onkelbeh/fwbuilder
1
0
Fork 0
mirror of https://github.com/fwbuilder/fwbuilder synced 2026-03-21 02:37:16 +01:00
Code Issues Releases Wiki Activity
fwbuilder/test/ipfw/objects-for-regression-tests.fwb
Vadim Kurland 41d6790592 compiler for ipfw works with getAddressPtr
2008-05-19 23:06:34 +00:00

4999 lines
234 KiB
XML
Raw Blame History

<?xml version="1.0" encoding="utf-8"?>
<!DOCTYPE FWObjectDatabase SYSTEM "fwbuilder.dtd">
<FWObjectDatabase xmlns="http://www.fwbuilder.org/1.0/" version="6" id="root">
<Library color="#FFFFFF" comment="" id="id40D07E7A" name="LAX" ro="False">
<ObjectGroup id="id40D07E7B" name="Objects">
<ObjectGroup id="id40D07E7B_og_ats_1" name="Address Tables"/>
<ObjectGroup id="id40D07E7B_og_dnsn_1" name="DNS Names"/>
<ObjectGroup id="id40D07E7C" name="Addresses">
<IPv4 address="10.1.10.10" comment="" id="id40E238E6" name="laxftp1" netmask="255.255.255.255"/>
<IPv4 address="10.1.10.11" comment="" id="id40E238E7" name="laxweb1" netmask="255.255.255.255"/>
</ObjectGroup>
<ObjectGroup id="id40D07E7D" name="Groups">
<ObjectGroup comment="" id="id40E23565" name="LAX Servers"/>
</ObjectGroup>
<ObjectGroup id="id40D07E7E" name="Hosts"/>
<ObjectGroup id="id40D07E7F" name="Networks"/>
<ObjectGroup id="id40D07E80" name="Address Ranges"/>
</ObjectGroup>
<ServiceGroup id="id40D07E81" name="Services">
<ServiceGroup id="id40D07E81_og_tag_1" name="TagServices"/><ServiceGroup id="id40D07E82" name="Groups"/><ServiceGroup id="id40D07E83" name="ICMP"/><ServiceGroup id="id40D07E84" name="IP"/><ServiceGroup id="id40D07E85" name="TCP"/><ServiceGroup id="id40D07E86" name="UDP"/><ServiceGroup id="id40D07E87" name="Custom"/>
<ServiceGroup id="id40D07E81_userservices" name="User"/>
</ServiceGroup>
<ObjectGroup id="id40D07E88" name="Firewalls"/>
<IntervalGroup id="id40D07E89" name="Time"/>
</Library>
<Library color="#d2ffd0" comment="User defined objects" id="syslib001" name="User">
<ObjectGroup id="stdid01_1" name="Objects">
<ObjectGroup id="stdid01_1_og_ats_1" name="Address Tables"/>
<ObjectGroup id="stdid01_1_og_dnsn_1" name="DNS Names">
<DNSName comment="an example of a local host" dnsrec="buildmaster" id="id43869E8E18346" name="buildmaster (ct)" run_time="False"/>
<DNSName comment="an example of a local host" dnsrec="buildmaster" id="id43869E8F18346" name="buildmaster (rt)" run_time="True"/>
<DNSName comment="" dnsrec="www.cnn.com" id="id43869E8C18346" name="cnn (ct)" run_time="False"/>
<DNSName comment="" dnsrec="www.cnn.com" id="id43869E8D18346" name="cnn (rt)" run_time="True"/>
<DNSName comment="" dnsrec="www.google.com" id="id4387287918346" name="google (ct)" run_time="False"/>
<DNSName comment="" dnsrec="www.google.com" id="id4387287A18346" name="google (rt)" run_time="True"/>
</ObjectGroup>
<ObjectGroup id="stdid16_1" name="Addresses"/>
<ObjectGroup id="stdid04_1" name="Groups">
<ObjectGroup id="id3B4572AF" name="group1">
<ObjectRef ref="host-hostA"/>
<ObjectRef ref="host-hostB"/>
</ObjectGroup>
<ObjectGroup id="id3B4572B5" name="platform">
<ObjectRef ref="id3AFC0F70"/>
<ObjectRef ref="id3AFC191C"/>
</ObjectGroup>
<ObjectGroup id="id3BBC0EFC" name="netgroup1">
<ObjectRef ref="net-Internal_net"/>
<ObjectRef ref="id3B022266"/>
</ObjectGroup>
<ObjectGroup id="id3CD87A9A" name="group-range-1">
<ObjectRef ref="id3CD87A53"/>
<ObjectRef ref="id3CD87A5E"/>
<ObjectRef ref="id3CD87A6D"/>
<ObjectRef ref="id3CD87A7C"/>
<ObjectRef ref="id3CD87A8B"/>
</ObjectGroup>
<ObjectGroup id="id3D8FF5EC" name="group2">
<ObjectRef ref="host-hostA"/>
</ObjectGroup>
<ObjectGroup id="id3DEA7FEE" name="lb group">
<ObjectRef ref="host-hostA"/>
<ObjectRef ref="host-hostB"/>
<ObjectRef ref="id3D58227A"/>
</ObjectGroup>
</ObjectGroup>
<ObjectGroup id="stdid02_1" name="Hosts">
<Host comment="broadcast on internal subnet" id="id3B64FFAC" name="broadcast">
<Interface bridgeport="False" dyn="False" id="id3B64FFAC-i" name="unknown" security_level="100" unnum="False">
<IPv4 address="192.168.1.255" id="id3B64FFAC-i-ipv4" name="address" netmask="255.255.255.255"/>
</Interface>
<HostOptions>
<Option name="use_mac_addr_filter">false</Option>
</HostOptions>
</Host>
<Host comment="" id="id3D265845" name="fw2-dmz-iface">
<Interface bridgeport="False" dyn="False" id="id3D265845-i" name="interface-1" security_level="0" unnum="False">
<IPv4 address="192.168.2.1" id="id3D265845-i-1-addr" name="address" netmask="255.255.255.255"/>
</Interface>
<Management address="192.168.2.1">
<SNMPManagement enabled="False" snmp_read_community="" snmp_write_community=""/>
<FWBDManagement enabled="False" identity="" port="-1"/>
<PolicyInstallScript arguments="" command="" enabled="False"/>
</Management>
<HostOptions>
<Option name="snmp_contact"/>
<Option name="snmp_description"/>
<Option name="snmp_location"/>
<Option name="use_mac_addr">false</Option>
<Option name="use_mac_addr_filter">False</Option>
</HostOptions>
</Host>
<Host comment="the same address as internal iface of firewall1" id="id3AFC191C" name="fw2-int-iface">
<Interface bridgeport="False" dyn="False" id="id3AFC191C-i" name="unknown" security_level="100" unnum="False">
<IPv4 address="192.168.1.1" id="id3AFC191C-i-ipv4" name="address" netmask="255.255.255.255"/>
</Interface>
<Management address="192.168.1.1">
<SNMPManagement enabled="False" snmp_read_community="" snmp_write_community=""/>
<FWBDManagement enabled="False" identity="" port="-1"/>
<PolicyInstallScript arguments="" command="" enabled="False"/>
</Management>
<HostOptions>
<Option name="snmp_contact"/>
<Option name="snmp_description"/>
<Option name="snmp_location"/>
<Option name="use_mac_addr_filter">False</Option>
</HostOptions>
</Host>
<Host comment="host on the DMZ net" id="id3D265477" name="host-dmz1">
<Interface bridgeport="False" dyn="False" id="id3D265477-i" name="interface-1" security_level="0" unnum="False">
<IPv4 address="192.168.2.10" id="id3D265477-i-1-addr" name="address" netmask="255.255.255.255"/>
</Interface>
<Management address="192.168.2.10">
<SNMPManagement enabled="False" snmp_read_community="" snmp_write_community=""/>
<FWBDManagement enabled="False" identity="" port="-1"/>
<PolicyInstallScript arguments="" command="" enabled="False"/>
</Management>
<HostOptions>
<Option name="snmp_contact"/>
<Option name="snmp_description"/>
<Option name="snmp_location"/>
<Option name="use_mac_addr">false</Option>
<Option name="use_mac_addr_filter">False</Option>
</HostOptions>
</Host>
<Host comment="" id="id3D26547B" name="host-dmz1-NAT">
<Interface bridgeport="False" dyn="False" id="id3D26547B-i" name="interface-1" security_level="0" unnum="False">
<IPv4 address="22.22.22.24" id="id3D26547B-i-1-addr" name="address" netmask="255.255.255.255"/>
</Interface>
<Management address="22.22.22.24">
<SNMPManagement enabled="False" snmp_read_community="" snmp_write_community=""/>
<FWBDManagement enabled="False" identity="" port="-1"/>
<PolicyInstallScript arguments="" command="" enabled="False"/>
</Management>
<HostOptions>
<Option name="snmp_contact"/>
<Option name="snmp_description"/>
<Option name="snmp_location"/>
<Option name="use_mac_addr">false</Option>
<Option name="use_mac_addr_filter">False</Option>
</HostOptions>
</Host>
<Host id="id3DEA665F" name="host-ext1">
<Interface bridgeport="False" dyn="False" id="id3DEA6663" name="interface1" security_level="0" unnum="False">
<IPv4 address="22.22.22.24" id="id3DEA6664" name="host-ext1" netmask="255.255.255.255"/>
</Interface>
<Management address="0.0.0.0">
<SNMPManagement enabled="False" snmp_read_community="" snmp_write_community=""/>
<FWBDManagement enabled="False" identity="" port="-1"/>
<PolicyInstallScript arguments="" command="" enabled="False"/>
</Management>
<HostOptions>
<Option name="use_mac_addr">false</Option>
</HostOptions>
</Host>
<Host comment="this host has the same IP address as firewall1 and firewall2" id="id3AFC0F70" name="host-fw2">
<Interface bridgeport="False" dyn="False" id="id3AFC0F70-i" name="unknown" security_level="100" unnum="False">
<IPv4 address="22.22.22.22" id="id3AFC0F70-i-ipv4" name="address" netmask="255.255.255.255"/>
</Interface>
<HostOptions>
<Option name="use_mac_addr_filter">false</Option>
</HostOptions>
</Host>
<Host comment="" id="id3BF1B3E1" name="host-with_mac">
<Interface bridgeport="False" dyn="False" id="id3BF1B3E2" label="" name="unknown" security_level="100" unnum="False">
<IPv4 address="192.168.1.10" id="id3BF1B3E2-ipv4" name="address" netmask="255.255.255.0"/>
<physAddress address="00:10:4b:de:e9:6f" id="id3BF1B3E2-pa" name="unknown-pa"/>
</Interface>
<Management address="192.168.1.10">
<SNMPManagement enabled="False" snmp_read_community="" snmp_write_community=""/>
<FWBDManagement enabled="False" identity="" port="-1"/>
<PolicyInstallScript arguments="" command="" enabled="False"/>
</Management>
<HostOptions>
<Option name="use_mac_addr_filter">True</Option>
</HostOptions>
</Host>
<Host comment="" id="id3BF1B3E7" name="host-with_mac-2">
<Interface bridgeport="False" dyn="False" id="id3BF1B3E8" label="" name="unknown" security_level="100" unnum="False">
<IPv4 address="0.0.0.0" id="id3BF1B3E8-ipv4" name="address" netmask="0.0.0.0"/>
<physAddress address="00:10:4b:de:e9:6f" id="id3BF1B3E8-pa" name="unknown-pa"/>
</Interface>
<Management address="0.0.0.0">
<SNMPManagement enabled="False" snmp_read_community="" snmp_write_community=""/>
<FWBDManagement enabled="False" identity="" port="-1"/>
<PolicyInstallScript arguments="" command="" enabled="False"/>
</Management>
<HostOptions>
<Option name="snmp_contact"/>
<Option name="snmp_description"/>
<Option name="snmp_location"/>
<Option name="use_mac_addr_filter">True</Option>
</HostOptions>
</Host>
<Host comment="" id="host-hostA" name="hostA">
<Interface bridgeport="False" comment="" dyn="False" id="host-hostA-i" label="" mgmt="False" name="int1" security_level="100" unnum="False">
<IPv4 address="192.168.1.10" comment="" id="host-hostA-i-ipv4" name="hostA:int1" netmask="255.255.255.255"/>
</Interface>
<Management address="192.168.1.10">
<SNMPManagement enabled="False" snmp_read_community="public" snmp_write_community=""/>
<FWBDManagement enabled="False" identity="" port="-1"/>
<PolicyInstallScript arguments="" command="" enabled="False"/>
</Management>
<HostOptions>
<Option name="use_mac_addr_filter">false</Option>
</HostOptions>
</Host>
<Host comment="" id="id3B3D5A3B" name="hostA">
<Interface bridgeport="False" dyn="False" id="id3B3D5A3B-i" name="unknown" security_level="100" unnum="False">
<IPv4 address="192.168.1.10" id="id3B3D5A3B-i-ipv4" name="address" netmask="255.255.255.255"/>
</Interface>
<Management address="192.168.1.10">
<SNMPManagement enabled="False" snmp_read_community="public" snmp_write_community=""/>
<FWBDManagement enabled="False" identity="" port="-1"/>
<PolicyInstallScript arguments="" command="" enabled="False"/>
</Management>
<HostOptions>
<Option name="use_mac_addr_filter">false</Option>
</HostOptions>
</Host>
<Host comment="translated address for hostA" id="id3AFADBF9" name="hostA-NAT">
<Interface bridgeport="False" dyn="False" id="id3AFADBF9-i" name="unknown" security_level="100" unnum="False">
<IPv4 address="22.22.22.23" id="id3AFADBF9-i-ipv4" name="address" netmask="255.255.255.255"/>
</Interface>
<HostOptions>
<Option name="use_mac_addr_filter">false</Option>
</HostOptions>
</Host>
<Host comment="" id="host-hostB" name="hostB">
<Interface bridgeport="False" dyn="False" id="host-hostB-i" name="unknown" security_level="100" unnum="False">
<IPv4 address="192.168.1.20" id="host-hostB-i-ipv4" name="address" netmask="255.255.255.255"/>
</Interface>
<Management address="192.168.1.20">
<SNMPManagement enabled="False" snmp_read_community="public" snmp_write_community=""/>
<FWBDManagement enabled="False" identity="" port="-1"/>
<PolicyInstallScript arguments="" command="" enabled="False"/>
</Management>
<HostOptions>
<Option name="use_mac_addr_filter">false</Option>
</HostOptions>
</Host>
<Host comment="" id="id3BD6736B" name="hostB-NAT">
<Interface bridgeport="False" dyn="False" id="id3BD6736B-i" name="unknown" security_level="100" unnum="False">
<IPv4 address="22.22.23.24" id="id3BD6736B-i-ipv4" name="address" netmask="255.255.255.255"/>
</Interface>
<HostOptions>
<Option name="use_mac_addr_filter">false</Option>
</HostOptions>
</Host>
<Host comment="" id="id3D58227A" name="hostC">
<Interface bridgeport="False" dyn="False" id="id3D58227A-i" name="interface-1" security_level="0" unnum="False">
<IPv4 address="192.168.1.100" id="id3D58227A-i-1-addr" name="address" netmask="255.255.255.255"/>
</Interface>
<Management address="192.168.1.100">
<SNMPManagement enabled="False" snmp_read_community="" snmp_write_community=""/>
<FWBDManagement enabled="False" identity="" port="-1"/>
<PolicyInstallScript arguments="" command="" enabled="False"/>
</Management>
<HostOptions>
<Option name="snmp_contact"/>
<Option name="snmp_description"/>
<Option name="snmp_location"/>
<Option name="use_mac_addr">false</Option>
<Option name="use_mac_addr_filter">False</Option>
</HostOptions>
</Host>
<Host comment="" id="id3D58227E" name="hostC-1">
<Interface bridgeport="False" comment="" dyn="False" id="id3D582282" label="" name="eth0" security_level="0" unnum="False">
<IPv4 address="192.168.1.100" comment="" id="id3D582283" name="hostC-1:eth0" netmask="255.255.255.0"/>
</Interface>
<Management address="192.168.1.100">
<SNMPManagement enabled="False" snmp_read_community="" snmp_write_community=""/>
<FWBDManagement enabled="False" identity="" port="-1"/>
<PolicyInstallScript arguments="" command="" enabled="False"/>
</Management>
<HostOptions>
<Option name="snmp_contact"/>
<Option name="snmp_description"/>
<Option name="snmp_location"/>
<Option name="use_mac_addr">false</Option>
<Option name="use_mac_addr_filter">False</Option>
</HostOptions>
</Host>
<Host comment="" id="id3CD87A53" name="n192.168.1.11">
<Interface bridgeport="False" dyn="False" id="id3CD87A53-i" name="interface-1" security_level="0" unnum="False">
<IPv4 address="192.168.1.11" id="id3CD87A53-i-1-addr" name="address" netmask="255.255.255.255"/>
</Interface>
<Management address="192.168.1.11">
<SNMPManagement enabled="False" snmp_read_community="" snmp_write_community=""/>
<FWBDManagement enabled="False" identity="" port="-1"/>
<PolicyInstallScript arguments="" command="" enabled="False"/>
</Management>
<HostOptions>
<Option name="snmp_contact"/>
<Option name="snmp_description"/>
<Option name="snmp_location"/>
<Option name="use_mac_addr">False</Option>
<Option name="use_mac_addr_filter">False</Option>
</HostOptions>
</Host>
<Host comment="" id="id3CD87A5E" name="n192.168.1.12">
<Interface bridgeport="False" dyn="False" id="id3CD87A5E-i" name="interface-1" security_level="0" unnum="False">
<IPv4 address="192.168.1.12" id="id3CD87A5E-i-1-addr" name="address" netmask="255.255.255.255"/>
</Interface>
<Management address="192.168.1.12">
<SNMPManagement enabled="False" snmp_read_community="" snmp_write_community=""/>
<FWBDManagement enabled="False" identity="" port="-1"/>
<PolicyInstallScript arguments="" command="" enabled="False"/>
</Management>
<HostOptions>
<Option name="snmp_contact"/>
<Option name="snmp_description"/>
<Option name="snmp_location"/>
<Option name="use_mac_addr">False</Option>
<Option name="use_mac_addr_filter">False</Option>
</HostOptions>
</Host>
<Host comment="" id="id3CD87A6D" name="n192.168.1.13">
<Interface bridgeport="False" dyn="False" id="id3CD87A6D-i" name="interface-1" security_level="0" unnum="False">
<IPv4 address="192.168.1.13" id="id3CD87A6D-i-1-addr" name="address" netmask="255.255.255.255"/>
</Interface>
<Management address="192.168.1.13">
<SNMPManagement enabled="False" snmp_read_community="" snmp_write_community=""/>
<FWBDManagement enabled="False" identity="" port="-1"/>
<PolicyInstallScript arguments="" command="" enabled="False"/>
</Management>
<HostOptions>
<Option name="snmp_contact"/>
<Option name="snmp_description"/>
<Option name="snmp_location"/>
<Option name="use_mac_addr">False</Option>
<Option name="use_mac_addr_filter">False</Option>
</HostOptions>
</Host>
<Host comment="" id="id3CD87A7C" name="n192.168.1.14">
<Interface bridgeport="False" dyn="False" id="id3CD87A7C-i" name="interface-1" security_level="0" unnum="False">
<IPv4 address="192.168.1.14" id="id3CD87A7C-i-1-addr" name="address" netmask="255.255.255.255"/>
</Interface>
<Management address="192.168.1.14">
<SNMPManagement enabled="False" snmp_read_community="" snmp_write_community=""/>
<FWBDManagement enabled="False" identity="" port="-1"/>
<PolicyInstallScript arguments="" command="" enabled="False"/>
</Management>
<HostOptions>
<Option name="snmp_contact"/>
<Option name="snmp_description"/>
<Option name="snmp_location"/>
<Option name="use_mac_addr">False</Option>
<Option name="use_mac_addr_filter">False</Option>
</HostOptions>
</Host>
<Host comment="" id="id3CD87A8B" name="n192.168.1.15">
<Interface bridgeport="False" dyn="False" id="id3CD87A8B-i" name="interface-1" security_level="0" unnum="False">
<IPv4 address="192.168.1.15" id="id3CD87A8B-i-1-addr" name="address" netmask="255.255.255.255"/>
</Interface>
<Management address="192.168.1.15">
<SNMPManagement enabled="False" snmp_read_community="" snmp_write_community=""/>
<FWBDManagement enabled="False" identity="" port="-1"/>
<PolicyInstallScript arguments="" command="" enabled="False"/>
</Management>
<HostOptions>
<Option name="snmp_contact"/>
<Option name="snmp_description"/>
<Option name="snmp_location"/>
<Option name="use_mac_addr">False</Option>
<Option name="use_mac_addr_filter">False</Option>
</HostOptions>
</Host>
<Host comment="some host outside our network" id="id3B19C5EB" name="outside-host">
<Interface bridgeport="False" dyn="False" id="id3B19C5EB-i" name="unknown" security_level="100" unnum="False">
<IPv4 address="200.200.200.200" id="id3B19C5EB-i-ipv4" name="address" netmask="255.255.255.255"/>
</Interface>
<HostOptions>
<Option name="use_mac_addr_filter">false</Option>
</HostOptions>
</Host>
<Host comment="" id="host-secondary1-com" name="secondary1.com">
<Interface bridgeport="False" dyn="False" id="host-secondary1-com-i" name="unknown" security_level="100" unnum="False">
<IPv4 address="211.11.11.11" id="host-secondary1-com-i-ipv4" name="address" netmask="255.255.255.255"/>
</Interface>
<Management address="211.11.11.11">
<SNMPManagement enabled="False" snmp_read_community="public" snmp_write_community=""/>
<FWBDManagement enabled="False" identity="" port="-1"/>
<PolicyInstallScript arguments="" command="" enabled="False"/>
</Management>
<HostOptions>
<Option name="use_mac_addr_filter">false</Option>
</HostOptions>
</Host>
<Host comment="" id="host-secondary2-com" name="secondary2.com">
<Interface bridgeport="False" dyn="False" id="host-secondary2-com-i" name="unknown" security_level="100" unnum="False">
<IPv4 address="211.22.22.22" id="host-secondary2-com-i-ipv4" name="address" netmask="255.255.255.255"/>
</Interface>
<Management address="211.22.22.22">
<SNMPManagement enabled="False" snmp_read_community="public" snmp_write_community=""/>
<FWBDManagement enabled="False" identity="" port="-1"/>
<PolicyInstallScript arguments="" command="" enabled="False"/>
</Management>
<HostOptions>
<Option name="use_mac_addr_filter">false</Option>
</HostOptions>
</Host>
<Host comment="" id="id3BF23930" name="z-host">
<Interface bridgeport="False" dyn="False" id="id3BF23931" label="" name="unknown" security_level="100" unnum="False">
<IPv4 address="0.0.0.0" id="id3BF23931-ipv4" name="address" netmask="0.0.0.0"/>
<physAddress address="00:a0:24:53:06:8c" id="id3BF23931-pa" name="unknown-pa"/>
</Interface>
<Management address="0.0.0.0">
<SNMPManagement enabled="False" snmp_read_community="" snmp_write_community=""/>
<FWBDManagement enabled="False" identity="" port="-1"/>
<PolicyInstallScript arguments="" command="" enabled="False"/>
</Management>
<HostOptions>
<Option name="snmp_contact"/>
<Option name="snmp_description"/>
<Option name="snmp_location"/>
<Option name="use_mac_addr_filter">False</Option>
</HostOptions>
</Host>
<Host id="id3D850651" name="zero address">
<Interface bridgeport="False" dyn="False" id="id3D850655" name="interface1" security_level="0" unnum="False">
<IPv4 address="0.0.0.0" id="id3D850656" name="zero address" netmask="255.0.0.0"/>
</Interface>
<Management address="0.0.0.0">
<SNMPManagement enabled="False" snmp_read_community="" snmp_write_community=""/>
<FWBDManagement enabled="False" identity="" port="-1"/>
<PolicyInstallScript arguments="" command="" enabled="False"/>
</Management>
<HostOptions>
<Option name="use_mac_addr">false</Option>
</HostOptions>
</Host>
</ObjectGroup>
<ObjectGroup id="stdid03_1" name="Networks">
<Network comment="" id="net-Internal_net" name="Internal_net" address="192.168.1.0" netmask="255.255.255.0"/>
<Network comment="DMZ net - using NAT" id="id3B022266" name="dmz_net" address="192.168.2.0" netmask="255.255.255.0"/>
<Network comment="" id="id3B665641" name="external_net" address="22.22.22.0" netmask="255.255.255.0"/>
<Network comment="" id="id3B665643" name="foreign_net" address="33.33.33.0" netmask="255.255.255.0"/>
</ObjectGroup>
<ObjectGroup id="stdid15_1" name="Address Ranges">
<AddressRange comment="" id="id3CD8769F" name="test_range_1" start_address="192.168.1.11" end_address="192.168.1.15"/>
<AddressRange comment="" id="id3D98E5AD" name="test_range_2" start_address="192.168.1.11" end_address="192.168.1.11"/>
</ObjectGroup>
</ObjectGroup>
<ServiceGroup id="stdid05_1" name="Services">
<ServiceGroup id="stdid05_1_og_tag_1" name="TagServices"/><ServiceGroup id="stdid10_1" name="Groups">
<ServiceGroup id="id3B457567" name="svcgroup1">
<ServiceRef ref="id3B457561"/>
<ServiceRef ref="ip-IPSEC"/>
</ServiceGroup>
<ServiceGroup id="id3C1A66C9" name="large group TCP">
<ServiceRef ref="id3B20468D"/>
<ServiceRef ref="tcp-IRC"/>
<ServiceRef ref="id3B5009F7"/>
<ServiceRef ref="tcp-Auth"/>
<ServiceRef ref="tcp-DNS_zone_transf"/>
<ServiceRef ref="tcp-FTP"/>
<ServiceRef ref="tcp-HTTP"/>
<ServiceRef ref="tcp-NNTP"/>
<ServiceRef ref="tcp-SMTP"/>
<ServiceRef ref="tcp-SSH"/>
<ServiceRef ref="tcp-Telnet"/>
<ServiceRef ref="tcp-uucp"/>
<ServiceRef ref="id3C1A66EF"/>
<ServiceRef ref="id3AEDBE6E"/>
<ServiceRef ref="id3B4FEDA3"/>
<ServiceRef ref="id3B4FED69"/>
<ServiceRef ref="id3AECF776"/>
<ServiceRef ref="id3B4FED9F"/>
<ServiceRef ref="id3B4FF13C"/>
<ServiceRef ref="id3B4FEE21"/>
<ServiceRef ref="id3B4FEE23"/>
<ServiceRef ref="id3AECF778"/>
<ServiceRef ref="id3B4FF000"/>
<ServiceRef ref="id3B4FEEEE"/>
<ServiceRef ref="id3B4FEE7A"/>
<ServiceRef ref="id3B4FEE1D"/>
<ServiceRef ref="id3B4FF0EA"/>
<ServiceRef ref="id3AECF782"/>
<ServiceRef ref="id3B4FEF7C"/>
<ServiceRef ref="id3AECF77A"/>
<ServiceRef ref="id3AECF77C"/>
<ServiceRef ref="id3AECF77E"/>
<ServiceRef ref="id3B4FEF34"/>
<ServiceRef ref="id3B4FF04C"/>
<ServiceRef ref="id3B4FEE76"/>
<ServiceRef ref="id3AEDBE00"/>
<ServiceRef ref="id3B4FF1B8"/>
</ServiceGroup>
<ServiceGroup id="id3CD878C8" name="small group TCP">
<ServiceRef ref="tcp-Auth"/>
<ServiceRef ref="tcp-HTTP"/>
<ServiceRef ref="tcp-SMTP"/>
<ServiceRef ref="tcp-SSH"/>
<ServiceRef ref="tcp-uucp"/>
<ServiceRef ref="id3B4FED69"/>
<ServiceRef ref="id3AECF776"/>
</ServiceGroup>
</ServiceGroup><ServiceGroup id="stdid07_1" name="ICMP">
<ICMPService code="-1" comment="" id="id3C1A5D46" name="any ICMP" type="-1"/>
</ServiceGroup><ServiceGroup id="stdid06_1" name="IP">
<IPService comment="" fragm="False" id="id3B457561" lsrr="False" name="ICMP" protocol_num="1" rr="False" short_fragm="False" ssrr="False" ts="False"/>
<IPService comment="" fragm="False" id="id3B6659A5" lsrr="False" name="TS" protocol_num="0" rr="False" short_fragm="False" ssrr="False" ts="True"/>
</ServiceGroup><ServiceGroup id="stdid09_1" name="TCP">
<TCPService ack_flag="False" ack_flag_mask="False" comment="" dst_range_end="70" dst_range_start="70" fin_flag="False" fin_flag_mask="False" id="id3C1A66EF" name="gopher" psh_flag="False" psh_flag_mask="False" rst_flag="False" rst_flag_mask="False" src_range_end="0" src_range_start="0" syn_flag="False" syn_flag_mask="False" urg_flag="False" urg_flag_mask="False"/>
<TCPService ack_flag="False" ack_flag_mask="False" comment="" dst_range_end="6667" dst_range_start="6667" fin_flag="False" fin_flag_mask="False" id="tcp-IRC" name="irc" psh_flag="False" psh_flag_mask="False" rst_flag="False" rst_flag_mask="False" src_range_end="0" src_range_start="0" syn_flag="False" syn_flag_mask="False" urg_flag="False" urg_flag_mask="False"/>
<TCPService ack_flag="False" ack_flag_mask="False" comment="" dst_range_end="3128" dst_range_start="3128" fin_flag="False" fin_flag_mask="False" id="id3B5009F7" name="squid" psh_flag="False" psh_flag_mask="False" rst_flag="False" rst_flag_mask="False" src_range_end="0" src_range_start="0" syn_flag="False" syn_flag_mask="False" urg_flag="False" urg_flag_mask="False"/>
<TCPService ack_flag="False" ack_flag_mask="False" comment="port range" dst_range_end="11000" dst_range_start="10000" fin_flag="False" fin_flag_mask="False" id="id3B20468D" name="test-TCP" psh_flag="False" psh_flag_mask="False" rst_flag="False" rst_flag_mask="False" src_range_end="0" src_range_start="0" syn_flag="False" syn_flag_mask="False" urg_flag="False" urg_flag_mask="False"/>
<TCPService ack_flag="True" ack_flag_mask="True" comment="" dst_range_end="0" dst_range_start="0" fin_flag="True" fin_flag_mask="True" id="id3B58E3F1" name="xmas-tree" psh_flag="False" psh_flag_mask="True" rst_flag="True" rst_flag_mask="True" src_range_end="0" src_range_start="0" syn_flag="True" syn_flag_mask="True" urg_flag="False" urg_flag_mask="True"/>
<TCPService ack_flag="False" ack_flag_mask="False" comment="" dst_range_end="1024" dst_range_start="1" fin_flag="False" fin_flag_mask="False" id="id3E51B08E" name="priveleged tcp" psh_flag="False" psh_flag_mask="False" rst_flag="False" rst_flag_mask="False" src_range_end="0" src_range_start="0" syn_flag="False" syn_flag_mask="False" urg_flag="False" urg_flag_mask="False"/>
<TCPService ack_flag="True" ack_flag_mask="True" comment="" dst_range_end="0" dst_range_start="0" fin_flag="True" fin_flag_mask="True" id="id3E51B0E3" name="bad tcp" psh_flag="True" psh_flag_mask="True" rst_flag="False" rst_flag_mask="True" src_range_end="0" src_range_start="0" syn_flag="True" syn_flag_mask="True" urg_flag="True" urg_flag_mask="True"/>
<TCPService ack_flag="False" ack_flag_mask="False" comment="" dst_range_end="0" dst_range_start="0" established="True" fin_flag="False" fin_flag_mask="False" id="id463FF6C310755" name="tcp established" psh_flag="False" psh_flag_mask="False" rst_flag="False" rst_flag_mask="False" src_range_end="0" src_range_start="0" syn_flag="False" syn_flag_mask="False" urg_flag="False" urg_flag_mask="False"/>
<TCPService ack_flag="False" ack_flag_mask="False" comment="" dst_range_end="0" dst_range_start="0" established="True" fin_flag="False" fin_flag_mask="False" id="id4640031410755" name="http established" psh_flag="False" psh_flag_mask="False" rst_flag="False" rst_flag_mask="False" src_range_end="80" src_range_start="80" syn_flag="False" syn_flag_mask="False" urg_flag="False" urg_flag_mask="False"/>
</ServiceGroup><ServiceGroup id="stdid08_1" name="UDP">
<UDPService comment="" dst_range_end="500" dst_range_start="500" id="id3DEA6281" name="ISAKMP" src_range_end="0" src_range_start="0"/>
</ServiceGroup><ServiceGroup id="stdid13_1" name="Custom_Services">
<CustomService comment="Talk support" id="id3B64FE22" name="talk">
<CustomServiceCommand platform="Undefined"/>
<CustomServiceCommand platform="ipfilter"/>
<CustomServiceCommand platform="iptables">-m ip_conntrack_talk -m ip_nat_talk</CustomServiceCommand>
</CustomService>
<CustomService comment="" id="id3F162C44" name="establ">
<CustomServiceCommand platform="fwsm"/>
<CustomServiceCommand platform="ipf"/>
<CustomServiceCommand platform="ipfw">if established</CustomServiceCommand>
<CustomServiceCommand platform="iptables"/>
<CustomServiceCommand platform="pf"/>
<CustomServiceCommand platform="pix"/>
<CustomServiceCommand platform="unknown"/>
</CustomService>
</ServiceGroup>
<ServiceGroup id="stdid05_1_userservices" name="User"/>
</ServiceGroup>
<ObjectGroup id="stdid12_1" name="Firewalls">
<Firewall comment="this is simple firewall with two interfaces. Test regular policy rules, including IP_fragments rule" host_OS="freebsd" id="fw-firewall2" lastCompiled="0" lastInstalled="0" lastModified="0" name="firewall" platform="ipfw" version="">
<NAT id="nat-firewall2" name="NAT">
<NATRule comment="" disabled="False" id="nat-firewall2-0" position="0">
<OSrc neg="False">
<ObjectRef ref="net-Internal_net"/>
</OSrc>
<ODst neg="False">
<ObjectRef ref="sysid0"/>
</ODst>
<OSrv neg="False">
<ServiceRef ref="sysid1"/>
</OSrv>
<TSrc neg="False">
<ObjectRef ref="fw-firewall2"/>
</TSrc>
<TDst neg="False">
<ObjectRef ref="sysid0"/>
</TDst>
<TSrv neg="False">
<ServiceRef ref="sysid1"/>
</TSrv>
<NATRuleOptions/>
</NATRule><NATRule comment="" disabled="False" id="nat-firewall2-1" position="1">
<OSrc neg="False">
<ObjectRef ref="sysid0"/>
</OSrc>
<ODst neg="False">
<ObjectRef ref="fw-firewall2"/>
</ODst>
<OSrv neg="False">
<ServiceRef ref="tcp-SMTP"/>
</OSrv>
<TSrc neg="False">
<ObjectRef ref="sysid0"/>
</TSrc>
<TDst neg="False">
<ObjectRef ref="host-hostA"/>
</TDst>
<TSrv neg="False">
<ServiceRef ref="tcp-SMTP"/>
</TSrv>
<NATRuleOptions/>
</NATRule><NATRule disabled="False" id="id3CDB43B8" position="2">
<OSrc neg="False">
<ObjectRef ref="sysid0"/>
</OSrc>
<ODst neg="False">
<ObjectRef ref="sysid0"/>
</ODst>
<OSrv neg="False">
<ServiceRef ref="tcp-HTTP"/>
</OSrv>
<TSrc neg="False">
<ObjectRef ref="sysid0"/>
</TSrc>
<TDst neg="False">
<ObjectRef ref="fw-firewall2"/>
</TDst>
<TSrv neg="False">
<ServiceRef ref="id3B4FF09A"/>
</TSrv>
<NATRuleOptions/>
</NATRule><NATRule disabled="False" id="id3D7581A7" position="3">
<OSrc neg="False">
<ObjectRef ref="net-Internal_net"/>
</OSrc>
<ODst neg="False">
<ObjectRef ref="sysid0"/>
</ODst>
<OSrv neg="False">
<ServiceRef ref="tcp-HTTP"/>
<ServiceRef ref="id3B4FED69"/>
</OSrv>
<TSrc neg="False">
<ObjectRef ref="sysid0"/>
</TSrc>
<TDst neg="False">
<ObjectRef ref="if-FW-firewall2-eth0"/>
</TDst>
<TSrv neg="False">
<ServiceRef ref="id3B4FF09A"/>
</TSrv>
<NATRuleOptions/>
</NATRule><NATRule comment="" disabled="False" id="id3D75843D" position="4">
<OSrc neg="False">
<ObjectRef ref="net-Internal_net"/>
</OSrc>
<ODst neg="False">
<ObjectRef ref="sysid0"/>
</ODst>
<OSrv neg="False">
<ServiceRef ref="tcp-HTTP"/>
<ServiceRef ref="id3B4FED69"/>
</OSrv>
<TSrc neg="False">
<ObjectRef ref="sysid0"/>
</TSrc>
<TDst neg="False">
<ObjectRef ref="if-FW-firewall2-eth1"/>
</TDst>
<TSrv neg="False">
<ServiceRef ref="id3B4FF09A"/>
</TSrv>
<NATRuleOptions/>
</NATRule></NAT>
<Policy id="pol-firewall2" name="Policy">
<PolicyRule action="Deny" direction="Inbound" disabled="False" id="id3B09D29D" log="True" position="0">
<Src neg="False">
<ObjectRef ref="sysid0"/>
</Src><Dst neg="False">
<ObjectRef ref="fw-firewall2"/>
</Dst><Srv neg="False">
<ServiceRef ref="ip-IP_Fragments"/>
</Srv><Itf neg="False">
<ObjectRef ref="if-FW-firewall2-eth1"/>
</Itf>
<PolicyRuleOptions>
<Option name="stateless">True</Option>
</PolicyRuleOptions>
</PolicyRule>
<PolicyRule action="Deny" comment="Automatically generated rule blocking short fragments" direction="Inbound" disabled="False" id="pol-firewall2-0" log="True" position="1">
<Src neg="False">
<ObjectRef ref="sysid0"/>
</Src><Dst neg="False">
<ObjectRef ref="sysid0"/>
</Dst><Srv neg="False">
<ServiceRef ref="ip-IP_Fragments"/>
</Srv><Itf neg="False">
<ObjectRef ref="if-FW-firewall2-eth1"/>
</Itf><When neg="False">
<IntervalRef ref="sysid2"/>
</When>
<PolicyRuleOptions>
<Option name="stateless">True</Option>
</PolicyRuleOptions>
</PolicyRule>
<PolicyRule action="Deny" comment="Automatically generated anti-spoofing rule" direction="Inbound" disabled="False" id="pol-firewall2-1" log="True" position="2">
<Src neg="False">
<ObjectRef ref="net-Internal_net"/>
<ObjectRef ref="fw-firewall2"/>
</Src><Dst neg="False">
<ObjectRef ref="sysid0"/>
</Dst><Srv neg="False">
<ServiceRef ref="sysid1"/>
</Srv><Itf neg="False">
<ObjectRef ref="if-FW-firewall2-eth1"/>
</Itf><When neg="False">
<IntervalRef ref="sysid2"/>
</When>
<PolicyRuleOptions>
<Option name="stateless">True</Option>
</PolicyRuleOptions>
</PolicyRule>
<PolicyRule action="Accept" direction="Both" disabled="False" id="id3B92DFC5" log="False" position="3">
<Src neg="False">
<ObjectRef ref="net-Internal_net"/>
</Src><Dst neg="False">
<ObjectRef ref="fw-firewall2"/>
</Dst><Srv neg="False">
<ServiceRef ref="udp-DNS"/>
</Srv><Itf neg="False">
<ObjectRef ref="if-FW-firewall2-eth0"/>
</Itf>
<PolicyRuleOptions/>
</PolicyRule>
<PolicyRule action="Deny" comment="" direction="Inbound" disabled="False" id="id3C4E4C38" log="True" position="4">
<Src neg="False">
<ObjectRef ref="sysid0"/>
</Src><Dst neg="False">
<ObjectRef ref="id3B64FFAC"/>
</Dst><Srv neg="False">
<ServiceRef ref="udp-DNS"/>
</Srv><Itf neg="False">
<ObjectRef ref="if-FW-firewall2-eth0"/>
</Itf>
<PolicyRuleOptions>
<Option name="stateless">True</Option>
</PolicyRuleOptions>
</PolicyRule>
<PolicyRule action="Deny" direction="Both" disabled="False" id="id3B58E39D" log="True" position="5">
<Src neg="False">
<ObjectRef ref="sysid0"/>
</Src><Dst neg="False">
<ObjectRef ref="sysid0"/>
</Dst><Srv neg="False">
<ServiceRef ref="tcp-TCP-SYN"/>
<ServiceRef ref="id3B58E3F1"/>
</Srv><Itf neg="False">
<ObjectRef ref="sysid0"/>
</Itf><When neg="False">
<IntervalRef ref="sysid2"/>
</When>
<PolicyRuleOptions>
<Option name="action_on_reject"/>
<Option name="limit_value">0</Option>
<Option name="log_limit_suffix"/>
<Option name="log_prefix"/>
<Option name="stateless">True</Option>
</PolicyRuleOptions>
</PolicyRule>
<PolicyRule action="Reject" direction="Both" disabled="False" id="id3B6659FC" log="True" position="6">
<Src neg="False">
<ObjectRef ref="sysid0"/>
</Src><Dst neg="False">
<ObjectRef ref="sysid0"/>
</Dst><Srv neg="False">
<ServiceRef ref="ip-RR"/>
<ServiceRef ref="ip-SRR"/>
<ServiceRef ref="id3B6659A5"/>
</Srv><Itf neg="False">
<ObjectRef ref="sysid0"/>
</Itf><When neg="False">
<IntervalRef ref="sysid2"/>
</When>
<PolicyRuleOptions>
<Option name="action_on_reject"/>
<Option name="ipf_keep_frags">False</Option>
<Option name="ipf_return_icmp_as_dest">True</Option>
<Option name="stateless">True</Option>
</PolicyRuleOptions>
</PolicyRule>
<PolicyRule action="Reject" direction="Both" disabled="False" id="id3CE74D81" log="False" position="7">
<Src neg="False">
<ObjectRef ref="sysid0"/>
</Src><Dst neg="False">
<ObjectRef ref="fw-firewall2"/>
</Dst><Srv neg="False">
<ServiceRef ref="ip-IPSEC"/>
</Srv><Itf neg="False">
<ObjectRef ref="sysid0"/>
</Itf><When neg="False">
<IntervalRef ref="sysid2"/>
</When>
<PolicyRuleOptions>
<Option name="stateless">True</Option>
</PolicyRuleOptions>
</PolicyRule>
<PolicyRule action="Accept" direction="Both" disabled="True" id="id3BF1B45E" log="False" position="8">
<Src neg="False">
<ObjectRef ref="id3BF1B3E1"/>
</Src><Dst neg="False">
<ObjectRef ref="host-hostA"/>
</Dst><Srv neg="False">
<ServiceRef ref="sysid1"/>
</Srv><Itf neg="False">
<ObjectRef ref="sysid0"/>
</Itf><When neg="False">
<IntervalRef ref="sysid2"/>
</When>
<PolicyRuleOptions>
<Option name="action_on_reject"/>
<Option name="limit_suffix"/>
<Option name="limit_value">0</Option>
<Option name="log_prefix"/>
</PolicyRuleOptions>
</PolicyRule>
<PolicyRule action="Accept" direction="Both" disabled="True" id="id3BF1B44E" log="False" position="9">
<Src neg="False">
<ObjectRef ref="id3BF1B3E7"/>
</Src><Dst neg="False">
<ObjectRef ref="host-hostA"/>
</Dst><Srv neg="False">
<ServiceRef ref="sysid1"/>
</Srv><Itf neg="False">
<ObjectRef ref="sysid0"/>
</Itf><When neg="False">
<IntervalRef ref="sysid2"/>
</When>
<PolicyRuleOptions>
<Option name="action_on_reject"/>
<Option name="limit_suffix"/>
<Option name="limit_value">0</Option>
<Option name="log_prefix"/>
</PolicyRuleOptions>
</PolicyRule>
<PolicyRule action="Accept" comment="" direction="Both" disabled="False" id="pol-firewall2-3" log="False" position="10">
<Src neg="False">
<ObjectRef ref="host-secondary1-com"/>
<ObjectRef ref="host-secondary2-com"/>
</Src><Dst neg="False">
<ObjectRef ref="host-hostA"/>
</Dst><Srv neg="False">
<ServiceRef ref="tcp-DNS_zone_transf"/>
</Srv><Itf neg="False">
<ObjectRef ref="sysid0"/>
</Itf><When neg="False">
<IntervalRef ref="int-afterhours"/>
<IntervalRef ref="id3C63479C"/>
<IntervalRef ref="id3C63479E"/>
</When>
<PolicyRuleOptions>
<Option name="action_on_reject"/>
<Option name="limit_suffix"/>
<Option name="limit_value">0</Option>
<Option name="log_prefix"/>
</PolicyRuleOptions>
</PolicyRule>
<PolicyRule action="Accept" comment="" direction="Both" disabled="False" id="pol-firewall2-2" log="False" position="11">
<Src neg="False">
<ObjectRef ref="sysid0"/>
</Src><Dst neg="False">
<ObjectRef ref="host-hostA"/>
</Dst><Srv neg="False">
<ServiceRef ref="id3C1A66C9"/>
</Srv><Itf neg="False">
<ObjectRef ref="sysid0"/>
</Itf><When neg="False">
<IntervalRef ref="sysid2"/>
</When>
<PolicyRuleOptions>
<Option name="action_on_reject"/>
<Option name="limit_suffix"/>
<Option name="limit_value">0</Option>
<Option name="log_prefix"/>
</PolicyRuleOptions>
</PolicyRule>
<PolicyRule action="Accept" comment="" direction="Both" disabled="False" id="id3D98E652" log="False" position="12">
<Src neg="False">
<ObjectRef ref="sysid0"/>
</Src><Dst neg="False">
<ObjectRef ref="id3D98E5AD"/>
</Dst><Srv neg="False">
<ServiceRef ref="id3CD878C8"/>
<ServiceRef ref="id3B5009F7"/>
</Srv><Itf neg="False">
<ObjectRef ref="sysid0"/>
</Itf><When neg="False">
<IntervalRef ref="sysid2"/>
</When>
<PolicyRuleOptions>
<Option name="action_on_reject"/>
<Option name="limit_suffix"/>
<Option name="limit_value">0</Option>
<Option name="log_prefix"/>
</PolicyRuleOptions>
</PolicyRule>
<PolicyRule action="Accept" comment="" direction="Both" disabled="False" id="id3CD8770E" log="False" position="13">
<Src neg="False">
<ObjectRef ref="sysid0"/>
</Src><Dst neg="False">
<ObjectRef ref="id3CD8769F"/>
</Dst><Srv neg="False">
<ServiceRef ref="id3CD878C8"/>
<ServiceRef ref="id3B5009F7"/>
</Srv><Itf neg="False">
<ObjectRef ref="sysid0"/>
</Itf><When neg="False">
<IntervalRef ref="sysid2"/>
</When>
<PolicyRuleOptions>
<Option name="action_on_reject"/>
<Option name="limit_suffix"/>
<Option name="limit_value">0</Option>
<Option name="log_prefix"/>
</PolicyRuleOptions>
</PolicyRule>
<PolicyRule action="Accept" comment="" direction="Both" disabled="False" id="id3CD87B1E" log="False" position="14">
<Src neg="False">
<ObjectRef ref="sysid0"/>
</Src><Dst neg="False">
<ObjectRef ref="id3CD87A9A"/>
</Dst><Srv neg="False">
<ServiceRef ref="id3CD878C8"/>
<ServiceRef ref="id3B5009F7"/>
</Srv><Itf neg="False">
<ObjectRef ref="sysid0"/>
</Itf><When neg="False">
<IntervalRef ref="sysid2"/>
</When>
<PolicyRuleOptions>
<Option name="action_on_reject"/>
<Option name="limit_suffix"/>
<Option name="limit_value">0</Option>
<Option name="log_prefix"/>
</PolicyRuleOptions>
</PolicyRule>
<PolicyRule action="Accept" comment="" direction="Both" disabled="False" id="pol-firewall2-4" log="False" position="15">
<Src neg="False">
<ObjectRef ref="sysid0"/>
</Src><Dst neg="False">
<ObjectRef ref="net-Internal_net"/>
</Dst><Srv neg="False">
<ServiceRef ref="sg-Useful_ICMP"/>
<ServiceRef ref="id3B5009F7"/>
</Srv><Itf neg="False">
<ObjectRef ref="sysid0"/>
</Itf><When neg="False">
<IntervalRef ref="sysid2"/>
</When>
<PolicyRuleOptions>
<Option name="action_on_reject"/>
<Option name="limit_suffix"/>
<Option name="limit_value">0</Option>
<Option name="log_prefix"/>
</PolicyRuleOptions>
</PolicyRule>
<PolicyRule action="Accept" comment="" direction="Both" disabled="False" id="id41D514D2" log="False" position="16">
<Src neg="False">
<ObjectRef ref="sysid0"/>
</Src><Dst neg="False">
<ObjectRef ref="net-Internal_net"/>
</Dst><Srv neg="False">
<ServiceRef ref="sg-Useful_ICMP"/>
<ServiceRef ref="id3B5009F7"/>
<ServiceRef ref="id3D703C82"/>
<ServiceRef ref="tcp-FTP_data"/>
<ServiceRef ref="id3C1A66C9"/>
</Srv><Itf neg="False">
<ObjectRef ref="sysid0"/>
</Itf><When neg="False">
<IntervalRef ref="sysid2"/>
</When>
<PolicyRuleOptions>
<Option name="action_on_reject"/>
<Option name="limit_suffix"/>
<Option name="limit_value">0</Option>
<Option name="log_prefix"/>
</PolicyRuleOptions>
</PolicyRule>
<PolicyRule action="Accept" direction="Both" disabled="False" id="id3B58E180" log="True" position="17">
<Src neg="False">
<ObjectRef ref="fw-firewall2"/>
</Src><Dst neg="False">
<ObjectRef ref="fw-firewall2"/>
</Dst><Srv neg="False">
<ServiceRef ref="sysid1"/>
</Srv><Itf neg="False">
<ObjectRef ref="sysid0"/>
</Itf><When neg="False">
<IntervalRef ref="sysid2"/>
</When>
<PolicyRuleOptions/>
</PolicyRule>
<PolicyRule action="Accept" comment="Automatically generated 'masquerading' rule" direction="Both" disabled="False" id="pol-firewall2-5" log="False" position="18">
<Src neg="False">
<ObjectRef ref="net-Internal_net"/>
<ObjectRef ref="fw-firewall2"/>
</Src><Dst neg="False">
<ObjectRef ref="sysid0"/>
</Dst><Srv neg="False">
<ServiceRef ref="sysid1"/>
</Srv><Itf neg="False">
<ObjectRef ref="sysid0"/>
</Itf><When neg="False">
<IntervalRef ref="sysid2"/>
</When>
<PolicyRuleOptions>
<Option name="action_on_reject"/>
<Option name="limit_suffix"/>
<Option name="limit_value">0</Option>
<Option name="log_prefix"/>
</PolicyRuleOptions>
</PolicyRule>
<PolicyRule action="Deny" comment="Automatically generated 'catch all' rule" direction="Both" disabled="False" id="pol-firewall2-7" log="True" position="19">
<Src neg="False">
<ObjectRef ref="sysid0"/>
</Src><Dst neg="False">
<ObjectRef ref="sysid0"/>
</Dst><Srv neg="False">
<ServiceRef ref="sysid1"/>
</Srv><Itf neg="False">
<ObjectRef ref="sysid0"/>
</Itf><When neg="False">
<IntervalRef ref="sysid2"/>
</When>
<PolicyRuleOptions>
<Option name="action_on_reject"/>
<Option name="limit_suffix"/>
<Option name="limit_value">0</Option>
<Option name="log_limit_suffix"/>
<Option name="log_prefix"/>
<Option name="stateless">True</Option>
</PolicyRuleOptions>
</PolicyRule>
</Policy>
<Routing id="fw-firewall2-routing" name="Routing">
</Routing>
<Interface bridgeport="False" dyn="False" id="if-FW-firewall2-eth1" name="eth1" security_level="0" unnum="False">
<IPv4 address="222.222.222.222" id="if-FW-firewall2-eth1-ipv4" name="address" netmask="255.255.255.0"/>
</Interface><Interface bridgeport="False" dyn="False" id="if-FW-firewall2-eth0" name="eth0" security_level="100" unnum="False">
<IPv4 address="192.168.1.1" comment="" id="if-FW-firewall2-eth0-ipv4" name="firewall" netmask="255.255.255.0"/>
</Interface>
<Management address="192.168.1.1">
<SNMPManagement enabled="False" snmp_read_community="public" snmp_write_community=""/>
<FWBDManagement enabled="True" identity="" port="9999"/>
<PolicyInstallScript arguments="" command="" enabled="False"/>
</Management>
<FirewallOptions>
<Option name="accept_established">False</Option>
<Option name="accept_new_tcp_with_no_syn">False</Option>
<Option name="action_on_reject">ICMP port unreachable</Option>
<Option name="activationCmd"/>
<Option name="admUser"/>
<Option name="altAddress"/>
<Option name="check_shading">False</Option>
<Option name="clamp_mss_to_mtu">False</Option>
<Option name="cmdline">-v</Option>
<Option name="compiler"/>
<Option name="configure_interfaces">False</Option>
<Option name="debug">True</Option>
<Option name="dyn_addr">False</Option>
<Option name="eliminate_duplicates">True</Option>
<Option name="epilog_script"/>
<Option name="firewall_dir"/>
<Option name="firewall_is_part_of_any">True</Option>
<Option name="firewall_is_part_of_any_and_networks">True</Option>
<Option name="freebsd_ip_forward"/>
<Option name="freebsd_ip_redirect"/>
<Option name="freebsd_ip_sourceroute"/>
<Option name="freebsd_path_ipf"/>
<Option name="freebsd_path_ipfw">/usr/sbin/ipfw</Option>
<Option name="freebsd_path_ipnat"/>
<Option name="freebsd_path_sysctl"/>
<Option name="ignore_empty_groups">True</Option>
<Option name="in_out_code">True</Option>
<Option name="inst_cmdline"/>
<Option name="inst_script"/>
<Option name="install_script"/>
<Option name="ipf_log_body">False</Option>
<Option name="ipf_log_facility"/>
<Option name="ipf_log_level"/>
<Option name="ipf_log_or_block">False</Option>
<Option name="ipf_nat_ftp_proxy">False</Option>
<Option name="ipf_nat_h323_proxy">False</Option>
<Option name="ipf_nat_ipsec_proxy">False</Option>
<Option name="ipf_nat_raudio_proxy">False</Option>
<Option name="ipf_nat_rcmd_proxy">False</Option>
<Option name="ipf_return_icmp_as_dest">True</Option>
<Option name="limit_suffix">/second</Option>
<Option name="limit_value">0</Option>
<Option name="linux24_ip_forward">0</Option>
<Option name="linux24_tcp_fin_timeout">30</Option>
<Option name="linux24_tcp_keepalive_interval">1800</Option>
<Option name="load_modules">False</Option>
<Option name="log_all_dropped">True</Option>
<Option name="log_ip_opt">False</Option>
<Option name="log_level">debug</Option>
<Option name="log_limit_suffix">/second</Option>
<Option name="log_limit_value">0</Option>
<Option name="log_prefix"/>
<Option name="log_tcp_opt">False</Option>
<Option name="log_tcp_seq">False</Option>
<Option name="manage_virtual_addr">True</Option>
<Option name="mgmt_addr">192.168.1.100</Option>
<Option name="mgmt_ssh">True</Option>
<Option name="modulate_state">False</Option>
<Option name="no_iochains_for_any">False</Option>
<Option name="no_optimisation">False</Option>
<Option name="openbsd_ip_directed_broadcast">0</Option>
<Option name="openbsd_ip_forward">1</Option>
<Option name="openbsd_ip_redirect">0</Option>
<Option name="openbsd_ip_sourceroute">0</Option>
<Option name="output_file"/>
<Option name="pass_all_out">False</Option>
<Option name="platform">iptables</Option>
<Option name="prolog_script"/>
<Option name="script_env_path"/>
<Option name="snmp_contact"/>
<Option name="snmp_description"/>
<Option name="snmp_location"/>
<Option name="use_numeric_log_levels">False</Option>
</FirewallOptions>
</Firewall>
<Firewall comment="this object is used to test all kinds of negation in policy rules&#10;&#10;Currently negation in NAT is not supported for ipf, therefore all rules in NAT with&#10;negation are disabled&#10;" host_OS="freebsd" id="id3AF5AA0A" lastCompiled="0" lastInstalled="0" lastModified="0" name="firewall1" platform="ipfw">
<NAT id="id3AF5AA0D" name="NAT">
<NATRule disabled="True" id="id3C98491C" position="0">
<OSrc neg="False">
<ObjectRef ref="net-Internal_net"/>
</OSrc>
<ODst neg="False">
<ObjectRef ref="id3B022266"/>
</ODst>
<OSrv neg="False">
<ServiceRef ref="sysid1"/>
</OSrv>
<TSrc neg="False">
<ObjectRef ref="sysid0"/>
</TSrc>
<TDst neg="False">
<ObjectRef ref="sysid0"/>
</TDst>
<TSrv neg="False">
<ServiceRef ref="sysid1"/>
</TSrv>
<NATRuleOptions/>
</NATRule><NATRule disabled="False" id="id3AFADC09" position="1">
<OSrc neg="False">
<ObjectRef ref="host-hostA"/>
</OSrc>
<ODst neg="False">
<ObjectRef ref="sysid0"/>
</ODst>
<OSrv neg="False">
<ServiceRef ref="sysid1"/>
</OSrv>
<TSrc neg="False">
<ObjectRef ref="id3AFADBF9"/>
</TSrc>
<TDst neg="False">
<ObjectRef ref="sysid0"/>
</TDst>
<TSrv neg="False">
<ServiceRef ref="sysid1"/>
</TSrv>
<NATRuleOptions/>
</NATRule><NATRule disabled="True" id="id3CD23959" position="2">
<OSrc neg="True">
<ObjectRef ref="net-Internal_net"/>
</OSrc>
<ODst neg="False">
<ObjectRef ref="id3B19C5EB"/>
</ODst>
<OSrv neg="False">
<ServiceRef ref="sysid1"/>
</OSrv>
<TSrc neg="False">
<ObjectRef ref="id3AFADBF9"/>
</TSrc>
<TDst neg="False">
<ObjectRef ref="sysid0"/>
</TDst>
<TSrv neg="False">
<ServiceRef ref="sysid1"/>
</TSrv>
<NATRuleOptions/>
</NATRule><NATRule disabled="False" id="id3B1328FB" position="3">
<OSrc neg="False">
<ObjectRef ref="net-Internal_net"/>
</OSrc>
<ODst neg="False">
<ObjectRef ref="sysid0"/>
</ODst>
<OSrv neg="False">
<ServiceRef ref="sysid1"/>
</OSrv>
<TSrc neg="False">
<ObjectRef ref="id3AF5AA0A"/>
</TSrc>
<TDst neg="False">
<ObjectRef ref="sysid0"/>
</TDst>
<TSrv neg="False">
<ServiceRef ref="sysid1"/>
</TSrv>
<NATRuleOptions/>
</NATRule><NATRule disabled="True" id="id3AF5AAD3" position="4">
<OSrc neg="False">
<ObjectRef ref="net-Internal_net"/>
</OSrc>
<ODst neg="True">
<ObjectRef ref="id3B022266"/>
</ODst>
<OSrv neg="False">
<ServiceRef ref="sysid1"/>
</OSrv>
<TSrc neg="False">
<ObjectRef ref="id3AF5AA0A"/>
</TSrc>
<TDst neg="False">
<ObjectRef ref="sysid0"/>
</TDst>
<TSrv neg="False">
<ServiceRef ref="sysid1"/>
</TSrv>
<NATRuleOptions/>
</NATRule><NATRule comment="" disabled="True" id="id3CCA1B57" position="5">
<OSrc neg="False">
<ObjectRef ref="net-Internal_net"/>
</OSrc>
<ODst neg="True">
<ObjectRef ref="id3BBC0EFC"/>
</ODst>
<OSrv neg="False">
<ServiceRef ref="sysid1"/>
</OSrv>
<TSrc neg="False">
<ObjectRef ref="id3AF5AA0A"/>
</TSrc>
<TDst neg="False">
<ObjectRef ref="sysid0"/>
</TDst>
<TSrv neg="False">
<ServiceRef ref="sysid1"/>
</TSrv>
<NATRuleOptions/>
</NATRule><NATRule disabled="True" id="id3B50F7CB" position="6">
<OSrc neg="True">
<ObjectRef ref="id3B022266"/>
</OSrc>
<ODst neg="False">
<ObjectRef ref="sysid0"/>
</ODst>
<OSrv neg="False">
<ServiceRef ref="sysid1"/>
</OSrv>
<TSrc neg="False">
<ObjectRef ref="id3AF5AA0A"/>
</TSrc>
<TDst neg="False">
<ObjectRef ref="sysid0"/>
</TDst>
<TSrv neg="False">
<ServiceRef ref="sysid1"/>
</TSrv>
<NATRuleOptions/>
</NATRule><NATRule disabled="True" id="id3BD8D94B" position="7">
<OSrc neg="False">
<ObjectRef ref="net-Internal_net"/>
</OSrc>
<ODst neg="True">
<ObjectRef ref="id3AF5AA0A"/>
</ODst>
<OSrv neg="False">
<ServiceRef ref="tcp-HTTP"/>
</OSrv>
<TSrc neg="False">
<ObjectRef ref="sysid0"/>
</TSrc>
<TDst neg="False">
<ObjectRef ref="id3AF5AA0A"/>
</TDst>
<TSrv neg="False">
<ServiceRef ref="id3B5009F7"/>
</TSrv>
<NATRuleOptions/>
</NATRule><NATRule disabled="True" id="id3BD8D9DD" position="8">
<OSrc neg="False">
<ObjectRef ref="net-Internal_net"/>
</OSrc>
<ODst neg="True">
<ObjectRef ref="id3AFC191C"/>
</ODst>
<OSrv neg="False">
<ServiceRef ref="tcp-HTTP"/>
</OSrv>
<TSrc neg="False">
<ObjectRef ref="sysid0"/>
</TSrc>
<TDst neg="False">
<ObjectRef ref="id3AF5AA0A"/>
</TDst>
<TSrv neg="False">
<ServiceRef ref="id3B5009F7"/>
</TSrv>
<NATRuleOptions/>
</NATRule><NATRule disabled="True" id="id3BBC0EA4" position="9">
<OSrc neg="False">
<ObjectRef ref="id3B4572AF"/>
</OSrc>
<ODst neg="True">
<ObjectRef ref="id3BBC0EFC"/>
</ODst>
<OSrv neg="False">
<ServiceRef ref="tcp-HTTP"/>
</OSrv>
<TSrc neg="False">
<ObjectRef ref="sysid0"/>
</TSrc>
<TDst neg="False">
<ObjectRef ref="id3AF5AA0A"/>
</TDst>
<TSrv neg="False">
<ServiceRef ref="id3B5009F7"/>
</TSrv>
<NATRuleOptions/>
</NATRule><NATRule disabled="True" id="id3BBC0F93" position="10">
<OSrc neg="True">
<ObjectRef ref="id3B4572AF"/>
</OSrc>
<ODst neg="False">
<ObjectRef ref="id3BBC0EFC"/>
</ODst>
<OSrv neg="False">
<ServiceRef ref="tcp-HTTP"/>
</OSrv>
<TSrc neg="False">
<ObjectRef ref="sysid0"/>
</TSrc>
<TDst neg="False">
<ObjectRef ref="id3AF5AA0A"/>
</TDst>
<TSrv neg="False">
<ServiceRef ref="id3B5009F7"/>
</TSrv>
<NATRuleOptions/>
</NATRule><NATRule disabled="True" id="id3BC6BCE5" position="11">
<OSrc neg="True">
<ObjectRef ref="host-hostA"/>
</OSrc>
<ODst neg="False">
<ObjectRef ref="sysid0"/>
</ODst>
<OSrv neg="False">
<ServiceRef ref="tcp-HTTP"/>
</OSrv>
<TSrc neg="False">
<ObjectRef ref="sysid0"/>
</TSrc>
<TDst neg="False">
<ObjectRef ref="id3AF5AA0A"/>
</TDst>
<TSrv neg="False">
<ServiceRef ref="id3B5009F7"/>
</TSrv>
<NATRuleOptions/>
</NATRule></NAT>
<Policy id="id3AF5AA0C" name="Policy">
<PolicyRule action="Deny" direction="Both" disabled="False" id="id3C5987DC" log="True" position="0">
<Src neg="False">
<ObjectRef ref="id3B4572B5"/>
</Src><Dst neg="True">
<ObjectRef ref="id3B4572B5"/>
</Dst><Srv neg="False">
<ServiceRef ref="id3B457567"/>
</Srv><Itf neg="False">
<ObjectRef ref="id3AF5AA96"/>
</Itf>
<PolicyRuleOptions>
<Option name="stateless">True</Option>
</PolicyRuleOptions>
</PolicyRule>
<PolicyRule action="Deny" direction="Both" disabled="False" id="id3CD34BEF" log="False" position="1">
<Src neg="False">
<ObjectRef ref="id3B4572AF"/>
</Src><Dst neg="True">
<ObjectRef ref="id3B4572AF"/>
</Dst><Srv neg="False">
<ServiceRef ref="id3B457567"/>
</Srv><Itf neg="False">
<ObjectRef ref="id3AF5AA96"/>
</Itf><When neg="False">
<IntervalRef ref="sysid2"/>
</When>
<PolicyRuleOptions>
<Option name="stateless">True</Option>
</PolicyRuleOptions>
</PolicyRule>
<PolicyRule action="Deny" comment="Anti-spoofing rule" direction="Inbound" disabled="False" id="id3AF5AAB4" log="True" position="2">
<Src neg="False">
<ObjectRef ref="net-Internal_net"/>
<ObjectRef ref="id3AF5AA0A"/>
</Src><Dst neg="False">
<ObjectRef ref="sysid0"/>
</Dst><Srv neg="False">
<ServiceRef ref="sysid1"/>
</Srv><Itf neg="False">
<ObjectRef ref="id3AF5AA99"/>
</Itf>
<PolicyRuleOptions>
<Option name="stateless">True</Option>
</PolicyRuleOptions>
</PolicyRule>
<PolicyRule action="Deny" comment="Anti-spoofing rule" direction="Outbound" disabled="False" id="id3AF5AAAB" log="True" position="3">
<Src neg="True">
<ObjectRef ref="net-Internal_net"/>
</Src><Dst neg="False">
<ObjectRef ref="sysid0"/>
</Dst><Srv neg="False">
<ServiceRef ref="sysid1"/>
</Srv><Itf neg="False">
<ObjectRef ref="id3AF5AA99"/>
</Itf>
<PolicyRuleOptions>
<Option name="stateless">True</Option>
</PolicyRuleOptions>
</PolicyRule>
<PolicyRule action="Accept" direction="Both" disabled="False" id="id3CDDF2FA" log="False" position="4">
<Src neg="False">
<ObjectRef ref="sysid0"/>
</Src><Dst neg="False">
<ObjectRef ref="sysid0"/>
</Dst><Srv neg="False">
<ServiceRef ref="sysid1"/>
</Srv><Itf neg="False">
<ObjectRef ref="id3B0B4D35"/>
</Itf><When neg="False">
<IntervalRef ref="sysid2"/>
</When>
<PolicyRuleOptions/>
</PolicyRule>
<PolicyRule action="Deny" comment="" direction="Both" disabled="False" id="id3CCA26E4" log="True" position="5">
<Src neg="False">
<ObjectRef ref="sysid0"/>
</Src><Dst neg="False">
<ObjectRef ref="sysid0"/>
</Dst><Srv neg="False">
<ServiceRef ref="tcp-TCP-SYN"/>
</Srv><Itf neg="False">
<ObjectRef ref="sysid0"/>
</Itf><When neg="False">
<IntervalRef ref="sysid2"/>
</When>
<PolicyRuleOptions>
<Option name="stateless">True</Option>
</PolicyRuleOptions>
</PolicyRule>
<PolicyRule action="Deny" direction="Both" disabled="True" id="id3B9AB902" log="True" position="6">
<Src neg="False">
<ObjectRef ref="sysid0"/>
</Src><Dst neg="False">
<ObjectRef ref="sysid0"/>
</Dst><Srv neg="True">
<ServiceRef ref="tcp-TCP-SYN"/>
</Srv><Itf neg="False">
<ObjectRef ref="sysid0"/>
</Itf><When neg="False">
<IntervalRef ref="sysid2"/>
</When>
<PolicyRuleOptions>
<Option name="stateless">True</Option>
</PolicyRuleOptions>
</PolicyRule>
<PolicyRule action="Accept" comment="hostF has the same IP address as firewal." direction="Both" disabled="False" id="id3AFC0F90" log="True" position="7">
<Src neg="False">
<ObjectRef ref="sysid0"/>
</Src><Dst neg="False">
<ObjectRef ref="id3AFC191C"/>
</Dst><Srv neg="False">
<ServiceRef ref="icmp-ping_request"/>
</Srv><Itf neg="False">
<ObjectRef ref="sysid0"/>
</Itf><When neg="False">
<IntervalRef ref="sysid2"/>
</When>
<PolicyRuleOptions/>
</PolicyRule>
<PolicyRule action="Deny" comment="testing negation in the policy rule" direction="Both" disabled="False" id="id3B021E10" log="True" position="8">
<Src neg="True">
<ObjectRef ref="host-hostA"/>
<ObjectRef ref="host-hostB"/>
</Src><Dst neg="False">
<ObjectRef ref="sysid0"/>
</Dst><Srv neg="False">
<ServiceRef ref="icmp-Unreachables"/>
</Srv><Itf neg="False">
<ObjectRef ref="sysid0"/>
</Itf><When neg="False">
<IntervalRef ref="sysid2"/>
</When>
<PolicyRuleOptions>
<Option name="action_on_reject"/>
<Option name="limit_suffix">/minute</Option>
<Option name="limit_value">10</Option>
<Option name="log_prefix"/>
<Option name="stateless">True</Option>
</PolicyRuleOptions>
</PolicyRule>
<PolicyRule action="Deny" comment="" direction="Both" disabled="False" id="id3B0B4A13" log="True" position="9">
<Src neg="True">
<ObjectRef ref="host-hostA"/>
<ObjectRef ref="host-hostB"/>
</Src><Dst neg="False">
<ObjectRef ref="id3AF5AA0A"/>
</Dst><Srv neg="False">
<ServiceRef ref="icmp-Unreachables"/>
</Srv><Itf neg="False">
<ObjectRef ref="sysid0"/>
</Itf><When neg="False">
<IntervalRef ref="sysid2"/>
</When>
<PolicyRuleOptions>
<Option name="stateless">True</Option>
</PolicyRuleOptions>
</PolicyRule>
<PolicyRule action="Deny" direction="Both" disabled="False" id="id3B5535B7" log="True" position="10">
<Src neg="True">
<ObjectRef ref="id3B022266"/>
<ObjectRef ref="id3AF5AA0A"/>
</Src><Dst neg="False">
<ObjectRef ref="net-Internal_net"/>
</Dst><Srv neg="False">
<ServiceRef ref="sysid1"/>
</Srv><Itf neg="False">
<ObjectRef ref="sysid0"/>
</Itf><When neg="False">
<IntervalRef ref="sysid2"/>
</When>
<PolicyRuleOptions>
<Option name="stateless">True</Option>
</PolicyRuleOptions>
</PolicyRule>
<PolicyRule action="Accept" direction="Both" disabled="False" id="id3FB82A69" log="False" position="11">
<Src neg="True">
<ObjectRef ref="id3B665641"/>
<ObjectRef ref="id3B665643"/>
</Src><Dst neg="False">
<ObjectRef ref="host-hostA"/>
</Dst><Srv neg="False">
<ServiceRef ref="tcp-HTTP"/>
</Srv><Itf neg="False">
<ObjectRef ref="sysid0"/>
</Itf><When neg="False">
<IntervalRef ref="sysid2"/>
</When>
<PolicyRuleOptions/>
</PolicyRule>
<PolicyRule action="Deny" direction="Both" disabled="False" id="id3B11F63D" log="True" position="12">
<Src neg="False">
<ObjectRef ref="net-Internal_net"/>
<ObjectRef ref="id3B022266"/>
</Src><Dst neg="True">
<ObjectRef ref="host-hostA"/>
<ObjectRef ref="host-hostB"/>
</Dst><Srv neg="False">
<ServiceRef ref="sysid1"/>
</Srv><Itf neg="False">
<ObjectRef ref="sysid0"/>
</Itf><When neg="False">
<IntervalRef ref="sysid2"/>
</When>
<PolicyRuleOptions>
<Option name="stateless">True</Option>
</PolicyRuleOptions>
</PolicyRule>
<PolicyRule action="Deny" comment="" direction="Both" disabled="False" id="id3CDDF0AA" log="False" position="13">
<Src neg="False">
<ObjectRef ref="sysid0"/>
</Src><Dst neg="True">
<ObjectRef ref="id3AF5AA0A"/>
</Dst><Srv neg="False">
<ServiceRef ref="sysid1"/>
</Srv><Itf neg="False">
<ObjectRef ref="sysid0"/>
</Itf><When neg="False">
<IntervalRef ref="sysid2"/>
</When>
<PolicyRuleOptions>
<Option name="stateless">True</Option>
</PolicyRuleOptions>
</PolicyRule>
<PolicyRule action="Deny" comment="testing negation in service field" direction="Both" disabled="True" id="id3B021E6F" log="True" position="14">
<Src neg="False">
<ObjectRef ref="sysid0"/>
</Src><Dst neg="False">
<ObjectRef ref="host-hostA"/>
<ObjectRef ref="host-hostB"/>
</Dst><Srv neg="True">
<ServiceRef ref="tcp-SMTP"/>
<ServiceRef ref="tcp-SSH"/>
</Srv><Itf neg="False">
<ObjectRef ref="sysid0"/>
</Itf><When neg="False">
<IntervalRef ref="sysid2"/>
</When>
<PolicyRuleOptions>
<Option name="stateless">True</Option>
</PolicyRuleOptions>
</PolicyRule>
<PolicyRule action="Accept" comment="testing negation in service field" direction="Both" disabled="True" id="id3CCA2CF4" log="True" position="15">
<Src neg="False">
<ObjectRef ref="sysid0"/>
</Src><Dst neg="False">
<ObjectRef ref="host-hostA"/>
<ObjectRef ref="host-hostB"/>
</Dst><Srv neg="True">
<ServiceRef ref="tcp-SMTP"/>
<ServiceRef ref="tcp-SSH"/>
</Srv><Itf neg="False">
<ObjectRef ref="sysid0"/>
</Itf><When neg="False">
<IntervalRef ref="sysid2"/>
</When>
<PolicyRuleOptions/>
</PolicyRule>
<PolicyRule action="Deny" direction="Both" disabled="False" id="id3B45739A" log="True" position="16">
<Src neg="False">
<ObjectRef ref="id3B4572B5"/>
</Src><Dst neg="True">
<ObjectRef ref="id3B4572B5"/>
</Dst><Srv neg="False">
<ServiceRef ref="id3B457567"/>
</Srv><Itf neg="False">
<ObjectRef ref="sysid0"/>
</Itf><When neg="False">
<IntervalRef ref="sysid2"/>
</When>
<PolicyRuleOptions>
<Option name="stateless">True</Option>
</PolicyRuleOptions>
</PolicyRule>
<PolicyRule action="Accept" comment="'masquerading' rule" direction="Both" disabled="False" id="id3AF5AAC8" log="False" position="17">
<Src neg="False">
<ObjectRef ref="net-Internal_net"/>
</Src><Dst neg="False">
<ObjectRef ref="sysid0"/>
</Dst><Srv neg="False">
<ServiceRef ref="sysid1"/>
</Srv><Itf neg="False">
<ObjectRef ref="sysid0"/>
</Itf><When neg="False">
<IntervalRef ref="sysid2"/>
</When>
<PolicyRuleOptions/>
</PolicyRule>
<PolicyRule action="Deny" comment="'catch all' rule" direction="Both" disabled="False" id="id3AF5AAE3" log="True" position="18">
<Src neg="False">
<ObjectRef ref="sysid0"/>
</Src><Dst neg="False">
<ObjectRef ref="sysid0"/>
</Dst><Srv neg="False">
<ServiceRef ref="sysid1"/>
</Srv><Itf neg="False">
<ObjectRef ref="sysid0"/>
</Itf><When neg="False">
<IntervalRef ref="sysid2"/>
</When>
<PolicyRuleOptions>
<Option name="stateless">True</Option>
</PolicyRuleOptions>
</PolicyRule>
</Policy>
<Routing id="id3AF5AA0A-routing" name="Routing">
</Routing>
<Interface bridgeport="False" dyn="False" id="id3AF5AA96" name="eth0" security_level="100" unnum="False">
<IPv4 address="192.168.1.1" id="id3AF5AA96-ipv4" name="address" netmask="255.255.255.0"/>
</Interface><Interface bridgeport="False" dyn="False" id="id3AF5AA99" name="eth1" security_level="0" unnum="False">
<IPv4 address="22.22.22.22" id="id3AF5AA99-ipv4" name="address" netmask="255.255.255.0"/>
</Interface><Interface bridgeport="False" dyn="False" id="id3B0B4BC8" name="eth2" security_level="100" unnum="False">
<IPv4 address="192.168.2.1" id="id3B0B4BC8-ipv4" name="address" netmask="255.255.255.0"/>
</Interface><Interface bridgeport="False" dyn="False" id="id3B0B4D35" name="lo" security_level="100" unnum="False">
<IPv4 address="127.0.0.1" id="id3B0B4D35-ipv4" name="address" netmask="255.0.0.0"/>
</Interface><Interface bridgeport="False" dyn="False" id="id3B11F434" name="eth3" security_level="0" unnum="False">
<IPv4 address="22.22.23.23" id="id3B11F434-ipv4" name="address" netmask="255.255.255.0"/>
</Interface>
<Management address="22.22.23.23">
<SNMPManagement enabled="False" snmp_read_community="public" snmp_write_community=""/>
<FWBDManagement enabled="True" identity="" port="9999"/>
<PolicyInstallScript arguments="" command="" enabled="False"/>
</Management>
<FirewallOptions>
<Option name="accept_established">True</Option>
<Option name="accept_new_tcp_with_no_syn">True</Option>
<Option name="action_on_reject">ICMP net unreachable</Option>
<Option name="check_shading">False</Option>
<Option name="clamp_mss_to_mtu">False</Option>
<Option name="cmdline"/>
<Option name="compiler"/>
<Option name="debug">False</Option>
<Option name="dyn_addr">False</Option>
<Option name="eliminate_duplicates">True</Option>
<Option name="firewall_dir">/etc</Option>
<Option name="firewall_is_part_of_any">True</Option>
<Option name="firewall_is_part_of_any_and_networks">True</Option>
<Option name="freebsd_ip_forward"/>
<Option name="freebsd_ip_redirect"/>
<Option name="freebsd_ip_sourceroute"/>
<Option name="freebsd_path_ipf"/>
<Option name="freebsd_path_ipfw">/Library/Application Support/PeerGuardian/ipfwFast</Option>
<Option name="freebsd_path_ipnat"/>
<Option name="freebsd_path_sysctl"/>
<Option name="ignore_empty_groups">False</Option>
<Option name="in_out_code">True</Option>
<Option name="inst_cmdline"/>
<Option name="inst_script"/>
<Option name="install_script"/>
<Option name="ipf_log_body">False</Option>
<Option name="ipf_log_facility"/>
<Option name="ipf_log_level"/>
<Option name="ipf_log_or_block">False</Option>
<Option name="ipf_nat_ftp_proxy">False</Option>
<Option name="ipf_nat_raudio_proxy">False</Option>
<Option name="ipf_nat_rcmd_proxy">False</Option>
<Option name="ipf_return_icmp_as_dest">False</Option>
<Option name="limit_suffix">/day</Option>
<Option name="limit_value">0</Option>
<Option name="linux24_ip_forward">0</Option>
<Option name="linux24_tcp_fin_timeout">30</Option>
<Option name="linux24_tcp_keepalive_interval">1800</Option>
<Option name="load_modules">False</Option>
<Option name="log_all_dropped">False</Option>
<Option name="log_ip_opt">False</Option>
<Option name="log_level">debug</Option>
<Option name="log_limit_suffix">/second</Option>
<Option name="log_limit_value">0</Option>
<Option name="log_prefix"/>
<Option name="log_tcp_opt">False</Option>
<Option name="log_tcp_seq">False</Option>
<Option name="manage_virtual_addr">True</Option>
<Option name="modulate_state">False</Option>
<Option name="no_iochains_for_any">False</Option>
<Option name="no_optimisation">False</Option>
<Option name="pass_all_out">False</Option>
<Option name="platform">iptables</Option>
<Option name="proxy_arp">False</Option>
<Option name="script_env_path"/>
<Option name="snmp_contact"/>
<Option name="snmp_description"/>
<Option name="snmp_location"/>
<Option name="use_ip_tool">False</Option>
<Option name="use_numeric_log_levels">False</Option>
</FirewallOptions>
</Firewall>
<Firewall comment="this object has several interfaces and shows different rules for NAT. Also testing policy rule options " host_OS="freebsd" id="id3AFB66C6" lastCompiled="0" lastInstalled="0" lastModified="1178589993" name="firewall2" platform="ipfw">
<NAT id="id3AFB66C7" name="NAT">
<NATRule disabled="False" id="id3AFB66C8" position="0">
<OSrc neg="False">
<ObjectRef ref="net-Internal_net"/>
</OSrc>
<ODst neg="False">
<ObjectRef ref="sysid0"/>
</ODst>
<OSrv neg="False">
<ServiceRef ref="sysid1"/>
</OSrv>
<TSrc neg="False">
<ObjectRef ref="id3AFB66C6"/>
</TSrc>
<TDst neg="False">
<ObjectRef ref="sysid0"/>
</TDst>
<TSrv neg="False">
<ServiceRef ref="sysid1"/>
</TSrv>
<NATRuleOptions>
<Option name="id"/>
</NATRuleOptions>
</NATRule><NATRule disabled="False" id="id3AFB66D6" position="1">
<OSrc neg="False">
<ObjectRef ref="host-hostA"/>
<ObjectRef ref="id3B4572AF"/>
</OSrc>
<ODst neg="False">
<ObjectRef ref="sysid0"/>
</ODst>
<OSrv neg="False">
<ServiceRef ref="sysid1"/>
</OSrv>
<TSrc neg="False">
<ObjectRef ref="id3AFADBF9"/>
</TSrc>
<TDst neg="False">
<ObjectRef ref="sysid0"/>
</TDst>
<TSrv neg="False">
<ServiceRef ref="sysid1"/>
</TSrv>
<NATRuleOptions>
<Option name="id"/>
</NATRuleOptions>
</NATRule><NATRule disabled="False" id="id3DE9CA86" position="2">
<OSrc neg="False">
<ObjectRef ref="net-Internal_net"/>
</OSrc>
<ODst neg="False">
<ObjectRef ref="sysid0"/>
</ODst>
<OSrv neg="False">
<ServiceRef ref="tcp-SSH"/>
<ServiceRef ref="tcp-FTP"/>
</OSrv>
<TSrc neg="False">
<ObjectRef ref="id3AFB66C6"/>
</TSrc>
<TDst neg="False">
<ObjectRef ref="sysid0"/>
</TDst>
<TSrv neg="False">
<ServiceRef ref="sysid1"/>
</TSrv>
<NATRuleOptions/>
</NATRule><NATRule comment="" disabled="False" id="id3DE9CD88" position="3">
<OSrc neg="False">
<ObjectRef ref="net-Internal_net"/>
</OSrc>
<ODst neg="False">
<ObjectRef ref="sysid0"/>
</ODst>
<OSrv neg="False">
<ServiceRef ref="tcp-SSH"/>
</OSrv>
<TSrc neg="False">
<ObjectRef ref="id3AFB6706"/>
</TSrc>
<TDst neg="False">
<ObjectRef ref="sysid0"/>
</TDst>
<TSrv neg="False">
<ServiceRef ref="tcp-SSH"/>
</TSrv>
<NATRuleOptions/>
</NATRule><NATRule comment="" disabled="False" id="id3DEA6375" position="4">
<OSrc neg="False">
<ObjectRef ref="net-Internal_net"/>
</OSrc>
<ODst neg="False">
<ObjectRef ref="sysid0"/>
</ODst>
<OSrv neg="False">
<ServiceRef ref="id3DEA6281"/>
</OSrv>
<TSrc neg="False">
<ObjectRef ref="id3AFB6706"/>
</TSrc>
<TDst neg="False">
<ObjectRef ref="sysid0"/>
</TDst>
<TSrv neg="False">
<ServiceRef ref="sysid1"/>
</TSrv>
<NATRuleOptions/>
</NATRule><NATRule disabled="False" id="id3CABE6DF" position="5">
<OSrc neg="False">
<ObjectRef ref="net-Internal_net"/>
</OSrc>
<ODst neg="False">
<ObjectRef ref="host-hostA"/>
<ObjectRef ref="id3B4572AF"/>
</ODst>
<OSrv neg="False">
<ServiceRef ref="sysid1"/>
</OSrv>
<TSrc neg="False">
<ObjectRef ref="id3AFC191C"/>
</TSrc>
<TDst neg="False">
<ObjectRef ref="sysid0"/>
</TDst>
<TSrv neg="False">
<ServiceRef ref="sysid1"/>
</TSrv>
<NATRuleOptions/>
</NATRule><NATRule disabled="False" id="id3AFB69BD" position="6">
<OSrc neg="False">
<ObjectRef ref="sysid0"/>
</OSrc>
<ODst neg="False">
<ObjectRef ref="id3AFADBF9"/>
</ODst>
<OSrv neg="False">
<ServiceRef ref="tcp-HTTP"/>
<ServiceRef ref="tcp-NNTP"/>
</OSrv>
<TSrc neg="False">
<ObjectRef ref="sysid0"/>
</TSrc>
<TDst neg="False">
<ObjectRef ref="host-hostA"/>
</TDst>
<TSrv neg="False">
<ServiceRef ref="sysid1"/>
</TSrv>
<NATRuleOptions/>
</NATRule><NATRule comment="load balancing rule" disabled="False" id="id3DEA6769" position="7">
<OSrc neg="False">
<ObjectRef ref="sysid0"/>
</OSrc>
<ODst neg="False">
<ObjectRef ref="id3AFADBF9"/>
</ODst>
<OSrv neg="False">
<ServiceRef ref="tcp-HTTP"/>
</OSrv>
<TSrc neg="False">
<ObjectRef ref="sysid0"/>
</TSrc>
<TDst neg="False">
<ObjectRef ref="host-hostA"/>
<ObjectRef ref="host-hostB"/>
<ObjectRef ref="id3D58227A"/>
</TDst>
<TSrv neg="False">
<ServiceRef ref="sysid1"/>
</TSrv>
<NATRuleOptions/>
</NATRule><NATRule comment="load balancing rule" disabled="False" id="id3DEA8105" position="8">
<OSrc neg="False">
<ObjectRef ref="sysid0"/>
</OSrc>
<ODst neg="False">
<ObjectRef ref="id3AFADBF9"/>
</ODst>
<OSrv neg="False">
<ServiceRef ref="tcp-HTTP"/>
</OSrv>
<TSrc neg="False">
<ObjectRef ref="sysid0"/>
</TSrc>
<TDst neg="False">
<ObjectRef ref="id3DEA7FEE"/>
</TDst>
<TSrv neg="False">
<ServiceRef ref="sysid1"/>
</TSrv>
<NATRuleOptions/>
</NATRule><NATRule disabled="False" id="id3D265545" position="9">
<OSrc neg="False">
<ObjectRef ref="net-Internal_net"/>
</OSrc>
<ODst neg="False">
<ObjectRef ref="id3D265477"/>
</ODst>
<OSrv neg="False">
<ServiceRef ref="sysid1"/>
</OSrv>
<TSrc neg="False">
<ObjectRef ref="id3D265845"/>
</TSrc>
<TDst neg="False">
<ObjectRef ref="sysid0"/>
</TDst>
<TSrv neg="False">
<ServiceRef ref="sysid1"/>
</TSrv>
<NATRuleOptions/>
</NATRule><NATRule disabled="False" id="id3D265556" position="10">
<OSrc neg="False">
<ObjectRef ref="sysid0"/>
</OSrc>
<ODst neg="False">
<ObjectRef ref="id3D26547B"/>
</ODst>
<OSrv neg="False">
<ServiceRef ref="tcp-HTTP"/>
</OSrv>
<TSrc neg="False">
<ObjectRef ref="sysid0"/>
</TSrc>
<TDst neg="False">
<ObjectRef ref="id3D265477"/>
</TDst>
<TSrv neg="False">
<ServiceRef ref="sysid1"/>
</TSrv>
<NATRuleOptions/>
</NATRule><NATRule disabled="False" id="id3BEEF6D2" position="11">
<OSrc neg="False">
<ObjectRef ref="sysid0"/>
</OSrc>
<ODst neg="False">
<ObjectRef ref="id3AFC0F70"/>
</ODst>
<OSrv neg="False">
<ServiceRef ref="tcp-NNTP"/>
</OSrv>
<TSrc neg="False">
<ObjectRef ref="sysid0"/>
</TSrc>
<TDst neg="False">
<ObjectRef ref="host-hostA"/>
</TDst>
<TSrv neg="False">
<ServiceRef ref="sysid1"/>
</TSrv>
<NATRuleOptions/>
</NATRule><NATRule disabled="False" id="id3BD67563" position="12">
<OSrc neg="False">
<ObjectRef ref="host-hostB"/>
</OSrc>
<ODst neg="False">
<ObjectRef ref="sysid0"/>
</ODst>
<OSrv neg="False">
<ServiceRef ref="sysid1"/>
</OSrv>
<TSrc neg="False">
<ObjectRef ref="id3BD6736B"/>
</TSrc>
<TDst neg="False">
<ObjectRef ref="sysid0"/>
</TDst>
<TSrv neg="False">
<ServiceRef ref="sysid1"/>
</TSrv>
<NATRuleOptions>
<Option name="id"/>
</NATRuleOptions>
</NATRule><NATRule disabled="True" id="id3BD6757E" position="13">
<OSrc neg="False">
<ObjectRef ref="sysid0"/>
</OSrc>
<ODst neg="False">
<ObjectRef ref="id3BD6736B"/>
</ODst>
<OSrv neg="False">
<ServiceRef ref="sysid1"/>
</OSrv>
<TSrc neg="False">
<ObjectRef ref="sysid0"/>
</TSrc>
<TDst neg="False">
<ObjectRef ref="host-hostB"/>
</TDst>
<TSrv neg="False">
<ServiceRef ref="sysid1"/>
</TSrv>
<NATRuleOptions/>
</NATRule><NATRule comment="NETMAP " disabled="False" id="id3B66568B" position="14">
<OSrc neg="False">
<ObjectRef ref="net-Internal_net"/>
</OSrc>
<ODst neg="False">
<ObjectRef ref="sysid0"/>
</ODst>
<OSrv neg="False">
<ServiceRef ref="sysid1"/>
</OSrv>
<TSrc neg="False">
<ObjectRef ref="id3B665641"/>
</TSrc>
<TDst neg="False">
<ObjectRef ref="sysid0"/>
</TDst>
<TSrv neg="False">
<ServiceRef ref="sysid1"/>
</TSrv>
<NATRuleOptions/>
</NATRule><NATRule comment="NETMAP" disabled="True" id="id3B6656EF" position="15">
<OSrc neg="False">
<ObjectRef ref="sysid0"/>
</OSrc>
<ODst neg="False">
<ObjectRef ref="id3B665641"/>
</ODst>
<OSrv neg="False">
<ServiceRef ref="sysid1"/>
</OSrv>
<TSrc neg="False">
<ObjectRef ref="sysid0"/>
</TSrc>
<TDst neg="False">
<ObjectRef ref="net-Internal_net"/>
</TDst>
<TSrv neg="False">
<ServiceRef ref="sysid1"/>
</TSrv>
<NATRuleOptions/>
</NATRule><NATRule disabled="False" id="id3AFB69F7" position="16">
<OSrc neg="False">
<ObjectRef ref="sysid0"/>
</OSrc>
<ODst neg="False">
<ObjectRef ref="id3AFB66C6"/>
</ODst>
<OSrv neg="False">
<ServiceRef ref="id3B20468D"/>
</OSrv>
<TSrc neg="False">
<ObjectRef ref="sysid0"/>
</TSrc>
<TDst neg="False">
<ObjectRef ref="host-hostA"/>
</TDst>
<TSrv neg="False">
<ServiceRef ref="id3B20468D"/>
</TSrv>
<NATRuleOptions/>
</NATRule><NATRule disabled="False" id="id3B7313C4" position="17">
<OSrc neg="False">
<ObjectRef ref="sysid0"/>
</OSrc>
<ODst neg="False">
<ObjectRef ref="id3AFADBF9"/>
</ODst>
<OSrv neg="False">
<ServiceRef ref="tcp-HTTP"/>
</OSrv>
<TSrc neg="False">
<ObjectRef ref="sysid0"/>
</TSrc>
<TDst neg="False">
<ObjectRef ref="host-hostA"/>
</TDst>
<TSrv neg="False">
<ServiceRef ref="tcp-SMTP"/>
</TSrv>
<NATRuleOptions/>
</NATRule><NATRule disabled="False" id="id3DF6D103" position="18">
<OSrc neg="False">
<ObjectRef ref="net-Internal_net"/>
</OSrc>
<ODst neg="False">
<ObjectRef ref="id3B022266"/>
</ODst>
<OSrv neg="False">
<ServiceRef ref="tcp-FTP"/>
</OSrv>
<TSrc neg="False">
<ObjectRef ref="sysid0"/>
</TSrc>
<TDst neg="False">
<ObjectRef ref="sysid0"/>
</TDst>
<TSrv neg="False">
<ServiceRef ref="sysid1"/>
</TSrv>
<NATRuleOptions/>
</NATRule><NATRule comment="" disabled="False" id="id3DF6D242" position="19">
<OSrc neg="False">
<ObjectRef ref="net-Internal_net"/>
</OSrc>
<ODst neg="False">
<ObjectRef ref="id3B022266"/>
</ODst>
<OSrv neg="False">
<ServiceRef ref="tcp-FTP"/>
<ServiceRef ref="id3AEDBEAC"/>
</OSrv>
<TSrc neg="False">
<ObjectRef ref="sysid0"/>
</TSrc>
<TDst neg="False">
<ObjectRef ref="sysid0"/>
</TDst>
<TSrv neg="False">
<ServiceRef ref="sysid1"/>
</TSrv>
<NATRuleOptions/>
</NATRule></NAT>
<Policy id="id3AFB66E4" name="Policy">
<PolicyRule action="Accept" direction="Inbound" disabled="False" id="id41D4F848" log="False" position="0">
<Src neg="False">
<ObjectRef ref="sysid0"/>
</Src><Dst neg="False">
<ObjectRef ref="sysid0"/>
</Dst><Srv neg="False">
<ServiceRef ref="stdid14_1"/>
</Srv><Itf neg="False">
<ObjectRef ref="id3AFB6706"/>
</Itf><When neg="False">
<IntervalRef ref="sysid2"/>
</When>
<PolicyRuleOptions/>
</PolicyRule>
<PolicyRule action="Accept" comment="" direction="Inbound" disabled="False" id="id463FF6C410755" log="False" position="1">
<Src neg="False">
<ObjectRef ref="sysid0"/>
</Src><Dst neg="False">
<ObjectRef ref="sysid0"/>
</Dst><Srv neg="False">
<ServiceRef ref="id463FF6C310755"/>
</Srv><Itf neg="False">
<ObjectRef ref="id3AFB6706"/>
</Itf><When neg="False">
<IntervalRef ref="sysid2"/>
</When>
<PolicyRuleOptions>
<Option name="stateless">True</Option>
</PolicyRuleOptions>
</PolicyRule>
<PolicyRule action="Accept" comment="" direction="Inbound" disabled="False" id="id4640031510755" log="False" position="2">
<Src neg="False">
<ObjectRef ref="sysid0"/>
</Src><Dst neg="False">
<ObjectRef ref="sysid0"/>
</Dst><Srv neg="False">
<ServiceRef ref="id4640031410755"/>
</Srv><Itf neg="False">
<ObjectRef ref="id3AFB6706"/>
</Itf><When neg="False">
<IntervalRef ref="sysid2"/>
</When>
<PolicyRuleOptions>
<Option name="stateless">True</Option>
</PolicyRuleOptions>
</PolicyRule>
<PolicyRule action="Deny" comment="Anti-spoofing rule" direction="Inbound" disabled="False" id="id3AFB6708" log="True" position="3">
<Src neg="False">
<ObjectRef ref="net-Internal_net"/>
<ObjectRef ref="id3AFB66C6"/>
</Src><Dst neg="False">
<ObjectRef ref="sysid0"/>
</Dst><Srv neg="False">
<ServiceRef ref="sysid1"/>
</Srv><Itf neg="False">
<ObjectRef ref="id3AFB6706"/>
</Itf>
<PolicyRuleOptions>
<Option name="action_on_reject"/>
<Option name="limit_suffix"/>
<Option name="limit_value">0</Option>
<Option name="log_prefix">Iface: %I RULE %N -- %A **</Option>
<Option name="stateless">True</Option>
</PolicyRuleOptions>
</PolicyRule>
<PolicyRule action="Deny" comment="Anti-spoofing rule" direction="Outbound" disabled="False" id="id3AFB6710" log="True" position="4">
<Src neg="True">
<ObjectRef ref="net-Internal_net"/>
<ObjectRef ref="id3AFB66C6"/>
</Src><Dst neg="False">
<ObjectRef ref="sysid0"/>
</Dst><Srv neg="False">
<ServiceRef ref="sysid1"/>
</Srv><Itf neg="False">
<ObjectRef ref="id3AFB6706"/>
</Itf>
<PolicyRuleOptions>
<Option name="action_on_reject"/>
<Option name="limit_suffix"/>
<Option name="limit_value">0</Option>
<Option name="log_prefix">Iface: %I RULE %N -- %A **</Option>
<Option name="stateless">True</Option>
</PolicyRuleOptions>
</PolicyRule>
<PolicyRule action="Deny" comment="block fragments" direction="Both" disabled="False" id="id3AFB66E5" log="True" position="5">
<Src neg="False">
<ObjectRef ref="sysid0"/>
</Src><Dst neg="False">
<ObjectRef ref="sysid0"/>
</Dst><Srv neg="False">
<ServiceRef ref="ip-IP_Fragments"/>
</Srv><Itf neg="False">
<ObjectRef ref="sysid0"/>
</Itf><When neg="False">
<IntervalRef ref="sysid2"/>
</When>
<PolicyRuleOptions>
<Option name="id"/>
<Option name="stateless">True</Option>
</PolicyRuleOptions>
</PolicyRule>
<PolicyRule action="Reject" comment="sends TCP RST and makes custom record in the log" direction="Both" disabled="False" id="id3B0C6FD2" log="True" position="6">
<Src neg="False">
<ObjectRef ref="sysid0"/>
</Src><Dst neg="False">
<ObjectRef ref="sysid0"/>
</Dst><Srv neg="False">
<ServiceRef ref="tcp-Auth"/>
</Srv><Itf neg="False">
<ObjectRef ref="sysid0"/>
</Itf><When neg="False">
<IntervalRef ref="sysid2"/>
</When>
<PolicyRuleOptions>
<Option name="action_on_reject">TCP RST</Option>
<Option name="ipf_keep_frags">False</Option>
<Option name="ipf_return_icmp_as_dest">False</Option>
<Option name="limit_suffix"/>
<Option name="limit_value">0</Option>
<Option name="log_prefix">IDENT</Option>
<Option name="stateless">True</Option>
</PolicyRuleOptions>
</PolicyRule>
<PolicyRule action="Reject" comment="sends TCP RST and makes custom record in the log" direction="Both" disabled="False" id="id3D333A66" log="True" position="7">
<Src neg="False">
<ObjectRef ref="sysid0"/>
</Src><Dst neg="False">
<ObjectRef ref="sysid0"/>
</Dst><Srv neg="False">
<ServiceRef ref="udp-SNMP"/>
</Srv><Itf neg="False">
<ObjectRef ref="sysid0"/>
</Itf><When neg="False">
<IntervalRef ref="sysid2"/>
</When>
<PolicyRuleOptions>
<Option name="action_on_reject"/>
<Option name="ipf_keep_frags">False</Option>
<Option name="ipf_return_icmp_as_dest">False</Option>
<Option name="limit_suffix"/>
<Option name="limit_value">0</Option>
<Option name="log_prefix">IDENT</Option>
<Option name="stateless">True</Option>
</PolicyRuleOptions>
</PolicyRule>
<PolicyRule action="Accept" direction="Both" disabled="False" id="id3D8FF63F" log="False" position="8">
<Src neg="False">
<ObjectRef ref="id3B4572AF"/>
<ObjectRef ref="id3D8FF5EC"/>
</Src><Dst neg="False">
<ObjectRef ref="id3B19C5EB"/>
</Dst><Srv neg="False">
<ServiceRef ref="sysid1"/>
</Srv><Itf neg="False">
<ObjectRef ref="sysid0"/>
</Itf><When neg="False">
<IntervalRef ref="sysid2"/>
</When>
<PolicyRuleOptions/>
</PolicyRule>
<PolicyRule action="Accept" comment="" direction="Both" disabled="False" id="id3D8FF660" log="False" position="9">
<Src neg="False">
<ObjectRef ref="id3B19C5EB"/>
</Src><Dst neg="False">
<ObjectRef ref="id3B4572AF"/>
<ObjectRef ref="id3D8FF5EC"/>
</Dst><Srv neg="False">
<ServiceRef ref="sysid1"/>
</Srv><Itf neg="False">
<ObjectRef ref="sysid0"/>
</Itf><When neg="False">
<IntervalRef ref="sysid2"/>
</When>
<PolicyRuleOptions/>
</PolicyRule>
<PolicyRule action="Accept" comment="'masquerading' rule" direction="Both" disabled="False" id="id3AFB66EF" log="False" position="10">
<Src neg="False">
<ObjectRef ref="net-Internal_net"/>
</Src><Dst neg="False">
<ObjectRef ref="sysid0"/>
</Dst><Srv neg="False">
<ServiceRef ref="sysid1"/>
</Srv><Itf neg="False">
<ObjectRef ref="sysid0"/>
</Itf><When neg="False">
<IntervalRef ref="sysid2"/>
</When>
<PolicyRuleOptions>
<Option name="id"/>
</PolicyRuleOptions>
</PolicyRule>
<PolicyRule action="Accept" comment="host-fw2 has the same address as &#10; one of the firewall's interfaces" direction="Both" disabled="False" id="id3C447B8D" log="True" position="11">
<Src neg="False">
<ObjectRef ref="sysid0"/>
</Src><Dst neg="False">
<ObjectRef ref="id3AFC0F70"/>
</Dst><Srv neg="False">
<ServiceRef ref="tcp-FTP"/>
</Srv><Itf neg="False">
<ObjectRef ref="sysid0"/>
</Itf><When neg="False">
<IntervalRef ref="sysid2"/>
</When>
<PolicyRuleOptions/>
</PolicyRule>
<PolicyRule action="Accept" direction="Both" disabled="False" id="id3C447BCB" log="True" position="12">
<Src neg="False">
<ObjectRef ref="sysid0"/>
</Src><Dst neg="False">
<ObjectRef ref="id3AFB66C6"/>
</Dst><Srv neg="False">
<ServiceRef ref="tcp-FTP"/>
</Srv><Itf neg="False">
<ObjectRef ref="sysid0"/>
</Itf><When neg="False">
<IntervalRef ref="sysid2"/>
</When>
<PolicyRuleOptions/>
</PolicyRule>
<PolicyRule action="Deny" comment="'catch all' rule" direction="Both" disabled="False" id="id3AFB66F9" log="True" position="13">
<Src neg="False">
<ObjectRef ref="sysid0"/>
</Src><Dst neg="False">
<ObjectRef ref="sysid0"/>
</Dst><Srv neg="False">
<ServiceRef ref="sysid1"/>
</Srv><Itf neg="False">
<ObjectRef ref="sysid0"/>
</Itf><When neg="False">
<IntervalRef ref="sysid2"/>
</When>
<PolicyRuleOptions>
<Option name="id"/>
<Option name="stateless">True</Option>
</PolicyRuleOptions>
</PolicyRule>
</Policy>
<Routing id="id3AFB66C6-routing" name="Routing">
</Routing>
<Interface bridgeport="False" dyn="False" id="id3AFB6703" name="eth0" security_level="100" unnum="False">
<IPv4 address="192.168.1.1" id="id3AFB6703-ipv4" name="address" netmask="255.255.255.0"/>
</Interface><Interface bridgeport="False" dyn="False" id="id3AFB6706" name="eth1" security_level="0" unnum="False">
<IPv4 address="22.22.22.22" id="id3AFB6706-ipv4" name="address" netmask="255.255.255.0"/>
</Interface><Interface bridgeport="False" dyn="False" id="id3AFB68D2" name="eth3" security_level="0" unnum="False">
<IPv4 address="22.22.23.23" id="id3AFB68D2-ipv4" name="address" netmask="255.255.255.0"/>
</Interface><Interface bridgeport="False" dyn="False" id="id3B0221F1" name="eth2" security_level="100" unnum="False">
<IPv4 address="192.168.2.1" id="id3B0221F1-ipv4" name="address" netmask="255.255.255.0"/>
</Interface><Interface bridgeport="False" dyn="False" id="id3CD2449F" label="" name="lo" security_level="100" unnum="False">
<IPv4 address="127.0.0.1" id="id3CD2449F-ipv4" name="address" netmask="255.0.0.0"/>
</Interface>
<Management address="127.0.0.1">
<SNMPManagement enabled="False" snmp_read_community="public" snmp_write_community=""/>
<FWBDManagement enabled="True" identity="" port="9999"/>
<PolicyInstallScript arguments="" command="" enabled="False"/>
</Management>
<FirewallOptions>
<Option name="accept_established">True</Option>
<Option name="accept_new_tcp_with_no_syn">True</Option>
<Option name="action_on_reject">ICMP net unreachable</Option>
<Option name="check_shading">False</Option>
<Option name="clamp_mss_to_mtu">False</Option>
<Option name="cmdline"/>
<Option name="compiler"/>
<Option name="debug">False</Option>
<Option name="dyn_addr">False</Option>
<Option name="eliminate_duplicates">True</Option>
<Option name="firewall_dir">/etc</Option>
<Option name="firewall_is_part_of_any">True</Option>
<Option name="firewall_is_part_of_any_and_networks">True</Option>
<Option name="freebsd_path_ipf"/>
<Option name="freebsd_path_ipnat"/>
<Option name="freebsd_path_sysctl"/>
<Option name="id"/>
<Option name="ignore_empty_groups">False</Option>
<Option name="in_out_code">True</Option>
<Option name="inst_cmdline"/>
<Option name="inst_script"/>
<Option name="install_script"/>
<Option name="ipf_log_body">False</Option>
<Option name="ipf_log_facility"/>
<Option name="ipf_log_level"/>
<Option name="ipf_log_or_block">False</Option>
<Option name="ipf_nat_ftp_proxy">True</Option>
<Option name="ipf_nat_h323_proxy">True</Option>
<Option name="ipf_nat_ipsec_proxy">True</Option>
<Option name="ipf_nat_raudio_proxy">True</Option>
<Option name="ipf_nat_rcmd_proxy">True</Option>
<Option name="ipf_return_icmp_as_dest">True</Option>
<Option name="limit_suffix">/second</Option>
<Option name="limit_value">0</Option>
<Option name="linux24_accept_redirects">0</Option>
<Option name="linux24_accept_source_route">0</Option>
<Option name="linux24_icmp_echo_ignore_all">1</Option>
<Option name="linux24_icmp_ignore_bogus_error_responses">1</Option>
<Option name="linux24_ip_forward">1</Option>
<Option name="linux24_log_martians">1</Option>
<Option name="linux24_rp_filter">1</Option>
<Option name="linux24_tcp_fin_timeout">30</Option>
<Option name="linux24_tcp_keepalive_interval">1800</Option>
<Option name="load_modules">False</Option>
<Option name="log_all_dropped">True</Option>
<Option name="log_ip_opt">False</Option>
<Option name="log_level">debug</Option>
<Option name="log_limit_suffix">/second</Option>
<Option name="log_limit_value">0</Option>
<Option name="log_prefix">RULE %N - %A **</Option>
<Option name="log_tcp_opt">False</Option>
<Option name="log_tcp_seq">False</Option>
<Option name="manage_virtual_addr">True</Option>
<Option name="modulate_state">False</Option>
<Option name="no_iochains_for_any">False</Option>
<Option name="no_optimisation">False</Option>
<Option name="pass_all_out">False</Option>
<Option name="pf_return_icmp_as_dest">True</Option>
<Option name="platform">iptables</Option>
<Option name="proxy_arp">True</Option>
<Option name="script_env_path"/>
<Option name="snmp_contact"/>
<Option name="snmp_description"/>
<Option name="snmp_location"/>
<Option name="use_ip_tool">True</Option>
<Option name="use_numeric_log_levels">False</Option>
</FirewallOptions>
</Firewall>
<Firewall comment="this object is used to test a configuration where firewall has dynamic address " host_OS="freebsd" id="id3B0C6380" lastCompiled="0" lastInstalled="0" lastModified="0" name="firewall4" platform="ipfw">
<NAT id="id3B0C6381" name="NAT">
<NATRule disabled="False" id="id3B0C6382" position="0">
<OSrc neg="False">
<ObjectRef ref="host-hostA"/>
</OSrc>
<ODst neg="False">
<ObjectRef ref="sysid0"/>
</ODst>
<OSrv neg="False">
<ServiceRef ref="sysid1"/>
</OSrv>
<TSrc neg="False">
<ObjectRef ref="id3B0C6380"/>
</TSrc>
<TDst neg="False">
<ObjectRef ref="sysid0"/>
</TDst>
<TSrv neg="False">
<ServiceRef ref="sysid1"/>
</TSrv>
<NATRuleOptions>
<Option name="id"/>
</NATRuleOptions>
</NATRule><NATRule comment="" disabled="False" id="id3D758531" position="1">
<OSrc neg="False">
<ObjectRef ref="host-hostA"/>
</OSrc>
<ODst neg="False">
<ObjectRef ref="sysid0"/>
</ODst>
<OSrv neg="False">
<ServiceRef ref="sysid1"/>
</OSrv>
<TSrc neg="False">
<ObjectRef ref="id3CD88A77"/>
</TSrc>
<TDst neg="False">
<ObjectRef ref="sysid0"/>
</TDst>
<TSrv neg="False">
<ServiceRef ref="sysid1"/>
</TSrv>
<NATRuleOptions>
<Option name="id"/>
</NATRuleOptions>
</NATRule><NATRule comment="" disabled="False" id="id3D75869D" position="2">
<OSrc neg="False">
<ObjectRef ref="host-hostA"/>
</OSrc>
<ODst neg="False">
<ObjectRef ref="sysid0"/>
</ODst>
<OSrv neg="False">
<ServiceRef ref="sysid1"/>
</OSrv>
<TSrc neg="False">
<ObjectRef ref="id3CD88A77-ipv4"/>
</TSrc>
<TDst neg="False">
<ObjectRef ref="sysid0"/>
</TDst>
<TSrv neg="False">
<ServiceRef ref="sysid1"/>
</TSrv>
<NATRuleOptions>
<Option name="id"/>
</NATRuleOptions>
</NATRule><NATRule comment="" disabled="False" id="id3D7586D1" position="3">
<OSrc neg="False">
<ObjectRef ref="host-hostA"/>
</OSrc>
<ODst neg="False">
<ObjectRef ref="sysid0"/>
</ODst>
<OSrv neg="False">
<ServiceRef ref="sysid1"/>
</OSrv>
<TSrc neg="False">
<ObjectRef ref="id3B0C63E1"/>
</TSrc>
<TDst neg="False">
<ObjectRef ref="sysid0"/>
</TDst>
<TSrv neg="False">
<ServiceRef ref="sysid1"/>
</TSrv>
<NATRuleOptions>
<Option name="id"/>
</NATRuleOptions>
</NATRule><NATRule comment="negation in NAT is not supported&#10;in ipf yet" disabled="True" id="id3B0C6390" position="4">
<OSrc neg="False">
<ObjectRef ref="net-Internal_net"/>
</OSrc>
<ODst neg="True">
<ObjectRef ref="id3B022266"/>
</ODst>
<OSrv neg="False">
<ServiceRef ref="sysid1"/>
</OSrv>
<TSrc neg="False">
<ObjectRef ref="id3B0C6380"/>
</TSrc>
<TDst neg="False">
<ObjectRef ref="sysid0"/>
</TDst>
<TSrv neg="False">
<ServiceRef ref="sysid1"/>
</TSrv>
<NATRuleOptions>
<Option name="id"/>
</NATRuleOptions>
</NATRule><NATRule disabled="False" id="id3B202AFF" position="5">
<OSrc neg="False">
<ObjectRef ref="sysid0"/>
</OSrc>
<ODst neg="False">
<ObjectRef ref="id3B0C6380"/>
</ODst>
<OSrv neg="False">
<ServiceRef ref="tcp-SSH"/>
</OSrv>
<TSrc neg="False">
<ObjectRef ref="sysid0"/>
</TSrc>
<TDst neg="False">
<ObjectRef ref="host-hostA"/>
</TDst>
<TSrv neg="False">
<ServiceRef ref="tcp-SSH"/>
</TSrv>
<NATRuleOptions/>
</NATRule><NATRule comment="" disabled="False" id="id3D757CC5" position="6">
<OSrc neg="False">
<ObjectRef ref="net-Internal_net"/>
</OSrc>
<ODst neg="False">
<ObjectRef ref="sysid0"/>
</ODst>
<OSrv neg="False">
<ServiceRef ref="tcp-HTTP"/>
<ServiceRef ref="id3B4FED69"/>
</OSrv>
<TSrc neg="False">
<ObjectRef ref="sysid0"/>
</TSrc>
<TDst neg="False">
<ObjectRef ref="id3B0C63F3-ipv4"/>
</TDst>
<TSrv neg="False">
<ServiceRef ref="id3B4FF09A"/>
</TSrv>
<NATRuleOptions/>
</NATRule><NATRule comment="" disabled="False" id="id3D757E01" position="7">
<OSrc neg="False">
<ObjectRef ref="net-Internal_net"/>
</OSrc>
<ODst neg="False">
<ObjectRef ref="sysid0"/>
</ODst>
<OSrv neg="False">
<ServiceRef ref="tcp-HTTP"/>
<ServiceRef ref="id3B4FED69"/>
</OSrv>
<TSrc neg="False">
<ObjectRef ref="sysid0"/>
</TSrc>
<TDst neg="False">
<ObjectRef ref="id3B0C63F3"/>
</TDst>
<TSrv neg="False">
<ServiceRef ref="id3B4FF09A"/>
</TSrv>
<NATRuleOptions/>
</NATRule><NATRule comment="" disabled="False" id="id3D757F29" position="8">
<OSrc neg="False">
<ObjectRef ref="net-Internal_net"/>
</OSrc>
<ODst neg="False">
<ObjectRef ref="sysid0"/>
</ODst>
<OSrv neg="False">
<ServiceRef ref="tcp-HTTP"/>
<ServiceRef ref="id3B4FED69"/>
</OSrv>
<TSrc neg="False">
<ObjectRef ref="sysid0"/>
</TSrc>
<TDst neg="False">
<ObjectRef ref="id3B0C6380"/>
</TDst>
<TSrv neg="False">
<ServiceRef ref="id3B4FF09A"/>
</TSrv>
<NATRuleOptions/>
</NATRule></NAT>
<Policy id="id3B0C639E" name="Policy">
<PolicyRule action="Deny" comment="Anti-spoofing rule" direction="Inbound" disabled="False" id="id3B0C63E3" log="True" position="13">
<Src neg="False">
<ObjectRef ref="net-Internal_net"/>
<ObjectRef ref="id3B0C6380"/>
</Src><Dst neg="False">
<ObjectRef ref="sysid0"/>
</Dst><Srv neg="False">
<ServiceRef ref="sysid1"/>
</Srv><Itf neg="False">
<ObjectRef ref="id3B0C63E1"/>
</Itf>
<PolicyRuleOptions>
<Option name="stateless">True</Option>
</PolicyRuleOptions>
</PolicyRule>
<PolicyRule action="Deny" comment="Anti-spoofing rule" direction="Outbound" disabled="False" id="id3B0C63EB" log="True" position="14">
<Src neg="True">
<ObjectRef ref="net-Internal_net"/>
<ObjectRef ref="id3B0C6380"/>
</Src><Dst neg="False">
<ObjectRef ref="sysid0"/>
</Dst><Srv neg="False">
<ServiceRef ref="sysid1"/>
</Srv><Itf neg="False">
<ObjectRef ref="id3B0C63E1"/>
</Itf>
<PolicyRuleOptions>
<Option name="stateless">True</Option>
</PolicyRuleOptions>
</PolicyRule>
<PolicyRule action="Deny" direction="Both" disabled="False" id="id3B54C977" log="True" position="15">
<Src neg="False">
<ObjectRef ref="sysid0"/>
</Src><Dst neg="False">
<ObjectRef ref="sysid0"/>
</Dst><Srv neg="False">
<ServiceRef ref="icmp-ping_request"/>
</Srv><Itf neg="False">
<ObjectRef ref="id3B0C63E1"/>
</Itf>
<PolicyRuleOptions>
<Option name="stateless">True</Option>
</PolicyRuleOptions>
</PolicyRule>
<PolicyRule action="Deny" direction="Both" disabled="False" id="id3B54F071" log="True" position="16">
<Src neg="True">
<ObjectRef ref="id3B022266"/>
</Src><Dst neg="False">
<ObjectRef ref="sysid0"/>
</Dst><Srv neg="False">
<ServiceRef ref="icmp-ping_request"/>
</Srv><Itf neg="False">
<ObjectRef ref="id3B0C63E1"/>
</Itf>
<PolicyRuleOptions>
<Option name="stateless">True</Option>
</PolicyRuleOptions>
</PolicyRule>
<PolicyRule action="Accept" comment="hostF has the same IP address as firewal." direction="Both" disabled="False" id="id3B0C639F" log="True" position="4">
<Src neg="False">
<ObjectRef ref="sysid0"/>
</Src><Dst neg="False">
<ObjectRef ref="id3AFC191C"/>
</Dst><Srv neg="False">
<ServiceRef ref="icmp-ping_request"/>
</Srv><Itf neg="False">
<ObjectRef ref="sysid0"/>
</Itf><When neg="False">
<IntervalRef ref="sysid2"/>
</When>
<PolicyRuleOptions>
<Option name="id"/>
</PolicyRuleOptions>
</PolicyRule>
<PolicyRule action="Deny" comment="testing negation in the policy rule" direction="Both" disabled="False" id="id3B0C63A9" log="True" position="5">
<Src neg="True">
<ObjectRef ref="host-hostA"/>
<ObjectRef ref="host-hostB"/>
</Src><Dst neg="False">
<ObjectRef ref="sysid0"/>
</Dst><Srv neg="False">
<ServiceRef ref="icmp-Unreachables"/>
</Srv><Itf neg="False">
<ObjectRef ref="sysid0"/>
</Itf><When neg="False">
<IntervalRef ref="sysid2"/>
</When>
<PolicyRuleOptions>
<Option name="id"/>
<Option name="stateless">True</Option>
</PolicyRuleOptions>
</PolicyRule>
<PolicyRule action="Deny" comment="" direction="Both" disabled="False" id="id3B0C63B4" log="True" position="6">
<Src neg="True">
<ObjectRef ref="host-hostA"/>
<ObjectRef ref="host-hostB"/>
</Src><Dst neg="False">
<ObjectRef ref="id3B0C6380"/>
</Dst><Srv neg="False">
<ServiceRef ref="icmp-Unreachables"/>
</Srv><Itf neg="False">
<ObjectRef ref="sysid0"/>
</Itf><When neg="False">
<IntervalRef ref="sysid2"/>
</When>
<PolicyRuleOptions>
<Option name="id"/>
<Option name="stateless">True</Option>
</PolicyRuleOptions>
</PolicyRule>
<PolicyRule action="Deny" comment="testing negation in service field" direction="Both" disabled="True" id="id3B0C63BF" log="True" position="7">
<Src neg="False">
<ObjectRef ref="sysid0"/>
</Src><Dst neg="False">
<ObjectRef ref="host-hostA"/>
<ObjectRef ref="host-hostB"/>
</Dst><Srv neg="True">
<ServiceRef ref="tcp-SMTP"/>
<ServiceRef ref="tcp-SSH"/>
</Srv><Itf neg="False">
<ObjectRef ref="sysid0"/>
</Itf><When neg="False">
<IntervalRef ref="sysid2"/>
</When>
<PolicyRuleOptions>
<Option name="id"/>
<Option name="stateless">True</Option>
</PolicyRuleOptions>
</PolicyRule>
<PolicyRule action="Accept" comment="'masquerading' rule" direction="Both" disabled="False" id="id3B0C63CB" log="False" position="8">
<Src neg="False">
<ObjectRef ref="net-Internal_net"/>
</Src><Dst neg="False">
<ObjectRef ref="sysid0"/>
</Dst><Srv neg="False">
<ServiceRef ref="sysid1"/>
</Srv><Itf neg="False">
<ObjectRef ref="sysid0"/>
</Itf><When neg="False">
<IntervalRef ref="sysid2"/>
</When>
<PolicyRuleOptions>
<Option name="id"/>
</PolicyRuleOptions>
</PolicyRule>
<PolicyRule action="Accept" direction="Both" disabled="True" id="id3D85069A" log="True" position="9">
<Src neg="False">
<ObjectRef ref="sysid0"/>
</Src><Dst neg="False">
<ObjectRef ref="id3D850651"/>
<ObjectRef ref="id3D58227E"/>
</Dst><Srv neg="False">
<ServiceRef ref="sysid1"/>
</Srv><Itf neg="False">
<ObjectRef ref="sysid0"/>
</Itf><When neg="False">
<IntervalRef ref="sysid2"/>
</When>
<PolicyRuleOptions/>
</PolicyRule>
<PolicyRule action="Deny" comment="'catch all' rule" direction="Both" disabled="False" id="id3B0C63D5" log="True" position="10">
<Src neg="False">
<ObjectRef ref="sysid0"/>
</Src><Dst neg="False">
<ObjectRef ref="sysid0"/>
</Dst><Srv neg="False">
<ServiceRef ref="sysid1"/>
</Srv><Itf neg="False">
<ObjectRef ref="sysid0"/>
</Itf><When neg="False">
<IntervalRef ref="sysid2"/>
</When>
<PolicyRuleOptions>
<Option name="id"/>
<Option name="stateless">True</Option>
</PolicyRuleOptions>
</PolicyRule>
</Policy>
<Routing id="id3B0C6380-routing" name="Routing">
</Routing>
<Interface bridgeport="False" dyn="False" id="id3B0C63DF" name="eth0" security_level="100" unnum="False">
<IPv4 address="192.168.1.1" id="id3B0C63DF-ipv4" name="address" netmask="255.255.255.0"/>
</Interface><Interface bridgeport="False" dyn="True" id="id3B0C63E1" label="" name="eth1" security_level="0" unnum="False">
<IPv4 address="0.0.0.0" comment="" id="id3B0C63E1-ipv4" name="firewall4:eth1" netmask="0.0.0.0"/>
</Interface><Interface bridgeport="False" dyn="False" id="id3B0C63F3" name="eth2" security_level="100" unnum="False">
<IPv4 address="192.168.2.1" comment="" id="id3B0C63F3-ipv4" name="firewall4:eth2" netmask="255.255.255.0"/>
</Interface><Interface bridgeport="False" dyn="False" id="id3B0C63F5" name="lo" security_level="100" unnum="False">
<IPv4 address="127.0.0.1" id="id3B0C63F5-ipv4" name="address" netmask="255.0.0.0"/>
</Interface><Interface bridgeport="False" dyn="False" id="id3CD88A77" label="" name="eth3" security_level="0" unnum="False">
<IPv4 address="222.222.222.222" comment="" id="id3CD88A77-ipv4" name="firewall4:eth3" netmask="255.255.255.0"/>
</Interface>
<Management address="222.222.222.222">
<SNMPManagement enabled="False" snmp_read_community="public" snmp_write_community=""/>
<FWBDManagement enabled="True" identity="" port="9999"/>
<PolicyInstallScript arguments="" command="" enabled="False"/>
</Management>
<FirewallOptions>
<Option name="accept_established">False</Option>
<Option name="accept_new_tcp_with_no_syn">True</Option>
<Option name="action_on_reject">ICMP net unreachable</Option>
<Option name="check_shading">False</Option>
<Option name="clamp_mss_to_mtu">False</Option>
<Option name="cmdline"/>
<Option name="compiler"/>
<Option name="debug">False</Option>
<Option name="dyn_addr">False</Option>
<Option name="eliminate_duplicates">True</Option>
<Option name="firewall_dir">/etc</Option>
<Option name="firewall_is_part_of_any">True</Option>
<Option name="firewall_is_part_of_any_and_networks">True</Option>
<Option name="freebsd_path_ipf">/usr/sbin/ipf</Option>
<Option name="freebsd_path_ipnat">/usr/sbin/ipnat</Option>
<Option name="freebsd_path_sysctl"/>
<Option name="id"/>
<Option name="ignore_empty_groups">False</Option>
<Option name="in_out_code">True</Option>
<Option name="inst_cmdline"/>
<Option name="inst_script"/>
<Option name="install_script"/>
<Option name="ipf_log_body">False</Option>
<Option name="ipf_log_facility"/>
<Option name="ipf_log_level"/>
<Option name="ipf_log_or_block">False</Option>
<Option name="ipf_nat_ftp_proxy">False</Option>
<Option name="ipf_nat_raudio_proxy">False</Option>
<Option name="ipf_nat_rcmd_proxy">False</Option>
<Option name="ipf_return_icmp_as_dest">False</Option>
<Option name="limit_suffix">/day</Option>
<Option name="limit_value">0</Option>
<Option name="linux24_ip_forward">0</Option>
<Option name="linux24_tcp_fin_timeout">30</Option>
<Option name="linux24_tcp_keepalive_interval">1800</Option>
<Option name="load_modules">False</Option>
<Option name="log_all_dropped">False</Option>
<Option name="log_ip_opt">False</Option>
<Option name="log_level">debug</Option>
<Option name="log_limit_suffix">/second</Option>
<Option name="log_limit_value">0</Option>
<Option name="log_prefix"/>
<Option name="log_tcp_opt">False</Option>
<Option name="log_tcp_seq">False</Option>
<Option name="manage_virtual_addr">True</Option>
<Option name="modulate_state">False</Option>
<Option name="no_iochains_for_any">False</Option>
<Option name="no_optimisation">False</Option>
<Option name="pass_all_out">False</Option>
<Option name="platform">iptables</Option>
<Option name="proxy_arp">False</Option>
<Option name="script_env_path"/>
<Option name="snmp_contact"/>
<Option name="snmp_description"/>
<Option name="snmp_location"/>
<Option name="use_numeric_log_levels">False</Option>
</FirewallOptions>
</Firewall>
<Firewall comment="testing rules with broadcasts" host_OS="freebsd" id="id3C69BD4F" lastCompiled="0" lastInstalled="0" lastModified="0" name="firewall7" platform="ipfw">
<NAT id="id3C69BD50" name="NAT">
</NAT>
<Policy id="id3C69BD51" name="Policy">
<PolicyRule action="Deny" direction="Inbound" disabled="False" id="id3C69BDE1" log="True" position="17">
<Src neg="False">
<ObjectRef ref="sysid0"/>
</Src><Dst neg="False">
<ObjectRef ref="id3B64FFAC"/>
</Dst><Srv neg="False">
<ServiceRef ref="sysid1"/>
</Srv><Itf neg="False">
<ObjectRef ref="id3C69BD5C"/>
</Itf><When neg="False">
<IntervalRef ref="sysid2"/>
</When>
<PolicyRuleOptions>
<Option name="stateless">True</Option>
</PolicyRuleOptions>
</PolicyRule>
<PolicyRule action="Deny" direction="Inbound" disabled="False" id="id3CF5B373" log="True" position="18">
<Src neg="False">
<ObjectRef ref="sysid0"/>
</Src><Dst neg="False">
<ObjectRef ref="id3C69BD4F"/>
</Dst><Srv neg="False">
<ServiceRef ref="sysid1"/>
</Srv><Itf neg="False">
<ObjectRef ref="id3C69BD5E"/>
</Itf><When neg="False">
<IntervalRef ref="sysid2"/>
</When>
<PolicyRuleOptions>
<Option name="stateless">True</Option>
</PolicyRuleOptions>
</PolicyRule>
<PolicyRule action="Accept" comment="" direction="Both" disabled="False" id="id3C69BF13" log="False" position="2">
<Src neg="False">
<ObjectRef ref="sysid0"/>
</Src><Dst neg="False">
<ObjectRef ref="id3B64FFAC"/>
</Dst><Srv neg="False">
<ServiceRef ref="udp-bootpc"/>
</Srv><Itf neg="False">
<ObjectRef ref="sysid0"/>
</Itf><When neg="False">
<IntervalRef ref="sysid2"/>
</When>
<PolicyRuleOptions/>
</PolicyRule>
</Policy>
<Routing id="id3C69BD4F-routing" name="Routing">
</Routing>
<Interface bridgeport="False" dyn="False" id="id3C69BD5C" name="eth0" security_level="100" unnum="False">
<IPv4 address="192.168.1.1" id="id3C69BD5C-ipv4" name="address" netmask="255.255.255.0"/>
</Interface><Interface bridgeport="False" dyn="False" id="id3C69BD5E" name="eth1" security_level="0" unnum="False">
<IPv4 address="22.22.22.22" id="id3C69BD5E-ipv4" name="address" netmask="255.255.255.0"/>
</Interface><Interface bridgeport="False" dyn="False" id="id3C69BD68" name="eth2" security_level="100" unnum="False">
<IPv4 address="192.168.2.1" id="id3C69BD68-ipv4" name="address" netmask="255.255.255.0"/>
</Interface><Interface bridgeport="False" dyn="False" id="id3C69BD6A" name="lo" security_level="100" unnum="False">
<IPv4 address="127.0.0.1" id="id3C69BD6A-ipv4" name="address" netmask="255.0.0.0"/>
</Interface><Interface bridgeport="False" dyn="False" id="id3C69BD6C" name="eth3" security_level="0" unnum="False">
<IPv4 address="22.22.23.23" id="id3C69BD6C-ipv4" name="address" netmask="255.255.255.0"/>
</Interface>
<Management address="22.22.23.23">
<SNMPManagement enabled="False" snmp_read_community="public" snmp_write_community=""/>
<FWBDManagement enabled="True" identity="" port="9999"/>
<PolicyInstallScript arguments="" command="" enabled="False"/>
</Management>
<FirewallOptions>
<Option name="accept_established">True</Option>
<Option name="accept_new_tcp_with_no_syn">True</Option>
<Option name="action_on_reject">ICMP net unreachable</Option>
<Option name="check_shading">True</Option>
<Option name="clamp_mss_to_mtu">False</Option>
<Option name="cmdline"/>
<Option name="compiler"/>
<Option name="debug">False</Option>
<Option name="dyn_addr">False</Option>
<Option name="eliminate_duplicates">True</Option>
<Option name="firewall_dir">/etc</Option>
<Option name="firewall_is_part_of_any">True</Option>
<Option name="firewall_is_part_of_any_and_networks">True</Option>
<Option name="freebsd_path_ipf"/>
<Option name="freebsd_path_ipnat"/>
<Option name="freebsd_path_sysctl"/>
<Option name="ignore_empty_groups">False</Option>
<Option name="in_out_code">True</Option>
<Option name="inst_cmdline"/>
<Option name="inst_script"/>
<Option name="install_script"/>
<Option name="ipf_log_body">False</Option>
<Option name="ipf_log_facility"/>
<Option name="ipf_log_level"/>
<Option name="ipf_log_or_block">False</Option>
<Option name="ipf_nat_ftp_proxy">False</Option>
<Option name="ipf_nat_raudio_proxy">False</Option>
<Option name="ipf_nat_rcmd_proxy">False</Option>
<Option name="ipf_return_icmp_as_dest">False</Option>
<Option name="limit_suffix">/day</Option>
<Option name="limit_value">0</Option>
<Option name="linux24_ip_forward">0</Option>
<Option name="linux24_tcp_fin_timeout">30</Option>
<Option name="linux24_tcp_keepalive_interval">1800</Option>
<Option name="load_modules">False</Option>
<Option name="log_all_dropped">False</Option>
<Option name="log_ip_opt">False</Option>
<Option name="log_level">debug</Option>
<Option name="log_limit_suffix">/second</Option>
<Option name="log_limit_value">0</Option>
<Option name="log_prefix"/>
<Option name="log_tcp_opt">False</Option>
<Option name="log_tcp_seq">False</Option>
<Option name="manage_virtual_addr">True</Option>
<Option name="modulate_state">False</Option>
<Option name="no_iochains_for_any">False</Option>
<Option name="no_optimisation">False</Option>
<Option name="pass_all_out">False</Option>
<Option name="platform">iptables</Option>
<Option name="proxy_arp">False</Option>
<Option name="script_env_path"/>
<Option name="snmp_contact"/>
<Option name="snmp_description"/>
<Option name="snmp_location"/>
<Option name="use_ip_tool">False</Option>
<Option name="use_numeric_log_levels">False</Option>
</FirewallOptions>
</Firewall>
<Firewall comment="firewall protects host it is running on" host_OS="freebsd" id="id3AF5A2BA" lastCompiled="0" lastInstalled="0" lastModified="0" name="host" platform="ipfw">
<NAT id="id3AF5A2BD" name="NAT">
</NAT>
<Policy id="id3AF5A2BC" name="Policy">
<PolicyRule action="Accept" direction="Both" disabled="False" id="id3BD8ECD0" log="True" position="19">
<Src neg="False">
<ObjectRef ref="id3AF5A2BA"/>
</Src><Dst neg="False">
<ObjectRef ref="id3AF5A2BA"/>
</Dst><Srv neg="False">
<ServiceRef ref="sysid1"/>
</Srv><Itf neg="False">
<ObjectRef ref="id3AF5A2CB"/>
</Itf>
<PolicyRuleOptions/>
</PolicyRule>
<PolicyRule action="Accept" comment="allow everything on loopback" direction="Inbound" disabled="False" id="id3AFB70C7" log="False" position="20">
<Src neg="False">
<ObjectRef ref="sysid0"/>
</Src><Dst neg="False">
<ObjectRef ref="id3AF5A2BA"/>
</Dst><Srv neg="False">
<ServiceRef ref="sysid1"/>
</Srv><Itf neg="False">
<ObjectRef ref="id3AFB7090"/>
</Itf>
<PolicyRuleOptions/>
</PolicyRule>
<PolicyRule action="Accept" comment="allow everything on loopback" direction="Outbound" disabled="False" id="id3AFB70CF" log="False" position="21">
<Src neg="False">
<ObjectRef ref="id3AF5A2BA"/>
</Src><Dst neg="False">
<ObjectRef ref="sysid0"/>
</Dst><Srv neg="False">
<ServiceRef ref="sysid1"/>
</Srv><Itf neg="False">
<ObjectRef ref="id3AFB7090"/>
</Itf>
<PolicyRuleOptions/>
</PolicyRule>
<PolicyRule action="Accept" direction="Both" disabled="False" id="id3BD8ECC6" log="True" position="22">
<Src neg="False">
<ObjectRef ref="id3AF5A2BA"/>
</Src><Dst neg="False">
<ObjectRef ref="id3AF5A2BA"/>
</Dst><Srv neg="False">
<ServiceRef ref="sysid1"/>
</Srv><Itf neg="False">
<ObjectRef ref="id3AFB7090"/>
</Itf>
<PolicyRuleOptions/>
</PolicyRule>
<PolicyRule action="Deny" comment="block fragments" direction="Both" disabled="False" id="id3AF5A74B" log="True" position="4">
<Src neg="False">
<ObjectRef ref="sysid0"/>
</Src><Dst neg="False">
<ObjectRef ref="id3AF5A2BA"/>
</Dst><Srv neg="False">
<ServiceRef ref="ip-IP_Fragments"/>
</Srv><Itf neg="False">
<ObjectRef ref="sysid0"/>
</Itf><When neg="False">
<IntervalRef ref="sysid2"/>
</When>
<PolicyRuleOptions>
<Option name="stateless">True</Option>
</PolicyRuleOptions>
</PolicyRule>
<PolicyRule action="Accept" direction="Both" disabled="False" id="id3AF5A73A" log="False" position="5">
<Src neg="False">
<ObjectRef ref="sysid0"/>
</Src><Dst neg="False">
<ObjectRef ref="id3AF5A2BA"/>
</Dst><Srv neg="False">
<ServiceRef ref="tcp-SMTP"/>
<ServiceRef ref="tcp-HTTP"/>
<ServiceRef ref="tcp-SSH"/>
<ServiceRef ref="tcp-FTP"/>
<ServiceRef ref="tcp-Telnet"/>
<ServiceRef ref="icmp-Unreachables"/>
</Srv><Itf neg="False">
<ObjectRef ref="sysid0"/>
</Itf><When neg="False">
<IntervalRef ref="sysid2"/>
</When>
<PolicyRuleOptions/>
</PolicyRule>
<PolicyRule action="Accept" comment="allow all outgoing connections" direction="Both" disabled="False" id="id3AF5A757" log="False" position="6">
<Src neg="False">
<ObjectRef ref="id3AF5A2BA"/>
</Src><Dst neg="False">
<ObjectRef ref="sysid0"/>
</Dst><Srv neg="False">
<ServiceRef ref="sysid1"/>
</Srv><Itf neg="False">
<ObjectRef ref="sysid0"/>
</Itf><When neg="False">
<IntervalRef ref="sysid2"/>
</When>
<PolicyRuleOptions/>
</PolicyRule>
<PolicyRule action="Deny" comment="'catch all' rule" direction="Both" disabled="False" id="id3AF5A762" log="True" position="7">
<Src neg="False">
<ObjectRef ref="sysid0"/>
</Src><Dst neg="False">
<ObjectRef ref="sysid0"/>
</Dst><Srv neg="False">
<ServiceRef ref="sysid1"/>
</Srv><Itf neg="False">
<ObjectRef ref="sysid0"/>
</Itf><When neg="False">
<IntervalRef ref="sysid2"/>
</When>
<PolicyRuleOptions>
<Option name="stateless">True</Option>
</PolicyRuleOptions>
</PolicyRule>
</Policy>
<Routing id="id3AF5A2BA-routing" name="Routing">
</Routing>
<Interface bridgeport="False" dyn="False" id="id3AF5A2CB" name="eth0" security_level="0" unnum="False">
<IPv4 address="22.22.22.22" id="id3AF5A2CB-ipv4" name="address" netmask="255.255.255.0"/>
</Interface><Interface bridgeport="False" dyn="False" id="id3AFB7090" name="lo" security_level="100" unnum="False">
<IPv4 address="127.0.0.1" id="id3AFB7090-ipv4" name="address" netmask="255.0.0.0"/>
</Interface>
<Management address="127.0.0.1">
<SNMPManagement enabled="False" snmp_read_community="public" snmp_write_community=""/>
<FWBDManagement enabled="True" identity="" port="9999"/>
<PolicyInstallScript arguments="" command="" enabled="False"/>
</Management>
<FirewallOptions>
<Option name="accept_established">True</Option>
<Option name="accept_new_tcp_with_no_syn">True</Option>
<Option name="action_on_reject">ICMP host prohibited</Option>
<Option name="check_shading">False</Option>
<Option name="clamp_mss_to_mtu">False</Option>
<Option name="cmdline"/>
<Option name="compiler"/>
<Option name="debug">False</Option>
<Option name="dyn_addr">False</Option>
<Option name="firewall_dir">/etc</Option>
<Option name="firewall_is_part_of_any">True</Option>
<Option name="firewall_is_part_of_any_and_networks">True</Option>
<Option name="freebsd_path_ipf"/>
<Option name="freebsd_path_ipnat"/>
<Option name="freebsd_path_sysctl"/>
<Option name="ignore_empty_groups">False</Option>
<Option name="in_out_code">True</Option>
<Option name="inst_cmdline"/>
<Option name="inst_script"/>
<Option name="install_script"/>
<Option name="ipf_log_body">False</Option>
<Option name="ipf_log_facility"/>
<Option name="ipf_log_level"/>
<Option name="ipf_log_or_block">False</Option>
<Option name="ipf_nat_ftp_proxy">False</Option>
<Option name="ipf_nat_raudio_proxy">False</Option>
<Option name="ipf_nat_rcmd_proxy">False</Option>
<Option name="ipf_return_icmp_as_dest">False</Option>
<Option name="limit_suffix">/day</Option>
<Option name="limit_value">0</Option>
<Option name="linux24_ip_forward">0</Option>
<Option name="linux24_tcp_fin_timeout">30</Option>
<Option name="linux24_tcp_keepalive_interval">1800</Option>
<Option name="load_modules">False</Option>
<Option name="log_all_dropped">False</Option>
<Option name="log_ip_opt">False</Option>
<Option name="log_level">debug</Option>
<Option name="log_limit_suffix"/>
<Option name="log_limit_value">0</Option>
<Option name="log_prefix"/>
<Option name="log_tcp_opt">False</Option>
<Option name="log_tcp_seq">False</Option>
<Option name="manage_virtual_addr">False</Option>
<Option name="modulate_state">False</Option>
<Option name="no_iochains_for_any">False</Option>
<Option name="no_optimisation">False</Option>
<Option name="pass_all_out">False</Option>
<Option name="platform">iptables</Option>
<Option name="script_env_path"/>
<Option name="snmp_contact"/>
<Option name="snmp_description"/>
<Option name="snmp_location"/>
<Option name="use_ip_tool">False</Option>
<Option name="use_numeric_log_levels">False</Option>
</FirewallOptions>
</Firewall>
<Firewall comment="" host_OS="freebsd" id="id3D582236" lastCompiled="0" lastInstalled="0" lastModified="0" name="firewall8" platform="ipfw">
<NAT id="id3D58223A" name="NAT">
<NATRule disabled="False" id="id3D58237B" position="0">
<OSrc neg="False">
<ObjectRef ref="net-Internal_net"/>
</OSrc>
<ODst neg="False">
<ObjectRef ref="sysid0"/>
</ODst>
<OSrv neg="False">
<ServiceRef ref="sysid1"/>
</OSrv>
<TSrc neg="False">
<ObjectRef ref="id3D582236"/>
</TSrc>
<TDst neg="False">
<ObjectRef ref="sysid0"/>
</TDst>
<TSrv neg="False">
<ServiceRef ref="sysid1"/>
</TSrv>
<NATRuleOptions/>
</NATRule><NATRule comment="" disabled="False" id="id3D5823A5" position="1">
<OSrc neg="False">
<ObjectRef ref="net-Internal_net"/>
</OSrc>
<ODst neg="False">
<ObjectRef ref="sysid0"/>
</ODst>
<OSrv neg="False">
<ServiceRef ref="sysid1"/>
</OSrv>
<TSrc neg="False">
<ObjectRef ref="id3D582242"/>
</TSrc>
<TDst neg="False">
<ObjectRef ref="sysid0"/>
</TDst>
<TSrv neg="False">
<ServiceRef ref="sysid1"/>
</TSrv>
<NATRuleOptions/>
</NATRule><NATRule comment="" disabled="False" id="id3D5823B9" position="2">
<OSrc neg="False">
<ObjectRef ref="net-Internal_net"/>
</OSrc>
<ODst neg="False">
<ObjectRef ref="sysid0"/>
</ODst>
<OSrv neg="False">
<ServiceRef ref="sysid1"/>
</OSrv>
<TSrc neg="False">
<ObjectRef ref="id3D582244"/>
</TSrc>
<TDst neg="False">
<ObjectRef ref="sysid0"/>
</TDst>
<TSrv neg="False">
<ServiceRef ref="sysid1"/>
</TSrv>
<NATRuleOptions/>
</NATRule><NATRule disabled="False" id="id3D58245E" position="3">
<OSrc neg="False">
<ObjectRef ref="sysid0"/>
</OSrc>
<ODst neg="False">
<ObjectRef ref="id3D582236"/>
</ODst>
<OSrv neg="False">
<ServiceRef ref="tcp-SSH"/>
</OSrv>
<TSrc neg="False">
<ObjectRef ref="sysid0"/>
</TSrc>
<TDst neg="False">
<ObjectRef ref="id3D58227A"/>
</TDst>
<TSrv neg="False">
<ServiceRef ref="sysid1"/>
</TSrv>
<NATRuleOptions/>
</NATRule><NATRule disabled="False" id="id3D58236D" position="4">
<OSrc neg="False">
<ObjectRef ref="sysid0"/>
</OSrc>
<ODst neg="False">
<ObjectRef ref="id3D582236"/>
</ODst>
<OSrv neg="False">
<ServiceRef ref="tcp-SSH"/>
</OSrv>
<TSrc neg="False">
<ObjectRef ref="sysid0"/>
</TSrc>
<TDst neg="False">
<ObjectRef ref="id3D58227E"/>
</TDst>
<TSrv neg="False">
<ServiceRef ref="sysid1"/>
</TSrv>
<NATRuleOptions/>
</NATRule><NATRule disabled="False" id="id3D58235F" position="5">
<OSrc neg="False">
<ObjectRef ref="sysid0"/>
</OSrc>
<ODst neg="False">
<ObjectRef ref="id3D582236"/>
</ODst>
<OSrv neg="False">
<ServiceRef ref="tcp-SSH"/>
</OSrv>
<TSrc neg="False">
<ObjectRef ref="sysid0"/>
</TSrc>
<TDst neg="False">
<ObjectRef ref="id3D582282"/>
</TDst>
<TSrv neg="False">
<ServiceRef ref="sysid1"/>
</TSrv>
<NATRuleOptions/>
</NATRule><NATRule disabled="False" id="id3D582472" position="6">
<OSrc neg="False">
<ObjectRef ref="sysid0"/>
</OSrc>
<ODst neg="False">
<ObjectRef ref="id3D582236"/>
</ODst>
<OSrv neg="False">
<ServiceRef ref="tcp-SSH"/>
</OSrv>
<TSrc neg="False">
<ObjectRef ref="sysid0"/>
</TSrc>
<TDst neg="False">
<ObjectRef ref="id3D582283"/>
</TDst>
<TSrv neg="False">
<ServiceRef ref="sysid1"/>
</TSrv>
<NATRuleOptions/>
</NATRule><NATRule comment="" disabled="False" id="id3D58249D" position="7">
<OSrc neg="False">
<ObjectRef ref="sysid0"/>
</OSrc>
<ODst neg="False">
<ObjectRef ref="id3D582242"/>
</ODst>
<OSrv neg="False">
<ServiceRef ref="tcp-SSH"/>
</OSrv>
<TSrc neg="False">
<ObjectRef ref="sysid0"/>
</TSrc>
<TDst neg="False">
<ObjectRef ref="id3D582283"/>
</TDst>
<TSrv neg="False">
<ServiceRef ref="sysid1"/>
</TSrv>
<NATRuleOptions/>
</NATRule><NATRule comment="" disabled="False" id="id3D5825CC" position="8">
<OSrc neg="False">
<ObjectRef ref="sysid0"/>
</OSrc>
<ODst neg="False">
<ObjectRef ref="id3D582245"/>
</ODst>
<OSrv neg="False">
<ServiceRef ref="tcp-SSH"/>
</OSrv>
<TSrc neg="False">
<ObjectRef ref="sysid0"/>
</TSrc>
<TDst neg="False">
<ObjectRef ref="id3D582283"/>
</TDst>
<TSrv neg="False">
<ServiceRef ref="sysid1"/>
</TSrv>
<NATRuleOptions/>
</NATRule></NAT>
<Policy id="id3D582239" name="Policy">
<PolicyRule action="Accept" direction="Both" disabled="False" id="id3D5822AA" log="False" position="0">
<Src neg="False">
<ObjectRef ref="sysid0"/>
</Src><Dst neg="False">
<ObjectRef ref="id3D582236"/>
</Dst><Srv neg="False">
<ServiceRef ref="tcp-SSH"/>
</Srv><Itf neg="False">
<ObjectRef ref="sysid0"/>
</Itf><When neg="False">
<IntervalRef ref="sysid2"/>
</When>
<PolicyRuleOptions/>
</PolicyRule>
<PolicyRule action="Accept" direction="Both" disabled="False" id="id3D5822B5" log="False" position="1">
<Src neg="False">
<ObjectRef ref="sysid0"/>
</Src><Dst neg="False">
<ObjectRef ref="id3D582242"/>
</Dst><Srv neg="False">
<ServiceRef ref="tcp-SSH"/>
</Srv><Itf neg="False">
<ObjectRef ref="sysid0"/>
</Itf><When neg="False">
<IntervalRef ref="sysid2"/>
</When>
<PolicyRuleOptions/>
</PolicyRule>
<PolicyRule action="Accept" direction="Both" disabled="False" id="id3D582294" log="False" position="2">
<Src neg="False">
<ObjectRef ref="sysid0"/>
</Src><Dst neg="False">
<ObjectRef ref="id3D582244"/>
</Dst><Srv neg="False">
<ServiceRef ref="tcp-SSH"/>
</Srv><Itf neg="False">
<ObjectRef ref="sysid0"/>
</Itf><When neg="False">
<IntervalRef ref="sysid2"/>
</When>
<PolicyRuleOptions/>
</PolicyRule>
<PolicyRule action="Accept" direction="Both" disabled="False" id="id3D58228A" log="False" position="3">
<Src neg="False">
<ObjectRef ref="sysid0"/>
</Src><Dst neg="False">
<ObjectRef ref="id3D582245"/>
</Dst><Srv neg="False">
<ServiceRef ref="tcp-SSH"/>
</Srv><Itf neg="False">
<ObjectRef ref="sysid0"/>
</Itf><When neg="False">
<IntervalRef ref="sysid2"/>
</When>
<PolicyRuleOptions/>
</PolicyRule>
<PolicyRule action="Deny" direction="Both" disabled="False" id="id3D5822A0" log="True" position="4">
<Src neg="False">
<ObjectRef ref="sysid0"/>
</Src><Dst neg="False">
<ObjectRef ref="sysid0"/>
</Dst><Srv neg="False">
<ServiceRef ref="sysid1"/>
</Srv><Itf neg="False">
<ObjectRef ref="sysid0"/>
</Itf><When neg="False">
<IntervalRef ref="sysid2"/>
</When>
<PolicyRuleOptions>
<Option name="stateless">True</Option>
</PolicyRuleOptions>
</PolicyRule>
</Policy>
<Routing id="id3D582236-routing" name="Routing">
</Routing>
<Interface bridgeport="False" comment="" dyn="False" id="id3D58223F" label="" name="eth0" security_level="100" unnum="False">
<IPv4 address="192.168.1.1" comment="" id="id3D582241" name="firewall8:eth0" netmask="255.255.255.0"/>
</Interface><Interface bridgeport="False" comment="" dyn="False" id="id3D582242" label="" name="eth1" security_level="0" unnum="False">
<IPv4 address="33.33.33.33" comment="" id="id3D582244" name="firewall8:eth1:0" netmask="255.255.255.0"/>
<IPv4 address="33.33.33.34" comment="" id="id3D582245" name="firewall8:eth1:1" netmask="255.255.255.0"/>
</Interface>
<Management address="33.33.33.33">
<SNMPManagement enabled="False" snmp_read_community="" snmp_write_community=""/>
<FWBDManagement enabled="True" identity="" port="9999"/>
<PolicyInstallScript arguments="" command="" enabled="False"/>
</Management>
<FirewallOptions>
<Option name="action_on_reject">ICMP host prohibited</Option>
<Option name="check_shading">False</Option>
<Option name="cmdline"/>
<Option name="compiler"/>
<Option name="debug">False</Option>
<Option name="eliminate_duplicates">True</Option>
<Option name="firewall_dir">/etc</Option>
<Option name="freebsd_ip_forward">1</Option>
<Option name="freebsd_path_ipf"/>
<Option name="freebsd_path_ipnat"/>
<Option name="freebsd_path_sysctl"/>
<Option name="ignore_empty_groups">False</Option>
<Option name="in_out_code">True</Option>
<Option name="ipf_log_body">False</Option>
<Option name="ipf_log_facility"/>
<Option name="ipf_log_level"/>
<Option name="ipf_log_or_block">False</Option>
<Option name="ipf_nat_ftp_proxy">False</Option>
<Option name="ipf_nat_raudio_proxy">False</Option>
<Option name="ipf_nat_rcmd_proxy">False</Option>
<Option name="ipf_return_icmp_as_dest">False</Option>
<Option name="manage_virtual_addr">False</Option>
<Option name="pass_all_out">False</Option>
<Option name="snmp_contact"/>
<Option name="snmp_description"/>
<Option name="snmp_location"/>
</FirewallOptions>
</Firewall>
<Firewall comment="" host_OS="freebsd" id="id3DF3D0AD" lastCompiled="0" lastInstalled="0" lastModified="0" name="firewall9" platform="ipfw">
<NAT id="id3DF3D0AE" name="NAT">
<NATRule disabled="False" id="id3DF3D0AF" position="0">
<OSrc neg="False">
<ObjectRef ref="net-Internal_net"/>
</OSrc>
<ODst neg="False">
<ObjectRef ref="sysid0"/>
</ODst>
<OSrv neg="False">
<ServiceRef ref="sysid1"/>
</OSrv>
<TSrc neg="False">
<ObjectRef ref="id3DF3D0AD"/>
</TSrc>
<TDst neg="False">
<ObjectRef ref="sysid0"/>
</TDst>
<TSrv neg="False">
<ServiceRef ref="sysid1"/>
</TSrv>
<NATRuleOptions/>
</NATRule><NATRule comment="" disabled="False" id="id3DF3D0BD" position="1">
<OSrc neg="False">
<ObjectRef ref="net-Internal_net"/>
</OSrc>
<ODst neg="False">
<ObjectRef ref="sysid0"/>
</ODst>
<OSrv neg="False">
<ServiceRef ref="sysid1"/>
</OSrv>
<TSrc neg="False">
<ObjectRef ref="id3DF3D163"/>
</TSrc>
<TDst neg="False">
<ObjectRef ref="sysid0"/>
</TDst>
<TSrv neg="False">
<ServiceRef ref="sysid1"/>
</TSrv>
<NATRuleOptions/>
</NATRule><NATRule comment="" disabled="False" id="id3DF3D0CB" position="2">
<OSrc neg="False">
<ObjectRef ref="net-Internal_net"/>
</OSrc>
<ODst neg="False">
<ObjectRef ref="sysid0"/>
</ODst>
<OSrv neg="False">
<ServiceRef ref="sysid1"/>
</OSrv>
<TSrc neg="False">
<ObjectRef ref="sysid0"/>
</TSrc>
<TDst neg="False">
<ObjectRef ref="sysid0"/>
</TDst>
<TSrv neg="False">
<ServiceRef ref="sysid1"/>
</TSrv>
<NATRuleOptions/>
</NATRule><NATRule disabled="False" id="id3DF3D0D9" position="3">
<OSrc neg="False">
<ObjectRef ref="sysid0"/>
</OSrc>
<ODst neg="False">
<ObjectRef ref="id3DF3D0AD"/>
</ODst>
<OSrv neg="False">
<ServiceRef ref="tcp-SSH"/>
</OSrv>
<TSrc neg="False">
<ObjectRef ref="sysid0"/>
</TSrc>
<TDst neg="False">
<ObjectRef ref="id3D58227A"/>
</TDst>
<TSrv neg="False">
<ServiceRef ref="sysid1"/>
</TSrv>
<NATRuleOptions/>
</NATRule><NATRule disabled="False" id="id3DF3D0E7" position="4">
<OSrc neg="False">
<ObjectRef ref="sysid0"/>
</OSrc>
<ODst neg="False">
<ObjectRef ref="id3DF3D0AD"/>
</ODst>
<OSrv neg="False">
<ServiceRef ref="tcp-SSH"/>
</OSrv>
<TSrc neg="False">
<ObjectRef ref="sysid0"/>
</TSrc>
<TDst neg="False">
<ObjectRef ref="id3D58227E"/>
</TDst>
<TSrv neg="False">
<ServiceRef ref="sysid1"/>
</TSrv>
<NATRuleOptions/>
</NATRule><NATRule disabled="False" id="id3DF3D0F5" position="5">
<OSrc neg="False">
<ObjectRef ref="sysid0"/>
</OSrc>
<ODst neg="False">
<ObjectRef ref="id3DF3D0AD"/>
</ODst>
<OSrv neg="False">
<ServiceRef ref="tcp-SSH"/>
</OSrv>
<TSrc neg="False">
<ObjectRef ref="sysid0"/>
</TSrc>
<TDst neg="False">
<ObjectRef ref="id3DF3D160"/>
</TDst>
<TSrv neg="False">
<ServiceRef ref="sysid1"/>
</TSrv>
<NATRuleOptions/>
</NATRule><NATRule disabled="False" id="id3DF3D103" position="6">
<OSrc neg="False">
<ObjectRef ref="sysid0"/>
</OSrc>
<ODst neg="False">
<ObjectRef ref="id3DF3D0AD"/>
</ODst>
<OSrv neg="False">
<ServiceRef ref="tcp-SSH"/>
</OSrv>
<TSrc neg="False">
<ObjectRef ref="sysid0"/>
</TSrc>
<TDst neg="False">
<ObjectRef ref="id3D582283"/>
</TDst>
<TSrv neg="False">
<ServiceRef ref="sysid1"/>
</TSrv>
<NATRuleOptions/>
</NATRule><NATRule comment="" disabled="False" id="id3DF3D111" position="7">
<OSrc neg="False">
<ObjectRef ref="sysid0"/>
</OSrc>
<ODst neg="False">
<ObjectRef ref="id3DF3D163"/>
</ODst>
<OSrv neg="False">
<ServiceRef ref="tcp-SSH"/>
</OSrv>
<TSrc neg="False">
<ObjectRef ref="sysid0"/>
</TSrc>
<TDst neg="False">
<ObjectRef ref="id3D582283"/>
</TDst>
<TSrv neg="False">
<ServiceRef ref="sysid1"/>
</TSrv>
<NATRuleOptions/>
</NATRule><NATRule comment="" disabled="False" id="id3DF3D11F" position="8">
<OSrc neg="False">
<ObjectRef ref="sysid0"/>
</OSrc>
<ODst neg="False">
<ObjectRef ref="sysid0"/>
</ODst>
<OSrv neg="False">
<ServiceRef ref="tcp-SSH"/>
</OSrv>
<TSrc neg="False">
<ObjectRef ref="sysid0"/>
</TSrc>
<TDst neg="False">
<ObjectRef ref="id3D582283"/>
</TDst>
<TSrv neg="False">
<ServiceRef ref="sysid1"/>
</TSrv>
<NATRuleOptions/>
</NATRule></NAT>
<Policy id="id3DF3D12D" name="Policy">
<PolicyRule action="Deny" direction="Inbound" disabled="False" id="id3DF3DFB0" log="True" position="23">
<Src neg="True">
<ObjectRef ref="id3B665643"/>
</Src><Dst neg="False">
<ObjectRef ref="sysid0"/>
</Dst><Srv neg="False">
<ServiceRef ref="sysid1"/>
</Srv><Itf neg="False">
<ObjectRef ref="id3DF3D163"/>
</Itf><When neg="False">
<IntervalRef ref="sysid2"/>
</When>
<PolicyRuleOptions>
<Option name="stateless">True</Option>
</PolicyRuleOptions>
</PolicyRule>
<PolicyRule action="Accept" direction="Inbound" disabled="False" id="id3DF3E09E" log="False" position="24">
<Src neg="False">
<ObjectRef ref="id3B665643"/>
</Src><Dst neg="False">
<ObjectRef ref="host-hostA"/>
</Dst><Srv neg="False">
<ServiceRef ref="tcp-SSH"/>
<ServiceRef ref="sg-Useful_ICMP"/>
</Srv><Itf neg="False">
<ObjectRef ref="id3DF3D163"/>
</Itf><When neg="False">
<IntervalRef ref="sysid2"/>
</When>
<PolicyRuleOptions/>
</PolicyRule>
<PolicyRule action="Accept" direction="Inbound" disabled="False" id="id3DF3D16E" log="False" position="25">
<Src neg="True">
<ObjectRef ref="net-Internal_net"/>
<ObjectRef ref="id3DF3D0AD"/>
</Src><Dst neg="False">
<ObjectRef ref="sysid0"/>
</Dst><Srv neg="False">
<ServiceRef ref="sysid1"/>
</Srv><Itf neg="False">
<ObjectRef ref="id3DF3D163"/>
</Itf><When neg="False">
<IntervalRef ref="sysid2"/>
</When>
<PolicyRuleOptions/>
</PolicyRule>
<PolicyRule action="Accounting" direction="Both" disabled="False" id="id3E5F2E4C" log="False" position="3">
<Src neg="False">
<ObjectRef ref="sysid0"/>
</Src><Dst neg="False">
<ObjectRef ref="sysid0"/>
</Dst><Srv neg="False">
<ServiceRef ref="sysid1"/>
</Srv><Itf neg="False">
<ObjectRef ref="sysid0"/>
</Itf><When neg="False">
<IntervalRef ref="sysid2"/>
</When>
<PolicyRuleOptions>
<Option name="stateless">True</Option>
</PolicyRuleOptions>
</PolicyRule>
<PolicyRule action="Accounting" direction="Both" disabled="False" id="id3E5F2E42" log="True" position="4">
<Src neg="False">
<ObjectRef ref="sysid0"/>
</Src><Dst neg="False">
<ObjectRef ref="sysid0"/>
</Dst><Srv neg="False">
<ServiceRef ref="sysid1"/>
</Srv><Itf neg="False">
<ObjectRef ref="sysid0"/>
</Itf><When neg="False">
<IntervalRef ref="sysid2"/>
</When>
<PolicyRuleOptions>
<Option name="stateless">True</Option>
</PolicyRuleOptions>
</PolicyRule>
<PolicyRule action="Accept" direction="Both" disabled="False" id="id3DF3D12E" log="False" position="5">
<Src neg="False">
<ObjectRef ref="sysid0"/>
</Src><Dst neg="False">
<ObjectRef ref="id3DF3D0AD"/>
</Dst><Srv neg="False">
<ServiceRef ref="tcp-SSH"/>
</Srv><Itf neg="False">
<ObjectRef ref="sysid0"/>
</Itf><When neg="False">
<IntervalRef ref="sysid2"/>
</When>
<PolicyRuleOptions/>
</PolicyRule>
<PolicyRule action="Accept" direction="Both" disabled="False" id="id3DF3D563" log="False" position="6">
<Src neg="False">
<ObjectRef ref="net-Internal_net"/>
</Src><Dst neg="False">
<ObjectRef ref="sysid0"/>
</Dst><Srv neg="False">
<ServiceRef ref="sysid1"/>
</Srv><Itf neg="False">
<ObjectRef ref="sysid0"/>
</Itf><When neg="False">
<IntervalRef ref="sysid2"/>
</When>
<PolicyRuleOptions/>
</PolicyRule>
<PolicyRule action="Accept" direction="Both" disabled="False" id="id3F162CE1" log="False" position="7">
<Src neg="False">
<ObjectRef ref="sysid0"/>
</Src><Dst neg="False">
<ObjectRef ref="sysid0"/>
</Dst><Srv neg="False">
<ServiceRef ref="id3F162C44"/>
</Srv><Itf neg="False">
<ObjectRef ref="sysid0"/>
</Itf><When neg="False">
<IntervalRef ref="sysid2"/>
</When>
<PolicyRuleOptions>
<Option name="action_on_reject"/>
<Option name="stateless">True</Option>
</PolicyRuleOptions>
</PolicyRule>
<PolicyRule action="Deny" direction="Both" disabled="False" id="id3DF3D156" log="True" position="8">
<Src neg="False">
<ObjectRef ref="sysid0"/>
</Src><Dst neg="False">
<ObjectRef ref="sysid0"/>
</Dst><Srv neg="False">
<ServiceRef ref="sysid1"/>
</Srv><Itf neg="False">
<ObjectRef ref="sysid0"/>
</Itf><When neg="False">
<IntervalRef ref="sysid2"/>
</When>
<PolicyRuleOptions>
<Option name="stateless">True</Option>
</PolicyRuleOptions>
</PolicyRule>
</Policy>
<Routing id="id3DF3D0AD-routing" name="Routing">
</Routing>
<Interface bridgeport="False" comment="" dyn="False" id="id3DF3D160" label="" mgmt="False" name="firewall9:eth0" security_level="100" unnum="False">
<IPv4 address="192.168.1.1" comment="" id="id3DF3D161" name="firewall9:eth0" netmask="255.255.255.0"/>
</Interface><Interface bridgeport="False" comment="" dyn="False" id="id3DF3D163" label="" mgmt="False" name="firewall9:eth1" security_level="0" unnum="False">
<IPv4 address="22.22.22.22" comment="" id="id3DF3D164" name="firewall9:eth1:0" netmask="255.255.255.0"/>
</Interface>
<Management address="22.22.22.22">
<SNMPManagement enabled="False" snmp_read_community="" snmp_write_community=""/>
<FWBDManagement enabled="True" identity="" port="9999"/>
<PolicyInstallScript arguments="" command="" enabled="False"/>
</Management>
<FirewallOptions>
<Option name="action_on_reject">ICMP host prohibited</Option>
<Option name="check_shading">False</Option>
<Option name="cmdline"/>
<Option name="compiler"/>
<Option name="debug">False</Option>
<Option name="eliminate_duplicates">True</Option>
<Option name="firewall_dir">/etc</Option>
<Option name="freebsd_ip_forward">1</Option>
<Option name="freebsd_path_ipf"/>
<Option name="freebsd_path_ipnat"/>
<Option name="freebsd_path_sysctl"/>
<Option name="ignore_empty_groups">False</Option>
<Option name="in_out_code">True</Option>
<Option name="ipf_log_body">False</Option>
<Option name="ipf_log_facility"/>
<Option name="ipf_log_level"/>
<Option name="ipf_log_or_block">False</Option>
<Option name="ipf_nat_ftp_proxy">False</Option>
<Option name="ipf_nat_h323_proxy">False</Option>
<Option name="ipf_nat_ipsec_proxy">False</Option>
<Option name="ipf_nat_raudio_proxy">False</Option>
<Option name="ipf_nat_rcmd_proxy">False</Option>
<Option name="ipf_return_icmp_as_dest">False</Option>
<Option name="manage_virtual_addr">False</Option>
<Option name="pass_all_out">False</Option>
<Option name="snmp_contact"/>
<Option name="snmp_description"/>
<Option name="snmp_location"/>
</FirewallOptions>
</Firewall>
<Firewall comment="" host_OS="macosx" id="id3E51AF8E" lastCompiled="0" lastInstalled="0" lastModified="0" name="mac" platform="ipfw" version="">
<NAT id="id3E51AF92" name="NAT">
</NAT>
<Policy id="id3E51AF91" name="Policy">
<PolicyRule action="Accept" direction="Both" disabled="False" id="id3E51AFA1" log="False" position="26">
<Src neg="False">
<ObjectRef ref="sysid0"/>
</Src><Dst neg="False">
<ObjectRef ref="sysid0"/>
</Dst><Srv neg="False">
<ServiceRef ref="sysid1"/>
</Srv><Itf neg="False">
<ObjectRef ref="id3E51AF99"/>
</Itf><When neg="False">
<IntervalRef ref="sysid2"/>
</When>
<PolicyRuleOptions/>
</PolicyRule>
<PolicyRule action="Accept" direction="Both" disabled="False" id="id41D4F998" log="False" position="1">
<Src neg="False">
<ObjectRef ref="sysid0"/>
</Src><Dst neg="False">
<ObjectRef ref="id3E51AF8E"/>
</Dst><Srv neg="False">
<ServiceRef ref="stdid14_1"/>
</Srv><Itf neg="False">
<ObjectRef ref="sysid0"/>
</Itf><When neg="False">
<IntervalRef ref="sysid2"/>
</When>
<PolicyRuleOptions/>
</PolicyRule>
<PolicyRule action="Deny" direction="Both" disabled="False" id="id3E51B0B0" log="True" position="2">
<Src neg="False">
<ObjectRef ref="sysid0"/>
</Src><Dst neg="False">
<ObjectRef ref="sysid0"/>
</Dst><Srv neg="False">
<ServiceRef ref="ip-IP_Fragments"/>
<ServiceRef ref="id3E51B0E3"/>
</Srv><Itf neg="False">
<ObjectRef ref="sysid0"/>
</Itf><When neg="False">
<IntervalRef ref="sysid2"/>
</When>
<PolicyRuleOptions>
<Option name="stateless">True</Option>
</PolicyRuleOptions>
</PolicyRule>
<PolicyRule action="Accept" direction="Both" disabled="False" id="id3E51B025" log="False" position="3">
<Src neg="False">
<ObjectRef ref="sysid0"/>
</Src><Dst neg="False">
<ObjectRef ref="id3E51AF8E"/>
</Dst><Srv neg="False">
<ServiceRef ref="tcp-SSH"/>
<ServiceRef ref="sg-Useful_ICMP"/>
<ServiceRef ref="tcp-SMTP"/>
<ServiceRef ref="udp-All_UDP"/>
</Srv><Itf neg="False">
<ObjectRef ref="sysid0"/>
</Itf><When neg="False">
<IntervalRef ref="sysid2"/>
</When>
<PolicyRuleOptions/>
</PolicyRule>
<PolicyRule action="Accept" direction="Both" disabled="False" id="id3E51BD2E" log="False" position="4">
<Src neg="False">
<ObjectRef ref="id3E51AF8E"/>
</Src><Dst neg="False">
<ObjectRef ref="sysid0"/>
</Dst><Srv neg="False">
<ServiceRef ref="udp-DNS"/>
<ServiceRef ref="sg-Useful_ICMP"/>
<ServiceRef ref="sg-DHCP"/>
<ServiceRef ref="tcp-All_TCP"/>
</Srv><Itf neg="False">
<ObjectRef ref="sysid0"/>
</Itf><When neg="False">
<IntervalRef ref="sysid2"/>
</When>
<PolicyRuleOptions/>
</PolicyRule>
<PolicyRule action="Deny" direction="Both" disabled="False" id="id3E51B010" log="True" position="5">
<Src neg="False">
<ObjectRef ref="sysid0"/>
</Src><Dst neg="False">
<ObjectRef ref="sysid0"/>
</Dst><Srv neg="False">
<ServiceRef ref="sysid1"/>
</Srv><Itf neg="False">
<ObjectRef ref="sysid0"/>
</Itf><When neg="False">
<IntervalRef ref="sysid2"/>
</When>
<PolicyRuleOptions>
<Option name="stateless">True</Option>
</PolicyRuleOptions>
</PolicyRule>
</Policy>
<Routing id="id3E51AF8E-routing" name="Routing">
</Routing>
<Interface bridgeport="False" dyn="False" id="id3E51AF99" label="" name="lo0" security_level="100" unnum="False">
<IPv4 address="127.0.0.1" id="id3E51AF9B" name="mac:lo0(ip)" netmask="255.0.0.0"/>
</Interface><Interface bridgeport="False" dyn="False" id="id3E51AF9C" label="" name="en0" security_level="0" unnum="False">
<IPv4 address="10.3.14.30" comment="" id="id3E51AF9E" name="mac:en0(ip)" netmask="255.255.255.0"/>
</Interface>
<Management address="10.2.1.100">
<SNMPManagement enabled="False" snmp_read_community="" snmp_write_community=""/>
<FWBDManagement enabled="True" identity="" port="9999"/>
<PolicyInstallScript arguments="" command="" enabled="False"/>
</Management>
<FirewallOptions>
<Option name="action_on_reject">ICMP host prohibited</Option>
<Option name="check_shading">True</Option>
<Option name="cmdline"/>
<Option name="compiler"/>
<Option name="debug">True</Option>
<Option name="eliminate_duplicates">True</Option>
<Option name="firewall_dir">/etc</Option>
<Option name="freebsd_ip_forward">1</Option>
<Option name="freebsd_path_ipf"/>
<Option name="freebsd_path_ipnat"/>
<Option name="freebsd_path_sysctl"/>
<Option name="ignore_empty_groups">False</Option>
<Option name="in_out_code">True</Option>
<Option name="ipf_log_body">False</Option>
<Option name="ipf_log_facility"/>
<Option name="ipf_log_level"/>
<Option name="ipf_log_or_block">False</Option>
<Option name="ipf_nat_ftp_proxy">False</Option>
<Option name="ipf_nat_h323_proxy">False</Option>
<Option name="ipf_nat_ipsec_proxy">False</Option>
<Option name="ipf_nat_raudio_proxy">False</Option>
<Option name="ipf_nat_rcmd_proxy">False</Option>
<Option name="ipf_return_icmp_as_dest">False</Option>
<Option name="loopback_interface">lo0</Option>
<Option name="macosx_ip_forward">1</Option>
<Option name="macosx_ip_redirect">0</Option>
<Option name="macosx_ip_sourceroute">0</Option>
<Option name="macosx_path_ipfw"/>
<Option name="macosx_path_sysctl"/>
<Option name="manage_virtual_addr">False</Option>
<Option name="pass_all_out">False</Option>
<Option name="snmp_contact"/>
<Option name="snmp_description"/>
<Option name="snmp_location"/>
</FirewallOptions>
</Firewall>
<Firewall comment="testing DNSName object" host_OS="freebsd" id="id43867C1018346" lastCompiled="0" lastInstalled="0" lastModified="0" name="firewall33" platform="ipfw" version="">
<NAT id="id43867C4818346" name="NAT">
<NATRule disabled="False" id="id43876E2618346" position="0">
<OSrc neg="False">
<ObjectRef ref="sysid0"/>
</OSrc>
<ODst neg="False">
<ObjectRef ref="id43869E8C18346"/>
</ODst>
<OSrv neg="False">
<ServiceRef ref="sysid1"/>
</OSrv>
<TSrc neg="False">
<ObjectRef ref="id43867C5818346"/>
</TSrc>
<TDst neg="False">
<ObjectRef ref="sysid0"/>
</TDst>
<TSrv neg="False">
<ServiceRef ref="sysid1"/>
</TSrv>
<NATRuleOptions/>
</NATRule><NATRule comment="" disabled="False" id="id43876E5218346" position="1">
<OSrc neg="False">
<ObjectRef ref="sysid0"/>
</OSrc>
<ODst neg="False">
<ObjectRef ref="id43869E8D18346"/>
</ODst>
<OSrv neg="False">
<ServiceRef ref="sysid1"/>
</OSrv>
<TSrc neg="False">
<ObjectRef ref="id43867C5818346"/>
</TSrc>
<TDst neg="False">
<ObjectRef ref="sysid0"/>
</TDst>
<TSrv neg="False">
<ServiceRef ref="sysid1"/>
</TSrv>
<NATRuleOptions/>
</NATRule><NATRule disabled="False" id="id43876E6918346" position="2">
<OSrc neg="False">
<ObjectRef ref="sysid0"/>
</OSrc>
<ODst neg="False">
<ObjectRef ref="id43869E8D18346"/>
<ObjectRef ref="id4387287A18346"/>
</ODst>
<OSrv neg="False">
<ServiceRef ref="sysid1"/>
</OSrv>
<TSrc neg="False">
<ObjectRef ref="id43867C5818346"/>
</TSrc>
<TDst neg="False">
<ObjectRef ref="sysid0"/>
</TDst>
<TSrv neg="False">
<ServiceRef ref="sysid1"/>
</TSrv>
<NATRuleOptions/>
</NATRule><NATRule disabled="False" id="id43876E7B18346" position="3">
<OSrc neg="False">
<ObjectRef ref="sysid0"/>
</OSrc>
<ODst neg="True">
<ObjectRef ref="id43869E8D18346"/>
<ObjectRef ref="id4387287A18346"/>
</ODst>
<OSrv neg="False">
<ServiceRef ref="sysid1"/>
</OSrv>
<TSrc neg="False">
<ObjectRef ref="id43867C5818346"/>
</TSrc>
<TDst neg="False">
<ObjectRef ref="sysid0"/>
</TDst>
<TSrv neg="False">
<ServiceRef ref="sysid1"/>
</TSrv>
<NATRuleOptions/>
</NATRule></NAT>
<Policy id="id43867C1618346" name="Policy">
<PolicyRule action="Accept" direction="Both" disabled="False" id="id43867C2418346" log="False" position="0">
<Src neg="False">
<ObjectRef ref="id43869E8C18346"/>
</Src><Dst neg="False">
<ObjectRef ref="sysid0"/>
</Dst><Srv neg="False">
<ServiceRef ref="sysid1"/>
</Srv><Itf neg="False">
<ObjectRef ref="sysid0"/>
</Itf><When neg="False">
<IntervalRef ref="sysid2"/>
</When>
<PolicyRuleOptions/>
</PolicyRule>
<PolicyRule action="Accept" direction="Both" disabled="False" id="id43869E9018346" log="False" position="1">
<Src neg="False">
<ObjectRef ref="id43869E8D18346"/>
</Src><Dst neg="False">
<ObjectRef ref="sysid0"/>
</Dst><Srv neg="False">
<ServiceRef ref="sysid1"/>
</Srv><Itf neg="False">
<ObjectRef ref="sysid0"/>
</Itf><When neg="False">
<IntervalRef ref="sysid2"/>
</When>
<PolicyRuleOptions/>
</PolicyRule>
<PolicyRule action="Accept" direction="Both" disabled="False" id="id43869E9E18346" log="False" position="2">
<Src neg="False">
<ObjectRef ref="id43869E8E18346"/>
</Src><Dst neg="False">
<ObjectRef ref="sysid0"/>
</Dst><Srv neg="False">
<ServiceRef ref="sysid1"/>
</Srv><Itf neg="False">
<ObjectRef ref="sysid0"/>
</Itf><When neg="False">
<IntervalRef ref="sysid2"/>
</When>
<PolicyRuleOptions/>
</PolicyRule>
<PolicyRule action="Accept" direction="Both" disabled="False" id="id43869EAA18346" log="False" position="3">
<Src neg="False">
<ObjectRef ref="id43869E8F18346"/>
</Src><Dst neg="False">
<ObjectRef ref="sysid0"/>
</Dst><Srv neg="False">
<ServiceRef ref="sysid1"/>
</Srv><Itf neg="False">
<ObjectRef ref="sysid0"/>
</Itf><When neg="False">
<IntervalRef ref="sysid2"/>
</When>
<PolicyRuleOptions/>
</PolicyRule>
<PolicyRule action="Deny" direction="Both" disabled="False" id="id4386E38318346" log="False" position="4">
<Src neg="False">
<ObjectRef ref="sysid0"/>
</Src><Dst neg="True">
<ObjectRef ref="id43869E8C18346"/>
</Dst><Srv neg="False">
<ServiceRef ref="sysid1"/>
</Srv><Itf neg="False">
<ObjectRef ref="sysid0"/>
</Itf><When neg="False">
<IntervalRef ref="sysid2"/>
</When>
<PolicyRuleOptions>
<Option name="stateless">True</Option>
</PolicyRuleOptions>
</PolicyRule>
<PolicyRule action="Deny" direction="Both" disabled="False" id="id4386E37718346" log="False" position="5">
<Src neg="False">
<ObjectRef ref="sysid0"/>
</Src><Dst neg="True">
<ObjectRef ref="id43869E8D18346"/>
</Dst><Srv neg="False">
<ServiceRef ref="sysid1"/>
</Srv><Itf neg="False">
<ObjectRef ref="sysid0"/>
</Itf><When neg="False">
<IntervalRef ref="sysid2"/>
</When>
<PolicyRuleOptions>
<Option name="stateless">True</Option>
</PolicyRuleOptions>
</PolicyRule>
<PolicyRule action="Accept" direction="Both" disabled="False" id="id43867C3018346" log="False" position="6">
<Src neg="False">
<ObjectRef ref="sysid0"/>
</Src><Dst neg="True">
<ObjectRef ref="id43869E8E18346"/>
</Dst><Srv neg="False">
<ServiceRef ref="sysid1"/>
</Srv><Itf neg="False">
<ObjectRef ref="sysid0"/>
</Itf><When neg="False">
<IntervalRef ref="sysid2"/>
</When>
<PolicyRuleOptions/>
</PolicyRule>
<PolicyRule action="Accept" direction="Both" disabled="False" id="id4386C10D18346" log="False" position="7">
<Src neg="False">
<ObjectRef ref="sysid0"/>
</Src><Dst neg="True">
<ObjectRef ref="id43869E8F18346"/>
</Dst><Srv neg="False">
<ServiceRef ref="sysid1"/>
</Srv><Itf neg="False">
<ObjectRef ref="sysid0"/>
</Itf><When neg="False">
<IntervalRef ref="sysid2"/>
</When>
<PolicyRuleOptions/>
</PolicyRule>
<PolicyRule action="Accept" comment="" direction="Both" disabled="False" id="id438728A918346" log="False" position="8">
<Src neg="False">
<ObjectRef ref="sysid0"/>
</Src><Dst neg="True">
<ObjectRef ref="id43869E8C18346"/>
<ObjectRef ref="id4387287918346"/>
</Dst><Srv neg="False">
<ServiceRef ref="sysid1"/>
</Srv><Itf neg="False">
<ObjectRef ref="sysid0"/>
</Itf><When neg="False">
<IntervalRef ref="sysid2"/>
</When>
<PolicyRuleOptions/>
</PolicyRule>
<PolicyRule action="Accept" comment="" direction="Both" disabled="False" id="id438728BA18346" log="False" position="9">
<Src neg="False">
<ObjectRef ref="sysid0"/>
</Src><Dst neg="True">
<ObjectRef ref="id43869E8D18346"/>
<ObjectRef ref="id4387287A18346"/>
</Dst><Srv neg="False">
<ServiceRef ref="sysid1"/>
</Srv><Itf neg="False">
<ObjectRef ref="sysid0"/>
</Itf><When neg="False">
<IntervalRef ref="sysid2"/>
</When>
<PolicyRuleOptions/>
</PolicyRule>
<PolicyRule action="Accept" comment="" direction="Both" disabled="False" id="id438728CD18346" log="False" position="10">
<Src neg="False">
<ObjectRef ref="sysid0"/>
</Src><Dst neg="True">
<ObjectRef ref="id43869E8C18346"/>
<ObjectRef ref="id4387287A18346"/>
</Dst><Srv neg="False">
<ServiceRef ref="sysid1"/>
</Srv><Itf neg="False">
<ObjectRef ref="sysid0"/>
</Itf><When neg="False">
<IntervalRef ref="sysid2"/>
</When>
<PolicyRuleOptions/>
</PolicyRule>
<PolicyRule action="Deny" direction="Both" disabled="False" id="id43867C3C18346" log="True" position="11">
<Src neg="False">
<ObjectRef ref="sysid0"/>
</Src><Dst neg="False">
<ObjectRef ref="sysid0"/>
</Dst><Srv neg="False">
<ServiceRef ref="sysid1"/>
</Srv><Itf neg="False">
<ObjectRef ref="sysid0"/>
</Itf><When neg="False">
<IntervalRef ref="sysid2"/>
</When>
<PolicyRuleOptions>
<Option name="stateless">True</Option>
</PolicyRuleOptions>
</PolicyRule>
</Policy>
<Routing id="id43867C5718346" name="Routing">
</Routing>
<Interface bridgeport="False" comment="VLAN interface" dyn="True" id="id43867C5818346" label="" mgmt="False" name="eth0.100" security_level="0" unnum="False"/><Interface bridgeport="False" dyn="False" id="id43867C5918346" name="lo" security_level="100" unnum="False">
<IPv4 address="127.0.0.1" id="id43867C5B18346" name="firewall33:lo:ip" netmask="255.0.0.0"/>
</Interface><Interface bridgeport="False" comment="" dyn="False" id="id43867C5C18346" label="" mgmt="True" name="eth1" security_level="100" unnum="False">
<IPv4 address="192.168.1.100" comment="" id="id43867C5E18346" name="firewall33:eth1:ip" netmask="255.255.255.0"/>
</Interface>
<Management address="192.168.1.100">
<SNMPManagement enabled="False" snmp_read_community="public" snmp_write_community=""/>
<FWBDManagement enabled="True" identity="" port="9999"/>
<PolicyInstallScript arguments="" command="" enabled="False"/>
</Management>
<FirewallOptions>
<Option name="accept_established">True</Option>
<Option name="accept_new_tcp_with_no_syn">True</Option>
<Option name="action_on_reject">ICMP net unreachable</Option>
<Option name="activationCmd"/>
<Option name="admUser"/>
<Option name="altAddress"/>
<Option name="bridging_fw">False</Option>
<Option name="check_shading">False</Option>
<Option name="clamp_mss_to_mtu">False</Option>
<Option name="cmdline"/>
<Option name="compiler"/>
<Option name="configure_interfaces">True</Option>
<Option name="debug">False</Option>
<Option name="drop_invalid">False</Option>
<Option name="dyn_addr">False</Option>
<Option name="epilog_script"/>
<Option name="firewall_dir"/>
<Option name="firewall_is_part_of_any">True</Option>
<Option name="firewall_is_part_of_any_and_networks">True</Option>
<Option name="ignore_empty_groups">False</Option>
<Option name="inst_cmdline"/>
<Option name="inst_script"/>
<Option name="install_script"/>
<Option name="limit_suffix">/day</Option>
<Option name="limit_value">0</Option>
<Option name="linux24_accept_redirects"/>
<Option name="linux24_accept_source_route"/>
<Option name="linux24_icmp_echo_ignore_all"/>
<Option name="linux24_icmp_echo_ignore_broadcasts"/>
<Option name="linux24_icmp_ignore_bogus_error_responses"/>
<Option name="linux24_ip_dynaddr"/>
<Option name="linux24_ip_forward"/>
<Option name="linux24_log_martians"/>
<Option name="linux24_path_ip"/>
<Option name="linux24_path_iptables"/>
<Option name="linux24_path_logger"/>
<Option name="linux24_path_lsmod"/>
<Option name="linux24_path_modprobe"/>
<Option name="linux24_rp_filter"/>
<Option name="linux24_tcp_ecn"/>
<Option name="linux24_tcp_fack"/>
<Option name="linux24_tcp_fin_timeout">30</Option>
<Option name="linux24_tcp_keepalive_interval">1800</Option>
<Option name="linux24_tcp_sack"/>
<Option name="linux24_tcp_syncookies"/>
<Option name="linux24_tcp_timestamps"/>
<Option name="linux24_tcp_window_scaling"/>
<Option name="load_modules">False</Option>
<Option name="local_nat">False</Option>
<Option name="log_all">False</Option>
<Option name="log_all_dropped">False</Option>
<Option name="log_invalid">False</Option>
<Option name="log_ip_opt">False</Option>
<Option name="log_level">debug</Option>
<Option name="log_limit_suffix">/second</Option>
<Option name="log_limit_value">0</Option>
<Option name="log_prefix">RULE %N -- %A on %I </Option>
<Option name="log_tcp_opt">False</Option>
<Option name="log_tcp_seq">False</Option>
<Option name="manage_virtual_addr">True</Option>
<Option name="mgmt_addr"/>
<Option name="mgmt_ssh">False</Option>
<Option name="no_iochains_for_any">False</Option>
<Option name="no_optimisation">False</Option>
<Option name="output_file"/>
<Option name="platform">iptables</Option>
<Option name="prolog_place">top</Option>
<Option name="prolog_script"/>
<Option name="proxy_arp">False</Option>
<Option name="script_env_path"/>
<Option name="snmp_contact"/>
<Option name="snmp_description"/>
<Option name="snmp_location"/>
<Option name="sshArgs"/>
<Option name="ulog_cprange">0</Option>
<Option name="ulog_nlgroup">1</Option>
<Option name="ulog_qthreshold">1</Option>
<Option name="use_ULOG">False</Option>
<Option name="use_ip_tool">False</Option>
<Option name="use_iptables_restore">False</Option>
<Option name="use_numeric_log_levels">False</Option>
<Option name="verify_interfaces">False</Option>
</FirewallOptions>
</Firewall>
<Firewall comment="Testing actions Pipe, Classify, Custom" host_OS="freebsd" id="id43F7AAE423738" inactive="False" lastCompiled="1160203243" lastInstalled="0" lastModified="1160203225" name="firewall34" platform="ipfw" version="">
<NAT id="id43F7AB2723738" name="NAT">
<NATRule disabled="False" id="id43F7AB2823738" position="0">
<OSrc neg="False">
<ObjectRef ref="net-Internal_net"/>
</OSrc>
<ODst neg="False">
<ObjectRef ref="sysid0"/>
</ODst>
<OSrv neg="False">
<ServiceRef ref="sysid1"/>
</OSrv>
<TSrc neg="False">
<ObjectRef ref="id43F7AAE423738"/>
</TSrc>
<TDst neg="False">
<ObjectRef ref="sysid0"/>
</TDst>
<TSrv neg="False">
<ServiceRef ref="sysid1"/>
</TSrv>
<NATRuleOptions/>
</NATRule><NATRule comment="" disabled="False" id="id43F7AB3623738" position="1">
<OSrc neg="False">
<ObjectRef ref="net-Internal_net"/>
</OSrc>
<ODst neg="False">
<ObjectRef ref="sysid0"/>
</ODst>
<OSrv neg="False">
<ServiceRef ref="sysid1"/>
</OSrv>
<TSrc neg="False">
<ObjectRef ref="id43F7ABAA23738"/>
</TSrc>
<TDst neg="False">
<ObjectRef ref="sysid0"/>
</TDst>
<TSrv neg="False">
<ServiceRef ref="sysid1"/>
</TSrv>
<NATRuleOptions/>
</NATRule><NATRule comment="" disabled="False" id="id43F7AB4423738" position="2">
<OSrc neg="False">
<ObjectRef ref="net-Internal_net"/>
</OSrc>
<ODst neg="False">
<ObjectRef ref="sysid0"/>
</ODst>
<OSrv neg="False">
<ServiceRef ref="sysid1"/>
</OSrv>
<TSrc neg="False">
<ObjectRef ref="id43F7ABAD23738"/>
</TSrc>
<TDst neg="False">
<ObjectRef ref="sysid0"/>
</TDst>
<TSrv neg="False">
<ServiceRef ref="sysid1"/>
</TSrv>
<NATRuleOptions/>
</NATRule><NATRule disabled="False" id="id43F7AB5223738" position="3">
<OSrc neg="False">
<ObjectRef ref="sysid0"/>
</OSrc>
<ODst neg="False">
<ObjectRef ref="id43F7AAE423738"/>
</ODst>
<OSrv neg="False">
<ServiceRef ref="tcp-SSH"/>
</OSrv>
<TSrc neg="False">
<ObjectRef ref="sysid0"/>
</TSrc>
<TDst neg="False">
<ObjectRef ref="id3D58227A"/>
</TDst>
<TSrv neg="False">
<ServiceRef ref="sysid1"/>
</TSrv>
<NATRuleOptions/>
</NATRule><NATRule disabled="False" id="id43F7AB6023738" position="4">
<OSrc neg="False">
<ObjectRef ref="sysid0"/>
</OSrc>
<ODst neg="False">
<ObjectRef ref="id43F7AAE423738"/>
</ODst>
<OSrv neg="False">
<ServiceRef ref="tcp-SSH"/>
</OSrv>
<TSrc neg="False">
<ObjectRef ref="sysid0"/>
</TSrc>
<TDst neg="False">
<ObjectRef ref="id3D58227E"/>
</TDst>
<TSrv neg="False">
<ServiceRef ref="sysid1"/>
</TSrv>
<NATRuleOptions/>
</NATRule><NATRule disabled="False" id="id43F7AB6E23738" position="5">
<OSrc neg="False">
<ObjectRef ref="sysid0"/>
</OSrc>
<ODst neg="False">
<ObjectRef ref="id43F7AAE423738"/>
</ODst>
<OSrv neg="False">
<ServiceRef ref="tcp-SSH"/>
</OSrv>
<TSrc neg="False">
<ObjectRef ref="sysid0"/>
</TSrc>
<TDst neg="False">
<ObjectRef ref="id3D582282"/>
</TDst>
<TSrv neg="False">
<ServiceRef ref="sysid1"/>
</TSrv>
<NATRuleOptions/>
</NATRule><NATRule disabled="False" id="id43F7AB7C23738" position="6">
<OSrc neg="False">
<ObjectRef ref="sysid0"/>
</OSrc>
<ODst neg="False">
<ObjectRef ref="id43F7AAE423738"/>
</ODst>
<OSrv neg="False">
<ServiceRef ref="tcp-SSH"/>
</OSrv>
<TSrc neg="False">
<ObjectRef ref="sysid0"/>
</TSrc>
<TDst neg="False">
<ObjectRef ref="id3D582283"/>
</TDst>
<TSrv neg="False">
<ServiceRef ref="sysid1"/>
</TSrv>
<NATRuleOptions/>
</NATRule><NATRule comment="" disabled="False" id="id43F7AB8A23738" position="7">
<OSrc neg="False">
<ObjectRef ref="sysid0"/>
</OSrc>
<ODst neg="False">
<ObjectRef ref="id43F7ABAA23738"/>
</ODst>
<OSrv neg="False">
<ServiceRef ref="tcp-SSH"/>
</OSrv>
<TSrc neg="False">
<ObjectRef ref="sysid0"/>
</TSrc>
<TDst neg="False">
<ObjectRef ref="id3D582283"/>
</TDst>
<TSrv neg="False">
<ServiceRef ref="sysid1"/>
</TSrv>
<NATRuleOptions/>
</NATRule><NATRule comment="" disabled="False" id="id43F7AB9823738" position="8">
<OSrc neg="False">
<ObjectRef ref="sysid0"/>
</OSrc>
<ODst neg="False">
<ObjectRef ref="id43F7ABAE23738"/>
</ODst>
<OSrv neg="False">
<ServiceRef ref="tcp-SSH"/>
</OSrv>
<TSrc neg="False">
<ObjectRef ref="sysid0"/>
</TSrc>
<TDst neg="False">
<ObjectRef ref="id3D582283"/>
</TDst>
<TSrv neg="False">
<ServiceRef ref="sysid1"/>
</TSrv>
<NATRuleOptions/>
</NATRule></NAT>
<Policy id="id43F7AAEA23738" name="Policy">
<PolicyRule action="Pipe" comment="port 8668 is natd" direction="Both" disabled="False" id="id43F7AAEB23738" log="False" position="0">
<Src neg="False">
<ObjectRef ref="net-Internal_net"/>
</Src><Dst neg="False">
<ObjectRef ref="sysid0"/>
</Dst><Srv neg="False">
<ServiceRef ref="sysid1"/>
</Srv><Itf neg="False">
<ObjectRef ref="id43F7ABAA23738"/>
</Itf><When neg="False">
<IntervalRef ref="sysid2"/>
</When>
<PolicyRuleOptions>
<Option name="action_on_reject"/>
<Option name="classify_str"/>
<Option name="custom_str"/>
<Option name="ipf_route_opt_addr"/>
<Option name="ipf_route_opt_if"/>
<Option name="ipf_route_option">Route through</Option>
<Option name="ipfw_classify_method">2</Option>
<Option name="ipfw_pipe_port_num">8668</Option>
<Option name="ipfw_pipe_queue_num">0</Option>
<Option name="ipt_continue">False</Option>
<Option name="ipt_gw"/>
<Option name="ipt_iif"/>
<Option name="ipt_mark_connections">False</Option>
<Option name="ipt_mark_prerouting">False</Option>
<Option name="ipt_oif"/>
<Option name="ipt_tee">False</Option>
<Option name="pf_fastroute">False</Option>
<Option name="pf_route_opt_addr"/>
<Option name="pf_route_opt_if"/>
<Option name="pf_route_option">Route through</Option>
<Option name="rule_name_accounting"/>
<Option name="stateless">True</Option>
<Option name="tagvalue"/>
</PolicyRuleOptions>
</PolicyRule>
<PolicyRule action="Custom" comment="rule doing divert to natd (8668) should go before check-state&#10;" direction="Both" disabled="False" id="id45275D7A5394" log="False" position="1">
<Src neg="False">
<ObjectRef ref="sysid0"/>
</Src><Dst neg="False">
<ObjectRef ref="sysid0"/>
</Dst><Srv neg="False">
<ServiceRef ref="sysid1"/>
</Srv><Itf neg="False">
<ObjectRef ref="sysid0"/>
</Itf><When neg="False">
<IntervalRef ref="sysid2"/>
</When>
<PolicyRuleOptions>
<Option name="action_on_reject"/>
<Option name="classify_str"/>
<Option name="custom_str">check-state</Option>
<Option name="ipf_route_opt_addr"/>
<Option name="ipf_route_opt_if"/>
<Option name="ipf_route_option">Route through</Option>
<Option name="ipfw_classify_method">2</Option>
<Option name="ipfw_pipe_port_num">0</Option>
<Option name="ipfw_pipe_queue_num">0</Option>
<Option name="ipt_continue">False</Option>
<Option name="ipt_gw"/>
<Option name="ipt_iif"/>
<Option name="ipt_mark_connections">False</Option>
<Option name="ipt_mark_prerouting">False</Option>
<Option name="ipt_oif"/>
<Option name="ipt_tee">False</Option>
<Option name="pf_fastroute">False</Option>
<Option name="pf_route_opt_addr"/>
<Option name="pf_route_opt_if"/>
<Option name="pf_route_option">Route through</Option>
<Option name="rule_name_accounting"/>
<Option name="stateless">True</Option>
</PolicyRuleOptions>
</PolicyRule>
<PolicyRule action="Pipe" comment="" direction="Both" disabled="False" id="id452299478881" log="False" position="2">
<Src neg="False">
<ObjectRef ref="net-Internal_net"/>
</Src><Dst neg="False">
<ObjectRef ref="sysid0"/>
</Dst><Srv neg="False">
<ServiceRef ref="tcp-SSH"/>
</Srv><Itf neg="False">
<ObjectRef ref="sysid0"/>
</Itf><When neg="False">
<IntervalRef ref="sysid2"/>
</When>
<PolicyRuleOptions>
<Option name="action_on_reject"/>
<Option name="classify_str"/>
<Option name="custom_str"/>
<Option name="ipfw_classify_method">2</Option>
<Option name="ipfw_pipe_port_num">1234</Option>
<Option name="ipfw_pipe_queue_num">0</Option>
<Option name="rule_name_accounting"/>
<Option name="stateless">True</Option>
<Option name="tagvalue"/>
</PolicyRuleOptions>
</PolicyRule>
<PolicyRule action="Classify" comment="" direction="Both" disabled="False" id="id43F7AC9D23738" log="False" position="3">
<Src neg="False">
<ObjectRef ref="net-Internal_net"/>
</Src><Dst neg="False">
<ObjectRef ref="sysid0"/>
</Dst><Srv neg="False">
<ServiceRef ref="tcp-SSH"/>
</Srv><Itf neg="False">
<ObjectRef ref="sysid0"/>
</Itf><When neg="False">
<IntervalRef ref="sysid2"/>
</When>
<PolicyRuleOptions>
<Option name="action_on_reject"/>
<Option name="classify_str"/>
<Option name="custom_str"/>
<Option name="ipfw_classify_method">2</Option>
<Option name="ipfw_pipe_method">1</Option>
<Option name="ipfw_pipe_port_num">0</Option>
<Option name="ipfw_pipe_queue_num">2</Option>
<Option name="rule_name_accounting"/>
<Option name="stateless">True</Option>
<Option name="tagvalue"/>
</PolicyRuleOptions>
</PolicyRule>
<PolicyRule action="Classify" comment="" direction="Both" disabled="False" id="id43F7ACAE23738" log="False" position="4">
<Src neg="False">
<ObjectRef ref="net-Internal_net"/>
</Src><Dst neg="False">
<ObjectRef ref="sysid0"/>
</Dst><Srv neg="False">
<ServiceRef ref="tcp-HTTP"/>
</Srv><Itf neg="False">
<ObjectRef ref="sysid0"/>
</Itf><When neg="False">
<IntervalRef ref="sysid2"/>
</When>
<PolicyRuleOptions>
<Option name="action_on_reject"/>
<Option name="classify_str"/>
<Option name="custom_str"/>
<Option name="ipfw_classify_method">1</Option>
<Option name="ipfw_classify_port_num">1</Option>
<Option name="ipfw_pipe_method">2</Option>
<Option name="ipfw_pipe_port_num">0</Option>
<Option name="ipfw_pipe_queue_num">1</Option>
<Option name="rule_name_accounting"/>
<Option name="stateless">True</Option>
<Option name="tagvalue"/>
</PolicyRuleOptions>
</PolicyRule>
<PolicyRule action="Custom" direction="Both" disabled="False" id="id43F7C4D723738" log="True" position="5">
<Src neg="False">
<ObjectRef ref="net-Internal_net"/>
</Src><Dst neg="False">
<ObjectRef ref="sysid0"/>
</Dst><Srv neg="False">
<ServiceRef ref="sysid1"/>
</Srv><Itf neg="False">
<ObjectRef ref="sysid0"/>
</Itf><When neg="False">
<IntervalRef ref="sysid2"/>
</When>
<PolicyRuleOptions>
<Option name="action_on_reject"/>
<Option name="classify_str"/>
<Option name="custom_str">prob .80</Option>
<Option name="ipfw_pipe_method">2</Option>
<Option name="ipfw_pipe_port_num">0</Option>
<Option name="rule_name_accounting"/>
<Option name="stateless">True</Option>
<Option name="tagvalue"/>
</PolicyRuleOptions>
</PolicyRule>
<PolicyRule action="Deny" direction="Both" disabled="False" id="id43F7AB1B23738" log="True" position="6">
<Src neg="False">
<ObjectRef ref="sysid0"/>
</Src><Dst neg="False">
<ObjectRef ref="sysid0"/>
</Dst><Srv neg="False">
<ServiceRef ref="sysid1"/>
</Srv><Itf neg="False">
<ObjectRef ref="sysid0"/>
</Itf><When neg="False">
<IntervalRef ref="sysid2"/>
</When>
<PolicyRuleOptions>
<Option name="stateless">True</Option>
</PolicyRuleOptions>
</PolicyRule>
</Policy>
<Routing id="id43F7ABA623738" name="Routing">
</Routing>
<Interface bridgeport="False" comment="" dyn="False" id="id43F7ABA723738" label="" mgmt="False" name="rl0" security_level="100" unnum="False">
<IPv4 address="192.168.1.1" comment="" id="id43F7ABA923738" name="firewall34:rl0:ip" netmask="255.255.255.0"/>
</Interface><Interface bridgeport="False" comment="" dyn="False" id="id43F7ABAA23738" label="" mgmt="False" name="rl1" security_level="0" unnum="False">
<IPv4 address="33.33.33.33" comment="" id="id43F7ABAD23738" name="firewall34:rl1:ip1" netmask="255.255.255.0"/>
<IPv4 address="33.33.33.34" comment="" id="id43F7ABAE23738" name="firewall34:rl1:ip2" netmask="255.255.255.0"/>
</Interface>
<Management address="33.33.33.33">
<SNMPManagement enabled="False" snmp_read_community="" snmp_write_community=""/>
<FWBDManagement enabled="True" identity="" port="9999"/>
<PolicyInstallScript arguments="" command="" enabled="False"/>
</Management>
<FirewallOptions>
<Option name="action_on_reject">ICMP host prohibited</Option>
<Option name="activationCmd"/>
<Option name="add_check_state_rule">False</Option>
<Option name="admUser"/>
<Option name="altAddress"/>
<Option name="check_shading">True</Option>
<Option name="cmdline"/>
<Option name="compiler"/>
<Option name="configure_interfaces">False</Option>
<Option name="debug">False</Option>
<Option name="eliminate_duplicates">True</Option>
<Option name="epilog_script"/>
<Option name="firewall_dir">/etc</Option>
<Option name="freebsd_ip_forward">1</Option>
<Option name="freebsd_path_ipf"/>
<Option name="freebsd_path_ipnat"/>
<Option name="freebsd_path_sysctl"/>
<Option name="ignore_empty_groups">False</Option>
<Option name="in_out_code">True</Option>
<Option name="ipf_log_body">False</Option>
<Option name="ipf_log_facility"/>
<Option name="ipf_log_level"/>
<Option name="ipf_log_or_block">False</Option>
<Option name="ipf_nat_ftp_proxy">False</Option>
<Option name="ipf_nat_raudio_proxy">False</Option>
<Option name="ipf_nat_rcmd_proxy">False</Option>
<Option name="ipf_return_icmp_as_dest">False</Option>
<Option name="manage_virtual_addr">False</Option>
<Option name="mgmt_addr"/>
<Option name="mgmt_ssh">False</Option>
<Option name="output_file"/>
<Option name="pass_all_out">False</Option>
<Option name="prolog_script"/>
<Option name="snmp_contact"/>
<Option name="snmp_description"/>
<Option name="snmp_location"/>
<Option name="sshArgs"/>
</FirewallOptions>
</Firewall>
</ObjectGroup>
<IntervalGroup id="stdid11_1" name="Time"/>
</Library>
<Library id="sysid99" name="Deleted Objects" ro="False">
<ServiceRef ref="sysid1"/>
<Library color="#FFFFFF" comment="" id="id40E233F3" name="West Coast" ro="False">
<ObjectGroup id="id40E233F4" name="Objects">
<ObjectGroup id="id40E233F4_og_ats_1" name="Address Tables"/>
<ObjectGroup id="id40E233F4_og_dnsn_1" name="DNS Names"/>
<ObjectGroup id="id40E233F5" name="Addresses"/>
<ObjectGroup id="id40E233F6" name="Groups">
<ObjectGroup comment="" id="id40E23403" name="West Coast Servers">
<ObjectRef ref="id40E23565"/>
</ObjectGroup>
</ObjectGroup>
<ObjectGroup id="id40E233F7" name="Hosts"/>
<ObjectGroup id="id40E233F8" name="Networks"/>
<ObjectGroup id="id40E233F9" name="Address Ranges"/>
</ObjectGroup>
<ServiceGroup id="id40E233FA" name="Services">
<ServiceGroup id="id40E233FA_og_tag_1" name="TagServices"/><ServiceGroup id="id40E233FB" name="Groups"/><ServiceGroup id="id40E233FC" name="ICMP"/><ServiceGroup id="id40E233FD" name="IP"/><ServiceGroup id="id40E233FE" name="TCP"/><ServiceGroup id="id40E233FF" name="UDP"/><ServiceGroup id="id40E23400" name="Custom"/>
<ServiceGroup id="id40E233FA_userservices" name="User"/>
</ServiceGroup>
<ObjectGroup id="id40E23401" name="Firewalls"/>
<IntervalGroup id="id40E23402" name="Time"/>
</Library>
<Library color="#FFFFFF" comment="" id="id40C3E07E" name="SFO" ro="False">
<ObjectGroup id="id40C3E07F" name="Objects">
<ObjectGroup id="id40C3E07F_og_ats_1" name="Address Tables"/>
<ObjectGroup id="id40C3E07F_og_dnsn_1" name="DNS Names"/>
<ObjectGroup id="id40C3E081" name="Groups">
<ObjectGroup comment="" id="id40E23562" name="SFO Servers"/>
</ObjectGroup>
<ObjectGroup id="id40C3E080" name="Addresses">
<IPv4 address="10.2.10.11" comment="" id="id40E238E9" name="sfoweb1" netmask="255.255.255.255"/>
<IPv4 address="10.2.10.10" comment="" id="id40E238E8" name="sfoftp1" netmask="255.255.255.255"/>
</ObjectGroup>
</ObjectGroup>
</Library>
</Library>
<Library color="#FFFFFF" comment="" id="id4387B43718346" name="transfer">
<ObjectGroup id="id4387B43818346" name="Objects">
<ObjectGroup id="id4387B43918346" name="Addresses"/>
<ObjectGroup id="id4387B43A18346" name="DNS Names"/>
<ObjectGroup id="id4387B43B18346" name="Address Tables"/>
<ObjectGroup id="id4387B43C18346" name="Groups"/>
<ObjectGroup id="id4387B43D18346" name="Hosts"/>
<ObjectGroup id="id4387B43E18346" name="Networks"/>
<ObjectGroup id="id4387B43F18346" name="Address Ranges"/>
</ObjectGroup>
<ServiceGroup id="id4387B44018346" name="Services">
<ServiceGroup id="id4387B44018346_og_tag_1" name="TagServices"/><ServiceGroup id="id4387B44118346" name="Groups"/><ServiceGroup id="id4387B44218346" name="ICMP"/><ServiceGroup id="id4387B44318346" name="IP"/><ServiceGroup id="id4387B44418346" name="TCP"/><ServiceGroup id="id4387B44518346" name="UDP"/><ServiceGroup id="id4387B44618346" name="Custom"/>
<ServiceGroup id="id4387B44018346_userservices" name="User"/>
</ServiceGroup>
<ObjectGroup id="id4387B44718346" name="Firewalls"/>
<IntervalGroup id="id4387B44818346" name="Time"/>
</Library>
<Library color="#d4f8ff" comment="Standard objects" id="syslib000" name="Standard" ro="False">
<ServiceGroup id="stdid05" name="Services">
<ServiceGroup id="stdid06" name="IP">
<IPService comment="IPSEC Encapsulating Security Payload Protocol" fragm="False" id="ip-IPSEC" lsrr="False" name="ESP" protocol_num="50" rr="False" short_fragm="False" ssrr="False" ts="False"/>
<IPService comment="'Short' fragments" fragm="False" id="ip-IP_Fragments" lsrr="False" name="ip_fragments" protocol_num="0" rr="False" short_fragm="True" ssrr="False" ts="False"/>
<IPService comment="Route recording packets" fragm="False" id="ip-RR" lsrr="False" name="RR" protocol_num="0" rr="True" short_fragm="False" ssrr="False" ts="False"/>
<IPService comment="All sorts of Source Routing Packets" fragm="False" id="ip-SRR" lsrr="True" name="SRR" protocol_num="0" rr="False" short_fragm="False" ssrr="True" ts="False"/>
</ServiceGroup><ServiceGroup id="stdid09" name="TCP">
<TCPService ack_flag="False" ack_flag_mask="False" comment="" dst_range_end="113" dst_range_start="113" fin_flag="False" fin_flag_mask="False" id="tcp-Auth" name="auth" psh_flag="False" psh_flag_mask="False" rst_flag="False" rst_flag_mask="False" src_range_end="0" src_range_start="0" syn_flag="False" syn_flag_mask="False" urg_flag="False" urg_flag_mask="False"/>
<TCPService ack_flag="False" ack_flag_mask="False" comment="" dst_range_end="53" dst_range_start="53" fin_flag="False" fin_flag_mask="False" id="tcp-DNS_zone_transf" name="dns-tcp" psh_flag="False" psh_flag_mask="False" rst_flag="False" rst_flag_mask="False" src_range_end="0" src_range_start="0" syn_flag="False" syn_flag_mask="False" urg_flag="False" urg_flag_mask="False"/>
<TCPService ack_flag="False" ack_flag_mask="False" comment="" dst_range_end="21" dst_range_start="21" fin_flag="False" fin_flag_mask="False" id="tcp-FTP" name="ftp" psh_flag="False" psh_flag_mask="False" rst_flag="False" rst_flag_mask="False" src_range_end="0" src_range_start="0" syn_flag="False" syn_flag_mask="False" urg_flag="False" urg_flag_mask="False"/>
<TCPService ack_flag="False" ack_flag_mask="False" comment="" dst_range_end="80" dst_range_start="80" fin_flag="False" fin_flag_mask="False" id="tcp-HTTP" name="http" psh_flag="False" psh_flag_mask="False" rst_flag="False" rst_flag_mask="False" src_range_end="0" src_range_start="0" syn_flag="False" syn_flag_mask="False" urg_flag="False" urg_flag_mask="False"/>
<TCPService ack_flag="False" ack_flag_mask="False" comment="" dst_range_end="119" dst_range_start="119" fin_flag="False" fin_flag_mask="False" id="tcp-NNTP" name="nntp" psh_flag="False" psh_flag_mask="False" rst_flag="False" rst_flag_mask="False" src_range_end="0" src_range_start="0" syn_flag="False" syn_flag_mask="False" urg_flag="False" urg_flag_mask="False"/>
<TCPService ack_flag="False" ack_flag_mask="False" comment="" dst_range_end="25" dst_range_start="25" fin_flag="False" fin_flag_mask="False" id="tcp-SMTP" name="smtp" psh_flag="False" psh_flag_mask="False" rst_flag="False" rst_flag_mask="False" src_range_end="0" src_range_start="0" syn_flag="False" syn_flag_mask="False" urg_flag="False" urg_flag_mask="False"/>
<TCPService ack_flag="False" ack_flag_mask="False" comment="" dst_range_end="22" dst_range_start="22" fin_flag="False" fin_flag_mask="False" id="tcp-SSH" name="ssh" psh_flag="False" psh_flag_mask="False" rst_flag="False" rst_flag_mask="False" src_range_end="0" src_range_start="0" syn_flag="False" syn_flag_mask="False" urg_flag="False" urg_flag_mask="False"/>
<TCPService ack_flag="False" ack_flag_mask="False" comment="" dst_range_end="23" dst_range_start="23" fin_flag="False" fin_flag_mask="False" id="tcp-Telnet" name="telnet" psh_flag="False" psh_flag_mask="False" rst_flag="False" rst_flag_mask="False" src_range_end="0" src_range_start="0" syn_flag="False" syn_flag_mask="False" urg_flag="False" urg_flag_mask="False"/>
<TCPService ack_flag="False" ack_flag_mask="False" comment="" dst_range_end="540" dst_range_start="540" fin_flag="False" fin_flag_mask="False" id="tcp-uucp" name="uucp" psh_flag="False" psh_flag_mask="False" rst_flag="False" rst_flag_mask="False" src_range_end="0" src_range_start="0" syn_flag="False" syn_flag_mask="False" urg_flag="False" urg_flag_mask="False"/>
<TCPService ack_flag="False" ack_flag_mask="False" comment="" dst_range_end="13" dst_range_start="13" fin_flag="False" fin_flag_mask="False" id="id3AEDBE6E" name="daytime" psh_flag="False" psh_flag_mask="False" rst_flag="False" rst_flag_mask="False" src_range_end="0" src_range_start="0" syn_flag="False" syn_flag_mask="False" urg_flag="False" urg_flag_mask="False"/>
<TCPService ack_flag="False" ack_flag_mask="False" comment="" dst_range_end="2105" dst_range_start="2105" fin_flag="False" fin_flag_mask="False" id="id3B4FEDA3" name="eklogin" psh_flag="False" psh_flag_mask="False" rst_flag="False" rst_flag_mask="False" src_range_end="0" src_range_start="0" syn_flag="False" syn_flag_mask="False" urg_flag="False" urg_flag_mask="False"/>
<TCPService ack_flag="False" ack_flag_mask="False" comment="" dst_range_end="443" dst_range_start="443" fin_flag="False" fin_flag_mask="False" id="id3B4FED69" name="https" psh_flag="False" psh_flag_mask="False" rst_flag="False" rst_flag_mask="False" src_range_end="0" src_range_start="0" syn_flag="False" syn_flag_mask="False" urg_flag="False" urg_flag_mask="False"/>
<TCPService ack_flag="False" ack_flag_mask="False" comment="" dst_range_end="143" dst_range_start="143" fin_flag="False" fin_flag_mask="False" id="id3AECF776" name="imap" psh_flag="False" psh_flag_mask="False" rst_flag="False" rst_flag_mask="False" src_range_end="0" src_range_start="0" syn_flag="False" syn_flag_mask="False" urg_flag="False" urg_flag_mask="False"/>
<TCPService ack_flag="False" ack_flag_mask="False" comment="" dst_range_end="993" dst_range_start="993" fin_flag="False" fin_flag_mask="False" id="id3B4FED9F" name="imaps" psh_flag="False" psh_flag_mask="False" rst_flag="False" rst_flag_mask="False" src_range_end="0" src_range_start="0" syn_flag="False" syn_flag_mask="False" urg_flag="False" urg_flag_mask="False"/>
<TCPService ack_flag="False" ack_flag_mask="False" comment="" dst_range_end="6667" dst_range_start="6667" fin_flag="False" fin_flag_mask="False" id="id3B4FF13C" name="irc" psh_flag="False" psh_flag_mask="False" rst_flag="False" rst_flag_mask="False" src_range_end="0" src_range_start="0" syn_flag="False" syn_flag_mask="False" urg_flag="False" urg_flag_mask="False"/>
<TCPService ack_flag="False" ack_flag_mask="False" comment="" dst_range_end="543" dst_range_start="543" fin_flag="False" fin_flag_mask="False" id="id3B4FEE21" name="klogin" psh_flag="False" psh_flag_mask="False" rst_flag="False" rst_flag_mask="False" src_range_end="0" src_range_start="0" syn_flag="False" syn_flag_mask="False" urg_flag="False" urg_flag_mask="False"/>
<TCPService ack_flag="False" ack_flag_mask="False" comment="" dst_range_end="544" dst_range_start="544" fin_flag="False" fin_flag_mask="False" id="id3B4FEE23" name="ksh" psh_flag="False" psh_flag_mask="False" rst_flag="False" rst_flag_mask="False" src_range_end="0" src_range_start="0" syn_flag="False" syn_flag_mask="False" urg_flag="False" urg_flag_mask="False"/>
<TCPService ack_flag="False" ack_flag_mask="False" comment="" dst_range_end="389" dst_range_start="389" fin_flag="False" fin_flag_mask="False" id="id3AECF778" name="ldap" psh_flag="False" psh_flag_mask="False" rst_flag="False" rst_flag_mask="False" src_range_end="0" src_range_start="0" syn_flag="False" syn_flag_mask="False" urg_flag="False" urg_flag_mask="False"/>
<TCPService ack_flag="False" ack_flag_mask="False" comment="" dst_range_end="98" dst_range_start="98" fin_flag="False" fin_flag_mask="False" id="id3B4FF000" name="linuxconf" psh_flag="False" psh_flag_mask="False" rst_flag="False" rst_flag_mask="False" src_range_end="0" src_range_start="0" syn_flag="False" syn_flag_mask="False" urg_flag="False" urg_flag_mask="False"/>
<TCPService ack_flag="False" ack_flag_mask="False" comment="" dst_range_end="3306" dst_range_start="3306" fin_flag="False" fin_flag_mask="False" id="id3B4FEEEE" name="mysql" psh_flag="False" psh_flag_mask="False" rst_flag="False" rst_flag_mask="False" src_range_end="0" src_range_start="0" syn_flag="False" syn_flag_mask="False" urg_flag="False" urg_flag_mask="False"/>
<TCPService ack_flag="False" ack_flag_mask="False" comment="" dst_range_end="2049" dst_range_start="2049" fin_flag="False" fin_flag_mask="False" id="id3B4FEE7A" name="nfs" psh_flag="False" psh_flag_mask="False" rst_flag="False" rst_flag_mask="False" src_range_end="0" src_range_start="0" syn_flag="False" syn_flag_mask="False" urg_flag="False" urg_flag_mask="False"/>
<TCPService ack_flag="False" ack_flag_mask="False" comment="" dst_range_end="110" dst_range_start="110" fin_flag="False" fin_flag_mask="False" id="id3B4FEE1D" name="pop3" psh_flag="False" psh_flag_mask="False" rst_flag="False" rst_flag_mask="False" src_range_end="0" src_range_start="0" syn_flag="False" syn_flag_mask="False" urg_flag="False" urg_flag_mask="False"/>
<TCPService ack_flag="False" ack_flag_mask="False" comment="" dst_range_end="5432" dst_range_start="5432" fin_flag="False" fin_flag_mask="False" id="id3B4FF0EA" name="postgres" psh_flag="False" psh_flag_mask="False" rst_flag="False" rst_flag_mask="False" src_range_end="0" src_range_start="0" syn_flag="False" syn_flag_mask="False" urg_flag="False" urg_flag_mask="False"/>
<TCPService ack_flag="False" ack_flag_mask="False" comment="" dst_range_end="515" dst_range_start="515" fin_flag="False" fin_flag_mask="False" id="id3AECF782" name="printer" psh_flag="False" psh_flag_mask="False" rst_flag="False" rst_flag_mask="False" src_range_end="0" src_range_start="0" syn_flag="False" syn_flag_mask="False" urg_flag="False" urg_flag_mask="False"/>
<TCPService ack_flag="False" ack_flag_mask="False" comment="" dst_range_end="26000" dst_range_start="26000" fin_flag="False" fin_flag_mask="False" id="id3B4FEF7C" name="quake" psh_flag="False" psh_flag_mask="False" rst_flag="False" rst_flag_mask="False" src_range_end="0" src_range_start="0" syn_flag="False" syn_flag_mask="False" urg_flag="False" urg_flag_mask="False"/>
<TCPService ack_flag="False" ack_flag_mask="False" comment="" dst_range_end="512" dst_range_start="512" fin_flag="False" fin_flag_mask="False" id="id3AECF77A" name="rexec" psh_flag="False" psh_flag_mask="False" rst_flag="False" rst_flag_mask="False" src_range_end="0" src_range_start="0" syn_flag="False" syn_flag_mask="False" urg_flag="False" urg_flag_mask="False"/>
<TCPService ack_flag="False" ack_flag_mask="False" comment="" dst_range_end="513" dst_range_start="513" fin_flag="False" fin_flag_mask="False" id="id3AECF77C" name="rlogin" psh_flag="False" psh_flag_mask="False" rst_flag="False" rst_flag_mask="False" src_range_end="0" src_range_start="0" syn_flag="False" syn_flag_mask="False" urg_flag="False" urg_flag_mask="False"/>
<TCPService ack_flag="False" ack_flag_mask="False" comment="" dst_range_end="514" dst_range_start="514" fin_flag="False" fin_flag_mask="False" id="id3AECF77E" name="rshell" psh_flag="False" psh_flag_mask="False" rst_flag="False" rst_flag_mask="False" src_range_end="0" src_range_start="0" syn_flag="False" syn_flag_mask="False" urg_flag="False" urg_flag_mask="False"/>
<TCPService ack_flag="False" ack_flag_mask="False" comment="" dst_range_end="4321" dst_range_start="4321" fin_flag="False" fin_flag_mask="False" id="id3B4FEF34" name="rwhois" psh_flag="False" psh_flag_mask="False" rst_flag="False" rst_flag_mask="False" src_range_end="0" src_range_start="0" syn_flag="False" syn_flag_mask="False" urg_flag="False" urg_flag_mask="False"/>
<TCPService ack_flag="False" ack_flag_mask="False" comment="" dst_range_end="465" dst_range_start="465" fin_flag="False" fin_flag_mask="False" id="id3B4FF04C" name="smtps" psh_flag="False" psh_flag_mask="False" rst_flag="False" rst_flag_mask="False" src_range_end="0" src_range_start="0" syn_flag="False" syn_flag_mask="False" urg_flag="False" urg_flag_mask="False"/>
<TCPService ack_flag="False" ack_flag_mask="False" comment="" dst_range_end="1080" dst_range_start="1080" fin_flag="False" fin_flag_mask="False" id="id3B4FEE76" name="socks" psh_flag="False" psh_flag_mask="False" rst_flag="False" rst_flag_mask="False" src_range_end="0" src_range_start="0" syn_flag="False" syn_flag_mask="False" urg_flag="False" urg_flag_mask="False"/>
<TCPService ack_flag="False" ack_flag_mask="False" comment="" dst_range_end="111" dst_range_start="111" fin_flag="False" fin_flag_mask="False" id="id3AEDBE00" name="sunrpc" psh_flag="False" psh_flag_mask="False" rst_flag="False" rst_flag_mask="False" src_range_end="0" src_range_start="0" syn_flag="False" syn_flag_mask="False" urg_flag="False" urg_flag_mask="False"/>
<TCPService ack_flag="False" ack_flag_mask="False" comment="" dst_range_end="7100" dst_range_start="7100" fin_flag="False" fin_flag_mask="False" id="id3B4FF1B8" name="xfs" psh_flag="False" psh_flag_mask="False" rst_flag="False" rst_flag_mask="False" src_range_end="0" src_range_start="0" syn_flag="False" syn_flag_mask="False" urg_flag="False" urg_flag_mask="False"/>
<TCPService ack_flag="False" ack_flag_mask="True" comment="" dst_range_end="0" dst_range_start="0" fin_flag="False" fin_flag_mask="True" id="tcp-TCP-SYN" name="tcp-syn" psh_flag="False" psh_flag_mask="True" rst_flag="False" rst_flag_mask="True" src_range_end="0" src_range_start="0" syn_flag="True" syn_flag_mask="True" urg_flag="False" urg_flag_mask="True"/>
<TCPService ack_flag="False" ack_flag_mask="False" comment="X Window System" dst_range_end="6063" dst_range_start="6000" fin_flag="False" fin_flag_mask="False" id="id3D703C82" name="X11" psh_flag="False" psh_flag_mask="False" rst_flag="False" rst_flag_mask="False" src_range_end="0" src_range_start="0" syn_flag="False" syn_flag_mask="False" urg_flag="False" urg_flag_mask="False"/>
<TCPService ack_flag="False" ack_flag_mask="False" comment="FTP data channel.&#10; Note: FTP protocol does not really require server to use source port 20 for the data channel, &#10; but many ftp server implementations do so." dst_range_end="65535" dst_range_start="1024" fin_flag="False" fin_flag_mask="False" id="tcp-FTP_data" name="ftp data" psh_flag="False" psh_flag_mask="False" rst_flag="False" rst_flag_mask="False" src_range_end="20" src_range_start="20" syn_flag="False" syn_flag_mask="False" urg_flag="False" urg_flag_mask="False"/>
<TCPService ack_flag="False" ack_flag_mask="False" comment="" dst_range_end="3128" dst_range_start="3128" fin_flag="False" fin_flag_mask="False" id="id3B4FF09A" name="squid" psh_flag="False" psh_flag_mask="False" rst_flag="False" rst_flag_mask="False" src_range_end="0" src_range_start="0" syn_flag="False" syn_flag_mask="False" urg_flag="False" urg_flag_mask="False"/>
<TCPService ack_flag="False" ack_flag_mask="False" comment="" dst_range_end="1720" dst_range_start="1720" fin_flag="False" fin_flag_mask="False" id="id3AEDBEAC" name="H323" psh_flag="False" psh_flag_mask="False" rst_flag="False" rst_flag_mask="False" src_range_end="0" src_range_start="0" syn_flag="False" syn_flag_mask="False" urg_flag="False" urg_flag_mask="False"/>
<TCPService ack_flag="False" ack_flag_mask="False" comment="" dst_range_end="0" dst_range_start="0" fin_flag="False" fin_flag_mask="False" id="tcp-All_TCP" name="All TCP" psh_flag="False" psh_flag_mask="False" rst_flag="False" rst_flag_mask="False" src_range_end="0" src_range_start="0" syn_flag="False" syn_flag_mask="False" urg_flag="False" urg_flag_mask="False"/>
</ServiceGroup><ServiceGroup id="stdid08" name="UDP">
<UDPService comment="" dst_range_end="53" dst_range_start="53" id="udp-DNS" name="domain" src_range_end="0" src_range_start="0"/>
<UDPService comment="" dst_range_end="161" dst_range_start="161" id="udp-SNMP" name="snmp" src_range_end="0" src_range_start="0"/>
<UDPService comment="" dst_range_end="68" dst_range_start="68" id="udp-bootpc" name="bootpc" src_range_end="0" src_range_start="0"/>
<UDPService comment="" dst_range_end="0" dst_range_start="0" id="udp-All_UDP" name="All UDP" src_range_end="0" src_range_start="0"/>
<UDPService comment="" dst_range_end="67" dst_range_start="67" id="udp-bootps" name="bootps" src_range_end="0" src_range_start="0"/>
</ServiceGroup><ServiceGroup id="stdid10" name="Groups">
<ServiceGroup comment="" id="sg-Useful_ICMP" name="Useful_ICMP">
<ServiceRef ref="icmp-Time_exceeded"/>
<ServiceRef ref="icmp-Time_exceeded_in_transit"/>
<ServiceRef ref="icmp-ping_reply"/>
<ServiceRef ref="icmp-Unreachables"/>
</ServiceGroup>
<ServiceGroup comment="" id="sg-DHCP" name="DHCP">
<ServiceRef ref="udp-bootpc"/>
<ServiceRef ref="udp-bootps"/>
</ServiceGroup>
</ServiceGroup><ServiceGroup id="stdid07" name="ICMP">
<ICMPService code="0" comment="" id="icmp-ping_request" name="ping request" type="8"/>
<ICMPService code="-1" comment="" id="icmp-Unreachables" name="all ICMP unreachables" type="3"/>
<ICMPService code="0" comment="ICMP messages of this type are needed for traceroute" id="icmp-Time_exceeded" name="time exceeded" type="11"/>
<ICMPService code="1" comment="" id="icmp-Time_exceeded_in_transit" name="time exceeded in transit" type="11"/>
<ICMPService code="0" comment="" id="icmp-ping_reply" name="ping reply" type="0"/>
</ServiceGroup><CustomService comment="This service matches all packets which are part of network connections established through the firewall, or connections 'related' to those established through the firewall. Term 'established' refers to the state tracking mechanism which exists inside iptables and other stateful firewalls and does not mean any particular combination of packet header options. Packet is considered to correspond to the state 'ESTABLISHED' if it belongs to the network session, for which proper initiation has been seen by the firewall, so its stateful inspection module made appropriate record in the state table. Usually stateful firewalls keep track of network connections using not only tcp protocol, but also udp and sometimes even icmp protocols. 'RELATED' describes packet belonging to a separate network connection, related to the session firewall is keeping track of. One example is FTP command and FTP data sessions." id="stdid14_1" name="ESTABLISHED">
<CustomServiceCommand platform="Undefined"/>
<CustomServiceCommand platform="fwsm"/>
<CustomServiceCommand platform="ipf"/>
<CustomServiceCommand platform="ipfilter"/>
<CustomServiceCommand platform="ipfw">established</CustomServiceCommand>
<CustomServiceCommand platform="iptables">-m state --state ESTABLISHED,RELATED</CustomServiceCommand>
<CustomServiceCommand platform="pf"/>
<CustomServiceCommand platform="pix"/>
<CustomServiceCommand platform="unknown"/>
</CustomService>
<ServiceGroup id="stdid05_userservices" name="User"/>
</ServiceGroup>
<AnyNetwork comment="Any Network" id="sysid0" name="Any" address="0.0.0.0" netmask="0.0.0.0"/>
<AnyInterval comment="Any Interval" from_day="-1" from_hour="-1" from_minute="-1" from_month="-1" from_weekday="-1" from_year="-1" id="sysid2" name="Any" to_day="-1" to_hour="-1" to_minute="-1" to_month="-1" to_weekday="-1" to_year="-1"/>
<AnyIPService comment="Any IP Service" id="sysid1" name="Any" protocol_num="0"/>
<IntervalGroup id="stdid11" name="Time">
<Interval comment="any day 6:00pm - 12:00am" from_day="-1" from_hour="18" from_minute="0" from_month="-1" from_weekday="-1" from_year="-1" id="int-afterhours" name="afterhours" to_day="-1" to_hour="23" to_minute="59" to_month="-1" to_weekday="-1" to_year="-1"/>
<Interval comment="" from_day="-1" from_hour="0" from_minute="0" from_month="-1" from_weekday="6" from_year="-1" id="id3C63479C" name="Sat" to_day="-1" to_hour="23" to_minute="59" to_month="-1" to_weekday="6" to_year="-1"/>
<Interval comment="" from_day="-1" from_hour="0" from_minute="0" from_month="-1" from_weekday="0" from_year="-1" id="id3C63479E" name="Sun" to_day="-1" to_hour="23" to_minute="59" to_month="-1" to_weekday="0" to_year="-1"/>
</IntervalGroup>
</Library>
</FWObjectDatabase>
Reference in New Issue View Git Blame Copy Permalink