onkelbeh/fwbuilder
1
0
Fork 0
mirror of https://github.com/fwbuilder/fwbuilder synced 2026-03-21 02:37:16 +01:00
Code Issues Releases Wiki Activity
fwbuilder/test/ipt/optimizer_test.fwb
Vadim Kurland 0ee88506b5 * ../src/iptlib/NATCompiler_ipt.cpp (VerifyRules2::processNext): 
fixes #1109: "rules that do not pass verifyRules() checks may
cause compiler crash in test mode or gui crash in single rule
compile mode"
2010-01-20 02:55:38 +00:00

1338 lines
64 KiB
XML
Raw Blame History

<?xml version="1.0" encoding="utf-8"?>
<!DOCTYPE FWObjectDatabase SYSTEM "fwbuilder.dtd">
<FWObjectDatabase xmlns="http://www.fwbuilder.org/1.0/" version="16" id="root">
<Library id="id413EEA4C" color="#d2ffd0" name="User" comment="" ro="False">
<ObjectGroup id="id413EEA4D_clusters" name="Clusters" comment="" ro="False"/>
<ObjectGroup id="id413EEA4D" name="Objects" comment="" ro="False">
<ObjectGroup id="id413EEA4D_og_ats_1" name="Address Tables" comment="" ro="False"/>
<ObjectGroup id="id413EEA4D_og_dnsn_1" name="DNS Names" comment="" ro="False"/>
<ObjectGroup id="id413EEA4E" name="Addresses" comment="" ro="False"/>
<ObjectGroup id="id413EEA4F" name="Groups" comment="" ro="False"/>
<ObjectGroup id="id413EEA50" name="Hosts" comment="" ro="False">
<Host id="id413EEA6D" name="Inside Host 1" comment="" ro="False">
<Interface id="id413EEA6F" dedicated_failover="False" dyn="False" label="" security_level="0" unnum="False" unprotected="False" name="eth0" comment="" ro="False">
<IPv4 id="id413EEA71" name="Inside Host 1:eth0:ip" comment="" ro="False" address="10.0.1.1" netmask="255.255.255.0"/>
</Interface>
<Management address="0.0.0.0">
<SNMPManagement enabled="False" snmp_read_community="" snmp_write_community=""/>
<FWBDManagement enabled="False" identity="" port="-1"/>
<PolicyInstallScript arguments="" command="" enabled="False"/>
</Management>
<HostOptions>
<Option name="use_mac_addr_filter">False</Option>
</HostOptions>
</Host>
<Host id="id413EEA7C" name="Inside Host 2" comment="" ro="False">
<Interface id="id413EEA7F" dedicated_failover="False" dyn="False" label="" security_level="0" unnum="False" unprotected="False" name="eth0" comment="" ro="False">
<IPv4 id="id413EEA81" name="Inside Host 2:eth0:ip" comment="" ro="False" address="10.0.1.2" netmask="255.255.255.0"/>
</Interface>
<Management address="0.0.0.0">
<SNMPManagement enabled="False" snmp_read_community="" snmp_write_community=""/>
<FWBDManagement enabled="False" identity="" port="-1"/>
<PolicyInstallScript arguments="" command="" enabled="False"/>
</Management>
<HostOptions>
<Option name="use_mac_addr_filter">False</Option>
</HostOptions>
</Host>
<Host id="id413EEA8C" name="Inside Host 3" comment="" ro="False">
<Interface id="id413EEA8F" dedicated_failover="False" dyn="False" label="" security_level="0" unnum="False" unprotected="False" name="eth0" comment="" ro="False">
<IPv4 id="id413EEA91" name="Inside Host 3:eth0:ip" comment="" ro="False" address="10.0.1.3" netmask="255.255.255.0"/>
</Interface>
<Management address="0.0.0.0">
<SNMPManagement enabled="False" snmp_read_community="" snmp_write_community=""/>
<FWBDManagement enabled="False" identity="" port="-1"/>
<PolicyInstallScript arguments="" command="" enabled="False"/>
</Management>
<HostOptions>
<Option name="use_mac_addr_filter">False</Option>
</HostOptions>
</Host>
<Host id="id413EEA94" name="Inside Host 4" comment="" ro="False">
<Interface id="id413EEA97" dedicated_failover="False" dyn="False" label="" security_level="0" unnum="False" unprotected="False" name="eth0" comment="" ro="False">
<IPv4 id="id413EEA99" name="Inside Host 4:eth0:ip" comment="" ro="False" address="10.0.1.4" netmask="255.255.255.0"/>
</Interface>
<Management address="0.0.0.0">
<SNMPManagement enabled="False" snmp_read_community="" snmp_write_community=""/>
<FWBDManagement enabled="False" identity="" port="-1"/>
<PolicyInstallScript arguments="" command="" enabled="False"/>
</Management>
<HostOptions>
<Option name="use_mac_addr_filter">False</Option>
</HostOptions>
</Host>
<Host id="id413EEAA4" name="Outside Host 1" comment="" ro="False">
<Interface id="id413EEAA7" dedicated_failover="False" dyn="False" label="" security_level="0" unnum="False" unprotected="False" name="eth0" comment="" ro="False">
<IPv4 id="id413EEAA9" name="Outside Host 1:eth0:ip" comment="" ro="False" address="10.0.0.1" netmask="255.255.255.0"/>
</Interface>
<Management address="0.0.0.0">
<SNMPManagement enabled="False" snmp_read_community="" snmp_write_community=""/>
<FWBDManagement enabled="False" identity="" port="-1"/>
<PolicyInstallScript arguments="" command="" enabled="False"/>
</Management>
<HostOptions>
<Option name="use_mac_addr_filter">False</Option>
</HostOptions>
</Host>
<Host id="id413EEAB4" name="Outside Host 3" comment="" ro="False">
<Interface id="id413EEAB7" dedicated_failover="False" dyn="False" label="" security_level="0" unnum="False" unprotected="False" name="eth0" comment="" ro="False">
<IPv4 id="id413EEAB9" name="Outside Host 3:eth0:ip" comment="" ro="False" address="10.0.0.3" netmask="255.255.255.0"/>
</Interface>
<Management address="0.0.0.0">
<SNMPManagement enabled="False" snmp_read_community="" snmp_write_community=""/>
<FWBDManagement enabled="False" identity="" port="-1"/>
<PolicyInstallScript arguments="" command="" enabled="False"/>
</Management>
<HostOptions>
<Option name="use_mac_addr_filter">False</Option>
</HostOptions>
</Host>
<Host id="id413EEABC" name="Outside Host 4" comment="" ro="False">
<Interface id="id413EEABF" dedicated_failover="False" dyn="False" label="" security_level="0" unnum="False" unprotected="False" name="eth0" comment="" ro="False">
<IPv4 id="id413EEAC1" name="Outside Host 4:eth0:ip" comment="" ro="False" address="10.0.0.4" netmask="255.255.255.0"/>
</Interface>
<Management address="0.0.0.0">
<SNMPManagement enabled="False" snmp_read_community="" snmp_write_community=""/>
<FWBDManagement enabled="False" identity="" port="-1"/>
<PolicyInstallScript arguments="" command="" enabled="False"/>
</Management>
<HostOptions>
<Option name="use_mac_addr_filter">False</Option>
</HostOptions>
</Host>
<Host id="id413EEAC4" name="Outside Host 2" comment="" ro="False">
<Interface id="id413EEAC7" dedicated_failover="False" dyn="False" label="" security_level="0" unnum="False" unprotected="False" name="eth0" comment="" ro="False">
<IPv4 id="id413EEAC9" name="Outside Host 2:eth0:ip" comment="" ro="False" address="10.0.0.2" netmask="255.255.255.0"/>
</Interface>
<Management address="0.0.0.0">
<SNMPManagement enabled="False" snmp_read_community="" snmp_write_community=""/>
<FWBDManagement enabled="False" identity="" port="-1"/>
<PolicyInstallScript arguments="" command="" enabled="False"/>
</Management>
<HostOptions>
<Option name="use_mac_addr_filter">False</Option>
</HostOptions>
</Host>
</ObjectGroup>
<ObjectGroup id="id413EEA51" name="Networks" comment="" ro="False">
<Network id="id413EEACC" name="Test Network 1" comment="" ro="False" address="10.0.3.0" netmask="255.255.255.0"/>
<Network id="id4145F2F8" name="dmz_net" comment="DMZ net - using NAT" ro="False" address="192.168.2.0" netmask="255.255.255.0"/>
<Network id="id4145F2F7" name="Internal_net" comment="" ro="False" address="192.168.1.0" netmask="255.255.255.0"/>
</ObjectGroup>
<ObjectGroup id="id413EEA52" name="Address Ranges" comment="" ro="False"/>
</ObjectGroup>
<ServiceGroup id="id413EEA53" name="Services" comment="" ro="False">
<ServiceGroup id="id413EEA53_userservices" name="Users" comment="" ro="False"/>
<ServiceGroup id="id413EEA53_og_tag_1" name="TagServices" comment="" ro="False"/>
<ServiceGroup id="id413EEA54" name="Groups" comment="" ro="False"/>
<ServiceGroup id="id413EEA55" name="ICMP" comment="" ro="False"/>
<ServiceGroup id="id413EEA56" name="IP" comment="" ro="False"/>
<ServiceGroup id="id413EEA57" name="TCP" comment="" ro="False"/>
<ServiceGroup id="id413EEA58" name="UDP" comment="" ro="False"/>
<ServiceGroup id="id413EEA59" name="Custom" comment="" ro="False"/>
</ServiceGroup>
<ObjectGroup id="id413EEA5A" name="Firewalls" comment="" ro="False">
<Firewall id="id413EEA5C" host_OS="linux24" lastCompiled="0" lastInstalled="0" lastModified="0" platform="iptables" version="1.2.9" name="optitest" comment="" ro="False">
<NAT id="id413EEA60" name="NAT" comment="" ro="False" ipv4_rule_set="False" ipv6_rule_set="False" top_rule_set="True">
<RuleSetOptions/>
</NAT>
<Policy id="id413EEA5F" name="Policy" comment="" ro="False" ipv4_rule_set="False" ipv6_rule_set="False" top_rule_set="True">
<PolicyRule id="id4145343B" disabled="False" log="False" position="0" action="Accept" direction="Both" comment="Test 1 : Don't Optimize 1 dst">
<Src neg="False">
<ObjectRef ref="sysid0"/>
</Src>
<Dst neg="False">
<ObjectRef ref="id413EEAA4"/>
</Dst>
<Srv neg="False">
<ServiceRef ref="sysid1"/>
</Srv>
<Itf neg="False">
<ObjectRef ref="id413EEA61"/>
</Itf>
<When neg="False">
<IntervalRef ref="sysid2"/>
</When>
<PolicyRuleOptions>
<Option name="color">#7694C0</Option>
</PolicyRuleOptions>
</PolicyRule>
<PolicyRule id="id41453449" disabled="False" log="False" position="1" action="Accept" direction="Both" comment="Test 2 : Don't Optimize 1 service">
<Src neg="False">
<ObjectRef ref="sysid0"/>
</Src>
<Dst neg="False">
<ObjectRef ref="sysid0"/>
</Dst>
<Srv neg="False">
<ServiceRef ref="tcp-HTTP"/>
</Srv>
<Itf neg="False">
<ObjectRef ref="id413EEA61"/>
</Itf>
<When neg="False">
<IntervalRef ref="sysid2"/>
</When>
<PolicyRuleOptions>
<Option name="color">#7694C0</Option>
</PolicyRuleOptions>
</PolicyRule>
<PolicyRule id="id41453457" disabled="False" log="False" position="2" action="Accept" direction="Both" comment="Test 3 : Don't Optimize 1 src &amp; 1 dst">
<Src neg="False">
<ObjectRef ref="id413EEA6D"/>
</Src>
<Dst neg="False">
<ObjectRef ref="id413EEAA4"/>
</Dst>
<Srv neg="False">
<ServiceRef ref="sysid1"/>
</Srv>
<Itf neg="False">
<ObjectRef ref="id413EEA61"/>
</Itf>
<When neg="False">
<IntervalRef ref="sysid2"/>
</When>
<PolicyRuleOptions>
<Option name="color">#7694C0</Option>
</PolicyRuleOptions>
</PolicyRule>
<PolicyRule id="id41453465" disabled="False" log="False" position="3" action="Accept" direction="Both" comment="Test 4 : Don't Optimize 1 src &amp; 1 service">
<Src neg="False">
<ObjectRef ref="id413EEA6D"/>
</Src>
<Dst neg="False">
<ObjectRef ref="sysid0"/>
</Dst>
<Srv neg="False">
<ServiceRef ref="tcp-HTTP"/>
</Srv>
<Itf neg="False">
<ObjectRef ref="id413EEA61"/>
</Itf>
<When neg="False">
<IntervalRef ref="sysid2"/>
</When>
<PolicyRuleOptions>
<Option name="color">#7694C0</Option>
</PolicyRuleOptions>
</PolicyRule>
<PolicyRule id="id41453473" disabled="False" log="False" position="4" action="Accept" direction="Both" comment="Test 5 : Don't Optimize 1 dst &amp; 1 service">
<Src neg="False">
<ObjectRef ref="sysid0"/>
</Src>
<Dst neg="False">
<ObjectRef ref="id413EEAA4"/>
</Dst>
<Srv neg="False">
<ServiceRef ref="tcp-HTTP"/>
</Srv>
<Itf neg="False">
<ObjectRef ref="id413EEA61"/>
</Itf>
<When neg="False">
<IntervalRef ref="sysid2"/>
</When>
<PolicyRuleOptions>
<Option name="color">#7694C0</Option>
</PolicyRuleOptions>
</PolicyRule>
<PolicyRule id="id41453481" disabled="False" log="False" position="5" action="Accept" direction="Both" comment="Test 6 : Don't Optimize 1 src, 1 dst &amp; 1 service">
<Src neg="False">
<ObjectRef ref="id413EEA6D"/>
</Src>
<Dst neg="False">
<ObjectRef ref="id413EEAA4"/>
</Dst>
<Srv neg="False">
<ServiceRef ref="tcp-HTTP"/>
</Srv>
<Itf neg="False">
<ObjectRef ref="id413EEA61"/>
</Itf>
<When neg="False">
<IntervalRef ref="sysid2"/>
</When>
<PolicyRuleOptions>
<Option name="color">#7694C0</Option>
</PolicyRuleOptions>
</PolicyRule>
<PolicyRule id="id4145348F" disabled="False" log="True" position="6" action="Accept" direction="Both" comment="Test 7 : Optimize : src, dst, svc&#10;Time should appear on the src rules in the FORWARD table&#10;+Logging&#10;">
<Src neg="False">
<ObjectRef ref="id413EEA6D"/>
<ObjectRef ref="id413EEA7C"/>
</Src>
<Dst neg="False">
<ObjectRef ref="id413EEAA4"/>
<ObjectRef ref="id413EEAC4"/>
</Dst>
<Srv neg="False">
<ServiceRef ref="tcp-FTP"/>
<ServiceRef ref="id4127EA73"/>
</Srv>
<Itf neg="False">
<ObjectRef ref="id413EEA61"/>
</Itf>
<When neg="False">
<IntervalRef ref="id413EEACD"/>
</When>
<PolicyRuleOptions>
<Option name="color">#C0BA44</Option>
</PolicyRuleOptions>
</PolicyRule>
<PolicyRule id="id414534A0" disabled="False" log="False" position="7" action="Accept" direction="Both" comment="Test 7 : Optimize on service - dsts -&gt; user chain">
<Src neg="False">
<ObjectRef ref="sysid0"/>
</Src>
<Dst neg="False">
<ObjectRef ref="id413EEAA4"/>
<ObjectRef ref="id413EEAC4"/>
<ObjectRef ref="id413EEAB4"/>
</Dst>
<Srv neg="False">
<ServiceRef ref="tcp-HTTP"/>
</Srv>
<Itf neg="False">
<ObjectRef ref="id413EEA61"/>
</Itf>
<When neg="False">
<IntervalRef ref="sysid2"/>
</When>
<PolicyRuleOptions>
<Option name="color">#8BC065</Option>
</PolicyRuleOptions>
</PolicyRule>
<PolicyRule id="id414534B0" disabled="False" log="False" position="8" action="Accept" direction="Both" comment="Test 8 : Optimize on service - srcs -&gt; user chain">
<Src neg="False">
<ObjectRef ref="id413EEA6D"/>
<ObjectRef ref="id413EEA7C"/>
<ObjectRef ref="id413EEA8C"/>
</Src>
<Dst neg="False">
<ObjectRef ref="sysid0"/>
</Dst>
<Srv neg="False">
<ServiceRef ref="tcp-HTTP"/>
</Srv>
<Itf neg="False">
<ObjectRef ref="id413EEA61"/>
</Itf>
<When neg="False">
<IntervalRef ref="sysid2"/>
</When>
<PolicyRuleOptions>
<Option name="color">#8BC065</Option>
</PolicyRuleOptions>
</PolicyRule>
<PolicyRule id="id414534C0" disabled="False" log="False" position="9" action="Reject" direction="Both" comment="Test 9 : Optimize on service - srcs -&gt; user chain&#10; Dst to stay on rule in FORWARD table&#10;&#10;+ options TCP RST Reject Test">
<Src neg="False">
<ObjectRef ref="id413EEA6D"/>
<ObjectRef ref="id413EEA7C"/>
<ObjectRef ref="id413EEA8C"/>
</Src>
<Dst neg="False">
<ObjectRef ref="id413EEAA4"/>
</Dst>
<Srv neg="False">
<ServiceRef ref="tcp-HTTP"/>
</Srv>
<Itf neg="False">
<ObjectRef ref="id413EEA61"/>
</Itf>
<When neg="False">
<IntervalRef ref="sysid2"/>
</When>
<PolicyRuleOptions>
<Option name="action_on_reject">TCP RST</Option>
<Option name="color">#8BC065</Option>
<Option name="firewall_is_part_of_any_and_networks">False</Option>
<Option name="limit_burst">0</Option>
<Option name="limit_suffix"></Option>
<Option name="limit_value">0</Option>
<Option name="log_level"></Option>
<Option name="log_prefix"></Option>
<Option name="stateless">True</Option>
<Option name="ulog_nlgroup">1</Option>
</PolicyRuleOptions>
</PolicyRule>
<PolicyRule id="id414534D0" disabled="False" log="True" position="10" action="Accept" direction="Both" comment="Test 10 : Optimize on src &amp; dst, services -&gt; user chain&#10;+ Logging ">
<Src neg="False">
<ObjectRef ref="id413EEA6D"/>
</Src>
<Dst neg="False">
<ObjectRef ref="id413EEAA4"/>
</Dst>
<Srv neg="False">
<ServiceRef ref="tcp-HTTP"/>
<ServiceRef ref="id4127EA73"/>
<ServiceRef ref="id3C20EEB5"/>
</Srv>
<Itf neg="False">
<ObjectRef ref="id413EEA61"/>
</Itf>
<When neg="False">
<IntervalRef ref="sysid2"/>
</When>
<PolicyRuleOptions>
<Option name="color">#8BC065</Option>
</PolicyRuleOptions>
</PolicyRule>
<PolicyRule id="id414534E0" disabled="False" log="False" position="11" action="Accept" direction="Both" comment="Test 11 : Special case - with multiport we shouldn't&#10;optimize here as all services are TCP and we have &lt;15&#10;of them&#10;&#10;NOT OPTIMUM - We've split before multiport which re-merges multiple services of the same type&#10;SOLUTION ?">
<Src neg="False">
<ObjectRef ref="id413EEA6D"/>
</Src>
<Dst neg="False">
<ObjectRef ref="id413EEAA4"/>
</Dst>
<Srv neg="False">
<ServiceRef ref="tcp-FTP"/>
<ServiceRef ref="tcp-HTTP"/>
</Srv>
<Itf neg="False">
<ObjectRef ref="id413EEA61"/>
</Itf>
<When neg="False">
<IntervalRef ref="sysid2"/>
</When>
<PolicyRuleOptions>
<Option name="color">#C86E6E</Option>
</PolicyRuleOptions>
</PolicyRule>
<PolicyRule id="id414534EF" disabled="False" log="True" position="12" action="Accept" direction="Both" comment="Test 12 : Optimize : src, dst, svc&#10;+ options limit test&#10;+ logging">
<Src neg="False">
<ObjectRef ref="id413EEA7C"/>
</Src>
<Dst neg="False">
<ObjectRef ref="id413EEAA4"/>
<ObjectRef ref="id413EEAC4"/>
<ObjectRef ref="id413EEAB4"/>
</Dst>
<Srv neg="False">
<ServiceRef ref="tcp-FTP"/>
<ServiceRef ref="id3C20EEB5"/>
<ServiceRef ref="id4127EA73"/>
<ServiceRef ref="id3CB12797"/>
</Srv>
<Itf neg="False">
<ObjectRef ref="id413EEA61"/>
</Itf>
<When neg="False">
<IntervalRef ref="sysid2"/>
</When>
<PolicyRuleOptions>
<Option name="action_on_reject"></Option>
<Option name="color">#8BC065</Option>
<Option name="firewall_is_part_of_any_and_networks">False</Option>
<Option name="limit_burst">4</Option>
<Option name="limit_suffix"></Option>
<Option name="limit_value">8</Option>
<Option name="log_level"></Option>
<Option name="log_prefix"></Option>
<Option name="stateless">False</Option>
<Option name="ulog_nlgroup">1</Option>
</PolicyRuleOptions>
</PolicyRule>
<PolicyRule id="id41453502" disabled="False" log="True" position="13" action="Accept" direction="Both" comment="Test 13 : Optimize : src, dst, svc&#10;Time should appear on the src rules in the FORWARD table&#10;+Logging&#10;&#10;NOT OPTIMUM : Time appears in Logging&#10;SOLUTION : Patch logging not to include time?">
<Src neg="False">
<ObjectRef ref="id413EEA6D"/>
<ObjectRef ref="id413EEA7C"/>
</Src>
<Dst neg="False">
<ObjectRef ref="id413EEAA4"/>
<ObjectRef ref="id413EEAC4"/>
<ObjectRef ref="id413EEAB4"/>
</Dst>
<Srv neg="False">
<ServiceRef ref="tcp-FTP"/>
<ServiceRef ref="id3C20EEB5"/>
<ServiceRef ref="id4127EA73"/>
<ServiceRef ref="id3CB12797"/>
</Srv>
<Itf neg="False">
<ObjectRef ref="id413EEA61"/>
</Itf>
<When neg="False">
<IntervalRef ref="id413EEACD"/>
</When>
<PolicyRuleOptions>
<Option name="color">#C0BA44</Option>
</PolicyRuleOptions>
</PolicyRule>
<PolicyRule id="id41453516" disabled="False" log="False" position="14" action="Accept" direction="Both" comment="Test 14 : Optimize : src, dst, svc&#10;Time should appear on the service rules&#10;since we there are two of them and we don't optimize&#10;for time (yet!)&#10;+ Logging&#10;&#10;NOT OPTIMUM : Time appears in Logging&#10;SOLUTION : Patch logging not to include time?">
<Src neg="False">
<ObjectRef ref="id413EEA6D"/>
<ObjectRef ref="id413EEA7C"/>
</Src>
<Dst neg="False">
<ObjectRef ref="id413EEAA4"/>
<ObjectRef ref="id413EEAC4"/>
<ObjectRef ref="id413EEAB4"/>
</Dst>
<Srv neg="False">
<ServiceRef ref="tcp-FTP"/>
<ServiceRef ref="id3C20EEB5"/>
<ServiceRef ref="id4127EA73"/>
<ServiceRef ref="id3CB12797"/>
</Srv>
<Itf neg="False">
<ObjectRef ref="id413EEA61"/>
</Itf>
<When neg="False">
<IntervalRef ref="id413EEACD"/>
<IntervalRef ref="id413EEACE"/>
</When>
<PolicyRuleOptions>
<Option name="color">#C0BA44</Option>
</PolicyRuleOptions>
</PolicyRule>
<PolicyRule id="id4145352B" disabled="False" log="False" position="15" action="Reject" direction="Both" comment="Test 15 : Don't optimize if we have limit options">
<Src neg="False">
<ObjectRef ref="id413EEA6D"/>
</Src>
<Dst neg="False">
<ObjectRef ref="id413EEAC4"/>
</Dst>
<Srv neg="False">
<ServiceRef ref="tcp-HTTP"/>
</Srv>
<Itf neg="False">
<ObjectRef ref="id413EEA61"/>
</Itf>
<When neg="False">
<IntervalRef ref="sysid2"/>
</When>
<PolicyRuleOptions>
<Option name="action_on_reject">TCP RST</Option>
<Option name="color">#7694C0</Option>
<Option name="firewall_is_part_of_any_and_networks">False</Option>
<Option name="limit_burst">4</Option>
<Option name="limit_suffix"></Option>
<Option name="limit_value">8</Option>
<Option name="log_level"></Option>
<Option name="log_prefix"></Option>
<Option name="stateless">True</Option>
<Option name="ulog_nlgroup">1</Option>
</PolicyRuleOptions>
</PolicyRule>
<PolicyRule id="id41453539" disabled="False" log="True" position="16" action="Deny" direction="Both" comment="Test 16 : Check INPUT/OUPUT with FW part of rule">
<Src neg="False">
<ObjectRef ref="sysid0"/>
</Src>
<Dst neg="False">
<ObjectRef ref="id413EEA5C"/>
<ObjectRef ref="id413EEAA4"/>
</Dst>
<Srv neg="False">
<ServiceRef ref="tcp-FTP"/>
</Srv>
<Itf neg="False">
<ObjectRef ref="id413EEA61"/>
</Itf>
<When neg="False">
<IntervalRef ref="sysid2"/>
</When>
<PolicyRuleOptions>
<Option name="color">#8BC065</Option>
<Option name="stateless">True</Option>
</PolicyRuleOptions>
</PolicyRule>
<PolicyRule id="id4145342D" disabled="False" log="False" position="17" action="Accept" direction="Both" comment="Test 0 : Don't Optimize 1 src">
<Src neg="False">
<ObjectRef ref="id413EEA6D"/>
</Src>
<Dst neg="False">
<ObjectRef ref="sysid0"/>
</Dst>
<Srv neg="False">
<ServiceRef ref="sysid1"/>
</Srv>
<Itf neg="False">
<ObjectRef ref="id413EEA61"/>
</Itf>
<When neg="False">
<IntervalRef ref="sysid2"/>
</When>
<PolicyRuleOptions>
<Option name="color">#7694C0</Option>
</PolicyRuleOptions>
</PolicyRule>
<PolicyRule id="id413EEF55" disabled="False" log="False" position="18" action="Accept" direction="Both" comment="Test 0 : Don't Optimize 1 src">
<Src neg="False">
<ObjectRef ref="id413EEA6D"/>
</Src>
<Dst neg="False">
<ObjectRef ref="sysid0"/>
</Dst>
<Srv neg="False">
<ServiceRef ref="sysid1"/>
</Srv>
<Itf neg="False">
<ObjectRef ref="sysid0"/>
</Itf>
<When neg="False">
<IntervalRef ref="sysid2"/>
</When>
<PolicyRuleOptions>
<Option name="color">#7694C0</Option>
</PolicyRuleOptions>
</PolicyRule>
<PolicyRule id="id413EEF0A" disabled="False" log="False" position="19" action="Accept" direction="Both" comment="Test 1 : Don't Optimize 1 dst">
<Src neg="False">
<ObjectRef ref="sysid0"/>
</Src>
<Dst neg="False">
<ObjectRef ref="id413EEAA4"/>
</Dst>
<Srv neg="False">
<ServiceRef ref="sysid1"/>
</Srv>
<Itf neg="False">
<ObjectRef ref="sysid0"/>
</Itf>
<When neg="False">
<IntervalRef ref="sysid2"/>
</When>
<PolicyRuleOptions>
<Option name="color">#7694C0</Option>
</PolicyRuleOptions>
</PolicyRule>
<PolicyRule id="id413EEEFF" disabled="False" log="False" position="20" action="Accept" direction="Both" comment="Test 2 : Don't Optimize 1 service">
<Src neg="False">
<ObjectRef ref="sysid0"/>
</Src>
<Dst neg="False">
<ObjectRef ref="sysid0"/>
</Dst>
<Srv neg="False">
<ServiceRef ref="tcp-HTTP"/>
</Srv>
<Itf neg="False">
<ObjectRef ref="sysid0"/>
</Itf>
<When neg="False">
<IntervalRef ref="sysid2"/>
</When>
<PolicyRuleOptions>
<Option name="color">#7694C0</Option>
</PolicyRuleOptions>
</PolicyRule>
<PolicyRule id="id413EEF80" disabled="False" log="False" position="21" action="Accept" direction="Both" comment="Test 3 : Don't Optimize 1 src &amp; 1 dst">
<Src neg="False">
<ObjectRef ref="id413EEA6D"/>
</Src>
<Dst neg="False">
<ObjectRef ref="id413EEAA4"/>
</Dst>
<Srv neg="False">
<ServiceRef ref="sysid1"/>
</Srv>
<Itf neg="False">
<ObjectRef ref="sysid0"/>
</Itf>
<When neg="False">
<IntervalRef ref="sysid2"/>
</When>
<PolicyRuleOptions>
<Option name="color">#7694C0</Option>
</PolicyRuleOptions>
</PolicyRule>
<PolicyRule id="id413EEFE0" disabled="False" log="False" position="22" action="Accept" direction="Both" comment="Test 4 : Don't Optimize 1 src &amp; 1 service">
<Src neg="False">
<ObjectRef ref="id413EEA6D"/>
</Src>
<Dst neg="False">
<ObjectRef ref="sysid0"/>
</Dst>
<Srv neg="False">
<ServiceRef ref="tcp-HTTP"/>
</Srv>
<Itf neg="False">
<ObjectRef ref="sysid0"/>
</Itf>
<When neg="False">
<IntervalRef ref="sysid2"/>
</When>
<PolicyRuleOptions>
<Option name="color">#7694C0</Option>
</PolicyRuleOptions>
</PolicyRule>
<PolicyRule id="id413EEFB4" disabled="False" log="False" position="23" action="Accept" direction="Both" comment="Test 5 : Don't Optimize 1 dst &amp; 1 service">
<Src neg="False">
<ObjectRef ref="sysid0"/>
</Src>
<Dst neg="False">
<ObjectRef ref="id413EEAA4"/>
</Dst>
<Srv neg="False">
<ServiceRef ref="tcp-HTTP"/>
</Srv>
<Itf neg="False">
<ObjectRef ref="sysid0"/>
</Itf>
<When neg="False">
<IntervalRef ref="sysid2"/>
</When>
<PolicyRuleOptions>
<Option name="color">#7694C0</Option>
</PolicyRuleOptions>
</PolicyRule>
<PolicyRule id="id413EF013" disabled="False" log="False" position="24" action="Accept" direction="Both" comment="Test 6 : Don't Optimize 1 src, 1 dst &amp; 1 service">
<Src neg="False">
<ObjectRef ref="id413EEA6D"/>
</Src>
<Dst neg="False">
<ObjectRef ref="id413EEAA4"/>
</Dst>
<Srv neg="False">
<ServiceRef ref="tcp-HTTP"/>
</Srv>
<Itf neg="False">
<ObjectRef ref="sysid0"/>
</Itf>
<When neg="False">
<IntervalRef ref="sysid2"/>
</When>
<PolicyRuleOptions>
<Option name="color">#7694C0</Option>
</PolicyRuleOptions>
</PolicyRule>
<PolicyRule id="id413FD6F5" disabled="False" log="True" position="25" action="Accept" direction="Both" comment="Test 7 : Optimize : src, dst, svc&#10;Time should appear on the src rules in the FORWARD table&#10;+Logging&#10;">
<Src neg="False">
<ObjectRef ref="id413EEA6D"/>
<ObjectRef ref="id413EEA7C"/>
</Src>
<Dst neg="False">
<ObjectRef ref="id413EEAA4"/>
<ObjectRef ref="id413EEAC4"/>
</Dst>
<Srv neg="False">
<ServiceRef ref="tcp-FTP"/>
<ServiceRef ref="id4127EA73"/>
</Srv>
<Itf neg="False">
<ObjectRef ref="sysid0"/>
</Itf>
<When neg="False">
<IntervalRef ref="id413EEACD"/>
</When>
<PolicyRuleOptions>
<Option name="color">#C0BA44</Option>
</PolicyRuleOptions>
</PolicyRule>
<PolicyRule id="id413EF03D" disabled="False" log="False" position="26" action="Accept" direction="Both" comment="Test 7 : Optimize on service - dsts -&gt; user chain">
<Src neg="False">
<ObjectRef ref="sysid0"/>
</Src>
<Dst neg="False">
<ObjectRef ref="id413EEAA4"/>
<ObjectRef ref="id413EEAC4"/>
<ObjectRef ref="id413EEAB4"/>
</Dst>
<Srv neg="False">
<ServiceRef ref="tcp-HTTP"/>
</Srv>
<Itf neg="False">
<ObjectRef ref="sysid0"/>
</Itf>
<When neg="False">
<IntervalRef ref="sysid2"/>
</When>
<PolicyRuleOptions>
<Option name="color">#8BC065</Option>
</PolicyRuleOptions>
</PolicyRule>
<PolicyRule id="id413EF062" disabled="False" log="False" position="27" action="Accept" direction="Both" comment="Test 8 : Optimize on service - srcs -&gt; user chain">
<Src neg="False">
<ObjectRef ref="id413EEA6D"/>
<ObjectRef ref="id413EEA7C"/>
<ObjectRef ref="id413EEA8C"/>
</Src>
<Dst neg="False">
<ObjectRef ref="sysid0"/>
</Dst>
<Srv neg="False">
<ServiceRef ref="tcp-HTTP"/>
</Srv>
<Itf neg="False">
<ObjectRef ref="sysid0"/>
</Itf>
<When neg="False">
<IntervalRef ref="sysid2"/>
</When>
<PolicyRuleOptions>
<Option name="color">#8BC065</Option>
</PolicyRuleOptions>
</PolicyRule>
<PolicyRule id="id413EF08B" disabled="False" log="False" position="28" action="Reject" direction="Both" comment="Test 9 : Optimize on service - srcs -&gt; user chain&#10; Dst to stay on rule in FORWARD table&#10;&#10;+ options TCP RST Reject Test">
<Src neg="False">
<ObjectRef ref="id413EEA6D"/>
<ObjectRef ref="id413EEA7C"/>
<ObjectRef ref="id413EEA8C"/>
</Src>
<Dst neg="False">
<ObjectRef ref="id413EEAA4"/>
</Dst>
<Srv neg="False">
<ServiceRef ref="tcp-HTTP"/>
</Srv>
<Itf neg="False">
<ObjectRef ref="sysid0"/>
</Itf>
<When neg="False">
<IntervalRef ref="sysid2"/>
</When>
<PolicyRuleOptions>
<Option name="action_on_reject">TCP RST</Option>
<Option name="color">#8BC065</Option>
<Option name="firewall_is_part_of_any_and_networks">False</Option>
<Option name="limit_burst">0</Option>
<Option name="limit_suffix"></Option>
<Option name="limit_value">0</Option>
<Option name="log_level"></Option>
<Option name="log_prefix"></Option>
<Option name="stateless">True</Option>
<Option name="ulog_nlgroup">1</Option>
</PolicyRuleOptions>
</PolicyRule>
<PolicyRule id="id413F033B" disabled="False" log="True" position="29" action="Accept" direction="Both" comment="Test 10 : Optimize on src &amp; dst, services -&gt; user chain&#10;+ Logging ">
<Src neg="False">
<ObjectRef ref="id413EEA6D"/>
</Src>
<Dst neg="False">
<ObjectRef ref="id413EEAA4"/>
</Dst>
<Srv neg="False">
<ServiceRef ref="tcp-HTTP"/>
<ServiceRef ref="id4127EA73"/>
<ServiceRef ref="id3C20EEB5"/>
</Srv>
<Itf neg="False">
<ObjectRef ref="sysid0"/>
</Itf>
<When neg="False">
<IntervalRef ref="sysid2"/>
</When>
<PolicyRuleOptions>
<Option name="color">#8BC065</Option>
</PolicyRuleOptions>
</PolicyRule>
<PolicyRule id="id413F0486" disabled="False" log="False" position="30" action="Accept" direction="Both" comment="Test 11 : Special case - with multiport we shouldn't&#10;optimize here as all services are TCP and we have &lt;15&#10;of them&#10;&#10;NOT OPTIMUM - We've split before multiport which re-merges multiple services of the same type&#10;SOLUTION ?">
<Src neg="False">
<ObjectRef ref="id413EEA6D"/>
</Src>
<Dst neg="False">
<ObjectRef ref="id413EEAA4"/>
</Dst>
<Srv neg="False">
<ServiceRef ref="tcp-FTP"/>
<ServiceRef ref="tcp-HTTP"/>
</Srv>
<Itf neg="False">
<ObjectRef ref="sysid0"/>
</Itf>
<When neg="False">
<IntervalRef ref="sysid2"/>
</When>
<PolicyRuleOptions>
<Option name="color">#C86E6E</Option>
</PolicyRuleOptions>
</PolicyRule>
<PolicyRule id="id413EEACF" disabled="False" log="True" position="31" action="Accept" direction="Both" comment="Test 12 : Optimize : src, dst, svc&#10;+ options limit test&#10;+ logging">
<Src neg="False">
<ObjectRef ref="id413EEA7C"/>
</Src>
<Dst neg="False">
<ObjectRef ref="id413EEAA4"/>
<ObjectRef ref="id413EEAC4"/>
<ObjectRef ref="id413EEAB4"/>
</Dst>
<Srv neg="False">
<ServiceRef ref="tcp-FTP"/>
<ServiceRef ref="id3C20EEB5"/>
<ServiceRef ref="id4127EA73"/>
<ServiceRef ref="id3CB12797"/>
</Srv>
<Itf neg="False">
<ObjectRef ref="sysid0"/>
</Itf>
<When neg="False">
<IntervalRef ref="sysid2"/>
</When>
<PolicyRuleOptions>
<Option name="action_on_reject"></Option>
<Option name="color">#8BC065</Option>
<Option name="firewall_is_part_of_any_and_networks">False</Option>
<Option name="limit_burst">4</Option>
<Option name="limit_suffix"></Option>
<Option name="limit_value">8</Option>
<Option name="log_level"></Option>
<Option name="log_prefix"></Option>
<Option name="stateless">False</Option>
<Option name="ulog_nlgroup">1</Option>
</PolicyRuleOptions>
</PolicyRule>
<PolicyRule id="id413EEDC5" disabled="False" log="True" position="32" action="Accept" direction="Both" comment="Test 13 : Optimize : src, dst, svc&#10;Time should appear on the src rules in the FORWARD table&#10;+Logging&#10;&#10;NOT OPTIMUM : Time appears in Logging&#10;SOLUTION : Patch logging not to include time?">
<Src neg="False">
<ObjectRef ref="id413EEA6D"/>
<ObjectRef ref="id413EEA7C"/>
</Src>
<Dst neg="False">
<ObjectRef ref="id413EEAA4"/>
<ObjectRef ref="id413EEAC4"/>
<ObjectRef ref="id413EEAB4"/>
</Dst>
<Srv neg="False">
<ServiceRef ref="tcp-FTP"/>
<ServiceRef ref="id3C20EEB5"/>
<ServiceRef ref="id4127EA73"/>
<ServiceRef ref="id3CB12797"/>
</Srv>
<Itf neg="False">
<ObjectRef ref="sysid0"/>
</Itf>
<When neg="False">
<IntervalRef ref="id413EEACD"/>
</When>
<PolicyRuleOptions>
<Option name="color">#C0BA44</Option>
</PolicyRuleOptions>
</PolicyRule>
<PolicyRule id="id413EEE2D" disabled="False" log="False" position="33" action="Accept" direction="Both" comment="Test 14 : Optimize : src, dst, svc&#10;Time should appear on the service rules&#10;since we there are two of them and we don't optimize&#10;for time (yet!)&#10;+ Logging&#10;&#10;NOT OPTIMUM : Time appears in Logging&#10;SOLUTION : Patch logging not to include time?">
<Src neg="False">
<ObjectRef ref="id413EEA6D"/>
<ObjectRef ref="id413EEA7C"/>
</Src>
<Dst neg="False">
<ObjectRef ref="id413EEAA4"/>
<ObjectRef ref="id413EEAC4"/>
<ObjectRef ref="id413EEAB4"/>
</Dst>
<Srv neg="False">
<ServiceRef ref="tcp-FTP"/>
<ServiceRef ref="id3C20EEB5"/>
<ServiceRef ref="id4127EA73"/>
<ServiceRef ref="id3CB12797"/>
</Srv>
<Itf neg="False">
<ObjectRef ref="sysid0"/>
</Itf>
<When neg="False">
<IntervalRef ref="id413EEACD"/>
<IntervalRef ref="id413EEACE"/>
</When>
<PolicyRuleOptions>
<Option name="color">#C0BA44</Option>
</PolicyRuleOptions>
</PolicyRule>
<PolicyRule id="id413F065C" disabled="False" log="False" position="34" action="Reject" direction="Both" comment="Test 15 : Don't optimize if we have limit options">
<Src neg="False">
<ObjectRef ref="id413EEA6D"/>
</Src>
<Dst neg="False">
<ObjectRef ref="id413EEAC4"/>
</Dst>
<Srv neg="False">
<ServiceRef ref="tcp-HTTP"/>
</Srv>
<Itf neg="False">
<ObjectRef ref="sysid0"/>
</Itf>
<When neg="False">
<IntervalRef ref="sysid2"/>
</When>
<PolicyRuleOptions>
<Option name="action_on_reject">TCP RST</Option>
<Option name="color">#7694C0</Option>
<Option name="firewall_is_part_of_any_and_networks">False</Option>
<Option name="limit_burst">4</Option>
<Option name="limit_suffix"></Option>
<Option name="limit_value">8</Option>
<Option name="log_level"></Option>
<Option name="log_prefix"></Option>
<Option name="stateless">True</Option>
<Option name="ulog_nlgroup">1</Option>
</PolicyRuleOptions>
</PolicyRule>
<PolicyRule id="id413F0C67" disabled="False" log="True" position="35" action="Deny" direction="Both" comment="Test 16 : Check INPUT/OUPUT with FW part of rule">
<Src neg="False">
<ObjectRef ref="sysid0"/>
</Src>
<Dst neg="False">
<ObjectRef ref="id413EEA5C"/>
<ObjectRef ref="id413EEAA4"/>
</Dst>
<Srv neg="False">
<ServiceRef ref="tcp-FTP"/>
</Srv>
<Itf neg="False">
<ObjectRef ref="sysid0"/>
</Itf>
<When neg="False">
<IntervalRef ref="sysid2"/>
</When>
<PolicyRuleOptions>
<Option name="color">#8BC065</Option>
<Option name="stateless">True</Option>
</PolicyRuleOptions>
</PolicyRule>
<RuleSetOptions/>
</Policy>
<Routing id="id413EEA5C-routing" name="Routing" comment="" ro="False" ipv4_rule_set="False" ipv6_rule_set="False" top_rule_set="True">
<RuleSetOptions/>
</Routing>
<Interface id="id413EEA61" dedicated_failover="False" dyn="False" label="Outside" security_level="0" unnum="False" unprotected="False" name="eth0" comment="" ro="False">
<IPv4 id="id413EEA63" name="optitest:eth0:ip" comment="" ro="False" address="10.0.0.254" netmask="255.255.255.0"/>
</Interface>
<Interface id="id413EEA64" dedicated_failover="False" dyn="False" label="Inside" mgmt="True" security_level="100" unnum="False" unprotected="False" name="eth1" comment="" ro="False">
<IPv4 id="id413EEA66" name="optitest:eth1:ip" comment="" ro="False" address="10.0.1.254" netmask="255.255.255.0"/>
</Interface>
<Interface id="id413EEA67" dedicated_failover="False" dyn="False" label="DMZ" security_level="100" unnum="False" unprotected="False" name="eth2" comment="" ro="False">
<IPv4 id="id413EEA69" name="optitest:eth2:ip" comment="" ro="False" address="10.0.2.254" netmask="255.255.255.0"/>
</Interface>
<Management address="10.0.1.254">
<SNMPManagement enabled="False" snmp_read_community="" snmp_write_community=""/>
<FWBDManagement enabled="False" identity="" port="-1"/>
<PolicyInstallScript arguments="" command="" enabled="False"/>
</Management>
<FirewallOptions>
<Option name="accept_established">True</Option>
<Option name="accept_new_tcp_with_no_syn">True</Option>
<Option name="action_on_reject"></Option>
<Option name="activationCmd"></Option>
<Option name="admUser"></Option>
<Option name="altAddress"></Option>
<Option name="bridging_fw">False</Option>
<Option name="check_shading">False</Option>
<Option name="clamp_mss_to_mtu">False</Option>
<Option name="cmdline"></Option>
<Option name="compiler"></Option>
<Option name="configure_interfaces">False</Option>
<Option name="debug">False</Option>
<Option name="eliminate_duplicates">true</Option>
<Option name="firewall_dir">/etc</Option>
<Option name="firewall_is_part_of_any_and_networks">False</Option>
<Option name="freebsd_ip_forward">1</Option>
<Option name="ignore_empty_groups">False</Option>
<Option name="in_out_code">true</Option>
<Option name="limit_suffix">/second</Option>
<Option name="limit_value">5</Option>
<Option name="linux24_accept_redirects"></Option>
<Option name="linux24_accept_source_route"></Option>
<Option name="linux24_icmp_echo_ignore_all"></Option>
<Option name="linux24_icmp_echo_ignore_broadcasts"></Option>
<Option name="linux24_icmp_ignore_bogus_error_responses"></Option>
<Option name="linux24_ip_dynaddr"></Option>
<Option name="linux24_ip_forward">1</Option>
<Option name="linux24_log_martians"></Option>
<Option name="linux24_path_ip"></Option>
<Option name="linux24_path_iptables"></Option>
<Option name="linux24_path_logger"></Option>
<Option name="linux24_path_lsmod"></Option>
<Option name="linux24_path_modprobe"></Option>
<Option name="linux24_rp_filter"></Option>
<Option name="linux24_tcp_ecn"></Option>
<Option name="linux24_tcp_fack"></Option>
<Option name="linux24_tcp_fin_timeout">0</Option>
<Option name="linux24_tcp_keepalive_interval">0</Option>
<Option name="linux24_tcp_sack"></Option>
<Option name="linux24_tcp_syncookies"></Option>
<Option name="linux24_tcp_timestamps"></Option>
<Option name="linux24_tcp_window_scaling"></Option>
<Option name="load_modules">False</Option>
<Option name="local_nat">False</Option>
<Option name="log_all">False</Option>
<Option name="log_ip_opt">False</Option>
<Option name="log_level">info</Option>
<Option name="log_prefix">RULE %N -- %A </Option>
<Option name="log_tcp_opt">False</Option>
<Option name="log_tcp_seq">False</Option>
<Option name="loopback_interface">lo0</Option>
<Option name="macosx_ip_forward">1</Option>
<Option name="manage_virtual_addr">False</Option>
<Option name="mgmt_addr"></Option>
<Option name="mgmt_ssh">False</Option>
<Option name="openbsd_ip_forward">1</Option>
<Option name="pass_all_out">false</Option>
<Option name="pf_limit_frags">5000</Option>
<Option name="pf_limit_states">10000</Option>
<Option name="pf_scrub_maxmss">1460</Option>
<Option name="pf_timeout_frag">30</Option>
<Option name="pf_timeout_interval">10</Option>
<Option name="pix_add_clear_statements">true</Option>
<Option name="pix_assume_fw_part_of_any">true</Option>
<Option name="pix_default_logint">300</Option>
<Option name="pix_emblem_log_format">false</Option>
<Option name="pix_emulate_out_acl">true</Option>
<Option name="pix_floodguard">true</Option>
<Option name="pix_include_comments">true</Option>
<Option name="pix_route_dnat_supported">true</Option>
<Option name="pix_rule_syslog_settings">false</Option>
<Option name="pix_security_fragguard_supported">true</Option>
<Option name="pix_syslog_device_id_supported">false</Option>
<Option name="pix_use_acl_remarks">true</Option>
<Option name="prompt1">$ </Option>
<Option name="prompt2"> # </Option>
<Option name="solaris_ip_forward">1</Option>
<Option name="ulog_cprange">0</Option>
<Option name="ulog_nlgroup">1</Option>
<Option name="ulog_qthreshold">1</Option>
<Option name="use_ULOG">False</Option>
<Option name="use_numeric_log_levels">False</Option>
<Option name="verify_interfaces">False</Option>
</FirewallOptions>
</Firewall>
<Firewall id="id4145F25F" host_OS="linux24" lastCompiled="0" lastInstalled="0" lastModified="0" platform="iptables" version="" name="firewall99" comment="testing rules with action-on-reject &quot;TCP reset&quot;&#10;" ro="False">
<NAT id="id4145F2E2" name="NAT" comment="" ro="False" ipv4_rule_set="False" ipv6_rule_set="False" top_rule_set="True">
<RuleSetOptions/>
</NAT>
<Policy id="id4145F264" name="Policy" comment="" ro="False" ipv4_rule_set="False" ipv6_rule_set="False" top_rule_set="True">
<PolicyRule id="id4145F2B5" disabled="False" log="False" position="0" action="Reject" direction="Both" comment="">
<Src neg="False">
<ObjectRef ref="id4145F2F7"/>
</Src>
<Dst neg="False">
<ObjectRef ref="sysid0"/>
</Dst>
<Srv neg="False">
<ServiceRef ref="tcp-HTTP"/>
</Srv>
<Itf neg="False">
<ObjectRef ref="sysid0"/>
</Itf>
<When neg="False">
<IntervalRef ref="sysid2"/>
</When>
<PolicyRuleOptions>
<Option name="action_on_reject">TCP RST</Option>
<Option name="firewall_is_part_of_any_and_networks">False</Option>
<Option name="limit_burst">0</Option>
<Option name="limit_suffix"></Option>
<Option name="limit_value">0</Option>
<Option name="log_level"></Option>
<Option name="log_prefix"></Option>
<Option name="stateless">True</Option>
<Option name="ulog_nlgroup">1</Option>
</PolicyRuleOptions>
</PolicyRule>
<PolicyRule id="id4145F2BF" disabled="False" log="False" position="1" action="Reject" direction="Both" comment="">
<Src neg="False">
<ObjectRef ref="id4145F2F7"/>
<ObjectRef ref="id4145F2F8"/>
</Src>
<Dst neg="False">
<ObjectRef ref="sysid0"/>
</Dst>
<Srv neg="False">
<ServiceRef ref="tcp-HTTP"/>
</Srv>
<Itf neg="False">
<ObjectRef ref="sysid0"/>
</Itf>
<When neg="False">
<IntervalRef ref="sysid2"/>
</When>
<PolicyRuleOptions>
<Option name="action_on_reject">TCP RST</Option>
<Option name="firewall_is_part_of_any_and_networks">False</Option>
<Option name="limit_burst">0</Option>
<Option name="limit_suffix"></Option>
<Option name="limit_value">0</Option>
<Option name="log_level"></Option>
<Option name="log_prefix"></Option>
<Option name="stateless">True</Option>
<Option name="ulog_nlgroup">1</Option>
</PolicyRuleOptions>
</PolicyRule>
<PolicyRule id="id4145F2CA" disabled="False" log="False" position="2" action="Reject" direction="Both" comment="">
<Src neg="False">
<ObjectRef ref="id4145F2F7"/>
<ObjectRef ref="id4145F2F8"/>
</Src>
<Dst neg="False">
<ObjectRef ref="sysid0"/>
</Dst>
<Srv neg="False">
<ServiceRef ref="tcp-HTTP"/>
<ServiceRef ref="icmp-Unreachables"/>
</Srv>
<Itf neg="False">
<ObjectRef ref="sysid0"/>
</Itf>
<When neg="False">
<IntervalRef ref="sysid2"/>
</When>
<PolicyRuleOptions>
<Option name="action_on_reject">TCP RST</Option>
<Option name="firewall_is_part_of_any_and_networks">False</Option>
<Option name="limit_burst">0</Option>
<Option name="limit_suffix"></Option>
<Option name="limit_value">0</Option>
<Option name="log_level"></Option>
<Option name="log_prefix"></Option>
<Option name="stateless">True</Option>
<Option name="ulog_nlgroup">1</Option>
</PolicyRuleOptions>
</PolicyRule>
<PolicyRule id="id4145F2D6" disabled="False" log="False" position="3" action="Reject" direction="Both" comment="">
<Src neg="False">
<ObjectRef ref="id4145F2F7"/>
<ObjectRef ref="id4145F2F8"/>
</Src>
<Dst neg="False">
<ObjectRef ref="sysid0"/>
</Dst>
<Srv neg="False">
<ServiceRef ref="icmp-Unreachables"/>
<ServiceRef ref="tcp-FTP"/>
</Srv>
<Itf neg="False">
<ObjectRef ref="sysid0"/>
</Itf>
<When neg="False">
<IntervalRef ref="sysid2"/>
</When>
<PolicyRuleOptions>
<Option name="action_on_reject">TCP RST</Option>
<Option name="firewall_is_part_of_any_and_networks">False</Option>
<Option name="limit_burst">0</Option>
<Option name="limit_suffix"></Option>
<Option name="limit_value">0</Option>
<Option name="log_level"></Option>
<Option name="log_prefix"></Option>
<Option name="stateless">True</Option>
<Option name="ulog_nlgroup">1</Option>
</PolicyRuleOptions>
</PolicyRule>
<RuleSetOptions/>
</Policy>
<Routing id="id4145F25F-routing" name="Routing" comment="" ro="False" ipv4_rule_set="False" ipv6_rule_set="False" top_rule_set="True">
<RuleSetOptions/>
</Routing>
<Interface id="id4145F2E3" dedicated_failover="False" dyn="False" label="" mgmt="True" security_level="100" unnum="False" unprotected="False" name="eth0" comment="" ro="False">
<IPv4 id="id4145F2E7" name="firewall99:eth0:ip" comment="" ro="False" address="192.168.1.1" netmask="255.255.255.0"/>
</Interface>
<Interface id="id4145F2E8" dedicated_failover="False" dyn="False" security_level="0" unnum="False" unprotected="False" name="eth1" comment="" ro="False">
<IPv4 id="id4145F2EC" name="firewall99:eth1:ip" comment="" ro="False" address="22.22.22.22" netmask="255.255.255.0"/>
</Interface>
<Interface id="id4145F2ED" dedicated_failover="False" dyn="False" security_level="100" unnum="False" unprotected="False" name="lo" comment="" ro="False">
<IPv4 id="id4145F2F1" name="firewall99:lo:ip" comment="" ro="False" address="127.0.0.1" netmask="255.0.0.0"/>
</Interface>
<Management address="192.168.1.1">
<SNMPManagement enabled="False" snmp_read_community="public" snmp_write_community=""/>
<FWBDManagement enabled="True" identity="" port="9999"/>
<PolicyInstallScript arguments="" command="" enabled="False"/>
</Management>
<FirewallOptions>
<Option name="accept_established">True</Option>
<Option name="accept_new_tcp_with_no_syn">True</Option>
<Option name="action_on_reject">ICMP net unreachable</Option>
<Option name="bridging_fw">False</Option>
<Option name="check_shading">False</Option>
<Option name="clamp_mss_to_mtu">False</Option>
<Option name="cmdline"></Option>
<Option name="compiler"></Option>
<Option name="configure_interfaces">True</Option>
<Option name="debug">False</Option>
<Option name="dyn_addr">False</Option>
<Option name="firewall_is_part_of_any">True</Option>
<Option name="firewall_is_part_of_any_and_networks">True</Option>
<Option name="ignore_empty_groups">False</Option>
<Option name="inst_cmdline"></Option>
<Option name="inst_script"></Option>
<Option name="install_script"></Option>
<Option name="limit_suffix">/day</Option>
<Option name="limit_value">0</Option>
<Option name="linux24_ip_forward">0</Option>
<Option name="linux24_path_ip"></Option>
<Option name="linux24_path_iptables"></Option>
<Option name="linux24_path_logger"></Option>
<Option name="linux24_path_lsmod"></Option>
<Option name="linux24_path_modprobe"></Option>
<Option name="linux24_tcp_fin_timeout">30</Option>
<Option name="linux24_tcp_keepalive_interval">1800</Option>
<Option name="load_modules">False</Option>
<Option name="local_nat">False</Option>
<Option name="log_all">False</Option>
<Option name="log_all_dropped">False</Option>
<Option name="log_ip_opt">False</Option>
<Option name="log_level">debug</Option>
<Option name="log_limit_suffix">/second</Option>
<Option name="log_limit_value">0</Option>
<Option name="log_prefix">RULE %N -- %A %I</Option>
<Option name="log_tcp_opt">False</Option>
<Option name="log_tcp_seq">False</Option>
<Option name="manage_virtual_addr">True</Option>
<Option name="no_iochains_for_any">False</Option>
<Option name="no_optimisation">False</Option>
<Option name="platform">iptables</Option>
<Option name="proxy_arp">False</Option>
<Option name="script_env_path">/bin:/usr/bin:/sbin:/usr/sbin</Option>
<Option name="snmp_contact"></Option>
<Option name="snmp_description"></Option>
<Option name="snmp_location"></Option>
<Option name="ulog_cprange">0</Option>
<Option name="ulog_nlgroup">1</Option>
<Option name="ulog_qthreshold">1</Option>
<Option name="use_ULOG">False</Option>
<Option name="use_ip_tool">False</Option>
<Option name="use_numeric_log_levels">False</Option>
<Option name="verify_interfaces">False</Option>
</FirewallOptions>
</Firewall>
</ObjectGroup>
<IntervalGroup id="id413EEA5B" name="Time" comment="" ro="False">
<Interval id="id413EEACD" days_of_week="0,1,2,3,4,5,6" from_day="28" from_hour="0" from_minute="0" from_month="2" from_weekday="-1" from_year="2935093" to_day="28" to_hour="11" to_minute="59" to_month="2" to_weekday="-1" to_year="2935093" name="Mornings Only" comment="" ro="False"/>
<Interval id="id413EEACE" days_of_week="0,1,2,3,4,5,6" from_day="28" from_hour="12" from_minute="0" from_month="2" from_weekday="-1" from_year="2935093" to_day="28" to_hour="23" to_minute="59" to_month="2" to_weekday="-1" to_year="2935093" name="Afternoons Only" comment="" ro="False"/>
</IntervalGroup>
</Library>
<Library id="sysid99" name="Deleted Objects" comment="" ro="False">
<Library id="id4145F24F" color="#FFFFFF" name="tmp" comment="" ro="False">
<ObjectGroup id="id4145F250_clusters" name="Clusters" comment="" ro="False"/>
<ObjectGroup id="id4145F250" name="Objects" comment="" ro="False">
<ObjectGroup id="id4145F250_og_ats_1" name="Address Tables" comment="" ro="False"/>
<ObjectGroup id="id4145F250_og_dnsn_1" name="DNS Names" comment="" ro="False"/>
<ObjectGroup id="id4145F251" name="Addresses" comment="" ro="False"/>
<ObjectGroup id="id4145F252" name="Groups" comment="" ro="False"/>
<ObjectGroup id="id4145F253" name="Hosts" comment="" ro="False"/>
<ObjectGroup id="id4145F254" name="Networks" comment="" ro="False"/>
<ObjectGroup id="id4145F255" name="Address Ranges" comment="" ro="False"/>
</ObjectGroup>
<ServiceGroup id="id4145F256" name="Services" comment="" ro="False">
<ServiceGroup id="id4145F256_userservices" name="Users" comment="" ro="False"/>
<ServiceGroup id="id4145F256_og_tag_1" name="TagServices" comment="" ro="False"/>
<ServiceGroup id="id4145F257" name="Groups" comment="" ro="False"/>
<ServiceGroup id="id4145F258" name="ICMP" comment="" ro="False"/>
<ServiceGroup id="id4145F259" name="IP" comment="" ro="False"/>
<ServiceGroup id="id4145F25A" name="TCP" comment="" ro="False"/>
<ServiceGroup id="id4145F25B" name="UDP" comment="" ro="False"/>
<ServiceGroup id="id4145F25C" name="Custom" comment="" ro="False"/>
</ServiceGroup>
<ObjectGroup id="id4145F25D" name="Firewalls" comment="" ro="False"/>
<IntervalGroup id="id4145F25E" name="Time" comment="" ro="False"/>
</Library>
</Library>
<Library id="syslib000" color="#d4f8ff" name="Standard" comment="Standard objects" ro="True">
<AnyNetwork id="sysid0" name="Any" comment="Any Network" ro="False" address="0.0.0.0" netmask="0.0.0.0"/>
<AnyIPService id="sysid1" protocol_num="0" name="Any" comment="Any IP Service" ro="False"/>
<AnyInterval id="sysid2" days_of_week="0,1,2,3,4,5,6" from_day="-1" from_hour="-1" from_minute="-1" from_month="-1" from_weekday="-1" from_year="-1" to_day="-1" to_hour="-1" to_minute="-1" to_month="-1" to_weekday="-1" to_year="-1" name="Any" comment="Any Interval" ro="False"/>
<ServiceGroup id="stdid05" name="Services" comment="" ro="False">
<ServiceGroup id="stdid05_userservices" name="Users" comment="" ro="False"/>
<ServiceGroup id="stdid05_og_tag_1" name="TagServices" comment="" ro="False"/>
<ServiceGroup id="stdid09" name="TCP" comment="" ro="False">
<TCPService id="tcp-HTTP" ack_flag="False" ack_flag_mask="False" fin_flag="False" fin_flag_mask="False" psh_flag="False" psh_flag_mask="False" rst_flag="False" rst_flag_mask="False" syn_flag="False" syn_flag_mask="False" urg_flag="False" urg_flag_mask="False" name="http" comment="" ro="False" src_range_start="0" src_range_end="0" dst_range_start="80" dst_range_end="80"/>
<TCPService id="tcp-FTP" ack_flag="False" ack_flag_mask="False" fin_flag="False" fin_flag_mask="False" psh_flag="False" psh_flag_mask="False" rst_flag="False" rst_flag_mask="False" syn_flag="False" syn_flag_mask="False" urg_flag="False" urg_flag_mask="False" name="ftp" comment="" ro="False" src_range_start="0" src_range_end="0" dst_range_start="21" dst_range_end="21"/>
</ServiceGroup>
<ServiceGroup id="stdid08" name="UDP" comment="" ro="False">
<UDPService id="id4127EA73" name="rsync" comment="" ro="False" src_range_start="0" src_range_end="0" dst_range_start="873" dst_range_end="873"/>
</ServiceGroup>
<ServiceGroup id="stdid07" name="ICMP" comment="" ro="False">
<ICMPService id="id3C20EEB5" code="-1" type="-1" name="any ICMP" comment="" ro="False"/>
<ICMPService id="icmp-Unreachables" code="-1" type="3" name="all ICMP unreachables" comment="" ro="False"/>
</ServiceGroup>
<ServiceGroup id="stdid06" name="IP" comment="" ro="False">
<IPService id="id3CB12797" fragm="False" lsrr="False" protocol_num="51" rr="False" short_fragm="False" ssrr="False" ts="False" name="AH" comment="IPSEC Authentication Header Protocol" ro="False"/>
</ServiceGroup>
</ServiceGroup>
</Library>
</FWObjectDatabase>
Reference in New Issue View Git Blame Copy Permalink