option>
|
|
<Option name="prolog_script"></Option>
|
|
<Option name="prompt1">$ </Option>
|
|
<Option name="prompt2"> # </Option>
|
|
<Option name="scpArgs"></Option>
|
|
<Option name="script_name_on_firewall"></Option>
|
|
<Option name="solaris_ip_forward">1</Option>
|
|
<Option name="sshArgs"></Option>
|
|
<Option name="ulog_cprange">0</Option>
|
|
<Option name="ulog_nlgroup">1</Option>
|
|
<Option name="ulog_qthreshold">1</Option>
|
|
<Option name="use_ULOG">False</Option>
|
|
<Option name="use_iptables_restore">False</Option>
|
|
<Option name="use_numeric_log_levels">False</Option>
|
|
<Option name="verify_interfaces">True</Option>
|
|
</FirewallOptions>
|
|
</Firewall>
|
|
<Firewall id="id530B20443" host_OS="openbsd" inactive="False" lastCompiled="1215308098" lastInstalled="0" lastModified="1215308090" platform="pf" version="" name="firewall63" comment="Testing TOS (type of service) matching." ro="False">
|
|
<NAT id="id533820443" name="NAT" comment="" ro="False" ipv4_rule_set="False" ipv6_rule_set="False" top_rule_set="True">
|
|
<NATRule id="id533920443" disabled="True" group="" position="0" action="Translate" comment="">
|
|
<OSrc neg="False">
|
|
<ObjectRef ref="net-Internal_net"/>
|
|
</OSrc>
|
|
<ODst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ODst>
|
|
<OSrv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</OSrv>
|
|
<TSrc neg="False">
|
|
<ObjectRef ref="id530B20443"/>
|
|
</TSrc>
|
|
<TDst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</TDst>
|
|
<TSrv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</TSrv>
|
|
<ItfInb neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ItfInb>
|
|
<ItfOutb neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ItfOutb>
|
|
<NATRuleOptions/>
|
|
</NATRule>
|
|
<RuleSetOptions/>
|
|
</NAT>
|
|
<Policy id="id531120443" name="Policy" comment="" ro="False" ipv4_rule_set="False" ipv6_rule_set="False" top_rule_set="True">
|
|
<PolicyRule id="id531220443" disabled="False" group="" log="True" position="0" action="Deny" direction="Both" comment="">
|
|
<Src neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="id3C6820443"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="action_on_reject"></Option>
|
|
<Option name="limit_value">0</Option>
|
|
<Option name="log_limit_suffix"></Option>
|
|
<Option name="log_prefix"></Option>
|
|
<Option name="pf_classify_str"></Option>
|
|
<Option name="stateless">True</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<PolicyRule id="idDCDE20443" disabled="False" group="" log="True" position="1" action="Deny" direction="Both" comment="">
|
|
<Src neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="idC5F120443"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="action_on_reject"></Option>
|
|
<Option name="limit_value">0</Option>
|
|
<Option name="log_limit_suffix"></Option>
|
|
<Option name="log_prefix"></Option>
|
|
<Option name="pf_classify_str"></Option>
|
|
<Option name="stateless">True</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<PolicyRule id="idF3EB20443" disabled="False" group="" log="True" position="2" action="Deny" direction="Both" comment="">
|
|
<Src neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="idC5F120443"/>
|
|
<ServiceRef ref="id3C6820443"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="pf_classify_str"></Option>
|
|
<Option name="stateless">True</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<PolicyRule id="id531F20443" disabled="True" group="" log="True" position="3" action="Deny" direction="Both" comment="DSCP matching is not supported by pf; this rule is left disabled.">
|
|
<Src neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="id3C6920443"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="action_on_reject"></Option>
|
|
<Option name="limit_value">0</Option>
|
|
<Option name="log_limit_suffix"></Option>
|
|
<Option name="log_prefix"></Option>
|
|
<Option name="pf_classify_str"></Option>
|
|
<Option name="stateless">True</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<PolicyRule id="id532C20443" disabled="False" group="" log="True" position="4" action="Deny" direction="Both" comment="">
|
|
<Src neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="pf_classify_str"></Option>
|
|
<Option name="stateless">True</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<RuleSetOptions/>
|
|
</Policy>
|
|
<Routing id="id534720443" name="Routing" comment="" ro="False" ipv4_rule_set="False" ipv6_rule_set="False" top_rule_set="True">
|
|
<RuleSetOptions/>
|
|
</Routing>
|
|
<Interface id="id534820443" dedicated_failover="False" dyn="False" security_level="0" unnum="False" unprotected="False" name="eth1" comment="" ro="False">
|
|
<IPv4 id="id534A20443" name="firewall63:eth1:ip" comment="" ro="False" address="22.22.22.22" netmask="255.255.255.0"/>
|
|
<InterfaceOptions/>
|
|
</Interface>
|
|
<Interface id="id534B20443" dedicated_failover="False" dyn="False" security_level="100" unnum="False" unprotected="False" name="eth0" comment="" ro="False">
|
|
<IPv4 id="id534D20443" name="firewall63:eth0:ip" comment="" ro="False" address="192.168.1.1" netmask="255.255.255.0"/>
|
|
<InterfaceOptions/>
|
|
</Interface>
|
|
<Interface id="id534E20443" dedicated_failover="False" dyn="False" label="" mgmt="False" security_level="0" unnum="False" unprotected="False" name="lo" comment="" ro="False">
|
|
<IPv4 id="id535020443" name="firewall63:lo:ip" comment="" ro="False" address="127.0.0.1" netmask="255.0.0.0"/>
|
|
<InterfaceOptions/>
|
|
</Interface>
|
|
<Management address="127.0.0.1">
|
|
<SNMPManagement enabled="False" snmp_read_community="public" snmp_write_community=""/>
|
|
<FWBDManagement enabled="True" identity="" port="9999"/>
|
|
<PolicyInstallScript arguments="" command="" enabled="False"/>
|
|
</Management>
|
|
<FirewallOptions>
|
|
<Option name="accept_established">False</Option>
|
|
<Option name="accept_new_tcp_with_no_syn">False</Option>
|
|
<Option name="action_on_reject">ICMP net unreachable</Option>
|
|
<Option name="activationCmd"></Option>
|
|
<Option name="admUser"></Option>
|
|
<Option name="altAddress"></Option>
|
|
<Option name="check_shading">False</Option>
|
|
<Option name="clamp_mss_to_mtu">False</Option>
|
|
<Option name="cmdline"></Option>
|
|
<Option name="compiler"></Option>
|
|
<Option name="configure_interfaces">False</Option>
|
|
<Option name="debug">False</Option>
|
|
<Option name="dyn_addr">False</Option>
|
|
<Option name="enable_ipv6">False</Option>
|
|
<Option name="epilog_script"></Option>
|
|
<Option name="fallback_log">False</Option>
|
|
<Option name="firewall_dir"></Option>
|
|
<Option name="firewall_is_part_of_any">True</Option>
|
|
<Option name="firewall_is_part_of_any_and_networks">True</Option>
|
|
<Option name="ignore_empty_groups">True</Option>
|
|
<Option name="in_out_code">True</Option>
|
|
<Option name="inst_cmdline"></Option>
|
|
<Option name="inst_script"></Option>
|
|
<Option name="install_script"></Option>
|
|
<Option name="ipv4_6_order">ipv4_first</Option>
|
|
<Option name="limit_suffix">/second</Option>
|
|
<Option name="limit_value">0</Option>
|
|
<Option name="linux24_ip_forward">0</Option>
|
|
<Option name="linux24_tcp_fin_timeout">30</Option>
|
|
<Option name="linux24_tcp_keepalive_interval">1800</Option>
|
|
<Option name="load_modules">False</Option>
|
|
<Option name="log_all_dropped">True</Option>
|
|
<Option name="log_ip_opt">False</Option>
|
|
<Option name="log_level">debug</Option>
|
|
<Option name="log_limit_suffix">/second</Option>
|
|
<Option name="log_limit_value">0</Option>
|
|
<Option name="log_prefix"></Option>
|
|
<Option name="log_tcp_opt">False</Option>
|
|
<Option name="log_tcp_seq">False</Option>
|
|
<Option name="manage_virtual_addr">True</Option>
|
|
<Option name="mgmt_addr"></Option>
|
|
<Option name="mgmt_ssh">False</Option>
|
|
<Option name="modulate_state">True</Option>
|
|
<Option name="no_iochains_for_any">False</Option>
|
|
<Option name="no_optimisation">False</Option>
|
|
<Option name="openbsd_ip_directed_broadcast">0</Option>
|
|
<Option name="openbsd_ip_forward">1</Option>
|
|
<Option name="openbsd_ip_redirect">0</Option>
|
|
<Option name="openbsd_ip_sourceroute">0</Option>
|
|
<Option name="openbsd_path_pfctl"></Option>
|
|
<Option name="openbsd_path_sysctl"></Option>
|
|
<Option name="output_file"></Option>
|
|
<Option name="pass_all_out">False</Option>
|
|
<Option name="pf_adaptive_end">0</Option>
|
|
<Option name="pf_adaptive_start">0</Option>
|
|
<Option name="pf_do_limit_frags">False</Option>
|
|
<Option name="pf_do_limit_src_nodes">False</Option>
|
|
<Option name="pf_do_limit_states">False</Option>
|
|
<Option name="pf_do_limit_table_entries">False</Option>
|
|
<Option name="pf_do_limit_tables">False</Option>
|
|
<Option name="pf_do_scrub">False</Option>
|
|
<Option name="pf_do_timeout_frag">False</Option>
|
|
<Option name="pf_do_timeout_interval">False</Option>
|
|
<Option name="pf_icmp_error">0</Option>
|
|
<Option name="pf_icmp_first">0</Option>
|
|
<Option name="pf_limit_frags">5000</Option>
|
|
<Option name="pf_limit_src_nodes">0</Option>
|
|
<Option name="pf_limit_states">10000</Option>
|
|
<Option name="pf_limit_table_entries">0</Option>
|
|
<Option name="pf_limit_tables">0</Option>
|
|
<Option name="pf_optimization"></Option>
|
|
<Option name="pf_other_first">0</Option>
|
|
<Option name="pf_other_multiple">0</Option>
|
|
<Option name="pf_other_single">0</Option>
|
|
<Option name="pf_scrub_fragm_crop">False</Option>
|
|
<Option name="pf_scrub_fragm_drop_ovl">False</Option>
|
|
<Option name="pf_scrub_maxmss">1460</Option>
|
|
<Option name="pf_scrub_minttl">1</Option>
|
|
<Option name="pf_scrub_no_df">False</Option>
|
|
<Option name="pf_scrub_random_id">False</Option>
|
|
<Option name="pf_scrub_reassemble">True</Option>
|
|
<Option name="pf_scrub_use_maxmss">False</Option>
|
|
<Option name="pf_scrub_use_minttl">False</Option>
|
|
<Option name="pf_set_adaptive">False</Option>
|
|
<Option name="pf_set_icmp_error">False</Option>
|
|
<Option name="pf_set_icmp_first">False</Option>
|
|
<Option name="pf_set_other_first">False</Option>
|
|
<Option name="pf_set_other_multiple">False</Option>
|
|
<Option name="pf_set_other_single">False</Option>
|
|
<Option name="pf_set_tcp_closed">False</Option>
|
|
<Option name="pf_set_tcp_closing">False</Option>
|
|
<Option name="pf_set_tcp_established">False</Option>
|
|
<Option name="pf_set_tcp_finwait">False</Option>
|
|
<Option name="pf_set_tcp_first">False</Option>
|
|
<Option name="pf_set_tcp_opening">False</Option>
|
|
<Option name="pf_set_udp_first">False</Option>
|
|
<Option name="pf_set_udp_multiple">False</Option>
|
|
<Option name="pf_set_udp_single">False</Option>
|
|
<Option name="pf_tcp_closed">0</Option>
|
|
<Option name="pf_tcp_closing">0</Option>
|
|
<Option name="pf_tcp_established">0</Option>
|
|
<Option name="pf_tcp_finwait">0</Option>
|
|
<Option name="pf_tcp_first">0</Option>
|
|
<Option name="pf_tcp_opening">0</Option>
|
|
<Option name="pf_timeout_frag">30</Option>
|
|
<Option name="pf_timeout_interval">10</Option>
|
|
<Option name="pf_udp_first">0</Option>
|
|
<Option name="pf_udp_multiple">0</Option>
|
|
<Option name="pf_udp_single">0</Option>
|
|
<Option name="platform">iptables</Option>
|
|
<Option name="prolog_place">fw_file</Option>
|
|
<Option name="prolog_script"></Option>
|
|
<Option name="script_env_path"></Option>
|
|
<Option name="snmp_contact"></Option>
|
|
<Option name="snmp_description"></Option>
|
|
<Option name="snmp_location"></Option>
|
|
<Option name="sshArgs"></Option>
|
|
<Option name="use_numeric_log_levels">False</Option>
|
|
<Option name="use_tables">True</Option>
|
|
</FirewallOptions>
|
|
</Firewall>
|
|
<Firewall id="id14540X3490" host_OS="openbsd" inactive="False" lastCompiled="1226899264" lastInstalled="0" lastModified="1307151609" platform="pf" version="" name="firewall20" comment="Firewall using proxy ARP." ro="False">
|
|
<NAT id="id14569X3490" name="NAT" comment="" ro="False" ipv4_rule_set="False" ipv6_rule_set="False" top_rule_set="True">
|
|
<NATRule id="id32714X3490" disabled="False" group="" position="0" action="Translate" comment="">
|
|
<OSrc neg="False">
|
|
<ObjectRef ref="net-Internal_net"/>
|
|
</OSrc>
|
|
<ODst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ODst>
|
|
<OSrv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</OSrv>
|
|
<TSrc neg="False">
|
|
<ObjectRef ref="id14540X3490"/>
|
|
</TSrc>
|
|
<TDst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</TDst>
|
|
<TSrv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</TSrv>
|
|
<ItfInb neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ItfInb>
|
|
<ItfOutb neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ItfOutb>
|
|
<NATRuleOptions/>
|
|
</NATRule>
|
|
<NATRule id="id26641X3490" disabled="False" group="" position="1" action="Translate" comment="">
|
|
<OSrc neg="False">
|
|
<ObjectRef ref="net-Internal_net"/>
|
|
</OSrc>
|
|
<ODst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ODst>
|
|
<OSrv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</OSrv>
|
|
<TSrc neg="False">
|
|
<ObjectRef ref="id14577X3490"/>
|
|
</TSrc>
|
|
<TDst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</TDst>
|
|
<TSrv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</TSrv>
|
|
<ItfInb neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ItfInb>
|
|
<ItfOutb neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ItfOutb>
|
|
<NATRuleOptions/>
|
|
</NATRule>
|
|
<NATRule id="id32698X3490" disabled="False" group="" position="2" action="Translate" comment="">
|
|
<OSrc neg="False">
|
|
<ObjectRef ref="net-Internal_net"/>
|
|
</OSrc>
|
|
<ODst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ODst>
|
|
<OSrv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</OSrv>
|
|
<TSrc neg="False">
|
|
<ObjectRef ref="id14579X3490"/>
|
|
</TSrc>
|
|
<TDst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</TDst>
|
|
<TSrv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</TSrv>
|
|
<ItfInb neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ItfInb>
|
|
<ItfOutb neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ItfOutb>
|
|
<NATRuleOptions/>
|
|
</NATRule>
|
|
<NATRule id="id63096X3490" disabled="False" group="" position="3" action="Translate" comment="">
|
|
<OSrc neg="False">
|
|
<ObjectRef ref="net-Internal_net"/>
|
|
</OSrc>
|
|
<ODst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ODst>
|
|
<OSrv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</OSrv>
|
|
<TSrc neg="False">
|
|
<ObjectRef ref="id63095X3490"/>
|
|
</TSrc>
|
|
<TDst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</TDst>
|
|
<TSrv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</TSrv>
|
|
<ItfInb neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ItfInb>
|
|
<ItfOutb neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ItfOutb>
|
|
<NATRuleOptions/>
|
|
</NATRule>
|
|
<RuleSetOptions/>
|
|
</NAT>
|
|
<Policy id="id14546X3490" name="Policy" comment="" ro="False" ipv4_rule_set="False" ipv6_rule_set="False" top_rule_set="True">
|
|
<PolicyRule id="id14547X3490" disabled="False" group="" log="False" position="0" action="Accept" direction="Inbound" comment="">
|
|
<Src neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="id20598X3490"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="id14574X3490"/>
|
|
</Itf>
|
|
<PolicyRuleOptions>
|
|
<Option name="pf_classify_str"></Option>
|
|
<Option name="stateless">False</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<PolicyRule id="id20601X3490" disabled="False" group="" log="False" position="1" action="Accept" direction="Outbound" comment="">
|
|
<Src neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="id20598X3490"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="id14577X3490"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="pf_classify_str"></Option>
|
|
<Option name="stateless">False</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<!-- NOTE(review): final catch-all deny (Src, Dst, Srv and Itf are all the "Any" objects) with log="False"; log_all_dropped in this firewall's FirewallOptions is also False, so nothing this rule blocks is logged. A practitioner would normally set log="True" on the terminal deny so dropped traffic is visible in the pf log. -->
<PolicyRule id="id14557X3490" disabled="False" group="" log="False" position="2" action="Deny" direction="Both" comment="">
|
|
<Src neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="pf_classify_str"></Option>
|
|
<!-- stateless="True" is appropriate for a deny rule: no state entry is created for blocked traffic. -->
<Option name="stateless">True</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<RuleSetOptions/>
|
|
</Policy>
|
|
<Routing id="id14570X3490" name="Routing" comment="" ro="False" ipv4_rule_set="False" ipv6_rule_set="False" top_rule_set="True">
|
|
<RuleSetOptions/>
|
|
</Routing>
|
|
<Interface id="id14571X3490" dedicated_failover="False" dyn="False" label="" mgmt="False" security_level="100" unnum="False" unprotected="False" name="dc2" comment="" ro="False">
|
|
<IPv4 id="id14573X3490" name="firewall20:dc2:ip" comment="" ro="False" address="192.168.1.1" netmask="255.255.255.0"/>
|
|
<InterfaceOptions/>
|
|
</Interface>
|
|
<Interface id="id14574X3490" dedicated_failover="False" dyn="False" label="" mgmt="False" security_level="0" unnum="False" unprotected="False" name="dc0" comment="" ro="False">
|
|
<IPv4 id="id14576X3490" name="firewall20:dc0:ip" comment="" ro="False" address="10.1.1.1" netmask="255.255.255.0"/>
|
|
<IPv4 id="id63095X3490" name="firewall20:dc0:ip-1" comment="" ro="False" address="222.222.222.40" netmask="255.255.255.240"/>
|
|
<InterfaceOptions/>
|
|
</Interface>
|
|
<Interface id="id14577X3490" dedicated_failover="False" dyn="False" label="" mgmt="False" security_level="100" unnum="False" unprotected="False" name="dc1" comment="" ro="False">
|
|
<IPv4 id="id14579X3490" name="firewall20:dc1:ip" comment="" ro="False" address="222.222.222.20" netmask="255.255.255.240"/>
|
|
<InterfaceOptions/>
|
|
</Interface>
|
|
<Interface id="id14580X3490" dedicated_failover="False" dyn="False" security_level="100" unnum="False" unprotected="False" name="lo" comment="" ro="False">
|
|
<IPv4 id="id14582X3490" name="firewall20:lo:ip" comment="" ro="False" address="127.0.0.1" netmask="255.0.0.0"/>
|
|
<InterfaceOptions/>
|
|
</Interface>
|
|
<Management address="22.22.23.23">
|
|
<!-- NOTE(review): the SNMP read community is the well-known default "public". SNMP is disabled here (enabled="False"), but a default community string should not be carried even in an example object, since these files get copied into real deployments. -->
<SNMPManagement enabled="False" snmp_read_community="public" snmp_write_community=""/>
|
|
<!-- NOTE(review): fwbd remote management (presumably the legacy fwbd daemon) is enabled on port 9999 with an empty identity; confirm that is intentional for an example firewall. -->
<FWBDManagement enabled="True" identity="" port="9999"/>
|
|
<PolicyInstallScript arguments="" command="" enabled="False"/>
|
|
</Management>
|
|
<FirewallOptions>
|
|
<Option name="accept_established">True</Option>
|
|
<!-- NOTE(review): accept_new_tcp_with_no_syn is True; presumably this makes the generated pf rules create state on any TCP packet rather than only on the initial SYN (no "flags S/SA"), which weakens state tracking. Confirm this relaxation is intended for this example rather than inherited from defaults. -->
<Option name="accept_new_tcp_with_no_syn">True</Option>
|
|
<Option name="action_on_reject">ICMP net unreachable</Option>
|
|
<Option name="check_shading">True</Option>
|
|
<Option name="clamp_mss_to_mtu">False</Option>
|
|
<Option name="cmdline"></Option>
|
|
<Option name="compiler"></Option>
|
|
<Option name="configure_interfaces">False</Option>
|
|
<Option name="debug">False</Option>
|
|
<Option name="dyn_addr">False</Option>
|
|
<Option name="firewall_dir"></Option>
|
|
<Option name="firewall_is_part_of_any">True</Option>
|
|
<Option name="firewall_is_part_of_any_and_networks">True</Option>
|
|
<Option name="ignore_empty_groups">False</Option>
|
|
<Option name="in_out_code">True</Option>
|
|
<Option name="inst_cmdline"></Option>
|
|
<Option name="inst_script"></Option>
|
|
<Option name="install_script"></Option>
|
|
<Option name="limit_suffix">/day</Option>
|
|
<Option name="limit_value">0</Option>
|
|
<Option name="linux24_ip_forward">0</Option>
|
|
<Option name="linux24_tcp_fin_timeout">30</Option>
|
|
<Option name="linux24_tcp_keepalive_interval">1800</Option>
|
|
<Option name="load_modules">False</Option>
|
|
<Option name="log_all_dropped">False</Option>
|
|
<Option name="log_ip_opt">False</Option>
|
|
<Option name="log_level">debug</Option>
|
|
<Option name="log_limit_suffix">/second</Option>
|
|
<Option name="log_limit_value">0</Option>
|
|
<Option name="log_prefix"></Option>
|
|
<Option name="log_tcp_opt">False</Option>
|
|
<Option name="log_tcp_seq">False</Option>
|
|
<Option name="manage_virtual_addr">True</Option>
|
|
<Option name="modulate_state">False</Option>
|
|
<Option name="no_iochains_for_any">False</Option>
|
|
<Option name="no_optimisation">False</Option>
|
|
<Option name="openbsd_path_pfctl"></Option>
|
|
<Option name="openbsd_path_sysctl"></Option>
|
|
<Option name="pass_all_out">False</Option>
|
|
<Option name="pf_do_scrub">True</Option>
|
|
<Option name="pf_limit_frags">5000</Option>
|
|
<Option name="pf_limit_states">10000</Option>
|
|
<Option name="pf_optimization"></Option>
|
|
<Option name="pf_scrub_fragm_crop">False</Option>
|
|
<Option name="pf_scrub_fragm_drop_ovl">False</Option>
|
|
<Option name="pf_scrub_maxmss">1460</Option>
|
|
<Option name="pf_scrub_minttl">1</Option>
|
|
<Option name="pf_scrub_no_df">False</Option>
|
|
<Option name="pf_scrub_random_id">False</Option>
|
|
<Option name="pf_scrub_use_maxmss">False</Option>
|
|
<Option name="pf_scrub_use_minttl">False</Option>
|
|
<Option name="pf_timeout_frag">30</Option>
|
|
<Option name="pf_timeout_interval">10</Option>
|
|
<Option name="platform">iptables</Option>
|
|
<Option name="proxy_arp">False</Option>
|
|
<Option name="script_env_path"></Option>
|
|
<Option name="snmp_contact"></Option>
|
|
<Option name="snmp_description"></Option>
|
|
<Option name="snmp_location"></Option>
|
|
<Option name="use_ip_tool">False</Option>
|
|
<Option name="use_numeric_log_levels">False</Option>
|
|
<Option name="use_tables">True</Option>
|
|
</FirewallOptions>
|
|
</Firewall>
|
|
<Firewall id="id33881X22329" host_OS="freebsd" inactive="False" lastCompiled="1249840349" lastInstalled="0" lastModified="1249840343" platform="pf" version="" name="firewall-ipv6-2" comment="Combined ipv4/ipv6 policy ruleset" ro="False">
|
|
<NAT id="id34057X22329" name="NAT" comment="" ro="False" ipv4_rule_set="False" ipv6_rule_set="False" top_rule_set="True">
|
|
<RuleSetOptions/>
|
|
</NAT>
|
|
<Policy id="id33912X22329" name="Policy" comment="" ro="False" ipv4_rule_set="True" ipv6_rule_set="True" top_rule_set="True">
|
|
<PolicyRule id="id22170X16797" disabled="False" group="" log="False" position="0" action="Accept" direction="Both" comment="">
|
|
<Src neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="id34064X22329"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="pf_classify_str"></Option>
|
|
<Option name="stateless">False</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<PolicyRule id="id22153X16797" disabled="False" group="" log="False" position="1" action="Accept" direction="Both" comment="This rule shadows the next one (same destination and service; the next rule's source is presumably covered by this one's). Note that the -xt command-line flag is passed to the compiler (see the cmdline firewall option), presumably so that the detected shading does not abort compilation; confirm against the compiler's -x options.">
|
|
<Src neg="False">
|
|
<ObjectRef ref="id4834B9206131"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="id34059X22329"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="tcp-SSH"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="pf_classify_str"></Option>
|
|
<Option name="stateless">False</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<PolicyRule id="id22136X16797" disabled="False" group="" log="False" position="2" action="Accept" direction="Both" comment="">
|
|
<Src neg="False">
|
|
<ObjectRef ref="id48416A7216880"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="id34059X22329"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="tcp-SSH"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="pf_classify_str"></Option>
|
|
<Option name="stateless">False</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<PolicyRule id="id22119X16797" disabled="False" group="" log="True" position="3" action="Accept" direction="Both" comment="">
|
|
<Src neg="False">
|
|
<ObjectRef ref="id48416A7116880"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="id33881X22329"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="tcp-SSH"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="pf_classify_str"></Option>
|
|
<Option name="stateless">False</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<PolicyRule id="id22102X16797" disabled="False" group="" log="True" position="4" action="Accept" direction="Both" comment="">
|
|
<Src neg="False">
|
|
<ObjectRef ref="id4834A2238571"/>
|
|
<ObjectRef ref="id20598X3490"/>
|
|
<ObjectRef ref="id20599X3490"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="id34059X22329"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="tcp-SSH"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="pf_classify_str"></Option>
|
|
<Option name="stateless">False</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<PolicyRule id="id22085X16797" disabled="False" group="" log="True" position="5" action="Accept" direction="Both" comment="">
|
|
<Src neg="False">
|
|
<ObjectRef ref="id4834A2278571"/>
|
|
<ObjectRef ref="id4387287918346"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="id34059X22329"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="tcp-SSH"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="pf_classify_str"></Option>
|
|
<Option name="stateless">False</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<PolicyRule id="id22068X16797" disabled="False" group="" log="True" position="6" action="Accept" direction="Both" comment="">
|
|
<Src neg="False">
|
|
<ObjectRef ref="id4834A2238571"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="id33881X22329"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="tcp-SSH"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="pf_classify_str"></Option>
|
|
<Option name="stateless">False</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<PolicyRule id="id22051X16797" disabled="False" group="" log="True" position="7" action="Accept" direction="Both" comment="">
|
|
<Src neg="False">
|
|
<ObjectRef ref="id4834A2278571"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="id33881X22329"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="tcp-SSH"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="pf_classify_str"></Option>
|
|
<Option name="stateless">False</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<!-- NOTE(review): this rule accepts ANY source (sysid0), ANY service (sysid1), inbound, to the firewall itself (id33881X22329), i.e. unrestricted access to the firewall's own services. It is far broader than the SSH-only rules 1-7 above it and is logged; presumably deliberate in a test fixture, but it must not be copied into a production policy. -->
<PolicyRule id="id22034X16797" disabled="False" group="" log="True" position="8" action="Accept" direction="Inbound" comment="">
|
|
<Src neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="id33881X22329"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="pf_classify_str"></Option>
|
|
<Option name="stateless">False</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<PolicyRule id="id22017X16797" disabled="False" group="" log="True" position="9" action="Accept" direction="Both" comment="">
|
|
<Src neg="False">
|
|
<ObjectRef ref="id4834B9206131"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="pf_classify_str"></Option>
|
|
<Option name="stateless">False</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<PolicyRule id="id22000X16797" disabled="False" group="" log="True" position="10" action="Accept" direction="Both" comment="">
|
|
<Src neg="False">
|
|
<ObjectRef ref="id4834A2238571"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="pf_classify_str"></Option>
|
|
<Option name="stateless">False</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<PolicyRule id="id21983X16797" disabled="False" group="" log="True" position="11" action="Accept" direction="Both" comment="">
|
|
<Src neg="False">
|
|
<ObjectRef ref="id4834A2278571"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="pf_classify_str"></Option>
|
|
<Option name="stateless">False</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<PolicyRule id="id16929X60595" disabled="False" group="" log="False" position="12" action="Accept" direction="Both" comment="">
|
|
<Src neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="ipv6-icmp-ping_request"/>
|
|
<ServiceRef ref="icmp-ping_request"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="pf_classify_str"></Option>
|
|
<Option name="stateless">False</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<RuleSetOptions/>
|
|
</Policy>
|
|
<Routing id="id34058X22329" name="Routing" comment="" ro="False" ipv4_rule_set="False" ipv6_rule_set="False" top_rule_set="True">
|
|
<RuleSetOptions/>
|
|
</Routing>
|
|
<Interface id="id34059X22329" dedicated_failover="False" dyn="False" label="" security_level="50" unnum="False" unprotected="False" name="eth0" comment="" ro="False">
|
|
<IPv4 id="id34062X22329" name="firewall-ipv6-2:eth0:ip" comment="" ro="False" address="1.1.1.1" netmask="255.255.255.0"/>
|
|
<IPv6 id="id34063X22329" name="firewall-ipv6-2:eth0:ip6" comment="" ro="False" address="fe80::21d:9ff:fe8b:8e94" netmask="64"/>
|
|
<InterfaceOptions/>
|
|
</Interface>
|
|
<Interface id="id34064X22329" dedicated_failover="False" dyn="False" label="" mgmt="False" security_level="100" unnum="False" unprotected="False" name="lo" comment="" ro="False">
|
|
<IPv4 id="id34067X22329" name="firewall-ipv6-2:lo:ip" comment="" ro="False" address="127.0.0.1" netmask="255.0.0.0"/>
|
|
<IPv6 id="id34068X22329" name="firewall-ipv6-2:lo:ip6" comment="" ro="False" address="::1" netmask="128"/>
|
|
<InterfaceOptions/>
|
|
</Interface>
|
|
<Management address="1.1.1.1">
|
|
<SNMPManagement enabled="False" snmp_read_community="" snmp_write_community=""/>
|
|
<FWBDManagement enabled="False" identity="" port="-1"/>
|
|
<PolicyInstallScript arguments="" command="" enabled="False"/>
|
|
</Management>
|
|
<FirewallOptions>
|
|
<Option name="accept_established">True</Option>
|
|
<Option name="accept_new_tcp_with_no_syn">True</Option>
|
|
<Option name="action_on_reject"></Option>
|
|
<Option name="activationCmd"></Option>
|
|
<Option name="add_check_state_rule">true</Option>
|
|
<Option name="admUser"></Option>
|
|
<Option name="altAddress"></Option>
|
|
<Option name="bridging_fw">False</Option>
|
|
<Option name="check_shading">True</Option>
|
|
<Option name="clamp_mss_to_mtu">False</Option>
|
|
<Option name="classify_mark_terminating">False</Option>
|
|
<Option name="cmdline">-xt</Option>
|
|
<Option name="compiler"></Option>
|
|
<Option name="conf_file_name_on_firewall">pf.conf</Option>
|
|
<Option name="configure_carp_interfaces">False</Option>
|
|
<Option name="configure_interfaces">True</Option>
|
|
<Option name="configure_pfsync_interfaces">False</Option>
|
|
<Option name="configure_vlan_interfaces">False</Option>
|
|
<Option name="debug">False</Option>
|
|
<Option name="drop_invalid">False</Option>
|
|
<Option name="eliminate_duplicates">true</Option>
|
|
<Option name="enable_ipv6">True</Option>
|
|
<Option name="epilog_script"></Option>
|
|
<Option name="fallback_log">False</Option>
|
|
<Option name="firewall_dir">/etc</Option>
|
|
<Option name="firewall_is_part_of_any_and_networks">True</Option>
|
|
<Option name="freebsd_ip_forward">1</Option>
|
|
<Option name="freebsd_ip_redirect"></Option>
|
|
<Option name="freebsd_ip_sourceroute"></Option>
|
|
<Option name="freebsd_ipv6_forward">1</Option>
|
|
<Option name="freebsd_path_ipf"></Option>
|
|
<Option name="freebsd_path_ipfw"></Option>
|
|
<Option name="freebsd_path_ipnat"></Option>
|
|
<Option name="freebsd_path_sysctl"></Option>
|
|
<Option name="generate_shell_script">True</Option>
|
|
<Option name="ignore_empty_groups">False</Option>
|
|
<Option name="in_out_code">True</Option>
|
|
<Option name="iosacl_add_clear_statements">true</Option>
|
|
<Option name="iosacl_assume_fw_part_of_any">true</Option>
|
|
<Option name="iosacl_include_comments">true</Option>
|
|
<Option name="ipt_mangle_only_rulesets"></Option>
|
|
<Option name="ipv4_6_order">ipv4_first</Option>
|
|
<Option name="limit_suffix"></Option>
|
|
<Option name="limit_value">0</Option>
|
|
<Option name="linux24_ip_forward">1</Option>
|
|
<Option name="load_modules">True</Option>
|
|
<Option name="local_nat">False</Option>
|
|
<Option name="log_all">False</Option>
|
|
<Option name="log_invalid">False</Option>
|
|
<Option name="log_ip_opt">False</Option>
|
|
<Option name="log_level">info</Option>
|
|
<Option name="log_prefix">RULE %N -- %A </Option>
|
|
<Option name="log_tcp_opt">False</Option>
|
|
<Option name="log_tcp_seq">False</Option>
|
|
<Option name="loopback_interface">lo0</Option>
|
|
<Option name="macosx_ip_forward">1</Option>
|
|
<Option name="manage_virtual_addr">True</Option>
|
|
<Option name="mgmt_addr"></Option>
|
|
<Option name="mgmt_ssh">False</Option>
|
|
<Option name="modulate_state">False</Option>
|
|
<Option name="no_ipv6_default_policy">False</Option>
|
|
<Option name="openbsd_ip_directed_broadcast"></Option>
|
|
<Option name="openbsd_ip_forward">1</Option>
|
|
<Option name="openbsd_ip_redirect"></Option>
|
|
<Option name="openbsd_ip_sourceroute"></Option>
|
|
<Option name="openbsd_ipv6_forward">1</Option>
|
|
<Option name="openbsd_path_pfctl"></Option>
|
|
<Option name="openbsd_path_sysctl"></Option>
|
|
<Option name="output_file"></Option>
|
|
<Option name="pass_all_out">False</Option>
|
|
<Option name="pf_adaptive_end">0</Option>
|
|
<Option name="pf_adaptive_start">0</Option>
|
|
<Option name="pf_do_limit_frags">False</Option>
|
|
<Option name="pf_do_limit_src_nodes">False</Option>
|
|
<Option name="pf_do_limit_states">False</Option>
|
|
<Option name="pf_do_limit_table_entries">False</Option>
|
|
<Option name="pf_do_limit_tables">False</Option>
|
|
<Option name="pf_do_scrub">False</Option>
|
|
<Option name="pf_do_timeout_frag">False</Option>
|
|
<Option name="pf_do_timeout_interval">False</Option>
|
|
<Option name="pf_flush_states">False</Option>
|
|
<Option name="pf_icmp_error">0</Option>
|
|
<Option name="pf_icmp_first">0</Option>
|
|
<Option name="pf_limit_frags">5000</Option>
|
|
<Option name="pf_limit_src_nodes">0</Option>
|
|
<Option name="pf_limit_states">10000</Option>
|
|
<Option name="pf_limit_table_entries">0</Option>
|
|
<Option name="pf_limit_tables">0</Option>
|
|
<Option name="pf_optimization"></Option>
|
|
<Option name="pf_other_first">0</Option>
|
|
<Option name="pf_other_multiple">0</Option>
|
|
<Option name="pf_other_single">0</Option>
|
|
<Option name="pf_scrub_fragm_crop">False</Option>
|
|
<Option name="pf_scrub_fragm_drop_ovl">False</Option>
|
|
<Option name="pf_scrub_maxmss">1460</Option>
|
|
<Option name="pf_scrub_minttl">0</Option>
|
|
<Option name="pf_scrub_no_df">False</Option>
|
|
<Option name="pf_scrub_random_id">False</Option>
|
|
<Option name="pf_scrub_reassemble">True</Option>
|
|
<Option name="pf_scrub_use_maxmss">False</Option>
|
|
<Option name="pf_scrub_use_minttl">False</Option>
|
|
<Option name="pf_set_adaptive">False</Option>
|
|
<Option name="pf_set_icmp_error">False</Option>
|
|
<Option name="pf_set_icmp_first">False</Option>
|
|
<Option name="pf_set_other_first">False</Option>
|
|
<Option name="pf_set_other_multiple">False</Option>
|
|
<Option name="pf_set_other_single">False</Option>
|
|
<Option name="pf_set_tcp_closed">False</Option>
|
|
<Option name="pf_set_tcp_closing">False</Option>
|
|
<Option name="pf_set_tcp_established">False</Option>
|
|
<Option name="pf_set_tcp_finwait">False</Option>
|
|
<Option name="pf_set_tcp_first">False</Option>
|
|
<Option name="pf_set_tcp_opening">False</Option>
|
|
<Option name="pf_set_udp_first">False</Option>
|
|
<Option name="pf_set_udp_multiple">False</Option>
|
|
<Option name="pf_set_udp_single">False</Option>
|
|
<Option name="pf_tcp_closed">0</Option>
|
|
<Option name="pf_tcp_closing">0</Option>
|
|
<Option name="pf_tcp_established">0</Option>
|
|
<Option name="pf_tcp_finwait">0</Option>
|
|
<Option name="pf_tcp_first">0</Option>
|
|
<Option name="pf_tcp_opening">0</Option>
|
|
<Option name="pf_timeout_frag">30</Option>
|
|
<Option name="pf_timeout_interval">10</Option>
|
|
<Option name="pf_udp_first">0</Option>
|
|
<Option name="pf_udp_multiple">0</Option>
|
|
<Option name="pf_udp_single">0</Option>
|
|
<Option name="pix_add_clear_statements">true</Option>
|
|
<Option name="pix_assume_fw_part_of_any">true</Option>
|
|
<Option name="pix_default_logint">300</Option>
|
|
<Option name="pix_emblem_log_format">false</Option>
|
|
<Option name="pix_emulate_out_acl">true</Option>
|
|
<Option name="pix_floodguard">true</Option>
|
|
<Option name="pix_include_comments">true</Option>
|
|
<Option name="pix_route_dnat_supported">true</Option>
|
|
<Option name="pix_rule_syslog_settings">false</Option>
|
|
<Option name="pix_security_fragguard_supported">true</Option>
|
|
<Option name="pix_syslog_device_id_supported">false</Option>
|
|
<Option name="pix_use_acl_remarks">true</Option>
|
|
<Option name="prolog_place">fw_file</Option>
|
|
<Option name="prolog_script"></Option>
|
|
<Option name="prompt1">$ </Option>
|
|
<Option name="prompt2"> # </Option>
|
|
<Option name="scpArgs"></Option>
|
|
<Option name="script_name_on_firewall">pf.fw</Option>
|
|
<Option name="solaris_ip_forward">1</Option>
|
|
<Option name="sshArgs"></Option>
|
|
<Option name="ulog_cprange">0</Option>
|
|
<Option name="ulog_nlgroup">1</Option>
|
|
<Option name="ulog_qthreshold">1</Option>
|
|
<Option name="use_ULOG">False</Option>
|
|
<Option name="use_iptables_restore">False</Option>
|
|
<Option name="use_numeric_log_levels">False</Option>
|
|
<Option name="verify_interfaces">True</Option>
|
|
</FirewallOptions>
|
|
</Firewall>
|
|
<Firewall id="id16377X32012" host_OS="openbsd" inactive="False" lastCompiled="1239317855" lastInstalled="0" lastModified="1242337567" platform="pf" version="" name="firewall11" comment="Example to illustrate access to the firewall limited to only a few source addresses. Since in PF the firewall is always part of &quot;any&quot;, a rule has to be added explicitly to block ssh to the firewall from all other sources (rule 1 here denies all services to the firewall, not only ssh)." ro="False">
|
|
<NAT id="id16456X32012" name="NAT" comment="" ro="False" ipv4_rule_set="False" ipv6_rule_set="False" top_rule_set="True">
|
|
<RuleSetOptions/>
|
|
</NAT>
|
|
<Policy id="id16383X32012" name="Policy" comment="" ro="False" ipv4_rule_set="False" ipv6_rule_set="False" top_rule_set="True">
|
|
<PolicyRule id="id16601X32012" disabled="False" group="" log="False" position="0" action="Accept" direction="Both" comment="">
|
|
<Src neg="False">
|
|
<ObjectRef ref="id3B4572AF"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="id16377X32012"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="tcp-SSH"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="pf_classify_str"></Option>
|
|
<Option name="stateless">False</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<PolicyRule id="id57898X32012" disabled="False" group="" log="False" position="1" action="Deny" direction="Both" comment="">
|
|
<Src neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="id16377X32012"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="pf_classify_str"></Option>
|
|
<Option name="stateless">True</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<PolicyRule id="id23480X32012" disabled="False" group="" log="False" position="2" action="Accept" direction="Both" comment="">
|
|
<Src neg="False">
|
|
<ObjectRef ref="id3BBC0EFC"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="pf_classify_str"></Option>
|
|
<Option name="stateless">False</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<PolicyRule id="id16444X32012" disabled="False" group="" log="False" position="3" action="Deny" direction="Both" comment="">
|
|
<Src neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="pf_classify_str"></Option>
|
|
<Option name="stateless">True</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<RuleSetOptions/>
|
|
</Policy>
|
|
<Routing id="id16583X32012" name="Routing" comment="" ro="False" ipv4_rule_set="False" ipv6_rule_set="False" top_rule_set="True">
|
|
<RuleSetOptions/>
|
|
</Routing>
|
|
<Interface id="id16584X32012" dedicated_failover="False" dyn="False" label="" mgmt="False" security_level="0" unnum="False" unprotected="False" name="en1" comment="" ro="False">
|
|
<IPv4 id="id16588X32012" name="firewall11:en1:ip" comment="" ro="False" address="33.33.33.33" netmask="255.255.255.0"/>
|
|
<InterfaceOptions/>
|
|
</Interface>
|
|
<Interface id="id16589X32012" dedicated_failover="False" dyn="False" label="" mgmt="False" security_level="100" unnum="False" unprotected="False" name="en0" comment="" ro="False">
|
|
<IPv4 id="id16591X32012" name="firewall11:en0:ip" comment="" ro="False" address="192.168.1.1" netmask="255.255.255.0"/>
|
|
<InterfaceOptions/>
|
|
</Interface>
|
|
<Interface id="id16592X32012" dedicated_failover="False" dyn="False" label="" mgmt="False" security_level="100" unnum="False" unprotected="False" name="lo0" comment="" ro="False">
|
|
<IPv4 id="id16594X32012" name="firewall11:lo0:ip" comment="" ro="False" address="127.0.0.1" netmask="255.0.0.0"/>
|
|
<InterfaceOptions/>
|
|
</Interface>
|
|
<Interface id="id16595X32012" dedicated_failover="False" dyn="True" label="" mgmt="False" security_level="0" unnum="False" unprotected="False" name="ppp0" comment="" ro="False">
|
|
<InterfaceOptions/>
|
|
</Interface>
|
|
<Management address="0.0.0.0">
|
|
<SNMPManagement enabled="False" snmp_read_community="" snmp_write_community=""/>
|
|
<FWBDManagement enabled="True" identity="" port="9999"/>
|
|
<PolicyInstallScript arguments="" command="" enabled="False"/>
|
|
</Management>
|
|
<FirewallOptions>
|
|
<Option name="check_shading">False</Option>
|
|
<Option name="cmdline"></Option>
|
|
<Option name="compiler"></Option>
|
|
<Option name="configure_interfaces">False</Option>
|
|
<Option name="debug">False</Option>
|
|
<Option name="firewall_dir">/etc</Option>
|
|
<Option name="ignore_empty_groups">False</Option>
|
|
<Option name="in_out_code">True</Option>
|
|
<Option name="log_prefix"></Option>
|
|
<Option name="manage_virtual_addr">False</Option>
|
|
<Option name="modulate_state">False</Option>
|
|
<Option name="no_optimisation">False</Option>
|
|
<Option name="openbsd_ip_forward">1</Option>
|
|
<Option name="openbsd_path_pfctl">/usr/sbin/pfctl</Option>
|
|
<Option name="openbsd_path_sysctl">/usr/sbin/sysctl</Option>
|
|
<Option name="pass_all_out">False</Option>
|
|
<Option name="pf_do_scrub">True</Option>
|
|
<Option name="pf_limit_frags">5000</Option>
|
|
<Option name="pf_limit_states">10000</Option>
|
|
<Option name="pf_optimization"></Option>
|
|
<Option name="pf_scrub_fragm_crop">False</Option>
|
|
<Option name="pf_scrub_fragm_drop_ovl">False</Option>
|
|
<Option name="pf_scrub_maxmss">1460</Option>
|
|
<Option name="pf_scrub_minttl">1</Option>
|
|
<Option name="pf_scrub_no_df">False</Option>
|
|
<Option name="pf_scrub_random_id">False</Option>
|
|
<Option name="pf_scrub_use_maxmss">False</Option>
|
|
<Option name="pf_scrub_use_minttl">False</Option>
|
|
<Option name="pf_timeout_frag">30</Option>
|
|
<Option name="pf_timeout_interval">10</Option>
|
|
<Option name="snmp_contact"></Option>
|
|
<Option name="snmp_description"></Option>
|
|
<Option name="snmp_location"></Option>
|
|
<Option name="use_tables">True</Option>
|
|
</FirewallOptions>
|
|
</Firewall>
|
|
<Firewall id="id78969X23273" host_OS="openbsd" inactive="False" lastCompiled="1244584306" lastInstalled="1142003872" lastModified="1305064312" platform="pf" version="4.0" name="firewall12" comment="This firewall does not do NAT for addresses, but translates port for a server " ro="False">
|
|
<NAT id="id79033X23273" name="NAT" comment="" ro="False" ipv4_rule_set="False" ipv6_rule_set="False" top_rule_set="True">
|
|
<NATRule id="id79034X23273" disabled="True" group="" position="0" action="Translate" comment="">
|
|
<OSrc neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</OSrc>
|
|
<ODst neg="False">
|
|
<ObjectRef ref="id3AFADBF9"/>
|
|
</ODst>
|
|
<OSrv neg="False">
|
|
<ServiceRef ref="tcp-HTTP"/>
|
|
</OSrv>
|
|
<TSrc neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</TSrc>
|
|
<TDst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</TDst>
|
|
<TSrv neg="False">
|
|
<ServiceRef ref="id78996X23273"/>
|
|
</TSrv>
|
|
<ItfInb neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ItfInb>
|
|
<ItfOutb neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ItfOutb>
|
|
<NATRuleOptions/>
|
|
</NATRule>
|
|
<NATRule id="id79067X23273" disabled="True" group="" position="1" action="Translate" comment="">
|
|
<OSrc neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</OSrc>
|
|
<ODst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ODst>
|
|
<OSrv neg="False">
|
|
<ServiceRef ref="tcp-HTTP"/>
|
|
</OSrv>
|
|
<TSrc neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</TSrc>
|
|
<TDst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</TDst>
|
|
<TSrv neg="False">
|
|
<ServiceRef ref="id78996X23273"/>
|
|
</TSrv>
|
|
<ItfInb neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ItfInb>
|
|
<ItfOutb neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ItfOutb>
|
|
<NATRuleOptions/>
|
|
</NATRule>
|
|
<NATRule id="id79099X23273" disabled="True" group="" position="2" action="Translate" comment="">
|
|
<OSrc neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</OSrc>
|
|
<ODst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ODst>
|
|
<OSrv neg="False">
|
|
<ServiceRef ref="tcp-HTTP"/>
|
|
</OSrv>
|
|
<TSrc neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</TSrc>
|
|
<TDst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</TDst>
|
|
<TSrv neg="False">
|
|
<ServiceRef ref="id78996X23273"/>
|
|
</TSrv>
|
|
<ItfInb neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ItfInb>
|
|
<ItfOutb neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ItfOutb>
|
|
<NATRuleOptions/>
|
|
</NATRule>
|
|
<NATRule id="id79131X23273" disabled="True" group="" position="3" action="Translate" comment="">
|
|
<OSrc neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</OSrc>
|
|
<ODst neg="False">
|
|
<ObjectRef ref="id78969X23273"/>
|
|
</ODst>
|
|
<OSrv neg="False">
|
|
<ServiceRef ref="tcp-HTTP"/>
|
|
</OSrv>
|
|
<TSrc neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</TSrc>
|
|
<TDst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</TDst>
|
|
<TSrv neg="False">
|
|
<ServiceRef ref="id78996X23273"/>
|
|
</TSrv>
|
|
<ItfInb neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ItfInb>
|
|
<ItfOutb neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ItfOutb>
|
|
<NATRuleOptions/>
|
|
</NATRule>
|
|
<NATRule id="id79164X23273" disabled="False" group="" position="4" action="Translate" comment="">
|
|
<OSrc neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</OSrc>
|
|
<ODst neg="False">
|
|
<ObjectRef ref="id78969X23273"/>
|
|
</ODst>
|
|
<OSrv neg="False">
|
|
<ServiceRef ref="tcp-HTTP"/>
|
|
</OSrv>
|
|
<TSrc neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</TSrc>
|
|
<TDst neg="False">
|
|
<ObjectRef ref="id78969X23273"/>
|
|
</TDst>
|
|
<TSrv neg="False">
|
|
<ServiceRef ref="id78996X23273"/>
|
|
</TSrv>
|
|
<ItfInb neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ItfInb>
|
|
<ItfOutb neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ItfOutb>
|
|
<NATRuleOptions/>
|
|
</NATRule>
|
|
<NATRule id="id79197X23273" disabled="True" group="" position="5" action="Translate" comment="">
|
|
<OSrc neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</OSrc>
|
|
<ODst neg="False">
|
|
<ObjectRef ref="id78969X23273"/>
|
|
</ODst>
|
|
<OSrv neg="False">
|
|
<ServiceRef ref="tcp-HTTP"/>
|
|
</OSrv>
|
|
<TSrc neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</TSrc>
|
|
<TDst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</TDst>
|
|
<TSrv neg="False">
|
|
<ServiceRef ref="id78996X23273"/>
|
|
</TSrv>
|
|
<ItfInb neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ItfInb>
|
|
<ItfOutb neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ItfOutb>
|
|
<NATRuleOptions/>
|
|
</NATRule>
|
|
<NATRule id="id79229X23273" disabled="True" group="" position="6" action="Translate" comment="">
|
|
<OSrc neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</OSrc>
|
|
<ODst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ODst>
|
|
<OSrv neg="False">
|
|
<ServiceRef ref="tcp-HTTP"/>
|
|
</OSrv>
|
|
<TSrc neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</TSrc>
|
|
<TDst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</TDst>
|
|
<TSrv neg="False">
|
|
<ServiceRef ref="id78996X23273"/>
|
|
</TSrv>
|
|
<ItfInb neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ItfInb>
|
|
<ItfOutb neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ItfOutb>
|
|
<NATRuleOptions/>
|
|
</NATRule>
|
|
<NATRule id="id79295X23273" disabled="False" group="" position="7" action="Translate" comment="">
|
|
<OSrc neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</OSrc>
|
|
<ODst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ODst>
|
|
<OSrv neg="False">
|
|
<ServiceRef ref="id78911X23273"/>
|
|
</OSrv>
|
|
<TSrc neg="False">
|
|
<ObjectRef ref="id78969X23273"/>
|
|
</TSrc>
|
|
<TDst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</TDst>
|
|
<TSrv neg="False">
|
|
<ServiceRef ref="id78921X23273"/>
|
|
</TSrv>
|
|
<ItfInb neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ItfInb>
|
|
<ItfOutb neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ItfOutb>
|
|
<NATRuleOptions/>
|
|
</NATRule>
|
|
<NATRule id="id79328X23273" disabled="True" group="" position="8" action="Translate" comment="port-only translation">
|
|
<OSrc neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</OSrc>
|
|
<ODst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ODst>
|
|
<OSrv neg="False">
|
|
<ServiceRef ref="tcp-HTTP"/>
|
|
</OSrv>
|
|
<TSrc neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</TSrc>
|
|
<TDst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</TDst>
|
|
<TSrv neg="False">
|
|
<ServiceRef ref="id78996X23273"/>
|
|
</TSrv>
|
|
<ItfInb neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ItfInb>
|
|
<ItfOutb neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ItfOutb>
|
|
<NATRuleOptions/>
|
|
</NATRule>
|
|
<NATRule id="id79361X23273" disabled="False" group="" position="9" action="Translate" comment="">
|
|
<OSrc neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</OSrc>
|
|
<ODst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ODst>
|
|
<OSrv neg="False">
|
|
<ServiceRef ref="tcp-HTTP"/>
|
|
</OSrv>
|
|
<TSrc neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</TSrc>
|
|
<TDst neg="False">
|
|
<ObjectRef ref="id78969X23273"/>
|
|
</TDst>
|
|
<TSrv neg="False">
|
|
<ServiceRef ref="id78996X23273"/>
|
|
</TSrv>
|
|
<ItfInb neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ItfInb>
|
|
<ItfOutb neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ItfOutb>
|
|
<NATRuleOptions/>
|
|
</NATRule>
|
|
<NATRule id="id79394X23273" disabled="False" group="" position="10" action="Translate" comment="SDNAT ">
|
|
<OSrc neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</OSrc>
|
|
<ODst neg="False">
|
|
<ObjectRef ref="id78969X23273"/>
|
|
</ODst>
|
|
<OSrv neg="False">
|
|
<ServiceRef ref="id79496X23273"/>
|
|
</OSrv>
|
|
<TSrc neg="False">
|
|
<ObjectRef ref="id78969X23273"/>
|
|
</TSrc>
|
|
<TDst neg="False">
|
|
<ObjectRef ref="id80198X23273"/>
|
|
</TDst>
|
|
<TSrv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</TSrv>
|
|
<ItfInb neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ItfInb>
|
|
<ItfOutb neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ItfOutb>
|
|
<NATRuleOptions/>
|
|
</NATRule>
|
|
<NATRule id="id80398X23273" disabled="False" group="" position="11" action="Translate" comment="SDNAT with source port">
|
|
<OSrc neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</OSrc>
|
|
<ODst neg="False">
|
|
<ObjectRef ref="id78969X23273"/>
|
|
</ODst>
|
|
<OSrv neg="False">
|
|
<ServiceRef ref="id80122X23273"/>
|
|
</OSrv>
|
|
<TSrc neg="False">
|
|
<ObjectRef ref="id78969X23273"/>
|
|
</TSrc>
|
|
<TDst neg="False">
|
|
<ObjectRef ref="id80198X23273"/>
|
|
</TDst>
|
|
<TSrv neg="False">
|
|
<ServiceRef ref="id80132X23273"/>
|
|
</TSrv>
|
|
<ItfInb neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ItfInb>
|
|
<ItfOutb neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ItfOutb>
|
|
<NATRuleOptions/>
|
|
</NATRule>
|
|
<NATRule id="id80431X23273" disabled="False" group="" position="12" action="Translate" comment="SDNAT with dest port">
|
|
<OSrc neg="False">
|
|
<ObjectRef ref="id3DC75CE7-1"/>
|
|
</OSrc>
|
|
<ODst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ODst>
|
|
<OSrv neg="False">
|
|
<ServiceRef ref="id80157X23273"/>
|
|
</OSrv>
|
|
<TSrc neg="False">
|
|
<ObjectRef ref="id78969X23273"/>
|
|
</TSrc>
|
|
<TDst neg="False">
|
|
<ObjectRef ref="id80198X23273"/>
|
|
</TDst>
|
|
<TSrv neg="False">
|
|
<ServiceRef ref="id80167X23273"/>
|
|
</TSrv>
|
|
<ItfInb neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ItfInb>
|
|
<ItfOutb neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ItfOutb>
|
|
<NATRuleOptions/>
|
|
</NATRule>
|
|
<NATRule id="id80464X23273" disabled="False" group="" position="13" action="Translate" comment="SDNAT translate src and dst addresses and src and dst ports">
|
|
<OSrc neg="False">
|
|
<ObjectRef ref="id3DC75CE7-1"/>
|
|
</OSrc>
|
|
<ODst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ODst>
|
|
<OSrv neg="False">
|
|
<ServiceRef ref="id80292X23273"/>
|
|
</OSrv>
|
|
<TSrc neg="False">
|
|
<ObjectRef ref="id78969X23273"/>
|
|
</TSrc>
|
|
<TDst neg="False">
|
|
<ObjectRef ref="id80198X23273"/>
|
|
</TDst>
|
|
<TSrv neg="False">
|
|
<ServiceRef ref="id80302X23273"/>
|
|
</TSrv>
|
|
<ItfInb neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ItfInb>
|
|
<ItfOutb neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ItfOutb>
|
|
<NATRuleOptions/>
|
|
</NATRule>
|
|
<NATRule id="id80497X23273" disabled="False" group="" position="14" action="Translate" comment="Matches destination port, translates source port">
|
|
<OSrc neg="False">
|
|
<ObjectRef ref="id3DC75CE7-1"/>
|
|
</OSrc>
|
|
<ODst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ODst>
|
|
<OSrv neg="False">
|
|
<ServiceRef ref="id80157X23273"/>
|
|
</OSrv>
|
|
<TSrc neg="False">
|
|
<ObjectRef ref="id78969X23273"/>
|
|
</TSrc>
|
|
<TDst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</TDst>
|
|
<TSrv neg="False">
|
|
<ServiceRef ref="id80132X23273"/>
|
|
</TSrv>
|
|
<ItfInb neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ItfInb>
|
|
<ItfOutb neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ItfOutb>
|
|
<NATRuleOptions/>
|
|
</NATRule>
|
|
<NATRule id="id80530X23273" disabled="True" group="" position="15" action="Translate" comment="invalid rule">
|
|
<OSrc neg="False">
|
|
<ObjectRef ref="id3DC75CE7-1"/>
|
|
</OSrc>
|
|
<ODst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ODst>
|
|
<OSrv neg="False">
|
|
<ServiceRef ref="id79496X23273"/>
|
|
</OSrv>
|
|
<TSrc neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</TSrc>
|
|
<TDst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</TDst>
|
|
<TSrv neg="False">
|
|
<ServiceRef ref="id80132X23273"/>
|
|
</TSrv>
|
|
<ItfInb neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ItfInb>
|
|
<ItfOutb neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ItfOutb>
|
|
<NATRuleOptions/>
|
|
</NATRule>
|
|
<RuleSetOptions/>
|
|
</NAT>
|
|
<Policy id="id78975X23273" name="Policy" comment="" ro="False" ipv4_rule_set="False" ipv6_rule_set="False" top_rule_set="True">
|
|
<PolicyRule id="id78976X23273" disabled="False" group="" log="False" position="0" action="Accept" direction="Both" comment="">
|
|
<Src neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="id3AFADBF9"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="id78996X23273"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="pf_classify_str"></Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<PolicyRule id="id79005X23273" disabled="False" group="" log="True" position="1" action="Deny" direction="Both" comment="">
|
|
<Src neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="pf_classify_str"></Option>
|
|
<Option name="stateless">True</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<RuleSetOptions/>
|
|
</Policy>
|
|
<Routing id="id80563X23273" name="Routing" comment="" ro="False" ipv4_rule_set="False" ipv6_rule_set="False" top_rule_set="True">
|
|
<RuleSetOptions/>
|
|
</Routing>
|
|
<Interface id="id80564X23273" dedicated_failover="False" dyn="False" label="" mgmt="True" security_level="100" unnum="False" unprotected="False" name="en0" comment="" ro="False">
|
|
<IPv4 id="id80565X23273" name="firewall12:en0:ip" comment="" ro="False" address="22.22.22.22" netmask="255.255.255.0"/>
|
|
<InterfaceOptions/>
|
|
</Interface>
|
|
<Interface id="id80566X23273" dedicated_failover="False" dyn="False" label="" mgmt="False" security_level="0" unnum="False" unprotected="False" name="en1" comment="" ro="False">
|
|
<IPv4 id="id80567X23273" name="firewall12:en1:ip" comment="" ro="False" address="22.22.23.22" netmask="255.255.255.0"/>
|
|
<InterfaceOptions/>
|
|
</Interface>
|
|
<Interface id="id176032X23273" dedicated_failover="False" dyn="False" label="" mgmt="False" security_level="100" unnum="False" unprotected="False" name="lo0" comment="" ro="False">
|
|
<IPv4 id="id176033X23273" name="firewall12:lo0:ip" comment="" ro="False" address="127.0.0.1" netmask="255.0.0.0"/>
|
|
<InterfaceOptions/>
|
|
</Interface>
|
|
<Management address="22.22.22.22">
|
|
<SNMPManagement enabled="False" snmp_read_community="" snmp_write_community=""/>
|
|
<FWBDManagement enabled="True" identity="" port="9999"/>
|
|
<PolicyInstallScript arguments="" command="" enabled="False"/>
|
|
</Management>
|
|
<FirewallOptions>
|
|
<Option name="accept_established">True</Option>
|
|
<Option name="accept_new_tcp_with_no_syn">True</Option>
|
|
<Option name="action_on_reject">ICMP host prohibited</Option>
|
|
<Option name="bridging_fw">False</Option>
|
|
<Option name="check_shading">False</Option>
|
|
<Option name="clamp_mss_to_mtu">False</Option>
|
|
<Option name="cmdline"></Option>
|
|
<Option name="compiler"></Option>
|
|
<Option name="configure_interfaces">True</Option>
|
|
<Option name="debug">False</Option>
|
|
<Option name="firewall_is_part_of_any_and_networks">True</Option>
|
|
<Option name="ignore_empty_groups">False</Option>
|
|
<Option name="limit_suffix"></Option>
|
|
<Option name="limit_value">0</Option>
|
|
<Option name="linux24_accept_redirects"></Option>
|
|
<Option name="linux24_accept_source_route"></Option>
|
|
<Option name="linux24_icmp_echo_ignore_all"></Option>
|
|
<Option name="linux24_icmp_echo_ignore_broadcasts"></Option>
|
|
<Option name="linux24_icmp_ignore_bogus_error_responses"></Option>
|
|
<Option name="linux24_ip_dynaddr"></Option>
|
|
<Option name="linux24_ip_forward"></Option>
|
|
<Option name="linux24_log_martians"></Option>
|
|
<Option name="linux24_path_ip"></Option>
|
|
<Option name="linux24_path_iptables"></Option>
|
|
<Option name="linux24_path_logger"></Option>
|
|
<Option name="linux24_path_lsmod"></Option>
|
|
<Option name="linux24_path_modprobe"></Option>
|
|
<Option name="linux24_rp_filter"></Option>
|
|
<Option name="linux24_tcp_ecn"></Option>
|
|
<Option name="linux24_tcp_fack"></Option>
|
|
<Option name="linux24_tcp_fin_timeout">30</Option>
|
|
<Option name="linux24_tcp_keepalive_interval">1800</Option>
|
|
<Option name="linux24_tcp_sack"></Option>
|
|
<Option name="linux24_tcp_syncookies"></Option>
|
|
<Option name="linux24_tcp_timestamps"></Option>
|
|
<Option name="linux24_tcp_window_scaling"></Option>
|
|
<Option name="load_modules">True</Option>
|
|
<Option name="local_nat">False</Option>
|
|
<Option name="log_all">False</Option>
|
|
<Option name="log_all_dropped">False</Option>
|
|
<Option name="log_ip_opt">False</Option>
|
|
<Option name="log_level">info</Option>
|
|
<Option name="log_prefix">RULE %N -- %A </Option>
|
|
<Option name="log_tcp_opt">False</Option>
|
|
<Option name="log_tcp_seq">False</Option>
|
|
<Option name="manage_virtual_addr">True</Option>
|
|
<Option name="no_optimisation">False</Option>
|
|
<Option name="snmp_contact"></Option>
|
|
<Option name="snmp_description"></Option>
|
|
<Option name="snmp_location"></Option>
|
|
<Option name="ulog_cprange">0</Option>
|
|
<Option name="ulog_nlgroup">1</Option>
|
|
<Option name="ulog_qthreshold">1</Option>
|
|
<Option name="use_ULOG">False</Option>
|
|
<Option name="use_numeric_log_levels">False</Option>
|
|
<Option name="verify_interfaces">False</Option>
|
|
</FirewallOptions>
|
|
</Firewall>
|
|
<Firewall id="id79438X23273" host_OS="ios" inactive="False" lastCompiled="1221357477" lastInstalled="1223233524" lastModified="1243804646" platform="iosacl" version="12.1" name="c3620" comment="ff" ro="False">
|
|
<NAT id="id79872X23273" name="NAT" comment="" ro="False" ipv4_rule_set="False" ipv6_rule_set="False" top_rule_set="True">
|
|
<RuleSetOptions/>
|
|
</NAT>
|
|
<Policy id="id79444X23273" name="Policy" comment="" ro="False" ipv4_rule_set="False" ipv6_rule_set="False" top_rule_set="True">
|
|
<PolicyRule id="id79445X23273" disabled="False" group="" log="False" position="0" action="Deny" direction="Inbound" comment="Imported from e1_0_acl_in ">
|
|
<Src neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="id79465X23273"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="pf_classify_str"></Option>
|
|
<Option name="stateless">True</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<PolicyRule id="id79474X23273" disabled="False" group="" log="True" position="1" action="Accept" direction="Inbound" comment="Imported from e1_0_acl_in ">
|
|
<Src neg="False">
|
|
<ObjectRef ref="id79488X23273"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="id79492X23273"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="id79496X23273"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="pf_classify_str"></Option>
|
|
<Option name="stateless">True</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<PolicyRule id="id79505X23273" disabled="False" group="" log="True" position="2" action="Accept" direction="Inbound" comment="Imported from e1_0_acl_in ">
|
|
<Src neg="False">
|
|
<ObjectRef ref="id79488X23273"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="id79522X23273"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="id79496X23273"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="pf_classify_str"></Option>
|
|
<Option name="stateless">True</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<PolicyRule id="id79534X23273" disabled="False" group="" log="True" position="3" action="Accept" direction="Inbound" comment="Imported from e1_0_acl_in ">
|
|
<Src neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="id79551X23273"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="pf_classify_str"></Option>
|
|
<Option name="stateless">True</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<PolicyRule id="id79563X23273" disabled="False" group="" log="True" position="4" action="Deny" direction="Inbound" comment="Imported from e1_0_acl_in ">
|
|
<Src neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="color">#8BC065</Option>
|
|
<Option name="pf_classify_str"></Option>
|
|
<Option name="stateless">True</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<PolicyRule id="id79591X23273" disabled="False" group="" log="True" position="5" action="Accept" direction="Outbound" comment="Imported from e1_0_acl_out ">
|
|
<Src neg="False">
|
|
<ObjectRef ref="id79551X23273"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="color">#C08B5A</Option>
|
|
<Option name="pf_classify_str"></Option>
|
|
<Option name="stateless">True</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<PolicyRule id="id79619X23273" disabled="False" group="" log="True" position="6" action="Deny" direction="Outbound" comment="Imported from e1_0_acl_out ">
|
|
<Src neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="color"></Option>
|
|
<Option name="pf_classify_str"></Option>
|
|
<Option name="stateless">True</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<PolicyRule id="id79647X23273" disabled="False" group="" log="True" position="7" action="Accept" direction="Inbound" comment="Imported from fe0_0_acl_in ">
|
|
<Src neg="False">
|
|
<ObjectRef ref="id79488X23273"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="id79492X23273"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="id79496X23273"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="color"></Option>
|
|
<Option name="pf_classify_str"></Option>
|
|
<Option name="stateless">True</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<PolicyRule id="id79675X23273" disabled="False" group="" log="True" position="8" action="Accept" direction="Inbound" comment="Imported from fe0_0_acl_in ">
|
|
<Src neg="False">
|
|
<ObjectRef ref="id79488X23273"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="id79522X23273"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="id79496X23273"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="color"></Option>
|
|
<Option name="pf_classify_str"></Option>
|
|
<Option name="stateless">True</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<PolicyRule id="id79703X23273" disabled="False" group="" log="True" position="9" action="Accept" direction="Inbound" comment="Imported from fe0_0_acl_in ">
|
|
<Src neg="False">
|
|
<ObjectRef ref="id79551X23273"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="color"></Option>
|
|
<Option name="pf_classify_str"></Option>
|
|
<Option name="stateless">True</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<PolicyRule id="id79731X23273" disabled="False" group="" log="True" position="10" action="Deny" direction="Inbound" comment="Imported from fe0_0_acl_in ">
|
|
<Src neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="color"></Option>
|
|
<Option name="pf_classify_str"></Option>
|
|
<Option name="stateless">True</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<PolicyRule id="id79759X23273" disabled="False" group="" log="True" position="11" action="Accept" direction="Outbound" comment="Imported from fe0_0_acl_out ">
|
|
<Src neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="id79551X23273"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="color"></Option>
|
|
<Option name="pf_classify_str"></Option>
|
|
<Option name="stateless">True</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<PolicyRule id="id79787X23273" disabled="False" group="" log="True" position="12" action="Deny" direction="Outbound" comment="Imported from fe0_0_acl_out ">
|
|
<Src neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="color"></Option>
|
|
<Option name="pf_classify_str"></Option>
|
|
<Option name="stateless">True</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<RuleSetOptions/>
|
|
</Policy>
|
|
<Policy id="id79815X23273" name="ipv6_rules" comment="" ro="False" ipv4_rule_set="False" ipv6_rule_set="True" top_rule_set="True">
|
|
<PolicyRule id="id79816X23273" disabled="False" group="" log="False" position="0" action="Accept" direction="Inbound" comment="">
|
|
<Src neg="False">
|
|
<ObjectRef ref="id79830X23273"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="pf_classify_str"></Option>
|
|
<Option name="stateless">False</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<RuleSetOptions/>
|
|
</Policy>
|
|
<Policy id="id79845X23273" name="extra_acl" comment="" ro="False" ipv4_rule_set="False" ipv6_rule_set="False" top_rule_set="False">
|
|
<PolicyRule id="id79846X23273" disabled="False" group="" log="True" position="0" action="Deny" direction="Both" comment="">
|
|
<Src neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="pf_classify_str"></Option>
|
|
<Option name="stateless">True</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<RuleSetOptions/>
|
|
</Policy>
|
|
<Routing id="id79873X23273" name="Routing" comment="" ro="False" ipv4_rule_set="False" ipv6_rule_set="False" top_rule_set="True">
|
|
<RuleSetOptions/>
|
|
</Routing>
|
|
<Interface id="id79874X23273" dedicated_failover="False" dyn="False" security_level="0" unnum="False" unprotected="False" name="FastEthernet0/0" comment="" ro="False">
|
|
<IPv4 id="id79875X23273" name="c3620:FastEthernet0/0:ip1" comment="" ro="False" address="192.168.100.100" netmask="255.255.255.0"/>
|
|
<IPv4 id="id79876X23273" name="c3620:FastEthernet0/0:ip2" comment="" ro="False" address="10.3.14.201" netmask="255.255.255.0"/>
|
|
<IPv6 id="id79877X23273" name="c3620:FastEthernet0/0:ipv6" comment="" ro="False" address="fe80::21d:9ff:fe8b:8e94" netmask="64"/>
|
|
<InterfaceOptions/>
|
|
</Interface>
|
|
<Interface id="id79878X23273" dedicated_failover="False" dyn="False" security_level="0" unnum="False" unprotected="False" name="Ethernet1/0" comment="" ro="False">
|
|
<IPv4 id="id79879X23273" name="c3620:Ethernet1/0:ip" comment="" ro="False" address="192.168.171.2" netmask="255.255.255.0"/>
|
|
<InterfaceOptions/>
|
|
</Interface>
|
|
<Interface id="id79880X23273" dedicated_failover="False" dyn="False" security_level="0" unnum="True" unprotected="False" name="Serial1/0" comment="" ro="False">
|
|
<InterfaceOptions/>
|
|
</Interface>
|
|
<Interface id="id79881X23273" dedicated_failover="False" dyn="False" security_level="0" unnum="True" unprotected="False" name="Ethernet1/1" comment="" ro="False">
|
|
<InterfaceOptions/>
|
|
</Interface>
|
|
<Interface id="id79882X23273" dedicated_failover="False" dyn="False" label="" mgmt="False" security_level="0" unnum="False" unprotected="False" name="Serial1/1" comment="" ro="False">
|
|
<IPv4 id="id79883X23273" name="c3620:Serial1/1:ip" comment="" ro="False" address="3.3.3.3" netmask="255.255.255.0"/>
|
|
<InterfaceOptions/>
|
|
</Interface>
|
|
<Management address="192.168.100.100">
|
|
<SNMPManagement enabled="False" snmp_read_community="" snmp_write_community=""/>
|
|
<FWBDManagement enabled="False" identity="" port="-1"/>
|
|
<PolicyInstallScript arguments="" command="" enabled="False"/>
|
|
</Management>
|
|
<FirewallOptions>
|
|
<Option name="accept_established">true</Option>
|
|
<Option name="accept_new_tcp_with_no_syn">true</Option>
|
|
<Option name="add_check_state_rule">true</Option>
|
|
<Option name="admUser"></Option>
|
|
<Option name="altAddress"></Option>
|
|
<Option name="check_shading">True</Option>
|
|
<Option name="configure_interfaces">true</Option>
|
|
<Option name="eliminate_duplicates">true</Option>
|
|
<Option name="enable_ipv6">True</Option>
|
|
<Option name="firewall_dir">/etc</Option>
|
|
<Option name="firewall_is_part_of_any_and_networks">true</Option>
|
|
<Option name="freebsd_ip_forward">1</Option>
|
|
<Option name="ignore_empty_groups">False</Option>
|
|
<Option name="in_out_code">true</Option>
|
|
<Option name="iosacl_acl_basic">True</Option>
|
|
<Option name="iosacl_acl_no_clear">False</Option>
|
|
<Option name="iosacl_acl_substitution">False</Option>
|
|
<Option name="iosacl_acl_temp_addr"></Option>
|
|
<Option name="iosacl_add_clear_statements">true</Option>
|
|
<Option name="iosacl_assume_fw_part_of_any">true</Option>
|
|
<Option name="iosacl_epilog_script"></Option>
|
|
<Option name="iosacl_include_comments">True</Option>
|
|
<Option name="iosacl_logging_buffered">False</Option>
|
|
<Option name="iosacl_logging_buffered_level">0</Option>
|
|
<Option name="iosacl_logging_console">False</Option>
|
|
<Option name="iosacl_logging_console_level">0</Option>
|
|
<Option name="iosacl_logging_timestamp">False</Option>
|
|
<Option name="iosacl_logging_trap_level">0</Option>
|
|
<Option name="iosacl_prolog_script"></Option>
|
|
<Option name="iosacl_regroup_commands">False</Option>
|
|
<Option name="iosacl_syslog_facility"></Option>
|
|
<Option name="iosacl_syslog_host"></Option>
|
|
<Option name="ipt_mangle_only_rulesets"></Option>
|
|
<Option name="ipv4_6_order">ipv4_first</Option>
|
|
<Option name="limit_value">0</Option>
|
|
<Option name="linux24_ip_forward">1</Option>
|
|
<Option name="load_modules">true</Option>
|
|
<Option name="local_nat">false</Option>
|
|
<Option name="log_level">info</Option>
|
|
<Option name="log_prefix">RULE %N -- %A </Option>
|
|
<Option name="loopback_interface">lo0</Option>
|
|
<Option name="macosx_ip_forward">1</Option>
|
|
<Option name="manage_virtual_addr">true</Option>
|
|
<Option name="mgmt_addr"></Option>
|
|
<Option name="mgmt_ssh">False</Option>
|
|
<Option name="openbsd_ip_forward">1</Option>
|
|
<Option name="output_file"></Option>
|
|
<Option name="pass_all_out">false</Option>
|
|
<Option name="pf_limit_frags">5000</Option>
|
|
<Option name="pf_limit_states">10000</Option>
|
|
<Option name="pf_scrub_maxmss">1460</Option>
|
|
<Option name="pf_timeout_frag">30</Option>
|
|
<Option name="pf_timeout_interval">10</Option>
|
|
<Option name="pix_add_clear_statements">true</Option>
|
|
<Option name="pix_assume_fw_part_of_any">true</Option>
|
|
<Option name="pix_default_logint">300</Option>
|
|
<Option name="pix_emblem_log_format">false</Option>
|
|
<Option name="pix_emulate_out_acl">true</Option>
|
|
<Option name="pix_floodguard">true</Option>
|
|
<Option name="pix_include_comments">true</Option>
|
|
<Option name="pix_route_dnat_supported">true</Option>
|
|
<Option name="pix_rule_syslog_settings">false</Option>
|
|
<Option name="pix_security_fragguard_supported">true</Option>
|
|
<Option name="pix_syslog_device_id_supported">false</Option>
|
|
<Option name="pix_use_acl_remarks">true</Option>
|
|
<Option name="prompt1">$ </Option>
|
|
<Option name="prompt2"> # </Option>
|
|
<Option name="solaris_ip_forward">1</Option>
|
|
<Option name="sshArgs"></Option>
|
|
<Option name="ulog_nlgroup">1</Option>
|
|
<Option name="verify_interfaces">true</Option>
|
|
</FirewallOptions>
|
|
</Firewall>
|
|
<Firewall id="id18609X75509" host_OS="openbsd" inactive="False" lastCompiled="1253295658" lastInstalled="0" lastModified="1253295652" platform="pf" version="" name="firewall70" comment="testing for unprotected interfaces" ro="False">
|
|
<NAT id="id18677X75509" name="NAT" comment="" ro="False" ipv4_rule_set="False" ipv6_rule_set="False" top_rule_set="True">
|
|
<NATRule id="id18678X75509" disabled="True" group="" position="0" action="Translate" comment="">
|
|
<OSrc neg="False">
|
|
<ObjectRef ref="net-Internal_net"/>
|
|
</OSrc>
|
|
<ODst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ODst>
|
|
<OSrv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</OSrv>
|
|
<TSrc neg="False">
|
|
<ObjectRef ref="id18609X75509"/>
|
|
</TSrc>
|
|
<TDst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</TDst>
|
|
<TSrv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</TSrv>
|
|
<ItfInb neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ItfInb>
|
|
<ItfOutb neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ItfOutb>
|
|
<NATRuleOptions/>
|
|
</NATRule>
|
|
<RuleSetOptions/>
|
|
</NAT>
|
|
<Policy id="id18615X75509" name="Policy" comment="" ro="False" ipv4_rule_set="False" ipv6_rule_set="False" top_rule_set="True">
|
|
<PolicyRule id="id18616X75509" disabled="False" group="" log="False" position="0" action="Accept" direction="Both" comment="">
|
|
<Src neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="id18609X75509"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="tcp-SSH"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="action_on_reject"></Option>
|
|
<Option name="limit_value">0</Option>
|
|
<Option name="log_limit_suffix"></Option>
|
|
<Option name="log_prefix"></Option>
|
|
<Option name="pf_classify_str"></Option>
|
|
<Option name="stateless">False</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<PolicyRule id="id50647X75509" disabled="False" group="" log="False" position="1" action="Accept" direction="Both" comment="">
|
|
<Src neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="id18609X75509"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="tcp-SSH"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="id18696X75509"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="action_on_reject"></Option>
|
|
<Option name="limit_value">0</Option>
|
|
<Option name="log_limit_suffix"></Option>
|
|
<Option name="log_prefix"></Option>
|
|
<Option name="pf_classify_str"></Option>
|
|
<Option name="stateless">False</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<PolicyRule id="id50664X75509" disabled="False" group="" log="False" position="2" action="Accept" direction="Both" comment="">
|
|
<Src neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="id18609X75509"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="tcp-SSH"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="id18696X75509"/>
|
|
<ObjectRef ref="id18693X75509"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="action_on_reject"></Option>
|
|
<Option name="limit_value">0</Option>
|
|
<Option name="log_limit_suffix"></Option>
|
|
<Option name="log_prefix"></Option>
|
|
<Option name="pf_classify_str"></Option>
|
|
<Option name="stateless">False</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<PolicyRule id="id50681X75509" disabled="False" group="" log="False" position="3" action="Accept" direction="Both" comment="">
|
|
<Src neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="id18609X75509"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="tcp-SSH"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="id34697X75509"/>
|
|
<ObjectRef ref="id18696X75509"/>
|
|
<ObjectRef ref="id18693X75509"/>
|
|
<ObjectRef ref="id82758X75509"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="action_on_reject"></Option>
|
|
<Option name="limit_value">0</Option>
|
|
<Option name="log_limit_suffix"></Option>
|
|
<Option name="log_prefix"></Option>
|
|
<Option name="pf_classify_str"></Option>
|
|
<Option name="stateless">False</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<PolicyRule id="id66678X75509" disabled="False" group="" log="False" position="4" action="Accept" direction="Both" comment="">
|
|
<Src neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="id18609X75509"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="tcp-SSH"/>
|
|
</Srv>
|
|
<Itf neg="True">
|
|
<ObjectRef ref="id18696X75509"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="action_on_reject"></Option>
|
|
<Option name="limit_value">0</Option>
|
|
<Option name="log_limit_suffix"></Option>
|
|
<Option name="log_prefix"></Option>
|
|
<Option name="pf_classify_str"></Option>
|
|
<Option name="stateless">False</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<PolicyRule id="id66698X75509" disabled="False" group="" log="False" position="5" action="Accept" direction="Both" comment="">
|
|
<Src neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="id18609X75509"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="tcp-SSH"/>
|
|
</Srv>
|
|
<Itf neg="True">
|
|
<ObjectRef ref="id18696X75509"/>
|
|
<ObjectRef ref="id18693X75509"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="action_on_reject"></Option>
|
|
<Option name="limit_value">0</Option>
|
|
<Option name="log_limit_suffix"></Option>
|
|
<Option name="log_prefix"></Option>
|
|
<Option name="pf_classify_str"></Option>
|
|
<Option name="stateless">False</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<RuleSetOptions/>
|
|
</Policy>
|
|
<Routing id="id18692X75509" name="Routing" comment="" ro="False" ipv4_rule_set="False" ipv6_rule_set="False" top_rule_set="True">
|
|
<RuleSetOptions/>
|
|
</Routing>
|
|
<Interface id="id18693X75509" dedicated_failover="False" dyn="False" label="" mgmt="False" security_level="0" unnum="False" unprotected="False" name="en1" comment="" ro="False">
|
|
<IPv4 id="id18695X75509" name="firewall70:en1:ip" comment="" ro="False" address="22.22.22.22" netmask="255.255.255.0"/>
|
|
<InterfaceOptions/>
|
|
</Interface>
|
|
<Interface id="id18696X75509" dedicated_failover="False" dyn="False" label="" mgmt="False" security_level="100" unnum="False" unprotected="False" name="en0" comment="" ro="False">
|
|
<IPv4 id="id18698X75509" name="firewall70:en0:ip" comment="" ro="False" address="192.168.1.1" netmask="255.255.255.0"/>
|
|
<InterfaceOptions/>
|
|
</Interface>
|
|
<Interface id="id18699X75509" dedicated_failover="False" dyn="False" label="" mgmt="False" security_level="0" unnum="False" unprotected="False" name="lo0" comment="" ro="False">
|
|
<IPv4 id="id18701X75509" name="firewall70:lo0:ip" comment="" ro="False" address="127.0.0.1" netmask="255.0.0.0"/>
|
|
<InterfaceOptions/>
|
|
</Interface>
|
|
<Interface id="id34697X75509" dedicated_failover="False" dyn="False" label="" mgmt="False" security_level="0" unnum="False" unprotected="False" name="en2" comment="" ro="False">
|
|
<IPv4 id="id90782X75509" name="firewall70:en2:ip" comment="" ro="False" address="192.0.2.1" netmask="255.255.255.0"/>
|
|
<InterfaceOptions/>
|
|
</Interface>
|
|
<Interface id="id82758X75509" dedicated_failover="False" dyn="False" label="" mgmt="False" security_level="0" unnum="True" unprotected="True" name="en3" comment="" ro="False">
|
|
<InterfaceOptions/>
|
|
</Interface>
|
|
<Management address="127.0.0.1">
|
|
<SNMPManagement enabled="False" snmp_read_community="public" snmp_write_community=""/>
|
|
<FWBDManagement enabled="True" identity="" port="9999"/>
|
|
<PolicyInstallScript arguments="" command="" enabled="False"/>
|
|
</Management>
|
|
<FirewallOptions>
|
|
<Option name="accept_established">False</Option>
|
|
<Option name="accept_new_tcp_with_no_syn">False</Option>
|
|
<Option name="action_on_reject">ICMP net unreachable</Option>
|
|
<Option name="activationCmd"></Option>
|
|
<Option name="admUser"></Option>
|
|
<Option name="altAddress"></Option>
|
|
<Option name="check_shading">False</Option>
|
|
<Option name="clamp_mss_to_mtu">False</Option>
|
|
<Option name="cmdline"></Option>
|
|
<Option name="compiler"></Option>
|
|
<Option name="configure_interfaces">False</Option>
|
|
<Option name="debug">False</Option>
|
|
<Option name="dyn_addr">False</Option>
|
|
<Option name="enable_ipv6">False</Option>
|
|
<Option name="epilog_script"></Option>
|
|
<Option name="fallback_log">False</Option>
|
|
<Option name="firewall_dir"></Option>
|
|
<Option name="firewall_is_part_of_any">True</Option>
|
|
<Option name="firewall_is_part_of_any_and_networks">True</Option>
|
|
<Option name="ignore_empty_groups">True</Option>
|
|
<Option name="in_out_code">True</Option>
|
|
<Option name="inst_cmdline"></Option>
|
|
<Option name="inst_script"></Option>
|
|
<Option name="install_script"></Option>
|
|
<Option name="ipv4_6_order">ipv4_first</Option>
|
|
<Option name="limit_suffix">/second</Option>
|
|
<Option name="limit_value">0</Option>
|
|
<Option name="linux24_ip_forward">0</Option>
|
|
<Option name="linux24_tcp_fin_timeout">30</Option>
|
|
<Option name="linux24_tcp_keepalive_interval">1800</Option>
|
|
<Option name="load_modules">False</Option>
|
|
<Option name="log_all_dropped">True</Option>
|
|
<Option name="log_ip_opt">False</Option>
|
|
<Option name="log_level">debug</Option>
|
|
<Option name="log_limit_suffix">/second</Option>
|
|
<Option name="log_limit_value">0</Option>
|
|
<Option name="log_prefix"></Option>
|
|
<Option name="log_tcp_opt">False</Option>
|
|
<Option name="log_tcp_seq">False</Option>
|
|
<Option name="manage_virtual_addr">True</Option>
|
|
<Option name="mgmt_addr"></Option>
|
|
<Option name="mgmt_ssh">False</Option>
|
|
<Option name="modulate_state">True</Option>
|
|
<Option name="no_iochains_for_any">False</Option>
|
|
<Option name="no_optimisation">False</Option>
|
|
<Option name="openbsd_ip_directed_broadcast">0</Option>
|
|
<Option name="openbsd_ip_forward">1</Option>
|
|
<Option name="openbsd_ip_redirect">0</Option>
|
|
<Option name="openbsd_ip_sourceroute">0</Option>
|
|
<Option name="openbsd_path_pfctl"></Option>
|
|
<Option name="openbsd_path_sysctl"></Option>
|
|
<Option name="output_file"></Option>
|
|
<Option name="pass_all_out">False</Option>
|
|
<Option name="pf_adaptive_end">0</Option>
|
|
<Option name="pf_adaptive_start">0</Option>
|
|
<Option name="pf_do_limit_frags">False</Option>
|
|
<Option name="pf_do_limit_src_nodes">False</Option>
|
|
<Option name="pf_do_limit_states">False</Option>
|
|
<Option name="pf_do_limit_table_entries">False</Option>
|
|
<Option name="pf_do_limit_tables">False</Option>
|
|
<Option name="pf_do_scrub">False</Option>
|
|
<Option name="pf_do_timeout_frag">False</Option>
|
|
<Option name="pf_do_timeout_interval">False</Option>
|
|
<Option name="pf_icmp_error">0</Option>
|
|
<Option name="pf_icmp_first">0</Option>
|
|
<Option name="pf_limit_frags">5000</Option>
|
|
<Option name="pf_limit_src_nodes">0</Option>
|
|
<Option name="pf_limit_states">10000</Option>
|
|
<Option name="pf_limit_table_entries">0</Option>
|
|
<Option name="pf_limit_tables">0</Option>
|
|
<Option name="pf_optimization"></Option>
|
|
<Option name="pf_other_first">0</Option>
|
|
<Option name="pf_other_multiple">0</Option>
|
|
<Option name="pf_other_single">0</Option>
|
|
<Option name="pf_scrub_fragm_crop">False</Option>
|
|
<Option name="pf_scrub_fragm_drop_ovl">False</Option>
|
|
<Option name="pf_scrub_maxmss">1460</Option>
|
|
<Option name="pf_scrub_minttl">1</Option>
|
|
<Option name="pf_scrub_no_df">False</Option>
|
|
<Option name="pf_scrub_random_id">False</Option>
|
|
<Option name="pf_scrub_reassemble">True</Option>
|
|
<Option name="pf_scrub_use_maxmss">False</Option>
|
|
<Option name="pf_scrub_use_minttl">False</Option>
|
|
<Option name="pf_set_adaptive">False</Option>
|
|
<Option name="pf_set_icmp_error">False</Option>
|
|
<Option name="pf_set_icmp_first">False</Option>
|
|
<Option name="pf_set_other_first">False</Option>
|
|
<Option name="pf_set_other_multiple">False</Option>
|
|
<Option name="pf_set_other_single">False</Option>
|
|
<Option name="pf_set_tcp_closed">False</Option>
|
|
<Option name="pf_set_tcp_closing">False</Option>
|
|
<Option name="pf_set_tcp_established">False</Option>
|
|
<Option name="pf_set_tcp_finwait">False</Option>
|
|
<Option name="pf_set_tcp_first">False</Option>
|
|
<Option name="pf_set_tcp_opening">False</Option>
|
|
<Option name="pf_set_udp_first">False</Option>
|
|
<Option name="pf_set_udp_multiple">False</Option>
|
|
<Option name="pf_set_udp_single">False</Option>
|
|
<Option name="pf_tcp_closed">0</Option>
|
|
<Option name="pf_tcp_closing">0</Option>
|
|
<Option name="pf_tcp_established">0</Option>
|
|
<Option name="pf_tcp_finwait">0</Option>
|
|
<Option name="pf_tcp_first">0</Option>
|
|
<Option name="pf_tcp_opening">0</Option>
|
|
<Option name="pf_timeout_frag">30</Option>
|
|
<Option name="pf_timeout_interval">10</Option>
|
|
<Option name="pf_udp_first">0</Option>
|
|
<Option name="pf_udp_multiple">0</Option>
|
|
<Option name="pf_udp_single">0</Option>
|
|
<Option name="platform">iptables</Option>
|
|
<Option name="prolog_place">fw_file</Option>
|
|
<Option name="prolog_script"></Option>
|
|
<Option name="script_env_path"></Option>
|
|
<Option name="snmp_contact"></Option>
|
|
<Option name="snmp_description"></Option>
|
|
<Option name="snmp_location"></Option>
|
|
<Option name="sshArgs"></Option>
|
|
<Option name="use_numeric_log_levels">False</Option>
|
|
<Option name="use_tables">True</Option>
|
|
</FirewallOptions>
|
|
</Firewall>
|
|
<Firewall id="id19494X46601" host_OS="freebsd" inactive="False" lastCompiled="1258399658" lastInstalled="0" lastModified="1258399653" platform="pf" version="4.0" name="firewall21" comment="branching in NAT rules PF v4.0-4.2" ro="False">
|
|
<NAT id="id19574X46601" name="NAT" comment="" ro="False" ipv4_rule_set="False" ipv6_rule_set="False" top_rule_set="True">
|
|
<NATRule id="id19575X46601" disabled="False" group="" position="0" action="NATBranch" comment="">
|
|
<OSrc neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</OSrc>
|
|
<ODst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ODst>
|
|
<OSrv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</OSrv>
|
|
<TSrc neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</TSrc>
|
|
<TDst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</TDst>
|
|
<TSrv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</TSrv>
|
|
<ItfInb neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ItfInb>
|
|
<ItfOutb neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ItfOutb>
|
|
<NATRuleOptions>
|
|
<Option name="action_on_reject"></Option>
|
|
<Option name="branch_id">id19696X53465</Option>
|
|
<Option name="classify_str"></Option>
|
|
<Option name="custom_str"></Option>
|
|
<Option name="ipf_route_opt_addr"></Option>
|
|
<Option name="ipf_route_opt_if"></Option>
|
|
<Option name="ipf_route_option">route_reply_through</Option>
|
|
<Option name="ipfw_classify_method">2</Option>
|
|
<Option name="ipfw_pipe_port_num">0</Option>
|
|
<Option name="ipfw_pipe_queue_num">0</Option>
|
|
<Option name="ipt_continue">False</Option>
|
|
<Option name="ipt_gw"></Option>
|
|
<Option name="ipt_iif"></Option>
|
|
<Option name="ipt_mark_connections">False</Option>
|
|
<Option name="ipt_oif"></Option>
|
|
<Option name="ipt_tee">False</Option>
|
|
<Option name="pf_fastroute">False</Option>
|
|
<Option name="pf_route_load_option">none</Option>
|
|
<Option name="pf_route_opt_addr"></Option>
|
|
<Option name="pf_route_opt_if"></Option>
|
|
<Option name="pf_route_option">none</Option>
|
|
<Option name="rule_name_accounting"></Option>
|
|
</NATRuleOptions>
|
|
</NATRule>
|
|
<NATRule id="id45518X93766" disabled="False" group="" position="1" action="Translate" comment="">
|
|
<OSrc neg="False">
|
|
<ObjectRef ref="net-Internal_net"/>
|
|
</OSrc>
|
|
<ODst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ODst>
|
|
<OSrv neg="False">
|
|
<ServiceRef ref="tcp-FTP"/>
|
|
</OSrv>
|
|
<TSrc neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</TSrc>
|
|
<TDst neg="False">
|
|
<ObjectRef ref="id19494X46601"/>
|
|
</TDst>
|
|
<TSrv neg="False">
|
|
<ServiceRef ref="id45517X93766"/>
|
|
</TSrv>
|
|
<ItfInb neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ItfInb>
|
|
<ItfOutb neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ItfOutb>
|
|
<NATRuleOptions>
|
|
<Option name="action_on_reject"></Option>
|
|
<Option name="branch_id">id28067X46601</Option>
|
|
<Option name="classify_str"></Option>
|
|
<Option name="custom_str"></Option>
|
|
<Option name="ipf_route_opt_addr"></Option>
|
|
<Option name="ipf_route_opt_if"></Option>
|
|
<Option name="ipf_route_option">route_through</Option>
|
|
<Option name="ipfw_classify_method">2</Option>
|
|
<Option name="ipfw_pipe_port_num">0</Option>
|
|
<Option name="ipfw_pipe_queue_num">0</Option>
|
|
<Option name="ipt_continue">False</Option>
|
|
<Option name="ipt_gw"></Option>
|
|
<Option name="ipt_iif"></Option>
|
|
<Option name="ipt_mark_connections">False</Option>
|
|
<Option name="ipt_oif"></Option>
|
|
<Option name="ipt_tee">False</Option>
|
|
<Option name="pf_fastroute">False</Option>
|
|
<Option name="pf_route_load_option">none</Option>
|
|
<Option name="pf_route_opt_addr"></Option>
|
|
<Option name="pf_route_opt_if"></Option>
|
|
<Option name="pf_route_option">none</Option>
|
|
<Option name="rule_name_accounting"></Option>
|
|
</NATRuleOptions>
|
|
</NATRule>
|
|
<NATRule id="id36650X50270" disabled="False" group="" position="2" action="NATBranch" comment="">
|
|
<OSrc neg="False">
|
|
<ObjectRef ref="net-Internal_net"/>
|
|
</OSrc>
|
|
<ODst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ODst>
|
|
<OSrv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</OSrv>
|
|
<TSrc neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</TSrc>
|
|
<TDst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</TDst>
|
|
<TSrv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</TSrv>
|
|
<ItfInb neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ItfInb>
|
|
<ItfOutb neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ItfOutb>
|
|
<NATRuleOptions>
|
|
<Option name="action_on_reject"></Option>
|
|
<Option name="branch_id">id28067X46601</Option>
|
|
<Option name="classify_str"></Option>
|
|
<Option name="custom_str"></Option>
|
|
<Option name="ipf_route_opt_addr"></Option>
|
|
<Option name="ipf_route_opt_if"></Option>
|
|
<Option name="ipf_route_option">route_through</Option>
|
|
<Option name="ipfw_classify_method">2</Option>
|
|
<Option name="ipfw_pipe_port_num">0</Option>
|
|
<Option name="ipfw_pipe_queue_num">0</Option>
|
|
<Option name="ipt_continue">False</Option>
|
|
<Option name="ipt_gw"></Option>
|
|
<Option name="ipt_iif"></Option>
|
|
<Option name="ipt_mark_connections">False</Option>
|
|
<Option name="ipt_oif"></Option>
|
|
<Option name="ipt_tee">False</Option>
|
|
<Option name="pf_fastroute">False</Option>
|
|
<Option name="pf_route_load_option">none</Option>
|
|
<Option name="pf_route_opt_addr"></Option>
|
|
<Option name="pf_route_opt_if"></Option>
|
|
<Option name="pf_route_option">none</Option>
|
|
<Option name="rule_name_accounting"></Option>
|
|
</NATRuleOptions>
|
|
</NATRule>
|
|
<NATRule id="id45141X50270" disabled="False" group="" position="3" action="NATBranch" comment="">
|
|
<OSrc neg="False">
|
|
<ObjectRef ref="net-Internal_net"/>
|
|
</OSrc>
|
|
<ODst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ODst>
|
|
<OSrv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</OSrv>
|
|
<TSrc neg="False">
|
|
<ObjectRef ref="id19505X46601"/>
|
|
</TSrc>
|
|
<TDst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</TDst>
|
|
<TSrv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</TSrv>
|
|
<ItfInb neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ItfInb>
|
|
<ItfOutb neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ItfOutb>
|
|
<NATRuleOptions>
|
|
<Option name="action_on_reject"></Option>
|
|
<Option name="branch_id">id28067X46601</Option>
|
|
<Option name="classify_str"></Option>
|
|
<Option name="custom_str"></Option>
|
|
<Option name="ipf_route_opt_addr"></Option>
|
|
<Option name="ipf_route_opt_if"></Option>
|
|
<Option name="ipf_route_option">route_through</Option>
|
|
<Option name="ipfw_classify_method">2</Option>
|
|
<Option name="ipfw_pipe_port_num">0</Option>
|
|
<Option name="ipfw_pipe_queue_num">0</Option>
|
|
<Option name="ipt_continue">False</Option>
|
|
<Option name="ipt_gw"></Option>
|
|
<Option name="ipt_iif"></Option>
|
|
<Option name="ipt_mark_connections">False</Option>
|
|
<Option name="ipt_oif"></Option>
|
|
<Option name="ipt_tee">False</Option>
|
|
<Option name="pf_fastroute">False</Option>
|
|
<Option name="pf_route_load_option">none</Option>
|
|
<Option name="pf_route_opt_addr"></Option>
|
|
<Option name="pf_route_opt_if"></Option>
|
|
<Option name="pf_route_option">none</Option>
|
|
<Option name="rule_name_accounting"></Option>
|
|
</NATRuleOptions>
|
|
</NATRule>
|
|
<RuleSetOptions/>
|
|
</NAT>
|
|
<NAT id="id28067X46601" name="NAT_1" comment="" ro="False" ipv4_rule_set="False" ipv6_rule_set="False" top_rule_set="False">
|
|
<NATRule id="id28068X46601" disabled="False" group="" position="0" action="Translate" comment="">
|
|
<OSrc neg="False">
|
|
<ObjectRef ref="net-Internal_net"/>
|
|
</OSrc>
|
|
<ODst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ODst>
|
|
<OSrv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</OSrv>
|
|
<TSrc neg="False">
|
|
<ObjectRef ref="id19494X46601"/>
|
|
</TSrc>
|
|
<TDst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</TDst>
|
|
<TSrv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</TSrv>
|
|
<ItfInb neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ItfInb>
|
|
<ItfOutb neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ItfOutb>
|
|
<NATRuleOptions/>
|
|
</NATRule>
|
|
<RuleSetOptions/>
|
|
</NAT>
|
|
<NAT id="id19696X53465" name="ftp-proxy/*" comment="" ro="False" ipv4_rule_set="True" ipv6_rule_set="False" top_rule_set="False">
|
|
<RuleSetOptions/>
|
|
</NAT>
|
|
<Policy id="id19513X46601" name="Policy" comment="" ro="False" ipv4_rule_set="False" ipv6_rule_set="False" top_rule_set="True">
|
|
<PolicyRule id="id19562X46601" disabled="False" group="" log="False" position="0" action="Branch" direction="Both" comment="">
|
|
<Src neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="action_on_reject"></Option>
|
|
<Option name="branch_id">id54048X91166</Option>
|
|
<Option name="classify_str"></Option>
|
|
<Option name="custom_str"></Option>
|
|
<Option name="ipf_route_opt_addr"></Option>
|
|
<Option name="ipf_route_opt_if"></Option>
|
|
<Option name="ipf_route_option">route_through</Option>
|
|
<Option name="ipfw_classify_method">2</Option>
|
|
<Option name="ipfw_pipe_port_num">0</Option>
|
|
<Option name="ipfw_pipe_queue_num">0</Option>
|
|
<Option name="ipt_continue">False</Option>
|
|
<Option name="ipt_gw"></Option>
|
|
<Option name="ipt_iif"></Option>
|
|
<Option name="ipt_mark_connections">False</Option>
|
|
<Option name="ipt_oif"></Option>
|
|
<Option name="ipt_tee">False</Option>
|
|
<Option name="pf_classify_str"></Option>
|
|
<Option name="pf_fastroute">False</Option>
|
|
<Option name="pf_route_load_option">none</Option>
|
|
<Option name="pf_route_opt_addr"></Option>
|
|
<Option name="pf_route_opt_if"></Option>
|
|
<Option name="pf_route_option">none</Option>
|
|
<Option name="rule_name_accounting"></Option>
|
|
<Option name="stateless">True</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<PolicyRule id="id71200X93766" disabled="False" group="" log="False" position="1" action="Accept" direction="Both" comment="">
|
|
<Src neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="id19508X46601"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="id45517X93766"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="pf_classify_str"></Option>
|
|
<Option name="stateless">False</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<RuleSetOptions/>
|
|
</Policy>
|
|
<Policy id="id54048X91166" name="ftp-proxy/*" comment="" ro="False" ipv4_rule_set="True" ipv6_rule_set="False" top_rule_set="False">
|
|
<RuleSetOptions/>
|
|
</Policy>
|
|
<Routing id="id19603X46601" name="Routing" comment="" ro="False" ipv4_rule_set="False" ipv6_rule_set="False" top_rule_set="True">
|
|
<RuleSetOptions/>
|
|
</Routing>
|
|
<Interface id="id19500X46601" dedicated_failover="False" dyn="False" label="" mgmt="False" security_level="100" unnum="False" unprotected="False" name="en1" comment="" ro="False">
|
|
<IPv4 id="id19503X46601" name="firewall21:en1:ip" comment="" ro="False" address="192.168.1.1" netmask="255.255.255.0"/>
|
|
<InterfaceOptions/>
|
|
</Interface>
|
|
<Interface id="id19505X46601" dedicated_failover="False" dyn="False" label="" mgmt="False" security_level="0" unnum="False" unprotected="False" name="en0" comment="" ro="False">
|
|
<IPv4 id="id45156X50270" name="firewall21:en0:ip" comment="" ro="False" address="192.0.2.1" netmask="255.255.255.0"/>
|
|
<InterfaceOptions/>
|
|
</Interface>
|
|
<Interface id="id19508X46601" dedicated_failover="False" dyn="False" security_level="100" unnum="False" unprotected="False" name="lo" comment="" ro="False">
|
|
<IPv4 id="id19511X46601" name="firewall21:lo:ip" comment="" ro="False" address="127.0.0.1" netmask="255.0.0.0"/>
|
|
<InterfaceOptions/>
|
|
</Interface>
|
|
<Management address="127.0.0.1">
|
|
<SNMPManagement enabled="False" snmp_read_community="public" snmp_write_community=""/>
|
|
<FWBDManagement enabled="True" identity="" port="9999"/>
|
|
<PolicyInstallScript arguments="" command="" enabled="False"/>
|
|
</Management>
|
|
<FirewallOptions>
|
|
<Option name="accept_established">True</Option>
|
|
<Option name="accept_new_tcp_with_no_syn">True</Option>
|
|
<Option name="action_on_reject">ICMP net unreachable</Option>
|
|
<Option name="check_shading">True</Option>
|
|
<Option name="clamp_mss_to_mtu">False</Option>
|
|
<Option name="cmdline"></Option>
|
|
<Option name="compiler"></Option>
|
|
<Option name="configure_interfaces">False</Option>
|
|
<Option name="debug">False</Option>
|
|
<Option name="dyn_addr">False</Option>
|
|
<Option name="firewall_dir"></Option>
|
|
<Option name="firewall_is_part_of_any">True</Option>
|
|
<Option name="firewall_is_part_of_any_and_networks">True</Option>
|
|
<Option name="freebsd_ip_forward"></Option>
|
|
<Option name="freebsd_ip_redirect"></Option>
|
|
<Option name="freebsd_ip_sourceroute"></Option>
|
|
<Option name="freebsd_ipv6_forward"></Option>
|
|
<Option name="freebsd_path_ipf"></Option>
|
|
<Option name="freebsd_path_ipnat"></Option>
|
|
<Option name="freebsd_path_pfctl">/usr/local/bin/pfctl</Option>
|
|
<Option name="freebsd_path_sysctl"></Option>
|
|
<Option name="ignore_empty_groups">False</Option>
|
|
<Option name="in_out_code">True</Option>
|
|
<Option name="inst_cmdline"></Option>
|
|
<Option name="inst_script"></Option>
|
|
<Option name="install_script"></Option>
|
|
<Option name="ipt_mangle_only_rulesets"></Option>
|
|
<Option name="limit_suffix">/day</Option>
|
|
<Option name="limit_value">0</Option>
|
|
<Option name="linux24_ip_forward">0</Option>
|
|
<Option name="linux24_tcp_fin_timeout">30</Option>
|
|
<Option name="linux24_tcp_keepalive_interval">1800</Option>
|
|
<Option name="load_modules">False</Option>
|
|
<Option name="log_all_dropped">False</Option>
|
|
<Option name="log_ip_opt">False</Option>
|
|
<Option name="log_level">debug</Option>
|
|
<Option name="log_limit_suffix">/second</Option>
|
|
<Option name="log_limit_value">0</Option>
|
|
<Option name="log_prefix"></Option>
|
|
<Option name="log_tcp_opt">False</Option>
|
|
<Option name="log_tcp_seq">False</Option>
|
|
<Option name="manage_virtual_addr">True</Option>
|
|
<Option name="modulate_state">False</Option>
|
|
<Option name="no_iochains_for_any">False</Option>
|
|
<Option name="no_optimisation">False</Option>
|
|
<Option name="openbsd_path_pfctl"></Option>
|
|
<Option name="openbsd_path_sysctl"></Option>
|
|
<Option name="pass_all_out">False</Option>
|
|
<Option name="pf_do_scrub">True</Option>
|
|
<Option name="pf_limit_frags">5000</Option>
|
|
<Option name="pf_limit_states">10000</Option>
|
|
<Option name="pf_optimization"></Option>
|
|
<Option name="pf_scrub_fragm_crop">False</Option>
|
|
<Option name="pf_scrub_fragm_drop_ovl">False</Option>
|
|
<Option name="pf_scrub_maxmss">1460</Option>
|
|
<Option name="pf_scrub_minttl">1</Option>
|
|
<Option name="pf_scrub_no_df">False</Option>
|
|
<Option name="pf_scrub_random_id">False</Option>
|
|
<Option name="pf_scrub_use_maxmss">False</Option>
|
|
<Option name="pf_scrub_use_minttl">False</Option>
|
|
<Option name="pf_timeout_frag">30</Option>
|
|
<Option name="pf_timeout_interval">10</Option>
|
|
<Option name="platform">iptables</Option>
|
|
<Option name="proxy_arp">False</Option>
|
|
<Option name="script_env_path"></Option>
|
|
<Option name="snmp_contact"></Option>
|
|
<Option name="snmp_description"></Option>
|
|
<Option name="snmp_location"></Option>
|
|
<Option name="use_ip_tool">False</Option>
|
|
<Option name="use_numeric_log_levels">False</Option>
|
|
<Option name="use_tables">True</Option>
|
|
</FirewallOptions>
|
|
</Firewall>
|
|
<Firewall id="id19695X55350" host_OS="freebsd" inactive="False" lastCompiled="1258397758" lastInstalled="0" lastModified="1307152273" platform="pf" version="4.3" name="firewall22" comment="branching in NAT rules PF v4.3 and later" ro="False">
|
|
<NAT id="id19729X55350" name="NAT" comment="" ro="False" ipv4_rule_set="False" ipv6_rule_set="False" top_rule_set="True">
|
|
<NATRule id="id19730X55350" disabled="False" group="" position="0" action="NATBranch" comment="">
|
|
<OSrc neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</OSrc>
|
|
<ODst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ODst>
|
|
<OSrv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</OSrv>
|
|
<TSrc neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</TSrc>
|
|
<TDst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</TDst>
|
|
<TSrv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</TSrv>
|
|
<ItfInb neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ItfInb>
|
|
<ItfOutb neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ItfOutb>
|
|
<NATRuleOptions>
|
|
<Option name="action_on_reject"></Option>
|
|
<Option name="branch_id">id19787X55350</Option>
|
|
<Option name="classify_str"></Option>
|
|
<Option name="custom_str"></Option>
|
|
<Option name="ipf_route_opt_addr"></Option>
|
|
<Option name="ipf_route_opt_if"></Option>
|
|
<Option name="ipf_route_option">route_copy_through</Option>
|
|
<Option name="ipfw_classify_method">2</Option>
|
|
<Option name="ipfw_pipe_port_num">0</Option>
|
|
<Option name="ipfw_pipe_queue_num">0</Option>
|
|
<Option name="ipt_continue">False</Option>
|
|
<Option name="ipt_gw"></Option>
|
|
<Option name="ipt_iif"></Option>
|
|
<Option name="ipt_mark_connections">False</Option>
|
|
<Option name="ipt_oif"></Option>
|
|
<Option name="ipt_tee">False</Option>
|
|
<Option name="pf_fastroute">False</Option>
|
|
<Option name="pf_route_load_option">none</Option>
|
|
<Option name="pf_route_opt_addr"></Option>
|
|
<Option name="pf_route_opt_if"></Option>
|
|
<Option name="pf_route_option">none</Option>
|
|
<Option name="rule_name_accounting"></Option>
|
|
</NATRuleOptions>
|
|
</NATRule>
|
|
<NATRule id="id19744X55350" disabled="False" group="" position="1" action="NATBranch" comment="">
|
|
<OSrc neg="False">
|
|
<ObjectRef ref="net-Internal_net"/>
|
|
</OSrc>
|
|
<ODst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ODst>
|
|
<OSrv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</OSrv>
|
|
<TSrc neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</TSrc>
|
|
<TDst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</TDst>
|
|
<TSrv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</TSrv>
|
|
<ItfInb neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ItfInb>
|
|
<ItfOutb neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ItfOutb>
|
|
<NATRuleOptions>
|
|
<Option name="action_on_reject"></Option>
|
|
<Option name="branch_id">id19772X55350</Option>
|
|
<Option name="classify_str"></Option>
|
|
<Option name="custom_str"></Option>
|
|
<Option name="ipf_route_opt_addr"></Option>
|
|
<Option name="ipf_route_opt_if"></Option>
|
|
<Option name="ipf_route_option">route_through</Option>
|
|
<Option name="ipfw_classify_method">2</Option>
|
|
<Option name="ipfw_pipe_port_num">0</Option>
|
|
<Option name="ipfw_pipe_queue_num">0</Option>
|
|
<Option name="ipt_continue">False</Option>
|
|
<Option name="ipt_gw"></Option>
|
|
<Option name="ipt_iif"></Option>
|
|
<Option name="ipt_mark_connections">False</Option>
|
|
<Option name="ipt_oif"></Option>
|
|
<Option name="ipt_tee">False</Option>
|
|
<Option name="pf_fastroute">False</Option>
|
|
<Option name="pf_route_load_option">none</Option>
|
|
<Option name="pf_route_opt_addr"></Option>
|
|
<Option name="pf_route_opt_if"></Option>
|
|
<Option name="pf_route_option">none</Option>
|
|
<Option name="rule_name_accounting"></Option>
|
|
</NATRuleOptions>
|
|
</NATRule>
|
|
<NATRule id="id19758X55350" disabled="False" group="" position="2" action="NATBranch" comment="">
|
|
<OSrc neg="False">
|
|
<ObjectRef ref="net-Internal_net"/>
|
|
</OSrc>
|
|
<ODst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ODst>
|
|
<OSrv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</OSrv>
|
|
<TSrc neg="False">
|
|
<ObjectRef ref="id19706X55350"/>
|
|
</TSrc>
|
|
<TDst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</TDst>
|
|
<TSrv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</TSrv>
|
|
<ItfInb neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ItfInb>
|
|
<ItfOutb neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ItfOutb>
|
|
<NATRuleOptions>
|
|
<Option name="action_on_reject"></Option>
|
|
<Option name="branch_id">id19772X55350</Option>
|
|
<Option name="classify_str"></Option>
|
|
<Option name="custom_str"></Option>
|
|
<Option name="ipf_route_opt_addr"></Option>
|
|
<Option name="ipf_route_opt_if"></Option>
|
|
<Option name="ipf_route_option">route_through</Option>
|
|
<Option name="ipfw_classify_method">2</Option>
|
|
<Option name="ipfw_pipe_port_num">0</Option>
|
|
<Option name="ipfw_pipe_queue_num">0</Option>
|
|
<Option name="ipt_continue">False</Option>
|
|
<Option name="ipt_gw"></Option>
|
|
<Option name="ipt_iif"></Option>
|
|
<Option name="ipt_mark_connections">False</Option>
|
|
<Option name="ipt_oif"></Option>
|
|
<Option name="ipt_tee">False</Option>
|
|
<Option name="pf_fastroute">False</Option>
|
|
<Option name="pf_route_load_option">none</Option>
|
|
<Option name="pf_route_opt_addr"></Option>
|
|
<Option name="pf_route_opt_if"></Option>
|
|
<Option name="pf_route_option">none</Option>
|
|
<Option name="rule_name_accounting"></Option>
|
|
</NATRuleOptions>
|
|
</NATRule>
|
|
<RuleSetOptions/>
|
|
</NAT>
|
|
<NAT id="id19772X55350" name="NAT_1" comment="" ro="False" ipv4_rule_set="False" ipv6_rule_set="False" top_rule_set="False">
|
|
<NATRule id="id19773X55350" disabled="False" group="" position="0" action="Translate" comment="">
|
|
<OSrc neg="False">
|
|
<ObjectRef ref="net-Internal_net"/>
|
|
</OSrc>
|
|
<ODst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ODst>
|
|
<OSrv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</OSrv>
|
|
<TSrc neg="False">
|
|
<ObjectRef ref="id19695X55350"/>
|
|
</TSrc>
|
|
<TDst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</TDst>
|
|
<TSrv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</TSrv>
|
|
<ItfInb neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ItfInb>
|
|
<ItfOutb neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ItfOutb>
|
|
<NATRuleOptions/>
|
|
</NATRule>
|
|
<RuleSetOptions/>
|
|
</NAT>
|
|
<NAT id="id19787X55350" name="ftp-proxy/*" comment="" ro="False" ipv4_rule_set="True" ipv6_rule_set="False" top_rule_set="False">
|
|
<RuleSetOptions/>
|
|
</NAT>
|
|
<Policy id="id19716X55350" name="Policy" comment="" ro="False" ipv4_rule_set="False" ipv6_rule_set="False" top_rule_set="True">
|
|
<PolicyRule id="id19717X55350" disabled="False" group="" log="True" position="0" action="Deny" direction="Both" comment="">
|
|
<Src neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="pf_classify_str"></Option>
|
|
<Option name="stateless">True</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<RuleSetOptions/>
|
|
</Policy>
|
|
<Routing id="id19788X55350" name="Routing" comment="" ro="False" ipv4_rule_set="False" ipv6_rule_set="False" top_rule_set="True">
|
|
<RuleSetOptions/>
|
|
</Routing>
|
|
<Interface id="id19701X55350" dedicated_failover="False" dyn="False" label="" mgmt="False" security_level="100" unnum="False" unprotected="False" name="en1" comment="" ro="False">
|
|
<IPv4 id="id19704X55350" name="firewall22:en1:ip" comment="" ro="False" address="192.168.1.1" netmask="255.255.255.0"/>
|
|
<InterfaceOptions/>
|
|
</Interface>
|
|
<Interface id="id19706X55350" dedicated_failover="False" dyn="False" label="" mgmt="False" security_level="0" unnum="False" unprotected="False" name="en0" comment="" ro="False">
|
|
<IPv4 id="id19709X55350" name="firewall22:en0:ip" comment="" ro="False" address="192.0.2.1" netmask="255.255.255.0"/>
|
|
<InterfaceOptions/>
|
|
</Interface>
|
|
<Interface id="id19711X55350" dedicated_failover="False" dyn="False" security_level="100" unnum="False" unprotected="False" name="lo" comment="" ro="False">
|
|
<IPv4 id="id19714X55350" name="firewall22:lo:ip" comment="" ro="False" address="127.0.0.1" netmask="255.0.0.0"/>
|
|
<InterfaceOptions/>
|
|
</Interface>
|
|
<Management address="127.0.0.1">
|
|
<SNMPManagement enabled="False" snmp_read_community="public" snmp_write_community=""/>
|
|
<FWBDManagement enabled="True" identity="" port="9999"/>
|
|
<PolicyInstallScript arguments="" command="" enabled="False"/>
|
|
</Management>
|
|
<FirewallOptions>
|
|
<Option name="accept_established">True</Option>
|
|
<Option name="accept_new_tcp_with_no_syn">True</Option>
|
|
<Option name="action_on_reject">ICMP net unreachable</Option>
|
|
<Option name="activationCmd"></Option>
|
|
<Option name="admUser"></Option>
|
|
<Option name="altAddress"></Option>
|
|
<Option name="check_shading">True</Option>
|
|
<Option name="clamp_mss_to_mtu">False</Option>
|
|
<Option name="cmdline"></Option>
|
|
<Option name="compiler"></Option>
|
|
<Option name="conf_file_name_on_firewall"></Option>
|
|
<Option name="configure_carp_interfaces">False</Option>
|
|
<Option name="configure_interfaces">False</Option>
|
|
<Option name="configure_pfsync_interfaces">False</Option>
|
|
<Option name="configure_vlan_interfaces">False</Option>
|
|
<Option name="debug">False</Option>
|
|
<Option name="dyn_addr">False</Option>
|
|
<Option name="epilog_script"></Option>
|
|
<Option name="fallback_log">False</Option>
|
|
<Option name="firewall_dir"></Option>
|
|
<Option name="firewall_is_part_of_any">True</Option>
|
|
<Option name="firewall_is_part_of_any_and_networks">True</Option>
|
|
<Option name="freebsd_ip_forward"></Option>
|
|
<Option name="freebsd_ip_redirect"></Option>
|
|
<Option name="freebsd_ip_sourceroute"></Option>
|
|
<Option name="freebsd_ipv6_forward"></Option>
|
|
<Option name="freebsd_path_ipf"></Option>
|
|
<Option name="freebsd_path_ipnat"></Option>
|
|
<Option name="freebsd_path_pfctl">/usr/local/bin/pfctl</Option>
|
|
<Option name="freebsd_path_sysctl"></Option>
|
|
<Option name="ignore_empty_groups">False</Option>
|
|
<Option name="in_out_code">True</Option>
|
|
<Option name="inst_cmdline"></Option>
|
|
<Option name="inst_script"></Option>
|
|
<Option name="install_script"></Option>
|
|
<Option name="ipt_mangle_only_rulesets"></Option>
|
|
<Option name="ipv4_6_order">ipv4_first</Option>
|
|
<Option name="limit_suffix">/day</Option>
|
|
<Option name="limit_value">0</Option>
|
|
<Option name="linux24_ip_forward">0</Option>
|
|
<Option name="linux24_tcp_fin_timeout">30</Option>
|
|
<Option name="linux24_tcp_keepalive_interval">1800</Option>
|
|
<Option name="load_modules">False</Option>
|
|
<Option name="log_all_dropped">False</Option>
|
|
<Option name="log_ip_opt">False</Option>
|
|
<Option name="log_level">debug</Option>
|
|
<Option name="log_limit_suffix">/second</Option>
|
|
<Option name="log_limit_value">0</Option>
|
|
<Option name="log_prefix"></Option>
|
|
<Option name="log_tcp_opt">False</Option>
|
|
<Option name="log_tcp_seq">False</Option>
|
|
<Option name="manage_virtual_addr">True</Option>
|
|
<Option name="mgmt_addr"></Option>
|
|
<Option name="mgmt_ssh">False</Option>
|
|
<Option name="modulate_state">False</Option>
|
|
<Option name="no_iochains_for_any">False</Option>
|
|
<Option name="no_optimisation">False</Option>
|
|
<Option name="openbsd_path_pfctl"></Option>
|
|
<Option name="openbsd_path_sysctl"></Option>
|
|
<Option name="output_file"></Option>
|
|
<Option name="pass_all_out">False</Option>
|
|
<Option name="pf_adaptive_end">0</Option>
|
|
<Option name="pf_adaptive_start">0</Option>
|
|
<Option name="pf_do_limit_frags">False</Option>
|
|
<Option name="pf_do_limit_src_nodes">False</Option>
|
|
<Option name="pf_do_limit_states">False</Option>
|
|
<Option name="pf_do_limit_table_entries">False</Option>
|
|
<Option name="pf_do_limit_tables">False</Option>
|
|
<Option name="pf_do_scrub">True</Option>
|
|
<Option name="pf_do_timeout_frag">False</Option>
|
|
<Option name="pf_do_timeout_interval">False</Option>
|
|
<Option name="pf_flush_states">False</Option>
|
|
<Option name="pf_icmp_error">0</Option>
|
|
<Option name="pf_icmp_first">0</Option>
|
|
<Option name="pf_limit_frags">5000</Option>
|
|
<Option name="pf_limit_src_nodes">0</Option>
|
|
<Option name="pf_limit_states">10000</Option>
|
|
<Option name="pf_limit_table_entries">0</Option>
|
|
<Option name="pf_limit_tables">0</Option>
|
|
<Option name="pf_modulate_state">False</Option>
|
|
<Option name="pf_optimization"></Option>
|
|
<Option name="pf_other_first">0</Option>
|
|
<Option name="pf_other_multiple">0</Option>
|
|
<Option name="pf_other_single">0</Option>
|
|
<Option name="pf_scrub_fragm_crop">False</Option>
|
|
<Option name="pf_scrub_fragm_drop_ovl">False</Option>
|
|
<Option name="pf_scrub_maxmss">1460</Option>
|
|
<Option name="pf_scrub_minttl">1</Option>
|
|
<Option name="pf_scrub_no_df">False</Option>
|
|
<Option name="pf_scrub_random_id">False</Option>
|
|
<Option name="pf_scrub_reassemble">True</Option>
|
|
<Option name="pf_scrub_use_maxmss">False</Option>
|
|
<Option name="pf_scrub_use_minttl">False</Option>
|
|
<Option name="pf_set_adaptive">False</Option>
|
|
<Option name="pf_set_icmp_error">False</Option>
|
|
<Option name="pf_set_icmp_first">False</Option>
|
|
<Option name="pf_set_other_first">False</Option>
|
|
<Option name="pf_set_other_multiple">False</Option>
|
|
<Option name="pf_set_other_single">False</Option>
|
|
<Option name="pf_set_tcp_closed">False</Option>
|
|
<Option name="pf_set_tcp_closing">False</Option>
|
|
<Option name="pf_set_tcp_established">False</Option>
|
|
<Option name="pf_set_tcp_finwait">False</Option>
|
|
<Option name="pf_set_tcp_first">False</Option>
|
|
<Option name="pf_set_tcp_opening">False</Option>
|
|
<Option name="pf_set_udp_first">False</Option>
|
|
<Option name="pf_set_udp_multiple">False</Option>
|
|
<Option name="pf_set_udp_single">False</Option>
|
|
<Option name="pf_state_policy">if-bound</Option>
|
|
<Option name="pf_tcp_closed">0</Option>
|
|
<Option name="pf_tcp_closing">0</Option>
|
|
<Option name="pf_tcp_established">0</Option>
|
|
<Option name="pf_tcp_finwait">0</Option>
|
|
<Option name="pf_tcp_first">0</Option>
|
|
<Option name="pf_tcp_opening">0</Option>
|
|
<Option name="pf_timeout_frag">30</Option>
|
|
<Option name="pf_timeout_interval">10</Option>
|
|
<Option name="pf_udp_first">0</Option>
|
|
<Option name="pf_udp_multiple">0</Option>
|
|
<Option name="pf_udp_single">0</Option>
|
|
<Option name="platform">iptables</Option>
|
|
<Option name="prolog_place">fw_file</Option>
|
|
<Option name="prolog_script"></Option>
|
|
<Option name="proxy_arp">False</Option>
|
|
<Option name="scpArgs"></Option>
|
|
<Option name="script_env_path"></Option>
|
|
<Option name="script_name_on_firewall"></Option>
|
|
<Option name="snmp_contact"></Option>
|
|
<Option name="snmp_description"></Option>
|
|
<Option name="snmp_location"></Option>
|
|
<Option name="sshArgs"></Option>
|
|
<Option name="use_ip_tool">False</Option>
|
|
<Option name="use_numeric_log_levels">False</Option>
|
|
<Option name="use_tables">True</Option>
|
|
</FirewallOptions>
|
|
</Firewall>
|
|
<Firewall id="id20228X55531" host_OS="openbsd" inactive="False" lastCompiled="1157930823" lastInstalled="0" lastModified="1269710325" platform="pf" version="ge_3.7" name="firewall80" comment="Testing state tracking options " ro="False">
|
|
<NAT id="id20330X55531" name="NAT" comment="" ro="False" ipv4_rule_set="False" ipv6_rule_set="False" top_rule_set="True">
|
|
<RuleSetOptions/>
|
|
</NAT>
|
|
<Policy id="id20256X55531" name="Policy" comment="" ro="False" ipv4_rule_set="False" ipv6_rule_set="False" top_rule_set="True">
|
|
<PolicyRule id="id47259X55531" disabled="False" group="" log="False" position="0" action="Accept" direction="Both" comment="">
|
|
<Src neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="id20240X55531"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="tcp-SSH"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="log_prefix"></Option>
|
|
<Option name="pf_classify_str"></Option>
|
|
<Option name="pf_keep_state">False</Option>
|
|
<Option name="pf_max_src_conn">0</Option>
|
|
<Option name="pf_max_src_conn_flush">False</Option>
|
|
<Option name="pf_max_src_conn_global">False</Option>
|
|
<Option name="pf_max_src_conn_overload_table"></Option>
|
|
<Option name="pf_max_src_conn_rate_num">0</Option>
|
|
<Option name="pf_max_src_conn_rate_seconds">0</Option>
|
|
<Option name="pf_max_src_nodes">0</Option>
|
|
<Option name="pf_max_src_states">0</Option>
|
|
<Option name="pf_modulate_state">False</Option>
|
|
<Option name="pf_no_sync">False</Option>
|
|
<Option name="pf_pflow">False</Option>
|
|
<Option name="pf_rule_max_state">0</Option>
|
|
<Option name="pf_sloppy_tracker">False</Option>
|
|
<Option name="pf_source_tracking">False</Option>
|
|
<Option name="pf_synproxy">False</Option>
|
|
<Option name="stateless">True</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<PolicyRule id="id47213X55531" disabled="False" group="" log="False" position="1" action="Accept" direction="Both" comment="">
|
|
<Src neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="id20240X55531"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="tcp-SSH"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="log_prefix"></Option>
|
|
<Option name="pf_classify_str"></Option>
|
|
<Option name="pf_keep_state">True</Option>
|
|
<Option name="pf_max_src_conn">0</Option>
|
|
<Option name="pf_max_src_conn_flush">False</Option>
|
|
<Option name="pf_max_src_conn_global">False</Option>
|
|
<Option name="pf_max_src_conn_overload_table"></Option>
|
|
<Option name="pf_max_src_conn_rate_num">0</Option>
|
|
<Option name="pf_max_src_conn_rate_seconds">0</Option>
|
|
<Option name="pf_max_src_nodes">0</Option>
|
|
<Option name="pf_max_src_states">0</Option>
|
|
<Option name="pf_modulate_state">False</Option>
|
|
<Option name="pf_no_sync">False</Option>
|
|
<Option name="pf_pflow">False</Option>
|
|
<Option name="pf_rule_max_state">0</Option>
|
|
<Option name="pf_sloppy_tracker">False</Option>
|
|
<Option name="pf_source_tracking">False</Option>
|
|
<Option name="pf_synproxy">False</Option>
|
|
<Option name="stateless">False</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<PolicyRule id="id47167X55531" disabled="False" group="" log="False" position="2" action="Accept" direction="Both" comment="">
|
|
<Src neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="id20240X55531"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="tcp-SSH"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="log_prefix"></Option>
|
|
<Option name="pf_classify_str"></Option>
|
|
<Option name="pf_keep_state">False</Option>
|
|
<Option name="pf_max_src_conn">0</Option>
|
|
<Option name="pf_max_src_conn_flush">False</Option>
|
|
<Option name="pf_max_src_conn_global">False</Option>
|
|
<Option name="pf_max_src_conn_overload_table"></Option>
|
|
<Option name="pf_max_src_conn_rate_num">0</Option>
|
|
<Option name="pf_max_src_conn_rate_seconds">0</Option>
|
|
<Option name="pf_max_src_nodes">0</Option>
|
|
<Option name="pf_max_src_states">0</Option>
|
|
<Option name="pf_modulate_state">False</Option>
|
|
<Option name="pf_no_sync">False</Option>
|
|
<Option name="pf_pflow">False</Option>
|
|
<Option name="pf_rule_max_state">0</Option>
|
|
<Option name="pf_sloppy_tracker">False</Option>
|
|
<Option name="pf_source_tracking">True</Option>
|
|
<Option name="pf_synproxy">False</Option>
|
|
<Option name="stateless">False</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<PolicyRule id="id20293X55531" disabled="False" group="" log="False" position="3" action="Accept" direction="Both" comment="">
|
|
<Src neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="id20240X55531"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="tcp-SSH"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="log_prefix"></Option>
|
|
<Option name="pf_classify_str"></Option>
|
|
<Option name="pf_keep_state">False</Option>
|
|
<Option name="pf_max_src_conn">0</Option>
|
|
<Option name="pf_max_src_conn_flush">False</Option>
|
|
<Option name="pf_max_src_conn_global">False</Option>
|
|
<Option name="pf_max_src_conn_overload_table"></Option>
|
|
<Option name="pf_max_src_conn_rate_num">0</Option>
|
|
<Option name="pf_max_src_conn_rate_seconds">0</Option>
|
|
<Option name="pf_max_src_nodes">10</Option>
|
|
<Option name="pf_max_src_states">0</Option>
|
|
<Option name="pf_modulate_state">False</Option>
|
|
<Option name="pf_no_sync">False</Option>
|
|
<Option name="pf_pflow">False</Option>
|
|
<Option name="pf_rule_max_state">0</Option>
|
|
<Option name="pf_sloppy_tracker">False</Option>
|
|
<Option name="pf_source_tracking">True</Option>
|
|
<Option name="pf_synproxy">False</Option>
|
|
<Option name="stateless">False</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<PolicyRule id="id70212X25510" disabled="False" group="" log="False" position="4" action="Accept" direction="Both" comment="synproxy">
|
|
<Src neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="id20240X55531"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="tcp-SSH"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="log_prefix"></Option>
|
|
<Option name="pf_classify_str"></Option>
|
|
<Option name="pf_keep_state">False</Option>
|
|
<Option name="pf_max_src_conn">0</Option>
|
|
<Option name="pf_max_src_conn_flush">False</Option>
|
|
<Option name="pf_max_src_conn_global">False</Option>
|
|
<Option name="pf_max_src_conn_overload_table"></Option>
|
|
<Option name="pf_max_src_conn_rate_num">0</Option>
|
|
<Option name="pf_max_src_conn_rate_seconds">0</Option>
|
|
<Option name="pf_max_src_nodes">10</Option>
|
|
<Option name="pf_max_src_states">0</Option>
|
|
<Option name="pf_modulate_state">False</Option>
|
|
<Option name="pf_no_sync">False</Option>
|
|
<Option name="pf_pflow">False</Option>
|
|
<Option name="pf_rule_max_state">0</Option>
|
|
<Option name="pf_sloppy_tracker">False</Option>
|
|
<Option name="pf_source_tracking">False</Option>
|
|
<Option name="pf_synproxy">True</Option>
|
|
<Option name="stateless">False</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<PolicyRule id="id20317X55531" disabled="False" group="" log="True" position="5" action="Deny" direction="Both" comment="">
|
|
<Src neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="pf_classify_str"></Option>
|
|
<Option name="stateless">True</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<RuleSetOptions/>
|
|
</Policy>
|
|
<Routing id="id20458X55531" name="Routing" comment="" ro="False" ipv4_rule_set="False" ipv6_rule_set="False" top_rule_set="True">
|
|
<RuleSetOptions/>
|
|
</Routing>
|
|
<Interface id="id20236X55531" dedicated_failover="False" dyn="False" label="" mgmt="False" security_level="0" unnum="False" unprotected="False" name="en1" comment="" ro="False">
|
|
<IPv4 id="id20240X55531" name="firewall80:en1:ip" comment="" ro="False" address="33.33.33.34" netmask="255.255.255.0"/>
|
|
<InterfaceOptions/>
|
|
</Interface>
|
|
<Interface id="id20243X55531" dedicated_failover="False" dyn="False" label="" mgmt="False" security_level="100" unnum="False" unprotected="False" name="en0" comment="" ro="False">
|
|
<IPv4 id="id20246X55531" name="firewall80:en0:ip" comment="" ro="False" address="192.168.1.1" netmask="255.255.255.0"/>
|
|
<InterfaceOptions/>
|
|
</Interface>
|
|
<Interface id="id20248X55531" dedicated_failover="False" dyn="False" label="" mgmt="False" security_level="100" unnum="False" unprotected="False" name="lo0" comment="" ro="False">
|
|
<IPv4 id="id20251X55531" name="firewall80:lo0:ip" comment="" ro="False" address="127.0.0.1" netmask="255.0.0.0"/>
|
|
<InterfaceOptions/>
|
|
</Interface>
|
|
<Interface id="id20253X55531" dedicated_failover="False" dyn="True" label="" mgmt="False" security_level="0" unnum="False" unprotected="False" name="ppp0" comment="" ro="False">
|
|
<InterfaceOptions/>
|
|
</Interface>
|
|
<Management address="0.0.0.0">
|
|
<SNMPManagement enabled="False" snmp_read_community="" snmp_write_community=""/>
|
|
<FWBDManagement enabled="True" identity="" port="9999"/>
|
|
<PolicyInstallScript arguments="" command="" enabled="False"/>
|
|
</Management>
|
|
<FirewallOptions>
|
|
<Option name="check_shading">False</Option>
|
|
<Option name="cmdline"></Option>
|
|
<Option name="compiler"></Option>
|
|
<Option name="configure_interfaces">False</Option>
|
|
<Option name="debug">False</Option>
|
|
<Option name="firewall_dir">/etc</Option>
|
|
<Option name="ignore_empty_groups">False</Option>
|
|
<Option name="in_out_code">True</Option>
|
|
<Option name="log_prefix"></Option>
|
|
<Option name="manage_virtual_addr">False</Option>
|
|
<Option name="modulate_state">False</Option>
|
|
<Option name="no_optimisation">False</Option>
|
|
<Option name="openbsd_ip_forward">1</Option>
|
|
<Option name="openbsd_path_pfctl">/usr/sbin/pfctl</Option>
|
|
<Option name="openbsd_path_sysctl">/usr/sbin/sysctl</Option>
|
|
<Option name="pass_all_out">False</Option>
|
|
<Option name="pf_do_scrub">True</Option>
|
|
<Option name="pf_limit_frags">5000</Option>
|
|
<Option name="pf_limit_states">10000</Option>
|
|
<Option name="pf_optimization"></Option>
|
|
<Option name="pf_scrub_fragm_crop">False</Option>
|
|
<Option name="pf_scrub_fragm_drop_ovl">False</Option>
|
|
<Option name="pf_scrub_maxmss">1460</Option>
|
|
<Option name="pf_scrub_minttl">1</Option>
|
|
<Option name="pf_scrub_no_df">False</Option>
|
|
<Option name="pf_scrub_random_id">False</Option>
|
|
<Option name="pf_scrub_use_maxmss">False</Option>
|
|
<Option name="pf_scrub_use_minttl">False</Option>
|
|
<Option name="pf_timeout_frag">30</Option>
|
|
<Option name="pf_timeout_interval">10</Option>
|
|
<Option name="snmp_contact"></Option>
|
|
<Option name="snmp_description"></Option>
|
|
<Option name="snmp_location"></Option>
|
|
<Option name="use_tables">True</Option>
|
|
</FirewallOptions>
|
|
</Firewall>
|
|
<Firewall id="id20420X57591" host_OS="openbsd" inactive="False" lastCompiled="1157930823" lastInstalled="0" lastModified="1269710305" platform="pf" version="4.5" name="firewall80-4.5" comment="Testing state tracking options " ro="False">
|
|
<NAT id="id20508X57591" name="NAT" comment="" ro="False" ipv4_rule_set="False" ipv6_rule_set="False" top_rule_set="True">
|
|
<RuleSetOptions/>
|
|
</NAT>
|
|
<Policy id="id20446X57591" name="Policy" comment="" ro="False" ipv4_rule_set="False" ipv6_rule_set="False" top_rule_set="True">
|
|
<PolicyRule id="id20447X57591" disabled="False" group="" log="False" position="0" action="Accept" direction="Both" comment="">
|
|
<Src neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="id20431X57591"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="tcp-SSH"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="log_prefix"></Option>
|
|
<Option name="pf_classify_str"></Option>
|
|
<Option name="pf_keep_state">False</Option>
|
|
<Option name="pf_max_src_conn">0</Option>
|
|
<Option name="pf_max_src_conn_flush">False</Option>
|
|
<Option name="pf_max_src_conn_global">False</Option>
|
|
<Option name="pf_max_src_conn_overload_table"></Option>
|
|
<Option name="pf_max_src_conn_rate_num">0</Option>
|
|
<Option name="pf_max_src_conn_rate_seconds">0</Option>
|
|
<Option name="pf_max_src_nodes">0</Option>
|
|
<Option name="pf_max_src_states">0</Option>
|
|
<Option name="pf_modulate_state">False</Option>
|
|
<Option name="pf_no_sync">False</Option>
|
|
<Option name="pf_pflow">False</Option>
|
|
<Option name="pf_rule_max_state">0</Option>
|
|
<Option name="pf_sloppy_tracker">False</Option>
|
|
<Option name="pf_source_tracking">False</Option>
|
|
<Option name="pf_synproxy">False</Option>
|
|
<Option name="stateless">True</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<PolicyRule id="id20459X57591" disabled="False" group="" log="False" position="1" action="Accept" direction="Both" comment="">
|
|
<Src neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="id20431X57591"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="tcp-SSH"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="log_prefix"></Option>
|
|
<Option name="pf_classify_str"></Option>
|
|
<Option name="pf_keep_state">True</Option>
|
|
<Option name="pf_max_src_conn">0</Option>
|
|
<Option name="pf_max_src_conn_flush">False</Option>
|
|
<Option name="pf_max_src_conn_global">False</Option>
|
|
<Option name="pf_max_src_conn_overload_table"></Option>
|
|
<Option name="pf_max_src_conn_rate_num">0</Option>
|
|
<Option name="pf_max_src_conn_rate_seconds">0</Option>
|
|
<Option name="pf_max_src_nodes">0</Option>
|
|
<Option name="pf_max_src_states">0</Option>
|
|
<Option name="pf_modulate_state">False</Option>
|
|
<Option name="pf_no_sync">False</Option>
|
|
<Option name="pf_pflow">False</Option>
|
|
<Option name="pf_rule_max_state">0</Option>
|
|
<Option name="pf_sloppy_tracker">False</Option>
|
|
<Option name="pf_source_tracking">False</Option>
|
|
<Option name="pf_synproxy">False</Option>
|
|
<Option name="stateless">False</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<PolicyRule id="id20471X57591" disabled="False" group="" log="False" position="2" action="Accept" direction="Both" comment="">
|
|
<Src neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="id20431X57591"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="tcp-SSH"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="log_prefix"></Option>
|
|
<Option name="pf_classify_str"></Option>
|
|
<Option name="pf_keep_state">False</Option>
|
|
<Option name="pf_max_src_conn">0</Option>
|
|
<Option name="pf_max_src_conn_flush">False</Option>
|
|
<Option name="pf_max_src_conn_global">False</Option>
|
|
<Option name="pf_max_src_conn_overload_table"></Option>
|
|
<Option name="pf_max_src_conn_rate_num">0</Option>
|
|
<Option name="pf_max_src_conn_rate_seconds">0</Option>
|
|
<Option name="pf_max_src_nodes">0</Option>
|
|
<Option name="pf_max_src_states">0</Option>
|
|
<Option name="pf_modulate_state">False</Option>
|
|
<Option name="pf_no_sync">False</Option>
|
|
<Option name="pf_pflow">False</Option>
|
|
<Option name="pf_rule_max_state">0</Option>
|
|
<Option name="pf_sloppy_tracker">False</Option>
|
|
<Option name="pf_source_tracking">True</Option>
|
|
<Option name="pf_synproxy">False</Option>
|
|
<Option name="stateless">False</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<PolicyRule id="id20483X57591" disabled="False" group="" log="False" position="3" action="Accept" direction="Both" comment="activate source tracking">
|
|
<Src neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="id20431X57591"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="tcp-SSH"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="log_prefix"></Option>
|
|
<Option name="pf_classify_str"></Option>
|
|
<Option name="pf_keep_state">False</Option>
|
|
<Option name="pf_max_src_conn">0</Option>
|
|
<Option name="pf_max_src_conn_flush">False</Option>
|
|
<Option name="pf_max_src_conn_global">False</Option>
|
|
<Option name="pf_max_src_conn_overload_table"></Option>
|
|
<Option name="pf_max_src_conn_rate_num">0</Option>
|
|
<Option name="pf_max_src_conn_rate_seconds">0</Option>
|
|
<Option name="pf_max_src_nodes">10</Option>
|
|
<Option name="pf_max_src_states">0</Option>
|
|
<Option name="pf_modulate_state">False</Option>
|
|
<Option name="pf_no_sync">False</Option>
|
|
<Option name="pf_pflow">False</Option>
|
|
<Option name="pf_rule_max_state">0</Option>
|
|
<Option name="pf_sloppy_tracker">False</Option>
|
|
<Option name="pf_source_tracking">True</Option>
|
|
<Option name="pf_synproxy">False</Option>
|
|
<Option name="stateless">False</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<PolicyRule id="id21396X29287" disabled="False" group="" log="False" position="4" action="Accept" direction="Both" comment="modulate state">
|
|
<Src neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="id20431X57591"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="tcp-SSH"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="log_prefix"></Option>
|
|
<Option name="pf_classify_str"></Option>
|
|
<Option name="pf_keep_state">False</Option>
|
|
<Option name="pf_max_src_conn">0</Option>
|
|
<Option name="pf_max_src_conn_flush">False</Option>
|
|
<Option name="pf_max_src_conn_global">False</Option>
|
|
<Option name="pf_max_src_conn_overload_table"></Option>
|
|
<Option name="pf_max_src_conn_rate_num">0</Option>
|
|
<Option name="pf_max_src_conn_rate_seconds">0</Option>
|
|
<Option name="pf_max_src_nodes">10</Option>
|
|
<Option name="pf_max_src_states">0</Option>
|
|
<Option name="pf_modulate_state">True</Option>
|
|
<Option name="pf_no_sync">False</Option>
|
|
<Option name="pf_pflow">False</Option>
|
|
<Option name="pf_rule_max_state">0</Option>
|
|
<Option name="pf_sloppy_tracker">False</Option>
|
|
<Option name="pf_source_tracking">True</Option>
|
|
<Option name="pf_synproxy">False</Option>
|
|
<Option name="stateless">False</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<PolicyRule id="id21466X29287" disabled="False" group="" log="False" position="5" action="Accept" direction="Both" comment="synproxy">
|
|
<Src neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="id20431X57591"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="tcp-SSH"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="log_prefix"></Option>
|
|
<Option name="pf_classify_str"></Option>
|
|
<Option name="pf_keep_state">False</Option>
|
|
<Option name="pf_max_src_conn">0</Option>
|
|
<Option name="pf_max_src_conn_flush">False</Option>
|
|
<Option name="pf_max_src_conn_global">False</Option>
|
|
<Option name="pf_max_src_conn_overload_table"></Option>
|
|
<Option name="pf_max_src_conn_rate_num">0</Option>
|
|
<Option name="pf_max_src_conn_rate_seconds">0</Option>
|
|
<Option name="pf_max_src_nodes">10</Option>
|
|
<Option name="pf_max_src_states">0</Option>
|
|
<Option name="pf_modulate_state">False</Option>
|
|
<Option name="pf_no_sync">False</Option>
|
|
<Option name="pf_pflow">False</Option>
|
|
<Option name="pf_rule_max_state">0</Option>
|
|
<Option name="pf_sloppy_tracker">False</Option>
|
|
<Option name="pf_source_tracking">True</Option>
|
|
<Option name="pf_synproxy">True</Option>
|
|
<Option name="stateless">False</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<PolicyRule id="id20602X57591" disabled="False" group="" log="False" position="6" action="Accept" direction="Both" comment="keep state, no-sync, pflow">
|
|
<Src neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="id20431X57591"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="tcp-SSH"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="log_prefix"></Option>
|
|
<Option name="pf_classify_str"></Option>
|
|
<Option name="pf_keep_state">False</Option>
|
|
<Option name="pf_max_src_conn">0</Option>
|
|
<Option name="pf_max_src_conn_flush">False</Option>
|
|
<Option name="pf_max_src_conn_global">False</Option>
|
|
<Option name="pf_max_src_conn_overload_table"></Option>
|
|
<Option name="pf_max_src_conn_rate_num">0</Option>
|
|
<Option name="pf_max_src_conn_rate_seconds">0</Option>
|
|
<Option name="pf_max_src_nodes">10</Option>
|
|
<Option name="pf_max_src_states">0</Option>
|
|
<Option name="pf_modulate_state">False</Option>
|
|
<Option name="pf_no_sync">True</Option>
|
|
<Option name="pf_pflow">True</Option>
|
|
<Option name="pf_rule_max_state">0</Option>
|
|
<Option name="pf_sloppy_tracker">False</Option>
|
|
<Option name="pf_source_tracking">True</Option>
|
|
<Option name="pf_synproxy">False</Option>
|
|
<Option name="stateless">False</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<PolicyRule id="id215627X25510" disabled="False" group="" log="False" position="7" action="Accept" direction="Both" comment="">
|
|
<Src neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="id20431X57591"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="log_prefix"></Option>
|
|
<Option name="pf_classify_str"></Option>
|
|
<Option name="pf_keep_state">False</Option>
|
|
<Option name="pf_max_src_conn">0</Option>
|
|
<Option name="pf_max_src_conn_flush">False</Option>
|
|
<Option name="pf_max_src_conn_global">False</Option>
|
|
<Option name="pf_max_src_conn_overload_table"></Option>
|
|
<Option name="pf_max_src_conn_rate_num">0</Option>
|
|
<Option name="pf_max_src_conn_rate_seconds">0</Option>
|
|
<Option name="pf_max_src_nodes">0</Option>
|
|
<Option name="pf_max_src_states">0</Option>
|
|
<Option name="pf_modulate_state">False</Option>
|
|
<Option name="pf_no_sync">False</Option>
|
|
<Option name="pf_pflow">False</Option>
|
|
<Option name="pf_rule_max_state">0</Option>
|
|
<Option name="pf_sloppy_tracker">False</Option>
|
|
<Option name="pf_source_tracking">False</Option>
|
|
<Option name="pf_synproxy">False</Option>
|
|
<Option name="stateless">False</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<PolicyRule id="id215802X25510" disabled="False" group="" log="False" position="8" action="Accept" direction="Both" comment="synproxy">
|
|
<Src neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="log_prefix"></Option>
|
|
<Option name="pf_classify_str"></Option>
|
|
<Option name="pf_keep_state">False</Option>
|
|
<Option name="pf_max_src_conn">0</Option>
|
|
<Option name="pf_max_src_conn_flush">False</Option>
|
|
<Option name="pf_max_src_conn_global">False</Option>
|
|
<Option name="pf_max_src_conn_overload_table"></Option>
|
|
<Option name="pf_max_src_conn_rate_num">0</Option>
|
|
<Option name="pf_max_src_conn_rate_seconds">0</Option>
|
|
<Option name="pf_max_src_nodes">0</Option>
|
|
<Option name="pf_max_src_states">0</Option>
|
|
<Option name="pf_modulate_state">False</Option>
|
|
<Option name="pf_no_sync">False</Option>
|
|
<Option name="pf_pflow">False</Option>
|
|
<Option name="pf_rule_max_state">0</Option>
|
|
<Option name="pf_sloppy_tracker">False</Option>
|
|
<Option name="pf_source_tracking">False</Option>
|
|
<Option name="pf_synproxy">True</Option>
|
|
<Option name="stateless">False</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<PolicyRule id="id20495X57591" disabled="False" group="" log="True" position="9" action="Deny" direction="Both" comment="">
|
|
<Src neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="pf_classify_str"></Option>
|
|
<Option name="stateless">True</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<RuleSetOptions/>
|
|
</Policy>
|
|
<Routing id="id20510X57591" name="Routing" comment="" ro="False" ipv4_rule_set="False" ipv6_rule_set="False" top_rule_set="True">
|
|
<RuleSetOptions/>
|
|
</Routing>
|
|
<Interface id="id20428X57591" dedicated_failover="False" dyn="False" label="" mgmt="False" security_level="0" unnum="False" unprotected="False" name="en1" comment="" ro="False">
|
|
<IPv4 id="id20431X57591" name="firewall80-4.5:en1:ip" comment="" ro="False" address="33.33.33.34" netmask="255.255.255.0"/>
|
|
<InterfaceOptions/>
|
|
</Interface>
|
|
<Interface id="id20433X57591" dedicated_failover="False" dyn="False" label="" mgmt="False" security_level="100" unnum="False" unprotected="False" name="en0" comment="" ro="False">
|
|
<IPv4 id="id20436X57591" name="firewall80-4.5:en0:ip" comment="" ro="False" address="192.168.1.1" netmask="255.255.255.0"/>
|
|
<InterfaceOptions/>
|
|
</Interface>
|
|
<Interface id="id20438X57591" dedicated_failover="False" dyn="False" label="" mgmt="False" security_level="100" unnum="False" unprotected="False" name="lo0" comment="" ro="False">
|
|
<IPv4 id="id20441X57591" name="firewall80-4.5:lo0:ip" comment="" ro="False" address="127.0.0.1" netmask="255.0.0.0"/>
|
|
<InterfaceOptions/>
|
|
</Interface>
|
|
<Interface id="id20443X57591" dedicated_failover="False" dyn="True" label="" mgmt="False" security_level="0" unnum="False" unprotected="False" name="ppp0" comment="" ro="False">
|
|
<InterfaceOptions/>
|
|
</Interface>
|
|
<Management address="0.0.0.0">
|
|
<SNMPManagement enabled="False" snmp_read_community="" snmp_write_community=""/>
|
|
<FWBDManagement enabled="True" identity="" port="9999"/>
|
|
<PolicyInstallScript arguments="" command="" enabled="False"/>
|
|
</Management>
|
|
<FirewallOptions>
|
|
<Option name="check_shading">False</Option>
|
|
<Option name="cmdline"></Option>
|
|
<Option name="compiler"></Option>
|
|
<Option name="configure_interfaces">False</Option>
|
|
<Option name="debug">False</Option>
|
|
<Option name="firewall_dir">/etc</Option>
|
|
<Option name="ignore_empty_groups">False</Option>
|
|
<Option name="in_out_code">True</Option>
|
|
<Option name="log_prefix"></Option>
|
|
<Option name="manage_virtual_addr">False</Option>
|
|
<Option name="modulate_state">False</Option>
|
|
<Option name="no_optimisation">False</Option>
|
|
<Option name="openbsd_ip_forward">1</Option>
|
|
<Option name="openbsd_path_pfctl">/usr/sbin/pfctl</Option>
|
|
<Option name="openbsd_path_sysctl">/usr/sbin/sysctl</Option>
|
|
<Option name="pass_all_out">False</Option>
|
|
<Option name="pf_do_scrub">True</Option>
|
|
<Option name="pf_limit_frags">5000</Option>
|
|
<Option name="pf_limit_states">10000</Option>
|
|
<Option name="pf_optimization"></Option>
|
|
<Option name="pf_scrub_fragm_crop">False</Option>
|
|
<Option name="pf_scrub_fragm_drop_ovl">False</Option>
|
|
<Option name="pf_scrub_maxmss">1460</Option>
|
|
<Option name="pf_scrub_minttl">1</Option>
|
|
<Option name="pf_scrub_no_df">False</Option>
|
|
<Option name="pf_scrub_random_id">False</Option>
|
|
<Option name="pf_scrub_use_maxmss">False</Option>
|
|
<Option name="pf_scrub_use_minttl">False</Option>
|
|
<Option name="pf_timeout_frag">30</Option>
|
|
<Option name="pf_timeout_interval">10</Option>
|
|
<Option name="snmp_contact"></Option>
|
|
<Option name="snmp_description"></Option>
|
|
<Option name="snmp_location"></Option>
|
|
<Option name="use_tables">True</Option>
|
|
</FirewallOptions>
|
|
</Firewall>
|
|
<Firewall id="id20689X27133" host_OS="openbsd" inactive="False" lastCompiled="1261961536" lastInstalled="0" lastModified="1263954178" platform="pf" version="" name="firewall2-1" comment="test fixture: exercises error reporting in NATCompiler_pf::VerifyRules (e.g. negated OSrv/TSrc/TDst/TSrv, several objects in TDst, unnumbered interface as TSrc, NATBranch with no target or branching to this same NAT rule set). Not a deployable policy." ro="False">
|
|
<NAT id="id20900X27133" name="NAT" comment="" ro="False" ipv4_rule_set="False" ipv6_rule_set="False" top_rule_set="True">
|
|
<NATRule id="id85391X27133" disabled="False" group="" position="0" action="Translate" comment="">
|
|
<OSrc neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</OSrc>
|
|
<ODst neg="False">
|
|
<ObjectRef ref="id20697X27133"/>
|
|
<ObjectRef ref="id20702X27133"/>
|
|
</ODst>
|
|
<OSrv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</OSrv>
|
|
<TSrc neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</TSrc>
|
|
<TDst neg="False">
|
|
<ObjectRef ref="host-hostA"/>
|
|
</TDst>
|
|
<TSrv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</TSrv>
|
|
<ItfInb neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ItfInb>
|
|
<ItfOutb neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ItfOutb>
|
|
<NATRuleOptions/>
|
|
</NATRule>
|
|
<NATRule id="id21433X27133" disabled="False" group="" position="1" action="Translate" comment="">
|
|
<OSrc neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</OSrc>
|
|
<ODst neg="False">
|
|
<ObjectRef ref="id20702X27133"/>
|
|
</ODst>
|
|
<OSrv neg="True">
|
|
<ServiceRef ref="id3B5009F7"/>
|
|
</OSrv>
|
|
<TSrc neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</TSrc>
|
|
<TDst neg="False">
|
|
<ObjectRef ref="host-hostA"/>
|
|
</TDst>
|
|
<TSrv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</TSrv>
|
|
<ItfInb neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ItfInb>
|
|
<ItfOutb neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ItfOutb>
|
|
<NATRuleOptions/>
|
|
</NATRule>
|
|
<NATRule id="id195657X27133" disabled="False" group="" position="2" action="Translate" comment="">
|
|
<OSrc neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</OSrc>
|
|
<ODst neg="False">
|
|
<ObjectRef ref="id20702X27133"/>
|
|
</ODst>
|
|
<OSrv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</OSrv>
|
|
<TSrc neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</TSrc>
|
|
<TDst neg="False">
|
|
<ObjectRef ref="host-hostA"/>
|
|
</TDst>
|
|
<TSrv neg="False">
|
|
<ServiceRef ref="id3B5009F7"/>
|
|
</TSrv>
|
|
<ItfInb neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ItfInb>
|
|
<ItfOutb neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ItfOutb>
|
|
<NATRuleOptions/>
|
|
</NATRule>
|
|
<NATRule id="id389298X27133" disabled="False" group="" position="3" action="Translate" comment="">
|
|
<OSrc neg="False">
|
|
<ObjectRef ref="net-Internal_net"/>
|
|
</OSrc>
|
|
<ODst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ODst>
|
|
<OSrv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</OSrv>
|
|
<TSrc neg="True">
|
|
<ObjectRef ref="id20702X27133"/>
|
|
</TSrc>
|
|
<TDst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</TDst>
|
|
<TSrv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</TSrv>
|
|
<ItfInb neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ItfInb>
|
|
<ItfOutb neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ItfOutb>
|
|
<NATRuleOptions/>
|
|
</NATRule>
|
|
<NATRule id="id20910X27177" disabled="False" group="" position="4" action="Translate" comment="">
|
|
<OSrc neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</OSrc>
|
|
<ODst neg="False">
|
|
<ObjectRef ref="id20702X27133"/>
|
|
</ODst>
|
|
<OSrv neg="False">
|
|
<ServiceRef ref="id3B5009F7"/>
|
|
</OSrv>
|
|
<TSrc neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</TSrc>
|
|
<TDst neg="True">
|
|
<ObjectRef ref="host-hostA"/>
|
|
</TDst>
|
|
<TSrv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</TSrv>
|
|
<ItfInb neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ItfInb>
|
|
<ItfOutb neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ItfOutb>
|
|
<NATRuleOptions/>
|
|
</NATRule>
|
|
<NATRule id="id169032X27177" disabled="False" group="" position="5" action="Translate" comment="">
|
|
<OSrc neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</OSrc>
|
|
<ODst neg="False">
|
|
<ObjectRef ref="id20702X27133"/>
|
|
</ODst>
|
|
<OSrv neg="False">
|
|
<ServiceRef ref="id3B5009F7"/>
|
|
</OSrv>
|
|
<TSrc neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</TSrc>
|
|
<TDst neg="False">
|
|
<ObjectRef ref="host-hostA"/>
|
|
</TDst>
|
|
<TSrv neg="True">
|
|
<ServiceRef ref="id78996X23273"/>
|
|
</TSrv>
|
|
<ItfInb neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ItfInb>
|
|
<ItfOutb neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ItfOutb>
|
|
<NATRuleOptions/>
|
|
</NATRule>
|
|
<NATRule id="id271008X27177" disabled="False" group="" position="6" action="Translate" comment="">
|
|
<OSrc neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</OSrc>
|
|
<ODst neg="False">
|
|
<ObjectRef ref="id20702X27133"/>
|
|
</ODst>
|
|
<OSrv neg="False">
|
|
<ServiceRef ref="id3E59AD29"/>
|
|
</OSrv>
|
|
<TSrc neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</TSrc>
|
|
<TDst neg="False">
|
|
<ObjectRef ref="host-hostA"/>
|
|
</TDst>
|
|
<TSrv neg="False">
|
|
<ServiceRef ref="id3B5009F7"/>
|
|
<ServiceRef ref="id78996X23273"/>
|
|
</TSrv>
|
|
<ItfInb neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ItfInb>
|
|
<ItfOutb neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ItfOutb>
|
|
<NATRuleOptions/>
|
|
</NATRule>
|
|
<NATRule id="id326659X27177" disabled="False" group="" position="7" action="Translate" comment="">
|
|
<OSrc neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</OSrc>
|
|
<ODst neg="False">
|
|
<ObjectRef ref="id20702X27133"/>
|
|
</ODst>
|
|
<OSrv neg="False">
|
|
<ServiceRef ref="id3E59AD29"/>
|
|
</OSrv>
|
|
<TSrc neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</TSrc>
|
|
<TDst neg="False">
|
|
<ObjectRef ref="host-hostA"/>
|
|
</TDst>
|
|
<TSrv neg="False">
|
|
<ServiceRef ref="id3CD878C8"/>
|
|
</TSrv>
|
|
<ItfInb neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ItfInb>
|
|
<ItfOutb neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ItfOutb>
|
|
<NATRuleOptions/>
|
|
</NATRule>
|
|
<NATRule id="id382417X27177" disabled="False" group="" position="8" action="Translate" comment="">
|
|
<OSrc neg="False">
|
|
<ObjectRef ref="net-Internal_net"/>
|
|
</OSrc>
|
|
<ODst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ODst>
|
|
<OSrv neg="False">
|
|
<ServiceRef ref="id438265X27177"/>
|
|
</OSrv>
|
|
<TSrc neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</TSrc>
|
|
<TDst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</TDst>
|
|
<TSrv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</TSrv>
|
|
<ItfInb neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ItfInb>
|
|
<ItfOutb neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ItfOutb>
|
|
<NATRuleOptions/>
|
|
</NATRule>
|
|
<NATRule id="id503211X27177" disabled="False" group="" position="9" action="Translate" comment="">
|
|
<OSrc neg="False">
|
|
<ObjectRef ref="net-Internal_net"/>
|
|
</OSrc>
|
|
<ODst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ODst>
|
|
<OSrv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</OSrv>
|
|
<TSrc neg="False">
|
|
<ObjectRef ref="id20707X27133"/>
|
|
</TSrc>
|
|
<TDst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</TDst>
|
|
<TSrv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</TSrv>
|
|
<ItfInb neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ItfInb>
|
|
<ItfOutb neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ItfOutb>
|
|
<NATRuleOptions/>
|
|
</NATRule>
|
|
<NATRule id="id559169X27177" disabled="False" group="" position="10" action="Translate" comment="">
|
|
<OSrc neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</OSrc>
|
|
<ODst neg="False">
|
|
<ObjectRef ref="id20702X27133"/>
|
|
</ODst>
|
|
<OSrv neg="False">
|
|
<ServiceRef ref="id3E59AD29"/>
|
|
</OSrv>
|
|
<TSrc neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</TSrc>
|
|
<TDst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</TDst>
|
|
<TSrv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</TSrv>
|
|
<ItfInb neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ItfInb>
|
|
<ItfOutb neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ItfOutb>
|
|
<NATRuleOptions/>
|
|
</NATRule>
|
|
<NATRule id="id615239X27177" disabled="False" group="" position="11" action="Translate" comment="">
|
|
<OSrc neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</OSrc>
|
|
<ODst neg="False">
|
|
<ObjectRef ref="id20702X27133"/>
|
|
</ODst>
|
|
<OSrv neg="False">
|
|
<ServiceRef ref="id3E59AD29"/>
|
|
</OSrv>
|
|
<TSrc neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</TSrc>
|
|
<TDst neg="False">
|
|
<ObjectRef ref="host-hostA"/>
|
|
<ObjectRef ref="host-hostB"/>
|
|
</TDst>
|
|
<TSrv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</TSrv>
|
|
<ItfInb neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ItfInb>
|
|
<ItfOutb neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ItfOutb>
|
|
<NATRuleOptions/>
|
|
</NATRule>
|
|
<NATRule id="id671450X27177" disabled="False" group="" position="12" action="Translate" comment="">
|
|
<OSrc neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</OSrc>
|
|
<ODst neg="False">
|
|
<ObjectRef ref="id20702X27133"/>
|
|
</ODst>
|
|
<OSrv neg="False">
|
|
<ServiceRef ref="id3E59AD29"/>
|
|
</OSrv>
|
|
<TSrc neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</TSrc>
|
|
<TDst neg="False">
|
|
<ObjectRef ref="id43F7DCF831316"/>
|
|
</TDst>
|
|
<TSrv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</TSrv>
|
|
<ItfInb neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ItfInb>
|
|
<ItfOutb neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ItfOutb>
|
|
<NATRuleOptions/>
|
|
</NATRule>
|
|
<NATRule id="id727757X27177" disabled="False" group="" position="13" action="Translate" comment="">
|
|
<OSrc neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</OSrc>
|
|
<ODst neg="False">
|
|
<ObjectRef ref="id20702X27133"/>
|
|
</ODst>
|
|
<OSrv neg="False">
|
|
<ServiceRef ref="id3E59AD29"/>
|
|
</OSrv>
|
|
<TSrc neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</TSrc>
|
|
<TDst neg="False">
|
|
<ObjectRef ref="net-Internal_net"/>
|
|
</TDst>
|
|
<TSrv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</TSrv>
|
|
<ItfInb neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ItfInb>
|
|
<ItfOutb neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ItfOutb>
|
|
<NATRuleOptions/>
|
|
</NATRule>
|
|
<NATRule id="id831403X27177" disabled="False" group="" position="14" action="Translate" comment="">
|
|
<OSrc neg="False">
|
|
<ObjectRef ref="net-Internal_net"/>
|
|
</OSrc>
|
|
<ODst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ODst>
|
|
<OSrv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</OSrv>
|
|
<TSrc neg="False">
|
|
<ObjectRef ref="id43F7DCF631316"/>
|
|
</TSrc>
|
|
<TDst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</TDst>
|
|
<TSrv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</TSrv>
|
|
<ItfInb neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ItfInb>
|
|
<ItfOutb neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ItfOutb>
|
|
<NATRuleOptions/>
|
|
</NATRule>
|
|
<NATRule id="id887931X27177" disabled="False" group="" position="15" action="Translate" comment="">
|
|
<OSrc neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</OSrc>
|
|
<ODst neg="False">
|
|
<ObjectRef ref="id43F7DCF631316"/>
|
|
</ODst>
|
|
<OSrv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</OSrv>
|
|
<TSrc neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</TSrc>
|
|
<TDst neg="False">
|
|
<ObjectRef ref="net-Internal_net"/>
|
|
</TDst>
|
|
<TSrv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</TSrv>
|
|
<ItfInb neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ItfInb>
|
|
<ItfOutb neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ItfOutb>
|
|
<NATRuleOptions/>
|
|
</NATRule>
|
|
<NATRule id="id944562X27177" disabled="False" group="" position="16" action="NATBranch" comment="">
|
|
<OSrc neg="False">
|
|
<ObjectRef ref="net-Internal_net"/>
|
|
</OSrc>
|
|
<ODst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ODst>
|
|
<OSrv neg="False">
|
|
<ServiceRef ref="id3E59AD29"/>
|
|
</OSrv>
|
|
<TSrc neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</TSrc>
|
|
<TDst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</TDst>
|
|
<TSrv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</TSrv>
|
|
<ItfInb neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ItfInb>
|
|
<ItfOutb neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ItfOutb>
|
|
<NATRuleOptions/>
|
|
</NATRule>
|
|
<NATRule id="id1001336X27177" disabled="False" group="" position="17" action="NATBranch" comment="">
|
|
<OSrc neg="False">
|
|
<ObjectRef ref="net-Internal_net"/>
|
|
</OSrc>
|
|
<ODst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ODst>
|
|
<OSrv neg="False">
|
|
<ServiceRef ref="id3E59AD29"/>
|
|
</OSrv>
|
|
<TSrc neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</TSrc>
|
|
<TDst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</TDst>
|
|
<TSrv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</TSrv>
|
|
<ItfInb neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ItfInb>
|
|
<ItfOutb neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ItfOutb>
|
|
<NATRuleOptions>
|
|
<Option name="action_on_reject"></Option>
|
|
<Option name="branch_id">id20900X27133</Option>
|
|
<Option name="classify_str"></Option>
|
|
<Option name="custom_str"></Option>
|
|
<Option name="ipf_route_opt_addr"></Option>
|
|
<Option name="ipf_route_opt_if"></Option>
|
|
<Option name="ipf_route_option">route_through</Option>
|
|
<Option name="ipfw_classify_method">2</Option>
|
|
<Option name="ipfw_pipe_port_num">0</Option>
|
|
<Option name="ipfw_pipe_queue_num">0</Option>
|
|
<Option name="ipt_continue">False</Option>
|
|
<Option name="ipt_gw"></Option>
|
|
<Option name="ipt_iif"></Option>
|
|
<Option name="ipt_mark_connections">False</Option>
|
|
<Option name="ipt_oif"></Option>
|
|
<Option name="ipt_tee">False</Option>
|
|
<Option name="pf_fastroute">False</Option>
|
|
<Option name="pf_route_load_option">none</Option>
|
|
<Option name="pf_route_opt_addr"></Option>
|
|
<Option name="pf_route_opt_if"></Option>
|
|
<Option name="pf_route_option">none</Option>
|
|
<Option name="rule_name_accounting"></Option>
|
|
</NATRuleOptions>
|
|
</NATRule>
|
|
<RuleSetOptions/>
|
|
</NAT>
|
|
<Policy id="id20722X27133" name="Policy" comment="" ro="False" ipv4_rule_set="False" ipv6_rule_set="False" top_rule_set="True">
|
|
<PolicyRule id="id20887X27133" disabled="False" group="" log="True" position="0" action="Deny" direction="Both" comment="'catch all' rule">
|
|
<Src neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="id"></Option>
|
|
<Option name="pf_classify_str"></Option>
|
|
<Option name="stateless">True</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<RuleSetOptions/>
|
|
</Policy>
|
|
<Routing id="id21346X27133" name="Routing" comment="" ro="False" ipv4_rule_set="False" ipv6_rule_set="False" top_rule_set="True">
|
|
<RuleSetOptions/>
|
|
</Routing>
|
|
<Interface id="id20697X27133" dedicated_failover="False" dyn="False" security_level="100" unnum="False" unprotected="False" name="eth0" comment="" ro="False">
|
|
<IPv4 id="id20700X27133" name="fw2:eth0:ip" comment="" ro="False" address="192.168.1.1" netmask="255.255.255.0"/>
|
|
<InterfaceOptions/>
|
|
</Interface>
|
|
<Interface id="id20702X27133" dedicated_failover="False" dyn="False" security_level="0" unnum="False" unprotected="False" name="eth1" comment="" ro="False">
|
|
<IPv4 id="id20705X27133" name="fw2:eth1:ip" comment="" ro="False" address="22.22.22.22" netmask="255.255.255.0"/>
|
|
<InterfaceOptions/>
|
|
</Interface>
|
|
<Interface id="id20707X27133" dedicated_failover="False" dyn="False" label="" mgmt="False" security_level="0" unnum="True" unprotected="False" name="eth3" comment="" ro="False">
|
|
<InterfaceOptions/>
|
|
</Interface>
|
|
<Interface id="id20712X27133" dedicated_failover="False" dyn="False" label="" mgmt="True" security_level="100" unnum="False" unprotected="False" name="eth2" comment="" ro="False">
|
|
<IPv4 id="id20715X27133" name="fw2:eth2:ip" comment="" ro="False" address="192.168.2.1" netmask="255.255.255.0"/>
|
|
<InterfaceOptions/>
|
|
</Interface>
|
|
<Interface id="id20717X27133" dedicated_failover="False" dyn="False" label="" security_level="100" unnum="False" unprotected="False" name="lo" comment="" ro="False">
|
|
<IPv4 id="id20720X27133" name="lo:ip" comment="" ro="False" address="127.0.0.1" netmask="255.0.0.0"/>
|
|
<InterfaceOptions/>
|
|
</Interface>
|
|
<Management address="192.168.2.1">
|
|
<SNMPManagement enabled="False" snmp_read_community="public" snmp_write_community=""/>
|
|
<FWBDManagement enabled="True" identity="" port="9999"/>
|
|
<PolicyInstallScript arguments="" command="" enabled="False"/>
|
|
</Management>
|
|
<FirewallOptions>
|
|
<!-- Compiler and host settings for fw2. The platform is iptables (see the
     "platform" option below); NOTE(review): the pf_* and openbsd_* options
     in this element are inert on iptables and look like defaults carried
     over from other platforms, not deliberate configuration. -->
<!-- Accept traffic of already established/related connections before the
     policy is consulted (presumably a top-of-chain rule; verify in the
     compiled script). -->
<Option name="accept_established">True</Option>
|
|
<!-- SECURITY: with this True, TCP segments that do not carry SYN may still
     open new connection state, so ACK/FIN probes are no longer rejected as
     stateless noise and can reach the policy. Keep False unless asymmetric
     routing genuinely requires it. -->
<Option name="accept_new_tcp_with_no_syn">True</Option>
|
|
<Option name="action_on_reject">ICMP net unreachable</Option>
|
|
<Option name="activationCmd"></Option>
|
|
<Option name="admUser"></Option>
|
|
<Option name="altAddress"></Option>
|
|
<!-- Rule-shadowing detection is off: a rule fully covered by an earlier one
     compiles silently. Consider True so dead rules are reported. -->
<Option name="check_shading">False</Option>
|
|
<Option name="clamp_mss_to_mtu">False</Option>
|
|
<Option name="cmdline"></Option>
|
|
<Option name="compiler"></Option>
|
|
<Option name="conf_file_name_on_firewall"></Option>
|
|
<Option name="configure_carp_interfaces">False</Option>
|
|
<Option name="configure_interfaces">False</Option>
|
|
<Option name="configure_pfsync_interfaces">False</Option>
|
|
<Option name="configure_vlan_interfaces">False</Option>
|
|
<Option name="debug">False</Option>
|
|
<Option name="dyn_addr">False</Option>
|
|
<Option name="epilog_script"></Option>
|
|
<Option name="fallback_log">False</Option>
|
|
<Option name="firewall_dir"></Option>
|
|
<Option name="firewall_is_part_of_any">True</Option>
|
|
<Option name="firewall_is_part_of_any_and_networks">True</Option>
|
|
<Option name="id"></Option>
|
|
<Option name="ignore_empty_groups">False</Option>
|
|
<Option name="in_out_code">True</Option>
|
|
<Option name="inst_cmdline"></Option>
|
|
<Option name="inst_script"></Option>
|
|
<Option name="install_script"></Option>
|
|
<Option name="ipv4_6_order">ipv4_first</Option>
|
|
<Option name="limit_suffix">/second</Option>
|
|
<Option name="limit_value">0</Option>
|
|
<!-- Kernel sysctls written by the generated script. Redirects and source
     routing are refused, martians are logged and reverse-path filtering is
     on; ip_forward=1 makes this a router. -->
<Option name="linux24_accept_redirects">0</Option>
|
|
<Option name="linux24_accept_source_route">0</Option>
|
|
<!-- Ignores every ICMP echo request on every interface, the management
     interface included. Confirm monitoring does not rely on ping. -->
<Option name="linux24_icmp_echo_ignore_all">1</Option>
|
|
<Option name="linux24_icmp_ignore_bogus_error_responses">1</Option>
|
|
<Option name="linux24_ip_forward">1</Option>
|
|
<Option name="linux24_log_martians">1</Option>
|
|
<Option name="linux24_rp_filter">1</Option>
|
|
<Option name="linux24_tcp_fin_timeout">30</Option>
|
|
<Option name="linux24_tcp_keepalive_interval">1800</Option>
|
|
<Option name="load_modules">False</Option>
|
|
<!-- Every dropped packet is logged at level "debug" and log_limit_value is
     0, which appears to mean no rate limit. A packet flood then becomes a
     syslog/disk exhaustion problem; consider a non-zero log_limit_value. -->
<Option name="log_all_dropped">True</Option>
|
|
<Option name="log_ip_opt">False</Option>
|
|
<Option name="log_level">debug</Option>
|
|
<Option name="log_limit_suffix">/second</Option>
|
|
<Option name="log_limit_value">0</Option>
|
|
<Option name="log_prefix">RULE %N - %A **</Option>
|
|
<Option name="log_tcp_opt">False</Option>
|
|
<Option name="log_tcp_seq">False</Option>
|
|
<Option name="manage_virtual_addr">True</Option>
|
|
<!-- Address of the management workstation. With mgmt_ssh True the compiler
     adds an implicit SSH accept from this host that is not visible in the
     Policy rule set (NOTE(review): verify in the compiled script). That
     host therefore needs the same protection as the firewall itself. -->
<Option name="mgmt_addr">192.168.1.100</Option>
|
|
<Option name="mgmt_ssh">True</Option>
|
|
<Option name="modulate_state">False</Option>
|
|
<Option name="no_iochains_for_any">False</Option>
|
|
<Option name="no_optimisation">False</Option>
|
|
<Option name="openbsd_path_pfctl"></Option>
|
|
<Option name="openbsd_path_sysctl"></Option>
|
|
<Option name="output_file"></Option>
|
|
<Option name="pass_all_out">False</Option>
|
|
<Option name="pf_adaptive_end">0</Option>
|
|
<Option name="pf_adaptive_start">0</Option>
|
|
<Option name="pf_do_limit_frags">True</Option>
|
|
<Option name="pf_do_limit_src_nodes">False</Option>
|
|
<Option name="pf_do_limit_states">True</Option>
|
|
<Option name="pf_do_limit_table_entries">False</Option>
|
|
<Option name="pf_do_limit_tables">False</Option>
|
|
<Option name="pf_do_scrub">True</Option>
|
|
<Option name="pf_do_timeout_frag">False</Option>
|
|
<Option name="pf_do_timeout_interval">False</Option>
|
|
<Option name="pf_flush_states">False</Option>
|
|
<Option name="pf_icmp_error">0</Option>
|
|
<Option name="pf_icmp_first">0</Option>
|
|
<Option name="pf_limit_frags">5000</Option>
|
|
<Option name="pf_limit_src_nodes">0</Option>
|
|
<Option name="pf_limit_states">10000</Option>
|
|
<Option name="pf_limit_table_entries">0</Option>
|
|
<Option name="pf_limit_tables">0</Option>
|
|
<Option name="pf_modulate_state">False</Option>
|
|
<Option name="pf_optimization">aggressive</Option>
|
|
<Option name="pf_other_first">0</Option>
|
|
<Option name="pf_other_multiple">0</Option>
|
|
<Option name="pf_other_single">0</Option>
|
|
<Option name="pf_scrub_fragm_crop">False</Option>
|
|
<Option name="pf_scrub_fragm_drop_ovl">False</Option>
|
|
<Option name="pf_scrub_maxmss">1460</Option>
|
|
<Option name="pf_scrub_minttl">32</Option>
|
|
<Option name="pf_scrub_no_df">True</Option>
|
|
<Option name="pf_scrub_random_id">True</Option>
|
|
<Option name="pf_scrub_reassemble">True</Option>
|
|
<Option name="pf_scrub_use_maxmss">True</Option>
|
|
<Option name="pf_scrub_use_minttl">True</Option>
|
|
<Option name="pf_set_adaptive">False</Option>
|
|
<Option name="pf_set_icmp_error">False</Option>
|
|
<Option name="pf_set_icmp_first">False</Option>
|
|
<Option name="pf_set_other_first">False</Option>
|
|
<Option name="pf_set_other_multiple">False</Option>
|
|
<Option name="pf_set_other_single">False</Option>
|
|
<Option name="pf_set_tcp_closed">False</Option>
|
|
<Option name="pf_set_tcp_closing">False</Option>
|
|
<Option name="pf_set_tcp_established">True</Option>
|
|
<Option name="pf_set_tcp_finwait">False</Option>
|
|
<Option name="pf_set_tcp_first">True</Option>
|
|
<Option name="pf_set_tcp_opening">True</Option>
|
|
<Option name="pf_set_udp_first">False</Option>
|
|
<Option name="pf_set_udp_multiple">False</Option>
|
|
<Option name="pf_set_udp_single">False</Option>
|
|
<Option name="pf_state_policy"></Option>
|
|
<Option name="pf_tcp_closed">0</Option>
|
|
<Option name="pf_tcp_closing">0</Option>
|
|
<Option name="pf_tcp_established">10</Option>
|
|
<Option name="pf_tcp_finwait">0</Option>
|
|
<Option name="pf_tcp_first">5</Option>
|
|
<Option name="pf_tcp_opening">5</Option>
|
|
<Option name="pf_timeout_frag">30</Option>
|
|
<Option name="pf_timeout_interval">10</Option>
|
|
<Option name="pf_udp_first">0</Option>
|
|
<Option name="pf_udp_multiple">0</Option>
|
|
<Option name="pf_udp_single">0</Option>
|
|
<!-- Target platform; everything prefixed pf_ / openbsd_ above and the
     prolog_place value below are not used for iptables output. -->
<Option name="platform">iptables</Option>
|
|
<Option name="prolog_place">pf_file_after_set</Option>
|
|
<Option name="prolog_script"># prolog
|
|
# prolog commands go after set commands
|
|
</Option>
|
|
<!-- NOTE(review): proxy_arp True makes the firewall answer ARP on behalf of
     other hosts; confirm that is required by the surrounding topology. -->
<Option name="proxy_arp">True</Option>
|
|
<Option name="scpArgs"></Option>
|
|
<Option name="script_env_path"></Option>
|
|
<Option name="script_name_on_firewall"></Option>
|
|
<Option name="snmp_contact"></Option>
|
|
<Option name="snmp_description"></Option>
|
|
<Option name="snmp_location"></Option>
|
|
<Option name="sshArgs"></Option>
|
|
<Option name="use_ip_tool">True</Option>
|
|
<Option name="use_numeric_log_levels">False</Option>
|
|
<Option name="use_tables">True</Option>
|
|
</FirewallOptions>
|
|
</Firewall>
|
|
<Firewall id="id21423X46405" host_OS="openbsd" inactive="False" lastCompiled="1286413974" lastInstalled="0" lastModified="1286413946" platform="pf" version="" name="firewall91" comment="" ro="False">
|
|
<!-- Test fixture: OpenBSD/PF firewall with an empty PF version, so the
     compiler's default rule syntax applies. NOTE(review): firewall92 below
     records that nat/rdr syntax changed in PF 4.7; pin a version if this
     fixture is meant to exercise one syntax family. -->
<NAT id="id21427X46405" name="NAT" comment="" ro="False" ipv4_rule_set="False" ipv6_rule_set="False" top_rule_set="True">
|
|
<RuleSetOptions/>
|
|
</NAT>
|
|
<Policy id="id21425X46405" name="Policy" comment="" ro="False" ipv4_rule_set="False" ipv6_rule_set="False" top_rule_set="True">
|
|
<!-- Sole rule: stateless Deny Any to Any, both directions, logged. There
     are no Accept rules and pass_all_out is false, so this is a complete
     default-deny template; any real traffic needs explicit rules above it. -->
<PolicyRule id="id49288X46405" disabled="False" group="" log="True" position="0" action="Deny" direction="Both" comment="">
|
|
<Src neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="pf_classify_str"></Option>
|
|
<Option name="stateless">True</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<RuleSetOptions/>
|
|
</Policy>
|
|
<Routing id="id21429X46405" name="Routing" comment="" ro="False" ipv4_rule_set="False" ipv6_rule_set="False" top_rule_set="True">
|
|
<RuleSetOptions/>
|
|
</Routing>
|
|
<!-- pcn0 (10.3.14.50/24) carries the management station 10.3.14.30 named in
     mgmt_addr below. -->
<Interface id="id21431X46405" dedicated_failover="False" dyn="False" label="" security_level="100" unnum="False" unprotected="False" name="pcn0" comment="" ro="False">
|
|
<IPv4 id="id21432X46405" name="firewall91:pcn0:ip" comment="" ro="False" address="10.3.14.50" netmask="255.255.255.0"/>
|
|
<InterfaceOptions/>
|
|
</Interface>
|
|
<Interface id="id21433X46405" dedicated_failover="False" dyn="False" label="" security_level="100" unnum="False" unprotected="False" name="em0" comment="" ro="False">
|
|
<IPv4 id="id21434X46405" name="firewall91:em0:ip" comment="" ro="False" address="10.1.1.50" netmask="255.255.255.0"/>
|
|
<InterfaceOptions/>
|
|
<!-- 802.1q sub-interfaces of em0 carry security_level 0 (untrusted) while
     the parent em0 is 100. NOTE(review): confirm that mix is intended; if
     security_level feeds the compiler's trust ordering, VLAN traffic and
     untagged em0 traffic will be treated very differently. -->
<Interface id="id30689X46405" dedicated_failover="False" dyn="False" label="" mgmt="False" security_level="0" unnum="False" unprotected="False" name="vlan101" comment="" ro="False">
|
|
<IPv4 id="id39977X46405" name="firewall91:em0:vlan101:ip" comment="" ro="False" address="10.100.101.1" netmask="255.255.255.0"/>
|
|
<InterfaceOptions>
|
|
<Option name="type">8021q</Option>
|
|
<Option name="vlan_id">101</Option>
|
|
</InterfaceOptions>
|
|
</Interface>
|
|
<Interface id="id30707X46405" dedicated_failover="False" dyn="False" label="" mgmt="False" security_level="0" unnum="False" unprotected="False" name="vlan103" comment="" ro="False">
|
|
<IPv4 id="id39990X46405" name="firewall91:em0:vlan103:ip" comment="" ro="False" address="10.100.103.1" netmask="255.255.255.0"/>
|
|
<InterfaceOptions>
|
|
<Option name="type">8021q</Option>
|
|
<Option name="vlan_id">103</Option>
|
|
</InterfaceOptions>
|
|
</Interface>
|
|
</Interface>
|
|
<!-- No install target (0.0.0.0); SNMP and fwbd are disabled and the SNMP
     communities are empty, which is the right state for a disabled channel. -->
<Management address="0.0.0.0">
|
|
<SNMPManagement enabled="False" snmp_read_community="" snmp_write_community=""/>
|
|
<FWBDManagement enabled="False" identity="" port="-1"/>
|
|
<PolicyInstallScript arguments="" command="" enabled="False"/>
|
|
</Management>
|
|
<FirewallOptions>
|
|
<!-- Only SYN may open TCP state; non-SYN probes are dropped by the state
     engine rather than reaching the policy. -->
<Option name="accept_new_tcp_with_no_syn">False</Option>
|
|
<Option name="activationCmd"></Option>
|
|
<Option name="admUser"></Option>
|
|
<Option name="altAddress"></Option>
|
|
<Option name="check_shading">True</Option>
|
|
<Option name="cmdline"></Option>
|
|
<Option name="compiler"></Option>
|
|
<Option name="conf_file_name_on_firewall">/etc/fw/pf.conf</Option>
|
|
<Option name="configure_carp_interfaces">False</Option>
|
|
<!-- The generated script also configures interfaces and VLANs (both True),
     so it needs root and rewrites interface state on every install. -->
<Option name="configure_interfaces">True</Option>
|
|
<Option name="configure_pfsync_interfaces">False</Option>
|
|
<Option name="configure_vlan_interfaces">True</Option>
|
|
<Option name="debug">False</Option>
|
|
<Option name="epilog_script"></Option>
|
|
<Option name="fallback_log">False</Option>
|
|
<Option name="firewall_dir">/etc</Option>
|
|
<Option name="ignore_empty_groups">False</Option>
|
|
<!-- Booleans here and in pass_all_out are spelled lowercase while every
     other option uses "True"/"False". NOTE(review): confirm the loader is
     case-insensitive for option values, otherwise normalise the spelling. -->
<Option name="in_out_code">true</Option>
|
|
<Option name="ipv4_6_order">ipv4_first</Option>
|
|
<Option name="log_prefix">RULE %N -- %A </Option>
|
|
<Option name="loopback_interface">lo0</Option>
|
|
<Option name="manage_virtual_addr">True</Option>
|
|
<!-- Management workstation; with mgmt_ssh True the compiler adds an implicit
     SSH accept from 10.3.14.30 that does not appear in the Policy above
     (NOTE(review): verify in the compiled pf.conf). -->
<Option name="mgmt_addr">10.3.14.30</Option>
|
|
<Option name="mgmt_ssh">True</Option>
|
|
<Option name="openbsd_ip_forward">1</Option>
|
|
<Option name="output_file"></Option>
|
|
<Option name="pass_all_out">false</Option>
|
|
<Option name="pf_adaptive_end">0</Option>
|
|
<Option name="pf_adaptive_start">0</Option>
|
|
<Option name="pf_do_limit_frags">False</Option>
|
|
<Option name="pf_do_limit_src_nodes">False</Option>
|
|
<Option name="pf_do_limit_states">False</Option>
|
|
<Option name="pf_do_limit_table_entries">False</Option>
|
|
<Option name="pf_do_limit_tables">False</Option>
|
|
<!-- No packet normalisation: no scrub line is emitted, so fragments are not
     reassembled and the pf_scrub_* values below are inert. A deliberate
     choice for a syntax fixture; not a production default. -->
<Option name="pf_do_scrub">False</Option>
|
|
<Option name="pf_do_timeout_frag">False</Option>
|
|
<Option name="pf_do_timeout_interval">False</Option>
|
|
<Option name="pf_flush_states">False</Option>
|
|
<Option name="pf_icmp_error">0</Option>
|
|
<Option name="pf_icmp_first">0</Option>
|
|
<Option name="pf_limit_frags">5000</Option>
|
|
<Option name="pf_limit_src_nodes">0</Option>
|
|
<Option name="pf_limit_states">10000</Option>
|
|
<Option name="pf_limit_table_entries">0</Option>
|
|
<Option name="pf_limit_tables">0</Option>
|
|
<Option name="pf_modulate_state">False</Option>
|
|
<Option name="pf_optimization"></Option>
|
|
<Option name="pf_other_first">0</Option>
|
|
<Option name="pf_other_multiple">0</Option>
|
|
<Option name="pf_other_single">0</Option>
|
|
<Option name="pf_scrub_fragm_crop">False</Option>
|
|
<Option name="pf_scrub_fragm_drop_ovl">False</Option>
|
|
<Option name="pf_scrub_maxmss">1460</Option>
|
|
<Option name="pf_scrub_minttl">0</Option>
|
|
<Option name="pf_scrub_no_df">False</Option>
|
|
<Option name="pf_scrub_random_id">False</Option>
|
|
<Option name="pf_scrub_reassemble">True</Option>
|
|
<Option name="pf_scrub_reassemble_tcp">False</Option>
|
|
<Option name="pf_scrub_use_maxmss">False</Option>
|
|
<Option name="pf_scrub_use_minttl">False</Option>
|
|
<Option name="pf_set_adaptive">False</Option>
|
|
<Option name="pf_set_icmp_error">False</Option>
|
|
<Option name="pf_set_icmp_first">False</Option>
|
|
<Option name="pf_set_other_first">False</Option>
|
|
<Option name="pf_set_other_multiple">False</Option>
|
|
<Option name="pf_set_other_single">False</Option>
|
|
<Option name="pf_set_tcp_closed">False</Option>
|
|
<Option name="pf_set_tcp_closing">False</Option>
|
|
<Option name="pf_set_tcp_established">False</Option>
|
|
<Option name="pf_set_tcp_finwait">False</Option>
|
|
<Option name="pf_set_tcp_first">False</Option>
|
|
<Option name="pf_set_tcp_opening">False</Option>
|
|
<Option name="pf_set_udp_first">False</Option>
|
|
<Option name="pf_set_udp_multiple">False</Option>
|
|
<Option name="pf_set_udp_single">False</Option>
|
|
<Option name="pf_state_policy"></Option>
|
|
<Option name="pf_tcp_closed">0</Option>
|
|
<Option name="pf_tcp_closing">0</Option>
|
|
<Option name="pf_tcp_established">0</Option>
|
|
<Option name="pf_tcp_finwait">0</Option>
|
|
<Option name="pf_tcp_first">0</Option>
|
|
<Option name="pf_tcp_opening">0</Option>
|
|
<Option name="pf_timeout_frag">30</Option>
|
|
<Option name="pf_timeout_interval">10</Option>
|
|
<Option name="pf_udp_first">0</Option>
|
|
<Option name="pf_udp_multiple">0</Option>
|
|
<Option name="pf_udp_single">0</Option>
|
|
<Option name="prolog_place">fw_file</Option>
|
|
<Option name="prolog_script"></Option>
|
|
<Option name="scpArgs"></Option>
|
|
<Option name="script_name_on_firewall">/etc/fw/pf.fw</Option>
|
|
<Option name="sshArgs"></Option>
|
|
</FirewallOptions>
|
|
</Firewall>
|
|
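<Firewall id="id21522X15225" host_OS="openbsd" inactive="False" lastCompiled="1267754603" lastInstalled="0" lastModified="1267754555" platform="pf" version="4.0" name="firewall14" comment="Testing scrub rules format PF &lt; 4.6" ro="False">
|
|
<!-- Test fixture for the scrub syntax of PF releases before 4.6 (version
     pinned to 4.0). The comment attribute above previously held a literal
     "<" character, which is not well-formed inside an attribute value and
     would make a strict parser reject the whole database; it is now
     written as the &lt; entity. -->
<NAT id="id21570X15225" name="NAT" comment="" ro="False" ipv4_rule_set="False" ipv6_rule_set="False" top_rule_set="True">
|
|
<RuleSetOptions/>
|
|
</NAT>
|
|
<Policy id="id21556X15225" name="Policy" comment="" ro="False" ipv4_rule_set="False" ipv6_rule_set="False" top_rule_set="True">
|
|
<!-- Sole rule: stateless Deny Any to Any, both directions, logged; a
     complete default-deny template (pass_all_out is false as well). -->
<PolicyRule id="id21557X15225" disabled="False" group="" log="True" position="0" action="Deny" direction="Both" comment="">
|
|
<Src neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="pf_classify_str"></Option>
|
|
<Option name="stateless">True</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<RuleSetOptions/>
|
|
</Policy>
|
|
<Routing id="id21572X15225" name="Routing" comment="" ro="False" ipv4_rule_set="False" ipv6_rule_set="False" top_rule_set="True">
|
|
<RuleSetOptions/>
|
|
</Routing>
|
|
<Interface id="id21530X15225" dedicated_failover="False" dyn="False" label="" security_level="100" unnum="False" unprotected="False" name="pcn0" comment="" ro="False">
|
|
<IPv4 id="id21533X15225" name="firewall14:pcn0:ip" comment="" ro="False" address="10.3.14.50" netmask="255.255.255.0"/>
|
|
<InterfaceOptions/>
|
|
</Interface>
|
|
<Interface id="id21535X15225" dedicated_failover="False" dyn="False" label="" security_level="100" unnum="False" unprotected="False" name="em0" comment="" ro="False">
|
|
<IPv4 id="id21544X15225" name="firewall14:em0:ip" comment="" ro="False" address="10.1.1.50" netmask="255.255.255.0"/>
|
|
<InterfaceOptions/>
|
|
<!-- 802.1q sub-interfaces at security_level 0 under a parent at 100;
     NOTE(review): confirm the mix is intended (same layout as firewall91). -->
<Interface id="id21546X15225" dedicated_failover="False" dyn="False" label="" mgmt="False" security_level="0" unnum="False" unprotected="False" name="vlan101" comment="" ro="False">
|
|
<IPv4 id="id21549X15225" name="firewall14:em0:vlan101:ip" comment="" ro="False" address="10.100.101.1" netmask="255.255.255.0"/>
|
|
<InterfaceOptions>
|
|
<Option name="type">8021q</Option>
|
|
<Option name="vlan_id">101</Option>
|
|
</InterfaceOptions>
|
|
</Interface>
|
|
<Interface id="id21551X15225" dedicated_failover="False" dyn="False" label="" mgmt="False" security_level="0" unnum="False" unprotected="False" name="vlan103" comment="" ro="False">
|
|
<IPv4 id="id21554X15225" name="firewall14:em0:vlan103:ip" comment="" ro="False" address="10.100.103.1" netmask="255.255.255.0"/>
|
|
<InterfaceOptions>
|
|
<Option name="type">8021q</Option>
|
|
<Option name="vlan_id">103</Option>
|
|
</InterfaceOptions>
|
|
</Interface>
|
|
</Interface>
|
|
<!-- No install target; SNMP and fwbd disabled with empty communities. -->
<Management address="0.0.0.0">
|
|
<SNMPManagement enabled="False" snmp_read_community="" snmp_write_community=""/>
|
|
<FWBDManagement enabled="False" identity="" port="-1"/>
|
|
<PolicyInstallScript arguments="" command="" enabled="False"/>
|
|
</Management>
|
|
<FirewallOptions>
|
|
<Option name="accept_new_tcp_with_no_syn">False</Option>
|
|
<Option name="activationCmd"></Option>
|
|
<Option name="admUser"></Option>
|
|
<Option name="altAddress"></Option>
|
|
<Option name="check_shading">True</Option>
|
|
<Option name="cmdline"></Option>
|
|
<Option name="compiler"></Option>
|
|
<Option name="conf_file_name_on_firewall"></Option>
|
|
<Option name="configure_carp_interfaces">False</Option>
|
|
<Option name="configure_interfaces">True</Option>
|
|
<Option name="configure_pfsync_interfaces">False</Option>
|
|
<Option name="configure_vlan_interfaces">True</Option>
|
|
<Option name="debug">False</Option>
|
|
<Option name="epilog_script"></Option>
|
|
<Option name="fallback_log">False</Option>
|
|
<Option name="firewall_dir">/etc</Option>
|
|
<Option name="ignore_empty_groups">False</Option>
|
|
<!-- Lowercase boolean spelling here and in pass_all_out; every other option
     uses "True"/"False". NOTE(review): confirm the loader accepts both. -->
<Option name="in_out_code">true</Option>
|
|
<Option name="ipv4_6_order">ipv4_first</Option>
|
|
<Option name="log_prefix">RULE %N -- %A </Option>
|
|
<Option name="loopback_interface">lo0</Option>
|
|
<Option name="manage_virtual_addr">True</Option>
|
|
<!-- Management workstation; mgmt_ssh True adds an implicit SSH accept from
     this host that is not part of the Policy above (verify in output). -->
<Option name="mgmt_addr">10.3.14.30</Option>
|
|
<Option name="mgmt_ssh">True</Option>
|
|
<Option name="openbsd_ip_forward">1</Option>
|
|
<Option name="output_file"></Option>
|
|
<Option name="pass_all_out">false</Option>
|
|
<Option name="pf_adaptive_end">0</Option>
|
|
<Option name="pf_adaptive_start">0</Option>
|
|
<Option name="pf_do_limit_frags">False</Option>
|
|
<Option name="pf_do_limit_src_nodes">False</Option>
|
|
<Option name="pf_do_limit_states">False</Option>
|
|
<Option name="pf_do_limit_table_entries">False</Option>
|
|
<Option name="pf_do_limit_tables">False</Option>
|
|
<!-- Scrub is on: fragment reassembly, no-df, random-id, max-mss 1460 and
     min-ttl 64 (the pf_scrub_* values below). This fixture exercises the
     pre-4.6 scrub line format. NOTE(review): min-ttl presumably maps to
     PF's min-ttl, which enforces a minimum TTL on matching packets; 64 is
     aggressive and will hide the hop from traceroute, so confirm it is
     deliberate before reusing these values outside the test. -->
<Option name="pf_do_scrub">True</Option>
|
|
<Option name="pf_do_timeout_frag">False</Option>
|
|
<Option name="pf_do_timeout_interval">False</Option>
|
|
<Option name="pf_flush_states">False</Option>
|
|
<Option name="pf_icmp_error">0</Option>
|
|
<Option name="pf_icmp_first">0</Option>
|
|
<Option name="pf_limit_frags">5000</Option>
|
|
<Option name="pf_limit_src_nodes">0</Option>
|
|
<Option name="pf_limit_states">10000</Option>
|
|
<Option name="pf_limit_table_entries">0</Option>
|
|
<Option name="pf_limit_tables">0</Option>
|
|
<Option name="pf_modulate_state">False</Option>
|
|
<Option name="pf_optimization"></Option>
|
|
<Option name="pf_other_first">0</Option>
|
|
<Option name="pf_other_multiple">0</Option>
|
|
<Option name="pf_other_single">0</Option>
|
|
<Option name="pf_scrub_fragm_crop">False</Option>
|
|
<Option name="pf_scrub_fragm_drop_ovl">False</Option>
|
|
<Option name="pf_scrub_maxmss">1460</Option>
|
|
<Option name="pf_scrub_minttl">64</Option>
|
|
<Option name="pf_scrub_no_df">True</Option>
|
|
<Option name="pf_scrub_random_id">True</Option>
|
|
<Option name="pf_scrub_reassemble">True</Option>
|
|
<Option name="pf_scrub_reassemble_tcp">False</Option>
|
|
<Option name="pf_scrub_use_maxmss">True</Option>
|
|
<Option name="pf_scrub_use_minttl">True</Option>
|
|
<Option name="pf_set_adaptive">False</Option>
|
|
<Option name="pf_set_icmp_error">False</Option>
|
|
<Option name="pf_set_icmp_first">False</Option>
|
|
<Option name="pf_set_other_first">False</Option>
|
|
<Option name="pf_set_other_multiple">False</Option>
|
|
<Option name="pf_set_other_single">False</Option>
|
|
<Option name="pf_set_tcp_closed">False</Option>
|
|
<Option name="pf_set_tcp_closing">False</Option>
|
|
<Option name="pf_set_tcp_established">False</Option>
|
|
<Option name="pf_set_tcp_finwait">False</Option>
|
|
<Option name="pf_set_tcp_first">False</Option>
|
|
<Option name="pf_set_tcp_opening">False</Option>
|
|
<Option name="pf_set_udp_first">False</Option>
|
|
<Option name="pf_set_udp_multiple">False</Option>
|
|
<Option name="pf_set_udp_single">False</Option>
|
|
<Option name="pf_state_policy"></Option>
|
|
<Option name="pf_tcp_closed">0</Option>
|
|
<Option name="pf_tcp_closing">0</Option>
|
|
<Option name="pf_tcp_established">0</Option>
|
|
<Option name="pf_tcp_finwait">0</Option>
|
|
<Option name="pf_tcp_first">0</Option>
|
|
<Option name="pf_tcp_opening">0</Option>
|
|
<Option name="pf_timeout_frag">30</Option>
|
|
<Option name="pf_timeout_interval">10</Option>
|
|
<Option name="pf_udp_first">0</Option>
|
|
<Option name="pf_udp_multiple">0</Option>
|
|
<Option name="pf_udp_single">0</Option>
|
|
<Option name="prolog_place">fw_file</Option>
|
|
<Option name="prolog_script"></Option>
|
|
<Option name="scpArgs"></Option>
|
|
<Option name="script_name_on_firewall"></Option>
|
|
<Option name="sshArgs"></Option>
|
|
</FirewallOptions>
|
|
</Firewall>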
|
|
<Firewall id="id21721X15225" host_OS="openbsd" inactive="False" lastCompiled="1267754604" lastInstalled="0" lastModified="1267754587" platform="pf" version="4.6" name="firewall14-1" comment="Testing scrub rules format PF 4.6" ro="False">
|
|
<!-- Test fixture for the PF 4.6 scrub syntax; identical to firewall14 except
     for the version and the reassemble / reassemble_tcp pair below. -->
<NAT id="id21769X15225" name="NAT" comment="" ro="False" ipv4_rule_set="False" ipv6_rule_set="False" top_rule_set="True">
|
|
<RuleSetOptions/>
|
|
</NAT>
|
|
<Policy id="id21755X15225" name="Policy" comment="" ro="False" ipv4_rule_set="False" ipv6_rule_set="False" top_rule_set="True">
|
|
<!-- Sole rule: stateless Deny Any to Any, both directions, logged; a
     complete default-deny template (pass_all_out is false as well). -->
<PolicyRule id="id21756X15225" disabled="False" group="" log="True" position="0" action="Deny" direction="Both" comment="">
|
|
<Src neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="pf_classify_str"></Option>
|
|
<Option name="stateless">True</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<RuleSetOptions/>
|
|
</Policy>
|
|
<Routing id="id21771X15225" name="Routing" comment="" ro="False" ipv4_rule_set="False" ipv6_rule_set="False" top_rule_set="True">
|
|
<RuleSetOptions/>
|
|
</Routing>
|
|
<Interface id="id21729X15225" dedicated_failover="False" dyn="False" label="" security_level="100" unnum="False" unprotected="False" name="pcn0" comment="" ro="False">
|
|
<IPv4 id="id21732X15225" name="firewall14-1:pcn0:ip" comment="" ro="False" address="10.3.14.50" netmask="255.255.255.0"/>
|
|
<InterfaceOptions/>
|
|
</Interface>
|
|
<Interface id="id21734X15225" dedicated_failover="False" dyn="False" label="" security_level="100" unnum="False" unprotected="False" name="em0" comment="" ro="False">
|
|
<IPv4 id="id21743X15225" name="firewall14-1:em0:ip" comment="" ro="False" address="10.1.1.50" netmask="255.255.255.0"/>
|
|
<InterfaceOptions/>
|
|
<!-- 802.1q sub-interfaces at security_level 0 under a parent at 100;
     NOTE(review): confirm the mix is intended (same layout as firewall91). -->
<Interface id="id21745X15225" dedicated_failover="False" dyn="False" label="" mgmt="False" security_level="0" unnum="False" unprotected="False" name="vlan101" comment="" ro="False">
|
|
<IPv4 id="id21748X15225" name="firewall14-1:em0:vlan101:ip" comment="" ro="False" address="10.100.101.1" netmask="255.255.255.0"/>
|
|
<InterfaceOptions>
|
|
<Option name="type">8021q</Option>
|
|
<Option name="vlan_id">101</Option>
|
|
</InterfaceOptions>
|
|
</Interface>
|
|
<Interface id="id21750X15225" dedicated_failover="False" dyn="False" label="" mgmt="False" security_level="0" unnum="False" unprotected="False" name="vlan103" comment="" ro="False">
|
|
<IPv4 id="id21753X15225" name="firewall14-1:em0:vlan103:ip" comment="" ro="False" address="10.100.103.1" netmask="255.255.255.0"/>
|
|
<InterfaceOptions>
|
|
<Option name="type">8021q</Option>
|
|
<Option name="vlan_id">103</Option>
|
|
</InterfaceOptions>
|
|
</Interface>
|
|
</Interface>
|
|
<!-- No install target; SNMP and fwbd disabled with empty communities. -->
<Management address="0.0.0.0">
|
|
<SNMPManagement enabled="False" snmp_read_community="" snmp_write_community=""/>
|
|
<FWBDManagement enabled="False" identity="" port="-1"/>
|
|
<PolicyInstallScript arguments="" command="" enabled="False"/>
|
|
</Management>
|
|
<FirewallOptions>
|
|
<Option name="accept_new_tcp_with_no_syn">False</Option>
|
|
<Option name="activationCmd"></Option>
|
|
<Option name="admUser"></Option>
|
|
<Option name="altAddress"></Option>
|
|
<Option name="check_shading">True</Option>
|
|
<Option name="cmdline"></Option>
|
|
<Option name="compiler"></Option>
|
|
<Option name="conf_file_name_on_firewall"></Option>
|
|
<Option name="configure_carp_interfaces">False</Option>
|
|
<Option name="configure_interfaces">True</Option>
|
|
<Option name="configure_pfsync_interfaces">False</Option>
|
|
<Option name="configure_vlan_interfaces">True</Option>
|
|
<Option name="debug">False</Option>
|
|
<Option name="epilog_script"></Option>
|
|
<Option name="fallback_log">False</Option>
|
|
<Option name="firewall_dir">/etc</Option>
|
|
<Option name="ignore_empty_groups">False</Option>
|
|
<!-- Lowercase boolean spelling here and in pass_all_out; every other option
     uses "True"/"False". NOTE(review): confirm the loader accepts both. -->
<Option name="in_out_code">true</Option>
|
|
<Option name="ipv4_6_order">ipv4_first</Option>
|
|
<Option name="log_prefix">RULE %N -- %A </Option>
|
|
<Option name="loopback_interface">lo0</Option>
|
|
<Option name="manage_virtual_addr">True</Option>
|
|
<!-- Management workstation; mgmt_ssh True adds an implicit SSH accept from
     this host that is not part of the Policy above (verify in output). -->
<Option name="mgmt_addr">10.3.14.30</Option>
|
|
<Option name="mgmt_ssh">True</Option>
|
|
<Option name="openbsd_ip_forward">1</Option>
|
|
<Option name="output_file"></Option>
|
|
<Option name="pass_all_out">false</Option>
|
|
<Option name="pf_adaptive_end">0</Option>
|
|
<Option name="pf_adaptive_start">0</Option>
|
|
<Option name="pf_do_limit_frags">False</Option>
|
|
<Option name="pf_do_limit_src_nodes">False</Option>
|
|
<Option name="pf_do_limit_states">False</Option>
|
|
<Option name="pf_do_limit_table_entries">False</Option>
|
|
<Option name="pf_do_limit_tables">False</Option>
|
|
<!-- Scrub is on with the 4.6 format: reassemble is off and reassemble_tcp
     on, plus no-df, random-id, max-mss 1460 and min-ttl 64. NOTE(review):
     min-ttl 64 is aggressive (see the same note on firewall14); confirm it
     is deliberate before reusing these values outside the test. -->
<Option name="pf_do_scrub">True</Option>
|
|
<Option name="pf_do_timeout_frag">False</Option>
|
|
<Option name="pf_do_timeout_interval">False</Option>
|
|
<Option name="pf_flush_states">False</Option>
|
|
<Option name="pf_icmp_error">0</Option>
|
|
<Option name="pf_icmp_first">0</Option>
|
|
<Option name="pf_limit_frags">5000</Option>
|
|
<Option name="pf_limit_src_nodes">0</Option>
|
|
<Option name="pf_limit_states">10000</Option>
|
|
<Option name="pf_limit_table_entries">0</Option>
|
|
<Option name="pf_limit_tables">0</Option>
|
|
<Option name="pf_modulate_state">False</Option>
|
|
<Option name="pf_optimization"></Option>
|
|
<Option name="pf_other_first">0</Option>
|
|
<Option name="pf_other_multiple">0</Option>
|
|
<Option name="pf_other_single">0</Option>
|
|
<Option name="pf_scrub_fragm_crop">False</Option>
|
|
<Option name="pf_scrub_fragm_drop_ovl">False</Option>
|
|
<Option name="pf_scrub_maxmss">1460</Option>
|
|
<Option name="pf_scrub_minttl">64</Option>
|
|
<Option name="pf_scrub_no_df">True</Option>
|
|
<Option name="pf_scrub_random_id">True</Option>
|
|
<Option name="pf_scrub_reassemble">False</Option>
|
|
<Option name="pf_scrub_reassemble_tcp">True</Option>
|
|
<Option name="pf_scrub_use_maxmss">True</Option>
|
|
<Option name="pf_scrub_use_minttl">True</Option>
|
|
<Option name="pf_set_adaptive">False</Option>
|
|
<Option name="pf_set_icmp_error">False</Option>
|
|
<Option name="pf_set_icmp_first">False</Option>
|
|
<Option name="pf_set_other_first">False</Option>
|
|
<Option name="pf_set_other_multiple">False</Option>
|
|
<Option name="pf_set_other_single">False</Option>
|
|
<Option name="pf_set_tcp_closed">False</Option>
|
|
<Option name="pf_set_tcp_closing">False</Option>
|
|
<Option name="pf_set_tcp_established">False</Option>
|
|
<Option name="pf_set_tcp_finwait">False</Option>
|
|
<Option name="pf_set_tcp_first">False</Option>
|
|
<Option name="pf_set_tcp_opening">False</Option>
|
|
<Option name="pf_set_udp_first">False</Option>
|
|
<Option name="pf_set_udp_multiple">False</Option>
|
|
<Option name="pf_set_udp_single">False</Option>
|
|
<Option name="pf_state_policy"></Option>
|
|
<Option name="pf_tcp_closed">0</Option>
|
|
<Option name="pf_tcp_closing">0</Option>
|
|
<Option name="pf_tcp_established">0</Option>
|
|
<Option name="pf_tcp_finwait">0</Option>
|
|
<Option name="pf_tcp_first">0</Option>
|
|
<Option name="pf_tcp_opening">0</Option>
|
|
<Option name="pf_timeout_frag">30</Option>
|
|
<Option name="pf_timeout_interval">10</Option>
|
|
<Option name="pf_udp_first">0</Option>
|
|
<Option name="pf_udp_multiple">0</Option>
|
|
<Option name="pf_udp_single">0</Option>
|
|
<Option name="prolog_place">fw_file</Option>
|
|
<Option name="prolog_script"></Option>
|
|
<Option name="scpArgs"></Option>
|
|
<Option name="script_name_on_firewall"></Option>
|
|
<Option name="sshArgs"></Option>
|
|
</FirewallOptions>
|
|
</Firewall>
|
|
<Firewall id="id22021X58767" host_OS="openbsd" inactive="False" lastCompiled="1286413975" lastInstalled="1271995582" lastModified="1307148472" platform="pf" version="4.7" name="firewall92" comment="syntax of the nat and rdr rules has changed in 4.7 " ro="False">
|
|
<NAT id="id22025X58767" name="NAT" comment="" ro="False" ipv4_rule_set="False" ipv6_rule_set="False" top_rule_set="True">
|
|
<NATRule id="id70699X58767" disabled="False" group="" position="0" action="Translate" comment="">
|
|
<OSrc neg="False">
|
|
<ObjectRef ref="id22061X58767"/>
|
|
</OSrc>
|
|
<ODst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ODst>
|
|
<OSrv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</OSrv>
|
|
<TSrc neg="False">
|
|
<ObjectRef ref="id22029X58767"/>
|
|
</TSrc>
|
|
<TDst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</TDst>
|
|
<TSrv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</TSrv>
|
|
<ItfInb neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ItfInb>
|
|
<ItfOutb neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ItfOutb>
|
|
<NATRuleOptions/>
|
|
</NATRule>
|
|
<NATRule id="id22320X62375" disabled="False" group="" position="1" action="Translate" comment="">
|
|
<OSrc neg="True">
|
|
<ObjectRef ref="id71290X60336"/>
|
|
</OSrc>
|
|
<ODst neg="False">
|
|
<ObjectRef ref="id22029X58767"/>
|
|
</ODst>
|
|
<OSrv neg="False">
|
|
<ServiceRef ref="udp-SNMP"/>
|
|
</OSrv>
|
|
<TSrc neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</TSrc>
|
|
<TDst neg="False">
|
|
<ObjectRef ref="id119361X58767"/>
|
|
</TDst>
|
|
<TSrv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</TSrv>
|
|
<ItfInb neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ItfInb>
|
|
<ItfOutb neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ItfOutb>
|
|
<NATRuleOptions/>
|
|
</NATRule>
|
|
<NATRule id="id22236X60336" disabled="False" group="" position="2" action="Translate" comment="">
|
|
<OSrc neg="False">
|
|
<ObjectRef ref="id71290X60336"/>
|
|
</OSrc>
|
|
<ODst neg="False">
|
|
<ObjectRef ref="id22029X58767"/>
|
|
</ODst>
|
|
<OSrv neg="False">
|
|
<ServiceRef ref="udp-SNMP"/>
|
|
</OSrv>
|
|
<TSrc neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</TSrc>
|
|
<TDst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</TDst>
|
|
<TSrv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</TSrv>
|
|
<ItfInb neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ItfInb>
|
|
<ItfOutb neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ItfOutb>
|
|
<NATRuleOptions/>
|
|
</NATRule>
|
|
<NATRule id="id119368X58767" disabled="False" group="" position="3" action="Translate" comment="">
|
|
<OSrc neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</OSrc>
|
|
<ODst neg="False">
|
|
<ObjectRef ref="id22029X58767"/>
|
|
</ODst>
|
|
<OSrv neg="False">
|
|
<ServiceRef ref="udp-SNMP"/>
|
|
</OSrv>
|
|
<TSrc neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</TSrc>
|
|
<TDst neg="False">
|
|
<ObjectRef ref="id119361X58767"/>
|
|
</TDst>
|
|
<TSrv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</TSrv>
|
|
<ItfInb neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ItfInb>
|
|
<ItfOutb neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ItfOutb>
|
|
<NATRuleOptions/>
|
|
</NATRule>
|
|
<NATRule id="id67083X7140" disabled="False" group="" position="4" action="Translate" comment="">
|
|
<OSrc neg="False">
|
|
<ObjectRef ref="id22061X58767"/>
|
|
</OSrc>
|
|
<ODst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ODst>
|
|
<OSrv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</OSrv>
|
|
<TSrc neg="False">
|
|
<ObjectRef ref="id22029X58767"/>
|
|
</TSrc>
|
|
<TDst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</TDst>
|
|
<TSrv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</TSrv>
|
|
<ItfInb neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ItfInb>
|
|
<ItfOutb neg="False">
|
|
<ObjectRef ref="id22031X58767"/>
|
|
</ItfOutb>
|
|
<NATRuleOptions/>
|
|
</NATRule>
|
|
<NATRule id="id67125X7140" disabled="False" group="" position="5" action="Translate" comment="">
|
|
<OSrc neg="False">
|
|
<ObjectRef ref="id22061X58767"/>
|
|
</OSrc>
|
|
<ODst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ODst>
|
|
<OSrv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</OSrv>
|
|
<TSrc neg="False">
|
|
<ObjectRef ref="id79522X23273"/>
|
|
</TSrc>
|
|
<TDst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</TDst>
|
|
<TSrv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</TSrv>
|
|
<ItfInb neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ItfInb>
|
|
<ItfOutb neg="True">
|
|
<ObjectRef ref="id22029X58767"/>
|
|
</ItfOutb>
|
|
<NATRuleOptions/>
|
|
</NATRule>
|
|
<RuleSetOptions/>
|
|
</NAT>
|
|
<Policy id="id22023X58767" name="Policy" comment="" ro="False" ipv4_rule_set="False" ipv6_rule_set="False" top_rule_set="True">
|
|
<PolicyRule id="id71304X61128" disabled="False" group="" log="False" position="0" action="Accept" direction="Both" comment="">
|
|
<Src neg="False">
|
|
<ObjectRef ref="id79551X23273"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="id22021X58767"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="tcp-SSH"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="pf_classify_str"></Option>
|
|
<Option name="stateless">False</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<PolicyRule id="id22049X58767" disabled="False" group="" log="False" position="1" action="Accept" direction="Both" comment="">
|
|
<Src neg="False">
|
|
<ObjectRef ref="id22061X58767"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="pf_classify_str"></Option>
|
|
<Option name="stateless">False</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<PolicyRule id="id22238X59856" disabled="False" group="" log="False" position="2" action="Continue" direction="Both" comment="">
|
|
<Src neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="id119361X58767"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="action_on_reject"></Option>
|
|
<Option name="classification">False</Option>
|
|
<Option name="classify_str"></Option>
|
|
<Option name="custom_str"></Option>
|
|
<Option name="ipf_route_opt_addr"></Option>
|
|
<Option name="ipf_route_opt_if"></Option>
|
|
<Option name="ipf_route_option">route_through</Option>
|
|
<Option name="ipfw_classify_method">2</Option>
|
|
<Option name="ipfw_pipe_port_num">0</Option>
|
|
<Option name="ipfw_pipe_queue_num">0</Option>
|
|
<Option name="ipt_continue">False</Option>
|
|
<Option name="ipt_gw"></Option>
|
|
<Option name="ipt_iif"></Option>
|
|
<Option name="ipt_mark_connections">False</Option>
|
|
<Option name="ipt_oif"></Option>
|
|
<Option name="ipt_tee">False</Option>
|
|
<Option name="pf_classify_str"></Option>
|
|
<Option name="pf_fastroute">False</Option>
|
|
<Option name="pf_route_load_option">none</Option>
|
|
<Option name="pf_route_opt_addr"></Option>
|
|
<Option name="pf_route_opt_if"></Option>
|
|
<Option name="pf_route_option">none</Option>
|
|
<Option name="routing">False</Option>
|
|
<Option name="rule_name_accounting"></Option>
|
|
<Option name="stateless">False</Option>
|
|
<Option name="tagging">True</Option>
|
|
<Option name="tagobject_id">id43F4556A28869</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<PolicyRule id="id119406X58767" disabled="False" group="" log="False" position="3" action="Accept" direction="Both" comment="">
|
|
<Src neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="udp-SNMP"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="pf_classify_str"></Option>
|
|
<Option name="stateless">False</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<PolicyRule id="id22037X58767" disabled="False" group="" log="True" position="4" action="Deny" direction="Both" comment="">
|
|
<Src neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="pf_classify_str"></Option>
|
|
<Option name="stateless">True</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<RuleSetOptions/>
|
|
</Policy>
|
|
<Routing id="id22027X58767" name="Routing" comment="" ro="False" ipv4_rule_set="False" ipv6_rule_set="False" top_rule_set="True">
|
|
<RuleSetOptions/>
|
|
</Routing>
|
|
<Interface id="id22029X58767" dedicated_failover="False" dyn="False" label="" mgmt="True" security_level="100" unnum="False" unprotected="False" name="em0" comment="" ro="False">
|
|
<IPv4 id="id22030X58767" name="firewall92:em0:ip" comment="" ro="False" address="10.3.14.81" netmask="255.255.255.0"/>
|
|
<InterfaceOptions/>
|
|
</Interface>
|
|
<Interface id="id22031X58767" dedicated_failover="False" dyn="False" label="" security_level="100" unnum="False" unprotected="False" name="em1" comment="" ro="False">
|
|
<IPv4 id="id22032X58767" name="firewall92:em1:ip" comment="" ro="False" address="10.1.1.81" netmask="255.255.255.0"/>
|
|
<InterfaceOptions/>
|
|
</Interface>
|
|
<Management address="0.0.0.0">
|
|
<SNMPManagement enabled="False" snmp_read_community="" snmp_write_community=""/>
|
|
<FWBDManagement enabled="False" identity="" port="-1"/>
|
|
<PolicyInstallScript arguments="" command="" enabled="False"/>
|
|
</Management>
|
|
<FirewallOptions>
|
|
<Option name="accept_new_tcp_with_no_syn">False</Option>
|
|
<Option name="activationCmd"></Option>
|
|
<Option name="admUser">root</Option>
|
|
<Option name="altAddress"></Option>
|
|
<Option name="check_shading">True</Option>
|
|
<Option name="cmdline">-xt</Option>
|
|
<Option name="compiler"></Option>
|
|
<Option name="conf_file_name_on_firewall">/etc/fw/path with space/pf.conf</Option>
|
|
<Option name="configure_carp_interfaces">False</Option>
|
|
<Option name="configure_interfaces">True</Option>
|
|
<Option name="configure_pfsync_interfaces">False</Option>
|
|
<Option name="configure_vlan_interfaces">False</Option>
|
|
<Option name="debug">False</Option>
|
|
<Option name="epilog_script"></Option>
|
|
<Option name="fallback_log">False</Option>
|
|
<Option name="firewall_dir">/etc</Option>
|
|
<Option name="ignore_empty_groups">False</Option>
|
|
<Option name="in_out_code">true</Option>
|
|
<Option name="ipv4_6_order">ipv4_first</Option>
|
|
<Option name="log_prefix">RULE %N -- %A </Option>
|
|
<Option name="loopback_interface">lo0</Option>
|
|
<Option name="manage_virtual_addr">True</Option>
|
|
<Option name="mgmt_addr">10.3.14.30</Option>
|
|
<Option name="mgmt_ssh">True</Option>
|
|
<Option name="openbsd_ip_forward">1</Option>
|
|
<Option name="output_file"></Option>
|
|
<Option name="pass_all_out">false</Option>
|
|
<Option name="pf_adaptive_end">0</Option>
|
|
<Option name="pf_adaptive_start">0</Option>
|
|
<Option name="pf_do_limit_frags">False</Option>
|
|
<Option name="pf_do_limit_src_nodes">False</Option>
|
|
<Option name="pf_do_limit_states">False</Option>
|
|
<Option name="pf_do_limit_table_entries">False</Option>
|
|
<Option name="pf_do_limit_tables">False</Option>
|
|
<Option name="pf_do_scrub">True</Option>
|
|
<Option name="pf_do_timeout_frag">False</Option>
|
|
<Option name="pf_do_timeout_interval">False</Option>
|
|
<Option name="pf_flush_states">False</Option>
|
|
<Option name="pf_icmp_error">0</Option>
|
|
<Option name="pf_icmp_first">0</Option>
|
|
<Option name="pf_limit_frags">5000</Option>
|
|
<Option name="pf_limit_src_nodes">0</Option>
|
|
<Option name="pf_limit_states">10000</Option>
|
|
<Option name="pf_limit_table_entries">0</Option>
|
|
<Option name="pf_limit_tables">0</Option>
|
|
<Option name="pf_modulate_state">False</Option>
|
|
<Option name="pf_optimization"></Option>
|
|
<Option name="pf_other_first">0</Option>
|
|
<Option name="pf_other_multiple">0</Option>
|
|
<Option name="pf_other_single">0</Option>
|
|
<Option name="pf_scrub_fragm_crop">False</Option>
|
|
<Option name="pf_scrub_fragm_drop_ovl">False</Option>
|
|
<Option name="pf_scrub_maxmss">1460</Option>
|
|
<Option name="pf_scrub_minttl">1</Option>
|
|
<Option name="pf_scrub_no_df">True</Option>
|
|
<Option name="pf_scrub_random_id">True</Option>
|
|
<Option name="pf_scrub_reassemble">False</Option>
|
|
<Option name="pf_scrub_reassemble_tcp">True</Option>
|
|
<Option name="pf_scrub_use_maxmss">True</Option>
|
|
<Option name="pf_scrub_use_minttl">True</Option>
|
|
<Option name="pf_set_adaptive">False</Option>
|
|
<Option name="pf_set_icmp_error">False</Option>
|
|
<Option name="pf_set_icmp_first">False</Option>
|
|
<Option name="pf_set_other_first">False</Option>
|
|
<Option name="pf_set_other_multiple">False</Option>
|
|
<Option name="pf_set_other_single">False</Option>
|
|
<Option name="pf_set_tcp_closed">False</Option>
|
|
<Option name="pf_set_tcp_closing">False</Option>
|
|
<Option name="pf_set_tcp_established">False</Option>
|
|
<Option name="pf_set_tcp_finwait">False</Option>
|
|
<Option name="pf_set_tcp_first">False</Option>
|
|
<Option name="pf_set_tcp_opening">False</Option>
|
|
<Option name="pf_set_udp_first">False</Option>
|
|
<Option name="pf_set_udp_multiple">False</Option>
|
|
<Option name="pf_set_udp_single">True</Option>
|
|
<Option name="pf_state_policy"></Option>
|
|
<Option name="pf_tcp_closed">0</Option>
|
|
<Option name="pf_tcp_closing">0</Option>
|
|
<Option name="pf_tcp_established">0</Option>
|
|
<Option name="pf_tcp_finwait">0</Option>
|
|
<Option name="pf_tcp_first">0</Option>
|
|
<Option name="pf_tcp_opening">0</Option>
|
|
<Option name="pf_timeout_frag">30</Option>
|
|
<Option name="pf_timeout_interval">10</Option>
|
|
<Option name="pf_udp_first">0</Option>
|
|
<Option name="pf_udp_multiple">0</Option>
|
|
<Option name="pf_udp_single">5</Option>
|
|
<Option name="prolog_place">fw_file</Option>
|
|
<Option name="prolog_script"></Option>
|
|
<Option name="scpArgs"></Option>
|
|
<Option name="script_name_on_firewall">/etc/fw/pf.fw</Option>
|
|
<Option name="sshArgs"></Option>
|
|
</FirewallOptions>
|
|
</Firewall>
|
|
<Firewall id="id32636X21143" host_OS="openbsd" inactive="False" lastCompiled="1296525125" lastInstalled="1271995582" lastModified="1297661451" platform="pf" version="4.7" name="firewall100" comment="routing rules" ro="False">
|
|
<NAT id="id32797X21143" name="NAT" comment="" ro="False" ipv4_rule_set="False" ipv6_rule_set="False" top_rule_set="True">
|
|
<RuleSetOptions/>
|
|
</NAT>
|
|
<Policy id="id32654X21143" name="Policy" comment="" ro="False" ipv4_rule_set="False" ipv6_rule_set="False" top_rule_set="True">
|
|
<PolicyRule id="id32768X21143" disabled="False" group="" log="True" position="0" action="Deny" direction="Both" comment="">
|
|
<Src neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="pf_classify_str"></Option>
|
|
<Option name="stateless">True</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<RuleSetOptions/>
|
|
</Policy>
|
|
<Routing id="id32932X21143" name="Routing" comment="" ro="False" ipv4_rule_set="False" ipv6_rule_set="False" top_rule_set="True">
|
|
<RoutingRule id="id518163X21143" disabled="False" group="" metric="0" position="0" comment="setting default via gateway line 2 comment ">
|
|
<RDst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</RDst>
|
|
<RGtw neg="False">
|
|
<ObjectRef ref="id33008X21143"/>
|
|
</RGtw>
|
|
<RItf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</RItf>
|
|
<RoutingRuleOptions/>
|
|
</RoutingRule>
|
|
<RoutingRule id="id33049X21143" disabled="False" group="" metric="0" position="1" comment="empty rule ">
|
|
<RDst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</RDst>
|
|
<RGtw neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</RGtw>
|
|
<RItf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</RItf>
|
|
<RoutingRuleOptions/>
|
|
</RoutingRule>
|
|
<RoutingRule id="id518312X21143" disabled="False" group="" metric="0" position="2" comment="">
|
|
<RDst neg="False">
|
|
<ObjectRef ref="id79492X23273"/>
|
|
</RDst>
|
|
<RGtw neg="False">
|
|
<ObjectRef ref="id33008X21143"/>
|
|
</RGtw>
|
|
<RItf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</RItf>
|
|
<RoutingRuleOptions/>
|
|
</RoutingRule>
|
|
<RoutingRule id="id396733X21143" disabled="False" group="" metric="3" position="3" comment="">
|
|
<RDst neg="False">
|
|
<ObjectRef ref="id3B665641"/>
|
|
</RDst>
|
|
<RGtw neg="False">
|
|
<ObjectRef ref="id33008X21143"/>
|
|
</RGtw>
|
|
<RItf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</RItf>
|
|
<RoutingRuleOptions/>
|
|
</RoutingRule>
|
|
<RoutingRule id="id518111X21143" disabled="False" group="" metric="0" position="4" comment="">
|
|
<RDst neg="False">
|
|
<ObjectRef ref="id3B665641"/>
|
|
<ObjectRef ref="id3B665643"/>
|
|
</RDst>
|
|
<RGtw neg="False">
|
|
<ObjectRef ref="id33008X21143"/>
|
|
</RGtw>
|
|
<RItf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</RItf>
|
|
<RoutingRuleOptions/>
|
|
</RoutingRule>
|
|
<RuleSetOptions/>
|
|
</Routing>
|
|
<Interface id="id32644X21143" dedicated_failover="False" dyn="False" label="" mgmt="True" security_level="100" unnum="False" unprotected="False" name="em0" comment="" ro="False">
|
|
<IPv4 id="id32647X21143" name="firewall100:em0:ip" comment="" ro="False" address="10.3.14.81" netmask="255.255.255.0"/>
|
|
<InterfaceOptions>
|
|
<Option name="enable_stp">False</Option>
|
|
<Option name="iface_configure_mtu">True</Option>
|
|
<Option name="iface_mtu">1490</Option>
|
|
<Option name="iface_options"></Option>
|
|
<Option name="type">ethernet</Option>
|
|
<Option name="vlan_id">0</Option>
|
|
</InterfaceOptions>
|
|
</Interface>
|
|
<Interface id="id32649X21143" dedicated_failover="False" dyn="False" label="" security_level="100" unnum="False" unprotected="False" name="em1" comment="" ro="False">
|
|
<IPv4 id="id32652X21143" name="firewall100:em1:ip" comment="" ro="False" address="10.1.1.81" netmask="255.255.255.0"/>
|
|
<InterfaceOptions/>
|
|
</Interface>
|
|
<Management address="0.0.0.0">
|
|
<SNMPManagement enabled="False" snmp_read_community="" snmp_write_community=""/>
|
|
<FWBDManagement enabled="False" identity="" port="-1"/>
|
|
<PolicyInstallScript arguments="" command="" enabled="False"/>
|
|
</Management>
|
|
<FirewallOptions>
|
|
<Option name="accept_new_tcp_with_no_syn">False</Option>
|
|
<Option name="activationCmd"></Option>
|
|
<Option name="admUser">root</Option>
|
|
<Option name="altAddress"></Option>
|
|
<Option name="check_shading">True</Option>
|
|
<Option name="cmdline">-xt</Option>
|
|
<Option name="compiler"></Option>
|
|
<Option name="conf_file_name_on_firewall">/etc/fw/path with space/pf.conf</Option>
|
|
<Option name="configure_carp_interfaces">False</Option>
|
|
<Option name="configure_interfaces">True</Option>
|
|
<Option name="configure_pfsync_interfaces">False</Option>
|
|
<Option name="configure_vlan_interfaces">False</Option>
|
|
<Option name="debug">False</Option>
|
|
<Option name="epilog_script"></Option>
|
|
<Option name="fallback_log">False</Option>
|
|
<Option name="firewall_dir">/etc</Option>
|
|
<Option name="ignore_empty_groups">False</Option>
|
|
<Option name="in_out_code">true</Option>
|
|
<Option name="ipv4_6_order">ipv4_first</Option>
|
|
<Option name="log_prefix">RULE %N -- %A </Option>
|
|
<Option name="loopback_interface">lo0</Option>
|
|
<Option name="manage_virtual_addr">True</Option>
|
|
<Option name="mgmt_addr">10.3.14.30</Option>
|
|
<Option name="mgmt_ssh">True</Option>
|
|
<Option name="openbsd_ip_forward">1</Option>
|
|
<Option name="output_file"></Option>
|
|
<Option name="pass_all_out">false</Option>
|
|
<Option name="pf_adaptive_end">0</Option>
|
|
<Option name="pf_adaptive_start">0</Option>
|
|
<Option name="pf_do_limit_frags">False</Option>
|
|
<Option name="pf_do_limit_src_nodes">False</Option>
|
|
<Option name="pf_do_limit_states">False</Option>
|
|
<Option name="pf_do_limit_table_entries">False</Option>
|
|
<Option name="pf_do_limit_tables">False</Option>
|
|
<Option name="pf_do_scrub">True</Option>
|
|
<Option name="pf_do_timeout_frag">False</Option>
|
|
<Option name="pf_do_timeout_interval">False</Option>
|
|
<Option name="pf_flush_states">False</Option>
|
|
<Option name="pf_icmp_error">0</Option>
|
|
<Option name="pf_icmp_first">0</Option>
|
|
<Option name="pf_limit_frags">5000</Option>
|
|
<Option name="pf_limit_src_nodes">0</Option>
|
|
<Option name="pf_limit_states">10000</Option>
|
|
<Option name="pf_limit_table_entries">0</Option>
|
|
<Option name="pf_limit_tables">0</Option>
|
|
<Option name="pf_modulate_state">False</Option>
|
|
<Option name="pf_optimization"></Option>
|
|
<Option name="pf_other_first">0</Option>
|
|
<Option name="pf_other_multiple">0</Option>
|
|
<Option name="pf_other_single">0</Option>
|
|
<Option name="pf_scrub_fragm_crop">False</Option>
|
|
<Option name="pf_scrub_fragm_drop_ovl">False</Option>
|
|
<Option name="pf_scrub_maxmss">1460</Option>
|
|
<Option name="pf_scrub_minttl">1</Option>
|
|
<Option name="pf_scrub_no_df">True</Option>
|
|
<Option name="pf_scrub_random_id">True</Option>
|
|
<Option name="pf_scrub_reassemble">False</Option>
|
|
<Option name="pf_scrub_reassemble_tcp">True</Option>
|
|
<Option name="pf_scrub_use_maxmss">True</Option>
|
|
<Option name="pf_scrub_use_minttl">True</Option>
|
|
<Option name="pf_set_adaptive">False</Option>
|
|
<Option name="pf_set_icmp_error">False</Option>
|
|
<Option name="pf_set_icmp_first">False</Option>
|
|
<Option name="pf_set_other_first">False</Option>
|
|
<Option name="pf_set_other_multiple">False</Option>
|
|
<Option name="pf_set_other_single">False</Option>
|
|
<Option name="pf_set_tcp_closed">False</Option>
|
|
<Option name="pf_set_tcp_closing">False</Option>
|
|
<Option name="pf_set_tcp_established">False</Option>
|
|
<Option name="pf_set_tcp_finwait">False</Option>
|
|
<Option name="pf_set_tcp_first">False</Option>
|
|
<Option name="pf_set_tcp_opening">False</Option>
|
|
<Option name="pf_set_udp_first">False</Option>
|
|
<Option name="pf_set_udp_multiple">False</Option>
|
|
<Option name="pf_set_udp_single">True</Option>
|
|
<Option name="pf_state_policy"></Option>
|
|
<Option name="pf_tcp_closed">0</Option>
|
|
<Option name="pf_tcp_closing">0</Option>
|
|
<Option name="pf_tcp_established">0</Option>
|
|
<Option name="pf_tcp_finwait">0</Option>
|
|
<Option name="pf_tcp_first">0</Option>
|
|
<Option name="pf_tcp_opening">0</Option>
|
|
<Option name="pf_timeout_frag">30</Option>
|
|
<Option name="pf_timeout_interval">10</Option>
|
|
<Option name="pf_udp_first">0</Option>
|
|
<Option name="pf_udp_multiple">0</Option>
|
|
<Option name="pf_udp_single">5</Option>
|
|
<Option name="prolog_place">fw_file</Option>
|
|
<Option name="prolog_script"></Option>
|
|
<Option name="scpArgs"></Option>
|
|
<Option name="script_name_on_firewall">/etc/fw/pf.fw</Option>
|
|
<Option name="sshArgs"></Option>
|
|
</FirewallOptions>
|
|
</Firewall>
|
|
<Firewall id="id32878X1082" host_OS="freebsd" inactive="False" lastCompiled="1296777918" lastInstalled="0" lastModified="1296687915" platform="pf" version="" name="firewall-ipv6-3" comment="" ro="False">
|
|
<NAT id="id33298X1082" name="NAT" comment="" ro="False" ipv4_rule_set="False" ipv6_rule_set="False" top_rule_set="True">
|
|
<RuleSetOptions/>
|
|
</NAT>
|
|
<Policy id="id32900X1082" name="Policy_ipv4" comment="" ro="False" ipv4_rule_set="False" ipv6_rule_set="False" top_rule_set="False">
|
|
<PolicyRule id="id32902X1082" disabled="False" group="" log="False" position="0" action="Accept" direction="Both" comment="">
|
|
<Src neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="id32893X1082"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="pf_classify_str"></Option>
|
|
<Option name="stateless">False</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<RuleSetOptions/>
|
|
</Policy>
|
|
<Policy id="id32959X1082" name="Policy" comment="" ro="False" ipv4_rule_set="False" ipv6_rule_set="True" top_rule_set="True">
|
|
<PolicyRule id="id32961X1082" disabled="False" group="" log="False" position="0" action="Accept" direction="Both" comment="">
|
|
<Src neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="id32893X1082"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="pf_classify_str"></Option>
|
|
<Option name="stateless">False</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<RuleSetOptions/>
|
|
</Policy>
|
|
<Routing id="id33301X1082" name="Routing" comment="" ro="False" ipv4_rule_set="False" ipv6_rule_set="False" top_rule_set="True">
|
|
<RuleSetOptions/>
|
|
</Routing>
|
|
<Interface id="id32886X1082" dedicated_failover="False" dyn="False" label="" mgmt="False" security_level="50" unnum="False" unprotected="False" name="ed0" comment="" ro="False">
|
|
<IPv4 id="id32890X1082" name="firewall-ipv6-3:ed0:ip" comment="" ro="False" address="1.1.1.1" netmask="255.255.255.0"/>
|
|
<IPv4 id="id33436X1082" name="firewall-ipv6-3:ed0:ip-1" comment="" ro="False" address="10.10.10.1" netmask="255.255.255.0"/>
|
|
<IPv4 id="id33467X1082" name="firewall-ipv6-3:ed0:ip-2" comment="" ro="False" address="10.10.10.2" netmask="255.255.255.0"/>
|
|
<IPv6 id="id32891X1082" name="firewall-ipv6-3:ed0:ip6" comment="" ro="False" address="fe80::21d:9ff:fe8b:8e94" netmask="64"/>
|
|
<IPv6 id="id33445X1082" name="firewall-ipv6-3:ed0:ipv6" comment="" ro="False" address="2001:db8::1" netmask="64"/>
|
|
<IPv6 id="id33458X1082" name="firewall-ipv6-3:ed0:ipv6-1" comment="" ro="False" address="2001:db8::2" netmask="64"/>
|
|
<InterfaceOptions/>
|
|
</Interface>
|
|
<Interface id="id32893X1082" dedicated_failover="False" dyn="False" label="" mgmt="False" security_level="100" unnum="False" unprotected="False" name="lo0" comment="" ro="False">
|
|
<IPv4 id="id32897X1082" name="firewall-ipv6-3:lo0:ip" comment="" ro="False" address="127.0.0.1" netmask="255.0.0.0"/>
|
|
<IPv6 id="id32898X1082" name="firewall-ipv6-3:lo0:ip6" comment="" ro="False" address="::1" netmask="128"/>
|
|
<InterfaceOptions/>
|
|
</Interface>
|
|
<Interface id="id196213X1082" dedicated_failover="False" dyn="False" label="" mgmt="False" security_level="0" unnum="True" unprotected="False" name="ed1" comment="" ro="False">
|
|
<InterfaceOptions>
|
|
<Option name="type">ethernet</Option>
|
|
</InterfaceOptions>
|
|
<Interface id="id196239X1082" dedicated_failover="False" dyn="False" label="" mgmt="False" security_level="0" unnum="False" unprotected="False" name="vlan100" comment="" ro="False">
|
|
<IPv4 id="id196259X1082" name="firewall-ipv6-3:ed1:vlan100:ip" comment="" ro="False" address="172.16.1.1" netmask="255.255.255.240"/>
|
|
<InterfaceOptions>
|
|
<Option name="type">8021q</Option>
|
|
<Option name="vlan_id">100</Option>
|
|
</InterfaceOptions>
|
|
</Interface>
|
|
<Interface id="id196253X1082" dedicated_failover="False" dyn="False" security_level="0" unnum="False" unprotected="False" name="vlan101" comment="" ro="False">
|
|
<IPv4 id="id196268X1082" name="firewall-ipv6-3:ed1:vlan101:ip" comment="" ro="False" address="172.16.2.1" netmask="255.255.255.240"/>
|
|
<InterfaceOptions>
|
|
<Option name="type">8021q</Option>
|
|
<Option name="vlan_id">101</Option>
|
|
</InterfaceOptions>
|
|
</Interface>
|
|
</Interface>
|
|
<Management address="1.1.1.1">
|
|
<SNMPManagement enabled="False" snmp_read_community="" snmp_write_community=""/>
|
|
<FWBDManagement enabled="False" identity="" port="-1"/>
|
|
<PolicyInstallScript arguments="" command="" enabled="False"/>
|
|
</Management>
|
|
<FirewallOptions>
|
|
<Option name="accept_established">True</Option>
|
|
<Option name="accept_new_tcp_with_no_syn">True</Option>
|
|
<Option name="action_on_reject"></Option>
|
|
<Option name="activationCmd"></Option>
|
|
<Option name="add_check_state_rule">true</Option>
|
|
<Option name="admUser"></Option>
|
|
<Option name="altAddress"></Option>
|
|
<Option name="bridging_fw">False</Option>
|
|
<Option name="check_shading">True</Option>
|
|
<Option name="clamp_mss_to_mtu">False</Option>
|
|
<Option name="classify_mark_terminating">False</Option>
|
|
<Option name="cmdline">-xt</Option>
|
|
<Option name="compiler"></Option>
|
|
<Option name="conf1_file"></Option>
|
|
<Option name="conf_file_name_on_firewall"></Option>
|
|
<Option name="configure_carp_interfaces">True</Option>
|
|
<Option name="configure_interfaces">True</Option>
|
|
<Option name="configure_pfsync_interfaces">True</Option>
|
|
<Option name="configure_vlan_interfaces">True</Option>
|
|
<Option name="debug">False</Option>
|
|
<Option name="drop_invalid">False</Option>
|
|
<Option name="eliminate_duplicates">true</Option>
|
|
<Option name="enable_ipv6">True</Option>
|
|
<Option name="epilog_script"></Option>
|
|
<Option name="fallback_log">False</Option>
|
|
<Option name="firewall_dir">/etc</Option>
|
|
<Option name="firewall_is_part_of_any_and_networks">True</Option>
|
|
<Option name="freebsd_ip_forward">1</Option>
|
|
<Option name="freebsd_ip_redirect"></Option>
|
|
<Option name="freebsd_ip_sourceroute"></Option>
|
|
<Option name="freebsd_ipv6_forward">1</Option>
|
|
<Option name="freebsd_path_ipf"></Option>
|
|
<Option name="freebsd_path_ipfw"></Option>
|
|
<Option name="freebsd_path_ipnat"></Option>
|
|
<Option name="freebsd_path_sysctl"></Option>
|
|
<Option name="generate_rc_conf_file">True</Option>
|
|
<Option name="generate_shell_script">False</Option>
|
|
<Option name="ignore_empty_groups">False</Option>
|
|
<Option name="in_out_code">True</Option>
|
|
<Option name="iosacl_add_clear_statements">true</Option>
|
|
<Option name="iosacl_assume_fw_part_of_any">true</Option>
|
|
<Option name="iosacl_include_comments">true</Option>
|
|
<Option name="ipv4_6_order">ipv4_first</Option>
|
|
<Option name="limit_suffix"></Option>
|
|
<Option name="limit_value">0</Option>
|
|
<Option name="linux24_ip_forward">1</Option>
|
|
<Option name="load_modules">True</Option>
|
|
<Option name="local_nat">False</Option>
|
|
<Option name="log_all">False</Option>
|
|
<Option name="log_invalid">False</Option>
|
|
<Option name="log_ip_opt">False</Option>
|
|
<Option name="log_level">info</Option>
|
|
<Option name="log_prefix">RULE %N -- %A </Option>
|
|
<Option name="log_tcp_opt">False</Option>
|
|
<Option name="log_tcp_seq">False</Option>
|
|
<Option name="loopback_interface">lo0</Option>
|
|
<Option name="macosx_ip_forward">1</Option>
|
|
<Option name="manage_virtual_addr">True</Option>
|
|
<Option name="mgmt_addr"></Option>
|
|
<Option name="mgmt_ssh">False</Option>
|
|
<Option name="modulate_state">False</Option>
|
|
<Option name="no_ipv6_default_policy">False</Option>
|
|
<Option name="openbsd_ip_directed_broadcast"></Option>
|
|
<Option name="openbsd_ip_forward">1</Option>
|
|
<Option name="openbsd_ip_redirect"></Option>
|
|
<Option name="openbsd_ip_sourceroute"></Option>
|
|
<Option name="openbsd_ipv6_forward">1</Option>
|
|
<Option name="openbsd_path_pfctl"></Option>
|
|
<Option name="openbsd_path_sysctl"></Option>
|
|
<Option name="output_file"></Option>
|
|
<Option name="pass_all_out">False</Option>
|
|
<Option name="pf_adaptive_end">0</Option>
|
|
<Option name="pf_adaptive_start">0</Option>
|
|
<Option name="pf_do_limit_frags">False</Option>
|
|
<Option name="pf_do_limit_src_nodes">False</Option>
|
|
<Option name="pf_do_limit_states">False</Option>
|
|
<Option name="pf_do_limit_table_entries">False</Option>
|
|
<Option name="pf_do_limit_tables">False</Option>
|
|
<Option name="pf_do_scrub">False</Option>
|
|
<Option name="pf_do_timeout_frag">False</Option>
|
|
<Option name="pf_do_timeout_interval">False</Option>
|
|
<Option name="pf_flush_states">False</Option>
|
|
<Option name="pf_icmp_error">0</Option>
|
|
<Option name="pf_icmp_first">0</Option>
|
|
<Option name="pf_limit_frags">5000</Option>
|
|
<Option name="pf_limit_src_nodes">0</Option>
|
|
<Option name="pf_limit_states">10000</Option>
|
|
<Option name="pf_limit_table_entries">0</Option>
|
|
<Option name="pf_limit_tables">0</Option>
|
|
<Option name="pf_modulate_state">False</Option>
|
|
<Option name="pf_optimization"></Option>
|
|
<Option name="pf_other_first">0</Option>
|
|
<Option name="pf_other_multiple">0</Option>
|
|
<Option name="pf_other_single">0</Option>
|
|
<Option name="pf_scrub_fragm_crop">False</Option>
|
|
<Option name="pf_scrub_fragm_drop_ovl">False</Option>
|
|
<Option name="pf_scrub_maxmss">1460</Option>
|
|
<Option name="pf_scrub_minttl">0</Option>
|
|
<Option name="pf_scrub_no_df">False</Option>
|
|
<Option name="pf_scrub_random_id">False</Option>
|
|
<Option name="pf_scrub_reassemble">True</Option>
|
|
<Option name="pf_scrub_reassemble_tcp">False</Option>
|
|
<Option name="pf_scrub_use_maxmss">False</Option>
|
|
<Option name="pf_scrub_use_minttl">False</Option>
|
|
<Option name="pf_set_adaptive">False</Option>
|
|
<Option name="pf_set_icmp_error">False</Option>
|
|
<Option name="pf_set_icmp_first">False</Option>
|
|
<Option name="pf_set_other_first">False</Option>
|
|
<Option name="pf_set_other_multiple">False</Option>
|
|
<Option name="pf_set_other_single">False</Option>
|
|
<Option name="pf_set_tcp_closed">False</Option>
|
|
<Option name="pf_set_tcp_closing">False</Option>
|
|
<Option name="pf_set_tcp_established">False</Option>
|
|
<Option name="pf_set_tcp_finwait">False</Option>
|
|
<Option name="pf_set_tcp_first">False</Option>
|
|
<Option name="pf_set_tcp_opening">False</Option>
|
|
<Option name="pf_set_udp_first">False</Option>
|
|
<Option name="pf_set_udp_multiple">False</Option>
|
|
<Option name="pf_set_udp_single">False</Option>
|
|
<Option name="pf_state_policy"></Option>
|
|
<Option name="pf_tcp_closed">0</Option>
|
|
<Option name="pf_tcp_closing">0</Option>
|
|
<Option name="pf_tcp_established">0</Option>
|
|
<Option name="pf_tcp_finwait">0</Option>
|
|
<Option name="pf_tcp_first">0</Option>
|
|
<Option name="pf_tcp_opening">0</Option>
|
|
<Option name="pf_timeout_frag">30</Option>
|
|
<Option name="pf_timeout_interval">10</Option>
|
|
<Option name="pf_udp_first">0</Option>
|
|
<Option name="pf_udp_multiple">0</Option>
|
|
<Option name="pf_udp_single">0</Option>
|
|
<Option name="pix_add_clear_statements">true</Option>
|
|
<Option name="pix_assume_fw_part_of_any">true</Option>
|
|
<Option name="pix_default_logint">300</Option>
|
|
<Option name="pix_emblem_log_format">false</Option>
|
|
<Option name="pix_emulate_out_acl">true</Option>
|
|
<Option name="pix_floodguard">true</Option>
|
|
<Option name="pix_include_comments">true</Option>
|
|
<Option name="pix_route_dnat_supported">true</Option>
|
|
<Option name="pix_rule_syslog_settings">false</Option>
|
|
<Option name="pix_security_fragguard_supported">true</Option>
|
|
<Option name="pix_syslog_device_id_supported">false</Option>
|
|
<Option name="pix_use_acl_remarks">true</Option>
|
|
<Option name="prolog_place">fw_file</Option>
|
|
<Option name="prolog_script"></Option>
|
|
<Option name="prompt1">$ </Option>
|
|
<Option name="prompt2"> # </Option>
|
|
<Option name="scpArgs"></Option>
|
|
<Option name="script_name_on_firewall"></Option>
|
|
<Option name="solaris_ip_forward">1</Option>
|
|
<Option name="sshArgs"></Option>
|
|
<Option name="ulog_cprange">0</Option>
|
|
<Option name="ulog_nlgroup">1</Option>
|
|
<Option name="ulog_qthreshold">1</Option>
|
|
<Option name="use_ULOG">False</Option>
|
|
<Option name="use_iptables_restore">False</Option>
|
|
<Option name="use_numeric_log_levels">False</Option>
|
|
<Option name="verify_interfaces">True</Option>
|
|
</FirewallOptions>
|
|
</Firewall>
|
|
<Firewall id="id33080X19696" host_OS="freebsd" inactive="False" lastCompiled="1296525125" lastInstalled="1271995582" lastModified="1297661513" platform="pf" version="4.7" name="firewall101" comment="routing rules, shell script format" ro="False">
|
|
<NAT id="id33129X19696" name="NAT" comment="" ro="False" ipv4_rule_set="False" ipv6_rule_set="False" top_rule_set="True">
|
|
<RuleSetOptions/>
|
|
</NAT>
|
|
<Policy id="id33098X19696" name="Policy" comment="" ro="False" ipv4_rule_set="False" ipv6_rule_set="False" top_rule_set="True">
|
|
<PolicyRule id="id33100X19696" disabled="False" group="" log="True" position="0" action="Deny" direction="Both" comment="">
|
|
<Src neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="pf_classify_str"></Option>
|
|
<Option name="stateless">True</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<RuleSetOptions/>
|
|
</Policy>
|
|
<Routing id="id33132X19696" name="Routing" comment="" ro="False" ipv4_rule_set="False" ipv6_rule_set="False" top_rule_set="True">
|
|
<RoutingRule id="id33134X19696" disabled="False" group="" metric="0" position="0" comment="setting default via gateway line 2 comment ">
|
|
<RDst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</RDst>
|
|
<RGtw neg="False">
|
|
<ObjectRef ref="id33008X21143"/>
|
|
</RGtw>
|
|
<RItf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</RItf>
|
|
<RoutingRuleOptions/>
|
|
</RoutingRule>
|
|
<RoutingRule id="id33152X19696" disabled="False" group="" metric="0" position="1" comment="empty rule ">
|
|
<RDst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</RDst>
|
|
<RGtw neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</RGtw>
|
|
<RItf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</RItf>
|
|
<RoutingRuleOptions/>
|
|
</RoutingRule>
|
|
<RoutingRule id="id33170X19696" disabled="False" group="" metric="0" position="2" comment="">
|
|
<RDst neg="False">
|
|
<ObjectRef ref="id79492X23273"/>
|
|
</RDst>
|
|
<RGtw neg="False">
|
|
<ObjectRef ref="id33008X21143"/>
|
|
</RGtw>
|
|
<RItf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</RItf>
|
|
<RoutingRuleOptions/>
|
|
</RoutingRule>
|
|
<RoutingRule id="id33188X19696" disabled="False" group="" metric="3" position="3" comment="">
|
|
<RDst neg="False">
|
|
<ObjectRef ref="id3B665641"/>
|
|
</RDst>
|
|
<RGtw neg="False">
|
|
<ObjectRef ref="id33008X21143"/>
|
|
</RGtw>
|
|
<RItf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</RItf>
|
|
<RoutingRuleOptions/>
|
|
</RoutingRule>
|
|
<RoutingRule id="id33206X19696" disabled="False" group="" metric="0" position="4" comment="">
|
|
<RDst neg="False">
|
|
<ObjectRef ref="id3B665641"/>
|
|
<ObjectRef ref="id3B665643"/>
|
|
</RDst>
|
|
<RGtw neg="False">
|
|
<ObjectRef ref="id33008X21143"/>
|
|
</RGtw>
|
|
<RItf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</RItf>
|
|
<RoutingRuleOptions/>
|
|
</RoutingRule>
|
|
<RuleSetOptions/>
|
|
</Routing>
|
|
<Interface id="id33088X19696" dedicated_failover="False" dyn="False" label="" mgmt="True" security_level="100" unnum="False" unprotected="False" name="em0" comment="" ro="False">
|
|
<IPv4 id="id33091X19696" name="firewall101:em0:ip" comment="" ro="False" address="10.3.14.81" netmask="255.255.255.0"/>
|
|
<InterfaceOptions>
|
|
<Option name="enable_stp">False</Option>
|
|
<Option name="iface_configure_mtu">True</Option>
|
|
<Option name="iface_mtu">1490</Option>
|
|
<Option name="iface_options"></Option>
|
|
<Option name="type">ethernet</Option>
|
|
<Option name="vlan_id">0</Option>
|
|
</InterfaceOptions>
|
|
</Interface>
|
|
<Interface id="id33093X19696" dedicated_failover="False" dyn="False" label="" security_level="100" unnum="False" unprotected="False" name="em1" comment="" ro="False">
|
|
<IPv4 id="id33096X19696" name="firewall101:em1:ip" comment="" ro="False" address="10.1.1.81" netmask="255.255.255.0"/>
|
|
<InterfaceOptions/>
|
|
</Interface>
|
|
<Management address="0.0.0.0">
|
|
<SNMPManagement enabled="False" snmp_read_community="" snmp_write_community=""/>
|
|
<FWBDManagement enabled="False" identity="" port="-1"/>
|
|
<PolicyInstallScript arguments="" command="" enabled="False"/>
|
|
</Management>
|
|
<FirewallOptions>
|
|
<Option name="accept_new_tcp_with_no_syn">False</Option>
|
|
<Option name="activationCmd"></Option>
|
|
<Option name="admUser">root</Option>
|
|
<Option name="altAddress"></Option>
|
|
<Option name="check_shading">True</Option>
|
|
<Option name="cmdline">-xt</Option>
|
|
<Option name="compiler"></Option>
|
|
<Option name="conf1_file"></Option>
|
|
<Option name="conf_file_name_on_firewall">/etc/fw/path with space/pf.conf</Option>
|
|
<Option name="configure_bridge_interfaces">False</Option>
|
|
<Option name="configure_carp_interfaces">False</Option>
|
|
<Option name="configure_interfaces">True</Option>
|
|
<Option name="configure_pfsync_interfaces">False</Option>
|
|
<Option name="configure_vlan_interfaces">False</Option>
|
|
<Option name="debug">False</Option>
|
|
<Option name="epilog_script"></Option>
|
|
<Option name="fallback_log">False</Option>
|
|
<Option name="firewall_dir">/etc</Option>
|
|
<Option name="freebsd_ip_forward">1</Option>
|
|
<Option name="generate_rc_conf_file">False</Option>
|
|
<Option name="generate_shell_script">True</Option>
|
|
<Option name="ignore_empty_groups">False</Option>
|
|
<Option name="in_out_code">true</Option>
|
|
<Option name="ipv4_6_order">ipv4_first</Option>
|
|
<Option name="log_prefix">RULE %N -- %A </Option>
|
|
<Option name="loopback_interface">lo0</Option>
|
|
<Option name="manage_virtual_addr">True</Option>
|
|
<Option name="mgmt_addr">10.3.14.30</Option>
|
|
<Option name="mgmt_ssh">True</Option>
|
|
<Option name="openbsd_ip_forward">1</Option>
|
|
<Option name="output_file"></Option>
|
|
<Option name="pass_all_out">false</Option>
|
|
<Option name="pf_adaptive_end">0</Option>
|
|
<Option name="pf_adaptive_start">0</Option>
|
|
<Option name="pf_do_limit_frags">False</Option>
|
|
<Option name="pf_do_limit_src_nodes">False</Option>
|
|
<Option name="pf_do_limit_states">False</Option>
|
|
<Option name="pf_do_limit_table_entries">False</Option>
|
|
<Option name="pf_do_limit_tables">False</Option>
|
|
<Option name="pf_do_scrub">True</Option>
|
|
<Option name="pf_do_timeout_frag">False</Option>
|
|
<Option name="pf_do_timeout_interval">False</Option>
|
|
<Option name="pf_flush_states">False</Option>
|
|
<Option name="pf_icmp_error">0</Option>
|
|
<Option name="pf_icmp_first">0</Option>
|
|
<Option name="pf_limit_frags">5000</Option>
|
|
<Option name="pf_limit_src_nodes">0</Option>
|
|
<Option name="pf_limit_states">10000</Option>
|
|
<Option name="pf_limit_table_entries">0</Option>
|
|
<Option name="pf_limit_tables">0</Option>
|
|
<Option name="pf_modulate_state">False</Option>
|
|
<Option name="pf_optimization"></Option>
|
|
<Option name="pf_other_first">0</Option>
|
|
<Option name="pf_other_multiple">0</Option>
|
|
<Option name="pf_other_single">0</Option>
|
|
<Option name="pf_scrub_fragm_crop">False</Option>
|
|
<Option name="pf_scrub_fragm_drop_ovl">False</Option>
|
|
<Option name="pf_scrub_maxmss">1460</Option>
|
|
<Option name="pf_scrub_minttl">1</Option>
|
|
<Option name="pf_scrub_no_df">True</Option>
|
|
<Option name="pf_scrub_random_id">True</Option>
|
|
<Option name="pf_scrub_reassemble">False</Option>
|
|
<Option name="pf_scrub_reassemble_tcp">True</Option>
|
|
<Option name="pf_scrub_use_maxmss">True</Option>
|
|
<Option name="pf_scrub_use_minttl">True</Option>
|
|
<Option name="pf_set_adaptive">False</Option>
|
|
<Option name="pf_set_icmp_error">False</Option>
|
|
<Option name="pf_set_icmp_first">False</Option>
|
|
<Option name="pf_set_other_first">False</Option>
|
|
<Option name="pf_set_other_multiple">False</Option>
|
|
<Option name="pf_set_other_single">False</Option>
|
|
<Option name="pf_set_tcp_closed">False</Option>
|
|
<Option name="pf_set_tcp_closing">False</Option>
|
|
<Option name="pf_set_tcp_established">False</Option>
|
|
<Option name="pf_set_tcp_finwait">False</Option>
|
|
<Option name="pf_set_tcp_first">False</Option>
|
|
<Option name="pf_set_tcp_opening">False</Option>
|
|
<Option name="pf_set_udp_first">False</Option>
|
|
<Option name="pf_set_udp_multiple">False</Option>
|
|
<Option name="pf_set_udp_single">True</Option>
|
|
<Option name="pf_state_policy"></Option>
|
|
<Option name="pf_tcp_closed">0</Option>
|
|
<Option name="pf_tcp_closing">0</Option>
|
|
<Option name="pf_tcp_established">0</Option>
|
|
<Option name="pf_tcp_finwait">0</Option>
|
|
<Option name="pf_tcp_first">0</Option>
|
|
<Option name="pf_tcp_opening">0</Option>
|
|
<Option name="pf_timeout_frag">30</Option>
|
|
<Option name="pf_timeout_interval">10</Option>
|
|
<Option name="pf_udp_first">0</Option>
|
|
<Option name="pf_udp_multiple">0</Option>
|
|
<Option name="pf_udp_single">5</Option>
|
|
<Option name="prolog_place">fw_file</Option>
|
|
<Option name="prolog_script"></Option>
|
|
<Option name="scpArgs"></Option>
|
|
<Option name="script_name_on_firewall">/etc/fw/pf.fw</Option>
|
|
<Option name="sshArgs"></Option>
|
|
</FirewallOptions>
|
|
</Firewall>
|
|
<Firewall id="id33316X5965" host_OS="freebsd" inactive="False" lastCompiled="1296525125" lastInstalled="1271995582" lastModified="1297661443" platform="pf" version="4.7" name="firewall102" comment="routing rules, rc.conf format" ro="False">
|
|
<NAT id="id33365X5965" name="NAT" comment="" ro="False" ipv4_rule_set="False" ipv6_rule_set="False" top_rule_set="True">
|
|
<RuleSetOptions/>
|
|
</NAT>
|
|
<Policy id="id33334X5965" name="Policy" comment="" ro="False" ipv4_rule_set="False" ipv6_rule_set="False" top_rule_set="True">
|
|
<PolicyRule id="id33336X5965" disabled="False" group="" log="True" position="0" action="Deny" direction="Both" comment="">
|
|
<Src neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="pf_classify_str"></Option>
|
|
<Option name="stateless">True</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<RuleSetOptions/>
|
|
</Policy>
|
|
<Routing id="id33368X5965" name="Routing" comment="" ro="False" ipv4_rule_set="False" ipv6_rule_set="False" top_rule_set="True">
|
|
<RoutingRule id="id34886X2131" disabled="False" group="" metric="0" position="0" comment="setting default via gateway line 2 comment ">
|
|
<RDst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</RDst>
|
|
<RGtw neg="False">
|
|
<ObjectRef ref="id33008X21143"/>
|
|
</RGtw>
|
|
<RItf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</RItf>
|
|
<RoutingRuleOptions/>
|
|
</RoutingRule>
|
|
<RoutingRule id="id34850X2131" disabled="False" group="" metric="0" position="1" comment="empty rule ">
|
|
<RDst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</RDst>
|
|
<RGtw neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</RGtw>
|
|
<RItf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</RItf>
|
|
<RoutingRuleOptions/>
|
|
</RoutingRule>
|
|
<RoutingRule id="id34814X2131" disabled="False" group="" metric="0" position="2" comment="">
|
|
<RDst neg="False">
|
|
<ObjectRef ref="id79492X23273"/>
|
|
</RDst>
|
|
<RGtw neg="False">
|
|
<ObjectRef ref="id33008X21143"/>
|
|
</RGtw>
|
|
<RItf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</RItf>
|
|
<RoutingRuleOptions/>
|
|
</RoutingRule>
|
|
<RoutingRule id="id34778X2131" disabled="False" group="" metric="3" position="3" comment="">
|
|
<RDst neg="False">
|
|
<ObjectRef ref="id3B665641"/>
|
|
</RDst>
|
|
<RGtw neg="False">
|
|
<ObjectRef ref="id33008X21143"/>
|
|
</RGtw>
|
|
<RItf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</RItf>
|
|
<RoutingRuleOptions/>
|
|
</RoutingRule>
|
|
<RoutingRule id="id34741X2131" disabled="False" group="" metric="0" position="4" comment="">
|
|
<RDst neg="False">
|
|
<ObjectRef ref="id3B665641"/>
|
|
<ObjectRef ref="id3B665643"/>
|
|
</RDst>
|
|
<RGtw neg="False">
|
|
<ObjectRef ref="id33008X21143"/>
|
|
</RGtw>
|
|
<RItf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</RItf>
|
|
<RoutingRuleOptions/>
|
|
</RoutingRule>
|
|
<RuleSetOptions/>
|
|
</Routing>
|
|
<Interface id="id33324X5965" dedicated_failover="False" dyn="False" label="" mgmt="True" security_level="100" unnum="False" unprotected="False" name="em0" comment="" ro="False">
|
|
<IPv4 id="id33327X5965" name="firewall102:em0:ip" comment="" ro="False" address="10.3.14.81" netmask="255.255.255.0"/>
|
|
<InterfaceOptions>
|
|
<Option name="enable_stp">False</Option>
|
|
<Option name="iface_configure_mtu">True</Option>
|
|
<Option name="iface_mtu">1490</Option>
|
|
<Option name="iface_options"></Option>
|
|
<Option name="type">ethernet</Option>
|
|
<Option name="vlan_id">0</Option>
|
|
</InterfaceOptions>
|
|
</Interface>
|
|
<Interface id="id33329X5965" dedicated_failover="False" dyn="False" label="" security_level="100" unnum="False" unprotected="False" name="em1" comment="" ro="False">
|
|
<IPv4 id="id33332X5965" name="firewall102:em1:ip" comment="" ro="False" address="10.1.1.81" netmask="255.255.255.0"/>
|
|
<InterfaceOptions/>
|
|
</Interface>
|
|
<Management address="0.0.0.0">
|
|
<SNMPManagement enabled="False" snmp_read_community="" snmp_write_community=""/>
|
|
<FWBDManagement enabled="False" identity="" port="-1"/>
|
|
<PolicyInstallScript arguments="" command="" enabled="False"/>
|
|
</Management>
|
|
<FirewallOptions>
|
|
<Option name="accept_new_tcp_with_no_syn">False</Option>
|
|
<Option name="activationCmd"></Option>
|
|
<Option name="admUser">root</Option>
|
|
<Option name="altAddress"></Option>
|
|
<Option name="check_shading">True</Option>
|
|
<Option name="cmdline">-xt</Option>
|
|
<Option name="compiler"></Option>
|
|
<Option name="conf1_file"></Option>
|
|
<Option name="conf_file_name_on_firewall">/etc/fw/path with space/pf.conf</Option>
|
|
<Option name="configure_carp_interfaces">False</Option>
|
|
<Option name="configure_interfaces">True</Option>
|
|
<Option name="configure_pfsync_interfaces">False</Option>
|
|
<Option name="configure_vlan_interfaces">False</Option>
|
|
<Option name="debug">False</Option>
|
|
<Option name="epilog_script"></Option>
|
|
<Option name="fallback_log">False</Option>
|
|
<Option name="firewall_dir">/etc</Option>
|
|
<Option name="freebsd_ip_forward">1</Option>
|
|
<Option name="generate_rc_conf_file">True</Option>
|
|
<Option name="generate_shell_script">False</Option>
|
|
<Option name="ignore_empty_groups">False</Option>
|
|
<Option name="in_out_code">true</Option>
|
|
<Option name="ipv4_6_order">ipv4_first</Option>
|
|
<Option name="log_prefix">RULE %N -- %A </Option>
|
|
<Option name="loopback_interface">lo0</Option>
|
|
<Option name="manage_virtual_addr">True</Option>
|
|
<Option name="mgmt_addr">10.3.14.30</Option>
|
|
<Option name="mgmt_ssh">True</Option>
|
|
<Option name="openbsd_ip_forward">1</Option>
|
|
<Option name="output_file"></Option>
|
|
<Option name="pass_all_out">false</Option>
|
|
<Option name="pf_adaptive_end">0</Option>
|
|
<Option name="pf_adaptive_start">0</Option>
|
|
<Option name="pf_do_limit_frags">False</Option>
|
|
<Option name="pf_do_limit_src_nodes">False</Option>
|
|
<Option name="pf_do_limit_states">False</Option>
|
|
<Option name="pf_do_limit_table_entries">False</Option>
|
|
<Option name="pf_do_limit_tables">False</Option>
|
|
<Option name="pf_do_scrub">True</Option>
|
|
<Option name="pf_do_timeout_frag">False</Option>
|
|
<Option name="pf_do_timeout_interval">False</Option>
|
|
<Option name="pf_flush_states">False</Option>
|
|
<Option name="pf_icmp_error">0</Option>
|
|
<Option name="pf_icmp_first">0</Option>
|
|
<Option name="pf_limit_frags">5000</Option>
|
|
<Option name="pf_limit_src_nodes">0</Option>
|
|
<Option name="pf_limit_states">10000</Option>
|
|
<Option name="pf_limit_table_entries">0</Option>
|
|
<Option name="pf_limit_tables">0</Option>
|
|
<Option name="pf_modulate_state">False</Option>
|
|
<Option name="pf_optimization"></Option>
|
|
<Option name="pf_other_first">0</Option>
|
|
<Option name="pf_other_multiple">0</Option>
|
|
<Option name="pf_other_single">0</Option>
|
|
<Option name="pf_scrub_fragm_crop">False</Option>
|
|
<Option name="pf_scrub_fragm_drop_ovl">False</Option>
|
|
<Option name="pf_scrub_maxmss">1460</Option>
|
|
<Option name="pf_scrub_minttl">1</Option>
|
|
<Option name="pf_scrub_no_df">True</Option>
|
|
<Option name="pf_scrub_random_id">True</Option>
|
|
<Option name="pf_scrub_reassemble">False</Option>
|
|
<Option name="pf_scrub_reassemble_tcp">True</Option>
|
|
<Option name="pf_scrub_use_maxmss">True</Option>
|
|
<Option name="pf_scrub_use_minttl">True</Option>
|
|
<Option name="pf_set_adaptive">False</Option>
|
|
<Option name="pf_set_icmp_error">False</Option>
|
|
<Option name="pf_set_icmp_first">False</Option>
|
|
<Option name="pf_set_other_first">False</Option>
|
|
<Option name="pf_set_other_multiple">False</Option>
|
|
<Option name="pf_set_other_single">False</Option>
|
|
<Option name="pf_set_tcp_closed">False</Option>
|
|
<Option name="pf_set_tcp_closing">False</Option>
|
|
<Option name="pf_set_tcp_established">False</Option>
|
|
<Option name="pf_set_tcp_finwait">False</Option>
|
|
<Option name="pf_set_tcp_first">False</Option>
|
|
<Option name="pf_set_tcp_opening">False</Option>
|
|
<Option name="pf_set_udp_first">False</Option>
|
|
<Option name="pf_set_udp_multiple">False</Option>
|
|
<Option name="pf_set_udp_single">True</Option>
|
|
<Option name="pf_state_policy"></Option>
|
|
<Option name="pf_tcp_closed">0</Option>
|
|
<Option name="pf_tcp_closing">0</Option>
|
|
<Option name="pf_tcp_established">0</Option>
|
|
<Option name="pf_tcp_finwait">0</Option>
|
|
<Option name="pf_tcp_first">0</Option>
|
|
<Option name="pf_tcp_opening">0</Option>
|
|
<Option name="pf_timeout_frag">30</Option>
|
|
<Option name="pf_timeout_interval">10</Option>
|
|
<Option name="pf_udp_first">0</Option>
|
|
<Option name="pf_udp_multiple">0</Option>
|
|
<Option name="pf_udp_single">5</Option>
|
|
<Option name="prolog_place">fw_file</Option>
|
|
<Option name="prolog_script"></Option>
|
|
<Option name="scpArgs"></Option>
|
|
<Option name="script_name_on_firewall">/etc/fw/pf.fw</Option>
|
|
<Option name="sshArgs"></Option>
|
|
</FirewallOptions>
|
|
</Firewall>
|
|
<Firewall id="id33552X2131" host_OS="freebsd" inactive="False" lastCompiled="1296525125" lastInstalled="1271995582" lastModified="1297029283" platform="pf" version="4.7" name="firewall103" comment="bridge interface, static address, shell script format" ro="False">
|
|
<NAT id="id33601X2131" name="NAT" comment="" ro="False" ipv4_rule_set="False" ipv6_rule_set="False" top_rule_set="True">
|
|
<RuleSetOptions/>
|
|
</NAT>
|
|
<Policy id="id33570X2131" name="Policy" comment="" ro="False" ipv4_rule_set="False" ipv6_rule_set="False" top_rule_set="True">
|
|
<PolicyRule id="id33572X2131" disabled="False" group="" log="True" position="0" action="Deny" direction="Both" comment="">
|
|
<Src neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="pf_classify_str"></Option>
|
|
<Option name="stateless">True</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<RuleSetOptions/>
|
|
</Policy>
|
|
<Routing id="id33604X2131" name="Routing" comment="" ro="False" ipv4_rule_set="False" ipv6_rule_set="False" top_rule_set="True">
|
|
<RuleSetOptions/>
|
|
</Routing>
|
|
<Interface id="id33560X2131" dedicated_failover="False" dyn="False" label="" mgmt="True" security_level="100" unnum="False" unprotected="False" name="em0" comment="" ro="False">
|
|
<IPv4 id="id33563X2131" name="firewall103:em0:ip" comment="" ro="False" address="10.3.14.81" netmask="255.255.255.0"/>
|
|
<InterfaceOptions/>
|
|
</Interface>
|
|
<Interface id="id33565X2131" dedicated_failover="False" dyn="False" label="" security_level="100" unnum="False" unprotected="False" name="em1" comment="" ro="False">
|
|
<IPv4 id="id33568X2131" name="firewall103:em1:ip" comment="" ro="False" address="10.1.1.81" netmask="255.255.255.0"/>
|
|
<InterfaceOptions/>
|
|
</Interface>
|
|
<Interface id="id33841X2131" dedicated_failover="False" dyn="False" label="" mgmt="False" security_level="0" unnum="False" unprotected="False" name="bridge0" comment="" ro="False">
|
|
<IPv4 id="id33899X2131" name="firewall103:bridge0:ip" comment="" ro="False" address="192.168.1.1" netmask="255.255.255.0"/>
|
|
<InterfaceOptions>
|
|
<Option name="type">bridge</Option>
|
|
<Option name="vlan_id">0</Option>
|
|
</InterfaceOptions>
|
|
<Interface id="id33875X2131" dedicated_failover="False" dyn="False" label="" mgmt="False" security_level="0" unnum="False" unprotected="False" name="em2" comment="" ro="False">
|
|
<InterfaceOptions>
|
|
<Option name="type">ethernet</Option>
|
|
</InterfaceOptions>
|
|
</Interface>
|
|
<Interface id="id33893X2131" dedicated_failover="False" dyn="False" security_level="0" unnum="False" unprotected="False" name="em3" comment="" ro="False">
|
|
<InterfaceOptions>
|
|
<Option name="type">ethernet</Option>
|
|
</InterfaceOptions>
|
|
</Interface>
|
|
</Interface>
|
|
<Management address="0.0.0.0">
|
|
<SNMPManagement enabled="False" snmp_read_community="" snmp_write_community=""/>
|
|
<FWBDManagement enabled="False" identity="" port="-1"/>
|
|
<PolicyInstallScript arguments="" command="" enabled="False"/>
|
|
</Management>
|
|
<FirewallOptions>
|
|
<Option name="accept_new_tcp_with_no_syn">False</Option>
|
|
<Option name="activationCmd"></Option>
|
|
<Option name="admUser">root</Option>
|
|
<Option name="altAddress"></Option>
|
|
<Option name="check_shading">True</Option>
|
|
<Option name="cmdline">-xt</Option>
|
|
<Option name="compiler"></Option>
|
|
<Option name="conf1_file"></Option>
|
|
<Option name="conf_file_name_on_firewall">/etc/fw/path with space/pf.conf</Option>
|
|
<Option name="configure_bridge_interfaces">True</Option>
|
|
<Option name="configure_carp_interfaces">True</Option>
|
|
<Option name="configure_interfaces">True</Option>
|
|
<Option name="configure_pfsync_interfaces">True</Option>
|
|
<Option name="configure_vlan_interfaces">True</Option>
|
|
<Option name="debug">False</Option>
|
|
<Option name="epilog_script"></Option>
|
|
<Option name="fallback_log">False</Option>
|
|
<Option name="firewall_dir">/etc</Option>
|
|
<Option name="freebsd_ip_forward">1</Option>
|
|
<Option name="generate_rc_conf_file">False</Option>
|
|
<Option name="generate_shell_script">True</Option>
|
|
<Option name="ignore_empty_groups">False</Option>
|
|
<Option name="in_out_code">true</Option>
|
|
<Option name="ipv4_6_order">ipv4_first</Option>
|
|
<Option name="log_prefix">RULE %N -- %A </Option>
|
|
<Option name="loopback_interface">lo0</Option>
|
|
<Option name="manage_virtual_addr">True</Option>
|
|
<Option name="mgmt_addr">10.3.14.30</Option>
|
|
<Option name="mgmt_ssh">True</Option>
|
|
<Option name="openbsd_ip_forward">1</Option>
|
|
<Option name="output_file"></Option>
|
|
<Option name="pass_all_out">false</Option>
|
|
<Option name="pf_adaptive_end">0</Option>
|
|
<Option name="pf_adaptive_start">0</Option>
|
|
<Option name="pf_do_limit_frags">False</Option>
|
|
<Option name="pf_do_limit_src_nodes">False</Option>
|
|
<Option name="pf_do_limit_states">False</Option>
|
|
<Option name="pf_do_limit_table_entries">False</Option>
|
|
<Option name="pf_do_limit_tables">False</Option>
|
|
<Option name="pf_do_scrub">True</Option>
|
|
<Option name="pf_do_timeout_frag">False</Option>
|
|
<Option name="pf_do_timeout_interval">False</Option>
|
|
<Option name="pf_flush_states">False</Option>
|
|
<Option name="pf_icmp_error">0</Option>
|
|
<Option name="pf_icmp_first">0</Option>
|
|
<Option name="pf_limit_frags">5000</Option>
|
|
<Option name="pf_limit_src_nodes">0</Option>
|
|
<Option name="pf_limit_states">10000</Option>
|
|
<Option name="pf_limit_table_entries">0</Option>
|
|
<Option name="pf_limit_tables">0</Option>
|
|
<Option name="pf_modulate_state">False</Option>
|
|
<Option name="pf_optimization"></Option>
|
|
<Option name="pf_other_first">0</Option>
|
|
<Option name="pf_other_multiple">0</Option>
|
|
<Option name="pf_other_single">0</Option>
|
|
<Option name="pf_scrub_fragm_crop">False</Option>
|
|
<Option name="pf_scrub_fragm_drop_ovl">False</Option>
|
|
<Option name="pf_scrub_maxmss">1460</Option>
|
|
<Option name="pf_scrub_minttl">1</Option>
|
|
<Option name="pf_scrub_no_df">True</Option>
|
|
<Option name="pf_scrub_random_id">True</Option>
|
|
<Option name="pf_scrub_reassemble">False</Option>
|
|
<Option name="pf_scrub_reassemble_tcp">True</Option>
|
|
<Option name="pf_scrub_use_maxmss">True</Option>
|
|
<Option name="pf_scrub_use_minttl">True</Option>
|
|
<Option name="pf_set_adaptive">False</Option>
|
|
<Option name="pf_set_icmp_error">False</Option>
|
|
<Option name="pf_set_icmp_first">False</Option>
|
|
<Option name="pf_set_other_first">False</Option>
|
|
<Option name="pf_set_other_multiple">False</Option>
|
|
<Option name="pf_set_other_single">False</Option>
|
|
<Option name="pf_set_tcp_closed">False</Option>
|
|
<Option name="pf_set_tcp_closing">False</Option>
|
|
<Option name="pf_set_tcp_established">False</Option>
|
|
<Option name="pf_set_tcp_finwait">False</Option>
|
|
<Option name="pf_set_tcp_first">False</Option>
|
|
<Option name="pf_set_tcp_opening">False</Option>
|
|
<Option name="pf_set_udp_first">False</Option>
|
|
<Option name="pf_set_udp_multiple">False</Option>
|
|
<Option name="pf_set_udp_single">True</Option>
|
|
<Option name="pf_state_policy"></Option>
|
|
<Option name="pf_tcp_closed">0</Option>
|
|
<Option name="pf_tcp_closing">0</Option>
|
|
<Option name="pf_tcp_established">0</Option>
|
|
<Option name="pf_tcp_finwait">0</Option>
|
|
<Option name="pf_tcp_first">0</Option>
|
|
<Option name="pf_tcp_opening">0</Option>
|
|
<Option name="pf_timeout_frag">30</Option>
|
|
<Option name="pf_timeout_interval">10</Option>
|
|
<Option name="pf_udp_first">0</Option>
|
|
<Option name="pf_udp_multiple">0</Option>
|
|
<Option name="pf_udp_single">5</Option>
|
|
<Option name="prolog_place">fw_file</Option>
|
|
<Option name="prolog_script"></Option>
|
|
<Option name="scpArgs"></Option>
|
|
<Option name="script_name_on_firewall">/etc/fw/pf.fw</Option>
|
|
<Option name="sshArgs"></Option>
|
|
</FirewallOptions>
|
|
</Firewall>
|
|
<Firewall id="id33908X2131" host_OS="freebsd" inactive="False" lastCompiled="1296525125" lastInstalled="1271995582" lastModified="1297725454" platform="pf" version="4.7" name="firewall104" comment="bridge interface, dynamic address, shell script format, with STP" ro="False">
|
|
<NAT id="id33972X2131" name="NAT" comment="" ro="False" ipv4_rule_set="False" ipv6_rule_set="False" top_rule_set="True">
|
|
<RuleSetOptions/>
|
|
</NAT>
|
|
<Policy id="id33941X2131" name="Policy" comment="" ro="False" ipv4_rule_set="False" ipv6_rule_set="False" top_rule_set="True">
|
|
<PolicyRule id="id33943X2131" disabled="False" group="" log="True" position="0" action="Deny" direction="Both" comment="">
|
|
<Src neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="pf_classify_str"></Option>
|
|
<Option name="stateless">True</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<RuleSetOptions/>
|
|
</Policy>
|
|
<Routing id="id33975X2131" name="Routing" comment="" ro="False" ipv4_rule_set="False" ipv6_rule_set="False" top_rule_set="True">
|
|
<RuleSetOptions/>
|
|
</Routing>
|
|
<Interface id="id33916X2131" dedicated_failover="False" dyn="False" label="" mgmt="True" security_level="100" unnum="False" unprotected="False" name="em0" comment="" ro="False">
|
|
<IPv4 id="id33919X2131" name="firewall104:em0:ip" comment="" ro="False" address="10.3.14.81" netmask="255.255.255.0"/>
|
|
<InterfaceOptions/>
|
|
</Interface>
|
|
<Interface id="id33921X2131" dedicated_failover="False" dyn="False" label="" security_level="100" unnum="False" unprotected="False" name="em1" comment="" ro="False">
|
|
<IPv4 id="id33924X2131" name="firewall104:em1:ip" comment="" ro="False" address="10.1.1.81" netmask="255.255.255.0"/>
|
|
<InterfaceOptions/>
|
|
</Interface>
|
|
<Interface id="id33926X2131" dedicated_failover="False" dyn="True" label="" mgmt="False" security_level="0" unnum="False" unprotected="False" name="bridge0" comment="" ro="False">
|
|
<InterfaceOptions>
|
|
<Option name="enable_stp">True</Option>
|
|
<Option name="iface_configure_mtu">False</Option>
|
|
<Option name="iface_mtu">1500</Option>
|
|
<Option name="iface_options"></Option>
|
|
<Option name="type">bridge</Option>
|
|
<Option name="vlan_id">0</Option>
|
|
</InterfaceOptions>
|
|
<Interface id="id33935X2131" dedicated_failover="False" dyn="False" label="" mgmt="False" security_level="0" unnum="False" unprotected="False" name="em2" comment="" ro="False">
|
|
<InterfaceOptions>
|
|
<Option name="type">ethernet</Option>
|
|
</InterfaceOptions>
|
|
</Interface>
|
|
<Interface id="id33938X2131" dedicated_failover="False" dyn="False" security_level="0" unnum="False" unprotected="False" name="em3" comment="" ro="False">
|
|
<InterfaceOptions>
|
|
<Option name="type">ethernet</Option>
|
|
</InterfaceOptions>
|
|
</Interface>
|
|
</Interface>
|
|
<Management address="0.0.0.0">
|
|
<SNMPManagement enabled="False" snmp_read_community="" snmp_write_community=""/>
|
|
<FWBDManagement enabled="False" identity="" port="-1"/>
|
|
<PolicyInstallScript arguments="" command="" enabled="False"/>
|
|
</Management>
|
|
<FirewallOptions>
|
|
<Option name="accept_new_tcp_with_no_syn">False</Option>
|
|
<Option name="activationCmd"></Option>
|
|
<Option name="admUser">root</Option>
|
|
<Option name="altAddress"></Option>
|
|
<Option name="check_shading">True</Option>
|
|
<Option name="cmdline">-xt</Option>
|
|
<Option name="compiler"></Option>
|
|
<Option name="conf1_file"></Option>
|
|
<Option name="conf_file_name_on_firewall">/etc/fw/path with space/pf.conf</Option>
|
|
<Option name="configure_bridge_interfaces">True</Option>
|
|
<Option name="configure_carp_interfaces">True</Option>
|
|
<Option name="configure_interfaces">True</Option>
|
|
<Option name="configure_pfsync_interfaces">True</Option>
|
|
<Option name="configure_vlan_interfaces">True</Option>
|
|
<Option name="debug">False</Option>
|
|
<Option name="epilog_script"></Option>
|
|
<Option name="fallback_log">False</Option>
|
|
<Option name="firewall_dir">/etc</Option>
|
|
<Option name="freebsd_ip_forward">1</Option>
|
|
<Option name="generate_rc_conf_file">False</Option>
|
|
<Option name="generate_shell_script">True</Option>
|
|
<Option name="ignore_empty_groups">False</Option>
|
|
<Option name="in_out_code">true</Option>
|
|
<Option name="ipv4_6_order">ipv4_first</Option>
|
|
<Option name="log_prefix">RULE %N -- %A </Option>
|
|
<Option name="loopback_interface">lo0</Option>
|
|
<Option name="manage_virtual_addr">True</Option>
|
|
<Option name="mgmt_addr">10.3.14.30</Option>
|
|
<Option name="mgmt_ssh">True</Option>
|
|
<Option name="openbsd_ip_forward">1</Option>
|
|
<Option name="output_file"></Option>
|
|
<Option name="pass_all_out">false</Option>
|
|
<Option name="pf_adaptive_end">0</Option>
|
|
<Option name="pf_adaptive_start">0</Option>
|
|
<Option name="pf_do_limit_frags">False</Option>
|
|
<Option name="pf_do_limit_src_nodes">False</Option>
|
|
<Option name="pf_do_limit_states">False</Option>
|
|
<Option name="pf_do_limit_table_entries">False</Option>
|
|
<Option name="pf_do_limit_tables">False</Option>
|
|
<Option name="pf_do_scrub">True</Option>
|
|
<Option name="pf_do_timeout_frag">False</Option>
|
|
<Option name="pf_do_timeout_interval">False</Option>
|
|
<Option name="pf_flush_states">False</Option>
|
|
<Option name="pf_icmp_error">0</Option>
|
|
<Option name="pf_icmp_first">0</Option>
|
|
<Option name="pf_limit_frags">5000</Option>
|
|
<Option name="pf_limit_src_nodes">0</Option>
|
|
<Option name="pf_limit_states">10000</Option>
|
|
<Option name="pf_limit_table_entries">0</Option>
|
|
<Option name="pf_limit_tables">0</Option>
|
|
<Option name="pf_modulate_state">False</Option>
|
|
<Option name="pf_optimization"></Option>
|
|
<Option name="pf_other_first">0</Option>
|
|
<Option name="pf_other_multiple">0</Option>
|
|
<Option name="pf_other_single">0</Option>
|
|
<Option name="pf_scrub_fragm_crop">False</Option>
|
|
<Option name="pf_scrub_fragm_drop_ovl">False</Option>
|
|
<Option name="pf_scrub_maxmss">1460</Option>
|
|
<Option name="pf_scrub_minttl">1</Option>
|
|
<Option name="pf_scrub_no_df">True</Option>
|
|
<Option name="pf_scrub_random_id">True</Option>
|
|
<Option name="pf_scrub_reassemble">False</Option>
|
|
<Option name="pf_scrub_reassemble_tcp">True</Option>
|
|
<Option name="pf_scrub_use_maxmss">True</Option>
|
|
<Option name="pf_scrub_use_minttl">True</Option>
|
|
<Option name="pf_set_adaptive">False</Option>
|
|
<Option name="pf_set_icmp_error">False</Option>
|
|
<Option name="pf_set_icmp_first">False</Option>
|
|
<Option name="pf_set_other_first">False</Option>
|
|
<Option name="pf_set_other_multiple">False</Option>
|
|
<Option name="pf_set_other_single">False</Option>
|
|
<Option name="pf_set_tcp_closed">False</Option>
|
|
<Option name="pf_set_tcp_closing">False</Option>
|
|
<Option name="pf_set_tcp_established">False</Option>
|
|
<Option name="pf_set_tcp_finwait">False</Option>
|
|
<Option name="pf_set_tcp_first">False</Option>
|
|
<Option name="pf_set_tcp_opening">False</Option>
|
|
<Option name="pf_set_udp_first">False</Option>
|
|
<Option name="pf_set_udp_multiple">False</Option>
|
|
<Option name="pf_set_udp_single">True</Option>
|
|
<Option name="pf_state_policy"></Option>
|
|
<Option name="pf_tcp_closed">0</Option>
|
|
<Option name="pf_tcp_closing">0</Option>
|
|
<Option name="pf_tcp_established">0</Option>
|
|
<Option name="pf_tcp_finwait">0</Option>
|
|
<Option name="pf_tcp_first">0</Option>
|
|
<Option name="pf_tcp_opening">0</Option>
|
|
<Option name="pf_timeout_frag">30</Option>
|
|
<Option name="pf_timeout_interval">10</Option>
|
|
<Option name="pf_udp_first">0</Option>
|
|
<Option name="pf_udp_multiple">0</Option>
|
|
<Option name="pf_udp_single">5</Option>
|
|
<Option name="prolog_place">fw_file</Option>
|
|
<Option name="prolog_script"></Option>
|
|
<Option name="scpArgs"></Option>
|
|
<Option name="script_name_on_firewall">/etc/fw/pf.fw</Option>
|
|
<Option name="sshArgs"></Option>
|
|
</FirewallOptions>
|
|
</Firewall>
|
|
<Firewall id="id34168X2131" host_OS="freebsd" inactive="False" lastCompiled="1296525125" lastInstalled="1271995582" lastModified="1297029297" platform="pf" version="4.7" name="firewall105" comment="bridge interface, static address, rc.conf format" ro="False">
|
|
<NAT id="id34232X2131" name="NAT" comment="" ro="False" ipv4_rule_set="False" ipv6_rule_set="False" top_rule_set="True">
|
|
<RuleSetOptions/>
|
|
</NAT>
|
|
<Policy id="id34201X2131" name="Policy" comment="" ro="False" ipv4_rule_set="False" ipv6_rule_set="False" top_rule_set="True">
|
|
<PolicyRule id="id34203X2131" disabled="False" group="" log="True" position="0" action="Deny" direction="Both" comment="">
|
|
<Src neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="pf_classify_str"></Option>
|
|
<Option name="stateless">True</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<RuleSetOptions/>
|
|
</Policy>
|
|
<Routing id="id34235X2131" name="Routing" comment="" ro="False" ipv4_rule_set="False" ipv6_rule_set="False" top_rule_set="True">
|
|
<RuleSetOptions/>
|
|
</Routing>
|
|
<Interface id="id34176X2131" dedicated_failover="False" dyn="False" label="" mgmt="True" security_level="100" unnum="False" unprotected="False" name="em0" comment="" ro="False">
|
|
<IPv4 id="id34179X2131" name="firewall105:em0:ip" comment="" ro="False" address="10.3.14.81" netmask="255.255.255.0"/>
|
|
<InterfaceOptions/>
|
|
</Interface>
|
|
<Interface id="id34181X2131" dedicated_failover="False" dyn="False" label="" security_level="100" unnum="False" unprotected="False" name="em1" comment="" ro="False">
|
|
<IPv4 id="id34184X2131" name="firewall105:em1:ip" comment="" ro="False" address="10.1.1.81" netmask="255.255.255.0"/>
|
|
<InterfaceOptions/>
|
|
</Interface>
|
|
<Interface id="id34186X2131" dedicated_failover="False" dyn="False" label="" mgmt="False" security_level="0" unnum="False" unprotected="False" name="bridge0" comment="" ro="False">
|
|
<IPv4 id="id34193X2131" name="firewall105:bridge0:ip" comment="" ro="False" address="192.168.1.1" netmask="255.255.255.0"/>
|
|
<InterfaceOptions>
|
|
<Option name="type">bridge</Option>
|
|
<Option name="vlan_id">0</Option>
|
|
</InterfaceOptions>
|
|
<Interface id="id34195X2131" dedicated_failover="False" dyn="False" label="" mgmt="False" security_level="0" unnum="False" unprotected="False" name="em2" comment="" ro="False">
|
|
<InterfaceOptions>
|
|
<Option name="type">ethernet</Option>
|
|
</InterfaceOptions>
|
|
</Interface>
|
|
<Interface id="id34198X2131" dedicated_failover="False" dyn="False" security_level="0" unnum="False" unprotected="False" name="em3" comment="" ro="False">
|
|
<InterfaceOptions>
|
|
<Option name="type">ethernet</Option>
|
|
</InterfaceOptions>
|
|
</Interface>
|
|
</Interface>
|
|
<Management address="0.0.0.0">
|
|
<SNMPManagement enabled="False" snmp_read_community="" snmp_write_community=""/>
|
|
<FWBDManagement enabled="False" identity="" port="-1"/>
|
|
<PolicyInstallScript arguments="" command="" enabled="False"/>
|
|
</Management>
|
|
<FirewallOptions>
|
|
<Option name="accept_new_tcp_with_no_syn">False</Option>
|
|
<Option name="activationCmd"></Option>
|
|
<Option name="admUser">root</Option>
|
|
<Option name="altAddress"></Option>
|
|
<Option name="check_shading">True</Option>
|
|
<Option name="cmdline">-xt</Option>
|
|
<Option name="compiler"></Option>
|
|
<Option name="conf1_file"></Option>
|
|
<Option name="conf_file_name_on_firewall">/etc/fw/path with space/pf.conf</Option>
|
|
<Option name="configure_bridge_interfaces">True</Option>
|
|
<Option name="configure_carp_interfaces">True</Option>
|
|
<Option name="configure_interfaces">True</Option>
|
|
<Option name="configure_pfsync_interfaces">True</Option>
|
|
<Option name="configure_vlan_interfaces">True</Option>
|
|
<Option name="debug">False</Option>
|
|
<Option name="epilog_script"></Option>
|
|
<Option name="fallback_log">False</Option>
|
|
<Option name="firewall_dir">/etc</Option>
|
|
<Option name="freebsd_ip_forward">1</Option>
|
|
<Option name="generate_rc_conf_file">True</Option>
|
|
<Option name="generate_shell_script">False</Option>
|
|
<Option name="ignore_empty_groups">False</Option>
|
|
<Option name="in_out_code">true</Option>
|
|
<Option name="ipv4_6_order">ipv4_first</Option>
|
|
<Option name="log_prefix">RULE %N -- %A </Option>
|
|
<Option name="loopback_interface">lo0</Option>
|
|
<Option name="manage_virtual_addr">True</Option>
|
|
<Option name="mgmt_addr">10.3.14.30</Option>
|
|
<Option name="mgmt_ssh">True</Option>
|
|
<Option name="openbsd_ip_forward">1</Option>
|
|
<Option name="output_file"></Option>
|
|
<Option name="pass_all_out">false</Option>
|
|
<Option name="pf_adaptive_end">0</Option>
|
|
<Option name="pf_adaptive_start">0</Option>
|
|
<Option name="pf_do_limit_frags">False</Option>
|
|
<Option name="pf_do_limit_src_nodes">False</Option>
|
|
<Option name="pf_do_limit_states">False</Option>
|
|
<Option name="pf_do_limit_table_entries">False</Option>
|
|
<Option name="pf_do_limit_tables">False</Option>
|
|
<Option name="pf_do_scrub">True</Option>
|
|
<Option name="pf_do_timeout_frag">False</Option>
|
|
<Option name="pf_do_timeout_interval">False</Option>
|
|
<Option name="pf_flush_states">False</Option>
|
|
<Option name="pf_icmp_error">0</Option>
|
|
<Option name="pf_icmp_first">0</Option>
|
|
<Option name="pf_limit_frags">5000</Option>
|
|
<Option name="pf_limit_src_nodes">0</Option>
|
|
<Option name="pf_limit_states">10000</Option>
|
|
<Option name="pf_limit_table_entries">0</Option>
|
|
<Option name="pf_limit_tables">0</Option>
|
|
<Option name="pf_modulate_state">False</Option>
|
|
<Option name="pf_optimization"></Option>
|
|
<Option name="pf_other_first">0</Option>
|
|
<Option name="pf_other_multiple">0</Option>
|
|
<Option name="pf_other_single">0</Option>
|
|
<Option name="pf_scrub_fragm_crop">False</Option>
|
|
<Option name="pf_scrub_fragm_drop_ovl">False</Option>
|
|
<Option name="pf_scrub_maxmss">1460</Option>
|
|
<Option name="pf_scrub_minttl">1</Option>
|
|
<Option name="pf_scrub_no_df">True</Option>
|
|
<Option name="pf_scrub_random_id">True</Option>
|
|
<Option name="pf_scrub_reassemble">False</Option>
|
|
<Option name="pf_scrub_reassemble_tcp">True</Option>
|
|
<Option name="pf_scrub_use_maxmss">True</Option>
|
|
<Option name="pf_scrub_use_minttl">True</Option>
|
|
<Option name="pf_set_adaptive">False</Option>
|
|
<Option name="pf_set_icmp_error">False</Option>
|
|
<Option name="pf_set_icmp_first">False</Option>
|
|
<Option name="pf_set_other_first">False</Option>
|
|
<Option name="pf_set_other_multiple">False</Option>
|
|
<Option name="pf_set_other_single">False</Option>
|
|
<Option name="pf_set_tcp_closed">False</Option>
|
|
<Option name="pf_set_tcp_closing">False</Option>
|
|
<Option name="pf_set_tcp_established">False</Option>
|
|
<Option name="pf_set_tcp_finwait">False</Option>
|
|
<Option name="pf_set_tcp_first">False</Option>
|
|
<Option name="pf_set_tcp_opening">False</Option>
|
|
<Option name="pf_set_udp_first">False</Option>
|
|
<Option name="pf_set_udp_multiple">False</Option>
|
|
<Option name="pf_set_udp_single">True</Option>
|
|
<Option name="pf_state_policy"></Option>
|
|
<Option name="pf_tcp_closed">0</Option>
|
|
<Option name="pf_tcp_closing">0</Option>
|
|
<Option name="pf_tcp_established">0</Option>
|
|
<Option name="pf_tcp_finwait">0</Option>
|
|
<Option name="pf_tcp_first">0</Option>
|
|
<Option name="pf_tcp_opening">0</Option>
|
|
<Option name="pf_timeout_frag">30</Option>
|
|
<Option name="pf_timeout_interval">10</Option>
|
|
<Option name="pf_udp_first">0</Option>
|
|
<Option name="pf_udp_multiple">0</Option>
|
|
<Option name="pf_udp_single">5</Option>
|
|
<Option name="prolog_place">fw_file</Option>
|
|
<Option name="prolog_script"></Option>
|
|
<Option name="scpArgs"></Option>
|
|
<Option name="script_name_on_firewall">/etc/fw/pf.fw</Option>
|
|
<Option name="sshArgs"></Option>
|
|
</FirewallOptions>
|
|
</Firewall>
|
|
<Firewall id="id34447X2131" host_OS="freebsd" inactive="False" lastCompiled="1296525125" lastInstalled="1271995582" lastModified="1297725471" platform="pf" version="4.7" name="firewall106" comment="bridge interface, dynamic address, rc.conf format, with STP" ro="False">
|
|
<NAT id="id34509X2131" name="NAT" comment="" ro="False" ipv4_rule_set="False" ipv6_rule_set="False" top_rule_set="True">
|
|
<RuleSetOptions/>
|
|
</NAT>
|
|
<Policy id="id34478X2131" name="Policy" comment="" ro="False" ipv4_rule_set="False" ipv6_rule_set="False" top_rule_set="True">
|
|
<PolicyRule id="id34480X2131" disabled="False" group="" log="True" position="0" action="Deny" direction="Both" comment="">
|
|
<Src neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="pf_classify_str"></Option>
|
|
<Option name="stateless">True</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<RuleSetOptions/>
|
|
</Policy>
|
|
<Routing id="id34512X2131" name="Routing" comment="" ro="False" ipv4_rule_set="False" ipv6_rule_set="False" top_rule_set="True">
|
|
<RoutingRule id="id34514X2131" disabled="False" group="" metric="0" position="0" comment="setting default via gateway line 2 comment ">
|
|
<RDst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</RDst>
|
|
<RGtw neg="False">
|
|
<ObjectRef ref="id33008X21143"/>
|
|
</RGtw>
|
|
<RItf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</RItf>
|
|
<RoutingRuleOptions/>
|
|
</RoutingRule>
|
|
<RoutingRule id="id34532X2131" disabled="False" group="" metric="0" position="1" comment="empty rule ">
|
|
<RDst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</RDst>
|
|
<RGtw neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</RGtw>
|
|
<RItf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</RItf>
|
|
<RoutingRuleOptions/>
|
|
</RoutingRule>
|
|
<RoutingRule id="id34550X2131" disabled="False" group="" metric="0" position="2" comment="">
|
|
<RDst neg="False">
|
|
<ObjectRef ref="id79492X23273"/>
|
|
</RDst>
|
|
<RGtw neg="False">
|
|
<ObjectRef ref="id33008X21143"/>
|
|
</RGtw>
|
|
<RItf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</RItf>
|
|
<RoutingRuleOptions/>
|
|
</RoutingRule>
|
|
<RoutingRule id="id34568X2131" disabled="False" group="" metric="3" position="3" comment="">
|
|
<RDst neg="False">
|
|
<ObjectRef ref="id3B665641"/>
|
|
</RDst>
|
|
<RGtw neg="False">
|
|
<ObjectRef ref="id33008X21143"/>
|
|
</RGtw>
|
|
<RItf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</RItf>
|
|
<RoutingRuleOptions/>
|
|
</RoutingRule>
|
|
<RoutingRule id="id34586X2131" disabled="False" group="" metric="0" position="4" comment="">
|
|
<RDst neg="False">
|
|
<ObjectRef ref="id3B665641"/>
|
|
<ObjectRef ref="id3B665643"/>
|
|
</RDst>
|
|
<RGtw neg="False">
|
|
<ObjectRef ref="id33008X21143"/>
|
|
</RGtw>
|
|
<RItf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</RItf>
|
|
<RoutingRuleOptions/>
|
|
</RoutingRule>
|
|
<RuleSetOptions/>
|
|
</Routing>
|
|
<Interface id="id34455X2131" dedicated_failover="False" dyn="False" label="" mgmt="True" security_level="100" unnum="False" unprotected="False" name="em0" comment="" ro="False">
|
|
<IPv4 id="id34458X2131" name="firewall106:em0:ip" comment="" ro="False" address="10.3.14.81" netmask="255.255.255.0"/>
|
|
<InterfaceOptions/>
|
|
</Interface>
|
|
<Interface id="id34460X2131" dedicated_failover="False" dyn="False" label="" security_level="100" unnum="False" unprotected="False" name="em1" comment="" ro="False">
|
|
<IPv4 id="id34463X2131" name="firewall106:em1:ip" comment="" ro="False" address="10.1.1.81" netmask="255.255.255.0"/>
|
|
<InterfaceOptions/>
|
|
</Interface>
|
|
<Interface id="id34465X2131" dedicated_failover="False" dyn="True" label="" mgmt="False" security_level="0" unnum="False" unprotected="False" name="bridge0" comment="" ro="False">
|
|
<InterfaceOptions>
|
|
<Option name="enable_stp">True</Option>
|
|
<Option name="iface_configure_mtu">False</Option>
|
|
<Option name="iface_mtu">1500</Option>
|
|
<Option name="iface_options"></Option>
|
|
<Option name="type">bridge</Option>
|
|
<Option name="vlan_id">0</Option>
|
|
</InterfaceOptions>
|
|
<Interface id="id34472X2131" dedicated_failover="False" dyn="False" label="" mgmt="False" security_level="0" unnum="False" unprotected="False" name="em2" comment="" ro="False">
|
|
<InterfaceOptions>
|
|
<Option name="type">ethernet</Option>
|
|
</InterfaceOptions>
|
|
</Interface>
|
|
<Interface id="id34475X2131" dedicated_failover="False" dyn="False" security_level="0" unnum="False" unprotected="False" name="em3" comment="" ro="False">
|
|
<InterfaceOptions>
|
|
<Option name="type">ethernet</Option>
|
|
</InterfaceOptions>
|
|
</Interface>
|
|
</Interface>
|
|
<Management address="0.0.0.0">
|
|
<SNMPManagement enabled="False" snmp_read_community="" snmp_write_community=""/>
|
|
<FWBDManagement enabled="False" identity="" port="-1"/>
|
|
<PolicyInstallScript arguments="" command="" enabled="False"/>
|
|
</Management>
|
|
<FirewallOptions>
|
|
<Option name="accept_new_tcp_with_no_syn">False</Option>
|
|
<Option name="activationCmd"></Option>
|
|
<Option name="admUser">root</Option>
|
|
<Option name="altAddress"></Option>
|
|
<Option name="check_shading">True</Option>
|
|
<Option name="cmdline">-xt</Option>
|
|
<Option name="compiler"></Option>
|
|
<Option name="conf1_file"></Option>
|
|
<Option name="conf_file_name_on_firewall">/etc/fw/path with space/pf.conf</Option>
|
|
<Option name="configure_bridge_interfaces">True</Option>
|
|
<Option name="configure_carp_interfaces">True</Option>
|
|
<Option name="configure_interfaces">True</Option>
|
|
<Option name="configure_pfsync_interfaces">True</Option>
|
|
<Option name="configure_vlan_interfaces">True</Option>
|
|
<Option name="debug">False</Option>
|
|
<Option name="epilog_script"></Option>
|
|
<Option name="fallback_log">False</Option>
|
|
<Option name="firewall_dir">/etc</Option>
|
|
<Option name="freebsd_ip_forward">1</Option>
|
|
<Option name="generate_rc_conf_file">True</Option>
|
|
<Option name="generate_shell_script">False</Option>
|
|
<Option name="ignore_empty_groups">False</Option>
|
|
<Option name="in_out_code">true</Option>
|
|
<Option name="ipv4_6_order">ipv4_first</Option>
|
|
<Option name="log_prefix">RULE %N -- %A </Option>
|
|
<Option name="loopback_interface">lo0</Option>
|
|
<Option name="manage_virtual_addr">True</Option>
|
|
<Option name="mgmt_addr">10.3.14.30</Option>
|
|
<Option name="mgmt_ssh">True</Option>
|
|
<Option name="openbsd_ip_forward">1</Option>
|
|
<Option name="output_file"></Option>
|
|
<Option name="pass_all_out">false</Option>
|
|
<Option name="pf_adaptive_end">0</Option>
|
|
<Option name="pf_adaptive_start">0</Option>
|
|
<Option name="pf_do_limit_frags">False</Option>
|
|
<Option name="pf_do_limit_src_nodes">False</Option>
|
|
<Option name="pf_do_limit_states">False</Option>
|
|
<Option name="pf_do_limit_table_entries">False</Option>
|
|
<Option name="pf_do_limit_tables">False</Option>
|
|
<Option name="pf_do_scrub">True</Option>
|
|
<Option name="pf_do_timeout_frag">False</Option>
|
|
<Option name="pf_do_timeout_interval">False</Option>
|
|
<Option name="pf_flush_states">False</Option>
|
|
<Option name="pf_icmp_error">0</Option>
|
|
<Option name="pf_icmp_first">0</Option>
|
|
<Option name="pf_limit_frags">5000</Option>
|
|
<Option name="pf_limit_src_nodes">0</Option>
|
|
<Option name="pf_limit_states">10000</Option>
|
|
<Option name="pf_limit_table_entries">0</Option>
|
|
<Option name="pf_limit_tables">0</Option>
|
|
<Option name="pf_modulate_state">False</Option>
|
|
<Option name="pf_optimization"></Option>
|
|
<Option name="pf_other_first">0</Option>
|
|
<Option name="pf_other_multiple">0</Option>
|
|
<Option name="pf_other_single">0</Option>
|
|
<Option name="pf_scrub_fragm_crop">False</Option>
|
|
<Option name="pf_scrub_fragm_drop_ovl">False</Option>
|
|
<Option name="pf_scrub_maxmss">1460</Option>
|
|
<Option name="pf_scrub_minttl">1</Option>
|
|
<Option name="pf_scrub_no_df">True</Option>
|
|
<Option name="pf_scrub_random_id">True</Option>
|
|
<Option name="pf_scrub_reassemble">False</Option>
|
|
<Option name="pf_scrub_reassemble_tcp">True</Option>
|
|
<Option name="pf_scrub_use_maxmss">True</Option>
|
|
<Option name="pf_scrub_use_minttl">True</Option>
|
|
<Option name="pf_set_adaptive">False</Option>
|
|
<Option name="pf_set_icmp_error">False</Option>
|
|
<Option name="pf_set_icmp_first">False</Option>
|
|
<Option name="pf_set_other_first">False</Option>
|
|
<Option name="pf_set_other_multiple">False</Option>
|
|
<Option name="pf_set_other_single">False</Option>
|
|
<Option name="pf_set_tcp_closed">False</Option>
|
|
<Option name="pf_set_tcp_closing">False</Option>
|
|
<Option name="pf_set_tcp_established">False</Option>
|
|
<Option name="pf_set_tcp_finwait">False</Option>
|
|
<Option name="pf_set_tcp_first">False</Option>
|
|
<Option name="pf_set_tcp_opening">False</Option>
|
|
<Option name="pf_set_udp_first">False</Option>
|
|
<Option name="pf_set_udp_multiple">False</Option>
|
|
<Option name="pf_set_udp_single">True</Option>
|
|
<Option name="pf_state_policy"></Option>
|
|
<Option name="pf_tcp_closed">0</Option>
|
|
<Option name="pf_tcp_closing">0</Option>
|
|
<Option name="pf_tcp_established">0</Option>
|
|
<Option name="pf_tcp_finwait">0</Option>
|
|
<Option name="pf_tcp_first">0</Option>
|
|
<Option name="pf_tcp_opening">0</Option>
|
|
<Option name="pf_timeout_frag">30</Option>
|
|
<Option name="pf_timeout_interval">10</Option>
|
|
<Option name="pf_udp_first">0</Option>
|
|
<Option name="pf_udp_multiple">0</Option>
|
|
<Option name="pf_udp_single">5</Option>
|
|
<Option name="prolog_place">fw_file</Option>
|
|
<Option name="prolog_script"></Option>
|
|
<Option name="scpArgs"></Option>
|
|
<Option name="script_name_on_firewall">/etc/fw/pf.fw</Option>
|
|
<Option name="sshArgs"></Option>
|
|
</FirewallOptions>
|
|
</Firewall>
|
|
<Firewall id="id34184X23052" host_OS="freebsd" inactive="False" lastCompiled="1296525125" lastInstalled="1271995582" lastModified="1297116311" platform="pf" version="4.7" name="firewall107" comment="vlan interface, static address, shell script format" ro="False">
|
|
<NAT id="id34248X23052" name="NAT" comment="" ro="False" ipv4_rule_set="False" ipv6_rule_set="False" top_rule_set="True">
|
|
<RuleSetOptions/>
|
|
</NAT>
|
|
<Policy id="id34217X23052" name="Policy" comment="" ro="False" ipv4_rule_set="False" ipv6_rule_set="False" top_rule_set="True">
|
|
<PolicyRule id="id34219X23052" disabled="False" group="" log="True" position="0" action="Deny" direction="Both" comment="">
|
|
<Src neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="pf_classify_str"></Option>
|
|
<Option name="stateless">True</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<RuleSetOptions/>
|
|
</Policy>
|
|
<Routing id="id34251X23052" name="Routing" comment="" ro="False" ipv4_rule_set="False" ipv6_rule_set="False" top_rule_set="True">
|
|
<RuleSetOptions/>
|
|
</Routing>
|
|
<Interface id="id34192X23052" dedicated_failover="False" dyn="False" label="" mgmt="True" security_level="100" unnum="False" unprotected="False" name="em0" comment="" ro="False">
|
|
<IPv4 id="id34195X23052" name="firewall107:em0:ip" comment="" ro="False" address="10.3.14.81" netmask="255.255.255.0"/>
|
|
<InterfaceOptions/>
|
|
</Interface>
|
|
<Interface id="id34197X23052" dedicated_failover="False" dyn="False" label="" security_level="100" unnum="False" unprotected="False" name="em1" comment="" ro="False">
|
|
<IPv4 id="id34200X23052" name="firewall107:em1:ip" comment="" ro="False" address="10.1.1.81" netmask="255.255.255.0"/>
|
|
<InterfaceOptions/>
|
|
</Interface>
|
|
<Interface id="id34345X23052" dedicated_failover="False" dyn="False" label="" mgmt="False" security_level="0" unnum="True" unprotected="False" name="em2" comment="" ro="False">
|
|
<InterfaceOptions>
|
|
<Option name="type">ethernet</Option>
|
|
</InterfaceOptions>
|
|
<Interface id="id34371X23052" dedicated_failover="False" dyn="False" label="" mgmt="False" security_level="0" unnum="False" unprotected="False" name="vlan101" comment="" ro="False">
|
|
<IPv4 id="id34385X23052" name="firewall107:em2:vlan101:ip" comment="" ro="False" address="192.168.101.1" netmask="255.255.255.0"/>
|
|
<InterfaceOptions>
|
|
<Option name="type">8021q</Option>
|
|
<Option name="vlan_id">101</Option>
|
|
</InterfaceOptions>
|
|
</Interface>
|
|
<Interface id="id34394X23052" dedicated_failover="False" dyn="False" security_level="0" unnum="False" unprotected="False" name="vlan102" comment="" ro="False">
|
|
<IPv4 id="id34400X23052" name="firewall107:em2:vlan102:ip" comment="" ro="False" address="192.168.102.1" netmask="255.255.255.0"/>
|
|
<InterfaceOptions>
|
|
<Option name="type">8021q</Option>
|
|
<Option name="vlan_id">102</Option>
|
|
</InterfaceOptions>
|
|
</Interface>
|
|
</Interface>
|
|
<Management address="0.0.0.0">
|
|
<SNMPManagement enabled="False" snmp_read_community="" snmp_write_community=""/>
|
|
<FWBDManagement enabled="False" identity="" port="-1"/>
|
|
<PolicyInstallScript arguments="" command="" enabled="False"/>
|
|
</Management>
|
|
<FirewallOptions>
|
|
<Option name="accept_new_tcp_with_no_syn">False</Option>
|
|
<Option name="activationCmd"></Option>
|
|
<Option name="admUser">root</Option>
|
|
<Option name="altAddress"></Option>
|
|
<Option name="check_shading">True</Option>
|
|
<Option name="cmdline">-xt</Option>
|
|
<Option name="compiler"></Option>
|
|
<Option name="conf1_file"></Option>
|
|
<Option name="conf_file_name_on_firewall">/etc/fw/path with space/pf.conf</Option>
|
|
<Option name="configure_bridge_interfaces">True</Option>
|
|
<Option name="configure_carp_interfaces">True</Option>
|
|
<Option name="configure_interfaces">True</Option>
|
|
<Option name="configure_pfsync_interfaces">True</Option>
|
|
<Option name="configure_vlan_interfaces">True</Option>
|
|
<Option name="debug">False</Option>
|
|
<Option name="epilog_script"></Option>
|
|
<Option name="fallback_log">False</Option>
|
|
<Option name="firewall_dir">/etc</Option>
|
|
<Option name="freebsd_ip_forward">1</Option>
|
|
<Option name="generate_rc_conf_file">False</Option>
|
|
<Option name="generate_shell_script">True</Option>
|
|
<Option name="ignore_empty_groups">False</Option>
|
|
<Option name="in_out_code">true</Option>
|
|
<Option name="ipv4_6_order">ipv4_first</Option>
|
|
<Option name="log_prefix">RULE %N -- %A </Option>
|
|
<Option name="loopback_interface">lo0</Option>
|
|
<Option name="manage_virtual_addr">True</Option>
|
|
<Option name="mgmt_addr">10.3.14.30</Option>
|
|
<Option name="mgmt_ssh">True</Option>
|
|
<Option name="openbsd_ip_forward">1</Option>
|
|
<Option name="output_file"></Option>
|
|
<Option name="pass_all_out">false</Option>
|
|
<Option name="pf_adaptive_end">0</Option>
|
|
<Option name="pf_adaptive_start">0</Option>
|
|
<Option name="pf_do_limit_frags">False</Option>
|
|
<Option name="pf_do_limit_src_nodes">False</Option>
|
|
<Option name="pf_do_limit_states">False</Option>
|
|
<Option name="pf_do_limit_table_entries">False</Option>
|
|
<Option name="pf_do_limit_tables">False</Option>
|
|
<Option name="pf_do_scrub">True</Option>
|
|
<Option name="pf_do_timeout_frag">False</Option>
|
|
<Option name="pf_do_timeout_interval">False</Option>
|
|
<Option name="pf_flush_states">False</Option>
|
|
<Option name="pf_icmp_error">0</Option>
|
|
<Option name="pf_icmp_first">0</Option>
|
|
<Option name="pf_limit_frags">5000</Option>
|
|
<Option name="pf_limit_src_nodes">0</Option>
|
|
<Option name="pf_limit_states">10000</Option>
|
|
<Option name="pf_limit_table_entries">0</Option>
|
|
<Option name="pf_limit_tables">0</Option>
|
|
<Option name="pf_modulate_state">False</Option>
|
|
<Option name="pf_optimization"></Option>
|
|
<Option name="pf_other_first">0</Option>
|
|
<Option name="pf_other_multiple">0</Option>
|
|
<Option name="pf_other_single">0</Option>
|
|
<Option name="pf_scrub_fragm_crop">False</Option>
|
|
<Option name="pf_scrub_fragm_drop_ovl">False</Option>
|
|
<Option name="pf_scrub_maxmss">1460</Option>
|
|
<Option name="pf_scrub_minttl">1</Option>
|
|
<Option name="pf_scrub_no_df">True</Option>
|
|
<Option name="pf_scrub_random_id">True</Option>
|
|
<Option name="pf_scrub_reassemble">False</Option>
|
|
<Option name="pf_scrub_reassemble_tcp">True</Option>
|
|
<Option name="pf_scrub_use_maxmss">True</Option>
|
|
<Option name="pf_scrub_use_minttl">True</Option>
|
|
<Option name="pf_set_adaptive">False</Option>
|
|
<Option name="pf_set_icmp_error">False</Option>
|
|
<Option name="pf_set_icmp_first">False</Option>
|
|
<Option name="pf_set_other_first">False</Option>
|
|
<Option name="pf_set_other_multiple">False</Option>
|
|
<Option name="pf_set_other_single">False</Option>
|
|
<Option name="pf_set_tcp_closed">False</Option>
|
|
<Option name="pf_set_tcp_closing">False</Option>
|
|
<Option name="pf_set_tcp_established">False</Option>
|
|
<Option name="pf_set_tcp_finwait">False</Option>
|
|
<Option name="pf_set_tcp_first">False</Option>
|
|
<Option name="pf_set_tcp_opening">False</Option>
|
|
<Option name="pf_set_udp_first">False</Option>
|
|
<Option name="pf_set_udp_multiple">False</Option>
|
|
<Option name="pf_set_udp_single">True</Option>
|
|
<Option name="pf_state_policy"></Option>
|
|
<Option name="pf_tcp_closed">0</Option>
|
|
<Option name="pf_tcp_closing">0</Option>
|
|
<Option name="pf_tcp_established">0</Option>
|
|
<Option name="pf_tcp_finwait">0</Option>
|
|
<Option name="pf_tcp_first">0</Option>
|
|
<Option name="pf_tcp_opening">0</Option>
|
|
<Option name="pf_timeout_frag">30</Option>
|
|
<Option name="pf_timeout_interval">10</Option>
|
|
<Option name="pf_udp_first">0</Option>
|
|
<Option name="pf_udp_multiple">0</Option>
|
|
<Option name="pf_udp_single">5</Option>
|
|
<Option name="prolog_place">fw_file</Option>
|
|
<Option name="prolog_script"></Option>
|
|
<Option name="scpArgs"></Option>
|
|
<Option name="script_name_on_firewall">/etc/fw/pf.fw</Option>
|
|
<Option name="sshArgs"></Option>
|
|
</FirewallOptions>
|
|
</Firewall>
|
|
<Firewall id="id34409X23052" host_OS="freebsd" inactive="False" lastCompiled="1296525125" lastInstalled="1271995582" lastModified="1297116315" platform="pf" version="4.7" name="firewall108" comment="vlan interface, static address, rc.conf format" ro="False">
|
|
<NAT id="id34477X23052" name="NAT" comment="" ro="False" ipv4_rule_set="False" ipv6_rule_set="False" top_rule_set="True">
|
|
<RuleSetOptions/>
|
|
</NAT>
|
|
<Policy id="id34446X23052" name="Policy" comment="" ro="False" ipv4_rule_set="False" ipv6_rule_set="False" top_rule_set="True">
|
|
<PolicyRule id="id34448X23052" disabled="False" group="" log="True" position="0" action="Deny" direction="Both" comment="">
|
|
<Src neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="pf_classify_str"></Option>
|
|
<Option name="stateless">True</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<RuleSetOptions/>
|
|
</Policy>
|
|
<Routing id="id34480X23052" name="Routing" comment="" ro="False" ipv4_rule_set="False" ipv6_rule_set="False" top_rule_set="True">
|
|
<RuleSetOptions/>
|
|
</Routing>
|
|
<Interface id="id34417X23052" dedicated_failover="False" dyn="False" label="" mgmt="True" security_level="100" unnum="False" unprotected="False" name="em0" comment="" ro="False">
|
|
<IPv4 id="id34420X23052" name="firewall108:em0:ip" comment="" ro="False" address="10.3.14.81" netmask="255.255.255.0"/>
|
|
<InterfaceOptions/>
|
|
</Interface>
|
|
<Interface id="id34422X23052" dedicated_failover="False" dyn="False" label="" security_level="100" unnum="False" unprotected="False" name="em1" comment="" ro="False">
|
|
<IPv4 id="id34425X23052" name="firewall108:em1:ip" comment="" ro="False" address="10.1.1.81" netmask="255.255.255.0"/>
|
|
<InterfaceOptions/>
|
|
</Interface>
|
|
<Interface id="id34427X23052" dedicated_failover="False" dyn="False" label="" mgmt="False" security_level="0" unnum="True" unprotected="False" name="em2" comment="" ro="False">
|
|
<InterfaceOptions>
|
|
<Option name="type">ethernet</Option>
|
|
</InterfaceOptions>
|
|
<Interface id="id34436X23052" dedicated_failover="False" dyn="False" label="" mgmt="False" security_level="0" unnum="False" unprotected="False" name="vlan101" comment="" ro="False">
|
|
<IPv4 id="id34439X23052" name="firewall108:em2:vlan101:ip" comment="" ro="False" address="192.168.101.1" netmask="255.255.255.0"/>
|
|
<InterfaceOptions>
|
|
<Option name="type">8021q</Option>
|
|
<Option name="vlan_id">101</Option>
|
|
</InterfaceOptions>
|
|
</Interface>
|
|
<Interface id="id34441X23052" dedicated_failover="False" dyn="False" security_level="0" unnum="False" unprotected="False" name="vlan102" comment="" ro="False">
|
|
<IPv4 id="id34444X23052" name="firewall108:em2:vlan102:ip" comment="" ro="False" address="192.168.102.1" netmask="255.255.255.0"/>
|
|
<InterfaceOptions>
|
|
<Option name="type">8021q</Option>
|
|
<Option name="vlan_id">102</Option>
|
|
</InterfaceOptions>
|
|
</Interface>
|
|
</Interface>
|
|
<Management address="0.0.0.0">
|
|
<SNMPManagement enabled="False" snmp_read_community="" snmp_write_community=""/>
|
|
<FWBDManagement enabled="False" identity="" port="-1"/>
|
|
<PolicyInstallScript arguments="" command="" enabled="False"/>
|
|
</Management>
|
|
<FirewallOptions>
|
|
<Option name="accept_new_tcp_with_no_syn">False</Option>
|
|
<Option name="activationCmd"></Option>
|
|
<Option name="admUser">root</Option>
|
|
<Option name="altAddress"></Option>
|
|
<Option name="check_shading">True</Option>
|
|
<Option name="cmdline">-xt</Option>
|
|
<Option name="compiler"></Option>
|
|
<Option name="conf1_file"></Option>
|
|
<Option name="conf_file_name_on_firewall">/etc/fw/path with space/pf.conf</Option>
|
|
<Option name="configure_bridge_interfaces">True</Option>
|
|
<Option name="configure_carp_interfaces">True</Option>
|
|
<Option name="configure_interfaces">True</Option>
|
|
<Option name="configure_pfsync_interfaces">True</Option>
|
|
<Option name="configure_vlan_interfaces">True</Option>
|
|
<Option name="debug">False</Option>
|
|
<Option name="epilog_script"></Option>
|
|
<Option name="fallback_log">False</Option>
|
|
<Option name="firewall_dir">/etc</Option>
|
|
<Option name="freebsd_ip_forward">1</Option>
|
|
<Option name="generate_rc_conf_file">True</Option>
|
|
<Option name="generate_shell_script">False</Option>
|
|
<Option name="ignore_empty_groups">False</Option>
|
|
<Option name="in_out_code">true</Option>
|
|
<Option name="ipv4_6_order">ipv4_first</Option>
|
|
<Option name="log_prefix">RULE %N -- %A </Option>
|
|
<Option name="loopback_interface">lo0</Option>
|
|
<Option name="manage_virtual_addr">True</Option>
|
|
<Option name="mgmt_addr">10.3.14.30</Option>
|
|
<Option name="mgmt_ssh">True</Option>
|
|
<Option name="openbsd_ip_forward">1</Option>
|
|
<Option name="output_file"></Option>
|
|
<Option name="pass_all_out">false</Option>
|
|
<Option name="pf_adaptive_end">0</Option>
|
|
<Option name="pf_adaptive_start">0</Option>
|
|
<Option name="pf_do_limit_frags">False</Option>
|
|
<Option name="pf_do_limit_src_nodes">False</Option>
|
|
<Option name="pf_do_limit_states">False</Option>
|
|
<Option name="pf_do_limit_table_entries">False</Option>
|
|
<Option name="pf_do_limit_tables">False</Option>
|
|
<Option name="pf_do_scrub">True</Option>
|
|
<Option name="pf_do_timeout_frag">False</Option>
|
|
<Option name="pf_do_timeout_interval">False</Option>
|
|
<Option name="pf_flush_states">False</Option>
|
|
<Option name="pf_icmp_error">0</Option>
|
|
<Option name="pf_icmp_first">0</Option>
|
|
<Option name="pf_limit_frags">5000</Option>
|
|
<Option name="pf_limit_src_nodes">0</Option>
|
|
<Option name="pf_limit_states">10000</Option>
|
|
<Option name="pf_limit_table_entries">0</Option>
|
|
<Option name="pf_limit_tables">0</Option>
|
|
<Option name="pf_modulate_state">False</Option>
|
|
<Option name="pf_optimization"></Option>
|
|
<Option name="pf_other_first">0</Option>
|
|
<Option name="pf_other_multiple">0</Option>
|
|
<Option name="pf_other_single">0</Option>
|
|
<Option name="pf_scrub_fragm_crop">False</Option>
|
|
<Option name="pf_scrub_fragm_drop_ovl">False</Option>
|
|
<Option name="pf_scrub_maxmss">1460</Option>
|
|
<Option name="pf_scrub_minttl">1</Option>
|
|
<Option name="pf_scrub_no_df">True</Option>
|
|
<Option name="pf_scrub_random_id">True</Option>
|
|
<Option name="pf_scrub_reassemble">False</Option>
|
|
<Option name="pf_scrub_reassemble_tcp">True</Option>
|
|
<Option name="pf_scrub_use_maxmss">True</Option>
|
|
<Option name="pf_scrub_use_minttl">True</Option>
|
|
<Option name="pf_set_adaptive">False</Option>
|
|
<Option name="pf_set_icmp_error">False</Option>
|
|
<Option name="pf_set_icmp_first">False</Option>
|
|
<Option name="pf_set_other_first">False</Option>
|
|
<Option name="pf_set_other_multiple">False</Option>
|
|
<Option name="pf_set_other_single">False</Option>
|
|
<Option name="pf_set_tcp_closed">False</Option>
|
|
<Option name="pf_set_tcp_closing">False</Option>
|
|
<Option name="pf_set_tcp_established">False</Option>
|
|
<Option name="pf_set_tcp_finwait">False</Option>
|
|
<Option name="pf_set_tcp_first">False</Option>
|
|
<Option name="pf_set_tcp_opening">False</Option>
|
|
<Option name="pf_set_udp_first">False</Option>
|
|
<Option name="pf_set_udp_multiple">False</Option>
|
|
<Option name="pf_set_udp_single">True</Option>
|
|
<Option name="pf_state_policy"></Option>
|
|
<Option name="pf_tcp_closed">0</Option>
|
|
<Option name="pf_tcp_closing">0</Option>
|
|
<Option name="pf_tcp_established">0</Option>
|
|
<Option name="pf_tcp_finwait">0</Option>
|
|
<Option name="pf_tcp_first">0</Option>
|
|
<Option name="pf_tcp_opening">0</Option>
|
|
<Option name="pf_timeout_frag">30</Option>
|
|
<Option name="pf_timeout_interval">10</Option>
|
|
<Option name="pf_udp_first">0</Option>
|
|
<Option name="pf_udp_multiple">0</Option>
|
|
<Option name="pf_udp_single">5</Option>
|
|
<Option name="prolog_place">fw_file</Option>
|
|
<Option name="prolog_script"></Option>
|
|
<Option name="scpArgs"></Option>
|
|
<Option name="script_name_on_firewall">/etc/fw/pf.fw</Option>
|
|
<Option name="sshArgs"></Option>
|
|
</FirewallOptions>
|
|
</Firewall>
|
|
<Firewall id="id34464X3677" host_OS="openbsd" inactive="False" lastCompiled="1296525125" lastInstalled="1271995582" lastModified="1297198275" platform="pf" version="4.7" name="firewall103-1" comment="bridge interface, static address, shell script format, OpenBSD 4.7" ro="False">
|
|
<NAT id="id34528X3677" name="NAT" comment="" ro="False" ipv4_rule_set="False" ipv6_rule_set="False" top_rule_set="True">
|
|
<RuleSetOptions/>
|
|
</NAT>
|
|
<Policy id="id34497X3677" name="Policy" comment="" ro="False" ipv4_rule_set="False" ipv6_rule_set="False" top_rule_set="True">
|
|
<PolicyRule id="id34499X3677" disabled="False" group="" log="True" position="0" action="Deny" direction="Both" comment="">
|
|
<Src neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="pf_classify_str"></Option>
|
|
<Option name="stateless">True</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<RuleSetOptions/>
|
|
</Policy>
|
|
<Routing id="id34531X3677" name="Routing" comment="" ro="False" ipv4_rule_set="False" ipv6_rule_set="False" top_rule_set="True">
|
|
<RuleSetOptions/>
|
|
</Routing>
|
|
<Interface id="id34472X3677" dedicated_failover="False" dyn="False" label="" mgmt="True" security_level="100" unnum="False" unprotected="False" name="em0" comment="" ro="False">
|
|
<IPv4 id="id34475X3677" name="firewall103:em0:ip" comment="" ro="False" address="10.3.14.81" netmask="255.255.255.0"/>
|
|
<InterfaceOptions/>
|
|
</Interface>
|
|
<Interface id="id34477X3677" dedicated_failover="False" dyn="False" label="" security_level="100" unnum="False" unprotected="False" name="em1" comment="" ro="False">
|
|
<IPv4 id="id34480X3677" name="firewall103:em1:ip" comment="" ro="False" address="10.1.1.81" netmask="255.255.255.0"/>
|
|
<InterfaceOptions/>
|
|
</Interface>
|
|
<Interface id="id34482X3677" dedicated_failover="False" dyn="False" label="" mgmt="False" security_level="0" unnum="False" unprotected="False" name="bridge0" comment="" ro="False">
|
|
<IPv4 id="id34489X3677" name="firewall103:bridge0:ip" comment="" ro="False" address="192.168.1.1" netmask="255.255.255.0"/>
|
|
<InterfaceOptions>
|
|
<Option name="iface_mtu">1500</Option>
|
|
<Option name="type">bridge</Option>
|
|
<Option name="vlan_id">0</Option>
|
|
</InterfaceOptions>
|
|
<Interface id="id34491X3677" dedicated_failover="False" dyn="False" label="" mgmt="False" security_level="0" unnum="False" unprotected="False" name="em2" comment="" ro="False">
|
|
<InterfaceOptions>
|
|
<Option name="type">ethernet</Option>
|
|
</InterfaceOptions>
|
|
</Interface>
|
|
<Interface id="id34494X3677" dedicated_failover="False" dyn="False" security_level="0" unnum="False" unprotected="False" name="em3" comment="" ro="False">
|
|
<InterfaceOptions>
|
|
<Option name="type">ethernet</Option>
|
|
</InterfaceOptions>
|
|
</Interface>
|
|
</Interface>
|
|
<Management address="0.0.0.0">
|
|
<SNMPManagement enabled="False" snmp_read_community="" snmp_write_community=""/>
|
|
<FWBDManagement enabled="False" identity="" port="-1"/>
|
|
<PolicyInstallScript arguments="" command="" enabled="False"/>
|
|
</Management>
|
|
<FirewallOptions>
|
|
<Option name="accept_new_tcp_with_no_syn">False</Option>
|
|
<Option name="activationCmd"></Option>
|
|
<Option name="admUser">root</Option>
|
|
<Option name="altAddress"></Option>
|
|
<Option name="check_shading">True</Option>
|
|
<Option name="cmdline">-xt</Option>
|
|
<Option name="compiler"></Option>
|
|
<Option name="conf1_file"></Option>
|
|
<Option name="conf_file_name_on_firewall">/etc/fw/path with space/pf.conf</Option>
|
|
<Option name="configure_bridge_interfaces">True</Option>
|
|
<Option name="configure_carp_interfaces">True</Option>
|
|
<Option name="configure_interfaces">True</Option>
|
|
<Option name="configure_pfsync_interfaces">True</Option>
|
|
<Option name="configure_vlan_interfaces">True</Option>
|
|
<Option name="debug">False</Option>
|
|
<Option name="epilog_script"></Option>
|
|
<Option name="fallback_log">False</Option>
|
|
<Option name="firewall_dir">/etc</Option>
|
|
<Option name="freebsd_ip_forward">1</Option>
|
|
<Option name="generate_rc_conf_file">False</Option>
|
|
<Option name="generate_shell_script">True</Option>
|
|
<Option name="ignore_empty_groups">False</Option>
|
|
<Option name="in_out_code">true</Option>
|
|
<Option name="ipv4_6_order">ipv4_first</Option>
|
|
<Option name="log_prefix">RULE %N -- %A </Option>
|
|
<Option name="loopback_interface">lo0</Option>
|
|
<Option name="manage_virtual_addr">True</Option>
|
|
<Option name="mgmt_addr">10.3.14.30</Option>
|
|
<Option name="mgmt_ssh">True</Option>
|
|
<Option name="openbsd_ip_forward">1</Option>
|
|
<Option name="output_file"></Option>
|
|
<Option name="pass_all_out">false</Option>
|
|
<Option name="pf_adaptive_end">0</Option>
|
|
<Option name="pf_adaptive_start">0</Option>
|
|
<Option name="pf_do_limit_frags">False</Option>
|
|
<Option name="pf_do_limit_src_nodes">False</Option>
|
|
<Option name="pf_do_limit_states">False</Option>
|
|
<Option name="pf_do_limit_table_entries">False</Option>
|
|
<Option name="pf_do_limit_tables">False</Option>
|
|
<Option name="pf_do_scrub">True</Option>
|
|
<Option name="pf_do_timeout_frag">False</Option>
|
|
<Option name="pf_do_timeout_interval">False</Option>
|
|
<Option name="pf_flush_states">False</Option>
|
|
<Option name="pf_icmp_error">0</Option>
|
|
<Option name="pf_icmp_first">0</Option>
|
|
<Option name="pf_limit_frags">5000</Option>
|
|
<Option name="pf_limit_src_nodes">0</Option>
|
|
<Option name="pf_limit_states">10000</Option>
|
|
<Option name="pf_limit_table_entries">0</Option>
|
|
<Option name="pf_limit_tables">0</Option>
|
|
<Option name="pf_modulate_state">False</Option>
|
|
<Option name="pf_optimization"></Option>
|
|
<Option name="pf_other_first">0</Option>
|
|
<Option name="pf_other_multiple">0</Option>
|
|
<Option name="pf_other_single">0</Option>
|
|
<Option name="pf_scrub_fragm_crop">False</Option>
|
|
<Option name="pf_scrub_fragm_drop_ovl">False</Option>
|
|
<Option name="pf_scrub_maxmss">1460</Option>
|
|
<Option name="pf_scrub_minttl">1</Option>
|
|
<Option name="pf_scrub_no_df">True</Option>
|
|
<Option name="pf_scrub_random_id">True</Option>
|
|
<Option name="pf_scrub_reassemble">False</Option>
|
|
<Option name="pf_scrub_reassemble_tcp">True</Option>
|
|
<Option name="pf_scrub_use_maxmss">True</Option>
|
|
<Option name="pf_scrub_use_minttl">True</Option>
|
|
<Option name="pf_set_adaptive">False</Option>
|
|
<Option name="pf_set_icmp_error">False</Option>
|
|
<Option name="pf_set_icmp_first">False</Option>
|
|
<Option name="pf_set_other_first">False</Option>
|
|
<Option name="pf_set_other_multiple">False</Option>
|
|
<Option name="pf_set_other_single">False</Option>
|
|
<Option name="pf_set_tcp_closed">False</Option>
|
|
<Option name="pf_set_tcp_closing">False</Option>
|
|
<Option name="pf_set_tcp_established">False</Option>
|
|
<Option name="pf_set_tcp_finwait">False</Option>
|
|
<Option name="pf_set_tcp_first">False</Option>
|
|
<Option name="pf_set_tcp_opening">False</Option>
|
|
<Option name="pf_set_udp_first">False</Option>
|
|
<Option name="pf_set_udp_multiple">False</Option>
|
|
<Option name="pf_set_udp_single">True</Option>
|
|
<Option name="pf_state_policy"></Option>
|
|
<Option name="pf_tcp_closed">0</Option>
|
|
<Option name="pf_tcp_closing">0</Option>
|
|
<Option name="pf_tcp_established">0</Option>
|
|
<Option name="pf_tcp_finwait">0</Option>
|
|
<Option name="pf_tcp_first">0</Option>
|
|
<Option name="pf_tcp_opening">0</Option>
|
|
<Option name="pf_timeout_frag">30</Option>
|
|
<Option name="pf_timeout_interval">10</Option>
|
|
<Option name="pf_udp_first">0</Option>
|
|
<Option name="pf_udp_multiple">0</Option>
|
|
<Option name="pf_udp_single">5</Option>
|
|
<Option name="prolog_place">fw_file</Option>
|
|
<Option name="prolog_script"></Option>
|
|
<Option name="scpArgs"></Option>
|
|
<Option name="script_name_on_firewall">/etc/fw/pf.fw</Option>
|
|
<Option name="sshArgs"></Option>
|
|
</FirewallOptions>
|
|
</Firewall>
|
|
<Firewall id="id34541X3677" host_OS="openbsd" inactive="False" lastCompiled="1296525125" lastInstalled="1271995582" lastModified="1297198295" platform="pf" version="4.7" name="firewall104-1" comment="bridge interface, dynamic address, shell script format, OpenBSD 4.7" ro="False">
|
|
<NAT id="id34603X3677" name="NAT" comment="" ro="False" ipv4_rule_set="False" ipv6_rule_set="False" top_rule_set="True">
|
|
<RuleSetOptions/>
|
|
</NAT>
|
|
<Policy id="id34572X3677" name="Policy" comment="" ro="False" ipv4_rule_set="False" ipv6_rule_set="False" top_rule_set="True">
|
|
<PolicyRule id="id34574X3677" disabled="False" group="" log="True" position="0" action="Deny" direction="Both" comment="">
|
|
<Src neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="pf_classify_str"></Option>
|
|
<Option name="stateless">True</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<RuleSetOptions/>
|
|
</Policy>
|
|
<Routing id="id34606X3677" name="Routing" comment="" ro="False" ipv4_rule_set="False" ipv6_rule_set="False" top_rule_set="True">
|
|
<RuleSetOptions/>
|
|
</Routing>
|
|
<Interface id="id34549X3677" dedicated_failover="False" dyn="False" label="" mgmt="True" security_level="100" unnum="False" unprotected="False" name="em0" comment="" ro="False">
|
|
<IPv4 id="id34552X3677" name="firewall104:em0:ip" comment="" ro="False" address="10.3.14.81" netmask="255.255.255.0"/>
|
|
<InterfaceOptions/>
|
|
</Interface>
|
|
<Interface id="id34554X3677" dedicated_failover="False" dyn="False" label="" security_level="100" unnum="False" unprotected="False" name="em1" comment="" ro="False">
|
|
<IPv4 id="id34557X3677" name="firewall104:em1:ip" comment="" ro="False" address="10.1.1.81" netmask="255.255.255.0"/>
|
|
<InterfaceOptions/>
|
|
</Interface>
|
|
<Interface id="id34559X3677" dedicated_failover="False" dyn="True" label="" mgmt="False" security_level="0" unnum="False" unprotected="False" name="bridge0" comment="" ro="False">
|
|
<InterfaceOptions>
|
|
<Option name="type">bridge</Option>
|
|
<Option name="vlan_id">0</Option>
|
|
</InterfaceOptions>
|
|
<Interface id="id34566X3677" dedicated_failover="False" dyn="False" label="" mgmt="False" security_level="0" unnum="False" unprotected="False" name="em2" comment="" ro="False">
|
|
<InterfaceOptions>
|
|
<Option name="type">ethernet</Option>
|
|
</InterfaceOptions>
|
|
</Interface>
|
|
<Interface id="id34569X3677" dedicated_failover="False" dyn="False" security_level="0" unnum="False" unprotected="False" name="em3" comment="" ro="False">
|
|
<InterfaceOptions>
|
|
<Option name="type">ethernet</Option>
|
|
</InterfaceOptions>
|
|
</Interface>
|
|
</Interface>
|
|
<Management address="0.0.0.0">
|
|
<SNMPManagement enabled="False" snmp_read_community="" snmp_write_community=""/>
|
|
<FWBDManagement enabled="False" identity="" port="-1"/>
|
|
<PolicyInstallScript arguments="" command="" enabled="False"/>
|
|
</Management>
|
|
<FirewallOptions>
|
|
<Option name="accept_new_tcp_with_no_syn">False</Option>
|
|
<Option name="activationCmd"></Option>
|
|
<Option name="admUser">root</Option>
|
|
<Option name="altAddress"></Option>
|
|
<Option name="check_shading">True</Option>
|
|
<Option name="cmdline">-xt</Option>
|
|
<Option name="compiler"></Option>
|
|
<Option name="conf1_file"></Option>
|
|
<Option name="conf_file_name_on_firewall">/etc/fw/path with space/pf.conf</Option>
|
|
<Option name="configure_bridge_interfaces">True</Option>
|
|
<Option name="configure_carp_interfaces">True</Option>
|
|
<Option name="configure_interfaces">True</Option>
|
|
<Option name="configure_pfsync_interfaces">True</Option>
|
|
<Option name="configure_vlan_interfaces">True</Option>
|
|
<Option name="debug">False</Option>
|
|
<Option name="epilog_script"></Option>
|
|
<Option name="fallback_log">False</Option>
|
|
<Option name="firewall_dir">/etc</Option>
|
|
<Option name="freebsd_ip_forward">1</Option>
|
|
<Option name="generate_rc_conf_file">False</Option>
|
|
<Option name="generate_shell_script">True</Option>
|
|
<Option name="ignore_empty_groups">False</Option>
|
|
<Option name="in_out_code">true</Option>
|
|
<Option name="ipv4_6_order">ipv4_first</Option>
|
|
<Option name="log_prefix">RULE %N -- %A </Option>
|
|
<Option name="loopback_interface">lo0</Option>
|
|
<Option name="manage_virtual_addr">True</Option>
|
|
<Option name="mgmt_addr">10.3.14.30</Option>
|
|
<Option name="mgmt_ssh">True</Option>
|
|
<Option name="openbsd_ip_forward">1</Option>
|
|
<Option name="output_file"></Option>
|
|
<Option name="pass_all_out">false</Option>
|
|
<Option name="pf_adaptive_end">0</Option>
|
|
<Option name="pf_adaptive_start">0</Option>
|
|
<Option name="pf_do_limit_frags">False</Option>
|
|
<Option name="pf_do_limit_src_nodes">False</Option>
|
|
<Option name="pf_do_limit_states">False</Option>
|
|
<Option name="pf_do_limit_table_entries">False</Option>
|
|
<Option name="pf_do_limit_tables">False</Option>
|
|
<Option name="pf_do_scrub">True</Option>
|
|
<Option name="pf_do_timeout_frag">False</Option>
|
|
<Option name="pf_do_timeout_interval">False</Option>
|
|
<Option name="pf_flush_states">False</Option>
|
|
<Option name="pf_icmp_error">0</Option>
|
|
<Option name="pf_icmp_first">0</Option>
|
|
<Option name="pf_limit_frags">5000</Option>
|
|
<Option name="pf_limit_src_nodes">0</Option>
|
|
<Option name="pf_limit_states">10000</Option>
|
|
<Option name="pf_limit_table_entries">0</Option>
|
|
<Option name="pf_limit_tables">0</Option>
|
|
<Option name="pf_modulate_state">False</Option>
|
|
<Option name="pf_optimization"></Option>
|
|
<Option name="pf_other_first">0</Option>
|
|
<Option name="pf_other_multiple">0</Option>
|
|
<Option name="pf_other_single">0</Option>
|
|
<Option name="pf_scrub_fragm_crop">False</Option>
|
|
<Option name="pf_scrub_fragm_drop_ovl">False</Option>
|
|
<Option name="pf_scrub_maxmss">1460</Option>
|
|
<Option name="pf_scrub_minttl">1</Option>
|
|
<Option name="pf_scrub_no_df">True</Option>
|
|
<Option name="pf_scrub_random_id">True</Option>
|
|
<Option name="pf_scrub_reassemble">False</Option>
|
|
<Option name="pf_scrub_reassemble_tcp">True</Option>
|
|
<Option name="pf_scrub_use_maxmss">True</Option>
|
|
<Option name="pf_scrub_use_minttl">True</Option>
|
|
<Option name="pf_set_adaptive">False</Option>
|
|
<Option name="pf_set_icmp_error">False</Option>
|
|
<Option name="pf_set_icmp_first">False</Option>
|
|
<Option name="pf_set_other_first">False</Option>
|
|
<Option name="pf_set_other_multiple">False</Option>
|
|
<Option name="pf_set_other_single">False</Option>
|
|
<Option name="pf_set_tcp_closed">False</Option>
|
|
<Option name="pf_set_tcp_closing">False</Option>
|
|
<Option name="pf_set_tcp_established">False</Option>
|
|
<Option name="pf_set_tcp_finwait">False</Option>
|
|
<Option name="pf_set_tcp_first">False</Option>
|
|
<Option name="pf_set_tcp_opening">False</Option>
|
|
<Option name="pf_set_udp_first">False</Option>
|
|
<Option name="pf_set_udp_multiple">False</Option>
|
|
<Option name="pf_set_udp_single">True</Option>
|
|
<Option name="pf_state_policy"></Option>
|
|
<Option name="pf_tcp_closed">0</Option>
|
|
<Option name="pf_tcp_closing">0</Option>
|
|
<Option name="pf_tcp_established">0</Option>
|
|
<Option name="pf_tcp_finwait">0</Option>
|
|
<Option name="pf_tcp_first">0</Option>
|
|
<Option name="pf_tcp_opening">0</Option>
|
|
<Option name="pf_timeout_frag">30</Option>
|
|
<Option name="pf_timeout_interval">10</Option>
|
|
<Option name="pf_udp_first">0</Option>
|
|
<Option name="pf_udp_multiple">0</Option>
|
|
<Option name="pf_udp_single">5</Option>
|
|
<Option name="prolog_place">fw_file</Option>
|
|
<Option name="prolog_script"></Option>
|
|
<Option name="scpArgs"></Option>
|
|
<Option name="script_name_on_firewall">/etc/fw/pf.fw</Option>
|
|
<Option name="sshArgs"></Option>
|
|
</FirewallOptions>
|
|
</Firewall>
|
|
<Firewall id="id34670X3677" host_OS="openbsd" inactive="False" lastCompiled="1296525125" lastInstalled="1271995582" lastModified="1297198283" platform="pf" version="4.0" name="firewall103-2" comment="bridge interface, static address, shell script format, OpenBSD &lt;4.7 (pre-4.7 pf syntax)" ro="False">
|
|
<NAT id="id34734X3677" name="NAT" comment="" ro="False" ipv4_rule_set="False" ipv6_rule_set="False" top_rule_set="True">
|
|
<RuleSetOptions/>
|
|
</NAT>
|
|
<Policy id="id34703X3677" name="Policy" comment="" ro="False" ipv4_rule_set="False" ipv6_rule_set="False" top_rule_set="True">
|
|
<PolicyRule id="id34705X3677" disabled="False" group="" log="True" position="0" action="Deny" direction="Both" comment="">
|
|
<Src neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="pf_classify_str"></Option>
|
|
<Option name="stateless">True</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<RuleSetOptions/>
|
|
</Policy>
|
|
<Routing id="id34737X3677" name="Routing" comment="" ro="False" ipv4_rule_set="False" ipv6_rule_set="False" top_rule_set="True">
|
|
<RuleSetOptions/>
|
|
</Routing>
|
|
<Interface id="id34678X3677" dedicated_failover="False" dyn="False" label="" mgmt="True" security_level="100" unnum="False" unprotected="False" name="em0" comment="" ro="False">
|
|
<IPv4 id="id34681X3677" name="firewall103-2:em0:ip" comment="" ro="False" address="10.3.14.81" netmask="255.255.255.0"/>
|
|
<InterfaceOptions/>
|
|
</Interface>
|
|
<Interface id="id34683X3677" dedicated_failover="False" dyn="False" label="" security_level="100" unnum="False" unprotected="False" name="em1" comment="" ro="False">
|
|
<IPv4 id="id34686X3677" name="firewall103-2:em1:ip" comment="" ro="False" address="10.1.1.81" netmask="255.255.255.0"/>
|
|
<InterfaceOptions/>
|
|
</Interface>
|
|
<Interface id="id34688X3677" dedicated_failover="False" dyn="False" label="" mgmt="False" security_level="0" unnum="False" unprotected="False" name="bridge0" comment="" ro="False">
|
|
<IPv4 id="id34695X3677" name="firewall103-2:bridge0:ip" comment="" ro="False" address="192.168.1.1" netmask="255.255.255.0"/>
|
|
<InterfaceOptions>
|
|
<Option name="type">bridge</Option>
|
|
<Option name="vlan_id">0</Option>
|
|
</InterfaceOptions>
|
|
<Interface id="id34697X3677" dedicated_failover="False" dyn="False" label="" mgmt="False" security_level="0" unnum="False" unprotected="False" name="em2" comment="" ro="False">
|
|
<InterfaceOptions>
|
|
<Option name="type">ethernet</Option>
|
|
</InterfaceOptions>
|
|
</Interface>
|
|
<Interface id="id34700X3677" dedicated_failover="False" dyn="False" security_level="0" unnum="False" unprotected="False" name="em3" comment="" ro="False">
|
|
<InterfaceOptions>
|
|
<Option name="type">ethernet</Option>
|
|
</InterfaceOptions>
|
|
</Interface>
|
|
</Interface>
|
|
<Management address="0.0.0.0">
|
|
<SNMPManagement enabled="False" snmp_read_community="" snmp_write_community=""/>
|
|
<FWBDManagement enabled="False" identity="" port="-1"/>
|
|
<PolicyInstallScript arguments="" command="" enabled="False"/>
|
|
</Management>
|
|
<FirewallOptions>
|
|
<Option name="accept_new_tcp_with_no_syn">False</Option>
|
|
<Option name="activationCmd"></Option>
|
|
<Option name="admUser">root</Option>
|
|
<Option name="altAddress"></Option>
|
|
<Option name="check_shading">True</Option>
|
|
<Option name="cmdline">-xt</Option>
|
|
<Option name="compiler"></Option>
|
|
<Option name="conf1_file"></Option>
|
|
<Option name="conf_file_name_on_firewall">/etc/fw/path with space/pf.conf</Option>
|
|
<Option name="configure_bridge_interfaces">True</Option>
|
|
<Option name="configure_carp_interfaces">True</Option>
|
|
<Option name="configure_interfaces">True</Option>
|
|
<Option name="configure_pfsync_interfaces">True</Option>
|
|
<Option name="configure_vlan_interfaces">True</Option>
|
|
<Option name="debug">False</Option>
|
|
<Option name="epilog_script"></Option>
|
|
<Option name="fallback_log">False</Option>
|
|
<Option name="firewall_dir">/etc</Option>
|
|
<Option name="freebsd_ip_forward">1</Option>
|
|
<Option name="generate_rc_conf_file">False</Option>
|
|
<Option name="generate_shell_script">True</Option>
|
|
<Option name="ignore_empty_groups">False</Option>
|
|
<Option name="in_out_code">true</Option>
|
|
<Option name="ipv4_6_order">ipv4_first</Option>
|
|
<Option name="log_prefix">RULE %N -- %A </Option>
|
|
<Option name="loopback_interface">lo0</Option>
|
|
<Option name="manage_virtual_addr">True</Option>
|
|
<Option name="mgmt_addr">10.3.14.30</Option>
|
|
<Option name="mgmt_ssh">True</Option>
|
|
<Option name="openbsd_ip_forward">1</Option>
|
|
<Option name="output_file"></Option>
|
|
<Option name="pass_all_out">false</Option>
|
|
<Option name="pf_adaptive_end">0</Option>
|
|
<Option name="pf_adaptive_start">0</Option>
|
|
<Option name="pf_do_limit_frags">False</Option>
|
|
<Option name="pf_do_limit_src_nodes">False</Option>
|
|
<Option name="pf_do_limit_states">False</Option>
|
|
<Option name="pf_do_limit_table_entries">False</Option>
|
|
<Option name="pf_do_limit_tables">False</Option>
|
|
<Option name="pf_do_scrub">True</Option>
|
|
<Option name="pf_do_timeout_frag">False</Option>
|
|
<Option name="pf_do_timeout_interval">False</Option>
|
|
<Option name="pf_flush_states">False</Option>
|
|
<Option name="pf_icmp_error">0</Option>
|
|
<Option name="pf_icmp_first">0</Option>
|
|
<Option name="pf_limit_frags">5000</Option>
|
|
<Option name="pf_limit_src_nodes">0</Option>
|
|
<Option name="pf_limit_states">10000</Option>
|
|
<Option name="pf_limit_table_entries">0</Option>
|
|
<Option name="pf_limit_tables">0</Option>
|
|
<Option name="pf_modulate_state">False</Option>
|
|
<Option name="pf_optimization"></Option>
|
|
<Option name="pf_other_first">0</Option>
|
|
<Option name="pf_other_multiple">0</Option>
|
|
<Option name="pf_other_single">0</Option>
|
|
<Option name="pf_scrub_fragm_crop">False</Option>
|
|
<Option name="pf_scrub_fragm_drop_ovl">False</Option>
|
|
<Option name="pf_scrub_maxmss">1460</Option>
|
|
<Option name="pf_scrub_minttl">1</Option>
|
|
<Option name="pf_scrub_no_df">True</Option>
|
|
<Option name="pf_scrub_random_id">True</Option>
|
|
<Option name="pf_scrub_reassemble">False</Option>
|
|
<Option name="pf_scrub_reassemble_tcp">True</Option>
|
|
<Option name="pf_scrub_use_maxmss">True</Option>
|
|
<Option name="pf_scrub_use_minttl">True</Option>
|
|
<Option name="pf_set_adaptive">False</Option>
|
|
<Option name="pf_set_icmp_error">False</Option>
|
|
<Option name="pf_set_icmp_first">False</Option>
|
|
<Option name="pf_set_other_first">False</Option>
|
|
<Option name="pf_set_other_multiple">False</Option>
|
|
<Option name="pf_set_other_single">False</Option>
|
|
<Option name="pf_set_tcp_closed">False</Option>
|
|
<Option name="pf_set_tcp_closing">False</Option>
|
|
<Option name="pf_set_tcp_established">False</Option>
|
|
<Option name="pf_set_tcp_finwait">False</Option>
|
|
<Option name="pf_set_tcp_first">False</Option>
|
|
<Option name="pf_set_tcp_opening">False</Option>
|
|
<Option name="pf_set_udp_first">False</Option>
|
|
<Option name="pf_set_udp_multiple">False</Option>
|
|
<Option name="pf_set_udp_single">True</Option>
|
|
<Option name="pf_state_policy"></Option>
|
|
<Option name="pf_tcp_closed">0</Option>
|
|
<Option name="pf_tcp_closing">0</Option>
|
|
<Option name="pf_tcp_established">0</Option>
|
|
<Option name="pf_tcp_finwait">0</Option>
|
|
<Option name="pf_tcp_first">0</Option>
|
|
<Option name="pf_tcp_opening">0</Option>
|
|
<Option name="pf_timeout_frag">30</Option>
|
|
<Option name="pf_timeout_interval">10</Option>
|
|
<Option name="pf_udp_first">0</Option>
|
|
<Option name="pf_udp_multiple">0</Option>
|
|
<Option name="pf_udp_single">5</Option>
|
|
<Option name="prolog_place">fw_file</Option>
|
|
<Option name="prolog_script"></Option>
|
|
<Option name="scpArgs"></Option>
|
|
<Option name="script_name_on_firewall">/etc/fw/pf.fw</Option>
|
|
<Option name="sshArgs"></Option>
|
|
</FirewallOptions>
|
|
</Firewall>
|
|
<Firewall id="id164588X20402" host_OS="freebsd" inactive="False" lastCompiled="1297645524" lastInstalled="0" lastModified="1305062829" platform="pf" version="" name="firewall110" comment="testing shadowing of rules with tag action" ro="False">
|
|
<NAT id="id164956X20402" name="NAT" comment="" ro="False" ipv4_rule_set="False" ipv6_rule_set="False" top_rule_set="True">
|
|
<RuleSetOptions/>
|
|
</NAT>
|
|
<Policy id="id164614X20402" name="Policy" comment="" ro="False" ipv4_rule_set="False" ipv6_rule_set="False" top_rule_set="True">
|
|
<PolicyRule id="id345014X20402" disabled="False" group="" log="False" position="0" action="Continue" direction="Both" comment="see #1867 this rule is non-terminating and should not shadow next ">
|
|
<Src neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="action_on_reject"></Option>
|
|
<Option name="classification">False</Option>
|
|
<Option name="classify_str"></Option>
|
|
<Option name="color">#C0BA44</Option>
|
|
<Option name="custom_str"></Option>
|
|
<Option name="ipf_route_opt_addr"></Option>
|
|
<Option name="ipf_route_opt_if"></Option>
|
|
<Option name="ipf_route_option">route_reply_through</Option>
|
|
<Option name="ipfw_classify_method">2</Option>
|
|
<Option name="ipfw_pipe_port_num">0</Option>
|
|
<Option name="ipfw_pipe_queue_num">0</Option>
|
|
<Option name="ipt_continue">False</Option>
|
|
<Option name="ipt_gw"></Option>
|
|
<Option name="ipt_iif"></Option>
|
|
<Option name="ipt_mark_connections">False</Option>
|
|
<Option name="ipt_oif"></Option>
|
|
<Option name="ipt_tee">False</Option>
|
|
<Option name="log_prefix"></Option>
|
|
<Option name="pf_classify_str"></Option>
|
|
<Option name="pf_fastroute">False</Option>
|
|
<Option name="pf_keep_state">False</Option>
|
|
<Option name="pf_max_src_conn">0</Option>
|
|
<Option name="pf_max_src_conn_flush">False</Option>
|
|
<Option name="pf_max_src_conn_global">False</Option>
|
|
<Option name="pf_max_src_conn_overload_table"></Option>
|
|
<Option name="pf_max_src_conn_rate_num">0</Option>
|
|
<Option name="pf_max_src_conn_rate_seconds">0</Option>
|
|
<Option name="pf_max_src_nodes">0</Option>
|
|
<Option name="pf_max_src_states">0</Option>
|
|
<Option name="pf_modulate_state">False</Option>
|
|
<Option name="pf_no_sync">False</Option>
|
|
<Option name="pf_pflow">False</Option>
|
|
<Option name="pf_route_load_option">none</Option>
|
|
<Option name="pf_route_opt_addr"></Option>
|
|
<Option name="pf_route_opt_if"></Option>
|
|
<Option name="pf_route_option">none</Option>
|
|
<Option name="pf_rule_max_state">0</Option>
|
|
<Option name="pf_sloppy_tracker">False</Option>
|
|
<Option name="pf_source_tracking">False</Option>
|
|
<Option name="pf_synproxy">False</Option>
|
|
<Option name="routing">False</Option>
|
|
<Option name="rule_name_accounting"></Option>
|
|
<Option name="stateless">True</Option>
|
|
<Option name="tagging">True</Option>
|
|
<Option name="tagobject_id">id1391120443</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<PolicyRule id="id344958X20402" disabled="False" group="" log="False" position="1" action="Accept" direction="Both" comment="">
|
|
<Src neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="action_on_reject"></Option>
|
|
<Option name="classification">True</Option>
|
|
<Option name="classify_str">ssh_q</Option>
|
|
<Option name="color">#C0BA44</Option>
|
|
<Option name="custom_str"></Option>
|
|
<Option name="ipf_route_opt_addr"></Option>
|
|
<Option name="ipf_route_opt_if"></Option>
|
|
<Option name="ipf_route_option">route_reply_through</Option>
|
|
<Option name="ipfw_classify_method">2</Option>
|
|
<Option name="ipfw_pipe_port_num">0</Option>
|
|
<Option name="ipfw_pipe_queue_num">0</Option>
|
|
<Option name="ipt_continue">False</Option>
|
|
<Option name="ipt_gw"></Option>
|
|
<Option name="ipt_iif"></Option>
|
|
<Option name="ipt_mark_connections">False</Option>
|
|
<Option name="ipt_oif"></Option>
|
|
<Option name="ipt_tee">False</Option>
|
|
<Option name="log_prefix"></Option>
|
|
<Option name="pf_classify_str">ssh_q</Option>
|
|
<Option name="pf_fastroute">False</Option>
|
|
<Option name="pf_keep_state">False</Option>
|
|
<Option name="pf_max_src_conn">0</Option>
|
|
<Option name="pf_max_src_conn_flush">False</Option>
|
|
<Option name="pf_max_src_conn_global">False</Option>
|
|
<Option name="pf_max_src_conn_overload_table"></Option>
|
|
<Option name="pf_max_src_conn_rate_num">0</Option>
|
|
<Option name="pf_max_src_conn_rate_seconds">0</Option>
|
|
<Option name="pf_max_src_nodes">0</Option>
|
|
<Option name="pf_max_src_states">0</Option>
|
|
<Option name="pf_modulate_state">False</Option>
|
|
<Option name="pf_no_sync">False</Option>
|
|
<Option name="pf_pflow">False</Option>
|
|
<Option name="pf_route_load_option">none</Option>
|
|
<Option name="pf_route_opt_addr"></Option>
|
|
<Option name="pf_route_opt_if"></Option>
|
|
<Option name="pf_route_option">none</Option>
|
|
<Option name="pf_rule_max_state">0</Option>
|
|
<Option name="pf_sloppy_tracker">False</Option>
|
|
<Option name="pf_source_tracking">False</Option>
|
|
<Option name="pf_synproxy">False</Option>
|
|
<Option name="routing">False</Option>
|
|
<Option name="rule_name_accounting"></Option>
|
|
<Option name="stateless">False</Option>
|
|
<Option name="tagging">False</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<PolicyRule id="id164616X20402" disabled="False" group="" log="False" position="2" action="Continue" direction="Both" comment="">
|
|
<Src neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="action_on_reject"></Option>
|
|
<Option name="classification">False</Option>
|
|
<Option name="classify_str"></Option>
|
|
<Option name="custom_str"></Option>
|
|
<Option name="ipfw_pipe_method">0</Option>
|
|
<Option name="ipfw_pipe_port_num">0</Option>
|
|
<Option name="pf_classify_str"></Option>
|
|
<Option name="routing">False</Option>
|
|
<Option name="rule_name_accounting"></Option>
|
|
<Option name="tagging">True</Option>
|
|
<Option name="tagobject_id">id43F4556A28869</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<RuleSetOptions/>
|
|
</Policy>
|
|
<Routing id="id165025X20402" name="Routing" comment="" ro="False" ipv4_rule_set="False" ipv6_rule_set="False" top_rule_set="True">
|
|
<RuleSetOptions/>
|
|
</Routing>
|
|
<Interface id="id164596X20402" dedicated_failover="False" dyn="False" label="int_if" mgmt="False" security_level="100" unnum="False" unprotected="False" name="le0" comment="" ro="False">
|
|
<IPv4 id="id164599X20402" name="firewall110:le0:ip" comment="" ro="False" address="192.168.1.1" netmask="255.255.255.0"/>
|
|
<InterfaceOptions/>
|
|
</Interface>
|
|
<Interface id="id164601X20402" dedicated_failover="False" dyn="False" label="ext_if" mgmt="False" security_level="0" unnum="True" unprotected="False" name="enc0" comment="" ro="False">
|
|
<InterfaceOptions/>
|
|
</Interface>
|
|
<Interface id="id164604X20402" dedicated_failover="False" dyn="False" security_level="100" unnum="False" unprotected="False" name="lo" comment="" ro="False">
|
|
<IPv4 id="id164607X20402" name="firewall110:lo:ip" comment="" ro="False" address="127.0.0.1" netmask="255.0.0.0"/>
|
|
<InterfaceOptions/>
|
|
</Interface>
|
|
<Interface id="id164609X20402" dedicated_failover="False" dyn="False" label="wifi_int" mgmt="False" security_level="0" unnum="False" unprotected="False" name="enc1" comment="" ro="False">
|
|
<IPv4 id="id164612X20402" name="firewall110:enc1:ip" comment="" ro="False" address="192.168.2.1" netmask="255.255.255.0"/>
|
|
<InterfaceOptions/>
|
|
</Interface>
|
|
<Management address="127.0.0.1">
|
|
<!-- SNMP management is disabled for this firewall (enabled="False"), but the read
     community still holds the well-known default "public". Harmless while disabled;
     replace it with a non-default value before SNMP is ever switched on. -->
<SNMPManagement enabled="False" snmp_read_community="public" snmp_write_community=""/>
|
|
<!-- NOTE(review): fwbuilder daemon management is enabled here on port 9999 with an
     empty identity, whereas the other firewalls in this file keep it disabled with
     port="-1". Presumably deliberate for this fixture; confirm. -->
<FWBDManagement enabled="True" identity="" port="9999"/>
|
|
<PolicyInstallScript arguments="" command="" enabled="False"/>
|
|
</Management>
|
|
<FirewallOptions>
|
|
<Option name="accept_established">True</Option>
|
|
<!-- NOTE(review): judging by the option name, "True" lets TCP packets that do not
     carry SYN be accepted as new connections, which weakens stateful tracking.
     firewall109 further down keeps this at "False". Acceptable for a shadowing test
     fixture, not something to copy into a production template; confirm against the
     pf compiler what it actually emits. -->
<Option name="accept_new_tcp_with_no_syn">True</Option>
|
|
<Option name="action_on_reject">ICMP net unreachable</Option>
|
|
<Option name="activationCmd"></Option>
|
|
<Option name="admUser"></Option>
|
|
<Option name="altAddress"></Option>
|
|
<Option name="check_shading">True</Option>
|
|
<Option name="clamp_mss_to_mtu">False</Option>
|
|
<Option name="cmdline"></Option>
|
|
<Option name="compiler"></Option>
|
|
<Option name="conf1_file"></Option>
|
|
<Option name="conf_file_name_on_firewall"></Option>
|
|
<Option name="configure_bridge_interfaces">False</Option>
|
|
<Option name="configure_carp_interfaces">False</Option>
|
|
<Option name="configure_interfaces">False</Option>
|
|
<Option name="configure_pfsync_interfaces">False</Option>
|
|
<Option name="configure_vlan_interfaces">False</Option>
|
|
<Option name="debug">False</Option>
|
|
<Option name="dyn_addr">False</Option>
|
|
<Option name="epilog_script"></Option>
|
|
<Option name="fallback_log">False</Option>
|
|
<Option name="firewall_dir"></Option>
|
|
<Option name="firewall_is_part_of_any">True</Option>
|
|
<Option name="firewall_is_part_of_any_and_networks">True</Option>
|
|
<Option name="freebsd_path_ipf"></Option>
|
|
<Option name="freebsd_path_ipnat"></Option>
|
|
<Option name="freebsd_path_sysctl"></Option>
|
|
<Option name="generate_rc_conf_file">False</Option>
|
|
<Option name="generate_shell_script">True</Option>
|
|
<Option name="ignore_empty_groups">False</Option>
|
|
<Option name="in_out_code">True</Option>
|
|
<Option name="inst_cmdline"></Option>
|
|
<Option name="inst_script"></Option>
|
|
<Option name="install_script"></Option>
|
|
<Option name="ipv4_6_order">ipv4_first</Option>
|
|
<Option name="limit_suffix">/day</Option>
|
|
<Option name="limit_value">0</Option>
|
|
<Option name="linux24_ip_forward">0</Option>
|
|
<Option name="linux24_tcp_fin_timeout">30</Option>
|
|
<Option name="linux24_tcp_keepalive_interval">1800</Option>
|
|
<Option name="load_modules">False</Option>
|
|
<Option name="log_all_dropped">False</Option>
|
|
<Option name="log_ip_opt">False</Option>
|
|
<Option name="log_level">debug</Option>
|
|
<Option name="log_limit_suffix">/second</Option>
|
|
<Option name="log_limit_value">0</Option>
|
|
<Option name="log_prefix"></Option>
|
|
<Option name="log_tcp_opt">False</Option>
|
|
<Option name="log_tcp_seq">False</Option>
|
|
<Option name="manage_virtual_addr">True</Option>
|
|
<Option name="mgmt_addr"></Option>
|
|
<Option name="mgmt_ssh">False</Option>
|
|
<Option name="modulate_state">False</Option>
|
|
<Option name="no_iochains_for_any">False</Option>
|
|
<Option name="no_optimisation">False</Option>
|
|
<Option name="openbsd_path_pfctl"></Option>
|
|
<Option name="openbsd_path_sysctl"></Option>
|
|
<Option name="output_file"></Option>
|
|
<Option name="pass_all_out">False</Option>
|
|
<Option name="pf_adaptive_end">0</Option>
|
|
<Option name="pf_adaptive_start">0</Option>
|
|
<Option name="pf_do_limit_frags">False</Option>
|
|
<Option name="pf_do_limit_src_nodes">False</Option>
|
|
<Option name="pf_do_limit_states">False</Option>
|
|
<Option name="pf_do_limit_table_entries">False</Option>
|
|
<Option name="pf_do_limit_tables">False</Option>
|
|
<Option name="pf_do_scrub">True</Option>
|
|
<Option name="pf_do_timeout_frag">False</Option>
|
|
<Option name="pf_do_timeout_interval">False</Option>
|
|
<Option name="pf_flush_states">False</Option>
|
|
<Option name="pf_icmp_error">0</Option>
|
|
<Option name="pf_icmp_first">0</Option>
|
|
<Option name="pf_limit_frags">5000</Option>
|
|
<Option name="pf_limit_src_nodes">0</Option>
|
|
<Option name="pf_limit_states">10000</Option>
|
|
<Option name="pf_limit_table_entries">0</Option>
|
|
<Option name="pf_limit_tables">0</Option>
|
|
<Option name="pf_modulate_state">False</Option>
|
|
<Option name="pf_optimization"></Option>
|
|
<Option name="pf_other_first">0</Option>
|
|
<Option name="pf_other_multiple">0</Option>
|
|
<Option name="pf_other_single">0</Option>
|
|
<Option name="pf_scrub_fragm_crop">False</Option>
|
|
<Option name="pf_scrub_fragm_drop_ovl">False</Option>
|
|
<Option name="pf_scrub_maxmss">1460</Option>
|
|
<Option name="pf_scrub_minttl">1</Option>
|
|
<Option name="pf_scrub_no_df">False</Option>
|
|
<Option name="pf_scrub_random_id">False</Option>
|
|
<Option name="pf_scrub_reassemble">True</Option>
|
|
<Option name="pf_scrub_reassemble_tcp">False</Option>
|
|
<Option name="pf_scrub_use_maxmss">False</Option>
|
|
<Option name="pf_scrub_use_minttl">False</Option>
|
|
<Option name="pf_set_adaptive">False</Option>
|
|
<Option name="pf_set_icmp_error">False</Option>
|
|
<Option name="pf_set_icmp_first">False</Option>
|
|
<Option name="pf_set_other_first">False</Option>
|
|
<Option name="pf_set_other_multiple">False</Option>
|
|
<Option name="pf_set_other_single">False</Option>
|
|
<Option name="pf_set_tcp_closed">False</Option>
|
|
<Option name="pf_set_tcp_closing">False</Option>
|
|
<Option name="pf_set_tcp_established">False</Option>
|
|
<Option name="pf_set_tcp_finwait">False</Option>
|
|
<Option name="pf_set_tcp_first">False</Option>
|
|
<Option name="pf_set_tcp_opening">False</Option>
|
|
<Option name="pf_set_udp_first">False</Option>
|
|
<Option name="pf_set_udp_multiple">False</Option>
|
|
<Option name="pf_set_udp_single">False</Option>
|
|
<Option name="pf_state_policy"></Option>
|
|
<Option name="pf_tcp_closed">0</Option>
|
|
<Option name="pf_tcp_closing">0</Option>
|
|
<Option name="pf_tcp_established">0</Option>
|
|
<Option name="pf_tcp_finwait">0</Option>
|
|
<Option name="pf_tcp_first">0</Option>
|
|
<Option name="pf_tcp_opening">0</Option>
|
|
<Option name="pf_timeout_frag">30</Option>
|
|
<Option name="pf_timeout_interval">10</Option>
|
|
<Option name="pf_udp_first">0</Option>
|
|
<Option name="pf_udp_multiple">0</Option>
|
|
<Option name="pf_udp_single">0</Option>
|
|
<!-- NOTE(review): the enclosing Firewall element declares platform="pf", yet this
     option says "iptables", and the linux24_* / ipt_* options in this block are
     iptables settings. They look like leftovers from an earlier platform choice;
     confirm which value the compiler honours and whether the stale options can go. -->
<Option name="platform">iptables</Option>
|
|
<Option name="prolog_place">fw_file</Option>
|
|
<Option name="prolog_script"></Option>
|
|
<Option name="proxy_arp">False</Option>
|
|
<Option name="scpArgs"></Option>
|
|
<Option name="script_env_path"></Option>
|
|
<Option name="script_name_on_firewall"></Option>
|
|
<Option name="snmp_contact"></Option>
|
|
<Option name="snmp_description"></Option>
|
|
<Option name="snmp_location"></Option>
|
|
<Option name="sshArgs"></Option>
|
|
<Option name="use_ip_tool">False</Option>
|
|
<Option name="use_numeric_log_levels">False</Option>
|
|
<Option name="use_tables">True</Option>
|
|
</FirewallOptions>
|
|
</Firewall>
|
|
<Firewall id="id35204X5121" host_OS="freebsd" inactive="False" lastCompiled="1297728239" lastInstalled="1271995582" lastModified="1297899814" platform="pf" version="4.7" name="firewall109" comment="complex configuration with bridge and vlan" ro="False">
|
|
<NAT id="id35272X5121" name="NAT" comment="" ro="False" ipv4_rule_set="False" ipv6_rule_set="False" top_rule_set="True">
|
|
<RuleSetOptions/>
|
|
</NAT>
|
|
<Policy id="id35241X5121" name="Policy" comment="" ro="False" ipv4_rule_set="False" ipv6_rule_set="False" top_rule_set="True">
|
|
<PolicyRule id="id35243X5121" disabled="False" group="" log="True" position="0" action="Deny" direction="Both" comment="">
|
|
<Src neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="pf_classify_str"></Option>
|
|
<Option name="stateless">True</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<RuleSetOptions/>
|
|
</Policy>
|
|
<Routing id="id35275X5121" name="Routing" comment="" ro="False" ipv4_rule_set="False" ipv6_rule_set="False" top_rule_set="True">
|
|
<RuleSetOptions/>
|
|
</Routing>
|
|
<Interface id="id35212X5121" dedicated_failover="False" dyn="False" label="" mgmt="True" security_level="100" unnum="False" unprotected="False" name="em0" comment="" ro="False">
|
|
<IPv4 id="id35215X5121" name="firewall109:em0:ip" comment="" ro="False" address="10.3.14.81" netmask="255.255.255.0"/>
|
|
<InterfaceOptions>
|
|
<Option name="iface_mtu">1500</Option>
|
|
</InterfaceOptions>
|
|
</Interface>
|
|
<Interface id="id35217X5121" dedicated_failover="False" dyn="False" label="" mgmt="False" security_level="100" unnum="True" unprotected="False" name="em1" comment="" ro="False">
|
|
<InterfaceOptions>
|
|
<Option name="enable_stp">False</Option>
|
|
<Option name="iface_configure_mtu">False</Option>
|
|
<Option name="iface_mtu">1500</Option>
|
|
<Option name="iface_options">media 100baseTX mediaopt full-duplex</Option>
|
|
<Option name="type">ethernet</Option>
|
|
<Option name="vlan_id">0</Option>
|
|
</InterfaceOptions>
|
|
</Interface>
|
|
<Interface id="id35222X5121" dedicated_failover="False" dyn="False" label="" mgmt="False" security_level="0" unnum="True" unprotected="False" name="em2" comment="" ro="False">
|
|
<InterfaceOptions>
|
|
<Option name="enable_stp">False</Option>
|
|
<Option name="iface_configure_mtu">False</Option>
|
|
<Option name="iface_mtu">1500</Option>
|
|
<Option name="iface_options">media 100baseTX mediaopt full-duplex</Option>
|
|
<Option name="type">ethernet</Option>
|
|
<Option name="vlan_id">0</Option>
|
|
</InterfaceOptions>
|
|
<Interface id="id35231X5121" dedicated_failover="False" dyn="False" label="" mgmt="False" security_level="0" unnum="False" unprotected="False" name="vlan101" comment="" ro="False">
|
|
<IPv4 id="id35234X5121" name="firewall109:em2:vlan101:ip" comment="" ro="False" address="192.168.101.1" netmask="255.255.255.0"/>
|
|
<InterfaceOptions>
|
|
<Option name="enable_stp">False</Option>
|
|
<Option name="iface_configure_mtu">False</Option>
|
|
<Option name="iface_mtu">1500</Option>
|
|
<Option name="iface_options"></Option>
|
|
<Option name="type">8021q</Option>
|
|
<Option name="vlan_id">101</Option>
|
|
</InterfaceOptions>
|
|
</Interface>
|
|
<Interface id="id35236X5121" dedicated_failover="False" dyn="False" security_level="0" unnum="False" unprotected="False" name="vlan102" comment="" ro="False">
|
|
<IPv4 id="id35239X5121" name="firewall109:em2:vlan102:ip" comment="" ro="False" address="192.168.102.1" netmask="255.255.255.0"/>
|
|
<InterfaceOptions>
|
|
<Option name="enable_stp">False</Option>
|
|
<Option name="iface_configure_mtu">False</Option>
|
|
<Option name="iface_mtu">1500</Option>
|
|
<Option name="iface_options"></Option>
|
|
<Option name="type">8021q</Option>
|
|
<Option name="vlan_id">102</Option>
|
|
</InterfaceOptions>
|
|
</Interface>
|
|
</Interface>
|
|
<Interface id="id35379X5121" dedicated_failover="False" dyn="False" label="" mgmt="False" security_level="0" unnum="False" unprotected="False" name="bridge0" comment="" ro="False">
|
|
<IPv4 id="id35360X5600" name="firewall109:bridge0:ip" comment="" ro="False" address="192.168.1.1" netmask="255.255.255.0"/>
|
|
<InterfaceOptions>
|
|
<Option name="enable_stp">False</Option>
|
|
<Option name="iface_configure_mtu">False</Option>
|
|
<Option name="iface_mtu">1500</Option>
|
|
<Option name="iface_options"></Option>
|
|
<Option name="type">bridge</Option>
|
|
<Option name="vlan_id">0</Option>
|
|
</InterfaceOptions>
|
|
<Interface id="id35413X5121" dedicated_failover="False" dyn="False" label="" mgmt="False" security_level="0" unnum="False" unprotected="False" name="em1" comment="" ro="False">
|
|
<InterfaceOptions>
|
|
<Option name="enable_stp">False</Option>
|
|
<Option name="iface_configure_mtu">False</Option>
|
|
<Option name="iface_mtu">1500</Option>
|
|
<Option name="iface_options"></Option>
|
|
<Option name="type">ethernet</Option>
|
|
<Option name="vlan_id">0</Option>
|
|
</InterfaceOptions>
|
|
</Interface>
|
|
<Interface id="id35431X5121" dedicated_failover="False" dyn="False" security_level="0" unnum="False" unprotected="False" name="em2" comment="" ro="False">
|
|
<InterfaceOptions>
|
|
<Option name="enable_stp">False</Option>
|
|
<Option name="iface_configure_mtu">False</Option>
|
|
<Option name="iface_mtu">1500</Option>
|
|
<Option name="iface_options"></Option>
|
|
<Option name="type">ethernet</Option>
|
|
<Option name="vlan_id">0</Option>
|
|
</InterfaceOptions>
|
|
</Interface>
|
|
</Interface>
|
|
<Management address="0.0.0.0">
|
|
<SNMPManagement enabled="False" snmp_read_community="" snmp_write_community=""/>
|
|
<FWBDManagement enabled="False" identity="" port="-1"/>
|
|
<PolicyInstallScript arguments="" command="" enabled="False"/>
|
|
</Management>
|
|
<FirewallOptions>
|
|
<Option name="accept_new_tcp_with_no_syn">False</Option>
|
|
<Option name="activationCmd"></Option>
|
|
<!-- NOTE(review): presumably the account the installer logs in as. Together with
     mgmt_ssh="True" and mgmt_addr="10.3.14.30" later in this block, that would mean a
     direct root login over SSH. Fine for a test fixture; a production template would
     use a dedicated install user with narrowly scoped sudo instead. -->
<Option name="admUser">root</Option>
|
|
<Option name="altAddress"></Option>
|
|
<Option name="check_shading">True</Option>
|
|
<Option name="cmdline">-xt</Option>
|
|
<Option name="compiler"></Option>
|
|
<Option name="conf1_file"></Option>
|
|
<!-- The space inside this path is deliberate: firewall109 and firewall109-1 both use
     it, presumably to exercise quoting of the config path in the generated shell
     script and install commands. Keep it when editing the fixture. -->
<Option name="conf_file_name_on_firewall">/etc/fw/path with space/pf.conf</Option>
|
|
<Option name="configure_bridge_interfaces">True</Option>
|
|
<Option name="configure_carp_interfaces">True</Option>
|
|
<Option name="configure_interfaces">True</Option>
|
|
<Option name="configure_pfsync_interfaces">True</Option>
|
|
<Option name="configure_vlan_interfaces">True</Option>
|
|
<Option name="debug">False</Option>
|
|
<Option name="epilog_script"></Option>
|
|
<Option name="fallback_log">False</Option>
|
|
<Option name="firewall_dir">/etc</Option>
|
|
<Option name="freebsd_ip_forward">1</Option>
|
|
<Option name="generate_rc_conf_file">False</Option>
|
|
<Option name="generate_shell_script">True</Option>
|
|
<Option name="ignore_empty_groups">False</Option>
|
|
<!-- NOTE(review): lowercase "true" here (and "false" in pass_all_out below) differs
     from the capitalised "True"/"False" used by every other boolean option in this
     file. The reader may well accept both spellings, but one form should be used
     throughout so the lexical form stays predictable. -->
<Option name="in_out_code">true</Option>
|
|
<Option name="ipv4_6_order">ipv4_first</Option>
|
|
<!-- The trailing space after %A is part of the value: whitespace inside element text
     is data, so it is presumably carried into the generated log prefix. Do not let a
     formatter or trimming data binding strip it. -->
<Option name="log_prefix">RULE %N -- %A </Option>
|
|
<Option name="loopback_interface">lo0</Option>
|
|
<Option name="manage_virtual_addr">True</Option>
|
|
<Option name="mgmt_addr">10.3.14.30</Option>
|
|
<Option name="mgmt_ssh">True</Option>
|
|
<Option name="openbsd_ip_forward">1</Option>
|
|
<Option name="output_file"></Option>
|
|
<Option name="pass_all_out">false</Option>
|
|
<Option name="pf_adaptive_end">0</Option>
|
|
<Option name="pf_adaptive_start">0</Option>
|
|
<Option name="pf_block_policy"></Option>
|
|
<Option name="pf_do_limit_frags">False</Option>
|
|
<Option name="pf_do_limit_src_nodes">False</Option>
|
|
<Option name="pf_do_limit_states">False</Option>
|
|
<Option name="pf_do_limit_table_entries">False</Option>
|
|
<Option name="pf_do_limit_tables">False</Option>
|
|
<Option name="pf_do_scrub">True</Option>
|
|
<Option name="pf_do_timeout_frag">False</Option>
|
|
<Option name="pf_do_timeout_interval">False</Option>
|
|
<Option name="pf_flush_states">False</Option>
|
|
<Option name="pf_icmp_error">0</Option>
|
|
<Option name="pf_icmp_first">0</Option>
|
|
<Option name="pf_limit_frags">5000</Option>
|
|
<Option name="pf_limit_src_nodes">0</Option>
|
|
<Option name="pf_limit_states">10000</Option>
|
|
<Option name="pf_limit_table_entries">0</Option>
|
|
<Option name="pf_limit_tables">0</Option>
|
|
<Option name="pf_modulate_state">False</Option>
|
|
<Option name="pf_optimization"></Option>
|
|
<Option name="pf_other_first">0</Option>
|
|
<Option name="pf_other_multiple">0</Option>
|
|
<Option name="pf_other_single">0</Option>
|
|
<Option name="pf_scrub_fragm_crop">False</Option>
|
|
<Option name="pf_scrub_fragm_drop_ovl">False</Option>
|
|
<Option name="pf_scrub_maxmss">1460</Option>
|
|
<Option name="pf_scrub_minttl">1</Option>
|
|
<Option name="pf_scrub_no_df">True</Option>
|
|
<Option name="pf_scrub_random_id">True</Option>
|
|
<Option name="pf_scrub_reassemble">False</Option>
|
|
<Option name="pf_scrub_reassemble_tcp">True</Option>
|
|
<Option name="pf_scrub_use_maxmss">True</Option>
|
|
<Option name="pf_scrub_use_minttl">True</Option>
|
|
<Option name="pf_set_adaptive">False</Option>
|
|
<Option name="pf_set_debug"></Option>
|
|
<Option name="pf_set_icmp_error">False</Option>
|
|
<Option name="pf_set_icmp_first">False</Option>
|
|
<Option name="pf_set_other_first">False</Option>
|
|
<Option name="pf_set_other_multiple">False</Option>
|
|
<Option name="pf_set_other_single">False</Option>
|
|
<Option name="pf_set_tcp_closed">False</Option>
|
|
<Option name="pf_set_tcp_closing">False</Option>
|
|
<Option name="pf_set_tcp_established">False</Option>
|
|
<Option name="pf_set_tcp_finwait">False</Option>
|
|
<Option name="pf_set_tcp_first">False</Option>
|
|
<Option name="pf_set_tcp_opening">False</Option>
|
|
<Option name="pf_set_udp_first">False</Option>
|
|
<Option name="pf_set_udp_multiple">False</Option>
|
|
<Option name="pf_set_udp_single">True</Option>
|
|
<Option name="pf_state_policy"></Option>
|
|
<Option name="pf_tcp_closed">0</Option>
|
|
<Option name="pf_tcp_closing">0</Option>
|
|
<Option name="pf_tcp_established">0</Option>
|
|
<Option name="pf_tcp_finwait">0</Option>
|
|
<Option name="pf_tcp_first">0</Option>
|
|
<Option name="pf_tcp_opening">0</Option>
|
|
<Option name="pf_timeout_frag">30</Option>
|
|
<Option name="pf_timeout_interval">10</Option>
|
|
<Option name="pf_udp_first">0</Option>
|
|
<Option name="pf_udp_multiple">0</Option>
|
|
<Option name="pf_udp_single">5</Option>
|
|
<Option name="prolog_place">fw_file</Option>
|
|
<Option name="prolog_script"></Option>
|
|
<Option name="scpArgs"></Option>
|
|
<Option name="script_name_on_firewall">/etc/fw/pf.fw</Option>
|
|
<Option name="sshArgs"></Option>
|
|
</FirewallOptions>
|
|
</Firewall>
|
|
<Firewall id="id35385X5600" host_OS="freebsd" inactive="False" lastCompiled="1297728261" lastInstalled="1271995582" lastModified="1297901993" platform="pf" version="4.7" name="firewall109-1" comment="complex configuration with bridge and vlan, rc.conf format" ro="False">
|
|
<NAT id="id35466X5600" name="NAT" comment="" ro="False" ipv4_rule_set="False" ipv6_rule_set="False" top_rule_set="True">
|
|
<RuleSetOptions/>
|
|
</NAT>
|
|
<Policy id="id35435X5600" name="Policy" comment="" ro="False" ipv4_rule_set="False" ipv6_rule_set="False" top_rule_set="True">
|
|
<PolicyRule id="id35437X5600" disabled="False" group="" log="True" position="0" action="Deny" direction="Both" comment="">
|
|
<Src neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="pf_classify_str"></Option>
|
|
<Option name="stateless">True</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<RuleSetOptions/>
|
|
</Policy>
|
|
<Routing id="id35469X5600" name="Routing" comment="" ro="False" ipv4_rule_set="False" ipv6_rule_set="False" top_rule_set="True">
|
|
<RuleSetOptions/>
|
|
</Routing>
|
|
<Interface id="id35393X5600" dedicated_failover="False" dyn="False" label="" mgmt="True" security_level="100" unnum="False" unprotected="False" name="em0" comment="" ro="False">
|
|
<IPv4 id="id35396X5600" name="firewall109:em0:ip" comment="" ro="False" address="10.3.14.81" netmask="255.255.255.0"/>
|
|
<InterfaceOptions>
|
|
<Option name="iface_mtu">1500</Option>
|
|
</InterfaceOptions>
|
|
</Interface>
|
|
<Interface id="id35398X5600" dedicated_failover="False" dyn="False" label="" mgmt="False" security_level="100" unnum="True" unprotected="False" name="em1" comment="" ro="False">
|
|
<InterfaceOptions>
|
|
<Option name="enable_stp">False</Option>
|
|
<Option name="iface_configure_mtu">False</Option>
|
|
<Option name="iface_mtu">1500</Option>
|
|
<Option name="iface_options">media 100baseTX mediaopt full-duplex</Option>
|
|
<Option name="type">ethernet</Option>
|
|
<Option name="vlan_id">0</Option>
|
|
</InterfaceOptions>
|
|
</Interface>
|
|
<Interface id="id35401X5600" dedicated_failover="False" dyn="False" label="" mgmt="False" security_level="0" unnum="True" unprotected="False" name="em2" comment="" ro="False">
|
|
<InterfaceOptions>
|
|
<Option name="enable_stp">False</Option>
|
|
<Option name="iface_configure_mtu">False</Option>
|
|
<Option name="iface_mtu">1500</Option>
|
|
<Option name="iface_options">media 100baseTX mediaopt full-duplex</Option>
|
|
<Option name="type">ethernet</Option>
|
|
<Option name="vlan_id">0</Option>
|
|
</InterfaceOptions>
|
|
<Interface id="id35410X5600" dedicated_failover="False" dyn="False" label="" mgmt="False" security_level="0" unnum="False" unprotected="False" name="vlan101" comment="" ro="False">
|
|
<IPv4 id="id35413X5600" name="firewall109:em2:vlan101:ip" comment="" ro="False" address="192.168.101.1" netmask="255.255.255.0"/>
|
|
<InterfaceOptions>
|
|
<Option name="enable_stp">False</Option>
|
|
<Option name="iface_configure_mtu">False</Option>
|
|
<Option name="iface_mtu">1500</Option>
|
|
<Option name="iface_options"></Option>
|
|
<Option name="type">8021q</Option>
|
|
<Option name="vlan_id">101</Option>
|
|
</InterfaceOptions>
|
|
</Interface>
|
|
<Interface id="id35415X5600" dedicated_failover="False" dyn="False" security_level="0" unnum="False" unprotected="False" name="vlan102" comment="" ro="False">
|
|
<IPv4 id="id35418X5600" name="firewall109:em2:vlan102:ip" comment="" ro="False" address="192.168.102.1" netmask="255.255.255.0"/>
|
|
<InterfaceOptions>
|
|
<Option name="enable_stp">False</Option>
|
|
<Option name="iface_configure_mtu">False</Option>
|
|
<Option name="iface_mtu">1500</Option>
|
|
<Option name="iface_options"></Option>
|
|
<Option name="type">8021q</Option>
|
|
<Option name="vlan_id">102</Option>
|
|
</InterfaceOptions>
|
|
</Interface>
|
|
</Interface>
|
|
<Interface id="id35420X5600" dedicated_failover="False" dyn="False" label="" mgmt="False" security_level="0" unnum="False" unprotected="False" name="bridge0" comment="" ro="False">
|
|
<IPv4 id="id35427X5600" name="firewall109:bridge0:ip" comment="" ro="False" address="192.168.1.1" netmask="255.255.255.0"/>
|
|
<InterfaceOptions>
|
|
<Option name="enable_stp">False</Option>
|
|
<Option name="iface_configure_mtu">False</Option>
|
|
<Option name="iface_mtu">1500</Option>
|
|
<Option name="iface_options"></Option>
|
|
<Option name="type">bridge</Option>
|
|
<Option name="vlan_id">0</Option>
|
|
</InterfaceOptions>
|
|
<Interface id="id35429X5600" dedicated_failover="False" dyn="False" label="" mgmt="False" security_level="0" unnum="False" unprotected="False" name="em1" comment="" ro="False">
|
|
<InterfaceOptions>
|
|
<Option name="enable_stp">False</Option>
|
|
<Option name="iface_configure_mtu">False</Option>
|
|
<Option name="iface_mtu">1500</Option>
|
|
<Option name="iface_options"></Option>
|
|
<Option name="type">ethernet</Option>
|
|
<Option name="vlan_id">0</Option>
|
|
</InterfaceOptions>
|
|
</Interface>
|
|
<Interface id="id35432X5600" dedicated_failover="False" dyn="False" security_level="0" unnum="False" unprotected="False" name="em2" comment="" ro="False">
|
|
<InterfaceOptions>
|
|
<Option name="enable_stp">False</Option>
|
|
<Option name="iface_configure_mtu">False</Option>
|
|
<Option name="iface_mtu">1500</Option>
|
|
<Option name="iface_options"></Option>
|
|
<Option name="type">ethernet</Option>
|
|
<Option name="vlan_id">0</Option>
|
|
</InterfaceOptions>
|
|
</Interface>
|
|
</Interface>
|
|
<Management address="0.0.0.0">
|
|
<SNMPManagement enabled="False" snmp_read_community="" snmp_write_community=""/>
|
|
<FWBDManagement enabled="False" identity="" port="-1"/>
|
|
<PolicyInstallScript arguments="" command="" enabled="False"/>
|
|
</Management>
|
|
<FirewallOptions>
|
|
<Option name="accept_new_tcp_with_no_syn">False</Option>
|
|
<Option name="activationCmd"></Option>
|
|
<Option name="admUser">root</Option>
|
|
<Option name="altAddress"></Option>
|
|
<Option name="check_shading">True</Option>
|
|
<Option name="cmdline">-xt</Option>
|
|
<Option name="compiler"></Option>
|
|
<Option name="conf1_file"></Option>
|
|
<Option name="conf_file_name_on_firewall">/etc/fw/path with space/pf.conf</Option>
|
|
<Option name="configure_bridge_interfaces">True</Option>
|
|
<Option name="configure_carp_interfaces">True</Option>
|
|
<Option name="configure_interfaces">True</Option>
|
|
<Option name="configure_pfsync_interfaces">True</Option>
|
|
<Option name="configure_vlan_interfaces">True</Option>
|
|
<Option name="debug">False</Option>
|
|
<Option name="epilog_script"></Option>
|
|
<Option name="fallback_log">False</Option>
|
|
<Option name="firewall_dir">/etc</Option>
|
|
<Option name="freebsd_ip_forward">1</Option>
|
|
<Option name="generate_rc_conf_file">True</Option>
|
|
<Option name="generate_shell_script">False</Option>
|
|
<Option name="ignore_empty_groups">False</Option>
|
|
<Option name="in_out_code">true</Option>
|
|
<Option name="ipv4_6_order">ipv4_first</Option>
|
|
<Option name="log_prefix">RULE %N -- %A </Option>
|
|
<Option name="loopback_interface">lo0</Option>
|
|
<Option name="manage_virtual_addr">True</Option>
|
|
<Option name="mgmt_addr">10.3.14.30</Option>
|
|
<Option name="mgmt_ssh">True</Option>
|
|
<Option name="openbsd_ip_forward">1</Option>
|
|
<Option name="output_file"></Option>
|
|
<Option name="pass_all_out">false</Option>
|
|
<Option name="pf_adaptive_end">0</Option>
|
|
<Option name="pf_adaptive_start">0</Option>
|
|
<Option name="pf_do_limit_frags">False</Option>
|
|
<Option name="pf_do_limit_src_nodes">False</Option>
|
|
<Option name="pf_do_limit_states">False</Option>
|
|
<Option name="pf_do_limit_table_entries">False</Option>
|
|
<Option name="pf_do_limit_tables">False</Option>
|
|
<Option name="pf_do_scrub">True</Option>
|
|
<Option name="pf_do_timeout_frag">False</Option>
|
|
<Option name="pf_do_timeout_interval">False</Option>
|
|
<Option name="pf_flush_states">False</Option>
|
|
<Option name="pf_icmp_error">0</Option>
|
|
<Option name="pf_icmp_first">0</Option>
|
|
<Option name="pf_limit_frags">5000</Option>
|
|
<Option name="pf_limit_src_nodes">0</Option>
|
|
<Option name="pf_limit_states">10000</Option>
|
|
<Option name="pf_limit_table_entries">0</Option>
|
|
<Option name="pf_limit_tables">0</Option>
|
|
<Option name="pf_modulate_state">False</Option>
|
|
<Option name="pf_optimization"></Option>
|
|
<Option name="pf_other_first">0</Option>
|
|
<Option name="pf_other_multiple">0</Option>
|
|
<Option name="pf_other_single">0</Option>
|
|
<Option name="pf_scrub_fragm_crop">False</Option>
|
|
<Option name="pf_scrub_fragm_drop_ovl">False</Option>
|
|
<Option name="pf_scrub_maxmss">1460</Option>
|
|
<Option name="pf_scrub_minttl">1</Option>
|
|
<Option name="pf_scrub_no_df">True</Option>
|
|
<Option name="pf_scrub_random_id">True</Option>
|
|
<Option name="pf_scrub_reassemble">False</Option>
|
|
<Option name="pf_scrub_reassemble_tcp">True</Option>
|
|
<Option name="pf_scrub_use_maxmss">True</Option>
|
|
<Option name="pf_scrub_use_minttl">True</Option>
|
|
<Option name="pf_set_adaptive">False</Option>
|
|
<Option name="pf_set_icmp_error">False</Option>
|
|
<Option name="pf_set_icmp_first">False</Option>
|
|
<Option name="pf_set_other_first">False</Option>
|
|
<Option name="pf_set_other_multiple">False</Option>
|
|
<Option name="pf_set_other_single">False</Option>
|
|
<Option name="pf_set_tcp_closed">False</Option>
|
|
<Option name="pf_set_tcp_closing">False</Option>
|
|
<Option name="pf_set_tcp_established">False</Option>
|
|
<Option name="pf_set_tcp_finwait">False</Option>
|
|
<Option name="pf_set_tcp_first">False</Option>
|
|
<Option name="pf_set_tcp_opening">False</Option>
|
|
<Option name="pf_set_udp_first">False</Option>
|
|
<Option name="pf_set_udp_multiple">False</Option>
|
|
<Option name="pf_set_udp_single">True</Option>
|
|
<Option name="pf_state_policy"></Option>
|
|
<Option name="pf_tcp_closed">0</Option>
|
|
<Option name="pf_tcp_closing">0</Option>
|
|
<Option name="pf_tcp_established">0</Option>
|
|
<Option name="pf_tcp_finwait">0</Option>
|
|
<Option name="pf_tcp_first">0</Option>
|
|
<Option name="pf_tcp_opening">0</Option>
|
|
<Option name="pf_timeout_frag">30</Option>
|
|
<Option name="pf_timeout_interval">10</Option>
|
|
<Option name="pf_udp_first">0</Option>
|
|
<Option name="pf_udp_multiple">0</Option>
|
|
<Option name="pf_udp_single">5</Option>
|
|
<Option name="prolog_place">fw_file</Option>
|
|
<Option name="prolog_script"></Option>
|
|
<Option name="scpArgs"></Option>
|
|
<Option name="script_name_on_firewall">/etc/fw/pf.fw</Option>
|
|
<Option name="sshArgs"></Option>
|
|
</FirewallOptions>
|
|
</Firewall>
|
|
<Firewall id="id35513X5911" host_OS="freebsd" inactive="False" lastCompiled="1297894219" lastInstalled="1271995582" lastModified="1297891411" platform="pf" version="4.7" name="firewall109-2" comment="complex configuration with bridge and vlan, uses vlan interfaces with names not matching vlan IDs " ro="False">
|
|
<NAT id="id35594X5911" name="NAT" comment="" ro="False" ipv4_rule_set="False" ipv6_rule_set="False" top_rule_set="True">
|
|
<RuleSetOptions/>
|
|
</NAT>
|
|
<Policy id="id35563X5911" name="Policy" comment="" ro="False" ipv4_rule_set="False" ipv6_rule_set="False" top_rule_set="True">
|
|
<PolicyRule id="id35565X5911" disabled="False" group="" log="True" position="0" action="Deny" direction="Both" comment="">
|
|
<Src neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="pf_classify_str"></Option>
|
|
<Option name="stateless">True</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<RuleSetOptions/>
|
|
</Policy>
|
|
<Routing id="id35597X5911" name="Routing" comment="" ro="False" ipv4_rule_set="False" ipv6_rule_set="False" top_rule_set="True">
|
|
<RuleSetOptions/>
|
|
</Routing>
|
|
<Interface id="id35521X5911" dedicated_failover="False" dyn="False" label="" mgmt="True" security_level="100" unnum="False" unprotected="False" name="em0" comment="" ro="False">
|
|
<IPv4 id="id35524X5911" name="firewall109:em0:ip" comment="" ro="False" address="10.3.14.81" netmask="255.255.255.0"/>
|
|
<InterfaceOptions/>
|
|
</Interface>
|
|
<Interface id="id35526X5911" dedicated_failover="False" dyn="False" label="" mgmt="False" security_level="100" unnum="True" unprotected="False" name="em1" comment="" ro="False">
|
|
<InterfaceOptions/>
|
|
<Interface id="id35658X5911" dedicated_failover="False" dyn="False" label="" mgmt="False" security_level="0" unnum="True" unprotected="False" name="vlan9210" comment="" ro="False">
|
|
<InterfaceOptions>
|
|
<Option name="enable_stp">False</Option>
|
|
<Option name="iface_configure_mtu">False</Option>
|
|
<Option name="iface_mtu">1500</Option>
|
|
<Option name="iface_options"></Option>
|
|
<Option name="type">8021q</Option>
|
|
<Option name="vlan_id">210</Option>
|
|
</InterfaceOptions>
|
|
</Interface>
|
|
</Interface>
|
|
<Interface id="id35529X5911" dedicated_failover="False" dyn="False" label="" mgmt="False" security_level="0" unnum="True" unprotected="False" name="em2" comment="" ro="False">
|
|
<InterfaceOptions>
|
|
<Option name="type">ethernet</Option>
|
|
</InterfaceOptions>
|
|
<Interface id="id35538X5911" dedicated_failover="False" dyn="False" label="" mgmt="False" security_level="0" unnum="True" unprotected="False" name="vlan8210" comment="" ro="False">
|
|
<InterfaceOptions>
|
|
<Option name="enable_stp">False</Option>
|
|
<Option name="iface_configure_mtu">False</Option>
|
|
<Option name="iface_mtu">1500</Option>
|
|
<Option name="iface_options"></Option>
|
|
<Option name="type">8021q</Option>
|
|
<Option name="vlan_id">210</Option>
|
|
</InterfaceOptions>
|
|
</Interface>
|
|
</Interface>
|
|
<Interface id="id35548X5911" dedicated_failover="False" dyn="False" label="" mgmt="False" security_level="0" unnum="False" unprotected="False" name="bridge0" comment="" ro="False">
|
|
<IPv4 id="id35555X5911" name="firewall109:bridge0:ip" comment="" ro="False" address="192.168.1.1" netmask="255.255.255.0"/>
|
|
<InterfaceOptions>
|
|
<Option name="enable_stp">False</Option>
|
|
<Option name="iface_configure_mtu">False</Option>
|
|
<Option name="iface_mtu">1500</Option>
|
|
<Option name="iface_options"></Option>
|
|
<Option name="type">bridge</Option>
|
|
<Option name="vlan_id">0</Option>
|
|
</InterfaceOptions>
|
|
<Interface id="id35644X5911" dedicated_failover="False" dyn="False" label="" mgmt="False" security_level="0" unnum="False" unprotected="False" name="vlan8210" comment="" ro="False">
|
|
<InterfaceOptions>
|
|
<Option name="type">ethernet</Option>
|
|
</InterfaceOptions>
|
|
</Interface>
|
|
<Interface id="id35672X5911" dedicated_failover="False" dyn="False" label="" mgmt="False" security_level="0" unnum="False" unprotected="False" name="vlan9210" comment="" ro="False">
|
|
<InterfaceOptions>
|
|
<Option name="enable_stp">False</Option>
|
|
<Option name="iface_configure_mtu">False</Option>
|
|
<Option name="iface_mtu">1500</Option>
|
|
<Option name="iface_options"></Option>
|
|
<Option name="type">ethernet</Option>
|
|
<Option name="vlan_id">0</Option>
|
|
</InterfaceOptions>
|
|
</Interface>
|
|
</Interface>
|
|
<Management address="0.0.0.0">
|
|
<SNMPManagement enabled="False" snmp_read_community="" snmp_write_community=""/>
|
|
<FWBDManagement enabled="False" identity="" port="-1"/>
|
|
<PolicyInstallScript arguments="" command="" enabled="False"/>
|
|
</Management>
|
|
<FirewallOptions>
|
|
<Option name="accept_new_tcp_with_no_syn">False</Option>
|
|
<Option name="activationCmd"></Option>
|
|
<Option name="admUser">root</Option>
|
|
<Option name="altAddress"></Option>
|
|
<Option name="check_shading">True</Option>
|
|
<Option name="cmdline">-xt</Option>
|
|
<Option name="compiler"></Option>
|
|
<Option name="conf1_file"></Option>
|
|
<Option name="conf_file_name_on_firewall">/etc/fw/path with space/pf.conf</Option>
|
|
<Option name="configure_bridge_interfaces">True</Option>
|
|
<Option name="configure_carp_interfaces">True</Option>
|
|
<Option name="configure_interfaces">True</Option>
|
|
<Option name="configure_pfsync_interfaces">True</Option>
|
|
<Option name="configure_vlan_interfaces">True</Option>
|
|
<Option name="debug">False</Option>
|
|
<Option name="epilog_script"></Option>
|
|
<Option name="fallback_log">False</Option>
|
|
<Option name="firewall_dir">/etc</Option>
|
|
<Option name="freebsd_ip_forward">1</Option>
|
|
<Option name="generate_rc_conf_file">False</Option>
|
|
<Option name="generate_shell_script">True</Option>
|
|
<Option name="ignore_empty_groups">False</Option>
|
|
<Option name="in_out_code">true</Option>
|
|
<Option name="ipv4_6_order">ipv4_first</Option>
|
|
<Option name="log_prefix">RULE %N -- %A </Option>
|
|
<Option name="loopback_interface">lo0</Option>
|
|
<Option name="manage_virtual_addr">True</Option>
|
|
<Option name="mgmt_addr">10.3.14.30</Option>
|
|
<Option name="mgmt_ssh">True</Option>
|
|
<Option name="openbsd_ip_forward">1</Option>
|
|
<Option name="output_file"></Option>
|
|
<Option name="pass_all_out">false</Option>
|
|
<Option name="pf_adaptive_end">0</Option>
|
|
<Option name="pf_adaptive_start">0</Option>
|
|
<Option name="pf_block_policy"></Option>
|
|
<Option name="pf_do_limit_frags">False</Option>
|
|
<Option name="pf_do_limit_src_nodes">False</Option>
|
|
<Option name="pf_do_limit_states">False</Option>
|
|
<Option name="pf_do_limit_table_entries">False</Option>
|
|
<Option name="pf_do_limit_tables">False</Option>
|
|
<Option name="pf_do_scrub">True</Option>
|
|
<Option name="pf_do_timeout_frag">False</Option>
|
|
<Option name="pf_do_timeout_interval">False</Option>
|
|
<Option name="pf_flush_states">False</Option>
|
|
<Option name="pf_icmp_error">0</Option>
|
|
<Option name="pf_icmp_first">0</Option>
|
|
<Option name="pf_limit_frags">5000</Option>
|
|
<Option name="pf_limit_src_nodes">0</Option>
|
|
<Option name="pf_limit_states">10000</Option>
|
|
<Option name="pf_limit_table_entries">0</Option>
|
|
<Option name="pf_limit_tables">0</Option>
|
|
<Option name="pf_modulate_state">False</Option>
|
|
<Option name="pf_optimization"></Option>
|
|
<Option name="pf_other_first">0</Option>
|
|
<Option name="pf_other_multiple">0</Option>
|
|
<Option name="pf_other_single">0</Option>
|
|
<Option name="pf_scrub_fragm_crop">False</Option>
|
|
<Option name="pf_scrub_fragm_drop_ovl">False</Option>
|
|
<Option name="pf_scrub_maxmss">1460</Option>
|
|
<Option name="pf_scrub_minttl">1</Option>
|
|
<Option name="pf_scrub_no_df">True</Option>
|
|
<Option name="pf_scrub_random_id">True</Option>
|
|
<Option name="pf_scrub_reassemble">False</Option>
|
|
<Option name="pf_scrub_reassemble_tcp">True</Option>
|
|
<Option name="pf_scrub_use_maxmss">True</Option>
|
|
<Option name="pf_scrub_use_minttl">True</Option>
|
|
<Option name="pf_set_adaptive">False</Option>
|
|
<Option name="pf_set_debug"></Option>
|
|
<Option name="pf_set_icmp_error">False</Option>
|
|
<Option name="pf_set_icmp_first">False</Option>
|
|
<Option name="pf_set_other_first">False</Option>
|
|
<Option name="pf_set_other_multiple">False</Option>
|
|
<Option name="pf_set_other_single">False</Option>
|
|
<Option name="pf_set_tcp_closed">False</Option>
|
|
<Option name="pf_set_tcp_closing">False</Option>
|
|
<Option name="pf_set_tcp_established">False</Option>
|
|
<Option name="pf_set_tcp_finwait">False</Option>
|
|
<Option name="pf_set_tcp_first">False</Option>
|
|
<Option name="pf_set_tcp_opening">False</Option>
|
|
<Option name="pf_set_udp_first">False</Option>
|
|
<Option name="pf_set_udp_multiple">False</Option>
|
|
<Option name="pf_set_udp_single">True</Option>
|
|
<Option name="pf_state_policy"></Option>
|
|
<Option name="pf_tcp_closed">0</Option>
|
|
<Option name="pf_tcp_closing">0</Option>
|
|
<Option name="pf_tcp_established">0</Option>
|
|
<Option name="pf_tcp_finwait">0</Option>
|
|
<Option name="pf_tcp_first">0</Option>
|
|
<Option name="pf_tcp_opening">0</Option>
|
|
<Option name="pf_timeout_frag">30</Option>
|
|
<Option name="pf_timeout_interval">10</Option>
|
|
<Option name="pf_udp_first">0</Option>
|
|
<Option name="pf_udp_multiple">0</Option>
|
|
<Option name="pf_udp_single">5</Option>
|
|
<Option name="prolog_place">fw_file</Option>
|
|
<Option name="prolog_script"></Option>
|
|
<Option name="scpArgs"></Option>
|
|
<Option name="script_name_on_firewall">/etc/fw/pf.fw</Option>
|
|
<Option name="sshArgs"></Option>
|
|
</FirewallOptions>
|
|
</Firewall>
|
|
<Firewall id="id35714X5911" host_OS="freebsd" inactive="False" lastCompiled="1297891451" lastInstalled="1271995582" lastModified="1297891442" platform="pf" version="4.7" name="firewall109-3" comment="complex configuration with bridge and vlan, uses vlan interfaces with names not matching vlan IDs. rc.conf format " ro="False">
|
|
<NAT id="id35789X5911" name="NAT" comment="" ro="False" ipv4_rule_set="False" ipv6_rule_set="False" top_rule_set="True">
|
|
<RuleSetOptions/>
|
|
</NAT>
|
|
<Policy id="id35758X5911" name="Policy" comment="" ro="False" ipv4_rule_set="False" ipv6_rule_set="False" top_rule_set="True">
|
|
<PolicyRule id="id35760X5911" disabled="False" group="" log="True" position="0" action="Deny" direction="Both" comment="">
|
|
<Src neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="pf_classify_str"></Option>
|
|
<Option name="stateless">True</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<RuleSetOptions/>
|
|
</Policy>
|
|
<Routing id="id35792X5911" name="Routing" comment="" ro="False" ipv4_rule_set="False" ipv6_rule_set="False" top_rule_set="True">
|
|
<RuleSetOptions/>
|
|
</Routing>
|
|
<Interface id="id35722X5911" dedicated_failover="False" dyn="False" label="" mgmt="True" security_level="100" unnum="False" unprotected="False" name="em0" comment="" ro="False">
|
|
<IPv4 id="id35725X5911" name="firewall109-3:em0:ip" comment="" ro="False" address="10.3.14.81" netmask="255.255.255.0"/>
|
|
<InterfaceOptions/>
|
|
</Interface>
|
|
<Interface id="id35727X5911" dedicated_failover="False" dyn="False" label="" mgmt="False" security_level="100" unnum="True" unprotected="False" name="em1" comment="" ro="False">
|
|
<InterfaceOptions/>
|
|
<Interface id="id35732X5911" dedicated_failover="False" dyn="False" label="" mgmt="False" security_level="0" unnum="True" unprotected="False" name="vlan9210" comment="" ro="False">
|
|
<InterfaceOptions>
|
|
<Option name="enable_stp">False</Option>
|
|
<Option name="iface_configure_mtu">False</Option>
|
|
<Option name="iface_mtu">1500</Option>
|
|
<Option name="iface_options"></Option>
|
|
<Option name="type">8021q</Option>
|
|
<Option name="vlan_id">210</Option>
|
|
</InterfaceOptions>
|
|
</Interface>
|
|
</Interface>
|
|
<Interface id="id35735X5911" dedicated_failover="False" dyn="False" label="" mgmt="False" security_level="0" unnum="True" unprotected="False" name="em2" comment="" ro="False">
|
|
<InterfaceOptions>
|
|
<Option name="type">ethernet</Option>
|
|
</InterfaceOptions>
|
|
<Interface id="id35740X5911" dedicated_failover="False" dyn="False" label="" mgmt="False" security_level="0" unnum="True" unprotected="False" name="vlan8210" comment="" ro="False">
|
|
<InterfaceOptions>
|
|
<Option name="enable_stp">False</Option>
|
|
<Option name="iface_configure_mtu">False</Option>
|
|
<Option name="iface_mtu">1500</Option>
|
|
<Option name="iface_options"></Option>
|
|
<Option name="type">8021q</Option>
|
|
<Option name="vlan_id">210</Option>
|
|
</InterfaceOptions>
|
|
</Interface>
|
|
</Interface>
|
|
<Interface id="id35743X5911" dedicated_failover="False" dyn="False" label="" mgmt="False" security_level="0" unnum="False" unprotected="False" name="bridge0" comment="" ro="False">
|
|
<IPv4 id="id35750X5911" name="firewall109-3:bridge0:ip" comment="" ro="False" address="192.168.1.1" netmask="255.255.255.0"/>
|
|
<InterfaceOptions>
|
|
<Option name="enable_stp">False</Option>
|
|
<Option name="iface_configure_mtu">False</Option>
|
|
<Option name="iface_mtu">1500</Option>
|
|
<Option name="iface_options"></Option>
|
|
<Option name="type">bridge</Option>
|
|
<Option name="vlan_id">0</Option>
|
|
</InterfaceOptions>
|
|
<Interface id="id35752X5911" dedicated_failover="False" dyn="False" label="" mgmt="False" security_level="0" unnum="False" unprotected="False" name="vlan8210" comment="" ro="False">
|
|
<InterfaceOptions>
|
|
<Option name="type">ethernet</Option>
|
|
</InterfaceOptions>
|
|
</Interface>
|
|
<Interface id="id35755X5911" dedicated_failover="False" dyn="False" label="" mgmt="False" security_level="0" unnum="False" unprotected="False" name="vlan9210" comment="" ro="False">
|
|
<InterfaceOptions>
|
|
<Option name="enable_stp">False</Option>
|
|
<Option name="iface_configure_mtu">False</Option>
|
|
<Option name="iface_mtu">1500</Option>
|
|
<Option name="iface_options"></Option>
|
|
<Option name="type">ethernet</Option>
|
|
<Option name="vlan_id">0</Option>
|
|
</InterfaceOptions>
|
|
</Interface>
|
|
</Interface>
|
|
<Management address="0.0.0.0">
|
|
<SNMPManagement enabled="False" snmp_read_community="" snmp_write_community=""/>
|
|
<FWBDManagement enabled="False" identity="" port="-1"/>
|
|
<PolicyInstallScript arguments="" command="" enabled="False"/>
|
|
</Management>
|
|
<FirewallOptions>
|
|
<Option name="accept_new_tcp_with_no_syn">False</Option>
|
|
<Option name="activationCmd"></Option>
|
|
<Option name="admUser">root</Option>
|
|
<Option name="altAddress"></Option>
|
|
<Option name="check_shading">True</Option>
|
|
<Option name="cmdline">-xt</Option>
|
|
<Option name="compiler"></Option>
|
|
<Option name="conf1_file"></Option>
|
|
<Option name="conf_file_name_on_firewall">/etc/fw/path with space/pf.conf</Option>
|
|
<Option name="configure_bridge_interfaces">True</Option>
|
|
<Option name="configure_carp_interfaces">True</Option>
|
|
<Option name="configure_interfaces">True</Option>
|
|
<Option name="configure_pfsync_interfaces">True</Option>
|
|
<Option name="configure_vlan_interfaces">True</Option>
|
|
<Option name="debug">False</Option>
|
|
<Option name="epilog_script"></Option>
|
|
<Option name="fallback_log">False</Option>
|
|
<Option name="firewall_dir">/etc</Option>
|
|
<Option name="freebsd_ip_forward">1</Option>
|
|
<Option name="generate_rc_conf_file">True</Option>
|
|
<Option name="generate_shell_script">False</Option>
|
|
<Option name="ignore_empty_groups">False</Option>
|
|
<Option name="in_out_code">true</Option>
|
|
<Option name="ipv4_6_order">ipv4_first</Option>
|
|
<Option name="log_prefix">RULE %N -- %A </Option>
|
|
<Option name="loopback_interface">lo0</Option>
|
|
<Option name="manage_virtual_addr">True</Option>
|
|
<Option name="mgmt_addr">10.3.14.30</Option>
|
|
<Option name="mgmt_ssh">True</Option>
|
|
<Option name="openbsd_ip_forward">1</Option>
|
|
<Option name="output_file"></Option>
|
|
<Option name="pass_all_out">false</Option>
|
|
<Option name="pf_adaptive_end">0</Option>
|
|
<Option name="pf_adaptive_start">0</Option>
|
|
<Option name="pf_block_policy"></Option>
|
|
<Option name="pf_do_limit_frags">False</Option>
|
|
<Option name="pf_do_limit_src_nodes">False</Option>
|
|
<Option name="pf_do_limit_states">False</Option>
|
|
<Option name="pf_do_limit_table_entries">False</Option>
|
|
<Option name="pf_do_limit_tables">False</Option>
|
|
<Option name="pf_do_scrub">True</Option>
|
|
<Option name="pf_do_timeout_frag">False</Option>
|
|
<Option name="pf_do_timeout_interval">False</Option>
|
|
<Option name="pf_flush_states">False</Option>
|
|
<Option name="pf_icmp_error">0</Option>
|
|
<Option name="pf_icmp_first">0</Option>
|
|
<Option name="pf_limit_frags">5000</Option>
|
|
<Option name="pf_limit_src_nodes">0</Option>
|
|
<Option name="pf_limit_states">10000</Option>
|
|
<Option name="pf_limit_table_entries">0</Option>
|
|
<Option name="pf_limit_tables">0</Option>
|
|
<Option name="pf_modulate_state">False</Option>
|
|
<Option name="pf_optimization"></Option>
|
|
<Option name="pf_other_first">0</Option>
|
|
<Option name="pf_other_multiple">0</Option>
|
|
<Option name="pf_other_single">0</Option>
|
|
<Option name="pf_scrub_fragm_crop">False</Option>
|
|
<Option name="pf_scrub_fragm_drop_ovl">False</Option>
|
|
<Option name="pf_scrub_maxmss">1460</Option>
|
|
<Option name="pf_scrub_minttl">1</Option>
|
|
<Option name="pf_scrub_no_df">True</Option>
|
|
<Option name="pf_scrub_random_id">True</Option>
|
|
<Option name="pf_scrub_reassemble">False</Option>
|
|
<Option name="pf_scrub_reassemble_tcp">True</Option>
|
|
<Option name="pf_scrub_use_maxmss">True</Option>
|
|
<Option name="pf_scrub_use_minttl">True</Option>
|
|
<Option name="pf_set_adaptive">False</Option>
|
|
<Option name="pf_set_debug"></Option>
|
|
<Option name="pf_set_icmp_error">False</Option>
|
|
<Option name="pf_set_icmp_first">False</Option>
|
|
<Option name="pf_set_other_first">False</Option>
|
|
<Option name="pf_set_other_multiple">False</Option>
|
|
<Option name="pf_set_other_single">False</Option>
|
|
<Option name="pf_set_tcp_closed">False</Option>
|
|
<Option name="pf_set_tcp_closing">False</Option>
|
|
<Option name="pf_set_tcp_established">False</Option>
|
|
<Option name="pf_set_tcp_finwait">False</Option>
|
|
<Option name="pf_set_tcp_first">False</Option>
|
|
<Option name="pf_set_tcp_opening">False</Option>
|
|
<Option name="pf_set_udp_first">False</Option>
|
|
<Option name="pf_set_udp_multiple">False</Option>
|
|
<Option name="pf_set_udp_single">True</Option>
|
|
<Option name="pf_state_policy"></Option>
|
|
<Option name="pf_tcp_closed">0</Option>
|
|
<Option name="pf_tcp_closing">0</Option>
|
|
<Option name="pf_tcp_established">0</Option>
|
|
<Option name="pf_tcp_finwait">0</Option>
|
|
<Option name="pf_tcp_first">0</Option>
|
|
<Option name="pf_tcp_opening">0</Option>
|
|
<Option name="pf_timeout_frag">30</Option>
|
|
<Option name="pf_timeout_interval">10</Option>
|
|
<Option name="pf_udp_first">0</Option>
|
|
<Option name="pf_udp_multiple">0</Option>
|
|
<Option name="pf_udp_single">5</Option>
|
|
<Option name="prolog_place">fw_file</Option>
|
|
<Option name="prolog_script"></Option>
|
|
<Option name="scpArgs"></Option>
|
|
<Option name="script_name_on_firewall">/etc/fw/pf.fw</Option>
|
|
<Option name="sshArgs"></Option>
|
|
</FirewallOptions>
|
|
</Firewall>
|
|
<Firewall id="id134556X19225" host_OS="freebsd" inactive="False" lastCompiled="1272404353" lastInstalled="1142003872" lastModified="1321921721" platform="pf" version="" name="firewall2-6" comment="tests for nat rules with inbound and outbound interfaces" ro="False">
|
|
<NAT id="id134616X19225" name="NAT" comment="" ro="False" ipv4_rule_set="False" ipv6_rule_set="False" top_rule_set="True">
|
|
<NATRule id="id134618X19225" disabled="False" group="" position="0" action="Translate" comment="NETMAP and no -o itf">
|
|
<OSrc neg="False">
|
|
<ObjectRef ref="net-Internal_net"/>
|
|
</OSrc>
|
|
<ODst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ODst>
|
|
<OSrv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</OSrv>
|
|
<TSrc neg="False">
|
|
<ObjectRef ref="id3B665641"/>
|
|
</TSrc>
|
|
<TDst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</TDst>
|
|
<TSrv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</TSrv>
|
|
<ItfInb neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ItfInb>
|
|
<ItfOutb neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ItfOutb>
|
|
<NATRuleOptions>
|
|
<Option name="color">#8BC065</Option>
|
|
<Option name="id"></Option>
|
|
</NATRuleOptions>
|
|
</NATRule>
|
|
<NATRule id="id134661X19225" disabled="False" group="" position="1" action="Translate" comment="">
|
|
<OSrc neg="False">
|
|
<ObjectRef ref="net-Internal_net"/>
|
|
</OSrc>
|
|
<ODst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ODst>
|
|
<OSrv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</OSrv>
|
|
<TSrc neg="False">
|
|
<ObjectRef ref="id134690X19225"/>
|
|
</TSrc>
|
|
<TDst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</TDst>
|
|
<TSrv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</TSrv>
|
|
<ItfInb neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ItfInb>
|
|
<ItfOutb neg="False">
|
|
<ObjectRef ref="id134567X19225"/>
|
|
</ItfOutb>
|
|
<NATRuleOptions>
|
|
<Option name="color">#8BC065</Option>
|
|
<Option name="id"></Option>
|
|
</NATRuleOptions>
|
|
</NATRule>
|
|
<NATRule id="id134705X19225" disabled="False" group="" position="2" action="Translate" comment="	">
|
|
<OSrc neg="False">
|
|
<ObjectRef ref="net-Internal_net"/>
|
|
</OSrc>
|
|
<ODst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ODst>
|
|
<OSrv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</OSrv>
|
|
<TSrc neg="False">
|
|
<ObjectRef ref="id134690X19225"/>
|
|
</TSrc>
|
|
<TDst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</TDst>
|
|
<TSrv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</TSrv>
|
|
<ItfInb neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ItfInb>
|
|
<ItfOutb neg="False">
|
|
<ObjectRef ref="id134570X19225"/>
|
|
</ItfOutb>
|
|
<NATRuleOptions>
|
|
<Option name="color">#8BC065</Option>
|
|
<Option name="id"></Option>
|
|
</NATRuleOptions>
|
|
</NATRule>
|
|
<NATRule id="id134748X19225" disabled="False" group="" position="3" action="Translate" comment="	">
|
|
<OSrc neg="False">
|
|
<ObjectRef ref="net-Internal_net"/>
|
|
</OSrc>
|
|
<ODst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ODst>
|
|
<OSrv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</OSrv>
|
|
<TSrc neg="False">
|
|
<ObjectRef ref="id134690X19225"/>
|
|
</TSrc>
|
|
<TDst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</TDst>
|
|
<TSrv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</TSrv>
|
|
<ItfInb neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ItfInb>
|
|
<ItfOutb neg="False">
|
|
<ObjectRef ref="id134567X19225"/>
|
|
<ObjectRef ref="id134570X19225"/>
|
|
</ItfOutb>
|
|
<NATRuleOptions>
|
|
<Option name="color">#8BC065</Option>
|
|
<Option name="id"></Option>
|
|
</NATRuleOptions>
|
|
</NATRule>
|
|
<NATRule id="id134967X19225" disabled="False" group="" position="4" action="Translate" comment="">
|
|
<OSrc neg="False">
|
|
<ObjectRef ref="net-Internal_net"/>
|
|
</OSrc>
|
|
<ODst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ODst>
|
|
<OSrv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</OSrv>
|
|
<TSrc neg="False">
|
|
<ObjectRef ref="id134690X19225"/>
|
|
</TSrc>
|
|
<TDst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</TDst>
|
|
<TSrv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</TSrv>
|
|
<ItfInb neg="False">
|
|
<ObjectRef ref="id135005X19225"/>
|
|
</ItfInb>
|
|
<ItfOutb neg="False">
|
|
<ObjectRef ref="id135011X19225"/>
|
|
</ItfOutb>
|
|
<NATRuleOptions>
|
|
<Option name="color">#8BC065</Option>
|
|
</NATRuleOptions>
|
|
</NATRule>
|
|
<NATRule id="id2090177X19225" disabled="False" group="" position="5" action="Translate" comment="	">
|
|
<OSrc neg="False">
|
|
<ObjectRef ref="net-Internal_net"/>
|
|
</OSrc>
|
|
<ODst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ODst>
|
|
<OSrv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</OSrv>
|
|
<TSrc neg="False">
|
|
<ObjectRef ref="id134690X19225"/>
|
|
</TSrc>
|
|
<TDst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</TDst>
|
|
<TSrv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</TSrv>
|
|
<ItfInb neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ItfInb>
|
|
<ItfOutb neg="True">
|
|
<ObjectRef ref="id134570X19225"/>
|
|
</ItfOutb>
|
|
<NATRuleOptions>
|
|
<Option name="color">#8BC065</Option>
|
|
<Option name="id"></Option>
|
|
</NATRuleOptions>
|
|
</NATRule>
|
|
<NATRule id="id2090090X19225" disabled="False" group="" position="6" action="Translate" comment="	">
|
|
<OSrc neg="False">
|
|
<ObjectRef ref="net-Internal_net"/>
|
|
</OSrc>
|
|
<ODst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ODst>
|
|
<OSrv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</OSrv>
|
|
<TSrc neg="False">
|
|
<ObjectRef ref="id134690X19225"/>
|
|
</TSrc>
|
|
<TDst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</TDst>
|
|
<TSrv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</TSrv>
|
|
<ItfInb neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ItfInb>
|
|
<ItfOutb neg="True">
|
|
<ObjectRef ref="id134567X19225"/>
|
|
<ObjectRef ref="id134570X19225"/>
|
|
</ItfOutb>
|
|
<NATRuleOptions>
|
|
<Option name="color">#8BC065</Option>
|
|
<Option name="id"></Option>
|
|
</NATRuleOptions>
|
|
</NATRule>
|
|
<NATRule id="id2385015X19225" disabled="False" group="" position="7" action="Translate" comment="">
|
|
<OSrc neg="False">
|
|
<ObjectRef ref="net-Internal_net"/>
|
|
</OSrc>
|
|
<ODst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ODst>
|
|
<OSrv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</OSrv>
|
|
<TSrc neg="False">
|
|
<ObjectRef ref="id134690X19225"/>
|
|
</TSrc>
|
|
<TDst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</TDst>
|
|
<TSrv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</TSrv>
|
|
<ItfInb neg="False">
|
|
<ObjectRef ref="id135005X19225"/>
|
|
</ItfInb>
|
|
<ItfOutb neg="True">
|
|
<ObjectRef ref="id135011X19225"/>
|
|
</ItfOutb>
|
|
<NATRuleOptions>
|
|
<Option name="color">#8BC065</Option>
|
|
</NATRuleOptions>
|
|
</NATRule>
|
|
<NATRule id="id135016X19225" disabled="False" group="" position="8" action="Translate" comment="">
|
|
<OSrc neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</OSrc>
|
|
<ODst neg="False">
|
|
<ObjectRef ref="id134690X19225"/>
|
|
</ODst>
|
|
<OSrv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</OSrv>
|
|
<TSrc neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</TSrc>
|
|
<TDst neg="False">
|
|
<ObjectRef ref="id135048X19225"/>
|
|
</TDst>
|
|
<TSrv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</TSrv>
|
|
<ItfInb neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ItfInb>
|
|
<ItfOutb neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ItfOutb>
|
|
<NATRuleOptions>
|
|
<Option name="color">#C0BA44</Option>
|
|
<Option name="id"></Option>
|
|
</NATRuleOptions>
|
|
</NATRule>
|
|
<NATRule id="id135190X19225" disabled="False" group="" position="9" action="Translate" comment="">
|
|
<OSrc neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</OSrc>
|
|
<ODst neg="False">
|
|
<ObjectRef ref="id134690X19225"/>
|
|
</ODst>
|
|
<OSrv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</OSrv>
|
|
<TSrc neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</TSrc>
|
|
<TDst neg="False">
|
|
<ObjectRef ref="id135048X19225"/>
|
|
</TDst>
|
|
<TSrv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</TSrv>
|
|
<ItfInb neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ItfInb>
|
|
<ItfOutb neg="False">
|
|
<ObjectRef ref="id134564X19225"/>
|
|
</ItfOutb>
|
|
<NATRuleOptions>
|
|
<Option name="color">#C0BA44</Option>
|
|
<Option name="id"></Option>
|
|
</NATRuleOptions>
|
|
</NATRule>
|
|
<NATRule id="id135320X19225" disabled="False" group="" position="10" action="Translate" comment="">
|
|
<OSrc neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</OSrc>
|
|
<ODst neg="False">
|
|
<ObjectRef ref="id134690X19225"/>
|
|
</ODst>
|
|
<OSrv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</OSrv>
|
|
<TSrc neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</TSrc>
|
|
<TDst neg="False">
|
|
<ObjectRef ref="id135048X19225"/>
|
|
</TDst>
|
|
<TSrv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</TSrv>
|
|
<ItfInb neg="False">
|
|
<ObjectRef ref="id134570X19225"/>
|
|
<ObjectRef ref="id134567X19225"/>
|
|
</ItfInb>
|
|
<ItfOutb neg="False">
|
|
<ObjectRef ref="id134564X19225"/>
|
|
<ObjectRef ref="id134573X19225"/>
|
|
</ItfOutb>
|
|
<NATRuleOptions>
|
|
<Option name="color">#C0BA44</Option>
|
|
<Option name="id"></Option>
|
|
</NATRuleOptions>
|
|
</NATRule>
|
|
<NATRule id="id135365X19225" disabled="False" group="" position="11" action="Translate" comment="">
|
|
<OSrc neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</OSrc>
|
|
<ODst neg="False">
|
|
<ObjectRef ref="id134690X19225"/>
|
|
</ODst>
|
|
<OSrv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</OSrv>
|
|
<TSrc neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</TSrc>
|
|
<TDst neg="False">
|
|
<ObjectRef ref="id135048X19225"/>
|
|
</TDst>
|
|
<TSrv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</TSrv>
|
|
<ItfInb neg="False">
|
|
<ObjectRef ref="id135011X19225"/>
|
|
</ItfInb>
|
|
<ItfOutb neg="False">
|
|
<ObjectRef ref="id135005X19225"/>
|
|
</ItfOutb>
|
|
<NATRuleOptions>
|
|
<Option name="color">#C0BA44</Option>
|
|
<Option name="id"></Option>
|
|
</NATRuleOptions>
|
|
</NATRule>
|
|
<NATRule id="id2384823X19225" disabled="False" group="" position="12" action="Translate" comment="">
|
|
<OSrc neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</OSrc>
|
|
<ODst neg="False">
|
|
<ObjectRef ref="id134690X19225"/>
|
|
</ODst>
|
|
<OSrv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</OSrv>
|
|
<TSrc neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</TSrc>
|
|
<TDst neg="False">
|
|
<ObjectRef ref="id135048X19225"/>
|
|
</TDst>
|
|
<TSrv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</TSrv>
|
|
<ItfInb neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ItfInb>
|
|
<ItfOutb neg="True">
|
|
<ObjectRef ref="id134564X19225"/>
|
|
</ItfOutb>
|
|
<NATRuleOptions>
|
|
<Option name="color">#C0BA44</Option>
|
|
<Option name="id"></Option>
|
|
</NATRuleOptions>
|
|
</NATRule>
|
|
<NATRule id="id2384735X19225" disabled="False" group="" position="13" action="Translate" comment="">
|
|
<OSrc neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</OSrc>
|
|
<ODst neg="False">
|
|
<ObjectRef ref="id134690X19225"/>
|
|
</ODst>
|
|
<OSrv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</OSrv>
|
|
<TSrc neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</TSrc>
|
|
<TDst neg="False">
|
|
<ObjectRef ref="id135048X19225"/>
|
|
</TDst>
|
|
<TSrv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</TSrv>
|
|
<ItfInb neg="False">
|
|
<ObjectRef ref="id134570X19225"/>
|
|
<ObjectRef ref="id134567X19225"/>
|
|
</ItfInb>
|
|
<ItfOutb neg="True">
|
|
<ObjectRef ref="id134564X19225"/>
|
|
<ObjectRef ref="id134573X19225"/>
|
|
</ItfOutb>
|
|
<NATRuleOptions>
|
|
<Option name="color">#C0BA44</Option>
|
|
<Option name="id"></Option>
|
|
</NATRuleOptions>
|
|
</NATRule>
|
|
<NATRule id="id2384923X19225" disabled="False" group="" position="14" action="Translate" comment="">
|
|
<OSrc neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</OSrc>
|
|
<ODst neg="False">
|
|
<ObjectRef ref="id134690X19225"/>
|
|
</ODst>
|
|
<OSrv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</OSrv>
|
|
<TSrc neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</TSrc>
|
|
<TDst neg="False">
|
|
<ObjectRef ref="id135048X19225"/>
|
|
</TDst>
|
|
<TSrv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</TSrv>
|
|
<ItfInb neg="False">
|
|
<ObjectRef ref="id135011X19225"/>
|
|
</ItfInb>
|
|
<ItfOutb neg="True">
|
|
<ObjectRef ref="id135005X19225"/>
|
|
</ItfOutb>
|
|
<NATRuleOptions>
|
|
<Option name="color">#C0BA44</Option>
|
|
<Option name="id"></Option>
|
|
</NATRuleOptions>
|
|
</NATRule>
|
|
<NATRule id="id135408X19225" disabled="False" group="" position="15" action="Translate" comment="REDIRECT ">
|
|
<OSrc neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</OSrc>
|
|
<ODst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ODst>
|
|
<OSrv neg="False">
|
|
<ServiceRef ref="tcp-HTTP"/>
|
|
</OSrv>
|
|
<TSrc neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</TSrc>
|
|
<TDst neg="False">
|
|
<ObjectRef ref="id134556X19225"/>
|
|
</TDst>
|
|
<TSrv neg="False">
|
|
<ServiceRef ref="id3B4FF09A"/>
|
|
</TSrv>
|
|
<ItfInb neg="False">
|
|
<ObjectRef ref="id134564X19225"/>
|
|
</ItfInb>
|
|
<ItfOutb neg="False">
|
|
<ObjectRef ref="id134564X19225"/>
|
|
</ItfOutb>
|
|
<NATRuleOptions>
|
|
<Option name="color">#7694C0</Option>
|
|
</NATRuleOptions>
|
|
</NATRule>
|
|
<RuleSetOptions/>
|
|
</NAT>
|
|
<Policy id="id134585X19225" name="Policy" comment="" ro="False" ipv4_rule_set="False" ipv6_rule_set="False" top_rule_set="True">
|
|
<PolicyRule id="id134587X19225" disabled="False" group="" log="True" position="0" action="Deny" direction="Both" comment="'catch all' rule">
|
|
<Src neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="id"></Option>
|
|
<Option name="pf_classify_str"></Option>
|
|
<Option name="stateless">True</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<RuleSetOptions/>
|
|
</Policy>
|
|
<Routing id="id135452X19225" name="Routing" comment="" ro="False" ipv4_rule_set="False" ipv6_rule_set="False" top_rule_set="True">
|
|
<RuleSetOptions/>
|
|
</Routing>
|
|
<Interface id="id134564X19225" dedicated_failover="False" dyn="False" label="" mgmt="True" security_level="100" unnum="False" unprotected="False" name="em0" comment="" ro="False">
|
|
<IPv4 id="id134565X19225" name="firewall2-6:em0:ip" comment="" ro="False" address="192.168.1.1" netmask="255.255.255.0"/>
|
|
<InterfaceOptions/>
|
|
</Interface>
|
|
<Interface id="id134567X19225" dedicated_failover="False" dyn="False" label="" mgmt="False" security_level="0" unnum="False" unprotected="False" name="em1" comment="" ro="False">
|
|
<IPv4 id="id134568X19225" name="firewall2-6:em1:ip" comment="" ro="False" address="222.222.222.222" netmask="255.255.255.0"/>
|
|
<InterfaceOptions/>
|
|
</Interface>
|
|
<Interface id="id134570X19225" dedicated_failover="False" dyn="False" label="" mgmt="False" security_level="0" unnum="False" unprotected="False" name="em3" comment="" ro="False">
|
|
<IPv4 id="id134571X19225" name="firewall2-6:em3:ip" comment="subnet 33.33.33.24-31" ro="False" address="33.33.33.25" netmask="255.255.255.248"/>
|
|
<InterfaceOptions/>
|
|
</Interface>
|
|
<Interface id="id134573X19225" dedicated_failover="False" dyn="False" label="" mgmt="False" security_level="100" unnum="False" unprotected="False" name="em2" comment="" ro="False">
|
|
<IPv4 id="id134574X19225" name="firewall2-6:em2:ip" comment="" ro="False" address="33.33.33.3" netmask="255.255.255.248"/>
|
|
<IPv4 id="id134575X19225" name="firewall2-6:em2:ip-1" comment="" ro="False" address="33.33.33.4" netmask="255.255.255.248"/>
|
|
<InterfaceOptions/>
|
|
</Interface>
|
|
<Interface id="id134577X19225" dedicated_failover="False" dyn="False" label="" security_level="100" unnum="False" unprotected="False" name="lo" comment="" ro="False">
|
|
<IPv4 id="id134578X19225" name="firewall2-6:lo:ip" comment="" ro="False" address="127.0.0.1" netmask="255.0.0.0"/>
|
|
<InterfaceOptions/>
|
|
</Interface>
|
|
<Management address="192.168.1.1">
|
|
<SNMPManagement enabled="False" snmp_read_community="public" snmp_write_community=""/>
|
|
<FWBDManagement enabled="True" identity="" port="9999"/>
|
|
<PolicyInstallScript arguments="" command="" enabled="False"/>
|
|
</Management>
|
|
<FirewallOptions>
|
|
<Option name="accept_established">True</Option>
|
|
<Option name="accept_new_tcp_with_no_syn">False</Option>
|
|
<Option name="action_on_reject">ICMP net unreachable</Option>
|
|
<Option name="activationCmd"></Option>
|
|
<Option name="admUser"></Option>
|
|
<Option name="altAddress"></Option>
|
|
<Option name="bridging_fw">False</Option>
|
|
<Option name="check_shading">true</Option>
|
|
<Option name="clamp_mss_to_mtu">True</Option>
|
|
<Option name="classify_mark_terminating">False</Option>
|
|
<Option name="cmdline">-xt</Option>
|
|
<Option name="compiler"></Option>
|
|
<Option name="configure_interfaces">true</Option>
|
|
<Option name="debug">False</Option>
|
|
<Option name="drop_invalid">True</Option>
|
|
<Option name="dyn_addr">False</Option>
|
|
<Option name="epilog_script"></Option>
|
|
<Option name="firewall_dir">/etc</Option>
|
|
<Option name="firewall_is_part_of_any">True</Option>
|
|
<Option name="firewall_is_part_of_any_and_networks">True</Option>
|
|
<Option name="freebsd_ip_forward">1</Option>
|
|
<Option name="id"></Option>
|
|
<Option name="ignore_empty_groups">False</Option>
|
|
<Option name="in_out_code">true</Option>
|
|
<Option name="inst_cmdline"></Option>
|
|
<Option name="inst_script"></Option>
|
|
<Option name="install_script"></Option>
|
|
<Option name="ipv4_6_order">ipv4_first</Option>
|
|
<Option name="limit_suffix">/second</Option>
|
|
<Option name="limit_value">5</Option>
|
|
<Option name="linux24_accept_redirects">0</Option>
|
|
<Option name="linux24_accept_source_route">0</Option>
|
|
<Option name="linux24_icmp_echo_ignore_all">1</Option>
|
|
<Option name="linux24_icmp_echo_ignore_broadcasts"></Option>
|
|
<Option name="linux24_icmp_ignore_bogus_error_responses">1</Option>
|
|
<Option name="linux24_ip_dynaddr"></Option>
|
|
<Option name="linux24_ip_forward">1</Option>
|
|
<Option name="linux24_log_martians">1</Option>
|
|
<Option name="linux24_path_ip"></Option>
|
|
<Option name="linux24_path_iptables"></Option>
|
|
<Option name="linux24_path_logger"></Option>
|
|
<Option name="linux24_path_lsmod"></Option>
|
|
<Option name="linux24_path_modprobe"></Option>
|
|
<Option name="linux24_rp_filter">1</Option>
|
|
<Option name="linux24_tcp_ecn"></Option>
|
|
<Option name="linux24_tcp_fack"></Option>
|
|
<Option name="linux24_tcp_fin_timeout">30</Option>
|
|
<Option name="linux24_tcp_keepalive_interval">1800</Option>
|
|
<Option name="linux24_tcp_sack"></Option>
|
|
<Option name="linux24_tcp_syncookies"></Option>
|
|
<Option name="linux24_tcp_timestamps"></Option>
|
|
<Option name="linux24_tcp_window_scaling"></Option>
|
|
<Option name="load_modules">False</Option>
|
|
<Option name="local_nat">True</Option>
|
|
<Option name="log_all">False</Option>
|
|
<Option name="log_all_dropped">True</Option>
|
|
<Option name="log_invalid">True</Option>
|
|
<Option name="log_ip_opt">False</Option>
|
|
<Option name="log_level">debug</Option>
|
|
<Option name="log_limit_suffix">/second</Option>
|
|
<Option name="log_limit_value">0</Option>
|
|
<Option name="log_prefix">RULE %N -- %A </Option>
|
|
<Option name="log_tcp_opt">False</Option>
|
|
<Option name="log_tcp_seq">False</Option>
|
|
<Option name="loopback_interface">lo0</Option>
|
|
<Option name="manage_virtual_addr">true</Option>
|
|
<Option name="mgmt_addr"></Option>
|
|
<Option name="mgmt_ssh">False</Option>
|
|
<Option name="no_iochains_for_any">False</Option>
|
|
<Option name="no_ipv6_default_policy">False</Option>
|
|
<Option name="no_optimisation">False</Option>
|
|
<Option name="openbsd_ip_forward">1</Option>
|
|
<Option name="output_file"></Option>
|
|
<Option name="pass_all_out">false</Option>
|
|
<Option name="pf_limit_frags">5000</Option>
|
|
<Option name="pf_limit_states">10000</Option>
|
|
<Option name="pf_scrub_maxmss">1460</Option>
|
|
<Option name="pf_timeout_frag">30</Option>
|
|
<Option name="pf_timeout_interval">10</Option>
|
|
<Option name="platform">iptables</Option>
|
|
<Option name="prolog_place">after_flush</Option>
|
|
<Option name="prolog_script"></Option>
|
|
<Option name="proxy_arp">True</Option>
|
|
<Option name="scpArgs"></Option>
|
|
<Option name="script_env_path"></Option>
|
|
<Option name="snmp_contact"></Option>
|
|
<Option name="snmp_description"></Option>
|
|
<Option name="snmp_location"></Option>
|
|
<Option name="sshArgs"></Option>
|
|
<Option name="ulog_cprange">0</Option>
|
|
<Option name="ulog_nlgroup">1</Option>
|
|
<Option name="ulog_qthreshold">1</Option>
|
|
<Option name="useULOG">False</Option>
|
|
<Option name="use_ULOG">True</Option>
|
|
<Option name="use_ip_tool">True</Option>
|
|
<Option name="use_iptables_restore">False</Option>
|
|
<Option name="use_numeric_log_levels">False</Option>
|
|
<Option name="verify_interfaces">False</Option>
|
|
</FirewallOptions>
|
|
</Firewall>
|
|
<Firewall id="id39552X32371" host_OS="freebsd" inactive="False" lastCompiled="1297645524" lastInstalled="0" lastModified="1305063598" platform="pf" version="4.0" name="firewall111" comment="testing rules with options tag, classify and route and combinations " ro="False">
|
|
<NAT id="id39665X32371" name="NAT" comment="" ro="False" ipv4_rule_set="False" ipv6_rule_set="False" top_rule_set="True">
|
|
<RuleSetOptions/>
|
|
</NAT>
|
|
<Policy id="id39578X32371" name="Policy" comment="" ro="False" ipv4_rule_set="False" ipv6_rule_set="False" top_rule_set="True">
|
|
<PolicyRule id="id39580X32371" disabled="False" group="tag" log="False" position="0" action="Continue" direction="Both" comment="">
|
|
<Src neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="action_on_reject"></Option>
|
|
<Option name="classification">False</Option>
|
|
<Option name="classify_str"></Option>
|
|
<Option name="color">#C0BA44</Option>
|
|
<Option name="custom_str"></Option>
|
|
<Option name="ipf_route_opt_addr"></Option>
|
|
<Option name="ipf_route_opt_if"></Option>
|
|
<Option name="ipf_route_option">route_reply_through</Option>
|
|
<Option name="ipfw_classify_method">2</Option>
|
|
<Option name="ipfw_pipe_port_num">0</Option>
|
|
<Option name="ipfw_pipe_queue_num">0</Option>
|
|
<Option name="ipt_continue">False</Option>
|
|
<Option name="ipt_gw"></Option>
|
|
<Option name="ipt_iif"></Option>
|
|
<Option name="ipt_mark_connections">False</Option>
|
|
<Option name="ipt_oif"></Option>
|
|
<Option name="ipt_tee">False</Option>
|
|
<Option name="log_prefix"></Option>
|
|
<Option name="pf_classify_str"></Option>
|
|
<Option name="pf_fastroute">False</Option>
|
|
<Option name="pf_keep_state">False</Option>
|
|
<Option name="pf_max_src_conn">0</Option>
|
|
<Option name="pf_max_src_conn_flush">False</Option>
|
|
<Option name="pf_max_src_conn_global">False</Option>
|
|
<Option name="pf_max_src_conn_overload_table"></Option>
|
|
<Option name="pf_max_src_conn_rate_num">0</Option>
|
|
<Option name="pf_max_src_conn_rate_seconds">0</Option>
|
|
<Option name="pf_max_src_nodes">0</Option>
|
|
<Option name="pf_max_src_states">0</Option>
|
|
<Option name="pf_modulate_state">False</Option>
|
|
<Option name="pf_no_sync">False</Option>
|
|
<Option name="pf_pflow">False</Option>
|
|
<Option name="pf_route_load_option">none</Option>
|
|
<Option name="pf_route_opt_addr"></Option>
|
|
<Option name="pf_route_opt_if"></Option>
|
|
<Option name="pf_route_option">none</Option>
|
|
<Option name="pf_rule_max_state">0</Option>
|
|
<Option name="pf_sloppy_tracker">False</Option>
|
|
<Option name="pf_source_tracking">False</Option>
|
|
<Option name="pf_synproxy">False</Option>
|
|
<Option name="routing">False</Option>
|
|
<Option name="rule_name_accounting"></Option>
|
|
<Option name="stateless">True</Option>
|
|
<Option name="tagging">True</Option>
|
|
<Option name="tagobject_id">id1391120443</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<PolicyRule id="id697332X32371" disabled="False" group="tag" log="False" position="1" action="Continue" direction="Both" comment="">
|
|
<Src neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="action_on_reject"></Option>
|
|
<Option name="classification">False</Option>
|
|
<Option name="classify_str"></Option>
|
|
<Option name="color">#C0BA44</Option>
|
|
<Option name="custom_str"></Option>
|
|
<Option name="ipf_route_opt_addr"></Option>
|
|
<Option name="ipf_route_opt_if"></Option>
|
|
<Option name="ipf_route_option">route_reply_through</Option>
|
|
<Option name="ipfw_classify_method">2</Option>
|
|
<Option name="ipfw_pipe_port_num">0</Option>
|
|
<Option name="ipfw_pipe_queue_num">0</Option>
|
|
<Option name="ipt_continue">False</Option>
|
|
<Option name="ipt_gw"></Option>
|
|
<Option name="ipt_iif"></Option>
|
|
<Option name="ipt_mark_connections">False</Option>
|
|
<Option name="ipt_oif"></Option>
|
|
<Option name="ipt_tee">False</Option>
|
|
<Option name="log_prefix"></Option>
|
|
<Option name="pf_classify_str"></Option>
|
|
<Option name="pf_fastroute">False</Option>
|
|
<Option name="pf_keep_state">False</Option>
|
|
<Option name="pf_max_src_conn">0</Option>
|
|
<Option name="pf_max_src_conn_flush">False</Option>
|
|
<Option name="pf_max_src_conn_global">False</Option>
|
|
<Option name="pf_max_src_conn_overload_table"></Option>
|
|
<Option name="pf_max_src_conn_rate_num">0</Option>
|
|
<Option name="pf_max_src_conn_rate_seconds">0</Option>
|
|
<Option name="pf_max_src_nodes">0</Option>
|
|
<Option name="pf_max_src_states">0</Option>
|
|
<Option name="pf_modulate_state">False</Option>
|
|
<Option name="pf_no_sync">False</Option>
|
|
<Option name="pf_pflow">False</Option>
|
|
<Option name="pf_route_load_option">none</Option>
|
|
<Option name="pf_route_opt_addr"></Option>
|
|
<Option name="pf_route_opt_if"></Option>
|
|
<Option name="pf_route_option">none</Option>
|
|
<Option name="pf_rule_max_state">0</Option>
|
|
<Option name="pf_sloppy_tracker">False</Option>
|
|
<Option name="pf_source_tracking">False</Option>
|
|
<Option name="pf_synproxy">False</Option>
|
|
<Option name="routing">False</Option>
|
|
<Option name="rule_name_accounting"></Option>
|
|
<Option name="stateless">False</Option>
|
|
<Option name="tagging">True</Option>
|
|
<Option name="tagobject_id">id1391120443</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<PolicyRule id="id64755X32371" disabled="False" group="tag" log="False" position="2" action="Accept" direction="Both" comment="">
|
|
<Src neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="action_on_reject"></Option>
|
|
<Option name="classification">False</Option>
|
|
<Option name="classify_str"></Option>
|
|
<Option name="color">#C0BA44</Option>
|
|
<Option name="custom_str"></Option>
|
|
<Option name="ipf_route_opt_addr"></Option>
|
|
<Option name="ipf_route_opt_if"></Option>
|
|
<Option name="ipf_route_option">route_reply_through</Option>
|
|
<Option name="ipfw_classify_method">2</Option>
|
|
<Option name="ipfw_pipe_port_num">0</Option>
|
|
<Option name="ipfw_pipe_queue_num">0</Option>
|
|
<Option name="ipt_continue">False</Option>
|
|
<Option name="ipt_gw"></Option>
|
|
<Option name="ipt_iif"></Option>
|
|
<Option name="ipt_mark_connections">False</Option>
|
|
<Option name="ipt_oif"></Option>
|
|
<Option name="ipt_tee">False</Option>
|
|
<Option name="log_prefix"></Option>
|
|
<Option name="pf_classify_str"></Option>
|
|
<Option name="pf_fastroute">False</Option>
|
|
<Option name="pf_keep_state">False</Option>
|
|
<Option name="pf_max_src_conn">0</Option>
|
|
<Option name="pf_max_src_conn_flush">False</Option>
|
|
<Option name="pf_max_src_conn_global">False</Option>
|
|
<Option name="pf_max_src_conn_overload_table"></Option>
|
|
<Option name="pf_max_src_conn_rate_num">0</Option>
|
|
<Option name="pf_max_src_conn_rate_seconds">0</Option>
|
|
<Option name="pf_max_src_nodes">0</Option>
|
|
<Option name="pf_max_src_states">0</Option>
|
|
<Option name="pf_modulate_state">False</Option>
|
|
<Option name="pf_no_sync">False</Option>
|
|
<Option name="pf_pflow">False</Option>
|
|
<Option name="pf_route_load_option">none</Option>
|
|
<Option name="pf_route_opt_addr"></Option>
|
|
<Option name="pf_route_opt_if"></Option>
|
|
<Option name="pf_route_option">none</Option>
|
|
<Option name="pf_rule_max_state">0</Option>
|
|
<Option name="pf_sloppy_tracker">False</Option>
|
|
<Option name="pf_source_tracking">False</Option>
|
|
<Option name="pf_synproxy">False</Option>
|
|
<Option name="routing">False</Option>
|
|
<Option name="rule_name_accounting"></Option>
|
|
<Option name="stateless">False</Option>
|
|
<Option name="tagging">True</Option>
|
|
<Option name="tagobject_id">id1391120443</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<PolicyRule id="id799448X32371" disabled="False" group="tag" log="False" position="3" action="Accept" direction="Both" comment="">
|
|
<Src neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="action_on_reject"></Option>
|
|
<Option name="classification">False</Option>
|
|
<Option name="classify_str"></Option>
|
|
<Option name="color">#C0BA44</Option>
|
|
<Option name="custom_str"></Option>
|
|
<Option name="ipf_route_opt_addr"></Option>
|
|
<Option name="ipf_route_opt_if"></Option>
|
|
<Option name="ipf_route_option">route_reply_through</Option>
|
|
<Option name="ipfw_classify_method">2</Option>
|
|
<Option name="ipfw_pipe_port_num">0</Option>
|
|
<Option name="ipfw_pipe_queue_num">0</Option>
|
|
<Option name="ipt_continue">False</Option>
|
|
<Option name="ipt_gw"></Option>
|
|
<Option name="ipt_iif"></Option>
|
|
<Option name="ipt_mark_connections">False</Option>
|
|
<Option name="ipt_oif"></Option>
|
|
<Option name="ipt_tee">False</Option>
|
|
<Option name="log_prefix"></Option>
|
|
<Option name="pf_classify_str"></Option>
|
|
<Option name="pf_fastroute">False</Option>
|
|
<Option name="pf_keep_state">False</Option>
|
|
<Option name="pf_max_src_conn">0</Option>
|
|
<Option name="pf_max_src_conn_flush">False</Option>
|
|
<Option name="pf_max_src_conn_global">False</Option>
|
|
<Option name="pf_max_src_conn_overload_table"></Option>
|
|
<Option name="pf_max_src_conn_rate_num">0</Option>
|
|
<Option name="pf_max_src_conn_rate_seconds">0</Option>
|
|
<Option name="pf_max_src_nodes">0</Option>
|
|
<Option name="pf_max_src_states">0</Option>
|
|
<Option name="pf_modulate_state">False</Option>
|
|
<Option name="pf_no_sync">False</Option>
|
|
<Option name="pf_pflow">False</Option>
|
|
<Option name="pf_route_load_option">none</Option>
|
|
<Option name="pf_route_opt_addr"></Option>
|
|
<Option name="pf_route_opt_if"></Option>
|
|
<Option name="pf_route_option">none</Option>
|
|
<Option name="pf_rule_max_state">0</Option>
|
|
<Option name="pf_sloppy_tracker">False</Option>
|
|
<Option name="pf_source_tracking">False</Option>
|
|
<Option name="pf_synproxy">False</Option>
|
|
<Option name="routing">False</Option>
|
|
<Option name="rule_name_accounting"></Option>
|
|
<Option name="stateless">True</Option>
|
|
<Option name="tagging">True</Option>
|
|
<Option name="tagobject_id">id1391120443</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<PolicyRule id="id114721X32371" disabled="False" group="tag" log="False" position="4" action="Accounting" direction="Both" comment="">
|
|
<Src neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="action_on_reject"></Option>
|
|
<Option name="classification">False</Option>
|
|
<Option name="classify_str"></Option>
|
|
<Option name="color">#C0BA44</Option>
|
|
<Option name="custom_str"></Option>
|
|
<Option name="ipf_route_opt_addr"></Option>
|
|
<Option name="ipf_route_opt_if"></Option>
|
|
<Option name="ipf_route_option">route_reply_through</Option>
|
|
<Option name="ipfw_classify_method">2</Option>
|
|
<Option name="ipfw_pipe_port_num">0</Option>
|
|
<Option name="ipfw_pipe_queue_num">0</Option>
|
|
<Option name="ipt_continue">False</Option>
|
|
<Option name="ipt_gw"></Option>
|
|
<Option name="ipt_iif"></Option>
|
|
<Option name="ipt_mark_connections">False</Option>
|
|
<Option name="ipt_oif"></Option>
|
|
<Option name="ipt_tee">False</Option>
|
|
<Option name="log_prefix"></Option>
|
|
<Option name="pf_classify_str"></Option>
|
|
<Option name="pf_fastroute">False</Option>
|
|
<Option name="pf_keep_state">False</Option>
|
|
<Option name="pf_max_src_conn">0</Option>
|
|
<Option name="pf_max_src_conn_flush">False</Option>
|
|
<Option name="pf_max_src_conn_global">False</Option>
|
|
<Option name="pf_max_src_conn_overload_table"></Option>
|
|
<Option name="pf_max_src_conn_rate_num">0</Option>
|
|
<Option name="pf_max_src_conn_rate_seconds">0</Option>
|
|
<Option name="pf_max_src_nodes">0</Option>
|
|
<Option name="pf_max_src_states">0</Option>
|
|
<Option name="pf_modulate_state">False</Option>
|
|
<Option name="pf_no_sync">False</Option>
|
|
<Option name="pf_pflow">False</Option>
|
|
<Option name="pf_route_load_option">none</Option>
|
|
<Option name="pf_route_opt_addr"></Option>
|
|
<Option name="pf_route_opt_if"></Option>
|
|
<Option name="pf_route_option">none</Option>
|
|
<Option name="pf_rule_max_state">0</Option>
|
|
<Option name="pf_sloppy_tracker">False</Option>
|
|
<Option name="pf_source_tracking">False</Option>
|
|
<Option name="pf_synproxy">False</Option>
|
|
<Option name="routing">False</Option>
|
|
<Option name="rule_name_accounting"></Option>
|
|
<Option name="stateless">True</Option>
|
|
<Option name="tagging">True</Option>
|
|
<Option name="tagobject_id">id1391120443</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<PolicyRule id="id164799X32371" disabled="False" group="tag" log="False" position="5" action="Branch" direction="Both" comment="">
|
|
<Src neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="action_on_reject"></Option>
|
|
<Option name="branch_id">id164851X32371</Option>
|
|
<Option name="classification">False</Option>
|
|
<Option name="classify_str"></Option>
|
|
<Option name="color">#C0BA44</Option>
|
|
<Option name="custom_str"></Option>
|
|
<Option name="ipf_route_opt_addr"></Option>
|
|
<Option name="ipf_route_opt_if"></Option>
|
|
<Option name="ipf_route_option">route_reply_through</Option>
|
|
<Option name="ipfw_classify_method">2</Option>
|
|
<Option name="ipfw_pipe_port_num">0</Option>
|
|
<Option name="ipfw_pipe_queue_num">0</Option>
|
|
<Option name="ipt_continue">False</Option>
|
|
<Option name="ipt_gw"></Option>
|
|
<Option name="ipt_iif"></Option>
|
|
<Option name="ipt_mark_connections">False</Option>
|
|
<Option name="ipt_oif"></Option>
|
|
<Option name="ipt_tee">False</Option>
|
|
<Option name="log_prefix"></Option>
|
|
<Option name="pf_classify_str"></Option>
|
|
<Option name="pf_fastroute">False</Option>
|
|
<Option name="pf_keep_state">False</Option>
|
|
<Option name="pf_max_src_conn">0</Option>
|
|
<Option name="pf_max_src_conn_flush">False</Option>
|
|
<Option name="pf_max_src_conn_global">False</Option>
|
|
<Option name="pf_max_src_conn_overload_table"></Option>
|
|
<Option name="pf_max_src_conn_rate_num">0</Option>
|
|
<Option name="pf_max_src_conn_rate_seconds">0</Option>
|
|
<Option name="pf_max_src_nodes">0</Option>
|
|
<Option name="pf_max_src_states">0</Option>
|
|
<Option name="pf_modulate_state">False</Option>
|
|
<Option name="pf_no_sync">False</Option>
|
|
<Option name="pf_pflow">False</Option>
|
|
<Option name="pf_route_load_option">none</Option>
|
|
<Option name="pf_route_opt_addr"></Option>
|
|
<Option name="pf_route_opt_if"></Option>
|
|
<Option name="pf_route_option">none</Option>
|
|
<Option name="pf_rule_max_state">0</Option>
|
|
<Option name="pf_sloppy_tracker">False</Option>
|
|
<Option name="pf_source_tracking">False</Option>
|
|
<Option name="pf_synproxy">False</Option>
|
|
<Option name="routing">False</Option>
|
|
<Option name="rule_name_accounting"></Option>
|
|
<Option name="stateless">True</Option>
|
|
<Option name="tagging">True</Option>
|
|
<Option name="tagobject_id">id1391120443</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<PolicyRule id="id39608X32371" disabled="False" group="classify" log="False" position="6" action="Continue" direction="Both" comment="">
|
|
<Src neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="action_on_reject"></Option>
|
|
<Option name="classification">True</Option>
|
|
<Option name="classify_str">ssh_q</Option>
|
|
<Option name="color">#8BC065</Option>
|
|
<Option name="custom_str"></Option>
|
|
<Option name="ipf_route_opt_addr"></Option>
|
|
<Option name="ipf_route_opt_if"></Option>
|
|
<Option name="ipf_route_option">route_reply_through</Option>
|
|
<Option name="ipfw_classify_method">2</Option>
|
|
<Option name="ipfw_pipe_port_num">0</Option>
|
|
<Option name="ipfw_pipe_queue_num">0</Option>
|
|
<Option name="ipt_continue">False</Option>
|
|
<Option name="ipt_gw"></Option>
|
|
<Option name="ipt_iif"></Option>
|
|
<Option name="ipt_mark_connections">False</Option>
|
|
<Option name="ipt_oif"></Option>
|
|
<Option name="ipt_tee">False</Option>
|
|
<Option name="log_prefix"></Option>
|
|
<Option name="pf_classify_str">ssh_q</Option>
|
|
<Option name="pf_fastroute">False</Option>
|
|
<Option name="pf_keep_state">False</Option>
|
|
<Option name="pf_max_src_conn">0</Option>
|
|
<Option name="pf_max_src_conn_flush">False</Option>
|
|
<Option name="pf_max_src_conn_global">False</Option>
|
|
<Option name="pf_max_src_conn_overload_table"></Option>
|
|
<Option name="pf_max_src_conn_rate_num">0</Option>
|
|
<Option name="pf_max_src_conn_rate_seconds">0</Option>
|
|
<Option name="pf_max_src_nodes">0</Option>
|
|
<Option name="pf_max_src_states">0</Option>
|
|
<Option name="pf_modulate_state">False</Option>
|
|
<Option name="pf_no_sync">False</Option>
|
|
<Option name="pf_pflow">False</Option>
|
|
<Option name="pf_route_load_option">none</Option>
|
|
<Option name="pf_route_opt_addr"></Option>
|
|
<Option name="pf_route_opt_if"></Option>
|
|
<Option name="pf_route_option">none</Option>
|
|
<Option name="pf_rule_max_state">0</Option>
|
|
<Option name="pf_sloppy_tracker">False</Option>
|
|
<Option name="pf_source_tracking">False</Option>
|
|
<Option name="pf_synproxy">False</Option>
|
|
<Option name="routing">False</Option>
|
|
<Option name="rule_name_accounting"></Option>
|
|
<Option name="stateless">True</Option>
|
|
<Option name="tagging">False</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<PolicyRule id="id825093X32371" disabled="False" group="classify" log="False" position="7" action="Continue" direction="Both" comment="">
|
|
<Src neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="action_on_reject"></Option>
|
|
<Option name="classification">True</Option>
|
|
<Option name="classify_str">ssh_q</Option>
|
|
<Option name="color">#8BC065</Option>
|
|
<Option name="custom_str"></Option>
|
|
<Option name="ipf_route_opt_addr"></Option>
|
|
<Option name="ipf_route_opt_if"></Option>
|
|
<Option name="ipf_route_option">route_reply_through</Option>
|
|
<Option name="ipfw_classify_method">2</Option>
|
|
<Option name="ipfw_pipe_port_num">0</Option>
|
|
<Option name="ipfw_pipe_queue_num">0</Option>
|
|
<Option name="ipt_continue">False</Option>
|
|
<Option name="ipt_gw"></Option>
|
|
<Option name="ipt_iif"></Option>
|
|
<Option name="ipt_mark_connections">False</Option>
|
|
<Option name="ipt_oif"></Option>
|
|
<Option name="ipt_tee">False</Option>
|
|
<Option name="log_prefix"></Option>
|
|
<Option name="pf_classify_str">ssh_q</Option>
|
|
<Option name="pf_fastroute">False</Option>
|
|
<Option name="pf_keep_state">False</Option>
|
|
<Option name="pf_max_src_conn">0</Option>
|
|
<Option name="pf_max_src_conn_flush">False</Option>
|
|
<Option name="pf_max_src_conn_global">False</Option>
|
|
<Option name="pf_max_src_conn_overload_table"></Option>
|
|
<Option name="pf_max_src_conn_rate_num">0</Option>
|
|
<Option name="pf_max_src_conn_rate_seconds">0</Option>
|
|
<Option name="pf_max_src_nodes">0</Option>
|
|
<Option name="pf_max_src_states">0</Option>
|
|
<Option name="pf_modulate_state">False</Option>
|
|
<Option name="pf_no_sync">False</Option>
|
|
<Option name="pf_pflow">False</Option>
|
|
<Option name="pf_route_load_option">none</Option>
|
|
<Option name="pf_route_opt_addr"></Option>
|
|
<Option name="pf_route_opt_if"></Option>
|
|
<Option name="pf_route_option">none</Option>
|
|
<Option name="pf_rule_max_state">0</Option>
|
|
<Option name="pf_sloppy_tracker">False</Option>
|
|
<Option name="pf_source_tracking">False</Option>
|
|
<Option name="pf_synproxy">False</Option>
|
|
<Option name="routing">False</Option>
|
|
<Option name="rule_name_accounting"></Option>
|
|
<Option name="stateless">False</Option>
|
|
<Option name="tagging">False</Option>
|
|
<Option name="tagobject_id"></Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<PolicyRule id="id190018X32371" disabled="False" group="classify" log="False" position="8" action="Accept" direction="Both" comment="">
|
|
<Src neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="action_on_reject"></Option>
|
|
<Option name="classification">True</Option>
|
|
<Option name="classify_str">ssh_q</Option>
|
|
<Option name="color">#8BC065</Option>
|
|
<Option name="custom_str"></Option>
|
|
<Option name="ipf_route_opt_addr"></Option>
|
|
<Option name="ipf_route_opt_if"></Option>
|
|
<Option name="ipf_route_option">route_reply_through</Option>
|
|
<Option name="ipfw_classify_method">2</Option>
|
|
<Option name="ipfw_pipe_port_num">0</Option>
|
|
<Option name="ipfw_pipe_queue_num">0</Option>
|
|
<Option name="ipt_continue">False</Option>
|
|
<Option name="ipt_gw"></Option>
|
|
<Option name="ipt_iif"></Option>
|
|
<Option name="ipt_mark_connections">False</Option>
|
|
<Option name="ipt_oif"></Option>
|
|
<Option name="ipt_tee">False</Option>
|
|
<Option name="log_prefix"></Option>
|
|
<Option name="pf_classify_str">ssh_q</Option>
|
|
<Option name="pf_fastroute">False</Option>
|
|
<Option name="pf_keep_state">False</Option>
|
|
<Option name="pf_max_src_conn">0</Option>
|
|
<Option name="pf_max_src_conn_flush">False</Option>
|
|
<Option name="pf_max_src_conn_global">False</Option>
|
|
<Option name="pf_max_src_conn_overload_table"></Option>
|
|
<Option name="pf_max_src_conn_rate_num">0</Option>
|
|
<Option name="pf_max_src_conn_rate_seconds">0</Option>
|
|
<Option name="pf_max_src_nodes">0</Option>
|
|
<Option name="pf_max_src_states">0</Option>
|
|
<Option name="pf_modulate_state">False</Option>
|
|
<Option name="pf_no_sync">False</Option>
|
|
<Option name="pf_pflow">False</Option>
|
|
<Option name="pf_route_load_option">none</Option>
|
|
<Option name="pf_route_opt_addr"></Option>
|
|
<Option name="pf_route_opt_if"></Option>
|
|
<Option name="pf_route_option">none</Option>
|
|
<Option name="pf_rule_max_state">0</Option>
|
|
<Option name="pf_sloppy_tracker">False</Option>
|
|
<Option name="pf_source_tracking">False</Option>
|
|
<Option name="pf_synproxy">False</Option>
|
|
<Option name="routing">False</Option>
|
|
<Option name="rule_name_accounting"></Option>
|
|
<Option name="stateless">False</Option>
|
|
<Option name="tagging">False</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<PolicyRule id="id825173X32371" disabled="False" group="classify" log="False" position="9" action="Accept" direction="Both" comment="">
|
|
<Src neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="action_on_reject"></Option>
|
|
<Option name="classification">True</Option>
|
|
<Option name="classify_str">ssh_q</Option>
|
|
<Option name="color">#8BC065</Option>
|
|
<Option name="custom_str"></Option>
|
|
<Option name="ipf_route_opt_addr"></Option>
|
|
<Option name="ipf_route_opt_if"></Option>
|
|
<Option name="ipf_route_option">route_reply_through</Option>
|
|
<Option name="ipfw_classify_method">2</Option>
|
|
<Option name="ipfw_pipe_port_num">0</Option>
|
|
<Option name="ipfw_pipe_queue_num">0</Option>
|
|
<Option name="ipt_continue">False</Option>
|
|
<Option name="ipt_gw"></Option>
|
|
<Option name="ipt_iif"></Option>
|
|
<Option name="ipt_mark_connections">False</Option>
|
|
<Option name="ipt_oif"></Option>
|
|
<Option name="ipt_tee">False</Option>
|
|
<Option name="log_prefix"></Option>
|
|
<Option name="pf_classify_str">ssh_q</Option>
|
|
<Option name="pf_fastroute">False</Option>
|
|
<Option name="pf_keep_state">False</Option>
|
|
<Option name="pf_max_src_conn">0</Option>
|
|
<Option name="pf_max_src_conn_flush">False</Option>
|
|
<Option name="pf_max_src_conn_global">False</Option>
|
|
<Option name="pf_max_src_conn_overload_table"></Option>
|
|
<Option name="pf_max_src_conn_rate_num">0</Option>
|
|
<Option name="pf_max_src_conn_rate_seconds">0</Option>
|
|
<Option name="pf_max_src_nodes">0</Option>
|
|
<Option name="pf_max_src_states">0</Option>
|
|
<Option name="pf_modulate_state">False</Option>
|
|
<Option name="pf_no_sync">False</Option>
|
|
<Option name="pf_pflow">False</Option>
|
|
<Option name="pf_route_load_option">none</Option>
|
|
<Option name="pf_route_opt_addr"></Option>
|
|
<Option name="pf_route_opt_if"></Option>
|
|
<Option name="pf_route_option">none</Option>
|
|
<Option name="pf_rule_max_state">0</Option>
|
|
<Option name="pf_sloppy_tracker">False</Option>
|
|
<Option name="pf_source_tracking">False</Option>
|
|
<Option name="pf_synproxy">False</Option>
|
|
<Option name="routing">False</Option>
|
|
<Option name="rule_name_accounting"></Option>
|
|
<Option name="stateless">True</Option>
|
|
<Option name="tagging">False</Option>
|
|
<Option name="tagobject_id"></Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<PolicyRule id="id190074X32371" disabled="False" group="classify" log="False" position="10" action="Accounting" direction="Both" comment="">
|
|
<Src neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="action_on_reject"></Option>
|
|
<Option name="classification">True</Option>
|
|
<Option name="classify_str">ssh_q</Option>
|
|
<Option name="color">#8BC065</Option>
|
|
<Option name="custom_str"></Option>
|
|
<Option name="ipf_route_opt_addr"></Option>
|
|
<Option name="ipf_route_opt_if"></Option>
|
|
<Option name="ipf_route_option">route_reply_through</Option>
|
|
<Option name="ipfw_classify_method">2</Option>
|
|
<Option name="ipfw_pipe_port_num">0</Option>
|
|
<Option name="ipfw_pipe_queue_num">0</Option>
|
|
<Option name="ipt_continue">False</Option>
|
|
<Option name="ipt_gw"></Option>
|
|
<Option name="ipt_iif"></Option>
|
|
<Option name="ipt_mark_connections">False</Option>
|
|
<Option name="ipt_oif"></Option>
|
|
<Option name="ipt_tee">False</Option>
|
|
<Option name="log_prefix"></Option>
|
|
<Option name="pf_classify_str">ssh_q</Option>
|
|
<Option name="pf_fastroute">False</Option>
|
|
<Option name="pf_keep_state">False</Option>
|
|
<Option name="pf_max_src_conn">0</Option>
|
|
<Option name="pf_max_src_conn_flush">False</Option>
|
|
<Option name="pf_max_src_conn_global">False</Option>
|
|
<Option name="pf_max_src_conn_overload_table"></Option>
|
|
<Option name="pf_max_src_conn_rate_num">0</Option>
|
|
<Option name="pf_max_src_conn_rate_seconds">0</Option>
|
|
<Option name="pf_max_src_nodes">0</Option>
|
|
<Option name="pf_max_src_states">0</Option>
|
|
<Option name="pf_modulate_state">False</Option>
|
|
<Option name="pf_no_sync">False</Option>
|
|
<Option name="pf_pflow">False</Option>
|
|
<Option name="pf_route_load_option">none</Option>
|
|
<Option name="pf_route_opt_addr"></Option>
|
|
<Option name="pf_route_opt_if"></Option>
|
|
<Option name="pf_route_option">none</Option>
|
|
<Option name="pf_rule_max_state">0</Option>
|
|
<Option name="pf_sloppy_tracker">False</Option>
|
|
<Option name="pf_source_tracking">False</Option>
|
|
<Option name="pf_synproxy">False</Option>
|
|
<Option name="routing">False</Option>
|
|
<Option name="rule_name_accounting"></Option>
|
|
<Option name="stateless">True</Option>
|
|
<Option name="tagging">False</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<PolicyRule id="id190130X32371" disabled="False" group="classify" log="False" position="11" action="Branch" direction="Both" comment="">
|
|
<Src neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="action_on_reject"></Option>
|
|
<Option name="branch_id">id164851X32371</Option>
|
|
<Option name="classification">True</Option>
|
|
<Option name="classify_str">ssh_q</Option>
|
|
<Option name="color">#8BC065</Option>
|
|
<Option name="custom_str"></Option>
|
|
<Option name="ipf_route_opt_addr"></Option>
|
|
<Option name="ipf_route_opt_if"></Option>
|
|
<Option name="ipf_route_option">route_reply_through</Option>
|
|
<Option name="ipfw_classify_method">2</Option>
|
|
<Option name="ipfw_pipe_port_num">0</Option>
|
|
<Option name="ipfw_pipe_queue_num">0</Option>
|
|
<Option name="ipt_continue">False</Option>
|
|
<Option name="ipt_gw"></Option>
|
|
<Option name="ipt_iif"></Option>
|
|
<Option name="ipt_mark_connections">False</Option>
|
|
<Option name="ipt_oif"></Option>
|
|
<Option name="ipt_tee">False</Option>
|
|
<Option name="log_prefix"></Option>
|
|
<Option name="pf_classify_str">ssh_q</Option>
|
|
<Option name="pf_fastroute">False</Option>
|
|
<Option name="pf_keep_state">False</Option>
|
|
<Option name="pf_max_src_conn">0</Option>
|
|
<Option name="pf_max_src_conn_flush">False</Option>
|
|
<Option name="pf_max_src_conn_global">False</Option>
|
|
<Option name="pf_max_src_conn_overload_table"></Option>
|
|
<Option name="pf_max_src_conn_rate_num">0</Option>
|
|
<Option name="pf_max_src_conn_rate_seconds">0</Option>
|
|
<Option name="pf_max_src_nodes">0</Option>
|
|
<Option name="pf_max_src_states">0</Option>
|
|
<Option name="pf_modulate_state">False</Option>
|
|
<Option name="pf_no_sync">False</Option>
|
|
<Option name="pf_pflow">False</Option>
|
|
<Option name="pf_route_load_option">none</Option>
|
|
<Option name="pf_route_opt_addr"></Option>
|
|
<Option name="pf_route_opt_if"></Option>
|
|
<Option name="pf_route_option">none</Option>
|
|
<Option name="pf_rule_max_state">0</Option>
|
|
<Option name="pf_sloppy_tracker">False</Option>
|
|
<Option name="pf_source_tracking">False</Option>
|
|
<Option name="pf_synproxy">False</Option>
|
|
<Option name="routing">False</Option>
|
|
<Option name="rule_name_accounting"></Option>
|
|
<Option name="stateless">True</Option>
|
|
<Option name="tagging">False</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<PolicyRule id="id493056X32371" disabled="False" group="route" log="False" position="12" action="Continue" direction="Both" comment="">
|
|
<Src neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="classification">False</Option>
|
|
<Option name="color">#7694C0</Option>
|
|
<Option name="log_prefix"></Option>
|
|
<Option name="pf_classify_str"></Option>
|
|
<Option name="pf_fastroute">False</Option>
|
|
<Option name="pf_keep_state">False</Option>
|
|
<Option name="pf_max_src_conn">0</Option>
|
|
<Option name="pf_max_src_conn_flush">False</Option>
|
|
<Option name="pf_max_src_conn_global">False</Option>
|
|
<Option name="pf_max_src_conn_overload_table"></Option>
|
|
<Option name="pf_max_src_conn_rate_num">0</Option>
|
|
<Option name="pf_max_src_conn_rate_seconds">0</Option>
|
|
<Option name="pf_max_src_nodes">0</Option>
|
|
<Option name="pf_max_src_states">0</Option>
|
|
<Option name="pf_modulate_state">False</Option>
|
|
<Option name="pf_no_sync">False</Option>
|
|
<Option name="pf_pflow">False</Option>
|
|
<Option name="pf_route_load_option">none</Option>
|
|
<Option name="pf_route_opt_addr">192.168.1.100</Option>
|
|
<Option name="pf_route_opt_if">le0</Option>
|
|
<Option name="pf_route_option">route_through</Option>
|
|
<Option name="pf_rule_max_state">0</Option>
|
|
<Option name="pf_sloppy_tracker">False</Option>
|
|
<Option name="pf_source_tracking">False</Option>
|
|
<Option name="pf_synproxy">False</Option>
|
|
<Option name="routing">True</Option>
|
|
<Option name="stateless">True</Option>
|
|
<Option name="tagging">False</Option>
|
|
<Option name="tagobject_id"></Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<PolicyRule id="id825253X32371" disabled="False" group="route" log="False" position="13" action="Continue" direction="Both" comment="">
|
|
<Src neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="classification">False</Option>
|
|
<Option name="color">#7694C0</Option>
|
|
<Option name="log_prefix"></Option>
|
|
<Option name="pf_classify_str"></Option>
|
|
<Option name="pf_fastroute">False</Option>
|
|
<Option name="pf_keep_state">False</Option>
|
|
<Option name="pf_max_src_conn">0</Option>
|
|
<Option name="pf_max_src_conn_flush">False</Option>
|
|
<Option name="pf_max_src_conn_global">False</Option>
|
|
<Option name="pf_max_src_conn_overload_table"></Option>
|
|
<Option name="pf_max_src_conn_rate_num">0</Option>
|
|
<Option name="pf_max_src_conn_rate_seconds">0</Option>
|
|
<Option name="pf_max_src_nodes">0</Option>
|
|
<Option name="pf_max_src_states">0</Option>
|
|
<Option name="pf_modulate_state">False</Option>
|
|
<Option name="pf_no_sync">False</Option>
|
|
<Option name="pf_pflow">False</Option>
|
|
<Option name="pf_route_load_option">none</Option>
|
|
<Option name="pf_route_opt_addr">192.168.1.100</Option>
|
|
<Option name="pf_route_opt_if">le0</Option>
|
|
<Option name="pf_route_option">route_through</Option>
|
|
<Option name="pf_rule_max_state">0</Option>
|
|
<Option name="pf_sloppy_tracker">False</Option>
|
|
<Option name="pf_source_tracking">False</Option>
|
|
<Option name="pf_synproxy">False</Option>
|
|
<Option name="routing">True</Option>
|
|
<Option name="stateless">False</Option>
|
|
<Option name="tagging">False</Option>
|
|
<Option name="tagobject_id"></Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<PolicyRule id="id518537X32371" disabled="False" group="route" log="False" position="14" action="Accept" direction="Both" comment="">
|
|
<Src neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="classification">False</Option>
|
|
<Option name="color">#7694C0</Option>
|
|
<Option name="log_prefix"></Option>
|
|
<Option name="pf_classify_str"></Option>
|
|
<Option name="pf_fastroute">False</Option>
|
|
<Option name="pf_keep_state">False</Option>
|
|
<Option name="pf_max_src_conn">0</Option>
|
|
<Option name="pf_max_src_conn_flush">False</Option>
|
|
<Option name="pf_max_src_conn_global">False</Option>
|
|
<Option name="pf_max_src_conn_overload_table"></Option>
|
|
<Option name="pf_max_src_conn_rate_num">0</Option>
|
|
<Option name="pf_max_src_conn_rate_seconds">0</Option>
|
|
<Option name="pf_max_src_nodes">0</Option>
|
|
<Option name="pf_max_src_states">0</Option>
|
|
<Option name="pf_modulate_state">False</Option>
|
|
<Option name="pf_no_sync">False</Option>
|
|
<Option name="pf_pflow">False</Option>
|
|
<Option name="pf_route_load_option">none</Option>
|
|
<Option name="pf_route_opt_addr">192.168.1.100</Option>
|
|
<Option name="pf_route_opt_if">le0</Option>
|
|
<Option name="pf_route_option">route_through</Option>
|
|
<Option name="pf_rule_max_state">0</Option>
|
|
<Option name="pf_sloppy_tracker">False</Option>
|
|
<Option name="pf_source_tracking">False</Option>
|
|
<Option name="pf_synproxy">False</Option>
|
|
<Option name="routing">True</Option>
|
|
<Option name="stateless">False</Option>
|
|
<Option name="tagging">False</Option>
|
|
<Option name="tagobject_id"></Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<PolicyRule id="id825333X32371" disabled="False" group="route" log="False" position="15" action="Accept" direction="Both" comment="">
|
|
<Src neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="classification">False</Option>
|
|
<Option name="color">#7694C0</Option>
|
|
<Option name="log_prefix"></Option>
|
|
<Option name="pf_classify_str"></Option>
|
|
<Option name="pf_fastroute">False</Option>
|
|
<Option name="pf_keep_state">False</Option>
|
|
<Option name="pf_max_src_conn">0</Option>
|
|
<Option name="pf_max_src_conn_flush">False</Option>
|
|
<Option name="pf_max_src_conn_global">False</Option>
|
|
<Option name="pf_max_src_conn_overload_table"></Option>
|
|
<Option name="pf_max_src_conn_rate_num">0</Option>
|
|
<Option name="pf_max_src_conn_rate_seconds">0</Option>
|
|
<Option name="pf_max_src_nodes">0</Option>
|
|
<Option name="pf_max_src_states">0</Option>
|
|
<Option name="pf_modulate_state">False</Option>
|
|
<Option name="pf_no_sync">False</Option>
|
|
<Option name="pf_pflow">False</Option>
|
|
<Option name="pf_route_load_option">none</Option>
|
|
<Option name="pf_route_opt_addr">192.168.1.100</Option>
|
|
<Option name="pf_route_opt_if">le0</Option>
|
|
<Option name="pf_route_option">route_through</Option>
|
|
<Option name="pf_rule_max_state">0</Option>
|
|
<Option name="pf_sloppy_tracker">False</Option>
|
|
<Option name="pf_source_tracking">False</Option>
|
|
<Option name="pf_synproxy">False</Option>
|
|
<Option name="routing">True</Option>
|
|
<Option name="stateless">True</Option>
|
|
<Option name="tagging">False</Option>
|
|
<Option name="tagobject_id"></Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<PolicyRule id="id518593X32371" disabled="False" group="route" log="False" position="16" action="Accounting" direction="Both" comment="">
|
|
<Src neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="classification">False</Option>
|
|
<Option name="color">#7694C0</Option>
|
|
<Option name="log_prefix"></Option>
|
|
<Option name="pf_classify_str"></Option>
|
|
<Option name="pf_fastroute">False</Option>
|
|
<Option name="pf_keep_state">False</Option>
|
|
<Option name="pf_max_src_conn">0</Option>
|
|
<Option name="pf_max_src_conn_flush">False</Option>
|
|
<Option name="pf_max_src_conn_global">False</Option>
|
|
<Option name="pf_max_src_conn_overload_table"></Option>
|
|
<Option name="pf_max_src_conn_rate_num">0</Option>
|
|
<Option name="pf_max_src_conn_rate_seconds">0</Option>
|
|
<Option name="pf_max_src_nodes">0</Option>
|
|
<Option name="pf_max_src_states">0</Option>
|
|
<Option name="pf_modulate_state">False</Option>
|
|
<Option name="pf_no_sync">False</Option>
|
|
<Option name="pf_pflow">False</Option>
|
|
<Option name="pf_route_load_option">none</Option>
|
|
<Option name="pf_route_opt_addr">192.168.1.100</Option>
|
|
<Option name="pf_route_opt_if">le0</Option>
|
|
<Option name="pf_route_option">route_through</Option>
|
|
<Option name="pf_rule_max_state">0</Option>
|
|
<Option name="pf_sloppy_tracker">False</Option>
|
|
<Option name="pf_source_tracking">False</Option>
|
|
<Option name="pf_synproxy">False</Option>
|
|
<Option name="routing">True</Option>
|
|
<Option name="stateless">True</Option>
|
|
<Option name="tagging">False</Option>
|
|
<Option name="tagobject_id"></Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<PolicyRule id="id518649X32371" disabled="False" group="route" log="False" position="17" action="Branch" direction="Both" comment="">
|
|
<Src neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="action_on_reject"></Option>
|
|
<Option name="branch_id">id164851X32371</Option>
|
|
<Option name="classification">False</Option>
|
|
<Option name="color">#7694C0</Option>
|
|
<Option name="custom_str"></Option>
|
|
<Option name="ipfw_pipe_port_num">0</Option>
|
|
<Option name="log_prefix"></Option>
|
|
<Option name="pf_classify_str"></Option>
|
|
<Option name="pf_fastroute">False</Option>
|
|
<Option name="pf_keep_state">False</Option>
|
|
<Option name="pf_max_src_conn">0</Option>
|
|
<Option name="pf_max_src_conn_flush">False</Option>
|
|
<Option name="pf_max_src_conn_global">False</Option>
|
|
<Option name="pf_max_src_conn_overload_table"></Option>
|
|
<Option name="pf_max_src_conn_rate_num">0</Option>
|
|
<Option name="pf_max_src_conn_rate_seconds">0</Option>
|
|
<Option name="pf_max_src_nodes">0</Option>
|
|
<Option name="pf_max_src_states">0</Option>
|
|
<Option name="pf_modulate_state">False</Option>
|
|
<Option name="pf_no_sync">False</Option>
|
|
<Option name="pf_pflow">False</Option>
|
|
<Option name="pf_route_load_option">none</Option>
|
|
<Option name="pf_route_opt_addr">192.168.1.100</Option>
|
|
<Option name="pf_route_opt_if">le0</Option>
|
|
<Option name="pf_route_option">route_through</Option>
|
|
<Option name="pf_rule_max_state">0</Option>
|
|
<Option name="pf_sloppy_tracker">False</Option>
|
|
<Option name="pf_source_tracking">False</Option>
|
|
<Option name="pf_synproxy">False</Option>
|
|
<Option name="routing">True</Option>
|
|
<Option name="rule_name_accounting"></Option>
|
|
<Option name="stateless">True</Option>
|
|
<Option name="tagging">False</Option>
|
|
<Option name="tagobject_id"></Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<PolicyRule id="id928733X32371" disabled="False" group="tag + classify" log="False" position="18" action="Continue" direction="Both" comment="">
|
|
<Src neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="classification">True</Option>
|
|
<Option name="log_prefix"></Option>
|
|
<Option name="pf_classify_str">ssh_q</Option>
|
|
<Option name="pf_fastroute">False</Option>
|
|
<Option name="pf_keep_state">False</Option>
|
|
<Option name="pf_max_src_conn">0</Option>
|
|
<Option name="pf_max_src_conn_flush">False</Option>
|
|
<Option name="pf_max_src_conn_global">False</Option>
|
|
<Option name="pf_max_src_conn_overload_table"></Option>
|
|
<Option name="pf_max_src_conn_rate_num">0</Option>
|
|
<Option name="pf_max_src_conn_rate_seconds">0</Option>
|
|
<Option name="pf_max_src_nodes">0</Option>
|
|
<Option name="pf_max_src_states">0</Option>
|
|
<Option name="pf_modulate_state">False</Option>
|
|
<Option name="pf_no_sync">False</Option>
|
|
<Option name="pf_pflow">False</Option>
|
|
<Option name="pf_route_load_option">none</Option>
|
|
<Option name="pf_route_opt_addr"></Option>
|
|
<Option name="pf_route_opt_if"></Option>
|
|
<Option name="pf_route_option">none</Option>
|
|
<Option name="pf_rule_max_state">0</Option>
|
|
<Option name="pf_sloppy_tracker">False</Option>
|
|
<Option name="pf_source_tracking">False</Option>
|
|
<Option name="pf_synproxy">False</Option>
|
|
<Option name="routing">False</Option>
|
|
<Option name="stateless">True</Option>
|
|
<Option name="tagging">True</Option>
|
|
<Option name="tagobject_id">id1391120443</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<PolicyRule id="id1164258X32371" disabled="False" group="tag + classify" log="False" position="19" action="Continue" direction="Both" comment="">
|
|
<Src neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="classification">True</Option>
|
|
<Option name="log_prefix"></Option>
|
|
<Option name="pf_classify_str">ssh_q</Option>
|
|
<Option name="pf_fastroute">False</Option>
|
|
<Option name="pf_keep_state">False</Option>
|
|
<Option name="pf_max_src_conn">0</Option>
|
|
<Option name="pf_max_src_conn_flush">False</Option>
|
|
<Option name="pf_max_src_conn_global">False</Option>
|
|
<Option name="pf_max_src_conn_overload_table"></Option>
|
|
<Option name="pf_max_src_conn_rate_num">0</Option>
|
|
<Option name="pf_max_src_conn_rate_seconds">0</Option>
|
|
<Option name="pf_max_src_nodes">0</Option>
|
|
<Option name="pf_max_src_states">0</Option>
|
|
<Option name="pf_modulate_state">False</Option>
|
|
<Option name="pf_no_sync">False</Option>
|
|
<Option name="pf_pflow">False</Option>
|
|
<Option name="pf_route_load_option">none</Option>
|
|
<Option name="pf_route_opt_addr"></Option>
|
|
<Option name="pf_route_opt_if"></Option>
|
|
<Option name="pf_route_option">none</Option>
|
|
<Option name="pf_rule_max_state">0</Option>
|
|
<Option name="pf_sloppy_tracker">False</Option>
|
|
<Option name="pf_source_tracking">False</Option>
|
|
<Option name="pf_synproxy">False</Option>
|
|
<Option name="routing">False</Option>
|
|
<Option name="stateless">False</Option>
|
|
<Option name="tagging">True</Option>
|
|
<Option name="tagobject_id">id1391120443</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<PolicyRule id="id954690X32371" disabled="False" group="tag + classify" log="False" position="20" action="Accept" direction="Both" comment="">
|
|
<Src neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="classification">True</Option>
|
|
<Option name="log_prefix"></Option>
|
|
<Option name="pf_classify_str">ssh_q</Option>
|
|
<Option name="pf_fastroute">False</Option>
|
|
<Option name="pf_keep_state">False</Option>
|
|
<Option name="pf_max_src_conn">0</Option>
|
|
<Option name="pf_max_src_conn_flush">False</Option>
|
|
<Option name="pf_max_src_conn_global">False</Option>
|
|
<Option name="pf_max_src_conn_overload_table"></Option>
|
|
<Option name="pf_max_src_conn_rate_num">0</Option>
|
|
<Option name="pf_max_src_conn_rate_seconds">0</Option>
|
|
<Option name="pf_max_src_nodes">0</Option>
|
|
<Option name="pf_max_src_states">0</Option>
|
|
<Option name="pf_modulate_state">False</Option>
|
|
<Option name="pf_no_sync">False</Option>
|
|
<Option name="pf_pflow">False</Option>
|
|
<Option name="pf_route_load_option">none</Option>
|
|
<Option name="pf_route_opt_addr"></Option>
|
|
<Option name="pf_route_opt_if"></Option>
|
|
<Option name="pf_route_option">none</Option>
|
|
<Option name="pf_rule_max_state">0</Option>
|
|
<Option name="pf_sloppy_tracker">False</Option>
|
|
<Option name="pf_source_tracking">False</Option>
|
|
<Option name="pf_synproxy">False</Option>
|
|
<Option name="routing">False</Option>
|
|
<Option name="stateless">False</Option>
|
|
<Option name="tagging">True</Option>
|
|
<Option name="tagobject_id">id1391120443</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<PolicyRule id="id1164338X32371" disabled="False" group="tag + classify" log="False" position="21" action="Accept" direction="Both" comment="">
|
|
<Src neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="classification">True</Option>
|
|
<Option name="log_prefix"></Option>
|
|
<Option name="pf_classify_str">ssh_q</Option>
|
|
<Option name="pf_fastroute">False</Option>
|
|
<Option name="pf_keep_state">False</Option>
|
|
<Option name="pf_max_src_conn">0</Option>
|
|
<Option name="pf_max_src_conn_flush">False</Option>
|
|
<Option name="pf_max_src_conn_global">False</Option>
|
|
<Option name="pf_max_src_conn_overload_table"></Option>
|
|
<Option name="pf_max_src_conn_rate_num">0</Option>
|
|
<Option name="pf_max_src_conn_rate_seconds">0</Option>
|
|
<Option name="pf_max_src_nodes">0</Option>
|
|
<Option name="pf_max_src_states">0</Option>
|
|
<Option name="pf_modulate_state">False</Option>
|
|
<Option name="pf_no_sync">False</Option>
|
|
<Option name="pf_pflow">False</Option>
|
|
<Option name="pf_route_load_option">none</Option>
|
|
<Option name="pf_route_opt_addr"></Option>
|
|
<Option name="pf_route_opt_if"></Option>
|
|
<Option name="pf_route_option">none</Option>
|
|
<Option name="pf_rule_max_state">0</Option>
|
|
<Option name="pf_sloppy_tracker">False</Option>
|
|
<Option name="pf_source_tracking">False</Option>
|
|
<Option name="pf_synproxy">False</Option>
|
|
<Option name="routing">False</Option>
|
|
<Option name="stateless">True</Option>
|
|
<Option name="tagging">True</Option>
|
|
<Option name="tagobject_id">id1391120443</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<PolicyRule id="id980671X32371" disabled="False" group="tag + classify" log="False" position="22" action="Accounting" direction="Both" comment="">
|
|
<Src neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="classification">True</Option>
|
|
<Option name="log_prefix"></Option>
|
|
<Option name="pf_classify_str">ssh_q</Option>
|
|
<Option name="pf_fastroute">False</Option>
|
|
<Option name="pf_keep_state">False</Option>
|
|
<Option name="pf_max_src_conn">0</Option>
|
|
<Option name="pf_max_src_conn_flush">False</Option>
|
|
<Option name="pf_max_src_conn_global">False</Option>
|
|
<Option name="pf_max_src_conn_overload_table"></Option>
|
|
<Option name="pf_max_src_conn_rate_num">0</Option>
|
|
<Option name="pf_max_src_conn_rate_seconds">0</Option>
|
|
<Option name="pf_max_src_nodes">0</Option>
|
|
<Option name="pf_max_src_states">0</Option>
|
|
<Option name="pf_modulate_state">False</Option>
|
|
<Option name="pf_no_sync">False</Option>
|
|
<Option name="pf_pflow">False</Option>
|
|
<Option name="pf_route_load_option">none</Option>
|
|
<Option name="pf_route_opt_addr"></Option>
|
|
<Option name="pf_route_opt_if"></Option>
|
|
<Option name="pf_route_option">none</Option>
|
|
<Option name="pf_rule_max_state">0</Option>
|
|
<Option name="pf_sloppy_tracker">False</Option>
|
|
<Option name="pf_source_tracking">False</Option>
|
|
<Option name="pf_synproxy">False</Option>
|
|
<Option name="routing">False</Option>
|
|
<Option name="stateless">True</Option>
|
|
<Option name="tagging">True</Option>
|
|
<Option name="tagobject_id">id1391120443</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<PolicyRule id="id980751X32371" disabled="False" group="tag + classify" log="False" position="23" action="Branch" direction="Both" comment="">
|
|
<Src neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="action_on_reject"></Option>
|
|
<Option name="branch_id">id164851X32371</Option>
|
|
<Option name="classification">True</Option>
|
|
<Option name="custom_str"></Option>
|
|
<Option name="ipfw_pipe_port_num">0</Option>
|
|
<Option name="log_prefix"></Option>
|
|
<Option name="pf_classify_str">ssh_q</Option>
|
|
<Option name="pf_fastroute">False</Option>
|
|
<Option name="pf_keep_state">False</Option>
|
|
<Option name="pf_max_src_conn">0</Option>
|
|
<Option name="pf_max_src_conn_flush">False</Option>
|
|
<Option name="pf_max_src_conn_global">False</Option>
|
|
<Option name="pf_max_src_conn_overload_table"></Option>
|
|
<Option name="pf_max_src_conn_rate_num">0</Option>
|
|
<Option name="pf_max_src_conn_rate_seconds">0</Option>
|
|
<Option name="pf_max_src_nodes">0</Option>
|
|
<Option name="pf_max_src_states">0</Option>
|
|
<Option name="pf_modulate_state">False</Option>
|
|
<Option name="pf_no_sync">False</Option>
|
|
<Option name="pf_pflow">False</Option>
|
|
<Option name="pf_route_load_option">none</Option>
|
|
<Option name="pf_route_opt_addr"></Option>
|
|
<Option name="pf_route_opt_if"></Option>
|
|
<Option name="pf_route_option">none</Option>
|
|
<Option name="pf_rule_max_state">0</Option>
|
|
<Option name="pf_sloppy_tracker">False</Option>
|
|
<Option name="pf_source_tracking">False</Option>
|
|
<Option name="pf_synproxy">False</Option>
|
|
<Option name="routing">False</Option>
|
|
<Option name="rule_name_accounting"></Option>
|
|
<Option name="stateless">True</Option>
|
|
<Option name="tagging">True</Option>
|
|
<Option name="tagobject_id">id1391120443</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<PolicyRule id="id1111088X32371" disabled="False" group="tag + classify + route" log="False" position="24" action="Continue" direction="Both" comment="">
|
|
<Src neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="classification">True</Option>
|
|
<Option name="color">#A37EC0</Option>
|
|
<Option name="log_prefix"></Option>
|
|
<Option name="pf_classify_str">ssh_q</Option>
|
|
<Option name="pf_fastroute">False</Option>
|
|
<Option name="pf_keep_state">False</Option>
|
|
<Option name="pf_max_src_conn">0</Option>
|
|
<Option name="pf_max_src_conn_flush">False</Option>
|
|
<Option name="pf_max_src_conn_global">False</Option>
|
|
<Option name="pf_max_src_conn_overload_table"></Option>
|
|
<Option name="pf_max_src_conn_rate_num">0</Option>
|
|
<Option name="pf_max_src_conn_rate_seconds">0</Option>
|
|
<Option name="pf_max_src_nodes">0</Option>
|
|
<Option name="pf_max_src_states">0</Option>
|
|
<Option name="pf_modulate_state">False</Option>
|
|
<Option name="pf_no_sync">False</Option>
|
|
<Option name="pf_pflow">False</Option>
|
|
<Option name="pf_route_load_option">none</Option>
|
|
<Option name="pf_route_opt_addr">192.168.1.100</Option>
|
|
<Option name="pf_route_opt_if">le0</Option>
|
|
<Option name="pf_route_option">route_through</Option>
|
|
<Option name="pf_rule_max_state">0</Option>
|
|
<Option name="pf_sloppy_tracker">False</Option>
|
|
<Option name="pf_source_tracking">False</Option>
|
|
<Option name="pf_synproxy">False</Option>
|
|
<Option name="routing">True</Option>
|
|
<Option name="stateless">True</Option>
|
|
<Option name="tagging">True</Option>
|
|
<Option name="tagobject_id">id1391120443</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<PolicyRule id="id1164098X32371" disabled="False" group="tag + classify + route" log="False" position="25" action="Continue" direction="Both" comment="">
|
|
<Src neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="classification">True</Option>
|
|
<Option name="color">#A37EC0</Option>
|
|
<Option name="log_prefix"></Option>
|
|
<Option name="pf_classify_str">ssh_q</Option>
|
|
<Option name="pf_fastroute">False</Option>
|
|
<Option name="pf_keep_state">False</Option>
|
|
<Option name="pf_max_src_conn">0</Option>
|
|
<Option name="pf_max_src_conn_flush">False</Option>
|
|
<Option name="pf_max_src_conn_global">False</Option>
|
|
<Option name="pf_max_src_conn_overload_table"></Option>
|
|
<Option name="pf_max_src_conn_rate_num">0</Option>
|
|
<Option name="pf_max_src_conn_rate_seconds">0</Option>
|
|
<Option name="pf_max_src_nodes">0</Option>
|
|
<Option name="pf_max_src_states">0</Option>
|
|
<Option name="pf_modulate_state">False</Option>
|
|
<Option name="pf_no_sync">False</Option>
|
|
<Option name="pf_pflow">False</Option>
|
|
<Option name="pf_route_load_option">none</Option>
|
|
<Option name="pf_route_opt_addr">192.168.1.100</Option>
|
|
<Option name="pf_route_opt_if">le0</Option>
|
|
<Option name="pf_route_option">route_through</Option>
|
|
<Option name="pf_rule_max_state">0</Option>
|
|
<Option name="pf_sloppy_tracker">False</Option>
|
|
<Option name="pf_source_tracking">False</Option>
|
|
<Option name="pf_synproxy">False</Option>
|
|
<Option name="routing">True</Option>
|
|
<Option name="stateless">False</Option>
|
|
<Option name="tagging">True</Option>
|
|
<Option name="tagobject_id">id1391120443</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<PolicyRule id="id1137537X32371" disabled="False" group="tag + classify + route" log="False" position="26" action="Accept" direction="Both" comment="">
|
|
<Src neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="classification">True</Option>
|
|
<Option name="color">#A37EC0</Option>
|
|
<Option name="log_prefix"></Option>
|
|
<Option name="pf_classify_str">ssh_q</Option>
|
|
<Option name="pf_fastroute">False</Option>
|
|
<Option name="pf_keep_state">False</Option>
|
|
<Option name="pf_max_src_conn">0</Option>
|
|
<Option name="pf_max_src_conn_flush">False</Option>
|
|
<Option name="pf_max_src_conn_global">False</Option>
|
|
<Option name="pf_max_src_conn_overload_table"></Option>
|
|
<Option name="pf_max_src_conn_rate_num">0</Option>
|
|
<Option name="pf_max_src_conn_rate_seconds">0</Option>
|
|
<Option name="pf_max_src_nodes">0</Option>
|
|
<Option name="pf_max_src_states">0</Option>
|
|
<Option name="pf_modulate_state">False</Option>
|
|
<Option name="pf_no_sync">False</Option>
|
|
<Option name="pf_pflow">False</Option>
|
|
<Option name="pf_route_load_option">none</Option>
|
|
<Option name="pf_route_opt_addr">192.168.1.100</Option>
|
|
<Option name="pf_route_opt_if">le0</Option>
|
|
<Option name="pf_route_option">route_through</Option>
|
|
<Option name="pf_rule_max_state">0</Option>
|
|
<Option name="pf_sloppy_tracker">False</Option>
|
|
<Option name="pf_source_tracking">False</Option>
|
|
<Option name="pf_synproxy">False</Option>
|
|
<Option name="routing">True</Option>
|
|
<Option name="stateless">False</Option>
|
|
<Option name="tagging">True</Option>
|
|
<Option name="tagobject_id">id1391120443</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<PolicyRule id="id1164178X32371" disabled="False" group="tag + classify + route" log="False" position="27" action="Accept" direction="Both" comment="">
|
|
<Src neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="classification">True</Option>
|
|
<Option name="color">#A37EC0</Option>
|
|
<Option name="log_prefix"></Option>
|
|
<Option name="pf_classify_str">ssh_q</Option>
|
|
<Option name="pf_fastroute">False</Option>
|
|
<Option name="pf_keep_state">False</Option>
|
|
<Option name="pf_max_src_conn">0</Option>
|
|
<Option name="pf_max_src_conn_flush">False</Option>
|
|
<Option name="pf_max_src_conn_global">False</Option>
|
|
<Option name="pf_max_src_conn_overload_table"></Option>
|
|
<Option name="pf_max_src_conn_rate_num">0</Option>
|
|
<Option name="pf_max_src_conn_rate_seconds">0</Option>
|
|
<Option name="pf_max_src_nodes">0</Option>
|
|
<Option name="pf_max_src_states">0</Option>
|
|
<Option name="pf_modulate_state">False</Option>
|
|
<Option name="pf_no_sync">False</Option>
|
|
<Option name="pf_pflow">False</Option>
|
|
<Option name="pf_route_load_option">none</Option>
|
|
<Option name="pf_route_opt_addr">192.168.1.100</Option>
|
|
<Option name="pf_route_opt_if">le0</Option>
|
|
<Option name="pf_route_option">route_through</Option>
|
|
<Option name="pf_rule_max_state">0</Option>
|
|
<Option name="pf_sloppy_tracker">False</Option>
|
|
<Option name="pf_source_tracking">False</Option>
|
|
<Option name="pf_synproxy">False</Option>
|
|
<Option name="routing">True</Option>
|
|
<Option name="stateless">True</Option>
|
|
<Option name="tagging">True</Option>
|
|
<Option name="tagobject_id">id1391120443</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<PolicyRule id="id1137593X32371" disabled="False" group="tag + classify + route" log="False" position="28" action="Accounting" direction="Both" comment="">
|
|
<Src neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="classification">True</Option>
|
|
<Option name="color">#A37EC0</Option>
|
|
<Option name="log_prefix"></Option>
|
|
<Option name="pf_classify_str">ssh_q</Option>
|
|
<Option name="pf_fastroute">False</Option>
|
|
<Option name="pf_keep_state">False</Option>
|
|
<Option name="pf_max_src_conn">0</Option>
|
|
<Option name="pf_max_src_conn_flush">False</Option>
|
|
<Option name="pf_max_src_conn_global">False</Option>
|
|
<Option name="pf_max_src_conn_overload_table"></Option>
|
|
<Option name="pf_max_src_conn_rate_num">0</Option>
|
|
<Option name="pf_max_src_conn_rate_seconds">0</Option>
|
|
<Option name="pf_max_src_nodes">0</Option>
|
|
<Option name="pf_max_src_states">0</Option>
|
|
<Option name="pf_modulate_state">False</Option>
|
|
<Option name="pf_no_sync">False</Option>
|
|
<Option name="pf_pflow">False</Option>
|
|
<Option name="pf_route_load_option">none</Option>
|
|
<Option name="pf_route_opt_addr">192.168.1.100</Option>
|
|
<Option name="pf_route_opt_if">le0</Option>
|
|
<Option name="pf_route_option">route_through</Option>
|
|
<Option name="pf_rule_max_state">0</Option>
|
|
<Option name="pf_sloppy_tracker">False</Option>
|
|
<Option name="pf_source_tracking">False</Option>
|
|
<Option name="pf_synproxy">False</Option>
|
|
<Option name="routing">True</Option>
|
|
<Option name="stateless">True</Option>
|
|
<Option name="tagging">True</Option>
|
|
<Option name="tagobject_id">id1391120443</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<PolicyRule id="id1137649X32371" disabled="False" group="tag + classify + route" log="False" position="29" action="Branch" direction="Both" comment="">
|
|
<Src neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="action_on_reject"></Option>
|
|
<Option name="branch_id">id164851X32371</Option>
|
|
<Option name="classification">True</Option>
|
|
<Option name="color">#A37EC0</Option>
|
|
<Option name="custom_str"></Option>
|
|
<Option name="ipfw_pipe_port_num">0</Option>
|
|
<Option name="log_prefix"></Option>
|
|
<Option name="pf_classify_str">ssh_q</Option>
|
|
<Option name="pf_fastroute">False</Option>
|
|
<Option name="pf_keep_state">False</Option>
|
|
<Option name="pf_max_src_conn">0</Option>
|
|
<Option name="pf_max_src_conn_flush">False</Option>
|
|
<Option name="pf_max_src_conn_global">False</Option>
|
|
<Option name="pf_max_src_conn_overload_table"></Option>
|
|
<Option name="pf_max_src_conn_rate_num">0</Option>
|
|
<Option name="pf_max_src_conn_rate_seconds">0</Option>
|
|
<Option name="pf_max_src_nodes">0</Option>
|
|
<Option name="pf_max_src_states">0</Option>
|
|
<Option name="pf_modulate_state">False</Option>
|
|
<Option name="pf_no_sync">False</Option>
|
|
<Option name="pf_pflow">False</Option>
|
|
<Option name="pf_route_load_option">none</Option>
|
|
<Option name="pf_route_opt_addr">192.168.1.100</Option>
|
|
<Option name="pf_route_opt_if">le0</Option>
|
|
<Option name="pf_route_option">route_through</Option>
|
|
<Option name="pf_rule_max_state">0</Option>
|
|
<Option name="pf_sloppy_tracker">False</Option>
|
|
<Option name="pf_source_tracking">False</Option>
|
|
<Option name="pf_synproxy">False</Option>
|
|
<Option name="routing">True</Option>
|
|
<Option name="rule_name_accounting"></Option>
|
|
<Option name="stateless">True</Option>
|
|
<Option name="tagging">True</Option>
|
|
<Option name="tagobject_id">id1391120443</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<!-- Catch-all rule (position 30): Deny, any src/dst/service/interface, direction Both, log="False".
     A hit on this rule is not logged by the rule itself, and the firewall-level option
     log_all_dropped in this object is also False, so default-deny drops leave no trace.
     Presumably acceptable for a test fixture; in a real policy the final deny is usually
     the rule you want logged, since it is the main source of detection visibility. -->
<PolicyRule id="id39636X32371" disabled="False" group="" log="False" position="30" action="Deny" direction="Both" comment="">
|
|
<Src neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="action_on_reject"></Option>
|
|
<Option name="classification">False</Option>
|
|
<Option name="classify_str"></Option>
|
|
<Option name="custom_str"></Option>
|
|
<Option name="ipfw_pipe_method">0</Option>
|
|
<Option name="ipfw_pipe_port_num">0</Option>
|
|
<Option name="log_prefix"></Option>
|
|
<Option name="pf_classify_str"></Option>
|
|
<Option name="pf_fastroute">False</Option>
|
|
<Option name="pf_keep_state">False</Option>
|
|
<Option name="pf_max_src_conn">0</Option>
|
|
<Option name="pf_max_src_conn_flush">False</Option>
|
|
<Option name="pf_max_src_conn_global">False</Option>
|
|
<Option name="pf_max_src_conn_overload_table"></Option>
|
|
<Option name="pf_max_src_conn_rate_num">0</Option>
|
|
<Option name="pf_max_src_conn_rate_seconds">0</Option>
|
|
<Option name="pf_max_src_nodes">0</Option>
|
|
<Option name="pf_max_src_states">0</Option>
|
|
<Option name="pf_modulate_state">False</Option>
|
|
<Option name="pf_no_sync">False</Option>
|
|
<Option name="pf_pflow">False</Option>
|
|
<Option name="pf_route_load_option">none</Option>
|
|
<Option name="pf_route_opt_addr"></Option>
|
|
<Option name="pf_route_opt_if"></Option>
|
|
<Option name="pf_route_option">none</Option>
|
|
<Option name="pf_rule_max_state">0</Option>
|
|
<Option name="pf_sloppy_tracker">False</Option>
|
|
<Option name="pf_source_tracking">False</Option>
|
|
<Option name="pf_synproxy">False</Option>
|
|
<Option name="routing">False</Option>
|
|
<Option name="rule_name_accounting"></Option>
|
|
<Option name="stateless">True</Option>
|
|
<Option name="tagging">False</Option>
|
|
<Option name="tagobject_id"></Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<RuleSetOptions/>
|
|
</Policy>
|
|
<Policy id="id164851X32371" name="Policy_1" comment="" ro="False" ipv4_rule_set="True" ipv6_rule_set="False" top_rule_set="False">
|
|
<RuleSetOptions/>
|
|
</Policy>
|
|
<Routing id="id39668X32371" name="Routing" comment="" ro="False" ipv4_rule_set="False" ipv6_rule_set="False" top_rule_set="True">
|
|
<RuleSetOptions/>
|
|
</Routing>
|
|
<Interface id="id39560X32371" dedicated_failover="False" dyn="False" label="int_if" mgmt="False" security_level="100" unnum="False" unprotected="False" name="le0" comment="" ro="False">
|
|
<IPv4 id="id39563X32371" name="firewall111:le0:ip" comment="" ro="False" address="192.168.1.1" netmask="255.255.255.0"/>
|
|
<InterfaceOptions/>
|
|
</Interface>
|
|
<Interface id="id39565X32371" dedicated_failover="False" dyn="False" label="ext_if" mgmt="False" security_level="0" unnum="True" unprotected="False" name="enc0" comment="" ro="False">
|
|
<InterfaceOptions/>
|
|
</Interface>
|
|
<Interface id="id39568X32371" dedicated_failover="False" dyn="False" security_level="100" unnum="False" unprotected="False" name="lo" comment="" ro="False">
|
|
<IPv4 id="id39571X32371" name="firewall111:lo:ip" comment="" ro="False" address="127.0.0.1" netmask="255.0.0.0"/>
|
|
<InterfaceOptions/>
|
|
</Interface>
|
|
<Interface id="id39573X32371" dedicated_failover="False" dyn="False" label="wifi_int" mgmt="False" security_level="0" unnum="False" unprotected="False" name="enc1" comment="" ro="False">
|
|
<IPv4 id="id39576X32371" name="firewall111:enc1:ip" comment="" ro="False" address="192.168.2.1" netmask="255.255.255.0"/>
|
|
<InterfaceOptions/>
|
|
</Interface>
|
|
<!-- Management settings for this firewall object (management address 127.0.0.1).
     Presumably a test fixture: the agents below carry fwbuilder defaults, not site values. -->
<Management address="127.0.0.1">
|
|
<!-- SNMP is disabled, but the read community is still the well-known default "public"
     and the write community is empty. Harmless while enabled="False"; replace before
     enabling on a real device. -->
<SNMPManagement enabled="False" snmp_read_community="public" snmp_write_community=""/>
|
|
<!-- fwbuilder daemon management is enabled on port 9999 with an empty identity.
     Whether this is reachable depends on what the daemon binds to, which this file
     does not show; confirm before reusing this object outside the test suite. -->
<FWBDManagement enabled="True" identity="" port="9999"/>
|
|
<PolicyInstallScript arguments="" command="" enabled="False"/>
|
|
</Management>
|
|
<FirewallOptions>
|
|
<Option name="accept_established">True</Option>
|
|
<!-- Presumably fwbuilder's "accept TCP sessions opened prior to firewall restart" option:
     with True, TCP packets without SYN may be accepted as new connections, which relaxes
     state tracking. Reasonable in a fixture; confirm intent for a deployed policy. -->
<Option name="accept_new_tcp_with_no_syn">True</Option>
|
|
<Option name="action_on_reject">ICMP net unreachable</Option>
|
|
<Option name="activationCmd"></Option>
|
|
<Option name="admUser"></Option>
|
|
<Option name="altAddress"></Option>
|
|
<Option name="check_shading">True</Option>
|
|
<Option name="clamp_mss_to_mtu">False</Option>
|
|
<Option name="cmdline"></Option>
|
|
<Option name="compiler"></Option>
|
|
<Option name="conf1_file"></Option>
|
|
<Option name="conf_file_name_on_firewall"></Option>
|
|
<Option name="configure_bridge_interfaces">False</Option>
|
|
<Option name="configure_carp_interfaces">False</Option>
|
|
<Option name="configure_interfaces">False</Option>
|
|
<Option name="configure_pfsync_interfaces">False</Option>
|
|
<Option name="configure_vlan_interfaces">False</Option>
|
|
<Option name="debug">False</Option>
|
|
<Option name="dyn_addr">False</Option>
|
|
<Option name="epilog_script"></Option>
|
|
<Option name="fallback_log">False</Option>
|
|
<Option name="firewall_dir"></Option>
|
|
<Option name="firewall_is_part_of_any">True</Option>
|
|
<Option name="firewall_is_part_of_any_and_networks">True</Option>
|
|
<Option name="freebsd_path_ipf"></Option>
|
|
<Option name="freebsd_path_ipnat"></Option>
|
|
<Option name="freebsd_path_sysctl"></Option>
|
|
<Option name="generate_rc_conf_file">False</Option>
|
|
<Option name="generate_shell_script">True</Option>
|
|
<Option name="ignore_empty_groups">False</Option>
|
|
<Option name="in_out_code">True</Option>
|
|
<Option name="inst_cmdline"></Option>
|
|
<Option name="inst_script"></Option>
|
|
<Option name="install_script"></Option>
|
|
<Option name="ipv4_6_order">ipv4_first</Option>
|
|
<Option name="limit_suffix">/day</Option>
|
|
<Option name="limit_value">0</Option>
|
|
<Option name="linux24_ip_forward">0</Option>
|
|
<Option name="linux24_tcp_fin_timeout">30</Option>
|
|
<Option name="linux24_tcp_keepalive_interval">1800</Option>
|
|
<Option name="load_modules">False</Option>
|
|
<Option name="log_all_dropped">False</Option>
|
|
<Option name="log_ip_opt">False</Option>
|
|
<Option name="log_level">debug</Option>
|
|
<Option name="log_limit_suffix">/second</Option>
|
|
<Option name="log_limit_value">0</Option>
|
|
<Option name="log_prefix"></Option>
|
|
<Option name="log_tcp_opt">False</Option>
|
|
<Option name="log_tcp_seq">False</Option>
|
|
<Option name="manage_virtual_addr">True</Option>
|
|
<Option name="mgmt_addr"></Option>
|
|
<Option name="mgmt_ssh">False</Option>
|
|
<Option name="modulate_state">False</Option>
|
|
<Option name="no_iochains_for_any">False</Option>
|
|
<Option name="no_optimisation">False</Option>
|
|
<Option name="openbsd_path_pfctl"></Option>
|
|
<Option name="openbsd_path_sysctl"></Option>
|
|
<Option name="output_file"></Option>
|
|
<Option name="pass_all_out">False</Option>
|
|
<Option name="pf_adaptive_end">0</Option>
|
|
<Option name="pf_adaptive_start">0</Option>
|
|
<Option name="pf_do_limit_frags">False</Option>
|
|
<Option name="pf_do_limit_src_nodes">False</Option>
|
|
<Option name="pf_do_limit_states">False</Option>
|
|
<Option name="pf_do_limit_table_entries">False</Option>
|
|
<Option name="pf_do_limit_tables">False</Option>
|
|
<Option name="pf_do_scrub">True</Option>
|
|
<Option name="pf_do_timeout_frag">False</Option>
|
|
<Option name="pf_do_timeout_interval">False</Option>
|
|
<Option name="pf_flush_states">False</Option>
|
|
<Option name="pf_icmp_error">0</Option>
|
|
<Option name="pf_icmp_first">0</Option>
|
|
<Option name="pf_limit_frags">5000</Option>
|
|
<Option name="pf_limit_src_nodes">0</Option>
|
|
<Option name="pf_limit_states">10000</Option>
|
|
<Option name="pf_limit_table_entries">0</Option>
|
|
<Option name="pf_limit_tables">0</Option>
|
|
<Option name="pf_modulate_state">False</Option>
|
|
<Option name="pf_optimization"></Option>
|
|
<Option name="pf_other_first">0</Option>
|
|
<Option name="pf_other_multiple">0</Option>
|
|
<Option name="pf_other_single">0</Option>
|
|
<Option name="pf_scrub_fragm_crop">False</Option>
|
|
<Option name="pf_scrub_fragm_drop_ovl">False</Option>
|
|
<Option name="pf_scrub_maxmss">1460</Option>
|
|
<Option name="pf_scrub_minttl">1</Option>
|
|
<Option name="pf_scrub_no_df">False</Option>
|
|
<Option name="pf_scrub_random_id">False</Option>
|
|
<Option name="pf_scrub_reassemble">True</Option>
|
|
<Option name="pf_scrub_reassemble_tcp">False</Option>
|
|
<Option name="pf_scrub_use_maxmss">False</Option>
|
|
<Option name="pf_scrub_use_minttl">False</Option>
|
|
<Option name="pf_set_adaptive">False</Option>
|
|
<Option name="pf_set_icmp_error">False</Option>
|
|
<Option name="pf_set_icmp_first">False</Option>
|
|
<Option name="pf_set_other_first">False</Option>
|
|
<Option name="pf_set_other_multiple">False</Option>
|
|
<Option name="pf_set_other_single">False</Option>
|
|
<Option name="pf_set_tcp_closed">False</Option>
|
|
<Option name="pf_set_tcp_closing">False</Option>
|
|
<Option name="pf_set_tcp_established">False</Option>
|
|
<Option name="pf_set_tcp_finwait">False</Option>
|
|
<Option name="pf_set_tcp_first">False</Option>
|
|
<Option name="pf_set_tcp_opening">False</Option>
|
|
<Option name="pf_set_udp_first">False</Option>
|
|
<Option name="pf_set_udp_multiple">False</Option>
|
|
<Option name="pf_set_udp_single">False</Option>
|
|
<Option name="pf_state_policy"></Option>
|
|
<Option name="pf_tcp_closed">0</Option>
|
|
<Option name="pf_tcp_closing">0</Option>
|
|
<Option name="pf_tcp_established">0</Option>
|
|
<Option name="pf_tcp_finwait">0</Option>
|
|
<Option name="pf_tcp_first">0</Option>
|
|
<Option name="pf_tcp_opening">0</Option>
|
|
<Option name="pf_timeout_frag">30</Option>
|
|
<Option name="pf_timeout_interval">10</Option>
|
|
<Option name="pf_udp_first">0</Option>
|
|
<Option name="pf_udp_multiple">0</Option>
|
|
<Option name="pf_udp_single">0</Option>
|
|
<Option name="platform">iptables</Option>
|
|
<Option name="prolog_place">fw_file</Option>
|
|
<Option name="prolog_script"></Option>
|
|
<Option name="proxy_arp">False</Option>
|
|
<Option name="scpArgs"></Option>
|
|
<Option name="script_env_path"></Option>
|
|
<Option name="script_name_on_firewall"></Option>
|
|
<Option name="snmp_contact"></Option>
|
|
<Option name="snmp_description"></Option>
|
|
<Option name="snmp_location"></Option>
|
|
<Option name="sshArgs"></Option>
|
|
<Option name="use_ip_tool">False</Option>
|
|
<Option name="use_numeric_log_levels">False</Option>
|
|
<Option name="use_tables">True</Option>
|
|
</FirewallOptions>
|
|
</Firewall>
|
|
<Firewall id="id145440X24525" host_OS="openbsd" inactive="False" lastCompiled="1157930816" lastInstalled="0" lastModified="1309899485" platform="pf" version="4.7" name="firewall40-2" comment="testing Route action for PF v4.7 and later" ro="False">
|
|
<NAT id="id145640X24525" name="NAT" comment="" ro="False" ipv4_rule_set="False" ipv6_rule_set="False" top_rule_set="True">
|
|
<NATRule id="id145642X24525" disabled="False" group="" position="0" action="Translate" comment="Translate source address for outgoing connections">
|
|
<OSrc neg="False">
|
|
<ObjectRef ref="id3DC75CE7-1"/>
|
|
</OSrc>
|
|
<ODst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ODst>
|
|
<OSrv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</OSrv>
|
|
<TSrc neg="False">
|
|
<ObjectRef ref="id145448X24525"/>
|
|
</TSrc>
|
|
<TDst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</TDst>
|
|
<TSrv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</TSrv>
|
|
<ItfInb neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ItfInb>
|
|
<ItfOutb neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ItfOutb>
|
|
<NATRuleOptions/>
|
|
</NATRule>
|
|
<NATRule id="id145685X24525" disabled="False" group="" position="1" action="Translate" comment="Translate source address for outgoing connections">
|
|
<OSrc neg="False">
|
|
<ObjectRef ref="id3DC75CE7-1"/>
|
|
</OSrc>
|
|
<ODst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ODst>
|
|
<OSrv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</OSrv>
|
|
<TSrc neg="False">
|
|
<ObjectRef ref="id145463X24525"/>
|
|
</TSrc>
|
|
<TDst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</TDst>
|
|
<TSrv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</TSrv>
|
|
<ItfInb neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ItfInb>
|
|
<ItfOutb neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ItfOutb>
|
|
<NATRuleOptions/>
|
|
</NATRule>
|
|
<RuleSetOptions/>
|
|
</NAT>
|
|
<Policy id="id145468X24525" name="Policy" comment="" ro="False" ipv4_rule_set="False" ipv6_rule_set="False" top_rule_set="True">
|
|
<PolicyRule id="id145526X24525" disabled="False" group="" log="False" position="0" action="Accept" direction="Inbound" comment="">
|
|
<Src neg="False">
|
|
<ObjectRef ref="id3DC75CE7-1"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="tcp-HTTP"/>
|
|
<ServiceRef ref="tcp-SMTP"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="id145453X24525"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="action_on_reject"></Option>
|
|
<Option name="branch_anchor_name"></Option>
|
|
<Option name="branch_chain_name"></Option>
|
|
<Option name="classification">False</Option>
|
|
<Option name="classify_str"></Option>
|
|
<Option name="custom_str"></Option>
|
|
<Option name="ipf_route_opt_addr"></Option>
|
|
<Option name="ipf_route_opt_if"></Option>
|
|
<Option name="ipf_route_option">route_through</Option>
|
|
<Option name="ipfw_classify_method">2</Option>
|
|
<Option name="ipfw_pipe_port_num">0</Option>
|
|
<Option name="ipfw_pipe_queue_num">0</Option>
|
|
<Option name="ipt_continue">False</Option>
|
|
<Option name="ipt_gw"></Option>
|
|
<Option name="ipt_iif"></Option>
|
|
<Option name="ipt_mark_connections">False</Option>
|
|
<Option name="ipt_oif"></Option>
|
|
<Option name="ipt_tee">False</Option>
|
|
<Option name="pf_classify_str"></Option>
|
|
<Option name="pf_fastroute">False</Option>
|
|
<Option name="pf_route_opt_addr">192.0.2.10</Option>
|
|
<Option name="pf_route_opt_if">le1</Option>
|
|
<Option name="pf_route_option">route_through</Option>
|
|
<Option name="routing">True</Option>
|
|
<Option name="rule_name_accounting"></Option>
|
|
<Option name="stateless">True</Option>
|
|
<Option name="tagging">False</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<PolicyRule id="id145555X24525" disabled="False" group="" log="False" position="1" action="Accept" direction="Inbound" comment="">
|
|
<Src neg="False">
|
|
<ObjectRef ref="id3DC75CE7-1"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="tcp-SSH"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="id145453X24525"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="action_on_reject"></Option>
|
|
<Option name="branch_anchor_name"></Option>
|
|
<Option name="branch_chain_name"></Option>
|
|
<Option name="classification">False</Option>
|
|
<Option name="classify_str"></Option>
|
|
<Option name="custom_str"></Option>
|
|
<Option name="ipf_route_opt_addr"></Option>
|
|
<Option name="ipf_route_opt_if"></Option>
|
|
<Option name="ipf_route_option">route_through</Option>
|
|
<Option name="ipfw_classify_method">2</Option>
|
|
<Option name="ipfw_pipe_port_num">0</Option>
|
|
<Option name="ipfw_pipe_queue_num">0</Option>
|
|
<Option name="ipt_continue">False</Option>
|
|
<Option name="ipt_gw"></Option>
|
|
<Option name="ipt_iif"></Option>
|
|
<Option name="ipt_mark_connections">False</Option>
|
|
<Option name="ipt_oif"></Option>
|
|
<Option name="ipt_tee">False</Option>
|
|
<Option name="pf_classify_str"></Option>
|
|
<Option name="pf_fastroute">False</Option>
|
|
<Option name="pf_route_opt_addr">192.0.3.10</Option>
|
|
<Option name="pf_route_opt_if">le2</Option>
|
|
<Option name="pf_route_option">route_through</Option>
|
|
<Option name="routing">True</Option>
|
|
<Option name="rule_name_accounting"></Option>
|
|
<Option name="stateless">True</Option>
|
|
<Option name="tagging">False</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<PolicyRule id="id356123X24525" disabled="False" group="" log="False" position="2" action="Accept" direction="Inbound" comment="">
|
|
<Src neg="False">
|
|
<ObjectRef ref="id3DC75CE7-1"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="tcp-SSH"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="id145453X24525"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="action_on_reject"></Option>
|
|
<Option name="branch_anchor_name"></Option>
|
|
<Option name="branch_chain_name"></Option>
|
|
<Option name="classification">False</Option>
|
|
<Option name="classify_str"></Option>
|
|
<Option name="custom_str"></Option>
|
|
<Option name="ipf_route_opt_addr"></Option>
|
|
<Option name="ipf_route_opt_if"></Option>
|
|
<Option name="ipf_route_option">route_through</Option>
|
|
<Option name="ipfw_classify_method">2</Option>
|
|
<Option name="ipfw_pipe_port_num">0</Option>
|
|
<Option name="ipfw_pipe_queue_num">0</Option>
|
|
<Option name="ipt_continue">False</Option>
|
|
<Option name="ipt_gw"></Option>
|
|
<Option name="ipt_iif"></Option>
|
|
<Option name="ipt_mark_connections">False</Option>
|
|
<Option name="ipt_oif"></Option>
|
|
<Option name="ipt_tee">False</Option>
|
|
<Option name="log_prefix"></Option>
|
|
<Option name="pf_classify_str"></Option>
|
|
<Option name="pf_fastroute">False</Option>
|
|
<Option name="pf_keep_state">False</Option>
|
|
<Option name="pf_max_src_conn">0</Option>
|
|
<Option name="pf_max_src_conn_flush">False</Option>
|
|
<Option name="pf_max_src_conn_global">False</Option>
|
|
<Option name="pf_max_src_conn_overload_table"></Option>
|
|
<Option name="pf_max_src_conn_rate_num">0</Option>
|
|
<Option name="pf_max_src_conn_rate_seconds">0</Option>
|
|
<Option name="pf_max_src_nodes">0</Option>
|
|
<Option name="pf_max_src_states">0</Option>
|
|
<Option name="pf_modulate_state">False</Option>
|
|
<Option name="pf_no_sync">False</Option>
|
|
<Option name="pf_pflow">False</Option>
|
|
<Option name="pf_route_load_option">none</Option>
|
|
<Option name="pf_route_opt_addr">192.0.3.10</Option>
|
|
<Option name="pf_route_opt_if">le2</Option>
|
|
<Option name="pf_route_option">route_through</Option>
|
|
<Option name="pf_rule_max_state">0</Option>
|
|
<Option name="pf_sloppy_tracker">False</Option>
|
|
<Option name="pf_source_tracking">False</Option>
|
|
<Option name="pf_synproxy">False</Option>
|
|
<Option name="routing">True</Option>
|
|
<Option name="rule_name_accounting"></Option>
|
|
<Option name="stateless">False</Option>
|
|
<Option name="tagging">False</Option>
|
|
<Option name="tagobject_id"></Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<RuleSetOptions/>
|
|
</Policy>
|
|
<Routing id="id145729X24525" name="Routing" comment="" ro="False" ipv4_rule_set="False" ipv6_rule_set="False" top_rule_set="True">
|
|
<RuleSetOptions/>
|
|
</Routing>
|
|
<Interface id="id145448X24525" dedicated_failover="False" dyn="False" label="" mgmt="False" security_level="0" unnum="False" unprotected="False" name="le1" comment="" ro="False">
|
|
<IPv4 id="id145451X24525" name="firewall40:le1:ip" comment="This is a test address, change it to your real one" ro="False" address="192.0.2.1" netmask="255.255.255.0"/>
|
|
<InterfaceOptions/>
|
|
</Interface>
|
|
<Interface id="id145453X24525" dedicated_failover="False" dyn="False" label="" mgmt="True" security_level="100" unnum="False" unprotected="False" name="fxp0" comment="" ro="False">
|
|
<IPv4 id="id145456X24525" name="firewall40:fxp0:ip" comment="" ro="False" address="192.168.1.1" netmask="255.255.255.0"/>
|
|
<InterfaceOptions/>
|
|
</Interface>
|
|
<Interface id="id145458X24525" dedicated_failover="False" dyn="False" label="" mgmt="False" security_level="100" unnum="False" unprotected="False" name="lo0" comment="" ro="False">
|
|
<IPv4 id="id145461X24525" name="firewall40:lo0:ip" comment="" ro="False" address="127.0.0.1" netmask="255.0.0.0"/>
|
|
<InterfaceOptions/>
|
|
</Interface>
|
|
<Interface id="id145463X24525" dedicated_failover="False" dyn="False" label="" mgmt="False" security_level="0" unnum="False" unprotected="False" name="le2" comment="" ro="False">
|
|
<IPv4 id="id145466X24525" name="firewall40:le2:ip" comment="" ro="False" address="192.0.3.1" netmask="255.255.255.0"/>
|
|
<InterfaceOptions/>
|
|
</Interface>
|
|
<Management address="0.0.0.0">
|
|
<SNMPManagement enabled="False" snmp_read_community="" snmp_write_community=""/>
|
|
<FWBDManagement enabled="False" identity="" port="-1"/>
|
|
<PolicyInstallScript arguments="" command="" enabled="False"/>
|
|
</Management>
|
|
<FirewallOptions>
|
|
<Option name="accept_established">true</Option>
|
|
<Option name="accept_new_tcp_with_no_syn">True</Option>
|
|
<Option name="activationCmd"></Option>
|
|
<Option name="admUser"></Option>
|
|
<Option name="altAddress"></Option>
|
|
<Option name="check_shading">True</Option>
|
|
<Option name="cmdline"></Option>
|
|
<Option name="compiler"></Option>
|
|
<Option name="configure_interfaces">True</Option>
|
|
<Option name="debug">False</Option>
|
|
<Option name="eliminate_duplicates">true</Option>
|
|
<Option name="epilog_script"></Option>
|
|
<Option name="fallback_log">False</Option>
|
|
<Option name="firewall_dir">/etc</Option>
|
|
<Option name="firewall_is_part_of_any_and_networks">true</Option>
|
|
<Option name="freebsd_ip_forward">1</Option>
|
|
<Option name="ignore_empty_groups">False</Option>
|
|
<Option name="in_out_code">True</Option>
|
|
<Option name="limit_value">0</Option>
|
|
<Option name="linux24_ip_forward">1</Option>
|
|
<Option name="load_modules">true</Option>
|
|
<Option name="local_nat">false</Option>
|
|
<Option name="log_level">info</Option>
|
|
<Option name="log_prefix">RULE %N -- %A </Option>
|
|
<Option name="loopback_interface">lo0</Option>
|
|
<Option name="macosx_ip_forward">1</Option>
|
|
<Option name="manage_virtual_addr">True</Option>
|
|
<Option name="mgmt_addr"></Option>
|
|
<Option name="mgmt_ssh">False</Option>
|
|
<Option name="modulate_state">True</Option>
|
|
<Option name="openbsd_ip_forward">1</Option>
|
|
<Option name="output_file"></Option>
|
|
<Option name="pass_all_out">False</Option>
|
|
<Option name="pf_adaptive_end">0</Option>
|
|
<Option name="pf_adaptive_start">0</Option>
|
|
<Option name="pf_do_limit_frags">False</Option>
|
|
<Option name="pf_do_limit_states">False</Option>
|
|
<Option name="pf_do_scrub">False</Option>
|
|
<Option name="pf_do_timeout_frag">False</Option>
|
|
<Option name="pf_do_timeout_interval">False</Option>
|
|
<Option name="pf_icmp_error">0</Option>
|
|
<Option name="pf_icmp_first">0</Option>
|
|
<Option name="pf_limit_frags">5000</Option>
|
|
<Option name="pf_limit_states">10000</Option>
|
|
<Option name="pf_optimization"></Option>
|
|
<Option name="pf_other_first">0</Option>
|
|
<Option name="pf_other_multiple">0</Option>
|
|
<Option name="pf_other_single">0</Option>
|
|
<Option name="pf_scrub_fragm_crop">False</Option>
|
|
<Option name="pf_scrub_fragm_drop_ovl">False</Option>
|
|
<Option name="pf_scrub_maxmss">1460</Option>
|
|
<Option name="pf_scrub_minttl">0</Option>
|
|
<Option name="pf_scrub_no_df">False</Option>
|
|
<Option name="pf_scrub_random_id">False</Option>
|
|
<Option name="pf_scrub_reassemble">True</Option>
|
|
<Option name="pf_scrub_use_maxmss">False</Option>
|
|
<Option name="pf_scrub_use_minttl">False</Option>
|
|
<Option name="pf_set_adaptive">False</Option>
|
|
<Option name="pf_set_icmp_error">False</Option>
|
|
<Option name="pf_set_icmp_first">False</Option>
|
|
<Option name="pf_set_other_first">False</Option>
|
|
<Option name="pf_set_other_multiple">False</Option>
|
|
<Option name="pf_set_other_single">False</Option>
|
|
<Option name="pf_set_tcp_closed">False</Option>
|
|
<Option name="pf_set_tcp_closing">False</Option>
|
|
<Option name="pf_set_tcp_established">False</Option>
|
|
<Option name="pf_set_tcp_finwait">False</Option>
|
|
<Option name="pf_set_tcp_first">False</Option>
|
|
<Option name="pf_set_tcp_opening">False</Option>
|
|
<Option name="pf_set_udp_first">False</Option>
|
|
<Option name="pf_set_udp_multiple">False</Option>
|
|
<Option name="pf_set_udp_single">False</Option>
|
|
<Option name="pf_tcp_closed">0</Option>
|
|
<Option name="pf_tcp_closing">0</Option>
|
|
<Option name="pf_tcp_established">0</Option>
|
|
<Option name="pf_tcp_finwait">0</Option>
|
|
<Option name="pf_tcp_first">0</Option>
|
|
<Option name="pf_tcp_opening">0</Option>
|
|
<Option name="pf_timeout_frag">30</Option>
|
|
<Option name="pf_timeout_interval">10</Option>
|
|
<Option name="pf_udp_first">0</Option>
|
|
<Option name="pf_udp_multiple">0</Option>
|
|
<Option name="pf_udp_single">0</Option>
|
|
<Option name="pix_add_clear_statements">true</Option>
|
|
<Option name="pix_assume_fw_part_of_any">true</Option>
|
|
<Option name="pix_default_logint">300</Option>
|
|
<Option name="pix_emblem_log_format">false</Option>
|
|
<Option name="pix_emulate_out_acl">true</Option>
|
|
<Option name="pix_floodguard">true</Option>
|
|
<Option name="pix_include_comments">true</Option>
|
|
<Option name="pix_route_dnat_supported">true</Option>
|
|
<Option name="pix_rule_syslog_settings">false</Option>
|
|
<Option name="pix_security_fragguard_supported">true</Option>
|
|
<Option name="pix_syslog_device_id_supported">false</Option>
|
|
<Option name="pix_use_acl_remarks">true</Option>
|
|
<Option name="prolog_script"></Option>
|
|
<Option name="prompt1">$ </Option>
|
|
<Option name="prompt2"> # </Option>
|
|
<Option name="solaris_ip_forward">1</Option>
|
|
<Option name="sshArgs"></Option>
|
|
<Option name="ulog_nlgroup">1</Option>
|
|
<Option name="verify_interfaces">true</Option>
|
|
</FirewallOptions>
|
|
</Firewall>
|
|
<Firewall id="id58699X22951" host_OS="openbsd" inactive="False" lastCompiled="1321910391" lastInstalled="1271995582" lastModified="1321921833" platform="pf" version="4.7" name="firewall93" comment="testing option “preserve group and addresses table object names”" ro="False">
|
|
<NAT id="id58860X22951" name="NAT" comment="" ro="False" ipv4_rule_set="False" ipv6_rule_set="False" top_rule_set="True">
|
|
<NATRule id="id58862X22951" disabled="False" group="" position="0" action="Translate" comment="">
|
|
<OSrc neg="False">
|
|
<ObjectRef ref="id22061X58767"/>
|
|
</OSrc>
|
|
<ODst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ODst>
|
|
<OSrv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</OSrv>
|
|
<TSrc neg="False">
|
|
<ObjectRef ref="id58707X22951"/>
|
|
</TSrc>
|
|
<TDst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</TDst>
|
|
<TSrv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</TSrv>
|
|
<ItfInb neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ItfInb>
|
|
<ItfOutb neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ItfOutb>
|
|
<NATRuleOptions/>
|
|
</NATRule>
|
|
<RuleSetOptions/>
|
|
</NAT>
|
|
<Policy id="id58717X22951" name="Policy" comment="" ro="False" ipv4_rule_set="True" ipv6_rule_set="True" top_rule_set="True">
|
|
<PolicyRule id="id58719X22951" disabled="False" group="" log="False" position="0" action="Accept" direction="Both" comment="">
|
|
<Src neg="False">
|
|
<ObjectRef ref="id79551X23273"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="id58699X22951"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="tcp-SSH"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="pf_classify_str"></Option>
|
|
<Option name="stateless">False</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<PolicyRule id="id58747X22951" disabled="False" group="" log="False" position="1" action="Accept" direction="Both" comment="">
|
|
<Src neg="False">
|
|
<ObjectRef ref="id59240X22951"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="pf_classify_str"></Option>
|
|
<Option name="stateless">False</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<PolicyRule id="id60209X22951" disabled="False" group="" log="False" position="2" action="Accept" direction="Both" comment="see #2671">
|
|
<Src neg="False">
|
|
<ObjectRef ref="id59240X22951"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="id3B5009F7"/>
|
|
<ServiceRef ref="id80157X23273"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="pf_classify_str"></Option>
|
|
<Option name="stateless">False</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<PolicyRule id="id59336X22951" disabled="False" group="" log="False" position="3" action="Accept" direction="Both" comment="using the same group second time, objects should not get duplicated in the generated table. See #2671">
|
|
<Src neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="id59240X22951"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="pf_classify_str"></Option>
|
|
<Option name="stateless">False</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<PolicyRule id="id59392X22951" disabled="False" group="" log="False" position="4" action="Accept" direction="Both" comment="just one object in the group">
|
|
<Src neg="False">
|
|
<ObjectRef ref="id59256X22951"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="pf_classify_str"></Option>
|
|
<Option name="stateless">False</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<PolicyRule id="id59491X22951" disabled="False" group="" log="False" position="5" action="Accept" direction="Both" comment="object a-192.168.1.10 is a member of at least two groups used in this rule">
|
|
<Src neg="False">
|
|
<ObjectRef ref="id59240X22951"/>
|
|
<ObjectRef ref="id59256X22951"/>
|
|
<ObjectRef ref="id60030X22951"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="pf_classify_str"></Option>
|
|
<Option name="stateless">False</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<PolicyRule id="id60089X22951" disabled="False" group="" log="False" position="6" action="Accept" direction="Both" comment="the same rule, same objects as rule 3, but different group with the same objects">
|
|
<Src neg="False">
|
|
<ObjectRef ref="id60070X22951"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="stateless">False</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<PolicyRule id="id60043X22951" disabled="False" group="" log="False" position="7" action="Deny" direction="Inbound" comment="">
|
|
<Src neg="False">
|
|
<ObjectRef ref="id60030X22951"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="stateless">True</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<PolicyRule id="id59548X22951" disabled="False" group="" log="False" position="8" action="Accept" direction="Both" comment="group uses address table object">
|
|
<Src neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="id59274X22951"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="stateless">False</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<PolicyRule id="id59757X22951" disabled="False" group="" log="False" position="9" action="Deny" direction="Inbound" comment="">
|
|
<Src neg="False">
|
|
<ObjectRef ref="id59769X22951"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="color">#7694C0</Option>
|
|
<Option name="stateless">True</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<PolicyRule id="id59823X22951" disabled="False" group="" log="False" position="10" action="Deny" direction="Inbound" comment="the same group second time, check for duplicates. See #2671">
|
|
<Src neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="id59769X22951"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="color">#7694C0</Option>
|
|
<Option name="stateless">True</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<PolicyRule id="id59971X22951" disabled="False" group="" log="False" position="11" action="Deny" direction="Inbound" comment="">
|
|
<Src neg="False">
|
|
<ObjectRef ref="id59939X22951"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="color">#A37EC0</Option>
|
|
<Option name="stateless">True</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<RuleSetOptions/>
|
|
</Policy>
|
|
<Routing id="id59121X22951" name="Routing" comment="" ro="False" ipv4_rule_set="False" ipv6_rule_set="False" top_rule_set="True">
|
|
<RuleSetOptions/>
|
|
</Routing>
|
|
<Interface id="id58707X22951" dedicated_failover="False" dyn="False" label="" mgmt="True" security_level="100" unnum="False" unprotected="False" name="em0" comment="" ro="False">
|
|
<IPv4 id="id58710X22951" name="firewall93:em0:ip" comment="" ro="False" address="10.3.14.81" netmask="255.255.255.0"/>
|
|
<InterfaceOptions/>
|
|
</Interface>
|
|
<Interface id="id58712X22951" dedicated_failover="False" dyn="False" label="" security_level="100" unnum="False" unprotected="False" name="em1" comment="" ro="False">
|
|
<IPv4 id="id58715X22951" name="firewall93:em1:ip" comment="" ro="False" address="10.1.1.81" netmask="255.255.255.0"/>
|
|
<InterfaceOptions/>
|
|
</Interface>
|
|
<Management address="0.0.0.0">
|
|
<SNMPManagement enabled="False" snmp_read_community="" snmp_write_community=""/>
|
|
<FWBDManagement enabled="False" identity="" port="-1"/>
|
|
<PolicyInstallScript arguments="" command="" enabled="False"/>
|
|
</Management>
|
|
<FirewallOptions>
|
|
<Option name="accept_new_tcp_with_no_syn">False</Option>
|
|
<Option name="activationCmd"></Option>
|
|
<Option name="admUser">root</Option>
|
|
<Option name="altAddress"></Option>
|
|
<Option name="check_shading">False</Option>
|
|
<Option name="cmdline">-xt</Option>
|
|
<Option name="compiler"></Option>
|
|
<Option name="conf1_file"></Option>
|
|
<Option name="conf_file_name_on_firewall">/etc/fw/path with space/pf.conf</Option>
|
|
<Option name="configure_bridge_interfaces">False</Option>
|
|
<Option name="configure_carp_interfaces">False</Option>
|
|
<Option name="configure_interfaces">True</Option>
|
|
<Option name="configure_pfsync_interfaces">False</Option>
|
|
<Option name="configure_vlan_interfaces">False</Option>
|
|
<Option name="debug">False</Option>
|
|
<Option name="epilog_script"></Option>
|
|
<Option name="fallback_log">False</Option>
|
|
<Option name="firewall_dir">/etc</Option>
|
|
<Option name="generate_rc_conf_file">False</Option>
|
|
<Option name="generate_shell_script">True</Option>
|
|
<Option name="ignore_empty_groups">False</Option>
|
|
<Option name="in_out_code">true</Option>
|
|
<Option name="ipv4_6_order">ipv4_first</Option>
|
|
<Option name="log_prefix">RULE %N -- %A</Option>
|
|
<Option name="loopback_interface">lo0</Option>
|
|
<Option name="manage_virtual_addr">True</Option>
|
|
<Option name="mgmt_addr">10.3.14.30</Option>
|
|
<Option name="mgmt_ssh">True</Option>
|
|
<Option name="openbsd_ip_forward">1</Option>
|
|
<Option name="output_file"></Option>
|
|
<Option name="pass_all_out">false</Option>
|
|
<Option name="pf_adaptive_end">0</Option>
|
|
<Option name="pf_adaptive_start">0</Option>
|
|
<Option name="pf_block_policy"></Option>
|
|
<Option name="pf_do_limit_frags">False</Option>
|
|
<Option name="pf_do_limit_src_nodes">False</Option>
|
|
<Option name="pf_do_limit_states">False</Option>
|
|
<Option name="pf_do_limit_table_entries">False</Option>
|
|
<Option name="pf_do_limit_tables">False</Option>
|
|
<Option name="pf_do_scrub">True</Option>
|
|
<Option name="pf_do_timeout_frag">False</Option>
|
|
<Option name="pf_do_timeout_interval">False</Option>
|
|
<Option name="pf_flush_states">False</Option>
|
|
<Option name="pf_icmp_error">0</Option>
|
|
<Option name="pf_icmp_first">0</Option>
|
|
<Option name="pf_limit_frags">5000</Option>
|
|
<Option name="pf_limit_src_nodes">0</Option>
|
|
<Option name="pf_limit_states">10000</Option>
|
|
<Option name="pf_limit_table_entries">0</Option>
|
|
<Option name="pf_limit_tables">0</Option>
|
|
<Option name="pf_modulate_state">False</Option>
|
|
<Option name="pf_optimization"></Option>
|
|
<Option name="pf_other_first">0</Option>
|
|
<Option name="pf_other_multiple">0</Option>
|
|
<Option name="pf_other_single">0</Option>
|
|
<Option name="pf_scrub_fragm_crop">False</Option>
|
|
<Option name="pf_scrub_fragm_drop_ovl">False</Option>
|
|
<Option name="pf_scrub_maxmss">1460</Option>
|
|
<Option name="pf_scrub_minttl">1</Option>
|
|
<Option name="pf_scrub_no_df">True</Option>
|
|
<Option name="pf_scrub_random_id">True</Option>
|
|
<Option name="pf_scrub_reassemble">False</Option>
|
|
<Option name="pf_scrub_reassemble_tcp">True</Option>
|
|
<Option name="pf_scrub_use_maxmss">True</Option>
|
|
<Option name="pf_scrub_use_minttl">True</Option>
|
|
<Option name="pf_set_adaptive">False</Option>
|
|
<Option name="pf_set_debug"></Option>
|
|
<Option name="pf_set_icmp_error">False</Option>
|
|
<Option name="pf_set_icmp_first">False</Option>
|
|
<Option name="pf_set_other_first">False</Option>
|
|
<Option name="pf_set_other_multiple">False</Option>
|
|
<Option name="pf_set_other_single">False</Option>
|
|
<Option name="pf_set_tcp_closed">False</Option>
|
|
<Option name="pf_set_tcp_closing">False</Option>
|
|
<Option name="pf_set_tcp_established">False</Option>
|
|
<Option name="pf_set_tcp_finwait">False</Option>
|
|
<Option name="pf_set_tcp_first">False</Option>
|
|
<Option name="pf_set_tcp_opening">False</Option>
|
|
<Option name="pf_set_udp_first">False</Option>
|
|
<Option name="pf_set_udp_multiple">False</Option>
|
|
<Option name="pf_set_udp_single">True</Option>
|
|
<Option name="pf_state_policy"></Option>
|
|
<Option name="pf_tcp_closed">0</Option>
|
|
<Option name="pf_tcp_closing">0</Option>
|
|
<Option name="pf_tcp_established">0</Option>
|
|
<Option name="pf_tcp_finwait">0</Option>
|
|
<Option name="pf_tcp_first">0</Option>
|
|
<Option name="pf_tcp_opening">0</Option>
|
|
<Option name="pf_timeout_frag">30</Option>
|
|
<Option name="pf_timeout_interval">10</Option>
|
|
<Option name="pf_udp_first">0</Option>
|
|
<Option name="pf_udp_multiple">0</Option>
|
|
<Option name="pf_udp_single">5</Option>
|
|
<Option name="preserve_group_names">True</Option>
|
|
<Option name="prolog_place">fw_file</Option>
|
|
<Option name="prolog_script"></Option>
|
|
<Option name="scpArgs"></Option>
|
|
<Option name="script_name_on_firewall">/etc/fw/pf.fw</Option>
|
|
<Option name="sshArgs"></Option>
|
|
</FirewallOptions>
|
|
</Firewall>
|
|
</ObjectGroup>
|
|
<IntervalGroup id="stdid11_1" name="Time" comment="" ro="False"/>
|
|
</Library>
|
|
<Library id="id415276C8" color="#FFFFFF" name="lab" comment="" ro="False">
|
|
<ObjectGroup id="id415276C9_clusters" name="Clusters" comment="" ro="False"/>
|
|
<ObjectGroup id="id415276C9" name="Objects" comment="" ro="False">
|
|
<ObjectGroup id="id415276C9_og_ats_1" name="Address Tables" comment="" ro="False"/>
|
|
<ObjectGroup id="id415276CA" name="Addresses" comment="" ro="False">
|
|
<IPv4 id="id4144D59F" name="hst1" comment="" ro="False" address="10.3.14.10" netmask="255.255.255.255"/>
|
|
<IPv4 id="id4144D5A0" name="hst2" comment="" ro="False" address="10.3.14.40" netmask="255.255.255.255"/>
|
|
<IPv4 id="id119361X58767" name="h-10.1.1.1" comment="" ro="False" address="10.1.1.1" netmask="0.0.0.0"/>
|
|
</ObjectGroup>
|
|
<ObjectGroup id="id415276CB" name="Groups" comment="" ro="False"/>
|
|
<ObjectGroup id="id415276CC" name="Hosts" comment="" ro="False"/>
|
|
<ObjectGroup id="id415276CD" name="Networks" comment="" ro="False">
|
|
<Network id="id414C5C51" name="n-10.3.14" comment="" ro="False" address="10.3.14.0" netmask="255.255.255.0"/>
|
|
<Network id="id414C70BE" name="labnet" comment="" ro="False" address="10.1.1.0" netmask="255.255.255.0"/>
|
|
<Network id="id414C7BA7" name="n-10.1.2" comment="" ro="False" address="10.1.2.0" netmask="255.255.255.0"/>
|
|
<Network id="id22061X58767" name="net-10.1.1.0" comment="" ro="False" address="10.1.1.0" netmask="255.255.255.0"/>
|
|
</ObjectGroup>
|
|
<ObjectGroup id="id415276CE" name="Address Ranges" comment="" ro="False"/>
|
|
<ObjectGroup id="id4386458B18448" name="DNS Names" comment="" ro="False"/>
|
|
</ObjectGroup>
|
|
<ServiceGroup id="id415276CF" name="Services" comment="" ro="False">
|
|
<ServiceGroup id="id415276CF_og_tag_1" name="TagServices" comment="" ro="False">
|
|
<TagService id="id4847247323126" tagcode="INTNET" name="INTNET" comment="" ro="False"/>
|
|
</ServiceGroup>
|
|
<ServiceGroup id="id415276D0" name="Groups" comment="" ro="False"/>
|
|
<ServiceGroup id="id415276D1" name="ICMP" comment="" ro="False"/>
|
|
<ServiceGroup id="id415276D2" name="IP" comment="" ro="False"/>
|
|
<ServiceGroup id="id415276D3" name="TCP" comment="" ro="False"/>
|
|
<ServiceGroup id="id415276D4" name="UDP" comment="" ro="False"/>
|
|
<ServiceGroup id="id415276D5" name="Custom" comment="" ro="False"/>
|
|
<ServiceGroup id="id415276CF_userservices" name="Users" comment="" ro="False"/>
|
|
</ServiceGroup>
|
|
<ObjectGroup id="id415276D6" name="Firewalls" comment="" ro="False">
|
|
<Firewall id="id3AF5A2BA" host_OS="openbsd" inactive="False" lastCompiled="1172032243" lastInstalled="1172032344" lastModified="1212609898" platform="pf" version="" name="labfw-openbsd" comment="firewall protects host it is running on Note that we set output file name to /tmp/labfw.fw to test what compiler is going to do (since it generates three files rather than one), as well as to test installer in this case " ro="False">
|
|
<NAT id="id3AF5A2BD" name="NAT" comment="" ro="False" ipv4_rule_set="False" ipv6_rule_set="False" top_rule_set="True">
|
|
<NATRule id="id414E693E" disabled="False" group="" position="0" action="Translate" comment="">
|
|
<OSrc neg="False">
|
|
<ObjectRef ref="id414C70BE"/>
|
|
</OSrc>
|
|
<ODst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ODst>
|
|
<OSrv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</OSrv>
|
|
<TSrc neg="False">
|
|
<ObjectRef ref="id3AF5A2CB"/>
|
|
</TSrc>
|
|
<TDst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</TDst>
|
|
<TSrv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</TSrv>
|
|
<ItfInb neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ItfInb>
|
|
<ItfOutb neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ItfOutb>
|
|
<NATRuleOptions/>
|
|
</NATRule>
|
|
<NATRule id="id414E7DF6" disabled="False" group="" position="1" action="Translate" comment="">
|
|
<OSrc neg="False">
|
|
<ObjectRef ref="id414C70BE"/>
|
|
<ObjectRef ref="id414C5C51"/>
|
|
</OSrc>
|
|
<ODst neg="False">
|
|
<ObjectRef ref="id414C5C51"/>
|
|
<ObjectRef ref="id414C70BE"/>
|
|
</ODst>
|
|
<OSrv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</OSrv>
|
|
<TSrc neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</TSrc>
|
|
<TDst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</TDst>
|
|
<TSrv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</TSrv>
|
|
<ItfInb neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ItfInb>
|
|
<ItfOutb neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ItfOutb>
|
|
<NATRuleOptions/>
|
|
</NATRule>
|
|
<RuleSetOptions/>
|
|
</NAT>
|
|
<Policy id="id3AF5A2BC" name="Policy" comment="" ro="False" ipv4_rule_set="False" ipv6_rule_set="False" top_rule_set="True">
|
|
<PolicyRule id="id48472A0C23126" disabled="False" group="" log="False" position="0" action="Continue" direction="Both" comment="">
|
|
<Src neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="action_on_reject"></Option>
|
|
<Option name="classification">False</Option>
|
|
<Option name="classify_str"></Option>
|
|
<Option name="custom_str"></Option>
|
|
<Option name="ipf_route_opt_addr"></Option>
|
|
<Option name="ipf_route_opt_if"></Option>
|
|
<Option name="ipf_route_option">route_through</Option>
|
|
<Option name="ipfw_classify_method">2</Option>
|
|
<Option name="ipfw_pipe_port_num">0</Option>
|
|
<Option name="ipfw_pipe_queue_num">0</Option>
|
|
<Option name="ipt_continue">False</Option>
|
|
<Option name="ipt_gw"></Option>
|
|
<Option name="ipt_iif"></Option>
|
|
<Option name="ipt_mark_connections">False</Option>
|
|
<Option name="ipt_oif"></Option>
|
|
<Option name="ipt_tee">False</Option>
|
|
<Option name="pf_classify_str"></Option>
|
|
<Option name="pf_fastroute">False</Option>
|
|
<Option name="pf_route_load_option">none</Option>
|
|
<Option name="pf_route_opt_addr"></Option>
|
|
<Option name="pf_route_opt_if"></Option>
|
|
<Option name="pf_route_option">route_through</Option>
|
|
<Option name="routing">False</Option>
|
|
<Option name="rule_name_accounting"></Option>
|
|
<Option name="stateless">False</Option>
|
|
<Option name="tagging">True</Option>
|
|
<Option name="tagobject_id">id4847247323126</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<PolicyRule id="id414C70C1" disabled="False" group="" log="True" position="1" action="Deny" direction="Inbound" comment="">
|
|
<Src neg="False">
|
|
<ObjectRef ref="id414C70BE"/>
|
|
<ObjectRef ref="id414C7BA7"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="id3AF5A2CB"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="pf_classify_str"></Option>
|
|
<Option name="stateless">True</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<PolicyRule id="id414C47E4" disabled="False" group="" log="True" position="2" action="Deny" direction="Outbound" comment="">
|
|
<Src neg="True">
|
|
<ObjectRef ref="id3AF5A2BA"/>
|
|
<ObjectRef ref="id414C70BE"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="id3AF5A2CB"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="pf_classify_str"></Option>
|
|
<Option name="stateless">True</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<PolicyRule id="id41441D4F" disabled="False" group="" log="False" position="3" action="Accept" direction="Both" comment="">
|
|
<Src neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="id3AFB7090"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="pf_classify_str"></Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<PolicyRule id="id445E76C726850" disabled="False" group="" log="False" position="4" action="Branch" direction="Inbound" comment="">
|
|
<Src neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="id3AF5A2BA"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="id3AF5A2CB"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="branch_name">rule3_branch</Option>
|
|
<Option name="color">#C0BA44</Option>
|
|
<Option name="pf_classify_str"></Option>
|
|
<Option name="stateless">True</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<PolicyRule id="id414E7E0E" disabled="False" group="" log="False" position="5" action="Accept" direction="Both" comment="">
|
|
<Src neg="False">
|
|
<ObjectRef ref="id414C5C51"/>
|
|
<ObjectRef ref="id414C70BE"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="id414C70BE"/>
|
|
<ObjectRef ref="id414C5C51"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="pf_classify_str"></Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<PolicyRule id="id3AF5A757" disabled="False" group="" log="False" position="6" action="Accept" direction="Both" comment="allow all outgoing connections">
|
|
<Src neg="False">
|
|
<ObjectRef ref="id3AF5A2BA"/>
|
|
<ObjectRef ref="id414C70BE"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="pf_classify_str"></Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<PolicyRule id="id3AF5A762" disabled="False" group="" log="True" position="7" action="Deny" direction="Both" comment="'catch all' rule">
|
|
<Src neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="pf_classify_str"></Option>
|
|
<Option name="stateless">True</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<RuleSetOptions/>
|
|
</Policy>
|
|
<Policy id="id445E76D326850" name="rule3_branch" comment="" ro="False" ipv4_rule_set="False" ipv6_rule_set="False" top_rule_set="False">
|
|
<PolicyRule id="id445E77D326850" disabled="False" group="" log="True" position="0" action="Deny" direction="Both" comment="block fragments">
|
|
<Src neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="id3AF5A2BA"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="ip-IP_Fragments"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="pf_classify_str"></Option>
|
|
<Option name="stateless">True</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<PolicyRule id="id445E77BB26850" disabled="False" group="" log="False" position="1" action="Accept" direction="Both" comment="">
|
|
<Src neg="True">
|
|
<ObjectRef ref="id4144D59F"/>
|
|
<ObjectRef ref="id4144D5A0"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="id3AF5A2BA"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="tcp-SMTP"/>
|
|
<ServiceRef ref="tcp-HTTP"/>
|
|
<ServiceRef ref="tcp-SSH"/>
|
|
<ServiceRef ref="tcp-FTP"/>
|
|
<ServiceRef ref="tcp-Telnet"/>
|
|
<ServiceRef ref="icmp-Unreachables"/>
|
|
<ServiceRef ref="icmp-ping_request"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="pf_classify_str"></Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<RuleSetOptions/>
|
|
</Policy>
|
|
<Routing id="id3AF5A2BA-routing" name="Routing" comment="" ro="False" ipv4_rule_set="False" ipv6_rule_set="False" top_rule_set="True">
|
|
<RuleSetOptions/>
|
|
</Routing>
|
|
<Interface id="id3AF5A2CB" dedicated_failover="False" dyn="False" label="" mgmt="True" security_level="0" unnum="False" unprotected="False" name="pcn0" comment="" ro="False">
|
|
<IPv4 id="id3AF5A2CB-ipv4" name="labfw-openbsd:pcn0:ip" comment="" ro="False" address="10.3.14.120" netmask="255.255.255.0"/>
|
|
<InterfaceOptions/>
|
|
</Interface>
|
|
<Interface id="id3AFB7090" dedicated_failover="False" dyn="False" security_level="100" unnum="False" unprotected="False" name="lo" comment="" ro="False">
|
|
<IPv4 id="id3AFB7090-ipv4" name="labfw-openbsd:lo:ip" comment="" ro="False" address="127.0.0.1" netmask="255.0.0.0"/>
|
|
<InterfaceOptions/>
|
|
</Interface>
|
|
<Interface id="id414C70BB" dedicated_failover="False" dyn="False" label="" mgmt="False" security_level="100" unnum="False" unprotected="False" name="pcn1" comment="" ro="False">
|
|
<IPv4 id="id414C70BD" name="labfw-openbsd:pcn1:ip" comment="" ro="False" address="10.1.1.1" netmask="255.255.255.0"/>
|
|
<InterfaceOptions/>
|
|
</Interface>
|
|
<Management address="10.3.14.120">
|
|
<SNMPManagement enabled="False" snmp_read_community="public" snmp_write_community=""/>
|
|
<FWBDManagement enabled="True" identity="" port="9999"/>
|
|
<PolicyInstallScript arguments="" command="" enabled="False"/>
|
|
</Management>
|
|
<FirewallOptions>
|
|
<Option name="accept_established">True</Option>
|
|
<Option name="accept_new_tcp_with_no_syn">True</Option>
|
|
<Option name="action_on_reject">ICMP host prohibited</Option>
|
|
<Option name="activationCmd"></Option>
|
|
<Option name="admUser">root</Option>
|
|
<Option name="altAddress">labfw</Option>
|
|
<Option name="check_shading">True</Option>
|
|
<Option name="clamp_mss_to_mtu">False</Option>
|
|
<Option name="cmdline"></Option>
|
|
<Option name="compiler"></Option>
|
|
<Option name="configure_interfaces">False</Option>
|
|
<Option name="debug">False</Option>
|
|
<Option name="dyn_addr">False</Option>
|
|
<Option name="epilog_script"></Option>
|
|
<Option name="fallback_log">False</Option>
|
|
<Option name="firewall_dir">/etc/fw</Option>
|
|
<Option name="firewall_is_part_of_any">True</Option>
|
|
<Option name="firewall_is_part_of_any_and_networks">True</Option>
|
|
<Option name="ignore_empty_groups">False</Option>
|
|
<Option name="in_out_code">True</Option>
|
|
<Option name="inst_cmdline"></Option>
|
|
<Option name="inst_script"></Option>
|
|
<Option name="install_script"></Option>
|
|
<Option name="limit_suffix">/day</Option>
|
|
<Option name="limit_value">0</Option>
|
|
<Option name="linux24_ip_forward">0</Option>
|
|
<Option name="linux24_tcp_fin_timeout">30</Option>
|
|
<Option name="linux24_tcp_keepalive_interval">1800</Option>
|
|
<Option name="load_modules">False</Option>
|
|
<Option name="log_all_dropped">False</Option>
|
|
<Option name="log_ip_opt">False</Option>
|
|
<Option name="log_level">debug</Option>
|
|
<Option name="log_limit_suffix"></Option>
|
|
<Option name="log_limit_value">0</Option>
|
|
<Option name="log_prefix"></Option>
|
|
<Option name="log_tcp_opt">False</Option>
|
|
<Option name="log_tcp_seq">False</Option>
|
|
<Option name="manage_virtual_addr">False</Option>
|
|
<Option name="mgmt_addr">10.3.14.40</Option>
|
|
<Option name="mgmt_ssh">True</Option>
|
|
<Option name="modulate_state">False</Option>
|
|
<Option name="no_iochains_for_any">False</Option>
|
|
<Option name="no_optimisation">False</Option>
|
|
<Option name="openbsd_ip_directed_broadcast"></Option>
|
|
<Option name="openbsd_ip_forward">1</Option>
|
|
<Option name="openbsd_ip_redirect"></Option>
|
|
<Option name="openbsd_ip_sourceroute"></Option>
|
|
<Option name="openbsd_path_pfctl"></Option>
|
|
<Option name="openbsd_path_sysctl"></Option>
|
|
<Option name="output_file"></Option>
|
|
<Option name="pass_all_out">False</Option>
|
|
<Option name="pf_adaptive_end">0</Option>
|
|
<Option name="pf_adaptive_start">0</Option>
|
|
<Option name="pf_do_limit_frags">False</Option>
|
|
<Option name="pf_do_limit_states">False</Option>
|
|
<Option name="pf_do_scrub">True</Option>
|
|
<Option name="pf_do_timeout_frag">False</Option>
|
|
<Option name="pf_do_timeout_interval">False</Option>
|
|
<Option name="pf_icmp_error">0</Option>
|
|
<Option name="pf_icmp_first">0</Option>
|
|
<Option name="pf_limit_frags">5000</Option>
|
|
<Option name="pf_limit_states">10000</Option>
|
|
<Option name="pf_optimization"></Option>
|
|
<Option name="pf_other_first">0</Option>
|
|
<Option name="pf_other_multiple">0</Option>
|
|
<Option name="pf_other_single">0</Option>
|
|
<Option name="pf_scrub_fragm_crop">False</Option>
|
|
<Option name="pf_scrub_fragm_drop_ovl">False</Option>
|
|
<Option name="pf_scrub_maxmss">1460</Option>
|
|
<Option name="pf_scrub_minttl">1</Option>
|
|
<Option name="pf_scrub_no_df">False</Option>
|
|
<Option name="pf_scrub_random_id">False</Option>
|
|
<Option name="pf_scrub_reassemble">True</Option>
|
|
<Option name="pf_scrub_use_maxmss">False</Option>
|
|
<Option name="pf_scrub_use_minttl">False</Option>
|
|
<Option name="pf_set_adaptive">False</Option>
|
|
<Option name="pf_set_icmp_error">False</Option>
|
|
<Option name="pf_set_icmp_first">False</Option>
|
|
<Option name="pf_set_other_first">False</Option>
|
|
<Option name="pf_set_other_multiple">False</Option>
|
|
<Option name="pf_set_other_single">False</Option>
|
|
<Option name="pf_set_tcp_closed">False</Option>
|
|
<Option name="pf_set_tcp_closing">False</Option>
|
|
<Option name="pf_set_tcp_established">False</Option>
|
|
<Option name="pf_set_tcp_finwait">False</Option>
|
|
<Option name="pf_set_tcp_first">False</Option>
|
|
<Option name="pf_set_tcp_opening">False</Option>
|
|
<Option name="pf_set_udp_first">False</Option>
|
|
<Option name="pf_set_udp_multiple">False</Option>
|
|
<Option name="pf_set_udp_single">False</Option>
|
|
<Option name="pf_tcp_closed">0</Option>
|
|
<Option name="pf_tcp_closing">0</Option>
|
|
<Option name="pf_tcp_established">0</Option>
|
|
<Option name="pf_tcp_finwait">0</Option>
|
|
<Option name="pf_tcp_first">0</Option>
|
|
<Option name="pf_tcp_opening">0</Option>
|
|
<Option name="pf_timeout_frag">30</Option>
|
|
<Option name="pf_timeout_interval">10</Option>
|
|
<Option name="pf_udp_first">0</Option>
|
|
<Option name="pf_udp_multiple">0</Option>
|
|
<Option name="pf_udp_single">0</Option>
|
|
<Option name="platform">iptables</Option>
|
|
<Option name="prolog_place">fw_file</Option>
|
|
<Option name="prolog_script"></Option>
|
|
<Option name="script_env_path"></Option>
|
|
<Option name="snmp_contact"></Option>
|
|
<Option name="snmp_description"></Option>
|
|
<Option name="snmp_location"></Option>
|
|
<Option name="sshArgs"></Option>
|
|
<Option name="use_ip_tool">False</Option>
|
|
<Option name="use_numeric_log_levels">False</Option>
|
|
<Option name="use_tables">True</Option>
|
|
</FirewallOptions>
|
|
</Firewall>
|
|
<Firewall id="id42B5D8FC" host_OS="freebsd" inactive="True" lastCompiled="1157930826" lastInstalled="0" lastModified="1147032998" platform="pf" version="" name="labfw-fbsd" comment="" ro="False">
|
|
<NAT id="id42B5D93E" name="NAT" comment="" ro="False" ipv4_rule_set="False" ipv6_rule_set="False" top_rule_set="True">
|
|
<NATRule id="id42B5D93F" disabled="False" group="" position="0" action="Translate" comment="">
|
|
<OSrc neg="False">
|
|
<ObjectRef ref="id414C70BE"/>
|
|
</OSrc>
|
|
<ODst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ODst>
|
|
<OSrv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</OSrv>
|
|
<TSrc neg="False">
|
|
<ObjectRef ref="id42B5D95D"/>
|
|
</TSrc>
|
|
<TDst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</TDst>
|
|
<TSrv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</TSrv>
|
|
<ItfInb neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ItfInb>
|
|
<ItfOutb neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ItfOutb>
|
|
<NATRuleOptions/>
|
|
</NATRule>
|
|
<RuleSetOptions/>
|
|
</NAT>
|
|
<Policy id="id42B5D901" name="Policy" comment="" ro="False" ipv4_rule_set="False" ipv6_rule_set="False" top_rule_set="True">
|
|
<PolicyRule id="id42B5D977" disabled="False" group="" log="True" position="0" action="Deny" direction="Inbound" comment="">
|
|
<Src neg="False">
|
|
<ObjectRef ref="id414C70BE"/>
|
|
<ObjectRef ref="id42B5D8FC"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="id42B5D95D"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="pf_classify_str"></Option>
|
|
<Option name="stateless">True</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<PolicyRule id="id42B5D982" disabled="False" group="" log="True" position="1" action="Deny" direction="Outbound" comment="">
|
|
<Src neg="True">
|
|
<ObjectRef ref="id42B5D8FC"/>
|
|
<ObjectRef ref="id414C70BE"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="id42B5D95D"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="pf_classify_str"></Option>
|
|
<Option name="stateless">True</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<PolicyRule id="id42B5D99C" disabled="False" group="" log="False" position="2" action="Accept" direction="Both" comment="">
|
|
<Src neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="id42B5D98E"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="pf_classify_str"></Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<PolicyRule id="id42B5D902" disabled="False" group="" log="True" position="3" action="Deny" direction="Both" comment="block fragments">
|
|
<Src neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="id42B5D8FC"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="ip-IP_Fragments"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="pf_classify_str"></Option>
|
|
<Option name="stateless">True</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<PolicyRule id="id42B5D929" disabled="False" group="" log="False" position="4" action="Accept" direction="Both" comment="need this because PF consults policy rules after nat as well">
|
|
<Src neg="False">
|
|
<ObjectRef ref="id42B5D8FC"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="pf_classify_str"></Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<PolicyRule id="id42B612DC" disabled="False" group="" log="False" position="5" action="Accept" direction="Both" comment="allow all outgoing connections">
|
|
<Src neg="False">
|
|
<ObjectRef ref="id414C70BE"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="pf_classify_str"></Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<PolicyRule id="id42B5D934" disabled="False" group="" log="True" position="6" action="Deny" direction="Both" comment="'catch all' rule">
|
|
<Src neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="pf_classify_str"></Option>
|
|
<Option name="stateless">True</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<RuleSetOptions/>
|
|
</Policy>
|
|
<Routing id="id42B5D8FC-routing" name="Routing" comment="" ro="False" ipv4_rule_set="False" ipv6_rule_set="False" top_rule_set="True">
|
|
<RuleSetOptions/>
|
|
</Routing>
|
|
<Interface id="id42B5D95D" dedicated_failover="False" dyn="False" label="" mgmt="True" security_level="0" unnum="False" unprotected="False" name="lnc0" comment="" ro="False">
|
|
<IPv4 id="id42B5D98D" name="labfw-fbsd:lnc0:ip" comment="" ro="False" address="10.3.14.121" netmask="255.255.255.0"/>
|
|
<InterfaceOptions/>
|
|
</Interface>
|
|
<Interface id="id42B5D98E" dedicated_failover="False" dyn="False" label="" mgmt="False" security_level="100" unnum="False" unprotected="False" name="lo0" comment="" ro="False">
|
|
<IPv4 id="id42B5D9A6" name="labfw-fbsd:lo0:ip" comment="" ro="False" address="127.0.0.1" netmask="255.0.0.0"/>
|
|
<InterfaceOptions/>
|
|
</Interface>
|
|
<Interface id="id42B5D9A7" dedicated_failover="False" dyn="False" label="" mgmt="False" security_level="100" unnum="False" unprotected="False" name="lnc1" comment="" ro="False">
|
|
<IPv4 id="id42B5D9AB" name="labfw-fbsd:lnc1:ip" comment="" ro="False" address="10.1.1.1" netmask="255.255.255.0"/>
|
|
<InterfaceOptions/>
|
|
</Interface>
|
|
<Management address="10.3.14.121">
|
|
<SNMPManagement enabled="False" snmp_read_community="public" snmp_write_community=""/>
|
|
<FWBDManagement enabled="True" identity="" port="9999"/>
|
|
<PolicyInstallScript arguments="" command="" enabled="False"/>
|
|
</Management>
|
|
<FirewallOptions>
|
|
<Option name="accept_established">True</Option>
|
|
<Option name="accept_new_tcp_with_no_syn">True</Option>
|
|
<Option name="action_on_reject">ICMP host prohibited</Option>
|
|
<Option name="activationCmd"></Option>
|
|
<Option name="admUser">root</Option>
|
|
<Option name="altAddress">10.3.14.121</Option>
|
|
<Option name="check_shading">True</Option>
|
|
<Option name="clamp_mss_to_mtu">False</Option>
|
|
<Option name="cmdline"></Option>
|
|
<Option name="compiler"></Option>
|
|
<Option name="configure_interfaces">False</Option>
|
|
<Option name="debug">False</Option>
|
|
<Option name="dyn_addr">False</Option>
|
|
<Option name="epilog_script"></Option>
|
|
<Option name="fallback_log">False</Option>
|
|
<Option name="firewall_dir">/etc/fw</Option>
|
|
<Option name="firewall_is_part_of_any">True</Option>
|
|
<Option name="firewall_is_part_of_any_and_networks">True</Option>
|
|
<Option name="freebsd_ip_forward">1</Option>
|
|
<Option name="freebsd_ip_redirect"></Option>
|
|
<Option name="freebsd_ip_sourceroute"></Option>
|
|
<Option name="freebsd_path_ipf"></Option>
|
|
<Option name="freebsd_path_ipfw"></Option>
|
|
<Option name="freebsd_path_ipnat"></Option>
|
|
<Option name="freebsd_path_sysctl"></Option>
|
|
<Option name="ignore_empty_groups">False</Option>
|
|
<Option name="in_out_code">True</Option>
|
|
<Option name="inst_cmdline"></Option>
|
|
<Option name="inst_script"></Option>
|
|
<Option name="install_script"></Option>
|
|
<Option name="limit_suffix">/day</Option>
|
|
<Option name="limit_value">0</Option>
|
|
<Option name="linux24_ip_forward">0</Option>
|
|
<Option name="linux24_tcp_fin_timeout">30</Option>
|
|
<Option name="linux24_tcp_keepalive_interval">1800</Option>
|
|
<Option name="load_modules">False</Option>
|
|
<Option name="log_all_dropped">False</Option>
|
|
<Option name="log_ip_opt">False</Option>
|
|
<Option name="log_level">debug</Option>
|
|
<Option name="log_limit_suffix"></Option>
|
|
<Option name="log_limit_value">0</Option>
|
|
<Option name="log_prefix"></Option>
|
|
<Option name="log_tcp_opt">False</Option>
|
|
<Option name="log_tcp_seq">False</Option>
|
|
<Option name="manage_virtual_addr">False</Option>
|
|
<Option name="mgmt_addr">10.3.14.40</Option>
|
|
<Option name="mgmt_ssh">True</Option>
|
|
<Option name="modulate_state">False</Option>
|
|
<Option name="no_iochains_for_any">False</Option>
|
|
<Option name="no_optimisation">False</Option>
|
|
<Option name="openbsd_ip_directed_broadcast"></Option>
|
|
<Option name="openbsd_ip_forward">1</Option>
|
|
<Option name="openbsd_ip_redirect"></Option>
|
|
<Option name="openbsd_ip_sourceroute"></Option>
|
|
<Option name="openbsd_path_pfctl"></Option>
|
|
<Option name="openbsd_path_sysctl"></Option>
|
|
<Option name="output_file"></Option>
|
|
<Option name="pass_all_out">False</Option>
|
|
<Option name="pf_adaptive_end">0</Option>
|
|
<Option name="pf_adaptive_start">0</Option>
|
|
<Option name="pf_do_limit_frags">False</Option>
|
|
<Option name="pf_do_limit_states">False</Option>
|
|
<Option name="pf_do_scrub">True</Option>
|
|
<Option name="pf_do_timeout_frag">False</Option>
|
|
<Option name="pf_do_timeout_interval">False</Option>
|
|
<Option name="pf_icmp_error">0</Option>
|
|
<Option name="pf_icmp_first">0</Option>
|
|
<Option name="pf_limit_frags">5000</Option>
|
|
<Option name="pf_limit_states">10000</Option>
|
|
<Option name="pf_optimization"></Option>
|
|
<Option name="pf_other_first">0</Option>
|
|
<Option name="pf_other_multiple">0</Option>
|
|
<Option name="pf_other_single">0</Option>
|
|
<Option name="pf_scrub_fragm_crop">False</Option>
|
|
<Option name="pf_scrub_fragm_drop_ovl">False</Option>
|
|
<Option name="pf_scrub_maxmss">1460</Option>
|
|
<Option name="pf_scrub_minttl">1</Option>
|
|
<Option name="pf_scrub_no_df">False</Option>
|
|
<Option name="pf_scrub_random_id">False</Option>
|
|
<Option name="pf_scrub_reassemble">True</Option>
|
|
<Option name="pf_scrub_use_maxmss">False</Option>
|
|
<Option name="pf_scrub_use_minttl">False</Option>
|
|
<Option name="pf_set_adaptive">False</Option>
|
|
<Option name="pf_set_icmp_error">False</Option>
|
|
<Option name="pf_set_icmp_first">False</Option>
|
|
<Option name="pf_set_other_first">False</Option>
|
|
<Option name="pf_set_other_multiple">False</Option>
|
|
<Option name="pf_set_other_single">False</Option>
|
|
<Option name="pf_set_tcp_closed">False</Option>
|
|
<Option name="pf_set_tcp_closing">False</Option>
|
|
<Option name="pf_set_tcp_established">False</Option>
|
|
<Option name="pf_set_tcp_finwait">False</Option>
|
|
<Option name="pf_set_tcp_first">False</Option>
|
|
<Option name="pf_set_tcp_opening">False</Option>
|
|
<Option name="pf_set_udp_first">False</Option>
|
|
<Option name="pf_set_udp_multiple">False</Option>
|
|
<Option name="pf_set_udp_single">False</Option>
|
|
<Option name="pf_tcp_closed">0</Option>
|
|
<Option name="pf_tcp_closing">0</Option>
|
|
<Option name="pf_tcp_established">0</Option>
|
|
<Option name="pf_tcp_finwait">0</Option>
|
|
<Option name="pf_tcp_first">0</Option>
|
|
<Option name="pf_tcp_opening">0</Option>
|
|
<Option name="pf_timeout_frag">30</Option>
|
|
<Option name="pf_timeout_interval">10</Option>
|
|
<Option name="pf_udp_first">0</Option>
|
|
<Option name="pf_udp_multiple">0</Option>
|
|
<Option name="pf_udp_single">0</Option>
|
|
<Option name="platform">iptables</Option>
|
|
<Option name="prolog_script"></Option>
|
|
<Option name="script_env_path"></Option>
|
|
<Option name="snmp_contact"></Option>
|
|
<Option name="snmp_description"></Option>
|
|
<Option name="snmp_location"></Option>
|
|
<Option name="sshArgs"></Option>
|
|
<Option name="use_ip_tool">False</Option>
|
|
<Option name="use_numeric_log_levels">False</Option>
|
|
<Option name="use_tables">True</Option>
|
|
</FirewallOptions>
|
|
</Firewall>
|
|
<Firewall id="id45DE9C5B2560" host_OS="openbsd" inactive="False" lastCompiled="1202683169" lastInstalled="1202683190" lastModified="1202683163" platform="pf" version="ge_3.7" name="openbsd-4.0" comment="firewall protects the host it is running on. Note that we set the output file name to /tmp/labfw.fw to test what the compiler is going to do (since it generates three files rather than one), as well as to test the installer in this case." ro="False">
|
|
<NAT id="id45DE9CDB2560" name="NAT" comment="" ro="False" ipv4_rule_set="False" ipv6_rule_set="False" top_rule_set="True">
|
|
<RuleSetOptions/>
|
|
</NAT>
|
|
<Policy id="id45DE9C612560" name="Policy" comment="" ro="False" ipv4_rule_set="False" ipv6_rule_set="False" top_rule_set="True">
|
|
<PolicyRule id="id47B0069F19082" disabled="True" group="" log="False" position="0" action="Accept" direction="Both" comment="">
|
|
<Src neg="False">
|
|
<ObjectRef ref="id4144D5A0"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="id45DE9C5B2560"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="tcp-SSH"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="pf_classify_str"></Option>
|
|
<Option name="stateless">False</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<PolicyRule id="id45DE9C6F2560" disabled="False" group="" log="True" position="1" action="Deny" direction="Outbound" comment="">
|
|
<Src neg="True">
|
|
<ObjectRef ref="id45DE9C5B2560"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="id45DE9CFB2560"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="pf_classify_str"></Option>
|
|
<Option name="stateless">True</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<PolicyRule id="id45DE9C7C2560" disabled="False" group="" log="False" position="2" action="Accept" direction="Both" comment="">
|
|
<Src neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="id45DE9CFE2560"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="pf_classify_str"></Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<PolicyRule id="id45DE9C882560" disabled="False" group="" log="False" position="3" action="Branch" direction="Inbound" comment="">
|
|
<Src neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="id45DE9C5B2560"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="id45DE9CFB2560"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="branch_name">rule3_branch</Option>
|
|
<Option name="color">#C0BA44</Option>
|
|
<Option name="pf_classify_str"></Option>
|
|
<Option name="stateless">True</Option>
</PolicyRuleOptions>
</PolicyRule>
<PolicyRule id="id45DE9CC22560" disabled="False" group="" log="False" position="4" action="Accept" direction="Both" comment="allow all outgoing connections">
<Src neg="False">
<ObjectRef ref="id45DE9C5B2560"/>
</Src>
<Dst neg="False">
<ObjectRef ref="sysid0"/>
</Dst>
<Srv neg="False">
<ServiceRef ref="sysid1"/>
</Srv>
<Itf neg="False">
<ObjectRef ref="sysid0"/>
</Itf>
<When neg="False">
<IntervalRef ref="sysid2"/>
</When>
<PolicyRuleOptions>
<Option name="pf_classify_str"></Option>
</PolicyRuleOptions>
</PolicyRule>
<PolicyRule id="id45DE9CCF2560" disabled="False" group="" log="True" position="5" action="Deny" direction="Both" comment="'catch all' rule">
<Src neg="False">
<ObjectRef ref="sysid0"/>
</Src>
<Dst neg="False">
<ObjectRef ref="sysid0"/>
</Dst>
<Srv neg="False">
<ServiceRef ref="sysid1"/>
</Srv>
<Itf neg="False">
<ObjectRef ref="sysid0"/>
</Itf>
<When neg="False">
<IntervalRef ref="sysid2"/>
</When>
<PolicyRuleOptions>
<Option name="pf_classify_str"></Option>
<Option name="stateless">True</Option>
</PolicyRuleOptions>
</PolicyRule>
<RuleSetOptions/>
</Policy>
<Policy id="id45DE9C942560" name="rule3_branch" comment="" ro="False" ipv4_rule_set="False" ipv6_rule_set="False" top_rule_set="False">
<PolicyRule id="id45DE9C952560" disabled="False" group="" log="True" position="0" action="Deny" direction="Both" comment="block fragments">
<Src neg="False">
<ObjectRef ref="sysid0"/>
</Src>
<Dst neg="False">
<ObjectRef ref="id45DE9C5B2560"/>
</Dst>
<Srv neg="False">
<ServiceRef ref="ip-IP_Fragments"/>
</Srv>
<Itf neg="False">
<ObjectRef ref="sysid0"/>
</Itf>
<When neg="False">
<IntervalRef ref="sysid2"/>
</When>
<PolicyRuleOptions>
<Option name="pf_classify_str"></Option>
<Option name="stateless">True</Option>
</PolicyRuleOptions>
</PolicyRule>
<PolicyRule id="id45DE9CA12560" disabled="False" group="" log="False" position="1" action="Accept" direction="Both" comment="">
<Src neg="True">
<ObjectRef ref="id4144D59F"/>
<ObjectRef ref="id4144D5A0"/>
</Src>
<Dst neg="False">
<ObjectRef ref="id45DE9C5B2560"/>
</Dst>
<Srv neg="False">
<ServiceRef ref="tcp-SMTP"/>
<ServiceRef ref="tcp-HTTP"/>
<ServiceRef ref="tcp-SSH"/>
<ServiceRef ref="tcp-FTP"/>
<ServiceRef ref="tcp-Telnet"/>
<ServiceRef ref="icmp-Unreachables"/>
<ServiceRef ref="icmp-ping_request"/>
</Srv>
<Itf neg="False">
<ObjectRef ref="sysid0"/>
</Itf>
<When neg="False">
<IntervalRef ref="sysid2"/>
</When>
<PolicyRuleOptions>
<Option name="pf_classify_str"></Option>
</PolicyRuleOptions>
</PolicyRule>
<RuleSetOptions/>
</Policy>
<Routing id="id45DE9CFA2560" name="Routing" comment="" ro="False" ipv4_rule_set="False" ipv6_rule_set="False" top_rule_set="True">
<RuleSetOptions/>
</Routing>
<Interface id="id45DE9CFB2560" dedicated_failover="False" dyn="False" label="" mgmt="True" security_level="0" unnum="False" unprotected="False" name="pcn0" comment="" ro="False">
<IPv4 id="id45DE9CFD2560" name="openbsd-4.0:pcn0:ip" comment="" ro="False" address="10.3.14.54" netmask="255.255.255.0"/>
<InterfaceOptions/>
</Interface>
<Interface id="id45DE9CFE2560" dedicated_failover="False" dyn="False" security_level="100" unnum="False" unprotected="False" name="lo" comment="" ro="False">
<IPv4 id="id45DE9D002560" name="openbsd-4.0:lo:ip" comment="" ro="False" address="127.0.0.1" netmask="255.0.0.0"/>
<InterfaceOptions/>
</Interface>
<Management address="10.3.14.54">
<SNMPManagement enabled="False" snmp_read_community="public" snmp_write_community=""/>
<FWBDManagement enabled="True" identity="" port="9999"/>
<PolicyInstallScript arguments="" command="" enabled="False"/>
</Management>
<FirewallOptions>
<Option name="accept_established">True</Option>
<Option name="accept_new_tcp_with_no_syn">True</Option>
<Option name="action_on_reject">ICMP host prohibited</Option>
<Option name="activationCmd"></Option>
<Option name="admUser">root</Option>
<Option name="altAddress"></Option>
<Option name="check_shading">True</Option>
<Option name="clamp_mss_to_mtu">False</Option>
<Option name="cmdline"></Option>
<Option name="compiler"></Option>
<Option name="configure_interfaces">False</Option>
<Option name="debug">True</Option>
<Option name="dyn_addr">False</Option>
<Option name="epilog_script"></Option>
<Option name="fallback_log">False</Option>
<Option name="firewall_dir">/etc/fw</Option>
<Option name="firewall_is_part_of_any">True</Option>
<Option name="firewall_is_part_of_any_and_networks">True</Option>
<Option name="ignore_empty_groups">False</Option>
<Option name="in_out_code">True</Option>
<Option name="inst_cmdline"></Option>
<Option name="inst_script"></Option>
<Option name="install_script"></Option>
<Option name="limit_suffix">/day</Option>
<Option name="limit_value">0</Option>
<Option name="linux24_ip_forward">0</Option>
<Option name="linux24_tcp_fin_timeout">30</Option>
<Option name="linux24_tcp_keepalive_interval">1800</Option>
<Option name="load_modules">False</Option>
<Option name="log_all_dropped">False</Option>
<Option name="log_ip_opt">False</Option>
<Option name="log_level">debug</Option>
<Option name="log_limit_suffix"></Option>
<Option name="log_limit_value">0</Option>
<Option name="log_prefix"></Option>
<Option name="log_tcp_opt">False</Option>
<Option name="log_tcp_seq">False</Option>
<Option name="manage_virtual_addr">False</Option>
<Option name="mgmt_addr">10.3.14.40</Option>
<Option name="mgmt_ssh">True</Option>
<Option name="modulate_state">False</Option>
<Option name="no_iochains_for_any">False</Option>
<Option name="no_optimisation">False</Option>
<Option name="openbsd_ip_directed_broadcast"></Option>
<Option name="openbsd_ip_forward">1</Option>
<Option name="openbsd_ip_redirect"></Option>
<Option name="openbsd_ip_sourceroute"></Option>
<Option name="openbsd_path_pfctl"></Option>
<Option name="openbsd_path_sysctl"></Option>
<Option name="output_file"></Option>
<Option name="pass_all_out">False</Option>
<Option name="pf_adaptive_end">0</Option>
<Option name="pf_adaptive_start">0</Option>
<Option name="pf_do_limit_frags">False</Option>
<Option name="pf_do_limit_states">False</Option>
<Option name="pf_do_scrub">True</Option>
<Option name="pf_do_timeout_frag">False</Option>
<Option name="pf_do_timeout_interval">False</Option>
<Option name="pf_icmp_error">0</Option>
<Option name="pf_icmp_first">0</Option>
<Option name="pf_limit_frags">5000</Option>
<Option name="pf_limit_states">10000</Option>
<Option name="pf_optimization"></Option>
<Option name="pf_other_first">0</Option>
<Option name="pf_other_multiple">0</Option>
<Option name="pf_other_single">0</Option>
<Option name="pf_scrub_fragm_crop">False</Option>
<Option name="pf_scrub_fragm_drop_ovl">False</Option>
<Option name="pf_scrub_maxmss">1460</Option>
<Option name="pf_scrub_minttl">1</Option>
<Option name="pf_scrub_no_df">False</Option>
<Option name="pf_scrub_random_id">False</Option>
<Option name="pf_scrub_reassemble">True</Option>
<Option name="pf_scrub_use_maxmss">False</Option>
<Option name="pf_scrub_use_minttl">False</Option>
<Option name="pf_set_adaptive">False</Option>
<Option name="pf_set_icmp_error">False</Option>
<Option name="pf_set_icmp_first">False</Option>
<Option name="pf_set_other_first">False</Option>
<Option name="pf_set_other_multiple">False</Option>
<Option name="pf_set_other_single">False</Option>
<Option name="pf_set_tcp_closed">False</Option>
<Option name="pf_set_tcp_closing">False</Option>
<Option name="pf_set_tcp_established">False</Option>
<Option name="pf_set_tcp_finwait">False</Option>
<Option name="pf_set_tcp_first">False</Option>
<Option name="pf_set_tcp_opening">False</Option>
<Option name="pf_set_udp_first">False</Option>
<Option name="pf_set_udp_multiple">False</Option>
<Option name="pf_set_udp_single">False</Option>
<Option name="pf_tcp_closed">0</Option>
<Option name="pf_tcp_closing">0</Option>
<Option name="pf_tcp_established">0</Option>
<Option name="pf_tcp_finwait">0</Option>
<Option name="pf_tcp_first">0</Option>
<Option name="pf_tcp_opening">0</Option>
<Option name="pf_timeout_frag">30</Option>
<Option name="pf_timeout_interval">10</Option>
<Option name="pf_udp_first">0</Option>
<Option name="pf_udp_multiple">0</Option>
<Option name="pf_udp_single">0</Option>
<Option name="platform">iptables</Option>
<Option name="prolog_place">fw_file</Option>
<Option name="prolog_script"></Option>
<Option name="script_env_path"></Option>
<Option name="snmp_contact"></Option>
<Option name="snmp_description"></Option>
<Option name="snmp_location"></Option>
<Option name="sshArgs"></Option>
<Option name="use_ip_tool">False</Option>
<Option name="use_numeric_log_levels">False</Option>
<Option name="use_tables">True</Option>
</FirewallOptions>
</Firewall>
<Firewall id="id47B07CD419082" host_OS="openbsd" inactive="False" lastCompiled="1262822165" lastInstalled="1255112564" lastModified="1255112550" platform="pf" version="4.x" name="openbsd-4.2" comment="This firewall protects the host it is running on. Note that we set the output file name to /tmp/labfw.fw to test what the compiler is going to do (since it generates three files rather than one), as well as to test the installer in this case." ro="False">
<NAT id="id47B07D4319082" name="NAT" comment="" ro="False" ipv4_rule_set="False" ipv6_rule_set="False" top_rule_set="True">
<RuleSetOptions/>
</NAT>
<Policy id="id47B07CDA19082" name="Policy" comment="" ro="False" ipv4_rule_set="False" ipv6_rule_set="False" top_rule_set="True">
<PolicyRule id="id47B07CDB19082" disabled="True" group="" log="False" position="0" action="Accept" direction="Both" comment="">
<Src neg="False">
<ObjectRef ref="id4144D5A0"/>
</Src>
<Dst neg="False">
<ObjectRef ref="id47B07CD419082"/>
</Dst>
<Srv neg="False">
<ServiceRef ref="tcp-SSH"/>
</Srv>
<Itf neg="False">
<ObjectRef ref="sysid0"/>
</Itf>
<When neg="False">
<IntervalRef ref="sysid2"/>
</When>
<PolicyRuleOptions>
<Option name="pf_classify_str"></Option>
<Option name="stateless">False</Option>
</PolicyRuleOptions>
</PolicyRule>
<PolicyRule id="id47B07CE719082" disabled="False" group="" log="True" position="1" action="Deny" direction="Outbound" comment="">
<Src neg="True">
<ObjectRef ref="id47B07CD419082"/>
</Src>
<Dst neg="False">
<ObjectRef ref="sysid0"/>
</Dst>
<Srv neg="False">
<ServiceRef ref="sysid1"/>
</Srv>
<Itf neg="False">
<ObjectRef ref="id47B07D4519082"/>
</Itf>
<When neg="False">
<IntervalRef ref="sysid2"/>
</When>
<PolicyRuleOptions>
<Option name="pf_classify_str"></Option>
<Option name="stateless">True</Option>
</PolicyRuleOptions>
</PolicyRule>
<PolicyRule id="id47B07CF319082" disabled="False" group="" log="False" position="2" action="Accept" direction="Both" comment="">
<Src neg="False">
<ObjectRef ref="sysid0"/>
</Src>
<Dst neg="False">
<ObjectRef ref="sysid0"/>
</Dst>
<Srv neg="False">
<ServiceRef ref="sysid1"/>
</Srv>
<Itf neg="False">
<ObjectRef ref="id47B07D4819082"/>
</Itf>
<When neg="False">
<IntervalRef ref="sysid2"/>
</When>
<PolicyRuleOptions>
<Option name="pf_classify_str"></Option>
</PolicyRuleOptions>
</PolicyRule>
<PolicyRule id="id47B07CFF19082" disabled="False" group="" log="False" position="3" action="Branch" direction="Inbound" comment="">
<Src neg="False">
<ObjectRef ref="sysid0"/>
</Src>
<Dst neg="False">
<ObjectRef ref="id47B07CD419082"/>
</Dst>
<Srv neg="False">
<ServiceRef ref="sysid1"/>
</Srv>
<Itf neg="False">
<ObjectRef ref="id47B07D4519082"/>
</Itf>
<When neg="False">
<IntervalRef ref="sysid2"/>
</When>
<PolicyRuleOptions>
<Option name="action_on_reject"></Option>
<Option name="branch_id">id47B07D0B19082</Option>
<Option name="branch_name">rule3_branch</Option>
<Option name="classify_str"></Option>
<Option name="color">#C0BA44</Option>
<Option name="custom_str"></Option>
<Option name="ipf_route_opt_addr"></Option>
<Option name="ipf_route_opt_if"></Option>
<Option name="ipf_route_option">route_through</Option>
<Option name="ipfw_classify_method">2</Option>
<Option name="ipfw_pipe_port_num">0</Option>
<Option name="ipfw_pipe_queue_num">0</Option>
<Option name="ipt_continue">False</Option>
<Option name="ipt_gw"></Option>
<Option name="ipt_iif"></Option>
<Option name="ipt_mark_connections">False</Option>
<Option name="ipt_oif"></Option>
<Option name="ipt_tee">False</Option>
<Option name="pf_classify_str"></Option>
<Option name="pf_fastroute">False</Option>
<Option name="pf_route_load_option">none</Option>
<Option name="pf_route_opt_addr"></Option>
<Option name="pf_route_opt_if"></Option>
<Option name="pf_route_option">none</Option>
<Option name="rule_name_accounting"></Option>
<Option name="stateless">True</Option>
</PolicyRuleOptions>
</PolicyRule>
<PolicyRule id="id47B07D2B19082" disabled="False" group="" log="False" position="4" action="Accept" direction="Both" comment="allow all outgoing connections">
<Src neg="False">
<ObjectRef ref="id47B07CD419082"/>
</Src>
<Dst neg="False">
<ObjectRef ref="sysid0"/>
</Dst>
<Srv neg="False">
<ServiceRef ref="sysid1"/>
</Srv>
<Itf neg="False">
<ObjectRef ref="sysid0"/>
</Itf>
<When neg="False">
<IntervalRef ref="sysid2"/>
</When>
<PolicyRuleOptions>
<Option name="pf_classify_str"></Option>
</PolicyRuleOptions>
</PolicyRule>
<PolicyRule id="id47B07D3719082" disabled="False" group="" log="True" position="5" action="Deny" direction="Both" comment="'catch all' rule">
<Src neg="False">
<ObjectRef ref="sysid0"/>
</Src>
<Dst neg="False">
<ObjectRef ref="sysid0"/>
</Dst>
<Srv neg="False">
<ServiceRef ref="sysid1"/>
</Srv>
<Itf neg="False">
<ObjectRef ref="sysid0"/>
</Itf>
<When neg="False">
<IntervalRef ref="sysid2"/>
</When>
<PolicyRuleOptions>
<Option name="pf_classify_str"></Option>
<Option name="stateless">True</Option>
</PolicyRuleOptions>
</PolicyRule>
<RuleSetOptions/>
</Policy>
<Policy id="id47B07D0B19082" name="rule3_branch" comment="" ro="False" ipv4_rule_set="False" ipv6_rule_set="False" top_rule_set="False">
<PolicyRule id="id47B07D0C19082" disabled="False" group="" log="True" position="0" action="Deny" direction="Both" comment="block fragments">
<Src neg="False">
<ObjectRef ref="sysid0"/>
</Src>
<Dst neg="False">
<ObjectRef ref="id47B07CD419082"/>
</Dst>
<Srv neg="False">
<ServiceRef ref="ip-IP_Fragments"/>
</Srv>
<Itf neg="False">
<ObjectRef ref="sysid0"/>
</Itf>
<When neg="False">
<IntervalRef ref="sysid2"/>
</When>
<PolicyRuleOptions>
<Option name="pf_classify_str"></Option>
<Option name="stateless">True</Option>
</PolicyRuleOptions>
</PolicyRule>
<PolicyRule id="id47B07D1819082" disabled="False" group="" log="False" position="1" action="Accept" direction="Both" comment="">
<Src neg="True">
<ObjectRef ref="id4144D59F"/>
<ObjectRef ref="id4144D5A0"/>
</Src>
<Dst neg="False">
<ObjectRef ref="id47B07CD419082"/>
</Dst>
<Srv neg="False">
<ServiceRef ref="tcp-SMTP"/>
<ServiceRef ref="tcp-HTTP"/>
<ServiceRef ref="tcp-SSH"/>
<ServiceRef ref="tcp-FTP"/>
<ServiceRef ref="tcp-Telnet"/>
<ServiceRef ref="icmp-Unreachables"/>
<ServiceRef ref="icmp-ping_request"/>
</Srv>
<Itf neg="False">
<ObjectRef ref="sysid0"/>
</Itf>
<When neg="False">
<IntervalRef ref="sysid2"/>
</When>
<PolicyRuleOptions>
<Option name="pf_classify_str"></Option>
</PolicyRuleOptions>
</PolicyRule>
<RuleSetOptions/>
</Policy>
<Routing id="id47B07D4419082" name="Routing" comment="" ro="False" ipv4_rule_set="False" ipv6_rule_set="False" top_rule_set="True">
<RuleSetOptions/>
</Routing>
<Interface id="id47B07D4519082" dedicated_failover="False" dyn="False" label="" mgmt="True" security_level="0" unnum="False" unprotected="False" name="pcn0" comment="" ro="False">
<IPv4 id="id47B07D4719082" name="openbsd-4.2:pcn0:ip" comment="" ro="False" address="10.3.14.50" netmask="255.255.255.0"/>
<InterfaceOptions/>
</Interface>
<Interface id="id47B07D4819082" dedicated_failover="False" dyn="False" security_level="100" unnum="False" unprotected="False" name="lo" comment="" ro="False">
<IPv4 id="id47B07D4A19082" name="openbsd-4.2:lo:ip" comment="" ro="False" address="127.0.0.1" netmask="255.0.0.0"/>
<InterfaceOptions/>
</Interface>
<Management address="10.3.14.50">
<SNMPManagement enabled="False" snmp_read_community="public" snmp_write_community=""/>
<FWBDManagement enabled="True" identity="" port="9999"/>
<PolicyInstallScript arguments="" command="" enabled="False"/>
</Management>
<FirewallOptions>
<Option name="accept_established">True</Option>
<Option name="accept_new_tcp_with_no_syn">True</Option>
<Option name="action_on_reject">ICMP host prohibited</Option>
<Option name="activationCmd"></Option>
<Option name="admUser">root</Option>
<Option name="altAddress"></Option>
<Option name="check_shading">True</Option>
<Option name="clamp_mss_to_mtu">False</Option>
<Option name="cmdline"></Option>
<Option name="compiler"></Option>
<Option name="conf_file_name_on_firewall"></Option>
<Option name="configure_carp_interfaces">False</Option>
<Option name="configure_interfaces">False</Option>
<Option name="configure_pfsync_interfaces">False</Option>
<Option name="configure_vlan_interfaces">False</Option>
<Option name="debug">False</Option>
<Option name="dyn_addr">False</Option>
<Option name="epilog_script"></Option>
<Option name="fallback_log">False</Option>
<Option name="firewall_dir">/etc/fw</Option>
<Option name="firewall_is_part_of_any">True</Option>
<Option name="firewall_is_part_of_any_and_networks">True</Option>
<Option name="ignore_empty_groups">False</Option>
<Option name="in_out_code">True</Option>
<Option name="inst_cmdline"></Option>
<Option name="inst_script"></Option>
<Option name="install_script"></Option>
<Option name="ipv4_6_order">ipv4_first</Option>
<Option name="limit_suffix">/day</Option>
<Option name="limit_value">0</Option>
<Option name="linux24_ip_forward">0</Option>
<Option name="linux24_tcp_fin_timeout">30</Option>
<Option name="linux24_tcp_keepalive_interval">1800</Option>
<Option name="load_modules">False</Option>
<Option name="log_all_dropped">False</Option>
<Option name="log_ip_opt">False</Option>
<Option name="log_level">debug</Option>
<Option name="log_limit_suffix"></Option>
<Option name="log_limit_value">0</Option>
<Option name="log_prefix"></Option>
<Option name="log_tcp_opt">False</Option>
<Option name="log_tcp_seq">False</Option>
<Option name="manage_virtual_addr">False</Option>
<Option name="mgmt_addr">10.3.14.30</Option>
<Option name="mgmt_ssh">True</Option>
<Option name="modulate_state">False</Option>
<Option name="no_iochains_for_any">False</Option>
<Option name="no_optimisation">False</Option>
<Option name="openbsd_ip_directed_broadcast"></Option>
<Option name="openbsd_ip_forward">1</Option>
<Option name="openbsd_ip_redirect"></Option>
<Option name="openbsd_ip_sourceroute"></Option>
<Option name="openbsd_path_pfctl"></Option>
<Option name="openbsd_path_sysctl"></Option>
<Option name="output_file"></Option>
<Option name="pass_all_out">False</Option>
<Option name="pf_adaptive_end">0</Option>
<Option name="pf_adaptive_start">0</Option>
<Option name="pf_do_limit_frags">False</Option>
<Option name="pf_do_limit_src_nodes">False</Option>
<Option name="pf_do_limit_states">False</Option>
<Option name="pf_do_limit_table_entries">False</Option>
<Option name="pf_do_limit_tables">False</Option>
<Option name="pf_do_scrub">True</Option>
<Option name="pf_do_timeout_frag">False</Option>
<Option name="pf_do_timeout_interval">False</Option>
<Option name="pf_flush_states">True</Option>
<Option name="pf_icmp_error">0</Option>
<Option name="pf_icmp_first">0</Option>
<Option name="pf_limit_frags">5000</Option>
<Option name="pf_limit_src_nodes">0</Option>
<Option name="pf_limit_states">10000</Option>
<Option name="pf_limit_table_entries">0</Option>
<Option name="pf_limit_tables">0</Option>
<Option name="pf_modulate_state">False</Option>
<Option name="pf_optimization"></Option>
<Option name="pf_other_first">0</Option>
<Option name="pf_other_multiple">0</Option>
<Option name="pf_other_single">0</Option>
<Option name="pf_scrub_fragm_crop">False</Option>
<Option name="pf_scrub_fragm_drop_ovl">False</Option>
<Option name="pf_scrub_maxmss">1460</Option>
<Option name="pf_scrub_minttl">1</Option>
<Option name="pf_scrub_no_df">False</Option>
<Option name="pf_scrub_random_id">False</Option>
<Option name="pf_scrub_reassemble">True</Option>
<Option name="pf_scrub_use_maxmss">False</Option>
<Option name="pf_scrub_use_minttl">False</Option>
<Option name="pf_set_adaptive">False</Option>
<Option name="pf_set_icmp_error">False</Option>
<Option name="pf_set_icmp_first">False</Option>
<Option name="pf_set_other_first">False</Option>
<Option name="pf_set_other_multiple">False</Option>
<Option name="pf_set_other_single">False</Option>
<Option name="pf_set_tcp_closed">False</Option>
<Option name="pf_set_tcp_closing">False</Option>
<Option name="pf_set_tcp_established">False</Option>
<Option name="pf_set_tcp_finwait">False</Option>
<Option name="pf_set_tcp_first">False</Option>
<Option name="pf_set_tcp_opening">False</Option>
<Option name="pf_set_udp_first">False</Option>
<Option name="pf_set_udp_multiple">False</Option>
<Option name="pf_set_udp_single">False</Option>
<Option name="pf_tcp_closed">0</Option>
<Option name="pf_tcp_closing">0</Option>
<Option name="pf_tcp_established">0</Option>
<Option name="pf_tcp_finwait">0</Option>
<Option name="pf_tcp_first">0</Option>
<Option name="pf_tcp_opening">0</Option>
<Option name="pf_timeout_frag">30</Option>
<Option name="pf_timeout_interval">10</Option>
<Option name="pf_udp_first">0</Option>
<Option name="pf_udp_multiple">0</Option>
<Option name="pf_udp_single">0</Option>
<Option name="platform">iptables</Option>
<Option name="prolog_place">fw_file</Option>
<Option name="prolog_script"></Option>
<Option name="scpArgs"></Option>
<Option name="script_env_path"></Option>
<Option name="script_name_on_firewall"></Option>
<Option name="snmp_contact"></Option>
<Option name="snmp_description"></Option>
<Option name="snmp_location"></Option>
<Option name="sshArgs"></Option>
<Option name="use_ip_tool">False</Option>
<Option name="use_numeric_log_levels">False</Option>
<Option name="use_tables">True</Option>
</FirewallOptions>
</Firewall>
<Firewall id="id15868X59575" host_OS="openbsd" inactive="False" lastCompiled="1236662709" lastInstalled="1236662718" lastModified="1236662645" platform="pf" version="4.x" name="openbsd-4.2-2" comment="This firewall protects the host it is running on. Note that we set the output file name to /tmp/labfw.fw to test what the compiler is going to do (since it generates three files rather than one), as well as to test the installer in this case." ro="False">
<NAT id="id15979X59575" name="NAT" comment="" ro="False" ipv4_rule_set="False" ipv6_rule_set="False" top_rule_set="True">
<RuleSetOptions/>
</NAT>
<Policy id="id15874X59575" name="Policy" comment="" ro="False" ipv4_rule_set="False" ipv6_rule_set="False" top_rule_set="True">
<PolicyRule id="id15899X59575" disabled="False" group="" log="False" position="0" action="Accept" direction="Both" comment="">
<Src neg="False">
<ObjectRef ref="sysid0"/>
</Src>
<Dst neg="False">
<ObjectRef ref="sysid0"/>
</Dst>
<Srv neg="False">
<ServiceRef ref="sysid1"/>
</Srv>
<Itf neg="False">
<ObjectRef ref="id15984X59575"/>
</Itf>
<When neg="False">
<IntervalRef ref="sysid2"/>
</When>
<PolicyRuleOptions>
<Option name="pf_classify_str"></Option>
</PolicyRuleOptions>
</PolicyRule>
<PolicyRule id="id15911X59575" disabled="False" group="" log="False" position="1" action="Accept" direction="Inbound" comment="">
<Src neg="False">
<ObjectRef ref="sysid0"/>
</Src>
<Dst neg="False">
<ObjectRef ref="id15868X59575"/>
</Dst>
<Srv neg="False">
<ServiceRef ref="tcp-SSH"/>
</Srv>
<Itf neg="False">
<ObjectRef ref="id15981X59575"/>
</Itf>
<When neg="False">
<IntervalRef ref="sysid2"/>
</When>
<PolicyRuleOptions>
<Option name="branch_name">rule3_branch</Option>
<Option name="color">#C0BA44</Option>
<Option name="pf_classify_str"></Option>
<Option name="stateless">False</Option>
</PolicyRuleOptions>
</PolicyRule>
<PolicyRule id="id15935X59575" disabled="False" group="" log="True" position="2" action="Deny" direction="Both" comment="'catch all' rule">
<Src neg="False">
<ObjectRef ref="sysid0"/>
</Src>
<Dst neg="False">
<ObjectRef ref="sysid0"/>
</Dst>
<Srv neg="False">
<ServiceRef ref="sysid1"/>
</Srv>
<Itf neg="False">
<ObjectRef ref="sysid0"/>
</Itf>
<When neg="False">
<IntervalRef ref="sysid2"/>
</When>
<PolicyRuleOptions>
<Option name="pf_classify_str"></Option>
<Option name="stateless">True</Option>
</PolicyRuleOptions>
</PolicyRule>
<RuleSetOptions/>
</Policy>
<Routing id="id15980X59575" name="Routing" comment="" ro="False" ipv4_rule_set="False" ipv6_rule_set="False" top_rule_set="True">
<RuleSetOptions/>
</Routing>
<Interface id="id15981X59575" dedicated_failover="False" dyn="False" label="" mgmt="True" security_level="0" unnum="False" unprotected="False" name="pcn0" comment="" ro="False">
<IPv4 id="id15983X59575" name="openbsd-4.2-2:pcn0:ip" comment="" ro="False" address="10.3.14.50" netmask="255.255.255.0"/>
<InterfaceOptions/>
</Interface>
<Interface id="id15984X59575" dedicated_failover="False" dyn="False" security_level="100" unnum="False" unprotected="False" name="lo" comment="" ro="False">
<IPv4 id="id15986X59575" name="openbsd-4.2-2:lo:ip" comment="" ro="False" address="127.0.0.1" netmask="255.0.0.0"/>
<InterfaceOptions/>
</Interface>
<Management address="10.3.14.50">
<SNMPManagement enabled="False" snmp_read_community="public" snmp_write_community=""/>
<FWBDManagement enabled="True" identity="" port="9999"/>
<PolicyInstallScript arguments="" command="" enabled="False"/>
</Management>
<FirewallOptions>
<Option name="accept_established">True</Option>
<Option name="accept_new_tcp_with_no_syn">True</Option>
<Option name="action_on_reject">ICMP host prohibited</Option>
<Option name="activationCmd"></Option>
<Option name="admUser">root</Option>
<Option name="altAddress"></Option>
<Option name="check_shading">True</Option>
<Option name="clamp_mss_to_mtu">False</Option>
<Option name="cmdline"></Option>
<Option name="compiler"></Option>
<Option name="configure_interfaces">False</Option>
<Option name="debug">True</Option>
<Option name="dyn_addr">False</Option>
<Option name="epilog_script"></Option>
<Option name="fallback_log">False</Option>
<Option name="firewall_dir">/etc/fw</Option>
<Option name="firewall_is_part_of_any">True</Option>
<Option name="firewall_is_part_of_any_and_networks">True</Option>
<Option name="ignore_empty_groups">False</Option>
<Option name="in_out_code">True</Option>
<Option name="inst_cmdline"></Option>
<Option name="inst_script"></Option>
<Option name="install_script"></Option>
<Option name="ipv4_6_order">ipv4_first</Option>
<Option name="limit_suffix">/day</Option>
<Option name="limit_value">0</Option>
<Option name="linux24_ip_forward">0</Option>
<Option name="linux24_tcp_fin_timeout">30</Option>
<Option name="linux24_tcp_keepalive_interval">1800</Option>
<Option name="load_modules">False</Option>
<Option name="log_all_dropped">False</Option>
<Option name="log_ip_opt">False</Option>
<Option name="log_level">debug</Option>
<Option name="log_limit_suffix"></Option>
<Option name="log_limit_value">0</Option>
<Option name="log_prefix"></Option>
<Option name="log_tcp_opt">False</Option>
<Option name="log_tcp_seq">False</Option>
<Option name="manage_virtual_addr">False</Option>
<Option name="mgmt_addr">10.3.14.30</Option>
<Option name="mgmt_ssh">True</Option>
<Option name="modulate_state">False</Option>
<Option name="no_iochains_for_any">False</Option>
<Option name="no_optimisation">False</Option>
<Option name="openbsd_ip_directed_broadcast"></Option>
<Option name="openbsd_ip_forward">1</Option>
<Option name="openbsd_ip_redirect"></Option>
<Option name="openbsd_ip_sourceroute"></Option>
<Option name="openbsd_path_pfctl"></Option>
<Option name="openbsd_path_sysctl"></Option>
<Option name="output_file"></Option>
<Option name="pass_all_out">False</Option>
<Option name="pf_adaptive_end">0</Option>
<Option name="pf_adaptive_start">0</Option>
<Option name="pf_do_limit_frags">False</Option>
<Option name="pf_do_limit_src_nodes">False</Option>
<Option name="pf_do_limit_states">False</Option>
<Option name="pf_do_limit_table_entries">False</Option>
<Option name="pf_do_limit_tables">False</Option>
<Option name="pf_do_scrub">True</Option>
<Option name="pf_do_timeout_frag">False</Option>
<Option name="pf_do_timeout_interval">False</Option>
<Option name="pf_flush_states">True</Option>
<Option name="pf_icmp_error">0</Option>
<Option name="pf_icmp_first">0</Option>
<Option name="pf_limit_frags">5000</Option>
<Option name="pf_limit_src_nodes">0</Option>
<Option name="pf_limit_states">10000</Option>
<Option name="pf_limit_table_entries">0</Option>
<Option name="pf_limit_tables">0</Option>
<Option name="pf_optimization"></Option>
<Option name="pf_other_first">0</Option>
<Option name="pf_other_multiple">0</Option>
<Option name="pf_other_single">0</Option>
<Option name="pf_scrub_fragm_crop">False</Option>
<Option name="pf_scrub_fragm_drop_ovl">False</Option>
<Option name="pf_scrub_maxmss">1460</Option>
<Option name="pf_scrub_minttl">1</Option>
<Option name="pf_scrub_no_df">False</Option>
<Option name="pf_scrub_random_id">False</Option>
<Option name="pf_scrub_reassemble">True</Option>
<Option name="pf_scrub_use_maxmss">False</Option>
|
|
<Option name="pf_scrub_use_minttl">False</Option>
|
|
<Option name="pf_set_adaptive">False</Option>
|
|
<Option name="pf_set_icmp_error">False</Option>
|
|
<Option name="pf_set_icmp_first">False</Option>
|
|
<Option name="pf_set_other_first">False</Option>
|
|
<Option name="pf_set_other_multiple">False</Option>
|
|
<Option name="pf_set_other_single">False</Option>
|
|
<Option name="pf_set_tcp_closed">False</Option>
|
|
<Option name="pf_set_tcp_closing">False</Option>
|
|
<Option name="pf_set_tcp_established">False</Option>
|
|
<Option name="pf_set_tcp_finwait">False</Option>
|
|
<Option name="pf_set_tcp_first">False</Option>
|
|
<Option name="pf_set_tcp_opening">False</Option>
|
|
<Option name="pf_set_udp_first">False</Option>
|
|
<Option name="pf_set_udp_multiple">False</Option>
|
|
<Option name="pf_set_udp_single">False</Option>
|
|
<Option name="pf_tcp_closed">0</Option>
|
|
<Option name="pf_tcp_closing">0</Option>
|
|
<Option name="pf_tcp_established">0</Option>
|
|
<Option name="pf_tcp_finwait">0</Option>
|
|
<Option name="pf_tcp_first">0</Option>
|
|
<Option name="pf_tcp_opening">0</Option>
|
|
<Option name="pf_timeout_frag">30</Option>
|
|
<Option name="pf_timeout_interval">10</Option>
|
|
<Option name="pf_udp_first">0</Option>
|
|
<Option name="pf_udp_multiple">0</Option>
|
|
<Option name="pf_udp_single">0</Option>
|
|
<Option name="platform">iptables</Option>
|
|
<Option name="prolog_place">fw_file</Option>
|
|
<Option name="prolog_script"></Option>
|
|
<Option name="scpArgs"></Option>
|
|
<Option name="script_env_path"></Option>
|
|
<Option name="snmp_contact"></Option>
|
|
<Option name="snmp_description"></Option>
|
|
<Option name="snmp_location"></Option>
|
|
<Option name="sshArgs"></Option>
|
|
<Option name="use_ip_tool">False</Option>
|
|
<Option name="use_numeric_log_levels">False</Option>
|
|
<Option name="use_tables">True</Option>
|
|
</FirewallOptions>
|
|
</Firewall>
|
|
</ObjectGroup>
|
|
<IntervalGroup id="id415276D7" name="Time" comment="" ro="False"/>
|
|
</Library>
|
|
<Library id="id4387B43718346" color="#FFFFFF" name="proxy_arp_example" comment="" ro="False">
|
|
<ObjectGroup id="id4387B43818346_clusters" name="Clusters" comment="" ro="False"/>
|
|
<ObjectGroup id="id4387B43818346" name="Objects" comment="" ro="False">
|
|
<ObjectGroup id="id4387B43918346" name="Addresses" comment="" ro="False">
|
|
<IPv4 id="id87762X3490" name="routable server address 1" comment="" ro="False" address="222.222.222.22" netmask="0.0.0.0"/>
|
|
</ObjectGroup>
|
|
<ObjectGroup id="id4387B43A18346" name="DNS Names" comment="" ro="False"/>
|
|
<ObjectGroup id="id4387B43B18346" name="Address Tables" comment="" ro="False"/>
|
|
<ObjectGroup id="id4387B43C18346" name="Groups" comment="" ro="False"/>
|
|
<ObjectGroup id="id4387B43D18346" name="Hosts" comment="" ro="False"/>
|
|
<ObjectGroup id="id4387B43E18346" name="Networks" comment="" ro="False">
|
|
<Network id="id87753X3490" name="Internal_net" comment="" ro="False" address="192.168.1.0" netmask="255.255.255.0"/>
|
|
</ObjectGroup>
|
|
<ObjectGroup id="id4387B43F18346" name="Address Ranges" comment="" ro="False"/>
|
|
</ObjectGroup>
|
|
<ServiceGroup id="id4387B44018346" name="Services" comment="" ro="False">
|
|
<ServiceGroup id="id4387B44018346_og_tag_1" name="TagServices" comment="" ro="False"/>
|
|
<ServiceGroup id="id4387B44118346" name="Groups" comment="" ro="False"/>
|
|
<ServiceGroup id="id4387B44218346" name="ICMP" comment="" ro="False"/>
|
|
<ServiceGroup id="id4387B44318346" name="IP" comment="" ro="False"/>
|
|
<ServiceGroup id="id4387B44418346" name="TCP" comment="" ro="False"/>
|
|
<ServiceGroup id="id4387B44518346" name="UDP" comment="" ro="False"/>
|
|
<ServiceGroup id="id4387B44618346" name="Custom" comment="" ro="False"/>
|
|
<ServiceGroup id="id4387B44018346_userservices" name="Users" comment="" ro="False"/>
|
|
</ServiceGroup>
|
|
<ObjectGroup id="id4387B44718346" name="Firewalls" comment="" ro="False">
|
|
<Firewall id="id81411X3490" host_OS="openbsd" inactive="False" lastCompiled="1226899264" lastInstalled="0" lastModified="1226899486" platform="pf" version="" name="firewall20" comment="firewall using proxy arp" ro="False">
|
|
<NAT id="id81452X3490" name="NAT" comment="" ro="False" ipv4_rule_set="False" ipv6_rule_set="False" top_rule_set="True">
|
|
<NATRule id="id81453X3490" disabled="False" group="" position="0" action="Translate" comment="">
|
|
<OSrc neg="False">
|
|
<ObjectRef ref="id87753X3490"/>
|
|
</OSrc>
|
|
<ODst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ODst>
|
|
<OSrv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</OSrv>
|
|
<TSrc neg="False">
|
|
<ObjectRef ref="id81411X3490"/>
|
|
</TSrc>
|
|
<TDst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</TDst>
|
|
<TSrv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</TSrv>
|
|
<ItfInb neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ItfInb>
|
|
<ItfOutb neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ItfOutb>
|
|
<NATRuleOptions/>
|
|
</NATRule>
|
|
<NATRule id="id81467X3490" disabled="False" group="" position="1" action="Translate" comment="">
|
|
<OSrc neg="False">
|
|
<ObjectRef ref="id87753X3490"/>
|
|
</OSrc>
|
|
<ODst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ODst>
|
|
<OSrv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</OSrv>
|
|
<TSrc neg="False">
|
|
<ObjectRef ref="id81518X3490"/>
|
|
</TSrc>
|
|
<TDst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</TDst>
|
|
<TSrv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</TSrv>
|
|
<ItfInb neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ItfInb>
|
|
<ItfOutb neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ItfOutb>
|
|
<NATRuleOptions/>
|
|
</NATRule>
|
|
<NATRule id="id81481X3490" disabled="False" group="" position="2" action="Translate" comment="">
|
|
<OSrc neg="False">
|
|
<ObjectRef ref="id87753X3490"/>
|
|
</OSrc>
|
|
<ODst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ODst>
|
|
<OSrv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</OSrv>
|
|
<TSrc neg="False">
|
|
<ObjectRef ref="id81520X3490"/>
|
|
</TSrc>
|
|
<TDst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</TDst>
|
|
<TSrv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</TSrv>
|
|
<ItfInb neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ItfInb>
|
|
<ItfOutb neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ItfOutb>
|
|
<NATRuleOptions/>
|
|
</NATRule>
|
|
<NATRule id="id81495X3490" disabled="False" group="" position="3" action="Translate" comment="">
|
|
<OSrc neg="False">
|
|
<ObjectRef ref="id87753X3490"/>
|
|
</OSrc>
|
|
<ODst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ODst>
|
|
<OSrv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</OSrv>
|
|
<TSrc neg="False">
|
|
<ObjectRef ref="id81517X3490"/>
|
|
</TSrc>
|
|
<TDst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</TDst>
|
|
<TSrv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</TSrv>
|
|
<ItfInb neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ItfInb>
|
|
<ItfOutb neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ItfOutb>
|
|
<NATRuleOptions/>
|
|
</NATRule>
|
|
<RuleSetOptions/>
|
|
</NAT>
|
|
<Policy id="id81417X3490" name="Policy" comment="" ro="False" ipv4_rule_set="False" ipv6_rule_set="False" top_rule_set="True">
|
|
<PolicyRule id="id81418X3490" disabled="False" group="" log="False" position="0" action="Accept" direction="Inbound" comment="">
|
|
<Src neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="id87762X3490"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="id81513X3490"/>
|
|
</Itf>
|
|
<PolicyRuleOptions>
|
|
<Option name="pf_classify_str"></Option>
|
|
<Option name="stateless">False</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<PolicyRule id="id81428X3490" disabled="False" group="" log="False" position="1" action="Accept" direction="Outbound" comment="">
|
|
<Src neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="id87762X3490"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="id81518X3490"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="pf_classify_str"></Option>
|
|
<Option name="stateless">False</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<PolicyRule id="id81440X3490" disabled="False" group="" log="False" position="2" action="Deny" direction="Both" comment="">
|
|
<Src neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="pf_classify_str"></Option>
|
|
<Option name="stateless">True</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<RuleSetOptions/>
|
|
</Policy>
|
|
<Routing id="id81509X3490" name="Routing" comment="" ro="False" ipv4_rule_set="False" ipv6_rule_set="False" top_rule_set="True">
|
|
<RuleSetOptions/>
|
|
</Routing>
|
|
<Interface id="id81510X3490" dedicated_failover="False" dyn="False" label="" mgmt="False" security_level="100" unnum="False" unprotected="False" name="dc2" comment="" ro="False">
|
|
<IPv4 id="id81512X3490" name="firewall20:dc2:ip" comment="" ro="False" address="192.168.1.1" netmask="255.255.255.0"/>
|
|
<InterfaceOptions/>
|
|
</Interface>
|
|
<Interface id="id81513X3490" dedicated_failover="False" dyn="False" label="" mgmt="False" security_level="0" unnum="False" unprotected="False" name="dc0" comment="" ro="False">
|
|
<IPv4 id="id81516X3490" name="firewall20:dc0:ip1" comment="" ro="False" address="10.1.1.1" netmask="255.255.255.0"/>
|
|
<IPv4 id="id81517X3490" name="firewall20:dc0:ip2" comment="" ro="False" address="222.222.222.21" netmask="255.255.255.240"/>
|
|
<InterfaceOptions/>
|
|
</Interface>
|
|
<Interface id="id81518X3490" dedicated_failover="False" dyn="False" label="" mgmt="False" security_level="100" unnum="False" unprotected="False" name="dc1" comment="" ro="False">
|
|
<IPv4 id="id81520X3490" name="firewall20:dc1:ip" comment="" ro="False" address="222.222.222.20" netmask="255.255.255.240"/>
|
|
<InterfaceOptions/>
|
|
</Interface>
|
|
<Interface id="id81521X3490" dedicated_failover="False" dyn="False" security_level="100" unnum="False" unprotected="False" name="lo" comment="" ro="False">
|
|
<IPv4 id="id81523X3490" name="firewall20:lo:ip" comment="" ro="False" address="127.0.0.1" netmask="255.0.0.0"/>
|
|
<InterfaceOptions/>
|
|
</Interface>
|
|
<Management address="22.22.23.23">
|
|
<!-- SNMP management is disabled for firewall20, but the read community stored here is the
     well-known default "public". Community strings are kept in clear text in this object
     file, so treat the .fwb as sensitive and replace this value before ever setting
     enabled="True". -->
<SNMPManagement enabled="False" snmp_read_community="public" snmp_write_community=""/>
|
|
<FWBDManagement enabled="True" identity="" port="9999"/>
|
|
<PolicyInstallScript arguments="" command="" enabled="False"/>
|
|
</Management>
|
|
<FirewallOptions>
|
|
<Option name="accept_established">True</Option>
|
|
<!-- NOTE(review): by its name this option accepts TCP segments that carry no SYN and match no
     existing state entry, which weakens stateful inspection. firewall20 is declared
     platform="pf" host_OS="openbsd" on its Firewall element and this is an iptables-era
     option, so the pf compiler may simply ignore it; confirm in the generated pf.conf
     before relying on either behaviour. -->
<Option name="accept_new_tcp_with_no_syn">True</Option>
|
|
<Option name="action_on_reject">ICMP net unreachable</Option>
|
|
<Option name="check_shading">True</Option>
|
|
<Option name="clamp_mss_to_mtu">False</Option>
|
|
<Option name="cmdline"></Option>
|
|
<Option name="compiler"></Option>
|
|
<Option name="configure_interfaces">False</Option>
|
|
<Option name="debug">False</Option>
|
|
<Option name="dyn_addr">False</Option>
|
|
<Option name="firewall_dir"></Option>
|
|
<Option name="firewall_is_part_of_any">True</Option>
|
|
<Option name="firewall_is_part_of_any_and_networks">True</Option>
|
|
<Option name="ignore_empty_groups">False</Option>
|
|
<Option name="in_out_code">True</Option>
|
|
<Option name="inst_cmdline"></Option>
|
|
<Option name="inst_script"></Option>
|
|
<Option name="install_script"></Option>
|
|
<Option name="limit_suffix">/day</Option>
|
|
<Option name="limit_value">0</Option>
|
|
<Option name="linux24_ip_forward">0</Option>
|
|
<Option name="linux24_tcp_fin_timeout">30</Option>
|
|
<Option name="linux24_tcp_keepalive_interval">1800</Option>
|
|
<Option name="load_modules">False</Option>
|
|
<Option name="log_all_dropped">False</Option>
|
|
<Option name="log_ip_opt">False</Option>
|
|
<Option name="log_level">debug</Option>
|
|
<Option name="log_limit_suffix">/second</Option>
|
|
<Option name="log_limit_value">0</Option>
|
|
<Option name="log_prefix"></Option>
|
|
<Option name="log_tcp_opt">False</Option>
|
|
<Option name="log_tcp_seq">False</Option>
|
|
<Option name="manage_virtual_addr">True</Option>
|
|
<Option name="modulate_state">False</Option>
|
|
<Option name="no_iochains_for_any">False</Option>
|
|
<Option name="no_optimisation">False</Option>
|
|
<Option name="openbsd_path_pfctl"></Option>
|
|
<Option name="openbsd_path_sysctl"></Option>
|
|
<Option name="pass_all_out">False</Option>
|
|
<Option name="pf_do_scrub">True</Option>
|
|
<Option name="pf_limit_frags">5000</Option>
|
|
<Option name="pf_limit_states">10000</Option>
|
|
<Option name="pf_optimization"></Option>
|
|
<Option name="pf_scrub_fragm_crop">False</Option>
|
|
<Option name="pf_scrub_fragm_drop_ovl">False</Option>
|
|
<Option name="pf_scrub_maxmss">1460</Option>
|
|
<Option name="pf_scrub_minttl">1</Option>
|
|
<Option name="pf_scrub_no_df">False</Option>
|
|
<Option name="pf_scrub_random_id">False</Option>
|
|
<Option name="pf_scrub_use_maxmss">False</Option>
|
|
<Option name="pf_scrub_use_minttl">False</Option>
|
|
<Option name="pf_timeout_frag">30</Option>
|
|
<Option name="pf_timeout_interval">10</Option>
|
|
<!-- NOTE(review): this option says iptables, but the enclosing Firewall element declares
     platform="pf" host_OS="openbsd" and the surrounding options are pf/openbsd ones.
     Presumably a stale leftover; the Firewall attribute is the value to trust. Verify which
     one the compiler reads before treating this option as meaningful. -->
<Option name="platform">iptables</Option>
|
|
<!-- NOTE(review): the Firewall element's comment says "firewall using proxy arp", yet this
     option is False. It cannot be told from this file whether the pf/openbsd compiler uses
     this option or some other mechanism to publish an ARP entry for "routable server
     address 1" (222.222.222.22); verify in the generated script, because the inbound
     accept rule for that address never sees traffic if the firewall does not answer ARP
     for it. -->
<Option name="proxy_arp">False</Option>
|
|
<Option name="script_env_path"></Option>
|
|
<Option name="snmp_contact"></Option>
|
|
<Option name="snmp_description"></Option>
|
|
<Option name="snmp_location"></Option>
|
|
<Option name="use_ip_tool">False</Option>
|
|
<Option name="use_numeric_log_levels">False</Option>
|
|
<Option name="use_tables">True</Option>
|
|
</FirewallOptions>
|
|
</Firewall>
|
|
</ObjectGroup>
|
|
<IntervalGroup id="id4387B44818346" name="Time" comment="" ro="False"/>
|
|
</Library>
|
|
<Library id="id81391X3490" name="New Library" comment="" ro="False">
|
|
<ObjectGroup id="id81392X3490_clusters" name="Clusters" comment="" ro="False"/>
|
|
<ObjectGroup id="id81392X3490" name="Objects" comment="" ro="False">
|
|
<ObjectGroup id="id81393X3490" name="Addresses" comment="" ro="False"/>
|
|
<ObjectGroup id="id81394X3490" name="DNS Names" comment="" ro="False"/>
|
|
<ObjectGroup id="id81395X3490" name="Address Tables" comment="" ro="False"/>
|
|
<ObjectGroup id="id81396X3490" name="Groups" comment="" ro="False"/>
|
|
<ObjectGroup id="id81397X3490" name="Hosts" comment="" ro="False"/>
|
|
<ObjectGroup id="id81398X3490" name="Networks" comment="" ro="False"/>
|
|
<ObjectGroup id="id81399X3490" name="Address Ranges" comment="" ro="False"/>
|
|
</ObjectGroup>
|
|
<ServiceGroup id="id81400X3490" name="Services" comment="" ro="False">
|
|
<ServiceGroup id="id81401X3490" name="Groups" comment="" ro="False"/>
|
|
<ServiceGroup id="id81402X3490" name="ICMP" comment="" ro="False"/>
|
|
<ServiceGroup id="id81403X3490" name="IP" comment="" ro="False"/>
|
|
<ServiceGroup id="id81404X3490" name="TCP" comment="" ro="False"/>
|
|
<ServiceGroup id="id81405X3490" name="UDP" comment="" ro="False"/>
|
|
<ServiceGroup id="id81406X3490" name="Users" comment="" ro="False"/>
|
|
<ServiceGroup id="id81407X3490" name="Custom" comment="" ro="False"/>
|
|
<ServiceGroup id="id81408X3490" name="TagServices" comment="" ro="False"/>
|
|
</ServiceGroup>
|
|
<ObjectGroup id="id81409X3490" name="Firewalls" comment="" ro="False"/>
|
|
<IntervalGroup id="id81410X3490" name="Time" comment="" ro="False"/>
|
|
</Library>
|
|
<Library id="id154425X32012" color="#FFFFFF" name="ssh access example" comment="" ro="False">
|
|
<ObjectGroup id="id154426X32012_clusters" name="Clusters" comment="" ro="False"/>
|
|
<ObjectGroup id="id154426X32012" name="Objects" comment="" ro="False">
|
|
<ObjectGroup id="id154427X32012" name="Addresses" comment="" ro="False"/>
|
|
<ObjectGroup id="id154428X32012" name="DNS Names" comment="" ro="False"/>
|
|
<ObjectGroup id="id154429X32012" name="Address Tables" comment="" ro="False"/>
|
|
<ObjectGroup id="id154430X32012" name="Groups" comment="" ro="False">
|
|
<ObjectGroup id="id161498X32012" name="group1" comment="" ro="False">
|
|
<ObjectRef ref="id168492X32012"/>
|
|
<ObjectRef ref="id168501X32012"/>
|
|
</ObjectGroup>
|
|
<ObjectGroup id="id161501X32012" name="netgroup1" comment="" ro="False">
|
|
<ObjectRef ref="id168491X32012"/>
|
|
<ObjectRef ref="id168510X32012"/>
|
|
</ObjectGroup>
|
|
</ObjectGroup>
|
|
<ObjectGroup id="id154431X32012" name="Hosts" comment="" ro="False">
|
|
<Host id="id168492X32012" name="hostA" comment="" ro="False">
|
|
<Interface id="id168494X32012" dedicated_failover="False" dyn="False" label="" security_level="100" unnum="False" unprotected="False" name="hostA_eth0" comment="" ro="False">
|
|
<IPv4 id="id168495X32012" name="hostA:hostA_eth0:ip" comment="" ro="False" address="192.168.1.10" netmask="255.255.255.255"/>
|
|
<InterfaceOptions/>
|
|
</Interface>
|
|
<Management address="192.168.1.10">
|
|
<!-- SNMP is disabled on hostA, but the default community "public" is still stored here in
     clear text. Replace it before enabling SNMP and keep the object file protected. -->
<SNMPManagement enabled="False" snmp_read_community="public" snmp_write_community=""/>
|
|
<FWBDManagement enabled="False" identity="" port="-1"/>
|
|
<PolicyInstallScript arguments="" command="" enabled="False"/>
|
|
</Management>
|
|
<HostOptions>
|
|
<Option name="snmp_contact"></Option>
|
|
<Option name="snmp_description"></Option>
|
|
<Option name="snmp_location"></Option>
|
|
<Option name="use_mac_addr_filter">False</Option>
|
|
</HostOptions>
|
|
</Host>
|
|
<Host id="id168501X32012" name="hostB" comment="" ro="False">
|
|
<Interface id="id168503X32012" dedicated_failover="False" dyn="False" security_level="100" unnum="False" unprotected="False" name="unknown" comment="" ro="False">
|
|
<IPv4 id="id168504X32012" name="hostB:unknown:ip" comment="" ro="False" address="192.168.1.20" netmask="255.255.255.255"/>
|
|
<InterfaceOptions/>
|
|
</Interface>
|
|
<Management address="192.168.1.20">
|
|
<!-- SNMP is disabled on hostB, but the default community "public" is still stored here in
     clear text. Replace it before enabling SNMP and keep the object file protected. -->
<SNMPManagement enabled="False" snmp_read_community="public" snmp_write_community=""/>
|
|
<FWBDManagement enabled="False" identity="" port="-1"/>
|
|
<PolicyInstallScript arguments="" command="" enabled="False"/>
|
|
</Management>
|
|
<HostOptions>
|
|
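<!-- Normalised to "False": every other boolean option in this file (including the same
     option on hostA) uses the capitalised form, and a case-sensitive reader would otherwise
     see a different literal here than everywhere else. -->
<Option name="use_mac_addr_filter">False</Option>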
|
|
</HostOptions>
|
|
</Host>
|
|
</ObjectGroup>
|
|
<ObjectGroup id="id154432X32012" name="Networks" comment="" ro="False">
|
|
<Network id="id168491X32012" name="dmz_net" comment="DMZ net - using NAT" ro="False" address="192.168.2.0" netmask="255.255.255.0"/>
|
|
<Network id="id168510X32012" name="Internal_net" comment="" ro="False" address="192.168.1.0" netmask="255.255.255.0"/>
|
|
</ObjectGroup>
|
|
<ObjectGroup id="id154433X32012" name="Address Ranges" comment="" ro="False"/>
|
|
</ObjectGroup>
|
|
<ServiceGroup id="id154434X32012" name="Services" comment="" ro="False">
|
|
<ServiceGroup id="id154435X32012" name="Groups" comment="" ro="False"/>
|
|
<ServiceGroup id="id154436X32012" name="ICMP" comment="" ro="False"/>
|
|
<ServiceGroup id="id154437X32012" name="IP" comment="" ro="False"/>
|
|
<ServiceGroup id="id154438X32012" name="TCP" comment="" ro="False"/>
|
|
<ServiceGroup id="id154439X32012" name="UDP" comment="" ro="False"/>
|
|
<ServiceGroup id="id154440X32012" name="Users" comment="" ro="False"/>
|
|
<ServiceGroup id="id154441X32012" name="Custom" comment="" ro="False"/>
|
|
<ServiceGroup id="id154442X32012" name="TagServices" comment="" ro="False"/>
|
|
</ServiceGroup>
|
|
<ObjectGroup id="id154443X32012" name="Firewalls" comment="" ro="False">
|
|
<Firewall id="id154445X32012" host_OS="openbsd" inactive="False" lastCompiled="0" lastInstalled="0" lastModified="1239318033" platform="pf" version="" name="firewal11" comment="example to illustrate access to the firewall limited to only few source addresses. Since in PF firewall is always part of "any", have to explcitly add a rule to block ssh to the firewall from other sources." ro="False">
|
|
<NAT id="id154500X32012" name="NAT" comment="" ro="False" ipv4_rule_set="False" ipv6_rule_set="False" top_rule_set="True">
|
|
<RuleSetOptions/>
|
|
</NAT>
|
|
<Policy id="id154451X32012" name="Policy" comment="" ro="False" ipv4_rule_set="False" ipv6_rule_set="False" top_rule_set="True">
|
|
<PolicyRule id="id154452X32012" disabled="False" group="" log="False" position="0" action="Accept" direction="Both" comment="">
|
|
<Src neg="False">
|
|
<ObjectRef ref="id161498X32012"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="id154445X32012"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="tcp-SSH"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="pf_classify_str"></Option>
|
|
<Option name="stateless">False</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<!-- Rule 1: deny every service from any source to the firewall itself. Only the ssh rule at
     position 0 (sources = group1, i.e. hostA and hostB) is allowed through before this rule.
     log="False" means attempts to reach the firewall from unauthorised sources are dropped
     silently; a practitioner would normally want log="True" here so such attempts show up
     in the logs (the catch-all deny at position 3 is unlogged as well). stateless="True" is
     fine for a deny rule, no state entry is needed. -->
<PolicyRule id="id154464X32012" disabled="False" group="" log="False" position="1" action="Deny" direction="Both" comment="">
|
|
<Src neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="id154445X32012"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="pf_classify_str"></Option>
|
|
<Option name="stateless">True</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<PolicyRule id="id154476X32012" disabled="False" group="" log="False" position="2" action="Accept" direction="Both" comment="">
|
|
<Src neg="False">
|
|
<ObjectRef ref="id161501X32012"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="pf_classify_str"></Option>
|
|
<Option name="stateless">False</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<PolicyRule id="id154488X32012" disabled="False" group="" log="False" position="3" action="Deny" direction="Both" comment="">
|
|
<Src neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="pf_classify_str"></Option>
|
|
<Option name="stateless">True</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<RuleSetOptions/>
|
|
</Policy>
|
|
<Routing id="id154501X32012" name="Routing" comment="" ro="False" ipv4_rule_set="False" ipv6_rule_set="False" top_rule_set="True">
|
|
<RuleSetOptions/>
|
|
</Routing>
|
|
<Interface id="id154502X32012" dedicated_failover="False" dyn="False" label="" mgmt="False" security_level="0" unnum="False" unprotected="False" name="en1" comment="" ro="False">
|
|
<IPv4 id="id154504X32012" name="firewal11:en1:ip" comment="" ro="False" address="33.33.33.33" netmask="255.255.255.0"/>
|
|
<InterfaceOptions/>
|
|
</Interface>
|
|
<Interface id="id154505X32012" dedicated_failover="False" dyn="False" label="" mgmt="False" security_level="100" unnum="False" unprotected="False" name="en0" comment="" ro="False">
|
|
<IPv4 id="id154507X32012" name="firewal11:en0:ip" comment="" ro="False" address="192.168.1.1" netmask="255.255.255.0"/>
|
|
<InterfaceOptions/>
|
|
</Interface>
|
|
<Interface id="id154508X32012" dedicated_failover="False" dyn="False" label="" mgmt="False" security_level="100" unnum="False" unprotected="False" name="lo0" comment="" ro="False">
|
|
<IPv4 id="id154510X32012" name="firewal11:lo0:ip" comment="" ro="False" address="127.0.0.1" netmask="255.0.0.0"/>
|
|
<InterfaceOptions/>
|
|
</Interface>
|
|
<Interface id="id154511X32012" dedicated_failover="False" dyn="True" label="" mgmt="False" security_level="0" unnum="False" unprotected="False" name="ppp0" comment="" ro="False">
|
|
<InterfaceOptions/>
|
|
</Interface>
|
|
<Management address="0.0.0.0">
|
|
<SNMPManagement enabled="False" snmp_read_community="" snmp_write_community=""/>
|
|
<!-- NOTE(review): the fwbuilder policy-install channel is enabled on TCP port 9999 with an
     empty identity, while the Management element above carries address 0.0.0.0 rather than a
     concrete management address. Set a real, admin-network-only address here; also note that
     this firewall's policy (rule 1) denies every service to the firewall except ssh from
     group1, so port 9999 is not reachable unless a rule is added for it. What fwbuilder does
     with an unspecified 0.0.0.0 address cannot be told from this file, confirm before use. -->
<FWBDManagement enabled="True" identity="" port="9999"/>
|
|
<PolicyInstallScript arguments="" command="" enabled="False"/>
|
|
</Management>
|
|
<FirewallOptions>
|
|
<!-- NOTE(review): with rule-shadowing checks disabled the compiler will not warn when a later
     rule is fully shadowed by an earlier one, which is how an intended deny silently stops
     applying. firewall20 in this file has check_shading True; consider enabling it here too. -->
<Option name="check_shading">False</Option>
|
|
<Option name="cmdline"></Option>
|
|
<Option name="compiler"></Option>
|
|
<Option name="configure_interfaces">False</Option>
|
|
<Option name="debug">False</Option>
|
|
<Option name="firewall_dir">/etc</Option>
|
|
<Option name="ignore_empty_groups">False</Option>
|
|
<Option name="in_out_code">True</Option>
|
|
<Option name="log_prefix"></Option>
|
|
<Option name="manage_virtual_addr">False</Option>
|
|
<Option name="modulate_state">False</Option>
|
|
<Option name="no_optimisation">False</Option>
|
|
<Option name="openbsd_ip_forward">1</Option>
|
|
<Option name="openbsd_path_pfctl">/usr/sbin/pfctl</Option>
|
|
<Option name="openbsd_path_sysctl">/usr/sbin/sysctl</Option>
|
|
<Option name="pass_all_out">False</Option>
|
|
<Option name="pf_do_scrub">True</Option>
|
|
<Option name="pf_limit_frags">5000</Option>
|
|
<Option name="pf_limit_states">10000</Option>
|
|
<Option name="pf_optimization"></Option>
|
|
<Option name="pf_scrub_fragm_crop">False</Option>
|
|
<Option name="pf_scrub_fragm_drop_ovl">False</Option>
|
|
<Option name="pf_scrub_maxmss">1460</Option>
|
|
<Option name="pf_scrub_minttl">1</Option>
|
|
<Option name="pf_scrub_no_df">False</Option>
|
|
<Option name="pf_scrub_random_id">False</Option>
|
|
<Option name="pf_scrub_use_maxmss">False</Option>
|
|
<Option name="pf_scrub_use_minttl">False</Option>
|
|
<Option name="pf_timeout_frag">30</Option>
|
|
<Option name="pf_timeout_interval">10</Option>
|
|
<Option name="snmp_contact"></Option>
|
|
<Option name="snmp_description"></Option>
|
|
<Option name="snmp_location"></Option>
|
|
<Option name="use_tables">True</Option>
|
|
</FirewallOptions>
|
|
</Firewall>
|
|
</ObjectGroup>
|
|
<IntervalGroup id="id154444X32012" name="Time" comment="" ro="False"/>
|
|
</Library>
|
|
</FWObjectDatabase>
|