onkelbeh/fwbuilder
1
0
Fork 0
mirror of https://github.com/fwbuilder/fwbuilder synced 2026-03-20 18:27:16 +01:00
Code Issues Releases Wiki Activity
fwbuilder/test/pf/objects-for-regression-tests.fwb

30647 lines
562 KiB
XML
Raw Blame History

<?xml version="1.0" encoding="utf-8"?>
<!DOCTYPE FWObjectDatabase SYSTEM "fwbuilder.dtd">
<FWObjectDatabase xmlns="http://www.fwbuilder.org/1.0/" version="9" id="root"><Library color="#d2ffd0" comment="User defined objects" id="syslib001" name="User" ro="False">
<ObjectGroup id="stdid01_1" name="Objects">
<ObjectGroup id="stdid01_1_og_ats_1" name="Address Tables">
<AddressTable comment="" filename="addr-table-1.tbl" id="id4389EE9018346" name="addr-table-1" run_time="False"/>
<AddressTable comment="this is run-time table" filename="block-hosts.tbl" id="id4389EE9118346" name="block these" run_time="True"/>
<AddressTable comment="empty file name; should generate code like this:&#10;&#10;table &lt;spammers&gt; persist&#10;&#10;without &quot;file 'blah'&quot;&#10;&#10;" filename="" id="id452762A75348" name="spammers" run_time="True"/>
</ObjectGroup>
<ObjectGroup id="stdid16_1" name="Addresses">
<IPv4 comment="" id="id4388C37D674" name="sapmhost1" address="61.150.47.112" netmask="255.255.255.255"/>
<IPv4 comment="" id="id446FCEEA10619" name="spamhost2" address="7.7.7.7" netmask="255.255.255.255"/>
<IPv4 comment="" id="id44F7082928576" name="some address" address="1.1.1.1" netmask="255.255.255.255"/>
<IPv6 comment="" id="id48416A7216880" name="6bone.net" address="2001:5c0:0:2::24" netmask="128"/>
<IPv6 comment="" id="id48416A7116880" name="altavista" address="3ffe:1200:2001:1:8000::1" netmask="128"/>
<IPv4 comment="" id="id417B3641" name="net_address" address="192.168.1.0" netmask="255.255.255.255"/>
</ObjectGroup>
<ObjectGroup id="stdid04_1" name="Groups">
<ObjectGroup id="id3B4572AF" name="group1">
<ObjectRef ref="host-hostA"/>
<ObjectRef ref="host-hostB"/>
</ObjectGroup>
<ObjectGroup id="id3B4572B5" name="platform">
<ObjectRef ref="id3AFC0F70"/>
<ObjectRef ref="id3AFC191C"/>
</ObjectGroup>
<ObjectGroup id="id3BBC0EFC" name="netgroup1">
<ObjectRef ref="net-Internal_net"/>
<ObjectRef ref="id3B022266"/>
</ObjectGroup>
<ObjectGroup id="id3CD87A9A" name="group-range-1">
<ObjectRef ref="id3CD87A53"/>
<ObjectRef ref="id3CD87A5E"/>
<ObjectRef ref="id3CD87A6D"/>
<ObjectRef ref="id3CD87A7C"/>
<ObjectRef ref="id3CD87A8B"/>
</ObjectGroup>
<ObjectGroup id="id3D8FED30" name="group2">
<ObjectRef ref="host-hostA"/>
</ObjectGroup>
<ObjectGroup id="id3DE69469" name="egroup"/>
<ObjectGroup id="id3DE6946A" name="egroup2">
<ObjectRef ref="id3DE69469"/>
</ObjectGroup>
<ObjectGroup comment="this group is a combination of a regular address object and an address table in run-time mode" id="id4390C25525682" name="at group">
<ObjectRef ref="id4388C37D674"/>
<ObjectRef ref="id4389EE9118346"/>
<ObjectRef ref="id446FB0EA10619"/>
<ObjectRef ref="id446FCEEA10619"/>
</ObjectGroup>
<ObjectGroup comment="" id="id446FB0EA10619" name="tbl group">
<ObjectRef ref="id4389EE9018346"/>
</ObjectGroup>
<ObjectGroup comment="" id="id4653861721432" name="f2i1,3">
<ObjectRef ref="id3AFB6706"/>
<ObjectRef ref="id3AFB68D2"/>
</ObjectGroup>
<ObjectGroup comment="" id="id4653B74121432" name="f2i1">
<ObjectRef ref="id3AFB6706"/>
</ObjectGroup>
<ObjectGroup comment="" id="id4834A2238571" name="ipv6 addresses">
<ObjectRef ref="id48416A7016880"/>
<ObjectRef ref="id48416A7216880"/>
<ObjectRef ref="id48416A7116880"/>
</ObjectGroup>
<ObjectGroup comment="" id="id4834A2278571" name="ipv4 ipv6 addresses">
<ObjectRef ref="id417B3641"/>
<ObjectRef ref="id4388C37D674"/>
<ObjectRef ref="id48416A7216880"/>
<ObjectRef ref="id48416A7116880"/>
</ObjectGroup>
</ObjectGroup>
<ObjectGroup id="stdid02_1" name="Hosts">
<Host comment="broadcast on internal subnet" id="id3B64FFAC" name="broadcast">
<Interface bridgeport="False" dyn="False" id="id3B64FFAC-i" name="unknown" security_level="100" unnum="False" unprotected="False">
<IPv4 id="id3B64FFAC-i-ipv4" name="address" address="192.168.1.255" netmask="255.255.255.255"/>
</Interface>
<HostOptions>
<Option name="use_mac_addr_filter">false</Option>
</HostOptions>
</Host>
<Host comment="" id="host-hostA" name="hostA">
<Interface bridgeport="False" dyn="False" id="host-hostA-i" label="" name="hostA_eth0" security_level="100" unnum="False" unprotected="False">
<IPv4 id="host-hostA-i-ipv4" name="address" address="192.168.1.10" netmask="255.255.255.255"/>
</Interface>
<Management address="192.168.1.10">
<SNMPManagement enabled="False" snmp_read_community="public" snmp_write_community=""/>
<FWBDManagement enabled="False" identity="" port="-1"/>
<PolicyInstallScript arguments="" command="" enabled="False"/>
</Management>
<HostOptions>
<Option name="snmp_contact"/>
<Option name="snmp_description"/>
<Option name="snmp_location"/>
<Option name="use_mac_addr_filter">False</Option>
</HostOptions>
</Host>
<Host comment="" id="id3B3D5A3B" name="hostA-2">
<Interface bridgeport="False" dyn="False" id="id3B3D5A3B-i" name="interface-1" security_level="0" unnum="False" unprotected="False">
<IPv4 id="id3B3D5A3B-i-1-addr" name="address" address="192.168.1.10" netmask="255.255.255.255"/>
</Interface>
<Management address="192.168.1.10">
<SNMPManagement enabled="False" snmp_read_community="public" snmp_write_community=""/>
<FWBDManagement enabled="False" identity="" port="-1"/>
<PolicyInstallScript arguments="" command="" enabled="False"/>
</Management>
<HostOptions>
<Option name="snmp_contact"/>
<Option name="snmp_description"/>
<Option name="snmp_location"/>
<Option name="use_mac_addr_filter">False</Option>
</HostOptions>
</Host>
<Host comment="translated address for hostA" id="id3AFADBF9" name="hostA-NAT">
<Interface bridgeport="False" dyn="False" id="id3AFADBF9-i" name="unknown" security_level="100" unnum="False" unprotected="False">
<IPv4 id="id3AFADBF9-i-ipv4" name="address" address="22.22.22.23" netmask="255.255.255.255"/>
</Interface>
<HostOptions>
<Option name="use_mac_addr_filter">false</Option>
</HostOptions>
</Host>
<Host comment="" id="host-hostB" name="hostB">
<Interface bridgeport="False" dyn="False" id="host-hostB-i" name="unknown" security_level="100" unnum="False" unprotected="False">
<IPv4 id="host-hostB-i-ipv4" name="address" address="192.168.1.20" netmask="255.255.255.255"/>
</Interface>
<Management address="192.168.1.20">
<SNMPManagement enabled="False" snmp_read_community="public" snmp_write_community=""/>
<FWBDManagement enabled="False" identity="" port="-1"/>
<PolicyInstallScript arguments="" command="" enabled="False"/>
</Management>
<HostOptions>
<Option name="use_mac_addr_filter">false</Option>
</HostOptions>
</Host>
<Host comment="" id="id3BD6736B" name="hostB-NAT">
<Interface bridgeport="False" dyn="False" id="id3BD6736B-i" name="unknown" security_level="100" unnum="False" unprotected="False">
<IPv4 id="id3BD6736B-i-ipv4" name="address" address="22.22.23.24" netmask="255.255.255.255"/>
</Interface>
<HostOptions>
<Option name="use_mac_addr_filter">false</Option>
</HostOptions>
</Host>
<Host comment="this host has the same IP address as firewall1 and firewall2" id="id3AFC0F70" name="host-fw2">
<Interface bridgeport="False" dyn="False" id="id3AFC0F70-i" name="unknown" security_level="100" unnum="False" unprotected="False">
<IPv4 comment="" id="id3AFC0F70-i-ipv4" name="host-fw2-addr" address="22.22.22.22" netmask="255.255.255.255"/>
</Interface>
<HostOptions>
<Option name="use_mac_addr_filter">false</Option>
</HostOptions>
</Host>
<Host comment="the same address as internal iface of firewall1" id="id3AFC191C" name="hostF-int">
<Interface bridgeport="False" dyn="False" id="id3AFC191C-i" name="unknown" security_level="100" unnum="False" unprotected="False">
<IPv4 id="id3AFC191C-i-ipv4" name="address" address="192.168.1.1" netmask="255.255.255.255"/>
</Interface>
<HostOptions>
<Option name="use_mac_addr_filter">false</Option>
</HostOptions>
</Host>
<Host comment="some host outside our network" id="id3B19C5EB" name="outside-host">
<Interface bridgeport="False" dyn="False" id="id3B19C5EB-i" name="unknown" security_level="100" unnum="False" unprotected="False">
<IPv4 id="id3B19C5EB-i-ipv4" name="address" address="200.200.200.200" netmask="255.255.255.255"/>
</Interface>
<HostOptions>
<Option name="use_mac_addr_filter">false</Option>
</HostOptions>
</Host>
<Host comment="" id="host-secondary1-com" name="secondary1.com">
<Interface bridgeport="False" dyn="False" id="host-secondary1-com-i" name="unknown" security_level="100" unnum="False" unprotected="False">
<IPv4 id="host-secondary1-com-i-ipv4" name="address" address="211.11.11.11" netmask="255.255.255.255"/>
</Interface>
<Management address="211.11.11.11">
<SNMPManagement enabled="False" snmp_read_community="public" snmp_write_community=""/>
<FWBDManagement enabled="False" identity="" port="-1"/>
<PolicyInstallScript arguments="" command="" enabled="False"/>
</Management>
<HostOptions>
<Option name="use_mac_addr_filter">false</Option>
</HostOptions>
</Host>
<Host comment="" id="host-secondary2-com" name="secondary2.com">
<Interface bridgeport="False" dyn="False" id="host-secondary2-com-i" name="unknown" security_level="100" unnum="False" unprotected="False">
<IPv4 id="host-secondary2-com-i-ipv4" name="address" address="211.22.22.22" netmask="255.255.255.255"/>
</Interface>
<Management address="211.22.22.22">
<SNMPManagement enabled="False" snmp_read_community="public" snmp_write_community=""/>
<FWBDManagement enabled="False" identity="" port="-1"/>
<PolicyInstallScript arguments="" command="" enabled="False"/>
</Management>
<HostOptions>
<Option name="use_mac_addr_filter">false</Option>
</HostOptions>
</Host>
<Host comment="" id="id3BF1B3E1" name="host-with_mac">
<Interface bridgeport="False" dyn="False" id="id3BF1B3E2" label="" name="unknown" security_level="100" unnum="False" unprotected="False">
<IPv4 id="id3BF1B3E2-ipv4" name="address" address="192.168.1.10" netmask="255.255.255.0"/>
<physAddress address="00:10:4b:de:e9:6f" id="id3BF1B3E2-pa" name="unknown-pa"/>
</Interface>
<Management address="192.168.1.10">
<SNMPManagement enabled="False" snmp_read_community="" snmp_write_community=""/>
<FWBDManagement enabled="False" identity="" port="-1"/>
<PolicyInstallScript arguments="" command="" enabled="False"/>
</Management>
<HostOptions>
<Option name="use_mac_addr_filter">True</Option>
</HostOptions>
</Host>
<Host comment="" id="id3BF1B3E7" name="host-with_mac-2">
<Interface bridgeport="False" dyn="False" id="id3BF1B3E8" label="" name="unknown" security_level="100" unnum="False" unprotected="False">
<IPv4 comment="" id="id3BF1B3E8-ipv4" name="host-with_mac-2:addr" address="0.0.0.0" netmask="0.0.0.0"/>
<physAddress address="00:10:4b:de:e9:6f" id="id3BF1B3E8-pa" name="unknown-pa"/>
</Interface>
<Management address="0.0.0.0">
<SNMPManagement enabled="False" snmp_read_community="" snmp_write_community=""/>
<FWBDManagement enabled="False" identity="" port="-1"/>
<PolicyInstallScript arguments="" command="" enabled="False"/>
</Management>
<HostOptions>
<Option name="snmp_contact"/>
<Option name="snmp_description"/>
<Option name="snmp_location"/>
<Option name="use_mac_addr_filter">True</Option>
</HostOptions>
</Host>
<Host comment="" id="id3BF23930" name="z-host">
<Interface bridgeport="False" dyn="False" id="id3BF23931" label="" name="unknown" security_level="100" unnum="False" unprotected="False">
<IPv4 id="id3BF23931-ipv4" name="address" address="0.0.0.0" netmask="0.0.0.0"/>
<physAddress address="00:a0:24:53:06:8c" id="id3BF23931-pa" name="unknown-pa"/>
</Interface>
<Management address="0.0.0.0">
<SNMPManagement enabled="False" snmp_read_community="" snmp_write_community=""/>
<FWBDManagement enabled="False" identity="" port="-1"/>
<PolicyInstallScript arguments="" command="" enabled="False"/>
</Management>
<HostOptions>
<Option name="snmp_contact"/>
<Option name="snmp_description"/>
<Option name="snmp_location"/>
<Option name="use_mac_addr_filter">False</Option>
</HostOptions>
</Host>
<Host comment="" id="id3CD87A53" name="n192.168.1.11">
<Interface bridgeport="False" dyn="False" id="id3CD87A53-i" name="interface-1" security_level="0" unnum="False" unprotected="False">
<IPv4 id="id3CD87A53-i-1-addr" name="address" address="192.168.1.11" netmask="255.255.255.255"/>
</Interface>
<Management address="192.168.1.11">
<SNMPManagement enabled="False" snmp_read_community="" snmp_write_community=""/>
<FWBDManagement enabled="False" identity="" port="-1"/>
<PolicyInstallScript arguments="" command="" enabled="False"/>
</Management>
<HostOptions>
<Option name="snmp_contact"/>
<Option name="snmp_description"/>
<Option name="snmp_location"/>
<Option name="use_mac_addr">False</Option>
<Option name="use_mac_addr_filter">False</Option>
</HostOptions>
</Host>
<Host comment="" id="id3CD87A5E" name="n192.168.1.12">
<Interface bridgeport="False" dyn="False" id="id3CD87A5E-i" name="interface-1" security_level="0" unnum="False" unprotected="False">
<IPv4 id="id3CD87A5E-i-1-addr" name="address" address="192.168.1.12" netmask="255.255.255.255"/>
</Interface>
<Management address="192.168.1.12">
<SNMPManagement enabled="False" snmp_read_community="" snmp_write_community=""/>
<FWBDManagement enabled="False" identity="" port="-1"/>
<PolicyInstallScript arguments="" command="" enabled="False"/>
</Management>
<HostOptions>
<Option name="snmp_contact"/>
<Option name="snmp_description"/>
<Option name="snmp_location"/>
<Option name="use_mac_addr">False</Option>
<Option name="use_mac_addr_filter">False</Option>
</HostOptions>
</Host>
<Host comment="" id="id3CD87A6D" name="n192.168.1.13">
<Interface bridgeport="False" dyn="False" id="id3CD87A6D-i" name="interface-1" security_level="0" unnum="False" unprotected="False">
<IPv4 id="id3CD87A6D-i-1-addr" name="address" address="192.168.1.13" netmask="255.255.255.255"/>
</Interface>
<Management address="192.168.1.13">
<SNMPManagement enabled="False" snmp_read_community="" snmp_write_community=""/>
<FWBDManagement enabled="False" identity="" port="-1"/>
<PolicyInstallScript arguments="" command="" enabled="False"/>
</Management>
<HostOptions>
<Option name="snmp_contact"/>
<Option name="snmp_description"/>
<Option name="snmp_location"/>
<Option name="use_mac_addr">False</Option>
<Option name="use_mac_addr_filter">False</Option>
</HostOptions>
</Host>
<Host comment="" id="id3CD87A7C" name="n192.168.1.14">
<Interface bridgeport="False" dyn="False" id="id3CD87A7C-i" name="interface-1" security_level="0" unnum="False" unprotected="False">
<IPv4 id="id3CD87A7C-i-1-addr" name="address" address="192.168.1.14" netmask="255.255.255.255"/>
</Interface>
<Management address="192.168.1.14">
<SNMPManagement enabled="False" snmp_read_community="" snmp_write_community=""/>
<FWBDManagement enabled="False" identity="" port="-1"/>
<PolicyInstallScript arguments="" command="" enabled="False"/>
</Management>
<HostOptions>
<Option name="snmp_contact"/>
<Option name="snmp_description"/>
<Option name="snmp_location"/>
<Option name="use_mac_addr">False</Option>
<Option name="use_mac_addr_filter">False</Option>
</HostOptions>
</Host>
<Host comment="" id="id3CD87A8B" name="n192.168.1.15">
<Interface bridgeport="False" dyn="False" id="id3CD87A8B-i" name="interface-1" security_level="0" unnum="False" unprotected="False">
<IPv4 id="id3CD87A8B-i-1-addr" name="address" address="192.168.1.15" netmask="255.255.255.255"/>
</Interface>
<Management address="192.168.1.15">
<SNMPManagement enabled="False" snmp_read_community="" snmp_write_community=""/>
<FWBDManagement enabled="False" identity="" port="-1"/>
<PolicyInstallScript arguments="" command="" enabled="False"/>
</Management>
<HostOptions>
<Option name="snmp_contact"/>
<Option name="snmp_description"/>
<Option name="snmp_location"/>
<Option name="use_mac_addr">False</Option>
<Option name="use_mac_addr_filter">False</Option>
</HostOptions>
</Host>
<Host comment="" id="id3D58118B" name="hostC">
<Interface bridgeport="False" dyn="False" id="id3D58118B-i" name="interface-1" security_level="0" unnum="False" unprotected="False">
<IPv4 id="id3D58118B-i-1-addr" name="address" address="192.168.1.100" netmask="255.255.255.255"/>
</Interface>
<Management address="192.168.1.100">
<SNMPManagement enabled="False" snmp_read_community="" snmp_write_community=""/>
<FWBDManagement enabled="False" identity="" port="-1"/>
<PolicyInstallScript arguments="" command="" enabled="False"/>
</Management>
<HostOptions>
<Option name="snmp_contact"/>
<Option name="snmp_description"/>
<Option name="snmp_location"/>
<Option name="use_mac_addr">false</Option>
<Option name="use_mac_addr_filter">False</Option>
</HostOptions>
</Host>
<Host comment="" id="id3D58118F" name="hostC-1">
<Interface bridgeport="False" comment="" dyn="False" id="id3D581193" label="" name="eth0" security_level="0" unnum="False" unprotected="False">
<IPv4 comment="" id="id3D581194" name="hostC-1:eth0" address="192.168.1.100" netmask="255.255.255.0"/>
</Interface>
<Management address="192.168.1.100">
<SNMPManagement enabled="False" snmp_read_community="" snmp_write_community=""/>
<FWBDManagement enabled="False" identity="" port="-1"/>
<PolicyInstallScript arguments="" command="" enabled="False"/>
</Management>
<HostOptions>
<Option name="snmp_contact"/>
<Option name="snmp_description"/>
<Option name="snmp_location"/>
<Option name="use_mac_addr">false</Option>
<Option name="use_mac_addr_filter">False</Option>
</HostOptions>
</Host>
<Host id="id3E7ABEC4" name="nat-addr1">
<Interface bridgeport="False" dyn="False" id="id3E7ABEC6" name="interface1" security_level="0" unnum="False" unprotected="False">
<IPv4 id="id3E7ABEC7" name="nat-addr1:interface1(ip)" address="22.22.22.50" netmask="255.255.255.255"/>
</Interface>
<Management address="0.0.0.0">
<SNMPManagement enabled="False" snmp_read_community="" snmp_write_community=""/>
<FWBDManagement enabled="False" identity="" port="-1"/>
<PolicyInstallScript arguments="" command="" enabled="False"/>
</Management>
<HostOptions>
<Option name="use_mac_addr">false</Option>
</HostOptions>
</Host>
<Host id="id3E7ABECA" name="nat-addr2">
<Interface bridgeport="False" dyn="False" id="id3E7ABECC" name="interface1" security_level="0" unnum="False" unprotected="False">
<IPv4 id="id3E7ABECD" name="nat-addr2:interface1(ip)" address="22.22.22.51" netmask="255.255.255.255"/>
</Interface>
<Management address="0.0.0.0">
<SNMPManagement enabled="False" snmp_read_community="" snmp_write_community=""/>
<FWBDManagement enabled="False" identity="" port="-1"/>
<PolicyInstallScript arguments="" command="" enabled="False"/>
</Management>
<HostOptions>
<Option name="use_mac_addr">false</Option>
</HostOptions>
</Host>
<Host id="id3EE25A56" name="dyn host">
<Interface bridgeport="False" dyn="True" id="id3EE25A58" name="eth0" security_level="0" unnum="False" unprotected="False"/>
<Management address="0.0.0.0">
<SNMPManagement enabled="False" snmp_read_community="" snmp_write_community=""/>
<FWBDManagement enabled="False" identity="" port="-1"/>
<PolicyInstallScript arguments="" command="" enabled="False"/>
</Management>
<HostOptions>
<Option name="use_mac_addr">false</Option>
</HostOptions>
</Host>
</ObjectGroup>
<ObjectGroup id="stdid03_1" name="Networks">
<Network comment="" id="net-Internal_net" name="Internal_net" address="192.168.1.0" netmask="255.255.255.0"/>
<Network comment="DMZ net - using NAT" id="id3B022266" name="dmz_net" address="192.168.2.0" netmask="255.255.255.0"/>
<Network comment="" id="id3B665641" name="external_net" address="22.22.22.0" netmask="255.255.255.0"/>
<Network comment="" id="id3B665643" name="foreign_net" address="33.33.33.0" netmask="255.255.255.0"/>
<Network comment="" id="id3FDCD983" name="foreign_net2" address="33.33.44.0" netmask="255.255.255.0"/>
<Network comment="" id="id43F7DCF631316" name="22.22.22/28" address="22.22.22.0" netmask="255.255.255.240"/>
<NetworkIPv6 comment="" id="id4834B9206131" name="net-fe80" address="fe80::" netmask="64"/>
<NetworkIPv6 comment="" id="id48416A7016880" name="DIGITAL-CA-DEC" address="3ffe:1200:2000::" netmask="36"/>
</ObjectGroup>
<ObjectGroup id="stdid15_1" name="Address Ranges">
<AddressRange comment="" id="id3CD8769F" name="test_range_1" start_address="192.168.1.11" end_address="192.168.1.15"/>
<AddressRange comment="" id="id43F7DCF831316" name="22.22.22.1-22.22.22.5" start_address="22.22.22.1" end_address="22.22.22.5"/>
</ObjectGroup>
<ObjectGroup id="id4386458A18448" name="DNS Names">
<DNSName comment="an example of a local host" dnsrec="buildmaster" dnsrectype="A" id="id43869E8E18346" name="buildmaster (ct)" run_time="False"/>
<DNSName comment="an example of a local host" dnsrec="buildmaster" dnsrectype="A" id="id43869E8F18346" name="buildmaster (rt)" run_time="True"/>
<DNSName comment="" dnsrec="www.cnn.com" dnsrectype="A" id="id43869E8C18346" name="cnn (ct)" run_time="False"/>
<DNSName comment="" dnsrec="www.cnn.com" dnsrectype="A" id="id43869E8D18346" name="cnn (rt)" run_time="True"/>
<DNSName comment="" dnsrec="www.google.com" dnsrectype="A" id="id4387287918346" name="google (ct)" run_time="False"/>
<DNSName comment="" dnsrec="www.google.com" dnsrectype="A" id="id4387287A18346" name="google (rt)" run_time="True"/>
<DNSName comment="" dnsrec="www.heise.de" dnsrectype="A" id="id44EC181D8791" name="heise" run_time="True"/>
</ObjectGroup>
</ObjectGroup>
<ServiceGroup id="stdid05_1" name="Services">
<ServiceGroup id="stdid05_1_og_tag_1" name="TagServices">
<TagService comment="" id="id43EC6B892355" name="ipsec_tag" tagcode="ipsec_tag"/>
<TagService comment="" id="id43F4556A28869" name="INTNET" tagcode="INTNET"/>
</ServiceGroup>
<ServiceGroup id="stdid10_1" name="Groups">
<ServiceGroup id="id3B457567" name="svcgroup1">
<ServiceRef ref="id3B457561"/>
<ServiceRef ref="ip-IPSEC"/>
</ServiceGroup>
<ServiceGroup id="id3C1A66C9" name="large group TCP">
<ServiceRef ref="id3B20468D"/>
<ServiceRef ref="tcp-IRC"/>
<ServiceRef ref="id3B5009F7"/>
<ServiceRef ref="tcp-Auth"/>
<ServiceRef ref="tcp-DNS_zone_transf"/>
<ServiceRef ref="tcp-FTP"/>
<ServiceRef ref="tcp-HTTP"/>
<ServiceRef ref="tcp-NNTP"/>
<ServiceRef ref="tcp-SMTP"/>
<ServiceRef ref="tcp-SSH"/>
<ServiceRef ref="tcp-Telnet"/>
<ServiceRef ref="tcp-uucp"/>
<ServiceRef ref="id3C1A66EF"/>
<ServiceRef ref="id3AEDBE6E"/>
<ServiceRef ref="id3B4FEDA3"/>
<ServiceRef ref="id3B4FED69"/>
<ServiceRef ref="id3AECF776"/>
<ServiceRef ref="id3B4FED9F"/>
<ServiceRef ref="id3B4FF13C"/>
<ServiceRef ref="id3B4FEE21"/>
<ServiceRef ref="id3B4FEE23"/>
<ServiceRef ref="id3AECF778"/>
<ServiceRef ref="id3B4FF000"/>
<ServiceRef ref="id3B4FEEEE"/>
<ServiceRef ref="id3B4FEE7A"/>
<ServiceRef ref="id3B4FEE1D"/>
<ServiceRef ref="id3B4FF0EA"/>
<ServiceRef ref="id3AECF782"/>
<ServiceRef ref="id3B4FEF7C"/>
<ServiceRef ref="id3AECF77A"/>
<ServiceRef ref="id3AECF77C"/>
<ServiceRef ref="id3AECF77E"/>
<ServiceRef ref="id3B4FEF34"/>
<ServiceRef ref="id3B4FF04C"/>
<ServiceRef ref="id3B4FEE76"/>
<ServiceRef ref="id3AEDBE00"/>
<ServiceRef ref="id3B4FF1B8"/>
</ServiceGroup>
<ServiceGroup id="id3CD878C8" name="small group TCP">
<ServiceRef ref="tcp-Auth"/>
<ServiceRef ref="tcp-HTTP"/>
<ServiceRef ref="tcp-SMTP"/>
<ServiceRef ref="tcp-SSH"/>
<ServiceRef ref="tcp-uucp"/>
<ServiceRef ref="id3B4FED69"/>
<ServiceRef ref="id3AECF776"/>
</ServiceGroup>
<ServiceGroup id="id3DE6946C" name="sgroup"/>
</ServiceGroup>
<ServiceGroup id="stdid07_1" name="ICMP">
<ICMPService code="-1" comment="" id="id3C1A5D46" name="any ICMP" type="-1"/>
<ICMPService code="-1" comment="" id="id3D0E95E4" name="Any unreach." type="3"/>
</ServiceGroup>
<ServiceGroup id="stdid06_1" name="IP">
<IPService comment="" fragm="False" id="id3B457561" lsrr="False" name="ICMP" protocol_num="1" rr="False" short_fragm="False" ssrr="False" ts="False"/>
<IPService comment="" fragm="False" id="id3B6659A5" lsrr="False" name="TS" protocol_num="0" rr="False" short_fragm="False" ssrr="False" ts="True"/>
</ServiceGroup>
<ServiceGroup id="stdid09_1" name="TCP">
<TCPService ack_flag="False" ack_flag_mask="False" comment="" dst_range_end="6667" dst_range_start="6667" fin_flag="False" fin_flag_mask="False" id="tcp-IRC" name="irc" psh_flag="False" psh_flag_mask="False" rst_flag="False" rst_flag_mask="False" src_range_end="0" src_range_start="0" syn_flag="False" syn_flag_mask="False" urg_flag="False" urg_flag_mask="False"/>
<TCPService ack_flag="False" ack_flag_mask="False" comment="port range" dst_range_end="11000" dst_range_start="10000" fin_flag="False" fin_flag_mask="False" id="id3B20468D" name="test-TCP" psh_flag="False" psh_flag_mask="False" rst_flag="False" rst_flag_mask="False" src_range_end="0" src_range_start="0" syn_flag="False" syn_flag_mask="False" urg_flag="False" urg_flag_mask="False"/>
<TCPService ack_flag="False" ack_flag_mask="False" comment="" dst_range_end="3128" dst_range_start="3128" fin_flag="False" fin_flag_mask="False" id="id3B5009F7" name="squid" psh_flag="False" psh_flag_mask="False" rst_flag="False" rst_flag_mask="False" src_range_end="0" src_range_start="0" syn_flag="False" syn_flag_mask="False" urg_flag="False" urg_flag_mask="False"/>
<TCPService ack_flag="True" ack_flag_mask="True" comment="" dst_range_end="0" dst_range_start="0" fin_flag="True" fin_flag_mask="True" id="id3B58E3F1" name="xmas-tree" psh_flag="False" psh_flag_mask="True" rst_flag="True" rst_flag_mask="True" src_range_end="0" src_range_start="0" syn_flag="True" syn_flag_mask="True" urg_flag="False" urg_flag_mask="True"/>
<TCPService ack_flag="False" ack_flag_mask="False" comment="" dst_range_end="70" dst_range_start="70" fin_flag="False" fin_flag_mask="False" id="id3C1A66EF" name="gopher" psh_flag="False" psh_flag_mask="False" rst_flag="False" rst_flag_mask="False" src_range_end="0" src_range_start="0" syn_flag="False" syn_flag_mask="False" urg_flag="False" urg_flag_mask="False"/>
<TCPService ack_flag="False" ack_flag_mask="False" comment="" dst_range_end="1080" dst_range_start="1080" fin_flag="False" fin_flag_mask="False" id="id3E59AD29" name="tcp-1080" psh_flag="False" psh_flag_mask="False" rst_flag="False" rst_flag_mask="False" src_range_end="0" src_range_start="0" syn_flag="False" syn_flag_mask="False" urg_flag="False" urg_flag_mask="False"/>
</ServiceGroup>
<ServiceGroup id="stdid08_1" name="UDP"/>
<ServiceGroup id="stdid13_1" name="Custom">
<CustomService comment="Talk support" id="id3B64FE22" name="talk">
<CustomServiceCommand platform="Undefined"/>
<CustomServiceCommand platform="ipfilter"/>
<CustomServiceCommand platform="iptables">-m ip_conntrack_talk -m ip_nat_talk</CustomServiceCommand>
</CustomService>
<CustomService comment="" id="id41F9FFBA" name="natproto">
<CustomServiceCommand platform="ipf"/>
<CustomServiceCommand platform="ipfw"/>
<CustomServiceCommand platform="iptables"/>
<CustomServiceCommand platform="pf">proto {tcp udp icmp gre}</CustomServiceCommand>
<CustomServiceCommand platform="pix"/>
<CustomServiceCommand platform="unknown"/>
</CustomService>
</ServiceGroup>
<ServiceGroup id="stdid05_1_userservices" name="Users"/>
</ServiceGroup>
<ObjectGroup id="stdid12_1" name="Firewalls">
<Firewall comment="this is simple firewall with two interfaces. Test regular policy rules, including IP_fragments rule" host_OS="openbsd" id="fw-firewall2" inactive="False" lastCompiled="1157930800" lastInstalled="0" lastModified="1202682308" name="firewall" platform="pf" ro="False" version="">
<NAT id="nat-firewall2" name="NAT">
<NATRule comment="" disabled="False" id="nat-firewall2-0" position="0">
<OSrc neg="False">
<ObjectRef ref="net-Internal_net"/>
</OSrc>
<ODst neg="False">
<ObjectRef ref="sysid0"/>
</ODst>
<OSrv neg="False">
<ServiceRef ref="sysid1"/>
</OSrv>
<TSrc neg="False">
<ObjectRef ref="fw-firewall2"/>
</TSrc>
<TDst neg="False">
<ObjectRef ref="sysid0"/>
</TDst>
<TSrv neg="False">
<ServiceRef ref="sysid1"/>
</TSrv>
<NATRuleOptions/>
</NATRule>
<NATRule comment="illegal rule - host 'dyn host' has dynamic address" disabled="True" id="id3EE25AA2" position="1">
<OSrc neg="False">
<ObjectRef ref="sysid0"/>
</OSrc>
<ODst neg="False">
<ObjectRef ref="fw-firewall2"/>
</ODst>
<OSrv neg="False">
<ServiceRef ref="tcp-SMTP"/>
</OSrv>
<TSrc neg="False">
<ObjectRef ref="sysid0"/>
</TSrc>
<TDst neg="False">
<ObjectRef ref="id3EE25A56"/>
</TDst>
<TSrv neg="False">
<ServiceRef ref="sysid1"/>
</TSrv>
<NATRuleOptions/>
</NATRule>
<NATRule comment="" disabled="False" id="nat-firewall2-1" position="2">
<OSrc neg="False">
<ObjectRef ref="sysid0"/>
</OSrc>
<ODst neg="False">
<ObjectRef ref="fw-firewall2"/>
</ODst>
<OSrv neg="False">
<ServiceRef ref="tcp-SMTP"/>
</OSrv>
<TSrc neg="False">
<ObjectRef ref="sysid0"/>
</TSrc>
<TDst neg="False">
<ObjectRef ref="host-hostA"/>
</TDst>
<TSrv neg="False">
<ServiceRef ref="tcp-SMTP"/>
</TSrv>
<NATRuleOptions/>
</NATRule>
<NATRule disabled="False" id="id3CDB43B8" position="3">
<OSrc neg="False">
<ObjectRef ref="sysid0"/>
</OSrc>
<ODst neg="False">
<ObjectRef ref="sysid0"/>
</ODst>
<OSrv neg="False">
<ServiceRef ref="tcp-HTTP"/>
</OSrv>
<TSrc neg="False">
<ObjectRef ref="sysid0"/>
</TSrc>
<TDst neg="False">
<ObjectRef ref="fw-firewall2"/>
</TDst>
<TSrv neg="False">
<ServiceRef ref="id3B4FF09A"/>
</TSrv>
<NATRuleOptions/>
</NATRule>
</NAT>
<Policy id="pol-firewall2" name="Policy">
<PolicyRule action="Deny" direction="Inbound" disabled="False" id="id3B09D29D" log="True" position="0">
<Src neg="False">
<ObjectRef ref="sysid0"/>
</Src>
<Dst neg="False">
<ObjectRef ref="fw-firewall2"/>
</Dst>
<Srv neg="False">
<ServiceRef ref="ip-IP_Fragments"/>
</Srv>
<Itf neg="False">
<ObjectRef ref="if-FW-firewall2-eth1"/>
</Itf>
<PolicyRuleOptions>
<Option name="stateless">True</Option>
</PolicyRuleOptions>
</PolicyRule>
<PolicyRule action="Deny" comment="Automatically generated rule blocking short fragments" direction="Inbound" disabled="False" id="pol-firewall2-0" log="True" position="1">
<Src neg="False">
<ObjectRef ref="sysid0"/>
</Src>
<Dst neg="False">
<ObjectRef ref="sysid0"/>
</Dst>
<Srv neg="False">
<ServiceRef ref="ip-IP_Fragments"/>
</Srv>
<Itf neg="False">
<ObjectRef ref="if-FW-firewall2-eth1"/>
</Itf>
<When neg="False">
<IntervalRef ref="sysid2"/>
</When>
<PolicyRuleOptions>
<Option name="stateless">True</Option>
</PolicyRuleOptions>
</PolicyRule>
<PolicyRule action="Deny" comment="Automatically generated anti-spoofing rule" direction="Inbound" disabled="False" id="pol-firewall2-1" log="True" position="2">
<Src neg="False">
<ObjectRef ref="net-Internal_net"/>
<ObjectRef ref="fw-firewall2"/>
</Src>
<Dst neg="False">
<ObjectRef ref="sysid0"/>
</Dst>
<Srv neg="False">
<ServiceRef ref="sysid1"/>
</Srv>
<Itf neg="False">
<ObjectRef ref="if-FW-firewall2-eth1"/>
</Itf>
<When neg="False">
<IntervalRef ref="sysid2"/>
</When>
<PolicyRuleOptions>
<Option name="stateless">True</Option>
</PolicyRuleOptions>
</PolicyRule>
<PolicyRule action="Accept" direction="Both" disabled="False" id="id3B92DFC5" log="False" position="3">
<Src neg="False">
<ObjectRef ref="net-Internal_net"/>
</Src>
<Dst neg="False">
<ObjectRef ref="fw-firewall2"/>
</Dst>
<Srv neg="False">
<ServiceRef ref="udp-DNS"/>
</Srv>
<Itf neg="False">
<ObjectRef ref="if-FW-firewall2-eth0"/>
</Itf>
<PolicyRuleOptions/>
</PolicyRule>
<PolicyRule action="Deny" comment="code should go into INPUT chain with &#10;address in destination for comparison" direction="Inbound" disabled="False" id="id3C4E4C38" log="True" position="4">
<Src neg="False">
<ObjectRef ref="sysid0"/>
</Src>
<Dst neg="False">
<ObjectRef ref="id3B64FFAC"/>
</Dst>
<Srv neg="False">
<ServiceRef ref="udp-DNS"/>
</Srv>
<Itf neg="False">
<ObjectRef ref="if-FW-firewall2-eth0"/>
</Itf>
<PolicyRuleOptions>
<Option name="stateless">True</Option>
</PolicyRuleOptions>
</PolicyRule>
<PolicyRule action="Deny" comment="" direction="Both" disabled="False" id="id3CE59C76" log="True" position="5">
<Src neg="False">
<ObjectRef ref="sysid0"/>
</Src>
<Dst neg="False">
<ObjectRef ref="sysid0"/>
</Dst>
<Srv neg="False">
<ServiceRef ref="tcp-TCP-SYN"/>
<ServiceRef ref="id3B58E3F1"/>
</Srv>
<Itf neg="False">
<ObjectRef ref="sysid0"/>
</Itf>
<When neg="False">
<IntervalRef ref="sysid2"/>
</When>
<PolicyRuleOptions>
<Option name="action_on_reject"/>
<Option name="limit_value">0</Option>
<Option name="log_limit_suffix"/>
<Option name="log_prefix">** RULE %N</Option>
<Option name="stateless">True</Option>
</PolicyRuleOptions>
</PolicyRule>
<PolicyRule action="Deny" direction="Both" disabled="False" id="id3B6659FC" log="True" position="6">
<Src neg="False">
<ObjectRef ref="sysid0"/>
</Src>
<Dst neg="False">
<ObjectRef ref="sysid0"/>
</Dst>
<Srv neg="False">
<ServiceRef ref="ip-RR"/>
<ServiceRef ref="ip-SRR"/>
<ServiceRef ref="id3B6659A5"/>
</Srv>
<Itf neg="False">
<ObjectRef ref="sysid0"/>
</Itf>
<When neg="False">
<IntervalRef ref="sysid2"/>
</When>
<PolicyRuleOptions>
<Option name="stateless">True</Option>
</PolicyRuleOptions>
</PolicyRule>
<PolicyRule action="Accept" direction="Both" disabled="True" id="id3BF1B45E" log="False" position="7">
<Src neg="False">
<ObjectRef ref="id3BF1B3E1"/>
</Src>
<Dst neg="False">
<ObjectRef ref="host-hostA"/>
</Dst>
<Srv neg="False">
<ServiceRef ref="sysid1"/>
</Srv>
<Itf neg="False">
<ObjectRef ref="sysid0"/>
</Itf>
<When neg="False">
<IntervalRef ref="sysid2"/>
</When>
<PolicyRuleOptions>
<Option name="action_on_reject"/>
<Option name="limit_suffix"/>
<Option name="limit_value">0</Option>
<Option name="log_prefix"/>
</PolicyRuleOptions>
</PolicyRule>
<PolicyRule action="Accept" direction="Both" disabled="True" id="id3BF1B44E" log="False" position="8">
<Src neg="False">
<ObjectRef ref="id3BF1B3E7"/>
</Src>
<Dst neg="False">
<ObjectRef ref="host-hostA"/>
</Dst>
<Srv neg="False">
<ServiceRef ref="sysid1"/>
</Srv>
<Itf neg="False">
<ObjectRef ref="sysid0"/>
</Itf>
<When neg="False">
<IntervalRef ref="sysid2"/>
</When>
<PolicyRuleOptions>
<Option name="action_on_reject"/>
<Option name="limit_suffix"/>
<Option name="limit_value">0</Option>
<Option name="log_prefix"/>
</PolicyRuleOptions>
</PolicyRule>
<PolicyRule action="Accept" comment="this rule is limited to 4 simultaneous&#10;connections by rule options" direction="Both" disabled="False" id="pol-firewall2-3" log="False" position="9">
<Src neg="False">
<ObjectRef ref="host-secondary1-com"/>
<ObjectRef ref="host-secondary2-com"/>
</Src>
<Dst neg="False">
<ObjectRef ref="host-hostA"/>
</Dst>
<Srv neg="False">
<ServiceRef ref="tcp-DNS_zone_transf"/>
</Srv>
<Itf neg="False">
<ObjectRef ref="sysid0"/>
</Itf>
<When neg="False">
<IntervalRef ref="int-afterhours"/>
<IntervalRef ref="id3C63479C"/>
<IntervalRef ref="id3C63479E"/>
</When>
<PolicyRuleOptions>
<Option name="action_on_reject"/>
<Option name="limit_suffix"/>
<Option name="limit_value">0</Option>
<Option name="log_prefix"/>
<Option name="pf_rule_max_state">4</Option>
<Option name="stateless">False</Option>
</PolicyRuleOptions>
</PolicyRule>
<PolicyRule action="Accept" comment="" direction="Both" disabled="False" id="id4250E683" log="False" position="10">
<Src neg="False">
<ObjectRef ref="id3B665643"/>
</Src>
<Dst neg="False">
<ObjectRef ref="host-hostA"/>
</Dst>
<Srv neg="False">
<ServiceRef ref="tcp-FTP_data"/>
<ServiceRef ref="id3CD878C8"/>
</Srv>
<Itf neg="False">
<ObjectRef ref="sysid0"/>
</Itf>
<When neg="False">
<IntervalRef ref="sysid2"/>
</When>
<PolicyRuleOptions>
<Option name="action_on_reject"/>
<Option name="limit_suffix"/>
<Option name="limit_value">0</Option>
<Option name="log_prefix"/>
<Option name="pf_max_src_nodes">10</Option>
<Option name="pf_max_src_states">10</Option>
<Option name="pf_rule_max_state">0</Option>
<Option name="pf_source_tracking">False</Option>
<Option name="stateless">False</Option>
</PolicyRuleOptions>
</PolicyRule>
<PolicyRule action="Accept" comment="" direction="Both" disabled="False" id="pol-firewall2-2" log="False" position="11">
<Src neg="False">
<ObjectRef ref="sysid0"/>
</Src>
<Dst neg="False">
<ObjectRef ref="host-hostA"/>
</Dst>
<Srv neg="False">
<ServiceRef ref="id3C1A66C9"/>
</Srv>
<Itf neg="False">
<ObjectRef ref="sysid0"/>
</Itf>
<When neg="False">
<IntervalRef ref="sysid2"/>
</When>
<PolicyRuleOptions>
<Option name="action_on_reject"/>
<Option name="limit_suffix"/>
<Option name="limit_value">0</Option>
<Option name="log_prefix"/>
<Option name="pf_max_src_conn">0</Option>
<Option name="pf_max_src_conn_flush">False</Option>
<Option name="pf_max_src_conn_global">False</Option>
<Option name="pf_max_src_conn_overload_table"/>
<Option name="pf_max_src_conn_rate_flush">False</Option>
<Option name="pf_max_src_conn_rate_global">False</Option>
<Option name="pf_max_src_conn_rate_num">3</Option>
<Option name="pf_max_src_conn_rate_overload_table"/>
<Option name="pf_max_src_conn_rate_seconds">15</Option>
<Option name="pf_max_src_nodes">10</Option>
<Option name="pf_max_src_states">10</Option>
<Option name="pf_rule_max_state">0</Option>
<Option name="pf_source_tracking">True</Option>
<Option name="stateless">False</Option>
</PolicyRuleOptions>
</PolicyRule>
<PolicyRule action="Accept" comment="" direction="Both" disabled="False" id="id3CD8770E" log="False" position="12">
<Src neg="False">
<ObjectRef ref="sysid0"/>
</Src>
<Dst neg="False">
<ObjectRef ref="id3CD8769F"/>
</Dst>
<Srv neg="False">
<ServiceRef ref="id3CD878C8"/>
<ServiceRef ref="id3B5009F7"/>
</Srv>
<Itf neg="False">
<ObjectRef ref="sysid0"/>
</Itf>
<When neg="False">
<IntervalRef ref="sysid2"/>
</When>
<PolicyRuleOptions>
<Option name="action_on_reject"/>
<Option name="limit_suffix"/>
<Option name="limit_value">0</Option>
<Option name="log_prefix"/>
<Option name="pf_max_src_nodes">75</Option>
<Option name="pf_max_src_states">2</Option>
<Option name="pf_rule_max_state">10</Option>
<Option name="pf_source_tracking">True</Option>
<Option name="stateless">False</Option>
</PolicyRuleOptions>
</PolicyRule>
<PolicyRule action="Accept" comment="testing rule shading - this rule is exactly &#10;the same as pervious one, but uses group &#10;instead of address range" direction="Both" disabled="True" id="id3CD87B1E" log="False" position="13">
<Src neg="False">
<ObjectRef ref="sysid0"/>
</Src>
<Dst neg="False">
<ObjectRef ref="id3CD87A9A"/>
</Dst>
<Srv neg="False">
<ServiceRef ref="id3CD878C8"/>
<ServiceRef ref="id3B5009F7"/>
</Srv>
<Itf neg="False">
<ObjectRef ref="sysid0"/>
</Itf>
<When neg="False">
<IntervalRef ref="sysid2"/>
</When>
<PolicyRuleOptions>
<Option name="action_on_reject"/>
<Option name="limit_suffix"/>
<Option name="limit_value">0</Option>
<Option name="log_prefix"/>
</PolicyRuleOptions>
</PolicyRule>
<PolicyRule action="Accept" comment="" direction="Both" disabled="False" id="pol-firewall2-4" log="False" position="14">
<Src neg="False">
<ObjectRef ref="sysid0"/>
</Src>
<Dst neg="False">
<ObjectRef ref="net-Internal_net"/>
</Dst>
<Srv neg="False">
<ServiceRef ref="sg-Useful_ICMP"/>
<ServiceRef ref="id3B5009F7"/>
</Srv>
<Itf neg="False">
<ObjectRef ref="sysid0"/>
</Itf>
<When neg="False">
<IntervalRef ref="sysid2"/>
</When>
<PolicyRuleOptions>
<Option name="action_on_reject"/>
<Option name="limit_suffix"/>
<Option name="limit_value">0</Option>
<Option name="log_prefix"/>
</PolicyRuleOptions>
</PolicyRule>
<PolicyRule action="Accept" comment="this rule and the next one can be&#10;used to test shading" direction="Both" disabled="True" id="id3CE597E3" log="False" position="15">
<Src neg="False">
<ObjectRef ref="sysid0"/>
</Src>
<Dst neg="False">
<ObjectRef ref="net-Internal_net"/>
</Dst>
<Srv neg="False">
<ServiceRef ref="sysid1"/>
</Srv>
<Itf neg="False">
<ObjectRef ref="sysid0"/>
</Itf>
<When neg="False">
<IntervalRef ref="sysid2"/>
</When>
<PolicyRuleOptions>
<Option name="action_on_reject"/>
<Option name="limit_suffix"/>
<Option name="limit_value">0</Option>
<Option name="log_prefix"/>
</PolicyRuleOptions>
</PolicyRule>
<PolicyRule action="Accept" comment="" direction="Both" disabled="False" id="id3CE591F6" log="False" position="16">
<Src neg="False">
<ObjectRef ref="sysid0"/>
</Src>
<Dst neg="False">
<ObjectRef ref="id3B3D5A3B"/>
</Dst>
<Srv neg="False">
<ServiceRef ref="sysid1"/>
</Srv>
<Itf neg="False">
<ObjectRef ref="sysid0"/>
</Itf>
<When neg="False">
<IntervalRef ref="sysid2"/>
</When>
<PolicyRuleOptions>
<Option name="action_on_reject"/>
<Option name="limit_suffix"/>
<Option name="limit_value">0</Option>
<Option name="log_prefix"/>
</PolicyRuleOptions>
</PolicyRule>
<PolicyRule action="Accept" comment="illegal rule - object firewall8 has&#10;dynamic interface" direction="Both" disabled="True" id="id3EE2579E" log="False" position="17">
<Src neg="False">
<ObjectRef ref="fw-firewall2"/>
<ObjectRef ref="id3D581152"/>
</Src>
<Dst neg="False">
<ObjectRef ref="fw-firewall2"/>
<ObjectRef ref="id3D581152"/>
</Dst>
<Srv neg="False">
<ServiceRef ref="sysid1"/>
</Srv>
<Itf neg="False">
<ObjectRef ref="sysid0"/>
</Itf>
<When neg="False">
<IntervalRef ref="sysid2"/>
</When>
<PolicyRuleOptions/>
</PolicyRule>
<PolicyRule action="Accept" comment="Automatically generated 'masquerading' rule" direction="Both" disabled="False" id="pol-firewall2-5" log="False" position="18">
<Src neg="False">
<ObjectRef ref="net-Internal_net"/>
<ObjectRef ref="fw-firewall2"/>
</Src>
<Dst neg="False">
<ObjectRef ref="sysid0"/>
</Dst>
<Srv neg="False">
<ServiceRef ref="sysid1"/>
</Srv>
<Itf neg="False">
<ObjectRef ref="sysid0"/>
</Itf>
<When neg="False">
<IntervalRef ref="sysid2"/>
</When>
<PolicyRuleOptions>
<Option name="action_on_reject"/>
<Option name="limit_suffix"/>
<Option name="limit_value">0</Option>
<Option name="log_prefix"/>
</PolicyRuleOptions>
</PolicyRule>
<PolicyRule action="Deny" comment="Automatically generated 'catch all' rule" direction="Both" disabled="False" id="pol-firewall2-7" log="True" position="19">
<Src neg="False">
<ObjectRef ref="sysid0"/>
</Src>
<Dst neg="False">
<ObjectRef ref="sysid0"/>
</Dst>
<Srv neg="False">
<ServiceRef ref="sysid1"/>
</Srv>
<Itf neg="False">
<ObjectRef ref="sysid0"/>
</Itf>
<When neg="False">
<IntervalRef ref="sysid2"/>
</When>
<PolicyRuleOptions>
<Option name="action_on_reject"/>
<Option name="limit_suffix"/>
<Option name="limit_value">0</Option>
<Option name="log_limit_suffix"/>
<Option name="log_prefix"/>
<Option name="stateless">True</Option>
</PolicyRuleOptions>
</PolicyRule>
</Policy>
<Routing id="fw-firewall2-routing" name="Routing"/>
<Interface bridgeport="False" dyn="False" id="if-FW-firewall2-eth1" name="eth1" security_level="0" unnum="False" unprotected="False">
<IPv4 id="if-FW-firewall2-eth1-ipv4" name="address" address="222.222.222.222" netmask="255.255.255.0"/>
</Interface>
<Interface bridgeport="False" dyn="False" id="if-FW-firewall2-eth0" name="eth0" security_level="100" unnum="False" unprotected="False">
<IPv4 id="if-FW-firewall2-eth0-ipv4" name="address" address="192.168.1.1" netmask="255.255.255.0"/>
</Interface>
<Interface bridgeport="False" comment="" dyn="False" id="id3E5F1D39" label="" mgmt="False" name="lo" security_level="0" unnum="False" unprotected="False">
<IPv4 comment="" id="id3E5F1D3B" name="firewall:lo(ip)" address="127.0.0.1" netmask="255.0.0.0"/>
</Interface>
<Management address="127.0.0.1">
<SNMPManagement enabled="False" snmp_read_community="public" snmp_write_community=""/>
<FWBDManagement enabled="True" identity="" port="9999"/>
<PolicyInstallScript arguments="" command="" enabled="False"/>
</Management>
<FirewallOptions>
<Option name="accept_established">False</Option>
<Option name="accept_new_tcp_with_no_syn">False</Option>
<Option name="action_on_reject">ICMP net unreachable</Option>
<Option name="activationCmd"/>
<Option name="admUser"/>
<Option name="altAddress"/>
<Option name="check_shading">True</Option>
<Option name="clamp_mss_to_mtu">False</Option>
<Option name="cmdline"/>
<Option name="compiler"/>
<Option name="configure_interfaces">True</Option>
<Option name="debug">False</Option>
<Option name="dyn_addr">False</Option>
<Option name="epilog_script"/>
<Option name="fallback_log">True</Option>
<Option name="firewall_dir"/>
<Option name="firewall_is_part_of_any">True</Option>
<Option name="firewall_is_part_of_any_and_networks">True</Option>
<Option name="ignore_empty_groups">False</Option>
<Option name="in_out_code">True</Option>
<Option name="inst_cmdline"/>
<Option name="inst_script"/>
<Option name="install_script"/>
<Option name="limit_suffix">/second</Option>
<Option name="limit_value">0</Option>
<Option name="linux24_ip_forward">0</Option>
<Option name="linux24_tcp_fin_timeout">30</Option>
<Option name="linux24_tcp_keepalive_interval">1800</Option>
<Option name="load_modules">False</Option>
<Option name="log_all_dropped">True</Option>
<Option name="log_ip_opt">False</Option>
<Option name="log_level">debug</Option>
<Option name="log_limit_suffix">/second</Option>
<Option name="log_limit_value">0</Option>
<Option name="log_prefix">RULE %N - %A</Option>
<Option name="log_tcp_opt">False</Option>
<Option name="log_tcp_seq">False</Option>
<Option name="manage_virtual_addr">True</Option>
<Option name="mgmt_addr">192.168.1.100</Option>
<Option name="mgmt_ssh">True</Option>
<Option name="modulate_state">True</Option>
<Option name="no_iochains_for_any">False</Option>
<Option name="no_optimisation">False</Option>
<Option name="openbsd_ip_directed_broadcast">0</Option>
<Option name="openbsd_ip_forward">1</Option>
<Option name="openbsd_ip_redirect">0</Option>
<Option name="openbsd_ip_sourceroute">0</Option>
<Option name="openbsd_path_pfctl"/>
<Option name="openbsd_path_sysctl"/>
<Option name="output_file"/>
<Option name="pass_all_out">False</Option>
<Option name="pf_adaptive_end">12000</Option>
<Option name="pf_adaptive_start">6000</Option>
<Option name="pf_do_limit_frags">True</Option>
<Option name="pf_do_limit_src_nodes">True</Option>
<Option name="pf_do_limit_states">True</Option>
<Option name="pf_do_limit_table_entries">True</Option>
<Option name="pf_do_limit_tables">True</Option>
<Option name="pf_do_scrub">True</Option>
<Option name="pf_do_timeout_frag">True</Option>
<Option name="pf_do_timeout_interval">True</Option>
<Option name="pf_icmp_error">10</Option>
<Option name="pf_icmp_first">10</Option>
<Option name="pf_limit_frags">4000</Option>
<Option name="pf_limit_src_nodes">1000</Option>
<Option name="pf_limit_states">10000</Option>
<Option name="pf_limit_table_entries">1000000</Option>
<Option name="pf_limit_tables">1000</Option>
<Option name="pf_optimization"/>
<Option name="pf_other_first">10</Option>
<Option name="pf_other_multiple">10</Option>
<Option name="pf_other_single">10</Option>
<Option name="pf_scrub_fragm_crop">False</Option>
<Option name="pf_scrub_fragm_drop_ovl">False</Option>
<Option name="pf_scrub_maxmss">1460</Option>
<Option name="pf_scrub_minttl">1</Option>
<Option name="pf_scrub_no_df">False</Option>
<Option name="pf_scrub_random_id">False</Option>
<Option name="pf_scrub_reassemble">True</Option>
<Option name="pf_scrub_use_maxmss">False</Option>
<Option name="pf_scrub_use_minttl">False</Option>
<Option name="pf_set_adaptive">True</Option>
<Option name="pf_set_icmp_error">True</Option>
<Option name="pf_set_icmp_first">True</Option>
<Option name="pf_set_other_first">True</Option>
<Option name="pf_set_other_multiple">True</Option>
<Option name="pf_set_other_single">True</Option>
<Option name="pf_set_tcp_closed">True</Option>
<Option name="pf_set_tcp_closing">True</Option>
<Option name="pf_set_tcp_established">True</Option>
<Option name="pf_set_tcp_finwait">True</Option>
<Option name="pf_set_tcp_first">True</Option>
<Option name="pf_set_tcp_opening">True</Option>
<Option name="pf_set_udp_first">True</Option>
<Option name="pf_set_udp_multiple">True</Option>
<Option name="pf_set_udp_single">True</Option>
<Option name="pf_tcp_closed">30</Option>
<Option name="pf_tcp_closing">60</Option>
<Option name="pf_tcp_established">86400</Option>
<Option name="pf_tcp_finwait">60</Option>
<Option name="pf_tcp_first">120</Option>
<Option name="pf_tcp_opening">120</Option>
<Option name="pf_timeout_frag">40</Option>
<Option name="pf_timeout_interval">15</Option>
<Option name="pf_udp_first">10</Option>
<Option name="pf_udp_multiple">10</Option>
<Option name="pf_udp_single">10</Option>
<Option name="platform">iptables</Option>
<Option name="prolog_place">fw_file</Option>
<Option name="prolog_script">echo 'This is prolog script'
</Option>
<Option name="script_env_path"/>
<Option name="snmp_contact"/>
<Option name="snmp_description"/>
<Option name="snmp_location"/>
<Option name="sshArgs"/>
<Option name="use_numeric_log_levels">False</Option>
<Option name="use_tables">True</Option>
</FirewallOptions>
</Firewall>
<Firewall comment="this object is used to test all kinds of negation in policy rules&#10;Also using interface policy on eth1 to test specific case with negation and&#10;rule shading depection&#10;" host_OS="openbsd" id="id3AF5AA0A" inactive="False" lastCompiled="1157930802" lastInstalled="0" lastModified="1200415171" name="firewall1" platform="pf" ro="False" version="">
<NAT id="id3AF5AA0D" name="NAT">
<NATRule disabled="False" id="id3C98491C" position="0">
<OSrc neg="False">
<ObjectRef ref="net-Internal_net"/>
</OSrc>
<ODst neg="False">
<ObjectRef ref="id3B022266"/>
</ODst>
<OSrv neg="False">
<ServiceRef ref="sysid1"/>
</OSrv>
<TSrc neg="False">
<ObjectRef ref="sysid0"/>
</TSrc>
<TDst neg="False">
<ObjectRef ref="sysid0"/>
</TDst>
<TSrv neg="False">
<ServiceRef ref="sysid1"/>
</TSrv>
<NATRuleOptions/>
</NATRule>
<NATRule disabled="False" id="id3AFADC09" position="1">
<OSrc neg="False">
<ObjectRef ref="host-hostA"/>
</OSrc>
<ODst neg="False">
<ObjectRef ref="sysid0"/>
</ODst>
<OSrv neg="False">
<ServiceRef ref="sysid1"/>
</OSrv>
<TSrc neg="False">
<ObjectRef ref="id3AFADBF9"/>
</TSrc>
<TDst neg="False">
<ObjectRef ref="sysid0"/>
</TDst>
<TSrv neg="False">
<ServiceRef ref="sysid1"/>
</TSrv>
<NATRuleOptions/>
</NATRule>
<NATRule disabled="False" id="id3CD23959" position="2">
<OSrc neg="True">
<ObjectRef ref="net-Internal_net"/>
</OSrc>
<ODst neg="False">
<ObjectRef ref="id3B19C5EB"/>
</ODst>
<OSrv neg="False">
<ServiceRef ref="sysid1"/>
</OSrv>
<TSrc neg="False">
<ObjectRef ref="id3AFADBF9"/>
</TSrc>
<TDst neg="False">
<ObjectRef ref="sysid0"/>
</TDst>
<TSrv neg="False">
<ServiceRef ref="sysid1"/>
</TSrv>
<NATRuleOptions/>
</NATRule>
<NATRule disabled="False" id="id3B1328FB" position="3">
<OSrc neg="False">
<ObjectRef ref="net-Internal_net"/>
</OSrc>
<ODst neg="False">
<ObjectRef ref="sysid0"/>
</ODst>
<OSrv neg="False">
<ServiceRef ref="sysid1"/>
</OSrv>
<TSrc neg="False">
<ObjectRef ref="id3AF5AA0A"/>
</TSrc>
<TDst neg="False">
<ObjectRef ref="sysid0"/>
</TDst>
<TSrv neg="False">
<ServiceRef ref="sysid1"/>
</TSrv>
<NATRuleOptions/>
</NATRule>
<NATRule comment="" disabled="False" id="id3E7ABBCD" position="4">
<OSrc neg="False">
<ObjectRef ref="net-Internal_net"/>
</OSrc>
<ODst neg="False">
<ObjectRef ref="sysid0"/>
</ODst>
<OSrv neg="False">
<ServiceRef ref="sysid1"/>
</OSrv>
<TSrc neg="False">
<ObjectRef ref="id3AF5AA99"/>
<ObjectRef ref="id3B11F434"/>
</TSrc>
<TDst neg="False">
<ObjectRef ref="sysid0"/>
</TDst>
<TSrv neg="False">
<ServiceRef ref="sysid1"/>
</TSrv>
<NATRuleOptions/>
</NATRule>
<NATRule comment="more examples&#10;of NAT rules with&#10;multiple objects in TSrc&#10;in firewall3" disabled="False" id="id3E7ABFA4" position="5">
<OSrc neg="False">
<ObjectRef ref="net-Internal_net"/>
</OSrc>
<ODst neg="False">
<ObjectRef ref="sysid0"/>
</ODst>
<OSrv neg="False">
<ServiceRef ref="sysid1"/>
</OSrv>
<TSrc neg="False">
<ObjectRef ref="id3E7ABEC4"/>
<ObjectRef ref="id3E7ABECA"/>
</TSrc>
<TDst neg="False">
<ObjectRef ref="sysid0"/>
</TDst>
<TSrv neg="False">
<ServiceRef ref="sysid1"/>
</TSrv>
<NATRuleOptions/>
</NATRule>
<NATRule disabled="False" id="id3AF5AAD3" position="6">
<OSrc neg="False">
<ObjectRef ref="net-Internal_net"/>
</OSrc>
<ODst neg="True">
<ObjectRef ref="id3B022266"/>
</ODst>
<OSrv neg="False">
<ServiceRef ref="sysid1"/>
</OSrv>
<TSrc neg="False">
<ObjectRef ref="id3AF5AA0A"/>
</TSrc>
<TDst neg="False">
<ObjectRef ref="sysid0"/>
</TDst>
<TSrv neg="False">
<ServiceRef ref="sysid1"/>
</TSrv>
<NATRuleOptions/>
</NATRule>
<NATRule comment="" disabled="False" id="id3CCA1B57" position="7">
<OSrc neg="False">
<ObjectRef ref="net-Internal_net"/>
</OSrc>
<ODst neg="True">
<ObjectRef ref="id3BBC0EFC"/>
</ODst>
<OSrv neg="False">
<ServiceRef ref="sysid1"/>
</OSrv>
<TSrc neg="False">
<ObjectRef ref="id3AF5AA0A"/>
</TSrc>
<TDst neg="False">
<ObjectRef ref="sysid0"/>
</TDst>
<TSrv neg="False">
<ServiceRef ref="sysid1"/>
</TSrv>
<NATRuleOptions/>
</NATRule>
<NATRule disabled="False" id="id3B50F7CB" position="8">
<OSrc neg="True">
<ObjectRef ref="id3B022266"/>
</OSrc>
<ODst neg="False">
<ObjectRef ref="sysid0"/>
</ODst>
<OSrv neg="False">
<ServiceRef ref="sysid1"/>
</OSrv>
<TSrc neg="False">
<ObjectRef ref="id3AF5AA0A"/>
</TSrc>
<TDst neg="False">
<ObjectRef ref="sysid0"/>
</TDst>
<TSrv neg="False">
<ServiceRef ref="sysid1"/>
</TSrv>
<NATRuleOptions/>
</NATRule>
<NATRule disabled="False" id="id3BD8D94B" position="9">
<OSrc neg="False">
<ObjectRef ref="net-Internal_net"/>
</OSrc>
<ODst neg="True">
<ObjectRef ref="id3AF5AA0A"/>
</ODst>
<OSrv neg="False">
<ServiceRef ref="tcp-HTTP"/>
</OSrv>
<TSrc neg="False">
<ObjectRef ref="sysid0"/>
</TSrc>
<TDst neg="False">
<ObjectRef ref="id3AF5AA0A"/>
</TDst>
<TSrv neg="False">
<ServiceRef ref="id3B5009F7"/>
</TSrv>
<NATRuleOptions/>
</NATRule>
<NATRule disabled="False" id="id3BD8D9DD" position="10">
<OSrc neg="False">
<ObjectRef ref="net-Internal_net"/>
</OSrc>
<ODst neg="True">
<ObjectRef ref="id3AFC191C"/>
</ODst>
<OSrv neg="False">
<ServiceRef ref="tcp-HTTP"/>
</OSrv>
<TSrc neg="False">
<ObjectRef ref="sysid0"/>
</TSrc>
<TDst neg="False">
<ObjectRef ref="id3AF5AA0A"/>
</TDst>
<TSrv neg="False">
<ServiceRef ref="id3B5009F7"/>
</TSrv>
<NATRuleOptions/>
</NATRule>
<NATRule disabled="False" id="id3BBC0EA4" position="11">
<OSrc neg="False">
<ObjectRef ref="id3B4572AF"/>
</OSrc>
<ODst neg="True">
<ObjectRef ref="id3BBC0EFC"/>
</ODst>
<OSrv neg="False">
<ServiceRef ref="tcp-HTTP"/>
</OSrv>
<TSrc neg="False">
<ObjectRef ref="sysid0"/>
</TSrc>
<TDst neg="False">
<ObjectRef ref="id3AF5AA0A"/>
</TDst>
<TSrv neg="False">
<ServiceRef ref="id3B5009F7"/>
</TSrv>
<NATRuleOptions/>
</NATRule>
<NATRule disabled="False" id="id3BBC0F93" position="12">
<OSrc neg="True">
<ObjectRef ref="id3B4572AF"/>
</OSrc>
<ODst neg="False">
<ObjectRef ref="id3BBC0EFC"/>
</ODst>
<OSrv neg="False">
<ServiceRef ref="tcp-HTTP"/>
</OSrv>
<TSrc neg="False">
<ObjectRef ref="sysid0"/>
</TSrc>
<TDst neg="False">
<ObjectRef ref="id3AF5AA0A"/>
</TDst>
<TSrv neg="False">
<ServiceRef ref="id3B5009F7"/>
</TSrv>
<NATRuleOptions/>
</NATRule>
<NATRule disabled="False" id="id3BC6BCE5" position="13">
<OSrc neg="True">
<ObjectRef ref="host-hostA"/>
</OSrc>
<ODst neg="False">
<ObjectRef ref="sysid0"/>
</ODst>
<OSrv neg="False">
<ServiceRef ref="tcp-HTTP"/>
</OSrv>
<TSrc neg="False">
<ObjectRef ref="sysid0"/>
</TSrc>
<TDst neg="False">
<ObjectRef ref="id3AF5AA0A"/>
</TDst>
<TSrv neg="False">
<ServiceRef ref="id3B5009F7"/>
</TSrv>
<NATRuleOptions/>
</NATRule>
<NATRule disabled="False" id="id3FDCD893" position="14">
<OSrc neg="False">
<ObjectRef ref="id3B665643"/>
<ObjectRef ref="id3FDCD983"/>
</OSrc>
<ODst neg="False">
<ObjectRef ref="id3AF5AA99"/>
</ODst>
<OSrv neg="False">
<ServiceRef ref="tcp-HTTP"/>
</OSrv>
<TSrc neg="False">
<ObjectRef ref="sysid0"/>
</TSrc>
<TDst neg="False">
<ObjectRef ref="host-hostA"/>
</TDst>
<TSrv neg="False">
<ServiceRef ref="sysid1"/>
</TSrv>
<NATRuleOptions/>
</NATRule>
</NAT>
<Policy id="id3AF5AA0C" name="Policy">
<PolicyRule action="Deny" direction="Both" disabled="False" id="id3C5987DC" log="True" position="0">
<Src neg="False">
<ObjectRef ref="id3B4572B5"/>
</Src>
<Dst neg="True">
<ObjectRef ref="id3B4572B5"/>
</Dst>
<Srv neg="False">
<ServiceRef ref="id3B457567"/>
</Srv>
<Itf neg="False">
<ObjectRef ref="id3AF5AA96"/>
</Itf>
<PolicyRuleOptions>
<Option name="stateless">True</Option>
</PolicyRuleOptions>
</PolicyRule>
<PolicyRule action="Deny" direction="Both" disabled="False" id="id3CD34BEF" log="False" position="1">
<Src neg="False">
<ObjectRef ref="id3B4572AF"/>
</Src>
<Dst neg="True">
<ObjectRef ref="id3B4572AF"/>
</Dst>
<Srv neg="False">
<ServiceRef ref="id3B457567"/>
</Srv>
<Itf neg="False">
<ObjectRef ref="id3AF5AA96"/>
</Itf>
<When neg="False">
<IntervalRef ref="sysid2"/>
</When>
<PolicyRuleOptions>
<Option name="stateless">True</Option>
</PolicyRuleOptions>
</PolicyRule>
<PolicyRule action="Deny" comment="Anti-spoofing rule" direction="Inbound" disabled="False" id="id3AF5AAB4" log="True" position="2">
<Src neg="False">
<ObjectRef ref="net-Internal_net"/>
<ObjectRef ref="id3AF5AA0A"/>
</Src>
<Dst neg="False">
<ObjectRef ref="sysid0"/>
</Dst>
<Srv neg="False">
<ServiceRef ref="sysid1"/>
</Srv>
<Itf neg="False">
<ObjectRef ref="id3AF5AA99"/>
</Itf>
<PolicyRuleOptions>
<Option name="stateless">True</Option>
</PolicyRuleOptions>
</PolicyRule>
<PolicyRule action="Deny" comment="Anti-spoofing rule" direction="Outbound" disabled="False" id="id3AF5AAAB" log="True" position="3">
<Src neg="True">
<ObjectRef ref="net-Internal_net"/>
</Src>
<Dst neg="False">
<ObjectRef ref="sysid0"/>
</Dst>
<Srv neg="False">
<ServiceRef ref="sysid1"/>
</Srv>
<Itf neg="False">
<ObjectRef ref="id3AF5AA99"/>
</Itf>
<PolicyRuleOptions>
<Option name="stateless">True</Option>
</PolicyRuleOptions>
</PolicyRule>
<PolicyRule action="Accept" comment="testing rule shading: this rule is not&#10;shaded by rule #1" direction="Inbound" disabled="False" id="id3D58886F" log="False" position="4">
<Src neg="False">
<ObjectRef ref="sysid0"/>
</Src>
<Dst neg="False">
<ObjectRef ref="sysid0"/>
</Dst>
<Srv neg="False">
<ServiceRef ref="icmp-ping_request"/>
</Srv>
<Itf neg="False">
<ObjectRef ref="id3AF5AA99"/>
</Itf>
<When neg="False">
<IntervalRef ref="sysid2"/>
</When>
<PolicyRuleOptions/>
</PolicyRule>
<PolicyRule action="Deny" comment="" direction="Both" disabled="False" id="id3CCA26E4" log="True" position="5">
<Src neg="False">
<ObjectRef ref="sysid0"/>
</Src>
<Dst neg="False">
<ObjectRef ref="sysid0"/>
</Dst>
<Srv neg="False">
<ServiceRef ref="tcp-TCP-SYN"/>
</Srv>
<Itf neg="False">
<ObjectRef ref="sysid0"/>
</Itf>
<When neg="False">
<IntervalRef ref="sysid2"/>
</When>
<PolicyRuleOptions>
<Option name="stateless">True</Option>
</PolicyRuleOptions>
</PolicyRule>
<PolicyRule action="Deny" direction="Both" disabled="True" id="id3B9AB902" log="True" position="6">
<Src neg="False">
<ObjectRef ref="sysid0"/>
</Src>
<Dst neg="False">
<ObjectRef ref="sysid0"/>
</Dst>
<Srv neg="True">
<ServiceRef ref="tcp-TCP-SYN"/>
</Srv>
<Itf neg="False">
<ObjectRef ref="sysid0"/>
</Itf>
<When neg="False">
<IntervalRef ref="sysid2"/>
</When>
<PolicyRuleOptions>
<Option name="stateless">True</Option>
</PolicyRuleOptions>
</PolicyRule>
<PolicyRule action="Accept" comment="hostF has the same IP address as firewal." direction="Both" disabled="False" id="id3AFC0F90" log="True" position="7">
<Src neg="False">
<ObjectRef ref="sysid0"/>
</Src>
<Dst neg="False">
<ObjectRef ref="id3AFC191C"/>
</Dst>
<Srv neg="False">
<ServiceRef ref="icmp-ping_request"/>
</Srv>
<Itf neg="False">
<ObjectRef ref="sysid0"/>
</Itf>
<When neg="False">
<IntervalRef ref="sysid2"/>
</When>
<PolicyRuleOptions/>
</PolicyRule>
<PolicyRule action="Deny" comment="testing negation in the policy rule" direction="Both" disabled="False" id="id4119961C" log="True" position="8">
<Src neg="True">
<ObjectRef ref="host-hostA"/>
</Src>
<Dst neg="False">
<ObjectRef ref="sysid0"/>
</Dst>
<Srv neg="False">
<ServiceRef ref="icmp-Unreachables"/>
</Srv>
<Itf neg="False">
<ObjectRef ref="sysid0"/>
</Itf>
<When neg="False">
<IntervalRef ref="sysid2"/>
</When>
<PolicyRuleOptions>
<Option name="action_on_reject"/>
<Option name="limit_suffix">/minute</Option>
<Option name="limit_value">10</Option>
<Option name="log_prefix"/>
<Option name="stateless">True</Option>
</PolicyRuleOptions>
</PolicyRule>
<PolicyRule action="Deny" comment="testing negation in the policy rule" direction="Both" disabled="False" id="id3B021E10" log="True" position="9">
<Src neg="True">
<ObjectRef ref="host-hostA"/>
<ObjectRef ref="host-hostB"/>
</Src>
<Dst neg="False">
<ObjectRef ref="sysid0"/>
</Dst>
<Srv neg="False">
<ServiceRef ref="icmp-Unreachables"/>
</Srv>
<Itf neg="False">
<ObjectRef ref="sysid0"/>
</Itf>
<When neg="False">
<IntervalRef ref="sysid2"/>
</When>
<PolicyRuleOptions>
<Option name="action_on_reject"/>
<Option name="limit_suffix">/minute</Option>
<Option name="limit_value">10</Option>
<Option name="log_prefix"/>
<Option name="stateless">True</Option>
</PolicyRuleOptions>
</PolicyRule>
<PolicyRule action="Deny" comment="this rule is shaded by rule above." direction="Both" disabled="False" id="id3B0B4A13" log="True" position="10">
<Src neg="True">
<ObjectRef ref="host-hostA"/>
<ObjectRef ref="host-hostB"/>
</Src>
<Dst neg="False">
<ObjectRef ref="id3AF5AA0A"/>
</Dst>
<Srv neg="False">
<ServiceRef ref="icmp-Unreachables"/>
</Srv>
<Itf neg="False">
<ObjectRef ref="sysid0"/>
</Itf>
<When neg="False">
<IntervalRef ref="sysid2"/>
</When>
<PolicyRuleOptions>
<Option name="stateless">True</Option>
</PolicyRuleOptions>
</PolicyRule>
<PolicyRule action="Deny" comment="this rule shades rule below" direction="Both" disabled="False" id="id3B5535B7" log="True" position="11">
<Src neg="True">
<ObjectRef ref="id3B022266"/>
<ObjectRef ref="id3AF5AA0A"/>
</Src>
<Dst neg="False">
<ObjectRef ref="net-Internal_net"/>
</Dst>
<Srv neg="False">
<ServiceRef ref="sysid1"/>
</Srv>
<Itf neg="False">
<ObjectRef ref="sysid0"/>
</Itf>
<When neg="False">
<IntervalRef ref="sysid2"/>
</When>
<PolicyRuleOptions>
<Option name="stateless">True</Option>
</PolicyRuleOptions>
</PolicyRule>
<PolicyRule action="Deny" direction="Both" disabled="False" id="id3B11F63D" log="True" position="12">
<Src neg="False">
<ObjectRef ref="net-Internal_net"/>
<ObjectRef ref="id3B022266"/>
</Src>
<Dst neg="True">
<ObjectRef ref="host-hostA"/>
<ObjectRef ref="host-hostB"/>
</Dst>
<Srv neg="False">
<ServiceRef ref="sysid1"/>
</Srv>
<Itf neg="False">
<ObjectRef ref="sysid0"/>
</Itf>
<When neg="False">
<IntervalRef ref="sysid2"/>
</When>
<PolicyRuleOptions>
<Option name="stateless">True</Option>
</PolicyRuleOptions>
</PolicyRule>
<PolicyRule action="Reject" comment="testing negation in the policy rule" direction="Both" disabled="False" id="id41199643" log="True" position="13">
<Src neg="False">
<ObjectRef ref="host-hostA"/>
</Src>
<Dst neg="False">
<ObjectRef ref="sysid0"/>
</Dst>
<Srv neg="False">
<ServiceRef ref="sysid1"/>
</Srv>
<Itf neg="False">
<ObjectRef ref="sysid0"/>
</Itf>
<When neg="False">
<IntervalRef ref="sysid2"/>
</When>
<PolicyRuleOptions>
<Option name="action_on_reject"/>
<Option name="limit_suffix">/minute</Option>
<Option name="limit_value">10</Option>
<Option name="log_prefix"/>
<Option name="stateless">True</Option>
</PolicyRuleOptions>
</PolicyRule>
<PolicyRule action="Deny" comment="testing negation in service field" direction="Both" disabled="True" id="id3B021E6F" log="True" position="14">
<Src neg="False">
<ObjectRef ref="sysid0"/>
</Src>
<Dst neg="False">
<ObjectRef ref="host-hostA"/>
<ObjectRef ref="host-hostB"/>
</Dst>
<Srv neg="True">
<ServiceRef ref="tcp-SMTP"/>
<ServiceRef ref="tcp-SSH"/>
</Srv>
<Itf neg="False">
<ObjectRef ref="sysid0"/>
</Itf>
<When neg="False">
<IntervalRef ref="sysid2"/>
</When>
<PolicyRuleOptions>
<Option name="stateless">True</Option>
</PolicyRuleOptions>
</PolicyRule>
<PolicyRule action="Accept" comment="testing negation in service field" direction="Both" disabled="True" id="id3CCA2CF4" log="True" position="15">
<Src neg="False">
<ObjectRef ref="sysid0"/>
</Src>
<Dst neg="False">
<ObjectRef ref="host-hostA"/>
<ObjectRef ref="host-hostB"/>
</Dst>
<Srv neg="True">
<ServiceRef ref="tcp-SMTP"/>
<ServiceRef ref="tcp-SSH"/>
</Srv>
<Itf neg="False">
<ObjectRef ref="sysid0"/>
</Itf>
<When neg="False">
<IntervalRef ref="sysid2"/>
</When>
<PolicyRuleOptions/>
</PolicyRule>
<PolicyRule action="Deny" direction="Both" disabled="False" id="id3B45739A" log="True" position="16">
<Src neg="False">
<ObjectRef ref="id3B4572B5"/>
</Src>
<Dst neg="True">
<ObjectRef ref="id3B4572B5"/>
</Dst>
<Srv neg="False">
<ServiceRef ref="id3B457567"/>
</Srv>
<Itf neg="False">
<ObjectRef ref="sysid0"/>
</Itf>
<When neg="False">
<IntervalRef ref="sysid2"/>
</When>
<PolicyRuleOptions>
<Option name="stateless">True</Option>
</PolicyRuleOptions>
</PolicyRule>
<PolicyRule action="Accept" comment="'masquerading' rule" direction="Both" disabled="False" id="id3AF5AAC8" log="False" position="17">
<Src neg="False">
<ObjectRef ref="net-Internal_net"/>
</Src>
<Dst neg="False">
<ObjectRef ref="sysid0"/>
</Dst>
<Srv neg="False">
<ServiceRef ref="sysid1"/>
</Srv>
<Itf neg="False">
<ObjectRef ref="sysid0"/>
</Itf>
<When neg="False">
<IntervalRef ref="sysid2"/>
</When>
<PolicyRuleOptions/>
</PolicyRule>
<PolicyRule action="Deny" comment="'catch all' rule" direction="Both" disabled="False" id="id3AF5AAE3" log="True" position="18">
<Src neg="False">
<ObjectRef ref="sysid0"/>
</Src>
<Dst neg="False">
<ObjectRef ref="sysid0"/>
</Dst>
<Srv neg="False">
<ServiceRef ref="sysid1"/>
</Srv>
<Itf neg="False">
<ObjectRef ref="sysid0"/>
</Itf>
<When neg="False">
<IntervalRef ref="sysid2"/>
</When>
<PolicyRuleOptions>
<Option name="stateless">True</Option>
</PolicyRuleOptions>
</PolicyRule>
</Policy>
<Routing id="id3AF5AA0A-routing" name="Routing"/>
<Interface bridgeport="False" dyn="False" id="id3AF5AA96" name="eth0" security_level="100" unnum="False" unprotected="False">
<IPv4 id="id3AF5AA96-ipv4" name="address" address="192.168.1.1" netmask="255.255.255.0"/>
</Interface>
<Interface bridgeport="False" dyn="False" id="id3AF5AA99" name="eth1" security_level="0" unnum="False" unprotected="False">
<IPv4 id="id3AF5AA99-ipv4" name="address" address="22.22.22.22" netmask="255.255.255.0"/>
</Interface>
<Interface bridgeport="False" dyn="False" id="id3B0B4BC8" name="eth2" security_level="100" unnum="False" unprotected="False">
<IPv4 id="id3B0B4BC8-ipv4" name="address" address="192.168.2.1" netmask="255.255.255.0"/>
</Interface>
<Interface bridgeport="False" dyn="False" id="id3B0B4D35" name="lo" security_level="100" unnum="False" unprotected="False">
<IPv4 id="id3B0B4D35-ipv4" name="address" address="127.0.0.1" netmask="255.0.0.0"/>
</Interface>
<Interface bridgeport="False" dyn="False" id="id3B11F434" name="eth3" security_level="0" unnum="False" unprotected="False">
<IPv4 id="id3B11F434-ipv4" name="address" address="22.22.23.23" netmask="255.255.255.0"/>
</Interface>
<Management address="22.22.23.23">
<SNMPManagement enabled="False" snmp_read_community="public" snmp_write_community=""/>
<FWBDManagement enabled="True" identity="" port="9999"/>
<PolicyInstallScript arguments="" command="" enabled="False"/>
</Management>
<FirewallOptions>
<Option name="accept_established">True</Option>
<Option name="accept_new_tcp_with_no_syn">True</Option>
<Option name="action_on_reject">ICMP net unreachable</Option>
<Option name="activationCmd"/>
<Option name="admUser"/>
<Option name="altAddress"/>
<Option name="check_shading">True</Option>
<Option name="clamp_mss_to_mtu">False</Option>
<Option name="cmdline"/>
<Option name="compiler"/>
<Option name="configure_interfaces">False</Option>
<Option name="debug">False</Option>
<Option name="dyn_addr">False</Option>
<Option name="epilog_script"/>
<Option name="fallback_log">False</Option>
<Option name="firewall_dir"/>
<Option name="firewall_is_part_of_any">True</Option>
<Option name="firewall_is_part_of_any_and_networks">True</Option>
<Option name="ignore_empty_groups">False</Option>
<Option name="in_out_code">True</Option>
<Option name="inst_cmdline"/>
<Option name="inst_script"/>
<Option name="install_script"/>
<Option name="limit_suffix">/day</Option>
<Option name="limit_value">0</Option>
<Option name="linux24_ip_forward">0</Option>
<Option name="linux24_tcp_fin_timeout">30</Option>
<Option name="linux24_tcp_keepalive_interval">1800</Option>
<Option name="load_modules">False</Option>
<Option name="log_all_dropped">False</Option>
<Option name="log_ip_opt">False</Option>
<Option name="log_level">debug</Option>
<Option name="log_limit_suffix">/second</Option>
<Option name="log_limit_value">0</Option>
<Option name="log_prefix"/>
<Option name="log_tcp_opt">False</Option>
<Option name="log_tcp_seq">False</Option>
<Option name="manage_virtual_addr">True</Option>
<Option name="mgmt_addr"/>
<Option name="mgmt_ssh">False</Option>
<Option name="modulate_state">False</Option>
<Option name="no_iochains_for_any">False</Option>
<Option name="no_optimisation">False</Option>
<Option name="openbsd_path_pfctl"/>
<Option name="openbsd_path_sysctl"/>
<Option name="output_file"/>
<Option name="pass_all_out">False</Option>
<Option name="pf_adaptive_end">0</Option>
<Option name="pf_adaptive_start">0</Option>
<Option name="pf_do_limit_frags">False</Option>
<Option name="pf_do_limit_states">False</Option>
<Option name="pf_do_scrub">True</Option>
<Option name="pf_do_timeout_frag">False</Option>
<Option name="pf_do_timeout_interval">False</Option>
<Option name="pf_icmp_error">0</Option>
<Option name="pf_icmp_first">0</Option>
<Option name="pf_limit_frags">5000</Option>
<Option name="pf_limit_states">1000</Option>
<Option name="pf_optimization"/>
<Option name="pf_other_first">0</Option>
<Option name="pf_other_multiple">0</Option>
<Option name="pf_other_single">0</Option>
<Option name="pf_scrub_fragm_crop">False</Option>
<Option name="pf_scrub_fragm_drop_ovl">False</Option>
<Option name="pf_scrub_maxmss">1460</Option>
<Option name="pf_scrub_minttl">1</Option>
<Option name="pf_scrub_no_df">False</Option>
<Option name="pf_scrub_random_id">False</Option>
<Option name="pf_scrub_reassemble">True</Option>
<Option name="pf_scrub_use_maxmss">False</Option>
<Option name="pf_scrub_use_minttl">False</Option>
<Option name="pf_set_adaptive">False</Option>
<Option name="pf_set_icmp_error">False</Option>
<Option name="pf_set_icmp_first">False</Option>
<Option name="pf_set_limits">True</Option>
<Option name="pf_set_other_first">False</Option>
<Option name="pf_set_other_multiple">False</Option>
<Option name="pf_set_other_single">False</Option>
<Option name="pf_set_tcp_closed">False</Option>
<Option name="pf_set_tcp_closing">False</Option>
<Option name="pf_set_tcp_established">False</Option>
<Option name="pf_set_tcp_finwait">False</Option>
<Option name="pf_set_tcp_first">False</Option>
<Option name="pf_set_tcp_opening">False</Option>
<Option name="pf_set_timeouts">True</Option>
<Option name="pf_set_udp_first">False</Option>
<Option name="pf_set_udp_multiple">False</Option>
<Option name="pf_set_udp_single">False</Option>
<Option name="pf_tcp_closed">0</Option>
<Option name="pf_tcp_closing">0</Option>
<Option name="pf_tcp_established">0</Option>
<Option name="pf_tcp_finwait">0</Option>
<Option name="pf_tcp_first">0</Option>
<Option name="pf_tcp_opening">0</Option>
<Option name="pf_timeout_frag">30</Option>
<Option name="pf_timeout_interval">10</Option>
<Option name="pf_udp_first">0</Option>
<Option name="pf_udp_multiple">0</Option>
<Option name="pf_udp_single">0</Option>
<Option name="platform">iptables</Option>
<Option name="prolog_place">pf_file_top</Option>
<Option name="prolog_script"># prolog:
# some pf command at the very top of the .conf file goes here
</Option>
<Option name="proxy_arp">False</Option>
<Option name="script_env_path"/>
<Option name="snmp_contact"/>
<Option name="snmp_description"/>
<Option name="snmp_location"/>
<Option name="sshArgs"/>
<Option name="use_ip_tool">False</Option>
<Option name="use_numeric_log_levels">False</Option>
<Option name="use_tables">True</Option>
</FirewallOptions>
</Firewall>
<Firewall comment="testing detection of empty groups" host_OS="openbsd" id="id3DE69291" inactive="False" lastCompiled="1157930804" lastInstalled="0" lastModified="1193632387" name="firewall13" platform="pf" ro="False" version="">
<NAT id="id3DE69292" name="NAT">
<NATRule comment="" disabled="False" id="id3DE69752" position="0">
<OSrc neg="False">
<ObjectRef ref="id3DE69469"/>
</OSrc>
<ODst neg="False">
<ObjectRef ref="id3AFADBF9"/>
</ODst>
<OSrv neg="False">
<ServiceRef ref="tcp-IRC"/>
</OSrv>
<TSrc neg="False">
<ObjectRef ref="sysid0"/>
</TSrc>
<TDst neg="False">
<ObjectRef ref="host-hostA"/>
</TDst>
<TSrv neg="False">
<ServiceRef ref="sysid1"/>
</TSrv>
<NATRuleOptions/>
</NATRule>
<NATRule comment="" disabled="False" id="id3DE697CD" position="1">
<OSrc neg="False">
<ObjectRef ref="id3DE69469"/>
<ObjectRef ref="id3B19C5EB"/>
</OSrc>
<ODst neg="False">
<ObjectRef ref="id3AFADBF9"/>
</ODst>
<OSrv neg="False">
<ServiceRef ref="tcp-IRC"/>
</OSrv>
<TSrc neg="False">
<ObjectRef ref="sysid0"/>
</TSrc>
<TDst neg="False">
<ObjectRef ref="host-hostA"/>
</TDst>
<TSrv neg="False">
<ServiceRef ref="sysid1"/>
</TSrv>
<NATRuleOptions/>
</NATRule>
<NATRule comment="" disabled="False" id="id3DE69866" position="2">
<OSrc neg="False">
<ObjectRef ref="sysid0"/>
</OSrc>
<ODst neg="False">
<ObjectRef ref="id3AFADBF9"/>
</ODst>
<OSrv neg="False">
<ServiceRef ref="id3DE6946C"/>
</OSrv>
<TSrc neg="False">
<ObjectRef ref="sysid0"/>
</TSrc>
<TDst neg="False">
<ObjectRef ref="host-hostA"/>
</TDst>
<TSrv neg="False">
<ServiceRef ref="sysid1"/>
</TSrv>
<NATRuleOptions/>
</NATRule>
</NAT>
<Policy id="id3DE692BD" name="Policy">
<PolicyRule action="Accept" direction="Both" disabled="False" id="id3DE6946F" log="False" position="0">
<Src neg="False">
<ObjectRef ref="id3DE6946A"/>
<ObjectRef ref="id3B19C5EB"/>
</Src>
<Dst neg="False">
<ObjectRef ref="host-hostA"/>
</Dst>
<Srv neg="False">
<ServiceRef ref="sysid1"/>
</Srv>
<Itf neg="False">
<ObjectRef ref="sysid0"/>
</Itf>
<When neg="False">
<IntervalRef ref="sysid2"/>
</When>
<PolicyRuleOptions/>
</PolicyRule>
<PolicyRule action="Accept" direction="Both" disabled="False" id="id3DE6947B" log="False" position="1">
<Src neg="False">
<ObjectRef ref="sysid0"/>
</Src>
<Dst neg="False">
<ObjectRef ref="host-hostA"/>
</Dst>
<Srv neg="False">
<ServiceRef ref="id3DE6946C"/>
</Srv>
<Itf neg="False">
<ObjectRef ref="sysid0"/>
</Itf>
<When neg="False">
<IntervalRef ref="sysid2"/>
</When>
<PolicyRuleOptions/>
</PolicyRule>
<PolicyRule action="Deny" direction="Both" disabled="False" id="id3DE69487" log="True" position="2">
<Src neg="False">
<ObjectRef ref="sysid0"/>
</Src>
<Dst neg="False">
<ObjectRef ref="sysid0"/>
</Dst>
<Srv neg="False">
<ServiceRef ref="sysid1"/>
</Srv>
<Itf neg="False">
<ObjectRef ref="sysid0"/>
</Itf>
<When neg="False">
<IntervalRef ref="sysid2"/>
</When>
<PolicyRuleOptions>
<Option name="stateless">True</Option>
</PolicyRuleOptions>
</PolicyRule>
</Policy>
<Routing id="id3DE69291-routing" name="Routing"/>
<Interface bridgeport="False" dyn="False" id="id3DE6935E" name="eth1" security_level="0" unnum="False" unprotected="False">
<IPv4 comment="" id="id3DE6935F" name="address" address="22.22.22.22" netmask="255.255.255.0"/>
</Interface>
<Interface bridgeport="False" dyn="False" id="id3DE6937E" name="eth0" security_level="100" unnum="False" unprotected="False">
<IPv4 id="id3DE6937F" name="address" address="192.168.1.1" netmask="255.255.255.0"/>
</Interface>
<Management address="192.168.1.1">
<SNMPManagement enabled="False" snmp_read_community="public" snmp_write_community=""/>
<FWBDManagement enabled="True" identity="" port="9999"/>
<PolicyInstallScript arguments="" command="" enabled="False"/>
</Management>
<FirewallOptions>
<Option name="accept_established">False</Option>
<Option name="accept_new_tcp_with_no_syn">False</Option>
<Option name="action_on_reject">ICMP net unreachable</Option>
<Option name="check_shading">True</Option>
<Option name="clamp_mss_to_mtu">False</Option>
<Option name="cmdline"/>
<Option name="compiler"/>
<Option name="configure_interfaces">False</Option>
<Option name="debug">False</Option>
<Option name="dyn_addr">False</Option>
<Option name="firewall_dir"/>
<Option name="firewall_is_part_of_any">True</Option>
<Option name="firewall_is_part_of_any_and_networks">True</Option>
<Option name="ignore_empty_groups">True</Option>
<Option name="in_out_code">True</Option>
<Option name="inst_cmdline"/>
<Option name="inst_script"/>
<Option name="install_script"/>
<Option name="limit_suffix">/second</Option>
<Option name="limit_value">0</Option>
<Option name="linux24_ip_forward">0</Option>
<Option name="linux24_tcp_fin_timeout">30</Option>
<Option name="linux24_tcp_keepalive_interval">1800</Option>
<Option name="load_modules">False</Option>
<Option name="log_all_dropped">True</Option>
<Option name="log_ip_opt">False</Option>
<Option name="log_level">debug</Option>
<Option name="log_limit_suffix">/second</Option>
<Option name="log_limit_value">0</Option>
<Option name="log_prefix"/>
<Option name="log_tcp_opt">False</Option>
<Option name="log_tcp_seq">False</Option>
<Option name="manage_virtual_addr">True</Option>
<Option name="modulate_state">True</Option>
<Option name="no_iochains_for_any">False</Option>
<Option name="no_optimisation">False</Option>
<Option name="openbsd_ip_directed_broadcast">0</Option>
<Option name="openbsd_ip_forward">1</Option>
<Option name="openbsd_ip_redirect">0</Option>
<Option name="openbsd_ip_sourceroute">0</Option>
<Option name="openbsd_path_pfctl"/>
<Option name="openbsd_path_sysctl"/>
<Option name="pass_all_out">False</Option>
<Option name="pf_do_scrub">True</Option>
<Option name="pf_limit_frags">5000</Option>
<Option name="pf_limit_states">10000</Option>
<Option name="pf_optimization"/>
<Option name="pf_scrub_fragm_crop">False</Option>
<Option name="pf_scrub_fragm_drop_ovl">False</Option>
<Option name="pf_scrub_maxmss">1460</Option>
<Option name="pf_scrub_minttl">1</Option>
<Option name="pf_scrub_no_df">False</Option>
<Option name="pf_scrub_random_id">False</Option>
<Option name="pf_scrub_use_maxmss">False</Option>
<Option name="pf_scrub_use_minttl">False</Option>
<Option name="pf_timeout_frag">30</Option>
<Option name="pf_timeout_interval">10</Option>
<Option name="platform">iptables</Option>
<Option name="script_env_path"/>
<Option name="snmp_contact"/>
<Option name="snmp_description"/>
<Option name="snmp_location"/>
<Option name="use_numeric_log_levels">False</Option>
<Option name="use_tables">True</Option>
</FirewallOptions>
</Firewall>
<Firewall comment="this object has several interfaces and shows different rules for NAT. Also testing policy rule options " host_OS="openbsd" id="id3AFB66C6" inactive="False" lastCompiled="1157930805" lastInstalled="0" lastModified="1210452316" name="firewall2" platform="pf" ro="False" version="">
<NAT id="id3AFB66C7" name="NAT">
<NATRule disabled="False" id="id3AFB66C8" position="0">
<OSrc neg="False">
<ObjectRef ref="net-Internal_net"/>
</OSrc>
<ODst neg="False">
<ObjectRef ref="sysid0"/>
</ODst>
<OSrv neg="False">
<ServiceRef ref="sysid1"/>
</OSrv>
<TSrc neg="False">
<ObjectRef ref="id3AFB66C6"/>
</TSrc>
<TDst neg="False">
<ObjectRef ref="sysid0"/>
</TDst>
<TSrv neg="False">
<ServiceRef ref="sysid1"/>
</TSrv>
<NATRuleOptions>
<Option name="color">#C0BA44</Option>
<Option name="id"/>
</NATRuleOptions>
</NATRule>
<NATRule disabled="False" id="id3AFB66D6" position="1">
<OSrc neg="False">
<ObjectRef ref="host-hostA"/>
<ObjectRef ref="id3B4572AF"/>
</OSrc>
<ODst neg="False">
<ObjectRef ref="sysid0"/>
</ODst>
<OSrv neg="False">
<ServiceRef ref="sysid1"/>
</OSrv>
<TSrc neg="False">
<ObjectRef ref="id3AFADBF9"/>
</TSrc>
<TDst neg="False">
<ObjectRef ref="sysid0"/>
</TDst>
<TSrv neg="False">
<ServiceRef ref="sysid1"/>
</TSrv>
<NATRuleOptions>
<Option name="color">#C0BA44</Option>
<Option name="id"/>
</NATRuleOptions>
</NATRule>
<NATRule disabled="False" id="id3CABE6DF" position="2">
<OSrc neg="False">
<ObjectRef ref="net-Internal_net"/>
</OSrc>
<ODst neg="False">
<ObjectRef ref="host-hostA"/>
<ObjectRef ref="id3B4572AF"/>
</ODst>
<OSrv neg="False">
<ServiceRef ref="sysid1"/>
</OSrv>
<TSrc neg="False">
<ObjectRef ref="id3AFC191C"/>
</TSrc>
<TDst neg="False">
<ObjectRef ref="sysid0"/>
</TDst>
<TSrv neg="False">
<ServiceRef ref="sysid1"/>
</TSrv>
<NATRuleOptions>
<Option name="color">#C0BA44</Option>
</NATRuleOptions>
</NATRule>
<NATRule comment="" disabled="False" id="id40E9A827" position="3">
<OSrc neg="False">
<ObjectRef ref="net-Internal_net"/>
</OSrc>
<ODst neg="False">
<ObjectRef ref="sysid0"/>
</ODst>
<OSrv neg="False">
<ServiceRef ref="tcp-HTTP"/>
</OSrv>
<TSrc neg="False">
<ObjectRef ref="id3AFB66C6"/>
</TSrc>
<TDst neg="False">
<ObjectRef ref="sysid0"/>
</TDst>
<TSrv neg="False">
<ServiceRef ref="sysid1"/>
</TSrv>
<NATRuleOptions>
<Option name="color">#C0BA44</Option>
<Option name="id"/>
</NATRuleOptions>
</NATRule>
<NATRule comment="" disabled="False" id="id40E9A83B" position="4">
<OSrc neg="False">
<ObjectRef ref="host-hostA"/>
<ObjectRef ref="id3B4572AF"/>
</OSrc>
<ODst neg="False">
<ObjectRef ref="sysid0"/>
</ODst>
<OSrv neg="False">
<ServiceRef ref="tcp-HTTP"/>
</OSrv>
<TSrc neg="False">
<ObjectRef ref="id3AFADBF9"/>
</TSrc>
<TDst neg="False">
<ObjectRef ref="sysid0"/>
</TDst>
<TSrv neg="False">
<ServiceRef ref="sysid1"/>
</TSrv>
<NATRuleOptions>
<Option name="color">#C0BA44</Option>
<Option name="id"/>
</NATRuleOptions>
</NATRule>
<NATRule comment="" disabled="False" id="id40E9A850" position="5">
<OSrc neg="False">
<ObjectRef ref="net-Internal_net"/>
</OSrc>
<ODst neg="False">
<ObjectRef ref="host-hostA"/>
<ObjectRef ref="id3B4572AF"/>
</ODst>
<OSrv neg="False">
<ServiceRef ref="tcp-HTTP"/>
</OSrv>
<TSrc neg="False">
<ObjectRef ref="id3AFC191C"/>
</TSrc>
<TDst neg="False">
<ObjectRef ref="sysid0"/>
</TDst>
<TSrv neg="False">
<ServiceRef ref="sysid1"/>
</TSrv>
<NATRuleOptions>
<Option name="color">#C0BA44</Option>
</NATRuleOptions>
</NATRule>
<NATRule comment="" disabled="False" id="id40E9A8DE" position="6">
<OSrc neg="False">
<ObjectRef ref="net-Internal_net"/>
</OSrc>
<ODst neg="False">
<ObjectRef ref="sysid0"/>
</ODst>
<OSrv neg="False">
<ServiceRef ref="id3D703C8F"/>
</OSrv>
<TSrc neg="False">
<ObjectRef ref="id3AFB66C6"/>
</TSrc>
<TDst neg="False">
<ObjectRef ref="sysid0"/>
</TDst>
<TSrv neg="False">
<ServiceRef ref="sysid1"/>
</TSrv>
<NATRuleOptions>
<Option name="color">#C0BA44</Option>
<Option name="id"/>
</NATRuleOptions>
</NATRule>
<NATRule comment="" disabled="False" id="id40E9A8F2" position="7">
<OSrc neg="False">
<ObjectRef ref="host-hostA"/>
<ObjectRef ref="id3B4572AF"/>
</OSrc>
<ODst neg="False">
<ObjectRef ref="sysid0"/>
</ODst>
<OSrv neg="False">
<ServiceRef ref="id3C20EEB5"/>
</OSrv>
<TSrc neg="False">
<ObjectRef ref="id3AFADBF9"/>
</TSrc>
<TDst neg="False">
<ObjectRef ref="sysid0"/>
</TDst>
<TSrv neg="False">
<ServiceRef ref="sysid1"/>
</TSrv>
<NATRuleOptions>
<Option name="color">#C0BA44</Option>
<Option name="id"/>
</NATRuleOptions>
</NATRule>
<NATRule comment="" disabled="False" id="id40E9A907" position="8">
<OSrc neg="False">
<ObjectRef ref="net-Internal_net"/>
</OSrc>
<ODst neg="False">
<ObjectRef ref="host-hostA"/>
<ObjectRef ref="id3B4572AF"/>
</ODst>
<OSrv neg="False">
<ServiceRef ref="udp-DNS"/>
</OSrv>
<TSrc neg="False">
<ObjectRef ref="id3AFC191C"/>
</TSrc>
<TDst neg="False">
<ObjectRef ref="sysid0"/>
</TDst>
<TSrv neg="False">
<ServiceRef ref="sysid1"/>
</TSrv>
<NATRuleOptions>
<Option name="color">#C0BA44</Option>
</NATRuleOptions>
</NATRule>
<NATRule comment="" disabled="False" id="id431BEFED" position="9">
<OSrc neg="False">
<ObjectRef ref="sysid0"/>
</OSrc>
<ODst neg="False">
<ObjectRef ref="id3AFADBF9"/>
</ODst>
<OSrv neg="False">
<ServiceRef ref="sysid1"/>
</OSrv>
<TSrc neg="False">
<ObjectRef ref="sysid0"/>
</TSrc>
<TDst neg="False">
<ObjectRef ref="host-hostA"/>
</TDst>
<TSrv neg="False">
<ServiceRef ref="sysid1"/>
</TSrv>
<NATRuleOptions/>
</NATRule>
<NATRule disabled="False" id="id3AFB69BD" position="10">
<OSrc neg="False">
<ObjectRef ref="sysid0"/>
</OSrc>
<ODst neg="False">
<ObjectRef ref="id3AFADBF9"/>
</ODst>
<OSrv neg="False">
<ServiceRef ref="tcp-HTTP"/>
<ServiceRef ref="tcp-NNTP"/>
</OSrv>
<TSrc neg="False">
<ObjectRef ref="sysid0"/>
</TSrc>
<TDst neg="False">
<ObjectRef ref="host-hostA"/>
</TDst>
<TSrv neg="False">
<ServiceRef ref="sysid1"/>
</TSrv>
<NATRuleOptions/>
</NATRule>
<NATRule disabled="False" id="id3BEEF6D2" position="11">
<OSrc neg="False">
<ObjectRef ref="sysid0"/>
</OSrc>
<ODst neg="False">
<ObjectRef ref="id3AFC0F70"/>
</ODst>
<OSrv neg="False">
<ServiceRef ref="tcp-NNTP"/>
</OSrv>
<TSrc neg="False">
<ObjectRef ref="sysid0"/>
</TSrc>
<TDst neg="False">
<ObjectRef ref="host-hostA"/>
</TDst>
<TSrv neg="False">
<ServiceRef ref="sysid1"/>
</TSrv>
<NATRuleOptions/>
</NATRule>
<NATRule disabled="False" id="id3BD67563" position="12">
<OSrc neg="False">
<ObjectRef ref="host-hostB"/>
</OSrc>
<ODst neg="False">
<ObjectRef ref="sysid0"/>
</ODst>
<OSrv neg="False">
<ServiceRef ref="sysid1"/>
</OSrv>
<TSrc neg="False">
<ObjectRef ref="id3BD6736B"/>
</TSrc>
<TDst neg="False">
<ObjectRef ref="sysid0"/>
</TDst>
<TSrv neg="False">
<ServiceRef ref="sysid1"/>
</TSrv>
<NATRuleOptions>
<Option name="id"/>
</NATRuleOptions>
</NATRule>
<NATRule disabled="True" id="id3BD6757E" position="13">
<OSrc neg="False">
<ObjectRef ref="sysid0"/>
</OSrc>
<ODst neg="False">
<ObjectRef ref="id3BD6736B"/>
</ODst>
<OSrv neg="False">
<ServiceRef ref="sysid1"/>
</OSrv>
<TSrc neg="False">
<ObjectRef ref="sysid0"/>
</TSrc>
<TDst neg="False">
<ObjectRef ref="host-hostB"/>
</TDst>
<TSrv neg="False">
<ServiceRef ref="sysid1"/>
</TSrv>
<NATRuleOptions/>
</NATRule>
<NATRule comment="NETMAP " disabled="True" id="id3B66568B" position="14">
<OSrc neg="False">
<ObjectRef ref="net-Internal_net"/>
</OSrc>
<ODst neg="False">
<ObjectRef ref="sysid0"/>
</ODst>
<OSrv neg="False">
<ServiceRef ref="sysid1"/>
</OSrv>
<TSrc neg="False">
<ObjectRef ref="id3B665641"/>
</TSrc>
<TDst neg="False">
<ObjectRef ref="sysid0"/>
</TDst>
<TSrv neg="False">
<ServiceRef ref="sysid1"/>
</TSrv>
<NATRuleOptions/>
</NATRule>
<NATRule comment="NETMAP" disabled="True" id="id3B6656EF" position="15">
<OSrc neg="False">
<ObjectRef ref="sysid0"/>
</OSrc>
<ODst neg="False">
<ObjectRef ref="id3B665641"/>
</ODst>
<OSrv neg="False">
<ServiceRef ref="sysid1"/>
</OSrv>
<TSrc neg="False">
<ObjectRef ref="sysid0"/>
</TSrc>
<TDst neg="False">
<ObjectRef ref="net-Internal_net"/>
</TDst>
<TSrv neg="False">
<ServiceRef ref="sysid1"/>
</TSrv>
<NATRuleOptions/>
</NATRule>
<NATRule comment="" disabled="False" id="id431C0728" position="16">
<OSrc neg="False">
<ObjectRef ref="sysid0"/>
</OSrc>
<ODst neg="False">
<ObjectRef ref="id3AFB66C6"/>
</ODst>
<OSrv neg="False">
<ServiceRef ref="sysid1"/>
</OSrv>
<TSrc neg="False">
<ObjectRef ref="sysid0"/>
</TSrc>
<TDst neg="False">
<ObjectRef ref="host-hostA"/>
</TDst>
<TSrv neg="False">
<ServiceRef ref="sysid1"/>
</TSrv>
<NATRuleOptions/>
</NATRule>
<NATRule comment="" disabled="False" id="id431C0714" position="17">
<OSrc neg="False">
<ObjectRef ref="sysid0"/>
</OSrc>
<ODst neg="False">
<ObjectRef ref="id3AFB6706"/>
</ODst>
<OSrv neg="False">
<ServiceRef ref="sysid1"/>
</OSrv>
<TSrc neg="False">
<ObjectRef ref="sysid0"/>
</TSrc>
<TDst neg="False">
<ObjectRef ref="host-hostA"/>
</TDst>
<TSrv neg="False">
<ServiceRef ref="sysid1"/>
</TSrv>
<NATRuleOptions/>
</NATRule>
<NATRule comment="" disabled="False" id="id431C0700" position="18">
<OSrc neg="False">
<ObjectRef ref="sysid0"/>
</OSrc>
<ODst neg="False">
<ObjectRef ref="id3AFB6706-ipv4"/>
</ODst>
<OSrv neg="False">
<ServiceRef ref="sysid1"/>
</OSrv>
<TSrc neg="False">
<ObjectRef ref="sysid0"/>
</TSrc>
<TDst neg="False">
<ObjectRef ref="host-hostA"/>
</TDst>
<TSrv neg="False">
<ServiceRef ref="sysid1"/>
</TSrv>
<NATRuleOptions/>
</NATRule>
<NATRule comment="" disabled="False" id="id431C355F" position="19">
<OSrc neg="False">
<ObjectRef ref="sysid0"/>
</OSrc>
<ODst neg="False">
<ObjectRef ref="id3AFB66C6"/>
</ODst>
<OSrv neg="False">
<ServiceRef ref="id3D703C8F"/>
</OSrv>
<TSrc neg="False">
<ObjectRef ref="sysid0"/>
</TSrc>
<TDst neg="False">
<ObjectRef ref="host-hostA"/>
</TDst>
<TSrv neg="False">
<ServiceRef ref="sysid1"/>
</TSrv>
<NATRuleOptions/>
</NATRule>
<NATRule disabled="False" id="id3AFB69F7" position="20">
<OSrc neg="False">
<ObjectRef ref="sysid0"/>
</OSrc>
<ODst neg="False">
<ObjectRef ref="id3AFB66C6"/>
</ODst>
<OSrv neg="False">
<ServiceRef ref="id3B20468D"/>
</OSrv>
<TSrc neg="False">
<ObjectRef ref="sysid0"/>
</TSrc>
<TDst neg="False">
<ObjectRef ref="host-hostA"/>
</TDst>
<TSrv neg="False">
<ServiceRef ref="id3B20468D"/>
</TSrv>
<NATRuleOptions/>
</NATRule>
<NATRule comment="" disabled="False" id="id414BEA12" position="21">
<OSrc neg="False">
<ObjectRef ref="sysid0"/>
</OSrc>
<ODst neg="False">
<ObjectRef ref="id3AFB6706"/>
</ODst>
<OSrv neg="False">
<ServiceRef ref="id3B20468D"/>
</OSrv>
<TSrc neg="False">
<ObjectRef ref="sysid0"/>
</TSrc>
<TDst neg="False">
<ObjectRef ref="host-hostA"/>
</TDst>
<TSrv neg="False">
<ServiceRef ref="id3B20468D"/>
</TSrv>
<NATRuleOptions/>
</NATRule>
<NATRule comment="" disabled="False" id="id414BEC22" position="22">
<OSrc neg="False">
<ObjectRef ref="sysid0"/>
</OSrc>
<ODst neg="False">
<ObjectRef ref="id3AFB6706-ipv4"/>
</ODst>
<OSrv neg="False">
<ServiceRef ref="id3B20468D"/>
</OSrv>
<TSrc neg="False">
<ObjectRef ref="sysid0"/>
</TSrc>
<TDst neg="False">
<ObjectRef ref="host-hostA"/>
</TDst>
<TSrv neg="False">
<ServiceRef ref="id3B20468D"/>
</TSrv>
<NATRuleOptions/>
</NATRule>
<NATRule disabled="False" id="id3B7313C4" position="23">
<OSrc neg="False">
<ObjectRef ref="sysid0"/>
</OSrc>
<ODst neg="False">
<ObjectRef ref="id3AFADBF9"/>
</ODst>
<OSrv neg="False">
<ServiceRef ref="tcp-HTTP"/>
</OSrv>
<TSrc neg="False">
<ObjectRef ref="sysid0"/>
</TSrc>
<TDst neg="False">
<ObjectRef ref="host-hostA"/>
</TDst>
<TSrv neg="False">
<ServiceRef ref="tcp-SMTP"/>
</TSrv>
<NATRuleOptions/>
</NATRule>
<NATRule comment="" disabled="False" id="id3E59ADF3" position="24">
<OSrc neg="False">
<ObjectRef ref="net-Internal_net"/>
</OSrc>
<ODst neg="False">
<ObjectRef ref="sysid0"/>
</ODst>
<OSrv neg="False">
<ServiceRef ref="tcp-HTTP"/>
</OSrv>
<TSrc neg="False">
<ObjectRef ref="sysid0"/>
</TSrc>
<TDst neg="False">
<ObjectRef ref="id3AFB66C6"/>
</TDst>
<TSrv neg="False">
<ServiceRef ref="tcp-HTTP"/>
</TSrv>
<NATRuleOptions/>
</NATRule>
<NATRule comment="" disabled="False" id="id40ECF000" position="25">
<OSrc neg="False">
<ObjectRef ref="net-Internal_net"/>
</OSrc>
<ODst neg="False">
<ObjectRef ref="sysid0"/>
</ODst>
<OSrv neg="False">
<ServiceRef ref="tcp-HTTP"/>
</OSrv>
<TSrc neg="False">
<ObjectRef ref="sysid0"/>
</TSrc>
<TDst neg="False">
<ObjectRef ref="id3AFB6703"/>
</TDst>
<TSrv neg="False">
<ServiceRef ref="tcp-HTTP"/>
</TSrv>
<NATRuleOptions/>
</NATRule>
<NATRule disabled="False" id="id3E59AC6D" position="26">
<OSrc neg="False">
<ObjectRef ref="sysid0"/>
</OSrc>
<ODst neg="False">
<ObjectRef ref="id3AFB66C6"/>
</ODst>
<OSrv neg="False">
<ServiceRef ref="id3E59AD29"/>
</OSrv>
<TSrc neg="False">
<ObjectRef ref="sysid0"/>
</TSrc>
<TDst neg="False">
<ObjectRef ref="id3AFB66C6"/>
</TDst>
<TSrv neg="False">
<ServiceRef ref="tcp-HTTP"/>
</TSrv>
<NATRuleOptions/>
</NATRule>
<NATRule disabled="False" id="id41F9FFBB" position="27">
<OSrc neg="False">
<ObjectRef ref="net-Internal_net"/>
</OSrc>
<ODst neg="False">
<ObjectRef ref="sysid0"/>
</ODst>
<OSrv neg="False">
<ServiceRef ref="id41F9FFBA"/>
</OSrv>
<TSrc neg="False">
<ObjectRef ref="id3AFB6706-ipv4"/>
</TSrc>
<TDst neg="False">
<ObjectRef ref="sysid0"/>
</TDst>
<TSrv neg="False">
<ServiceRef ref="sysid1"/>
</TSrv>
<NATRuleOptions/>
</NATRule>
<NATRule comment="" disabled="False" id="id41FA0A82" position="28">
<OSrc neg="False">
<ObjectRef ref="net-Internal_net"/>
</OSrc>
<ODst neg="False">
<ObjectRef ref="sysid0"/>
</ODst>
<OSrv neg="False">
<ServiceRef ref="id3D703C8F"/>
<ServiceRef ref="id3C20EEB5"/>
<ServiceRef ref="tcp-All_TCP"/>
<ServiceRef ref="udp-All_UDP"/>
</OSrv>
<TSrc neg="False">
<ObjectRef ref="id3AFB6706-ipv4"/>
</TSrc>
<TDst neg="False">
<ObjectRef ref="sysid0"/>
</TDst>
<TSrv neg="False">
<ServiceRef ref="sysid1"/>
</TSrv>
<NATRuleOptions/>
</NATRule>
</NAT>
<Policy id="id3AFB66E4" name="Policy">
<PolicyRule action="Deny" direction="Inbound" disabled="False" id="id41451D62" log="True" position="0">
<Src neg="True">
<ObjectRef ref="net-Internal_net"/>
</Src>
<Dst neg="False">
<ObjectRef ref="sysid0"/>
</Dst>
<Srv neg="False">
<ServiceRef ref="sysid1"/>
</Srv>
<Itf neg="False">
<ObjectRef ref="id3AFB6703"/>
</Itf>
<When neg="False">
<IntervalRef ref="sysid2"/>
</When>
<PolicyRuleOptions>
<Option name="stateless">True</Option>
</PolicyRuleOptions>
</PolicyRule>
<PolicyRule action="Deny" comment="Anti-spoofing rule" direction="Inbound" disabled="False" id="id3AFB6708" log="True" position="1">
<Src neg="False">
<ObjectRef ref="net-Internal_net"/>
<ObjectRef ref="id3AFB66C6"/>
</Src>
<Dst neg="False">
<ObjectRef ref="sysid0"/>
</Dst>
<Srv neg="False">
<ServiceRef ref="sysid1"/>
</Srv>
<Itf neg="False">
<ObjectRef ref="id3AFB6706"/>
</Itf>
<PolicyRuleOptions>
<Option name="action_on_reject"/>
<Option name="limit_suffix"/>
<Option name="limit_value">0</Option>
<Option name="log_prefix">Iface: %I RULE %N -- %A **</Option>
<Option name="stateless">True</Option>
</PolicyRuleOptions>
</PolicyRule>
<PolicyRule action="Deny" comment="rules 2,3,4 test group&#10;usage in interface&#10;all three rules should yield&#10;the same config" direction="Inbound" disabled="False" id="id465385F321432" log="True" position="2">
<Src neg="False">
<ObjectRef ref="net-Internal_net"/>
<ObjectRef ref="id3AFB66C6"/>
</Src>
<Dst neg="False">
<ObjectRef ref="sysid0"/>
</Dst>
<Srv neg="False">
<ServiceRef ref="sysid1"/>
</Srv>
<Itf neg="False">
<ObjectRef ref="id4653861721432"/>
</Itf>
<When neg="False">
<IntervalRef ref="sysid2"/>
</When>
<PolicyRuleOptions>
<Option name="action_on_reject"/>
<Option name="limit_suffix"/>
<Option name="limit_value">0</Option>
<Option name="log_prefix">Iface: %I RULE %N -- %A **</Option>
<Option name="stateless">True</Option>
</PolicyRuleOptions>
</PolicyRule>
<PolicyRule action="Deny" comment="Anti-spoofing rule" direction="Inbound" disabled="False" id="id4653B74421432" log="True" position="3">
<Src neg="False">
<ObjectRef ref="net-Internal_net"/>
<ObjectRef ref="id3AFB66C6"/>
</Src>
<Dst neg="False">
<ObjectRef ref="sysid0"/>
</Dst>
<Srv neg="False">
<ServiceRef ref="sysid1"/>
</Srv>
<Itf neg="False">
<ObjectRef ref="id4653B74121432"/>
<ObjectRef ref="id3AFB68D2"/>
</Itf>
<When neg="False">
<IntervalRef ref="sysid2"/>
</When>
<PolicyRuleOptions>
<Option name="action_on_reject"/>
<Option name="limit_suffix"/>
<Option name="limit_value">0</Option>
<Option name="log_prefix">Iface: %I RULE %N -- %A **</Option>
<Option name="stateless">True</Option>
</PolicyRuleOptions>
</PolicyRule>
<PolicyRule action="Deny" comment="Anti-spoofing rule" direction="Inbound" disabled="False" id="id4653860421432" log="True" position="4">
<Src neg="False">
<ObjectRef ref="net-Internal_net"/>
<ObjectRef ref="id3AFB66C6"/>
</Src>
<Dst neg="False">
<ObjectRef ref="sysid0"/>
</Dst>
<Srv neg="False">
<ServiceRef ref="sysid1"/>
</Srv>
<Itf neg="False">
<ObjectRef ref="id3AFB6706"/>
<ObjectRef ref="id3AFB68D2"/>
</Itf>
<When neg="False">
<IntervalRef ref="sysid2"/>
</When>
<PolicyRuleOptions>
<Option name="action_on_reject"/>
<Option name="limit_suffix"/>
<Option name="limit_value">0</Option>
<Option name="log_prefix">Iface: %I RULE %N -- %A **</Option>
<Option name="stateless">True</Option>
</PolicyRuleOptions>
</PolicyRule>
<PolicyRule action="Deny" comment="Anti-spoofing rule" direction="Outbound" disabled="False" id="id3AFB6710" log="True" position="5">
<Src neg="True">
<ObjectRef ref="net-Internal_net"/>
<ObjectRef ref="id3AFB66C6"/>
</Src>
<Dst neg="False">
<ObjectRef ref="sysid0"/>
</Dst>
<Srv neg="False">
<ServiceRef ref="sysid1"/>
</Srv>
<Itf neg="False">
<ObjectRef ref="id3AFB6706"/>
</Itf>
<PolicyRuleOptions>
<Option name="action_on_reject"/>
<Option name="limit_suffix"/>
<Option name="limit_value">0</Option>
<Option name="log_prefix">Iface: %I RULE %N -- %A **</Option>
<Option name="stateless">True</Option>
</PolicyRuleOptions>
</PolicyRule>
<PolicyRule action="Deny" comment="block fragments" direction="Both" disabled="False" id="id3AFB66E5" log="True" position="6">
<Src neg="False">
<ObjectRef ref="sysid0"/>
</Src>
<Dst neg="False">
<ObjectRef ref="sysid0"/>
</Dst>
<Srv neg="False">
<ServiceRef ref="ip-IP_Fragments"/>
</Srv>
<Itf neg="False">
<ObjectRef ref="sysid0"/>
</Itf>
<When neg="False">
<IntervalRef ref="sysid2"/>
</When>
<PolicyRuleOptions>
<Option name="id"/>
<Option name="stateless">True</Option>
</PolicyRuleOptions>
</PolicyRule>
<PolicyRule action="Reject" comment="sends TCP RST and makes custom record in the log" direction="Both" disabled="False" id="id3B0C6FD2" log="True" position="7">
<Src neg="False">
<ObjectRef ref="sysid0"/>
</Src>
<Dst neg="False">
<ObjectRef ref="sysid0"/>
</Dst>
<Srv neg="False">
<ServiceRef ref="tcp-Auth"/>
</Srv>
<Itf neg="False">
<ObjectRef ref="sysid0"/>
</Itf>
<When neg="False">
<IntervalRef ref="sysid2"/>
</When>
<PolicyRuleOptions>
<Option name="action_on_reject">TCP RST</Option>
<Option name="limit_suffix"/>
<Option name="limit_value">0</Option>
<Option name="log_prefix">IDENT</Option>
<Option name="stateless">True</Option>
</PolicyRuleOptions>
</PolicyRule>
<PolicyRule action="Accept" direction="Both" disabled="False" id="id3D8FEDA9" log="False" position="8">
<Src neg="False">
<ObjectRef ref="id3B4572AF"/>
<ObjectRef ref="id3D8FED30"/>
</Src>
<Dst neg="False">
<ObjectRef ref="id3B19C5EB"/>
</Dst>
<Srv neg="False">
<ServiceRef ref="sysid1"/>
</Srv>
<Itf neg="False">
<ObjectRef ref="sysid0"/>
</Itf>
<When neg="False">
<IntervalRef ref="sysid2"/>
</When>
<PolicyRuleOptions/>
</PolicyRule>
<PolicyRule action="Accept" comment="" direction="Both" disabled="False" id="id3D8FEE11" log="False" position="9">
<Src neg="False">
<ObjectRef ref="id3B19C5EB"/>
</Src>
<Dst neg="False">
<ObjectRef ref="id3B4572AF"/>
<ObjectRef ref="id3D8FED30"/>
</Dst>
<Srv neg="False">
<ServiceRef ref="sysid1"/>
</Srv>
<Itf neg="False">
<ObjectRef ref="sysid0"/>
</Itf>
<When neg="False">
<IntervalRef ref="sysid2"/>
</When>
<PolicyRuleOptions/>
</PolicyRule>
<PolicyRule action="Accept" comment="'masquerading' rule" direction="Both" disabled="False" id="id3AFB66EF" log="False" position="10">
<Src neg="False">
<ObjectRef ref="net-Internal_net"/>
</Src>
<Dst neg="False">
<ObjectRef ref="sysid0"/>
</Dst>
<Srv neg="False">
<ServiceRef ref="sysid1"/>
</Srv>
<Itf neg="False">
<ObjectRef ref="sysid0"/>
</Itf>
<When neg="False">
<IntervalRef ref="sysid2"/>
</When>
<PolicyRuleOptions>
<Option name="id"/>
</PolicyRuleOptions>
</PolicyRule>
<PolicyRule action="Accept" comment="host-fw2 has the same address as &#10; one of the firewall's interfaces" direction="Both" disabled="True" id="id3C447B8D" log="True" position="11">
<Src neg="False">
<ObjectRef ref="sysid0"/>
</Src>
<Dst neg="False">
<ObjectRef ref="id3AFC0F70"/>
</Dst>
<Srv neg="False">
<ServiceRef ref="tcp-FTP"/>
</Srv>
<Itf neg="False">
<ObjectRef ref="sysid0"/>
</Itf>
<When neg="False">
<IntervalRef ref="sysid2"/>
</When>
<PolicyRuleOptions/>
</PolicyRule>
<PolicyRule action="Accept" direction="Both" disabled="False" id="id3C447BCB" log="False" position="12">
<Src neg="False">
<ObjectRef ref="sysid0"/>
</Src>
<Dst neg="False">
<ObjectRef ref="id3AFB66C6"/>
<ObjectRef ref="host-hostA"/>
</Dst>
<Srv neg="False">
<ServiceRef ref="tcp-FTP"/>
<ServiceRef ref="tcp-HTTP"/>
<ServiceRef ref="tcp-SMTP"/>
</Srv>
<Itf neg="False">
<ObjectRef ref="sysid0"/>
</Itf>
<When neg="False">
<IntervalRef ref="sysid2"/>
</When>
<PolicyRuleOptions/>
</PolicyRule>
<PolicyRule action="Deny" comment="'catch all' rule" direction="Both" disabled="False" id="id3AFB66F9" log="True" position="13">
<Src neg="False">
<ObjectRef ref="sysid0"/>
</Src>
<Dst neg="False">
<ObjectRef ref="sysid0"/>
</Dst>
<Srv neg="False">
<ServiceRef ref="sysid1"/>
</Srv>
<Itf neg="False">
<ObjectRef ref="sysid0"/>
</Itf>
<When neg="False">
<IntervalRef ref="sysid2"/>
</When>
<PolicyRuleOptions>
<Option name="id"/>
<Option name="stateless">True</Option>
</PolicyRuleOptions>
</PolicyRule>
</Policy>
<Routing id="id3AFB66C6-routing" name="Routing"/>
<Interface bridgeport="False" dyn="False" id="id3AFB6703" name="eth0" security_level="100" unnum="False" unprotected="False">
<IPv4 id="id3AFB6703-ipv4" name="address" address="192.168.1.1" netmask="255.255.255.0"/>
</Interface>
<Interface bridgeport="False" dyn="False" id="id3AFB6706" name="eth1" security_level="0" unnum="False" unprotected="False">
<IPv4 id="id3AFB6706-ipv4" name="address" address="22.22.22.22" netmask="255.255.255.0"/>
</Interface>
<Interface bridgeport="False" dyn="False" id="id3AFB68D2" name="eth3" security_level="0" unnum="False" unprotected="False">
<IPv4 id="id3AFB68D2-ipv4" name="address" address="22.22.23.23" netmask="255.255.255.0"/>
</Interface>
<Interface bridgeport="False" comment="" dyn="False" id="id3B0221F1" label="" mgmt="True" name="eth2" security_level="100" unnum="False" unprotected="False">
<IPv4 id="id3B0221F1-ipv4" name="address" address="192.168.2.1" netmask="255.255.255.0"/>
</Interface>
<Interface bridgeport="False" dyn="False" id="id3CD2449F" label="" name="lo" security_level="100" unnum="False" unprotected="False">
<IPv4 comment="" id="id3CD2449F-ipv4" name="lo:ip" address="127.0.0.1" netmask="255.0.0.0"/>
</Interface>
<Management address="192.168.2.1">
<SNMPManagement enabled="False" snmp_read_community="public" snmp_write_community=""/>
<FWBDManagement enabled="True" identity="" port="9999"/>
<PolicyInstallScript arguments="" command="" enabled="False"/>
</Management>
<FirewallOptions>
<Option name="accept_established">True</Option>
<Option name="accept_new_tcp_with_no_syn">True</Option>
<Option name="action_on_reject">ICMP net unreachable</Option>
<Option name="activationCmd"/>
<Option name="admUser"/>
<Option name="altAddress"/>
<Option name="check_shading">False</Option>
<Option name="clamp_mss_to_mtu">False</Option>
<Option name="cmdline"/>
<Option name="compiler"/>
<Option name="configure_interfaces">False</Option>
<Option name="debug">False</Option>
<Option name="dyn_addr">False</Option>
<Option name="epilog_script"/>
<Option name="fallback_log">False</Option>
<Option name="firewall_dir"/>
<Option name="firewall_is_part_of_any">True</Option>
<Option name="firewall_is_part_of_any_and_networks">True</Option>
<Option name="id"/>
<Option name="ignore_empty_groups">False</Option>
<Option name="in_out_code">True</Option>
<Option name="inst_cmdline"/>
<Option name="inst_script"/>
<Option name="install_script"/>
<Option name="limit_suffix">/second</Option>
<Option name="limit_value">0</Option>
<Option name="linux24_accept_redirects">0</Option>
<Option name="linux24_accept_source_route">0</Option>
<Option name="linux24_icmp_echo_ignore_all">1</Option>
<Option name="linux24_icmp_ignore_bogus_error_responses">1</Option>
<Option name="linux24_ip_forward">1</Option>
<Option name="linux24_log_martians">1</Option>
<Option name="linux24_rp_filter">1</Option>
<Option name="linux24_tcp_fin_timeout">30</Option>
<Option name="linux24_tcp_keepalive_interval">1800</Option>
<Option name="load_modules">False</Option>
<Option name="log_all_dropped">True</Option>
<Option name="log_ip_opt">False</Option>
<Option name="log_level">debug</Option>
<Option name="log_limit_suffix">/second</Option>
<Option name="log_limit_value">0</Option>
<Option name="log_prefix">RULE %N - %A **</Option>
<Option name="log_tcp_opt">False</Option>
<Option name="log_tcp_seq">False</Option>
<Option name="manage_virtual_addr">True</Option>
<Option name="mgmt_addr">192.168.1.100</Option>
<Option name="mgmt_ssh">True</Option>
<Option name="modulate_state">False</Option>
<Option name="no_iochains_for_any">False</Option>
<Option name="no_optimisation">False</Option>
<Option name="openbsd_path_pfctl"/>
<Option name="openbsd_path_sysctl"/>
<Option name="output_file"/>
<Option name="pass_all_out">False</Option>
<Option name="pf_adaptive_end">0</Option>
<Option name="pf_adaptive_start">0</Option>
<Option name="pf_do_limit_frags">True</Option>
<Option name="pf_do_limit_src_nodes">False</Option>
<Option name="pf_do_limit_states">True</Option>
<Option name="pf_do_limit_table_entries">False</Option>
<Option name="pf_do_limit_tables">False</Option>
<Option name="pf_do_scrub">True</Option>
<Option name="pf_do_timeout_frag">False</Option>
<Option name="pf_do_timeout_interval">False</Option>
<Option name="pf_icmp_error">0</Option>
<Option name="pf_icmp_first">0</Option>
<Option name="pf_limit_frags">5000</Option>
<Option name="pf_limit_src_nodes">0</Option>
<Option name="pf_limit_states">10000</Option>
<Option name="pf_limit_table_entries">0</Option>
<Option name="pf_limit_tables">0</Option>
<Option name="pf_optimization">Aggressive</Option>
<Option name="pf_other_first">0</Option>
<Option name="pf_other_multiple">0</Option>
<Option name="pf_other_single">0</Option>
<Option name="pf_scrub_fragm_crop">False</Option>
<Option name="pf_scrub_fragm_drop_ovl">False</Option>
<Option name="pf_scrub_maxmss">1460</Option>
<Option name="pf_scrub_minttl">32</Option>
<Option name="pf_scrub_no_df">True</Option>
<Option name="pf_scrub_random_id">True</Option>
<Option name="pf_scrub_reassemble">True</Option>
<Option name="pf_scrub_use_maxmss">True</Option>
<Option name="pf_scrub_use_minttl">True</Option>
<Option name="pf_set_adaptive">False</Option>
<Option name="pf_set_icmp_error">False</Option>
<Option name="pf_set_icmp_first">False</Option>
<Option name="pf_set_other_first">False</Option>
<Option name="pf_set_other_multiple">False</Option>
<Option name="pf_set_other_single">False</Option>
<Option name="pf_set_tcp_closed">False</Option>
<Option name="pf_set_tcp_closing">False</Option>
<Option name="pf_set_tcp_established">True</Option>
<Option name="pf_set_tcp_finwait">False</Option>
<Option name="pf_set_tcp_first">True</Option>
<Option name="pf_set_tcp_opening">True</Option>
<Option name="pf_set_udp_first">False</Option>
<Option name="pf_set_udp_multiple">False</Option>
<Option name="pf_set_udp_single">False</Option>
<Option name="pf_tcp_closed">0</Option>
<Option name="pf_tcp_closing">0</Option>
<Option name="pf_tcp_established">10</Option>
<Option name="pf_tcp_finwait">0</Option>
<Option name="pf_tcp_first">5</Option>
<Option name="pf_tcp_opening">5</Option>
<Option name="pf_timeout_frag">30</Option>
<Option name="pf_timeout_interval">10</Option>
<Option name="pf_udp_first">0</Option>
<Option name="pf_udp_multiple">0</Option>
<Option name="pf_udp_single">0</Option>
<Option name="platform">iptables</Option>
<Option name="prolog_place">pf_file_after_set</Option>
<Option name="prolog_script"># prolog
# prolog commands go after set commands
</Option>
<Option name="proxy_arp">True</Option>
<Option name="script_env_path"/>
<Option name="snmp_contact"/>
<Option name="snmp_description"/>
<Option name="snmp_location"/>
<Option name="sshArgs"/>
<Option name="use_ip_tool">True</Option>
<Option name="use_numeric_log_levels">False</Option>
<Option name="use_tables">True</Option>
</FirewallOptions>
</Firewall>
<Firewall comment="this object is used to test a configuration where firewall has dynamic address " host_OS="openbsd" id="id3B0C6380" inactive="False" lastCompiled="1157930815" lastInstalled="0" lastModified="1200415196" name="firewall4" platform="pf" ro="False" version="">
<NAT id="id3B0C6381" name="NAT">
<NATRule disabled="False" id="id3B0C6382" position="0">
<OSrc neg="False">
<ObjectRef ref="host-hostA"/>
</OSrc>
<ODst neg="False">
<ObjectRef ref="sysid0"/>
</ODst>
<OSrv neg="False">
<ServiceRef ref="sysid1"/>
</OSrv>
<TSrc neg="False">
<ObjectRef ref="id3B0C6380"/>
</TSrc>
<TDst neg="False">
<ObjectRef ref="sysid0"/>
</TDst>
<TSrv neg="False">
<ServiceRef ref="sysid1"/>
</TSrv>
<NATRuleOptions>
<Option name="id"/>
</NATRuleOptions>
</NATRule>
<NATRule disabled="False" id="id3B0C6390" position="1">
<OSrc neg="False">
<ObjectRef ref="net-Internal_net"/>
</OSrc>
<ODst neg="True">
<ObjectRef ref="id3B022266"/>
</ODst>
<OSrv neg="False">
<ServiceRef ref="sysid1"/>
</OSrv>
<TSrc neg="False">
<ObjectRef ref="id3B0C6380"/>
</TSrc>
<TDst neg="False">
<ObjectRef ref="sysid0"/>
</TDst>
<TSrv neg="False">
<ServiceRef ref="sysid1"/>
</TSrv>
<NATRuleOptions>
<Option name="id"/>
</NATRuleOptions>
</NATRule>
<NATRule disabled="False" id="id3B202AFF" position="2">
<OSrc neg="False">
<ObjectRef ref="sysid0"/>
</OSrc>
<ODst neg="False">
<ObjectRef ref="id3B0C6380"/>
</ODst>
<OSrv neg="False">
<ServiceRef ref="tcp-SSH"/>
</OSrv>
<TSrc neg="False">
<ObjectRef ref="sysid0"/>
</TSrc>
<TDst neg="False">
<ObjectRef ref="host-hostA"/>
</TDst>
<TSrv neg="False">
<ServiceRef ref="tcp-SSH"/>
</TSrv>
<NATRuleOptions/>
</NATRule>
<NATRule comment="SDNAT rule&#10;" disabled="False" id="id3E797EFF" position="3">
<OSrc neg="False">
<ObjectRef ref="net-Internal_net"/>
</OSrc>
<ODst neg="False">
<ObjectRef ref="id3CD88A77"/>
</ODst>
<OSrv neg="False">
<ServiceRef ref="tcp-HTTP"/>
</OSrv>
<TSrc neg="False">
<ObjectRef ref="id3B0C63DF"/>
</TSrc>
<TDst neg="False">
<ObjectRef ref="host-hostA"/>
</TDst>
<TSrv neg="False">
<ServiceRef ref="sysid1"/>
</TSrv>
<NATRuleOptions/>
</NATRule>
</NAT>
<Policy id="id3B0C639E" name="Policy">
<PolicyRule action="Deny" direction="Both" disabled="False" id="id3B54F071" log="True" position="0">
<Src neg="True">
<ObjectRef ref="id3B022266"/>
</Src>
<Dst neg="False">
<ObjectRef ref="sysid0"/>
</Dst>
<Srv neg="False">
<ServiceRef ref="icmp-ping_request"/>
</Srv>
<Itf neg="False">
<ObjectRef ref="id3B0C63E1"/>
</Itf>
<PolicyRuleOptions>
<Option name="stateless">True</Option>
</PolicyRuleOptions>
</PolicyRule>
<PolicyRule action="Deny" comment="Anti-spoofing rule" direction="Inbound" disabled="False" id="id3B0C63E3" log="True" position="1">
<Src neg="False">
<ObjectRef ref="net-Internal_net"/>
<ObjectRef ref="id3B0C6380"/>
</Src>
<Dst neg="False">
<ObjectRef ref="sysid0"/>
</Dst>
<Srv neg="False">
<ServiceRef ref="sysid1"/>
</Srv>
<Itf neg="False">
<ObjectRef ref="id3B0C63E1"/>
</Itf>
<PolicyRuleOptions>
<Option name="stateless">True</Option>
</PolicyRuleOptions>
</PolicyRule>
<PolicyRule action="Deny" comment="Anti-spoofing rule" direction="Outbound" disabled="False" id="id3B0C63EB" log="True" position="2">
<Src neg="True">
<ObjectRef ref="net-Internal_net"/>
<ObjectRef ref="id3B0C6380"/>
</Src>
<Dst neg="False">
<ObjectRef ref="sysid0"/>
</Dst>
<Srv neg="False">
<ServiceRef ref="sysid1"/>
</Srv>
<Itf neg="False">
<ObjectRef ref="id3B0C63E1"/>
</Itf>
<PolicyRuleOptions>
<Option name="stateless">True</Option>
</PolicyRuleOptions>
</PolicyRule>
<PolicyRule action="Accept" comment="hostF has the same IP address as firewal." direction="Both" disabled="False" id="id3B0C639F" log="True" position="3">
<Src neg="False">
<ObjectRef ref="sysid0"/>
</Src>
<Dst neg="False">
<ObjectRef ref="id3AFC191C"/>
</Dst>
<Srv neg="False">
<ServiceRef ref="icmp-ping_request"/>
</Srv>
<Itf neg="False">
<ObjectRef ref="sysid0"/>
</Itf>
<When neg="False">
<IntervalRef ref="sysid2"/>
</When>
<PolicyRuleOptions>
<Option name="id"/>
</PolicyRuleOptions>
</PolicyRule>
<PolicyRule action="Deny" comment="" direction="Both" disabled="False" id="id3B0C63B4" log="True" position="4">
<Src neg="True">
<ObjectRef ref="host-hostA"/>
<ObjectRef ref="host-hostB"/>
</Src>
<Dst neg="False">
<ObjectRef ref="id3B0C6380"/>
</Dst>
<Srv neg="False">
<ServiceRef ref="icmp-Unreachables"/>
</Srv>
<Itf neg="False">
<ObjectRef ref="sysid0"/>
</Itf>
<When neg="False">
<IntervalRef ref="sysid2"/>
</When>
<PolicyRuleOptions>
<Option name="id"/>
<Option name="stateless">True</Option>
</PolicyRuleOptions>
</PolicyRule>
<PolicyRule action="Deny" comment="testing negation in the policy rule" direction="Both" disabled="False" id="id3B0C63A9" log="True" position="5">
<Src neg="True">
<ObjectRef ref="host-hostA"/>
<ObjectRef ref="host-hostB"/>
</Src>
<Dst neg="False">
<ObjectRef ref="sysid0"/>
</Dst>
<Srv neg="False">
<ServiceRef ref="icmp-Unreachables"/>
</Srv>
<Itf neg="False">
<ObjectRef ref="sysid0"/>
</Itf>
<When neg="False">
<IntervalRef ref="sysid2"/>
</When>
<PolicyRuleOptions>
<Option name="id"/>
<Option name="stateless">True</Option>
</PolicyRuleOptions>
</PolicyRule>
<PolicyRule action="Deny" comment="testing negation in service field" direction="Both" disabled="True" id="id3B0C63BF" log="True" position="6">
<Src neg="False">
<ObjectRef ref="sysid0"/>
</Src>
<Dst neg="False">
<ObjectRef ref="host-hostA"/>
<ObjectRef ref="host-hostB"/>
</Dst>
<Srv neg="True">
<ServiceRef ref="tcp-SMTP"/>
<ServiceRef ref="tcp-SSH"/>
</Srv>
<Itf neg="False">
<ObjectRef ref="sysid0"/>
</Itf>
<When neg="False">
<IntervalRef ref="sysid2"/>
</When>
<PolicyRuleOptions>
<Option name="id"/>
<Option name="stateless">True</Option>
</PolicyRuleOptions>
</PolicyRule>
<PolicyRule action="Accept" comment="'masquerading' rule" direction="Both" disabled="False" id="id3B0C63CB" log="False" position="7">
<Src neg="False">
<ObjectRef ref="net-Internal_net"/>
</Src>
<Dst neg="False">
<ObjectRef ref="sysid0"/>
</Dst>
<Srv neg="False">
<ServiceRef ref="sysid1"/>
</Srv>
<Itf neg="False">
<ObjectRef ref="sysid0"/>
</Itf>
<When neg="False">
<IntervalRef ref="sysid2"/>
</When>
<PolicyRuleOptions>
<Option name="id"/>
</PolicyRuleOptions>
</PolicyRule>
<PolicyRule action="Deny" comment="'catch all' rule" direction="Both" disabled="False" id="id3B0C63D5" log="True" position="8">
<Src neg="False">
<ObjectRef ref="sysid0"/>
</Src>
<Dst neg="False">
<ObjectRef ref="sysid0"/>
</Dst>
<Srv neg="False">
<ServiceRef ref="sysid1"/>
</Srv>
<Itf neg="False">
<ObjectRef ref="sysid0"/>
</Itf>
<When neg="False">
<IntervalRef ref="sysid2"/>
</When>
<PolicyRuleOptions>
<Option name="id"/>
<Option name="stateless">True</Option>
</PolicyRuleOptions>
</PolicyRule>
</Policy>
<Routing id="id3B0C6380-routing" name="Routing"/>
<Interface bridgeport="False" dyn="False" id="id3B0C63DF" name="eth0" security_level="100" unnum="False" unprotected="False">
<IPv4 id="id3B0C63DF-ipv4" name="address" address="192.168.1.1" netmask="255.255.255.0"/>
</Interface>
<Interface bridgeport="False" dyn="True" id="id3B0C63E1" label="" name="eth1" security_level="0" unnum="False" unprotected="False">
<IPv4 id="id3B0C63E1-ipv4" name="address" address="0.0.0.0" netmask="0.0.0.0"/>
</Interface>
<Interface bridgeport="False" dyn="False" id="id3B0C63F3" name="eth2" security_level="100" unnum="False" unprotected="False">
<IPv4 id="id3B0C63F3-ipv4" name="address" address="192.168.2.1" netmask="255.255.255.0"/>
</Interface>
<Interface bridgeport="False" dyn="False" id="id3B0C63F5" name="lo" security_level="100" unnum="False" unprotected="False">
<IPv4 id="id3B0C63F5-ipv4" name="address" address="127.0.0.1" netmask="255.0.0.0"/>
</Interface>
<Interface bridgeport="False" dyn="False" id="id3CD88A77" label="" name="eth3" security_level="0" unnum="False" unprotected="False">
<IPv4 id="id3CD88A77-ipv4" name="address" address="222.222.222.222" netmask="255.255.255.0"/>
</Interface>
<Management address="222.222.222.222">
<SNMPManagement enabled="False" snmp_read_community="public" snmp_write_community=""/>
<FWBDManagement enabled="True" identity="" port="9999"/>
<PolicyInstallScript arguments="" command="" enabled="False"/>
</Management>
<FirewallOptions>
<Option name="accept_established">False</Option>
<Option name="accept_new_tcp_with_no_syn">True</Option>
<Option name="action_on_reject">ICMP net unreachable</Option>
<Option name="activationCmd"/>
<Option name="admUser"/>
<Option name="altAddress"/>
<Option name="check_shading">True</Option>
<Option name="clamp_mss_to_mtu">False</Option>
<Option name="cmdline"/>
<Option name="compiler"/>
<Option name="configure_interfaces">False</Option>
<Option name="debug">False</Option>
<Option name="dyn_addr">False</Option>
<Option name="epilog_script"/>
<Option name="fallback_log">False</Option>
<Option name="firewall_dir"/>
<Option name="firewall_is_part_of_any">True</Option>
<Option name="firewall_is_part_of_any_and_networks">True</Option>
<Option name="id"/>
<Option name="ignore_empty_groups">False</Option>
<Option name="in_out_code">True</Option>
<Option name="inst_cmdline"/>
<Option name="inst_script"/>
<Option name="install_script"/>
<Option name="limit_suffix">/day</Option>
<Option name="limit_value">0</Option>
<Option name="linux24_ip_forward">0</Option>
<Option name="linux24_tcp_fin_timeout">30</Option>
<Option name="linux24_tcp_keepalive_interval">1800</Option>
<Option name="load_modules">False</Option>
<Option name="log_all_dropped">False</Option>
<Option name="log_ip_opt">False</Option>
<Option name="log_level">debug</Option>
<Option name="log_limit_suffix">/second</Option>
<Option name="log_limit_value">0</Option>
<Option name="log_prefix"/>
<Option name="log_tcp_opt">False</Option>
<Option name="log_tcp_seq">False</Option>
<Option name="manage_virtual_addr">True</Option>
<Option name="mgmt_addr"/>
<Option name="mgmt_ssh">False</Option>
<Option name="modulate_state">False</Option>
<Option name="no_iochains_for_any">False</Option>
<Option name="no_optimisation">False</Option>
<Option name="openbsd_path_pfctl"/>
<Option name="openbsd_path_sysctl"/>
<Option name="output_file"/>
<Option name="pass_all_out">False</Option>
<Option name="pf_adaptive_end">0</Option>
<Option name="pf_adaptive_start">0</Option>
<Option name="pf_do_limit_frags">False</Option>
<Option name="pf_do_limit_states">False</Option>
<Option name="pf_do_scrub">False</Option>
<Option name="pf_do_timeout_frag">False</Option>
<Option name="pf_do_timeout_interval">False</Option>
<Option name="pf_icmp_error">0</Option>
<Option name="pf_icmp_first">0</Option>
<Option name="pf_limit_frags">5000</Option>
<Option name="pf_limit_states">10000</Option>
<Option name="pf_optimization"/>
<Option name="pf_other_first">0</Option>
<Option name="pf_other_multiple">0</Option>
<Option name="pf_other_single">0</Option>
<Option name="pf_scrub_fragm_crop">False</Option>
<Option name="pf_scrub_fragm_drop_ovl">False</Option>
<Option name="pf_scrub_maxmss">1460</Option>
<Option name="pf_scrub_minttl">1</Option>
<Option name="pf_scrub_no_df">False</Option>
<Option name="pf_scrub_random_id">False</Option>
<Option name="pf_scrub_reassemble">True</Option>
<Option name="pf_scrub_use_maxmss">False</Option>
<Option name="pf_scrub_use_minttl">False</Option>
<Option name="pf_set_adaptive">False</Option>
<Option name="pf_set_icmp_error">False</Option>
<Option name="pf_set_icmp_first">False</Option>
<Option name="pf_set_other_first">False</Option>
<Option name="pf_set_other_multiple">False</Option>
<Option name="pf_set_other_single">False</Option>
<Option name="pf_set_tcp_closed">False</Option>
<Option name="pf_set_tcp_closing">False</Option>
<Option name="pf_set_tcp_established">False</Option>
<Option name="pf_set_tcp_finwait">False</Option>
<Option name="pf_set_tcp_first">False</Option>
<Option name="pf_set_tcp_opening">False</Option>
<Option name="pf_set_udp_first">False</Option>
<Option name="pf_set_udp_multiple">False</Option>
<Option name="pf_set_udp_single">False</Option>
<Option name="pf_tcp_closed">0</Option>
<Option name="pf_tcp_closing">0</Option>
<Option name="pf_tcp_established">0</Option>
<Option name="pf_tcp_finwait">0</Option>
<Option name="pf_tcp_first">0</Option>
<Option name="pf_tcp_opening">0</Option>
<Option name="pf_timeout_frag">30</Option>
<Option name="pf_timeout_interval">10</Option>
<Option name="pf_udp_first">0</Option>
<Option name="pf_udp_multiple">0</Option>
<Option name="pf_udp_single">0</Option>
<Option name="platform">iptables</Option>
<Option name="prolog_place">pf_file_after_tables</Option>
<Option name="prolog_script"># prolog commands go after table definitions
</Option>
<Option name="proxy_arp">False</Option>
<Option name="script_env_path"/>
<Option name="snmp_contact"/>
<Option name="snmp_description"/>
<Option name="snmp_location"/>
<Option name="sshArgs"/>
<Option name="use_numeric_log_levels">False</Option>
<Option name="use_tables">False</Option>
</FirewallOptions>
</Firewall>
<Firewall comment="testing IP fragments and scrub" host_OS="openbsd" id="id3E1FC43C" inactive="False" lastCompiled="1157930819" lastInstalled="0" lastModified="1200415199" name="firewall5" platform="pf" ro="False" version="">
<NAT id="id3E1FC43D" name="NAT">
<NATRule disabled="True" id="id3E1FC8FC" position="0">
<OSrc neg="False">
<ObjectRef ref="net-Internal_net"/>
</OSrc>
<ODst neg="False">
<ObjectRef ref="sysid0"/>
</ODst>
<OSrv neg="False">
<ServiceRef ref="sysid1"/>
</OSrv>
<TSrc neg="False">
<ObjectRef ref="id3E1FC43C"/>
</TSrc>
<TDst neg="False">
<ObjectRef ref="sysid0"/>
</TDst>
<TSrv neg="False">
<ServiceRef ref="sysid1"/>
</TSrv>
<NATRuleOptions/>
</NATRule>
</NAT>
<Policy id="id3E1FC469" name="Policy">
<PolicyRule action="Deny" comment="" direction="Both" disabled="False" id="id3E1FC62E" log="True" position="0">
<Src neg="False">
<ObjectRef ref="sysid0"/>
</Src>
<Dst neg="False">
<ObjectRef ref="sysid0"/>
</Dst>
<Srv neg="False">
<ServiceRef ref="ip-IP_Fragments"/>
<ServiceRef ref="ip-IPSEC"/>
</Srv>
<Itf neg="False">
<ObjectRef ref="sysid0"/>
</Itf>
<When neg="False">
<IntervalRef ref="sysid2"/>
</When>
<PolicyRuleOptions>
<Option name="action_on_reject"/>
<Option name="limit_value">0</Option>
<Option name="log_limit_suffix"/>
<Option name="log_prefix"/>
<Option name="stateless">True</Option>
</PolicyRuleOptions>
</PolicyRule>
<PolicyRule action="Deny" comment="" direction="Both" disabled="False" id="id3E1FC7B6" log="True" position="1">
<Src neg="False">
<ObjectRef ref="sysid0"/>
</Src>
<Dst neg="False">
<ObjectRef ref="sysid0"/>
</Dst>
<Srv neg="False">
<ServiceRef ref="ip-IP_Fragments"/>
<ServiceRef ref="id3B58E3F1"/>
</Srv>
<Itf neg="False">
<ObjectRef ref="sysid0"/>
</Itf>
<When neg="False">
<IntervalRef ref="sysid2"/>
</When>
<PolicyRuleOptions>
<Option name="action_on_reject"/>
<Option name="limit_value">0</Option>
<Option name="log_limit_suffix"/>
<Option name="log_prefix"/>
<Option name="stateless">True</Option>
</PolicyRuleOptions>
</PolicyRule>
<PolicyRule action="Deny" direction="Both" disabled="False" id="id3E1FC47F" log="True" position="2">
<Src neg="False">
<ObjectRef ref="sysid0"/>
</Src>
<Dst neg="False">
<ObjectRef ref="sysid0"/>
</Dst>
<Srv neg="False">
<ServiceRef ref="sysid1"/>
</Srv>
<Itf neg="False">
<ObjectRef ref="sysid0"/>
</Itf>
<When neg="False">
<IntervalRef ref="sysid2"/>
</When>
<PolicyRuleOptions>
<Option name="stateless">True</Option>
</PolicyRuleOptions>
</PolicyRule>
</Policy>
<Routing id="id3E1FC43C-routing" name="Routing"/>
<Interface bridgeport="False" dyn="False" id="id3E1FC489" name="eth1" security_level="0" unnum="False" unprotected="False">
<IPv4 comment="" id="id3E1FC48A" name="address" address="22.22.22.22" netmask="255.255.255.0"/>
</Interface>
<Interface bridgeport="False" dyn="False" id="id3E1FC48C" name="eth0" security_level="100" unnum="False" unprotected="False">
<IPv4 id="id3E1FC48D" name="address" address="192.168.1.1" netmask="255.255.255.0"/>
</Interface>
<Interface bridgeport="False" comment="" dyn="False" id="id3E5F1D4C" label="" mgmt="False" name="lo" security_level="0" unnum="False" unprotected="False">
<IPv4 comment="" id="id3E5F1D4E" name="firewall5:lo(ip)" address="127.0.0.1" netmask="255.0.0.0"/>
</Interface>
<Management address="127.0.0.1">
<SNMPManagement enabled="False" snmp_read_community="public" snmp_write_community=""/>
<FWBDManagement enabled="True" identity="" port="9999"/>
<PolicyInstallScript arguments="" command="" enabled="False"/>
</Management>
<FirewallOptions>
<Option name="accept_established">False</Option>
<Option name="accept_new_tcp_with_no_syn">False</Option>
<Option name="action_on_reject">ICMP net unreachable</Option>
<Option name="admUser"/>
<Option name="altAddress"/>
<Option name="check_shading">False</Option>
<Option name="clamp_mss_to_mtu">False</Option>
<Option name="cmdline"/>
<Option name="compiler"/>
<Option name="configure_interfaces">False</Option>
<Option name="debug">False</Option>
<Option name="dyn_addr">False</Option>
<Option name="firewall_dir"/>
<Option name="firewall_is_part_of_any">True</Option>
<Option name="firewall_is_part_of_any_and_networks">True</Option>
<Option name="ignore_empty_groups">True</Option>
<Option name="in_out_code">True</Option>
<Option name="inst_cmdline"/>
<Option name="inst_script"/>
<Option name="install_script"/>
<Option name="limit_suffix">/second</Option>
<Option name="limit_value">0</Option>
<Option name="linux24_ip_forward">0</Option>
<Option name="linux24_tcp_fin_timeout">30</Option>
<Option name="linux24_tcp_keepalive_interval">1800</Option>
<Option name="load_modules">False</Option>
<Option name="log_all_dropped">True</Option>
<Option name="log_ip_opt">False</Option>
<Option name="log_level">debug</Option>
<Option name="log_limit_suffix">/second</Option>
<Option name="log_limit_value">0</Option>
<Option name="log_prefix"/>
<Option name="log_tcp_opt">False</Option>
<Option name="log_tcp_seq">False</Option>
<Option name="manage_virtual_addr">True</Option>
<Option name="modulate_state">True</Option>
<Option name="no_iochains_for_any">False</Option>
<Option name="no_optimisation">False</Option>
<Option name="openbsd_ip_directed_broadcast">0</Option>
<Option name="openbsd_ip_forward">1</Option>
<Option name="openbsd_ip_redirect">0</Option>
<Option name="openbsd_ip_sourceroute">0</Option>
<Option name="openbsd_path_pfctl"/>
<Option name="openbsd_path_sysctl"/>
<Option name="pass_all_out">False</Option>
<Option name="pf_do_scrub">False</Option>
<Option name="pf_limit_frags">5000</Option>
<Option name="pf_limit_states">10000</Option>
<Option name="pf_optimization"/>
<Option name="pf_scrub_fragm_crop">False</Option>
<Option name="pf_scrub_fragm_drop_ovl">False</Option>
<Option name="pf_scrub_maxmss">1460</Option>
<Option name="pf_scrub_minttl">1</Option>
<Option name="pf_scrub_no_df">False</Option>
<Option name="pf_scrub_random_id">False</Option>
<Option name="pf_scrub_reassemble">True</Option>
<Option name="pf_scrub_use_maxmss">False</Option>
<Option name="pf_scrub_use_minttl">False</Option>
<Option name="pf_timeout_frag">30</Option>
<Option name="pf_timeout_interval">10</Option>
<Option name="platform">iptables</Option>
<Option name="script_env_path"/>
<Option name="snmp_contact"/>
<Option name="snmp_description"/>
<Option name="snmp_location"/>
<Option name="use_numeric_log_levels">False</Option>
<Option name="use_tables">True</Option>
</FirewallOptions>
</Firewall>
<Firewall comment="testing rule with firewall in dst and negation" host_OS="openbsd" id="id3C698F1D" inactive="False" lastCompiled="1157930821" lastInstalled="0" lastModified="1200415203" name="firewall6" platform="pf" ro="False" version="">
<NAT id="id3C698F1E" name="NAT"/>
<Policy id="id3C698F9D" name="Policy">
<PolicyRule action="Deny" comment="" direction="Inbound" disabled="False" id="id3C699028" log="True" position="0">
<Src neg="False">
<ObjectRef ref="sysid0"/>
</Src>
<Dst neg="True">
<ObjectRef ref="id3C698F1D"/>
</Dst>
<Srv neg="False">
<ServiceRef ref="sysid1"/>
</Srv>
<Itf neg="False">
<ObjectRef ref="id3C69901D"/>
</Itf>
<PolicyRuleOptions>
<Option name="stateless">True</Option>
</PolicyRuleOptions>
</PolicyRule>
<PolicyRule action="Deny" direction="Both" disabled="False" id="id3C698FB2" log="False" position="1">
<Src neg="False">
<ObjectRef ref="sysid0"/>
</Src>
<Dst neg="True">
<ObjectRef ref="id3C698F1D"/>
</Dst>
<Srv neg="False">
<ServiceRef ref="sysid1"/>
</Srv>
<Itf neg="False">
<ObjectRef ref="sysid0"/>
</Itf>
<When neg="False">
<IntervalRef ref="sysid2"/>
</When>
<PolicyRuleOptions>
<Option name="stateless">True</Option>
</PolicyRuleOptions>
</PolicyRule>
</Policy>
<Routing id="id3C698F1D-routing" name="Routing"/>
<Interface bridgeport="False" dyn="False" id="id3C699013" name="eth0" security_level="100" unnum="False" unprotected="False">
<IPv4 id="id3C699013-ipv4" name="address" address="192.168.1.1" netmask="255.255.255.0"/>
</Interface>
<Interface bridgeport="False" dyn="False" id="id3C69901D" name="eth1" security_level="0" unnum="False" unprotected="False">
<IPv4 id="id3C69901D-ipv4" name="address" address="22.22.22.22" netmask="255.255.255.0"/>
</Interface>
<Interface bridgeport="False" dyn="False" id="id3C699030" name="eth2" security_level="100" unnum="False" unprotected="False">
<IPv4 id="id3C699030-ipv4" name="address" address="192.168.2.1" netmask="255.255.255.0"/>
</Interface>
<Interface bridgeport="False" dyn="False" id="id3C699032" name="lo" security_level="100" unnum="False" unprotected="False">
<IPv4 id="id3C699032-ipv4" name="address" address="127.0.0.1" netmask="255.0.0.0"/>
</Interface>
<Interface bridgeport="False" dyn="False" id="id3C699034" name="eth3" security_level="0" unnum="False" unprotected="False">
<IPv4 id="id3C699034-ipv4" name="address" address="22.22.23.23" netmask="255.255.255.0"/>
</Interface>
<Management address="22.22.23.23">
<SNMPManagement enabled="False" snmp_read_community="public" snmp_write_community=""/>
<FWBDManagement enabled="True" identity="" port="9999"/>
<PolicyInstallScript arguments="" command="" enabled="False"/>
</Management>
<FirewallOptions>
<Option name="accept_established">True</Option>
<Option name="accept_new_tcp_with_no_syn">True</Option>
<Option name="action_on_reject">ICMP net unreachable</Option>
<Option name="check_shading">True</Option>
<Option name="clamp_mss_to_mtu">False</Option>
<Option name="cmdline"/>
<Option name="compiler"/>
<Option name="configure_interfaces">False</Option>
<Option name="debug">False</Option>
<Option name="dyn_addr">False</Option>
<Option name="firewall_dir"/>
<Option name="firewall_is_part_of_any">True</Option>
<Option name="firewall_is_part_of_any_and_networks">True</Option>
<Option name="ignore_empty_groups">False</Option>
<Option name="in_out_code">True</Option>
<Option name="inst_cmdline"/>
<Option name="inst_script"/>
<Option name="install_script"/>
<Option name="limit_suffix">/day</Option>
<Option name="limit_value">0</Option>
<Option name="linux24_ip_forward">0</Option>
<Option name="linux24_tcp_fin_timeout">30</Option>
<Option name="linux24_tcp_keepalive_interval">1800</Option>
<Option name="load_modules">False</Option>
<Option name="log_all_dropped">False</Option>
<Option name="log_ip_opt">False</Option>
<Option name="log_level">debug</Option>
<Option name="log_limit_suffix">/second</Option>
<Option name="log_limit_value">0</Option>
<Option name="log_prefix"/>
<Option name="log_tcp_opt">False</Option>
<Option name="log_tcp_seq">False</Option>
<Option name="manage_virtual_addr">True</Option>
<Option name="modulate_state">False</Option>
<Option name="no_iochains_for_any">False</Option>
<Option name="no_optimisation">False</Option>
<Option name="openbsd_path_pfctl"/>
<Option name="openbsd_path_sysctl"/>
<Option name="pass_all_out">False</Option>
<Option name="pf_do_scrub">True</Option>
<Option name="pf_limit_frags">5000</Option>
<Option name="pf_limit_states">10000</Option>
<Option name="pf_optimization"/>
<Option name="pf_scrub_fragm_crop">False</Option>
<Option name="pf_scrub_fragm_drop_ovl">False</Option>
<Option name="pf_scrub_maxmss">1460</Option>
<Option name="pf_scrub_minttl">1</Option>
<Option name="pf_scrub_no_df">False</Option>
<Option name="pf_scrub_random_id">False</Option>
<Option name="pf_scrub_use_maxmss">False</Option>
<Option name="pf_scrub_use_minttl">False</Option>
<Option name="pf_timeout_frag">30</Option>
<Option name="pf_timeout_interval">10</Option>
<Option name="platform">iptables</Option>
<Option name="proxy_arp">False</Option>
<Option name="script_env_path"/>
<Option name="snmp_contact"/>
<Option name="snmp_description"/>
<Option name="snmp_location"/>
<Option name="use_ip_tool">False</Option>
<Option name="use_numeric_log_levels">False</Option>
<Option name="use_tables">True</Option>
</FirewallOptions>
</Firewall>
<Firewall comment="testing rules with broadcasts" host_OS="openbsd" id="id3C69BD4F" inactive="False" lastCompiled="1157930822" lastInstalled="0" lastModified="1200415209" name="firewall7" platform="pf" ro="False" version="">
<NAT id="id3C69BD50" name="NAT"/>
<Policy id="id3C69BD51" name="Policy">
<PolicyRule action="Deny" direction="Inbound" disabled="False" id="id3C69BDE1" log="True" position="0">
<Src neg="False">
<ObjectRef ref="sysid0"/>
</Src>
<Dst neg="False">
<ObjectRef ref="id3B64FFAC"/>
</Dst>
<Srv neg="False">
<ServiceRef ref="sysid1"/>
</Srv>
<Itf neg="False">
<ObjectRef ref="id3C69BD5C"/>
</Itf>
<When neg="False">
<IntervalRef ref="sysid2"/>
</When>
<PolicyRuleOptions>
<Option name="stateless">True</Option>
</PolicyRuleOptions>
</PolicyRule>
<PolicyRule action="Accept" comment="" direction="Both" disabled="False" id="id3C69BF13" log="False" position="1">
<Src neg="False">
<ObjectRef ref="sysid0"/>
</Src>
<Dst neg="False">
<ObjectRef ref="id3B64FFAC"/>
</Dst>
<Srv neg="False">
<ServiceRef ref="udp-bootpc"/>
</Srv>
<Itf neg="False">
<ObjectRef ref="sysid0"/>
</Itf>
<When neg="False">
<IntervalRef ref="sysid2"/>
</When>
<PolicyRuleOptions/>
</PolicyRule>
</Policy>
<Routing id="id3C69BD4F-routing" name="Routing"/>
<Interface bridgeport="False" dyn="False" id="id3C69BD5C" name="eth0" security_level="100" unnum="False" unprotected="False">
<IPv4 id="id3C69BD5C-ipv4" name="address" address="192.168.1.1" netmask="255.255.255.0"/>
</Interface>
<Interface bridgeport="False" dyn="False" id="id3C69BD5E" name="eth1" security_level="0" unnum="False" unprotected="False">
<IPv4 id="id3C69BD5E-ipv4" name="address" address="22.22.22.22" netmask="255.255.255.0"/>
</Interface>
<Interface bridgeport="False" dyn="False" id="id3C69BD68" name="eth2" security_level="100" unnum="False" unprotected="False">
<IPv4 id="id3C69BD68-ipv4" name="address" address="192.168.2.1" netmask="255.255.255.0"/>
</Interface>
<Interface bridgeport="False" dyn="False" id="id3C69BD6A" name="lo" security_level="100" unnum="False" unprotected="False">
<IPv4 id="id3C69BD6A-ipv4" name="address" address="127.0.0.1" netmask="255.0.0.0"/>
</Interface>
<Interface bridgeport="False" dyn="False" id="id3C69BD6C" name="eth3" security_level="0" unnum="False" unprotected="False">
<IPv4 id="id3C69BD6C-ipv4" name="address" address="22.22.23.23" netmask="255.255.255.0"/>
</Interface>
<Management address="22.22.23.23">
<SNMPManagement enabled="False" snmp_read_community="public" snmp_write_community=""/>
<FWBDManagement enabled="True" identity="" port="9999"/>
<PolicyInstallScript arguments="" command="" enabled="False"/>
</Management>
<FirewallOptions>
<Option name="accept_established">True</Option>
<Option name="accept_new_tcp_with_no_syn">True</Option>
<Option name="action_on_reject">ICMP net unreachable</Option>
<Option name="check_shading">True</Option>
<Option name="clamp_mss_to_mtu">False</Option>
<Option name="cmdline"/>
<Option name="compiler"/>
<Option name="configure_interfaces">False</Option>
<Option name="debug">False</Option>
<Option name="dyn_addr">False</Option>
<Option name="firewall_dir"/>
<Option name="firewall_is_part_of_any">True</Option>
<Option name="firewall_is_part_of_any_and_networks">True</Option>
<Option name="ignore_empty_groups">False</Option>
<Option name="in_out_code">True</Option>
<Option name="inst_cmdline"/>
<Option name="inst_script"/>
<Option name="install_script"/>
<Option name="limit_suffix">/day</Option>
<Option name="limit_value">0</Option>
<Option name="linux24_ip_forward">0</Option>
<Option name="linux24_tcp_fin_timeout">30</Option>
<Option name="linux24_tcp_keepalive_interval">1800</Option>
<Option name="load_modules">False</Option>
<Option name="log_all_dropped">False</Option>
<Option name="log_ip_opt">False</Option>
<Option name="log_level">debug</Option>
<Option name="log_limit_suffix">/second</Option>
<Option name="log_limit_value">0</Option>
<Option name="log_prefix"/>
<Option name="log_tcp_opt">False</Option>
<Option name="log_tcp_seq">False</Option>
<Option name="manage_virtual_addr">True</Option>
<Option name="modulate_state">False</Option>
<Option name="no_iochains_for_any">False</Option>
<Option name="no_optimisation">False</Option>
<Option name="openbsd_path_pfctl"/>
<Option name="openbsd_path_sysctl"/>
<Option name="pass_all_out">False</Option>
<Option name="pf_do_scrub">True</Option>
<Option name="pf_limit_frags">5000</Option>
<Option name="pf_limit_states">10000</Option>
<Option name="pf_optimization"/>
<Option name="pf_scrub_fragm_crop">False</Option>
<Option name="pf_scrub_fragm_drop_ovl">False</Option>
<Option name="pf_scrub_maxmss">1460</Option>
<Option name="pf_scrub_minttl">1</Option>
<Option name="pf_scrub_no_df">False</Option>
<Option name="pf_scrub_random_id">False</Option>
<Option name="pf_scrub_use_maxmss">False</Option>
<Option name="pf_scrub_use_minttl">False</Option>
<Option name="pf_timeout_frag">30</Option>
<Option name="pf_timeout_interval">10</Option>
<Option name="platform">iptables</Option>
<Option name="proxy_arp">False</Option>
<Option name="script_env_path"/>
<Option name="snmp_contact"/>
<Option name="snmp_description"/>
<Option name="snmp_location"/>
<Option name="use_ip_tool">False</Option>
<Option name="use_numeric_log_levels">False</Option>
<Option name="use_tables">True</Option>
</FirewallOptions>
</Firewall>
<Firewall comment="" host_OS="openbsd" id="id3D581152" inactive="False" lastCompiled="1157930823" lastInstalled="0" lastModified="1200415211" name="firewall8" platform="pf" ro="False" version="">
<NAT id="id3D581156" name="NAT">
<NATRule disabled="False" id="id3D58164E" position="0">
<OSrc neg="False">
<ObjectRef ref="net-Internal_net"/>
</OSrc>
<ODst neg="False">
<ObjectRef ref="sysid0"/>
</ODst>
<OSrv neg="False">
<ServiceRef ref="sysid1"/>
</OSrv>
<TSrc neg="False">
<ObjectRef ref="id3D581152"/>
</TSrc>
<TDst neg="False">
<ObjectRef ref="sysid0"/>
</TDst>
<TSrv neg="False">
<ServiceRef ref="sysid1"/>
</TSrv>
<NATRuleOptions/>
</NATRule>
<NATRule disabled="False" id="id3D58163D" position="1">
<OSrc neg="False">
<ObjectRef ref="net-Internal_net"/>
</OSrc>
<ODst neg="False">
<ObjectRef ref="sysid0"/>
</ODst>
<OSrv neg="False">
<ServiceRef ref="sysid1"/>
</OSrv>
<TSrc neg="False">
<ObjectRef ref="id3D58115B"/>
</TSrc>
<TDst neg="False">
<ObjectRef ref="sysid0"/>
</TDst>
<TSrv neg="False">
<ServiceRef ref="sysid1"/>
</TSrv>
<NATRuleOptions/>
</NATRule>
<NATRule disabled="False" id="id3D5812BC" position="2">
<OSrc neg="False">
<ObjectRef ref="net-Internal_net"/>
</OSrc>
<ODst neg="False">
<ObjectRef ref="sysid0"/>
</ODst>
<OSrv neg="False">
<ServiceRef ref="sysid1"/>
</OSrv>
<TSrc neg="False">
<ObjectRef ref="id3D58115E"/>
</TSrc>
<TDst neg="False">
<ObjectRef ref="sysid0"/>
</TDst>
<TSrv neg="False">
<ServiceRef ref="sysid1"/>
</TSrv>
<NATRuleOptions/>
</NATRule>
<NATRule disabled="False" id="id3D581322" position="3">
<OSrc neg="False">
<ObjectRef ref="sysid0"/>
</OSrc>
<ODst neg="False">
<ObjectRef ref="id3D581152"/>
</ODst>
<OSrv neg="False">
<ServiceRef ref="tcp-SSH"/>
</OSrv>
<TSrc neg="False">
<ObjectRef ref="sysid0"/>
</TSrc>
<TDst neg="False">
<ObjectRef ref="id3D58118B"/>
</TDst>
<TSrv neg="False">
<ServiceRef ref="sysid1"/>
</TSrv>
<NATRuleOptions/>
</NATRule>
<NATRule disabled="False" id="id3D5812AE" position="4">
<OSrc neg="False">
<ObjectRef ref="sysid0"/>
</OSrc>
<ODst neg="False">
<ObjectRef ref="id3D58115D"/>
</ODst>
<OSrv neg="False">
<ServiceRef ref="tcp-SSH"/>
</OSrv>
<TSrc neg="False">
<ObjectRef ref="sysid0"/>
</TSrc>
<TDst neg="False">
<ObjectRef ref="id3D58118B"/>
</TDst>
<TSrv neg="False">
<ServiceRef ref="sysid1"/>
</TSrv>
<NATRuleOptions/>
</NATRule>
<NATRule disabled="False" id="id3D5812CC" position="5">
<OSrc neg="False">
<ObjectRef ref="sysid0"/>
</OSrc>
<ODst neg="False">
<ObjectRef ref="id3D58115D"/>
</ODst>
<OSrv neg="False">
<ServiceRef ref="tcp-SSH"/>
</OSrv>
<TSrc neg="False">
<ObjectRef ref="sysid0"/>
</TSrc>
<TDst neg="False">
<ObjectRef ref="id3D58118F"/>
</TDst>
<TSrv neg="False">
<ServiceRef ref="sysid1"/>
</TSrv>
<NATRuleOptions/>
</NATRule>
<NATRule comment="" disabled="False" id="id3D5812FA" position="6">
<OSrc neg="False">
<ObjectRef ref="sysid0"/>
</OSrc>
<ODst neg="False">
<ObjectRef ref="id3D58115D"/>
</ODst>
<OSrv neg="False">
<ServiceRef ref="tcp-SSH"/>
</OSrv>
<TSrc neg="False">
<ObjectRef ref="sysid0"/>
</TSrc>
<TDst neg="False">
<ObjectRef ref="id3D581193"/>
</TDst>
<TSrv neg="False">
<ServiceRef ref="sysid1"/>
</TSrv>
<NATRuleOptions/>
</NATRule>
<NATRule comment="" disabled="False" id="id3D58130E" position="7">
<OSrc neg="False">
<ObjectRef ref="sysid0"/>
</OSrc>
<ODst neg="False">
<ObjectRef ref="id3D58115D"/>
</ODst>
<OSrv neg="False">
<ServiceRef ref="tcp-SSH"/>
</OSrv>
<TSrc neg="False">
<ObjectRef ref="sysid0"/>
</TSrc>
<TDst neg="False">
<ObjectRef ref="id3D581194"/>
</TDst>
<TSrv neg="False">
<ServiceRef ref="sysid1"/>
</TSrv>
<NATRuleOptions/>
</NATRule>
<NATRule disabled="False" id="id40ECF00B" position="8">
<OSrc neg="False">
<ObjectRef ref="net-Internal_net"/>
</OSrc>
<ODst neg="False">
<ObjectRef ref="sysid0"/>
</ODst>
<OSrv neg="False">
<ServiceRef ref="tcp-HTTP"/>
</OSrv>
<TSrc neg="False">
<ObjectRef ref="sysid0"/>
</TSrc>
<TDst neg="False">
<ObjectRef ref="id3D58115B"/>
</TDst>
<TSrv neg="False">
<ServiceRef ref="sysid1"/>
</TSrv>
<NATRuleOptions/>
</NATRule>
</NAT>
<Policy id="id3D581155" name="Policy">
<PolicyRule action="Accounting" direction="Both" disabled="False" id="id3E5F239B" log="False" position="0">
<Src neg="False">
<ObjectRef ref="sysid0"/>
</Src>
<Dst neg="False">
<ObjectRef ref="sysid0"/>
</Dst>
<Srv neg="False">
<ServiceRef ref="sysid1"/>
</Srv>
<Itf neg="False">
<ObjectRef ref="sysid0"/>
</Itf>
<When neg="False">
<IntervalRef ref="sysid2"/>
</When>
<PolicyRuleOptions>
<Option name="stateless">True</Option>
</PolicyRuleOptions>
</PolicyRule>
<PolicyRule action="Accounting" direction="Both" disabled="False" id="id3E5F2391" log="True" position="1">
<Src neg="False">
<ObjectRef ref="sysid0"/>
</Src>
<Dst neg="False">
<ObjectRef ref="sysid0"/>
</Dst>
<Srv neg="False">
<ServiceRef ref="sysid1"/>
</Srv>
<Itf neg="False">
<ObjectRef ref="sysid0"/>
</Itf>
<When neg="False">
<IntervalRef ref="sysid2"/>
</When>
<PolicyRuleOptions>
<Option name="stateless">True</Option>
</PolicyRuleOptions>
</PolicyRule>
<PolicyRule action="Accept" direction="Both" disabled="False" id="id3D5811A5" log="False" position="2">
<Src neg="False">
<ObjectRef ref="sysid0"/>
</Src>
<Dst neg="False">
<ObjectRef ref="id3D58115E"/>
</Dst>
<Srv neg="False">
<ServiceRef ref="tcp-SSH"/>
</Srv>
<Itf neg="False">
<ObjectRef ref="sysid0"/>
</Itf>
<When neg="False">
<IntervalRef ref="sysid2"/>
</When>
<PolicyRuleOptions/>
</PolicyRule>
<PolicyRule action="Accept" direction="Both" disabled="False" id="id3D58119B" log="False" position="3">
<Src neg="False">
<ObjectRef ref="sysid0"/>
</Src>
<Dst neg="False">
<ObjectRef ref="id3D58115D"/>
</Dst>
<Srv neg="False">
<ServiceRef ref="tcp-SSH"/>
</Srv>
<Itf neg="False">
<ObjectRef ref="sysid0"/>
</Itf>
<When neg="False">
<IntervalRef ref="sysid2"/>
</When>
<PolicyRuleOptions/>
</PolicyRule>
<PolicyRule action="Accept" direction="Both" disabled="False" id="id3D5811FB" log="False" position="4">
<Src neg="False">
<ObjectRef ref="sysid0"/>
</Src>
<Dst neg="False">
<ObjectRef ref="id3D58115B"/>
</Dst>
<Srv neg="False">
<ServiceRef ref="tcp-SSH"/>
</Srv>
<Itf neg="False">
<ObjectRef ref="sysid0"/>
</Itf>
<When neg="False">
<IntervalRef ref="sysid2"/>
</When>
<PolicyRuleOptions/>
</PolicyRule>
<PolicyRule action="Deny" direction="Both" disabled="False" id="id3D5811B1" log="True" position="5">
<Src neg="False">
<ObjectRef ref="sysid0"/>
</Src>
<Dst neg="False">
<ObjectRef ref="sysid0"/>
</Dst>
<Srv neg="False">
<ServiceRef ref="sysid1"/>
</Srv>
<Itf neg="False">
<ObjectRef ref="sysid0"/>
</Itf>
<When neg="False">
<IntervalRef ref="sysid2"/>
</When>
<PolicyRuleOptions>
<Option name="stateless">True</Option>
</PolicyRuleOptions>
</PolicyRule>
</Policy>
<Routing id="id3D581152-routing" name="Routing"/>
<Interface bridgeport="False" comment="" dyn="False" id="id3D58115B" label="" name="eth1" security_level="0" unnum="False" unprotected="False">
<IPv4 comment="" id="id3D58115D" name="firewall8:eth1:1" address="33.33.33.34" netmask="255.255.255.0"/>
<IPv4 comment="" id="id3D58115E" name="firewall8:eth1:0" address="33.33.33.33" netmask="255.255.255.0"/>
</Interface>
<Interface bridgeport="False" comment="" dyn="False" id="id3D581188" label="" name="eth0" security_level="100" unnum="False" unprotected="False">
<IPv4 comment="" id="id3D58118A" name="firewall8:eth0" address="192.168.1.1" netmask="255.255.255.0"/>
</Interface>
<Interface bridgeport="False" comment="" dyn="False" id="id3E5F18E9" label="" mgmt="False" name="lo" security_level="100" unnum="False" unprotected="False">
<IPv4 comment="" id="id3E5F18EB" name="firewall8:lo(ip)" address="127.0.0.1" netmask="255.0.0.0"/>
</Interface>
<Interface bridgeport="False" comment="" dyn="True" id="id3EE256C2" label="" mgmt="False" name="ppp0" security_level="0" unnum="False" unprotected="False"/>
<Management address="0.0.0.0">
<SNMPManagement enabled="False" snmp_read_community="" snmp_write_community=""/>
<FWBDManagement enabled="True" identity="" port="9999"/>
<PolicyInstallScript arguments="" command="" enabled="False"/>
</Management>
<FirewallOptions>
<Option name="check_shading">False</Option>
<Option name="cmdline"/>
<Option name="compiler"/>
<Option name="configure_interfaces">False</Option>
<Option name="debug">False</Option>
<Option name="firewall_dir">/etc</Option>
<Option name="ignore_empty_groups">False</Option>
<Option name="in_out_code">True</Option>
<Option name="log_prefix"/>
<Option name="manage_virtual_addr">False</Option>
<Option name="modulate_state">False</Option>
<Option name="no_optimisation">False</Option>
<Option name="openbsd_ip_forward">1</Option>
<Option name="openbsd_path_pfctl">/usr/sbin/pfctl</Option>
<Option name="openbsd_path_sysctl">/usr/sbin/sysctl</Option>
<Option name="pass_all_out">False</Option>
<Option name="pf_do_scrub">True</Option>
<Option name="pf_limit_frags">5000</Option>
<Option name="pf_limit_states">10000</Option>
<Option name="pf_optimization"/>
<Option name="pf_scrub_fragm_crop">False</Option>
<Option name="pf_scrub_fragm_drop_ovl">False</Option>
<Option name="pf_scrub_maxmss">1460</Option>
<Option name="pf_scrub_minttl">1</Option>
<Option name="pf_scrub_no_df">False</Option>
<Option name="pf_scrub_random_id">False</Option>
<Option name="pf_scrub_use_maxmss">False</Option>
<Option name="pf_scrub_use_minttl">False</Option>
<Option name="pf_timeout_frag">30</Option>
<Option name="pf_timeout_interval">10</Option>
<Option name="snmp_contact"/>
<Option name="snmp_description"/>
<Option name="snmp_location"/>
<Option name="use_tables">True</Option>
</FirewallOptions>
</Firewall>
<Firewall comment="testing rules with broadcasts" host_OS="freebsd" id="id3E853CBE" inactive="False" lastCompiled="1157930825" lastInstalled="0" lastModified="1200415214" name="firewall9" platform="pf" ro="False" version="">
<NAT id="id3E853CBF" name="NAT">
<NATRule disabled="True" id="id3E853EF8" position="0">
<OSrc neg="False">
<ObjectRef ref="net-Internal_net"/>
</OSrc>
<ODst neg="False">
<ObjectRef ref="sysid0"/>
</ODst>
<OSrv neg="False">
<ServiceRef ref="sysid1"/>
</OSrv>
<TSrc neg="False">
<ObjectRef ref="id3E853CD8"/>
</TSrc>
<TDst neg="False">
<ObjectRef ref="sysid0"/>
</TDst>
<TSrv neg="False">
<ServiceRef ref="sysid1"/>
</TSrv>
<NATRuleOptions/>
</NATRule>
<NATRule disabled="False" id="id3E853F16" position="1">
<OSrc neg="False">
<ObjectRef ref="net-Internal_net"/>
</OSrc>
<ODst neg="False">
<ObjectRef ref="sysid0"/>
</ODst>
<OSrv neg="False">
<ServiceRef ref="sysid1"/>
</OSrv>
<TSrc neg="False">
<ObjectRef ref="id3E853CBE"/>
</TSrc>
<TDst neg="False">
<ObjectRef ref="sysid0"/>
</TDst>
<TSrv neg="False">
<ServiceRef ref="sysid1"/>
</TSrv>
<NATRuleOptions/>
</NATRule>
</NAT>
<Policy id="id3E853CC0" name="Policy">
<PolicyRule action="Deny" direction="Inbound" disabled="False" id="id3E853CCE" log="True" position="0">
<Src neg="False">
<ObjectRef ref="sysid0"/>
</Src>
<Dst neg="False">
<ObjectRef ref="id3B64FFAC"/>
</Dst>
<Srv neg="False">
<ServiceRef ref="sysid1"/>
</Srv>
<Itf neg="False">
<ObjectRef ref="id3E853CCB"/>
</Itf>
<When neg="False">
<IntervalRef ref="sysid2"/>
</When>
<PolicyRuleOptions>
<Option name="stateless">True</Option>
</PolicyRuleOptions>
</PolicyRule>
<PolicyRule action="Accept" direction="Both" disabled="False" id="id3E853CEF" log="False" position="1">
<Src neg="False">
<ObjectRef ref="sysid0"/>
</Src>
<Dst neg="False">
<ObjectRef ref="sysid0"/>
</Dst>
<Srv neg="False">
<ServiceRef ref="sysid1"/>
</Srv>
<Itf neg="False">
<ObjectRef ref="id3E853CDE"/>
</Itf>
<When neg="False">
<IntervalRef ref="sysid2"/>
</When>
<PolicyRuleOptions/>
</PolicyRule>
<PolicyRule action="Accept" direction="Both" disabled="True" id="id3E853D1B" log="False" position="2">
<Src neg="False">
<ObjectRef ref="id3E853CD8"/>
</Src>
<Dst neg="False">
<ObjectRef ref="sysid0"/>
</Dst>
<Srv neg="False">
<ServiceRef ref="sysid1"/>
</Srv>
<Itf neg="False">
<ObjectRef ref="sysid0"/>
</Itf>
<When neg="False">
<IntervalRef ref="sysid2"/>
</When>
<PolicyRuleOptions/>
</PolicyRule>
<PolicyRule action="Accept" comment="" direction="Both" disabled="False" id="id3E853CC1" log="False" position="3">
<Src neg="False">
<ObjectRef ref="sysid0"/>
</Src>
<Dst neg="False">
<ObjectRef ref="id3B64FFAC"/>
</Dst>
<Srv neg="False">
<ServiceRef ref="udp-bootpc"/>
</Srv>
<Itf neg="False">
<ObjectRef ref="sysid0"/>
</Itf>
<When neg="False">
<IntervalRef ref="sysid2"/>
</When>
<PolicyRuleOptions/>
</PolicyRule>
<PolicyRule action="Deny" direction="Both" disabled="False" id="id3E853D26" log="True" position="4">
<Src neg="False">
<ObjectRef ref="sysid0"/>
</Src>
<Dst neg="False">
<ObjectRef ref="sysid0"/>
</Dst>
<Srv neg="False">
<ServiceRef ref="sysid1"/>
</Srv>
<Itf neg="False">
<ObjectRef ref="sysid0"/>
</Itf>
<When neg="False">
<IntervalRef ref="sysid2"/>
</When>
<PolicyRuleOptions>
<Option name="stateless">True</Option>
</PolicyRuleOptions>
</PolicyRule>
</Policy>
<Routing id="id3E853CBE-routing" name="Routing"/>
<Interface bridgeport="False" dyn="False" id="id3E853CCB" name="eth0" security_level="100" unnum="False" unprotected="False">
<IPv4 id="id3E853CCC" name="address" address="192.168.1.1" netmask="255.255.255.0"/>
</Interface>
<Interface bridgeport="False" comment="" dyn="False" id="id3E853CD8" label="" mgmt="False" name="enc0" security_level="0" unnum="True" unprotected="False"/>
<Interface bridgeport="False" dyn="False" id="id3E853CDE" name="lo" security_level="100" unnum="False" unprotected="False">
<IPv4 id="id3E853CDF" name="address" address="127.0.0.1" netmask="255.0.0.0"/>
</Interface>
<Management address="127.0.0.1">
<SNMPManagement enabled="False" snmp_read_community="public" snmp_write_community=""/>
<FWBDManagement enabled="True" identity="" port="9999"/>
<PolicyInstallScript arguments="" command="" enabled="False"/>
</Management>
<FirewallOptions>
<Option name="accept_established">True</Option>
<Option name="accept_new_tcp_with_no_syn">True</Option>
<Option name="action_on_reject">ICMP net unreachable</Option>
<Option name="check_shading">True</Option>
<Option name="clamp_mss_to_mtu">False</Option>
<Option name="cmdline"/>
<Option name="compiler"/>
<Option name="configure_interfaces">False</Option>
<Option name="debug">False</Option>
<Option name="dyn_addr">False</Option>
<Option name="firewall_dir"/>
<Option name="firewall_is_part_of_any">True</Option>
<Option name="firewall_is_part_of_any_and_networks">True</Option>
<Option name="freebsd_path_ipf"/>
<Option name="freebsd_path_ipnat"/>
<Option name="freebsd_path_sysctl"/>
<Option name="ignore_empty_groups">False</Option>
<Option name="in_out_code">True</Option>
<Option name="inst_cmdline"/>
<Option name="inst_script"/>
<Option name="install_script"/>
<Option name="limit_suffix">/day</Option>
<Option name="limit_value">0</Option>
<Option name="linux24_ip_forward">0</Option>
<Option name="linux24_tcp_fin_timeout">30</Option>
<Option name="linux24_tcp_keepalive_interval">1800</Option>
<Option name="load_modules">False</Option>
<Option name="log_all_dropped">False</Option>
<Option name="log_ip_opt">False</Option>
<Option name="log_level">debug</Option>
<Option name="log_limit_suffix">/second</Option>
<Option name="log_limit_value">0</Option>
<Option name="log_prefix"/>
<Option name="log_tcp_opt">False</Option>
<Option name="log_tcp_seq">False</Option>
<Option name="manage_virtual_addr">True</Option>
<Option name="modulate_state">False</Option>
<Option name="no_iochains_for_any">False</Option>
<Option name="no_optimisation">False</Option>
<Option name="openbsd_path_pfctl"/>
<Option name="openbsd_path_sysctl"/>
<Option name="pass_all_out">False</Option>
<Option name="pf_do_scrub">True</Option>
<Option name="pf_limit_frags">5000</Option>
<Option name="pf_limit_states">10000</Option>
<Option name="pf_optimization"/>
<Option name="pf_scrub_fragm_crop">False</Option>
<Option name="pf_scrub_fragm_drop_ovl">False</Option>
<Option name="pf_scrub_maxmss">1460</Option>
<Option name="pf_scrub_minttl">1</Option>
<Option name="pf_scrub_no_df">False</Option>
<Option name="pf_scrub_random_id">False</Option>
<Option name="pf_scrub_use_maxmss">False</Option>
<Option name="pf_scrub_use_minttl">False</Option>
<Option name="pf_timeout_frag">30</Option>
<Option name="pf_timeout_interval">10</Option>
<Option name="platform">iptables</Option>
<Option name="proxy_arp">False</Option>
<Option name="script_env_path"/>
<Option name="snmp_contact"/>
<Option name="snmp_description"/>
<Option name="snmp_location"/>
<Option name="use_ip_tool">False</Option>
<Option name="use_numeric_log_levels">False</Option>
<Option name="use_tables">True</Option>
</FirewallOptions>
</Firewall>
<Firewall comment="testing DNSName object" host_OS="freebsd" id="id43867C1018346" inactive="False" lastCompiled="1157930808" lastInstalled="0" lastModified="1193632397" name="firewall33" platform="pf" ro="False" version="">
<NAT id="id43867C4818346" name="NAT">
<NATRule disabled="False" id="id43876E2618346" position="0">
<OSrc neg="False">
<ObjectRef ref="sysid0"/>
</OSrc>
<ODst neg="False">
<ObjectRef ref="id43869E8C18346"/>
</ODst>
<OSrv neg="False">
<ServiceRef ref="sysid1"/>
</OSrv>
<TSrc neg="False">
<ObjectRef ref="id43867C5818346"/>
</TSrc>
<TDst neg="False">
<ObjectRef ref="sysid0"/>
</TDst>
<TSrv neg="False">
<ServiceRef ref="sysid1"/>
</TSrv>
<NATRuleOptions/>
</NATRule>
<NATRule comment="" disabled="False" id="id43876E5218346" position="1">
<OSrc neg="False">
<ObjectRef ref="sysid0"/>
</OSrc>
<ODst neg="False">
<ObjectRef ref="id43869E8D18346"/>
</ODst>
<OSrv neg="False">
<ServiceRef ref="sysid1"/>
</OSrv>
<TSrc neg="False">
<ObjectRef ref="id43867C5818346"/>
</TSrc>
<TDst neg="False">
<ObjectRef ref="sysid0"/>
</TDst>
<TSrv neg="False">
<ServiceRef ref="sysid1"/>
</TSrv>
<NATRuleOptions/>
</NATRule>
<NATRule disabled="False" id="id43876E6918346" position="2">
<OSrc neg="False">
<ObjectRef ref="sysid0"/>
</OSrc>
<ODst neg="False">
<ObjectRef ref="id43869E8D18346"/>
<ObjectRef ref="id4387287A18346"/>
</ODst>
<OSrv neg="False">
<ServiceRef ref="sysid1"/>
</OSrv>
<TSrc neg="False">
<ObjectRef ref="id43867C5818346"/>
</TSrc>
<TDst neg="False">
<ObjectRef ref="sysid0"/>
</TDst>
<TSrv neg="False">
<ServiceRef ref="sysid1"/>
</TSrv>
<NATRuleOptions/>
</NATRule>
<NATRule disabled="False" id="id43876E7B18346" position="3">
<OSrc neg="False">
<ObjectRef ref="sysid0"/>
</OSrc>
<ODst neg="True">
<ObjectRef ref="id43869E8D18346"/>
<ObjectRef ref="id4387287A18346"/>
</ODst>
<OSrv neg="False">
<ServiceRef ref="sysid1"/>
</OSrv>
<TSrc neg="False">
<ObjectRef ref="id43867C5818346"/>
</TSrc>
<TDst neg="False">
<ObjectRef ref="sysid0"/>
</TDst>
<TSrv neg="False">
<ServiceRef ref="sysid1"/>
</TSrv>
<NATRuleOptions/>
</NATRule>
</NAT>
<Policy id="id43867C1618346" name="Policy">
<PolicyRule action="Accept" direction="Both" disabled="False" id="id43867C2418346" log="False" position="0">
<Src neg="False">
<ObjectRef ref="id43869E8C18346"/>
</Src>
<Dst neg="False">
<ObjectRef ref="sysid0"/>
</Dst>
<Srv neg="False">
<ServiceRef ref="sysid1"/>
</Srv>
<Itf neg="False">
<ObjectRef ref="sysid0"/>
</Itf>
<When neg="False">
<IntervalRef ref="sysid2"/>
</When>
<PolicyRuleOptions/>
</PolicyRule>
<PolicyRule action="Accept" direction="Both" disabled="False" id="id43869E9018346" log="False" position="1">
<Src neg="False">
<ObjectRef ref="id43869E8D18346"/>
</Src>
<Dst neg="False">
<ObjectRef ref="sysid0"/>
</Dst>
<Srv neg="False">
<ServiceRef ref="sysid1"/>
</Srv>
<Itf neg="False">
<ObjectRef ref="sysid0"/>
</Itf>
<When neg="False">
<IntervalRef ref="sysid2"/>
</When>
<PolicyRuleOptions/>
</PolicyRule>
<PolicyRule action="Accept" direction="Both" disabled="False" id="id43869E9E18346" log="False" position="2">
<Src neg="False">
<ObjectRef ref="id43869E8E18346"/>
</Src>
<Dst neg="False">
<ObjectRef ref="sysid0"/>
</Dst>
<Srv neg="False">
<ServiceRef ref="sysid1"/>
</Srv>
<Itf neg="False">
<ObjectRef ref="sysid0"/>
</Itf>
<When neg="False">
<IntervalRef ref="sysid2"/>
</When>
<PolicyRuleOptions/>
</PolicyRule>
<PolicyRule action="Accept" direction="Both" disabled="False" id="id43869EAA18346" log="False" position="3">
<Src neg="False">
<ObjectRef ref="id43869E8F18346"/>
</Src>
<Dst neg="False">
<ObjectRef ref="sysid0"/>
</Dst>
<Srv neg="False">
<ServiceRef ref="sysid1"/>
</Srv>
<Itf neg="False">
<ObjectRef ref="sysid0"/>
</Itf>
<When neg="False">
<IntervalRef ref="sysid2"/>
</When>
<PolicyRuleOptions/>
</PolicyRule>
<PolicyRule action="Deny" direction="Both" disabled="False" id="id4386E38318346" log="False" position="4">
<Src neg="False">
<ObjectRef ref="sysid0"/>
</Src>
<Dst neg="True">
<ObjectRef ref="id43869E8C18346"/>
</Dst>
<Srv neg="False">
<ServiceRef ref="sysid1"/>
</Srv>
<Itf neg="False">
<ObjectRef ref="sysid0"/>
</Itf>
<When neg="False">
<IntervalRef ref="sysid2"/>
</When>
<PolicyRuleOptions>
<Option name="stateless">True</Option>
</PolicyRuleOptions>
</PolicyRule>
<PolicyRule action="Deny" direction="Both" disabled="False" id="id4386E37718346" log="False" position="5">
<Src neg="False">
<ObjectRef ref="sysid0"/>
</Src>
<Dst neg="True">
<ObjectRef ref="id43869E8D18346"/>
</Dst>
<Srv neg="False">
<ServiceRef ref="sysid1"/>
</Srv>
<Itf neg="False">
<ObjectRef ref="sysid0"/>
</Itf>
<When neg="False">
<IntervalRef ref="sysid2"/>
</When>
<PolicyRuleOptions>
<Option name="stateless">True</Option>
</PolicyRuleOptions>
</PolicyRule>
<PolicyRule action="Accept" direction="Both" disabled="False" id="id43867C3018346" log="False" position="6">
<Src neg="False">
<ObjectRef ref="sysid0"/>
</Src>
<Dst neg="True">
<ObjectRef ref="id43869E8E18346"/>
</Dst>
<Srv neg="False">
<ServiceRef ref="sysid1"/>
</Srv>
<Itf neg="False">
<ObjectRef ref="sysid0"/>
</Itf>
<When neg="False">
<IntervalRef ref="sysid2"/>
</When>
<PolicyRuleOptions/>
</PolicyRule>
<PolicyRule action="Accept" direction="Both" disabled="False" id="id4386C10D18346" log="False" position="7">
<Src neg="False">
<ObjectRef ref="sysid0"/>
</Src>
<Dst neg="True">
<ObjectRef ref="id43869E8F18346"/>
</Dst>
<Srv neg="False">
<ServiceRef ref="sysid1"/>
</Srv>
<Itf neg="False">
<ObjectRef ref="sysid0"/>
</Itf>
<When neg="False">
<IntervalRef ref="sysid2"/>
</When>
<PolicyRuleOptions/>
</PolicyRule>
<PolicyRule action="Accept" comment="" direction="Both" disabled="False" id="id438728A918346" log="False" position="8">
<Src neg="False">
<ObjectRef ref="sysid0"/>
</Src>
<Dst neg="True">
<ObjectRef ref="id43869E8C18346"/>
<ObjectRef ref="id4387287918346"/>
</Dst>
<Srv neg="False">
<ServiceRef ref="sysid1"/>
</Srv>
<Itf neg="False">
<ObjectRef ref="sysid0"/>
</Itf>
<When neg="False">
<IntervalRef ref="sysid2"/>
</When>
<PolicyRuleOptions/>
</PolicyRule>
<PolicyRule action="Accept" comment="" direction="Both" disabled="False" id="id438728BA18346" log="False" position="9">
<Src neg="False">
<ObjectRef ref="sysid0"/>
</Src>
<Dst neg="True">
<ObjectRef ref="id43869E8D18346"/>
<ObjectRef ref="id4387287A18346"/>
</Dst>
<Srv neg="False">
<ServiceRef ref="sysid1"/>
</Srv>
<Itf neg="False">
<ObjectRef ref="sysid0"/>
</Itf>
<When neg="False">
<IntervalRef ref="sysid2"/>
</When>
<PolicyRuleOptions/>
</PolicyRule>
<PolicyRule action="Accept" comment="" direction="Both" disabled="False" id="id438728CD18346" log="False" position="10">
<Src neg="False">
<ObjectRef ref="sysid0"/>
</Src>
<Dst neg="True">
<ObjectRef ref="id43869E8C18346"/>
<ObjectRef ref="id4387287A18346"/>
</Dst>
<Srv neg="False">
<ServiceRef ref="sysid1"/>
</Srv>
<Itf neg="False">
<ObjectRef ref="sysid0"/>
</Itf>
<When neg="False">
<IntervalRef ref="sysid2"/>
</When>
<PolicyRuleOptions/>
</PolicyRule>
<PolicyRule action="Deny" direction="Both" disabled="False" id="id43867C3C18346" log="True" position="11">
<Src neg="False">
<ObjectRef ref="sysid0"/>
</Src>
<Dst neg="False">
<ObjectRef ref="sysid0"/>
</Dst>
<Srv neg="False">
<ServiceRef ref="sysid1"/>
</Srv>
<Itf neg="False">
<ObjectRef ref="sysid0"/>
</Itf>
<When neg="False">
<IntervalRef ref="sysid2"/>
</When>
<PolicyRuleOptions>
<Option name="stateless">True</Option>
</PolicyRuleOptions>
</PolicyRule>
</Policy>
<Routing id="id43867C5718346" name="Routing"/>
<Interface bridgeport="False" comment="VLAN interface" dyn="True" id="id43867C5818346" label="" mgmt="False" name="eth0.100" security_level="0" unnum="False" unprotected="False"/>
<Interface bridgeport="False" dyn="False" id="id43867C5918346" name="lo" security_level="100" unnum="False" unprotected="False">
<IPv4 id="id43867C5B18346" name="firewall33:lo:ip" address="127.0.0.1" netmask="255.0.0.0"/>
</Interface>
<Interface bridgeport="False" comment="" dyn="False" id="id43867C5C18346" label="" mgmt="True" name="eth1" security_level="100" unnum="False" unprotected="False">
<IPv4 comment="" id="id43867C5E18346" name="firewall33:eth1:ip" address="192.168.1.100" netmask="255.255.255.0"/>
</Interface>
<Management address="192.168.1.100">
<SNMPManagement enabled="False" snmp_read_community="public" snmp_write_community=""/>
<FWBDManagement enabled="True" identity="" port="9999"/>
<PolicyInstallScript arguments="" command="" enabled="False"/>
</Management>
<FirewallOptions>
<Option name="accept_established">True</Option>
<Option name="accept_new_tcp_with_no_syn">True</Option>
<Option name="action_on_reject">ICMP net unreachable</Option>
<Option name="activationCmd"/>
<Option name="admUser"/>
<Option name="altAddress"/>
<Option name="bridging_fw">False</Option>
<Option name="check_shading">False</Option>
<Option name="clamp_mss_to_mtu">False</Option>
<Option name="cmdline"/>
<Option name="compiler"/>
<Option name="configure_interfaces">True</Option>
<Option name="debug">False</Option>
<Option name="drop_invalid">False</Option>
<Option name="dyn_addr">False</Option>
<Option name="epilog_script"/>
<Option name="firewall_dir"/>
<Option name="firewall_is_part_of_any">True</Option>
<Option name="firewall_is_part_of_any_and_networks">True</Option>
<Option name="ignore_empty_groups">False</Option>
<Option name="inst_cmdline"/>
<Option name="inst_script"/>
<Option name="install_script"/>
<Option name="limit_suffix">/day</Option>
<Option name="limit_value">0</Option>
<Option name="linux24_accept_redirects"/>
<Option name="linux24_accept_source_route"/>
<Option name="linux24_icmp_echo_ignore_all"/>
<Option name="linux24_icmp_echo_ignore_broadcasts"/>
<Option name="linux24_icmp_ignore_bogus_error_responses"/>
<Option name="linux24_ip_dynaddr"/>
<Option name="linux24_ip_forward"/>
<Option name="linux24_log_martians"/>
<Option name="linux24_path_ip"/>
<Option name="linux24_path_iptables"/>
<Option name="linux24_path_logger"/>
<Option name="linux24_path_lsmod"/>
<Option name="linux24_path_modprobe"/>
<Option name="linux24_rp_filter"/>
<Option name="linux24_tcp_ecn"/>
<Option name="linux24_tcp_fack"/>
<Option name="linux24_tcp_fin_timeout">30</Option>
<Option name="linux24_tcp_keepalive_interval">1800</Option>
<Option name="linux24_tcp_sack"/>
<Option name="linux24_tcp_syncookies"/>
<Option name="linux24_tcp_timestamps"/>
<Option name="linux24_tcp_window_scaling"/>
<Option name="load_modules">False</Option>
<Option name="local_nat">False</Option>
<Option name="log_all">False</Option>
<Option name="log_all_dropped">False</Option>
<Option name="log_invalid">False</Option>
<Option name="log_ip_opt">False</Option>
<Option name="log_level">debug</Option>
<Option name="log_limit_suffix">/second</Option>
<Option name="log_limit_value">0</Option>
<Option name="log_prefix">RULE %N -- %A on %I </Option>
<Option name="log_tcp_opt">False</Option>
<Option name="log_tcp_seq">False</Option>
<Option name="manage_virtual_addr">True</Option>
<Option name="mgmt_addr"/>
<Option name="mgmt_ssh">False</Option>
<Option name="no_iochains_for_any">False</Option>
<Option name="no_optimisation">False</Option>
<Option name="output_file"/>
<Option name="platform">iptables</Option>
<Option name="prolog_place">top</Option>
<Option name="prolog_script"/>
<Option name="proxy_arp">False</Option>
<Option name="script_env_path"/>
<Option name="snmp_contact"/>
<Option name="snmp_description"/>
<Option name="snmp_location"/>
<Option name="sshArgs"/>
<Option name="ulog_cprange">0</Option>
<Option name="ulog_nlgroup">1</Option>
<Option name="ulog_qthreshold">1</Option>
<Option name="use_ULOG">False</Option>
<Option name="use_ip_tool">False</Option>
<Option name="use_iptables_restore">False</Option>
<Option name="use_numeric_log_levels">False</Option>
<Option name="verify_interfaces">False</Option>
</FirewallOptions>
</Firewall>
<Firewall comment="testing AddressTable object" host_OS="openbsd" id="id4389EDAE18346" inactive="False" lastCompiled="1210047001" lastInstalled="0" lastModified="1210046836" name="firewall34" platform="pf" ro="False" version="">
<NAT id="id4389EE4818346" name="NAT">
<NATRule disabled="False" id="id4389EEB018346" position="0">
<OSrc neg="True">
<ObjectRef ref="id4389EE9118346"/>
</OSrc>
<ODst neg="False">
<ObjectRef ref="id4389EE8418346"/>
</ODst>
<OSrv neg="False">
<ServiceRef ref="tcp-SMTP"/>
</OSrv>
<TSrc neg="False">
<ObjectRef ref="sysid0"/>
</TSrc>
<TDst neg="False">
<ObjectRef ref="host-hostA"/>
</TDst>
<TSrv neg="False">
<ServiceRef ref="sysid1"/>
</TSrv>
<NATRuleOptions/>
</NATRule>
<NATRule disabled="False" id="id446FDDE610619" position="1">
<OSrc neg="False">
<ObjectRef ref="id4390C25525682"/>
</OSrc>
<ODst neg="False">
<ObjectRef ref="id4389EE8418346"/>
</ODst>
<OSrv neg="False">
<ServiceRef ref="tcp-SMTP"/>
</OSrv>
<TSrc neg="False">
<ObjectRef ref="sysid0"/>
</TSrc>
<TDst neg="False">
<ObjectRef ref="host-hostA"/>
</TDst>
<TSrv neg="False">
<ServiceRef ref="sysid1"/>
</TSrv>
<NATRuleOptions/>
</NATRule>
<NATRule disabled="False" id="id43891B6E674" position="2">
<OSrc neg="False">
<ObjectRef ref="net-Internal_net"/>
</OSrc>
<ODst neg="True">
<ObjectRef ref="id4389EE9118346"/>
</ODst>
<OSrv neg="False">
<ServiceRef ref="sysid1"/>
</OSrv>
<TSrc neg="False">
<ObjectRef ref="id4389EE8418346"/>
</TSrc>
<TDst neg="False">
<ObjectRef ref="sysid0"/>
</TDst>
<TSrv neg="False">
<ServiceRef ref="sysid1"/>
</TSrv>
<NATRuleOptions/>
</NATRule>
<NATRule disabled="False" id="id467A0FE823947" position="3">
<OSrc neg="False">
<ObjectRef ref="sysid0"/>
</OSrc>
<ODst neg="False">
<ObjectRef ref="id4389EE8418346"/>
</ODst>
<OSrv neg="False">
<ServiceRef ref="tcp-SMTP"/>
</OSrv>
<TSrc neg="False">
<ObjectRef ref="sysid0"/>
</TSrc>
<TDst neg="False">
<ObjectRef ref="id4389EE9018346"/>
</TDst>
<TSrv neg="False">
<ServiceRef ref="sysid1"/>
</TSrv>
<NATRuleOptions/>
</NATRule>
<NATRule comment="" disabled="False" id="id467A0FF823947" position="4">
<OSrc neg="False">
<ObjectRef ref="sysid0"/>
</OSrc>
<ODst neg="False">
<ObjectRef ref="id4389EE8418346"/>
</ODst>
<OSrv neg="False">
<ServiceRef ref="sysid1"/>
</OSrv>
<TSrc neg="False">
<ObjectRef ref="sysid0"/>
</TSrc>
<TDst neg="False">
<ObjectRef ref="id4389EE9018346"/>
</TDst>
<TSrv neg="False">
<ServiceRef ref="sysid1"/>
</TSrv>
<NATRuleOptions/>
</NATRule>
<NATRule disabled="False" id="id467A209B23947" position="5">
<OSrc neg="False">
<ObjectRef ref="net-Internal_net"/>
</OSrc>
<ODst neg="False">
<ObjectRef ref="id4389EE9118346"/>
</ODst>
<OSrv neg="False">
<ServiceRef ref="sysid1"/>
</OSrv>
<TSrc neg="False">
<ObjectRef ref="sysid0"/>
</TSrc>
<TDst neg="False">
<ObjectRef ref="sysid0"/>
</TDst>
<TSrv neg="False">
<ServiceRef ref="sysid1"/>
</TSrv>
<NATRuleOptions/>
</NATRule>
<NATRule comment="" disabled="False" id="id467A20AD23947" position="6">
<OSrc neg="False">
<ObjectRef ref="net-Internal_net"/>
</OSrc>
<ODst neg="False">
<ObjectRef ref="id4389EE9118346"/>
</ODst>
<OSrv neg="False">
<ServiceRef ref="sysid1"/>
</OSrv>
<TSrc neg="False">
<ObjectRef ref="sysid0"/>
</TSrc>
<TDst neg="False">
<ObjectRef ref="id4389EE8518346"/>
</TDst>
<TSrv neg="False">
<ServiceRef ref="sysid1"/>
</TSrv>
<NATRuleOptions/>
</NATRule>
</NAT>
<Policy id="id4389EDB418346" name="Policy">
<PolicyRule action="Accept" direction="Both" disabled="False" id="id4389EDB518346" log="False" position="0">
<Src neg="False">
<ObjectRef ref="sysid0"/>
</Src>
<Dst neg="False">
<ObjectRef ref="id4389EE9018346"/>
</Dst>
<Srv neg="False">
<ServiceRef ref="sysid1"/>
</Srv>
<Itf neg="False">
<ObjectRef ref="sysid0"/>
</Itf>
<When neg="False">
<IntervalRef ref="sysid2"/>
</When>
<PolicyRuleOptions/>
</PolicyRule>
<PolicyRule action="Deny" direction="Both" disabled="False" id="id4388CFEA674" log="True" position="1">
<Src neg="False">
<ObjectRef ref="sysid0"/>
</Src>
<Dst neg="False">
<ObjectRef ref="id4389EE9118346"/>
</Dst>
<Srv neg="False">
<ServiceRef ref="sysid1"/>
</Srv>
<Itf neg="False">
<ObjectRef ref="sysid0"/>
</Itf>
<When neg="False">
<IntervalRef ref="sysid2"/>
</When>
<PolicyRuleOptions>
<Option name="stateless">True</Option>
</PolicyRuleOptions>
</PolicyRule>
<PolicyRule action="Deny" direction="Both" disabled="False" id="id4390C25825682" log="True" position="2">
<Src neg="False">
<ObjectRef ref="sysid0"/>
</Src>
<Dst neg="False">
<ObjectRef ref="id4390C25525682"/>
</Dst>
<Srv neg="False">
<ServiceRef ref="sysid1"/>
</Srv>
<Itf neg="False">
<ObjectRef ref="sysid0"/>
</Itf>
<When neg="False">
<IntervalRef ref="sysid2"/>
</When>
<PolicyRuleOptions>
<Option name="stateless">True</Option>
</PolicyRuleOptions>
</PolicyRule>
<PolicyRule action="Deny" direction="Both" disabled="False" id="id446FB0ED10619" log="True" position="3">
<Src neg="False">
<ObjectRef ref="sysid0"/>
</Src>
<Dst neg="False">
<ObjectRef ref="id446FB0EA10619"/>
</Dst>
<Srv neg="False">
<ServiceRef ref="sysid1"/>
</Srv>
<Itf neg="False">
<ObjectRef ref="sysid0"/>
</Itf>
<When neg="False">
<IntervalRef ref="sysid2"/>
</When>
<PolicyRuleOptions>
<Option name="stateless">True</Option>
</PolicyRuleOptions>
</PolicyRule>
<PolicyRule action="Deny" direction="Both" disabled="False" id="id452762A85348" log="True" position="4">
<Src neg="False">
<ObjectRef ref="id452762A75348"/>
</Src>
<Dst neg="False">
<ObjectRef ref="sysid0"/>
</Dst>
<Srv neg="False">
<ServiceRef ref="sysid1"/>
</Srv>
<Itf neg="False">
<ObjectRef ref="sysid0"/>
</Itf>
<When neg="False">
<IntervalRef ref="sysid2"/>
</When>
<PolicyRuleOptions>
<Option name="stateless">True</Option>
</PolicyRuleOptions>
</PolicyRule>
<PolicyRule action="Deny" direction="Both" disabled="False" id="id4389EDC118346" log="False" position="5">
<Src neg="False">
<ObjectRef ref="sysid0"/>
</Src>
<Dst neg="False">
<ObjectRef ref="id4389EE9118346"/>
<ObjectRef ref="id4388C37D674"/>
</Dst>
<Srv neg="False">
<ServiceRef ref="tcp-SMTP"/>
</Srv>
<Itf neg="False">
<ObjectRef ref="sysid0"/>
</Itf>
<When neg="False">
<IntervalRef ref="sysid2"/>
</When>
<PolicyRuleOptions>
<Option name="stateless">True</Option>
</PolicyRuleOptions>
</PolicyRule>
<PolicyRule action="Deny" direction="Both" disabled="False" id="id4388CFF8674" log="True" position="6">
<Src neg="False">
<ObjectRef ref="id4389EE9118346"/>
</Src>
<Dst neg="False">
<ObjectRef ref="sysid0"/>
</Dst>
<Srv neg="False">
<ServiceRef ref="sysid1"/>
</Srv>
<Itf neg="False">
<ObjectRef ref="sysid0"/>
</Itf>
<When neg="False">
<IntervalRef ref="sysid2"/>
</When>
<PolicyRuleOptions>
<Option name="stateless">True</Option>
</PolicyRuleOptions>
</PolicyRule>
<PolicyRule action="Deny" direction="Both" disabled="False" id="id4388C36F674" log="True" position="7">
<Src neg="False">
<ObjectRef ref="id4389EE9118346"/>
<ObjectRef ref="id4388C37D674"/>
</Src>
<Dst neg="False">
<ObjectRef ref="sysid0"/>
</Dst>
<Srv neg="False">
<ServiceRef ref="sysid1"/>
</Srv>
<Itf neg="False">
<ObjectRef ref="sysid0"/>
</Itf>
<When neg="False">
<IntervalRef ref="sysid2"/>
</When>
<PolicyRuleOptions>
<Option name="stateless">True</Option>
</PolicyRuleOptions>
</PolicyRule>
<PolicyRule action="Accept" comment="" direction="Both" disabled="True" id="id4388F5A9674" log="False" position="8">
<Src neg="True">
<ObjectRef ref="id4389EE9118346"/>
<ObjectRef ref="id4388C37D674"/>
</Src>
<Dst neg="False">
<ObjectRef ref="sysid0"/>
</Dst>
<Srv neg="False">
<ServiceRef ref="sysid1"/>
</Srv>
<Itf neg="False">
<ObjectRef ref="sysid0"/>
</Itf>
<When neg="False">
<IntervalRef ref="sysid2"/>
</When>
<PolicyRuleOptions/>
</PolicyRule>
<PolicyRule action="Accept" direction="Both" disabled="False" id="id4389EEA118346" log="False" position="9">
<Src neg="False">
<ObjectRef ref="sysid0"/>
</Src>
<Dst neg="False">
<ObjectRef ref="host-hostA"/>
</Dst>
<Srv neg="False">
<ServiceRef ref="tcp-SMTP"/>
</Srv>
<Itf neg="False">
<ObjectRef ref="sysid0"/>
</Itf>
<When neg="False">
<IntervalRef ref="sysid2"/>
</When>
<PolicyRuleOptions>
<Option name="log_prefix"/>
<Option name="pf_keep_state">False</Option>
<Option name="pf_max_src_conn">5</Option>
<Option name="pf_max_src_conn_flush">True</Option>
<Option name="pf_max_src_conn_global">True</Option>
<Option name="pf_max_src_conn_overload_table">spammers</Option>
<Option name="pf_max_src_conn_rate_flush">False</Option>
<Option name="pf_max_src_conn_rate_global">False</Option>
<Option name="pf_max_src_conn_rate_num">0</Option>
<Option name="pf_max_src_conn_rate_overload_table"/>
<Option name="pf_max_src_conn_rate_seconds">0</Option>
<Option name="pf_max_src_nodes">0</Option>
<Option name="pf_max_src_states">0</Option>
<Option name="pf_rule_max_state">0</Option>
<Option name="pf_source_tracking">False</Option>
<Option name="stateless">False</Option>
</PolicyRuleOptions>
</PolicyRule>
<PolicyRule action="Accept" direction="Both" disabled="False" id="id4389EDCD18346" log="False" position="10">
<Src neg="False">
<ObjectRef ref="net-Internal_net"/>
</Src>
<Dst neg="False">
<ObjectRef ref="sysid0"/>
</Dst>
<Srv neg="False">
<ServiceRef ref="sysid1"/>
</Srv>
<Itf neg="False">
<ObjectRef ref="sysid0"/>
</Itf>
<When neg="False">
<IntervalRef ref="sysid2"/>
</When>
<PolicyRuleOptions/>
</PolicyRule>
<PolicyRule action="Deny" direction="Both" disabled="False" id="id4389EE3C18346" log="True" position="11">
<Src neg="False">
<ObjectRef ref="sysid0"/>
</Src>
<Dst neg="False">
<ObjectRef ref="sysid0"/>
</Dst>
<Srv neg="False">
<ServiceRef ref="sysid1"/>
</Srv>
<Itf neg="False">
<ObjectRef ref="sysid0"/>
</Itf>
<When neg="False">
<IntervalRef ref="sysid2"/>
</When>
<PolicyRuleOptions>
<Option name="stateless">True</Option>
</PolicyRuleOptions>
</PolicyRule>
</Policy>
<Routing id="id4389EE8318346" name="Routing"/>
<Interface bridgeport="False" comment="VLAN interface" dyn="True" id="id4389EE8418346" label="" mgmt="False" name="eth0.100" security_level="0" unnum="False" unprotected="False"/>
<Interface bridgeport="False" dyn="False" id="id4389EE8518346" name="lo" security_level="100" unnum="False" unprotected="False">
<IPv4 id="id4389EE8718346" name="firewall34:lo:ip" address="127.0.0.1" netmask="255.0.0.0"/>
</Interface>
<Interface bridgeport="False" comment="" dyn="False" id="id4389EE8818346" label="" mgmt="True" name="eth1" security_level="100" unnum="False" unprotected="False">
<IPv4 comment="" id="id4389EE8A18346" name="firewall34:eth1:ip" address="192.168.1.100" netmask="255.255.255.0"/>
</Interface>
<Management address="192.168.1.100">
<SNMPManagement enabled="False" snmp_read_community="public" snmp_write_community=""/>
<FWBDManagement enabled="True" identity="" port="9999"/>
<PolicyInstallScript arguments="" command="" enabled="False"/>
</Management>
<FirewallOptions>
<Option name="accept_established">True</Option>
<Option name="accept_new_tcp_with_no_syn">True</Option>
<Option name="action_on_reject">ICMP net unreachable</Option>
<Option name="activationCmd"/>
<Option name="admUser"/>
<Option name="altAddress"/>
<Option name="bridging_fw">False</Option>
<Option name="check_shading">False</Option>
<Option name="clamp_mss_to_mtu">False</Option>
<Option name="cmdline"/>
<Option name="compiler"/>
<Option name="configure_interfaces">True</Option>
<Option name="debug">False</Option>
<Option name="drop_invalid">False</Option>
<Option name="dyn_addr">False</Option>
<Option name="epilog_script"/>
<Option name="firewall_dir"/>
<Option name="firewall_is_part_of_any">True</Option>
<Option name="firewall_is_part_of_any_and_networks">True</Option>
<Option name="ignore_empty_groups">False</Option>
<Option name="inst_cmdline"/>
<Option name="inst_script"/>
<Option name="install_script"/>
<Option name="limit_suffix">/day</Option>
<Option name="limit_value">0</Option>
<Option name="linux24_accept_redirects"/>
<Option name="linux24_accept_source_route"/>
<Option name="linux24_icmp_echo_ignore_all"/>
<Option name="linux24_icmp_echo_ignore_broadcasts"/>
<Option name="linux24_icmp_ignore_bogus_error_responses"/>
<Option name="linux24_ip_dynaddr"/>
<Option name="linux24_ip_forward"/>
<Option name="linux24_log_martians"/>
<Option name="linux24_path_ip"/>
<Option name="linux24_path_iptables"/>
<Option name="linux24_path_logger"/>
<Option name="linux24_path_lsmod"/>
<Option name="linux24_path_modprobe"/>
<Option name="linux24_rp_filter"/>
<Option name="linux24_tcp_ecn"/>
<Option name="linux24_tcp_fack"/>
<Option name="linux24_tcp_fin_timeout">30</Option>
<Option name="linux24_tcp_keepalive_interval">1800</Option>
<Option name="linux24_tcp_sack"/>
<Option name="linux24_tcp_syncookies"/>
<Option name="linux24_tcp_timestamps"/>
<Option name="linux24_tcp_window_scaling"/>
<Option name="load_modules">False</Option>
<Option name="local_nat">False</Option>
<Option name="log_all">False</Option>
<Option name="log_all_dropped">False</Option>
<Option name="log_invalid">False</Option>
<Option name="log_ip_opt">False</Option>
<Option name="log_level">debug</Option>
<Option name="log_limit_suffix">/second</Option>
<Option name="log_limit_value">0</Option>
<Option name="log_prefix">RULE %N -- %A on %I </Option>
<Option name="log_tcp_opt">False</Option>
<Option name="log_tcp_seq">False</Option>
<Option name="manage_virtual_addr">True</Option>
<Option name="mgmt_addr"/>
<Option name="mgmt_ssh">False</Option>
<Option name="no_iochains_for_any">False</Option>
<Option name="no_optimisation">False</Option>
<Option name="output_file"/>
<Option name="platform">iptables</Option>
<Option name="prolog_place">top</Option>
<Option name="prolog_script"/>
<Option name="proxy_arp">False</Option>
<Option name="script_env_path"/>
<Option name="snmp_contact"/>
<Option name="snmp_description"/>
<Option name="snmp_location"/>
<Option name="sshArgs"/>
<Option name="ulog_cprange">0</Option>
<Option name="ulog_nlgroup">1</Option>
<Option name="ulog_qthreshold">1</Option>
<Option name="use_ULOG">False</Option>
<Option name="use_ip_tool">False</Option>
<Option name="use_iptables_restore">False</Option>
<Option name="use_numeric_log_levels">False</Option>
<Option name="verify_interfaces">False</Option>
</FirewallOptions>
</Firewall>
<Firewall comment="testing rules with tag service" host_OS="freebsd" id="id43EC5DDC2355" inactive="False" lastCompiled="1157930811" lastInstalled="0" lastModified="1190517707" name="firewall38" platform="pf" ro="False" version="">
<NAT id="id43EC5E1F2355" name="NAT">
<NATRule disabled="False" id="id43EC5E2E2355" position="0">
<OSrc neg="False">
<ObjectRef ref="net-Internal_net"/>
</OSrc>
<ODst neg="False">
<ObjectRef ref="sysid0"/>
</ODst>
<OSrv neg="False">
<ServiceRef ref="sysid1"/>
</OSrv>
<TSrc neg="False">
<ObjectRef ref="id43EC5DDC2355"/>
</TSrc>
<TDst neg="False">
<ObjectRef ref="sysid0"/>
</TDst>
<TSrv neg="False">
<ServiceRef ref="sysid1"/>
</TSrv>
<NATRuleOptions/>
</NATRule>
<NATRule comment="" disabled="False" id="id43EC5E6E2355" position="1">
<OSrc neg="False">
<ObjectRef ref="net-Internal_net"/>
</OSrc>
<ODst neg="False">
<ObjectRef ref="sysid0"/>
</ODst>
<OSrv neg="False">
<ServiceRef ref="id43EC6B892355"/>
</OSrv>
<TSrc neg="False">
<ObjectRef ref="id43EC5DDC2355"/>
</TSrc>
<TDst neg="False">
<ObjectRef ref="sysid0"/>
</TDst>
<TSrv neg="False">
<ServiceRef ref="sysid1"/>
</TSrv>
<NATRuleOptions/>
</NATRule>
</NAT>
<Policy id="id43EC5DE22355" name="Policy">
<PolicyRule action="Tag" direction="Inbound" disabled="False" id="id43EC5DE32355" log="False" position="0">
<Src neg="False">
<ObjectRef ref="sysid0"/>
</Src>
<Dst neg="False">
<ObjectRef ref="sysid0"/>
</Dst>
<Srv neg="False">
<ServiceRef ref="sysid1"/>
</Srv>
<Itf neg="False">
<ObjectRef ref="id43EC5E3D2355"/>
</Itf>
<When neg="False">
<IntervalRef ref="sysid2"/>
</When>
<PolicyRuleOptions>
<Option name="action_on_reject"/>
<Option name="classify_str"/>
<Option name="custom_str"/>
<Option name="ipfw_pipe_method">0</Option>
<Option name="ipfw_pipe_port_num">0</Option>
<Option name="rule_name_accounting"/>
<Option name="tagobject_id">id43F4556A28869</Option>
</PolicyRuleOptions>
</PolicyRule>
<PolicyRule action="Accept" direction="Inbound" disabled="False" id="id43F447F228869" log="False" position="1">
<Src neg="False">
<ObjectRef ref="sysid0"/>
</Src>
<Dst neg="False">
<ObjectRef ref="sysid0"/>
</Dst>
<Srv neg="False">
<ServiceRef ref="sysid1"/>
</Srv>
<Itf neg="False">
<ObjectRef ref="id43F447EB28869"/>
</Itf>
<When neg="False">
<IntervalRef ref="sysid2"/>
</When>
<PolicyRuleOptions/>
</PolicyRule>
<PolicyRule action="Accept" direction="Outbound" disabled="False" id="id43F4555D28869" log="False" position="2">
<Src neg="False">
<ObjectRef ref="sysid0"/>
</Src>
<Dst neg="False">
<ObjectRef ref="sysid0"/>
</Dst>
<Srv neg="False">
<ServiceRef ref="id43F4556A28869"/>
</Srv>
<Itf neg="False">
<ObjectRef ref="id43EC5E402355"/>
</Itf>
<When neg="False">
<IntervalRef ref="sysid2"/>
</When>
<PolicyRuleOptions/>
</PolicyRule>
<PolicyRule action="Accept" direction="Outbound" disabled="False" id="id43F462CA28869" log="False" position="3">
<Src neg="False">
<ObjectRef ref="sysid0"/>
</Src>
<Dst neg="False">
<ObjectRef ref="sysid0"/>
</Dst>
<Srv neg="False">
<ServiceRef ref="tcp-HTTP"/>
</Srv>
<Itf neg="False">
<ObjectRef ref="id43EC5E402355"/>
</Itf>
<When neg="False">
<IntervalRef ref="sysid2"/>
</When>
<PolicyRuleOptions/>
</PolicyRule>
<PolicyRule action="Accept" direction="Both" disabled="False" id="id43EC5DEF2355" log="False" position="4">
<Src neg="False">
<ObjectRef ref="sysid0"/>
</Src>
<Dst neg="False">
<ObjectRef ref="sysid0"/>
</Dst>
<Srv neg="False">
<ServiceRef ref="sysid1"/>
</Srv>
<Itf neg="False">
<ObjectRef ref="id43EC5E412355"/>
</Itf>
<When neg="False">
<IntervalRef ref="sysid2"/>
</When>
<PolicyRuleOptions/>
</PolicyRule>
<PolicyRule action="Accept" direction="Both" disabled="False" id="id43EC6B8B2355" log="False" position="5">
<Src neg="False">
<ObjectRef ref="sysid0"/>
</Src>
<Dst neg="False">
<ObjectRef ref="sysid0"/>
</Dst>
<Srv neg="False">
<ServiceRef ref="id43EC6B892355"/>
</Srv>
<Itf neg="False">
<ObjectRef ref="sysid0"/>
</Itf>
<When neg="False">
<IntervalRef ref="sysid2"/>
</When>
<PolicyRuleOptions/>
</PolicyRule>
<PolicyRule action="Accept" comment="" direction="Both" disabled="True" id="id43EC6BAF2355" log="False" position="6">
<Src neg="False">
<ObjectRef ref="sysid0"/>
</Src>
<Dst neg="False">
<ObjectRef ref="sysid0"/>
</Dst>
<Srv neg="True">
<ServiceRef ref="id43EC6B892355"/>
</Srv>
<Itf neg="False">
<ObjectRef ref="sysid0"/>
</Itf>
<When neg="False">
<IntervalRef ref="sysid2"/>
</When>
<PolicyRuleOptions/>
</PolicyRule>
<PolicyRule action="Accept" comment="" direction="Both" disabled="False" id="id43EC6BC02355" log="False" position="7">
<Src neg="False">
<ObjectRef ref="sysid0"/>
</Src>
<Dst neg="False">
<ObjectRef ref="sysid0"/>
</Dst>
<Srv neg="False">
<ServiceRef ref="id43EC6B892355"/>
<ServiceRef ref="tcp-HTTP"/>
</Srv>
<Itf neg="False">
<ObjectRef ref="sysid0"/>
</Itf>
<When neg="False">
<IntervalRef ref="sysid2"/>
</When>
<PolicyRuleOptions/>
</PolicyRule>
<PolicyRule action="Accept" comment="" direction="Both" disabled="True" id="id43EC6BEA2355" log="False" position="8">
<Src neg="False">
<ObjectRef ref="sysid0"/>
</Src>
<Dst neg="False">
<ObjectRef ref="sysid0"/>
</Dst>
<Srv neg="True">
<ServiceRef ref="id43EC6B892355"/>
<ServiceRef ref="tcp-HTTP"/>
</Srv>
<Itf neg="False">
<ObjectRef ref="sysid0"/>
</Itf>
<When neg="False">
<IntervalRef ref="sysid2"/>
</When>
<PolicyRuleOptions/>
</PolicyRule>
<PolicyRule action="Classify" direction="Both" disabled="False" id="id43F4407F28542" log="False" position="9">
<Src neg="False">
<ObjectRef ref="net-Internal_net"/>
</Src>
<Dst neg="False">
<ObjectRef ref="sysid0"/>
</Dst>
<Srv neg="False">
<ServiceRef ref="tcp-SMTP"/>
</Srv>
<Itf neg="False">
<ObjectRef ref="sysid0"/>
</Itf>
<When neg="False">
<IntervalRef ref="sysid2"/>
</When>
<PolicyRuleOptions>
<Option name="action_on_reject"/>
<Option name="classify_str">mail</Option>
<Option name="custom_str"/>
<Option name="ipfw_pipe_method">0</Option>
<Option name="ipfw_pipe_port_num">0</Option>
<Option name="rule_name_accounting"/>
<Option name="stateless">True</Option>
<Option name="tagvalue"/>
</PolicyRuleOptions>
</PolicyRule>
<PolicyRule action="Deny" direction="Both" disabled="False" id="id43EC5E132355" log="True" position="10">
<Src neg="False">
<ObjectRef ref="sysid0"/>
</Src>
<Dst neg="False">
<ObjectRef ref="sysid0"/>
</Dst>
<Srv neg="False">
<ServiceRef ref="sysid1"/>
</Srv>
<Itf neg="False">
<ObjectRef ref="sysid0"/>
</Itf>
<When neg="False">
<IntervalRef ref="sysid2"/>
</When>
<PolicyRuleOptions>
<Option name="stateless">True</Option>
</PolicyRuleOptions>
</PolicyRule>
</Policy>
<Routing id="id43EC5E3C2355" name="Routing"/>
<Interface bridgeport="False" comment="" dyn="False" id="id43EC5E3D2355" label="int_if" mgmt="False" name="le0" security_level="100" unnum="False" unprotected="False">
<IPv4 id="id43EC5E3F2355" name="firewall38:le0:ip" address="192.168.1.1" netmask="255.255.255.0"/>
</Interface>
<Interface bridgeport="False" comment="" dyn="False" id="id43EC5E402355" label="ext_if" mgmt="False" name="enc0" security_level="0" unnum="True" unprotected="False"/>
<Interface bridgeport="False" dyn="False" id="id43EC5E412355" name="lo" security_level="100" unnum="False" unprotected="False">
<IPv4 id="id43EC5E432355" name="firewall38:lo:ip" address="127.0.0.1" netmask="255.0.0.0"/>
</Interface>
<Interface bridgeport="False" comment="" dyn="False" id="id43F447EB28869" label="wifi_int" mgmt="False" name="enc1" security_level="0" unnum="False" unprotected="False">
<IPv4 comment="" id="id43F447EC28869" name="firewall38:enc1:ip" address="192.168.2.1" netmask="255.255.255.0"/>
</Interface>
<Management address="127.0.0.1">
<SNMPManagement enabled="False" snmp_read_community="public" snmp_write_community=""/>
<FWBDManagement enabled="True" identity="" port="9999"/>
<PolicyInstallScript arguments="" command="" enabled="False"/>
</Management>
<FirewallOptions>
<Option name="accept_established">True</Option>
<Option name="accept_new_tcp_with_no_syn">True</Option>
<Option name="action_on_reject">ICMP net unreachable</Option>
<Option name="activationCmd"/>
<Option name="admUser"/>
<Option name="altAddress"/>
<Option name="check_shading">False</Option>
<Option name="clamp_mss_to_mtu">False</Option>
<Option name="cmdline"/>
<Option name="compiler"/>
<Option name="configure_interfaces">False</Option>
<Option name="debug">False</Option>
<Option name="dyn_addr">False</Option>
<Option name="epilog_script"/>
<Option name="fallback_log">False</Option>
<Option name="firewall_dir"/>
<Option name="firewall_is_part_of_any">True</Option>
<Option name="firewall_is_part_of_any_and_networks">True</Option>
<Option name="freebsd_path_ipf"/>
<Option name="freebsd_path_ipnat"/>
<Option name="freebsd_path_sysctl"/>
<Option name="ignore_empty_groups">False</Option>
<Option name="in_out_code">True</Option>
<Option name="inst_cmdline"/>
<Option name="inst_script"/>
<Option name="install_script"/>
<Option name="limit_suffix">/day</Option>
<Option name="limit_value">0</Option>
<Option name="linux24_ip_forward">0</Option>
<Option name="linux24_tcp_fin_timeout">30</Option>
<Option name="linux24_tcp_keepalive_interval">1800</Option>
<Option name="load_modules">False</Option>
<Option name="log_all_dropped">False</Option>
<Option name="log_ip_opt">False</Option>
<Option name="log_level">debug</Option>
<Option name="log_limit_suffix">/second</Option>
<Option name="log_limit_value">0</Option>
<Option name="log_prefix"/>
<Option name="log_tcp_opt">False</Option>
<Option name="log_tcp_seq">False</Option>
<Option name="manage_virtual_addr">True</Option>
<Option name="mgmt_addr"/>
<Option name="mgmt_ssh">False</Option>
<Option name="modulate_state">False</Option>
<Option name="no_iochains_for_any">False</Option>
<Option name="no_optimisation">False</Option>
<Option name="openbsd_path_pfctl"/>
<Option name="openbsd_path_sysctl"/>
<Option name="output_file"/>
<Option name="pass_all_out">False</Option>
<Option name="pf_adaptive_end">0</Option>
<Option name="pf_adaptive_start">0</Option>
<Option name="pf_do_limit_frags">False</Option>
<Option name="pf_do_limit_states">False</Option>
<Option name="pf_do_scrub">True</Option>
<Option name="pf_do_timeout_frag">False</Option>
<Option name="pf_do_timeout_interval">False</Option>
<Option name="pf_icmp_error">0</Option>
<Option name="pf_icmp_first">0</Option>
<Option name="pf_limit_frags">5000</Option>
<Option name="pf_limit_states">10000</Option>
<Option name="pf_optimization"/>
<Option name="pf_other_first">0</Option>
<Option name="pf_other_multiple">0</Option>
<Option name="pf_other_single">0</Option>
<Option name="pf_scrub_fragm_crop">False</Option>
<Option name="pf_scrub_fragm_drop_ovl">False</Option>
<Option name="pf_scrub_maxmss">1460</Option>
<Option name="pf_scrub_minttl">1</Option>
<Option name="pf_scrub_no_df">False</Option>
<Option name="pf_scrub_random_id">False</Option>
<Option name="pf_scrub_reassemble">True</Option>
<Option name="pf_scrub_use_maxmss">False</Option>
<Option name="pf_scrub_use_minttl">False</Option>
<Option name="pf_set_adaptive">False</Option>
<Option name="pf_set_icmp_error">False</Option>
<Option name="pf_set_icmp_first">False</Option>
<Option name="pf_set_other_first">False</Option>
<Option name="pf_set_other_multiple">False</Option>
<Option name="pf_set_other_single">False</Option>
<Option name="pf_set_tcp_closed">False</Option>
<Option name="pf_set_tcp_closing">False</Option>
<Option name="pf_set_tcp_established">False</Option>
<Option name="pf_set_tcp_finwait">False</Option>
<Option name="pf_set_tcp_first">False</Option>
<Option name="pf_set_tcp_opening">False</Option>
<Option name="pf_set_udp_first">False</Option>
<Option name="pf_set_udp_multiple">False</Option>
<Option name="pf_set_udp_single">False</Option>
<Option name="pf_tcp_closed">0</Option>
<Option name="pf_tcp_closing">0</Option>
<Option name="pf_tcp_established">0</Option>
<Option name="pf_tcp_finwait">0</Option>
<Option name="pf_tcp_first">0</Option>
<Option name="pf_tcp_opening">0</Option>
<Option name="pf_timeout_frag">30</Option>
<Option name="pf_timeout_interval">10</Option>
<Option name="pf_udp_first">0</Option>
<Option name="pf_udp_multiple">0</Option>
<Option name="pf_udp_single">0</Option>
<Option name="platform">iptables</Option>
<Option name="prolog_script"/>
<Option name="proxy_arp">False</Option>
<Option name="script_env_path"/>
<Option name="snmp_contact"/>
<Option name="snmp_description"/>
<Option name="snmp_location"/>
<Option name="sshArgs"/>
<Option name="use_ip_tool">False</Option>
<Option name="use_numeric_log_levels">False</Option>
<Option name="use_tables">True</Option>
</FirewallOptions>
</Firewall>
<Firewall comment="testing NAT rules with multiple objects in TSrc and TDst and NAT rule options" host_OS="openbsd" id="id43F7DBEE31316" inactive="False" lastCompiled="1157930807" lastInstalled="0" lastModified="1200415192" name="firewall3" platform="pf" ro="False" version="">
<NAT id="id43F7DC6531316" name="NAT">
<NATRule disabled="False" id="id43F7DC6631316" position="0">
<OSrc neg="False">
<ObjectRef ref="id3DC75CE7-1"/>
</OSrc>
<ODst neg="False">
<ObjectRef ref="sysid0"/>
</ODst>
<OSrv neg="False">
<ServiceRef ref="sysid1"/>
</OSrv>
<TSrc neg="False">
<ObjectRef ref="id43F7DCEB31316"/>
</TSrc>
<TDst neg="False">
<ObjectRef ref="sysid0"/>
</TDst>
<TSrv neg="False">
<ServiceRef ref="sysid1"/>
</TSrv>
<NATRuleOptions>
<Option name="pf_bitmask">False</Option>
<Option name="pf_pool_type_none">True</Option>
<Option name="pf_random">False</Option>
<Option name="pf_round_robin">False</Option>
<Option name="pf_source_hash">False</Option>
<Option name="pf_static_port">False</Option>
</NATRuleOptions>
</NATRule>
<NATRule comment="" disabled="False" id="id43F7DCC331316" position="1">
<OSrc neg="False">
<ObjectRef ref="id3DC75CE7-1"/>
</OSrc>
<ODst neg="False">
<ObjectRef ref="sysid0"/>
</ODst>
<OSrv neg="False">
<ServiceRef ref="sysid1"/>
</OSrv>
<TSrc neg="False">
<ObjectRef ref="id43F7DC7531316"/>
</TSrc>
<TDst neg="False">
<ObjectRef ref="sysid0"/>
</TDst>
<TSrv neg="False">
<ServiceRef ref="sysid1"/>
</TSrv>
<NATRuleOptions>
<Option name="nat_bitmask">True</Option>
<Option name="nat_random">False</Option>
<Option name="nat_round_robin">False</Option>
<Option name="nat_source_hash">False</Option>
<Option name="nat_static_port">False</Option>
<Option name="pf_bitmask">True</Option>
<Option name="pf_pool_type_none">False</Option>
<Option name="pf_random">False</Option>
<Option name="pf_round_robin">False</Option>
<Option name="pf_source_hash">False</Option>
<Option name="pf_static_port">False</Option>
</NATRuleOptions>
</NATRule>
<NATRule comment="" disabled="False" id="id43F7DCD731316" position="2">
<OSrc neg="False">
<ObjectRef ref="id3DC75CE7-1"/>
</OSrc>
<ODst neg="False">
<ObjectRef ref="sysid0"/>
</ODst>
<OSrv neg="False">
<ServiceRef ref="sysid1"/>
</OSrv>
<TSrc neg="False">
<ObjectRef ref="id43F7DCF631316"/>
</TSrc>
<TDst neg="False">
<ObjectRef ref="sysid0"/>
</TDst>
<TSrv neg="False">
<ServiceRef ref="sysid1"/>
</TSrv>
<NATRuleOptions>
<Option name="pf_bitmask">False</Option>
<Option name="pf_pool_type_none">False</Option>
<Option name="pf_random">False</Option>
<Option name="pf_round_robin">False</Option>
<Option name="pf_source_hash">True</Option>
<Option name="pf_static_port">False</Option>
</NATRuleOptions>
</NATRule>
<NATRule comment="" disabled="False" id="id43F7DD1431316" position="3">
<OSrc neg="False">
<ObjectRef ref="id3DC75CE7-1"/>
</OSrc>
<ODst neg="False">
<ObjectRef ref="sysid0"/>
</ODst>
<OSrv neg="False">
<ServiceRef ref="sysid1"/>
</OSrv>
<TSrc neg="False">
<ObjectRef ref="id43F7DCF831316"/>
</TSrc>
<TDst neg="False">
<ObjectRef ref="sysid0"/>
</TDst>
<TSrv neg="False">
<ServiceRef ref="sysid1"/>
</TSrv>
<NATRuleOptions>
<Option name="pf_bitmask">False</Option>
<Option name="pf_pool_type_none">False</Option>
<Option name="pf_random">False</Option>
<Option name="pf_round_robin">True</Option>
<Option name="pf_source_hash">False</Option>
<Option name="pf_static_port">True</Option>
</NATRuleOptions>
</NATRule>
<NATRule disabled="False" id="id43F7E942514" position="4">
<OSrc neg="False">
<ObjectRef ref="sysid0"/>
</OSrc>
<ODst neg="False">
<ObjectRef ref="id43F7DCEB31316"/>
</ODst>
<OSrv neg="False">
<ServiceRef ref="sysid1"/>
</OSrv>
<TSrc neg="False">
<ObjectRef ref="sysid0"/>
</TSrc>
<TDst neg="False">
<ObjectRef ref="host-hostA"/>
<ObjectRef ref="host-hostB"/>
</TDst>
<TSrv neg="False">
<ServiceRef ref="sysid1"/>
</TSrv>
<NATRuleOptions>
<Option name="pf_bitmask">False</Option>
<Option name="pf_pool_type_none">False</Option>
<Option name="pf_random">False</Option>
<Option name="pf_round_robin">True</Option>
<Option name="pf_source_hash">False</Option>
<Option name="pf_static_port">False</Option>
</NATRuleOptions>
</NATRule>
</NAT>
<Policy id="id43F7DBF431316" name="Policy">
<PolicyRule action="Deny" comment="All other attempts to connect to&#10;the firewall are denied and logged" direction="Both" disabled="False" id="id43F7DC4131316" log="True" position="0">
<Src neg="False">
<ObjectRef ref="sysid0"/>
</Src>
<Dst neg="False">
<ObjectRef ref="id43F7DBEE31316"/>
</Dst>
<Srv neg="False">
<ServiceRef ref="sysid1"/>
</Srv>
<Itf neg="False">
<ObjectRef ref="sysid0"/>
</Itf>
<When neg="False">
<IntervalRef ref="sysid2"/>
</When>
<PolicyRuleOptions>
<Option name="stateless">True</Option>
</PolicyRuleOptions>
</PolicyRule>
<PolicyRule action="Accept" comment="" direction="Both" disabled="False" id="id43F7DC4D31316" log="False" position="1">
<Src neg="False">
<ObjectRef ref="id3DC75CE7-1"/>
</Src>
<Dst neg="False">
<ObjectRef ref="sysid0"/>
</Dst>
<Srv neg="False">
<ServiceRef ref="sysid1"/>
</Srv>
<Itf neg="False">
<ObjectRef ref="sysid0"/>
</Itf>
<When neg="False">
<IntervalRef ref="sysid2"/>
</When>
<PolicyRuleOptions>
<Option name="log_prefix"/>
<Option name="pf_max_src_nodes">0</Option>
<Option name="pf_max_src_states">0</Option>
<Option name="pf_rule_max_state">1000</Option>
<Option name="pf_source_tracking">False</Option>
<Option name="stateless">False</Option>
</PolicyRuleOptions>
</PolicyRule>
</Policy>
<Routing id="id43F7DC7431316" name="Routing"/>
<Interface bridgeport="False" comment="" dyn="False" id="id43F7DC7531316" label="" mgmt="False" name="le0" security_level="0" unnum="False" unprotected="False">
<IPv4 comment="" id="id43F7DCEB31316" name="firewall3:le0:ip-1" address="22.22.22.21" netmask="255.255.255.0"/>
<IPv4 comment="" id="id43F7DCEC31316" name="firewall3:le0:ip-2" address="22.22.22.22" netmask="255.255.255.0"/>
</Interface>
<Interface bridgeport="False" comment="" dyn="False" id="id43F7DC7631316" label="" mgmt="True" name="le1" security_level="100" unnum="False" unprotected="False">
<IPv4 comment="" id="id43F7DC7831316" name="firewall3:le1:ip" address="192.168.1.1" netmask="255.255.255.0"/>
</Interface>
<Interface bridgeport="False" comment="" dyn="False" id="id43F7DC7931316" label="" mgmt="False" name="lo" security_level="100" unnum="False" unprotected="False">
<IPv4 comment="" id="id43F7DC7B31316" name="firewall3:lo:ip" address="127.0.0.1" netmask="255.0.0.0"/>
</Interface>
<Management address="0.0.0.0">
<SNMPManagement enabled="False" snmp_read_community="" snmp_write_community=""/>
<FWBDManagement enabled="False" identity="" port="-1"/>
<PolicyInstallScript arguments="" command="" enabled="False"/>
</Management>
<FirewallOptions>
<Option name="accept_established">true</Option>
<Option name="accept_new_tcp_with_no_syn">True</Option>
<Option name="activationCmd"/>
<Option name="admUser"/>
<Option name="altAddress"/>
<Option name="check_shading">True</Option>
<Option name="cmdline"/>
<Option name="compiler"/>
<Option name="configure_interfaces">True</Option>
<Option name="debug">False</Option>
<Option name="eliminate_duplicates">true</Option>
<Option name="epilog_script"/>
<Option name="fallback_log">False</Option>
<Option name="firewall_dir">/etc</Option>
<Option name="firewall_is_part_of_any_and_networks">true</Option>
<Option name="freebsd_ip_forward">1</Option>
<Option name="ignore_empty_groups">False</Option>
<Option name="in_out_code">True</Option>
<Option name="limit_value">0</Option>
<Option name="linux24_ip_forward">1</Option>
<Option name="load_modules">true</Option>
<Option name="local_nat">false</Option>
<Option name="log_level">info</Option>
<Option name="log_prefix">RULE %N -- %A </Option>
<Option name="loopback_interface">lo0</Option>
<Option name="macosx_ip_forward">1</Option>
<Option name="manage_virtual_addr">True</Option>
<Option name="mgmt_addr"/>
<Option name="mgmt_ssh">False</Option>
<Option name="modulate_state">False</Option>
<Option name="openbsd_ip_forward">1</Option>
<Option name="output_file"/>
<Option name="pass_all_out">False</Option>
<Option name="pf_adaptive_end">0</Option>
<Option name="pf_adaptive_start">0</Option>
<Option name="pf_do_limit_frags">False</Option>
<Option name="pf_do_limit_states">False</Option>
<Option name="pf_do_scrub">False</Option>
<Option name="pf_do_timeout_frag">False</Option>
<Option name="pf_do_timeout_interval">False</Option>
<Option name="pf_icmp_error">0</Option>
<Option name="pf_icmp_first">0</Option>
<Option name="pf_limit_frags">5000</Option>
<Option name="pf_limit_states">10000</Option>
<Option name="pf_optimization"/>
<Option name="pf_other_first">0</Option>
<Option name="pf_other_multiple">0</Option>
<Option name="pf_other_single">0</Option>
<Option name="pf_scrub_fragm_crop">False</Option>
<Option name="pf_scrub_fragm_drop_ovl">False</Option>
<Option name="pf_scrub_maxmss">1460</Option>
<Option name="pf_scrub_minttl">0</Option>
<Option name="pf_scrub_no_df">True</Option>
<Option name="pf_scrub_random_id">True</Option>
<Option name="pf_scrub_reassemble">True</Option>
<Option name="pf_scrub_use_maxmss">False</Option>
<Option name="pf_scrub_use_minttl">False</Option>
<Option name="pf_set_adaptive">False</Option>
<Option name="pf_set_icmp_error">False</Option>
<Option name="pf_set_icmp_first">False</Option>
<Option name="pf_set_other_first">False</Option>
<Option name="pf_set_other_multiple">False</Option>
<Option name="pf_set_other_single">False</Option>
<Option name="pf_set_tcp_closed">False</Option>
<Option name="pf_set_tcp_closing">False</Option>
<Option name="pf_set_tcp_established">False</Option>
<Option name="pf_set_tcp_finwait">False</Option>
<Option name="pf_set_tcp_first">False</Option>
<Option name="pf_set_tcp_opening">False</Option>
<Option name="pf_set_udp_first">False</Option>
<Option name="pf_set_udp_multiple">False</Option>
<Option name="pf_set_udp_single">False</Option>
<Option name="pf_tcp_closed">0</Option>
<Option name="pf_tcp_closing">0</Option>
<Option name="pf_tcp_established">0</Option>
<Option name="pf_tcp_finwait">0</Option>
<Option name="pf_tcp_first">0</Option>
<Option name="pf_tcp_opening">0</Option>
<Option name="pf_timeout_frag">30</Option>
<Option name="pf_timeout_interval">10</Option>
<Option name="pf_udp_first">0</Option>
<Option name="pf_udp_multiple">0</Option>
<Option name="pf_udp_single">0</Option>
<Option name="pix_add_clear_statements">true</Option>
<Option name="pix_assume_fw_part_of_any">true</Option>
<Option name="pix_default_logint">300</Option>
<Option name="pix_emblem_log_format">false</Option>
<Option name="pix_emulate_out_acl">true</Option>
<Option name="pix_floodguard">true</Option>
<Option name="pix_include_comments">true</Option>
<Option name="pix_route_dnat_supported">true</Option>
<Option name="pix_rule_syslog_settings">false</Option>
<Option name="pix_security_fragguard_supported">true</Option>
<Option name="pix_syslog_device_id_supported">false</Option>
<Option name="pix_use_acl_remarks">true</Option>
<Option name="prolog_place">pf_file_after_scrub</Option>
<Option name="prolog_script"># prolog
# prolog commands go after scrub commands
</Option>
<Option name="prompt1">$ </Option>
<Option name="prompt2"> # </Option>
<Option name="solaris_ip_forward">1</Option>
<Option name="sshArgs"/>
<Option name="ulog_nlgroup">1</Option>
<Option name="verify_interfaces">true</Option>
</FirewallOptions>
</Firewall>
<Firewall comment="testing branching rules" host_OS="freebsd" id="id445DB34232739" inactive="False" lastCompiled="1157930813" lastInstalled="0" lastModified="1190517710" name="firewall39" platform="pf" ro="False" version="">
<NAT id="id445DB3CF32739" name="NAT">
<NATRule disabled="False" id="id445DB3D032739" position="0">
<OSrc neg="False">
<ObjectRef ref="net-Internal_net"/>
</OSrc>
<ODst neg="False">
<ObjectRef ref="sysid0"/>
</ODst>
<OSrv neg="False">
<ServiceRef ref="sysid1"/>
</OSrv>
<TSrc neg="False">
<ObjectRef ref="id445DB34232739"/>
</TSrc>
<TDst neg="False">
<ObjectRef ref="sysid0"/>
</TDst>
<TSrv neg="False">
<ServiceRef ref="sysid1"/>
</TSrv>
<NATRuleOptions/>
</NATRule>
<NATRule comment="" disabled="False" id="id445DB3DE32739" position="1">
<OSrc neg="False">
<ObjectRef ref="net-Internal_net"/>
</OSrc>
<ODst neg="False">
<ObjectRef ref="sysid0"/>
</ODst>
<OSrv neg="False">
<ServiceRef ref="id43EC6B892355"/>
</OSrv>
<TSrc neg="False">
<ObjectRef ref="id445DB34232739"/>
</TSrc>
<TDst neg="False">
<ObjectRef ref="sysid0"/>
</TDst>
<TSrv neg="False">
<ServiceRef ref="sysid1"/>
</TSrv>
<NATRuleOptions/>
</NATRule>
</NAT>
<Policy id="id445DB34832739" name="Policy">
<PolicyRule action="Tag" direction="Inbound" disabled="False" id="id445DB34932739" log="False" position="0">
<Src neg="False">
<ObjectRef ref="sysid0"/>
</Src>
<Dst neg="False">
<ObjectRef ref="sysid0"/>
</Dst>
<Srv neg="False">
<ServiceRef ref="sysid1"/>
</Srv>
<Itf neg="False">
<ObjectRef ref="id445DB3ED32739"/>
</Itf>
<When neg="False">
<IntervalRef ref="sysid2"/>
</When>
<PolicyRuleOptions>
<Option name="action_on_reject"/>
<Option name="classify_str"/>
<Option name="custom_str"/>
<Option name="ipfw_pipe_method">0</Option>
<Option name="ipfw_pipe_port_num">0</Option>
<Option name="rule_name_accounting"/>
<Option name="tagobject_id">id43F4556A28869</Option>
</PolicyRuleOptions>
</PolicyRule>
<PolicyRule action="Accept" direction="Inbound" disabled="False" id="id445DB35532739" log="False" position="1">
<Src neg="False">
<ObjectRef ref="sysid0"/>
</Src>
<Dst neg="False">
<ObjectRef ref="sysid0"/>
</Dst>
<Srv neg="False">
<ServiceRef ref="sysid1"/>
</Srv>
<Itf neg="False">
<ObjectRef ref="id445DB3F432739"/>
</Itf>
<When neg="False">
<IntervalRef ref="sysid2"/>
</When>
<PolicyRuleOptions/>
</PolicyRule>
<PolicyRule action="Branch" comment="logging is not allowed with 'anchor'&#10;compiler should not generate 'log' keyword&#10;" direction="Inbound" disabled="False" id="id445DB36132739" log="True" position="2">
<Src neg="False">
<ObjectRef ref="sysid0"/>
</Src>
<Dst neg="False">
<ObjectRef ref="sysid0"/>
</Dst>
<Srv neg="False">
<ServiceRef ref="id3CB1279B"/>
</Srv>
<Itf neg="False">
<ObjectRef ref="id445DB3F032739"/>
</Itf>
<When neg="False">
<IntervalRef ref="sysid2"/>
</When>
<PolicyRuleOptions>
<Option name="branch_name">rule2_branch</Option>
<Option name="stateless">True</Option>
</PolicyRuleOptions>
</PolicyRule>
<PolicyRule action="Branch" direction="Inbound" disabled="False" id="id445DB36D32739" log="False" position="3">
<Src neg="False">
<ObjectRef ref="sysid0"/>
</Src>
<Dst neg="False">
<ObjectRef ref="sysid0"/>
</Dst>
<Srv neg="False">
<ServiceRef ref="tcp-HTTP"/>
</Srv>
<Itf neg="False">
<ObjectRef ref="id445DB3F032739"/>
</Itf>
<When neg="False">
<IntervalRef ref="sysid2"/>
</When>
<PolicyRuleOptions>
<Option name="branch_name">rule3_branch</Option>
<Option name="stateless">True</Option>
</PolicyRuleOptions>
</PolicyRule>
<PolicyRule action="Accept" direction="Both" disabled="False" id="id445DB37932739" log="False" position="4">
<Src neg="False">
<ObjectRef ref="sysid0"/>
</Src>
<Dst neg="False">
<ObjectRef ref="sysid0"/>
</Dst>
<Srv neg="False">
<ServiceRef ref="sysid1"/>
</Srv>
<Itf neg="False">
<ObjectRef ref="id445DB3F132739"/>
</Itf>
<When neg="False">
<IntervalRef ref="sysid2"/>
</When>
<PolicyRuleOptions/>
</PolicyRule>
<PolicyRule action="Branch" direction="Both" disabled="False" id="id445DB38532739" log="False" position="5">
<Src neg="False">
<ObjectRef ref="sysid0"/>
</Src>
<Dst neg="False">
<ObjectRef ref="sysid0"/>
</Dst>
<Srv neg="False">
<ServiceRef ref="id3CB1279B"/>
</Srv>
<Itf neg="False">
<ObjectRef ref="sysid0"/>
</Itf>
<When neg="False">
<IntervalRef ref="sysid2"/>
</When>
<PolicyRuleOptions>
<Option name="branch_name">rule5_branch</Option>
<Option name="stateless">True</Option>
</PolicyRuleOptions>
</PolicyRule>
<PolicyRule action="Accept" comment="" direction="Both" disabled="False" id="id445DB39132739" log="False" position="6">
<Src neg="False">
<ObjectRef ref="sysid0"/>
</Src>
<Dst neg="False">
<ObjectRef ref="sysid0"/>
</Dst>
<Srv neg="False">
<ServiceRef ref="id3CB1279B"/>
</Srv>
<Itf neg="False">
<ObjectRef ref="sysid0"/>
</Itf>
<When neg="False">
<IntervalRef ref="sysid2"/>
</When>
<PolicyRuleOptions/>
</PolicyRule>
<PolicyRule action="Accept" comment="" direction="Both" disabled="False" id="id445DB39D32739" log="False" position="7">
<Src neg="False">
<ObjectRef ref="sysid0"/>
</Src>
<Dst neg="False">
<ObjectRef ref="sysid0"/>
</Dst>
<Srv neg="False">
<ServiceRef ref="id43EC6B892355"/>
<ServiceRef ref="tcp-HTTP"/>
</Srv>
<Itf neg="False">
<ObjectRef ref="sysid0"/>
</Itf>
<When neg="False">
<IntervalRef ref="sysid2"/>
</When>
<PolicyRuleOptions/>
</PolicyRule>
<PolicyRule action="Accept" comment="" direction="Both" disabled="True" id="id445DB3AA32739" log="False" position="8">
<Src neg="False">
<ObjectRef ref="sysid0"/>
</Src>
<Dst neg="False">
<ObjectRef ref="sysid0"/>
</Dst>
<Srv neg="True">
<ServiceRef ref="id43EC6B892355"/>
<ServiceRef ref="tcp-HTTP"/>
</Srv>
<Itf neg="False">
<ObjectRef ref="sysid0"/>
</Itf>
<When neg="False">
<IntervalRef ref="sysid2"/>
</When>
<PolicyRuleOptions/>
</PolicyRule>
<PolicyRule action="Classify" direction="Both" disabled="False" id="id445DB3B732739" log="False" position="9">
<Src neg="False">
<ObjectRef ref="net-Internal_net"/>
</Src>
<Dst neg="False">
<ObjectRef ref="sysid0"/>
</Dst>
<Srv neg="False">
<ServiceRef ref="tcp-SMTP"/>
</Srv>
<Itf neg="False">
<ObjectRef ref="sysid0"/>
</Itf>
<When neg="False">
<IntervalRef ref="sysid2"/>
</When>
<PolicyRuleOptions>
<Option name="action_on_reject"/>
<Option name="classify_str">mail</Option>
<Option name="custom_str"/>
<Option name="ipfw_pipe_method">0</Option>
<Option name="ipfw_pipe_port_num">0</Option>
<Option name="rule_name_accounting"/>
<Option name="stateless">True</Option>
<Option name="tagvalue"/>
</PolicyRuleOptions>
</PolicyRule>
<PolicyRule action="Deny" direction="Both" disabled="False" id="id445DB3C332739" log="True" position="10">
<Src neg="False">
<ObjectRef ref="sysid0"/>
</Src>
<Dst neg="False">
<ObjectRef ref="sysid0"/>
</Dst>
<Srv neg="False">
<ServiceRef ref="sysid1"/>
</Srv>
<Itf neg="False">
<ObjectRef ref="sysid0"/>
</Itf>
<When neg="False">
<IntervalRef ref="sysid2"/>
</When>
<PolicyRuleOptions>
<Option name="stateless">True</Option>
</PolicyRuleOptions>
</PolicyRule>
</Policy>
<Policy id="id445DB3FE32739" name="rule2_branch">
<PolicyRule action="Accept" direction="Both" disabled="False" id="id445DB40A32739" log="False" position="0">
<Src neg="False">
<ObjectRef ref="sysid0"/>
</Src>
<Dst neg="False">
<ObjectRef ref="id445DB34232739"/>
</Dst>
<Srv neg="False">
<ServiceRef ref="sysid1"/>
</Srv>
<Itf neg="False">
<ObjectRef ref="sysid0"/>
</Itf>
<When neg="False">
<IntervalRef ref="sysid2"/>
</When>
<PolicyRuleOptions/>
</PolicyRule>
<PolicyRule action="Deny" direction="Both" disabled="False" id="id445DB42332739" log="True" position="1">
<Src neg="False">
<ObjectRef ref="sysid0"/>
</Src>
<Dst neg="False">
<ObjectRef ref="sysid0"/>
</Dst>
<Srv neg="False">
<ServiceRef ref="sysid1"/>
</Srv>
<Itf neg="False">
<ObjectRef ref="sysid0"/>
</Itf>
<When neg="False">
<IntervalRef ref="sysid2"/>
</When>
<PolicyRuleOptions>
<Option name="stateless">True</Option>
</PolicyRuleOptions>
</PolicyRule>
</Policy>
<Policy id="id445DB3FF32739" name="rule3_branch">
<PolicyRule action="Accept" direction="Inbound" disabled="False" id="id445DB41632739" log="False" position="0">
<Src neg="False">
<ObjectRef ref="sysid0"/>
</Src>
<Dst neg="False">
<ObjectRef ref="host-hostA"/>
</Dst>
<Srv neg="False">
<ServiceRef ref="sysid1"/>
</Srv>
<Itf neg="False">
<ObjectRef ref="sysid0"/>
</Itf>
<When neg="False">
<IntervalRef ref="sysid2"/>
</When>
<PolicyRuleOptions/>
</PolicyRule>
<PolicyRule action="Accept" direction="Both" disabled="False" id="id445DB43032739" log="False" position="1">
<Src neg="False">
<ObjectRef ref="sysid0"/>
</Src>
<Dst neg="True">
<ObjectRef ref="id3CD87A53"/>
<ObjectRef ref="id3CD87A5E"/>
</Dst>
<Srv neg="False">
<ServiceRef ref="sysid1"/>
</Srv>
<Itf neg="False">
<ObjectRef ref="sysid0"/>
</Itf>
<When neg="False">
<IntervalRef ref="sysid2"/>
</When>
<PolicyRuleOptions/>
</PolicyRule>
<PolicyRule action="Deny" direction="Both" disabled="False" id="id445DB43E32739" log="True" position="2">
<Src neg="False">
<ObjectRef ref="sysid0"/>
</Src>
<Dst neg="False">
<ObjectRef ref="sysid0"/>
</Dst>
<Srv neg="False">
<ServiceRef ref="sysid1"/>
</Srv>
<Itf neg="False">
<ObjectRef ref="sysid0"/>
</Itf>
<When neg="False">
<IntervalRef ref="sysid2"/>
</When>
<PolicyRuleOptions>
<Option name="stateless">True</Option>
</PolicyRuleOptions>
</PolicyRule>
</Policy>
<Policy id="id445DB40032739" name="rule5_branch"/>
<Routing id="id445DB3EC32739" name="Routing"/>
<Interface bridgeport="False" comment="" dyn="False" id="id445DB3ED32739" label="int_if" mgmt="False" name="le0" security_level="100" unnum="False" unprotected="False">
<IPv4 id="id445DB3EF32739" name="firewall39:le0:ip" address="192.168.1.1" netmask="255.255.255.0"/>
</Interface>
<Interface bridgeport="False" comment="" dyn="False" id="id445DB3F032739" label="ext_if" mgmt="False" name="enc0" security_level="0" unnum="True" unprotected="False"/>
<Interface bridgeport="False" dyn="False" id="id445DB3F132739" name="lo" security_level="100" unnum="False" unprotected="False">
<IPv4 id="id445DB3F332739" name="firewall39:lo:ip" address="127.0.0.1" netmask="255.0.0.0"/>
</Interface>
<Interface bridgeport="False" comment="" dyn="False" id="id445DB3F432739" label="wifi_int" mgmt="False" name="enc1" security_level="0" unnum="False" unprotected="False">
<IPv4 comment="" id="id445DB3F632739" name="firewall39:enc1:ip" address="192.168.2.1" netmask="255.255.255.0"/>
</Interface>
<Management address="127.0.0.1">
<SNMPManagement enabled="False" snmp_read_community="public" snmp_write_community=""/>
<FWBDManagement enabled="True" identity="" port="9999"/>
<PolicyInstallScript arguments="" command="" enabled="False"/>
</Management>
<FirewallOptions>
<Option name="accept_established">True</Option>
<Option name="accept_new_tcp_with_no_syn">True</Option>
<Option name="action_on_reject">ICMP net unreachable</Option>
<Option name="activationCmd"/>
<Option name="admUser"/>
<Option name="altAddress"/>
<Option name="check_shading">False</Option>
<Option name="clamp_mss_to_mtu">False</Option>
<Option name="cmdline"/>
<Option name="compiler"/>
<Option name="configure_interfaces">False</Option>
<Option name="debug">False</Option>
<Option name="dyn_addr">False</Option>
<Option name="epilog_script"/>
<Option name="fallback_log">False</Option>
<Option name="firewall_dir"/>
<Option name="firewall_is_part_of_any">True</Option>
<Option name="firewall_is_part_of_any_and_networks">True</Option>
<Option name="freebsd_path_ipf"/>
<Option name="freebsd_path_ipnat"/>
<Option name="freebsd_path_sysctl"/>
<Option name="ignore_empty_groups">False</Option>
<Option name="in_out_code">True</Option>
<Option name="inst_cmdline"/>
<Option name="inst_script"/>
<Option name="install_script"/>
<Option name="limit_suffix">/day</Option>
<Option name="limit_value">0</Option>
<Option name="linux24_ip_forward">0</Option>
<Option name="linux24_tcp_fin_timeout">30</Option>
<Option name="linux24_tcp_keepalive_interval">1800</Option>
<Option name="load_modules">False</Option>
<Option name="log_all_dropped">False</Option>
<Option name="log_ip_opt">False</Option>
<Option name="log_level">debug</Option>
<Option name="log_limit_suffix">/second</Option>
<Option name="log_limit_value">0</Option>
<Option name="log_prefix"/>
<Option name="log_tcp_opt">False</Option>
<Option name="log_tcp_seq">False</Option>
<Option name="manage_virtual_addr">True</Option>
<Option name="mgmt_addr"/>
<Option name="mgmt_ssh">False</Option>
<Option name="modulate_state">False</Option>
<Option name="no_iochains_for_any">False</Option>
<Option name="no_optimisation">False</Option>
<Option name="openbsd_path_pfctl"/>
<Option name="openbsd_path_sysctl"/>
<Option name="output_file"/>
<Option name="pass_all_out">False</Option>
<Option name="pf_adaptive_end">0</Option>
<Option name="pf_adaptive_start">0</Option>
<Option name="pf_do_limit_frags">False</Option>
<Option name="pf_do_limit_states">False</Option>
<Option name="pf_do_scrub">True</Option>
<Option name="pf_do_timeout_frag">False</Option>
<Option name="pf_do_timeout_interval">False</Option>
<Option name="pf_icmp_error">0</Option>
<Option name="pf_icmp_first">0</Option>
<Option name="pf_limit_frags">5000</Option>
<Option name="pf_limit_states">10000</Option>
<Option name="pf_optimization"/>
<Option name="pf_other_first">0</Option>
<Option name="pf_other_multiple">0</Option>
<Option name="pf_other_single">0</Option>
<Option name="pf_scrub_fragm_crop">False</Option>
<Option name="pf_scrub_fragm_drop_ovl">False</Option>
<Option name="pf_scrub_maxmss">1460</Option>
<Option name="pf_scrub_minttl">1</Option>
<Option name="pf_scrub_no_df">False</Option>
<Option name="pf_scrub_random_id">False</Option>
<Option name="pf_scrub_reassemble">True</Option>
<Option name="pf_scrub_use_maxmss">False</Option>
<Option name="pf_scrub_use_minttl">False</Option>
<Option name="pf_set_adaptive">False</Option>
<Option name="pf_set_icmp_error">False</Option>
<Option name="pf_set_icmp_first">False</Option>
<Option name="pf_set_other_first">False</Option>
<Option name="pf_set_other_multiple">False</Option>
<Option name="pf_set_other_single">False</Option>
<Option name="pf_set_tcp_closed">False</Option>
<Option name="pf_set_tcp_closing">False</Option>
<Option name="pf_set_tcp_established">False</Option>
<Option name="pf_set_tcp_finwait">False</Option>
<Option name="pf_set_tcp_first">False</Option>
<Option name="pf_set_tcp_opening">False</Option>
<Option name="pf_set_udp_first">False</Option>
<Option name="pf_set_udp_multiple">False</Option>
<Option name="pf_set_udp_single">False</Option>
<Option name="pf_tcp_closed">0</Option>
<Option name="pf_tcp_closing">0</Option>
<Option name="pf_tcp_established">0</Option>
<Option name="pf_tcp_finwait">0</Option>
<Option name="pf_tcp_first">0</Option>
<Option name="pf_tcp_opening">0</Option>
<Option name="pf_timeout_frag">30</Option>
<Option name="pf_timeout_interval">10</Option>
<Option name="pf_udp_first">0</Option>
<Option name="pf_udp_multiple">0</Option>
<Option name="pf_udp_single">0</Option>
<Option name="platform">iptables</Option>
<Option name="prolog_script"/>
<Option name="proxy_arp">False</Option>
<Option name="script_env_path"/>
<Option name="snmp_contact"/>
<Option name="snmp_description"/>
<Option name="snmp_location"/>
<Option name="sshArgs"/>
<Option name="use_ip_tool">False</Option>
<Option name="use_numeric_log_levels">False</Option>
<Option name="use_tables">True</Option>
</FirewallOptions>
</Firewall>
<Firewall comment="testing Route action&#10;" host_OS="openbsd" id="id44948F9F2976" inactive="False" lastCompiled="1157930816" lastInstalled="0" lastModified="1193632410" name="firewall40" platform="pf" ro="False" version="">
<NAT id="id449490392976" name="NAT">
<NATRule comment="Translate source address&#10;for outgoing connections" disabled="False" id="id449490482976" position="0">
<OSrc neg="False">
<ObjectRef ref="id3DC75CE7-1"/>
</OSrc>
<ODst neg="False">
<ObjectRef ref="sysid0"/>
</ODst>
<OSrv neg="False">
<ServiceRef ref="sysid1"/>
</OSrv>
<TSrc neg="False">
<ObjectRef ref="id449490662976"/>
</TSrc>
<TDst neg="False">
<ObjectRef ref="sysid0"/>
</TDst>
<TSrv neg="False">
<ServiceRef ref="sysid1"/>
</TSrv>
<NATRuleOptions/>
</NATRule>
<NATRule comment="Translate source address&#10;for outgoing connections" disabled="False" id="id4494A6FF3539" position="1">
<OSrc neg="False">
<ObjectRef ref="id3DC75CE7-1"/>
</OSrc>
<ODst neg="False">
<ObjectRef ref="sysid0"/>
</ODst>
<OSrv neg="False">
<ServiceRef ref="sysid1"/>
</OSrv>
<TSrc neg="False">
<ObjectRef ref="id4494906F2976"/>
</TSrc>
<TDst neg="False">
<ObjectRef ref="sysid0"/>
</TDst>
<TSrv neg="False">
<ServiceRef ref="sysid1"/>
</TSrv>
<NATRuleOptions/>
</NATRule>
</NAT>
<Policy id="id44948FA52976" name="Policy">
<PolicyRule action="Accept" direction="Both" disabled="False" id="id44957E2D3539" log="False" position="0">
<Src neg="False">
<ObjectRef ref="sysid0"/>
</Src>
<Dst neg="False">
<ObjectRef ref="sysid0"/>
</Dst>
<Srv neg="False">
<ServiceRef ref="sysid1"/>
</Srv>
<Itf neg="False">
<ObjectRef ref="id4494906C2976"/>
</Itf>
<When neg="False">
<IntervalRef ref="sysid2"/>
</When>
<PolicyRuleOptions>
<Option name="log_prefix"/>
<Option name="pf_max_src_nodes">0</Option>
<Option name="pf_max_src_states">0</Option>
<Option name="pf_rule_max_state">0</Option>
<Option name="pf_source_tracking">False</Option>
<Option name="stateless">True</Option>
</PolicyRuleOptions>
</PolicyRule>
<PolicyRule action="Accept" direction="Both" disabled="False" id="id44957E3A3539" log="False" position="1">
<Src neg="False">
<ObjectRef ref="id3DC75CE7-1"/>
</Src>
<Dst neg="False">
<ObjectRef ref="id3DC75CE7-1"/>
</Dst>
<Srv neg="False">
<ServiceRef ref="sysid1"/>
</Srv>
<Itf neg="False">
<ObjectRef ref="id449490692976"/>
</Itf>
<When neg="False">
<IntervalRef ref="sysid2"/>
</When>
<PolicyRuleOptions>
<Option name="log_prefix"/>
<Option name="pf_max_src_nodes">0</Option>
<Option name="pf_max_src_states">0</Option>
<Option name="pf_rule_max_state">0</Option>
<Option name="pf_source_tracking">False</Option>
<Option name="stateless">True</Option>
</PolicyRuleOptions>
</PolicyRule>
<PolicyRule action="Route" comment="" direction="Inbound" disabled="False" id="id449490212976" log="False" position="2">
<Src neg="False">
<ObjectRef ref="id3DC75CE7-1"/>
</Src>
<Dst neg="False">
<ObjectRef ref="sysid0"/>
</Dst>
<Srv neg="False">
<ServiceRef ref="tcp-HTTP"/>
<ServiceRef ref="tcp-SMTP"/>
</Srv>
<Itf neg="False">
<ObjectRef ref="id449490692976"/>
</Itf>
<When neg="False">
<IntervalRef ref="sysid2"/>
</When>
<PolicyRuleOptions>
<Option name="action_on_reject"/>
<Option name="branch_anchor_name"/>
<Option name="branch_chain_name"/>
<Option name="classify_str"/>
<Option name="custom_str"/>
<Option name="ipf_route_opt_addr"/>
<Option name="ipf_route_opt_if"/>
<Option name="ipf_route_option">route_through</Option>
<Option name="ipfw_classify_method">2</Option>
<Option name="ipfw_pipe_port_num">0</Option>
<Option name="ipfw_pipe_queue_num">0</Option>
<Option name="ipt_continue">False</Option>
<Option name="ipt_gw"/>
<Option name="ipt_iif"/>
<Option name="ipt_mark_connections">False</Option>
<Option name="ipt_oif"/>
<Option name="ipt_tee">False</Option>
<Option name="pf_fastroute">False</Option>
<Option name="pf_route_opt_addr">192.0.2.10</Option>
<Option name="pf_route_opt_if">le1</Option>
<Option name="pf_route_option">route_through</Option>
<Option name="rule_name_accounting"/>
<Option name="stateless">True</Option>
</PolicyRuleOptions>
</PolicyRule>
<PolicyRule action="Route" comment="" direction="Inbound" disabled="False" id="id4494AF342976" log="False" position="3">
<Src neg="False">
<ObjectRef ref="id3DC75CE7-1"/>
</Src>
<Dst neg="False">
<ObjectRef ref="sysid0"/>
</Dst>
<Srv neg="False">
<ServiceRef ref="tcp-SSH"/>
</Srv>
<Itf neg="False">
<ObjectRef ref="id449490692976"/>
</Itf>
<When neg="False">
<IntervalRef ref="sysid2"/>
</When>
<PolicyRuleOptions>
<Option name="action_on_reject"/>
<Option name="branch_anchor_name"/>
<Option name="branch_chain_name"/>
<Option name="classify_str"/>
<Option name="custom_str"/>
<Option name="ipf_route_opt_addr"/>
<Option name="ipf_route_opt_if"/>
<Option name="ipf_route_option">route_through</Option>
<Option name="ipfw_classify_method">2</Option>
<Option name="ipfw_pipe_port_num">0</Option>
<Option name="ipfw_pipe_queue_num">0</Option>
<Option name="ipt_continue">False</Option>
<Option name="ipt_gw"/>
<Option name="ipt_iif"/>
<Option name="ipt_mark_connections">False</Option>
<Option name="ipt_oif"/>
<Option name="ipt_tee">False</Option>
<Option name="pf_fastroute">False</Option>
<Option name="pf_route_opt_addr">192.0.3.10</Option>
<Option name="pf_route_opt_if">le2</Option>
<Option name="pf_route_option">route_through</Option>
<Option name="rule_name_accounting"/>
<Option name="stateless">True</Option>
</PolicyRuleOptions>
</PolicyRule>
<PolicyRule action="Accept" direction="Outbound" disabled="False" id="id44958DBE3539" log="False" position="4">
<Src neg="False">
<ObjectRef ref="id44948F9F2976"/>
</Src>
<Dst neg="False">
<ObjectRef ref="sysid0"/>
</Dst>
<Srv neg="False">
<ServiceRef ref="sysid1"/>
</Srv>
<Itf neg="False">
<ObjectRef ref="sysid0"/>
</Itf>
<When neg="False">
<IntervalRef ref="sysid2"/>
</When>
<PolicyRuleOptions/>
</PolicyRule>
<PolicyRule action="Deny" disabled="False" id="id4494902D2976" log="True" position="5">
<Src neg="False">
<ObjectRef ref="sysid0"/>
</Src>
<Dst neg="False">
<ObjectRef ref="sysid0"/>
</Dst>
<Srv neg="False">
<ServiceRef ref="sysid1"/>
</Srv>
<Itf neg="False">
<ObjectRef ref="sysid0"/>
</Itf>
<When neg="False">
<IntervalRef ref="sysid2"/>
</When>
<PolicyRuleOptions>
<Option name="stateless">True</Option>
</PolicyRuleOptions>
</PolicyRule>
</Policy>
<Routing id="id449490652976" name="Routing"/>
<Interface bridgeport="False" comment="" dyn="False" id="id449490662976" label="" mgmt="False" name="le1" security_level="0" unnum="False" unprotected="False">
<IPv4 comment="This is a test address, change it to your real one" id="id449490682976" name="firewall40:le1:ip" address="192.0.2.1" netmask="255.255.255.0"/>
</Interface>
<Interface bridgeport="False" comment="" dyn="False" id="id449490692976" label="" mgmt="True" name="fxp0" security_level="100" unnum="False" unprotected="False">
<IPv4 comment="" id="id4494906B2976" name="firewall40:fxp0:ip" address="192.168.1.1" netmask="255.255.255.0"/>
</Interface>
<Interface bridgeport="False" comment="" dyn="False" id="id4494906C2976" label="" mgmt="False" name="lo0" security_level="100" unnum="False" unprotected="False">
<IPv4 comment="" id="id4494906E2976" name="firewall40:lo0:ip" address="127.0.0.1" netmask="255.0.0.0"/>
</Interface>
<Interface bridgeport="False" comment="" dyn="False" id="id4494906F2976" label="" mgmt="False" name="le2" security_level="0" unnum="False" unprotected="False">
<IPv4 comment="" id="id449490712976" name="firewall40:le2:ip" address="192.0.3.1" netmask="255.255.255.0"/>
</Interface>
<Management address="0.0.0.0">
<SNMPManagement enabled="False" snmp_read_community="" snmp_write_community=""/>
<FWBDManagement enabled="False" identity="" port="-1"/>
<PolicyInstallScript arguments="" command="" enabled="False"/>
</Management>
<FirewallOptions>
<Option name="accept_established">true</Option>
<Option name="accept_new_tcp_with_no_syn">True</Option>
<Option name="activationCmd"/>
<Option name="admUser"/>
<Option name="altAddress"/>
<Option name="check_shading">True</Option>
<Option name="cmdline"/>
<Option name="compiler"/>
<Option name="configure_interfaces">True</Option>
<Option name="debug">False</Option>
<Option name="eliminate_duplicates">true</Option>
<Option name="epilog_script"/>
<Option name="fallback_log">False</Option>
<Option name="firewall_dir">/etc</Option>
<Option name="firewall_is_part_of_any_and_networks">true</Option>
<Option name="freebsd_ip_forward">1</Option>
<Option name="ignore_empty_groups">False</Option>
<Option name="in_out_code">True</Option>
<Option name="limit_value">0</Option>
<Option name="linux24_ip_forward">1</Option>
<Option name="load_modules">true</Option>
<Option name="local_nat">false</Option>
<Option name="log_level">info</Option>
<Option name="log_prefix">RULE %N -- %A </Option>
<Option name="loopback_interface">lo0</Option>
<Option name="macosx_ip_forward">1</Option>
<Option name="manage_virtual_addr">True</Option>
<Option name="mgmt_addr"/>
<Option name="mgmt_ssh">False</Option>
<Option name="modulate_state">True</Option>
<Option name="openbsd_ip_forward">1</Option>
<Option name="output_file"/>
<Option name="pass_all_out">False</Option>
<Option name="pf_adaptive_end">0</Option>
<Option name="pf_adaptive_start">0</Option>
<Option name="pf_do_limit_frags">False</Option>
<Option name="pf_do_limit_states">False</Option>
<Option name="pf_do_scrub">False</Option>
<Option name="pf_do_timeout_frag">False</Option>
<Option name="pf_do_timeout_interval">False</Option>
<Option name="pf_icmp_error">0</Option>
<Option name="pf_icmp_first">0</Option>
<Option name="pf_limit_frags">5000</Option>
<Option name="pf_limit_states">10000</Option>
<Option name="pf_optimization"/>
<Option name="pf_other_first">0</Option>
<Option name="pf_other_multiple">0</Option>
<Option name="pf_other_single">0</Option>
<Option name="pf_scrub_fragm_crop">False</Option>
<Option name="pf_scrub_fragm_drop_ovl">False</Option>
<Option name="pf_scrub_maxmss">1460</Option>
<Option name="pf_scrub_minttl">0</Option>
<Option name="pf_scrub_no_df">False</Option>
<Option name="pf_scrub_random_id">False</Option>
<Option name="pf_scrub_reassemble">True</Option>
<Option name="pf_scrub_use_maxmss">False</Option>
<Option name="pf_scrub_use_minttl">False</Option>
<Option name="pf_set_adaptive">False</Option>
<Option name="pf_set_icmp_error">False</Option>
<Option name="pf_set_icmp_first">False</Option>
<Option name="pf_set_other_first">False</Option>
<Option name="pf_set_other_multiple">False</Option>
<Option name="pf_set_other_single">False</Option>
<Option name="pf_set_tcp_closed">False</Option>
<Option name="pf_set_tcp_closing">False</Option>
<Option name="pf_set_tcp_established">False</Option>
<Option name="pf_set_tcp_finwait">False</Option>
<Option name="pf_set_tcp_first">False</Option>
<Option name="pf_set_tcp_opening">False</Option>
<Option name="pf_set_udp_first">False</Option>
<Option name="pf_set_udp_multiple">False</Option>
<Option name="pf_set_udp_single">False</Option>
<Option name="pf_tcp_closed">0</Option>
<Option name="pf_tcp_closing">0</Option>
<Option name="pf_tcp_established">0</Option>
<Option name="pf_tcp_finwait">0</Option>
<Option name="pf_tcp_first">0</Option>
<Option name="pf_tcp_opening">0</Option>
<Option name="pf_timeout_frag">30</Option>
<Option name="pf_timeout_interval">10</Option>
<Option name="pf_udp_first">0</Option>
<Option name="pf_udp_multiple">0</Option>
<Option name="pf_udp_single">0</Option>
<Option name="pix_add_clear_statements">true</Option>
<Option name="pix_assume_fw_part_of_any">true</Option>
<Option name="pix_default_logint">300</Option>
<Option name="pix_emblem_log_format">false</Option>
<Option name="pix_emulate_out_acl">true</Option>
<Option name="pix_floodguard">true</Option>
<Option name="pix_include_comments">true</Option>
<Option name="pix_route_dnat_supported">true</Option>
<Option name="pix_rule_syslog_settings">false</Option>
<Option name="pix_security_fragguard_supported">true</Option>
<Option name="pix_syslog_device_id_supported">false</Option>
<Option name="pix_use_acl_remarks">true</Option>
<Option name="prolog_script"/>
<Option name="prompt1">$ </Option>
<Option name="prompt2"> # </Option>
<Option name="solaris_ip_forward">1</Option>
<Option name="sshArgs"/>
<Option name="ulog_nlgroup">1</Option>
<Option name="verify_interfaces">true</Option>
</FirewallOptions>
</Firewall>
<Firewall comment="testing rule shadowing with run-time objects, rules with such objects should be ignored&#10;&#10;" host_OS="freebsd" id="id44EC18128791" inactive="False" lastCompiled="1157930818" lastInstalled="0" lastModified="1193632413" name="firewall41" platform="pf" ro="False" version="">
<NAT id="id44EC18168791" name="NAT"/>
<Policy id="id44EC18158791" name="Policy">
<PolicyRule action="Accept" direction="Both" disabled="False" id="id44EC181E8791" log="True" position="0">
<Src neg="False">
<ObjectRef ref="id44EC18128791"/>
</Src>
<Dst neg="False">
<ObjectRef ref="id44EC181D8791"/>
</Dst>
<Srv neg="False">
<ServiceRef ref="sysid1"/>
</Srv>
<Itf neg="False">
<ObjectRef ref="sysid0"/>
</Itf>
<When neg="False">
<IntervalRef ref="sysid2"/>
</When>
<PolicyRuleOptions/>
</PolicyRule>
<PolicyRule action="Accept" direction="Both" disabled="False" id="id44F7056428576" log="True" position="1">
<Src neg="False">
<ObjectRef ref="id44EC18128791"/>
</Src>
<Dst neg="False">
<ObjectRef ref="id4389EE9018346"/>
</Dst>
<Srv neg="False">
<ServiceRef ref="sysid1"/>
</Srv>
<Itf neg="False">
<ObjectRef ref="sysid0"/>
</Itf>
<When neg="False">
<IntervalRef ref="sysid2"/>
</When>
<PolicyRuleOptions/>
</PolicyRule>
<PolicyRule action="Accept" direction="Both" disabled="False" id="id44F707E428576" log="True" position="2">
<Src neg="False">
<ObjectRef ref="id44EC18128791"/>
</Src>
<Dst neg="False">
<ObjectRef ref="id44F7082928576"/>
</Dst>
<Srv neg="False">
<ServiceRef ref="sysid1"/>
</Srv>
<Itf neg="False">
<ObjectRef ref="sysid0"/>
</Itf>
<When neg="False">
<IntervalRef ref="sysid2"/>
</When>
<PolicyRuleOptions/>
</PolicyRule>
</Policy>
<Routing id="id44EC18178791" name="Routing"/>
<Interface bridgeport="False" dyn="False" id="id44EC18188791" label="ext" name="eth0" security_level="0" unnum="False" unprotected="False">
<IPv4 id="id44EC18198791" name="firewall41:eth0:ip" address="1.1.1.1" netmask="255.255.255.0"/>
</Interface>
<Interface bridgeport="False" dyn="False" id="id44EC181A8791" label="int" name="eth1" security_level="50" unnum="False" unprotected="False">
<IPv4 id="id44EC181B8791" name="firewall41:eth1:ip" address="2.2.2.2" netmask="255.255.255.0"/>
</Interface>
<Management address="0.0.0.0">
<SNMPManagement enabled="False" snmp_read_community="" snmp_write_community=""/>
<FWBDManagement enabled="False" identity="" port="-1"/>
<PolicyInstallScript arguments="" command="" enabled="False"/>
</Management>
<FirewallOptions>
<Option name="accept_established">true</Option>
<Option name="accept_new_tcp_with_no_syn">true</Option>
<Option name="check_shading">true</Option>
<Option name="configure_interfaces">true</Option>
<Option name="eliminate_duplicates">true</Option>
<Option name="firewall_dir">/etc</Option>
<Option name="firewall_is_part_of_any_and_networks">true</Option>
<Option name="freebsd_ip_forward">1</Option>
<Option name="in_out_code">true</Option>
<Option name="limit_value">0</Option>
<Option name="linux24_ip_forward">1</Option>
<Option name="load_modules">true</Option>
<Option name="local_nat">false</Option>
<Option name="log_level">info</Option>
<Option name="log_prefix">RULE %N -- %A </Option>
<Option name="loopback_interface">lo0</Option>
<Option name="macosx_ip_forward">1</Option>
<Option name="manage_virtual_addr">true</Option>
<Option name="openbsd_ip_forward">1</Option>
<Option name="pass_all_out">false</Option>
<Option name="pf_limit_frags">5000</Option>
<Option name="pf_limit_states">10000</Option>
<Option name="pf_scrub_maxmss">1460</Option>
<Option name="pf_timeout_frag">30</Option>
<Option name="pf_timeout_interval">10</Option>
<Option name="pix_add_clear_statements">true</Option>
<Option name="pix_assume_fw_part_of_any">true</Option>
<Option name="pix_default_logint">300</Option>
<Option name="pix_emblem_log_format">false</Option>
<Option name="pix_emulate_out_acl">true</Option>
<Option name="pix_floodguard">true</Option>
<Option name="pix_include_comments">true</Option>
<Option name="pix_route_dnat_supported">true</Option>
<Option name="pix_rule_syslog_settings">false</Option>
<Option name="pix_security_fragguard_supported">true</Option>
<Option name="pix_syslog_device_id_supported">false</Option>
<Option name="pix_use_acl_remarks">true</Option>
<Option name="prompt1">$ </Option>
<Option name="prompt2"> # </Option>
<Option name="solaris_ip_forward">1</Option>
<Option name="ulog_nlgroup">1</Option>
<Option name="verify_interfaces">true</Option>
</FirewallOptions>
</Firewall>
<Firewall comment="PF 3.x, testing &#10;&quot;flags S/SA keep state&quot;" host_OS="openbsd" id="id4699449021967" inactive="False" lastCompiled="1202682006" lastInstalled="0" lastModified="1202681966" name="firewall10-1" platform="pf" ro="False" version="3.x">
<NAT id="id469944D321967" name="NAT">
<NATRule disabled="True" id="id469944D421967" position="0">
<OSrc neg="False">
<ObjectRef ref="net-Internal_net"/>
</OSrc>
<ODst neg="False">
<ObjectRef ref="sysid0"/>
</ODst>
<OSrv neg="False">
<ServiceRef ref="sysid1"/>
</OSrv>
<TSrc neg="False">
<ObjectRef ref="id469944F421967"/>
</TSrc>
<TDst neg="False">
<ObjectRef ref="sysid0"/>
</TDst>
<TSrv neg="False">
<ServiceRef ref="sysid1"/>
</TSrv>
<NATRuleOptions/>
</NATRule>
<NATRule disabled="False" id="id469944E221967" position="1">
<OSrc neg="False">
<ObjectRef ref="net-Internal_net"/>
</OSrc>
<ODst neg="False">
<ObjectRef ref="sysid0"/>
</ODst>
<OSrv neg="False">
<ServiceRef ref="sysid1"/>
</OSrv>
<TSrc neg="False">
<ObjectRef ref="id4699449021967"/>
</TSrc>
<TDst neg="False">
<ObjectRef ref="sysid0"/>
</TDst>
<TSrv neg="False">
<ServiceRef ref="sysid1"/>
</TSrv>
<NATRuleOptions/>
</NATRule>
</NAT>
<Policy id="id4699449621967" name="Policy">
<PolicyRule action="Accept" direction="Inbound" disabled="False" id="id4699449721967" log="False" position="0">
<Src neg="False">
<ObjectRef ref="net-Internal_net"/>
</Src>
<Dst neg="False">
<ObjectRef ref="sysid0"/>
</Dst>
<Srv neg="False">
<ServiceRef ref="tcp-SSH"/>
<ServiceRef ref="tcp-HTTP"/>
</Srv>
<Itf neg="False">
<ObjectRef ref="id469944F121967"/>
</Itf>
<When neg="False">
<IntervalRef ref="sysid2"/>
</When>
<PolicyRuleOptions>
<Option name="stateless">False</Option>
</PolicyRuleOptions>
</PolicyRule>
<PolicyRule action="Accept" direction="Both" disabled="False" id="id469944A321967" log="False" position="1">
<Src neg="False">
<ObjectRef ref="sysid0"/>
</Src>
<Dst neg="False">
<ObjectRef ref="sysid0"/>
</Dst>
<Srv neg="False">
<ServiceRef ref="sysid1"/>
</Srv>
<Itf neg="False">
<ObjectRef ref="id469944F521967"/>
</Itf>
<When neg="False">
<IntervalRef ref="sysid2"/>
</When>
<PolicyRuleOptions>
<Option name="log_prefix"/>
<Option name="pf_keep_state">False</Option>
<Option name="pf_max_src_conn">0</Option>
<Option name="pf_max_src_conn_flush">False</Option>
<Option name="pf_max_src_conn_global">False</Option>
<Option name="pf_max_src_conn_overload_table"/>
<Option name="pf_max_src_conn_rate_flush">False</Option>
<Option name="pf_max_src_conn_rate_global">False</Option>
<Option name="pf_max_src_conn_rate_num">0</Option>
<Option name="pf_max_src_conn_rate_overload_table"/>
<Option name="pf_max_src_conn_rate_seconds">0</Option>
<Option name="pf_max_src_nodes">0</Option>
<Option name="pf_max_src_states">0</Option>
<Option name="pf_rule_max_state">0</Option>
<Option name="pf_source_tracking">False</Option>
<Option name="stateless">True</Option>
</PolicyRuleOptions>
</PolicyRule>
<PolicyRule action="Accept" comment="via ipsec" direction="Both" disabled="False" id="id469944AF21967" log="False" position="2">
<Src neg="False">
<ObjectRef ref="id3B665643"/>
</Src>
<Dst neg="False">
<ObjectRef ref="net-Internal_net"/>
</Dst>
<Srv neg="False">
<ServiceRef ref="tcp-HTTP"/>
</Srv>
<Itf neg="False">
<ObjectRef ref="id469944F421967"/>
</Itf>
<When neg="False">
<IntervalRef ref="sysid2"/>
</When>
<PolicyRuleOptions>
<Option name="log_prefix"/>
<Option name="pf_keep_state">True</Option>
<Option name="pf_max_src_conn">0</Option>
<Option name="pf_max_src_conn_flush">False</Option>
<Option name="pf_max_src_conn_global">False</Option>
<Option name="pf_max_src_conn_overload_table"/>
<Option name="pf_max_src_conn_rate_flush">False</Option>
<Option name="pf_max_src_conn_rate_global">False</Option>
<Option name="pf_max_src_conn_rate_num">0</Option>
<Option name="pf_max_src_conn_rate_overload_table"/>
<Option name="pf_max_src_conn_rate_seconds">0</Option>
<Option name="pf_max_src_nodes">0</Option>
<Option name="pf_max_src_states">0</Option>
<Option name="pf_rule_max_state">0</Option>
<Option name="pf_source_tracking">False</Option>
<Option name="stateless">False</Option>
</PolicyRuleOptions>
</PolicyRule>
<PolicyRule action="Deny" direction="Both" disabled="False" id="id469944C721967" log="True" position="3">
<Src neg="False">
<ObjectRef ref="sysid0"/>
</Src>
<Dst neg="False">
<ObjectRef ref="sysid0"/>
</Dst>
<Srv neg="False">
<ServiceRef ref="sysid1"/>
</Srv>
<Itf neg="False">
<ObjectRef ref="sysid0"/>
</Itf>
<When neg="False">
<IntervalRef ref="sysid2"/>
</When>
<PolicyRuleOptions>
<Option name="stateless">True</Option>
</PolicyRuleOptions>
</PolicyRule>
</Policy>
<Routing id="id469944F021967" name="Routing"/>
<Interface bridgeport="False" dyn="False" id="id469944F121967" name="eth0" security_level="100" unnum="False" unprotected="False">
<IPv4 id="id469944F321967" name="firewall10-1:eth0:ip" address="192.168.1.1" netmask="255.255.255.0"/>
</Interface>
<Interface bridgeport="False" comment="" dyn="False" id="id469944F421967" label="" mgmt="False" name="enc0" security_level="0" unnum="True" unprotected="False"/>
<Interface bridgeport="False" comment="" dyn="False" id="id469944F521967" label="" mgmt="False" name="lo0" security_level="100" unnum="False" unprotected="False">
<IPv4 id="id469944F721967" name="firewall10-1:lo0:ip" address="127.0.0.1" netmask="255.0.0.0"/>
</Interface>
<Management address="127.0.0.1">
<SNMPManagement enabled="False" snmp_read_community="public" snmp_write_community=""/>
<FWBDManagement enabled="True" identity="" port="9999"/>
<PolicyInstallScript arguments="" command="" enabled="False"/>
</Management>
<FirewallOptions>
<Option name="accept_established">True</Option>
<Option name="accept_new_tcp_with_no_syn">False</Option>
<Option name="action_on_reject">ICMP net unreachable</Option>
<Option name="activationCmd"/>
<Option name="admUser"/>
<Option name="altAddress"/>
<Option name="check_shading">True</Option>
<Option name="clamp_mss_to_mtu">False</Option>
<Option name="cmdline"/>
<Option name="compiler"/>
<Option name="configure_interfaces">False</Option>
<Option name="debug">False</Option>
<Option name="dyn_addr">False</Option>
<Option name="epilog_script"/>
<Option name="fallback_log">False</Option>
<Option name="firewall_dir"/>
<Option name="firewall_is_part_of_any">True</Option>
<Option name="firewall_is_part_of_any_and_networks">True</Option>
<Option name="freebsd_path_ipf"/>
<Option name="freebsd_path_ipnat"/>
<Option name="freebsd_path_sysctl"/>
<Option name="ignore_empty_groups">False</Option>
<Option name="in_out_code">True</Option>
<Option name="inst_cmdline"/>
<Option name="inst_script"/>
<Option name="install_script"/>
<Option name="limit_suffix">/day</Option>
<Option name="limit_value">0</Option>
<Option name="linux24_ip_forward">0</Option>
<Option name="linux24_tcp_fin_timeout">30</Option>
<Option name="linux24_tcp_keepalive_interval">1800</Option>
<Option name="load_modules">False</Option>
<Option name="log_all_dropped">False</Option>
<Option name="log_ip_opt">False</Option>
<Option name="log_level">debug</Option>
<Option name="log_limit_suffix">/second</Option>
<Option name="log_limit_value">0</Option>
<Option name="log_prefix"/>
<Option name="log_tcp_opt">False</Option>
<Option name="log_tcp_seq">False</Option>
<Option name="manage_virtual_addr">True</Option>
<Option name="mgmt_addr">192.168.1.100</Option>
<Option name="mgmt_ssh">True</Option>
<Option name="modulate_state">False</Option>
<Option name="no_iochains_for_any">False</Option>
<Option name="no_optimisation">False</Option>
<Option name="openbsd_path_pfctl"/>
<Option name="openbsd_path_sysctl"/>
<Option name="output_file"/>
<Option name="pass_all_out">False</Option>
<Option name="pf_adaptive_end">0</Option>
<Option name="pf_adaptive_start">0</Option>
<Option name="pf_do_limit_frags">False</Option>
<Option name="pf_do_limit_src_nodes">False</Option>
<Option name="pf_do_limit_states">False</Option>
<Option name="pf_do_limit_table_entries">False</Option>
<Option name="pf_do_limit_tables">False</Option>
<Option name="pf_do_scrub">True</Option>
<Option name="pf_do_timeout_frag">False</Option>
<Option name="pf_do_timeout_interval">False</Option>
<Option name="pf_icmp_error">0</Option>
<Option name="pf_icmp_first">0</Option>
<Option name="pf_limit_frags">5000</Option>
<Option name="pf_limit_src_nodes">0</Option>
<Option name="pf_limit_states">10000</Option>
<Option name="pf_limit_table_entries">0</Option>
<Option name="pf_limit_tables">0</Option>
<Option name="pf_optimization"/>
<Option name="pf_other_first">0</Option>
<Option name="pf_other_multiple">0</Option>
<Option name="pf_other_single">0</Option>
<Option name="pf_scrub_fragm_crop">False</Option>
<Option name="pf_scrub_fragm_drop_ovl">False</Option>
<Option name="pf_scrub_maxmss">1460</Option>
<Option name="pf_scrub_minttl">1</Option>
<Option name="pf_scrub_no_df">False</Option>
<Option name="pf_scrub_random_id">False</Option>
<Option name="pf_scrub_reassemble">True</Option>
<Option name="pf_scrub_use_maxmss">False</Option>
<Option name="pf_scrub_use_minttl">False</Option>
<Option name="pf_set_adaptive">False</Option>
<Option name="pf_set_icmp_error">False</Option>
<Option name="pf_set_icmp_first">False</Option>
<Option name="pf_set_other_first">False</Option>
<Option name="pf_set_other_multiple">False</Option>
<Option name="pf_set_other_single">False</Option>
<Option name="pf_set_tcp_closed">False</Option>
<Option name="pf_set_tcp_closing">False</Option>
<Option name="pf_set_tcp_established">False</Option>
<Option name="pf_set_tcp_finwait">False</Option>
<Option name="pf_set_tcp_first">False</Option>
<Option name="pf_set_tcp_opening">False</Option>
<Option name="pf_set_udp_first">False</Option>
<Option name="pf_set_udp_multiple">False</Option>
<Option name="pf_set_udp_single">False</Option>
<Option name="pf_tcp_closed">0</Option>
<Option name="pf_tcp_closing">0</Option>
<Option name="pf_tcp_established">0</Option>
<Option name="pf_tcp_finwait">0</Option>
<Option name="pf_tcp_first">0</Option>
<Option name="pf_tcp_opening">0</Option>
<Option name="pf_timeout_frag">30</Option>
<Option name="pf_timeout_interval">10</Option>
<Option name="pf_udp_first">0</Option>
<Option name="pf_udp_multiple">0</Option>
<Option name="pf_udp_single">0</Option>
<Option name="platform">iptables</Option>
<Option name="prolog_place">fw_file</Option>
<Option name="prolog_script"/>
<Option name="proxy_arp">False</Option>
<Option name="script_env_path"/>
<Option name="snmp_contact"/>
<Option name="snmp_description"/>
<Option name="snmp_location"/>
<Option name="sshArgs"/>
<Option name="use_ip_tool">False</Option>
<Option name="use_numeric_log_levels">False</Option>
<Option name="use_tables">True</Option>
</FirewallOptions>
</Firewall>
<Firewall comment="PF 4.x, testing &#10;&quot;flags S/SA keep state&quot;" host_OS="openbsd" id="id4699570022254" inactive="False" lastCompiled="1202682007" lastInstalled="0" lastModified="1202682031" name="firewall10-2" platform="pf" ro="False" version="4.x">
<NAT id="id4699573822254" name="NAT">
<NATRule disabled="True" id="id4699573922254" position="0">
<OSrc neg="False">
<ObjectRef ref="net-Internal_net"/>
</OSrc>
<ODst neg="False">
<ObjectRef ref="sysid0"/>
</ODst>
<OSrv neg="False">
<ServiceRef ref="sysid1"/>
</OSrv>
<TSrc neg="False">
<ObjectRef ref="id4699575922254"/>
</TSrc>
<TDst neg="False">
<ObjectRef ref="sysid0"/>
</TDst>
<TSrv neg="False">
<ServiceRef ref="sysid1"/>
</TSrv>
<NATRuleOptions/>
</NATRule>
<NATRule disabled="False" id="id4699574722254" position="1">
<OSrc neg="False">
<ObjectRef ref="net-Internal_net"/>
</OSrc>
<ODst neg="False">
<ObjectRef ref="sysid0"/>
</ODst>
<OSrv neg="False">
<ServiceRef ref="sysid1"/>
</OSrv>
<TSrc neg="False">
<ObjectRef ref="id4699570022254"/>
</TSrc>
<TDst neg="False">
<ObjectRef ref="sysid0"/>
</TDst>
<TSrv neg="False">
<ServiceRef ref="sysid1"/>
</TSrv>
<NATRuleOptions/>
</NATRule>
</NAT>
<Policy id="id4699570622254" name="Policy">
<PolicyRule action="Accept" direction="Inbound" disabled="False" id="id4699570722254" log="False" position="0">
<Src neg="False">
<ObjectRef ref="net-Internal_net"/>
</Src>
<Dst neg="False">
<ObjectRef ref="sysid0"/>
</Dst>
<Srv neg="False">
<ServiceRef ref="tcp-SSH"/>
<ServiceRef ref="tcp-HTTP"/>
</Srv>
<Itf neg="False">
<ObjectRef ref="id4699575622254"/>
</Itf>
<When neg="False">
<IntervalRef ref="sysid2"/>
</When>
<PolicyRuleOptions>
<Option name="stateless">False</Option>
</PolicyRuleOptions>
</PolicyRule>
<PolicyRule action="Accept" direction="Both" disabled="False" id="id4699571422254" log="False" position="1">
<Src neg="False">
<ObjectRef ref="sysid0"/>
</Src>
<Dst neg="False">
<ObjectRef ref="sysid0"/>
</Dst>
<Srv neg="False">
<ServiceRef ref="sysid1"/>
</Srv>
<Itf neg="False">
<ObjectRef ref="id4699575A22254"/>
</Itf>
<When neg="False">
<IntervalRef ref="sysid2"/>
</When>
<PolicyRuleOptions>
<Option name="log_prefix"/>
<Option name="pf_keep_state">False</Option>
<Option name="pf_max_src_conn">0</Option>
<Option name="pf_max_src_conn_flush">False</Option>
<Option name="pf_max_src_conn_global">False</Option>
<Option name="pf_max_src_conn_overload_table"/>
<Option name="pf_max_src_conn_rate_flush">False</Option>
<Option name="pf_max_src_conn_rate_global">False</Option>
<Option name="pf_max_src_conn_rate_num">0</Option>
<Option name="pf_max_src_conn_rate_overload_table"/>
<Option name="pf_max_src_conn_rate_seconds">0</Option>
<Option name="pf_max_src_nodes">0</Option>
<Option name="pf_max_src_states">0</Option>
<Option name="pf_rule_max_state">0</Option>
<Option name="pf_source_tracking">False</Option>
<Option name="stateless">True</Option>
</PolicyRuleOptions>
</PolicyRule>
<PolicyRule action="Accept" comment="via ipsec" direction="Both" disabled="False" id="id4699572022254" log="False" position="2">
<Src neg="False">
<ObjectRef ref="id3B665643"/>
</Src>
<Dst neg="False">
<ObjectRef ref="net-Internal_net"/>
</Dst>
<Srv neg="False">
<ServiceRef ref="tcp-HTTP"/>
</Srv>
<Itf neg="False">
<ObjectRef ref="id4699575922254"/>
</Itf>
<When neg="False">
<IntervalRef ref="sysid2"/>
</When>
<PolicyRuleOptions>
<Option name="log_prefix"/>
<Option name="pf_keep_state">True</Option>
<Option name="pf_max_src_conn">0</Option>
<Option name="pf_max_src_conn_flush">False</Option>
<Option name="pf_max_src_conn_global">False</Option>
<Option name="pf_max_src_conn_overload_table"/>
<Option name="pf_max_src_conn_rate_flush">False</Option>
<Option name="pf_max_src_conn_rate_global">False</Option>
<Option name="pf_max_src_conn_rate_num">0</Option>
<Option name="pf_max_src_conn_rate_overload_table"/>
<Option name="pf_max_src_conn_rate_seconds">0</Option>
<Option name="pf_max_src_nodes">0</Option>
<Option name="pf_max_src_states">0</Option>
<Option name="pf_rule_max_state">0</Option>
<Option name="pf_source_tracking">False</Option>
<Option name="stateless">False</Option>
</PolicyRuleOptions>
</PolicyRule>
<PolicyRule action="Deny" direction="Both" disabled="False" id="id4699572C22254" log="True" position="3">
<Src neg="False">
<ObjectRef ref="sysid0"/>
</Src>
<Dst neg="False">
<ObjectRef ref="sysid0"/>
</Dst>
<Srv neg="False">
<ServiceRef ref="sysid1"/>
</Srv>
<Itf neg="False">
<ObjectRef ref="sysid0"/>
</Itf>
<When neg="False">
<IntervalRef ref="sysid2"/>
</When>
<PolicyRuleOptions>
<Option name="stateless">True</Option>
</PolicyRuleOptions>
</PolicyRule>
</Policy>
<Routing id="id4699575522254" name="Routing"/>
<Interface bridgeport="False" dyn="False" id="id4699575622254" name="eth0" security_level="100" unnum="False" unprotected="False">
<IPv4 id="id4699575822254" name="firewall10-2:eth0:ip" address="192.168.1.1" netmask="255.255.255.0"/>
</Interface>
<Interface bridgeport="False" comment="" dyn="False" id="id4699575922254" label="" mgmt="False" name="enc0" security_level="0" unnum="True" unprotected="False"/>
<Interface bridgeport="False" comment="" dyn="False" id="id4699575A22254" label="" mgmt="False" name="lo0" security_level="100" unnum="False" unprotected="True">
<IPv4 id="id4699575C22254" name="firewall10-2:lo0:ip" address="127.0.0.1" netmask="255.0.0.0"/>
</Interface>
<Management address="127.0.0.1">
<SNMPManagement enabled="False" snmp_read_community="public" snmp_write_community=""/>
<FWBDManagement enabled="True" identity="" port="9999"/>
<PolicyInstallScript arguments="" command="" enabled="False"/>
</Management>
<FirewallOptions>
<Option name="accept_established">True</Option>
<Option name="accept_new_tcp_with_no_syn">False</Option>
<Option name="action_on_reject">ICMP net unreachable</Option>
<Option name="activationCmd"/>
<Option name="admUser"/>
<Option name="altAddress"/>
<Option name="check_shading">True</Option>
<Option name="clamp_mss_to_mtu">False</Option>
<Option name="cmdline"/>
<Option name="compiler"/>
<Option name="configure_interfaces">False</Option>
<Option name="debug">False</Option>
<Option name="dyn_addr">False</Option>
<Option name="epilog_script"/>
<Option name="fallback_log">False</Option>
<Option name="firewall_dir"/>
<Option name="firewall_is_part_of_any">True</Option>
<Option name="firewall_is_part_of_any_and_networks">True</Option>
<Option name="freebsd_path_ipf"/>
<Option name="freebsd_path_ipnat"/>
<Option name="freebsd_path_sysctl"/>
<Option name="ignore_empty_groups">False</Option>
<Option name="in_out_code">True</Option>
<Option name="inst_cmdline"/>
<Option name="inst_script"/>
<Option name="install_script"/>
<Option name="limit_suffix">/day</Option>
<Option name="limit_value">0</Option>
<Option name="linux24_ip_forward">0</Option>
<Option name="linux24_tcp_fin_timeout">30</Option>
<Option name="linux24_tcp_keepalive_interval">1800</Option>
<Option name="load_modules">False</Option>
<Option name="log_all_dropped">False</Option>
<Option name="log_ip_opt">False</Option>
<Option name="log_level">debug</Option>
<Option name="log_limit_suffix">/second</Option>
<Option name="log_limit_value">0</Option>
<Option name="log_prefix"/>
<Option name="log_tcp_opt">False</Option>
<Option name="log_tcp_seq">False</Option>
<Option name="manage_virtual_addr">True</Option>
<Option name="mgmt_addr">192.168.1.100</Option>
<Option name="mgmt_ssh">True</Option>
<Option name="modulate_state">False</Option>
<Option name="no_iochains_for_any">False</Option>
<Option name="no_optimisation">False</Option>
<Option name="openbsd_path_pfctl"/>
<Option name="openbsd_path_sysctl"/>
<Option name="output_file"/>
<Option name="pass_all_out">False</Option>
<Option name="pf_adaptive_end">0</Option>
<Option name="pf_adaptive_start">0</Option>
<Option name="pf_do_limit_frags">False</Option>
<Option name="pf_do_limit_src_nodes">False</Option>
<Option name="pf_do_limit_states">False</Option>
<Option name="pf_do_limit_table_entries">False</Option>
<Option name="pf_do_limit_tables">False</Option>
<Option name="pf_do_scrub">True</Option>
<Option name="pf_do_timeout_frag">False</Option>
<Option name="pf_do_timeout_interval">False</Option>
<Option name="pf_icmp_error">0</Option>
<Option name="pf_icmp_first">0</Option>
<Option name="pf_limit_frags">5000</Option>
<Option name="pf_limit_src_nodes">0</Option>
<Option name="pf_limit_states">10000</Option>
<Option name="pf_limit_table_entries">0</Option>
<Option name="pf_limit_tables">0</Option>
<Option name="pf_optimization"/>
<Option name="pf_other_first">0</Option>
<Option name="pf_other_multiple">0</Option>
<Option name="pf_other_single">0</Option>
<Option name="pf_scrub_fragm_crop">False</Option>
<Option name="pf_scrub_fragm_drop_ovl">False</Option>
<Option name="pf_scrub_maxmss">1460</Option>
<Option name="pf_scrub_minttl">1</Option>
<Option name="pf_scrub_no_df">False</Option>
<Option name="pf_scrub_random_id">False</Option>
<Option name="pf_scrub_reassemble">True</Option>
<Option name="pf_scrub_use_maxmss">False</Option>
<Option name="pf_scrub_use_minttl">False</Option>
<Option name="pf_set_adaptive">False</Option>
<Option name="pf_set_icmp_error">False</Option>
<Option name="pf_set_icmp_first">False</Option>
<Option name="pf_set_other_first">False</Option>
<Option name="pf_set_other_multiple">False</Option>
<Option name="pf_set_other_single">False</Option>
<Option name="pf_set_tcp_closed">False</Option>
<Option name="pf_set_tcp_closing">False</Option>
<Option name="pf_set_tcp_established">False</Option>
<Option name="pf_set_tcp_finwait">False</Option>
<Option name="pf_set_tcp_first">False</Option>
<Option name="pf_set_tcp_opening">False</Option>
<Option name="pf_set_udp_first">False</Option>
<Option name="pf_set_udp_multiple">False</Option>
<Option name="pf_set_udp_single">False</Option>
<Option name="pf_tcp_closed">0</Option>
<Option name="pf_tcp_closing">0</Option>
<Option name="pf_tcp_established">0</Option>
<Option name="pf_tcp_finwait">0</Option>
<Option name="pf_tcp_first">0</Option>
<Option name="pf_tcp_opening">0</Option>
<Option name="pf_timeout_frag">30</Option>
<Option name="pf_timeout_interval">10</Option>
<Option name="pf_udp_first">0</Option>
<Option name="pf_udp_multiple">0</Option>
<Option name="pf_udp_single">0</Option>
<Option name="platform">iptables</Option>
<Option name="prolog_place">fw_file</Option>
<Option name="prolog_script"/>
<Option name="proxy_arp">False</Option>
<Option name="script_env_path"/>
<Option name="snmp_contact"/>
<Option name="snmp_description"/>
<Option name="snmp_location"/>
<Option name="sshArgs"/>
<Option name="use_ip_tool">False</Option>
<Option name="use_numeric_log_levels">False</Option>
<Option name="use_tables">True</Option>
</FirewallOptions>
</Firewall>
<Firewall comment="PF 3.x, testing &#10;&quot;flags S/SA keep state&quot;&#10;&quot;Accept tcp sessions opened&#10;prior to restart&quot; ON&#10;" host_OS="openbsd" id="id469948EA22616" inactive="False" lastCompiled="1202682008" lastInstalled="0" lastModified="1202681977" name="firewall10-3" platform="pf" ro="False" version="3.x">
<NAT id="id4699492222616" name="NAT">
<NATRule disabled="True" id="id4699492322616" position="0">
<OSrc neg="False">
<ObjectRef ref="net-Internal_net"/>
</OSrc>
<ODst neg="False">
<ObjectRef ref="sysid0"/>
</ODst>
<OSrv neg="False">
<ServiceRef ref="sysid1"/>
</OSrv>
<TSrc neg="False">
<ObjectRef ref="id4699494322616"/>
</TSrc>
<TDst neg="False">
<ObjectRef ref="sysid0"/>
</TDst>
<TSrv neg="False">
<ServiceRef ref="sysid1"/>
</TSrv>
<NATRuleOptions/>
</NATRule>
<NATRule disabled="False" id="id4699493122616" position="1">
<OSrc neg="False">
<ObjectRef ref="net-Internal_net"/>
</OSrc>
<ODst neg="False">
<ObjectRef ref="sysid0"/>
</ODst>
<OSrv neg="False">
<ServiceRef ref="sysid1"/>
</OSrv>
<TSrc neg="False">
<ObjectRef ref="id469948EA22616"/>
</TSrc>
<TDst neg="False">
<ObjectRef ref="sysid0"/>
</TDst>
<TSrv neg="False">
<ServiceRef ref="sysid1"/>
</TSrv>
<NATRuleOptions/>
</NATRule>
</NAT>
<Policy id="id469948F022616" name="Policy">
<PolicyRule action="Accept" direction="Inbound" disabled="False" id="id469948F122616" log="False" position="0">
<Src neg="False">
<ObjectRef ref="net-Internal_net"/>
</Src>
<Dst neg="False">
<ObjectRef ref="sysid0"/>
</Dst>
<Srv neg="False">
<ServiceRef ref="tcp-SSH"/>
<ServiceRef ref="tcp-HTTP"/>
</Srv>
<Itf neg="False">
<ObjectRef ref="id4699494022616"/>
</Itf>
<When neg="False">
<IntervalRef ref="sysid2"/>
</When>
<PolicyRuleOptions>
<Option name="stateless">False</Option>
</PolicyRuleOptions>
</PolicyRule>
<PolicyRule action="Accept" direction="Both" disabled="False" id="id469948FE22616" log="False" position="1">
<Src neg="False">
<ObjectRef ref="sysid0"/>
</Src>
<Dst neg="False">
<ObjectRef ref="sysid0"/>
</Dst>
<Srv neg="False">
<ServiceRef ref="sysid1"/>
</Srv>
<Itf neg="False">
<ObjectRef ref="id4699494422616"/>
</Itf>
<When neg="False">
<IntervalRef ref="sysid2"/>
</When>
<PolicyRuleOptions>
<Option name="log_prefix"/>
<Option name="pf_keep_state">False</Option>
<Option name="pf_max_src_conn">0</Option>
<Option name="pf_max_src_conn_flush">False</Option>
<Option name="pf_max_src_conn_global">False</Option>
<Option name="pf_max_src_conn_overload_table"/>
<Option name="pf_max_src_conn_rate_flush">False</Option>
<Option name="pf_max_src_conn_rate_global">False</Option>
<Option name="pf_max_src_conn_rate_num">0</Option>
<Option name="pf_max_src_conn_rate_overload_table"/>
<Option name="pf_max_src_conn_rate_seconds">0</Option>
<Option name="pf_max_src_nodes">0</Option>
<Option name="pf_max_src_states">0</Option>
<Option name="pf_rule_max_state">0</Option>
<Option name="pf_source_tracking">False</Option>
<Option name="stateless">True</Option>
</PolicyRuleOptions>
</PolicyRule>
<PolicyRule action="Accept" comment="via ipsec" direction="Both" disabled="False" id="id4699490A22616" log="False" position="2">
<Src neg="False">
<ObjectRef ref="id3B665643"/>
</Src>
<Dst neg="False">
<ObjectRef ref="net-Internal_net"/>
</Dst>
<Srv neg="False">
<ServiceRef ref="tcp-HTTP"/>
</Srv>
<Itf neg="False">
<ObjectRef ref="id4699494322616"/>
</Itf>
<When neg="False">
<IntervalRef ref="sysid2"/>
</When>
<PolicyRuleOptions>
<Option name="log_prefix"/>
<Option name="pf_keep_state">True</Option>
<Option name="pf_max_src_conn">0</Option>
<Option name="pf_max_src_conn_flush">False</Option>
<Option name="pf_max_src_conn_global">False</Option>
<Option name="pf_max_src_conn_overload_table"/>
<Option name="pf_max_src_conn_rate_flush">False</Option>
<Option name="pf_max_src_conn_rate_global">False</Option>
<Option name="pf_max_src_conn_rate_num">0</Option>
<Option name="pf_max_src_conn_rate_overload_table"/>
<Option name="pf_max_src_conn_rate_seconds">0</Option>
<Option name="pf_max_src_nodes">0</Option>
<Option name="pf_max_src_states">0</Option>
<Option name="pf_rule_max_state">0</Option>
<Option name="pf_source_tracking">False</Option>
<Option name="stateless">False</Option>
</PolicyRuleOptions>
</PolicyRule>
<PolicyRule action="Deny" direction="Both" disabled="False" id="id4699491622616" log="True" position="3">
<Src neg="False">
<ObjectRef ref="sysid0"/>
</Src>
<Dst neg="False">
<ObjectRef ref="sysid0"/>
</Dst>
<Srv neg="False">
<ServiceRef ref="sysid1"/>
</Srv>
<Itf neg="False">
<ObjectRef ref="sysid0"/>
</Itf>
<When neg="False">
<IntervalRef ref="sysid2"/>
</When>
<PolicyRuleOptions>
<Option name="stateless">True</Option>
</PolicyRuleOptions>
</PolicyRule>
</Policy>
<Routing id="id4699493F22616" name="Routing"/>
<Interface bridgeport="False" dyn="False" id="id4699494022616" name="eth0" security_level="100" unnum="False" unprotected="False">
<IPv4 id="id4699494222616" name="firewall10-3:eth0:ip" address="192.168.1.1" netmask="255.255.255.0"/>
</Interface>
<Interface bridgeport="False" comment="" dyn="False" id="id4699494322616" label="" mgmt="False" name="enc0" security_level="0" unnum="True" unprotected="False"/>
<Interface bridgeport="False" comment="" dyn="False" id="id4699494422616" label="" mgmt="False" name="lo0" security_level="100" unnum="False" unprotected="False">
<IPv4 id="id4699494622616" name="firewall10-3:lo0:ip" address="127.0.0.1" netmask="255.0.0.0"/>
</Interface>
<Management address="127.0.0.1">
<SNMPManagement enabled="False" snmp_read_community="public" snmp_write_community=""/>
<FWBDManagement enabled="True" identity="" port="9999"/>
<PolicyInstallScript arguments="" command="" enabled="False"/>
</Management>
<FirewallOptions>
<Option name="accept_established">True</Option>
<Option name="accept_new_tcp_with_no_syn">True</Option>
<Option name="action_on_reject">ICMP net unreachable</Option>
<Option name="activationCmd"/>
<Option name="admUser"/>
<Option name="altAddress"/>
<Option name="check_shading">True</Option>
<Option name="clamp_mss_to_mtu">False</Option>
<Option name="cmdline"/>
<Option name="compiler"/>
<Option name="configure_interfaces">False</Option>
<Option name="debug">False</Option>
<Option name="dyn_addr">False</Option>
<Option name="epilog_script"/>
<Option name="fallback_log">False</Option>
<Option name="firewall_dir"/>
<Option name="firewall_is_part_of_any">True</Option>
<Option name="firewall_is_part_of_any_and_networks">True</Option>
<Option name="freebsd_path_ipf"/>
<Option name="freebsd_path_ipnat"/>
<Option name="freebsd_path_sysctl"/>
<Option name="ignore_empty_groups">False</Option>
<Option name="in_out_code">True</Option>
<Option name="inst_cmdline"/>
<Option name="inst_script"/>
<Option name="install_script"/>
<Option name="limit_suffix">/day</Option>
<Option name="limit_value">0</Option>
<Option name="linux24_ip_forward">0</Option>
<Option name="linux24_tcp_fin_timeout">30</Option>
<Option name="linux24_tcp_keepalive_interval">1800</Option>
<Option name="load_modules">False</Option>
<Option name="log_all_dropped">False</Option>
<Option name="log_ip_opt">False</Option>
<Option name="log_level">debug</Option>
<Option name="log_limit_suffix">/second</Option>
<Option name="log_limit_value">0</Option>
<Option name="log_prefix"/>
<Option name="log_tcp_opt">False</Option>
<Option name="log_tcp_seq">False</Option>
<Option name="manage_virtual_addr">True</Option>
<Option name="mgmt_addr">192.168.1.100</Option>
<Option name="mgmt_ssh">True</Option>
<Option name="modulate_state">False</Option>
<Option name="no_iochains_for_any">False</Option>
<Option name="no_optimisation">False</Option>
<Option name="openbsd_path_pfctl"/>
<Option name="openbsd_path_sysctl"/>
<Option name="output_file"/>
<Option name="pass_all_out">False</Option>
<Option name="pf_adaptive_end">0</Option>
<Option name="pf_adaptive_start">0</Option>
<Option name="pf_do_limit_frags">False</Option>
<Option name="pf_do_limit_src_nodes">False</Option>
<Option name="pf_do_limit_states">False</Option>
<Option name="pf_do_limit_table_entries">False</Option>
<Option name="pf_do_limit_tables">False</Option>
<Option name="pf_do_scrub">True</Option>
<Option name="pf_do_timeout_frag">False</Option>
<Option name="pf_do_timeout_interval">False</Option>
<Option name="pf_icmp_error">0</Option>
<Option name="pf_icmp_first">0</Option>
<Option name="pf_limit_frags">5000</Option>
<Option name="pf_limit_src_nodes">0</Option>
<Option name="pf_limit_states">10000</Option>
<Option name="pf_limit_table_entries">0</Option>
<Option name="pf_limit_tables">0</Option>
<Option name="pf_optimization"/>
<Option name="pf_other_first">0</Option>
<Option name="pf_other_multiple">0</Option>
<Option name="pf_other_single">0</Option>
<Option name="pf_scrub_fragm_crop">False</Option>
<Option name="pf_scrub_fragm_drop_ovl">False</Option>
<Option name="pf_scrub_maxmss">1460</Option>
<Option name="pf_scrub_minttl">1</Option>
<Option name="pf_scrub_no_df">False</Option>
<Option name="pf_scrub_random_id">False</Option>
<Option name="pf_scrub_reassemble">True</Option>
<Option name="pf_scrub_use_maxmss">False</Option>
<Option name="pf_scrub_use_minttl">False</Option>
<Option name="pf_set_adaptive">False</Option>
<Option name="pf_set_icmp_error">False</Option>
<Option name="pf_set_icmp_first">False</Option>
<Option name="pf_set_other_first">False</Option>
<Option name="pf_set_other_multiple">False</Option>
<Option name="pf_set_other_single">False</Option>
<Option name="pf_set_tcp_closed">False</Option>
<Option name="pf_set_tcp_closing">False</Option>
<Option name="pf_set_tcp_established">False</Option>
<Option name="pf_set_tcp_finwait">False</Option>
<Option name="pf_set_tcp_first">False</Option>
<Option name="pf_set_tcp_opening">False</Option>
<Option name="pf_set_udp_first">False</Option>
<Option name="pf_set_udp_multiple">False</Option>
<Option name="pf_set_udp_single">False</Option>
<Option name="pf_tcp_closed">0</Option>
<Option name="pf_tcp_closing">0</Option>
<Option name="pf_tcp_established">0</Option>
<Option name="pf_tcp_finwait">0</Option>
<Option name="pf_tcp_first">0</Option>
<Option name="pf_tcp_opening">0</Option>
<Option name="pf_timeout_frag">30</Option>
<Option name="pf_timeout_interval">10</Option>
<Option name="pf_udp_first">0</Option>
<Option name="pf_udp_multiple">0</Option>
<Option name="pf_udp_single">0</Option>
<Option name="platform">iptables</Option>
<Option name="prolog_place">fw_file</Option>
<Option name="prolog_script"/>
<Option name="proxy_arp">False</Option>
<Option name="script_env_path"/>
<Option name="snmp_contact"/>
<Option name="snmp_description"/>
<Option name="snmp_location"/>
<Option name="sshArgs"/>
<Option name="use_ip_tool">False</Option>
<Option name="use_numeric_log_levels">False</Option>
<Option name="use_tables">True</Option>
</FirewallOptions>
</Firewall>
<Firewall comment="PF 4.x, testing &#10;&quot;flags S/SA keep state&quot;&#10;&quot;Accept tcp sessions opened&#10;prior to restart&quot; is ON&#10;" host_OS="openbsd" id="id4699494C22616" inactive="False" lastCompiled="1202682010" lastInstalled="0" lastModified="1202681983" name="firewall10-4" platform="pf" ro="False" version="4.x">
<NAT id="id4699498422616" name="NAT">
<NATRule disabled="True" id="id4699498522616" position="0">
<OSrc neg="False">
<ObjectRef ref="net-Internal_net"/>
</OSrc>
<ODst neg="False">
<ObjectRef ref="sysid0"/>
</ODst>
<OSrv neg="False">
<ServiceRef ref="sysid1"/>
</OSrv>
<TSrc neg="False">
<ObjectRef ref="id469949A522616"/>
</TSrc>
<TDst neg="False">
<ObjectRef ref="sysid0"/>
</TDst>
<TSrv neg="False">
<ServiceRef ref="sysid1"/>
</TSrv>
<NATRuleOptions/>
</NATRule>
<NATRule disabled="False" id="id4699499322616" position="1">
<OSrc neg="False">
<ObjectRef ref="net-Internal_net"/>
</OSrc>
<ODst neg="False">
<ObjectRef ref="sysid0"/>
</ODst>
<OSrv neg="False">
<ServiceRef ref="sysid1"/>
</OSrv>
<TSrc neg="False">
<ObjectRef ref="id4699494C22616"/>
</TSrc>
<TDst neg="False">
<ObjectRef ref="sysid0"/>
</TDst>
<TSrv neg="False">
<ServiceRef ref="sysid1"/>
</TSrv>
<NATRuleOptions/>
</NATRule>
</NAT>
<Policy id="id4699495222616" name="Policy">
<PolicyRule action="Accept" direction="Inbound" disabled="False" id="id4699495322616" log="False" position="0">
<Src neg="False">
<ObjectRef ref="net-Internal_net"/>
</Src>
<Dst neg="False">
<ObjectRef ref="sysid0"/>
</Dst>
<Srv neg="False">
<ServiceRef ref="tcp-SSH"/>
<ServiceRef ref="tcp-HTTP"/>
</Srv>
<Itf neg="False">
<ObjectRef ref="id469949A222616"/>
</Itf>
<When neg="False">
<IntervalRef ref="sysid2"/>
</When>
<PolicyRuleOptions>
<Option name="stateless">False</Option>
</PolicyRuleOptions>
</PolicyRule>
<PolicyRule action="Accept" direction="Both" disabled="False" id="id4699496022616" log="False" position="1">
<Src neg="False">
<ObjectRef ref="sysid0"/>
</Src>
<Dst neg="False">
<ObjectRef ref="sysid0"/>
</Dst>
<Srv neg="False">
<ServiceRef ref="sysid1"/>
</Srv>
<Itf neg="False">
<ObjectRef ref="id469949A622616"/>
</Itf>
<When neg="False">
<IntervalRef ref="sysid2"/>
</When>
<PolicyRuleOptions>
<Option name="log_prefix"/>
<Option name="pf_keep_state">False</Option>
<Option name="pf_max_src_conn">0</Option>
<Option name="pf_max_src_conn_flush">False</Option>
<Option name="pf_max_src_conn_global">False</Option>
<Option name="pf_max_src_conn_overload_table"/>
<Option name="pf_max_src_conn_rate_flush">False</Option>
<Option name="pf_max_src_conn_rate_global">False</Option>
<Option name="pf_max_src_conn_rate_num">0</Option>
<Option name="pf_max_src_conn_rate_overload_table"/>
<Option name="pf_max_src_conn_rate_seconds">0</Option>
<Option name="pf_max_src_nodes">0</Option>
<Option name="pf_max_src_states">0</Option>
<Option name="pf_rule_max_state">0</Option>
<Option name="pf_source_tracking">False</Option>
<Option name="stateless">True</Option>
</PolicyRuleOptions>
</PolicyRule>
<PolicyRule action="Accept" comment="via ipsec" direction="Both" disabled="False" id="id4699496C22616" log="False" position="2">
<Src neg="False">
<ObjectRef ref="id3B665643"/>
</Src>
<Dst neg="False">
<ObjectRef ref="net-Internal_net"/>
</Dst>
<Srv neg="False">
<ServiceRef ref="tcp-HTTP"/>
</Srv>
<Itf neg="False">
<ObjectRef ref="id469949A522616"/>
</Itf>
<When neg="False">
<IntervalRef ref="sysid2"/>
</When>
<PolicyRuleOptions>
<Option name="log_prefix"/>
<Option name="pf_keep_state">True</Option>
<Option name="pf_max_src_conn">0</Option>
<Option name="pf_max_src_conn_flush">False</Option>
<Option name="pf_max_src_conn_global">False</Option>
<Option name="pf_max_src_conn_overload_table"/>
<Option name="pf_max_src_conn_rate_flush">False</Option>
<Option name="pf_max_src_conn_rate_global">False</Option>
<Option name="pf_max_src_conn_rate_num">0</Option>
<Option name="pf_max_src_conn_rate_overload_table"/>
<Option name="pf_max_src_conn_rate_seconds">0</Option>
<Option name="pf_max_src_nodes">0</Option>
<Option name="pf_max_src_states">0</Option>
<Option name="pf_rule_max_state">0</Option>
<Option name="pf_source_tracking">False</Option>
<Option name="stateless">False</Option>
</PolicyRuleOptions>
</PolicyRule>
<PolicyRule action="Deny" direction="Both" disabled="False" id="id4699497822616" log="True" position="3">
<Src neg="False">
<ObjectRef ref="sysid0"/>
</Src>
<Dst neg="False">
<ObjectRef ref="sysid0"/>
</Dst>
<Srv neg="False">
<ServiceRef ref="sysid1"/>
</Srv>
<Itf neg="False">
<ObjectRef ref="sysid0"/>
</Itf>
<When neg="False">
<IntervalRef ref="sysid2"/>
</When>
<PolicyRuleOptions>
<Option name="stateless">True</Option>
</PolicyRuleOptions>
</PolicyRule>
</Policy>
<Routing id="id469949A122616" name="Routing"/>
<Interface bridgeport="False" dyn="False" id="id469949A222616" name="eth0" security_level="100" unnum="False" unprotected="False">
<IPv4 id="id469949A422616" name="firewall10-4:eth0:ip" address="192.168.1.1" netmask="255.255.255.0"/>
</Interface>
<Interface bridgeport="False" comment="" dyn="False" id="id469949A522616" label="" mgmt="False" name="enc0" security_level="0" unnum="True" unprotected="False"/>
<Interface bridgeport="False" comment="" dyn="False" id="id469949A622616" label="" mgmt="False" name="lo0" security_level="100" unnum="False" unprotected="True">
<IPv4 id="id469949A822616" name="firewall10-4:lo0:ip" address="127.0.0.1" netmask="255.0.0.0"/>
</Interface>
<Management address="127.0.0.1">
<SNMPManagement enabled="False" snmp_read_community="public" snmp_write_community=""/>
<FWBDManagement enabled="True" identity="" port="9999"/>
<PolicyInstallScript arguments="" command="" enabled="False"/>
</Management>
<FirewallOptions>
<Option name="accept_established">True</Option>
<Option name="accept_new_tcp_with_no_syn">True</Option>
<Option name="action_on_reject">ICMP net unreachable</Option>
<Option name="activationCmd"/>
<Option name="admUser"/>
<Option name="altAddress"/>
<Option name="check_shading">True</Option>
<Option name="clamp_mss_to_mtu">False</Option>
<Option name="cmdline"/>
<Option name="compiler"/>
<Option name="configure_interfaces">False</Option>
<Option name="debug">False</Option>
<Option name="dyn_addr">False</Option>
<Option name="epilog_script"/>
<Option name="fallback_log">False</Option>
<Option name="firewall_dir"/>
<Option name="firewall_is_part_of_any">True</Option>
<Option name="firewall_is_part_of_any_and_networks">True</Option>
<Option name="freebsd_path_ipf"/>
<Option name="freebsd_path_ipnat"/>
<Option name="freebsd_path_sysctl"/>
<Option name="ignore_empty_groups">False</Option>
<Option name="in_out_code">True</Option>
<Option name="inst_cmdline"/>
<Option name="inst_script"/>
<Option name="install_script"/>
<Option name="limit_suffix">/day</Option>
<Option name="limit_value">0</Option>
<Option name="linux24_ip_forward">0</Option>
<Option name="linux24_tcp_fin_timeout">30</Option>
<Option name="linux24_tcp_keepalive_interval">1800</Option>
<Option name="load_modules">False</Option>
<Option name="log_all_dropped">False</Option>
<Option name="log_ip_opt">False</Option>
<Option name="log_level">debug</Option>
<Option name="log_limit_suffix">/second</Option>
<Option name="log_limit_value">0</Option>
<Option name="log_prefix"/>
<Option name="log_tcp_opt">False</Option>
<Option name="log_tcp_seq">False</Option>
<Option name="manage_virtual_addr">True</Option>
<Option name="mgmt_addr">192.168.1.100</Option>
<Option name="mgmt_ssh">True</Option>
<Option name="modulate_state">False</Option>
<Option name="no_iochains_for_any">False</Option>
<Option name="no_optimisation">False</Option>
<Option name="openbsd_path_pfctl"/>
<Option name="openbsd_path_sysctl"/>
<Option name="output_file"/>
<Option name="pass_all_out">False</Option>
<Option name="pf_adaptive_end">0</Option>
<Option name="pf_adaptive_start">0</Option>
<Option name="pf_do_limit_frags">False</Option>
<Option name="pf_do_limit_src_nodes">False</Option>
<Option name="pf_do_limit_states">False</Option>
<Option name="pf_do_limit_table_entries">False</Option>
<Option name="pf_do_limit_tables">False</Option>
<Option name="pf_do_scrub">True</Option>
<Option name="pf_do_timeout_frag">False</Option>
<Option name="pf_do_timeout_interval">False</Option>
<Option name="pf_icmp_error">0</Option>
<Option name="pf_icmp_first">0</Option>
<Option name="pf_limit_frags">5000</Option>
<Option name="pf_limit_src_nodes">0</Option>
<Option name="pf_limit_states">10000</Option>
<Option name="pf_limit_table_entries">0</Option>
<Option name="pf_limit_tables">0</Option>
<Option name="pf_optimization"/>
<Option name="pf_other_first">0</Option>
<Option name="pf_other_multiple">0</Option>
<Option name="pf_other_single">0</Option>
<Option name="pf_scrub_fragm_crop">False</Option>
<Option name="pf_scrub_fragm_drop_ovl">False</Option>
<Option name="pf_scrub_maxmss">1460</Option>
<Option name="pf_scrub_minttl">1</Option>
<Option name="pf_scrub_no_df">False</Option>
<Option name="pf_scrub_random_id">False</Option>
<Option name="pf_scrub_reassemble">True</Option>
<Option name="pf_scrub_use_maxmss">False</Option>
<Option name="pf_scrub_use_minttl">False</Option>
<Option name="pf_set_adaptive">False</Option>
<Option name="pf_set_icmp_error">False</Option>
<Option name="pf_set_icmp_first">False</Option>
<Option name="pf_set_other_first">False</Option>
<Option name="pf_set_other_multiple">False</Option>
<Option name="pf_set_other_single">False</Option>
<Option name="pf_set_tcp_closed">False</Option>
<Option name="pf_set_tcp_closing">False</Option>
<Option name="pf_set_tcp_established">False</Option>
<Option name="pf_set_tcp_finwait">False</Option>
<Option name="pf_set_tcp_first">False</Option>
<Option name="pf_set_tcp_opening">False</Option>
<Option name="pf_set_udp_first">False</Option>
<Option name="pf_set_udp_multiple">False</Option>
<Option name="pf_set_udp_single">False</Option>
<Option name="pf_tcp_closed">0</Option>
<Option name="pf_tcp_closing">0</Option>
<Option name="pf_tcp_established">0</Option>
<Option name="pf_tcp_finwait">0</Option>
<Option name="pf_tcp_first">0</Option>
<Option name="pf_tcp_opening">0</Option>
<Option name="pf_timeout_frag">30</Option>
<Option name="pf_timeout_interval">10</Option>
<Option name="pf_udp_first">0</Option>
<Option name="pf_udp_multiple">0</Option>
<Option name="pf_udp_single">0</Option>
<Option name="platform">iptables</Option>
<Option name="prolog_place">fw_file</Option>
<Option name="prolog_script"/>
<Option name="proxy_arp">False</Option>
<Option name="script_env_path"/>
<Option name="snmp_contact"/>
<Option name="snmp_description"/>
<Option name="snmp_location"/>
<Option name="sshArgs"/>
<Option name="use_ip_tool">False</Option>
<Option name="use_numeric_log_levels">False</Option>
<Option name="use_tables">True</Option>
</FirewallOptions>
</Firewall>
<Firewall comment="PF 3.x, testing &#10;&quot;flags S/SA keep state&quot;&#10;&quot;Accept tcp sessions opened&#10;prior to restart&quot; ON&#10;Using &quot;pass all outgoing&quot;&#10;" host_OS="openbsd" id="id46F605DE10002" inactive="False" lastCompiled="1202682011" lastInstalled="0" lastModified="1202681989" name="firewall10-5" platform="pf" ro="False" version="3.x">
<NAT id="id46F6061610002" name="NAT">
<NATRule disabled="True" id="id46F6061710002" position="0">
<OSrc neg="False">
<ObjectRef ref="net-Internal_net"/>
</OSrc>
<ODst neg="False">
<ObjectRef ref="sysid0"/>
</ODst>
<OSrv neg="False">
<ServiceRef ref="sysid1"/>
</OSrv>
<TSrc neg="False">
<ObjectRef ref="id46F6063710002"/>
</TSrc>
<TDst neg="False">
<ObjectRef ref="sysid0"/>
</TDst>
<TSrv neg="False">
<ServiceRef ref="sysid1"/>
</TSrv>
<NATRuleOptions/>
</NATRule>
<NATRule disabled="False" id="id46F6062510002" position="1">
<OSrc neg="False">
<ObjectRef ref="net-Internal_net"/>
</OSrc>
<ODst neg="False">
<ObjectRef ref="sysid0"/>
</ODst>
<OSrv neg="False">
<ServiceRef ref="sysid1"/>
</OSrv>
<TSrc neg="False">
<ObjectRef ref="id46F605DE10002"/>
</TSrc>
<TDst neg="False">
<ObjectRef ref="sysid0"/>
</TDst>
<TSrv neg="False">
<ServiceRef ref="sysid1"/>
</TSrv>
<NATRuleOptions/>
</NATRule>
</NAT>
<Policy id="id46F605E410002" name="Policy">
<PolicyRule action="Accept" comment="This adds &quot;pass out ... keep state&quot; &#10;rule that compiler 2.1.14&#10;does not add automatically for pf 3.x&#10;Note that checkbox &quot;add 'keep state'&quot;&#10;is on in options&#10;" direction="Outbound" disabled="False" id="id46F6520210002" log="False" position="0">
<Src neg="False">
<ObjectRef ref="sysid0"/>
</Src>
<Dst neg="False">
<ObjectRef ref="sysid0"/>
</Dst>
<Srv neg="False">
<ServiceRef ref="sysid1"/>
</Srv>
<Itf neg="False">
<ObjectRef ref="id46F6063710002"/>
</Itf>
<When neg="False">
<IntervalRef ref="sysid2"/>
</When>
<PolicyRuleOptions>
<Option name="log_prefix"/>
<Option name="pf_keep_state">True</Option>
<Option name="pf_max_src_conn">0</Option>
<Option name="pf_max_src_conn_flush">False</Option>
<Option name="pf_max_src_conn_global">False</Option>
<Option name="pf_max_src_conn_overload_table"/>
<Option name="pf_max_src_conn_rate_flush">False</Option>
<Option name="pf_max_src_conn_rate_global">False</Option>
<Option name="pf_max_src_conn_rate_num">0</Option>
<Option name="pf_max_src_conn_rate_overload_table"/>
<Option name="pf_max_src_conn_rate_seconds">0</Option>
<Option name="pf_max_src_nodes">0</Option>
<Option name="pf_max_src_states">0</Option>
<Option name="pf_rule_max_state">0</Option>
<Option name="pf_source_tracking">False</Option>
<Option name="stateless">False</Option>
</PolicyRuleOptions>
</PolicyRule>
<PolicyRule action="Accept" direction="Inbound" disabled="False" id="id46F605E510002" log="False" position="1">
<Src neg="False">
<ObjectRef ref="net-Internal_net"/>
</Src>
<Dst neg="False">
<ObjectRef ref="sysid0"/>
</Dst>
<Srv neg="False">
<ServiceRef ref="tcp-SSH"/>
<ServiceRef ref="tcp-HTTP"/>
</Srv>
<Itf neg="False">
<ObjectRef ref="id46F6063410002"/>
</Itf>
<When neg="False">
<IntervalRef ref="sysid2"/>
</When>
<PolicyRuleOptions>
<Option name="stateless">False</Option>
</PolicyRuleOptions>
</PolicyRule>
<PolicyRule action="Accept" direction="Both" disabled="False" id="id46F605F210002" log="False" position="2">
<Src neg="False">
<ObjectRef ref="sysid0"/>
</Src>
<Dst neg="False">
<ObjectRef ref="sysid0"/>
</Dst>
<Srv neg="False">
<ServiceRef ref="sysid1"/>
</Srv>
<Itf neg="False">
<ObjectRef ref="id46F6063810002"/>
</Itf>
<When neg="False">
<IntervalRef ref="sysid2"/>
</When>
<PolicyRuleOptions>
<Option name="log_prefix"/>
<Option name="pf_keep_state">False</Option>
<Option name="pf_max_src_conn">0</Option>
<Option name="pf_max_src_conn_flush">False</Option>
<Option name="pf_max_src_conn_global">False</Option>
<Option name="pf_max_src_conn_overload_table"/>
<Option name="pf_max_src_conn_rate_flush">False</Option>
<Option name="pf_max_src_conn_rate_global">False</Option>
<Option name="pf_max_src_conn_rate_num">0</Option>
<Option name="pf_max_src_conn_rate_overload_table"/>
<Option name="pf_max_src_conn_rate_seconds">0</Option>
<Option name="pf_max_src_nodes">0</Option>
<Option name="pf_max_src_states">0</Option>
<Option name="pf_rule_max_state">0</Option>
<Option name="pf_source_tracking">False</Option>
<Option name="stateless">True</Option>
</PolicyRuleOptions>
</PolicyRule>
<PolicyRule action="Accept" comment="via ipsec" direction="Both" disabled="False" id="id46F605FE10002" log="False" position="3">
<Src neg="False">
<ObjectRef ref="id3B665643"/>
</Src>
<Dst neg="False">
<ObjectRef ref="net-Internal_net"/>
</Dst>
<Srv neg="False">
<ServiceRef ref="tcp-HTTP"/>
</Srv>
<Itf neg="False">
<ObjectRef ref="id46F6063710002"/>
</Itf>
<When neg="False">
<IntervalRef ref="sysid2"/>
</When>
<PolicyRuleOptions>
<Option name="log_prefix"/>
<Option name="pf_keep_state">True</Option>
<Option name="pf_max_src_conn">0</Option>
<Option name="pf_max_src_conn_flush">False</Option>
<Option name="pf_max_src_conn_global">False</Option>
<Option name="pf_max_src_conn_overload_table"/>
<Option name="pf_max_src_conn_rate_flush">False</Option>
<Option name="pf_max_src_conn_rate_global">False</Option>
<Option name="pf_max_src_conn_rate_num">0</Option>
<Option name="pf_max_src_conn_rate_overload_table"/>
<Option name="pf_max_src_conn_rate_seconds">0</Option>
<Option name="pf_max_src_nodes">0</Option>
<Option name="pf_max_src_states">0</Option>
<Option name="pf_rule_max_state">0</Option>
<Option name="pf_source_tracking">False</Option>
<Option name="stateless">False</Option>
</PolicyRuleOptions>
</PolicyRule>
<PolicyRule action="Deny" direction="Both" disabled="False" id="id46F6060A10002" log="True" position="4">
<Src neg="False">
<ObjectRef ref="sysid0"/>
</Src>
<Dst neg="False">
<ObjectRef ref="sysid0"/>
</Dst>
<Srv neg="False">
<ServiceRef ref="sysid1"/>
</Srv>
<Itf neg="False">
<ObjectRef ref="sysid0"/>
</Itf>
<When neg="False">
<IntervalRef ref="sysid2"/>
</When>
<PolicyRuleOptions>
<Option name="stateless">True</Option>
</PolicyRuleOptions>
</PolicyRule>
</Policy>
<Routing id="id46F6063310002" name="Routing"/>
<Interface bridgeport="False" dyn="False" id="id46F6063410002" name="eth0" security_level="100" unnum="False" unprotected="False">
<IPv4 id="id46F6063610002" name="firewall10-5:eth0:ip" address="192.168.1.1" netmask="255.255.255.0"/>
</Interface>
<Interface bridgeport="False" comment="" dyn="False" id="id46F6063710002" label="" mgmt="False" name="enc0" security_level="0" unnum="True" unprotected="False"/>
<Interface bridgeport="False" comment="" dyn="False" id="id46F6063810002" label="" mgmt="False" name="lo0" security_level="100" unnum="False" unprotected="False">
<IPv4 id="id46F6063A10002" name="firewall10-5:lo0:ip" address="127.0.0.1" netmask="255.0.0.0"/>
</Interface>
<Management address="127.0.0.1">
<SNMPManagement enabled="False" snmp_read_community="public" snmp_write_community=""/>
<FWBDManagement enabled="True" identity="" port="9999"/>
<PolicyInstallScript arguments="" command="" enabled="False"/>
</Management>
<FirewallOptions>
<Option name="accept_established">True</Option>
<Option name="accept_new_tcp_with_no_syn">True</Option>
<Option name="action_on_reject">ICMP net unreachable</Option>
<Option name="activationCmd"/>
<Option name="admUser"/>
<Option name="altAddress"/>
<Option name="check_shading">False</Option>
<Option name="clamp_mss_to_mtu">False</Option>
<Option name="cmdline"/>
<Option name="compiler"/>
<Option name="configure_interfaces">False</Option>
<Option name="debug">False</Option>
<Option name="dyn_addr">False</Option>
<Option name="epilog_script"/>
<Option name="fallback_log">False</Option>
<Option name="firewall_dir"/>
<Option name="firewall_is_part_of_any">True</Option>
<Option name="firewall_is_part_of_any_and_networks">True</Option>
<Option name="freebsd_path_ipf"/>
<Option name="freebsd_path_ipnat"/>
<Option name="freebsd_path_sysctl"/>
<Option name="ignore_empty_groups">False</Option>
<Option name="in_out_code">False</Option>
<Option name="inst_cmdline"/>
<Option name="inst_script"/>
<Option name="install_script"/>
<Option name="limit_suffix">/day</Option>
<Option name="limit_value">0</Option>
<Option name="linux24_ip_forward">0</Option>
<Option name="linux24_tcp_fin_timeout">30</Option>
<Option name="linux24_tcp_keepalive_interval">1800</Option>
<Option name="load_modules">False</Option>
<Option name="log_all_dropped">False</Option>
<Option name="log_ip_opt">False</Option>
<Option name="log_level">debug</Option>
<Option name="log_limit_suffix">/second</Option>
<Option name="log_limit_value">0</Option>
<Option name="log_prefix"/>
<Option name="log_tcp_opt">False</Option>
<Option name="log_tcp_seq">False</Option>
<Option name="manage_virtual_addr">True</Option>
<Option name="mgmt_addr">192.168.1.100</Option>
<Option name="mgmt_ssh">True</Option>
<Option name="modulate_state">False</Option>
<Option name="no_iochains_for_any">False</Option>
<Option name="no_optimisation">False</Option>
<Option name="openbsd_path_pfctl"/>
<Option name="openbsd_path_sysctl"/>
<Option name="output_file"/>
<Option name="pass_all_out">True</Option>
<Option name="pf_adaptive_end">0</Option>
<Option name="pf_adaptive_start">0</Option>
<Option name="pf_do_limit_frags">False</Option>
<Option name="pf_do_limit_src_nodes">False</Option>
<Option name="pf_do_limit_states">False</Option>
<Option name="pf_do_limit_table_entries">False</Option>
<Option name="pf_do_limit_tables">False</Option>
<Option name="pf_do_scrub">True</Option>
<Option name="pf_do_timeout_frag">False</Option>
<Option name="pf_do_timeout_interval">False</Option>
<Option name="pf_icmp_error">0</Option>
<Option name="pf_icmp_first">0</Option>
<Option name="pf_limit_frags">5000</Option>
<Option name="pf_limit_src_nodes">0</Option>
<Option name="pf_limit_states">10000</Option>
<Option name="pf_limit_table_entries">0</Option>
<Option name="pf_limit_tables">0</Option>
<Option name="pf_optimization"/>
<Option name="pf_other_first">0</Option>
<Option name="pf_other_multiple">0</Option>
<Option name="pf_other_single">0</Option>
<Option name="pf_scrub_fragm_crop">False</Option>
<Option name="pf_scrub_fragm_drop_ovl">False</Option>
<Option name="pf_scrub_maxmss">1460</Option>
<Option name="pf_scrub_minttl">1</Option>
<Option name="pf_scrub_no_df">False</Option>
<Option name="pf_scrub_random_id">False</Option>
<Option name="pf_scrub_reassemble">True</Option>
<Option name="pf_scrub_use_maxmss">False</Option>
<Option name="pf_scrub_use_minttl">False</Option>
<Option name="pf_set_adaptive">False</Option>
<Option name="pf_set_icmp_error">False</Option>
<Option name="pf_set_icmp_first">False</Option>
<Option name="pf_set_other_first">False</Option>
<Option name="pf_set_other_multiple">False</Option>
<Option name="pf_set_other_single">False</Option>
<Option name="pf_set_tcp_closed">False</Option>
<Option name="pf_set_tcp_closing">False</Option>
<Option name="pf_set_tcp_established">False</Option>
<Option name="pf_set_tcp_finwait">False</Option>
<Option name="pf_set_tcp_first">False</Option>
<Option name="pf_set_tcp_opening">False</Option>
<Option name="pf_set_udp_first">False</Option>
<Option name="pf_set_udp_multiple">False</Option>
<Option name="pf_set_udp_single">False</Option>
<Option name="pf_tcp_closed">0</Option>
<Option name="pf_tcp_closing">0</Option>
<Option name="pf_tcp_established">0</Option>
<Option name="pf_tcp_finwait">0</Option>
<Option name="pf_tcp_first">0</Option>
<Option name="pf_tcp_opening">0</Option>
<Option name="pf_timeout_frag">30</Option>
<Option name="pf_timeout_interval">10</Option>
<Option name="pf_udp_first">0</Option>
<Option name="pf_udp_multiple">0</Option>
<Option name="pf_udp_single">0</Option>
<Option name="platform">iptables</Option>
<Option name="prolog_place">fw_file</Option>
<Option name="prolog_script"/>
<Option name="proxy_arp">False</Option>
<Option name="script_env_path"/>
<Option name="snmp_contact"/>
<Option name="snmp_description"/>
<Option name="snmp_location"/>
<Option name="sshArgs"/>
<Option name="use_ip_tool">False</Option>
<Option name="use_numeric_log_levels">False</Option>
<Option name="use_tables">True</Option>
</FirewallOptions>
</Firewall>
<Firewall comment="PF 4.x, testing &#10;&quot;flags S/SA keep state&quot;&#10;&quot;Accept tcp sessions opened&#10;prior to restart&quot; is ON&#10;Using &quot;pass all outgoing&quot;&#10;" host_OS="openbsd" id="id46F6064010002" inactive="False" lastCompiled="1202682012" lastInstalled="0" lastModified="1202681995" name="firewall10-6" platform="pf" ro="False" version="4.x">
<NAT id="id46F6067810002" name="NAT">
<NATRule disabled="True" id="id46F6067910002" position="0">
<OSrc neg="False">
<ObjectRef ref="net-Internal_net"/>
</OSrc>
<ODst neg="False">
<ObjectRef ref="sysid0"/>
</ODst>
<OSrv neg="False">
<ServiceRef ref="sysid1"/>
</OSrv>
<TSrc neg="False">
<ObjectRef ref="id46F6069910002"/>
</TSrc>
<TDst neg="False">
<ObjectRef ref="sysid0"/>
</TDst>
<TSrv neg="False">
<ServiceRef ref="sysid1"/>
</TSrv>
<NATRuleOptions/>
</NATRule>
<NATRule disabled="False" id="id46F6068710002" position="1">
<OSrc neg="False">
<ObjectRef ref="net-Internal_net"/>
</OSrc>
<ODst neg="False">
<ObjectRef ref="sysid0"/>
</ODst>
<OSrv neg="False">
<ServiceRef ref="sysid1"/>
</OSrv>
<TSrc neg="False">
<ObjectRef ref="id46F6064010002"/>
</TSrc>
<TDst neg="False">
<ObjectRef ref="sysid0"/>
</TDst>
<TSrv neg="False">
<ServiceRef ref="sysid1"/>
</TSrv>
<NATRuleOptions/>
</NATRule>
</NAT>
<Policy id="id46F6064610002" name="Policy">
<PolicyRule action="Accept" direction="Inbound" disabled="False" id="id46F6064710002" log="False" position="0">
<Src neg="False">
<ObjectRef ref="net-Internal_net"/>
</Src>
<Dst neg="False">
<ObjectRef ref="sysid0"/>
</Dst>
<Srv neg="False">
<ServiceRef ref="tcp-SSH"/>
<ServiceRef ref="tcp-HTTP"/>
</Srv>
<Itf neg="False">
<ObjectRef ref="id46F6069610002"/>
</Itf>
<When neg="False">
<IntervalRef ref="sysid2"/>
</When>
<PolicyRuleOptions>
<Option name="stateless">False</Option>
</PolicyRuleOptions>
</PolicyRule>
<PolicyRule action="Accept" direction="Both" disabled="False" id="id46F6065410002" log="False" position="1">
<Src neg="False">
<ObjectRef ref="sysid0"/>
</Src>
<Dst neg="False">
<ObjectRef ref="sysid0"/>
</Dst>
<Srv neg="False">
<ServiceRef ref="sysid1"/>
</Srv>
<Itf neg="False">
<ObjectRef ref="id46F6069A10002"/>
</Itf>
<When neg="False">
<IntervalRef ref="sysid2"/>
</When>
<PolicyRuleOptions>
<Option name="log_prefix"/>
<Option name="pf_keep_state">False</Option>
<Option name="pf_max_src_conn">0</Option>
<Option name="pf_max_src_conn_flush">False</Option>
<Option name="pf_max_src_conn_global">False</Option>
<Option name="pf_max_src_conn_overload_table"/>
<Option name="pf_max_src_conn_rate_flush">False</Option>
<Option name="pf_max_src_conn_rate_global">False</Option>
<Option name="pf_max_src_conn_rate_num">0</Option>
<Option name="pf_max_src_conn_rate_overload_table"/>
<Option name="pf_max_src_conn_rate_seconds">0</Option>
<Option name="pf_max_src_nodes">0</Option>
<Option name="pf_max_src_states">0</Option>
<Option name="pf_rule_max_state">0</Option>
<Option name="pf_source_tracking">False</Option>
<Option name="stateless">True</Option>
</PolicyRuleOptions>
</PolicyRule>
<PolicyRule action="Accept" comment="via ipsec" direction="Both" disabled="False" id="id46F6066010002" log="False" position="2">
<Src neg="False">
<ObjectRef ref="id3B665643"/>
</Src>
<Dst neg="False">
<ObjectRef ref="net-Internal_net"/>
</Dst>
<Srv neg="False">
<ServiceRef ref="tcp-HTTP"/>
</Srv>
<Itf neg="False">
<ObjectRef ref="id46F6069910002"/>
</Itf>
<When neg="False">
<IntervalRef ref="sysid2"/>
</When>
<PolicyRuleOptions>
<Option name="log_prefix"/>
<Option name="pf_keep_state">True</Option>
<Option name="pf_max_src_conn">0</Option>
<Option name="pf_max_src_conn_flush">False</Option>
<Option name="pf_max_src_conn_global">False</Option>
<Option name="pf_max_src_conn_overload_table"/>
<Option name="pf_max_src_conn_rate_flush">False</Option>
<Option name="pf_max_src_conn_rate_global">False</Option>
<Option name="pf_max_src_conn_rate_num">0</Option>
<Option name="pf_max_src_conn_rate_overload_table"/>
<Option name="pf_max_src_conn_rate_seconds">0</Option>
<Option name="pf_max_src_nodes">0</Option>
<Option name="pf_max_src_states">0</Option>
<Option name="pf_rule_max_state">0</Option>
<Option name="pf_source_tracking">False</Option>
<Option name="stateless">False</Option>
</PolicyRuleOptions>
</PolicyRule>
<PolicyRule action="Deny" direction="Both" disabled="False" id="id46F6066C10002" log="True" position="3">
<Src neg="False">
<ObjectRef ref="sysid0"/>
</Src>
<Dst neg="False">
<ObjectRef ref="sysid0"/>
</Dst>
<Srv neg="False">
<ServiceRef ref="sysid1"/>
</Srv>
<Itf neg="False">
<ObjectRef ref="sysid0"/>
</Itf>
<When neg="False">
<IntervalRef ref="sysid2"/>
</When>
<PolicyRuleOptions>
<Option name="stateless">True</Option>
</PolicyRuleOptions>
</PolicyRule>
</Policy>
<Routing id="id46F6069510002" name="Routing"/>
<Interface bridgeport="False" dyn="False" id="id46F6069610002" name="eth0" security_level="100" unnum="False" unprotected="False">
<IPv4 id="id46F6069810002" name="firewall10-6:eth0:ip" address="192.168.1.1" netmask="255.255.255.0"/>
</Interface>
<Interface bridgeport="False" comment="" dyn="False" id="id46F6069910002" label="" mgmt="False" name="enc0" security_level="0" unnum="True" unprotected="False"/>
<Interface bridgeport="False" comment="" dyn="False" id="id46F6069A10002" label="" mgmt="False" name="lo0" security_level="100" unnum="False" unprotected="True">
<IPv4 id="id46F6069C10002" name="firewall10-6:lo0:ip" address="127.0.0.1" netmask="255.0.0.0"/>
</Interface>
<Management address="127.0.0.1">
<SNMPManagement enabled="False" snmp_read_community="public" snmp_write_community=""/>
<FWBDManagement enabled="True" identity="" port="9999"/>
<PolicyInstallScript arguments="" command="" enabled="False"/>
</Management>
<FirewallOptions>
<Option name="accept_established">True</Option>
<Option name="accept_new_tcp_with_no_syn">True</Option>
<Option name="action_on_reject">ICMP net unreachable</Option>
<Option name="activationCmd"/>
<Option name="admUser"/>
<Option name="altAddress"/>
<Option name="check_shading">True</Option>
<Option name="clamp_mss_to_mtu">False</Option>
<Option name="cmdline"/>
<Option name="compiler"/>
<Option name="configure_interfaces">False</Option>
<Option name="debug">False</Option>
<Option name="dyn_addr">False</Option>
<Option name="epilog_script"/>
<Option name="fallback_log">False</Option>
<Option name="firewall_dir"/>
<Option name="firewall_is_part_of_any">True</Option>
<Option name="firewall_is_part_of_any_and_networks">True</Option>
<Option name="freebsd_path_ipf"/>
<Option name="freebsd_path_ipnat"/>
<Option name="freebsd_path_sysctl"/>
<Option name="ignore_empty_groups">False</Option>
<Option name="in_out_code">False</Option>
<Option name="inst_cmdline"/>
<Option name="inst_script"/>
<Option name="install_script"/>
<Option name="limit_suffix">/day</Option>
<Option name="limit_value">0</Option>
<Option name="linux24_ip_forward">0</Option>
<Option name="linux24_tcp_fin_timeout">30</Option>
<Option name="linux24_tcp_keepalive_interval">1800</Option>
<Option name="load_modules">False</Option>
<Option name="log_all_dropped">False</Option>
<Option name="log_ip_opt">False</Option>
<Option name="log_level">debug</Option>
<Option name="log_limit_suffix">/second</Option>
<Option name="log_limit_value">0</Option>
<Option name="log_prefix"/>
<Option name="log_tcp_opt">False</Option>
<Option name="log_tcp_seq">False</Option>
<Option name="manage_virtual_addr">True</Option>
<Option name="mgmt_addr">192.168.1.100</Option>
<Option name="mgmt_ssh">True</Option>
<Option name="modulate_state">False</Option>
<Option name="no_iochains_for_any">False</Option>
<Option name="no_optimisation">False</Option>
<Option name="openbsd_path_pfctl"/>
<Option name="openbsd_path_sysctl"/>
<Option name="output_file"/>
<Option name="pass_all_out">True</Option>
<Option name="pf_adaptive_end">0</Option>
<Option name="pf_adaptive_start">0</Option>
<Option name="pf_do_limit_frags">False</Option>
<Option name="pf_do_limit_src_nodes">False</Option>
<Option name="pf_do_limit_states">False</Option>
<Option name="pf_do_limit_table_entries">False</Option>
<Option name="pf_do_limit_tables">False</Option>
<Option name="pf_do_scrub">True</Option>
<Option name="pf_do_timeout_frag">False</Option>
<Option name="pf_do_timeout_interval">False</Option>
<Option name="pf_icmp_error">0</Option>
<Option name="pf_icmp_first">0</Option>
<Option name="pf_limit_frags">5000</Option>
<Option name="pf_limit_src_nodes">0</Option>
<Option name="pf_limit_states">10000</Option>
<Option name="pf_limit_table_entries">0</Option>
<Option name="pf_limit_tables">0</Option>
<Option name="pf_optimization"/>
<Option name="pf_other_first">0</Option>
<Option name="pf_other_multiple">0</Option>
<Option name="pf_other_single">0</Option>
<Option name="pf_scrub_fragm_crop">False</Option>
<Option name="pf_scrub_fragm_drop_ovl">False</Option>
<Option name="pf_scrub_maxmss">1460</Option>
<Option name="pf_scrub_minttl">1</Option>
<Option name="pf_scrub_no_df">False</Option>
<Option name="pf_scrub_random_id">False</Option>
<Option name="pf_scrub_reassemble">True</Option>
<Option name="pf_scrub_use_maxmss">False</Option>
<Option name="pf_scrub_use_minttl">False</Option>
<Option name="pf_set_adaptive">False</Option>
<Option name="pf_set_icmp_error">False</Option>
<Option name="pf_set_icmp_first">False</Option>
<Option name="pf_set_other_first">False</Option>
<Option name="pf_set_other_multiple">False</Option>
<Option name="pf_set_other_single">False</Option>
<Option name="pf_set_tcp_closed">False</Option>
<Option name="pf_set_tcp_closing">False</Option>
<Option name="pf_set_tcp_established">False</Option>
<Option name="pf_set_tcp_finwait">False</Option>
<Option name="pf_set_tcp_first">False</Option>
<Option name="pf_set_tcp_opening">False</Option>
<Option name="pf_set_udp_first">False</Option>
<Option name="pf_set_udp_multiple">False</Option>
<Option name="pf_set_udp_single">False</Option>
<Option name="pf_tcp_closed">0</Option>
<Option name="pf_tcp_closing">0</Option>
<Option name="pf_tcp_established">0</Option>
<Option name="pf_tcp_finwait">0</Option>
<Option name="pf_tcp_first">0</Option>
<Option name="pf_tcp_opening">0</Option>
<Option name="pf_timeout_frag">30</Option>
<Option name="pf_timeout_interval">10</Option>
<Option name="pf_udp_first">0</Option>
<Option name="pf_udp_multiple">0</Option>
<Option name="pf_udp_single">0</Option>
<Option name="platform">iptables</Option>
<Option name="prolog_place">fw_file</Option>
<Option name="prolog_script"/>
<Option name="proxy_arp">False</Option>
<Option name="script_env_path"/>
<Option name="snmp_contact"/>
<Option name="snmp_description"/>
<Option name="snmp_location"/>
<Option name="sshArgs"/>
<Option name="use_ip_tool">False</Option>
<Option name="use_numeric_log_levels">False</Option>
<Option name="use_tables">True</Option>
</FirewallOptions>
</Firewall>
<Firewall comment="testing Route action&#10;with load balancing&#10;" host_OS="openbsd" id="id476458AA9697" inactive="False" lastCompiled="1157930816" lastInstalled="0" lastModified="1197750649" name="firewall40-1" platform="pf" ro="False" version="">
<NAT id="id476458FA9697" name="NAT">
<NATRule comment="Translate source address&#10;for outgoing connections" disabled="False" id="id476458FB9697" position="0">
<OSrc neg="False">
<ObjectRef ref="id3DC75CE7-1"/>
</OSrc>
<ODst neg="False">
<ObjectRef ref="sysid0"/>
</ODst>
<OSrv neg="False">
<ServiceRef ref="sysid1"/>
</OSrv>
<TSrc neg="False">
<ObjectRef ref="id476459189697"/>
</TSrc>
<TDst neg="False">
<ObjectRef ref="sysid0"/>
</TDst>
<TSrv neg="False">
<ServiceRef ref="sysid1"/>
</TSrv>
<NATRuleOptions/>
</NATRule>
<NATRule comment="Translate source address&#10;for outgoing connections" disabled="False" id="id476459099697" position="1">
<OSrc neg="False">
<ObjectRef ref="id3DC75CE7-1"/>
</OSrc>
<ODst neg="False">
<ObjectRef ref="sysid0"/>
</ODst>
<OSrv neg="False">
<ServiceRef ref="sysid1"/>
</OSrv>
<TSrc neg="False">
<ObjectRef ref="id476459219697"/>
</TSrc>
<TDst neg="False">
<ObjectRef ref="sysid0"/>
</TDst>
<TSrv neg="False">
<ServiceRef ref="sysid1"/>
</TSrv>
<NATRuleOptions/>
</NATRule>
</NAT>
<Policy id="id476458B09697" name="Policy">
<PolicyRule action="Route" comment="" direction="Inbound" disabled="False" id="id47646C979697" log="False" position="0">
<Src neg="False">
<ObjectRef ref="id3DC75CE7-1"/>
</Src>
<Dst neg="False">
<ObjectRef ref="sysid0"/>
</Dst>
<Srv neg="False">
<ServiceRef ref="tcp-HTTP"/>
</Srv>
<Itf neg="False">
<ObjectRef ref="id4764591B9697"/>
</Itf>
<When neg="False">
<IntervalRef ref="sysid2"/>
</When>
<PolicyRuleOptions>
<Option name="action_on_reject"/>
<Option name="branch_anchor_name"/>
<Option name="branch_chain_name"/>
<Option name="classify_str"/>
<Option name="color">#8BC065</Option>
<Option name="custom_str"/>
<Option name="ipf_route_opt_addr"/>
<Option name="ipf_route_opt_if"/>
<Option name="ipf_route_option">route_through</Option>
<Option name="ipfw_classify_method">2</Option>
<Option name="ipfw_pipe_port_num">0</Option>
<Option name="ipfw_pipe_queue_num">0</Option>
<Option name="ipt_continue">False</Option>
<Option name="ipt_gw"/>
<Option name="ipt_iif"/>
<Option name="ipt_mark_connections">False</Option>
<Option name="ipt_oif"/>
<Option name="ipt_tee">False</Option>
<Option name="log_prefix"/>
<Option name="pf_fastroute">False</Option>
<Option name="pf_keep_state">False</Option>
<Option name="pf_max_src_conn">0</Option>
<Option name="pf_max_src_conn_flush">False</Option>
<Option name="pf_max_src_conn_global">False</Option>
<Option name="pf_max_src_conn_overload_table"/>
<Option name="pf_max_src_conn_rate_flush">False</Option>
<Option name="pf_max_src_conn_rate_global">False</Option>
<Option name="pf_max_src_conn_rate_num">0</Option>
<Option name="pf_max_src_conn_rate_overload_table"/>
<Option name="pf_max_src_conn_rate_seconds">0</Option>
<Option name="pf_max_src_nodes">0</Option>
<Option name="pf_max_src_states">0</Option>
<Option name="pf_route_load_option">random</Option>
<Option name="pf_route_opt_addr">192.0.2.1,192.0.2.2,192.0.2.3</Option>
<Option name="pf_route_opt_if">le1</Option>
<Option name="pf_route_option">route_through</Option>
<Option name="pf_rule_max_state">0</Option>
<Option name="pf_source_tracking">False</Option>
<Option name="rule_name_accounting"/>
<Option name="stateless">False</Option>
</PolicyRuleOptions>
</PolicyRule>
<PolicyRule action="Route" comment="" direction="Inbound" disabled="False" id="id47646C869697" log="False" position="1">
<Src neg="False">
<ObjectRef ref="id3DC75CE7-1"/>
</Src>
<Dst neg="False">
<ObjectRef ref="sysid0"/>
</Dst>
<Srv neg="False">
<ServiceRef ref="tcp-HTTP"/>
</Srv>
<Itf neg="False">
<ObjectRef ref="id4764591B9697"/>
</Itf>
<When neg="False">
<IntervalRef ref="sysid2"/>
</When>
<PolicyRuleOptions>
<Option name="action_on_reject"/>
<Option name="branch_anchor_name"/>
<Option name="branch_chain_name"/>
<Option name="classify_str"/>
<Option name="color">#8BC065</Option>
<Option name="custom_str"/>
<Option name="ipf_route_opt_addr"/>
<Option name="ipf_route_opt_if"/>
<Option name="ipf_route_option">route_through</Option>
<Option name="ipfw_classify_method">2</Option>
<Option name="ipfw_pipe_port_num">0</Option>
<Option name="ipfw_pipe_queue_num">0</Option>
<Option name="ipt_continue">False</Option>
<Option name="ipt_gw"/>
<Option name="ipt_iif"/>
<Option name="ipt_mark_connections">False</Option>
<Option name="ipt_oif"/>
<Option name="ipt_tee">False</Option>
<Option name="log_prefix"/>
<Option name="pf_fastroute">False</Option>
<Option name="pf_keep_state">False</Option>
<Option name="pf_max_src_conn">0</Option>
<Option name="pf_max_src_conn_flush">False</Option>
<Option name="pf_max_src_conn_global">False</Option>
<Option name="pf_max_src_conn_overload_table"/>
<Option name="pf_max_src_conn_rate_flush">False</Option>
<Option name="pf_max_src_conn_rate_global">False</Option>
<Option name="pf_max_src_conn_rate_num">0</Option>
<Option name="pf_max_src_conn_rate_overload_table"/>
<Option name="pf_max_src_conn_rate_seconds">0</Option>
<Option name="pf_max_src_nodes">0</Option>
<Option name="pf_max_src_states">0</Option>
<Option name="pf_route_load_option">round_robin</Option>
<Option name="pf_route_opt_addr">192.0.2.1,192.0.2.2,192.0.2.3</Option>
<Option name="pf_route_opt_if">le2</Option>
<Option name="pf_route_option">route_through</Option>
<Option name="pf_rule_max_state">0</Option>
<Option name="pf_source_tracking">False</Option>
<Option name="rule_name_accounting"/>
<Option name="stateless">False</Option>
</PolicyRuleOptions>
</PolicyRule>
<PolicyRule action="Route" comment="" direction="Inbound" disabled="False" id="id47646C759697" log="False" position="2">
<Src neg="False">
<ObjectRef ref="id3DC75CE7-1"/>
</Src>
<Dst neg="False">
<ObjectRef ref="sysid0"/>
</Dst>
<Srv neg="False">
<ServiceRef ref="tcp-HTTP"/>
</Srv>
<Itf neg="False">
<ObjectRef ref="id4764591B9697"/>
</Itf>
<When neg="False">
<IntervalRef ref="sysid2"/>
</When>
<PolicyRuleOptions>
<Option name="action_on_reject"/>
<Option name="branch_anchor_name"/>
<Option name="branch_chain_name"/>
<Option name="classify_str"/>
<Option name="color">#8BC065</Option>
<Option name="custom_str"/>
<Option name="ipf_route_opt_addr"/>
<Option name="ipf_route_opt_if"/>
<Option name="ipf_route_option">route_through</Option>
<Option name="ipfw_classify_method">2</Option>
<Option name="ipfw_pipe_port_num">0</Option>
<Option name="ipfw_pipe_queue_num">0</Option>
<Option name="ipt_continue">False</Option>
<Option name="ipt_gw"/>
<Option name="ipt_iif"/>
<Option name="ipt_mark_connections">False</Option>
<Option name="ipt_oif"/>
<Option name="ipt_tee">False</Option>
<Option name="log_prefix"/>
<Option name="pf_fastroute">False</Option>
<Option name="pf_keep_state">False</Option>
<Option name="pf_max_src_conn">0</Option>
<Option name="pf_max_src_conn_flush">False</Option>
<Option name="pf_max_src_conn_global">False</Option>
<Option name="pf_max_src_conn_overload_table"/>
<Option name="pf_max_src_conn_rate_flush">False</Option>
<Option name="pf_max_src_conn_rate_global">False</Option>
<Option name="pf_max_src_conn_rate_num">0</Option>
<Option name="pf_max_src_conn_rate_overload_table"/>
<Option name="pf_max_src_conn_rate_seconds">0</Option>
<Option name="pf_max_src_nodes">0</Option>
<Option name="pf_max_src_states">0</Option>
<Option name="pf_route_load_option">round_robin</Option>
<Option name="pf_route_opt_addr">192.0.2.1,192.0.2.2,192.0.2.3</Option>
<Option name="pf_route_opt_if">le2</Option>
<Option name="pf_route_option">route_through</Option>
<Option name="pf_rule_max_state">0</Option>
<Option name="pf_source_tracking">False</Option>
<Option name="rule_name_accounting"/>
<Option name="stateless">False</Option>
</PolicyRuleOptions>
</PolicyRule>
<PolicyRule action="Route" comment="" direction="Inbound" disabled="False" id="id476480059697" log="False" position="3">
<Src neg="False">
<ObjectRef ref="id3DC75CE7-1"/>
</Src>
<Dst neg="False">
<ObjectRef ref="sysid0"/>
</Dst>
<Srv neg="False">
<ServiceRef ref="tcp-HTTP"/>
</Srv>
<Itf neg="False">
<ObjectRef ref="id4764591B9697"/>
</Itf>
<When neg="False">
<IntervalRef ref="sysid2"/>
</When>
<PolicyRuleOptions>
<Option name="action_on_reject"/>
<Option name="branch_anchor_name"/>
<Option name="branch_chain_name"/>
<Option name="classify_str"/>
<Option name="color">#7694C0</Option>
<Option name="custom_str"/>
<Option name="ipf_route_opt_addr"/>
<Option name="ipf_route_opt_if"/>
<Option name="ipf_route_option">route_through</Option>
<Option name="ipfw_classify_method">2</Option>
<Option name="ipfw_pipe_port_num">0</Option>
<Option name="ipfw_pipe_queue_num">0</Option>
<Option name="ipt_continue">False</Option>
<Option name="ipt_gw"/>
<Option name="ipt_iif"/>
<Option name="ipt_mark_connections">False</Option>
<Option name="ipt_oif"/>
<Option name="ipt_tee">False</Option>
<Option name="log_prefix"/>
<Option name="pf_fastroute">False</Option>
<Option name="pf_keep_state">False</Option>
<Option name="pf_max_src_conn">0</Option>
<Option name="pf_max_src_conn_flush">False</Option>
<Option name="pf_max_src_conn_global">False</Option>
<Option name="pf_max_src_conn_overload_table"/>
<Option name="pf_max_src_conn_rate_flush">False</Option>
<Option name="pf_max_src_conn_rate_global">False</Option>
<Option name="pf_max_src_conn_rate_num">0</Option>
<Option name="pf_max_src_conn_rate_overload_table"/>
<Option name="pf_max_src_conn_rate_seconds">0</Option>
<Option name="pf_max_src_nodes">0</Option>
<Option name="pf_max_src_states">0</Option>
<Option name="pf_route_load_option">round_robin</Option>
<Option name="pf_route_opt_addr">192.0.2.1,192.0.2.2,192.0.2.3</Option>
<Option name="pf_route_opt_if">le1</Option>
<Option name="pf_route_option">route_through</Option>
<Option name="pf_rule_max_state">0</Option>
<Option name="pf_source_tracking">False</Option>
<Option name="rule_name_accounting"/>
<Option name="stateless">True</Option>
</PolicyRuleOptions>
</PolicyRule>
<PolicyRule action="Route" comment="" direction="Inbound" disabled="False" id="id476480169697" log="False" position="4">
<Src neg="False">
<ObjectRef ref="id3DC75CE7-1"/>
</Src>
<Dst neg="False">
<ObjectRef ref="sysid0"/>
</Dst>
<Srv neg="False">
<ServiceRef ref="tcp-HTTP"/>
</Srv>
<Itf neg="False">
<ObjectRef ref="id4764591B9697"/>
</Itf>
<When neg="False">
<IntervalRef ref="sysid2"/>
</When>
<PolicyRuleOptions>
<Option name="action_on_reject"/>
<Option name="branch_anchor_name"/>
<Option name="branch_chain_name"/>
<Option name="classify_str"/>
<Option name="color">#7694C0</Option>
<Option name="custom_str"/>
<Option name="ipf_route_opt_addr"/>
<Option name="ipf_route_opt_if"/>
<Option name="ipf_route_option">route_through</Option>
<Option name="ipfw_classify_method">2</Option>
<Option name="ipfw_pipe_port_num">0</Option>
<Option name="ipfw_pipe_queue_num">0</Option>
<Option name="ipt_continue">False</Option>
<Option name="ipt_gw"/>
<Option name="ipt_iif"/>
<Option name="ipt_mark_connections">False</Option>
<Option name="ipt_oif"/>
<Option name="ipt_tee">False</Option>
<Option name="log_prefix"/>
<Option name="pf_fastroute">False</Option>
<Option name="pf_keep_state">False</Option>
<Option name="pf_max_src_conn">0</Option>
<Option name="pf_max_src_conn_flush">False</Option>
<Option name="pf_max_src_conn_global">False</Option>
<Option name="pf_max_src_conn_overload_table"/>
<Option name="pf_max_src_conn_rate_flush">False</Option>
<Option name="pf_max_src_conn_rate_global">False</Option>
<Option name="pf_max_src_conn_rate_num">0</Option>
<Option name="pf_max_src_conn_rate_overload_table"/>
<Option name="pf_max_src_conn_rate_seconds">0</Option>
<Option name="pf_max_src_nodes">0</Option>
<Option name="pf_max_src_states">0</Option>
<Option name="pf_route_load_option">round_robin</Option>
<Option name="pf_route_opt_addr">192.0.2.1,192.0.2.2,192.0.2.3</Option>
<Option name="pf_route_opt_if">le2</Option>
<Option name="pf_route_option">route_through</Option>
<Option name="pf_rule_max_state">0</Option>
<Option name="pf_source_tracking">False</Option>
<Option name="rule_name_accounting"/>
<Option name="stateless">True</Option>
</PolicyRuleOptions>
</PolicyRule>
<PolicyRule action="Route" comment="" direction="Inbound" disabled="False" id="id476480279697" log="False" position="5">
<Src neg="False">
<ObjectRef ref="id3DC75CE7-1"/>
</Src>
<Dst neg="False">
<ObjectRef ref="sysid0"/>
</Dst>
<Srv neg="False">
<ServiceRef ref="tcp-HTTP"/>
</Srv>
<Itf neg="False">
<ObjectRef ref="id4764591B9697"/>
</Itf>
<When neg="False">
<IntervalRef ref="sysid2"/>
</When>
<PolicyRuleOptions>
<Option name="action_on_reject"/>
<Option name="branch_anchor_name"/>
<Option name="branch_chain_name"/>
<Option name="classify_str"/>
<Option name="color">#7694C0</Option>
<Option name="custom_str"/>
<Option name="ipf_route_opt_addr"/>
<Option name="ipf_route_opt_if"/>
<Option name="ipf_route_option">route_through</Option>
<Option name="ipfw_classify_method">2</Option>
<Option name="ipfw_pipe_port_num">0</Option>
<Option name="ipfw_pipe_queue_num">0</Option>
<Option name="ipt_continue">False</Option>
<Option name="ipt_gw"/>
<Option name="ipt_iif"/>
<Option name="ipt_mark_connections">False</Option>
<Option name="ipt_oif"/>
<Option name="ipt_tee">False</Option>
<Option name="log_prefix"/>
<Option name="pf_fastroute">False</Option>
<Option name="pf_keep_state">False</Option>
<Option name="pf_max_src_conn">0</Option>
<Option name="pf_max_src_conn_flush">False</Option>
<Option name="pf_max_src_conn_global">False</Option>
<Option name="pf_max_src_conn_overload_table"/>
<Option name="pf_max_src_conn_rate_flush">False</Option>
<Option name="pf_max_src_conn_rate_global">False</Option>
<Option name="pf_max_src_conn_rate_num">0</Option>
<Option name="pf_max_src_conn_rate_overload_table"/>
<Option name="pf_max_src_conn_rate_seconds">0</Option>
<Option name="pf_max_src_nodes">0</Option>
<Option name="pf_max_src_states">0</Option>
<Option name="pf_route_load_option">round_robin</Option>
<Option name="pf_route_opt_addr">192.0.2.1,192.0.2.2,192.0.2.3</Option>
<Option name="pf_route_opt_if">le2</Option>
<Option name="pf_route_option">route_through</Option>
<Option name="pf_rule_max_state">0</Option>
<Option name="pf_source_tracking">False</Option>
<Option name="rule_name_accounting"/>
<Option name="stateless">True</Option>
</PolicyRuleOptions>
</PolicyRule>
<PolicyRule action="Route" comment="" direction="Inbound" disabled="False" id="id476458C99697" log="False" position="6">
<Src neg="False">
<ObjectRef ref="id3DC75CE7-1"/>
</Src>
<Dst neg="False">
<ObjectRef ref="sysid0"/>
</Dst>
<Srv neg="False">
<ServiceRef ref="tcp-HTTP"/>
</Srv>
<Itf neg="False">
<ObjectRef ref="id4764591B9697"/>
</Itf>
<When neg="False">
<IntervalRef ref="sysid2"/>
</When>
<PolicyRuleOptions>
<Option name="action_on_reject"/>
<Option name="branch_anchor_name"/>
<Option name="branch_chain_name"/>
<Option name="classify_str"/>
<Option name="color">#C0BA44</Option>
<Option name="custom_str"/>
<Option name="ipf_route_opt_addr"/>
<Option name="ipf_route_opt_if"/>
<Option name="ipf_route_option">route_through</Option>
<Option name="ipfw_classify_method">2</Option>
<Option name="ipfw_pipe_port_num">0</Option>
<Option name="ipfw_pipe_queue_num">0</Option>
<Option name="ipt_continue">False</Option>
<Option name="ipt_gw"/>
<Option name="ipt_iif"/>
<Option name="ipt_mark_connections">False</Option>
<Option name="ipt_oif"/>
<Option name="ipt_tee">False</Option>
<Option name="log_prefix"/>
<Option name="pf_fastroute">False</Option>
<Option name="pf_keep_state">False</Option>
<Option name="pf_max_src_conn">0</Option>
<Option name="pf_max_src_conn_flush">False</Option>
<Option name="pf_max_src_conn_global">False</Option>
<Option name="pf_max_src_conn_overload_table"/>
<Option name="pf_max_src_conn_rate_flush">False</Option>
<Option name="pf_max_src_conn_rate_global">False</Option>
<Option name="pf_max_src_conn_rate_num">0</Option>
<Option name="pf_max_src_conn_rate_overload_table"/>
<Option name="pf_max_src_conn_rate_seconds">0</Option>
<Option name="pf_max_src_nodes">0</Option>
<Option name="pf_max_src_states">0</Option>
<Option name="pf_route_load_option">random</Option>
<Option name="pf_route_opt_addr">192.0.2.0/24</Option>
<Option name="pf_route_opt_if">le1</Option>
<Option name="pf_route_option">route_through</Option>
<Option name="pf_rule_max_state">0</Option>
<Option name="pf_source_tracking">False</Option>
<Option name="rule_name_accounting"/>
<Option name="stateless">False</Option>
</PolicyRuleOptions>
</PolicyRule>
<PolicyRule action="Route" comment="" direction="Inbound" disabled="False" id="id476458D69697" log="False" position="7">
<Src neg="False">
<ObjectRef ref="id3DC75CE7-1"/>
</Src>
<Dst neg="False">
<ObjectRef ref="sysid0"/>
</Dst>
<Srv neg="False">
<ServiceRef ref="tcp-HTTP"/>
</Srv>
<Itf neg="False">
<ObjectRef ref="id4764591B9697"/>
</Itf>
<When neg="False">
<IntervalRef ref="sysid2"/>
</When>
<PolicyRuleOptions>
<Option name="action_on_reject"/>
<Option name="branch_anchor_name"/>
<Option name="branch_chain_name"/>
<Option name="classify_str"/>
<Option name="color">#C0BA44</Option>
<Option name="custom_str"/>
<Option name="ipf_route_opt_addr"/>
<Option name="ipf_route_opt_if"/>
<Option name="ipf_route_option">route_through</Option>
<Option name="ipfw_classify_method">2</Option>
<Option name="ipfw_pipe_port_num">0</Option>
<Option name="ipfw_pipe_queue_num">0</Option>
<Option name="ipt_continue">False</Option>
<Option name="ipt_gw"/>
<Option name="ipt_iif"/>
<Option name="ipt_mark_connections">False</Option>
<Option name="ipt_oif"/>
<Option name="ipt_tee">False</Option>
<Option name="log_prefix"/>
<Option name="pf_fastroute">False</Option>
<Option name="pf_keep_state">False</Option>
<Option name="pf_max_src_conn">0</Option>
<Option name="pf_max_src_conn_flush">False</Option>
<Option name="pf_max_src_conn_global">False</Option>
<Option name="pf_max_src_conn_overload_table"/>
<Option name="pf_max_src_conn_rate_flush">False</Option>
<Option name="pf_max_src_conn_rate_global">False</Option>
<Option name="pf_max_src_conn_rate_num">0</Option>
<Option name="pf_max_src_conn_rate_overload_table"/>
<Option name="pf_max_src_conn_rate_seconds">0</Option>
<Option name="pf_max_src_nodes">0</Option>
<Option name="pf_max_src_states">0</Option>
<Option name="pf_route_load_option">source_hash</Option>
<Option name="pf_route_opt_addr">192.0.2.0/24</Option>
<Option name="pf_route_opt_if">le2</Option>
<Option name="pf_route_option">route_through</Option>
<Option name="pf_rule_max_state">0</Option>
<Option name="pf_source_tracking">False</Option>
<Option name="rule_name_accounting"/>
<Option name="stateless">False</Option>
</PolicyRuleOptions>
</PolicyRule>
<PolicyRule action="Route" comment="" direction="Inbound" disabled="False" id="id4764592B9697" log="False" position="8">
<Src neg="False">
<ObjectRef ref="id3DC75CE7-1"/>
</Src>
<Dst neg="False">
<ObjectRef ref="sysid0"/>
</Dst>
<Srv neg="False">
<ServiceRef ref="tcp-HTTP"/>
</Srv>
<Itf neg="False">
<ObjectRef ref="id4764591B9697"/>
</Itf>
<When neg="False">
<IntervalRef ref="sysid2"/>
</When>
<PolicyRuleOptions>
<Option name="action_on_reject"/>
<Option name="branch_anchor_name"/>
<Option name="branch_chain_name"/>
<Option name="classify_str"/>
<Option name="color">#C0BA44</Option>
<Option name="custom_str"/>
<Option name="ipf_route_opt_addr"/>
<Option name="ipf_route_opt_if"/>
<Option name="ipf_route_option">route_through</Option>
<Option name="ipfw_classify_method">2</Option>
<Option name="ipfw_pipe_port_num">0</Option>
<Option name="ipfw_pipe_queue_num">0</Option>
<Option name="ipt_continue">False</Option>
<Option name="ipt_gw"/>
<Option name="ipt_iif"/>
<Option name="ipt_mark_connections">False</Option>
<Option name="ipt_oif"/>
<Option name="ipt_tee">False</Option>
<Option name="log_prefix"/>
<Option name="pf_fastroute">False</Option>
<Option name="pf_keep_state">False</Option>
<Option name="pf_max_src_conn">0</Option>
<Option name="pf_max_src_conn_flush">False</Option>
<Option name="pf_max_src_conn_global">False</Option>
<Option name="pf_max_src_conn_overload_table"/>
<Option name="pf_max_src_conn_rate_flush">False</Option>
<Option name="pf_max_src_conn_rate_global">False</Option>
<Option name="pf_max_src_conn_rate_num">0</Option>
<Option name="pf_max_src_conn_rate_overload_table"/>
<Option name="pf_max_src_conn_rate_seconds">0</Option>
<Option name="pf_max_src_nodes">0</Option>
<Option name="pf_max_src_states">0</Option>
<Option name="pf_route_load_option">round_robin</Option>
<Option name="pf_route_opt_addr">192.0.2.0/255.255.255.0</Option>
<Option name="pf_route_opt_if">le2</Option>
<Option name="pf_route_option">route_through</Option>
<Option name="pf_rule_max_state">0</Option>
<Option name="pf_source_tracking">False</Option>
<Option name="rule_name_accounting"/>
<Option name="stateless">False</Option>
</PolicyRuleOptions>
</PolicyRule>
<PolicyRule action="Route" comment="this should fail because&#10;it has one address for the next&#10;hop and it is /32.&#10;Run compiler with&#10;command line argument -xt&#10;to convert errors to warnings&#10;and make it generate .conf &#10;file anyway" direction="Inbound" disabled="False" id="id4764BABB9697" log="False" position="9">
<Src neg="False">
<ObjectRef ref="id3DC75CE7-1"/>
</Src>
<Dst neg="False">
<ObjectRef ref="sysid0"/>
</Dst>
<Srv neg="False">
<ServiceRef ref="tcp-HTTP"/>
</Srv>
<Itf neg="False">
<ObjectRef ref="id4764591B9697"/>
</Itf>
<When neg="False">
<IntervalRef ref="sysid2"/>
</When>
<PolicyRuleOptions>
<Option name="action_on_reject"/>
<Option name="branch_anchor_name"/>
<Option name="branch_chain_name"/>
<Option name="classify_str"/>
<Option name="color">#C86E6E</Option>
<Option name="custom_str"/>
<Option name="ipf_route_opt_addr"/>
<Option name="ipf_route_opt_if"/>
<Option name="ipf_route_option">route_through</Option>
<Option name="ipfw_classify_method">2</Option>
<Option name="ipfw_pipe_port_num">0</Option>
<Option name="ipfw_pipe_queue_num">0</Option>
<Option name="ipt_continue">False</Option>
<Option name="ipt_gw"/>
<Option name="ipt_iif"/>
<Option name="ipt_mark_connections">False</Option>
<Option name="ipt_oif"/>
<Option name="ipt_tee">False</Option>
<Option name="log_prefix"/>
<Option name="pf_fastroute">False</Option>
<Option name="pf_keep_state">False</Option>
<Option name="pf_max_src_conn">0</Option>
<Option name="pf_max_src_conn_flush">False</Option>
<Option name="pf_max_src_conn_global">False</Option>
<Option name="pf_max_src_conn_overload_table"/>
<Option name="pf_max_src_conn_rate_flush">False</Option>
<Option name="pf_max_src_conn_rate_global">False</Option>
<Option name="pf_max_src_conn_rate_num">0</Option>
<Option name="pf_max_src_conn_rate_overload_table"/>
<Option name="pf_max_src_conn_rate_seconds">0</Option>
<Option name="pf_max_src_nodes">0</Option>
<Option name="pf_max_src_states">0</Option>
<Option name="pf_route_load_option">round_robin</Option>
<Option name="pf_route_opt_addr">192.0.2.1</Option>
<Option name="pf_route_opt_if">le2</Option>
<Option name="pf_route_option">route_through</Option>
<Option name="pf_rule_max_state">0</Option>
<Option name="pf_source_tracking">False</Option>
<Option name="rule_name_accounting"/>
<Option name="stateless">False</Option>
</PolicyRuleOptions>
</PolicyRule>
<PolicyRule action="Route" comment="this should fail because&#10;it has one address for the next&#10;hop and it is /32.&#10;" direction="Inbound" disabled="False" id="id4764BACC9697" log="False" position="10">
<Src neg="False">
<ObjectRef ref="id3DC75CE7-1"/>
</Src>
<Dst neg="False">
<ObjectRef ref="sysid0"/>
</Dst>
<Srv neg="False">
<ServiceRef ref="tcp-HTTP"/>
</Srv>
<Itf neg="False">
<ObjectRef ref="id4764591B9697"/>
</Itf>
<When neg="False">
<IntervalRef ref="sysid2"/>
</When>
<PolicyRuleOptions>
<Option name="action_on_reject"/>
<Option name="branch_anchor_name"/>
<Option name="branch_chain_name"/>
<Option name="classify_str"/>
<Option name="color">#C86E6E</Option>
<Option name="custom_str"/>
<Option name="ipf_route_opt_addr"/>
<Option name="ipf_route_opt_if"/>
<Option name="ipf_route_option">route_through</Option>
<Option name="ipfw_classify_method">2</Option>
<Option name="ipfw_pipe_port_num">0</Option>
<Option name="ipfw_pipe_queue_num">0</Option>
<Option name="ipt_continue">False</Option>
<Option name="ipt_gw"/>
<Option name="ipt_iif"/>
<Option name="ipt_mark_connections">False</Option>
<Option name="ipt_oif"/>
<Option name="ipt_tee">False</Option>
<Option name="log_prefix"/>
<Option name="pf_fastroute">False</Option>
<Option name="pf_keep_state">False</Option>
<Option name="pf_max_src_conn">0</Option>
<Option name="pf_max_src_conn_flush">False</Option>
<Option name="pf_max_src_conn_global">False</Option>
<Option name="pf_max_src_conn_overload_table"/>
<Option name="pf_max_src_conn_rate_flush">False</Option>
<Option name="pf_max_src_conn_rate_global">False</Option>
<Option name="pf_max_src_conn_rate_num">0</Option>
<Option name="pf_max_src_conn_rate_overload_table"/>
<Option name="pf_max_src_conn_rate_seconds">0</Option>
<Option name="pf_max_src_nodes">0</Option>
<Option name="pf_max_src_states">0</Option>
<Option name="pf_route_load_option">round_robin</Option>
<Option name="pf_route_opt_addr">192.0.2.1/32</Option>
<Option name="pf_route_opt_if">le2</Option>
<Option name="pf_route_option">route_through</Option>
<Option name="pf_rule_max_state">0</Option>
<Option name="pf_source_tracking">False</Option>
<Option name="rule_name_accounting"/>
<Option name="stateless">False</Option>
</PolicyRuleOptions>
</PolicyRule>
<PolicyRule action="Route" comment="this should fail because&#10;it ip address in next hop&#10;is illegal" direction="Inbound" disabled="False" id="id476509419697" log="False" position="11">
<Src neg="False">
<ObjectRef ref="id3DC75CE7-1"/>
</Src>
<Dst neg="False">
<ObjectRef ref="sysid0"/>
</Dst>
<Srv neg="False">
<ServiceRef ref="tcp-HTTP"/>
</Srv>
<Itf neg="False">
<ObjectRef ref="id4764591B9697"/>
</Itf>
<When neg="False">
<IntervalRef ref="sysid2"/>
</When>
<PolicyRuleOptions>
<Option name="action_on_reject"/>
<Option name="branch_anchor_name"/>
<Option name="branch_chain_name"/>
<Option name="classify_str"/>
<Option name="color">#C86E6E</Option>
<Option name="custom_str"/>
<Option name="ipf_route_opt_addr"/>
<Option name="ipf_route_opt_if"/>
<Option name="ipf_route_option">route_through</Option>
<Option name="ipfw_classify_method">2</Option>
<Option name="ipfw_pipe_port_num">0</Option>
<Option name="ipfw_pipe_queue_num">0</Option>
<Option name="ipt_continue">False</Option>
<Option name="ipt_gw"/>
<Option name="ipt_iif"/>
<Option name="ipt_mark_connections">False</Option>
<Option name="ipt_oif"/>
<Option name="ipt_tee">False</Option>
<Option name="log_prefix"/>
<Option name="pf_fastroute">False</Option>
<Option name="pf_keep_state">False</Option>
<Option name="pf_max_src_conn">0</Option>
<Option name="pf_max_src_conn_flush">False</Option>
<Option name="pf_max_src_conn_global">False</Option>
<Option name="pf_max_src_conn_overload_table"/>
<Option name="pf_max_src_conn_rate_flush">False</Option>
<Option name="pf_max_src_conn_rate_global">False</Option>
<Option name="pf_max_src_conn_rate_num">0</Option>
<Option name="pf_max_src_conn_rate_overload_table"/>
<Option name="pf_max_src_conn_rate_seconds">0</Option>
<Option name="pf_max_src_nodes">0</Option>
<Option name="pf_max_src_states">0</Option>
<Option name="pf_route_load_option">round_robin</Option>
<Option name="pf_route_opt_addr">192.0.300.1/32</Option>
<Option name="pf_route_opt_if">le2</Option>
<Option name="pf_route_option">route_through</Option>
<Option name="pf_rule_max_state">0</Option>
<Option name="pf_source_tracking">False</Option>
<Option name="rule_name_accounting"/>
<Option name="stateless">False</Option>
</PolicyRuleOptions>
</PolicyRule>
</Policy>
<Routing id="id476459179697" name="Routing"/>
<Interface bridgeport="False" comment="" dyn="False" id="id476459189697" label="" mgmt="False" name="le1" security_level="0" unnum="False" unprotected="False">
<IPv4 comment="This is a test address, change it to your real one" id="id4764591A9697" name="firewall40-1:le1:ip" address="192.0.2.1" netmask="255.255.255.0"/>
</Interface>
<Interface bridgeport="False" comment="" dyn="False" id="id4764591B9697" label="" mgmt="True" name="fxp0" security_level="100" unnum="False" unprotected="False">
<IPv4 comment="" id="id4764591D9697" name="firewall40-1:fxp0:ip" address="192.168.1.1" netmask="255.255.255.0"/>
</Interface>
<Interface bridgeport="False" comment="" dyn="False" id="id4764591E9697" label="" mgmt="False" name="lo0" security_level="100" unnum="False" unprotected="False">
<IPv4 comment="" id="id476459209697" name="firewall40-1:lo0:ip" address="127.0.0.1" netmask="255.0.0.0"/>
</Interface>
<Interface bridgeport="False" comment="" dyn="False" id="id476459219697" label="" mgmt="False" name="le2" security_level="0" unnum="False" unprotected="False">
<IPv4 comment="" id="id476459239697" name="firewall40-1:le2:ip" address="192.0.3.1" netmask="255.255.255.0"/>
</Interface>
<Management address="0.0.0.0">
<SNMPManagement enabled="False" snmp_read_community="" snmp_write_community=""/>
<FWBDManagement enabled="False" identity="" port="-1"/>
<PolicyInstallScript arguments="" command="" enabled="False"/>
</Management>
<FirewallOptions>
<Option name="accept_established">true</Option>
<Option name="accept_new_tcp_with_no_syn">True</Option>
<Option name="activationCmd"/>
<Option name="admUser"/>
<Option name="altAddress"/>
<Option name="check_shading">True</Option>
<Option name="cmdline"/>
<Option name="compiler"/>
<Option name="configure_interfaces">True</Option>
<Option name="debug">False</Option>
<Option name="eliminate_duplicates">true</Option>
<Option name="epilog_script"/>
<Option name="fallback_log">False</Option>
<Option name="firewall_dir">/etc</Option>
<Option name="firewall_is_part_of_any_and_networks">true</Option>
<Option name="freebsd_ip_forward">1</Option>
<Option name="ignore_empty_groups">False</Option>
<Option name="in_out_code">True</Option>
<Option name="limit_value">0</Option>
<Option name="linux24_ip_forward">1</Option>
<Option name="load_modules">true</Option>
<Option name="local_nat">false</Option>
<Option name="log_level">info</Option>
<Option name="log_prefix">RULE %N -- %A </Option>
<Option name="loopback_interface">lo0</Option>
<Option name="macosx_ip_forward">1</Option>
<Option name="manage_virtual_addr">True</Option>
<Option name="mgmt_addr"/>
<Option name="mgmt_ssh">False</Option>
<Option name="modulate_state">True</Option>
<Option name="openbsd_ip_forward">1</Option>
<Option name="output_file"/>
<Option name="pass_all_out">False</Option>
<Option name="pf_adaptive_end">0</Option>
<Option name="pf_adaptive_start">0</Option>
<Option name="pf_do_limit_frags">False</Option>
<Option name="pf_do_limit_states">False</Option>
<Option name="pf_do_scrub">False</Option>
<Option name="pf_do_timeout_frag">False</Option>
<Option name="pf_do_timeout_interval">False</Option>
<Option name="pf_icmp_error">0</Option>
<Option name="pf_icmp_first">0</Option>
<Option name="pf_limit_frags">5000</Option>
<Option name="pf_limit_states">10000</Option>
<Option name="pf_optimization"/>
<Option name="pf_other_first">0</Option>
<Option name="pf_other_multiple">0</Option>
<Option name="pf_other_single">0</Option>
<Option name="pf_scrub_fragm_crop">False</Option>
<Option name="pf_scrub_fragm_drop_ovl">False</Option>
<Option name="pf_scrub_maxmss">1460</Option>
<Option name="pf_scrub_minttl">0</Option>
<Option name="pf_scrub_no_df">False</Option>
<Option name="pf_scrub_random_id">False</Option>
<Option name="pf_scrub_reassemble">True</Option>
<Option name="pf_scrub_use_maxmss">False</Option>
<Option name="pf_scrub_use_minttl">False</Option>
<Option name="pf_set_adaptive">False</Option>
<Option name="pf_set_icmp_error">False</Option>
<Option name="pf_set_icmp_first">False</Option>
<Option name="pf_set_other_first">False</Option>
<Option name="pf_set_other_multiple">False</Option>
<Option name="pf_set_other_single">False</Option>
<Option name="pf_set_tcp_closed">False</Option>
<Option name="pf_set_tcp_closing">False</Option>
<Option name="pf_set_tcp_established">False</Option>
<Option name="pf_set_tcp_finwait">False</Option>
<Option name="pf_set_tcp_first">False</Option>
<Option name="pf_set_tcp_opening">False</Option>
<Option name="pf_set_udp_first">False</Option>
<Option name="pf_set_udp_multiple">False</Option>
<Option name="pf_set_udp_single">False</Option>
<Option name="pf_tcp_closed">0</Option>
<Option name="pf_tcp_closing">0</Option>
<Option name="pf_tcp_established">0</Option>
<Option name="pf_tcp_finwait">0</Option>
<Option name="pf_tcp_first">0</Option>
<Option name="pf_tcp_opening">0</Option>
<Option name="pf_timeout_frag">30</Option>
<Option name="pf_timeout_interval">10</Option>
<Option name="pf_udp_first">0</Option>
<Option name="pf_udp_multiple">0</Option>
<Option name="pf_udp_single">0</Option>
<Option name="pix_add_clear_statements">true</Option>
<Option name="pix_assume_fw_part_of_any">true</Option>
<Option name="pix_default_logint">300</Option>
<Option name="pix_emblem_log_format">false</Option>
<Option name="pix_emulate_out_acl">true</Option>
<Option name="pix_floodguard">true</Option>
<Option name="pix_include_comments">true</Option>
<Option name="pix_route_dnat_supported">true</Option>
<Option name="pix_rule_syslog_settings">false</Option>
<Option name="pix_security_fragguard_supported">true</Option>
<Option name="pix_syslog_device_id_supported">false</Option>
<Option name="pix_use_acl_remarks">true</Option>
<Option name="prolog_script"/>
<Option name="prompt1">$ </Option>
<Option name="prompt2"> # </Option>
<Option name="solaris_ip_forward">1</Option>
<Option name="sshArgs"/>
<Option name="ulog_nlgroup">1</Option>
<Option name="verify_interfaces">true</Option>
</FirewallOptions>
</Firewall>
<Firewall comment="" host_OS="freebsd" id="id4833F62B6131" inactive="False" lastCompiled="1212115999" lastInstalled="0" lastModified="1212272477" name="firewall-ipv6-1" platform="pf" ro="False" version="">
<NAT id="id4833F62F6131" name="NAT"/>
<Policy id="id483F5B7623190" name="Policy_ipv4"/>
<Policy id="id4833F62E6131" name="Policy">
<PolicyRule action="Accept" direction="Both" disabled="False" group="" id="id4841FADE30813" log="False" position="0">
<Src neg="False">
<ObjectRef ref="sysid0"/>
</Src>
<Dst neg="False">
<ObjectRef ref="sysid0"/>
</Dst>
<Srv neg="False">
<ServiceRef ref="sysid1"/>
</Srv>
<Itf neg="False">
<ObjectRef ref="id4841FADB30813"/>
</Itf>
<When neg="False">
<IntervalRef ref="sysid2"/>
</When>
<PolicyRuleOptions>
<Option name="stateless">False</Option>
</PolicyRuleOptions>
</PolicyRule>
<PolicyRule action="Accept" comment="this rule shadows the next.&#10;Note that we add command line&#10;flag -xt to the compiler" direction="Both" disabled="False" group="" id="id4837BFE628819" log="False" position="1">
<Src neg="False">
<ObjectRef ref="id4834B9206131"/>
</Src>
<Dst neg="False">
<ObjectRef ref="id4833F6316131"/>
</Dst>
<Srv neg="False">
<ServiceRef ref="tcp-SSH"/>
</Srv>
<Itf neg="False">
<ObjectRef ref="sysid0"/>
</Itf>
<When neg="False">
<IntervalRef ref="sysid2"/>
</When>
<PolicyRuleOptions>
<Option name="stateless">False</Option>
</PolicyRuleOptions>
</PolicyRule>
<PolicyRule action="Accept" comment="" direction="Both" disabled="False" id="id4834578B6131" log="False" position="2">
<Src neg="False">
<ObjectRef ref="id48416A7216880"/>
</Src>
<Dst neg="False">
<ObjectRef ref="id4833F6316131"/>
</Dst>
<Srv neg="False">
<ServiceRef ref="tcp-SSH"/>
</Srv>
<Itf neg="False">
<ObjectRef ref="sysid0"/>
</Itf>
<When neg="False">
<IntervalRef ref="sysid2"/>
</When>
<PolicyRuleOptions>
<Option name="stateless">False</Option>
</PolicyRuleOptions>
</PolicyRule>
<PolicyRule action="Accept" direction="Both" disabled="False" id="id4834577C6131" log="True" position="3">
<Src neg="False">
<ObjectRef ref="id48416A7116880"/>
</Src>
<Dst neg="False">
<ObjectRef ref="id4833F62B6131"/>
</Dst>
<Srv neg="False">
<ServiceRef ref="tcp-SSH"/>
</Srv>
<Itf neg="False">
<ObjectRef ref="sysid0"/>
</Itf>
<When neg="False">
<IntervalRef ref="sysid2"/>
</When>
<PolicyRuleOptions>
<Option name="stateless">False</Option>
</PolicyRuleOptions>
</PolicyRule>
<PolicyRule action="Accept" direction="Both" disabled="False" group="" id="id4834D3038571" log="True" position="4">
<Src neg="False">
<ObjectRef ref="id4834A2238571"/>
</Src>
<Dst neg="False">
<ObjectRef ref="id4833F6316131"/>
</Dst>
<Srv neg="False">
<ServiceRef ref="tcp-SSH"/>
</Srv>
<Itf neg="False">
<ObjectRef ref="sysid0"/>
</Itf>
<When neg="False">
<IntervalRef ref="sysid2"/>
</When>
<PolicyRuleOptions>
<Option name="stateless">False</Option>
</PolicyRuleOptions>
</PolicyRule>
<PolicyRule action="Accept" direction="Both" disabled="False" group="" id="id4834D3108571" log="True" position="5">
<Src neg="False">
<ObjectRef ref="id4834A2278571"/>
</Src>
<Dst neg="False">
<ObjectRef ref="id4833F6316131"/>
</Dst>
<Srv neg="False">
<ServiceRef ref="tcp-SSH"/>
</Srv>
<Itf neg="False">
<ObjectRef ref="sysid0"/>
</Itf>
<When neg="False">
<IntervalRef ref="sysid2"/>
</When>
<PolicyRuleOptions>
<Option name="stateless">False</Option>
</PolicyRuleOptions>
</PolicyRule>
<PolicyRule action="Accept" comment="" direction="Both" disabled="False" group="" id="id4835040E8571" log="True" position="6">
<Src neg="False">
<ObjectRef ref="id4834A2238571"/>
</Src>
<Dst neg="False">
<ObjectRef ref="id4833F62B6131"/>
</Dst>
<Srv neg="False">
<ServiceRef ref="tcp-SSH"/>
</Srv>
<Itf neg="False">
<ObjectRef ref="sysid0"/>
</Itf>
<When neg="False">
<IntervalRef ref="sysid2"/>
</When>
<PolicyRuleOptions>
<Option name="stateless">False</Option>
</PolicyRuleOptions>
</PolicyRule>
<PolicyRule action="Accept" comment="" direction="Both" disabled="False" group="" id="id4835041F8571" log="True" position="7">
<Src neg="False">
<ObjectRef ref="id4834A2278571"/>
</Src>
<Dst neg="False">
<ObjectRef ref="id4833F62B6131"/>
</Dst>
<Srv neg="False">
<ServiceRef ref="tcp-SSH"/>
</Srv>
<Itf neg="False">
<ObjectRef ref="sysid0"/>
</Itf>
<When neg="False">
<IntervalRef ref="sysid2"/>
</When>
<PolicyRuleOptions>
<Option name="stateless">False</Option>
</PolicyRuleOptions>
</PolicyRule>
<PolicyRule action="Accept" direction="Inbound" disabled="False" id="id4834576F6131" log="True" position="8">
<Src neg="False">
<ObjectRef ref="sysid0"/>
</Src>
<Dst neg="False">
<ObjectRef ref="id4833F62B6131"/>
</Dst>
<Srv neg="False">
<ServiceRef ref="sysid1"/>
</Srv>
<Itf neg="False">
<ObjectRef ref="sysid0"/>
</Itf>
<When neg="False">
<IntervalRef ref="sysid2"/>
</When>
<PolicyRuleOptions>
<Option name="stateless">False</Option>
</PolicyRuleOptions>
</PolicyRule>
<PolicyRule action="Accept" direction="Both" disabled="False" id="id4834B9216131" log="True" position="9">
<Src neg="False">
<ObjectRef ref="id4834B9206131"/>
</Src>
<Dst neg="False">
<ObjectRef ref="sysid0"/>
</Dst>
<Srv neg="False">
<ServiceRef ref="sysid1"/>
</Srv>
<Itf neg="False">
<ObjectRef ref="sysid0"/>
</Itf>
<When neg="False">
<IntervalRef ref="sysid2"/>
</When>
<PolicyRuleOptions>
<Option name="stateless">False</Option>
</PolicyRuleOptions>
</PolicyRule>
<PolicyRule action="Accept" direction="Both" disabled="False" id="id483566468571" log="True" position="10">
<Src neg="False">
<ObjectRef ref="id4834A2238571"/>
</Src>
<Dst neg="False">
<ObjectRef ref="sysid0"/>
</Dst>
<Srv neg="False">
<ServiceRef ref="sysid1"/>
</Srv>
<Itf neg="False">
<ObjectRef ref="sysid0"/>
</Itf>
<When neg="False">
<IntervalRef ref="sysid2"/>
</When>
<PolicyRuleOptions>
<Option name="stateless">False</Option>
</PolicyRuleOptions>
</PolicyRule>
<PolicyRule action="Accept" direction="Both" disabled="False" id="id483566548571" log="True" position="11">
<Src neg="False">
<ObjectRef ref="id4834A2278571"/>
</Src>
<Dst neg="False">
<ObjectRef ref="sysid0"/>
</Dst>
<Srv neg="False">
<ServiceRef ref="sysid1"/>
</Srv>
<Itf neg="False">
<ObjectRef ref="sysid0"/>
</Itf>
<When neg="False">
<IntervalRef ref="sysid2"/>
</When>
<PolicyRuleOptions>
<Option name="stateless">False</Option>
</PolicyRuleOptions>
</PolicyRule>
</Policy>
<Routing id="id4833F6306131" name="Routing"/>
<Interface bridgeport="False" dyn="False" id="id4833F6316131" label="" name="eth0" security_level="50" unnum="False" unprotected="False">
<IPv4 id="id4833F6326131" name="firewall-ipv6-1:eth0:ip" address="1.1.1.1" netmask="255.255.255.0"/>
<IPv6 comment="" id="id4833F6346131" name="firewall-ipv6-1:eth0:ipv6" address="fe80::21d:9ff:fe8b:8e94" netmask="64"/>
</Interface>
<Interface bridgeport="False" comment="" dyn="False" id="id4841FADB30813" label="" mgmt="False" name="lo" security_level="100" unnum="False" unprotected="False">
<IPv4 comment="" id="id4841FADC30813" name="firewall-ipv6-1:lo:ip" address="127.0.0.1" netmask="255.0.0.0"/>
<IPv6 comment="" id="id4841FADD30813" name="firewall-ipv6-1:lo:ipv6" address="::1" netmask="128"/>
</Interface>
<Management address="1.1.1.1">
<SNMPManagement enabled="False" snmp_read_community="" snmp_write_community=""/>
<FWBDManagement enabled="False" identity="" port="-1"/>
<PolicyInstallScript arguments="" command="" enabled="False"/>
</Management>
<FirewallOptions>
<Option name="accept_established">True</Option>
<Option name="accept_new_tcp_with_no_syn">True</Option>
<Option name="action_on_reject"/>
<Option name="activationCmd"/>
<Option name="add_check_state_rule">true</Option>
<Option name="admUser"/>
<Option name="altAddress"/>
<Option name="bridging_fw">False</Option>
<Option name="check_shading">True</Option>
<Option name="clamp_mss_to_mtu">False</Option>
<Option name="classify_mark_terminating">False</Option>
<Option name="cmdline">-xt</Option>
<Option name="compiler"/>
<Option name="configure_interfaces">True</Option>
<Option name="debug">False</Option>
<Option name="drop_invalid">False</Option>
<Option name="eliminate_duplicates">true</Option>
<Option name="enable_ipv6">True</Option>
<Option name="epilog_script"/>
<Option name="fallback_log">False</Option>
<Option name="firewall_dir">/etc</Option>
<Option name="firewall_is_part_of_any_and_networks">True</Option>
<Option name="freebsd_ip_forward">1</Option>
<Option name="ignore_empty_groups">False</Option>
<Option name="in_out_code">True</Option>
<Option name="iosacl_add_clear_statements">true</Option>
<Option name="iosacl_assume_fw_part_of_any">true</Option>
<Option name="iosacl_include_comments">true</Option>
<Option name="ipv4_6_order">ipv4_first</Option>
<Option name="limit_suffix"/>
<Option name="limit_value">0</Option>
<Option name="linux24_ip_forward">1</Option>
<Option name="load_modules">True</Option>
<Option name="local_nat">False</Option>
<Option name="log_all">False</Option>
<Option name="log_invalid">False</Option>
<Option name="log_ip_opt">False</Option>
<Option name="log_level">info</Option>
<Option name="log_prefix">RULE %N -- %A </Option>
<Option name="log_tcp_opt">False</Option>
<Option name="log_tcp_seq">False</Option>
<Option name="loopback_interface">lo0</Option>
<Option name="macosx_ip_forward">1</Option>
<Option name="manage_virtual_addr">True</Option>
<Option name="mgmt_addr"/>
<Option name="mgmt_ssh">False</Option>
<Option name="modulate_state">False</Option>
<Option name="no_ipv6_default_policy">False</Option>
<Option name="openbsd_ip_forward">1</Option>
<Option name="output_file"/>
<Option name="pass_all_out">False</Option>
<Option name="pf_adaptive_end">0</Option>
<Option name="pf_adaptive_start">0</Option>
<Option name="pf_do_limit_frags">False</Option>
<Option name="pf_do_limit_src_nodes">False</Option>
<Option name="pf_do_limit_states">False</Option>
<Option name="pf_do_limit_table_entries">False</Option>
<Option name="pf_do_limit_tables">False</Option>
<Option name="pf_do_scrub">False</Option>
<Option name="pf_do_timeout_frag">False</Option>
<Option name="pf_do_timeout_interval">False</Option>
<Option name="pf_icmp_error">0</Option>
<Option name="pf_icmp_first">0</Option>
<Option name="pf_limit_frags">5000</Option>
<Option name="pf_limit_src_nodes">0</Option>
<Option name="pf_limit_states">10000</Option>
<Option name="pf_limit_table_entries">0</Option>
<Option name="pf_limit_tables">0</Option>
<Option name="pf_optimization"/>
<Option name="pf_other_first">0</Option>
<Option name="pf_other_multiple">0</Option>
<Option name="pf_other_single">0</Option>
<Option name="pf_scrub_fragm_crop">False</Option>
<Option name="pf_scrub_fragm_drop_ovl">False</Option>
<Option name="pf_scrub_maxmss">1460</Option>
<Option name="pf_scrub_minttl">0</Option>
<Option name="pf_scrub_no_df">False</Option>
<Option name="pf_scrub_random_id">False</Option>
<Option name="pf_scrub_reassemble">True</Option>
<Option name="pf_scrub_use_maxmss">False</Option>
<Option name="pf_scrub_use_minttl">False</Option>
<Option name="pf_set_adaptive">False</Option>
<Option name="pf_set_icmp_error">False</Option>
<Option name="pf_set_icmp_first">False</Option>
<Option name="pf_set_other_first">False</Option>
<Option name="pf_set_other_multiple">False</Option>
<Option name="pf_set_other_single">False</Option>
<Option name="pf_set_tcp_closed">False</Option>
<Option name="pf_set_tcp_closing">False</Option>
<Option name="pf_set_tcp_established">False</Option>
<Option name="pf_set_tcp_finwait">False</Option>
<Option name="pf_set_tcp_first">False</Option>
<Option name="pf_set_tcp_opening">False</Option>
<Option name="pf_set_udp_first">False</Option>
<Option name="pf_set_udp_multiple">False</Option>
<Option name="pf_set_udp_single">False</Option>
<Option name="pf_tcp_closed">0</Option>
<Option name="pf_tcp_closing">0</Option>
<Option name="pf_tcp_established">0</Option>
<Option name="pf_tcp_finwait">0</Option>
<Option name="pf_tcp_first">0</Option>
<Option name="pf_tcp_opening">0</Option>
<Option name="pf_timeout_frag">30</Option>
<Option name="pf_timeout_interval">10</Option>
<Option name="pf_udp_first">0</Option>
<Option name="pf_udp_multiple">0</Option>
<Option name="pf_udp_single">0</Option>
<Option name="pix_add_clear_statements">true</Option>
<Option name="pix_assume_fw_part_of_any">true</Option>
<Option name="pix_default_logint">300</Option>
<Option name="pix_emblem_log_format">false</Option>
<Option name="pix_emulate_out_acl">true</Option>
<Option name="pix_floodguard">true</Option>
<Option name="pix_include_comments">true</Option>
<Option name="pix_route_dnat_supported">true</Option>
<Option name="pix_rule_syslog_settings">false</Option>
<Option name="pix_security_fragguard_supported">true</Option>
<Option name="pix_syslog_device_id_supported">false</Option>
<Option name="pix_use_acl_remarks">true</Option>
<Option name="prolog_place">fw_file</Option>
<Option name="prolog_script"/>
<Option name="prompt1">$ </Option>
<Option name="prompt2"> # </Option>
<Option name="solaris_ip_forward">1</Option>
<Option name="sshArgs"/>
<Option name="ulog_cprange">0</Option>
<Option name="ulog_nlgroup">1</Option>
<Option name="ulog_qthreshold">1</Option>
<Option name="use_ULOG">False</Option>
<Option name="use_iptables_restore">False</Option>
<Option name="use_numeric_log_levels">False</Option>
<Option name="verify_interfaces">True</Option>
</FirewallOptions>
</Firewall>
</ObjectGroup>
<IntervalGroup id="stdid11_1" name="Time"/>
<ObjectRef ref="id483F5B7623190"/>
<ObjectRef ref="id4833F6316131"/>
<ObjectRef ref="id4833F62E6131"/>
<ObjectRef ref="id4833F62F6131"/>
<ObjectRef ref="id4833F6306131"/>
</Library>
<Library id="sysid99" name="Deleted Objects" ro="False">
<ObjectRef ref="host-hostB"/>
<Library color="#FFFFFF" comment="" id="id40E233F3" name="West Coast" ro="False">
<ObjectGroup id="id40E233F4" name="Objects">
<ObjectGroup id="id40E233F4_og_ats_1" name="Address Tables"/>
<ObjectGroup id="id40E233F5" name="Addresses"/>
<ObjectGroup id="id40E233F6" name="Groups">
<ObjectGroup comment="" id="id40E23403" name="West Coast Servers"/>
</ObjectGroup>
<ObjectGroup id="id40E233F7" name="Hosts"/>
<ObjectGroup id="id40E233F8" name="Networks"/>
<ObjectGroup id="id40E233F9" name="Address Ranges"/>
</ObjectGroup>
<ServiceGroup id="id40E233FA" name="Services">
<ServiceGroup id="id40E233FA_og_tag_1" name="TagServices">
</ServiceGroup>
<ServiceGroup id="id40E233FB" name="Groups"/>
<ServiceGroup id="id40E233FC" name="ICMP"/>
<ServiceGroup id="id40E233FD" name="IP"/>
<ServiceGroup id="id40E233FE" name="TCP"/>
<ServiceGroup id="id40E233FF" name="UDP"/>
<ServiceGroup id="id40E23400" name="Custom"/>
<ServiceGroup id="id40E233FA_userservices" name="Users"/>
</ServiceGroup>
<ObjectGroup id="id40E23401" name="Firewalls"/>
<IntervalGroup id="id40E23402" name="Time"/>
</Library>
<Library color="#FFFFFF" comment="" id="id40D07E7A" name="LAX" ro="False">
<ObjectGroup id="id40D07E7B" name="Objects">
<ObjectGroup id="id40D07E7B_og_ats_1" name="Address Tables"/>
<ObjectGroup id="id40D07E7C" name="Addresses">
<IPv4 comment="" id="id40E238E6" name="laxftp1" address="10.1.10.10" netmask="255.255.255.255"/>
<IPv4 comment="" id="id40E238E7" name="laxweb1" address="10.1.10.11" netmask="255.255.255.255"/>
</ObjectGroup>
<ObjectGroup id="id40D07E7D" name="Groups">
<ObjectGroup comment="" id="id40E23565" name="LAX Servers"/>
</ObjectGroup>
<ObjectGroup id="id40D07E7E" name="Hosts"/>
<ObjectGroup id="id40D07E7F" name="Networks"/>
<ObjectGroup id="id40D07E80" name="Address Ranges"/>
</ObjectGroup>
<ServiceGroup id="id40D07E81" name="Services">
<ServiceGroup id="id40D07E81_og_tag_1" name="TagServices">
</ServiceGroup>
<ServiceGroup id="id40D07E82" name="Groups"/>
<ServiceGroup id="id40D07E83" name="ICMP"/>
<ServiceGroup id="id40D07E84" name="IP"/>
<ServiceGroup id="id40D07E85" name="TCP"/>
<ServiceGroup id="id40D07E86" name="UDP"/>
<ServiceGroup id="id40D07E87" name="Custom"/>
<ServiceGroup id="id40D07E81_userservices" name="Users"/>
</ServiceGroup>
<ObjectGroup id="id40D07E88" name="Firewalls"/>
<IntervalGroup id="id40D07E89" name="Time"/>
</Library>
<Library color="#FFFFFF" comment="" id="id40C3E07E" name="SFO" ro="False">
<ObjectGroup id="id40C3E07F" name="Objects">
<ObjectGroup id="id40C3E07F_og_ats_1" name="Address Tables"/>
<ObjectGroup id="id40C3E081" name="Groups">
<ObjectGroup comment="" id="id40E23562" name="SFO Servers"/>
</ObjectGroup>
<ObjectGroup id="id40C3E080" name="Addresses">
<IPv4 comment="" id="id40E238E9" name="sfoweb1" address="10.2.10.11" netmask="255.255.255.255"/>
<IPv4 comment="" id="id40E238E8" name="sfoftp1" address="10.2.10.10" netmask="255.255.255.255"/>
</ObjectGroup>
</ObjectGroup>
</Library>
<Library color="#d2ffd0" comment="" id="id44EC13FB8791" name="tmp" ro="False">
<ObjectGroup id="id44EC13FC8791" name="Objects">
<ObjectGroup id="id44EC13FD8791" name="Addresses"/>
<ObjectGroup id="id44EC13FE8791" name="DNS Names"/>
<ObjectGroup id="id44EC13FF8791" name="Address Tables"/>
<ObjectGroup id="id44EC14008791" name="Groups"/>
<ObjectGroup id="id44EC14018791" name="Hosts"/>
<ObjectGroup id="id44EC14028791" name="Networks"/>
<ObjectGroup id="id44EC14038791" name="Address Ranges"/>
</ObjectGroup>
<ServiceGroup id="id44EC14048791" name="Services">
<ServiceGroup id="id44EC14058791" name="Groups"/>
<ServiceGroup id="id44EC14068791" name="ICMP"/>
<ServiceGroup id="id44EC14078791" name="IP"/>
<ServiceGroup id="id44EC14088791" name="TCP"/>
<ServiceGroup id="id44EC14098791" name="UDP"/>
<ServiceGroup id="id44EC140A8791" name="Custom"/>
<ServiceGroup id="id44EC140B8791" name="TagServices">
</ServiceGroup>
<ServiceGroup id="id44EC14048791_userservices" name="Users"/>
</ServiceGroup>
<ObjectGroup id="id44EC140C8791" name="Firewalls"/>
<IntervalGroup id="id44EC140D8791" name="Time"/>
</Library>
<AddressTable comment="" filename="/home/vadim/tmp/bug-1544488/addr-table-1.tbl" id="id44F7056328576" name="atbl" run_time="True"/>
<Interface bridgeport="False" comment="" dyn="False" id="id45DE9D012560" label="" mgmt="False" name="pcn1" security_level="100" unnum="False" unprotected="False">
<IPv4 comment="" id="id45DE9D032560" name="openbsd-4.0:pcn1:ip" address="10.1.1.1" netmask="255.255.255.0"/>
</Interface>
</Library>
<Library color="#FFFFFF" comment="" id="id415276C8" name="lab" ro="False">
<ObjectGroup id="id415276C9" name="Objects">
<ObjectGroup id="id415276C9_og_ats_1" name="Address Tables"/>
<ObjectGroup id="id415276CA" name="Addresses">
<IPv4 comment="" id="id4144D59F" name="hst1" address="10.3.14.10" netmask="255.255.255.255"/>
<IPv4 comment="" id="id4144D5A0" name="hst2" address="10.3.14.40" netmask="255.255.255.255"/>
</ObjectGroup>
<ObjectGroup id="id415276CB" name="Groups"/>
<ObjectGroup id="id415276CC" name="Hosts"/>
<ObjectGroup id="id415276CD" name="Networks">
<Network comment="" id="id414C5C51" name="n-10.3.14" address="10.3.14.0" netmask="255.255.255.0"/>
<Network comment="" id="id414C70BE" name="labnet" address="10.1.1.0" netmask="255.255.255.0"/>
<Network comment="" id="id414C7BA7" name="n-10.1.2" address="10.1.2.0" netmask="255.255.255.0"/>
</ObjectGroup>
<ObjectGroup id="id415276CE" name="Address Ranges"/>
<ObjectGroup id="id4386458B18448" name="DNS Names"/>
</ObjectGroup>
<ServiceGroup id="id415276CF" name="Services">
<ServiceGroup id="id415276CF_og_tag_1" name="TagServices">
<TagService comment="" id="id4847247323126" name="INTNET" tagcode="INTNET"/>
</ServiceGroup>
<ServiceGroup id="id415276D0" name="Groups"/>
<ServiceGroup id="id415276D1" name="ICMP"/>
<ServiceGroup id="id415276D2" name="IP"/>
<ServiceGroup id="id415276D3" name="TCP"/>
<ServiceGroup id="id415276D4" name="UDP"/>
<ServiceGroup id="id415276D5" name="Custom"/>
<ServiceGroup id="id415276CF_userservices" name="Users"/>
</ServiceGroup>
<ObjectGroup id="id415276D6" name="Firewalls">
<Firewall comment="firewall protects host it is running on&#10;&#10;Note that we set output file name to /tmp/labfw.fw to test what compiler is going to do (since it generates three files rather than one), as well as to test installer in this case&#10;" host_OS="openbsd" id="id3AF5A2BA" inactive="False" lastCompiled="1172032243" lastInstalled="1172032344" lastModified="1212609898" name="labfw-openbsd" platform="pf" ro="False" version="">
<NAT id="id3AF5A2BD" name="NAT">
<NATRule disabled="False" id="id414E693E" position="0">
<OSrc neg="False">
<ObjectRef ref="id414C70BE"/>
</OSrc>
<ODst neg="False">
<ObjectRef ref="sysid0"/>
</ODst>
<OSrv neg="False">
<ServiceRef ref="sysid1"/>
</OSrv>
<TSrc neg="False">
<ObjectRef ref="id3AF5A2CB"/>
</TSrc>
<TDst neg="False">
<ObjectRef ref="sysid0"/>
</TDst>
<TSrv neg="False">
<ServiceRef ref="sysid1"/>
</TSrv>
<NATRuleOptions/>
</NATRule>
<NATRule disabled="False" id="id414E7DF6" position="1">
<OSrc neg="False">
<ObjectRef ref="id414C70BE"/>
<ObjectRef ref="id414C5C51"/>
</OSrc>
<ODst neg="False">
<ObjectRef ref="id414C5C51"/>
<ObjectRef ref="id414C70BE"/>
</ODst>
<OSrv neg="False">
<ServiceRef ref="sysid1"/>
</OSrv>
<TSrc neg="False">
<ObjectRef ref="sysid0"/>
</TSrc>
<TDst neg="False">
<ObjectRef ref="sysid0"/>
</TDst>
<TSrv neg="False">
<ServiceRef ref="sysid1"/>
</TSrv>
<NATRuleOptions/>
</NATRule>
</NAT>
<Policy id="id3AF5A2BC" name="Policy">
<PolicyRule action="Tag" direction="Both" disabled="False" group="" id="id48472A0C23126" log="False" position="0">
<Src neg="False">
<ObjectRef ref="sysid0"/>
</Src>
<Dst neg="False">
<ObjectRef ref="sysid0"/>
</Dst>
<Srv neg="False">
<ServiceRef ref="sysid1"/>
</Srv>
<Itf neg="False">
<ObjectRef ref="sysid0"/>
</Itf>
<When neg="False">
<IntervalRef ref="sysid2"/>
</When>
<PolicyRuleOptions>
<Option name="action_on_reject"/>
<Option name="classify_str"/>
<Option name="custom_str"/>
<Option name="ipf_route_opt_addr"/>
<Option name="ipf_route_opt_if"/>
<Option name="ipf_route_option">route_through</Option>
<Option name="ipfw_classify_method">2</Option>
<Option name="ipfw_pipe_port_num">0</Option>
<Option name="ipfw_pipe_queue_num">0</Option>
<Option name="ipt_continue">False</Option>
<Option name="ipt_gw"/>
<Option name="ipt_iif"/>
<Option name="ipt_mark_connections">False</Option>
<Option name="ipt_oif"/>
<Option name="ipt_tee">False</Option>
<Option name="pf_fastroute">False</Option>
<Option name="pf_route_load_option">none</Option>
<Option name="pf_route_opt_addr"/>
<Option name="pf_route_opt_if"/>
<Option name="pf_route_option">route_through</Option>
<Option name="rule_name_accounting"/>
<Option name="stateless">False</Option>
<Option name="tagobject_id">id4847247323126</Option>
</PolicyRuleOptions>
</PolicyRule>
<PolicyRule action="Deny" direction="Inbound" disabled="False" id="id414C70C1" log="True" position="1">
<Src neg="False">
<ObjectRef ref="id414C70BE"/>
<ObjectRef ref="id414C7BA7"/>
</Src>
<Dst neg="False">
<ObjectRef ref="sysid0"/>
</Dst>
<Srv neg="False">
<ServiceRef ref="sysid1"/>
</Srv>
<Itf neg="False">
<ObjectRef ref="id3AF5A2CB"/>
</Itf>
<When neg="False">
<IntervalRef ref="sysid2"/>
</When>
<PolicyRuleOptions>
<Option name="stateless">True</Option>
</PolicyRuleOptions>
</PolicyRule>
<PolicyRule action="Deny" direction="Outbound" disabled="False" id="id414C47E4" log="True" position="2">
<Src neg="True">
<ObjectRef ref="id3AF5A2BA"/>
<ObjectRef ref="id414C70BE"/>
</Src>
<Dst neg="False">
<ObjectRef ref="sysid0"/>
</Dst>
<Srv neg="False">
<ServiceRef ref="sysid1"/>
</Srv>
<Itf neg="False">
<ObjectRef ref="id3AF5A2CB"/>
</Itf>
<When neg="False">
<IntervalRef ref="sysid2"/>
</When>
<PolicyRuleOptions>
<Option name="stateless">True</Option>
</PolicyRuleOptions>
</PolicyRule>
<PolicyRule action="Accept" direction="Both" disabled="False" id="id41441D4F" log="False" position="3">
<Src neg="False">
<ObjectRef ref="sysid0"/>
</Src>
<Dst neg="False">
<ObjectRef ref="sysid0"/>
</Dst>
<Srv neg="False">
<ServiceRef ref="sysid1"/>
</Srv>
<Itf neg="False">
<ObjectRef ref="id3AFB7090"/>
</Itf>
<When neg="False">
<IntervalRef ref="sysid2"/>
</When>
<PolicyRuleOptions/>
</PolicyRule>
<PolicyRule action="Branch" direction="Inbound" disabled="False" id="id445E76C726850" log="False" position="4">
<Src neg="False">
<ObjectRef ref="sysid0"/>
</Src>
<Dst neg="False">
<ObjectRef ref="id3AF5A2BA"/>
</Dst>
<Srv neg="False">
<ServiceRef ref="sysid1"/>
</Srv>
<Itf neg="False">
<ObjectRef ref="id3AF5A2CB"/>
</Itf>
<When neg="False">
<IntervalRef ref="sysid2"/>
</When>
<PolicyRuleOptions>
<Option name="branch_name">rule3_branch</Option>
<Option name="color">#C0BA44</Option>
<Option name="stateless">True</Option>
</PolicyRuleOptions>
</PolicyRule>
<PolicyRule action="Accept" direction="Both" disabled="False" id="id414E7E0E" log="False" position="5">
<Src neg="False">
<ObjectRef ref="id414C5C51"/>
<ObjectRef ref="id414C70BE"/>
</Src>
<Dst neg="False">
<ObjectRef ref="id414C70BE"/>
<ObjectRef ref="id414C5C51"/>
</Dst>
<Srv neg="False">
<ServiceRef ref="sysid1"/>
</Srv>
<Itf neg="False">
<ObjectRef ref="sysid0"/>
</Itf>
<When neg="False">
<IntervalRef ref="sysid2"/>
</When>
<PolicyRuleOptions/>
</PolicyRule>
<PolicyRule action="Accept" comment="allow all outgoing connections" direction="Both" disabled="False" id="id3AF5A757" log="False" position="6">
<Src neg="False">
<ObjectRef ref="id3AF5A2BA"/>
<ObjectRef ref="id414C70BE"/>
</Src>
<Dst neg="False">
<ObjectRef ref="sysid0"/>
</Dst>
<Srv neg="False">
<ServiceRef ref="sysid1"/>
</Srv>
<Itf neg="False">
<ObjectRef ref="sysid0"/>
</Itf>
<When neg="False">
<IntervalRef ref="sysid2"/>
</When>
<PolicyRuleOptions/>
</PolicyRule>
<PolicyRule action="Deny" comment="'catch all' rule" direction="Both" disabled="False" id="id3AF5A762" log="True" position="7">
<Src neg="False">
<ObjectRef ref="sysid0"/>
</Src>
<Dst neg="False">
<ObjectRef ref="sysid0"/>
</Dst>
<Srv neg="False">
<ServiceRef ref="sysid1"/>
</Srv>
<Itf neg="False">
<ObjectRef ref="sysid0"/>
</Itf>
<When neg="False">
<IntervalRef ref="sysid2"/>
</When>
<PolicyRuleOptions>
<Option name="stateless">True</Option>
</PolicyRuleOptions>
</PolicyRule>
</Policy>
<Policy id="id445E76D326850" name="rule3_branch">
<PolicyRule action="Deny" comment="block fragments" direction="Both" disabled="False" id="id445E77D326850" log="True" position="0">
<Src neg="False">
<ObjectRef ref="sysid0"/>
</Src>
<Dst neg="False">
<ObjectRef ref="id3AF5A2BA"/>
</Dst>
<Srv neg="False">
<ServiceRef ref="ip-IP_Fragments"/>
</Srv>
<Itf neg="False">
<ObjectRef ref="sysid0"/>
</Itf>
<When neg="False">
<IntervalRef ref="sysid2"/>
</When>
<PolicyRuleOptions>
<Option name="stateless">True</Option>
</PolicyRuleOptions>
</PolicyRule>
<PolicyRule action="Accept" comment="" direction="Both" disabled="False" id="id445E77BB26850" log="False" position="1">
<Src neg="True">
<ObjectRef ref="id4144D59F"/>
<ObjectRef ref="id4144D5A0"/>
</Src>
<Dst neg="False">
<ObjectRef ref="id3AF5A2BA"/>
</Dst>
<Srv neg="False">
<ServiceRef ref="tcp-SMTP"/>
<ServiceRef ref="tcp-HTTP"/>
<ServiceRef ref="tcp-SSH"/>
<ServiceRef ref="tcp-FTP"/>
<ServiceRef ref="tcp-Telnet"/>
<ServiceRef ref="icmp-Unreachables"/>
<ServiceRef ref="icmp-ping_request"/>
</Srv>
<Itf neg="False">
<ObjectRef ref="sysid0"/>
</Itf>
<When neg="False">
<IntervalRef ref="sysid2"/>
</When>
<PolicyRuleOptions/>
</PolicyRule>
</Policy>
<Routing id="id3AF5A2BA-routing" name="Routing"/>
<Interface bridgeport="False" comment="" dyn="False" id="id3AF5A2CB" label="" mgmt="True" name="pcn0" security_level="0" unnum="False" unprotected="False">
<IPv4 comment="" id="id3AF5A2CB-ipv4" name="labfw-openbsd:pcn0:ip" address="10.3.14.120" netmask="255.255.255.0"/>
</Interface>
<Interface bridgeport="False" dyn="False" id="id3AFB7090" name="lo" security_level="100" unnum="False" unprotected="False">
<IPv4 id="id3AFB7090-ipv4" name="labfw-openbsd:lo:ip" address="127.0.0.1" netmask="255.0.0.0"/>
</Interface>
<Interface bridgeport="False" comment="" dyn="False" id="id414C70BB" label="" mgmt="False" name="pcn1" security_level="100" unnum="False" unprotected="False">
<IPv4 comment="" id="id414C70BD" name="labfw-openbsd:pcn1:ip" address="10.1.1.1" netmask="255.255.255.0"/>
</Interface>
<Management address="10.3.14.120">
<SNMPManagement enabled="False" snmp_read_community="public" snmp_write_community=""/>
<FWBDManagement enabled="True" identity="" port="9999"/>
<PolicyInstallScript arguments="" command="" enabled="False"/>
</Management>
<FirewallOptions>
<Option name="accept_established">True</Option>
<Option name="accept_new_tcp_with_no_syn">True</Option>
<Option name="action_on_reject">ICMP host prohibited</Option>
<Option name="activationCmd"/>
<Option name="admUser">root</Option>
<Option name="altAddress">labfw</Option>
<Option name="check_shading">True</Option>
<Option name="clamp_mss_to_mtu">False</Option>
<Option name="cmdline"/>
<Option name="compiler"/>
<Option name="configure_interfaces">False</Option>
<Option name="debug">False</Option>
<Option name="dyn_addr">False</Option>
<Option name="epilog_script"/>
<Option name="fallback_log">False</Option>
<Option name="firewall_dir">/etc/fw</Option>
<Option name="firewall_is_part_of_any">True</Option>
<Option name="firewall_is_part_of_any_and_networks">True</Option>
<Option name="ignore_empty_groups">False</Option>
<Option name="in_out_code">True</Option>
<Option name="inst_cmdline"/>
<Option name="inst_script"/>
<Option name="install_script"/>
<Option name="limit_suffix">/day</Option>
<Option name="limit_value">0</Option>
<Option name="linux24_ip_forward">0</Option>
<Option name="linux24_tcp_fin_timeout">30</Option>
<Option name="linux24_tcp_keepalive_interval">1800</Option>
<Option name="load_modules">False</Option>
<Option name="log_all_dropped">False</Option>
<Option name="log_ip_opt">False</Option>
<Option name="log_level">debug</Option>
<Option name="log_limit_suffix"/>
<Option name="log_limit_value">0</Option>
<Option name="log_prefix"/>
<Option name="log_tcp_opt">False</Option>
<Option name="log_tcp_seq">False</Option>
<Option name="manage_virtual_addr">False</Option>
<Option name="mgmt_addr">10.3.14.40</Option>
<Option name="mgmt_ssh">True</Option>
<Option name="modulate_state">False</Option>
<Option name="no_iochains_for_any">False</Option>
<Option name="no_optimisation">False</Option>
<Option name="openbsd_ip_directed_broadcast"/>
<Option name="openbsd_ip_forward">1</Option>
<Option name="openbsd_ip_redirect"/>
<Option name="openbsd_ip_sourceroute"/>
<Option name="openbsd_path_pfctl"/>
<Option name="openbsd_path_sysctl"/>
<Option name="output_file"/>
<Option name="pass_all_out">False</Option>
<Option name="pf_adaptive_end">0</Option>
<Option name="pf_adaptive_start">0</Option>
<Option name="pf_do_limit_frags">False</Option>
<Option name="pf_do_limit_states">False</Option>
<Option name="pf_do_scrub">True</Option>
<Option name="pf_do_timeout_frag">False</Option>
<Option name="pf_do_timeout_interval">False</Option>
<Option name="pf_icmp_error">0</Option>
<Option name="pf_icmp_first">0</Option>
<Option name="pf_limit_frags">5000</Option>
<Option name="pf_limit_states">10000</Option>
<Option name="pf_optimization"/>
<Option name="pf_other_first">0</Option>
<Option name="pf_other_multiple">0</Option>
<Option name="pf_other_single">0</Option>
<Option name="pf_scrub_fragm_crop">False</Option>
<Option name="pf_scrub_fragm_drop_ovl">False</Option>
<Option name="pf_scrub_maxmss">1460</Option>
<Option name="pf_scrub_minttl">1</Option>
<Option name="pf_scrub_no_df">False</Option>
<Option name="pf_scrub_random_id">False</Option>
<Option name="pf_scrub_reassemble">True</Option>
<Option name="pf_scrub_use_maxmss">False</Option>
<Option name="pf_scrub_use_minttl">False</Option>
<Option name="pf_set_adaptive">False</Option>
<Option name="pf_set_icmp_error">False</Option>
<Option name="pf_set_icmp_first">False</Option>
<Option name="pf_set_other_first">False</Option>
<Option name="pf_set_other_multiple">False</Option>
<Option name="pf_set_other_single">False</Option>
<Option name="pf_set_tcp_closed">False</Option>
<Option name="pf_set_tcp_closing">False</Option>
<Option name="pf_set_tcp_established">False</Option>
<Option name="pf_set_tcp_finwait">False</Option>
<Option name="pf_set_tcp_first">False</Option>
<Option name="pf_set_tcp_opening">False</Option>
<Option name="pf_set_udp_first">False</Option>
<Option name="pf_set_udp_multiple">False</Option>
<Option name="pf_set_udp_single">False</Option>
<Option name="pf_tcp_closed">0</Option>
<Option name="pf_tcp_closing">0</Option>
<Option name="pf_tcp_established">0</Option>
<Option name="pf_tcp_finwait">0</Option>
<Option name="pf_tcp_first">0</Option>
<Option name="pf_tcp_opening">0</Option>
<Option name="pf_timeout_frag">30</Option>
<Option name="pf_timeout_interval">10</Option>
<Option name="pf_udp_first">0</Option>
<Option name="pf_udp_multiple">0</Option>
<Option name="pf_udp_single">0</Option>
<Option name="platform">iptables</Option>
<Option name="prolog_place">fw_file</Option>
<Option name="prolog_script"/>
<Option name="script_env_path"/>
<Option name="snmp_contact"/>
<Option name="snmp_description"/>
<Option name="snmp_location"/>
<Option name="sshArgs"/>
<Option name="use_ip_tool">False</Option>
<Option name="use_numeric_log_levels">False</Option>
<Option name="use_tables">True</Option>
</FirewallOptions>
</Firewall>
<Firewall comment="" host_OS="freebsd" id="id42B5D8FC" inactive="True" lastCompiled="1157930826" lastInstalled="0" lastModified="1147032998" name="labfw-fbsd" platform="pf" ro="False" version="">
<NAT id="id42B5D93E" name="NAT">
<NATRule disabled="False" id="id42B5D93F" position="0">
<OSrc neg="False">
<ObjectRef ref="id414C70BE"/>
</OSrc>
<ODst neg="False">
<ObjectRef ref="sysid0"/>
</ODst>
<OSrv neg="False">
<ServiceRef ref="sysid1"/>
</OSrv>
<TSrc neg="False">
<ObjectRef ref="id42B5D95D"/>
</TSrc>
<TDst neg="False">
<ObjectRef ref="sysid0"/>
</TDst>
<TSrv neg="False">
<ServiceRef ref="sysid1"/>
</TSrv>
<NATRuleOptions/>
</NATRule>
</NAT>
<Policy id="id42B5D901" name="Policy">
<PolicyRule action="Deny" direction="Inbound" disabled="False" id="id42B5D977" log="True" position="0">
<Src neg="False">
<ObjectRef ref="id414C70BE"/>
<ObjectRef ref="id42B5D8FC"/>
</Src>
<Dst neg="False">
<ObjectRef ref="sysid0"/>
</Dst>
<Srv neg="False">
<ServiceRef ref="sysid1"/>
</Srv>
<Itf neg="False">
<ObjectRef ref="id42B5D95D"/>
</Itf>
<When neg="False">
<IntervalRef ref="sysid2"/>
</When>
<PolicyRuleOptions>
<Option name="stateless">True</Option>
</PolicyRuleOptions>
</PolicyRule>
<PolicyRule action="Deny" direction="Outbound" disabled="False" id="id42B5D982" log="True" position="1">
<Src neg="True">
<ObjectRef ref="id42B5D8FC"/>
<ObjectRef ref="id414C70BE"/>
</Src>
<Dst neg="False">
<ObjectRef ref="sysid0"/>
</Dst>
<Srv neg="False">
<ServiceRef ref="sysid1"/>
</Srv>
<Itf neg="False">
<ObjectRef ref="id42B5D95D"/>
</Itf>
<When neg="False">
<IntervalRef ref="sysid2"/>
</When>
<PolicyRuleOptions>
<Option name="stateless">True</Option>
</PolicyRuleOptions>
</PolicyRule>
<PolicyRule action="Accept" direction="Both" disabled="False" id="id42B5D99C" log="False" position="2">
<Src neg="False">
<ObjectRef ref="sysid0"/>
</Src>
<Dst neg="False">
<ObjectRef ref="sysid0"/>
</Dst>
<Srv neg="False">
<ServiceRef ref="sysid1"/>
</Srv>
<Itf neg="False">
<ObjectRef ref="id42B5D98E"/>
</Itf>
<When neg="False">
<IntervalRef ref="sysid2"/>
</When>
<PolicyRuleOptions/>
</PolicyRule>
<PolicyRule action="Deny" comment="block fragments" direction="Both" disabled="False" id="id42B5D902" log="True" position="3">
<Src neg="False">
<ObjectRef ref="sysid0"/>
</Src>
<Dst neg="False">
<ObjectRef ref="id42B5D8FC"/>
</Dst>
<Srv neg="False">
<ServiceRef ref="ip-IP_Fragments"/>
</Srv>
<Itf neg="False">
<ObjectRef ref="sysid0"/>
</Itf>
<When neg="False">
<IntervalRef ref="sysid2"/>
</When>
<PolicyRuleOptions>
<Option name="stateless">True</Option>
</PolicyRuleOptions>
</PolicyRule>
<PolicyRule action="Accept" comment="need this because PF consults&#10;policy rules after nat as well" direction="Both" disabled="False" id="id42B5D929" log="False" position="4">
<Src neg="False">
<ObjectRef ref="id42B5D8FC"/>
</Src>
<Dst neg="False">
<ObjectRef ref="sysid0"/>
</Dst>
<Srv neg="False">
<ServiceRef ref="sysid1"/>
</Srv>
<Itf neg="False">
<ObjectRef ref="sysid0"/>
</Itf>
<When neg="False">
<IntervalRef ref="sysid2"/>
</When>
<PolicyRuleOptions/>
</PolicyRule>
<PolicyRule action="Accept" comment="allow all outgoing connections" direction="Both" disabled="False" id="id42B612DC" log="False" position="5">
<Src neg="False">
<ObjectRef ref="id414C70BE"/>
</Src>
<Dst neg="False">
<ObjectRef ref="sysid0"/>
</Dst>
<Srv neg="False">
<ServiceRef ref="sysid1"/>
</Srv>
<Itf neg="False">
<ObjectRef ref="sysid0"/>
</Itf>
<When neg="False">
<IntervalRef ref="sysid2"/>
</When>
<PolicyRuleOptions/>
</PolicyRule>
<PolicyRule action="Deny" comment="'catch all' rule" direction="Both" disabled="False" id="id42B5D934" log="True" position="6">
<Src neg="False">
<ObjectRef ref="sysid0"/>
</Src>
<Dst neg="False">
<ObjectRef ref="sysid0"/>
</Dst>
<Srv neg="False">
<ServiceRef ref="sysid1"/>
</Srv>
<Itf neg="False">
<ObjectRef ref="sysid0"/>
</Itf>
<When neg="False">
<IntervalRef ref="sysid2"/>
</When>
<PolicyRuleOptions>
<Option name="stateless">True</Option>
</PolicyRuleOptions>
</PolicyRule>
</Policy>
<Routing id="id42B5D8FC-routing" name="Routing"/>
<Interface bridgeport="False" comment="" dyn="False" id="id42B5D95D" label="" mgmt="True" name="lnc0" security_level="0" unnum="False" unprotected="False">
<IPv4 comment="" id="id42B5D98D" name="labfw-fbsd:lnc0:ip" address="10.3.14.121" netmask="255.255.255.0"/>
</Interface>
<Interface bridgeport="False" comment="" dyn="False" id="id42B5D98E" label="" mgmt="False" name="lo0" security_level="100" unnum="False" unprotected="False">
<IPv4 id="id42B5D9A6" name="labfw-fbsd:lo0:ip" address="127.0.0.1" netmask="255.0.0.0"/>
</Interface>
<Interface bridgeport="False" comment="" dyn="False" id="id42B5D9A7" label="" mgmt="False" name="lnc1" security_level="100" unnum="False" unprotected="False">
<IPv4 comment="" id="id42B5D9AB" name="labfw-fbsd:lnc1:ip" address="10.1.1.1" netmask="255.255.255.0"/>
</Interface>
<Management address="10.3.14.121">
<SNMPManagement enabled="False" snmp_read_community="public" snmp_write_community=""/>
<FWBDManagement enabled="True" identity="" port="9999"/>
<PolicyInstallScript arguments="" command="" enabled="False"/>
</Management>
<FirewallOptions>
<Option name="accept_established">True</Option>
<Option name="accept_new_tcp_with_no_syn">True</Option>
<Option name="action_on_reject">ICMP host prohibited</Option>
<Option name="activationCmd"/>
<Option name="admUser">root</Option>
<Option name="altAddress">10.3.14.121</Option>
<Option name="check_shading">True</Option>
<Option name="clamp_mss_to_mtu">False</Option>
<Option name="cmdline"/>
<Option name="compiler"/>
<Option name="configure_interfaces">False</Option>
<Option name="debug">False</Option>
<Option name="dyn_addr">False</Option>
<Option name="epilog_script"/>
<Option name="fallback_log">False</Option>
<Option name="firewall_dir">/etc/fw</Option>
<Option name="firewall_is_part_of_any">True</Option>
<Option name="firewall_is_part_of_any_and_networks">True</Option>
<Option name="freebsd_ip_forward">1</Option>
<Option name="freebsd_ip_redirect"/>
<Option name="freebsd_ip_sourceroute"/>
<Option name="freebsd_path_ipf"/>
<Option name="freebsd_path_ipfw"/>
<Option name="freebsd_path_ipnat"/>
<Option name="freebsd_path_sysctl"/>
<Option name="ignore_empty_groups">False</Option>
<Option name="in_out_code">True</Option>
<Option name="inst_cmdline"/>
<Option name="inst_script"/>
<Option name="install_script"/>
<Option name="limit_suffix">/day</Option>
<Option name="limit_value">0</Option>
<Option name="linux24_ip_forward">0</Option>
<Option name="linux24_tcp_fin_timeout">30</Option>
<Option name="linux24_tcp_keepalive_interval">1800</Option>
<Option name="load_modules">False</Option>
<Option name="log_all_dropped">False</Option>
<Option name="log_ip_opt">False</Option>
<Option name="log_level">debug</Option>
<Option name="log_limit_suffix"/>
<Option name="log_limit_value">0</Option>
<Option name="log_prefix"/>
<Option name="log_tcp_opt">False</Option>
<Option name="log_tcp_seq">False</Option>
<Option name="manage_virtual_addr">False</Option>
<Option name="mgmt_addr">10.3.14.40</Option>
<Option name="mgmt_ssh">True</Option>
<Option name="modulate_state">False</Option>
<Option name="no_iochains_for_any">False</Option>
<Option name="no_optimisation">False</Option>
<Option name="openbsd_ip_directed_broadcast"/>
<Option name="openbsd_ip_forward">1</Option>
<Option name="openbsd_ip_redirect"/>
<Option name="openbsd_ip_sourceroute"/>
<Option name="openbsd_path_pfctl"/>
<Option name="openbsd_path_sysctl"/>
<Option name="output_file"/>
<Option name="pass_all_out">False</Option>
<Option name="pf_adaptive_end">0</Option>
<Option name="pf_adaptive_start">0</Option>
<Option name="pf_do_limit_frags">False</Option>
<Option name="pf_do_limit_states">False</Option>
<Option name="pf_do_scrub">True</Option>
<Option name="pf_do_timeout_frag">False</Option>
<Option name="pf_do_timeout_interval">False</Option>
<Option name="pf_icmp_error">0</Option>
<Option name="pf_icmp_first">0</Option>
<Option name="pf_limit_frags">5000</Option>
<Option name="pf_limit_states">10000</Option>
<Option name="pf_optimization"/>
<Option name="pf_other_first">0</Option>
<Option name="pf_other_multiple">0</Option>
<Option name="pf_other_single">0</Option>
<Option name="pf_scrub_fragm_crop">False</Option>
<Option name="pf_scrub_fragm_drop_ovl">False</Option>
<Option name="pf_scrub_maxmss">1460</Option>
<Option name="pf_scrub_minttl">1</Option>
<Option name="pf_scrub_no_df">False</Option>
<Option name="pf_scrub_random_id">False</Option>
<Option name="pf_scrub_reassemble">True</Option>
<Option name="pf_scrub_use_maxmss">False</Option>
<Option name="pf_scrub_use_minttl">False</Option>
<Option name="pf_set_adaptive">False</Option>
<Option name="pf_set_icmp_error">False</Option>
<Option name="pf_set_icmp_first">False</Option>
<Option name="pf_set_other_first">False</Option>
<Option name="pf_set_other_multiple">False</Option>
<Option name="pf_set_other_single">False</Option>
<Option name="pf_set_tcp_closed">False</Option>
<Option name="pf_set_tcp_closing">False</Option>
<Option name="pf_set_tcp_established">False</Option>
<Option name="pf_set_tcp_finwait">False</Option>
<Option name="pf_set_tcp_first">False</Option>
<Option name="pf_set_tcp_opening">False</Option>
<Option name="pf_set_udp_first">False</Option>
<Option name="pf_set_udp_multiple">False</Option>
<Option name="pf_set_udp_single">False</Option>
<Option name="pf_tcp_closed">0</Option>
<Option name="pf_tcp_closing">0</Option>
<Option name="pf_tcp_established">0</Option>
<Option name="pf_tcp_finwait">0</Option>
<Option name="pf_tcp_first">0</Option>
<Option name="pf_tcp_opening">0</Option>
<Option name="pf_timeout_frag">30</Option>
<Option name="pf_timeout_interval">10</Option>
<Option name="pf_udp_first">0</Option>
<Option name="pf_udp_multiple">0</Option>
<Option name="pf_udp_single">0</Option>
<Option name="platform">iptables</Option>
<Option name="prolog_script"/>
<Option name="script_env_path"/>
<Option name="snmp_contact"/>
<Option name="snmp_description"/>
<Option name="snmp_location"/>
<Option name="sshArgs"/>
<Option name="use_ip_tool">False</Option>
<Option name="use_numeric_log_levels">False</Option>
<Option name="use_tables">True</Option>
</FirewallOptions>
</Firewall>
<Firewall comment="firewall protects host it is running on&#10;&#10;Note that we set output file name to /tmp/labfw.fw to test what compiler is going to do (since it generates three files rather than one), as well as to test installer in this case&#10;" host_OS="openbsd" id="id45DE9C5B2560" inactive="False" lastCompiled="1202683169" lastInstalled="1202683190" lastModified="1202683163" name="openbsd-4.0" platform="pf" ro="False" version="ge_3.7">
<NAT id="id45DE9CDB2560" name="NAT"/>
<Policy id="id45DE9C612560" name="Policy">
<PolicyRule action="Accept" direction="Both" disabled="True" id="id47B0069F19082" log="False" position="0">
<Src neg="False">
<ObjectRef ref="id4144D5A0"/>
</Src>
<Dst neg="False">
<ObjectRef ref="id45DE9C5B2560"/>
</Dst>
<Srv neg="False">
<ServiceRef ref="tcp-SSH"/>
</Srv>
<Itf neg="False">
<ObjectRef ref="sysid0"/>
</Itf>
<When neg="False">
<IntervalRef ref="sysid2"/>
</When>
<PolicyRuleOptions>
<Option name="stateless">False</Option>
</PolicyRuleOptions>
</PolicyRule>
<PolicyRule action="Deny" direction="Outbound" disabled="False" id="id45DE9C6F2560" log="True" position="1">
<Src neg="True">
<ObjectRef ref="id45DE9C5B2560"/>
</Src>
<Dst neg="False">
<ObjectRef ref="sysid0"/>
</Dst>
<Srv neg="False">
<ServiceRef ref="sysid1"/>
</Srv>
<Itf neg="False">
<ObjectRef ref="id45DE9CFB2560"/>
</Itf>
<When neg="False">
<IntervalRef ref="sysid2"/>
</When>
<PolicyRuleOptions>
<Option name="stateless">True</Option>
</PolicyRuleOptions>
</PolicyRule>
<PolicyRule action="Accept" direction="Both" disabled="False" id="id45DE9C7C2560" log="False" position="2">
<Src neg="False">
<ObjectRef ref="sysid0"/>
</Src>
<Dst neg="False">
<ObjectRef ref="sysid0"/>
</Dst>
<Srv neg="False">
<ServiceRef ref="sysid1"/>
</Srv>
<Itf neg="False">
<ObjectRef ref="id45DE9CFE2560"/>
</Itf>
<When neg="False">
<IntervalRef ref="sysid2"/>
</When>
<PolicyRuleOptions/>
</PolicyRule>
<PolicyRule action="Branch" direction="Inbound" disabled="False" id="id45DE9C882560" log="False" position="3">
<Src neg="False">
<ObjectRef ref="sysid0"/>
</Src>
<Dst neg="False">
<ObjectRef ref="id45DE9C5B2560"/>
</Dst>
<Srv neg="False">
<ServiceRef ref="sysid1"/>
</Srv>
<Itf neg="False">
<ObjectRef ref="id45DE9CFB2560"/>
</Itf>
<When neg="False">
<IntervalRef ref="sysid2"/>
</When>
<PolicyRuleOptions>
<Option name="branch_name">rule3_branch</Option>
<Option name="color">#C0BA44</Option>
<Option name="stateless">True</Option>
</PolicyRuleOptions>
</PolicyRule>
<PolicyRule action="Accept" comment="allow all outgoing connections" direction="Both" disabled="False" id="id45DE9CC22560" log="False" position="4">
<Src neg="False">
<ObjectRef ref="id45DE9C5B2560"/>
</Src>
<Dst neg="False">
<ObjectRef ref="sysid0"/>
</Dst>
<Srv neg="False">
<ServiceRef ref="sysid1"/>
</Srv>
<Itf neg="False">
<ObjectRef ref="sysid0"/>
</Itf>
<When neg="False">
<IntervalRef ref="sysid2"/>
</When>
<PolicyRuleOptions/>
</PolicyRule>
<PolicyRule action="Deny" comment="'catch all' rule" direction="Both" disabled="False" id="id45DE9CCF2560" log="True" position="5">
<Src neg="False">
<ObjectRef ref="sysid0"/>
</Src>
<Dst neg="False">
<ObjectRef ref="sysid0"/>
</Dst>
<Srv neg="False">
<ServiceRef ref="sysid1"/>
</Srv>
<Itf neg="False">
<ObjectRef ref="sysid0"/>
</Itf>
<When neg="False">
<IntervalRef ref="sysid2"/>
</When>
<PolicyRuleOptions>
<Option name="stateless">True</Option>
</PolicyRuleOptions>
</PolicyRule>
</Policy>
<Policy id="id45DE9C942560" name="rule3_branch">
<PolicyRule action="Deny" comment="block fragments" direction="Both" disabled="False" id="id45DE9C952560" log="True" position="0">
<Src neg="False">
<ObjectRef ref="sysid0"/>
</Src>
<Dst neg="False">
<ObjectRef ref="id45DE9C5B2560"/>
</Dst>
<Srv neg="False">
<ServiceRef ref="ip-IP_Fragments"/>
</Srv>
<Itf neg="False">
<ObjectRef ref="sysid0"/>
</Itf>
<When neg="False">
<IntervalRef ref="sysid2"/>
</When>
<PolicyRuleOptions>
<Option name="stateless">True</Option>
</PolicyRuleOptions>
</PolicyRule>
<PolicyRule action="Accept" comment="" direction="Both" disabled="False" id="id45DE9CA12560" log="False" position="1">
<Src neg="True">
<ObjectRef ref="id4144D59F"/>
<ObjectRef ref="id4144D5A0"/>
</Src>
<Dst neg="False">
<ObjectRef ref="id45DE9C5B2560"/>
</Dst>
<Srv neg="False">
<ServiceRef ref="tcp-SMTP"/>
<ServiceRef ref="tcp-HTTP"/>
<ServiceRef ref="tcp-SSH"/>
<ServiceRef ref="tcp-FTP"/>
<ServiceRef ref="tcp-Telnet"/>
<ServiceRef ref="icmp-Unreachables"/>
<ServiceRef ref="icmp-ping_request"/>
</Srv>
<Itf neg="False">
<ObjectRef ref="sysid0"/>
</Itf>
<When neg="False">
<IntervalRef ref="sysid2"/>
</When>
<PolicyRuleOptions/>
</PolicyRule>
</Policy>
<Routing id="id45DE9CFA2560" name="Routing"/>
<Interface bridgeport="False" comment="" dyn="False" id="id45DE9CFB2560" label="" mgmt="True" name="pcn0" security_level="0" unnum="False" unprotected="False">
<IPv4 comment="" id="id45DE9CFD2560" name="openbsd-4.0:pcn0:ip" address="10.3.14.54" netmask="255.255.255.0"/>
</Interface>
<Interface bridgeport="False" dyn="False" id="id45DE9CFE2560" name="lo" security_level="100" unnum="False" unprotected="False">
<IPv4 id="id45DE9D002560" name="openbsd-4.0:lo:ip" address="127.0.0.1" netmask="255.0.0.0"/>
</Interface>
<Management address="10.3.14.54">
<SNMPManagement enabled="False" snmp_read_community="public" snmp_write_community=""/>
<FWBDManagement enabled="True" identity="" port="9999"/>
<PolicyInstallScript arguments="" command="" enabled="False"/>
</Management>
<FirewallOptions>
<Option name="accept_established">True</Option>
<Option name="accept_new_tcp_with_no_syn">True</Option>
<Option name="action_on_reject">ICMP host prohibited</Option>
<Option name="activationCmd"/>
<Option name="admUser">root</Option>
<Option name="altAddress"/>
<Option name="check_shading">True</Option>
<Option name="clamp_mss_to_mtu">False</Option>
<Option name="cmdline"/>
<Option name="compiler"/>
<Option name="configure_interfaces">False</Option>
<Option name="debug">True</Option>
<Option name="dyn_addr">False</Option>
<Option name="epilog_script"/>
<Option name="fallback_log">False</Option>
<Option name="firewall_dir">/etc/fw</Option>
<Option name="firewall_is_part_of_any">True</Option>
<Option name="firewall_is_part_of_any_and_networks">True</Option>
<Option name="ignore_empty_groups">False</Option>
<Option name="in_out_code">True</Option>
<Option name="inst_cmdline"/>
<Option name="inst_script"/>
<Option name="install_script"/>
<Option name="limit_suffix">/day</Option>
<Option name="limit_value">0</Option>
<Option name="linux24_ip_forward">0</Option>
<Option name="linux24_tcp_fin_timeout">30</Option>
<Option name="linux24_tcp_keepalive_interval">1800</Option>
<Option name="load_modules">False</Option>
<Option name="log_all_dropped">False</Option>
<Option name="log_ip_opt">False</Option>
<Option name="log_level">debug</Option>
<Option name="log_limit_suffix"/>
<Option name="log_limit_value">0</Option>
<Option name="log_prefix"/>
<Option name="log_tcp_opt">False</Option>
<Option name="log_tcp_seq">False</Option>
<Option name="manage_virtual_addr">False</Option>
<Option name="mgmt_addr">10.3.14.40</Option>
<Option name="mgmt_ssh">True</Option>
<Option name="modulate_state">False</Option>
<Option name="no_iochains_for_any">False</Option>
<Option name="no_optimisation">False</Option>
<Option name="openbsd_ip_directed_broadcast"/>
<Option name="openbsd_ip_forward">1</Option>
<Option name="openbsd_ip_redirect"/>
<Option name="openbsd_ip_sourceroute"/>
<Option name="openbsd_path_pfctl"/>
<Option name="openbsd_path_sysctl"/>
<Option name="output_file"/>
<Option name="pass_all_out">False</Option>
<Option name="pf_adaptive_end">0</Option>
<Option name="pf_adaptive_start">0</Option>
<Option name="pf_do_limit_frags">False</Option>
<Option name="pf_do_limit_states">False</Option>
<Option name="pf_do_scrub">True</Option>
<Option name="pf_do_timeout_frag">False</Option>
<Option name="pf_do_timeout_interval">False</Option>
<Option name="pf_icmp_error">0</Option>
<Option name="pf_icmp_first">0</Option>
<Option name="pf_limit_frags">5000</Option>
<Option name="pf_limit_states">10000</Option>
<Option name="pf_optimization"/>
<Option name="pf_other_first">0</Option>
<Option name="pf_other_multiple">0</Option>
<Option name="pf_other_single">0</Option>
<Option name="pf_scrub_fragm_crop">False</Option>
<Option name="pf_scrub_fragm_drop_ovl">False</Option>
<Option name="pf_scrub_maxmss">1460</Option>
<Option name="pf_scrub_minttl">1</Option>
<Option name="pf_scrub_no_df">False</Option>
<Option name="pf_scrub_random_id">False</Option>
<Option name="pf_scrub_reassemble">True</Option>
<Option name="pf_scrub_use_maxmss">False</Option>
<Option name="pf_scrub_use_minttl">False</Option>
<Option name="pf_set_adaptive">False</Option>
<Option name="pf_set_icmp_error">False</Option>
<Option name="pf_set_icmp_first">False</Option>
<Option name="pf_set_other_first">False</Option>
<Option name="pf_set_other_multiple">False</Option>
<Option name="pf_set_other_single">False</Option>
<Option name="pf_set_tcp_closed">False</Option>
<Option name="pf_set_tcp_closing">False</Option>
<Option name="pf_set_tcp_established">False</Option>
<Option name="pf_set_tcp_finwait">False</Option>
<Option name="pf_set_tcp_first">False</Option>
<Option name="pf_set_tcp_opening">False</Option>
<Option name="pf_set_udp_first">False</Option>
<Option name="pf_set_udp_multiple">False</Option>
<Option name="pf_set_udp_single">False</Option>
<Option name="pf_tcp_closed">0</Option>
<Option name="pf_tcp_closing">0</Option>
<Option name="pf_tcp_established">0</Option>
<Option name="pf_tcp_finwait">0</Option>
<Option name="pf_tcp_first">0</Option>
<Option name="pf_tcp_opening">0</Option>
<Option name="pf_timeout_frag">30</Option>
<Option name="pf_timeout_interval">10</Option>
<Option name="pf_udp_first">0</Option>
<Option name="pf_udp_multiple">0</Option>
<Option name="pf_udp_single">0</Option>
<Option name="platform">iptables</Option>
<Option name="prolog_place">fw_file</Option>
<Option name="prolog_script"/>
<Option name="script_env_path"/>
<Option name="snmp_contact"/>
<Option name="snmp_description"/>
<Option name="snmp_location"/>
<Option name="sshArgs"/>
<Option name="use_ip_tool">False</Option>
<Option name="use_numeric_log_levels">False</Option>
<Option name="use_tables">True</Option>
</FirewallOptions>
</Firewall>
<Firewall comment="firewall protects host it is running on&#10;&#10;Note that we set output file name to /tmp/labfw.fw to test what compiler is going to do (since it generates three files rather than one), as well as to test installer in this case&#10;" host_OS="openbsd" id="id47B07CD419082" inactive="False" lastCompiled="1202686003" lastInstalled="1202686020" lastModified="1202685992" name="openbsd-4.2" platform="pf" ro="False" version="4.x">
<NAT id="id47B07D4319082" name="NAT"/>
<Policy id="id47B07CDA19082" name="Policy">
<PolicyRule action="Accept" direction="Both" disabled="True" id="id47B07CDB19082" log="False" position="0">
<Src neg="False">
<ObjectRef ref="id4144D5A0"/>
</Src>
<Dst neg="False">
<ObjectRef ref="id47B07CD419082"/>
</Dst>
<Srv neg="False">
<ServiceRef ref="tcp-SSH"/>
</Srv>
<Itf neg="False">
<ObjectRef ref="sysid0"/>
</Itf>
<When neg="False">
<IntervalRef ref="sysid2"/>
</When>
<PolicyRuleOptions>
<Option name="stateless">False</Option>
</PolicyRuleOptions>
</PolicyRule>
<PolicyRule action="Deny" direction="Outbound" disabled="False" id="id47B07CE719082" log="True" position="1">
<Src neg="True">
<ObjectRef ref="id47B07CD419082"/>
</Src>
<Dst neg="False">
<ObjectRef ref="sysid0"/>
</Dst>
<Srv neg="False">
<ServiceRef ref="sysid1"/>
</Srv>
<Itf neg="False">
<ObjectRef ref="id47B07D4519082"/>
</Itf>
<When neg="False">
<IntervalRef ref="sysid2"/>
</When>
<PolicyRuleOptions>
<Option name="stateless">True</Option>
</PolicyRuleOptions>
</PolicyRule>
<PolicyRule action="Accept" direction="Both" disabled="False" id="id47B07CF319082" log="False" position="2">
<Src neg="False">
<ObjectRef ref="sysid0"/>
</Src>
<Dst neg="False">
<ObjectRef ref="sysid0"/>
</Dst>
<Srv neg="False">
<ServiceRef ref="sysid1"/>
</Srv>
<Itf neg="False">
<ObjectRef ref="id47B07D4819082"/>
</Itf>
<When neg="False">
<IntervalRef ref="sysid2"/>
</When>
<PolicyRuleOptions/>
</PolicyRule>
<PolicyRule action="Branch" direction="Inbound" disabled="False" id="id47B07CFF19082" log="False" position="3">
<Src neg="False">
<ObjectRef ref="sysid0"/>
</Src>
<Dst neg="False">
<ObjectRef ref="id47B07CD419082"/>
</Dst>
<Srv neg="False">
<ServiceRef ref="sysid1"/>
</Srv>
<Itf neg="False">
<ObjectRef ref="id47B07D4519082"/>
</Itf>
<When neg="False">
<IntervalRef ref="sysid2"/>
</When>
<PolicyRuleOptions>
<Option name="branch_name">rule3_branch</Option>
<Option name="color">#C0BA44</Option>
<Option name="stateless">True</Option>
</PolicyRuleOptions>
</PolicyRule>
<PolicyRule action="Accept" comment="allow all outgoing connections" direction="Both" disabled="False" id="id47B07D2B19082" log="False" position="4">
<Src neg="False">
<ObjectRef ref="id47B07CD419082"/>
</Src>
<Dst neg="False">
<ObjectRef ref="sysid0"/>
</Dst>
<Srv neg="False">
<ServiceRef ref="sysid1"/>
</Srv>
<Itf neg="False">
<ObjectRef ref="sysid0"/>
</Itf>
<When neg="False">
<IntervalRef ref="sysid2"/>
</When>
<PolicyRuleOptions/>
</PolicyRule>
<PolicyRule action="Deny" comment="'catch all' rule" direction="Both" disabled="False" id="id47B07D3719082" log="True" position="5">
<Src neg="False">
<ObjectRef ref="sysid0"/>
</Src>
<Dst neg="False">
<ObjectRef ref="sysid0"/>
</Dst>
<Srv neg="False">
<ServiceRef ref="sysid1"/>
</Srv>
<Itf neg="False">
<ObjectRef ref="sysid0"/>
</Itf>
<When neg="False">
<IntervalRef ref="sysid2"/>
</When>
<PolicyRuleOptions>
<Option name="stateless">True</Option>
</PolicyRuleOptions>
</PolicyRule>
</Policy>
<Policy id="id47B07D0B19082" name="rule3_branch">
<PolicyRule action="Deny" comment="block fragments" direction="Both" disabled="False" id="id47B07D0C19082" log="True" position="0">
<Src neg="False">
<ObjectRef ref="sysid0"/>
</Src>
<Dst neg="False">
<ObjectRef ref="id47B07CD419082"/>
</Dst>
<Srv neg="False">
<ServiceRef ref="ip-IP_Fragments"/>
</Srv>
<Itf neg="False">
<ObjectRef ref="sysid0"/>
</Itf>
<When neg="False">
<IntervalRef ref="sysid2"/>
</When>
<PolicyRuleOptions>
<Option name="stateless">True</Option>
</PolicyRuleOptions>
</PolicyRule>
<PolicyRule action="Accept" comment="" direction="Both" disabled="False" id="id47B07D1819082" log="False" position="1">
<Src neg="True">
<ObjectRef ref="id4144D59F"/>
<ObjectRef ref="id4144D5A0"/>
</Src>
<Dst neg="False">
<ObjectRef ref="id47B07CD419082"/>
</Dst>
<Srv neg="False">
<ServiceRef ref="tcp-SMTP"/>
<ServiceRef ref="tcp-HTTP"/>
<ServiceRef ref="tcp-SSH"/>
<ServiceRef ref="tcp-FTP"/>
<ServiceRef ref="tcp-Telnet"/>
<ServiceRef ref="icmp-Unreachables"/>
<ServiceRef ref="icmp-ping_request"/>
</Srv>
<Itf neg="False">
<ObjectRef ref="sysid0"/>
</Itf>
<When neg="False">
<IntervalRef ref="sysid2"/>
</When>
<PolicyRuleOptions/>
</PolicyRule>
</Policy>
<Routing id="id47B07D4419082" name="Routing"/>
<Interface bridgeport="False" comment="" dyn="False" id="id47B07D4519082" label="" mgmt="True" name="pcn0" security_level="0" unnum="False" unprotected="False">
<IPv4 comment="" id="id47B07D4719082" name="openbsd-4.2:pcn0:ip" address="10.3.14.50" netmask="255.255.255.0"/>
</Interface>
<Interface bridgeport="False" dyn="False" id="id47B07D4819082" name="lo" security_level="100" unnum="False" unprotected="False">
<IPv4 id="id47B07D4A19082" name="openbsd-4.2:lo:ip" address="127.0.0.1" netmask="255.0.0.0"/>
</Interface>
<Management address="10.3.14.50">
<SNMPManagement enabled="False" snmp_read_community="public" snmp_write_community=""/>
<FWBDManagement enabled="True" identity="" port="9999"/>
<PolicyInstallScript arguments="" command="" enabled="False"/>
</Management>
<FirewallOptions>
<Option name="accept_established">True</Option>
<Option name="accept_new_tcp_with_no_syn">True</Option>
<Option name="action_on_reject">ICMP host prohibited</Option>
<Option name="activationCmd"/>
<Option name="admUser">root</Option>
<Option name="altAddress"/>
<Option name="check_shading">True</Option>
<Option name="clamp_mss_to_mtu">False</Option>
<Option name="cmdline"/>
<Option name="compiler"/>
<Option name="configure_interfaces">False</Option>
<Option name="debug">True</Option>
<Option name="dyn_addr">False</Option>
<Option name="epilog_script"/>
<Option name="fallback_log">False</Option>
<Option name="firewall_dir">/etc/fw</Option>
<Option name="firewall_is_part_of_any">True</Option>
<Option name="firewall_is_part_of_any_and_networks">True</Option>
<Option name="ignore_empty_groups">False</Option>
<Option name="in_out_code">True</Option>
<Option name="inst_cmdline"/>
<Option name="inst_script"/>
<Option name="install_script"/>
<Option name="limit_suffix">/day</Option>
<Option name="limit_value">0</Option>
<Option name="linux24_ip_forward">0</Option>
<Option name="linux24_tcp_fin_timeout">30</Option>
<Option name="linux24_tcp_keepalive_interval">1800</Option>
<Option name="load_modules">False</Option>
<Option name="log_all_dropped">False</Option>
<Option name="log_ip_opt">False</Option>
<Option name="log_level">debug</Option>
<Option name="log_limit_suffix"/>
<Option name="log_limit_value">0</Option>
<Option name="log_prefix"/>
<Option name="log_tcp_opt">False</Option>
<Option name="log_tcp_seq">False</Option>
<Option name="manage_virtual_addr">False</Option>
<Option name="mgmt_addr">10.3.14.42</Option>
<Option name="mgmt_ssh">True</Option>
<Option name="modulate_state">False</Option>
<Option name="no_iochains_for_any">False</Option>
<Option name="no_optimisation">False</Option>
<Option name="openbsd_ip_directed_broadcast"/>
<Option name="openbsd_ip_forward">1</Option>
<Option name="openbsd_ip_redirect"/>
<Option name="openbsd_ip_sourceroute"/>
<Option name="openbsd_path_pfctl"/>
<Option name="openbsd_path_sysctl"/>
<Option name="output_file"/>
<Option name="pass_all_out">False</Option>
<Option name="pf_adaptive_end">0</Option>
<Option name="pf_adaptive_start">0</Option>
<Option name="pf_do_limit_frags">False</Option>
<Option name="pf_do_limit_src_nodes">False</Option>
<Option name="pf_do_limit_states">False</Option>
<Option name="pf_do_limit_table_entries">False</Option>
<Option name="pf_do_limit_tables">False</Option>
<Option name="pf_do_scrub">True</Option>
<Option name="pf_do_timeout_frag">False</Option>
<Option name="pf_do_timeout_interval">False</Option>
<Option name="pf_icmp_error">0</Option>
<Option name="pf_icmp_first">0</Option>
<Option name="pf_limit_frags">5000</Option>
<Option name="pf_limit_src_nodes">0</Option>
<Option name="pf_limit_states">10000</Option>
<Option name="pf_limit_table_entries">0</Option>
<Option name="pf_limit_tables">0</Option>
<Option name="pf_optimization"/>
<Option name="pf_other_first">0</Option>
<Option name="pf_other_multiple">0</Option>
<Option name="pf_other_single">0</Option>
<Option name="pf_scrub_fragm_crop">False</Option>
<Option name="pf_scrub_fragm_drop_ovl">False</Option>
<Option name="pf_scrub_maxmss">1460</Option>
<Option name="pf_scrub_minttl">1</Option>
<Option name="pf_scrub_no_df">False</Option>
<Option name="pf_scrub_random_id">False</Option>
<Option name="pf_scrub_reassemble">True</Option>
<Option name="pf_scrub_use_maxmss">False</Option>
<Option name="pf_scrub_use_minttl">False</Option>
<Option name="pf_set_adaptive">False</Option>
<Option name="pf_set_icmp_error">False</Option>
<Option name="pf_set_icmp_first">False</Option>
<Option name="pf_set_other_first">False</Option>
<Option name="pf_set_other_multiple">False</Option>
<Option name="pf_set_other_single">False</Option>
<Option name="pf_set_tcp_closed">False</Option>
<Option name="pf_set_tcp_closing">False</Option>
<Option name="pf_set_tcp_established">False</Option>
<Option name="pf_set_tcp_finwait">False</Option>
<Option name="pf_set_tcp_first">False</Option>
<Option name="pf_set_tcp_opening">False</Option>
<Option name="pf_set_udp_first">False</Option>
<Option name="pf_set_udp_multiple">False</Option>
<Option name="pf_set_udp_single">False</Option>
<Option name="pf_tcp_closed">0</Option>
<Option name="pf_tcp_closing">0</Option>
<Option name="pf_tcp_established">0</Option>
<Option name="pf_tcp_finwait">0</Option>
<Option name="pf_tcp_first">0</Option>
<Option name="pf_tcp_opening">0</Option>
<Option name="pf_timeout_frag">30</Option>
<Option name="pf_timeout_interval">10</Option>
<Option name="pf_udp_first">0</Option>
<Option name="pf_udp_multiple">0</Option>
<Option name="pf_udp_single">0</Option>
<Option name="platform">iptables</Option>
<Option name="prolog_place">fw_file</Option>
<Option name="prolog_script"/>
<Option name="script_env_path"/>
<Option name="snmp_contact"/>
<Option name="snmp_description"/>
<Option name="snmp_location"/>
<Option name="sshArgs"/>
<Option name="use_ip_tool">False</Option>
<Option name="use_numeric_log_levels">False</Option>
<Option name="use_tables">True</Option>
</FirewallOptions>
</Firewall>
</ObjectGroup>
<IntervalGroup id="id415276D7" name="Time"/>
</Library>
<Library color="#FFFFFF" comment="" id="id4387B43718346" name="transfer" ro="False">
<ObjectGroup id="id4387B43818346" name="Objects">
<ObjectGroup id="id4387B43918346" name="Addresses"/>
<ObjectGroup id="id4387B43A18346" name="DNS Names"/>
<ObjectGroup id="id4387B43B18346" name="Address Tables"/>
<ObjectGroup id="id4387B43C18346" name="Groups"/>
<ObjectGroup id="id4387B43D18346" name="Hosts"/>
<ObjectGroup id="id4387B43E18346" name="Networks"/>
<ObjectGroup id="id4387B43F18346" name="Address Ranges"/>
</ObjectGroup>
<ServiceGroup id="id4387B44018346" name="Services">
<ServiceGroup id="id4387B44018346_og_tag_1" name="TagServices">
</ServiceGroup>
<ServiceGroup id="id4387B44118346" name="Groups"/>
<ServiceGroup id="id4387B44218346" name="ICMP"/>
<ServiceGroup id="id4387B44318346" name="IP"/>
<ServiceGroup id="id4387B44418346" name="TCP"/>
<ServiceGroup id="id4387B44518346" name="UDP"/>
<ServiceGroup id="id4387B44618346" name="Custom"/>
<ServiceGroup id="id4387B44018346_userservices" name="Users"/>
</ServiceGroup>
<ObjectGroup id="id4387B44718346" name="Firewalls"/>
<IntervalGroup id="id4387B44818346" name="Time"/>
</Library>
<Library color="#d4f8ff" comment="Standard objects" id="syslib000" name="Standard" ro="True">
<ServiceGroup id="stdid05" name="Services">
<ServiceGroup id="stdid06" name="IP">
<IPService comment="IPSEC Encapsulating Security Payload Protocol" fragm="False" id="ip-IPSEC" lsrr="False" name="ESP" protocol_num="50" rr="False" short_fragm="False" ssrr="False" ts="False"/>
<IPService comment="'Short' fragments" fragm="False" id="ip-IP_Fragments" lsrr="False" name="ip_fragments" protocol_num="0" rr="False" short_fragm="True" ssrr="False" ts="False"/>
<IPService comment="Route recording packets" fragm="False" id="ip-RR" lsrr="False" name="RR" protocol_num="0" rr="True" short_fragm="False" ssrr="False" ts="False"/>
<IPService comment="All sorts of Source Routing Packets" fragm="False" id="ip-SRR" lsrr="True" name="SRR" protocol_num="0" rr="False" short_fragm="False" ssrr="True" ts="False"/>
<IPService comment="Generic Routing Encapsulation&#10;" fragm="False" id="id3D703C8F" lsrr="False" name="GRE" protocol_num="47" rr="False" short_fragm="False" ssrr="False" ts="False"/>
<IPService comment="IPSEC Authentication Header Protocol" fragm="False" id="id3CB12797" lsrr="False" name="AH" protocol_num="51" rr="False" short_fragm="False" ssrr="False" ts="False"/>
</ServiceGroup>
<ServiceGroup id="stdid09" name="TCP">
<TCPService ack_flag="False" ack_flag_mask="False" comment="" dst_range_end="113" dst_range_start="113" fin_flag="False" fin_flag_mask="False" id="tcp-Auth" name="auth" psh_flag="False" psh_flag_mask="False" rst_flag="False" rst_flag_mask="False" src_range_end="0" src_range_start="0" syn_flag="False" syn_flag_mask="False" urg_flag="False" urg_flag_mask="False"/>
<TCPService ack_flag="False" ack_flag_mask="False" comment="" dst_range_end="53" dst_range_start="53" fin_flag="False" fin_flag_mask="False" id="tcp-DNS_zone_transf" name="dns-tcp" psh_flag="False" psh_flag_mask="False" rst_flag="False" rst_flag_mask="False" src_range_end="0" src_range_start="0" syn_flag="False" syn_flag_mask="False" urg_flag="False" urg_flag_mask="False"/>
<TCPService ack_flag="False" ack_flag_mask="False" comment="" dst_range_end="21" dst_range_start="21" fin_flag="False" fin_flag_mask="False" id="tcp-FTP" name="ftp" psh_flag="False" psh_flag_mask="False" rst_flag="False" rst_flag_mask="False" src_range_end="0" src_range_start="0" syn_flag="False" syn_flag_mask="False" urg_flag="False" urg_flag_mask="False"/>
<TCPService ack_flag="False" ack_flag_mask="False" comment="" dst_range_end="80" dst_range_start="80" fin_flag="False" fin_flag_mask="False" id="tcp-HTTP" name="http" psh_flag="False" psh_flag_mask="False" rst_flag="False" rst_flag_mask="False" src_range_end="0" src_range_start="0" syn_flag="False" syn_flag_mask="False" urg_flag="False" urg_flag_mask="False"/>
<TCPService ack_flag="False" ack_flag_mask="False" comment="" dst_range_end="119" dst_range_start="119" fin_flag="False" fin_flag_mask="False" id="tcp-NNTP" name="nntp" psh_flag="False" psh_flag_mask="False" rst_flag="False" rst_flag_mask="False" src_range_end="0" src_range_start="0" syn_flag="False" syn_flag_mask="False" urg_flag="False" urg_flag_mask="False"/>
<TCPService ack_flag="False" ack_flag_mask="False" comment="" dst_range_end="25" dst_range_start="25" fin_flag="False" fin_flag_mask="False" id="tcp-SMTP" name="smtp" psh_flag="False" psh_flag_mask="False" rst_flag="False" rst_flag_mask="False" src_range_end="0" src_range_start="0" syn_flag="False" syn_flag_mask="False" urg_flag="False" urg_flag_mask="False"/>
<TCPService ack_flag="False" ack_flag_mask="False" comment="" dst_range_end="22" dst_range_start="22" fin_flag="False" fin_flag_mask="False" id="tcp-SSH" name="ssh" psh_flag="False" psh_flag_mask="False" rst_flag="False" rst_flag_mask="False" src_range_end="0" src_range_start="0" syn_flag="False" syn_flag_mask="False" urg_flag="False" urg_flag_mask="False"/>
<TCPService ack_flag="False" ack_flag_mask="False" comment="" dst_range_end="23" dst_range_start="23" fin_flag="False" fin_flag_mask="False" id="tcp-Telnet" name="telnet" psh_flag="False" psh_flag_mask="False" rst_flag="False" rst_flag_mask="False" src_range_end="0" src_range_start="0" syn_flag="False" syn_flag_mask="False" urg_flag="False" urg_flag_mask="False"/>
<TCPService ack_flag="False" ack_flag_mask="False" comment="" dst_range_end="540" dst_range_start="540" fin_flag="False" fin_flag_mask="False" id="tcp-uucp" name="uucp" psh_flag="False" psh_flag_mask="False" rst_flag="False" rst_flag_mask="False" src_range_end="0" src_range_start="0" syn_flag="False" syn_flag_mask="False" urg_flag="False" urg_flag_mask="False"/>
<TCPService ack_flag="False" ack_flag_mask="False" comment="" dst_range_end="13" dst_range_start="13" fin_flag="False" fin_flag_mask="False" id="id3AEDBE6E" name="daytime" psh_flag="False" psh_flag_mask="False" rst_flag="False" rst_flag_mask="False" src_range_end="0" src_range_start="0" syn_flag="False" syn_flag_mask="False" urg_flag="False" urg_flag_mask="False"/>
<TCPService ack_flag="False" ack_flag_mask="False" comment="" dst_range_end="2105" dst_range_start="2105" fin_flag="False" fin_flag_mask="False" id="id3B4FEDA3" name="eklogin" psh_flag="False" psh_flag_mask="False" rst_flag="False" rst_flag_mask="False" src_range_end="0" src_range_start="0" syn_flag="False" syn_flag_mask="False" urg_flag="False" urg_flag_mask="False"/>
<TCPService ack_flag="False" ack_flag_mask="False" comment="" dst_range_end="443" dst_range_start="443" fin_flag="False" fin_flag_mask="False" id="id3B4FED69" name="https" psh_flag="False" psh_flag_mask="False" rst_flag="False" rst_flag_mask="False" src_range_end="0" src_range_start="0" syn_flag="False" syn_flag_mask="False" urg_flag="False" urg_flag_mask="False"/>
<TCPService ack_flag="False" ack_flag_mask="False" comment="" dst_range_end="143" dst_range_start="143" fin_flag="False" fin_flag_mask="False" id="id3AECF776" name="imap" psh_flag="False" psh_flag_mask="False" rst_flag="False" rst_flag_mask="False" src_range_end="0" src_range_start="0" syn_flag="False" syn_flag_mask="False" urg_flag="False" urg_flag_mask="False"/>
<TCPService ack_flag="False" ack_flag_mask="False" comment="" dst_range_end="993" dst_range_start="993" fin_flag="False" fin_flag_mask="False" id="id3B4FED9F" name="imaps" psh_flag="False" psh_flag_mask="False" rst_flag="False" rst_flag_mask="False" src_range_end="0" src_range_start="0" syn_flag="False" syn_flag_mask="False" urg_flag="False" urg_flag_mask="False"/>
<TCPService ack_flag="False" ack_flag_mask="False" comment="" dst_range_end="6667" dst_range_start="6667" fin_flag="False" fin_flag_mask="False" id="id3B4FF13C" name="irc" psh_flag="False" psh_flag_mask="False" rst_flag="False" rst_flag_mask="False" src_range_end="0" src_range_start="0" syn_flag="False" syn_flag_mask="False" urg_flag="False" urg_flag_mask="False"/>
<TCPService ack_flag="False" ack_flag_mask="False" comment="" dst_range_end="543" dst_range_start="543" fin_flag="False" fin_flag_mask="False" id="id3B4FEE21" name="klogin" psh_flag="False" psh_flag_mask="False" rst_flag="False" rst_flag_mask="False" src_range_end="0" src_range_start="0" syn_flag="False" syn_flag_mask="False" urg_flag="False" urg_flag_mask="False"/>
<TCPService ack_flag="False" ack_flag_mask="False" comment="" dst_range_end="544" dst_range_start="544" fin_flag="False" fin_flag_mask="False" id="id3B4FEE23" name="ksh" psh_flag="False" psh_flag_mask="False" rst_flag="False" rst_flag_mask="False" src_range_end="0" src_range_start="0" syn_flag="False" syn_flag_mask="False" urg_flag="False" urg_flag_mask="False"/>
<TCPService ack_flag="False" ack_flag_mask="False" comment="" dst_range_end="389" dst_range_start="389" fin_flag="False" fin_flag_mask="False" id="id3AECF778" name="ldap" psh_flag="False" psh_flag_mask="False" rst_flag="False" rst_flag_mask="False" src_range_end="0" src_range_start="0" syn_flag="False" syn_flag_mask="False" urg_flag="False" urg_flag_mask="False"/>
<TCPService ack_flag="False" ack_flag_mask="False" comment="" dst_range_end="98" dst_range_start="98" fin_flag="False" fin_flag_mask="False" id="id3B4FF000" name="linuxconf" psh_flag="False" psh_flag_mask="False" rst_flag="False" rst_flag_mask="False" src_range_end="0" src_range_start="0" syn_flag="False" syn_flag_mask="False" urg_flag="False" urg_flag_mask="False"/>
<TCPService ack_flag="False" ack_flag_mask="False" comment="" dst_range_end="3306" dst_range_start="3306" fin_flag="False" fin_flag_mask="False" id="id3B4FEEEE" name="mysql" psh_flag="False" psh_flag_mask="False" rst_flag="False" rst_flag_mask="False" src_range_end="0" src_range_start="0" syn_flag="False" syn_flag_mask="False" urg_flag="False" urg_flag_mask="False"/>
<TCPService ack_flag="False" ack_flag_mask="False" comment="" dst_range_end="2049" dst_range_start="2049" fin_flag="False" fin_flag_mask="False" id="id3B4FEE7A" name="nfs" psh_flag="False" psh_flag_mask="False" rst_flag="False" rst_flag_mask="False" src_range_end="0" src_range_start="0" syn_flag="False" syn_flag_mask="False" urg_flag="False" urg_flag_mask="False"/>
<TCPService ack_flag="False" ack_flag_mask="False" comment="" dst_range_end="110" dst_range_start="110" fin_flag="False" fin_flag_mask="False" id="id3B4FEE1D" name="pop3" psh_flag="False" psh_flag_mask="False" rst_flag="False" rst_flag_mask="False" src_range_end="0" src_range_start="0" syn_flag="False" syn_flag_mask="False" urg_flag="False" urg_flag_mask="False"/>
<TCPService ack_flag="False" ack_flag_mask="False" comment="" dst_range_end="5432" dst_range_start="5432" fin_flag="False" fin_flag_mask="False" id="id3B4FF0EA" name="postgres" psh_flag="False" psh_flag_mask="False" rst_flag="False" rst_flag_mask="False" src_range_end="0" src_range_start="0" syn_flag="False" syn_flag_mask="False" urg_flag="False" urg_flag_mask="False"/>
<TCPService ack_flag="False" ack_flag_mask="False" comment="" dst_range_end="515" dst_range_start="515" fin_flag="False" fin_flag_mask="False" id="id3AECF782" name="printer" psh_flag="False" psh_flag_mask="False" rst_flag="False" rst_flag_mask="False" src_range_end="0" src_range_start="0" syn_flag="False" syn_flag_mask="False" urg_flag="False" urg_flag_mask="False"/>
<TCPService ack_flag="False" ack_flag_mask="False" comment="" dst_range_end="26000" dst_range_start="26000" fin_flag="False" fin_flag_mask="False" id="id3B4FEF7C" name="quake" psh_flag="False" psh_flag_mask="False" rst_flag="False" rst_flag_mask="False" src_range_end="0" src_range_start="0" syn_flag="False" syn_flag_mask="False" urg_flag="False" urg_flag_mask="False"/>
<TCPService ack_flag="False" ack_flag_mask="False" comment="" dst_range_end="512" dst_range_start="512" fin_flag="False" fin_flag_mask="False" id="id3AECF77A" name="rexec" psh_flag="False" psh_flag_mask="False" rst_flag="False" rst_flag_mask="False" src_range_end="0" src_range_start="0" syn_flag="False" syn_flag_mask="False" urg_flag="False" urg_flag_mask="False"/>
<TCPService ack_flag="False" ack_flag_mask="False" comment="" dst_range_end="513" dst_range_start="513" fin_flag="False" fin_flag_mask="False" id="id3AECF77C" name="rlogin" psh_flag="False" psh_flag_mask="False" rst_flag="False" rst_flag_mask="False" src_range_end="0" src_range_start="0" syn_flag="False" syn_flag_mask="False" urg_flag="False" urg_flag_mask="False"/>
<TCPService ack_flag="False" ack_flag_mask="False" comment="" dst_range_end="514" dst_range_start="514" fin_flag="False" fin_flag_mask="False" id="id3AECF77E" name="rshell" psh_flag="False" psh_flag_mask="False" rst_flag="False" rst_flag_mask="False" src_range_end="0" src_range_start="0" syn_flag="False" syn_flag_mask="False" urg_flag="False" urg_flag_mask="False"/>
<TCPService ack_flag="False" ack_flag_mask="False" comment="" dst_range_end="4321" dst_range_start="4321" fin_flag="False" fin_flag_mask="False" id="id3B4FEF34" name="rwhois" psh_flag="False" psh_flag_mask="False" rst_flag="False" rst_flag_mask="False" src_range_end="0" src_range_start="0" syn_flag="False" syn_flag_mask="False" urg_flag="False" urg_flag_mask="False"/>
<TCPService ack_flag="False" ack_flag_mask="False" comment="" dst_range_end="465" dst_range_start="465" fin_flag="False" fin_flag_mask="False" id="id3B4FF04C" name="smtps" psh_flag="False" psh_flag_mask="False" rst_flag="False" rst_flag_mask="False" src_range_end="0" src_range_start="0" syn_flag="False" syn_flag_mask="False" urg_flag="False" urg_flag_mask="False"/>
<TCPService ack_flag="False" ack_flag_mask="False" comment="" dst_range_end="1080" dst_range_start="1080" fin_flag="False" fin_flag_mask="False" id="id3B4FEE76" name="socks" psh_flag="False" psh_flag_mask="False" rst_flag="False" rst_flag_mask="False" src_range_end="0" src_range_start="0" syn_flag="False" syn_flag_mask="False" urg_flag="False" urg_flag_mask="False"/>
<TCPService ack_flag="False" ack_flag_mask="False" comment="" dst_range_end="111" dst_range_start="111" fin_flag="False" fin_flag_mask="False" id="id3AEDBE00" name="sunrpc" psh_flag="False" psh_flag_mask="False" rst_flag="False" rst_flag_mask="False" src_range_end="0" src_range_start="0" syn_flag="False" syn_flag_mask="False" urg_flag="False" urg_flag_mask="False"/>
<TCPService ack_flag="False" ack_flag_mask="False" comment="" dst_range_end="7100" dst_range_start="7100" fin_flag="False" fin_flag_mask="False" id="id3B4FF1B8" name="xfs" psh_flag="False" psh_flag_mask="False" rst_flag="False" rst_flag_mask="False" src_range_end="0" src_range_start="0" syn_flag="False" syn_flag_mask="False" urg_flag="False" urg_flag_mask="False"/>
<TCPService ack_flag="False" ack_flag_mask="True" comment="" dst_range_end="0" dst_range_start="0" fin_flag="False" fin_flag_mask="True" id="tcp-TCP-SYN" name="tcp-syn" psh_flag="False" psh_flag_mask="True" rst_flag="False" rst_flag_mask="True" src_range_end="0" src_range_start="0" syn_flag="True" syn_flag_mask="True" urg_flag="False" urg_flag_mask="True"/>
<TCPService ack_flag="False" ack_flag_mask="False" comment="FTP data channel.&#10; Note: FTP protocol does not really require server to use source port 20 for the data channel, &#10; but many ftp server implementations do so." dst_range_end="65535" dst_range_start="1024" fin_flag="False" fin_flag_mask="False" id="tcp-FTP_data" name="ftp data" psh_flag="False" psh_flag_mask="False" rst_flag="False" rst_flag_mask="False" src_range_end="20" src_range_start="20" syn_flag="False" syn_flag_mask="False" urg_flag="False" urg_flag_mask="False"/>
<TCPService ack_flag="False" ack_flag_mask="False" comment="" dst_range_end="3128" dst_range_start="3128" fin_flag="False" fin_flag_mask="False" id="id3B4FF09A" name="squid" psh_flag="False" psh_flag_mask="False" rst_flag="False" rst_flag_mask="False" src_range_end="0" src_range_start="0" syn_flag="False" syn_flag_mask="False" urg_flag="False" urg_flag_mask="False"/>
<TCPService ack_flag="False" ack_flag_mask="False" comment="" dst_range_end="0" dst_range_start="0" fin_flag="False" fin_flag_mask="False" id="tcp-All_TCP" name="All TCP" psh_flag="False" psh_flag_mask="False" rst_flag="False" rst_flag_mask="False" src_range_end="0" src_range_start="0" syn_flag="False" syn_flag_mask="False" urg_flag="False" urg_flag_mask="False"/>
</ServiceGroup>
<ServiceGroup id="stdid08" name="UDP">
<UDPService comment="" dst_range_end="53" dst_range_start="53" id="udp-DNS" name="domain" src_range_end="0" src_range_start="0"/>
<UDPService comment="" dst_range_end="0" dst_range_start="0" id="udp-All_UDP" name="All UDP" src_range_end="0" src_range_start="0"/>
<UDPService comment="" dst_range_end="68" dst_range_start="68" id="udp-bootpc" name="bootpc" src_range_end="0" src_range_start="0"/>
</ServiceGroup>
<ServiceGroup id="stdid10" name="Groups">
<ServiceGroup comment="" id="sg-Useful_ICMP" name="Useful_ICMP">
<ServiceRef ref="icmp-Time_exceeded"/>
<ServiceRef ref="icmp-Time_exceeded_in_transit"/>
<ServiceRef ref="icmp-ping_reply"/>
<ServiceRef ref="icmp-Unreachables"/>
</ServiceGroup>
<ServiceGroup id="id3CB1279B" name="IPSEC">
<ServiceRef ref="id3CB12797"/>
<ServiceRef ref="ip-IPSEC"/>
</ServiceGroup>
</ServiceGroup>
<ServiceGroup id="stdid07" name="ICMP">
<ICMPService code="0" comment="" id="icmp-ping_request" name="ping request" type="8"/>
<ICMPService code="-1" comment="" id="icmp-Unreachables" name="all ICMP unreachables" type="3"/>
<ICMPService code="-1" comment="" id="id3C20EEB5" name="any ICMP" type="-1"/>
<ICMPService code="0" comment="ICMP messages of this type are needed for traceroute" id="icmp-Time_exceeded" name="time exceeded" type="11"/>
<ICMPService code="1" comment="" id="icmp-Time_exceeded_in_transit" name="time exceeded in transit" type="11"/>
<ICMPService code="0" comment="" id="icmp-ping_reply" name="ping reply" type="0"/>
</ServiceGroup>
</ServiceGroup>
<AnyNetwork comment="Any Network" id="sysid0" name="Any" address="0.0.0.0" netmask="0.0.0.0"/>
<AnyInterval comment="Any Interval" days_of_week="0,1,2,3,4,5,6" from_day="-1" from_hour="-1" from_minute="-1" from_month="-1" from_weekday="-1" from_year="-1" id="sysid2" name="Any" to_day="-1" to_hour="-1" to_minute="-1" to_month="-1" to_weekday="-1" to_year="-1"/>
<AnyIPService comment="Any IP Service" id="sysid1" name="Any" protocol_num="0"/>
<IntervalGroup id="stdid11" name="Time">
<Interval comment="any day 6:00pm - 12:00am" days_of_week="0,1,2,3,4,5,6" from_day="-1" from_hour="18" from_minute="0" from_month="-1" from_weekday="-1" from_year="-1" id="int-afterhours" name="afterhours" to_day="-1" to_hour="23" to_minute="59" to_month="-1" to_weekday="-1" to_year="-1"/>
<Interval comment="" days_of_week="6" from_day="-1" from_hour="0" from_minute="0" from_month="-1" from_weekday="6" from_year="-1" id="id3C63479C" name="Sat" to_day="-1" to_hour="23" to_minute="59" to_month="-1" to_weekday="6" to_year="-1"/>
<Interval comment="" days_of_week="0" from_day="-1" from_hour="0" from_minute="0" from_month="-1" from_weekday="0" from_year="-1" id="id3C63479E" name="Sun" to_day="-1" to_hour="23" to_minute="59" to_month="-1" to_weekday="0" to_year="-1"/>
</IntervalGroup>
<ObjectGroup id="stdid01" name="Objects">
<ObjectGroup id="stdid03" name="Networks">
<Network comment="192.168.1.0/24 - Address often used for home and small office networks.&#10;" id="id3DC75CE7-1" name="net-192.168.1.0" address="192.168.1.0" netmask="255.255.255.0"/>
</ObjectGroup>
</ObjectGroup>
</Library>
</FWObjectDatabase>
Reference in New Issue View Git Blame Copy Permalink