<?xml version="1.0" encoding="utf-8"?>
<!DOCTYPE FWObjectDatabase SYSTEM "fwbuilder.dtd">
<FWObjectDatabase xmlns="http://www.fwbuilder.org/1.0/" version="19" lastModified="1302483417" id="root">
<Library id="syslib000" color="#d4f8ff" name="Standard" comment="Standard objects" ro="True">
<AnyNetwork id="sysid0" name="Any" comment="Any Network" ro="False" address="0.0.0.0" netmask="0.0.0.0"/>
<AnyIPService id="sysid1" protocol_num="0" name="Any" comment="Any IP Service" ro="False"/>
<AnyInterval id="sysid2" days_of_week="0,1,2,3,4,5,6" from_day="-1" from_hour="-1" from_minute="-1" from_month="-1" from_weekday="-1" from_year="-1" to_day="-1" to_hour="-1" to_minute="-1" to_month="-1" to_weekday="-1" to_year="-1" name="Any" comment="Any Interval" ro="False"/>
<ObjectGroup id="stdid01" name="Objects" comment="" ro="False">
<ObjectGroup id="stdid16" name="Addresses" comment="" ro="False">
<IPv4 id="id2001X88798" name="all-hosts" comment="" ro="False" address="224.0.0.1" netmask="0.0.0.0"/>
<IPv4 id="id2002X88798" name="all-routers" comment="" ro="False" address="224.0.0.2" netmask="0.0.0.0"/>
<IPv4 id="id2003X88798" name="all DVMRP" comment="" ro="False" address="224.0.0.4" netmask="0.0.0.0"/>
<IPv4 id="id2117X88798" name="OSPF (all routers)" comment="RFC2328" ro="False" address="224.0.0.5" netmask="0.0.0.0"/>
<IPv4 id="id2128X88798" name="OSPF (designated routers)" comment="RFC2328" ro="False" address="224.0.0.6" netmask="0.0.0.0"/>
<IPv4 id="id2430X88798" name="RIP" comment="RFC1723" ro="False" address="224.0.0.9" netmask="0.0.0.0"/>
<IPv4 id="id2439X88798" name="EIGRP" comment="" ro="False" address="224.0.0.10" netmask="0.0.0.0"/>
<IPv4 id="id2446X88798" name="DHCP server, relay agent" comment="RFC 1884" ro="False" address="224.0.0.12" netmask="0.0.0.0"/>
<IPv4 id="id2455X88798" name="PIM" comment="" ro="False" address="224.0.0.13" netmask="0.0.0.0"/>
<IPv4 id="id2462X88798" name="RSVP" comment="" ro="False" address="224.0.0.14" netmask="0.0.0.0"/>
<IPv4 id="id2469X88798" name="VRRP" comment="RFC3768" ro="False" address="224.0.0.18" netmask="0.0.0.0"/>
<IPv4 id="id2777X88798" name="IGMP" comment="" ro="False" address="224.0.0.22" netmask="0.0.0.0"/>
<IPv4 id="id2784X88798" name="OSPFIGP-TE" comment="RFC4973" ro="False" address="224.0.0.24" netmask="0.0.0.0"/>
<IPv4 id="id3094X88798" name="HSRP" comment="" ro="False" address="224.0.0.102" netmask="0.0.0.0"/>
<IPv4 id="id3403X88798" name="mDNS" comment="" ro="False" address="224.0.0.251" netmask="0.0.0.0"/>
<IPv4 id="id3410X88798" name="LLMNR" comment="Link-Local Multicast Name Resolution, RFC4795" ro="False" address="224.0.0.252" netmask="0.0.0.0"/>
<IPv4 id="id3411X88798" name="Teredo" comment="" ro="False" address="224.0.0.253" netmask="0.0.0.0"/>
</ObjectGroup>
<ObjectGroup id="stdid17" name="DNS Names" comment="" ro="False"/>
<ObjectGroup id="stdid18" name="Address Tables" comment="" ro="False"/>
<ObjectGroup id="stdid04" name="Groups" comment="" ro="False">
<ObjectGroup id="id3DC75CE8" name="rfc1918-nets" comment="" ro="False">
<ObjectRef ref="id3DC75CE5"/>
<ObjectRef ref="id3DC75CE6"/>
<ObjectRef ref="id3DC75CE7"/>
</ObjectGroup>
<ObjectGroup id="id3292X75851" name="ipv6 private" comment="These are various ipv6 networks that should not be routed on the Internet " ro="False">
<ObjectRef ref="id2088X75851"/>
<ObjectRef ref="id2986X75851"/>
<ObjectRef ref="id2383X75851"/>
</ObjectGroup>
</ObjectGroup>
<ObjectGroup id="stdid02" name="Hosts" comment="" ro="False">
<Host id="id3D84EECE" name="internal server" comment="This host is used in examples and template objects" ro="False">
<Interface id="id3D84EED2" dedicated_failover="False" dyn="False" security_level="0" unnum="False" unprotected="False" name="eth0" comment="" ro="False">
<IPv4 id="id3D84EED3" name="ip" comment="" ro="False" address="192.168.1.10" netmask="255.255.255.0"/>
<InterfaceOptions/>
</Interface>
<Management address="192.168.1.10">
<SNMPManagement enabled="False" snmp_read_community="" snmp_write_community=""/>
<FWBDManagement enabled="False" identity="" port="-1"/>
<PolicyInstallScript arguments="" command="" enabled="False"/>
</Management>
<HostOptions>
<Option name="snmp_contact"/>
<Option name="snmp_description"/>
<Option name="snmp_location"/>
<Option name="use_mac_addr">false</Option>
<Option name="use_mac_addr_filter">False</Option>
</HostOptions>
</Host>
<Host id="id3D84EECF" name="server on dmz" comment="This host is used in examples and template objects" ro="False">
<Interface id="id3D84EEE3" dedicated_failover="False" dyn="False" security_level="0" unnum="False" unprotected="False" name="eth0" comment="" ro="False">
<IPv4 id="id3D84EEE4" name="ip" comment="" ro="False" address="192.168.2.10" netmask="255.255.255.0"/>
<InterfaceOptions/>
</Interface>
<Management address="192.168.2.10">
<SNMPManagement enabled="False" snmp_read_community="" snmp_write_community=""/>
<FWBDManagement enabled="False" identity="" port="-1"/>
<PolicyInstallScript arguments="" command="" enabled="False"/>
</Management>
<HostOptions>
<Option name="snmp_contact"/>
<Option name="snmp_description"/>
<Option name="snmp_location"/>
<Option name="use_mac_addr">false</Option>
<Option name="use_mac_addr_filter">False</Option>
</HostOptions>
</Host>
</ObjectGroup>
<ObjectGroup id="stdid03" name="Networks" comment="" ro="False">
<Network id="id3DC75CEC" name="all multicasts" comment="224.0.0.0/4 - This block, formerly known as the Class D address space, is allocated for use in IPv4 multicast address assignments. The IANA guidelines for assignments from this space are described in [RFC3171]. " ro="False" address="224.0.0.0" netmask="240.0.0.0"/>
<Network id="id3F4ECE3E" name="link-local" comment="169.254.0.0/16 - This is the &quot;link local&quot; block. It is allocated for communication between hosts on a single link. Hosts obtain these addresses by auto-configuration, such as when a DHCP server may not be found. " ro="False" address="169.254.0.0" netmask="255.255.0.0"/>
<Network id="id3F4ECE3D" name="loopback-net" comment="127.0.0.0/8 - This block is assigned for use as the Internet host loopback address. A datagram sent by a higher level protocol to an address anywhere within this block should loop back inside the host. This is ordinarily implemented using only 127.0.0.1/32 for loopback, but no addresses within this block should ever appear on any network anywhere [RFC1700, page 5]. " ro="False" address="127.0.0.0" netmask="255.0.0.0"/>
<Network id="id3DC75CE5" name="net-10.0.0.0" comment="10.0.0.0/8 - This block is set aside for use in private networks. Its intended use is documented in [RFC1918]. Addresses within this block should not appear on the public Internet." ro="False" address="10.0.0.0" netmask="255.0.0.0"/>
<Network id="id3DC75CE7" name="net-172.16.0.0" comment="172.16.0.0/12 - This block is set aside for use in private networks. Its intended use is documented in [RFC1918]. Addresses within this block should not appear on the public Internet. " ro="False" address="172.16.0.0" netmask="255.240.0.0"/>
<Network id="id3DC75CE6" name="net-192.168.0.0" comment="192.168.0.0/16 - This block is set aside for use in private networks. Its intended use is documented in [RFC1918]. Addresses within this block should not appear on the public Internet. " ro="False" address="192.168.0.0" netmask="255.255.0.0"/>
<Network id="id3F4ECE3F" name="test-net" comment="192.0.2.0/24 - This block is assigned as &quot;TEST-NET&quot; for use in documentation and example code. It is often used in conjunction with domain names example.com or example.net in vendor and protocol documentation. Addresses within this block should not appear on the public Internet. " ro="False" address="192.0.2.0" netmask="255.255.255.0"/>
<Network id="id3F4ECE40" name="this-net" comment="0.0.0.0/8 - Addresses in this block refer to source hosts on &quot;this&quot; network. Address 0.0.0.0/32 may be used as a source address for this host on this network; other addresses within 0.0.0.0/8 may be used to refer to specified hosts on this network [RFC1700, page 4]." ro="False" address="0.0.0.0" netmask="255.0.0.0"/>
<Network id="id3DC75CE7-1" name="net-192.168.1.0" comment="192.168.1.0/24 - Address often used for home and small office networks. " ro="False" address="192.168.1.0" netmask="255.255.255.0"/>
<Network id="id3DC75CE7-2" name="net-192.168.2.0" comment="192.168.2.0/24 - Address often used for home and small office networks. " ro="False" address="192.168.2.0" netmask="255.255.255.0"/>
<NetworkIPv6 id="id2088X75851" name="documentation net" comment="RFC3849" ro="False" address="2001:db8::" netmask="32"/>
<NetworkIPv6 id="id2383X75851" name="link-local ipv6" comment="RFC4291 Link-local unicast net" ro="False" address="fe80::" netmask="10"/>
<NetworkIPv6 id="id2685X75851" name="multicast ipv6" comment="RFC4291 ipv6 multicast addresses" ro="False" address="ff00::" netmask="8"/>
<NetworkIPv6 id="id2986X75851" name="experimental ipv6" comment="RFC2928, RFC4773 &quot;The block of Sub-TLA IDs assigned to the IANA (i.e., 2001:0000::/29 - 2001:01F8::/29) is for assignment for testing and experimental usage to support activities such as the 6bone, and for new approaches like exchanges.&quot; [RFC2928] " ro="False" address="2001::" netmask="23"/>
</ObjectGroup>
<ObjectGroup id="stdid15" name="Address Ranges" comment="" ro="False">
<AddressRange id="id3F6D115C" name="broadcast" comment="" ro="False" start_address="255.255.255.255" end_address="255.255.255.255"/>
<AddressRange id="id3F6D115D" name="old-broadcast" comment="" ro="False" start_address="0.0.0.0" end_address="0.0.0.0"/>
</ObjectGroup>
</ObjectGroup>
<ServiceGroup id="stdid05" name="Services" comment="" ro="False">
<CustomService id="stdid14_1" name="ESTABLISHED" comment="This service matches all packets which are part of network connections established through the firewall, or connections 'related' to those established through the firewall. The term 'established' refers to the state tracking mechanism which exists inside iptables and other stateful firewalls and does not mean any particular combination of packet header options. A packet is considered to correspond to the state 'ESTABLISHED' if it belongs to a network session whose proper initiation has been seen by the firewall, so that its stateful inspection module has made an appropriate record in the state table. Usually stateful firewalls keep track of network connections using not only the tcp protocol, but also udp and sometimes even icmp protocols. 'RELATED' describes a packet belonging to a separate network connection that is related to a session the firewall is keeping track of. One example is FTP command and FTP data sessions." ro="False" protocol="any" address_family="ipv4">
<CustomServiceCommand platform="Undefined"/>
<CustomServiceCommand platform="iosacl">established</CustomServiceCommand>
<CustomServiceCommand platform="ipfilter"/>
<CustomServiceCommand platform="ipfw">established</CustomServiceCommand>
<CustomServiceCommand platform="iptables">-m state --state ESTABLISHED,RELATED</CustomServiceCommand>
<CustomServiceCommand platform="procurve_acl">established</CustomServiceCommand>
</CustomService>
<CustomService id="stdid14_2" name="ESTABLISHED ipv6" comment="This service matches all packets which are part of network connections established through the firewall, or connections 'related' to those established through the firewall. The term 'established' refers to the state tracking mechanism which exists inside iptables and other stateful firewalls and does not mean any particular combination of packet header options. A packet is considered to correspond to the state 'ESTABLISHED' if it belongs to a network session whose proper initiation has been seen by the firewall, so that its stateful inspection module has made an appropriate record in the state table. Usually stateful firewalls keep track of network connections using not only the tcp protocol, but also udp and sometimes even icmp protocols. 'RELATED' describes a packet belonging to a separate network connection that is related to a session the firewall is keeping track of. One example is FTP command and FTP data sessions." ro="False" protocol="any" address_family="ipv6">
<CustomServiceCommand platform="Undefined"/>
<CustomServiceCommand platform="iosacl">established</CustomServiceCommand>
<CustomServiceCommand platform="ipfilter"/>
<CustomServiceCommand platform="ipfw">established</CustomServiceCommand>
<CustomServiceCommand platform="iptables">-m state --state ESTABLISHED,RELATED</CustomServiceCommand>
<CustomServiceCommand platform="procurve_acl">established</CustomServiceCommand>
</CustomService>
<ServiceGroup id="stdid10" name="Groups" comment="" ro="False">
<ServiceGroup id="sg-DHCP" name="DHCP" comment="" ro="False">
<ServiceRef ref="udp-bootpc"/>
<ServiceRef ref="udp-bootps"/>
</ServiceGroup>
<ServiceGroup id="id3F530CC8" name="DNS" comment="" ro="False">
<ServiceRef ref="udp-DNS"/>
<ServiceRef ref="tcp-DNS"/>
</ServiceGroup>
<ServiceGroup id="id3CB1279B" name="IPSEC" comment="" ro="False">
<ServiceRef ref="id3CB12797"/>
<ServiceRef ref="ip-IPSEC"/>
</ServiceGroup>
<ServiceGroup id="sg-NETBIOS" name="NETBIOS" comment="" ro="False">
<ServiceRef ref="udp-netbios-dgm"/>
<ServiceRef ref="udp-netbios-ns"/>
<ServiceRef ref="id3E755609"/>
</ServiceGroup>
<ServiceGroup id="id3CB131CC" name="PCAnywhere" comment="" ro="False">
<ServiceRef ref="id3CB131CA"/>
<ServiceRef ref="id3CB131C8"/>
</ServiceGroup>
<ServiceGroup id="sg-Useful_ICMP" name="Useful_ICMP" comment="" ro="False">
<ServiceRef ref="icmp-Time_exceeded"/>
<ServiceRef ref="icmp-Time_exceeded_in_transit"/>
<ServiceRef ref="icmp-ping_reply"/>
<ServiceRef ref="icmp-Unreachables"/>
</ServiceGroup>
<ServiceGroup id="id1569X4889" name="Ipv6 unreachable messages" comment="" ro="False">
<ServiceRef ref="idE0D27650"/>
<ServiceRef ref="idCFE27650"/>
<ServiceRef ref="idE0B27650"/>
<ServiceRef ref="id1519Z388"/>
</ServiceGroup>
<ServiceGroup id="id3B4FEDD9" name="kerberos" comment="" ro="False">
<ServiceRef ref="id3B4FEDA5"/>
<ServiceRef ref="id3B4FEDA9"/>
<ServiceRef ref="id3B4FEDA7"/>
<ServiceRef ref="id3B4FEDAB"/>
<ServiceRef ref="id3B4FEDA3"/>
<ServiceRef ref="id3B4FEE21"/>
<ServiceRef ref="id3B4FEE23"/>
<ServiceRef ref="id3E7E3EA2"/>
</ServiceGroup>
<ServiceGroup id="id3B4FF35E" name="nfs" comment="" ro="False">
<ServiceRef ref="id3B4FEE7A"/>
<ServiceRef ref="id3B4FEE78"/>
</ServiceGroup>
<ServiceGroup id="id3B4FEFFA" name="quake" comment="" ro="False">
<ServiceRef ref="id3B4FEF7C"/>
<ServiceRef ref="id3B4FEF7E"/>
</ServiceGroup>
<ServiceGroup id="id3D703C9A" name="Real Player" comment="" ro="False">
<ServiceRef ref="id3D703C99"/>
<ServiceRef ref="id3D703C8B"/>
</ServiceGroup>
<ServiceGroup id="id3E7E3E95" name="WinNT" comment="" ro="False">
<ServiceRef ref="sg-NETBIOS"/>
<ServiceRef ref="id3DC8C8BB"/>
<ServiceRef ref="id3E7E3D58"/>
</ServiceGroup>
<ServiceGroup id="id3E7E3E9A" name="Win2000" comment="" ro="False">
<ServiceRef ref="id3E7E3E95"/>
<ServiceRef ref="udp-DNS"/>
<ServiceRef ref="id3DC8C8BC"/>
<ServiceRef ref="id3E7E3EA2"/>
<ServiceRef ref="id3AECF778"/>
<ServiceRef ref="id3D703C90"/>
<ServiceRef ref="id3E7E4039"/>
<ServiceRef ref="id3E7E403A"/>
<ServiceRef ref="id3B4FEDA5"/>
<ServiceRef ref="tcp-DNS"/>
</ServiceGroup>
<ServiceGroup id="id41291786" name="UPnP" comment="" ro="False">
<ServiceRef ref="id41291784"/>
<ServiceRef ref="id41291785"/>
<ServiceRef ref="id41291783"/>
<ServiceRef ref="id412Z18A9"/>
</ServiceGroup>
</ServiceGroup>
<ServiceGroup id="stdid07" name="ICMP" comment="" ro="False">
<ICMPService id="icmp-Unreachables" code="-1" type="3" name="all ICMP unreachables" comment="" ro="False"/>
<ICMPService id="id3C20EEB5" code="-1" type="-1" name="any ICMP" comment="" ro="False"/>
<ICMPService id="icmp-Host_unreach" code="1" type="3" name="host_unreach" comment="" ro="False"/>
<ICMPService id="icmp-ping_reply" code="0" type="0" name="ping reply" comment="" ro="False"/>
<ICMPService id="icmp-ping_request" code="0" type="8" name="ping request" comment="" ro="False"/>
<ICMPService id="icmp-Port_unreach" code="3" type="3" name="port unreach" comment="Port unreachable" ro="False"/>
<ICMPService id="icmp-Time_exceeded" code="0" type="11" name="time exceeded" comment="ICMP messages of this type are needed for traceroute" ro="False"/>
<ICMPService id="icmp-Time_exceeded_in_transit" code="1" type="11" name="time exceeded in transit" comment="" ro="False"/>
<ICMP6Service id="ipv6-icmp-ping_request" code="0" type="128" name="ipv6 ping request" comment="IPv6 ping request" ro="False"/>
<ICMP6Service id="ipv6-icmp-ping_reply" code="0" type="129" name="ipv6 ping reply" comment="IPv6 ping reply" ro="False"/>
<ICMP6Service id="ipv6-icmp-routersol" code="0" type="133" name="ipv6 routersol" comment="IPv6 router solicitation" ro="False"/>
<ICMP6Service id="ipv6-icmp-routeradv" code="0" type="134" name="ipv6 routeradv" comment="IPv6 router advertisement" ro="False"/>
<ICMP6Service id="ipv6-icmp-neighbrsol" code="0" type="135" name="ipv6 neighbrsol" comment="IPv6 neighbor solicitation" ro="False"/>
<ICMP6Service id="ipv6-icmp-neighbradv" code="0" type="136" name="ipv6 neighbradv" comment="IPv6 neighbor advertisement" ro="False"/>
<ICMP6Service id="ipv6-icmp-redir" code="0" type="137" name="ipv6 redir" comment="IPv6 redirect: shorter route exists" ro="False"/>
<ICMP6Service id="id1519Z388" code="-1" type="4" name="ipv6 parameter problem" comment="IPv6 Parameter Problem: RFC4443" ro="False"/>
<ICMP6Service id="idCFE27650" code="0" type="3" name="ipv6 time exceeded" comment="Time exceeded in transit" ro="False"/>
<ICMP6Service id="idCFF27650" code="1" type="3" name="ipv6 time exceeded in reassembly" comment="Time exceeded in reassembly" ro="False"/>
<ICMP6Service id="idE0B27650" code="-1" type="2" name="ipv6 packet too big" comment="" ro="False"/>
<ICMP6Service id="idE0D27650" code="-1" type="1" name="ipv6 all dest unreachable" comment="All icmpv6 codes for type &quot;destination unreachable&quot; " ro="False"/>
<ICMP6Service id="idCFE27660" code="-1" type="-1" name="ipv6 any ICMP6" comment="any ICMPv6" ro="False"/>
</ServiceGroup>
<ServiceGroup id="stdid06" name="IP" comment="" ro="False">
<IPService id="id3CB12797" fragm="False" lsrr="False" protocol_num="51" rr="False" short_fragm="False" ssrr="False" ts="False" name="AH" comment="IPSEC Authentication Header Protocol" ro="False"/>
<IPService id="ip-IPSEC" fragm="False" lsrr="False" protocol_num="50" rr="False" short_fragm="False" ssrr="False" ts="False" name="ESP" comment="IPSEC Encapsulating Security Payload Protocol" ro="False"/>
<IPService id="ip-RR" fragm="False" lsrr="False" protocol_num="0" rr="True" short_fragm="False" ssrr="False" ts="False" name="RR" comment="Route recording packets" ro="False"/>
<IPService id="ip-SRR" fragm="False" lsrr="True" protocol_num="0" rr="False" short_fragm="False" ssrr="True" ts="False" name="SRR" comment="All sorts of Source Routing Packets" ro="False"/>
<IPService id="ip-IP_Fragments" fragm="False" lsrr="False" protocol_num="0" rr="False" short_fragm="True" ssrr="False" ts="False" name="ip_fragments" comment="'Short' fragments" ro="False"/>
<IPService id="id3D703C8E" fragm="False" lsrr="False" protocol_num="57" rr="False" short_fragm="False" ssrr="False" ts="False" name="SKIP" comment="IPSEC Simple Key Management for Internet Protocols" ro="False"/>
<IPService id="id3D703C8F" fragm="False" lsrr="False" protocol_num="47" rr="False" short_fragm="False" ssrr="False" ts="False" name="GRE" comment="Generic Routing Encapsulation " ro="False"/>
<IPService id="id3D703C95" fragm="False" lsrr="False" protocol_num="112" rr="False" short_fragm="False" ssrr="False" ts="False" name="vrrp" comment="Virtual Router Redundancy Protocol" ro="False"/>
<IPService id="ip-IGMP" fragm="False" lsrr="False" protocol_num="2" rr="False" rtralt="True" rtralt_value="0" short_fragm="False" ssrr="False" ts="False" name="IGMP" comment="Internet Group Management Protocol, Version 3, RFC 3376" ro="False"/>
<IPService id="ip-PIM" fragm="False" lsrr="False" protocol_num="103" rr="False" rtralt="False" rtralt_value="0" short_fragm="False" ssrr="False" ts="False" name="PIM" comment="Protocol Independent Multicast - Dense Mode (PIM-DM), RFC 3973, or Protocol Independent Multicast-Sparse Mode (PIM-SM) RFC 2362" ro="False"/>
</ServiceGroup>
<ServiceGroup id="stdid09" name="TCP" comment="" ro="False">
<TCPService id="tcp-ALL_TCP_Masqueraded" ack_flag="False" ack_flag_mask="False" fin_flag="False" fin_flag_mask="False" psh_flag="False" psh_flag_mask="False" rst_flag="False" rst_flag_mask="False" syn_flag="False" syn_flag_mask="False" urg_flag="False" urg_flag_mask="False" name="ALL TCP Masqueraded" comment="ipchains used to use this range of port numbers for masquerading. " ro="False" src_range_start="61000" src_range_end="65095" dst_range_start="0" dst_range_end="0"/>
<TCPService id="id3D703C94" ack_flag="False" ack_flag_mask="False" fin_flag="False" fin_flag_mask="False" psh_flag="False" psh_flag_mask="False" rst_flag="False" rst_flag_mask="False" syn_flag="False" syn_flag_mask="False" urg_flag="False" urg_flag_mask="False" name="AOL" comment="" ro="False" src_range_start="0" src_range_end="0" dst_range_start="5190" dst_range_end="5190"/>
<TCPService id="tcp-All_TCP" ack_flag="False" ack_flag_mask="False" fin_flag="False" fin_flag_mask="False" psh_flag="False" psh_flag_mask="False" rst_flag="False" rst_flag_mask="False" syn_flag="False" syn_flag_mask="False" urg_flag="False" urg_flag_mask="False" name="All TCP" comment="" ro="False" src_range_start="0" src_range_end="0" dst_range_start="0" dst_range_end="0"/>
<TCPService id="id3CB131C4" ack_flag="False" ack_flag_mask="False" fin_flag="False" fin_flag_mask="False" psh_flag="False" psh_flag_mask="False" rst_flag="False" rst_flag_mask="False" syn_flag="False" syn_flag_mask="False" urg_flag="False" urg_flag_mask="False" name="Citrix-ICA" comment="" ro="False" src_range_start="0" src_range_end="0" dst_range_start="1494" dst_range_end="1494"/>
<TCPService id="id3D703C91" ack_flag="False" ack_flag_mask="False" fin_flag="False" fin_flag_mask="False" psh_flag="False" psh_flag_mask="False" rst_flag="False" rst_flag_mask="False" syn_flag="False" syn_flag_mask="False" urg_flag="False" urg_flag_mask="False" name="Entrust-Admin" comment="Entrust CA Administration Service" ro="False" src_range_start="0" src_range_end="0" dst_range_start="709" dst_range_end="709"/>
<TCPService id="id3D703C92" ack_flag="False" ack_flag_mask="False" fin_flag="False" fin_flag_mask="False" psh_flag="False" psh_flag_mask="False" rst_flag="False" rst_flag_mask="False" syn_flag="False" syn_flag_mask="False" urg_flag="False" urg_flag_mask="False" name="Entrust-KeyMgmt" comment="Entrust CA Key Management Service" ro="False" src_range_start="0" src_range_end="0" dst_range_start="710" dst_range_end="710"/>
<TCPService id="id3AEDBEAC" ack_flag="False" ack_flag_mask="False" fin_flag="False" fin_flag_mask="False" psh_flag="False" psh_flag_mask="False" rst_flag="False" rst_flag_mask="False" syn_flag="False" syn_flag_mask="False" urg_flag="False" urg_flag_mask="False" name="H323" comment="" ro="False" src_range_start="0" src_range_end="0" dst_range_start="1720" dst_range_end="1720"/>
<TCPService id="id412Z18A9" ack_flag="False" ack_flag_mask="False" fin_flag="False" fin_flag_mask="False" psh_flag="False" psh_flag_mask="False" rst_flag="False" rst_flag_mask="False" syn_flag="False" syn_flag_mask="False" urg_flag="False" urg_flag_mask="False" name="icslap" comment="Sometimes this protocol is called icslap, but Microsoft does not call it that and just says that DSPP uses port 2869 in Windows XP SP2" ro="False" src_range_start="0" src_range_end="0" dst_range_start="2869" dst_range_end="2869"/>
<TCPService id="id3E7E4039" ack_flag="False" ack_flag_mask="False" fin_flag="False" fin_flag_mask="False" psh_flag="False" psh_flag_mask="False" rst_flag="False" rst_flag_mask="False" syn_flag="False" syn_flag_mask="False" urg_flag="False" urg_flag_mask="False" name="LDAP GC" comment="" ro="False" src_range_start="0" src_range_end="0" dst_range_start="3268" dst_range_end="3268"/>
<TCPService id="id3E7E403A" ack_flag="False" ack_flag_mask="False" fin_flag="False" fin_flag_mask="False" psh_flag="False" psh_flag_mask="False" rst_flag="False" rst_flag_mask="False" syn_flag="False" syn_flag_mask="False" urg_flag="False" urg_flag_mask="False" name="LDAP GC SSL" comment="" ro="False" src_range_start="0" src_range_end="0" dst_range_start="3269" dst_range_end="3269"/>
<TCPService id="id3D703C83" ack_flag="False" ack_flag_mask="False" fin_flag="False" fin_flag_mask="False" psh_flag="False" psh_flag_mask="False" rst_flag="False" rst_flag_mask="False" syn_flag="False" syn_flag_mask="False" urg_flag="False" urg_flag_mask="False" name="OpenWindows" comment="Open Windows" ro="False" src_range_start="0" src_range_end="0" dst_range_start="2000" dst_range_end="2000"/>
<TCPService id="id3CB131C8" ack_flag="False" ack_flag_mask="False" fin_flag="False" fin_flag_mask="False" psh_flag="False" psh_flag_mask="False" rst_flag="False" rst_flag_mask="False" syn_flag="False" syn_flag_mask="False" urg_flag="False" urg_flag_mask="False" name="PCAnywhere-data" comment="data channel for PCAnywhere v7.52 and later " ro="False" src_range_start="0" src_range_end="0" dst_range_start="5631" dst_range_end="5631"/>
<TCPService id="id3D703C8B" ack_flag="False" ack_flag_mask="False" fin_flag="False" fin_flag_mask="False" psh_flag="False" psh_flag_mask="False" rst_flag="False" rst_flag_mask="False" syn_flag="False" syn_flag_mask="False" urg_flag="False" urg_flag_mask="False" name="Real-Audio" comment="RealNetworks PNA Protocol" ro="False" src_range_start="0" src_range_end="0" dst_range_start="7070" dst_range_end="7070"/>
<TCPService id="id3D703C93" ack_flag="False" ack_flag_mask="False" fin_flag="False" fin_flag_mask="False" psh_flag="False" psh_flag_mask="False" rst_flag="False" rst_flag_mask="False" syn_flag="False" syn_flag_mask="False" urg_flag="False" urg_flag_mask="False" name="RealSecure" comment="" ro="False" src_range_start="0" src_range_end="0" dst_range_start="2998" dst_range_end="2998"/>
<TCPService id="id3DC8C8BC" ack_flag="False" ack_flag_mask="False" fin_flag="False" fin_flag_mask="False" psh_flag="False" psh_flag_mask="False" rst_flag="False" rst_flag_mask="False" syn_flag="False" syn_flag_mask="False" urg_flag="False" urg_flag_mask="False" name="SMB" comment="SMB over TCP (without NETBIOS) " ro="False" src_range_start="0" src_range_end="0" dst_range_start="445" dst_range_end="445"/>
<TCPService id="id3D703C8D" ack_flag="False" ack_flag_mask="False" fin_flag="False" fin_flag_mask="False" psh_flag="False" psh_flag_mask="False" rst_flag="False" rst_flag_mask="False" syn_flag="False" syn_flag_mask="False" urg_flag="False" urg_flag_mask="False" name="TACACSplus" comment="" ro="False" src_range_start="0" src_range_end="0" dst_range_start="49" dst_range_end="49"/>
<TCPService id="id3D703C84" ack_flag="False" ack_flag_mask="False" fin_flag="False" fin_flag_mask="False" psh_flag="False" psh_flag_mask="False" rst_flag="False" rst_flag_mask="False" syn_flag="False" syn_flag_mask="False" urg_flag="False" urg_flag_mask="False" name="TCP high ports" comment="TCP high ports" ro="False" src_range_start="0" src_range_end="0" dst_range_start="1024" dst_range_end="65535"/>
<TCPService id="id3E7E3D58" ack_flag="False" ack_flag_mask="False" fin_flag="False" fin_flag_mask="False" psh_flag="False" psh_flag_mask="False" rst_flag="False" rst_flag_mask="False" syn_flag="False" syn_flag_mask="False" urg_flag="False" urg_flag_mask="False" name="WINS replication" comment="" ro="False" src_range_start="0" src_range_end="0" dst_range_start="42" dst_range_end="42"/>
<TCPService id="id3D703C82" ack_flag="False" ack_flag_mask="False" fin_flag="False" fin_flag_mask="False" psh_flag="False" psh_flag_mask="False" rst_flag="False" rst_flag_mask="False" syn_flag="False" syn_flag_mask="False" urg_flag="False" urg_flag_mask="False" name="X11" comment="X Window System" ro="False" src_range_start="0" src_range_end="0" dst_range_start="6000" dst_range_end="6063"/>
<TCPService id="tcp-Auth" ack_flag="False" ack_flag_mask="False" fin_flag="False" fin_flag_mask="False" psh_flag="False" psh_flag_mask="False" rst_flag="False" rst_flag_mask="False" syn_flag="False" syn_flag_mask="False" urg_flag="False" urg_flag_mask="False" name="auth" comment="" ro="False" src_range_start="0" src_range_end="0" dst_range_start="113" dst_range_end="113"/>
<TCPService id="id3AEDBE6E" ack_flag="False" ack_flag_mask="False" fin_flag="False" fin_flag_mask="False" psh_flag="False" psh_flag_mask="False" rst_flag="False" rst_flag_mask="False" syn_flag="False" syn_flag_mask="False" urg_flag="False" urg_flag_mask="False" name="daytime" comment="" ro="False" src_range_start="0" src_range_end="0" dst_range_start="13" dst_range_end="13"/>
<TCPService id="tcp-DNS" ack_flag="False" ack_flag_mask="False" fin_flag="False" fin_flag_mask="False" psh_flag="False" psh_flag_mask="False" rst_flag="False" rst_flag_mask="False" syn_flag="False" syn_flag_mask="False" urg_flag="False" urg_flag_mask="False" name="domain" comment="" ro="False" src_range_start="0" src_range_end="0" dst_range_start="53" dst_range_end="53"/>
<TCPService id="id3B4FEDA3" ack_flag="False" ack_flag_mask="False" fin_flag="False" fin_flag_mask="False" psh_flag="False" psh_flag_mask="False" rst_flag="False" rst_flag_mask="False" syn_flag="False" syn_flag_mask="False" urg_flag="False" urg_flag_mask="False" name="eklogin" comment="" ro="False" src_range_start="0" src_range_end="0" dst_range_start="2105" dst_range_end="2105"/>
<TCPService id="id3AECF774" ack_flag="False" ack_flag_mask="False" fin_flag="False" fin_flag_mask="False" psh_flag="False" psh_flag_mask="False" rst_flag="False" rst_flag_mask="False" syn_flag="False" syn_flag_mask="False" urg_flag="False" urg_flag_mask="False" name="finger" comment="" ro="False" src_range_start="0" src_range_end="0" dst_range_start="79" dst_range_end="79"/>
<TCPService id="tcp-FTP" ack_flag="False" ack_flag_mask="False" fin_flag="False" fin_flag_mask="False" psh_flag="False" psh_flag_mask="False" rst_flag="False" rst_flag_mask="False" syn_flag="False" syn_flag_mask="False" urg_flag="False" urg_flag_mask="False" name="ftp" comment="" ro="False" src_range_start="0" src_range_end="0" dst_range_start="21" dst_range_end="21"/>
<TCPService id="tcp-FTP_data" ack_flag="False" ack_flag_mask="False" fin_flag="False" fin_flag_mask="False" psh_flag="False" psh_flag_mask="False" rst_flag="False" rst_flag_mask="False" syn_flag="False" syn_flag_mask="False" urg_flag="False" urg_flag_mask="False" name="ftp data" comment="FTP data channel. Note: the FTP protocol does not really require the server to use source port 20 for the data channel, but many ftp server implementations do so." ro="False" src_range_start="20" src_range_end="20" dst_range_start="1024" dst_range_end="65535"/>
|
|
<TCPService id="id3E7553BC" ack_flag="False" ack_flag_mask="False" fin_flag="False" fin_flag_mask="False" psh_flag="False" psh_flag_mask="False" rst_flag="False" rst_flag_mask="False" syn_flag="False" syn_flag_mask="False" urg_flag="False" urg_flag_mask="False" name="ftp data passive" comment="FTP data channel for passive mode transfers " ro="False" src_range_start="0" src_range_end="0" dst_range_start="20" dst_range_end="20"/>
|
|
<TCPService id="tcp-HTTP" ack_flag="False" ack_flag_mask="False" fin_flag="False" fin_flag_mask="False" psh_flag="False" psh_flag_mask="False" rst_flag="False" rst_flag_mask="False" syn_flag="False" syn_flag_mask="False" urg_flag="False" urg_flag_mask="False" name="http" comment="" ro="False" src_range_start="0" src_range_end="0" dst_range_start="80" dst_range_end="80"/>
|
|
<TCPService id="id3B4FED69" ack_flag="False" ack_flag_mask="False" fin_flag="False" fin_flag_mask="False" psh_flag="False" psh_flag_mask="False" rst_flag="False" rst_flag_mask="False" syn_flag="False" syn_flag_mask="False" urg_flag="False" urg_flag_mask="False" name="https" comment="" ro="False" src_range_start="0" src_range_end="0" dst_range_start="443" dst_range_end="443"/>
|
|
<TCPService id="id3AECF776" ack_flag="False" ack_flag_mask="False" fin_flag="False" fin_flag_mask="False" psh_flag="False" psh_flag_mask="False" rst_flag="False" rst_flag_mask="False" syn_flag="False" syn_flag_mask="False" urg_flag="False" urg_flag_mask="False" name="imap" comment="" ro="False" src_range_start="0" src_range_end="0" dst_range_start="143" dst_range_end="143"/>
|
|
<TCPService id="id3B4FED9F" ack_flag="False" ack_flag_mask="False" fin_flag="False" fin_flag_mask="False" psh_flag="False" psh_flag_mask="False" rst_flag="False" rst_flag_mask="False" syn_flag="False" syn_flag_mask="False" urg_flag="False" urg_flag_mask="False" name="imaps" comment="" ro="False" src_range_start="0" src_range_end="0" dst_range_start="993" dst_range_end="993"/>
|
|
<TCPService id="id3B4FF13C" ack_flag="False" ack_flag_mask="False" fin_flag="False" fin_flag_mask="False" psh_flag="False" psh_flag_mask="False" rst_flag="False" rst_flag_mask="False" syn_flag="False" syn_flag_mask="False" urg_flag="False" urg_flag_mask="False" name="irc" comment="" ro="False" src_range_start="0" src_range_end="0" dst_range_start="6667" dst_range_end="6667"/>
|
|
<TCPService id="id3E7E3EA2" ack_flag="False" ack_flag_mask="False" fin_flag="False" fin_flag_mask="False" psh_flag="False" psh_flag_mask="False" rst_flag="False" rst_flag_mask="False" syn_flag="False" syn_flag_mask="False" urg_flag="False" urg_flag_mask="False" name="kerberos" comment="" ro="False" src_range_start="0" src_range_end="0" dst_range_start="88" dst_range_end="88"/>
|
|
<TCPService id="id3B4FEE21" ack_flag="False" ack_flag_mask="False" fin_flag="False" fin_flag_mask="False" psh_flag="False" psh_flag_mask="False" rst_flag="False" rst_flag_mask="False" syn_flag="False" syn_flag_mask="False" urg_flag="False" urg_flag_mask="False" name="klogin" comment="" ro="False" src_range_start="0" src_range_end="0" dst_range_start="543" dst_range_end="543"/>
|
|
<TCPService id="id3B4FEE23" ack_flag="False" ack_flag_mask="False" fin_flag="False" fin_flag_mask="False" psh_flag="False" psh_flag_mask="False" rst_flag="False" rst_flag_mask="False" syn_flag="False" syn_flag_mask="False" urg_flag="False" urg_flag_mask="False" name="ksh" comment="" ro="False" src_range_start="0" src_range_end="0" dst_range_start="544" dst_range_end="544"/>
|
|
<TCPService id="id3AECF778" ack_flag="False" ack_flag_mask="False" fin_flag="False" fin_flag_mask="False" psh_flag="False" psh_flag_mask="False" rst_flag="False" rst_flag_mask="False" syn_flag="False" syn_flag_mask="False" urg_flag="False" urg_flag_mask="False" name="ldap" comment="" ro="False" src_range_start="0" src_range_end="0" dst_range_start="389" dst_range_end="389"/>
|
|
<TCPService id="id3D703C90" ack_flag="False" ack_flag_mask="False" fin_flag="False" fin_flag_mask="False" psh_flag="False" psh_flag_mask="False" rst_flag="False" rst_flag_mask="False" syn_flag="False" syn_flag_mask="False" urg_flag="False" urg_flag_mask="False" name="ldaps" comment="Lightweight Directory Access Protocol over TLS/SSL" ro="False" src_range_start="0" src_range_end="0" dst_range_start="636" dst_range_end="636"/>
|
|
<TCPService id="id3B4FF000" ack_flag="False" ack_flag_mask="False" fin_flag="False" fin_flag_mask="False" psh_flag="False" psh_flag_mask="False" rst_flag="False" rst_flag_mask="False" syn_flag="False" syn_flag_mask="False" urg_flag="False" urg_flag_mask="False" name="linuxconf" comment="" ro="False" src_range_start="0" src_range_end="0" dst_range_start="98" dst_range_end="98"/>
|
|
<TCPService id="id3D703C97" ack_flag="False" ack_flag_mask="False" fin_flag="False" fin_flag_mask="False" psh_flag="False" psh_flag_mask="False" rst_flag="False" rst_flag_mask="False" syn_flag="False" syn_flag_mask="False" urg_flag="False" urg_flag_mask="False" name="lpr" comment="" ro="False" src_range_start="0" src_range_end="0" dst_range_start="515" dst_range_end="515"/>
|
|
<TCPService id="id3DC8C8BB" ack_flag="False" ack_flag_mask="False" fin_flag="False" fin_flag_mask="False" psh_flag="False" psh_flag_mask="False" rst_flag="False" rst_flag_mask="False" syn_flag="False" syn_flag_mask="False" urg_flag="False" urg_flag_mask="False" name="microsoft-rpc" comment="" ro="False" src_range_start="0" src_range_end="0" dst_range_start="135" dst_range_end="135"/>
|
|
<TCPService id="id3D703C98" ack_flag="False" ack_flag_mask="False" fin_flag="False" fin_flag_mask="False" psh_flag="False" psh_flag_mask="False" rst_flag="False" rst_flag_mask="False" syn_flag="False" syn_flag_mask="False" urg_flag="False" urg_flag_mask="False" name="ms-sql" comment="Microsoft SQL Server" ro="False" src_range_start="0" src_range_end="0" dst_range_start="1433" dst_range_end="1433"/>
|
|
<TCPService id="id3B4FEEEE" ack_flag="False" ack_flag_mask="False" fin_flag="False" fin_flag_mask="False" psh_flag="False" psh_flag_mask="False" rst_flag="False" rst_flag_mask="False" syn_flag="False" syn_flag_mask="False" urg_flag="False" urg_flag_mask="False" name="mysql" comment="" ro="False" src_range_start="0" src_range_end="0" dst_range_start="3306" dst_range_end="3306"/>
|
|
<TCPService id="id3E755609" ack_flag="False" ack_flag_mask="False" fin_flag="False" fin_flag_mask="False" psh_flag="False" psh_flag_mask="False" rst_flag="False" rst_flag_mask="False" syn_flag="False" syn_flag_mask="False" urg_flag="False" urg_flag_mask="False" name="netbios-ssn" comment="" ro="False" src_range_start="0" src_range_end="0" dst_range_start="139" dst_range_end="139"/>
|
|
<TCPService id="id3B4FEE7A" ack_flag="False" ack_flag_mask="False" fin_flag="False" fin_flag_mask="False" psh_flag="False" psh_flag_mask="False" rst_flag="False" rst_flag_mask="False" syn_flag="False" syn_flag_mask="False" urg_flag="False" urg_flag_mask="False" name="nfs" comment="" ro="False" src_range_start="0" src_range_end="0" dst_range_start="2049" dst_range_end="2049"/>
|
|
<TCPService id="tcp-NNTP" ack_flag="False" ack_flag_mask="False" fin_flag="False" fin_flag_mask="False" psh_flag="False" psh_flag_mask="False" rst_flag="False" rst_flag_mask="False" syn_flag="False" syn_flag_mask="False" urg_flag="False" urg_flag_mask="False" name="nntp" comment="" ro="False" src_range_start="0" src_range_end="0" dst_range_start="119" dst_range_end="119"/>
|
|
<TCPService id="id3E7553BB" ack_flag="False" ack_flag_mask="False" fin_flag="False" fin_flag_mask="False" psh_flag="False" psh_flag_mask="False" rst_flag="False" rst_flag_mask="False" syn_flag="False" syn_flag_mask="False" urg_flag="False" urg_flag_mask="False" name="nntps" comment="NNTP over SSL" ro="False" src_range_start="0" src_range_end="0" dst_range_start="563" dst_range_end="563"/>
|
|
<TCPService id="id3B4FEE1D" ack_flag="False" ack_flag_mask="False" fin_flag="False" fin_flag_mask="False" psh_flag="False" psh_flag_mask="False" rst_flag="False" rst_flag_mask="False" syn_flag="False" syn_flag_mask="False" urg_flag="False" urg_flag_mask="False" name="pop3" comment="" ro="False" src_range_start="0" src_range_end="0" dst_range_start="110" dst_range_end="110"/>
|
|
<TCPService id="id3E7553BA" ack_flag="False" ack_flag_mask="False" fin_flag="False" fin_flag_mask="False" psh_flag="False" psh_flag_mask="False" rst_flag="False" rst_flag_mask="False" syn_flag="False" syn_flag_mask="False" urg_flag="False" urg_flag_mask="False" name="pop3s" comment="POP-3 over SSL" ro="False" src_range_start="0" src_range_end="0" dst_range_start="995" dst_range_end="995"/>
|
|
<TCPService id="id3B4FF0EA" ack_flag="False" ack_flag_mask="False" fin_flag="False" fin_flag_mask="False" psh_flag="False" psh_flag_mask="False" rst_flag="False" rst_flag_mask="False" syn_flag="False" syn_flag_mask="False" urg_flag="False" urg_flag_mask="False" name="postgres" comment="" ro="False" src_range_start="0" src_range_end="0" dst_range_start="5432" dst_range_end="5432"/>
|
|
<TCPService id="id3AECF782" ack_flag="False" ack_flag_mask="False" fin_flag="False" fin_flag_mask="False" psh_flag="False" psh_flag_mask="False" rst_flag="False" rst_flag_mask="False" syn_flag="False" syn_flag_mask="False" urg_flag="False" urg_flag_mask="False" name="printer" comment="" ro="False" src_range_start="0" src_range_end="0" dst_range_start="515" dst_range_end="515"/>
|
|
<TCPService id="id3B4FEF7C" ack_flag="False" ack_flag_mask="False" fin_flag="False" fin_flag_mask="False" psh_flag="False" psh_flag_mask="False" rst_flag="False" rst_flag_mask="False" syn_flag="False" syn_flag_mask="False" urg_flag="False" urg_flag_mask="False" name="quake" comment="" ro="False" src_range_start="0" src_range_end="0" dst_range_start="26000" dst_range_end="26000"/>
|
|
<TCPService id="id3AECF77A" ack_flag="False" ack_flag_mask="False" fin_flag="False" fin_flag_mask="False" psh_flag="False" psh_flag_mask="False" rst_flag="False" rst_flag_mask="False" syn_flag="False" syn_flag_mask="False" urg_flag="False" urg_flag_mask="False" name="rexec" comment="" ro="False" src_range_start="0" src_range_end="0" dst_range_start="512" dst_range_end="512"/>
|
|
<TCPService id="id3AECF77C" ack_flag="False" ack_flag_mask="False" fin_flag="False" fin_flag_mask="False" psh_flag="False" psh_flag_mask="False" rst_flag="False" rst_flag_mask="False" syn_flag="False" syn_flag_mask="False" urg_flag="False" urg_flag_mask="False" name="rlogin" comment="" ro="False" src_range_start="0" src_range_end="0" dst_range_start="513" dst_range_end="513"/>
|
|
<TCPService id="id3AECF77E" ack_flag="False" ack_flag_mask="False" fin_flag="False" fin_flag_mask="False" psh_flag="False" psh_flag_mask="False" rst_flag="False" rst_flag_mask="False" syn_flag="False" syn_flag_mask="False" urg_flag="False" urg_flag_mask="False" name="rshell" comment="" ro="False" src_range_start="0" src_range_end="0" dst_range_start="514" dst_range_end="514"/>
|
|
<TCPService id="id3D703C99" ack_flag="False" ack_flag_mask="False" fin_flag="False" fin_flag_mask="False" psh_flag="False" psh_flag_mask="False" rst_flag="False" rst_flag_mask="False" syn_flag="False" syn_flag_mask="False" urg_flag="False" urg_flag_mask="False" name="rtsp" comment="Real Time Streaming Protocol" ro="False" src_range_start="0" src_range_end="0" dst_range_start="554" dst_range_end="554"/>
|
|
<TCPService id="id3B4FEF34" ack_flag="False" ack_flag_mask="False" fin_flag="False" fin_flag_mask="False" psh_flag="False" psh_flag_mask="False" rst_flag="False" rst_flag_mask="False" syn_flag="False" syn_flag_mask="False" urg_flag="False" urg_flag_mask="False" name="rwhois" comment="" ro="False" src_range_start="0" src_range_end="0" dst_range_start="4321" dst_range_end="4321"/>
|
|
<TCPService id="id3D703C89" ack_flag="False" ack_flag_mask="False" fin_flag="False" fin_flag_mask="False" psh_flag="False" psh_flag_mask="False" rst_flag="False" rst_flag_mask="False" syn_flag="False" syn_flag_mask="False" urg_flag="False" urg_flag_mask="False" name="securidprop" comment="" ro="False" src_range_start="0" src_range_end="0" dst_range_start="5510" dst_range_end="5510"/>
|
|
<TCPService id="tcp-SMTP" ack_flag="False" ack_flag_mask="False" fin_flag="False" fin_flag_mask="False" psh_flag="False" psh_flag_mask="False" rst_flag="False" rst_flag_mask="False" syn_flag="False" syn_flag_mask="False" urg_flag="False" urg_flag_mask="False" name="smtp" comment="" ro="False" src_range_start="0" src_range_end="0" dst_range_start="25" dst_range_end="25"/>
|
|
<TCPService id="id3B4FF04C" ack_flag="False" ack_flag_mask="False" fin_flag="False" fin_flag_mask="False" psh_flag="False" psh_flag_mask="False" rst_flag="False" rst_flag_mask="False" syn_flag="False" syn_flag_mask="False" urg_flag="False" urg_flag_mask="False" name="smtps" comment="" ro="False" src_range_start="0" src_range_end="0" dst_range_start="465" dst_range_end="465"/>
|
|
<TCPService id="id3B4FEE76" ack_flag="False" ack_flag_mask="False" fin_flag="False" fin_flag_mask="False" psh_flag="False" psh_flag_mask="False" rst_flag="False" rst_flag_mask="False" syn_flag="False" syn_flag_mask="False" urg_flag="False" urg_flag_mask="False" name="socks" comment="" ro="False" src_range_start="0" src_range_end="0" dst_range_start="1080" dst_range_end="1080"/>
|
|
<TCPService id="id3D703C87" ack_flag="False" ack_flag_mask="False" fin_flag="False" fin_flag_mask="False" psh_flag="False" psh_flag_mask="False" rst_flag="False" rst_flag_mask="False" syn_flag="False" syn_flag_mask="False" urg_flag="False" urg_flag_mask="False" name="sqlnet1" comment="" ro="False" src_range_start="0" src_range_end="0" dst_range_start="1521" dst_range_end="1521"/>
|
|
<TCPService id="id3B4FF09A" ack_flag="False" ack_flag_mask="False" fin_flag="False" fin_flag_mask="False" psh_flag="False" psh_flag_mask="False" rst_flag="False" rst_flag_mask="False" syn_flag="False" syn_flag_mask="False" urg_flag="False" urg_flag_mask="False" name="squid" comment="" ro="False" src_range_start="0" src_range_end="0" dst_range_start="3128" dst_range_end="3128"/>
|
|
<TCPService id="tcp-SSH" ack_flag="False" ack_flag_mask="False" fin_flag="False" fin_flag_mask="False" psh_flag="False" psh_flag_mask="False" rst_flag="False" rst_flag_mask="False" syn_flag="False" syn_flag_mask="False" urg_flag="False" urg_flag_mask="False" name="ssh" comment="" ro="False" src_range_start="0" src_range_end="0" dst_range_start="22" dst_range_end="22"/>
|
|
<TCPService id="id3AEDBE00" ack_flag="False" ack_flag_mask="False" fin_flag="False" fin_flag_mask="False" psh_flag="False" psh_flag_mask="False" rst_flag="False" rst_flag_mask="False" syn_flag="False" syn_flag_mask="False" urg_flag="False" urg_flag_mask="False" name="sunrpc" comment="" ro="False" src_range_start="0" src_range_end="0" dst_range_start="111" dst_range_end="111"/>
|
|
<TCPService id="tcp-TCP-SYN" ack_flag="False" ack_flag_mask="True" fin_flag="False" fin_flag_mask="True" psh_flag="False" psh_flag_mask="True" rst_flag="False" rst_flag_mask="True" syn_flag="True" syn_flag_mask="True" urg_flag="False" urg_flag_mask="True" name="tcp-syn" comment="" ro="False" src_range_start="0" src_range_end="0" dst_range_start="0" dst_range_end="0"/>
|
|
<TCPService id="tcp-Telnet" ack_flag="False" ack_flag_mask="False" fin_flag="False" fin_flag_mask="False" psh_flag="False" psh_flag_mask="False" rst_flag="False" rst_flag_mask="False" syn_flag="False" syn_flag_mask="False" urg_flag="False" urg_flag_mask="False" name="telnet" comment="" ro="False" src_range_start="0" src_range_end="0" dst_range_start="23" dst_range_end="23"/>
|
|
<TCPService id="tcp-uucp" ack_flag="False" ack_flag_mask="False" fin_flag="False" fin_flag_mask="False" psh_flag="False" psh_flag_mask="False" rst_flag="False" rst_flag_mask="False" syn_flag="False" syn_flag_mask="False" urg_flag="False" urg_flag_mask="False" name="uucp" comment="" ro="False" src_range_start="0" src_range_end="0" dst_range_start="540" dst_range_end="540"/>
|
|
<TCPService id="id3CB131C6" ack_flag="False" ack_flag_mask="False" fin_flag="False" fin_flag_mask="False" psh_flag="False" psh_flag_mask="False" rst_flag="False" rst_flag_mask="False" syn_flag="False" syn_flag_mask="False" urg_flag="False" urg_flag_mask="False" name="winterm" comment="Windows Terminal Services" ro="False" src_range_start="0" src_range_end="0" dst_range_start="3389" dst_range_end="3389"/>
|
|
<TCPService id="id3B4FF1B8" ack_flag="False" ack_flag_mask="False" fin_flag="False" fin_flag_mask="False" psh_flag="False" psh_flag_mask="False" rst_flag="False" rst_flag_mask="False" syn_flag="False" syn_flag_mask="False" urg_flag="False" urg_flag_mask="False" name="xfs" comment="" ro="False" src_range_start="0" src_range_end="0" dst_range_start="7100" dst_range_end="7100"/>
|
|
<TCPService id="id3C685B2B" ack_flag="True" ack_flag_mask="True" fin_flag="True" fin_flag_mask="True" psh_flag="True" psh_flag_mask="True" rst_flag="True" rst_flag_mask="True" syn_flag="True" syn_flag_mask="True" urg_flag="True" urg_flag_mask="True" name="xmas scan - full" comment="This service object matches TCP packets with all six flags set." ro="False" src_range_start="0" src_range_end="0" dst_range_start="0" dst_range_end="0"/>
|
|
<TCPService id="id4127E949" ack_flag="False" ack_flag_mask="True" fin_flag="True" fin_flag_mask="True" psh_flag="True" psh_flag_mask="True" rst_flag="False" rst_flag_mask="True" syn_flag="False" syn_flag_mask="True" urg_flag="True" urg_flag_mask="True" name="xmas scan" comment="This service object matches TCP packets with the FIN, PSH and URG flags set and all other flags cleared. This is a &quot;christmas scan&quot; as defined in the snort rules. Nmap can generate this scan, too." ro="False" src_range_start="0" src_range_end="0" dst_range_start="0" dst_range_end="0"/>
|
|
<TCPService id="id4127EA72" ack_flag="False" ack_flag_mask="False" fin_flag="False" fin_flag_mask="False" psh_flag="False" psh_flag_mask="False" rst_flag="False" rst_flag_mask="False" syn_flag="False" syn_flag_mask="False" urg_flag="False" urg_flag_mask="False" name="rsync" comment="" ro="False" src_range_start="0" src_range_end="0" dst_range_start="873" dst_range_end="873"/>
|
|
<TCPService id="id4127EBAC" ack_flag="False" ack_flag_mask="False" fin_flag="False" fin_flag_mask="False" psh_flag="False" psh_flag_mask="False" rst_flag="False" rst_flag_mask="False" syn_flag="False" syn_flag_mask="False" urg_flag="False" urg_flag_mask="False" name="distcc" comment="distributed compiler" ro="False" src_range_start="0" src_range_end="0" dst_range_start="3632" dst_range_end="3632"/>
|
|
<TCPService id="id4127ECF1" ack_flag="False" ack_flag_mask="False" fin_flag="False" fin_flag_mask="False" psh_flag="False" psh_flag_mask="False" rst_flag="False" rst_flag_mask="False" syn_flag="False" syn_flag_mask="False" urg_flag="False" urg_flag_mask="False" name="cvspserver" comment="CVS client/server operations" ro="False" src_range_start="0" src_range_end="0" dst_range_start="2401" dst_range_end="2401"/>
|
|
<TCPService id="id4127ECF2" ack_flag="False" ack_flag_mask="False" fin_flag="False" fin_flag_mask="False" psh_flag="False" psh_flag_mask="False" rst_flag="False" rst_flag_mask="False" syn_flag="False" syn_flag_mask="False" urg_flag="False" urg_flag_mask="False" name="cvsup" comment="CVSup file transfer/John Polstra/FreeBSD" ro="False" src_range_start="0" src_range_end="0" dst_range_start="5999" dst_range_end="5999"/>
|
|
<TCPService id="id4127ED5E" ack_flag="False" ack_flag_mask="False" fin_flag="False" fin_flag_mask="False" psh_flag="False" psh_flag_mask="False" rst_flag="False" rst_flag_mask="False" syn_flag="False" syn_flag_mask="False" urg_flag="False" urg_flag_mask="False" name="afp" comment="AFP (Apple file sharing) over TCP" ro="False" src_range_start="0" src_range_end="0" dst_range_start="548" dst_range_end="548"/>
|
|
<TCPService id="id4127EDF6" ack_flag="False" ack_flag_mask="False" fin_flag="False" fin_flag_mask="False" psh_flag="False" psh_flag_mask="False" rst_flag="False" rst_flag_mask="False" syn_flag="False" syn_flag_mask="False" urg_flag="False" urg_flag_mask="False" name="whois" comment="" ro="False" src_range_start="0" src_range_end="0" dst_range_start="43" dst_range_end="43"/>
|
|
<TCPService id="id4127F04F" ack_flag="False" ack_flag_mask="False" fin_flag="False" fin_flag_mask="False" psh_flag="False" psh_flag_mask="False" rst_flag="False" rst_flag_mask="False" syn_flag="False" syn_flag_mask="False" urg_flag="False" urg_flag_mask="False" name="bgp" comment="" ro="False" src_range_start="0" src_range_end="0" dst_range_start="179" dst_range_end="179"/>
|
|
<TCPService id="id4127F146" ack_flag="False" ack_flag_mask="False" fin_flag="False" fin_flag_mask="False" psh_flag="False" psh_flag_mask="False" rst_flag="False" rst_flag_mask="False" syn_flag="False" syn_flag_mask="False" urg_flag="False" urg_flag_mask="False" name="radius" comment="Radius protocol" ro="False" src_range_start="0" src_range_end="0" dst_range_start="1812" dst_range_end="1812"/>
|
|
<TCPService id="id4127F147" ack_flag="False" ack_flag_mask="False" fin_flag="False" fin_flag_mask="False" psh_flag="False" psh_flag_mask="False" rst_flag="False" rst_flag_mask="False" syn_flag="False" syn_flag_mask="False" urg_flag="False" urg_flag_mask="False" name="radius acct" comment="Radius Accounting" ro="False" src_range_start="0" src_range_end="0" dst_range_start="1813" dst_range_end="1813"/>
|
|
<TCPService id="id41291784" ack_flag="False" ack_flag_mask="False" fin_flag="False" fin_flag_mask="False" psh_flag="False" psh_flag_mask="False" rst_flag="False" rst_flag_mask="False" syn_flag="False" syn_flag_mask="False" urg_flag="False" urg_flag_mask="False" name="upnp" comment="" ro="False" src_range_start="0" src_range_end="0" dst_range_start="5000" dst_range_end="5000"/>
|
|
<TCPService id="id41291785" ack_flag="False" ack_flag_mask="False" fin_flag="False" fin_flag_mask="False" psh_flag="False" psh_flag_mask="False" rst_flag="False" rst_flag_mask="False" syn_flag="False" syn_flag_mask="False" urg_flag="False" urg_flag_mask="False" name="upnp-5431" comment="Although the UPnP specification says it should use TCP port 5000, Linksys devices running Sveasoft firmware listen on port 5431" ro="False" src_range_start="0" src_range_end="0" dst_range_start="5431" dst_range_end="5431"/>
|
|
<TCPService id="id41291787" ack_flag="False" ack_flag_mask="False" fin_flag="False" fin_flag_mask="False" psh_flag="False" psh_flag_mask="False" rst_flag="False" rst_flag_mask="False" syn_flag="False" syn_flag_mask="False" urg_flag="False" urg_flag_mask="False" name="vnc-java-0" comment="Java VNC viewer, display 0" ro="False" src_range_start="0" src_range_end="0" dst_range_start="5800" dst_range_end="5800"/>
|
|
<TCPService id="id41291788" ack_flag="False" ack_flag_mask="False" fin_flag="False" fin_flag_mask="False" psh_flag="False" psh_flag_mask="False" rst_flag="False" rst_flag_mask="False" syn_flag="False" syn_flag_mask="False" urg_flag="False" urg_flag_mask="False" name="vnc-0" comment="Regular VNC viewer, display 0" ro="False" src_range_start="0" src_range_end="0" dst_range_start="5900" dst_range_end="5900"/>
|
|
<TCPService id="id41291887" ack_flag="False" ack_flag_mask="False" fin_flag="False" fin_flag_mask="False" psh_flag="False" psh_flag_mask="False" rst_flag="False" rst_flag_mask="False" syn_flag="False" syn_flag_mask="False" urg_flag="False" urg_flag_mask="False" name="vnc-java-1" comment="Java VNC viewer, display 1" ro="False" src_range_start="0" src_range_end="0" dst_range_start="5801" dst_range_end="5801"/>
|
|
<TCPService id="id41291888" ack_flag="False" ack_flag_mask="False" fin_flag="False" fin_flag_mask="False" psh_flag="False" psh_flag_mask="False" rst_flag="False" rst_flag_mask="False" syn_flag="False" syn_flag_mask="False" urg_flag="False" urg_flag_mask="False" name="vnc-1" comment="Regular VNC viewer, display 1" ro="False" src_range_start="0" src_range_end="0" dst_range_start="5901" dst_range_end="5901"/>
|
|
<TCPService id="id463FE5FE11008" ack_flag="False" ack_flag_mask="False" established="True" fin_flag="False" fin_flag_mask="False" psh_flag="False" psh_flag_mask="False" rst_flag="False" rst_flag_mask="False" syn_flag="False" syn_flag_mask="False" urg_flag="False" urg_flag_mask="False" name="All TCP established" comment="Some firewall platforms can match TCP packets with the ACK or RST flag set; the option is usually called &quot;established&quot;. Note that this object can only be used in the policy rules of a firewall that supports this option. If you need to match reply packets for a specific TCP service and wish to use the &quot;established&quot; option, make a copy of this object and set its source port range to match the service." ro="False" src_range_start="0" src_range_end="0" dst_range_start="0" dst_range_end="0"/>
|
|
<TCPService id="id1577X28030" ack_flag="False" ack_flag_mask="False" established="False" fin_flag="False" fin_flag_mask="False" psh_flag="False" psh_flag_mask="False" rst_flag="False" rst_flag_mask="False" syn_flag="False" syn_flag_mask="False" urg_flag="False" urg_flag_mask="False" name="rtmp" comment="Real Time Messaging Protocol" ro="False" src_range_start="0" src_range_end="0" dst_range_start="1935" dst_range_end="1935"/>
|
|
<TCPService id="id1590X28030" ack_flag="False" ack_flag_mask="False" established="False" fin_flag="False" fin_flag_mask="False" psh_flag="False" psh_flag_mask="False" rst_flag="False" rst_flag_mask="False" syn_flag="False" syn_flag_mask="False" urg_flag="False" urg_flag_mask="False" name="xmpp-client" comment="Extensible Messaging and Presence Protocol (XMPP) RFC3920 " ro="False" src_range_start="0" src_range_end="0" dst_range_start="5222" dst_range_end="5222"/>
|
|
<TCPService id="id1609X28030" ack_flag="False" ack_flag_mask="False" established="False" fin_flag="False" fin_flag_mask="False" psh_flag="False" psh_flag_mask="False" rst_flag="False" rst_flag_mask="False" syn_flag="False" syn_flag_mask="False" urg_flag="False" urg_flag_mask="False" name="xmpp-server" comment="Extensible Messaging and Presence Protocol (XMPP) RFC3920 " ro="False" src_range_start="0" src_range_end="0" dst_range_start="5269" dst_range_end="5269"/>
|
|
<TCPService id="id1622X28030" ack_flag="False" ack_flag_mask="False" established="False" fin_flag="False" fin_flag_mask="False" psh_flag="False" psh_flag_mask="False" rst_flag="False" rst_flag_mask="False" syn_flag="False" syn_flag_mask="False" urg_flag="False" urg_flag_mask="False" name="xmpp-client-ssl" comment="Extensible Messaging and Presence Protocol (XMPP) RFC3920 " ro="False" src_range_start="0" src_range_end="0" dst_range_start="5223" dst_range_end="5223"/>
|
|
<TCPService id="id1631X28030" ack_flag="False" ack_flag_mask="False" established="False" fin_flag="False" fin_flag_mask="False" psh_flag="False" psh_flag_mask="False" rst_flag="False" rst_flag_mask="False" syn_flag="False" syn_flag_mask="False" urg_flag="False" urg_flag_mask="False" name="xmpp-server-ssl" comment="Extensible Messaging and Presence Protocol (XMPP) RFC3920 " ro="False" src_range_start="0" src_range_end="0" dst_range_start="5270" dst_range_end="5270"/>
|
|
<TCPService id="id1644X28030" ack_flag="False" ack_flag_mask="False" established="False" fin_flag="False" fin_flag_mask="False" psh_flag="False" psh_flag_mask="False" rst_flag="False" rst_flag_mask="False" syn_flag="False" syn_flag_mask="False" urg_flag="False" urg_flag_mask="False" name="nrpe" comment="NRPE add-on for Nagios http://www.nagios.org/ " ro="False" src_range_start="0" src_range_end="0" dst_range_start="5666" dst_range_end="5666"/>
|
|
<TCPService id="tcp-DNS_zone_transf" ack_flag="False" ack_flag_mask="False" fin_flag="False" fin_flag_mask="False" psh_flag="False" psh_flag_mask="False" rst_flag="False" rst_flag_mask="False" syn_flag="False" syn_flag_mask="False" urg_flag="False" urg_flag_mask="False" name="dns-tcp" comment="" ro="False" src_range_start="0" src_range_end="0" dst_range_start="53" dst_range_end="53"/>
|
|
</ServiceGroup>
|
|
<ServiceGroup id="stdid08" name="UDP" comment="" ro="False">
|
|
<UDPService id="udp-ALL_UDP_Masqueraded" name="ALL UDP Masqueraded" comment="ipchains used this port range for masqueraded packets" ro="False" src_range_start="61000" src_range_end="65095" dst_range_start="0" dst_range_end="0"/>
|
|
<UDPService id="udp-All_UDP" name="All UDP" comment="" ro="False" src_range_start="0" src_range_end="0" dst_range_start="0" dst_range_end="0"/>
|
|
<UDPService id="id3D703C96" name="ICQ" comment="" ro="False" src_range_start="0" src_range_end="0" dst_range_start="4000" dst_range_end="4000"/>
|
|
<UDPService id="id3CB129D2" name="IKE" comment="" ro="False" src_range_start="0" src_range_end="0" dst_range_start="500" dst_range_end="500"/>
|
|
<UDPService id="id3CB131CA" name="PCAnywhere-status" comment="status channel for PCAnywhere v7.52 and later" ro="False" src_range_start="0" src_range_end="0" dst_range_start="5632" dst_range_end="5632"/>
|
|
<UDPService id="id3AED0D6B" name="RIP" comment="routing protocol RIP" ro="False" src_range_start="0" src_range_end="0" dst_range_start="520" dst_range_end="520"/>
|
|
<UDPService id="id3D703C8C" name="Radius" comment="" ro="False" src_range_start="0" src_range_end="0" dst_range_start="1645" dst_range_end="1645"/>
|
|
<UDPService id="id3D703C85" name="UDP high ports" comment="" ro="False" src_range_start="0" src_range_end="0" dst_range_start="1024" dst_range_end="65535"/>
|
|
<UDPService id="id3D703C86" name="Who" comment="" ro="False" src_range_start="0" src_range_end="0" dst_range_start="513" dst_range_end="513"/>
|
|
<UDPService id="id3B4FEDA1" name="afs" comment="" ro="False" src_range_start="0" src_range_end="0" dst_range_start="7000" dst_range_end="7009"/>
|
|
<UDPService id="udp-bootpc" name="bootpc" comment="" ro="False" src_range_start="0" src_range_end="0" dst_range_start="68" dst_range_end="68"/>
|
|
<UDPService id="udp-bootps" name="bootps" comment="" ro="False" src_range_start="0" src_range_end="0" dst_range_start="67" dst_range_end="67"/>
|
|
<UDPService id="id3AEDBE70" name="daytime" comment="" ro="False" src_range_start="0" src_range_end="0" dst_range_start="13" dst_range_end="13"/>
|
|
<UDPService id="udp-DNS" name="domain" comment="" ro="False" src_range_start="0" src_range_end="0" dst_range_start="53" dst_range_end="53"/>
|
|
<UDPService id="id3D703C8A" name="interphone" comment="VocalTec Internet Phone" ro="False" src_range_start="0" src_range_end="0" dst_range_start="22555" dst_range_end="22555"/>
|
|
<UDPService id="id3B4FEDA5" name="kerberos" comment="" ro="False" src_range_start="0" src_range_end="0" dst_range_start="88" dst_range_end="88"/>
|
|
<UDPService id="id3B4FEDA9" name="kerberos-adm" comment="" ro="False" src_range_start="0" src_range_end="0" dst_range_start="749" dst_range_end="750"/>
|
|
<UDPService id="id3B4FEDA7" name="kpasswd" comment="" ro="False" src_range_start="0" src_range_end="0" dst_range_start="464" dst_range_end="464"/>
|
|
<UDPService id="id3B4FEDAB" name="krb524" comment="" ro="False" src_range_start="0" src_range_end="0" dst_range_start="4444" dst_range_end="4444"/>
|
|
<UDPService id="id3F865B0D" name="microsoft-rpc" comment="" ro="False" src_range_start="0" src_range_end="0" dst_range_start="135" dst_range_end="135"/>
|
|
<UDPService id="udp-netbios-dgm" name="netbios-dgm" comment="" ro="False" src_range_start="0" src_range_end="0" dst_range_start="138" dst_range_end="138"/>
|
|
<UDPService id="udp-netbios-ns" name="netbios-ns" comment="" ro="False" src_range_start="0" src_range_end="0" dst_range_start="137" dst_range_end="137"/>
|
|
<UDPService id="udp-netbios-ssn" name="netbios-ssn" comment="" ro="False" src_range_start="0" src_range_end="0" dst_range_start="139" dst_range_end="139"/>
|
|
<UDPService id="id3B4FEE78" name="nfs" comment="" ro="False" src_range_start="0" src_range_end="0" dst_range_start="2049" dst_range_end="2049"/>
|
|
<UDPService id="udp-ntp" name="ntp" comment="" ro="False" src_range_start="0" src_range_end="0" dst_range_start="123" dst_range_end="123"/>
|
|
<UDPService id="id3B4FEF7E" name="quake" comment="" ro="False" src_range_start="0" src_range_end="0" dst_range_start="26000" dst_range_end="26000"/>
|
|
<UDPService id="id3D703C88" name="secureid-udp" comment="" ro="False" src_range_start="0" src_range_end="0" dst_range_start="1024" dst_range_end="1024"/>
|
|
<UDPService id="udp-SNMP" name="snmp" comment="" ro="False" src_range_start="0" src_range_end="0" dst_range_start="161" dst_range_end="161"/>
|
|
<UDPService id="id3AED0D69" name="snmp-trap" comment="" ro="False" src_range_start="0" src_range_end="0" dst_range_start="162" dst_range_end="162"/>
|
|
<UDPService id="id3AEDBE19" name="sunrpc" comment="" ro="False" src_range_start="0" src_range_end="0" dst_range_start="111" dst_range_end="111"/>
|
|
<UDPService id="id3AECF780" name="syslog" comment="" ro="False" src_range_start="0" src_range_end="0" dst_range_start="514" dst_range_end="514"/>
|
|
<UDPService id="id3AED0D67" name="tftp" comment="" ro="False" src_range_start="0" src_range_end="0" dst_range_start="69" dst_range_end="69"/>
|
|
<UDPService id="id3AED0D8C" name="traceroute" comment="" ro="False" src_range_start="0" src_range_end="0" dst_range_start="33434" dst_range_end="33524"/>
|
|
<UDPService id="id4127EA73" name="rsync" comment="" ro="False" src_range_start="0" src_range_end="0" dst_range_start="873" dst_range_end="873"/>
|
|
<UDPService id="id41291783" name="SSDP" comment="Simple Service Discovery Protocol (used for UPnP)" ro="False" src_range_start="0" src_range_end="0" dst_range_start="1900" dst_range_end="1900"/>
|
|
<UDPService id="id41291883" name="OpenVPN" comment="" ro="False" src_range_start="0" src_range_end="0" dst_range_start="1194" dst_range_end="1194"/>
|
|
</ServiceGroup>
|
|
<ServiceGroup id="stdid13" name="Custom" comment="" ro="False">
|
|
<CustomService id="id3B64EEA8" name="rpc" comment="works in iptables and requires patch-o-matic. For more information look for patch-o-matic on http://www.netfilter.org/" ro="False" protocol="any" address_family="ipv4">
|
|
<CustomServiceCommand platform="Undefined"/>
|
|
<CustomServiceCommand platform="ipf"/>
|
|
<CustomServiceCommand platform="ipfilter"/>
|
|
<CustomServiceCommand platform="ipfw"/>
|
|
<CustomServiceCommand platform="iptables">-m record_rpc</CustomServiceCommand>
|
|
<CustomServiceCommand platform="pf"/>
|
|
<CustomServiceCommand platform="pix"/>
|
|
<CustomServiceCommand platform="unknown"/>
|
|
</CustomService>
|
|
<CustomService id="id3B64EF4E" name="irc-conn" comment="IRC connection tracker, supports DCC. Works on iptables and requires patch-o-matic. For more information look for patch-o-matic on http://www.netfilter.org/ " ro="False" protocol="any" address_family="ipv4">
|
|
<CustomServiceCommand platform="Undefined"/>
|
|
<CustomServiceCommand platform="ipf"/>
|
|
<CustomServiceCommand platform="ipfilter"/>
|
|
<CustomServiceCommand platform="ipfw"/>
|
|
<CustomServiceCommand platform="iptables">-m irc</CustomServiceCommand>
|
|
<CustomServiceCommand platform="pf"/>
|
|
<CustomServiceCommand platform="pix"/>
|
|
<CustomServiceCommand platform="unknown"/>
|
|
</CustomService>
|
|
<CustomService id="id3B64EF50" name="psd" comment="Port scan detector, works only on iptables and requires patch-o-matic. For more information look for patch-o-matic on http://www.netfilter.org/" ro="False" protocol="any" address_family="ipv4">
|
|
<CustomServiceCommand platform="Undefined"/>
|
|
<CustomServiceCommand platform="ipf"/>
|
|
<CustomServiceCommand platform="ipfilter"/>
|
|
<CustomServiceCommand platform="ipfw"/>
|
|
<CustomServiceCommand platform="iptables">-m psd --psd-weight-threshold 5 --psd-delay-threshold 10000</CustomServiceCommand>
|
|
<CustomServiceCommand platform="pf"/>
|
|
<CustomServiceCommand platform="pix"/>
|
|
<CustomServiceCommand platform="unknown"/>
|
|
</CustomService>
|
|
<CustomService id="id3B64EF52" name="string" comment="Matches a string in a whole packet, works in iptables and requires patch-o-matic. For more information look for patch-o-matic on http://www.netfilter.org/" ro="False" protocol="any" address_family="ipv4">
|
|
<CustomServiceCommand platform="Undefined"/>
|
|
<CustomServiceCommand platform="ipf"/>
|
|
<CustomServiceCommand platform="ipfilter"/>
|
|
<CustomServiceCommand platform="ipfw"/>
|
|
<CustomServiceCommand platform="iptables">-m string --string test_pattern</CustomServiceCommand>
|
|
<CustomServiceCommand platform="pf"/>
|
|
<CustomServiceCommand platform="pix"/>
|
|
<CustomServiceCommand platform="unknown"/>
|
|
</CustomService>
|
|
<CustomService id="id3B64EF54" name="talk" comment="Talk protocol support. Works in iptables and requires patch-o-matic. For more information look for patch-o-matic on http://www.netfilter.org/" ro="False" protocol="any" address_family="ipv4">
|
|
<CustomServiceCommand platform="Undefined"/>
|
|
<CustomServiceCommand platform="ipf"/>
|
|
<CustomServiceCommand platform="ipfilter"/>
|
|
<CustomServiceCommand platform="ipfw"/>
|
|
<CustomServiceCommand platform="iptables">-m talk</CustomServiceCommand>
|
|
<CustomServiceCommand platform="pf"/>
|
|
<CustomServiceCommand platform="pix"/>
|
|
<CustomServiceCommand platform="unknown"/>
|
|
</CustomService>
|
|
</ServiceGroup>
|
|
<ServiceGroup id="stdid19" name="TagServices" comment="" ro="False"/>
|
|
<ServiceGroup id="stdid20" name="UserServices" comment="" ro="False"/>
|
|
</ServiceGroup>
|
|
<ObjectGroup id="stdid12" name="Firewalls" comment="" ro="False"/>
|
|
<ObjectGroup id="stdid21" name="Clusters" comment="" ro="False"/>
|
|
<IntervalGroup id="stdid11" name="Time" comment="" ro="False">
|
|
<Interval id="int-workhours" days_of_week="1,2,3,4,5" from_day="-1" from_hour="9" from_minute="0" from_month="-1" from_weekday="1" from_year="-1" to_day="-1" to_hour="17" to_minute="0" to_month="-1" to_weekday="5" to_year="-1" name="workhours" comment="weekdays only (Monday through Friday), 9:00am through 5:00pm" ro="False"/>
|
|
<Interval id="int-weekends" days_of_week="6,0" from_day="-1" from_hour="0" from_minute="0" from_month="-1" from_weekday="6" from_year="-1" to_day="-1" to_hour="23" to_minute="59" to_month="-1" to_weekday="0" to_year="-1" name="weekends" comment="weekends: Saturday 0:00 through Sunday 23:59 " ro="False"/>
|
|
<Interval id="int-afterhours" days_of_week="0,1,2,3,4,5,6" from_day="-1" from_hour="18" from_minute="0" from_month="-1" from_weekday="-1" from_year="-1" to_day="-1" to_hour="23" to_minute="59" to_month="-1" to_weekday="-1" to_year="-1" name="afterhours" comment="any day 6:00pm - 12:00am" ro="False"/>
|
|
<Interval id="id3C63479C" days_of_week="6" from_day="-1" from_hour="0" from_minute="0" from_month="-1" from_weekday="6" from_year="-1" to_day="-1" to_hour="23" to_minute="59" to_month="-1" to_weekday="6" to_year="-1" name="Sat" comment="" ro="False"/>
|
|
<Interval id="id3C63479E" days_of_week="0" from_day="-1" from_hour="0" from_minute="0" from_month="-1" from_weekday="0" from_year="-1" to_day="-1" to_hour="23" to_minute="59" to_month="-1" to_weekday="0" to_year="-1" name="Sun" comment="" ro="False"/>
|
|
</IntervalGroup>
|
|
</Library>
|
|
<Library id="sysid99" name="Deleted Objects" comment="" ro="False">
|
|
<ICMP6Service id="idE0C27650" code="0" type="1" name="ipv6 dest unreachable" comment="No route to destination" ro="False"/>
|
|
<IPv4 id="id41D295E2" name="firewall30:ppp.200*:ip" comment="" ro="False" address="192.168.1.1" netmask="255.255.255.0"/>
|
|
<Firewall id="id41D294BB" host_OS="linux24" lastCompiled="0" lastInstalled="0" lastModified="0" platform="iptables" version="" name="firewall30" comment="dynamic wildcard interface with a dot in the name" ro="False">
|
|
<NAT id="id41D2953D" name="NAT" comment="" ro="False" ipv4_rule_set="False" ipv6_rule_set="False" top_rule_set="True">
|
|
<NATRule id="id41D2953E" disabled="False" group="" position="0" action="Translate" comment="">
|
|
<OSrc neg="False">
|
|
<ObjectRef ref="net-Internal_net"/>
|
|
</OSrc>
|
|
<ODst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ODst>
|
|
<OSrv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</OSrv>
|
|
<TSrc neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</TSrc>
|
|
<TDst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</TDst>
|
|
<TSrv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</TSrv>
|
|
<ItfInb neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ItfInb>
|
|
<ItfOutb neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ItfOutb>
|
|
<NATRuleOptions/>
|
|
</NATRule>
|
|
<NATRule id="id41D2954C" disabled="False" group="" position="1" action="Translate" comment="">
|
|
<OSrc neg="False">
|
|
<ObjectRef ref="net-Internal_net"/>
|
|
</OSrc>
|
|
<ODst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ODst>
|
|
<OSrv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</OSrv>
|
|
<TSrc neg="False">
|
|
<ObjectRef ref="id3AFADBF9"/>
|
|
</TSrc>
|
|
<TDst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</TDst>
|
|
<TSrv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</TSrv>
|
|
<ItfInb neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ItfInb>
|
|
<ItfOutb neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ItfOutb>
|
|
<NATRuleOptions/>
|
|
</NATRule>
|
|
<NATRule id="id41D2955A" disabled="False" group="" position="2" action="Translate" comment="">
|
|
<OSrc neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</OSrc>
|
|
<ODst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ODst>
|
|
<OSrv neg="False">
|
|
<ServiceRef ref="tcp-SSH"/>
|
|
</OSrv>
|
|
<TSrc neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</TSrc>
|
|
<TDst neg="False">
|
|
<ObjectRef ref="host-hostA"/>
|
|
</TDst>
|
|
<TSrv neg="False">
|
|
<ServiceRef ref="tcp-SSH"/>
|
|
</TSrv>
|
|
<ItfInb neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ItfInb>
|
|
<ItfOutb neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ItfOutb>
|
|
<NATRuleOptions/>
|
|
</NATRule>
|
|
<NATRule id="id41D29568" disabled="False" group="" position="3" action="Translate" comment="">
|
|
<OSrc neg="False">
|
|
<ObjectRef ref="net-Internal_net"/>
|
|
</OSrc>
|
|
<ODst neg="True">
|
|
<ObjectRef ref="id3B19C5EB"/>
|
|
</ODst>
|
|
<OSrv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</OSrv>
|
|
<TSrc neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</TSrc>
|
|
<TDst neg="False">
|
|
<ObjectRef ref="id3D151943"/>
|
|
</TDst>
|
|
<TSrv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</TSrv>
|
|
<ItfInb neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ItfInb>
|
|
<ItfOutb neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ItfOutb>
|
|
<NATRuleOptions/>
|
|
</NATRule>
|
|
<RuleSetOptions/>
|
|
</NAT>
|
|
<Policy id="id41D294C0" name="Policy" comment="" ro="False" ipv4_rule_set="False" ipv6_rule_set="False" top_rule_set="True">
|
|
<PolicyRule id="id41D295AE" disabled="False" group="" log="True" position="0" action="Deny" direction="Inbound" comment="ppp clients get addresses on 10.1.1.0">
|
|
<Src neg="True">
|
|
<ObjectRef ref="id3EFBCCBA"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="id41D29576"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="stateless">True</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<PolicyRule id="id41D295B8" disabled="False" group="" log="True" position="1" action="Deny" direction="Inbound" comment="ppp clients can not connect to the firewall">
|
|
<Src neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="id41D29576"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="stateless">True</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<PolicyRule id="id41D295C2" disabled="False" group="" log="True" position="2" action="Deny" direction="Inbound" comment="">
|
|
<Src neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="id41D29576"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="stateless">True</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<PolicyRule id="id41D295CC" disabled="False" group="" log="False" position="3" action="Accept" direction="Inbound" comment="ppp clients can only connect to the mail server and web proxy on DMZ">
|
|
<Src neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="id3D151943"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="tcp-SMTP"/>
|
|
<ServiceRef ref="id3B4FF09A"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="id41D29576"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions/>
|
|
</PolicyRule>
|
|
<PolicyRule id="id41D295D7" disabled="False" group="" log="True" position="4" action="Deny" direction="Inbound" comment="ppp clients can not connect to anything else on DMZ and internal net">
|
|
<Src neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="id3B022266"/>
|
|
<ObjectRef ref="net-Internal_net"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="id41D29576"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="stateless">True</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<PolicyRule id="id41D295F6" disabled="False" group="" log="True" position="5" action="Deny" direction="Inbound" comment="">
|
|
<Src neg="True">
|
|
<ObjectRef ref="id3B022266"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="id41D295E8"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="stateless">True</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<PolicyRule id="id41D294C1" disabled="False" group="" log="True" position="6" action="Accept" direction="Both" comment="hostF has the same IP address as the firewall.">
|
|
<Src neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="id3AFC191C"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="icmp-ping_request"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="id"/>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<PolicyRule id="id41D294CB" disabled="False" group="" log="False" position="7" action="Accept" direction="Both" comment="">
|
|
<Src neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="tcp-SSH"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions/>
|
|
</PolicyRule>
|
|
<PolicyRule id="id41D294D5" disabled="False" group="" log="False" position="8" action="Accept" direction="Both" comment="">
|
|
<Src neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="tcp-SSH"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions/>
|
|
</PolicyRule>
|
|
<PolicyRule id="id41D294DF" disabled="False" group="" log="False" position="9" action="Accept" direction="Both" comment="">
|
|
<Src neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="id3B19BF58"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="tcp-SSH"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions/>
|
|
</PolicyRule>
|
|
<PolicyRule id="id41D294E9" disabled="False" group="" log="False" position="10" action="Accept" direction="Both" comment="">
|
|
<Src neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="id3AFC191C"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="tcp-SSH"/>
|
|
<ServiceRef ref="tcp-Telnet"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions/>
|
|
</PolicyRule>
|
|
<PolicyRule id="id41D294F4" disabled="False" group="" log="False" position="11" action="Accept" direction="Both" comment="">
|
|
<Src neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="id3E9870D1"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="tcp-SSH"/>
|
|
<ServiceRef ref="tcp-Telnet"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions/>
|
|
</PolicyRule>
|
|
<PolicyRule id="id41D294FF" disabled="False" group="" log="True" position="12" action="Accept" direction="Both" comment="">
|
|
<Src neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="id3E9870D1"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="tcp-SSH"/>
|
|
<ServiceRef ref="tcp-Telnet"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions/>
|
|
</PolicyRule>
|
|
<PolicyRule id="id41D2950A" disabled="False" group="" log="False" position="13" action="Accept" direction="Both" comment="firewall is part of Any, so compiler should generate code in both FORWARD and OUTPUT chains">
|
|
<Src neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="id3B19C5EB"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions/>
|
|
</PolicyRule>
|
|
<PolicyRule id="id41D29514" disabled="False" group="" log="False" position="14" action="Accept" direction="Both" comment="firewall is part of Any, compiler should generate code for both FORWARD and INPUT chains">
|
|
<Src neg="False">
|
|
<ObjectRef ref="id3B19C5EB"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions/>
|
|
</PolicyRule>
|
|
<PolicyRule id="id41D2951E" disabled="False" group="" log="False" position="15" action="Accept" direction="Both" comment="because firewall has interface on network internal_net, compiler should generate code for both FORWARD and INPUT chains">
|
|
<Src neg="False">
|
|
<ObjectRef ref="host-hostA"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="net-Internal_net"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions/>
|
|
</PolicyRule>
|
|
<PolicyRule id="id41D29528" disabled="False" group="" log="False" position="16" action="Accept" direction="Both" comment="">
|
|
<Src neg="False">
|
|
<ObjectRef ref="net-Internal_net"/>
|
|
<ObjectRef ref="id3B022266"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="id3B19C5EB"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions/>
|
|
</PolicyRule>
|
|
<PolicyRule id="id41D29533" disabled="False" group="" log="True" position="17" action="Deny" direction="Both" comment="Automatically generated 'catch all' rule">
|
|
<Src neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="action_on_reject"/>
|
|
<Option name="id"/>
|
|
<Option name="limit_suffix"/>
|
|
<Option name="limit_value">0</Option>
|
|
<Option name="log_prefix"/>
|
|
<Option name="stateless">True</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<RuleSetOptions/>
|
|
</Policy>
|
|
<Routing id="id41D294BB-routing" name="Routing" comment="" ro="False" ipv4_rule_set="False" ipv6_rule_set="False" top_rule_set="True">
|
|
<RuleSetOptions/>
|
|
</Routing>
|
|
<Interface id="id41D29576" dedicated_failover="False" dyn="True" label="" mgmt="False" security_level="0" unnum="False" unprotected="False" name="ppp.200*" comment="" ro="False">
|
|
<InterfaceOptions/>
|
|
</Interface>
|
|
<Interface id="id41D295E3" dedicated_failover="False" dyn="False" label="" mgmt="True" security_level="100" unnum="False" unprotected="False" name="eth0" comment="" ro="False">
|
|
<IPv4 id="id41D295E7" name="firewall30:eth0:ip" comment="" ro="False" address="192.168.1.1" netmask="255.255.255.0"/>
|
|
<InterfaceOptions/>
|
|
</Interface>
|
|
<Interface id="id41D295E8" dedicated_failover="False" dyn="False" security_level="0" unnum="False" unprotected="False" name="eth2" comment="" ro="False">
|
|
<IPv4 id="id41D29600" name="firewall30:eth2:ip" comment="" ro="False" address="192.168.2.1" netmask="255.255.255.0"/>
|
|
<InterfaceOptions/>
|
|
</Interface>
|
|
<Management address="192.168.1.1">
|
|
<SNMPManagement enabled="False" snmp_read_community="public" snmp_write_community=""/>
|
|
<FWBDManagement enabled="True" identity="" port="9999"/>
|
|
<PolicyInstallScript arguments="" command="" enabled="False"/>
|
|
</Management>
|
|
<FirewallOptions>
|
|
<Option name="accept_established">True</Option>
|
|
<Option name="accept_new_tcp_with_no_syn">True</Option>
|
|
<Option name="action_on_reject">ICMP host prohibited</Option>
|
|
<Option name="activationCmd"/>
|
|
<Option name="admUser"/>
|
|
<Option name="altAddress"/>
|
|
<Option name="bridging_fw">False</Option>
|
|
<Option name="check_shading">False</Option>
|
|
<Option name="clamp_mss_to_mtu">False</Option>
|
|
<Option name="cmdline"/>
|
|
<Option name="compiler"/>
|
|
<Option name="configure_interfaces">True</Option>
|
|
<Option name="debug">False</Option>
|
|
<Option name="drop_invalid">False</Option>
|
|
<Option name="dyn_addr">False</Option>
|
|
<Option name="epilog_script"/>
|
|
<Option name="firewall_dir"/>
|
|
<Option name="firewall_is_part_of_any">True</Option>
|
|
<Option name="firewall_is_part_of_any_and_networks">True</Option>
|
|
<Option name="id"/>
|
|
<Option name="ignore_empty_groups">False</Option>
|
|
<Option name="install_script"/>
|
|
<Option name="limit_suffix">/day</Option>
|
|
<Option name="limit_value">0</Option>
|
|
<Option name="linux24_accept_redirects"/>
|
|
<Option name="linux24_accept_source_route"/>
|
|
<Option name="linux24_icmp_echo_ignore_all"/>
|
|
<Option name="linux24_icmp_echo_ignore_broadcasts"/>
|
|
<Option name="linux24_icmp_ignore_bogus_error_responses"/>
|
|
<Option name="linux24_ip_dynaddr"/>
|
|
<Option name="linux24_ip_forward"/>
|
|
<Option name="linux24_log_martians"/>
|
|
<Option name="linux24_path_ip"/>
|
|
<Option name="linux24_path_iptables"/>
|
|
<Option name="linux24_path_logger"/>
|
|
<Option name="linux24_path_lsmod"/>
|
|
<Option name="linux24_path_modprobe"/>
|
|
<Option name="linux24_rp_filter"/>
|
|
<Option name="linux24_tcp_ecn"/>
|
|
<Option name="linux24_tcp_fack"/>
|
|
<Option name="linux24_tcp_fin_timeout">30</Option>
|
|
<Option name="linux24_tcp_keepalive_interval">1800</Option>
|
|
<Option name="linux24_tcp_sack"/>
|
|
<Option name="linux24_tcp_syncookies"/>
|
|
<Option name="linux24_tcp_timestamps"/>
|
|
<Option name="linux24_tcp_window_scaling"/>
|
|
<Option name="load_modules">False</Option>
|
|
<Option name="local_nat">False</Option>
|
|
<Option name="log_all">False</Option>
|
|
<Option name="log_all_dropped">False</Option>
|
|
<Option name="log_invalid">False</Option>
|
|
<Option name="log_ip_opt">False</Option>
|
|
<Option name="log_level"/>
|
|
<Option name="log_limit_suffix"/>
|
|
<Option name="log_limit_value">0</Option>
|
|
<Option name="log_prefix"/>
|
|
<Option name="log_tcp_opt">False</Option>
|
|
<Option name="log_tcp_seq">False</Option>
|
|
<Option name="manage_virtual_addr">True</Option>
|
|
<Option name="mgmt_addr"/>
|
|
<Option name="mgmt_ssh">False</Option>
|
|
<Option name="no_iochains_for_any">False</Option>
|
|
<Option name="no_optimisation">False</Option>
|
|
<Option name="output_file"/>
|
|
<Option name="platform">iptables</Option>
|
|
<Option name="prolog_place">top</Option>
|
|
<Option name="prolog_script"/>
|
|
<Option name="script_env_path"/>
|
|
<Option name="snmp_contact"/>
|
|
<Option name="snmp_description"/>
|
|
<Option name="snmp_location"/>
|
|
<Option name="ulog_cprange">0</Option>
|
|
<Option name="ulog_nlgroup">1</Option>
|
|
<Option name="ulog_qthreshold">1</Option>
|
|
<Option name="use_ULOG">False</Option>
|
|
<Option name="use_iptables_restore">False</Option>
|
|
<Option name="use_numeric_log_levels">False</Option>
|
|
<Option name="verify_interfaces">True</Option>
|
|
</FirewallOptions>
|
|
</Firewall>
|
|
<Interface id="id41F62C5C" dedicated_failover="False" dyn="False" security_level="0" unnum="False" unprotected="False" name="eth3" comment="" ro="False">
|
|
<IPv4 id="id41F62C60" name="firewall30:eth3:ip" comment="" ro="False" address="22.22.23.23" netmask="255.255.255.0"/>
|
|
<InterfaceOptions/>
|
|
</Interface>
|
|
<Interface id="id41F62C52" dedicated_failover="False" dyn="False" security_level="100" unnum="False" unprotected="False" name="eth2" comment="" ro="False">
|
|
<IPv4 id="id41F62C56" name="firewall30:eth2:ip" comment="" ro="False" address="192.168.2.1" netmask="255.255.255.0"/>
|
|
<InterfaceOptions/>
|
|
</Interface>
|
|
<Interface id="id429910E6" dedicated_failover="False" dyn="False" label="fw8:eth2" mgmt="True" security_level="100" unnum="False" unprotected="False" name="eth2" comment="" ro="False">
|
|
<IPv4 id="id429910EA" name="firewall31:eth2:ip" comment="" ro="False" address="192.168.100.1" netmask="255.255.255.0"/>
|
|
<InterfaceOptions/>
|
|
</Interface>
|
|
<Interface id="id43868A7E1434" dedicated_failover="False" dyn="True" label="" mgmt="False" security_level="0" unnum="False" unprotected="False" name="eth0.200" comment="VLAN interface" ro="False">
|
|
<InterfaceOptions/>
|
|
</Interface>
|
|
<Interface id="id4492FF5124380" dedicated_failover="False" dyn="False" label="" mgmt="True" security_level="100" unnum="False" unprotected="False" name="eth1" comment="" ro="False">
|
|
<IPv4 id="id4492FF5324380" name="firewall40:eth1:ip" comment="" ro="False" address="192.168.1.1" netmask="255.255.255.0"/>
|
|
<InterfaceOptions/>
|
|
</Interface>
|
|
<IPv4 id="id4492FF5F24380" name="firewall40:eth0:ip-1" comment="" ro="False" address="0.0.0.0" netmask="0.0.0.0"/>
|
|
<Library id="id44EC13FB8791" color="#d2ffd0" name="tmp" comment="" ro="False">
|
|
<ObjectGroup id="id44EC13FC8791_clusters" name="Clusters" comment="" ro="False"/>
|
|
<ObjectGroup id="id44EC13FC8791" name="Objects" comment="" ro="False">
|
|
<ObjectGroup id="id44EC13FD8791" name="Addresses" comment="" ro="False"/>
|
|
<ObjectGroup id="id44EC13FE8791" name="DNS Names" comment="" ro="False"/>
|
|
<ObjectGroup id="id44EC13FF8791" name="Address Tables" comment="" ro="False"/>
|
|
<ObjectGroup id="id44EC14008791" name="Groups" comment="" ro="False"/>
|
|
<ObjectGroup id="id44EC14018791" name="Hosts" comment="" ro="False"/>
|
|
<ObjectGroup id="id44EC14028791" name="Networks" comment="" ro="False"/>
|
|
<ObjectGroup id="id44EC14038791" name="Address Ranges" comment="" ro="False"/>
|
|
</ObjectGroup>
|
|
<ServiceGroup id="id44EC14048791" name="Services" comment="" ro="False">
|
|
<ServiceGroup id="id44EC14048791_userservices" name="Users" comment="" ro="False"/>
|
|
<ServiceGroup id="id44EC14058791" name="Groups" comment="" ro="False"/>
|
|
<ServiceGroup id="id44EC14068791" name="ICMP" comment="" ro="False"/>
|
|
<ServiceGroup id="id44EC14078791" name="IP" comment="" ro="False"/>
|
|
<ServiceGroup id="id44EC14088791" name="TCP" comment="" ro="False"/>
|
|
<ServiceGroup id="id44EC14098791" name="UDP" comment="" ro="False"/>
|
|
<ServiceGroup id="id44EC140A8791" name="Custom" comment="" ro="False"/>
|
|
<ServiceGroup id="id44EC140B8791" name="TagServices" comment="" ro="False"/>
|
|
</ServiceGroup>
|
|
<ObjectGroup id="id44EC140C8791" name="Firewalls" comment="" ro="False"/>
|
|
<IntervalGroup id="id44EC140D8791" name="Time" comment="" ro="False"/>
|
|
</Library>
|
|
<Interface id="id46EFBE4D31183" dedicated_failover="False" dyn="False" security_level="100" unnum="False" unprotected="False" name="eth2" comment="" ro="False">
|
|
<IPv4 id="id46EFBE4F31183" name="firewall42:eth2:ip" comment="" ro="False" address="192.168.2.1" netmask="255.255.255.0"/>
|
|
<InterfaceOptions/>
|
|
</Interface>
|
|
<Interface id="id46EFBE5331183" dedicated_failover="False" dyn="False" security_level="0" unnum="False" unprotected="False" name="eth3" comment="" ro="False">
|
|
<IPv4 id="id46EFBE5531183" name="firewall42:eth3:ip" comment="" ro="False" address="22.22.23.23" netmask="255.255.255.0"/>
|
|
<InterfaceOptions/>
|
|
</Interface>
|
|
<IPv4 id="id46EFBE4931183" name="firewall42:eth0:ip" comment="" ro="False" address="192.168.1.1" netmask="255.255.255.0"/>
|
|
<Interface id="id4848A43B4626" dedicated_failover="False" dyn="True" label="" mgmt="False" security_level="0" unnum="False" unprotected="False" name="ppp0" comment="" ro="False">
|
|
<InterfaceOptions/>
|
|
</Interface>
|
|
<IPv4 id="id30492X26784" name="firewall20-ipv6:ppp*:ip" comment="" ro="False" address="192.168.1.1" netmask="255.255.255.0"/>
|
|
<Policy id="id55978X87590" name="Policy_ipv6" comment="" ro="False" ipv4_rule_set="False" ipv6_rule_set="True" top_rule_set="False">
|
|
<PolicyRule id="id55979X87590" disabled="False" group="" log="False" position="0" action="Accept" direction="Outbound" comment="for bug 2047082 ">
|
|
<Src neg="False">
|
|
<ObjectRef ref="id55972X87590"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="stateless">False</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<PolicyRule id="id55991X87590" disabled="False" group="" log="False" position="1" action="Accept" direction="Both" comment="">
|
|
<Src neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="id47CBF5D129252"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="stateless">False</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<PolicyRule id="id56003X87590" disabled="False" group="" log="True" position="2" action="Deny" direction="Both" comment="">
|
|
<Src neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="id30841X361"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="stateless">True</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<PolicyRule id="id56015X87590" disabled="False" group="" log="False" position="3" action="Accept" direction="Both" comment="INPUT, OUTPUT, FORWARD">
|
|
<Src neg="False">
|
|
<ObjectRef ref="id4834B9206131"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="stateless">False</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<PolicyRule id="id56027X87590" disabled="False" group="" log="False" position="4" action="Accept" direction="Both" comment="INPUT, OUTPUT, FORWARD">
|
|
<Src neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="id4834B9206131"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="stateless">False</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<PolicyRule id="id56039X87590" disabled="False" group="" log="False" position="5" action="Accept" direction="Both" comment="">
|
|
<Src neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="id55972X87590"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="idCFE27660"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="stateless">False</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<PolicyRule id="id56051X87590" disabled="False" group="" log="False" position="6" action="Accept" direction="Inbound" comment="">
|
|
<Src neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="id55972X87590"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="idCFE27660"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="stateless">False</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<PolicyRule id="id56063X87590" disabled="False" group="" log="False" position="7" action="Accept" direction="Both" comment="">
|
|
<Src neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="idCFE27660"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="stateless">False</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<PolicyRule id="id56075X87590" disabled="False" group="" log="False" position="8" action="Accept" direction="Outbound" comment="">
|
|
<Src neg="False">
|
|
<ObjectRef ref="id56355X87590"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="stateless">False</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<RuleSetOptions/>
|
|
</Policy>
|
|
<Interface id="id78170X59595" dedicated_failover="False" dyn="True" label="" mgmt="False" security_level="0" unnum="False" unprotected="False" name="ppp0" comment="" ro="False">
|
|
<InterfaceOptions/>
|
|
</Interface>
|
|
<Interface id="id78158X59595" dedicated_failover="False" dyn="False" label="" security_level="0" unnum="False" unprotected="False" name="eth2" comment="" ro="False">
|
|
<IPv4 id="id78160X59595" name="firewall70:eth2:ip" comment="" ro="False" address="66.66.66.1" netmask="255.255.255.128"/>
|
|
<InterfaceOptions/>
|
|
</Interface>
|
|
<Interface id="id42484X60089" dedicated_failover="False" dyn="True" label="" mgmt="False" security_level="0" unnum="False" unprotected="False" name="ppp*" comment="" ro="False">
|
|
<IPv4 id="id42486X60089" name="firewall71:ppp*:ip" comment="" ro="False" address="192.168.1.1" netmask="255.255.255.0"/>
|
|
<InterfaceOptions/>
|
|
</Interface>
|
|
<IPv6 id="id42610X47974" name="firewall-ipv6-5:eth0:ip6" comment="" ro="False" address="fe80::21d:9ff:fe8b:8e94" netmask="64"/>
|
|
<IPv6 id="id100945X48026" name="firewall-ipv6-5:eth1:ipv6" comment="" ro="False" address="fe80::21d:9ff:fe8b:8e94" netmask="64"/>
|
|
<IPv6 id="id197751X48026" name="firewall-ipv6-5:eth0:ipv6" comment="" ro="False" address="fe80::21d:9ff:fe8b:8e94" netmask="64"/>
|
|
<IPv6 id="id178394X48026" name="firewall-ipv6-6:eth1:ip6" comment="" ro="False" address="fe80::21d:9ff:fe8b:8e94" netmask="64"/>
|
|
<IPv6 id="id42754X3791" name="ipv4-ipv6-host-1:eth0:ip6" comment="" ro="False" address="e80::21d:9ff:fe8b:8e94" netmask="64"/>
|
|
<Policy id="id45077X92250" name="GOOD_GUYS" comment="" ro="False" ipv4_rule_set="True" ipv6_rule_set="False" top_rule_set="False">
|
|
<PolicyRule id="id45078X92250" disabled="False" group="" log="True" position="0" action="Deny" direction="Both" comment="">
|
|
<Src neg="True">
|
|
<ObjectRef ref="net-Internal_net"/>
|
|
<ObjectRef ref="id86936X27543"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="stateless">True</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<RuleSetOptions/>
|
|
</Policy>
|
|
<Interface id="id45379X92250" dedicated_failover="False" dyn="False" security_level="0" unnum="False" unprotected="False" name="eth3" comment="" ro="False">
|
|
<IPv4 id="id45381X92250" name="firewall72-base:eth3:ip" comment="" ro="False" address="22.22.23.23" netmask="255.255.255.0"/>
|
|
<InterfaceOptions/>
|
|
</Interface>
|
|
<Interface id="id45373X92250" dedicated_failover="False" dyn="False" security_level="100" unnum="False" unprotected="False" name="eth2" comment="" ro="False">
|
|
<IPv4 id="id45375X92250" name="firewall72-base:eth2:ip" comment="" ro="False" address="192.168.2.1" netmask="255.255.255.0"/>
|
|
<InterfaceOptions/>
|
|
</Interface>
|
|
<Interface id="id854459X92250" dedicated_failover="False" dyn="True" label="fw8:ppp0" mgmt="False" security_level="0" unnum="False" unprotected="False" name="ppp0" comment="" ro="False">
|
|
<InterfaceOptions/>
|
|
</Interface>
|
|
<Interface id="id854456X92250" dedicated_failover="False" dyn="False" label="" mgmt="True" security_level="100" unnum="False" unprotected="False" name="eth2" comment="" ro="False">
|
|
<IPv4 id="id854458X92250" name="firewall72-1.4.3:eth2:ip" comment="" ro="False" address="192.168.100.1" netmask="255.255.255.0"/>
|
|
<InterfaceOptions/>
|
|
</Interface>
|
|
<Firewall id="id854441X92250" host_OS="linux24" inactive="False" lastCompiled="1247604459" lastInstalled="0" lastModified="1247615570" platform="iptables" version="1.4.3" name="firewall72-1.4.3-delete" comment="This firewall is used to test a rule in the global policy of the object &quot;firewall&quot;." ro="False">
|
|
<NAT id="id854448X92250" name="NAT" comment="" ro="False" ipv4_rule_set="False" ipv6_rule_set="False" top_rule_set="True">
|
|
<RuleSetOptions/>
|
|
</NAT>
|
|
<Policy id="id854447X92250" name="Policy" comment="" ro="False" ipv4_rule_set="False" ipv6_rule_set="False" top_rule_set="True">
|
|
<PolicyRule id="id107593X8629" disabled="False" group="" log="False" position="0" action="Deny" direction="Outbound" comment="">
|
|
<Src neg="True">
|
|
<ObjectRef ref="net-Internal_net"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="stateless">True</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<PolicyRule id="id107576X8629" disabled="False" group="" log="False" position="1" action="Deny" direction="Inbound" comment="">
|
|
<Src neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Src>
|
|
<Dst neg="True">
|
|
<ObjectRef ref="net-Internal_net"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="stateless">True</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<PolicyRule id="id107559X8629" disabled="False" group="" log="False" position="2" action="Deny" direction="Inbound" comment="">
|
|
<Src neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Dst>
|
|
<Srv neg="True">
|
|
<ServiceRef ref="tcp-HTTP"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="stateless">True</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<PolicyRule id="id107542X8629" disabled="False" group="" log="False" position="3" action="Deny" direction="Inbound" comment="">
|
|
<Src neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Dst>
|
|
<Srv neg="True">
|
|
<ServiceRef ref="tcp-TCP-SYN"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="stateless">True</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<PolicyRule id="id107525X8629" disabled="False" group="" log="False" position="4" action="Deny" direction="Inbound" comment="">
|
|
<Src neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Dst>
|
|
<Srv neg="True">
|
|
<ServiceRef ref="icmp-Host_unreach"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="stateless">True</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<PolicyRule id="id107508X8629" disabled="False" group="" log="False" position="5" action="Deny" direction="Inbound" comment="">
|
|
<Src neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Dst>
|
|
<Srv neg="True">
|
|
<ServiceRef ref="icmp-Host_unreach"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="stateless">True</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<PolicyRule id="id107491X8629" disabled="False" group="" log="False" position="6" action="Deny" direction="Inbound" comment="">
|
|
<Src neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Dst>
|
|
<Srv neg="True">
|
|
<ServiceRef ref="id3D703C8F"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="stateless">True</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<PolicyRule id="id107474X8629" disabled="False" group="" log="False" position="7" action="Deny" direction="Inbound" comment="">
|
|
<Src neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Dst>
|
|
<Srv neg="True">
|
|
<ServiceRef ref="id3E3747AF"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="stateless">True</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<PolicyRule id="id107457X8629" disabled="False" group="" log="False" position="8" action="Deny" direction="Both" comment="">
|
|
<Src neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Dst>
|
|
<Srv neg="True">
|
|
<ServiceRef ref="id43EC877332486"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="stateless">True</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<PolicyRule id="id107440X8629" disabled="False" group="" log="False" position="9" action="Deny" direction="Inbound" comment="Should use ! -i eth1 eventually ">
|
|
<Src neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="net-Internal_net"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="id3E3747AF"/>
|
|
</Srv>
|
|
<Itf neg="True">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="stateless">True</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<PolicyRule id="id107423X8629" disabled="False" group="" log="False" position="10" action="Deny" direction="Inbound" comment="Should use ! -i eth1 eventually ">
|
|
<Src neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="net-Internal_net"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="id3E3747AF"/>
|
|
</Srv>
|
|
<Itf neg="True">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="stateless">True</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<PolicyRule id="id107406X8629" disabled="False" group="" log="False" position="11" action="Deny" direction="Outbound" comment="Should use ! -i eth1 eventually ">
|
|
<Src neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="net-Internal_net"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="id3E3747AF"/>
|
|
</Srv>
|
|
<Itf neg="True">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="stateless">True</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<PolicyRule id="id107389X8629" disabled="False" group="" log="False" position="12" action="Deny" direction="Both" comment="Should use ! -i eth1 eventually ">
|
|
<Src neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="net-Internal_net"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="id3E3747AF"/>
|
|
</Srv>
|
|
<Itf neg="True">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="stateless">True</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<PolicyRule id="id107372X8629" disabled="False" group="" log="False" position="13" action="Deny" direction="Inbound" comment="Should use ! -i eth1 eventually ">
|
|
<Src neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="net-Internal_net"/>
|
|
</Dst>
|
|
<Srv neg="True">
|
|
<ServiceRef ref="id3E3747AF"/>
|
|
</Srv>
|
|
<Itf neg="True">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="stateless">True</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<PolicyRule id="id1080690X92250" disabled="False" group="" log="False" position="14" action="Deny" direction="Both" comment="">
|
|
<Src neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Dst>
|
|
<Srv neg="True">
|
|
<ServiceRef ref="id4849253720246"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="stateless">True</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<RuleSetOptions/>
|
|
</Policy>
|
|
<Routing id="id854449X92250" name="Routing" comment="" ro="False" ipv4_rule_set="False" ipv6_rule_set="False" top_rule_set="True">
|
|
<RuleSetOptions/>
|
|
</Routing>
|
|
<Interface id="id854450X92250" dedicated_failover="False" dyn="False" label="" mgmt="False" security_level="100" unnum="False" unprotected="False" name="eth0" comment="" ro="False">
|
|
<IPv4 id="id854452X92250" name="firewall72-1.4.3-delete:eth0:ip" comment="" ro="False" address="33.33.33.33" netmask="255.255.255.0"/>
|
|
<InterfaceOptions/>
|
|
</Interface>
|
|
<Interface id="id854453X92250" dedicated_failover="False" dyn="False" label="" mgmt="False" security_level="0" unnum="False" unprotected="False" name="eth1" comment="" ro="False">
|
|
<IPv4 id="id854455X92250" name="firewall72-1.4.3-delete:eth1:ip" comment="" ro="False" address="172.16.1.1" netmask="255.255.255.0"/>
|
|
<InterfaceOptions/>
|
|
</Interface>
|
|
<Management address="192.168.100.1">
|
|
<SNMPManagement enabled="False" snmp_read_community="" snmp_write_community=""/>
|
|
<FWBDManagement enabled="True" identity="" port="9999"/>
|
|
<PolicyInstallScript arguments="" command="" enabled="False"/>
|
|
</Management>
|
|
<FirewallOptions>
|
|
<Option name="accept_established">True</Option>
|
|
<Option name="accept_new_tcp_with_no_syn">True</Option>
|
|
<Option name="action_on_reject">ICMP host prohibited</Option>
|
|
<Option name="bridging_fw">False</Option>
|
|
<Option name="check_shading">True</Option>
|
|
<Option name="clamp_mss_to_mtu">False</Option>
|
|
<Option name="cmdline"/>
|
|
<Option name="compiler"/>
|
|
<Option name="configure_interfaces">True</Option>
|
|
<Option name="debug">False</Option>
|
|
<Option name="dyn_addr">False</Option>
|
|
<Option name="firewall_is_part_of_any_and_networks">True</Option>
|
|
<Option name="ignore_empty_groups">False</Option>
|
|
<Option name="limit_suffix">/day</Option>
|
|
<Option name="limit_value">0</Option>
|
|
<Option name="linux24_accept_redirects"/>
|
|
<Option name="linux24_accept_source_route"/>
|
|
<Option name="linux24_icmp_echo_ignore_all"/>
|
|
<Option name="linux24_icmp_echo_ignore_broadcasts"/>
|
|
<Option name="linux24_icmp_ignore_bogus_error_responses"/>
|
|
<Option name="linux24_ip_dynaddr"/>
|
|
<Option name="linux24_ip_forward"/>
|
|
<Option name="linux24_log_martians"/>
|
|
<Option name="linux24_path_ip"/>
|
|
<Option name="linux24_path_iptables"/>
|
|
<Option name="linux24_path_logger"/>
|
|
<Option name="linux24_path_lsmod"/>
|
|
<Option name="linux24_path_modprobe"/>
|
|
<Option name="linux24_rp_filter"/>
|
|
<Option name="linux24_tcp_ecn"/>
|
|
<Option name="linux24_tcp_fack"/>
|
|
<Option name="linux24_tcp_fin_timeout">30</Option>
|
|
<Option name="linux24_tcp_keepalive_interval">1800</Option>
|
|
<Option name="linux24_tcp_sack"/>
|
|
<Option name="linux24_tcp_syncookies"/>
|
|
<Option name="linux24_tcp_timestamps"/>
|
|
<Option name="linux24_tcp_window_scaling"/>
|
|
<Option name="load_modules">True</Option>
|
|
<Option name="local_nat">False</Option>
|
|
<Option name="log_all">False</Option>
|
|
<Option name="log_all_dropped">False</Option>
|
|
<Option name="log_ip_opt">False</Option>
|
|
<Option name="log_level">info</Option>
|
|
<Option name="log_prefix">RULE %N -- %A </Option>
|
|
<Option name="log_tcp_opt">False</Option>
|
|
<Option name="log_tcp_seq">False</Option>
|
|
<Option name="manage_virtual_addr">True</Option>
|
|
<Option name="no_optimisation">False</Option>
|
|
<Option name="script_env_path"/>
|
|
<Option name="snmp_contact"/>
|
|
<Option name="snmp_description"/>
|
|
<Option name="snmp_location"/>
|
|
<Option name="ulog_cprange">0</Option>
|
|
<Option name="ulog_nlgroup">1</Option>
|
|
<Option name="ulog_qthreshold">1</Option>
|
|
<Option name="use_ULOG">False</Option>
|
|
<Option name="use_numeric_log_levels">False</Option>
|
|
<Option name="verify_interfaces">False</Option>
|
|
</FirewallOptions>
|
|
</Firewall>
|
|
<Firewall id="id44530X92250" host_OS="linux24" inactive="False" lastCompiled="1247604231" lastInstalled="0" lastModified="1247615721" platform="iptables" version="1.4.3" name="firewall72-base" comment="This object is used to test all kinds of single-object negation in policy and NAT rules. It targets iptables version 1.4.3, which supports extrapositioned negation." ro="False">
|
|
<NAT id="id45091X92250" name="NAT" comment="" ro="False" ipv4_rule_set="False" ipv6_rule_set="False" top_rule_set="True">
|
|
<NATRule id="id45120X92250" disabled="False" group="" position="0" action="Translate" comment="">
|
|
<OSrc neg="True">
|
|
<ObjectRef ref="net-Internal_net"/>
|
|
</OSrc>
|
|
<ODst neg="False">
|
|
<ObjectRef ref="id3B19C5EB"/>
|
|
</ODst>
|
|
<OSrv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</OSrv>
|
|
<TSrc neg="False">
|
|
<ObjectRef ref="id3AFADBF9"/>
|
|
</TSrc>
|
|
<TDst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</TDst>
|
|
<TSrv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</TSrv>
|
|
<ItfInb neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ItfInb>
|
|
<ItfOutb neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ItfOutb>
|
|
<NATRuleOptions/>
|
|
</NATRule>
|
|
<NATRule id="id45134X92250" disabled="False" group="" position="1" action="Translate" comment="">
|
|
<OSrc neg="True">
|
|
<ObjectRef ref="net-Internal_net"/>
|
|
</OSrc>
|
|
<ODst neg="False">
|
|
<ObjectRef ref="id3B19C5EB"/>
|
|
</ODst>
|
|
<OSrv neg="False">
|
|
<ServiceRef ref="tcp-HTTP"/>
|
|
</OSrv>
|
|
<TSrc neg="False">
|
|
<ObjectRef ref="id3AFADBF9"/>
|
|
</TSrc>
|
|
<TDst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</TDst>
|
|
<TSrv neg="False">
|
|
<ServiceRef ref="tcp-HTTP"/>
|
|
</TSrv>
|
|
<ItfInb neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ItfInb>
|
|
<ItfOutb neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ItfOutb>
|
|
<NATRuleOptions/>
|
|
</NATRule>
|
|
<NATRule id="id45177X92250" disabled="False" group="" position="2" action="Translate" comment="">
|
|
<OSrc neg="False">
|
|
<ObjectRef ref="net-Internal_net"/>
|
|
</OSrc>
|
|
<ODst neg="True">
|
|
<ObjectRef ref="id3B022266"/>
|
|
</ODst>
|
|
<OSrv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</OSrv>
|
|
<TSrc neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</TSrc>
|
|
<TDst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</TDst>
|
|
<TSrv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</TSrv>
|
|
<ItfInb neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ItfInb>
|
|
<ItfOutb neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ItfOutb>
|
|
<NATRuleOptions/>
|
|
</NATRule>
|
|
<NATRule id="id45191X92250" disabled="False" group="" position="3" action="Translate" comment="">
|
|
<OSrc neg="False">
|
|
<ObjectRef ref="net-Internal_net"/>
|
|
</OSrc>
|
|
<ODst neg="True">
|
|
<ObjectRef ref="id3B022266"/>
|
|
</ODst>
|
|
<OSrv neg="False">
|
|
<ServiceRef ref="tcp-HTTP"/>
|
|
</OSrv>
|
|
<TSrc neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</TSrc>
|
|
<TDst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</TDst>
|
|
<TSrv neg="False">
|
|
<ServiceRef ref="tcp-HTTP"/>
|
|
</TSrv>
|
|
<ItfInb neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ItfInb>
|
|
<ItfOutb neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ItfOutb>
|
|
<NATRuleOptions/>
|
|
</NATRule>
|
|
<NATRule id="id45205X92250" disabled="False" group="" position="4" action="Translate" comment="">
|
|
<OSrc neg="False">
|
|
<ObjectRef ref="net-Internal_net"/>
|
|
</OSrc>
|
|
<ODst neg="True">
|
|
<ObjectRef ref="id3BBC0EFC"/>
|
|
</ODst>
|
|
<OSrv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</OSrv>
|
|
<TSrc neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</TSrc>
|
|
<TDst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</TDst>
|
|
<TSrv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</TSrv>
|
|
<ItfInb neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ItfInb>
|
|
<ItfOutb neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ItfOutb>
|
|
<NATRuleOptions/>
|
|
</NATRule>
|
|
<NATRule id="id45262X92250" disabled="False" group="" position="5" action="Translate" comment="">
|
|
<OSrc neg="False">
|
|
<ObjectRef ref="net-Internal_net"/>
|
|
</OSrc>
|
|
<ODst neg="True">
|
|
<ObjectRef ref="id3AFC191C"/>
|
|
</ODst>
|
|
<OSrv neg="False">
|
|
<ServiceRef ref="tcp-HTTP"/>
|
|
</OSrv>
|
|
<TSrc neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</TSrc>
|
|
<TDst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</TDst>
|
|
<TSrv neg="False">
|
|
<ServiceRef ref="id3B5009F7"/>
|
|
</TSrv>
|
|
<ItfInb neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ItfInb>
|
|
<ItfOutb neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ItfOutb>
|
|
<NATRuleOptions/>
|
|
</NATRule>
|
|
<RuleSetOptions/>
|
|
</NAT>
|
|
<Policy id="id44536X92250" name="fw72-base-policy" comment="" ro="False" ipv4_rule_set="True" ipv6_rule_set="False" top_rule_set="True">
|
|
<PolicyRule id="id44574X92250" disabled="False" group="" log="False" position="0" action="Deny" direction="Outbound" comment="">
|
|
<Src neg="True">
|
|
<ObjectRef ref="net-Internal_net"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="stateless">True</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<PolicyRule id="id150670X92250" disabled="False" group="" log="False" position="1" action="Deny" direction="Inbound" comment="">
|
|
<Src neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Src>
|
|
<Dst neg="True">
|
|
<ObjectRef ref="net-Internal_net"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="stateless">True</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<PolicyRule id="id44599X92250" disabled="False" group="" log="False" position="2" action="Deny" direction="Inbound" comment="">
|
|
<Src neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Dst>
|
|
<Srv neg="True">
|
|
<ServiceRef ref="tcp-HTTP"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="stateless">True</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<PolicyRule id="id150690X92250" disabled="False" group="" log="False" position="3" action="Deny" direction="Inbound" comment="">
|
|
<Src neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Dst>
|
|
<Srv neg="True">
|
|
<ServiceRef ref="tcp-TCP-SYN"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="stateless">True</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<PolicyRule id="id171783X92250" disabled="False" group="" log="False" position="4" action="Deny" direction="Inbound" comment="">
|
|
<Src neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Dst>
|
|
<Srv neg="True">
|
|
<ServiceRef ref="icmp-Host_unreach"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="stateless">True</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<PolicyRule id="id171746X92250" disabled="False" group="" log="False" position="5" action="Deny" direction="Inbound" comment="">
|
|
<Src neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Dst>
|
|
<Srv neg="True">
|
|
<ServiceRef ref="icmp-Host_unreach"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="stateless">True</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<PolicyRule id="id171764X92250" disabled="False" group="" log="False" position="6" action="Deny" direction="Inbound" comment="">
|
|
<Src neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Dst>
|
|
<Srv neg="True">
|
|
<ServiceRef ref="id3D703C8F"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="stateless">True</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<PolicyRule id="id709484X92250" disabled="False" group="" log="False" position="7" action="Deny" direction="Inbound" comment="">
|
|
<Src neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Dst>
|
|
<Srv neg="True">
|
|
<ServiceRef ref="id3E3747AF"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="stateless">True</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<PolicyRule id="id709502X92250" disabled="False" group="" log="False" position="8" action="Deny" direction="Both" comment="">
|
|
<Src neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Dst>
|
|
<Srv neg="True">
|
|
<ServiceRef ref="id43EC877332486"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="stateless">True</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<PolicyRule id="id44611X92250" disabled="False" group="" log="False" position="9" action="Deny" direction="Inbound" comment="">
|
|
<Src neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Dst>
|
|
<Srv neg="True">
|
|
<ServiceRef ref="id3E3747AF"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="stateless">True</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<PolicyRule id="id45295X8629" disabled="False" group="" log="False" position="10" action="Deny" direction="Inbound" comment="Should use ! -i eth1 eventually ">
|
|
<Src neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="net-Internal_net"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="id3E3747AF"/>
|
|
</Srv>
|
|
<Itf neg="True">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="stateless">True</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<PolicyRule id="id65906X8629" disabled="False" group="" log="False" position="11" action="Deny" direction="Outbound" comment="Should use ! -i eth1 eventually ">
|
|
<Src neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="net-Internal_net"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="id3E3747AF"/>
|
|
</Srv>
|
|
<Itf neg="True">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="stateless">True</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<PolicyRule id="id65923X8629" disabled="False" group="" log="False" position="12" action="Deny" direction="Both" comment="Should use ! -i eth1 eventually ">
|
|
<Src neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="net-Internal_net"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="id3E3747AF"/>
|
|
</Srv>
|
|
<Itf neg="True">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="stateless">True</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<PolicyRule id="id45312X8629" disabled="False" group="" log="False" position="13" action="Deny" direction="Inbound" comment="Should use ! -i eth1 eventually ">
|
|
<Src neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="net-Internal_net"/>
|
|
</Dst>
|
|
<Srv neg="True">
|
|
<ServiceRef ref="id3E3747AF"/>
|
|
</Srv>
|
|
<Itf neg="True">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="stateless">True</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<RuleSetOptions/>
|
|
</Policy>
|
|
<Routing id="id45366X92250" name="Routing" comment="" ro="False" ipv4_rule_set="False" ipv6_rule_set="False" top_rule_set="True">
|
|
<RuleSetOptions/>
|
|
</Routing>
|
|
<Interface id="id45367X92250" dedicated_failover="False" dyn="False" label="" mgmt="True" security_level="100" unnum="False" unprotected="False" name="eth0" comment="" ro="False">
|
|
<IPv4 id="id45369X92250" name="firewall72-base:eth0:ip" comment="" ro="False" address="192.168.1.1" netmask="255.255.255.0"/>
|
|
<InterfaceOptions/>
|
|
</Interface>
|
|
<Interface id="id45370X92250" dedicated_failover="False" dyn="False" security_level="0" unnum="False" unprotected="False" name="eth1" comment="" ro="False">
|
|
<IPv4 id="id45372X92250" name="firewall72-base:eth1:ip" comment="" ro="False" address="22.22.22.22" netmask="255.255.255.0"/>
|
|
<InterfaceOptions/>
|
|
</Interface>
|
|
<Interface id="id45376X92250" dedicated_failover="False" dyn="False" security_level="100" unnum="False" unprotected="False" name="lo" comment="" ro="False">
|
|
<IPv4 id="id45378X92250" name="firewall72-base:lo:ip" comment="" ro="False" address="127.0.0.1" netmask="255.0.0.0"/>
|
|
<InterfaceOptions/>
|
|
</Interface>
|
|
<Management address="192.168.1.1">
|
|
<SNMPManagement enabled="False" snmp_read_community="public" snmp_write_community=""/>
|
|
<FWBDManagement enabled="True" identity="" port="9999"/>
|
|
<PolicyInstallScript arguments="" command="" enabled="False"/>
|
|
</Management>
|
|
<FirewallOptions>
|
|
<Option name="accept_established">True</Option>
|
|
<Option name="accept_new_tcp_with_no_syn">True</Option>
|
|
<Option name="action_on_reject">ICMP net unreachable</Option>
|
|
<Option name="activationCmd"/>
|
|
<Option name="admUser"/>
|
|
<Option name="altAddress"/>
|
|
<Option name="bridging_fw">False</Option>
|
|
<Option name="check_shading">True</Option>
|
|
<Option name="clamp_mss_to_mtu">False</Option>
|
|
<Option name="cmdline"/>
|
|
<Option name="compiler"/>
|
|
<Option name="configure_interfaces">True</Option>
|
|
<Option name="debug">False</Option>
|
|
<Option name="drop_invalid">True</Option>
|
|
<Option name="dyn_addr">False</Option>
|
|
<Option name="epilog_script"/>
|
|
<Option name="firewall_dir"/>
|
|
<Option name="firewall_is_part_of_any">True</Option>
|
|
<Option name="firewall_is_part_of_any_and_networks">True</Option>
|
|
<Option name="ignore_empty_groups">False</Option>
|
|
<Option name="inst_cmdline"/>
|
|
<Option name="inst_script"/>
|
|
<Option name="install_script"/>
|
|
<Option name="ipt_mangle_only_rulesets"/>
|
|
<Option name="limit_suffix">/second</Option>
|
|
<Option name="limit_value">0</Option>
|
|
<Option name="linux24_accept_redirects"/>
|
|
<Option name="linux24_accept_source_route"/>
|
|
<Option name="linux24_icmp_echo_ignore_all"/>
|
|
<Option name="linux24_icmp_echo_ignore_broadcasts"/>
|
|
<Option name="linux24_icmp_ignore_bogus_error_responses"/>
|
|
<Option name="linux24_ip_dynaddr"/>
|
|
<Option name="linux24_ip_forward"/>
|
|
<Option name="linux24_log_martians"/>
|
|
<Option name="linux24_path_ip"/>
|
|
<Option name="linux24_path_iptables"/>
|
|
<Option name="linux24_path_logger"/>
|
|
<Option name="linux24_path_lsmod"/>
|
|
<Option name="linux24_path_modprobe"/>
|
|
<Option name="linux24_rp_filter"/>
|
|
<Option name="linux24_tcp_ecn"/>
|
|
<Option name="linux24_tcp_fack"/>
|
|
<Option name="linux24_tcp_fin_timeout">30</Option>
|
|
<Option name="linux24_tcp_keepalive_interval">1800</Option>
|
|
<Option name="linux24_tcp_sack"/>
|
|
<Option name="linux24_tcp_syncookies"/>
|
|
<Option name="linux24_tcp_timestamps"/>
|
|
<Option name="linux24_tcp_window_scaling"/>
|
|
<Option name="load_modules">False</Option>
|
|
<Option name="local_nat">False</Option>
|
|
<Option name="log_all">False</Option>
|
|
<Option name="log_all_dropped">False</Option>
|
|
<Option name="log_invalid">True</Option>
|
|
<Option name="log_ip_opt">False</Option>
|
|
<Option name="log_level">debug</Option>
|
|
<Option name="log_limit_suffix">/second</Option>
|
|
<Option name="log_limit_value">0</Option>
|
|
<Option name="log_prefix"/>
|
|
<Option name="log_tcp_opt">False</Option>
|
|
<Option name="log_tcp_seq">False</Option>
|
|
<Option name="manage_virtual_addr">True</Option>
|
|
<Option name="mgmt_addr"/>
|
|
<Option name="mgmt_ssh">False</Option>
|
|
<Option name="no_iochains_for_any">False</Option>
|
|
<Option name="no_optimisation">False</Option>
|
|
<Option name="output_file"/>
|
|
<Option name="platform">iptables</Option>
|
|
<Option name="prolog_place">after_interfaces</Option>
|
|
<Option name="prolog_script"/>
|
|
<Option name="proxy_arp">False</Option>
|
|
<Option name="script_env_path"/>
|
|
<Option name="snmp_contact"/>
|
|
<Option name="snmp_description"/>
|
|
<Option name="snmp_location"/>
|
|
<Option name="sshArgs"/>
|
|
<Option name="ulog_cprange">0</Option>
|
|
<Option name="ulog_nlgroup">1</Option>
|
|
<Option name="ulog_qthreshold">1</Option>
|
|
<Option name="use_ULOG">False</Option>
|
|
<Option name="use_ip_tool">False</Option>
|
|
<Option name="use_iptables_restore">False</Option>
|
|
<Option name="use_numeric_log_levels">False</Option>
|
|
<Option name="verify_interfaces">False</Option>
|
|
</FirewallOptions>
|
|
</Firewall>
|
|
<Interface id="id46852X38889" dedicated_failover="False" dyn="False" label="fw8:eth2" mgmt="True" security_level="100" unnum="False" unprotected="False" name="eth2" comment="" ro="False">
|
|
<IPv4 id="id46854X38889" name="firewall73:eth2:ip" comment="" ro="False" address="192.168.100.1" netmask="255.255.255.0"/>
|
|
<InterfaceOptions/>
|
|
</Interface>
|
|
<Interface id="id46855X38889" dedicated_failover="False" dyn="True" label="fw8:ppp0" mgmt="False" security_level="0" unnum="False" unprotected="False" name="ppp0" comment="" ro="False">
|
|
<InterfaceOptions/>
|
|
</Interface>
|
|
<IPv4 id="id48995X39861" name="Address" comment="" ro="False" address="0.0.0.0" netmask="0.0.0.0"/>
|
|
<Interface id="id48789X29790" dedicated_failover="False" dyn="True" label="" mgmt="False" security_level="0" unnum="False" unprotected="False" name="eth0.200" comment="VLAN interface" ro="False">
|
|
<InterfaceOptions/>
|
|
</Interface>
|
|
<IPv4 id="id50186X27203" name="fw2:eth3:0" comment="" ro="False" address="22.22.23.23" netmask="255.255.255.0"/>
|
|
<IPv4 id="id50187X27203" name="fw2:eth3:1" comment="" ro="False" address="22.22.25.50" netmask="255.255.255.0"/>
|
|
<IPv4 id="id433944X83572" name="firewall2-5:eth2:ip-1" comment="" ro="False" address="192.168.2.40" netmask="255.255.255.0"/>
|
|
<Interface id="id440C062D14846" dedicated_failover="False" dyn="False" label="" mgmt="False" security_level="100" unnum="False" unprotected="False" name="eth21" comment="this interface is part of the bridge" ro="False">
|
|
<InterfaceOptions/>
|
|
</Interface>
|
|
<Interface id="id440C063914846" dedicated_failover="False" dyn="False" label="" mgmt="False" security_level="100" unnum="False" unprotected="False" name="eth31" comment="" ro="False">
|
|
<InterfaceOptions/>
|
|
</Interface>
|
|
<IPv4 id="id2999494X89754" name="fw2:eth2:1" comment="" ro="False" address="192.168.2.1" netmask="255.255.255.0"/>
|
|
<IPv4 id="id2999495X89754" name="fw2:eth2:2" comment="" ro="False" address="192.168.2.40" netmask="255.255.255.0"/>
|
|
<Interface id="id2999483X89754" dedicated_failover="False" dyn="False" label="" mgmt="False" security_level="0" unnum="False" unprotected="False" name="eth3" comment="" ro="False">
|
|
<IPv4 id="id2999487X89754" name="fw2:eth3:0" comment="" ro="False" address="22.22.23.23" netmask="255.255.255.0"/>
|
|
<IPv4 id="id2999488X89754" name="fw2:eth3:1" comment="" ro="False" address="22.22.25.50" netmask="255.255.255.0"/>
|
|
<InterfaceOptions/>
|
|
</Interface>
|
|
<Firewall id="id2999465X89754" host_OS="linux24" inactive="False" lastCompiled="1251648690" lastInstalled="1142003872" lastModified="1270840550" platform="iptables" version="" name="firewall2-6" comment="this object has several interfaces and tests different SNAT rules. This object also has unnumbered interface ipsec0 " ro="False">
|
|
<NAT id="id2999876X89754" name="NAT" comment="" ro="False" ipv4_rule_set="False" ipv6_rule_set="False" top_rule_set="True">
|
|
<NATRule id="id2999877X89754" disabled="False" group="" position="0" action="Translate" comment="">
|
|
<OSrc neg="False">
|
|
<ObjectRef ref="net-Internal_net"/>
|
|
</OSrc>
|
|
<ODst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ODst>
|
|
<OSrv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</OSrv>
|
|
<TSrc neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</TSrc>
|
|
<TDst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</TDst>
|
|
<TSrv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</TSrv>
|
|
<ItfInb neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ItfInb>
|
|
<ItfOutb neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ItfOutb>
|
|
<NATRuleOptions>
|
|
<Option name="id"/>
|
|
</NATRuleOptions>
|
|
</NATRule>
|
|
<NATRule id="id2999891X89754" disabled="False" group="" position="1" action="Translate" comment="">
|
|
<OSrc neg="False">
|
|
<ObjectRef ref="net-Internal_net"/>
|
|
</OSrc>
|
|
<ODst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ODst>
|
|
<OSrv neg="False">
|
|
<ServiceRef ref="tcp-HTTP"/>
|
|
<ServiceRef ref="sg-Useful_ICMP"/>
|
|
</OSrv>
|
|
<TSrc neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</TSrc>
|
|
<TDst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</TDst>
|
|
<TSrv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</TSrv>
|
|
<ItfInb neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ItfInb>
|
|
<ItfOutb neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ItfOutb>
|
|
<NATRuleOptions>
|
|
<Option name="id"/>
|
|
</NATRuleOptions>
|
|
</NATRule>
|
|
<NATRule id="id2999906X89754" disabled="False" group="" position="2" action="Translate" comment="">
|
|
<OSrc neg="False">
|
|
<ObjectRef ref="net-Internal_net"/>
|
|
</OSrc>
|
|
<ODst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ODst>
|
|
<OSrv neg="False">
|
|
<ServiceRef ref="tcp-HTTP"/>
|
|
<ServiceRef ref="sg-Useful_ICMP"/>
|
|
<ServiceRef ref="ip-IPSEC"/>
|
|
<ServiceRef ref="id3F3E9EFC"/>
|
|
</OSrv>
|
|
<TSrc neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</TSrc>
|
|
<TDst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</TDst>
|
|
<TSrv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</TSrv>
|
|
<ItfInb neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ItfInb>
|
|
<ItfOutb neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ItfOutb>
|
|
<NATRuleOptions>
|
|
<Option name="id"/>
|
|
</NATRuleOptions>
|
|
</NATRule>
|
|
<NATRule id="id2999923X89754" disabled="False" group="" position="3" action="Translate" comment="">
|
|
<OSrc neg="False">
|
|
<ObjectRef ref="net-Internal_net"/>
|
|
</OSrc>
|
|
<ODst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ODst>
|
|
<OSrv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</OSrv>
|
|
<TSrc neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</TSrc>
|
|
<TDst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</TDst>
|
|
<TSrv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</TSrv>
|
|
<ItfInb neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ItfInb>
|
|
<ItfOutb neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ItfOutb>
|
|
<NATRuleOptions>
|
|
<Option name="id"/>
|
|
</NATRuleOptions>
|
|
</NATRule>
|
|
<NATRule id="id2999937X89754" disabled="False" group="" position="4" action="Translate" comment="">
|
|
<OSrc neg="False">
|
|
<ObjectRef ref="net-Internal_net"/>
|
|
</OSrc>
|
|
<ODst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ODst>
|
|
<OSrv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</OSrv>
|
|
<TSrc neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</TSrc>
|
|
<TDst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</TDst>
|
|
<TSrv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</TSrv>
|
|
<ItfInb neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ItfInb>
|
|
<ItfOutb neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ItfOutb>
|
|
<NATRuleOptions>
|
|
<Option name="id"/>
|
|
</NATRuleOptions>
|
|
</NATRule>
|
|
<NATRule id="id2999951X89754" disabled="False" group="" position="5" action="Translate" comment="">
|
|
<OSrc neg="False">
|
|
<ObjectRef ref="net-Internal_net"/>
|
|
</OSrc>
|
|
<ODst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ODst>
|
|
<OSrv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</OSrv>
|
|
<TSrc neg="False">
|
|
<ObjectRef ref="id48356E0A14854"/>
|
|
</TSrc>
|
|
<TDst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</TDst>
|
|
<TSrv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</TSrv>
|
|
<ItfInb neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ItfInb>
|
|
<ItfOutb neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ItfOutb>
|
|
<NATRuleOptions>
|
|
<Option name="id"/>
|
|
</NATRuleOptions>
|
|
</NATRule>
|
|
<NATRule id="id2999965X89754" disabled="False" group="" position="6" action="Translate" comment="">
|
|
<OSrc neg="False">
|
|
<ObjectRef ref="host-hostA"/>
|
|
</OSrc>
|
|
<ODst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ODst>
|
|
<OSrv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</OSrv>
|
|
<TSrc neg="False">
|
|
<ObjectRef ref="id3AFADBF9"/>
|
|
</TSrc>
|
|
<TDst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</TDst>
|
|
<TSrv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</TSrv>
|
|
<ItfInb neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ItfInb>
|
|
<ItfOutb neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ItfOutb>
|
|
<NATRuleOptions>
|
|
<Option name="id"/>
|
|
</NATRuleOptions>
|
|
</NATRule>
|
|
<NATRule id="id2999979X89754" disabled="False" group="" position="7" action="Translate" comment="">
|
|
<OSrc neg="False">
|
|
<ObjectRef ref="host-hostA"/>
|
|
</OSrc>
|
|
<ODst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ODst>
|
|
<OSrv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</OSrv>
|
|
<TSrc neg="False">
|
|
<ObjectRef ref="id3DE47B6C"/>
|
|
</TSrc>
|
|
<TDst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</TDst>
|
|
<TSrv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</TSrv>
|
|
<ItfInb neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ItfInb>
|
|
<ItfOutb neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ItfOutb>
|
|
<NATRuleOptions>
|
|
<Option name="id"/>
|
|
<Option name="ipt_nat_random">True</Option>
|
|
<Option name="ipt_snat_random">True</Option>
|
|
<Option name="ipt_use_snat_instead_of_masq">False</Option>
|
|
</NATRuleOptions>
|
|
</NATRule>
|
|
<NATRule id="id2999993X89754" disabled="False" group="" position="8" action="Translate" comment="">
|
|
<OSrc neg="False">
|
|
<ObjectRef ref="net-Internal_net"/>
|
|
</OSrc>
|
|
<ODst neg="False">
|
|
<ObjectRef ref="host-hostA"/>
|
|
<ObjectRef ref="id3D8FC56A"/>
|
|
</ODst>
|
|
<OSrv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</OSrv>
|
|
<TSrc neg="False">
|
|
<ObjectRef ref="id3AFC191C"/>
|
|
</TSrc>
|
|
<TDst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</TDst>
|
|
<TSrv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</TSrv>
|
|
<ItfInb neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ItfInb>
|
|
<ItfOutb neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ItfOutb>
|
|
<NATRuleOptions/>
|
|
</NATRule>
|
|
<NATRule id="id3000008X89754" disabled="False" group="" position="9" action="Translate" comment="">
|
|
<OSrc neg="False">
|
|
<ObjectRef ref="net-Internal_net"/>
|
|
</OSrc>
|
|
<ODst neg="False">
|
|
<ObjectRef ref="id3B022266"/>
|
|
</ODst>
|
|
<OSrv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</OSrv>
|
|
<TSrc neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</TSrc>
|
|
<TDst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</TDst>
|
|
<TSrv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</TSrv>
|
|
<ItfInb neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ItfInb>
|
|
<ItfOutb neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ItfOutb>
|
|
<NATRuleOptions/>
|
|
</NATRule>
|
|
<NATRule id="id3000022X89754" disabled="False" group="" position="10" action="Translate" comment="">
|
|
<OSrc neg="False">
|
|
<ObjectRef ref="net-Internal_net"/>
|
|
</OSrc>
|
|
<ODst neg="False">
|
|
<ObjectRef ref="id3B022266"/>
|
|
</ODst>
|
|
<OSrv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</OSrv>
|
|
<TSrc neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</TSrc>
|
|
<TDst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</TDst>
|
|
<TSrv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</TSrv>
|
|
<ItfInb neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ItfInb>
|
|
<ItfOutb neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ItfOutb>
|
|
<NATRuleOptions/>
|
|
</NATRule>
|
|
<NATRule id="id3000036X89754" disabled="False" group="" position="11" action="Translate" comment="">
|
|
<OSrc neg="False">
|
|
<ObjectRef ref="host-hostA"/>
|
|
<ObjectRef ref="host-hostB"/>
|
|
<ObjectRef ref="id3B4572AF"/>
|
|
</OSrc>
|
|
<ODst neg="False">
|
|
<ObjectRef ref="id3D151943"/>
|
|
<ObjectRef ref="id3D151947"/>
|
|
</ODst>
|
|
<OSrv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</OSrv>
|
|
<TSrc neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</TSrc>
|
|
<TDst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</TDst>
|
|
<TSrv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</TSrv>
|
|
<ItfInb neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ItfInb>
|
|
<ItfOutb neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ItfOutb>
|
|
<NATRuleOptions/>
|
|
</NATRule>
|
|
<NATRule id="id3000054X89754" disabled="False" group="" position="12" action="Translate" comment="">
|
|
<OSrc neg="False">
|
|
<ObjectRef ref="host-hostA"/>
|
|
<ObjectRef ref="host-hostB"/>
|
|
</OSrc>
|
|
<ODst neg="True">
|
|
<ObjectRef ref="id3D151943"/>
|
|
<ObjectRef ref="id3D151947"/>
|
|
</ODst>
|
|
<OSrv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</OSrv>
|
|
<TSrc neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</TSrc>
|
|
<TDst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</TDst>
|
|
<TSrv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</TSrv>
|
|
<ItfInb neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ItfInb>
|
|
<ItfOutb neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ItfOutb>
|
|
<NATRuleOptions/>
|
|
</NATRule>
|
|
<NATRule id="id3000070X89754" disabled="False" group="" position="13" action="Translate" comment="">
|
|
<OSrc neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</OSrc>
|
|
<ODst neg="False">
|
|
<ObjectRef ref="id3AFADBF9"/>
|
|
</ODst>
|
|
<OSrv neg="False">
|
|
<ServiceRef ref="tcp-HTTP"/>
|
|
<ServiceRef ref="tcp-NNTP"/>
|
|
<ServiceRef ref="sg-Useful_ICMP"/>
|
|
<ServiceRef ref="ip-IPSEC"/>
|
|
<ServiceRef ref="id3F3E9EFC"/>
|
|
</OSrv>
|
|
<TSrc neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</TSrc>
|
|
<TDst neg="False">
|
|
<ObjectRef ref="host-hostA"/>
|
|
</TDst>
|
|
<TSrv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</TSrv>
|
|
<ItfInb neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ItfInb>
|
|
<ItfOutb neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ItfOutb>
|
|
<NATRuleOptions/>
|
|
</NATRule>
|
|
<NATRule id="id3000088X89754" disabled="False" group="" position="14" action="Translate" comment="">
|
|
<OSrc neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</OSrc>
|
|
<ODst neg="False">
|
|
<ObjectRef ref="id3AFADBF9"/>
|
|
</ODst>
|
|
<OSrv neg="False">
|
|
<ServiceRef ref="tcp-HTTP"/>
|
|
<ServiceRef ref="tcp-NNTP"/>
|
|
<ServiceRef ref="sg-Useful_ICMP"/>
|
|
</OSrv>
|
|
<TSrc neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</TSrc>
|
|
<TDst neg="False">
|
|
<ObjectRef ref="host-hostA"/>
|
|
</TDst>
|
|
<TSrv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</TSrv>
|
|
<ItfInb neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ItfInb>
|
|
<ItfOutb neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ItfOutb>
|
|
<NATRuleOptions/>
|
|
</NATRule>
|
|
<NATRule id="id3000104X89754" disabled="False" group="" position="15" action="Translate" comment="">
|
|
<OSrc neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</OSrc>
|
|
<ODst neg="False">
|
|
<ObjectRef ref="id3AFADBF9"/>
|
|
</ODst>
|
|
<OSrv neg="False">
|
|
<ServiceRef ref="tcp-HTTP"/>
|
|
<ServiceRef ref="tcp-NNTP"/>
|
|
</OSrv>
|
|
<TSrc neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</TSrc>
|
|
<TDst neg="False">
|
|
<ObjectRef ref="host-hostA"/>
|
|
</TDst>
|
|
<TSrv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</TSrv>
|
|
<ItfInb neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ItfInb>
|
|
<ItfOutb neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ItfOutb>
|
|
<NATRuleOptions/>
|
|
</NATRule>
|
|
<NATRule id="id3000119X89754" disabled="False" group="" position="16" action="Translate" comment="">
|
|
<OSrc neg="False">
|
|
<ObjectRef ref="id3B19C5EB"/>
|
|
</OSrc>
|
|
<ODst neg="False">
|
|
<ObjectRef ref="id3AFADBF9"/>
|
|
</ODst>
|
|
<OSrv neg="False">
|
|
<ServiceRef ref="tcp-HTTP"/>
|
|
<ServiceRef ref="tcp-NNTP"/>
|
|
</OSrv>
|
|
<TSrc neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</TSrc>
|
|
<TDst neg="False">
|
|
<ObjectRef ref="host-hostA"/>
|
|
</TDst>
|
|
<TSrv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</TSrv>
|
|
<ItfInb neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ItfInb>
|
|
<ItfOutb neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ItfOutb>
|
|
<NATRuleOptions/>
|
|
</NATRule>
|
|
<NATRule id="id3000135X89754" disabled="True" group="" position="17" action="Translate" comment="">
|
|
<OSrc neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</OSrc>
|
|
<ODst neg="False">
|
|
<ObjectRef ref="id3AFADBF9"/>
|
|
</ODst>
|
|
<OSrv neg="False">
|
|
<ServiceRef ref="tcp-HTTP"/>
|
|
</OSrv>
|
|
<TSrc neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</TSrc>
|
|
<TDst neg="False">
|
|
<ObjectRef ref="host-hostA"/>
|
|
<ObjectRef ref="host-hostB"/>
|
|
</TDst>
|
|
<TSrv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</TSrv>
|
|
<ItfInb neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ItfInb>
|
|
<ItfOutb neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ItfOutb>
|
|
<NATRuleOptions/>
|
|
</NATRule>
|
|
<NATRule id="id3000150X89754" disabled="False" group="" position="18" action="Translate" comment="">
|
|
<OSrc neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</OSrc>
|
|
<ODst neg="False">
|
|
<ObjectRef ref="id3DE47B6C"/>
|
|
</ODst>
|
|
<OSrv neg="False">
|
|
<ServiceRef ref="tcp-HTTP"/>
|
|
<ServiceRef ref="tcp-NNTP"/>
|
|
</OSrv>
|
|
<TSrc neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</TSrc>
|
|
<TDst neg="False">
|
|
<ObjectRef ref="host-hostA"/>
|
|
</TDst>
|
|
<TSrv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</TSrv>
|
|
<ItfInb neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ItfInb>
|
|
<ItfOutb neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ItfOutb>
|
|
<NATRuleOptions/>
|
|
</NATRule>
|
|
<NATRule id="id3000165X89754" disabled="False" group="" position="19" action="Translate" comment="">
|
|
<OSrc neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</OSrc>
|
|
<ODst neg="False">
|
|
<ObjectRef ref="id3AFC0F70"/>
|
|
</ODst>
|
|
<OSrv neg="False">
|
|
<ServiceRef ref="tcp-NNTP"/>
|
|
</OSrv>
|
|
<TSrc neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</TSrc>
|
|
<TDst neg="False">
|
|
<ObjectRef ref="host-hostA"/>
|
|
</TDst>
|
|
<TSrv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</TSrv>
|
|
<ItfInb neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ItfInb>
|
|
<ItfOutb neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ItfOutb>
|
|
<NATRuleOptions/>
|
|
</NATRule>
|
|
<NATRule id="id3000179X89754" disabled="False" group="" position="20" action="Translate" comment="">
|
|
<OSrc neg="False">
|
|
<ObjectRef ref="host-hostB"/>
|
|
</OSrc>
|
|
<ODst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ODst>
|
|
<OSrv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</OSrv>
|
|
<TSrc neg="False">
|
|
<ObjectRef ref="id3BD6736B"/>
|
|
</TSrc>
|
|
<TDst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</TDst>
|
|
<TSrv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</TSrv>
|
|
<ItfInb neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ItfInb>
|
|
<ItfOutb neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ItfOutb>
|
|
<NATRuleOptions>
|
|
<Option name="id"/>
|
|
</NATRuleOptions>
|
|
</NATRule>
|
|
<NATRule id="id3000193X89754" disabled="False" group="" position="21" action="Translate" comment="">
|
|
<OSrc neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</OSrc>
|
|
<ODst neg="False">
|
|
<ObjectRef ref="id3BD6736B"/>
|
|
</ODst>
|
|
<OSrv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</OSrv>
|
|
<TSrc neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</TSrc>
|
|
<TDst neg="False">
|
|
<ObjectRef ref="host-hostB"/>
|
|
</TDst>
|
|
<TSrv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</TSrv>
|
|
<ItfInb neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ItfInb>
|
|
<ItfOutb neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ItfOutb>
|
|
<NATRuleOptions/>
|
|
</NATRule>
|
|
<NATRule id="id3000207X89754" disabled="False" group="" position="22" action="Translate" comment="">
|
|
<OSrc neg="False">
|
|
<ObjectRef ref="net-Internal_net"/>
|
|
</OSrc>
|
|
<ODst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ODst>
|
|
<OSrv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</OSrv>
|
|
<TSrc neg="False">
|
|
<ObjectRef ref="id4368AD8615884"/>
|
|
</TSrc>
|
|
<TDst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</TDst>
|
|
<TSrv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</TSrv>
|
|
<ItfInb neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ItfInb>
|
|
<ItfOutb neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ItfOutb>
|
|
<NATRuleOptions/>
|
|
</NATRule>
|
|
<NATRule id="id3000221X89754" disabled="False" group="" position="23" action="Translate" comment="NETMAP ">
|
|
<OSrc neg="False">
|
|
<ObjectRef ref="net-Internal_net"/>
|
|
</OSrc>
|
|
<ODst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ODst>
|
|
<OSrv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</OSrv>
|
|
<TSrc neg="False">
|
|
<ObjectRef ref="id3B665641"/>
|
|
</TSrc>
|
|
<TDst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</TDst>
|
|
<TSrv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</TSrv>
|
|
<ItfInb neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ItfInb>
|
|
<ItfOutb neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ItfOutb>
|
|
<NATRuleOptions/>
|
|
</NATRule>
|
|
<NATRule id="id3000235X89754" disabled="False" group="" position="24" action="Translate" comment="NETMAP">
|
|
<OSrc neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</OSrc>
|
|
<ODst neg="False">
|
|
<ObjectRef ref="id3B665641"/>
|
|
</ODst>
|
|
<OSrv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</OSrv>
|
|
<TSrc neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</TSrc>
|
|
<TDst neg="False">
|
|
<ObjectRef ref="net-Internal_net"/>
|
|
</TDst>
|
|
<TSrv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</TSrv>
|
|
<ItfInb neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ItfInb>
|
|
<ItfOutb neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ItfOutb>
|
|
<NATRuleOptions/>
|
|
</NATRule>
|
|
<NATRule id="id3000249X89754" disabled="False" group="" position="25" action="Translate" comment="">
|
|
<OSrc neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</OSrc>
|
|
<ODst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ODst>
|
|
<OSrv neg="False">
|
|
<ServiceRef ref="id3B20468D"/>
|
|
</OSrv>
|
|
<TSrc neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</TSrc>
|
|
<TDst neg="False">
|
|
<ObjectRef ref="host-hostA"/>
|
|
</TDst>
|
|
<TSrv neg="False">
|
|
<ServiceRef ref="id3B20468D"/>
|
|
</TSrv>
|
|
<ItfInb neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ItfInb>
|
|
<ItfOutb neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ItfOutb>
|
|
<NATRuleOptions/>
|
|
</NATRule>
|
|
<NATRule id="id3000263X89754" disabled="False" group="" position="26" action="Translate" comment="">
|
|
<OSrc neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</OSrc>
|
|
<ODst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ODst>
|
|
<OSrv neg="False">
|
|
<ServiceRef ref="tcp-HTTP"/>
|
|
</OSrv>
|
|
<TSrc neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</TSrc>
|
|
<TDst neg="False">
|
|
<ObjectRef ref="host-hostA"/>
|
|
</TDst>
|
|
<TSrv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</TSrv>
|
|
<ItfInb neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ItfInb>
|
|
<ItfOutb neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ItfOutb>
|
|
<NATRuleOptions/>
|
|
</NATRule>
|
|
<NATRule id="id3000278X89754" disabled="False" group="" position="27" action="Translate" comment="">
|
|
<OSrc neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</OSrc>
|
|
<ODst neg="False">
|
|
<ObjectRef ref="id3AFADBF9"/>
|
|
</ODst>
|
|
<OSrv neg="False">
|
|
<ServiceRef ref="tcp-HTTP"/>
|
|
</OSrv>
|
|
<TSrc neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</TSrc>
|
|
<TDst neg="False">
|
|
<ObjectRef ref="host-hostA"/>
|
|
</TDst>
|
|
<TSrv neg="False">
|
|
<ServiceRef ref="tcp-SMTP"/>
|
|
</TSrv>
|
|
<ItfInb neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ItfInb>
|
|
<ItfOutb neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ItfOutb>
|
|
<NATRuleOptions/>
|
|
</NATRule>
|
|
<NATRule id="id3000292X89754" disabled="False" group="" position="28" action="Translate" comment="">
|
|
<OSrc neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</OSrc>
|
|
<ODst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ODst>
|
|
<OSrv neg="False">
|
|
<ServiceRef ref="tcp-HTTP"/>
|
|
<ServiceRef ref="id3B4FED69"/>
|
|
</OSrv>
|
|
<TSrc neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</TSrc>
|
|
<TDst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</TDst>
|
|
<TSrv neg="False">
|
|
<ServiceRef ref="id3B4FF09A"/>
|
|
</TSrv>
|
|
<ItfInb neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ItfInb>
|
|
<ItfOutb neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ItfOutb>
|
|
<NATRuleOptions/>
|
|
</NATRule>
|
|
<NATRule id="id3000307X89754" disabled="False" group="" position="29" action="Translate" comment="">
|
|
<OSrc neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</OSrc>
|
|
<ODst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ODst>
|
|
<OSrv neg="False">
|
|
<ServiceRef ref="id3DDDE4E4"/>
|
|
</OSrv>
|
|
<TSrc neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</TSrc>
|
|
<TDst neg="False">
|
|
<ObjectRef ref="id3CEBFF26"/>
|
|
</TDst>
|
|
<TSrv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</TSrv>
|
|
<ItfInb neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ItfInb>
|
|
<ItfOutb neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ItfOutb>
|
|
<NATRuleOptions/>
|
|
</NATRule>
|
|
<NATRule id="id3000321X89754" disabled="False" group="" position="30" action="Translate" comment="">
|
|
<OSrc neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</OSrc>
|
|
<ODst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ODst>
|
|
<OSrv neg="False">
|
|
<ServiceRef ref="id3DDDE4E4"/>
|
|
</OSrv>
|
|
<TSrc neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</TSrc>
|
|
<TDst neg="False">
|
|
<ObjectRef ref="id3CD87A5E"/>
|
|
<ObjectRef ref="id3CD87A6D"/>
|
|
<ObjectRef ref="id3CD87A8B"/>
|
|
<ObjectRef ref="id3CD87A7C"/>
|
|
<ObjectRef ref="id3CD87A53"/>
|
|
</TDst>
|
|
<TSrv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</TSrv>
|
|
<ItfInb neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ItfInb>
|
|
<ItfOutb neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ItfOutb>
|
|
<NATRuleOptions/>
|
|
</NATRule>
|
|
<NATRule id="id3000339X89754" disabled="False" group="" position="31" action="Translate" comment="transparent proxy rule">
|
|
<OSrc neg="False">
|
|
<ObjectRef ref="net-Internal_net"/>
|
|
</OSrc>
|
|
<ODst neg="True">
|
|
<ObjectRef ref="id3AFADBF9"/>
|
|
</ODst>
|
|
<OSrv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</OSrv>
|
|
<TSrc neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</TSrc>
|
|
<TDst neg="False">
|
|
<ObjectRef ref="id3D151943"/>
|
|
</TDst>
|
|
<TSrv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</TSrv>
|
|
<ItfInb neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ItfInb>
|
|
<ItfOutb neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ItfOutb>
|
|
<NATRuleOptions/>
|
|
</NATRule>
|
|
<NATRule id="id3000353X89754" disabled="True" group="" position="32" action="Translate" comment="">
|
|
<OSrc neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</OSrc>
|
|
<ODst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ODst>
|
|
<OSrv neg="False">
|
|
<ServiceRef ref="id3DDDE4E4"/>
|
|
</OSrv>
|
|
<TSrc neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</TSrc>
|
|
<TDst neg="False">
|
|
<ObjectRef ref="host-hostA"/>
|
|
<ObjectRef ref="host-hostB"/>
|
|
</TDst>
|
|
<TSrv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</TSrv>
|
|
<ItfInb neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ItfInb>
|
|
<ItfOutb neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ItfOutb>
|
|
<NATRuleOptions/>
|
|
</NATRule>
|
|
<NATRule id="id3000368X89754" disabled="False" group="" position="33" action="Translate" comment="">
|
|
<OSrc neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</OSrc>
|
|
<ODst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ODst>
|
|
<OSrv neg="False">
|
|
<ServiceRef ref="tcp-HTTP"/>
|
|
</OSrv>
|
|
<TSrc neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</TSrc>
|
|
<TDst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</TDst>
|
|
<TSrv neg="False">
|
|
<ServiceRef ref="id3DDDE4E4"/>
|
|
</TSrv>
|
|
<ItfInb neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ItfInb>
|
|
<ItfOutb neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ItfOutb>
|
|
<NATRuleOptions/>
|
|
</NATRule>
|
|
<NATRule id="id3000382X89754" disabled="False" group="" position="34" action="Translate" comment="">
|
|
<OSrc neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</OSrc>
|
|
<ODst neg="False">
|
|
<ObjectRef ref="host-hostA"/>
|
|
</ODst>
|
|
<OSrv neg="False">
|
|
<ServiceRef ref="tcp-HTTP"/>
|
|
</OSrv>
|
|
<TSrc neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</TSrc>
|
|
<TDst neg="False">
|
|
<ObjectRef ref="host-hostA"/>
|
|
</TDst>
|
|
<TSrv neg="False">
|
|
<ServiceRef ref="id3DDDE4E4"/>
|
|
</TSrv>
|
|
<ItfInb neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ItfInb>
|
|
<ItfOutb neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ItfOutb>
|
|
<NATRuleOptions/>
|
|
</NATRule>
|
|
<NATRule id="id3000396X89754" disabled="False" group="" position="35" action="Translate" comment="">
|
|
<OSrc neg="False">
|
|
<ObjectRef ref="host-hostA"/>
|
|
</OSrc>
|
|
<ODst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ODst>
|
|
<OSrv neg="False">
|
|
<ServiceRef ref="tcp-HTTP"/>
|
|
</OSrv>
|
|
<TSrc neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</TSrc>
|
|
<TDst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</TDst>
|
|
<TSrv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</TSrv>
|
|
<ItfInb neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ItfInb>
|
|
<ItfOutb neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ItfOutb>
|
|
<NATRuleOptions/>
|
|
</NATRule>
|
|
<NATRule id="id3000410X89754" disabled="False" group="" position="36" action="Translate" comment="">
|
|
<OSrc neg="True">
|
|
<ObjectRef ref="host-hostA"/>
|
|
</OSrc>
|
|
<ODst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ODst>
|
|
<OSrv neg="False">
|
|
<ServiceRef ref="tcp-HTTP"/>
|
|
</OSrv>
|
|
<TSrc neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</TSrc>
|
|
<TDst neg="False">
|
|
<ObjectRef ref="host-hostA"/>
|
|
</TDst>
|
|
<TSrv neg="False">
|
|
<ServiceRef ref="id3B4FF09A"/>
|
|
</TSrv>
|
|
<ItfInb neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ItfInb>
|
|
<ItfOutb neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ItfOutb>
|
|
<NATRuleOptions/>
|
|
</NATRule>
|
|
<NATRule id="id3000424X89754" disabled="False" group="" position="37" action="Translate" comment="">
|
|
<OSrc neg="True">
|
|
<ObjectRef ref="id3B4572AF"/>
|
|
</OSrc>
|
|
<ODst neg="True">
|
|
<ObjectRef ref="id40F195D2"/>
|
|
</ODst>
|
|
<OSrv neg="False">
|
|
<ServiceRef ref="tcp-HTTP"/>
|
|
</OSrv>
|
|
<TSrc neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</TSrc>
|
|
<TDst neg="False">
|
|
<ObjectRef ref="id40F195D2"/>
|
|
</TDst>
|
|
<TSrv neg="False">
|
|
<ServiceRef ref="id3B4FF09A"/>
|
|
</TSrv>
|
|
<ItfInb neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ItfInb>
|
|
<ItfOutb neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ItfOutb>
|
|
<NATRuleOptions/>
|
|
</NATRule>
|
|
<NATRule id="id3000438X89754" disabled="False" group="" position="38" action="Translate" comment="">
|
|
<OSrc neg="True">
|
|
<ObjectRef ref="id3B4572AF"/>
|
|
</OSrc>
|
|
<ODst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ODst>
|
|
<OSrv neg="True">
|
|
<ServiceRef ref="tcp-HTTP"/>
|
|
</OSrv>
|
|
<TSrc neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</TSrc>
|
|
<TDst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</TDst>
|
|
<TSrv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</TSrv>
|
|
<ItfInb neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ItfInb>
|
|
<ItfOutb neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ItfOutb>
|
|
<NATRuleOptions/>
|
|
</NATRule>
|
|
<NATRule id="id3000452X89754" disabled="False" group="" position="39" action="Translate" comment="">
|
|
<OSrc neg="False">
|
|
<ObjectRef ref="net-Internal_net"/>
|
|
</OSrc>
|
|
<ODst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ODst>
|
|
<OSrv neg="False">
|
|
<ServiceRef ref="tcp-HTTP"/>
|
|
</OSrv>
|
|
<TSrc neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</TSrc>
|
|
<TDst neg="False">
|
|
<ObjectRef ref="host-hostA"/>
|
|
</TDst>
|
|
<TSrv neg="False">
|
|
<ServiceRef ref="id3B4FF09A"/>
|
|
</TSrv>
|
|
<ItfInb neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ItfInb>
|
|
<ItfOutb neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ItfOutb>
|
|
<NATRuleOptions/>
|
|
</NATRule>
|
|
<NATRule id="id3000466X89754" disabled="False" group="" position="40" action="Translate" comment="this is the &quot;exception&quot; rule used in support req. originally">
|
|
<OSrc neg="False">
|
|
<ObjectRef ref="id3B4572AF"/>
|
|
</OSrc>
|
|
<ODst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ODst>
|
|
<OSrv neg="False">
|
|
<ServiceRef ref="tcp-HTTP"/>
|
|
</OSrv>
|
|
<TSrc neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</TSrc>
|
|
<TDst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</TDst>
|
|
<TSrv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</TSrv>
|
|
<ItfInb neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ItfInb>
|
|
<ItfOutb neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ItfOutb>
|
|
<NATRuleOptions>
|
|
<Option name="color">#C08B5A</Option>
|
|
</NATRuleOptions>
|
|
</NATRule>
|
|
<NATRule id="id3000480X89754" disabled="False" group="" position="41" action="Translate" comment="">
|
|
<OSrc neg="False">
|
|
<ObjectRef ref="net-Internal_net"/>
|
|
</OSrc>
|
|
<ODst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ODst>
|
|
<OSrv neg="False">
|
|
<ServiceRef ref="tcp-HTTP"/>
|
|
</OSrv>
|
|
<TSrc neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</TSrc>
|
|
<TDst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</TDst>
|
|
<TSrv neg="False">
|
|
<ServiceRef ref="id3B4FF09A"/>
|
|
</TSrv>
|
|
<ItfInb neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ItfInb>
|
|
<ItfOutb neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ItfOutb>
|
|
<NATRuleOptions>
|
|
<Option name="color">#C08B5A</Option>
|
|
</NATRuleOptions>
|
|
</NATRule>
|
|
<NATRule id="id3000494X89754" disabled="False" group="" position="42" action="Translate" comment="&quot;exception&quot; rule in the pair from a support req.">
|
|
<OSrc neg="False">
|
|
<ObjectRef ref="id3B4572AF"/>
|
|
</OSrc>
|
|
<ODst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ODst>
|
|
<OSrv neg="False">
|
|
<ServiceRef ref="tcp-HTTP"/>
|
|
</OSrv>
|
|
<TSrc neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</TSrc>
|
|
<TDst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</TDst>
|
|
<TSrv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</TSrv>
|
|
<ItfInb neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ItfInb>
|
|
<ItfOutb neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ItfOutb>
|
|
<NATRuleOptions>
|
|
<Option name="color">#8BC065</Option>
|
|
</NATRuleOptions>
|
|
</NATRule>
|
|
<NATRule id="id3000508X89754" disabled="False" group="" position="43" action="Translate" comment="testing transparent proxy rules for a support req.">
|
|
<OSrc neg="True">
|
|
<ObjectRef ref="id3B4572AF"/>
|
|
</OSrc>
|
|
<ODst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ODst>
|
|
<OSrv neg="False">
|
|
<ServiceRef ref="tcp-HTTP"/>
|
|
</OSrv>
|
|
<TSrc neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</TSrc>
|
|
<TDst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</TDst>
|
|
<TSrv neg="False">
|
|
<ServiceRef ref="id3B4FF09A"/>
|
|
</TSrv>
|
|
<ItfInb neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ItfInb>
|
|
<ItfOutb neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ItfOutb>
|
|
<NATRuleOptions>
|
|
<Option name="color">#8BC065</Option>
|
|
</NATRuleOptions>
|
|
</NATRule>
|
|
<NATRule id="id3000522X89754" disabled="False" group="" position="44" action="Translate" comment="testing transparent proxy rules for a support req.">
|
|
<OSrc neg="True">
|
|
<ObjectRef ref="id3B4572AF"/>
|
|
</OSrc>
|
|
<ODst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ODst>
|
|
<OSrv neg="False">
|
|
<ServiceRef ref="tcp-HTTP"/>
|
|
</OSrv>
|
|
<TSrc neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</TSrc>
|
|
<TDst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</TDst>
|
|
<TSrv neg="False">
|
|
<ServiceRef ref="id3B4FF09A"/>
|
|
</TSrv>
|
|
<ItfInb neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ItfInb>
|
|
<ItfOutb neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ItfOutb>
|
|
<NATRuleOptions>
|
|
<Option name="color">#8BC065</Option>
|
|
</NATRuleOptions>
|
|
</NATRule>
|
|
<NATRule id="id3000536X89754" disabled="False" group="" position="45" action="Translate" comment="testing transparent proxy rules for a support req.">
|
|
<OSrc neg="True">
|
|
<ObjectRef ref="id3B4572AF"/>
|
|
</OSrc>
|
|
<ODst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ODst>
|
|
<OSrv neg="False">
|
|
<ServiceRef ref="tcp-HTTP"/>
|
|
</OSrv>
|
|
<TSrc neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</TSrc>
|
|
<TDst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</TDst>
|
|
<TSrv neg="False">
|
|
<ServiceRef ref="id3B4FF09A"/>
|
|
</TSrv>
|
|
<ItfInb neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ItfInb>
|
|
<ItfOutb neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ItfOutb>
|
|
<NATRuleOptions>
|
|
<Option name="color">#8BC065</Option>
|
|
</NATRuleOptions>
|
|
</NATRule>
|
|
<NATRule id="id3000550X89754" disabled="False" group="" position="46" action="Translate" comment="&quot;exception&quot; rule in the pair from a support req.">
|
|
<OSrc neg="False">
|
|
<ObjectRef ref="id3B4572AF"/>
|
|
</OSrc>
|
|
<ODst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ODst>
|
|
<OSrv neg="False">
|
|
<ServiceRef ref="tcp-HTTP"/>
|
|
</OSrv>
|
|
<TSrc neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</TSrc>
|
|
<TDst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</TDst>
|
|
<TSrv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</TSrv>
|
|
<ItfInb neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ItfInb>
|
|
<ItfOutb neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ItfOutb>
|
|
<NATRuleOptions>
|
|
<Option name="color">#C0BA44</Option>
|
|
</NATRuleOptions>
|
|
</NATRule>
|
|
<NATRule id="id3000564X89754" disabled="False" group="" position="47" action="Translate" comment="testing transparent proxy rules for a support req.">
|
|
<OSrc neg="True">
|
|
<ObjectRef ref="id3B4572AF"/>
|
|
</OSrc>
|
|
<ODst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ODst>
|
|
<OSrv neg="False">
|
|
<ServiceRef ref="tcp-HTTP"/>
|
|
</OSrv>
|
|
<TSrc neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</TSrc>
|
|
<TDst neg="False">
|
|
<ObjectRef ref="id40F195D2"/>
|
|
</TDst>
|
|
<TSrv neg="False">
|
|
<ServiceRef ref="id3B4FF09A"/>
|
|
</TSrv>
|
|
<ItfInb neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ItfInb>
|
|
<ItfOutb neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ItfOutb>
|
|
<NATRuleOptions>
|
|
<Option name="color">#C0BA44</Option>
|
|
</NATRuleOptions>
|
|
</NATRule>
|
|
<NATRule id="id3000578X89754" disabled="False" group="" position="48" action="Translate" comment="">
|
|
<OSrc neg="False">
|
|
<ObjectRef ref="net-Internal_net"/>
|
|
</OSrc>
|
|
<ODst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ODst>
|
|
<OSrv neg="False">
|
|
<ServiceRef ref="id69385X25753"/>
|
|
</OSrv>
|
|
<TSrc neg="False">
|
|
<ObjectRef ref="host-hostA"/>
|
|
</TSrc>
|
|
<TDst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</TDst>
|
|
<TSrv neg="False">
|
|
<ServiceRef ref="id69386X25753"/>
|
|
</TSrv>
|
|
<ItfInb neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ItfInb>
|
|
<ItfOutb neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ItfOutb>
|
|
<NATRuleOptions/>
|
|
</NATRule>
|
|
<RuleSetOptions/>
|
|
</NAT>
|
|
<Policy id="id2999502X89754" name="Policy" comment="" ro="False" ipv4_rule_set="False" ipv6_rule_set="False" top_rule_set="True">
|
|
<RuleSetOptions/>
|
|
</Policy>
|
|
<Routing id="id3000593X89754" name="Routing" comment="" ro="False" ipv4_rule_set="False" ipv6_rule_set="False" top_rule_set="True">
|
|
<RuleSetOptions/>
|
|
</Routing>
|
|
<Interface id="id2999473X89754" dedicated_failover="False" dyn="False" label="" mgmt="True" security_level="100" unnum="False" unprotected="False" name="eth0" comment="" ro="False">
|
|
<IPv4 id="id2999476X89754" name="fw2:eth0:ip - internal" comment="" ro="False" address="192.168.1.1" netmask="255.255.255.0"/>
|
|
<InterfaceOptions/>
|
|
</Interface>
|
|
<Interface id="id2999478X89754" dedicated_failover="False" dyn="False" security_level="0" unnum="False" unprotected="False" name="eth1" comment="" ro="False">
|
|
<IPv4 id="id2999481X89754" name="fw2:eth1:ip - external" comment="" ro="False" address="22.22.22.22" netmask="255.255.255.0"/>
|
|
<InterfaceOptions/>
|
|
</Interface>
|
|
<Interface id="id2999490X89754" dedicated_failover="False" dyn="False" label="" mgmt="False" security_level="100" unnum="True" unprotected="False" name="ipsec0" comment="" ro="False">
|
|
<InterfaceOptions/>
|
|
</Interface>
|
|
<Interface id="id2999497X89754" dedicated_failover="False" dyn="False" label="" security_level="100" unnum="False" unprotected="False" name="lo" comment="" ro="False">
|
|
<IPv4 id="id2999500X89754" name="address" comment="" ro="False" address="127.0.0.1" netmask="255.0.0.0"/>
|
|
<InterfaceOptions/>
|
|
</Interface>
|
|
<Management address="192.168.1.1">
|
|
<SNMPManagement enabled="False" snmp_read_community="public" snmp_write_community=""/>
|
|
<FWBDManagement enabled="True" identity="" port="9999"/>
|
|
<PolicyInstallScript arguments="" command="" enabled="False"/>
|
|
</Management>
|
|
<FirewallOptions>
|
|
<Option name="accept_established">True</Option>
|
|
<Option name="accept_new_tcp_with_no_syn">False</Option>
|
|
<Option name="action_on_reject">ICMP net unreachable</Option>
|
|
<Option name="activationCmd"/>
|
|
<Option name="admUser"/>
|
|
<Option name="altAddress"/>
|
|
<Option name="bridging_fw">False</Option>
|
|
<Option name="check_shading">True</Option>
|
|
<Option name="clamp_mss_to_mtu">True</Option>
|
|
<Option name="classify_mark_terminating">False</Option>
|
|
<Option name="cmdline">-xt</Option>
|
|
<Option name="compiler"/>
|
|
<Option name="configure_interfaces">True</Option>
|
|
<Option name="debug">False</Option>
|
|
<Option name="drop_invalid">True</Option>
|
|
<Option name="dyn_addr">False</Option>
|
|
<Option name="epilog_script"/>
|
|
<Option name="firewall_dir"/>
|
|
<Option name="firewall_is_part_of_any">True</Option>
|
|
<Option name="firewall_is_part_of_any_and_networks">True</Option>
|
|
<Option name="id"/>
|
|
<Option name="ignore_empty_groups">False</Option>
|
|
<Option name="inst_cmdline"/>
|
|
<Option name="inst_script"/>
|
|
<Option name="install_script"/>
|
|
<Option name="ipv4_6_order">ipv4_first</Option>
|
|
<Option name="limit_suffix">/second</Option>
|
|
<Option name="limit_value">5</Option>
|
|
<Option name="linux24_accept_redirects">0</Option>
|
|
<Option name="linux24_accept_source_route">0</Option>
|
|
<Option name="linux24_icmp_echo_ignore_all">1</Option>
|
|
<Option name="linux24_icmp_echo_ignore_broadcasts"/>
|
|
<Option name="linux24_icmp_ignore_bogus_error_responses">1</Option>
|
|
<Option name="linux24_ip_dynaddr"/>
|
|
<Option name="linux24_ip_forward">1</Option>
|
|
<Option name="linux24_log_martians">1</Option>
|
|
<Option name="linux24_path_ip"/>
|
|
<Option name="linux24_path_iptables"/>
|
|
<Option name="linux24_path_logger"/>
|
|
<Option name="linux24_path_lsmod"/>
|
|
<Option name="linux24_path_modprobe"/>
|
|
<Option name="linux24_rp_filter">1</Option>
|
|
<Option name="linux24_tcp_ecn"/>
|
|
<Option name="linux24_tcp_fack"/>
|
|
<Option name="linux24_tcp_fin_timeout">30</Option>
|
|
<Option name="linux24_tcp_keepalive_interval">1800</Option>
|
|
<Option name="linux24_tcp_sack"/>
|
|
<Option name="linux24_tcp_syncookies"/>
|
|
<Option name="linux24_tcp_timestamps"/>
|
|
<Option name="linux24_tcp_window_scaling"/>
|
|
<Option name="load_modules">False</Option>
|
|
<Option name="local_nat">True</Option>
|
|
<Option name="log_all">False</Option>
|
|
<Option name="log_all_dropped">True</Option>
|
|
<Option name="log_invalid">True</Option>
|
|
<Option name="log_ip_opt">False</Option>
|
|
<Option name="log_level">debug</Option>
|
|
<Option name="log_limit_suffix">/second</Option>
|
|
<Option name="log_limit_value">0</Option>
|
|
<Option name="log_prefix">RULE %N - %A **</Option>
|
|
<Option name="log_tcp_opt">False</Option>
|
|
<Option name="log_tcp_seq">False</Option>
|
|
<Option name="manage_virtual_addr">True</Option>
|
|
<Option name="mgmt_addr"/>
|
|
<Option name="mgmt_ssh">False</Option>
|
|
<Option name="no_iochains_for_any">False</Option>
|
|
<Option name="no_ipv6_default_policy">False</Option>
|
|
<Option name="no_optimisation">False</Option>
|
|
<Option name="output_file"/>
|
|
<Option name="platform">iptables</Option>
|
|
<Option name="prolog_place">after_flush</Option>
|
|
<Option name="prolog_script"/>
|
|
<Option name="proxy_arp">True</Option>
|
|
<Option name="scpArgs"/>
|
|
<Option name="script_env_path"/>
|
|
<Option name="snmp_contact"/>
|
|
<Option name="snmp_description"/>
|
|
<Option name="snmp_location"/>
|
|
<Option name="sshArgs"/>
|
|
<Option name="ulog_cprange">0</Option>
|
|
<Option name="ulog_nlgroup">1</Option>
|
|
<Option name="ulog_qthreshold">1</Option>
|
|
<Option name="useULOG">False</Option>
|
|
<Option name="use_ULOG">True</Option>
|
|
<Option name="use_ip_tool">True</Option>
|
|
<Option name="use_iptables_restore">False</Option>
|
|
<Option name="use_numeric_log_levels">False</Option>
|
|
<Option name="verify_interfaces">False</Option>
|
|
</FirewallOptions>
|
|
</Firewall>
|
|
<Policy id="id2843857X67928" name="Policy_3" comment="" ro="False" ipv4_rule_set="False" ipv6_rule_set="False" top_rule_set="False">
|
|
<PolicyRule id="id2843931X67928" disabled="False" position="0" direction="Outbound" action="Continue" log="True" comment="" group="">
|
|
<Src neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="id43BB817C9745"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="action_on_reject"/>
|
|
<Option name="classify_str"/>
|
|
<Option name="custom_str"/>
|
|
<Option name="ipf_route_opt_addr"/>
|
|
<Option name="ipf_route_opt_if"/>
|
|
<Option name="ipf_route_option">route_through</Option>
|
|
<Option name="ipfw_classify_method">2</Option>
|
|
<Option name="ipfw_pipe_port_num">0</Option>
|
|
<Option name="ipfw_pipe_queue_num">0</Option>
|
|
<Option name="ipt_continue">False</Option>
|
|
<Option name="ipt_gw"/>
|
|
<Option name="ipt_iif"/>
|
|
<Option name="ipt_mark_connections">False</Option>
|
|
<Option name="ipt_oif"/>
|
|
<Option name="ipt_tee">False</Option>
|
|
<Option name="pf_fastroute">False</Option>
|
|
<Option name="pf_route_load_option">none</Option>
|
|
<Option name="pf_route_opt_addr"/>
|
|
<Option name="pf_route_opt_if"/>
|
|
<Option name="pf_route_option">none</Option>
|
|
<Option name="rule_name_accounting"/>
|
|
<Option name="stateless">False</Option>
|
|
<Option name="tagobject_id">id449328D924380</Option>
|
|
<Option name="tagging">True</Option>
|
|
<Option name="classification">False</Option>
|
|
<Option name="routing">False</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<RuleSetOptions/>
|
|
</Policy>
|
|
<Policy id="id711459X72329" name="Policy_3_mangle_only" comment="" ro="False" ipv4_rule_set="True" ipv6_rule_set="False" top_rule_set="False">
|
|
<PolicyRule id="id711461X72329" disabled="False" position="0" direction="Outbound" action="Continue" log="True" comment="" group="">
|
|
<Src neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="id43BB817C9745"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="action_on_reject"/>
|
|
<Option name="classify_str"/>
|
|
<Option name="custom_str"/>
|
|
<Option name="ipf_route_opt_addr"/>
|
|
<Option name="ipf_route_opt_if"/>
|
|
<Option name="ipf_route_option">route_through</Option>
|
|
<Option name="ipfw_classify_method">2</Option>
|
|
<Option name="ipfw_pipe_port_num">0</Option>
|
|
<Option name="ipfw_pipe_queue_num">0</Option>
|
|
<Option name="ipt_continue">False</Option>
|
|
<Option name="ipt_gw"/>
|
|
<Option name="ipt_iif"/>
|
|
<Option name="ipt_mark_connections">False</Option>
|
|
<Option name="ipt_oif"/>
|
|
<Option name="ipt_tee">False</Option>
|
|
<Option name="pf_fastroute">False</Option>
|
|
<Option name="pf_route_load_option">none</Option>
|
|
<Option name="pf_route_opt_addr"/>
|
|
<Option name="pf_route_opt_if"/>
|
|
<Option name="pf_route_option">none</Option>
|
|
<Option name="rule_name_accounting"/>
|
|
<Option name="stateless">False</Option>
|
|
<Option name="tagobject_id">id449328D924380</Option>
|
|
<Option name="tagging">True</Option>
|
|
<Option name="classification">False</Option>
|
|
<Option name="routing">False</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<RuleSetOptions>
|
|
<Option name="mangle_only_rule_set">True</Option>
|
|
</RuleSetOptions>
|
|
</Policy>
|
|
<Policy id="id54793X99373" name="fw71_policy_2" comment="" ro="False" ipv4_rule_set="True" ipv6_rule_set="False" top_rule_set="False">
|
|
<PolicyRule id="id54794X99373" disabled="False" group="" log="True" position="0" action="Deny" direction="Both" comment="">
|
|
<Src neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="stateless">True</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<RuleSetOptions/>
|
|
</Policy>
|
|
<Policy id="id54807X99373" name="mangle_ruleset" comment="Pure mangle rule set. Checking that there will be only one COMMIT" ro="False" ipv4_rule_set="False" ipv6_rule_set="False" top_rule_set="False">
|
|
<RuleSetOptions/>
|
|
</Policy>
|
|
<IPv4 id="id58766X17179" name="firewall93:eth0:ip-1" comment="" ro="False" address="0.0.0.0" netmask="0.0.0.0"/>
|
|
<IPv4 id="id1908543X19416" name="firewall2-7:eth1:ip" comment="" ro="False" address="222.222.222.222" netmask="255.255.255.0"/>
|
|
<Interface id="id1908540X19416" dedicated_failover="False" dyn="False" security_level="0" unnum="False" unprotected="False" name="eth1" comment="" ro="False">
|
|
<InterfaceOptions/>
|
|
</Interface>
|
|
<Policy id="id464C29A83999" name="rule0_branch" comment="" ro="False" ipv4_rule_set="False" ipv6_rule_set="False" top_rule_set="False">
|
|
<RuleSetOptions/>
|
|
</Policy>
|
|
<Policy id="id464C29BA3999" name="rule1_branch" comment="" ro="False" ipv4_rule_set="False" ipv6_rule_set="False" top_rule_set="False">
|
|
<RuleSetOptions/>
|
|
</Policy>
|
|
<Policy id="id464C29CC3999" name="rule2_branch" comment="" ro="False" ipv4_rule_set="False" ipv6_rule_set="False" top_rule_set="False">
|
|
<RuleSetOptions/>
|
|
</Policy>
|
|
<Policy id="id464C58AC3999" name="rule3_branch" comment="" ro="False" ipv4_rule_set="False" ipv6_rule_set="False" top_rule_set="False">
|
|
<RuleSetOptions/>
|
|
</Policy>
|
|
<Policy id="id464C29DE3999" name="rule3_branch" comment="" ro="False" ipv4_rule_set="False" ipv6_rule_set="False" top_rule_set="False">
|
|
<RuleSetOptions/>
|
|
</Policy>
|
|
<Policy id="id464C58BE3999" name="rule3_branch" comment="" ro="False" ipv4_rule_set="False" ipv6_rule_set="False" top_rule_set="False">
|
|
<RuleSetOptions/>
|
|
</Policy>
|
|
<Policy id="id464C29F03999" name="rule4_branch" comment="" ro="False" ipv4_rule_set="False" ipv6_rule_set="False" top_rule_set="False">
|
|
<RuleSetOptions/>
|
|
</Policy>
|
|
<Policy id="id464C2A023999" name="rule5_branch" comment="" ro="False" ipv4_rule_set="False" ipv6_rule_set="False" top_rule_set="False">
|
|
<RuleSetOptions/>
|
|
</Policy>
|
|
<Interface id="id99413X18910" dedicated_failover="False" dyn="False" security_level="0" unnum="False" unprotected="False" name="Interface" comment="" ro="False">
|
|
<InterfaceOptions/>
|
|
</Interface>
|
|
</Library>
|
|
<Library id="syslib001" color="#d2ffd0" name="User" comment="User defined objects" ro="False">
|
|
<ObjectGroup id="stdid01_1_clusters" name="Clusters" comment="" ro="False"/>
|
|
<ObjectGroup id="stdid01_1" name="Objects" comment="" ro="False">
|
|
<ObjectGroup id="stdid01_1_og_ats_1" name="Address Tables" comment="" ro="False">
|
|
<AddressTable id="id4385C1081434" filename="addr-table-1.tbl" run_time="False" name="addrtbl 1" comment="" ro="False"/>
|
|
<AddressTable id="id4389EE9018346" filename="addr-table-1.tbl" run_time="False" name="addr-table-1" comment="" ro="False"/>
|
|
<AddressTable id="id4389EE9118346" filename="block-hosts.tbl" run_time="True" name="block these" comment="this is run-time table" ro="False"/>
|
|
<AddressTable id="id44F7056328576" filename="addr-table-1.tbl" run_time="True" name="atbl.1" comment="the name contains a character that is special to the shell" ro="False"/>
|
|
<AddressTable id="id459673BE7794" filename="emtpy-table.tbl" run_time="False" name="empty table" comment="" ro="False"/>
|
|
<AddressTable id="id50108X1683" filename="this_table_does_not_exist.tbl" run_time="False" name="missing table" comment="" ro="False"/>
|
|
<AddressTable id="id89715X31706" filename="addr-table-1.tbl" run_time="True" name="addr-table-1:a" comment="some invalid characters in the name" ro="False"/>
|
|
</ObjectGroup>
|
|
<ObjectGroup id="stdid01_1_og_dnsn_1" name="DNS Names" comment="" ro="False">
|
|
<DNSName id="id43869E8C18346" dnsrec="www.cnn.com" dnsrectype="A" run_time="False" name="cnn (ct)" comment="" ro="False"/>
|
|
<DNSName id="id43869E8D18346" dnsrec="www.cnn.com" dnsrectype="A" run_time="True" name="cnn (rt)" comment="" ro="False"/>
|
|
<DNSName id="id43869E8E18346" dnsrec="buildmaster" dnsrectype="A" run_time="False" name="buildmaster (ct)" comment="an example of a local host" ro="False"/>
|
|
<DNSName id="id43869E8F18346" dnsrec="buildmaster" dnsrectype="A" run_time="True" name="buildmaster (rt)" comment="an example of a local host" ro="False"/>
|
|
<DNSName id="id4387287918346" dnsrec="www.google.com" dnsrectype="A" run_time="False" name="google (ct)" comment="" ro="False"/>
|
|
<DNSName id="id4387287A18346" dnsrec="www.google.com" dnsrectype="A" run_time="True" name="google (rt)" comment="" ro="False"/>
|
|
<DNSName id="id44EC181D8791" dnsrec="www.heise.de" dnsrectype="A" run_time="True" name="heise" comment="" ro="False"/>
|
|
<DNSName id="id30878X4903" dnsrec="6bone.net" dnsrectype="A" run_time="False" name="6bone.net (ct)" comment="there are both A and AAAA records for this name " ro="False"/>
|
|
<DNSName id="id44749X4903" dnsrec="6bone.net" dnsrectype="A" run_time="True" name="6bone.net (rt)" comment="there are both A and AAAA records for this name " ro="False"/>
|
|
<DNSName id="id44910X6795" dnsrec="ny6ix.net" dnsrectype="A" run_time="False" name="ny6ix.net (ct)" comment="" ro="False"/>
|
|
<DNSName id="id44911X6795" dnsrec="ny6ix.net" dnsrectype="A" run_time="True" name="ny6ix.net (rt)" comment="" ro="False"/>
|
|
<DNSName id="id50136X10982" dnsrec="does_not_resolve.local" dnsrectype="A" run_time="False" name="does not resolve" comment="" ro="False"/>
|
|
</ObjectGroup>
|
|
<ObjectGroup id="stdid16_1" name="Addresses" comment="" ro="False">
|
|
<IPv4 id="id417B3641" name="net_address" comment="" ro="False" address="192.168.1.0" netmask="255.255.255.255"/>
|
|
<IPv4 id="id4388C37D674" name="sapmhost1" comment="" ro="False" address="61.150.47.112" netmask="255.255.255.255"/>
|
|
<IPv4 id="id44C0695713221" name="this_host" comment="" ro="False" address="0.0.0.0" netmask="255.255.255.255"/>
|
|
<IPv4 id="id44F7082928576" name="some address" comment="" ro="False" address="1.1.1.1" netmask="255.255.255.255"/>
|
|
<IPv4 id="id45D61A0923626" name="VRRP" comment="" ro="False" address="224.0.0.18" netmask="255.255.255.255"/>
|
|
<IPv6 id="id483426D06131" name="ipv6-1" comment="" ro="False" address="fe80::aaaa:bbbb:cccc:1" netmask="128"/>
|
|
<IPv6 id="id483426D16131" name="ipv6-2" comment="" ro="False" address="fe80::aaaa:bbbb:cccc:2" netmask="128"/>
|
|
<IPv6 id="id48416A7116880" name="altavista" comment="" ro="False" address="3ffe:1200:2001:1:8000::1" netmask="128"/>
|
|
<IPv6 id="id48416A7216880" name="6bone.net" comment="" ro="False" address="2001:5c0:0:2::24" netmask="128"/>
|
|
<IPv4 id="id40860X98946" name="internal gw" comment="" ro="False" address="192.168.1.254" netmask="0.0.0.0"/>
|
|
<IPv4 id="id118625X9876" name="ext gateway" comment="" ro="False" address="192.0.2.100" netmask="0.0.0.0"/>
|
|
<IPv4 id="id45813X95438" name="h-10.3.14.40" comment="Imported from &quot;c3620&quot; 10.3.14.40/255.255.255.255" ro="False" address="10.3.14.40" netmask="255.255.255.255"/>
|
|
<IPv4 id="id45817X95438" name="h-192.168.171.2" comment="Imported from &quot;c3620&quot; 192.168.171.2/255.255.255.255" ro="False" address="192.168.171.2" netmask="255.255.255.255"/>
|
|
<IPv4 id="id45847X95438" name="h-10.3.14.201" comment="Imported from &quot;c3620&quot; 10.3.14.201/255.255.255.255" ro="False" address="10.3.14.201" netmask="255.255.255.255"/>
|
|
<IPv4 id="id46523X95438" name="a-192.168.1.10" comment="" ro="False" address="192.168.1.10" netmask="0.0.0.0"/>
|
|
<IPv4 id="id1971809X83572" name="fw2-5-eth1" comment="" ro="False" address="222.222.222.222" netmask="0.0.0.0"/>
|
|
<IPv4 id="id55195X40565" name="gw_200" comment="" ro="False" address="200.200.200.200" netmask="0.0.0.0"/>
|
|
<IPv4 id="id55215X40565" name="gw_001" comment="" ro="False" address="192.168.1.200" netmask="0.0.0.0"/>
|
|
<IPv4 id="id55235X40565" name="gw_002" comment="" ro="False" address="192.168.2.200" netmask="0.0.0.0"/>
|
|
<IPv4 id="id55255X40565" name="gw_011" comment="" ro="False" address="192.168.11.200" netmask="0.0.0.0"/>
|
|
<IPv4 id="id55275X40565" name="gw_201" comment="" ro="False" address="192.168.201.200" netmask="0.0.0.0"/>
|
|
<IPv4 id="id55295X40565" name="gw_202" comment="" ro="False" address="192.168.202.200" netmask="0.0.0.0"/>
|
|
<IPv4 id="id55476X84465" name="fw35_dyn_intf_broadcast" comment="this address represents broadcast on the subnet where dynamic interface eth0.100 of fw35 is located" ro="False" address="192.168.222.255" netmask="0.0.0.0"/>
|
|
<IPv6 id="id3110516X16199" name="addr on fw-ipv6-8 local net" comment="this address belongs to the subnet of interface eth0 of firewall-ipv6-8" ro="False" address="fe80::21d:9ff:fe8b:aaaa" netmask="128"/>
|
|
<IPv4 id="id58601X22302" name="Address" comment="comment foo bar " ro="False" address="192.0.2.100" netmask="0.0.0.0"/>
|
|
<IPv4 id="id1880621X8221" name="addr-222.222.222.40" comment="" ro="False" address="222.222.222.40" netmask="0.0.0.0"/>
|
|
</ObjectGroup>
|
|
<ObjectGroup id="stdid04_1" name="Groups" comment="" ro="False">
|
|
<ObjectGroup id="id3B4572AF" name="group1" comment="" ro="False">
|
|
<ObjectRef ref="host-hostA"/>
|
|
<ObjectRef ref="host-hostB"/>
|
|
</ObjectGroup>
|
|
<ObjectGroup id="id3B4572B5" name="platform" comment="" ro="False">
|
|
<ObjectRef ref="id3AFC0F70"/>
|
|
<ObjectRef ref="id3AFC191C"/>
|
|
</ObjectGroup>
|
|
<ObjectGroup id="id3BBC0EFC" name="netgroup1" comment="" ro="False">
|
|
<ObjectRef ref="net-Internal_net"/>
|
|
<ObjectRef ref="id3B022266"/>
|
|
</ObjectGroup>
|
|
<ObjectGroup id="id3CD87A9A" name="group-range-1" comment="" ro="False">
|
|
<ObjectRef ref="id3CD87A53"/>
|
|
<ObjectRef ref="id3CD87A5E"/>
|
|
<ObjectRef ref="id3CD87A6D"/>
|
|
<ObjectRef ref="id3CD87A7C"/>
|
|
<ObjectRef ref="id3CD87A8B"/>
|
|
</ObjectGroup>
|
|
<ObjectGroup id="id3D41A435" name="fw-group" comment="" ro="False">
|
|
<ObjectRef ref="fw-firewall2"/>
|
|
<ObjectRef ref="id3B19C5EB"/>
|
|
</ObjectGroup>
|
|
<ObjectGroup id="id3D71A1BA" name="tst1" comment="" ro="False">
|
|
<ObjectRef ref="id3CD8769F"/>
|
|
<ObjectRef ref="id3D41A435"/>
|
|
<ObjectRef ref="id3D151943"/>
|
|
<ObjectRef ref="id3B022266"/>
|
|
<ObjectRef ref="fw-firewall2"/>
|
|
<ObjectRef ref="if-FW-firewall2-eth0"/>
|
|
<ObjectRef ref="if-FW-firewall2-eth0-ipv4"/>
|
|
<ObjectRef ref="id3D151947-i-1-addr"/>
|
|
<ObjectRef ref="id3DECF62C"/>
|
|
<ObjectRef ref="id3DECF4EC"/>
|
|
</ObjectGroup>
|
|
<ObjectGroup id="id3D8FC56A" name="group2" comment="" ro="False">
|
|
<ObjectRef ref="host-hostA"/>
|
|
</ObjectGroup>
|
|
<ObjectGroup id="id3DB0B356" name="hosts with mac" comment="" ro="False">
|
|
<ObjectRef ref="id3BF1B3E1"/>
|
|
<ObjectRef ref="id3BF1B3E7"/>
|
|
<ObjectRef ref="id3DB0B350"/>
|
|
<ObjectRef ref="id3E0BD747"/>
|
|
</ObjectGroup>
|
|
<ObjectGroup id="id3DE689FE" name="empty Ogroup" comment="" ro="False"/>
|
|
<ObjectGroup id="id3DE68A00" name="empty Ogroup2" comment="" ro="False">
|
|
<ObjectRef ref="id3DE689FE"/>
|
|
</ObjectGroup>
|
|
<ObjectGroup id="id3EC69DA8" name="broadcasts" comment="" ro="False">
|
|
<ObjectRef ref="id3CFBE20C"/>
|
|
<ObjectRef ref="id3B64FFAC"/>
|
|
</ObjectGroup>
|
|
<ObjectGroup id="id3F1B9C18" name="recursive group" comment="" ro="False">
|
|
<ObjectRef ref="host-hostA"/>
|
|
<ObjectRef ref="id3F1B9C18"/>
|
|
</ObjectGroup>
|
|
<ObjectGroup id="id40F57E7C" name="netgroup2" comment="" ro="False">
|
|
<ObjectRef ref="id3CEBFCAE"/>
|
|
<ObjectRef ref="id3B665643"/>
|
|
</ObjectGroup>
|
|
<ObjectGroup id="id4390C25525682" name="at group" comment="this group is a combination of a regular address object and an address table in run-time mode" ro="False">
|
|
<ObjectRef ref="id4388C37D674"/>
|
|
<ObjectRef ref="id4389EE9118346"/>
|
|
</ObjectGroup>
|
|
<ObjectGroup id="id445F52ED31658" name="external hosts 1" comment="" ro="False">
|
|
<ObjectRef ref="id4388C37D674"/>
|
|
<ObjectRef ref="id445F59D831658"/>
|
|
</ObjectGroup>
|
|
<ObjectGroup id="id45969FEC7794" name="combined group" comment="" ro="False">
|
|
<ObjectRef ref="id459673BE7794"/>
|
|
<ObjectRef ref="id3B665641"/>
|
|
</ObjectGroup>
|
|
<ObjectGroup id="id4653B4A820440" name="fw2i1,3" comment="" ro="False">
|
|
<ObjectRef ref="id3AFB6706"/>
|
|
<ObjectRef ref="id3AFB68D2"/>
|
|
</ObjectGroup>
|
|
<ObjectGroup id="id47CBF5D129252" name="DNS objects" comment="a group of run-time dns objects that have both A and AAAA records" ro="False">
|
|
<ObjectRef ref="id44749X4903"/>
|
|
<ObjectRef ref="id44911X6795"/>
|
|
</ObjectGroup>
|
|
<ObjectGroup id="id4834A2238571" name="ipv6 addresses" comment="" ro="False">
|
|
<ObjectRef ref="id48416A7016880"/>
|
|
<ObjectRef ref="id48416A7216880"/>
|
|
<ObjectRef ref="id48416A7116880"/>
|
|
</ObjectGroup>
|
|
<ObjectGroup id="id4834A2278571" name="ipv4 ipv6 addresses" comment="" ro="False">
|
|
<ObjectRef ref="id417B3641"/>
|
|
<ObjectRef ref="id4388C37D674"/>
|
|
<ObjectRef ref="id48416A7216880"/>
|
|
<ObjectRef ref="id48416A7116880"/>
|
|
</ObjectGroup>
|
|
<ObjectGroup id="id30841X361" name="DNS objects compile time" comment="a group of run-time dns objects that have both A and AAAA records" ro="False">
|
|
<ObjectRef ref="id30878X4903"/>
|
|
<ObjectRef ref="id44910X6795"/>
|
|
</ObjectGroup>
|
|
<ObjectGroup id="id263935X33852" name="fw1group" comment="" ro="False">
|
|
<ObjectRef ref="host-hostA"/>
|
|
<ObjectRef ref="if-FW-firewall2-eth1-ipv4"/>
|
|
</ObjectGroup>
|
|
<ObjectGroup id="id6396817X14495" name="fw2-6-eth0-eth2" comment="" ro="False">
|
|
<ObjectRef ref="id1431005X8221"/>
|
|
<ObjectRef ref="id1431020X8221"/>
|
|
</ObjectGroup>
|
|
<ObjectGroup id="id6396847X14495" name="fw2-6-eth1-eth3" comment="" ro="False">
|
|
<ObjectRef ref="id1431010X8221"/>
|
|
<ObjectRef ref="id1431015X8221"/>
|
|
</ObjectGroup>
|
|
<ObjectGroup id="id552849X28023" name="fw29-eth0.100-eth0.200" comment="" ro="False">
|
|
<ObjectRef ref="id41D294A9"/>
|
|
<ObjectRef ref="id41D29492"/>
|
|
</ObjectGroup>
|
|
<ObjectGroup id="id3310453X8688" name="hosts with ip and mac" comment="" ro="False">
|
|
<ObjectRef ref="id3BF1B3E1"/>
|
|
<ObjectRef ref="id3E0F3FC8"/>
|
|
</ObjectGroup>
|
|
</ObjectGroup>
|
|
<ObjectGroup id="stdid02_1" name="Hosts" comment="" ro="False">
|
|
<Host id="id3A84EECE" name="DHCP-Servers (multicast)" comment="multicast address which is _not_ local link multicast " ro="False">
|
|
<Interface id="id3D8ZEED2" dedicated_failover="False" dyn="False" security_level="0" unnum="False" unprotected="False" name="interface1" comment="" ro="False">
|
|
<IPv4 id="id3D84EEDA" name="DHCP-Servers (multicast)" comment="" ro="False" address="224.0.1.141" netmask="255.255.255.0"/>
|
|
<InterfaceOptions/>
|
|
</Interface>
|
|
<Management address="224.0.1.141">
|
|
<SNMPManagement enabled="False" snmp_read_community="" snmp_write_community=""/>
|
|
<FWBDManagement enabled="False" identity="" port="-1"/>
|
|
<PolicyInstallScript arguments="" command="" enabled="False"/>
|
|
</Management>
|
|
<HostOptions>
|
|
<Option name="snmp_contact"/>
|
|
<Option name="snmp_description"/>
|
|
<Option name="snmp_location"/>
|
|
<Option name="use_mac_addr">false</Option>
|
|
<Option name="use_mac_addr_filter">False</Option>
|
|
</HostOptions>
|
|
</Host>
|
|
<Host id="id3CFBE20C" name="broadcast" comment="" ro="False">
|
|
<Interface id="id3CFBE20C-i" dedicated_failover="False" dyn="False" security_level="0" unnum="False" unprotected="False" name="interface-1" comment="" ro="False">
|
|
<IPv4 id="id3CFBE20C-i-1-addr" name="broadcast:address" comment="" ro="False" address="255.255.255.255" netmask="255.255.255.255"/>
|
|
<InterfaceOptions/>
|
|
</Interface>
|
|
<Management address="255.255.255.255">
|
|
<SNMPManagement enabled="False" snmp_read_community="" snmp_write_community=""/>
|
|
<FWBDManagement enabled="False" identity="" port="-1"/>
|
|
<PolicyInstallScript arguments="" command="" enabled="False"/>
|
|
</Management>
|
|
<HostOptions>
|
|
<Option name="snmp_contact"/>
|
|
<Option name="snmp_description"/>
|
|
<Option name="snmp_location"/>
|
|
<Option name="use_mac_addr">False</Option>
|
|
<Option name="use_mac_addr_filter">False</Option>
|
|
</HostOptions>
|
|
</Host>
|
|
<Host id="id3D151943" name="dmzhost1" comment="" ro="False">
|
|
<Interface id="id3D151943-i" dedicated_failover="False" dyn="False" security_level="0" unnum="False" unprotected="False" name="interface-1" comment="" ro="False">
|
|
<IPv4 id="id3D151943-i-1-addr" name="address" comment="" ro="False" address="192.168.2.10" netmask="255.255.255.255"/>
|
|
<InterfaceOptions/>
|
|
</Interface>
|
|
<Management address="192.168.2.10">
|
|
<SNMPManagement enabled="False" snmp_read_community="" snmp_write_community=""/>
|
|
<FWBDManagement enabled="False" identity="" port="-1"/>
|
|
<PolicyInstallScript arguments="" command="" enabled="False"/>
|
|
</Management>
|
|
<HostOptions>
|
|
<Option name="snmp_contact"/>
|
|
<Option name="snmp_description"/>
|
|
<Option name="snmp_location"/>
|
|
<Option name="use_mac_addr">False</Option>
|
|
<Option name="use_mac_addr_filter">False</Option>
|
|
</HostOptions>
|
|
</Host>
|
|
<Host id="id3D151947" name="dmzhost2" comment="" ro="False">
|
|
<Interface id="id3D151947-i" dedicated_failover="False" dyn="False" security_level="0" unnum="False" unprotected="False" name="interface-1" comment="" ro="False">
|
|
<IPv4 id="id3D151947-i-1-addr" name="address" comment="" ro="False" address="192.168.2.11" netmask="255.255.255.255"/>
|
|
<InterfaceOptions/>
|
|
</Interface>
|
|
<Management address="192.168.2.11">
|
|
<SNMPManagement enabled="False" snmp_read_community="" snmp_write_community=""/>
|
|
<FWBDManagement enabled="False" identity="" port="-1"/>
|
|
<PolicyInstallScript arguments="" command="" enabled="False"/>
|
|
</Management>
|
|
<HostOptions>
|
|
<Option name="snmp_contact"/>
|
|
<Option name="snmp_description"/>
|
|
<Option name="snmp_location"/>
|
|
<Option name="use_mac_addr">False</Option>
|
|
<Option name="use_mac_addr_filter">False</Option>
|
|
</HostOptions>
|
|
</Host>
|
|
<Host id="id3DE7223E" name="h-fw14-eth1-1" comment="this host is used in firewall14" ro="False">
|
|
<Interface id="id3DE72244" dedicated_failover="False" dyn="False" security_level="0" unnum="False" unprotected="False" name="interface1" comment="" ro="False">
|
|
<IPv4 id="id3DE72245" name="h-fw14-eth1-1" comment="" ro="False" address="22.22.23.22" netmask="255.255.255.255"/>
|
|
<InterfaceOptions/>
|
|
</Interface>
|
|
<Management address="22.22.23.160">
|
|
<SNMPManagement enabled="False" snmp_read_community="" snmp_write_community=""/>
|
|
<FWBDManagement enabled="False" identity="" port="-1"/>
|
|
<PolicyInstallScript arguments="" command="" enabled="False"/>
|
|
</Management>
|
|
<HostOptions>
|
|
<Option name="snmp_contact"/>
|
|
<Option name="snmp_description"/>
|
|
<Option name="snmp_location"/>
|
|
<Option name="use_mac_addr">false</Option>
|
|
<Option name="use_mac_addr_filter">False</Option>
|
|
</HostOptions>
|
|
</Host>
|
|
<Host id="id3DE72236" name="h-fw14-eth1-2" comment="this host is used in firewall14" ro="False">
|
|
<Interface id="id3DE7223A" dedicated_failover="False" dyn="False" security_level="0" unnum="False" unprotected="False" name="interface1" comment="" ro="False">
|
|
<IPv4 id="id3DE7223B" name="h-fw14-eth1-2" comment="" ro="False" address="22.22.23.160" netmask="255.255.255.255"/>
|
|
<InterfaceOptions/>
|
|
</Interface>
|
|
<Management address="22.22.23.160">
|
|
<SNMPManagement enabled="False" snmp_read_community="" snmp_write_community=""/>
|
|
<FWBDManagement enabled="False" identity="" port="-1"/>
|
|
<PolicyInstallScript arguments="" command="" enabled="False"/>
|
|
</Management>
|
|
<HostOptions>
|
|
<Option name="snmp_contact"/>
|
|
<Option name="snmp_description"/>
|
|
<Option name="snmp_location"/>
|
|
<Option name="use_mac_addr">false</Option>
|
|
<Option name="use_mac_addr_filter">False</Option>
|
|
</HostOptions>
|
|
</Host>
|
|
<Host id="id3DE722F1" name="h-fw14-eth1-N" comment="this host is used in firewall14" ro="False">
|
|
<Interface id="id3DE722F7" dedicated_failover="False" dyn="False" security_level="0" unnum="False" unprotected="False" name="interface1" comment="" ro="False">
|
|
<IPv4 id="id3DE722F8" name="h-fw14-eth1-1" comment="" ro="False" address="22.22.23.40" netmask="255.255.255.255"/>
|
|
<InterfaceOptions/>
|
|
</Interface>
|
|
<Management address="22.22.23.22">
|
|
<SNMPManagement enabled="False" snmp_read_community="" snmp_write_community=""/>
|
|
<FWBDManagement enabled="False" identity="" port="-1"/>
|
|
<PolicyInstallScript arguments="" command="" enabled="False"/>
|
|
</Management>
|
|
<HostOptions>
|
|
<Option name="snmp_contact"/>
|
|
<Option name="snmp_description"/>
|
|
<Option name="snmp_location"/>
|
|
<Option name="use_mac_addr">false</Option>
|
|
<Option name="use_mac_addr_filter">False</Option>
|
|
</HostOptions>
|
|
</Host>
|
|
<Host id="id3AFC0F70" name="host-fw2" comment="this host has the same IP address as firewall1 and firewall2" ro="False">
|
|
<Interface id="id3AFC0F70-i" dedicated_failover="False" dyn="False" security_level="100" unnum="False" unprotected="False" name="unknown" comment="" ro="False">
|
|
<IPv4 id="id3AFC0F70-i-ipv4" name="address" comment="" ro="False" address="22.22.22.22" netmask="255.255.255.255"/>
|
|
<InterfaceOptions/>
|
|
</Interface>
|
|
<Management address="0.0.0.0">
|
|
<SNMPManagement enabled="False" snmp_read_community="" snmp_write_community=""/>
|
|
<FWBDManagement enabled="False" identity="" port="-1"/>
|
|
<PolicyInstallScript arguments="" command="" enabled="False"/>
|
|
</Management>
|
|
<HostOptions>
|
|
<Option name="use_mac_addr_filter">false</Option>
|
|
</HostOptions>
|
|
</Host>
|
|
<Host id="id3BF1B3E1" name="host-with-mac-1" comment="" ro="False">
|
|
<Interface id="id3BF1B3E2" dedicated_failover="False" dyn="False" label="" mgmt="False" security_level="100" unnum="False" unprotected="False" name="host-with-mac-1:1" comment="" ro="False">
|
|
<IPv4 id="id3BF1B3E2-ipv4" name="host-with-mac-1/addr" comment="" ro="False" address="192.168.1.10" netmask="255.255.255.0"/>
|
|
<physAddress id="id3BF1B3E2-pa" address="00:10:4b:de:e9:6f" name="host-with-mac-1:1-pa" comment="" ro="False"/>
|
|
<InterfaceOptions/>
|
|
</Interface>
|
|
<Management address="192.168.1.10">
|
|
<SNMPManagement enabled="False" snmp_read_community="" snmp_write_community=""/>
|
|
<FWBDManagement enabled="False" identity="" port="-1"/>
|
|
<PolicyInstallScript arguments="" command="" enabled="False"/>
|
|
</Management>
|
|
<HostOptions>
|
|
<Option name="snmp_contact"/>
|
|
<Option name="snmp_description"/>
|
|
<Option name="snmp_location"/>
|
|
<Option name="use_mac_addr_filter">True</Option>
|
|
</HostOptions>
|
|
</Host>
|
|
<Host id="id3BF1B3E7" name="host-with-mac-2" comment="" ro="False">
|
|
<Interface id="id3BF1B3E8" dedicated_failover="False" dyn="False" label="" mgmt="False" security_level="100" unnum="False" unprotected="False" name="host-with-mac-2:1" comment="" ro="False">
|
|
<physAddress id="id3BF1B3E8-pa" address="00:10:4b:de:e9:70" name="host-with-mac-2:1-pa" comment="" ro="False"/>
|
|
<InterfaceOptions/>
|
|
</Interface>
|
|
<Management address="0.0.0.0">
|
|
<SNMPManagement enabled="False" snmp_read_community="" snmp_write_community=""/>
|
|
<FWBDManagement enabled="False" identity="" port="-1"/>
|
|
<PolicyInstallScript arguments="" command="" enabled="False"/>
|
|
</Management>
|
|
<HostOptions>
|
|
<Option name="snmp_contact"/>
|
|
<Option name="snmp_description"/>
|
|
<Option name="snmp_location"/>
|
|
<Option name="use_mac_addr_filter">True</Option>
|
|
</HostOptions>
|
|
</Host>
|
|
<Host id="id3DB0B350" name="host-with-mac-3" comment="" ro="False">
|
|
<Interface id="id3DB0B351" dedicated_failover="False" dyn="False" label="" mgmt="False" security_level="100" unnum="False" unprotected="False" name="host-with-mac-3:1" comment="" ro="False">
|
|
<physAddress id="id3DB0B351-pa" address="00:10:4b:de:e9:71" name="host-with-mac-3:1-pa" comment="" ro="False"/>
|
|
<InterfaceOptions/>
|
|
</Interface>
|
|
<Management address="0.0.0.0">
|
|
<SNMPManagement enabled="False" snmp_read_community="" snmp_write_community=""/>
|
|
<FWBDManagement enabled="False" identity="" port="-1"/>
|
|
<PolicyInstallScript arguments="" command="" enabled="False"/>
|
|
</Management>
|
|
<HostOptions>
|
|
<Option name="snmp_contact"/>
|
|
<Option name="snmp_description"/>
|
|
<Option name="snmp_location"/>
|
|
<Option name="use_mac_addr_filter">True</Option>
|
|
</HostOptions>
|
|
</Host>
|
|
<Host id="id3E0BD747" name="host-with-mac-4" comment="this host has an interface with both IP address and MAC address child objects, but both are empty. This helps us find possible problems caused by such objects." ro="False">
|
|
<Interface id="id3E0BD748" dedicated_failover="False" dyn="False" label="" mgmt="False" security_level="100" unnum="False" unprotected="False" name="host-with-mac-4:1" comment="" ro="False">
|
|
<physAddress id="id3E0BD74A" address="" name="host-with-mac-4:1-pa" comment="" ro="False"/>
|
|
<InterfaceOptions/>
|
|
</Interface>
|
|
<Management address="0.0.0.0">
|
|
<SNMPManagement enabled="False" snmp_read_community="" snmp_write_community=""/>
|
|
<FWBDManagement enabled="False" identity="" port="-1"/>
|
|
<PolicyInstallScript arguments="" command="" enabled="False"/>
|
|
</Management>
|
|
<HostOptions>
|
|
<Option name="snmp_contact"/>
|
|
<Option name="snmp_description"/>
|
|
<Option name="snmp_location"/>
|
|
<Option name="use_mac_addr_filter">True</Option>
|
|
</HostOptions>
|
|
</Host>
|
|
<Host id="id3E0F3FC8" name="host-with-mac-5" comment="this host has an interface with both IP address and MAC address child objects, but the option &quot;turn on MAC address matching&quot; is NOT activated" ro="False">
|
|
<Interface id="id3E0F3FC9" dedicated_failover="False" dyn="False" label="" mgmt="False" security_level="100" unnum="False" unprotected="False" name="host-with-mac-5:1" comment="" ro="False">
|
|
<IPv4 id="id3E0F3FCA" name="host-with-mac-5/addr" comment="" ro="False" address="192.168.1.15" netmask="255.255.255.0"/>
|
|
<physAddress id="id3E0F3FCB" address="aa:bb:cc:dd:ee:ff" name="host-with-mac-5:1-pa" comment="" ro="False"/>
|
|
<InterfaceOptions/>
|
|
</Interface>
|
|
<Management address="192.168.1.15">
|
|
<SNMPManagement enabled="False" snmp_read_community="" snmp_write_community=""/>
|
|
<FWBDManagement enabled="False" identity="" port="-1"/>
|
|
<PolicyInstallScript arguments="" command="" enabled="False"/>
|
|
</Management>
|
|
<HostOptions>
|
|
<Option name="snmp_contact"/>
|
|
<Option name="snmp_description"/>
|
|
<Option name="snmp_location"/>
|
|
<Option name="use_mac_addr_filter">True</Option>
|
|
</HostOptions>
|
|
</Host>
|
|
<Host id="host-hostA" name="hostA" comment="" ro="False">
|
|
<Interface id="host-hostA-i" dedicated_failover="False" dyn="False" security_level="100" unnum="False" unprotected="False" name="unknown" comment="" ro="False">
|
|
<IPv4 id="host-hostA-i-ipv4" name="address" comment="" ro="False" address="192.168.1.10" netmask="255.255.255.255"/>
|
|
<InterfaceOptions/>
|
|
</Interface>
|
|
<Management address="192.168.1.10">
|
|
<SNMPManagement enabled="False" snmp_read_community="public" snmp_write_community=""/>
|
|
<FWBDManagement enabled="False" identity="" port="-1"/>
|
|
<PolicyInstallScript arguments="" command="" enabled="False"/>
|
|
</Management>
|
|
<HostOptions>
|
|
<Option name="use_mac_addr_filter">false</Option>
|
|
</HostOptions>
|
|
</Host>
|
|
<Host id="id3AFADBF9" name="hostA-NAT" comment="translated address for hostA" ro="False">
|
|
<Interface id="id3AFADBF9-i" dedicated_failover="False" dyn="False" security_level="100" unnum="False" unprotected="False" name="unknown" comment="" ro="False">
|
|
<IPv4 id="id3AFADBF9-i-ipv4" name="address" comment="" ro="False" address="22.22.22.23" netmask="255.255.255.255"/>
|
|
<InterfaceOptions/>
|
|
</Interface>
|
|
<Management address="0.0.0.0">
|
|
<SNMPManagement enabled="False" snmp_read_community="" snmp_write_community=""/>
|
|
<FWBDManagement enabled="False" identity="" port="-1"/>
|
|
<PolicyInstallScript arguments="" command="" enabled="False"/>
|
|
</Management>
|
|
<HostOptions>
|
|
<Option name="use_mac_addr_filter">false</Option>
|
|
</HostOptions>
|
|
</Host>
|
|
<Host id="host-hostB" name="hostB" comment="" ro="False">
|
|
<Interface id="host-hostB-i" dedicated_failover="False" dyn="False" security_level="100" unnum="False" unprotected="False" name="unknown" comment="" ro="False">
|
|
<IPv4 id="host-hostB-i-ipv4" name="address" comment="" ro="False" address="192.168.1.20" netmask="255.255.255.255"/>
|
|
<InterfaceOptions/>
|
|
</Interface>
|
|
<Management address="192.168.1.20">
|
|
<SNMPManagement enabled="False" snmp_read_community="public" snmp_write_community=""/>
|
|
<FWBDManagement enabled="False" identity="" port="-1"/>
|
|
<PolicyInstallScript arguments="" command="" enabled="False"/>
|
|
</Management>
|
|
<HostOptions>
|
|
<Option name="use_mac_addr_filter">false</Option>
|
|
</HostOptions>
|
|
</Host>
|
|
<Host id="id3BD6736B" name="hostB-NAT" comment="" ro="False">
|
|
<Interface id="id3BD6736B-i" dedicated_failover="False" dyn="False" security_level="100" unnum="False" unprotected="False" name="unknown" comment="" ro="False">
|
|
<IPv4 id="id3BD6736B-i-ipv4" name="address" comment="" ro="False" address="22.22.23.24" netmask="255.255.255.255"/>
|
|
<InterfaceOptions/>
|
|
</Interface>
|
|
<HostOptions>
|
|
<Option name="use_mac_addr_filter">false</Option>
|
|
</HostOptions>
|
|
</Host>
|
|
<Host id="id3AFC191C" name="hostF-int" comment="the same address as internal iface of firewall1" ro="False">
|
|
<Interface id="id3AFC191C-i" dedicated_failover="False" dyn="False" label="" security_level="100" unnum="False" unprotected="False" name="eth0" comment="" ro="False">
|
|
<IPv4 id="id3AFC191C-i-ipv4" name="hostF-int:eth0:ip" comment="" ro="False" address="192.168.1.1" netmask="255.255.255.255"/>
|
|
<InterfaceOptions/>
|
|
</Interface>
|
|
<Management address="0.0.0.0">
|
|
<SNMPManagement enabled="False" snmp_read_community="" snmp_write_community=""/>
|
|
<FWBDManagement enabled="False" identity="" port="-1"/>
|
|
<PolicyInstallScript arguments="" command="" enabled="False"/>
|
|
</Management>
|
|
<HostOptions>
|
|
<Option name="use_mac_addr_filter">False</Option>
|
|
</HostOptions>
|
|
</Host>
|
|
<Host id="id3DECF4EB" name="hostM-outside" comment="this host has multiple interfaces" ro="False">
|
|
<Interface id="id3DECF4EC" dedicated_failover="False" dyn="False" label="" mgmt="False" security_level="100" unnum="False" unprotected="False" name="hostM-iface" comment="" ro="False">
|
|
<IPv4 id="id3DECF4ED" name="address" comment="" ro="False" address="222.222.222.40" netmask="255.255.255.0"/>
|
|
<IPv4 id="id3DECF62C" name="hostM-outside" comment="" ro="False" address="222.222.222.41" netmask="255.255.255.0"/>
|
|
<InterfaceOptions/>
|
|
</Interface>
|
|
<Management address="22.22.22.23">
|
|
<SNMPManagement enabled="False" snmp_read_community="" snmp_write_community=""/>
|
|
<FWBDManagement enabled="False" identity="" port="-1"/>
|
|
<PolicyInstallScript arguments="" command="" enabled="False"/>
|
|
</Management>
|
|
<HostOptions>
|
|
<Option name="snmp_contact"/>
|
|
<Option name="snmp_description"/>
|
|
<Option name="snmp_location"/>
|
|
<Option name="use_mac_addr_filter">False</Option>
|
|
</HostOptions>
|
|
</Host>
|
|
<Host id="id3DECF622" name="hostN-outside" comment="this host has multiple interfaces" ro="False">
|
|
<Interface id="id3DECF623" dedicated_failover="False" dyn="False" security_level="100" unnum="False" unprotected="False" name="unknown" comment="" ro="False">
|
|
<IPv4 id="id3DECF624" name="address" comment="" ro="False" address="222.222.222.40" netmask="255.255.255.0"/>
|
|
<InterfaceOptions/>
|
|
</Interface>
|
|
<Interface id="id3DECF62A" dedicated_failover="False" dyn="False" security_level="0" unnum="False" unprotected="False" name="unknown" comment="" ro="False">
|
|
<IPv4 id="id3DECF62B" name="hostM-outside" comment="" ro="False" address="222.222.222.41" netmask="255.255.255.0"/>
|
|
<InterfaceOptions/>
|
|
</Interface>
|
|
<Management address="222.222.222.41">
|
|
<SNMPManagement enabled="False" snmp_read_community="" snmp_write_community=""/>
|
|
<FWBDManagement enabled="False" identity="" port="-1"/>
|
|
<PolicyInstallScript arguments="" command="" enabled="False"/>
|
|
</Management>
|
|
<HostOptions>
|
|
<Option name="snmp_contact"/>
|
|
<Option name="snmp_description"/>
|
|
<Option name="snmp_location"/>
|
|
<Option name="use_mac_addr_filter">False</Option>
|
|
</HostOptions>
|
|
</Host>
|
|
<Host id="id3DE47B6C" name="hostZ-outside" comment="host on subnet 22.22.22.0 with several addresses" ro="False">
|
|
<Interface id="id3DE47B6D" dedicated_failover="False" dyn="False" label="" mgmt="False" security_level="100" unnum="False" unprotected="False" name="eth0" comment="" ro="False">
|
|
<IPv4 id="id3DE47B6E" name="hZ-eth0" comment="" ro="False" address="22.22.22.23" netmask="255.255.255.255"/>
|
|
<InterfaceOptions/>
|
|
</Interface>
|
|
<Interface id="id3DE47B76" dedicated_failover="False" dyn="False" label="" mgmt="False" security_level="100" unnum="False" unprotected="False" name="eth1" comment="" ro="False">
|
|
<IPv4 id="id3DE47B77" name="hZ-eth1" comment="" ro="False" address="22.22.22.24" netmask="255.255.255.255"/>
|
|
<InterfaceOptions/>
|
|
</Interface>
|
|
<Interface id="id3DE47B78" dedicated_failover="False" dyn="False" label="" mgmt="False" security_level="100" unnum="False" unprotected="False" name="eth2" comment="" ro="False">
|
|
<IPv4 id="id3DE47B79" name="hZ-eth2" comment="" ro="False" address="22.22.22.25" netmask="255.255.255.255"/>
|
|
<InterfaceOptions/>
|
|
</Interface>
|
|
<Management address="22.22.22.23">
|
|
<SNMPManagement enabled="False" snmp_read_community="" snmp_write_community=""/>
|
|
<FWBDManagement enabled="False" identity="" port="-1"/>
|
|
<PolicyInstallScript arguments="" command="" enabled="False"/>
|
|
</Management>
|
|
<HostOptions>
|
|
<Option name="snmp_contact"/>
|
|
<Option name="snmp_description"/>
|
|
<Option name="snmp_location"/>
|
|
<Option name="use_mac_addr_filter">False</Option>
|
|
</HostOptions>
|
|
</Host>
|
|
<Host id="id3B64FFAC" name="local-bcast" comment="broadcast on internal subnet" ro="False">
|
|
<Interface id="id3B64FFAC-i" dedicated_failover="False" dyn="False" security_level="100" unnum="False" unprotected="False" name="unknown" comment="" ro="False">
|
|
<IPv4 id="id3B64FFAC-i-ipv4" name="local-bcast:addess" comment="" ro="False" address="192.168.1.255" netmask="255.255.255.255"/>
|
|
<InterfaceOptions/>
|
|
</Interface>
|
|
<Management address="192.168.1.255">
|
|
<SNMPManagement enabled="False" snmp_read_community="" snmp_write_community=""/>
|
|
<FWBDManagement enabled="False" identity="" port="-1"/>
|
|
<PolicyInstallScript arguments="" command="" enabled="False"/>
|
|
</Management>
|
|
<HostOptions>
|
|
<Option name="snmp_contact"/>
|
|
<Option name="snmp_description"/>
|
|
<Option name="snmp_location"/>
|
|
<Option name="use_mac_addr_filter">False</Option>
|
|
</HostOptions>
|
|
</Host>
|
|
<Host id="id3CD87A53" name="h192.168.1.11" comment="" ro="False">
|
|
<Interface id="id3CD87A53-i" dedicated_failover="False" dyn="False" security_level="0" unnum="False" unprotected="False" name="interface-1" comment="" ro="False">
|
|
<IPv4 id="id3CD87A53-i-1-addr" name="address" comment="" ro="False" address="192.168.1.11" netmask="255.255.255.255"/>
|
|
<InterfaceOptions/>
|
|
</Interface>
|
|
<Management address="192.168.1.11">
|
|
<SNMPManagement enabled="False" snmp_read_community="" snmp_write_community=""/>
|
|
<FWBDManagement enabled="False" identity="" port="-1"/>
|
|
<PolicyInstallScript arguments="" command="" enabled="False"/>
|
|
</Management>
|
|
<HostOptions>
|
|
<Option name="snmp_contact"/>
|
|
<Option name="snmp_description"/>
|
|
<Option name="snmp_location"/>
|
|
<Option name="use_mac_addr">False</Option>
|
|
<Option name="use_mac_addr_filter">False</Option>
|
|
</HostOptions>
|
|
</Host>
|
|
<Host id="id3CD87A5E" name="h192.168.1.12" comment="" ro="False">
|
|
<Interface id="id3CD87A5E-i" dedicated_failover="False" dyn="False" security_level="0" unnum="False" unprotected="False" name="interface-1" comment="" ro="False">
|
|
<IPv4 id="id3CD87A5E-i-1-addr" name="address" comment="" ro="False" address="192.168.1.12" netmask="255.255.255.255"/>
|
|
<InterfaceOptions/>
|
|
</Interface>
|
|
<Management address="192.168.1.12">
|
|
<SNMPManagement enabled="False" snmp_read_community="" snmp_write_community=""/>
|
|
<FWBDManagement enabled="False" identity="" port="-1"/>
|
|
<PolicyInstallScript arguments="" command="" enabled="False"/>
|
|
</Management>
|
|
<HostOptions>
|
|
<Option name="snmp_contact"/>
|
|
<Option name="snmp_description"/>
|
|
<Option name="snmp_location"/>
|
|
<Option name="use_mac_addr">False</Option>
|
|
<Option name="use_mac_addr_filter">False</Option>
|
|
</HostOptions>
|
|
</Host>
|
|
<Host id="id3CD87A6D" name="h192.168.1.13" comment="" ro="False">
|
|
<Interface id="id3CD87A6D-i" dedicated_failover="False" dyn="False" security_level="0" unnum="False" unprotected="False" name="interface-1" comment="" ro="False">
|
|
<IPv4 id="id3CD87A6D-i-1-addr" name="address" comment="" ro="False" address="192.168.1.13" netmask="255.255.255.255"/>
|
|
<InterfaceOptions/>
|
|
</Interface>
|
|
<Management address="192.168.1.13">
|
|
<SNMPManagement enabled="False" snmp_read_community="" snmp_write_community=""/>
|
|
<FWBDManagement enabled="False" identity="" port="-1"/>
|
|
<PolicyInstallScript arguments="" command="" enabled="False"/>
|
|
</Management>
|
|
<HostOptions>
|
|
<Option name="snmp_contact"/>
|
|
<Option name="snmp_description"/>
|
|
<Option name="snmp_location"/>
|
|
<Option name="use_mac_addr">False</Option>
|
|
<Option name="use_mac_addr_filter">False</Option>
|
|
</HostOptions>
|
|
</Host>
|
|
<Host id="id3CD87A7C" name="h192.168.1.14" comment="" ro="False">
|
|
<Interface id="id3CD87A7C-i" dedicated_failover="False" dyn="False" security_level="0" unnum="False" unprotected="False" name="interface-1" comment="" ro="False">
|
|
<IPv4 id="id3CD87A7C-i-1-addr" name="address" comment="" ro="False" address="192.168.1.14" netmask="255.255.255.255"/>
|
|
<InterfaceOptions/>
|
|
</Interface>
|
|
<Management address="192.168.1.14">
|
|
<SNMPManagement enabled="False" snmp_read_community="" snmp_write_community=""/>
|
|
<FWBDManagement enabled="False" identity="" port="-1"/>
|
|
<PolicyInstallScript arguments="" command="" enabled="False"/>
|
|
</Management>
|
|
<HostOptions>
|
|
<Option name="snmp_contact"/>
|
|
<Option name="snmp_description"/>
|
|
<Option name="snmp_location"/>
|
|
<Option name="use_mac_addr">False</Option>
|
|
<Option name="use_mac_addr_filter">False</Option>
|
|
</HostOptions>
|
|
</Host>
|
|
<Host id="id3CD87A8B" name="h192.168.1.15" comment="" ro="False">
|
|
<Interface id="id3CD87A8B-i" dedicated_failover="False" dyn="False" security_level="0" unnum="False" unprotected="False" name="interface-1" comment="" ro="False">
|
|
<IPv4 id="id3CD87A8B-i-1-addr" name="address" comment="" ro="False" address="192.168.1.15" netmask="255.255.255.255"/>
|
|
<InterfaceOptions/>
|
|
</Interface>
|
|
<Management address="192.168.1.15">
|
|
<SNMPManagement enabled="False" snmp_read_community="" snmp_write_community=""/>
|
|
<FWBDManagement enabled="False" identity="" port="-1"/>
|
|
<PolicyInstallScript arguments="" command="" enabled="False"/>
|
|
</Management>
|
|
<HostOptions>
|
|
<Option name="snmp_contact"/>
|
|
<Option name="snmp_description"/>
|
|
<Option name="snmp_location"/>
|
|
<Option name="use_mac_addr">False</Option>
|
|
<Option name="use_mac_addr_filter">False</Option>
|
|
</HostOptions>
|
|
</Host>
|
|
<Host id="id3D84EEC8" name="ospf routers (multicast)" comment="local link multicast address" ro="False">
|
|
<Interface id="id3D84EECC" dedicated_failover="False" dyn="False" security_level="0" unnum="False" unprotected="False" name="interface1" comment="" ro="False">
|
|
<IPv4 id="id3D84EECD" name="ospf routers (multicast)" comment="" ro="False" address="224.0.0.5" netmask="255.255.255.0"/>
|
|
<InterfaceOptions/>
|
|
</Interface>
|
|
<Management address="224.0.0.5">
|
|
<SNMPManagement enabled="False" snmp_read_community="" snmp_write_community=""/>
|
|
<FWBDManagement enabled="False" identity="" port="-1"/>
|
|
<PolicyInstallScript arguments="" command="" enabled="False"/>
|
|
</Management>
|
|
<HostOptions>
|
|
<Option name="snmp_contact"/>
|
|
<Option name="snmp_description"/>
|
|
<Option name="snmp_location"/>
|
|
<Option name="use_mac_addr">false</Option>
|
|
<Option name="use_mac_addr_filter">False</Option>
|
|
</HostOptions>
|
|
</Host>
|
|
<Host id="id3B19C5EB" name="outside-host" comment="some host outside our network" ro="False">
|
|
<Interface id="id3B19C5EB-i" dedicated_failover="False" dyn="False" security_level="100" unnum="False" unprotected="False" name="unknown" comment="" ro="False">
|
|
<IPv4 id="id3B19C5EB-i-ipv4" name="address" comment="" ro="False" address="200.200.200.200" netmask="255.255.255.255"/>
|
|
<InterfaceOptions/>
|
|
</Interface>
|
|
<Management address="0.0.0.0">
|
|
<SNMPManagement enabled="False" snmp_read_community="" snmp_write_community=""/>
|
|
<FWBDManagement enabled="False" identity="" port="-1"/>
|
|
<PolicyInstallScript arguments="" command="" enabled="False"/>
|
|
</Management>
|
|
<HostOptions>
|
|
<Option name="use_mac_addr_filter">false</Option>
|
|
</HostOptions>
|
|
</Host>
|
|
<Host id="host-secondary1-com" name="secondary1.com" comment="" ro="False">
|
|
<Interface id="host-secondary1-com-i" dedicated_failover="False" dyn="False" security_level="100" unnum="False" unprotected="False" name="unknown" comment="" ro="False">
|
|
<IPv4 id="host-secondary1-com-i-ipv4" name="address" comment="" ro="False" address="211.11.11.11" netmask="255.255.255.255"/>
|
|
<InterfaceOptions/>
|
|
</Interface>
|
|
<Management address="211.11.11.11">
|
|
<SNMPManagement enabled="False" snmp_read_community="public" snmp_write_community=""/>
|
|
<FWBDManagement enabled="False" identity="" port="-1"/>
|
|
<PolicyInstallScript arguments="" command="" enabled="False"/>
|
|
</Management>
|
|
<HostOptions>
|
|
<Option name="use_mac_addr_filter">false</Option>
|
|
</HostOptions>
|
|
</Host>
|
|
<Host id="host-secondary2-com" name="secondary2.com" comment="" ro="False">
|
|
<Interface id="host-secondary2-com-i" dedicated_failover="False" dyn="False" security_level="100" unnum="False" unprotected="False" name="unknown" comment="" ro="False">
|
|
<IPv4 id="host-secondary2-com-i-ipv4" name="address" comment="" ro="False" address="211.22.22.22" netmask="255.255.255.255"/>
|
|
<InterfaceOptions/>
|
|
</Interface>
|
|
<Management address="211.22.22.22">
|
|
<SNMPManagement enabled="False" snmp_read_community="public" snmp_write_community=""/>
|
|
<FWBDManagement enabled="False" identity="" port="-1"/>
|
|
<PolicyInstallScript arguments="" command="" enabled="False"/>
|
|
</Management>
|
|
<HostOptions>
|
|
<Option name="use_mac_addr_filter">false</Option>
|
|
</HostOptions>
|
|
</Host>
|
|
<Host id="id3BF23930" name="z-host" comment="" ro="False">
|
|
<Interface id="id3BF23931" dedicated_failover="False" dyn="False" security_level="100" unnum="False" unprotected="False" name="unknown" comment="" ro="False">
|
|
<IPv4 id="id3BF23931-ipv4" name="address" comment="" ro="False" address="0.0.0.0" netmask="0.0.0.0"/>
|
|
<physAddress id="id3BF23931-pa" address="00:a0:24:53:06:8c" name="unknown-pa" comment="" ro="False"/>
|
|
<InterfaceOptions/>
|
|
</Interface>
|
|
<Management address="0.0.0.0">
|
|
<SNMPManagement enabled="False" snmp_read_community="" snmp_write_community=""/>
|
|
<FWBDManagement enabled="False" identity="" port="-1"/>
|
|
<PolicyInstallScript arguments="" command="" enabled="False"/>
|
|
</Management>
|
|
<HostOptions>
|
|
<Option name="use_mac_addr_filter">false</Option>
|
|
</HostOptions>
|
|
</Host>
|
|
<Host id="id3D84F6D7" name="zero address" comment="" ro="False">
|
|
<Interface id="id3D84F6DB" dedicated_failover="False" dyn="False" security_level="0" unnum="False" unprotected="False" name="interface1" comment="" ro="False">
|
|
<IPv4 id="id3D84F6DC" name="zero addr(ip)" comment="" ro="False" address="0.0.0.0" netmask="0.0.0.0"/>
|
|
<physAddress id="id3E192A36" address="00:00:00:00:00:00" name="zero addr(MAC)" comment="" ro="False"/>
|
|
<InterfaceOptions/>
|
|
</Interface>
|
|
<Management address="0.0.0.0">
|
|
<SNMPManagement enabled="False" snmp_read_community="" snmp_write_community=""/>
|
|
<FWBDManagement enabled="False" identity="" port="-1"/>
|
|
<PolicyInstallScript arguments="" command="" enabled="False"/>
|
|
</Management>
|
|
<HostOptions>
|
|
<Option name="snmp_contact"/>
|
|
<Option name="snmp_description"/>
|
|
<Option name="snmp_location"/>
|
|
<Option name="use_mac_addr">false</Option>
|
|
<Option name="use_mac_addr_filter">False</Option>
|
|
</HostOptions>
|
|
</Host>
|
|
<Host id="id3E9870D1" name="like fw5" comment="" ro="False">
|
|
<Interface id="id3E9870D7" dedicated_failover="False" dyn="False" security_level="0" unnum="False" unprotected="False" name="eth0" comment="" ro="False">
|
|
<IPv4 id="id3E9870D8" name="like fw5:eth0(ip)" comment="" ro="False" address="192.168.1.1" netmask="255.255.255.0"/>
|
|
<InterfaceOptions/>
|
|
</Interface>
|
|
<Interface id="id3E9870D9" dedicated_failover="False" dyn="False" security_level="0" unnum="False" unprotected="False" name="eth1" comment="" ro="False">
|
|
<IPv4 id="id3E9870DA" name="like fw5:eth1(ip)" comment="" ro="False" address="192.168.2.1" netmask="255.255.255.0"/>
|
|
<InterfaceOptions/>
|
|
</Interface>
|
|
<Management address="0.0.0.0">
|
|
<SNMPManagement enabled="False" snmp_read_community="" snmp_write_community=""/>
|
|
<FWBDManagement enabled="False" identity="" port="-1"/>
|
|
<PolicyInstallScript arguments="" command="" enabled="False"/>
|
|
</Management>
|
|
<HostOptions>
|
|
<Option name="use_mac_addr">false</Option>
|
|
</HostOptions>
|
|
</Host>
|
|
<Host id="id3E9BC536" name="squid-box" comment="" ro="False">
|
|
<Interface id="id3E9BC538" dedicated_failover="False" dyn="False" security_level="0" unnum="False" unprotected="False" name="interface1" comment="" ro="False">
|
|
<IPv4 id="id3E9BC539" name="squid-box:interface1(ip)" comment="" ro="False" address="192.168.1.100" netmask="255.255.255.255"/>
|
|
<InterfaceOptions/>
|
|
</Interface>
|
|
<Management address="0.0.0.0">
|
|
<SNMPManagement enabled="False" snmp_read_community="" snmp_write_community=""/>
|
|
<FWBDManagement enabled="False" identity="" port="-1"/>
|
|
<PolicyInstallScript arguments="" command="" enabled="False"/>
|
|
</Management>
|
|
<HostOptions>
|
|
<Option name="use_mac_addr">false</Option>
|
|
</HostOptions>
|
|
</Host>
|
|
<Host id="id3EE4CC6E" name="like fw18(eth1)" comment="" ro="False">
|
|
<Interface id="id3EE4CC70" dedicated_failover="False" dyn="False" security_level="0" unnum="False" unprotected="False" name="interface1" comment="" ro="False">
|
|
<IPv4 id="id3EE4CC71" name="like fw18(eth1):interface1(ip)" comment="" ro="False" address="66.66.66.130" netmask="255.255.255.255"/>
|
|
<InterfaceOptions/>
|
|
</Interface>
|
|
<Management address="0.0.0.0">
|
|
<SNMPManagement enabled="False" snmp_read_community="" snmp_write_community=""/>
|
|
<FWBDManagement enabled="False" identity="" port="-1"/>
|
|
<PolicyInstallScript arguments="" command="" enabled="False"/>
|
|
</Management>
|
|
<HostOptions>
|
|
<Option name="use_mac_addr">false</Option>
|
|
</HostOptions>
|
|
</Host>
|
|
<Host id="id3F14DFB8" name="fw-with-mac-1" comment="This host has the same IP address as firewall 'firewall', plus it has a MAC address. Tests the combination of &quot;--mac --source-mac&quot; in the OUTPUT chain." ro="False">
|
|
<Interface id="id3F14DFB9" dedicated_failover="False" dyn="False" label="" mgmt="False" security_level="100" unnum="False" unprotected="False" name="host-with-mac-1:1" comment="" ro="False">
|
|
<IPv4 id="id3F14DFBA" name="host-with-mac-1/addr" comment="" ro="False" address="192.168.1.1" netmask="255.255.255.0"/>
|
|
<physAddress id="id3F14DFBB" address="00:10:4b:de:e9:6f" name="host-with-mac-1:1-pa" comment="" ro="False"/>
|
|
<InterfaceOptions/>
|
|
</Interface>
|
|
<Management address="192.168.1.10">
|
|
<SNMPManagement enabled="False" snmp_read_community="" snmp_write_community=""/>
|
|
<FWBDManagement enabled="False" identity="" port="-1"/>
|
|
<PolicyInstallScript arguments="" command="" enabled="False"/>
|
|
</Management>
|
|
<HostOptions>
|
|
<Option name="snmp_contact"/>
|
|
<Option name="snmp_description"/>
|
|
<Option name="snmp_location"/>
|
|
<Option name="use_mac_addr_filter">True</Option>
|
|
</HostOptions>
|
|
</Host>
|
|
<Host id="id3F14E244" name="fw-with-mac-2" comment="This host has the same IP address as firewall 'firewall', plus it has a MAC address. Tests the combination of &quot;--mac --source-mac&quot; in the OUTPUT chain." ro="False">
|
|
<Interface id="id3F14E245" dedicated_failover="False" dyn="False" label="" mgmt="False" security_level="100" unnum="False" unprotected="False" name="host-with-mac-1:1" comment="" ro="False">
|
|
<IPv4 id="id3F14E246" name="host-with-mac-1/addr" comment="" ro="False" address="192.168.1.1" netmask="255.255.255.0"/>
|
|
<physAddress id="id3F14E247" address="00:10:4b:de:e9:6f" name="host-with-mac-1:1-pa" comment="" ro="False"/>
|
|
<InterfaceOptions/>
|
|
</Interface>
|
|
<Management address="192.168.1.1">
|
|
<SNMPManagement enabled="False" snmp_read_community="" snmp_write_community=""/>
|
|
<FWBDManagement enabled="False" identity="" port="-1"/>
|
|
<PolicyInstallScript arguments="" command="" enabled="False"/>
|
|
</Management>
|
|
<HostOptions>
|
|
<Option name="snmp_contact"/>
|
|
<Option name="snmp_description"/>
|
|
<Option name="snmp_location"/>
|
|
<Option name="use_mac_addr_filter">True</Option>
|
|
</HostOptions>
|
|
</Host>
|
|
<Host id="id40236C4D" name="dhcpserver" comment="used in fw7" ro="False">
|
|
<Interface id="id40236C4F" dedicated_failover="False" dyn="False" security_level="0" unnum="False" unprotected="False" name="interface1" comment="" ro="False">
|
|
<IPv4 id="id40236C50" name="dhcpserver:interface1(ip)" comment="" ro="False" address="192.168.2.10" netmask="255.255.255.255"/>
|
|
<InterfaceOptions/>
|
|
</Interface>
|
|
<Management address="192.168.2.10">
|
|
<SNMPManagement enabled="False" snmp_read_community="" snmp_write_community=""/>
|
|
<FWBDManagement enabled="False" identity="" port="-1"/>
|
|
<PolicyInstallScript arguments="" command="" enabled="False"/>
|
|
</Management>
|
|
<HostOptions>
|
|
<Option name="snmp_contact"/>
|
|
<Option name="snmp_description"/>
|
|
<Option name="snmp_location"/>
|
|
<Option name="use_mac_addr">false</Option>
|
|
<Option name="use_mac_addr_filter">False</Option>
|
|
</HostOptions>
|
|
</Host>
|
|
<Host id="id40236C9A" name="unknown" comment="" ro="False">
|
|
<Interface id="id40236C9C" dedicated_failover="False" dyn="False" security_level="0" unnum="False" unprotected="False" name="interface1" comment="" ro="False">
|
|
<IPv4 id="id40236C9D" name="unknown:interface1(ip)" comment="" ro="False" address="0.0.0.0" netmask="255.255.255.255"/>
|
|
<InterfaceOptions/>
|
|
</Interface>
|
|
<Management address="0.0.0.0">
|
|
<SNMPManagement enabled="False" snmp_read_community="" snmp_write_community=""/>
|
|
<FWBDManagement enabled="False" identity="" port="-1"/>
|
|
<PolicyInstallScript arguments="" command="" enabled="False"/>
|
|
</Management>
|
|
<HostOptions>
|
|
<Option name="use_mac_addr">false</Option>
|
|
</HostOptions>
|
|
</Host>
|
|
<Host id="id40F195D2" name="hostC" comment="" ro="False">
|
|
<Interface id="id40F195D4" dedicated_failover="False" dyn="False" label="" security_level="0" unnum="False" unprotected="False" name="eth0" comment="" ro="False">
|
|
<IPv4 id="id40F195D6" name="hostC:eth0:ip" comment="" ro="False" address="192.168.1.50" netmask="255.255.255.0"/>
|
|
<InterfaceOptions/>
|
|
</Interface>
|
|
<Management address="0.0.0.0">
|
|
<SNMPManagement enabled="False" snmp_read_community="" snmp_write_community=""/>
|
|
<FWBDManagement enabled="False" identity="" port="-1"/>
|
|
<PolicyInstallScript arguments="" command="" enabled="False"/>
|
|
</Management>
|
|
<HostOptions/>
|
|
</Host>
|
|
<Host id="id43913DCB25682" name="hostAt" comment="" ro="False">
|
|
<Interface id="id43913DCD25682" dedicated_failover="False" dyn="False" label="" security_level="100" unnum="False" unprotected="False" name="hostA_eth0" comment="" ro="False">
|
|
<IPv4 id="id43913DCE25682" name="hostAt:hostA_eth0:ip" comment="" ro="False" address="192.168.1.10" netmask="255.255.255.255"/>
|
|
<InterfaceOptions/>
|
|
</Interface>
|
|
<Management address="192.168.1.10">
|
|
<SNMPManagement enabled="False" snmp_read_community="public" snmp_write_community=""/>
|
|
<FWBDManagement enabled="False" identity="" port="-1"/>
|
|
<PolicyInstallScript arguments="" command="" enabled="False"/>
|
|
</Management>
|
|
<HostOptions>
|
|
<Option name="snmp_contact"/>
|
|
<Option name="snmp_description"/>
|
|
<Option name="snmp_location"/>
|
|
<Option name="use_mac_addr_filter">False</Option>
|
|
</HostOptions>
|
|
</Host>
|
|
<Host id="id445F59D831658" name="exthost223" comment="This object represents a PC with a single network interface" ro="False">
|
|
<Interface id="id445F59DA31658" dedicated_failover="False" dyn="False" label="" security_level="0" unnum="False" unprotected="False" name="eth0" comment="" ro="False">
|
|
<IPv4 id="id445F59DB31658" name="exthost223:eth0:ip" comment="" ro="False" address="223.223.223.223" netmask="255.255.255.0"/>
|
|
<InterfaceOptions/>
|
|
</Interface>
|
|
<Management address="0.0.0.0">
|
|
<SNMPManagement enabled="False" snmp_read_community="" snmp_write_community=""/>
|
|
<FWBDManagement enabled="False" identity="" port="-1"/>
|
|
<PolicyInstallScript arguments="" command="" enabled="False"/>
|
|
</Management>
|
|
<HostOptions>
|
|
<Option name="use_mac_addr_filter">False</Option>
|
|
</HostOptions>
|
|
</Host>
|
|
<Host id="id47CD183A7550" name="host with multiple interfaces" comment="" ro="False">
|
|
<Interface id="id47CD183C7550" dedicated_failover="False" dyn="False" security_level="0" unnum="False" unprotected="False" name="eth0" comment="" ro="False">
|
|
<IPv4 id="id47CD183D7550" name="host with multiple interfaces:eth0:ip" comment="" ro="False" address="192.168.1.1" netmask="255.255.255.0"/>
|
|
<InterfaceOptions/>
|
|
</Interface>
|
|
<Interface id="id47CD183E7550" dedicated_failover="False" dyn="False" security_level="0" unnum="False" unprotected="False" name="eth1" comment="" ro="False">
|
|
<IPv4 id="id47CD183F7550" name="host with multiple interfaces:eth1:ip" comment="" ro="False" address="192.168.2.1" netmask="255.255.255.0"/>
|
|
<InterfaceOptions/>
|
|
</Interface>
|
|
<Interface id="id47CD49057550" dedicated_failover="False" dyn="False" label="" security_level="0" unnum="False" unprotected="False" name="eth2" comment="" ro="False">
|
|
<IPv4 id="id47CD49067550" name="host with multiple interfaces:eth2:ip" comment="" ro="False" address="77.77.77.77" netmask="255.255.255.0"/>
|
|
<InterfaceOptions/>
|
|
</Interface>
|
|
<Management address="0.0.0.0">
|
|
<SNMPManagement enabled="False" snmp_read_community="" snmp_write_community=""/>
|
|
<FWBDManagement enabled="False" identity="" port="-1"/>
|
|
<PolicyInstallScript arguments="" command="" enabled="False"/>
|
|
</Management>
|
|
<HostOptions>
|
|
<Option name="use_mac_addr">false</Option>
|
|
<Option name="use_mac_addr_filter">False</Option>
|
|
</HostOptions>
|
|
</Host>
|
|
<Host id="id48356E0A14854" name="like fw2(eth3)-1" comment="" ro="False">
|
|
<Interface id="id48356E0C14854" dedicated_failover="False" dyn="False" security_level="0" unnum="False" unprotected="False" name="interface1" comment="" ro="False">
|
|
<IPv4 id="id48356E0D14854" name="like fw2(eth3)-1:interface1:ip" comment="" ro="False" address="22.22.25.50" netmask="255.255.255.255"/>
|
|
<InterfaceOptions/>
|
|
</Interface>
|
|
<Management address="0.0.0.0">
|
|
<SNMPManagement enabled="False" snmp_read_community="" snmp_write_community=""/>
|
|
<FWBDManagement enabled="False" identity="" port="-1"/>
|
|
<PolicyInstallScript arguments="" command="" enabled="False"/>
|
|
</Management>
|
|
<HostOptions>
|
|
<Option name="use_mac_addr">false</Option>
|
|
<Option name="use_mac_addr_filter">False</Option>
|
|
</HostOptions>
|
|
</Host>
|
|
<Host id="id42703X3768" name="ipv4-ipv6-host" comment="" ro="False">
|
|
<Interface id="id42705X3768" dedicated_failover="False" dyn="False" label="" security_level="0" unnum="False" unprotected="False" name="eth0" comment="" ro="False">
|
|
<IPv4 id="id42706X3768" name="ipv4-ipv6-host:eth0:ip" comment="" ro="False" address="192.168.1.1" netmask="255.255.255.0"/>
|
|
<IPv6 id="id42708X3768" name="ipv4-ipv6-host:eth0:ipv6" comment="" ro="False" address="e80::21d:9ff:fe8b:8e94" netmask="64"/>
|
|
<InterfaceOptions/>
|
|
</Interface>
|
|
<Management address="0.0.0.0">
|
|
<SNMPManagement enabled="False" snmp_read_community="" snmp_write_community=""/>
|
|
<FWBDManagement enabled="False" identity="" port="-1"/>
|
|
<PolicyInstallScript arguments="" command="" enabled="False"/>
|
|
</Management>
|
|
<HostOptions/>
|
|
</Host>
|
|
<Host id="id42750X3791" name="ipv4-ipv6-host-1" comment="" ro="False">
|
|
<Interface id="id42752X3791" dedicated_failover="False" dyn="False" label="" security_level="0" unnum="False" unprotected="False" name="eth0" comment="" ro="False">
|
|
<IPv4 id="id42753X3791" name="ipv4-ipv6-host-1:eth0:ip" comment="" ro="False" address="192.168.1.1" netmask="255.255.255.0"/>
|
|
<InterfaceOptions/>
|
|
</Interface>
|
|
<Interface id="id100840X3791" dedicated_failover="False" dyn="False" label="" security_level="0" unnum="False" unprotected="False" name="eth1" comment="" ro="False">
|
|
<IPv6 id="id158924X3791" name="ipv4-ipv6-host-1:eth1:ipv6" comment="" ro="False" address="e80::21d:9ff:fe8b:8e94" netmask="64"/>
|
|
<InterfaceOptions/>
|
|
</Interface>
|
|
<Management address="0.0.0.0">
|
|
<SNMPManagement enabled="False" snmp_read_community="" snmp_write_community=""/>
|
|
<FWBDManagement enabled="False" identity="" port="-1"/>
|
|
<PolicyInstallScript arguments="" command="" enabled="False"/>
|
|
</Management>
|
|
<HostOptions/>
|
|
</Host>
|
|
</ObjectGroup>
|
|
<ObjectGroup id="stdid03_1" name="Networks" comment="" ro="False">
|
|
<Network id="net-Internal_net" name="Internal_net" comment="" ro="False" address="192.168.1.0" netmask="255.255.255.0"/>
|
|
<Network id="id3B022266" name="dmz_net" comment="DMZ net - using NAT " ro="False" address="192.168.2.0" netmask="255.255.255.0"/>
|
|
<Network id="id3B665641" name="external_net" comment="" ro="False" address="22.22.22.0" netmask="255.255.255.0"/>
|
|
<Network id="id3B665643" name="foreign_net" comment="" ro="False" address="33.33.33.0" netmask="255.255.255.0"/>
|
|
<Network id="id3CEBFCAE" name="n-222.222.222.0" comment="" ro="False" address="222.222.222.0" netmask="255.255.255.0"/>
|
|
<Network id="id3CEBFDFC" name="n-192.168.1.0" comment="" ro="False" address="192.168.1.0" netmask="255.255.255.0"/>
|
|
<Network id="id3DE71E90" name="fw14-dmz" comment="" ro="False" address="22.22.23.128" netmask="255.255.255.128"/>
|
|
<Network id="id3EFBCCBA" name="ppp-net" comment="" ro="False" address="10.1.1.0" netmask="255.255.255.0"/>
|
|
<Network id="id43913DEA25682" name="Internal_net_t" comment="" ro="False" address="192.168.1.0" netmask="255.255.255.0"/>
|
|
<Network id="id4733FFE419714" name="n-192.168.2.0" comment="" ro="False" address="192.168.2.0" netmask="255.255.255.0"/>
|
|
<NetworkIPv6 id="id4834B9206131" name="net-fe80" comment="" ro="False" address="fe80::" netmask="64"/>
|
|
<NetworkIPv6 id="id48416A7016880" name="DIGITAL-CA-DEC" comment="" ro="False" address="3ffe:1200:2000::" netmask="36"/>
|
|
<NetworkIPv6 id="id48416A7316880" name="HEXAGO-V6-NET1" comment="" ro="False" address="2001:5c0::" netmask="32"/>
|
|
<Network id="id86213X27543" name="net-err" comment="It should be impossible to create a network object with netmask 0.0.0.0 in the GUI; this object was created manually and is used to test the compiler check for this kind of misconfigured object" ro="False" address="1.2.3.0" netmask="0.0.0.0"/>
|
|
<Network id="id86936X27543" name="net-1.1.1" comment="" ro="False" address="1.1.1.0" netmask="255.255.255.0"/>
|
|
<NetworkIPv6 id="id40507X82687" name="3ffff:ffff::/32" comment="" ro="False" address="3fff:ffff::" netmask="32"/>
|
|
<NetworkIPv6 id="id40508X82687" name="2001:db8::/32" comment="" ro="False" address="2001:db8::" netmask="32"/>
|
|
<NetworkIPv6 id="id169012X82687" name="3ffff:ffff::/16" comment="" ro="False" address="3fff:ffff::" netmask="16"/>
|
|
<Network id="id45876X95438" name="net-10.3.14.0/24" comment="Imported from &quot;c3620&quot; 10.3.14.0/255.255.255.0" ro="False" address="10.3.14.0" netmask="255.255.255.0"/>
|
|
<NetworkIPv6 id="id46155X95438" name="ipv6 net fe80::/64" comment="" ro="False" address="fe80::" netmask="64"/>
|
|
<Network id="id1380862X2261" name="net-33 24/255.255.255.248" comment="" ro="False" address="33.33.33.24" netmask="255.255.255.248"/>
|
|
<Network id="id55211X40565" name="lan_192.168.101" comment="" ro="False" address="192.168.101.0" netmask="255.255.255.0"/>
|
|
<Network id="id55231X40565" name="lan_192.168.102" comment="" ro="False" address="192.168.102.0" netmask="255.255.255.0"/>
|
|
<Network id="id55251X40565" name="lan_192.168.111" comment="" ro="False" address="192.168.111.0" netmask="255.255.255.0"/>
|
|
<Network id="id55271X40565" name="lan_192.168.211" comment="" ro="False" address="192.168.211.0" netmask="255.255.255.0"/>
|
|
<Network id="id55291X40565" name="lan_192.168.212" comment="" ro="False" address="192.168.212.0" netmask="255.255.255.0"/>
|
|
</ObjectGroup>
|
|
<ObjectGroup id="stdid15_1" name="Address Ranges" comment="" ro="False">
|
|
<AddressRange id="id3CD8769F" name="test_range_1" comment="" ro="False" start_address="192.168.1.11" end_address="192.168.1.15"/>
|
|
<AddressRange id="id3CEBFF26" name="r-192.168.1.0" comment="" ro="False" start_address="192.168.1.10" end_address="192.168.1.100"/>
|
|
<AddressRange id="id3CEBFF28" name="r-222.222.222.0" comment="" ro="False" start_address="222.222.222.10" end_address="222.222.222.100"/>
|
|
<AddressRange id="id3EF40DD0" name="range 255" comment="c" ro="False" start_address="255.255.255.255" end_address="255.255.255.255"/>
|
|
<AddressRange id="id3F6D17F4" name="broadcast" comment="" ro="False" start_address="255.255.255.255" end_address="255.255.255.255"/>
|
|
<AddressRange id="id40D153ED" name="old broadcast" comment="" ro="False" start_address="0.0.0.0" end_address="0.0.0.0"/>
|
|
<AddressRange id="id4368AD8615884" name="ext_range" comment="" ro="False" start_address="22.22.22.100" end_address="22.22.22.110"/>
|
|
<AddressRange id="id42386X35957" name="r-192.168.1.0-include-fw" comment="this range includes the address of the interface of firewall2" ro="False" start_address="192.168.1.1" end_address="192.168.1.100"/>
|
|
<AddressRange id="id504951X83572" name="range 33 1-3" comment="" ro="False" start_address="33.33.33.1" end_address="33.33.33.3"/>
|
|
<AddressRange id="id528432X83572" name="range 33 30-33" comment="" ro="False" start_address="33.33.33.30" end_address="33.33.33.33"/>
|
|
<AddressRange id="id528565X83572" name="range 33 1-33" comment="" ro="False" start_address="33.33.33.1" end_address="33.33.33.33"/>
|
|
</ObjectGroup>
|
|
</ObjectGroup>
|
|
<ServiceGroup id="stdid05_1" name="Services" comment="" ro="False">
|
|
<ServiceGroup id="stdid05_1_userservices" name="Users" comment="" ro="False">
|
|
<UserService id="id4849253720246" name="user500" comment="" ro="False" userid="500"/>
|
|
<UserService id="id4849253820246" name="user2000" comment="" ro="False" userid="2000"/>
|
|
</ServiceGroup>
|
|
<ServiceGroup id="stdid05_1_og_tag_1" name="TagServices" comment="" ro="False">
|
|
<TagService id="id43EC877332486" tagcode="16" name="tag16" comment="" ro="False"/>
|
|
<TagService id="id449328D824380" tagcode="1" name="Tag1" comment="" ro="False"/>
|
|
<TagService id="id449328D924380" tagcode="2" name="Tag2" comment="" ro="False"/>
|
|
<TagService id="id365999" tagcode="8" name="Tag 8" comment="Automatically created for firewall37-1 rule 8" ro="False"/>
|
|
<TagService id="id366232" tagcode="9" name="Tag 9" comment="Automatically created for firewall37-1 rule 9" ro="False"/>
|
|
<TagService id="id342984" tagcode="10" name="Tag 10" comment="Automatically created for firewall37 rule 8" ro="False"/>
|
|
<TagService id="id37422X26379" tagcode="0" name="Tag0" comment="" ro="False"/>
|
|
</ServiceGroup>
|
|
<ServiceGroup id="stdid10_1" name="Groups" comment="" ro="False">
|
|
<ServiceGroup id="id3B457567" name="svcgroup1" comment="" ro="False">
|
|
<ServiceRef ref="id3B457561"/>
|
|
<ServiceRef ref="ip-IPSEC"/>
|
|
</ServiceGroup>
|
|
<ServiceGroup id="id3C1A66C9" name="large group TCP" comment="" ro="False">
|
|
<ServiceRef ref="id3B20468D"/>
|
|
<ServiceRef ref="tcp-IRC"/>
|
|
<ServiceRef ref="id3B5009F7"/>
|
|
<ServiceRef ref="tcp-Auth"/>
|
|
<ServiceRef ref="tcp-DNS_zone_transf"/>
|
|
<ServiceRef ref="tcp-FTP"/>
|
|
<ServiceRef ref="tcp-HTTP"/>
|
|
<ServiceRef ref="tcp-NNTP"/>
|
|
<ServiceRef ref="tcp-SMTP"/>
|
|
<ServiceRef ref="tcp-SSH"/>
|
|
<ServiceRef ref="tcp-Telnet"/>
|
|
<ServiceRef ref="tcp-uucp"/>
|
|
<ServiceRef ref="id3C1A66EF"/>
|
|
<ServiceRef ref="id3AEDBE6E"/>
|
|
<ServiceRef ref="id3B4FEDA3"/>
|
|
<ServiceRef ref="id3B4FED69"/>
|
|
<ServiceRef ref="id3AECF776"/>
|
|
<ServiceRef ref="id3B4FED9F"/>
|
|
<ServiceRef ref="id3B4FF13C"/>
|
|
<ServiceRef ref="id3B4FEE21"/>
|
|
<ServiceRef ref="id3B4FEE23"/>
|
|
<ServiceRef ref="id3AECF778"/>
|
|
<ServiceRef ref="id3B4FF000"/>
|
|
<ServiceRef ref="id3B4FEEEE"/>
|
|
<ServiceRef ref="id3B4FEE7A"/>
|
|
<ServiceRef ref="id3B4FEE1D"/>
|
|
<ServiceRef ref="id3B4FF0EA"/>
|
|
<ServiceRef ref="id3AECF782"/>
|
|
<ServiceRef ref="id3B4FEF7C"/>
|
|
<ServiceRef ref="id3AECF77A"/>
|
|
<ServiceRef ref="id3AECF77C"/>
|
|
<ServiceRef ref="id3AECF77E"/>
|
|
<ServiceRef ref="id3B4FEF34"/>
|
|
<ServiceRef ref="id3B4FF04C"/>
|
|
<ServiceRef ref="id3B4FEE76"/>
|
|
<ServiceRef ref="id3AEDBE00"/>
|
|
<ServiceRef ref="id3B4FF1B8"/>
|
|
</ServiceGroup>
|
|
<ServiceGroup id="id3CD878C8" name="small group TCP" comment="" ro="False">
|
|
<ServiceRef ref="tcp-Auth"/>
|
|
<ServiceRef ref="tcp-HTTP"/>
|
|
<ServiceRef ref="tcp-SMTP"/>
|
|
<ServiceRef ref="tcp-SSH"/>
|
|
<ServiceRef ref="tcp-uucp"/>
|
|
<ServiceRef ref="id3B4FED69"/>
|
|
<ServiceRef ref="id3AECF776"/>
|
|
</ServiceGroup>
|
|
<ServiceGroup id="id3D34B32B" name="grp-custom-1" comment="" ro="False">
|
|
<ServiceRef ref="id3D34B329"/>
|
|
<ServiceRef ref="id3D34B32A"/>
|
|
</ServiceGroup>
|
|
<ServiceGroup id="id3D4DE626" name="combined_srv" comment="combined group of services" ro="False">
|
|
<ServiceRef ref="id3B20468D"/>
|
|
<ServiceRef ref="udp-DNS"/>
|
|
<ServiceRef ref="udp-SNMP"/>
|
|
<ServiceRef ref="tcp-Auth"/>
|
|
</ServiceGroup>
|
|
<ServiceGroup id="id3DE689FF" name="empty Sgroup" comment="" ro="False"/>
|
|
<ServiceGroup id="id3E1FDDBB" name="special combined srv" comment="" ro="False">
|
|
<ServiceRef ref="udp-All_UDP"/>
|
|
<ServiceRef ref="sg-DHCP"/>
|
|
</ServiceGroup>
|
|
<ServiceGroup id="id4067B2CD" name="simpleGroup" comment="" ro="False">
|
|
<ServiceRef ref="id3B5009F7"/>
|
|
<ServiceRef ref="id3DDDE4E4"/>
|
|
</ServiceGroup>
|
|
<ServiceGroup id="id41D0F023" name="group of 16 TCP services" comment="" ro="False">
|
|
<ServiceRef ref="id3B20468D"/>
|
|
<ServiceRef ref="tcp-IRC"/>
|
|
<ServiceRef ref="id3B5009F7"/>
|
|
<ServiceRef ref="tcp-Auth"/>
|
|
<ServiceRef ref="tcp-DNS_zone_transf"/>
|
|
<ServiceRef ref="tcp-FTP"/>
|
|
<ServiceRef ref="tcp-HTTP"/>
|
|
<ServiceRef ref="tcp-NNTP"/>
|
|
<ServiceRef ref="tcp-SMTP"/>
|
|
<ServiceRef ref="tcp-SSH"/>
|
|
<ServiceRef ref="tcp-Telnet"/>
|
|
<ServiceRef ref="tcp-uucp"/>
|
|
<ServiceRef ref="id3C1A66EF"/>
|
|
<ServiceRef ref="id3AEDBE6E"/>
|
|
<ServiceRef ref="id3B4FEDA3"/>
|
|
<ServiceRef ref="id3B4FED69"/>
|
|
</ServiceGroup>
|
|
<ServiceGroup id="id38142X1137" name="user service group" comment="" ro="False">
|
|
<ServiceRef ref="id4849253720246"/>
|
|
<ServiceRef ref="id4849253820246"/>
|
|
</ServiceGroup>
|
|
</ServiceGroup>
|
|
<ServiceGroup id="stdid07_1" name="ICMP" comment="" ro="False">
|
|
<ICMPService id="id3C1A5D46" code="-1" type="-1" name="any ICMP" comment="" ro="False"/>
|
|
</ServiceGroup>
|
|
<ServiceGroup id="stdid06_1" name="IP" comment="" ro="False">
|
|
<IPService id="id3B457561" fragm="False" lsrr="False" protocol_num="1" rr="False" short_fragm="False" ssrr="False" ts="False" name="ICMP" comment="" ro="False"/>
|
|
<IPService id="id3B6659A5" fragm="False" lsrr="False" protocol_num="0" rr="False" short_fragm="False" ssrr="False" ts="True" name="TS" comment="" ro="False"/>
|
|
<IPService id="id3F3E9EFC" fragm="False" lsrr="False" protocol_num="88" rr="False" short_fragm="False" ssrr="False" ts="False" name="EIGRP" comment="" ro="False"/>
|
|
<IPService id="id419D6869" fragm="False" lsrr="False" protocol_num="0" rr="False" short_fragm="False" ssrr="False" ts="False" name="any protocol" comment="" ro="False"/>
|
|
<IPService id="idAF4D18769" dscp="" fragm="False" lsrr="False" protocol_num="0" rr="False" short_fragm="False" ssrr="False" tos="0x20" ts="False" name="tos 0x20" comment="" ro="False"/>
|
|
<IPService id="idAF4E18769" dscp="0x20" fragm="False" lsrr="False" protocol_num="0" rr="False" short_fragm="False" ssrr="False" tos="" ts="False" name="dscp 0x20" comment="" ro="False"/>
|
|
<IPService id="idAF4F18769" dscp="BE" fragm="False" lsrr="False" protocol_num="0" rr="False" short_fragm="False" ssrr="False" tos="" ts="False" name="dscp BE" comment="" ro="False"/>
|
|
<IPService id="id45790X95438" fragm="True" protocol_num="0" name="ip-0 fragm" comment="Imported from &quot;c3620&quot; protocol 0" ro="False"/>
|
|
<IPService id="id49136X22476" any_opt="True" dscp="" fragm="False" lsrr="False" protocol_num="0" rr="False" rtralt="False" short_fragm="False" ssrr="False" tos="" ts="False" name="any ip opt" comment="" ro="False"/>
|
|
<IPService id="id49146X15005" any_opt="False" dscp="AF4" fragm="False" lsrr="True" protocol_num="0" rr="False" rtralt="True" rtralt_value="0" short_fragm="False" ssrr="False" tos="" ts="False" name="ip options plus DSCP" comment="" ro="False"/>
|
|
<IPService id="id654834X7324" any_opt="False" dscp="" fragm="False" lsrr="False" protocol_num="89" rr="False" rtralt="False" short_fragm="False" ssrr="False" tos="" ts="False" name="OSPF" comment="" ro="False"/>
|
|
<IPService id="id1825835X7324" any_opt="False" dscp="" fragm="False" lsrr="False" protocol_num="0" rr="False" rtralt="False" short_fragm="False" ssrr="False" tos="" ts="False" name="IP Service" comment="" ro="False"/>
|
|
</ServiceGroup>
|
|
<ServiceGroup id="stdid09_1" name="TCP" comment="" ro="False">
|
|
<TCPService id="id3C1A66EF" ack_flag="False" ack_flag_mask="False" fin_flag="False" fin_flag_mask="False" psh_flag="False" psh_flag_mask="False" rst_flag="False" rst_flag_mask="False" syn_flag="False" syn_flag_mask="False" urg_flag="False" urg_flag_mask="False" name="gopher" comment="" ro="False" src_range_start="0" src_range_end="0" dst_range_start="70" dst_range_end="70"/>
|
|
<TCPService id="tcp-IRC" ack_flag="False" ack_flag_mask="False" fin_flag="False" fin_flag_mask="False" psh_flag="False" psh_flag_mask="False" rst_flag="False" rst_flag_mask="False" syn_flag="False" syn_flag_mask="False" urg_flag="False" urg_flag_mask="False" name="irc" comment="" ro="False" src_range_start="0" src_range_end="0" dst_range_start="6667" dst_range_end="6667"/>
|
|
<TCPService id="id3B5009F7" ack_flag="False" ack_flag_mask="False" fin_flag="False" fin_flag_mask="False" psh_flag="False" psh_flag_mask="False" rst_flag="False" rst_flag_mask="False" syn_flag="False" syn_flag_mask="False" urg_flag="False" urg_flag_mask="False" name="squid" comment="" ro="False" src_range_start="0" src_range_end="0" dst_range_start="3128" dst_range_end="3128"/>
|
|
<TCPService id="id3CE71594" ack_flag="False" ack_flag_mask="False" fin_flag="False" fin_flag_mask="False" psh_flag="False" psh_flag_mask="False" rst_flag="False" rst_flag_mask="False" syn_flag="False" syn_flag_mask="False" urg_flag="False" urg_flag_mask="False" name="tcp-big-src-range" comment="" ro="False" src_range_start="1024" src_range_end="65535" dst_range_start="80" dst_range_end="80"/>
<TCPService id="id3CE719F3" ack_flag="False" ack_flag_mask="False" fin_flag="False" fin_flag_mask="False" psh_flag="False" psh_flag_mask="False" rst_flag="False" rst_flag_mask="False" syn_flag="False" syn_flag_mask="False" urg_flag="False" urg_flag_mask="False" name="tcp-dst-range" comment="" ro="False" src_range_start="0" src_range_end="0" dst_range_start="4000" dst_range_end="4010"/>
<TCPService id="id3D330B17" ack_flag="False" ack_flag_mask="False" fin_flag="False" fin_flag_mask="False" psh_flag="False" psh_flag_mask="False" rst_flag="False" rst_flag_mask="False" syn_flag="False" syn_flag_mask="False" urg_flag="False" urg_flag_mask="False" name="tcp-dst-range-2" comment="" ro="False" src_range_start="5000" src_range_end="5000" dst_range_start="5000" dst_range_end="5010"/>
<TCPService id="id3CE717A0" ack_flag="False" ack_flag_mask="False" fin_flag="False" fin_flag_mask="False" psh_flag="False" psh_flag_mask="False" rst_flag="False" rst_flag_mask="False" syn_flag="False" syn_flag_mask="False" urg_flag="False" urg_flag_mask="False" name="tcp-src-53" comment="" ro="False" src_range_start="53" src_range_end="53" dst_range_start="0" dst_range_end="0"/>
<TCPService id="id3CE719F5" ack_flag="False" ack_flag_mask="False" fin_flag="False" fin_flag_mask="False" psh_flag="False" psh_flag_mask="False" rst_flag="False" rst_flag_mask="False" syn_flag="False" syn_flag_mask="False" urg_flag="False" urg_flag_mask="False" name="tcp-src-range" comment="" ro="False" src_range_start="1000" src_range_end="1010" dst_range_start="0" dst_range_end="0"/>
<TCPService id="id3B20468D" ack_flag="False" ack_flag_mask="False" fin_flag="False" fin_flag_mask="False" psh_flag="False" psh_flag_mask="False" rst_flag="False" rst_flag_mask="False" syn_flag="False" syn_flag_mask="False" urg_flag="False" urg_flag_mask="False" name="test-TCP" comment="port range" ro="False" src_range_start="0" src_range_end="0" dst_range_start="10000" dst_range_end="11000"/>
<TCPService id="id3D330B16" ack_flag="False" ack_flag_mask="False" fin_flag="False" fin_flag_mask="False" psh_flag="False" psh_flag_mask="False" rst_flag="False" rst_flag_mask="False" syn_flag="False" syn_flag_mask="False" urg_flag="False" urg_flag_mask="False" name="test-TCP-2" comment="" ro="False" src_range_start="9000" src_range_end="9000" dst_range_start="0" dst_range_end="0"/>
<TCPService id="id3B58E3F1" ack_flag="True" ack_flag_mask="True" fin_flag="True" fin_flag_mask="True" psh_flag="False" psh_flag_mask="True" rst_flag="True" rst_flag_mask="True" syn_flag="True" syn_flag_mask="True" urg_flag="False" urg_flag_mask="True" name="xmas-tree" comment="" ro="False" src_range_start="0" src_range_end="0" dst_range_start="0" dst_range_end="0"/>
<TCPService id="id3DDDE4E4" ack_flag="False" ack_flag_mask="False" fin_flag="False" fin_flag_mask="False" psh_flag="False" psh_flag_mask="False" rst_flag="False" rst_flag_mask="False" syn_flag="False" syn_flag_mask="False" urg_flag="False" urg_flag_mask="False" name="tcp-8080" comment="" ro="False" src_range_start="0" src_range_end="0" dst_range_start="8080" dst_range_end="8080"/>
<TCPService id="id3E3747AF" ack_flag="False" ack_flag_mask="True" fin_flag="False" fin_flag_mask="True" psh_flag="False" psh_flag_mask="True" rst_flag="False" rst_flag_mask="True" syn_flag="False" syn_flag_mask="True" urg_flag="False" urg_flag_mask="True" name="TCP no flags" comment="" ro="False" src_range_start="0" src_range_end="0" dst_range_start="0" dst_range_end="0"/>
<TCPService id="id40038E79" ack_flag="False" ack_flag_mask="True" fin_flag="False" fin_flag_mask="True" psh_flag="False" psh_flag_mask="True" rst_flag="False" rst_flag_mask="True" syn_flag="True" syn_flag_mask="True" urg_flag="False" urg_flag_mask="True" name="new AIM connection" comment="TCP packet with dest. port 5190 (AIM) and SYN flag set. This is the opening of a new AIM session" ro="False" src_range_start="0" src_range_end="0" dst_range_start="5190" dst_range_end="5190"/>
<TCPService id="id459E36F110170" ack_flag="True" ack_flag_mask="True" fin_flag="False" fin_flag_mask="True" psh_flag="False" psh_flag_mask="True" rst_flag="False" rst_flag_mask="True" syn_flag="False" syn_flag_mask="True" urg_flag="False" urg_flag_mask="True" name="ack" comment="" ro="False" src_range_start="0" src_range_end="0" dst_range_start="0" dst_range_end="0"/>
<TCPService id="id45821X95438" ack_flag="False" ack_flag_mask="False" established="False" fin_flag="False" fin_flag_mask="False" psh_flag="False" psh_flag_mask="False" rst_flag="False" rst_flag_mask="False" syn_flag="False" syn_flag_mask="False" urg_flag="False" urg_flag_mask="False" name="tcp 0-0:22-22" comment="Imported from &quot;c3620&quot; 0-0:22-22" ro="False" src_range_start="0" src_range_end="0" dst_range_start="22" dst_range_end="22"/>
<TCPService id="id46355X95438" ack_flag="False" ack_flag_mask="False" established="False" fin_flag="False" fin_flag_mask="False" psh_flag="False" psh_flag_mask="False" rst_flag="False" rst_flag_mask="False" syn_flag="True" syn_flag_mask="True" urg_flag="False" urg_flag_mask="False" name="New TCP Service 1" comment="" ro="False" src_range_start="0" src_range_end="0" dst_range_start="1" dst_range_end="1"/>
<TCPService id="id69385X25753" ack_flag="False" ack_flag_mask="False" established="False" fin_flag="False" fin_flag_mask="False" psh_flag="False" psh_flag_mask="False" rst_flag="False" rst_flag_mask="False" syn_flag="False" syn_flag_mask="False" urg_flag="False" urg_flag_mask="False" name="ports 3050-3051" comment="" ro="False" src_range_start="0" src_range_end="0" dst_range_start="3050" dst_range_end="3051"/>
<TCPService id="id69386X25753" ack_flag="False" ack_flag_mask="False" established="False" fin_flag="False" fin_flag_mask="False" psh_flag="False" psh_flag_mask="False" rst_flag="False" rst_flag_mask="False" syn_flag="False" syn_flag_mask="False" urg_flag="False" urg_flag_mask="False" name="port 700" comment="" ro="False" src_range_start="0" src_range_end="0" dst_range_start="700" dst_range_end="700"/>
<TCPService id="id1195021X6573" ack_flag="False" ack_flag_mask="False" established="False" fin_flag="False" fin_flag_mask="False" psh_flag="False" psh_flag_mask="False" rst_flag="False" rst_flag_mask="False" syn_flag="False" syn_flag_mask="False" urg_flag="False" urg_flag_mask="False" name="tcp-9040" comment="" ro="False" src_range_start="0" src_range_end="0" dst_range_start="9040" dst_range_end="9040"/>
<TCPService id="id553876X13518" ack_flag="False" ack_flag_mask="False" established="False" fin_flag="False" fin_flag_mask="False" psh_flag="False" psh_flag_mask="False" rst_flag="False" rst_flag_mask="False" syn_flag="False" syn_flag_mask="False" urg_flag="False" urg_flag_mask="False" name="tcp-3996-4000" comment="" ro="False" src_range_start="0" src_range_end="0" dst_range_start="3996" dst_range_end="4000"/>
</ServiceGroup>
<ServiceGroup id="stdid08_1" name="UDP" comment="" ro="False">
<UDPService id="id3ED59BF0" name="udp-src-6767" comment="" ro="False" src_range_start="6767" src_range_end="6767" dst_range_start="0" dst_range_end="0"/>
<UDPService id="id3ED59BF1" name="udp-src-67" comment="" ro="False" src_range_start="67" src_range_end="67" dst_range_start="0" dst_range_end="0"/>
<UDPService id="id46447X95438" name="sport123" comment="" ro="False" src_range_start="123" src_range_end="123" dst_range_start="0" dst_range_end="0"/>
<UDPService id="id46457X95438" name="sport5050" comment="" ro="False" src_range_start="5050" src_range_end="5050" dst_range_start="0" dst_range_end="0"/>
<UDPService id="id46482X95438" name="dport53" comment="" ro="False" src_range_start="0" src_range_end="0" dst_range_start="53" dst_range_end="53"/>
<UDPService id="id46492X95438" name="dport1053" comment="" ro="False" src_range_start="0" src_range_end="0" dst_range_start="1053" dst_range_end="1053"/>
<UDPService id="id46617X95438" name="sdport53" comment="" ro="False" src_range_start="1024" src_range_end="65535" dst_range_start="53" dst_range_end="53"/>
<UDPService id="id46627X95438" name="sdport1053" comment="" ro="False" src_range_start="32767" src_range_end="65535" dst_range_start="1053" dst_range_end="1053"/>
</ServiceGroup>
<ServiceGroup id="stdid13_1" name="Custom" comment="" ro="False">
<CustomService id="id3B64FE22" name="talk" comment="Talk support" ro="False" protocol="any" address_family="ipv4">
<CustomServiceCommand platform="Undefined"/>
<CustomServiceCommand platform="fwsm"/>
<CustomServiceCommand platform="iosacl"/>
<CustomServiceCommand platform="ipf"/>
<CustomServiceCommand platform="ipfilter"/>
<CustomServiceCommand platform="ipfw"/>
<CustomServiceCommand platform="iptables">-m ip_conntrack_talk -m ip_nat_talk</CustomServiceCommand>
<CustomServiceCommand platform="pf"/>
<CustomServiceCommand platform="pix"/>
<CustomServiceCommand platform="unknown"/>
</CustomService>
<CustomService id="id3D34B329" name="test-custom-1" comment="" ro="False" protocol="any" address_family="ipv4">
<CustomServiceCommand platform="fwsm"/>
<CustomServiceCommand platform="iosacl"/>
<CustomServiceCommand platform="ipf"/>
<CustomServiceCommand platform="ipfw"/>
<CustomServiceCommand platform="iptables">-p tcp -m state --state ESTABLISHED --tcp-flags SYN,ACK,RST,URG ACK</CustomServiceCommand>
<CustomServiceCommand platform="pf"/>
<CustomServiceCommand platform="pix"/>
<CustomServiceCommand platform="unknown"/>
</CustomService>
<CustomService id="id3D34B32A" name="test-custom-2" comment="" ro="False" protocol="any" address_family="ipv4">
<CustomServiceCommand platform="fwsm"/>
<CustomServiceCommand platform="iosacl"/>
<CustomServiceCommand platform="ipf"/>
<CustomServiceCommand platform="ipfw"/>
<CustomServiceCommand platform="iptables">-p tcp -m state --state ESTABLISHED --tcp-flags SYN,FIN,RST,URG,PSH RST</CustomServiceCommand>
<CustomServiceCommand platform="pf"/>
<CustomServiceCommand platform="pix"/>
<CustomServiceCommand platform="unknown"/>
</CustomService>
<CustomService id="id3FADE3CC" name="string" comment="" ro="False" protocol="any" address_family="ipv4">
<CustomServiceCommand platform="fwsm"/>
<CustomServiceCommand platform="iosacl"/>
<CustomServiceCommand platform="ipf">-m string --string test_pattern</CustomServiceCommand>
<CustomServiceCommand platform="ipfw"/>
<CustomServiceCommand platform="iptables">-m string --string test_pattern</CustomServiceCommand>
<CustomServiceCommand platform="pf"/>
<CustomServiceCommand platform="pix"/>
<CustomServiceCommand platform="unknown"/>
</CustomService>
<CustomService id="id4003B1AC" name="old AIM session" comment="" ro="False" protocol="any" address_family="ipv4">
<CustomServiceCommand platform="fwsm"/>
<CustomServiceCommand platform="iosacl"/>
<CustomServiceCommand platform="ipf"/>
<CustomServiceCommand platform="ipfw"/>
<CustomServiceCommand platform="iptables">-p tcp ! --syn -dport 5190 -m state --state NEW</CustomServiceCommand>
<CustomServiceCommand platform="pf"/>
<CustomServiceCommand platform="pix"/>
<CustomServiceCommand platform="unknown"/>
</CustomService>
<CustomService id="id45862X16372" name="ipv6 source route" comment="" ro="False" protocol="any" address_family="ipv6">
<CustomServiceCommand platform="fwsm"/>
<CustomServiceCommand platform="iosacl"/>
<CustomServiceCommand platform="ipf"/>
<CustomServiceCommand platform="ipfw"/>
<CustomServiceCommand platform="iptables">-m rt --rt-type 0</CustomServiceCommand>
<CustomServiceCommand platform="pf"/>
<CustomServiceCommand platform="pix"/>
<CustomServiceCommand platform="unknown"/>
</CustomService>
<CustomService id="id45863X16372" name="reject syn-ack" comment="" ro="False" protocol="tcp" address_family="ipv4">
<CustomServiceCommand platform="fwsm"/>
<CustomServiceCommand platform="iosacl"/>
<CustomServiceCommand platform="ipf"/>
<CustomServiceCommand platform="ipfw"/>
<CustomServiceCommand platform="iptables">-m tcp --tcp-flags SYN,ACK SYN,ACK -m state --state NEW</CustomServiceCommand>
<CustomServiceCommand platform="pf"/>
<CustomServiceCommand platform="pix"/>
<CustomServiceCommand platform="unknown"/>
</CustomService>
<CustomService id="id57956X8289" name="owner_anonymous tcp" comment="" ro="False" protocol="tcp" address_family="ipv4">
<CustomServiceCommand platform="fwsm"/>
<CustomServiceCommand platform="iosacl"/>
<CustomServiceCommand platform="ipf"/>
<CustomServiceCommand platform="ipfw"/>
<CustomServiceCommand platform="iptables">-m owner --uid-owner anonymous</CustomServiceCommand>
<CustomServiceCommand platform="pf"/>
<CustomServiceCommand platform="pix"/>
<CustomServiceCommand platform="procurve_acl"/>
<CustomServiceCommand platform="unknown"/>
</CustomService>
<CustomService id="id248805X9517" name="owner_anonymous udp" comment="" ro="False" protocol="udp" address_family="ipv4">
<CustomServiceCommand platform="fwsm"/>
<CustomServiceCommand platform="iosacl"/>
<CustomServiceCommand platform="ipf"/>
<CustomServiceCommand platform="ipfw"/>
<CustomServiceCommand platform="iptables">-m owner --uid-owner anonymous</CustomServiceCommand>
<CustomServiceCommand platform="pf"/>
<CustomServiceCommand platform="pix"/>
<CustomServiceCommand platform="procurve_acl"/>
<CustomServiceCommand platform="unknown"/>
</CustomService>
<CustomService id="id631131X9517" name="owner_anonymous" comment="" ro="False" protocol="any" address_family="ipv4">
<CustomServiceCommand platform="fwsm"/>
<CustomServiceCommand platform="iosacl"/>
<CustomServiceCommand platform="ipf"/>
<CustomServiceCommand platform="ipfw"/>
<CustomServiceCommand platform="iptables">-m owner --uid-owner anonymous</CustomServiceCommand>
<CustomServiceCommand platform="pf"/>
<CustomServiceCommand platform="pix"/>
<CustomServiceCommand platform="procurve_acl"/>
<CustomServiceCommand platform="unknown"/>
</CustomService>
</ServiceGroup>
</ServiceGroup>
<ObjectGroup id="stdid12_1" name="Firewalls" comment="" ro="False">
<Firewall id="fw-firewall2" host_OS="linux24" inactive="False" lastCompiled="1272403934" lastInstalled="1142003872" lastModified="1298874071" platform="iptables" version="" name="firewall" comment="This is a simple firewall with two interfaces. Tests regular policy rules, including the IP_fragments rule" ro="False">
<NAT id="nat-firewall2" name="NAT" comment="" ro="False" ipv4_rule_set="False" ipv6_rule_set="False" top_rule_set="True">
<NATRule id="nat-firewall2-0" disabled="False" group="" position="0" action="Translate" comment="">
<OSrc neg="False">
<ObjectRef ref="net-Internal_net"/>
</OSrc>
<ODst neg="False">
<ObjectRef ref="sysid0"/>
</ODst>
<OSrv neg="False">
<ServiceRef ref="sysid1"/>
</OSrv>
<TSrc neg="False">
<ObjectRef ref="fw-firewall2"/>
</TSrc>
<TDst neg="False">
<ObjectRef ref="sysid0"/>
</TDst>
<TSrv neg="False">
<ServiceRef ref="sysid1"/>
</TSrv>
<ItfInb neg="False">
<ObjectRef ref="sysid0"/>
</ItfInb>
<ItfOutb neg="False">
<ObjectRef ref="sysid0"/>
</ItfOutb>
<NATRuleOptions/>
</NATRule>
<NATRule id="id3CEBFE6E" disabled="False" group="" position="1" action="Translate" comment="">
<OSrc neg="False">
<ObjectRef ref="id3CEBFDFC"/>
</OSrc>
<ODst neg="False">
<ObjectRef ref="sysid0"/>
</ODst>
<OSrv neg="False">
<ServiceRef ref="sysid1"/>
</OSrv>
<TSrc neg="False">
<ObjectRef ref="id3CEBFCAE"/>
</TSrc>
<TDst neg="False">
<ObjectRef ref="sysid0"/>
</TDst>
<TSrv neg="False">
<ServiceRef ref="sysid1"/>
</TSrv>
<ItfInb neg="False">
<ObjectRef ref="sysid0"/>
</ItfInb>
<ItfOutb neg="False">
<ObjectRef ref="sysid0"/>
</ItfOutb>
<NATRuleOptions/>
</NATRule>
<NATRule id="id3CEBFFA8" disabled="False" group="" position="2" action="Translate" comment="">
<OSrc neg="False">
<ObjectRef ref="id3CEBFF26"/>
</OSrc>
<ODst neg="False">
<ObjectRef ref="sysid0"/>
</ODst>
<OSrv neg="False">
<ServiceRef ref="sysid1"/>
</OSrv>
<TSrc neg="False">
<ObjectRef ref="id3CEBFF28"/>
</TSrc>
<TDst neg="False">
<ObjectRef ref="sysid0"/>
</TDst>
<TSrv neg="False">
<ServiceRef ref="sysid1"/>
</TSrv>
<ItfInb neg="False">
<ObjectRef ref="sysid0"/>
</ItfInb>
<ItfOutb neg="False">
<ObjectRef ref="sysid0"/>
</ItfOutb>
<NATRuleOptions/>
</NATRule>
<NATRule id="id3CECB632" disabled="True" group="" position="3" action="Translate" comment="">
<OSrc neg="False">
<ObjectRef ref="id3CEBFDFC"/>
</OSrc>
<ODst neg="False">
<ObjectRef ref="sysid0"/>
</ODst>
<OSrv neg="False">
<ServiceRef ref="tcp-HTTP"/>
</OSrv>
<TSrc neg="False">
<ObjectRef ref="sysid0"/>
</TSrc>
<TDst neg="False">
<ObjectRef ref="host-hostB"/>
</TDst>
<TSrv neg="False">
<ServiceRef ref="id3B5009F7"/>
</TSrv>
<ItfInb neg="False">
<ObjectRef ref="sysid0"/>
</ItfInb>
<ItfOutb neg="False">
<ObjectRef ref="sysid0"/>
</ItfOutb>
<NATRuleOptions/>
</NATRule>
<NATRule id="id3CECB708" disabled="False" group="" position="4" action="Translate" comment="">
<OSrc neg="False">
<ObjectRef ref="id3CEBFDFC"/>
</OSrc>
<ODst neg="False">
<ObjectRef ref="host-hostB"/>
</ODst>
<OSrv neg="False">
<ServiceRef ref="tcp-HTTP"/>
</OSrv>
<TSrc neg="False">
<ObjectRef ref="id3AFC191C"/>
</TSrc>
<TDst neg="False">
<ObjectRef ref="sysid0"/>
</TDst>
<TSrv neg="False">
<ServiceRef ref="id3B5009F7"/>
</TSrv>
<ItfInb neg="False">
<ObjectRef ref="sysid0"/>
</ItfInb>
<ItfOutb neg="False">
<ObjectRef ref="sysid0"/>
</ItfOutb>
<NATRuleOptions/>
</NATRule>
<NATRule id="id3D20E9DB" disabled="False" group="" position="5" action="Translate" comment="">
<OSrc neg="False">
<ObjectRef ref="sysid0"/>
</OSrc>
<ODst neg="False">
<ObjectRef ref="id3AFADBF9"/>
</ODst>
<OSrv neg="False">
<ServiceRef ref="id3CE719F3"/>
<ServiceRef ref="id3B5009F7"/>
</OSrv>
<TSrc neg="False">
<ObjectRef ref="host-hostA"/>
</TSrc>
<TDst neg="False">
<ObjectRef ref="sysid0"/>
</TDst>
<TSrv neg="False">
<ServiceRef ref="sysid1"/>
</TSrv>
<ItfInb neg="False">
<ObjectRef ref="sysid0"/>
</ItfInb>
<ItfOutb neg="False">
<ObjectRef ref="sysid0"/>
</ItfOutb>
<NATRuleOptions/>
</NATRule>
<NATRule id="nat-firewall2-1" disabled="False" group="" position="6" action="Translate" comment="">
<OSrc neg="False">
<ObjectRef ref="sysid0"/>
</OSrc>
<ODst neg="False">
<ObjectRef ref="fw-firewall2"/>
</ODst>
<OSrv neg="False">
<ServiceRef ref="tcp-SMTP"/>
</OSrv>
<TSrc neg="False">
<ObjectRef ref="sysid0"/>
</TSrc>
<TDst neg="False">
<ObjectRef ref="host-hostA"/>
</TDst>
<TSrv neg="False">
<ServiceRef ref="tcp-SMTP"/>
</TSrv>
<ItfInb neg="False">
<ObjectRef ref="sysid0"/>
</ItfInb>
<ItfOutb neg="False">
<ObjectRef ref="sysid0"/>
</ItfOutb>
<NATRuleOptions/>
</NATRule>
<NATRule id="id3F3BCA90" disabled="False" group="" position="7" action="Translate" comment="">
<OSrc neg="False">
<ObjectRef ref="sysid0"/>
</OSrc>
<ODst neg="False">
<ObjectRef ref="fw-firewall2"/>
</ODst>
<OSrv neg="False">
<ServiceRef ref="icmp-ping_request"/>
</OSrv>
<TSrc neg="False">
<ObjectRef ref="sysid0"/>
</TSrc>
<TDst neg="False">
<ObjectRef ref="host-hostA"/>
</TDst>
<TSrv neg="False">
<ServiceRef ref="sysid1"/>
</TSrv>
<ItfInb neg="False">
<ObjectRef ref="sysid0"/>
</ItfInb>
<ItfOutb neg="False">
<ObjectRef ref="sysid0"/>
</ItfOutb>
<NATRuleOptions/>
</NATRule>
<NATRule id="id3F3BCAD1" disabled="False" group="" position="8" action="Translate" comment="">
<OSrc neg="False">
<ObjectRef ref="sysid0"/>
</OSrc>
<ODst neg="False">
<ObjectRef ref="fw-firewall2"/>
</ODst>
<OSrv neg="False">
<ServiceRef ref="icmp-ping_request"/>
</OSrv>
<TSrc neg="False">
<ObjectRef ref="sysid0"/>
</TSrc>
<TDst neg="False">
<ObjectRef ref="host-hostA"/>
</TDst>
<TSrv neg="False">
<ServiceRef ref="icmp-ping_request"/>
</TSrv>
<ItfInb neg="False">
<ObjectRef ref="sysid0"/>
</ItfInb>
<ItfOutb neg="False">
<ObjectRef ref="sysid0"/>
</ItfOutb>
<NATRuleOptions/>
</NATRule>
<NATRule id="id3CE71A93" disabled="False" group="" position="9" action="Translate" comment="">
<OSrc neg="False">
<ObjectRef ref="sysid0"/>
</OSrc>
<ODst neg="False">
<ObjectRef ref="fw-firewall2"/>
</ODst>
<OSrv neg="False">
<ServiceRef ref="id3CE719F5"/>
</OSrv>
<TSrc neg="False">
<ObjectRef ref="sysid0"/>
</TSrc>
<TDst neg="False">
<ObjectRef ref="host-hostA"/>
</TDst>
<TSrv neg="False">
<ServiceRef ref="id3CE719F5"/>
</TSrv>
<ItfInb neg="False">
<ObjectRef ref="sysid0"/>
</ItfInb>
<ItfOutb neg="False">
<ObjectRef ref="sysid0"/>
</ItfOutb>
<NATRuleOptions/>
</NATRule>
<NATRule id="id3CE71B09" disabled="False" group="" position="10" action="Translate" comment="">
<OSrc neg="False">
<ObjectRef ref="host-hostA"/>
</OSrc>
<ODst neg="False">
<ObjectRef ref="sysid0"/>
</ODst>
<OSrv neg="False">
<ServiceRef ref="id3CE719F5"/>
</OSrv>
<TSrc neg="False">
<ObjectRef ref="fw-firewall2"/>
</TSrc>
<TDst neg="False">
<ObjectRef ref="sysid0"/>
</TDst>
<TSrv neg="False">
<ServiceRef ref="id3CE719F5"/>
</TSrv>
<ItfInb neg="False">
<ObjectRef ref="sysid0"/>
</ItfInb>
<ItfOutb neg="False">
<ObjectRef ref="sysid0"/>
</ItfOutb>
<NATRuleOptions/>
</NATRule>
<NATRule id="id3E0AAAF2" disabled="False" group="" position="11" action="Translate" comment="">
<OSrc neg="False">
<ObjectRef ref="id3BF1B3E2"/>
</OSrc>
<ODst neg="False">
<ObjectRef ref="sysid0"/>
</ODst>
<OSrv neg="False">
<ServiceRef ref="tcp-SMTP"/>
</OSrv>
<TSrc neg="False">
<ObjectRef ref="fw-firewall2"/>
</TSrc>
<TDst neg="False">
<ObjectRef ref="sysid0"/>
</TDst>
<TSrv neg="False">
<ServiceRef ref="sysid1"/>
</TSrv>
<ItfInb neg="False">
<ObjectRef ref="sysid0"/>
</ItfInb>
<ItfOutb neg="False">
<ObjectRef ref="sysid0"/>
</ItfOutb>
<NATRuleOptions/>
</NATRule>
<NATRule id="id3E0AADCD" disabled="False" group="" position="12" action="Translate" comment="">
<OSrc neg="False">
<ObjectRef ref="id3BF1B3E8-pa"/>
</OSrc>
<ODst neg="False">
<ObjectRef ref="id3DECF4EB"/>
</ODst>
<OSrv neg="False">
<ServiceRef ref="tcp-SMTP"/>
</OSrv>
<TSrc neg="False">
<ObjectRef ref="sysid0"/>
</TSrc>
<TDst neg="False">
<ObjectRef ref="host-hostA"/>
</TDst>
<TSrv neg="False">
<ServiceRef ref="sysid1"/>
</TSrv>
<ItfInb neg="False">
<ObjectRef ref="sysid0"/>
</ItfInb>
<ItfOutb neg="False">
<ObjectRef ref="sysid0"/>
</ItfOutb>
<NATRuleOptions/>
</NATRule>
<NATRule id="id3E69B092" disabled="False" group="" position="13" action="Translate" comment="">
<OSrc neg="False">
<ObjectRef ref="id3E0F3FC8"/>
</OSrc>
<ODst neg="False">
<ObjectRef ref="id3DECF4EB"/>
</ODst>
<OSrv neg="False">
<ServiceRef ref="tcp-SMTP"/>
</OSrv>
<TSrc neg="False">
<ObjectRef ref="sysid0"/>
</TSrc>
<TDst neg="False">
<ObjectRef ref="host-hostA"/>
</TDst>
<TSrv neg="False">
<ServiceRef ref="sysid1"/>
</TSrv>
<ItfInb neg="False">
<ObjectRef ref="sysid0"/>
</ItfInb>
<ItfOutb neg="False">
<ObjectRef ref="sysid0"/>
</ItfOutb>
<NATRuleOptions/>
</NATRule>
<NATRule id="id1474949X8688" disabled="False" group="" position="14" action="Translate" comment="should match MAC and IP addresses">
<OSrc neg="False">
<ObjectRef ref="id3DB0B356"/>
</OSrc>
<ODst neg="False">
<ObjectRef ref="fw-firewall2"/>
</ODst>
<OSrv neg="False">
<ServiceRef ref="tcp-HTTP"/>
</OSrv>
<TSrc neg="False">
<ObjectRef ref="sysid0"/>
</TSrc>
<TDst neg="False">
<ObjectRef ref="host-hostA"/>
</TDst>
<TSrv neg="False">
<ServiceRef ref="sysid1"/>
</TSrv>
<ItfInb neg="False">
<ObjectRef ref="sysid0"/>
</ItfInb>
<ItfOutb neg="False">
<ObjectRef ref="sysid0"/>
</ItfOutb>
<NATRuleOptions/>
</NATRule>
<NATRule id="id3310514X8688" disabled="False" group="" position="15" action="Translate" comment="ensure generated rules match different MAC addresses">
<OSrc neg="False">
<ObjectRef ref="id3310453X8688"/>
</OSrc>
<ODst neg="False">
<ObjectRef ref="fw-firewall2"/>
</ODst>
<OSrv neg="False">
<ServiceRef ref="tcp-HTTP"/>
</OSrv>
<TSrc neg="False">
<ObjectRef ref="sysid0"/>
</TSrc>
<TDst neg="False">
<ObjectRef ref="host-hostA"/>
</TDst>
<TSrv neg="False">
<ServiceRef ref="sysid1"/>
</TSrv>
<ItfInb neg="False">
<ObjectRef ref="sysid0"/>
</ItfInb>
<ItfOutb neg="False">
<ObjectRef ref="sysid0"/>
</ItfOutb>
<NATRuleOptions/>
</NATRule>
<NATRule id="id445F52DE31658" disabled="False" group="" position="16" action="Translate" comment="should match MAC and IP addresses">
<OSrc neg="False">
<ObjectRef ref="id3DB0B356"/>
</OSrc>
<ODst neg="True">
<ObjectRef ref="id445F52ED31658"/>
</ODst>
<OSrv neg="False">
<ServiceRef ref="tcp-HTTP"/>
</OSrv>
<TSrc neg="False">
<ObjectRef ref="if-FW-firewall2-eth1"/>
</TSrc>
<TDst neg="False">
<ObjectRef ref="sysid0"/>
</TDst>
<TSrv neg="False">
<ServiceRef ref="sysid1"/>
</TSrv>
<ItfInb neg="False">
<ObjectRef ref="sysid0"/>
</ItfInb>
<ItfOutb neg="False">
<ObjectRef ref="sysid0"/>
</ItfOutb>
<NATRuleOptions/>
</NATRule>
<NATRule id="id3CE7198B" disabled="False" group="" position="17" action="Translate" comment="">
<OSrc neg="False">
<ObjectRef ref="sysid0"/>
</OSrc>
<ODst neg="False">
<ObjectRef ref="fw-firewall2"/>
</ODst>
<OSrv neg="False">
<ServiceRef ref="id3CE71594"/>
</OSrv>
<TSrc neg="False">
<ObjectRef ref="sysid0"/>
</TSrc>
<TDst neg="False">
<ObjectRef ref="host-hostA"/>
</TDst>
<TSrv neg="False">
<ServiceRef ref="id3CE71594"/>
</TSrv>
<ItfInb neg="False">
<ObjectRef ref="sysid0"/>
</ItfInb>
<ItfOutb neg="False">
<ObjectRef ref="sysid0"/>
</ItfOutb>
<NATRuleOptions/>
</NATRule>
<NATRule id="id3CE719A3" disabled="False" group="" position="18" action="Translate" comment="">
<OSrc neg="False">
<ObjectRef ref="sysid0"/>
</OSrc>
<ODst neg="False">
<ObjectRef ref="fw-firewall2"/>
</ODst>
<OSrv neg="False">
<ServiceRef ref="id3CE717A0"/>
</OSrv>
<TSrc neg="False">
<ObjectRef ref="sysid0"/>
</TSrc>
<TDst neg="False">
<ObjectRef ref="host-hostA"/>
</TDst>
<TSrv neg="False">
<ServiceRef ref="id3CE717A0"/>
</TSrv>
<ItfInb neg="False">
<ObjectRef ref="sysid0"/>
</ItfInb>
<ItfOutb neg="False">
<ObjectRef ref="sysid0"/>
</ItfOutb>
<NATRuleOptions/>
</NATRule>
<NATRule id="id3CE71AF1" disabled="False" group="" position="19" action="Translate" comment="">
<OSrc neg="False">
<ObjectRef ref="sysid0"/>
</OSrc>
<ODst neg="False">
<ObjectRef ref="fw-firewall2"/>
</ODst>
<OSrv neg="False">
<ServiceRef ref="id3CE719F3"/>
</OSrv>
<TSrc neg="False">
<ObjectRef ref="sysid0"/>
</TSrc>
<TDst neg="False">
<ObjectRef ref="host-hostA"/>
</TDst>
<TSrv neg="False">
<ServiceRef ref="id3CE719F3"/>
</TSrv>
<ItfInb neg="False">
<ObjectRef ref="sysid0"/>
</ItfInb>
<ItfOutb neg="False">
<ObjectRef ref="sysid0"/>
</ItfOutb>
<NATRuleOptions/>
</NATRule>
<NATRule id="id3CE71B86" disabled="False" group="" position="20" action="Translate" comment="">
<OSrc neg="False">
<ObjectRef ref="host-hostA"/>
</OSrc>
<ODst neg="False">
<ObjectRef ref="sysid0"/>
</ODst>
<OSrv neg="False">
<ServiceRef ref="id3CE719F3"/>
</OSrv>
<TSrc neg="False">
<ObjectRef ref="fw-firewall2"/>
</TSrc>
<TDst neg="False">
<ObjectRef ref="sysid0"/>
</TDst>
<TSrv neg="False">
<ServiceRef ref="id3CE719F3"/>
</TSrv>
<ItfInb neg="False">
<ObjectRef ref="sysid0"/>
</ItfInb>
<ItfOutb neg="False">
<ObjectRef ref="sysid0"/>
</ItfOutb>
<NATRuleOptions/>
</NATRule>
<NATRule id="id3EA8DC47" disabled="False" group="" position="21" action="Translate" comment="">
<OSrc neg="False">
<ObjectRef ref="host-hostA"/>
</OSrc>
<ODst neg="False">
<ObjectRef ref="sysid0"/>
</ODst>
<OSrv neg="False">
<ServiceRef ref="id3B4FF09A"/>
</OSrv>
<TSrc neg="False">
<ObjectRef ref="sysid0"/>
</TSrc>
<TDst neg="False">
<ObjectRef ref="sysid0"/>
</TDst>
<TSrv neg="False">
<ServiceRef ref="tcp-HTTP"/>
</TSrv>
<ItfInb neg="False">
<ObjectRef ref="sysid0"/>
</ItfInb>
<ItfOutb neg="False">
<ObjectRef ref="sysid0"/>
</ItfOutb>
<NATRuleOptions/>
</NATRule>
<NATRule id="id3EA8DB2C" disabled="False" group="" position="22" action="Translate" comment="">
<OSrc neg="False">
<ObjectRef ref="fw-firewall2"/>
</OSrc>
<ODst neg="False">
<ObjectRef ref="sysid0"/>
</ODst>
<OSrv neg="False">
<ServiceRef ref="id3B4FF09A"/>
</OSrv>
<TSrc neg="False">
<ObjectRef ref="sysid0"/>
</TSrc>
<TDst neg="False">
<ObjectRef ref="sysid0"/>
</TDst>
<TSrv neg="False">
<ServiceRef ref="tcp-HTTP"/>
</TSrv>
<ItfInb neg="False">
<ObjectRef ref="sysid0"/>
</ItfInb>
<ItfOutb neg="False">
<ObjectRef ref="sysid0"/>
</ItfOutb>
<NATRuleOptions/>
</NATRule>
<NATRule id="id3EF41DD4" disabled="False" group="" position="23" action="Translate" comment="should use multiport and account for no more than 15 ports per rule">
<OSrc neg="False">
<ObjectRef ref="sysid0"/>
</OSrc>
<ODst neg="False">
<ObjectRef ref="if-FW-firewall2-eth1"/>
</ODst>
<OSrv neg="False">
<ServiceRef ref="id3C1A66C9"/>
</OSrv>
<TSrc neg="False">
<ObjectRef ref="sysid0"/>
</TSrc>
<TDst neg="False">
<ObjectRef ref="host-hostA"/>
</TDst>
<TSrv neg="False">
<ServiceRef ref="sysid1"/>
</TSrv>
<ItfInb neg="False">
<ObjectRef ref="sysid0"/>
</ItfInb>
<ItfOutb neg="False">
<ObjectRef ref="sysid0"/>
</ItfOutb>
<NATRuleOptions/>
</NATRule>
<NATRule id="id3EF4288E" disabled="False" group="" position="24" action="Translate" comment="should use multiport and account for no more than 15 ports per rule">
<OSrc neg="False">
<ObjectRef ref="sysid0"/>
</OSrc>
<ODst neg="False">
<ObjectRef ref="if-FW-firewall2-eth1"/>
</ODst>
<OSrv neg="True">
<ServiceRef ref="id3C1A66C9"/>
</OSrv>
<TSrc neg="False">
<ObjectRef ref="sysid0"/>
</TSrc>
<TDst neg="False">
<ObjectRef ref="host-hostA"/>
</TDst>
<TSrv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</TSrv>
|
|
<ItfInb neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ItfInb>
|
|
<ItfOutb neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ItfOutb>
|
|
<NATRuleOptions/>
|
|
</NATRule>
|
|
<RuleSetOptions/>
|
|
</NAT>
|
|
<Policy id="pol-firewall2" name="Policy" comment="" ro="False" ipv4_rule_set="False" ipv6_rule_set="False" top_rule_set="True">
|
|
<PolicyRule id="pol-firewall2-0" disabled="False" group="" log="True" position="0" action="Deny" direction="Inbound" comment="Automatically generated rule blocking short fragments">
|
|
<Src neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="ip-IP_Fragments"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="if-FW-firewall2-eth1"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="color">#C0BA44</Option>
|
|
<Option name="stateless">True</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<PolicyRule id="id3B09D29D" disabled="False" group="" log="True" position="1" action="Deny" direction="Inbound" comment="тестовый комментарий по-русски. Проверяем конвертацию из/в Utf8">
|
|
<Src neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="fw-firewall2"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="ip-IP_Fragments"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="if-FW-firewall2-eth1"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="color">#C0BA44</Option>
|
|
<Option name="stateless">True</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<PolicyRule id="pol-firewall2-1" disabled="False" group="" log="True" position="2" action="Deny" direction="Inbound" comment="Automatically generated anti-spoofing rule">
|
|
<Src neg="False">
|
|
<ObjectRef ref="net-Internal_net"/>
|
|
<ObjectRef ref="fw-firewall2"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="if-FW-firewall2-eth1"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="color">#C0BA44</Option>
|
|
<Option name="stateless">True</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<PolicyRule id="id47421X33852" disabled="False" group="test for FORWARD chain" log="False" position="3" action="Accept" direction="Both" comment="">
|
|
<Src neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="fw-firewall2"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="udp-DNS"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="if-FW-firewall2-eth1"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="color">#7694C0</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<PolicyRule id="id69026X33852" disabled="False" group="test for FORWARD chain" log="False" position="4" action="Accept" direction="Both" comment="rule in FORWARD chain with -o eth1 and dest address of the firewall is pretty much impossible">
|
|
<Src neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="if-FW-firewall2-eth1-ipv4"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="udp-DNS"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="if-FW-firewall2-eth1"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="color">#7694C0</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<PolicyRule id="id90648X33852" disabled="False" group="test for FORWARD chain" log="False" position="5" action="Accept" direction="Both" comment="">
|
|
<Src neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="if-FW-firewall2-eth1-ipv4"/>
|
|
<ObjectRef ref="host-hostA"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="udp-DNS"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="if-FW-firewall2-eth1"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="color">#7694C0</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<PolicyRule id="id285604X33852" disabled="False" group="test for FORWARD chain" log="False" position="6" action="Accept" direction="Both" comment="">
|
|
<Src neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="id263935X33852"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="udp-DNS"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="if-FW-firewall2-eth1"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="color">#7694C0</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<PolicyRule id="id112281X33852" disabled="False" group="test for FORWARD chain" log="False" position="7" action="Accept" direction="Both" comment="">
|
|
<Src neg="False">
|
|
<ObjectRef ref="fw-firewall2"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="udp-DNS"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="if-FW-firewall2-eth1"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="color">#7694C0</Option>
|
|
<Option name="stateless">False</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<PolicyRule id="id133926X33852" disabled="False" group="test for FORWARD chain" log="False" position="8" action="Accept" direction="Both" comment="keep FORWARD chain because it is needed for anti-spoofing rules">
|
|
<Src neg="False">
|
|
<ObjectRef ref="if-FW-firewall2-eth1-ipv4"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="udp-DNS"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="if-FW-firewall2-eth1"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="color">#7694C0</Option>
|
|
<Option name="stateless">False</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<PolicyRule id="id133947X33852" disabled="False" group="test for FORWARD chain" log="False" position="9" action="Accept" direction="Both" comment="">
|
|
<Src neg="False">
|
|
<ObjectRef ref="if-FW-firewall2-eth1-ipv4"/>
|
|
<ObjectRef ref="host-hostA"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="udp-DNS"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="if-FW-firewall2-eth1"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="color">#7694C0</Option>
|
|
<Option name="stateless">False</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<PolicyRule id="id3B92DFC5" disabled="False" group="" log="False" position="10" action="Accept" direction="Both" comment="">
|
|
<Src neg="False">
|
|
<ObjectRef ref="net-Internal_net"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="fw-firewall2"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="udp-DNS"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="if-FW-firewall2-eth0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="color">#8BC065</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<PolicyRule id="id3C4E4C38" disabled="False" group="" log="True" position="11" action="Deny" direction="Inbound" comment="code should go into INPUT chain with address in destination for comparison">
|
|
<Src neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="id3B64FFAC"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="udp-DNS"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="if-FW-firewall2-eth0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="color">#8BC065</Option>
|
|
<Option name="stateless">True</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<PolicyRule id="id3E021435" disabled="False" group="" log="False" position="12" action="Accept" direction="Inbound" comment="">
|
|
<Src neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="tcp-HTTP"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="if-FW-firewall2-eth0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="color">#8BC065</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<PolicyRule id="id433BF95F26912" disabled="False" group="" log="False" position="13" action="Deny" direction="Inbound" comment="reject using connlimit">
|
|
<Src neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="fw-firewall2"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="if-FW-firewall2-eth0"/>
|
|
<ObjectRef ref="if-FW-firewall2-eth1"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="color">#C0C0C0</Option>
|
|
<Option name="connlimit_masklen">24</Option>
|
|
<Option name="connlimit_value">2</Option>
|
|
<Option name="firewall_is_part_of_any_and_networks">False</Option>
|
|
<Option name="limit_burst">0</Option>
|
|
<Option name="limit_suffix"/>
|
|
<Option name="limit_value">0</Option>
|
|
<Option name="log_level"/>
|
|
<Option name="log_prefix"/>
|
|
<Option name="stateless">True</Option>
|
|
<Option name="ulog_nlgroup">1</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<PolicyRule id="id446828293610" disabled="False" group="" log="False" position="14" action="Deny" direction="Inbound" comment="reject using connlimit">
|
|
<Src neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="fw-firewall2"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="if-FW-firewall2-eth0"/>
|
|
<ObjectRef ref="if-FW-firewall2-eth1"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="color">#C0C0C0</Option>
|
|
<Option name="connlimit_masklen">24</Option>
|
|
<Option name="connlimit_value">0</Option>
|
|
<Option name="firewall_is_part_of_any_and_networks">False</Option>
|
|
<Option name="hashlimit_burst">5</Option>
|
|
<Option name="hashlimit_dstlimit">True</Option>
|
|
<Option name="hashlimit_mode">destip</Option>
|
|
<Option name="hashlimit_suffix">/second</Option>
|
|
<Option name="hashlimit_value">2</Option>
|
|
<Option name="limit_burst">0</Option>
|
|
<Option name="limit_suffix"/>
|
|
<Option name="limit_value">0</Option>
|
|
<Option name="log_level"/>
|
|
<Option name="log_prefix"/>
|
|
<Option name="stateless">True</Option>
|
|
<Option name="ulog_nlgroup">1</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<PolicyRule id="id44670E149065" disabled="False" group="" log="False" position="15" action="Accept" direction="Inbound" comment="">
|
|
<Src neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="fw-firewall2"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="if-FW-firewall2-eth0"/>
|
|
<ObjectRef ref="if-FW-firewall2-eth1"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="color">#C0C0C0</Option>
|
|
<Option name="connlimit_masklen">0</Option>
|
|
<Option name="connlimit_value">0</Option>
|
|
<Option name="firewall_is_part_of_any_and_networks">False</Option>
|
|
<Option name="limit_burst">0</Option>
|
|
<Option name="limit_suffix"/>
|
|
<Option name="limit_value">0</Option>
|
|
<Option name="log_level"/>
|
|
<Option name="log_prefix"/>
|
|
<Option name="stateless">False</Option>
|
|
<Option name="ulog_nlgroup">1</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<PolicyRule id="id469F1D0830391" disabled="False" group="" log="False" position="16" action="Accept" direction="Outbound" comment="OUTPUT">
|
|
<Src neg="False">
|
|
<ObjectRef ref="fw-firewall2"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="id44F7082928576"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="color">#8BC065</Option>
|
|
<Option name="connlimit_masklen">0</Option>
|
|
<Option name="connlimit_value">0</Option>
|
|
<Option name="firewall_is_part_of_any_and_networks">False</Option>
|
|
<Option name="hashlimit_burst">0</Option>
|
|
<Option name="hashlimit_dstlimit">False</Option>
|
|
<Option name="hashlimit_expire">0</Option>
|
|
<Option name="hashlimit_gcinterval">0</Option>
|
|
<Option name="hashlimit_max">0</Option>
|
|
<Option name="hashlimit_mode">dstip</Option>
|
|
<Option name="hashlimit_name"/>
|
|
<Option name="hashlimit_size">0</Option>
|
|
<Option name="hashlimit_suffix"/>
|
|
<Option name="hashlimit_value">0</Option>
|
|
<Option name="limit_burst">0</Option>
|
|
<Option name="limit_suffix"/>
|
|
<Option name="limit_value">0</Option>
|
|
<Option name="log_level"/>
|
|
<Option name="log_prefix"/>
|
|
<Option name="stateless">True</Option>
|
|
<Option name="ulog_nlgroup">1</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<PolicyRule id="id469F1CF730391" disabled="False" group="" log="False" position="17" action="Accept" direction="Inbound" comment="INPUT with "-i +". "-i +" is redundant if chain is INPUT; optimization removes it">
|
|
<Src neg="False">
|
|
<ObjectRef ref="id44F7082928576"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="fw-firewall2"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="color">#8BC065</Option>
|
|
<Option name="connlimit_masklen">0</Option>
|
|
<Option name="connlimit_value">0</Option>
|
|
<Option name="firewall_is_part_of_any_and_networks">False</Option>
|
|
<Option name="hashlimit_burst">0</Option>
|
|
<Option name="hashlimit_dstlimit">False</Option>
|
|
<Option name="hashlimit_expire">0</Option>
|
|
<Option name="hashlimit_gcinterval">0</Option>
|
|
<Option name="hashlimit_max">0</Option>
|
|
<Option name="hashlimit_mode">dstip</Option>
|
|
<Option name="hashlimit_name"/>
|
|
<Option name="hashlimit_size">0</Option>
|
|
<Option name="hashlimit_suffix"/>
|
|
<Option name="hashlimit_value">0</Option>
|
|
<Option name="limit_burst">0</Option>
|
|
<Option name="limit_suffix"/>
|
|
<Option name="limit_value">0</Option>
|
|
<Option name="log_level"/>
|
|
<Option name="log_prefix"/>
|
|
<Option name="stateless">True</Option>
|
|
<Option name="ulog_nlgroup">1</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<PolicyRule id="id469F1CE630391" disabled="False" group="" log="False" position="18" action="Accept" direction="Outbound" comment="OUTPUT + FORWARD">
|
|
<Src neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="id44F7082928576"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="color">#8BC065</Option>
|
|
<Option name="connlimit_masklen">0</Option>
|
|
<Option name="connlimit_value">0</Option>
|
|
<Option name="firewall_is_part_of_any_and_networks">False</Option>
|
|
<Option name="hashlimit_burst">0</Option>
|
|
<Option name="hashlimit_dstlimit">False</Option>
|
|
<Option name="hashlimit_expire">0</Option>
|
|
<Option name="hashlimit_gcinterval">0</Option>
|
|
<Option name="hashlimit_max">0</Option>
|
|
<Option name="hashlimit_mode">dstip</Option>
|
|
<Option name="hashlimit_name"/>
|
|
<Option name="hashlimit_size">0</Option>
|
|
<Option name="hashlimit_suffix"/>
|
|
<Option name="hashlimit_value">0</Option>
|
|
<Option name="limit_burst">0</Option>
|
|
<Option name="limit_suffix"/>
|
|
<Option name="limit_value">0</Option>
|
|
<Option name="log_level"/>
|
|
<Option name="log_prefix"/>
|
|
<Option name="stateless">True</Option>
|
|
<Option name="ulog_nlgroup">1</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<PolicyRule id="id469F1CD530391" disabled="False" group="" log="False" position="19" action="Accept" direction="Inbound" comment="INPUT + FORWARD">
|
|
<Src neg="False">
|
|
<ObjectRef ref="id44F7082928576"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="color">#8BC065</Option>
|
|
<Option name="connlimit_masklen">0</Option>
|
|
<Option name="connlimit_value">0</Option>
|
|
<Option name="firewall_is_part_of_any_and_networks">False</Option>
|
|
<Option name="hashlimit_burst">0</Option>
|
|
<Option name="hashlimit_dstlimit">False</Option>
|
|
<Option name="hashlimit_expire">0</Option>
|
|
<Option name="hashlimit_gcinterval">0</Option>
|
|
<Option name="hashlimit_max">0</Option>
|
|
<Option name="hashlimit_mode">dstip</Option>
|
|
<Option name="hashlimit_name"/>
|
|
<Option name="hashlimit_size">0</Option>
|
|
<Option name="hashlimit_suffix"/>
|
|
<Option name="hashlimit_value">0</Option>
|
|
<Option name="limit_burst">0</Option>
|
|
<Option name="limit_suffix"/>
|
|
<Option name="limit_value">0</Option>
|
|
<Option name="log_level"/>
|
|
<Option name="log_prefix"/>
|
|
<Option name="stateless">True</Option>
|
|
<Option name="ulog_nlgroup">1</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<PolicyRule id="id469F1CC430391" disabled="False" group="" log="False" position="20" action="Accept" direction="Both" comment="OUTPUT + FORWARD">
|
|
<Src neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="id44F7082928576"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="color">#8BC065</Option>
|
|
<Option name="connlimit_masklen">0</Option>
|
|
<Option name="connlimit_value">0</Option>
|
|
<Option name="firewall_is_part_of_any_and_networks">False</Option>
|
|
<Option name="hashlimit_burst">0</Option>
|
|
<Option name="hashlimit_dstlimit">False</Option>
|
|
<Option name="hashlimit_expire">0</Option>
|
|
<Option name="hashlimit_gcinterval">0</Option>
|
|
<Option name="hashlimit_max">0</Option>
|
|
<Option name="hashlimit_mode">dstip</Option>
|
|
<Option name="hashlimit_name"/>
|
|
<Option name="hashlimit_size">0</Option>
|
|
<Option name="hashlimit_suffix"/>
|
|
<Option name="hashlimit_value">0</Option>
|
|
<Option name="limit_burst">0</Option>
|
|
<Option name="limit_suffix"/>
|
|
<Option name="limit_value">0</Option>
|
|
<Option name="log_level"/>
|
|
<Option name="log_prefix"/>
|
|
<Option name="stateless">True</Option>
|
|
<Option name="ulog_nlgroup">1</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<PolicyRule id="id469F1CB330391" disabled="False" group="" log="False" position="21" action="Accept" direction="Both" comment="INPUT + FORWARD">
|
|
<Src neg="False">
|
|
<ObjectRef ref="id44F7082928576"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="color">#8BC065</Option>
|
|
<Option name="connlimit_masklen">0</Option>
|
|
<Option name="connlimit_value">0</Option>
|
|
<Option name="firewall_is_part_of_any_and_networks">False</Option>
|
|
<Option name="hashlimit_burst">0</Option>
|
|
<Option name="hashlimit_dstlimit">False</Option>
|
|
<Option name="hashlimit_expire">0</Option>
|
|
<Option name="hashlimit_gcinterval">0</Option>
|
|
<Option name="hashlimit_max">0</Option>
|
|
<Option name="hashlimit_mode">dstip</Option>
|
|
<Option name="hashlimit_name"/>
|
|
<Option name="hashlimit_size">0</Option>
|
|
<Option name="hashlimit_suffix"/>
|
|
<Option name="hashlimit_value">0</Option>
|
|
<Option name="limit_burst">0</Option>
|
|
<Option name="limit_suffix"/>
|
|
<Option name="limit_value">0</Option>
|
|
<Option name="log_level"/>
|
|
<Option name="log_prefix"/>
|
|
<Option name="stateless">True</Option>
|
|
<Option name="ulog_nlgroup">1</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<PolicyRule id="id3B58E39D" disabled="False" group="" log="True" position="22" action="Deny" direction="Both" comment="">
|
|
<Src neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="tcp-TCP-SYN"/>
|
|
<ServiceRef ref="id3B58E3F1"/>
|
|
<ServiceRef ref="id3C1A5D46"/>
|
|
<ServiceRef ref="id3E3747AF"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="action_on_reject"/>
|
|
<Option name="limit_value">0</Option>
|
|
<Option name="log_limit_suffix"/>
|
|
<Option name="log_prefix"/>
|
|
<Option name="stateless">True</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<PolicyRule id="id3B6659FC" disabled="False" group="" log="False" position="23" action="Deny" direction="Both" comment="">
|
|
<Src neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="ip-RR"/>
|
|
<ServiceRef ref="ip-SRR"/>
|
|
<ServiceRef ref="id3B6659A5"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="stateless">True</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<PolicyRule id="id49124X22476" disabled="False" group="" log="False" position="24" action="Deny" direction="Both" comment="">
|
|
<Src neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="id49136X22476"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="stateless">True</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<PolicyRule id="id49147X15005" disabled="False" group="" log="False" position="25" action="Deny" direction="Both" comment="">
|
|
<Src neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="id49146X15005"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="stateless">True</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<PolicyRule id="id3D34B4D8" disabled="False" group="" log="True" position="26" action="Deny" direction="Both" comment="">
|
|
<Src neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="id3D34B32B"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="stateless">True</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<PolicyRule id="id3D0C176B" disabled="True" group="" log="False" position="27" action="Accept" direction="Both" comment="both src and dst have multiple interfaces. this rule is illegal because firewall8 has dynamic interface">
|
|
<Src neg="False">
|
|
<ObjectRef ref="fw-firewall2"/>
|
|
<ObjectRef ref="id3D0C1E6E"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="id3D0C1E6E"/>
|
|
<ObjectRef ref="fw-firewall2"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions/>
|
|
</PolicyRule>
|
|
<PolicyRule id="id3EE24E9C" disabled="False" group="" log="False" position="28" action="Accept" direction="Both" comment="both src and dst have multiple interfaces">
|
|
<Src neg="False">
|
|
<ObjectRef ref="fw-firewall2"/>
|
|
<ObjectRef ref="id3D0C1E77"/>
|
|
<ObjectRef ref="id3D0C1E7A"/>
|
|
<ObjectRef ref="id3D0C1E7D"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="fw-firewall2"/>
|
|
<ObjectRef ref="id3D0C1E77"/>
|
|
<ObjectRef ref="id3D0C1E7A"/>
|
|
<ObjectRef ref="id3D0C1E7D"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions/>
|
|
</PolicyRule>
|
|
<PolicyRule id="id3BF1B45E" disabled="False" group="" log="False" position="29" action="Accept" direction="Both" comment="">
|
|
<Src neg="False">
|
|
<ObjectRef ref="id3BF1B3E1"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="host-hostA"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="action_on_reject"/>
|
|
<Option name="limit_suffix"/>
|
|
<Option name="limit_value">0</Option>
|
|
<Option name="log_prefix"/>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<PolicyRule id="id3E0AA611" disabled="False" group="" log="False" position="30" action="Accept" direction="Both" comment="">
|
|
<Src neg="False">
|
|
<ObjectRef ref="id3BF1B3E2"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="fw-firewall2"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions/>
|
|
</PolicyRule>
|
|
<PolicyRule id="id3BF1B44E" disabled="False" group="" log="False" position="31" action="Accept" direction="Both" comment="">
|
|
<Src neg="False">
|
|
<ObjectRef ref="id3BF1B3E7"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="host-hostA"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="action_on_reject"/>
|
|
<Option name="limit_suffix"/>
|
|
<Option name="limit_value">0</Option>
|
|
<Option name="log_prefix"/>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<PolicyRule id="id3E0AA504" disabled="False" group="" log="False" position="32" action="Accept" direction="Both" comment="">
|
|
<Src neg="False">
|
|
<ObjectRef ref="id3BF1B3E8-pa"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="fw-firewall2"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions/>
|
|
</PolicyRule>
|
|
<PolicyRule id="id3E0AA635" disabled="False" group="" log="False" position="33" action="Accept" direction="Both" comment="">
|
|
<Src neg="False">
|
|
<ObjectRef ref="id3BF1B3E8-pa"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="id3B19C5EB"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions/>
|
|
</PolicyRule>
|
|
<PolicyRule id="id3E0F40D5" disabled="False" group="" log="False" position="34" action="Accept" direction="Both" comment="">
|
|
<Src neg="False">
|
|
<ObjectRef ref="id3E0F3FC8"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="fw-firewall2"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions/>
|
|
</PolicyRule>
|
|
<PolicyRule id="id3E0F452C" disabled="False" group="" log="False" position="35" action="Accept" direction="Both" comment="">
|
|
<Src neg="False">
|
|
<ObjectRef ref="id3E0F3FCB"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="fw-firewall2"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions/>
|
|
</PolicyRule>
|
|
<PolicyRule id="id3DB0B422" disabled="False" group="" log="False" position="36" action="Accept" direction="Both" comment="">
|
|
<Src neg="False">
|
|
<ObjectRef ref="id3DB0B356"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="host-hostA"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions/>
|
|
</PolicyRule>
|
|
<PolicyRule id="id3DB0B628" disabled="False" group="" log="False" position="37" action="Accept" direction="Both" comment="">
|
|
<Src neg="False">
|
|
<ObjectRef ref="id3DB0B356"/>
|
|
<ObjectRef ref="host-hostB"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="host-hostA"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions/>
|
|
</PolicyRule>
|
|
<PolicyRule id="id3DE474B7" disabled="False" group="" log="False" position="38" action="Accept" direction="Both" comment="">
|
|
<Src neg="False">
|
|
<ObjectRef ref="id3DB0B356"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="host-hostA"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="id3CE717A0"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions/>
|
|
</PolicyRule>
|
|
<PolicyRule id="pol-firewall2-2" disabled="False" group="" log="False" position="39" action="Accept" direction="Both" comment="">
|
|
<Src neg="False">
|
|
<ObjectRef ref="id3DB0B356"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="host-hostA"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="id3C1A66C9"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="action_on_reject"/>
|
|
<Option name="limit_suffix"/>
|
|
<Option name="limit_value">0</Option>
|
|
<Option name="log_prefix"/>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<PolicyRule id="id445FAA6D31658" disabled="False" group="" log="False" position="40" action="Accept" direction="Both" comment="">
|
|
<Src neg="False">
|
|
<ObjectRef ref="id3DB0B356"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="tcp-HTTP"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions/>
|
|
</PolicyRule>
|
|
<PolicyRule id="id3F14E0F4" disabled="False" group="" log="False" position="41" action="Accept" direction="Both" comment="">
|
|
<Src neg="False">
|
|
<ObjectRef ref="id3F14DFB8"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="host-hostA"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions/>
|
|
</PolicyRule>
|
|
<PolicyRule id="pol-firewall2-3" disabled="False" group="" log="True" position="42" action="Accept" direction="Both" comment="">
|
|
<Src neg="False">
|
|
<ObjectRef ref="host-secondary1-com"/>
|
|
<ObjectRef ref="host-secondary2-com"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="host-hostA"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="int-afterhours"/>
|
|
<IntervalRef ref="id3C63479C"/>
|
|
<IntervalRef ref="id3C63479E"/>
|
|
<IntervalRef ref="id3D6864D0"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="action_on_reject"/>
|
|
<Option name="limit_suffix"/>
|
|
<Option name="limit_value">0</Option>
|
|
<Option name="log_prefix"/>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<PolicyRule id="id3FB8455E" disabled="False" group="" log="False" position="43" action="Accept" direction="Both" comment="">
|
|
<Src neg="False">
|
|
<ObjectRef ref="host-secondary1-com"/>
|
|
<ObjectRef ref="host-secondary2-com"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="host-hostA"/>
|
|
<ObjectRef ref="host-hostB"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="id3C1A66C9"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions/>
|
|
</PolicyRule>
|
|
<PolicyRule id="id3CE71635" disabled="False" group="" log="False" position="44" action="Accept" direction="Both" comment="">
|
|
<Src neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="host-hostA"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="id3CE71594"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions/>
|
|
</PolicyRule>
|
|
<PolicyRule id="id3CE716F8" disabled="False" group="" log="False" position="45" action="Accept" direction="Both" comment="Rule #20 test: from Rock ">
|
|
<Src neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="host-hostA"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="id3CE71594"/>
|
|
<ServiceRef ref="tcp-DNS_zone_transf"/>
|
|
<ServiceRef ref="id3CE717A0"/>
|
|
<ServiceRef ref="id3B5009F7"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions/>
|
|
</PolicyRule>
|
|
<PolicyRule id="pol-firewall2-4" disabled="False" group="" log="False" position="46" action="Accept" direction="Both" comment="">
|
|
<Src neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="net-Internal_net"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="sg-Useful_ICMP"/>
|
|
<ServiceRef ref="id3B64FE22"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="action_on_reject"/>
|
|
<Option name="limit_suffix"/>
|
|
<Option name="limit_value">0</Option>
|
|
<Option name="log_prefix"/>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<PolicyRule id="id3CD8770E" disabled="False" group="" log="False" position="47" action="Accept" direction="Both" comment="">
|
|
<Src neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="id3CD8769F"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="id3B64FE22"/>
|
|
<ServiceRef ref="id3CD878C8"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="action_on_reject"/>
|
|
<Option name="limit_suffix"/>
|
|
<Option name="limit_value">0</Option>
|
|
<Option name="log_prefix"/>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<PolicyRule id="id3CD87B1E" disabled="False" group="" log="False" position="48" action="Accept" direction="Both" comment="">
|
|
<Src neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="id3CD87A9A"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="id3B64FE22"/>
|
|
<ServiceRef ref="id3CD878C8"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="action_on_reject"/>
|
|
<Option name="limit_suffix"/>
|
|
<Option name="limit_value">0</Option>
|
|
<Option name="log_prefix"/>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<PolicyRule id="id3E1FD93A" disabled="False" group="" log="False" position="49" action="Accept" direction="Both" comment="group &quot;special combined srv&quot; has a couple of UDP services plus the &quot;ALL UDP&quot; service, which has an empty port spec. This is a special case for multiport.">
|
|
<Src neg="False">
|
|
<ObjectRef ref="net-Internal_net"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="fw-firewall2"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="id3E1FDDBB"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions/>
|
|
</PolicyRule>
|
|
<PolicyRule id="id41D0F052" disabled="False" group="" log="True" position="50" action="Accept" direction="Both" comment="another test case for multiport: this rule has 16 TCP services and should be split into two rules. If both rules use &quot;-m multiport&quot;, then the rule with a single service should use &quot;--dports&quot;. It may be acceptable not to use multiport at all in the rule with a single service.">
|
|
<Src neg="False">
|
|
<ObjectRef ref="net-Internal_net"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="id3CD8769F"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="id41D0F023"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions/>
|
|
</PolicyRule>
|
|
<PolicyRule id="id3B58E180" disabled="False" group="" log="True" position="51" action="Accept" direction="Both" comment="">
|
|
<Src neg="False">
|
|
<ObjectRef ref="fw-firewall2"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="fw-firewall2"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions/>
|
|
</PolicyRule>
|
|
<PolicyRule id="id3D41A4F4" disabled="False" group="" log="False" position="52" action="Accept" direction="Both" comment="">
|
|
<Src neg="False">
|
|
<ObjectRef ref="fw-firewall2"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="id3D41A435"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="udp-SNMP"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions/>
|
|
</PolicyRule>
|
|
<PolicyRule id="pol-firewall2-5" disabled="False" group="" log="False" position="53" action="Accept" direction="Both" comment="Automatically generated 'masquerading' rule">
|
|
<Src neg="False">
|
|
<ObjectRef ref="net-Internal_net"/>
|
|
<ObjectRef ref="fw-firewall2"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="action_on_reject"/>
|
|
<Option name="limit_suffix"/>
|
|
<Option name="limit_value">0</Option>
|
|
<Option name="log_prefix"/>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<PolicyRule id="id3CE894DA" disabled="False" group="" log="False" position="54" action="Accept" direction="Both" comment="similar to a standard 'masquerading' rule, but less permissive: it does not allow access to the firewall itself">
|
|
<Src neg="False">
|
|
<ObjectRef ref="net-Internal_net"/>
|
|
</Src>
|
|
<Dst neg="True">
|
|
<ObjectRef ref="fw-firewall2"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions/>
|
|
</PolicyRule>
|
|
<PolicyRule id="id40F1CFA3" disabled="False" group="" log="False" position="55" action="Accept" direction="Both" comment="">
|
|
<Src neg="False">
|
|
<ObjectRef ref="net-Internal_net"/>
|
|
</Src>
|
|
<Dst neg="True">
|
|
<ObjectRef ref="fw-firewall2"/>
|
|
<ObjectRef ref="id3B665643"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions/>
|
|
</PolicyRule>
|
|
<PolicyRule id="id413D6500" disabled="False" group="" log="False" position="56" action="Accept" direction="Both" comment="">
|
|
<Src neg="False">
|
|
<ObjectRef ref="id3BBC0EFC"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="id3BBC0EFC"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="id3D4DE626"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions/>
|
|
</PolicyRule>
|
|
<PolicyRule id="pol-firewall2-7" disabled="False" group="" log="True" position="57" action="Deny" direction="Both" comment="Automatically generated 'catch all' rule">
|
|
<Src neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="action_on_reject"/>
|
|
<Option name="limit_suffix"/>
|
|
<Option name="limit_value">0</Option>
|
|
<Option name="log_limit_suffix"/>
|
|
<Option name="log_prefix"/>
|
|
<Option name="stateless">True</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<RuleSetOptions/>
|
|
</Policy>
|
|
<Routing id="fw-firewall2-routing" name="Routing" comment="" ro="False" ipv4_rule_set="False" ipv6_rule_set="False" top_rule_set="True">
|
|
<RuleSetOptions/>
|
|
</Routing>
|
|
<Interface id="if-FW-firewall2-eth1" dedicated_failover="False" dyn="False" label="" mgmt="False" security_level="0" unnum="False" unprotected="False" name="eth1" comment="" ro="False">
|
|
<IPv4 id="if-FW-firewall2-eth1-ipv4" name="firewall:eth1:ip" comment="" ro="False" address="222.222.222.222" netmask="255.255.255.0"/>
|
|
<InterfaceOptions/>
|
|
</Interface>
|
|
<Interface id="if-FW-firewall2-eth0" dedicated_failover="False" dyn="False" label="" mgmt="True" security_level="100" unnum="False" unprotected="False" name="eth0" comment="" ro="False">
|
|
<IPv4 id="if-FW-firewall2-eth0-ipv4" name="firewall:eth0:ip" comment="" ro="False" address="192.168.1.1" netmask="255.255.255.0"/>
|
|
<InterfaceOptions/>
|
|
</Interface>
|
|
<Management address="192.168.1.1">
|
|
<SNMPManagement enabled="False" snmp_read_community="public" snmp_write_community=""/>
|
|
<FWBDManagement enabled="False" identity="" port="9999"/>
|
|
<PolicyInstallScript arguments="" command="/usr/bin/fwb_install" enabled="True"/>
|
|
</Management>
|
|
<FirewallOptions>
|
|
<Option name="accept_established">True</Option>
|
|
<Option name="accept_new_tcp_with_no_syn">False</Option>
|
|
<Option name="action_on_reject">ICMP net unreachable</Option>
|
|
<Option name="activationCmd"/>
|
|
<Option name="add_mgmt_ssh_rule_when_stoped">True</Option>
|
|
<Option name="add_rules_for_ipv6_neighbor_discovery">False</Option>
|
|
<Option name="admUser"/>
|
|
<Option name="altAddress"/>
|
|
<Option name="bridging_fw">False</Option>
|
|
<Option name="check_shading">False</Option>
|
|
<Option name="clamp_mss_to_mtu">False</Option>
|
|
<Option name="classify_mark_terminating">False</Option>
|
|
<Option name="clear_unknown_interfaces">False</Option>
|
|
<Option name="cmdline">-v</Option>
|
|
<Option name="compiler"/>
|
|
<Option name="configure_bonding_interfaces">False</Option>
|
|
<Option name="configure_bridge_interfaces">False</Option>
|
|
<Option name="configure_interfaces">True</Option>
|
|
<Option name="configure_vlan_interfaces">False</Option>
|
|
<Option name="debug">False</Option>
|
|
<Option name="drop_invalid">True</Option>
|
|
<Option name="dyn_addr">False</Option>
|
|
<Option name="epilog_script"/>
|
|
<Option name="firewall_dir"/>
|
|
<Option name="firewall_is_part_of_any">True</Option>
|
|
<Option name="firewall_is_part_of_any_and_networks">True</Option>
|
|
<Option name="ignore_empty_groups">False</Option>
|
|
<Option name="inst_cmdline"/>
|
|
<Option name="inst_script"/>
|
|
<Option name="install_script"/>
|
|
<Option name="ipv4_6_order">ipv4_first</Option>
|
|
<Option name="limit_suffix">/second</Option>
|
|
<Option name="limit_value">5</Option>
|
|
<Option name="linux24_accept_redirects"/>
|
|
<Option name="linux24_accept_source_route"/>
|
|
<Option name="linux24_icmp_echo_ignore_all"/>
|
|
<Option name="linux24_icmp_echo_ignore_broadcasts"/>
|
|
<Option name="linux24_icmp_ignore_bogus_error_responses"/>
|
|
<Option name="linux24_ip_dynaddr"/>
|
|
<Option name="linux24_ip_forward">1</Option>
|
|
<Option name="linux24_log_martians"/>
|
|
<Option name="linux24_path_ip">/usr/local/sbin/ip</Option>
|
|
<Option name="linux24_path_iptables">/usr/local/sbin/iptables</Option>
|
|
<Option name="linux24_path_logger">/bin/logger</Option>
|
|
<Option name="linux24_path_lsmod"/>
|
|
<Option name="linux24_path_modprobe">/usr/local/sbin/modprobe</Option>
|
|
<Option name="linux24_rp_filter"/>
|
|
<Option name="linux24_tcp_ecn"/>
|
|
<Option name="linux24_tcp_fack"/>
|
|
<Option name="linux24_tcp_fin_timeout">30</Option>
|
|
<Option name="linux24_tcp_keepalive_interval">1800</Option>
|
|
<Option name="linux24_tcp_sack"/>
|
|
<Option name="linux24_tcp_syncookies"/>
|
|
<Option name="linux24_tcp_timestamps"/>
|
|
<Option name="linux24_tcp_window_scaling"/>
|
|
<Option name="load_modules">True</Option>
|
|
<Option name="local_nat">False</Option>
|
|
<Option name="log_all">False</Option>
|
|
<Option name="log_all_dropped">True</Option>
|
|
<Option name="log_invalid">True</Option>
|
|
<Option name="log_ip_opt">False</Option>
|
|
<Option name="log_level">debug</Option>
|
|
<Option name="log_limit_suffix">/second</Option>
|
|
<Option name="log_limit_value">0</Option>
|
|
<Option name="log_prefix">CUSTOM LOGGING</Option>
|
|
<Option name="log_tcp_opt">False</Option>
|
|
<Option name="log_tcp_seq">False</Option>
|
|
<Option name="manage_virtual_addr">True</Option>
|
|
<Option name="mgmt_addr">192.168.1.100</Option>
|
|
<Option name="mgmt_ssh">True</Option>
|
|
<Option name="no_iochains_for_any">False</Option>
|
|
<Option name="no_optimisation">False</Option>
|
|
<Option name="output_file"/>
|
|
<Option name="platform">iptables</Option>
|
|
<Option name="prolog_place">top</Option>
|
|
<Option name="prolog_script"/>
|
|
<Option name="scpArgs"/>
|
|
<Option name="script_env_path"/>
|
|
<Option name="script_name_on_firewall"/>
|
|
<Option name="snmp_contact"/>
|
|
<Option name="snmp_description"/>
|
|
<Option name="snmp_location"/>
|
|
<Option name="sshArgs"/>
|
|
<Option name="ulog_cprange">0</Option>
|
|
<Option name="ulog_nlgroup">1</Option>
|
|
<Option name="ulog_qthreshold">1</Option>
|
|
<Option name="use_ULOG">False</Option>
|
|
<Option name="use_iptables_restore">False</Option>
|
|
<Option name="use_numeric_log_levels">True</Option>
|
|
<Option name="verify_interfaces">True</Option>
|
|
</FirewallOptions>
|
|
</Firewall>
|
|
<Firewall id="id3AF5AA0A" host_OS="linux24" inactive="False" lastCompiled="1273779948" lastInstalled="1142003872" lastModified="1279852787" platform="iptables" version="" name="firewall1" comment="this object is used to test all kinds of negation in policy and NAT rules. Assumes the 'firewall is part of any' option is ON" ro="False">
|
|
<NAT id="id3AF5AA0D" name="NAT" comment="" ro="False" ipv4_rule_set="False" ipv6_rule_set="False" top_rule_set="True">
|
|
<NATRule id="id3C98491C" disabled="False" group="" position="0" action="Translate" comment="">
|
|
<OSrc neg="False">
|
|
<ObjectRef ref="net-Internal_net"/>
|
|
</OSrc>
|
|
<ODst neg="False">
|
|
<ObjectRef ref="id3B022266"/>
|
|
</ODst>
|
|
<OSrv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</OSrv>
|
|
<TSrc neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</TSrc>
|
|
<TDst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</TDst>
|
|
<TSrv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</TSrv>
|
|
<ItfInb neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ItfInb>
|
|
<ItfOutb neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ItfOutb>
|
|
<NATRuleOptions/>
|
|
</NATRule>
|
|
<NATRule id="id3AFADC09" disabled="False" group="" position="1" action="Translate" comment="">
|
|
<OSrc neg="False">
|
|
<ObjectRef ref="host-hostA"/>
|
|
</OSrc>
|
|
<ODst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ODst>
|
|
<OSrv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</OSrv>
|
|
<TSrc neg="False">
|
|
<ObjectRef ref="id3AFADBF9"/>
|
|
</TSrc>
|
|
<TDst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</TDst>
|
|
<TSrv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</TSrv>
|
|
<ItfInb neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ItfInb>
|
|
<ItfOutb neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ItfOutb>
|
|
<NATRuleOptions/>
|
|
</NATRule>
|
|
<NATRule id="id3CD23959" disabled="False" group="" position="2" action="Translate" comment="">
|
|
<OSrc neg="True">
|
|
<ObjectRef ref="net-Internal_net"/>
|
|
</OSrc>
|
|
<ODst neg="False">
|
|
<ObjectRef ref="id3B19C5EB"/>
|
|
</ODst>
|
|
<OSrv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</OSrv>
|
|
<TSrc neg="False">
|
|
<ObjectRef ref="id3AFADBF9"/>
|
|
</TSrc>
|
|
<TDst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</TDst>
|
|
<TSrv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</TSrv>
|
|
<ItfInb neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ItfInb>
|
|
<ItfOutb neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ItfOutb>
|
|
<NATRuleOptions/>
|
|
</NATRule>
|
|
<NATRule id="id3D6E78AD" disabled="False" group="" position="3" action="Translate" comment="">
|
|
<OSrc neg="True">
|
|
<ObjectRef ref="net-Internal_net"/>
|
|
</OSrc>
|
|
<ODst neg="False">
|
|
<ObjectRef ref="id3B19C5EB"/>
|
|
</ODst>
|
|
<OSrv neg="False">
|
|
<ServiceRef ref="tcp-HTTP"/>
|
|
</OSrv>
|
|
<TSrc neg="False">
|
|
<ObjectRef ref="id3AFADBF9"/>
|
|
</TSrc>
|
|
<TDst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</TDst>
|
|
<TSrv neg="False">
|
|
<ServiceRef ref="tcp-HTTP"/>
|
|
</TSrv>
|
|
<ItfInb neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ItfInb>
|
|
<ItfOutb neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ItfOutb>
|
|
<NATRuleOptions/>
|
|
</NATRule>
|
|
<NATRule id="id3B1328FB" disabled="False" group="" position="4" action="Translate" comment="">
|
|
<OSrc neg="False">
|
|
<ObjectRef ref="net-Internal_net"/>
|
|
</OSrc>
|
|
<ODst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ODst>
|
|
<OSrv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</OSrv>
|
|
<TSrc neg="False">
|
|
<ObjectRef ref="id3AF5AA0A"/>
|
|
</TSrc>
|
|
<TDst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</TDst>
|
|
<TSrv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</TSrv>
|
|
<ItfInb neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ItfInb>
|
|
<ItfOutb neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ItfOutb>
|
|
<NATRuleOptions/>
|
|
</NATRule>
|
|
<NATRule id="id3E7ABEEA" disabled="False" group="" position="5" action="Translate" comment="">
|
|
<OSrc neg="False">
|
|
<ObjectRef ref="net-Internal_net"/>
|
|
</OSrc>
|
|
<ODst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ODst>
|
|
<OSrv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</OSrv>
|
|
<TSrc neg="False">
|
|
<ObjectRef ref="id3AF5AA99"/>
|
|
<ObjectRef ref="id3B11F434"/>
|
|
</TSrc>
|
|
<TDst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</TDst>
|
|
<TSrv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</TSrv>
|
|
<ItfInb neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ItfInb>
|
|
<ItfOutb neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ItfOutb>
|
|
<NATRuleOptions/>
|
|
</NATRule>
|
|
<NATRule id="id3AF5AAD3" disabled="False" group="" position="6" action="Translate" comment="">
|
|
<OSrc neg="False">
|
|
<ObjectRef ref="net-Internal_net"/>
|
|
</OSrc>
|
|
<ODst neg="True">
|
|
<ObjectRef ref="id3B022266"/>
|
|
</ODst>
|
|
<OSrv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</OSrv>
|
|
<TSrc neg="False">
|
|
<ObjectRef ref="id3AF5AA0A"/>
|
|
</TSrc>
|
|
<TDst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</TDst>
|
|
<TSrv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</TSrv>
|
|
<ItfInb neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ItfInb>
|
|
<ItfOutb neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ItfOutb>
|
|
<NATRuleOptions/>
|
|
</NATRule>
|
|
<NATRule id="id3D6E7B3D" disabled="False" group="" position="7" action="Translate" comment="">
|
|
<OSrc neg="False">
|
|
<ObjectRef ref="net-Internal_net"/>
|
|
</OSrc>
|
|
<ODst neg="True">
|
|
<ObjectRef ref="id3B022266"/>
|
|
</ODst>
|
|
<OSrv neg="False">
|
|
<ServiceRef ref="tcp-HTTP"/>
|
|
</OSrv>
|
|
<TSrc neg="False">
|
|
<ObjectRef ref="id3AF5AA0A"/>
|
|
</TSrc>
|
|
<TDst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</TDst>
|
|
<TSrv neg="False">
|
|
<ServiceRef ref="tcp-HTTP"/>
|
|
</TSrv>
|
|
<ItfInb neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ItfInb>
|
|
<ItfOutb neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ItfOutb>
|
|
<NATRuleOptions/>
|
|
</NATRule>
|
|
<NATRule id="id3CCA1B57" disabled="False" group="" position="8" action="Translate" comment="">
|
|
<OSrc neg="False">
|
|
<ObjectRef ref="net-Internal_net"/>
|
|
</OSrc>
|
|
<ODst neg="True">
|
|
<ObjectRef ref="id3BBC0EFC"/>
|
|
</ODst>
|
|
<OSrv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</OSrv>
|
|
<TSrc neg="False">
|
|
<ObjectRef ref="id3AF5AA0A"/>
|
|
</TSrc>
|
|
<TDst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</TDst>
|
|
<TSrv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</TSrv>
|
|
<ItfInb neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ItfInb>
|
|
<ItfOutb neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ItfOutb>
|
|
<NATRuleOptions/>
|
|
</NATRule>
|
|
<NATRule id="id3EB38983" disabled="False" group="" position="9" action="Translate" comment="">
|
|
<OSrc neg="False">
|
|
<ObjectRef ref="net-Internal_net"/>
|
|
</OSrc>
|
|
<ODst neg="True">
|
|
<ObjectRef ref="net-Internal_net"/>
|
|
<ObjectRef ref="id3B022266"/>
|
|
</ODst>
|
|
<OSrv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</OSrv>
|
|
<TSrc neg="False">
|
|
<ObjectRef ref="id3AF5AA0A"/>
|
|
</TSrc>
|
|
<TDst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</TDst>
|
|
<TSrv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</TSrv>
|
|
<ItfInb neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ItfInb>
|
|
<ItfOutb neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ItfOutb>
|
|
<NATRuleOptions/>
|
|
</NATRule>
|
|
<NATRule id="id3B50F7CB" disabled="False" group="" position="10" action="Translate" comment="">
|
|
<OSrc neg="True">
|
|
<ObjectRef ref="id3B022266"/>
|
|
</OSrc>
|
|
<ODst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ODst>
|
|
<OSrv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</OSrv>
|
|
<TSrc neg="False">
|
|
<ObjectRef ref="id3AF5AA0A"/>
|
|
</TSrc>
|
|
<TDst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</TDst>
|
|
<TSrv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</TSrv>
|
|
<ItfInb neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ItfInb>
|
|
<ItfOutb neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ItfOutb>
|
|
<NATRuleOptions/>
|
|
</NATRule>
|
|
<NATRule id="id3BD8D94B" disabled="False" group="" position="11" action="Translate" comment="">
|
|
<OSrc neg="False">
|
|
<ObjectRef ref="net-Internal_net"/>
|
|
</OSrc>
|
|
<ODst neg="True">
|
|
<ObjectRef ref="id3AF5AA0A"/>
|
|
</ODst>
|
|
<OSrv neg="False">
|
|
<ServiceRef ref="tcp-HTTP"/>
|
|
</OSrv>
|
|
<TSrc neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</TSrc>
|
|
<TDst neg="False">
|
|
<ObjectRef ref="id3AF5AA0A"/>
|
|
</TDst>
|
|
<TSrv neg="False">
|
|
<ServiceRef ref="id3B5009F7"/>
|
|
</TSrv>
|
|
<ItfInb neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ItfInb>
|
|
<ItfOutb neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ItfOutb>
|
|
<NATRuleOptions/>
|
|
</NATRule>
|
|
<NATRule id="id3BD8D9DD" disabled="False" group="" position="12" action="Translate" comment="">
|
|
<OSrc neg="False">
|
|
<ObjectRef ref="net-Internal_net"/>
|
|
</OSrc>
|
|
<ODst neg="True">
|
|
<ObjectRef ref="id3AFC191C"/>
|
|
</ODst>
|
|
<OSrv neg="False">
|
|
<ServiceRef ref="tcp-HTTP"/>
|
|
</OSrv>
|
|
<TSrc neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</TSrc>
|
|
<TDst neg="False">
|
|
<ObjectRef ref="id3AF5AA0A"/>
|
|
</TDst>
|
|
<TSrv neg="False">
|
|
<ServiceRef ref="id3B5009F7"/>
|
|
</TSrv>
|
|
<ItfInb neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ItfInb>
|
|
<ItfOutb neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ItfOutb>
|
|
<NATRuleOptions/>
|
|
</NATRule>
|
|
<NATRule id="id3BBC0EA4" disabled="False" group="" position="13" action="Translate" comment="">
|
|
<OSrc neg="False">
|
|
<ObjectRef ref="id3B4572AF"/>
|
|
</OSrc>
|
|
<ODst neg="True">
|
|
<ObjectRef ref="id3BBC0EFC"/>
|
|
</ODst>
|
|
<OSrv neg="False">
|
|
<ServiceRef ref="tcp-HTTP"/>
|
|
</OSrv>
|
|
<TSrc neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</TSrc>
|
|
<TDst neg="False">
|
|
<ObjectRef ref="id3AF5AA0A"/>
|
|
</TDst>
|
|
<TSrv neg="False">
|
|
<ServiceRef ref="id3B5009F7"/>
|
|
</TSrv>
|
|
<ItfInb neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ItfInb>
|
|
<ItfOutb neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ItfOutb>
|
|
<NATRuleOptions/>
|
|
</NATRule>
|
|
<NATRule id="id3BBC0F93" disabled="False" group="" position="14" action="Translate" comment="">
|
|
<OSrc neg="True">
|
|
<ObjectRef ref="id3B4572AF"/>
|
|
</OSrc>
|
|
<ODst neg="False">
|
|
<ObjectRef ref="id3BBC0EFC"/>
|
|
</ODst>
|
|
<OSrv neg="False">
|
|
<ServiceRef ref="tcp-HTTP"/>
|
|
</OSrv>
|
|
<TSrc neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</TSrc>
|
|
<TDst neg="False">
|
|
<ObjectRef ref="id3AF5AA0A"/>
|
|
</TDst>
|
|
<TSrv neg="False">
|
|
<ServiceRef ref="id3B5009F7"/>
|
|
</TSrv>
|
|
<ItfInb neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ItfInb>
|
|
<ItfOutb neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ItfOutb>
|
|
<NATRuleOptions/>
|
|
</NATRule>
|
|
<NATRule id="id3BC6BCE5" disabled="False" group="" position="15" action="Translate" comment="">
|
|
<OSrc neg="True">
|
|
<ObjectRef ref="host-hostA"/>
|
|
</OSrc>
|
|
<ODst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ODst>
|
|
<OSrv neg="False">
|
|
<ServiceRef ref="tcp-HTTP"/>
|
|
</OSrv>
|
|
<TSrc neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</TSrc>
|
|
<TDst neg="False">
|
|
<ObjectRef ref="id3AF5AA0A"/>
|
|
</TDst>
|
|
<TSrv neg="False">
|
|
<ServiceRef ref="id3B5009F7"/>
|
|
</TSrv>
|
|
<ItfInb neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ItfInb>
|
|
<ItfOutb neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ItfOutb>
|
|
<NATRuleOptions/>
|
|
</NATRule>
|
|
<NATRule id="id3D331552" disabled="False" group="" position="16" action="Translate" comment="">
|
|
<OSrc neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</OSrc>
|
|
<ODst neg="False">
|
|
<ObjectRef ref="id3AFADBF9"/>
|
|
</ODst>
|
|
<OSrv neg="False">
|
|
<ServiceRef ref="id3D330B17"/>
|
|
<ServiceRef ref="id3D330B16"/>
|
|
<ServiceRef ref="tcp-IRC"/>
|
|
<ServiceRef ref="id3B5009F7"/>
|
|
<ServiceRef ref="id3CE719F3"/>
|
|
</OSrv>
|
|
<TSrc neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</TSrc>
|
|
<TDst neg="False">
|
|
<ObjectRef ref="host-hostA"/>
|
|
</TDst>
|
|
<TSrv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</TSrv>
|
|
<ItfInb neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ItfInb>
|
|
<ItfOutb neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ItfOutb>
|
|
<NATRuleOptions/>
|
|
</NATRule>
|
|
<NATRule id="id3EB38BC6" disabled="False" group="" position="17" action="Translate" comment="">
|
|
<OSrc neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</OSrc>
|
|
<ODst neg="False">
|
|
<ObjectRef ref="net-Internal_net"/>
|
|
<ObjectRef ref="id3B022266"/>
|
|
</ODst>
|
|
<OSrv neg="False">
|
|
<ServiceRef ref="tcp-HTTP"/>
|
|
</OSrv>
|
|
<TSrc neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</TSrc>
|
|
<TDst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</TDst>
|
|
<TSrv neg="False">
|
|
<ServiceRef ref="id3B5009F7"/>
|
|
</TSrv>
|
|
<ItfInb neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ItfInb>
|
|
<ItfOutb neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ItfOutb>
|
|
<NATRuleOptions/>
|
|
</NATRule>
|
|
<NATRule id="id3EB38A91" disabled="False" group="" position="18" action="Translate" comment="">
|
|
<OSrc neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</OSrc>
|
|
<ODst neg="True">
|
|
<ObjectRef ref="net-Internal_net"/>
|
|
<ObjectRef ref="id3B022266"/>
|
|
</ODst>
|
|
<OSrv neg="False">
|
|
<ServiceRef ref="tcp-HTTP"/>
|
|
</OSrv>
|
|
<TSrc neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</TSrc>
|
|
<TDst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</TDst>
|
|
<TSrv neg="False">
|
|
<ServiceRef ref="id3B5009F7"/>
|
|
</TSrv>
|
|
<ItfInb neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ItfInb>
|
|
<ItfOutb neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ItfOutb>
|
|
<NATRuleOptions/>
|
|
</NATRule>
|
|
<RuleSetOptions/>
|
|
</NAT>
|
|
<Policy id="id3AF5AA0C" name="Policy" comment="" ro="False" ipv4_rule_set="False" ipv6_rule_set="False" top_rule_set="True">
|
|
<PolicyRule id="id3C5987DC" disabled="False" group="" log="True" position="0" action="Deny" direction="Both" comment="">
|
|
<Src neg="False">
|
|
<ObjectRef ref="id3B4572B5"/>
|
|
</Src>
|
|
<Dst neg="True">
|
|
<ObjectRef ref="id3B4572B5"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="id3B457567"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="id3AF5AA96"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="connlimit_masklen">0</Option>
|
|
<Option name="connlimit_value">0</Option>
|
|
<Option name="firewall_is_part_of_any_and_networks">False</Option>
|
|
<Option name="hashlimit_burst">2</Option>
|
|
<Option name="hashlimit_dstlimit">False</Option>
|
|
<Option name="hashlimit_expire">0</Option>
|
|
<Option name="hashlimit_gcinterval">0</Option>
|
|
<Option name="hashlimit_max">0</Option>
|
|
<Option name="hashlimit_mode_dstip">False</Option>
|
|
<Option name="hashlimit_mode_dstport">False</Option>
|
|
<Option name="hashlimit_mode_srcip">True</Option>
|
|
<Option name="hashlimit_mode_srcport">True</Option>
|
|
<Option name="hashlimit_name"/>
|
|
<Option name="hashlimit_size">0</Option>
|
|
<Option name="hashlimit_suffix">/hour</Option>
|
|
<Option name="hashlimit_value">1</Option>
|
|
<Option name="limit_burst">0</Option>
|
|
<Option name="limit_suffix"/>
|
|
<Option name="limit_value">0</Option>
|
|
<Option name="log_level"/>
|
|
<Option name="log_prefix"/>
|
|
<Option name="stateless">True</Option>
|
|
<Option name="ulog_nlgroup">1</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<PolicyRule id="id3CD34BEF" disabled="False" group="" log="False" position="1" action="Deny" direction="Both" comment="">
|
|
<Src neg="False">
|
|
<ObjectRef ref="id3B4572AF"/>
|
|
</Src>
|
|
<Dst neg="True">
|
|
<ObjectRef ref="id3B4572AF"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="id3B457567"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="id3AF5AA96"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="connlimit_masklen">0</Option>
|
|
<Option name="connlimit_value">0</Option>
|
|
<Option name="firewall_is_part_of_any_and_networks">False</Option>
|
|
<Option name="hashlimit_burst">2</Option>
|
|
<Option name="hashlimit_dstlimit">False</Option>
|
|
<Option name="hashlimit_expire">0</Option>
|
|
<Option name="hashlimit_gcinterval">0</Option>
|
|
<Option name="hashlimit_max">0</Option>
|
|
<Option name="hashlimit_mode_dstip">True</Option>
|
|
<Option name="hashlimit_mode_dstport">True</Option>
|
|
<Option name="hashlimit_mode_srcip">False</Option>
|
|
<Option name="hashlimit_mode_srcport">False</Option>
|
|
<Option name="hashlimit_name"/>
|
|
<Option name="hashlimit_size">0</Option>
|
|
<Option name="hashlimit_suffix">/hour</Option>
|
|
<Option name="hashlimit_value">1</Option>
|
|
<Option name="limit_burst">0</Option>
|
|
<Option name="limit_suffix"/>
|
|
<Option name="limit_value">0</Option>
|
|
<Option name="log_level"/>
|
|
<Option name="log_prefix"/>
|
|
<Option name="stateless">True</Option>
|
|
<Option name="ulog_nlgroup">1</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<PolicyRule id="id3AF5AAB4" disabled="False" group="" log="True" position="2" action="Deny" direction="Inbound" comment="Anti-spoofing rule">
|
|
<Src neg="False">
|
|
<ObjectRef ref="net-Internal_net"/>
|
|
<ObjectRef ref="id3AF5AA0A"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="id3AF5AA99"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="stateless">True</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<PolicyRule id="id3AF5AAAB" disabled="False" group="" log="True" position="3" action="Deny" direction="Outbound" comment="Anti-spoofing rule">
|
|
<Src neg="True">
|
|
<ObjectRef ref="net-Internal_net"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="id3AF5AA99"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="stateless">True</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<PolicyRule id="id40DBCD36" disabled="False" group="" log="True" position="4" action="Deny" direction="Outbound" comment="Anti-spoofing rule">
|
|
<Src neg="True">
|
|
<ObjectRef ref="net-Internal_net"/>
|
|
<ObjectRef ref="id3AF5AA0A"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="id3AF5AA99"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="stateless">True</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<PolicyRule id="id3D16D55D" disabled="False" group="" log="False" position="5" action="Accept" direction="Both" comment="">
|
|
<Src neg="False">
|
|
<ObjectRef ref="id3B022266"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="id3B0B4BC8"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions/>
|
|
</PolicyRule>
|
|
<PolicyRule id="id435D572226912" disabled="False" group="" log="True" position="6" action="Deny" direction="Inbound" comment="">
|
|
<Src neg="False">
|
|
<ObjectRef ref="id3B022266"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</Srv>
|
|
<Itf neg="True">
|
|
<ObjectRef ref="id3B0B4BC8"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="stateless">True</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<PolicyRule id="id435EA46C26912" disabled="False" group="" log="True" position="7" action="Deny" direction="Inbound" comment="">
|
|
<Src neg="False">
|
|
<ObjectRef ref="id3B665643"/>
|
|
<ObjectRef ref="id3DE71E90"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</Srv>
|
|
<Itf neg="True">
|
|
<ObjectRef ref="id3AF5AA99"/>
|
|
<ObjectRef ref="id3B11F434"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="stateless">True</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<PolicyRule id="id3D16D51D" disabled="False" group="" log="False" position="8" action="Accept" direction="Both" comment="">
|
|
<Src neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="id3B0B4D35"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions/>
|
|
</PolicyRule>
|
|
<PolicyRule id="id433D045026912" disabled="False" group="" log="True" position="9" action="Deny" direction="Inbound" comment="">
|
|
<Src neg="True">
|
|
<ObjectRef ref="net-Internal_net"/>
|
|
<ObjectRef ref="id3B022266"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="id3AF5AA96"/>
|
|
<ObjectRef ref="id3B0B4BC8"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="stateless">True</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<PolicyRule id="id434D389E26912" disabled="False" group="" log="False" position="10" action="Accept" direction="Inbound" comment="">
|
|
<Src neg="True">
|
|
<ObjectRef ref="id3B665643"/>
|
|
<ObjectRef ref="id3DE71E90"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="id3AF5AA99"/>
|
|
<ObjectRef ref="id3B11F434"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions/>
|
|
</PolicyRule>
|
|
<PolicyRule id="id3E728AD9" disabled="False" group="" log="False" position="11" action="Accounting" direction="Both" comment="">
|
|
<Src neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="stateless">True</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<PolicyRule id="id3CCA26E4" disabled="False" group="" log="True" position="12" action="Deny" direction="Both" comment="">
|
|
<Src neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="tcp-TCP-SYN"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="stateless">True</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<PolicyRule id="id3B9AB902" disabled="False" group="" log="True" position="13" action="Deny" direction="Both" comment="">
|
|
<Src neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Dst>
|
|
<Srv neg="True">
|
|
<ServiceRef ref="tcp-TCP-SYN"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="stateless">True</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<PolicyRule id="id3AFC0F90" disabled="False" group="" log="True" position="14" action="Accept" direction="Both" comment="hostF has the same IP address as the firewall.">
|
|
<Src neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="id3AFC191C"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="icmp-ping_request"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions/>
|
|
</PolicyRule>
|
|
<PolicyRule id="id434B03D526912" disabled="False" group="" log="False" position="15" action="Accept" direction="Both" comment="">
|
|
<Src neg="True">
|
|
<ObjectRef ref="net-Internal_net"/>
|
|
<ObjectRef ref="id3B022266"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions/>
|
|
</PolicyRule>
|
|
<PolicyRule id="id3B021E10" disabled="False" group="" log="True" position="16" action="Deny" direction="Both" comment="testing negation in the policy rule">
|
|
<Src neg="True">
|
|
<ObjectRef ref="host-hostA"/>
|
|
<ObjectRef ref="host-hostB"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="icmp-Unreachables"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="action_on_reject"/>
|
|
<Option name="limit_suffix">/minute</Option>
|
|
<Option name="limit_value">10</Option>
|
|
<Option name="log_prefix"/>
|
|
<Option name="stateless">True</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<PolicyRule id="id40C0D096" disabled="False" group="" log="True" position="17" action="Accounting" direction="Both" comment="testing negation in the policy rule">
|
|
<Src neg="True">
|
|
<ObjectRef ref="host-hostA"/>
|
|
<ObjectRef ref="host-hostB"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="tcp-HTTP"/>
|
|
<ServiceRef ref="id3B4FED69"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="action_on_reject"/>
|
|
<Option name="firewall_is_part_of_any_and_networks">False</Option>
|
|
<Option name="limit_burst">0</Option>
|
|
<Option name="limit_suffix">/minute</Option>
|
|
<Option name="limit_value">10</Option>
|
|
<Option name="log_level"/>
|
|
<Option name="log_prefix"/>
|
|
<Option name="stateless">True</Option>
|
|
<Option name="ulog_nlgroup">1</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<PolicyRule id="id40C0D10A" disabled="False" group="" log="True" position="18" action="Accept" direction="Both" comment="testing negation in the policy rule">
|
|
<Src neg="True">
|
|
<ObjectRef ref="host-hostA"/>
|
|
<ObjectRef ref="host-hostB"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="tcp-HTTP"/>
|
|
<ServiceRef ref="id3B4FED69"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="action_on_reject"/>
|
|
<Option name="firewall_is_part_of_any_and_networks">False</Option>
|
|
<Option name="limit_burst">0</Option>
|
|
<Option name="limit_suffix">/minute</Option>
|
|
<Option name="limit_value">10</Option>
|
|
<Option name="log_level"/>
|
|
<Option name="log_prefix"/>
|
|
<Option name="stateless">False</Option>
|
|
<Option name="ulog_nlgroup">1</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<PolicyRule id="id3B0B4A13" disabled="False" group="" log="True" position="19" action="Deny" direction="Both" comment="">
|
|
<Src neg="True">
|
|
<ObjectRef ref="host-hostA"/>
|
|
<ObjectRef ref="host-hostB"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="id3AF5AA0A"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="icmp-Unreachables"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="stateless">True</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<PolicyRule id="id3B5535B7" disabled="False" group="" log="True" position="20" action="Deny" direction="Both" comment="">
|
|
<Src neg="True">
|
|
<ObjectRef ref="id3B022266"/>
|
|
<ObjectRef ref="id3AF5AA0A"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="net-Internal_net"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="stateless">True</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<PolicyRule id="id40F1D905" disabled="False" group="" log="True" position="21" action="Deny" direction="Both" comment="">
|
|
<Src neg="True">
|
|
<ObjectRef ref="id3B022266"/>
|
|
<ObjectRef ref="id3AF5AA96"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="net-Internal_net"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="stateless">True</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<PolicyRule id="id3E74DF71" disabled="False" group="" log="True" position="22" action="Deny" direction="Both" comment="">
|
|
<Src neg="False">
|
|
<ObjectRef ref="id3DECF4EB"/>
|
|
<ObjectRef ref="id3DECF622"/>
|
|
</Src>
|
|
<Dst neg="True">
|
|
<ObjectRef ref="host-hostA"/>
|
|
<ObjectRef ref="host-hostB"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="stateless">True</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<PolicyRule id="id3B11F63D" disabled="False" group="" log="True" position="23" action="Deny" direction="Both" comment="">
|
|
<Src neg="False">
|
|
<ObjectRef ref="net-Internal_net"/>
|
|
<ObjectRef ref="id3B022266"/>
|
|
</Src>
|
|
<Dst neg="True">
|
|
<ObjectRef ref="host-hostA"/>
|
|
<ObjectRef ref="host-hostB"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="stateless">True</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<PolicyRule id="id3B021E6F" disabled="False" group="" log="True" position="24" action="Deny" direction="Both" comment="testing negation in service field">
|
|
<Src neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="host-hostA"/>
|
|
<ObjectRef ref="host-hostB"/>
|
|
</Dst>
|
|
<Srv neg="True">
|
|
<ServiceRef ref="tcp-SMTP"/>
|
|
<ServiceRef ref="tcp-SSH"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="stateless">True</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<PolicyRule id="id3CCA2CF4" disabled="False" group="" log="True" position="25" action="Accept" direction="Both" comment="testing negation in service field">
|
|
<Src neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="host-hostA"/>
|
|
<ObjectRef ref="host-hostB"/>
|
|
</Dst>
|
|
<Srv neg="True">
|
|
<ServiceRef ref="tcp-SMTP"/>
|
|
<ServiceRef ref="tcp-SSH"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions/>
|
|
</PolicyRule>
|
|
<PolicyRule id="id3EA925F1" disabled="False" group="" log="True" position="26" action="Accept" direction="Both" comment="testing negation in service field">
|
|
<Src neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="host-hostA"/>
|
|
<ObjectRef ref="host-hostB"/>
|
|
</Dst>
|
|
<Srv neg="True">
|
|
<ServiceRef ref="tcp-SMTP"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions/>
|
|
</PolicyRule>
|
|
<PolicyRule id="id3EA9225C" disabled="False" group="" log="True" position="27" action="Accept" direction="Both" comment="testing negation in service field">
|
|
<Src neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="host-hostA"/>
|
|
<ObjectRef ref="host-hostB"/>
|
|
</Dst>
|
|
<Srv neg="True">
|
|
<ServiceRef ref="id3C1A5D46"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions/>
|
|
</PolicyRule>
|
|
<PolicyRule id="id4144E299" disabled="False" group="" log="False" position="28" action="Accept" direction="Both" comment="testing negation in service field">
|
|
<Src neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Src>
|
|
<Dst neg="True">
|
|
<ObjectRef ref="host-hostA"/>
|
|
<ObjectRef ref="host-hostB"/>
|
|
</Dst>
|
|
<Srv neg="True">
|
|
<ServiceRef ref="id3C1A5D46"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions/>
|
|
</PolicyRule>
|
|
<PolicyRule id="id41449248" disabled="False" group="" log="False" position="29" action="Accept" direction="Both" comment="testing negation in service field">
|
|
<Src neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="host-hostA"/>
|
|
<ObjectRef ref="host-hostB"/>
|
|
</Dst>
|
|
<Srv neg="True">
|
|
<ServiceRef ref="tcp-HTTP"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="int-workhours"/>
|
|
</When>
|
|
<PolicyRuleOptions/>
|
|
</PolicyRule>
|
|
<PolicyRule id="id414532F3" disabled="False" group="" log="False" position="30" action="Accept" direction="Both" comment="testing negation in service field">
|
|
<Src neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Src>
|
|
<Dst neg="True">
|
|
<ObjectRef ref="host-hostA"/>
|
|
<ObjectRef ref="host-hostB"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="tcp-HTTP"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="True">
|
|
<IntervalRef ref="int-workhours"/>
|
|
</When>
|
|
<PolicyRuleOptions/>
|
|
</PolicyRule>
|
|
<PolicyRule id="id41449257" disabled="False" group="" log="False" position="31" action="Accept" direction="Both" comment="testing negation in service field">
|
|
<Src neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="host-hostA"/>
|
|
<ObjectRef ref="host-hostB"/>
|
|
</Dst>
|
|
<Srv neg="True">
|
|
<ServiceRef ref="tcp-HTTP"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="True">
|
|
<IntervalRef ref="int-workhours"/>
|
|
</When>
|
|
<PolicyRuleOptions/>
|
|
</PolicyRule>
|
|
<PolicyRule id="id4368F08A15884" disabled="False" group="" log="False" position="32" action="Accept" direction="Both" comment="">
|
|
<Src neg="False">
|
|
<ObjectRef ref="id3AF5AA0A"/>
|
|
</Src>
|
|
<Dst neg="True">
|
|
<ObjectRef ref="id3AF5AA0A"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="tcp-HTTP"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions/>
|
|
</PolicyRule>
|
|
<PolicyRule id="id3E74D8BB" disabled="False" group="" log="False" position="33" action="Accept" direction="Both" comment="">
|
|
<Src neg="False">
|
|
<ObjectRef ref="id3AF5AA0A"/>
|
|
<ObjectRef ref="id3B022266"/>
|
|
</Src>
|
|
<Dst neg="True">
|
|
<ObjectRef ref="id3AF5AA0A"/>
|
|
<ObjectRef ref="net-Internal_net"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="tcp-SSH"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions/>
|
|
</PolicyRule>
|
|
<PolicyRule id="id3B45739A" disabled="False" group="" log="True" position="34" action="Deny" direction="Both" comment="">
|
|
<Src neg="False">
|
|
<ObjectRef ref="id3B4572B5"/>
|
|
</Src>
|
|
<Dst neg="True">
|
|
<ObjectRef ref="id3B4572B5"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="id3B457567"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="stateless">True</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<PolicyRule id="id4067B2C2" disabled="False" group="" log="True" position="35" action="Deny" direction="Both" comment="double negation rule">
|
|
<Src neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Src>
|
|
<Dst neg="True">
|
|
<ObjectRef ref="id3B4572AF"/>
|
|
</Dst>
|
|
<Srv neg="True">
|
|
<ServiceRef ref="id4067B2CD"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="stateless">True</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<PolicyRule id="id41A88DF6" disabled="False" group="" log="False" position="36" action="Accept" direction="Both" comment="">
|
|
<Src neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Src>
|
|
<Dst neg="True">
|
|
<ObjectRef ref="id3AF5AA96"/>
|
|
<ObjectRef ref="id3B0B4BC8"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions/>
|
|
</PolicyRule>
|
|
<PolicyRule id="id41B5176E" disabled="False" group="" log="False" position="37" action="Accept" direction="Both" comment="">
|
|
<Src neg="True">
|
|
<ObjectRef ref="id3AF5AA96"/>
|
|
<ObjectRef ref="id3B0B4BC8"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="net-Internal_net"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions/>
|
|
</PolicyRule>
|
|
<PolicyRule id="id4143BD3F" disabled="False" group="" log="False" position="38" action="Accept" direction="Both" comment="">
|
|
<Src neg="False">
|
|
<ObjectRef ref="net-Internal_net"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="tcp-SMTP"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="True">
|
|
<IntervalRef ref="id3C63479C"/>
|
|
<IntervalRef ref="id3C63479E"/>
|
|
</When>
|
|
<PolicyRuleOptions/>
|
|
</PolicyRule>
|
|
<PolicyRule id="id4143BD1A" disabled="False" group="" log="False" position="39" action="Accept" direction="Both" comment="">
|
|
<Src neg="False">
|
|
<ObjectRef ref="net-Internal_net"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="tcp-HTTP"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="True">
|
|
<IntervalRef ref="int-workhours"/>
|
|
</When>
|
|
<PolicyRuleOptions/>
|
|
</PolicyRule>
|
|
<PolicyRule id="id1515316X29460" disabled="False" group="" log="False" position="40" action="Deny" direction="Both" comment="">
|
|
<Src neg="False">
|
|
<ObjectRef ref="id3AF5AA0A"/>
|
|
</Src>
|
|
<Dst neg="True">
|
|
<ObjectRef ref="net-Internal_net"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="tcp-HTTP"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="stateless">True</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<PolicyRule id="id1515397X29460" disabled="False" group="" log="False" position="41" action="Deny" direction="Both" comment="">
|
|
<Src neg="True">
|
|
<ObjectRef ref="net-Internal_net"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="id3AF5AA0A"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="tcp-HTTP"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="stateless">True</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<RuleSetOptions/>
|
|
</Policy>
|
|
<Policy id="id40709X74808" name="GOOD_GUYS" comment="" ro="False" ipv4_rule_set="True" ipv6_rule_set="False" top_rule_set="False">
|
|
<PolicyRule id="id40710X74808" disabled="False" group="" log="True" position="0" action="Deny" direction="Both" comment="">
|
|
<Src neg="True">
|
|
<ObjectRef ref="net-Internal_net"/>
|
|
<ObjectRef ref="id86936X27543"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="stateless">True</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<RuleSetOptions/>
|
|
</Policy>
|
|
<Routing id="id3AF5AA0A-routing" name="Routing" comment="" ro="False" ipv4_rule_set="False" ipv6_rule_set="False" top_rule_set="True">
|
|
<RuleSetOptions/>
|
|
</Routing>
|
|
<Interface id="id3AF5AA96" dedicated_failover="False" dyn="False" label="" mgmt="True" security_level="100" unnum="False" unprotected="False" name="eth0" comment="" ro="False">
|
|
<IPv4 id="id3AF5AA96-ipv4" name="address" comment="" ro="False" address="192.168.1.1" netmask="255.255.255.0"/>
|
|
<InterfaceOptions/>
|
|
</Interface>
|
|
<Interface id="id3AF5AA99" dedicated_failover="False" dyn="False" security_level="0" unnum="False" unprotected="False" name="eth1" comment="" ro="False">
|
|
<IPv4 id="id3AF5AA99-ipv4" name="address" comment="" ro="False" address="22.22.22.22" netmask="255.255.255.0"/>
|
|
<InterfaceOptions/>
|
|
</Interface>
|
|
<Interface id="id3B0B4BC8" dedicated_failover="False" dyn="False" security_level="100" unnum="False" unprotected="False" name="eth2" comment="" ro="False">
|
|
<IPv4 id="id3B0B4BC8-ipv4" name="address" comment="" ro="False" address="192.168.2.1" netmask="255.255.255.0"/>
|
|
<InterfaceOptions/>
|
|
</Interface>
|
|
<Interface id="id3B0B4D35" dedicated_failover="False" dyn="False" security_level="100" unnum="False" unprotected="False" name="lo" comment="" ro="False">
|
|
<IPv4 id="id3B0B4D35-ipv4" name="address" comment="" ro="False" address="127.0.0.1" netmask="255.0.0.0"/>
|
|
<InterfaceOptions/>
|
|
</Interface>
|
|
<Interface id="id3B11F434" dedicated_failover="False" dyn="False" security_level="0" unnum="False" unprotected="False" name="eth3" comment="" ro="False">
|
|
<IPv4 id="id3B11F434-ipv4" name="address" comment="" ro="False" address="22.22.23.23" netmask="255.255.255.0"/>
|
|
<InterfaceOptions/>
|
|
</Interface>
|
|
<Management address="192.168.1.1">
|
|
<SNMPManagement enabled="False" snmp_read_community="public" snmp_write_community=""/>
|
|
<FWBDManagement enabled="True" identity="" port="9999"/>
|
|
<PolicyInstallScript arguments="" command="" enabled="False"/>
|
|
</Management>
|
|
<FirewallOptions>
|
|
<Option name="accept_established">True</Option>
|
|
<Option name="accept_new_tcp_with_no_syn">True</Option>
|
|
<Option name="action_on_reject">ICMP net unreachable</Option>
|
|
<Option name="activationCmd"/>
|
|
<Option name="add_mgmt_ssh_rule_when_stoped">False</Option>
|
|
<Option name="add_rules_for_ipv6_neighbor_discovery">False</Option>
|
|
<Option name="admUser"/>
|
|
<Option name="altAddress"/>
|
|
<Option name="bridging_fw">False</Option>
|
|
<Option name="check_shading">True</Option>
|
|
<Option name="clamp_mss_to_mtu">False</Option>
|
|
<Option name="classify_mark_terminating">False</Option>
|
|
<Option name="clear_unknown_interfaces">False</Option>
|
|
<Option name="cmdline">-xt</Option>
|
|
<Option name="compiler"/>
|
|
<Option name="configure_bonding_interfaces">False</Option>
|
|
<Option name="configure_bridge_interfaces">False</Option>
|
|
<Option name="configure_interfaces">True</Option>
|
|
<Option name="configure_vlan_interfaces">False</Option>
|
|
<Option name="debug">False</Option>
|
|
<Option name="drop_invalid">True</Option>
|
|
<Option name="dyn_addr">False</Option>
|
|
<Option name="epilog_script"/>
|
|
<Option name="firewall_dir"/>
|
|
<Option name="firewall_is_part_of_any">True</Option>
|
|
<Option name="firewall_is_part_of_any_and_networks">True</Option>
|
|
<Option name="ignore_empty_groups">False</Option>
|
|
<Option name="inst_cmdline"/>
|
|
<Option name="inst_script"/>
|
|
<Option name="install_script"/>
|
|
<Option name="ipt_mangle_only_rulesets"/>
|
|
<Option name="ipv4_6_order">ipv4_first</Option>
|
|
<Option name="limit_suffix">/second</Option>
|
|
<Option name="limit_value">0</Option>
|
|
<Option name="linux24_accept_redirects"/>
|
|
<Option name="linux24_accept_source_route"/>
|
|
<Option name="linux24_icmp_echo_ignore_all"/>
|
|
<Option name="linux24_icmp_echo_ignore_broadcasts"/>
|
|
<Option name="linux24_icmp_ignore_bogus_error_responses"/>
|
|
<Option name="linux24_ip_dynaddr"/>
|
|
<Option name="linux24_ip_forward"/>
|
|
<Option name="linux24_log_martians"/>
|
|
<Option name="linux24_path_ip"/>
|
|
<Option name="linux24_path_iptables"/>
|
|
<Option name="linux24_path_logger"/>
|
|
<Option name="linux24_path_lsmod"/>
|
|
<Option name="linux24_path_modprobe"/>
|
|
<Option name="linux24_rp_filter"/>
|
|
<Option name="linux24_tcp_ecn"/>
|
|
<Option name="linux24_tcp_fack"/>
|
|
<Option name="linux24_tcp_fin_timeout">30</Option>
|
|
<Option name="linux24_tcp_keepalive_interval">1800</Option>
|
|
<Option name="linux24_tcp_sack"/>
|
|
<Option name="linux24_tcp_syncookies"/>
|
|
<Option name="linux24_tcp_timestamps"/>
|
|
<Option name="linux24_tcp_window_scaling"/>
|
|
<Option name="load_modules">False</Option>
|
|
<Option name="local_nat">False</Option>
|
|
<Option name="log_all">False</Option>
|
|
<Option name="log_all_dropped">False</Option>
|
|
<Option name="log_invalid">True</Option>
|
|
<Option name="log_ip_opt">False</Option>
|
|
<Option name="log_level">debug</Option>
|
|
<Option name="log_limit_suffix">/second</Option>
|
|
<Option name="log_limit_value">0</Option>
|
|
<Option name="log_prefix"/>
|
|
<Option name="log_tcp_opt">False</Option>
|
|
<Option name="log_tcp_seq">False</Option>
|
|
<Option name="manage_virtual_addr">True</Option>
|
|
<Option name="mgmt_addr"/>
|
|
<Option name="mgmt_ssh">False</Option>
|
|
<Option name="no_iochains_for_any">False</Option>
|
|
<Option name="no_optimisation">False</Option>
|
|
<Option name="output_file"/>
|
|
<Option name="platform">iptables</Option>
|
|
<Option name="prolog_place">after_interfaces</Option>
|
|
<Option name="prolog_script"/>
|
|
<Option name="proxy_arp">False</Option>
|
|
<Option name="scpArgs"/>
|
|
<Option name="script_env_path"/>
|
|
<Option name="script_name_on_firewall"/>
|
|
<Option name="snmp_contact"/>
|
|
<Option name="snmp_description"/>
|
|
<Option name="snmp_location"/>
|
|
<Option name="sshArgs"/>
|
|
<Option name="ulog_cprange">0</Option>
|
|
<Option name="ulog_nlgroup">1</Option>
|
|
<Option name="ulog_qthreshold">1</Option>
|
|
<Option name="use_ULOG">False</Option>
|
|
<Option name="use_ip_tool">False</Option>
|
|
<Option name="use_iptables_restore">False</Option>
|
|
<Option name="use_numeric_log_levels">False</Option>
|
|
<Option name="verify_interfaces">False</Option>
|
|
</FirewallOptions>
|
|
</Firewall>
|
|
<Firewall id="id3AFB66C6" host_OS="linux24" inactive="False" lastCompiled="1273779773" lastInstalled="1142003872" lastModified="1282244482" platform="iptables" version="" name="firewall2" comment="this object has several interfaces and shows different rules for NAT. Also testing policy rule options " ro="False">
|
|
<NAT id="id3AFB66C7" name="NAT" comment="" ro="False" ipv4_rule_set="False" ipv6_rule_set="False" top_rule_set="True">
|
|
<NATRule id="id3AFB66C8" disabled="False" group="" position="0" action="Translate" comment="">
|
|
<OSrc neg="False">
|
|
<ObjectRef ref="net-Internal_net"/>
|
|
</OSrc>
|
|
<ODst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ODst>
|
|
<OSrv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</OSrv>
|
|
<TSrc neg="False">
|
|
<ObjectRef ref="id3AFB66C6"/>
|
|
</TSrc>
|
|
<TDst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</TDst>
|
|
<TSrv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</TSrv>
|
|
<ItfInb neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ItfInb>
|
|
<ItfOutb neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ItfOutb>
|
|
<NATRuleOptions>
|
|
<Option name="id"/>
|
|
</NATRuleOptions>
|
|
</NATRule>
|
|
<NATRule id="id3F3E9BB6" disabled="False" group="" position="1" action="Translate" comment="">
|
|
<OSrc neg="False">
|
|
<ObjectRef ref="net-Internal_net"/>
|
|
</OSrc>
|
|
<ODst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ODst>
|
|
<OSrv neg="False">
|
|
<ServiceRef ref="tcp-HTTP"/>
|
|
<ServiceRef ref="sg-Useful_ICMP"/>
|
|
</OSrv>
|
|
<TSrc neg="False">
|
|
<ObjectRef ref="id3AFB66C6"/>
|
|
</TSrc>
|
|
<TDst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</TDst>
|
|
<TSrv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</TSrv>
|
|
<ItfInb neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ItfInb>
|
|
<ItfOutb neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ItfOutb>
|
|
<NATRuleOptions>
|
|
<Option name="id"/>
|
|
</NATRuleOptions>
|
|
</NATRule>
|
|
<NATRule id="id3F3E9D62" disabled="False" group="" position="2" action="Translate" comment="">
|
|
<OSrc neg="False">
|
|
<ObjectRef ref="net-Internal_net"/>
|
|
</OSrc>
|
|
<ODst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ODst>
|
|
<OSrv neg="False">
|
|
<ServiceRef ref="tcp-HTTP"/>
|
|
<ServiceRef ref="sg-Useful_ICMP"/>
|
|
<ServiceRef ref="ip-IPSEC"/>
|
|
<ServiceRef ref="id3F3E9EFC"/>
|
|
</OSrv>
|
|
<TSrc neg="False">
|
|
<ObjectRef ref="id3AFB66C6"/>
|
|
</TSrc>
|
|
<TDst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</TDst>
|
|
<TSrv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</TSrv>
|
|
<ItfInb neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ItfInb>
|
|
<ItfOutb neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ItfOutb>
|
|
<NATRuleOptions>
|
|
<Option name="id"/>
|
|
</NATRuleOptions>
|
|
</NATRule>
|
|
<NATRule id="id3D8F5820" disabled="False" group="" position="3" action="Translate" comment="">
|
|
<OSrc neg="False">
|
|
<ObjectRef ref="net-Internal_net"/>
|
|
</OSrc>
|
|
<ODst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ODst>
|
|
<OSrv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</OSrv>
|
|
<TSrc neg="False">
|
|
<ObjectRef ref="id3AFB68D2"/>
|
|
</TSrc>
|
|
<TDst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</TDst>
|
|
<TSrv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</TSrv>
|
|
<ItfInb neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ItfInb>
|
|
<ItfOutb neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ItfOutb>
|
|
<NATRuleOptions>
|
|
<Option name="id"/>
|
|
</NATRuleOptions>
|
|
</NATRule>
|
|
<NATRule id="id3D8F5A56" disabled="False" group="" position="4" action="Translate" comment="">
|
|
<OSrc neg="False">
|
|
<ObjectRef ref="net-Internal_net"/>
|
|
</OSrc>
|
|
<ODst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ODst>
|
|
<OSrv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</OSrv>
|
|
<TSrc neg="False">
|
|
<ObjectRef ref="id3D5DEADC"/>
|
|
</TSrc>
|
|
<TDst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</TDst>
|
|
<TSrv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</TSrv>
|
|
<ItfInb neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ItfInb>
|
|
<ItfOutb neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ItfOutb>
|
|
<NATRuleOptions>
|
|
<Option name="id"/>
|
|
</NATRuleOptions>
|
|
</NATRule>
|
|
<NATRule id="id48356E1314854" disabled="False" group="" position="5" action="Translate" comment="">
|
|
<OSrc neg="False">
|
|
<ObjectRef ref="net-Internal_net"/>
|
|
</OSrc>
|
|
<ODst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ODst>
|
|
<OSrv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</OSrv>
|
|
<TSrc neg="False">
|
|
<ObjectRef ref="id48356E0A14854"/>
|
|
</TSrc>
|
|
<TDst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</TDst>
|
|
<TSrv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</TSrv>
|
|
<ItfInb neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ItfInb>
|
|
<ItfOutb neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ItfOutb>
|
|
<NATRuleOptions>
|
|
<Option name="id"/>
|
|
</NATRuleOptions>
|
|
</NATRule>
|
|
<NATRule id="id3AFB66D6" disabled="False" group="" position="6" action="Translate" comment="">
|
|
<OSrc neg="False">
|
|
<ObjectRef ref="host-hostA"/>
|
|
</OSrc>
|
|
<ODst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ODst>
|
|
<OSrv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</OSrv>
|
|
<TSrc neg="False">
|
|
<ObjectRef ref="id3AFADBF9"/>
|
|
</TSrc>
|
|
<TDst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</TDst>
|
|
<TSrv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</TSrv>
|
|
<ItfInb neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ItfInb>
|
|
<ItfOutb neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ItfOutb>
|
|
<NATRuleOptions>
|
|
<Option name="id"/>
|
|
</NATRuleOptions>
|
|
</NATRule>
|
|
<NATRule id="id3DE47CAD" disabled="False" group="" position="7" action="Translate" comment="">
|
|
<OSrc neg="False">
|
|
<ObjectRef ref="host-hostA"/>
|
|
</OSrc>
|
|
<ODst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ODst>
|
|
<OSrv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</OSrv>
|
|
<TSrc neg="False">
|
|
<ObjectRef ref="id3DE47B6C"/>
|
|
</TSrc>
|
|
<TDst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</TDst>
|
|
<TSrv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</TSrv>
|
|
<ItfInb neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ItfInb>
|
|
<ItfOutb neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ItfOutb>
|
|
<NATRuleOptions>
|
|
<Option name="id"/>
|
|
<Option name="ipt_nat_random">True</Option>
|
|
<Option name="ipt_snat_random">True</Option>
|
|
<Option name="ipt_use_snat_instead_of_masq">False</Option>
|
|
</NATRuleOptions>
|
|
</NATRule>
|
|
<NATRule id="id3CABE6DF" disabled="False" group="" position="8" action="Translate" comment="">
|
|
<OSrc neg="False">
|
|
<ObjectRef ref="net-Internal_net"/>
|
|
</OSrc>
|
|
<ODst neg="False">
|
|
<ObjectRef ref="host-hostA"/>
|
|
<ObjectRef ref="id3D8FC56A"/>
|
|
</ODst>
|
|
<OSrv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</OSrv>
|
|
<TSrc neg="False">
|
|
<ObjectRef ref="id3AFC191C"/>
|
|
</TSrc>
|
|
<TDst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</TDst>
|
|
<TSrv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</TSrv>
|
|
<ItfInb neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ItfInb>
|
|
<ItfOutb neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ItfOutb>
|
|
<NATRuleOptions/>
|
|
</NATRule>
|
|
<NATRule id="id42323X29127" disabled="False" group="" position="9" action="Translate" comment="">
|
|
<OSrc neg="False">
|
|
<ObjectRef ref="net-Internal_net"/>
|
|
</OSrc>
|
|
<ODst neg="False">
|
|
<ObjectRef ref="id3B022266"/>
|
|
</ODst>
|
|
<OSrv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</OSrv>
|
|
<TSrc neg="False">
|
|
<ObjectRef ref="id3B0221F1-ipv4"/>
|
|
</TSrc>
|
|
<TDst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</TDst>
|
|
<TSrv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</TSrv>
|
|
<ItfInb neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ItfInb>
|
|
<ItfOutb neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ItfOutb>
|
|
<NATRuleOptions/>
|
|
</NATRule>
|
|
<NATRule id="id42340X29127" disabled="False" group="" position="10" action="Translate" comment="">
|
|
<OSrc neg="False">
|
|
<ObjectRef ref="net-Internal_net"/>
|
|
</OSrc>
|
|
<ODst neg="False">
|
|
<ObjectRef ref="id3B022266"/>
|
|
</ODst>
|
|
<OSrv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</OSrv>
|
|
<TSrc neg="False">
|
|
<ObjectRef ref="id3B0221F1"/>
|
|
</TSrc>
|
|
<TDst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</TDst>
|
|
<TSrv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</TSrv>
|
|
<ItfInb neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ItfInb>
|
|
<ItfOutb neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ItfOutb>
|
|
<NATRuleOptions/>
|
|
</NATRule>
|
|
<NATRule id="id3D1519E8" disabled="False" group="" position="11" action="Translate" comment="">
|
|
<OSrc neg="False">
|
|
<ObjectRef ref="host-hostA"/>
|
|
<ObjectRef ref="host-hostB"/>
|
|
<ObjectRef ref="id3AFB66C6"/>
|
|
<ObjectRef ref="id3B4572AF"/>
|
|
</OSrc>
|
|
<ODst neg="False">
|
|
<ObjectRef ref="id3D151943"/>
|
|
<ObjectRef ref="id3D151947"/>
|
|
</ODst>
|
|
<OSrv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</OSrv>
|
|
<TSrc neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</TSrc>
|
|
<TDst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</TDst>
|
|
<TSrv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</TSrv>
|
|
<ItfInb neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ItfInb>
|
|
<ItfOutb neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ItfOutb>
|
|
<NATRuleOptions/>
|
|
</NATRule>
|
|
<NATRule id="id3D151BA0" disabled="False" group="" position="12" action="Translate" comment="">
|
|
<OSrc neg="False">
|
|
<ObjectRef ref="host-hostA"/>
|
|
<ObjectRef ref="host-hostB"/>
|
|
</OSrc>
|
|
<ODst neg="True">
|
|
<ObjectRef ref="id3D151943"/>
|
|
<ObjectRef ref="id3D151947"/>
|
|
</ODst>
|
|
<OSrv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</OSrv>
|
|
<TSrc neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</TSrc>
|
|
<TDst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</TDst>
|
|
<TSrv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</TSrv>
|
|
<ItfInb neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ItfInb>
|
|
<ItfOutb neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ItfOutb>
|
|
<NATRuleOptions/>
|
|
</NATRule>
|
|
<NATRule id="id3AFB69BD" disabled="False" group="" position="13" action="Translate" comment="">
|
|
<OSrc neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</OSrc>
|
|
<ODst neg="False">
|
|
<ObjectRef ref="id3AFADBF9"/>
|
|
</ODst>
|
|
<OSrv neg="False">
|
|
<ServiceRef ref="tcp-HTTP"/>
|
|
<ServiceRef ref="tcp-NNTP"/>
|
|
<ServiceRef ref="sg-Useful_ICMP"/>
|
|
<ServiceRef ref="ip-IPSEC"/>
|
|
<ServiceRef ref="id3F3E9EFC"/>
|
|
</OSrv>
|
|
<TSrc neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</TSrc>
|
|
<TDst neg="False">
|
|
<ObjectRef ref="host-hostA"/>
|
|
</TDst>
|
|
<TSrv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</TSrv>
|
|
<ItfInb neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ItfInb>
|
|
<ItfOutb neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ItfOutb>
|
|
<NATRuleOptions/>
|
|
</NATRule>
|
|
<NATRule id="id3E76DDFF" disabled="False" group="" position="14" action="Translate" comment="">
|
|
<OSrc neg="False">
|
|
<ObjectRef ref="id3AFB66C6"/>
|
|
</OSrc>
|
|
<ODst neg="False">
|
|
<ObjectRef ref="id3AFADBF9"/>
|
|
</ODst>
|
|
<OSrv neg="False">
|
|
<ServiceRef ref="tcp-HTTP"/>
|
|
<ServiceRef ref="tcp-NNTP"/>
|
|
<ServiceRef ref="sg-Useful_ICMP"/>
|
|
</OSrv>
|
|
<TSrc neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</TSrc>
|
|
<TDst neg="False">
|
|
<ObjectRef ref="host-hostA"/>
|
|
</TDst>
|
|
<TSrv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</TSrv>
|
|
<ItfInb neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ItfInb>
|
|
<ItfOutb neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ItfOutb>
|
|
<NATRuleOptions/>
|
|
</NATRule>
|
|
<NATRule id="id3E76DE15" disabled="False" group="" position="15" action="Translate" comment="">
|
|
<OSrc neg="False">
|
|
<ObjectRef ref="id3AFB68D2"/>
|
|
</OSrc>
|
|
<ODst neg="False">
|
|
<ObjectRef ref="id3AFADBF9"/>
|
|
</ODst>
|
|
<OSrv neg="False">
|
|
<ServiceRef ref="tcp-HTTP"/>
|
|
<ServiceRef ref="tcp-NNTP"/>
|
|
</OSrv>
|
|
<TSrc neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</TSrc>
|
|
<TDst neg="False">
|
|
<ObjectRef ref="host-hostA"/>
|
|
</TDst>
|
|
<TSrv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</TSrv>
|
|
<ItfInb neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ItfInb>
|
|
<ItfOutb neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ItfOutb>
|
|
<NATRuleOptions/>
|
|
</NATRule>
|
|
<NATRule id="id3E76DF9A" disabled="False" group="" position="16" action="Translate" comment="">
|
|
<OSrc neg="False">
|
|
<ObjectRef ref="id3AFB66C6"/>
|
|
<ObjectRef ref="id3B19C5EB"/>
|
|
</OSrc>
|
|
<ODst neg="False">
|
|
<ObjectRef ref="id3AFADBF9"/>
|
|
</ODst>
|
|
<OSrv neg="False">
|
|
<ServiceRef ref="tcp-HTTP"/>
|
|
<ServiceRef ref="tcp-NNTP"/>
|
|
</OSrv>
|
|
<TSrc neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</TSrc>
|
|
<TDst neg="False">
|
|
<ObjectRef ref="host-hostA"/>
|
|
</TDst>
|
|
<TSrv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</TSrv>
|
|
<ItfInb neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ItfInb>
|
|
<ItfOutb neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ItfOutb>
|
|
<NATRuleOptions/>
|
|
</NATRule>
|
|
<NATRule id="id3DEA75AF" disabled="True" group="" position="17" action="Translate" comment="">
|
|
<OSrc neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</OSrc>
|
|
<ODst neg="False">
|
|
<ObjectRef ref="id3AFADBF9"/>
|
|
</ODst>
|
|
<OSrv neg="False">
|
|
<ServiceRef ref="tcp-HTTP"/>
|
|
</OSrv>
|
|
<TSrc neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</TSrc>
|
|
<TDst neg="False">
|
|
<ObjectRef ref="host-hostA"/>
|
|
<ObjectRef ref="host-hostB"/>
|
|
</TDst>
|
|
<TSrv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</TSrv>
|
|
<ItfInb neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ItfInb>
|
|
<ItfOutb neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ItfOutb>
|
|
<NATRuleOptions/>
|
|
</NATRule>
|
|
<NATRule id="id3DE47C72" disabled="False" group="" position="18" action="Translate" comment="">
|
|
<OSrc neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</OSrc>
|
|
<ODst neg="False">
|
|
<ObjectRef ref="id3DE47B6C"/>
|
|
</ODst>
|
|
<OSrv neg="False">
|
|
<ServiceRef ref="tcp-HTTP"/>
|
|
<ServiceRef ref="tcp-NNTP"/>
|
|
</OSrv>
|
|
<TSrc neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</TSrc>
|
|
<TDst neg="False">
|
|
<ObjectRef ref="host-hostA"/>
|
|
</TDst>
|
|
<TSrv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</TSrv>
|
|
<ItfInb neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ItfInb>
|
|
<ItfOutb neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ItfOutb>
|
|
<NATRuleOptions/>
|
|
</NATRule>
|
|
<NATRule id="id3BEEF6D2" disabled="False" group="" position="19" action="Translate" comment="">
|
|
<OSrc neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</OSrc>
|
|
<ODst neg="False">
|
|
<ObjectRef ref="id3AFC0F70"/>
|
|
</ODst>
|
|
<OSrv neg="False">
|
|
<ServiceRef ref="tcp-NNTP"/>
|
|
</OSrv>
|
|
<TSrc neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</TSrc>
|
|
<TDst neg="False">
|
|
<ObjectRef ref="host-hostA"/>
|
|
</TDst>
|
|
<TSrv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</TSrv>
|
|
<ItfInb neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ItfInb>
|
|
<ItfOutb neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ItfOutb>
|
|
<NATRuleOptions/>
|
|
</NATRule>
|
|
<NATRule id="id3BD67563" disabled="False" group="" position="20" action="Translate" comment="">
|
|
<OSrc neg="False">
|
|
<ObjectRef ref="host-hostB"/>
|
|
</OSrc>
|
|
<ODst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ODst>
|
|
<OSrv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</OSrv>
|
|
<TSrc neg="False">
|
|
<ObjectRef ref="id3BD6736B"/>
|
|
</TSrc>
|
|
<TDst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</TDst>
|
|
<TSrv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</TSrv>
|
|
<ItfInb neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ItfInb>
|
|
<ItfOutb neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ItfOutb>
|
|
<NATRuleOptions>
|
|
<Option name="id"/>
|
|
</NATRuleOptions>
|
|
</NATRule>
|
|
<NATRule id="id3BD6757E" disabled="False" group="" position="21" action="Translate" comment="">
|
|
<OSrc neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</OSrc>
|
|
<ODst neg="False">
|
|
<ObjectRef ref="id3BD6736B"/>
|
|
</ODst>
|
|
<OSrv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</OSrv>
|
|
<TSrc neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</TSrc>
|
|
<TDst neg="False">
|
|
<ObjectRef ref="host-hostB"/>
|
|
</TDst>
|
|
<TSrv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</TSrv>
|
|
<ItfInb neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ItfInb>
|
|
<ItfOutb neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ItfOutb>
|
|
<NATRuleOptions/>
|
|
</NATRule>
|
|
<NATRule id="id4368AD8715884" disabled="False" group="" position="22" action="Translate" comment="">
|
|
<OSrc neg="False">
|
|
<ObjectRef ref="net-Internal_net"/>
|
|
</OSrc>
|
|
<ODst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ODst>
|
|
<OSrv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</OSrv>
|
|
<TSrc neg="False">
|
|
<ObjectRef ref="id4368AD8615884"/>
|
|
</TSrc>
|
|
<TDst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</TDst>
|
|
<TSrv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</TSrv>
|
|
<ItfInb neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ItfInb>
|
|
<ItfOutb neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ItfOutb>
|
|
<NATRuleOptions/>
|
|
</NATRule>
|
|
<NATRule id="id3B66568B" disabled="False" group="" position="23" action="Translate" comment="NETMAP ">
|
|
<OSrc neg="False">
|
|
<ObjectRef ref="net-Internal_net"/>
|
|
</OSrc>
|
|
<ODst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ODst>
|
|
<OSrv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</OSrv>
|
|
<TSrc neg="False">
|
|
<ObjectRef ref="id3B665641"/>
|
|
</TSrc>
|
|
<TDst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</TDst>
|
|
<TSrv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</TSrv>
|
|
<ItfInb neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ItfInb>
|
|
<ItfOutb neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ItfOutb>
|
|
<NATRuleOptions/>
|
|
</NATRule>
|
|
<NATRule id="id3B6656EF" disabled="False" group="" position="24" action="Translate" comment="NETMAP">
|
|
<OSrc neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</OSrc>
|
|
<ODst neg="False">
|
|
<ObjectRef ref="id3B665641"/>
|
|
</ODst>
|
|
<OSrv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</OSrv>
|
|
<TSrc neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</TSrc>
|
|
<TDst neg="False">
|
|
<ObjectRef ref="net-Internal_net"/>
|
|
</TDst>
|
|
<TSrv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</TSrv>
|
|
<ItfInb neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ItfInb>
|
|
<ItfOutb neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ItfOutb>
|
|
<NATRuleOptions/>
|
|
</NATRule>
|
|
<NATRule id="id3AFB69F7" disabled="False" group="" position="25" action="Translate" comment="">
|
|
<OSrc neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</OSrc>
|
|
<ODst neg="False">
|
|
<ObjectRef ref="id3AFB66C6"/>
|
|
</ODst>
|
|
<OSrv neg="False">
|
|
<ServiceRef ref="id3B20468D"/>
|
|
</OSrv>
|
|
<TSrc neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</TSrc>
|
|
<TDst neg="False">
|
|
<ObjectRef ref="host-hostA"/>
|
|
</TDst>
|
|
<TSrv neg="False">
|
|
<ServiceRef ref="id3B20468D"/>
|
|
</TSrv>
|
|
<ItfInb neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ItfInb>
|
|
<ItfOutb neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ItfOutb>
|
|
<NATRuleOptions/>
|
|
</NATRule>
|
|
<NATRule id="id446BA34525148" disabled="False" group="" position="26" action="Translate" comment="">
|
|
<OSrc neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</OSrc>
|
|
<ODst neg="False">
|
|
<ObjectRef ref="id3AFB6706"/>
|
|
<ObjectRef ref="id3AFB68D2"/>
|
|
</ODst>
|
|
<OSrv neg="False">
|
|
<ServiceRef ref="tcp-HTTP"/>
|
|
</OSrv>
|
|
<TSrc neg="False">
|
|
<ObjectRef ref="id3AFB6703"/>
|
|
</TSrc>
|
|
<TDst neg="False">
|
|
<ObjectRef ref="host-hostA"/>
|
|
</TDst>
|
|
<TSrv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</TSrv>
|
|
<ItfInb neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ItfInb>
|
|
<ItfOutb neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ItfOutb>
|
|
<NATRuleOptions/>
|
|
</NATRule>
|
|
<NATRule id="id3B7313C4" disabled="False" group="" position="27" action="Translate" comment="">
|
|
<OSrc neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</OSrc>
|
|
<ODst neg="False">
|
|
<ObjectRef ref="id3AFADBF9"/>
|
|
</ODst>
|
|
<OSrv neg="False">
|
|
<ServiceRef ref="tcp-HTTP"/>
|
|
</OSrv>
|
|
<TSrc neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</TSrc>
|
|
<TDst neg="False">
|
|
<ObjectRef ref="host-hostA"/>
|
|
</TDst>
|
|
<TSrv neg="False">
|
|
<ServiceRef ref="tcp-SMTP"/>
|
|
</TSrv>
|
|
<ItfInb neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ItfInb>
|
|
<ItfOutb neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ItfOutb>
|
|
<NATRuleOptions/>
|
|
</NATRule>
|
|
<NATRule id="id3E04C979" disabled="False" group="" position="28" action="Translate" comment="">
|
|
<OSrc neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</OSrc>
|
|
<ODst neg="False">
|
|
<ObjectRef ref="id3AFB66C6"/>
|
|
</ODst>
|
|
<OSrv neg="False">
|
|
<ServiceRef ref="tcp-HTTP"/>
|
|
<ServiceRef ref="id3B4FED69"/>
|
|
</OSrv>
|
|
<TSrc neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</TSrc>
|
|
<TDst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</TDst>
|
|
<TSrv neg="False">
|
|
<ServiceRef ref="id3B4FF09A"/>
|
|
</TSrv>
|
|
<ItfInb neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ItfInb>
|
|
<ItfOutb neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ItfOutb>
|
|
<NATRuleOptions/>
|
|
</NATRule>
|
|
<NATRule id="id3E74F756" disabled="False" group="" position="29" action="Translate" comment="">
|
|
<OSrc neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</OSrc>
|
|
<ODst neg="False">
|
|
<ObjectRef ref="id3AFB6706"/>
|
|
</ODst>
|
|
<OSrv neg="False">
|
|
<ServiceRef ref="id3DDDE4E4"/>
|
|
</OSrv>
|
|
<TSrc neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</TSrc>
|
|
<TDst neg="False">
|
|
<ObjectRef ref="id3CEBFF26"/>
|
|
</TDst>
|
|
<TSrv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</TSrv>
|
|
<ItfInb neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ItfInb>
|
|
<ItfOutb neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ItfOutb>
|
|
<NATRuleOptions/>
|
|
</NATRule>
|
|
<NATRule id="id3E74F620" disabled="False" group="" position="30" action="Translate" comment="">
|
|
<OSrc neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</OSrc>
|
|
<ODst neg="False">
|
|
<ObjectRef ref="id3AFB6706"/>
|
|
</ODst>
|
|
<OSrv neg="False">
|
|
<ServiceRef ref="id3DDDE4E4"/>
|
|
</OSrv>
|
|
<TSrc neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</TSrc>
|
|
<TDst neg="False">
|
|
<ObjectRef ref="id3CD87A5E"/>
|
|
<ObjectRef ref="id3CD87A6D"/>
|
|
<ObjectRef ref="id3CD87A8B"/>
|
|
<ObjectRef ref="id3CD87A7C"/>
|
|
<ObjectRef ref="id3CD87A53"/>
|
|
</TDst>
|
|
<TSrv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</TSrv>
|
|
<ItfInb neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ItfInb>
|
|
<ItfOutb neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ItfOutb>
|
|
<NATRuleOptions/>
|
|
</NATRule>
|
|
<NATRule id="id3FB3526D" disabled="False" group="" position="31" action="Translate" comment="transparent proxy rule">
|
|
<OSrc neg="False">
|
|
<ObjectRef ref="net-Internal_net"/>
|
|
</OSrc>
|
|
<ODst neg="True">
|
|
<ObjectRef ref="id3AFADBF9"/>
|
|
</ODst>
|
|
<OSrv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</OSrv>
|
|
<TSrc neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</TSrc>
|
|
<TDst neg="False">
|
|
<ObjectRef ref="id3D151943"/>
|
|
</TDst>
|
|
<TSrv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</TSrv>
|
|
<ItfInb neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ItfInb>
|
|
<ItfOutb neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ItfOutb>
|
|
<NATRuleOptions/>
|
|
</NATRule>
|
|
<NATRule id="id402335CD" disabled="True" group="" position="32" action="Translate" comment="">
|
|
<OSrc neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</OSrc>
|
|
<ODst neg="False">
|
|
<ObjectRef ref="id3AFB6706"/>
|
|
</ODst>
|
|
<OSrv neg="False">
|
|
<ServiceRef ref="id3DDDE4E4"/>
|
|
</OSrv>
|
|
<TSrc neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</TSrc>
|
|
<TDst neg="False">
|
|
<ObjectRef ref="host-hostA"/>
|
|
<ObjectRef ref="host-hostB"/>
|
|
</TDst>
|
|
<TSrv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</TSrv>
|
|
<ItfInb neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ItfInb>
|
|
<ItfOutb neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ItfOutb>
|
|
<NATRuleOptions/>
|
|
</NATRule>
|
|
<NATRule id="id3FC6531F" disabled="False" group="" position="33" action="Translate" comment="">
|
|
<OSrc neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</OSrc>
|
|
<ODst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ODst>
|
|
<OSrv neg="False">
|
|
<ServiceRef ref="tcp-HTTP"/>
|
|
</OSrv>
|
|
<TSrc neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</TSrc>
|
|
<TDst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</TDst>
|
|
<TSrv neg="False">
|
|
<ServiceRef ref="id3DDDE4E4"/>
|
|
</TSrv>
|
|
<ItfInb neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ItfInb>
|
|
<ItfOutb neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ItfOutb>
|
|
<NATRuleOptions/>
|
|
</NATRule>
|
|
<NATRule id="id40F2F9C1" disabled="False" group="" position="34" action="Translate" comment="">
|
|
<OSrc neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</OSrc>
|
|
<ODst neg="False">
|
|
<ObjectRef ref="host-hostA"/>
|
|
</ODst>
|
|
<OSrv neg="False">
|
|
<ServiceRef ref="tcp-HTTP"/>
|
|
</OSrv>
|
|
<TSrc neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</TSrc>
|
|
<TDst neg="False">
|
|
<ObjectRef ref="host-hostA"/>
|
|
</TDst>
|
|
<TSrv neg="False">
|
|
<ServiceRef ref="id3DDDE4E4"/>
|
|
</TSrv>
|
|
<ItfInb neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ItfInb>
|
|
<ItfOutb neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ItfOutb>
|
|
<NATRuleOptions/>
|
|
</NATRule>
|
|
<NATRule id="id407EDDBD" disabled="False" group="" position="35" action="Translate" comment="">
|
|
<OSrc neg="False">
|
|
<ObjectRef ref="host-hostA"/>
|
|
</OSrc>
|
|
<ODst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ODst>
|
|
<OSrv neg="False">
|
|
<ServiceRef ref="tcp-HTTP"/>
|
|
</OSrv>
|
|
<TSrc neg="False">
|
|
<ObjectRef ref="id3AFB6706"/>
|
|
</TSrc>
|
|
<TDst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</TDst>
|
|
<TSrv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</TSrv>
|
|
<ItfInb neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ItfInb>
|
|
<ItfOutb neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ItfOutb>
|
|
<NATRuleOptions/>
|
|
</NATRule>
|
|
<NATRule id="id407EDE37" disabled="False" group="" position="36" action="Translate" comment="">
|
|
<OSrc neg="True">
|
|
<ObjectRef ref="host-hostA"/>
|
|
</OSrc>
|
|
<ODst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ODst>
|
|
<OSrv neg="False">
|
|
<ServiceRef ref="tcp-HTTP"/>
|
|
</OSrv>
|
|
<TSrc neg="False">
|
|
<ObjectRef ref="id3AFB6703"/>
|
|
</TSrc>
|
|
<TDst neg="False">
|
|
<ObjectRef ref="host-hostA"/>
|
|
</TDst>
|
|
<TSrv neg="False">
|
|
<ServiceRef ref="id3B4FF09A"/>
|
|
</TSrv>
|
|
<ItfInb neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ItfInb>
|
|
<ItfOutb neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ItfOutb>
|
|
<NATRuleOptions/>
|
|
</NATRule>
|
|
<NATRule id="id40F195C3" disabled="False" group="" position="37" action="Translate" comment="">
|
|
<OSrc neg="True">
|
|
<ObjectRef ref="id3B4572AF"/>
|
|
</OSrc>
|
|
<ODst neg="True">
|
|
<ObjectRef ref="id40F195D2"/>
|
|
</ODst>
|
|
<OSrv neg="False">
|
|
<ServiceRef ref="tcp-HTTP"/>
|
|
</OSrv>
|
|
<TSrc neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</TSrc>
|
|
<TDst neg="False">
|
|
<ObjectRef ref="id40F195D2"/>
|
|
</TDst>
|
|
<TSrv neg="False">
|
|
<ServiceRef ref="id3B4FF09A"/>
|
|
</TSrv>
|
|
<ItfInb neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ItfInb>
|
|
<ItfOutb neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ItfOutb>
|
|
<NATRuleOptions/>
|
|
</NATRule>
|
|
<NATRule id="id40F1C52F" disabled="False" group="" position="38" action="Translate" comment="">
|
|
<OSrc neg="True">
|
|
<ObjectRef ref="id3B4572AF"/>
|
|
</OSrc>
|
|
<ODst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ODst>
|
|
<OSrv neg="True">
|
|
<ServiceRef ref="tcp-HTTP"/>
|
|
</OSrv>
|
|
<TSrc neg="False">
|
|
<ObjectRef ref="id3AFB6703"/>
|
|
</TSrc>
|
|
<TDst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</TDst>
|
|
<TSrv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</TSrv>
|
|
<ItfInb neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ItfInb>
|
|
<ItfOutb neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ItfOutb>
|
|
<NATRuleOptions/>
|
|
</NATRule>
|
|
<NATRule id="id407EDCD5" disabled="False" group="" position="39" action="Translate" comment="">
|
|
<OSrc neg="False">
|
|
<ObjectRef ref="net-Internal_net"/>
|
|
</OSrc>
|
|
<ODst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ODst>
|
|
<OSrv neg="False">
|
|
<ServiceRef ref="tcp-HTTP"/>
|
|
</OSrv>
|
|
<TSrc neg="False">
|
|
<ObjectRef ref="id3AFB6703"/>
|
|
</TSrc>
|
|
<TDst neg="False">
|
|
<ObjectRef ref="host-hostA"/>
|
|
</TDst>
|
|
<TSrv neg="False">
|
|
<ServiceRef ref="id3B4FF09A"/>
|
|
</TSrv>
|
|
<ItfInb neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ItfInb>
|
|
<ItfOutb neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ItfOutb>
|
|
<NATRuleOptions/>
|
|
</NATRule>
|
|
<NATRule id="id46D6DA2024736" disabled="False" group="" position="40" action="Translate" comment="this is the "exception" rule used in support req. originally">
|
|
<OSrc neg="False">
|
|
<ObjectRef ref="id3B4572AF"/>
|
|
</OSrc>
|
|
<ODst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ODst>
|
|
<OSrv neg="False">
|
|
<ServiceRef ref="tcp-HTTP"/>
|
|
</OSrv>
|
|
<TSrc neg="False">
|
|
<ObjectRef ref="id3AFB6706-ipv4"/>
|
|
</TSrc>
|
|
<TDst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</TDst>
|
|
<TSrv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</TSrv>
|
|
<ItfInb neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ItfInb>
|
|
<ItfOutb neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ItfOutb>
|
|
<NATRuleOptions>
|
|
<Option name="color">#C08B5A</Option>
|
|
</NATRuleOptions>
|
|
</NATRule>
|
|
<NATRule id="id46D6DA3124736" disabled="False" group="" position="41" action="Translate" comment="">
|
|
<OSrc neg="False">
|
|
<ObjectRef ref="net-Internal_net"/>
|
|
</OSrc>
|
|
<ODst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ODst>
|
|
<OSrv neg="False">
|
|
<ServiceRef ref="tcp-HTTP"/>
|
|
</OSrv>
|
|
<TSrc neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</TSrc>
|
|
<TDst neg="False">
|
|
<ObjectRef ref="id3AFB6703-ipv4"/>
|
|
</TDst>
|
|
<TSrv neg="False">
|
|
<ServiceRef ref="id3B4FF09A"/>
|
|
</TSrv>
|
|
<ItfInb neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ItfInb>
|
|
<ItfOutb neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ItfOutb>
|
|
<NATRuleOptions>
|
|
<Option name="color">#C08B5A</Option>
|
|
</NATRuleOptions>
|
|
</NATRule>
|
|
<NATRule id="id46D49F4824736" disabled="False" group="" position="42" action="Translate" comment=""exception" rule in the pair from a support req.">
|
|
<OSrc neg="False">
|
|
<ObjectRef ref="id3B4572AF"/>
|
|
</OSrc>
|
|
<ODst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ODst>
|
|
<OSrv neg="False">
|
|
<ServiceRef ref="tcp-HTTP"/>
|
|
</OSrv>
|
|
<TSrc neg="False">
|
|
<ObjectRef ref="id3AFB6706-ipv4"/>
|
|
</TSrc>
|
|
<TDst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</TDst>
|
|
<TSrv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</TSrv>
|
|
<ItfInb neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ItfInb>
|
|
<ItfOutb neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ItfOutb>
|
|
<NATRuleOptions>
|
|
<Option name="color">#8BC065</Option>
|
|
</NATRuleOptions>
|
|
</NATRule>
|
|
<NATRule id="id46D67A4324736" disabled="False" group="" position="43" action="Translate" comment="testing transparent proxy rules for a support req.">
|
|
<OSrc neg="True">
|
|
<ObjectRef ref="id3B4572AF"/>
|
|
</OSrc>
|
|
<ODst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ODst>
|
|
<OSrv neg="False">
|
|
<ServiceRef ref="tcp-HTTP"/>
|
|
</OSrv>
|
|
<TSrc neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</TSrc>
|
|
<TDst neg="False">
|
|
<ObjectRef ref="id3AFB6703-ipv4"/>
|
|
</TDst>
|
|
<TSrv neg="False">
|
|
<ServiceRef ref="id3B4FF09A"/>
|
|
</TSrv>
|
|
<ItfInb neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ItfInb>
|
|
<ItfOutb neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ItfOutb>
|
|
<NATRuleOptions>
|
|
<Option name="color">#8BC065</Option>
|
|
</NATRuleOptions>
|
|
</NATRule>
|
|
<NATRule id="id46D67A5924736" disabled="False" group="" position="44" action="Translate" comment="testing transparent proxy rules for a support req.">
|
|
<OSrc neg="True">
|
|
<ObjectRef ref="id3B4572AF"/>
|
|
</OSrc>
|
|
<ODst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ODst>
|
|
<OSrv neg="False">
|
|
<ServiceRef ref="tcp-HTTP"/>
|
|
</OSrv>
|
|
<TSrc neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</TSrc>
|
|
<TDst neg="False">
|
|
<ObjectRef ref="id3AFB6703"/>
|
|
</TDst>
|
|
<TSrv neg="False">
|
|
<ServiceRef ref="id3B4FF09A"/>
|
|
</TSrv>
|
|
<ItfInb neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ItfInb>
|
|
<ItfOutb neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ItfOutb>
|
|
<NATRuleOptions>
|
|
<Option name="color">#8BC065</Option>
|
|
</NATRuleOptions>
|
|
</NATRule>
|
|
<NATRule id="id46D49F3624736" disabled="False" group="" position="45" action="Translate" comment="testing transparent proxy rules for a support req.">
|
|
<OSrc neg="True">
|
|
<ObjectRef ref="id3B4572AF"/>
|
|
</OSrc>
|
|
<ODst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ODst>
|
|
<OSrv neg="False">
|
|
<ServiceRef ref="tcp-HTTP"/>
|
|
</OSrv>
|
|
<TSrc neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</TSrc>
|
|
<TDst neg="False">
|
|
<ObjectRef ref="id3AFB66C6"/>
|
|
</TDst>
|
|
<TSrv neg="False">
|
|
<ServiceRef ref="id3B4FF09A"/>
|
|
</TSrv>
|
|
<ItfInb neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ItfInb>
|
|
<ItfOutb neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ItfOutb>
|
|
<NATRuleOptions>
|
|
<Option name="color">#8BC065</Option>
|
|
</NATRuleOptions>
|
|
</NATRule>
|
|
<NATRule id="id46D6AA1B24736" disabled="False" group="" position="46" action="Translate" comment=""exception" rule in the pair from a support req.">
|
|
<OSrc neg="False">
|
|
<ObjectRef ref="id3B4572AF"/>
|
|
</OSrc>
|
|
<ODst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ODst>
|
|
<OSrv neg="False">
|
|
<ServiceRef ref="tcp-HTTP"/>
|
|
</OSrv>
|
|
<TSrc neg="False">
|
|
<ObjectRef ref="id3AFB6706-ipv4"/>
|
|
</TSrc>
|
|
<TDst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</TDst>
|
|
<TSrv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</TSrv>
|
|
<ItfInb neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ItfInb>
|
|
<ItfOutb neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ItfOutb>
|
|
<NATRuleOptions>
|
|
<Option name="color">#C0BA44</Option>
|
|
</NATRuleOptions>
|
|
</NATRule>
|
|
<NATRule id="id46D6AA2F24736" disabled="False" group="" position="47" action="Translate" comment="testing transparent proxy rules for a support req.">
|
|
<OSrc neg="True">
|
|
<ObjectRef ref="id3B4572AF"/>
|
|
</OSrc>
|
|
<ODst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ODst>
|
|
<OSrv neg="False">
|
|
<ServiceRef ref="tcp-HTTP"/>
|
|
</OSrv>
|
|
<TSrc neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</TSrc>
|
|
<TDst neg="False">
|
|
<ObjectRef ref="id40F195D2"/>
|
|
</TDst>
|
|
<TSrv neg="False">
|
|
<ServiceRef ref="id3B4FF09A"/>
|
|
</TSrv>
|
|
<ItfInb neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ItfInb>
|
|
<ItfOutb neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ItfOutb>
|
|
<NATRuleOptions>
|
|
<Option name="color">#C0BA44</Option>
|
|
</NATRuleOptions>
|
|
</NATRule>
|
|
<NATRule id="id47662X25753" disabled="False" group="" position="48" action="Translate" comment="">
|
|
<OSrc neg="False">
|
|
<ObjectRef ref="net-Internal_net"/>
|
|
</OSrc>
|
|
<ODst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ODst>
|
|
<OSrv neg="False">
|
|
<ServiceRef ref="id69385X25753"/>
|
|
</OSrv>
|
|
<TSrc neg="False">
|
|
<ObjectRef ref="host-hostA"/>
|
|
</TSrc>
|
|
<TDst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</TDst>
|
|
<TSrv neg="False">
|
|
<ServiceRef ref="id69386X25753"/>
|
|
</TSrv>
|
|
<ItfInb neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ItfInb>
|
|
<ItfOutb neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ItfOutb>
|
|
<NATRuleOptions/>
|
|
</NATRule>
|
|
<NATRule id="id1194991X6573" disabled="False" group="" position="49" action="Translate" comment="">
|
|
<OSrc neg="False">
|
|
<ObjectRef ref="id3AFB66C6"/>
|
|
</OSrc>
|
|
<ODst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ODst>
|
|
<OSrv neg="False">
|
|
<ServiceRef ref="id1195021X6573"/>
|
|
</OSrv>
|
|
<TSrc neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</TSrc>
|
|
<TDst neg="False">
|
|
<ObjectRef ref="id3AFB66C6"/>
|
|
</TDst>
|
|
<TSrv neg="False">
|
|
<ServiceRef ref="id1195021X6573"/>
|
|
</TSrv>
|
|
<ItfInb neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ItfInb>
|
|
<ItfOutb neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ItfOutb>
|
|
<NATRuleOptions/>
|
|
</NATRule>
|
|
<NATRule id="id58000X8289" disabled="False" group="" position="50" action="Translate" comment="">
|
|
<OSrc neg="False">
|
|
<ObjectRef ref="id3AFB66C6"/>
|
|
</OSrc>
|
|
<ODst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ODst>
|
|
<OSrv neg="False">
|
|
<ServiceRef ref="id57956X8289"/>
|
|
</OSrv>
|
|
<TSrc neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</TSrc>
|
|
<TDst neg="False">
|
|
<ObjectRef ref="id3AFB66C6"/>
|
|
</TDst>
|
|
<TSrv neg="False">
|
|
<ServiceRef ref="id1195021X6573"/>
|
|
</TSrv>
|
|
<ItfInb neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ItfInb>
|
|
<ItfOutb neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ItfOutb>
|
|
<NATRuleOptions/>
|
|
</NATRule>
|
|
<NATRule id="id248774X9517" disabled="False" group="" position="51" action="Translate" comment="">
|
|
<OSrc neg="False">
|
|
<ObjectRef ref="id3AFB66C6"/>
|
|
</OSrc>
|
|
<ODst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ODst>
|
|
<OSrv neg="False">
|
|
<ServiceRef ref="id248805X9517"/>
|
|
</OSrv>
|
|
<TSrc neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</TSrc>
|
|
<TDst neg="False">
|
|
<ObjectRef ref="id3AFB66C6"/>
|
|
</TDst>
|
|
<TSrv neg="False">
|
|
<ServiceRef ref="id1195021X6573"/>
|
|
</TSrv>
|
|
<ItfInb neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ItfInb>
|
|
<ItfOutb neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ItfOutb>
|
|
<NATRuleOptions/>
|
|
</NATRule>
|
|
<NATRule id="id439713X9517" disabled="False" group="" position="52" action="Translate" comment="">
|
|
<OSrc neg="False">
|
|
<ObjectRef ref="id3AFB66C6"/>
|
|
</OSrc>
|
|
<ODst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ODst>
|
|
<OSrv neg="False">
|
|
<ServiceRef ref="id248805X9517"/>
|
|
</OSrv>
|
|
<TSrc neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</TSrc>
|
|
<TDst neg="False">
|
|
<ObjectRef ref="id3AFB66C6"/>
|
|
</TDst>
|
|
<TSrv neg="False">
|
|
<ServiceRef ref="udp-DNS"/>
|
|
</TSrv>
|
|
<ItfInb neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ItfInb>
|
|
<ItfOutb neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ItfOutb>
|
|
<NATRuleOptions/>
|
|
</NATRule>
|
|
<RuleSetOptions/>
|
|
</NAT>
|
|
<Policy id="id3AFB66E4" name="Policy" comment="" ro="False" ipv4_rule_set="False" ipv6_rule_set="False" top_rule_set="True">
|
|
<PolicyRule id="id3AFB6708" disabled="False" group="" log="True" position="0" action="Deny" direction="Inbound" comment="Anti-spoofing rule">
|
|
<Src neg="False">
|
|
<ObjectRef ref="net-Internal_net"/>
|
|
<ObjectRef ref="id3AFB66C6"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="id3AFB6706"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="action_on_reject"/>
|
|
<Option name="limit_suffix"/>
|
|
<Option name="limit_value">0</Option>
|
|
<Option name="log_prefix">Iface: %I RULE %N -- %A **</Option>
|
|
<Option name="stateless">True</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<PolicyRule id="id3AFB6710" disabled="False" group="" log="True" position="1" action="Deny" direction="Outbound" comment="Anti-spoofing rule">
|
|
<Src neg="True">
|
|
<ObjectRef ref="net-Internal_net"/>
|
|
<ObjectRef ref="id3AFB66C6"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="id3AFB6706"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="action_on_reject"/>
|
|
<Option name="limit_suffix"/>
|
|
<Option name="limit_value">0</Option>
|
|
<Option name="log_prefix">Iface: %I RULE %N -- %A **</Option>
|
|
<Option name="stateless">True</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<PolicyRule id="id44C0660013221" disabled="False" group="" log="True" position="2" action="Deny" direction="Inbound" comment="testing group in "interface" this rule should be identical to rule 3 ">
|
|
<Src neg="False">
|
|
<ObjectRef ref="net-Internal_net"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="sg-DHCP"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="id4653B4A820440"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="action_on_reject"/>
|
|
<Option name="connlimit_masklen">0</Option>
|
|
<Option name="connlimit_value">0</Option>
|
|
<Option name="firewall_is_part_of_any_and_networks">False</Option>
|
|
<Option name="hashlimit_burst">0</Option>
|
|
<Option name="hashlimit_dstlimit">False</Option>
|
|
<Option name="hashlimit_mode">dstip</Option>
|
|
<Option name="hashlimit_suffix"/>
|
|
<Option name="hashlimit_value">0</Option>
|
|
<Option name="limit_burst">0</Option>
|
|
<Option name="limit_suffix"/>
|
|
<Option name="limit_value">0</Option>
|
|
<Option name="log_level"/>
|
|
<Option name="log_prefix"/>
|
|
<Option name="stateless">True</Option>
|
|
<Option name="ulog_nlgroup">1</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<PolicyRule id="id4653E36120440" disabled="False" group="" log="True" position="3" action="Deny" direction="Inbound" comment="">
|
|
<Src neg="False">
|
|
<ObjectRef ref="net-Internal_net"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="sg-DHCP"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="id3AFB6706"/>
|
|
<ObjectRef ref="id3AFB68D2"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="action_on_reject"/>
|
|
<Option name="connlimit_masklen">0</Option>
|
|
<Option name="connlimit_value">0</Option>
|
|
<Option name="firewall_is_part_of_any_and_networks">False</Option>
|
|
<Option name="hashlimit_burst">0</Option>
|
|
<Option name="hashlimit_dstlimit">False</Option>
|
|
<Option name="hashlimit_mode">dstip</Option>
|
|
<Option name="hashlimit_suffix"/>
|
|
<Option name="hashlimit_value">0</Option>
|
|
<Option name="limit_burst">0</Option>
|
|
<Option name="limit_suffix"/>
|
|
<Option name="limit_value">0</Option>
|
|
<Option name="log_level"/>
|
|
<Option name="log_prefix"/>
|
|
<Option name="stateless">True</Option>
|
|
<Option name="ulog_nlgroup">1</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<PolicyRule id="id44C0691E13221" disabled="False" group="" log="False" position="4" action="Accept" direction="Both" comment="testing choice of chains in case when several interfaces are used and rule matches 'any' or broadcast ">
|
|
<Src neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="id3F6D115C"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="sg-DHCP"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="id3AFB6706"/>
|
|
<ObjectRef ref="id3AFB68D2"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions/>
|
|
</PolicyRule>
|
|
<PolicyRule id="id44C0694513221" disabled="False" group="" log="False" position="5" action="Accept" direction="Inbound" comment="">
|
|
<Src neg="False">
|
|
<ObjectRef ref="id44C0695713221"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="id3F6D115C"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="sg-DHCP"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="id3AFB6706"/>
|
|
<ObjectRef ref="id3AFB68D2"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions/>
|
|
</PolicyRule>
|
|
<PolicyRule id="id44C092DD13221" disabled="False" group="" log="False" position="6" action="Accept" direction="Outbound" comment="">
|
|
<Src neg="False">
|
|
<ObjectRef ref="net-Internal_net"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="id3F6D115C"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="sg-DHCP"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="id3AFB6706"/>
|
|
<ObjectRef ref="id3AFB68D2"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions/>
|
|
</PolicyRule>
|
|
<PolicyRule id="id3D6748D9" disabled="False" group="" log="True" position="7" action="Deny" direction="Both" comment="">
|
|
<Src neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Dst>
|
|
<Srv neg="True">
|
|
<ServiceRef ref="tcp-TCP-SYN"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="stateless">True</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<PolicyRule id="id3AFB66E5" disabled="False" group="" log="True" position="8" action="Deny" direction="Both" comment="block fragments">
|
|
<Src neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="ip-IP_Fragments"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="id"/>
|
|
<Option name="stateless">True</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<PolicyRule id="id3B0C6FD2" disabled="False" group="" log="True" position="9" action="Reject" direction="Both" comment="sends TCP RST and makes custom record in the log">
|
|
<Src neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="tcp-Auth"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="action_on_reject">TCP RST</Option>
|
|
<Option name="limit_suffix"/>
|
|
<Option name="limit_value">0</Option>
|
|
<Option name="log_prefix">IDENT</Option>
|
|
<Option name="stateless">True</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<PolicyRule id="id3D293D84" disabled="False" group="" log="True" position="10" action="Reject" direction="Both" comment="NOTE(review): action_on_reject is 'TCP RST' but the service is udp-SNMP; a TCP reset cannot answer a UDP datagram, so the compiler presumably has to fall back to an ICMP reject here - confirm this is the intended test case">
|
|
<Src neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="udp-SNMP"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="action_on_reject">TCP RST</Option>
|
|
<Option name="limit_burst">0</Option>
|
|
<Option name="limit_suffix"/>
|
|
<Option name="limit_value">0</Option>
|
|
<Option name="log_prefix"/>
|
|
<Option name="stateless">True</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<PolicyRule id="id39895X70161" disabled="False" group="" log="False" position="11" action="Accept" direction="Both" comment="using module iprange if iptables version is >= 1.2.11 ">
|
|
<Src neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="id3CEBFF26"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="udp-SNMP"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="color">#C0BA44</Option>
|
|
<Option name="stateless">False</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<PolicyRule id="id39909X70161" disabled="False" group="" log="False" position="12" action="Accept" direction="Both" comment="using module iprange if iptables version is >= 1.2.11">
|
|
<Src neg="False">
|
|
<ObjectRef ref="id3CEBFF26"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="udp-SNMP"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="color">#C0BA44</Option>
|
|
<Option name="stateless">False</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<PolicyRule id="id131093X70161" disabled="False" group="" log="False" position="13" action="Accept" direction="Both" comment="using module iprange if iptables version is >= 1.2.11">
|
|
<Src neg="False">
|
|
<ObjectRef ref="id3CEBFF28"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="id3CEBFF26"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="udp-SNMP"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="color">#C0BA44</Option>
|
|
<Option name="stateless">False</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<PolicyRule id="id131076X70161" disabled="False" group="" log="False" position="14" action="Accept" direction="Both" comment="using module iprange if iptables version is >= 1.2.11">
|
|
<Src neg="False">
|
|
<ObjectRef ref="id3CEBFF26"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="id3CEBFF28"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="udp-SNMP"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="color">#C0BA44</Option>
|
|
<Option name="stateless">False</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<PolicyRule id="id57999X70161" disabled="False" group="" log="False" position="15" action="Accept" direction="Both" comment="using module iprange if iptables version is >= 1.2.11">
|
|
<Src neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Src>
|
|
<Dst neg="True">
|
|
<ObjectRef ref="id3CEBFF26"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="udp-SNMP"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="color">#C0BA44</Option>
|
|
<Option name="stateless">False</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<PolicyRule id="id58016X70161" disabled="False" group="" log="False" position="16" action="Accept" direction="Both" comment="using module iprange if iptables version is >= 1.2.11">
|
|
<Src neg="True">
|
|
<ObjectRef ref="id3CEBFF26"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="udp-SNMP"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="color">#C0BA44</Option>
|
|
<Option name="stateless">False</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<PolicyRule id="id76132X70161" disabled="False" group="" log="False" position="17" action="Accept" direction="Both" comment="using module iprange if iptables version is >= 1.2.11">
|
|
<Src neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Src>
|
|
<Dst neg="True">
|
|
<ObjectRef ref="id3CEBFF26"/>
|
|
<ObjectRef ref="id417B3641"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="udp-SNMP"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="color">#C0BA44</Option>
|
|
<Option name="stateless">False</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<PolicyRule id="id76149X70161" disabled="False" group="" log="False" position="18" action="Accept" direction="Both" comment="using module iprange if iptables version is >= 1.2.11">
|
|
<Src neg="True">
|
|
<ObjectRef ref="id3CEBFF26"/>
|
|
<ObjectRef ref="id417B3641"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="udp-SNMP"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="color">#C0BA44</Option>
|
|
<Option name="stateless">False</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<PolicyRule id="id40876X59595" disabled="False" group="" log="True" position="19" action="Deny" direction="Both" comment="using module iprange if iptables version is >= 1.2.11 also test for bug #2526173">
|
|
<Src neg="False">
|
|
<ObjectRef ref="id40D153ED"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="color">#C0BA44</Option>
|
|
<Option name="stateless">True</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<PolicyRule id="id42387X35957" disabled="False" group="" log="False" position="20" action="Accept" direction="Both" comment="using module iprange if iptables version is >= 1.2.11">
|
|
<Src neg="False">
|
|
<ObjectRef ref="id42386X35957"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="udp-SNMP"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="color">#C0BA44</Option>
|
|
<Option name="stateless">False</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<PolicyRule id="id3DD1E1E0" disabled="False" group="" log="True" position="21" action="Accept" direction="Both" comment="">
|
|
<Src neg="False">
|
|
<ObjectRef ref="id3B022266"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="id3B0221F1"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="id3C1A5D46"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions/>
|
|
</PolicyRule>
|
|
<PolicyRule id="id3D8FC846" disabled="False" group="" log="False" position="22" action="Accept" direction="Both" comment="">
|
|
<Src neg="False">
|
|
<ObjectRef ref="id3B4572AF"/>
|
|
<ObjectRef ref="id3D8FC56A"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="host-secondary1-com"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions/>
|
|
</PolicyRule>
|
|
<PolicyRule id="id3D8FC984" disabled="False" group="" log="False" position="23" action="Accept" direction="Both" comment="">
|
|
<Src neg="False">
|
|
<ObjectRef ref="host-secondary1-com"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="id3B4572AF"/>
|
|
<ObjectRef ref="id3D8FC56A"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions/>
|
|
</PolicyRule>
|
|
<PolicyRule id="id3DCBFEA0" disabled="False" group="" log="False" position="24" action="Reject" direction="Both" comment="">
|
|
<Src neg="True">
|
|
<ObjectRef ref="net-Internal_net"/>
|
|
<ObjectRef ref="id3B022266"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="stateless">True</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<PolicyRule id="id3DCBFEAD" disabled="False" group="" log="False" position="25" action="Accept" direction="Both" comment="">
|
|
<Src neg="False">
|
|
<ObjectRef ref="net-Internal_net"/>
|
|
<ObjectRef ref="id3B022266"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions/>
|
|
</PolicyRule>
|
|
<PolicyRule id="id3DD4C015" disabled="False" group="" log="True" position="26" action="Deny" direction="Both" comment="">
|
|
<Src neg="False">
|
|
<ObjectRef ref="net-Internal_net"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="stateless">True</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<PolicyRule id="id3C447B8D" disabled="False" group="" log="True" position="27" action="Accept" direction="Both" comment="host-fw2 has the same address as one of the firewall's interfaces">
|
|
<Src neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="id3AFC0F70"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="tcp-FTP"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="action_on_reject"/>
|
|
<Option name="limit_burst">10</Option>
|
|
<Option name="limit_suffix">/minute</Option>
|
|
<Option name="limit_value">5</Option>
|
|
<Option name="log_prefix"/>
|
|
<Option name="stateless">False</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<PolicyRule id="id3C447BCB" disabled="False" group="" log="True" position="28" action="Accept" direction="Both" comment="">
|
|
<Src neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="id3AFB66C6"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="tcp-FTP"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions/>
|
|
</PolicyRule>
|
|
<PolicyRule id="id3AFB66F9" disabled="False" group="" log="True" position="29" action="Deny" direction="Both" comment="'catch all' rule">
|
|
<Src neg="False">
|
|
<ObjectRef ref="id86213X27543"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="id"/>
|
|
<Option name="stateless">True</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<RuleSetOptions/>
|
|
</Policy>
|
|
<Routing id="id3AFB66C6-routing" name="Routing" comment="" ro="False" ipv4_rule_set="False" ipv6_rule_set="False" top_rule_set="True">
|
|
<RuleSetOptions/>
|
|
</Routing>
|
|
<Interface id="id3AFB6703" dedicated_failover="False" dyn="False" label="" mgmt="True" security_level="100" unnum="False" unprotected="False" name="eth0" comment="" ro="False">
|
|
<IPv4 id="id3AFB6703-ipv4" name="fw2:eth0:ip - internal" comment="" ro="False" address="192.168.1.1" netmask="255.255.255.0"/>
|
|
<InterfaceOptions/>
|
|
</Interface>
|
|
<Interface id="id3AFB6706" dedicated_failover="False" dyn="False" security_level="0" unnum="False" unprotected="False" name="eth1" comment="" ro="False">
|
|
<IPv4 id="id3AFB6706-ipv4" name="fw2:eth1:ip - external" comment="" ro="False" address="22.22.22.22" netmask="255.255.255.0"/>
|
|
<InterfaceOptions/>
|
|
</Interface>
|
|
<Interface id="id3AFB68D2" dedicated_failover="False" dyn="False" label="" mgmt="False" security_level="0" unnum="False" unprotected="False" name="eth3" comment="" ro="False">
|
|
<IPv4 id="id3AFB68D2-ipv4" name="fw2:eth3:0" comment="" ro="False" address="22.22.23.23" netmask="255.255.255.0"/>
|
|
<IPv4 id="id3D5DEADC" name="fw2:eth3:1" comment="" ro="False" address="22.22.25.50" netmask="255.255.255.0"/>
|
|
<InterfaceOptions/>
|
|
</Interface>
|
|
<Interface id="id3B0221F1" dedicated_failover="False" dyn="False" security_level="100" unnum="False" unprotected="False" name="eth2" comment="" ro="False">
|
|
<IPv4 id="id3B0221F1-ipv4" name="fw2:eth2:1" comment="" ro="False" address="192.168.2.1" netmask="255.255.255.0"/>
|
|
<IPv4 id="id3DD1E161" name="fw2:eth2:2" comment="" ro="False" address="192.168.2.40" netmask="255.255.255.0"/>
|
|
<InterfaceOptions/>
|
|
</Interface>
|
|
<Interface id="id3CD2449F" dedicated_failover="False" dyn="False" label="" security_level="100" unnum="False" unprotected="False" name="lo" comment="" ro="False">
|
|
<IPv4 id="id3CD2449F-ipv4" name="address" comment="" ro="False" address="127.0.0.1" netmask="255.0.0.0"/>
|
|
<InterfaceOptions/>
|
|
</Interface>
|
|
<Management address="192.168.1.1">
|
|
<SNMPManagement enabled="False" snmp_read_community="public" snmp_write_community=""/>
|
|
<FWBDManagement enabled="True" identity="" port="9999"/>
|
|
<PolicyInstallScript arguments="" command="" enabled="False"/>
|
|
</Management>
|
|
<FirewallOptions>
|
|
<Option name="accept_established">True</Option>
|
|
<Option name="accept_new_tcp_with_no_syn">False</Option>
|
|
<Option name="action_on_reject">ICMP net unreachable</Option>
|
|
<Option name="activationCmd"/>
|
|
<Option name="admUser"/>
|
|
<Option name="altAddress"/>
|
|
<Option name="bridging_fw">False</Option>
|
|
<Option name="check_shading">True</Option>
|
|
<Option name="clamp_mss_to_mtu">True</Option>
|
|
<Option name="classify_mark_terminating">False</Option>
|
|
<Option name="cmdline">-xt</Option>
|
|
<Option name="compiler"/>
|
|
<Option name="configure_interfaces">True</Option>
|
|
<Option name="debug">False</Option>
|
|
<Option name="drop_invalid">True</Option>
|
|
<Option name="dyn_addr">False</Option>
|
|
<Option name="epilog_script"/>
|
|
<Option name="firewall_dir"/>
|
|
<Option name="firewall_is_part_of_any">True</Option>
|
|
<Option name="firewall_is_part_of_any_and_networks">True</Option>
|
|
<Option name="id"/>
|
|
<Option name="ignore_empty_groups">False</Option>
|
|
<Option name="inst_cmdline"/>
|
|
<Option name="inst_script"/>
|
|
<Option name="install_script"/>
|
|
<Option name="ipv4_6_order">ipv4_first</Option>
|
|
<Option name="limit_suffix">/second</Option>
|
|
<Option name="limit_value">5</Option>
|
|
<Option name="linux24_accept_redirects">0</Option>
|
|
<Option name="linux24_accept_source_route">0</Option>
|
|
<Option name="linux24_icmp_echo_ignore_all">1</Option>
|
|
<Option name="linux24_icmp_echo_ignore_broadcasts"/>
|
|
<Option name="linux24_icmp_ignore_bogus_error_responses">1</Option>
|
|
<Option name="linux24_ip_dynaddr"/>
|
|
<Option name="linux24_ip_forward">1</Option>
|
|
<Option name="linux24_log_martians">1</Option>
|
|
<Option name="linux24_path_ip"/>
|
|
<Option name="linux24_path_iptables"/>
|
|
<Option name="linux24_path_logger"/>
|
|
<Option name="linux24_path_lsmod"/>
|
|
<Option name="linux24_path_modprobe"/>
|
|
<Option name="linux24_rp_filter">1</Option>
|
|
<Option name="linux24_tcp_ecn"/>
|
|
<Option name="linux24_tcp_fack"/>
|
|
<Option name="linux24_tcp_fin_timeout">30</Option>
|
|
<Option name="linux24_tcp_keepalive_interval">1800</Option>
|
|
<Option name="linux24_tcp_sack"/>
|
|
<Option name="linux24_tcp_syncookies"/>
|
|
<Option name="linux24_tcp_timestamps"/>
|
|
<Option name="linux24_tcp_window_scaling"/>
|
|
<Option name="load_modules">False</Option>
|
|
<Option name="local_nat">True</Option>
|
|
<Option name="log_all">False</Option>
|
|
<Option name="log_all_dropped">True</Option>
|
|
<Option name="log_invalid">True</Option>
|
|
<Option name="log_ip_opt">False</Option>
|
|
<Option name="log_level">debug</Option>
|
|
<Option name="log_limit_suffix">/second</Option>
|
|
<Option name="log_limit_value">0</Option>
|
|
<Option name="log_prefix">RULE %N - %A **</Option>
|
|
<Option name="log_tcp_opt">False</Option>
|
|
<Option name="log_tcp_seq">False</Option>
|
|
<Option name="manage_virtual_addr">True</Option>
|
|
<Option name="mgmt_addr"/>
|
|
<Option name="mgmt_ssh">False</Option>
|
|
<Option name="no_iochains_for_any">False</Option>
|
|
<Option name="no_ipv6_default_policy">False</Option>
|
|
<Option name="no_optimisation">False</Option>
|
|
<Option name="output_file"/>
|
|
<Option name="platform">iptables</Option>
|
|
<Option name="prolog_place">after_flush</Option>
|
|
<Option name="prolog_script"/>
|
|
<Option name="proxy_arp">True</Option>
|
|
<Option name="scpArgs"/>
|
|
<Option name="script_env_path"/>
|
|
<Option name="snmp_contact"/>
|
|
<Option name="snmp_description"/>
|
|
<Option name="snmp_location"/>
|
|
<Option name="sshArgs"/>
|
|
<Option name="ulog_cprange">0</Option>
|
|
<Option name="ulog_nlgroup">1</Option>
|
|
<Option name="ulog_qthreshold">1</Option>
|
|
<Option name="useULOG">False</Option>
|
|
<Option name="use_ULOG">True</Option>
|
|
<Option name="use_ip_tool">True</Option>
|
|
<Option name="use_iptables_restore">False</Option>
|
|
<Option name="use_numeric_log_levels">False</Option>
|
|
<Option name="verify_interfaces">False</Option>
|
|
</FirewallOptions>
|
|
</Firewall>
|
|
<Firewall id="id3B0226B6" host_OS="linux24" inactive="False" lastCompiled="1272404392" lastInstalled="1142003872" lastModified="1268936785" platform="iptables" version="" name="firewall3" comment="this object is used to test negation in policy rules with "Assume firewall is part of 'Any'" turned OFF" ro="False">
|
|
<NAT id="id3B0226B7" name="NAT" comment="" ro="False" ipv4_rule_set="False" ipv6_rule_set="False" top_rule_set="True">
|
|
<NATRule id="id3B0226B8" disabled="False" group="" position="0" action="Translate" comment="">
|
|
<OSrc neg="False">
|
|
<ObjectRef ref="net-Internal_net"/>
|
|
</OSrc>
|
|
<ODst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ODst>
|
|
<OSrv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</OSrv>
|
|
<TSrc neg="False">
|
|
<ObjectRef ref="id3B0226B6"/>
|
|
</TSrc>
|
|
<TDst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</TDst>
|
|
<TSrv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</TSrv>
|
|
<ItfInb neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ItfInb>
|
|
<ItfOutb neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ItfOutb>
|
|
<NATRuleOptions>
|
|
<Option name="id"/>
|
|
</NATRuleOptions>
|
|
</NATRule>
|
|
<NATRule id="id3B0226C6" disabled="False" group="" position="1" action="Translate" comment="">
|
|
<OSrc neg="False">
|
|
<ObjectRef ref="host-hostA"/>
|
|
</OSrc>
|
|
<ODst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ODst>
|
|
<OSrv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</OSrv>
|
|
<TSrc neg="False">
|
|
<ObjectRef ref="id3AFADBF9"/>
|
|
</TSrc>
|
|
<TDst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</TDst>
|
|
<TSrv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</TSrv>
|
|
<ItfInb neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ItfInb>
|
|
<ItfOutb neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ItfOutb>
|
|
<NATRuleOptions>
|
|
<Option name="id"/>
|
|
</NATRuleOptions>
|
|
</NATRule>
|
|
<RuleSetOptions/>
|
|
</NAT>
|
|
<Policy id="id3B0226D4" name="Policy" comment="" ro="False" ipv4_rule_set="False" ipv6_rule_set="False" top_rule_set="True">
|
|
<PolicyRule id="id44C3826813221" disabled="False" group="" log="False" position="0" action="Accept" direction="Both" comment="">
|
|
<Src neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="id465D5AF12072"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions/>
|
|
</PolicyRule>
|
|
<PolicyRule id="id3B02270E" disabled="False" group="" log="True" position="1" action="Deny" direction="Inbound" comment="">
|
|
<Src neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="ip-IP_Fragments"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="id3B02270C"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="stateless">True</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<PolicyRule id="id44C2868B13221" disabled="False" group="" log="True" position="2" action="Deny" direction="Inbound" comment="">
|
|
<Src neg="False">
|
|
<ObjectRef ref="net-Internal_net"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="sg-DHCP"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="id3B02270A"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="action_on_reject"/>
|
|
<Option name="connlimit_masklen">0</Option>
|
|
<Option name="connlimit_value">0</Option>
|
|
<Option name="firewall_is_part_of_any_and_networks">False</Option>
|
|
<Option name="hashlimit_burst">0</Option>
|
|
<Option name="hashlimit_dstlimit">False</Option>
|
|
<Option name="hashlimit_mode">dstip</Option>
|
|
<Option name="hashlimit_suffix"/>
|
|
<Option name="hashlimit_value">0</Option>
|
|
<Option name="limit_burst">0</Option>
|
|
<Option name="limit_suffix"/>
|
|
<Option name="limit_value">0</Option>
|
|
<Option name="log_level"/>
|
|
<Option name="log_prefix"/>
|
|
<Option name="stateless">True</Option>
|
|
<Option name="ulog_nlgroup">1</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<PolicyRule id="id44C1B5A613221" disabled="False" group="" log="True" position="3" action="Deny" direction="Inbound" comment="">
|
|
<Src neg="False">
|
|
<ObjectRef ref="net-Internal_net"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="sg-DHCP"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="id3B02270A"/>
|
|
<ObjectRef ref="id3B0B57D2"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="action_on_reject"/>
|
|
<Option name="connlimit_masklen">0</Option>
|
|
<Option name="connlimit_value">0</Option>
|
|
<Option name="firewall_is_part_of_any_and_networks">False</Option>
|
|
<Option name="hashlimit_burst">0</Option>
|
|
<Option name="hashlimit_dstlimit">False</Option>
|
|
<Option name="hashlimit_mode">dstip</Option>
|
|
<Option name="hashlimit_suffix"/>
|
|
<Option name="hashlimit_value">0</Option>
|
|
<Option name="limit_burst">0</Option>
|
|
<Option name="limit_suffix"/>
|
|
<Option name="limit_value">0</Option>
|
|
<Option name="log_level"/>
|
|
<Option name="log_prefix"/>
|
|
<Option name="stateless">True</Option>
|
|
<Option name="ulog_nlgroup">1</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<PolicyRule id="id44C286B713221" disabled="False" group="" log="False" position="4" action="Accept" direction="Both" comment="testing the choice of chains when several interfaces are used and the rule matches on 'any' or broadcast">
|
|
<Src neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="id3F6D115C"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="sg-DHCP"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="id3B02270A"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions/>
|
|
</PolicyRule>
|
|
<PolicyRule id="id44C1B5B813221" disabled="False" group="" log="False" position="5" action="Accept" direction="Both" comment="testing the choice of chains when several interfaces are used and the rule matches on 'any' or broadcast">
|
|
<Src neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="id3F6D115C"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="sg-DHCP"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="id3B02270A"/>
|
|
<ObjectRef ref="id3B0B57D2"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions/>
|
|
</PolicyRule>
|
|
<PolicyRule id="id44C286E313221" disabled="False" group="" log="False" position="6" action="Accept" direction="Inbound" comment="">
|
|
<Src neg="False">
|
|
<ObjectRef ref="id44C0695713221"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="id3F6D115C"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="sg-DHCP"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="id3B02270A"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions/>
|
|
</PolicyRule>
|
|
<PolicyRule id="id44C1B5CA13221" disabled="False" group="" log="False" position="7" action="Accept" direction="Inbound" comment="">
|
|
<Src neg="False">
|
|
<ObjectRef ref="id44C0695713221"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="id3F6D115C"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="sg-DHCP"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="id3B02270A"/>
|
|
<ObjectRef ref="id3B0B57D2"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions/>
|
|
</PolicyRule>
|
|
<PolicyRule id="id44C2870F13221" disabled="False" group="" log="False" position="8" action="Accept" direction="Outbound" comment="">
|
|
<Src neg="False">
|
|
<ObjectRef ref="net-Internal_net"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="id3F6D115C"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="sg-DHCP"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="id3B02270A"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions/>
|
|
</PolicyRule>
|
|
<PolicyRule id="id44C1B5DC13221" disabled="False" group="" log="False" position="9" action="Accept" direction="Outbound" comment="">
|
|
<Src neg="False">
|
|
<ObjectRef ref="net-Internal_net"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="id3F6D115C"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="sg-DHCP"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="id3B02270A"/>
|
|
<ObjectRef ref="id3B0B57D2"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions/>
|
|
</PolicyRule>
|
|
<PolicyRule id="id3B022715" disabled="False" group="" log="True" position="10" action="Deny" direction="Inbound" comment="Anti-spoofing rule">
|
|
<Src neg="False">
|
|
<ObjectRef ref="net-Internal_net"/>
|
|
<ObjectRef ref="id3B0226B6"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="id3B02270C"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="stateless">True</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<PolicyRule id="id3B02271D" disabled="False" group="" log="True" position="11" action="Deny" direction="Outbound" comment="Anti-spoofing rule">
|
|
<Src neg="True">
|
|
<ObjectRef ref="net-Internal_net"/>
|
|
<ObjectRef ref="id3B0226B6"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="id3B02270C"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="stateless">True</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<PolicyRule id="id3B0226D5" disabled="False" group="" log="True" position="12" action="Accept" direction="Both" comment="hostF has the same IP address as the firewall.">
|
|
<Src neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="id3AFC191C"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="icmp-ping_request"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="id"/>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<PolicyRule id="id3B022A81" disabled="False" group="" log="False" position="13" action="Accept" direction="Both" comment="">
|
|
<Src neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="id3B0226B6"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="tcp-SSH"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions/>
|
|
</PolicyRule>
|
|
<PolicyRule id="id3B0226DF" disabled="False" group="" log="True" position="14" action="Deny" direction="Both" comment="testing negation in the policy rule">
|
|
<Src neg="True">
|
|
<ObjectRef ref="host-hostA"/>
|
|
<ObjectRef ref="host-hostB"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="icmp-Unreachables"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="id"/>
|
|
<Option name="stateless">True</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<PolicyRule id="id40F57E67" disabled="False" group="" log="False" position="15" action="Accept" direction="Both" comment="">
|
|
<Src neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Src>
|
|
<Dst neg="True">
|
|
<ObjectRef ref="id3B665643"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions/>
|
|
</PolicyRule>
|
|
<PolicyRule id="id40F57E72" disabled="False" group="" log="False" position="16" action="Accept" direction="Both" comment="">
|
|
<Src neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Src>
|
|
<Dst neg="True">
|
|
<ObjectRef ref="id40F57E7C"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions/>
|
|
</PolicyRule>
|
|
<PolicyRule id="id41A8EF1D" disabled="False" group="" log="False" position="17" action="Accept" direction="Both" comment="">
|
|
<Src neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Src>
|
|
<Dst neg="True">
|
|
<ObjectRef ref="id3B02270A"/>
|
|
<ObjectRef ref="id3B0B57D2"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions/>
|
|
</PolicyRule>
|
|
<PolicyRule id="id3B0226EA" disabled="False" group="" log="True" position="18" action="Deny" direction="Both" comment="testing negation in service field">
|
|
<Src neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="host-hostA"/>
|
|
<ObjectRef ref="host-hostB"/>
|
|
</Dst>
|
|
<Srv neg="True">
|
|
<ServiceRef ref="tcp-SMTP"/>
|
|
<ServiceRef ref="tcp-SSH"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="id"/>
|
|
<Option name="stateless">True</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<PolicyRule id="id3B0226F6" disabled="False" group="" log="False" position="19" action="Accept" direction="Both" comment="'masquerading' rule">
|
|
<Src neg="False">
|
|
<ObjectRef ref="net-Internal_net"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="id"/>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<PolicyRule id="id3B022700" disabled="False" group="" log="True" position="20" action="Deny" direction="Both" comment="'catch all' rule">
|
|
<Src neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="id"/>
|
|
<Option name="stateless">True</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<PolicyRule id="id440D600617760" disabled="False" group="" log="False" position="21" action="Accept" direction="Both" comment="">
|
|
<Src neg="True">
|
|
<ObjectRef ref="id3B0226B6"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="net-Internal_net"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="tcp-SSH"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions/>
|
|
</PolicyRule>
|
|
<PolicyRule id="id440D880417760" disabled="False" group="" log="False" position="22" action="Accept" direction="Both" comment="">
|
|
<Src neg="False">
|
|
<ObjectRef ref="net-Internal_net"/>
|
|
</Src>
|
|
<Dst neg="True">
|
|
<ObjectRef ref="id3B0226B6"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="tcp-SSH"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions/>
|
|
</PolicyRule>
|
|
<PolicyRule id="id474B57834682" disabled="False" group="" log="False" position="23" action="Accept" direction="Inbound" comment="this rule should go only to the FORWARD chain but should still have an &quot;-i eth&quot; clause">
|
|
<Src neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="id3B02270C"/>
|
|
<ObjectRef ref="id3B02270A"/>
|
|
<ObjectRef ref="id3B0B57D2"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="stateless">False</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<RuleSetOptions/>
|
|
</Policy>
|
|
<Routing id="id3B0226B6-routing" name="Routing" comment="" ro="False" ipv4_rule_set="False" ipv6_rule_set="False" top_rule_set="True">
|
|
<RuleSetOptions/>
|
|
</Routing>
|
|
<Interface id="id3B02270A" dedicated_failover="False" dyn="False" label="" mgmt="True" security_level="100" unnum="False" unprotected="False" name="eth0" comment="" ro="False">
|
|
<IPv4 id="id3B02270A-ipv4" name="address" comment="" ro="False" address="192.168.1.1" netmask="255.255.255.0"/>
|
|
<InterfaceOptions/>
|
|
</Interface>
|
|
<Interface id="id3B02270C" dedicated_failover="False" dyn="False" security_level="0" unnum="False" unprotected="False" name="eth1" comment="" ro="False">
|
|
<IPv4 id="id3B02270C-ipv4" name="address" comment="" ro="False" address="22.22.22.22" netmask="255.255.255.0"/>
|
|
<InterfaceOptions/>
|
|
</Interface>
|
|
<Interface id="id3B0B57D2" dedicated_failover="False" dyn="False" security_level="100" unnum="False" unprotected="False" name="eth2" comment="" ro="False">
|
|
<IPv4 id="id3B0B57D2-ipv4" name="address" comment="" ro="False" address="192.168.2.1" netmask="255.255.255.0"/>
|
|
<InterfaceOptions/>
|
|
</Interface>
|
|
<Interface id="id465D5AF12072" dedicated_failover="False" dyn="False" label="" mgmt="False" security_level="100" unnum="False" unprotected="False" name="lo" comment="" ro="False">
|
|
<IPv4 id="id465D89B62072" name="firewall3:lo:ip" comment="" ro="False" address="127.0.0.1" netmask="255.0.0.0"/>
|
|
<InterfaceOptions/>
|
|
</Interface>
|
|
<Management address="192.168.1.1">
|
|
<SNMPManagement enabled="False" snmp_read_community="public" snmp_write_community=""/>
|
|
<FWBDManagement enabled="True" identity="" port="9999"/>
|
|
<PolicyInstallScript arguments="" command="" enabled="False"/>
|
|
</Management>
|
|
<FirewallOptions>
|
|
<Option name="accept_established">False</Option>
|
|
<Option name="accept_new_tcp_with_no_syn">True</Option>
|
|
<Option name="action_on_reject">ICMP net unreachable</Option>
|
|
<Option name="activationCmd"/>
|
|
<Option name="admUser"/>
|
|
<Option name="altAddress"/>
|
|
<Option name="bridging_fw">False</Option>
|
|
<Option name="check_shading">False</Option>
|
|
<Option name="clamp_mss_to_mtu">False</Option>
|
|
<Option name="cmdline"/>
|
|
<Option name="compiler"/>
|
|
<Option name="configure_interfaces">True</Option>
|
|
<Option name="debug">False</Option>
|
|
<Option name="drop_invalid">False</Option>
|
|
<Option name="dyn_addr">False</Option>
|
|
<Option name="epilog_script"/>
|
|
<Option name="firewall_dir"/>
|
|
<Option name="firewall_is_part_of_any">False</Option>
|
|
<Option name="firewall_is_part_of_any_and_networks">False</Option>
|
|
<Option name="id"/>
|
|
<Option name="ignore_empty_groups">False</Option>
|
|
<Option name="inst_cmdline"/>
|
|
<Option name="inst_script"/>
|
|
<Option name="install_script"/>
|
|
<Option name="limit_suffix"/>
|
|
<Option name="limit_value">0</Option>
|
|
<Option name="linux24_accept_redirects"/>
|
|
<Option name="linux24_accept_source_route"/>
|
|
<Option name="linux24_icmp_echo_ignore_all"/>
|
|
<Option name="linux24_icmp_echo_ignore_broadcasts"/>
|
|
<Option name="linux24_icmp_ignore_bogus_error_responses"/>
|
|
<Option name="linux24_ip_dynaddr"/>
|
|
<Option name="linux24_ip_forward"/>
|
|
<Option name="linux24_log_martians"/>
|
|
<Option name="linux24_path_ip"/>
|
|
<Option name="linux24_path_iptables"/>
|
|
<Option name="linux24_path_logger"/>
|
|
<Option name="linux24_path_lsmod"/>
|
|
<Option name="linux24_path_modprobe"/>
|
|
<Option name="linux24_rp_filter"/>
|
|
<Option name="linux24_tcp_ecn"/>
|
|
<Option name="linux24_tcp_fack"/>
|
|
<Option name="linux24_tcp_fin_timeout">30</Option>
|
|
<Option name="linux24_tcp_keepalive_interval">1800</Option>
|
|
<Option name="linux24_tcp_sack"/>
|
|
<Option name="linux24_tcp_syncookies"/>
|
|
<Option name="linux24_tcp_timestamps"/>
|
|
<Option name="linux24_tcp_window_scaling"/>
|
|
<Option name="load_modules">False</Option>
|
|
<Option name="local_nat">False</Option>
|
|
<Option name="log_all">False</Option>
|
|
<Option name="log_all_dropped">False</Option>
|
|
<Option name="log_invalid">False</Option>
|
|
<Option name="log_ip_opt">False</Option>
|
|
<Option name="log_level">debug</Option>
|
|
<Option name="log_limit_suffix">/second</Option>
|
|
<Option name="log_limit_value">0</Option>
|
|
<Option name="log_prefix"/>
|
|
<Option name="log_tcp_opt">False</Option>
|
|
<Option name="log_tcp_seq">False</Option>
|
|
<Option name="manage_virtual_addr">False</Option>
|
|
<Option name="mgmt_addr"/>
|
|
<Option name="mgmt_ssh">False</Option>
|
|
<Option name="no_iochains_for_any">True</Option>
|
|
<Option name="no_optimisation">False</Option>
|
|
<Option name="output_file"/>
|
|
<Option name="platform">iptables</Option>
|
|
<Option name="prolog_place">top</Option>
|
|
<Option name="prolog_script"/>
|
|
<Option name="proxy_arp">False</Option>
|
|
<Option name="script_env_path"/>
|
|
<Option name="snmp_contact"/>
|
|
<Option name="snmp_description"/>
|
|
<Option name="snmp_location"/>
|
|
<Option name="sshArgs"/>
|
|
<Option name="ulog_cprange">0</Option>
|
|
<Option name="ulog_nlgroup">1</Option>
|
|
<Option name="ulog_qthreshold">1</Option>
|
|
<Option name="use_ULOG">False</Option>
|
|
<Option name="use_iptables_restore">False</Option>
|
|
<Option name="use_numeric_log_levels">False</Option>
|
|
<Option name="verify_interfaces">False</Option>
|
|
</FirewallOptions>
|
|
</Firewall>
|
|
<Firewall id="id3B0C6380" host_OS="linux24" inactive="False" lastCompiled="1272404501" lastInstalled="1142003872" lastModified="1247704084" platform="iptables" version="" name="firewall4" comment="this object is used to test a configuration where the firewall has a dynamic address" ro="False">
|
|
<NAT id="id3B0C6381" name="NAT" comment="" ro="False" ipv4_rule_set="False" ipv6_rule_set="False" top_rule_set="True">
|
|
<NATRule id="id3B0C6382" disabled="False" group="" position="0" action="Translate" comment="">
|
|
<OSrc neg="False">
|
|
<ObjectRef ref="host-hostA"/>
|
|
</OSrc>
|
|
<ODst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ODst>
|
|
<OSrv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</OSrv>
|
|
<TSrc neg="False">
|
|
<ObjectRef ref="id3B0C6380"/>
|
|
</TSrc>
|
|
<TDst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</TDst>
|
|
<TSrv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</TSrv>
|
|
<ItfInb neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ItfInb>
|
|
<ItfOutb neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ItfOutb>
|
|
<NATRuleOptions>
|
|
<Option name="id"/>
|
|
</NATRuleOptions>
|
|
</NATRule>
|
|
<NATRule id="id3DECF530" disabled="False" group="" position="1" action="Translate" comment="">
|
|
<OSrc neg="False">
|
|
<ObjectRef ref="host-hostA"/>
|
|
</OSrc>
|
|
<ODst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ODst>
|
|
<OSrv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</OSrv>
|
|
<TSrc neg="False">
|
|
<ObjectRef ref="id3DECF4EB"/>
|
|
</TSrc>
|
|
<TDst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</TDst>
|
|
<TSrv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</TSrv>
|
|
<ItfInb neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ItfInb>
|
|
<ItfOutb neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ItfOutb>
|
|
<NATRuleOptions/>
|
|
</NATRule>
|
|
<NATRule id="id3DECF6DA" disabled="False" group="" position="2" action="Translate" comment="">
|
|
<OSrc neg="False">
|
|
<ObjectRef ref="host-hostA"/>
|
|
</OSrc>
|
|
<ODst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ODst>
|
|
<OSrv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</OSrv>
|
|
<TSrc neg="False">
|
|
<ObjectRef ref="id3DECF622"/>
|
|
</TSrc>
|
|
<TDst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</TDst>
|
|
<TSrv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</TSrv>
|
|
<ItfInb neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ItfInb>
|
|
<ItfOutb neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ItfOutb>
|
|
<NATRuleOptions/>
|
|
</NATRule>
|
|
<NATRule id="id3B0C6390" disabled="False" group="" position="3" action="Translate" comment="">
|
|
<OSrc neg="False">
|
|
<ObjectRef ref="net-Internal_net"/>
|
|
</OSrc>
|
|
<ODst neg="True">
|
|
<ObjectRef ref="id3B022266"/>
|
|
</ODst>
|
|
<OSrv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</OSrv>
|
|
<TSrc neg="False">
|
|
<ObjectRef ref="id3B0C6380"/>
|
|
</TSrc>
|
|
<TDst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</TDst>
|
|
<TSrv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</TSrv>
|
|
<ItfInb neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ItfInb>
|
|
<ItfOutb neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ItfOutb>
|
|
<NATRuleOptions>
|
|
<Option name="id"/>
|
|
</NATRuleOptions>
|
|
</NATRule>
|
|
<NATRule id="id3DCA1BE7" disabled="False" group="" position="4" action="Translate" comment="">
|
|
<OSrc neg="False">
|
|
<ObjectRef ref="net-Internal_net"/>
|
|
<ObjectRef ref="id3B0C6380"/>
|
|
</OSrc>
|
|
<ODst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ODst>
|
|
<OSrv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</OSrv>
|
|
<TSrc neg="False">
|
|
<ObjectRef ref="id3B0C63E1"/>
|
|
</TSrc>
|
|
<TDst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</TDst>
|
|
<TSrv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</TSrv>
|
|
<ItfInb neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ItfInb>
|
|
<ItfOutb neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ItfOutb>
|
|
<NATRuleOptions/>
|
|
</NATRule>
|
|
<NATRule id="id3B202AFF" disabled="False" group="" position="5" action="Translate" comment="">
|
|
<OSrc neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</OSrc>
|
|
<ODst neg="False">
|
|
<ObjectRef ref="id3B0C6380"/>
|
|
</ODst>
|
|
<OSrv neg="False">
|
|
<ServiceRef ref="tcp-SSH"/>
|
|
</OSrv>
|
|
<TSrc neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</TSrc>
|
|
<TDst neg="False">
|
|
<ObjectRef ref="host-hostA"/>
|
|
</TDst>
|
|
<TSrv neg="False">
|
|
<ServiceRef ref="tcp-SSH"/>
|
|
</TSrv>
|
|
<ItfInb neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ItfInb>
|
|
<ItfOutb neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ItfOutb>
|
|
<NATRuleOptions/>
|
|
</NATRule>
|
|
<NATRule id="id3E2529F3" disabled="False" group="" position="6" action="Translate" comment="">
|
|
<OSrc neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</OSrc>
|
|
<ODst neg="False">
|
|
<ObjectRef ref="id3B0C63E1"/>
|
|
</ODst>
|
|
<OSrv neg="False">
|
|
<ServiceRef ref="tcp-SSH"/>
|
|
</OSrv>
|
|
<TSrc neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</TSrc>
|
|
<TDst neg="False">
|
|
<ObjectRef ref="host-hostA"/>
|
|
</TDst>
|
|
<TSrv neg="False">
|
|
<ServiceRef ref="tcp-SSH"/>
|
|
</TSrv>
|
|
<ItfInb neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ItfInb>
|
|
<ItfOutb neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ItfOutb>
|
|
<NATRuleOptions/>
|
|
</NATRule>
|
|
<RuleSetOptions/>
|
|
</NAT>
|
|
<Policy id="id3B0C639E" name="Policy" comment="" ro="False" ipv4_rule_set="False" ipv6_rule_set="False" top_rule_set="True">
|
|
<PolicyRule id="id3B0C63E3" disabled="False" group="" log="True" position="0" action="Deny" direction="Inbound" comment="Anti-spoofing rule">
|
|
<Src neg="False">
|
|
<ObjectRef ref="net-Internal_net"/>
|
|
<ObjectRef ref="id3B0C6380"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="id3B0C63E1"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="stateless">True</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<PolicyRule id="id3B0C63EB" disabled="False" group="" log="True" position="1" action="Deny" direction="Outbound" comment="Anti-spoofing rule (egress): deny and log packets leaving via eth1 whose source address is neither the internal network nor the firewall">
|
|
<Src neg="True">
|
|
<ObjectRef ref="net-Internal_net"/>
|
|
<ObjectRef ref="id3B0C6380"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="id3B0C63E1"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="stateless">True</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<PolicyRule id="id3B54F071" disabled="False" group="" log="True" position="2" action="Deny" direction="Both" comment="">
|
|
<Src neg="True">
|
|
<ObjectRef ref="id3B022266"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="icmp-ping_request"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="id3B0C63E1"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="stateless">True</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<PolicyRule id="id3E49FEF2" disabled="False" group="" log="False" position="3" action="Accept" direction="Inbound" comment="Accepts SSH to the firewall from any source arriving on eth1, without logging. The NAT rules at positions 5 and 6 redirect SSH addressed to the firewall and to eth1 to hostA, so verify which host actually terminates these connections">
|
|
<Src neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="id3B0C6380"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="tcp-SSH"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="id3B0C63E1"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions/>
|
|
</PolicyRule>
|
|
<PolicyRule id="id3B54C977" disabled="False" group="" log="True" position="4" action="Deny" direction="Both" comment="">
|
|
<Src neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="icmp-ping_request"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="id3B0C63E1"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="stateless">True</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<PolicyRule id="id469EDB0514508" disabled="False" group="" log="False" position="5" action="Accept" direction="Outbound" comment="OUTPUT">
|
|
<Src neg="False">
|
|
<ObjectRef ref="id3B0C6380"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="id44F7082928576"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="color">#8BC065</Option>
|
|
<Option name="connlimit_masklen">0</Option>
|
|
<Option name="connlimit_value">0</Option>
|
|
<Option name="firewall_is_part_of_any_and_networks">False</Option>
|
|
<Option name="hashlimit_burst">0</Option>
|
|
<Option name="hashlimit_dstlimit">False</Option>
|
|
<Option name="hashlimit_expire">0</Option>
|
|
<Option name="hashlimit_gcinterval">0</Option>
|
|
<Option name="hashlimit_max">0</Option>
|
|
<Option name="hashlimit_mode">dstip</Option>
|
|
<Option name="hashlimit_name"/>
|
|
<Option name="hashlimit_size">0</Option>
|
|
<Option name="hashlimit_suffix"/>
|
|
<Option name="hashlimit_value">0</Option>
|
|
<Option name="limit_burst">0</Option>
|
|
<Option name="limit_suffix"/>
|
|
<Option name="limit_value">0</Option>
|
|
<Option name="log_level"/>
|
|
<Option name="log_prefix"/>
|
|
<Option name="stateless">True</Option>
|
|
<Option name="ulog_nlgroup">1</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<PolicyRule id="id469F02B014773" disabled="False" group="" log="False" position="6" action="Accept" direction="Inbound" comment="INPUT with &quot;-i +&quot;: the &quot;-i +&quot; (any interface) match is redundant when the chain is INPUT and should be removed by the optimizer">
|
|
<Src neg="False">
|
|
<ObjectRef ref="id44F7082928576"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="id3B0C6380"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="color">#8BC065</Option>
|
|
<Option name="connlimit_masklen">0</Option>
|
|
<Option name="connlimit_value">0</Option>
|
|
<Option name="firewall_is_part_of_any_and_networks">False</Option>
|
|
<Option name="hashlimit_burst">0</Option>
|
|
<Option name="hashlimit_dstlimit">False</Option>
|
|
<Option name="hashlimit_expire">0</Option>
|
|
<Option name="hashlimit_gcinterval">0</Option>
|
|
<Option name="hashlimit_max">0</Option>
|
|
<Option name="hashlimit_mode">dstip</Option>
|
|
<Option name="hashlimit_name"/>
|
|
<Option name="hashlimit_size">0</Option>
|
|
<Option name="hashlimit_suffix"/>
|
|
<Option name="hashlimit_value">0</Option>
|
|
<Option name="limit_burst">0</Option>
|
|
<Option name="limit_suffix"/>
|
|
<Option name="limit_value">0</Option>
|
|
<Option name="log_level"/>
|
|
<Option name="log_prefix"/>
|
|
<Option name="stateless">True</Option>
|
|
<Option name="ulog_nlgroup">1</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<PolicyRule id="id469FBE8914773" disabled="False" group="" log="False" position="7" action="Accept" direction="Outbound" comment="OUTPUT + FORWARD">
|
|
<Src neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="id44F7082928576"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="color">#8BC065</Option>
|
|
<Option name="connlimit_masklen">0</Option>
|
|
<Option name="connlimit_value">0</Option>
|
|
<Option name="firewall_is_part_of_any_and_networks">False</Option>
|
|
<Option name="hashlimit_burst">0</Option>
|
|
<Option name="hashlimit_dstlimit">False</Option>
|
|
<Option name="hashlimit_expire">0</Option>
|
|
<Option name="hashlimit_gcinterval">0</Option>
|
|
<Option name="hashlimit_max">0</Option>
|
|
<Option name="hashlimit_mode">dstip</Option>
|
|
<Option name="hashlimit_name"/>
|
|
<Option name="hashlimit_size">0</Option>
|
|
<Option name="hashlimit_suffix"/>
|
|
<Option name="hashlimit_value">0</Option>
|
|
<Option name="limit_burst">0</Option>
|
|
<Option name="limit_suffix"/>
|
|
<Option name="limit_value">0</Option>
|
|
<Option name="log_level"/>
|
|
<Option name="log_prefix"/>
|
|
<Option name="stateless">True</Option>
|
|
<Option name="ulog_nlgroup">1</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<PolicyRule id="id469FBE9A14773" disabled="False" group="" log="False" position="8" action="Accept" direction="Inbound" comment="INPUT + FORWARD">
|
|
<Src neg="False">
|
|
<ObjectRef ref="id44F7082928576"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="color">#8BC065</Option>
|
|
<Option name="connlimit_masklen">0</Option>
|
|
<Option name="connlimit_value">0</Option>
|
|
<Option name="firewall_is_part_of_any_and_networks">False</Option>
|
|
<Option name="hashlimit_burst">0</Option>
|
|
<Option name="hashlimit_dstlimit">False</Option>
|
|
<Option name="hashlimit_expire">0</Option>
|
|
<Option name="hashlimit_gcinterval">0</Option>
|
|
<Option name="hashlimit_max">0</Option>
|
|
<Option name="hashlimit_mode">dstip</Option>
|
|
<Option name="hashlimit_name"/>
|
|
<Option name="hashlimit_size">0</Option>
|
|
<Option name="hashlimit_suffix"/>
|
|
<Option name="hashlimit_value">0</Option>
|
|
<Option name="limit_burst">0</Option>
|
|
<Option name="limit_suffix"/>
|
|
<Option name="limit_value">0</Option>
|
|
<Option name="log_level"/>
|
|
<Option name="log_prefix"/>
|
|
<Option name="stateless">True</Option>
|
|
<Option name="ulog_nlgroup">1</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<PolicyRule id="id469F609414773" disabled="False" group="" log="False" position="9" action="Accept" direction="Both" comment="OUTPUT + FORWARD">
|
|
<Src neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="id44F7082928576"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="color">#8BC065</Option>
|
|
<Option name="connlimit_masklen">0</Option>
|
|
<Option name="connlimit_value">0</Option>
|
|
<Option name="firewall_is_part_of_any_and_networks">False</Option>
|
|
<Option name="hashlimit_burst">0</Option>
|
|
<Option name="hashlimit_dstlimit">False</Option>
|
|
<Option name="hashlimit_expire">0</Option>
|
|
<Option name="hashlimit_gcinterval">0</Option>
|
|
<Option name="hashlimit_max">0</Option>
|
|
<Option name="hashlimit_mode">dstip</Option>
|
|
<Option name="hashlimit_name"/>
|
|
<Option name="hashlimit_size">0</Option>
|
|
<Option name="hashlimit_suffix"/>
|
|
<Option name="hashlimit_value">0</Option>
|
|
<Option name="limit_burst">0</Option>
|
|
<Option name="limit_suffix"/>
|
|
<Option name="limit_value">0</Option>
|
|
<Option name="log_level"/>
|
|
<Option name="log_prefix"/>
|
|
<Option name="stateless">True</Option>
|
|
<Option name="ulog_nlgroup">1</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<PolicyRule id="id46A04BD114773" disabled="False" group="" log="False" position="10" action="Accept" direction="Both" comment="INPUT + FORWARD">
|
|
<Src neg="False">
|
|
<ObjectRef ref="id44F7082928576"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="color">#8BC065</Option>
|
|
<Option name="connlimit_masklen">0</Option>
|
|
<Option name="connlimit_value">0</Option>
|
|
<Option name="firewall_is_part_of_any_and_networks">False</Option>
|
|
<Option name="hashlimit_burst">0</Option>
|
|
<Option name="hashlimit_dstlimit">False</Option>
|
|
<Option name="hashlimit_expire">0</Option>
|
|
<Option name="hashlimit_gcinterval">0</Option>
|
|
<Option name="hashlimit_max">0</Option>
|
|
<Option name="hashlimit_mode">dstip</Option>
|
|
<Option name="hashlimit_name"/>
|
|
<Option name="hashlimit_size">0</Option>
|
|
<Option name="hashlimit_suffix"/>
|
|
<Option name="hashlimit_value">0</Option>
|
|
<Option name="limit_burst">0</Option>
|
|
<Option name="limit_suffix"/>
|
|
<Option name="limit_value">0</Option>
|
|
<Option name="log_level"/>
|
|
<Option name="log_prefix"/>
|
|
<Option name="stateless">True</Option>
|
|
<Option name="ulog_nlgroup">1</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<PolicyRule id="id3B0C63B4" disabled="False" group="" log="True" position="11" action="Deny" direction="Both" comment="">
|
|
<Src neg="True">
|
|
<ObjectRef ref="host-hostA"/>
|
|
<ObjectRef ref="host-hostB"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="id3B0C6380"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="icmp-Unreachables"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="id"/>
|
|
<Option name="stateless">True</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<PolicyRule id="id3B0C63A9" disabled="False" group="" log="True" position="12" action="Deny" direction="Both" comment="testing negation in the policy rule">
|
|
<Src neg="True">
|
|
<ObjectRef ref="host-hostA"/>
|
|
<ObjectRef ref="host-hostB"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="icmp-Unreachables"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="id"/>
|
|
<Option name="stateless">True</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<PolicyRule id="id3B0C63BF" disabled="False" group="" log="True" position="13" action="Deny" direction="Both" comment="testing negation in service field">
|
|
<Src neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="host-hostA"/>
|
|
<ObjectRef ref="host-hostB"/>
|
|
</Dst>
|
|
<Srv neg="True">
|
|
<ServiceRef ref="tcp-SMTP"/>
|
|
<ServiceRef ref="tcp-SSH"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="id3D6864D0"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="id"/>
|
|
<Option name="stateless">True</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<PolicyRule id="id45F8C4E113056" disabled="False" group="" log="True" position="14" action="Deny" direction="Both" comment="">
|
|
<Src neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="host-hostA"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="tcp-SMTP"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="id45F8C4E013056"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="stateless">True</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<PolicyRule id="id3E4DD6AD" disabled="False" group="" log="False" position="15" action="Accept" direction="Both" comment="Should permit SMTP access to all addresses that belong to the firewall, but not to the addresses that appear only in NAT rules and are added as virtual addresses">
|
|
<Src neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="id3B0C6380"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="tcp-SMTP"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions/>
|
|
</PolicyRule>
|
|
<PolicyRule id="id445880A67646" disabled="True" group="" log="False" position="16" action="Accept" direction="Both" comment="">
|
|
<Src neg="False">
|
|
<ObjectRef ref="id3B0C6380"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions/>
|
|
</PolicyRule>
|
|
<PolicyRule id="id3B0C63CB" disabled="False" group="" log="False" position="17" action="Accept" direction="Both" comment="'masquerading' rule">
|
|
<Src neg="False">
|
|
<ObjectRef ref="net-Internal_net"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="id"/>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<PolicyRule id="id3E20A8E1" disabled="False" group="" log="False" position="18" action="Accept" direction="Both" comment="">
|
|
<Src neg="False">
|
|
<ObjectRef ref="net-Internal_net"/>
|
|
</Src>
|
|
<Dst neg="True">
|
|
<ObjectRef ref="id3B0C6380"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions/>
|
|
</PolicyRule>
|
|
<PolicyRule id="id3B0C63D5" disabled="False" group="" log="True" position="19" action="Deny" direction="Both" comment="'catch all' rule: final default-deny that logs and drops everything not accepted above">
|
|
<Src neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="id"/>
|
|
<Option name="stateless">True</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<RuleSetOptions/>
|
|
</Policy>
|
|
<Routing id="id3B0C6380-routing" name="Routing" comment="" ro="False" ipv4_rule_set="False" ipv6_rule_set="False" top_rule_set="True">
|
|
<RuleSetOptions/>
|
|
</Routing>
|
|
<Interface id="id3B0C63DF" dedicated_failover="False" dyn="False" label="" mgmt="True" security_level="100" unnum="False" unprotected="False" name="eth0" comment="" ro="False">
|
|
<IPv4 id="id3B0C63DF-ipv4" name="address" comment="" ro="False" address="192.168.1.1" netmask="255.255.255.0"/>
|
|
<InterfaceOptions/>
|
|
</Interface>
|
|
<Interface id="id3B0C63E1" dedicated_failover="False" dyn="True" label="" security_level="0" unnum="False" unprotected="False" name="eth1" comment="" ro="False">
|
|
<IPv4 id="id3B0C63E1-ipv4" name="address" comment="" ro="False" address="0.0.0.0" netmask="0.0.0.0"/>
|
|
<InterfaceOptions/>
|
|
</Interface>
|
|
<Interface id="id3B0C63F3" dedicated_failover="False" dyn="False" security_level="100" unnum="False" unprotected="False" name="eth2" comment="" ro="False">
|
|
<IPv4 id="id3B0C63F3-ipv4" name="address" comment="" ro="False" address="192.168.2.1" netmask="255.255.255.0"/>
|
|
<InterfaceOptions/>
|
|
</Interface>
|
|
<Interface id="id3B0C63F5" dedicated_failover="False" dyn="False" security_level="100" unnum="False" unprotected="False" name="lo" comment="" ro="False">
|
|
<IPv4 id="id3B0C63F5-ipv4" name="address" comment="" ro="False" address="127.0.0.1" netmask="255.0.0.0"/>
|
|
<InterfaceOptions/>
|
|
</Interface>
|
|
<Interface id="id3CD88A77" dedicated_failover="False" dyn="False" label="" security_level="0" unnum="False" unprotected="False" name="eth3" comment="" ro="False">
|
|
<IPv4 id="id3CD88A77-ipv4" name="address" comment="" ro="False" address="222.222.222.222" netmask="255.255.255.0"/>
|
|
<InterfaceOptions/>
|
|
</Interface>
|
|
<Management address="192.168.1.1">
|
|
<!-- NOTE(review): SNMP management is disabled, but the stored read community
     is the well-known default "public". Change it before ever enabling SNMP;
     this saved value is what would be used. -->
<SNMPManagement enabled="False" snmp_read_community="public" snmp_write_community=""/>
|
|
<!-- NOTE(review): fwbd management is enabled on port 9999 with an empty
     identity; confirm what fwbd uses to authenticate the installer before
     relying on this on a real host. -->
<FWBDManagement enabled="True" identity="" port="9999"/>
|
|
<PolicyInstallScript arguments="" command="" enabled="False"/>
|
|
</Management>
|
|
<FirewallOptions>
|
|
<!-- NOTE(review): compiler options of what appears to be a test-fixture
     firewall (the policy rules above carry "testing ..." comments). Several
     settings are deliberately weak inputs for the compiler and should not be
     copied as a production baseline; the notes below flag the ones that matter. -->
<!-- NOTE(review): False, so as I read the option no automatic
     ESTABLISHED/RELATED accept rule is placed at the top; confirm against the
     generated script. -->
<Option name="accept_established">False</Option>
|
|
<!-- NOTE(review): True. As I read the fwbuilder option, this suppresses the
     usual rule that drops NEW TCP packets lacking SYN, so mid-stream TCP
     packets can create state; confirm against the generated script. -->
<Option name="accept_new_tcp_with_no_syn">True</Option>
|
|
<Option name="action_on_reject">ICMP net unreachable</Option>
|
|
<Option name="activationCmd"/>
|
|
<Option name="admUser"/>
|
|
<Option name="altAddress"/>
|
|
<Option name="bridging_fw">False</Option>
|
|
<Option name="check_shading">False</Option>
|
|
<Option name="clamp_mss_to_mtu">False</Option>
|
|
<Option name="classify_mark_terminating">False</Option>
|
|
<Option name="cmdline"/>
|
|
<Option name="compiler"/>
|
|
<Option name="configure_interfaces">True</Option>
|
|
<Option name="debug">False</Option>
|
|
<!-- NOTE(review): packets in conntrack state INVALID are neither dropped
     (here) nor logged (log_invalid below). -->
<Option name="drop_invalid">False</Option>
|
|
<Option name="dyn_addr">False</Option>
|
|
<Option name="epilog_script"/>
|
|
<Option name="firewall_dir"/>
|
|
<Option name="firewall_is_part_of_any">True</Option>
|
|
<Option name="firewall_is_part_of_any_and_networks">True</Option>
|
|
<Option name="id"/>
|
|
<Option name="ignore_empty_groups">False</Option>
|
|
<Option name="inst_cmdline"/>
|
|
<Option name="inst_script"/>
|
|
<Option name="install_script"/>
|
|
<Option name="limit_suffix">/day</Option>
|
|
<Option name="limit_value">0</Option>
|
|
<Option name="linux24_accept_redirects"/>
|
|
<Option name="linux24_accept_source_route"/>
|
|
<Option name="linux24_icmp_echo_ignore_all"/>
|
|
<Option name="linux24_icmp_echo_ignore_broadcasts"/>
|
|
<Option name="linux24_icmp_ignore_bogus_error_responses"/>
|
|
<Option name="linux24_ip_dynaddr"/>
|
|
<Option name="linux24_ip_forward"/>
|
|
<Option name="linux24_log_martians"/>
|
|
<Option name="linux24_path_ip"/>
|
|
<Option name="linux24_path_iptables"/>
|
|
<Option name="linux24_path_logger"/>
|
|
<Option name="linux24_path_lsmod"/>
|
|
<Option name="linux24_path_modprobe"/>
|
|
<!-- NOTE(review): left empty, so the generated script presumably does not
     touch rp_filter; source-address validation then rests entirely on the
     anti-spoofing policy rules above. -->
<Option name="linux24_rp_filter"/>
|
|
<Option name="linux24_tcp_ecn"/>
|
|
<Option name="linux24_tcp_fack"/>
|
|
<Option name="linux24_tcp_fin_timeout">30</Option>
|
|
<Option name="linux24_tcp_keepalive_interval">1800</Option>
|
|
<Option name="linux24_tcp_sack"/>
|
|
<!-- NOTE(review): also left empty; tcp_syncookies is not configured by the
     generated script as far as this option goes. -->
<Option name="linux24_tcp_syncookies"/>
|
|
<Option name="linux24_tcp_timestamps"/>
|
|
<Option name="linux24_tcp_window_scaling"/>
|
|
<Option name="load_modules">False</Option>
|
|
<Option name="local_nat">False</Option>
|
|
<Option name="log_all">False</Option>
|
|
<!-- NOTE(review): every dropped packet is logged, at log_level debug, with
     log_limit_value 0 (which appears to mean no rate limit). On a real host
     this is a log-flooding vector; set a limit before reusing these options. -->
<Option name="log_all_dropped">True</Option>
|
|
<Option name="log_invalid">False</Option>
|
|
<Option name="log_ip_opt">False</Option>
|
|
<Option name="log_level">debug</Option>
|
|
<Option name="log_limit_suffix">/second</Option>
|
|
<Option name="log_limit_value">0</Option>
|
|
<Option name="log_prefix"/>
|
|
<Option name="log_tcp_opt">False</Option>
|
|
<Option name="log_tcp_seq">False</Option>
|
|
<Option name="manage_virtual_addr">True</Option>
|
|
<Option name="mgmt_addr"/>
|
|
<!-- NOTE(review): False, so as I understand it no automatic SSH-management
     rule is generated; SSH to the firewall is granted only by the explicit
     policy rules above (e.g. the unlogged any-source SSH accept on eth1). -->
<Option name="mgmt_ssh">False</Option>
|
|
<Option name="no_iochains_for_any">False</Option>
|
|
<Option name="no_ipv6_default_policy">False</Option>
|
|
<Option name="no_optimisation">False</Option>
|
|
<Option name="output_file"/>
|
|
<Option name="platform">iptables</Option>
|
|
<Option name="prolog_place">top</Option>
|
|
<Option name="prolog_script"/>
|
|
<Option name="proxy_arp">False</Option>
|
|
<Option name="script_env_path"/>
|
|
<Option name="snmp_contact"/>
|
|
<Option name="snmp_description"/>
|
|
<Option name="snmp_location"/>
|
|
<Option name="sshArgs"/>
|
|
<Option name="ulog_cprange">64</Option>
|
|
<Option name="ulog_nlgroup">7</Option>
|
|
<Option name="ulog_qthreshold">1</Option>
|
|
<Option name="use_ULOG">True</Option>
|
|
<Option name="use_iptables_restore">False</Option>
|
|
<Option name="use_numeric_log_levels">False</Option>
|
|
<!-- NOTE(review): False, so the generated script presumably does not check
     that the configured interfaces exist on the host before loading rules. -->
<Option name="verify_interfaces">False</Option>
|
|
</FirewallOptions>
|
|
</Firewall>
|
|
<Firewall id="id3B19BEE6" host_OS="linux24" inactive="False" lastCompiled="1272404511" lastInstalled="1142003872" lastModified="1264474374" platform="iptables" version="" name="firewall5" comment="Tests firewall_is_part_of_any_and_networks. Also tests SNAT and DNAT rules when the external interface has a dynamic address: the dynamic interface ppp0 still has an address object attached (the interface used to be static with an address and was later converted to dynamic, leaving the address object in place). The compiler should ignore this stale address object and issue a warning. All &quot;configure interfaces&quot; options are off, to exercise the generated shell functions for this case." ro="False">
|
|
<NAT id="id3B19BEE7" name="NAT" comment="" ro="False" ipv4_rule_set="False" ipv6_rule_set="False" top_rule_set="True">
|
|
<NATRule id="id3CFD9EE2" disabled="False" group="" position="0" action="Translate" comment="">
|
|
<OSrc neg="False">
|
|
<ObjectRef ref="net-Internal_net"/>
|
|
</OSrc>
|
|
<ODst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ODst>
|
|
<OSrv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</OSrv>
|
|
<TSrc neg="False">
|
|
<ObjectRef ref="id3B19BEE6"/>
|
|
</TSrc>
|
|
<TDst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</TDst>
|
|
<TSrv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</TSrv>
|
|
<ItfInb neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ItfInb>
|
|
<ItfOutb neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ItfOutb>
|
|
<NATRuleOptions/>
|
|
</NATRule>
|
|
<NATRule id="id3E8F5A17" disabled="False" group="" position="1" action="Translate" comment="">
|
|
<OSrc neg="False">
|
|
<ObjectRef ref="net-Internal_net"/>
|
|
</OSrc>
|
|
<ODst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ODst>
|
|
<OSrv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</OSrv>
|
|
<TSrc neg="False">
|
|
<ObjectRef ref="id3AFADBF9"/>
|
|
</TSrc>
|
|
<TDst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</TDst>
|
|
<TSrv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</TSrv>
|
|
<ItfInb neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ItfInb>
|
|
<ItfOutb neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ItfOutb>
|
|
<NATRuleOptions/>
|
|
</NATRule>
|
|
<NATRule id="id47CC86147550" disabled="False" group="" position="2" action="Translate" comment="">
|
|
<OSrc neg="False">
|
|
<ObjectRef ref="id47CD183A7550"/>
|
|
</OSrc>
|
|
<ODst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ODst>
|
|
<OSrv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</OSrv>
|
|
<TSrc neg="False">
|
|
<ObjectRef ref="id3AFADBF9"/>
|
|
</TSrc>
|
|
<TDst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</TDst>
|
|
<TSrv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</TSrv>
|
|
<ItfInb neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ItfInb>
|
|
<ItfOutb neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ItfOutb>
|
|
<NATRuleOptions/>
|
|
</NATRule>
|
|
<NATRule id="id3CF5B9DB" disabled="False" group="" position="3" action="Translate" comment="">
|
|
<OSrc neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</OSrc>
|
|
<ODst neg="False">
|
|
<ObjectRef ref="id3B19BEE6"/>
|
|
</ODst>
|
|
<OSrv neg="False">
|
|
<ServiceRef ref="tcp-SSH"/>
|
|
</OSrv>
|
|
<TSrc neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</TSrc>
|
|
<TDst neg="False">
|
|
<ObjectRef ref="host-hostA"/>
|
|
</TDst>
|
|
<TSrv neg="False">
|
|
<ServiceRef ref="tcp-SSH"/>
|
|
</TSrv>
|
|
<ItfInb neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ItfInb>
|
|
<ItfOutb neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ItfOutb>
|
|
<NATRuleOptions/>
|
|
</NATRule>
|
|
<RuleSetOptions/>
|
|
</NAT>
|
|
<Policy id="id3B19BF04" name="Policy" comment="" ro="False" ipv4_rule_set="False" ipv6_rule_set="False" top_rule_set="True">
|
|
<PolicyRule id="id3E4A05B9" disabled="False" group="" log="True" position="0" action="Deny" direction="Inbound" comment="">
|
|
<Src neg="True">
|
|
<ObjectRef ref="id3B19BF3A"/>
|
|
<ObjectRef ref="id3CEBFDFC"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="id3B19BF3A"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="stateless">True</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<PolicyRule id="id3E8F5B72" disabled="False" group="" log="True" position="1" action="Deny" direction="Inbound" comment="">
|
|
<Src neg="True">
|
|
<ObjectRef ref="id3B19BF3A"/>
|
|
<ObjectRef ref="id3CEBFDFC"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="id3E8F5B6F"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="stateless">True</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<PolicyRule id="id212010X42308" disabled="False" group="" log="True" position="2" action="Deny" direction="Inbound" comment="">
|
|
<Src neg="True">
|
|
<ObjectRef ref="id3B19BF3A"/>
|
|
<ObjectRef ref="id3CEBFDFC"/>
|
|
<ObjectRef ref="id3E8F5B6F"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="id3E8F5B6F"/>
|
|
<ObjectRef ref="id3B19BF3A"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="stateless">True</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<PolicyRule id="id896736X42308" disabled="False" group="" log="True" position="3" action="Deny" direction="Both" comment="">
|
|
<Src neg="False">
|
|
<ObjectRef ref="id3B19BF3A"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="id3E8F5B6F"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="stateless">True</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<PolicyRule id="id3E4A0473" disabled="False" group="" log="False" position="4" action="Accept" direction="Both" comment="">
|
|
<Src neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="id3B19BF3A"/>
|
|
<ObjectRef ref="id3E8F5B6F"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="tcp-SSH"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions/>
|
|
</PolicyRule>
|
|
<PolicyRule id="id3E4A0446" disabled="False" group="" log="True" position="5" action="Accept" direction="Both" comment="hostF has the same IP address as the firewall.">
|
|
<Src neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="id3AFC191C"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="icmp-ping_request"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="id"/>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<PolicyRule id="id3E4A0454" disabled="False" group="" log="False" position="6" action="Accept" direction="Both" comment="">
|
|
<Src neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="id3B19BEE6"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="tcp-SSH"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions/>
|
|
</PolicyRule>
|
|
<PolicyRule id="id3E4A054C" disabled="False" group="" log="False" position="7" action="Accept" direction="Both" comment="">
|
|
<Src neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="id3B19BF58"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="tcp-SSH"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions/>
|
|
</PolicyRule>
|
|
<PolicyRule id="id3E986FF8" disabled="False" group="" log="False" position="8" action="Accept" direction="Both" comment="">
|
|
<Src neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="id3AFC191C"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="tcp-SSH"/>
|
|
<ServiceRef ref="tcp-Telnet"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions/>
|
|
</PolicyRule>
|
|
<PolicyRule id="id3E987157" disabled="False" group="" log="False" position="9" action="Accept" direction="Both" comment="">
|
|
<Src neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="id47CD183A7550"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="tcp-SSH"/>
|
|
<ServiceRef ref="tcp-Telnet"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions/>
|
|
</PolicyRule>
|
|
<PolicyRule id="id3E9871F4" disabled="False" group="" log="True" position="10" action="Accept" direction="Both" comment="">
|
|
<Src neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="id47CD183A7550"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="tcp-SSH"/>
|
|
<ServiceRef ref="tcp-Telnet"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions/>
|
|
</PolicyRule>
|
|
<PolicyRule id="id3B19C71F" disabled="False" group="" log="False" position="11" action="Accept" direction="Both" comment="firewall is part of Any, so compiler should generate code in both FORWARD and OUTPUT chains">
|
|
<Src neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="id3B19C5EB"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions/>
|
|
</PolicyRule>
|
|
<PolicyRule id="id3B19C72A" disabled="False" group="" log="False" position="12" action="Accept" direction="Both" comment="firewall is part of Any, so compiler should generate code for both FORWARD and INPUT chains">
|
|
<Src neg="False">
|
|
<ObjectRef ref="id3B19C5EB"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions/>
|
|
</PolicyRule>
|
|
<PolicyRule id="id3E20A4AB" disabled="False" group="" log="False" position="13" action="Accept" direction="Both" comment="because firewall has interface on network internal_net, compiler should generate code for both FORWARD and INPUT chains">
|
|
<Src neg="False">
|
|
<ObjectRef ref="host-hostA"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="net-Internal_net"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions/>
|
|
</PolicyRule>
|
|
<PolicyRule id="id3B19C5CA" disabled="False" group="" log="False" position="14" action="Accept" direction="Both" comment="">
|
|
<Src neg="False">
|
|
<ObjectRef ref="net-Internal_net"/>
|
|
<ObjectRef ref="id3B022266"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="id3B19C5EB"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions/>
|
|
</PolicyRule>
|
|
<PolicyRule id="id3B19BF30" disabled="False" group="" log="True" position="15" action="Deny" direction="Both" comment="Automatically generated 'catch all' rule">
|
|
<!-- NOTE(review): this final deny-all rule logs (log="True") but limit_value is 0 below, so the log entries it produces are not rate limited; compare the 'host' firewall's catch-all rule later in this file, which limits to 10 per minute. Presumably fine for a test fixture, confirm if this object is reused. -->
<Src neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="action_on_reject"/>
|
|
<Option name="id"/>
|
|
<Option name="limit_suffix"/>
|
|
<Option name="limit_value">0</Option>
|
|
<Option name="log_prefix"/>
|
|
<Option name="stateless">True</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<RuleSetOptions/>
|
|
</Policy>
|
|
<Routing id="id3B19BEE6-routing" name="Routing" comment="" ro="False" ipv4_rule_set="False" ipv6_rule_set="False" top_rule_set="True">
|
|
<RuleSetOptions/>
|
|
</Routing>
|
|
<Interface id="id3B19BF3A" dedicated_failover="False" dyn="True" label="" mgmt="False" security_level="0" unnum="False" unprotected="False" name="ppp0" comment="" ro="False">
|
|
<!-- NOTE(review): ppp0 is flagged dyn="True" yet carries a static 192.168.1.1/24 address, the same address eth0 uses on this firewall; presumably deliberate input for the compiler tests, confirm before reusing this object elsewhere. -->
<IPv4 id="id3EF959F7" name="firewall5:ppp0(ip)" comment="" ro="False" address="192.168.1.1" netmask="255.255.255.0"/>
|
|
<InterfaceOptions/>
|
|
</Interface>
|
|
<Interface id="id3B19BF58" dedicated_failover="False" dyn="False" label="" mgmt="True" security_level="100" unnum="False" unprotected="False" name="eth0" comment="" ro="False">
|
|
<IPv4 id="id3B19BF58-ipv4" name="address" comment="" ro="False" address="192.168.1.1" netmask="255.255.255.0"/>
|
|
<InterfaceOptions/>
|
|
</Interface>
|
|
<Interface id="id3B19C51D" dedicated_failover="False" dyn="False" security_level="0" unnum="False" unprotected="False" name="eth2" comment="" ro="False">
|
|
<IPv4 id="id3B19C51D-ipv4" name="address" comment="" ro="False" address="192.168.2.1" netmask="255.255.255.0"/>
|
|
<InterfaceOptions/>
|
|
</Interface>
|
|
<Interface id="id3E8F5B6F" dedicated_failover="False" dyn="True" label="" mgmt="False" security_level="0" unnum="False" unprotected="False" name="ppp1" comment="" ro="False">
|
|
<InterfaceOptions/>
|
|
</Interface>
|
|
<Interface id="id49862X35079" dedicated_failover="False" dyn="False" label="" mgmt="False" security_level="0" unnum="False" unprotected="False" name="sixxs0" comment="ipv6 tunnel interface. Test for bug #1064" ro="False">
|
|
<IPv6 id="id49900X35079" name="firewall5:sixxs0:ipv6" comment="" ro="False" address="fe80::1" netmask="64"/>
|
|
<InterfaceOptions>
|
|
<Option name="type">ethernet</Option>
|
|
</InterfaceOptions>
|
|
</Interface>
|
|
<Management address="192.168.1.1">
|
|
<!-- SNMP management is disabled here (enabled="False"); the read community is the default "public" and appears in plain text in this file, so set a real value before enabling SNMP on a firewall built from this object. -->
<SNMPManagement enabled="False" snmp_read_community="public" snmp_write_community=""/>
|
|
<FWBDManagement enabled="True" identity="" port="9999"/>
|
|
<PolicyInstallScript arguments="" command="" enabled="False"/>
|
|
</Management>
|
|
<FirewallOptions>
|
|
<Option name="accept_established">False</Option>
|
|
<Option name="accept_new_tcp_with_no_syn">True</Option>
|
|
<Option name="action_on_reject">ICMP host prohibited</Option>
|
|
<Option name="bridging_fw">False</Option>
|
|
<Option name="check_shading">False</Option>
|
|
<Option name="clamp_mss_to_mtu">False</Option>
|
|
<Option name="cmdline"/>
|
|
<Option name="compiler"/>
|
|
<Option name="configure_interfaces">False</Option>
|
|
<Option name="debug">False</Option>
|
|
<Option name="dyn_addr">False</Option>
|
|
<Option name="firewall_is_part_of_any">True</Option>
|
|
<Option name="firewall_is_part_of_any_and_networks">True</Option>
|
|
<Option name="id"/>
|
|
<Option name="ignore_empty_groups">False</Option>
|
|
<Option name="install_script"/>
|
|
<Option name="limit_suffix">/day</Option>
|
|
<Option name="limit_value">0</Option>
|
|
<Option name="linux24_accept_redirects"/>
|
|
<Option name="linux24_accept_source_route"/>
|
|
<Option name="linux24_icmp_echo_ignore_all"/>
|
|
<Option name="linux24_icmp_echo_ignore_broadcasts"/>
|
|
<Option name="linux24_icmp_ignore_bogus_error_responses"/>
|
|
<Option name="linux24_ip_dynaddr"/>
|
|
<Option name="linux24_ip_forward"/>
|
|
<Option name="linux24_log_martians"/>
|
|
<Option name="linux24_path_ip"/>
|
|
<Option name="linux24_path_iptables"/>
|
|
<Option name="linux24_path_logger"/>
|
|
<Option name="linux24_path_lsmod"/>
|
|
<Option name="linux24_path_modprobe"/>
|
|
<Option name="linux24_rp_filter"/>
|
|
<Option name="linux24_tcp_ecn"/>
|
|
<Option name="linux24_tcp_fack"/>
|
|
<Option name="linux24_tcp_fin_timeout">30</Option>
|
|
<Option name="linux24_tcp_keepalive_interval">1800</Option>
|
|
<Option name="linux24_tcp_sack"/>
|
|
<Option name="linux24_tcp_syncookies"/>
|
|
<Option name="linux24_tcp_timestamps"/>
|
|
<Option name="linux24_tcp_window_scaling"/>
|
|
<Option name="load_modules">False</Option>
|
|
<Option name="local_nat">False</Option>
|
|
<Option name="log_all">False</Option>
|
|
<Option name="log_all_dropped">False</Option>
|
|
<Option name="log_ip_opt">False</Option>
|
|
<Option name="log_level"/>
|
|
<Option name="log_limit_suffix"/>
|
|
<Option name="log_limit_value">0</Option>
|
|
<Option name="log_prefix"/>
|
|
<Option name="log_tcp_opt">False</Option>
|
|
<Option name="log_tcp_seq">False</Option>
|
|
<Option name="manage_virtual_addr">False</Option>
|
|
<Option name="no_iochains_for_any">False</Option>
|
|
<Option name="no_optimisation">False</Option>
|
|
<Option name="platform">iptables</Option>
|
|
<Option name="script_env_path"/>
|
|
<Option name="snmp_contact"/>
|
|
<Option name="snmp_description"/>
|
|
<Option name="snmp_location"/>
|
|
<Option name="ulog_cprange">0</Option>
|
|
<Option name="ulog_nlgroup">1</Option>
|
|
<Option name="ulog_qthreshold">1</Option>
|
|
<Option name="use_ULOG">False</Option>
|
|
<Option name="use_numeric_log_levels">False</Option>
|
|
<Option name="verify_interfaces">False</Option>
|
|
</FirewallOptions>
|
|
</Firewall>
|
|
<Firewall id="id3AF5A2BA" host_OS="linux24" lastCompiled="1272404585" lastInstalled="1142003872" lastModified="0" platform="iptables" version="" name="host" comment="firewall protects host it is running on" ro="False">
|
|
<NAT id="id3AF5A2BD" name="NAT" comment="" ro="False" ipv4_rule_set="False" ipv6_rule_set="False" top_rule_set="True">
|
|
<RuleSetOptions/>
|
|
</NAT>
|
|
<Policy id="id3AF5A2BC" name="Policy" comment="" ro="False" ipv4_rule_set="False" ipv6_rule_set="False" top_rule_set="True">
|
|
<PolicyRule id="id3BD8ECD0" disabled="False" group="" log="True" position="0" action="Deny" direction="Inbound" comment="">
|
|
<!-- Anti-spoofing rule: Src is this firewall object itself (id3AF5A2BA) while direction is Inbound on interface id3AF5A2CB (eth0), so packets arriving on eth0 that claim the firewall's own address are denied and logged. The stateless option is set, presumably so the rule matches every packet rather than only new connections; confirm against the generated iptables output. -->
<Src neg="False">
|
|
<ObjectRef ref="id3AF5A2BA"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="id3AF5A2CB"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="stateless">True</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<PolicyRule id="id3AFB70C7" disabled="False" group="" log="False" position="1" action="Accept" direction="Inbound" comment="allow everything on loopback">
|
|
<Src neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="id3AF5A2BA"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="id3AFB7090"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions/>
|
|
</PolicyRule>
|
|
<PolicyRule id="id3AFB70CF" disabled="False" group="" log="False" position="2" action="Accept" direction="Outbound" comment="allow everything on loopback">
|
|
<Src neg="False">
|
|
<ObjectRef ref="id3AF5A2BA"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="id3AFB7090"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions/>
|
|
</PolicyRule>
|
|
<PolicyRule id="id3BD8ECC6" disabled="False" group="" log="True" position="3" action="Accept" direction="Both" comment="">
|
|
<Src neg="False">
|
|
<ObjectRef ref="id3AF5A2BA"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="id3AF5A2BA"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="id3AFB7090"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions/>
|
|
</PolicyRule>
|
|
<PolicyRule id="id3AF5A74B" disabled="True" group="" log="True" position="4" action="Deny" direction="Both" comment="block fragments">
|
|
<Src neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="id3AF5A2BA"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="ip-IP_Fragments"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="stateless">True</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<PolicyRule id="id3AF5A73A" disabled="True" group="" log="False" position="5" action="Accept" direction="Both" comment="">
|
|
<Src neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="id3AF5A2BA"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="tcp-SMTP"/>
|
|
<ServiceRef ref="tcp-HTTP"/>
|
|
<ServiceRef ref="tcp-SSH"/>
|
|
<ServiceRef ref="tcp-FTP"/>
|
|
<ServiceRef ref="tcp-Telnet"/>
|
|
<ServiceRef ref="icmp-Unreachables"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions/>
|
|
</PolicyRule>
|
|
<PolicyRule id="id3AF5A757" disabled="True" group="" log="False" position="6" action="Accept" direction="Both" comment="allow all outgoing connections">
|
|
<Src neg="False">
|
|
<ObjectRef ref="id3AF5A2BA"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions/>
|
|
</PolicyRule>
|
|
<PolicyRule id="id3FBDC5E7" disabled="False" group="" log="False" position="7" action="Accept" direction="Both" comment="">
|
|
<Src neg="False">
|
|
<ObjectRef ref="id3AF5A2BA"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions/>
|
|
</PolicyRule>
|
|
<PolicyRule id="id3AF5A762" disabled="False" group="" log="True" position="8" action="Deny" direction="Both" comment="'catch all' rule">
|
|
<!-- Final deny-all rule for the 'host' firewall. Logging is rate limited (limit_value 10 per limit_suffix /minute, limit_burst 50) and tagged with log_prefix "CATCH ALL RULE", presumably so a flood of dropped packets cannot swamp the log. -->
<Src neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="action_on_reject"/>
|
|
<Option name="limit_burst">50</Option>
|
|
<Option name="limit_suffix">/minute</Option>
|
|
<Option name="limit_value">10</Option>
|
|
<Option name="log_level"/>
|
|
<Option name="log_prefix">CATCH ALL RULE</Option>
|
|
<Option name="stateless">True</Option>
|
|
<Option name="ulog_nlgroup">1</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<RuleSetOptions/>
|
|
</Policy>
|
|
<Routing id="id3AF5A2BA-routing" name="Routing" comment="" ro="False" ipv4_rule_set="False" ipv6_rule_set="False" top_rule_set="True">
|
|
<RuleSetOptions/>
|
|
</Routing>
|
|
<Interface id="id3AF5A2CB" dedicated_failover="False" dyn="False" security_level="0" unnum="False" unprotected="False" name="eth0" comment="" ro="False">
|
|
<IPv4 id="id3AF5A2CB-ipv4" name="address" comment="" ro="False" address="22.22.22.22" netmask="255.255.255.0"/>
|
|
<InterfaceOptions/>
|
|
</Interface>
|
|
<Interface id="id3AFB7090" dedicated_failover="False" dyn="False" security_level="100" unnum="False" unprotected="False" name="lo" comment="" ro="False">
|
|
<IPv4 id="id3AFB7090-ipv4" name="address" comment="" ro="False" address="127.0.0.1" netmask="255.0.0.0"/>
|
|
<InterfaceOptions/>
|
|
</Interface>
|
|
<Management address="127.0.0.1">
|
|
<!-- Management address is the loopback address, i.e. this firewall is administered from the host it runs on. SNMP is disabled (enabled="False") and the read community is the default "public" in plain text; set a real value before enabling SNMP on a firewall built from this object. -->
<SNMPManagement enabled="False" snmp_read_community="public" snmp_write_community=""/>
|
|
<FWBDManagement enabled="True" identity="" port="9999"/>
|
|
<PolicyInstallScript arguments="" command="" enabled="False"/>
|
|
</Management>
|
|
<FirewallOptions>
|
|
<Option name="accept_established">True</Option>
|
|
<Option name="accept_new_tcp_with_no_syn">True</Option>
|
|
<Option name="action_on_reject">ICMP host prohibited</Option>
|
|
<Option name="bridging_fw">False</Option>
|
|
<Option name="check_shading">False</Option>
|
|
<Option name="clamp_mss_to_mtu">False</Option>
|
|
<Option name="cmdline"/>
|
|
<Option name="compiler"/>
|
|
<Option name="configure_interfaces">False</Option>
|
|
<Option name="debug">False</Option>
|
|
<Option name="dyn_addr">False</Option>
|
|
<Option name="firewall_is_part_of_any">True</Option>
|
|
<Option name="firewall_is_part_of_any_and_networks">True</Option>
|
|
<Option name="ignore_empty_groups">False</Option>
|
|
<Option name="inst_cmdline"/>
|
|
<Option name="inst_script"/>
|
|
<Option name="install_script"/>
|
|
<Option name="limit_suffix">/day</Option>
|
|
<Option name="limit_value">0</Option>
|
|
<Option name="linux24_accept_redirects"/>
|
|
<Option name="linux24_accept_source_route"/>
|
|
<Option name="linux24_icmp_echo_ignore_all"/>
|
|
<Option name="linux24_icmp_echo_ignore_broadcasts"/>
|
|
<Option name="linux24_icmp_ignore_bogus_error_responses"/>
|
|
<Option name="linux24_ip_dynaddr"/>
|
|
<Option name="linux24_ip_forward">0</Option>
|
|
<Option name="linux24_log_martians"/>
|
|
<Option name="linux24_path_ip"/>
|
|
<Option name="linux24_path_iptables"/>
|
|
<Option name="linux24_path_logger"/>
|
|
<Option name="linux24_path_lsmod"/>
|
|
<Option name="linux24_path_modprobe"/>
|
|
<Option name="linux24_rp_filter"/>
|
|
<Option name="linux24_tcp_ecn"/>
|
|
<Option name="linux24_tcp_fack"/>
|
|
<Option name="linux24_tcp_fin_timeout">30</Option>
|
|
<Option name="linux24_tcp_keepalive_interval">1800</Option>
|
|
<Option name="linux24_tcp_sack"/>
|
|
<Option name="linux24_tcp_syncookies"/>
|
|
<Option name="linux24_tcp_timestamps"/>
|
|
<Option name="linux24_tcp_window_scaling"/>
|
|
<Option name="load_modules">True</Option>
|
|
<Option name="local_nat">False</Option>
|
|
<Option name="log_all">False</Option>
|
|
<Option name="log_all_dropped">False</Option>
|
|
<Option name="log_ip_opt">False</Option>
|
|
<Option name="log_level">debug</Option>
|
|
<Option name="log_limit_suffix"/>
|
|
<Option name="log_limit_value">0</Option>
|
|
<Option name="log_prefix"/>
|
|
<Option name="log_tcp_opt">False</Option>
|
|
<Option name="log_tcp_seq">False</Option>
|
|
<Option name="manage_virtual_addr">False</Option>
|
|
<Option name="no_iochains_for_any">False</Option>
|
|
<Option name="no_optimisation">False</Option>
|
|
<Option name="platform">iptables</Option>
|
|
<Option name="script_env_path"/>
|
|
<Option name="snmp_contact"/>
|
|
<Option name="snmp_description"/>
|
|
<Option name="snmp_location"/>
|
|
<Option name="ulog_cprange">0</Option>
|
|
<Option name="ulog_nlgroup">1</Option>
|
|
<Option name="ulog_qthreshold">1</Option>
|
|
<Option name="use_ULOG">False</Option>
|
|
<Option name="use_ip_tool">False</Option>
|
|
<Option name="use_numeric_log_levels">False</Option>
|
|
<Option name="verify_interfaces">False</Option>
|
|
</FirewallOptions>
|
|
</Firewall>
|
|
<Firewall id="id3C698F1D" host_OS="linux24" lastCompiled="1272404522" lastInstalled="1142003872" lastModified="1224350148" platform="iptables" name="firewall6" comment="testing rule with firewall in dst and negation; also testing &quot;Destination NAT Onto the Same Network&quot; per Tutorial chapter 3.5; testing a rule with src=dst=firewall6 in the global policy (should use all interfaces including loopback)" ro="False">
|
|
<NAT id="id3C698F1E" name="NAT" comment="" ro="False" ipv4_rule_set="False" ipv6_rule_set="False" top_rule_set="True">
|
|
<NATRule id="id3D5C25BE" disabled="False" group="" position="0" action="Translate" comment="">
|
|
<OSrc neg="False">
|
|
<ObjectRef ref="net-Internal_net"/>
|
|
</OSrc>
|
|
<ODst neg="False">
|
|
<ObjectRef ref="host-hostB"/>
|
|
</ODst>
|
|
<OSrv neg="False">
|
|
<ServiceRef ref="tcp-HTTP"/>
|
|
</OSrv>
|
|
<TSrc neg="False">
|
|
<ObjectRef ref="id3C699013"/>
|
|
</TSrc>
|
|
<TDst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</TDst>
|
|
<TSrv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</TSrv>
|
|
<ItfInb neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ItfInb>
|
|
<ItfOutb neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ItfOutb>
|
|
<NATRuleOptions/>
|
|
</NATRule>
|
|
<NATRule id="id3D5C25B0" disabled="False" group="" position="1" action="Translate" comment="">
|
|
<OSrc neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</OSrc>
|
|
<ODst neg="False">
|
|
<ObjectRef ref="id3BD6736B"/>
|
|
</ODst>
|
|
<OSrv neg="False">
|
|
<ServiceRef ref="tcp-HTTP"/>
|
|
</OSrv>
|
|
<TSrc neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</TSrc>
|
|
<TDst neg="False">
|
|
<ObjectRef ref="host-hostB"/>
|
|
</TDst>
|
|
<TSrv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</TSrv>
|
|
<ItfInb neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ItfInb>
|
|
<ItfOutb neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ItfOutb>
|
|
<NATRuleOptions/>
|
|
</NATRule>
|
|
<NATRule id="id3E7949B6" disabled="False" group="" position="2" action="Translate" comment="this is an SDNAT rule: it translates both source and destination; this rule should be equivalent to the two rules above">
|
|
<OSrc neg="False">
|
|
<ObjectRef ref="net-Internal_net"/>
|
|
</OSrc>
|
|
<ODst neg="False">
|
|
<ObjectRef ref="id3BD6736B"/>
|
|
</ODst>
|
|
<OSrv neg="False">
|
|
<ServiceRef ref="tcp-HTTP"/>
|
|
</OSrv>
|
|
<TSrc neg="False">
|
|
<ObjectRef ref="id3C699013"/>
|
|
</TSrc>
|
|
<TDst neg="False">
|
|
<ObjectRef ref="host-hostB"/>
|
|
</TDst>
|
|
<TSrv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</TSrv>
|
|
<ItfInb neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ItfInb>
|
|
<ItfOutb neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ItfOutb>
|
|
<NATRuleOptions/>
|
|
</NATRule>
|
|
<NATRule id="id3E7951E3" disabled="False" group="" position="3" action="Translate" comment="">
|
|
<OSrc neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</OSrc>
|
|
<ODst neg="False">
|
|
<ObjectRef ref="id3C69901D"/>
|
|
</ODst>
|
|
<OSrv neg="False">
|
|
<ServiceRef ref="tcp-HTTP"/>
|
|
</OSrv>
|
|
<TSrc neg="False">
|
|
<ObjectRef ref="id3C699013"/>
|
|
</TSrc>
|
|
<TDst neg="False">
|
|
<ObjectRef ref="id3CD87A53"/>
|
|
<ObjectRef ref="id3CD87A5E"/>
|
|
</TDst>
|
|
<TSrv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</TSrv>
|
|
<ItfInb neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ItfInb>
|
|
<ItfOutb neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ItfOutb>
|
|
<NATRuleOptions/>
|
|
</NATRule>
|
|
<NATRule id="id3E7952DB" disabled="False" group="" position="4" action="Translate" comment="">
|
|
<OSrc neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</OSrc>
|
|
<ODst neg="False">
|
|
<ObjectRef ref="id3C69901D"/>
|
|
</ODst>
|
|
<OSrv neg="False">
|
|
<ServiceRef ref="tcp-HTTP"/>
|
|
</OSrv>
|
|
<TSrc neg="False">
|
|
<ObjectRef ref="id3C698F1D"/>
|
|
</TSrc>
|
|
<TDst neg="False">
|
|
<ObjectRef ref="id3CD87A53"/>
|
|
<ObjectRef ref="id3CD87A5E"/>
|
|
</TDst>
|
|
<TSrv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</TSrv>
|
|
<ItfInb neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ItfInb>
|
|
<ItfOutb neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ItfOutb>
|
|
<NATRuleOptions/>
|
|
</NATRule>
|
|
<NATRule id="id3E795311" disabled="False" group="" position="5" action="Translate" comment="">
|
|
<OSrc neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</OSrc>
|
|
<ODst neg="False">
|
|
<ObjectRef ref="id3C698F1D"/>
|
|
</ODst>
|
|
<OSrv neg="False">
|
|
<ServiceRef ref="tcp-HTTP"/>
|
|
</OSrv>
|
|
<TSrc neg="False">
|
|
<ObjectRef ref="id3C698F1D"/>
|
|
</TSrc>
|
|
<TDst neg="False">
|
|
<ObjectRef ref="id3CD87A53"/>
|
|
<ObjectRef ref="id3CD87A5E"/>
|
|
</TDst>
|
|
<TSrv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</TSrv>
|
|
<ItfInb neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ItfInb>
|
|
<ItfOutb neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ItfOutb>
|
|
<NATRuleOptions/>
|
|
</NATRule>
|
|
<NATRule id="id3E9BC4A7" disabled="False" group="" position="6" action="Translate" comment="">
|
|
<OSrc neg="True">
|
|
<ObjectRef ref="id3E9BC536"/>
|
|
</OSrc>
|
|
<ODst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ODst>
|
|
<OSrv neg="False">
|
|
<ServiceRef ref="tcp-HTTP"/>
|
|
</OSrv>
|
|
<TSrc neg="False">
|
|
<ObjectRef ref="id3C699013"/>
|
|
</TSrc>
|
|
<TDst neg="False">
|
|
<ObjectRef ref="id3E9BC536"/>
|
|
</TDst>
|
|
<TSrv neg="False">
|
|
<ServiceRef ref="id3B4FF09A"/>
|
|
</TSrv>
|
|
<ItfInb neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ItfInb>
|
|
<ItfOutb neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ItfOutb>
|
|
<NATRuleOptions/>
|
|
</NATRule>
|
|
<NATRule id="id3F9F8382" disabled="False" group="" position="7" action="Translate" comment="">
|
|
<OSrc neg="False">
|
|
<ObjectRef ref="net-Internal_net"/>
|
|
</OSrc>
|
|
<ODst neg="True">
|
|
<ObjectRef ref="id3DECF4EB"/>
|
|
</ODst>
|
|
<OSrv neg="False">
|
|
<ServiceRef ref="tcp-HTTP"/>
|
|
</OSrv>
|
|
<TSrc neg="False">
|
|
<ObjectRef ref="id3C699013"/>
|
|
</TSrc>
|
|
<TDst neg="False">
|
|
<ObjectRef ref="id3E9BC536"/>
|
|
</TDst>
|
|
<TSrv neg="False">
|
|
<ServiceRef ref="id3B4FF09A"/>
|
|
</TSrv>
|
|
<ItfInb neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ItfInb>
|
|
<ItfOutb neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ItfOutb>
|
|
<NATRuleOptions/>
|
|
</NATRule>
|
|
<NATRule id="id3E79538A" disabled="False" group="" position="8" action="Translate" comment="">
|
|
<OSrc neg="False">
|
|
<ObjectRef ref="net-Internal_net"/>
|
|
</OSrc>
|
|
<ODst neg="False">
|
|
<ObjectRef ref="id3B022266"/>
|
|
</ODst>
|
|
<OSrv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</OSrv>
|
|
<TSrc neg="False">
|
|
<ObjectRef ref="id3C698F1D"/>
|
|
</TSrc>
|
|
<TDst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</TDst>
|
|
<TSrv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</TSrv>
|
|
<ItfInb neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ItfInb>
|
|
<ItfOutb neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ItfOutb>
|
|
<NATRuleOptions/>
|
|
</NATRule>
|
|
<NATRule id="id3E79539A" disabled="False" group="" position="9" action="Translate" comment="">
|
|
<OSrc neg="False">
|
|
<ObjectRef ref="net-Internal_net"/>
|
|
</OSrc>
|
|
<ODst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ODst>
|
|
<OSrv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</OSrv>
|
|
<TSrc neg="False">
|
|
<ObjectRef ref="id3C698F1D"/>
|
|
</TSrc>
|
|
<TDst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</TDst>
|
|
<TSrv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</TSrv>
|
|
<ItfInb neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ItfInb>
|
|
<ItfOutb neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ItfOutb>
|
|
<NATRuleOptions/>
|
|
</NATRule>
|
|
<RuleSetOptions/>
|
|
</NAT>
|
|
<Policy id="id3C698F9D" name="Policy" comment="" ro="False" ipv4_rule_set="False" ipv6_rule_set="False" top_rule_set="True">
|
|
<PolicyRule id="id3C699028" disabled="False" group="" log="True" position="0" action="Deny" direction="Inbound" comment="">
|
|
<Src neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Src>
|
|
<Dst neg="True">
|
|
<ObjectRef ref="id3C698F1D"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="id3C69901D"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="stateless">True</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<PolicyRule id="id3C698FB2" disabled="False" group="" log="True" position="1" action="Deny" direction="Both" comment="">
|
|
<Src neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Src>
|
|
<Dst neg="True">
|
|
<ObjectRef ref="id3C698F1D"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="stateless">True</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<PolicyRule id="id3E9C86DD" disabled="False" group="" log="False" position="2" action="Accept" direction="Both" comment="">
|
|
<Src neg="False">
|
|
<ObjectRef ref="id3C698F1D"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="id3C698F1D"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions/>
|
|
</PolicyRule>
|
|
<PolicyRule id="id3D84F6EA" disabled="True" group="" log="True" position="3" action="Accept" direction="Both" comment="">
|
|
<Src neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="id3D84F6D7"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions/>
|
|
</PolicyRule>
|
|
<PolicyRule id="id141025X15403" disabled="False" group="" log="False" position="4" action="Accept" direction="Both" comment="">
|
|
<Src neg="False">
|
|
<ObjectRef ref="net-Internal_net"/>
|
|
</Src>
|
|
<Dst neg="True">
|
|
<ObjectRef ref="id3DECF4EB"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="stateless">False</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<RuleSetOptions/>
|
|
</Policy>
|
|
<Routing id="id3C698F1D-routing" name="Routing" comment="" ro="False" ipv4_rule_set="False" ipv6_rule_set="False" top_rule_set="True">
|
|
<RuleSetOptions/>
|
|
</Routing>
|
|
<Interface id="id3C699013" dedicated_failover="False" dyn="False" label="" mgmt="True" security_level="100" unnum="False" unprotected="False" name="eth0" comment="" ro="False">
|
|
<IPv4 id="id3C699013-ipv4" name="address" comment="" ro="False" address="192.168.1.1" netmask="255.255.255.0"/>
|
|
<InterfaceOptions/>
|
|
</Interface>
|
|
<Interface id="id3C69901D" dedicated_failover="False" dyn="False" security_level="0" unnum="False" unprotected="False" name="eth1" comment="" ro="False">
|
|
<IPv4 id="id3C69901D-ipv4" name="address" comment="" ro="False" address="22.22.22.22" netmask="255.255.255.0"/>
|
|
<InterfaceOptions/>
|
|
</Interface>
|
|
<Interface id="id3C699030" dedicated_failover="False" dyn="False" security_level="100" unnum="False" unprotected="False" name="eth2" comment="" ro="False">
|
|
<IPv4 id="id3C699030-ipv4" name="address" comment="" ro="False" address="192.168.2.1" netmask="255.255.255.0"/>
|
|
<InterfaceOptions/>
|
|
</Interface>
|
|
<Interface id="id3C699032" dedicated_failover="False" dyn="False" security_level="100" unnum="False" unprotected="False" name="lo" comment="" ro="False">
|
|
<IPv4 id="id3C699032-ipv4" name="address" comment="" ro="False" address="127.0.0.1" netmask="255.0.0.0"/>
|
|
<InterfaceOptions/>
|
|
</Interface>
|
|
<Interface id="id3C699034" dedicated_failover="False" dyn="False" security_level="0" unnum="False" unprotected="False" name="eth3" comment="" ro="False">
|
|
<IPv4 id="id3C699034-ipv4" name="address" comment="" ro="False" address="22.22.23.23" netmask="255.255.255.0"/>
|
|
<InterfaceOptions/>
|
|
</Interface>
|
|
<Management address="192.168.1.1">
|
|
<!-- SNMP management is disabled here (enabled="False"); the read community is the default "public" and appears in plain text in this file, so set a real value before enabling SNMP on a firewall built from this object. -->
<SNMPManagement enabled="False" snmp_read_community="public" snmp_write_community=""/>
|
|
<FWBDManagement enabled="True" identity="" port="9999"/>
|
|
<PolicyInstallScript arguments="" command="" enabled="False"/>
|
|
</Management>
|
|
<FirewallOptions>
|
|
<Option name="accept_established">True</Option>
|
|
<Option name="accept_new_tcp_with_no_syn">True</Option>
|
|
<Option name="action_on_reject">ICMP net unreachable</Option>
|
|
<Option name="bridging_fw">False</Option>
|
|
<Option name="check_shading">True</Option>
|
|
<Option name="clamp_mss_to_mtu">False</Option>
|
|
<Option name="cmdline"/>
|
|
<Option name="compiler"/>
|
|
<Option name="configure_interfaces">True</Option>
|
|
<Option name="debug">False</Option>
|
|
<Option name="dyn_addr">False</Option>
|
|
<Option name="firewall_is_part_of_any">True</Option>
|
|
<Option name="firewall_is_part_of_any_and_networks">True</Option>
|
|
<Option name="ignore_empty_groups">False</Option>
|
|
<Option name="inst_cmdline"/>
|
|
<Option name="inst_script"/>
|
|
<Option name="install_script"/>
|
|
<Option name="limit_suffix">/day</Option>
|
|
<Option name="limit_value">0</Option>
|
|
<Option name="linux24_accept_redirects"/>
|
|
<Option name="linux24_accept_source_route"/>
|
|
<Option name="linux24_icmp_echo_ignore_all"/>
|
|
<Option name="linux24_icmp_echo_ignore_broadcasts"/>
|
|
<Option name="linux24_icmp_ignore_bogus_error_responses"/>
|
|
<Option name="linux24_ip_dynaddr"/>
|
|
<Option name="linux24_ip_forward"/>
|
|
<Option name="linux24_log_martians"/>
|
|
<Option name="linux24_path_ip"/>
|
|
<Option name="linux24_path_iptables"/>
|
|
<Option name="linux24_path_logger"/>
|
|
<Option name="linux24_path_lsmod"/>
|
|
<Option name="linux24_path_modprobe"/>
|
|
<Option name="linux24_rp_filter"/>
|
|
<Option name="linux24_tcp_ecn"/>
|
|
<Option name="linux24_tcp_fack"/>
|
|
<Option name="linux24_tcp_fin_timeout">30</Option>
|
|
<Option name="linux24_tcp_keepalive_interval">1800</Option>
|
|
<Option name="linux24_tcp_sack"/>
|
|
<Option name="linux24_tcp_syncookies"/>
|
|
<Option name="linux24_tcp_timestamps"/>
|
|
<Option name="linux24_tcp_window_scaling"/>
|
|
<Option name="load_modules">False</Option>
|
|
<Option name="local_nat">False</Option>
|
|
<Option name="log_all">False</Option>
|
|
<Option name="log_all_dropped">False</Option>
|
|
<Option name="log_ip_opt">False</Option>
|
|
<Option name="log_level">debug</Option>
|
|
<Option name="log_limit_suffix">/second</Option>
|
|
<Option name="log_limit_value">0</Option>
|
|
<Option name="log_prefix">RULE %N -- %A %I</Option>
|
|
<Option name="log_tcp_opt">False</Option>
|
|
<Option name="log_tcp_seq">False</Option>
|
|
<Option name="manage_virtual_addr">True</Option>
|
|
<Option name="no_iochains_for_any">False</Option>
|
|
<Option name="no_optimisation">False</Option>
|
|
<Option name="platform">iptables</Option>
|
|
<Option name="proxy_arp">False</Option>
|
|
<Option name="script_env_path"/>
|
|
<Option name="snmp_contact"/>
|
|
<Option name="snmp_description"/>
|
|
<Option name="snmp_location"/>
|
|
<Option name="ulog_cprange">0</Option>
|
|
<Option name="ulog_nlgroup">1</Option>
|
|
<Option name="ulog_qthreshold">1</Option>
|
|
<Option name="use_ULOG">False</Option>
|
|
<Option name="use_ip_tool">False</Option>
|
|
<Option name="use_numeric_log_levels">False</Option>
|
|
<Option name="verify_interfaces">False</Option>
|
|
</FirewallOptions>
|
|
</Firewall>
|
|
<Firewall id="id3C69BD4F" host_OS="linux24" lastCompiled="1272404549" lastInstalled="1142003872" lastModified="1171611268" platform="iptables" version="" name="firewall7" comment="testing rules with broadcasts and multicasts and action-on-reject &quot;TCP reset&quot;; testing rules used for DHCP relay running on the firewall between interfaces eth0 and eth2" ro="False">
|
|
<NAT id="id3C69BD50" name="NAT" comment="" ro="False" ipv4_rule_set="False" ipv6_rule_set="False" top_rule_set="True">
|
|
<NATRule id="id3D6BE398" disabled="True" group="" position="0" action="Translate" comment="this is an incorrect rule which should be refused by the compiler">
|
|
<OSrc neg="False">
|
|
<ObjectRef ref="net-Internal_net"/>
|
|
</OSrc>
|
|
<ODst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ODst>
|
|
<OSrv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</OSrv>
|
|
<TSrc neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</TSrc>
|
|
<TDst neg="False">
|
|
<ObjectRef ref="id3C69BD4F"/>
|
|
</TDst>
|
|
<TSrv neg="False">
|
|
<ServiceRef ref="id3B5009F7"/>
|
|
</TSrv>
|
|
<ItfInb neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ItfInb>
|
|
<ItfOutb neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ItfOutb>
|
|
<NATRuleOptions/>
|
|
</NATRule>
|
|
<RuleSetOptions/>
|
|
</NAT>
|
|
<Policy id="id3C69BD51" name="Policy" comment="" ro="False" ipv4_rule_set="False" ipv6_rule_set="False" top_rule_set="True">
|
|
<PolicyRule id="id3C69BDE1" disabled="False" group="" log="False" position="0" action="Accept" direction="Inbound" comment="">
|
|
<Src neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="id3B64FFAC"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="udp-bootps"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="id3C69BD5C"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions/>
|
|
</PolicyRule>
|
|
<PolicyRule id="id3CFBE282" disabled="False" group="" log="False" position="1" action="Accept" direction="Inbound" comment="">
|
|
<Src neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="id3CFBE20C"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="udp-bootps"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="id3C69BD5C"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions/>
|
|
</PolicyRule>
|
|
<PolicyRule id="id3D84EFA8" disabled="False" group="" log="False" position="2" action="Accept" direction="Inbound" comment="">
|
|
<Src neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="id3A84EECE"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="udp-bootps"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="id3C69BD5C"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions/>
|
|
</PolicyRule>
|
|
<PolicyRule id="id40236CDD" disabled="False" group="" log="False" position="3" action="Accept" direction="Inbound" comment="">
|
|
<Src neg="False">
|
|
<ObjectRef ref="id40236C9A"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="id3CFBE20C"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="udp-bootps"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="id3C69BD5C"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions/>
|
|
</PolicyRule>
|
|
<PolicyRule id="id40236B7B" disabled="False" group="" log="False" position="4" action="Accept" direction="Outbound" comment="">
|
|
<Src neg="False">
|
|
<ObjectRef ref="id3C69BD5C"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="id3CFBE20C"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="udp-bootpc"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="id3C69BD5C"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions/>
|
|
</PolicyRule>
|
|
<PolicyRule id="id40236C30" disabled="False" group="" log="False" position="5" action="Accept" direction="Outbound" comment="">
|
|
<Src neg="False">
|
|
<ObjectRef ref="id3C69BD68"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="id40236C4D"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="udp-bootps"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="id3C69BD68"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions/>
|
|
</PolicyRule>
|
|
<PolicyRule id="id40236C6E" disabled="False" group="" log="False" position="6" action="Accept" direction="Inbound" comment="">
|
|
<Src neg="False">
|
|
<ObjectRef ref="id40236C4D"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="id3C69BD5C"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="udp-bootps"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="id3C69BD68"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions/>
|
|
</PolicyRule>
|
|
<PolicyRule id="id3EC69DD5" disabled="False" group="" log="True" position="7" action="Deny" direction="Both" comment="">
|
|
<Src neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="id3EC69DA8"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="stateless">True</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<PolicyRule id="id3CFBE24A" disabled="False" group="" log="False" position="8" action="Accept" direction="Both" comment="compiler should place this rule in the INPUT chain because the destination is a broadcast address">
|
|
<Src neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="id3CFBE20C"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="udp-bootpc"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions/>
|
|
</PolicyRule>
|
|
<PolicyRule id="id3C69BF13" disabled="False" group="" log="False" position="9" action="Accept" direction="Both" comment="compiler should place this rule in the INPUT chain because the destination is a broadcast address">
|
|
<Src neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="id3B64FFAC"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="udp-bootpc"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions/>
|
|
</PolicyRule>
|
|
<PolicyRule id="id3F6D183C" disabled="False" group="" log="False" position="10" action="Accept" direction="Both" comment="compiler should place this rule in the INPUT chain because the destination is a broadcast address">
|
|
<Src neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="id3F6D17F4"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="udp-bootpc"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions/>
|
|
</PolicyRule>
|
|
<PolicyRule id="id3D84EF2B" disabled="False" group="" log="True" position="11" action="Accept" direction="Both" comment="">
|
|
<Src neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="id3A84EECE"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions/>
|
|
</PolicyRule>
|
|
<PolicyRule id="id3D84EF36" disabled="False" group="" log="True" position="12" action="Accept" direction="Both" comment="">
|
|
<Src neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="id3D84EEC8"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions/>
|
|
</PolicyRule>
|
|
<PolicyRule id="id418E8918" disabled="False" group="" log="False" position="13" action="Accept" direction="Both" comment="">
|
|
<Src neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="id3D84EEC8"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions/>
|
|
</PolicyRule>
|
|
<PolicyRule id="id45D61A0A23626" disabled="False" group="" log="False" position="14" action="Accept" direction="Both" comment="">
|
|
<Src neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="id45D61A0923626"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions/>
|
|
</PolicyRule>
|
|
<PolicyRule id="id418E48F8" disabled="False" group="" log="False" position="15" action="Deny" direction="Both" comment="">
|
|
<Src neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="id3DC75CEC"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="stateless">True</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<RuleSetOptions/>
|
|
</Policy>
|
|
<Routing id="id3C69BD4F-routing" name="Routing" comment="" ro="False" ipv4_rule_set="False" ipv6_rule_set="False" top_rule_set="True">
|
|
<RuleSetOptions/>
|
|
</Routing>
|
|
<Interface id="id3C69BD5C" dedicated_failover="False" dyn="False" label="" mgmt="True" security_level="100" unnum="False" unprotected="False" name="eth0" comment="" ro="False">
|
|
<IPv4 id="id3C69BD5C-ipv4" name="address" comment="" ro="False" address="192.168.1.1" netmask="255.255.255.0"/>
|
|
<InterfaceOptions/>
|
|
</Interface>
|
|
<Interface id="id3C69BD5E" dedicated_failover="False" dyn="False" security_level="0" unnum="False" unprotected="False" name="eth1" comment="" ro="False">
|
|
<IPv4 id="id3C69BD5E-ipv4" name="address" comment="" ro="False" address="22.22.22.22" netmask="255.255.255.0"/>
|
|
<InterfaceOptions/>
|
|
</Interface>
|
|
<Interface id="id3C69BD68" dedicated_failover="False" dyn="False" security_level="100" unnum="False" unprotected="False" name="eth2" comment="" ro="False">
|
|
<IPv4 id="id3C69BD68-ipv4" name="address" comment="" ro="False" address="192.168.2.1" netmask="255.255.255.0"/>
|
|
<InterfaceOptions/>
|
|
</Interface>
|
|
<Interface id="id3C69BD6A" dedicated_failover="False" dyn="False" security_level="100" unnum="False" unprotected="False" name="lo" comment="" ro="False">
|
|
<IPv4 id="id3C69BD6A-ipv4" name="address" comment="" ro="False" address="127.0.0.1" netmask="255.0.0.0"/>
|
|
<InterfaceOptions/>
|
|
</Interface>
|
|
<Interface id="id3C69BD6C" dedicated_failover="False" dyn="False" security_level="0" unnum="False" unprotected="False" name="eth3" comment="" ro="False">
|
|
<IPv4 id="id3C69BD6C-ipv4" name="address" comment="" ro="False" address="22.22.23.23" netmask="255.255.255.0"/>
|
|
<InterfaceOptions/>
|
|
</Interface>
|
|
<Management address="192.168.1.1">
|
|
<SNMPManagement enabled="False" snmp_read_community="public" snmp_write_community=""/>
|
|
<FWBDManagement enabled="True" identity="" port="9999"/>
|
|
<PolicyInstallScript arguments="" command="" enabled="False"/>
|
|
</Management>
|
|
<FirewallOptions>
|
|
<Option name="accept_established">True</Option>
|
|
<Option name="accept_new_tcp_with_no_syn">True</Option>
|
|
<Option name="action_on_reject">ICMP net unreachable</Option>
|
|
<Option name="bridging_fw">False</Option>
|
|
<Option name="check_shading">False</Option>
|
|
<Option name="clamp_mss_to_mtu">False</Option>
|
|
<Option name="cmdline"/>
|
|
<Option name="compiler"/>
|
|
<Option name="configure_interfaces">True</Option>
|
|
<Option name="debug">False</Option>
|
|
<Option name="dyn_addr">False</Option>
|
|
<Option name="firewall_is_part_of_any">True</Option>
|
|
<Option name="firewall_is_part_of_any_and_networks">True</Option>
|
|
<Option name="ignore_empty_groups">False</Option>
|
|
<Option name="inst_cmdline"/>
|
|
<Option name="inst_script"/>
|
|
<Option name="install_script"/>
|
|
<Option name="limit_suffix">/day</Option>
|
|
<Option name="limit_value">0</Option>
|
|
<Option name="linux24_accept_redirects"/>
|
|
<Option name="linux24_accept_source_route"/>
|
|
<Option name="linux24_icmp_echo_ignore_all"/>
|
|
<Option name="linux24_icmp_echo_ignore_broadcasts"/>
|
|
<Option name="linux24_icmp_ignore_bogus_error_responses"/>
|
|
<Option name="linux24_ip_dynaddr"/>
|
|
<Option name="linux24_ip_forward"/>
|
|
<Option name="linux24_log_martians"/>
|
|
<Option name="linux24_path_ip"/>
|
|
<Option name="linux24_path_iptables"/>
|
|
<Option name="linux24_path_logger"/>
|
|
<Option name="linux24_path_lsmod"/>
|
|
<Option name="linux24_path_modprobe"/>
|
|
<Option name="linux24_rp_filter"/>
|
|
<Option name="linux24_tcp_ecn"/>
|
|
<Option name="linux24_tcp_fack"/>
|
|
<Option name="linux24_tcp_fin_timeout">30</Option>
|
|
<Option name="linux24_tcp_keepalive_interval">1800</Option>
|
|
<Option name="linux24_tcp_sack"/>
|
|
<Option name="linux24_tcp_syncookies"/>
|
|
<Option name="linux24_tcp_timestamps"/>
|
|
<Option name="linux24_tcp_window_scaling"/>
|
|
<Option name="load_modules">False</Option>
|
|
<Option name="local_nat">False</Option>
|
|
<Option name="log_all">False</Option>
|
|
<Option name="log_all_dropped">False</Option>
|
|
<Option name="log_ip_opt">False</Option>
|
|
<Option name="log_level">debug</Option>
|
|
<Option name="log_limit_suffix">/second</Option>
|
|
<Option name="log_limit_value">0</Option>
|
|
<Option name="log_prefix"/>
|
|
<Option name="log_tcp_opt">False</Option>
|
|
<Option name="log_tcp_seq">False</Option>
|
|
<Option name="manage_virtual_addr">True</Option>
|
|
<Option name="no_iochains_for_any">False</Option>
|
|
<Option name="no_optimisation">False</Option>
|
|
<Option name="platform">iptables</Option>
|
|
<Option name="proxy_arp">False</Option>
|
|
<Option name="script_env_path"/>
|
|
<Option name="snmp_contact"/>
|
|
<Option name="snmp_description"/>
|
|
<Option name="snmp_location"/>
|
|
<Option name="ulog_cprange">0</Option>
|
|
<Option name="ulog_nlgroup">1</Option>
|
|
<Option name="ulog_qthreshold">1</Option>
|
|
<Option name="use_ULOG">False</Option>
|
|
<Option name="use_ip_tool">False</Option>
|
|
<Option name="use_numeric_log_levels">False</Option>
|
|
<Option name="verify_interfaces">False</Option>
|
|
</FirewallOptions>
|
|
</Firewall>
|
|
<Firewall id="id3D0C1E6E" host_OS="linux24" lastCompiled="1272404569" lastInstalled="1142003872" lastModified="0" platform="iptables" name="firewall8" comment="this firewall is used to test a rule in the global policy of object &quot;firewall&quot;" ro="False">
|
|
<NAT id="id3D0C1E72" name="NAT" comment="" ro="False" ipv4_rule_set="False" ipv6_rule_set="False" top_rule_set="True">
|
|
<RuleSetOptions/>
|
|
</NAT>
|
|
<Policy id="id3D0C1E71" name="Policy" comment="" ro="False" ipv4_rule_set="False" ipv6_rule_set="False" top_rule_set="True">
|
|
<RuleSetOptions/>
|
|
</Policy>
|
|
<Routing id="id3D0C1E6E-routing" name="Routing" comment="" ro="False" ipv4_rule_set="False" ipv6_rule_set="False" top_rule_set="True">
|
|
<RuleSetOptions/>
|
|
</Routing>
|
|
<Interface id="id3D0C1E77" dedicated_failover="False" dyn="False" label="fw8:eth0" mgmt="False" security_level="0" unnum="False" unprotected="False" name="eth0" comment="" ro="False">
|
|
<IPv4 id="id3D0C1E77-ipv4" name="address" comment="" ro="False" address="33.33.33.33" netmask="255.255.255.0"/>
|
|
<InterfaceOptions/>
|
|
</Interface>
|
|
<Interface id="id3D0C1E7A" dedicated_failover="False" dyn="False" label="fw8:eth1" mgmt="False" security_level="100" unnum="False" unprotected="False" name="eth1" comment="" ro="False">
|
|
<IPv4 id="id3D0C1E7A-ipv4" name="address" comment="" ro="False" address="172.16.1.1" netmask="255.255.255.0"/>
|
|
<InterfaceOptions/>
|
|
</Interface>
|
|
<Interface id="id3D0C1E7D" dedicated_failover="False" dyn="False" label="fw8:eth2" mgmt="True" security_level="100" unnum="False" unprotected="False" name="eth2" comment="" ro="False">
|
|
<IPv4 id="id3D0C1E7D-ipv4" name="address" comment="" ro="False" address="192.168.100.1" netmask="255.255.255.0"/>
|
|
<InterfaceOptions/>
|
|
</Interface>
|
|
<Interface id="id3EE24D62" dedicated_failover="False" dyn="True" label="fw8:ppp0" mgmt="False" security_level="0" unnum="False" unprotected="False" name="ppp0" comment="" ro="False">
|
|
<InterfaceOptions/>
|
|
</Interface>
|
|
<Management address="192.168.100.1">
|
|
<SNMPManagement enabled="False" snmp_read_community="" snmp_write_community=""/>
|
|
<FWBDManagement enabled="True" identity="" port="9999"/>
|
|
<PolicyInstallScript arguments="" command="" enabled="False"/>
|
|
</Management>
|
|
<FirewallOptions>
|
|
<Option name="accept_established">True</Option>
|
|
<Option name="accept_new_tcp_with_no_syn">True</Option>
|
|
<Option name="action_on_reject">ICMP host prohibited</Option>
|
|
<Option name="bridging_fw">False</Option>
|
|
<Option name="check_shading">True</Option>
|
|
<Option name="clamp_mss_to_mtu">False</Option>
|
|
<Option name="cmdline"/>
|
|
<Option name="compiler"/>
|
|
<Option name="configure_interfaces">True</Option>
|
|
<Option name="debug">False</Option>
|
|
<Option name="dyn_addr">False</Option>
|
|
<Option name="firewall_is_part_of_any_and_networks">True</Option>
|
|
<Option name="ignore_empty_groups">False</Option>
|
|
<Option name="limit_suffix">/day</Option>
|
|
<Option name="limit_value">0</Option>
|
|
<Option name="linux24_accept_redirects"/>
|
|
<Option name="linux24_accept_source_route"/>
|
|
<Option name="linux24_icmp_echo_ignore_all"/>
|
|
<Option name="linux24_icmp_echo_ignore_broadcasts"/>
|
|
<Option name="linux24_icmp_ignore_bogus_error_responses"/>
|
|
<Option name="linux24_ip_dynaddr"/>
|
|
<Option name="linux24_ip_forward"/>
|
|
<Option name="linux24_log_martians"/>
|
|
<Option name="linux24_path_ip"/>
|
|
<Option name="linux24_path_iptables"/>
|
|
<Option name="linux24_path_logger"/>
|
|
<Option name="linux24_path_lsmod"/>
|
|
<Option name="linux24_path_modprobe"/>
|
|
<Option name="linux24_rp_filter"/>
|
|
<Option name="linux24_tcp_ecn"/>
|
|
<Option name="linux24_tcp_fack"/>
|
|
<Option name="linux24_tcp_fin_timeout">30</Option>
|
|
<Option name="linux24_tcp_keepalive_interval">1800</Option>
|
|
<Option name="linux24_tcp_sack"/>
|
|
<Option name="linux24_tcp_syncookies"/>
|
|
<Option name="linux24_tcp_timestamps"/>
|
|
<Option name="linux24_tcp_window_scaling"/>
|
|
<Option name="load_modules">True</Option>
|
|
<Option name="local_nat">False</Option>
|
|
<Option name="log_all">False</Option>
|
|
<Option name="log_all_dropped">False</Option>
|
|
<Option name="log_ip_opt">False</Option>
|
|
<Option name="log_level">info</Option>
|
|
<Option name="log_prefix">RULE %N -- %A </Option>
|
|
<Option name="log_tcp_opt">False</Option>
|
|
<Option name="log_tcp_seq">False</Option>
|
|
<Option name="manage_virtual_addr">True</Option>
|
|
<Option name="no_optimisation">False</Option>
|
|
<Option name="script_env_path"/>
|
|
<Option name="snmp_contact"/>
|
|
<Option name="snmp_description"/>
|
|
<Option name="snmp_location"/>
|
|
<Option name="ulog_cprange">0</Option>
|
|
<Option name="ulog_nlgroup">1</Option>
|
|
<Option name="ulog_qthreshold">1</Option>
|
|
<Option name="use_ULOG">False</Option>
|
|
<Option name="use_numeric_log_levels">False</Option>
|
|
<Option name="verify_interfaces">False</Option>
|
|
</FirewallOptions>
|
|
</Firewall>
|
|
<Firewall id="id3D4DF34B" host_OS="linux24" lastCompiled="1272404578" lastInstalled="1142003872" lastModified="1230445726" platform="iptables" name="firewall9" comment="testing rules with action-on-reject &quot;TCP reset&quot;" ro="False">
|
|
<NAT id="id3D4DF34C" name="NAT" comment="" ro="False" ipv4_rule_set="False" ipv6_rule_set="False" top_rule_set="True">
|
|
<RuleSetOptions/>
|
|
</NAT>
|
|
<Policy id="id3D4DF34D" name="Policy" comment="" ro="False" ipv4_rule_set="False" ipv6_rule_set="False" top_rule_set="True">
|
|
<PolicyRule id="id3D4DF362" disabled="False" group="" log="True" position="0" action="Reject" direction="Both" comment="">
|
|
<Src neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="id3D4DF34B"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="tcp-IRC"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="action_on_reject">TCP RST</Option>
|
|
<Option name="limit_burst">0</Option>
|
|
<Option name="limit_suffix"/>
|
|
<Option name="limit_value">0</Option>
|
|
<Option name="log_prefix"/>
|
|
<Option name="stateless">True</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<PolicyRule id="id3D4DF36C" disabled="False" group="" log="True" position="1" action="Reject" direction="Both" comment="">
|
|
<Src neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="id3D4DF34B"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="udp-DNS"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="action_on_reject">TCP RST</Option>
|
|
<Option name="limit_burst">0</Option>
|
|
<Option name="limit_suffix"/>
|
|
<Option name="limit_value">0</Option>
|
|
<Option name="log_prefix"/>
|
|
<Option name="stateless">True</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<PolicyRule id="id3D4DF376" disabled="False" group="" log="True" position="2" action="Reject" direction="Both" comment="">
|
|
<Src neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="id3D4DF34B"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="id3B457567"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="action_on_reject">TCP RST</Option>
|
|
<Option name="limit_burst">0</Option>
|
|
<Option name="limit_suffix"/>
|
|
<Option name="limit_value">0</Option>
|
|
<Option name="log_prefix"/>
|
|
<Option name="stateless">True</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<PolicyRule id="id3D4DF380" disabled="False" group="" log="True" position="3" action="Reject" direction="Both" comment="">
|
|
<Src neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="id3D4DF34B"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="id3D4DE626"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="action_on_reject">TCP RST</Option>
|
|
<Option name="limit_burst">0</Option>
|
|
<Option name="limit_suffix"/>
|
|
<Option name="limit_value">0</Option>
|
|
<Option name="log_prefix"/>
|
|
<Option name="stateless">True</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<PolicyRule id="id3D4DF38A" disabled="False" group="" log="False" position="4" action="Reject" direction="Both" comment="">
|
|
<Src neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="id3D4DF34B"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="id3D4DE626"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="action_on_reject">TCP RST</Option>
|
|
<Option name="limit_burst">0</Option>
|
|
<Option name="limit_suffix"/>
|
|
<Option name="limit_value">0</Option>
|
|
<Option name="log_prefix"/>
|
|
<Option name="stateless">True</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<PolicyRule id="id3D4DF394" disabled="False" group="" log="False" position="5" action="Reject" direction="Both" comment="">
|
|
<Src neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Src>
|
|
<Dst neg="True">
|
|
<ObjectRef ref="id3D4DF34B"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="id3D4DE626"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="action_on_reject">TCP RST</Option>
|
|
<Option name="limit_burst">0</Option>
|
|
<Option name="limit_suffix"/>
|
|
<Option name="limit_value">0</Option>
|
|
<Option name="log_prefix"/>
|
|
<Option name="stateless">True</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<PolicyRule id="id3D4DF39E" disabled="False" group="" log="False" position="6" action="Reject" direction="Both" comment="">
|
|
<Src neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="id3D4DF34B"/>
|
|
</Dst>
|
|
<Srv neg="True">
|
|
<ServiceRef ref="id3D4DE626"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="action_on_reject">TCP RST</Option>
|
|
<Option name="limit_burst">0</Option>
|
|
<Option name="limit_suffix"/>
|
|
<Option name="limit_value">0</Option>
|
|
<Option name="log_prefix"/>
|
|
<Option name="stateless">True</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<PolicyRule id="id3D4DF3A8" disabled="False" group="" log="True" position="7" action="Reject" direction="Both" comment="">
|
|
<Src neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="id3D4DF34B"/>
|
|
</Dst>
|
|
<Srv neg="True">
|
|
<ServiceRef ref="id3D4DE626"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="action_on_reject">TCP RST</Option>
|
|
<Option name="limit_burst">0</Option>
|
|
<Option name="limit_suffix"/>
|
|
<Option name="limit_value">0</Option>
|
|
<Option name="log_prefix"/>
|
|
<Option name="stateless">True</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<PolicyRule id="id4144FF90" disabled="False" group="" log="False" position="8" action="Reject" direction="Both" comment="">
|
|
<Src neg="False">
|
|
<ObjectRef ref="net-Internal_net"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="tcp-HTTP"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="action_on_reject">TCP RST</Option>
|
|
<Option name="firewall_is_part_of_any_and_networks">False</Option>
|
|
<Option name="limit_burst">0</Option>
|
|
<Option name="limit_suffix"/>
|
|
<Option name="limit_value">0</Option>
|
|
<Option name="log_level"/>
|
|
<Option name="log_prefix"/>
|
|
<Option name="stateless">True</Option>
|
|
<Option name="ulog_nlgroup">1</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<PolicyRule id="id4144FFAE" disabled="False" group="" log="False" position="9" action="Reject" direction="Both" comment="">
|
|
<Src neg="False">
|
|
<ObjectRef ref="net-Internal_net"/>
|
|
<ObjectRef ref="id3B022266"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="tcp-HTTP"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="action_on_reject">TCP RST</Option>
|
|
<Option name="firewall_is_part_of_any_and_networks">False</Option>
|
|
<Option name="limit_burst">0</Option>
|
|
<Option name="limit_suffix"/>
|
|
<Option name="limit_value">0</Option>
|
|
<Option name="log_level"/>
|
|
<Option name="log_prefix"/>
|
|
<Option name="stateless">True</Option>
|
|
<Option name="ulog_nlgroup">1</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<PolicyRule id="id41456B50" disabled="False" group="" log="False" position="10" action="Reject" direction="Both" comment="">
|
|
<Src neg="False">
|
|
<ObjectRef ref="net-Internal_net"/>
|
|
<ObjectRef ref="id3B022266"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="tcp-HTTP"/>
|
|
<ServiceRef ref="icmp-Unreachables"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="action_on_reject">TCP RST</Option>
|
|
<Option name="firewall_is_part_of_any_and_networks">False</Option>
|
|
<Option name="limit_burst">0</Option>
|
|
<Option name="limit_suffix"/>
|
|
<Option name="limit_value">0</Option>
|
|
<Option name="log_level"/>
|
|
<Option name="log_prefix"/>
|
|
<Option name="stateless">True</Option>
|
|
<Option name="ulog_nlgroup">1</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<PolicyRule id="id41456B75" disabled="False" group="" log="False" position="11" action="Reject" direction="Both" comment="">
|
|
<Src neg="False">
|
|
<ObjectRef ref="net-Internal_net"/>
|
|
<ObjectRef ref="id3B022266"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="icmp-Unreachables"/>
|
|
<ServiceRef ref="tcp-FTP"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="action_on_reject">TCP RST</Option>
|
|
<Option name="firewall_is_part_of_any_and_networks">False</Option>
|
|
<Option name="limit_burst">0</Option>
|
|
<Option name="limit_suffix"/>
|
|
<Option name="limit_value">0</Option>
|
|
<Option name="log_level"/>
|
|
<Option name="log_prefix"/>
|
|
<Option name="stateless">True</Option>
|
|
<Option name="ulog_nlgroup">1</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<PolicyRule id="id77415X37109" disabled="False" group="" log="False" position="12" action="Reject" direction="Both" comment="">
|
|
<Src neg="False">
|
|
<ObjectRef ref="net-Internal_net"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="id45863X16372"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="action_on_reject">TCP RST</Option>
|
|
<Option name="classify_str"/>
|
|
<Option name="custom_str"/>
|
|
<Option name="firewall_is_part_of_any_and_networks">False</Option>
|
|
<Option name="ipf_route_opt_addr"/>
|
|
<Option name="ipf_route_opt_if"/>
|
|
<Option name="ipf_route_option">route_through</Option>
|
|
<Option name="ipfw_classify_method">2</Option>
|
|
<Option name="ipfw_pipe_port_num">0</Option>
|
|
<Option name="ipfw_pipe_queue_num">0</Option>
|
|
<Option name="ipt_continue">False</Option>
|
|
<Option name="ipt_gw"/>
|
|
<Option name="ipt_iif"/>
|
|
<Option name="ipt_mark_connections">False</Option>
|
|
<Option name="ipt_oif"/>
|
|
<Option name="ipt_tee">False</Option>
|
|
<Option name="limit_burst">0</Option>
|
|
<Option name="limit_suffix"/>
|
|
<Option name="limit_value">0</Option>
|
|
<Option name="log_level"/>
|
|
<Option name="log_prefix"/>
|
|
<Option name="pf_fastroute">False</Option>
|
|
<Option name="pf_route_load_option">none</Option>
|
|
<Option name="pf_route_opt_addr"/>
|
|
<Option name="pf_route_opt_if"/>
|
|
<Option name="pf_route_option">route_through</Option>
|
|
<Option name="rule_name_accounting"/>
|
|
<Option name="stateless">True</Option>
|
|
<Option name="ulog_nlgroup">1</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<PolicyRule id="id206275X37109" disabled="False" group="" log="False" position="13" action="Reject" direction="Both" comment="">
|
|
<Src neg="False">
|
|
<ObjectRef ref="net-Internal_net"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="id45863X16372"/>
|
|
<ServiceRef ref="tcp-HTTP"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="action_on_reject">TCP RST</Option>
|
|
<Option name="classify_str"/>
|
|
<Option name="custom_str"/>
|
|
<Option name="firewall_is_part_of_any_and_networks">False</Option>
|
|
<Option name="ipf_route_opt_addr"/>
|
|
<Option name="ipf_route_opt_if"/>
|
|
<Option name="ipf_route_option">route_through</Option>
|
|
<Option name="ipfw_classify_method">2</Option>
|
|
<Option name="ipfw_pipe_port_num">0</Option>
|
|
<Option name="ipfw_pipe_queue_num">0</Option>
|
|
<Option name="ipt_continue">False</Option>
|
|
<Option name="ipt_gw"/>
|
|
<Option name="ipt_iif"/>
|
|
<Option name="ipt_mark_connections">False</Option>
|
|
<Option name="ipt_oif"/>
|
|
<Option name="ipt_tee">False</Option>
|
|
<Option name="limit_burst">0</Option>
|
|
<Option name="limit_suffix"/>
|
|
<Option name="limit_value">0</Option>
|
|
<Option name="log_level"/>
|
|
<Option name="log_prefix"/>
|
|
<Option name="pf_fastroute">False</Option>
|
|
<Option name="pf_route_load_option">none</Option>
|
|
<Option name="pf_route_opt_addr"/>
|
|
<Option name="pf_route_opt_if"/>
|
|
<Option name="pf_route_option">route_through</Option>
|
|
<Option name="rule_name_accounting"/>
|
|
<Option name="stateless">True</Option>
|
|
<Option name="ulog_nlgroup">1</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<PolicyRule id="id206293X37109" disabled="False" group="" log="False" position="14" action="Reject" direction="Both" comment="">
|
|
<Src neg="False">
|
|
<ObjectRef ref="net-Internal_net"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="id45863X16372"/>
|
|
<ServiceRef ref="tcp-HTTP"/>
|
|
<ServiceRef ref="udp-DNS"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="action_on_reject">TCP RST</Option>
|
|
<Option name="classify_str"/>
|
|
<Option name="custom_str"/>
|
|
<Option name="firewall_is_part_of_any_and_networks">False</Option>
|
|
<Option name="ipf_route_opt_addr"/>
|
|
<Option name="ipf_route_opt_if"/>
|
|
<Option name="ipf_route_option">route_through</Option>
|
|
<Option name="ipfw_classify_method">2</Option>
|
|
<Option name="ipfw_pipe_port_num">0</Option>
|
|
<Option name="ipfw_pipe_queue_num">0</Option>
|
|
<Option name="ipt_continue">False</Option>
|
|
<Option name="ipt_gw"/>
|
|
<Option name="ipt_iif"/>
|
|
<Option name="ipt_mark_connections">False</Option>
|
|
<Option name="ipt_oif"/>
|
|
<Option name="ipt_tee">False</Option>
|
|
<Option name="limit_burst">0</Option>
|
|
<Option name="limit_suffix"/>
|
|
<Option name="limit_value">0</Option>
|
|
<Option name="log_level"/>
|
|
<Option name="log_prefix"/>
|
|
<Option name="pf_fastroute">False</Option>
|
|
<Option name="pf_route_load_option">none</Option>
|
|
<Option name="pf_route_opt_addr"/>
|
|
<Option name="pf_route_opt_if"/>
|
|
<Option name="pf_route_option">route_through</Option>
|
|
<Option name="rule_name_accounting"/>
|
|
<Option name="stateless">True</Option>
|
|
<Option name="ulog_nlgroup">1</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<RuleSetOptions/>
|
|
</Policy>
|
|
<Routing id="id3D4DF34B-routing" name="Routing" comment="" ro="False" ipv4_rule_set="False" ipv6_rule_set="False" top_rule_set="True">
|
|
<RuleSetOptions/>
|
|
</Routing>
|
|
<Interface id="id3D4DF3B2" dedicated_failover="False" dyn="False" label="" mgmt="True" security_level="100" unnum="False" unprotected="False" name="eth0" comment="" ro="False">
|
|
<IPv4 id="id3D4DF3B2-ipv4" name="address" comment="" ro="False" address="192.168.1.1" netmask="255.255.255.0"/>
|
|
<InterfaceOptions/>
|
|
</Interface>
|
|
<Interface id="id3D4DF3C8" dedicated_failover="False" dyn="False" security_level="0" unnum="False" unprotected="False" name="eth1" comment="" ro="False">
|
|
<IPv4 id="id3D4DF3C8-ipv4" name="address" comment="" ro="False" address="22.22.22.22" netmask="255.255.255.0"/>
|
|
<InterfaceOptions/>
|
|
</Interface>
|
|
<Interface id="id3D4DF3CC" dedicated_failover="False" dyn="False" security_level="100" unnum="False" unprotected="False" name="lo" comment="" ro="False">
|
|
<IPv4 id="id3D4DF3CC-ipv4" name="address" comment="" ro="False" address="127.0.0.1" netmask="255.0.0.0"/>
|
|
<InterfaceOptions/>
|
|
</Interface>
|
|
<Management address="192.168.1.1">
|
|
<SNMPManagement enabled="False" snmp_read_community="public" snmp_write_community=""/>
|
|
<FWBDManagement enabled="True" identity="" port="9999"/>
|
|
<PolicyInstallScript arguments="" command="" enabled="False"/>
|
|
</Management>
|
|
<FirewallOptions>
|
|
<Option name="accept_established">True</Option>
|
|
<Option name="accept_new_tcp_with_no_syn">True</Option>
|
|
<Option name="action_on_reject">ICMP net unreachable</Option>
|
|
<Option name="bridging_fw">False</Option>
|
|
<Option name="check_shading">False</Option>
|
|
<Option name="clamp_mss_to_mtu">False</Option>
|
|
<Option name="cmdline"/>
|
|
<Option name="compiler"/>
|
|
<Option name="configure_interfaces">True</Option>
|
|
<Option name="debug">False</Option>
|
|
<Option name="dyn_addr">False</Option>
|
|
<Option name="firewall_is_part_of_any">True</Option>
|
|
<Option name="firewall_is_part_of_any_and_networks">True</Option>
|
|
<Option name="ignore_empty_groups">False</Option>
|
|
<Option name="inst_cmdline"/>
|
|
<Option name="inst_script"/>
|
|
<Option name="install_script"/>
|
|
<Option name="limit_suffix">/day</Option>
|
|
<Option name="limit_value">0</Option>
|
|
<Option name="linux24_accept_redirects"/>
|
|
<Option name="linux24_accept_source_route"/>
|
|
<Option name="linux24_icmp_echo_ignore_all"/>
|
|
<Option name="linux24_icmp_echo_ignore_broadcasts"/>
|
|
<Option name="linux24_icmp_ignore_bogus_error_responses"/>
|
|
<Option name="linux24_ip_dynaddr"/>
|
|
<Option name="linux24_ip_forward"/>
|
|
<Option name="linux24_log_martians"/>
|
|
<Option name="linux24_path_ip"/>
|
|
<Option name="linux24_path_iptables"/>
|
|
<Option name="linux24_path_logger"/>
|
|
<Option name="linux24_path_lsmod"/>
|
|
<Option name="linux24_path_modprobe"/>
|
|
<Option name="linux24_rp_filter"/>
|
|
<Option name="linux24_tcp_ecn"/>
|
|
<Option name="linux24_tcp_fack"/>
|
|
<Option name="linux24_tcp_fin_timeout">30</Option>
|
|
<Option name="linux24_tcp_keepalive_interval">1800</Option>
|
|
<Option name="linux24_tcp_sack"/>
|
|
<Option name="linux24_tcp_syncookies"/>
|
|
<Option name="linux24_tcp_timestamps"/>
|
|
<Option name="linux24_tcp_window_scaling"/>
|
|
<Option name="load_modules">False</Option>
|
|
<Option name="local_nat">False</Option>
|
|
<Option name="log_all">False</Option>
|
|
<Option name="log_all_dropped">False</Option>
|
|
<Option name="log_ip_opt">False</Option>
|
|
<Option name="log_level">debug</Option>
|
|
<Option name="log_limit_suffix">/second</Option>
|
|
<Option name="log_limit_value">0</Option>
|
|
<Option name="log_prefix">RULE %N -- %A %I</Option>
|
|
<Option name="log_tcp_opt">False</Option>
|
|
<Option name="log_tcp_seq">False</Option>
|
|
<Option name="manage_virtual_addr">True</Option>
|
|
<Option name="no_iochains_for_any">False</Option>
|
|
<Option name="no_optimisation">False</Option>
|
|
<Option name="platform">iptables</Option>
|
|
<Option name="proxy_arp">False</Option>
|
|
<Option name="script_env_path">/bin:/usr/bin:/sbin:/usr/sbin</Option>
|
|
<Option name="snmp_contact"/>
|
|
<Option name="snmp_description"/>
|
|
<Option name="snmp_location"/>
|
|
<Option name="ulog_cprange">0</Option>
|
|
<Option name="ulog_nlgroup">1</Option>
|
|
<Option name="ulog_qthreshold">1</Option>
|
|
<Option name="use_ULOG">False</Option>
|
|
<Option name="use_ip_tool">False</Option>
|
|
<Option name="use_numeric_log_levels">False</Option>
|
|
<Option name="verify_interfaces">False</Option>
|
|
</FirewallOptions>
|
|
</Firewall>
|
|
<Firewall id="id3D4F0A55" host_OS="linux24" inactive="False" lastCompiled="1272404305" lastInstalled="1142003872" lastModified="1219534909" platform="iptables" version="1.2.9" name="firewall10" comment="testing rules with action-on-reject &quot;TCP reset&quot; in this firewall; unlike in firewall9, this option is set globally instead of in the rule options" ro="False">
|
|
<NAT id="id3D4F0A56" name="NAT" comment="" ro="False" ipv4_rule_set="False" ipv6_rule_set="False" top_rule_set="True">
|
|
<RuleSetOptions/>
|
|
</NAT>
|
|
<Policy id="id3D4F0A57" name="Policy" comment="" ro="False" ipv4_rule_set="False" ipv6_rule_set="False" top_rule_set="True">
|
|
<PolicyRule id="id3D4F0A58" disabled="False" group="" log="True" position="0" action="Reject" direction="Both" comment="">
|
|
<Src neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="id3D4F0A55"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="tcp-IRC"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="action_on_reject">ICMP admin prohibited</Option>
|
|
<Option name="limit_burst">0</Option>
|
|
<Option name="limit_suffix"/>
|
|
<Option name="limit_value">0</Option>
|
|
<Option name="log_level"/>
|
|
<Option name="log_prefix"/>
|
|
<Option name="stateless">True</Option>
|
|
<Option name="ulog_nlgroup">1</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<PolicyRule id="id3D4F0A62" disabled="False" group="" log="True" position="1" action="Reject" direction="Both" comment="">
|
|
<Src neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="id3D4F0A55"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="udp-DNS"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="action_on_reject"/>
|
|
<Option name="limit_burst">0</Option>
|
|
<Option name="limit_suffix"/>
|
|
<Option name="limit_value">0</Option>
|
|
<Option name="log_prefix"/>
|
|
<Option name="stateless">True</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<PolicyRule id="id3D4F0A6C" disabled="False" group="" log="True" position="2" action="Reject" direction="Both" comment="">
|
|
<Src neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="id3D4F0A55"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="id3B457567"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="action_on_reject"/>
|
|
<Option name="limit_burst">0</Option>
|
|
<Option name="limit_suffix"/>
|
|
<Option name="limit_value">0</Option>
|
|
<Option name="log_prefix"/>
|
|
<Option name="stateless">True</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<PolicyRule id="id3D4F0A76" disabled="False" group="" log="True" position="3" action="Reject" direction="Both" comment="">
|
|
<Src neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="id3D4F0A55"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="id3D4DE626"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="action_on_reject"/>
|
|
<Option name="limit_burst">0</Option>
|
|
<Option name="limit_suffix"/>
|
|
<Option name="limit_value">0</Option>
|
|
<Option name="log_prefix"/>
|
|
<Option name="stateless">True</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<PolicyRule id="id3D4F0A80" disabled="False" group="" log="False" position="4" action="Reject" direction="Both" comment="">
|
|
<Src neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="id3D4F0A55"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="id3D4DE626"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="action_on_reject"/>
|
|
<Option name="limit_burst">0</Option>
|
|
<Option name="limit_suffix"/>
|
|
<Option name="limit_value">0</Option>
|
|
<Option name="log_prefix"/>
|
|
<Option name="stateless">True</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<PolicyRule id="id3D4F0A8A" disabled="False" group="" log="False" position="5" action="Reject" direction="Both" comment="">
|
|
<Src neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Src>
|
|
<Dst neg="True">
|
|
<ObjectRef ref="id3D4F0A55"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="id3D4DE626"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="action_on_reject"/>
|
|
<Option name="limit_burst">0</Option>
|
|
<Option name="limit_suffix"/>
|
|
<Option name="limit_value">0</Option>
|
|
<Option name="log_prefix"/>
|
|
<Option name="stateless">True</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<PolicyRule id="id3D4F0A94" disabled="False" group="" log="False" position="6" action="Reject" direction="Both" comment="">
|
|
<Src neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="id3D4F0A55"/>
|
|
</Dst>
|
|
<Srv neg="True">
|
|
<ServiceRef ref="id3D4DE626"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="action_on_reject"/>
|
|
<Option name="limit_burst">0</Option>
|
|
<Option name="limit_suffix"/>
|
|
<Option name="limit_value">0</Option>
|
|
<Option name="log_prefix"/>
|
|
<Option name="stateless">True</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<PolicyRule id="id3D4F0A9E" disabled="False" group="" log="True" position="7" action="Reject" direction="Both" comment="">
|
|
<Src neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="id3D4F0A55"/>
|
|
</Dst>
|
|
<Srv neg="True">
|
|
<ServiceRef ref="id3D4DE626"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="action_on_reject"/>
|
|
<Option name="limit_burst">0</Option>
|
|
<Option name="limit_suffix"/>
|
|
<Option name="limit_value">0</Option>
|
|
<Option name="log_prefix"/>
|
|
<Option name="stateless">True</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<RuleSetOptions/>
|
|
</Policy>
|
|
<Routing id="id3D4F0A55-routing" name="Routing" comment="" ro="False" ipv4_rule_set="False" ipv6_rule_set="False" top_rule_set="True">
|
|
<RuleSetOptions/>
|
|
</Routing>
|
|
<Interface id="id3D4F0AA8" dedicated_failover="False" dyn="False" label="" mgmt="True" security_level="100" unnum="False" unprotected="False" name="eth0" comment="" ro="False">
|
|
<IPv4 id="id3D4F0AA8-ipv4" name="address" comment="" ro="False" address="192.168.1.1" netmask="255.255.255.0"/>
|
|
<InterfaceOptions/>
|
|
</Interface>
|
|
<Interface id="id3D4F0AAA" dedicated_failover="False" dyn="False" security_level="0" unnum="False" unprotected="False" name="eth1" comment="" ro="False">
|
|
<IPv4 id="id3D4F0AAA-ipv4" name="address" comment="" ro="False" address="22.22.22.22" netmask="255.255.255.0"/>
|
|
<InterfaceOptions/>
|
|
</Interface>
|
|
<Interface id="id3D4F0AAC" dedicated_failover="False" dyn="False" security_level="100" unnum="False" unprotected="False" name="lo" comment="" ro="False">
|
|
<IPv4 id="id3D4F0AAC-ipv4" name="address" comment="" ro="False" address="127.0.0.1" netmask="255.0.0.0"/>
|
|
<InterfaceOptions/>
|
|
</Interface>
|
|
<Management address="192.168.1.1">
|
|
<SNMPManagement enabled="False" snmp_read_community="public" snmp_write_community=""/>
|
|
<FWBDManagement enabled="True" identity="" port="9999"/>
|
|
<PolicyInstallScript arguments="" command="" enabled="False"/>
|
|
</Management>
|
|
<FirewallOptions>
|
|
<Option name="accept_established">True</Option>
|
|
<Option name="accept_new_tcp_with_no_syn">True</Option>
|
|
<Option name="action_on_reject">ICMP host unreachable</Option>
|
|
<Option name="activationCmd"/>
|
|
<Option name="admUser"/>
|
|
<Option name="altAddress"/>
|
|
<Option name="bridging_fw">False</Option>
|
|
<Option name="check_shading">False</Option>
|
|
<Option name="clamp_mss_to_mtu">True</Option>
|
|
<Option name="classify_mark_terminating">False</Option>
|
|
<Option name="cmdline"/>
|
|
<Option name="compiler"/>
|
|
<Option name="configure_interfaces">True</Option>
|
|
<Option name="debug">False</Option>
|
|
<Option name="drop_invalid">False</Option>
|
|
<Option name="dyn_addr">False</Option>
|
|
<Option name="enable_ipv6">False</Option>
|
|
<Option name="epilog_script"/>
|
|
<Option name="firewall_dir"/>
|
|
<Option name="firewall_is_part_of_any">True</Option>
|
|
<Option name="firewall_is_part_of_any_and_networks">True</Option>
|
|
<Option name="ignore_empty_groups">False</Option>
|
|
<Option name="inst_cmdline"/>
|
|
<Option name="inst_script"/>
|
|
<Option name="install_script"/>
|
|
<Option name="ipv4_6_order">ipv4_first</Option>
|
|
<Option name="limit_suffix">/day</Option>
|
|
<Option name="limit_value">0</Option>
|
|
<Option name="linux24_accept_redirects"/>
|
|
<Option name="linux24_accept_source_route"/>
|
|
<Option name="linux24_icmp_echo_ignore_all"/>
|
|
<Option name="linux24_icmp_echo_ignore_broadcasts"/>
|
|
<Option name="linux24_icmp_ignore_bogus_error_responses"/>
|
|
<Option name="linux24_ip_dynaddr"/>
|
|
<Option name="linux24_ip_forward"/>
|
|
<Option name="linux24_log_martians"/>
|
|
<Option name="linux24_path_ip"/>
|
|
<Option name="linux24_path_iptables"/>
|
|
<Option name="linux24_path_logger"/>
|
|
<Option name="linux24_path_lsmod"/>
|
|
<Option name="linux24_path_modprobe"/>
|
|
<Option name="linux24_rp_filter"/>
|
|
<Option name="linux24_tcp_ecn"/>
|
|
<Option name="linux24_tcp_fack"/>
|
|
<Option name="linux24_tcp_fin_timeout">30</Option>
|
|
<Option name="linux24_tcp_keepalive_interval">1800</Option>
|
|
<Option name="linux24_tcp_sack"/>
|
|
<Option name="linux24_tcp_syncookies"/>
|
|
<Option name="linux24_tcp_timestamps"/>
|
|
<Option name="linux24_tcp_window_scaling"/>
|
|
<Option name="load_modules">False</Option>
|
|
<Option name="local_nat">False</Option>
|
|
<Option name="log_all">False</Option>
|
|
<Option name="log_all_dropped">False</Option>
|
|
<Option name="log_invalid">False</Option>
|
|
<Option name="log_ip_opt">False</Option>
|
|
<Option name="log_level">debug</Option>
|
|
<Option name="log_limit_suffix">/second</Option>
|
|
<Option name="log_limit_value">0</Option>
|
|
<Option name="log_prefix"/>
|
|
<Option name="log_tcp_opt">False</Option>
|
|
<Option name="log_tcp_seq">False</Option>
|
|
<Option name="manage_virtual_addr">True</Option>
|
|
<Option name="mgmt_addr"/>
|
|
<Option name="mgmt_ssh">False</Option>
|
|
<Option name="no_iochains_for_any">False</Option>
|
|
<Option name="no_ipv6_default_policy">False</Option>
|
|
<Option name="no_optimisation">False</Option>
|
|
<Option name="output_file"/>
|
|
<Option name="platform">iptables</Option>
|
|
<Option name="prolog_place">top</Option>
|
|
<Option name="prolog_script"/>
|
|
<Option name="proxy_arp">False</Option>
|
|
<Option name="script_env_path">/bin:/usr/bin:/sbin:/usr/sbin</Option>
|
|
<Option name="snmp_contact"/>
|
|
<Option name="snmp_description"/>
|
|
<Option name="snmp_location"/>
|
|
<Option name="sshArgs"/>
|
|
<Option name="ulog_cprange">0</Option>
|
|
<Option name="ulog_nlgroup">1</Option>
|
|
<Option name="ulog_qthreshold">1</Option>
|
|
<Option name="use_ULOG">False</Option>
|
|
<Option name="use_ip_tool">False</Option>
|
|
<Option name="use_iptables_restore">False</Option>
|
|
<Option name="use_numeric_log_levels">False</Option>
|
|
<Option name="verify_interfaces">False</Option>
|
|
</FirewallOptions>
|
|
</Firewall>
|
|
<Firewall id="id3D94D4F8" host_OS="linux24" inactive="False" lastCompiled="1272404308" lastInstalled="1142003872" lastModified="1284500299" platform="iptables" version="" name="firewall11" comment="testing rules with broadcasts and multicasts and action-on-reject 'TCP reset'. This is a BRIDGING FIREWALL. 'Firewall is part of any' is OFF. Interfaces eth0 and eth1 are parts of the bridge; interface eth2 is the external interface (doing NAT and routing on this interface); interface eth3 is connected to the protected network and is used to manage the firewall. This is a rather realistic configuration for a bridging firewall." ro="False">
|
|
<NAT id="id3D94D4F9" name="NAT" comment="" ro="False" ipv4_rule_set="False" ipv6_rule_set="False" top_rule_set="True">
|
|
<NATRule id="id3E854D22" disabled="True" group="" position="0" action="Translate" comment="">
|
|
<OSrc neg="False">
|
|
<ObjectRef ref="net-Internal_net"/>
|
|
</OSrc>
|
|
<ODst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ODst>
|
|
<OSrv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</OSrv>
|
|
<TSrc neg="False">
|
|
<ObjectRef ref="id3D94D531"/>
|
|
</TSrc>
|
|
<TDst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</TDst>
|
|
<TSrv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</TSrv>
|
|
<ItfInb neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ItfInb>
|
|
<ItfOutb neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ItfOutb>
|
|
<NATRuleOptions/>
|
|
</NATRule>
|
|
<NATRule id="id3E854D14" disabled="False" group="" position="1" action="Translate" comment="">
|
|
<OSrc neg="False">
|
|
<ObjectRef ref="net-Internal_net"/>
|
|
</OSrc>
|
|
<ODst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ODst>
|
|
<OSrv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</OSrv>
|
|
<TSrc neg="False">
|
|
<ObjectRef ref="id3D94D4F8"/>
|
|
</TSrc>
|
|
<TDst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</TDst>
|
|
<TSrv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</TSrv>
|
|
<ItfInb neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ItfInb>
|
|
<ItfOutb neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ItfOutb>
|
|
<NATRuleOptions/>
|
|
</NATRule>
|
|
<NATRule id="id57837X26254" disabled="False" group="" position="2" action="Translate" comment="see bug #1693, SF bug 3048516: combination of using SNAT instead of MASQ, source port translation and a dynamic interface">
|
|
<OSrc neg="False">
|
|
<ObjectRef ref="net-Internal_net"/>
|
|
</OSrc>
|
|
<ODst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ODst>
|
|
<OSrv neg="False">
|
|
<ServiceRef ref="id3CE719F5"/>
|
|
</OSrv>
|
|
<TSrc neg="False">
|
|
<ObjectRef ref="id3E21FC66"/>
|
|
</TSrc>
|
|
<TDst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</TDst>
|
|
<TSrv neg="False">
|
|
<ServiceRef ref="id3CE719F5"/>
|
|
</TSrv>
|
|
<ItfInb neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ItfInb>
|
|
<ItfOutb neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ItfOutb>
|
|
<NATRuleOptions>
|
|
<Option name="ipt_nat_persistent">False</Option>
|
|
<Option name="ipt_nat_random">False</Option>
|
|
<Option name="ipt_use_snat_instead_of_masq">True</Option>
|
|
</NATRuleOptions>
|
|
</NATRule>
|
|
<NATRule id="id58296X15267" disabled="False" group="" position="3" action="Translate" comment="see SF bug 3057503 ">
|
|
<OSrc neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</OSrc>
|
|
<ODst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ODst>
|
|
<OSrv neg="False">
|
|
<ServiceRef ref="tcp-HTTP"/>
|
|
</OSrv>
|
|
<TSrc neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</TSrc>
|
|
<TDst neg="False">
|
|
<ObjectRef ref="id3E21FC66"/>
|
|
</TDst>
|
|
<TSrv neg="False">
|
|
<ServiceRef ref="id3B4FF09A"/>
|
|
</TSrv>
|
|
<ItfInb neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ItfInb>
|
|
<ItfOutb neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ItfOutb>
|
|
<NATRuleOptions/>
|
|
</NATRule>
|
|
<RuleSetOptions/>
|
|
</NAT>
|
|
<Policy id="id3D94D508" name="Policy" comment="" ro="False" ipv4_rule_set="False" ipv6_rule_set="False" top_rule_set="True">
|
|
<PolicyRule id="id3D94D534" disabled="False" group="" log="False" position="0" action="Accept" direction="Inbound" comment="">
|
|
<Src neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="id3B64FFAC"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="id3D94D531"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions/>
|
|
</PolicyRule>
|
|
<PolicyRule id="id3D94D53E" disabled="False" group="" log="False" position="1" action="Accept" direction="Inbound" comment="">
|
|
<Src neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="id3CFBE20C"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="id3D94D531"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions/>
|
|
</PolicyRule>
|
|
<PolicyRule id="id47642X56286" disabled="False" group="" log="False" position="2" action="Accept" direction="Outbound" comment="">
|
|
<Src neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="id3CFBE20C"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="id3D94D531"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions/>
|
|
</PolicyRule>
|
|
<PolicyRule id="id47625X56286" disabled="False" group="" log="False" position="3" action="Accept" direction="Both" comment="">
|
|
<Src neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="id3CFBE20C"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="id3D94D531"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions/>
|
|
</PolicyRule>
|
|
<PolicyRule id="id3D94D548" disabled="False" group="" log="False" position="4" action="Accept" direction="Inbound" comment="">
|
|
<Src neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="id3A84EECE"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="id3D94D531"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions/>
|
|
</PolicyRule>
|
|
<PolicyRule id="id3E21FEC7" disabled="False" group="" log="False" position="5" action="Accept" direction="Inbound" comment="">
|
|
<Src neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="net-Internal_net"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="id3D94D531"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions/>
|
|
</PolicyRule>
|
|
<PolicyRule id="id3E21FEE5" disabled="False" group="" log="False" position="6" action="Accept" direction="Inbound" comment="">
|
|
<Src neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Src>
|
|
<Dst neg="True">
|
|
<ObjectRef ref="net-Internal_net"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="id3D94D531"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions/>
|
|
</PolicyRule>
|
|
<PolicyRule id="id51781X67898" disabled="False" group="bug 1231" log="False" position="7" action="Accept" direction="Both" comment="">
|
|
<Src neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="id3D94D4F8"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="tcp-SSH"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="id3E21FC66"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="color">#C0BA44</Option>
|
|
<Option name="stateless">False</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<PolicyRule id="id245055X67898" disabled="False" group="bug 1231" log="False" position="8" action="Accept" direction="Inbound" comment="">
|
|
<Src neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="id3D94D4F8"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="tcp-SSH"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="id3E21FC66"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="color">#C0BA44</Option>
|
|
<Option name="stateless">False</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<PolicyRule id="id438373X67898" disabled="False" group="bug 1231" log="False" position="9" action="Accept" direction="Inbound" comment="">
|
|
<Src neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="id3E21FC66"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="tcp-SSH"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="id3E21FC66"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="color">#C0BA44</Option>
|
|
<Option name="stateless">False</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<PolicyRule id="id41FCD477" disabled="False" group="" log="True" position="10" action="Deny" direction="Both" comment="">
|
|
<Src neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="id3E21FC66"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="action_on_reject"/>
|
|
<Option name="color"/>
|
|
<Option name="firewall_is_part_of_any_and_networks">True</Option>
|
|
<Option name="limit_burst">0</Option>
|
|
<Option name="limit_suffix"/>
|
|
<Option name="limit_value">0</Option>
|
|
<Option name="log_level"/>
|
|
<Option name="log_prefix"/>
|
|
<Option name="stateless">True</Option>
|
|
<Option name="ulog_nlgroup">1</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<PolicyRule id="id3D94D509" disabled="False" group="" log="False" position="11" action="Accept" direction="Both" comment="">
|
|
<Src neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="id3CFBE20C"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="udp-bootpc"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions/>
|
|
</PolicyRule>
|
|
<PolicyRule id="id3D94D513" disabled="False" group="" log="False" position="12" action="Accept" direction="Both" comment="">
|
|
<Src neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="id3B64FFAC"/>
|
|
<ObjectRef ref="host-hostA"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="udp-bootpc"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions/>
|
|
</PolicyRule>
|
|
<PolicyRule id="id417B3655" disabled="False" group="" log="False" position="13" action="Accept" direction="Both" comment="">
|
|
<Src neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="id417B3641"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="udp-bootpc"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions/>
|
|
</PolicyRule>
|
|
<PolicyRule id="id3D94D51D" disabled="False" group="" log="False" position="14" action="Accept" direction="Both" comment="">
|
|
<Src neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="id3A84EECE"/>
|
|
<ObjectRef ref="host-hostB"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions/>
|
|
</PolicyRule>
|
|
<PolicyRule id="id3D94D527" disabled="False" group="" log="False" position="15" action="Accept" direction="Both" comment="">
|
|
<Src neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="id3D84EEC8"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions/>
|
|
</PolicyRule>
|
|
<PolicyRule id="id45D6A3D223626" disabled="False" group="" log="False" position="16" action="Accept" direction="Both" comment="">
|
|
<Src neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="id45D61A0923626"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions/>
|
|
</PolicyRule>
|
|
<PolicyRule id="id3E21FE50" disabled="False" group="" log="False" position="17" action="Accept" direction="Both" comment="">
|
|
<Src neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="host-hostA"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="tcp-IRC"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions/>
|
|
</PolicyRule>
|
|
<PolicyRule id="id3E21FE32" disabled="False" group="" log="True" position="18" action="Deny" direction="Both" comment="">
|
|
<Src neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="host-hostA"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="stateless">True</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<PolicyRule id="id3DD4BBC7" disabled="False" group="" log="False" position="19" action="Accept" direction="Both" comment="This rule should generate commands in both the INPUT and FORWARD chains because this is a bridging firewall; see bug #811860">
|
|
<Src neg="False">
|
|
<ObjectRef ref="net-Internal_net"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="id3D94D4F8"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="tcp-SSH"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions/>
|
|
</PolicyRule>
|
|
<PolicyRule id="id3F28B8DF" disabled="False" group="" log="False" position="20" action="Accept" direction="Both" comment="">
|
|
<Src neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="id3D94D4F8"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions/>
|
|
</PolicyRule>
|
|
<PolicyRule id="id3F28B8EA" disabled="False" group="" log="False" position="21" action="Accept" direction="Both" comment="">
|
|
<Src neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="id3F28B886"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions/>
|
|
</PolicyRule>
|
|
<PolicyRule id="id3E854C89" disabled="True" group="" log="False" position="22" action="Accept" direction="Both" comment="testing processor checkForUnnumbered">
|
|
<Src neg="False">
|
|
<ObjectRef ref="id3D94D552"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions/>
|
|
</PolicyRule>
|
|
<PolicyRule id="id41FC8F4F" disabled="False" group="" log="True" position="23" action="Deny" direction="Both" comment="">
|
|
<Src neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="stateless">True</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<PolicyRule id="id41FCB1DE" disabled="False" group="" log="True" position="24" action="Deny" direction="Both" comment="">
|
|
<Src neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="action_on_reject"/>
|
|
<Option name="firewall_is_part_of_any_and_networks">True</Option>
|
|
<Option name="limit_burst">0</Option>
|
|
<Option name="limit_suffix"/>
|
|
<Option name="limit_value">0</Option>
|
|
<Option name="log_level"/>
|
|
<Option name="log_prefix"/>
|
|
<Option name="stateless">True</Option>
|
|
<Option name="ulog_nlgroup">1</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<RuleSetOptions/>
|
|
</Policy>
|
|
<Routing id="id3D94D4F8-routing" name="Routing" comment="" ro="False" ipv4_rule_set="False" ipv6_rule_set="False" top_rule_set="True">
|
|
<RuleSetOptions/>
|
|
</Routing>
|
|
<Interface id="id3D94D531" dedicated_failover="False" dyn="False" label="" mgmt="False" security_level="100" unnum="True" unprotected="False" name="eth0" comment="this interface is part of the bridge" ro="False">
|
|
<InterfaceOptions/>
|
|
</Interface>
|
|
<Interface id="id3D94D552" dedicated_failover="False" dyn="True" label="" mgmt="False" security_level="0" unnum="False" unprotected="False" name="eth2" comment="" ro="False">
|
|
<InterfaceOptions/>
|
|
</Interface>
|
|
<Interface id="id3D94D558" dedicated_failover="False" dyn="False" security_level="100" unnum="False" unprotected="False" name="lo" comment="" ro="False">
|
|
<IPv4 id="id3D94D559" name="address" comment="" ro="False" address="127.0.0.1" netmask="255.0.0.0"/>
|
|
<InterfaceOptions/>
|
|
</Interface>
|
|
<Interface id="id3E21FC66" dedicated_failover="False" dyn="True" label="" mgmt="False" security_level="100" unnum="False" unprotected="False" name="br0" comment="" ro="False">
|
|
<InterfaceOptions/>
|
|
</Interface>
|
|
<Interface id="id3F28B886" dedicated_failover="False" dyn="False" label="" mgmt="True" security_level="100" unnum="False" unprotected="False" name="eth3" comment="This interface has netmask 255.255.255.255, which is an error, but the compiler should handle it properly anyway. One typical mistake is to put rules that have the fw or its interface in DST into the FORWARD chain (it should be the INPUT chain). This is the management interface of the bridging fw. This interface is connected to the protected subnet. There may be another interface connected to the same subnet, but that interface would be a bridging interface and have no address." ro="False">
|
|
<IPv4 id="id3F28B88A" name="firewall11:eth3(ip)" comment="" ro="False" address="10.1.1.1" netmask="255.255.255.255"/>
|
|
<InterfaceOptions/>
|
|
</Interface>
|
|
<Interface id="id3F77AFD4" dedicated_failover="False" dyn="False" label="" mgmt="False" security_level="100" unnum="True" unprotected="False" name="eth1" comment="this interface is also a part of the bridge" ro="False">
|
|
<InterfaceOptions/>
|
|
</Interface>
|
|
<Management address="10.1.1.1">
|
|
<SNMPManagement enabled="False" snmp_read_community="public" snmp_write_community=""/>
|
|
<FWBDManagement enabled="True" identity="" port="9999"/>
|
|
<PolicyInstallScript arguments="" command="" enabled="False"/>
|
|
</Management>
|
|
<FirewallOptions>
|
|
<Option name="accept_established">True</Option>
|
|
<Option name="accept_new_tcp_with_no_syn">True</Option>
|
|
<Option name="action_on_reject">ICMP net unreachable</Option>
|
|
<Option name="activationCmd"/>
|
|
<Option name="add_mgmt_ssh_rule_when_stoped">False</Option>
|
|
<Option name="add_rules_for_ipv6_neighbor_discovery">False</Option>
|
|
<Option name="admUser"/>
|
|
<Option name="altAddress"/>
|
|
<Option name="bridging_fw">True</Option>
|
|
<Option name="check_shading">False</Option>
|
|
<Option name="clamp_mss_to_mtu">False</Option>
|
|
<Option name="classify_mark_terminating">False</Option>
|
|
<Option name="clear_unknown_interfaces">False</Option>
|
|
<Option name="cmdline"/>
|
|
<Option name="compiler"/>
|
|
<Option name="configure_bonding_interfaces">False</Option>
|
|
<Option name="configure_bridge_interfaces">False</Option>
|
|
<Option name="configure_interfaces">True</Option>
|
|
<Option name="configure_vlan_interfaces">False</Option>
|
|
<Option name="debug">False</Option>
|
|
<Option name="drop_invalid">False</Option>
|
|
<Option name="dyn_addr">False</Option>
|
|
<Option name="epilog_script"/>
|
|
<Option name="firewall_dir"/>
|
|
<Option name="firewall_is_part_of_any">True</Option>
|
|
<Option name="firewall_is_part_of_any_and_networks">False</Option>
|
|
<Option name="ignore_empty_groups">False</Option>
|
|
<Option name="inst_cmdline"/>
|
|
<Option name="inst_script"/>
|
|
<Option name="install_script"/>
|
|
<Option name="ipv4_6_order">ipv4_first</Option>
|
|
<Option name="limit_suffix">/day</Option>
|
|
<Option name="limit_value">0</Option>
|
|
<Option name="linux24_accept_redirects"/>
|
|
<Option name="linux24_accept_source_route"/>
|
|
<Option name="linux24_icmp_echo_ignore_all"/>
|
|
<Option name="linux24_icmp_echo_ignore_broadcasts"/>
|
|
<Option name="linux24_icmp_ignore_bogus_error_responses"/>
|
|
<Option name="linux24_ip_dynaddr"/>
|
|
<Option name="linux24_ip_forward"/>
|
|
<Option name="linux24_log_martians"/>
|
|
<Option name="linux24_path_ip"/>
|
|
<Option name="linux24_path_iptables"/>
|
|
<Option name="linux24_path_logger"/>
|
|
<Option name="linux24_path_lsmod"/>
|
|
<Option name="linux24_path_modprobe"/>
|
|
<Option name="linux24_rp_filter"/>
|
|
<Option name="linux24_tcp_ecn"/>
|
|
<Option name="linux24_tcp_fack"/>
|
|
<Option name="linux24_tcp_fin_timeout">30</Option>
|
|
<Option name="linux24_tcp_keepalive_interval">1800</Option>
|
|
<Option name="linux24_tcp_sack"/>
|
|
<Option name="linux24_tcp_syncookies"/>
|
|
<Option name="linux24_tcp_timestamps"/>
|
|
<Option name="linux24_tcp_window_scaling"/>
|
|
<Option name="load_modules">False</Option>
|
|
<Option name="local_nat">False</Option>
|
|
<Option name="log_all">False</Option>
|
|
<Option name="log_all_dropped">False</Option>
|
|
<Option name="log_invalid">False</Option>
|
|
<Option name="log_ip_opt">False</Option>
|
|
<Option name="log_level">debug</Option>
|
|
<Option name="log_limit_suffix">/second</Option>
|
|
<Option name="log_limit_value">0</Option>
|
|
<Option name="log_prefix"/>
|
|
<Option name="log_tcp_opt">False</Option>
|
|
<Option name="log_tcp_seq">False</Option>
|
|
<Option name="manage_virtual_addr">True</Option>
|
|
<Option name="mgmt_addr"/>
|
|
<Option name="mgmt_ssh">False</Option>
|
|
<Option name="no_iochains_for_any">False</Option>
|
|
<Option name="no_optimisation">False</Option>
|
|
<Option name="output_file"/>
|
|
<Option name="platform">iptables</Option>
|
|
<Option name="prolog_place">top</Option>
|
|
<Option name="prolog_script"/>
|
|
<Option name="proxy_arp">False</Option>
|
|
<Option name="scpArgs"/>
|
|
<Option name="script_env_path"/>
|
|
<Option name="script_name_on_firewall"/>
|
|
<Option name="snmp_contact"/>
|
|
<Option name="snmp_description"/>
|
|
<Option name="snmp_location"/>
|
|
<Option name="sshArgs"/>
|
|
<Option name="ulog_cprange">0</Option>
|
|
<Option name="ulog_nlgroup">1</Option>
|
|
<Option name="ulog_qthreshold">1</Option>
|
|
<Option name="use_ULOG">False</Option>
|
|
<Option name="use_ip_tool">False</Option>
|
|
<Option name="use_iptables_restore">False</Option>
|
|
<Option name="use_numeric_log_levels">False</Option>
|
|
<Option name="verify_interfaces">False</Option>
|
|
</FirewallOptions>
|
|
</Firewall>
|
|
<Firewall id="id3DDDE6C3" host_OS="linux24" lastCompiled="1244480616" lastInstalled="1142003872" lastModified="1270839660" platform="iptables" name="firewall12" comment="This firewall does not do NAT for addresses, but translates the port for a server" ro="False">
|
|
<NAT id="id3DDDE6C7" name="NAT" comment="" ro="False" ipv4_rule_set="False" ipv6_rule_set="False" top_rule_set="True">
|
|
<NATRule id="id3DDDE6D6" disabled="False" group="" position="0" action="Translate" comment="">
|
|
<OSrc neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</OSrc>
|
|
<ODst neg="False">
|
|
<ObjectRef ref="id3AFADBF9"/>
|
|
</ODst>
|
|
<OSrv neg="False">
|
|
<ServiceRef ref="tcp-HTTP"/>
|
|
</OSrv>
|
|
<TSrc neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</TSrc>
|
|
<TDst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</TDst>
|
|
<TSrv neg="False">
|
|
<ServiceRef ref="id3DDDE4E4"/>
|
|
</TSrv>
|
|
<ItfInb neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ItfInb>
|
|
<ItfOutb neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ItfOutb>
|
|
<NATRuleOptions/>
|
|
</NATRule>
|
|
<NATRule id="id3DE472C4" disabled="False" group="" position="1" action="Translate" comment="">
|
|
<OSrc neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</OSrc>
|
|
<ODst neg="False">
|
|
<ObjectRef ref="id3DDDE6D3"/>
|
|
</ODst>
|
|
<OSrv neg="False">
|
|
<ServiceRef ref="tcp-HTTP"/>
|
|
</OSrv>
|
|
<TSrc neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</TSrc>
|
|
<TDst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</TDst>
|
|
<TSrv neg="False">
|
|
<ServiceRef ref="id3DDDE4E4"/>
|
|
</TSrv>
|
|
<ItfInb neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ItfInb>
|
|
<ItfOutb neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ItfOutb>
|
|
<NATRuleOptions/>
|
|
</NATRule>
|
|
<NATRule id="id3DE47209" disabled="False" group="" position="2" action="Translate" comment="">
|
|
<OSrc neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</OSrc>
|
|
<ODst neg="False">
|
|
<ObjectRef ref="id3DDDE6D1"/>
|
|
</ODst>
|
|
<OSrv neg="False">
|
|
<ServiceRef ref="tcp-HTTP"/>
|
|
</OSrv>
|
|
<TSrc neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</TSrc>
|
|
<TDst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</TDst>
|
|
<TSrv neg="False">
|
|
<ServiceRef ref="id3DDDE4E4"/>
|
|
</TSrv>
|
|
<ItfInb neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ItfInb>
|
|
<ItfOutb neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ItfOutb>
|
|
<NATRuleOptions/>
|
|
</NATRule>
|
|
<NATRule id="id3DE3B872" disabled="False" group="" position="3" action="Translate" comment="">
|
|
<OSrc neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</OSrc>
|
|
<ODst neg="False">
|
|
<ObjectRef ref="id3DDDE6C3"/>
|
|
</ODst>
|
|
<OSrv neg="False">
|
|
<ServiceRef ref="tcp-HTTP"/>
|
|
</OSrv>
|
|
<TSrc neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</TSrc>
|
|
<TDst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</TDst>
|
|
<TSrv neg="False">
|
|
<ServiceRef ref="id3DDDE4E4"/>
|
|
</TSrv>
|
|
<ItfInb neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ItfInb>
|
|
<ItfOutb neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ItfOutb>
|
|
<NATRuleOptions/>
|
|
</NATRule>
|
|
<NATRule id="id3DE3B9B2" disabled="False" group="" position="4" action="Translate" comment="">
|
|
<OSrc neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</OSrc>
|
|
<ODst neg="False">
|
|
<ObjectRef ref="id3DDDE6C3"/>
|
|
</ODst>
|
|
<OSrv neg="False">
|
|
<ServiceRef ref="tcp-HTTP"/>
|
|
</OSrv>
|
|
<TSrc neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</TSrc>
|
|
<TDst neg="False">
|
|
<ObjectRef ref="id3DDDE6C3"/>
|
|
</TDst>
|
|
<TSrv neg="False">
|
|
<ServiceRef ref="id3DDDE4E4"/>
|
|
</TSrv>
|
|
<ItfInb neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ItfInb>
|
|
<ItfOutb neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ItfOutb>
|
|
<NATRuleOptions/>
|
|
</NATRule>
|
|
<NATRule id="id3DE66C32" disabled="False" group="" position="5" action="Translate" comment="">
|
|
<OSrc neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</OSrc>
|
|
<ODst neg="False">
|
|
<ObjectRef ref="id3DDDE6C3"/>
|
|
</ODst>
|
|
<OSrv neg="False">
|
|
<ServiceRef ref="tcp-HTTP"/>
|
|
</OSrv>
|
|
<TSrc neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</TSrc>
|
|
<TDst neg="False">
|
|
<ObjectRef ref="id3DDDE6CE"/>
|
|
</TDst>
|
|
<TSrv neg="False">
|
|
<ServiceRef ref="id3DDDE4E4"/>
|
|
</TSrv>
|
|
<ItfInb neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ItfInb>
|
|
<ItfOutb neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ItfOutb>
|
|
<NATRuleOptions/>
|
|
</NATRule>
|
|
<NATRule id="id3ED59A8C" disabled="False" group="" position="6" action="Translate" comment="">
|
|
<OSrc neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</OSrc>
|
|
<ODst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ODst>
|
|
<OSrv neg="False">
|
|
<ServiceRef ref="tcp-HTTP"/>
|
|
</OSrv>
|
|
<TSrc neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</TSrc>
|
|
<TDst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</TDst>
|
|
<TSrv neg="False">
|
|
<ServiceRef ref="id3DDDE4E4"/>
|
|
</TSrv>
|
|
<ItfInb neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ItfInb>
|
|
<ItfOutb neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ItfOutb>
|
|
<NATRuleOptions/>
|
|
</NATRule>
|
|
<NATRule id="id3ED59B00" disabled="False" group="" position="7" action="Translate" comment="port-only translation">
|
|
<OSrc neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</OSrc>
|
|
<ODst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ODst>
|
|
<OSrv neg="False">
|
|
<ServiceRef ref="id3ED59BF0"/>
|
|
</OSrv>
|
|
<TSrc neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</TSrc>
|
|
<TDst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</TDst>
|
|
<TSrv neg="False">
|
|
<ServiceRef ref="id3ED59BF1"/>
|
|
</TSrv>
|
|
<ItfInb neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ItfInb>
|
|
<ItfOutb neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ItfOutb>
|
|
<NATRuleOptions/>
|
|
</NATRule>
|
|
<NATRule id="id3ED59E9D" disabled="False" group="" position="8" action="Translate" comment="">
|
|
<OSrc neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</OSrc>
|
|
<ODst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ODst>
|
|
<OSrv neg="False">
|
|
<ServiceRef ref="id3ED59BF0"/>
|
|
</OSrv>
|
|
<TSrc neg="False">
|
|
<ObjectRef ref="id3DDDE6C3"/>
|
|
</TSrc>
|
|
<TDst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</TDst>
|
|
<TSrv neg="False">
|
|
<ServiceRef ref="id3ED59BF1"/>
|
|
</TSrv>
|
|
<ItfInb neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ItfInb>
|
|
<ItfOutb neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ItfOutb>
|
|
<NATRuleOptions/>
|
|
</NATRule>
|
|
<NATRule id="id62195X80061" disabled="False" group="" position="9" action="Translate" comment="port-only translation">
|
|
<OSrc neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</OSrc>
|
|
<ODst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ODst>
|
|
<OSrv neg="False">
|
|
<ServiceRef ref="tcp-HTTP"/>
|
|
</OSrv>
|
|
<TSrc neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</TSrc>
|
|
<TDst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</TDst>
|
|
<TSrv neg="False">
|
|
<ServiceRef ref="id3DDDE4E4"/>
|
|
</TSrv>
|
|
<ItfInb neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ItfInb>
|
|
<ItfOutb neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ItfOutb>
|
|
<NATRuleOptions/>
|
|
</NATRule>
|
|
<NATRule id="id3ED59D48" disabled="False" group="" position="10" action="Translate" comment="">
|
|
<OSrc neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</OSrc>
|
|
<ODst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ODst>
|
|
<OSrv neg="False">
|
|
<ServiceRef ref="tcp-HTTP"/>
|
|
</OSrv>
|
|
<TSrc neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</TSrc>
|
|
<TDst neg="False">
|
|
<ObjectRef ref="id3DDDE6C3"/>
|
|
</TDst>
|
|
<TSrv neg="False">
|
|
<ServiceRef ref="id3DDDE4E4"/>
|
|
</TSrv>
|
|
<ItfInb neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ItfInb>
|
|
<ItfOutb neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ItfOutb>
|
|
<NATRuleOptions/>
|
|
</NATRule>
|
|
<NATRule id="id46723X95438" disabled="False" group="" position="11" action="Translate" comment="SDNAT ">
|
|
<OSrc neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</OSrc>
|
|
<ODst neg="False">
|
|
<ObjectRef ref="id45738X95438"/>
|
|
</ODst>
|
|
<OSrv neg="False">
|
|
<ServiceRef ref="id45821X95438"/>
|
|
</OSrv>
|
|
<TSrc neg="False">
|
|
<ObjectRef ref="id45738X95438"/>
|
|
</TSrc>
|
|
<TDst neg="False">
|
|
<ObjectRef ref="id46523X95438"/>
|
|
</TDst>
|
|
<TSrv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</TSrv>
|
|
<ItfInb neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ItfInb>
|
|
<ItfOutb neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ItfOutb>
|
|
<NATRuleOptions/>
|
|
</NATRule>
|
|
<NATRule id="id46776X95438" disabled="False" group="" position="12" action="Translate" comment="SDNAT with source port">
|
|
<OSrc neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</OSrc>
|
|
<ODst neg="False">
|
|
<ObjectRef ref="id45738X95438"/>
|
|
</ODst>
|
|
<OSrv neg="False">
|
|
<ServiceRef ref="id46447X95438"/>
|
|
</OSrv>
|
|
<TSrc neg="False">
|
|
<ObjectRef ref="id45738X95438"/>
|
|
</TSrc>
|
|
<TDst neg="False">
|
|
<ObjectRef ref="id46523X95438"/>
|
|
</TDst>
|
|
<TSrv neg="False">
|
|
<ServiceRef ref="id46457X95438"/>
|
|
</TSrv>
|
|
<ItfInb neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ItfInb>
|
|
<ItfOutb neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ItfOutb>
|
|
<NATRuleOptions/>
|
|
</NATRule>
|
|
<NATRule id="id46829X95438" disabled="False" group="" position="13" action="Translate" comment="SDNAT with dest port">
|
|
<OSrc neg="False">
|
|
<ObjectRef ref="id3DC75CE7-1"/>
|
|
</OSrc>
|
|
<ODst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ODst>
|
|
<OSrv neg="False">
|
|
<ServiceRef ref="id46482X95438"/>
|
|
</OSrv>
|
|
<TSrc neg="False">
|
|
<ObjectRef ref="id45738X95438"/>
|
|
</TSrc>
|
|
<TDst neg="False">
|
|
<ObjectRef ref="id46523X95438"/>
|
|
</TDst>
|
|
<TSrv neg="False">
|
|
<ServiceRef ref="id46492X95438"/>
|
|
</TSrv>
|
|
<ItfInb neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ItfInb>
|
|
<ItfOutb neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ItfOutb>
|
|
<NATRuleOptions/>
|
|
</NATRule>
|
|
<NATRule id="id46882X95438" disabled="False" group="" position="14" action="Translate" comment="SDNAT translate src and dst addresses and src and dst ports">
|
|
<OSrc neg="False">
|
|
<ObjectRef ref="id3DC75CE7-1"/>
|
|
</OSrc>
|
|
<ODst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ODst>
|
|
<OSrv neg="False">
|
|
<ServiceRef ref="id46617X95438"/>
|
|
</OSrv>
|
|
<TSrc neg="False">
|
|
<ObjectRef ref="id45738X95438"/>
|
|
</TSrc>
|
|
<TDst neg="False">
|
|
<ObjectRef ref="id46523X95438"/>
|
|
</TDst>
|
|
<TSrv neg="False">
|
|
<ServiceRef ref="id46627X95438"/>
|
|
</TSrv>
|
|
<ItfInb neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ItfInb>
|
|
<ItfOutb neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ItfOutb>
|
|
<NATRuleOptions/>
|
|
</NATRule>
|
|
<NATRule id="id46935X95438" disabled="False" group="" position="15" action="Translate" comment="">
|
|
<OSrc neg="False">
|
|
<ObjectRef ref="id3DC75CE7-1"/>
|
|
</OSrc>
|
|
<ODst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ODst>
|
|
<OSrv neg="False">
|
|
<ServiceRef ref="id46482X95438"/>
|
|
</OSrv>
|
|
<TSrc neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</TSrc>
|
|
<TDst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</TDst>
|
|
<TSrv neg="False">
|
|
<ServiceRef ref="id46457X95438"/>
|
|
</TSrv>
|
|
<ItfInb neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ItfInb>
|
|
<ItfOutb neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ItfOutb>
|
|
<NATRuleOptions/>
|
|
</NATRule>
|
|
<NATRule id="id46988X95438" disabled="False" group="" position="16" action="Translate" comment="invalid rule">
|
|
<OSrc neg="False">
|
|
<ObjectRef ref="id3DC75CE7-1"/>
|
|
</OSrc>
|
|
<ODst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ODst>
|
|
<OSrv neg="False">
|
|
<ServiceRef ref="id45821X95438"/>
|
|
</OSrv>
|
|
<TSrc neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</TSrc>
|
|
<TDst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</TDst>
|
|
<TSrv neg="False">
|
|
<ServiceRef ref="id46457X95438"/>
|
|
</TSrv>
|
|
<ItfInb neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ItfInb>
|
|
<ItfOutb neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ItfOutb>
|
|
<NATRuleOptions/>
|
|
</NATRule>
|
|
<RuleSetOptions/>
|
|
</NAT>
|
|
<Policy id="id3DDDE6C6" name="Policy" comment="" ro="False" ipv4_rule_set="False" ipv6_rule_set="False" top_rule_set="True">
|
|
<PolicyRule id="id3DDDE701" disabled="False" group="" log="False" position="0" action="Accept" direction="Both" comment="">
|
|
<Src neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="id3AFADBF9"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="id3DDDE4E4"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions/>
|
|
</PolicyRule>
|
|
<PolicyRule id="id3DDDE6F7" disabled="False" group="" log="True" position="1" action="Deny" direction="Both" comment="">
|
|
<Src neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="stateless">True</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<RuleSetOptions/>
|
|
</Policy>
|
|
<Routing id="id3DDDE6C3-routing" name="Routing" comment="" ro="False" ipv4_rule_set="False" ipv6_rule_set="False" top_rule_set="True">
|
|
<RuleSetOptions/>
|
|
</Routing>
|
|
<Interface id="id3DDDE6CE" dedicated_failover="False" dyn="False" label="" mgmt="True" security_level="100" unnum="False" unprotected="False" name="eth0" comment="" ro="False">
|
|
<IPv4 id="id3DDDE6D0" name="firewall12" comment="" ro="False" address="22.22.22.22" netmask="255.255.255.0"/>
|
|
<InterfaceOptions/>
|
|
</Interface>
|
|
<Interface id="id3DDDE6D1" dedicated_failover="False" dyn="False" label="" mgmt="False" security_level="0" unnum="False" unprotected="False" name="eth1" comment="" ro="False">
|
|
<IPv4 id="id3DDDE6D3" name="firewall12" comment="" ro="False" address="22.22.23.22" netmask="255.255.255.0"/>
|
|
<InterfaceOptions/>
|
|
</Interface>
|
|
<Management address="22.22.22.22">
|
|
<SNMPManagement enabled="False" snmp_read_community="" snmp_write_community=""/>
|
|
<FWBDManagement enabled="True" identity="" port="9999"/>
|
|
<PolicyInstallScript arguments="" command="" enabled="False"/>
|
|
</Management>
|
|
<FirewallOptions>
|
|
<Option name="accept_established">True</Option>
|
|
<Option name="accept_new_tcp_with_no_syn">True</Option>
|
|
<Option name="action_on_reject">ICMP host prohibited</Option>
|
|
<Option name="bridging_fw">False</Option>
|
|
<Option name="check_shading">False</Option>
|
|
<Option name="clamp_mss_to_mtu">False</Option>
|
|
<Option name="cmdline"/>
|
|
<Option name="compiler"/>
|
|
<Option name="configure_interfaces">True</Option>
|
|
<Option name="debug">False</Option>
|
|
<Option name="firewall_is_part_of_any_and_networks">True</Option>
|
|
<Option name="ignore_empty_groups">False</Option>
|
|
<Option name="limit_suffix"/>
|
|
<Option name="limit_value">0</Option>
|
|
<Option name="linux24_accept_redirects"/>
|
|
<Option name="linux24_accept_source_route"/>
|
|
<Option name="linux24_icmp_echo_ignore_all"/>
|
|
<Option name="linux24_icmp_echo_ignore_broadcasts"/>
|
|
<Option name="linux24_icmp_ignore_bogus_error_responses"/>
|
|
<Option name="linux24_ip_dynaddr"/>
|
|
<Option name="linux24_ip_forward"/>
|
|
<Option name="linux24_log_martians"/>
|
|
<Option name="linux24_path_ip"/>
|
|
<Option name="linux24_path_iptables"/>
|
|
<Option name="linux24_path_logger"/>
|
|
<Option name="linux24_path_lsmod"/>
|
|
<Option name="linux24_path_modprobe"/>
|
|
<Option name="linux24_rp_filter"/>
|
|
<Option name="linux24_tcp_ecn"/>
|
|
<Option name="linux24_tcp_fack"/>
|
|
<Option name="linux24_tcp_fin_timeout">30</Option>
|
|
<Option name="linux24_tcp_keepalive_interval">1800</Option>
|
|
<Option name="linux24_tcp_sack"/>
|
|
<Option name="linux24_tcp_syncookies"/>
|
|
<Option name="linux24_tcp_timestamps"/>
|
|
<Option name="linux24_tcp_window_scaling"/>
|
|
<Option name="load_modules">True</Option>
|
|
<Option name="local_nat">False</Option>
|
|
<Option name="log_all">False</Option>
|
|
<Option name="log_all_dropped">False</Option>
|
|
<Option name="log_ip_opt">False</Option>
|
|
<Option name="log_level">info</Option>
|
|
<Option name="log_prefix">RULE %N -- %A </Option>
|
|
<Option name="log_tcp_opt">False</Option>
|
|
<Option name="log_tcp_seq">False</Option>
|
|
<Option name="manage_virtual_addr">True</Option>
|
|
<Option name="no_optimisation">False</Option>
|
|
<Option name="snmp_contact"/>
|
|
<Option name="snmp_description"/>
|
|
<Option name="snmp_location"/>
|
|
<Option name="ulog_cprange">0</Option>
|
|
<Option name="ulog_nlgroup">1</Option>
|
|
<Option name="ulog_qthreshold">1</Option>
|
|
<Option name="use_ULOG">False</Option>
|
|
<Option name="use_numeric_log_levels">False</Option>
|
|
<Option name="verify_interfaces">False</Option>
|
|
</FirewallOptions>
|
|
</Firewall>
|
|
<Firewall id="id3DE68A18" host_OS="linux24" lastCompiled="1272404312" lastInstalled="1142003872" lastModified="0" platform="iptables" name="firewall13" comment="Testing the handling of empty groups" ro="False">
|
|
<NAT id="id3DE68A19" name="NAT" comment="" ro="False" ipv4_rule_set="False" ipv6_rule_set="False" top_rule_set="True">
|
|
<NATRule id="id3DE68AFA" disabled="False" group="" position="0" action="Translate" comment="">
|
|
<OSrc neg="False">
|
|
<ObjectRef ref="id3DE689FE"/>
|
|
</OSrc>
|
|
<ODst neg="False">
|
|
<ObjectRef ref="id3DE68A18"/>
|
|
</ODst>
|
|
<OSrv neg="False">
|
|
<ServiceRef ref="id3C1A66EF"/>
|
|
</OSrv>
|
|
<TSrc neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</TSrc>
|
|
<TDst neg="False">
|
|
<ObjectRef ref="host-hostA"/>
|
|
</TDst>
|
|
<TSrv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</TSrv>
|
|
<ItfInb neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ItfInb>
|
|
<ItfOutb neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ItfOutb>
|
|
<NATRuleOptions/>
|
|
</NATRule>
|
|
<NATRule id="id3DE68B5B" disabled="False" group="" position="1" action="Translate" comment="">
|
|
<OSrc neg="False">
|
|
<ObjectRef ref="id3DE68A00"/>
|
|
</OSrc>
|
|
<ODst neg="False">
|
|
<ObjectRef ref="id3DE68A18"/>
|
|
</ODst>
|
|
<OSrv neg="False">
|
|
<ServiceRef ref="id3C1A66EF"/>
|
|
</OSrv>
|
|
<TSrc neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</TSrc>
|
|
<TDst neg="False">
|
|
<ObjectRef ref="host-hostA"/>
|
|
</TDst>
|
|
<TSrv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</TSrv>
|
|
<ItfInb neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ItfInb>
|
|
<ItfOutb neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ItfOutb>
|
|
<NATRuleOptions/>
|
|
</NATRule>
|
|
<RuleSetOptions/>
|
|
</NAT>
|
|
<Policy id="id3DE68A6E" name="Policy" comment="" ro="False" ipv4_rule_set="False" ipv6_rule_set="False" top_rule_set="True">
|
|
<PolicyRule id="id3DE68A6F" disabled="False" group="" log="False" position="0" action="Accept" direction="Both" comment="">
|
|
<Src neg="False">
|
|
<ObjectRef ref="id3DE68A00"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="host-hostA"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="id3DDDE4E4"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions/>
|
|
</PolicyRule>
|
|
<PolicyRule id="id3DE68BA4" disabled="False" group="" log="True" position="1" action="Accept" direction="Both" comment="">
|
|
<Src neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="host-hostA"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="id3DE689FF"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions/>
|
|
</PolicyRule>
|
|
<PolicyRule id="id3DE68A79" disabled="False" group="" log="True" position="2" action="Deny" direction="Both" comment="">
|
|
<Src neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="stateless">True</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<RuleSetOptions/>
|
|
</Policy>
|
|
<Routing id="id3DE68A18-routing" name="Routing" comment="" ro="False" ipv4_rule_set="False" ipv6_rule_set="False" top_rule_set="True">
|
|
<RuleSetOptions/>
|
|
</Routing>
|
|
<Interface id="id3DE68A83" dedicated_failover="False" dyn="False" label="" mgmt="True" security_level="100" unnum="False" unprotected="False" name="eth0" comment="" ro="False">
|
|
<IPv4 id="id3DE68A84" name="firewall12" comment="" ro="False" address="22.22.22.22" netmask="255.255.255.0"/>
|
|
<InterfaceOptions/>
|
|
</Interface>
|
|
<Interface id="id3DE68A86" dedicated_failover="False" dyn="False" label="" mgmt="False" security_level="0" unnum="False" unprotected="False" name="eth1" comment="" ro="False">
|
|
<IPv4 id="id3DE68A87" name="firewall12" comment="" ro="False" address="22.22.23.22" netmask="255.255.255.0"/>
|
|
<InterfaceOptions/>
|
|
</Interface>
|
|
<Management address="22.22.22.22">
|
|
<SNMPManagement enabled="False" snmp_read_community="" snmp_write_community=""/>
|
|
<FWBDManagement enabled="True" identity="" port="9999"/>
|
|
<PolicyInstallScript arguments="" command="" enabled="False"/>
|
|
</Management>
|
|
<FirewallOptions>
|
|
<Option name="accept_established">True</Option>
|
|
<Option name="accept_new_tcp_with_no_syn">True</Option>
|
|
<Option name="action_on_reject">ICMP host prohibited</Option>
|
|
<Option name="bridging_fw">False</Option>
|
|
<Option name="check_shading">False</Option>
|
|
<Option name="clamp_mss_to_mtu">False</Option>
|
|
<Option name="cmdline"/>
|
|
<Option name="compiler"/>
|
|
<Option name="configure_interfaces">True</Option>
|
|
<Option name="debug">False</Option>
|
|
<Option name="firewall_is_part_of_any_and_networks">True</Option>
|
|
<Option name="ignore_empty_groups">True</Option>
|
|
<Option name="limit_suffix"/>
|
|
<Option name="limit_value">0</Option>
|
|
<Option name="linux24_accept_redirects"/>
|
|
<Option name="linux24_accept_source_route"/>
|
|
<Option name="linux24_icmp_echo_ignore_all"/>
|
|
<Option name="linux24_icmp_echo_ignore_broadcasts"/>
|
|
<Option name="linux24_icmp_ignore_bogus_error_responses"/>
|
|
<Option name="linux24_ip_dynaddr"/>
|
|
<Option name="linux24_ip_forward"/>
|
|
<Option name="linux24_log_martians"/>
|
|
<Option name="linux24_path_ip"/>
|
|
<Option name="linux24_path_iptables"/>
|
|
<Option name="linux24_path_logger"/>
|
|
<Option name="linux24_path_lsmod"/>
|
|
<Option name="linux24_path_modprobe"/>
|
|
<Option name="linux24_rp_filter"/>
|
|
<Option name="linux24_tcp_ecn"/>
|
|
<Option name="linux24_tcp_fack"/>
|
|
<Option name="linux24_tcp_fin_timeout">30</Option>
|
|
<Option name="linux24_tcp_keepalive_interval">1800</Option>
|
|
<Option name="linux24_tcp_sack"/>
|
|
<Option name="linux24_tcp_syncookies"/>
|
|
<Option name="linux24_tcp_timestamps"/>
|
|
<Option name="linux24_tcp_window_scaling"/>
|
|
<Option name="load_modules">True</Option>
|
|
<Option name="local_nat">False</Option>
|
|
<Option name="log_all">False</Option>
|
|
<Option name="log_all_dropped">False</Option>
|
|
<Option name="log_ip_opt">False</Option>
|
|
<Option name="log_level">info</Option>
|
|
<Option name="log_prefix">RULE %N -- %A </Option>
|
|
<Option name="log_tcp_opt">False</Option>
|
|
<Option name="log_tcp_seq">False</Option>
|
|
<Option name="manage_virtual_addr">True</Option>
|
|
<Option name="no_optimisation">False</Option>
|
|
<Option name="snmp_contact"/>
|
|
<Option name="snmp_description"/>
|
|
<Option name="snmp_location"/>
|
|
<Option name="ulog_cprange">0</Option>
|
|
<Option name="ulog_nlgroup">1</Option>
|
|
<Option name="ulog_qthreshold">1</Option>
|
|
<Option name="use_ULOG">False</Option>
|
|
<Option name="use_numeric_log_levels">False</Option>
|
|
<Option name="verify_interfaces">False</Option>
|
|
</FirewallOptions>
|
|
</Firewall>
|
|
<Firewall id="id3DE71215" host_OS="linux24" lastCompiled="1272404315" lastInstalled="1142003872" lastModified="0" platform="iptables" name="firewall14" comment="Special configuration with overlapping subnets on the external and DMZ interfaces; tests NAT rules (especially the choice of interface for -o)" ro="False">
|
|
<NAT id="id3DE71216" name="NAT" comment="" ro="False" ipv4_rule_set="False" ipv6_rule_set="False" top_rule_set="True">
|
|
<NATRule id="id3DE71217" disabled="False" group="" position="0" action="Translate" comment="">
|
|
<OSrc neg="False">
|
|
<ObjectRef ref="net-Internal_net"/>
|
|
</OSrc>
|
|
<ODst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ODst>
|
|
<OSrv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</OSrv>
|
|
<TSrc neg="False">
|
|
<ObjectRef ref="id3DE71282"/>
|
|
</TSrc>
|
|
<TDst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</TDst>
|
|
<TSrv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</TSrv>
|
|
<ItfInb neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ItfInb>
|
|
<ItfOutb neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ItfOutb>
|
|
<NATRuleOptions/>
|
|
</NATRule>
|
|
<NATRule id="id3DE71225" disabled="False" group="" position="1" action="Translate" comment="">
|
|
<OSrc neg="False">
|
|
<ObjectRef ref="net-Internal_net"/>
|
|
</OSrc>
|
|
<ODst neg="True">
|
|
<ObjectRef ref="id3DE71E90"/>
|
|
</ODst>
|
|
<OSrv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</OSrv>
|
|
<TSrc neg="False">
|
|
<ObjectRef ref="id3DE71282"/>
|
|
</TSrc>
|
|
<TDst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</TDst>
|
|
<TSrv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</TSrv>
|
|
<ItfInb neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ItfInb>
|
|
<ItfOutb neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ItfOutb>
|
|
<NATRuleOptions/>
|
|
</NATRule>
|
|
<NATRule id="id3DE7203A" disabled="False" group="" position="2" action="Translate" comment="">
|
|
<OSrc neg="False">
|
|
<ObjectRef ref="net-Internal_net"/>
|
|
</OSrc>
|
|
<ODst neg="False">
|
|
<ObjectRef ref="id3DE71E90"/>
|
|
</ODst>
|
|
<OSrv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</OSrv>
|
|
<TSrc neg="False">
|
|
<ObjectRef ref="id3DE7127F"/>
|
|
</TSrc>
|
|
<TDst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</TDst>
|
|
<TSrv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</TSrv>
|
|
<ItfInb neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ItfInb>
|
|
<ItfOutb neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ItfOutb>
|
|
<NATRuleOptions/>
|
|
</NATRule>
|
|
<NATRule id="id3DE720E6" disabled="False" group="" position="3" action="Translate" comment="">
|
|
<OSrc neg="False">
|
|
<ObjectRef ref="net-Internal_net"/>
|
|
</OSrc>
|
|
<ODst neg="False">
|
|
<ObjectRef ref="id3DE71E90"/>
|
|
</ODst>
|
|
<OSrv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</OSrv>
|
|
<TSrc neg="False">
|
|
<ObjectRef ref="id3DE7127D"/>
|
|
</TSrc>
|
|
<TDst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</TDst>
|
|
<TSrv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</TSrv>
|
|
<ItfInb neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ItfInb>
|
|
<ItfOutb neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ItfOutb>
|
|
<NATRuleOptions/>
|
|
</NATRule>
|
|
<NATRule id="id3DE72150" disabled="False" group="" position="4" action="Translate" comment="I guess this rule does not make much sense">
|
|
<OSrc neg="False">
|
|
<ObjectRef ref="net-Internal_net"/>
|
|
</OSrc>
|
|
<ODst neg="False">
|
|
<ObjectRef ref="id3DE71E90"/>
|
|
</ODst>
|
|
<OSrv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</OSrv>
|
|
<TSrc neg="False">
|
|
<ObjectRef ref="id3DE71255"/>
|
|
</TSrc>
|
|
<TDst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</TDst>
|
|
<TSrv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</TSrv>
|
|
<ItfInb neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ItfInb>
|
|
<ItfOutb neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ItfOutb>
|
|
<NATRuleOptions/>
|
|
</NATRule>
|
|
<NATRule id="id3DE721CA" disabled="False" group="" position="5" action="Translate" comment="">
|
|
<OSrc neg="False">
|
|
<ObjectRef ref="net-Internal_net"/>
|
|
</OSrc>
|
|
<ODst neg="False">
|
|
<ObjectRef ref="id3DE71E90"/>
|
|
</ODst>
|
|
<OSrv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</OSrv>
|
|
<TSrc neg="False">
|
|
<ObjectRef ref="id3DE7223E"/>
|
|
</TSrc>
|
|
<TDst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</TDst>
|
|
<TSrv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</TSrv>
|
|
<ItfInb neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ItfInb>
|
|
<ItfOutb neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ItfOutb>
|
|
<NATRuleOptions/>
|
|
</NATRule>
|
|
<NATRule id="id3DE7236A" disabled="False" group="" position="6" action="Translate" comment="">
|
|
<OSrc neg="False">
|
|
<ObjectRef ref="net-Internal_net"/>
|
|
</OSrc>
|
|
<ODst neg="False">
|
|
<ObjectRef ref="id3DE71E90"/>
|
|
</ODst>
|
|
<OSrv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</OSrv>
|
|
<TSrc neg="False">
|
|
<ObjectRef ref="id3DE722F1"/>
|
|
</TSrc>
|
|
<TDst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</TDst>
|
|
<TSrv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</TSrv>
|
|
<ItfInb neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ItfInb>
|
|
<ItfOutb neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ItfOutb>
|
|
<NATRuleOptions/>
|
|
</NATRule>
|
|
<RuleSetOptions/>
|
|
</NAT>
|
|
<Policy id="id3DE71233" name="Policy" comment="" ro="False" ipv4_rule_set="False" ipv6_rule_set="False" top_rule_set="True">
|
|
<RuleSetOptions/>
|
|
</Policy>
|
|
<Routing id="id3DE71215-routing" name="Routing" comment="" ro="False" ipv4_rule_set="False" ipv6_rule_set="False" top_rule_set="True">
|
|
<RuleSetOptions/>
|
|
</Routing>
|
|
<Interface id="id3DE71252" dedicated_failover="False" dyn="False" label="" mgmt="True" security_level="100" unnum="False" unprotected="False" name="eth0" comment="" ro="False">
|
|
<IPv4 id="id3DE71253" name="fe14:eth0" comment="" ro="False" address="192.168.1.22" netmask="255.255.255.0"/>
|
|
<InterfaceOptions/>
|
|
</Interface>
|
|
<Interface id="id3DE71255" dedicated_failover="False" dyn="False" label="eth1(outside)" mgmt="False" security_level="0" unnum="False" unprotected="False" name="eth1" comment="" ro="False">
|
|
<IPv4 id="id3DE71256" name="fw14:eth1:1" comment="" ro="False" address="22.22.23.22" netmask="255.255.255.0"/>
|
|
<IPv4 id="id3DE71282" name="fw14:eth1:2" comment="this address belongs to subnets of both interfaces - eth1 and eth2" ro="False" address="22.22.23.160" netmask="255.255.255.0"/>
|
|
<InterfaceOptions/>
|
|
</Interface>
|
|
<Interface id="id3DE7127D" dedicated_failover="False" dyn="False" label="eth2(dmz)" mgmt="False" security_level="0" unnum="False" unprotected="False" name="eth2" comment="" ro="False">
|
|
<IPv4 id="id3DE7127F" name="fw14:eth2" comment="this interface is on the subnet that overlaps with eth1" ro="False" address="22.22.23.132" netmask="255.255.255.128"/>
|
|
<InterfaceOptions/>
|
|
</Interface>
|
|
<Management address="192.168.1.22">
|
|
<SNMPManagement enabled="False" snmp_read_community="" snmp_write_community=""/>
|
|
<FWBDManagement enabled="True" identity="" port="9999"/>
|
|
<PolicyInstallScript arguments="" command="" enabled="False"/>
|
|
</Management>
|
|
<FirewallOptions>
|
|
<Option name="accept_established">True</Option>
|
|
<Option name="accept_new_tcp_with_no_syn">True</Option>
|
|
<Option name="action_on_reject">ICMP host prohibited</Option>
|
|
<Option name="bridging_fw">False</Option>
|
|
<Option name="check_shading">False</Option>
|
|
<Option name="clamp_mss_to_mtu">False</Option>
|
|
<Option name="cmdline"/>
|
|
<Option name="compiler"/>
|
|
<Option name="configure_interfaces">True</Option>
|
|
<Option name="debug">False</Option>
|
|
<Option name="firewall_is_part_of_any_and_networks">True</Option>
|
|
<Option name="ignore_empty_groups">True</Option>
|
|
<Option name="limit_suffix"/>
|
|
<Option name="limit_value">0</Option>
|
|
<Option name="linux24_accept_redirects"/>
|
|
<Option name="linux24_accept_source_route"/>
|
|
<Option name="linux24_icmp_echo_ignore_all"/>
|
|
<Option name="linux24_icmp_echo_ignore_broadcasts"/>
|
|
<Option name="linux24_icmp_ignore_bogus_error_responses"/>
|
|
<Option name="linux24_ip_dynaddr"/>
|
|
<Option name="linux24_ip_forward"/>
|
|
<Option name="linux24_log_martians"/>
|
|
<Option name="linux24_path_ip"/>
|
|
<Option name="linux24_path_iptables"/>
|
|
<Option name="linux24_path_logger"/>
|
|
<Option name="linux24_path_lsmod"/>
|
|
<Option name="linux24_path_modprobe"/>
|
|
<Option name="linux24_rp_filter"/>
|
|
<Option name="linux24_tcp_ecn"/>
|
|
<Option name="linux24_tcp_fack"/>
|
|
<Option name="linux24_tcp_fin_timeout">30</Option>
|
|
<Option name="linux24_tcp_keepalive_interval">1800</Option>
|
|
<Option name="linux24_tcp_sack"/>
|
|
<Option name="linux24_tcp_syncookies"/>
|
|
<Option name="linux24_tcp_timestamps"/>
|
|
<Option name="linux24_tcp_window_scaling"/>
|
|
<Option name="load_modules">True</Option>
|
|
<Option name="local_nat">False</Option>
|
|
<Option name="log_all">False</Option>
|
|
<Option name="log_all_dropped">False</Option>
|
|
<Option name="log_ip_opt">False</Option>
|
|
<Option name="log_level">info</Option>
|
|
<Option name="log_prefix">RULE %N -- %A </Option>
|
|
<Option name="log_tcp_opt">False</Option>
|
|
<Option name="log_tcp_seq">False</Option>
|
|
<Option name="manage_virtual_addr">True</Option>
|
|
<Option name="no_optimisation">False</Option>
|
|
<Option name="snmp_contact"/>
|
|
<Option name="snmp_description"/>
|
|
<Option name="snmp_location"/>
|
|
<Option name="ulog_cprange">0</Option>
|
|
<Option name="ulog_nlgroup">1</Option>
|
|
<Option name="ulog_qthreshold">1</Option>
|
|
<Option name="use_ULOG">False</Option>
|
|
<Option name="use_numeric_log_levels">False</Option>
|
|
<Option name="verify_interfaces">False</Option>
|
|
</FirewallOptions>
|
|
</Firewall>
|
|
<Firewall id="id3DE9128A" host_OS="linux24" lastCompiled="1272404317" lastInstalled="1142003872" lastModified="0" platform="iptables" name="firewall15" comment="Testing the &quot;Accept TCP sessions opened prior to firewall restart flag&quot; in combination with &quot;Assume firewall is part of any&quot;; both flags are OFF here" ro="False">
|
|
<NAT id="id3DE9128B" name="NAT" comment="" ro="False" ipv4_rule_set="False" ipv6_rule_set="False" top_rule_set="True">
|
|
<RuleSetOptions/>
|
|
</NAT>
|
|
<Policy id="id3DE912E0" name="Policy" comment="" ro="False" ipv4_rule_set="False" ipv6_rule_set="False" top_rule_set="True">
|
|
<PolicyRule id="id3E587D17" disabled="False" group="" log="False" position="0" action="Accept" direction="Both" comment="option 'assume firewall is part of any' is off, but this rule should go into INPUT/OUTPUT chains anyway">
|
|
<Src neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="id3E587D10"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions/>
|
|
</PolicyRule>
|
|
<PolicyRule id="id3DE912EB" disabled="False" group="" log="True" position="1" action="Deny" direction="Both" comment="">
|
|
<Src neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="stateless">True</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<RuleSetOptions/>
|
|
</Policy>
|
|
<Routing id="id3DE9128A-routing" name="Routing" comment="" ro="False" ipv4_rule_set="False" ipv6_rule_set="False" top_rule_set="True">
|
|
<RuleSetOptions/>
|
|
</Routing>
|
|
<Interface id="id3DE912F5" dedicated_failover="False" dyn="False" label="" mgmt="True" security_level="100" unnum="False" unprotected="False" name="eth0" comment="" ro="False">
|
|
<IPv4 id="id3DE912F6" name="firewall12" comment="" ro="False" address="22.22.22.22" netmask="255.255.255.0"/>
|
|
<InterfaceOptions/>
|
|
</Interface>
|
|
<Interface id="id3DE912F8" dedicated_failover="False" dyn="False" label="" mgmt="False" security_level="0" unnum="False" unprotected="False" name="eth1" comment="" ro="False">
|
|
<IPv4 id="id3DE912F9" name="firewall12" comment="" ro="False" address="22.22.23.22" netmask="255.255.255.0"/>
|
|
<InterfaceOptions/>
|
|
</Interface>
|
|
<Interface id="id3E587D10" dedicated_failover="False" dyn="False" label="" mgmt="False" security_level="0" unnum="False" unprotected="False" name="lo" comment="" ro="False">
|
|
<IPv4 id="id3E587D14" name="firewall15:lo(ip)" comment="" ro="False" address="127.0.0.1" netmask="255.0.0.0"/>
|
|
<InterfaceOptions/>
|
|
</Interface>
|
|
<Management address="22.22.22.22">
|
|
<SNMPManagement enabled="False" snmp_read_community="" snmp_write_community=""/>
|
|
<FWBDManagement enabled="True" identity="" port="9999"/>
|
|
<PolicyInstallScript arguments="" command="" enabled="False"/>
|
|
</Management>
|
|
<FirewallOptions>
|
|
<Option name="accept_established">True</Option>
|
|
<Option name="accept_new_tcp_with_no_syn">False</Option>
|
|
<Option name="action_on_reject">ICMP host prohibited</Option>
|
|
<Option name="bridging_fw">False</Option>
|
|
<Option name="check_shading">False</Option>
|
|
<Option name="clamp_mss_to_mtu">False</Option>
|
|
<Option name="cmdline"/>
|
|
<Option name="compiler"/>
|
|
<Option name="configure_interfaces">True</Option>
|
|
<Option name="debug">False</Option>
|
|
<Option name="firewall_is_part_of_any_and_networks">False</Option>
|
|
<Option name="ignore_empty_groups">False</Option>
|
|
<Option name="limit_suffix"/>
|
|
<Option name="limit_value">0</Option>
|
|
<Option name="linux24_accept_redirects"/>
|
|
<Option name="linux24_accept_source_route"/>
|
|
<Option name="linux24_icmp_echo_ignore_all"/>
|
|
<Option name="linux24_icmp_echo_ignore_broadcasts"/>
|
|
<Option name="linux24_icmp_ignore_bogus_error_responses"/>
|
|
<Option name="linux24_ip_dynaddr"/>
|
|
<Option name="linux24_ip_forward"/>
|
|
<Option name="linux24_log_martians"/>
|
|
<Option name="linux24_path_ip"/>
|
|
<Option name="linux24_path_iptables"/>
|
|
<Option name="linux24_path_logger"/>
|
|
<Option name="linux24_path_lsmod"/>
|
|
<Option name="linux24_path_modprobe"/>
|
|
<Option name="linux24_rp_filter"/>
|
|
<Option name="linux24_tcp_ecn"/>
|
|
<Option name="linux24_tcp_fack"/>
|
|
<Option name="linux24_tcp_fin_timeout">30</Option>
|
|
<Option name="linux24_tcp_keepalive_interval">1800</Option>
|
|
<Option name="linux24_tcp_sack"/>
|
|
<Option name="linux24_tcp_syncookies"/>
|
|
<Option name="linux24_tcp_timestamps"/>
|
|
<Option name="linux24_tcp_window_scaling"/>
|
|
<Option name="load_modules">True</Option>
|
|
<Option name="local_nat">False</Option>
|
|
<Option name="log_all">False</Option>
|
|
<Option name="log_all_dropped">False</Option>
|
|
<Option name="log_ip_opt">False</Option>
|
|
<Option name="log_level">info</Option>
|
|
<Option name="log_prefix">RULE %N -- %A </Option>
|
|
<Option name="log_tcp_opt">False</Option>
|
|
<Option name="log_tcp_seq">False</Option>
|
|
<Option name="manage_virtual_addr">True</Option>
|
|
<Option name="no_optimisation">False</Option>
|
|
<Option name="snmp_contact"/>
|
|
<Option name="snmp_description"/>
|
|
<Option name="snmp_location"/>
|
|
<Option name="ulog_cprange">0</Option>
|
|
<Option name="ulog_nlgroup">1</Option>
|
|
<Option name="ulog_qthreshold">1</Option>
|
|
<Option name="use_ULOG">False</Option>
|
|
<Option name="use_numeric_log_levels">False</Option>
|
|
<Option name="verify_interfaces">False</Option>
|
|
</FirewallOptions>
|
|
</Firewall>
|
|
<Firewall id="id3E189481" host_OS="linux24" lastCompiled="1272404320" lastInstalled="1142003872" lastModified="0" platform="iptables" version="" name="firewall16" comment="Testing translation from outside to the web server on the DMZ; need to see what happens if clients on the internal net connect to the NATted address of this server. This is a kind of &quot;NAT back to the same subnet&quot; with a twist. This firewall also has the option &quot;local NAT&quot; enabled. NAT rules 0,2-7 should generate code in the OUTPUT and POSTROUTING chains." ro="False">
|
|
<NAT id="id3E189482" name="NAT" comment="" ro="False" ipv4_rule_set="False" ipv6_rule_set="False" top_rule_set="True">
|
|
<NATRule id="id3E189483" disabled="False" group="" position="0" action="Translate" comment="Should generate code in both the PREROUTING and OUTPUT chains because the option &quot;local NAT&quot; is enabled">
|
|
<OSrc neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</OSrc>
|
|
<ODst neg="False">
|
|
<ObjectRef ref="id3E189481"/>
|
|
</ODst>
|
|
<OSrv neg="False">
|
|
<ServiceRef ref="tcp-HTTP"/>
|
|
</OSrv>
|
|
<TSrc neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</TSrc>
|
|
<TDst neg="False">
|
|
<ObjectRef ref="id3D151943"/>
|
|
</TDst>
|
|
<TSrv neg="False">
|
|
<ServiceRef ref="tcp-HTTP"/>
|
|
</TSrv>
|
|
<ItfInb neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ItfInb>
|
|
<ItfOutb neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ItfOutb>
|
|
<NATRuleOptions/>
|
|
</NATRule>
|
|
<NATRule id="id3E189491" disabled="False" group="" position="1" action="Translate" comment="">
|
|
<OSrc neg="False">
|
|
<ObjectRef ref="net-Internal_net"/>
|
|
</OSrc>
|
|
<ODst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ODst>
|
|
<OSrv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</OSrv>
|
|
<TSrc neg="False">
|
|
<ObjectRef ref="id3E189481"/>
|
|
</TSrc>
|
|
<TDst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</TDst>
|
|
<TSrv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</TSrv>
|
|
<ItfInb neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ItfInb>
|
|
<ItfOutb neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ItfOutb>
|
|
<NATRuleOptions/>
|
|
</NATRule>
|
|
<NATRule id="id3E6988D3" disabled="False" group="" position="2" action="Translate" comment="">
|
|
<OSrc neg="False">
|
|
<ObjectRef ref="id3E189481"/>
|
|
</OSrc>
|
|
<ODst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ODst>
|
|
<OSrv neg="False">
|
|
<ServiceRef ref="id3DDDE4E4"/>
|
|
</OSrv>
|
|
<TSrc neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</TSrc>
|
|
<TDst neg="False">
|
|
<ObjectRef ref="host-hostA"/>
|
|
</TDst>
|
|
<TSrv neg="False">
|
|
<ServiceRef ref="id3B5009F7"/>
|
|
</TSrv>
|
|
<ItfInb neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ItfInb>
|
|
<ItfOutb neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ItfOutb>
|
|
<NATRuleOptions/>
|
|
</NATRule>
|
|
<NATRule id="id418A3247" disabled="False" group="" position="3" action="Translate" comment="">
|
|
<OSrc neg="False">
|
|
<ObjectRef ref="id3E189481"/>
|
|
<ObjectRef ref="net-Internal_net"/>
|
|
</OSrc>
|
|
<ODst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ODst>
|
|
<OSrv neg="False">
|
|
<ServiceRef ref="id3DDDE4E4"/>
|
|
</OSrv>
|
|
<TSrc neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</TSrc>
|
|
<TDst neg="False">
|
|
<ObjectRef ref="host-hostA"/>
|
|
</TDst>
|
|
<TSrv neg="False">
|
|
<ServiceRef ref="id3B5009F7"/>
|
|
</TSrv>
|
|
<ItfInb neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ItfInb>
|
|
<ItfOutb neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ItfOutb>
|
|
<NATRuleOptions/>
|
|
</NATRule>
|
|
<NATRule id="id4188B45D" disabled="False" group="" position="4" action="Translate" comment="">
|
|
<OSrc neg="False">
|
|
<ObjectRef ref="id3E1894ED"/>
|
|
</OSrc>
|
|
<ODst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ODst>
|
|
<OSrv neg="False">
|
|
<ServiceRef ref="id3DDDE4E4"/>
|
|
</OSrv>
|
|
<TSrc neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</TSrc>
|
|
<TDst neg="False">
|
|
<ObjectRef ref="host-hostA"/>
|
|
</TDst>
|
|
<TSrv neg="False">
|
|
<ServiceRef ref="id3B5009F7"/>
|
|
</TSrv>
|
|
<ItfInb neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ItfInb>
|
|
<ItfOutb neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ItfOutb>
|
|
<NATRuleOptions/>
|
|
</NATRule>
|
|
<NATRule id="id4188B514" disabled="False" group="" position="5" action="Translate" comment="">
|
|
<OSrc neg="False">
|
|
<ObjectRef ref="id3E1894EE"/>
|
|
</OSrc>
|
|
<ODst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ODst>
|
|
<OSrv neg="False">
|
|
<ServiceRef ref="id3DDDE4E4"/>
|
|
</OSrv>
|
|
<TSrc neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</TSrc>
|
|
<TDst neg="False">
|
|
<ObjectRef ref="host-hostA"/>
|
|
</TDst>
|
|
<TSrv neg="False">
|
|
<ServiceRef ref="id3B5009F7"/>
|
|
</TSrv>
|
|
<ItfInb neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ItfInb>
|
|
<ItfOutb neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ItfOutb>
|
|
<NATRuleOptions/>
|
|
</NATRule>
|
|
<NATRule id="id4188D4D7" disabled="False" group="" position="6" action="Translate" comment="">
|
|
<OSrc neg="False">
|
|
<ObjectRef ref="id3E189481"/>
|
|
</OSrc>
|
|
<ODst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ODst>
|
|
<OSrv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</OSrv>
|
|
<TSrc neg="False">
|
|
<ObjectRef ref="id3E1894E9"/>
|
|
</TSrc>
|
|
<TDst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</TDst>
|
|
<TSrv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</TSrv>
|
|
<ItfInb neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ItfInb>
|
|
<ItfOutb neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ItfOutb>
|
|
<NATRuleOptions/>
|
|
</NATRule>
|
|
<NATRule id="id418A524D" disabled="False" group="" position="7" action="Translate" comment="">
|
|
<OSrc neg="False">
|
|
<ObjectRef ref="id3E189481"/>
|
|
<ObjectRef ref="net-Internal_net"/>
|
|
</OSrc>
|
|
<ODst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ODst>
|
|
<OSrv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</OSrv>
|
|
<TSrc neg="False">
|
|
<ObjectRef ref="id3E1894E9"/>
|
|
</TSrc>
|
|
<TDst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</TDst>
|
|
<TSrv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</TSrv>
|
|
<ItfInb neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ItfInb>
|
|
<ItfOutb neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ItfOutb>
|
|
<NATRuleOptions/>
|
|
</NATRule>
|
|
<NATRule id="id41860063" disabled="False" group="" position="8" action="Translate" comment="">
|
|
<OSrc neg="False">
|
|
<ObjectRef ref="id3E1894ED"/>
|
|
</OSrc>
|
|
<ODst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ODst>
|
|
<OSrv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</OSrv>
|
|
<TSrc neg="False">
|
|
<ObjectRef ref="id3E1894E9"/>
|
|
</TSrc>
|
|
<TDst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</TDst>
|
|
<TSrv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</TSrv>
|
|
<ItfInb neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ItfInb>
|
|
<ItfOutb neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ItfOutb>
|
|
<NATRuleOptions/>
|
|
</NATRule>
|
|
<NATRule id="id41873ACE" disabled="False" group="" position="9" action="Translate" comment="">
|
|
<OSrc neg="False">
|
|
<ObjectRef ref="id3E1894EE"/>
|
|
</OSrc>
|
|
<ODst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ODst>
|
|
<OSrv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</OSrv>
|
|
<TSrc neg="False">
|
|
<ObjectRef ref="id3E1894EA"/>
|
|
</TSrc>
|
|
<TDst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</TDst>
|
|
<TSrv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</TSrv>
|
|
<ItfInb neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ItfInb>
|
|
<ItfOutb neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ItfOutb>
|
|
<NATRuleOptions/>
|
|
</NATRule>
|
|
<NATRule id="id418933C7" disabled="False" group="" position="10" action="Translate" comment="">
|
|
<OSrc neg="False">
|
|
<ObjectRef ref="id3E189481"/>
|
|
</OSrc>
|
|
<ODst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ODst>
|
|
<OSrv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</OSrv>
|
|
<TSrc neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</TSrc>
|
|
<TDst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</TDst>
|
|
<TSrv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</TSrv>
|
|
<ItfInb neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ItfInb>
|
|
<ItfOutb neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ItfOutb>
|
|
<NATRuleOptions/>
|
|
</NATRule>
|
|
<NATRule id="id418A527D" disabled="False" group="" position="11" action="Translate" comment="">
|
|
<OSrc neg="False">
|
|
<ObjectRef ref="id3E189481"/>
|
|
<ObjectRef ref="net-Internal_net"/>
|
|
</OSrc>
|
|
<ODst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ODst>
|
|
<OSrv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</OSrv>
|
|
<TSrc neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</TSrc>
|
|
<TDst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</TDst>
|
|
<TSrv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</TSrv>
|
|
<ItfInb neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ItfInb>
|
|
<ItfOutb neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ItfOutb>
|
|
<NATRuleOptions/>
|
|
</NATRule>
|
|
<NATRule id="id418933E4" disabled="False" group="" position="12" action="Translate" comment="">
|
|
<OSrc neg="False">
|
|
<ObjectRef ref="id3E1894ED"/>
|
|
</OSrc>
|
|
<ODst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ODst>
|
|
<OSrv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</OSrv>
|
|
<TSrc neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</TSrc>
|
|
<TDst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</TDst>
|
|
<TSrv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</TSrv>
|
|
<ItfInb neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ItfInb>
|
|
<ItfOutb neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ItfOutb>
|
|
<NATRuleOptions/>
|
|
</NATRule>
|
|
<NATRule id="id418933D6" disabled="False" group="" position="13" action="Translate" comment="">
|
|
<OSrc neg="False">
|
|
<ObjectRef ref="id3E1894EE"/>
|
|
</OSrc>
|
|
<ODst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ODst>
|
|
<OSrv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</OSrv>
|
|
<TSrc neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</TSrc>
|
|
<TDst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</TDst>
|
|
<TSrv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</TSrv>
|
|
<ItfInb neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ItfInb>
|
|
<ItfOutb neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ItfOutb>
|
|
<NATRuleOptions/>
|
|
</NATRule>
|
|
<RuleSetOptions/>
|
|
</NAT>
|
|
<Policy id="id3E1894E5" name="Policy" comment="" ro="False" ipv4_rule_set="False" ipv6_rule_set="False" top_rule_set="True">
|
|
<PolicyRule id="id3E1896E1" disabled="False" group="" log="False" position="0" action="Accept" direction="Both" comment="">
|
|
<Src neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="id3D151943"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="tcp-HTTP"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions/>
|
|
</PolicyRule>
|
|
<PolicyRule id="id3E1896D7" disabled="False" group="" log="True" position="1" action="Deny" direction="Both" comment="">
|
|
<!-- Catch-all rule for firewall16: any source, any destination, any service, any interface, any time (sysid0 / sysid1 / sysid2 are the "Any" objects of the Standard library), both directions, action Deny with logging on. -->
<Src neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<!-- stateless: presumably the rule is emitted without connection-state matching so it sees every packet, not only new connections; confirm against the iptables compiler -->
<Option name="stateless">True</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<RuleSetOptions/>
|
|
</Policy>
|
|
<Routing id="id3E189481-routing" name="Routing" comment="" ro="False" ipv4_rule_set="False" ipv6_rule_set="False" top_rule_set="True">
|
|
<RuleSetOptions/>
|
|
</Routing>
|
|
<Interface id="id3E1894E6" dedicated_failover="False" dyn="False" label="" mgmt="True" security_level="100" unnum="False" unprotected="False" name="eth0" comment="" ro="False">
|
|
<IPv4 id="id3E1894E7" name="firewall16:eth0:ip" comment="" ro="False" address="192.168.1.22" netmask="255.255.255.0"/>
|
|
<InterfaceOptions/>
|
|
</Interface>
|
|
<Interface id="id3E1894E9" dedicated_failover="False" dyn="False" label="eth1(outside)" mgmt="False" security_level="0" unnum="False" unprotected="False" name="eth1" comment="" ro="False">
|
|
<IPv4 id="id3E1894EA" name="firewall16:eth1:ip" comment="" ro="False" address="22.22.23.22" netmask="255.255.255.0"/>
|
|
<InterfaceOptions/>
|
|
</Interface>
|
|
<Interface id="id3E1894ED" dedicated_failover="False" dyn="False" label="eth2(dmz)" mgmt="False" security_level="0" unnum="False" unprotected="False" name="eth2" comment="" ro="False">
|
|
<IPv4 id="id3E1894EE" name="firewall16:eth2:ip" comment="this interface is on the subnet that overlaps with eth1" ro="False" address="192.168.2.1" netmask="255.255.255.0"/>
|
|
<InterfaceOptions/>
|
|
</Interface>
|
|
<Management address="192.168.1.22">
|
|
<!-- Management settings for firewall16 (address matches the eth0 address object above). -->
<!-- SNMP management is disabled and both community strings are empty. -->
<SNMPManagement enabled="False" snmp_read_community="" snmp_write_community=""/>
|
|
<!-- fwbuilder daemon management is enabled on port 9999 with no identity set. -->
<FWBDManagement enabled="True" identity="" port="9999"/>
|
|
<!-- no external policy-install script is configured -->
<PolicyInstallScript arguments="" command="" enabled="False"/>
|
|
</Management>
|
|
<FirewallOptions>
|
|
<Option name="accept_established">True</Option>
|
|
<Option name="accept_new_tcp_with_no_syn">True</Option>
|
|
<Option name="action_on_reject">ICMP host prohibited</Option>
|
|
<Option name="activationCmd"/>
|
|
<Option name="admUser"/>
|
|
<Option name="altAddress"/>
|
|
<Option name="bridging_fw">False</Option>
|
|
<Option name="check_shading">False</Option>
|
|
<Option name="clamp_mss_to_mtu">False</Option>
|
|
<Option name="cmdline"/>
|
|
<Option name="compiler"/>
|
|
<Option name="configure_interfaces">True</Option>
|
|
<Option name="debug">False</Option>
|
|
<Option name="drop_invalid">False</Option>
|
|
<Option name="epilog_script"/>
|
|
<Option name="firewall_dir"/>
|
|
<Option name="firewall_is_part_of_any_and_networks">True</Option>
|
|
<Option name="ignore_empty_groups">True</Option>
|
|
<Option name="limit_suffix"/>
|
|
<Option name="limit_value">0</Option>
|
|
<Option name="linux24_accept_redirects"/>
|
|
<Option name="linux24_accept_source_route"/>
|
|
<Option name="linux24_icmp_echo_ignore_all"/>
|
|
<Option name="linux24_icmp_echo_ignore_broadcasts"/>
|
|
<Option name="linux24_icmp_ignore_bogus_error_responses"/>
|
|
<Option name="linux24_ip_dynaddr"/>
|
|
<Option name="linux24_ip_forward"/>
|
|
<Option name="linux24_log_martians"/>
|
|
<Option name="linux24_path_ip"/>
|
|
<Option name="linux24_path_iptables"/>
|
|
<Option name="linux24_path_logger"/>
|
|
<Option name="linux24_path_lsmod"/>
|
|
<Option name="linux24_path_modprobe"/>
|
|
<Option name="linux24_rp_filter"/>
|
|
<Option name="linux24_tcp_ecn"/>
|
|
<Option name="linux24_tcp_fack"/>
|
|
<Option name="linux24_tcp_fin_timeout">30</Option>
|
|
<Option name="linux24_tcp_keepalive_interval">1800</Option>
|
|
<Option name="linux24_tcp_sack"/>
|
|
<Option name="linux24_tcp_syncookies"/>
|
|
<Option name="linux24_tcp_timestamps"/>
|
|
<Option name="linux24_tcp_window_scaling"/>
|
|
<Option name="load_modules">True</Option>
|
|
<Option name="local_nat">True</Option>
|
|
<Option name="log_all">False</Option>
|
|
<Option name="log_all_dropped">False</Option>
|
|
<Option name="log_invalid">False</Option>
|
|
<Option name="log_ip_opt">False</Option>
|
|
<Option name="log_level">info</Option>
|
|
<Option name="log_prefix">RULE %N -- %A </Option>
|
|
<Option name="log_tcp_opt">False</Option>
|
|
<Option name="log_tcp_seq">False</Option>
|
|
<Option name="manage_virtual_addr">True</Option>
|
|
<Option name="mgmt_addr"/>
|
|
<Option name="mgmt_ssh">False</Option>
|
|
<Option name="no_optimisation">False</Option>
|
|
<Option name="output_file"/>
|
|
<Option name="prolog_place">top</Option>
|
|
<Option name="prolog_script"/>
|
|
<Option name="snmp_contact"/>
|
|
<Option name="snmp_description"/>
|
|
<Option name="snmp_location"/>
|
|
<Option name="ulog_cprange">0</Option>
|
|
<Option name="ulog_nlgroup">1</Option>
|
|
<Option name="ulog_qthreshold">1</Option>
|
|
<Option name="use_ULOG">False</Option>
|
|
<Option name="use_iptables_restore">False</Option>
|
|
<Option name="use_numeric_log_levels">False</Option>
|
|
<Option name="verify_interfaces">False</Option>
|
|
</FirewallOptions>
|
|
</Firewall>
|
|
<Firewall id="id3E1C6B9C" host_OS="linux24" lastCompiled="1272404323" lastInstalled="1142003872" lastModified="0" platform="iptables" name="firewall17" comment="doing SNAT with virtual addresses of two external interfaces" ro="False">
|
|
<NAT id="id3E1C6B9D" name="NAT" comment="" ro="False" ipv4_rule_set="False" ipv6_rule_set="False" top_rule_set="True">
|
|
<NATRule id="id3E1C6B9E" disabled="False" group="" position="0" action="Translate" comment="compiler should add &quot;-o eth2&quot;">
|
|
<OSrc neg="False">
|
|
<ObjectRef ref="net-Internal_net"/>
|
|
</OSrc>
|
|
<ODst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ODst>
|
|
<OSrv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</OSrv>
|
|
<TSrc neg="False">
|
|
<ObjectRef ref="id3E1C6BFB"/>
|
|
</TSrc>
|
|
<TDst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</TDst>
|
|
<TSrv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</TSrv>
|
|
<ItfInb neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ItfInb>
|
|
<ItfOutb neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ItfOutb>
|
|
<NATRuleOptions/>
|
|
</NATRule>
|
|
<NATRule id="id3E1C6D1F" disabled="False" group="" position="1" action="Translate" comment="compiler should add &quot;-o eth2&quot;">
|
|
<OSrc neg="False">
|
|
<ObjectRef ref="net-Internal_net"/>
|
|
</OSrc>
|
|
<ODst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ODst>
|
|
<OSrv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</OSrv>
|
|
<TSrc neg="False">
|
|
<ObjectRef ref="id3E1C6BFC"/>
|
|
</TSrc>
|
|
<TDst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</TDst>
|
|
<TSrv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</TSrv>
|
|
<ItfInb neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ItfInb>
|
|
<ItfOutb neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ItfOutb>
|
|
<NATRuleOptions/>
|
|
</NATRule>
|
|
<RuleSetOptions/>
|
|
</NAT>
|
|
<Policy id="id3E1C6BC8" name="Policy" comment="" ro="False" ipv4_rule_set="False" ipv6_rule_set="False" top_rule_set="True">
|
|
<PolicyRule id="id3E1C6BE3" disabled="False" group="" log="True" position="0" action="Deny" direction="Inbound" comment="">
|
|
<Src neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Src>
|
|
<Dst neg="True">
|
|
<ObjectRef ref="id3E1C6B9C"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="id3E1C6BE0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="stateless">True</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<PolicyRule id="id3E5F1263" disabled="False" group="" log="False" position="1" action="Accounting" direction="Both" comment="">
|
|
<Src neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="action_on_reject"/>
|
|
<Option name="firewall_is_part_of_any_and_networks">False</Option>
|
|
<Option name="limit_burst">0</Option>
|
|
<Option name="limit_suffix"/>
|
|
<Option name="limit_value">0</Option>
|
|
<Option name="log_level"/>
|
|
<Option name="log_prefix"/>
|
|
<Option name="rule_name_accounting">rule0acct</Option>
|
|
<Option name="stateless">True</Option>
|
|
<Option name="ulog_nlgroup">1</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<PolicyRule id="id3E5F126D" disabled="False" group="" log="True" position="2" action="Accounting" direction="Both" comment="">
|
|
<Src neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="action_on_reject"/>
|
|
<Option name="firewall_is_part_of_any_and_networks">False</Option>
|
|
<Option name="limit_burst">0</Option>
|
|
<Option name="limit_suffix"/>
|
|
<Option name="limit_value">0</Option>
|
|
<Option name="log_level"/>
|
|
<Option name="log_prefix"/>
|
|
<Option name="rule_name_accounting">rule1acct</Option>
|
|
<Option name="stateless">True</Option>
|
|
<Option name="ulog_nlgroup">1</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<PolicyRule id="id41FE52C8" disabled="False" group="" log="True" position="3" action="Accounting" direction="Both" comment="">
|
|
<Src neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="action_on_reject"/>
|
|
<Option name="firewall_is_part_of_any_and_networks"/>
|
|
<Option name="limit_burst">0</Option>
|
|
<Option name="limit_suffix"/>
|
|
<Option name="limit_value">0</Option>
|
|
<Option name="log_level"/>
|
|
<Option name="log_prefix"/>
|
|
<Option name="rule_name_accounting"/>
|
|
<Option name="stateless">True</Option>
|
|
<Option name="ulog_nlgroup">1</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<PolicyRule id="id41FA23E1" disabled="False" group="" log="False" position="4" action="Accounting" direction="Both" comment="">
|
|
<Src neg="False">
|
|
<ObjectRef ref="id3CD87A53"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="id3D151943"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="tcp-SSH"/>
|
|
<ServiceRef ref="id3CE719F3"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="stateless">True</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<PolicyRule id="id3E1C6BC9" disabled="False" group="" log="True" position="5" action="Deny" direction="Both" comment="">
|
|
<Src neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Src>
|
|
<Dst neg="True">
|
|
<ObjectRef ref="id3E1C6B9C"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="stateless">True</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<PolicyRule id="id3E1C6C13" disabled="False" group="" log="False" position="6" action="Accept" direction="Both" comment="">
|
|
<Src neg="False">
|
|
<ObjectRef ref="net-Internal_net"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions/>
|
|
</PolicyRule>
|
|
<RuleSetOptions/>
|
|
</Policy>
|
|
<Routing id="id3E1C6B9C-routing" name="Routing" comment="" ro="False" ipv4_rule_set="False" ipv6_rule_set="False" top_rule_set="True">
|
|
<RuleSetOptions/>
|
|
</Routing>
|
|
<Interface id="id3E1C6BDD" dedicated_failover="False" dyn="False" label="" mgmt="True" security_level="100" unnum="False" unprotected="False" name="eth0" comment="" ro="False">
|
|
<IPv4 id="id3E1C6BDE" name="address" comment="" ro="False" address="192.168.1.1" netmask="255.255.255.0"/>
|
|
<InterfaceOptions/>
|
|
</Interface>
|
|
<Interface id="id3E1C6BE0" dedicated_failover="False" dyn="False" security_level="0" unnum="False" unprotected="False" name="eth1" comment="" ro="False">
|
|
<!-- eth1 of firewall17, security_level 0 (presumably the external side; confirm). It carries two address objects: the one named "address" (22.22.22.22/24) and a second one, id3E1C6BFB (33.33.33.33/24), which NAT rule id3E1C6B9E above uses as its translated source. This interface is also the Itf of the inbound deny rule id3E1C6BE3. -->
<IPv4 id="id3E1C6BE1" name="address" comment="" ro="False" address="22.22.22.22" netmask="255.255.255.0"/>
|
|
<IPv4 id="id3E1C6BFB" name="firewall17:eth1(ip)" comment="" ro="False" address="33.33.33.33" netmask="255.255.255.0"/>
|
|
<InterfaceOptions/>
|
|
</Interface>
|
|
<Interface id="id3E1C6BEB" dedicated_failover="False" dyn="False" security_level="100" unnum="False" unprotected="False" name="eth2" comment="" ro="False">
|
|
<IPv4 id="id3E1C6BEC" name="address" comment="" ro="False" address="192.168.2.1" netmask="255.255.255.0"/>
|
|
<InterfaceOptions/>
|
|
</Interface>
|
|
<Interface id="id3E1C6BEE" dedicated_failover="False" dyn="False" security_level="100" unnum="False" unprotected="False" name="lo" comment="" ro="False">
|
|
<IPv4 id="id3E1C6BEF" name="address" comment="" ro="False" address="127.0.0.1" netmask="255.0.0.0"/>
|
|
<InterfaceOptions/>
|
|
</Interface>
|
|
<Interface id="id3E1C6BF1" dedicated_failover="False" dyn="False" security_level="0" unnum="False" unprotected="False" name="eth3" comment="" ro="False">
|
|
<!-- eth3 of firewall17, security_level 0 like eth1. Two address objects: "address" (22.22.23.23/24) and id3E1C6BFC (44.44.44.44/24); the latter is the translated source of NAT rule id3E1C6D1F above. -->
<IPv4 id="id3E1C6BF2" name="address" comment="" ro="False" address="22.22.23.23" netmask="255.255.255.0"/>
|
|
<IPv4 id="id3E1C6BFC" name="firewall17:eth3(ip)" comment="" ro="False" address="44.44.44.44" netmask="255.255.255.0"/>
|
|
<InterfaceOptions/>
|
|
</Interface>
|
|
<Management address="192.168.1.1">
|
|
<!-- Management settings for firewall17 (address matches the eth0 address object above). -->
<!-- NOTE(review): SNMP management is disabled, yet snmp_read_community still holds the well-known default "public". Clearing it keeps a default community string from lingering in the object file should SNMP be enabled later. -->
<SNMPManagement enabled="False" snmp_read_community="public" snmp_write_community=""/>
|
|
<!-- fwbuilder daemon management is enabled on port 9999 with no identity set. -->
<FWBDManagement enabled="True" identity="" port="9999"/>
|
|
<!-- no external policy-install script is configured -->
<PolicyInstallScript arguments="" command="" enabled="False"/>
|
|
</Management>
|
|
<FirewallOptions>
|
|
<!-- Compiler and installer options for firewall17 (platform iptables, host_OS linux24). Empty-valued options are left unset in this fixture; what the generated script does for an unset option is decided by the compiler, not by this file. -->
<Option name="accept_established">True</Option>
|
|
<!-- NOTE(review): the option name indicates that TCP packets without SYN may be accepted as new connections, which relaxes state tracking. Fine for a compiler test fixture; confirm before reusing these options as a template. -->
<Option name="accept_new_tcp_with_no_syn">True</Option>
|
|
<!-- rejected packets are answered with ICMP net unreachable -->
<Option name="action_on_reject">ICMP net unreachable</Option>
|
|
<Option name="bridging_fw">False</Option>
|
|
<!-- rule shading checks are switched off for this firewall -->
<Option name="check_shading">False</Option>
|
|
<Option name="clamp_mss_to_mtu">False</Option>
|
|
<Option name="cmdline"/>
|
|
<Option name="compiler"/>
|
|
<Option name="configure_interfaces">True</Option>
|
|
<Option name="debug">False</Option>
|
|
<Option name="dyn_addr">False</Option>
|
|
<Option name="firewall_is_part_of_any">True</Option>
|
|
<Option name="firewall_is_part_of_any_and_networks">True</Option>
|
|
<Option name="ignore_empty_groups">False</Option>
|
|
<Option name="inst_cmdline"/>
|
|
<Option name="inst_script"/>
|
|
<Option name="install_script"/>
|
|
<Option name="limit_suffix">/day</Option>
|
|
<Option name="limit_value">0</Option>
|
|
<!-- The linux24_* kernel settings below (accept_redirects, accept_source_route, rp_filter, syncookies, log_martians, ip_forward, ...) are all left empty, i.e. this fixture does not manage those sysctls; presumably the kernel defaults stay in effect. -->
<Option name="linux24_accept_redirects"/>
|
|
<Option name="linux24_accept_source_route"/>
|
|
<Option name="linux24_icmp_echo_ignore_all"/>
|
|
<Option name="linux24_icmp_echo_ignore_broadcasts"/>
|
|
<Option name="linux24_icmp_ignore_bogus_error_responses"/>
|
|
<Option name="linux24_ip_dynaddr"/>
|
|
<Option name="linux24_ip_forward"/>
|
|
<Option name="linux24_log_martians"/>
|
|
<!-- tool paths are empty: the compiler's defaults apply -->
<Option name="linux24_path_ip"/>
|
|
<Option name="linux24_path_iptables"/>
|
|
<Option name="linux24_path_logger"/>
|
|
<Option name="linux24_path_lsmod"/>
|
|
<Option name="linux24_path_modprobe"/>
|
|
<Option name="linux24_rp_filter"/>
|
|
<Option name="linux24_tcp_ecn"/>
|
|
<Option name="linux24_tcp_fack"/>
|
|
<Option name="linux24_tcp_fin_timeout">30</Option>
|
|
<Option name="linux24_tcp_keepalive_interval">1800</Option>
|
|
<Option name="linux24_tcp_sack"/>
|
|
<Option name="linux24_tcp_syncookies"/>
|
|
<Option name="linux24_tcp_timestamps"/>
|
|
<Option name="linux24_tcp_window_scaling"/>
|
|
<Option name="load_modules">False</Option>
|
|
<Option name="local_nat">False</Option>
|
|
<Option name="log_all">False</Option>
|
|
<Option name="log_all_dropped">False</Option>
|
|
<Option name="log_ip_opt">False</Option>
|
|
<!-- NOTE(review): log level "debug" together with log_limit_value 0 (presumably "no limit") is noisy on a real deployment; acceptable for a test fixture. -->
<Option name="log_level">debug</Option>
|
|
<Option name="log_limit_suffix">/second</Option>
|
|
<Option name="log_limit_value">0</Option>
|
|
<!-- log prefix template; %N, %A and %I are placeholders substituted by the compiler -->
<Option name="log_prefix">RULE %N -- %A on interface %I </Option>
|
|
<Option name="log_tcp_opt">False</Option>
|
|
<Option name="log_tcp_seq">False</Option>
|
|
<!-- presumably what lets the generated script configure the extra addresses on eth1 and eth3 (33.33.33.33, 44.44.44.44) that the NAT rules translate to; confirm against the compiler -->
<Option name="manage_virtual_addr">True</Option>
|
|
<Option name="no_iochains_for_any">False</Option>
|
|
<Option name="no_optimisation">False</Option>
|
|
<Option name="platform">iptables</Option>
|
|
<Option name="proxy_arp">False</Option>
|
|
<Option name="script_env_path"/>
|
|
<Option name="snmp_contact"/>
|
|
<Option name="snmp_description"/>
|
|
<Option name="snmp_location"/>
|
|
<!-- ULOG parameters are present but use_ULOG is False, so they are inert here -->
<Option name="ulog_cprange">0</Option>
|
|
<Option name="ulog_nlgroup">1</Option>
|
|
<Option name="ulog_qthreshold">1</Option>
|
|
<Option name="use_ULOG">False</Option>
|
|
<Option name="use_ip_tool">False</Option>
|
|
<Option name="use_numeric_log_levels">False</Option>
|
|
<Option name="verify_interfaces">False</Option>
|
|
</FirewallOptions>
|
|
</Firewall>
|
|
<Firewall id="id3EE4CB81" host_OS="linux24" lastCompiled="1272404326" lastInstalled="1142003872" lastModified="1142003885" platform="iptables" version="" name="firewall18" comment="this firewall translates outgoing connections using the address of the particular interface (not the external one). Also testing different combinations of objects in the policy rules on the loopback interface. Finally, testing for a situation when a dynamic interface &quot;shades&quot; a rule with old broadcast" ro="False">
|
|
<NAT id="id3EE4CB85" name="NAT" comment="" ro="False" ipv4_rule_set="False" ipv6_rule_set="False" top_rule_set="True">
|
|
<NATRule id="id3EE4CB98" disabled="False" group="" position="0" action="Translate" comment="">
|
|
<OSrc neg="False">
|
|
<ObjectRef ref="id3EE4CB81"/>
|
|
</OSrc>
|
|
<ODst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ODst>
|
|
<OSrv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</OSrv>
|
|
<TSrc neg="False">
|
|
<ObjectRef ref="id3EE4CB8E"/>
|
|
</TSrc>
|
|
<TDst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</TDst>
|
|
<TSrv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</TSrv>
|
|
<ItfInb neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ItfInb>
|
|
<ItfOutb neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ItfOutb>
|
|
<NATRuleOptions/>
|
|
</NATRule>
|
|
<NATRule id="id3EE4CBC6" disabled="False" group="" position="1" action="Translate" comment="">
|
|
<OSrc neg="False">
|
|
<ObjectRef ref="id3EE4CB81"/>
|
|
</OSrc>
|
|
<ODst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ODst>
|
|
<OSrv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</OSrv>
|
|
<TSrc neg="False">
|
|
<ObjectRef ref="id3EE4CB90"/>
|
|
</TSrc>
|
|
<TDst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</TDst>
|
|
<TSrv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</TSrv>
|
|
<ItfInb neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ItfInb>
|
|
<ItfOutb neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ItfOutb>
|
|
<NATRuleOptions/>
|
|
</NATRule>
|
|
<NATRule id="id3EE4CBF2" disabled="False" group="" position="2" action="Translate" comment="">
|
|
<OSrc neg="False">
|
|
<ObjectRef ref="net-Internal_net"/>
|
|
</OSrc>
|
|
<ODst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ODst>
|
|
<OSrv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</OSrv>
|
|
<TSrc neg="False">
|
|
<ObjectRef ref="id3EE4CB8E"/>
|
|
</TSrc>
|
|
<TDst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</TDst>
|
|
<TSrv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</TSrv>
|
|
<ItfInb neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ItfInb>
|
|
<ItfOutb neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ItfOutb>
|
|
<NATRuleOptions/>
|
|
</NATRule>
|
|
<NATRule id="id3EE4CC1D" disabled="False" group="" position="3" action="Translate" comment="">
|
|
<OSrc neg="False">
|
|
<ObjectRef ref="net-Internal_net"/>
|
|
</OSrc>
|
|
<ODst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ODst>
|
|
<OSrv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</OSrv>
|
|
<TSrc neg="False">
|
|
<ObjectRef ref="id3EE4CB90"/>
|
|
</TSrc>
|
|
<TDst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</TDst>
|
|
<TSrv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</TSrv>
|
|
<ItfInb neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ItfInb>
|
|
<ItfOutb neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ItfOutb>
|
|
<NATRuleOptions/>
|
|
</NATRule>
|
|
<NATRule id="id3EE4CCB5" disabled="False" group="" position="4" action="Translate" comment="">
|
|
<OSrc neg="False">
|
|
<ObjectRef ref="id3EE4CB81"/>
|
|
</OSrc>
|
|
<ODst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ODst>
|
|
<OSrv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</OSrv>
|
|
<TSrc neg="False">
|
|
<ObjectRef ref="id3EE4CC6E"/>
|
|
</TSrc>
|
|
<TDst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</TDst>
|
|
<TSrv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</TSrv>
|
|
<ItfInb neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ItfInb>
|
|
<ItfOutb neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ItfOutb>
|
|
<NATRuleOptions/>
|
|
</NATRule>
|
|
<NATRule id="id3EE4CCDF" disabled="False" group="" position="5" action="Translate" comment="">
|
|
<OSrc neg="False">
|
|
<ObjectRef ref="net-Internal_net"/>
|
|
</OSrc>
|
|
<ODst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ODst>
|
|
<OSrv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</OSrv>
|
|
<TSrc neg="False">
|
|
<ObjectRef ref="id3EE4CC6E"/>
|
|
</TSrc>
|
|
<TDst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</TDst>
|
|
<TSrv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</TSrv>
|
|
<ItfInb neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ItfInb>
|
|
<ItfOutb neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ItfOutb>
|
|
<NATRuleOptions/>
|
|
</NATRule>
|
|
<NATRule id="id3EE4CEA6" disabled="False" group="" position="6" action="Translate" comment="">
|
|
<OSrc neg="False">
|
|
<ObjectRef ref="id3EE4CB88"/>
|
|
</OSrc>
|
|
<ODst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ODst>
|
|
<OSrv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</OSrv>
|
|
<TSrc neg="False">
|
|
<ObjectRef ref="id3EE4CC6E"/>
|
|
</TSrc>
|
|
<TDst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</TDst>
|
|
<TSrv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</TSrv>
|
|
<ItfInb neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ItfInb>
|
|
<ItfOutb neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ItfOutb>
|
|
<NATRuleOptions/>
|
|
</NATRule>
|
|
<RuleSetOptions/>
|
|
</NAT>
|
|
<Policy id="id3EE4CB84" name="Policy" comment="" ro="False" ipv4_rule_set="False" ipv6_rule_set="False" top_rule_set="True">
|
|
<PolicyRule id="id3EF40DDB" disabled="False" group="" log="True" position="0" action="Deny" direction="Both" comment="using address range object 255.255.255.255-255.255.255.255 ">
|
|
<Src neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="id3EF40DD0"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="id3EE4CB8B"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="stateless">True</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<PolicyRule id="id3EF7F73E" disabled="False" group="" log="False" position="1" action="Accept" direction="Both" comment="">
|
|
<Src neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="id3EE4CB91"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions/>
|
|
</PolicyRule>
|
|
<PolicyRule id="id40D15498" disabled="False" group="" log="True" position="2" action="Deny" direction="Inbound" comment="anti-spoofing rule">
|
|
<!-- Anti-spoofing: packets arriving inbound on ppp0 (Itf ref id3EE4CD4C, the dynamic interface defined further down) whose source is the firewall's own address set (Src ref id3EE4CB81 is firewall18 itself) are denied and logged, for any destination and any service. -->
<Src neg="False">
|
|
<ObjectRef ref="id3EE4CB81"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="id3EE4CD4C"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<!-- stateless: presumably compiled without connection-state matching so every packet is checked, which is what an anti-spoofing rule needs; confirm against the iptables compiler -->
<Option name="stateless">True</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<PolicyRule id="id40D154A6" disabled="False" group="" log="False" position="3" action="Accept" direction="Inbound" comment="but old broadcast is permitted">
|
|
<!-- Accepts inbound traffic on ppp0 from object id40D153ED (defined elsewhere in the file; per the rule comment the "old broadcast" address) to the firewall itself (Dst ref id3EE4CB81), not logged. It sits after the anti-spoofing deny at position 2, so whether it is ever reached depends on whether that source falls inside the firewall's address set; the firewall's own comment says this fixture exists to test that shading case. -->
<Src neg="False">
|
|
<ObjectRef ref="id40D153ED"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="id3EE4CB81"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="id3EE4CD4C"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions/>
|
|
</PolicyRule>
|
|
<PolicyRule id="id40D153D9" disabled="False" group="" log="True" position="4" action="Deny" direction="Both" comment="">
|
|
<Src neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="stateless">True</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<RuleSetOptions/>
|
|
</Policy>
|
|
<Routing id="id3EE4CB81-routing" name="Routing" comment="" ro="False" ipv4_rule_set="False" ipv6_rule_set="False" top_rule_set="True">
|
|
<RuleSetOptions/>
|
|
</Routing>
|
|
<Interface id="id3EE4CB88" dedicated_failover="False" dyn="False" label="" security_level="0" unnum="False" unprotected="False" name="eth2" comment="" ro="False">
|
|
<IPv4 id="id3EE4CB8A" name="firewall18:eth2(ip)" comment="" ro="False" address="66.66.66.1" netmask="255.255.255.128"/>
|
|
<InterfaceOptions/>
|
|
</Interface>
|
|
<Interface id="id3EE4CB8B" dedicated_failover="False" dyn="False" label="" security_level="33" unnum="False" unprotected="False" name="eth0" comment="" ro="False">
|
|
<IPv4 id="id3EE4CB8D" name="firewall18:eth0(ip)" comment="" ro="False" address="192.168.1.1" netmask="255.255.255.0"/>
|
|
<InterfaceOptions/>
|
|
</Interface>
|
|
<Interface id="id3EE4CB8E" dedicated_failover="False" dyn="False" label="" security_level="66" unnum="False" unprotected="False" name="eth1" comment="" ro="False">
|
|
<IPv4 id="id3EE4CB90" name="firewall18:eth1(ip)" comment="" ro="False" address="66.66.66.130" netmask="255.255.255.128"/>
|
|
<InterfaceOptions/>
|
|
</Interface>
|
|
<Interface id="id3EE4CB91" dedicated_failover="False" dyn="False" label="" security_level="99" unnum="False" unprotected="False" name="lo" comment="" ro="False">
|
|
<IPv4 id="id3EE4CB93" name="firewall18:lo(ip)" comment="" ro="False" address="127.0.0.1" netmask="255.0.0.0"/>
|
|
<InterfaceOptions/>
|
|
</Interface>
|
|
<Interface id="id3EE4CD4C" dedicated_failover="False" dyn="True" label="" mgmt="False" security_level="0" unnum="False" unprotected="False" name="ppp0" comment="" ro="False">
|
|
<!-- ppp0 is a dynamic interface (dyn="True"), so unlike the other interfaces of firewall18 it has no IPv4 address object underneath it. security_level 0, not a management interface. It is the Itf of both the anti-spoofing deny (id40D15498) and the "old broadcast" accept (id40D154A6) in the policy above. -->
<InterfaceOptions/>
|
|
</Interface>
|
|
<Management address="0.0.0.0">
|
|
<!-- NOTE(review): the management address is 0.0.0.0 (unspecified); presumably this fixture is only compiled, never installed to a host. Confirm if it is ever reused outside the test suite. -->
<!-- NOTE(review): SNMP is disabled, but snmp_read_community still holds the well-known default "public"; clear it so a default community does not linger in the object file. -->
<SNMPManagement enabled="False" snmp_read_community="public" snmp_write_community=""/>
|
|
<!-- fwbuilder daemon management is enabled on port 9999 with no identity set. -->
<FWBDManagement enabled="True" identity="" port="9999"/>
|
|
<!-- no external policy-install script is configured -->
<PolicyInstallScript arguments="" command="" enabled="False"/>
|
|
</Management>
|
|
<FirewallOptions>
|
|
<Option name="accept_established">True</Option>
|
|
<Option name="accept_new_tcp_with_no_syn">True</Option>
|
|
<Option name="action_on_reject">ICMP host prohibited</Option>
|
|
<Option name="activationCmd"/>
|
|
<Option name="admUser"/>
|
|
<Option name="altAddress"/>
|
|
<Option name="bridging_fw">False</Option>
|
|
<Option name="check_shading">True</Option>
|
|
<Option name="clamp_mss_to_mtu">False</Option>
|
|
<Option name="cmdline"/>
|
|
<Option name="compiler"/>
|
|
<Option name="configure_interfaces">True</Option>
|
|
<Option name="debug">False</Option>
|
|
<Option name="firewall_dir"/>
|
|
<Option name="firewall_is_part_of_any_and_networks">True</Option>
|
|
<Option name="ignore_empty_groups">False</Option>
|
|
<Option name="limit_suffix"/>
|
|
<Option name="limit_value">0</Option>
|
|
<Option name="linux24_accept_redirects"/>
|
|
<Option name="linux24_accept_source_route"/>
|
|
<Option name="linux24_icmp_echo_ignore_all"/>
|
|
<Option name="linux24_icmp_echo_ignore_broadcasts"/>
|
|
<Option name="linux24_icmp_ignore_bogus_error_responses"/>
|
|
<Option name="linux24_ip_dynaddr"/>
|
|
<Option name="linux24_ip_forward">1</Option>
|
|
<Option name="linux24_log_martians"/>
|
|
<Option name="linux24_path_ip"/>
|
|
<Option name="linux24_path_iptables"/>
|
|
<Option name="linux24_path_logger"/>
|
|
<Option name="linux24_path_lsmod"/>
|
|
<Option name="linux24_path_modprobe"/>
|
|
<Option name="linux24_rp_filter"/>
|
|
<Option name="linux24_tcp_ecn"/>
|
|
<Option name="linux24_tcp_fack"/>
|
|
<Option name="linux24_tcp_fin_timeout">30</Option>
|
|
<Option name="linux24_tcp_keepalive_interval">1800</Option>
|
|
<Option name="linux24_tcp_sack"/>
|
|
<Option name="linux24_tcp_syncookies"/>
|
|
<Option name="linux24_tcp_timestamps"/>
|
|
<Option name="linux24_tcp_window_scaling"/>
|
|
<Option name="load_modules">True</Option>
|
|
<Option name="local_nat">False</Option>
|
|
<Option name="log_all">False</Option>
|
|
<Option name="log_all_dropped">False</Option>
|
|
<Option name="log_ip_opt">False</Option>
|
|
<Option name="log_level">info</Option>
|
|
<Option name="log_prefix">RULE %N -- %A </Option>
|
|
<Option name="log_tcp_opt">False</Option>
|
|
<Option name="log_tcp_seq">False</Option>
|
|
<Option name="loopback_interface">lo</Option>
|
|
<Option name="manage_virtual_addr">True</Option>
|
|
<Option name="snmp_contact"/>
|
|
<Option name="snmp_description"/>
|
|
<Option name="snmp_location"/>
|
|
<Option name="ulog_cprange">0</Option>
|
|
<Option name="ulog_nlgroup">1</Option>
|
|
<Option name="ulog_qthreshold">1</Option>
|
|
<Option name="use_ULOG">False</Option>
|
|
<Option name="use_numeric_log_levels">False</Option>
|
|
<Option name="verify_interfaces">True</Option>
|
|
</FirewallOptions>
|
|
</Firewall>
|
|
<Firewall id="id3EF7F809" host_OS="linux24" lastCompiled="1272404329" lastInstalled="1142003872" lastModified="0" platform="iptables" name="firewall19" comment="testing different combinations of objects in the policy rules on the loopback interface" ro="False">
|
|
<NAT id="id3EF7F80A" name="NAT" comment="" ro="False" ipv4_rule_set="False" ipv6_rule_set="False" top_rule_set="True">
|
|
<RuleSetOptions/>
|
|
</NAT>
|
|
<Policy id="id3EF7F86D" name="Policy" comment="" ro="False" ipv4_rule_set="False" ipv6_rule_set="False" top_rule_set="True">
|
|
<PolicyRule id="id3EF7F884" disabled="False" group="" log="False" position="0" action="Accept" direction="Both" comment="">
|
|
<Src neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="id3EF7F809"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="id3EF7F881"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions/>
|
|
</PolicyRule>
|
|
<PolicyRule id="id3EF7F9E2" disabled="False" group="" log="False" position="1" action="Accept" direction="Both" comment="">
|
|
<Src neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="id3EF7F86E"/>
|
|
<ObjectRef ref="id3EF7F871"/>
|
|
<ObjectRef ref="id3EF7F87E"/>
|
|
<ObjectRef ref="id3EF7F881"/>
|
|
<ObjectRef ref="id3EF7F8B0"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="id3EF7F881"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions/>
|
|
</PolicyRule>
|
|
<PolicyRule id="id3EF7F89C" disabled="False" group="" log="False" position="2" action="Accept" direction="Both" comment="">
|
|
<Src neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="id3EF7F871"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="id3EF7F881"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions/>
|
|
</PolicyRule>
|
|
<PolicyRule id="id3EF7F8A6" disabled="False" group="" log="False" position="3" action="Accept" direction="Both" comment="">
|
|
<Src neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="id3EF7F881"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions/>
|
|
</PolicyRule>
|
|
<PolicyRule id="id3EFB9E41" disabled="False" group="" log="False" position="4" action="Accept" direction="Both" comment="">
|
|
<Src neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="tcp-TCP-SYN"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="action_on_reject"/>
|
|
<Option name="limit_burst">0</Option>
|
|
<Option name="limit_suffix">/second</Option>
|
|
<Option name="limit_value">2</Option>
|
|
<Option name="log_level"/>
|
|
<Option name="log_prefix"/>
|
|
<Option name="stateless">True</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<PolicyRule id="id3EFB9E5F" disabled="False" group="" log="True" position="5" action="Deny" direction="Both" comment="">
|
|
<Src neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="tcp-TCP-SYN"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="stateless">True</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<PolicyRule id="id3EFBA6FE" disabled="False" group="" log="False" position="6" action="Accept" direction="Both" comment="">
|
|
<Src neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Dst>
|
|
<Srv neg="True">
|
|
<ServiceRef ref="tcp-TCP-SYN"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="action_on_reject"/>
|
|
<Option name="limit_burst">0</Option>
|
|
<Option name="limit_suffix"/>
|
|
<Option name="limit_value">0</Option>
|
|
<Option name="log_level"/>
|
|
<Option name="log_prefix"/>
|
|
<Option name="stateless">True</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<PolicyRule id="id40038F90" disabled="False" group="" log="False" position="7" action="Accept" direction="Both" comment="">
|
|
<Src neg="False">
|
|
<ObjectRef ref="net-Internal_net"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="id40038E79"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions/>
|
|
</PolicyRule>
|
|
<PolicyRule id="id40038F1E" disabled="False" group="" log="False" position="8" action="Reject" direction="Both" comment="">
|
|
<Src neg="False">
|
|
<ObjectRef ref="net-Internal_net"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="id40038E79"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="stateless">True</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<PolicyRule id="id40038EB9" disabled="False" group="" log="False" position="9" action="Reject" direction="Both" comment="">
|
|
<Src neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Dst>
|
|
<Srv neg="True">
|
|
<ServiceRef ref="id40038E79"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="stateless">True</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<PolicyRule id="id4003B20A" disabled="False" group="" log="False" position="10" action="Reject" direction="Both" comment="">
|
|
<Src neg="False">
|
|
<ObjectRef ref="net-Internal_net"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="id4003B1AC"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="action_on_reject">TCP RST</Option>
|
|
<Option name="limit_burst">0</Option>
|
|
<Option name="limit_suffix"/>
|
|
<Option name="limit_value">0</Option>
|
|
<Option name="log_level"/>
|
|
<Option name="log_prefix"/>
|
|
<Option name="stateless">True</Option>
|
|
<Option name="ulog_nlgroup">1</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<PolicyRule id="id3F1A2791" disabled="False" group="" log="False" position="11" action="Accept" direction="Both" comment="">
|
|
<Src neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="id3EF7F881"/>
|
|
<ObjectRef ref="id3EF7F87E"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="id3B4FF09A"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions/>
|
|
</PolicyRule>
|
|
<PolicyRule id="id3EFB9E6D" disabled="False" group="" log="True" position="12" action="Deny" direction="Both" comment="">
|
|
<Src neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="stateless">True</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<PolicyRule id="id3F1B9CCE" disabled="True" group="" log="True" position="13" action="Deny" direction="Both" comment="">
|
|
<Src neg="False">
|
|
<ObjectRef ref="id3F1B9C18"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="stateless">True</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<RuleSetOptions/>
|
|
</Policy>
|
|
<Routing id="id3EF7F809-routing" name="Routing" comment="" ro="False" ipv4_rule_set="False" ipv6_rule_set="False" top_rule_set="True">
|
|
<RuleSetOptions/>
|
|
</Routing>
|
|
<Interface id="id3EF7F86E" dedicated_failover="False" dyn="False" label="" security_level="0" unnum="False" unprotected="False" name="eth2" comment="" ro="False">
|
|
<IPv4 id="id3EF7F86F" name="firewall18:eth2(ip)" comment="" ro="False" address="66.66.66.1" netmask="255.255.255.128"/>
|
|
<InterfaceOptions/>
|
|
</Interface>
|
|
<Interface id="id3EF7F871" dedicated_failover="False" dyn="False" label="" security_level="33" unnum="False" unprotected="False" name="eth0" comment="" ro="False">
|
|
<IPv4 id="id3EF7F872" name="firewall18:eth0(ip)" comment="" ro="False" address="192.168.1.1" netmask="255.255.255.0"/>
|
|
<InterfaceOptions/>
|
|
</Interface>
|
|
<Interface id="id3EF7F87E" dedicated_failover="False" dyn="False" label="" security_level="66" unnum="False" unprotected="False" name="eth1" comment="" ro="False">
|
|
<IPv4 id="id3EF7F87F" name="firewall18:eth1(ip)" comment="" ro="False" address="66.66.66.130" netmask="255.255.255.128"/>
|
|
<InterfaceOptions/>
|
|
</Interface>
|
|
<Interface id="id3EF7F881" dedicated_failover="False" dyn="False" label="" security_level="99" unnum="False" unprotected="False" name="lo" comment="" ro="False">
|
|
<IPv4 id="id3EF7F882" name="firewall18:lo(ip)" comment="" ro="False" address="127.0.0.1" netmask="255.0.0.0"/>
|
|
<InterfaceOptions/>
|
|
</Interface>
|
|
<Interface id="id3EF7F8B0" dedicated_failover="False" dyn="True" label="" mgmt="False" security_level="0" unnum="False" unprotected="False" name="ppp0" comment="" ro="False">
|
|
<InterfaceOptions/>
|
|
</Interface>
|
|
<Management address="0.0.0.0">
|
|
<SNMPManagement enabled="False" snmp_read_community="public" snmp_write_community=""/>
|
|
<FWBDManagement enabled="True" identity="" port="9999"/>
|
|
<PolicyInstallScript arguments="" command="" enabled="False"/>
|
|
</Management>
|
|
<FirewallOptions>
|
|
<Option name="accept_established">True</Option>
|
|
<Option name="accept_new_tcp_with_no_syn">True</Option>
|
|
<Option name="action_on_reject">ICMP host prohibited</Option>
|
|
<Option name="bridging_fw">False</Option>
|
|
<Option name="check_shading">False</Option>
|
|
<Option name="clamp_mss_to_mtu">False</Option>
|
|
<Option name="cmdline"/>
|
|
<Option name="compiler"/>
|
|
<Option name="configure_interfaces">True</Option>
|
|
<Option name="debug">False</Option>
|
|
<Option name="firewall_is_part_of_any_and_networks">True</Option>
|
|
<Option name="ignore_empty_groups">False</Option>
|
|
<Option name="limit_suffix"/>
|
|
<Option name="limit_value">0</Option>
|
|
<Option name="linux24_accept_redirects"/>
|
|
<Option name="linux24_accept_source_route"/>
|
|
<Option name="linux24_icmp_echo_ignore_all"/>
|
|
<Option name="linux24_icmp_echo_ignore_broadcasts"/>
|
|
<Option name="linux24_icmp_ignore_bogus_error_responses"/>
|
|
<Option name="linux24_ip_dynaddr"/>
|
|
<Option name="linux24_ip_forward">1</Option>
|
|
<Option name="linux24_log_martians"/>
|
|
<Option name="linux24_path_ip"/>
|
|
<Option name="linux24_path_iptables"/>
|
|
<Option name="linux24_path_logger"/>
|
|
<Option name="linux24_path_lsmod"/>
|
|
<Option name="linux24_path_modprobe"/>
|
|
<Option name="linux24_rp_filter"/>
|
|
<Option name="linux24_tcp_ecn"/>
|
|
<Option name="linux24_tcp_fack"/>
|
|
<Option name="linux24_tcp_fin_timeout">30</Option>
|
|
<Option name="linux24_tcp_keepalive_interval">1800</Option>
|
|
<Option name="linux24_tcp_sack"/>
|
|
<Option name="linux24_tcp_syncookies"/>
|
|
<Option name="linux24_tcp_timestamps"/>
|
|
<Option name="linux24_tcp_window_scaling"/>
|
|
<Option name="load_modules">True</Option>
|
|
<Option name="local_nat">False</Option>
|
|
<Option name="log_all">False</Option>
|
|
<Option name="log_all_dropped">False</Option>
|
|
<Option name="log_ip_opt">False</Option>
|
|
<Option name="log_level">info</Option>
|
|
<Option name="log_prefix">RULE %N -- %A </Option>
|
|
<Option name="log_tcp_opt">False</Option>
|
|
<Option name="log_tcp_seq">False</Option>
|
|
<Option name="loopback_interface">lo</Option>
|
|
<Option name="manage_virtual_addr">True</Option>
|
|
<Option name="snmp_contact"/>
|
|
<Option name="snmp_description"/>
|
|
<Option name="snmp_location"/>
|
|
<Option name="ulog_cprange">0</Option>
|
|
<Option name="ulog_nlgroup">1</Option>
|
|
<Option name="ulog_qthreshold">1</Option>
|
|
<Option name="use_ULOG">False</Option>
|
|
<Option name="use_numeric_log_levels">False</Option>
|
|
<Option name="verify_interfaces">True</Option>
|
|
</FirewallOptions>
|
|
</Firewall>
|
|
<Firewall id="id3EFBC648" host_OS="linux24" inactive="False" lastCompiled="1272404356" lastInstalled="1142003872" lastModified="1286307234" platform="iptables" version="" name="firewall20" comment="Testing firewall_is_part_of_any_and_networks. Also testing SNAT and DNAT rules when the external interface has a dynamic address. Dynamic interface ppp0 has an address object attached to it (the interface used to be static and had an address, then was converted to dynamic, but the address object is still there). The compiler should ignore this address object and issue a warning." ro="False">
|
|
<NAT id="id3EFBC649" name="NAT" comment="" ro="False" ipv4_rule_set="False" ipv6_rule_set="False" top_rule_set="True">
|
|
<NATRule id="id3EFBC64A" disabled="False" group="" position="0" action="Translate" comment="">
|
|
<OSrc neg="False">
|
|
<ObjectRef ref="net-Internal_net"/>
|
|
</OSrc>
|
|
<ODst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ODst>
|
|
<OSrv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</OSrv>
|
|
<TSrc neg="False">
|
|
<ObjectRef ref="id3EFBC648"/>
|
|
</TSrc>
|
|
<TDst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</TDst>
|
|
<TSrv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</TSrv>
|
|
<ItfInb neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ItfInb>
|
|
<ItfOutb neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ItfOutb>
|
|
<NATRuleOptions/>
|
|
</NATRule>
|
|
<NATRule id="id3EFBC658" disabled="False" group="" position="1" action="Translate" comment="">
|
|
<OSrc neg="False">
|
|
<ObjectRef ref="net-Internal_net"/>
|
|
</OSrc>
|
|
<ODst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ODst>
|
|
<OSrv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</OSrv>
|
|
<TSrc neg="False">
|
|
<ObjectRef ref="id3AFADBF9"/>
|
|
</TSrc>
|
|
<TDst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</TDst>
|
|
<TSrv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</TSrv>
|
|
<ItfInb neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ItfInb>
|
|
<ItfOutb neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ItfOutb>
|
|
<NATRuleOptions/>
|
|
</NATRule>
|
|
<NATRule id="id1009519X12234" disabled="False" group="" position="2" action="Translate" comment="">
|
|
<OSrc neg="False">
|
|
<ObjectRef ref="net-Internal_net"/>
|
|
</OSrc>
|
|
<ODst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ODst>
|
|
<OSrv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</OSrv>
|
|
<TSrc neg="False">
|
|
<ObjectRef ref="id3EFBC6F1"/>
|
|
</TSrc>
|
|
<TDst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</TDst>
|
|
<TSrv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</TSrv>
|
|
<ItfInb neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ItfInb>
|
|
<ItfOutb neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ItfOutb>
|
|
<NATRuleOptions/>
|
|
</NATRule>
|
|
<NATRule id="id1391329X69541" disabled="False" group="" position="3" action="Translate" comment="">
|
|
<OSrc neg="False">
|
|
<ObjectRef ref="net-Internal_net"/>
|
|
</OSrc>
|
|
<ODst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ODst>
|
|
<OSrv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</OSrv>
|
|
<TSrc neg="False">
|
|
<ObjectRef ref="id3EFBC6F1"/>
|
|
</TSrc>
|
|
<TDst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</TDst>
|
|
<TSrv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</TSrv>
|
|
<ItfInb neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ItfInb>
|
|
<ItfOutb neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ItfOutb>
|
|
<NATRuleOptions>
|
|
<Option name="ipt_nat_random">True</Option>
|
|
<Option name="ipt_snat_random">True</Option>
|
|
<Option name="ipt_use_snat_instead_of_masq">False</Option>
|
|
</NATRuleOptions>
|
|
</NATRule>
|
|
<NATRule id="id1169447X12234" disabled="False" group="" position="4" action="Translate" comment="">
|
|
<OSrc neg="False">
|
|
<ObjectRef ref="net-Internal_net"/>
|
|
</OSrc>
|
|
<ODst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ODst>
|
|
<OSrv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</OSrv>
|
|
<TSrc neg="False">
|
|
<ObjectRef ref="id3EFBC6F1"/>
|
|
</TSrc>
|
|
<TDst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</TDst>
|
|
<TSrv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</TSrv>
|
|
<ItfInb neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ItfInb>
|
|
<ItfOutb neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ItfOutb>
|
|
<NATRuleOptions>
|
|
<Option name="ipt_snat_random">False</Option>
|
|
<Option name="ipt_use_snat_instead_of_masq">True</Option>
|
|
</NATRuleOptions>
|
|
</NATRule>
|
|
<NATRule id="id3EFBC666" disabled="False" group="" position="5" action="Translate" comment="">
|
|
<OSrc neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</OSrc>
|
|
<ODst neg="False">
|
|
<ObjectRef ref="id3EFBC648"/>
|
|
</ODst>
|
|
<OSrv neg="False">
|
|
<ServiceRef ref="tcp-SSH"/>
|
|
</OSrv>
|
|
<TSrc neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</TSrc>
|
|
<TDst neg="False">
|
|
<ObjectRef ref="host-hostA"/>
|
|
</TDst>
|
|
<TSrv neg="False">
|
|
<ServiceRef ref="tcp-SSH"/>
|
|
</TSrv>
|
|
<ItfInb neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ItfInb>
|
|
<ItfOutb neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ItfOutb>
|
|
<NATRuleOptions/>
|
|
</NATRule>
|
|
<NATRule id="id3FADADE5" disabled="False" group="" position="6" action="Translate" comment="">
|
|
<OSrc neg="False">
|
|
<ObjectRef ref="net-Internal_net"/>
|
|
</OSrc>
|
|
<ODst neg="True">
|
|
<ObjectRef ref="id3B19C5EB"/>
|
|
</ODst>
|
|
<OSrv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</OSrv>
|
|
<TSrc neg="False">
|
|
<ObjectRef ref="id3EFBC702"/>
|
|
</TSrc>
|
|
<TDst neg="False">
|
|
<ObjectRef ref="id3D151943"/>
|
|
</TDst>
|
|
<TSrv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</TSrv>
|
|
<ItfInb neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ItfInb>
|
|
<ItfOutb neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ItfOutb>
|
|
<NATRuleOptions/>
|
|
</NATRule>
|
|
<NATRule id="id647653X13110" disabled="False" group="" position="7" action="Translate" comment="">
|
|
<OSrc neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</OSrc>
|
|
<ODst neg="False">
|
|
<ObjectRef ref="id3EFBC702"/>
|
|
<ObjectRef ref="id3EFBC6F1"/>
|
|
</ODst>
|
|
<OSrv neg="False">
|
|
<ServiceRef ref="tcp-SSH"/>
|
|
</OSrv>
|
|
<TSrc neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</TSrc>
|
|
<TDst neg="False">
|
|
<ObjectRef ref="host-hostA"/>
|
|
</TDst>
|
|
<TSrv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</TSrv>
|
|
<ItfInb neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ItfInb>
|
|
<ItfOutb neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ItfOutb>
|
|
<NATRuleOptions/>
|
|
</NATRule>
|
|
<RuleSetOptions/>
|
|
</NAT>
|
|
<Policy id="id3EFBC674" name="Policy" comment="" ro="False" ipv4_rule_set="False" ipv6_rule_set="False" top_rule_set="True">
|
|
<PolicyRule id="id3EFBC6F4" disabled="False" group="" log="True" position="0" action="Deny" direction="Inbound" comment="ppp clients get addresses on 10.1.1.0; deny and log inbound packets on the ppp interface from any other source (anti-spoofing)">
|
|
<Src neg="True">
|
|
<ObjectRef ref="id3EFBCCBA"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="id3EFBC6F1"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="stateless">True</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<PolicyRule id="id3EFBCAFF" disabled="False" group="" log="True" position="1" action="Deny" direction="Inbound" comment="ppp clients cannot connect to the firewall's ppp interface address">
|
|
<Src neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="id3EFBC6F1"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="id3EFBC6F1"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="stateless">True</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<PolicyRule id="id3EFBCBA3" disabled="False" group="" log="True" position="2" action="Deny" direction="Inbound" comment="">
|
|
<Src neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="id3EFBC648"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="id3EFBC6F1"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="stateless">True</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<PolicyRule id="id3EFBCB1F" disabled="False" group="" log="False" position="3" action="Accept" direction="Inbound" comment="ppp clients can only connect to the mail server and web proxy on DMZ">
|
|
<Src neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="id3D151943"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="tcp-SMTP"/>
|
|
<ServiceRef ref="id3B4FF09A"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="id3EFBC6F1"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions/>
|
|
</PolicyRule>
|
|
<PolicyRule id="id3EFBCB6C" disabled="False" group="" log="True" position="4" action="Deny" direction="Inbound" comment="ppp clients cannot connect to anything else on the DMZ and the internal net">
|
|
<Src neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="id3B022266"/>
|
|
<ObjectRef ref="net-Internal_net"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="id3EFBC6F1"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="stateless">True</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<PolicyRule id="id433C890013970" disabled="False" group="" log="False" position="5" action="Accept" direction="Inbound" comment="">
|
|
<Src neg="True">
|
|
<ObjectRef ref="id3B665643"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="id3EFBC6F1"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions/>
|
|
</PolicyRule>
|
|
<PolicyRule id="id3EFBCACB" disabled="False" group="" log="True" position="6" action="Deny" direction="Inbound" comment="">
|
|
<Src neg="True">
|
|
<ObjectRef ref="id3B022266"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="id3EFBC702"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="stateless">True</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<PolicyRule id="id3EFBC675" disabled="False" group="" log="True" position="7" action="Accept" direction="Both" comment="hostF has the same IP address as the firewall.">
|
|
<Src neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="id3AFC191C"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="icmp-ping_request"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="id"/>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<PolicyRule id="id3EFBC67F" disabled="False" group="" log="False" position="8" action="Accept" direction="Both" comment="">
|
|
<Src neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="id3EFBC648"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="tcp-SSH"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions/>
|
|
</PolicyRule>
|
|
<PolicyRule id="id3EFBC689" disabled="False" group="" log="False" position="9" action="Accept" direction="Both" comment="">
|
|
<Src neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="id3EFBC6F1"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="tcp-SSH"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions/>
|
|
</PolicyRule>
|
|
<PolicyRule id="id3EFBC693" disabled="False" group="" log="False" position="10" action="Accept" direction="Both" comment="">
|
|
<Src neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="id3B19BF58"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="tcp-SSH"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions/>
|
|
</PolicyRule>
|
|
<PolicyRule id="id3EFBC69D" disabled="False" group="" log="False" position="11" action="Accept" direction="Both" comment="">
|
|
<Src neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="id3AFC191C"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="tcp-SSH"/>
|
|
<ServiceRef ref="tcp-Telnet"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions/>
|
|
</PolicyRule>
|
|
<PolicyRule id="id3EFBC6A8" disabled="False" group="" log="False" position="12" action="Accept" direction="Both" comment="">
|
|
<Src neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="id3E9870D1"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="tcp-SSH"/>
|
|
<ServiceRef ref="tcp-Telnet"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions/>
|
|
</PolicyRule>
|
|
<PolicyRule id="id3EFBC6B3" disabled="False" group="" log="True" position="13" action="Accept" direction="Both" comment="">
|
|
<Src neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="id3E9870D1"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="tcp-SSH"/>
|
|
<ServiceRef ref="tcp-Telnet"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions/>
|
|
</PolicyRule>
|
|
<PolicyRule id="id3EFBC6BE" disabled="False" group="" log="False" position="14" action="Accept" direction="Both" comment="firewall is part of Any, so compiler should generate code in both FORWARD and OUTPUT chains">
|
|
<Src neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="id3B19C5EB"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions/>
|
|
</PolicyRule>
|
|
<PolicyRule id="id3EFBC6C8" disabled="False" group="" log="False" position="15" action="Accept" direction="Both" comment="firewall is part of Any, compiler should generate code for both FORWARD and INPUT chains">
|
|
<Src neg="False">
|
|
<ObjectRef ref="id3B19C5EB"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions/>
|
|
</PolicyRule>
|
|
<PolicyRule id="id3EFBC6D2" disabled="False" group="" log="False" position="16" action="Accept" direction="Both" comment="because firewall has interface on network internal_net, compiler should generate code for both FORWARD and INPUT chains">
|
|
<Src neg="False">
|
|
<ObjectRef ref="host-hostA"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="net-Internal_net"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions/>
|
|
</PolicyRule>
|
|
<PolicyRule id="id3EFBC6DC" disabled="False" group="" log="False" position="17" action="Accept" direction="Both" comment="">
|
|
<Src neg="False">
|
|
<ObjectRef ref="net-Internal_net"/>
|
|
<ObjectRef ref="id3B022266"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="id3B19C5EB"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions/>
|
|
</PolicyRule>
|
|
<PolicyRule id="id40551X29621" disabled="False" group="" log="True" position="18" action="Deny" direction="Both" comment="">
|
|
<Src neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="id45862X16372"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="stateless">True</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<PolicyRule id="id3EFBC6E7" disabled="False" group="" log="True" position="19" action="Deny" direction="Both" comment="Automatically generated 'catch all' rule">
|
|
<Src neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="action_on_reject"/>
|
|
<Option name="id"/>
|
|
<Option name="limit_suffix"/>
|
|
<Option name="limit_value">0</Option>
|
|
<Option name="log_prefix"/>
|
|
<Option name="stateless">True</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<RuleSetOptions/>
|
|
</Policy>
|
|
<Routing id="id3EFBC648-routing" name="Routing" comment="" ro="False" ipv4_rule_set="False" ipv6_rule_set="False" top_rule_set="True">
|
|
<RuleSetOptions/>
|
|
</Routing>
|
|
<Interface id="id3EFBC6F1" dedicated_failover="False" dyn="True" label="" mgmt="False" security_level="0" unnum="False" unprotected="False" name="ppp*" comment="" ro="False">
|
|
<IPv4 id="id3EFBC6F2" name="firewall20:ppp*:ip" comment="" ro="False" address="192.168.1.1" netmask="255.255.255.0"/>
|
|
<InterfaceOptions/>
|
|
</Interface>
|
|
<Interface id="id3EFBC6FF" dedicated_failover="False" dyn="False" label="" mgmt="True" security_level="100" unnum="False" unprotected="False" name="eth0" comment="" ro="False">
|
|
<IPv4 id="id3EFBC700" name="firewall20:eth0:ip" comment="" ro="False" address="192.168.1.1" netmask="255.255.255.0"/>
|
|
<InterfaceOptions/>
|
|
</Interface>
|
|
<Interface id="id3EFBC702" dedicated_failover="False" dyn="False" security_level="0" unnum="False" unprotected="False" name="eth2" comment="" ro="False">
|
|
<IPv4 id="id3EFBC703" name="firewall20:eth2:ip" comment="" ro="False" address="192.168.2.1" netmask="255.255.255.0"/>
|
|
<InterfaceOptions/>
|
|
</Interface>
|
|
<Management address="192.168.1.1">
|
|
<SNMPManagement enabled="False" snmp_read_community="public" snmp_write_community=""/>
|
|
<FWBDManagement enabled="True" identity="" port="9999"/>
|
|
<PolicyInstallScript arguments="" command="" enabled="False"/>
|
|
</Management>
|
|
<FirewallOptions>
|
|
<Option name="accept_established">False</Option>
|
|
<Option name="accept_new_tcp_with_no_syn">True</Option>
|
|
<Option name="action_on_reject">ICMP host prohibited</Option>
|
|
<Option name="bridging_fw">False</Option>
|
|
<Option name="check_shading">False</Option>
|
|
<Option name="clamp_mss_to_mtu">False</Option>
|
|
<Option name="cmdline"/>
|
|
<Option name="compiler"/>
|
|
<Option name="configure_interfaces">True</Option>
|
|
<Option name="debug">False</Option>
|
|
<Option name="dyn_addr">False</Option>
|
|
<Option name="firewall_is_part_of_any">True</Option>
|
|
<Option name="firewall_is_part_of_any_and_networks">True</Option>
|
|
<Option name="id"/>
|
|
<Option name="ignore_empty_groups">False</Option>
|
|
<Option name="install_script"/>
|
|
<Option name="limit_suffix">/day</Option>
|
|
<Option name="limit_value">0</Option>
|
|
<Option name="linux24_accept_redirects"/>
|
|
<Option name="linux24_accept_source_route"/>
|
|
<Option name="linux24_icmp_echo_ignore_all"/>
|
|
<Option name="linux24_icmp_echo_ignore_broadcasts"/>
|
|
<Option name="linux24_icmp_ignore_bogus_error_responses"/>
|
|
<Option name="linux24_ip_dynaddr"/>
|
|
<Option name="linux24_ip_forward"/>
|
|
<Option name="linux24_log_martians"/>
|
|
<Option name="linux24_path_ip"/>
|
|
<Option name="linux24_path_iptables"/>
|
|
<Option name="linux24_path_logger"/>
|
|
<Option name="linux24_path_lsmod"/>
|
|
<Option name="linux24_path_modprobe"/>
|
|
<Option name="linux24_rp_filter"/>
|
|
<Option name="linux24_tcp_ecn"/>
|
|
<Option name="linux24_tcp_fack"/>
|
|
<Option name="linux24_tcp_fin_timeout">30</Option>
|
|
<Option name="linux24_tcp_keepalive_interval">1800</Option>
|
|
<Option name="linux24_tcp_sack"/>
|
|
<Option name="linux24_tcp_syncookies"/>
|
|
<Option name="linux24_tcp_timestamps"/>
|
|
<Option name="linux24_tcp_window_scaling"/>
|
|
<Option name="load_modules">False</Option>
|
|
<Option name="local_nat">False</Option>
|
|
<Option name="log_all">False</Option>
|
|
<Option name="log_all_dropped">False</Option>
|
|
<Option name="log_ip_opt">False</Option>
|
|
<Option name="log_level"/>
|
|
<Option name="log_limit_suffix"/>
|
|
<Option name="log_limit_value">0</Option>
|
|
<Option name="log_prefix"/>
|
|
<Option name="log_tcp_opt">False</Option>
|
|
<Option name="log_tcp_seq">False</Option>
|
|
<Option name="manage_virtual_addr">True</Option>
|
|
<Option name="no_iochains_for_any">False</Option>
|
|
<Option name="no_optimisation">False</Option>
|
|
<Option name="platform">iptables</Option>
|
|
<Option name="script_env_path"/>
|
|
<Option name="snmp_contact"/>
|
|
<Option name="snmp_description"/>
|
|
<Option name="snmp_location"/>
|
|
<Option name="ulog_cprange">0</Option>
|
|
<Option name="ulog_nlgroup">1</Option>
|
|
<Option name="ulog_qthreshold">1</Option>
|
|
<Option name="use_ULOG">False</Option>
|
|
<Option name="use_numeric_log_levels">False</Option>
|
|
<Option name="verify_interfaces">True</Option>
|
|
</FirewallOptions>
|
|
</Firewall>
|
|
<Firewall id="id3F29FAAD" host_OS="linux24" lastCompiled="1272404361" lastInstalled="1142003872" lastModified="1264552320" platform="iptables" name="firewall21" comment="two dynamic interfaces in the same policy or NAT rule " ro="False">
|
|
<NAT id="id3F29FAAE" name="NAT" comment="" ro="False" ipv4_rule_set="False" ipv6_rule_set="False" top_rule_set="True">
|
|
<NATRule id="id908101X71214" disabled="False" group="" position="0" action="Translate" comment="">
|
|
<OSrc neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</OSrc>
|
|
<ODst neg="False">
|
|
<ObjectRef ref="id3F29FAF4"/>
|
|
<ObjectRef ref="id3F29FAF7"/>
|
|
</ODst>
|
|
<OSrv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</OSrv>
|
|
<TSrc neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</TSrc>
|
|
<TDst neg="False">
|
|
<ObjectRef ref="host-hostA"/>
|
|
</TDst>
|
|
<TSrv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</TSrv>
|
|
<ItfInb neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ItfInb>
|
|
<ItfOutb neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ItfOutb>
|
|
<NATRuleOptions/>
|
|
</NATRule>
|
|
<NATRule id="id3F2A008C" disabled="False" group="" position="1" action="Translate" comment="">
|
|
<OSrc neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</OSrc>
|
|
<ODst neg="False">
|
|
<ObjectRef ref="id3F29FAF4"/>
|
|
<ObjectRef ref="id3F29FAF7"/>
|
|
</ODst>
|
|
<OSrv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</OSrv>
|
|
<TSrc neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</TSrc>
|
|
<TDst neg="False">
|
|
<ObjectRef ref="host-hostA"/>
|
|
</TDst>
|
|
<TSrv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</TSrv>
|
|
<ItfInb neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ItfInb>
|
|
<ItfOutb neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ItfOutb>
|
|
<NATRuleOptions>
|
|
<Option name="ipt_nat_random">True</Option>
|
|
<Option name="ipt_use_snat_instead_of_masq">False</Option>
|
|
</NATRuleOptions>
|
|
</NATRule>
|
|
<NATRule id="id1352003X12234" disabled="False" group="" position="2" action="Translate" comment="">
|
|
<OSrc neg="False">
|
|
<ObjectRef ref="net-Internal_net"/>
|
|
</OSrc>
|
|
<ODst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ODst>
|
|
<OSrv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</OSrv>
|
|
<TSrc neg="False">
|
|
<ObjectRef ref="id3F29FAF4"/>
|
|
</TSrc>
|
|
<TDst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</TDst>
|
|
<TSrv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</TSrv>
|
|
<ItfInb neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ItfInb>
|
|
<ItfOutb neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ItfOutb>
|
|
<NATRuleOptions/>
|
|
</NATRule>
|
|
<NATRule id="id2608974X69541" disabled="False" group="" position="3" action="Translate" comment="">
|
|
<OSrc neg="False">
|
|
<ObjectRef ref="net-Internal_net"/>
|
|
</OSrc>
|
|
<ODst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ODst>
|
|
<OSrv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</OSrv>
|
|
<TSrc neg="False">
|
|
<ObjectRef ref="id3F29FAF4"/>
|
|
</TSrc>
|
|
<TDst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</TDst>
|
|
<TSrv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</TSrv>
|
|
<ItfInb neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ItfInb>
|
|
<ItfOutb neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ItfOutb>
|
|
<NATRuleOptions>
|
|
<Option name="ipt_nat_random">True</Option>
|
|
<Option name="ipt_snat_random">True</Option>
|
|
<Option name="ipt_use_snat_instead_of_masq">False</Option>
|
|
</NATRuleOptions>
|
|
</NATRule>
|
|
<NATRule id="id1352019X12234" disabled="False" group="" position="4" action="Translate" comment="">
|
|
<OSrc neg="False">
|
|
<ObjectRef ref="net-Internal_net"/>
|
|
</OSrc>
|
|
<ODst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ODst>
|
|
<OSrv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</OSrv>
|
|
<TSrc neg="False">
|
|
<ObjectRef ref="id3F29FAF4"/>
|
|
</TSrc>
|
|
<TDst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</TDst>
|
|
<TSrv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</TSrv>
|
|
<ItfInb neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ItfInb>
|
|
<ItfOutb neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ItfOutb>
|
|
<NATRuleOptions>
|
|
<Option name="ipt_use_snat_instead_of_masq">True</Option>
|
|
</NATRuleOptions>
|
|
</NATRule>
|
|
<NATRule id="id2609056X69541" disabled="False" group="" position="5" action="Translate" comment="">
|
|
<OSrc neg="False">
|
|
<ObjectRef ref="net-Internal_net"/>
|
|
</OSrc>
|
|
<ODst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ODst>
|
|
<OSrv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</OSrv>
|
|
<TSrc neg="False">
|
|
<ObjectRef ref="id3F29FAF4"/>
|
|
</TSrc>
|
|
<TDst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</TDst>
|
|
<TSrv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</TSrv>
|
|
<ItfInb neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ItfInb>
|
|
<ItfOutb neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ItfOutb>
|
|
<NATRuleOptions>
|
|
<Option name="ipt_nat_random">True</Option>
|
|
<Option name="ipt_snat_random">True</Option>
|
|
<Option name="ipt_use_snat_instead_of_masq">True</Option>
|
|
</NATRuleOptions>
|
|
</NATRule>
|
|
<RuleSetOptions/>
|
|
</NAT>
|
|
<Policy id="id3F29FACB" name="Policy" comment="" ro="False" ipv4_rule_set="False" ipv6_rule_set="False" top_rule_set="True">
|
|
<PolicyRule id="id414F492F" disabled="False" group="" log="False" position="0" action="Accept" direction="Outbound" comment="">
|
|
<Src neg="False">
|
|
<ObjectRef ref="id3F29FAF4"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="id3F29FAF4"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions/>
|
|
</PolicyRule>
|
|
<PolicyRule id="id3F29FAEA" disabled="False" group="" log="False" position="1" action="Accept" direction="Both" comment="">
|
|
<Src neg="False">
|
|
<ObjectRef ref="net-Internal_net"/>
|
|
<ObjectRef ref="id3F29FAF4"/>
|
|
<ObjectRef ref="id3F29FAF7"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions/>
|
|
</PolicyRule>
|
|
<PolicyRule id="id3FFA5833" disabled="False" group="" log="False" position="2" action="Accept" direction="Both" comment="">
|
|
<Src neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="id3F6D17F4"/>
|
|
<ObjectRef ref="id3F29FAF4"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="sg-DHCP"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions/>
|
|
</PolicyRule>
|
|
<PolicyRule id="id3F29FAE0" disabled="False" group="" log="True" position="3" action="Deny" direction="Both" comment="">
|
|
<Src neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="stateless">True</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<RuleSetOptions/>
|
|
</Policy>
|
|
<Routing id="id3F29FAAD-routing" name="Routing" comment="" ro="False" ipv4_rule_set="False" ipv6_rule_set="False" top_rule_set="True">
|
|
<RuleSetOptions/>
|
|
</Routing>
|
|
<Interface id="id3F29FAF4" dedicated_failover="False" dyn="True" label="" mgmt="False" security_level="0" unnum="False" unprotected="False" name="eth0" comment="" ro="False">
|
|
<InterfaceOptions/>
|
|
</Interface>
|
|
<Interface id="id3F29FAF7" dedicated_failover="False" dyn="True" label="" mgmt="False" security_level="0" unnum="False" unprotected="False" name="eth1" comment="" ro="False">
|
|
<InterfaceOptions/>
|
|
</Interface>
|
|
<Interface id="id3F29FB06" dedicated_failover="False" dyn="False" security_level="100" unnum="False" unprotected="False" name="lo" comment="" ro="False">
|
|
<IPv4 id="id3F29FB07" name="address" comment="" ro="False" address="127.0.0.1" netmask="255.0.0.0"/>
|
|
<InterfaceOptions/>
|
|
</Interface>
|
|
<Interface id="id3F29FB90" dedicated_failover="False" dyn="False" label="" mgmt="True" security_level="100" unnum="False" unprotected="False" name="eth2" comment="" ro="False">
|
|
<IPv4 id="id3F29FB92" name="firewall21:eth2(ip)" comment="" ro="False" address="192.168.1.100" netmask="255.255.255.0"/>
|
|
<InterfaceOptions/>
|
|
</Interface>
|
|
<Management address="192.168.1.100">
|
|
<SNMPManagement enabled="False" snmp_read_community="public" snmp_write_community=""/>
|
|
<FWBDManagement enabled="True" identity="" port="9999"/>
|
|
<PolicyInstallScript arguments="" command="" enabled="False"/>
|
|
</Management>
|
|
<FirewallOptions>
|
|
<Option name="accept_established">True</Option>
|
|
<Option name="accept_new_tcp_with_no_syn">True</Option>
|
|
<Option name="action_on_reject">ICMP net unreachable</Option>
|
|
<Option name="bridging_fw">False</Option>
|
|
<Option name="check_shading">False</Option>
|
|
<Option name="clamp_mss_to_mtu">False</Option>
|
|
<Option name="cmdline"/>
|
|
<Option name="compiler"/>
|
|
<Option name="configure_interfaces">True</Option>
|
|
<Option name="debug">False</Option>
|
|
<Option name="dyn_addr">False</Option>
|
|
<Option name="firewall_is_part_of_any">True</Option>
|
|
<Option name="firewall_is_part_of_any_and_networks">True</Option>
|
|
<Option name="ignore_empty_groups">False</Option>
|
|
<Option name="inst_cmdline"/>
|
|
<Option name="inst_script"/>
|
|
<Option name="install_script"/>
|
|
<Option name="limit_suffix">/day</Option>
|
|
<Option name="limit_value">0</Option>
|
|
<Option name="linux24_accept_redirects"/>
|
|
<Option name="linux24_accept_source_route"/>
|
|
<Option name="linux24_icmp_echo_ignore_all"/>
|
|
<Option name="linux24_icmp_echo_ignore_broadcasts"/>
|
|
<Option name="linux24_icmp_ignore_bogus_error_responses"/>
|
|
<Option name="linux24_ip_dynaddr"/>
|
|
<Option name="linux24_ip_forward"/>
|
|
<Option name="linux24_log_martians"/>
|
|
<Option name="linux24_path_ip"/>
|
|
<Option name="linux24_path_iptables"/>
|
|
<Option name="linux24_path_logger"/>
|
|
<Option name="linux24_path_lsmod"/>
|
|
<Option name="linux24_path_modprobe"/>
|
|
<Option name="linux24_rp_filter"/>
|
|
<Option name="linux24_tcp_ecn"/>
|
|
<Option name="linux24_tcp_fack"/>
|
|
<Option name="linux24_tcp_fin_timeout">30</Option>
|
|
<Option name="linux24_tcp_keepalive_interval">1800</Option>
|
|
<Option name="linux24_tcp_sack"/>
|
|
<Option name="linux24_tcp_syncookies"/>
|
|
<Option name="linux24_tcp_timestamps"/>
|
|
<Option name="linux24_tcp_window_scaling"/>
|
|
<Option name="load_modules">False</Option>
|
|
<Option name="local_nat">False</Option>
|
|
<Option name="log_all">False</Option>
|
|
<Option name="log_all_dropped">False</Option>
|
|
<Option name="log_ip_opt">False</Option>
|
|
<Option name="log_level">debug</Option>
|
|
<Option name="log_limit_suffix">/second</Option>
|
|
<Option name="log_limit_value">0</Option>
|
|
<Option name="log_prefix">RULE %N -- %A on interface %I </Option>
|
|
<Option name="log_tcp_opt">False</Option>
|
|
<Option name="log_tcp_seq">False</Option>
|
|
<Option name="manage_virtual_addr">True</Option>
|
|
<Option name="no_iochains_for_any">False</Option>
|
|
<Option name="no_optimisation">False</Option>
|
|
<Option name="platform">iptables</Option>
|
|
<Option name="proxy_arp">False</Option>
|
|
<Option name="script_env_path"/>
|
|
<Option name="snmp_contact"/>
|
|
<Option name="snmp_description"/>
|
|
<Option name="snmp_location"/>
|
|
<Option name="ulog_cprange">0</Option>
|
|
<Option name="ulog_nlgroup">1</Option>
|
|
<Option name="ulog_qthreshold">1</Option>
|
|
<Option name="use_ULOG">False</Option>
|
|
<Option name="use_ip_tool">False</Option>
|
|
<Option name="use_numeric_log_levels">False</Option>
|
|
<Option name="verify_interfaces">False</Option>
|
|
</FirewallOptions>
|
|
</Firewall>
|
|
<Firewall id="id3FADB89A" host_OS="linux24" lastCompiled="1272404367" lastInstalled="1142003872" lastModified="1142003913" platform="iptables" version="1.2.9" name="firewall22" comment="testing NAT rules using custom services " ro="False">
|
|
<NAT id="id3FADB89B" name="NAT" comment="" ro="False" ipv4_rule_set="False" ipv6_rule_set="False" top_rule_set="True">
|
|
<NATRule id="id3FADBAA3" disabled="False" group="" position="0" action="Translate" comment="">
|
|
<OSrc neg="False">
|
|
<ObjectRef ref="net-Internal_net"/>
|
|
</OSrc>
|
|
<ODst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ODst>
|
|
<OSrv neg="False">
|
|
<ServiceRef ref="id3FADE3CC"/>
|
|
</OSrv>
|
|
<TSrc neg="False">
|
|
<ObjectRef ref="id3FADB89A"/>
|
|
</TSrc>
|
|
<TDst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</TDst>
|
|
<TSrv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</TSrv>
|
|
<ItfInb neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ItfInb>
|
|
<ItfOutb neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ItfOutb>
|
|
<NATRuleOptions/>
|
|
</NATRule>
|
|
<NATRule id="id3FADBAC2" disabled="False" group="" position="1" action="Translate" comment="">
|
|
<OSrc neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</OSrc>
|
|
<ODst neg="False">
|
|
<ObjectRef ref="id3FADB98B"/>
|
|
</ODst>
|
|
<OSrv neg="False">
|
|
<ServiceRef ref="id3FADE3CC"/>
|
|
</OSrv>
|
|
<TSrc neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</TSrc>
|
|
<TDst neg="False">
|
|
<ObjectRef ref="host-hostA"/>
|
|
</TDst>
|
|
<TSrv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</TSrv>
|
|
<ItfInb neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ItfInb>
|
|
<ItfOutb neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ItfOutb>
|
|
<NATRuleOptions/>
|
|
</NATRule>
|
|
<NATRule id="id3FADBAD4" disabled="False" group="" position="2" action="Translate" comment="">
|
|
<OSrc neg="False">
|
|
<ObjectRef ref="net-Internal_net"/>
|
|
</OSrc>
|
|
<ODst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ODst>
|
|
<OSrv neg="False">
|
|
<ServiceRef ref="id3FADE3CC"/>
|
|
</OSrv>
|
|
<TSrc neg="False">
|
|
<ObjectRef ref="id3FADB98B"/>
|
|
</TSrc>
|
|
<TDst neg="False">
|
|
<ObjectRef ref="id3B19C5EB"/>
|
|
</TDst>
|
|
<TSrv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</TSrv>
|
|
<ItfInb neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ItfInb>
|
|
<ItfOutb neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ItfOutb>
|
|
<NATRuleOptions/>
|
|
</NATRule>
|
|
<RuleSetOptions/>
|
|
</NAT>
|
|
<Policy id="id3FADB8D4" name="Policy" comment="" ro="False" ipv4_rule_set="False" ipv6_rule_set="False" top_rule_set="True">
|
|
<PolicyRule id="id3FADB98E" disabled="False" group="" log="True" position="0" action="Deny" direction="Inbound" comment="">
|
|
<Src neg="True">
|
|
<ObjectRef ref="id3B022266"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="id3FADB98B"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="stateless">True</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<PolicyRule id="id3FADB947" disabled="False" group="" log="True" position="1" action="Deny" direction="Both" comment="">
|
|
<Src neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="action_on_reject"/>
|
|
<Option name="id"/>
|
|
<Option name="limit_burst">0</Option>
|
|
<Option name="limit_suffix"/>
|
|
<Option name="limit_value">0</Option>
|
|
<Option name="log_level">error</Option>
|
|
<Option name="log_prefix"/>
|
|
<Option name="stateless">True</Option>
|
|
<Option name="ulog_nlgroup">10</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<RuleSetOptions/>
|
|
</Policy>
|
|
<Routing id="id3FADB89A-routing" name="Routing" comment="" ro="False" ipv4_rule_set="False" ipv6_rule_set="False" top_rule_set="True">
|
|
<RuleSetOptions/>
|
|
</Routing>
|
|
<Interface id="id3FADB988" dedicated_failover="False" dyn="False" label="" mgmt="True" security_level="100" unnum="False" unprotected="False" name="eth0" comment="" ro="False">
|
|
<IPv4 id="id3FADB989" name="address" comment="" ro="False" address="192.168.1.1" netmask="255.255.255.0"/>
|
|
<InterfaceOptions/>
|
|
</Interface>
|
|
<Interface id="id3FADB98B" dedicated_failover="False" dyn="False" label="" mgmt="False" security_level="0" unnum="False" unprotected="False" name="eth1" comment="" ro="False">
|
|
<IPv4 id="id3FADB98C" name="address" comment="" ro="False" address="192.168.2.1" netmask="255.255.255.0"/>
|
|
<InterfaceOptions/>
|
|
</Interface>
|
|
<Management address="192.168.1.1">
|
|
<SNMPManagement enabled="False" snmp_read_community="public" snmp_write_community=""/>
|
|
<FWBDManagement enabled="True" identity="" port="9999"/>
|
|
<PolicyInstallScript arguments="" command="" enabled="False"/>
|
|
</Management>
|
|
<FirewallOptions>
|
|
<Option name="accept_established">False</Option>
|
|
<Option name="accept_new_tcp_with_no_syn">True</Option>
|
|
<Option name="action_on_reject">ICMP host prohibited</Option>
|
|
<Option name="bridging_fw">False</Option>
|
|
<Option name="check_shading">False</Option>
|
|
<Option name="clamp_mss_to_mtu">False</Option>
|
|
<Option name="cmdline"/>
|
|
<Option name="compiler"/>
|
|
<Option name="configure_interfaces">True</Option>
|
|
<Option name="debug">False</Option>
|
|
<Option name="dyn_addr">False</Option>
|
|
<Option name="firewall_is_part_of_any">True</Option>
|
|
<Option name="firewall_is_part_of_any_and_networks">True</Option>
|
|
<Option name="id"/>
|
|
<Option name="ignore_empty_groups">False</Option>
|
|
<Option name="install_script"/>
|
|
<Option name="limit_suffix">/day</Option>
|
|
<Option name="limit_value">0</Option>
|
|
<Option name="linux24_accept_redirects"/>
|
|
<Option name="linux24_accept_source_route"/>
|
|
<Option name="linux24_icmp_echo_ignore_all"/>
|
|
<Option name="linux24_icmp_echo_ignore_broadcasts"/>
|
|
<Option name="linux24_icmp_ignore_bogus_error_responses"/>
|
|
<Option name="linux24_ip_dynaddr"/>
|
|
<Option name="linux24_ip_forward"/>
|
|
<Option name="linux24_log_martians"/>
|
|
<Option name="linux24_path_ip"/>
|
|
<Option name="linux24_path_iptables"/>
|
|
<Option name="linux24_path_logger"/>
|
|
<Option name="linux24_path_lsmod"/>
|
|
<Option name="linux24_path_modprobe"/>
|
|
<Option name="linux24_rp_filter"/>
|
|
<Option name="linux24_tcp_ecn"/>
|
|
<Option name="linux24_tcp_fack"/>
|
|
<Option name="linux24_tcp_fin_timeout">30</Option>
|
|
<Option name="linux24_tcp_keepalive_interval">1800</Option>
|
|
<Option name="linux24_tcp_sack"/>
|
|
<Option name="linux24_tcp_syncookies"/>
|
|
<Option name="linux24_tcp_timestamps"/>
|
|
<Option name="linux24_tcp_window_scaling"/>
|
|
<Option name="load_modules">False</Option>
|
|
<Option name="local_nat">False</Option>
|
|
<Option name="log_all">False</Option>
|
|
<Option name="log_all_dropped">False</Option>
|
|
<Option name="log_ip_opt">False</Option>
|
|
<Option name="log_level"/>
|
|
<Option name="log_limit_suffix"/>
|
|
<Option name="log_limit_value">0</Option>
|
|
<Option name="log_prefix"/>
|
|
<Option name="log_tcp_opt">False</Option>
|
|
<Option name="log_tcp_seq">False</Option>
|
|
<Option name="manage_virtual_addr">True</Option>
|
|
<Option name="no_iochains_for_any">False</Option>
|
|
<Option name="no_optimisation">False</Option>
|
|
<Option name="platform">iptables</Option>
|
|
<Option name="script_env_path"/>
|
|
<Option name="snmp_contact"/>
|
|
<Option name="snmp_description"/>
|
|
<Option name="snmp_location"/>
|
|
<Option name="ulog_cprange">0</Option>
|
|
<Option name="ulog_nlgroup">1</Option>
|
|
<Option name="ulog_qthreshold">1</Option>
|
|
<Option name="use_ULOG">False</Option>
|
|
<Option name="use_numeric_log_levels">False</Option>
|
|
<Option name="verify_interfaces">True</Option>
|
|
</FirewallOptions>
|
|
</Firewall>
|
|
<Firewall id="id3FB32E8E" host_OS="linux24" inactive="False" lastCompiled="1272404369" lastInstalled="1142003872" lastModified="1215123498" platform="iptables" version="" name="firewall23" comment=" This is BRIDGING FIREWALL " ro="False">
|
|
<NAT id="id3FB32E8F" name="NAT" comment="" ro="False" ipv4_rule_set="False" ipv6_rule_set="False" top_rule_set="True">
|
|
<RuleSetOptions/>
|
|
</NAT>
|
|
<Policy id="id3FB32EAC" name="Policy" comment="" ro="False" ipv4_rule_set="False" ipv6_rule_set="False" top_rule_set="True">
|
|
<PolicyRule id="id3FB33184" disabled="False" group="" log="False" position="0" action="Accept" direction="Inbound" comment="">
|
|
<Src neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="id3FB32E8E"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="id3FB32F13"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions/>
|
|
</PolicyRule>
|
|
<PolicyRule id="id402A6DCC" disabled="False" group="" log="False" position="1" action="Accept" direction="Inbound" comment="">
|
|
<Src neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="id3FB32F13"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions/>
|
|
</PolicyRule>
|
|
<PolicyRule id="id3FB32F15" disabled="False" group="" log="False" position="2" action="Accept" direction="Inbound" comment="">
|
|
<Src neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="id3B64FFAC"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="id3FB32F13"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions/>
|
|
</PolicyRule>
|
|
<PolicyRule id="id3FB32F1F" disabled="False" group="" log="False" position="3" action="Accept" direction="Inbound" comment="">
|
|
<Src neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="id3CFBE20C"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="id3FB32F13"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions/>
|
|
</PolicyRule>
|
|
<PolicyRule id="id3FB32F29" disabled="False" group="" log="False" position="4" action="Accept" direction="Inbound" comment="">
|
|
<Src neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="id3A84EECE"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="id3FB32F13"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions/>
|
|
</PolicyRule>
|
|
<PolicyRule id="id3FB32F33" disabled="False" group="" log="False" position="5" action="Accept" direction="Inbound" comment="">
|
|
<Src neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="net-Internal_net"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="id3FB32F13"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions/>
|
|
</PolicyRule>
|
|
<PolicyRule id="id3FB32F3D" disabled="False" group="" log="False" position="6" action="Accept" direction="Inbound" comment="">
|
|
<Src neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Src>
|
|
<Dst neg="True">
|
|
<ObjectRef ref="net-Internal_net"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="id3FB32F13"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions/>
|
|
</PolicyRule>
|
|
<PolicyRule id="id3FB32EAD" disabled="False" group="" log="False" position="7" action="Accept" direction="Both" comment="">
|
|
<Src neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="id3CFBE20C"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="udp-bootpc"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions/>
|
|
</PolicyRule>
|
|
<PolicyRule id="id3FB32EB7" disabled="False" group="" log="False" position="8" action="Accept" direction="Both" comment="">
|
|
<Src neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="id3B64FFAC"/>
|
|
<ObjectRef ref="host-hostA"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="udp-bootpc"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions/>
|
|
</PolicyRule>
|
|
<PolicyRule id="id3FB32EC2" disabled="False" group="" log="False" position="9" action="Accept" direction="Both" comment="">
|
|
<Src neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="id3A84EECE"/>
|
|
<ObjectRef ref="host-hostB"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions/>
|
|
</PolicyRule>
|
|
<PolicyRule id="id3FB32ECD" disabled="False" group="" log="False" position="10" action="Accept" direction="Both" comment="">
|
|
<Src neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="id3D84EEC8"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions/>
|
|
</PolicyRule>
|
|
<PolicyRule id="id3FB32ED7" disabled="False" group="" log="False" position="11" action="Accept" direction="Both" comment="">
|
|
<Src neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="host-hostA"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="tcp-IRC"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions/>
|
|
</PolicyRule>
|
|
<PolicyRule id="id3FB32EE1" disabled="False" group="" log="True" position="12" action="Deny" direction="Both" comment="">
|
|
<Src neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="host-hostA"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="stateless">True</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<PolicyRule id="id3FB32EEB" disabled="False" group="" log="False" position="13" action="Accept" direction="Both" comment="this rule should generate commands in both INPUT and FORWARD chains because this is a bridging firewall see bug #811860">
|
|
<Src neg="False">
|
|
<ObjectRef ref="net-Internal_net"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="id3FB32E8E"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="tcp-SSH"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions/>
|
|
</PolicyRule>
|
|
<PolicyRule id="id3FB32EF5" disabled="False" group="" log="False" position="14" action="Accept" direction="Both" comment="">
|
|
<Src neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="id3FB32E8E"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions/>
|
|
</PolicyRule>
|
|
<PolicyRule id="id3FB32EFF" disabled="False" group="" log="False" position="15" action="Accept" direction="Both" comment="interface of another firewall (firewall11) Why do we need to test for this? ">
|
|
<Src neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="id3F28B886"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions/>
|
|
</PolicyRule>
|
|
<PolicyRule id="id3FB32F09" disabled="True" group="" log="False" position="16" action="Accept" direction="Both" comment="testing processor checkForUnnumbered">
|
|
<Src neg="False">
|
|
<ObjectRef ref="id3FB32F13"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions/>
|
|
</PolicyRule>
|
|
<RuleSetOptions/>
|
|
</Policy>
|
|
<Routing id="id3FB32E8E-routing" name="Routing" comment="" ro="False" ipv4_rule_set="False" ipv6_rule_set="False" top_rule_set="True">
|
|
<RuleSetOptions/>
|
|
</Routing>
|
|
<Interface id="id3FB32F13" dedicated_failover="False" dyn="False" label="" mgmt="False" security_level="100" unnum="True" unprotected="False" name="eth*" comment="this interface is part of the bridge" ro="False">
|
|
<InterfaceOptions/>
|
|
</Interface>
|
|
<Interface id="id3FB32F49" dedicated_failover="False" dyn="False" security_level="100" unnum="False" unprotected="False" name="lo" comment="" ro="False">
|
|
<IPv4 id="id3FB32F4A" name="address" comment="" ro="False" address="127.0.0.1" netmask="255.0.0.0"/>
|
|
<InterfaceOptions/>
|
|
</Interface>
|
|
<Interface id="id3FB32F4C" dedicated_failover="False" dyn="False" label="" mgmt="False" security_level="100" unnum="False" unprotected="False" name="br0" comment="c" ro="False">
|
|
<IPv4 id="id3FB331CD" name="firewall23:br0(ip)" comment="" ro="False" address="192.168.1.1" netmask="255.255.255.0"/>
|
|
<InterfaceOptions/>
|
|
</Interface>
|
|
<Management address="192.168.1.1">
|
|
<SNMPManagement enabled="False" snmp_read_community="public" snmp_write_community=""/>
|
|
<FWBDManagement enabled="True" identity="" port="9999"/>
|
|
<PolicyInstallScript arguments="" command="" enabled="False"/>
|
|
</Management>
|
|
<FirewallOptions>
|
|
<Option name="accept_established">True</Option>
|
|
<Option name="accept_new_tcp_with_no_syn">True</Option>
|
|
<Option name="action_on_reject">ICMP net unreachable</Option>
|
|
<Option name="activationCmd"/>
|
|
<Option name="admUser"/>
|
|
<Option name="altAddress"/>
|
|
<Option name="bridging_fw">True</Option>
|
|
<Option name="check_shading">False</Option>
|
|
<Option name="clamp_mss_to_mtu">True</Option>
|
|
<Option name="classify_mark_terminating">False</Option>
|
|
<Option name="cmdline"/>
|
|
<Option name="compiler"/>
|
|
<Option name="configure_interfaces">True</Option>
|
|
<Option name="debug">False</Option>
|
|
<Option name="drop_invalid">False</Option>
|
|
<Option name="dyn_addr">False</Option>
|
|
<Option name="enable_ipv6">False</Option>
|
|
<Option name="epilog_script"/>
|
|
<Option name="firewall_dir"/>
|
|
<Option name="firewall_is_part_of_any">True</Option>
|
|
<Option name="firewall_is_part_of_any_and_networks">True</Option>
|
|
<Option name="ignore_empty_groups">False</Option>
|
|
<Option name="inst_cmdline"/>
|
|
<Option name="inst_script"/>
|
|
<Option name="install_script"/>
|
|
<Option name="ipv4_6_order">ipv4_first</Option>
|
|
<Option name="limit_suffix">/day</Option>
|
|
<Option name="limit_value">0</Option>
|
|
<Option name="linux24_accept_redirects"/>
|
|
<Option name="linux24_accept_source_route"/>
|
|
<Option name="linux24_icmp_echo_ignore_all"/>
|
|
<Option name="linux24_icmp_echo_ignore_broadcasts"/>
|
|
<Option name="linux24_icmp_ignore_bogus_error_responses"/>
|
|
<Option name="linux24_ip_dynaddr"/>
|
|
<Option name="linux24_ip_forward"/>
|
|
<Option name="linux24_log_martians"/>
|
|
<Option name="linux24_path_ip"/>
|
|
<Option name="linux24_path_iptables"/>
|
|
<Option name="linux24_path_logger"/>
|
|
<Option name="linux24_path_lsmod"/>
|
|
<Option name="linux24_path_modprobe"/>
|
|
<Option name="linux24_rp_filter"/>
|
|
<Option name="linux24_tcp_ecn"/>
|
|
<Option name="linux24_tcp_fack"/>
|
|
<Option name="linux24_tcp_fin_timeout">30</Option>
|
|
<Option name="linux24_tcp_keepalive_interval">1800</Option>
|
|
<Option name="linux24_tcp_sack"/>
|
|
<Option name="linux24_tcp_syncookies"/>
|
|
<Option name="linux24_tcp_timestamps"/>
|
|
<Option name="linux24_tcp_window_scaling"/>
|
|
<Option name="load_modules">False</Option>
|
|
<Option name="local_nat">False</Option>
|
|
<Option name="log_all">False</Option>
|
|
<Option name="log_all_dropped">False</Option>
|
|
<Option name="log_invalid">False</Option>
|
|
<Option name="log_ip_opt">False</Option>
|
|
<Option name="log_level">debug</Option>
|
|
<Option name="log_limit_suffix">/second</Option>
|
|
<Option name="log_limit_value">0</Option>
|
|
<Option name="log_prefix"/>
|
|
<Option name="log_tcp_opt">False</Option>
|
|
<Option name="log_tcp_seq">False</Option>
|
|
<Option name="manage_virtual_addr">True</Option>
|
|
<Option name="mgmt_addr"/>
|
|
<Option name="mgmt_ssh">False</Option>
|
|
<Option name="no_iochains_for_any">False</Option>
|
|
<Option name="no_ipv6_default_policy">False</Option>
|
|
<Option name="no_optimisation">False</Option>
|
|
<Option name="output_file"/>
|
|
<Option name="platform">iptables</Option>
|
|
<Option name="prolog_place">top</Option>
|
|
<Option name="prolog_script"/>
|
|
<Option name="proxy_arp">False</Option>
|
|
<Option name="script_env_path"/>
|
|
<Option name="snmp_contact"/>
|
|
<Option name="snmp_description"/>
|
|
<Option name="snmp_location"/>
|
|
<Option name="sshArgs"/>
|
|
<Option name="ulog_cprange">0</Option>
|
|
<Option name="ulog_nlgroup">1</Option>
|
|
<Option name="ulog_qthreshold">1</Option>
|
|
<Option name="use_ULOG">False</Option>
|
|
<Option name="use_ip_tool">False</Option>
|
|
<Option name="use_iptables_restore">False</Option>
|
|
<Option name="use_numeric_log_levels">False</Option>
|
|
<Option name="verify_interfaces">False</Option>
|
|
</FirewallOptions>
|
|
</Firewall>
|
|
<Firewall id="id402B23A8" host_OS="linux24" lastCompiled="1272404374" lastInstalled="1142003872" lastModified="0" platform="iptables" name="firewall24" comment="testing rules on unnumbered interface tun* " ro="False">
|
|
<NAT id="id402B23A9" name="NAT" comment="" ro="False" ipv4_rule_set="False" ipv6_rule_set="False" top_rule_set="True">
|
|
<RuleSetOptions/>
|
|
</NAT>
|
|
<Policy id="id402B23AA" name="Policy" comment="" ro="False" ipv4_rule_set="False" ipv6_rule_set="False" top_rule_set="True">
|
|
<PolicyRule id="id402B2413" disabled="False" group="" log="False" position="0" action="Accept" direction="Inbound" comment="">
|
|
<Src neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="id402B23A8"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="id402B2411"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions/>
|
|
</PolicyRule>
|
|
<PolicyRule id="id402B241D" disabled="False" group="" log="False" position="1" action="Accept" direction="Inbound" comment="">
|
|
<Src neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="id402B2411"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions/>
|
|
</PolicyRule>
|
|
<PolicyRule id="id402B268E" disabled="False" group="" log="False" position="2" action="Accept" direction="Outbound" comment="">
|
|
<Src neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="id402B2411"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions/>
|
|
</PolicyRule>
|
|
<PolicyRule id="id402B269C" disabled="False" group="" log="False" position="3" action="Accept" direction="Both" comment="">
|
|
<Src neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="id402B2411"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions/>
|
|
</PolicyRule>
|
|
<PolicyRule id="id403B9475" disabled="False" group="" log="False" position="4" action="Accept" direction="Inbound" comment="">
|
|
<Src neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="sg-DHCP"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="id402B2411"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions/>
|
|
</PolicyRule>
|
|
<PolicyRule id="id402B2427" disabled="False" group="" log="False" position="5" action="Accept" direction="Inbound" comment="">
|
|
<Src neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="id3B64FFAC"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="id402B2411"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions/>
|
|
</PolicyRule>
|
|
<PolicyRule id="id402B2431" disabled="False" group="" log="False" position="6" action="Accept" direction="Inbound" comment="">
|
|
<Src neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="id3CFBE20C"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="id402B2411"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions/>
|
|
</PolicyRule>
|
|
<PolicyRule id="id402B243B" disabled="False" group="" log="False" position="7" action="Accept" direction="Inbound" comment="">
|
|
<Src neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="id3A84EECE"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="id402B2411"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions/>
|
|
</PolicyRule>
|
|
<PolicyRule id="id402B2445" disabled="False" group="" log="False" position="8" action="Accept" direction="Inbound" comment="">
|
|
<Src neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="net-Internal_net"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="id402B2411"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions/>
|
|
</PolicyRule>
|
|
<PolicyRule id="id402B244F" disabled="False" group="" log="False" position="9" action="Accept" direction="Inbound" comment="">
|
|
<Src neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Src>
|
|
<Dst neg="True">
|
|
<ObjectRef ref="net-Internal_net"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="id402B2411"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions/>
|
|
</PolicyRule>
|
|
<PolicyRule id="id402B23AB" disabled="False" group="" log="False" position="10" action="Accept" direction="Both" comment="">
|
|
<Src neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="id3CFBE20C"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="udp-bootpc"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions/>
|
|
</PolicyRule>
|
|
<PolicyRule id="id402B23B5" disabled="False" group="" log="False" position="11" action="Accept" direction="Both" comment="">
|
|
<Src neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="id3B64FFAC"/>
|
|
<ObjectRef ref="host-hostA"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="udp-bootpc"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions/>
|
|
</PolicyRule>
|
|
<PolicyRule id="id417C304A" disabled="False" group="" log="False" position="12" action="Accept" direction="Both" comment="">
|
|
<Src neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="id417B3641"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="udp-bootpc"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions/>
|
|
</PolicyRule>
|
|
<PolicyRule id="id402B23C0" disabled="False" group="" log="False" position="13" action="Accept" direction="Both" comment="">
|
|
<Src neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="id3A84EECE"/>
|
|
<ObjectRef ref="host-hostB"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions/>
|
|
</PolicyRule>
|
|
<PolicyRule id="id402B23CB" disabled="False" group="" log="False" position="14" action="Accept" direction="Both" comment="">
|
|
<Src neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="id3D84EEC8"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions/>
|
|
</PolicyRule>
|
|
<PolicyRule id="id402B23D5" disabled="False" group="" log="False" position="15" action="Accept" direction="Both" comment="">
|
|
<Src neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="host-hostA"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="tcp-IRC"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions/>
|
|
</PolicyRule>
|
|
<PolicyRule id="id402B23DF" disabled="False" group="" log="True" position="16" action="Deny" direction="Both" comment="">
|
|
<Src neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="host-hostA"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="stateless">True</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<PolicyRule id="id402B23E9" disabled="False" group="" log="False" position="17" action="Accept" direction="Both" comment="">
|
|
<Src neg="False">
|
|
<ObjectRef ref="net-Internal_net"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="id402B23A8"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="tcp-SSH"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions/>
|
|
</PolicyRule>
|
|
<PolicyRule id="id402B23F3" disabled="False" group="" log="False" position="18" action="Accept" direction="Both" comment="">
|
|
<Src neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="id402B23A8"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions/>
|
|
</PolicyRule>
|
|
<PolicyRule id="id402B23FD" disabled="False" group="" log="False" position="19" action="Accept" direction="Both" comment="">
|
|
<Src neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="id402B245C"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions/>
|
|
</PolicyRule>
|
|
<PolicyRule id="id402B2407" disabled="True" group="" log="False" position="20" action="Accept" direction="Both" comment="testing processor checkForUnnumbered">
|
|
<Src neg="False">
|
|
<ObjectRef ref="id402B2411"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions/>
|
|
</PolicyRule>
|
|
<RuleSetOptions/>
|
|
</Policy>
|
|
<Routing id="id402B23A8-routing" name="Routing" comment="" ro="False" ipv4_rule_set="False" ipv6_rule_set="False" top_rule_set="True">
|
|
<RuleSetOptions/>
|
|
</Routing>
|
|
<Interface id="id402B2411" dedicated_failover="False" dyn="False" label="" mgmt="False" security_level="100" unnum="True" unprotected="False" name="tun*" comment="wildcard unnumbered interface (tun*) used to test rules on unnumbered interfaces; unlike firewall23, this firewall is not configured as a bridge (bridging_fw is False)" ro="False">
|
|
<InterfaceOptions/>
|
|
</Interface>
|
|
<Interface id="id402B2459" dedicated_failover="False" dyn="False" security_level="100" unnum="False" unprotected="False" name="lo" comment="" ro="False">
|
|
<IPv4 id="id402B245A" name="address" comment="" ro="False" address="127.0.0.1" netmask="255.0.0.0"/>
|
|
<InterfaceOptions/>
|
|
</Interface>
|
|
<Interface id="id402B245C" dedicated_failover="False" dyn="False" label="" mgmt="False" security_level="100" unnum="False" unprotected="False" name="eth0" comment="" ro="False">
|
|
<IPv4 id="id402B245D" name="firewall23:eth0(ip)" comment="" ro="False" address="192.168.1.1" netmask="255.255.255.0"/>
|
|
<InterfaceOptions/>
|
|
</Interface>
|
|
<Management address="192.168.1.1">
|
|
<SNMPManagement enabled="False" snmp_read_community="public" snmp_write_community=""/>
|
|
<FWBDManagement enabled="True" identity="" port="9999"/>
|
|
<PolicyInstallScript arguments="" command="" enabled="False"/>
|
|
</Management>
|
|
<FirewallOptions>
|
|
<Option name="accept_established">True</Option>
|
|
<Option name="accept_new_tcp_with_no_syn">True</Option>
|
|
<Option name="action_on_reject">ICMP net unreachable</Option>
|
|
<Option name="bridging_fw">False</Option>
|
|
<Option name="check_shading">False</Option>
|
|
<Option name="clamp_mss_to_mtu">False</Option>
|
|
<Option name="cmdline"/>
|
|
<Option name="compiler"/>
|
|
<Option name="configure_interfaces">True</Option>
|
|
<Option name="debug">False</Option>
|
|
<Option name="dyn_addr">False</Option>
|
|
<Option name="firewall_is_part_of_any">True</Option>
|
|
<Option name="firewall_is_part_of_any_and_networks">True</Option>
|
|
<Option name="ignore_empty_groups">False</Option>
|
|
<Option name="inst_cmdline"/>
|
|
<Option name="inst_script"/>
|
|
<Option name="install_script"/>
|
|
<Option name="limit_suffix">/day</Option>
|
|
<Option name="limit_value">0</Option>
|
|
<Option name="linux24_accept_redirects"/>
|
|
<Option name="linux24_accept_source_route"/>
|
|
<Option name="linux24_icmp_echo_ignore_all"/>
|
|
<Option name="linux24_icmp_echo_ignore_broadcasts"/>
|
|
<Option name="linux24_icmp_ignore_bogus_error_responses"/>
|
|
<Option name="linux24_ip_dynaddr"/>
|
|
<Option name="linux24_ip_forward"/>
|
|
<Option name="linux24_log_martians"/>
|
|
<Option name="linux24_path_ip"/>
|
|
<Option name="linux24_path_iptables"/>
|
|
<Option name="linux24_path_logger"/>
|
|
<Option name="linux24_path_lsmod"/>
|
|
<Option name="linux24_path_modprobe"/>
|
|
<Option name="linux24_rp_filter"/>
|
|
<Option name="linux24_tcp_ecn"/>
|
|
<Option name="linux24_tcp_fack"/>
|
|
<Option name="linux24_tcp_fin_timeout">30</Option>
|
|
<Option name="linux24_tcp_keepalive_interval">1800</Option>
|
|
<Option name="linux24_tcp_sack"/>
|
|
<Option name="linux24_tcp_syncookies"/>
|
|
<Option name="linux24_tcp_timestamps"/>
|
|
<Option name="linux24_tcp_window_scaling"/>
|
|
<Option name="load_modules">False</Option>
|
|
<Option name="local_nat">False</Option>
|
|
<Option name="log_all">False</Option>
|
|
<Option name="log_all_dropped">False</Option>
|
|
<Option name="log_ip_opt">False</Option>
|
|
<Option name="log_level">debug</Option>
|
|
<Option name="log_limit_suffix">/second</Option>
|
|
<Option name="log_limit_value">0</Option>
|
|
<Option name="log_prefix"/>
|
|
<Option name="log_tcp_opt">False</Option>
|
|
<Option name="log_tcp_seq">False</Option>
|
|
<Option name="manage_virtual_addr">True</Option>
|
|
<Option name="no_iochains_for_any">False</Option>
|
|
<Option name="no_optimisation">False</Option>
|
|
<Option name="platform">iptables</Option>
|
|
<Option name="proxy_arp">False</Option>
|
|
<Option name="script_env_path"/>
|
|
<Option name="snmp_contact"/>
|
|
<Option name="snmp_description"/>
|
|
<Option name="snmp_location"/>
|
|
<Option name="ulog_cprange">0</Option>
|
|
<Option name="ulog_nlgroup">1</Option>
|
|
<Option name="ulog_qthreshold">1</Option>
|
|
<Option name="use_ULOG">False</Option>
|
|
<Option name="use_ip_tool">False</Option>
|
|
<Option name="use_numeric_log_levels">False</Option>
|
|
<Option name="verify_interfaces">False</Option>
|
|
</FirewallOptions>
|
|
</Firewall>
|
|
<Firewall id="id41528C2C" host_OS="linux24" lastCompiled="1272404591" lastInstalled="1142003872" lastModified="0" platform="iptables" version="" name="rh90" comment="This is an example of a firewall protecting a single host (a server or a workstation). Only SSH, a few useful ICMP types and ping requests are permitted to the host; everything else is denied and logged, and packets arriving on eth0 with the host's own source address are denied as spoofed. Note: in this example eth0 has a static address (10.3.14.58), not a dynamic one. The legacy activation script stored in this object runs the generated script from /tmp via sudo; treat it as historical test data rather than a recommended install procedure." ro="False">
|
|
<NAT id="id41528C52" name="NAT" comment="" ro="False" ipv4_rule_set="False" ipv6_rule_set="False" top_rule_set="True">
|
|
<RuleSetOptions/>
|
|
</NAT>
|
|
<Policy id="id41528C31" name="Policy" comment="" ro="False" ipv4_rule_set="False" ipv6_rule_set="False" top_rule_set="True">
|
|
<PolicyRule id="id41528C60" disabled="False" group="" log="True" position="0" action="Deny" direction="Inbound" comment="anti spoofing rule">
|
|
<Src neg="False">
|
|
<ObjectRef ref="id41528C2C"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="id41528C53"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="stateless">True</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<PolicyRule id="id41528C78" disabled="False" group="" log="False" position="1" action="Accept" direction="Both" comment="">
|
|
<Src neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="id41528C6A"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions/>
|
|
</PolicyRule>
|
|
<PolicyRule id="id41528C32" disabled="False" group="" log="False" position="2" action="Accept" direction="Both" comment="SSH Access to the host; useful ICMP types; ping request">
|
|
<Src neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="id41528C2C"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="tcp-SSH"/>
|
|
<ServiceRef ref="sg-Useful_ICMP"/>
|
|
<ServiceRef ref="icmp-ping_request"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions/>
|
|
</PolicyRule>
|
|
<PolicyRule id="id41528C3E" disabled="False" group="" log="False" position="3" action="Accept" direction="Both" comment="">
|
|
<Src neg="False">
|
|
<ObjectRef ref="id41528C2C"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions/>
|
|
</PolicyRule>
|
|
<PolicyRule id="id41528C48" disabled="False" group="" log="True" position="4" action="Deny" direction="Both" comment="">
|
|
<Src neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="stateless">True</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<RuleSetOptions/>
|
|
</Policy>
|
|
<Routing id="id41528C2C-routing" name="Routing" comment="" ro="False" ipv4_rule_set="False" ipv6_rule_set="False" top_rule_set="True">
|
|
<RuleSetOptions/>
|
|
</Routing>
|
|
<Interface id="id41528C53" dedicated_failover="False" dyn="False" label="outside" mgmt="True" security_level="0" unnum="False" unprotected="False" name="eth0" comment="" ro="False">
|
|
<IPv4 id="id41528C88" name="rh90:eth0:ip" comment="" ro="False" address="10.3.14.58" netmask="255.255.255.0"/>
|
|
<InterfaceOptions/>
|
|
</Interface>
|
|
<Interface id="id41528C6A" dedicated_failover="False" dyn="False" label="loopback" mgmt="False" security_level="100" unnum="False" unprotected="False" name="lo" comment="" ro="False">
|
|
<IPv4 id="id41528C82" name="rh90:lo:ip" comment="" ro="False" address="127.0.0.1" netmask="255.0.0.0"/>
|
|
<InterfaceOptions/>
|
|
</Interface>
|
|
<Management address="0.0.0.0">
|
|
<SNMPManagement enabled="False" snmp_read_community="" snmp_write_community=""/>
|
|
<FWBDManagement enabled="False" identity="" port="-1"/>
|
|
<PolicyInstallScript arguments="" command="" enabled="False"/>
|
|
</Management>
|
|
<FirewallOptions>
|
|
<Option name="accept_established">true</Option>
|
|
<Option name="accept_new_tcp_with_no_syn">true</Option>
|
|
<Option name="activation">
|
|
|
|
|
|
echo '%FWBPROMPT%';
|
|
cat > %FWDIR%/%FWSCRIPT%;
|
|
|
|
|
|
|
|
|
|
echo '%FWBPROMPT%'; chmod +x %FWDIR%/%FWSCRIPT%; sudo -S %FWDIR%/%FWSCRIPT%; sudo -S ps ax|awk '/shutdown/ {printf "kill %d\n",$1;}'|sh
|
|
|
|
|
|
echo '%FWBPROMPT%'; chmod +x %FWDIR%/%FWSCRIPT%; sudo -S %FWDIR%/%FWSCRIPT%; sudo -S ps ax|awk '/shutdown/ {printf "kill %d\n",$1;}'|sh
|
|
|
|
|
|
|
|
|
|
|
|
echo '%FWBPROMPT%'; chmod +x /tmp/%FWSCRIPT%; sudo -S /sbin/shutdown -r +%RBTIMEOUT%; sudo -S /tmp/%FWSCRIPT%
|
|
|
|
|
|
echo '%FWBPROMPT%'; chmod +x /tmp/%FWSCRIPT%; sudo -S /tmp/%FWSCRIPT%
|
|
|
|
|
|
|
|
|
|
|
|
|
|
echo '%FWBPROMPT%';
|
|
cat > %FWDIR%/%FWSCRIPT%;
|
|
|
|
|
|
|
|
|
|
echo '%FWBPROMPT%'; sh %FWDIR%/%FWSCRIPT%; ps ax|awk '/shutdown/ {printf "kill %d\n",$1;}'|sh
|
|
|
|
|
|
echo '%FWBPROMPT%'; sh %FWDIR%/%FWSCRIPT%; ps ax|awk '/shutdown/ {printf "kill %d\n",$1;}'|sh
|
|
|
|
|
|
|
|
|
|
|
|
echo '%FWBPROMPT%'; /sbin/shutdown -r +%RBTIMEOUT%; sh /tmp/%FWSCRIPT%
|
|
|
|
|
|
echo '%FWBPROMPT%'; sh /tmp/%FWSCRIPT%
|
|
|
|
|
|
|
|
|
|
</Option>
|
|
<Option name="check_shading">true</Option>
|
|
<Option name="configure_interfaces">true</Option>
|
|
<Option name="eliminate_duplicates">true</Option>
|
|
<Option name="firewall_dir">/etc</Option>
|
|
<Option name="firewall_is_part_of_any_and_networks">true</Option>
|
|
<Option name="freebsd_ip_forward">1</Option>
|
|
<Option name="fwdir">/etc/fw</Option>
|
|
<Option name="fwdir_test">/tmp</Option>
|
|
<Option name="in_out_code">true</Option>
|
|
<Option name="limit_value">0</Option>
|
|
<Option name="linux24_ip_forward">1</Option>
|
|
<Option name="load_modules">true</Option>
|
|
<Option name="local_nat">false</Option>
|
|
<Option name="log_level">info</Option>
|
|
<Option name="log_prefix">RULE %N -- %A </Option>
|
|
<Option name="loopback_interface">lo0</Option>
|
|
<Option name="macosx_ip_forward">1</Option>
|
|
<Option name="manage_virtual_addr">true</Option>
|
|
<Option name="openbsd_ip_forward">1</Option>
|
|
<Option name="pass_all_out">false</Option>
|
|
<Option name="pf_limit_frags">5000</Option>
|
|
<Option name="pf_limit_states">10000</Option>
|
|
<Option name="pf_scrub_maxmss">1460</Option>
|
|
<Option name="pf_timeout_frag">30</Option>
|
|
<Option name="pf_timeout_interval">10</Option>
|
|
<Option name="pix_add_clear_statements">true</Option>
|
|
<Option name="pix_assume_fw_part_of_any">true</Option>
|
|
<Option name="pix_default_logint">300</Option>
|
|
<Option name="pix_emblem_log_format">false</Option>
|
|
<Option name="pix_emulate_out_acl">true</Option>
|
|
<Option name="pix_floodguard">true</Option>
|
|
<Option name="pix_include_comments">true</Option>
|
|
<Option name="pix_route_dnat_supported">true</Option>
|
|
<Option name="pix_rule_syslog_settings">false</Option>
|
|
<Option name="pix_security_fragguard_supported">true</Option>
|
|
<Option name="pix_syslog_device_id_supported">false</Option>
|
|
<Option name="pix_use_acl_remarks">true</Option>
|
|
<Option name="prompt1">$ </Option>
|
|
<Option name="prompt2"> # </Option>
|
|
<Option name="solaris_ip_forward">1</Option>
|
|
<Option name="timeout_units">sec</Option>
|
|
<Option name="ulog_nlgroup">1</Option>
|
|
<Option name="verify_interfaces">true</Option>
|
|
</FirewallOptions>
|
|
</Firewall>
|
|
<Firewall id="id417C680B" host_OS="linux24" inactive="False" lastCompiled="1272404379" lastInstalled="1142003872" lastModified="1280359295" platform="iptables" version="1.4.0" name="firewall25" comment="this firewall uses iptables-restore format. Firewall has wildcard interface ppp*; the script is generated dynamically and then piped to iptables-restore. Two rule sets for the filter table, to make sure there is only one COMMIT for both" ro="False">
|
|
<NAT id="id417C688D" name="NAT" comment="" ro="False" ipv4_rule_set="False" ipv6_rule_set="False" top_rule_set="True">
|
|
<NATRule id="id417C688E" disabled="False" group="" position="0" action="Translate" comment="">
|
|
<OSrc neg="False">
|
|
<ObjectRef ref="net-Internal_net"/>
|
|
</OSrc>
|
|
<ODst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ODst>
|
|
<OSrv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</OSrv>
|
|
<TSrc neg="False">
|
|
<ObjectRef ref="id417C680B"/>
|
|
</TSrc>
|
|
<TDst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</TDst>
|
|
<TSrv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</TSrv>
|
|
<ItfInb neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ItfInb>
|
|
<ItfOutb neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ItfOutb>
|
|
<NATRuleOptions/>
|
|
</NATRule>
|
|
<NATRule id="id417C689C" disabled="False" group="" position="1" action="Translate" comment="">
|
|
<OSrc neg="False">
|
|
<ObjectRef ref="net-Internal_net"/>
|
|
</OSrc>
|
|
<ODst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ODst>
|
|
<OSrv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</OSrv>
|
|
<TSrc neg="False">
|
|
<ObjectRef ref="id3AFADBF9"/>
|
|
</TSrc>
|
|
<TDst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</TDst>
|
|
<TSrv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</TSrv>
|
|
<ItfInb neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ItfInb>
|
|
<ItfOutb neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ItfOutb>
|
|
<NATRuleOptions/>
|
|
</NATRule>
|
|
<NATRule id="id417C68AA" disabled="False" group="" position="2" action="Translate" comment="">
|
|
<OSrc neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</OSrc>
|
|
<ODst neg="False">
|
|
<ObjectRef ref="id417C680B"/>
|
|
</ODst>
|
|
<OSrv neg="False">
|
|
<ServiceRef ref="tcp-SSH"/>
|
|
</OSrv>
|
|
<TSrc neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</TSrc>
|
|
<TDst neg="False">
|
|
<ObjectRef ref="host-hostA"/>
|
|
</TDst>
|
|
<TSrv neg="False">
|
|
<ServiceRef ref="tcp-SSH"/>
|
|
</TSrv>
|
|
<ItfInb neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ItfInb>
|
|
<ItfOutb neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ItfOutb>
|
|
<NATRuleOptions/>
|
|
</NATRule>
|
|
<NATRule id="id417C68B8" disabled="False" group="" position="3" action="Translate" comment="">
|
|
<OSrc neg="False">
|
|
<ObjectRef ref="net-Internal_net"/>
|
|
</OSrc>
|
|
<ODst neg="True">
|
|
<ObjectRef ref="id3B19C5EB"/>
|
|
</ODst>
|
|
<OSrv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</OSrv>
|
|
<TSrc neg="False">
|
|
<ObjectRef ref="id417C6938"/>
|
|
</TSrc>
|
|
<TDst neg="False">
|
|
<ObjectRef ref="id3D151943"/>
|
|
</TDst>
|
|
<TSrv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</TSrv>
|
|
<ItfInb neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ItfInb>
|
|
<ItfOutb neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ItfOutb>
|
|
<NATRuleOptions/>
|
|
</NATRule>
|
|
<RuleSetOptions/>
|
|
</NAT>
|
|
<Policy id="id417C6810" name="Policy" comment="" ro="False" ipv4_rule_set="False" ipv6_rule_set="False" top_rule_set="True">
|
|
<PolicyRule id="id417C68FE" disabled="False" group="" log="True" position="0" action="Deny" direction="Inbound" comment="ppp clients get addresses on 10.1.1.0">
|
|
<Src neg="True">
|
|
<ObjectRef ref="id3EFBCCBA"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="id417C68C6"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="stateless">True</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<PolicyRule id="id417C6908" disabled="False" group="" log="True" position="1" action="Deny" direction="Inbound" comment="ppp clients can not connect to the firewall">
|
|
<Src neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="id417C68C6"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="id417C68C6"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="stateless">True</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<PolicyRule id="id417C6912" disabled="False" group="" log="True" position="2" action="Deny" direction="Inbound" comment="">
|
|
<Src neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="id417C680B"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="id417C68C6"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="stateless">True</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<PolicyRule id="id417C691C" disabled="False" group="" log="False" position="3" action="Accept" direction="Inbound" comment="ppp clients can only connect to the mail server and web proxy on DMZ">
|
|
<Src neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="id3D151943"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="tcp-SMTP"/>
|
|
<ServiceRef ref="id3B4FF09A"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="id417C68C6"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions/>
|
|
</PolicyRule>
|
|
<PolicyRule id="id417C6927" disabled="False" group="" log="True" position="4" action="Deny" direction="Inbound" comment="ppp clients can not connect to anything else on DMZ and internal net">
|
|
<Src neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="id3B022266"/>
|
|
<ObjectRef ref="net-Internal_net"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="id417C68C6"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="stateless">True</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<PolicyRule id="id417C6946" disabled="False" group="" log="True" position="5" action="Deny" direction="Inbound" comment="">
|
|
<Src neg="True">
|
|
<ObjectRef ref="id3B022266"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="id417C6938"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="stateless">True</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<PolicyRule id="id417C6811" disabled="False" group="" log="True" position="6" action="Accept" direction="Both" comment="hostF has the same IP address as the firewall.">
|
|
<Src neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="id3AFC191C"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="icmp-ping_request"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="id"/>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<PolicyRule id="id417C681B" disabled="False" group="" log="False" position="7" action="Accept" direction="Both" comment="">
|
|
<Src neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="id417C680B"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="tcp-SSH"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions/>
|
|
</PolicyRule>
|
|
<PolicyRule id="id417C6825" disabled="False" group="" log="False" position="8" action="Accept" direction="Both" comment="">
|
|
<Src neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="id417C68C6"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="tcp-SSH"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions/>
|
|
</PolicyRule>
|
|
<PolicyRule id="id417C682F" disabled="False" group="" log="False" position="9" action="Accept" direction="Both" comment="">
|
|
<Src neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="id3B19BF58"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="tcp-SSH"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions/>
|
|
</PolicyRule>
|
|
<PolicyRule id="id417C6839" disabled="False" group="" log="False" position="10" action="Accept" direction="Both" comment="">
|
|
<Src neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="id3AFC191C"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="tcp-SSH"/>
|
|
<ServiceRef ref="tcp-Telnet"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions/>
|
|
</PolicyRule>
|
|
<PolicyRule id="id417C6844" disabled="False" group="" log="False" position="11" action="Accept" direction="Both" comment="">
|
|
<Src neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="id3E9870D1"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="tcp-SSH"/>
|
|
<ServiceRef ref="tcp-Telnet"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions/>
|
|
</PolicyRule>
|
|
<PolicyRule id="id417C684F" disabled="False" group="" log="True" position="12" action="Accept" direction="Both" comment="">
|
|
<Src neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="id3E9870D1"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="tcp-SSH"/>
|
|
<ServiceRef ref="tcp-Telnet"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions/>
|
|
</PolicyRule>
|
|
<PolicyRule id="id417C685A" disabled="False" group="" log="False" position="13" action="Accept" direction="Both" comment="firewall is part of Any, so compiler should generate code in both FORWARD and OUTPUT chains">
|
|
<Src neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="id3B19C5EB"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions/>
|
|
</PolicyRule>
|
|
<PolicyRule id="id417C6864" disabled="False" group="" log="False" position="14" action="Accept" direction="Both" comment="firewall is part of Any, compiler should generate code for both FORWARD and INPUT chains">
|
|
<Src neg="False">
|
|
<ObjectRef ref="id3B19C5EB"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions/>
|
|
</PolicyRule>
|
|
<PolicyRule id="id417C686E" disabled="False" group="" log="False" position="15" action="Accept" direction="Both" comment="because firewall has interface on network internal_net, compiler should generate code for both FORWARD and INPUT chains">
|
|
<Src neg="False">
|
|
<ObjectRef ref="host-hostA"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="net-Internal_net"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions/>
|
|
</PolicyRule>
|
|
<PolicyRule id="id417C6878" disabled="False" group="" log="False" position="16" action="Accept" direction="Both" comment="">
|
|
<Src neg="False">
|
|
<ObjectRef ref="net-Internal_net"/>
|
|
<ObjectRef ref="id3B022266"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="id3B19C5EB"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions/>
|
|
</PolicyRule>
|
|
<PolicyRule id="id38498X96121" disabled="False" position="17" direction="Both" action="Continue" log="True" comment="this rule should go to the mangle table, since we also have a default rule that goes to mangle (TCPMSS) and a pure mangle rule set; this checks that all rules for the mangle table end up under one COMMIT" group="">
|
|
<Src neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="action_on_reject"/>
|
|
<Option name="classify_str"/>
|
|
<Option name="custom_str"/>
|
|
<Option name="ipf_route_opt_addr"/>
|
|
<Option name="ipf_route_opt_if"/>
|
|
<Option name="ipf_route_option">route_through</Option>
|
|
<Option name="ipfw_classify_method">2</Option>
|
|
<Option name="ipfw_pipe_port_num">0</Option>
|
|
<Option name="ipfw_pipe_queue_num">0</Option>
|
|
<Option name="ipt_continue">False</Option>
|
|
<Option name="ipt_gw"/>
|
|
<Option name="ipt_iif"/>
|
|
<Option name="ipt_mark_connections">False</Option>
|
|
<Option name="ipt_oif"/>
|
|
<Option name="ipt_tee">False</Option>
|
|
<Option name="pf_fastroute">False</Option>
|
|
<Option name="pf_route_load_option">none</Option>
|
|
<Option name="pf_route_opt_addr"/>
|
|
<Option name="pf_route_opt_if"/>
|
|
<Option name="pf_route_option">route_through</Option>
|
|
<Option name="rule_name_accounting"/>
|
|
<Option name="stateless">False</Option>
|
|
<Option name="tagobject_id">id342984</Option>
|
|
<Option name="tagging">True</Option>
|
|
<Option name="classification">False</Option>
|
|
<Option name="routing">False</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<PolicyRule id="id55907X96121" disabled="False" group="" log="False" position="18" action="Branch" direction="Both" comment="">
|
|
<Src neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="action_on_reject"/>
|
|
<Option name="branch_id">id38458X96057</Option>
|
|
<Option name="classify_str"/>
|
|
<Option name="custom_str"/>
|
|
<Option name="ipf_route_opt_addr"/>
|
|
<Option name="ipf_route_opt_if"/>
|
|
<Option name="ipf_route_option">route_reply_through</Option>
|
|
<Option name="ipfw_classify_method">2</Option>
|
|
<Option name="ipfw_pipe_port_num">0</Option>
|
|
<Option name="ipfw_pipe_queue_num">0</Option>
|
|
<Option name="ipt_branch_in_mangle">True</Option>
|
|
<Option name="ipt_continue">False</Option>
|
|
<Option name="ipt_gw"/>
|
|
<Option name="ipt_iif"/>
|
|
<Option name="ipt_mark_connections">False</Option>
|
|
<Option name="ipt_oif"/>
|
|
<Option name="ipt_tee">False</Option>
|
|
<Option name="pf_fastroute">False</Option>
|
|
<Option name="pf_route_load_option">none</Option>
|
|
<Option name="pf_route_opt_addr"/>
|
|
<Option name="pf_route_opt_if"/>
|
|
<Option name="pf_route_option">route_reply_through</Option>
|
|
<Option name="rule_name_accounting"/>
|
|
<Option name="stateless">True</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<PolicyRule id="id1821637X72329" disabled="False" group="" log="False" position="19" action="Branch" direction="Both" comment="">
|
|
<Src neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="action_on_reject"/>
|
|
<Option name="branch_id">id1821563X72329</Option>
|
|
<Option name="classify_str"/>
|
|
<Option name="custom_str"/>
|
|
<Option name="ipf_route_opt_addr"/>
|
|
<Option name="ipf_route_opt_if"/>
|
|
<Option name="ipf_route_option">route_copy_through</Option>
|
|
<Option name="ipfw_classify_method">2</Option>
|
|
<Option name="ipfw_pipe_port_num">0</Option>
|
|
<Option name="ipfw_pipe_queue_num">0</Option>
|
|
<Option name="ipt_branch_in_mangle">True</Option>
|
|
<Option name="ipt_continue">False</Option>
|
|
<Option name="ipt_gw"/>
|
|
<Option name="ipt_iif"/>
|
|
<Option name="ipt_mark_connections">False</Option>
|
|
<Option name="ipt_oif"/>
|
|
<Option name="ipt_tee">False</Option>
|
|
<Option name="pf_fastroute">False</Option>
|
|
<Option name="pf_route_load_option">none</Option>
|
|
<Option name="pf_route_opt_addr"/>
|
|
<Option name="pf_route_opt_if"/>
|
|
<Option name="pf_route_option">route_reply_through</Option>
|
|
<Option name="rule_name_accounting"/>
|
|
<Option name="stateless">True</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<PolicyRule id="id1821755X72329" disabled="False" group="" log="False" position="20" action="Branch" direction="Inbound" comment="">
|
|
<Src neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="id417C6933"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="action_on_reject"/>
|
|
<Option name="branch_id">id38458X96057</Option>
|
|
<Option name="classify_str"/>
|
|
<Option name="custom_str"/>
|
|
<Option name="ipf_route_opt_addr"/>
|
|
<Option name="ipf_route_opt_if"/>
|
|
<Option name="ipf_route_option">route_reply_through</Option>
|
|
<Option name="ipfw_classify_method">2</Option>
|
|
<Option name="ipfw_pipe_port_num">0</Option>
|
|
<Option name="ipfw_pipe_queue_num">0</Option>
|
|
<Option name="ipt_branch_in_mangle">True</Option>
|
|
<Option name="ipt_continue">False</Option>
|
|
<Option name="ipt_gw"/>
|
|
<Option name="ipt_iif"/>
|
|
<Option name="ipt_mark_connections">False</Option>
|
|
<Option name="ipt_oif"/>
|
|
<Option name="ipt_tee">False</Option>
|
|
<Option name="pf_fastroute">False</Option>
|
|
<Option name="pf_route_load_option">none</Option>
|
|
<Option name="pf_route_opt_addr"/>
|
|
<Option name="pf_route_opt_if"/>
|
|
<Option name="pf_route_option">route_reply_through</Option>
|
|
<Option name="rule_name_accounting"/>
|
|
<Option name="stateless">True</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<PolicyRule id="id1821801X72329" disabled="False" group="" log="False" position="21" action="Branch" direction="Inbound" comment="">
|
|
<Src neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="id417C6933"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="action_on_reject"/>
|
|
<Option name="branch_id">id1821563X72329</Option>
|
|
<Option name="classify_str"/>
|
|
<Option name="custom_str"/>
|
|
<Option name="ipf_route_opt_addr"/>
|
|
<Option name="ipf_route_opt_if"/>
|
|
<Option name="ipf_route_option">route_copy_through</Option>
|
|
<Option name="ipfw_classify_method">2</Option>
|
|
<Option name="ipfw_pipe_port_num">0</Option>
|
|
<Option name="ipfw_pipe_queue_num">0</Option>
|
|
<Option name="ipt_branch_in_mangle">True</Option>
|
|
<Option name="ipt_continue">False</Option>
|
|
<Option name="ipt_gw"/>
|
|
<Option name="ipt_iif"/>
|
|
<Option name="ipt_mark_connections">False</Option>
|
|
<Option name="ipt_oif"/>
|
|
<Option name="ipt_tee">False</Option>
|
|
<Option name="pf_fastroute">False</Option>
|
|
<Option name="pf_route_load_option">none</Option>
|
|
<Option name="pf_route_opt_addr"/>
|
|
<Option name="pf_route_opt_if"/>
|
|
<Option name="pf_route_option">route_reply_through</Option>
|
|
<Option name="rule_name_accounting"/>
|
|
<Option name="stateless">True</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<PolicyRule id="id417C6883" disabled="False" group="" log="True" position="22" action="Deny" direction="Both" comment="Automatically generated 'catch all' rule">
|
|
<Src neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="action_on_reject"/>
|
|
<Option name="id"/>
|
|
<Option name="limit_suffix"/>
|
|
<Option name="limit_value">0</Option>
|
|
<Option name="log_prefix"/>
|
|
<Option name="stateless">True</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<RuleSetOptions/>
|
|
</Policy>
|
|
<Policy id="id38458X96057" name="policy_2" comment="" ro="False" ipv4_rule_set="False" ipv6_rule_set="False" top_rule_set="False">
|
|
<PolicyRule id="id1821888X72329" disabled="False" group="" log="False" position="0" action="Accept" direction="Outbound" comment="">
|
|
<Src neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="id417C6938"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="stateless">False</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<PolicyRule id="id38459X96057" disabled="False" group="" log="True" position="1" action="Deny" direction="Both" comment="">
|
|
<Src neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="stateless">True</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<RuleSetOptions/>
|
|
</Policy>
|
|
<Policy id="id38485X96121" name="mangle_ruleset" comment="Pure mangle rule set. Checking that there will be only one COMMIT" ro="False" ipv4_rule_set="False" ipv6_rule_set="False" top_rule_set="False">
|
|
<PolicyRule id="id38486X96121" disabled="False" group="" log="True" position="0" action="Deny" direction="Both" comment="">
|
|
<Src neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="stateless">True</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<RuleSetOptions/>
|
|
</Policy>
|
|
<Policy id="id1821563X72329" name="policy_2_mangle" comment="" ro="False" ipv4_rule_set="True" ipv6_rule_set="False" top_rule_set="False">
|
|
<PolicyRule id="id1822003X72329" disabled="False" group="" log="False" position="0" action="Accept" direction="Outbound" comment="">
|
|
<Src neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="id417C6938"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="stateless">False</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<PolicyRule id="id57311X14972" disabled="False" group="" log="True" position="1" action="Reject" direction="Both" comment="SF bug report 3034628 &quot;iptables does not allow target REJECT in mangle table&quot;">
|
|
<Src neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="id3C1A66EF"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="stateless">True</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<PolicyRule id="id1821565X72329" disabled="False" group="" log="True" position="2" action="Deny" direction="Both" comment="">
|
|
<Src neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="stateless">True</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<RuleSetOptions>
|
|
<Option name="mangle_only_rule_set">True</Option>
|
|
</RuleSetOptions>
|
|
</Policy>
|
|
<Routing id="id417C680B-routing" name="Routing" comment="" ro="False" ipv4_rule_set="False" ipv6_rule_set="False" top_rule_set="True">
|
|
<RuleSetOptions/>
|
|
</Routing>
|
|
<Interface id="id417C68C6" dedicated_failover="False" dyn="True" label="" mgmt="False" security_level="0" unnum="False" unprotected="False" name="ppp*" comment="" ro="False">
|
|
<IPv4 id="id417C6932" name="firewall25:ppp*:ip" comment="" ro="False" address="192.168.1.1" netmask="255.255.255.0"/>
|
|
<InterfaceOptions/>
|
|
</Interface>
|
|
<Interface id="id417C6933" dedicated_failover="False" dyn="False" label="" mgmt="True" security_level="100" unnum="False" unprotected="False" name="eth0" comment="" ro="False">
|
|
<IPv4 id="id417C6937" name="firewall25:eth0:ip" comment="" ro="False" address="192.168.1.1" netmask="255.255.255.0"/>
|
|
<InterfaceOptions/>
|
|
</Interface>
|
|
<Interface id="id417C6938" dedicated_failover="False" dyn="False" security_level="0" unnum="False" unprotected="False" name="eth2" comment="" ro="False">
|
|
<IPv4 id="id417C6950" name="firewall25:eth2:ip" comment="" ro="False" address="192.168.2.1" netmask="255.255.255.0"/>
|
|
<InterfaceOptions/>
|
|
</Interface>
|
|
<Management address="192.168.1.1">
|
|
<SNMPManagement enabled="False" snmp_read_community="public" snmp_write_community=""/>
|
|
<FWBDManagement enabled="True" identity="" port="9999"/>
|
|
<PolicyInstallScript arguments="" command="" enabled="False"/>
|
|
</Management>
|
|
<FirewallOptions>
|
|
<Option name="accept_established">True</Option>
|
|
<Option name="accept_new_tcp_with_no_syn">False</Option>
|
|
<Option name="action_on_reject">ICMP host prohibited</Option>
|
|
<Option name="activationCmd"/>
|
|
<Option name="admUser"/>
|
|
<Option name="altAddress"/>
|
|
<Option name="bridging_fw">False</Option>
|
|
<Option name="check_shading">False</Option>
|
|
<Option name="clamp_mss_to_mtu">True</Option>
|
|
<Option name="classify_mark_terminating">False</Option>
|
|
<Option name="cmdline"/>
|
|
<Option name="compiler"/>
|
|
<Option name="configure_interfaces">True</Option>
|
|
<Option name="debug">False</Option>
|
|
<Option name="drop_invalid">True</Option>
|
|
<Option name="dyn_addr">False</Option>
|
|
<Option name="epilog_script"/>
|
|
<Option name="firewall_dir"/>
|
|
<Option name="firewall_is_part_of_any">True</Option>
|
|
<Option name="firewall_is_part_of_any_and_networks">True</Option>
|
|
<Option name="id"/>
|
|
<Option name="ignore_empty_groups">False</Option>
|
|
<Option name="install_script"/>
|
|
<Option name="ipt_mangle_only_rulesets"> Policy_2 mangle_ruleset</Option>
|
|
<Option name="ipv4_6_order">ipv4_first</Option>
|
|
<Option name="limit_suffix">/day</Option>
|
|
<Option name="limit_value">0</Option>
|
|
<Option name="linux24_accept_redirects"/>
|
|
<Option name="linux24_accept_source_route"/>
|
|
<Option name="linux24_icmp_echo_ignore_all"/>
|
|
<Option name="linux24_icmp_echo_ignore_broadcasts"/>
|
|
<Option name="linux24_icmp_ignore_bogus_error_responses"/>
|
|
<Option name="linux24_ip_dynaddr"/>
|
|
<Option name="linux24_ip_forward"/>
|
|
<Option name="linux24_log_martians"/>
|
|
<Option name="linux24_path_ip"/>
|
|
<Option name="linux24_path_iptables"/>
|
|
<Option name="linux24_path_logger"/>
|
|
<Option name="linux24_path_lsmod"/>
|
|
<Option name="linux24_path_modprobe"/>
|
|
<Option name="linux24_rp_filter"/>
|
|
<Option name="linux24_tcp_ecn"/>
|
|
<Option name="linux24_tcp_fack"/>
|
|
<Option name="linux24_tcp_fin_timeout">30</Option>
|
|
<Option name="linux24_tcp_keepalive_interval">1800</Option>
|
|
<Option name="linux24_tcp_sack"/>
|
|
<Option name="linux24_tcp_syncookies"/>
|
|
<Option name="linux24_tcp_timestamps"/>
|
|
<Option name="linux24_tcp_window_scaling"/>
|
|
<Option name="load_modules">False</Option>
|
|
<Option name="local_nat">False</Option>
|
|
<Option name="log_all">False</Option>
|
|
<Option name="log_all_dropped">False</Option>
|
|
<Option name="log_invalid">False</Option>
|
|
<Option name="log_ip_opt">False</Option>
|
|
<Option name="log_level"/>
|
|
<Option name="log_limit_suffix"/>
|
|
<Option name="log_limit_value">0</Option>
|
|
<Option name="log_prefix"/>
|
|
<Option name="log_tcp_opt">False</Option>
|
|
<Option name="log_tcp_seq">False</Option>
|
|
<Option name="manage_virtual_addr">True</Option>
|
|
<Option name="mgmt_addr">192.168.1.1</Option>
|
|
<Option name="mgmt_ssh">True</Option>
|
|
<Option name="no_iochains_for_any">False</Option>
|
|
<Option name="no_ipv6_default_policy">False</Option>
|
|
<Option name="no_optimisation">False</Option>
|
|
<Option name="output_file"/>
|
|
<Option name="platform">iptables</Option>
|
|
<Option name="prolog_place">top</Option>
|
|
<Option name="prolog_script"/>
|
|
<Option name="script_env_path"/>
|
|
<Option name="snmp_contact"/>
|
|
<Option name="snmp_description"/>
|
|
<Option name="snmp_location"/>
|
|
<Option name="sshArgs"/>
|
|
<Option name="ulog_cprange">0</Option>
|
|
<Option name="ulog_nlgroup">1</Option>
|
|
<Option name="ulog_qthreshold">1</Option>
|
|
<Option name="use_ULOG">False</Option>
|
|
<Option name="use_iptables_restore">True</Option>
|
|
<Option name="use_numeric_log_levels">False</Option>
|
|
<Option name="verify_interfaces">True</Option>
|
|
</FirewallOptions>
|
|
</Firewall>
|
|
<Firewall id="id418C4609" host_OS="linux24" inactive="False" lastCompiled="1272404382" lastInstalled="1142003872" lastModified="1264474374" platform="iptables" version="1.4.0" name="firewall26" comment="This firewall uses the iptables-restore format. One interface has a dynamic address, so the generated script uses echo to build the iptables commands at run time and then pipes them to iptables-restore." ro="False">
|
|
<NAT id="id418C468B" name="NAT" comment="" ro="False" ipv4_rule_set="False" ipv6_rule_set="False" top_rule_set="True">
|
|
<NATRule id="id418C468C" disabled="False" group="" position="0" action="Translate" comment="">
|
|
<OSrc neg="False">
|
|
<ObjectRef ref="net-Internal_net"/>
|
|
</OSrc>
|
|
<ODst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ODst>
|
|
<OSrv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</OSrv>
|
|
<TSrc neg="False">
|
|
<ObjectRef ref="id418C4609"/>
|
|
</TSrc>
|
|
<TDst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</TDst>
|
|
<TSrv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</TSrv>
|
|
<ItfInb neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ItfInb>
|
|
<ItfOutb neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ItfOutb>
|
|
<NATRuleOptions/>
|
|
</NATRule>
|
|
<NATRule id="id418C469A" disabled="False" group="" position="1" action="Translate" comment="">
|
|
<OSrc neg="False">
|
|
<ObjectRef ref="net-Internal_net"/>
|
|
</OSrc>
|
|
<ODst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ODst>
|
|
<OSrv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</OSrv>
|
|
<TSrc neg="False">
|
|
<ObjectRef ref="id3AFADBF9"/>
|
|
</TSrc>
|
|
<TDst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</TDst>
|
|
<TSrv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</TSrv>
|
|
<ItfInb neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ItfInb>
|
|
<ItfOutb neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ItfOutb>
|
|
<NATRuleOptions/>
|
|
</NATRule>
|
|
<NATRule id="id418C46A8" disabled="False" group="" position="2" action="Translate" comment="">
|
|
<OSrc neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</OSrc>
|
|
<ODst neg="False">
|
|
<ObjectRef ref="id418C4609"/>
|
|
</ODst>
|
|
<OSrv neg="False">
|
|
<ServiceRef ref="tcp-SSH"/>
|
|
</OSrv>
|
|
<TSrc neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</TSrc>
|
|
<TDst neg="False">
|
|
<ObjectRef ref="host-hostA"/>
|
|
</TDst>
|
|
<TSrv neg="False">
|
|
<ServiceRef ref="tcp-SSH"/>
|
|
</TSrv>
|
|
<ItfInb neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ItfInb>
|
|
<ItfOutb neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ItfOutb>
|
|
<NATRuleOptions/>
|
|
</NATRule>
|
|
<NATRule id="id418C46B6" disabled="False" group="" position="3" action="Translate" comment="">
|
|
<OSrc neg="False">
|
|
<ObjectRef ref="net-Internal_net"/>
|
|
</OSrc>
|
|
<ODst neg="True">
|
|
<ObjectRef ref="id3B19C5EB"/>
|
|
</ODst>
|
|
<OSrv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</OSrv>
|
|
<TSrc neg="False">
|
|
<ObjectRef ref="id418C4736"/>
|
|
</TSrc>
|
|
<TDst neg="False">
|
|
<ObjectRef ref="id3D151943"/>
|
|
</TDst>
|
|
<TSrv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</TSrv>
|
|
<ItfInb neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ItfInb>
|
|
<ItfOutb neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ItfOutb>
|
|
<NATRuleOptions/>
|
|
</NATRule>
|
|
<RuleSetOptions/>
|
|
</NAT>
|
|
<Policy id="id418C460E" name="Policy" comment="" ro="False" ipv4_rule_set="False" ipv6_rule_set="False" top_rule_set="True">
|
|
<PolicyRule id="id418C46FC" disabled="False" group="" log="True" position="0" action="Deny" direction="Inbound" comment="ppp clients get addresses on 10.1.1.0; anything arriving on ppp with a source address outside that range is treated as spoofed and is dropped and logged">
|
|
<Src neg="True">
|
|
<ObjectRef ref="id3EFBCCBA"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="id418C46C4"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="stateless">True</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<PolicyRule id="id418C4706" disabled="False" group="" log="True" position="1" action="Deny" direction="Inbound" comment="ppp clients can not connect to the firewall">
|
|
<Src neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="id418C46C4"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="id418C46C4"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="stateless">True</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<PolicyRule id="id418C4710" disabled="False" group="" log="True" position="2" action="Deny" direction="Inbound" comment="">
|
|
<Src neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="id418C4609"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="id418C46C4"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="stateless">True</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<PolicyRule id="id418C471A" disabled="False" group="" log="False" position="3" action="Accept" direction="Inbound" comment="ppp clients can only connect to the mail server and web proxy on DMZ">
|
|
<Src neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="id3D151943"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="tcp-SMTP"/>
|
|
<ServiceRef ref="id3B4FF09A"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="id418C46C4"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions/>
|
|
</PolicyRule>
|
|
<PolicyRule id="id418C4725" disabled="False" group="" log="True" position="4" action="Deny" direction="Inbound" comment="ppp clients can not connect to anything else on DMZ and internal net">
|
|
<Src neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="id3B022266"/>
|
|
<ObjectRef ref="net-Internal_net"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="id418C46C4"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="stateless">True</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<PolicyRule id="id418C4744" disabled="False" group="" log="True" position="5" action="Deny" direction="Inbound" comment="">
|
|
<Src neg="True">
|
|
<ObjectRef ref="id3B022266"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="id418C4736"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="stateless">True</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<PolicyRule id="id418C460F" disabled="False" group="" log="True" position="6" action="Accept" direction="Both" comment="hostF has the same IP address as the firewall.">
|
|
<Src neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="id3AFC191C"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="icmp-ping_request"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="id"/>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<PolicyRule id="id418C4619" disabled="False" group="" log="False" position="7" action="Accept" direction="Both" comment="">
|
|
<Src neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="id418C4609"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="tcp-SSH"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions/>
|
|
</PolicyRule>
|
|
<PolicyRule id="id418C4623" disabled="False" group="" log="False" position="8" action="Accept" direction="Both" comment="">
|
|
<Src neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="id418C46C4"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="tcp-SSH"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions/>
|
|
</PolicyRule>
|
|
<PolicyRule id="id418C462D" disabled="False" group="" log="False" position="9" action="Accept" direction="Both" comment="">
|
|
<Src neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="id3B19BF58"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="tcp-SSH"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions/>
|
|
</PolicyRule>
|
|
<PolicyRule id="id418C4637" disabled="False" group="" log="False" position="10" action="Accept" direction="Both" comment="">
|
|
<Src neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="id3AFC191C"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="tcp-SSH"/>
|
|
<ServiceRef ref="tcp-Telnet"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions/>
|
|
</PolicyRule>
|
|
<PolicyRule id="id418C4642" disabled="False" group="" log="False" position="11" action="Accept" direction="Both" comment="">
|
|
<Src neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="id3E9870D1"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="tcp-SSH"/>
|
|
<ServiceRef ref="tcp-Telnet"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions/>
|
|
</PolicyRule>
|
|
<PolicyRule id="id418C464D" disabled="False" group="" log="True" position="12" action="Accept" direction="Both" comment="">
|
|
<Src neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="id3E9870D1"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="tcp-SSH"/>
|
|
<ServiceRef ref="tcp-Telnet"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions/>
|
|
</PolicyRule>
|
|
<PolicyRule id="id418C4658" disabled="False" group="" log="False" position="13" action="Accept" direction="Both" comment="firewall is part of Any, so compiler should generate code in both FORWARD and OUTPUT chains">
|
|
<Src neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="id3B19C5EB"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions/>
|
|
</PolicyRule>
|
|
<PolicyRule id="id418C4662" disabled="False" group="" log="False" position="14" action="Accept" direction="Both" comment="firewall is part of Any, compiler should generate code for both FORWARD and INPUT chains">
|
|
<Src neg="False">
|
|
<ObjectRef ref="id3B19C5EB"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions/>
|
|
</PolicyRule>
|
|
<PolicyRule id="id418C466C" disabled="False" group="" log="False" position="15" action="Accept" direction="Both" comment="because firewall has interface on network internal_net, compiler should generate code for both FORWARD and INPUT chains">
|
|
<Src neg="False">
|
|
<ObjectRef ref="host-hostA"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="net-Internal_net"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions/>
|
|
</PolicyRule>
|
|
<PolicyRule id="id418C4676" disabled="False" group="" log="False" position="16" action="Accept" direction="Both" comment="">
|
|
<Src neg="False">
|
|
<ObjectRef ref="net-Internal_net"/>
|
|
<ObjectRef ref="id3B022266"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="id3B19C5EB"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions/>
|
|
</PolicyRule>
|
|
<PolicyRule id="id418C4681" disabled="False" group="" log="True" position="17" action="Deny" direction="Both" comment="Automatically generated 'catch all' rule">
|
|
<Src neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="action_on_reject"/>
|
|
<Option name="id"/>
|
|
<Option name="limit_suffix"/>
|
|
<Option name="limit_value">0</Option>
|
|
<Option name="log_prefix"/>
|
|
<Option name="stateless">True</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<RuleSetOptions/>
|
|
</Policy>
|
|
<Routing id="id418C4609-routing" name="Routing" comment="" ro="False" ipv4_rule_set="False" ipv6_rule_set="False" top_rule_set="True">
|
|
<RuleSetOptions/>
|
|
</Routing>
|
|
<Interface id="id418C46C4" dedicated_failover="False" dyn="True" label="" mgmt="False" security_level="0" unnum="False" unprotected="False" name="ppp" comment="" ro="False">
|
|
<InterfaceOptions/>
|
|
</Interface>
|
|
<Interface id="id418C4731" dedicated_failover="False" dyn="False" label="" mgmt="True" security_level="100" unnum="False" unprotected="False" name="eth0" comment="" ro="False">
|
|
<IPv4 id="id418C4735" name="firewall26:eth0:ip" comment="" ro="False" address="192.168.1.1" netmask="255.255.255.0"/>
|
|
<InterfaceOptions/>
|
|
</Interface>
|
|
<Interface id="id418C4736" dedicated_failover="False" dyn="False" security_level="0" unnum="False" unprotected="False" name="eth2" comment="" ro="False">
|
|
<IPv4 id="id418C474E" name="firewall26:eth2:ip" comment="" ro="False" address="192.168.2.1" netmask="255.255.255.0"/>
|
|
<InterfaceOptions/>
|
|
</Interface>
|
|
<Management address="192.168.1.1">
|
|
<SNMPManagement enabled="False" snmp_read_community="public" snmp_write_community=""/>
|
|
<FWBDManagement enabled="True" identity="" port="9999"/>
|
|
<PolicyInstallScript arguments="" command="" enabled="False"/>
|
|
</Management>
|
|
<FirewallOptions>
|
|
<Option name="accept_established">True</Option>
|
|
<Option name="accept_new_tcp_with_no_syn">False</Option>
|
|
<Option name="action_on_reject">ICMP host prohibited</Option>
|
|
<Option name="activationCmd"/>
|
|
<Option name="admUser"/>
|
|
<Option name="altAddress"/>
|
|
<Option name="bridging_fw">False</Option>
|
|
<Option name="check_shading">False</Option>
|
|
<Option name="clamp_mss_to_mtu">True</Option>
|
|
<Option name="classify_mark_terminating">False</Option>
|
|
<Option name="cmdline"/>
|
|
<Option name="compiler"/>
|
|
<Option name="configure_interfaces">True</Option>
|
|
<Option name="debug">False</Option>
|
|
<Option name="drop_invalid">True</Option>
|
|
<Option name="dyn_addr">False</Option>
|
|
<Option name="epilog_script"/>
|
|
<Option name="firewall_dir"/>
|
|
<Option name="firewall_is_part_of_any">True</Option>
|
|
<Option name="firewall_is_part_of_any_and_networks">True</Option>
|
|
<Option name="id"/>
|
|
<Option name="ignore_empty_groups">False</Option>
|
|
<Option name="install_script"/>
|
|
<Option name="ipv4_6_order">ipv4_first</Option>
|
|
<Option name="limit_suffix">/day</Option>
|
|
<Option name="limit_value">0</Option>
|
|
<Option name="linux24_accept_redirects"/>
|
|
<Option name="linux24_accept_source_route"/>
|
|
<Option name="linux24_icmp_echo_ignore_all"/>
|
|
<Option name="linux24_icmp_echo_ignore_broadcasts"/>
|
|
<Option name="linux24_icmp_ignore_bogus_error_responses"/>
|
|
<Option name="linux24_ip_dynaddr"/>
|
|
<Option name="linux24_ip_forward"/>
|
|
<Option name="linux24_log_martians"/>
|
|
<Option name="linux24_path_ip"/>
|
|
<Option name="linux24_path_iptables"/>
|
|
<Option name="linux24_path_logger"/>
|
|
<Option name="linux24_path_lsmod"/>
|
|
<Option name="linux24_path_modprobe"/>
|
|
<Option name="linux24_rp_filter"/>
|
|
<Option name="linux24_tcp_ecn"/>
|
|
<Option name="linux24_tcp_fack"/>
|
|
<Option name="linux24_tcp_fin_timeout">30</Option>
|
|
<Option name="linux24_tcp_keepalive_interval">1800</Option>
|
|
<Option name="linux24_tcp_sack"/>
|
|
<Option name="linux24_tcp_syncookies"/>
|
|
<Option name="linux24_tcp_timestamps"/>
|
|
<Option name="linux24_tcp_window_scaling"/>
|
|
<Option name="load_modules">False</Option>
|
|
<Option name="local_nat">False</Option>
|
|
<Option name="log_all">False</Option>
|
|
<Option name="log_all_dropped">False</Option>
|
|
<Option name="log_invalid">False</Option>
|
|
<Option name="log_ip_opt">False</Option>
|
|
<Option name="log_level"/>
|
|
<Option name="log_limit_suffix"/>
|
|
<Option name="log_limit_value">0</Option>
|
|
<Option name="log_prefix"/>
|
|
<Option name="log_tcp_opt">False</Option>
|
|
<Option name="log_tcp_seq">False</Option>
|
|
<Option name="manage_virtual_addr">True</Option>
|
|
<Option name="mgmt_addr">192.168.1.1</Option>
|
|
<Option name="mgmt_ssh">True</Option>
|
|
<Option name="no_iochains_for_any">False</Option>
|
|
<Option name="no_ipv6_default_policy">False</Option>
|
|
<Option name="no_optimisation">False</Option>
|
|
<Option name="output_file"/>
|
|
<Option name="platform">iptables</Option>
|
|
<Option name="prolog_place">top</Option>
|
|
<Option name="prolog_script"/>
|
|
<Option name="script_env_path"/>
|
|
<Option name="snmp_contact"/>
|
|
<Option name="snmp_description"/>
|
|
<Option name="snmp_location"/>
|
|
<Option name="sshArgs"/>
|
|
<Option name="ulog_cprange">0</Option>
|
|
<Option name="ulog_nlgroup">1</Option>
|
|
<Option name="ulog_qthreshold">1</Option>
|
|
<Option name="use_ULOG">False</Option>
|
|
<Option name="use_iptables_restore">True</Option>
|
|
<Option name="use_numeric_log_levels">False</Option>
|
|
<Option name="verify_interfaces">True</Option>
|
|
</FirewallOptions>
|
|
</Firewall>
|
|
<Firewall id="id4183D041" host_OS="linux24" inactive="False" lastCompiled="1272404385" lastInstalled="1142003872" lastModified="1264474374" platform="iptables" version="1.4.0" name="firewall27" comment="This firewall uses the iptables-restore format. All interfaces have static addresses, so the generated script pipes the iptables commands straight to iptables-restore." ro="False">
|
|
<NAT id="id4183D0C3" name="NAT" comment="" ro="False" ipv4_rule_set="False" ipv6_rule_set="False" top_rule_set="True">
|
|
<NATRule id="id4183D0C4" disabled="False" group="" position="0" action="Translate" comment="">
|
|
<OSrc neg="False">
|
|
<ObjectRef ref="net-Internal_net"/>
|
|
</OSrc>
|
|
<ODst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ODst>
|
|
<OSrv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</OSrv>
|
|
<TSrc neg="False">
|
|
<ObjectRef ref="id4183D041"/>
|
|
</TSrc>
|
|
<TDst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</TDst>
|
|
<TSrv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</TSrv>
|
|
<ItfInb neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ItfInb>
|
|
<ItfOutb neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ItfOutb>
|
|
<NATRuleOptions/>
|
|
</NATRule>
|
|
<NATRule id="id4183D0D2" disabled="False" group="" position="1" action="Translate" comment="">
|
|
<OSrc neg="False">
|
|
<ObjectRef ref="net-Internal_net"/>
|
|
</OSrc>
|
|
<ODst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ODst>
|
|
<OSrv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</OSrv>
|
|
<TSrc neg="False">
|
|
<ObjectRef ref="id3AFADBF9"/>
|
|
</TSrc>
|
|
<TDst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</TDst>
|
|
<TSrv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</TSrv>
|
|
<ItfInb neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ItfInb>
|
|
<ItfOutb neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ItfOutb>
|
|
<NATRuleOptions/>
|
|
</NATRule>
|
|
<NATRule id="id4183D0E0" disabled="False" group="" position="2" action="Translate" comment="">
|
|
<OSrc neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</OSrc>
|
|
<ODst neg="False">
|
|
<ObjectRef ref="id4183D041"/>
|
|
</ODst>
|
|
<OSrv neg="False">
|
|
<ServiceRef ref="tcp-SSH"/>
|
|
</OSrv>
|
|
<TSrc neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</TSrc>
|
|
<TDst neg="False">
|
|
<ObjectRef ref="host-hostA"/>
|
|
</TDst>
|
|
<TSrv neg="False">
|
|
<ServiceRef ref="tcp-SSH"/>
|
|
</TSrv>
|
|
<ItfInb neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ItfInb>
|
|
<ItfOutb neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ItfOutb>
|
|
<NATRuleOptions/>
|
|
</NATRule>
|
|
<NATRule id="id4183D0EE" disabled="False" group="" position="3" action="Translate" comment="">
|
|
<OSrc neg="False">
|
|
<ObjectRef ref="net-Internal_net"/>
|
|
</OSrc>
|
|
<ODst neg="True">
|
|
<ObjectRef ref="id3B19C5EB"/>
|
|
</ODst>
|
|
<OSrv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</OSrv>
|
|
<TSrc neg="False">
|
|
<ObjectRef ref="id4183D16C"/>
|
|
</TSrc>
|
|
<TDst neg="False">
|
|
<ObjectRef ref="id3D151943"/>
|
|
</TDst>
|
|
<TSrv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</TSrv>
|
|
<ItfInb neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ItfInb>
|
|
<ItfOutb neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ItfOutb>
|
|
<NATRuleOptions/>
|
|
</NATRule>
|
|
<RuleSetOptions/>
|
|
</NAT>
|
|
<Policy id="id4183D046" name="Policy" comment="" ro="False" ipv4_rule_set="False" ipv6_rule_set="False" top_rule_set="True">
|
|
<PolicyRule id="id4183D133" disabled="False" group="" log="True" position="0" action="Deny" direction="Inbound" comment="ppp clients get addresses on 10.1.1.0; anything arriving on ppp with a source address outside that range is treated as spoofed and is dropped and logged">
|
|
<Src neg="True">
|
|
<ObjectRef ref="id3EFBCCBA"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="id4183D0FC"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="stateless">True</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<PolicyRule id="id4183D13D" disabled="False" group="" log="True" position="1" action="Deny" direction="Inbound" comment="ppp clients can not connect to the firewall">
|
|
<Src neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="id4183D0FC"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="id4183D0FC"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="stateless">True</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<PolicyRule id="id4183D147" disabled="False" group="" log="True" position="2" action="Deny" direction="Inbound" comment="">
|
|
<Src neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="id4183D041"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="id4183D0FC"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="stateless">True</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<PolicyRule id="id4183D151" disabled="False" group="" log="False" position="3" action="Accept" direction="Inbound" comment="ppp clients can only connect to the mail server and web proxy on DMZ">
|
|
<Src neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="id3D151943"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="tcp-SMTP"/>
|
|
<ServiceRef ref="id3B4FF09A"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="id4183D0FC"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions/>
|
|
</PolicyRule>
|
|
<PolicyRule id="id4183D15C" disabled="False" group="" log="True" position="4" action="Deny" direction="Inbound" comment="ppp clients can not connect to anything else on DMZ and internal net">
|
|
<Src neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="id3B022266"/>
|
|
<ObjectRef ref="net-Internal_net"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="id4183D0FC"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="stateless">True</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<PolicyRule id="id4183D17A" disabled="False" group="" log="True" position="5" action="Deny" direction="Inbound" comment="">
|
|
<Src neg="True">
|
|
<ObjectRef ref="id3B022266"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="id4183D16C"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="stateless">True</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<PolicyRule id="id4183D047" disabled="False" group="" log="True" position="6" action="Accept" direction="Both" comment="hostF has the same IP address as the firewall.">
|
|
<Src neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="id3AFC191C"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="icmp-ping_request"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="id"/>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<PolicyRule id="id4183D051" disabled="False" group="" log="False" position="7" action="Accept" direction="Both" comment="">
|
|
<Src neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="id4183D041"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="tcp-SSH"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions/>
|
|
</PolicyRule>
|
|
<PolicyRule id="id4183D05B" disabled="False" group="" log="False" position="8" action="Accept" direction="Both" comment="">
|
|
<Src neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="id4183D0FC"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="tcp-SSH"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions/>
|
|
</PolicyRule>
|
|
<PolicyRule id="id4183D065" disabled="False" group="" log="False" position="9" action="Accept" direction="Both" comment="">
|
|
<Src neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="id3B19BF58"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="tcp-SSH"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions/>
|
|
</PolicyRule>
|
|
<PolicyRule id="id4183D06F" disabled="False" group="" log="False" position="10" action="Accept" direction="Both" comment="">
|
|
<Src neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="id3AFC191C"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="tcp-SSH"/>
|
|
<ServiceRef ref="tcp-Telnet"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions/>
|
|
</PolicyRule>
|
|
<PolicyRule id="id4183D07A" disabled="False" group="" log="False" position="11" action="Accept" direction="Both" comment="">
|
|
<Src neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="id3E9870D1"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="tcp-SSH"/>
|
|
<ServiceRef ref="tcp-Telnet"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions/>
|
|
</PolicyRule>
|
|
<PolicyRule id="id4183D085" disabled="False" group="" log="True" position="12" action="Accept" direction="Both" comment="">
|
|
<Src neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="id3E9870D1"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="tcp-SSH"/>
|
|
<ServiceRef ref="tcp-Telnet"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions/>
|
|
</PolicyRule>
|
|
<PolicyRule id="id4183D090" disabled="False" group="" log="False" position="13" action="Accept" direction="Both" comment="firewall is part of Any, so compiler should generate code in both FORWARD and OUTPUT chains">
|
|
<Src neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="id3B19C5EB"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions/>
|
|
</PolicyRule>
|
|
<PolicyRule id="id4183D09A" disabled="False" group="" log="False" position="14" action="Accept" direction="Both" comment="firewall is part of Any, compiler should generate code for both FORWARD and INPUT chains">
|
|
<Src neg="False">
|
|
<ObjectRef ref="id3B19C5EB"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions/>
|
|
</PolicyRule>
|
|
<PolicyRule id="id4183D0A4" disabled="False" group="" log="False" position="15" action="Accept" direction="Both" comment="because firewall has interface on network internal_net, compiler should generate code for both FORWARD and INPUT chains">
|
|
<Src neg="False">
|
|
<ObjectRef ref="host-hostA"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="net-Internal_net"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions/>
|
|
</PolicyRule>
|
|
<PolicyRule id="id4183D0AE" disabled="False" group="" log="False" position="16" action="Accept" direction="Both" comment="">
|
|
<Src neg="False">
|
|
<ObjectRef ref="net-Internal_net"/>
|
|
<ObjectRef ref="id3B022266"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="id3B19C5EB"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions/>
|
|
</PolicyRule>
|
|
<PolicyRule id="id4183D0B9" disabled="False" group="" log="True" position="17" action="Deny" direction="Both" comment="Automatically generated 'catch all' rule">
|
|
<Src neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="action_on_reject"/>
|
|
<Option name="id"/>
|
|
<Option name="limit_suffix"/>
|
|
<Option name="limit_value">0</Option>
|
|
<Option name="log_prefix"/>
|
|
<Option name="stateless">True</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<RuleSetOptions/>
|
|
</Policy>
|
|
<Routing id="id4183D041-routing" name="Routing" comment="" ro="False" ipv4_rule_set="False" ipv6_rule_set="False" top_rule_set="True">
|
|
<RuleSetOptions/>
|
|
</Routing>
|
|
<Interface id="id4183D0FC" dedicated_failover="False" dyn="False" label="" mgmt="False" security_level="0" unnum="False" unprotected="False" name="ppp" comment="" ro="False">
|
|
<IPv4 id="id4183D18A" name="firewall27:ppp:ip" comment="" ro="False" address="192.0.2.1" netmask="255.255.255.0"/>
|
|
<InterfaceOptions/>
|
|
</Interface>
|
|
<Interface id="id4183D167" dedicated_failover="False" dyn="False" label="" mgmt="True" security_level="100" unnum="False" unprotected="False" name="eth0" comment="" ro="False">
|
|
<IPv4 id="id4183D16B" name="firewall27:eth0:ip" comment="" ro="False" address="192.168.1.1" netmask="255.255.255.0"/>
|
|
<InterfaceOptions/>
|
|
</Interface>
|
|
<Interface id="id4183D16C" dedicated_failover="False" dyn="False" security_level="0" unnum="False" unprotected="False" name="eth2" comment="" ro="False">
|
|
<IPv4 id="id4183D184" name="firewall27:eth2:ip" comment="" ro="False" address="192.168.2.1" netmask="255.255.255.0"/>
|
|
<InterfaceOptions/>
|
|
</Interface>
|
|
<Management address="192.168.1.1">
|
|
<SNMPManagement enabled="False" snmp_read_community="public" snmp_write_community=""/>
|
|
<FWBDManagement enabled="True" identity="" port="9999"/>
|
|
<PolicyInstallScript arguments="" command="" enabled="False"/>
|
|
</Management>
|
|
<FirewallOptions>
|
|
<Option name="accept_established">True</Option>
|
|
<Option name="accept_new_tcp_with_no_syn">False</Option>
|
|
<Option name="action_on_reject">ICMP host prohibited</Option>
|
|
<Option name="activationCmd"/>
|
|
<Option name="admUser"/>
|
|
<Option name="altAddress"/>
|
|
<Option name="bridging_fw">False</Option>
|
|
<Option name="check_shading">False</Option>
|
|
<Option name="clamp_mss_to_mtu">True</Option>
|
|
<Option name="classify_mark_terminating">False</Option>
|
|
<Option name="cmdline"/>
|
|
<Option name="compiler"/>
|
|
<Option name="configure_interfaces">True</Option>
|
|
<Option name="debug">False</Option>
|
|
<Option name="drop_invalid">True</Option>
|
|
<Option name="dyn_addr">False</Option>
|
|
<Option name="epilog_script"/>
|
|
<Option name="firewall_dir"/>
|
|
<Option name="firewall_is_part_of_any">True</Option>
|
|
<Option name="firewall_is_part_of_any_and_networks">True</Option>
|
|
<Option name="id"/>
|
|
<Option name="ignore_empty_groups">False</Option>
|
|
<Option name="install_script"/>
|
|
<Option name="ipv4_6_order">ipv4_first</Option>
|
|
<Option name="limit_suffix">/day</Option>
|
|
<Option name="limit_value">0</Option>
|
|
<Option name="linux24_accept_redirects"/>
|
|
<Option name="linux24_accept_source_route"/>
|
|
<Option name="linux24_icmp_echo_ignore_all"/>
|
|
<Option name="linux24_icmp_echo_ignore_broadcasts"/>
|
|
<Option name="linux24_icmp_ignore_bogus_error_responses"/>
|
|
<Option name="linux24_ip_dynaddr"/>
|
|
<Option name="linux24_ip_forward"/>
|
|
<Option name="linux24_log_martians"/>
|
|
<Option name="linux24_path_ip"/>
|
|
<Option name="linux24_path_iptables"/>
|
|
<Option name="linux24_path_logger"/>
|
|
<Option name="linux24_path_lsmod"/>
|
|
<Option name="linux24_path_modprobe"/>
|
|
<Option name="linux24_rp_filter"/>
|
|
<Option name="linux24_tcp_ecn"/>
|
|
<Option name="linux24_tcp_fack"/>
|
|
<Option name="linux24_tcp_fin_timeout">30</Option>
|
|
<Option name="linux24_tcp_keepalive_interval">1800</Option>
|
|
<Option name="linux24_tcp_sack"/>
|
|
<Option name="linux24_tcp_syncookies"/>
|
|
<Option name="linux24_tcp_timestamps"/>
|
|
<Option name="linux24_tcp_window_scaling"/>
|
|
<Option name="load_modules">False</Option>
|
|
<Option name="local_nat">False</Option>
|
|
<Option name="log_all">False</Option>
|
|
<Option name="log_all_dropped">False</Option>
|
|
<Option name="log_invalid">False</Option>
|
|
<Option name="log_ip_opt">False</Option>
|
|
<Option name="log_level"/>
|
|
<Option name="log_limit_suffix"/>
|
|
<Option name="log_limit_value">0</Option>
|
|
<Option name="log_prefix"/>
|
|
<Option name="log_tcp_opt">False</Option>
|
|
<Option name="log_tcp_seq">False</Option>
|
|
<Option name="manage_virtual_addr">True</Option>
|
|
<Option name="mgmt_addr">192.168.1.1</Option>
|
|
<Option name="mgmt_ssh">True</Option>
|
|
<Option name="no_iochains_for_any">False</Option>
|
|
<Option name="no_ipv6_default_policy">False</Option>
|
|
<Option name="no_optimisation">False</Option>
|
|
<Option name="output_file"/>
|
|
<Option name="platform">iptables</Option>
|
|
<Option name="prolog_place">top</Option>
|
|
<Option name="prolog_script"/>
|
|
<Option name="script_env_path"/>
|
|
<Option name="snmp_contact"/>
|
|
<Option name="snmp_description"/>
|
|
<Option name="snmp_location"/>
|
|
<Option name="sshArgs"/>
|
|
<Option name="ulog_cprange">0</Option>
|
|
<Option name="ulog_nlgroup">1</Option>
|
|
<Option name="ulog_qthreshold">1</Option>
|
|
<Option name="use_ULOG">False</Option>
|
|
<Option name="use_iptables_restore">True</Option>
|
|
<Option name="use_numeric_log_levels">False</Option>
|
|
<Option name="verify_interfaces">True</Option>
|
|
</FirewallOptions>
|
|
</Firewall>
|
|
<Firewall id="id419DC88E" host_OS="linux24" lastCompiled="1142003872" lastInstalled="1142003872" lastModified="0" platform="iptables" version="" name="firewall28" comment=" " ro="False">
|
|
<NAT id="id419DC8B2" name="NAT" comment="" ro="False" ipv4_rule_set="False" ipv6_rule_set="False" top_rule_set="True">
|
|
<NATRule id="id419DC8C1" disabled="False" group="" position="0" action="Translate" comment="">
|
|
<OSrc neg="False">
|
|
<ObjectRef ref="net-Internal_net"/>
|
|
</OSrc>
|
|
<ODst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ODst>
|
|
<OSrv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</OSrv>
|
|
<TSrc neg="False">
|
|
<ObjectRef ref="id419DC8D4"/>
|
|
</TSrc>
|
|
<TDst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</TDst>
|
|
<TSrv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</TSrv>
|
|
<ItfInb neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ItfInb>
|
|
<ItfOutb neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ItfOutb>
|
|
<NATRuleOptions/>
|
|
</NATRule>
|
|
<RuleSetOptions/>
|
|
</NAT>
|
|
<Policy id="id419DC893" name="Policy" comment="" ro="False" ipv4_rule_set="False" ipv6_rule_set="False" top_rule_set="True">
|
|
<PolicyRule id="id419DC894" disabled="False" group="" log="False" position="0" action="Accept" direction="Both" comment="this rule should shadow rule #1 because it uses IPService object with protocol 0">
|
|
<Src neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="id419D6869"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions/>
|
|
</PolicyRule>
|
|
<PolicyRule id="id419E8B1F" disabled="False" group="" log="True" position="1" action="Deny" direction="Both" comment="">
|
|
<Src neg="False">
|
|
<ObjectRef ref="net-Internal_net"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="tcp-IRC"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="stateless">True</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<PolicyRule id="id419DC89E" disabled="False" group="" log="False" position="2" action="Accept" direction="Both" comment="">
|
|
<Src neg="False">
|
|
<ObjectRef ref="net-Internal_net"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions/>
|
|
</PolicyRule>
|
|
<PolicyRule id="id419DC8A8" disabled="False" group="" log="True" position="3" action="Deny" direction="Both" comment="">
|
|
<Src neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="stateless">True</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<RuleSetOptions/>
|
|
</Policy>
|
|
<Routing id="id419DC88E-routing" name="Routing" comment="" ro="False" ipv4_rule_set="False" ipv6_rule_set="False" top_rule_set="True">
|
|
<RuleSetOptions/>
|
|
</Routing>
|
|
<Interface id="id419DC8CF" dedicated_failover="False" dyn="False" label="" mgmt="True" security_level="100" unnum="False" unprotected="False" name="eth0" comment="" ro="False">
|
|
<IPv4 id="id419DC8D3" name="firewall28:eth0:ip" comment="" ro="False" address="192.168.1.0" netmask="255.255.255.0"/>
|
|
<InterfaceOptions/>
|
|
</Interface>
|
|
<Interface id="id419DC8D4" dedicated_failover="False" dyn="False" label="" mgmt="False" security_level="0" unnum="False" unprotected="False" name="eth1" comment="" ro="False">
|
|
<IPv4 id="id419DC8D8" name="firewall28:eth1:ip" comment="" ro="False" address="22.22.23.22" netmask="255.255.255.0"/>
|
|
<InterfaceOptions/>
|
|
</Interface>
|
|
<Management address="22.22.22.22">
|
|
<SNMPManagement enabled="False" snmp_read_community="" snmp_write_community=""/>
|
|
<FWBDManagement enabled="True" identity="" port="9999"/>
|
|
<PolicyInstallScript arguments="" command="" enabled="False"/>
|
|
</Management>
|
|
<FirewallOptions>
|
|
<Option name="accept_established">True</Option>
|
|
<Option name="accept_new_tcp_with_no_syn">True</Option>
|
|
<Option name="action_on_reject">ICMP host prohibited</Option>
|
|
<Option name="activationCmd"/>
|
|
<Option name="admUser"/>
|
|
<Option name="altAddress"/>
|
|
<Option name="bridging_fw">False</Option>
|
|
<Option name="check_shading">True</Option>
|
|
<Option name="clamp_mss_to_mtu">False</Option>
|
|
<Option name="cmdline"/>
|
|
<Option name="compiler"/>
|
|
<Option name="configure_interfaces">True</Option>
|
|
<Option name="debug">False</Option>
|
|
<Option name="drop_invalid">False</Option>
|
|
<Option name="epilog_script"/>
|
|
<Option name="firewall_dir"/>
|
|
<Option name="firewall_is_part_of_any_and_networks">True</Option>
|
|
<Option name="ignore_empty_groups">True</Option>
|
|
<Option name="limit_suffix"/>
|
|
<Option name="limit_value">0</Option>
|
|
<Option name="linux24_accept_redirects"/>
|
|
<Option name="linux24_accept_source_route"/>
|
|
<Option name="linux24_icmp_echo_ignore_all"/>
|
|
<Option name="linux24_icmp_echo_ignore_broadcasts"/>
|
|
<Option name="linux24_icmp_ignore_bogus_error_responses"/>
|
|
<Option name="linux24_ip_dynaddr"/>
|
|
<Option name="linux24_ip_forward"/>
|
|
<Option name="linux24_log_martians"/>
|
|
<Option name="linux24_path_ip"/>
|
|
<Option name="linux24_path_iptables"/>
|
|
<Option name="linux24_path_logger"/>
|
|
<Option name="linux24_path_lsmod"/>
|
|
<Option name="linux24_path_modprobe"/>
|
|
<Option name="linux24_rp_filter"/>
|
|
<Option name="linux24_tcp_ecn"/>
|
|
<Option name="linux24_tcp_fack"/>
|
|
<Option name="linux24_tcp_fin_timeout">30</Option>
|
|
<Option name="linux24_tcp_keepalive_interval">1800</Option>
|
|
<Option name="linux24_tcp_sack"/>
|
|
<Option name="linux24_tcp_syncookies"/>
|
|
<Option name="linux24_tcp_timestamps"/>
|
|
<Option name="linux24_tcp_window_scaling"/>
|
|
<Option name="load_modules">True</Option>
|
|
<Option name="local_nat">False</Option>
|
|
<Option name="log_all">False</Option>
|
|
<Option name="log_all_dropped">False</Option>
|
|
<Option name="log_invalid">False</Option>
|
|
<Option name="log_ip_opt">False</Option>
|
|
<Option name="log_level">info</Option>
|
|
<Option name="log_prefix">RULE %N -- %A </Option>
|
|
<Option name="log_tcp_opt">False</Option>
|
|
<Option name="log_tcp_seq">False</Option>
|
|
<Option name="manage_virtual_addr">True</Option>
|
|
<Option name="mgmt_addr"/>
|
|
<Option name="mgmt_ssh">False</Option>
|
|
<Option name="no_optimisation">False</Option>
|
|
<Option name="output_file"/>
|
|
<Option name="prolog_place">top</Option>
|
|
<Option name="prolog_script"/>
|
|
<Option name="snmp_contact"/>
|
|
<Option name="snmp_description"/>
|
|
<Option name="snmp_location"/>
|
|
<Option name="ulog_cprange">0</Option>
|
|
<Option name="ulog_nlgroup">1</Option>
|
|
<Option name="ulog_qthreshold">1</Option>
|
|
<Option name="use_ULOG">False</Option>
|
|
<Option name="use_iptables_restore">False</Option>
|
|
<Option name="use_numeric_log_levels">False</Option>
|
|
<Option name="verify_interfaces">False</Option>
|
|
</FirewallOptions>
|
|
</Firewall>
|
|
<Firewall id="id41D2945B" host_OS="linux24" lastCompiled="1272404390" lastInstalled="1142003872" lastModified="1298082486" platform="iptables" version="" name="firewall29" comment="two dynamic interfaces in the same policy or NAT rule. Interfaces have a dot in their names " ro="False">
|
|
<NAT id="id41D29482" name="NAT" comment="" ro="False" ipv4_rule_set="False" ipv6_rule_set="False" top_rule_set="True">
|
|
<NATRule id="id41D29483" disabled="False" group="" position="0" action="Translate" comment="">
|
|
<OSrc neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</OSrc>
|
|
<ODst neg="False">
|
|
<ObjectRef ref="id41D29492"/>
|
|
<ObjectRef ref="id41D294A9"/>
|
|
</ODst>
|
|
<OSrv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</OSrv>
|
|
<TSrc neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</TSrc>
|
|
<TDst neg="False">
|
|
<ObjectRef ref="host-hostA"/>
|
|
</TDst>
|
|
<TSrv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</TSrv>
|
|
<ItfInb neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ItfInb>
|
|
<ItfOutb neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ItfOutb>
|
|
<NATRuleOptions/>
|
|
</NATRule>
|
|
<RuleSetOptions/>
|
|
</NAT>
|
|
<Policy id="id41D29460" name="Policy" comment="" ro="False" ipv4_rule_set="False" ipv6_rule_set="False" top_rule_set="True">
|
|
<PolicyRule id="id41D2949F" disabled="False" group="" log="False" position="0" action="Accept" direction="Outbound" comment="">
|
|
<Src neg="False">
|
|
<ObjectRef ref="id41D29492"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="id41D29492"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions/>
|
|
</PolicyRule>
|
|
<PolicyRule id="id41D29461" disabled="False" group="" log="False" position="1" action="Accept" direction="Both" comment="">
|
|
<Src neg="False">
|
|
<ObjectRef ref="net-Internal_net"/>
|
|
<ObjectRef ref="id41D29492"/>
|
|
<ObjectRef ref="id41D294A9"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions/>
|
|
</PolicyRule>
|
|
<PolicyRule id="id41D2946D" disabled="False" group="" log="False" position="2" action="Accept" direction="Both" comment="">
|
|
<Src neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="id3F6D17F4"/>
|
|
<ObjectRef ref="id41D29492"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="sg-DHCP"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions/>
|
|
</PolicyRule>
|
|
<PolicyRule id="id50714X84264" disabled="False" group="" log="False" position="3" action="Accept" direction="Inbound" comment="should be --connlimit-above 10 ">
|
|
<Src neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="id41D2945B"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="tcp-SSH"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="connlimit_above_not">False</Option>
|
|
<Option name="connlimit_masklen">0</Option>
|
|
<Option name="connlimit_value">10</Option>
|
|
<Option name="firewall_is_part_of_any_and_networks"/>
|
|
<Option name="hashlimit_burst">0</Option>
|
|
<Option name="hashlimit_dstlimit">False</Option>
|
|
<Option name="hashlimit_expire">0</Option>
|
|
<Option name="hashlimit_gcinterval">0</Option>
|
|
<Option name="hashlimit_max">0</Option>
|
|
<Option name="hashlimit_mode_dstip">False</Option>
|
|
<Option name="hashlimit_mode_dstport">False</Option>
|
|
<Option name="hashlimit_mode_srcip">False</Option>
|
|
<Option name="hashlimit_mode_srcport">False</Option>
|
|
<Option name="hashlimit_name"/>
|
|
<Option name="hashlimit_size">0</Option>
|
|
<Option name="hashlimit_suffix"/>
|
|
<Option name="hashlimit_value">0</Option>
|
|
<Option name="limit_burst">0</Option>
|
|
<Option name="limit_suffix"/>
|
|
<Option name="limit_value">0</Option>
|
|
<Option name="log_level"/>
|
|
<Option name="log_prefix"/>
|
|
<Option name="stateless">False</Option>
|
|
<Option name="ulog_nlgroup">1</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<PolicyRule id="id380567X84915" disabled="False" group="" log="False" position="4" action="Accept" direction="Inbound" comment="should be ! --connlimit-above 10 ">
|
|
<Src neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="id41D2945B"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="tcp-SSH"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="connlimit_above_not">True</Option>
|
|
<Option name="connlimit_masklen">0</Option>
|
|
<Option name="connlimit_value">10</Option>
|
|
<Option name="firewall_is_part_of_any_and_networks"/>
|
|
<Option name="hashlimit_burst">0</Option>
|
|
<Option name="hashlimit_dstlimit">False</Option>
|
|
<Option name="hashlimit_expire">0</Option>
|
|
<Option name="hashlimit_gcinterval">0</Option>
|
|
<Option name="hashlimit_max">0</Option>
|
|
<Option name="hashlimit_mode_dstip">False</Option>
|
|
<Option name="hashlimit_mode_dstport">False</Option>
|
|
<Option name="hashlimit_mode_srcip">False</Option>
|
|
<Option name="hashlimit_mode_srcport">False</Option>
|
|
<Option name="hashlimit_name"/>
|
|
<Option name="hashlimit_size">0</Option>
|
|
<Option name="hashlimit_suffix"/>
|
|
<Option name="hashlimit_value">0</Option>
|
|
<Option name="limit_burst">0</Option>
|
|
<Option name="limit_suffix"/>
|
|
<Option name="limit_value">0</Option>
|
|
<Option name="log_level"/>
|
|
<Option name="log_prefix"/>
|
|
<Option name="stateless">False</Option>
|
|
<Option name="ulog_nlgroup">1</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<PolicyRule id="id41D29478" disabled="False" group="" log="True" position="5" action="Deny" direction="Both" comment="">
|
|
<Src neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="stateless">True</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<RuleSetOptions/>
|
|
</Policy>
|
|
<Routing id="id41D2945B-routing" name="Routing" comment="" ro="False" ipv4_rule_set="False" ipv6_rule_set="False" top_rule_set="True">
|
|
<RuleSetOptions/>
|
|
</Routing>
|
|
<Interface id="id41D29492" dedicated_failover="False" dyn="True" label="" mgmt="False" security_level="0" unnum="False" unprotected="False" name="eth0.200" comment="VLAN interface" ro="False">
|
|
<InterfaceOptions/>
|
|
</Interface>
|
|
<Interface id="id41D294A9" dedicated_failover="False" dyn="True" label="" mgmt="False" security_level="0" unnum="False" unprotected="False" name="eth0.100" comment="VLAN interface" ro="False">
|
|
<InterfaceOptions/>
|
|
</Interface>
|
|
<Interface id="id41D294AC" dedicated_failover="False" dyn="False" security_level="100" unnum="False" unprotected="False" name="lo" comment="" ro="False">
|
|
<IPv4 id="id41D294B0" name="firewall29:lo:ip" comment="" ro="False" address="127.0.0.1" netmask="255.0.0.0"/>
|
|
<InterfaceOptions/>
|
|
</Interface>
|
|
<Interface id="id41D294B1" dedicated_failover="False" dyn="False" label="" mgmt="True" security_level="100" unnum="False" unprotected="False" name="eth1" comment="" ro="False">
|
|
<IPv4 id="id41D294B5" name="firewall29:eth1:ip" comment="" ro="False" address="192.168.1.100" netmask="255.255.255.0"/>
|
|
<InterfaceOptions/>
|
|
</Interface>
|
|
<Management address="192.168.1.100">
|
|
<SNMPManagement enabled="False" snmp_read_community="public" snmp_write_community=""/>
|
|
<FWBDManagement enabled="True" identity="" port="9999"/>
|
|
<PolicyInstallScript arguments="" command="" enabled="False"/>
|
|
</Management>
|
|
<FirewallOptions>
|
|
<Option name="accept_established">True</Option>
|
|
<Option name="accept_new_tcp_with_no_syn">True</Option>
|
|
<Option name="action_on_reject">ICMP net unreachable</Option>
|
|
<Option name="bridging_fw">False</Option>
|
|
<Option name="check_shading">False</Option>
|
|
<Option name="clamp_mss_to_mtu">False</Option>
|
|
<Option name="cmdline"/>
|
|
<Option name="compiler"/>
|
|
<Option name="configure_interfaces">True</Option>
|
|
<Option name="debug">False</Option>
|
|
<Option name="dyn_addr">False</Option>
|
|
<Option name="firewall_is_part_of_any">True</Option>
|
|
<Option name="firewall_is_part_of_any_and_networks">True</Option>
|
|
<Option name="ignore_empty_groups">False</Option>
|
|
<Option name="inst_cmdline"/>
|
|
<Option name="inst_script"/>
|
|
<Option name="install_script"/>
|
|
<Option name="limit_suffix">/day</Option>
|
|
<Option name="limit_value">0</Option>
|
|
<Option name="linux24_accept_redirects"/>
|
|
<Option name="linux24_accept_source_route"/>
|
|
<Option name="linux24_icmp_echo_ignore_all"/>
|
|
<Option name="linux24_icmp_echo_ignore_broadcasts"/>
|
|
<Option name="linux24_icmp_ignore_bogus_error_responses"/>
|
|
<Option name="linux24_ip_dynaddr"/>
|
|
<Option name="linux24_ip_forward"/>
|
|
<Option name="linux24_log_martians"/>
|
|
<Option name="linux24_path_ip"/>
|
|
<Option name="linux24_path_iptables"/>
|
|
<Option name="linux24_path_logger"/>
|
|
<Option name="linux24_path_lsmod"/>
|
|
<Option name="linux24_path_modprobe"/>
|
|
<Option name="linux24_rp_filter"/>
|
|
<Option name="linux24_tcp_ecn"/>
|
|
<Option name="linux24_tcp_fack"/>
|
|
<Option name="linux24_tcp_fin_timeout">30</Option>
|
|
<Option name="linux24_tcp_keepalive_interval">1800</Option>
|
|
<Option name="linux24_tcp_sack"/>
|
|
<Option name="linux24_tcp_syncookies"/>
|
|
<Option name="linux24_tcp_timestamps"/>
|
|
<Option name="linux24_tcp_window_scaling"/>
|
|
<Option name="load_modules">False</Option>
|
|
<Option name="local_nat">False</Option>
|
|
<Option name="log_all">False</Option>
|
|
<Option name="log_all_dropped">False</Option>
|
|
<Option name="log_ip_opt">False</Option>
|
|
<Option name="log_level">debug</Option>
|
|
<Option name="log_limit_suffix">/second</Option>
|
|
<Option name="log_limit_value">0</Option>
|
|
<Option name="log_prefix">RULE %N -- %A on interface %I </Option>
|
|
<Option name="log_tcp_opt">False</Option>
|
|
<Option name="log_tcp_seq">False</Option>
|
|
<Option name="manage_virtual_addr">True</Option>
|
|
<Option name="no_iochains_for_any">False</Option>
|
|
<Option name="no_optimisation">False</Option>
|
|
<Option name="platform">iptables</Option>
|
|
<Option name="proxy_arp">False</Option>
|
|
<Option name="script_env_path"/>
|
|
<Option name="snmp_contact"/>
|
|
<Option name="snmp_description"/>
|
|
<Option name="snmp_location"/>
|
|
<Option name="ulog_cprange">0</Option>
|
|
<Option name="ulog_nlgroup">1</Option>
|
|
<Option name="ulog_qthreshold">1</Option>
|
|
<Option name="use_ULOG">False</Option>
|
|
<Option name="use_ip_tool">False</Option>
|
|
<Option name="use_numeric_log_levels">False</Option>
|
|
<Option name="verify_interfaces">False</Option>
|
|
</FirewallOptions>
|
|
</Firewall>
|
|
<Firewall id="id41F62B80" host_OS="linux24" lastCompiled="1272404395" lastInstalled="1142003872" lastModified="0" platform="iptables" version="" name="firewall30" comment="testing shading of rules using MAC addresses" ro="False">
|
|
<NAT id="id41F62BA4" name="NAT" comment="" ro="False" ipv4_rule_set="False" ipv6_rule_set="False" top_rule_set="True">
|
|
<RuleSetOptions/>
|
|
</NAT>
|
|
<Policy id="id41F62B85" name="Policy" comment="" ro="False" ipv4_rule_set="False" ipv6_rule_set="False" top_rule_set="True">
|
|
<PolicyRule id="id41F62B86" disabled="False" group="" log="False" position="0" action="Accept" direction="Both" comment="">
|
|
<Src neg="False">
|
|
<ObjectRef ref="id3BF1B3E2-pa"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions/>
|
|
</PolicyRule>
|
|
<PolicyRule id="id41F62B90" disabled="False" group="" log="False" position="1" action="Accept" direction="Both" comment="">
|
|
<Src neg="False">
|
|
<ObjectRef ref="id3BF1B3E8-pa"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions/>
|
|
</PolicyRule>
|
|
<PolicyRule id="id41F62B9A" disabled="False" group="" log="True" position="2" action="Deny" direction="Both" comment="">
|
|
<Src neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="stateless">True</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<RuleSetOptions/>
|
|
</Policy>
|
|
<Routing id="id41F62B80-routing" name="Routing" comment="" ro="False" ipv4_rule_set="False" ipv6_rule_set="False" top_rule_set="True">
|
|
<RuleSetOptions/>
|
|
</Routing>
|
|
<Interface id="id41F62C34" dedicated_failover="False" dyn="False" label="" mgmt="True" security_level="100" unnum="False" unprotected="False" name="eth0" comment="" ro="False">
|
|
<IPv4 id="id41F62C38" name="firewall30:eth0:ip" comment="" ro="False" address="192.168.1.1" netmask="255.255.255.0"/>
|
|
<InterfaceOptions/>
|
|
</Interface>
|
|
<Interface id="id41F62C39" dedicated_failover="False" dyn="False" security_level="0" unnum="False" unprotected="False" name="eth1" comment="" ro="False">
|
|
<IPv4 id="id41F62C51" name="firewall30:eth1:ip" comment="" ro="False" address="22.22.22.22" netmask="255.255.255.0"/>
|
|
<InterfaceOptions/>
|
|
</Interface>
|
|
<Interface id="id41F62C57" dedicated_failover="False" dyn="False" security_level="100" unnum="False" unprotected="False" name="lo" comment="" ro="False">
|
|
<IPv4 id="id41F62C5B" name="firewall30:lo:ip" comment="" ro="False" address="127.0.0.1" netmask="255.0.0.0"/>
|
|
<InterfaceOptions/>
|
|
</Interface>
|
|
<Management address="192.168.1.1">
|
|
<SNMPManagement enabled="False" snmp_read_community="public" snmp_write_community=""/>
|
|
<FWBDManagement enabled="True" identity="" port="9999"/>
|
|
<PolicyInstallScript arguments="" command="" enabled="False"/>
|
|
</Management>
|
|
<FirewallOptions>
|
|
<Option name="accept_established">True</Option>
|
|
<Option name="accept_new_tcp_with_no_syn">True</Option>
|
|
<Option name="action_on_reject">ICMP net unreachable</Option>
|
|
<Option name="bridging_fw">False</Option>
|
|
<Option name="check_shading">True</Option>
|
|
<Option name="clamp_mss_to_mtu">False</Option>
|
|
<Option name="cmdline"/>
|
|
<Option name="compiler"/>
|
|
<Option name="configure_interfaces">True</Option>
|
|
<Option name="debug">False</Option>
|
|
<Option name="dyn_addr">False</Option>
|
|
<Option name="firewall_is_part_of_any">True</Option>
|
|
<Option name="firewall_is_part_of_any_and_networks">True</Option>
|
|
<Option name="ignore_empty_groups">False</Option>
|
|
<Option name="inst_cmdline"/>
|
|
<Option name="inst_script"/>
|
|
<Option name="install_script"/>
|
|
<Option name="limit_suffix">/day</Option>
|
|
<Option name="limit_value">0</Option>
|
|
<Option name="linux24_accept_redirects"/>
|
|
<Option name="linux24_accept_source_route"/>
|
|
<Option name="linux24_icmp_echo_ignore_all"/>
|
|
<Option name="linux24_icmp_echo_ignore_broadcasts"/>
|
|
<Option name="linux24_icmp_ignore_bogus_error_responses"/>
|
|
<Option name="linux24_ip_dynaddr"/>
|
|
<Option name="linux24_ip_forward"/>
|
|
<Option name="linux24_log_martians"/>
|
|
<Option name="linux24_path_ip"/>
|
|
<Option name="linux24_path_iptables"/>
|
|
<Option name="linux24_path_logger"/>
|
|
<Option name="linux24_path_lsmod"/>
|
|
<Option name="linux24_path_modprobe"/>
|
|
<Option name="linux24_rp_filter"/>
|
|
<Option name="linux24_tcp_ecn"/>
|
|
<Option name="linux24_tcp_fack"/>
|
|
<Option name="linux24_tcp_fin_timeout">30</Option>
|
|
<Option name="linux24_tcp_keepalive_interval">1800</Option>
|
|
<Option name="linux24_tcp_sack"/>
|
|
<Option name="linux24_tcp_syncookies"/>
|
|
<Option name="linux24_tcp_timestamps"/>
|
|
<Option name="linux24_tcp_window_scaling"/>
|
|
<Option name="load_modules">False</Option>
|
|
<Option name="local_nat">False</Option>
|
|
<Option name="log_all">False</Option>
|
|
<Option name="log_all_dropped">False</Option>
|
|
<Option name="log_ip_opt">False</Option>
|
|
<Option name="log_level">debug</Option>
|
|
<Option name="log_limit_suffix">/second</Option>
|
|
<Option name="log_limit_value">0</Option>
|
|
<Option name="log_prefix">RULE %N -- %A %I</Option>
|
|
<Option name="log_tcp_opt">False</Option>
|
|
<Option name="log_tcp_seq">False</Option>
|
|
<Option name="manage_virtual_addr">True</Option>
|
|
<Option name="no_iochains_for_any">False</Option>
|
|
<Option name="no_optimisation">False</Option>
|
|
<Option name="platform">iptables</Option>
|
|
<Option name="proxy_arp">False</Option>
|
|
<Option name="script_env_path"/>
|
|
<Option name="snmp_contact"/>
|
|
<Option name="snmp_description"/>
|
|
<Option name="snmp_location"/>
|
|
<Option name="ulog_cprange">0</Option>
|
|
<Option name="ulog_nlgroup">1</Option>
|
|
<Option name="ulog_qthreshold">1</Option>
|
|
<Option name="use_ULOG">False</Option>
|
|
<Option name="use_ip_tool">False</Option>
|
|
<Option name="use_numeric_log_levels">False</Option>
|
|
<Option name="verify_interfaces">False</Option>
|
|
</FirewallOptions>
|
|
</Firewall>
|
|
<Firewall id="id429910D5" host_OS="linux24" lastCompiled="1272404397" lastInstalled="1142003872" lastModified="0" platform="iptables" version="" name="firewall31" comment="used to test time-interval (When column) matching rules, including negated intervals and multiple intervals in one rule" ro="False">
|
|
<NAT id="id429910DB" name="NAT" comment="" ro="False" ipv4_rule_set="False" ipv6_rule_set="False" top_rule_set="True">
|
|
<RuleSetOptions/>
|
|
</NAT>
|
|
<Policy id="id429910DA" name="Policy" comment="" ro="False" ipv4_rule_set="False" ipv6_rule_set="False" top_rule_set="True">
|
|
<PolicyRule id="id4299E22F" disabled="False" group="" log="True" position="0" action="Deny" direction="Both" comment="">
|
|
<Src neg="False">
|
|
<ObjectRef ref="net-Internal_net"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="id3C63479C"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="stateless">True</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<PolicyRule id="id4299E223" disabled="False" group="" log="True" position="1" action="Accept" direction="Both" comment="">
|
|
<Src neg="False">
|
|
<ObjectRef ref="net-Internal_net"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="int-afterhours"/>
|
|
</When>
|
|
<PolicyRuleOptions/>
|
|
</PolicyRule>
|
|
<PolicyRule id="id429910F3" disabled="False" group="" log="False" position="2" action="Accept" direction="Both" comment="">
|
|
<Src neg="False">
|
|
<ObjectRef ref="net-Internal_net"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="int-weekends"/>
|
|
</When>
|
|
<PolicyRuleOptions/>
|
|
</PolicyRule>
|
|
<PolicyRule id="id4299E253" disabled="False" group="" log="True" position="3" action="Accept" direction="Both" comment="">
|
|
<Src neg="False">
|
|
<ObjectRef ref="net-Internal_net"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="int-workhours"/>
|
|
</When>
|
|
<PolicyRuleOptions/>
|
|
</PolicyRule>
|
|
<PolicyRule id="id4299E23B" disabled="False" group="" log="True" position="4" action="Accept" direction="Both" comment="">
|
|
<Src neg="False">
|
|
<ObjectRef ref="net-Internal_net"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="True">
|
|
<IntervalRef ref="int-weekends"/>
|
|
</When>
|
|
<PolicyRuleOptions/>
|
|
</PolicyRule>
|
|
<PolicyRule id="id4299E247" disabled="False" group="" log="True" position="5" action="Accept" direction="Both" comment="">
|
|
<Src neg="False">
|
|
<ObjectRef ref="net-Internal_net"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="True">
|
|
<IntervalRef ref="id3C63479C"/>
|
|
<IntervalRef ref="id3C63479E"/>
|
|
</When>
|
|
<PolicyRuleOptions/>
|
|
</PolicyRule>
|
|
<PolicyRule id="id429910FD" disabled="False" group="" log="True" position="6" action="Deny" direction="Both" comment="">
|
|
<Src neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="stateless">True</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<RuleSetOptions/>
|
|
</Policy>
|
|
<Routing id="id429910D5-routing" name="Routing" comment="" ro="False" ipv4_rule_set="False" ipv6_rule_set="False" top_rule_set="True">
|
|
<RuleSetOptions/>
|
|
</Routing>
|
|
<Interface id="id429910DC" dedicated_failover="False" dyn="False" label="" mgmt="False" security_level="0" unnum="False" unprotected="False" name="eth0" comment="" ro="False">
|
|
<IPv4 id="id429910E0" name="firewall31:eth0:ip" comment="" ro="False" address="33.33.33.33" netmask="255.255.255.0"/>
|
|
<InterfaceOptions/>
|
|
</Interface>
|
|
<Interface id="id429910E1" dedicated_failover="False" dyn="False" label="" mgmt="False" security_level="100" unnum="False" unprotected="False" name="eth1" comment="" ro="False">
|
|
<IPv4 id="id429910E5" name="firewall31:eth1:ip" comment="" ro="False" address="192.168.1.1" netmask="255.255.255.0"/>
|
|
<InterfaceOptions/>
|
|
</Interface>
|
|
<Interface id="id429910EB" dedicated_failover="False" dyn="True" label="" mgmt="False" security_level="0" unnum="False" unprotected="False" name="ppp0" comment="" ro="False">
|
|
<InterfaceOptions/>
|
|
</Interface>
|
|
<Management address="0.0.0.0">
|
|
<SNMPManagement enabled="False" snmp_read_community="" snmp_write_community=""/>
|
|
<FWBDManagement enabled="True" identity="" port="9999"/>
|
|
<PolicyInstallScript arguments="" command="" enabled="False"/>
|
|
</Management>
|
|
<FirewallOptions>
|
|
<Option name="accept_established">True</Option>
|
|
<Option name="accept_new_tcp_with_no_syn">True</Option>
|
|
<Option name="action_on_reject">ICMP host prohibited</Option>
|
|
<Option name="activationCmd"/>
|
|
<Option name="admUser"/>
|
|
<Option name="altAddress"/>
|
|
<Option name="bridging_fw">False</Option>
|
|
<Option name="check_shading">False</Option>
|
|
<Option name="clamp_mss_to_mtu">False</Option>
|
|
<Option name="cmdline"/>
|
|
<Option name="compiler"/>
|
|
<Option name="configure_interfaces">True</Option>
|
|
<Option name="debug">False</Option>
|
|
<Option name="drop_invalid">False</Option>
|
|
<Option name="dyn_addr">False</Option>
|
|
<Option name="epilog_script"/>
|
|
<Option name="firewall_dir"/>
|
|
<Option name="firewall_is_part_of_any_and_networks">True</Option>
|
|
<Option name="ignore_empty_groups">False</Option>
|
|
<Option name="limit_suffix">/day</Option>
|
|
<Option name="limit_value">0</Option>
|
|
<Option name="linux24_accept_redirects"/>
|
|
<Option name="linux24_accept_source_route"/>
|
|
<Option name="linux24_icmp_echo_ignore_all"/>
|
|
<Option name="linux24_icmp_echo_ignore_broadcasts"/>
|
|
<Option name="linux24_icmp_ignore_bogus_error_responses"/>
|
|
<Option name="linux24_ip_dynaddr"/>
|
|
<Option name="linux24_ip_forward"/>
|
|
<Option name="linux24_log_martians"/>
|
|
<Option name="linux24_path_ip"/>
|
|
<Option name="linux24_path_iptables"/>
|
|
<Option name="linux24_path_logger"/>
|
|
<Option name="linux24_path_lsmod"/>
|
|
<Option name="linux24_path_modprobe"/>
|
|
<Option name="linux24_rp_filter"/>
|
|
<Option name="linux24_tcp_ecn"/>
|
|
<Option name="linux24_tcp_fack"/>
|
|
<Option name="linux24_tcp_fin_timeout">30</Option>
|
|
<Option name="linux24_tcp_keepalive_interval">1800</Option>
|
|
<Option name="linux24_tcp_sack"/>
|
|
<Option name="linux24_tcp_syncookies"/>
|
|
<Option name="linux24_tcp_timestamps"/>
|
|
<Option name="linux24_tcp_window_scaling"/>
|
|
<Option name="load_modules">True</Option>
|
|
<Option name="local_nat">False</Option>
|
|
<Option name="log_all">False</Option>
|
|
<Option name="log_all_dropped">False</Option>
|
|
<Option name="log_invalid">False</Option>
|
|
<Option name="log_ip_opt">False</Option>
|
|
<Option name="log_level">info</Option>
|
|
<Option name="log_prefix">RULE %N -- %A </Option>
|
|
<Option name="log_tcp_opt">False</Option>
|
|
<Option name="log_tcp_seq">False</Option>
|
|
<Option name="manage_virtual_addr">True</Option>
|
|
<Option name="mgmt_addr"/>
|
|
<Option name="mgmt_ssh">False</Option>
|
|
<Option name="no_optimisation">False</Option>
|
|
<Option name="output_file"/>
|
|
<Option name="prolog_place">top</Option>
|
|
<Option name="prolog_script"/>
|
|
<Option name="script_env_path"/>
|
|
<Option name="snmp_contact"/>
|
|
<Option name="snmp_description"/>
|
|
<Option name="snmp_location"/>
|
|
<Option name="sshArgs"/>
|
|
<Option name="ulog_cprange">0</Option>
|
|
<Option name="ulog_nlgroup">1</Option>
|
|
<Option name="ulog_qthreshold">1</Option>
|
|
<Option name="use_ULOG">False</Option>
|
|
<Option name="use_iptables_restore">False</Option>
|
|
<Option name="use_numeric_log_levels">False</Option>
|
|
<Option name="verify_interfaces">False</Option>
|
|
</FirewallOptions>
|
|
</Firewall>
|
|
<Firewall id="id43868A331434" host_OS="linux24" lastCompiled="1272404400" lastInstalled="1142003872" lastModified="1221975696" platform="iptables" version="" name="firewall32" comment="testing AddressTable" ro="False">
|
|
<NAT id="id43868A6D1434" name="NAT" comment="" ro="False" ipv4_rule_set="False" ipv6_rule_set="False" top_rule_set="True">
|
|
<NATRule id="id43868A6E1434" disabled="False" group="" position="0" action="Translate" comment="">
|
|
<OSrc neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</OSrc>
|
|
<ODst neg="False">
|
|
<ObjectRef ref="id43868A7F1434"/>
|
|
</ODst>
|
|
<OSrv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</OSrv>
|
|
<TSrc neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</TSrc>
|
|
<TDst neg="False">
|
|
<ObjectRef ref="host-hostA"/>
|
|
</TDst>
|
|
<TSrv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</TSrv>
|
|
<ItfInb neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ItfInb>
|
|
<ItfOutb neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ItfOutb>
|
|
<NATRuleOptions/>
|
|
</NATRule>
|
|
<RuleSetOptions/>
|
|
</NAT>
|
|
<Policy id="id43868A391434" name="Policy_fw32" comment="" ro="False" ipv4_rule_set="False" ipv6_rule_set="False" top_rule_set="True">
|
|
<PolicyRule id="id43868A461434" disabled="False" group="" log="False" position="0" action="Deny" direction="Inbound" comment="">
|
|
<Src neg="False">
|
|
<ObjectRef ref="net-Internal_net"/>
|
|
<ObjectRef ref="id43868A7F1434"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="id43868A7F1434"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="stateless">True</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<PolicyRule id="id4386CE421434" disabled="False" group="" log="False" position="1" action="Accept" direction="Both" comment="">
|
|
<Src neg="False">
|
|
<ObjectRef ref="id4385C1081434"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions/>
|
|
</PolicyRule>
|
|
<PolicyRule id="id43868A541434" disabled="False" group="" log="False" position="2" action="Accept" direction="Both" comment="">
|
|
<Src neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="id3F6D17F4"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="sg-DHCP"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions/>
|
|
</PolicyRule>
|
|
<PolicyRule id="id43868A611434" disabled="False" group="" log="True" position="3" action="Deny" direction="Both" comment="">
|
|
<Src neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="stateless">True</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<RuleSetOptions/>
|
|
</Policy>
|
|
<Routing id="id43868A7D1434" name="Routing" comment="" ro="False" ipv4_rule_set="False" ipv6_rule_set="False" top_rule_set="True">
|
|
<RuleSetOptions/>
|
|
</Routing>
|
|
<Interface id="id43868A7F1434" dedicated_failover="False" dyn="True" label="" mgmt="False" security_level="0" unnum="False" unprotected="False" name="eth0.100" comment="VLAN interface" ro="False">
|
|
<InterfaceOptions/>
|
|
</Interface>
|
|
<Interface id="id43868A801434" dedicated_failover="False" dyn="False" security_level="100" unnum="False" unprotected="False" name="lo" comment="" ro="False">
|
|
<IPv4 id="id43868A821434" name="firewall32:lo:ip" comment="" ro="False" address="127.0.0.1" netmask="255.0.0.0"/>
|
|
<InterfaceOptions/>
|
|
</Interface>
|
|
<Interface id="id43868A831434" dedicated_failover="False" dyn="False" label="" mgmt="True" security_level="100" unnum="False" unprotected="False" name="eth1" comment="" ro="False">
|
|
<IPv4 id="id43868A851434" name="firewall32:eth1:ip" comment="" ro="False" address="192.168.1.100" netmask="255.255.255.0"/>
|
|
<InterfaceOptions/>
|
|
</Interface>
|
|
<Management address="192.168.1.100">
|
|
<SNMPManagement enabled="False" snmp_read_community="public" snmp_write_community=""/>
|
|
<FWBDManagement enabled="True" identity="" port="9999"/>
|
|
<PolicyInstallScript arguments="" command="" enabled="False"/>
|
|
</Management>
|
|
<FirewallOptions>
|
|
<Option name="accept_established">True</Option>
|
|
<Option name="accept_new_tcp_with_no_syn">True</Option>
|
|
<Option name="action_on_reject">ICMP net unreachable</Option>
|
|
<Option name="activationCmd"/>
|
|
<Option name="admUser"/>
|
|
<Option name="altAddress"/>
|
|
<Option name="bridging_fw">False</Option>
|
|
<Option name="check_shading">False</Option>
|
|
<Option name="clamp_mss_to_mtu">False</Option>
|
|
<Option name="cmdline"/>
|
|
<Option name="compiler"/>
|
|
<Option name="configure_interfaces">True</Option>
|
|
<Option name="debug">False</Option>
|
|
<Option name="drop_invalid">False</Option>
|
|
<Option name="dyn_addr">False</Option>
|
|
<Option name="epilog_script"/>
|
|
<Option name="firewall_dir"/>
|
|
<Option name="firewall_is_part_of_any">True</Option>
|
|
<Option name="firewall_is_part_of_any_and_networks">True</Option>
|
|
<Option name="ignore_empty_groups">False</Option>
|
|
<Option name="inst_cmdline"/>
|
|
<Option name="inst_script"/>
|
|
<Option name="install_script"/>
|
|
<Option name="limit_suffix">/day</Option>
|
|
<Option name="limit_value">0</Option>
|
|
<Option name="linux24_accept_redirects"/>
|
|
<Option name="linux24_accept_source_route"/>
|
|
<Option name="linux24_icmp_echo_ignore_all"/>
|
|
<Option name="linux24_icmp_echo_ignore_broadcasts"/>
|
|
<Option name="linux24_icmp_ignore_bogus_error_responses"/>
|
|
<Option name="linux24_ip_dynaddr"/>
|
|
<Option name="linux24_ip_forward"/>
|
|
<Option name="linux24_log_martians"/>
|
|
<Option name="linux24_path_ip"/>
|
|
<Option name="linux24_path_iptables"/>
|
|
<Option name="linux24_path_logger"/>
|
|
<Option name="linux24_path_lsmod"/>
|
|
<Option name="linux24_path_modprobe"/>
|
|
<Option name="linux24_rp_filter"/>
|
|
<Option name="linux24_tcp_ecn"/>
|
|
<Option name="linux24_tcp_fack"/>
|
|
<Option name="linux24_tcp_fin_timeout">30</Option>
|
|
<Option name="linux24_tcp_keepalive_interval">1800</Option>
|
|
<Option name="linux24_tcp_sack"/>
|
|
<Option name="linux24_tcp_syncookies"/>
|
|
<Option name="linux24_tcp_timestamps"/>
|
|
<Option name="linux24_tcp_window_scaling"/>
|
|
<Option name="load_modules">False</Option>
|
|
<Option name="local_nat">False</Option>
|
|
<Option name="log_all">False</Option>
|
|
<Option name="log_all_dropped">False</Option>
|
|
<Option name="log_invalid">False</Option>
|
|
<Option name="log_ip_opt">False</Option>
|
|
<Option name="log_level">debug</Option>
|
|
<Option name="log_limit_suffix">/second</Option>
|
|
<Option name="log_limit_value">0</Option>
|
|
<Option name="log_prefix">RULE %N -- %A on %I </Option>
|
|
<Option name="log_tcp_opt">False</Option>
|
|
<Option name="log_tcp_seq">False</Option>
|
|
<Option name="manage_virtual_addr">True</Option>
|
|
<Option name="mgmt_addr"/>
|
|
<Option name="mgmt_ssh">False</Option>
|
|
<Option name="no_iochains_for_any">False</Option>
|
|
<Option name="no_optimisation">False</Option>
|
|
<Option name="output_file"/>
|
|
<Option name="platform">iptables</Option>
|
|
<Option name="prolog_place">top</Option>
|
|
<Option name="prolog_script"/>
|
|
<Option name="proxy_arp">False</Option>
|
|
<Option name="script_env_path"/>
|
|
<Option name="snmp_contact"/>
|
|
<Option name="snmp_description"/>
|
|
<Option name="snmp_location"/>
|
|
<Option name="sshArgs"/>
|
|
<Option name="ulog_cprange">0</Option>
|
|
<Option name="ulog_nlgroup">1</Option>
|
|
<Option name="ulog_qthreshold">1</Option>
|
|
<Option name="use_ULOG">False</Option>
|
|
<Option name="use_ip_tool">False</Option>
|
|
<Option name="use_iptables_restore">False</Option>
|
|
<Option name="use_numeric_log_levels">False</Option>
|
|
<Option name="verify_interfaces">False</Option>
|
|
</FirewallOptions>
|
|
</Firewall>
|
|
<Firewall id="id43867C1018346" host_OS="linux24" inactive="False" lastCompiled="1247364049" lastInstalled="1142003872" lastModified="1275495585" platform="iptables" version="" name="firewall33" comment="testing DNSName object" ro="False">
|
|
<NAT id="id43867C4818346" name="NAT" comment="" ro="False" ipv4_rule_set="False" ipv6_rule_set="False" top_rule_set="True">
|
|
<NATRule id="id43867C4918346" disabled="False" group="" position="0" action="Translate" comment="">
|
|
<OSrc neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</OSrc>
|
|
<ODst neg="False">
|
|
<ObjectRef ref="id43867C5818346"/>
|
|
</ODst>
|
|
<OSrv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</OSrv>
|
|
<TSrc neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</TSrc>
|
|
<TDst neg="False">
|
|
<ObjectRef ref="host-hostA"/>
|
|
</TDst>
|
|
<TSrv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</TSrv>
|
|
<ItfInb neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ItfInb>
|
|
<ItfOutb neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ItfOutb>
|
|
<NATRuleOptions/>
|
|
</NATRule>
|
|
<NATRule id="id43876E2618346" disabled="False" group="" position="1" action="Translate" comment="">
|
|
<OSrc neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</OSrc>
|
|
<ODst neg="False">
|
|
<ObjectRef ref="id43869E8C18346"/>
|
|
</ODst>
|
|
<OSrv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</OSrv>
|
|
<TSrc neg="False">
|
|
<ObjectRef ref="id43867C5818346"/>
|
|
</TSrc>
|
|
<TDst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</TDst>
|
|
<TSrv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</TSrv>
|
|
<ItfInb neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ItfInb>
|
|
<ItfOutb neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ItfOutb>
|
|
<NATRuleOptions/>
|
|
</NATRule>
|
|
<NATRule id="id43876E5218346" disabled="False" group="" position="2" action="Translate" comment="">
|
|
<OSrc neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</OSrc>
|
|
<ODst neg="False">
|
|
<ObjectRef ref="id43869E8D18346"/>
|
|
</ODst>
|
|
<OSrv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</OSrv>
|
|
<TSrc neg="False">
|
|
<ObjectRef ref="id43867C5818346"/>
|
|
</TSrc>
|
|
<TDst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</TDst>
|
|
<TSrv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</TSrv>
|
|
<ItfInb neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ItfInb>
|
|
<ItfOutb neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ItfOutb>
|
|
<NATRuleOptions/>
|
|
</NATRule>
|
|
<NATRule id="id43876E6918346" disabled="False" group="" position="3" action="Translate" comment="">
|
|
<OSrc neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</OSrc>
|
|
<ODst neg="False">
|
|
<ObjectRef ref="id43869E8D18346"/>
|
|
<ObjectRef ref="id4387287A18346"/>
|
|
</ODst>
|
|
<OSrv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</OSrv>
|
|
<TSrc neg="False">
|
|
<ObjectRef ref="id43867C5818346"/>
|
|
</TSrc>
|
|
<TDst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</TDst>
|
|
<TSrv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</TSrv>
|
|
<ItfInb neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ItfInb>
|
|
<ItfOutb neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ItfOutb>
|
|
<NATRuleOptions/>
|
|
</NATRule>
|
|
<NATRule id="id43876E7B18346" disabled="False" group="" position="4" action="Translate" comment="">
|
|
<OSrc neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</OSrc>
|
|
<ODst neg="True">
|
|
<ObjectRef ref="id43869E8D18346"/>
|
|
<ObjectRef ref="id4387287A18346"/>
|
|
</ODst>
|
|
<OSrv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</OSrv>
|
|
<TSrc neg="False">
|
|
<ObjectRef ref="id43867C5818346"/>
|
|
</TSrc>
|
|
<TDst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</TDst>
|
|
<TSrv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</TSrv>
|
|
<ItfInb neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ItfInb>
|
|
<ItfOutb neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ItfOutb>
|
|
<NATRuleOptions/>
|
|
</NATRule>
|
|
<RuleSetOptions/>
|
|
</NAT>
|
|
<Policy id="id43867C1618346" name="Policy" comment="" ro="False" ipv4_rule_set="False" ipv6_rule_set="False" top_rule_set="True">
|
|
<PolicyRule id="id43867C2418346" disabled="False" group="" log="False" position="0" action="Accept" direction="Both" comment="">
|
|
<Src neg="False">
|
|
<ObjectRef ref="id43869E8C18346"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions/>
|
|
</PolicyRule>
|
|
<PolicyRule id="id43869E9018346" disabled="False" group="" log="False" position="1" action="Accept" direction="Both" comment="">
|
|
<Src neg="False">
|
|
<ObjectRef ref="id43869E8D18346"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions/>
|
|
</PolicyRule>
|
|
<PolicyRule id="id43869E9E18346" disabled="False" group="" log="False" position="2" action="Accept" direction="Both" comment="">
|
|
<Src neg="False">
|
|
<ObjectRef ref="id43869E8E18346"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions/>
|
|
</PolicyRule>
|
|
<PolicyRule id="id43869EAA18346" disabled="False" group="" log="False" position="3" action="Accept" direction="Both" comment="">
|
|
<Src neg="False">
|
|
<ObjectRef ref="id43869E8F18346"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions/>
|
|
</PolicyRule>
|
|
<PolicyRule id="id4386E38318346" disabled="False" group="" log="False" position="4" action="Deny" direction="Both" comment="">
|
|
<Src neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Src>
|
|
<Dst neg="True">
|
|
<ObjectRef ref="id43869E8C18346"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="stateless">True</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<PolicyRule id="id4386E37718346" disabled="False" group="" log="False" position="5" action="Deny" direction="Both" comment="">
|
|
<Src neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Src>
|
|
<Dst neg="True">
|
|
<ObjectRef ref="id43869E8D18346"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="stateless">True</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<PolicyRule id="id43867C3018346" disabled="False" group="" log="False" position="6" action="Accept" direction="Both" comment="">
|
|
<Src neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Src>
|
|
<Dst neg="True">
|
|
<ObjectRef ref="id43869E8E18346"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions/>
|
|
</PolicyRule>
|
|
<PolicyRule id="id4386C10D18346" disabled="False" group="" log="False" position="7" action="Accept" direction="Both" comment="">
|
|
<Src neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Src>
|
|
<Dst neg="True">
|
|
<ObjectRef ref="id43869E8F18346"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions/>
|
|
</PolicyRule>
|
|
<PolicyRule id="id438728A918346" disabled="False" group="" log="False" position="8" action="Accept" direction="Both" comment="">
|
|
<Src neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Src>
|
|
<Dst neg="True">
|
|
<ObjectRef ref="id43869E8C18346"/>
|
|
<ObjectRef ref="id4387287918346"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions/>
|
|
</PolicyRule>
|
|
<PolicyRule id="id438728BA18346" disabled="False" group="" log="False" position="9" action="Accept" direction="Both" comment="">
|
|
<Src neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Src>
|
|
<Dst neg="True">
|
|
<ObjectRef ref="id43869E8D18346"/>
|
|
<ObjectRef ref="id4387287A18346"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions/>
|
|
</PolicyRule>
|
|
<PolicyRule id="id438728CD18346" disabled="False" group="" log="False" position="10" action="Accept" direction="Both" comment="">
|
|
<Src neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Src>
|
|
<Dst neg="True">
|
|
<ObjectRef ref="id43869E8C18346"/>
|
|
<ObjectRef ref="id4387287A18346"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions/>
|
|
</PolicyRule>
|
|
<PolicyRule id="id47CBF5D429252" disabled="False" group="" log="False" position="11" action="Accept" direction="Both" comment="test for bug #1905718: a group of DNS Name objects was considered empty">
|
|
<Src neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="id47CBF5D129252"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="color">#C0BA44</Option>
|
|
<Option name="stateless">False</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<PolicyRule id="id44703X361" disabled="False" group="" log="False" position="12" action="Accept" direction="Both" comment="">
|
|
<Src neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="id30841X361"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="stateless">False</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<PolicyRule id="id43867C3C18346" disabled="False" group="" log="True" position="13" action="Deny" direction="Both" comment="">
|
|
<Src neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="stateless">True</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<RuleSetOptions/>
|
|
</Policy>
|
|
<Routing id="id43867C5718346" name="Routing" comment="" ro="False" ipv4_rule_set="False" ipv6_rule_set="False" top_rule_set="True">
|
|
<RuleSetOptions/>
|
|
</Routing>
|
|
<Interface id="id43867C5818346" dedicated_failover="False" dyn="True" label="" mgmt="False" security_level="0" unnum="False" unprotected="False" name="eth0.100" comment="VLAN interface" ro="False">
|
|
<InterfaceOptions/>
|
|
</Interface>
|
|
<Interface id="id43867C5918346" dedicated_failover="False" dyn="False" security_level="100" unnum="False" unprotected="False" name="lo" comment="" ro="False">
|
|
<IPv4 id="id43867C5B18346" name="firewall33:lo:ip" comment="" ro="False" address="127.0.0.1" netmask="255.0.0.0"/>
|
|
<InterfaceOptions/>
|
|
</Interface>
|
|
<Interface id="id43867C5C18346" dedicated_failover="False" dyn="False" label="" mgmt="True" security_level="100" unnum="False" unprotected="False" name="eth1" comment="" ro="False">
|
|
<IPv4 id="id43867C5E18346" name="firewall33:eth1:ip" comment="" ro="False" address="192.168.1.100" netmask="255.255.255.0"/>
|
|
<InterfaceOptions/>
|
|
</Interface>
|
|
<Management address="192.168.1.100">
|
|
<SNMPManagement enabled="False" snmp_read_community="public" snmp_write_community=""/>
|
|
<FWBDManagement enabled="True" identity="" port="9999"/>
|
|
<PolicyInstallScript arguments="" command="" enabled="False"/>
|
|
</Management>
|
|
<FirewallOptions>
|
|
<Option name="accept_established">True</Option>
|
|
<Option name="accept_new_tcp_with_no_syn">True</Option>
|
|
<Option name="action_on_reject">ICMP net unreachable</Option>
|
|
<Option name="activationCmd"/>
|
|
<Option name="admUser"/>
|
|
<Option name="altAddress"/>
|
|
<Option name="bridging_fw">False</Option>
|
|
<Option name="check_shading">False</Option>
|
|
<Option name="clamp_mss_to_mtu">False</Option>
|
|
<Option name="cmdline"/>
|
|
<Option name="compiler"/>
|
|
<Option name="configure_interfaces">True</Option>
|
|
<Option name="debug">False</Option>
|
|
<Option name="drop_invalid">False</Option>
|
|
<Option name="dyn_addr">False</Option>
|
|
<Option name="epilog_script"/>
|
|
<Option name="firewall_dir"/>
|
|
<Option name="firewall_is_part_of_any">True</Option>
|
|
<Option name="firewall_is_part_of_any_and_networks">True</Option>
|
|
<Option name="ignore_empty_groups">False</Option>
|
|
<Option name="inst_cmdline"/>
|
|
<Option name="inst_script"/>
|
|
<Option name="install_script"/>
|
|
<Option name="limit_suffix">/day</Option>
|
|
<Option name="limit_value">0</Option>
|
|
<Option name="linux24_accept_redirects"/>
|
|
<Option name="linux24_accept_source_route"/>
|
|
<Option name="linux24_icmp_echo_ignore_all"/>
|
|
<Option name="linux24_icmp_echo_ignore_broadcasts"/>
|
|
<Option name="linux24_icmp_ignore_bogus_error_responses"/>
|
|
<Option name="linux24_ip_dynaddr"/>
|
|
<Option name="linux24_ip_forward"/>
|
|
<Option name="linux24_log_martians"/>
|
|
<Option name="linux24_path_ip"/>
|
|
<Option name="linux24_path_iptables"/>
|
|
<Option name="linux24_path_logger"/>
|
|
<Option name="linux24_path_lsmod"/>
|
|
<Option name="linux24_path_modprobe"/>
|
|
<Option name="linux24_rp_filter"/>
|
|
<Option name="linux24_tcp_ecn"/>
|
|
<Option name="linux24_tcp_fack"/>
|
|
<Option name="linux24_tcp_fin_timeout">30</Option>
|
|
<Option name="linux24_tcp_keepalive_interval">1800</Option>
|
|
<Option name="linux24_tcp_sack"/>
|
|
<Option name="linux24_tcp_syncookies"/>
|
|
<Option name="linux24_tcp_timestamps"/>
|
|
<Option name="linux24_tcp_window_scaling"/>
|
|
<Option name="load_modules">False</Option>
|
|
<Option name="local_nat">False</Option>
|
|
<Option name="log_all">False</Option>
|
|
<Option name="log_all_dropped">False</Option>
|
|
<Option name="log_invalid">False</Option>
|
|
<Option name="log_ip_opt">False</Option>
|
|
<Option name="log_level">debug</Option>
|
|
<Option name="log_limit_suffix">/second</Option>
|
|
<Option name="log_limit_value">0</Option>
|
|
<Option name="log_prefix">RULE %N -- %A on %I </Option>
|
|
<Option name="log_tcp_opt">False</Option>
|
|
<Option name="log_tcp_seq">False</Option>
|
|
<Option name="manage_virtual_addr">True</Option>
|
|
<Option name="mgmt_addr"/>
|
|
<Option name="mgmt_ssh">False</Option>
|
|
<Option name="no_iochains_for_any">False</Option>
|
|
<Option name="no_optimisation">False</Option>
|
|
<Option name="output_file"/>
|
|
<Option name="platform">iptables</Option>
|
|
<Option name="prolog_place">top</Option>
|
|
<Option name="prolog_script"/>
|
|
<Option name="proxy_arp">False</Option>
|
|
<Option name="script_env_path"/>
|
|
<Option name="snmp_contact"/>
|
|
<Option name="snmp_description"/>
|
|
<Option name="snmp_location"/>
|
|
<Option name="sshArgs"/>
|
|
<Option name="ulog_cprange">0</Option>
|
|
<Option name="ulog_nlgroup">1</Option>
|
|
<Option name="ulog_qthreshold">1</Option>
|
|
<Option name="use_ULOG">False</Option>
|
|
<Option name="use_ip_tool">False</Option>
|
|
<Option name="use_iptables_restore">False</Option>
|
|
<Option name="use_numeric_log_levels">False</Option>
|
|
<Option name="verify_interfaces">False</Option>
|
|
</FirewallOptions>
|
|
</Firewall>
|
|
<Firewall id="id4389EDAE18346" host_OS="linux24" inactive="False" lastCompiled="1272404436" lastInstalled="1142003872" lastModified="1297367851" platform="iptables" version="" name="firewall34" comment="testing AddressTable object" ro="False">
|
|
<NAT id="id4389EE4818346" name="NAT" comment="" ro="False" ipv4_rule_set="False" ipv6_rule_set="False" top_rule_set="True">
|
|
<NATRule id="id4389EEB018346" disabled="False" group="" position="0" action="Translate" comment="">
|
|
<OSrc neg="True">
|
|
<ObjectRef ref="id4389EE9118346"/>
|
|
</OSrc>
|
|
<ODst neg="False">
|
|
<ObjectRef ref="id4389EE8418346"/>
|
|
</ODst>
|
|
<OSrv neg="False">
|
|
<ServiceRef ref="tcp-SMTP"/>
|
|
</OSrv>
|
|
<TSrc neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</TSrc>
|
|
<TDst neg="False">
|
|
<ObjectRef ref="id43913DCB25682"/>
|
|
</TDst>
|
|
<TSrv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</TSrv>
|
|
<ItfInb neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ItfInb>
|
|
<ItfOutb neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ItfOutb>
|
|
<NATRuleOptions/>
|
|
</NATRule>
|
|
<NATRule id="id43891B6E674" disabled="False" group="" position="1" action="Translate" comment="">
|
|
<OSrc neg="False">
|
|
<ObjectRef ref="id43913DEA25682"/>
|
|
</OSrc>
|
|
<ODst neg="True">
|
|
<ObjectRef ref="id4389EE9118346"/>
|
|
</ODst>
|
|
<OSrv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</OSrv>
|
|
<TSrc neg="False">
|
|
<ObjectRef ref="id4389EE8418346"/>
|
|
</TSrc>
|
|
<TDst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</TDst>
|
|
<TSrv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</TSrv>
|
|
<ItfInb neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ItfInb>
|
|
<ItfOutb neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ItfOutb>
|
|
<NATRuleOptions/>
|
|
</NATRule>
|
|
<RuleSetOptions/>
|
|
</NAT>
|
|
<Policy id="id4389EDB418346" name="Policy" comment="" ro="False" ipv4_rule_set="False" ipv6_rule_set="False" top_rule_set="True">
|
|
<PolicyRule id="id4389EDB518346" disabled="False" group="" log="False" position="0" action="Accept" direction="Both" comment="">
|
|
<Src neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="id4389EE9018346"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="connlimit_masklen">0</Option>
|
|
<Option name="connlimit_value">0</Option>
|
|
<Option name="firewall_is_part_of_any_and_networks"/>
|
|
<Option name="hashlimit_burst">0</Option>
|
|
<Option name="hashlimit_dstlimit">False</Option>
|
|
<Option name="hashlimit_mode">dstip</Option>
|
|
<Option name="hashlimit_suffix"/>
|
|
<Option name="hashlimit_value">0</Option>
|
|
<Option name="limit_burst">0</Option>
|
|
<Option name="limit_suffix"/>
|
|
<Option name="limit_value">0</Option>
|
|
<Option name="log_level"/>
|
|
<Option name="log_prefix"/>
|
|
<Option name="stateless">False</Option>
|
|
<Option name="ulog_nlgroup">1</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<PolicyRule id="id4388CFEA674" disabled="False" group="" log="True" position="1" action="Deny" direction="Both" comment="">
|
|
<Src neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="id4389EE9118346"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="stateless">True</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<PolicyRule id="id4390C25825682" disabled="False" group="" log="True" position="2" action="Deny" direction="Both" comment="">
|
|
<Src neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="id4390C25525682"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="stateless">True</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<PolicyRule id="id4389EDC118346" disabled="False" group="" log="False" position="3" action="Deny" direction="Both" comment="">
|
|
<Src neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="id4389EE9118346"/>
|
|
<ObjectRef ref="id4388C37D674"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="tcp-SMTP"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="stateless">True</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<PolicyRule id="id43920D5025682" disabled="False" group="" log="False" position="4" action="Deny" direction="Both" comment="">
|
|
<Src neg="False">
|
|
<ObjectRef ref="id4389EE8418346"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="id4389EE9118346"/>
|
|
<ObjectRef ref="id4388C37D674"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="tcp-SMTP"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="stateless">True</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<PolicyRule id="id4388CFF8674" disabled="False" group="" log="True" position="5" action="Deny" direction="Both" comment="">
|
|
<Src neg="False">
|
|
<ObjectRef ref="id4389EE9118346"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="stateless">True</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<PolicyRule id="id4388C36F674" disabled="False" group="" log="True" position="6" action="Deny" direction="Both" comment="">
|
|
<Src neg="False">
|
|
<ObjectRef ref="id4389EE9118346"/>
|
|
<ObjectRef ref="id4388C37D674"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="stateless">True</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<PolicyRule id="id4388F5A9674" disabled="False" group="" log="False" position="7" action="Accept" direction="Both" comment="">
|
|
<Src neg="True">
|
|
<ObjectRef ref="id4389EE9118346"/>
|
|
<ObjectRef ref="id4388C37D674"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions/>
|
|
</PolicyRule>
|
|
<PolicyRule id="id4392312525682" disabled="False" group="" log="False" position="8" action="Accept" direction="Both" comment="">
|
|
<Src neg="False">
|
|
<ObjectRef ref="id4389EE8418346"/>
|
|
</Src>
|
|
<Dst neg="True">
|
|
<ObjectRef ref="id4389EE9118346"/>
|
|
<ObjectRef ref="id4388C37D674"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions/>
|
|
</PolicyRule>
|
|
<PolicyRule id="id4389EEA118346" disabled="False" group="" log="False" position="9" action="Accept" direction="Both" comment="">
|
|
<Src neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="id43913DCB25682"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="tcp-SMTP"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions/>
|
|
</PolicyRule>
|
|
<PolicyRule id="id4389EDCD18346" disabled="False" group="" log="False" position="10" action="Accept" direction="Both" comment="">
|
|
<Src neg="False">
|
|
<ObjectRef ref="id43913DEA25682"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions/>
|
|
</PolicyRule>
|
|
<PolicyRule id="id4389EE3C18346" disabled="False" group="" log="True" position="11" action="Deny" direction="Both" comment="">
|
|
<Src neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="stateless">True</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<PolicyRule id="id459673BF7794" disabled="False" group="" log="True" position="12" action="Deny" direction="Both" comment="using address table object with no addresses">
|
|
<Src neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="id459673BE7794"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="stateless">True</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<PolicyRule id="id45969FDB7794" disabled="False" group="" log="True" position="13" action="Deny" direction="Both" comment="using address table object with no addresses">
|
|
<Src neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="id45969FEC7794"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="stateless">True</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<PolicyRule id="id45948F957794" disabled="False" group="" log="False" position="14" action="Accept" direction="Both" comment="using the connlimit option. Connlimit is only valid in combination with &quot;-p tcp -m tcp&quot;">
|
|
<Src neg="False">
|
|
<ObjectRef ref="id43913DEA25682"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="id4389EE9018346"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="tcp-SMTP"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="connlimit_masklen">0</Option>
|
|
<Option name="connlimit_value">2</Option>
|
|
<Option name="firewall_is_part_of_any_and_networks"/>
|
|
<Option name="hashlimit_burst">0</Option>
|
|
<Option name="hashlimit_dstlimit">False</Option>
|
|
<Option name="hashlimit_mode">dstip</Option>
|
|
<Option name="hashlimit_suffix"/>
|
|
<Option name="hashlimit_value">0</Option>
|
|
<Option name="limit_burst">0</Option>
|
|
<Option name="limit_suffix"/>
|
|
<Option name="limit_value">0</Option>
|
|
<Option name="log_level"/>
|
|
<Option name="log_prefix"/>
|
|
<Option name="stateless">False</Option>
|
|
<Option name="ulog_nlgroup">1</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<PolicyRule id="id89724X31706" disabled="False" group="" log="False" position="15" action="Accept" direction="Both" comment="">
|
|
<Src neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="id89715X31706"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="stateless">False</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<RuleSetOptions/>
|
|
</Policy>
|
|
<Policy id="id30995X8792" name="Policy_ipv6" comment="" ro="False" ipv4_rule_set="False" ipv6_rule_set="True" top_rule_set="True">
|
|
<PolicyRule id="id31008X8792" disabled="False" group="" log="False" position="0" action="Accept" direction="Both" comment="">
|
|
<Src neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="id4389EE9018346"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="connlimit_masklen">0</Option>
|
|
<Option name="connlimit_value">0</Option>
|
|
<Option name="firewall_is_part_of_any_and_networks">False</Option>
|
|
<Option name="hashlimit_burst">0</Option>
|
|
<Option name="hashlimit_dstlimit">False</Option>
|
|
<Option name="hashlimit_mode">dstip</Option>
|
|
<Option name="hashlimit_suffix"/>
|
|
<Option name="hashlimit_value">0</Option>
|
|
<Option name="limit_burst">0</Option>
|
|
<Option name="limit_suffix"/>
|
|
<Option name="limit_value">0</Option>
|
|
<Option name="log_level"/>
|
|
<Option name="log_prefix"/>
|
|
<Option name="stateless">False</Option>
|
|
<Option name="ulog_nlgroup">1</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<PolicyRule id="id30996X8792" disabled="False" group="" log="True" position="1" action="Deny" direction="Both" comment="">
|
|
<Src neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="stateless">True</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<RuleSetOptions/>
|
|
</Policy>
|
|
<Routing id="id4389EE8318346" name="Routing" comment="" ro="False" ipv4_rule_set="False" ipv6_rule_set="False" top_rule_set="True">
|
|
<RuleSetOptions/>
|
|
</Routing>
|
|
<Interface id="id4389EE8418346" dedicated_failover="False" dyn="True" label="" mgmt="False" security_level="0" unnum="False" unprotected="False" name="eth0.100" comment="VLAN interface" ro="False">
|
|
<InterfaceOptions/>
|
|
</Interface>
|
|
<Interface id="id4389EE8518346" dedicated_failover="False" dyn="False" security_level="100" unnum="False" unprotected="False" name="lo" comment="" ro="False">
|
|
<IPv4 id="id4389EE8718346" name="firewall34:lo:ip" comment="" ro="False" address="127.0.0.1" netmask="255.0.0.0"/>
|
|
<InterfaceOptions/>
|
|
</Interface>
|
|
<Interface id="id4389EE8818346" dedicated_failover="False" dyn="False" label="" mgmt="True" security_level="100" unnum="False" unprotected="False" name="eth1" comment="" ro="False">
|
|
<IPv4 id="id4389EE8A18346" name="firewall34:eth1:ip" comment="" ro="False" address="192.168.1.100" netmask="255.255.255.0"/>
|
|
<InterfaceOptions/>
|
|
</Interface>
|
|
<Management address="192.168.1.100">
|
|
<SNMPManagement enabled="False" snmp_read_community="public" snmp_write_community=""/>
|
|
<FWBDManagement enabled="True" identity="" port="9999"/>
|
|
<PolicyInstallScript arguments="" command="" enabled="False"/>
|
|
</Management>
|
|
<FirewallOptions>
|
|
<Option name="accept_established">True</Option>
|
|
<Option name="accept_new_tcp_with_no_syn">True</Option>
|
|
<Option name="action_on_reject">ICMP net unreachable</Option>
|
|
<Option name="activationCmd"/>
|
|
<Option name="admUser"/>
|
|
<Option name="altAddress"/>
|
|
<Option name="bridging_fw">False</Option>
|
|
<Option name="check_shading">False</Option>
|
|
<Option name="clamp_mss_to_mtu">False</Option>
|
|
<Option name="cmdline"/>
|
|
<Option name="compiler"/>
|
|
<Option name="configure_interfaces">True</Option>
|
|
<Option name="debug">False</Option>
|
|
<Option name="drop_invalid">False</Option>
|
|
<Option name="dyn_addr">False</Option>
|
|
<Option name="epilog_script"/>
|
|
<Option name="firewall_dir"/>
|
|
<Option name="firewall_is_part_of_any">True</Option>
|
|
<Option name="firewall_is_part_of_any_and_networks">True</Option>
|
|
<Option name="ignore_empty_groups">True</Option>
|
|
<Option name="inst_cmdline"/>
|
|
<Option name="inst_script"/>
|
|
<Option name="install_script"/>
|
|
<Option name="limit_suffix">/day</Option>
|
|
<Option name="limit_value">0</Option>
|
|
<Option name="linux24_accept_redirects"/>
|
|
<Option name="linux24_accept_source_route"/>
|
|
<Option name="linux24_icmp_echo_ignore_all"/>
|
|
<Option name="linux24_icmp_echo_ignore_broadcasts"/>
|
|
<Option name="linux24_icmp_ignore_bogus_error_responses"/>
|
|
<Option name="linux24_ip_dynaddr"/>
|
|
<Option name="linux24_ip_forward"/>
|
|
<Option name="linux24_log_martians"/>
|
|
<Option name="linux24_path_ip"/>
|
|
<Option name="linux24_path_iptables"/>
|
|
<Option name="linux24_path_logger"/>
|
|
<Option name="linux24_path_lsmod"/>
|
|
<Option name="linux24_path_modprobe"/>
|
|
<Option name="linux24_rp_filter"/>
|
|
<Option name="linux24_tcp_ecn"/>
|
|
<Option name="linux24_tcp_fack"/>
|
|
<Option name="linux24_tcp_fin_timeout">30</Option>
|
|
<Option name="linux24_tcp_keepalive_interval">1800</Option>
|
|
<Option name="linux24_tcp_sack"/>
|
|
<Option name="linux24_tcp_syncookies"/>
|
|
<Option name="linux24_tcp_timestamps"/>
|
|
<Option name="linux24_tcp_window_scaling"/>
|
|
<Option name="load_modules">False</Option>
|
|
<Option name="local_nat">False</Option>
|
|
<Option name="log_all">False</Option>
|
|
<Option name="log_all_dropped">False</Option>
|
|
<Option name="log_invalid">False</Option>
|
|
<Option name="log_ip_opt">False</Option>
|
|
<Option name="log_level">debug</Option>
|
|
<Option name="log_limit_suffix">/second</Option>
|
|
<Option name="log_limit_value">0</Option>
|
|
<Option name="log_prefix">RULE %N -- %A on %I </Option>
|
|
<Option name="log_tcp_opt">False</Option>
|
|
<Option name="log_tcp_seq">False</Option>
|
|
<Option name="manage_virtual_addr">True</Option>
|
|
<Option name="mgmt_addr"/>
|
|
<Option name="mgmt_ssh">False</Option>
|
|
<Option name="no_iochains_for_any">False</Option>
|
|
<Option name="no_optimisation">False</Option>
|
|
<Option name="output_file"/>
|
|
<Option name="platform">iptables</Option>
|
|
<Option name="prolog_place">top</Option>
|
|
<Option name="prolog_script"/>
|
|
<Option name="proxy_arp">False</Option>
|
|
<Option name="script_env_path"/>
|
|
<Option name="snmp_contact"/>
|
|
<Option name="snmp_description"/>
|
|
<Option name="snmp_location"/>
|
|
<Option name="sshArgs"/>
|
|
<Option name="ulog_cprange">0</Option>
|
|
<Option name="ulog_nlgroup">1</Option>
|
|
<Option name="ulog_qthreshold">1</Option>
|
|
<Option name="use_ULOG">False</Option>
|
|
<Option name="use_ip_tool">False</Option>
|
|
<Option name="use_iptables_restore">False</Option>
|
|
<Option name="use_numeric_log_levels">False</Option>
|
|
<Option name="verify_interfaces">False</Option>
|
|
</FirewallOptions>
|
|
</Firewall>
|
|
<Firewall id="id439254F225682" host_OS="linux24" inactive="False" lastCompiled="1280362216" lastInstalled="1142003872" lastModified="1276021114" platform="iptables" version="" name="firewall35" comment="testing AddressTable object like firewall34, but using a different script format" ro="False">
|
|
<NAT id="id4392558E25682" name="NAT" comment="" ro="False" ipv4_rule_set="False" ipv6_rule_set="False" top_rule_set="True">
|
|
<NATRule id="id4392558F25682" disabled="False" group="" position="0" action="Translate" comment="">
|
|
<OSrc neg="True">
|
|
<ObjectRef ref="id4389EE9118346"/>
|
|
</OSrc>
|
|
<ODst neg="False">
|
|
<ObjectRef ref="id439255AC25682"/>
|
|
</ODst>
|
|
<OSrv neg="False">
|
|
<ServiceRef ref="tcp-SMTP"/>
|
|
</OSrv>
|
|
<TSrc neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</TSrc>
|
|
<TDst neg="False">
|
|
<ObjectRef ref="id43913DCB25682"/>
|
|
</TDst>
|
|
<TSrv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</TSrv>
|
|
<ItfInb neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ItfInb>
|
|
<ItfOutb neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ItfOutb>
|
|
<NATRuleOptions/>
|
|
</NATRule>
|
|
<NATRule id="id4392559D25682" disabled="False" group="" position="1" action="Translate" comment="">
|
|
<OSrc neg="False">
|
|
<ObjectRef ref="id43913DEA25682"/>
|
|
</OSrc>
|
|
<ODst neg="True">
|
|
<ObjectRef ref="id4389EE9118346"/>
|
|
</ODst>
|
|
<OSrv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</OSrv>
|
|
<TSrc neg="False">
|
|
<ObjectRef ref="id439255AC25682"/>
|
|
</TSrc>
|
|
<TDst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</TDst>
|
|
<TSrv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</TSrv>
|
|
<ItfInb neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ItfInb>
|
|
<ItfOutb neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ItfOutb>
|
|
<NATRuleOptions/>
|
|
</NATRule>
|
|
<RuleSetOptions/>
|
|
</NAT>
|
|
<Policy id="id439254F825682" name="Policy" comment="" ro="False" ipv4_rule_set="False" ipv6_rule_set="False" top_rule_set="True">
|
|
<PolicyRule id="id439254F925682" disabled="False" group="" log="False" position="0" action="Accept" direction="Both" comment="">
|
|
<Src neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="id4389EE9018346"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions/>
|
|
</PolicyRule>
|
|
<PolicyRule id="id4392550525682" disabled="False" group="" log="True" position="1" action="Deny" direction="Both" comment="">
|
|
<Src neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="id4389EE9118346"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="stateless">True</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<PolicyRule id="id4392551125682" disabled="False" group="" log="True" position="2" action="Deny" direction="Both" comment="">
|
|
<Src neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="id4390C25525682"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="stateless">True</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<PolicyRule id="id4392551D25682" disabled="False" group="" log="False" position="3" action="Deny" direction="Both" comment="">
|
|
<Src neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="id4389EE9118346"/>
|
|
<ObjectRef ref="id4388C37D674"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="tcp-SMTP"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="stateless">True</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<PolicyRule id="id4392552A25682" disabled="False" group="" log="False" position="4" action="Deny" direction="Both" comment="">
|
|
<Src neg="False">
|
|
<ObjectRef ref="id439255AC25682"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="id4389EE9118346"/>
|
|
<ObjectRef ref="id4388C37D674"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="tcp-SMTP"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="stateless">True</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<PolicyRule id="id55557X84465" disabled="False" group="" log="False" position="5" action="Branch" direction="Inbound" comment="test rule for the discussion https://sourceforge.net/projects/fwbuilder/forums/forum/16372/topic/3733964/index/page/1">
|
|
<Src neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="id439254F225682"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="action_on_reject"/>
|
|
<Option name="branch_id">id55450X84465</Option>
|
|
<Option name="classify_str"/>
|
|
<Option name="connlimit_above_not">False</Option>
|
|
<Option name="connlimit_masklen">0</Option>
|
|
<Option name="connlimit_value">0</Option>
|
|
<Option name="custom_str"/>
|
|
<Option name="firewall_is_part_of_any_and_networks"/>
|
|
<Option name="hashlimit_burst">0</Option>
|
|
<Option name="hashlimit_dstlimit">False</Option>
|
|
<Option name="hashlimit_expire">0</Option>
|
|
<Option name="hashlimit_gcinterval">0</Option>
|
|
<Option name="hashlimit_max">0</Option>
|
|
<Option name="hashlimit_mode_dstip">False</Option>
|
|
<Option name="hashlimit_mode_dstport">False</Option>
|
|
<Option name="hashlimit_mode_srcip">False</Option>
|
|
<Option name="hashlimit_mode_srcport">False</Option>
|
|
<Option name="hashlimit_name"/>
|
|
<Option name="hashlimit_size">0</Option>
|
|
<Option name="hashlimit_suffix"/>
|
|
<Option name="hashlimit_value">0</Option>
|
|
<Option name="ipf_route_opt_addr"/>
|
|
<Option name="ipf_route_opt_if"/>
|
|
<Option name="ipf_route_option">route_through</Option>
|
|
<Option name="ipfw_classify_method">2</Option>
|
|
<Option name="ipfw_pipe_port_num">0</Option>
|
|
<Option name="ipfw_pipe_queue_num">0</Option>
|
|
<Option name="ipt_branch_in_mangle">False</Option>
|
|
<Option name="ipt_continue">False</Option>
|
|
<Option name="ipt_gw"/>
|
|
<Option name="ipt_iif"/>
|
|
<Option name="ipt_mark_connections">False</Option>
|
|
<Option name="ipt_oif"/>
|
|
<Option name="ipt_tee">False</Option>
|
|
<Option name="limit_burst">0</Option>
|
|
<Option name="limit_suffix"/>
|
|
<Option name="limit_value">0</Option>
|
|
<Option name="limit_value_not">False</Option>
|
|
<Option name="log_level"/>
|
|
<Option name="log_prefix"/>
|
|
<Option name="pf_fastroute">False</Option>
|
|
<Option name="pf_route_load_option">none</Option>
|
|
<Option name="pf_route_opt_addr"/>
|
|
<Option name="pf_route_opt_if"/>
|
|
<Option name="pf_route_option">none</Option>
|
|
<Option name="rule_name_accounting"/>
|
|
<Option name="stateless">True</Option>
|
|
<Option name="ulog_nlgroup">1</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<PolicyRule id="id4392553725682" disabled="False" group="" log="True" position="6" action="Deny" direction="Both" comment="">
|
|
<Src neg="False">
|
|
<ObjectRef ref="id4389EE9118346"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="stateless">True</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<PolicyRule id="id4392554325682" disabled="False" group="" log="True" position="7" action="Deny" direction="Both" comment="">
|
|
<Src neg="False">
|
|
<ObjectRef ref="id4389EE9118346"/>
|
|
<ObjectRef ref="id4388C37D674"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="stateless">True</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<PolicyRule id="id4392555025682" disabled="False" group="" log="False" position="8" action="Accept" direction="Both" comment="">
|
|
<Src neg="True">
|
|
<ObjectRef ref="id4389EE9118346"/>
|
|
<ObjectRef ref="id4388C37D674"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions/>
|
|
</PolicyRule>
|
|
<PolicyRule id="id4392555D25682" disabled="False" group="" log="False" position="9" action="Accept" direction="Both" comment="">
|
|
<Src neg="False">
|
|
<ObjectRef ref="id439255AC25682"/>
|
|
</Src>
|
|
<Dst neg="True">
|
|
<ObjectRef ref="id4389EE9118346"/>
|
|
<ObjectRef ref="id4388C37D674"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions/>
|
|
</PolicyRule>
|
|
<PolicyRule id="id4392556A25682" disabled="False" group="" log="False" position="10" action="Accept" direction="Both" comment="">
|
|
<Src neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="id43913DCB25682"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="tcp-SMTP"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions/>
|
|
</PolicyRule>
|
|
<PolicyRule id="id4392557625682" disabled="False" group="" log="False" position="11" action="Accept" direction="Both" comment="">
|
|
<Src neg="False">
|
|
<ObjectRef ref="id43913DEA25682"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions/>
|
|
</PolicyRule>
|
|
<PolicyRule id="id4392558225682" disabled="False" group="" log="True" position="12" action="Deny" direction="Both" comment="">
|
|
<Src neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="stateless">True</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<RuleSetOptions/>
|
|
</Policy>
|
|
<Policy id="id55450X84465" name="block_local_bcast" comment="" ro="False" ipv4_rule_set="True" ipv6_rule_set="False" top_rule_set="False">
|
|
<PolicyRule id="id55485X84465" disabled="False" group="" log="False" position="0" action="Deny" direction="Both" comment="an attempt to build rule blocking local broadcast packets on the subnet where firewall has dynamic interface">
|
|
<Src neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="id55476X84465"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="stateless">True</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<RuleSetOptions>
|
|
<Option name="mangle_only_rule_set">False</Option>
|
|
</RuleSetOptions>
|
|
</Policy>
|
|
<Routing id="id439255AB25682" name="Routing" comment="" ro="False" ipv4_rule_set="False" ipv6_rule_set="False" top_rule_set="True">
|
|
<RoutingRule id="id53770X97650" disabled="True" group="" metric="0" position="0" comment="for bug 1404 - routing_functions configlet should be expanded">
|
|
<RDst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</RDst>
|
|
<RGtw neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</RGtw>
|
|
<RItf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</RItf>
|
|
<RoutingRuleOptions/>
|
|
</RoutingRule>
|
|
<RuleSetOptions/>
|
|
</Routing>
|
|
<Interface id="id439255AC25682" dedicated_failover="False" dyn="True" label="" mgmt="False" security_level="0" unnum="False" unprotected="False" name="eth0.100" comment="VLAN interface" ro="False">
|
|
<InterfaceOptions/>
|
|
</Interface>
|
|
<Interface id="id439255AD25682" dedicated_failover="False" dyn="False" security_level="100" unnum="False" unprotected="False" name="lo" comment="" ro="False">
|
|
<IPv4 id="id439255AF25682" name="firewall35:lo:ip" comment="" ro="False" address="127.0.0.1" netmask="255.0.0.0"/>
|
|
<InterfaceOptions/>
|
|
</Interface>
|
|
<Interface id="id439255B025682" dedicated_failover="False" dyn="False" label="" mgmt="True" security_level="100" unnum="False" unprotected="False" name="eth1" comment="" ro="False">
|
|
<IPv4 id="id439255B225682" name="firewall35:eth1:ip" comment="" ro="False" address="192.168.1.100" netmask="255.255.255.0"/>
|
|
<InterfaceOptions/>
|
|
</Interface>
|
|
<Management address="192.168.1.100">
|
|
<SNMPManagement enabled="False" snmp_read_community="public" snmp_write_community=""/>
|
|
<FWBDManagement enabled="True" identity="" port="9999"/>
|
|
<PolicyInstallScript arguments="" command="" enabled="False"/>
|
|
</Management>
|
|
<FirewallOptions>
|
|
<Option name="accept_established">True</Option>
|
|
<Option name="accept_new_tcp_with_no_syn">True</Option>
|
|
<Option name="action_on_reject">ICMP net unreachable</Option>
|
|
<Option name="activationCmd"/>
|
|
<Option name="admUser"/>
|
|
<Option name="altAddress"/>
|
|
<Option name="bridging_fw">False</Option>
|
|
<Option name="check_shading">False</Option>
|
|
<Option name="clamp_mss_to_mtu">True</Option>
|
|
<Option name="classify_mark_terminating">False</Option>
|
|
<Option name="cmdline"/>
|
|
<Option name="compiler"/>
|
|
<Option name="configure_interfaces">True</Option>
|
|
<Option name="debug">False</Option>
|
|
<Option name="drop_invalid">False</Option>
|
|
<Option name="dyn_addr">False</Option>
|
|
<Option name="enable_ipv6">False</Option>
|
|
<Option name="epilog_script"/>
|
|
<Option name="firewall_dir"/>
|
|
<Option name="firewall_is_part_of_any">True</Option>
|
|
<Option name="firewall_is_part_of_any_and_networks">True</Option>
|
|
<Option name="ignore_empty_groups">False</Option>
|
|
<Option name="inst_cmdline"/>
|
|
<Option name="inst_script"/>
|
|
<Option name="install_script"/>
|
|
<Option name="ipv4_6_order">ipv4_first</Option>
|
|
<Option name="limit_suffix">/day</Option>
|
|
<Option name="limit_value">0</Option>
|
|
<Option name="linux24_accept_redirects"/>
|
|
<Option name="linux24_accept_source_route"/>
|
|
<Option name="linux24_icmp_echo_ignore_all"/>
|
|
<Option name="linux24_icmp_echo_ignore_broadcasts"/>
|
|
<Option name="linux24_icmp_ignore_bogus_error_responses"/>
|
|
<Option name="linux24_ip_dynaddr"/>
|
|
<Option name="linux24_ip_forward"/>
|
|
<Option name="linux24_log_martians"/>
|
|
<Option name="linux24_path_ip"/>
|
|
<Option name="linux24_path_iptables"/>
|
|
<Option name="linux24_path_logger"/>
|
|
<Option name="linux24_path_lsmod"/>
|
|
<Option name="linux24_path_modprobe"/>
|
|
<Option name="linux24_rp_filter"/>
|
|
<Option name="linux24_tcp_ecn"/>
|
|
<Option name="linux24_tcp_fack"/>
|
|
<Option name="linux24_tcp_fin_timeout">30</Option>
|
|
<Option name="linux24_tcp_keepalive_interval">1800</Option>
|
|
<Option name="linux24_tcp_sack"/>
|
|
<Option name="linux24_tcp_syncookies"/>
|
|
<Option name="linux24_tcp_timestamps"/>
|
|
<Option name="linux24_tcp_window_scaling"/>
|
|
<Option name="load_modules">False</Option>
|
|
<Option name="local_nat">False</Option>
|
|
<Option name="log_all">False</Option>
|
|
<Option name="log_all_dropped">False</Option>
|
|
<Option name="log_invalid">False</Option>
|
|
<Option name="log_ip_opt">False</Option>
|
|
<Option name="log_level">debug</Option>
|
|
<Option name="log_limit_suffix">/second</Option>
|
|
<Option name="log_limit_value">0</Option>
|
|
<Option name="log_prefix">RULE %N -- %A on %I </Option>
|
|
<Option name="log_tcp_opt">False</Option>
|
|
<Option name="log_tcp_seq">False</Option>
|
|
<Option name="manage_virtual_addr">True</Option>
|
|
<Option name="mgmt_addr"/>
|
|
<Option name="mgmt_ssh">False</Option>
|
|
<Option name="no_iochains_for_any">False</Option>
|
|
<Option name="no_ipv6_default_policy">False</Option>
|
|
<Option name="no_optimisation">False</Option>
|
|
<Option name="output_file"/>
|
|
<Option name="platform">iptables</Option>
|
|
<Option name="prolog_place">top</Option>
|
|
<Option name="prolog_script"/>
|
|
<Option name="proxy_arp">False</Option>
|
|
<Option name="scpArgs"/>
|
|
<Option name="script_env_path"/>
|
|
<Option name="snmp_contact"/>
|
|
<Option name="snmp_description"/>
|
|
<Option name="snmp_location"/>
|
|
<Option name="sshArgs"/>
|
|
<Option name="ulog_cprange">0</Option>
|
|
<Option name="ulog_nlgroup">1</Option>
|
|
<Option name="ulog_qthreshold">1</Option>
|
|
<Option name="use_ULOG">False</Option>
|
|
<Option name="use_ip_tool">False</Option>
|
|
<Option name="use_iptables_restore">True</Option>
|
|
<Option name="use_numeric_log_levels">False</Option>
|
|
<Option name="verify_interfaces">False</Option>
|
|
</FirewallOptions>
|
|
</Firewall>
|
|
<Firewall id="id43A2BF7416451" host_OS="linux24" inactive="False" lastCompiled="1272404443" lastInstalled="1142003872" lastModified="1303247848" platform="iptables" version="" name="firewall36" comment=" testing routing rules - both actually routing and ROUTE target routing ruleset installs ECMP default" ro="False">
|
|
<NAT id="id43A2C00E16451" name="NAT" comment="" ro="False" ipv4_rule_set="False" ipv6_rule_set="False" top_rule_set="True">
|
|
<RuleSetOptions/>
|
|
</NAT>
|
|
<Policy id="id43A2BF7A16451" name="Policy" comment="" ro="False" ipv4_rule_set="False" ipv6_rule_set="False" top_rule_set="True">
|
|
<PolicyRule id="id43A2BFF616451" disabled="False" group="" log="False" position="0" action="Accept" direction="Both" comment="This permits access from internal net to the Internet and DMZ">
|
|
<Src neg="False">
|
|
<ObjectRef ref="id3DC75CE7-1"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions/>
|
|
</PolicyRule>
|
|
<PolicyRule id="id44925B5F24380" disabled="False" position="1" direction="Both" action="Continue" log="False" comment="" group="">
|
|
<Src neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="id3C20EEB5"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="action_on_reject"/>
|
|
<Option name="branch_anchor_name"/>
|
|
<Option name="branch_chain_name"/>
|
|
<Option name="classify_str"/>
|
|
<Option name="custom_str"/>
|
|
<Option name="ipf_route_opt_addr"/>
|
|
<Option name="ipf_route_opt_if"/>
|
|
<Option name="ipf_route_option">Route through</Option>
|
|
<Option name="ipfw_classify_method">2</Option>
|
|
<Option name="ipfw_pipe_port_num">0</Option>
|
|
<Option name="ipfw_pipe_queue_num">0</Option>
|
|
<Option name="ipt_continue">False</Option>
|
|
<Option name="ipt_gw"/>
|
|
<Option name="ipt_iif"/>
|
|
<Option name="ipt_mark_connections">False</Option>
|
|
<Option name="ipt_oif">eth1</Option>
|
|
<Option name="ipt_tee">False</Option>
|
|
<Option name="pf_fastroute">False</Option>
|
|
<Option name="pf_route_opt_addr"/>
|
|
<Option name="pf_route_opt_if"/>
|
|
<Option name="pf_route_option">Route through</Option>
|
|
<Option name="rule_name_accounting"/>
|
|
<Option name="stateless">True</Option>
|
|
<Option name="tagging">False</Option>
|
|
<Option name="classification">False</Option>
|
|
<Option name="routing">True</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<PolicyRule id="id44925B6C24380" disabled="False" position="2" direction="Both" action="Continue" log="False" comment="" group="">
|
|
<Src neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="tcp-HTTP"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="action_on_reject"/>
|
|
<Option name="branch_anchor_name"/>
|
|
<Option name="branch_chain_name"/>
|
|
<Option name="classify_str"/>
|
|
<Option name="custom_str"/>
|
|
<Option name="ipf_route_opt_addr"/>
|
|
<Option name="ipf_route_opt_if"/>
|
|
<Option name="ipf_route_option">Route through</Option>
|
|
<Option name="ipfw_classify_method">2</Option>
|
|
<Option name="ipfw_pipe_port_num">0</Option>
|
|
<Option name="ipfw_pipe_queue_num">0</Option>
|
|
<Option name="ipt_continue">True</Option>
|
|
<Option name="ipt_gw"/>
|
|
<Option name="ipt_iif"/>
|
|
<Option name="ipt_mark_connections">False</Option>
|
|
<Option name="ipt_oif">eth1</Option>
|
|
<Option name="ipt_tee">False</Option>
|
|
<Option name="pf_fastroute">False</Option>
|
|
<Option name="pf_route_opt_addr"/>
|
|
<Option name="pf_route_opt_if"/>
|
|
<Option name="pf_route_option">Route through</Option>
|
|
<Option name="rule_name_accounting"/>
|
|
<Option name="stateless">True</Option>
|
|
<Option name="tagging">False</Option>
|
|
<Option name="classification">False</Option>
|
|
<Option name="routing">True</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<PolicyRule id="id44925B7924380" disabled="False" position="3" direction="Both" action="Continue" log="False" comment="" group="">
|
|
<Src neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="tcp-SSH"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="action_on_reject"/>
|
|
<Option name="branch_anchor_name"/>
|
|
<Option name="branch_chain_name"/>
|
|
<Option name="classify_str"/>
|
|
<Option name="custom_str"/>
|
|
<Option name="ipf_route_opt_addr"/>
|
|
<Option name="ipf_route_opt_if"/>
|
|
<Option name="ipf_route_option">Route through</Option>
|
|
<Option name="ipfw_classify_method">2</Option>
|
|
<Option name="ipfw_pipe_port_num">0</Option>
|
|
<Option name="ipfw_pipe_queue_num">0</Option>
|
|
<Option name="ipt_continue">True</Option>
|
|
<Option name="ipt_gw">1.2.3.4</Option>
|
|
<Option name="ipt_iif"/>
|
|
<Option name="ipt_mark_connections">False</Option>
|
|
<Option name="ipt_oif"/>
|
|
<Option name="ipt_tee">False</Option>
|
|
<Option name="pf_fastroute">False</Option>
|
|
<Option name="pf_route_opt_addr"/>
|
|
<Option name="pf_route_opt_if"/>
|
|
<Option name="pf_route_option">Route through</Option>
|
|
<Option name="rule_name_accounting"/>
|
|
<Option name="stateless">True</Option>
|
|
<Option name="tagging">False</Option>
|
|
<Option name="classification">False</Option>
|
|
<Option name="routing">True</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<PolicyRule id="id4492843F24380" disabled="False" position="4" direction="Both" action="Continue" log="False" comment="" group="">
|
|
<Src neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="id3C20EEB5"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="action_on_reject"/>
|
|
<Option name="branch_anchor_name"/>
|
|
<Option name="branch_chain_name"/>
|
|
<Option name="classify_str"/>
|
|
<Option name="custom_str"/>
|
|
<Option name="ipf_route_opt_addr"/>
|
|
<Option name="ipf_route_opt_if"/>
|
|
<Option name="ipf_route_option">Route through</Option>
|
|
<Option name="ipfw_classify_method">2</Option>
|
|
<Option name="ipfw_pipe_port_num">0</Option>
|
|
<Option name="ipfw_pipe_queue_num">0</Option>
|
|
<Option name="ipt_continue">False</Option>
|
|
<Option name="ipt_gw"/>
|
|
<Option name="ipt_iif">eth1</Option>
|
|
<Option name="ipt_mark_connections">False</Option>
|
|
<Option name="ipt_oif"/>
|
|
<Option name="ipt_tee">False</Option>
|
|
<Option name="pf_fastroute">False</Option>
|
|
<Option name="pf_route_opt_addr"/>
|
|
<Option name="pf_route_opt_if"/>
|
|
<Option name="pf_route_option">Route through</Option>
|
|
<Option name="rule_name_accounting"/>
|
|
<Option name="stateless">True</Option>
|
|
<Option name="tagging">False</Option>
|
|
<Option name="classification">False</Option>
|
|
<Option name="routing">True</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<PolicyRule id="id4492844C24380" disabled="False" position="5" direction="Both" action="Continue" log="False" comment="" group="">
|
|
<Src neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="id3AEDBE6E"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="action_on_reject"/>
|
|
<Option name="branch_anchor_name"/>
|
|
<Option name="branch_chain_name"/>
|
|
<Option name="classify_str"/>
|
|
<Option name="custom_str"/>
|
|
<Option name="ipf_route_opt_addr"/>
|
|
<Option name="ipf_route_opt_if"/>
|
|
<Option name="ipf_route_option">Route through</Option>
|
|
<Option name="ipfw_classify_method">2</Option>
|
|
<Option name="ipfw_pipe_port_num">0</Option>
|
|
<Option name="ipfw_pipe_queue_num">0</Option>
|
|
<Option name="ipt_continue">False</Option>
|
|
<Option name="ipt_gw">1.2.3.4</Option>
|
|
<Option name="ipt_iif"/>
|
|
<Option name="ipt_mark_connections">False</Option>
|
|
<Option name="ipt_oif"/>
|
|
<Option name="ipt_tee">True</Option>
|
|
<Option name="pf_fastroute">False</Option>
|
|
<Option name="pf_route_opt_addr"/>
|
|
<Option name="pf_route_opt_if"/>
|
|
<Option name="pf_route_option">Route through</Option>
|
|
<Option name="rule_name_accounting"/>
|
|
<Option name="stateless">True</Option>
|
|
<Option name="tagging">False</Option>
|
|
<Option name="classification">False</Option>
|
|
<Option name="routing">True</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<PolicyRule id="id43A4EC5216451" disabled="False" group="" log="True" position="6" action="Deny" direction="Both" comment="">
|
|
<Src neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="stateless">True</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<RuleSetOptions/>
|
|
</Policy>
|
|
<Routing id="id43A2C03A16451" name="Routing" comment="" ro="False" ipv4_rule_set="False" ipv6_rule_set="False" top_rule_set="True">
|
|
<RoutingRule id="id43A3790B16451" disabled="False" group="" metric="0" position="0" comment="">
|
|
<RDst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</RDst>
|
|
<RGtw neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</RGtw>
|
|
<RItf neg="False">
|
|
<ObjectRef ref="id43A2C03B16451"/>
|
|
</RItf>
|
|
<RoutingRuleOptions/>
|
|
</RoutingRule>
|
|
<RoutingRule id="id43A3791416451" disabled="False" group="" metric="0" position="1" comment="">
|
|
<RDst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</RDst>
|
|
<RGtw neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</RGtw>
|
|
<RItf neg="False">
|
|
<ObjectRef ref="id43A2C04416451"/>
|
|
</RItf>
|
|
<RoutingRuleOptions/>
|
|
</RoutingRule>
|
|
<RoutingRule id="id40851X98946" disabled="False" group="" metric="0" position="2" comment="">
|
|
<RDst neg="False">
|
|
<ObjectRef ref="id4733FFE419714"/>
|
|
</RDst>
|
|
<RGtw neg="False">
|
|
<ObjectRef ref="id40860X98946"/>
|
|
</RGtw>
|
|
<RItf neg="False">
|
|
<ObjectRef ref="id43A2C03E16451"/>
|
|
</RItf>
|
|
<RoutingRuleOptions/>
|
|
</RoutingRule>
|
|
<RoutingRule id="id42129X3455" disabled="False" group="" metric="0" position="3" comment="">
|
|
<RDst neg="False">
|
|
<ObjectRef ref="id4368AD8615884"/>
|
|
</RDst>
|
|
<RGtw neg="False">
|
|
<ObjectRef ref="id40860X98946"/>
|
|
</RGtw>
|
|
<RItf neg="False">
|
|
<ObjectRef ref="id43A2C03E16451"/>
|
|
</RItf>
|
|
<RoutingRuleOptions/>
|
|
</RoutingRule>
|
|
<RoutingRule id="id99395X15242" disabled="False" group="" metric="0" position="4" comment="should drop ipv6 routing rule and issue warning">
|
|
<RDst neg="False">
|
|
<ObjectRef ref="id40508X82687"/>
|
|
</RDst>
|
|
<RGtw neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</RGtw>
|
|
<RItf neg="False">
|
|
<ObjectRef ref="id43A2C03E16451"/>
|
|
</RItf>
|
|
<RoutingRuleOptions/>
|
|
</RoutingRule>
|
|
<RoutingRule id="id164976X15242" disabled="False" group="" metric="0" position="5" comment="">
|
|
<RDst neg="False">
|
|
<ObjectRef ref="id3BBC0EFC"/>
|
|
</RDst>
|
|
<RGtw neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</RGtw>
|
|
<RItf neg="False">
|
|
<ObjectRef ref="id43A2C03E16451"/>
|
|
</RItf>
|
|
<RoutingRuleOptions/>
|
|
</RoutingRule>
|
|
<RuleSetOptions/>
|
|
</Routing>
|
|
<Interface id="id43A2C03B16451" dedicated_failover="False" dyn="False" label="" mgmt="False" security_level="0" unnum="False" unprotected="False" name="eth0" comment="" ro="False">
|
|
<IPv4 id="id43A2C03D16451" name="firewall36:eth0:ip" comment="This is a test address, change it to your real one" ro="False" address="192.0.2.1" netmask="255.255.255.0"/>
|
|
<InterfaceOptions/>
|
|
</Interface>
|
|
<Interface id="id43A2C03E16451" dedicated_failover="False" dyn="False" label="" mgmt="True" security_level="100" unnum="False" unprotected="False" name="eth1" comment="" ro="False">
|
|
<IPv4 id="id43A2C04016451" name="firewall36:eth1:ip" comment="" ro="False" address="192.168.1.1" netmask="255.255.255.0"/>
|
|
<InterfaceOptions/>
|
|
</Interface>
|
|
<Interface id="id43A2C04116451" dedicated_failover="False" dyn="False" label="loopback" mgmt="False" security_level="100" unnum="False" unprotected="False" name="lo" comment="" ro="False">
|
|
<IPv4 id="id43A2C04316451" name="firewall36:lo:ip" comment="" ro="False" address="127.0.0.1" netmask="255.0.0.0"/>
|
|
<InterfaceOptions/>
|
|
</Interface>
|
|
<Interface id="id43A2C04416451" dedicated_failover="False" dyn="False" label="" mgmt="False" security_level="0" unnum="False" unprotected="False" name="eth2" comment="" ro="False">
|
|
<IPv4 id="id43A2C04616451" name="firewall36:eth2:ip" comment="" ro="False" address="192.0.100.1" netmask="255.255.255.0"/>
|
|
<InterfaceOptions/>
|
|
</Interface>
|
|
<Management address="192.168.1.1">
|
|
<SNMPManagement enabled="False" snmp_read_community="" snmp_write_community=""/>
|
|
<FWBDManagement enabled="False" identity="" port="-1"/>
|
|
<PolicyInstallScript arguments="" command="" enabled="False"/>
|
|
</Management>
|
|
<FirewallOptions>
|
|
<Option name="accept_established">True</Option>
|
|
<Option name="accept_new_tcp_with_no_syn">True</Option>
|
|
<Option name="action_on_reject"/>
|
|
<Option name="activationCmd"/>
|
|
<Option name="admUser"/>
|
|
<Option name="altAddress"/>
|
|
<Option name="bridging_fw">False</Option>
|
|
<Option name="check_shading">True</Option>
|
|
<Option name="clamp_mss_to_mtu">False</Option>
|
|
<Option name="cmdline"/>
|
|
<Option name="compiler"/>
|
|
<Option name="configure_interfaces">True</Option>
|
|
<Option name="debug">False</Option>
|
|
<Option name="drop_invalid">False</Option>
|
|
<Option name="eliminate_duplicates">true</Option>
|
|
<Option name="epilog_script"/>
|
|
<Option name="firewall_dir">/etc</Option>
|
|
<Option name="firewall_is_part_of_any_and_networks">True</Option>
|
|
<Option name="freebsd_ip_forward">1</Option>
|
|
<Option name="ignore_empty_groups">False</Option>
|
|
<Option name="in_out_code">true</Option>
|
|
<Option name="limit_suffix"/>
|
|
<Option name="limit_value">0</Option>
|
|
<Option name="linux24_ip_forward">1</Option>
|
|
<Option name="load_modules">True</Option>
|
|
<Option name="local_nat">False</Option>
|
|
<Option name="log_all">False</Option>
|
|
<Option name="log_invalid">False</Option>
|
|
<Option name="log_ip_opt">False</Option>
|
|
<Option name="log_level">info</Option>
|
|
<Option name="log_prefix">RULE %N -- %A </Option>
|
|
<Option name="log_tcp_opt">False</Option>
|
|
<Option name="log_tcp_seq">False</Option>
|
|
<Option name="loopback_interface">lo0</Option>
|
|
<Option name="macosx_ip_forward">1</Option>
|
|
<Option name="manage_virtual_addr">True</Option>
|
|
<Option name="mgmt_addr"/>
|
|
<Option name="mgmt_ssh">False</Option>
|
|
<Option name="openbsd_ip_forward">1</Option>
|
|
<Option name="output_file"/>
|
|
<Option name="pass_all_out">false</Option>
|
|
<Option name="pf_limit_frags">5000</Option>
|
|
<Option name="pf_limit_states">10000</Option>
|
|
<Option name="pf_scrub_maxmss">1460</Option>
|
|
<Option name="pf_timeout_frag">30</Option>
|
|
<Option name="pf_timeout_interval">10</Option>
|
|
<Option name="pix_add_clear_statements">true</Option>
|
|
<Option name="pix_assume_fw_part_of_any">true</Option>
|
|
<Option name="pix_default_logint">300</Option>
|
|
<Option name="pix_emblem_log_format">false</Option>
|
|
<Option name="pix_emulate_out_acl">true</Option>
|
|
<Option name="pix_floodguard">true</Option>
|
|
<Option name="pix_include_comments">true</Option>
|
|
<Option name="pix_route_dnat_supported">true</Option>
|
|
<Option name="pix_rule_syslog_settings">false</Option>
|
|
<Option name="pix_security_fragguard_supported">true</Option>
|
|
<Option name="pix_syslog_device_id_supported">false</Option>
|
|
<Option name="pix_use_acl_remarks">true</Option>
|
|
<Option name="prolog_place">top</Option>
|
|
<Option name="prolog_script"/>
|
|
<Option name="prompt1">$ </Option>
|
|
<Option name="prompt2"> # </Option>
|
|
<Option name="solaris_ip_forward">1</Option>
|
|
<Option name="sshArgs"/>
|
|
<Option name="ulog_cprange">0</Option>
|
|
<Option name="ulog_nlgroup">1</Option>
|
|
<Option name="ulog_qthreshold">1</Option>
|
|
<Option name="use_ULOG">False</Option>
|
|
<Option name="use_iptables_restore">False</Option>
|
|
<Option name="use_numeric_log_levels">False</Option>
|
|
<Option name="verify_interfaces">True</Option>
|
|
</FirewallOptions>
|
|
</Firewall>
|
|
<Firewall id="id43BB80919745" host_OS="linux24" inactive="False" lastCompiled="1247364089" lastInstalled="1142003872" lastModified="1272071722" platform="iptables" version="" name="firewall37" comment="testing TAG and CLASSIFY rules normal script mode (not using iptables-restore)" ro="False">
|
|
<NAT id="id43BB80B09745" name="NAT" comment="" ro="False" ipv4_rule_set="False" ipv6_rule_set="False" top_rule_set="True">
|
|
<NATRule id="id43BB814D9745" disabled="False" group="" position="0" action="Translate" comment="">
|
|
<OSrc neg="False">
|
|
<ObjectRef ref="id43BB80919745"/>
|
|
<ObjectRef ref="net-Internal_net"/>
|
|
</OSrc>
|
|
<ODst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ODst>
|
|
<OSrv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</OSrv>
|
|
<TSrc neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</TSrc>
|
|
<TDst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</TDst>
|
|
<TSrv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</TSrv>
|
|
<ItfInb neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ItfInb>
|
|
<ItfOutb neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ItfOutb>
|
|
<NATRuleOptions/>
|
|
</NATRule>
|
|
<RuleSetOptions/>
|
|
</NAT>
|
|
<Policy id="id43BB80979745" name="Policy" comment="" ro="False" ipv4_rule_set="False" ipv6_rule_set="False" top_rule_set="True">
|
|
<PolicyRule id="id43BBA6A09745" disabled="False" position="0" direction="Both" action="Accept" log="False" comment="" group="">
|
|
<Src neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="id3CB1279B"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="action_on_reject"/>
|
|
<Option name="color">#8BC065</Option>
|
|
<Option name="rule_name_accounting"/>
|
|
<Option name="tagobject_id">id43EC877332486</Option>
|
|
<Option name="tagging">True</Option>
|
|
<Option name="classification">False</Option>
|
|
<Option name="routing">False</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<PolicyRule id="id43BBA6C49745" disabled="False" position="1" direction="Both" action="Accept" log="True" comment="" group="">
|
|
<Src neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="id3CB1279B"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="action_on_reject"/>
|
|
<Option name="color">#8BC065</Option>
|
|
<Option name="rule_name_accounting"/>
|
|
<Option name="tagobject_id">id43EC877332486</Option>
|
|
<Option name="tagging">True</Option>
|
|
<Option name="classification">False</Option>
|
|
<Option name="routing">False</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<PolicyRule id="id483502D710047" disabled="False" position="2" direction="Both" action="Accept" log="False" comment="" group="">
|
|
<Src neg="False">
|
|
<ObjectRef ref="id43BB80919745"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="id3CB1279B"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="action_on_reject"/>
|
|
<Option name="color">#8BC065</Option>
|
|
<Option name="rule_name_accounting"/>
|
|
<Option name="tagobject_id">id43EC877332486</Option>
|
|
<Option name="tagging">True</Option>
|
|
<Option name="classification">False</Option>
|
|
<Option name="routing">False</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<PolicyRule id="id30009X2275" disabled="False" position="3" direction="Outbound" action="Accept" log="False" comment="" group="">
|
|
<Src neg="False">
|
|
<ObjectRef ref="id43BB80919745"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="id3CB1279B"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="id43BB817C9745"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="action_on_reject"/>
|
|
<Option name="color">#8BC065</Option>
|
|
<Option name="rule_name_accounting"/>
|
|
<Option name="tagobject_id">id43EC877332486</Option>
|
|
<Option name="tagging">True</Option>
|
|
<Option name="classification">False</Option>
|
|
<Option name="routing">False</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<PolicyRule id="id483502E810047" disabled="False" position="4" direction="Both" action="Accept" log="True" comment="" group="">
|
|
<Src neg="False">
|
|
<ObjectRef ref="id43BB80919745"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="id3CB1279B"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="action_on_reject"/>
|
|
<Option name="color">#8BC065</Option>
|
|
<Option name="rule_name_accounting"/>
|
|
<Option name="tagobject_id">id43EC877332486</Option>
|
|
<Option name="tagging">True</Option>
|
|
<Option name="classification">False</Option>
|
|
<Option name="routing">False</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<PolicyRule id="id43501X5007" disabled="False" position="5" direction="Outbound" action="Accept" log="False" comment="" group="">
|
|
<Src neg="False">
|
|
<ObjectRef ref="id43BB817E9745"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="id3CB1279B"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="id43BB817C9745"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="action_on_reject"/>
|
|
<Option name="color">#C0BA44</Option>
|
|
<Option name="rule_name_accounting"/>
|
|
<Option name="tagobject_id">id43EC877332486</Option>
|
|
<Option name="tagging">True</Option>
|
|
<Option name="classification">False</Option>
|
|
<Option name="routing">False</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<PolicyRule id="id43518X5007" disabled="False" position="6" direction="Outbound" action="Accept" log="False" comment="" group="">
|
|
<Src neg="False">
|
|
<ObjectRef ref="id43BB817C9745"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="id3CB1279B"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="id43BB817C9745"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="action_on_reject"/>
|
|
<Option name="color">#C0BA44</Option>
|
|
<Option name="rule_name_accounting"/>
|
|
<Option name="tagobject_id">id43EC877332486</Option>
|
|
<Option name="tagging">True</Option>
|
|
<Option name="classification">False</Option>
|
|
<Option name="routing">False</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<PolicyRule id="id43535X5007" disabled="False" position="7" direction="Outbound" action="Accept" log="False" comment="" group="">
|
|
<Src neg="False">
|
|
<ObjectRef ref="id43BB80919745"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="id3CB1279B"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="id43BB817C9745"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="action_on_reject"/>
|
|
<Option name="color">#C0BA44</Option>
|
|
<Option name="rule_name_accounting"/>
|
|
<Option name="tagobject_id">id43EC877332486</Option>
|
|
<Option name="tagging">True</Option>
|
|
<Option name="classification">False</Option>
|
|
<Option name="routing">False</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<PolicyRule id="id43554X5007" disabled="False" position="8" direction="Outbound" action="Accept" log="False" comment="" group="">
|
|
<Src neg="False">
|
|
<ObjectRef ref="id43BB817E9745"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="id3CB1279B"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="id43BB817C9745"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="action_on_reject"/>
|
|
<Option name="color">#C0BA44</Option>
|
|
<Option name="connlimit_masklen">0</Option>
|
|
<Option name="connlimit_value">0</Option>
|
|
<Option name="firewall_is_part_of_any_and_networks">False</Option>
|
|
<Option name="hashlimit_burst">0</Option>
|
|
<Option name="hashlimit_dstlimit">False</Option>
|
|
<Option name="hashlimit_expire">0</Option>
|
|
<Option name="hashlimit_gcinterval">0</Option>
|
|
<Option name="hashlimit_max">0</Option>
|
|
<Option name="hashlimit_mode_dstip">False</Option>
|
|
<Option name="hashlimit_mode_dstport">False</Option>
|
|
<Option name="hashlimit_mode_srcip">False</Option>
|
|
<Option name="hashlimit_mode_srcport">False</Option>
|
|
<Option name="hashlimit_name"/>
|
|
<Option name="hashlimit_size">0</Option>
|
|
<Option name="hashlimit_suffix"/>
|
|
<Option name="hashlimit_value">0</Option>
|
|
<Option name="limit_burst">0</Option>
|
|
<Option name="limit_suffix"/>
|
|
<Option name="limit_value">0</Option>
|
|
<Option name="log_level"/>
|
|
<Option name="log_prefix"/>
|
|
<Option name="rule_name_accounting"/>
|
|
<Option name="stateless">True</Option>
|
|
<Option name="tagobject_id">id43EC877332486</Option>
|
|
<Option name="ulog_nlgroup">1</Option>
|
|
<Option name="tagging">True</Option>
|
|
<Option name="classification">False</Option>
|
|
<Option name="routing">False</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<PolicyRule id="id43571X5007" disabled="False" position="9" direction="Outbound" action="Accept" log="False" comment="" group="">
|
|
<Src neg="False">
|
|
<ObjectRef ref="id43BB817C9745"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="id3CB1279B"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="id43BB817C9745"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="action_on_reject"/>
|
|
<Option name="color">#C0BA44</Option>
|
|
<Option name="connlimit_masklen">0</Option>
|
|
<Option name="connlimit_value">0</Option>
|
|
<Option name="firewall_is_part_of_any_and_networks">False</Option>
|
|
<Option name="hashlimit_burst">0</Option>
|
|
<Option name="hashlimit_dstlimit">False</Option>
|
|
<Option name="hashlimit_expire">0</Option>
|
|
<Option name="hashlimit_gcinterval">0</Option>
|
|
<Option name="hashlimit_max">0</Option>
|
|
<Option name="hashlimit_mode_dstip">False</Option>
|
|
<Option name="hashlimit_mode_dstport">False</Option>
|
|
<Option name="hashlimit_mode_srcip">False</Option>
|
|
<Option name="hashlimit_mode_srcport">False</Option>
|
|
<Option name="hashlimit_name"/>
|
|
<Option name="hashlimit_size">0</Option>
|
|
<Option name="hashlimit_suffix"/>
|
|
<Option name="hashlimit_value">0</Option>
|
|
<Option name="limit_burst">0</Option>
|
|
<Option name="limit_suffix"/>
|
|
<Option name="limit_value">0</Option>
|
|
<Option name="log_level"/>
|
|
<Option name="log_prefix"/>
|
|
<Option name="rule_name_accounting"/>
|
|
<Option name="stateless">True</Option>
|
|
<Option name="tagobject_id">id43EC877332486</Option>
|
|
<Option name="ulog_nlgroup">1</Option>
|
|
<Option name="tagging">True</Option>
|
|
<Option name="classification">False</Option>
|
|
<Option name="routing">False</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<PolicyRule id="id43588X5007" disabled="False" position="10" direction="Outbound" action="Accept" log="False" comment="" group="">
|
|
<Src neg="False">
|
|
<ObjectRef ref="id43BB80919745"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="id3CB1279B"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="id43BB817C9745"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="action_on_reject"/>
|
|
<Option name="color">#C0BA44</Option>
|
|
<Option name="connlimit_masklen">0</Option>
|
|
<Option name="connlimit_value">0</Option>
|
|
<Option name="firewall_is_part_of_any_and_networks">False</Option>
|
|
<Option name="hashlimit_burst">0</Option>
|
|
<Option name="hashlimit_dstlimit">False</Option>
|
|
<Option name="hashlimit_expire">0</Option>
|
|
<Option name="hashlimit_gcinterval">0</Option>
|
|
<Option name="hashlimit_max">0</Option>
|
|
<Option name="hashlimit_mode_dstip">False</Option>
|
|
<Option name="hashlimit_mode_dstport">False</Option>
|
|
<Option name="hashlimit_mode_srcip">False</Option>
|
|
<Option name="hashlimit_mode_srcport">False</Option>
|
|
<Option name="hashlimit_name"/>
|
|
<Option name="hashlimit_size">0</Option>
|
|
<Option name="hashlimit_suffix"/>
|
|
<Option name="hashlimit_value">0</Option>
|
|
<Option name="limit_burst">0</Option>
|
|
<Option name="limit_suffix"/>
|
|
<Option name="limit_value">0</Option>
|
|
<Option name="log_level"/>
|
|
<Option name="log_prefix"/>
|
|
<Option name="rule_name_accounting"/>
|
|
<Option name="stateless">True</Option>
|
|
<Option name="tagobject_id">id43EC877332486</Option>
|
|
<Option name="ulog_nlgroup">1</Option>
|
|
<Option name="tagging">True</Option>
|
|
<Option name="classification">False</Option>
|
|
<Option name="routing">False</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<PolicyRule id="id43BBCC139745" disabled="False" position="11" direction="Both" action="Accept" log="True" comment="" group="">
|
|
<Src neg="True">
|
|
<ObjectRef ref="net-Internal_net"/>
|
|
<ObjectRef ref="id3B022266"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="id3CB1279B"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="action_on_reject"/>
|
|
<Option name="color">#8BC065</Option>
|
|
<Option name="rule_name_accounting"/>
|
|
<Option name="tagobject_id">id43EC877332486</Option>
|
|
<Option name="tagging">True</Option>
|
|
<Option name="classification">False</Option>
|
|
<Option name="routing">False</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<PolicyRule id="id4665E24F7765" disabled="False" position="12" direction="Both" action="Accept" log="False" comment="" group="">
|
|
<Src neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="id3CB1279B"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="id43BB817C9745"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="action_on_reject"/>
|
|
<Option name="color">#8BC065</Option>
|
|
<Option name="rule_name_accounting"/>
|
|
<Option name="tagobject_id">id43EC877332486</Option>
|
|
<Option name="tagging">True</Option>
|
|
<Option name="classification">False</Option>
|
|
<Option name="routing">False</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<PolicyRule id="id43BBCC3D9745" disabled="False" position="13" direction="Inbound" action="Accept" log="False" comment="" group="">
|
|
<Src neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="id3CB1279B"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="id43BB817C9745"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="action_on_reject"/>
|
|
<Option name="color">#8BC065</Option>
|
|
<Option name="rule_name_accounting"/>
|
|
<Option name="tagobject_id">id43EC877332486</Option>
|
|
<Option name="tagging">True</Option>
|
|
<Option name="classification">False</Option>
|
|
<Option name="routing">False</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<PolicyRule id="id459E471C10946" disabled="False" position="14" direction="Outbound" action="Accept" log="False" comment="" group="">
|
|
<Src neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="id3CB1279B"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="id43BB817C9745"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="action_on_reject"/>
|
|
<Option name="color">#8BC065</Option>
|
|
<Option name="rule_name_accounting"/>
|
|
<Option name="tagobject_id">id43EC877332486</Option>
|
|
<Option name="tagging">True</Option>
|
|
<Option name="classification">False</Option>
|
|
<Option name="routing">False</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<PolicyRule id="id4483A4BD1810" disabled="False" position="15" direction="Both" action="Accept" log="False" comment="using CONNMARK" group="">
|
|
<Src neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="id3CB1279B"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="action_on_reject"/>
|
|
<Option name="classify_str"/>
|
|
<Option name="color">#C08B5A</Option>
|
|
<Option name="custom_str"/>
|
|
<Option name="ipfw_classify_method">2</Option>
|
|
<Option name="ipfw_pipe_port_num">0</Option>
|
|
<Option name="ipfw_pipe_queue_num">0</Option>
|
|
<Option name="ipt_mark_connections">True</Option>
|
|
<Option name="rule_name_accounting"/>
|
|
<Option name="tagobject_id">id342984</Option>
|
|
<Option name="tagging">True</Option>
|
|
<Option name="classification">False</Option>
|
|
<Option name="routing">False</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<PolicyRule id="id4483A4CE1810" disabled="False" position="16" direction="Both" action="Accept" log="True" comment="using CONNMARK" group="">
|
|
<Src neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="id3CB1279B"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="action_on_reject"/>
|
|
<Option name="classify_str"/>
|
|
<Option name="color">#C08B5A</Option>
|
|
<Option name="custom_str"/>
|
|
<Option name="ipfw_classify_method">2</Option>
|
|
<Option name="ipfw_pipe_port_num">0</Option>
|
|
<Option name="ipfw_pipe_queue_num">0</Option>
|
|
<Option name="ipt_mark_connections">True</Option>
|
|
<Option name="rule_name_accounting"/>
|
|
<Option name="tagobject_id">id342984</Option>
|
|
<Option name="tagging">True</Option>
|
|
<Option name="classification">False</Option>
|
|
<Option name="routing">False</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<PolicyRule id="id4483A4DF1810" disabled="False" position="17" direction="Both" action="Accept" log="True" comment="using CONNMARK" group="">
|
|
<Src neg="True">
|
|
<ObjectRef ref="net-Internal_net"/>
|
|
<ObjectRef ref="id3B022266"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="id3CB1279B"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="action_on_reject"/>
|
|
<Option name="classify_str"/>
|
|
<Option name="color">#C08B5A</Option>
|
|
<Option name="custom_str"/>
|
|
<Option name="ipfw_classify_method">2</Option>
|
|
<Option name="ipfw_pipe_port_num">0</Option>
|
|
<Option name="ipfw_pipe_queue_num">0</Option>
|
|
<Option name="ipt_mark_connections">True</Option>
|
|
<Option name="rule_name_accounting"/>
|
|
<Option name="tagobject_id">id342984</Option>
|
|
<Option name="tagging">True</Option>
|
|
<Option name="classification">False</Option>
|
|
<Option name="routing">False</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<PolicyRule id="id4483A4F01810" disabled="False" position="18" direction="Inbound" action="Accept" log="False" comment="using CONNMARK" group="">
|
|
<Src neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="id3CB1279B"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="id43BB817C9745"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="action_on_reject"/>
|
|
<Option name="classify_str"/>
|
|
<Option name="color">#C08B5A</Option>
|
|
<Option name="custom_str"/>
|
|
<Option name="ipfw_classify_method">2</Option>
|
|
<Option name="ipfw_pipe_port_num">0</Option>
|
|
<Option name="ipfw_pipe_queue_num">0</Option>
|
|
<Option name="ipt_mark_connections">True</Option>
|
|
<Option name="rule_name_accounting"/>
|
|
<Option name="tagobject_id">id342984</Option>
|
|
<Option name="tagging">True</Option>
|
|
<Option name="classification">False</Option>
|
|
<Option name="routing">False</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<PolicyRule id="id459E472D10946" disabled="False" position="19" direction="Outbound" action="Accept" log="False" comment="using CONNMARK" group="">
|
|
<Src neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="id3CB1279B"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="id43BB817C9745"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="action_on_reject"/>
|
|
<Option name="classify_str"/>
|
|
<Option name="color">#C08B5A</Option>
|
|
<Option name="custom_str"/>
|
|
<Option name="ipfw_classify_method">2</Option>
|
|
<Option name="ipfw_pipe_port_num">0</Option>
|
|
<Option name="ipfw_pipe_queue_num">0</Option>
|
|
<Option name="ipt_mark_connections">True</Option>
|
|
<Option name="rule_name_accounting"/>
|
|
<Option name="tagobject_id">id342984</Option>
|
|
<Option name="tagging">True</Option>
|
|
<Option name="classification">False</Option>
|
|
<Option name="routing">False</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<PolicyRule id="id37410X26379" disabled="False" group="" log="False" position="20" action="Accept" direction="Both" comment="tag 0 matches a packet that has not been marked yet.">
|
|
<Src neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Dst>
|
|
<Srv neg="True">
|
|
<ServiceRef ref="id37422X26379"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="action_on_reject"/>
|
|
<Option name="classify_str"/>
|
|
<Option name="color">#C86E6E</Option>
|
|
<Option name="custom_str"/>
|
|
<Option name="ipf_route_opt_addr"/>
|
|
<Option name="ipf_route_opt_if"/>
|
|
<Option name="ipf_route_option">route_reply_through</Option>
|
|
<Option name="ipfw_classify_method">2</Option>
|
|
<Option name="ipfw_pipe_port_num">0</Option>
|
|
<Option name="ipfw_pipe_queue_num">0</Option>
|
|
<Option name="ipt_continue">False</Option>
|
|
<Option name="ipt_gw"/>
|
|
<Option name="ipt_iif"/>
|
|
<Option name="ipt_mark_connections">False</Option>
|
|
<Option name="ipt_oif"/>
|
|
<Option name="ipt_tee">False</Option>
|
|
<Option name="pf_fastroute">False</Option>
|
|
<Option name="pf_route_load_option">none</Option>
|
|
<Option name="pf_route_opt_addr"/>
|
|
<Option name="pf_route_opt_if"/>
|
|
<Option name="pf_route_option">route_reply_through</Option>
|
|
<Option name="rule_name_accounting"/>
|
|
<Option name="stateless">False</Option>
|
|
<Option name="tagobject_id">id37422X26379</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<PolicyRule id="id43BB80989745" disabled="False" group="" log="False" position="21" action="Pipe" direction="Both" comment="">
|
|
<Src neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="id3D151943"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="tcp-HTTP"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="stateless">True</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<PolicyRule id="id43BB81879745" disabled="False" position="22" direction="Both" action="Accept" log="False" comment="" group="">
|
|
<Src neg="False">
|
|
<ObjectRef ref="net-Internal_net"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="action_on_reject"/>
|
|
<Option name="classify_str">1:2</Option>
|
|
<Option name="color">#7694C0</Option>
|
|
<Option name="custom_str">-j TCPMSS --set-mss 1400</Option>
|
|
<Option name="firewall_is_part_of_any_and_networks">False</Option>
|
|
<Option name="ipfw_pipe_method">0</Option>
|
|
<Option name="ipfw_pipe_port_num">0</Option>
|
|
<Option name="limit_burst">0</Option>
|
|
<Option name="limit_suffix"/>
|
|
<Option name="limit_value">0</Option>
|
|
<Option name="log_level"/>
|
|
<Option name="log_prefix"/>
|
|
<Option name="rule_name_accounting"/>
|
|
<Option name="stateless">True</Option>
|
|
<Option name="tagvalue"/>
|
|
<Option name="ulog_nlgroup">1</Option>
|
|
<Option name="tagging">False</Option>
|
|
<Option name="classification">True</Option>
|
|
<Option name="routing">False</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<PolicyRule id="id451E2B486383" disabled="False" position="23" direction="Both" action="Accept" log="True" comment="" group="">
|
|
<Src neg="False">
|
|
<ObjectRef ref="net-Internal_net"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="action_on_reject"/>
|
|
<Option name="classify_str">1:2</Option>
|
|
<Option name="color">#7694C0</Option>
|
|
<Option name="custom_str">-j TCPMSS --set-mss 1400</Option>
|
|
<Option name="firewall_is_part_of_any_and_networks">False</Option>
|
|
<Option name="ipfw_pipe_method">0</Option>
|
|
<Option name="ipfw_pipe_port_num">0</Option>
|
|
<Option name="limit_burst">0</Option>
|
|
<Option name="limit_suffix"/>
|
|
<Option name="limit_value">0</Option>
|
|
<Option name="log_level"/>
|
|
<Option name="log_prefix"/>
|
|
<Option name="rule_name_accounting"/>
|
|
<Option name="stateless">True</Option>
|
|
<Option name="tagvalue"/>
|
|
<Option name="ulog_nlgroup">1</Option>
|
|
<Option name="tagging">False</Option>
|
|
<Option name="classification">True</Option>
|
|
<Option name="routing">False</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<PolicyRule id="id451E56936383" disabled="False" position="24" direction="Both" action="Accept" log="False" comment="" group="">
|
|
<Src neg="True">
|
|
<ObjectRef ref="net-Internal_net"/>
|
|
<ObjectRef ref="id3B022266"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="action_on_reject"/>
|
|
<Option name="classify_str">1:2</Option>
|
|
<Option name="color">#7694C0</Option>
|
|
<Option name="custom_str">-j TCPMSS --set-mss 1400</Option>
|
|
<Option name="firewall_is_part_of_any_and_networks">False</Option>
|
|
<Option name="ipfw_pipe_method">0</Option>
|
|
<Option name="ipfw_pipe_port_num">0</Option>
|
|
<Option name="limit_burst">0</Option>
|
|
<Option name="limit_suffix"/>
|
|
<Option name="limit_value">0</Option>
|
|
<Option name="log_level"/>
|
|
<Option name="log_prefix"/>
|
|
<Option name="rule_name_accounting"/>
|
|
<Option name="stateless">True</Option>
|
|
<Option name="tagvalue"/>
|
|
<Option name="ulog_nlgroup">1</Option>
|
|
<Option name="tagging">False</Option>
|
|
<Option name="classification">True</Option>
|
|
<Option name="routing">False</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<PolicyRule id="id451E56A46383" disabled="False" position="25" direction="Both" action="Accept" log="True" comment="" group="">
|
|
<Src neg="True">
|
|
<ObjectRef ref="net-Internal_net"/>
|
|
<ObjectRef ref="id3B022266"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="action_on_reject"/>
|
|
<Option name="classify_str">1:2</Option>
|
|
<Option name="color">#7694C0</Option>
|
|
<Option name="custom_str">-j TCPMSS --set-mss 1400</Option>
|
|
<Option name="firewall_is_part_of_any_and_networks">False</Option>
|
|
<Option name="ipfw_pipe_method">0</Option>
|
|
<Option name="ipfw_pipe_port_num">0</Option>
|
|
<Option name="limit_burst">0</Option>
|
|
<Option name="limit_suffix"/>
|
|
<Option name="limit_value">0</Option>
|
|
<Option name="log_level"/>
|
|
<Option name="log_prefix"/>
|
|
<Option name="rule_name_accounting"/>
|
|
<Option name="stateless">True</Option>
|
|
<Option name="tagvalue"/>
|
|
<Option name="ulog_nlgroup">1</Option>
|
|
<Option name="tagging">False</Option>
|
|
<Option name="classification">True</Option>
|
|
<Option name="routing">False</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<PolicyRule id="id451EAD596383" disabled="False" position="26" direction="Both" action="Accept" log="False" comment="" group="">
|
|
<Src neg="False">
|
|
<ObjectRef ref="net-Internal_net"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="id43BB817C9745"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="action_on_reject"/>
|
|
<Option name="classify_str">1:2</Option>
|
|
<Option name="color">#7694C0</Option>
|
|
<Option name="custom_str">-j TCPMSS --set-mss 1400</Option>
|
|
<Option name="firewall_is_part_of_any_and_networks">False</Option>
|
|
<Option name="ipfw_pipe_method">0</Option>
|
|
<Option name="ipfw_pipe_port_num">0</Option>
|
|
<Option name="limit_burst">0</Option>
|
|
<Option name="limit_suffix"/>
|
|
<Option name="limit_value">0</Option>
|
|
<Option name="log_level"/>
|
|
<Option name="log_prefix"/>
|
|
<Option name="rule_name_accounting"/>
|
|
<Option name="stateless">True</Option>
|
|
<Option name="tagvalue"/>
|
|
<Option name="ulog_nlgroup">1</Option>
|
|
<Option name="tagging">False</Option>
|
|
<Option name="classification">True</Option>
|
|
<Option name="routing">False</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<PolicyRule id="id451EAD6A6383" disabled="False" position="27" direction="Both" action="Accept" log="True" comment="" group="">
|
|
<Src neg="False">
|
|
<ObjectRef ref="net-Internal_net"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="id43BB817C9745"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="action_on_reject"/>
|
|
<Option name="classify_str">1:2</Option>
|
|
<Option name="color">#7694C0</Option>
|
|
<Option name="custom_str">-j TCPMSS --set-mss 1400</Option>
|
|
<Option name="firewall_is_part_of_any_and_networks">False</Option>
|
|
<Option name="ipfw_pipe_method">0</Option>
|
|
<Option name="ipfw_pipe_port_num">0</Option>
|
|
<Option name="limit_burst">0</Option>
|
|
<Option name="limit_suffix"/>
|
|
<Option name="limit_value">0</Option>
|
|
<Option name="log_level"/>
|
|
<Option name="log_prefix"/>
|
|
<Option name="rule_name_accounting"/>
|
|
<Option name="stateless">True</Option>
|
|
<Option name="tagvalue"/>
|
|
<Option name="ulog_nlgroup">1</Option>
|
|
<Option name="tagging">False</Option>
|
|
<Option name="classification">True</Option>
|
|
<Option name="routing">False</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<PolicyRule id="id451ED8E76383" disabled="False" position="28" direction="Both" action="Accept" log="False" comment="" group="">
|
|
<Src neg="False">
|
|
<ObjectRef ref="net-Internal_net"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</Srv>
|
|
<Itf neg="True">
|
|
<ObjectRef ref="id43BB817C9745"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="action_on_reject"/>
|
|
<Option name="classify_str">1:2</Option>
|
|
<Option name="color">#7694C0</Option>
|
|
<Option name="custom_str">-j TCPMSS --set-mss 1400</Option>
|
|
<Option name="firewall_is_part_of_any_and_networks">False</Option>
|
|
<Option name="ipfw_pipe_method">0</Option>
|
|
<Option name="ipfw_pipe_port_num">0</Option>
|
|
<Option name="limit_burst">0</Option>
|
|
<Option name="limit_suffix"/>
|
|
<Option name="limit_value">0</Option>
|
|
<Option name="log_level"/>
|
|
<Option name="log_prefix"/>
|
|
<Option name="rule_name_accounting"/>
|
|
<Option name="stateless">True</Option>
|
|
<Option name="tagvalue"/>
|
|
<Option name="ulog_nlgroup">1</Option>
|
|
<Option name="tagging">False</Option>
|
|
<Option name="classification">True</Option>
|
|
<Option name="routing">False</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<PolicyRule id="id451ED8F86383" disabled="False" position="29" direction="Both" action="Accept" log="True" comment="" group="">
|
|
<Src neg="False">
|
|
<ObjectRef ref="net-Internal_net"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</Srv>
|
|
<Itf neg="True">
|
|
<ObjectRef ref="id43BB817C9745"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="action_on_reject"/>
|
|
<Option name="classify_str">1:2</Option>
|
|
<Option name="color">#7694C0</Option>
|
|
<Option name="custom_str">-j TCPMSS --set-mss 1400</Option>
|
|
<Option name="firewall_is_part_of_any_and_networks">False</Option>
|
|
<Option name="ipfw_pipe_method">0</Option>
|
|
<Option name="ipfw_pipe_port_num">0</Option>
|
|
<Option name="limit_burst">0</Option>
|
|
<Option name="limit_suffix"/>
|
|
<Option name="limit_value">0</Option>
|
|
<Option name="log_level"/>
|
|
<Option name="log_prefix"/>
|
|
<Option name="rule_name_accounting"/>
|
|
<Option name="stateless">True</Option>
|
|
<Option name="tagvalue"/>
|
|
<Option name="ulog_nlgroup">1</Option>
|
|
<Option name="tagging">False</Option>
|
|
<Option name="classification">True</Option>
|
|
<Option name="routing">False</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<PolicyRule id="id4599A9DC19324" disabled="False" position="30" direction="Both" action="Accept" log="False" comment="testing for bug #1618381: classify action is non-terminating in this firewall object" group="">
|
|
<Src neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="icmp-Unreachables"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="action_on_reject"/>
|
|
<Option name="classify_str">1:10</Option>
|
|
<Option name="color">#C0BA44</Option>
|
|
<Option name="custom_str"/>
|
|
<Option name="ipf_route_opt_addr"/>
|
|
<Option name="ipf_route_opt_if"/>
|
|
<Option name="ipf_route_option">route_through</Option>
|
|
<Option name="ipfw_classify_method">2</Option>
|
|
<Option name="ipfw_pipe_port_num">0</Option>
|
|
<Option name="ipfw_pipe_queue_num">0</Option>
|
|
<Option name="ipt_continue">False</Option>
|
|
<Option name="ipt_gw"/>
|
|
<Option name="ipt_iif"/>
|
|
<Option name="ipt_mark_connections">False</Option>
|
|
<Option name="ipt_mark_prerouting">False</Option>
|
|
<Option name="ipt_oif"/>
|
|
<Option name="ipt_tee">False</Option>
|
|
<Option name="pf_fastroute">False</Option>
|
|
<Option name="pf_route_opt_addr"/>
|
|
<Option name="pf_route_opt_if"/>
|
|
<Option name="pf_route_option">route_through</Option>
|
|
<Option name="rule_name_accounting"/>
|
|
<Option name="stateless">True</Option>
|
|
<Option name="tagging">False</Option>
|
|
<Option name="classification">True</Option>
|
|
<Option name="routing">False</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<PolicyRule id="id4599A9E919324" disabled="False" position="31" direction="Both" action="Accept" log="False" comment="second rule for bug #1618381" group="">
|
|
<Src neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="id43BB81799745"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="action_on_reject"/>
|
|
<Option name="classify_str">1:11</Option>
|
|
<Option name="color">#C0BA44</Option>
|
|
<Option name="custom_str"/>
|
|
<Option name="ipf_route_opt_addr"/>
|
|
<Option name="ipf_route_opt_if"/>
|
|
<Option name="ipf_route_option">route_through</Option>
|
|
<Option name="ipfw_classify_method">2</Option>
|
|
<Option name="ipfw_pipe_port_num">0</Option>
|
|
<Option name="ipfw_pipe_queue_num">0</Option>
|
|
<Option name="ipt_continue">False</Option>
|
|
<Option name="ipt_gw"/>
|
|
<Option name="ipt_iif"/>
|
|
<Option name="ipt_mark_connections">False</Option>
|
|
<Option name="ipt_mark_prerouting">False</Option>
|
|
<Option name="ipt_oif"/>
|
|
<Option name="ipt_tee">False</Option>
|
|
<Option name="pf_fastroute">False</Option>
|
|
<Option name="pf_route_opt_addr"/>
|
|
<Option name="pf_route_opt_if"/>
|
|
<Option name="pf_route_option">route_through</Option>
|
|
<Option name="rule_name_accounting"/>
|
|
<Option name="stateless">True</Option>
|
|
<Option name="tagging">False</Option>
|
|
<Option name="classification">True</Option>
|
|
<Option name="routing">False</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<PolicyRule id="id459A026219324" disabled="False" position="32" direction="Both" action="Accept" log="False" comment="Regression test for bug #1618381: negated Src holding two objects (net-Internal_net, id3B022266) with a single service (icmp-Unreachables)" group="">
|
|
<Src neg="True">
|
|
<ObjectRef ref="net-Internal_net"/>
|
|
<ObjectRef ref="id3B022266"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="icmp-Unreachables"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="action_on_reject"/>
|
|
<Option name="classify_str">1:10</Option>
|
|
<Option name="color">#C0BA44</Option>
|
|
<Option name="custom_str"/>
|
|
<Option name="ipf_route_opt_addr"/>
|
|
<Option name="ipf_route_opt_if"/>
|
|
<Option name="ipf_route_option">route_through</Option>
|
|
<Option name="ipfw_classify_method">2</Option>
|
|
<Option name="ipfw_pipe_port_num">0</Option>
|
|
<Option name="ipfw_pipe_queue_num">0</Option>
|
|
<Option name="ipt_continue">False</Option>
|
|
<Option name="ipt_gw"/>
|
|
<Option name="ipt_iif"/>
|
|
<Option name="ipt_mark_connections">False</Option>
|
|
<Option name="ipt_mark_prerouting">False</Option>
|
|
<Option name="ipt_oif"/>
|
|
<Option name="ipt_tee">False</Option>
|
|
<Option name="pf_fastroute">False</Option>
|
|
<Option name="pf_route_opt_addr"/>
|
|
<Option name="pf_route_opt_if"/>
|
|
<Option name="pf_route_option">route_through</Option>
|
|
<Option name="rule_name_accounting"/>
|
|
<Option name="stateless">True</Option>
|
|
<Option name="tagging">False</Option>
|
|
<Option name="classification">True</Option>
|
|
<Option name="routing">False</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<PolicyRule id="id459A5AFB19324" disabled="False" position="33" direction="Both" action="Accept" log="False" comment="Regression test for bug #1618381: negated Src holding two objects (net-Internal_net, id3B022266) with two services (icmp-Unreachables, tcp-HTTP)" group="">
|
|
<Src neg="True">
|
|
<ObjectRef ref="net-Internal_net"/>
|
|
<ObjectRef ref="id3B022266"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="icmp-Unreachables"/>
|
|
<ServiceRef ref="tcp-HTTP"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="action_on_reject"/>
|
|
<Option name="classify_str">1:10</Option>
|
|
<Option name="color">#C0BA44</Option>
|
|
<Option name="custom_str"/>
|
|
<Option name="ipf_route_opt_addr"/>
|
|
<Option name="ipf_route_opt_if"/>
|
|
<Option name="ipf_route_option">route_through</Option>
|
|
<Option name="ipfw_classify_method">2</Option>
|
|
<Option name="ipfw_pipe_port_num">0</Option>
|
|
<Option name="ipfw_pipe_queue_num">0</Option>
|
|
<Option name="ipt_continue">False</Option>
|
|
<Option name="ipt_gw"/>
|
|
<Option name="ipt_iif"/>
|
|
<Option name="ipt_mark_connections">False</Option>
|
|
<Option name="ipt_mark_prerouting">False</Option>
|
|
<Option name="ipt_oif"/>
|
|
<Option name="ipt_tee">False</Option>
|
|
<Option name="pf_fastroute">False</Option>
|
|
<Option name="pf_route_opt_addr"/>
|
|
<Option name="pf_route_opt_if"/>
|
|
<Option name="pf_route_option">route_through</Option>
|
|
<Option name="rule_name_accounting"/>
|
|
<Option name="stateless">True</Option>
|
|
<Option name="tagging">False</Option>
|
|
<Option name="classification">True</Option>
|
|
<Option name="routing">False</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<PolicyRule id="id459A875F19324" disabled="False" position="34" direction="Both" action="Accept" log="False" comment="Bug #1618381: this rule uses multiport (two services in Srv) and therefore has to be split when compiled" group="">
|
|
<Src neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="id41D0F023"/>
|
|
<ServiceRef ref="id3D4DE626"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="id43BB81799745"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="action_on_reject"/>
|
|
<Option name="classify_str">1:11</Option>
|
|
<Option name="color">#C0BA44</Option>
|
|
<Option name="custom_str"/>
|
|
<Option name="ipf_route_opt_addr"/>
|
|
<Option name="ipf_route_opt_if"/>
|
|
<Option name="ipf_route_option">route_through</Option>
|
|
<Option name="ipfw_classify_method">2</Option>
|
|
<Option name="ipfw_pipe_port_num">0</Option>
|
|
<Option name="ipfw_pipe_queue_num">0</Option>
|
|
<Option name="ipt_continue">False</Option>
|
|
<Option name="ipt_gw"/>
|
|
<Option name="ipt_iif"/>
|
|
<Option name="ipt_mark_connections">False</Option>
|
|
<Option name="ipt_mark_prerouting">False</Option>
|
|
<Option name="ipt_oif"/>
|
|
<Option name="ipt_tee">False</Option>
|
|
<Option name="pf_fastroute">False</Option>
|
|
<Option name="pf_route_opt_addr"/>
|
|
<Option name="pf_route_opt_if"/>
|
|
<Option name="pf_route_option">route_through</Option>
|
|
<Option name="rule_name_accounting"/>
|
|
<Option name="stateless">True</Option>
|
|
<Option name="tagging">False</Option>
|
|
<Option name="classification">True</Option>
|
|
<Option name="routing">False</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<PolicyRule id="id43F46B8A28368" disabled="False" group="" log="False" position="35" action="Custom" direction="Both" comment="Custom action: custom_str (-j TCPMSS --set-mss 1400) is emitted into the generated iptables rule as written, so review it like code. Srv is Any here; iptables only accepts the TCPMSS target on TCP rules with a SYN match, so verify the generated rule carries -p tcp --tcp-flags SYN,RST SYN or the policy will not load">
|
|
<Src neg="False">
|
|
<ObjectRef ref="net-Internal_net"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="action_on_reject"/>
|
|
<Option name="classify_str"/>
|
|
<Option name="color">#C0C0C0</Option>
|
|
<Option name="custom_str">-j TCPMSS --set-mss 1400</Option>
|
|
<Option name="ipfw_pipe_method">0</Option>
|
|
<Option name="ipfw_pipe_port_num">0</Option>
|
|
<Option name="rule_name_accounting"/>
|
|
<Option name="stateless">True</Option>
|
|
<Option name="tagvalue"/>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<PolicyRule id="id43495X28575" disabled="False" group="" log="True" position="36" action="Branch" direction="Both" comment="Branch (logged) to rule set 'mymark' (id29865X28575), whose rules only tag packets; ipt_branch_in_mangle is set for this branch">
|
|
<Src neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="action_on_reject"/>
|
|
<Option name="branch_id">id29865X28575</Option>
|
|
<Option name="classify_str"/>
|
|
<Option name="custom_str"/>
|
|
<Option name="ipf_route_opt_addr"/>
|
|
<Option name="ipf_route_opt_if"/>
|
|
<Option name="ipf_route_option">route_through</Option>
|
|
<Option name="ipfw_classify_method">2</Option>
|
|
<Option name="ipfw_pipe_port_num">0</Option>
|
|
<Option name="ipfw_pipe_queue_num">0</Option>
|
|
<Option name="ipt_branch_in_mangle">True</Option>
|
|
<Option name="ipt_continue">False</Option>
|
|
<Option name="ipt_gw"/>
|
|
<Option name="ipt_iif"/>
|
|
<Option name="ipt_mark_connections">False</Option>
|
|
<Option name="ipt_oif"/>
|
|
<Option name="ipt_tee">False</Option>
|
|
<Option name="pf_fastroute">False</Option>
|
|
<Option name="pf_route_load_option">none</Option>
|
|
<Option name="pf_route_opt_addr"/>
|
|
<Option name="pf_route_opt_if"/>
|
|
<Option name="pf_route_option">route_through</Option>
|
|
<Option name="rule_name_accounting"/>
|
|
<Option name="stateless">True</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<PolicyRule id="id43BB80A49745" disabled="False" group="" log="True" position="37" action="Deny" direction="Both" comment="Catch-all: deny and log everything not matched above (Src, Dst, Srv and Itf are all Any). Keep this as the last rule of the policy">
|
|
<Src neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="stateless">True</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<RuleSetOptions/>
|
|
</Policy>
|
|
<Policy id="id29865X28575" name="mymark" comment="" ro="False" ipv4_rule_set="False" ipv6_rule_set="False" top_rule_set="False">
|
|
<PolicyRule id="id29866X28575" disabled="False" position="0" direction="Both" action="Accept" log="False" comment="" group="">
|
|
<Src neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="id3B022266"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="action_on_reject"/>
|
|
<Option name="classify_str"/>
|
|
<Option name="custom_str"/>
|
|
<Option name="ipf_route_opt_addr"/>
|
|
<Option name="ipf_route_opt_if"/>
|
|
<Option name="ipf_route_option">route_through</Option>
|
|
<Option name="ipfw_classify_method">2</Option>
|
|
<Option name="ipfw_pipe_port_num">0</Option>
|
|
<Option name="ipfw_pipe_queue_num">0</Option>
|
|
<Option name="ipt_continue">False</Option>
|
|
<Option name="ipt_gw"/>
|
|
<Option name="ipt_iif"/>
|
|
<Option name="ipt_mark_connections">False</Option>
|
|
<Option name="ipt_oif"/>
|
|
<Option name="ipt_tee">False</Option>
|
|
<Option name="pf_fastroute">False</Option>
|
|
<Option name="pf_route_load_option">none</Option>
|
|
<Option name="pf_route_opt_addr"/>
|
|
<Option name="pf_route_opt_if"/>
|
|
<Option name="pf_route_option">route_through</Option>
|
|
<Option name="rule_name_accounting"/>
|
|
<Option name="stateless">False</Option>
|
|
<Option name="tagobject_id">id43EC877332486</Option>
|
|
<Option name="tagging">True</Option>
|
|
<Option name="classification">False</Option>
|
|
<Option name="routing">False</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<PolicyRule id="id29880X28575" disabled="False" position="1" direction="Both" action="Accept" log="False" comment="" group="">
|
|
<Src neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="action_on_reject"/>
|
|
<Option name="classify_str"/>
|
|
<Option name="custom_str"/>
|
|
<Option name="ipf_route_opt_addr"/>
|
|
<Option name="ipf_route_opt_if"/>
|
|
<Option name="ipf_route_option">route_through</Option>
|
|
<Option name="ipfw_classify_method">2</Option>
|
|
<Option name="ipfw_pipe_port_num">0</Option>
|
|
<Option name="ipfw_pipe_queue_num">0</Option>
|
|
<Option name="ipt_continue">False</Option>
|
|
<Option name="ipt_gw"/>
|
|
<Option name="ipt_iif"/>
|
|
<Option name="ipt_mark_connections">False</Option>
|
|
<Option name="ipt_oif"/>
|
|
<Option name="ipt_tee">False</Option>
|
|
<Option name="pf_fastroute">False</Option>
|
|
<Option name="pf_route_load_option">none</Option>
|
|
<Option name="pf_route_opt_addr"/>
|
|
<Option name="pf_route_opt_if"/>
|
|
<Option name="pf_route_option">route_through</Option>
|
|
<Option name="rule_name_accounting"/>
|
|
<Option name="stateless">False</Option>
|
|
<Option name="tagobject_id">id449328D924380</Option>
|
|
<Option name="tagging">True</Option>
|
|
<Option name="classification">False</Option>
|
|
<Option name="routing">False</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<RuleSetOptions/>
|
|
</Policy>
|
|
<Policy id="id39898X29169" name="mangle_rules" comment="" ro="False" ipv4_rule_set="False" ipv6_rule_set="False" top_rule_set="True">
|
|
<PolicyRule id="id39899X29169" disabled="False" group="" log="False" position="0" action="Accept" direction="Both" comment="">
|
|
<Src neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Dst>
|
|
<Srv neg="True">
|
|
<ServiceRef ref="id37422X26379"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="stateless">False</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<PolicyRule id="id56804X29169" disabled="False" position="1" direction="Both" action="Accept" log="False" comment="" group="">
|
|
<Src neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="tcp-HTTP"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="action_on_reject"/>
|
|
<Option name="classify_str"/>
|
|
<Option name="custom_str"/>
|
|
<Option name="ipf_route_opt_addr"/>
|
|
<Option name="ipf_route_opt_if"/>
|
|
<Option name="ipf_route_option">route_through</Option>
|
|
<Option name="ipfw_classify_method">2</Option>
|
|
<Option name="ipfw_pipe_port_num">0</Option>
|
|
<Option name="ipfw_pipe_queue_num">0</Option>
|
|
<Option name="ipt_continue">False</Option>
|
|
<Option name="ipt_gw"/>
|
|
<Option name="ipt_iif"/>
|
|
<Option name="ipt_mark_connections">True</Option>
|
|
<Option name="ipt_oif"/>
|
|
<Option name="ipt_tee">False</Option>
|
|
<Option name="pf_fastroute">False</Option>
|
|
<Option name="pf_route_load_option">none</Option>
|
|
<Option name="pf_route_opt_addr"/>
|
|
<Option name="pf_route_opt_if"/>
|
|
<Option name="pf_route_option">route_through</Option>
|
|
<Option name="rule_name_accounting"/>
|
|
<Option name="stateless">False</Option>
|
|
<Option name="tagobject_id">id449328D824380</Option>
|
|
<Option name="tagging">True</Option>
|
|
<Option name="classification">False</Option>
|
|
<Option name="routing">False</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<PolicyRule id="id56817X29169" disabled="False" position="2" direction="Both" action="Accept" log="False" comment="" group="">
|
|
<Src neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="id449328D824380"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="action_on_reject"/>
|
|
<Option name="classify_str">1:12</Option>
|
|
<Option name="custom_str"/>
|
|
<Option name="ipf_route_opt_addr"/>
|
|
<Option name="ipf_route_opt_if"/>
|
|
<Option name="ipf_route_option">route_through</Option>
|
|
<Option name="ipfw_classify_method">2</Option>
|
|
<Option name="ipfw_pipe_port_num">0</Option>
|
|
<Option name="ipfw_pipe_queue_num">0</Option>
|
|
<Option name="ipt_continue">False</Option>
|
|
<Option name="ipt_gw"/>
|
|
<Option name="ipt_iif"/>
|
|
<Option name="ipt_mark_connections">False</Option>
|
|
<Option name="ipt_oif"/>
|
|
<Option name="ipt_tee">False</Option>
|
|
<Option name="pf_fastroute">False</Option>
|
|
<Option name="pf_route_load_option">none</Option>
|
|
<Option name="pf_route_opt_addr"/>
|
|
<Option name="pf_route_opt_if"/>
|
|
<Option name="pf_route_option">route_through</Option>
|
|
<Option name="rule_name_accounting"/>
|
|
<Option name="stateless">True</Option>
|
|
<Option name="tagging">False</Option>
|
|
<Option name="classification">True</Option>
|
|
<Option name="routing">False</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<PolicyRule id="id37516X13558" disabled="False" group="" log="False" position="3" action="Accept" direction="Both" comment="">
|
|
<Src neg="False">
|
|
<ObjectRef ref="id48416A7216880"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="id449328D824380"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="action_on_reject"/>
|
|
<Option name="classify_str">1:12</Option>
|
|
<Option name="color"/>
|
|
<Option name="custom_str"/>
|
|
<Option name="ipf_route_opt_addr"/>
|
|
<Option name="ipf_route_opt_if"/>
|
|
<Option name="ipf_route_option">route_through</Option>
|
|
<Option name="ipfw_classify_method">2</Option>
|
|
<Option name="ipfw_pipe_port_num">0</Option>
|
|
<Option name="ipfw_pipe_queue_num">0</Option>
|
|
<Option name="ipt_continue">False</Option>
|
|
<Option name="ipt_gw"/>
|
|
<Option name="ipt_iif"/>
|
|
<Option name="ipt_mark_connections">False</Option>
|
|
<Option name="ipt_oif"/>
|
|
<Option name="ipt_tee">False</Option>
|
|
<Option name="pf_fastroute">False</Option>
|
|
<Option name="pf_route_load_option">none</Option>
|
|
<Option name="pf_route_opt_addr"/>
|
|
<Option name="pf_route_opt_if"/>
|
|
<Option name="pf_route_option">route_through</Option>
|
|
<Option name="rule_name_accounting"/>
|
|
<Option name="stateless">False</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<PolicyRule id="id88329X13558" disabled="False" group="" log="False" position="4" action="Accept" direction="Both" comment="">
|
|
<Src neg="False">
|
|
<ObjectRef ref="id30878X4903"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="id449328D824380"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="action_on_reject"/>
|
|
<Option name="classify_str">1:12</Option>
|
|
<Option name="color"/>
|
|
<Option name="custom_str"/>
|
|
<Option name="ipf_route_opt_addr"/>
|
|
<Option name="ipf_route_opt_if"/>
|
|
<Option name="ipf_route_option">route_through</Option>
|
|
<Option name="ipfw_classify_method">2</Option>
|
|
<Option name="ipfw_pipe_port_num">0</Option>
|
|
<Option name="ipfw_pipe_queue_num">0</Option>
|
|
<Option name="ipt_continue">False</Option>
|
|
<Option name="ipt_gw"/>
|
|
<Option name="ipt_iif"/>
|
|
<Option name="ipt_mark_connections">False</Option>
|
|
<Option name="ipt_oif"/>
|
|
<Option name="ipt_tee">False</Option>
|
|
<Option name="pf_fastroute">False</Option>
|
|
<Option name="pf_route_load_option">none</Option>
|
|
<Option name="pf_route_opt_addr"/>
|
|
<Option name="pf_route_opt_if"/>
|
|
<Option name="pf_route_option">route_through</Option>
|
|
<Option name="rule_name_accounting"/>
|
|
<Option name="stateless">False</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<PolicyRule id="id88346X13558" disabled="False" group="" log="False" position="5" action="Accept" direction="Both" comment="">
|
|
<Src neg="False">
|
|
<ObjectRef ref="id44749X4903"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="id449328D824380"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="action_on_reject"/>
|
|
<Option name="classify_str">1:12</Option>
|
|
<Option name="color"/>
|
|
<Option name="custom_str"/>
|
|
<Option name="ipf_route_opt_addr"/>
|
|
<Option name="ipf_route_opt_if"/>
|
|
<Option name="ipf_route_option">route_through</Option>
|
|
<Option name="ipfw_classify_method">2</Option>
|
|
<Option name="ipfw_pipe_port_num">0</Option>
|
|
<Option name="ipfw_pipe_queue_num">0</Option>
|
|
<Option name="ipt_continue">False</Option>
|
|
<Option name="ipt_gw"/>
|
|
<Option name="ipt_iif"/>
|
|
<Option name="ipt_mark_connections">False</Option>
|
|
<Option name="ipt_oif"/>
|
|
<Option name="ipt_tee">False</Option>
|
|
<Option name="pf_fastroute">False</Option>
|
|
<Option name="pf_route_load_option">none</Option>
|
|
<Option name="pf_route_opt_addr"/>
|
|
<Option name="pf_route_opt_if"/>
|
|
<Option name="pf_route_option">route_through</Option>
|
|
<Option name="rule_name_accounting"/>
|
|
<Option name="stateless">False</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<PolicyRule id="id122277X13558" disabled="False" group="" log="False" position="6" action="Accept" direction="Both" comment="">
|
|
<Src neg="False">
|
|
<ObjectRef ref="id47CBF5D129252"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="id449328D824380"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="action_on_reject"/>
|
|
<Option name="classify_str">1:12</Option>
|
|
<Option name="color"/>
|
|
<Option name="custom_str"/>
|
|
<Option name="ipf_route_opt_addr"/>
|
|
<Option name="ipf_route_opt_if"/>
|
|
<Option name="ipf_route_option">route_through</Option>
|
|
<Option name="ipfw_classify_method">2</Option>
|
|
<Option name="ipfw_pipe_port_num">0</Option>
|
|
<Option name="ipfw_pipe_queue_num">0</Option>
|
|
<Option name="ipt_continue">False</Option>
|
|
<Option name="ipt_gw"/>
|
|
<Option name="ipt_iif"/>
|
|
<Option name="ipt_mark_connections">False</Option>
|
|
<Option name="ipt_oif"/>
|
|
<Option name="ipt_tee">False</Option>
|
|
<Option name="pf_fastroute">False</Option>
|
|
<Option name="pf_route_load_option">none</Option>
|
|
<Option name="pf_route_opt_addr"/>
|
|
<Option name="pf_route_opt_if"/>
|
|
<Option name="pf_route_option">route_through</Option>
|
|
<Option name="rule_name_accounting"/>
|
|
<Option name="stateless">False</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<PolicyRule id="id139267X13558" disabled="False" group="" log="False" position="7" action="Accept" direction="Both" comment="">
|
|
<Src neg="False">
|
|
<ObjectRef ref="id3DE689FE"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="id449328D824380"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="action_on_reject"/>
|
|
<Option name="classify_str">1:12</Option>
|
|
<Option name="color"/>
|
|
<Option name="custom_str"/>
|
|
<Option name="ipf_route_opt_addr"/>
|
|
<Option name="ipf_route_opt_if"/>
|
|
<Option name="ipf_route_option">route_through</Option>
|
|
<Option name="ipfw_classify_method">2</Option>
|
|
<Option name="ipfw_pipe_port_num">0</Option>
|
|
<Option name="ipfw_pipe_queue_num">0</Option>
|
|
<Option name="ipt_continue">False</Option>
|
|
<Option name="ipt_gw"/>
|
|
<Option name="ipt_iif"/>
|
|
<Option name="ipt_mark_connections">False</Option>
|
|
<Option name="ipt_oif"/>
|
|
<Option name="ipt_tee">False</Option>
|
|
<Option name="pf_fastroute">False</Option>
|
|
<Option name="pf_route_load_option">none</Option>
|
|
<Option name="pf_route_opt_addr"/>
|
|
<Option name="pf_route_opt_if"/>
|
|
<Option name="pf_route_option">route_through</Option>
|
|
<Option name="rule_name_accounting"/>
|
|
<Option name="stateless">False</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<PolicyRule id="id190288X13558" disabled="False" group="" log="False" position="8" action="Accept" direction="Both" comment="">
|
|
<Src neg="False">
|
|
<ObjectRef ref="id43BB80919745"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="id449328D824380"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="action_on_reject"/>
|
|
<Option name="classify_str">1:12</Option>
|
|
<Option name="color"/>
|
|
<Option name="custom_str"/>
|
|
<Option name="ipf_route_opt_addr"/>
|
|
<Option name="ipf_route_opt_if"/>
|
|
<Option name="ipf_route_option">route_through</Option>
|
|
<Option name="ipfw_classify_method">2</Option>
|
|
<Option name="ipfw_pipe_port_num">0</Option>
|
|
<Option name="ipfw_pipe_queue_num">0</Option>
|
|
<Option name="ipt_continue">False</Option>
|
|
<Option name="ipt_gw"/>
|
|
<Option name="ipt_iif"/>
|
|
<Option name="ipt_mark_connections">False</Option>
|
|
<Option name="ipt_oif"/>
|
|
<Option name="ipt_tee">False</Option>
|
|
<Option name="pf_fastroute">False</Option>
|
|
<Option name="pf_route_load_option">none</Option>
|
|
<Option name="pf_route_opt_addr"/>
|
|
<Option name="pf_route_opt_if"/>
|
|
<Option name="pf_route_option">route_through</Option>
|
|
<Option name="rule_name_accounting"/>
|
|
<Option name="stateless">False</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<PolicyRule id="id156271X13558" disabled="False" group="" log="False" position="9" action="Accept" direction="Both" comment="">
|
|
<Src neg="False">
|
|
<ObjectRef ref="id43BB817C9745"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="id449328D824380"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="action_on_reject"/>
|
|
<Option name="classify_str">1:12</Option>
|
|
<Option name="color"/>
|
|
<Option name="custom_str"/>
|
|
<Option name="ipf_route_opt_addr"/>
|
|
<Option name="ipf_route_opt_if"/>
|
|
<Option name="ipf_route_option">route_through</Option>
|
|
<Option name="ipfw_classify_method">2</Option>
|
|
<Option name="ipfw_pipe_port_num">0</Option>
|
|
<Option name="ipfw_pipe_queue_num">0</Option>
|
|
<Option name="ipt_continue">False</Option>
|
|
<Option name="ipt_gw"/>
|
|
<Option name="ipt_iif"/>
|
|
<Option name="ipt_mark_connections">False</Option>
|
|
<Option name="ipt_oif"/>
|
|
<Option name="ipt_tee">False</Option>
|
|
<Option name="pf_fastroute">False</Option>
|
|
<Option name="pf_route_load_option">none</Option>
|
|
<Option name="pf_route_opt_addr"/>
|
|
<Option name="pf_route_opt_if"/>
|
|
<Option name="pf_route_option">route_through</Option>
|
|
<Option name="rule_name_accounting"/>
|
|
<Option name="stateless">False</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<PolicyRule id="id207332X13558" disabled="False" group="" log="False" position="10" action="Accept" direction="Both" comment="">
|
|
<Src neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="id43BB80919745"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="id449328D824380"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="action_on_reject"/>
|
|
<Option name="classify_str">1:12</Option>
|
|
<Option name="color"/>
|
|
<Option name="custom_str"/>
|
|
<Option name="ipf_route_opt_addr"/>
|
|
<Option name="ipf_route_opt_if"/>
|
|
<Option name="ipf_route_option">route_through</Option>
|
|
<Option name="ipfw_classify_method">2</Option>
|
|
<Option name="ipfw_pipe_port_num">0</Option>
|
|
<Option name="ipfw_pipe_queue_num">0</Option>
|
|
<Option name="ipt_continue">False</Option>
|
|
<Option name="ipt_gw"/>
|
|
<Option name="ipt_iif"/>
|
|
<Option name="ipt_mark_connections">False</Option>
|
|
<Option name="ipt_oif"/>
|
|
<Option name="ipt_tee">False</Option>
|
|
<Option name="pf_fastroute">False</Option>
|
|
<Option name="pf_route_load_option">none</Option>
|
|
<Option name="pf_route_opt_addr"/>
|
|
<Option name="pf_route_opt_if"/>
|
|
<Option name="pf_route_option">route_through</Option>
|
|
<Option name="rule_name_accounting"/>
|
|
<Option name="stateless">False</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<PolicyRule id="id224390X13558" disabled="False" group="" log="False" position="11" action="Accept" direction="Inbound" comment="">
|
|
<Src neg="True">
|
|
<ObjectRef ref="net-Internal_net"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="id449328D824380"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="action_on_reject"/>
|
|
<Option name="classify_str">1:12</Option>
|
|
<Option name="color"/>
|
|
<Option name="custom_str"/>
|
|
<Option name="ipf_route_opt_addr"/>
|
|
<Option name="ipf_route_opt_if"/>
|
|
<Option name="ipf_route_option">route_through</Option>
|
|
<Option name="ipfw_classify_method">2</Option>
|
|
<Option name="ipfw_pipe_port_num">0</Option>
|
|
<Option name="ipfw_pipe_queue_num">0</Option>
|
|
<Option name="ipt_continue">False</Option>
|
|
<Option name="ipt_gw"/>
|
|
<Option name="ipt_iif"/>
|
|
<Option name="ipt_mark_connections">False</Option>
|
|
<Option name="ipt_oif"/>
|
|
<Option name="ipt_tee">False</Option>
|
|
<Option name="pf_fastroute">False</Option>
|
|
<Option name="pf_route_load_option">none</Option>
|
|
<Option name="pf_route_opt_addr"/>
|
|
<Option name="pf_route_opt_if"/>
|
|
<Option name="pf_route_option">route_through</Option>
|
|
<Option name="rule_name_accounting"/>
|
|
<Option name="stateless">False</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<PolicyRule id="id258515X13558" disabled="False" group="" log="False" position="12" action="Accept" direction="Inbound" comment="">
|
|
<Src neg="True">
|
|
<ObjectRef ref="id44F7082928576"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="id449328D824380"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="action_on_reject"/>
|
|
<Option name="classify_str">1:12</Option>
|
|
<Option name="color"/>
|
|
<Option name="custom_str"/>
|
|
<Option name="ipf_route_opt_addr"/>
|
|
<Option name="ipf_route_opt_if"/>
|
|
<Option name="ipf_route_option">route_through</Option>
|
|
<Option name="ipfw_classify_method">2</Option>
|
|
<Option name="ipfw_pipe_port_num">0</Option>
|
|
<Option name="ipfw_pipe_queue_num">0</Option>
|
|
<Option name="ipt_continue">False</Option>
|
|
<Option name="ipt_gw"/>
|
|
<Option name="ipt_iif"/>
|
|
<Option name="ipt_mark_connections">False</Option>
|
|
<Option name="ipt_oif"/>
|
|
<Option name="ipt_tee">False</Option>
|
|
<Option name="pf_fastroute">False</Option>
|
|
<Option name="pf_route_load_option">none</Option>
|
|
<Option name="pf_route_opt_addr"/>
|
|
<Option name="pf_route_opt_if"/>
|
|
<Option name="pf_route_option">route_through</Option>
|
|
<Option name="rule_name_accounting"/>
|
|
<Option name="stateless">False</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<PolicyRule id="id480281X13558" disabled="False" group="" log="False" position="13" action="Accept" direction="Inbound" comment="">
|
|
<Src neg="True">
|
|
<ObjectRef ref="id30878X4903"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="id449328D824380"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="action_on_reject"/>
|
|
<Option name="classify_str">1:12</Option>
|
|
<Option name="color"/>
|
|
<Option name="custom_str"/>
|
|
<Option name="ipf_route_opt_addr"/>
|
|
<Option name="ipf_route_opt_if"/>
|
|
<Option name="ipf_route_option">route_through</Option>
|
|
<Option name="ipfw_classify_method">2</Option>
|
|
<Option name="ipfw_pipe_port_num">0</Option>
|
|
<Option name="ipfw_pipe_queue_num">0</Option>
|
|
<Option name="ipt_continue">False</Option>
|
|
<Option name="ipt_gw"/>
|
|
<Option name="ipt_iif"/>
|
|
<Option name="ipt_mark_connections">False</Option>
|
|
<Option name="ipt_oif"/>
|
|
<Option name="ipt_tee">False</Option>
|
|
<Option name="pf_fastroute">False</Option>
|
|
<Option name="pf_route_load_option">none</Option>
|
|
<Option name="pf_route_opt_addr"/>
|
|
<Option name="pf_route_opt_if"/>
|
|
<Option name="pf_route_option">route_through</Option>
|
|
<Option name="rule_name_accounting"/>
|
|
<Option name="stateless">False</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<PolicyRule id="id480300X13558" disabled="False" group="" log="False" position="14" action="Accept" direction="Inbound" comment="">
|
|
<Src neg="True">
|
|
<ObjectRef ref="id44749X4903"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="id449328D824380"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="action_on_reject"/>
|
|
<Option name="classify_str">1:12</Option>
|
|
<Option name="color"/>
|
|
<Option name="custom_str"/>
|
|
<Option name="ipf_route_opt_addr"/>
|
|
<Option name="ipf_route_opt_if"/>
|
|
<Option name="ipf_route_option">route_through</Option>
|
|
<Option name="ipfw_classify_method">2</Option>
|
|
<Option name="ipfw_pipe_port_num">0</Option>
|
|
<Option name="ipfw_pipe_queue_num">0</Option>
|
|
<Option name="ipt_continue">False</Option>
|
|
<Option name="ipt_gw"/>
|
|
<Option name="ipt_iif"/>
|
|
<Option name="ipt_mark_connections">False</Option>
|
|
<Option name="ipt_oif"/>
|
|
<Option name="ipt_tee">False</Option>
|
|
<Option name="pf_fastroute">False</Option>
|
|
<Option name="pf_route_load_option">none</Option>
|
|
<Option name="pf_route_opt_addr"/>
|
|
<Option name="pf_route_opt_if"/>
|
|
<Option name="pf_route_option">route_through</Option>
|
|
<Option name="rule_name_accounting"/>
|
|
<Option name="stateless">False</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<PolicyRule id="id43052X80179" disabled="False" group="" log="False" position="15" action="Accept" direction="Outbound" comment="Rules in a mangle-only ruleset with action Accept normally go to PREROUTING, but if direction is set to Outbound they go to POSTROUTING. This is just a convention, since there is no better criterion for telling the compiler that such a rule should be placed in POSTROUTING.">
|
|
<Src neg="False">
|
|
<ObjectRef ref="id47CBF5D129252"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="id449328D824380"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="stateless">False</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<RuleSetOptions>
|
|
<Option name="mangle_only_rule_set">
|
|
True
|
|
</Option>
|
|
</RuleSetOptions>
|
|
</Policy>
|
|
<Routing id="id43BB81789745" name="Routing" comment="" ro="False" ipv4_rule_set="False" ipv6_rule_set="False" top_rule_set="True">
|
|
<RuleSetOptions/>
|
|
</Routing>
|
|
<Interface id="id43BB81799745" dedicated_failover="False" dyn="False" label="" mgmt="True" security_level="100" unnum="False" unprotected="False" name="eth0" comment="" ro="False">
|
|
<IPv4 id="id43BB817B9745" name="firewall37:eth0:ip" comment="" ro="False" address="192.168.1.22" netmask="255.255.255.0"/>
|
|
<InterfaceOptions/>
|
|
</Interface>
|
|
<Interface id="id43BB817C9745" dedicated_failover="False" dyn="False" label="eth1(outside)" mgmt="False" security_level="0" unnum="False" unprotected="False" name="eth1" comment="" ro="False">
|
|
<IPv4 id="id43BB817E9745" name="firewall37:eth1:ip" comment="" ro="False" address="22.22.23.22" netmask="255.255.255.0"/>
|
|
<InterfaceOptions/>
|
|
</Interface>
|
|
<Interface id="id43BB817F9745" dedicated_failover="False" dyn="False" label="eth2(dmz)" mgmt="False" security_level="0" unnum="False" unprotected="False" name="eth2" comment="" ro="False">
|
|
<IPv4 id="id43BB81819745" name="firewall37:eth2:ip" comment="this interface is on the subnet that overlaps with eth1" ro="False" address="192.168.2.1" netmask="255.255.255.0"/>
|
|
<InterfaceOptions/>
|
|
</Interface>
|
|
<Management address="192.168.1.22">
|
|
<SNMPManagement enabled="False" snmp_read_community="" snmp_write_community=""/>
|
|
<FWBDManagement enabled="True" identity="" port="9999"/>
|
|
<PolicyInstallScript arguments="" command="" enabled="False"/>
|
|
</Management>
|
|
<FirewallOptions>
|
|
<Option name="accept_established">True</Option>
|
|
<Option name="accept_new_tcp_with_no_syn">True</Option>
|
|
<Option name="action_on_reject">ICMP host prohibited</Option>
|
|
<Option name="activationCmd"/>
|
|
<Option name="admUser"/>
|
|
<Option name="altAddress"/>
|
|
<Option name="bridging_fw">False</Option>
|
|
<Option name="check_shading">False</Option>
|
|
<Option name="clamp_mss_to_mtu">False</Option>
|
|
<Option name="classify_mark_terminating">True</Option>
|
|
<Option name="cmdline"/>
|
|
<Option name="compiler"/>
|
|
<Option name="configure_interfaces">True</Option>
|
|
<Option name="debug">False</Option>
|
|
<Option name="drop_invalid">False</Option>
|
|
<Option name="epilog_script"/>
|
|
<Option name="firewall_dir"/>
|
|
<Option name="firewall_is_part_of_any_and_networks">True</Option>
|
|
<Option name="ignore_empty_groups">True</Option>
|
|
<Option name="ipt_mangle_only_rulesets"> mangle_rules</Option>
|
|
<Option name="ipv4_6_order">ipv4_first</Option>
|
|
<Option name="limit_suffix"/>
|
|
<Option name="limit_value">0</Option>
|
|
<Option name="linux24_accept_redirects"/>
|
|
<Option name="linux24_accept_source_route"/>
|
|
<Option name="linux24_icmp_echo_ignore_all"/>
|
|
<Option name="linux24_icmp_echo_ignore_broadcasts"/>
|
|
<Option name="linux24_icmp_ignore_bogus_error_responses"/>
|
|
<Option name="linux24_ip_dynaddr"/>
|
|
<Option name="linux24_ip_forward"/>
|
|
<Option name="linux24_log_martians"/>
|
|
<Option name="linux24_path_ip"/>
|
|
<Option name="linux24_path_iptables"/>
|
|
<Option name="linux24_path_logger"/>
|
|
<Option name="linux24_path_lsmod"/>
|
|
<Option name="linux24_path_modprobe"/>
|
|
<Option name="linux24_rp_filter"/>
|
|
<Option name="linux24_tcp_ecn"/>
|
|
<Option name="linux24_tcp_fack"/>
|
|
<Option name="linux24_tcp_fin_timeout">30</Option>
|
|
<Option name="linux24_tcp_keepalive_interval">1800</Option>
|
|
<Option name="linux24_tcp_sack"/>
|
|
<Option name="linux24_tcp_syncookies"/>
|
|
<Option name="linux24_tcp_timestamps"/>
|
|
<Option name="linux24_tcp_window_scaling"/>
|
|
<Option name="load_modules">True</Option>
|
|
<Option name="local_nat">True</Option>
|
|
<Option name="log_all">False</Option>
|
|
<Option name="log_all_dropped">False</Option>
|
|
<Option name="log_invalid">False</Option>
|
|
<Option name="log_ip_opt">False</Option>
|
|
<Option name="log_level">info</Option>
|
|
<Option name="log_prefix">RULE %N -- %A </Option>
|
|
<Option name="log_tcp_opt">False</Option>
|
|
<Option name="log_tcp_seq">False</Option>
|
|
<Option name="manage_virtual_addr">True</Option>
|
|
<Option name="mgmt_addr"/>
|
|
<Option name="mgmt_ssh">False</Option>
|
|
<Option name="no_ipv6_default_policy">False</Option>
|
|
<Option name="no_optimisation">False</Option>
|
|
<Option name="output_file"/>
|
|
<Option name="prolog_place">top</Option>
|
|
<Option name="prolog_script"/>
|
|
<Option name="snmp_contact"/>
|
|
<Option name="snmp_description"/>
|
|
<Option name="snmp_location"/>
|
|
<Option name="sshArgs"/>
|
|
<Option name="ulog_cprange">0</Option>
|
|
<Option name="ulog_nlgroup">1</Option>
|
|
<Option name="ulog_qthreshold">1</Option>
|
|
<Option name="use_ULOG">False</Option>
|
|
<Option name="use_iptables_restore">False</Option>
|
|
<Option name="use_numeric_log_levels">False</Option>
|
|
<Option name="verify_interfaces">False</Option>
|
|
</FirewallOptions>
|
|
</Firewall>
|
|
<Firewall id="id43BBF18E9745" host_OS="linux24" inactive="False" lastCompiled="1272404487" lastInstalled="1142003872" lastModified="1263410373" platform="iptables" version="1.3.0" name="firewall38" comment="testing TAG rules using iptables-restore " ro="False">
|
|
<NAT id="id43BBF1E99745" name="NAT" comment="" ro="False" ipv4_rule_set="False" ipv6_rule_set="False" top_rule_set="True">
|
|
<NATRule id="id43BBF1EA9745" disabled="False" group="" position="0" action="Translate" comment="">
|
|
<OSrc neg="False">
|
|
<ObjectRef ref="id43BBF18E9745"/>
|
|
<ObjectRef ref="net-Internal_net"/>
|
|
</OSrc>
|
|
<ODst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ODst>
|
|
<OSrv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</OSrv>
|
|
<TSrc neg="False">
|
|
<ObjectRef ref="id43BBF1FD9745"/>
|
|
</TSrc>
|
|
<TDst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</TDst>
|
|
<TSrv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</TSrv>
|
|
<ItfInb neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ItfInb>
|
|
<ItfOutb neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ItfOutb>
|
|
<NATRuleOptions/>
|
|
</NATRule>
|
|
<NATRule id="id43EC8B962279" disabled="False" group="" position="1" action="Translate" comment="">
|
|
<OSrc neg="False">
|
|
<ObjectRef ref="net-Internal_net"/>
|
|
</OSrc>
|
|
<ODst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ODst>
|
|
<OSrv neg="False">
|
|
<ServiceRef ref="id43EC877332486"/>
|
|
</OSrv>
|
|
<TSrc neg="False">
|
|
<ObjectRef ref="id43BBF1FD9745"/>
|
|
</TSrc>
|
|
<TDst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</TDst>
|
|
<TSrv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</TSrv>
|
|
<ItfInb neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ItfInb>
|
|
<ItfOutb neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ItfOutb>
|
|
<NATRuleOptions/>
|
|
</NATRule>
|
|
<RuleSetOptions/>
|
|
</NAT>
|
|
<Policy id="id43BBF1949745" name="Policy" comment="" ro="False" ipv4_rule_set="False" ipv6_rule_set="False" top_rule_set="True">
|
|
<PolicyRule id="id43BBF1959745" disabled="False" position="0" direction="Both" action="Continue" log="False" comment="" group="">
|
|
<Src neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="id3CB1279B"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="action_on_reject"/>
|
|
<Option name="rule_name_accounting"/>
|
|
<Option name="tagobject_id">id43EC877332486</Option>
|
|
<Option name="tagging">True</Option>
|
|
<Option name="classification">False</Option>
|
|
<Option name="routing">False</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<PolicyRule id="id43BBF1A19745" disabled="False" position="1" direction="Both" action="Continue" log="True" comment="" group="">
|
|
<Src neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="id3CB1279B"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="action_on_reject"/>
|
|
<Option name="rule_name_accounting"/>
|
|
<Option name="tagobject_id">id43EC877332486</Option>
|
|
<Option name="tagging">True</Option>
|
|
<Option name="classification">False</Option>
|
|
<Option name="routing">False</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<PolicyRule id="id43BBF1AD9745" disabled="False" position="2" direction="Both" action="Continue" log="True" comment="" group="">
|
|
<Src neg="True">
|
|
<ObjectRef ref="net-Internal_net"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="id3CB1279B"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="action_on_reject"/>
|
|
<Option name="rule_name_accounting"/>
|
|
<Option name="tagobject_id">id43EC877332486</Option>
|
|
<Option name="tagging">True</Option>
|
|
<Option name="classification">False</Option>
|
|
<Option name="routing">False</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<PolicyRule id="id43BBF1B99745" disabled="False" position="3" direction="Inbound" action="Continue" log="False" comment="" group="">
|
|
<Src neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="id3CB1279B"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="id43BBF1FD9745"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="action_on_reject"/>
|
|
<Option name="rule_name_accounting"/>
|
|
<Option name="tagobject_id">id43EC877332486</Option>
|
|
<Option name="tagging">True</Option>
|
|
<Option name="classification">False</Option>
|
|
<Option name="routing">False</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<PolicyRule id="id462DEFE630547" disabled="False" position="4" direction="Both" action="Continue" log="False" comment="rule comment: rule 4" group="">
|
|
<Src neg="False">
|
|
<ObjectRef ref="id43BBF18E9745"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="tcp-HTTP"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="action_on_reject"/>
|
|
<Option name="classify_str"/>
|
|
<Option name="custom_str"/>
|
|
<Option name="ipf_route_opt_addr"/>
|
|
<Option name="ipf_route_opt_if"/>
|
|
<Option name="ipf_route_option">route_through</Option>
|
|
<Option name="ipfw_classify_method">2</Option>
|
|
<Option name="ipfw_pipe_port_num">0</Option>
|
|
<Option name="ipfw_pipe_queue_num">0</Option>
|
|
<Option name="ipt_continue">False</Option>
|
|
<Option name="ipt_gw"/>
|
|
<Option name="ipt_iif"/>
|
|
<Option name="ipt_mark_connections">False</Option>
|
|
<Option name="ipt_mark_prerouting">False</Option>
|
|
<Option name="ipt_oif"/>
|
|
<Option name="ipt_tee">False</Option>
|
|
<Option name="pf_fastroute">False</Option>
|
|
<Option name="pf_route_opt_addr"/>
|
|
<Option name="pf_route_opt_if"/>
|
|
<Option name="pf_route_option">route_through</Option>
|
|
<Option name="rule_name_accounting"/>
|
|
<Option name="tagobject_id">id449328D924380</Option>
|
|
<Option name="tagging">True</Option>
|
|
<Option name="classification">False</Option>
|
|
<Option name="routing">False</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<PolicyRule id="id462E1E0230547" disabled="False" position="5" direction="Both" action="Continue" log="True" comment="" group="">
|
|
<Src neg="False">
|
|
<ObjectRef ref="id43BBF1FD9745"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="tcp-HTTP"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="action_on_reject"/>
|
|
<Option name="classify_str"/>
|
|
<Option name="custom_str"/>
|
|
<Option name="ipf_route_opt_addr"/>
|
|
<Option name="ipf_route_opt_if"/>
|
|
<Option name="ipf_route_option">route_through</Option>
|
|
<Option name="ipfw_classify_method">2</Option>
|
|
<Option name="ipfw_pipe_port_num">0</Option>
|
|
<Option name="ipfw_pipe_queue_num">0</Option>
|
|
<Option name="ipt_continue">False</Option>
|
|
<Option name="ipt_gw"/>
|
|
<Option name="ipt_iif"/>
|
|
<Option name="ipt_mark_connections">False</Option>
|
|
<Option name="ipt_mark_prerouting">False</Option>
|
|
<Option name="ipt_oif"/>
|
|
<Option name="ipt_tee">False</Option>
|
|
<Option name="pf_fastroute">False</Option>
|
|
<Option name="pf_route_opt_addr"/>
|
|
<Option name="pf_route_opt_if"/>
|
|
<Option name="pf_route_option">route_through</Option>
|
|
<Option name="rule_name_accounting"/>
|
|
<Option name="tagobject_id">id449328D924380</Option>
|
|
<Option name="tagging">True</Option>
|
|
<Option name="classification">False</Option>
|
|
<Option name="routing">False</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<PolicyRule id="id462E4C2A30547" disabled="False" position="6" direction="Outbound" action="Continue" log="False" comment="" group="">
|
|
<Src neg="False">
|
|
<ObjectRef ref="id43BBF1FD9745"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="tcp-HTTP"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="id43BBF1FD9745"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="action_on_reject"/>
|
|
<Option name="classify_str"/>
|
|
<Option name="custom_str"/>
|
|
<Option name="ipf_route_opt_addr"/>
|
|
<Option name="ipf_route_opt_if"/>
|
|
<Option name="ipf_route_option">route_through</Option>
|
|
<Option name="ipfw_classify_method">2</Option>
|
|
<Option name="ipfw_pipe_port_num">0</Option>
|
|
<Option name="ipfw_pipe_queue_num">0</Option>
|
|
<Option name="ipt_continue">False</Option>
|
|
<Option name="ipt_gw"/>
|
|
<Option name="ipt_iif"/>
|
|
<Option name="ipt_mark_connections">False</Option>
|
|
<Option name="ipt_mark_prerouting">False</Option>
|
|
<Option name="ipt_oif"/>
|
|
<Option name="ipt_tee">False</Option>
|
|
<Option name="pf_fastroute">False</Option>
|
|
<Option name="pf_route_opt_addr"/>
|
|
<Option name="pf_route_opt_if"/>
|
|
<Option name="pf_route_option">route_through</Option>
|
|
<Option name="rule_name_accounting"/>
|
|
<Option name="tagobject_id">id449328D924380</Option>
|
|
<Option name="tagging">True</Option>
|
|
<Option name="classification">False</Option>
|
|
<Option name="routing">False</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<PolicyRule id="id462E4C3B30547" disabled="False" position="7" direction="Inbound" action="Continue" log="False" comment="" group="">
|
|
<Src neg="False">
|
|
<ObjectRef ref="id43BBF1FD9745"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="tcp-HTTP"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="id43BBF1FD9745"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="action_on_reject"/>
|
|
<Option name="classify_str"/>
|
|
<Option name="custom_str"/>
|
|
<Option name="ipf_route_opt_addr"/>
|
|
<Option name="ipf_route_opt_if"/>
|
|
<Option name="ipf_route_option">route_through</Option>
|
|
<Option name="ipfw_classify_method">2</Option>
|
|
<Option name="ipfw_pipe_port_num">0</Option>
|
|
<Option name="ipfw_pipe_queue_num">0</Option>
|
|
<Option name="ipt_continue">False</Option>
|
|
<Option name="ipt_gw"/>
|
|
<Option name="ipt_iif"/>
|
|
<Option name="ipt_mark_connections">False</Option>
|
|
<Option name="ipt_mark_prerouting">False</Option>
|
|
<Option name="ipt_oif"/>
|
|
<Option name="ipt_tee">False</Option>
|
|
<Option name="pf_fastroute">False</Option>
|
|
<Option name="pf_route_opt_addr"/>
|
|
<Option name="pf_route_opt_if"/>
|
|
<Option name="pf_route_option">route_through</Option>
|
|
<Option name="rule_name_accounting"/>
|
|
<Option name="tagobject_id">id449328D924380</Option>
|
|
<Option name="tagging">True</Option>
|
|
<Option name="classification">False</Option>
|
|
<Option name="routing">False</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<PolicyRule id="id462EA8B230547" disabled="False" position="8" direction="Outbound" action="Continue" log="False" comment="" group="">
|
|
<Src neg="True">
|
|
<ObjectRef ref="id43BBF1FD9745"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="tcp-HTTP"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="id43BBF1FD9745"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="action_on_reject"/>
|
|
<Option name="classify_str"/>
|
|
<Option name="custom_str"/>
|
|
<Option name="ipf_route_opt_addr"/>
|
|
<Option name="ipf_route_opt_if"/>
|
|
<Option name="ipf_route_option">route_through</Option>
|
|
<Option name="ipfw_classify_method">2</Option>
|
|
<Option name="ipfw_pipe_port_num">0</Option>
|
|
<Option name="ipfw_pipe_queue_num">0</Option>
|
|
<Option name="ipt_continue">False</Option>
|
|
<Option name="ipt_gw"/>
|
|
<Option name="ipt_iif"/>
|
|
<Option name="ipt_mark_connections">False</Option>
|
|
<Option name="ipt_mark_prerouting">False</Option>
|
|
<Option name="ipt_oif"/>
|
|
<Option name="ipt_tee">False</Option>
|
|
<Option name="pf_fastroute">False</Option>
|
|
<Option name="pf_route_opt_addr"/>
|
|
<Option name="pf_route_opt_if"/>
|
|
<Option name="pf_route_option">route_through</Option>
|
|
<Option name="rule_name_accounting"/>
|
|
<Option name="tagobject_id">id449328D924380</Option>
|
|
<Option name="tagging">True</Option>
|
|
<Option name="classification">False</Option>
|
|
<Option name="routing">False</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<PolicyRule id="id43EC876732486" disabled="False" group="" log="False" position="9" action="Accept" direction="Both" comment="">
|
|
<Src neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="id43EC877332486"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions/>
|
|
</PolicyRule>
|
|
<PolicyRule id="id43EC878C32486" disabled="False" group="" log="False" position="10" action="Accept" direction="Both" comment="">
|
|
<Src neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Dst>
|
|
<Srv neg="True">
|
|
<ServiceRef ref="id43EC877332486"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions/>
|
|
</PolicyRule>
|
|
<PolicyRule id="id43EC879D32486" disabled="False" group="" log="False" position="11" action="Accept" direction="Both" comment="">
|
|
<Src neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="id43EC877332486"/>
|
|
<ServiceRef ref="tcp-HTTP"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions/>
|
|
</PolicyRule>
|
|
<PolicyRule id="id43EC87C832486" disabled="False" group="" log="False" position="12" action="Accept" direction="Both" comment="">
|
|
<Src neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Dst>
|
|
<Srv neg="True">
|
|
<ServiceRef ref="id43EC877332486"/>
|
|
<ServiceRef ref="tcp-HTTP"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions/>
|
|
</PolicyRule>
|
|
<PolicyRule id="id43BBF1C59745" disabled="False" group="" log="False" position="13" action="Pipe" direction="Both" comment="">
|
|
<Src neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="id3D151943"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="tcp-HTTP"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="stateless">True</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<PolicyRule id="id43BBF1D19745" disabled="False" group="" log="False" position="14" action="Accept" direction="Both" comment="">
|
|
<Src neg="False">
|
|
<ObjectRef ref="net-Internal_net"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions/>
|
|
</PolicyRule>
|
|
<PolicyRule id="id43BBF1DD9745" disabled="False" group="" log="True" position="15" action="Deny" direction="Both" comment="">
|
|
<Src neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="stateless">True</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<RuleSetOptions/>
|
|
</Policy>
|
|
<Routing id="id43BBF1F99745" name="Routing" comment="" ro="False" ipv4_rule_set="False" ipv6_rule_set="False" top_rule_set="True">
|
|
<RuleSetOptions/>
|
|
</Routing>
|
|
<Interface id="id43BBF1FA9745" dedicated_failover="False" dyn="False" label="" mgmt="True" security_level="100" unnum="False" unprotected="False" name="eth0" comment="" ro="False">
|
|
<IPv4 id="id43BBF1FC9745" name="firewall38:eth0:ip" comment="" ro="False" address="192.168.1.22" netmask="255.255.255.0"/>
|
|
<InterfaceOptions/>
|
|
</Interface>
|
|
<Interface id="id43BBF1FD9745" dedicated_failover="False" dyn="False" label="eth1(outside)" mgmt="False" security_level="0" unnum="False" unprotected="False" name="eth1" comment="" ro="False">
|
|
<IPv4 id="id43BBF1FF9745" name="firewall38:eth1:ip" comment="" ro="False" address="22.22.23.22" netmask="255.255.255.0"/>
|
|
<InterfaceOptions/>
|
|
</Interface>
|
|
<Interface id="id43BBF2009745" dedicated_failover="False" dyn="False" label="eth2(dmz)" mgmt="False" security_level="0" unnum="False" unprotected="False" name="eth2" comment="" ro="False">
|
|
<IPv4 id="id43BBF2029745" name="firewall38:eth2:ip" comment="this interface is on the subnet that overlaps with eth1" ro="False" address="192.168.2.1" netmask="255.255.255.0"/>
|
|
<InterfaceOptions/>
|
|
</Interface>
|
|
<Management address="192.168.1.22">
|
|
<SNMPManagement enabled="False" snmp_read_community="" snmp_write_community=""/>
|
|
<FWBDManagement enabled="True" identity="" port="9999"/>
|
|
<PolicyInstallScript arguments="" command="" enabled="False"/>
|
|
</Management>
|
|
<FirewallOptions>
|
|
<Option name="accept_established">True</Option>
|
|
<Option name="accept_new_tcp_with_no_syn">True</Option>
|
|
<Option name="action_on_reject">ICMP host prohibited</Option>
|
|
<Option name="activationCmd"/>
|
|
<Option name="admUser"/>
|
|
<Option name="altAddress"/>
|
|
<Option name="bridging_fw">False</Option>
|
|
<Option name="check_shading">False</Option>
|
|
<Option name="clamp_mss_to_mtu">True</Option>
|
|
<Option name="classify_mark_terminating">False</Option>
|
|
<Option name="cmdline"/>
|
|
<Option name="compiler"/>
|
|
<Option name="configure_interfaces">True</Option>
|
|
<Option name="debug">False</Option>
|
|
<Option name="drop_invalid">False</Option>
|
|
<Option name="enable_ipv6">False</Option>
|
|
<Option name="epilog_script"/>
|
|
<Option name="firewall_dir"/>
|
|
<Option name="firewall_is_part_of_any_and_networks">True</Option>
|
|
<Option name="ignore_empty_groups">True</Option>
|
|
<Option name="ipv4_6_order">ipv4_first</Option>
|
|
<Option name="limit_suffix"/>
|
|
<Option name="limit_value">0</Option>
|
|
<Option name="linux24_accept_redirects"/>
|
|
<Option name="linux24_accept_source_route"/>
|
|
<Option name="linux24_icmp_echo_ignore_all"/>
|
|
<Option name="linux24_icmp_echo_ignore_broadcasts"/>
|
|
<Option name="linux24_icmp_ignore_bogus_error_responses"/>
|
|
<Option name="linux24_ip_dynaddr"/>
|
|
<Option name="linux24_ip_forward"/>
|
|
<Option name="linux24_log_martians"/>
|
|
<Option name="linux24_path_ip"/>
|
|
<Option name="linux24_path_iptables"/>
|
|
<Option name="linux24_path_logger"/>
|
|
<Option name="linux24_path_lsmod"/>
|
|
<Option name="linux24_path_modprobe"/>
|
|
<Option name="linux24_rp_filter"/>
|
|
<Option name="linux24_tcp_ecn"/>
|
|
<Option name="linux24_tcp_fack"/>
|
|
<Option name="linux24_tcp_fin_timeout">30</Option>
|
|
<Option name="linux24_tcp_keepalive_interval">1800</Option>
|
|
<Option name="linux24_tcp_sack"/>
|
|
<Option name="linux24_tcp_syncookies"/>
|
|
<Option name="linux24_tcp_timestamps"/>
|
|
<Option name="linux24_tcp_window_scaling"/>
|
|
<Option name="load_modules">True</Option>
|
|
<Option name="local_nat">True</Option>
|
|
<Option name="log_all">False</Option>
|
|
<Option name="log_all_dropped">False</Option>
|
|
<Option name="log_invalid">False</Option>
|
|
<Option name="log_ip_opt">False</Option>
|
|
<Option name="log_level">info</Option>
|
|
<Option name="log_prefix">RULE %N -- %A </Option>
|
|
<Option name="log_tcp_opt">False</Option>
|
|
<Option name="log_tcp_seq">False</Option>
|
|
<Option name="manage_virtual_addr">True</Option>
|
|
<Option name="mgmt_addr"/>
|
|
<Option name="mgmt_ssh">False</Option>
|
|
<Option name="no_ipv6_default_policy">False</Option>
|
|
<Option name="no_optimisation">False</Option>
|
|
<Option name="output_file"/>
|
|
<Option name="prolog_place">top</Option>
|
|
<Option name="prolog_script"/>
|
|
<Option name="snmp_contact"/>
|
|
<Option name="snmp_description"/>
|
|
<Option name="snmp_location"/>
|
|
<Option name="sshArgs"/>
|
|
<Option name="ulog_cprange">0</Option>
|
|
<Option name="ulog_nlgroup">1</Option>
|
|
<Option name="ulog_qthreshold">1</Option>
|
|
<Option name="use_ULOG">False</Option>
|
|
<Option name="use_iptables_restore">True</Option>
|
|
<Option name="use_numeric_log_levels">False</Option>
|
|
<Option name="verify_interfaces">False</Option>
|
|
</FirewallOptions>
|
|
</Firewall>
|
|
<Firewall id="id440C055614846" host_OS="linux24" inactive="False" lastCompiled="1272404372" lastInstalled="1142003872" lastModified="1265839725" platform="iptables" version="1.3.0" name="firewall23-1" comment=" This is a BRIDGING FIREWALL. Testing module physdev " ro="False">
|
|
<NAT id="id440C062B14846" name="NAT" comment="" ro="False" ipv4_rule_set="False" ipv6_rule_set="False" top_rule_set="True">
|
|
<RuleSetOptions/>
|
|
</NAT>
|
|
<Policy id="id440C055C14846" name="Policy" comment="" ro="False" ipv4_rule_set="False" ipv6_rule_set="False" top_rule_set="True">
|
|
<PolicyRule id="id440C055D14846" disabled="False" group="" log="False" position="0" action="Accept" direction="Inbound" comment="">
|
|
<Src neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="id440C055614846"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="id268374X84702"/>
|
|
<ObjectRef ref="id268388X84702"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions/>
|
|
</PolicyRule>
|
|
<PolicyRule id="id440C056914846" disabled="False" group="" log="False" position="1" action="Accept" direction="Inbound" comment="">
|
|
<Src neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="id268374X84702"/>
|
|
<ObjectRef ref="id268388X84702"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions/>
|
|
</PolicyRule>
|
|
<PolicyRule id="id45546A9B30629" disabled="False" group="" log="True" position="2" action="Accept" direction="Inbound" comment="">
|
|
<Src neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="id3B4572AF"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="id268374X84702"/>
|
|
<ObjectRef ref="id268388X84702"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions/>
|
|
</PolicyRule>
|
|
<PolicyRule id="id45546AAE30629" disabled="False" group="" log="True" position="3" action="Accept" direction="Inbound" comment="testing for bug 1593221">
|
|
<Src neg="False">
|
|
<ObjectRef ref="net-Internal_net"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="id3B4572AF"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="id268374X84702"/>
|
|
<ObjectRef ref="id268388X84702"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions/>
|
|
</PolicyRule>
|
|
<PolicyRule id="id440C057514846" disabled="False" group="" log="False" position="4" action="Accept" direction="Inbound" comment="">
|
|
<Src neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="id3B64FFAC"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="id268374X84702"/>
|
|
<ObjectRef ref="id268388X84702"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions/>
|
|
</PolicyRule>
|
|
<PolicyRule id="id440C058114846" disabled="False" group="" log="False" position="5" action="Accept" direction="Inbound" comment="">
|
|
<Src neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="id3CFBE20C"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="id268374X84702"/>
|
|
<ObjectRef ref="id268388X84702"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions/>
|
|
</PolicyRule>
|
|
<PolicyRule id="id440C058D14846" disabled="False" group="" log="False" position="6" action="Accept" direction="Inbound" comment="">
|
|
<Src neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="id3A84EECE"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="id268374X84702"/>
|
|
<ObjectRef ref="id268388X84702"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions/>
|
|
</PolicyRule>
|
|
<PolicyRule id="id440C059914846" disabled="False" group="" log="False" position="7" action="Accept" direction="Inbound" comment="">
|
|
<Src neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="net-Internal_net"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="id268374X84702"/>
|
|
<ObjectRef ref="id268388X84702"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions/>
|
|
</PolicyRule>
|
|
<PolicyRule id="id440C065A14846" disabled="False" group="" log="False" position="8" action="Accept" direction="Outbound" comment="">
|
|
<Src neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="net-Internal_net"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="id268374X84702"/>
|
|
<ObjectRef ref="id268388X84702"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions/>
|
|
</PolicyRule>
|
|
<PolicyRule id="id440C05A514846" disabled="False" group="" log="False" position="9" action="Deny" direction="Inbound" comment="">
|
|
<Src neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Src>
|
|
<Dst neg="True">
|
|
<ObjectRef ref="net-Internal_net"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="id268374X84702"/>
|
|
<ObjectRef ref="id268388X84702"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="stateless">True</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<PolicyRule id="id389939X85037" disabled="False" group="" log="False" position="10" action="Accept" direction="Outbound" comment="">
|
|
<Src neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="id3DC75CEC"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="id268374X84702"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="stateless">False</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<PolicyRule id="id606759X85037" disabled="False" group="" log="False" position="11" action="Accept" direction="Inbound" comment="">
|
|
<Src neg="False">
|
|
<ObjectRef ref="host-hostA"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="id3DC75CEC"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="id268374X84702"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="stateless">False</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<PolicyRule id="id413820X85037" disabled="False" group="" log="False" position="12" action="Accept" direction="Outbound" comment="">
|
|
<Src neg="False">
|
|
<ObjectRef ref="host-hostA"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="id3DC75CEC"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="id268388X84702"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="stateless">False</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<PolicyRule id="id440C2D7814846" disabled="False" position="13" direction="Outbound" action="Continue" log="False" comment="" group="">
|
|
<Src neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="net-Internal_net"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="tcp-SSH"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="id268374X84702"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="action_on_reject"/>
|
|
<Option name="classify_str">1:12</Option>
|
|
<Option name="custom_str"/>
|
|
<Option name="ipfw_classify_method">2</Option>
|
|
<Option name="ipfw_pipe_port_num">0</Option>
|
|
<Option name="ipfw_pipe_queue_num">0</Option>
|
|
<Option name="rule_name_accounting"/>
|
|
<Option name="stateless">True</Option>
|
|
<Option name="tagvalue"/>
|
|
<Option name="tagging">False</Option>
|
|
<Option name="classification">True</Option>
|
|
<Option name="routing">False</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<PolicyRule id="id440C2DA414846" disabled="False" position="14" direction="Outbound" action="Continue" log="False" comment="" group="">
|
|
<Src neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="net-Internal_net"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="tcp-SSH"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="id268388X84702"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="action_on_reject"/>
|
|
<Option name="classify_str">2:12</Option>
|
|
<Option name="custom_str"/>
|
|
<Option name="ipfw_classify_method">2</Option>
|
|
<Option name="ipfw_pipe_port_num">0</Option>
|
|
<Option name="ipfw_pipe_queue_num">0</Option>
|
|
<Option name="rule_name_accounting"/>
|
|
<Option name="stateless">True</Option>
|
|
<Option name="tagvalue"/>
|
|
<Option name="tagging">False</Option>
|
|
<Option name="classification">True</Option>
|
|
<Option name="routing">False</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<PolicyRule id="id451CBF6532306" disabled="False" position="15" direction="Outbound" action="Continue" log="True" comment="" group="">
|
|
<Src neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="net-Internal_net"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="tcp-SSH"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="id268374X84702"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="action_on_reject"/>
|
|
<Option name="classify_str">1:12</Option>
|
|
<Option name="custom_str"/>
|
|
<Option name="ipfw_classify_method">2</Option>
|
|
<Option name="ipfw_pipe_port_num">0</Option>
|
|
<Option name="ipfw_pipe_queue_num">0</Option>
|
|
<Option name="rule_name_accounting"/>
|
|
<Option name="stateless">True</Option>
|
|
<Option name="tagvalue"/>
|
|
<Option name="tagging">False</Option>
|
|
<Option name="classification">True</Option>
|
|
<Option name="routing">False</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<PolicyRule id="id440C05B114846" disabled="False" group="" log="False" position="16" action="Accept" direction="Both" comment="">
|
|
<Src neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="id3CFBE20C"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="udp-bootpc"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions/>
|
|
</PolicyRule>
|
|
<PolicyRule id="id440C05BD14846" disabled="False" group="" log="False" position="17" action="Accept" direction="Both" comment="">
|
|
<Src neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="id3B64FFAC"/>
|
|
<ObjectRef ref="host-hostA"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="udp-bootpc"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions/>
|
|
</PolicyRule>
|
|
<PolicyRule id="id440C05CA14846" disabled="False" group="" log="False" position="18" action="Accept" direction="Both" comment="">
|
|
<Src neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="id3A84EECE"/>
|
|
<ObjectRef ref="host-hostB"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions/>
|
|
</PolicyRule>
|
|
<PolicyRule id="id440C05D714846" disabled="False" group="" log="False" position="19" action="Accept" direction="Both" comment="">
|
|
<Src neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="id3D84EEC8"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions/>
|
|
</PolicyRule>
|
|
<PolicyRule id="id440C05E314846" disabled="False" group="" log="False" position="20" action="Accept" direction="Both" comment="">
|
|
<Src neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="host-hostA"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="tcp-IRC"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions/>
|
|
</PolicyRule>
|
|
<PolicyRule id="id440C05EF14846" disabled="False" group="" log="True" position="21" action="Deny" direction="Both" comment="">
|
|
<Src neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="host-hostA"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="stateless">True</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<PolicyRule id="id440C05FB14846" disabled="False" group="" log="False" position="22" action="Accept" direction="Both" comment="this rule should generate commands in both INPUT and FORWARD chains because this is a bridging firewall; see bug #811860">
|
|
<Src neg="False">
|
|
<ObjectRef ref="net-Internal_net"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="id440C055614846"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="tcp-SSH"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions/>
|
|
</PolicyRule>
|
|
<PolicyRule id="id440C060714846" disabled="False" group="" log="False" position="23" action="Accept" direction="Both" comment="">
|
|
<Src neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="id440C055614846"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions/>
|
|
</PolicyRule>
|
|
<PolicyRule id="id440C061314846" disabled="False" group="" log="False" position="24" action="Accept" direction="Both" comment="interface of another firewall (firewall11). Why do we need to test for this?">
|
|
<Src neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="id3F28B886"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions/>
|
|
</PolicyRule>
|
|
<PolicyRule id="id440C061F14846" disabled="True" group="" log="False" position="25" action="Accept" direction="Both" comment="testing the checkForUnnumbered processor">
|
|
<Src neg="False">
|
|
<ObjectRef ref="id268374X84702"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions/>
|
|
</PolicyRule>
|
|
<RuleSetOptions/>
|
|
</Policy>
|
|
<Routing id="id440C062C14846" name="Routing" comment="" ro="False" ipv4_rule_set="False" ipv6_rule_set="False" top_rule_set="True">
|
|
<RuleSetOptions/>
|
|
</Routing>
|
|
<Interface id="id440C062E14846" dedicated_failover="False" dyn="False" security_level="100" unnum="False" unprotected="False" name="lo" comment="" ro="False">
|
|
<IPv4 id="id440C063014846" name="firewall23-1:lo:ip" comment="" ro="False" address="127.0.0.1" netmask="255.0.0.0"/>
|
|
<InterfaceOptions/>
|
|
</Interface>
|
|
<Interface id="id440C063114846" dedicated_failover="False" dyn="False" label="" mgmt="False" security_level="100" unnum="False" unprotected="False" name="br0" comment="" ro="False">
|
|
<IPv4 id="id440C063314846" name="firewall23-1:br0:ip" comment="" ro="False" address="192.168.1.1" netmask="255.255.255.0"/>
|
|
<InterfaceOptions>
|
|
<Option name="bonding_policy"/>
|
|
<Option name="bondng_driver_options"/>
|
|
<Option name="enable_stp">False</Option>
|
|
<Option name="type">bridge</Option>
|
|
<Option name="vlan_id">0</Option>
|
|
<Option name="xmit_hash_policy"/>
|
|
</InterfaceOptions>
|
|
<Interface id="id268374X84702" dedicated_failover="False" dyn="False" label="" mgmt="False" security_level="0" unnum="False" unprotected="False" name="eth2" comment="" ro="False">
|
|
<InterfaceOptions>
|
|
<Option name="type">ethernet</Option>
|
|
</InterfaceOptions>
|
|
</Interface>
|
|
<Interface id="id268388X84702" dedicated_failover="False" dyn="False" security_level="0" unnum="False" unprotected="False" name="eth3" comment="" ro="False">
|
|
<InterfaceOptions>
|
|
<Option name="type">ethernet</Option>
|
|
</InterfaceOptions>
|
|
</Interface>
|
|
</Interface>
|
|
<Management address="192.168.1.1">
|
|
<SNMPManagement enabled="False" snmp_read_community="public" snmp_write_community=""/>
|
|
<FWBDManagement enabled="True" identity="" port="9999"/>
|
|
<PolicyInstallScript arguments="" command="" enabled="False"/>
|
|
</Management>
|
|
<FirewallOptions>
|
|
<Option name="accept_established">True</Option>
|
|
<Option name="accept_new_tcp_with_no_syn">True</Option>
|
|
<Option name="action_on_reject">ICMP net unreachable</Option>
|
|
<Option name="activationCmd"/>
|
|
<Option name="admUser"/>
|
|
<Option name="altAddress"/>
|
|
<Option name="bridging_fw">True</Option>
|
|
<Option name="check_shading">False</Option>
|
|
<Option name="clamp_mss_to_mtu">True</Option>
|
|
<Option name="classify_mark_terminating">False</Option>
|
|
<Option name="cmdline"/>
|
|
<Option name="compiler"/>
|
|
<Option name="configure_interfaces">True</Option>
|
|
<Option name="debug">False</Option>
|
|
<Option name="drop_invalid">False</Option>
|
|
<Option name="dyn_addr">False</Option>
|
|
<Option name="enable_ipv6">False</Option>
|
|
<Option name="epilog_script"/>
|
|
<Option name="firewall_dir"/>
|
|
<Option name="firewall_is_part_of_any">True</Option>
|
|
<Option name="firewall_is_part_of_any_and_networks">True</Option>
|
|
<Option name="ignore_empty_groups">False</Option>
|
|
<Option name="inst_cmdline"/>
|
|
<Option name="inst_script"/>
|
|
<Option name="install_script"/>
|
|
<Option name="ipv4_6_order">ipv4_first</Option>
|
|
<Option name="limit_suffix">/day</Option>
|
|
<Option name="limit_value">0</Option>
|
|
<Option name="linux24_accept_redirects"/>
|
|
<Option name="linux24_accept_source_route"/>
|
|
<Option name="linux24_icmp_echo_ignore_all"/>
|
|
<Option name="linux24_icmp_echo_ignore_broadcasts"/>
|
|
<Option name="linux24_icmp_ignore_bogus_error_responses"/>
|
|
<Option name="linux24_ip_dynaddr"/>
|
|
<Option name="linux24_ip_forward"/>
|
|
<Option name="linux24_log_martians"/>
|
|
<Option name="linux24_path_ip"/>
|
|
<Option name="linux24_path_iptables"/>
|
|
<Option name="linux24_path_logger"/>
|
|
<Option name="linux24_path_lsmod"/>
|
|
<Option name="linux24_path_modprobe"/>
|
|
<Option name="linux24_rp_filter"/>
|
|
<Option name="linux24_tcp_ecn"/>
|
|
<Option name="linux24_tcp_fack"/>
|
|
<Option name="linux24_tcp_fin_timeout">30</Option>
|
|
<Option name="linux24_tcp_keepalive_interval">1800</Option>
|
|
<Option name="linux24_tcp_sack"/>
|
|
<Option name="linux24_tcp_syncookies"/>
|
|
<Option name="linux24_tcp_timestamps"/>
|
|
<Option name="linux24_tcp_window_scaling"/>
|
|
<Option name="load_modules">False</Option>
|
|
<Option name="local_nat">False</Option>
|
|
<Option name="log_all">False</Option>
|
|
<Option name="log_all_dropped">False</Option>
|
|
<Option name="log_invalid">False</Option>
|
|
<Option name="log_ip_opt">False</Option>
|
|
<Option name="log_level">debug</Option>
|
|
<Option name="log_limit_suffix">/second</Option>
|
|
<Option name="log_limit_value">0</Option>
|
|
<Option name="log_prefix"/>
|
|
<Option name="log_tcp_opt">False</Option>
|
|
<Option name="log_tcp_seq">False</Option>
|
|
<Option name="manage_virtual_addr">True</Option>
|
|
<Option name="mgmt_addr"/>
|
|
<Option name="mgmt_ssh">False</Option>
|
|
<Option name="no_iochains_for_any">False</Option>
|
|
<Option name="no_ipv6_default_policy">False</Option>
|
|
<Option name="no_optimisation">False</Option>
|
|
<Option name="output_file"/>
|
|
<Option name="platform">iptables</Option>
|
|
<Option name="prolog_place">top</Option>
|
|
<Option name="prolog_script"/>
|
|
<Option name="proxy_arp">False</Option>
|
|
<Option name="script_env_path"/>
|
|
<Option name="snmp_contact"/>
|
|
<Option name="snmp_description"/>
|
|
<Option name="snmp_location"/>
|
|
<Option name="sshArgs"/>
|
|
<Option name="ulog_cprange">0</Option>
|
|
<Option name="ulog_nlgroup">1</Option>
|
|
<Option name="ulog_qthreshold">1</Option>
|
|
<Option name="use_ULOG">False</Option>
|
|
<Option name="use_ip_tool">False</Option>
|
|
<Option name="use_iptables_restore">False</Option>
|
|
<Option name="use_numeric_log_levels">False</Option>
|
|
<Option name="verify_interfaces">False</Option>
|
|
</FirewallOptions>
|
|
</Firewall>
|
|
<Firewall id="id445DA2F330753" host_OS="linux24" inactive="False" lastCompiled="1272404497" lastInstalled="1146967632" lastModified="1298254709" platform="iptables" version="" name="firewall39" comment="testing branching rules in normal script mode (not using iptables-restore)" ro="False">
|
|
<NAT id="id445DA35A30753" name="NAT" comment="" ro="False" ipv4_rule_set="False" ipv6_rule_set="False" top_rule_set="True">
|
|
<NATRule id="id445DA35B30753" disabled="False" group="" position="0" action="Translate" comment="">
|
|
<OSrc neg="False">
|
|
<ObjectRef ref="id445DA2F330753"/>
|
|
<ObjectRef ref="net-Internal_net"/>
|
|
</OSrc>
|
|
<ODst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ODst>
|
|
<OSrv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</OSrv>
|
|
<TSrc neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</TSrc>
|
|
<TDst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</TDst>
|
|
<TSrv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</TSrv>
|
|
<ItfInb neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ItfInb>
|
|
<ItfOutb neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ItfOutb>
|
|
<NATRuleOptions/>
|
|
</NATRule>
|
|
<RuleSetOptions/>
|
|
</NAT>
|
|
<Policy id="id445DA2F930753" name="Policy" comment="" ro="False" ipv4_rule_set="False" ipv6_rule_set="False" top_rule_set="True">
|
|
<PolicyRule id="id445DA2FA30753" disabled="False" group="" log="False" position="0" action="Branch" direction="Both" comment="">
|
|
<Src neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="id3CB1279B"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="action_on_reject"/>
|
|
<Option name="branch_name">rule0_branch</Option>
|
|
<Option name="color">#C0BA44</Option>
|
|
<Option name="rule_name_accounting"/>
|
|
<Option name="stateless">True</Option>
|
|
<Option name="tagvalue">16</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<PolicyRule id="id445DA30630753" disabled="False" group="" log="True" position="1" action="Branch" direction="Both" comment="">
|
|
<Src neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="id3CB1279B"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="action_on_reject"/>
|
|
<Option name="branch_name">rule1_branch</Option>
|
|
<Option name="color">#C0BA44</Option>
|
|
<Option name="rule_name_accounting"/>
|
|
<Option name="stateless">True</Option>
|
|
<Option name="tagvalue">16</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<PolicyRule id="id445DA31230753" disabled="False" group="" log="True" position="2" action="Branch" direction="Both" comment="">
|
|
<Src neg="True">
|
|
<ObjectRef ref="net-Internal_net"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="id3CB1279B"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="action_on_reject"/>
|
|
<Option name="branch_name">rule2_branch</Option>
|
|
<Option name="color">#C0BA44</Option>
|
|
<Option name="rule_name_accounting"/>
|
|
<Option name="stateless">True</Option>
|
|
<Option name="tagvalue">16</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<PolicyRule id="id445DA31E30753" disabled="False" group="" log="False" position="3" action="Branch" direction="Inbound" comment="">
|
|
<Src neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="id3CB1279B"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="id445DA36E30753"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="action_on_reject"/>
|
|
<Option name="branch_name">rule3_branch</Option>
|
|
<Option name="color">#C0BA44</Option>
|
|
<Option name="rule_name_accounting"/>
|
|
<Option name="stateless">True</Option>
|
|
<Option name="tagvalue">16</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<PolicyRule id="id464C589B3999" disabled="False" group="" log="False" position="4" action="Branch" direction="Outbound" comment="">
|
|
<Src neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="id3CB1279B"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="id445DA36E30753"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="action_on_reject"/>
|
|
<Option name="branch_name">rule3_branch</Option>
|
|
<Option name="classify_str"/>
|
|
<Option name="color">#C0BA44</Option>
|
|
<Option name="custom_str"/>
|
|
<Option name="ipf_route_opt_addr"/>
|
|
<Option name="ipf_route_opt_if"/>
|
|
<Option name="ipf_route_option">route_through</Option>
|
|
<Option name="ipfw_classify_method">2</Option>
|
|
<Option name="ipfw_pipe_port_num">0</Option>
|
|
<Option name="ipfw_pipe_queue_num">0</Option>
|
|
<Option name="ipt_branch_in_mangle">False</Option>
|
|
<Option name="ipt_continue">False</Option>
|
|
<Option name="ipt_gw"/>
|
|
<Option name="ipt_iif"/>
|
|
<Option name="ipt_mark_connections">False</Option>
|
|
<Option name="ipt_mark_prerouting">False</Option>
|
|
<Option name="ipt_oif"/>
|
|
<Option name="ipt_tee">False</Option>
|
|
<Option name="pf_fastroute">False</Option>
|
|
<Option name="pf_route_opt_addr"/>
|
|
<Option name="pf_route_opt_if"/>
|
|
<Option name="pf_route_option">route_through</Option>
|
|
<Option name="rule_name_accounting"/>
|
|
<Option name="stateless">True</Option>
|
|
<Option name="tagvalue">16</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<PolicyRule id="id445DA32A30753" disabled="False" group="" log="False" position="5" action="Branch" direction="Both" comment="">
|
|
<Src neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="id3D151943"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="tcp-HTTP"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="branch_name">rule4_branch</Option>
|
|
<Option name="color">#C0BA44</Option>
|
|
<Option name="stateless">True</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<PolicyRule id="id445DA33630753" disabled="False" group="" log="False" position="6" action="Branch" direction="Both" comment="">
|
|
<Src neg="False">
|
|
<ObjectRef ref="net-Internal_net"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="action_on_reject"/>
|
|
<Option name="branch_name">rule5_branch</Option>
|
|
<Option name="classify_str">1:2</Option>
|
|
<Option name="color">#C0BA44</Option>
|
|
<Option name="custom_str">-j TCPMSS --set-mss 1400</Option>
|
|
<Option name="firewall_is_part_of_any_and_networks">False</Option>
|
|
<Option name="ipfw_pipe_method">0</Option>
|
|
<Option name="ipfw_pipe_port_num">0</Option>
|
|
<Option name="limit_burst">0</Option>
|
|
<Option name="limit_suffix"/>
|
|
<Option name="limit_value">0</Option>
|
|
<Option name="log_level"/>
|
|
<Option name="log_prefix"/>
|
|
<Option name="rule_name_accounting"/>
|
|
<Option name="stateless">True</Option>
|
|
<Option name="tagvalue"/>
|
|
<Option name="ulog_nlgroup">1</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<PolicyRule id="id464C29973999" disabled="False" group="" log="False" position="7" action="Branch" direction="Both" comment="green rules also branch in the mangle table">
|
|
<Src neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="id3CB1279B"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="action_on_reject"/>
|
|
<Option name="branch_name">rule0_branch</Option>
|
|
<Option name="classify_str"/>
|
|
<Option name="color">#8BC065</Option>
|
|
<Option name="custom_str"/>
|
|
<Option name="ipf_route_opt_addr"/>
|
|
<Option name="ipf_route_opt_if"/>
|
|
<Option name="ipf_route_option">route_through</Option>
|
|
<Option name="ipfw_classify_method">2</Option>
|
|
<Option name="ipfw_pipe_port_num">0</Option>
|
|
<Option name="ipfw_pipe_queue_num">0</Option>
|
|
<Option name="ipt_branch_in_mangle">True</Option>
|
|
<Option name="ipt_continue">False</Option>
|
|
<Option name="ipt_gw"/>
|
|
<Option name="ipt_iif"/>
|
|
<Option name="ipt_mark_connections">False</Option>
|
|
<Option name="ipt_mark_prerouting">False</Option>
|
|
<Option name="ipt_oif"/>
|
|
<Option name="ipt_tee">False</Option>
|
|
<Option name="pf_fastroute">False</Option>
|
|
<Option name="pf_route_opt_addr"/>
|
|
<Option name="pf_route_opt_if"/>
|
|
<Option name="pf_route_option">route_through</Option>
|
|
<Option name="rule_name_accounting"/>
|
|
<Option name="stateless">True</Option>
|
|
<Option name="tagvalue">16</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<PolicyRule id="id464C29A93999" disabled="False" group="" log="True" position="8" action="Branch" direction="Both" comment="">
|
|
<Src neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="id3CB1279B"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="action_on_reject"/>
|
|
<Option name="branch_name">rule1_branch</Option>
|
|
<Option name="classify_str"/>
|
|
<Option name="color">#8BC065</Option>
|
|
<Option name="custom_str"/>
|
|
<Option name="ipf_route_opt_addr"/>
|
|
<Option name="ipf_route_opt_if"/>
|
|
<Option name="ipf_route_option">route_through</Option>
|
|
<Option name="ipfw_classify_method">2</Option>
|
|
<Option name="ipfw_pipe_port_num">0</Option>
|
|
<Option name="ipfw_pipe_queue_num">0</Option>
|
|
<Option name="ipt_branch_in_mangle">True</Option>
|
|
<Option name="ipt_continue">False</Option>
|
|
<Option name="ipt_gw"/>
|
|
<Option name="ipt_iif"/>
|
|
<Option name="ipt_mark_connections">False</Option>
|
|
<Option name="ipt_mark_prerouting">False</Option>
|
|
<Option name="ipt_oif"/>
|
|
<Option name="ipt_tee">False</Option>
|
|
<Option name="pf_fastroute">False</Option>
|
|
<Option name="pf_route_opt_addr"/>
|
|
<Option name="pf_route_opt_if"/>
|
|
<Option name="pf_route_option">route_through</Option>
|
|
<Option name="rule_name_accounting"/>
|
|
<Option name="stateless">True</Option>
|
|
<Option name="tagvalue">16</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<PolicyRule id="id464C29BB3999" disabled="False" group="" log="True" position="9" action="Branch" direction="Both" comment="">
|
|
<Src neg="True">
|
|
<ObjectRef ref="net-Internal_net"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="id3CB1279B"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="action_on_reject"/>
|
|
<Option name="branch_name">rule2_branch</Option>
|
|
<Option name="classify_str"/>
|
|
<Option name="color">#8BC065</Option>
|
|
<Option name="custom_str"/>
|
|
<Option name="ipf_route_opt_addr"/>
|
|
<Option name="ipf_route_opt_if"/>
|
|
<Option name="ipf_route_option">route_through</Option>
|
|
<Option name="ipfw_classify_method">2</Option>
|
|
<Option name="ipfw_pipe_port_num">0</Option>
|
|
<Option name="ipfw_pipe_queue_num">0</Option>
|
|
<Option name="ipt_branch_in_mangle">True</Option>
|
|
<Option name="ipt_continue">False</Option>
|
|
<Option name="ipt_gw"/>
|
|
<Option name="ipt_iif"/>
|
|
<Option name="ipt_mark_connections">False</Option>
|
|
<Option name="ipt_mark_prerouting">False</Option>
|
|
<Option name="ipt_oif"/>
|
|
<Option name="ipt_tee">False</Option>
|
|
<Option name="pf_fastroute">False</Option>
|
|
<Option name="pf_route_opt_addr"/>
|
|
<Option name="pf_route_opt_if"/>
|
|
<Option name="pf_route_option">route_through</Option>
|
|
<Option name="rule_name_accounting"/>
|
|
<Option name="stateless">True</Option>
|
|
<Option name="tagvalue">16</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<PolicyRule id="id464C29CD3999" disabled="False" group="" log="False" position="10" action="Branch" direction="Inbound" comment="">
|
|
<Src neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="id3CB1279B"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="id445DA36E30753"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="action_on_reject"/>
|
|
<Option name="branch_name">rule3_branch</Option>
|
|
<Option name="classify_str"/>
|
|
<Option name="color">#8BC065</Option>
|
|
<Option name="custom_str"/>
|
|
<Option name="ipf_route_opt_addr"/>
|
|
<Option name="ipf_route_opt_if"/>
|
|
<Option name="ipf_route_option">route_through</Option>
|
|
<Option name="ipfw_classify_method">2</Option>
|
|
<Option name="ipfw_pipe_port_num">0</Option>
|
|
<Option name="ipfw_pipe_queue_num">0</Option>
|
|
<Option name="ipt_branch_in_mangle">True</Option>
|
|
<Option name="ipt_continue">False</Option>
|
|
<Option name="ipt_gw"/>
|
|
<Option name="ipt_iif"/>
|
|
<Option name="ipt_mark_connections">False</Option>
|
|
<Option name="ipt_mark_prerouting">False</Option>
|
|
<Option name="ipt_oif"/>
|
|
<Option name="ipt_tee">False</Option>
|
|
<Option name="pf_fastroute">False</Option>
|
|
<Option name="pf_route_opt_addr"/>
|
|
<Option name="pf_route_opt_if"/>
|
|
<Option name="pf_route_option">route_through</Option>
|
|
<Option name="rule_name_accounting"/>
|
|
<Option name="stateless">True</Option>
|
|
<Option name="tagvalue">16</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<PolicyRule id="id464C58AD3999" disabled="False" group="" log="False" position="11" action="Branch" direction="Outbound" comment="">
|
|
<Src neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="id3CB1279B"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="id445DA36E30753"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="action_on_reject"/>
|
|
<Option name="branch_name">rule3_branch</Option>
|
|
<Option name="classify_str"/>
|
|
<Option name="color">#8BC065</Option>
|
|
<Option name="custom_str"/>
|
|
<Option name="ipf_route_opt_addr"/>
|
|
<Option name="ipf_route_opt_if"/>
|
|
<Option name="ipf_route_option">route_through</Option>
|
|
<Option name="ipfw_classify_method">2</Option>
|
|
<Option name="ipfw_pipe_port_num">0</Option>
|
|
<Option name="ipfw_pipe_queue_num">0</Option>
|
|
<Option name="ipt_branch_in_mangle">True</Option>
|
|
<Option name="ipt_continue">False</Option>
|
|
<Option name="ipt_gw"/>
|
|
<Option name="ipt_iif"/>
|
|
<Option name="ipt_mark_connections">False</Option>
|
|
<Option name="ipt_mark_prerouting">False</Option>
|
|
<Option name="ipt_oif"/>
|
|
<Option name="ipt_tee">False</Option>
|
|
<Option name="pf_fastroute">False</Option>
|
|
<Option name="pf_route_opt_addr"/>
|
|
<Option name="pf_route_opt_if"/>
|
|
<Option name="pf_route_option">route_through</Option>
|
|
<Option name="rule_name_accounting"/>
|
|
<Option name="stateless">True</Option>
|
|
<Option name="tagvalue">16</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<PolicyRule id="id464C29DF3999" disabled="False" group="" log="False" position="12" action="Branch" direction="Both" comment="">
|
|
<Src neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="id3D151943"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="tcp-HTTP"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="action_on_reject"/>
|
|
<Option name="branch_name">rule4_branch</Option>
|
|
<Option name="classify_str"/>
|
|
<Option name="color">#8BC065</Option>
|
|
<Option name="custom_str"/>
|
|
<Option name="ipf_route_opt_addr"/>
|
|
<Option name="ipf_route_opt_if"/>
|
|
<Option name="ipf_route_option">route_through</Option>
|
|
<Option name="ipfw_classify_method">2</Option>
|
|
<Option name="ipfw_pipe_port_num">0</Option>
|
|
<Option name="ipfw_pipe_queue_num">0</Option>
|
|
<Option name="ipt_branch_in_mangle">True</Option>
|
|
<Option name="ipt_continue">False</Option>
|
|
<Option name="ipt_gw"/>
|
|
<Option name="ipt_iif"/>
|
|
<Option name="ipt_mark_connections">False</Option>
|
|
<Option name="ipt_mark_prerouting">False</Option>
|
|
<Option name="ipt_oif"/>
|
|
<Option name="ipt_tee">False</Option>
|
|
<Option name="pf_fastroute">False</Option>
|
|
<Option name="pf_route_opt_addr"/>
|
|
<Option name="pf_route_opt_if"/>
|
|
<Option name="pf_route_option">route_through</Option>
|
|
<Option name="rule_name_accounting"/>
|
|
<Option name="stateless">True</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<PolicyRule id="id464C29F13999" disabled="False" group="" log="False" position="13" action="Branch" direction="Both" comment="">
|
|
<Src neg="False">
|
|
<ObjectRef ref="net-Internal_net"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="action_on_reject"/>
|
|
<Option name="branch_name">rule5_branch</Option>
|
|
<Option name="classify_str">1:2</Option>
|
|
<Option name="color">#8BC065</Option>
|
|
<Option name="custom_str">-j TCPMSS --set-mss 1400</Option>
|
|
<Option name="firewall_is_part_of_any_and_networks">False</Option>
|
|
<Option name="ipf_route_opt_addr"/>
|
|
<Option name="ipf_route_opt_if"/>
|
|
<Option name="ipf_route_option">route_through</Option>
|
|
<Option name="ipfw_classify_method">2</Option>
|
|
<Option name="ipfw_pipe_method">0</Option>
|
|
<Option name="ipfw_pipe_port_num">0</Option>
|
|
<Option name="ipfw_pipe_queue_num">0</Option>
|
|
<Option name="ipt_branch_in_mangle">True</Option>
|
|
<Option name="ipt_continue">False</Option>
|
|
<Option name="ipt_gw"/>
|
|
<Option name="ipt_iif"/>
|
|
<Option name="ipt_mark_connections">False</Option>
|
|
<Option name="ipt_mark_prerouting">False</Option>
|
|
<Option name="ipt_oif"/>
|
|
<Option name="ipt_tee">False</Option>
|
|
<Option name="limit_burst">0</Option>
|
|
<Option name="limit_suffix"/>
|
|
<Option name="limit_value">0</Option>
|
|
<Option name="log_level"/>
|
|
<Option name="log_prefix"/>
|
|
<Option name="pf_fastroute">False</Option>
|
|
<Option name="pf_route_opt_addr"/>
|
|
<Option name="pf_route_opt_if"/>
|
|
<Option name="pf_route_option">route_through</Option>
|
|
<Option name="rule_name_accounting"/>
|
|
<Option name="stateless">True</Option>
|
|
<Option name="tagvalue"/>
|
|
<Option name="ulog_nlgroup">1</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<PolicyRule id="id99075X19289" disabled="False" group="" log="False" position="14" action="Branch" direction="Both" comment="testing loop in branching rules: branch_id id99127X19289 resolves to rule6_branch (branch_name still says rule5_branch; the id is expected to win), and rule6_branch in turn branches to id445DA2F930753, presumably back into this Policy, so the branch chain is a cycle the compiler is expected to detect rather than follow">
|
|
<Src neg="False">
|
|
<ObjectRef ref="net-Internal_net"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="action_on_reject"/>
|
|
<Option name="branch_id">id99127X19289</Option>
|
|
<Option name="branch_name">rule5_branch</Option>
|
|
<Option name="classify_str">1:2</Option>
|
|
<Option name="color">#C86E6E</Option>
|
|
<Option name="custom_str">-j TCPMSS --set-mss 1400</Option>
|
|
<Option name="firewall_is_part_of_any_and_networks"/>
|
|
<Option name="ipf_route_opt_addr"/>
|
|
<Option name="ipf_route_opt_if"/>
|
|
<Option name="ipf_route_option">route_copy_through</Option>
|
|
<Option name="ipfw_classify_method">2</Option>
|
|
<Option name="ipfw_pipe_method">0</Option>
|
|
<Option name="ipfw_pipe_port_num">0</Option>
|
|
<Option name="ipfw_pipe_queue_num">0</Option>
|
|
<Option name="ipt_branch_in_mangle">False</Option>
|
|
<Option name="ipt_continue">False</Option>
|
|
<Option name="ipt_gw"/>
|
|
<Option name="ipt_iif"/>
|
|
<Option name="ipt_mark_connections">False</Option>
|
|
<Option name="ipt_mark_prerouting">False</Option>
|
|
<Option name="ipt_oif"/>
|
|
<Option name="ipt_tee">False</Option>
|
|
<Option name="limit_burst">0</Option>
|
|
<Option name="limit_suffix"/>
|
|
<Option name="limit_value">0</Option>
|
|
<Option name="log_level"/>
|
|
<Option name="log_prefix"/>
|
|
<Option name="pf_classify_str"/>
|
|
<Option name="pf_classify_terminating">False</Option>
|
|
<Option name="pf_fastroute">False</Option>
|
|
<Option name="pf_route_load_option">none</Option>
|
|
<Option name="pf_route_opt_addr"/>
|
|
<Option name="pf_route_opt_if"/>
|
|
<Option name="pf_route_option">route_through</Option>
|
|
<Option name="pf_tag_terminating">False</Option>
|
|
<Option name="rule_name_accounting"/>
|
|
<Option name="stateless">True</Option>
|
|
<Option name="tagvalue"/>
|
|
<Option name="ulog_nlgroup">1</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<PolicyRule id="id445DA34230753" disabled="False" group="" log="False" position="15" action="Custom" direction="Both" comment="">
|
|
<Src neg="False">
|
|
<ObjectRef ref="net-Internal_net"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="action_on_reject"/>
|
|
<Option name="classify_str"/>
|
|
<Option name="custom_str">-j TCPMSS --set-mss 1400</Option>
|
|
<Option name="ipfw_pipe_method">0</Option>
|
|
<Option name="ipfw_pipe_port_num">0</Option>
|
|
<Option name="rule_name_accounting"/>
|
|
<Option name="stateless">True</Option>
|
|
<Option name="tagvalue"/>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<!-- Rule 16: action="Custom", so the only effect is the literal iptables fragment in custom_str
     ("-j TARPIT"), applied to Src id3CEBFCAE, any Dst, any service, any interface, both directions,
     stateless and logged (log="True").
     NOTE(review): TARPIT is not a stock netfilter target; the generated script will fail to load on a
     host whose iptables/kernel lacks the add-on module. Confirm the target platform provides it, and
     remember a custom_str is emitted verbatim, so it bypasses every check the compiler would do on a
     normal action.
     NOTE(review): ipf_route_option and pf_route_option below read "Route through", whereas every other
     rule in this ruleset stores "route_through". These options are presumably only consulted when
     compiling for ipf/pf, but the value looks like a legacy spelling; confirm before reusing this
     rule on those platforms. -->
<PolicyRule id="id451DA7EF4163" disabled="False" group="" log="True" position="16" action="Custom" direction="Both" comment="">
|
|
<Src neg="False">
|
|
<ObjectRef ref="id3CEBFCAE"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="action_on_reject"/>
|
|
<Option name="classify_str"/>
|
|
<!-- Emitted verbatim into the iptables command line; see the note above the rule. -->
<Option name="custom_str">-j TARPIT</Option>
|
|
<Option name="ipf_route_opt_addr"/>
|
|
<Option name="ipf_route_opt_if"/>
|
|
<!-- Legacy-looking spelling; other rules use "route_through". -->
<Option name="ipf_route_option">Route through</Option>
|
|
<Option name="ipfw_classify_method">2</Option>
|
|
<Option name="ipfw_pipe_port_num">0</Option>
|
|
<Option name="ipfw_pipe_queue_num">0</Option>
|
|
<Option name="ipt_continue">False</Option>
|
|
<Option name="ipt_gw"/>
|
|
<Option name="ipt_iif"/>
|
|
<Option name="ipt_mark_connections">False</Option>
|
|
<Option name="ipt_mark_prerouting">False</Option>
|
|
<Option name="ipt_oif"/>
|
|
<Option name="ipt_tee">False</Option>
|
|
<Option name="pf_fastroute">False</Option>
|
|
<Option name="pf_route_opt_addr"/>
|
|
<Option name="pf_route_opt_if"/>
|
|
<!-- Legacy-looking spelling; other rules use "route_through". -->
<Option name="pf_route_option">Route through</Option>
|
|
<Option name="rule_name_accounting"/>
|
|
<Option name="stateless">True</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<PolicyRule id="id445DA34E30753" disabled="False" group="" log="True" position="17" action="Deny" direction="Both" comment="">
|
|
<Src neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="stateless">True</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<RuleSetOptions/>
|
|
</Policy>
|
|
<Policy id="id45514D0E11228" name="rule_4_0_branch" comment="" ro="False" ipv4_rule_set="False" ipv6_rule_set="False" top_rule_set="False">
|
|
<PolicyRule id="id45514D0F11228" disabled="False" group="" log="False" position="0" action="Accept" direction="Outbound" comment="">
|
|
<Src neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="id445DA37130753"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions/>
|
|
</PolicyRule>
|
|
<PolicyRule id="id45545B9C22651" disabled="False" group="" log="True" position="1" action="Deny" direction="Both" comment="">
|
|
<Src neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="stateless">True</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<RuleSetOptions/>
|
|
</Policy>
|
|
<Policy id="id4554876222651" name="rule_4_1_branch" comment="" ro="False" ipv4_rule_set="False" ipv6_rule_set="False" top_rule_set="False">
|
|
<PolicyRule id="id4554877422651" disabled="False" group="" log="False" position="0" action="Accept" direction="Outbound" comment="">
|
|
<Src neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="id445DA37130753"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions/>
|
|
</PolicyRule>
|
|
<PolicyRule id="id4554876322651" disabled="False" group="" log="True" position="1" action="Deny" direction="Both" comment="">
|
|
<Src neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="stateless">True</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<RuleSetOptions/>
|
|
</Policy>
|
|
<Policy id="id445DCB2A30753" name="rule0_branch" comment="" ro="False" ipv4_rule_set="False" ipv6_rule_set="False" top_rule_set="False">
|
|
<PolicyRule id="id445DCB3030753" disabled="False" group="" log="True" position="0" action="Accept" direction="Both" comment="">
|
|
<Src neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions/>
|
|
</PolicyRule>
|
|
<RuleSetOptions/>
|
|
</Policy>
|
|
<Policy id="id445DCB2B30753" name="rule1_branch" comment="" ro="False" ipv4_rule_set="False" ipv6_rule_set="False" top_rule_set="False">
|
|
<PolicyRule id="id445DCB3C30753" disabled="False" group="" log="True" position="0" action="Deny" direction="Both" comment="">
|
|
<Src neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="id3D151943"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="stateless">True</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<PolicyRule id="id445DCB5230753" disabled="False" group="" log="False" position="1" action="Accept" direction="Both" comment="">
|
|
<Src neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions/>
|
|
</PolicyRule>
|
|
<RuleSetOptions/>
|
|
</Policy>
|
|
<Policy id="id445DCB2C30753" name="rule2_branch" comment="" ro="False" ipv4_rule_set="False" ipv6_rule_set="False" top_rule_set="False">
|
|
<PolicyRule id="id445DF33930753" disabled="False" group="" log="True" position="0" action="Deny" direction="Both" comment="">
|
|
<Src neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Src>
|
|
<Dst neg="True">
|
|
<ObjectRef ref="id3D151943"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="stateless">True</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<PolicyRule id="id445E431430753" disabled="False" group="" log="False" position="1" action="Accept" direction="Both" comment="">
|
|
<Src neg="False">
|
|
<ObjectRef ref="id3CEBFCAE"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="id3D151943"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions/>
|
|
</PolicyRule>
|
|
<PolicyRule id="id445E432F30753" disabled="False" group="" log="True" position="2" action="Deny" direction="Both" comment="">
|
|
<Src neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="stateless">True</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<RuleSetOptions/>
|
|
</Policy>
|
|
<Policy id="id445DCB2D30753" name="rule3_branch" comment="" ro="False" ipv4_rule_set="False" ipv6_rule_set="False" top_rule_set="False">
|
|
<PolicyRule id="id445E6B3A30753" disabled="False" group="" log="False" position="0" action="Accept" direction="Inbound" comment="">
|
|
<Src neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="id445DA2F330753"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="id445DA36E30753"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions/>
|
|
</PolicyRule>
|
|
<PolicyRule id="id445E6B4730753" disabled="False" group="" log="True" position="1" action="Deny" direction="Both" comment="">
|
|
<Src neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="stateless">True</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<RuleSetOptions/>
|
|
</Policy>
|
|
<Policy id="id445DCB2E30753" name="rule4_branch" comment="" ro="False" ipv4_rule_set="False" ipv6_rule_set="False" top_rule_set="False">
|
|
<PolicyRule id="id45514D0211228" disabled="False" group="" log="True" position="0" action="Branch" direction="Inbound" comment="">
|
|
<Src neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="id445DA36E30753"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="action_on_reject"/>
|
|
<Option name="branch_name">rule_4_0_branch</Option>
|
|
<Option name="classify_str"/>
|
|
<Option name="custom_str"/>
|
|
<Option name="ipf_route_opt_addr"/>
|
|
<Option name="ipf_route_opt_if"/>
|
|
<Option name="ipf_route_option">route_through</Option>
|
|
<Option name="ipfw_classify_method">2</Option>
|
|
<Option name="ipfw_pipe_port_num">0</Option>
|
|
<Option name="ipfw_pipe_queue_num">0</Option>
|
|
<Option name="ipt_branch_in_mangle">False</Option>
|
|
<Option name="ipt_continue">False</Option>
|
|
<Option name="ipt_gw"/>
|
|
<Option name="ipt_iif"/>
|
|
<Option name="ipt_mark_connections">False</Option>
|
|
<Option name="ipt_mark_prerouting">False</Option>
|
|
<Option name="ipt_oif"/>
|
|
<Option name="ipt_tee">False</Option>
|
|
<Option name="pf_fastroute">False</Option>
|
|
<Option name="pf_route_opt_addr"/>
|
|
<Option name="pf_route_opt_if"/>
|
|
<Option name="pf_route_option">route_through</Option>
|
|
<Option name="rule_name_accounting"/>
|
|
<Option name="stateless">True</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<PolicyRule id="id4554875522651" disabled="False" group="" log="True" position="1" action="Branch" direction="Inbound" comment="">
|
|
<Src neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="id445DA36B30753"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="action_on_reject"/>
|
|
<Option name="branch_name">rule_4_1_branch</Option>
|
|
<Option name="classify_str"/>
|
|
<Option name="custom_str"/>
|
|
<Option name="ipf_route_opt_addr"/>
|
|
<Option name="ipf_route_opt_if"/>
|
|
<Option name="ipf_route_option">route_through</Option>
|
|
<Option name="ipfw_classify_method">2</Option>
|
|
<Option name="ipfw_pipe_port_num">0</Option>
|
|
<Option name="ipfw_pipe_queue_num">0</Option>
|
|
<Option name="ipt_branch_in_mangle">False</Option>
|
|
<Option name="ipt_continue">False</Option>
|
|
<Option name="ipt_gw"/>
|
|
<Option name="ipt_iif"/>
|
|
<Option name="ipt_mark_connections">False</Option>
|
|
<Option name="ipt_mark_prerouting">False</Option>
|
|
<Option name="ipt_oif"/>
|
|
<Option name="ipt_tee">False</Option>
|
|
<Option name="pf_fastroute">False</Option>
|
|
<Option name="pf_route_opt_addr"/>
|
|
<Option name="pf_route_opt_if"/>
|
|
<Option name="pf_route_option">route_through</Option>
|
|
<Option name="rule_name_accounting"/>
|
|
<Option name="stateless">True</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<RuleSetOptions/>
|
|
</Policy>
|
|
<Policy id="id445DCB2F30753" name="rule5_branch" comment="" ro="False" ipv4_rule_set="False" ipv6_rule_set="False" top_rule_set="False">
|
|
<PolicyRule id="id459651137309" disabled="True" group="" log="True" position="0" action="Deny" direction="Both" comment="">
|
|
<Src neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="stateless">True</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<RuleSetOptions/>
|
|
</Policy>
|
|
<Policy id="id99127X19289" name="rule6_branch" comment="" ro="False" ipv4_rule_set="True" ipv6_rule_set="False" top_rule_set="False">
|
|
<PolicyRule id="id99185X19289" disabled="False" group="" log="False" position="0" action="Branch" direction="Both" comment="">
|
|
<Src neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="action_on_reject"/>
|
|
<Option name="branch_id">id445DA2F930753</Option>
|
|
<Option name="classify_str"/>
|
|
<Option name="custom_str"/>
|
|
<Option name="ipf_route_opt_addr"/>
|
|
<Option name="ipf_route_opt_if"/>
|
|
<Option name="ipf_route_option">route_through</Option>
|
|
<Option name="ipfw_classify_method">2</Option>
|
|
<Option name="ipfw_pipe_port_num">0</Option>
|
|
<Option name="ipfw_pipe_queue_num">0</Option>
|
|
<Option name="ipt_branch_in_mangle">False</Option>
|
|
<Option name="ipt_continue">False</Option>
|
|
<Option name="ipt_gw"/>
|
|
<Option name="ipt_iif"/>
|
|
<Option name="ipt_mark_connections">False</Option>
|
|
<Option name="ipt_oif"/>
|
|
<Option name="ipt_tee">False</Option>
|
|
<Option name="pf_classify_str"/>
|
|
<Option name="pf_classify_terminating">False</Option>
|
|
<Option name="pf_fastroute">False</Option>
|
|
<Option name="pf_route_load_option">none</Option>
|
|
<Option name="pf_route_opt_addr"/>
|
|
<Option name="pf_route_opt_if"/>
|
|
<Option name="pf_route_option">none</Option>
|
|
<Option name="pf_tag_terminating">False</Option>
|
|
<Option name="rule_name_accounting"/>
|
|
<Option name="stateless">True</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<RuleSetOptions>
|
|
<Option name="mangle_only_rule_set">False</Option>
|
|
</RuleSetOptions>
|
|
</Policy>
|
|
<Routing id="id445DA36A30753" name="Routing" comment="" ro="False" ipv4_rule_set="False" ipv6_rule_set="False" top_rule_set="True">
|
|
<RuleSetOptions/>
|
|
</Routing>
|
|
<!-- eth0: the management interface (mgmt="True", security_level 100), 192.168.1.22/24.
     This is the address the Management element below installs policy to. Referenced as Itf by
     rule 1 of rule4_branch. -->
<Interface id="id445DA36B30753" dedicated_failover="False" dyn="False" label="" mgmt="True" security_level="100" unnum="False" unprotected="False" name="eth0" comment="" ro="False">
|
|
<IPv4 id="id445DA36D30753" name="firewall39:eth0:ip" comment="" ro="False" address="192.168.1.22" netmask="255.255.255.0"/>
|
|
<InterfaceOptions/>
|
|
</Interface>
|
|
<!-- eth1: labelled "outside", security_level 0, 22.22.23.22/24 (a non-RFC1918 address, as expected
     for the external side). Referenced as Itf by policy rules 10 and 11, rule3_branch and rule4_branch. -->
<Interface id="id445DA36E30753" dedicated_failover="False" dyn="False" label="eth1(outside)" mgmt="False" security_level="0" unnum="False" unprotected="False" name="eth1" comment="" ro="False">
|
|
<IPv4 id="id445DA37030753" name="firewall39:eth1:ip" comment="" ro="False" address="22.22.23.22" netmask="255.255.255.0"/>
|
|
<InterfaceOptions/>
|
|
</Interface>
|
|
<!-- eth2: labelled "dmz" but carries security_level 0, the same value as the outside interface;
     whether security_level affects anything on the iptables platform is not visible here.
     Referenced as Itf by the Accept rules in rule_4_0_branch and rule_4_1_branch.
     NOTE(review): the IPv4 comment says this subnet overlaps with eth1, but as saved eth1 is
     22.22.23.0/24, eth2 is 192.168.2.0/24 and eth0 is 192.168.1.0/24, so nothing overlaps; the
     comment looks stale relative to the addresses. Confirm the intended test setup before relying on
     the overlap case. -->
<Interface id="id445DA37130753" dedicated_failover="False" dyn="False" label="eth2(dmz)" mgmt="False" security_level="0" unnum="False" unprotected="False" name="eth2" comment="" ro="False">
|
|
<IPv4 id="id445DA37330753" name="firewall39:eth2:ip" comment="this interface is on the subnet that overlaps with eth1" ro="False" address="192.168.2.1" netmask="255.255.255.0"/>
|
|
<InterfaceOptions/>
|
|
</Interface>
|
|
<!-- Management settings: policy installation targets 192.168.1.22, i.e. eth0 (mgmt="True").
     SNMP management is disabled and both community strings are empty, so nothing sensitive is stored here.
     FWBDManagement is enabled on port 9999 with an empty identity; this is presumably the fwbd
     remote-management daemon channel. NOTE(review): confirm it is intentionally enabled, since nothing
     in the visible policy restricts who may reach port 9999 on the firewall.
     PolicyInstallScript is disabled and has no command, so no external installer is invoked. -->
<Management address="192.168.1.22">
|
|
<SNMPManagement enabled="False" snmp_read_community="" snmp_write_community=""/>
|
|
<!-- Enabled, empty identity, port 9999; see the note above. -->
<FWBDManagement enabled="True" identity="" port="9999"/>
|
|
<PolicyInstallScript arguments="" command="" enabled="False"/>
|
|
</Management>
|
|
<!-- Firewall-wide compiler/options for this firewall (its interfaces are named firewall39:ethN:ip above).
     Security-relevant settings at a glance:
       accept_new_tcp_with_no_syn=True, drop_invalid=False, log_invalid=False,
       firewall_is_part_of_any_and_networks=True, every linux24_* sysctl knob left empty,
       linux24_path_* left empty, use_iptables_restore=False, verify_interfaces=False.
     Each is annotated inline below. -->
<FirewallOptions>
|
|
<Option name="accept_established">True</Option>
|
|
<!-- NOTE(review): as the option name suggests, True lets TCP packets that are not SYN be picked up
     as new connections instead of being treated as INVALID. That weakens stateful filtering and is
     normally wanted only for asymmetric routing or a fail-over partner taking over existing flows;
     confirm it is intentional here. -->
<Option name="accept_new_tcp_with_no_syn">True</Option>
|
|
<Option name="action_on_reject">ICMP host prohibited</Option>
|
|
<Option name="activationCmd"/>
|
|
<Option name="admUser"/>
|
|
<Option name="altAddress"/>
|
|
<Option name="bridging_fw">False</Option>
|
|
<!-- Rule shadowing check is enabled, so the compiler reports rules hidden by earlier ones. -->
<Option name="check_shading">True</Option>
|
|
<Option name="clamp_mss_to_mtu">False</Option>
|
|
<Option name="classify_mark_terminating">False</Option>
|
|
<Option name="cmdline"/>
|
|
<Option name="compiler"/>
|
|
<Option name="configure_interfaces">True</Option>
|
|
<Option name="debug">False</Option>
|
|
<!-- INVALID-state packets are neither dropped here nor logged (log_invalid, further down, is also False). -->
<Option name="drop_invalid">False</Option>
|
|
<Option name="epilog_script"/>
|
|
<Option name="firewall_dir"/>
|
|
<!-- True: "Any" and network objects also match the firewall's own addresses, so every rule above that
     uses Any in Dst reaches the firewall host itself. Policy rule 13 overrides this per rule by setting
     the same-named rule option to False. -->
<Option name="firewall_is_part_of_any_and_networks">True</Option>
|
|
<!-- Presumably rules whose group objects are empty are skipped silently rather than failing compilation. -->
<Option name="ignore_empty_groups">True</Option>
|
|
<Option name="limit_suffix"/>
|
|
<Option name="limit_value">0</Option>
|
|
<!-- linux24_* sysctl options: all left empty, so the generated script does not set rp_filter,
     accept_redirects, accept_source_route, tcp_syncookies, log_martians or the icmp_* settings; the
     host's kernel defaults apply. NOTE(review): for a border firewall these are the usual hardening
     knobs; consider setting them explicitly instead of inheriting whatever the host ships with. -->
<Option name="linux24_accept_redirects"/>
|
|
<Option name="linux24_accept_source_route"/>
|
|
<Option name="linux24_icmp_echo_ignore_all"/>
|
|
<Option name="linux24_icmp_echo_ignore_broadcasts"/>
|
|
<Option name="linux24_icmp_ignore_bogus_error_responses"/>
|
|
<Option name="linux24_ip_dynaddr"/>
|
|
<Option name="linux24_ip_forward"/>
|
|
<Option name="linux24_log_martians"/>
|
|
<!-- linux24_path_*: empty, so binary locations fall back to whatever default the compiler uses
     (presumably a PATH lookup). NOTE(review): a script run as root to load a firewall should reference
     absolute paths for ip, iptables, modprobe, lsmod and logger. -->
<Option name="linux24_path_ip"/>
|
|
<Option name="linux24_path_iptables"/>
|
|
<Option name="linux24_path_logger"/>
|
|
<Option name="linux24_path_lsmod"/>
|
|
<Option name="linux24_path_modprobe"/>
|
|
<Option name="linux24_rp_filter"/>
|
|
<Option name="linux24_tcp_ecn"/>
|
|
<Option name="linux24_tcp_fack"/>
|
|
<Option name="linux24_tcp_fin_timeout">30</Option>
|
|
<Option name="linux24_tcp_keepalive_interval">1800</Option>
|
|
<Option name="linux24_tcp_sack"/>
|
|
<Option name="linux24_tcp_syncookies"/>
|
|
<Option name="linux24_tcp_timestamps"/>
|
|
<Option name="linux24_tcp_window_scaling"/>
|
|
<Option name="load_modules">True</Option>
|
|
<Option name="local_nat">True</Option>
|
|
<!-- Logging: only rules with log="True" are logged (log_all and log_all_dropped are False); INVALID
     packets are not logged; IP/TCP options and TCP sequence numbers are not included in log lines. -->
<Option name="log_all">False</Option>
|
|
<Option name="log_all_dropped">False</Option>
|
|
<Option name="log_invalid">False</Option>
|
|
<Option name="log_ip_opt">False</Option>
|
|
<Option name="log_level">info</Option>
|
|
<!-- The prefix uses the %N and %A placeholders (presumably rule number and action). The literal value
     contains a double hyphen, which cannot be repeated inside an XML comment. -->
<Option name="log_prefix">RULE %N -- %A </Option>
|
|
<Option name="log_tcp_opt">False</Option>
|
|
<Option name="log_tcp_seq">False</Option>
|
|
<Option name="manage_virtual_addr">True</Option>
|
|
<!-- mgmt_ssh=False with an empty mgmt_addr: as the names suggest, no automatic rule permitting SSH from a
     management address is requested, so administrative access must be covered by the policy itself. -->
<Option name="mgmt_addr"/>
|
|
<Option name="mgmt_ssh">False</Option>
|
|
<Option name="no_ipv6_default_policy">False</Option>
|
|
<Option name="no_optimisation">False</Option>
|
|
<Option name="output_file"/>
|
|
<Option name="prolog_place">top</Option>
|
|
<Option name="prolog_script"/>
|
|
<Option name="snmp_contact"/>
|
|
<Option name="snmp_description"/>
|
|
<Option name="snmp_location"/>
|
|
<Option name="sshArgs"/>
|
|
<!-- ulog_* values are present but use_ULOG is False below, so they are presumably unused; logging goes
     through the kernel log at level "info". -->
<Option name="ulog_cprange">0</Option>
|
|
<Option name="ulog_nlgroup">1</Option>
|
|
<Option name="ulog_qthreshold">1</Option>
|
|
<Option name="use_ULOG">False</Option>
|
|
<!-- False: rules are presumably loaded one iptables invocation at a time rather than atomically via
     iptables-restore, leaving a window during activation in which the ruleset is only partially applied. -->
<Option name="use_iptables_restore">False</Option>
|
|
<Option name="use_numeric_log_levels">False</Option>
|
|
<!-- False: the script does not check that eth0/eth1/eth2 exist before loading rules that name them. -->
<Option name="verify_interfaces">False</Option>
|
|
</FirewallOptions>
|
|
</Firewall>
|
|
<Firewall id="id4492FED324380" host_OS="linux24" inactive="False" lastCompiled="1272404504" lastInstalled="1142003872" lastModified="1221325413" platform="iptables" version="1.4.0" name="firewall40" comment="a more complex and realistic combination of Tag and Route rules" ro="False">
|
|
<NAT id="id4492FF2E24380" name="NAT" comment="" ro="False" ipv4_rule_set="False" ipv6_rule_set="False" top_rule_set="True">
|
|
<NATRule id="id4492FF2F24380" disabled="False" group="" position="0" action="Translate" comment="Translate source address for outgoing connections">
|
|
<OSrc neg="False">
|
|
<ObjectRef ref="id3DC75CE7-1"/>
|
|
</OSrc>
|
|
<ODst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ODst>
|
|
<OSrv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</OSrv>
|
|
<TSrc neg="False">
|
|
<ObjectRef ref="id4492FF4E24380"/>
|
|
</TSrc>
|
|
<TDst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</TDst>
|
|
<TSrv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</TSrv>
|
|
<ItfInb neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ItfInb>
|
|
<ItfOutb neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ItfOutb>
|
|
<NATRuleOptions/>
|
|
</NATRule>
|
|
<RuleSetOptions/>
|
|
</NAT>
|
|
<Policy id="id4492FED924380" name="Policy" comment="" ro="False" ipv4_rule_set="False" ipv6_rule_set="False" top_rule_set="True">
|
|
<PolicyRule id="id449328B224380" disabled="False" position="0" direction="Inbound" action="Continue" log="False" comment="" group="">
|
|
<Src neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="id4492FF4E24380"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="action_on_reject"/>
|
|
<Option name="branch_anchor_name"/>
|
|
<Option name="branch_chain_name"/>
|
|
<Option name="classify_str"/>
|
|
<Option name="custom_str"/>
|
|
<Option name="ipf_route_opt_addr"/>
|
|
<Option name="ipf_route_opt_if"/>
|
|
<Option name="ipf_route_option">Route through</Option>
|
|
<Option name="ipfw_classify_method">2</Option>
|
|
<Option name="ipfw_pipe_port_num">0</Option>
|
|
<Option name="ipfw_pipe_queue_num">0</Option>
|
|
<Option name="ipt_continue">False</Option>
|
|
<Option name="ipt_gw"/>
|
|
<Option name="ipt_iif"/>
|
|
<Option name="ipt_mark_connections">True</Option>
|
|
<Option name="ipt_oif"/>
|
|
<Option name="ipt_tee">False</Option>
|
|
<Option name="pf_fastroute">False</Option>
|
|
<Option name="pf_route_opt_addr"/>
|
|
<Option name="pf_route_opt_if"/>
|
|
<Option name="pf_route_option">Route through</Option>
|
|
<Option name="rule_name_accounting"/>
|
|
<Option name="tagobject_id">id449328D824380</Option>
|
|
<Option name="tagging">True</Option>
|
|
<Option name="classification">False</Option>
|
|
<Option name="routing">False</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<PolicyRule id="id449328BF24380" disabled="False" position="1" direction="Inbound" action="Continue" log="False" comment="" group="">
|
|
<Src neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="id4492FF5724380"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="action_on_reject"/>
|
|
<Option name="branch_anchor_name"/>
|
|
<Option name="branch_chain_name"/>
|
|
<Option name="classify_str"/>
|
|
<Option name="custom_str"/>
|
|
<Option name="ipf_route_opt_addr"/>
|
|
<Option name="ipf_route_opt_if"/>
|
|
<Option name="ipf_route_option">Route through</Option>
|
|
<Option name="ipfw_classify_method">2</Option>
|
|
<Option name="ipfw_pipe_port_num">0</Option>
|
|
<Option name="ipfw_pipe_queue_num">0</Option>
|
|
<Option name="ipt_continue">False</Option>
|
|
<Option name="ipt_gw"/>
|
|
<Option name="ipt_iif"/>
|
|
<Option name="ipt_mark_connections">True</Option>
|
|
<Option name="ipt_oif"/>
|
|
<Option name="ipt_tee">False</Option>
|
|
<Option name="pf_fastroute">False</Option>
|
|
<Option name="pf_route_opt_addr"/>
|
|
<Option name="pf_route_opt_if"/>
|
|
<Option name="pf_route_option">Route through</Option>
|
|
<Option name="rule_name_accounting"/>
|
|
<Option name="tagobject_id">id449328D924380</Option>
|
|
<Option name="tagging">True</Option>
|
|
<Option name="classification">False</Option>
|
|
<Option name="routing">False</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<PolicyRule id="id4492FEDA24380" disabled="False" group="" log="False" position="2" action="Accept" direction="Both" comment="This permits access from internal net to the Internet and DMZ">
|
|
<Src neg="False">
|
|
<ObjectRef ref="id3DC75CE7-1"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions/>
|
|
</PolicyRule>
|
|
<PolicyRule id="id449328CC24380" disabled="False" position="3" direction="Both" action="Continue" log="False" comment="" group="">
|
|
<Src neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="id449328D824380"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="action_on_reject"/>
|
|
<Option name="branch_anchor_name"/>
|
|
<Option name="branch_chain_name"/>
|
|
<Option name="classify_str"/>
|
|
<Option name="custom_str"/>
|
|
<Option name="ipf_route_opt_addr"/>
|
|
<Option name="ipf_route_opt_if"/>
|
|
<Option name="ipf_route_option">Route through</Option>
|
|
<Option name="ipfw_classify_method">2</Option>
|
|
<Option name="ipfw_pipe_port_num">0</Option>
|
|
<Option name="ipfw_pipe_queue_num">0</Option>
|
|
<Option name="ipt_continue">True</Option>
|
|
<Option name="ipt_gw"/>
|
|
<Option name="ipt_iif"/>
|
|
<Option name="ipt_mark_connections">False</Option>
|
|
<Option name="ipt_oif">eth0</Option>
|
|
<Option name="ipt_tee">False</Option>
|
|
<Option name="pf_fastroute">False</Option>
|
|
<Option name="pf_route_opt_addr"/>
|
|
<Option name="pf_route_opt_if"/>
|
|
<Option name="pf_route_option">Route through</Option>
|
|
<Option name="rule_name_accounting"/>
|
|
<Option name="stateless">True</Option>
|
|
<Option name="tagging">False</Option>
|
|
<Option name="classification">False</Option>
|
|
<Option name="routing">True</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<PolicyRule id="id449328DB24380" disabled="False" position="4" direction="Both" action="Continue" log="False" comment="" group="">
|
|
<Src neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="id449328D924380"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="action_on_reject"/>
|
|
<Option name="branch_anchor_name"/>
|
|
<Option name="branch_chain_name"/>
|
|
<Option name="classify_str"/>
|
|
<Option name="custom_str"/>
|
|
<Option name="ipf_route_opt_addr"/>
|
|
<Option name="ipf_route_opt_if"/>
|
|
<Option name="ipf_route_option">Route through</Option>
|
|
<Option name="ipfw_classify_method">2</Option>
|
|
<Option name="ipfw_pipe_port_num">0</Option>
|
|
<Option name="ipfw_pipe_queue_num">0</Option>
|
|
<Option name="ipt_continue">True</Option>
|
|
<Option name="ipt_gw"/>
|
|
<Option name="ipt_iif"/>
|
|
<Option name="ipt_mark_connections">False</Option>
|
|
<Option name="ipt_oif">eth2</Option>
|
|
<Option name="ipt_tee">False</Option>
|
|
<Option name="pf_fastroute">False</Option>
|
|
<Option name="pf_route_opt_addr"/>
|
|
<Option name="pf_route_opt_if"/>
|
|
<Option name="pf_route_option">Route through</Option>
|
|
<Option name="rule_name_accounting"/>
|
|
<Option name="stateless">True</Option>
|
|
<Option name="tagging">False</Option>
|
|
<Option name="classification">False</Option>
|
|
<Option name="routing">True</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<PolicyRule id="id4492FF2224380" disabled="False" group="" log="True" position="5" action="Deny" direction="Both" comment="">
|
|
<Src neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="stateless">True</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<PolicyRule id="id37084X26841" disabled="False" position="6" direction="Both" action="Continue" log="True" comment="" group="">
|
|
<Src neg="False">
|
|
<ObjectRef ref="id3DC75CE7-1"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="id3B665641"/>
|
|
<ObjectRef ref="id3B665643"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="action_on_reject"/>
|
|
<Option name="classify_str"/>
|
|
<Option name="custom_str"/>
|
|
<Option name="ipf_route_opt_addr"/>
|
|
<Option name="ipf_route_opt_if"/>
|
|
<Option name="ipf_route_option">route_through</Option>
|
|
<Option name="ipfw_classify_method">2</Option>
|
|
<Option name="ipfw_pipe_port_num">0</Option>
|
|
<Option name="ipfw_pipe_queue_num">0</Option>
|
|
<Option name="ipt_continue">False</Option>
|
|
<Option name="ipt_gw"/>
|
|
<Option name="ipt_iif"/>
|
|
<Option name="ipt_mark_connections">False</Option>
|
|
<Option name="ipt_oif"/>
|
|
<Option name="ipt_tee">False</Option>
|
|
<Option name="pf_fastroute">False</Option>
|
|
<Option name="pf_route_load_option">none</Option>
|
|
<Option name="pf_route_opt_addr"/>
|
|
<Option name="pf_route_opt_if"/>
|
|
<Option name="pf_route_option">route_through</Option>
|
|
<Option name="rule_name_accounting"/>
|
|
<Option name="stateless">False</Option>
|
|
<Option name="tagobject_id">id365999</Option>
|
|
<Option name="tagging">True</Option>
|
|
<Option name="classification">False</Option>
|
|
<Option name="routing">False</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<RuleSetOptions/>
|
|
</Policy>
|
|
<Routing id="id4492FF3D24380" name="Routing" comment="" ro="False" ipv4_rule_set="False" ipv6_rule_set="False" top_rule_set="True">
|
|
<RuleSetOptions/>
|
|
</Routing>
|
|
<Interface id="id4492FF4E24380" dedicated_failover="False" dyn="False" label="" mgmt="False" security_level="0" unnum="False" unprotected="False" name="eth0" comment="" ro="False">
|
|
<IPv4 id="id4492FF5024380" name="firewall40:eth0:ip" comment="This is a test address, change it to your real one" ro="False" address="192.0.2.1" netmask="255.255.255.0"/>
|
|
<InterfaceOptions/>
|
|
</Interface>
|
|
<Interface id="id4492FF5424380" dedicated_failover="False" dyn="False" label="loopback" mgmt="False" security_level="100" unnum="False" unprotected="False" name="lo" comment="" ro="False">
|
|
<IPv4 id="id4492FF5624380" name="firewall40:lo:ip" comment="" ro="False" address="127.0.0.1" netmask="255.0.0.0"/>
|
|
<InterfaceOptions/>
|
|
</Interface>
|
|
<Interface id="id4492FF5724380" dedicated_failover="False" dyn="False" label="" mgmt="False" security_level="0" unnum="False" unprotected="False" name="eth2" comment="" ro="False">
|
|
<IPv4 id="id4492FF5924380" name="firewall40:eth2:ip" comment="" ro="False" address="192.0.100.1" netmask="255.255.255.0"/>
|
|
<InterfaceOptions/>
|
|
</Interface>
|
|
<Interface id="id4492FF6024380" dedicated_failover="False" dyn="False" label="" mgmt="True" security_level="100" unnum="False" unprotected="False" name="eth1" comment="" ro="False">
|
|
<IPv4 id="id4492FF6124380" name="firewall40:eth1:ip" comment="" ro="False" address="192.168.1.1" netmask="255.255.255.0"/>
|
|
<InterfaceOptions/>
|
|
</Interface>
|
|
<Management address="192.168.1.1">
|
|
<SNMPManagement enabled="False" snmp_read_community="" snmp_write_community=""/>
|
|
<FWBDManagement enabled="False" identity="" port="-1"/>
|
|
<PolicyInstallScript arguments="" command="" enabled="False"/>
|
|
</Management>
|
|
<FirewallOptions>
|
|
<Option name="accept_established">True</Option>
|
|
<Option name="accept_new_tcp_with_no_syn">True</Option>
|
|
<Option name="action_on_reject"/>
|
|
<Option name="activationCmd"/>
|
|
<Option name="admUser"/>
|
|
<Option name="altAddress"/>
|
|
<Option name="bridging_fw">False</Option>
|
|
<Option name="check_shading">False</Option>
|
|
<Option name="clamp_mss_to_mtu">True</Option>
|
|
<Option name="classify_mark_terminating">False</Option>
|
|
<Option name="cmdline"/>
|
|
<Option name="compiler"/>
|
|
<Option name="configure_interfaces">True</Option>
|
|
<Option name="debug">False</Option>
|
|
<Option name="drop_invalid">False</Option>
|
|
<Option name="eliminate_duplicates">true</Option>
|
|
<Option name="enable_ipv6">False</Option>
|
|
<Option name="epilog_script"/>
|
|
<Option name="firewall_dir">/etc</Option>
|
|
<Option name="firewall_is_part_of_any_and_networks">True</Option>
|
|
<Option name="freebsd_ip_forward">1</Option>
|
|
<Option name="ignore_empty_groups">False</Option>
|
|
<Option name="in_out_code">true</Option>
|
|
<Option name="ipv4_6_order">ipv4_first</Option>
|
|
<Option name="limit_suffix"/>
|
|
<Option name="limit_value">0</Option>
|
|
<Option name="linux24_ip_forward">1</Option>
|
|
<Option name="load_modules">True</Option>
|
|
<Option name="local_nat">False</Option>
|
|
<Option name="log_all">False</Option>
|
|
<Option name="log_invalid">False</Option>
|
|
<Option name="log_ip_opt">False</Option>
|
|
<Option name="log_level">info</Option>
|
|
<Option name="log_prefix">RULE %N -- %A </Option>
|
|
<Option name="log_tcp_opt">False</Option>
|
|
<Option name="log_tcp_seq">False</Option>
|
|
<Option name="loopback_interface">lo0</Option>
|
|
<Option name="macosx_ip_forward">1</Option>
|
|
<Option name="manage_virtual_addr">True</Option>
|
|
<Option name="mgmt_addr"/>
|
|
<Option name="mgmt_ssh">False</Option>
|
|
<Option name="no_ipv6_default_policy">False</Option>
|
|
<Option name="openbsd_ip_forward">1</Option>
|
|
<Option name="output_file"/>
|
|
<Option name="pass_all_out">false</Option>
|
|
<Option name="pf_limit_frags">5000</Option>
|
|
<Option name="pf_limit_states">10000</Option>
|
|
<Option name="pf_scrub_maxmss">1460</Option>
|
|
<Option name="pf_timeout_frag">30</Option>
|
|
<Option name="pf_timeout_interval">10</Option>
|
|
<Option name="pix_add_clear_statements">true</Option>
|
|
<Option name="pix_assume_fw_part_of_any">true</Option>
|
|
<Option name="pix_default_logint">300</Option>
|
|
<Option name="pix_emblem_log_format">false</Option>
|
|
<Option name="pix_emulate_out_acl">true</Option>
|
|
<Option name="pix_floodguard">true</Option>
|
|
<Option name="pix_include_comments">true</Option>
|
|
<Option name="pix_route_dnat_supported">true</Option>
|
|
<Option name="pix_rule_syslog_settings">false</Option>
|
|
<Option name="pix_security_fragguard_supported">true</Option>
|
|
<Option name="pix_syslog_device_id_supported">false</Option>
|
|
<Option name="pix_use_acl_remarks">true</Option>
|
|
<Option name="prolog_place">top</Option>
|
|
<Option name="prolog_script"/>
|
|
<Option name="prompt1">$ </Option>
|
|
<Option name="prompt2"> # </Option>
|
|
<Option name="solaris_ip_forward">1</Option>
|
|
<Option name="sshArgs"/>
|
|
<Option name="ulog_cprange">0</Option>
|
|
<Option name="ulog_nlgroup">1</Option>
|
|
<Option name="ulog_qthreshold">1</Option>
|
|
<Option name="use_ULOG">False</Option>
|
|
<Option name="use_iptables_restore">False</Option>
|
|
<Option name="use_numeric_log_levels">False</Option>
|
|
<Option name="verify_interfaces">True</Option>
|
|
</FirewallOptions>
|
|
</Firewall>
|
|
<Firewall id="id44EC18128791" host_OS="linux24" inactive="False" lastCompiled="1247364146" lastInstalled="0" lastModified="1263600863" platform="iptables" version="" name="firewall41" comment="testing rule shadowing with run-time objects; rules with such objects should be ignored" ro="False">
|
|
<NAT id="id44EC18168791" name="NAT" comment="" ro="False" ipv4_rule_set="False" ipv6_rule_set="False" top_rule_set="True">
|
|
<RuleSetOptions/>
|
|
</NAT>
|
|
<Policy id="id44EC18158791" name="Policy" comment="" ro="False" ipv4_rule_set="False" ipv6_rule_set="False" top_rule_set="True">
|
|
<PolicyRule id="id44EC181E8791" disabled="False" group="" log="True" position="0" action="Accept" direction="Both" comment="">
|
|
<Src neg="False">
|
|
<ObjectRef ref="id44EC18128791"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="id44EC181D8791"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions/>
|
|
</PolicyRule>
|
|
<PolicyRule id="id44F7056428576" disabled="False" group="" log="True" position="1" action="Accept" direction="Both" comment="">
|
|
<Src neg="False">
|
|
<ObjectRef ref="id44EC18128791"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="id44F7056328576"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions/>
|
|
</PolicyRule>
|
|
<PolicyRule id="id44F707E428576" disabled="False" group="" log="True" position="2" action="Accept" direction="Both" comment="">
|
|
<Src neg="False">
|
|
<ObjectRef ref="id44EC18128791"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="id44F7082928576"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions/>
|
|
</PolicyRule>
|
|
<PolicyRule id="id42683X89554" disabled="False" group="" log="True" position="3" action="Deny" direction="Both" comment="">
|
|
<Src neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="id44F7056328576"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="stateless">True</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<PolicyRule id="id212774X97815" disabled="False" group="" log="True" position="4" action="Accept" direction="Both" comment="testing for bug #1086: when two run-time objects are used in the rule, the compiler adds a blank command that blocks (permits) any to any">
|
|
<Src neg="False">
|
|
<ObjectRef ref="id44EC18128791"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="id44F7056328576"/>
|
|
<ObjectRef ref="id4389EE9118346"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions/>
|
|
</PolicyRule>
|
|
<PolicyRule id="id50115X1683" disabled="False" group="" log="True" position="5" action="Deny" direction="Both" comment="there should be a warning saying the table could not be found">
|
|
<Src neg="False">
|
|
<ObjectRef ref="id44EC18128791"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="id50108X1683"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="stateless">True</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<PolicyRule id="id50145X10982" disabled="False" group="" log="True" position="6" action="Deny" direction="Both" comment="">
|
|
<Src neg="False">
|
|
<ObjectRef ref="id44EC18128791"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="id50136X10982"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="stateless">True</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<RuleSetOptions/>
|
|
</Policy>
|
|
<Routing id="id44EC18178791" name="Routing" comment="" ro="False" ipv4_rule_set="False" ipv6_rule_set="False" top_rule_set="True">
|
|
<RuleSetOptions/>
|
|
</Routing>
|
|
<Interface id="id44EC18188791" dedicated_failover="False" dyn="False" label="ext" security_level="0" unnum="False" unprotected="False" name="eth0" comment="" ro="False">
|
|
<IPv4 id="id44EC18198791" name="firewall41:eth0:ip" comment="" ro="False" address="1.1.1.1" netmask="255.255.255.0"/>
|
|
<InterfaceOptions/>
|
|
</Interface>
|
|
<Interface id="id44EC181A8791" dedicated_failover="False" dyn="False" label="int" security_level="50" unnum="False" unprotected="False" name="eth1" comment="" ro="False">
|
|
<IPv4 id="id44EC181B8791" name="firewall41:eth1:ip" comment="" ro="False" address="2.2.2.2" netmask="255.255.255.0"/>
|
|
<InterfaceOptions/>
|
|
</Interface>
|
|
<Management address="0.0.0.0">
|
|
<SNMPManagement enabled="False" snmp_read_community="" snmp_write_community=""/>
|
|
<FWBDManagement enabled="False" identity="" port="-1"/>
|
|
<PolicyInstallScript arguments="" command="" enabled="False"/>
|
|
</Management>
|
|
<FirewallOptions>
|
|
<Option name="accept_established">true</Option>
|
|
<Option name="accept_new_tcp_with_no_syn">true</Option>
|
|
<Option name="check_shading">true</Option>
|
|
<Option name="configure_interfaces">true</Option>
|
|
<Option name="eliminate_duplicates">true</Option>
|
|
<Option name="firewall_dir">/etc</Option>
|
|
<Option name="firewall_is_part_of_any_and_networks">true</Option>
|
|
<Option name="freebsd_ip_forward">1</Option>
|
|
<Option name="in_out_code">true</Option>
|
|
<Option name="limit_value">0</Option>
|
|
<Option name="linux24_ip_forward">1</Option>
|
|
<Option name="load_modules">true</Option>
|
|
<Option name="local_nat">false</Option>
|
|
<Option name="log_level">info</Option>
|
|
<Option name="log_prefix">RULE %N -- %A </Option>
|
|
<Option name="loopback_interface">lo0</Option>
|
|
<Option name="macosx_ip_forward">1</Option>
|
|
<Option name="manage_virtual_addr">true</Option>
|
|
<Option name="openbsd_ip_forward">1</Option>
|
|
<Option name="pass_all_out">false</Option>
|
|
<Option name="pf_limit_frags">5000</Option>
|
|
<Option name="pf_limit_states">10000</Option>
|
|
<Option name="pf_scrub_maxmss">1460</Option>
|
|
<Option name="pf_timeout_frag">30</Option>
|
|
<Option name="pf_timeout_interval">10</Option>
|
|
<Option name="pix_add_clear_statements">true</Option>
|
|
<Option name="pix_assume_fw_part_of_any">true</Option>
|
|
<Option name="pix_default_logint">300</Option>
|
|
<Option name="pix_emblem_log_format">false</Option>
|
|
<Option name="pix_emulate_out_acl">true</Option>
|
|
<Option name="pix_floodguard">true</Option>
|
|
<Option name="pix_include_comments">true</Option>
|
|
<Option name="pix_route_dnat_supported">true</Option>
|
|
<Option name="pix_rule_syslog_settings">false</Option>
|
|
<Option name="pix_security_fragguard_supported">true</Option>
|
|
<Option name="pix_syslog_device_id_supported">false</Option>
|
|
<Option name="pix_use_acl_remarks">true</Option>
|
|
<Option name="prompt1">$ </Option>
|
|
<Option name="prompt2"> # </Option>
|
|
<Option name="solaris_ip_forward">1</Option>
|
|
<Option name="ulog_nlgroup">1</Option>
|
|
<Option name="verify_interfaces">true</Option>
|
|
</FirewallOptions>
|
|
</Firewall>
|
|
<Firewall id="id4513DEA62143" host_OS="linux24" inactive="False" lastCompiled="1272404594" lastInstalled="0" lastModified="1256245133" platform="iptables" version="" name="test-shadowing-1" comment="testing shadowing detection; the compiler runs with the -xt flag; the firewall is assumed to be part of any" ro="False">
|
|
<NAT id="id4513DEAA2143" name="NAT" comment="" ro="False" ipv4_rule_set="False" ipv6_rule_set="False" top_rule_set="True">
|
|
<RuleSetOptions/>
|
|
</NAT>
|
|
<Policy id="id4513DEA92143" name="Policy" comment="" ro="False" ipv4_rule_set="False" ipv6_rule_set="False" top_rule_set="True">
|
|
<PolicyRule id="id4513DECC2143" disabled="False" group="" log="False" position="0" action="Accept" direction="Outbound" comment="shades rule below">
|
|
<Src neg="False">
|
|
<ObjectRef ref="net-Internal_net"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="id4513DEAC2143"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions/>
|
|
</PolicyRule>
|
|
<PolicyRule id="id4513DEC02143" disabled="False" group="" log="True" position="1" action="Deny" direction="Outbound" comment="">
|
|
<Src neg="False">
|
|
<ObjectRef ref="host-hostA"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="id4513DEAC2143"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="stateless">True</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<PolicyRule id="id4514B3F72143" disabled="False" group="" log="False" position="2" action="Accept" direction="Both" comment="firewall is part of any for this rule">
|
|
<Src neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="tcp-HTTP"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="connlimit_masklen">0</Option>
|
|
<Option name="connlimit_value">0</Option>
|
|
<Option name="firewall_is_part_of_any_and_networks">1</Option>
|
|
<Option name="hashlimit_burst">0</Option>
|
|
<Option name="hashlimit_dstlimit">False</Option>
|
|
<Option name="hashlimit_mode">dstip</Option>
|
|
<Option name="hashlimit_suffix"/>
|
|
<Option name="hashlimit_value">0</Option>
|
|
<Option name="limit_burst">0</Option>
|
|
<Option name="limit_suffix"/>
|
|
<Option name="limit_value">0</Option>
|
|
<Option name="log_level"/>
|
|
<Option name="log_prefix"/>
|
|
<Option name="stateless">False</Option>
|
|
<Option name="ulog_nlgroup">1</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<PolicyRule id="id4514B3E62143" disabled="False" group="" log="False" position="3" action="Deny" direction="Both" comment="">
|
|
<Src neg="False">
|
|
<ObjectRef ref="id4513DEA62143"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="tcp-HTTP"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="stateless">True</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<PolicyRule id="id451488B82143" disabled="False" group="" log="False" position="4" action="Accept" direction="Both" comment="">
|
|
<Src neg="False">
|
|
<ObjectRef ref="net-Internal_net"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="tcp-All_TCP"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="stateless">False</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<PolicyRule id="id4513DEB42143" disabled="False" group="" log="False" position="5" action="Deny" direction="Both" comment="">
|
|
<Src neg="False">
|
|
<ObjectRef ref="net-Internal_net"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="tcp-FTP"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="stateless">True</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<PolicyRule id="id4513DEDA2143" disabled="False" group="" log="False" position="6" action="Accept" direction="Both" comment="">
|
|
<Src neg="False">
|
|
<ObjectRef ref="net-Internal_net"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="udp-All_UDP"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="stateless">False</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<PolicyRule id="id48966X73664" disabled="False" group="" log="False" position="7" action="Deny" direction="Both" comment="">
|
|
<Src neg="False">
|
|
<ObjectRef ref="net-Internal_net"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="udp-ntp"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="stateless">True</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<PolicyRule id="id451509E52143" disabled="False" group="" log="False" position="8" action="Accept" direction="Both" comment="this rule should shadow the rule below it because it uses an IPService object with protocol 0">
|
|
<Src neg="False">
|
|
<ObjectRef ref="net-Internal_net"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="id419D6869"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions/>
|
|
</PolicyRule>
|
|
<PolicyRule id="id451509D42143" disabled="False" group="" log="False" position="9" action="Deny" direction="Both" comment="">
|
|
<Src neg="False">
|
|
<ObjectRef ref="net-Internal_net"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="icmp-ping_reply"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="stateless">True</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<RuleSetOptions/>
|
|
</Policy>
|
|
<Routing id="id4513DEAB2143" name="Routing" comment="" ro="False" ipv4_rule_set="False" ipv6_rule_set="False" top_rule_set="True">
|
|
<RuleSetOptions/>
|
|
</Routing>
|
|
<Interface id="id4513DEAC2143" dedicated_failover="False" dyn="False" label="" security_level="50" unnum="False" unprotected="False" name="eth0" comment="" ro="False">
|
|
<IPv4 id="id4513DEAD2143" name="test-shadowing-1:eth0:ip" comment="" ro="False" address="22.22.22.22" netmask="255.255.255.0"/>
|
|
<InterfaceOptions/>
|
|
</Interface>
|
|
<Interface id="id4513DEAE2143" dedicated_failover="False" dyn="False" label="" security_level="100" unnum="False" unprotected="False" name="eth1" comment="" ro="False">
|
|
<IPv4 id="id4513DEAF2143" name="test-shadowing-1:eth1:ip" comment="" ro="False" address="192.168.1.1" netmask="255.255.255.0"/>
|
|
<InterfaceOptions/>
|
|
</Interface>
|
|
<Interface id="id4513DEB02143" dedicated_failover="False" dyn="False" label="" security_level="100" unnum="False" unprotected="False" name="eth2" comment="" ro="False">
|
|
<IPv4 id="id4513DEB12143" name="test-shadowing-1:eth2:ip" comment="" ro="False" address="192.168.2.1" netmask="255.255.255.0"/>
|
|
<InterfaceOptions/>
|
|
</Interface>
|
|
<Management address="192.168.2.1">
|
|
<SNMPManagement enabled="False" snmp_read_community="" snmp_write_community=""/>
|
|
<FWBDManagement enabled="False" identity="" port="-1"/>
|
|
<PolicyInstallScript arguments="" command="" enabled="False"/>
|
|
</Management>
|
|
<FirewallOptions>
|
|
<Option name="accept_established">True</Option>
|
|
<Option name="accept_new_tcp_with_no_syn">True</Option>
|
|
<Option name="action_on_reject"/>
|
|
<Option name="activationCmd"/>
|
|
<Option name="admUser"/>
|
|
<Option name="altAddress"/>
|
|
<Option name="bridging_fw">False</Option>
|
|
<Option name="check_shading">True</Option>
|
|
<Option name="clamp_mss_to_mtu">False</Option>
|
|
<Option name="cmdline">-xt</Option>
|
|
<Option name="compiler"/>
|
|
<Option name="configure_interfaces">True</Option>
|
|
<Option name="debug">False</Option>
|
|
<Option name="drop_invalid">False</Option>
|
|
<Option name="eliminate_duplicates">true</Option>
|
|
<Option name="epilog_script"/>
|
|
<Option name="firewall_dir">/etc</Option>
|
|
<Option name="firewall_is_part_of_any_and_networks">True</Option>
|
|
<Option name="freebsd_ip_forward">1</Option>
|
|
<Option name="ignore_empty_groups">False</Option>
|
|
<Option name="in_out_code">true</Option>
|
|
<Option name="limit_suffix"/>
|
|
<Option name="limit_value">0</Option>
|
|
<Option name="linux24_ip_forward">1</Option>
|
|
<Option name="load_modules">True</Option>
|
|
<Option name="local_nat">False</Option>
|
|
<Option name="log_all">False</Option>
|
|
<Option name="log_invalid">False</Option>
|
|
<Option name="log_ip_opt">False</Option>
|
|
<Option name="log_level">info</Option>
|
|
<Option name="log_prefix">RULE %N -- %A </Option>
|
|
<Option name="log_tcp_opt">False</Option>
|
|
<Option name="log_tcp_seq">False</Option>
|
|
<Option name="loopback_interface">lo0</Option>
|
|
<Option name="macosx_ip_forward">1</Option>
|
|
<Option name="manage_virtual_addr">True</Option>
|
|
<Option name="mgmt_addr"/>
|
|
<Option name="mgmt_ssh">False</Option>
|
|
<Option name="openbsd_ip_forward">1</Option>
|
|
<Option name="output_file"/>
|
|
<Option name="pass_all_out">false</Option>
|
|
<Option name="pf_limit_frags">5000</Option>
|
|
<Option name="pf_limit_states">10000</Option>
|
|
<Option name="pf_scrub_maxmss">1460</Option>
|
|
<Option name="pf_timeout_frag">30</Option>
|
|
<Option name="pf_timeout_interval">10</Option>
|
|
<Option name="pix_add_clear_statements">true</Option>
|
|
<Option name="pix_assume_fw_part_of_any">true</Option>
|
|
<Option name="pix_default_logint">300</Option>
|
|
<Option name="pix_emblem_log_format">false</Option>
|
|
<Option name="pix_emulate_out_acl">true</Option>
|
|
<Option name="pix_floodguard">true</Option>
|
|
<Option name="pix_include_comments">true</Option>
|
|
<Option name="pix_route_dnat_supported">true</Option>
|
|
<Option name="pix_rule_syslog_settings">false</Option>
|
|
<Option name="pix_security_fragguard_supported">true</Option>
|
|
<Option name="pix_syslog_device_id_supported">false</Option>
|
|
<Option name="pix_use_acl_remarks">true</Option>
|
|
<Option name="prolog_place">top</Option>
|
|
<Option name="prolog_script"/>
|
|
<Option name="prompt1">$ </Option>
|
|
<Option name="prompt2"> # </Option>
|
|
<Option name="solaris_ip_forward">1</Option>
|
|
<Option name="sshArgs"/>
|
|
<Option name="ulog_cprange">0</Option>
|
|
<Option name="ulog_nlgroup">1</Option>
|
|
<Option name="ulog_qthreshold">1</Option>
|
|
<Option name="use_ULOG">False</Option>
|
|
<Option name="use_iptables_restore">False</Option>
|
|
<Option name="use_numeric_log_levels">False</Option>
|
|
<Option name="verify_interfaces">True</Option>
|
|
</FirewallOptions>
|
|
</Firewall>
|
|
<Firewall id="id451488C42143" host_OS="linux24" inactive="False" lastCompiled="1272404596" lastInstalled="0" lastModified="1272160512" platform="iptables" version="" name="test-shadowing-2" comment="testing shadowing detection compiler runs with -xt flag firewall is NOT assumed to be part of any" ro="False">
|
|
<NAT id="id451489072143" name="NAT" comment="" ro="False" ipv4_rule_set="False" ipv6_rule_set="False" top_rule_set="True">
|
|
<RuleSetOptions/>
|
|
</NAT>
|
|
<Policy id="id451488CA2143" name="Policy" comment="" ro="False" ipv4_rule_set="False" ipv6_rule_set="False" top_rule_set="True">
|
|
<PolicyRule id="id451488CB2143" disabled="False" group="" log="False" position="0" action="Accept" direction="Outbound" comment="shades rule below">
|
|
<Src neg="False">
|
|
<ObjectRef ref="net-Internal_net"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="id451489092143"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions/>
|
|
</PolicyRule>
|
|
<PolicyRule id="id451488D72143" disabled="False" group="" log="False" position="1" action="Deny" direction="Outbound" comment="">
|
|
<Src neg="False">
|
|
<ObjectRef ref="host-hostA"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="id451489092143"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="stateless">True</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<PolicyRule id="id451488E32143" disabled="False" group="" log="False" position="2" action="Accept" direction="Both" comment="firewall is part of any for this rule">
|
|
<Src neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="tcp-HTTP"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="connlimit_masklen">0</Option>
|
|
<Option name="connlimit_value">0</Option>
|
|
<Option name="firewall_is_part_of_any_and_networks">1</Option>
|
|
<Option name="hashlimit_burst">0</Option>
|
|
<Option name="hashlimit_dstlimit">False</Option>
|
|
<Option name="hashlimit_mode">dstip</Option>
|
|
<Option name="hashlimit_suffix"/>
|
|
<Option name="hashlimit_value">0</Option>
|
|
<Option name="limit_burst">0</Option>
|
|
<Option name="limit_suffix"/>
|
|
<Option name="limit_value">0</Option>
|
|
<Option name="log_level"/>
|
|
<Option name="log_prefix"/>
|
|
<Option name="stateless">False</Option>
|
|
<Option name="ulog_nlgroup">1</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<PolicyRule id="id451488EF2143" disabled="False" group="" log="False" position="3" action="Deny" direction="Both" comment="">
|
|
<Src neg="False">
|
|
<ObjectRef ref="id451488C42143"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="tcp-HTTP"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="stateless">True</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<PolicyRule id="id45150A072143" disabled="False" group="" log="False" position="4" action="Accept" direction="Both" comment="this rule should shadow rule below it because it uses IPService object with protocol 0">
|
|
<Src neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="id419D6869"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions/>
|
|
</PolicyRule>
|
|
<PolicyRule id="id451509F62143" disabled="False" group="" log="False" position="5" action="Deny" direction="Both" comment="">
|
|
<Src neg="False">
|
|
<ObjectRef ref="net-Internal_net"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="tcp-IRC"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="stateless">True</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<PolicyRule id="id451488FB2143" disabled="False" group="" log="True" position="6" action="Deny" direction="Both" comment="">
|
|
<Src neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="stateless">True</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<RuleSetOptions/>
|
|
</Policy>
|
|
<Routing id="id451489082143" name="Routing" comment="" ro="False" ipv4_rule_set="False" ipv6_rule_set="False" top_rule_set="True">
|
|
<RuleSetOptions/>
|
|
</Routing>
|
|
<Interface id="id451489092143" dedicated_failover="False" dyn="False" label="" security_level="50" unnum="False" unprotected="False" name="eth0" comment="" ro="False">
|
|
<IPv4 id="id4514890B2143" name="test-shadowing-2:eth0:ip" comment="" ro="False" address="22.22.22.22" netmask="255.255.255.0"/>
|
|
<InterfaceOptions/>
|
|
</Interface>
|
|
<Interface id="id4514890C2143" dedicated_failover="False" dyn="False" label="" security_level="100" unnum="False" unprotected="False" name="eth1" comment="" ro="False">
|
|
<IPv4 id="id4514890E2143" name="test-shadowing-2:eth1:ip" comment="" ro="False" address="192.168.1.1" netmask="255.255.255.0"/>
|
|
<InterfaceOptions/>
|
|
</Interface>
|
|
<Interface id="id4514890F2143" dedicated_failover="False" dyn="False" label="" security_level="100" unnum="False" unprotected="False" name="eth2" comment="" ro="False">
|
|
<IPv4 id="id451489112143" name="test-shadowing-2:eth2:ip" comment="" ro="False" address="192.168.2.1" netmask="255.255.255.0"/>
|
|
<InterfaceOptions/>
|
|
</Interface>
|
|
<Management address="192.168.2.1">
|
|
<SNMPManagement enabled="False" snmp_read_community="" snmp_write_community=""/>
|
|
<FWBDManagement enabled="False" identity="" port="-1"/>
|
|
<PolicyInstallScript arguments="" command="" enabled="False"/>
|
|
</Management>
|
|
<FirewallOptions>
|
|
<Option name="accept_established">True</Option>
|
|
<Option name="accept_new_tcp_with_no_syn">True</Option>
|
|
<Option name="action_on_reject"/>
|
|
<Option name="activationCmd"/>
|
|
<Option name="admUser"/>
|
|
<Option name="altAddress"/>
|
|
<Option name="bridging_fw">False</Option>
|
|
<Option name="check_shading">True</Option>
|
|
<Option name="clamp_mss_to_mtu">False</Option>
|
|
<Option name="cmdline">-xt</Option>
|
|
<Option name="compiler"/>
|
|
<Option name="configure_interfaces">True</Option>
|
|
<Option name="debug">False</Option>
|
|
<Option name="drop_invalid">False</Option>
|
|
<Option name="eliminate_duplicates">true</Option>
|
|
<Option name="epilog_script"/>
|
|
<Option name="firewall_dir">/etc</Option>
|
|
<Option name="firewall_is_part_of_any_and_networks">False</Option>
|
|
<Option name="freebsd_ip_forward">1</Option>
|
|
<Option name="ignore_empty_groups">False</Option>
|
|
<Option name="in_out_code">true</Option>
|
|
<Option name="limit_suffix"/>
|
|
<Option name="limit_value">0</Option>
|
|
<Option name="linux24_ip_forward">1</Option>
|
|
<Option name="load_modules">True</Option>
|
|
<Option name="local_nat">False</Option>
|
|
<Option name="log_all">False</Option>
|
|
<Option name="log_invalid">False</Option>
|
|
<Option name="log_ip_opt">False</Option>
|
|
<Option name="log_level">info</Option>
|
|
<Option name="log_prefix">RULE %N -- %A </Option>
|
|
<Option name="log_tcp_opt">False</Option>
|
|
<Option name="log_tcp_seq">False</Option>
|
|
<Option name="loopback_interface">lo0</Option>
|
|
<Option name="macosx_ip_forward">1</Option>
|
|
<Option name="manage_virtual_addr">True</Option>
|
|
<Option name="mgmt_addr"/>
|
|
<Option name="mgmt_ssh">False</Option>
|
|
<Option name="openbsd_ip_forward">1</Option>
|
|
<Option name="output_file"/>
|
|
<Option name="pass_all_out">false</Option>
|
|
<Option name="pf_limit_frags">5000</Option>
|
|
<Option name="pf_limit_states">10000</Option>
|
|
<Option name="pf_scrub_maxmss">1460</Option>
|
|
<Option name="pf_timeout_frag">30</Option>
|
|
<Option name="pf_timeout_interval">10</Option>
|
|
<Option name="pix_add_clear_statements">true</Option>
|
|
<Option name="pix_assume_fw_part_of_any">true</Option>
|
|
<Option name="pix_default_logint">300</Option>
|
|
<Option name="pix_emblem_log_format">false</Option>
|
|
<Option name="pix_emulate_out_acl">true</Option>
|
|
<Option name="pix_floodguard">true</Option>
|
|
<Option name="pix_include_comments">true</Option>
|
|
<Option name="pix_route_dnat_supported">true</Option>
|
|
<Option name="pix_rule_syslog_settings">false</Option>
|
|
<Option name="pix_security_fragguard_supported">true</Option>
|
|
<Option name="pix_syslog_device_id_supported">false</Option>
|
|
<Option name="pix_use_acl_remarks">true</Option>
|
|
<Option name="prolog_place">top</Option>
|
|
<Option name="prolog_script"/>
|
|
<Option name="prompt1">$ </Option>
|
|
<Option name="prompt2"> # </Option>
|
|
<Option name="solaris_ip_forward">1</Option>
|
|
<Option name="sshArgs"/>
|
|
<Option name="ulog_cprange">0</Option>
|
|
<Option name="ulog_nlgroup">1</Option>
|
|
<Option name="ulog_qthreshold">1</Option>
|
|
<Option name="use_ULOG">False</Option>
|
|
<Option name="use_iptables_restore">False</Option>
|
|
<Option name="use_numeric_log_levels">False</Option>
|
|
<Option name="verify_interfaces">True</Option>
|
|
</FirewallOptions>
|
|
</Firewall>
|
|
<Firewall id="id45AB5A2C25451" host_OS="linux24" inactive="False" lastCompiled="1272404483" lastInstalled="1142003872" lastModified="1221325256" platform="iptables" version="" name="firewall37-1" comment="testing TAG and CLASSIFY rules same as firewall37 except rules are made to be terminating" ro="False">
|
|
<NAT id="id45AB5C5225451" name="NAT" comment="" ro="False" ipv4_rule_set="False" ipv6_rule_set="False" top_rule_set="True">
|
|
<NATRule id="id45AB5C5325451" disabled="False" group="" position="0" action="Translate" comment="">
|
|
<OSrc neg="False">
|
|
<ObjectRef ref="id45AB5A2C25451"/>
|
|
<ObjectRef ref="net-Internal_net"/>
|
|
</OSrc>
|
|
<ODst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ODst>
|
|
<OSrv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</OSrv>
|
|
<TSrc neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</TSrc>
|
|
<TDst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</TDst>
|
|
<TSrv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</TSrv>
|
|
<ItfInb neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ItfInb>
|
|
<ItfOutb neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ItfOutb>
|
|
<NATRuleOptions/>
|
|
</NATRule>
|
|
<RuleSetOptions/>
|
|
</NAT>
|
|
<Policy id="id45AB5A3225451" name="Policy" comment="" ro="False" ipv4_rule_set="False" ipv6_rule_set="False" top_rule_set="True">
|
|
<PolicyRule id="id45AB5AAD25451" disabled="False" position="0" direction="Both" action="Accept" log="False" comment="terminating target" group="">
|
|
<Src neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="id3CB1279B"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="action_on_reject"/>
|
|
<Option name="classify_str"/>
|
|
<Option name="classify_terminating_target">False</Option>
|
|
<Option name="color">#C0BA44</Option>
|
|
<Option name="custom_str"/>
|
|
<Option name="ipf_route_opt_addr"/>
|
|
<Option name="ipf_route_opt_if"/>
|
|
<Option name="ipf_route_option">route_through</Option>
|
|
<Option name="ipfw_classify_method">2</Option>
|
|
<Option name="ipfw_pipe_port_num">0</Option>
|
|
<Option name="ipfw_pipe_queue_num">0</Option>
|
|
<Option name="ipt_continue">False</Option>
|
|
<Option name="ipt_gw"/>
|
|
<Option name="ipt_iif"/>
|
|
<Option name="ipt_mark_connections">False</Option>
|
|
<Option name="ipt_mark_prerouting">False</Option>
|
|
<Option name="ipt_oif"/>
|
|
<Option name="ipt_tee">False</Option>
|
|
<Option name="pf_fastroute">False</Option>
|
|
<Option name="pf_route_opt_addr"/>
|
|
<Option name="pf_route_opt_if"/>
|
|
<Option name="pf_route_option">route_through</Option>
|
|
<Option name="rule_name_accounting"/>
|
|
<Option name="tag_terminating_target">True</Option>
|
|
<Option name="tagobject_id">id43EC877332486</Option>
|
|
<Option name="tagging">True</Option>
|
|
<Option name="classification">False</Option>
|
|
<Option name="routing">False</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<PolicyRule id="id45AB5AB925451" disabled="False" position="1" direction="Both" action="Accept" log="True" comment="terminating target" group="">
|
|
<Src neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="id3CB1279B"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="action_on_reject"/>
|
|
<Option name="classify_str"/>
|
|
<Option name="classify_terminating_target">False</Option>
|
|
<Option name="color">#C0BA44</Option>
|
|
<Option name="custom_str"/>
|
|
<Option name="ipf_route_opt_addr"/>
|
|
<Option name="ipf_route_opt_if"/>
|
|
<Option name="ipf_route_option">route_through</Option>
|
|
<Option name="ipfw_classify_method">2</Option>
|
|
<Option name="ipfw_pipe_port_num">0</Option>
|
|
<Option name="ipfw_pipe_queue_num">0</Option>
|
|
<Option name="ipt_continue">False</Option>
|
|
<Option name="ipt_gw"/>
|
|
<Option name="ipt_iif"/>
|
|
<Option name="ipt_mark_connections">False</Option>
|
|
<Option name="ipt_mark_prerouting">False</Option>
|
|
<Option name="ipt_oif"/>
|
|
<Option name="ipt_tee">False</Option>
|
|
<Option name="pf_fastroute">False</Option>
|
|
<Option name="pf_route_opt_addr"/>
|
|
<Option name="pf_route_opt_if"/>
|
|
<Option name="pf_route_option">route_through</Option>
|
|
<Option name="rule_name_accounting"/>
|
|
<Option name="tag_terminating_target">True</Option>
|
|
<Option name="tagobject_id">id43EC877332486</Option>
|
|
<Option name="tagging">True</Option>
|
|
<Option name="classification">False</Option>
|
|
<Option name="routing">False</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<PolicyRule id="id45AB5AC525451" disabled="False" position="2" direction="Both" action="Accept" log="True" comment="terminating target" group="">
|
|
<Src neg="True">
|
|
<ObjectRef ref="net-Internal_net"/>
|
|
<ObjectRef ref="id3B022266"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="id3CB1279B"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="action_on_reject"/>
|
|
<Option name="classify_str"/>
|
|
<Option name="classify_terminating_target">False</Option>
|
|
<Option name="color">#C0BA44</Option>
|
|
<Option name="custom_str"/>
|
|
<Option name="ipf_route_opt_addr"/>
|
|
<Option name="ipf_route_opt_if"/>
|
|
<Option name="ipf_route_option">route_through</Option>
|
|
<Option name="ipfw_classify_method">2</Option>
|
|
<Option name="ipfw_pipe_port_num">0</Option>
|
|
<Option name="ipfw_pipe_queue_num">0</Option>
|
|
<Option name="ipt_continue">False</Option>
|
|
<Option name="ipt_gw"/>
|
|
<Option name="ipt_iif"/>
|
|
<Option name="ipt_mark_connections">False</Option>
|
|
<Option name="ipt_mark_prerouting">False</Option>
|
|
<Option name="ipt_oif"/>
|
|
<Option name="ipt_tee">False</Option>
|
|
<Option name="pf_fastroute">False</Option>
|
|
<Option name="pf_route_opt_addr"/>
|
|
<Option name="pf_route_opt_if"/>
|
|
<Option name="pf_route_option">route_through</Option>
|
|
<Option name="rule_name_accounting"/>
|
|
<Option name="tag_terminating_target">True</Option>
|
|
<Option name="tagobject_id">id43EC877332486</Option>
|
|
<Option name="tagging">True</Option>
|
|
<Option name="classification">False</Option>
|
|
<Option name="routing">False</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<PolicyRule id="id45AB5AD225451" disabled="False" position="3" direction="Inbound" action="Accept" log="False" comment="terminating target" group="">
|
|
<Src neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="id3CB1279B"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="id45AB5C6625451"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="action_on_reject"/>
|
|
<Option name="classify_str"/>
|
|
<Option name="classify_terminating_target">False</Option>
|
|
<Option name="color">#C0BA44</Option>
|
|
<Option name="custom_str"/>
|
|
<Option name="ipf_route_opt_addr"/>
|
|
<Option name="ipf_route_opt_if"/>
|
|
<Option name="ipf_route_option">route_through</Option>
|
|
<Option name="ipfw_classify_method">2</Option>
|
|
<Option name="ipfw_pipe_port_num">0</Option>
|
|
<Option name="ipfw_pipe_queue_num">0</Option>
|
|
<Option name="ipt_continue">False</Option>
|
|
<Option name="ipt_gw"/>
|
|
<Option name="ipt_iif"/>
|
|
<Option name="ipt_mark_connections">False</Option>
|
|
<Option name="ipt_mark_prerouting">False</Option>
|
|
<Option name="ipt_oif"/>
|
|
<Option name="ipt_tee">False</Option>
|
|
<Option name="pf_fastroute">False</Option>
|
|
<Option name="pf_route_opt_addr"/>
|
|
<Option name="pf_route_opt_if"/>
|
|
<Option name="pf_route_option">route_through</Option>
|
|
<Option name="rule_name_accounting"/>
|
|
<Option name="tag_terminating_target">True</Option>
|
|
<Option name="tagobject_id">id43EC877332486</Option>
|
|
<Option name="tagging">True</Option>
|
|
<Option name="classification">False</Option>
|
|
<Option name="routing">False</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<PolicyRule id="id45AB5ADE25451" disabled="False" position="4" direction="Outbound" action="Accept" log="False" comment="terminating target" group="">
|
|
<Src neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="id3CB1279B"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="id45AB5C6625451"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="action_on_reject"/>
|
|
<Option name="classify_str"/>
|
|
<Option name="classify_terminating_target">False</Option>
|
|
<Option name="color">#C0BA44</Option>
|
|
<Option name="custom_str"/>
|
|
<Option name="ipf_route_opt_addr"/>
|
|
<Option name="ipf_route_opt_if"/>
|
|
<Option name="ipf_route_option">route_through</Option>
|
|
<Option name="ipfw_classify_method">2</Option>
|
|
<Option name="ipfw_pipe_port_num">0</Option>
|
|
<Option name="ipfw_pipe_queue_num">0</Option>
|
|
<Option name="ipt_continue">False</Option>
|
|
<Option name="ipt_gw"/>
|
|
<Option name="ipt_iif"/>
|
|
<Option name="ipt_mark_connections">False</Option>
|
|
<Option name="ipt_mark_prerouting">False</Option>
|
|
<Option name="ipt_oif"/>
|
|
<Option name="ipt_tee">False</Option>
|
|
<Option name="pf_fastroute">False</Option>
|
|
<Option name="pf_route_opt_addr"/>
|
|
<Option name="pf_route_opt_if"/>
|
|
<Option name="pf_route_option">route_through</Option>
|
|
<Option name="rule_name_accounting"/>
|
|
<Option name="tag_terminating_target">True</Option>
|
|
<Option name="tagobject_id">id43EC877332486</Option>
|
|
<Option name="tagging">True</Option>
|
|
<Option name="classification">False</Option>
|
|
<Option name="routing">False</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<PolicyRule id="id45AB5AEA25451" disabled="False" position="5" direction="Both" action="Accept" log="False" comment="terminating and CONNMARK" group="">
|
|
<Src neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="id3CB1279B"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="action_on_reject"/>
|
|
<Option name="classify_str"/>
|
|
<Option name="classify_terminating_target">False</Option>
|
|
<Option name="color">#C0C0C0</Option>
|
|
<Option name="custom_str"/>
|
|
<Option name="ipf_route_opt_addr"/>
|
|
<Option name="ipf_route_opt_if"/>
|
|
<Option name="ipf_route_option">route_through</Option>
|
|
<Option name="ipfw_classify_method">2</Option>
|
|
<Option name="ipfw_pipe_port_num">0</Option>
|
|
<Option name="ipfw_pipe_queue_num">0</Option>
|
|
<Option name="ipt_continue">False</Option>
|
|
<Option name="ipt_gw"/>
|
|
<Option name="ipt_iif"/>
|
|
<Option name="ipt_mark_connections">True</Option>
|
|
<Option name="ipt_mark_prerouting">False</Option>
|
|
<Option name="ipt_oif"/>
|
|
<Option name="ipt_tee">False</Option>
|
|
<Option name="pf_fastroute">False</Option>
|
|
<Option name="pf_route_opt_addr"/>
|
|
<Option name="pf_route_opt_if"/>
|
|
<Option name="pf_route_option">route_through</Option>
|
|
<Option name="rule_name_accounting"/>
|
|
<Option name="tag_terminating_target">True</Option>
|
|
<Option name="tagobject_id">id342984</Option>
|
|
<Option name="tagging">True</Option>
|
|
<Option name="classification">False</Option>
|
|
<Option name="routing">False</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<PolicyRule id="id45AB5AF625451" disabled="False" position="6" direction="Both" action="Accept" log="True" comment="terminating and CONNMARK" group="">
|
|
<Src neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="id3CB1279B"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="action_on_reject"/>
|
|
<Option name="classify_str"/>
|
|
<Option name="classify_terminating_target">False</Option>
|
|
<Option name="color">#C0C0C0</Option>
|
|
<Option name="custom_str"/>
|
|
<Option name="ipf_route_opt_addr"/>
|
|
<Option name="ipf_route_opt_if"/>
|
|
<Option name="ipf_route_option">route_through</Option>
|
|
<Option name="ipfw_classify_method">2</Option>
|
|
<Option name="ipfw_pipe_port_num">0</Option>
|
|
<Option name="ipfw_pipe_queue_num">0</Option>
|
|
<Option name="ipt_continue">False</Option>
|
|
<Option name="ipt_gw"/>
|
|
<Option name="ipt_iif"/>
|
|
<Option name="ipt_mark_connections">True</Option>
|
|
<Option name="ipt_mark_prerouting">False</Option>
|
|
<Option name="ipt_oif"/>
|
|
<Option name="ipt_tee">False</Option>
|
|
<Option name="pf_fastroute">False</Option>
|
|
<Option name="pf_route_opt_addr"/>
|
|
<Option name="pf_route_opt_if"/>
|
|
<Option name="pf_route_option">route_through</Option>
|
|
<Option name="rule_name_accounting"/>
|
|
<Option name="tag_terminating_target">True</Option>
|
|
<Option name="tagobject_id">id342984</Option>
|
|
<Option name="tagging">True</Option>
|
|
<Option name="classification">False</Option>
|
|
<Option name="routing">False</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<PolicyRule id="id45AB5B0225451" disabled="False" position="7" direction="Both" action="Accept" log="True" comment="terminating and CONNMARK" group="">
|
|
<Src neg="True">
|
|
<ObjectRef ref="net-Internal_net"/>
|
|
<ObjectRef ref="id3B022266"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="id3CB1279B"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="action_on_reject"/>
|
|
<Option name="classify_str"/>
|
|
<Option name="classify_terminating_target">False</Option>
|
|
<Option name="color">#C0C0C0</Option>
|
|
<Option name="custom_str"/>
|
|
<Option name="ipf_route_opt_addr"/>
|
|
<Option name="ipf_route_opt_if"/>
|
|
<Option name="ipf_route_option">route_through</Option>
|
|
<Option name="ipfw_classify_method">2</Option>
|
|
<Option name="ipfw_pipe_port_num">0</Option>
|
|
<Option name="ipfw_pipe_queue_num">0</Option>
|
|
<Option name="ipt_continue">False</Option>
|
|
<Option name="ipt_gw"/>
|
|
<Option name="ipt_iif"/>
|
|
<Option name="ipt_mark_connections">True</Option>
|
|
<Option name="ipt_mark_prerouting">False</Option>
|
|
<Option name="ipt_oif"/>
|
|
<Option name="ipt_tee">False</Option>
|
|
<Option name="pf_fastroute">False</Option>
|
|
<Option name="pf_route_opt_addr"/>
|
|
<Option name="pf_route_opt_if"/>
|
|
<Option name="pf_route_option">route_through</Option>
|
|
<Option name="rule_name_accounting"/>
|
|
<Option name="tag_terminating_target">True</Option>
|
|
<Option name="tagobject_id">id342984</Option>
|
|
<Option name="tagging">True</Option>
|
|
<Option name="classification">False</Option>
|
|
<Option name="routing">False</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<PolicyRule id="id45AB5B0F25451" disabled="False" position="8" direction="Inbound" action="Accept" log="False" comment="terminating and CONNMARK" group="">
|
|
<Src neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="id3CB1279B"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="id45AB5C6625451"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="action_on_reject"/>
|
|
<Option name="classify_str"/>
|
|
<Option name="classify_terminating_target">False</Option>
|
|
<Option name="color">#C0C0C0</Option>
|
|
<Option name="custom_str"/>
|
|
<Option name="ipf_route_opt_addr"/>
|
|
<Option name="ipf_route_opt_if"/>
|
|
<Option name="ipf_route_option">route_through</Option>
|
|
<Option name="ipfw_classify_method">2</Option>
|
|
<Option name="ipfw_pipe_port_num">0</Option>
|
|
<Option name="ipfw_pipe_queue_num">0</Option>
|
|
<Option name="ipt_continue">False</Option>
|
|
<Option name="ipt_gw"/>
|
|
<Option name="ipt_iif"/>
|
|
<Option name="ipt_mark_connections">True</Option>
|
|
<Option name="ipt_mark_prerouting">False</Option>
|
|
<Option name="ipt_oif"/>
|
|
<Option name="ipt_tee">False</Option>
|
|
<Option name="pf_fastroute">False</Option>
|
|
<Option name="pf_route_opt_addr"/>
|
|
<Option name="pf_route_opt_if"/>
|
|
<Option name="pf_route_option">route_through</Option>
|
|
<Option name="rule_name_accounting"/>
|
|
<Option name="tag_terminating_target">True</Option>
|
|
<Option name="tagobject_id">id365999</Option>
|
|
<Option name="tagging">True</Option>
|
|
<Option name="classification">False</Option>
|
|
<Option name="routing">False</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<PolicyRule id="id45AB5B1B25451" disabled="False" position="9" direction="Outbound" action="Accept" log="False" comment="terminating and CONNMARK" group="">
|
|
<Src neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="id3CB1279B"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="id45AB5C6625451"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="action_on_reject"/>
|
|
<Option name="classify_str"/>
|
|
<Option name="classify_terminating_target">False</Option>
|
|
<Option name="color">#C0C0C0</Option>
|
|
<Option name="custom_str"/>
|
|
<Option name="ipf_route_opt_addr"/>
|
|
<Option name="ipf_route_opt_if"/>
|
|
<Option name="ipf_route_option">route_through</Option>
|
|
<Option name="ipfw_classify_method">2</Option>
|
|
<Option name="ipfw_pipe_port_num">0</Option>
|
|
<Option name="ipfw_pipe_queue_num">0</Option>
|
|
<Option name="ipt_continue">False</Option>
|
|
<Option name="ipt_gw"/>
|
|
<Option name="ipt_iif"/>
|
|
<Option name="ipt_mark_connections">True</Option>
|
|
<Option name="ipt_mark_prerouting">False</Option>
|
|
<Option name="ipt_oif"/>
|
|
<Option name="ipt_tee">False</Option>
|
|
<Option name="pf_fastroute">False</Option>
|
|
<Option name="pf_route_opt_addr"/>
|
|
<Option name="pf_route_opt_if"/>
|
|
<Option name="pf_route_option">route_through</Option>
|
|
<Option name="rule_name_accounting"/>
|
|
<Option name="tag_terminating_target">True</Option>
|
|
<Option name="tagobject_id">id366232</Option>
|
|
<Option name="tagging">True</Option>
|
|
<Option name="classification">False</Option>
|
|
<Option name="routing">False</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<PolicyRule id="id45AB5B2725451" disabled="False" group="" log="False" position="10" action="Pipe" direction="Both" comment="">
|
|
<Src neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="id3D151943"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="tcp-HTTP"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="stateless">True</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<PolicyRule id="id45AB5B9525451" disabled="False" position="11" direction="Both" action="Accept" log="False" comment="testing for bug #1618381: this rule, and the next one, should place the CLASSIFY rule in a separate chain and pass control to it using -g" group="">
|
|
<Src neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="icmp-Unreachables"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="action_on_reject"/>
|
|
<Option name="classify_str">1:10</Option>
|
|
<Option name="classify_terminating_target">True</Option>
|
|
<Option name="color">#C0BA44</Option>
|
|
<Option name="custom_str"/>
|
|
<Option name="ipf_route_opt_addr"/>
|
|
<Option name="ipf_route_opt_if"/>
|
|
<Option name="ipf_route_option">route_through</Option>
|
|
<Option name="ipfw_classify_method">2</Option>
|
|
<Option name="ipfw_pipe_port_num">0</Option>
|
|
<Option name="ipfw_pipe_queue_num">0</Option>
|
|
<Option name="ipt_continue">False</Option>
|
|
<Option name="ipt_gw"/>
|
|
<Option name="ipt_iif"/>
|
|
<Option name="ipt_mark_connections">False</Option>
|
|
<Option name="ipt_mark_prerouting">False</Option>
|
|
<Option name="ipt_oif"/>
|
|
<Option name="ipt_tee">False</Option>
|
|
<Option name="pf_fastroute">False</Option>
|
|
<Option name="pf_route_opt_addr"/>
|
|
<Option name="pf_route_opt_if"/>
|
|
<Option name="pf_route_option">route_through</Option>
|
|
<Option name="rule_name_accounting"/>
|
|
<Option name="stateless">True</Option>
|
|
<Option name="tag_terminating_target">False</Option>
|
|
<Option name="tagging">False</Option>
|
|
<Option name="classification">True</Option>
|
|
<Option name="routing">False</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<PolicyRule id="id45AB5BA125451" disabled="False" position="12" direction="Both" action="Accept" log="False" comment="second rule for bug #1618381" group="">
|
|
<Src neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="id45AB5C6325451"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="action_on_reject"/>
|
|
<Option name="classify_str">1:11</Option>
|
|
<Option name="classify_terminating_target">True</Option>
|
|
<Option name="color">#C0BA44</Option>
|
|
<Option name="custom_str"/>
|
|
<Option name="ipf_route_opt_addr"/>
|
|
<Option name="ipf_route_opt_if"/>
|
|
<Option name="ipf_route_option">route_through</Option>
|
|
<Option name="ipfw_classify_method">2</Option>
|
|
<Option name="ipfw_pipe_port_num">0</Option>
|
|
<Option name="ipfw_pipe_queue_num">0</Option>
|
|
<Option name="ipt_continue">False</Option>
|
|
<Option name="ipt_gw"/>
|
|
<Option name="ipt_iif"/>
|
|
<Option name="ipt_mark_connections">False</Option>
|
|
<Option name="ipt_mark_prerouting">False</Option>
|
|
<Option name="ipt_oif"/>
|
|
<Option name="ipt_tee">False</Option>
|
|
<Option name="pf_fastroute">False</Option>
|
|
<Option name="pf_route_opt_addr"/>
|
|
<Option name="pf_route_opt_if"/>
|
|
<Option name="pf_route_option">route_through</Option>
|
|
<Option name="rule_name_accounting"/>
|
|
<Option name="stateless">True</Option>
|
|
<Option name="tag_terminating_target">False</Option>
|
|
<Option name="tagging">False</Option>
|
|
<Option name="classification">True</Option>
|
|
<Option name="routing">False</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<PolicyRule id="id45AB5BAD25451" disabled="False" position="13" direction="Both" action="Accept" log="False" comment="testing for bug #1618381" group="">
|
|
<Src neg="True">
|
|
<ObjectRef ref="net-Internal_net"/>
|
|
<ObjectRef ref="id3B022266"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="icmp-Unreachables"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="action_on_reject"/>
|
|
<Option name="classify_str">1:10</Option>
|
|
<Option name="classify_terminating_target">True</Option>
|
|
<Option name="color">#C0BA44</Option>
|
|
<Option name="custom_str"/>
|
|
<Option name="ipf_route_opt_addr"/>
|
|
<Option name="ipf_route_opt_if"/>
|
|
<Option name="ipf_route_option">route_through</Option>
|
|
<Option name="ipfw_classify_method">2</Option>
|
|
<Option name="ipfw_pipe_port_num">0</Option>
|
|
<Option name="ipfw_pipe_queue_num">0</Option>
|
|
<Option name="ipt_continue">False</Option>
|
|
<Option name="ipt_gw"/>
|
|
<Option name="ipt_iif"/>
|
|
<Option name="ipt_mark_connections">False</Option>
|
|
<Option name="ipt_mark_prerouting">False</Option>
|
|
<Option name="ipt_oif"/>
|
|
<Option name="ipt_tee">False</Option>
|
|
<Option name="pf_fastroute">False</Option>
|
|
<Option name="pf_route_opt_addr"/>
|
|
<Option name="pf_route_opt_if"/>
|
|
<Option name="pf_route_option">route_through</Option>
|
|
<Option name="rule_name_accounting"/>
|
|
<Option name="stateless">True</Option>
|
|
<Option name="tag_terminating_target">False</Option>
|
|
<Option name="tagging">False</Option>
|
|
<Option name="classification">True</Option>
|
|
<Option name="routing">False</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<PolicyRule id="id45AB5BBA25451" disabled="False" position="14" direction="Both" action="Accept" log="False" comment="testing for bug #1618381" group="">
|
|
<Src neg="True">
|
|
<ObjectRef ref="net-Internal_net"/>
|
|
<ObjectRef ref="id3B022266"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="icmp-Unreachables"/>
|
|
<ServiceRef ref="tcp-HTTP"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="action_on_reject"/>
|
|
<Option name="classify_str">1:10</Option>
|
|
<Option name="classify_terminating_target">True</Option>
|
|
<Option name="color">#C0BA44</Option>
|
|
<Option name="custom_str"/>
|
|
<Option name="ipf_route_opt_addr"/>
|
|
<Option name="ipf_route_opt_if"/>
|
|
<Option name="ipf_route_option">route_through</Option>
|
|
<Option name="ipfw_classify_method">2</Option>
|
|
<Option name="ipfw_pipe_port_num">0</Option>
|
|
<Option name="ipfw_pipe_queue_num">0</Option>
|
|
<Option name="ipt_continue">False</Option>
|
|
<Option name="ipt_gw"/>
|
|
<Option name="ipt_iif"/>
|
|
<Option name="ipt_mark_connections">False</Option>
|
|
<Option name="ipt_mark_prerouting">False</Option>
|
|
<Option name="ipt_oif"/>
|
|
<Option name="ipt_tee">False</Option>
|
|
<Option name="pf_fastroute">False</Option>
|
|
<Option name="pf_route_opt_addr"/>
|
|
<Option name="pf_route_opt_if"/>
|
|
<Option name="pf_route_option">route_through</Option>
|
|
<Option name="rule_name_accounting"/>
|
|
<Option name="stateless">True</Option>
|
|
<Option name="tag_terminating_target">False</Option>
|
|
<Option name="tagging">False</Option>
|
|
<Option name="classification">True</Option>
|
|
<Option name="routing">False</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<PolicyRule id="id45AB5BC825451" disabled="False" position="15" direction="Both" action="Accept" log="False" comment="bug #1618381: this rule uses multiport and has to be split because of that" group="">
|
|
<Src neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="id41D0F023"/>
|
|
<ServiceRef ref="id3D4DE626"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="id45AB5C6325451"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="action_on_reject"/>
|
|
<Option name="classify_str">1:11</Option>
|
|
<Option name="classify_terminating_target">True</Option>
|
|
<Option name="color">#C0BA44</Option>
|
|
<Option name="custom_str"/>
|
|
<Option name="ipf_route_opt_addr"/>
|
|
<Option name="ipf_route_opt_if"/>
|
|
<Option name="ipf_route_option">route_through</Option>
|
|
<Option name="ipfw_classify_method">2</Option>
|
|
<Option name="ipfw_pipe_port_num">0</Option>
|
|
<Option name="ipfw_pipe_queue_num">0</Option>
|
|
<Option name="ipt_continue">False</Option>
|
|
<Option name="ipt_gw"/>
|
|
<Option name="ipt_iif"/>
|
|
<Option name="ipt_mark_connections">False</Option>
|
|
<Option name="ipt_mark_prerouting">False</Option>
|
|
<Option name="ipt_oif"/>
|
|
<Option name="ipt_tee">False</Option>
|
|
<Option name="pf_fastroute">False</Option>
|
|
<Option name="pf_route_opt_addr"/>
|
|
<Option name="pf_route_opt_if"/>
|
|
<Option name="pf_route_option">route_through</Option>
|
|
<Option name="rule_name_accounting"/>
|
|
<Option name="stateless">True</Option>
|
|
<Option name="tag_terminating_target">False</Option>
|
|
<Option name="tagging">False</Option>
|
|
<Option name="classification">True</Option>
|
|
<Option name="routing">False</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<PolicyRule id="id45AB5BD525451" disabled="False" position="16" direction="Both" action="Accept" log="False" comment="testing for bug #1618381: this rule, and the next one, should place the CLASSIFY rule in a separate chain and pass control to it using -g" group="">
|
|
<Src neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="icmp-Unreachables"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="action_on_reject"/>
|
|
<Option name="classify_str">1:10</Option>
|
|
<Option name="classify_terminating_target">True</Option>
|
|
<Option name="color">#7694C0</Option>
|
|
<Option name="custom_str"/>
|
|
<Option name="ipf_route_opt_addr"/>
|
|
<Option name="ipf_route_opt_if"/>
|
|
<Option name="ipf_route_option">route_through</Option>
|
|
<Option name="ipfw_classify_method">2</Option>
|
|
<Option name="ipfw_pipe_port_num">0</Option>
|
|
<Option name="ipfw_pipe_queue_num">0</Option>
|
|
<Option name="ipt_continue">False</Option>
|
|
<Option name="ipt_gw"/>
|
|
<Option name="ipt_iif"/>
|
|
<Option name="ipt_mark_connections">False</Option>
|
|
<Option name="ipt_mark_prerouting">False</Option>
|
|
<Option name="ipt_oif"/>
|
|
<Option name="ipt_tee">False</Option>
|
|
<Option name="pf_fastroute">False</Option>
|
|
<Option name="pf_route_opt_addr"/>
|
|
<Option name="pf_route_opt_if"/>
|
|
<Option name="pf_route_option">route_through</Option>
|
|
<Option name="rule_name_accounting"/>
|
|
<Option name="stateless">True</Option>
|
|
<Option name="tagging">False</Option>
|
|
<Option name="classification">True</Option>
|
|
<Option name="routing">False</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<PolicyRule id="id45AB5BE125451" disabled="False" position="17" direction="Both" action="Accept" log="False" comment="second rule for bug #1618381" group="">
|
|
<Src neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="id45AB5C6325451"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="action_on_reject"/>
|
|
<Option name="classify_str">1:11</Option>
|
|
<Option name="classify_terminating_target">True</Option>
|
|
<Option name="color">#7694C0</Option>
|
|
<Option name="custom_str"/>
|
|
<Option name="ipf_route_opt_addr"/>
|
|
<Option name="ipf_route_opt_if"/>
|
|
<Option name="ipf_route_option">route_through</Option>
|
|
<Option name="ipfw_classify_method">2</Option>
|
|
<Option name="ipfw_pipe_port_num">0</Option>
|
|
<Option name="ipfw_pipe_queue_num">0</Option>
|
|
<Option name="ipt_continue">False</Option>
|
|
<Option name="ipt_gw"/>
|
|
<Option name="ipt_iif"/>
|
|
<Option name="ipt_mark_connections">False</Option>
|
|
<Option name="ipt_mark_prerouting">False</Option>
|
|
<Option name="ipt_oif"/>
|
|
<Option name="ipt_tee">False</Option>
|
|
<Option name="pf_fastroute">False</Option>
|
|
<Option name="pf_route_opt_addr"/>
|
|
<Option name="pf_route_opt_if"/>
|
|
<Option name="pf_route_option">route_through</Option>
|
|
<Option name="rule_name_accounting"/>
|
|
<Option name="stateless">True</Option>
|
|
<Option name="tagging">False</Option>
|
|
<Option name="classification">True</Option>
|
|
<Option name="routing">False</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<PolicyRule id="id45AB5BED25451" disabled="False" position="18" direction="Outbound" action="Accept" log="True" comment="" group="">
|
|
<Src neg="False">
|
|
<ObjectRef ref="net-Internal_net"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="id45AB5C6325451"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="action_on_reject"/>
|
|
<Option name="classify_str">1:11</Option>
|
|
<Option name="classify_terminating_target">True</Option>
|
|
<Option name="color">#7694C0</Option>
|
|
<Option name="custom_str"/>
|
|
<Option name="ipf_route_opt_addr"/>
|
|
<Option name="ipf_route_opt_if"/>
|
|
<Option name="ipf_route_option">route_through</Option>
|
|
<Option name="ipfw_classify_method">2</Option>
|
|
<Option name="ipfw_pipe_port_num">0</Option>
|
|
<Option name="ipfw_pipe_queue_num">0</Option>
|
|
<Option name="ipt_continue">False</Option>
|
|
<Option name="ipt_gw"/>
|
|
<Option name="ipt_iif"/>
|
|
<Option name="ipt_mark_connections">False</Option>
|
|
<Option name="ipt_mark_prerouting">False</Option>
|
|
<Option name="ipt_oif"/>
|
|
<Option name="ipt_tee">False</Option>
|
|
<Option name="pf_fastroute">False</Option>
|
|
<Option name="pf_route_opt_addr"/>
|
|
<Option name="pf_route_opt_if"/>
|
|
<Option name="pf_route_option">route_through</Option>
|
|
<Option name="rule_name_accounting"/>
|
|
<Option name="stateless">True</Option>
|
|
<Option name="tag_terminating_target">False</Option>
|
|
<Option name="tagging">False</Option>
|
|
<Option name="classification">True</Option>
|
|
<Option name="routing">False</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<PolicyRule id="id45AB5BF925451" disabled="False" position="19" direction="Both" action="Accept" log="False" comment="testing for bug #1618381" group="">
|
|
<Src neg="True">
|
|
<ObjectRef ref="net-Internal_net"/>
|
|
<ObjectRef ref="id3B022266"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="icmp-Unreachables"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="action_on_reject"/>
|
|
<Option name="classify_str">1:10</Option>
|
|
<Option name="classify_terminating_target">True</Option>
|
|
<Option name="color">#7694C0</Option>
|
|
<Option name="custom_str"/>
|
|
<Option name="ipf_route_opt_addr"/>
|
|
<Option name="ipf_route_opt_if"/>
|
|
<Option name="ipf_route_option">route_through</Option>
|
|
<Option name="ipfw_classify_method">2</Option>
|
|
<Option name="ipfw_pipe_port_num">0</Option>
|
|
<Option name="ipfw_pipe_queue_num">0</Option>
|
|
<Option name="ipt_continue">False</Option>
|
|
<Option name="ipt_gw"/>
|
|
<Option name="ipt_iif"/>
|
|
<Option name="ipt_mark_connections">False</Option>
|
|
<Option name="ipt_mark_prerouting">False</Option>
|
|
<Option name="ipt_oif"/>
|
|
<Option name="ipt_tee">False</Option>
|
|
<Option name="pf_fastroute">False</Option>
|
|
<Option name="pf_route_opt_addr"/>
|
|
<Option name="pf_route_opt_if"/>
|
|
<Option name="pf_route_option">route_through</Option>
|
|
<Option name="rule_name_accounting"/>
|
|
<Option name="stateless">True</Option>
|
|
<Option name="tagging">False</Option>
|
|
<Option name="classification">True</Option>
|
|
<Option name="routing">False</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<PolicyRule id="id45AB5C0625451" disabled="False" position="20" direction="Both" action="Accept" log="False" comment="testing for bug #1618381" group="">
|
|
<Src neg="True">
|
|
<ObjectRef ref="net-Internal_net"/>
|
|
<ObjectRef ref="id3B022266"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="icmp-Unreachables"/>
|
|
<ServiceRef ref="tcp-HTTP"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="action_on_reject"/>
|
|
<Option name="classify_str">1:10</Option>
|
|
<Option name="classify_terminating_target">True</Option>
|
|
<Option name="color">#7694C0</Option>
|
|
<Option name="custom_str"/>
|
|
<Option name="ipf_route_opt_addr"/>
|
|
<Option name="ipf_route_opt_if"/>
|
|
<Option name="ipf_route_option">route_through</Option>
|
|
<Option name="ipfw_classify_method">2</Option>
|
|
<Option name="ipfw_pipe_port_num">0</Option>
|
|
<Option name="ipfw_pipe_queue_num">0</Option>
|
|
<Option name="ipt_continue">False</Option>
|
|
<Option name="ipt_gw"/>
|
|
<Option name="ipt_iif"/>
|
|
<Option name="ipt_mark_connections">False</Option>
|
|
<Option name="ipt_mark_prerouting">False</Option>
|
|
<Option name="ipt_oif"/>
|
|
<Option name="ipt_tee">False</Option>
|
|
<Option name="pf_fastroute">False</Option>
|
|
<Option name="pf_route_opt_addr"/>
|
|
<Option name="pf_route_opt_if"/>
|
|
<Option name="pf_route_option">route_through</Option>
|
|
<Option name="rule_name_accounting"/>
|
|
<Option name="stateless">True</Option>
|
|
<Option name="tagging">False</Option>
|
|
<Option name="classification">True</Option>
|
|
<Option name="routing">False</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<PolicyRule id="id45AB5C1425451" disabled="False" position="21" direction="Both" action="Accept" log="False" comment="bug #1618381: this rule uses multiport and has to be split because of that" group="">
|
|
<Src neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="id41D0F023"/>
|
|
<ServiceRef ref="id3D4DE626"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="id45AB5C6325451"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="action_on_reject"/>
|
|
<Option name="classify_str">1:11</Option>
|
|
<Option name="classify_terminating_target">True</Option>
|
|
<Option name="color">#7694C0</Option>
|
|
<Option name="custom_str"/>
|
|
<Option name="ipf_route_opt_addr"/>
|
|
<Option name="ipf_route_opt_if"/>
|
|
<Option name="ipf_route_option">route_through</Option>
|
|
<Option name="ipfw_classify_method">2</Option>
|
|
<Option name="ipfw_pipe_port_num">0</Option>
|
|
<Option name="ipfw_pipe_queue_num">0</Option>
|
|
<Option name="ipt_continue">False</Option>
|
|
<Option name="ipt_gw"/>
|
|
<Option name="ipt_iif"/>
|
|
<Option name="ipt_mark_connections">False</Option>
|
|
<Option name="ipt_mark_prerouting">False</Option>
|
|
<Option name="ipt_oif"/>
|
|
<Option name="ipt_tee">False</Option>
|
|
<Option name="pf_fastroute">False</Option>
|
|
<Option name="pf_route_opt_addr"/>
|
|
<Option name="pf_route_opt_if"/>
|
|
<Option name="pf_route_option">route_through</Option>
|
|
<Option name="rule_name_accounting"/>
|
|
<Option name="stateless">True</Option>
|
|
<Option name="tagging">False</Option>
|
|
<Option name="classification">True</Option>
|
|
<Option name="routing">False</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<PolicyRule id="id45AB5C2125451" disabled="False" group="" log="False" position="22" action="Branch" direction="Both" comment="bug #1618381: should generate branching code in both the filter and mangle tables">
|
|
<Src neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="tcp-All_TCP"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="action_on_reject"/>
|
|
<Option name="branch_name">rule27_branch</Option>
|
|
<Option name="classify_str"/>
|
|
<Option name="color">#7694C0</Option>
|
|
<Option name="custom_str"/>
|
|
<Option name="ipf_route_opt_addr"/>
|
|
<Option name="ipf_route_opt_if"/>
|
|
<Option name="ipf_route_option">route_through</Option>
|
|
<Option name="ipfw_classify_method">2</Option>
|
|
<Option name="ipfw_pipe_port_num">0</Option>
|
|
<Option name="ipfw_pipe_queue_num">0</Option>
|
|
<Option name="ipt_branch_in_mangle">True</Option>
|
|
<Option name="ipt_continue">False</Option>
|
|
<Option name="ipt_gw"/>
|
|
<Option name="ipt_iif"/>
|
|
<Option name="ipt_mark_connections">False</Option>
|
|
<Option name="ipt_mark_prerouting">False</Option>
|
|
<Option name="ipt_oif"/>
|
|
<Option name="ipt_tee">False</Option>
|
|
<Option name="pf_fastroute">False</Option>
|
|
<Option name="pf_route_opt_addr"/>
|
|
<Option name="pf_route_opt_if"/>
|
|
<Option name="pf_route_option">route_through</Option>
|
|
<Option name="rule_name_accounting"/>
|
|
<Option name="stateless">True</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<PolicyRule id="id45AB5C3A25451" disabled="False" group="" log="False" position="23" action="Custom" direction="Both" comment="">
|
|
<Src neg="False">
|
|
<ObjectRef ref="net-Internal_net"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="action_on_reject"/>
|
|
<Option name="classify_str"/>
|
|
<Option name="color">#C0C0C0</Option>
|
|
<Option name="custom_str">-j TCPMSS --set-mss 1400</Option>
|
|
<Option name="ipfw_pipe_method">0</Option>
|
|
<Option name="ipfw_pipe_port_num">0</Option>
|
|
<Option name="rule_name_accounting"/>
|
|
<Option name="stateless">True</Option>
|
|
<Option name="tagvalue"/>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<PolicyRule id="id45AB5C4625451" disabled="False" group="" log="True" position="24" action="Deny" direction="Both" comment="">
|
|
<Src neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="stateless">True</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<RuleSetOptions/>
|
|
</Policy>
|
|
<Policy id="id45AB5C2D25451" name="rule27_branch" comment="" ro="False" ipv4_rule_set="False" ipv6_rule_set="False" top_rule_set="False">
|
|
<PolicyRule id="id45AB5C2E25451" disabled="False" position="0" direction="Both" action="Accept" log="False" comment="" group="">
|
|
<Src neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="id459E36F110170"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="action_on_reject"/>
|
|
<Option name="classify_str">1:16</Option>
|
|
<Option name="color">#7694C0</Option>
|
|
<Option name="custom_str"/>
|
|
<Option name="ipf_route_opt_addr"/>
|
|
<Option name="ipf_route_opt_if"/>
|
|
<Option name="ipf_route_option">route_through</Option>
|
|
<Option name="ipfw_classify_method">2</Option>
|
|
<Option name="ipfw_pipe_port_num">0</Option>
|
|
<Option name="ipfw_pipe_queue_num">0</Option>
|
|
<Option name="ipt_continue">False</Option>
|
|
<Option name="ipt_gw"/>
|
|
<Option name="ipt_iif"/>
|
|
<Option name="ipt_mark_connections">False</Option>
|
|
<Option name="ipt_mark_prerouting">False</Option>
|
|
<Option name="ipt_oif"/>
|
|
<Option name="ipt_tee">False</Option>
|
|
<Option name="pf_fastroute">False</Option>
|
|
<Option name="pf_route_opt_addr"/>
|
|
<Option name="pf_route_opt_if"/>
|
|
<Option name="pf_route_option">route_through</Option>
|
|
<Option name="rule_name_accounting"/>
|
|
<Option name="stateless">True</Option>
|
|
<Option name="tagging">False</Option>
|
|
<Option name="classification">True</Option>
|
|
<Option name="routing">False</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<PolicyRule id="id4640109629860" disabled="False" group="" log="True" position="1" action="Accept" direction="Both" comment="">
|
|
<Src neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="tcp-HTTP"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="stateless">False</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<RuleSetOptions/>
|
|
</Policy>
|
|
<Routing id="id45AB5C6225451" name="Routing" comment="" ro="False" ipv4_rule_set="False" ipv6_rule_set="False" top_rule_set="True">
|
|
<RuleSetOptions/>
|
|
</Routing>
|
|
<Interface id="id45AB5C6325451" dedicated_failover="False" dyn="False" label="" mgmt="True" security_level="100" unnum="False" unprotected="False" name="eth0" comment="" ro="False">
|
|
<IPv4 id="id45AB5C6525451" name="firewall37-1:eth0:ip" comment="" ro="False" address="192.168.1.22" netmask="255.255.255.0"/>
|
|
<InterfaceOptions/>
|
|
</Interface>
|
|
<Interface id="id45AB5C6625451" dedicated_failover="False" dyn="False" label="eth1(outside)" mgmt="False" security_level="0" unnum="False" unprotected="False" name="eth1" comment="" ro="False">
|
|
<IPv4 id="id45AB5C6825451" name="firewall37-1:eth1:ip" comment="" ro="False" address="22.22.23.22" netmask="255.255.255.0"/>
|
|
<InterfaceOptions/>
|
|
</Interface>
|
|
<Interface id="id45AB5C6925451" dedicated_failover="False" dyn="False" label="eth2(dmz)" mgmt="False" security_level="0" unnum="False" unprotected="False" name="eth2" comment="" ro="False">
|
|
<IPv4 id="id45AB5C6B25451" name="firewall37-1:eth2:ip" comment="this interface is on the subnet that overlaps with eth1 (NOTE: as configured here, 192.168.2.0/24 does not overlap eth1's 22.22.23.0/24 — verify this fixture still exercises the intended overlapping-subnet case)" ro="False" address="192.168.2.1" netmask="255.255.255.0"/>
|
|
<InterfaceOptions/>
|
|
</Interface>
|
|
<Management address="192.168.1.22">
|
|
<SNMPManagement enabled="False" snmp_read_community="" snmp_write_community=""/>
|
|
<FWBDManagement enabled="True" identity="" port="9999"/>
|
|
<PolicyInstallScript arguments="" command="" enabled="False"/>
|
|
</Management>
|
|
<FirewallOptions>
|
|
<Option name="accept_established">True</Option>
|
|
<Option name="accept_new_tcp_with_no_syn">True</Option>
|
|
<Option name="action_on_reject">ICMP host prohibited</Option>
|
|
<Option name="activationCmd"/>
|
|
<Option name="admUser"/>
|
|
<Option name="altAddress"/>
|
|
<Option name="bridging_fw">False</Option>
|
|
<Option name="check_shading">False</Option>
|
|
<Option name="clamp_mss_to_mtu">False</Option>
|
|
<Option name="classify_mark_terminating">True</Option>
|
|
<Option name="cmdline"/>
|
|
<Option name="compiler"/>
|
|
<Option name="configure_interfaces">True</Option>
|
|
<Option name="debug">False</Option>
|
|
<Option name="drop_invalid">False</Option>
|
|
<Option name="epilog_script"/>
|
|
<Option name="firewall_dir"/>
|
|
<Option name="firewall_is_part_of_any_and_networks">True</Option>
|
|
<Option name="ignore_empty_groups">True</Option>
|
|
<Option name="limit_suffix"/>
|
|
<Option name="limit_value">0</Option>
|
|
<Option name="linux24_accept_redirects"/>
|
|
<Option name="linux24_accept_source_route"/>
|
|
<Option name="linux24_icmp_echo_ignore_all"/>
|
|
<Option name="linux24_icmp_echo_ignore_broadcasts"/>
|
|
<Option name="linux24_icmp_ignore_bogus_error_responses"/>
|
|
<Option name="linux24_ip_dynaddr"/>
|
|
<Option name="linux24_ip_forward"/>
|
|
<Option name="linux24_log_martians"/>
|
|
<Option name="linux24_path_ip"/>
|
|
<Option name="linux24_path_iptables"/>
|
|
<Option name="linux24_path_logger"/>
|
|
<Option name="linux24_path_lsmod"/>
|
|
<Option name="linux24_path_modprobe"/>
|
|
<Option name="linux24_rp_filter"/>
|
|
<Option name="linux24_tcp_ecn"/>
|
|
<Option name="linux24_tcp_fack"/>
|
|
<Option name="linux24_tcp_fin_timeout">30</Option>
|
|
<Option name="linux24_tcp_keepalive_interval">1800</Option>
|
|
<Option name="linux24_tcp_sack"/>
|
|
<Option name="linux24_tcp_syncookies"/>
|
|
<Option name="linux24_tcp_timestamps"/>
|
|
<Option name="linux24_tcp_window_scaling"/>
|
|
<Option name="load_modules">True</Option>
|
|
<Option name="local_nat">True</Option>
|
|
<Option name="log_all">False</Option>
|
|
<Option name="log_all_dropped">False</Option>
|
|
<Option name="log_invalid">False</Option>
|
|
<Option name="log_ip_opt">False</Option>
|
|
<Option name="log_level">info</Option>
|
|
<Option name="log_prefix">RULE %N -- %A </Option>
|
|
<Option name="log_tcp_opt">False</Option>
|
|
<Option name="log_tcp_seq">False</Option>
|
|
<Option name="manage_virtual_addr">True</Option>
|
|
<Option name="mgmt_addr"/>
|
|
<Option name="mgmt_ssh">False</Option>
|
|
<Option name="no_optimisation">False</Option>
|
|
<Option name="output_file"/>
|
|
<Option name="prolog_place">top</Option>
|
|
<Option name="prolog_script"/>
|
|
<Option name="snmp_contact"/>
|
|
<Option name="snmp_description"/>
|
|
<Option name="snmp_location"/>
|
|
<Option name="sshArgs"/>
|
|
<Option name="ulog_cprange">0</Option>
|
|
<Option name="ulog_nlgroup">1</Option>
|
|
<Option name="ulog_qthreshold">1</Option>
|
|
<Option name="use_ULOG">False</Option>
|
|
<Option name="use_iptables_restore">False</Option>
|
|
<Option name="use_numeric_log_levels">False</Option>
|
|
<Option name="verify_interfaces">False</Option>
|
|
</FirewallOptions>
|
|
</Firewall>
|
|
<Firewall id="id46EFBD7031183" host_OS="linux24" inactive="False" lastCompiled="1272404508" lastInstalled="1142003872" lastModified="1190091778" platform="iptables" version="" name="firewall42" comment="Simple test for a rule that matches a local broadcast address and should go into the INPUT chain; the internal interface of the firewall is dynamic, so the compiler cannot determine that the given address is a broadcast address. A fake interface is used to make this address match. " ro="False">
|
|
<NAT id="id46EFBE3731183" name="NAT" comment="" ro="False" ipv4_rule_set="False" ipv6_rule_set="False" top_rule_set="True">
|
|
<RuleSetOptions/>
|
|
</NAT>
|
|
<Policy id="id46EFBD7631183" name="Policy" comment="" ro="False" ipv4_rule_set="False" ipv6_rule_set="False" top_rule_set="True">
|
|
<PolicyRule id="id46EFBD7731183" disabled="False" group="" log="False" position="0" action="Accept" direction="Inbound" comment="">
|
|
<Src neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="id3B64FFAC"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="udp-bootps"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="id46EFBE4731183"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions/>
|
|
</PolicyRule>
|
|
<PolicyRule id="id46EFBD8331183" disabled="False" group="" log="False" position="1" action="Accept" direction="Inbound" comment="">
|
|
<Src neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="id3CFBE20C"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="udp-bootps"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="id46EFBE4731183"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions/>
|
|
</PolicyRule>
|
|
<PolicyRule id="id46EFBD8F31183" disabled="False" group="" log="False" position="2" action="Accept" direction="Inbound" comment="">
|
|
<Src neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="id3A84EECE"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="udp-bootps"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="id46EFBE4731183"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions/>
|
|
</PolicyRule>
|
|
<PolicyRule id="id46EFBD9B31183" disabled="False" group="" log="False" position="3" action="Accept" direction="Inbound" comment="">
|
|
<Src neg="False">
|
|
<ObjectRef ref="id40236C9A"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="id3CFBE20C"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="udp-bootps"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="id46EFBE4731183"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions/>
|
|
</PolicyRule>
|
|
<PolicyRule id="id46EFBDA731183" disabled="False" group="" log="False" position="4" action="Accept" direction="Outbound" comment="">
|
|
<Src neg="False">
|
|
<ObjectRef ref="id46EFBE4731183"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="id3CFBE20C"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="udp-bootpc"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="id46EFBE4731183"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions/>
|
|
</PolicyRule>
|
|
<RuleSetOptions/>
|
|
</Policy>
|
|
<Routing id="id46EFBE4631183" name="Routing" comment="" ro="False" ipv4_rule_set="False" ipv6_rule_set="False" top_rule_set="True">
|
|
<RuleSetOptions/>
|
|
</Routing>
|
|
<Interface id="id46EFBE4731183" dedicated_failover="False" dyn="True" label="" mgmt="True" security_level="100" unnum="False" unprotected="False" name="eth0" comment="" ro="False">
|
|
<InterfaceOptions/>
|
|
</Interface>
|
|
<Interface id="id46EFBE4A31183" dedicated_failover="False" dyn="False" security_level="0" unnum="False" unprotected="False" name="eth1" comment="" ro="False">
|
|
<IPv4 id="id46EFBE4C31183" name="firewall42:eth1:ip" comment="" ro="False" address="22.22.22.22" netmask="255.255.255.0"/>
|
|
<InterfaceOptions/>
|
|
</Interface>
|
|
<Interface id="id46EFBE5031183" dedicated_failover="False" dyn="False" security_level="100" unnum="False" unprotected="False" name="lo" comment="" ro="False">
|
|
<IPv4 id="id46EFBE5231183" name="firewall42:lo:ip" comment="" ro="False" address="127.0.0.1" netmask="255.0.0.0"/>
|
|
<IPv4 id="id46EFBE5B31183" name="firewall42:lo:ip-1" comment="" ro="False" address="192.168.1.1" netmask="255.255.255.0"/>
|
|
<InterfaceOptions/>
|
|
</Interface>
|
|
<Management address="0.0.0.0">
|
|
<SNMPManagement enabled="False" snmp_read_community="public" snmp_write_community=""/>
|
|
<FWBDManagement enabled="True" identity="" port="9999"/>
|
|
<PolicyInstallScript arguments="" command="" enabled="False"/>
|
|
</Management>
|
|
<FirewallOptions>
|
|
<Option name="accept_established">True</Option>
|
|
<Option name="accept_new_tcp_with_no_syn">True</Option>
|
|
<Option name="action_on_reject">ICMP net unreachable</Option>
|
|
<Option name="activationCmd"/>
|
|
<Option name="admUser"/>
|
|
<Option name="altAddress"/>
|
|
<Option name="bridging_fw">False</Option>
|
|
<Option name="check_shading">False</Option>
|
|
<Option name="clamp_mss_to_mtu">False</Option>
|
|
<Option name="classify_mark_terminating">False</Option>
|
|
<Option name="cmdline"/>
|
|
<Option name="compiler"/>
|
|
<Option name="configure_interfaces">False</Option>
|
|
<Option name="debug">False</Option>
|
|
<Option name="drop_invalid">False</Option>
|
|
<Option name="dyn_addr">False</Option>
|
|
<Option name="epilog_script"/>
|
|
<Option name="firewall_dir"/>
|
|
<Option name="firewall_is_part_of_any">True</Option>
|
|
<Option name="firewall_is_part_of_any_and_networks">True</Option>
|
|
<Option name="ignore_empty_groups">False</Option>
|
|
<Option name="inst_cmdline"/>
|
|
<Option name="inst_script"/>
|
|
<Option name="install_script"/>
|
|
<Option name="limit_suffix">/day</Option>
|
|
<Option name="limit_value">0</Option>
|
|
<Option name="linux24_accept_redirects"/>
|
|
<Option name="linux24_accept_source_route"/>
|
|
<Option name="linux24_icmp_echo_ignore_all"/>
|
|
<Option name="linux24_icmp_echo_ignore_broadcasts"/>
|
|
<Option name="linux24_icmp_ignore_bogus_error_responses"/>
|
|
<Option name="linux24_ip_dynaddr"/>
|
|
<Option name="linux24_ip_forward"/>
|
|
<Option name="linux24_log_martians"/>
|
|
<Option name="linux24_path_ip"/>
|
|
<Option name="linux24_path_iptables"/>
|
|
<Option name="linux24_path_logger"/>
|
|
<Option name="linux24_path_lsmod"/>
|
|
<Option name="linux24_path_modprobe"/>
|
|
<Option name="linux24_rp_filter"/>
|
|
<Option name="linux24_tcp_ecn"/>
|
|
<Option name="linux24_tcp_fack"/>
|
|
<Option name="linux24_tcp_fin_timeout">30</Option>
|
|
<Option name="linux24_tcp_keepalive_interval">1800</Option>
|
|
<Option name="linux24_tcp_sack"/>
|
|
<Option name="linux24_tcp_syncookies"/>
|
|
<Option name="linux24_tcp_timestamps"/>
|
|
<Option name="linux24_tcp_window_scaling"/>
|
|
<Option name="load_modules">False</Option>
|
|
<Option name="local_nat">False</Option>
|
|
<Option name="log_all">False</Option>
|
|
<Option name="log_all_dropped">False</Option>
|
|
<Option name="log_invalid">False</Option>
|
|
<Option name="log_ip_opt">False</Option>
|
|
<Option name="log_level">debug</Option>
|
|
<Option name="log_limit_suffix">/second</Option>
|
|
<Option name="log_limit_value">0</Option>
|
|
<Option name="log_prefix"/>
|
|
<Option name="log_tcp_opt">False</Option>
|
|
<Option name="log_tcp_seq">False</Option>
|
|
<Option name="manage_virtual_addr">False</Option>
|
|
<Option name="mgmt_addr"/>
|
|
<Option name="mgmt_ssh">False</Option>
|
|
<Option name="no_iochains_for_any">False</Option>
|
|
<Option name="no_ipv6_default_policy">False</Option>
|
|
<Option name="no_optimisation">False</Option>
|
|
<Option name="output_file"/>
|
|
<Option name="platform">iptables</Option>
|
|
<Option name="prolog_place">top</Option>
|
|
<Option name="prolog_script"/>
|
|
<Option name="proxy_arp">False</Option>
|
|
<Option name="script_env_path"/>
|
|
<Option name="snmp_contact"/>
|
|
<Option name="snmp_description"/>
|
|
<Option name="snmp_location"/>
|
|
<Option name="sshArgs"/>
|
|
<Option name="ulog_cprange">0</Option>
|
|
<Option name="ulog_nlgroup">1</Option>
|
|
<Option name="ulog_qthreshold">1</Option>
|
|
<Option name="use_ULOG">False</Option>
|
|
<Option name="use_ip_tool">False</Option>
|
|
<Option name="use_iptables_restore">False</Option>
|
|
<Option name="use_numeric_log_levels">False</Option>
|
|
<Option name="verify_interfaces">False</Option>
|
|
</FirewallOptions>
|
|
</Firewall>
|
|
<Firewall id="id47339E9919714" host_OS="linux24" inactive="False" lastCompiled="1272404514" lastInstalled="1142003872" lastModified="1194539763" platform="iptables" version="" name="firewall50" comment="testing action 'Continue' " ro="False">
|
|
<NAT id="id47339EDC19714" name="NAT" comment="" ro="False" ipv4_rule_set="False" ipv6_rule_set="False" top_rule_set="True">
|
|
<RuleSetOptions/>
|
|
</NAT>
|
|
<Policy id="id47339E9F19714" name="Policy" comment="" ro="False" ipv4_rule_set="False" ipv6_rule_set="False" top_rule_set="True">
|
|
<PolicyRule id="id47339EFA19714" disabled="False" group="" log="False" position="0" action="Continue" direction="Both" comment="">
|
|
<Src neg="False">
|
|
<ObjectRef ref="id3CEBFDFC"/>
|
|
<ObjectRef ref="id4733FFE419714"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="color">#8BC065</Option>
|
|
<Option name="stateless">True</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<PolicyRule id="id47339EEC19714" disabled="False" group="" log="True" position="1" action="Deny" direction="Both" comment="">
|
|
<Src neg="False">
|
|
<ObjectRef ref="id3DC75CE6"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="color">#8BC065</Option>
|
|
<Option name="stateless">True</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<PolicyRule id="id4734305119714" disabled="False" group="" log="False" position="2" action="Branch" direction="Both" comment="">
|
|
<Src neg="False">
|
|
<ObjectRef ref="id3DC75CE6"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="branch_name">rule2_branch</Option>
|
|
<Option name="color">#7694C0</Option>
|
|
<Option name="stateless">True</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<PolicyRule id="id4733CF6F19714" disabled="False" group="" log="True" position="3" action="Deny" direction="Both" comment="">
|
|
<Src neg="True">
|
|
<ObjectRef ref="id3CEBFDFC"/>
|
|
<ObjectRef ref="id4733FFE419714"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="stateless">True</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<PolicyRule id="id47339F0719714" disabled="False" group="" log="True" position="4" action="Deny" direction="Both" comment="">
|
|
<Src neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="stateless">True</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<RuleSetOptions/>
|
|
</Policy>
|
|
<Policy id="id4734305D19714" name="rule2_branch" comment="" ro="False" ipv4_rule_set="False" ipv6_rule_set="False" top_rule_set="False">
|
|
<PolicyRule id="id4734305F19714" disabled="False" group="" log="True" position="0" action="Deny" direction="Both" comment="">
|
|
<Src neg="True">
|
|
<ObjectRef ref="id3CEBFDFC"/>
|
|
<ObjectRef ref="id4733FFE419714"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="stateless">True</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<RuleSetOptions/>
|
|
</Policy>
|
|
<Routing id="id47339EDD19714" name="Routing" comment="" ro="False" ipv4_rule_set="False" ipv6_rule_set="False" top_rule_set="True">
|
|
<RuleSetOptions/>
|
|
</Routing>
|
|
<Interface id="id47339EDE19714" dedicated_failover="False" dyn="False" label="" mgmt="True" security_level="100" unnum="False" unprotected="False" name="eth0" comment="" ro="False">
|
|
<IPv4 id="id47339EF819714" name="firewall50:eth0:ip" comment="" ro="False" address="192.168.1.1" netmask="255.255.255.0"/>
|
|
<InterfaceOptions/>
|
|
</Interface>
|
|
<Interface id="id47339EDF19714" dedicated_failover="False" dyn="False" security_level="0" unnum="False" unprotected="False" name="eth1" comment="" ro="False">
|
|
<IPv4 id="id47339EE119714" name="firewall50:eth1:ip" comment="" ro="False" address="22.22.22.22" netmask="255.255.255.0"/>
|
|
<InterfaceOptions/>
|
|
</Interface>
|
|
<Interface id="id47339EE219714" dedicated_failover="False" dyn="False" security_level="100" unnum="False" unprotected="False" name="lo" comment="" ro="False">
|
|
<IPv4 id="id47339EE519714" name="firewall50:lo:ip1" comment="" ro="False" address="127.0.0.1" netmask="255.0.0.0"/>
|
|
<IPv4 id="id47339EE619714" name="firewall50:lo:ip2" comment="" ro="False" address="192.168.1.1" netmask="255.255.255.0"/>
|
|
<InterfaceOptions/>
|
|
</Interface>
|
|
<Management address="0.0.0.0">
|
|
<SNMPManagement enabled="False" snmp_read_community="public" snmp_write_community=""/>
|
|
<FWBDManagement enabled="True" identity="" port="9999"/>
|
|
<PolicyInstallScript arguments="" command="" enabled="False"/>
|
|
</Management>
|
|
<FirewallOptions>
|
|
<Option name="accept_established">True</Option>
|
|
<Option name="accept_new_tcp_with_no_syn">True</Option>
|
|
<Option name="action_on_reject">ICMP net unreachable</Option>
|
|
<Option name="activationCmd"/>
|
|
<Option name="admUser"/>
|
|
<Option name="altAddress"/>
|
|
<Option name="bridging_fw">False</Option>
|
|
<Option name="check_shading">False</Option>
|
|
<Option name="clamp_mss_to_mtu">False</Option>
|
|
<Option name="classify_mark_terminating">False</Option>
|
|
<Option name="cmdline"/>
|
|
<Option name="compiler"/>
|
|
<Option name="configure_interfaces">False</Option>
|
|
<Option name="debug">False</Option>
|
|
<Option name="drop_invalid">False</Option>
|
|
<Option name="dyn_addr">False</Option>
|
|
<Option name="epilog_script"/>
|
|
<Option name="firewall_dir"/>
|
|
<Option name="firewall_is_part_of_any">True</Option>
|
|
<Option name="firewall_is_part_of_any_and_networks">True</Option>
|
|
<Option name="ignore_empty_groups">False</Option>
|
|
<Option name="inst_cmdline"/>
|
|
<Option name="inst_script"/>
|
|
<Option name="install_script"/>
|
|
<Option name="limit_suffix">/day</Option>
|
|
<Option name="limit_value">0</Option>
|
|
<Option name="linux24_accept_redirects"/>
|
|
<Option name="linux24_accept_source_route"/>
|
|
<Option name="linux24_icmp_echo_ignore_all"/>
|
|
<Option name="linux24_icmp_echo_ignore_broadcasts"/>
|
|
<Option name="linux24_icmp_ignore_bogus_error_responses"/>
|
|
<Option name="linux24_ip_dynaddr"/>
|
|
<Option name="linux24_ip_forward"/>
|
|
<Option name="linux24_log_martians"/>
|
|
<Option name="linux24_path_ip"/>
|
|
<Option name="linux24_path_iptables"/>
|
|
<Option name="linux24_path_logger"/>
|
|
<Option name="linux24_path_lsmod"/>
|
|
<Option name="linux24_path_modprobe"/>
|
|
<Option name="linux24_rp_filter"/>
|
|
<Option name="linux24_tcp_ecn"/>
|
|
<Option name="linux24_tcp_fack"/>
|
|
<Option name="linux24_tcp_fin_timeout">30</Option>
|
|
<Option name="linux24_tcp_keepalive_interval">1800</Option>
|
|
<Option name="linux24_tcp_sack"/>
|
|
<Option name="linux24_tcp_syncookies"/>
|
|
<Option name="linux24_tcp_timestamps"/>
|
|
<Option name="linux24_tcp_window_scaling"/>
|
|
<Option name="load_modules">False</Option>
|
|
<Option name="local_nat">False</Option>
|
|
<Option name="log_all">False</Option>
|
|
<Option name="log_all_dropped">False</Option>
|
|
<Option name="log_invalid">False</Option>
|
|
<Option name="log_ip_opt">False</Option>
|
|
<Option name="log_level">debug</Option>
|
|
<Option name="log_limit_suffix">/second</Option>
|
|
<Option name="log_limit_value">0</Option>
|
|
<Option name="log_prefix"/>
|
|
<Option name="log_tcp_opt">False</Option>
|
|
<Option name="log_tcp_seq">False</Option>
|
|
<Option name="manage_virtual_addr">False</Option>
|
|
<Option name="mgmt_addr"/>
|
|
<Option name="mgmt_ssh">False</Option>
|
|
<Option name="no_iochains_for_any">False</Option>
|
|
<Option name="no_ipv6_default_policy">False</Option>
|
|
<Option name="no_optimisation">False</Option>
|
|
<Option name="output_file"/>
|
|
<Option name="platform">iptables</Option>
|
|
<Option name="prolog_place">top</Option>
|
|
<Option name="prolog_script"/>
|
|
<Option name="proxy_arp">False</Option>
|
|
<Option name="script_env_path"/>
|
|
<Option name="snmp_contact"/>
|
|
<Option name="snmp_description"/>
|
|
<Option name="snmp_location"/>
|
|
<Option name="sshArgs"/>
|
|
<Option name="ulog_cprange">0</Option>
|
|
<Option name="ulog_nlgroup">1</Option>
|
|
<Option name="ulog_qthreshold">1</Option>
|
|
<Option name="use_ULOG">False</Option>
|
|
<Option name="use_ip_tool">False</Option>
|
|
<Option name="use_iptables_restore">False</Option>
|
|
<Option name="use_numeric_log_levels">False</Option>
|
|
<Option name="verify_interfaces">False</Option>
|
|
</FirewallOptions>
|
|
</Firewall>
|
|
<Firewall id="id4833F62B6131" host_OS="linux24" inactive="False" lastCompiled="1280268015" lastInstalled="0" lastModified="1288399354" platform="iptables" version="" name="firewall-ipv6-1" comment="Using ULOG globally, but ipv6 rules should fall back to LOG because there is no ULOG for ip6tables yet. Bug 2141911 " ro="False">
|
|
<NAT id="id4833F62F6131" name="NAT" comment="" ro="False" ipv4_rule_set="False" ipv6_rule_set="False" top_rule_set="True">
|
|
<RuleSetOptions/>
|
|
</NAT>
|
|
<Policy id="id483F5B7623190" name="Policy_ipv6" comment="" ro="False" ipv4_rule_set="False" ipv6_rule_set="True" top_rule_set="True">
|
|
<PolicyRule id="id30141X31704" disabled="False" group="" log="False" position="0" action="Accept" direction="Outbound" comment="for bug 2047082 ">
|
|
<Src neg="False">
|
|
<ObjectRef ref="id4833F62B6131"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="stateless">False</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<PolicyRule id="id72496X4903" disabled="False" group="" log="False" position="1" action="Accept" direction="Both" comment="">
|
|
<Src neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="id47CBF5D129252"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="stateless">False</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<PolicyRule id="id72509X4903" disabled="False" group="" log="True" position="2" action="Deny" direction="Both" comment="">
|
|
<Src neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="id30841X361"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="stateless">True</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<PolicyRule id="id31046X27543" disabled="False" group="" log="False" position="3" action="Accept" direction="Both" comment="INPUT, OUTPUT, FORWARD">
|
|
<Src neg="False">
|
|
<ObjectRef ref="id4834B9206131"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="stateless">False</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<PolicyRule id="id72942X27543" disabled="False" group="" log="False" position="4" action="Accept" direction="Both" comment="INPUT, OUTPUT, FORWARD">
|
|
<Src neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="id4834B9206131"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="stateless">False</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<PolicyRule id="id113929X82687" disabled="False" group="" log="False" position="5" action="Deny" direction="Both" comment="for bug 2462927, ipv6 networks with /32 netmask">
|
|
<Src neg="False">
|
|
<ObjectRef ref="id40508X82687"/>
|
|
<ObjectRef ref="id40507X82687"/>
|
|
<ObjectRef ref="id169012X82687"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="id4833F62B6131"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="stateless">True</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<PolicyRule id="id38355X5161" disabled="False" group="" log="False" position="6" action="Accept" direction="Both" comment="">
|
|
<Src neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="id4833F62B6131"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="idCFE27660"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="color">#C0BA44</Option>
|
|
<Option name="stateless">False</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<PolicyRule id="id38369X5161" disabled="False" group="" log="False" position="7" action="Accept" direction="Inbound" comment="">
|
|
<Src neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="id4833F62B6131"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="idCFE27660"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="color">#C0BA44</Option>
|
|
<Option name="stateless">False</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<PolicyRule id="id90394X5161" disabled="False" group="" log="False" position="8" action="Accept" direction="Both" comment="">
|
|
<Src neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="idCFE27660"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="color">#C0BA44</Option>
|
|
<Option name="stateless">False</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<PolicyRule id="id2237207X9812" disabled="False" group="" log="False" position="9" action="Accept" direction="Inbound" comment="">
|
|
<Src neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="id4833F62B6131"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="idCFE27660"/>
|
|
<ServiceRef ref="id3B4FED9F"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="color">#C08B5A</Option>
|
|
<Option name="stateless">False</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<PolicyRule id="id2782843X9812" disabled="False" group="" log="False" position="10" action="Accept" direction="Inbound" comment="">
|
|
<Src neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="id4833F62B6131"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="idCFE27660"/>
|
|
<ServiceRef ref="id3E7E3E9A"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="color">#C08B5A</Option>
|
|
<Option name="stateless">False</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<PolicyRule id="id1419191X9812" disabled="False" group="" log="False" position="11" action="Accept" direction="Both" comment="">
|
|
<Src neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="id4833F62B6131"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="idCFE27660"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="color">#8BC065</Option>
|
|
<Option name="connlimit_above_not">False</Option>
|
|
<Option name="connlimit_masklen">0</Option>
|
|
<Option name="connlimit_value">0</Option>
|
|
<Option name="firewall_is_part_of_any_and_networks"/>
|
|
<Option name="hashlimit_burst">0</Option>
|
|
<Option name="hashlimit_dstlimit">False</Option>
|
|
<Option name="hashlimit_expire">0</Option>
|
|
<Option name="hashlimit_gcinterval">0</Option>
|
|
<Option name="hashlimit_max">0</Option>
|
|
<Option name="hashlimit_mode_dstip">False</Option>
|
|
<Option name="hashlimit_mode_dstport">False</Option>
|
|
<Option name="hashlimit_mode_srcip">False</Option>
|
|
<Option name="hashlimit_mode_srcport">False</Option>
|
|
<Option name="hashlimit_name"/>
|
|
<Option name="hashlimit_size">0</Option>
|
|
<Option name="hashlimit_suffix"/>
|
|
<Option name="hashlimit_value">0</Option>
|
|
<Option name="limit_burst">0</Option>
|
|
<Option name="limit_suffix"/>
|
|
<Option name="limit_value">0</Option>
|
|
<Option name="limit_value_not">False</Option>
|
|
<Option name="log_level"/>
|
|
<Option name="log_prefix"/>
|
|
<Option name="stateless">True</Option>
|
|
<Option name="ulog_nlgroup">1</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<PolicyRule id="id1419145X9812" disabled="False" group="" log="False" position="12" action="Accept" direction="Inbound" comment="">
|
|
<Src neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="id4833F62B6131"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="idCFE27660"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="color">#8BC065</Option>
|
|
<Option name="connlimit_above_not">False</Option>
|
|
<Option name="connlimit_masklen">0</Option>
|
|
<Option name="connlimit_value">0</Option>
|
|
<Option name="firewall_is_part_of_any_and_networks"/>
|
|
<Option name="hashlimit_burst">0</Option>
|
|
<Option name="hashlimit_dstlimit">False</Option>
|
|
<Option name="hashlimit_expire">0</Option>
|
|
<Option name="hashlimit_gcinterval">0</Option>
|
|
<Option name="hashlimit_max">0</Option>
|
|
<Option name="hashlimit_mode_dstip">False</Option>
|
|
<Option name="hashlimit_mode_dstport">False</Option>
|
|
<Option name="hashlimit_mode_srcip">False</Option>
|
|
<Option name="hashlimit_mode_srcport">False</Option>
|
|
<Option name="hashlimit_name"/>
|
|
<Option name="hashlimit_size">0</Option>
|
|
<Option name="hashlimit_suffix"/>
|
|
<Option name="hashlimit_value">0</Option>
|
|
<Option name="limit_burst">0</Option>
|
|
<Option name="limit_suffix"/>
|
|
<Option name="limit_value">0</Option>
|
|
<Option name="limit_value_not">False</Option>
|
|
<Option name="log_level"/>
|
|
<Option name="log_prefix"/>
|
|
<Option name="stateless">True</Option>
|
|
<Option name="ulog_nlgroup">1</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<PolicyRule id="id1419099X9812" disabled="False" group="" log="False" position="13" action="Accept" direction="Both" comment="">
|
|
<Src neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="idCFE27660"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="color">#8BC065</Option>
|
|
<Option name="connlimit_above_not">False</Option>
|
|
<Option name="connlimit_masklen">0</Option>
|
|
<Option name="connlimit_value">0</Option>
|
|
<Option name="firewall_is_part_of_any_and_networks"/>
|
|
<Option name="hashlimit_burst">0</Option>
|
|
<Option name="hashlimit_dstlimit">False</Option>
|
|
<Option name="hashlimit_expire">0</Option>
|
|
<Option name="hashlimit_gcinterval">0</Option>
|
|
<Option name="hashlimit_max">0</Option>
|
|
<Option name="hashlimit_mode_dstip">False</Option>
|
|
<Option name="hashlimit_mode_dstport">False</Option>
|
|
<Option name="hashlimit_mode_srcip">False</Option>
|
|
<Option name="hashlimit_mode_srcport">False</Option>
|
|
<Option name="hashlimit_name"/>
|
|
<Option name="hashlimit_size">0</Option>
|
|
<Option name="hashlimit_suffix"/>
|
|
<Option name="hashlimit_value">0</Option>
|
|
<Option name="limit_burst">0</Option>
|
|
<Option name="limit_suffix"/>
|
|
<Option name="limit_value">0</Option>
|
|
<Option name="limit_value_not">False</Option>
|
|
<Option name="log_level"/>
|
|
<Option name="log_prefix"/>
|
|
<Option name="stateless">True</Option>
|
|
<Option name="ulog_nlgroup">1</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<PolicyRule id="id43597X31704" disabled="False" group="" log="False" position="14" action="Accept" direction="Outbound" comment="">
|
|
<Src neg="False">
|
|
<ObjectRef ref="id4833F6316131"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="stateless">False</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<PolicyRule id="id43963X63240" disabled="False" group="" log="True" position="15" action="Deny" direction="Both" comment="ipv4 address range for bug 2820152">
|
|
<Src neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="id42386X35957"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="stateless">True</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<PolicyRule id="id43989X63637" disabled="False" group="" log="True" position="16" action="Deny" direction="Both" comment="ipv4 address range for bug 2820152 (second address-range object, same test case as the previous rule)">
|
|
<Src neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="id3F6D115C"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="stateless">True</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<RuleSetOptions/>
|
|
</Policy>
|
|
<Policy id="id4833F62E6131" name="Policy" comment="" ro="False" ipv4_rule_set="False" ipv6_rule_set="False" top_rule_set="True">
|
|
<PolicyRule id="id4837BFE628819" disabled="False" group="" log="False" position="0" action="Accept" direction="Both" comment="This rule shadows the next one (rule shadowing detection is enabled via check_shading). Note that the command line flag -xt is passed to the compiler via the cmdline firewall option.">
|
|
<Src neg="False">
|
|
<ObjectRef ref="id4834B9206131"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="id4833F6316131"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="tcp-SSH"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="stateless">False</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<PolicyRule id="id4834578B6131" disabled="False" group="" log="False" position="1" action="Accept" direction="Both" comment="">
|
|
<Src neg="False">
|
|
<ObjectRef ref="id48416A7216880"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="id4833F6316131"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="tcp-SSH"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="stateless">False</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<PolicyRule id="id4834577C6131" disabled="False" group="" log="True" position="2" action="Accept" direction="Both" comment="">
|
|
<Src neg="False">
|
|
<ObjectRef ref="id48416A7116880"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="id4833F62B6131"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="tcp-SSH"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="stateless">False</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<PolicyRule id="id4834D3038571" disabled="False" group="" log="True" position="3" action="Accept" direction="Both" comment="">
|
|
<Src neg="False">
|
|
<ObjectRef ref="id4834A2238571"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="id4833F6316131"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="tcp-SSH"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="stateless">False</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<PolicyRule id="id4834D3108571" disabled="False" group="" log="True" position="4" action="Accept" direction="Both" comment="">
|
|
<Src neg="False">
|
|
<ObjectRef ref="id4834A2278571"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="id4833F6316131"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="tcp-SSH"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="stateless">False</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<PolicyRule id="id4835040E8571" disabled="False" group="" log="True" position="5" action="Accept" direction="Both" comment="">
|
|
<Src neg="False">
|
|
<ObjectRef ref="id4834A2238571"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="id4833F62B6131"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="tcp-SSH"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="stateless">False</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<PolicyRule id="id4835041F8571" disabled="False" group="" log="True" position="6" action="Accept" direction="Both" comment="">
|
|
<Src neg="False">
|
|
<ObjectRef ref="id4834A2278571"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="id4833F62B6131"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="tcp-SSH"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="stateless">False</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<PolicyRule id="id4834576F6131" disabled="False" group="" log="True" position="7" action="Accept" direction="Inbound" comment="">
|
|
<Src neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="id4833F62B6131"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="stateless">False</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<PolicyRule id="id4834B9216131" disabled="False" group="" log="True" position="8" action="Accept" direction="Both" comment="">
|
|
<Src neg="False">
|
|
<ObjectRef ref="id4834B9206131"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="stateless">False</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<PolicyRule id="id483566468571" disabled="False" group="" log="True" position="9" action="Accept" direction="Both" comment="">
|
|
<Src neg="False">
|
|
<ObjectRef ref="id4834A2238571"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="stateless">False</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<PolicyRule id="id483566548571" disabled="False" group="" log="True" position="10" action="Accept" direction="Both" comment="">
|
|
<Src neg="False">
|
|
<ObjectRef ref="id4834A2278571"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="stateless">False</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<PolicyRule id="id80471535" disabled="False" group="" log="False" position="11" action="Accept" direction="Both" comment="">
|
|
<Src neg="False">
|
|
<ObjectRef ref="id4833F6316131"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="icmp-ping_request"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="stateless">False</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<PolicyRule id="id80541535" disabled="False" group="" log="False" position="12" action="Accept" direction="Both" comment="">
|
|
<Src neg="False">
|
|
<ObjectRef ref="id4833F6346131"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="icmp-ping_request"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="stateless">False</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<PolicyRule id="idA67C6042" disabled="False" group="" log="False" position="13" action="Accept" direction="Both" comment="">
|
|
<Src neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="id3C20EEB5"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="stateless">False</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<PolicyRule id="idA6B96042" disabled="False" group="" log="False" position="14" action="Accept" direction="Both" comment="">
|
|
<Src neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="idCFE27660"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="stateless">False</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<PolicyRule id="idA6896042" disabled="False" group="" log="False" position="15" action="Accept" direction="Both" comment="">
|
|
<Src neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="icmp-ping_request"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="stateless">False</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<PolicyRule id="idA6966042" disabled="False" group="" log="False" position="16" action="Accept" direction="Both" comment="">
|
|
<Src neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="ipv6-icmp-ping_request"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="stateless">False</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<PolicyRule id="idA6A86042" disabled="False" group="" log="False" position="17" action="Accept" direction="Both" comment="">
|
|
<Src neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="ipv6-icmp-ping_request"/>
|
|
<ServiceRef ref="icmp-ping_request"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="stateless">False</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<PolicyRule id="id86949X27543" disabled="False" group="" log="False" position="18" action="Accept" direction="Both" comment="INPUT, OUTPUT, FORWARD">
|
|
<Src neg="False">
|
|
<ObjectRef ref="id86936X27543"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="stateless">False</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<PolicyRule id="id86937X27543" disabled="False" group="" log="False" position="19" action="Accept" direction="Both" comment="INPUT, OUTPUT, FORWARD">
|
|
<Src neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="id86936X27543"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="stateless">False</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<PolicyRule id="id86421X4903" disabled="False" group="" log="False" position="20" action="Accept" direction="Both" comment="">
|
|
<Src neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="id47CBF5D129252"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="stateless">False</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<PolicyRule id="id86438X4903" disabled="False" group="" log="True" position="21" action="Deny" direction="Both" comment="">
|
|
<Src neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="id30841X361"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="stateless">True</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<RuleSetOptions/>
|
|
</Policy>
|
|
<Routing id="id4833F6306131" name="Routing" comment="" ro="False" ipv4_rule_set="False" ipv6_rule_set="False" top_rule_set="True">
|
|
<RuleSetOptions/>
|
|
</Routing>
|
|
<Interface id="id4833F6316131" dedicated_failover="False" dyn="False" label="" mgmt="True" security_level="50" unnum="False" unprotected="False" name="eth0" comment="" ro="False">
|
|
<IPv4 id="id4833F6326131" name="firewall-ipv6-1:eth0:ip" comment="" ro="False" address="1.1.1.1" netmask="255.255.255.0"/>
|
|
<IPv6 id="id4833F6346131" name="firewall-ipv6-1:eth0:ipv6" comment="" ro="False" address="fe80::21d:9ff:fe8b:8e94" netmask="64"/>
|
|
<InterfaceOptions/>
|
|
</Interface>
|
|
<Management address="1.1.1.1">
|
|
<SNMPManagement enabled="False" snmp_read_community="" snmp_write_community=""/>
|
|
<FWBDManagement enabled="False" identity="" port="-1"/>
|
|
<PolicyInstallScript arguments="" command="" enabled="False"/>
|
|
</Management>
|
|
<FirewallOptions>
|
|
<Option name="accept_established">True</Option>
|
|
<Option name="accept_new_tcp_with_no_syn">True</Option>
|
|
<Option name="action_on_reject"/>
|
|
<Option name="activationCmd"/>
|
|
<Option name="add_check_state_rule">true</Option>
|
|
<Option name="add_mgmt_ssh_rule_when_stoped">False</Option>
|
|
<Option name="add_rules_for_ipv6_neighbor_discovery">True</Option>
|
|
<Option name="admUser"/>
|
|
<Option name="altAddress"/>
|
|
<Option name="bridging_fw">False</Option>
|
|
<Option name="check_shading">True</Option>
|
|
<Option name="clamp_mss_to_mtu">False</Option>
|
|
<Option name="classify_mark_terminating">False</Option>
|
|
<Option name="clear_unknown_interfaces">False</Option>
|
|
<Option name="cmdline">-xt</Option>
|
|
<Option name="compiler"/>
|
|
<Option name="configure_bonding_interfaces">False</Option>
|
|
<Option name="configure_bridge_interfaces">False</Option>
|
|
<Option name="configure_interfaces">True</Option>
|
|
<Option name="configure_vlan_interfaces">False</Option>
|
|
<Option name="debug">False</Option>
|
|
<Option name="drop_invalid">True</Option>
|
|
<Option name="eliminate_duplicates">true</Option>
|
|
<Option name="enable_ipv6">True</Option>
|
|
<Option name="epilog_script"/>
|
|
<Option name="firewall_dir">/etc</Option>
|
|
<Option name="firewall_is_part_of_any_and_networks">True</Option>
|
|
<Option name="freebsd_ip_forward">1</Option>
|
|
<Option name="ignore_empty_groups">False</Option>
|
|
<Option name="in_out_code">true</Option>
|
|
<Option name="iosacl_add_clear_statements">true</Option>
|
|
<Option name="iosacl_assume_fw_part_of_any">true</Option>
|
|
<Option name="iosacl_include_comments">true</Option>
|
|
<Option name="ipv4_6_order">ipv4_first</Option>
|
|
<Option name="limit_suffix"/>
|
|
<Option name="limit_value">0</Option>
|
|
<Option name="linux24_accept_redirects"/>
|
|
<Option name="linux24_accept_source_route"/>
|
|
<Option name="linux24_icmp_echo_ignore_all"/>
|
|
<Option name="linux24_icmp_echo_ignore_broadcasts"/>
|
|
<Option name="linux24_icmp_ignore_bogus_error_responses"/>
|
|
<Option name="linux24_ip_dynaddr"/>
|
|
<Option name="linux24_ip_forward">1</Option>
|
|
<Option name="linux24_ipv6_forward">1</Option>
|
|
<Option name="linux24_log_martians"/>
|
|
<Option name="linux24_path_ip"/>
|
|
<Option name="linux24_path_ip6tables"/>
|
|
<Option name="linux24_path_ip6tables_restore"/>
|
|
<Option name="linux24_path_iptables"/>
|
|
<Option name="linux24_path_iptables_restore"/>
|
|
<Option name="linux24_path_logger"/>
|
|
<Option name="linux24_path_lsmod"/>
|
|
<Option name="linux24_path_modprobe"/>
|
|
<Option name="linux24_rp_filter"/>
|
|
<Option name="linux24_tcp_ecn"/>
|
|
<Option name="linux24_tcp_fack"/>
|
|
<Option name="linux24_tcp_fin_timeout">0</Option>
|
|
<Option name="linux24_tcp_keepalive_interval">0</Option>
|
|
<Option name="linux24_tcp_sack"/>
|
|
<Option name="linux24_tcp_syncookies"/>
|
|
<Option name="linux24_tcp_timestamps"/>
|
|
<Option name="linux24_tcp_window_scaling"/>
|
|
<Option name="load_modules">True</Option>
|
|
<Option name="local_nat">False</Option>
|
|
<Option name="log_all">False</Option>
|
|
<Option name="log_invalid">True</Option>
|
|
<Option name="log_ip_opt">False</Option>
|
|
<Option name="log_level">info</Option>
|
|
<Option name="log_prefix">RULE %N -- %A </Option>
|
|
<Option name="log_tcp_opt">False</Option>
|
|
<Option name="log_tcp_seq">False</Option>
|
|
<Option name="loopback_interface">lo0</Option>
|
|
<Option name="macosx_ip_forward">1</Option>
|
|
<Option name="manage_virtual_addr">True</Option>
|
|
<Option name="mgmt_addr">1.1.1.2</Option>
|
|
<Option name="mgmt_ssh">True</Option>
|
|
<Option name="no_ipv6_default_policy">False</Option>
|
|
<Option name="openbsd_ip_forward">1</Option>
|
|
<Option name="output_file"/>
|
|
<Option name="pass_all_out">false</Option>
|
|
<Option name="pf_limit_frags">5000</Option>
|
|
<Option name="pf_limit_states">10000</Option>
|
|
<Option name="pf_scrub_maxmss">1460</Option>
|
|
<Option name="pf_timeout_frag">30</Option>
|
|
<Option name="pf_timeout_interval">10</Option>
|
|
<Option name="pix_add_clear_statements">true</Option>
|
|
<Option name="pix_assume_fw_part_of_any">true</Option>
|
|
<Option name="pix_default_logint">300</Option>
|
|
<Option name="pix_emblem_log_format">false</Option>
|
|
<Option name="pix_emulate_out_acl">true</Option>
|
|
<Option name="pix_floodguard">true</Option>
|
|
<Option name="pix_include_comments">true</Option>
|
|
<Option name="pix_route_dnat_supported">true</Option>
|
|
<Option name="pix_rule_syslog_settings">false</Option>
|
|
<Option name="pix_security_fragguard_supported">true</Option>
|
|
<Option name="pix_syslog_device_id_supported">false</Option>
|
|
<Option name="pix_use_acl_remarks">true</Option>
|
|
<Option name="prolog_place">top</Option>
|
|
<Option name="prolog_script"/>
|
|
<Option name="prompt1">$ </Option>
|
|
<Option name="prompt2"> # </Option>
|
|
<Option name="scpArgs"/>
|
|
<Option name="script_name_on_firewall"/>
|
|
<Option name="solaris_ip_forward">1</Option>
|
|
<Option name="sshArgs"/>
|
|
<Option name="ulog_cprange">0</Option>
|
|
<Option name="ulog_nlgroup">1</Option>
|
|
<Option name="ulog_qthreshold">1</Option>
|
|
<Option name="use_ULOG">True</Option>
|
|
<Option name="use_iptables_restore">False</Option>
|
|
<Option name="use_m_set">False</Option>
|
|
<Option name="use_numeric_log_levels">False</Option>
|
|
<Option name="verify_interfaces">True</Option>
|
|
</FirewallOptions>
|
|
</Firewall>
|
|
<Firewall id="id4844C0A114522" host_OS="linux24" inactive="False" lastCompiled="1272404525" lastInstalled="0" lastModified="1212443911" platform="iptables" version="" name="firewall60" comment="testing time limiting for iptables &lt; 1.4.0" ro="False">
|
|
<NAT id="id4844C0A514522" name="NAT" comment="" ro="False" ipv4_rule_set="False" ipv6_rule_set="False" top_rule_set="True">
|
|
<RuleSetOptions/>
|
|
</NAT>
|
|
<Policy id="id4844C0A414522" name="Policy" comment="" ro="False" ipv4_rule_set="False" ipv6_rule_set="False" top_rule_set="True">
|
|
<PolicyRule id="id484523F114522" disabled="False" group="" log="True" position="0" action="Deny" direction="Both" comment="">
|
|
<Src neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="id3C63479C"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="stateless">True</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<PolicyRule id="id4844D58415791" disabled="False" group="" log="True" position="1" action="Deny" direction="Both" comment="">
|
|
<Src neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="id3C63479E"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="stateless">True</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<PolicyRule id="id4844D57815791" disabled="False" group="" log="True" position="2" action="Deny" direction="Both" comment="">
|
|
<Src neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="int-afterhours"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="stateless">True</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<PolicyRule id="id4844D56C15791" disabled="False" group="" log="True" position="3" action="Deny" direction="Both" comment="">
|
|
<Src neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="int-weekends"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="stateless">True</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<PolicyRule id="id4844D56015791" disabled="False" group="" log="True" position="4" action="Deny" direction="Both" comment="">
|
|
<Src neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="int-workhours"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="stateless">True</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<RuleSetOptions/>
|
|
</Policy>
|
|
<Routing id="id4844C0A614522" name="Routing" comment="" ro="False" ipv4_rule_set="False" ipv6_rule_set="False" top_rule_set="True">
|
|
<RuleSetOptions/>
|
|
</Routing>
|
|
<Interface id="id4844C0A814522" dedicated_failover="False" dyn="False" label="" mgmt="True" security_level="100" unnum="False" unprotected="False" name="eth0" comment="" ro="False">
|
|
<IPv4 id="id4844C0A914522" name="firewall60:eth0:ip" comment="" ro="False" address="192.168.1.1" netmask="255.255.255.0"/>
|
|
<InterfaceOptions/>
|
|
</Interface>
|
|
<Interface id="id4844F24B14522" dedicated_failover="False" dyn="False" label="" mgmt="False" security_level="0" unnum="False" unprotected="False" name="eth1" comment="" ro="False">
|
|
<IPv4 id="id4844F24C14522" name="firewall60:eth1:ip" comment="" ro="False" address="222.222.222.222" netmask="255.255.255.0"/>
|
|
<InterfaceOptions/>
|
|
</Interface>
|
|
<Management address="192.168.1.1">
|
|
<SNMPManagement enabled="False" snmp_read_community="" snmp_write_community=""/>
|
|
<FWBDManagement enabled="False" identity="" port="-1"/>
|
|
<PolicyInstallScript arguments="" command="" enabled="False"/>
|
|
</Management>
|
|
<FirewallOptions>
|
|
<Option name="accept_established">True</Option>
|
|
<Option name="accept_new_tcp_with_no_syn">True</Option>
|
|
<Option name="action_on_reject"/>
|
|
<Option name="activationCmd"/>
|
|
<Option name="add_check_state_rule">true</Option>
|
|
<Option name="admUser"/>
|
|
<Option name="altAddress"/>
|
|
<Option name="bridging_fw">False</Option>
|
|
<Option name="check_shading">False</Option>
|
|
<Option name="clamp_mss_to_mtu">False</Option>
|
|
<Option name="classify_mark_terminating">False</Option>
|
|
<Option name="cmdline"/>
|
|
<Option name="compiler"/>
|
|
<Option name="configure_interfaces">True</Option>
|
|
<Option name="debug">False</Option>
|
|
<Option name="drop_invalid">False</Option>
|
|
<Option name="eliminate_duplicates">true</Option>
|
|
<Option name="enable_ipv6">False</Option>
|
|
<Option name="epilog_script"/>
|
|
<Option name="firewall_dir">/etc</Option>
|
|
<Option name="firewall_is_part_of_any_and_networks">True</Option>
|
|
<Option name="freebsd_ip_forward">1</Option>
|
|
<Option name="ignore_empty_groups">False</Option>
|
|
<Option name="in_out_code">true</Option>
|
|
<Option name="iosacl_add_clear_statements">true</Option>
|
|
<Option name="iosacl_assume_fw_part_of_any">true</Option>
|
|
<Option name="iosacl_include_comments">true</Option>
|
|
<Option name="ipv4_6_order">ipv4_first</Option>
|
|
<Option name="limit_suffix"/>
|
|
<Option name="limit_value">0</Option>
|
|
<Option name="linux24_ip_forward">1</Option>
|
|
<Option name="load_modules">True</Option>
|
|
<Option name="local_nat">False</Option>
|
|
<Option name="log_all">False</Option>
|
|
<Option name="log_invalid">False</Option>
|
|
<Option name="log_ip_opt">False</Option>
|
|
<Option name="log_level">info</Option>
|
|
<Option name="log_prefix">RULE %N -- %A </Option>
|
|
<Option name="log_tcp_opt">False</Option>
|
|
<Option name="log_tcp_seq">False</Option>
|
|
<Option name="loopback_interface">lo0</Option>
|
|
<Option name="macosx_ip_forward">1</Option>
|
|
<Option name="manage_virtual_addr">True</Option>
|
|
<Option name="mgmt_addr"/>
|
|
<Option name="mgmt_ssh">False</Option>
|
|
<Option name="no_ipv6_default_policy">False</Option>
|
|
<Option name="openbsd_ip_forward">1</Option>
|
|
<Option name="output_file"/>
|
|
<Option name="pass_all_out">false</Option>
|
|
<Option name="pf_limit_frags">5000</Option>
|
|
<Option name="pf_limit_states">10000</Option>
|
|
<Option name="pf_scrub_maxmss">1460</Option>
|
|
<Option name="pf_timeout_frag">30</Option>
|
|
<Option name="pf_timeout_interval">10</Option>
|
|
<Option name="pix_add_clear_statements">true</Option>
|
|
<Option name="pix_assume_fw_part_of_any">true</Option>
|
|
<Option name="pix_default_logint">300</Option>
|
|
<Option name="pix_emblem_log_format">false</Option>
|
|
<Option name="pix_emulate_out_acl">true</Option>
|
|
<Option name="pix_floodguard">true</Option>
|
|
<Option name="pix_include_comments">true</Option>
|
|
<Option name="pix_route_dnat_supported">true</Option>
|
|
<Option name="pix_rule_syslog_settings">false</Option>
|
|
<Option name="pix_security_fragguard_supported">true</Option>
|
|
<Option name="pix_syslog_device_id_supported">false</Option>
|
|
<Option name="pix_use_acl_remarks">true</Option>
|
|
<Option name="prolog_place">top</Option>
|
|
<Option name="prolog_script"/>
|
|
<Option name="prompt1">$ </Option>
|
|
<Option name="prompt2"> # </Option>
|
|
<Option name="solaris_ip_forward">1</Option>
|
|
<Option name="sshArgs"/>
|
|
<Option name="ulog_cprange">0</Option>
|
|
<Option name="ulog_nlgroup">1</Option>
|
|
<Option name="ulog_qthreshold">1</Option>
|
|
<Option name="use_ULOG">False</Option>
|
|
<Option name="use_iptables_restore">False</Option>
|
|
<Option name="use_numeric_log_levels">False</Option>
|
|
<Option name="verify_interfaces">True</Option>
|
|
</FirewallOptions>
|
|
</Firewall>
|
|
<Firewall id="id4845077415791" host_OS="linux24" inactive="False" lastCompiled="1272404540" lastInstalled="0" lastModified="1230686952" platform="iptables" version="1.4.0" name="firewall61-1.4" comment="testing time limiting for iptables 1.4.0" ro="False">
|
|
<NAT id="id484507B715791" name="NAT" comment="" ro="False" ipv4_rule_set="False" ipv6_rule_set="False" top_rule_set="True">
|
|
<RuleSetOptions/>
|
|
</NAT>
|
|
<Policy id="id4845077A15791" name="Policy" comment="" ro="False" ipv4_rule_set="False" ipv6_rule_set="False" top_rule_set="True">
|
|
<PolicyRule id="id195154X64488" disabled="False" group="" log="True" position="0" action="Branch" direction="Both" comment="">
|
|
<Src neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="action_on_reject"/>
|
|
<Option name="branch_id">id37854X15403</Option>
|
|
<Option name="classify_str"/>
|
|
<Option name="custom_str"/>
|
|
<Option name="ipf_route_opt_addr"/>
|
|
<Option name="ipf_route_opt_if"/>
|
|
<Option name="ipf_route_option">route_through</Option>
|
|
<Option name="ipfw_classify_method">2</Option>
|
|
<Option name="ipfw_pipe_port_num">0</Option>
|
|
<Option name="ipfw_pipe_queue_num">0</Option>
|
|
<Option name="ipt_branch_in_mangle">False</Option>
|
|
<Option name="ipt_continue">False</Option>
|
|
<Option name="ipt_gw"/>
|
|
<Option name="ipt_iif"/>
|
|
<Option name="ipt_mark_connections">False</Option>
|
|
<Option name="ipt_oif"/>
|
|
<Option name="ipt_tee">False</Option>
|
|
<Option name="pf_fastroute">False</Option>
|
|
<Option name="pf_route_load_option">none</Option>
|
|
<Option name="pf_route_opt_addr"/>
|
|
<Option name="pf_route_opt_if"/>
|
|
<Option name="pf_route_option">route_through</Option>
|
|
<Option name="rule_name_accounting"/>
|
|
<Option name="stateless">True</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<RuleSetOptions/>
|
|
</Policy>
|
|
<Policy id="id59239X78859" name="Policy_ipv6" comment="v6 policy to test conditional generation of TCPMSS rule for ip6tables depending on version bug #2477775" ro="False" ipv4_rule_set="False" ipv6_rule_set="True" top_rule_set="True">
|
|
<PolicyRule id="id59240X78859" disabled="False" group="" log="True" position="0" action="Deny" direction="Both" comment="">
|
|
<Src neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="stateless">True</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<RuleSetOptions/>
|
|
</Policy>
|
|
<Routing id="id484507B815791" name="Routing" comment="" ro="False" ipv4_rule_set="False" ipv6_rule_set="False" top_rule_set="True">
|
|
<RuleSetOptions/>
|
|
</Routing>
|
|
<Interface id="id484507B915791" dedicated_failover="False" dyn="False" label="" mgmt="True" security_level="100" unnum="False" unprotected="False" name="eth0" comment="" ro="False">
|
|
<IPv4 id="id484507BB15791" name="firewall61-1.4:eth0:ip" comment="" ro="False" address="192.168.1.1" netmask="255.255.255.0"/>
|
|
<InterfaceOptions/>
|
|
</Interface>
|
|
<Interface id="id484507BC15791" dedicated_failover="False" dyn="False" label="" mgmt="False" security_level="0" unnum="False" unprotected="False" name="eth1" comment="" ro="False">
|
|
<IPv4 id="id484507BE15791" name="firewall61-1.4:eth1:ip" comment="" ro="False" address="222.222.222.222" netmask="255.255.255.0"/>
|
|
<InterfaceOptions/>
|
|
</Interface>
|
|
<Management address="192.168.1.1">
|
|
<SNMPManagement enabled="False" snmp_read_community="" snmp_write_community=""/>
|
|
<FWBDManagement enabled="False" identity="" port="-1"/>
|
|
<PolicyInstallScript arguments="" command="" enabled="False"/>
|
|
</Management>
|
|
<FirewallOptions>
|
|
<Option name="accept_established">True</Option>
|
|
<Option name="accept_new_tcp_with_no_syn">True</Option>
|
|
<Option name="action_on_reject"/>
|
|
<Option name="activationCmd"/>
|
|
<Option name="add_check_state_rule">true</Option>
|
|
<Option name="admUser"/>
|
|
<Option name="altAddress"/>
|
|
<Option name="bridging_fw">False</Option>
|
|
<Option name="check_shading">False</Option>
|
|
<Option name="clamp_mss_to_mtu">True</Option>
|
|
<Option name="classify_mark_terminating">False</Option>
|
|
<Option name="cmdline"/>
|
|
<Option name="compiler"/>
|
|
<Option name="configure_interfaces">True</Option>
|
|
<Option name="debug">False</Option>
|
|
<Option name="drop_invalid">False</Option>
|
|
<Option name="eliminate_duplicates">true</Option>
|
|
<Option name="enable_ipv6">False</Option>
|
|
<Option name="epilog_script"/>
|
|
<Option name="firewall_dir">/etc</Option>
|
|
<Option name="firewall_is_part_of_any_and_networks">True</Option>
|
|
<Option name="freebsd_ip_forward">1</Option>
|
|
<Option name="ignore_empty_groups">False</Option>
|
|
<Option name="in_out_code">true</Option>
|
|
<Option name="iosacl_add_clear_statements">true</Option>
|
|
<Option name="iosacl_assume_fw_part_of_any">true</Option>
|
|
<Option name="iosacl_include_comments">true</Option>
|
|
<Option name="ipt_mangle_only_rulesets"/>
|
|
<Option name="ipv4_6_order">ipv4_first</Option>
|
|
<Option name="limit_suffix"/>
|
|
<Option name="limit_value">0</Option>
|
|
<Option name="linux24_accept_redirects"/>
|
|
<Option name="linux24_accept_source_route"/>
|
|
<Option name="linux24_icmp_echo_ignore_all"/>
|
|
<Option name="linux24_icmp_echo_ignore_broadcasts"/>
|
|
<Option name="linux24_icmp_ignore_bogus_error_responses"/>
|
|
<Option name="linux24_ip_dynaddr"/>
|
|
<Option name="linux24_ip_forward">1</Option>
|
|
<Option name="linux24_ipv6_forward">1</Option>
|
|
<Option name="linux24_log_martians"/>
|
|
<Option name="linux24_path_ip"/>
|
|
<Option name="linux24_path_ip6tables"/>
|
|
<Option name="linux24_path_ip6tables_restore"/>
|
|
<Option name="linux24_path_iptables"/>
|
|
<Option name="linux24_path_iptables_restore"/>
|
|
<Option name="linux24_path_logger"/>
|
|
<Option name="linux24_path_lsmod"/>
|
|
<Option name="linux24_path_modprobe"/>
|
|
<Option name="linux24_rp_filter"/>
|
|
<Option name="linux24_tcp_ecn"/>
|
|
<Option name="linux24_tcp_fack"/>
|
|
<Option name="linux24_tcp_fin_timeout">0</Option>
|
|
<Option name="linux24_tcp_keepalive_interval">0</Option>
|
|
<Option name="linux24_tcp_sack"/>
|
|
<Option name="linux24_tcp_syncookies"/>
|
|
<Option name="linux24_tcp_timestamps"/>
|
|
<Option name="linux24_tcp_window_scaling"/>
|
|
<Option name="load_modules">True</Option>
|
|
<Option name="local_nat">False</Option>
|
|
<Option name="log_all">False</Option>
|
|
<Option name="log_invalid">False</Option>
|
|
<Option name="log_ip_opt">False</Option>
|
|
<Option name="log_level">info</Option>
|
|
<Option name="log_prefix">RULE %N -- %A </Option>
|
|
<Option name="log_tcp_opt">False</Option>
|
|
<Option name="log_tcp_seq">False</Option>
|
|
<Option name="loopback_interface">lo0</Option>
|
|
<Option name="macosx_ip_forward">1</Option>
|
|
<Option name="manage_virtual_addr">True</Option>
|
|
<Option name="mgmt_addr"/>
|
|
<Option name="mgmt_ssh">False</Option>
|
|
<Option name="no_ipv6_default_policy">False</Option>
|
|
<Option name="openbsd_ip_forward">1</Option>
|
|
<Option name="output_file"/>
|
|
<Option name="pass_all_out">false</Option>
|
|
<Option name="pf_limit_frags">5000</Option>
|
|
<Option name="pf_limit_states">10000</Option>
|
|
<Option name="pf_scrub_maxmss">1460</Option>
|
|
<Option name="pf_timeout_frag">30</Option>
|
|
<Option name="pf_timeout_interval">10</Option>
|
|
<Option name="pix_add_clear_statements">true</Option>
|
|
<Option name="pix_assume_fw_part_of_any">true</Option>
|
|
<Option name="pix_default_logint">300</Option>
|
|
<Option name="pix_emblem_log_format">false</Option>
|
|
<Option name="pix_emulate_out_acl">true</Option>
|
|
<Option name="pix_floodguard">true</Option>
|
|
<Option name="pix_include_comments">true</Option>
|
|
<Option name="pix_route_dnat_supported">true</Option>
|
|
<Option name="pix_rule_syslog_settings">false</Option>
|
|
<Option name="pix_security_fragguard_supported">true</Option>
|
|
<Option name="pix_syslog_device_id_supported">false</Option>
|
|
<Option name="pix_use_acl_remarks">true</Option>
|
|
<Option name="prolog_place">top</Option>
|
|
<Option name="prolog_script"/>
|
|
<Option name="prompt1">$ </Option>
|
|
<Option name="prompt2"> # </Option>
|
|
<Option name="solaris_ip_forward">1</Option>
|
|
<Option name="sshArgs"/>
|
|
<Option name="ulog_cprange">0</Option>
|
|
<Option name="ulog_nlgroup">1</Option>
|
|
<Option name="ulog_qthreshold">1</Option>
|
|
<Option name="use_ULOG">False</Option>
|
|
<Option name="use_iptables_restore">False</Option>
|
|
<Option name="use_numeric_log_levels">False</Option>
|
|
<Option name="verify_interfaces">True</Option>
|
|
</FirewallOptions>
|
|
</Firewall>
|
|
<Firewall id="id4848A4294626" host_OS="linux24" inactive="False" lastCompiled="1272403939" lastInstalled="1142003872" lastModified="1235665840" platform="iptables" version="" name="firewall-base-rulesets" comment="this firewall is used to test a rule in the global policy of object &quot;firewall&quot; " ro="False">
|
|
<NAT id="id4848A4304626" name="NAT" comment="" ro="False" ipv4_rule_set="False" ipv6_rule_set="False" top_rule_set="True">
|
|
<RuleSetOptions/>
|
|
</NAT>
|
|
<Policy id="id4848A42F4626" name="Policy" comment="" ro="False" ipv4_rule_set="False" ipv6_rule_set="False" top_rule_set="True">
|
|
<RuleSetOptions/>
|
|
</Policy>
|
|
<Policy id="id4848A4414626" name="web_server_inbound" comment="Basic rules for web servers. " ro="False" ipv4_rule_set="False" ipv6_rule_set="False" top_rule_set="False">
|
|
<PolicyRule id="id4848A4424626" disabled="False" group="" log="False" position="0" action="Accept" direction="Inbound" comment="">
|
|
<Src neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="tcp-HTTP"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="stateless">False</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<PolicyRule id="id4848A44F4626" disabled="False" group="" log="False" position="1" action="Accept" direction="Inbound" comment="">
|
|
<Src neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="icmp-Unreachables"/>
|
|
<ServiceRef ref="icmp-ping_request"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="stateless">False</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<PolicyRule id="id38434X42665" disabled="False" group="" log="True" position="2" action="Deny" direction="Both" comment="">
|
|
<Src neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="id3B4FEEEE"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="connlimit_masklen">0</Option>
|
|
<Option name="connlimit_value">0</Option>
|
|
<Option name="firewall_is_part_of_any_and_networks">False</Option>
|
|
<Option name="hashlimit_burst">0</Option>
|
|
<Option name="hashlimit_dstlimit">False</Option>
|
|
<Option name="hashlimit_expire">0</Option>
|
|
<Option name="hashlimit_gcinterval">0</Option>
|
|
<Option name="hashlimit_max">0</Option>
|
|
<Option name="hashlimit_mode_dstip">False</Option>
|
|
<Option name="hashlimit_mode_dstport">False</Option>
|
|
<Option name="hashlimit_mode_srcip">False</Option>
|
|
<Option name="hashlimit_mode_srcport">False</Option>
|
|
<Option name="hashlimit_name"/>
|
|
<Option name="hashlimit_size">0</Option>
|
|
<Option name="hashlimit_suffix"/>
|
|
<Option name="hashlimit_value">0</Option>
|
|
<Option name="limit_burst">0</Option>
|
|
<Option name="limit_suffix"/>
|
|
<Option name="limit_value">0</Option>
|
|
<Option name="log_level"/>
|
|
<Option name="log_prefix">%R/%N -- %A</Option>
|
|
<Option name="stateless">True</Option>
|
|
<Option name="ulog_nlgroup">1</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<RuleSetOptions/>
|
|
</Policy>
|
|
<Policy id="id48493B6E4626" name="mail_server_inbound" comment="Basic rules for mail servers" ro="False" ipv4_rule_set="False" ipv6_rule_set="False" top_rule_set="False">
|
|
<PolicyRule id="id48493B6F4626" disabled="False" group="" log="False" position="0" action="Accept" direction="Inbound" comment="">
|
|
<Src neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="tcp-SMTP"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="stateless">False</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<PolicyRule id="id48493B7B4626" disabled="False" group="" log="False" position="1" action="Accept" direction="Inbound" comment="">
|
|
<Src neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="icmp-Unreachables"/>
|
|
<ServiceRef ref="icmp-ping_request"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="stateless">False</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<RuleSetOptions/>
|
|
</Policy>
|
|
<Policy id="id484B0A134626" name="mail_server_outbound" comment="Basic rules for mail servers" ro="False" ipv4_rule_set="False" ipv6_rule_set="False" top_rule_set="False">
|
|
<PolicyRule id="id484B0A2D4626" disabled="False" group="" log="False" position="0" action="Accept" direction="Outbound" comment="">
|
|
<Src neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="id3F530CC8"/>
|
|
<ServiceRef ref="tcp-SMTP"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="stateless">False</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<PolicyRule id="id484B0A3A4626" disabled="False" group="" log="False" position="1" action="Accept" direction="Outbound" comment="">
|
|
<Src neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="icmp-Unreachables"/>
|
|
<ServiceRef ref="icmp-ping_request"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="stateless">False</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<RuleSetOptions/>
|
|
</Policy>
|
|
<Policy id="id484B3D324626" name="web_server_outbound" comment="Basic rules for web servers. " ro="False" ipv4_rule_set="False" ipv6_rule_set="False" top_rule_set="False">
|
|
<PolicyRule id="id484B3D3F4626" disabled="False" group="" log="False" position="0" action="Accept" direction="Outbound" comment="">
|
|
<Src neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="icmp-Unreachables"/>
|
|
<ServiceRef ref="icmp-ping_request"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="stateless">False</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<PolicyRule id="id484B3D4C4626" disabled="False" group="" log="False" position="1" action="Accept" direction="Outbound" comment="">
|
|
<Src neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="id3F530CC8"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="stateless">False</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<RuleSetOptions/>
|
|
</Policy>
|
|
<Policy id="id41960X1271" name="base-ruleset" comment="" ro="False" ipv4_rule_set="True" ipv6_rule_set="False" top_rule_set="False">
|
|
<PolicyRule id="id41961X1271" disabled="False" group="" log="False" position="0" action="Accept" direction="Both" comment="">
|
|
<Src neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="id4848A4294626"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="tcp-SSH"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="stateless">False</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<RuleSetOptions/>
|
|
</Policy>
|
|
<Routing id="id4848A4314626" name="Routing" comment="" ro="False" ipv4_rule_set="False" ipv6_rule_set="False" top_rule_set="True">
|
|
<RuleSetOptions/>
|
|
</Routing>
|
|
<Interface id="id4848A4324626" dedicated_failover="False" dyn="False" label="" mgmt="False" security_level="0" unnum="False" unprotected="False" name="eth0" comment="" ro="False">
|
|
<IPv4 id="id4848A4344626" name="firewall-base-rulesets:eth0:ip" comment="" ro="False" address="33.33.33.33" netmask="255.255.255.0"/>
|
|
<InterfaceOptions/>
|
|
</Interface>
|
|
<Interface id="id4848A4354626" dedicated_failover="False" dyn="False" label="" mgmt="False" security_level="100" unnum="False" unprotected="False" name="eth1" comment="" ro="False">
|
|
<IPv4 id="id4848A4374626" name="firewall-base-rulesets:eth1:ip" comment="" ro="False" address="172.16.1.1" netmask="255.255.255.0"/>
|
|
<InterfaceOptions/>
|
|
</Interface>
|
|
<Interface id="id4848A4384626" dedicated_failover="False" dyn="False" label="" mgmt="True" security_level="100" unnum="False" unprotected="False" name="eth2" comment="" ro="False">
|
|
<IPv4 id="id4848A43A4626" name="firewall-base-rulesets:eth2:ip" comment="" ro="False" address="192.168.100.1" netmask="255.255.255.0"/>
|
|
<InterfaceOptions/>
|
|
</Interface>
|
|
<Management address="192.168.100.1">
|
|
<SNMPManagement enabled="False" snmp_read_community="" snmp_write_community=""/>
|
|
<FWBDManagement enabled="True" identity="" port="9999"/>
|
|
<PolicyInstallScript arguments="" command="" enabled="False"/>
|
|
</Management>
|
|
<FirewallOptions>
|
|
<Option name="accept_established">True</Option>
|
|
<Option name="accept_new_tcp_with_no_syn">True</Option>
|
|
<Option name="action_on_reject">ICMP host prohibited</Option>
|
|
<Option name="bridging_fw">False</Option>
|
|
<Option name="check_shading">True</Option>
|
|
<Option name="clamp_mss_to_mtu">False</Option>
|
|
<Option name="cmdline"/>
|
|
<Option name="compiler"/>
|
|
<Option name="configure_interfaces">True</Option>
|
|
<Option name="debug">False</Option>
|
|
<Option name="dyn_addr">False</Option>
|
|
<Option name="firewall_is_part_of_any_and_networks">True</Option>
|
|
<Option name="ignore_empty_groups">False</Option>
|
|
<Option name="ipt_mangle_only_rulesets"/>
|
|
<Option name="limit_suffix">/day</Option>
|
|
<Option name="limit_value">0</Option>
|
|
<Option name="linux24_accept_redirects"/>
|
|
<Option name="linux24_accept_source_route"/>
|
|
<Option name="linux24_icmp_echo_ignore_all"/>
|
|
<Option name="linux24_icmp_echo_ignore_broadcasts"/>
|
|
<Option name="linux24_icmp_ignore_bogus_error_responses"/>
|
|
<Option name="linux24_ip_dynaddr"/>
|
|
<Option name="linux24_ip_forward"/>
|
|
<Option name="linux24_log_martians"/>
|
|
<Option name="linux24_path_ip"/>
|
|
<Option name="linux24_path_iptables"/>
|
|
<Option name="linux24_path_logger"/>
|
|
<Option name="linux24_path_lsmod"/>
|
|
<Option name="linux24_path_modprobe"/>
|
|
<Option name="linux24_rp_filter"/>
|
|
<Option name="linux24_tcp_ecn"/>
|
|
<Option name="linux24_tcp_fack"/>
|
|
<Option name="linux24_tcp_fin_timeout">30</Option>
|
|
<Option name="linux24_tcp_keepalive_interval">1800</Option>
|
|
<Option name="linux24_tcp_sack"/>
|
|
<Option name="linux24_tcp_syncookies"/>
|
|
<Option name="linux24_tcp_timestamps"/>
|
|
<Option name="linux24_tcp_window_scaling"/>
|
|
<Option name="load_modules">True</Option>
|
|
<Option name="local_nat">False</Option>
|
|
<Option name="log_all">False</Option>
|
|
<Option name="log_all_dropped">False</Option>
|
|
<Option name="log_ip_opt">False</Option>
|
|
<Option name="log_level">info</Option>
|
|
<Option name="log_prefix">RULE %N -- %A </Option>
|
|
<Option name="log_tcp_opt">False</Option>
|
|
<Option name="log_tcp_seq">False</Option>
|
|
<Option name="manage_virtual_addr">True</Option>
|
|
<Option name="no_optimisation">False</Option>
|
|
<Option name="script_env_path"/>
|
|
<Option name="snmp_contact"/>
|
|
<Option name="snmp_description"/>
|
|
<Option name="snmp_location"/>
|
|
<Option name="ulog_cprange">0</Option>
|
|
<Option name="ulog_nlgroup">1</Option>
|
|
<Option name="ulog_qthreshold">1</Option>
|
|
<Option name="use_ULOG">False</Option>
|
|
<Option name="use_numeric_log_levels">False</Option>
|
|
<Option name="verify_interfaces">False</Option>
|
|
</FirewallOptions>
|
|
</Firewall>
|
|
<Firewall id="id484A05C44626" host_OS="linux24" inactive="False" lastCompiled="1272404520" lastInstalled="1142003872" lastModified="1235665873" platform="iptables" version="" name="firewall51" comment="testing branching rules that point at rule sets defined in object firewall-base-rulesets" ro="False">
|
|
<NAT id="id484A06174626" name="NAT" comment="" ro="False" ipv4_rule_set="False" ipv6_rule_set="False" top_rule_set="True">
|
|
<RuleSetOptions/>
|
|
</NAT>
|
|
<Policy id="id484A05CA4626" name="Policy" comment="" ro="False" ipv4_rule_set="False" ipv6_rule_set="False" top_rule_set="True">
|
|
<PolicyRule id="id484A05CB4626" disabled="False" group="" log="False" position="0" action="Branch" direction="Both" comment="">
|
|
<Src neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="host-hostA"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="action_on_reject"/>
|
|
<Option name="branch_id">id48493B6E4626</Option>
|
|
<Option name="branch_name">rule0_branch</Option>
|
|
<Option name="classify_str"/>
|
|
<Option name="color">#8BC065</Option>
|
|
<Option name="custom_str"/>
|
|
<Option name="ipf_route_opt_addr"/>
|
|
<Option name="ipf_route_opt_if"/>
|
|
<Option name="ipf_route_option">route_through</Option>
|
|
<Option name="ipfw_classify_method">2</Option>
|
|
<Option name="ipfw_pipe_port_num">0</Option>
|
|
<Option name="ipfw_pipe_queue_num">0</Option>
|
|
<Option name="ipt_branch_in_mangle">False</Option>
|
|
<Option name="ipt_continue">False</Option>
|
|
<Option name="ipt_gw"/>
|
|
<Option name="ipt_iif"/>
|
|
<Option name="ipt_mark_connections">False</Option>
|
|
<Option name="ipt_oif"/>
|
|
<Option name="ipt_tee">False</Option>
|
|
<Option name="pf_fastroute">False</Option>
|
|
<Option name="pf_route_load_option">none</Option>
|
|
<Option name="pf_route_opt_addr"/>
|
|
<Option name="pf_route_opt_if"/>
|
|
<Option name="pf_route_option">route_through</Option>
|
|
<Option name="rule_name_accounting"/>
|
|
<Option name="stateless">True</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<PolicyRule id="id484B704C4626" disabled="False" group="" log="False" position="1" action="Branch" direction="Both" comment="">
|
|
<Src neg="False">
|
|
<ObjectRef ref="host-hostA"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="action_on_reject"/>
|
|
<Option name="branch_id">id484B0A134626</Option>
|
|
<Option name="branch_name">rule0_branch</Option>
|
|
<Option name="classify_str"/>
|
|
<Option name="color">#8BC065</Option>
|
|
<Option name="custom_str"/>
|
|
<Option name="ipf_route_opt_addr"/>
|
|
<Option name="ipf_route_opt_if"/>
|
|
<Option name="ipf_route_option">route_reply_through</Option>
|
|
<Option name="ipfw_classify_method">2</Option>
|
|
<Option name="ipfw_pipe_port_num">0</Option>
|
|
<Option name="ipfw_pipe_queue_num">0</Option>
|
|
<Option name="ipt_branch_in_mangle">False</Option>
|
|
<Option name="ipt_continue">False</Option>
|
|
<Option name="ipt_gw"/>
|
|
<Option name="ipt_iif"/>
|
|
<Option name="ipt_mark_connections">False</Option>
|
|
<Option name="ipt_oif"/>
|
|
<Option name="ipt_tee">False</Option>
|
|
<Option name="pf_fastroute">False</Option>
|
|
<Option name="pf_route_load_option">none</Option>
|
|
<Option name="pf_route_opt_addr"/>
|
|
<Option name="pf_route_opt_if"/>
|
|
<Option name="pf_route_option">route_reply_through</Option>
|
|
<Option name="rule_name_accounting"/>
|
|
<Option name="stateless">True</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<PolicyRule id="id484A05D84626" disabled="False" group="" log="False" position="2" action="Branch" direction="Both" comment="">
|
|
<Src neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="host-hostB"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="action_on_reject"/>
|
|
<Option name="branch_id">id4848A4414626</Option>
|
|
<Option name="branch_name">rule1_branch</Option>
|
|
<Option name="classify_str"/>
|
|
<Option name="color">#8BC065</Option>
|
|
<Option name="custom_str"/>
|
|
<Option name="ipf_route_opt_addr"/>
|
|
<Option name="ipf_route_opt_if"/>
|
|
<Option name="ipf_route_option">route_through</Option>
|
|
<Option name="ipfw_classify_method">2</Option>
|
|
<Option name="ipfw_pipe_port_num">0</Option>
|
|
<Option name="ipfw_pipe_queue_num">0</Option>
|
|
<Option name="ipt_branch_in_mangle">False</Option>
|
|
<Option name="ipt_continue">False</Option>
|
|
<Option name="ipt_gw"/>
|
|
<Option name="ipt_iif"/>
|
|
<Option name="ipt_mark_connections">False</Option>
|
|
<Option name="ipt_oif"/>
|
|
<Option name="ipt_tee">False</Option>
|
|
<Option name="pf_fastroute">False</Option>
|
|
<Option name="pf_route_load_option">none</Option>
|
|
<Option name="pf_route_opt_addr"/>
|
|
<Option name="pf_route_opt_if"/>
|
|
<Option name="pf_route_option">route_through</Option>
|
|
<Option name="rule_name_accounting"/>
|
|
<Option name="stateless">True</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<PolicyRule id="id484B705F4626" disabled="False" group="" log="False" position="3" action="Branch" direction="Both" comment="">
|
|
<Src neg="False">
|
|
<ObjectRef ref="host-hostB"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="action_on_reject"/>
|
|
<Option name="branch_id">id484B3D324626</Option>
|
|
<Option name="branch_name">rule1_branch</Option>
|
|
<Option name="classify_str"/>
|
|
<Option name="color">#8BC065</Option>
|
|
<Option name="custom_str"/>
|
|
<Option name="ipf_route_opt_addr"/>
|
|
<Option name="ipf_route_opt_if"/>
|
|
<Option name="ipf_route_option">route_reply_through</Option>
|
|
<Option name="ipfw_classify_method">2</Option>
|
|
<Option name="ipfw_pipe_port_num">0</Option>
|
|
<Option name="ipfw_pipe_queue_num">0</Option>
|
|
<Option name="ipt_branch_in_mangle">False</Option>
|
|
<Option name="ipt_continue">False</Option>
|
|
<Option name="ipt_gw"/>
|
|
<Option name="ipt_iif"/>
|
|
<Option name="ipt_mark_connections">False</Option>
|
|
<Option name="ipt_oif"/>
|
|
<Option name="ipt_tee">False</Option>
|
|
<Option name="pf_fastroute">False</Option>
|
|
<Option name="pf_route_load_option">none</Option>
|
|
<Option name="pf_route_opt_addr"/>
|
|
<Option name="pf_route_opt_if"/>
|
|
<Option name="pf_route_option">route_reply_through</Option>
|
|
<Option name="rule_name_accounting"/>
|
|
<Option name="stateless">True</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<PolicyRule id="id61000X1271" disabled="False" group="" log="False" position="4" action="Branch" direction="Both" comment="">
|
|
<Src neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="action_on_reject"/>
|
|
<Option name="branch_id">id41960X1271</Option>
|
|
<Option name="classify_str"/>
|
|
<Option name="custom_str"/>
|
|
<Option name="ipf_route_opt_addr"/>
|
|
<Option name="ipf_route_opt_if"/>
|
|
<Option name="ipf_route_option">route_through</Option>
|
|
<Option name="ipfw_classify_method">2</Option>
|
|
<Option name="ipfw_pipe_port_num">0</Option>
|
|
<Option name="ipfw_pipe_queue_num">0</Option>
|
|
<Option name="ipt_branch_in_mangle">False</Option>
|
|
<Option name="ipt_continue">False</Option>
|
|
<Option name="ipt_gw"/>
|
|
<Option name="ipt_iif"/>
|
|
<Option name="ipt_mark_connections">False</Option>
|
|
<Option name="ipt_oif"/>
|
|
<Option name="ipt_tee">False</Option>
|
|
<Option name="pf_fastroute">False</Option>
|
|
<Option name="pf_route_load_option">none</Option>
|
|
<Option name="pf_route_opt_addr"/>
|
|
<Option name="pf_route_opt_if"/>
|
|
<Option name="pf_route_option">route_through</Option>
|
|
<Option name="rule_name_accounting"/>
|
|
<Option name="stateless">True</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<PolicyRule id="id484A05E44626" disabled="False" group="" log="False" position="5" action="Branch" direction="Both" comment="">
|
|
<Src neg="False">
|
|
<ObjectRef ref="id3CEBFDFC"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="branch_name">rule2_branch</Option>
|
|
<Option name="color">#7694C0</Option>
|
|
<Option name="stateless">True</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<RuleSetOptions/>
|
|
</Policy>
|
|
<Policy id="id484A06094626" name="rule2_branch" comment="" ro="False" ipv4_rule_set="False" ipv6_rule_set="False" top_rule_set="False">
|
|
<PolicyRule id="id484A060A4626" disabled="False" group="" log="True" position="0" action="Deny" direction="Both" comment="">
|
|
<Src neg="True">
|
|
<ObjectRef ref="id3CEBFDFC"/>
|
|
<ObjectRef ref="id4733FFE419714"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="stateless">True</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<RuleSetOptions/>
|
|
</Policy>
|
|
<Routing id="id484A06184626" name="Routing" comment="" ro="False" ipv4_rule_set="False" ipv6_rule_set="False" top_rule_set="True">
|
|
<RuleSetOptions/>
|
|
</Routing>
|
|
<Interface id="id484A06194626" dedicated_failover="False" dyn="False" label="" mgmt="True" security_level="100" unnum="False" unprotected="False" name="eth0" comment="" ro="False">
|
|
<IPv4 id="id484A061B4626" name="firewall51:eth0:ip" comment="" ro="False" address="192.168.1.1" netmask="255.255.255.0"/>
|
|
<InterfaceOptions/>
|
|
</Interface>
|
|
<Interface id="id484A061C4626" dedicated_failover="False" dyn="False" security_level="0" unnum="False" unprotected="False" name="eth1" comment="" ro="False">
|
|
<IPv4 id="id484A061E4626" name="firewall51:eth1:ip" comment="" ro="False" address="22.22.22.22" netmask="255.255.255.0"/>
|
|
<InterfaceOptions/>
|
|
</Interface>
|
|
<Interface id="id484A061F4626" dedicated_failover="False" dyn="False" security_level="100" unnum="False" unprotected="False" name="lo" comment="" ro="False">
|
|
<IPv4 id="id484A06224626" name="firewall51:lo:ip1" comment="" ro="False" address="127.0.0.1" netmask="255.0.0.0"/>
|
|
<IPv4 id="id484A06234626" name="firewall51:lo:ip2" comment="" ro="False" address="192.168.1.1" netmask="255.255.255.0"/>
|
|
<InterfaceOptions/>
|
|
</Interface>
|
|
<!-- NOTE(review): the management address is the unspecified address 0.0.0.0
     while FWBDManagement is enabled on port 9999, and the SNMP read community
     is the well-known default "public" (SNMP management itself is disabled).
     Presumably a test fixture; confirm before reusing this object as a
     template for a real firewall. -->
<Management address="0.0.0.0">
|
|
<SNMPManagement enabled="False" snmp_read_community="public" snmp_write_community=""/>
|
|
<FWBDManagement enabled="True" identity="" port="9999"/>
|
|
<PolicyInstallScript arguments="" command="" enabled="False"/>
|
|
</Management>
|
|
<FirewallOptions>
|
|
<Option name="accept_established">True</Option>
|
|
<Option name="accept_new_tcp_with_no_syn">True</Option>
|
|
<Option name="action_on_reject">ICMP net unreachable</Option>
|
|
<Option name="activationCmd"/>
|
|
<Option name="admUser"/>
|
|
<Option name="altAddress"/>
|
|
<Option name="bridging_fw">False</Option>
|
|
<Option name="check_shading">False</Option>
|
|
<Option name="clamp_mss_to_mtu">False</Option>
|
|
<Option name="classify_mark_terminating">False</Option>
|
|
<Option name="cmdline"/>
|
|
<Option name="compiler"/>
|
|
<Option name="configure_interfaces">False</Option>
|
|
<Option name="debug">False</Option>
|
|
<Option name="drop_invalid">False</Option>
|
|
<Option name="dyn_addr">False</Option>
|
|
<Option name="epilog_script"/>
|
|
<Option name="firewall_dir"/>
|
|
<Option name="firewall_is_part_of_any">True</Option>
|
|
<Option name="firewall_is_part_of_any_and_networks">True</Option>
|
|
<Option name="ignore_empty_groups">False</Option>
|
|
<Option name="inst_cmdline"/>
|
|
<Option name="inst_script"/>
|
|
<Option name="install_script"/>
|
|
<Option name="limit_suffix">/day</Option>
|
|
<Option name="limit_value">0</Option>
|
|
<Option name="linux24_accept_redirects"/>
|
|
<Option name="linux24_accept_source_route"/>
|
|
<Option name="linux24_icmp_echo_ignore_all"/>
|
|
<Option name="linux24_icmp_echo_ignore_broadcasts"/>
|
|
<Option name="linux24_icmp_ignore_bogus_error_responses"/>
|
|
<Option name="linux24_ip_dynaddr"/>
|
|
<Option name="linux24_ip_forward"/>
|
|
<Option name="linux24_log_martians"/>
|
|
<Option name="linux24_path_ip"/>
|
|
<Option name="linux24_path_iptables"/>
|
|
<Option name="linux24_path_logger"/>
|
|
<Option name="linux24_path_lsmod"/>
|
|
<Option name="linux24_path_modprobe"/>
|
|
<Option name="linux24_rp_filter"/>
|
|
<Option name="linux24_tcp_ecn"/>
|
|
<Option name="linux24_tcp_fack"/>
|
|
<Option name="linux24_tcp_fin_timeout">30</Option>
|
|
<Option name="linux24_tcp_keepalive_interval">1800</Option>
|
|
<Option name="linux24_tcp_sack"/>
|
|
<Option name="linux24_tcp_syncookies"/>
|
|
<Option name="linux24_tcp_timestamps"/>
|
|
<Option name="linux24_tcp_window_scaling"/>
|
|
<Option name="load_modules">False</Option>
|
|
<Option name="local_nat">False</Option>
|
|
<Option name="log_all">False</Option>
|
|
<Option name="log_all_dropped">False</Option>
|
|
<Option name="log_invalid">False</Option>
|
|
<Option name="log_ip_opt">False</Option>
|
|
<Option name="log_level">debug</Option>
|
|
<Option name="log_limit_suffix">/second</Option>
|
|
<Option name="log_limit_value">0</Option>
|
|
<Option name="log_prefix"/>
|
|
<Option name="log_tcp_opt">False</Option>
|
|
<Option name="log_tcp_seq">False</Option>
|
|
<Option name="manage_virtual_addr">False</Option>
|
|
<Option name="mgmt_addr"/>
|
|
<Option name="mgmt_ssh">False</Option>
|
|
<Option name="no_iochains_for_any">False</Option>
|
|
<Option name="no_ipv6_default_policy">False</Option>
|
|
<Option name="no_optimisation">False</Option>
|
|
<Option name="output_file"/>
|
|
<Option name="platform">iptables</Option>
|
|
<Option name="prolog_place">top</Option>
|
|
<Option name="prolog_script"/>
|
|
<Option name="proxy_arp">False</Option>
|
|
<Option name="script_env_path"/>
|
|
<Option name="snmp_contact"/>
|
|
<Option name="snmp_description"/>
|
|
<Option name="snmp_location"/>
|
|
<Option name="sshArgs"/>
|
|
<Option name="ulog_cprange">0</Option>
|
|
<Option name="ulog_nlgroup">1</Option>
|
|
<Option name="ulog_qthreshold">1</Option>
|
|
<Option name="use_ULOG">False</Option>
|
|
<Option name="use_ip_tool">False</Option>
|
|
<Option name="use_iptables_restore">False</Option>
|
|
<Option name="use_numeric_log_levels">False</Option>
|
|
<Option name="verify_interfaces">False</Option>
|
|
</FirewallOptions>
|
|
</Firewall>
|
|
<Firewall id="id4848F19020246" host_OS="linux24" inactive="False" lastCompiled="1272404543" lastInstalled="0" lastModified="1224814681" platform="iptables" version="1.4.0" name="firewall62" comment="testing rules using UserService object. Note that iptables does not allow an iptables command that tries to match using module 'owner' in any chain other than OUTPUT. This includes user-defined chains too (it checks how control passes to the user-defined chain and blocks the command if it appears that the user-defined chain gets control from somewhere other than OUTPUT)." ro="False">
|
|
<NAT id="id4848F1D320246" name="NAT" comment="" ro="False" ipv4_rule_set="False" ipv6_rule_set="False" top_rule_set="True">
|
|
<RuleSetOptions/>
|
|
</NAT>
|
|
<Policy id="id4848F19620246" name="Policy" comment="" ro="False" ipv4_rule_set="False" ipv6_rule_set="False" top_rule_set="True">
|
|
<PolicyRule id="id4848F19720246" disabled="False" group="" log="False" position="0" action="Accept" direction="Both" comment="">
|
|
<Src neg="False">
|
|
<ObjectRef ref="id4848F19020246"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="id4849253820246"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="stateless">False</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<PolicyRule id="id484A8D2620246" disabled="False" group="" log="False" position="1" action="Accept" direction="Outbound" comment=" ">
|
|
<Src neg="False">
|
|
<ObjectRef ref="id4848F19020246"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="id4849253820246"/>
|
|
<ServiceRef ref="tcp-HTTP"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="stateless">False</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<PolicyRule id="id484A599620246" disabled="False" group="" log="False" position="2" action="Accept" direction="Both" comment=" ">
|
|
<Src neg="False">
|
|
<ObjectRef ref="id4848F19020246"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="id4849253820246"/>
|
|
<ServiceRef ref="tcp-HTTP"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="stateless">False</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<PolicyRule id="id484A8D3820246" disabled="False" group="" log="False" position="3" action="Accept" direction="Outbound" comment="">
|
|
<Src neg="False">
|
|
<ObjectRef ref="id4848F19020246"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="id4849253820246"/>
|
|
<ServiceRef ref="tcp-HTTP"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="stateless">False</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<PolicyRule id="id4848F1A320246" disabled="False" group="" log="False" position="4" action="Accept" direction="Both" comment="">
|
|
<Src neg="False">
|
|
<ObjectRef ref="id4848F1D520246"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="id4849253820246"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="stateless">False</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<PolicyRule id="id4848F1AF20246" disabled="False" group="" log="False" position="5" action="Accept" direction="Both" comment="">
|
|
<Src neg="False">
|
|
<ObjectRef ref="id3CEBFDFC"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="id4849253820246"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="stateless">False</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<PolicyRule id="id4848F1BB20246" disabled="False" group="" log="False" position="6" action="Accept" direction="Both" comment="">
|
|
<Src neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="id4848F19020246"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="id4849253820246"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="stateless">False</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<PolicyRule id="id484AF47A20246" disabled="False" group="" log="False" position="7" action="Accept" direction="Inbound" comment="direction inbound - can not use user service in INPUT chain">
|
|
<Src neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="id4848F19020246"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="id4849253820246"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="stateless">False</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<PolicyRule id="id484A261420246" disabled="False" group="" log="False" position="8" action="Accept" direction="Both" comment="">
|
|
<Src neg="True">
|
|
<ObjectRef ref="id3CEBFDFC"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="id4849253820246"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="stateless">False</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<PolicyRule id="id484A260320246" disabled="False" group="" log="False" position="9" action="Accept" direction="Both" comment="">
|
|
<Src neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Src>
|
|
<Dst neg="True">
|
|
<ObjectRef ref="id4848F19020246"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="id4849253820246"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="connlimit_masklen">0</Option>
|
|
<Option name="connlimit_value">0</Option>
|
|
<Option name="firewall_is_part_of_any_and_networks">False</Option>
|
|
<Option name="hashlimit_burst">0</Option>
|
|
<Option name="hashlimit_dstlimit">False</Option>
|
|
<Option name="hashlimit_expire">0</Option>
|
|
<Option name="hashlimit_gcinterval">0</Option>
|
|
<Option name="hashlimit_max">0</Option>
|
|
<Option name="hashlimit_mode_dstip">False</Option>
|
|
<Option name="hashlimit_mode_dstport">False</Option>
|
|
<Option name="hashlimit_mode_srcip">False</Option>
|
|
<Option name="hashlimit_mode_srcport">False</Option>
|
|
<Option name="hashlimit_name"/>
|
|
<Option name="hashlimit_size">0</Option>
|
|
<Option name="hashlimit_suffix"/>
|
|
<Option name="hashlimit_value">0</Option>
|
|
<Option name="limit_burst">0</Option>
|
|
<Option name="limit_suffix"/>
|
|
<Option name="limit_value">0</Option>
|
|
<Option name="log_level"/>
|
|
<Option name="log_prefix"/>
|
|
<Option name="stateless">False</Option>
|
|
<Option name="ulog_nlgroup">1</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<PolicyRule id="id55355X1137" disabled="False" group="" log="False" position="10" action="Accept" direction="Both" comment="bug 2186568">
|
|
<Src neg="False">
|
|
<ObjectRef ref="id4848F19020246"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="id38142X1137"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="stateless">False</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<PolicyRule id="id55369X1137" disabled="False" group="" log="False" position="11" action="Accept" direction="Both" comment="bug 2186568">
|
|
<Src neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="id4848F19020246"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="id38142X1137"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="stateless">False</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<PolicyRule id="id72645X1137" disabled="False" group="" log="False" position="12" action="Accept" direction="Both" comment="bug 2186568">
|
|
<Src neg="False">
|
|
<ObjectRef ref="id4848F19020246"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Dst>
|
|
<Srv neg="True">
|
|
<ServiceRef ref="id4849253820246"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="stateless">False</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<PolicyRule id="id72626X1137" disabled="False" group="" log="False" position="13" action="Accept" direction="Both" comment="bug 2186568">
|
|
<Src neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="id4848F19020246"/>
|
|
</Dst>
|
|
<Srv neg="True">
|
|
<ServiceRef ref="id4849253820246"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="stateless">False</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<PolicyRule id="id124556X1137" disabled="False" group="" log="False" position="14" action="Accept" direction="Both" comment="bug 2186568">
|
|
<Src neg="False">
|
|
<ObjectRef ref="id4848F19020246"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Dst>
|
|
<Srv neg="True">
|
|
<ServiceRef ref="id38142X1137"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="stateless">False</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<PolicyRule id="id124573X1137" disabled="False" group="" log="False" position="15" action="Accept" direction="Both" comment="bug 2186568">
|
|
<Src neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="id4848F19020246"/>
|
|
</Dst>
|
|
<Srv neg="True">
|
|
<ServiceRef ref="id38142X1137"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="stateless">False</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<PolicyRule id="id89947X1137" disabled="False" group="" log="False" position="16" action="Accept" direction="Both" comment="bug 2186568">
|
|
<Src neg="False">
|
|
<ObjectRef ref="id4848F19020246"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="id4849253820246"/>
|
|
<ServiceRef ref="id4849253720246"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="stateless">False</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<PolicyRule id="id89930X1137" disabled="False" group="" log="False" position="17" action="Accept" direction="Both" comment="bug 2186568">
|
|
<Src neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="id4848F19020246"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="id4849253820246"/>
|
|
<ServiceRef ref="id4849253720246"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="stateless">False</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<!-- Final catch-all rule (position 18): deny Any -> Any for the Any IP service, on
     all interfaces, at any time. Logging is off (log="False"), so traffic that
     reaches this rule is dropped without a record; a rule set meant for production
     would normally log its catch-all deny. -->
<PolicyRule id="id4848F1C720246" disabled="False" group="" log="False" position="18" action="Deny" direction="Both" comment="">
|
|
<Src neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<!-- stateless="True" on the deny rule, unlike the Accept rules above it, which
     all carry stateless="False". -->
<Option name="stateless">True</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<RuleSetOptions/>
|
|
</Policy>
|
|
<Routing id="id4848F1D420246" name="Routing" comment="" ro="False" ipv4_rule_set="False" ipv6_rule_set="False" top_rule_set="True">
|
|
<RuleSetOptions/>
|
|
</Routing>
|
|
<Interface id="id4848F1D520246" dedicated_failover="False" dyn="False" label="" mgmt="True" security_level="100" unnum="False" unprotected="False" name="eth0" comment="" ro="False">
|
|
<IPv4 id="id4848F1D720246" name="firewall62:eth0:ip" comment="" ro="False" address="192.168.1.1" netmask="255.255.255.0"/>
|
|
<InterfaceOptions/>
|
|
</Interface>
|
|
<Interface id="id4848F1D820246" dedicated_failover="False" dyn="False" label="" mgmt="False" security_level="0" unnum="False" unprotected="False" name="eth1" comment="" ro="False">
|
|
<IPv4 id="id4848F1DA20246" name="firewall62:eth1:ip" comment="" ro="False" address="222.222.222.222" netmask="255.255.255.0"/>
|
|
<InterfaceOptions/>
|
|
</Interface>
|
|
<Management address="192.168.1.1">
|
|
<SNMPManagement enabled="False" snmp_read_community="" snmp_write_community=""/>
|
|
<FWBDManagement enabled="False" identity="" port="-1"/>
|
|
<PolicyInstallScript arguments="" command="" enabled="False"/>
|
|
</Management>
|
|
<FirewallOptions>
|
|
<Option name="accept_established">True</Option>
|
|
<Option name="accept_new_tcp_with_no_syn">True</Option>
|
|
<Option name="action_on_reject"/>
|
|
<Option name="activationCmd"/>
|
|
<Option name="add_check_state_rule">true</Option>
|
|
<Option name="admUser"/>
|
|
<Option name="altAddress"/>
|
|
<Option name="bridging_fw">False</Option>
|
|
<Option name="check_shading">False</Option>
|
|
<Option name="clamp_mss_to_mtu">True</Option>
|
|
<Option name="classify_mark_terminating">False</Option>
|
|
<Option name="cmdline"/>
|
|
<Option name="compiler"/>
|
|
<Option name="configure_interfaces">True</Option>
|
|
<Option name="debug">False</Option>
|
|
<Option name="drop_invalid">False</Option>
|
|
<Option name="eliminate_duplicates">true</Option>
|
|
<Option name="enable_ipv6">False</Option>
|
|
<Option name="epilog_script"/>
|
|
<Option name="firewall_dir">/etc</Option>
|
|
<Option name="firewall_is_part_of_any_and_networks">True</Option>
|
|
<Option name="freebsd_ip_forward">1</Option>
|
|
<Option name="ignore_empty_groups">False</Option>
|
|
<Option name="in_out_code">true</Option>
|
|
<Option name="iosacl_add_clear_statements">true</Option>
|
|
<Option name="iosacl_assume_fw_part_of_any">true</Option>
|
|
<Option name="iosacl_include_comments">true</Option>
|
|
<Option name="ipv4_6_order">ipv4_first</Option>
|
|
<Option name="limit_suffix"/>
|
|
<Option name="limit_value">0</Option>
|
|
<Option name="linux24_ip_forward">1</Option>
|
|
<Option name="load_modules">True</Option>
|
|
<Option name="local_nat">False</Option>
|
|
<Option name="log_all">False</Option>
|
|
<Option name="log_invalid">False</Option>
|
|
<Option name="log_ip_opt">False</Option>
|
|
<Option name="log_level">info</Option>
|
|
<Option name="log_prefix">RULE %N -- %A </Option>
|
|
<Option name="log_tcp_opt">False</Option>
|
|
<Option name="log_tcp_seq">False</Option>
|
|
<Option name="loopback_interface">lo0</Option>
|
|
<Option name="macosx_ip_forward">1</Option>
|
|
<Option name="manage_virtual_addr">True</Option>
|
|
<Option name="mgmt_addr"/>
|
|
<Option name="mgmt_ssh">False</Option>
|
|
<Option name="no_ipv6_default_policy">False</Option>
|
|
<Option name="openbsd_ip_forward">1</Option>
|
|
<Option name="output_file"/>
|
|
<Option name="pass_all_out">false</Option>
|
|
<Option name="pf_limit_frags">5000</Option>
|
|
<Option name="pf_limit_states">10000</Option>
|
|
<Option name="pf_scrub_maxmss">1460</Option>
|
|
<Option name="pf_timeout_frag">30</Option>
|
|
<Option name="pf_timeout_interval">10</Option>
|
|
<Option name="pix_add_clear_statements">true</Option>
|
|
<Option name="pix_assume_fw_part_of_any">true</Option>
|
|
<Option name="pix_default_logint">300</Option>
|
|
<Option name="pix_emblem_log_format">false</Option>
|
|
<Option name="pix_emulate_out_acl">true</Option>
|
|
<Option name="pix_floodguard">true</Option>
|
|
<Option name="pix_include_comments">true</Option>
|
|
<Option name="pix_route_dnat_supported">true</Option>
|
|
<Option name="pix_rule_syslog_settings">false</Option>
|
|
<Option name="pix_security_fragguard_supported">true</Option>
|
|
<Option name="pix_syslog_device_id_supported">false</Option>
|
|
<Option name="pix_use_acl_remarks">true</Option>
|
|
<Option name="prolog_place">top</Option>
|
|
<Option name="prolog_script"/>
|
|
<Option name="prompt1">$ </Option>
|
|
<Option name="prompt2"> # </Option>
|
|
<Option name="scpArgs"/>
|
|
<Option name="solaris_ip_forward">1</Option>
|
|
<Option name="sshArgs"/>
|
|
<Option name="ulog_cprange">0</Option>
|
|
<Option name="ulog_nlgroup">1</Option>
|
|
<Option name="ulog_qthreshold">1</Option>
|
|
<Option name="use_ULOG">False</Option>
|
|
<Option name="use_iptables_restore">False</Option>
|
|
<Option name="use_numeric_log_levels">False</Option>
|
|
<Option name="verify_interfaces">True</Option>
|
|
</FirewallOptions>
|
|
</Firewall>
|
|
<Firewall id="id7A6218769" host_OS="linux24" inactive="False" lastCompiled="1272404546" lastInstalled="0" lastModified="1215305401" platform="iptables" version="1.4.0" name="firewall63" comment="testing TOS and DSCP matching " ro="False">
|
|
<NAT id="id7ABD18769" name="NAT" comment="" ro="False" ipv4_rule_set="False" ipv6_rule_set="False" top_rule_set="True">
|
|
<RuleSetOptions/>
|
|
</NAT>
|
|
<Policy id="id7A6818769" name="Policy" comment="" ro="False" ipv4_rule_set="False" ipv6_rule_set="False" top_rule_set="True">
|
|
<PolicyRule id="id7A6918769" disabled="False" group="" log="False" position="0" action="Accept" direction="Both" comment="">
|
|
<Src neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="idAF4D18769"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="stateless">False</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<PolicyRule id="id7A7518769" disabled="False" group="" log="False" position="1" action="Accept" direction="Both" comment="">
|
|
<Src neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="idAF4E18769"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="stateless">False</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<PolicyRule id="id7A8118769" disabled="False" group="" log="False" position="2" action="Accept" direction="Both" comment="">
|
|
<Src neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="idAF4F18769"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="stateless">False</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<RuleSetOptions/>
|
|
</Policy>
|
|
<Routing id="id7ABE18769" name="Routing" comment="" ro="False" ipv4_rule_set="False" ipv6_rule_set="False" top_rule_set="True">
|
|
<RuleSetOptions/>
|
|
</Routing>
|
|
<Interface id="id7ABF18769" dedicated_failover="False" dyn="False" label="" mgmt="True" security_level="100" unnum="False" unprotected="False" name="eth0" comment="" ro="False">
|
|
<IPv4 id="id7AC118769" name="firewall63:eth0:ip" comment="" ro="False" address="192.168.1.1" netmask="255.255.255.0"/>
|
|
<InterfaceOptions/>
|
|
</Interface>
|
|
<Interface id="id7AC218769" dedicated_failover="False" dyn="False" label="" mgmt="False" security_level="0" unnum="False" unprotected="False" name="eth1" comment="" ro="False">
|
|
<IPv4 id="id7AC418769" name="firewall63:eth1:ip" comment="" ro="False" address="222.222.222.222" netmask="255.255.255.0"/>
|
|
<InterfaceOptions/>
|
|
</Interface>
|
|
<Management address="192.168.1.1">
|
|
<SNMPManagement enabled="False" snmp_read_community="" snmp_write_community=""/>
|
|
<FWBDManagement enabled="False" identity="" port="-1"/>
|
|
<PolicyInstallScript arguments="" command="" enabled="False"/>
|
|
</Management>
|
|
<FirewallOptions>
|
|
<Option name="accept_established">True</Option>
|
|
<Option name="accept_new_tcp_with_no_syn">True</Option>
|
|
<Option name="action_on_reject"/>
|
|
<Option name="activationCmd"/>
|
|
<Option name="add_check_state_rule">true</Option>
|
|
<Option name="admUser"/>
|
|
<Option name="altAddress"/>
|
|
<Option name="bridging_fw">False</Option>
|
|
<Option name="check_shading">True</Option>
|
|
<Option name="clamp_mss_to_mtu">True</Option>
|
|
<Option name="classify_mark_terminating">False</Option>
|
|
<Option name="cmdline"/>
|
|
<Option name="compiler"/>
|
|
<Option name="configure_interfaces">True</Option>
|
|
<Option name="debug">False</Option>
|
|
<Option name="drop_invalid">False</Option>
|
|
<Option name="eliminate_duplicates">true</Option>
|
|
<Option name="enable_ipv6">False</Option>
|
|
<Option name="epilog_script"/>
|
|
<Option name="firewall_dir">/etc</Option>
|
|
<Option name="firewall_is_part_of_any_and_networks">True</Option>
|
|
<Option name="freebsd_ip_forward">1</Option>
|
|
<Option name="ignore_empty_groups">False</Option>
|
|
<Option name="in_out_code">true</Option>
|
|
<Option name="iosacl_add_clear_statements">true</Option>
|
|
<Option name="iosacl_assume_fw_part_of_any">true</Option>
|
|
<Option name="iosacl_include_comments">true</Option>
|
|
<Option name="ipv4_6_order">ipv4_first</Option>
|
|
<Option name="limit_suffix"/>
|
|
<Option name="limit_value">0</Option>
|
|
<Option name="linux24_ip_forward">1</Option>
|
|
<Option name="load_modules">True</Option>
|
|
<Option name="local_nat">False</Option>
|
|
<Option name="log_all">False</Option>
|
|
<Option name="log_invalid">False</Option>
|
|
<Option name="log_ip_opt">False</Option>
|
|
<Option name="log_level">info</Option>
|
|
<Option name="log_prefix">RULE %N -- %A </Option>
|
|
<Option name="log_tcp_opt">False</Option>
|
|
<Option name="log_tcp_seq">False</Option>
|
|
<Option name="loopback_interface">lo0</Option>
|
|
<Option name="macosx_ip_forward">1</Option>
|
|
<Option name="manage_virtual_addr">True</Option>
|
|
<Option name="mgmt_addr"/>
|
|
<Option name="mgmt_ssh">False</Option>
|
|
<Option name="no_ipv6_default_policy">False</Option>
|
|
<Option name="openbsd_ip_forward">1</Option>
|
|
<Option name="output_file"/>
|
|
<Option name="pass_all_out">false</Option>
|
|
<Option name="pf_limit_frags">5000</Option>
|
|
<Option name="pf_limit_states">10000</Option>
|
|
<Option name="pf_scrub_maxmss">1460</Option>
|
|
<Option name="pf_timeout_frag">30</Option>
|
|
<Option name="pf_timeout_interval">10</Option>
|
|
<Option name="pix_add_clear_statements">true</Option>
|
|
<Option name="pix_assume_fw_part_of_any">true</Option>
|
|
<Option name="pix_default_logint">300</Option>
|
|
<Option name="pix_emblem_log_format">false</Option>
|
|
<Option name="pix_emulate_out_acl">true</Option>
|
|
<Option name="pix_floodguard">true</Option>
|
|
<Option name="pix_include_comments">true</Option>
|
|
<Option name="pix_route_dnat_supported">true</Option>
|
|
<Option name="pix_rule_syslog_settings">false</Option>
|
|
<Option name="pix_security_fragguard_supported">true</Option>
|
|
<Option name="pix_syslog_device_id_supported">false</Option>
|
|
<Option name="pix_use_acl_remarks">true</Option>
|
|
<Option name="prolog_place">top</Option>
|
|
<Option name="prolog_script"/>
|
|
<Option name="prompt1">$ </Option>
|
|
<Option name="prompt2"> # </Option>
|
|
<Option name="solaris_ip_forward">1</Option>
|
|
<Option name="sshArgs"/>
|
|
<Option name="ulog_cprange">0</Option>
|
|
<Option name="ulog_nlgroup">1</Option>
|
|
<Option name="ulog_qthreshold">1</Option>
|
|
<Option name="use_ULOG">False</Option>
|
|
<Option name="use_iptables_restore">False</Option>
|
|
<Option name="use_numeric_log_levels">False</Option>
|
|
<Option name="verify_interfaces">True</Option>
|
|
</FirewallOptions>
|
|
</Firewall>
|
|
<Firewall id="id30191X26784" host_OS="linux24" inactive="False" lastCompiled="1272404359" lastInstalled="1142003872" lastModified="1286307167" platform="iptables" version="" name="firewall20-ipv6" comment="testing firewall_is_part_of_any_and_networks; also testing SNAT and DNAT rules when the external interface has a dynamic address. Dynamic interface ppp0 has an address object attached to it (the interface used to be static and had an address, then got converted to dynamic, but the address object is still there). The compiler should ignore this address object and issue a warning." ro="False">
|
|
<NAT id="id30432X26784" name="NAT" comment="" ro="False" ipv4_rule_set="False" ipv6_rule_set="True" top_rule_set="True">
|
|
<NATRule id="id30433X26784" disabled="False" group="" position="0" action="Translate" comment="">
|
|
<OSrc neg="False">
|
|
<ObjectRef ref="net-Internal_net"/>
|
|
</OSrc>
|
|
<ODst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ODst>
|
|
<OSrv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</OSrv>
|
|
<TSrc neg="False">
|
|
<ObjectRef ref="id30191X26784"/>
|
|
</TSrc>
|
|
<TDst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</TDst>
|
|
<TSrv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</TSrv>
|
|
<ItfInb neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ItfInb>
|
|
<ItfOutb neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ItfOutb>
|
|
<NATRuleOptions/>
|
|
</NATRule>
|
|
<NATRule id="id30447X26784" disabled="False" group="" position="1" action="Translate" comment="">
|
|
<OSrc neg="False">
|
|
<ObjectRef ref="net-Internal_net"/>
|
|
</OSrc>
|
|
<ODst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ODst>
|
|
<OSrv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</OSrv>
|
|
<TSrc neg="False">
|
|
<ObjectRef ref="id3AFADBF9"/>
|
|
</TSrc>
|
|
<TDst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</TDst>
|
|
<TSrv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</TSrv>
|
|
<ItfInb neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ItfInb>
|
|
<ItfOutb neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ItfOutb>
|
|
<NATRuleOptions/>
|
|
</NATRule>
|
|
<NATRule id="id30461X26784" disabled="False" group="" position="2" action="Translate" comment="">
|
|
<OSrc neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</OSrc>
|
|
<ODst neg="False">
|
|
<ObjectRef ref="id30191X26784"/>
|
|
</ODst>
|
|
<OSrv neg="False">
|
|
<ServiceRef ref="tcp-SSH"/>
|
|
</OSrv>
|
|
<TSrc neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</TSrc>
|
|
<TDst neg="False">
|
|
<ObjectRef ref="host-hostA"/>
|
|
</TDst>
|
|
<TSrv neg="False">
|
|
<ServiceRef ref="tcp-SSH"/>
|
|
</TSrv>
|
|
<ItfInb neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ItfInb>
|
|
<ItfOutb neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ItfOutb>
|
|
<NATRuleOptions/>
|
|
</NATRule>
|
|
<NATRule id="id30475X26784" disabled="False" group="" position="3" action="Translate" comment="">
|
|
<OSrc neg="False">
|
|
<ObjectRef ref="net-Internal_net"/>
|
|
</OSrc>
|
|
<ODst neg="True">
|
|
<ObjectRef ref="id3B19C5EB"/>
|
|
</ODst>
|
|
<OSrv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</OSrv>
|
|
<TSrc neg="False">
|
|
<ObjectRef ref="id30496X26784"/>
|
|
</TSrc>
|
|
<TDst neg="False">
|
|
<ObjectRef ref="id3D151943"/>
|
|
</TDst>
|
|
<TSrv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</TSrv>
|
|
<ItfInb neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ItfInb>
|
|
<ItfOutb neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ItfOutb>
|
|
<NATRuleOptions/>
|
|
</NATRule>
|
|
<NATRule id="id76714X13110" disabled="False" group="" position="4" action="Translate" comment="">
|
|
<OSrc neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</OSrc>
|
|
<ODst neg="False">
|
|
<ObjectRef ref="id30490X26784"/>
|
|
<ObjectRef ref="id30496X26784"/>
|
|
</ODst>
|
|
<OSrv neg="False">
|
|
<ServiceRef ref="tcp-SSH"/>
|
|
</OSrv>
|
|
<TSrc neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</TSrc>
|
|
<TDst neg="False">
|
|
<ObjectRef ref="host-hostA"/>
|
|
</TDst>
|
|
<TSrv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</TSrv>
|
|
<ItfInb neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ItfInb>
|
|
<ItfOutb neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ItfOutb>
|
|
<NATRuleOptions/>
|
|
</NATRule>
|
|
<RuleSetOptions/>
|
|
</NAT>
|
|
<Policy id="id30197X26784" name="Policy" comment="" ro="False" ipv4_rule_set="False" ipv6_rule_set="True" top_rule_set="True">
|
|
<PolicyRule id="id30198X26784" disabled="False" group="" log="True" position="0" action="Deny" direction="Inbound" comment="ppp clients get addresses on 10.1.1.0">
|
|
<Src neg="True">
|
|
<ObjectRef ref="id3EFBCCBA"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="id30490X26784"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="stateless">True</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<PolicyRule id="id30210X26784" disabled="False" group="" log="True" position="1" action="Deny" direction="Inbound" comment="ppp clients cannot connect to the firewall">
|
|
<Src neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="id30490X26784"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="id30490X26784"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="stateless">True</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<PolicyRule id="id30222X26784" disabled="False" group="" log="True" position="2" action="Deny" direction="Inbound" comment="">
|
|
<Src neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="id30191X26784"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="id30490X26784"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="stateless">True</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<PolicyRule id="id30234X26784" disabled="False" group="" log="False" position="3" action="Accept" direction="Inbound" comment="ppp clients can only connect to the mail server and web proxy on DMZ">
|
|
<Src neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="id3D151943"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="tcp-SMTP"/>
|
|
<ServiceRef ref="id3B4FF09A"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="id30490X26784"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions/>
|
|
</PolicyRule>
|
|
<PolicyRule id="id30247X26784" disabled="False" group="" log="True" position="4" action="Deny" direction="Inbound" comment="ppp clients cannot connect to anything else on DMZ and internal net">
|
|
<Src neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="id3B022266"/>
|
|
<ObjectRef ref="net-Internal_net"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="id30490X26784"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="stateless">True</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<PolicyRule id="id30260X26784" disabled="False" group="" log="False" position="5" action="Accept" direction="Inbound" comment="">
|
|
<Src neg="True">
|
|
<ObjectRef ref="id3B665643"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="id30490X26784"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions/>
|
|
</PolicyRule>
|
|
<PolicyRule id="id30272X26784" disabled="False" group="" log="True" position="6" action="Deny" direction="Inbound" comment="">
|
|
<Src neg="True">
|
|
<ObjectRef ref="id3B022266"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="id30496X26784"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="stateless">True</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<PolicyRule id="id30284X26784" disabled="False" group="" log="True" position="7" action="Accept" direction="Both" comment="hostF has the same IP address as the firewall.">
|
|
<Src neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="id3AFC191C"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="icmp-ping_request"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="id"/>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<PolicyRule id="id30296X26784" disabled="False" group="" log="False" position="8" action="Accept" direction="Both" comment="">
|
|
<Src neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="id30191X26784"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="tcp-SSH"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions/>
|
|
</PolicyRule>
|
|
<PolicyRule id="id30308X26784" disabled="False" group="" log="False" position="9" action="Accept" direction="Both" comment="">
|
|
<Src neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="id30490X26784"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="tcp-SSH"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions/>
|
|
</PolicyRule>
|
|
<PolicyRule id="id30320X26784" disabled="False" group="" log="False" position="10" action="Accept" direction="Both" comment="">
|
|
<Src neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="id3B19BF58"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="tcp-SSH"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions/>
|
|
</PolicyRule>
|
|
<PolicyRule id="id30332X26784" disabled="False" group="" log="False" position="11" action="Accept" direction="Both" comment="">
|
|
<Src neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="id3AFC191C"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="tcp-SSH"/>
|
|
<ServiceRef ref="tcp-Telnet"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions/>
|
|
</PolicyRule>
|
|
<PolicyRule id="id30345X26784" disabled="False" group="" log="False" position="12" action="Accept" direction="Both" comment="">
|
|
<Src neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="id3E9870D1"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="tcp-SSH"/>
|
|
<ServiceRef ref="tcp-Telnet"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions/>
|
|
</PolicyRule>
|
|
<PolicyRule id="id30358X26784" disabled="False" group="" log="True" position="13" action="Accept" direction="Both" comment="">
|
|
<Src neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="id3E9870D1"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="tcp-SSH"/>
|
|
<ServiceRef ref="tcp-Telnet"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions/>
|
|
</PolicyRule>
|
|
<PolicyRule id="id30371X26784" disabled="False" group="" log="False" position="14" action="Accept" direction="Both" comment="firewall is part of Any, so compiler should generate code in both FORWARD and OUTPUT chains">
|
|
<Src neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="id3B19C5EB"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions/>
|
|
</PolicyRule>
|
|
<PolicyRule id="id30383X26784" disabled="False" group="" log="False" position="15" action="Accept" direction="Both" comment="firewall is part of Any, compiler should generate code for both FORWARD and INPUT chains">
|
|
<Src neg="False">
|
|
<ObjectRef ref="id3B19C5EB"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions/>
|
|
</PolicyRule>
|
|
<PolicyRule id="id30395X26784" disabled="False" group="" log="False" position="16" action="Accept" direction="Both" comment="because firewall has interface on network internal_net, compiler should generate code for both FORWARD and INPUT chains">
|
|
<Src neg="False">
|
|
<ObjectRef ref="host-hostA"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="net-Internal_net"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions/>
|
|
</PolicyRule>
|
|
<PolicyRule id="id30407X26784" disabled="False" group="" log="False" position="17" action="Accept" direction="Both" comment="">
|
|
<Src neg="False">
|
|
<ObjectRef ref="net-Internal_net"/>
|
|
<ObjectRef ref="id3B022266"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="id3B19C5EB"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions/>
|
|
</PolicyRule>
|
|
<PolicyRule id="id58934X29621" disabled="False" group="" log="True" position="18" action="Deny" direction="Both" comment="">
|
|
<Src neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="id45862X16372"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="stateless">True</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<PolicyRule id="id30420X26784" disabled="False" group="" log="True" position="19" action="Deny" direction="Both" comment="Automatically generated 'catch all' rule">
|
|
<Src neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="action_on_reject"/>
|
|
<Option name="id"/>
|
|
<Option name="limit_suffix"/>
|
|
<Option name="limit_value">0</Option>
|
|
<Option name="log_prefix"/>
|
|
<Option name="stateless">True</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<RuleSetOptions/>
|
|
</Policy>
|
|
<Routing id="id30489X26784" name="Routing" comment="" ro="False" ipv4_rule_set="False" ipv6_rule_set="False" top_rule_set="True">
|
|
<RuleSetOptions/>
|
|
</Routing>
|
|
<Interface id="id30490X26784" dedicated_failover="False" dyn="True" label="" mgmt="False" security_level="0" unnum="False" unprotected="False" name="ppp*" comment="" ro="False">
|
|
<InterfaceOptions/>
|
|
</Interface>
|
|
<Interface id="id30493X26784" dedicated_failover="False" dyn="False" label="" mgmt="True" security_level="100" unnum="False" unprotected="False" name="eth0" comment="" ro="False">
|
|
<IPv4 id="id30495X26784" name="firewall20-ipv6:eth0:ip" comment="" ro="False" address="192.168.1.1" netmask="255.255.255.0"/>
|
|
<IPv6 id="id44352X26784" name="firewall20-ipv6:eth0:ipv6" comment="" ro="False" address="fe80::1" netmask="64"/>
|
|
<InterfaceOptions/>
|
|
</Interface>
|
|
<Interface id="id30496X26784" dedicated_failover="False" dyn="False" security_level="0" unnum="False" unprotected="False" name="eth2" comment="" ro="False">
|
|
<IPv4 id="id30498X26784" name="firewall20-ipv6:eth2:ip" comment="" ro="False" address="192.168.2.1" netmask="255.255.255.0"/>
|
|
<IPv6 id="id44353X26784" name="firewall20-ipv6:eth2:ipv6" comment="" ro="False" address="2001:470:1f05:590::1" netmask="64"/>
|
|
<InterfaceOptions/>
|
|
</Interface>
|
|
<Management address="192.168.1.1">
|
|
<SNMPManagement enabled="False" snmp_read_community="public" snmp_write_community=""/>
|
|
<FWBDManagement enabled="True" identity="" port="9999"/>
|
|
<PolicyInstallScript arguments="" command="" enabled="False"/>
|
|
</Management>
|
|
<FirewallOptions>
|
|
<Option name="accept_established">False</Option>
|
|
<Option name="accept_new_tcp_with_no_syn">True</Option>
|
|
<Option name="action_on_reject">ICMP host prohibited</Option>
|
|
<Option name="bridging_fw">False</Option>
|
|
<Option name="check_shading">False</Option>
|
|
<Option name="clamp_mss_to_mtu">False</Option>
|
|
<Option name="cmdline"/>
|
|
<Option name="compiler"/>
|
|
<Option name="configure_interfaces">True</Option>
|
|
<Option name="debug">False</Option>
|
|
<Option name="dyn_addr">False</Option>
|
|
<Option name="firewall_is_part_of_any">True</Option>
|
|
<Option name="firewall_is_part_of_any_and_networks">True</Option>
|
|
<Option name="id"/>
|
|
<Option name="ignore_empty_groups">False</Option>
|
|
<Option name="install_script"/>
|
|
<Option name="limit_suffix">/day</Option>
|
|
<Option name="limit_value">0</Option>
|
|
<Option name="linux24_accept_redirects"/>
|
|
<Option name="linux24_accept_source_route"/>
|
|
<Option name="linux24_icmp_echo_ignore_all"/>
|
|
<Option name="linux24_icmp_echo_ignore_broadcasts"/>
|
|
<Option name="linux24_icmp_ignore_bogus_error_responses"/>
|
|
<Option name="linux24_ip_dynaddr"/>
|
|
<Option name="linux24_ip_forward"/>
|
|
<Option name="linux24_log_martians"/>
|
|
<Option name="linux24_path_ip"/>
|
|
<Option name="linux24_path_iptables"/>
|
|
<Option name="linux24_path_logger"/>
|
|
<Option name="linux24_path_lsmod"/>
|
|
<Option name="linux24_path_modprobe"/>
|
|
<Option name="linux24_rp_filter"/>
|
|
<Option name="linux24_tcp_ecn"/>
|
|
<Option name="linux24_tcp_fack"/>
|
|
<Option name="linux24_tcp_fin_timeout">30</Option>
|
|
<Option name="linux24_tcp_keepalive_interval">1800</Option>
|
|
<Option name="linux24_tcp_sack"/>
|
|
<Option name="linux24_tcp_syncookies"/>
|
|
<Option name="linux24_tcp_timestamps"/>
|
|
<Option name="linux24_tcp_window_scaling"/>
|
|
<Option name="load_modules">False</Option>
|
|
<Option name="local_nat">False</Option>
|
|
<Option name="log_all">False</Option>
|
|
<Option name="log_all_dropped">False</Option>
|
|
<Option name="log_ip_opt">False</Option>
|
|
<Option name="log_level"/>
|
|
<Option name="log_limit_suffix"/>
|
|
<Option name="log_limit_value">0</Option>
|
|
<Option name="log_prefix"/>
|
|
<Option name="log_tcp_opt">False</Option>
|
|
<Option name="log_tcp_seq">False</Option>
|
|
<Option name="manage_virtual_addr">True</Option>
|
|
<Option name="no_iochains_for_any">False</Option>
|
|
<Option name="no_optimisation">False</Option>
|
|
<Option name="platform">iptables</Option>
|
|
<Option name="script_env_path"/>
|
|
<Option name="snmp_contact"/>
|
|
<Option name="snmp_description"/>
|
|
<Option name="snmp_location"/>
|
|
<Option name="ulog_cprange">0</Option>
|
|
<Option name="ulog_nlgroup">1</Option>
|
|
<Option name="ulog_qthreshold">1</Option>
|
|
<Option name="use_ULOG">False</Option>
|
|
<Option name="use_numeric_log_levels">False</Option>
|
|
<Option name="verify_interfaces">True</Option>
|
|
</FirewallOptions>
|
|
</Firewall>
|
|
<Firewall id="id31158X1798" host_OS="linux24" inactive="False" lastCompiled="1215360886" lastInstalled="1142003872" lastModified="1264474374" platform="iptables" version="lt_1.2.6" name="firewall2-1" comment="copy of firewall2 but old iptables version" ro="False">
|
|
<NAT id="id31415X1798" name="NAT" comment="" ro="False" ipv4_rule_set="False" ipv6_rule_set="False" top_rule_set="True">
|
|
<NATRule id="id31416X1798" disabled="False" group="" position="0" action="Translate" comment="">
|
|
<OSrc neg="False">
|
|
<ObjectRef ref="net-Internal_net"/>
|
|
</OSrc>
|
|
<ODst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ODst>
|
|
<OSrv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</OSrv>
|
|
<TSrc neg="False">
|
|
<ObjectRef ref="id31158X1798"/>
|
|
</TSrc>
|
|
<TDst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</TDst>
|
|
<TSrv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</TSrv>
|
|
<ItfInb neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ItfInb>
|
|
<ItfOutb neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ItfOutb>
|
|
<NATRuleOptions>
|
|
<Option name="id"/>
|
|
</NATRuleOptions>
|
|
</NATRule>
|
|
<NATRule id="id31430X1798" disabled="False" group="" position="1" action="Translate" comment="">
|
|
<OSrc neg="False">
|
|
<ObjectRef ref="net-Internal_net"/>
|
|
</OSrc>
|
|
<ODst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ODst>
|
|
<OSrv neg="False">
|
|
<ServiceRef ref="tcp-HTTP"/>
|
|
<ServiceRef ref="sg-Useful_ICMP"/>
|
|
</OSrv>
|
|
<TSrc neg="False">
|
|
<ObjectRef ref="id31158X1798"/>
|
|
</TSrc>
|
|
<TDst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</TDst>
|
|
<TSrv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</TSrv>
|
|
<ItfInb neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ItfInb>
|
|
<ItfOutb neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ItfOutb>
|
|
<NATRuleOptions>
|
|
<Option name="id"/>
|
|
</NATRuleOptions>
|
|
</NATRule>
|
|
<NATRule id="id31445X1798" disabled="False" group="" position="2" action="Translate" comment="">
|
|
<OSrc neg="False">
|
|
<ObjectRef ref="net-Internal_net"/>
|
|
</OSrc>
|
|
<ODst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ODst>
|
|
<OSrv neg="False">
|
|
<ServiceRef ref="tcp-HTTP"/>
|
|
<ServiceRef ref="sg-Useful_ICMP"/>
|
|
<ServiceRef ref="ip-IPSEC"/>
|
|
<ServiceRef ref="id3F3E9EFC"/>
|
|
</OSrv>
|
|
<TSrc neg="False">
|
|
<ObjectRef ref="id31158X1798"/>
|
|
</TSrc>
|
|
<TDst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</TDst>
|
|
<TSrv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</TSrv>
|
|
<ItfInb neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ItfInb>
|
|
<ItfOutb neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ItfOutb>
|
|
<NATRuleOptions>
|
|
<Option name="id"/>
|
|
</NATRuleOptions>
|
|
</NATRule>
|
|
<NATRule id="id31462X1798" disabled="False" group="" position="3" action="Translate" comment="">
|
|
<OSrc neg="False">
|
|
<ObjectRef ref="net-Internal_net"/>
|
|
</OSrc>
|
|
<ODst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ODst>
|
|
<OSrv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</OSrv>
|
|
<TSrc neg="False">
|
|
<ObjectRef ref="id32096X1798"/>
|
|
</TSrc>
|
|
<TDst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</TDst>
|
|
<TSrv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</TSrv>
|
|
<ItfInb neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ItfInb>
|
|
<ItfOutb neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ItfOutb>
|
|
<NATRuleOptions>
|
|
<Option name="id"/>
|
|
</NATRuleOptions>
|
|
</NATRule>
|
|
<NATRule id="id31476X1798" disabled="False" group="" position="4" action="Translate" comment="">
|
|
<OSrc neg="False">
|
|
<ObjectRef ref="net-Internal_net"/>
|
|
</OSrc>
|
|
<ODst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ODst>
|
|
<OSrv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</OSrv>
|
|
<TSrc neg="False">
|
|
<ObjectRef ref="id32100X1798"/>
|
|
</TSrc>
|
|
<TDst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</TDst>
|
|
<TSrv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</TSrv>
|
|
<ItfInb neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ItfInb>
|
|
<ItfOutb neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ItfOutb>
|
|
<NATRuleOptions>
|
|
<Option name="id"/>
|
|
</NATRuleOptions>
|
|
</NATRule>
|
|
<NATRule id="id31490X1798" disabled="False" group="" position="5" action="Translate" comment="">
|
|
<OSrc neg="False">
|
|
<ObjectRef ref="net-Internal_net"/>
|
|
</OSrc>
|
|
<ODst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ODst>
|
|
<OSrv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</OSrv>
|
|
<TSrc neg="False">
|
|
<ObjectRef ref="id48356E0A14854"/>
|
|
</TSrc>
|
|
<TDst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</TDst>
|
|
<TSrv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</TSrv>
|
|
<ItfInb neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ItfInb>
|
|
<ItfOutb neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ItfOutb>
|
|
<NATRuleOptions>
|
|
<Option name="id"/>
|
|
</NATRuleOptions>
|
|
</NATRule>
|
|
<NATRule id="id31504X1798" disabled="False" group="" position="6" action="Translate" comment="">
|
|
<OSrc neg="False">
|
|
<ObjectRef ref="host-hostA"/>
|
|
</OSrc>
|
|
<ODst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ODst>
|
|
<OSrv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</OSrv>
|
|
<TSrc neg="False">
|
|
<ObjectRef ref="id3AFADBF9"/>
|
|
</TSrc>
|
|
<TDst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</TDst>
|
|
<TSrv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</TSrv>
|
|
<ItfInb neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ItfInb>
|
|
<ItfOutb neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ItfOutb>
|
|
<NATRuleOptions>
|
|
<Option name="id"/>
|
|
</NATRuleOptions>
|
|
</NATRule>
|
|
<NATRule id="id31518X1798" disabled="False" group="" position="7" action="Translate" comment="">
|
|
<OSrc neg="False">
|
|
<ObjectRef ref="host-hostA"/>
|
|
</OSrc>
|
|
<ODst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ODst>
|
|
<OSrv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</OSrv>
|
|
<TSrc neg="False">
|
|
<ObjectRef ref="id3DE47B6C"/>
|
|
</TSrc>
|
|
<TDst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</TDst>
|
|
<TSrv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</TSrv>
|
|
<ItfInb neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ItfInb>
|
|
<ItfOutb neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ItfOutb>
|
|
<NATRuleOptions>
|
|
<Option name="id"/>
|
|
</NATRuleOptions>
|
|
</NATRule>
|
|
<NATRule id="id31532X1798" disabled="False" group="" position="8" action="Translate" comment="">
|
|
<OSrc neg="False">
|
|
<ObjectRef ref="net-Internal_net"/>
|
|
</OSrc>
|
|
<ODst neg="False">
|
|
<ObjectRef ref="host-hostA"/>
|
|
<ObjectRef ref="id3D8FC56A"/>
|
|
</ODst>
|
|
<OSrv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</OSrv>
|
|
<TSrc neg="False">
|
|
<ObjectRef ref="id3AFC191C"/>
|
|
</TSrc>
|
|
<TDst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</TDst>
|
|
<TSrv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</TSrv>
|
|
<ItfInb neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ItfInb>
|
|
<ItfOutb neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ItfOutb>
|
|
<NATRuleOptions/>
|
|
</NATRule>
|
|
<NATRule id="id31547X1798" disabled="False" group="" position="9" action="Translate" comment="">
|
|
<OSrc neg="False">
|
|
<ObjectRef ref="host-hostA"/>
|
|
<ObjectRef ref="host-hostB"/>
|
|
<ObjectRef ref="id31158X1798"/>
|
|
<ObjectRef ref="id3B4572AF"/>
|
|
</OSrc>
|
|
<ODst neg="False">
|
|
<ObjectRef ref="id3D151943"/>
|
|
<ObjectRef ref="id3D151947"/>
|
|
</ODst>
|
|
<OSrv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</OSrv>
|
|
<TSrc neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</TSrc>
|
|
<TDst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</TDst>
|
|
<TSrv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</TSrv>
|
|
<ItfInb neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ItfInb>
|
|
<ItfOutb neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ItfOutb>
|
|
<NATRuleOptions/>
|
|
</NATRule>
|
|
<NATRule id="id31565X1798" disabled="False" group="" position="10" action="Translate" comment="">
|
|
<OSrc neg="False">
|
|
<ObjectRef ref="host-hostA"/>
|
|
<ObjectRef ref="host-hostB"/>
|
|
</OSrc>
|
|
<ODst neg="True">
|
|
<ObjectRef ref="id3D151943"/>
|
|
<ObjectRef ref="id3D151947"/>
|
|
</ODst>
|
|
<OSrv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</OSrv>
|
|
<TSrc neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</TSrc>
|
|
<TDst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</TDst>
|
|
<TSrv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</TSrv>
|
|
<ItfInb neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ItfInb>
|
|
<ItfOutb neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ItfOutb>
|
|
<NATRuleOptions/>
|
|
</NATRule>
|
|
<NATRule id="id31581X1798" disabled="False" group="" position="11" action="Translate" comment="">
|
|
<OSrc neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</OSrc>
|
|
<ODst neg="False">
|
|
<ObjectRef ref="id3AFADBF9"/>
|
|
</ODst>
|
|
<OSrv neg="False">
|
|
<ServiceRef ref="tcp-HTTP"/>
|
|
<ServiceRef ref="tcp-NNTP"/>
|
|
<ServiceRef ref="sg-Useful_ICMP"/>
|
|
<ServiceRef ref="ip-IPSEC"/>
|
|
<ServiceRef ref="id3F3E9EFC"/>
|
|
</OSrv>
|
|
<TSrc neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</TSrc>
|
|
<TDst neg="False">
|
|
<ObjectRef ref="host-hostA"/>
|
|
</TDst>
|
|
<TSrv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</TSrv>
|
|
<ItfInb neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ItfInb>
|
|
<ItfOutb neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ItfOutb>
|
|
<NATRuleOptions/>
|
|
</NATRule>
|
|
<NATRule id="id31599X1798" disabled="False" group="" position="12" action="Translate" comment="">
|
|
<OSrc neg="False">
|
|
<ObjectRef ref="id31158X1798"/>
|
|
</OSrc>
|
|
<ODst neg="False">
|
|
<ObjectRef ref="id3AFADBF9"/>
|
|
</ODst>
|
|
<OSrv neg="False">
|
|
<ServiceRef ref="tcp-HTTP"/>
|
|
<ServiceRef ref="tcp-NNTP"/>
|
|
<ServiceRef ref="sg-Useful_ICMP"/>
|
|
</OSrv>
|
|
<TSrc neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</TSrc>
|
|
<TDst neg="False">
|
|
<ObjectRef ref="host-hostA"/>
|
|
</TDst>
|
|
<TSrv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</TSrv>
|
|
<ItfInb neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ItfInb>
|
|
<ItfOutb neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ItfOutb>
|
|
<NATRuleOptions/>
|
|
</NATRule>
|
|
<NATRule id="id31615X1798" disabled="False" group="" position="13" action="Translate" comment="">
|
|
<OSrc neg="False">
|
|
<ObjectRef ref="id32096X1798"/>
|
|
</OSrc>
|
|
<ODst neg="False">
|
|
<ObjectRef ref="id3AFADBF9"/>
|
|
</ODst>
|
|
<OSrv neg="False">
|
|
<ServiceRef ref="tcp-HTTP"/>
|
|
<ServiceRef ref="tcp-NNTP"/>
|
|
</OSrv>
|
|
<TSrc neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</TSrc>
|
|
<TDst neg="False">
|
|
<ObjectRef ref="host-hostA"/>
|
|
</TDst>
|
|
<TSrv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</TSrv>
|
|
<ItfInb neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ItfInb>
|
|
<ItfOutb neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ItfOutb>
|
|
<NATRuleOptions/>
|
|
</NATRule>
|
|
<NATRule id="id31630X1798" disabled="False" group="" position="14" action="Translate" comment="">
|
|
<OSrc neg="False">
|
|
<ObjectRef ref="id31158X1798"/>
|
|
<ObjectRef ref="id3B19C5EB"/>
|
|
</OSrc>
|
|
<ODst neg="False">
|
|
<ObjectRef ref="id3AFADBF9"/>
|
|
</ODst>
|
|
<OSrv neg="False">
|
|
<ServiceRef ref="tcp-HTTP"/>
|
|
<ServiceRef ref="tcp-NNTP"/>
|
|
</OSrv>
|
|
<TSrc neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</TSrc>
|
|
<TDst neg="False">
|
|
<ObjectRef ref="host-hostA"/>
|
|
</TDst>
|
|
<TSrv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</TSrv>
|
|
<ItfInb neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ItfInb>
|
|
<ItfOutb neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ItfOutb>
|
|
<NATRuleOptions/>
|
|
</NATRule>
|
|
<NATRule id="id31646X1798" disabled="True" group="" position="15" action="Translate" comment="">
|
|
<OSrc neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</OSrc>
|
|
<ODst neg="False">
|
|
<ObjectRef ref="id3AFADBF9"/>
|
|
</ODst>
|
|
<OSrv neg="False">
|
|
<ServiceRef ref="tcp-HTTP"/>
|
|
</OSrv>
|
|
<TSrc neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</TSrc>
|
|
<TDst neg="False">
|
|
<ObjectRef ref="host-hostA"/>
|
|
<ObjectRef ref="host-hostB"/>
|
|
</TDst>
|
|
<TSrv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</TSrv>
|
|
<ItfInb neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ItfInb>
|
|
<ItfOutb neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ItfOutb>
|
|
<NATRuleOptions/>
|
|
</NATRule>
|
|
<NATRule id="id31661X1798" disabled="False" group="" position="16" action="Translate" comment="">
|
|
<OSrc neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</OSrc>
|
|
<ODst neg="False">
|
|
<ObjectRef ref="id3DE47B6C"/>
|
|
</ODst>
|
|
<OSrv neg="False">
|
|
<ServiceRef ref="tcp-HTTP"/>
|
|
<ServiceRef ref="tcp-NNTP"/>
|
|
</OSrv>
|
|
<TSrc neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</TSrc>
|
|
<TDst neg="False">
|
|
<ObjectRef ref="host-hostA"/>
|
|
</TDst>
|
|
<TSrv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</TSrv>
|
|
<ItfInb neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ItfInb>
|
|
<ItfOutb neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ItfOutb>
|
|
<NATRuleOptions/>
|
|
</NATRule>
|
|
<NATRule id="id31676X1798" disabled="False" group="" position="17" action="Translate" comment="">
|
|
<OSrc neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</OSrc>
|
|
<ODst neg="False">
|
|
<ObjectRef ref="id3AFC0F70"/>
|
|
</ODst>
|
|
<OSrv neg="False">
|
|
<ServiceRef ref="tcp-NNTP"/>
|
|
</OSrv>
|
|
<TSrc neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</TSrc>
|
|
<TDst neg="False">
|
|
<ObjectRef ref="host-hostA"/>
|
|
</TDst>
|
|
<TSrv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</TSrv>
|
|
<ItfInb neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ItfInb>
|
|
<ItfOutb neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ItfOutb>
|
|
<NATRuleOptions/>
|
|
</NATRule>
|
|
<NATRule id="id31690X1798" disabled="False" group="" position="18" action="Translate" comment="">
|
|
<OSrc neg="False">
|
|
<ObjectRef ref="host-hostB"/>
|
|
</OSrc>
|
|
<ODst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ODst>
|
|
<OSrv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</OSrv>
|
|
<TSrc neg="False">
|
|
<ObjectRef ref="id3BD6736B"/>
|
|
</TSrc>
|
|
<TDst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</TDst>
|
|
<TSrv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</TSrv>
|
|
<ItfInb neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ItfInb>
|
|
<ItfOutb neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ItfOutb>
|
|
<NATRuleOptions>
|
|
<Option name="id"/>
|
|
</NATRuleOptions>
|
|
</NATRule>
|
|
<NATRule id="id31704X1798" disabled="False" group="" position="19" action="Translate" comment="">
|
|
<OSrc neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</OSrc>
|
|
<ODst neg="False">
|
|
<ObjectRef ref="id3BD6736B"/>
|
|
</ODst>
|
|
<OSrv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</OSrv>
|
|
<TSrc neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</TSrc>
|
|
<TDst neg="False">
|
|
<ObjectRef ref="host-hostB"/>
|
|
</TDst>
|
|
<TSrv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</TSrv>
|
|
<ItfInb neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ItfInb>
|
|
<ItfOutb neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ItfOutb>
|
|
<NATRuleOptions/>
|
|
</NATRule>
|
|
<NATRule id="id31718X1798" disabled="False" group="" position="20" action="Translate" comment="">
|
|
<OSrc neg="False">
|
|
<ObjectRef ref="net-Internal_net"/>
|
|
</OSrc>
|
|
<ODst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ODst>
|
|
<OSrv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</OSrv>
|
|
<TSrc neg="False">
|
|
<ObjectRef ref="id4368AD8615884"/>
|
|
</TSrc>
|
|
<TDst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</TDst>
|
|
<TSrv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</TSrv>
|
|
<ItfInb neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ItfInb>
|
|
<ItfOutb neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ItfOutb>
|
|
<NATRuleOptions/>
|
|
</NATRule>
|
|
<NATRule id="id31732X1798" disabled="False" group="" position="21" action="Translate" comment="NETMAP ">
|
|
<OSrc neg="False">
|
|
<ObjectRef ref="net-Internal_net"/>
|
|
</OSrc>
|
|
<ODst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ODst>
|
|
<OSrv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</OSrv>
|
|
<TSrc neg="False">
|
|
<ObjectRef ref="id3B665641"/>
|
|
</TSrc>
|
|
<TDst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</TDst>
|
|
<TSrv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</TSrv>
|
|
<ItfInb neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ItfInb>
|
|
<ItfOutb neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ItfOutb>
|
|
<NATRuleOptions/>
|
|
</NATRule>
|
|
<NATRule id="id31746X1798" disabled="False" group="" position="22" action="Translate" comment="NETMAP">
|
|
<OSrc neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</OSrc>
|
|
<ODst neg="False">
|
|
<ObjectRef ref="id3B665641"/>
|
|
</ODst>
|
|
<OSrv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</OSrv>
|
|
<TSrc neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</TSrc>
|
|
<TDst neg="False">
|
|
<ObjectRef ref="net-Internal_net"/>
|
|
</TDst>
|
|
<TSrv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</TSrv>
|
|
<ItfInb neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ItfInb>
|
|
<ItfOutb neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ItfOutb>
|
|
<NATRuleOptions/>
|
|
</NATRule>
|
|
<NATRule id="id31760X1798" disabled="False" group="" position="23" action="Translate" comment="">
|
|
<OSrc neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</OSrc>
|
|
<ODst neg="False">
|
|
<ObjectRef ref="id31158X1798"/>
|
|
</ODst>
|
|
<OSrv neg="False">
|
|
<ServiceRef ref="id3B20468D"/>
|
|
</OSrv>
|
|
<TSrc neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</TSrc>
|
|
<TDst neg="False">
|
|
<ObjectRef ref="host-hostA"/>
|
|
</TDst>
|
|
<TSrv neg="False">
|
|
<ServiceRef ref="id3B20468D"/>
|
|
</TSrv>
|
|
<ItfInb neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ItfInb>
|
|
<ItfOutb neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ItfOutb>
|
|
<NATRuleOptions/>
|
|
</NATRule>
|
|
<NATRule id="id31774X1798" disabled="False" group="" position="24" action="Translate" comment="">
|
|
<OSrc neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</OSrc>
|
|
<ODst neg="False">
|
|
<ObjectRef ref="id32093X1798"/>
|
|
<ObjectRef ref="id32096X1798"/>
|
|
</ODst>
|
|
<OSrv neg="False">
|
|
<ServiceRef ref="tcp-HTTP"/>
|
|
</OSrv>
|
|
<TSrc neg="False">
|
|
<ObjectRef ref="id32090X1798"/>
|
|
</TSrc>
|
|
<TDst neg="False">
|
|
<ObjectRef ref="host-hostA"/>
|
|
</TDst>
|
|
<TSrv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</TSrv>
|
|
<ItfInb neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ItfInb>
|
|
<ItfOutb neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ItfOutb>
|
|
<NATRuleOptions/>
|
|
</NATRule>
|
|
<NATRule id="id31789X1798" disabled="False" group="" position="25" action="Translate" comment="">
|
|
<OSrc neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</OSrc>
|
|
<ODst neg="False">
|
|
<ObjectRef ref="id3AFADBF9"/>
|
|
</ODst>
|
|
<OSrv neg="False">
|
|
<ServiceRef ref="tcp-HTTP"/>
|
|
</OSrv>
|
|
<TSrc neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</TSrc>
|
|
<TDst neg="False">
|
|
<ObjectRef ref="host-hostA"/>
|
|
</TDst>
|
|
<TSrv neg="False">
|
|
<ServiceRef ref="tcp-SMTP"/>
|
|
</TSrv>
|
|
<ItfInb neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ItfInb>
|
|
<ItfOutb neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ItfOutb>
|
|
<NATRuleOptions/>
|
|
</NATRule>
|
|
<NATRule id="id31803X1798" disabled="False" group="" position="26" action="Translate" comment="">
|
|
<OSrc neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</OSrc>
|
|
<ODst neg="False">
|
|
<ObjectRef ref="id31158X1798"/>
|
|
</ODst>
|
|
<OSrv neg="False">
|
|
<ServiceRef ref="tcp-HTTP"/>
|
|
<ServiceRef ref="id3B4FED69"/>
|
|
</OSrv>
|
|
<TSrc neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</TSrc>
|
|
<TDst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</TDst>
|
|
<TSrv neg="False">
|
|
<ServiceRef ref="id3B4FF09A"/>
|
|
</TSrv>
|
|
<ItfInb neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ItfInb>
|
|
<ItfOutb neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ItfOutb>
|
|
<NATRuleOptions/>
|
|
</NATRule>
|
|
<NATRule id="id31818X1798" disabled="False" group="" position="27" action="Translate" comment="">
|
|
<OSrc neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</OSrc>
|
|
<ODst neg="False">
|
|
<ObjectRef ref="id32093X1798"/>
|
|
</ODst>
|
|
<OSrv neg="False">
|
|
<ServiceRef ref="id3DDDE4E4"/>
|
|
</OSrv>
|
|
<TSrc neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</TSrc>
|
|
<TDst neg="False">
|
|
<ObjectRef ref="id3CEBFF26"/>
|
|
</TDst>
|
|
<TSrv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</TSrv>
|
|
<ItfInb neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ItfInb>
|
|
<ItfOutb neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ItfOutb>
|
|
<NATRuleOptions/>
|
|
</NATRule>
|
|
<NATRule id="id31832X1798" disabled="False" group="" position="28" action="Translate" comment="">
|
|
<OSrc neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</OSrc>
|
|
<ODst neg="False">
|
|
<ObjectRef ref="id32093X1798"/>
|
|
</ODst>
|
|
<OSrv neg="False">
|
|
<ServiceRef ref="id3DDDE4E4"/>
|
|
</OSrv>
|
|
<TSrc neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</TSrc>
|
|
<TDst neg="False">
|
|
<ObjectRef ref="id3CD87A5E"/>
|
|
<ObjectRef ref="id3CD87A6D"/>
|
|
<ObjectRef ref="id3CD87A8B"/>
|
|
<ObjectRef ref="id3CD87A7C"/>
|
|
<ObjectRef ref="id3CD87A53"/>
|
|
</TDst>
|
|
<TSrv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</TSrv>
|
|
<ItfInb neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ItfInb>
|
|
<ItfOutb neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ItfOutb>
|
|
<NATRuleOptions/>
|
|
</NATRule>
|
|
<NATRule id="id31850X1798" disabled="False" group="" position="29" action="Translate" comment="transparent proxy rule (note: original service is Any, so this redirects all protocols from the internal net, not only HTTP)">
|
|
<OSrc neg="False">
|
|
<ObjectRef ref="net-Internal_net"/>
|
|
</OSrc>
|
|
<ODst neg="True">
|
|
<ObjectRef ref="id3AFADBF9"/>
|
|
</ODst>
|
|
<OSrv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</OSrv>
|
|
<TSrc neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</TSrc>
|
|
<TDst neg="False">
|
|
<ObjectRef ref="id3D151943"/>
|
|
</TDst>
|
|
<TSrv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</TSrv>
|
|
<ItfInb neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ItfInb>
|
|
<ItfOutb neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ItfOutb>
|
|
<NATRuleOptions/>
|
|
</NATRule>
|
|
<NATRule id="id31864X1798" disabled="True" group="" position="30" action="Translate" comment="">
|
|
<OSrc neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</OSrc>
|
|
<ODst neg="False">
|
|
<ObjectRef ref="id32093X1798"/>
|
|
</ODst>
|
|
<OSrv neg="False">
|
|
<ServiceRef ref="id3DDDE4E4"/>
|
|
</OSrv>
|
|
<TSrc neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</TSrc>
|
|
<TDst neg="False">
|
|
<ObjectRef ref="host-hostA"/>
|
|
<ObjectRef ref="host-hostB"/>
|
|
</TDst>
|
|
<TSrv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</TSrv>
|
|
<ItfInb neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ItfInb>
|
|
<ItfOutb neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ItfOutb>
|
|
<NATRuleOptions/>
|
|
</NATRule>
|
|
<NATRule id="id31879X1798" disabled="False" group="" position="31" action="Translate" comment="">
|
|
<OSrc neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</OSrc>
|
|
<ODst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ODst>
|
|
<OSrv neg="False">
|
|
<ServiceRef ref="tcp-HTTP"/>
|
|
</OSrv>
|
|
<TSrc neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</TSrc>
|
|
<TDst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</TDst>
|
|
<TSrv neg="False">
|
|
<ServiceRef ref="id3DDDE4E4"/>
|
|
</TSrv>
|
|
<ItfInb neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ItfInb>
|
|
<ItfOutb neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ItfOutb>
|
|
<NATRuleOptions/>
|
|
</NATRule>
|
|
<NATRule id="id31893X1798" disabled="False" group="" position="32" action="Translate" comment="">
|
|
<OSrc neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</OSrc>
|
|
<ODst neg="False">
|
|
<ObjectRef ref="host-hostA"/>
|
|
</ODst>
|
|
<OSrv neg="False">
|
|
<ServiceRef ref="tcp-HTTP"/>
|
|
</OSrv>
|
|
<TSrc neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</TSrc>
|
|
<TDst neg="False">
|
|
<ObjectRef ref="host-hostA"/>
|
|
</TDst>
|
|
<TSrv neg="False">
|
|
<ServiceRef ref="id3DDDE4E4"/>
|
|
</TSrv>
|
|
<ItfInb neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ItfInb>
|
|
<ItfOutb neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ItfOutb>
|
|
<NATRuleOptions/>
|
|
</NATRule>
|
|
<NATRule id="id31907X1798" disabled="False" group="" position="33" action="Translate" comment="">
|
|
<OSrc neg="False">
|
|
<ObjectRef ref="host-hostA"/>
|
|
</OSrc>
|
|
<ODst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ODst>
|
|
<OSrv neg="False">
|
|
<ServiceRef ref="tcp-HTTP"/>
|
|
</OSrv>
|
|
<TSrc neg="False">
|
|
<ObjectRef ref="id32093X1798"/>
|
|
</TSrc>
|
|
<TDst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</TDst>
|
|
<TSrv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</TSrv>
|
|
<ItfInb neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ItfInb>
|
|
<ItfOutb neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ItfOutb>
|
|
<NATRuleOptions/>
|
|
</NATRule>
|
|
<NATRule id="id31921X1798" disabled="False" group="" position="34" action="Translate" comment="">
|
|
<OSrc neg="True">
|
|
<ObjectRef ref="host-hostA"/>
|
|
</OSrc>
|
|
<ODst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ODst>
|
|
<OSrv neg="False">
|
|
<ServiceRef ref="tcp-HTTP"/>
|
|
</OSrv>
|
|
<TSrc neg="False">
|
|
<ObjectRef ref="id32090X1798"/>
|
|
</TSrc>
|
|
<TDst neg="False">
|
|
<ObjectRef ref="host-hostA"/>
|
|
</TDst>
|
|
<TSrv neg="False">
|
|
<ServiceRef ref="id3B4FF09A"/>
|
|
</TSrv>
|
|
<ItfInb neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ItfInb>
|
|
<ItfOutb neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ItfOutb>
|
|
<NATRuleOptions/>
|
|
</NATRule>
|
|
<NATRule id="id31935X1798" disabled="False" group="" position="35" action="Translate" comment="">
|
|
<OSrc neg="True">
|
|
<ObjectRef ref="id3B4572AF"/>
|
|
</OSrc>
|
|
<ODst neg="True">
|
|
<ObjectRef ref="id40F195D2"/>
|
|
</ODst>
|
|
<OSrv neg="False">
|
|
<ServiceRef ref="tcp-HTTP"/>
|
|
</OSrv>
|
|
<TSrc neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</TSrc>
|
|
<TDst neg="False">
|
|
<ObjectRef ref="id40F195D2"/>
|
|
</TDst>
|
|
<TSrv neg="False">
|
|
<ServiceRef ref="id3B4FF09A"/>
|
|
</TSrv>
|
|
<ItfInb neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ItfInb>
|
|
<ItfOutb neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ItfOutb>
|
|
<NATRuleOptions/>
|
|
</NATRule>
|
|
<NATRule id="id31949X1798" disabled="False" group="" position="36" action="Translate" comment="">
|
|
<OSrc neg="True">
|
|
<ObjectRef ref="id3B4572AF"/>
|
|
</OSrc>
|
|
<ODst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ODst>
|
|
<OSrv neg="True">
|
|
<ServiceRef ref="tcp-HTTP"/>
|
|
</OSrv>
|
|
<TSrc neg="False">
|
|
<ObjectRef ref="id32090X1798"/>
|
|
</TSrc>
|
|
<TDst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</TDst>
|
|
<TSrv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</TSrv>
|
|
<ItfInb neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ItfInb>
|
|
<ItfOutb neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ItfOutb>
|
|
<NATRuleOptions/>
|
|
</NATRule>
|
|
<NATRule id="id31963X1798" disabled="False" group="" position="37" action="Translate" comment="">
|
|
<OSrc neg="False">
|
|
<ObjectRef ref="net-Internal_net"/>
|
|
</OSrc>
|
|
<ODst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ODst>
|
|
<OSrv neg="False">
|
|
<ServiceRef ref="tcp-HTTP"/>
|
|
</OSrv>
|
|
<TSrc neg="False">
|
|
<ObjectRef ref="id32090X1798"/>
|
|
</TSrc>
|
|
<TDst neg="False">
|
|
<ObjectRef ref="host-hostA"/>
|
|
</TDst>
|
|
<TSrv neg="False">
|
|
<ServiceRef ref="id3B4FF09A"/>
|
|
</TSrv>
|
|
<ItfInb neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ItfInb>
|
|
<ItfOutb neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ItfOutb>
|
|
<NATRuleOptions/>
|
|
</NATRule>
|
|
<NATRule id="id31977X1798" disabled="False" group="" position="38" action="Translate" comment="this is the "exception" rule used in support req. originally">
|
|
<OSrc neg="False">
|
|
<ObjectRef ref="id3B4572AF"/>
|
|
</OSrc>
|
|
<ODst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ODst>
|
|
<OSrv neg="False">
|
|
<ServiceRef ref="tcp-HTTP"/>
|
|
</OSrv>
|
|
<TSrc neg="False">
|
|
<ObjectRef ref="id32095X1798"/>
|
|
</TSrc>
|
|
<TDst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</TDst>
|
|
<TSrv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</TSrv>
|
|
<ItfInb neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ItfInb>
|
|
<ItfOutb neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ItfOutb>
|
|
<NATRuleOptions>
|
|
<Option name="color">#C08B5A</Option>
|
|
</NATRuleOptions>
|
|
</NATRule>
|
|
<NATRule id="id31991X1798" disabled="False" group="" position="39" action="Translate" comment="">
|
|
<OSrc neg="False">
|
|
<ObjectRef ref="net-Internal_net"/>
|
|
</OSrc>
|
|
<ODst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ODst>
|
|
<OSrv neg="False">
|
|
<ServiceRef ref="tcp-HTTP"/>
|
|
</OSrv>
|
|
<TSrc neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</TSrc>
|
|
<TDst neg="False">
|
|
<ObjectRef ref="id32092X1798"/>
|
|
</TDst>
|
|
<TSrv neg="False">
|
|
<ServiceRef ref="id3B4FF09A"/>
|
|
</TSrv>
|
|
<ItfInb neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ItfInb>
|
|
<ItfOutb neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ItfOutb>
|
|
<NATRuleOptions>
|
|
<Option name="color">#C08B5A</Option>
|
|
</NATRuleOptions>
|
|
</NATRule>
|
|
<NATRule id="id32005X1798" disabled="False" group="" position="40" action="Translate" comment=""exception" rule in the pair from a support req.">
|
|
<OSrc neg="False">
|
|
<ObjectRef ref="id3B4572AF"/>
|
|
</OSrc>
|
|
<ODst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ODst>
|
|
<OSrv neg="False">
|
|
<ServiceRef ref="tcp-HTTP"/>
|
|
</OSrv>
|
|
<TSrc neg="False">
|
|
<ObjectRef ref="id32095X1798"/>
|
|
</TSrc>
|
|
<TDst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</TDst>
|
|
<TSrv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</TSrv>
|
|
<ItfInb neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ItfInb>
|
|
<ItfOutb neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ItfOutb>
|
|
<NATRuleOptions>
|
|
<Option name="color">#8BC065</Option>
|
|
</NATRuleOptions>
|
|
</NATRule>
|
|
<NATRule id="id32019X1798" disabled="False" group="" position="41" action="Translate" comment="testing transparent proxy rules for a support req.">
|
|
<OSrc neg="True">
|
|
<ObjectRef ref="id3B4572AF"/>
|
|
</OSrc>
|
|
<ODst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ODst>
|
|
<OSrv neg="False">
|
|
<ServiceRef ref="tcp-HTTP"/>
|
|
</OSrv>
|
|
<TSrc neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</TSrc>
|
|
<TDst neg="False">
|
|
<ObjectRef ref="id32092X1798"/>
|
|
</TDst>
|
|
<TSrv neg="False">
|
|
<ServiceRef ref="id3B4FF09A"/>
|
|
</TSrv>
|
|
<ItfInb neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ItfInb>
|
|
<ItfOutb neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ItfOutb>
|
|
<NATRuleOptions>
|
|
<Option name="color">#8BC065</Option>
|
|
</NATRuleOptions>
|
|
</NATRule>
|
|
<NATRule id="id32033X1798" disabled="False" group="" position="42" action="Translate" comment="testing transparent proxy rules for a support req.">
|
|
<OSrc neg="True">
|
|
<ObjectRef ref="id3B4572AF"/>
|
|
</OSrc>
|
|
<ODst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ODst>
|
|
<OSrv neg="False">
|
|
<ServiceRef ref="tcp-HTTP"/>
|
|
</OSrv>
|
|
<TSrc neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</TSrc>
|
|
<TDst neg="False">
|
|
<ObjectRef ref="id32090X1798"/>
|
|
</TDst>
|
|
<TSrv neg="False">
|
|
<ServiceRef ref="id3B4FF09A"/>
|
|
</TSrv>
|
|
<ItfInb neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ItfInb>
|
|
<ItfOutb neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ItfOutb>
|
|
<NATRuleOptions>
|
|
<Option name="color">#8BC065</Option>
|
|
</NATRuleOptions>
|
|
</NATRule>
|
|
<NATRule id="id32047X1798" disabled="False" group="" position="43" action="Translate" comment="testing transparent proxy rules for a support req.">
|
|
<OSrc neg="True">
|
|
<ObjectRef ref="id3B4572AF"/>
|
|
</OSrc>
|
|
<ODst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ODst>
|
|
<OSrv neg="False">
|
|
<ServiceRef ref="tcp-HTTP"/>
|
|
</OSrv>
|
|
<TSrc neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</TSrc>
|
|
<TDst neg="False">
|
|
<ObjectRef ref="id31158X1798"/>
|
|
</TDst>
|
|
<TSrv neg="False">
|
|
<ServiceRef ref="id3B4FF09A"/>
|
|
</TSrv>
|
|
<ItfInb neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ItfInb>
|
|
<ItfOutb neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ItfOutb>
|
|
<NATRuleOptions>
|
|
<Option name="color">#8BC065</Option>
|
|
</NATRuleOptions>
|
|
</NATRule>
|
|
<NATRule id="id32061X1798" disabled="False" group="" position="44" action="Translate" comment=""exception" rule in the pair from a support req.">
|
|
<OSrc neg="False">
|
|
<ObjectRef ref="id3B4572AF"/>
|
|
</OSrc>
|
|
<ODst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ODst>
|
|
<OSrv neg="False">
|
|
<ServiceRef ref="tcp-HTTP"/>
|
|
</OSrv>
|
|
<TSrc neg="False">
|
|
<ObjectRef ref="id32095X1798"/>
|
|
</TSrc>
|
|
<TDst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</TDst>
|
|
<TSrv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</TSrv>
|
|
<ItfInb neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ItfInb>
|
|
<ItfOutb neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ItfOutb>
|
|
<NATRuleOptions>
|
|
<Option name="color">#C0BA44</Option>
|
|
</NATRuleOptions>
|
|
</NATRule>
|
|
<NATRule id="id32075X1798" disabled="False" group="" position="45" action="Translate" comment="testing transparent proxy rules for a support req.">
|
|
<OSrc neg="True">
|
|
<ObjectRef ref="id3B4572AF"/>
|
|
</OSrc>
|
|
<ODst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ODst>
|
|
<OSrv neg="False">
|
|
<ServiceRef ref="tcp-HTTP"/>
|
|
</OSrv>
|
|
<TSrc neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</TSrc>
|
|
<TDst neg="False">
|
|
<ObjectRef ref="id40F195D2"/>
|
|
</TDst>
|
|
<TSrv neg="False">
|
|
<ServiceRef ref="id3B4FF09A"/>
|
|
</TSrv>
|
|
<ItfInb neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ItfInb>
|
|
<ItfOutb neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ItfOutb>
|
|
<NATRuleOptions>
|
|
<Option name="color">#C0BA44</Option>
|
|
</NATRuleOptions>
|
|
</NATRule>
|
|
<RuleSetOptions/>
|
|
</NAT>
|
|
<Policy id="id31164X1798" name="Policy" comment="" ro="False" ipv4_rule_set="False" ipv6_rule_set="False" top_rule_set="True">
|
|
<PolicyRule id="id31165X1798" disabled="False" group="" log="True" position="0" action="Deny" direction="Inbound" comment="Anti-spoofing rule: deny and log inbound packets on this interface whose source address belongs to the listed internal objects">
|
|
<Src neg="False">
|
|
<ObjectRef ref="net-Internal_net"/>
|
|
<ObjectRef ref="id31158X1798"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="id32093X1798"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="action_on_reject"/>
|
|
<Option name="limit_suffix"/>
|
|
<Option name="limit_value">0</Option>
|
|
<Option name="log_prefix">Iface: %I RULE %N -- %A **</Option>
|
|
<Option name="stateless">True</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<PolicyRule id="id31178X1798" disabled="False" group="" log="True" position="1" action="Deny" direction="Outbound" comment="Anti-spoofing rule: deny and log outbound packets on this interface whose source address is NOT one of the listed internal objects (negated source)">
|
|
<Src neg="True">
|
|
<ObjectRef ref="net-Internal_net"/>
|
|
<ObjectRef ref="id31158X1798"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="id32093X1798"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="action_on_reject"/>
|
|
<Option name="limit_suffix"/>
|
|
<Option name="limit_value">0</Option>
|
|
<Option name="log_prefix">Iface: %I RULE %N -- %A **</Option>
|
|
<Option name="stateless">True</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<PolicyRule id="id31191X1798" disabled="False" group="" log="True" position="2" action="Deny" direction="Inbound" comment="testing group in "interface" this rule should be identical to rule 3 ">
|
|
<Src neg="False">
|
|
<ObjectRef ref="net-Internal_net"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="sg-DHCP"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="id4653B4A820440"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="action_on_reject"/>
|
|
<Option name="connlimit_masklen">0</Option>
|
|
<Option name="connlimit_value">0</Option>
|
|
<Option name="firewall_is_part_of_any_and_networks">False</Option>
|
|
<Option name="hashlimit_burst">0</Option>
|
|
<Option name="hashlimit_dstlimit">False</Option>
|
|
<Option name="hashlimit_mode">dstip</Option>
|
|
<Option name="hashlimit_suffix"/>
|
|
<Option name="hashlimit_value">0</Option>
|
|
<Option name="limit_burst">0</Option>
|
|
<Option name="limit_suffix"/>
|
|
<Option name="limit_value">0</Option>
|
|
<Option name="log_level"/>
|
|
<Option name="log_prefix"/>
|
|
<Option name="stateless">True</Option>
|
|
<Option name="ulog_nlgroup">1</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<PolicyRule id="id31203X1798" disabled="False" group="" log="True" position="3" action="Deny" direction="Inbound" comment="">
|
|
<Src neg="False">
|
|
<ObjectRef ref="net-Internal_net"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="sg-DHCP"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="id32093X1798"/>
|
|
<ObjectRef ref="id32096X1798"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="action_on_reject"/>
|
|
<Option name="connlimit_masklen">0</Option>
|
|
<Option name="connlimit_value">0</Option>
|
|
<Option name="firewall_is_part_of_any_and_networks">False</Option>
|
|
<Option name="hashlimit_burst">0</Option>
|
|
<Option name="hashlimit_dstlimit">False</Option>
|
|
<Option name="hashlimit_mode">dstip</Option>
|
|
<Option name="hashlimit_suffix"/>
|
|
<Option name="hashlimit_value">0</Option>
|
|
<Option name="limit_burst">0</Option>
|
|
<Option name="limit_suffix"/>
|
|
<Option name="limit_value">0</Option>
|
|
<Option name="log_level"/>
|
|
<Option name="log_prefix"/>
|
|
<Option name="stateless">True</Option>
|
|
<Option name="ulog_nlgroup">1</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<PolicyRule id="id31216X1798" disabled="False" group="" log="False" position="4" action="Accept" direction="Both" comment="testing choice of chains in case when several interfaces are used and rule matches 'any' or broadcast ">
|
|
<Src neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="id3F6D115C"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="sg-DHCP"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="id32093X1798"/>
|
|
<ObjectRef ref="id32096X1798"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions/>
|
|
</PolicyRule>
|
|
<PolicyRule id="id31229X1798" disabled="False" group="" log="False" position="5" action="Accept" direction="Inbound" comment="">
|
|
<Src neg="False">
|
|
<ObjectRef ref="id44C0695713221"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="id3F6D115C"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="sg-DHCP"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="id32093X1798"/>
|
|
<ObjectRef ref="id32096X1798"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions/>
|
|
</PolicyRule>
|
|
<PolicyRule id="id31242X1798" disabled="False" group="" log="False" position="6" action="Accept" direction="Outbound" comment="">
|
|
<Src neg="False">
|
|
<ObjectRef ref="net-Internal_net"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="id3F6D115C"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="sg-DHCP"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="id32093X1798"/>
|
|
<ObjectRef ref="id32096X1798"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions/>
|
|
</PolicyRule>
|
|
<PolicyRule id="id31255X1798" disabled="False" group="" log="True" position="7" action="Deny" direction="Both" comment="">
|
|
<Src neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Dst>
|
|
<Srv neg="True">
|
|
<ServiceRef ref="tcp-TCP-SYN"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="stateless">True</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<PolicyRule id="id31267X1798" disabled="False" group="" log="True" position="8" action="Deny" direction="Both" comment="block fragments">
|
|
<Src neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="ip-IP_Fragments"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="id"/>
|
|
<Option name="stateless">True</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<PolicyRule id="id31279X1798" disabled="False" group="" log="True" position="9" action="Reject" direction="Both" comment="rejects ident with a TCP RST and writes a log record with the custom prefix IDENT">
|
|
<Src neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="tcp-Auth"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="action_on_reject">TCP RST</Option>
|
|
<Option name="limit_suffix"/>
|
|
<Option name="limit_value">0</Option>
|
|
<Option name="log_prefix">IDENT</Option>
|
|
<Option name="stateless">True</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<PolicyRule id="id31291X1798" disabled="False" group="" log="True" position="10" action="Reject" direction="Both" comment="note: action_on_reject is TCP RST but the matched service is UDP (SNMP); confirm the intended reject type">
|
|
<Src neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="udp-SNMP"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="action_on_reject">TCP RST</Option>
|
|
<Option name="limit_burst">0</Option>
|
|
<Option name="limit_suffix"/>
|
|
<Option name="limit_value">0</Option>
|
|
<Option name="log_prefix"/>
|
|
<Option name="stateless">True</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<PolicyRule id="id112778X70161" disabled="False" group="" log="False" position="11" action="Accept" direction="Both" comment="using module iprange if iptables version is >= 1.2.11">
|
|
<Src neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="id3CEBFF26"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="udp-SNMP"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="color">#C0BA44</Option>
|
|
<Option name="stateless">False</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<PolicyRule id="id94383X70161" disabled="False" group="" log="False" position="12" action="Accept" direction="Both" comment="using module iprange if iptables version is >= 1.2.11">
|
|
<Src neg="False">
|
|
<ObjectRef ref="id3CEBFF26"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="udp-SNMP"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="color">#C0BA44</Option>
|
|
<Option name="stateless">False</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<PolicyRule id="id131133X70161" disabled="False" group="" log="False" position="13" action="Accept" direction="Both" comment="using module iprange if iptables version is >= 1.2.11">
|
|
<Src neg="False">
|
|
<ObjectRef ref="id3CEBFF28"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="id3CEBFF26"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="udp-SNMP"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="color">#C0BA44</Option>
|
|
<Option name="stateless">False</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<PolicyRule id="id131116X70161" disabled="False" group="" log="False" position="14" action="Accept" direction="Both" comment="using module iprange if iptables version is >= 1.2.11">
|
|
<Src neg="False">
|
|
<ObjectRef ref="id3CEBFF26"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="id3CEBFF28"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="udp-SNMP"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="color">#C0BA44</Option>
|
|
<Option name="stateless">False</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<PolicyRule id="id94366X70161" disabled="False" group="" log="False" position="15" action="Accept" direction="Both" comment="using module iprange if iptables version is >= 1.2.11">
|
|
<Src neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Src>
|
|
<Dst neg="True">
|
|
<ObjectRef ref="id3CEBFF26"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="udp-SNMP"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="color">#C0BA44</Option>
|
|
<Option name="stateless">False</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<PolicyRule id="id94349X70161" disabled="False" group="" log="False" position="16" action="Accept" direction="Both" comment="using module iprange if iptables version is >= 1.2.11">
|
|
<Src neg="True">
|
|
<ObjectRef ref="id3CEBFF26"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="udp-SNMP"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="color">#C0BA44</Option>
|
|
<Option name="stateless">False</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<PolicyRule id="id94331X70161" disabled="False" group="" log="False" position="17" action="Accept" direction="Both" comment="using module iprange if iptables version is >= 1.2.11">
|
|
<Src neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Src>
|
|
<Dst neg="True">
|
|
<ObjectRef ref="id3CEBFF26"/>
|
|
<ObjectRef ref="id417B3641"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="udp-SNMP"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="color">#C0BA44</Option>
|
|
<Option name="stateless">False</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<PolicyRule id="id94313X70161" disabled="False" group="" log="False" position="18" action="Accept" direction="Both" comment="using module iprange if iptables version is >= 1.2.11">
|
|
<Src neg="True">
|
|
<ObjectRef ref="id3CEBFF26"/>
|
|
<ObjectRef ref="id417B3641"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="udp-SNMP"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="color">#C0BA44</Option>
|
|
<Option name="stateless">False</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<PolicyRule id="id59411X59595" disabled="False" group="" log="True" position="19" action="Deny" direction="Both" comment="using module iprange if iptables version is >= 1.2.11 also test for bug #2526173">
|
|
<Src neg="False">
|
|
<ObjectRef ref="id40D153ED"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="color">#C0BA44</Option>
|
|
<Option name="stateless">True</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<PolicyRule id="id80837X35957" disabled="False" group="" log="False" position="20" action="Accept" direction="Both" comment="using module iprange if iptables version is >= 1.2.11">
|
|
<Src neg="False">
|
|
<ObjectRef ref="id42386X35957"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="udp-SNMP"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="color">#C0BA44</Option>
|
|
<Option name="stateless">False</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<PolicyRule id="id31303X1798" disabled="False" group="" log="True" position="21" action="Accept" direction="Both" comment="">
|
|
<Src neg="False">
|
|
<ObjectRef ref="id3B022266"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="id32101X1798"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="id3C1A5D46"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions/>
|
|
</PolicyRule>
|
|
<PolicyRule id="id31315X1798" disabled="False" group="" log="False" position="22" action="Accept" direction="Both" comment="">
|
|
<Src neg="False">
|
|
<ObjectRef ref="id3B4572AF"/>
|
|
<ObjectRef ref="id3D8FC56A"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="host-secondary1-com"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions/>
|
|
</PolicyRule>
|
|
<PolicyRule id="id31328X1798" disabled="False" group="" log="False" position="23" action="Accept" direction="Both" comment="">
|
|
<Src neg="False">
|
|
<ObjectRef ref="host-secondary1-com"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="id3B4572AF"/>
|
|
<ObjectRef ref="id3D8FC56A"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions/>
|
|
</PolicyRule>
|
|
<PolicyRule id="id31341X1798" disabled="False" group="" log="False" position="24" action="Reject" direction="Both" comment="">
|
|
<Src neg="True">
|
|
<ObjectRef ref="net-Internal_net"/>
|
|
<ObjectRef ref="id3B022266"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="stateless">True</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<PolicyRule id="id31354X1798" disabled="False" group="" log="False" position="25" action="Accept" direction="Both" comment="">
|
|
<Src neg="False">
|
|
<ObjectRef ref="net-Internal_net"/>
|
|
<ObjectRef ref="id3B022266"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions/>
|
|
</PolicyRule>
|
|
<PolicyRule id="id31367X1798" disabled="False" group="" log="True" position="26" action="Deny" direction="Both" comment="">
|
|
<Src neg="False">
|
|
<ObjectRef ref="net-Internal_net"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="stateless">True</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<PolicyRule id="id31379X1798" disabled="False" group="" log="True" position="27" action="Accept" direction="Both" comment="host-fw2 has the same address as one of the firewall's interfaces">
|
|
<Src neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="id3AFC0F70"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="tcp-FTP"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="action_on_reject"/>
|
|
<Option name="limit_burst">10</Option>
|
|
<Option name="limit_suffix">/minute</Option>
|
|
<Option name="limit_value">5</Option>
|
|
<Option name="log_prefix"/>
|
|
<Option name="stateless">False</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<PolicyRule id="id31391X1798" disabled="False" group="" log="True" position="28" action="Accept" direction="Both" comment="">
|
|
<Src neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="id31158X1798"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="tcp-FTP"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions/>
|
|
</PolicyRule>
|
|
<PolicyRule id="id31403X1798" disabled="False" group="" log="True" position="29" action="Deny" direction="Both" comment="'catch all' rule">
|
|
<Src neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="id"/>
|
|
<Option name="stateless">True</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<RuleSetOptions/>
|
|
</Policy>
|
|
<Routing id="id32089X1798" name="Routing" comment="" ro="False" ipv4_rule_set="False" ipv6_rule_set="False" top_rule_set="True">
|
|
<RuleSetOptions/>
|
|
</Routing>
|
|
<Interface id="id32090X1798" dedicated_failover="False" dyn="False" label="" mgmt="True" security_level="100" unnum="False" unprotected="False" name="eth0" comment="" ro="False">
|
|
<IPv4 id="id32092X1798" name="firewall2-1:eth0:ip" comment="" ro="False" address="192.168.1.1" netmask="255.255.255.0"/>
|
|
<InterfaceOptions/>
|
|
</Interface>
|
|
<Interface id="id32093X1798" dedicated_failover="False" dyn="False" security_level="0" unnum="False" unprotected="False" name="eth1" comment="" ro="False">
|
|
<IPv4 id="id32095X1798" name="firewall2-1:eth1:ip" comment="" ro="False" address="22.22.22.22" netmask="255.255.255.0"/>
|
|
<InterfaceOptions/>
|
|
</Interface>
|
|
<Interface id="id32096X1798" dedicated_failover="False" dyn="False" label="" mgmt="False" security_level="0" unnum="False" unprotected="False" name="eth3" comment="" ro="False">
|
|
<IPv4 id="id32099X1798" name="firewall2-1:eth3:ip1" comment="" ro="False" address="22.22.23.23" netmask="255.255.255.0"/>
|
|
<IPv4 id="id32100X1798" name="firewall2-1:eth3:ip2" comment="" ro="False" address="22.22.25.50" netmask="255.255.255.0"/>
|
|
<InterfaceOptions/>
|
|
</Interface>
|
|
<Interface id="id32101X1798" dedicated_failover="False" dyn="False" security_level="100" unnum="False" unprotected="False" name="eth2" comment="" ro="False">
|
|
<IPv4 id="id32104X1798" name="firewall2-1:eth2:ip1" comment="" ro="False" address="192.168.2.1" netmask="255.255.255.0"/>
|
|
<IPv4 id="id32105X1798" name="firewall2-1:eth2:ip2" comment="" ro="False" address="192.168.2.40" netmask="255.255.255.0"/>
|
|
<InterfaceOptions/>
|
|
</Interface>
|
|
<Interface id="id32106X1798" dedicated_failover="False" dyn="False" label="" security_level="100" unnum="False" unprotected="False" name="lo" comment="" ro="False">
|
|
<IPv4 id="id32108X1798" name="firewall2-1:lo:ip" comment="" ro="False" address="127.0.0.1" netmask="255.0.0.0"/>
|
|
<InterfaceOptions/>
|
|
</Interface>
|
|
<Management address="192.168.1.1">
|
|
<SNMPManagement enabled="False" snmp_read_community="public" snmp_write_community=""/>
|
|
<FWBDManagement enabled="True" identity="" port="9999"/>
|
|
<PolicyInstallScript arguments="" command="" enabled="False"/>
|
|
</Management>
|
|
<FirewallOptions>
|
|
<Option name="accept_established">True</Option>
|
|
<Option name="accept_new_tcp_with_no_syn">False</Option>
|
|
<Option name="action_on_reject">ICMP net unreachable</Option>
|
|
<Option name="activationCmd"/>
|
|
<Option name="admUser"/>
|
|
<Option name="altAddress"/>
|
|
<Option name="bridging_fw">False</Option>
|
|
<Option name="check_shading">True</Option>
|
|
<Option name="clamp_mss_to_mtu">True</Option>
|
|
<Option name="classify_mark_terminating">False</Option>
|
|
<Option name="cmdline"/>
|
|
<Option name="compiler"/>
|
|
<Option name="configure_interfaces">True</Option>
|
|
<Option name="debug">False</Option>
|
|
<Option name="drop_invalid">True</Option>
|
|
<Option name="dyn_addr">False</Option>
|
|
<Option name="epilog_script"/>
|
|
<Option name="firewall_dir"/>
|
|
<Option name="firewall_is_part_of_any">True</Option>
|
|
<Option name="firewall_is_part_of_any_and_networks">True</Option>
|
|
<Option name="id"/>
|
|
<Option name="ignore_empty_groups">False</Option>
|
|
<Option name="inst_cmdline"/>
|
|
<Option name="inst_script"/>
|
|
<Option name="install_script"/>
|
|
<Option name="ipv4_6_order">ipv4_first</Option>
|
|
<Option name="limit_suffix">/second</Option>
|
|
<Option name="limit_value">5</Option>
|
|
<Option name="linux24_accept_redirects">0</Option>
|
|
<Option name="linux24_accept_source_route">0</Option>
|
|
<Option name="linux24_icmp_echo_ignore_all">1</Option>
|
|
<Option name="linux24_icmp_echo_ignore_broadcasts"/>
|
|
<Option name="linux24_icmp_ignore_bogus_error_responses">1</Option>
|
|
<Option name="linux24_ip_dynaddr"/>
|
|
<Option name="linux24_ip_forward">1</Option>
|
|
<Option name="linux24_log_martians">1</Option>
|
|
<Option name="linux24_path_ip"/>
|
|
<Option name="linux24_path_iptables"/>
|
|
<Option name="linux24_path_logger"/>
|
|
<Option name="linux24_path_lsmod"/>
|
|
<Option name="linux24_path_modprobe"/>
|
|
<Option name="linux24_rp_filter">1</Option>
|
|
<Option name="linux24_tcp_ecn"/>
|
|
<Option name="linux24_tcp_fack"/>
|
|
<Option name="linux24_tcp_fin_timeout">30</Option>
|
|
<Option name="linux24_tcp_keepalive_interval">1800</Option>
|
|
<Option name="linux24_tcp_sack"/>
|
|
<Option name="linux24_tcp_syncookies"/>
|
|
<Option name="linux24_tcp_timestamps"/>
|
|
<Option name="linux24_tcp_window_scaling"/>
|
|
<Option name="load_modules">False</Option>
|
|
<Option name="local_nat">True</Option>
|
|
<Option name="log_all">False</Option>
|
|
<Option name="log_all_dropped">True</Option>
|
|
<Option name="log_invalid">True</Option>
|
|
<Option name="log_ip_opt">False</Option>
|
|
<Option name="log_level">debug</Option>
|
|
<Option name="log_limit_suffix">/second</Option>
|
|
<Option name="log_limit_value">0</Option>
|
|
<Option name="log_prefix">RULE %N - %A **</Option>
|
|
<Option name="log_tcp_opt">False</Option>
|
|
<Option name="log_tcp_seq">False</Option>
|
|
<Option name="manage_virtual_addr">True</Option>
|
|
<Option name="mgmt_addr"/>
|
|
<Option name="mgmt_ssh">False</Option>
|
|
<Option name="no_iochains_for_any">False</Option>
|
|
<Option name="no_ipv6_default_policy">False</Option>
|
|
<Option name="no_optimisation">False</Option>
|
|
<Option name="output_file"/>
|
|
<Option name="platform">iptables</Option>
|
|
<Option name="prolog_place">after_flush</Option>
|
|
<Option name="prolog_script"/>
|
|
<Option name="proxy_arp">True</Option>
|
|
<Option name="scpArgs"/>
|
|
<Option name="script_env_path"/>
|
|
<Option name="snmp_contact"/>
|
|
<Option name="snmp_description"/>
|
|
<Option name="snmp_location"/>
|
|
<Option name="sshArgs"/>
|
|
<Option name="ulog_cprange">0</Option>
|
|
<Option name="ulog_nlgroup">1</Option>
|
|
<Option name="ulog_qthreshold">1</Option>
|
|
<Option name="useULOG">False</Option>
|
|
<Option name="use_ULOG">True</Option>
|
|
<Option name="use_ip_tool">True</Option>
|
|
<Option name="use_iptables_restore">False</Option>
|
|
<Option name="use_numeric_log_levels">False</Option>
|
|
<Option name="verify_interfaces">False</Option>
|
|
</FirewallOptions>
|
|
</Firewall>
|
|
<Firewall id="id32114X1798" host_OS="linux24" inactive="False" lastCompiled="1215360886" lastInstalled="1142003872" lastModified="1264474374" platform="iptables" version="1.4.0" name="firewall2-2" comment="another copy of firewall2 but new iptables version" ro="False">
|
|
<NAT id="id32371X1798" name="NAT" comment="" ro="False" ipv4_rule_set="False" ipv6_rule_set="False" top_rule_set="True">
|
|
<NATRule id="id32372X1798" disabled="False" group="" position="0" action="Translate" comment="">
|
|
<OSrc neg="False">
|
|
<ObjectRef ref="net-Internal_net"/>
|
|
</OSrc>
|
|
<ODst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ODst>
|
|
<OSrv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</OSrv>
|
|
<TSrc neg="False">
|
|
<ObjectRef ref="id32114X1798"/>
|
|
</TSrc>
|
|
<TDst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</TDst>
|
|
<TSrv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</TSrv>
|
|
<ItfInb neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ItfInb>
|
|
<ItfOutb neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ItfOutb>
|
|
<NATRuleOptions>
|
|
<Option name="id"/>
|
|
</NATRuleOptions>
|
|
</NATRule>
|
|
<NATRule id="id32386X1798" disabled="False" group="" position="1" action="Translate" comment="">
|
|
<OSrc neg="False">
|
|
<ObjectRef ref="net-Internal_net"/>
|
|
</OSrc>
|
|
<ODst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ODst>
|
|
<OSrv neg="False">
|
|
<ServiceRef ref="tcp-HTTP"/>
|
|
<ServiceRef ref="sg-Useful_ICMP"/>
|
|
</OSrv>
|
|
<TSrc neg="False">
|
|
<ObjectRef ref="id32114X1798"/>
|
|
</TSrc>
|
|
<TDst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</TDst>
|
|
<TSrv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</TSrv>
|
|
<ItfInb neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ItfInb>
|
|
<ItfOutb neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ItfOutb>
|
|
<NATRuleOptions>
|
|
<Option name="id"/>
|
|
</NATRuleOptions>
|
|
</NATRule>
|
|
<NATRule id="id32401X1798" disabled="False" group="" position="2" action="Translate" comment="">
|
|
<OSrc neg="False">
|
|
<ObjectRef ref="net-Internal_net"/>
|
|
</OSrc>
|
|
<ODst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ODst>
|
|
<OSrv neg="False">
|
|
<ServiceRef ref="tcp-HTTP"/>
|
|
<ServiceRef ref="sg-Useful_ICMP"/>
|
|
<ServiceRef ref="ip-IPSEC"/>
|
|
<ServiceRef ref="id3F3E9EFC"/>
|
|
</OSrv>
|
|
<TSrc neg="False">
|
|
<ObjectRef ref="id32114X1798"/>
|
|
</TSrc>
|
|
<TDst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</TDst>
|
|
<TSrv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</TSrv>
|
|
<ItfInb neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ItfInb>
|
|
<ItfOutb neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ItfOutb>
|
|
<NATRuleOptions>
|
|
<Option name="id"/>
|
|
</NATRuleOptions>
|
|
</NATRule>
|
|
<NATRule id="id32418X1798" disabled="False" group="" position="3" action="Translate" comment="">
|
|
<OSrc neg="False">
|
|
<ObjectRef ref="net-Internal_net"/>
|
|
</OSrc>
|
|
<ODst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ODst>
|
|
<OSrv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</OSrv>
|
|
<TSrc neg="False">
|
|
<ObjectRef ref="id33052X1798"/>
|
|
</TSrc>
|
|
<TDst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</TDst>
|
|
<TSrv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</TSrv>
|
|
<ItfInb neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ItfInb>
|
|
<ItfOutb neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ItfOutb>
|
|
<NATRuleOptions>
|
|
<Option name="id"/>
|
|
</NATRuleOptions>
|
|
</NATRule>
|
|
<NATRule id="id32432X1798" disabled="False" group="" position="4" action="Translate" comment="">
|
|
<OSrc neg="False">
|
|
<ObjectRef ref="net-Internal_net"/>
|
|
</OSrc>
|
|
<ODst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ODst>
|
|
<OSrv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</OSrv>
|
|
<TSrc neg="False">
|
|
<ObjectRef ref="id33056X1798"/>
|
|
</TSrc>
|
|
<TDst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</TDst>
|
|
<TSrv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</TSrv>
|
|
<ItfInb neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ItfInb>
|
|
<ItfOutb neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ItfOutb>
|
|
<NATRuleOptions>
|
|
<Option name="id"/>
|
|
</NATRuleOptions>
|
|
</NATRule>
|
|
<NATRule id="id32446X1798" disabled="False" group="" position="5" action="Translate" comment="">
|
|
<OSrc neg="False">
|
|
<ObjectRef ref="net-Internal_net"/>
|
|
</OSrc>
|
|
<ODst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ODst>
|
|
<OSrv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</OSrv>
|
|
<TSrc neg="False">
|
|
<ObjectRef ref="id48356E0A14854"/>
|
|
</TSrc>
|
|
<TDst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</TDst>
|
|
<TSrv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</TSrv>
|
|
<ItfInb neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ItfInb>
|
|
<ItfOutb neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ItfOutb>
|
|
<NATRuleOptions>
|
|
<Option name="id"/>
|
|
</NATRuleOptions>
|
|
</NATRule>
|
|
<NATRule id="id32460X1798" disabled="False" group="" position="6" action="Translate" comment="">
|
|
<OSrc neg="False">
|
|
<ObjectRef ref="host-hostA"/>
|
|
</OSrc>
|
|
<ODst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ODst>
|
|
<OSrv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</OSrv>
|
|
<TSrc neg="False">
|
|
<ObjectRef ref="id3AFADBF9"/>
|
|
</TSrc>
|
|
<TDst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</TDst>
|
|
<TSrv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</TSrv>
|
|
<ItfInb neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ItfInb>
|
|
<ItfOutb neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ItfOutb>
|
|
<NATRuleOptions>
|
|
<Option name="id"/>
|
|
</NATRuleOptions>
|
|
</NATRule>
|
|
<NATRule id="id32474X1798" disabled="False" group="" position="7" action="Translate" comment="">
|
|
<OSrc neg="False">
|
|
<ObjectRef ref="host-hostA"/>
|
|
</OSrc>
|
|
<ODst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ODst>
|
|
<OSrv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</OSrv>
|
|
<TSrc neg="False">
|
|
<ObjectRef ref="id3DE47B6C"/>
|
|
</TSrc>
|
|
<TDst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</TDst>
|
|
<TSrv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</TSrv>
|
|
<ItfInb neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ItfInb>
|
|
<ItfOutb neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ItfOutb>
|
|
<NATRuleOptions>
|
|
<Option name="id"/>
|
|
</NATRuleOptions>
|
|
</NATRule>
|
|
<NATRule id="id32488X1798" disabled="False" group="" position="8" action="Translate" comment="">
|
|
<OSrc neg="False">
|
|
<ObjectRef ref="net-Internal_net"/>
|
|
</OSrc>
|
|
<ODst neg="False">
|
|
<ObjectRef ref="host-hostA"/>
|
|
<ObjectRef ref="id3D8FC56A"/>
|
|
</ODst>
|
|
<OSrv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</OSrv>
|
|
<TSrc neg="False">
|
|
<ObjectRef ref="id3AFC191C"/>
|
|
</TSrc>
|
|
<TDst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</TDst>
|
|
<TSrv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</TSrv>
|
|
<ItfInb neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ItfInb>
|
|
<ItfOutb neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ItfOutb>
|
|
<NATRuleOptions/>
|
|
</NATRule>
|
|
<NATRule id="id32503X1798" disabled="False" group="" position="9" action="Translate" comment="">
|
|
<OSrc neg="False">
|
|
<ObjectRef ref="host-hostA"/>
|
|
<ObjectRef ref="host-hostB"/>
|
|
<ObjectRef ref="id32114X1798"/>
|
|
<ObjectRef ref="id3B4572AF"/>
|
|
</OSrc>
|
|
<ODst neg="False">
|
|
<ObjectRef ref="id3D151943"/>
|
|
<ObjectRef ref="id3D151947"/>
|
|
</ODst>
|
|
<OSrv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</OSrv>
|
|
<TSrc neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</TSrc>
|
|
<TDst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</TDst>
|
|
<TSrv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</TSrv>
|
|
<ItfInb neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ItfInb>
|
|
<ItfOutb neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ItfOutb>
|
|
<NATRuleOptions/>
|
|
</NATRule>
|
|
<NATRule id="id32521X1798" disabled="False" group="" position="10" action="Translate" comment="">
|
|
<OSrc neg="False">
|
|
<ObjectRef ref="host-hostA"/>
|
|
<ObjectRef ref="host-hostB"/>
|
|
</OSrc>
|
|
<ODst neg="True">
|
|
<ObjectRef ref="id3D151943"/>
|
|
<ObjectRef ref="id3D151947"/>
|
|
</ODst>
|
|
<OSrv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</OSrv>
|
|
<TSrc neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</TSrc>
|
|
<TDst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</TDst>
|
|
<TSrv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</TSrv>
|
|
<ItfInb neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ItfInb>
|
|
<ItfOutb neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ItfOutb>
|
|
<NATRuleOptions/>
|
|
</NATRule>
|
|
<NATRule id="id32537X1798" disabled="False" group="" position="11" action="Translate" comment="">
|
|
<OSrc neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</OSrc>
|
|
<ODst neg="False">
|
|
<ObjectRef ref="id3AFADBF9"/>
|
|
</ODst>
|
|
<OSrv neg="False">
|
|
<ServiceRef ref="tcp-HTTP"/>
|
|
<ServiceRef ref="tcp-NNTP"/>
|
|
<ServiceRef ref="sg-Useful_ICMP"/>
|
|
<ServiceRef ref="ip-IPSEC"/>
|
|
<ServiceRef ref="id3F3E9EFC"/>
|
|
</OSrv>
|
|
<TSrc neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</TSrc>
|
|
<TDst neg="False">
|
|
<ObjectRef ref="host-hostA"/>
|
|
</TDst>
|
|
<TSrv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</TSrv>
|
|
<ItfInb neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ItfInb>
|
|
<ItfOutb neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ItfOutb>
|
|
<NATRuleOptions/>
|
|
</NATRule>
|
|
<NATRule id="id32555X1798" disabled="False" group="" position="12" action="Translate" comment="">
|
|
<OSrc neg="False">
|
|
<ObjectRef ref="id32114X1798"/>
|
|
</OSrc>
|
|
<ODst neg="False">
|
|
<ObjectRef ref="id3AFADBF9"/>
|
|
</ODst>
|
|
<OSrv neg="False">
|
|
<ServiceRef ref="tcp-HTTP"/>
|
|
<ServiceRef ref="tcp-NNTP"/>
|
|
<ServiceRef ref="sg-Useful_ICMP"/>
|
|
</OSrv>
|
|
<TSrc neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</TSrc>
|
|
<TDst neg="False">
|
|
<ObjectRef ref="host-hostA"/>
|
|
</TDst>
|
|
<TSrv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</TSrv>
|
|
<ItfInb neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ItfInb>
|
|
<ItfOutb neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ItfOutb>
|
|
<NATRuleOptions/>
|
|
</NATRule>
|
|
<NATRule id="id32571X1798" disabled="False" group="" position="13" action="Translate" comment="">
|
|
<OSrc neg="False">
|
|
<ObjectRef ref="id33052X1798"/>
|
|
</OSrc>
|
|
<ODst neg="False">
|
|
<ObjectRef ref="id3AFADBF9"/>
|
|
</ODst>
|
|
<OSrv neg="False">
|
|
<ServiceRef ref="tcp-HTTP"/>
|
|
<ServiceRef ref="tcp-NNTP"/>
|
|
</OSrv>
|
|
<TSrc neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</TSrc>
|
|
<TDst neg="False">
|
|
<ObjectRef ref="host-hostA"/>
|
|
</TDst>
|
|
<TSrv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</TSrv>
|
|
<ItfInb neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ItfInb>
|
|
<ItfOutb neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ItfOutb>
|
|
<NATRuleOptions/>
|
|
</NATRule>
|
|
<NATRule id="id32586X1798" disabled="False" group="" position="14" action="Translate" comment="">
|
|
<OSrc neg="False">
|
|
<ObjectRef ref="id32114X1798"/>
|
|
<ObjectRef ref="id3B19C5EB"/>
|
|
</OSrc>
|
|
<ODst neg="False">
|
|
<ObjectRef ref="id3AFADBF9"/>
|
|
</ODst>
|
|
<OSrv neg="False">
|
|
<ServiceRef ref="tcp-HTTP"/>
|
|
<ServiceRef ref="tcp-NNTP"/>
|
|
</OSrv>
|
|
<TSrc neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</TSrc>
|
|
<TDst neg="False">
|
|
<ObjectRef ref="host-hostA"/>
|
|
</TDst>
|
|
<TSrv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</TSrv>
|
|
<ItfInb neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ItfInb>
|
|
<ItfOutb neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ItfOutb>
|
|
<NATRuleOptions/>
|
|
</NATRule>
|
|
<NATRule id="id32602X1798" disabled="True" group="" position="15" action="Translate" comment="">
|
|
<OSrc neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</OSrc>
|
|
<ODst neg="False">
|
|
<ObjectRef ref="id3AFADBF9"/>
|
|
</ODst>
|
|
<OSrv neg="False">
|
|
<ServiceRef ref="tcp-HTTP"/>
|
|
</OSrv>
|
|
<TSrc neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</TSrc>
|
|
<TDst neg="False">
|
|
<ObjectRef ref="host-hostA"/>
|
|
<ObjectRef ref="host-hostB"/>
|
|
</TDst>
|
|
<TSrv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</TSrv>
|
|
<ItfInb neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ItfInb>
|
|
<ItfOutb neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ItfOutb>
|
|
<NATRuleOptions/>
|
|
</NATRule>
|
|
<NATRule id="id32617X1798" disabled="False" group="" position="16" action="Translate" comment="">
|
|
<OSrc neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</OSrc>
|
|
<ODst neg="False">
|
|
<ObjectRef ref="id3DE47B6C"/>
|
|
</ODst>
|
|
<OSrv neg="False">
|
|
<ServiceRef ref="tcp-HTTP"/>
|
|
<ServiceRef ref="tcp-NNTP"/>
|
|
</OSrv>
|
|
<TSrc neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</TSrc>
|
|
<TDst neg="False">
|
|
<ObjectRef ref="host-hostA"/>
|
|
</TDst>
|
|
<TSrv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</TSrv>
|
|
<ItfInb neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ItfInb>
|
|
<ItfOutb neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ItfOutb>
|
|
<NATRuleOptions/>
|
|
</NATRule>
|
|
<NATRule id="id32632X1798" disabled="False" group="" position="17" action="Translate" comment="">
|
|
<OSrc neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</OSrc>
|
|
<ODst neg="False">
|
|
<ObjectRef ref="id3AFC0F70"/>
|
|
</ODst>
|
|
<OSrv neg="False">
|
|
<ServiceRef ref="tcp-NNTP"/>
|
|
</OSrv>
|
|
<TSrc neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</TSrc>
|
|
<TDst neg="False">
|
|
<ObjectRef ref="host-hostA"/>
|
|
</TDst>
|
|
<TSrv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</TSrv>
|
|
<ItfInb neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ItfInb>
|
|
<ItfOutb neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ItfOutb>
|
|
<NATRuleOptions/>
|
|
</NATRule>
|
|
<NATRule id="id32646X1798" disabled="False" group="" position="18" action="Translate" comment="">
|
|
<OSrc neg="False">
|
|
<ObjectRef ref="host-hostB"/>
|
|
</OSrc>
|
|
<ODst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ODst>
|
|
<OSrv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</OSrv>
|
|
<TSrc neg="False">
|
|
<ObjectRef ref="id3BD6736B"/>
|
|
</TSrc>
|
|
<TDst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</TDst>
|
|
<TSrv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</TSrv>
|
|
<ItfInb neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ItfInb>
|
|
<ItfOutb neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ItfOutb>
|
|
<NATRuleOptions>
|
|
<Option name="id"/>
|
|
</NATRuleOptions>
|
|
</NATRule>
|
|
<NATRule id="id32660X1798" disabled="False" group="" position="19" action="Translate" comment="">
|
|
<OSrc neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</OSrc>
|
|
<ODst neg="False">
|
|
<ObjectRef ref="id3BD6736B"/>
|
|
</ODst>
|
|
<OSrv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</OSrv>
|
|
<TSrc neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</TSrc>
|
|
<TDst neg="False">
|
|
<ObjectRef ref="host-hostB"/>
|
|
</TDst>
|
|
<TSrv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</TSrv>
|
|
<ItfInb neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ItfInb>
|
|
<ItfOutb neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ItfOutb>
|
|
<NATRuleOptions/>
|
|
</NATRule>
|
|
<NATRule id="id32674X1798" disabled="False" group="" position="20" action="Translate" comment="">
|
|
<OSrc neg="False">
|
|
<ObjectRef ref="net-Internal_net"/>
|
|
</OSrc>
|
|
<ODst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ODst>
|
|
<OSrv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</OSrv>
|
|
<TSrc neg="False">
|
|
<ObjectRef ref="id4368AD8615884"/>
|
|
</TSrc>
|
|
<TDst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</TDst>
|
|
<TSrv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</TSrv>
|
|
<ItfInb neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ItfInb>
|
|
<ItfOutb neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ItfOutb>
|
|
<NATRuleOptions/>
|
|
</NATRule>
|
|
<NATRule id="id32688X1798" disabled="False" group="" position="21" action="Translate" comment="NETMAP ">
|
|
<OSrc neg="False">
|
|
<ObjectRef ref="net-Internal_net"/>
|
|
</OSrc>
|
|
<ODst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ODst>
|
|
<OSrv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</OSrv>
|
|
<TSrc neg="False">
|
|
<ObjectRef ref="id3B665641"/>
|
|
</TSrc>
|
|
<TDst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</TDst>
|
|
<TSrv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</TSrv>
|
|
<ItfInb neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ItfInb>
|
|
<ItfOutb neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ItfOutb>
|
|
<NATRuleOptions/>
|
|
</NATRule>
|
|
<NATRule id="id32702X1798" disabled="False" group="" position="22" action="Translate" comment="NETMAP">
|
|
<OSrc neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</OSrc>
|
|
<ODst neg="False">
|
|
<ObjectRef ref="id3B665641"/>
|
|
</ODst>
|
|
<OSrv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</OSrv>
|
|
<TSrc neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</TSrc>
|
|
<TDst neg="False">
|
|
<ObjectRef ref="net-Internal_net"/>
|
|
</TDst>
|
|
<TSrv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</TSrv>
|
|
<ItfInb neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ItfInb>
|
|
<ItfOutb neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ItfOutb>
|
|
<NATRuleOptions/>
|
|
</NATRule>
|
|
<NATRule id="id32716X1798" disabled="False" group="" position="23" action="Translate" comment="">
|
|
<OSrc neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</OSrc>
|
|
<ODst neg="False">
|
|
<ObjectRef ref="id32114X1798"/>
|
|
</ODst>
|
|
<OSrv neg="False">
|
|
<ServiceRef ref="id3B20468D"/>
|
|
</OSrv>
|
|
<TSrc neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</TSrc>
|
|
<TDst neg="False">
|
|
<ObjectRef ref="host-hostA"/>
|
|
</TDst>
|
|
<TSrv neg="False">
|
|
<ServiceRef ref="id3B20468D"/>
|
|
</TSrv>
|
|
<ItfInb neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ItfInb>
|
|
<ItfOutb neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ItfOutb>
|
|
<NATRuleOptions/>
|
|
</NATRule>
|
|
<NATRule id="id32730X1798" disabled="False" group="" position="24" action="Translate" comment="">
|
|
<OSrc neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</OSrc>
|
|
<ODst neg="False">
|
|
<ObjectRef ref="id33049X1798"/>
|
|
<ObjectRef ref="id33052X1798"/>
|
|
</ODst>
|
|
<OSrv neg="False">
|
|
<ServiceRef ref="tcp-HTTP"/>
|
|
</OSrv>
|
|
<TSrc neg="False">
|
|
<ObjectRef ref="id33046X1798"/>
|
|
</TSrc>
|
|
<TDst neg="False">
|
|
<ObjectRef ref="host-hostA"/>
|
|
</TDst>
|
|
<TSrv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</TSrv>
|
|
<ItfInb neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ItfInb>
|
|
<ItfOutb neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ItfOutb>
|
|
<NATRuleOptions/>
|
|
</NATRule>
|
|
<NATRule id="id32745X1798" disabled="False" group="" position="25" action="Translate" comment="">
|
|
<OSrc neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</OSrc>
|
|
<ODst neg="False">
|
|
<ObjectRef ref="id3AFADBF9"/>
|
|
</ODst>
|
|
<OSrv neg="False">
|
|
<ServiceRef ref="tcp-HTTP"/>
|
|
</OSrv>
|
|
<TSrc neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</TSrc>
|
|
<TDst neg="False">
|
|
<ObjectRef ref="host-hostA"/>
|
|
</TDst>
|
|
<TSrv neg="False">
|
|
<ServiceRef ref="tcp-SMTP"/>
|
|
</TSrv>
|
|
<ItfInb neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ItfInb>
|
|
<ItfOutb neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ItfOutb>
|
|
<NATRuleOptions/>
|
|
</NATRule>
|
|
<NATRule id="id32759X1798" disabled="False" group="" position="26" action="Translate" comment="">
|
|
<OSrc neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</OSrc>
|
|
<ODst neg="False">
|
|
<ObjectRef ref="id32114X1798"/>
|
|
</ODst>
|
|
<OSrv neg="False">
|
|
<ServiceRef ref="tcp-HTTP"/>
|
|
<ServiceRef ref="id3B4FED69"/>
|
|
</OSrv>
|
|
<TSrc neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</TSrc>
|
|
<TDst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</TDst>
|
|
<TSrv neg="False">
|
|
<ServiceRef ref="id3B4FF09A"/>
|
|
</TSrv>
|
|
<ItfInb neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ItfInb>
|
|
<ItfOutb neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ItfOutb>
|
|
<NATRuleOptions/>
|
|
</NATRule>
|
|
<NATRule id="id32774X1798" disabled="False" group="" position="27" action="Translate" comment="">
|
|
<OSrc neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</OSrc>
|
|
<ODst neg="False">
|
|
<ObjectRef ref="id33049X1798"/>
|
|
</ODst>
|
|
<OSrv neg="False">
|
|
<ServiceRef ref="id3DDDE4E4"/>
|
|
</OSrv>
|
|
<TSrc neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</TSrc>
|
|
<TDst neg="False">
|
|
<ObjectRef ref="id3CEBFF26"/>
|
|
</TDst>
|
|
<TSrv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</TSrv>
|
|
<ItfInb neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ItfInb>
|
|
<ItfOutb neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ItfOutb>
|
|
<NATRuleOptions/>
|
|
</NATRule>
|
|
<NATRule id="id32788X1798" disabled="False" group="" position="28" action="Translate" comment="">
|
|
<OSrc neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</OSrc>
|
|
<ODst neg="False">
|
|
<ObjectRef ref="id33049X1798"/>
|
|
</ODst>
|
|
<OSrv neg="False">
|
|
<ServiceRef ref="id3DDDE4E4"/>
|
|
</OSrv>
|
|
<TSrc neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</TSrc>
|
|
<TDst neg="False">
|
|
<ObjectRef ref="id3CD87A5E"/>
|
|
<ObjectRef ref="id3CD87A6D"/>
|
|
<ObjectRef ref="id3CD87A8B"/>
|
|
<ObjectRef ref="id3CD87A7C"/>
|
|
<ObjectRef ref="id3CD87A53"/>
|
|
</TDst>
|
|
<TSrv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</TSrv>
|
|
<ItfInb neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ItfInb>
|
|
<ItfOutb neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ItfOutb>
|
|
<NATRuleOptions/>
|
|
</NATRule>
|
|
<NATRule id="id32806X1798" disabled="False" group="" position="29" action="Translate" comment="transparent proxy rule">
|
|
<OSrc neg="False">
|
|
<ObjectRef ref="net-Internal_net"/>
|
|
</OSrc>
|
|
<ODst neg="True">
|
|
<ObjectRef ref="id3AFADBF9"/>
|
|
</ODst>
|
|
<OSrv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</OSrv>
|
|
<TSrc neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</TSrc>
|
|
<TDst neg="False">
|
|
<ObjectRef ref="id3D151943"/>
|
|
</TDst>
|
|
<TSrv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</TSrv>
|
|
<ItfInb neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ItfInb>
|
|
<ItfOutb neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ItfOutb>
|
|
<NATRuleOptions/>
|
|
</NATRule>
|
|
<NATRule id="id32820X1798" disabled="True" group="" position="30" action="Translate" comment="">
|
|
<OSrc neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</OSrc>
|
|
<ODst neg="False">
|
|
<ObjectRef ref="id33049X1798"/>
|
|
</ODst>
|
|
<OSrv neg="False">
|
|
<ServiceRef ref="id3DDDE4E4"/>
|
|
</OSrv>
|
|
<TSrc neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</TSrc>
|
|
<TDst neg="False">
|
|
<ObjectRef ref="host-hostA"/>
|
|
<ObjectRef ref="host-hostB"/>
|
|
</TDst>
|
|
<TSrv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</TSrv>
|
|
<ItfInb neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ItfInb>
|
|
<ItfOutb neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ItfOutb>
|
|
<NATRuleOptions/>
|
|
</NATRule>
|
|
<NATRule id="id32835X1798" disabled="False" group="" position="31" action="Translate" comment="">
|
|
<OSrc neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</OSrc>
|
|
<ODst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ODst>
|
|
<OSrv neg="False">
|
|
<ServiceRef ref="tcp-HTTP"/>
|
|
</OSrv>
|
|
<TSrc neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</TSrc>
|
|
<TDst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</TDst>
|
|
<TSrv neg="False">
|
|
<ServiceRef ref="id3DDDE4E4"/>
|
|
</TSrv>
|
|
<ItfInb neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ItfInb>
|
|
<ItfOutb neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ItfOutb>
|
|
<NATRuleOptions/>
|
|
</NATRule>
|
|
<NATRule id="id32849X1798" disabled="False" group="" position="32" action="Translate" comment="">
|
|
<OSrc neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</OSrc>
|
|
<ODst neg="False">
|
|
<ObjectRef ref="host-hostA"/>
|
|
</ODst>
|
|
<OSrv neg="False">
|
|
<ServiceRef ref="tcp-HTTP"/>
|
|
</OSrv>
|
|
<TSrc neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</TSrc>
|
|
<TDst neg="False">
|
|
<ObjectRef ref="host-hostA"/>
|
|
</TDst>
|
|
<TSrv neg="False">
|
|
<ServiceRef ref="id3DDDE4E4"/>
|
|
</TSrv>
|
|
<ItfInb neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ItfInb>
|
|
<ItfOutb neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ItfOutb>
|
|
<NATRuleOptions/>
|
|
</NATRule>
|
|
<NATRule id="id32863X1798" disabled="False" group="" position="33" action="Translate" comment="">
|
|
<OSrc neg="False">
|
|
<ObjectRef ref="host-hostA"/>
|
|
</OSrc>
|
|
<ODst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ODst>
|
|
<OSrv neg="False">
|
|
<ServiceRef ref="tcp-HTTP"/>
|
|
</OSrv>
|
|
<TSrc neg="False">
|
|
<ObjectRef ref="id33049X1798"/>
|
|
</TSrc>
|
|
<TDst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</TDst>
|
|
<TSrv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</TSrv>
|
|
<ItfInb neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ItfInb>
|
|
<ItfOutb neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ItfOutb>
|
|
<NATRuleOptions/>
|
|
</NATRule>
|
|
<NATRule id="id32877X1798" disabled="False" group="" position="34" action="Translate" comment="">
|
|
<OSrc neg="True">
|
|
<ObjectRef ref="host-hostA"/>
|
|
</OSrc>
|
|
<ODst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ODst>
|
|
<OSrv neg="False">
|
|
<ServiceRef ref="tcp-HTTP"/>
|
|
</OSrv>
|
|
<TSrc neg="False">
|
|
<ObjectRef ref="id33046X1798"/>
|
|
</TSrc>
|
|
<TDst neg="False">
|
|
<ObjectRef ref="host-hostA"/>
|
|
</TDst>
|
|
<TSrv neg="False">
|
|
<ServiceRef ref="id3B4FF09A"/>
|
|
</TSrv>
|
|
<ItfInb neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ItfInb>
|
|
<ItfOutb neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ItfOutb>
|
|
<NATRuleOptions/>
|
|
</NATRule>
|
|
<NATRule id="id32891X1798" disabled="False" group="" position="35" action="Translate" comment="">
|
|
<OSrc neg="True">
|
|
<ObjectRef ref="id3B4572AF"/>
|
|
</OSrc>
|
|
<ODst neg="True">
|
|
<ObjectRef ref="id40F195D2"/>
|
|
</ODst>
|
|
<OSrv neg="False">
|
|
<ServiceRef ref="tcp-HTTP"/>
|
|
</OSrv>
|
|
<TSrc neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</TSrc>
|
|
<TDst neg="False">
|
|
<ObjectRef ref="id40F195D2"/>
|
|
</TDst>
|
|
<TSrv neg="False">
|
|
<ServiceRef ref="id3B4FF09A"/>
|
|
</TSrv>
|
|
<ItfInb neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ItfInb>
|
|
<ItfOutb neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ItfOutb>
|
|
<NATRuleOptions/>
|
|
</NATRule>
|
|
<NATRule id="id32905X1798" disabled="False" group="" position="36" action="Translate" comment="">
|
|
<OSrc neg="True">
|
|
<ObjectRef ref="id3B4572AF"/>
|
|
</OSrc>
|
|
<ODst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ODst>
|
|
<OSrv neg="True">
|
|
<ServiceRef ref="tcp-HTTP"/>
|
|
</OSrv>
|
|
<TSrc neg="False">
|
|
<ObjectRef ref="id33046X1798"/>
|
|
</TSrc>
|
|
<TDst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</TDst>
|
|
<TSrv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</TSrv>
|
|
<ItfInb neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ItfInb>
|
|
<ItfOutb neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ItfOutb>
|
|
<NATRuleOptions/>
|
|
</NATRule>
|
|
<NATRule id="id32919X1798" disabled="False" group="" position="37" action="Translate" comment="">
|
|
<OSrc neg="False">
|
|
<ObjectRef ref="net-Internal_net"/>
|
|
</OSrc>
|
|
<ODst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ODst>
|
|
<OSrv neg="False">
|
|
<ServiceRef ref="tcp-HTTP"/>
|
|
</OSrv>
|
|
<TSrc neg="False">
|
|
<ObjectRef ref="id33046X1798"/>
|
|
</TSrc>
|
|
<TDst neg="False">
|
|
<ObjectRef ref="host-hostA"/>
|
|
</TDst>
|
|
<TSrv neg="False">
|
|
<ServiceRef ref="id3B4FF09A"/>
|
|
</TSrv>
|
|
<ItfInb neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ItfInb>
|
|
<ItfOutb neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ItfOutb>
|
|
<NATRuleOptions/>
|
|
</NATRule>
|
|
<NATRule id="id32933X1798" disabled="False" group="" position="38" action="Translate" comment="this is the &quot;exception&quot; rule used in support req. originally">
|
|
<OSrc neg="False">
|
|
<ObjectRef ref="id3B4572AF"/>
|
|
</OSrc>
|
|
<ODst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ODst>
|
|
<OSrv neg="False">
|
|
<ServiceRef ref="tcp-HTTP"/>
|
|
</OSrv>
|
|
<TSrc neg="False">
|
|
<ObjectRef ref="id33051X1798"/>
|
|
</TSrc>
|
|
<TDst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</TDst>
|
|
<TSrv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</TSrv>
|
|
<ItfInb neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ItfInb>
|
|
<ItfOutb neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ItfOutb>
|
|
<NATRuleOptions>
|
|
<Option name="color">#C08B5A</Option>
|
|
</NATRuleOptions>
|
|
</NATRule>
|
|
<NATRule id="id32947X1798" disabled="False" group="" position="39" action="Translate" comment="">
|
|
<OSrc neg="False">
|
|
<ObjectRef ref="net-Internal_net"/>
|
|
</OSrc>
|
|
<ODst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ODst>
|
|
<OSrv neg="False">
|
|
<ServiceRef ref="tcp-HTTP"/>
|
|
</OSrv>
|
|
<TSrc neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</TSrc>
|
|
<TDst neg="False">
|
|
<ObjectRef ref="id33048X1798"/>
|
|
</TDst>
|
|
<TSrv neg="False">
|
|
<ServiceRef ref="id3B4FF09A"/>
|
|
</TSrv>
|
|
<ItfInb neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ItfInb>
|
|
<ItfOutb neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ItfOutb>
|
|
<NATRuleOptions>
|
|
<Option name="color">#C08B5A</Option>
|
|
</NATRuleOptions>
|
|
</NATRule>
|
|
<NATRule id="id32961X1798" disabled="False" group="" position="40" action="Translate" comment="&quot;exception&quot; rule in the pair from a support req.">
|
|
<OSrc neg="False">
|
|
<ObjectRef ref="id3B4572AF"/>
|
|
</OSrc>
|
|
<ODst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ODst>
|
|
<OSrv neg="False">
|
|
<ServiceRef ref="tcp-HTTP"/>
|
|
</OSrv>
|
|
<TSrc neg="False">
|
|
<ObjectRef ref="id33051X1798"/>
|
|
</TSrc>
|
|
<TDst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</TDst>
|
|
<TSrv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</TSrv>
|
|
<ItfInb neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ItfInb>
|
|
<ItfOutb neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ItfOutb>
|
|
<NATRuleOptions>
|
|
<Option name="color">#8BC065</Option>
|
|
</NATRuleOptions>
|
|
</NATRule>
|
|
<NATRule id="id32975X1798" disabled="False" group="" position="41" action="Translate" comment="testing transparent proxy rules for a support req.">
|
|
<OSrc neg="True">
|
|
<ObjectRef ref="id3B4572AF"/>
|
|
</OSrc>
|
|
<ODst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ODst>
|
|
<OSrv neg="False">
|
|
<ServiceRef ref="tcp-HTTP"/>
|
|
</OSrv>
|
|
<TSrc neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</TSrc>
|
|
<TDst neg="False">
|
|
<ObjectRef ref="id33048X1798"/>
|
|
</TDst>
|
|
<TSrv neg="False">
|
|
<ServiceRef ref="id3B4FF09A"/>
|
|
</TSrv>
|
|
<ItfInb neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ItfInb>
|
|
<ItfOutb neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ItfOutb>
|
|
<NATRuleOptions>
|
|
<Option name="color">#8BC065</Option>
|
|
</NATRuleOptions>
|
|
</NATRule>
|
|
<NATRule id="id32989X1798" disabled="False" group="" position="42" action="Translate" comment="testing transparent proxy rules for a support req.">
|
|
<OSrc neg="True">
|
|
<ObjectRef ref="id3B4572AF"/>
|
|
</OSrc>
|
|
<ODst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ODst>
|
|
<OSrv neg="False">
|
|
<ServiceRef ref="tcp-HTTP"/>
|
|
</OSrv>
|
|
<TSrc neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</TSrc>
|
|
<TDst neg="False">
|
|
<ObjectRef ref="id33046X1798"/>
|
|
</TDst>
|
|
<TSrv neg="False">
|
|
<ServiceRef ref="id3B4FF09A"/>
|
|
</TSrv>
|
|
<ItfInb neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ItfInb>
|
|
<ItfOutb neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ItfOutb>
|
|
<NATRuleOptions>
|
|
<Option name="color">#8BC065</Option>
|
|
</NATRuleOptions>
|
|
</NATRule>
|
|
<NATRule id="id33003X1798" disabled="False" group="" position="43" action="Translate" comment="testing transparent proxy rules for a support req.">
|
|
<OSrc neg="True">
|
|
<ObjectRef ref="id3B4572AF"/>
|
|
</OSrc>
|
|
<ODst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ODst>
|
|
<OSrv neg="False">
|
|
<ServiceRef ref="tcp-HTTP"/>
|
|
</OSrv>
|
|
<TSrc neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</TSrc>
|
|
<TDst neg="False">
|
|
<ObjectRef ref="id32114X1798"/>
|
|
</TDst>
|
|
<TSrv neg="False">
|
|
<ServiceRef ref="id3B4FF09A"/>
|
|
</TSrv>
|
|
<ItfInb neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ItfInb>
|
|
<ItfOutb neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ItfOutb>
|
|
<NATRuleOptions>
|
|
<Option name="color">#8BC065</Option>
|
|
</NATRuleOptions>
|
|
</NATRule>
|
|
<NATRule id="id33017X1798" disabled="False" group="" position="44" action="Translate" comment="&quot;exception&quot; rule in the pair from a support req.">
|
|
<OSrc neg="False">
|
|
<ObjectRef ref="id3B4572AF"/>
|
|
</OSrc>
|
|
<ODst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ODst>
|
|
<OSrv neg="False">
|
|
<ServiceRef ref="tcp-HTTP"/>
|
|
</OSrv>
|
|
<TSrc neg="False">
|
|
<ObjectRef ref="id33051X1798"/>
|
|
</TSrc>
|
|
<TDst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</TDst>
|
|
<TSrv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</TSrv>
|
|
<ItfInb neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ItfInb>
|
|
<ItfOutb neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ItfOutb>
|
|
<NATRuleOptions>
|
|
<Option name="color">#C0BA44</Option>
|
|
</NATRuleOptions>
|
|
</NATRule>
|
|
<NATRule id="id33031X1798" disabled="False" group="" position="45" action="Translate" comment="testing transparent proxy rules for a support req.">
|
|
<OSrc neg="True">
|
|
<ObjectRef ref="id3B4572AF"/>
|
|
</OSrc>
|
|
<ODst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ODst>
|
|
<OSrv neg="False">
|
|
<ServiceRef ref="tcp-HTTP"/>
|
|
</OSrv>
|
|
<TSrc neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</TSrc>
|
|
<TDst neg="False">
|
|
<ObjectRef ref="id40F195D2"/>
|
|
</TDst>
|
|
<TSrv neg="False">
|
|
<ServiceRef ref="id3B4FF09A"/>
|
|
</TSrv>
|
|
<ItfInb neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ItfInb>
|
|
<ItfOutb neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ItfOutb>
|
|
<NATRuleOptions>
|
|
<Option name="color">#C0BA44</Option>
|
|
</NATRuleOptions>
|
|
</NATRule>
|
|
<RuleSetOptions/>
|
|
</NAT>
|
|
<Policy id="id32120X1798" name="Policy" comment="" ro="False" ipv4_rule_set="False" ipv6_rule_set="False" top_rule_set="True">
|
|
<PolicyRule id="id32121X1798" disabled="False" group="" log="True" position="0" action="Deny" direction="Inbound" comment="Anti-spoofing rule">
|
|
<Src neg="False">
|
|
<ObjectRef ref="net-Internal_net"/>
|
|
<ObjectRef ref="id32114X1798"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="id33049X1798"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="action_on_reject"/>
|
|
<Option name="limit_suffix"/>
|
|
<Option name="limit_value">0</Option>
|
|
<Option name="log_prefix">Iface: %I RULE %N -- %A **</Option>
|
|
<Option name="stateless">True</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<PolicyRule id="id32134X1798" disabled="False" group="" log="True" position="1" action="Deny" direction="Outbound" comment="Anti-spoofing rule">
|
|
<Src neg="True">
|
|
<ObjectRef ref="net-Internal_net"/>
|
|
<ObjectRef ref="id32114X1798"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="id33049X1798"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="action_on_reject"/>
|
|
<Option name="limit_suffix"/>
|
|
<Option name="limit_value">0</Option>
|
|
<Option name="log_prefix">Iface: %I RULE %N -- %A **</Option>
|
|
<Option name="stateless">True</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<PolicyRule id="id32147X1798" disabled="False" group="" log="True" position="2" action="Deny" direction="Inbound" comment="testing group in &quot;interface&quot; this rule should be identical to rule 3 ">
|
|
<Src neg="False">
|
|
<ObjectRef ref="net-Internal_net"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="sg-DHCP"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="id4653B4A820440"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="action_on_reject"/>
|
|
<Option name="connlimit_masklen">0</Option>
|
|
<Option name="connlimit_value">0</Option>
|
|
<Option name="firewall_is_part_of_any_and_networks">False</Option>
|
|
<Option name="hashlimit_burst">0</Option>
|
|
<Option name="hashlimit_dstlimit">False</Option>
|
|
<Option name="hashlimit_mode">dstip</Option>
|
|
<Option name="hashlimit_suffix"/>
|
|
<Option name="hashlimit_value">0</Option>
|
|
<Option name="limit_burst">0</Option>
|
|
<Option name="limit_suffix"/>
|
|
<Option name="limit_value">0</Option>
|
|
<Option name="log_level"/>
|
|
<Option name="log_prefix"/>
|
|
<Option name="stateless">True</Option>
|
|
<Option name="ulog_nlgroup">1</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<PolicyRule id="id32159X1798" disabled="False" group="" log="True" position="3" action="Deny" direction="Inbound" comment="">
|
|
<Src neg="False">
|
|
<ObjectRef ref="net-Internal_net"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="sg-DHCP"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="id33049X1798"/>
|
|
<ObjectRef ref="id33052X1798"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="action_on_reject"/>
|
|
<Option name="connlimit_masklen">0</Option>
|
|
<Option name="connlimit_value">0</Option>
|
|
<Option name="firewall_is_part_of_any_and_networks">False</Option>
|
|
<Option name="hashlimit_burst">0</Option>
|
|
<Option name="hashlimit_dstlimit">False</Option>
|
|
<Option name="hashlimit_mode">dstip</Option>
|
|
<Option name="hashlimit_suffix"/>
|
|
<Option name="hashlimit_value">0</Option>
|
|
<Option name="limit_burst">0</Option>
|
|
<Option name="limit_suffix"/>
|
|
<Option name="limit_value">0</Option>
|
|
<Option name="log_level"/>
|
|
<Option name="log_prefix"/>
|
|
<Option name="stateless">True</Option>
|
|
<Option name="ulog_nlgroup">1</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<PolicyRule id="id32172X1798" disabled="False" group="" log="False" position="4" action="Accept" direction="Both" comment="testing choice of chains in case when several interfaces are used and rule matches 'any' or broadcast ">
|
|
<Src neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="id3F6D115C"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="sg-DHCP"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="id33049X1798"/>
|
|
<ObjectRef ref="id33052X1798"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions/>
|
|
</PolicyRule>
|
|
<PolicyRule id="id32185X1798" disabled="False" group="" log="False" position="5" action="Accept" direction="Inbound" comment="">
|
|
<Src neg="False">
|
|
<ObjectRef ref="id44C0695713221"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="id3F6D115C"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="sg-DHCP"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="id33049X1798"/>
|
|
<ObjectRef ref="id33052X1798"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions/>
|
|
</PolicyRule>
|
|
<PolicyRule id="id32198X1798" disabled="False" group="" log="False" position="6" action="Accept" direction="Outbound" comment="">
|
|
<Src neg="False">
|
|
<ObjectRef ref="net-Internal_net"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="id3F6D115C"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="sg-DHCP"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="id33049X1798"/>
|
|
<ObjectRef ref="id33052X1798"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions/>
|
|
</PolicyRule>
|
|
<PolicyRule id="id32211X1798" disabled="False" group="" log="True" position="7" action="Deny" direction="Both" comment="">
|
|
<Src neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Dst>
|
|
<Srv neg="True">
|
|
<ServiceRef ref="tcp-TCP-SYN"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="stateless">True</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<PolicyRule id="id32223X1798" disabled="False" group="" log="True" position="8" action="Deny" direction="Both" comment="block fragments">
|
|
<Src neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="ip-IP_Fragments"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="id"/>
|
|
<Option name="stateless">True</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<PolicyRule id="id32235X1798" disabled="False" group="" log="True" position="9" action="Reject" direction="Both" comment="sends TCP RST and makes custom record in the log">
|
|
<Src neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="tcp-Auth"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="action_on_reject">TCP RST</Option>
|
|
<Option name="limit_suffix"/>
|
|
<Option name="limit_value">0</Option>
|
|
<Option name="log_prefix">IDENT</Option>
|
|
<Option name="stateless">True</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<PolicyRule id="id32247X1798" disabled="False" group="" log="True" position="10" action="Reject" direction="Both" comment="">
|
|
<Src neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="udp-SNMP"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="action_on_reject">TCP RST</Option>
|
|
<Option name="limit_burst">0</Option>
|
|
<Option name="limit_suffix"/>
|
|
<Option name="limit_value">0</Option>
|
|
<Option name="log_prefix"/>
|
|
<Option name="stateless">True</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<PolicyRule id="id94487X70161" disabled="False" group="" log="False" position="11" action="Accept" direction="Both" comment="using module iprange if iptables version is >= 1.2.11">
|
|
<Src neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="id3CEBFF26"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="udp-SNMP"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="color">#C0BA44</Option>
|
|
<Option name="stateless">False</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<PolicyRule id="id94470X70161" disabled="False" group="" log="False" position="12" action="Accept" direction="Both" comment="using module iprange if iptables version is >= 1.2.11">
|
|
<Src neg="False">
|
|
<ObjectRef ref="id3CEBFF26"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="udp-SNMP"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="color">#C0BA44</Option>
|
|
<Option name="stateless">False</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<PolicyRule id="id131167X70161" disabled="False" group="" log="False" position="13" action="Accept" direction="Both" comment="using module iprange if iptables version is >= 1.2.11">
|
|
<Src neg="False">
|
|
<ObjectRef ref="id3CEBFF28"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="id3CEBFF26"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="udp-SNMP"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="color">#C0BA44</Option>
|
|
<Option name="stateless">False</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<PolicyRule id="id131150X70161" disabled="False" group="" log="False" position="14" action="Accept" direction="Both" comment="using module iprange if iptables version is >= 1.2.11">
|
|
<Src neg="False">
|
|
<ObjectRef ref="id3CEBFF26"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="id3CEBFF28"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="udp-SNMP"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="color">#C0BA44</Option>
|
|
<Option name="stateless">False</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<PolicyRule id="id94453X70161" disabled="False" group="" log="False" position="15" action="Accept" direction="Both" comment="using module iprange if iptables version is >= 1.2.11">
|
|
<Src neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Src>
|
|
<Dst neg="True">
|
|
<ObjectRef ref="id3CEBFF26"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="udp-SNMP"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="color">#C0BA44</Option>
|
|
<Option name="stateless">False</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<PolicyRule id="id94436X70161" disabled="False" group="" log="False" position="16" action="Accept" direction="Both" comment="using module iprange if iptables version is >= 1.2.11">
|
|
<Src neg="True">
|
|
<ObjectRef ref="id3CEBFF26"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="udp-SNMP"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="color">#C0BA44</Option>
|
|
<Option name="stateless">False</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<PolicyRule id="id94418X70161" disabled="False" group="" log="False" position="17" action="Accept" direction="Both" comment="using module iprange if iptables version is >= 1.2.11">
|
|
<Src neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Src>
|
|
<Dst neg="True">
|
|
<ObjectRef ref="id3CEBFF26"/>
|
|
<ObjectRef ref="id417B3641"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="udp-SNMP"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="color">#C0BA44</Option>
|
|
<Option name="stateless">False</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<PolicyRule id="id94400X70161" disabled="False" group="" log="False" position="18" action="Accept" direction="Both" comment="using module iprange if iptables version is >= 1.2.11">
|
|
<Src neg="True">
|
|
<ObjectRef ref="id3CEBFF26"/>
|
|
<ObjectRef ref="id417B3641"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="udp-SNMP"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="color">#C0BA44</Option>
|
|
<Option name="stateless">False</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<PolicyRule id="id59428X59595" disabled="False" group="" log="True" position="19" action="Deny" direction="Both" comment="using module iprange if iptables version is >= 1.2.11 also test for bug #2526173">
|
|
<Src neg="False">
|
|
<ObjectRef ref="id40D153ED"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="color">#C0BA44</Option>
|
|
<Option name="stateless">True</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<PolicyRule id="id80854X35957" disabled="False" group="" log="False" position="20" action="Accept" direction="Both" comment="using module iprange if iptables version is >= 1.2.11">
|
|
<Src neg="False">
|
|
<ObjectRef ref="id42386X35957"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="udp-SNMP"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="color">#C0BA44</Option>
|
|
<Option name="stateless">False</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<PolicyRule id="id32259X1798" disabled="False" group="" log="True" position="21" action="Accept" direction="Both" comment="">
|
|
<Src neg="False">
|
|
<ObjectRef ref="id3B022266"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="id33057X1798"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="id3C1A5D46"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions/>
|
|
</PolicyRule>
|
|
<PolicyRule id="id32271X1798" disabled="False" group="" log="False" position="22" action="Accept" direction="Both" comment="">
|
|
<Src neg="False">
|
|
<ObjectRef ref="id3B4572AF"/>
|
|
<ObjectRef ref="id3D8FC56A"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="host-secondary1-com"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions/>
|
|
</PolicyRule>
|
|
<PolicyRule id="id32284X1798" disabled="False" group="" log="False" position="23" action="Accept" direction="Both" comment="">
|
|
<Src neg="False">
|
|
<ObjectRef ref="host-secondary1-com"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="id3B4572AF"/>
|
|
<ObjectRef ref="id3D8FC56A"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions/>
|
|
</PolicyRule>
|
|
<PolicyRule id="id32297X1798" disabled="False" group="" log="False" position="24" action="Reject" direction="Both" comment="">
|
|
<Src neg="True">
|
|
<ObjectRef ref="net-Internal_net"/>
|
|
<ObjectRef ref="id3B022266"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="stateless">True</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<PolicyRule id="id32310X1798" disabled="False" group="" log="False" position="25" action="Accept" direction="Both" comment="">
|
|
<Src neg="False">
|
|
<ObjectRef ref="net-Internal_net"/>
|
|
<ObjectRef ref="id3B022266"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions/>
|
|
</PolicyRule>
|
|
<PolicyRule id="id32323X1798" disabled="False" group="" log="True" position="26" action="Deny" direction="Both" comment="">
|
|
<Src neg="False">
|
|
<ObjectRef ref="net-Internal_net"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="stateless">True</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<PolicyRule id="id32335X1798" disabled="False" group="" log="True" position="27" action="Accept" direction="Both" comment="host-fw2 has the same address as one of the firewall's interfaces">
|
|
<Src neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="id3AFC0F70"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="tcp-FTP"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="action_on_reject"/>
|
|
<Option name="limit_burst">10</Option>
|
|
<Option name="limit_suffix">/minute</Option>
|
|
<Option name="limit_value">5</Option>
|
|
<Option name="log_prefix"/>
|
|
<Option name="stateless">False</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<PolicyRule id="id32347X1798" disabled="False" group="" log="True" position="28" action="Accept" direction="Both" comment="">
|
|
<Src neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="id32114X1798"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="tcp-FTP"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions/>
|
|
</PolicyRule>
|
|
<PolicyRule id="id32359X1798" disabled="False" group="" log="True" position="29" action="Deny" direction="Both" comment="'catch all' rule">
|
|
<Src neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="id"/>
|
|
<Option name="stateless">True</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<RuleSetOptions/>
|
|
</Policy>
|
|
<Routing id="id33045X1798" name="Routing" comment="" ro="False" ipv4_rule_set="False" ipv6_rule_set="False" top_rule_set="True">
|
|
<RuleSetOptions/>
|
|
</Routing>
|
|
<Interface id="id33046X1798" dedicated_failover="False" dyn="False" label="" mgmt="True" security_level="100" unnum="False" unprotected="False" name="eth0" comment="" ro="False">
|
|
<IPv4 id="id33048X1798" name="firewall2-2:eth0:ip" comment="" ro="False" address="192.168.1.1" netmask="255.255.255.0"/>
|
|
<InterfaceOptions/>
|
|
</Interface>
|
|
<Interface id="id33049X1798" dedicated_failover="False" dyn="False" security_level="0" unnum="False" unprotected="False" name="eth1" comment="" ro="False">
|
|
<IPv4 id="id33051X1798" name="firewall2-2:eth1:ip" comment="" ro="False" address="22.22.22.22" netmask="255.255.255.0"/>
|
|
<InterfaceOptions/>
|
|
</Interface>
|
|
<Interface id="id33052X1798" dedicated_failover="False" dyn="False" label="" mgmt="False" security_level="0" unnum="False" unprotected="False" name="eth3" comment="" ro="False">
|
|
<IPv4 id="id33055X1798" name="firewall2-2:eth3:ip1" comment="" ro="False" address="22.22.23.23" netmask="255.255.255.0"/>
|
|
<IPv4 id="id33056X1798" name="firewall2-2:eth3:ip2" comment="" ro="False" address="22.22.25.50" netmask="255.255.255.0"/>
|
|
<InterfaceOptions/>
|
|
</Interface>
|
|
<Interface id="id33057X1798" dedicated_failover="False" dyn="False" security_level="100" unnum="False" unprotected="False" name="eth2" comment="" ro="False">
|
|
<IPv4 id="id33060X1798" name="firewall2-2:eth2:ip1" comment="" ro="False" address="192.168.2.1" netmask="255.255.255.0"/>
|
|
<IPv4 id="id33061X1798" name="firewall2-2:eth2:ip2" comment="" ro="False" address="192.168.2.40" netmask="255.255.255.0"/>
|
|
<InterfaceOptions/>
|
|
</Interface>
|
|
<Interface id="id33062X1798" dedicated_failover="False" dyn="False" label="" security_level="100" unnum="False" unprotected="False" name="lo" comment="" ro="False">
|
|
<IPv4 id="id33064X1798" name="firewall2-2:lo:ip" comment="" ro="False" address="127.0.0.1" netmask="255.0.0.0"/>
|
|
<InterfaceOptions/>
|
|
</Interface>
|
|
<Management address="192.168.1.1">
|
|
<!-- SNMP-based management is disabled here. The read community is still the
     well-known default "public" and the write community is empty; any copy of
     this object that enables SNMP should set both to non-default values. -->
<SNMPManagement enabled="False" snmp_read_community="public" snmp_write_community=""/>
|
|
<!-- NOTE(review): FWBDManagement is enabled on port 9999 with an empty identity;
     presumably the fwbuilder daemon channel - confirm this is meant to be on for
     what looks like a test fixture (see the bug-number references in the rule
     comments above). -->
<FWBDManagement enabled="True" identity="" port="9999"/>
|
|
<!-- No external install script: command and arguments are empty and the hook is off. -->
<PolicyInstallScript arguments="" command="" enabled="False"/>
|
|
</Management>
|
|
<FirewallOptions>
<!-- Per-firewall compiler/runtime options for the "iptables" platform (see the
     "platform" option below). An empty <Option .../> appears to mean "not set";
     confirm against the compiler how it fills such values in. -->
|
|
<Option name="accept_established">True</Option>
|
|
<Option name="accept_new_tcp_with_no_syn">False</Option>
|
|
<Option name="action_on_reject">ICMP net unreachable</Option>
|
|
<Option name="activationCmd"/>
|
|
<Option name="admUser"/>
|
|
<Option name="altAddress"/>
|
|
<Option name="bridging_fw">False</Option>
|
|
<Option name="check_shading">True</Option>
|
|
<Option name="clamp_mss_to_mtu">True</Option>
|
|
<Option name="classify_mark_terminating">False</Option>
|
|
<Option name="cmdline"/>
|
|
<Option name="compiler"/>
|
|
<Option name="configure_interfaces">True</Option>
|
|
<Option name="debug">False</Option>
|
|
<Option name="drop_invalid">True</Option>
|
|
<Option name="dyn_addr">False</Option>
|
|
<Option name="epilog_script"/>
|
|
<Option name="firewall_dir"/>
|
|
<Option name="firewall_is_part_of_any">True</Option>
|
|
<Option name="firewall_is_part_of_any_and_networks">True</Option>
|
|
<Option name="id"/>
|
|
<Option name="ignore_empty_groups">False</Option>
|
|
<Option name="inst_cmdline"/>
|
|
<Option name="inst_script"/>
|
|
<Option name="install_script"/>
|
|
<Option name="ipv4_6_order">ipv4_first</Option>
|
|
<Option name="limit_suffix">/second</Option>
|
|
<Option name="limit_value">5</Option>
|
|
<!-- The linux24_* options appear to mirror /proc/sys/net/ipv4 sysctl names.
     Here accept_redirects and accept_source_route are 0, icmp_echo_ignore_all,
     icmp_ignore_bogus_error_responses, log_martians, rp_filter and ip_forward
     are 1; icmp_echo_ignore_broadcasts and tcp_syncookies are left empty
     (not set by this object). -->
<Option name="linux24_accept_redirects">0</Option>
|
|
<Option name="linux24_accept_source_route">0</Option>
|
|
<Option name="linux24_icmp_echo_ignore_all">1</Option>
|
|
<Option name="linux24_icmp_echo_ignore_broadcasts"/>
|
|
<Option name="linux24_icmp_ignore_bogus_error_responses">1</Option>
|
|
<Option name="linux24_ip_dynaddr"/>
|
|
<Option name="linux24_ip_forward">1</Option>
|
|
<Option name="linux24_log_martians">1</Option>
|
|
<!-- NOTE(review): none of the tool paths (ip, iptables, logger, lsmod, modprobe)
     is pinned to an absolute location; the generated script presumably resolves
     them at run time - confirm how the compiler handles empty path options. -->
<Option name="linux24_path_ip"/>
|
|
<Option name="linux24_path_iptables"/>
|
|
<Option name="linux24_path_logger"/>
|
|
<Option name="linux24_path_lsmod"/>
|
|
<Option name="linux24_path_modprobe"/>
|
|
<Option name="linux24_rp_filter">1</Option>
|
|
<Option name="linux24_tcp_ecn"/>
|
|
<Option name="linux24_tcp_fack"/>
|
|
<Option name="linux24_tcp_fin_timeout">30</Option>
|
|
<Option name="linux24_tcp_keepalive_interval">1800</Option>
|
|
<Option name="linux24_tcp_sack"/>
|
|
<Option name="linux24_tcp_syncookies"/>
|
|
<Option name="linux24_tcp_timestamps"/>
|
|
<Option name="linux24_tcp_window_scaling"/>
|
|
<Option name="load_modules">False</Option>
|
|
<Option name="local_nat">True</Option>
|
|
<!-- Logging: log_all is off, but dropped and INVALID packets are logged at
     level "debug" with prefix "RULE %N - %A **"; log_limit_value is 0
     (presumably no rate limit on log entries - confirm). -->
<Option name="log_all">False</Option>
|
|
<Option name="log_all_dropped">True</Option>
|
|
<Option name="log_invalid">True</Option>
|
|
<Option name="log_ip_opt">False</Option>
|
|
<Option name="log_level">debug</Option>
|
|
<Option name="log_limit_suffix">/second</Option>
|
|
<Option name="log_limit_value">0</Option>
|
|
<Option name="log_prefix">RULE %N - %A **</Option>
|
|
<Option name="log_tcp_opt">False</Option>
|
|
<Option name="log_tcp_seq">False</Option>
|
|
<Option name="manage_virtual_addr">True</Option>
|
|
<!-- mgmt_addr is empty and mgmt_ssh is False: no management-access shortcut is
     requested from this object; management traffic must be covered by explicit
     policy rules. -->
<Option name="mgmt_addr"/>
|
|
<Option name="mgmt_ssh">False</Option>
|
|
<Option name="no_iochains_for_any">False</Option>
|
|
<Option name="no_ipv6_default_policy">False</Option>
|
|
<Option name="no_optimisation">False</Option>
|
|
<Option name="output_file"/>
|
|
<Option name="platform">iptables</Option>
|
|
<Option name="prolog_place">after_flush</Option>
|
|
<Option name="prolog_script"/>
|
|
<Option name="proxy_arp">True</Option>
|
|
<Option name="scpArgs"/>
|
|
<Option name="script_env_path"/>
|
|
<Option name="snmp_contact"/>
|
|
<Option name="snmp_description"/>
|
|
<Option name="snmp_location"/>
|
|
<Option name="sshArgs"/>
|
|
<Option name="ulog_cprange">0</Option>
|
|
<Option name="ulog_nlgroup">1</Option>
|
|
<Option name="ulog_qthreshold">1</Option>
|
|
<!-- NOTE(review): "useULOG" (False) and "use_ULOG" (True) look like two
     spellings of the same option with opposite values; confirm which name the
     iptables compiler actually reads and drop the stale one so the ULOG
     settings above are not applied by accident. -->
<Option name="useULOG">False</Option>
|
|
<Option name="use_ULOG">True</Option>
|
|
<Option name="use_ip_tool">True</Option>
|
|
<Option name="use_iptables_restore">False</Option>
|
|
<Option name="use_numeric_log_levels">False</Option>
|
|
<Option name="verify_interfaces">False</Option>
|
|
</FirewallOptions>
|
|
</Firewall>
|
|
<Firewall id="id35107X1833" host_OS="linux24" inactive="False" lastCompiled="1272404348" lastInstalled="1142003872" lastModified="1264474374" platform="iptables" version="ge_1.2.6" name="firewall2-3" comment="copy of firewall2, version >= 1.2.6 " ro="False">
|
|
<NAT id="id35364X1833" name="NAT" comment="" ro="False" ipv4_rule_set="False" ipv6_rule_set="False" top_rule_set="True">
|
|
<NATRule id="id35365X1833" disabled="False" group="" position="0" action="Translate" comment="">
|
|
<OSrc neg="False">
|
|
<ObjectRef ref="net-Internal_net"/>
|
|
</OSrc>
|
|
<ODst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ODst>
|
|
<OSrv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</OSrv>
|
|
<TSrc neg="False">
|
|
<ObjectRef ref="id35107X1833"/>
|
|
</TSrc>
|
|
<TDst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</TDst>
|
|
<TSrv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</TSrv>
|
|
<ItfInb neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ItfInb>
|
|
<ItfOutb neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ItfOutb>
|
|
<NATRuleOptions>
|
|
<Option name="id"/>
|
|
</NATRuleOptions>
|
|
</NATRule>
|
|
<NATRule id="id35379X1833" disabled="False" group="" position="1" action="Translate" comment="">
|
|
<OSrc neg="False">
|
|
<ObjectRef ref="net-Internal_net"/>
|
|
</OSrc>
|
|
<ODst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ODst>
|
|
<OSrv neg="False">
|
|
<ServiceRef ref="tcp-HTTP"/>
|
|
<ServiceRef ref="sg-Useful_ICMP"/>
|
|
</OSrv>
|
|
<TSrc neg="False">
|
|
<ObjectRef ref="id35107X1833"/>
|
|
</TSrc>
|
|
<TDst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</TDst>
|
|
<TSrv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</TSrv>
|
|
<ItfInb neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ItfInb>
|
|
<ItfOutb neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ItfOutb>
|
|
<NATRuleOptions>
|
|
<Option name="id"/>
|
|
</NATRuleOptions>
|
|
</NATRule>
|
|
<NATRule id="id35394X1833" disabled="False" group="" position="2" action="Translate" comment="">
|
|
<OSrc neg="False">
|
|
<ObjectRef ref="net-Internal_net"/>
|
|
</OSrc>
|
|
<ODst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ODst>
|
|
<OSrv neg="False">
|
|
<ServiceRef ref="tcp-HTTP"/>
|
|
<ServiceRef ref="sg-Useful_ICMP"/>
|
|
<ServiceRef ref="ip-IPSEC"/>
|
|
<ServiceRef ref="id3F3E9EFC"/>
|
|
</OSrv>
|
|
<TSrc neg="False">
|
|
<ObjectRef ref="id35107X1833"/>
|
|
</TSrc>
|
|
<TDst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</TDst>
|
|
<TSrv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</TSrv>
|
|
<ItfInb neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ItfInb>
|
|
<ItfOutb neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ItfOutb>
|
|
<NATRuleOptions>
|
|
<Option name="id"/>
|
|
</NATRuleOptions>
|
|
</NATRule>
|
|
<NATRule id="id35411X1833" disabled="False" group="" position="3" action="Translate" comment="">
|
|
<OSrc neg="False">
|
|
<ObjectRef ref="net-Internal_net"/>
|
|
</OSrc>
|
|
<ODst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ODst>
|
|
<OSrv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</OSrv>
|
|
<TSrc neg="False">
|
|
<ObjectRef ref="id36045X1833"/>
|
|
</TSrc>
|
|
<TDst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</TDst>
|
|
<TSrv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</TSrv>
|
|
<ItfInb neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ItfInb>
|
|
<ItfOutb neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ItfOutb>
|
|
<NATRuleOptions>
|
|
<Option name="id"/>
|
|
</NATRuleOptions>
|
|
</NATRule>
|
|
<NATRule id="id35425X1833" disabled="False" group="" position="4" action="Translate" comment="">
|
|
<OSrc neg="False">
|
|
<ObjectRef ref="net-Internal_net"/>
|
|
</OSrc>
|
|
<ODst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ODst>
|
|
<OSrv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</OSrv>
|
|
<TSrc neg="False">
|
|
<ObjectRef ref="id36049X1833"/>
|
|
</TSrc>
|
|
<TDst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</TDst>
|
|
<TSrv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</TSrv>
|
|
<ItfInb neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ItfInb>
|
|
<ItfOutb neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ItfOutb>
|
|
<NATRuleOptions>
|
|
<Option name="id"/>
|
|
</NATRuleOptions>
|
|
</NATRule>
|
|
<NATRule id="id35439X1833" disabled="False" group="" position="5" action="Translate" comment="">
|
|
<OSrc neg="False">
|
|
<ObjectRef ref="net-Internal_net"/>
|
|
</OSrc>
|
|
<ODst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ODst>
|
|
<OSrv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</OSrv>
|
|
<TSrc neg="False">
|
|
<ObjectRef ref="id48356E0A14854"/>
|
|
</TSrc>
|
|
<TDst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</TDst>
|
|
<TSrv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</TSrv>
|
|
<ItfInb neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ItfInb>
|
|
<ItfOutb neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ItfOutb>
|
|
<NATRuleOptions>
|
|
<Option name="id"/>
|
|
</NATRuleOptions>
|
|
</NATRule>
|
|
<NATRule id="id35453X1833" disabled="False" group="" position="6" action="Translate" comment="">
|
|
<OSrc neg="False">
|
|
<ObjectRef ref="host-hostA"/>
|
|
</OSrc>
|
|
<ODst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ODst>
|
|
<OSrv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</OSrv>
|
|
<TSrc neg="False">
|
|
<ObjectRef ref="id3AFADBF9"/>
|
|
</TSrc>
|
|
<TDst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</TDst>
|
|
<TSrv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</TSrv>
|
|
<ItfInb neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ItfInb>
|
|
<ItfOutb neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ItfOutb>
|
|
<NATRuleOptions>
|
|
<Option name="id"/>
|
|
</NATRuleOptions>
|
|
</NATRule>
|
|
<NATRule id="id35467X1833" disabled="False" group="" position="7" action="Translate" comment="">
|
|
<OSrc neg="False">
|
|
<ObjectRef ref="host-hostA"/>
|
|
</OSrc>
|
|
<ODst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ODst>
|
|
<OSrv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</OSrv>
|
|
<TSrc neg="False">
|
|
<ObjectRef ref="id3DE47B6C"/>
|
|
</TSrc>
|
|
<TDst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</TDst>
|
|
<TSrv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</TSrv>
|
|
<ItfInb neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ItfInb>
|
|
<ItfOutb neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ItfOutb>
|
|
<NATRuleOptions>
|
|
<Option name="id"/>
|
|
</NATRuleOptions>
|
|
</NATRule>
|
|
<NATRule id="id35481X1833" disabled="False" group="" position="8" action="Translate" comment="">
|
|
<OSrc neg="False">
|
|
<ObjectRef ref="net-Internal_net"/>
|
|
</OSrc>
|
|
<ODst neg="False">
|
|
<ObjectRef ref="host-hostA"/>
|
|
<ObjectRef ref="id3D8FC56A"/>
|
|
</ODst>
|
|
<OSrv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</OSrv>
|
|
<TSrc neg="False">
|
|
<ObjectRef ref="id3AFC191C"/>
|
|
</TSrc>
|
|
<TDst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</TDst>
|
|
<TSrv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</TSrv>
|
|
<ItfInb neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ItfInb>
|
|
<ItfOutb neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ItfOutb>
|
|
<NATRuleOptions/>
|
|
</NATRule>
|
|
<NATRule id="id35496X1833" disabled="False" group="" position="9" action="Translate" comment="">
|
|
<OSrc neg="False">
|
|
<ObjectRef ref="host-hostA"/>
|
|
<ObjectRef ref="host-hostB"/>
|
|
<ObjectRef ref="id35107X1833"/>
|
|
<ObjectRef ref="id3B4572AF"/>
|
|
</OSrc>
|
|
<ODst neg="False">
|
|
<ObjectRef ref="id3D151943"/>
|
|
<ObjectRef ref="id3D151947"/>
|
|
</ODst>
|
|
<OSrv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</OSrv>
|
|
<TSrc neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</TSrc>
|
|
<TDst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</TDst>
|
|
<TSrv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</TSrv>
|
|
<ItfInb neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ItfInb>
|
|
<ItfOutb neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ItfOutb>
|
|
<NATRuleOptions/>
|
|
</NATRule>
|
|
<NATRule id="id35514X1833" disabled="False" group="" position="10" action="Translate" comment="">
|
|
<OSrc neg="False">
|
|
<ObjectRef ref="host-hostA"/>
|
|
<ObjectRef ref="host-hostB"/>
|
|
</OSrc>
|
|
<ODst neg="True">
|
|
<ObjectRef ref="id3D151943"/>
|
|
<ObjectRef ref="id3D151947"/>
|
|
</ODst>
|
|
<OSrv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</OSrv>
|
|
<TSrc neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</TSrc>
|
|
<TDst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</TDst>
|
|
<TSrv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</TSrv>
|
|
<ItfInb neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ItfInb>
|
|
<ItfOutb neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ItfOutb>
|
|
<NATRuleOptions/>
|
|
</NATRule>
|
|
<NATRule id="id35530X1833" disabled="False" group="" position="11" action="Translate" comment="">
|
|
<OSrc neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</OSrc>
|
|
<ODst neg="False">
|
|
<ObjectRef ref="id3AFADBF9"/>
|
|
</ODst>
|
|
<OSrv neg="False">
|
|
<ServiceRef ref="tcp-HTTP"/>
|
|
<ServiceRef ref="tcp-NNTP"/>
|
|
<ServiceRef ref="sg-Useful_ICMP"/>
|
|
<ServiceRef ref="ip-IPSEC"/>
|
|
<ServiceRef ref="id3F3E9EFC"/>
|
|
</OSrv>
|
|
<TSrc neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</TSrc>
|
|
<TDst neg="False">
|
|
<ObjectRef ref="host-hostA"/>
|
|
</TDst>
|
|
<TSrv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</TSrv>
|
|
<ItfInb neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ItfInb>
|
|
<ItfOutb neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ItfOutb>
|
|
<NATRuleOptions/>
|
|
</NATRule>
|
|
<NATRule id="id35548X1833" disabled="False" group="" position="12" action="Translate" comment="">
|
|
<OSrc neg="False">
|
|
<ObjectRef ref="id35107X1833"/>
|
|
</OSrc>
|
|
<ODst neg="False">
|
|
<ObjectRef ref="id3AFADBF9"/>
|
|
</ODst>
|
|
<OSrv neg="False">
|
|
<ServiceRef ref="tcp-HTTP"/>
|
|
<ServiceRef ref="tcp-NNTP"/>
|
|
<ServiceRef ref="sg-Useful_ICMP"/>
|
|
</OSrv>
|
|
<TSrc neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</TSrc>
|
|
<TDst neg="False">
|
|
<ObjectRef ref="host-hostA"/>
|
|
</TDst>
|
|
<TSrv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</TSrv>
|
|
<ItfInb neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ItfInb>
|
|
<ItfOutb neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ItfOutb>
|
|
<NATRuleOptions/>
|
|
</NATRule>
|
|
<NATRule id="id35564X1833" disabled="False" group="" position="13" action="Translate" comment="">
|
|
<OSrc neg="False">
|
|
<ObjectRef ref="id36045X1833"/>
|
|
</OSrc>
|
|
<ODst neg="False">
|
|
<ObjectRef ref="id3AFADBF9"/>
|
|
</ODst>
|
|
<OSrv neg="False">
|
|
<ServiceRef ref="tcp-HTTP"/>
|
|
<ServiceRef ref="tcp-NNTP"/>
|
|
</OSrv>
|
|
<TSrc neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</TSrc>
|
|
<TDst neg="False">
|
|
<ObjectRef ref="host-hostA"/>
|
|
</TDst>
|
|
<TSrv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</TSrv>
|
|
<ItfInb neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ItfInb>
|
|
<ItfOutb neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ItfOutb>
|
|
<NATRuleOptions/>
|
|
</NATRule>
|
|
<NATRule id="id35579X1833" disabled="False" group="" position="14" action="Translate" comment="">
|
|
<OSrc neg="False">
|
|
<ObjectRef ref="id35107X1833"/>
|
|
<ObjectRef ref="id3B19C5EB"/>
|
|
</OSrc>
|
|
<ODst neg="False">
|
|
<ObjectRef ref="id3AFADBF9"/>
|
|
</ODst>
|
|
<OSrv neg="False">
|
|
<ServiceRef ref="tcp-HTTP"/>
|
|
<ServiceRef ref="tcp-NNTP"/>
|
|
</OSrv>
|
|
<TSrc neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</TSrc>
|
|
<TDst neg="False">
|
|
<ObjectRef ref="host-hostA"/>
|
|
</TDst>
|
|
<TSrv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</TSrv>
|
|
<ItfInb neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ItfInb>
|
|
<ItfOutb neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ItfOutb>
|
|
<NATRuleOptions/>
|
|
</NATRule>
|
|
<NATRule id="id35595X1833" disabled="True" group="" position="15" action="Translate" comment="">
|
|
<OSrc neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</OSrc>
|
|
<ODst neg="False">
|
|
<ObjectRef ref="id3AFADBF9"/>
|
|
</ODst>
|
|
<OSrv neg="False">
|
|
<ServiceRef ref="tcp-HTTP"/>
|
|
</OSrv>
|
|
<TSrc neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</TSrc>
|
|
<TDst neg="False">
|
|
<ObjectRef ref="host-hostA"/>
|
|
<ObjectRef ref="host-hostB"/>
|
|
</TDst>
|
|
<TSrv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</TSrv>
|
|
<ItfInb neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ItfInb>
|
|
<ItfOutb neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ItfOutb>
|
|
<NATRuleOptions/>
|
|
</NATRule>
|
|
<NATRule id="id35610X1833" disabled="False" group="" position="16" action="Translate" comment="">
|
|
<OSrc neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</OSrc>
|
|
<ODst neg="False">
|
|
<ObjectRef ref="id3DE47B6C"/>
|
|
</ODst>
|
|
<OSrv neg="False">
|
|
<ServiceRef ref="tcp-HTTP"/>
|
|
<ServiceRef ref="tcp-NNTP"/>
|
|
</OSrv>
|
|
<TSrc neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</TSrc>
|
|
<TDst neg="False">
|
|
<ObjectRef ref="host-hostA"/>
|
|
</TDst>
|
|
<TSrv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</TSrv>
|
|
<ItfInb neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ItfInb>
|
|
<ItfOutb neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ItfOutb>
|
|
<NATRuleOptions/>
|
|
</NATRule>
|
|
<NATRule id="id35625X1833" disabled="False" group="" position="17" action="Translate" comment="">
|
|
<OSrc neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</OSrc>
|
|
<ODst neg="False">
|
|
<ObjectRef ref="id3AFC0F70"/>
|
|
</ODst>
|
|
<OSrv neg="False">
|
|
<ServiceRef ref="tcp-NNTP"/>
|
|
</OSrv>
|
|
<TSrc neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</TSrc>
|
|
<TDst neg="False">
|
|
<ObjectRef ref="host-hostA"/>
|
|
</TDst>
|
|
<TSrv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</TSrv>
|
|
<ItfInb neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ItfInb>
|
|
<ItfOutb neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ItfOutb>
|
|
<NATRuleOptions/>
|
|
</NATRule>
|
|
<NATRule id="id35639X1833" disabled="False" group="" position="18" action="Translate" comment="">
|
|
<OSrc neg="False">
|
|
<ObjectRef ref="host-hostB"/>
|
|
</OSrc>
|
|
<ODst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ODst>
|
|
<OSrv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</OSrv>
|
|
<TSrc neg="False">
|
|
<ObjectRef ref="id3BD6736B"/>
|
|
</TSrc>
|
|
<TDst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</TDst>
|
|
<TSrv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</TSrv>
|
|
<ItfInb neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ItfInb>
|
|
<ItfOutb neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ItfOutb>
|
|
<NATRuleOptions>
|
|
<Option name="id"/>
|
|
</NATRuleOptions>
|
|
</NATRule>
|
|
<NATRule id="id35653X1833" disabled="False" group="" position="19" action="Translate" comment="">
|
|
<OSrc neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</OSrc>
|
|
<ODst neg="False">
|
|
<ObjectRef ref="id3BD6736B"/>
|
|
</ODst>
|
|
<OSrv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</OSrv>
|
|
<TSrc neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</TSrc>
|
|
<TDst neg="False">
|
|
<ObjectRef ref="host-hostB"/>
|
|
</TDst>
|
|
<TSrv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</TSrv>
|
|
<ItfInb neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ItfInb>
|
|
<ItfOutb neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ItfOutb>
|
|
<NATRuleOptions/>
|
|
</NATRule>
|
|
<NATRule id="id35667X1833" disabled="False" group="" position="20" action="Translate" comment="">
|
|
<OSrc neg="False">
|
|
<ObjectRef ref="net-Internal_net"/>
|
|
</OSrc>
|
|
<ODst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ODst>
|
|
<OSrv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</OSrv>
|
|
<TSrc neg="False">
|
|
<ObjectRef ref="id4368AD8615884"/>
|
|
</TSrc>
|
|
<TDst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</TDst>
|
|
<TSrv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</TSrv>
|
|
<ItfInb neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ItfInb>
|
|
<ItfOutb neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ItfOutb>
|
|
<NATRuleOptions/>
|
|
</NATRule>
|
|
<NATRule id="id35681X1833" disabled="False" group="" position="21" action="Translate" comment="NETMAP ">
|
|
<OSrc neg="False">
|
|
<ObjectRef ref="net-Internal_net"/>
|
|
</OSrc>
|
|
<ODst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ODst>
|
|
<OSrv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</OSrv>
|
|
<TSrc neg="False">
|
|
<ObjectRef ref="id3B665641"/>
|
|
</TSrc>
|
|
<TDst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</TDst>
|
|
<TSrv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</TSrv>
|
|
<ItfInb neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ItfInb>
|
|
<ItfOutb neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ItfOutb>
|
|
<NATRuleOptions/>
|
|
</NATRule>
|
|
<NATRule id="id35695X1833" disabled="False" group="" position="22" action="Translate" comment="NETMAP">
|
|
<OSrc neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</OSrc>
|
|
<ODst neg="False">
|
|
<ObjectRef ref="id3B665641"/>
|
|
</ODst>
|
|
<OSrv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</OSrv>
|
|
<TSrc neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</TSrc>
|
|
<TDst neg="False">
|
|
<ObjectRef ref="net-Internal_net"/>
|
|
</TDst>
|
|
<TSrv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</TSrv>
|
|
<ItfInb neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ItfInb>
|
|
<ItfOutb neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ItfOutb>
|
|
<NATRuleOptions/>
|
|
</NATRule>
|
|
<NATRule id="id35709X1833" disabled="False" group="" position="23" action="Translate" comment="">
|
|
<OSrc neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</OSrc>
|
|
<ODst neg="False">
|
|
<ObjectRef ref="id35107X1833"/>
|
|
</ODst>
|
|
<OSrv neg="False">
|
|
<ServiceRef ref="id3B20468D"/>
|
|
</OSrv>
|
|
<TSrc neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</TSrc>
|
|
<TDst neg="False">
|
|
<ObjectRef ref="host-hostA"/>
|
|
</TDst>
|
|
<TSrv neg="False">
|
|
<ServiceRef ref="id3B20468D"/>
|
|
</TSrv>
|
|
<ItfInb neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ItfInb>
|
|
<ItfOutb neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ItfOutb>
|
|
<NATRuleOptions/>
|
|
</NATRule>
|
|
<NATRule id="id35723X1833" disabled="False" group="" position="24" action="Translate" comment="">
|
|
<OSrc neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</OSrc>
|
|
<ODst neg="False">
|
|
<ObjectRef ref="id36042X1833"/>
|
|
<ObjectRef ref="id36045X1833"/>
|
|
</ODst>
|
|
<OSrv neg="False">
|
|
<ServiceRef ref="tcp-HTTP"/>
|
|
</OSrv>
|
|
<TSrc neg="False">
|
|
<ObjectRef ref="id36039X1833"/>
|
|
</TSrc>
|
|
<TDst neg="False">
|
|
<ObjectRef ref="host-hostA"/>
|
|
</TDst>
|
|
<TSrv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</TSrv>
|
|
<ItfInb neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ItfInb>
|
|
<ItfOutb neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ItfOutb>
|
|
<NATRuleOptions/>
|
|
</NATRule>
|
|
<NATRule id="id35738X1833" disabled="False" group="" position="25" action="Translate" comment="">
|
|
<OSrc neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</OSrc>
|
|
<ODst neg="False">
|
|
<ObjectRef ref="id3AFADBF9"/>
|
|
</ODst>
|
|
<OSrv neg="False">
|
|
<ServiceRef ref="tcp-HTTP"/>
|
|
</OSrv>
|
|
<TSrc neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</TSrc>
|
|
<TDst neg="False">
|
|
<ObjectRef ref="host-hostA"/>
|
|
</TDst>
|
|
<TSrv neg="False">
|
|
<ServiceRef ref="tcp-SMTP"/>
|
|
</TSrv>
|
|
<ItfInb neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ItfInb>
|
|
<ItfOutb neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ItfOutb>
|
|
<NATRuleOptions/>
|
|
</NATRule>
|
|
<NATRule id="id35752X1833" disabled="False" group="" position="26" action="Translate" comment="">
|
|
<OSrc neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</OSrc>
|
|
<ODst neg="False">
|
|
<ObjectRef ref="id35107X1833"/>
|
|
</ODst>
|
|
<OSrv neg="False">
|
|
<ServiceRef ref="tcp-HTTP"/>
|
|
<ServiceRef ref="id3B4FED69"/>
|
|
</OSrv>
|
|
<TSrc neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</TSrc>
|
|
<TDst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</TDst>
|
|
<TSrv neg="False">
|
|
<ServiceRef ref="id3B4FF09A"/>
|
|
</TSrv>
|
|
<ItfInb neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ItfInb>
|
|
<ItfOutb neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ItfOutb>
|
|
<NATRuleOptions/>
|
|
</NATRule>
|
|
<NATRule id="id35767X1833" disabled="False" group="" position="27" action="Translate" comment="">
|
|
<OSrc neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</OSrc>
|
|
<ODst neg="False">
|
|
<ObjectRef ref="id36042X1833"/>
|
|
</ODst>
|
|
<OSrv neg="False">
|
|
<ServiceRef ref="id3DDDE4E4"/>
|
|
</OSrv>
|
|
<TSrc neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</TSrc>
|
|
<TDst neg="False">
|
|
<ObjectRef ref="id3CEBFF26"/>
|
|
</TDst>
|
|
<TSrv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</TSrv>
|
|
<ItfInb neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ItfInb>
|
|
<ItfOutb neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ItfOutb>
|
|
<NATRuleOptions/>
|
|
</NATRule>
|
|
<NATRule id="id35781X1833" disabled="False" group="" position="28" action="Translate" comment="">
|
|
<OSrc neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</OSrc>
|
|
<ODst neg="False">
|
|
<ObjectRef ref="id36042X1833"/>
|
|
</ODst>
|
|
<OSrv neg="False">
|
|
<ServiceRef ref="id3DDDE4E4"/>
|
|
</OSrv>
|
|
<TSrc neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</TSrc>
|
|
<TDst neg="False">
|
|
<ObjectRef ref="id3CD87A5E"/>
|
|
<ObjectRef ref="id3CD87A6D"/>
|
|
<ObjectRef ref="id3CD87A8B"/>
|
|
<ObjectRef ref="id3CD87A7C"/>
|
|
<ObjectRef ref="id3CD87A53"/>
|
|
</TDst>
|
|
<TSrv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</TSrv>
|
|
<ItfInb neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ItfInb>
|
|
<ItfOutb neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ItfOutb>
|
|
<NATRuleOptions/>
|
|
</NATRule>
|
|
<NATRule id="id35799X1833" disabled="False" group="" position="29" action="Translate" comment="transparent proxy rule">
|
|
<OSrc neg="False">
|
|
<ObjectRef ref="net-Internal_net"/>
|
|
</OSrc>
|
|
<ODst neg="True">
|
|
<ObjectRef ref="id3AFADBF9"/>
|
|
</ODst>
|
|
<OSrv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</OSrv>
|
|
<TSrc neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</TSrc>
|
|
<TDst neg="False">
|
|
<ObjectRef ref="id3D151943"/>
|
|
</TDst>
|
|
<TSrv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</TSrv>
|
|
<ItfInb neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ItfInb>
|
|
<ItfOutb neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ItfOutb>
|
|
<NATRuleOptions/>
|
|
</NATRule>
|
|
<NATRule id="id35813X1833" disabled="True" group="" position="30" action="Translate" comment="">
|
|
<OSrc neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</OSrc>
|
|
<ODst neg="False">
|
|
<ObjectRef ref="id36042X1833"/>
|
|
</ODst>
|
|
<OSrv neg="False">
|
|
<ServiceRef ref="id3DDDE4E4"/>
|
|
</OSrv>
|
|
<TSrc neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</TSrc>
|
|
<TDst neg="False">
|
|
<ObjectRef ref="host-hostA"/>
|
|
<ObjectRef ref="host-hostB"/>
|
|
</TDst>
|
|
<TSrv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</TSrv>
|
|
<ItfInb neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ItfInb>
|
|
<ItfOutb neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ItfOutb>
|
|
<NATRuleOptions/>
|
|
</NATRule>
|
|
<NATRule id="id35828X1833" disabled="False" group="" position="31" action="Translate" comment="">
|
|
<OSrc neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</OSrc>
|
|
<ODst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ODst>
|
|
<OSrv neg="False">
|
|
<ServiceRef ref="tcp-HTTP"/>
|
|
</OSrv>
|
|
<TSrc neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</TSrc>
|
|
<TDst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</TDst>
|
|
<TSrv neg="False">
|
|
<ServiceRef ref="id3DDDE4E4"/>
|
|
</TSrv>
|
|
<ItfInb neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ItfInb>
|
|
<ItfOutb neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ItfOutb>
|
|
<NATRuleOptions/>
|
|
</NATRule>
|
|
<NATRule id="id35842X1833" disabled="False" group="" position="32" action="Translate" comment="">
|
|
<OSrc neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</OSrc>
|
|
<ODst neg="False">
|
|
<ObjectRef ref="host-hostA"/>
|
|
</ODst>
|
|
<OSrv neg="False">
|
|
<ServiceRef ref="tcp-HTTP"/>
|
|
</OSrv>
|
|
<TSrc neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</TSrc>
|
|
<TDst neg="False">
|
|
<ObjectRef ref="host-hostA"/>
|
|
</TDst>
|
|
<TSrv neg="False">
|
|
<ServiceRef ref="id3DDDE4E4"/>
|
|
</TSrv>
|
|
<ItfInb neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ItfInb>
|
|
<ItfOutb neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ItfOutb>
|
|
<NATRuleOptions/>
|
|
</NATRule>
|
|
<NATRule id="id35856X1833" disabled="False" group="" position="33" action="Translate" comment="">
|
|
<OSrc neg="False">
|
|
<ObjectRef ref="host-hostA"/>
|
|
</OSrc>
|
|
<ODst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ODst>
|
|
<OSrv neg="False">
|
|
<ServiceRef ref="tcp-HTTP"/>
|
|
</OSrv>
|
|
<TSrc neg="False">
|
|
<ObjectRef ref="id36042X1833"/>
|
|
</TSrc>
|
|
<TDst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</TDst>
|
|
<TSrv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</TSrv>
|
|
<ItfInb neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ItfInb>
|
|
<ItfOutb neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ItfOutb>
|
|
<NATRuleOptions/>
|
|
</NATRule>
|
|
<NATRule id="id35870X1833" disabled="False" group="" position="34" action="Translate" comment="">
|
|
<OSrc neg="True">
|
|
<ObjectRef ref="host-hostA"/>
|
|
</OSrc>
|
|
<ODst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ODst>
|
|
<OSrv neg="False">
|
|
<ServiceRef ref="tcp-HTTP"/>
|
|
</OSrv>
|
|
<TSrc neg="False">
|
|
<ObjectRef ref="id36039X1833"/>
|
|
</TSrc>
|
|
<TDst neg="False">
|
|
<ObjectRef ref="host-hostA"/>
|
|
</TDst>
|
|
<TSrv neg="False">
|
|
<ServiceRef ref="id3B4FF09A"/>
|
|
</TSrv>
|
|
<ItfInb neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ItfInb>
|
|
<ItfOutb neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ItfOutb>
|
|
<NATRuleOptions/>
|
|
</NATRule>
|
|
<NATRule id="id35884X1833" disabled="False" group="" position="35" action="Translate" comment="">
|
|
<OSrc neg="True">
|
|
<ObjectRef ref="id3B4572AF"/>
|
|
</OSrc>
|
|
<ODst neg="True">
|
|
<ObjectRef ref="id40F195D2"/>
|
|
</ODst>
|
|
<OSrv neg="False">
|
|
<ServiceRef ref="tcp-HTTP"/>
|
|
</OSrv>
|
|
<TSrc neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</TSrc>
|
|
<TDst neg="False">
|
|
<ObjectRef ref="id40F195D2"/>
|
|
</TDst>
|
|
<TSrv neg="False">
|
|
<ServiceRef ref="id3B4FF09A"/>
|
|
</TSrv>
|
|
<ItfInb neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ItfInb>
|
|
<ItfOutb neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ItfOutb>
|
|
<NATRuleOptions/>
|
|
</NATRule>
|
|
<NATRule id="id35898X1833" disabled="False" group="" position="36" action="Translate" comment="">
|
|
<OSrc neg="True">
|
|
<ObjectRef ref="id3B4572AF"/>
|
|
</OSrc>
|
|
<ODst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ODst>
|
|
<OSrv neg="True">
|
|
<ServiceRef ref="tcp-HTTP"/>
|
|
</OSrv>
|
|
<TSrc neg="False">
|
|
<ObjectRef ref="id36039X1833"/>
|
|
</TSrc>
|
|
<TDst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</TDst>
|
|
<TSrv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</TSrv>
|
|
<ItfInb neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ItfInb>
|
|
<ItfOutb neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ItfOutb>
|
|
<NATRuleOptions/>
|
|
</NATRule>
|
|
<NATRule id="id35912X1833" disabled="False" group="" position="37" action="Translate" comment="">
|
|
<OSrc neg="False">
|
|
<ObjectRef ref="net-Internal_net"/>
|
|
</OSrc>
|
|
<ODst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ODst>
|
|
<OSrv neg="False">
|
|
<ServiceRef ref="tcp-HTTP"/>
|
|
</OSrv>
|
|
<TSrc neg="False">
|
|
<ObjectRef ref="id36039X1833"/>
|
|
</TSrc>
|
|
<TDst neg="False">
|
|
<ObjectRef ref="host-hostA"/>
|
|
</TDst>
|
|
<TSrv neg="False">
|
|
<ServiceRef ref="id3B4FF09A"/>
|
|
</TSrv>
|
|
<ItfInb neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ItfInb>
|
|
<ItfOutb neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ItfOutb>
|
|
<NATRuleOptions/>
|
|
</NATRule>
|
|
<NATRule id="id35926X1833" disabled="False" group="" position="38" action="Translate" comment="this is the &quot;exception&quot; rule used in support req. originally">
|
|
<OSrc neg="False">
|
|
<ObjectRef ref="id3B4572AF"/>
|
|
</OSrc>
|
|
<ODst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ODst>
|
|
<OSrv neg="False">
|
|
<ServiceRef ref="tcp-HTTP"/>
|
|
</OSrv>
|
|
<TSrc neg="False">
|
|
<ObjectRef ref="id36044X1833"/>
|
|
</TSrc>
|
|
<TDst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</TDst>
|
|
<TSrv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</TSrv>
|
|
<ItfInb neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ItfInb>
|
|
<ItfOutb neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ItfOutb>
|
|
<NATRuleOptions>
|
|
<Option name="color">#C08B5A</Option>
|
|
</NATRuleOptions>
|
|
</NATRule>
|
|
<NATRule id="id35940X1833" disabled="False" group="" position="39" action="Translate" comment="">
|
|
<OSrc neg="False">
|
|
<ObjectRef ref="net-Internal_net"/>
|
|
</OSrc>
|
|
<ODst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ODst>
|
|
<OSrv neg="False">
|
|
<ServiceRef ref="tcp-HTTP"/>
|
|
</OSrv>
|
|
<TSrc neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</TSrc>
|
|
<TDst neg="False">
|
|
<ObjectRef ref="id36041X1833"/>
|
|
</TDst>
|
|
<TSrv neg="False">
|
|
<ServiceRef ref="id3B4FF09A"/>
|
|
</TSrv>
|
|
<ItfInb neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ItfInb>
|
|
<ItfOutb neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ItfOutb>
|
|
<NATRuleOptions>
|
|
<Option name="color">#C08B5A</Option>
|
|
</NATRuleOptions>
|
|
</NATRule>
|
|
<NATRule id="id35954X1833" disabled="False" group="" position="40" action="Translate" comment="&quot;exception&quot; rule in the pair from a support req.">
|
|
<OSrc neg="False">
|
|
<ObjectRef ref="id3B4572AF"/>
|
|
</OSrc>
|
|
<ODst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ODst>
|
|
<OSrv neg="False">
|
|
<ServiceRef ref="tcp-HTTP"/>
|
|
</OSrv>
|
|
<TSrc neg="False">
|
|
<ObjectRef ref="id36044X1833"/>
|
|
</TSrc>
|
|
<TDst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</TDst>
|
|
<TSrv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</TSrv>
|
|
<ItfInb neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ItfInb>
|
|
<ItfOutb neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ItfOutb>
|
|
<NATRuleOptions>
|
|
<Option name="color">#8BC065</Option>
|
|
</NATRuleOptions>
|
|
</NATRule>
|
|
<NATRule id="id35968X1833" disabled="False" group="" position="41" action="Translate" comment="testing transparent proxy rules for a support req.">
|
|
<OSrc neg="True">
|
|
<ObjectRef ref="id3B4572AF"/>
|
|
</OSrc>
|
|
<ODst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ODst>
|
|
<OSrv neg="False">
|
|
<ServiceRef ref="tcp-HTTP"/>
|
|
</OSrv>
|
|
<TSrc neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</TSrc>
|
|
<TDst neg="False">
|
|
<ObjectRef ref="id36041X1833"/>
|
|
</TDst>
|
|
<TSrv neg="False">
|
|
<ServiceRef ref="id3B4FF09A"/>
|
|
</TSrv>
|
|
<ItfInb neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ItfInb>
|
|
<ItfOutb neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ItfOutb>
|
|
<NATRuleOptions>
|
|
<Option name="color">#8BC065</Option>
|
|
</NATRuleOptions>
|
|
</NATRule>
|
|
<NATRule id="id35982X1833" disabled="False" group="" position="42" action="Translate" comment="testing transparent proxy rules for a support req.">
|
|
<OSrc neg="True">
|
|
<ObjectRef ref="id3B4572AF"/>
|
|
</OSrc>
|
|
<ODst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ODst>
|
|
<OSrv neg="False">
|
|
<ServiceRef ref="tcp-HTTP"/>
|
|
</OSrv>
|
|
<TSrc neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</TSrc>
|
|
<TDst neg="False">
|
|
<ObjectRef ref="id36039X1833"/>
|
|
</TDst>
|
|
<TSrv neg="False">
|
|
<ServiceRef ref="id3B4FF09A"/>
|
|
</TSrv>
|
|
<ItfInb neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ItfInb>
|
|
<ItfOutb neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ItfOutb>
|
|
<NATRuleOptions>
|
|
<Option name="color">#8BC065</Option>
|
|
</NATRuleOptions>
|
|
</NATRule>
|
|
<NATRule id="id35996X1833" disabled="False" group="" position="43" action="Translate" comment="testing transparent proxy rules for a support req.">
|
|
<OSrc neg="True">
|
|
<ObjectRef ref="id3B4572AF"/>
|
|
</OSrc>
|
|
<ODst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ODst>
|
|
<OSrv neg="False">
|
|
<ServiceRef ref="tcp-HTTP"/>
|
|
</OSrv>
|
|
<TSrc neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</TSrc>
|
|
<TDst neg="False">
|
|
<ObjectRef ref="id35107X1833"/>
|
|
</TDst>
|
|
<TSrv neg="False">
|
|
<ServiceRef ref="id3B4FF09A"/>
|
|
</TSrv>
|
|
<ItfInb neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ItfInb>
|
|
<ItfOutb neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ItfOutb>
|
|
<NATRuleOptions>
|
|
<Option name="color">#8BC065</Option>
|
|
</NATRuleOptions>
|
|
</NATRule>
|
|
<NATRule id="id36010X1833" disabled="False" group="" position="44" action="Translate" comment="&quot;exception&quot; rule in the pair from a support req.">
|
|
<OSrc neg="False">
|
|
<ObjectRef ref="id3B4572AF"/>
|
|
</OSrc>
|
|
<ODst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ODst>
|
|
<OSrv neg="False">
|
|
<ServiceRef ref="tcp-HTTP"/>
|
|
</OSrv>
|
|
<TSrc neg="False">
|
|
<ObjectRef ref="id36044X1833"/>
|
|
</TSrc>
|
|
<TDst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</TDst>
|
|
<TSrv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</TSrv>
|
|
<ItfInb neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ItfInb>
|
|
<ItfOutb neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ItfOutb>
|
|
<NATRuleOptions>
|
|
<Option name="color">#C0BA44</Option>
|
|
</NATRuleOptions>
|
|
</NATRule>
|
|
<NATRule id="id36024X1833" disabled="False" group="" position="45" action="Translate" comment="testing transparent proxy rules for a support req.">
|
|
<OSrc neg="True">
|
|
<ObjectRef ref="id3B4572AF"/>
|
|
</OSrc>
|
|
<ODst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ODst>
|
|
<OSrv neg="False">
|
|
<ServiceRef ref="tcp-HTTP"/>
|
|
</OSrv>
|
|
<TSrc neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</TSrc>
|
|
<TDst neg="False">
|
|
<ObjectRef ref="id40F195D2"/>
|
|
</TDst>
|
|
<TSrv neg="False">
|
|
<ServiceRef ref="id3B4FF09A"/>
|
|
</TSrv>
|
|
<ItfInb neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ItfInb>
|
|
<ItfOutb neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ItfOutb>
|
|
<NATRuleOptions>
|
|
<Option name="color">#C0BA44</Option>
|
|
</NATRuleOptions>
|
|
</NATRule>
|
|
<RuleSetOptions/>
|
|
</NAT>
|
|
<Policy id="id35113X1833" name="Policy" comment="" ro="False" ipv4_rule_set="False" ipv6_rule_set="False" top_rule_set="True">
|
|
<PolicyRule id="id35114X1833" disabled="False" group="" log="True" position="0" action="Deny" direction="Inbound" comment="Anti-spoofing rule">
|
|
<Src neg="False">
|
|
<ObjectRef ref="net-Internal_net"/>
|
|
<ObjectRef ref="id35107X1833"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="id36042X1833"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="action_on_reject"/>
|
|
<Option name="limit_suffix"/>
|
|
<Option name="limit_value">0</Option>
|
|
<Option name="log_prefix">Iface: %I RULE %N -- %A **</Option>
|
|
<Option name="stateless">True</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<PolicyRule id="id35127X1833" disabled="False" group="" log="True" position="1" action="Deny" direction="Outbound" comment="Anti-spoofing rule">
|
|
<Src neg="True">
|
|
<ObjectRef ref="net-Internal_net"/>
|
|
<ObjectRef ref="id35107X1833"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="id36042X1833"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="action_on_reject"/>
|
|
<Option name="limit_suffix"/>
|
|
<Option name="limit_value">0</Option>
|
|
<Option name="log_prefix">Iface: %I RULE %N -- %A **</Option>
|
|
<Option name="stateless">True</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<PolicyRule id="id35140X1833" disabled="False" group="" log="True" position="2" action="Deny" direction="Inbound" comment="testing group in &quot;interface&quot;; this rule should be identical to rule 3">
|
|
<Src neg="False">
|
|
<ObjectRef ref="net-Internal_net"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="sg-DHCP"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="id4653B4A820440"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="action_on_reject"/>
|
|
<Option name="connlimit_masklen">0</Option>
|
|
<Option name="connlimit_value">0</Option>
|
|
<Option name="firewall_is_part_of_any_and_networks">False</Option>
|
|
<Option name="hashlimit_burst">0</Option>
|
|
<Option name="hashlimit_dstlimit">False</Option>
|
|
<Option name="hashlimit_mode">dstip</Option>
|
|
<Option name="hashlimit_suffix"/>
|
|
<Option name="hashlimit_value">0</Option>
|
|
<Option name="limit_burst">0</Option>
|
|
<Option name="limit_suffix"/>
|
|
<Option name="limit_value">0</Option>
|
|
<Option name="log_level"/>
|
|
<Option name="log_prefix"/>
|
|
<Option name="stateless">True</Option>
|
|
<Option name="ulog_nlgroup">1</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<PolicyRule id="id35152X1833" disabled="False" group="" log="True" position="3" action="Deny" direction="Inbound" comment="">
|
|
<Src neg="False">
|
|
<ObjectRef ref="net-Internal_net"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="sg-DHCP"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="id36042X1833"/>
|
|
<ObjectRef ref="id36045X1833"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="action_on_reject"/>
|
|
<Option name="connlimit_masklen">0</Option>
|
|
<Option name="connlimit_value">0</Option>
|
|
<Option name="firewall_is_part_of_any_and_networks">False</Option>
|
|
<Option name="hashlimit_burst">0</Option>
|
|
<Option name="hashlimit_dstlimit">False</Option>
|
|
<Option name="hashlimit_mode">dstip</Option>
|
|
<Option name="hashlimit_suffix"/>
|
|
<Option name="hashlimit_value">0</Option>
|
|
<Option name="limit_burst">0</Option>
|
|
<Option name="limit_suffix"/>
|
|
<Option name="limit_value">0</Option>
|
|
<Option name="log_level"/>
|
|
<Option name="log_prefix"/>
|
|
<Option name="stateless">True</Option>
|
|
<Option name="ulog_nlgroup">1</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<PolicyRule id="id35165X1833" disabled="False" group="" log="False" position="4" action="Accept" direction="Both" comment="testing choice of chains in case when several interfaces are used and rule matches 'any' or broadcast ">
|
|
<Src neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="id3F6D115C"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="sg-DHCP"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="id36042X1833"/>
|
|
<ObjectRef ref="id36045X1833"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions/>
|
|
</PolicyRule>
|
|
<PolicyRule id="id35178X1833" disabled="False" group="" log="False" position="5" action="Accept" direction="Inbound" comment="">
|
|
<Src neg="False">
|
|
<ObjectRef ref="id44C0695713221"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="id3F6D115C"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="sg-DHCP"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="id36042X1833"/>
|
|
<ObjectRef ref="id36045X1833"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions/>
|
|
</PolicyRule>
|
|
<PolicyRule id="id35191X1833" disabled="False" group="" log="False" position="6" action="Accept" direction="Outbound" comment="">
|
|
<Src neg="False">
|
|
<ObjectRef ref="net-Internal_net"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="id3F6D115C"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="sg-DHCP"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="id36042X1833"/>
|
|
<ObjectRef ref="id36045X1833"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions/>
|
|
</PolicyRule>
|
|
<PolicyRule id="id35204X1833" disabled="False" group="" log="True" position="7" action="Deny" direction="Both" comment="">
|
|
<Src neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Dst>
|
|
<Srv neg="True">
|
|
<ServiceRef ref="tcp-TCP-SYN"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="stateless">True</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<PolicyRule id="id35216X1833" disabled="False" group="" log="True" position="8" action="Deny" direction="Both" comment="block fragments">
|
|
<Src neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="ip-IP_Fragments"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="id"/>
|
|
<Option name="stateless">True</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<PolicyRule id="id35228X1833" disabled="False" group="" log="True" position="9" action="Reject" direction="Both" comment="sends TCP RST and makes custom record in the log">
|
|
<Src neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="tcp-Auth"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="action_on_reject">TCP RST</Option>
|
|
<Option name="limit_suffix"/>
|
|
<Option name="limit_value">0</Option>
|
|
<Option name="log_prefix">IDENT</Option>
|
|
<Option name="stateless">True</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<PolicyRule id="id35240X1833" disabled="False" group="" log="True" position="10" action="Reject" direction="Both" comment="">
|
|
<Src neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="udp-SNMP"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="action_on_reject">TCP RST</Option>
|
|
<Option name="limit_burst">0</Option>
|
|
<Option name="limit_suffix"/>
|
|
<Option name="limit_value">0</Option>
|
|
<Option name="log_prefix"/>
|
|
<Option name="stateless">True</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<PolicyRule id="id35252X1833" disabled="False" group="" log="True" position="11" action="Accept" direction="Both" comment="">
|
|
<Src neg="False">
|
|
<ObjectRef ref="id3B022266"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="id36050X1833"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="id3C1A5D46"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions/>
|
|
</PolicyRule>
|
|
<PolicyRule id="id35264X1833" disabled="False" group="" log="False" position="12" action="Accept" direction="Both" comment="">
|
|
<Src neg="False">
|
|
<ObjectRef ref="id3B4572AF"/>
|
|
<ObjectRef ref="id3D8FC56A"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="host-secondary1-com"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions/>
|
|
</PolicyRule>
|
|
<PolicyRule id="id35277X1833" disabled="False" group="" log="False" position="13" action="Accept" direction="Both" comment="">
|
|
<Src neg="False">
|
|
<ObjectRef ref="host-secondary1-com"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="id3B4572AF"/>
|
|
<ObjectRef ref="id3D8FC56A"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions/>
|
|
</PolicyRule>
|
|
<PolicyRule id="id35290X1833" disabled="False" group="" log="False" position="14" action="Reject" direction="Both" comment="">
|
|
<Src neg="True">
|
|
<ObjectRef ref="net-Internal_net"/>
|
|
<ObjectRef ref="id3B022266"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="stateless">True</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<PolicyRule id="id35303X1833" disabled="False" group="" log="False" position="15" action="Accept" direction="Both" comment="">
|
|
<Src neg="False">
|
|
<ObjectRef ref="net-Internal_net"/>
|
|
<ObjectRef ref="id3B022266"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions/>
|
|
</PolicyRule>
|
|
<PolicyRule id="id35316X1833" disabled="False" group="" log="True" position="16" action="Deny" direction="Both" comment="">
|
|
<Src neg="False">
|
|
<ObjectRef ref="net-Internal_net"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="stateless">True</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<PolicyRule id="id35328X1833" disabled="False" group="" log="True" position="17" action="Accept" direction="Both" comment="host-fw2 has the same address as one of the firewall's interfaces">
|
|
<Src neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="id3AFC0F70"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="tcp-FTP"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="action_on_reject"/>
|
|
<Option name="limit_burst">10</Option>
|
|
<Option name="limit_suffix">/minute</Option>
|
|
<Option name="limit_value">5</Option>
|
|
<Option name="log_prefix"/>
|
|
<Option name="stateless">False</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<PolicyRule id="id35340X1833" disabled="False" group="" log="True" position="18" action="Accept" direction="Both" comment="">
|
|
<Src neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="id35107X1833"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="tcp-FTP"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions/>
|
|
</PolicyRule>
|
|
<PolicyRule id="id35352X1833" disabled="False" group="" log="True" position="19" action="Deny" direction="Both" comment="'catch all' rule">
|
|
<Src neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="id"/>
|
|
<Option name="stateless">True</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<RuleSetOptions/>
|
|
</Policy>
|
|
<Routing id="id36038X1833" name="Routing" comment="" ro="False" ipv4_rule_set="False" ipv6_rule_set="False" top_rule_set="True">
|
|
<RuleSetOptions/>
|
|
</Routing>
|
|
<Interface id="id36039X1833" dedicated_failover="False" dyn="False" label="" mgmt="True" security_level="100" unnum="False" unprotected="False" name="eth0" comment="" ro="False">
|
|
<IPv4 id="id36041X1833" name="firewall2-3:eth0:ip" comment="" ro="False" address="192.168.1.1" netmask="255.255.255.0"/>
|
|
<InterfaceOptions/>
|
|
</Interface>
|
|
<Interface id="id36042X1833" dedicated_failover="False" dyn="False" security_level="0" unnum="False" unprotected="False" name="eth1" comment="" ro="False">
|
|
<IPv4 id="id36044X1833" name="firewall2-3:eth1:ip" comment="" ro="False" address="22.22.22.22" netmask="255.255.255.0"/>
|
|
<InterfaceOptions/>
|
|
</Interface>
|
|
<Interface id="id36045X1833" dedicated_failover="False" dyn="False" label="" mgmt="False" security_level="0" unnum="False" unprotected="False" name="eth3" comment="" ro="False">
|
|
<IPv4 id="id36048X1833" name="firewall2-3:eth3:ip1" comment="" ro="False" address="22.22.23.23" netmask="255.255.255.0"/>
|
|
<IPv4 id="id36049X1833" name="firewall2-3:eth3:ip2" comment="" ro="False" address="22.22.25.50" netmask="255.255.255.0"/>
|
|
<InterfaceOptions/>
|
|
</Interface>
|
|
<Interface id="id36050X1833" dedicated_failover="False" dyn="False" security_level="100" unnum="False" unprotected="False" name="eth2" comment="" ro="False">
|
|
<IPv4 id="id36053X1833" name="firewall2-3:eth2:ip1" comment="" ro="False" address="192.168.2.1" netmask="255.255.255.0"/>
|
|
<IPv4 id="id36054X1833" name="firewall2-3:eth2:ip2" comment="" ro="False" address="192.168.2.40" netmask="255.255.255.0"/>
|
|
<InterfaceOptions/>
|
|
</Interface>
|
|
<Interface id="id36055X1833" dedicated_failover="False" dyn="False" label="" security_level="100" unnum="False" unprotected="False" name="lo" comment="" ro="False">
|
|
<IPv4 id="id36057X1833" name="firewall2-3:lo:ip" comment="" ro="False" address="127.0.0.1" netmask="255.0.0.0"/>
|
|
<InterfaceOptions/>
|
|
</Interface>
|
|
<Management address="192.168.1.1">
|
|
<!-- NOTE(review): SNMPManagement is disabled here, but snmp_read_community is still the well-known default "public" and snmp_write_community is empty; set a non-default read community before setting enabled="True". -->
<SNMPManagement enabled="False" snmp_read_community="public" snmp_write_community=""/>
|
|
<FWBDManagement enabled="True" identity="" port="9999"/>
|
|
<PolicyInstallScript arguments="" command="" enabled="False"/>
|
|
</Management>
|
|
<FirewallOptions>
|
|
<Option name="accept_established">True</Option>
|
|
<Option name="accept_new_tcp_with_no_syn">False</Option>
|
|
<Option name="action_on_reject">ICMP net unreachable</Option>
|
|
<Option name="activationCmd"/>
|
|
<Option name="admUser"/>
|
|
<Option name="altAddress"/>
|
|
<Option name="bridging_fw">False</Option>
|
|
<Option name="check_shading">False</Option>
|
|
<Option name="clamp_mss_to_mtu">True</Option>
|
|
<Option name="classify_mark_terminating">False</Option>
|
|
<Option name="cmdline"/>
|
|
<Option name="compiler"/>
|
|
<Option name="configure_interfaces">True</Option>
|
|
<Option name="debug">False</Option>
|
|
<Option name="drop_invalid">True</Option>
|
|
<Option name="dyn_addr">False</Option>
|
|
<Option name="epilog_script"/>
|
|
<Option name="firewall_dir"/>
|
|
<Option name="firewall_is_part_of_any">True</Option>
|
|
<Option name="firewall_is_part_of_any_and_networks">True</Option>
|
|
<Option name="id"/>
|
|
<Option name="ignore_empty_groups">False</Option>
|
|
<Option name="inst_cmdline"/>
|
|
<Option name="inst_script"/>
|
|
<Option name="install_script"/>
|
|
<Option name="limit_suffix">/second</Option>
|
|
<Option name="limit_value">5</Option>
|
|
<Option name="linux24_accept_redirects">0</Option>
|
|
<Option name="linux24_accept_source_route">0</Option>
|
|
<Option name="linux24_icmp_echo_ignore_all">1</Option>
|
|
<Option name="linux24_icmp_echo_ignore_broadcasts"/>
|
|
<Option name="linux24_icmp_ignore_bogus_error_responses">1</Option>
|
|
<Option name="linux24_ip_dynaddr"/>
|
|
<Option name="linux24_ip_forward">1</Option>
|
|
<Option name="linux24_log_martians">1</Option>
|
|
<Option name="linux24_path_ip"/>
|
|
<Option name="linux24_path_iptables"/>
|
|
<Option name="linux24_path_logger"/>
|
|
<Option name="linux24_path_lsmod"/>
|
|
<Option name="linux24_path_modprobe"/>
|
|
<Option name="linux24_rp_filter">1</Option>
|
|
<Option name="linux24_tcp_ecn"/>
|
|
<Option name="linux24_tcp_fack"/>
|
|
<Option name="linux24_tcp_fin_timeout">30</Option>
|
|
<Option name="linux24_tcp_keepalive_interval">1800</Option>
|
|
<Option name="linux24_tcp_sack"/>
|
|
<Option name="linux24_tcp_syncookies"/>
|
|
<Option name="linux24_tcp_timestamps"/>
|
|
<Option name="linux24_tcp_window_scaling"/>
|
|
<Option name="load_modules">False</Option>
|
|
<Option name="local_nat">True</Option>
|
|
<Option name="log_all">False</Option>
|
|
<Option name="log_all_dropped">True</Option>
|
|
<Option name="log_invalid">True</Option>
|
|
<Option name="log_ip_opt">False</Option>
|
|
<Option name="log_level">debug</Option>
|
|
<Option name="log_limit_suffix">/second</Option>
|
|
<Option name="log_limit_value">0</Option>
|
|
<Option name="log_prefix">RULE %N - %A **</Option>
|
|
<Option name="log_tcp_opt">False</Option>
|
|
<Option name="log_tcp_seq">False</Option>
|
|
<Option name="manage_virtual_addr">True</Option>
|
|
<Option name="mgmt_addr"/>
|
|
<Option name="mgmt_ssh">False</Option>
|
|
<Option name="no_iochains_for_any">False</Option>
|
|
<Option name="no_ipv6_default_policy">False</Option>
|
|
<Option name="no_optimisation">False</Option>
|
|
<Option name="output_file"/>
|
|
<Option name="platform">iptables</Option>
|
|
<Option name="prolog_place">after_flush</Option>
|
|
<Option name="prolog_script"/>
|
|
<Option name="proxy_arp">True</Option>
|
|
<Option name="script_env_path"/>
|
|
<Option name="snmp_contact"/>
|
|
<Option name="snmp_description"/>
|
|
<Option name="snmp_location"/>
|
|
<Option name="sshArgs"/>
|
|
<Option name="ulog_cprange">0</Option>
|
|
<Option name="ulog_nlgroup">1</Option>
|
|
<Option name="ulog_qthreshold">1</Option>
|
|
<Option name="useULOG">False</Option>
|
|
<Option name="use_ULOG">True</Option>
|
|
<Option name="use_ip_tool">True</Option>
|
|
<Option name="use_iptables_restore">False</Option>
|
|
<Option name="use_numeric_log_levels">False</Option>
|
|
<Option name="verify_interfaces">False</Option>
|
|
</FirewallOptions>
|
|
</Firewall>
|
|
<Firewall id="id37848X15403" host_OS="linux24" inactive="False" lastCompiled="1272404528" lastInstalled="0" lastModified="1230686938" platform="iptables" version="lt_1.2.6" name="firewall61-1.2.5" comment="testing time limiting for iptables 1.2.5 " ro="False">
|
|
<NAT id="id37939X15403" name="NAT" comment="" ro="False" ipv4_rule_set="False" ipv6_rule_set="False" top_rule_set="True">
|
|
<RuleSetOptions/>
|
|
</NAT>
|
|
<Policy id="id37854X15403" name="fw61-Policy" comment="" ro="False" ipv4_rule_set="False" ipv6_rule_set="False" top_rule_set="True">
|
|
<PolicyRule id="id37855X15403" disabled="False" group="" log="True" position="0" action="Deny" direction="Both" comment="">
|
|
<Src neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="id3C63479C"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="stateless">True</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<PolicyRule id="id37867X15403" disabled="False" group="" log="True" position="1" action="Deny" direction="Both" comment="">
|
|
<Src neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="id3C63479E"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="stateless">True</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<PolicyRule id="id37879X15403" disabled="False" group="" log="True" position="2" action="Deny" direction="Both" comment="">
|
|
<Src neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="int-afterhours"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="stateless">True</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<PolicyRule id="id37891X15403" disabled="False" group="" log="True" position="3" action="Deny" direction="Both" comment="">
|
|
<Src neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="int-weekends"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="stateless">True</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<PolicyRule id="id37903X15403" disabled="False" group="" log="True" position="4" action="Deny" direction="Both" comment="">
|
|
<Src neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="int-workhours"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="stateless">True</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<PolicyRule id="id37915X15403" disabled="False" group="" log="True" position="5" action="Deny" direction="Both" comment="">
|
|
<Src neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="id3D6864D0"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="stateless">True</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<PolicyRule id="id37927X15403" disabled="False" group="" log="True" position="6" action="Deny" direction="Both" comment="">
|
|
<Src neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="id45F8C4E013056"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="stateless">True</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<PolicyRule id="id106632X15403" disabled="False" group="" log="True" position="7" action="Deny" direction="Both" comment="">
|
|
<Src neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="id89441X15403"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="stateless">True</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<PolicyRule id="id38120X64488" disabled="False" group="" log="True" position="8" action="Deny" direction="Both" comment="">
|
|
<Src neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="id38119X64488"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="stateless">True</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<RuleSetOptions>
|
|
<Option name="mangle_only_rule_set">
|
|
True
|
|
</Option>
|
|
</RuleSetOptions>
|
|
</Policy>
|
|
<Policy id="id40740X78859" name="Policy_ipv6" comment="v6 policy to test conditional generation of TCPMSS rule for ip6tables depending on version bug #2477775 " ro="False" ipv4_rule_set="False" ipv6_rule_set="True" top_rule_set="True">
|
|
<PolicyRule id="id40741X78859" disabled="False" group="" log="True" position="0" action="Deny" direction="Both" comment="">
|
|
<Src neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="stateless">True</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<RuleSetOptions/>
|
|
</Policy>
|
|
<Routing id="id37940X15403" name="Routing" comment="" ro="False" ipv4_rule_set="False" ipv6_rule_set="False" top_rule_set="True">
|
|
<RuleSetOptions/>
|
|
</Routing>
|
|
<Interface id="id37941X15403" dedicated_failover="False" dyn="False" label="" mgmt="True" security_level="100" unnum="False" unprotected="False" name="eth0" comment="" ro="False">
|
|
<IPv4 id="id37943X15403" name="firewall61-1.2.5:eth0:ip" comment="" ro="False" address="192.168.1.1" netmask="255.255.255.0"/>
|
|
<InterfaceOptions/>
|
|
</Interface>
|
|
<Interface id="id37944X15403" dedicated_failover="False" dyn="False" label="" mgmt="False" security_level="0" unnum="False" unprotected="False" name="eth1" comment="" ro="False">
|
|
<IPv4 id="id37946X15403" name="firewall61-1.2.5:eth1:ip" comment="" ro="False" address="222.222.222.222" netmask="255.255.255.0"/>
|
|
<InterfaceOptions/>
|
|
</Interface>
|
|
<Management address="192.168.1.1">
|
|
<SNMPManagement enabled="False" snmp_read_community="" snmp_write_community=""/>
|
|
<FWBDManagement enabled="False" identity="" port="-1"/>
|
|
<PolicyInstallScript arguments="" command="" enabled="False"/>
|
|
</Management>
|
|
<FirewallOptions>
|
|
<Option name="accept_established">True</Option>
|
|
<Option name="accept_new_tcp_with_no_syn">True</Option>
|
|
<Option name="action_on_reject"/>
|
|
<Option name="activationCmd"/>
|
|
<Option name="add_check_state_rule">true</Option>
|
|
<Option name="admUser"/>
|
|
<Option name="altAddress"/>
|
|
<Option name="bridging_fw">False</Option>
|
|
<Option name="check_shading">False</Option>
|
|
<Option name="clamp_mss_to_mtu">True</Option>
|
|
<Option name="classify_mark_terminating">False</Option>
|
|
<Option name="cmdline"/>
|
|
<Option name="compiler"/>
|
|
<Option name="configure_interfaces">True</Option>
|
|
<Option name="debug">False</Option>
|
|
<Option name="drop_invalid">False</Option>
|
|
<Option name="eliminate_duplicates">true</Option>
|
|
<Option name="enable_ipv6">False</Option>
|
|
<Option name="epilog_script"/>
|
|
<Option name="firewall_dir">/etc</Option>
|
|
<Option name="firewall_is_part_of_any_and_networks">True</Option>
|
|
<Option name="freebsd_ip_forward">1</Option>
|
|
<Option name="ignore_empty_groups">False</Option>
|
|
<Option name="in_out_code">true</Option>
|
|
<Option name="iosacl_add_clear_statements">true</Option>
|
|
<Option name="iosacl_assume_fw_part_of_any">true</Option>
|
|
<Option name="iosacl_include_comments">true</Option>
|
|
<Option name="ipt_mangle_only_rulesets"> fw61-Policy</Option>
|
|
<Option name="ipv4_6_order">ipv4_first</Option>
|
|
<Option name="limit_suffix"/>
|
|
<Option name="limit_value">0</Option>
|
|
<Option name="linux24_ip_forward">1</Option>
|
|
<Option name="load_modules">True</Option>
|
|
<Option name="local_nat">False</Option>
|
|
<Option name="log_all">False</Option>
|
|
<Option name="log_invalid">False</Option>
|
|
<Option name="log_ip_opt">False</Option>
|
|
<Option name="log_level">info</Option>
|
|
<Option name="log_prefix">RULE %N -- %A </Option>
|
|
<Option name="log_tcp_opt">False</Option>
|
|
<Option name="log_tcp_seq">False</Option>
|
|
<Option name="loopback_interface">lo0</Option>
|
|
<Option name="macosx_ip_forward">1</Option>
|
|
<Option name="manage_virtual_addr">True</Option>
|
|
<Option name="mgmt_addr"/>
|
|
<Option name="mgmt_ssh">False</Option>
|
|
<Option name="no_ipv6_default_policy">False</Option>
|
|
<Option name="openbsd_ip_forward">1</Option>
|
|
<Option name="output_file"/>
|
|
<Option name="pass_all_out">false</Option>
|
|
<Option name="pf_limit_frags">5000</Option>
|
|
<Option name="pf_limit_states">10000</Option>
|
|
<Option name="pf_scrub_maxmss">1460</Option>
|
|
<Option name="pf_timeout_frag">30</Option>
|
|
<Option name="pf_timeout_interval">10</Option>
|
|
<Option name="pix_add_clear_statements">true</Option>
|
|
<Option name="pix_assume_fw_part_of_any">true</Option>
|
|
<Option name="pix_default_logint">300</Option>
|
|
<Option name="pix_emblem_log_format">false</Option>
|
|
<Option name="pix_emulate_out_acl">true</Option>
|
|
<Option name="pix_floodguard">true</Option>
|
|
<Option name="pix_include_comments">true</Option>
|
|
<Option name="pix_route_dnat_supported">true</Option>
|
|
<Option name="pix_rule_syslog_settings">false</Option>
|
|
<Option name="pix_security_fragguard_supported">true</Option>
|
|
<Option name="pix_syslog_device_id_supported">false</Option>
|
|
<Option name="pix_use_acl_remarks">true</Option>
|
|
<Option name="prolog_place">top</Option>
|
|
<Option name="prolog_script"/>
|
|
<Option name="prompt1">$ </Option>
|
|
<Option name="prompt2"> # </Option>
|
|
<Option name="solaris_ip_forward">1</Option>
|
|
<Option name="sshArgs"/>
|
|
<Option name="ulog_cprange">0</Option>
|
|
<Option name="ulog_nlgroup">1</Option>
|
|
<Option name="ulog_qthreshold">1</Option>
|
|
<Option name="use_ULOG">False</Option>
|
|
<Option name="use_iptables_restore">False</Option>
|
|
<Option name="use_numeric_log_levels">False</Option>
|
|
<Option name="verify_interfaces">True</Option>
|
|
</FirewallOptions>
|
|
</Firewall>
|
|
<Firewall id="id72587X64488" host_OS="linux24" inactive="False" lastCompiled="1272404532" lastInstalled="0" lastModified="1230686944" platform="iptables" version="ge_1.2.6" name="firewall61-1.2.6" comment="testing time limiting for iptables 1.2.6" ro="False">
|
|
<NAT id="id72702X64488" name="NAT" comment="" ro="False" ipv4_rule_set="False" ipv6_rule_set="False" top_rule_set="True">
|
|
<RuleSetOptions/>
|
|
</NAT>
|
|
<Policy id="id72593X64488" name="Policy" comment="" ro="False" ipv4_rule_set="False" ipv6_rule_set="False" top_rule_set="True">
|
|
<PolicyRule id="id212560X64488" disabled="False" group="" log="True" position="0" action="Branch" direction="Both" comment="">
|
|
<Src neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="action_on_reject"/>
|
|
<Option name="branch_id">id37854X15403</Option>
|
|
<Option name="classify_str"/>
|
|
<Option name="custom_str"/>
|
|
<Option name="ipf_route_opt_addr"/>
|
|
<Option name="ipf_route_opt_if"/>
|
|
<Option name="ipf_route_option">route_through</Option>
|
|
<Option name="ipfw_classify_method">2</Option>
|
|
<Option name="ipfw_pipe_port_num">0</Option>
|
|
<Option name="ipfw_pipe_queue_num">0</Option>
|
|
<Option name="ipt_branch_in_mangle">False</Option>
|
|
<Option name="ipt_continue">False</Option>
|
|
<Option name="ipt_gw"/>
|
|
<Option name="ipt_iif"/>
|
|
<Option name="ipt_mark_connections">False</Option>
|
|
<Option name="ipt_oif"/>
|
|
<Option name="ipt_tee">False</Option>
|
|
<Option name="pf_fastroute">False</Option>
|
|
<Option name="pf_route_load_option">none</Option>
|
|
<Option name="pf_route_opt_addr"/>
|
|
<Option name="pf_route_opt_if"/>
|
|
<Option name="pf_route_option">route_through</Option>
|
|
<Option name="rule_name_accounting"/>
|
|
<Option name="stateless">True</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<PolicyRule id="id72594X64488" disabled="False" group="" log="True" position="1" action="Deny" direction="Both" comment="">
|
|
<Src neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="id3C63479C"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="stateless">True</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<RuleSetOptions/>
|
|
</Policy>
|
|
<Policy id="id59213X78859" name="Policy_ipv6" comment="v6 policy to test conditional generation of TCPMSS rule for ip6tables depending on version bug #2477775" ro="False" ipv4_rule_set="False" ipv6_rule_set="True" top_rule_set="True">
|
|
<PolicyRule id="id59214X78859" disabled="False" group="" log="True" position="0" action="Deny" direction="Both" comment="">
|
|
<Src neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="stateless">True</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<RuleSetOptions/>
|
|
</Policy>
|
|
<Routing id="id72703X64488" name="Routing" comment="" ro="False" ipv4_rule_set="False" ipv6_rule_set="False" top_rule_set="True">
|
|
<RuleSetOptions/>
|
|
</Routing>
|
|
<Interface id="id72704X64488" dedicated_failover="False" dyn="False" label="" mgmt="True" security_level="100" unnum="False" unprotected="False" name="eth0" comment="" ro="False">
|
|
<IPv4 id="id72706X64488" name="firewall61-1.2.6:eth0:ip" comment="" ro="False" address="192.168.1.1" netmask="255.255.255.0"/>
|
|
<InterfaceOptions/>
|
|
</Interface>
|
|
<Interface id="id72707X64488" dedicated_failover="False" dyn="False" label="" mgmt="False" security_level="0" unnum="False" unprotected="False" name="eth1" comment="" ro="False">
|
|
<IPv4 id="id72709X64488" name="firewall61-1.2.6:eth1:ip" comment="" ro="False" address="222.222.222.222" netmask="255.255.255.0"/>
|
|
<InterfaceOptions/>
|
|
</Interface>
|
|
<Management address="192.168.1.1">
|
|
<SNMPManagement enabled="False" snmp_read_community="" snmp_write_community=""/>
|
|
<FWBDManagement enabled="False" identity="" port="-1"/>
|
|
<PolicyInstallScript arguments="" command="" enabled="False"/>
|
|
</Management>
|
|
<FirewallOptions>
|
|
<Option name="accept_established">True</Option>
|
|
<Option name="accept_new_tcp_with_no_syn">True</Option>
|
|
<Option name="action_on_reject"/>
|
|
<Option name="activationCmd"/>
|
|
<Option name="add_check_state_rule">true</Option>
|
|
<Option name="admUser"/>
|
|
<Option name="altAddress"/>
|
|
<Option name="bridging_fw">False</Option>
|
|
<Option name="check_shading">False</Option>
|
|
<Option name="clamp_mss_to_mtu">True</Option>
|
|
<Option name="classify_mark_terminating">False</Option>
|
|
<Option name="cmdline"/>
|
|
<Option name="compiler"/>
|
|
<Option name="configure_interfaces">True</Option>
|
|
<Option name="debug">False</Option>
|
|
<Option name="drop_invalid">False</Option>
|
|
<Option name="eliminate_duplicates">true</Option>
|
|
<Option name="enable_ipv6">False</Option>
|
|
<Option name="epilog_script"/>
|
|
<Option name="firewall_dir">/etc</Option>
|
|
<Option name="firewall_is_part_of_any_and_networks">True</Option>
|
|
<Option name="freebsd_ip_forward">1</Option>
|
|
<Option name="ignore_empty_groups">False</Option>
|
|
<Option name="in_out_code">true</Option>
|
|
<Option name="iosacl_add_clear_statements">true</Option>
|
|
<Option name="iosacl_assume_fw_part_of_any">true</Option>
|
|
<Option name="iosacl_include_comments">true</Option>
|
|
<Option name="ipt_mangle_only_rulesets"/>
|
|
<Option name="ipv4_6_order">ipv4_first</Option>
|
|
<Option name="limit_suffix"/>
|
|
<Option name="limit_value">0</Option>
|
|
<Option name="linux24_ip_forward">1</Option>
|
|
<Option name="load_modules">True</Option>
|
|
<Option name="local_nat">False</Option>
|
|
<Option name="log_all">False</Option>
|
|
<Option name="log_invalid">False</Option>
|
|
<Option name="log_ip_opt">False</Option>
|
|
<Option name="log_level">info</Option>
|
|
<Option name="log_prefix">RULE %N -- %A </Option>
|
|
<Option name="log_tcp_opt">False</Option>
|
|
<Option name="log_tcp_seq">False</Option>
|
|
<Option name="loopback_interface">lo0</Option>
|
|
<Option name="macosx_ip_forward">1</Option>
|
|
<Option name="manage_virtual_addr">True</Option>
|
|
<Option name="mgmt_addr"/>
|
|
<Option name="mgmt_ssh">False</Option>
|
|
<Option name="no_ipv6_default_policy">False</Option>
|
|
<Option name="openbsd_ip_forward">1</Option>
|
|
<Option name="output_file"/>
|
|
<Option name="pass_all_out">false</Option>
|
|
<Option name="pf_limit_frags">5000</Option>
|
|
<Option name="pf_limit_states">10000</Option>
|
|
<Option name="pf_scrub_maxmss">1460</Option>
|
|
<Option name="pf_timeout_frag">30</Option>
|
|
<Option name="pf_timeout_interval">10</Option>
|
|
<Option name="pix_add_clear_statements">true</Option>
|
|
<Option name="pix_assume_fw_part_of_any">true</Option>
|
|
<Option name="pix_default_logint">300</Option>
|
|
<Option name="pix_emblem_log_format">false</Option>
|
|
<Option name="pix_emulate_out_acl">true</Option>
|
|
<Option name="pix_floodguard">true</Option>
|
|
<Option name="pix_include_comments">true</Option>
|
|
<Option name="pix_route_dnat_supported">true</Option>
|
|
<Option name="pix_rule_syslog_settings">false</Option>
|
|
<Option name="pix_security_fragguard_supported">true</Option>
|
|
<Option name="pix_syslog_device_id_supported">false</Option>
|
|
<Option name="pix_use_acl_remarks">true</Option>
|
|
<Option name="prolog_place">top</Option>
|
|
<Option name="prolog_script"/>
|
|
<Option name="prompt1">$ </Option>
|
|
<Option name="prompt2"> # </Option>
|
|
<Option name="solaris_ip_forward">1</Option>
|
|
<Option name="sshArgs"/>
|
|
<Option name="ulog_cprange">0</Option>
|
|
<Option name="ulog_nlgroup">1</Option>
|
|
<Option name="ulog_qthreshold">1</Option>
|
|
<Option name="use_ULOG">False</Option>
|
|
<Option name="use_iptables_restore">False</Option>
|
|
<Option name="use_numeric_log_levels">False</Option>
|
|
<Option name="verify_interfaces">True</Option>
|
|
</FirewallOptions>
|
|
</Firewall>
|
|
<Firewall id="id72715X64488" host_OS="linux24" inactive="False" lastCompiled="1272404536" lastInstalled="0" lastModified="1230686948" platform="iptables" version="1.3.0" name="firewall61-1.3.x" comment="testing time limiting for iptables 1.3.x " ro="False">
|
|
<NAT id="id72830X64488" name="NAT" comment="" ro="False" ipv4_rule_set="False" ipv6_rule_set="False" top_rule_set="True">
|
|
<RuleSetOptions/>
|
|
</NAT>
|
|
<Policy id="id72721X64488" name="Policy" comment="" ro="False" ipv4_rule_set="False" ipv6_rule_set="False" top_rule_set="True">
|
|
<PolicyRule id="id212543X64488" disabled="False" group="" log="True" position="0" action="Branch" direction="Both" comment="">
|
|
<Src neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="action_on_reject"/>
|
|
<Option name="branch_id">id37854X15403</Option>
|
|
<Option name="classify_str"/>
|
|
<Option name="custom_str"/>
|
|
<Option name="ipf_route_opt_addr"/>
|
|
<Option name="ipf_route_opt_if"/>
|
|
<Option name="ipf_route_option">route_through</Option>
|
|
<Option name="ipfw_classify_method">2</Option>
|
|
<Option name="ipfw_pipe_port_num">0</Option>
|
|
<Option name="ipfw_pipe_queue_num">0</Option>
|
|
<Option name="ipt_branch_in_mangle">False</Option>
|
|
<Option name="ipt_continue">False</Option>
|
|
<Option name="ipt_gw"/>
|
|
<Option name="ipt_iif"/>
|
|
<Option name="ipt_mark_connections">False</Option>
|
|
<Option name="ipt_oif"/>
|
|
<Option name="ipt_tee">False</Option>
|
|
<Option name="pf_fastroute">False</Option>
|
|
<Option name="pf_route_load_option">none</Option>
|
|
<Option name="pf_route_opt_addr"/>
|
|
<Option name="pf_route_opt_if"/>
|
|
<Option name="pf_route_option">route_through</Option>
|
|
<Option name="rule_name_accounting"/>
|
|
<Option name="stateless">True</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<RuleSetOptions/>
|
|
</Policy>
|
|
<Policy id="id59226X78859" name="Policy_ipv6" comment="v6 policy to test conditional generation of TCPMSS rule for ip6tables depending on version bug #2477775" ro="False" ipv4_rule_set="False" ipv6_rule_set="True" top_rule_set="True">
|
|
<PolicyRule id="id59227X78859" disabled="False" group="" log="True" position="0" action="Deny" direction="Both" comment="">
|
|
<Src neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="stateless">True</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<RuleSetOptions/>
|
|
</Policy>
|
|
<Routing id="id72831X64488" name="Routing" comment="" ro="False" ipv4_rule_set="False" ipv6_rule_set="False" top_rule_set="True">
|
|
<RuleSetOptions/>
|
|
</Routing>
|
|
<Interface id="id72832X64488" dedicated_failover="False" dyn="False" label="" mgmt="True" security_level="100" unnum="False" unprotected="False" name="eth0" comment="" ro="False">
|
|
<IPv4 id="id72834X64488" name="firewall61-1.3.x:eth0:ip" comment="" ro="False" address="192.168.1.1" netmask="255.255.255.0"/>
|
|
<InterfaceOptions/>
|
|
</Interface>
|
|
<Interface id="id72835X64488" dedicated_failover="False" dyn="False" label="" mgmt="False" security_level="0" unnum="False" unprotected="False" name="eth1" comment="" ro="False">
|
|
<IPv4 id="id72837X64488" name="firewall61-1.3.x:eth1:ip" comment="" ro="False" address="222.222.222.222" netmask="255.255.255.0"/>
|
|
<InterfaceOptions/>
|
|
</Interface>
|
|
<Management address="192.168.1.1">
|
|
<SNMPManagement enabled="False" snmp_read_community="" snmp_write_community=""/>
|
|
<FWBDManagement enabled="False" identity="" port="-1"/>
|
|
<PolicyInstallScript arguments="" command="" enabled="False"/>
|
|
</Management>
|
|
<FirewallOptions>
|
|
<Option name="accept_established">True</Option>
|
|
<Option name="accept_new_tcp_with_no_syn">True</Option>
|
|
<Option name="action_on_reject"/>
|
|
<Option name="activationCmd"/>
|
|
<Option name="add_check_state_rule">true</Option>
|
|
<Option name="admUser"/>
|
|
<Option name="altAddress"/>
|
|
<Option name="bridging_fw">False</Option>
|
|
<Option name="check_shading">False</Option>
|
|
<Option name="clamp_mss_to_mtu">True</Option>
|
|
<Option name="classify_mark_terminating">False</Option>
|
|
<Option name="cmdline"/>
|
|
<Option name="compiler"/>
|
|
<Option name="configure_interfaces">True</Option>
|
|
<Option name="debug">False</Option>
|
|
<Option name="drop_invalid">False</Option>
|
|
<Option name="eliminate_duplicates">true</Option>
|
|
<Option name="enable_ipv6">False</Option>
|
|
<Option name="epilog_script"/>
|
|
<Option name="firewall_dir">/etc</Option>
|
|
<Option name="firewall_is_part_of_any_and_networks">True</Option>
|
|
<Option name="freebsd_ip_forward">1</Option>
|
|
<Option name="ignore_empty_groups">False</Option>
|
|
<Option name="in_out_code">true</Option>
|
|
<Option name="iosacl_add_clear_statements">true</Option>
|
|
<Option name="iosacl_assume_fw_part_of_any">true</Option>
|
|
<Option name="iosacl_include_comments">true</Option>
|
|
<Option name="ipt_mangle_only_rulesets"/>
|
|
<Option name="ipv4_6_order">ipv4_first</Option>
|
|
<Option name="limit_suffix"/>
|
|
<Option name="limit_value">0</Option>
|
|
<Option name="linux24_ip_forward">1</Option>
|
|
<Option name="load_modules">True</Option>
|
|
<Option name="local_nat">False</Option>
|
|
<Option name="log_all">False</Option>
|
|
<Option name="log_invalid">False</Option>
|
|
<Option name="log_ip_opt">False</Option>
|
|
<Option name="log_level">info</Option>
|
|
<Option name="log_prefix">RULE %N -- %A </Option>
|
|
<Option name="log_tcp_opt">False</Option>
|
|
<Option name="log_tcp_seq">False</Option>
|
|
<Option name="loopback_interface">lo0</Option>
|
|
<Option name="macosx_ip_forward">1</Option>
|
|
<Option name="manage_virtual_addr">True</Option>
|
|
<Option name="mgmt_addr"/>
|
|
<Option name="mgmt_ssh">False</Option>
|
|
<Option name="no_ipv6_default_policy">False</Option>
|
|
<Option name="openbsd_ip_forward">1</Option>
|
|
<Option name="output_file"/>
|
|
<Option name="pass_all_out">false</Option>
|
|
<Option name="pf_limit_frags">5000</Option>
|
|
<Option name="pf_limit_states">10000</Option>
|
|
<Option name="pf_scrub_maxmss">1460</Option>
|
|
<Option name="pf_timeout_frag">30</Option>
|
|
<Option name="pf_timeout_interval">10</Option>
|
|
<Option name="pix_add_clear_statements">true</Option>
|
|
<Option name="pix_assume_fw_part_of_any">true</Option>
|
|
<Option name="pix_default_logint">300</Option>
|
|
<Option name="pix_emblem_log_format">false</Option>
|
|
<Option name="pix_emulate_out_acl">true</Option>
|
|
<Option name="pix_floodguard">true</Option>
|
|
<Option name="pix_include_comments">true</Option>
|
|
<Option name="pix_route_dnat_supported">true</Option>
|
|
<Option name="pix_rule_syslog_settings">false</Option>
|
|
<Option name="pix_security_fragguard_supported">true</Option>
|
|
<Option name="pix_syslog_device_id_supported">false</Option>
|
|
<Option name="pix_use_acl_remarks">true</Option>
|
|
<Option name="prolog_place">top</Option>
|
|
<Option name="prolog_script"/>
|
|
<Option name="prompt1">$ </Option>
|
|
<Option name="prompt2"> # </Option>
|
|
<Option name="solaris_ip_forward">1</Option>
|
|
<Option name="sshArgs"/>
|
|
<Option name="ulog_cprange">0</Option>
|
|
<Option name="ulog_nlgroup">1</Option>
|
|
<Option name="ulog_qthreshold">1</Option>
|
|
<Option name="use_ULOG">False</Option>
|
|
<Option name="use_iptables_restore">False</Option>
|
|
<Option name="use_numeric_log_levels">False</Option>
|
|
<Option name="verify_interfaces">True</Option>
|
|
</FirewallOptions>
|
|
</Firewall>
|
|
<Firewall id="id55972X87590" host_OS="linux24" inactive="False" lastCompiled="1280268021" lastInstalled="0" lastModified="1280267975" platform="iptables" version="" name="firewall-ipv6-2" comment="Using ULOG globally, but ipv6 rules should fall back to LOG because there is no ULOG for ip6tables yet Bug 2141911 " ro="False">
|
|
<NAT id="id56353X87590" name="NAT" comment="" ro="False" ipv4_rule_set="False" ipv6_rule_set="False" top_rule_set="True">
|
|
<RuleSetOptions/>
|
|
</NAT>
|
|
<Policy id="id56087X87590" name="Policy" comment="" ro="False" ipv4_rule_set="True" ipv6_rule_set="True" top_rule_set="True">
|
|
<PolicyRule id="id56088X87590" disabled="False" group="" log="False" position="0" action="Accept" direction="Both" comment="This rule shadows the next. Note that we add the command line flag -xt to the compiler">
|
|
<Src neg="False">
|
|
<ObjectRef ref="id4834B9206131"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="id56355X87590"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="tcp-SSH"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="stateless">False</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<PolicyRule id="id56100X87590" disabled="False" group="" log="False" position="1" action="Accept" direction="Both" comment="">
|
|
<Src neg="False">
|
|
<ObjectRef ref="id48416A7216880"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="id56355X87590"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="tcp-SSH"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="stateless">False</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<PolicyRule id="id56112X87590" disabled="False" group="" log="True" position="2" action="Accept" direction="Both" comment="">
|
|
<Src neg="False">
|
|
<ObjectRef ref="id48416A7116880"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="id55972X87590"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="tcp-SSH"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="stateless">False</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<PolicyRule id="id56124X87590" disabled="False" group="" log="True" position="3" action="Accept" direction="Both" comment="">
|
|
<Src neg="False">
|
|
<ObjectRef ref="id4834A2238571"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="id56355X87590"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="tcp-SSH"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="stateless">False</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<PolicyRule id="id56136X87590" disabled="False" group="" log="True" position="4" action="Accept" direction="Both" comment="">
|
|
<Src neg="False">
|
|
<ObjectRef ref="id4834A2278571"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="id56355X87590"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="tcp-SSH"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="stateless">False</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<PolicyRule id="id56148X87590" disabled="False" group="" log="True" position="5" action="Accept" direction="Both" comment="">
|
|
<Src neg="False">
|
|
<ObjectRef ref="id4834A2238571"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="id55972X87590"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="tcp-SSH"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="stateless">False</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<PolicyRule id="id56160X87590" disabled="False" group="" log="True" position="6" action="Accept" direction="Both" comment="">
|
|
<Src neg="False">
|
|
<ObjectRef ref="id4834A2278571"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="id55972X87590"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="tcp-SSH"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="stateless">False</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<PolicyRule id="id56172X87590" disabled="False" group="" log="True" position="7" action="Accept" direction="Inbound" comment="">
|
|
<Src neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="id55972X87590"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="stateless">False</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<PolicyRule id="id62066X3768" disabled="False" group="" log="False" position="8" action="Accept" direction="Both" comment="">
|
|
<Src neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="id42703X3768"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="stateless">False</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<PolicyRule id="id178305X3791" disabled="False" group="" log="False" position="9" action="Accept" direction="Both" comment="">
|
|
<Src neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="id42750X3791"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="stateless">False</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<PolicyRule id="id56184X87590" disabled="False" group="" log="True" position="10" action="Accept" direction="Both" comment="">
|
|
<Src neg="False">
|
|
<ObjectRef ref="id4834B9206131"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="stateless">False</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<PolicyRule id="id56196X87590" disabled="False" group="" log="True" position="11" action="Accept" direction="Both" comment="">
|
|
<Src neg="False">
|
|
<ObjectRef ref="id4834A2238571"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="stateless">False</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<PolicyRule id="id56208X87590" disabled="False" group="" log="True" position="12" action="Accept" direction="Both" comment="">
|
|
<Src neg="False">
|
|
<ObjectRef ref="id4834A2278571"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="stateless">False</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<PolicyRule id="id56220X87590" disabled="False" group="" log="False" position="13" action="Accept" direction="Both" comment="">
|
|
<Src neg="False">
|
|
<ObjectRef ref="id56355X87590"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="icmp-ping_request"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="stateless">False</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<PolicyRule id="id56232X87590" disabled="False" group="" log="False" position="14" action="Accept" direction="Both" comment="">
|
|
<Src neg="False">
|
|
<ObjectRef ref="id56359X87590"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="icmp-ping_request"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="stateless">False</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<PolicyRule id="id56244X87590" disabled="False" group="" log="False" position="15" action="Accept" direction="Both" comment="">
|
|
<Src neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="id3C20EEB5"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="stateless">False</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<PolicyRule id="id56256X87590" disabled="False" group="" log="False" position="16" action="Accept" direction="Both" comment="">
|
|
<Src neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="idCFE27660"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="stateless">False</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<PolicyRule id="id56268X87590" disabled="False" group="" log="False" position="17" action="Accept" direction="Both" comment="">
|
|
<Src neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="icmp-ping_request"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="stateless">False</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<PolicyRule id="id56280X87590" disabled="False" group="" log="False" position="18" action="Accept" direction="Both" comment="">
|
|
<Src neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="ipv6-icmp-ping_request"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="stateless">False</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<PolicyRule id="id56292X87590" disabled="False" group="" log="False" position="19" action="Accept" direction="Both" comment="">
|
|
<Src neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="ipv6-icmp-ping_request"/>
|
|
<ServiceRef ref="icmp-ping_request"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="stateless">False</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<PolicyRule id="id56305X87590" disabled="False" group="" log="False" position="20" action="Accept" direction="Both" comment="INPUT, OUTPUT, FORWARD">
|
|
<Src neg="False">
|
|
<ObjectRef ref="id86936X27543"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="stateless">False</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<PolicyRule id="id56317X87590" disabled="False" group="" log="False" position="21" action="Accept" direction="Both" comment="INPUT, OUTPUT, FORWARD">
|
|
<Src neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="id86936X27543"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="stateless">False</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<PolicyRule id="id56365X87590" disabled="False" group="" log="False" position="22" action="Accept" direction="Outbound" comment="for bug 2047082 ">
|
|
<Src neg="False">
|
|
<ObjectRef ref="id55972X87590"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="stateless">False</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<PolicyRule id="id56329X87590" disabled="False" group="" log="False" position="23" action="Accept" direction="Both" comment="">
|
|
<Src neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="id47CBF5D129252"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="stateless">False</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<PolicyRule id="id56341X87590" disabled="False" group="" log="True" position="24" action="Deny" direction="Both" comment="">
|
|
<Src neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="id30841X361"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="stateless">True</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<PolicyRule id="id56382X87590" disabled="False" group="" log="False" position="25" action="Accept" direction="Both" comment="INPUT, OUTPUT, FORWARD">
|
|
<Src neg="False">
|
|
<ObjectRef ref="id4834B9206131"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="stateless">False</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<PolicyRule id="id56399X87590" disabled="False" group="" log="False" position="26" action="Accept" direction="Both" comment="INPUT, OUTPUT, FORWARD">
|
|
<Src neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="id4834B9206131"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="stateless">False</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<PolicyRule id="id56416X87590" disabled="False" group="" log="False" position="27" action="Accept" direction="Both" comment="">
|
|
<Src neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="id55972X87590"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="idCFE27660"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="stateless">False</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<PolicyRule id="id56433X87590" disabled="False" group="" log="False" position="28" action="Accept" direction="Inbound" comment="">
|
|
<Src neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="id55972X87590"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="idCFE27660"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="stateless">False</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<PolicyRule id="id56450X87590" disabled="False" group="" log="False" position="29" action="Accept" direction="Both" comment="">
|
|
<Src neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="idCFE27660"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="stateless">False</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<PolicyRule id="id56467X87590" disabled="False" group="" log="False" position="30" action="Accept" direction="Outbound" comment="">
|
|
<Src neg="False">
|
|
<ObjectRef ref="id56355X87590"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="stateless">False</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<PolicyRule id="id77330X29621" disabled="False" group="" log="True" position="31" action="Deny" direction="Both" comment="test for bug 2463048 &quot;custom services should have IPv4/v6 setting&quot;: rule should compile for ipv6 because custom service object &quot;ipv6 source route&quot; is configured as &quot;ipv6&quot;">
|
|
<Src neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="id45862X16372"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="stateless">True</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<PolicyRule id="id123850X63637" disabled="False" group="" log="True" position="32" action="Deny" direction="Both" comment="ipv4 address range for bug 2820152">
|
|
<Src neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="id42386X35957"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="stateless">True</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<PolicyRule id="id123867X63637" disabled="False" group="" log="True" position="33" action="Deny" direction="Both" comment="ipv4 address range for bug 2820152">
|
|
<Src neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="id3F6D115C"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="stateless">True</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<PolicyRule id="id111075X88392" disabled="False" group="" log="True" position="34" action="Deny" direction="Both" comment="">
|
|
<Src neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="stateless">True</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<RuleSetOptions/>
|
|
</Policy>
|
|
<Routing id="id56354X87590" name="Routing" comment="" ro="False" ipv4_rule_set="False" ipv6_rule_set="False" top_rule_set="True">
|
|
<RuleSetOptions/>
|
|
</Routing>
|
|
<Interface id="id56355X87590" dedicated_failover="False" dyn="False" label="" mgmt="True" security_level="50" unnum="False" unprotected="False" name="eth0" comment="" ro="False">
|
|
<IPv4 id="id56358X87590" name="firewall-ipv6-2:eth0:ip" comment="" ro="False" address="1.1.1.1" netmask="255.255.255.0"/>
|
|
<IPv6 id="id56359X87590" name="firewall-ipv6-2:eth0:ip6" comment="" ro="False" address="fe80::21d:9ff:fe8b:8e94" netmask="64"/>
|
|
<InterfaceOptions/>
|
|
</Interface>
|
|
<Management address="1.1.1.1">
|
|
<SNMPManagement enabled="False" snmp_read_community="" snmp_write_community=""/>
|
|
<FWBDManagement enabled="False" identity="" port="-1"/>
|
|
<PolicyInstallScript arguments="" command="" enabled="False"/>
|
|
</Management>
|
|
<FirewallOptions>
|
|
<Option name="accept_established">True</Option>
|
|
<Option name="accept_new_tcp_with_no_syn">True</Option>
|
|
<Option name="action_on_reject"/>
|
|
<Option name="activationCmd"/>
|
|
<Option name="add_check_state_rule">true</Option>
|
|
<Option name="add_mgmt_ssh_rule_when_stoped">True</Option>
|
|
<Option name="add_rules_for_ipv6_neighbor_discovery">False</Option>
|
|
<Option name="admUser"/>
|
|
<Option name="altAddress"/>
|
|
<Option name="bridging_fw">False</Option>
|
|
<Option name="check_shading">True</Option>
|
|
<Option name="clamp_mss_to_mtu">False</Option>
|
|
<Option name="classify_mark_terminating">False</Option>
|
|
<Option name="clear_unknown_interfaces">False</Option>
|
|
<Option name="cmdline">-xt</Option>
|
|
<Option name="compiler"/>
|
|
<Option name="configure_bonding_interfaces">False</Option>
|
|
<Option name="configure_bridge_interfaces">False</Option>
|
|
<Option name="configure_interfaces">True</Option>
|
|
<Option name="configure_vlan_interfaces">False</Option>
|
|
<Option name="debug">False</Option>
|
|
<Option name="drop_invalid">True</Option>
|
|
<Option name="eliminate_duplicates">true</Option>
|
|
<Option name="enable_ipv6">True</Option>
|
|
<Option name="epilog_script"/>
|
|
<Option name="firewall_dir">/etc</Option>
|
|
<Option name="firewall_is_part_of_any_and_networks">True</Option>
|
|
<Option name="freebsd_ip_forward">1</Option>
|
|
<Option name="ignore_empty_groups">False</Option>
|
|
<Option name="in_out_code">true</Option>
|
|
<Option name="iosacl_add_clear_statements">true</Option>
|
|
<Option name="iosacl_assume_fw_part_of_any">true</Option>
|
|
<Option name="iosacl_include_comments">true</Option>
|
|
<Option name="ipt_mangle_only_rulesets"/>
|
|
<Option name="ipv4_6_order">ipv4_first</Option>
|
|
<Option name="limit_suffix"/>
|
|
<Option name="limit_value">0</Option>
|
|
<Option name="linux24_accept_redirects"/>
|
|
<Option name="linux24_accept_source_route"/>
|
|
<Option name="linux24_icmp_echo_ignore_all"/>
|
|
<Option name="linux24_icmp_echo_ignore_broadcasts"/>
|
|
<Option name="linux24_icmp_ignore_bogus_error_responses"/>
|
|
<Option name="linux24_ip_dynaddr"/>
|
|
<Option name="linux24_ip_forward">1</Option>
|
|
<Option name="linux24_ipv6_forward">1</Option>
|
|
<Option name="linux24_log_martians"/>
|
|
<Option name="linux24_path_ip"/>
|
|
<Option name="linux24_path_ip6tables"/>
|
|
<Option name="linux24_path_ip6tables_restore"/>
|
|
<Option name="linux24_path_iptables"/>
|
|
<Option name="linux24_path_iptables_restore"/>
|
|
<Option name="linux24_path_logger"/>
|
|
<Option name="linux24_path_lsmod"/>
|
|
<Option name="linux24_path_modprobe"/>
|
|
<Option name="linux24_rp_filter"/>
|
|
<Option name="linux24_tcp_ecn"/>
|
|
<Option name="linux24_tcp_fack"/>
|
|
<Option name="linux24_tcp_fin_timeout">0</Option>
|
|
<Option name="linux24_tcp_keepalive_interval">0</Option>
|
|
<Option name="linux24_tcp_sack"/>
|
|
<Option name="linux24_tcp_syncookies"/>
|
|
<Option name="linux24_tcp_timestamps"/>
|
|
<Option name="linux24_tcp_window_scaling"/>
|
|
<Option name="load_modules">True</Option>
|
|
<Option name="local_nat">False</Option>
|
|
<Option name="log_all">False</Option>
|
|
<Option name="log_invalid">True</Option>
|
|
<Option name="log_ip_opt">False</Option>
|
|
<Option name="log_level">info</Option>
|
|
<Option name="log_prefix">RULE %N -- %A </Option>
|
|
<Option name="log_tcp_opt">False</Option>
|
|
<Option name="log_tcp_seq">False</Option>
|
|
<Option name="loopback_interface">lo0</Option>
|
|
<Option name="macosx_ip_forward">1</Option>
|
|
<Option name="manage_virtual_addr">True</Option>
|
|
<Option name="mgmt_addr">1.1.1.2</Option>
|
|
<Option name="mgmt_ssh">True</Option>
|
|
<Option name="no_ipv6_default_policy">False</Option>
|
|
<Option name="openbsd_ip_forward">1</Option>
|
|
<Option name="output_file"/>
|
|
<Option name="pass_all_out">false</Option>
|
|
<Option name="pf_limit_frags">5000</Option>
|
|
<Option name="pf_limit_states">10000</Option>
|
|
<Option name="pf_scrub_maxmss">1460</Option>
|
|
<Option name="pf_timeout_frag">30</Option>
|
|
<Option name="pf_timeout_interval">10</Option>
|
|
<Option name="pix_add_clear_statements">true</Option>
|
|
<Option name="pix_assume_fw_part_of_any">true</Option>
|
|
<Option name="pix_default_logint">300</Option>
|
|
<Option name="pix_emblem_log_format">false</Option>
|
|
<Option name="pix_emulate_out_acl">true</Option>
|
|
<Option name="pix_floodguard">true</Option>
|
|
<Option name="pix_include_comments">true</Option>
|
|
<Option name="pix_route_dnat_supported">true</Option>
|
|
<Option name="pix_rule_syslog_settings">false</Option>
|
|
<Option name="pix_security_fragguard_supported">true</Option>
|
|
<Option name="pix_syslog_device_id_supported">false</Option>
|
|
<Option name="pix_use_acl_remarks">true</Option>
|
|
<Option name="prolog_place">top</Option>
|
|
<Option name="prolog_script"/>
|
|
<Option name="prompt1">$ </Option>
|
|
<Option name="prompt2"> # </Option>
|
|
<Option name="scpArgs"/>
|
|
<Option name="script_name_on_firewall"/>
|
|
<Option name="solaris_ip_forward">1</Option>
|
|
<Option name="sshArgs"/>
|
|
<Option name="ulog_cprange">0</Option>
|
|
<Option name="ulog_nlgroup">1</Option>
|
|
<Option name="ulog_qthreshold">1</Option>
|
|
<Option name="use_ULOG">True</Option>
|
|
<Option name="use_iptables_restore">False</Option>
|
|
<Option name="use_m_set">False</Option>
|
|
<Option name="use_numeric_log_levels">False</Option>
|
|
<Option name="verify_interfaces">True</Option>
|
|
</FirewallOptions>
|
|
</Firewall>
|
|
<Firewall id="id39576X8300" host_OS="linux24" inactive="False" lastCompiled="1280268026" lastInstalled="0" lastModified="1247356177" platform="iptables" version="" name="firewall-ipv6-3" comment="Simple policy that makes sense in ipv4 but translates into a few wide-matching rules in ipv6. Policy is configured as dual address family" ro="False">
|
|
<NAT id="id39944X8300" name="NAT" comment="" ro="False" ipv4_rule_set="True" ipv6_rule_set="True" top_rule_set="True">
|
|
<NATRule id="id39859X15057" disabled="False" group="" position="0" action="Translate" comment="">
|
|
<OSrc neg="False">
|
|
<ObjectRef ref="id86936X27543"/>
|
|
<ObjectRef ref="id4834B9206131"/>
|
|
</OSrc>
|
|
<ODst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ODst>
|
|
<OSrv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</OSrv>
|
|
<TSrc neg="False">
|
|
<ObjectRef ref="id39576X8300"/>
|
|
</TSrc>
|
|
<TDst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</TDst>
|
|
<TSrv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</TSrv>
|
|
<ItfInb neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ItfInb>
|
|
<ItfOutb neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ItfOutb>
|
|
<NATRuleOptions/>
|
|
</NATRule>
|
|
<RuleSetOptions/>
|
|
</NAT>
|
|
<Policy id="id39582X8300" name="fw-ipv6-3" comment="" ro="False" ipv4_rule_set="True" ipv6_rule_set="True" top_rule_set="True">
|
|
<PolicyRule id="id39667X8300" disabled="False" group="" log="True" position="0" action="Accept" direction="Inbound" comment="">
|
|
<Src neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="id39576X8300"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="stateless">False</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<PolicyRule id="id39715X8300" disabled="False" group="" log="False" position="1" action="Accept" direction="Both" comment="">
|
|
<Src neg="False">
|
|
<ObjectRef ref="id39946X8300"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="icmp-ping_request"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="stateless">False</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<PolicyRule id="id39739X8300" disabled="False" group="" log="False" position="2" action="Accept" direction="Both" comment="">
|
|
<Src neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="id3C20EEB5"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="stateless">False</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<PolicyRule id="id39763X8300" disabled="False" group="" log="False" position="3" action="Accept" direction="Both" comment="">
|
|
<Src neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="icmp-ping_request"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="stateless">False</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<PolicyRule id="id39800X8300" disabled="False" group="" log="False" position="4" action="Accept" direction="Both" comment="INPUT, OUTPUT, FORWARD">
|
|
<Src neg="False">
|
|
<ObjectRef ref="id86936X27543"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="stateless">False</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<PolicyRule id="id39812X8300" disabled="False" group="" log="False" position="5" action="Accept" direction="Both" comment="INPUT, OUTPUT, FORWARD">
|
|
<Src neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="id86936X27543"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="stateless">False</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<PolicyRule id="id39824X8300" disabled="False" group="" log="False" position="6" action="Accept" direction="Outbound" comment="for bug 2047082 ">
|
|
<Src neg="False">
|
|
<ObjectRef ref="id39576X8300"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="stateless">False</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<PolicyRule id="id39836X8300" disabled="False" group="" log="False" position="7" action="Accept" direction="Both" comment="">
|
|
<Src neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="id47CBF5D129252"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="stateless">False</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<PolicyRule id="id39848X8300" disabled="False" group="" log="True" position="8" action="Deny" direction="Both" comment="">
|
|
<Src neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="id30841X361"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="stateless">True</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<PolicyRule id="id223872X63637" disabled="False" group="" log="True" position="9" action="Deny" direction="Both" comment="ipv4 address range for bug 2820152">
|
|
<Src neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="id42386X35957"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="stateless">True</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<PolicyRule id="id223889X63637" disabled="False" group="" log="True" position="10" action="Deny" direction="Both" comment="ipv4 address range for bug 2820152 ">
|
|
<Src neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="id3F6D115C"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="stateless">True</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<PolicyRule id="id39932X8300" disabled="False" group="" log="True" position="11" action="Deny" direction="Both" comment="">
|
|
<Src neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="stateless">True</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<RuleSetOptions/>
|
|
</Policy>
|
|
<Routing id="id39945X8300" name="Routing" comment="" ro="False" ipv4_rule_set="False" ipv6_rule_set="False" top_rule_set="True">
|
|
<RuleSetOptions/>
|
|
</Routing>
|
|
<Interface id="id39946X8300" dedicated_failover="False" dyn="False" label="" security_level="50" unnum="False" unprotected="False" name="eth0" comment="" ro="False">
|
|
<IPv4 id="id39949X8300" name="firewall-ipv6-3:eth0:ip" comment="" ro="False" address="1.1.1.1" netmask="255.255.255.0"/>
|
|
<IPv6 id="id39950X8300" name="firewall-ipv6-3:eth0:ip6" comment="" ro="False" address="fe80::21d:9ff:fe8b:8e94" netmask="64"/>
|
|
<InterfaceOptions/>
|
|
</Interface>
|
|
<Interface id="id94008X15057" dedicated_failover="False" dyn="False" label="" mgmt="False" security_level="0" unnum="False" unprotected="False" name="eth1" comment="" ro="False">
|
|
<IPv4 id="id78498X6647" name="firewall-ipv6-3:eth1:ip" comment="" ro="False" address="22.22.22.22" netmask="255.255.255.0"/>
|
|
<InterfaceOptions/>
|
|
</Interface>
|
|
<Management address="1.1.1.1">
|
|
<SNMPManagement enabled="False" snmp_read_community="" snmp_write_community=""/>
|
|
<FWBDManagement enabled="False" identity="" port="-1"/>
|
|
<PolicyInstallScript arguments="" command="" enabled="False"/>
|
|
</Management>
|
|
<FirewallOptions>
|
|
<Option name="accept_established">True</Option>
|
|
<Option name="accept_new_tcp_with_no_syn">True</Option>
|
|
<Option name="action_on_reject"/>
|
|
<Option name="activationCmd"/>
|
|
<Option name="add_check_state_rule">true</Option>
|
|
<Option name="admUser"/>
|
|
<Option name="altAddress"/>
|
|
<Option name="bridging_fw">False</Option>
|
|
<Option name="check_shading">True</Option>
|
|
<Option name="clamp_mss_to_mtu">False</Option>
|
|
<Option name="classify_mark_terminating">False</Option>
|
|
<Option name="cmdline">-xt</Option>
|
|
<Option name="compiler"/>
|
|
<Option name="configure_interfaces">True</Option>
|
|
<Option name="debug">False</Option>
|
|
<Option name="drop_invalid">True</Option>
|
|
<Option name="eliminate_duplicates">true</Option>
|
|
<Option name="enable_ipv6">True</Option>
|
|
<Option name="epilog_script"/>
|
|
<Option name="firewall_dir">/etc</Option>
|
|
<Option name="firewall_is_part_of_any_and_networks">True</Option>
|
|
<Option name="freebsd_ip_forward">1</Option>
|
|
<Option name="ignore_empty_groups">False</Option>
|
|
<Option name="in_out_code">true</Option>
|
|
<Option name="iosacl_add_clear_statements">true</Option>
|
|
<Option name="iosacl_assume_fw_part_of_any">true</Option>
|
|
<Option name="iosacl_include_comments">true</Option>
|
|
<Option name="ipt_mangle_only_rulesets"/>
|
|
<Option name="ipv4_6_order">ipv4_first</Option>
|
|
<Option name="limit_suffix"/>
|
|
<Option name="limit_value">0</Option>
|
|
<Option name="linux24_accept_redirects"/>
|
|
<Option name="linux24_accept_source_route"/>
|
|
<Option name="linux24_icmp_echo_ignore_all"/>
|
|
<Option name="linux24_icmp_echo_ignore_broadcasts"/>
|
|
<Option name="linux24_icmp_ignore_bogus_error_responses"/>
|
|
<Option name="linux24_ip_dynaddr"/>
|
|
<Option name="linux24_ip_forward">1</Option>
|
|
<Option name="linux24_ipv6_forward">1</Option>
|
|
<Option name="linux24_log_martians"/>
|
|
<Option name="linux24_path_ip"/>
|
|
<Option name="linux24_path_ip6tables"/>
|
|
<Option name="linux24_path_ip6tables_restore"/>
|
|
<Option name="linux24_path_iptables"/>
|
|
<Option name="linux24_path_iptables_restore"/>
|
|
<Option name="linux24_path_logger"/>
|
|
<Option name="linux24_path_lsmod"/>
|
|
<Option name="linux24_path_modprobe"/>
|
|
<Option name="linux24_rp_filter"/>
|
|
<Option name="linux24_tcp_ecn"/>
|
|
<Option name="linux24_tcp_fack"/>
|
|
<Option name="linux24_tcp_fin_timeout">0</Option>
|
|
<Option name="linux24_tcp_keepalive_interval">0</Option>
|
|
<Option name="linux24_tcp_sack"/>
|
|
<Option name="linux24_tcp_syncookies"/>
|
|
<Option name="linux24_tcp_timestamps"/>
|
|
<Option name="linux24_tcp_window_scaling"/>
|
|
<Option name="load_modules">True</Option>
|
|
<Option name="local_nat">False</Option>
|
|
<Option name="log_all">False</Option>
|
|
<Option name="log_invalid">True</Option>
|
|
<Option name="log_ip_opt">False</Option>
|
|
<Option name="log_level">info</Option>
|
|
<Option name="log_prefix">RULE %N -- %A </Option>
|
|
<Option name="log_tcp_opt">False</Option>
|
|
<Option name="log_tcp_seq">False</Option>
|
|
<Option name="loopback_interface">lo0</Option>
|
|
<Option name="macosx_ip_forward">1</Option>
|
|
<Option name="manage_virtual_addr">True</Option>
|
|
<Option name="mgmt_addr"/>
|
|
<Option name="mgmt_ssh">False</Option>
|
|
<Option name="no_ipv6_default_policy">False</Option>
|
|
<Option name="openbsd_ip_forward">1</Option>
|
|
<Option name="output_file"/>
|
|
<Option name="pass_all_out">false</Option>
|
|
<Option name="pf_limit_frags">5000</Option>
|
|
<Option name="pf_limit_states">10000</Option>
|
|
<Option name="pf_scrub_maxmss">1460</Option>
|
|
<Option name="pf_timeout_frag">30</Option>
|
|
<Option name="pf_timeout_interval">10</Option>
|
|
<Option name="pix_add_clear_statements">true</Option>
|
|
<Option name="pix_assume_fw_part_of_any">true</Option>
|
|
<Option name="pix_default_logint">300</Option>
|
|
<Option name="pix_emblem_log_format">false</Option>
|
|
<Option name="pix_emulate_out_acl">true</Option>
|
|
<Option name="pix_floodguard">true</Option>
|
|
<Option name="pix_include_comments">true</Option>
|
|
<Option name="pix_route_dnat_supported">true</Option>
|
|
<Option name="pix_rule_syslog_settings">false</Option>
|
|
<Option name="pix_security_fragguard_supported">true</Option>
|
|
<Option name="pix_syslog_device_id_supported">false</Option>
|
|
<Option name="pix_use_acl_remarks">true</Option>
|
|
<Option name="prolog_place">top</Option>
|
|
<Option name="prolog_script"/>
|
|
<Option name="prompt1">$ </Option>
|
|
<Option name="prompt2"> # </Option>
|
|
<Option name="solaris_ip_forward">1</Option>
|
|
<Option name="sshArgs"/>
|
|
<Option name="ulog_cprange">0</Option>
|
|
<Option name="ulog_nlgroup">1</Option>
|
|
<Option name="ulog_qthreshold">1</Option>
|
|
<Option name="use_ULOG">True</Option>
|
|
<Option name="use_iptables_restore">False</Option>
|
|
<Option name="use_numeric_log_levels">False</Option>
|
|
<Option name="verify_interfaces">True</Option>
|
|
</FirewallOptions>
|
|
</Firewall>
|
|
<Firewall id="id77991X59595" host_OS="linux24" inactive="False" lastCompiled="1272404553" lastInstalled="0" lastModified="1266606464" platform="iptables" version="" name="firewall70" comment="this firewall translates outgoing connections using the address of the particular interface (not the external one). Also testing different combinations of objects in the policy rules on the loopback interface. Finally, testing for a situation when a dynamic interface &quot;shades&quot; a rule with an old broadcast. Also, the name of the script on the firewall is different" ro="False">
|
|
<NAT id="id78058X59595" name="NAT" comment="" ro="False" ipv4_rule_set="False" ipv6_rule_set="False" top_rule_set="True">
|
|
<RuleSetOptions/>
|
|
</NAT>
|
|
<Policy id="id77997X59595" name="Policy" comment="" ro="False" ipv4_rule_set="False" ipv6_rule_set="False" top_rule_set="True">
|
|
<RuleSetOptions/>
|
|
</Policy>
|
|
<Policy id="id78176X59595" name="very_long_ruleset_name_should_be_gt_30_chars" comment="testing for bug #2507239: iptables does not allow chain names >30 chars " ro="False" ipv4_rule_set="True" ipv6_rule_set="False" top_rule_set="False">
|
|
<PolicyRule id="id96844X59595" disabled="False" group="" log="True" position="0" action="Deny" direction="Both" comment="">
|
|
<Src neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="stateless">True</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<RuleSetOptions/>
|
|
</Policy>
|
|
<Policy id="id190154X59595" name="not_quite_long_ruleset_name" comment="this ruleset name is under 30 chars, but the automatically generated chain names become too long" ro="False" ipv4_rule_set="True" ipv6_rule_set="False" top_rule_set="False">
|
|
<PolicyRule id="id208737X59595" disabled="False" group="" log="True" position="0" action="Deny" direction="Both" comment="">
|
|
<Src neg="False">
|
|
<ObjectRef ref="id3B665643"/>
|
|
<ObjectRef ref="id3B665641"/>
|
|
</Src>
|
|
<Dst neg="True">
|
|
<ObjectRef ref="id77991X59595"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="stateless">True</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<RuleSetOptions/>
|
|
</Policy>
|
|
<Routing id="id78157X59595" name="Routing" comment="" ro="False" ipv4_rule_set="False" ipv6_rule_set="False" top_rule_set="True">
|
|
<RuleSetOptions/>
|
|
</Routing>
|
|
<Interface id="id78161X59595" dedicated_failover="False" dyn="False" label="" security_level="33" unnum="False" unprotected="False" name="eth0" comment="" ro="False">
|
|
<IPv4 id="id78163X59595" name="firewall70:eth0:ip" comment="" ro="False" address="192.168.1.1" netmask="255.255.255.0"/>
|
|
<InterfaceOptions/>
|
|
</Interface>
|
|
<Interface id="id78164X59595" dedicated_failover="False" dyn="False" label="" mgmt="False" security_level="0" unnum="False" unprotected="False" name="eth1" comment="" ro="False">
|
|
<IPv4 id="id78166X59595" name="firewall70:eth1:ip" comment="" ro="False" address="66.66.66.130" netmask="255.255.255.128"/>
|
|
<InterfaceOptions/>
|
|
</Interface>
|
|
<Interface id="id78167X59595" dedicated_failover="False" dyn="False" label="" security_level="99" unnum="False" unprotected="False" name="lo" comment="" ro="False">
|
|
<IPv4 id="id78169X59595" name="firewall70:lo:ip" comment="" ro="False" address="127.0.0.1" netmask="255.0.0.0"/>
|
|
<InterfaceOptions/>
|
|
</Interface>
|
|
<Management address="0.0.0.0">
|
|
<SNMPManagement enabled="False" snmp_read_community="public" snmp_write_community=""/>
|
|
<FWBDManagement enabled="True" identity="" port="9999"/>
|
|
<PolicyInstallScript arguments="" command="" enabled="False"/>
|
|
</Management>
|
|
<FirewallOptions>
|
|
<Option name="accept_established">True</Option>
|
|
<Option name="accept_new_tcp_with_no_syn">True</Option>
|
|
<Option name="action_on_reject">ICMP host prohibited</Option>
|
|
<Option name="activationCmd"/>
|
|
<Option name="add_mgmt_ssh_rule_when_stoped">False</Option>
|
|
<Option name="add_rules_for_ipv6_neighbor_discovery">False</Option>
|
|
<Option name="admUser"/>
|
|
<Option name="altAddress"/>
|
|
<Option name="bridging_fw">False</Option>
|
|
<Option name="check_shading">True</Option>
|
|
<Option name="clamp_mss_to_mtu">False</Option>
|
|
<Option name="classify_mark_terminating">False</Option>
|
|
<Option name="clear_unknown_interfaces">False</Option>
|
|
<Option name="cmdline">-xt</Option>
|
|
<Option name="compiler"/>
|
|
<Option name="configure_bonding_interfaces">False</Option>
|
|
<Option name="configure_bridge_interfaces">False</Option>
|
|
<Option name="configure_interfaces">True</Option>
|
|
<Option name="configure_vlan_interfaces">False</Option>
|
|
<Option name="debug">False</Option>
|
|
<Option name="drop_invalid">False</Option>
|
|
<Option name="epilog_script"/>
|
|
<Option name="firewall_dir"/>
|
|
<Option name="firewall_is_part_of_any_and_networks">True</Option>
|
|
<Option name="ignore_empty_groups">False</Option>
|
|
<Option name="ipt_mangle_only_rulesets"/>
|
|
<Option name="ipv4_6_order">ipv4_first</Option>
|
|
<Option name="limit_suffix"/>
|
|
<Option name="limit_value">0</Option>
|
|
<Option name="linux24_accept_redirects"/>
|
|
<Option name="linux24_accept_source_route"/>
|
|
<Option name="linux24_icmp_echo_ignore_all"/>
|
|
<Option name="linux24_icmp_echo_ignore_broadcasts"/>
|
|
<Option name="linux24_icmp_ignore_bogus_error_responses"/>
|
|
<Option name="linux24_ip_dynaddr"/>
|
|
<Option name="linux24_ip_forward">1</Option>
|
|
<Option name="linux24_log_martians"/>
|
|
<Option name="linux24_path_ip"/>
|
|
<Option name="linux24_path_iptables"/>
|
|
<Option name="linux24_path_logger"/>
|
|
<Option name="linux24_path_lsmod"/>
|
|
<Option name="linux24_path_modprobe"/>
|
|
<Option name="linux24_rp_filter"/>
|
|
<Option name="linux24_tcp_ecn"/>
|
|
<Option name="linux24_tcp_fack"/>
|
|
<Option name="linux24_tcp_fin_timeout">30</Option>
|
|
<Option name="linux24_tcp_keepalive_interval">1800</Option>
|
|
<Option name="linux24_tcp_sack"/>
|
|
<Option name="linux24_tcp_syncookies"/>
|
|
<Option name="linux24_tcp_timestamps"/>
|
|
<Option name="linux24_tcp_window_scaling"/>
|
|
<Option name="load_modules">True</Option>
|
|
<Option name="local_nat">False</Option>
|
|
<Option name="log_all">False</Option>
|
|
<Option name="log_all_dropped">False</Option>
|
|
<Option name="log_invalid">False</Option>
|
|
<Option name="log_ip_opt">False</Option>
|
|
<Option name="log_level">info</Option>
|
|
<Option name="log_prefix">RULE %N -- %A </Option>
|
|
<Option name="log_tcp_opt">False</Option>
|
|
<Option name="log_tcp_seq">False</Option>
|
|
<Option name="loopback_interface">lo</Option>
|
|
<Option name="manage_virtual_addr">True</Option>
|
|
<Option name="mgmt_addr"/>
|
|
<Option name="mgmt_ssh">False</Option>
|
|
<Option name="output_file"/>
|
|
<Option name="prolog_place">top</Option>
|
|
<Option name="prolog_script"/>
|
|
<Option name="scpArgs"/>
|
|
<Option name="script_name_on_firewall">iptables.sh</Option>
|
|
<Option name="snmp_contact"/>
|
|
<Option name="snmp_description"/>
|
|
<Option name="snmp_location"/>
|
|
<Option name="sshArgs"/>
|
|
<Option name="ulog_cprange">0</Option>
|
|
<Option name="ulog_nlgroup">1</Option>
|
|
<Option name="ulog_qthreshold">1</Option>
|
|
<Option name="use_ULOG">False</Option>
|
|
<Option name="use_iptables_restore">False</Option>
|
|
<Option name="use_numeric_log_levels">False</Option>
|
|
<Option name="verify_interfaces">True</Option>
|
|
</FirewallOptions>
|
|
</Firewall>
|
|
<Firewall id="id41068X54933" host_OS="linux24" inactive="False" lastCompiled="1272404197" lastInstalled="0" lastModified="1247356287" platform="iptables" version="" name="firewall-ipv6-4" comment="Simple policy that makes sense in ipv4 but translates into a few wide-matching rules in ipv6. Policy is configured as dual address family. Using iptables-restore." ro="False">
|
|
<NAT id="id41195X54933" name="NAT" comment="" ro="False" ipv4_rule_set="True" ipv6_rule_set="True" top_rule_set="True">
|
|
<NATRule id="id41196X54933" disabled="False" group="" position="0" action="Translate" comment="">
|
|
<OSrc neg="False">
|
|
<ObjectRef ref="id86936X27543"/>
|
|
<ObjectRef ref="id4834B9206131"/>
|
|
</OSrc>
|
|
<ODst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ODst>
|
|
<OSrv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</OSrv>
|
|
<TSrc neg="False">
|
|
<ObjectRef ref="id41068X54933"/>
|
|
</TSrc>
|
|
<TDst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</TDst>
|
|
<TSrv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</TSrv>
|
|
<ItfInb neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ItfInb>
|
|
<ItfOutb neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ItfOutb>
|
|
<NATRuleOptions/>
|
|
</NATRule>
|
|
<RuleSetOptions/>
|
|
</NAT>
|
|
<Policy id="id41074X54933" name="Policy" comment="" ro="False" ipv4_rule_set="True" ipv6_rule_set="True" top_rule_set="True">
|
|
<PolicyRule id="id41075X54933" disabled="False" group="" log="True" position="0" action="Accept" direction="Inbound" comment="">
|
|
<Src neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="id41068X54933"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="stateless">False</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<PolicyRule id="id41087X54933" disabled="False" group="" log="False" position="1" action="Accept" direction="Both" comment="">
|
|
<Src neg="False">
|
|
<ObjectRef ref="id41212X54933"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="icmp-ping_request"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="stateless">False</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<PolicyRule id="id41099X54933" disabled="False" group="" log="False" position="2" action="Accept" direction="Both" comment="">
|
|
<Src neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="id3C20EEB5"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="stateless">False</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<PolicyRule id="id41111X54933" disabled="False" group="" log="False" position="3" action="Accept" direction="Both" comment="">
|
|
<Src neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="icmp-ping_request"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="stateless">False</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<PolicyRule id="id41123X54933" disabled="False" group="" log="False" position="4" action="Accept" direction="Both" comment="INPUT, OUTPUT, FORWARD">
|
|
<Src neg="False">
|
|
<ObjectRef ref="id86936X27543"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="stateless">False</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<PolicyRule id="id41135X54933" disabled="False" group="" log="False" position="5" action="Accept" direction="Both" comment="INPUT, OUTPUT, FORWARD">
|
|
<Src neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="id86936X27543"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="stateless">False</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<PolicyRule id="id41147X54933" disabled="False" group="" log="False" position="6" action="Accept" direction="Outbound" comment="for bug 2047082 ">
|
|
<Src neg="False">
|
|
<ObjectRef ref="id41068X54933"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="stateless">False</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<PolicyRule id="id41159X54933" disabled="False" group="" log="False" position="7" action="Accept" direction="Both" comment="">
|
|
<Src neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="id47CBF5D129252"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="stateless">False</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<PolicyRule id="id41171X54933" disabled="False" group="" log="True" position="8" action="Deny" direction="Both" comment="">
|
|
<Src neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="id30841X361"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="stateless">True</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<PolicyRule id="id203828X63637" disabled="False" group="" log="False" position="9" action="Accept" direction="Both" comment="ipv4 address range for bug 2820152">
|
|
<Src neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="id42386X35957"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="stateless">False</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<PolicyRule id="id203845X63637" disabled="False" group="" log="False" position="10" action="Accept" direction="Both" comment="ipv4 address range for bug 2820152 ">
|
|
<Src neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="id3F6D115C"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="stateless">False</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<PolicyRule id="id41183X54933" disabled="False" group="" log="True" position="11" action="Deny" direction="Both" comment="">
|
|
<Src neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="stateless">True</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<RuleSetOptions/>
|
|
</Policy>
|
|
<Routing id="id41211X54933" name="Routing" comment="" ro="False" ipv4_rule_set="False" ipv6_rule_set="False" top_rule_set="True">
|
|
<RuleSetOptions/>
|
|
</Routing>
|
|
<Interface id="id41212X54933" dedicated_failover="False" dyn="False" label="" security_level="50" unnum="False" unprotected="False" name="eth0" comment="" ro="False">
|
|
<IPv4 id="id41215X54933" name="firewall-ipv6-4:eth0:ip" comment="" ro="False" address="1.1.1.1" netmask="255.255.255.0"/>
|
|
<IPv6 id="id41216X54933" name="firewall-ipv6-4:eth0:ip6" comment="" ro="False" address="fe80::21d:9ff:fe8b:8e94" netmask="64"/>
|
|
<InterfaceOptions/>
|
|
</Interface>
|
|
<Interface id="id41217X54933" dedicated_failover="False" dyn="True" label="" mgmt="False" security_level="0" unnum="False" unprotected="False" name="eth1" comment="" ro="False">
|
|
<InterfaceOptions/>
|
|
</Interface>
|
|
<Management address="1.1.1.1">
|
|
<SNMPManagement enabled="False" snmp_read_community="" snmp_write_community=""/>
|
|
<FWBDManagement enabled="False" identity="" port="-1"/>
|
|
<PolicyInstallScript arguments="" command="" enabled="False"/>
|
|
</Management>
|
|
<FirewallOptions>
|
|
<Option name="accept_established">True</Option>
|
|
<Option name="accept_new_tcp_with_no_syn">True</Option>
|
|
<Option name="action_on_reject"/>
|
|
<Option name="activationCmd"/>
|
|
<Option name="add_check_state_rule">true</Option>
|
|
<Option name="admUser"/>
|
|
<Option name="altAddress"/>
|
|
<Option name="bridging_fw">False</Option>
|
|
<Option name="check_shading">True</Option>
|
|
<Option name="clamp_mss_to_mtu">False</Option>
|
|
<Option name="classify_mark_terminating">False</Option>
|
|
<Option name="cmdline">-xt</Option>
|
|
<Option name="compiler"/>
|
|
<Option name="configure_interfaces">True</Option>
|
|
<Option name="debug">False</Option>
|
|
<Option name="drop_invalid">True</Option>
|
|
<Option name="eliminate_duplicates">true</Option>
|
|
<Option name="enable_ipv6">True</Option>
|
|
<Option name="epilog_script"/>
|
|
<Option name="firewall_dir">/etc</Option>
|
|
<Option name="firewall_is_part_of_any_and_networks">True</Option>
|
|
<Option name="freebsd_ip_forward">1</Option>
|
|
<Option name="ignore_empty_groups">False</Option>
|
|
<Option name="in_out_code">true</Option>
|
|
<Option name="iosacl_add_clear_statements">true</Option>
|
|
<Option name="iosacl_assume_fw_part_of_any">true</Option>
|
|
<Option name="iosacl_include_comments">true</Option>
|
|
<Option name="ipt_mangle_only_rulesets"/>
|
|
<Option name="ipv4_6_order">ipv4_first</Option>
|
|
<Option name="limit_suffix"/>
|
|
<Option name="limit_value">0</Option>
|
|
<Option name="linux24_accept_redirects"/>
|
|
<Option name="linux24_accept_source_route"/>
|
|
<Option name="linux24_icmp_echo_ignore_all"/>
|
|
<Option name="linux24_icmp_echo_ignore_broadcasts"/>
|
|
<Option name="linux24_icmp_ignore_bogus_error_responses"/>
|
|
<Option name="linux24_ip_dynaddr"/>
|
|
<Option name="linux24_ip_forward">1</Option>
|
|
<Option name="linux24_ipv6_forward">1</Option>
|
|
<Option name="linux24_log_martians"/>
|
|
<Option name="linux24_path_ip"/>
|
|
<Option name="linux24_path_ip6tables"/>
|
|
<Option name="linux24_path_ip6tables_restore"/>
|
|
<Option name="linux24_path_iptables"/>
|
|
<Option name="linux24_path_iptables_restore"/>
|
|
<Option name="linux24_path_logger"/>
|
|
<Option name="linux24_path_lsmod"/>
|
|
<Option name="linux24_path_modprobe"/>
|
|
<Option name="linux24_rp_filter"/>
|
|
<Option name="linux24_tcp_ecn"/>
|
|
<Option name="linux24_tcp_fack"/>
|
|
<Option name="linux24_tcp_fin_timeout">0</Option>
|
|
<Option name="linux24_tcp_keepalive_interval">0</Option>
|
|
<Option name="linux24_tcp_sack"/>
|
|
<Option name="linux24_tcp_syncookies"/>
|
|
<Option name="linux24_tcp_timestamps"/>
|
|
<Option name="linux24_tcp_window_scaling"/>
|
|
<Option name="load_modules">True</Option>
|
|
<Option name="local_nat">False</Option>
|
|
<Option name="log_all">False</Option>
|
|
<Option name="log_invalid">True</Option>
|
|
<Option name="log_ip_opt">False</Option>
|
|
<Option name="log_level">info</Option>
|
|
<Option name="log_prefix">RULE %N -- %A </Option>
|
|
<Option name="log_tcp_opt">False</Option>
|
|
<Option name="log_tcp_seq">False</Option>
|
|
<Option name="loopback_interface">lo0</Option>
|
|
<Option name="macosx_ip_forward">1</Option>
|
|
<Option name="manage_virtual_addr">True</Option>
|
|
<Option name="mgmt_addr"/>
|
|
<Option name="mgmt_ssh">False</Option>
|
|
<Option name="no_ipv6_default_policy">False</Option>
|
|
<Option name="openbsd_ip_forward">1</Option>
|
|
<Option name="output_file"/>
|
|
<Option name="pass_all_out">false</Option>
|
|
<Option name="pf_limit_frags">5000</Option>
|
|
<Option name="pf_limit_states">10000</Option>
|
|
<Option name="pf_scrub_maxmss">1460</Option>
|
|
<Option name="pf_timeout_frag">30</Option>
|
|
<Option name="pf_timeout_interval">10</Option>
|
|
<Option name="pix_add_clear_statements">true</Option>
|
|
<Option name="pix_assume_fw_part_of_any">true</Option>
|
|
<Option name="pix_default_logint">300</Option>
|
|
<Option name="pix_emblem_log_format">false</Option>
|
|
<Option name="pix_emulate_out_acl">true</Option>
|
|
<Option name="pix_floodguard">true</Option>
|
|
<Option name="pix_include_comments">true</Option>
|
|
<Option name="pix_route_dnat_supported">true</Option>
|
|
<Option name="pix_rule_syslog_settings">false</Option>
|
|
<Option name="pix_security_fragguard_supported">true</Option>
|
|
<Option name="pix_syslog_device_id_supported">false</Option>
|
|
<Option name="pix_use_acl_remarks">true</Option>
|
|
<Option name="prolog_place">top</Option>
|
|
<Option name="prolog_script"/>
|
|
<Option name="prompt1">$ </Option>
|
|
<Option name="prompt2"> # </Option>
|
|
<Option name="scpArgs"/>
|
|
<Option name="solaris_ip_forward">1</Option>
|
|
<Option name="sshArgs"/>
|
|
<Option name="ulog_cprange">0</Option>
|
|
<Option name="ulog_nlgroup">1</Option>
|
|
<Option name="ulog_qthreshold">1</Option>
|
|
<Option name="use_ULOG">True</Option>
|
|
<Option name="use_iptables_restore">True</Option>
|
|
<Option name="use_numeric_log_levels">False</Option>
|
|
<Option name="verify_interfaces">True</Option>
|
|
</FirewallOptions>
|
|
</Firewall>
|
|
<Firewall id="id41068X6647" host_OS="linux24" inactive="False" lastCompiled="1272404284" lastInstalled="0" lastModified="1233079338" platform="iptables" version="" name="firewall-ipv6-ipt-reset-prolog-top" comment="Policy is configured as dual address family. Using iptables-restore. Prolog is on top of the policy" ro="False">
|
|
<NAT id="id41195X6647" name="NAT" comment="" ro="False" ipv4_rule_set="True" ipv6_rule_set="True" top_rule_set="True">
|
|
<NATRule id="id41196X6647" disabled="False" group="" position="0" action="Translate" comment="">
|
|
<OSrc neg="False">
|
|
<ObjectRef ref="id86936X27543"/>
|
|
<ObjectRef ref="id4834B9206131"/>
|
|
</OSrc>
|
|
<ODst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ODst>
|
|
<OSrv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</OSrv>
|
|
<TSrc neg="False">
|
|
<ObjectRef ref="id41068X6647"/>
|
|
</TSrc>
|
|
<TDst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</TDst>
|
|
<TSrv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</TSrv>
|
|
<ItfInb neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ItfInb>
|
|
<ItfOutb neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ItfOutb>
|
|
<NATRuleOptions/>
|
|
</NATRule>
|
|
<RuleSetOptions/>
|
|
</NAT>
|
|
<Policy id="id41074X6647" name="Policy" comment="" ro="False" ipv4_rule_set="True" ipv6_rule_set="True" top_rule_set="True">
|
|
<PolicyRule id="id41075X6647" disabled="False" group="" log="False" position="0" action="Accept" direction="Inbound" comment="">
|
|
<Src neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="action_on_reject"/>
|
|
<Option name="branch_id">id39582X8300</Option>
|
|
<Option name="classify_str"/>
|
|
<Option name="custom_str"/>
|
|
<Option name="ipf_route_opt_addr"/>
|
|
<Option name="ipf_route_opt_if"/>
|
|
<Option name="ipf_route_option">route_through</Option>
|
|
<Option name="ipfw_classify_method">2</Option>
|
|
<Option name="ipfw_pipe_port_num">0</Option>
|
|
<Option name="ipfw_pipe_queue_num">0</Option>
|
|
<Option name="ipt_branch_in_mangle">False</Option>
|
|
<Option name="ipt_continue">False</Option>
|
|
<Option name="ipt_gw"/>
|
|
<Option name="ipt_iif"/>
|
|
<Option name="ipt_mark_connections">False</Option>
|
|
<Option name="ipt_oif"/>
|
|
<Option name="ipt_tee">False</Option>
|
|
<Option name="pf_fastroute">False</Option>
|
|
<Option name="pf_route_load_option">none</Option>
|
|
<Option name="pf_route_opt_addr"/>
|
|
<Option name="pf_route_opt_if"/>
|
|
<Option name="pf_route_option">route_through</Option>
|
|
<Option name="rule_name_accounting"/>
|
|
<Option name="stateless">False</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<RuleSetOptions/>
|
|
</Policy>
|
|
<Routing id="id41211X6647" name="Routing" comment="" ro="False" ipv4_rule_set="False" ipv6_rule_set="False" top_rule_set="True">
|
|
<RuleSetOptions/>
|
|
</Routing>
|
|
<Interface id="id41212X6647" dedicated_failover="False" dyn="False" label="" security_level="50" unnum="False" unprotected="False" name="eth0" comment="" ro="False">
|
|
<IPv4 id="id41215X6647" name="firewall-ipv6-ipt-reset-prolog-top:eth0:ip" comment="" ro="False" address="1.1.1.1" netmask="255.255.255.0"/>
|
|
<IPv6 id="id41216X6647" name="firewall-ipv6-ipt-reset-prolog-top:eth0:ip6" comment="" ro="False" address="fe80::21d:9ff:fe8b:8e94" netmask="64"/>
|
|
<InterfaceOptions/>
|
|
</Interface>
|
|
<Interface id="id41217X6647" dedicated_failover="False" dyn="False" label="" mgmt="False" security_level="0" unnum="False" unprotected="False" name="eth1" comment="" ro="False">
|
|
<IPv4 id="id78499X6647" name="firewall-ipv6-ipt-reset-prolog-top:eth1:ip" comment="" ro="False" address="22.22.22.22" netmask="255.255.255.0"/>
|
|
<InterfaceOptions/>
|
|
</Interface>
|
|
<Management address="1.1.1.1">
|
|
<SNMPManagement enabled="False" snmp_read_community="" snmp_write_community=""/>
|
|
<FWBDManagement enabled="False" identity="" port="-1"/>
|
|
<PolicyInstallScript arguments="" command="" enabled="False"/>
|
|
</Management>
|
|
<FirewallOptions>
|
|
<Option name="accept_established">True</Option>
|
|
<Option name="accept_new_tcp_with_no_syn">True</Option>
|
|
<Option name="action_on_reject"/>
|
|
<Option name="activationCmd"/>
|
|
<Option name="add_check_state_rule">true</Option>
|
|
<Option name="admUser"/>
|
|
<Option name="altAddress"/>
|
|
<Option name="bridging_fw">False</Option>
|
|
<Option name="check_shading">True</Option>
|
|
<Option name="clamp_mss_to_mtu">False</Option>
|
|
<Option name="classify_mark_terminating">False</Option>
|
|
<Option name="cmdline">-xt</Option>
|
|
<Option name="compiler"/>
|
|
<Option name="configure_interfaces">True</Option>
|
|
<Option name="debug">False</Option>
|
|
<Option name="drop_invalid">True</Option>
|
|
<Option name="eliminate_duplicates">true</Option>
|
|
<Option name="enable_ipv6">True</Option>
|
|
<Option name="epilog_script"/>
|
|
<Option name="firewall_dir">/etc</Option>
|
|
<Option name="firewall_is_part_of_any_and_networks">True</Option>
|
|
<Option name="freebsd_ip_forward">1</Option>
|
|
<Option name="ignore_empty_groups">False</Option>
|
|
<Option name="in_out_code">true</Option>
|
|
<Option name="iosacl_add_clear_statements">true</Option>
|
|
<Option name="iosacl_assume_fw_part_of_any">true</Option>
|
|
<Option name="iosacl_include_comments">true</Option>
|
|
<Option name="ipt_mangle_only_rulesets"/>
|
|
<Option name="ipv4_6_order">ipv4_first</Option>
|
|
<Option name="limit_suffix"/>
|
|
<Option name="limit_value">0</Option>
|
|
<Option name="linux24_accept_redirects"/>
|
|
<Option name="linux24_accept_source_route"/>
|
|
<Option name="linux24_icmp_echo_ignore_all"/>
|
|
<Option name="linux24_icmp_echo_ignore_broadcasts"/>
|
|
<Option name="linux24_icmp_ignore_bogus_error_responses"/>
|
|
<Option name="linux24_ip_dynaddr"/>
|
|
<Option name="linux24_ip_forward">1</Option>
|
|
<Option name="linux24_ipv6_forward">1</Option>
|
|
<Option name="linux24_log_martians"/>
|
|
<Option name="linux24_path_ip"/>
|
|
<Option name="linux24_path_ip6tables"/>
|
|
<Option name="linux24_path_ip6tables_restore"/>
|
|
<Option name="linux24_path_iptables"/>
|
|
<Option name="linux24_path_iptables_restore"/>
|
|
<Option name="linux24_path_logger"/>
|
|
<Option name="linux24_path_lsmod"/>
|
|
<Option name="linux24_path_modprobe"/>
|
|
<Option name="linux24_rp_filter"/>
|
|
<Option name="linux24_tcp_ecn"/>
|
|
<Option name="linux24_tcp_fack"/>
|
|
<Option name="linux24_tcp_fin_timeout">0</Option>
|
|
<Option name="linux24_tcp_keepalive_interval">0</Option>
|
|
<Option name="linux24_tcp_sack"/>
|
|
<Option name="linux24_tcp_syncookies"/>
|
|
<Option name="linux24_tcp_timestamps"/>
|
|
<Option name="linux24_tcp_window_scaling"/>
|
|
<Option name="load_modules">True</Option>
|
|
<Option name="local_nat">False</Option>
|
|
<Option name="log_all">False</Option>
|
|
<Option name="log_invalid">True</Option>
|
|
<Option name="log_ip_opt">False</Option>
|
|
<Option name="log_level">info</Option>
|
|
<Option name="log_prefix">RULE %N -- %A </Option>
|
|
<Option name="log_tcp_opt">False</Option>
|
|
<Option name="log_tcp_seq">False</Option>
|
|
<Option name="loopback_interface">lo0</Option>
|
|
<Option name="macosx_ip_forward">1</Option>
|
|
<Option name="manage_virtual_addr">True</Option>
|
|
<Option name="mgmt_addr"/>
|
|
<Option name="mgmt_ssh">False</Option>
|
|
<Option name="no_ipv6_default_policy">False</Option>
|
|
<Option name="openbsd_ip_forward">1</Option>
|
|
<Option name="output_file"/>
|
|
<Option name="pass_all_out">false</Option>
|
|
<Option name="pf_limit_frags">5000</Option>
|
|
<Option name="pf_limit_states">10000</Option>
|
|
<Option name="pf_scrub_maxmss">1460</Option>
|
|
<Option name="pf_timeout_frag">30</Option>
|
|
<Option name="pf_timeout_interval">10</Option>
|
|
<Option name="pix_add_clear_statements">true</Option>
|
|
<Option name="pix_assume_fw_part_of_any">true</Option>
|
|
<Option name="pix_default_logint">300</Option>
|
|
<Option name="pix_emblem_log_format">false</Option>
|
|
<Option name="pix_emulate_out_acl">true</Option>
|
|
<Option name="pix_floodguard">true</Option>
|
|
<Option name="pix_include_comments">true</Option>
|
|
<Option name="pix_route_dnat_supported">true</Option>
|
|
<Option name="pix_rule_syslog_settings">false</Option>
|
|
<Option name="pix_security_fragguard_supported">true</Option>
|
|
<Option name="pix_syslog_device_id_supported">false</Option>
|
|
<Option name="pix_use_acl_remarks">true</Option>
|
|
<Option name="prolog_place">top</Option>
|
|
<Option name="prolog_script">echo "This is prolog"
|
|
</Option>
|
|
<Option name="prompt1">$ </Option>
|
|
<Option name="prompt2"> # </Option>
|
|
<Option name="scpArgs"/>
|
|
<Option name="solaris_ip_forward">1</Option>
|
|
<Option name="sshArgs"/>
|
|
<Option name="ulog_cprange">0</Option>
|
|
<Option name="ulog_nlgroup">1</Option>
|
|
<Option name="ulog_qthreshold">1</Option>
|
|
<Option name="use_ULOG">True</Option>
|
|
<Option name="use_iptables_restore">True</Option>
|
|
<Option name="use_numeric_log_levels">False</Option>
|
|
<Option name="verify_interfaces">True</Option>
|
|
</FirewallOptions>
|
|
</Firewall>
|
|
<Firewall id="id153064X6647" host_OS="linux24" inactive="False" lastCompiled="1272404275" lastInstalled="0" lastModified="1233079354" platform="iptables" version="" name="firewall-ipv6-ipt-reset-prolog-after-flush" comment="Policy is configured as dual address family. Using iptables-restore. Prolog is after iptables reset and flush" ro="False">
|
|
<NAT id="id153083X6647" name="NAT" comment="" ro="False" ipv4_rule_set="True" ipv6_rule_set="True" top_rule_set="True">
|
|
<NATRule id="id153084X6647" disabled="False" group="" position="0" action="Translate" comment="">
|
|
<OSrc neg="False">
|
|
<ObjectRef ref="id86936X27543"/>
|
|
<ObjectRef ref="id4834B9206131"/>
|
|
</OSrc>
|
|
<ODst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ODst>
|
|
<OSrv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</OSrv>
|
|
<TSrc neg="False">
|
|
<ObjectRef ref="id153064X6647"/>
|
|
</TSrc>
|
|
<TDst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</TDst>
|
|
<TSrv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</TSrv>
|
|
<ItfInb neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ItfInb>
|
|
<ItfOutb neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ItfOutb>
|
|
<NATRuleOptions/>
|
|
</NATRule>
|
|
<RuleSetOptions/>
|
|
</NAT>
|
|
<Policy id="id153070X6647" name="Policy" comment="" ro="False" ipv4_rule_set="True" ipv6_rule_set="True" top_rule_set="True">
|
|
<PolicyRule id="id153071X6647" disabled="False" group="" log="False" position="0" action="Accept" direction="Inbound" comment="">
|
|
<Src neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="action_on_reject"/>
|
|
<Option name="branch_id">id39582X8300</Option>
|
|
<Option name="classify_str"/>
|
|
<Option name="custom_str"/>
|
|
<Option name="ipf_route_opt_addr"/>
|
|
<Option name="ipf_route_opt_if"/>
|
|
<Option name="ipf_route_option">route_through</Option>
|
|
<Option name="ipfw_classify_method">2</Option>
|
|
<Option name="ipfw_pipe_port_num">0</Option>
|
|
<Option name="ipfw_pipe_queue_num">0</Option>
|
|
<Option name="ipt_branch_in_mangle">False</Option>
|
|
<Option name="ipt_continue">False</Option>
|
|
<Option name="ipt_gw"/>
|
|
<Option name="ipt_iif"/>
|
|
<Option name="ipt_mark_connections">False</Option>
|
|
<Option name="ipt_oif"/>
|
|
<Option name="ipt_tee">False</Option>
|
|
<Option name="pf_fastroute">False</Option>
|
|
<Option name="pf_route_load_option">none</Option>
|
|
<Option name="pf_route_opt_addr"/>
|
|
<Option name="pf_route_opt_if"/>
|
|
<Option name="pf_route_option">route_through</Option>
|
|
<Option name="rule_name_accounting"/>
|
|
<Option name="stateless">False</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<RuleSetOptions/>
|
|
</Policy>
|
|
<Routing id="id153099X6647" name="Routing" comment="" ro="False" ipv4_rule_set="False" ipv6_rule_set="False" top_rule_set="True">
|
|
<RuleSetOptions/>
|
|
</Routing>
|
|
<Interface id="id153100X6647" dedicated_failover="False" dyn="False" label="" security_level="50" unnum="False" unprotected="False" name="eth0" comment="" ro="False">
|
|
<IPv4 id="id153103X6647" name="firewall-ipv6-ipt-reset-prolog-after-flush:eth0:ip" comment="" ro="False" address="1.1.1.1" netmask="255.255.255.0"/>
|
|
<IPv6 id="id153104X6647" name="firewall-ipv6-ipt-reset-prolog-after-flush:eth0:ip6" comment="" ro="False" address="fe80::21d:9ff:fe8b:8e94" netmask="64"/>
|
|
<InterfaceOptions/>
|
|
</Interface>
|
|
<Interface id="id153105X6647" dedicated_failover="False" dyn="False" label="" mgmt="False" security_level="0" unnum="False" unprotected="False" name="eth1" comment="" ro="False">
|
|
<IPv4 id="id153107X6647" name="firewall-ipv6-ipt-reset-prolog-after-flush:eth1:ip" comment="" ro="False" address="22.22.22.22" netmask="255.255.255.0"/>
|
|
<InterfaceOptions/>
|
|
</Interface>
|
|
<Management address="1.1.1.1">
|
|
<SNMPManagement enabled="False" snmp_read_community="" snmp_write_community=""/>
|
|
<FWBDManagement enabled="False" identity="" port="-1"/>
|
|
<PolicyInstallScript arguments="" command="" enabled="False"/>
|
|
</Management>
|
|
<FirewallOptions>
|
|
<Option name="accept_established">True</Option>
|
|
<Option name="accept_new_tcp_with_no_syn">True</Option>
|
|
<Option name="action_on_reject"/>
|
|
<Option name="activationCmd"/>
|
|
<Option name="add_check_state_rule">true</Option>
|
|
<Option name="admUser"/>
|
|
<Option name="altAddress"/>
|
|
<Option name="bridging_fw">False</Option>
|
|
<Option name="check_shading">True</Option>
|
|
<Option name="clamp_mss_to_mtu">False</Option>
|
|
<Option name="classify_mark_terminating">False</Option>
|
|
<Option name="cmdline">-xt</Option>
|
|
<Option name="compiler"/>
|
|
<Option name="configure_interfaces">True</Option>
|
|
<Option name="debug">False</Option>
|
|
<Option name="drop_invalid">True</Option>
|
|
<Option name="eliminate_duplicates">true</Option>
|
|
<Option name="enable_ipv6">True</Option>
|
|
<Option name="epilog_script"/>
|
|
<Option name="firewall_dir">/etc</Option>
|
|
<Option name="firewall_is_part_of_any_and_networks">True</Option>
|
|
<Option name="freebsd_ip_forward">1</Option>
|
|
<Option name="ignore_empty_groups">False</Option>
|
|
<Option name="in_out_code">true</Option>
|
|
<Option name="iosacl_add_clear_statements">true</Option>
|
|
<Option name="iosacl_assume_fw_part_of_any">true</Option>
|
|
<Option name="iosacl_include_comments">true</Option>
|
|
<Option name="ipt_mangle_only_rulesets"/>
|
|
<Option name="ipv4_6_order">ipv4_first</Option>
|
|
<Option name="limit_suffix"/>
|
|
<Option name="limit_value">0</Option>
|
|
<Option name="linux24_accept_redirects"/>
|
|
<Option name="linux24_accept_source_route"/>
|
|
<Option name="linux24_icmp_echo_ignore_all"/>
|
|
<Option name="linux24_icmp_echo_ignore_broadcasts"/>
|
|
<Option name="linux24_icmp_ignore_bogus_error_responses"/>
|
|
<Option name="linux24_ip_dynaddr"/>
|
|
<Option name="linux24_ip_forward">1</Option>
|
|
<Option name="linux24_ipv6_forward">1</Option>
|
|
<Option name="linux24_log_martians"/>
|
|
<Option name="linux24_path_ip"/>
|
|
<Option name="linux24_path_ip6tables"/>
|
|
<Option name="linux24_path_ip6tables_restore"/>
|
|
<Option name="linux24_path_iptables"/>
|
|
<Option name="linux24_path_iptables_restore"/>
|
|
<Option name="linux24_path_logger"/>
|
|
<Option name="linux24_path_lsmod"/>
|
|
<Option name="linux24_path_modprobe"/>
|
|
<Option name="linux24_rp_filter"/>
|
|
<Option name="linux24_tcp_ecn"/>
|
|
<Option name="linux24_tcp_fack"/>
|
|
<Option name="linux24_tcp_fin_timeout">0</Option>
|
|
<Option name="linux24_tcp_keepalive_interval">0</Option>
|
|
<Option name="linux24_tcp_sack"/>
|
|
<Option name="linux24_tcp_syncookies"/>
|
|
<Option name="linux24_tcp_timestamps"/>
|
|
<Option name="linux24_tcp_window_scaling"/>
|
|
<Option name="load_modules">True</Option>
|
|
<Option name="local_nat">False</Option>
|
|
<Option name="log_all">False</Option>
|
|
<Option name="log_invalid">True</Option>
|
|
<Option name="log_ip_opt">False</Option>
|
|
<Option name="log_level">info</Option>
|
|
<Option name="log_prefix">RULE %N -- %A </Option>
|
|
<Option name="log_tcp_opt">False</Option>
|
|
<Option name="log_tcp_seq">False</Option>
|
|
<Option name="loopback_interface">lo0</Option>
|
|
<Option name="macosx_ip_forward">1</Option>
|
|
<Option name="manage_virtual_addr">True</Option>
|
|
<Option name="mgmt_addr"/>
|
|
<Option name="mgmt_ssh">False</Option>
|
|
<Option name="no_ipv6_default_policy">False</Option>
|
|
<Option name="openbsd_ip_forward">1</Option>
|
|
<Option name="output_file"/>
|
|
<Option name="pass_all_out">false</Option>
|
|
<Option name="pf_limit_frags">5000</Option>
|
|
<Option name="pf_limit_states">10000</Option>
|
|
<Option name="pf_scrub_maxmss">1460</Option>
|
|
<Option name="pf_timeout_frag">30</Option>
|
|
<Option name="pf_timeout_interval">10</Option>
|
|
<Option name="pix_add_clear_statements">true</Option>
|
|
<Option name="pix_assume_fw_part_of_any">true</Option>
|
|
<Option name="pix_default_logint">300</Option>
|
|
<Option name="pix_emblem_log_format">false</Option>
|
|
<Option name="pix_emulate_out_acl">true</Option>
|
|
<Option name="pix_floodguard">true</Option>
|
|
<Option name="pix_include_comments">true</Option>
|
|
<Option name="pix_route_dnat_supported">true</Option>
|
|
<Option name="pix_rule_syslog_settings">false</Option>
|
|
<Option name="pix_security_fragguard_supported">true</Option>
|
|
<Option name="pix_syslog_device_id_supported">false</Option>
|
|
<Option name="pix_use_acl_remarks">true</Option>
|
|
<Option name="prolog_place">after_flush</Option>
|
|
<Option name="prolog_script">echo "This is prolog"
|
|
</Option>
|
|
<Option name="prompt1">$ </Option>
|
|
<Option name="prompt2"> # </Option>
|
|
<Option name="scpArgs"/>
|
|
<Option name="solaris_ip_forward">1</Option>
|
|
<Option name="sshArgs"/>
|
|
<Option name="ulog_cprange">0</Option>
|
|
<Option name="ulog_nlgroup">1</Option>
|
|
<Option name="ulog_qthreshold">1</Option>
|
|
<Option name="use_ULOG">True</Option>
|
|
<Option name="use_iptables_restore">True</Option>
|
|
<Option name="use_numeric_log_levels">False</Option>
|
|
<Option name="verify_interfaces">True</Option>
|
|
</FirewallOptions>
|
|
</Firewall>
|
|
<Firewall id="id171798X6647" host_OS="linux24" inactive="False" lastCompiled="1272404280" lastInstalled="0" lastModified="1233079345" platform="iptables" version="" name="firewall-ipv6-ipt-reset-prolog-after-interfaces" comment="Policy is configured as dual address family. Using iptables-restore. Prolog is after configuration of interfaces" ro="False">
|
|
<NAT id="id171817X6647" name="NAT" comment="" ro="False" ipv4_rule_set="True" ipv6_rule_set="True" top_rule_set="True">
|
|
<NATRule id="id171818X6647" disabled="False" group="" position="0" action="Translate" comment="">
|
|
<OSrc neg="False">
|
|
<ObjectRef ref="id86936X27543"/>
|
|
<ObjectRef ref="id4834B9206131"/>
|
|
</OSrc>
|
|
<ODst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ODst>
|
|
<OSrv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</OSrv>
|
|
<TSrc neg="False">
|
|
<ObjectRef ref="id171798X6647"/>
|
|
</TSrc>
|
|
<TDst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</TDst>
|
|
<TSrv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</TSrv>
|
|
<ItfInb neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ItfInb>
|
|
<ItfOutb neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ItfOutb>
|
|
<NATRuleOptions/>
|
|
</NATRule>
|
|
<RuleSetOptions/>
|
|
</NAT>
|
|
<Policy id="id171804X6647" name="Policy" comment="" ro="False" ipv4_rule_set="True" ipv6_rule_set="True" top_rule_set="True">
|
|
<PolicyRule id="id171805X6647" disabled="False" group="" log="False" position="0" action="Accept" direction="Inbound" comment="">
|
|
<Src neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="action_on_reject"/>
|
|
<Option name="branch_id">id39582X8300</Option>
|
|
<Option name="classify_str"/>
|
|
<Option name="custom_str"/>
|
|
<Option name="ipf_route_opt_addr"/>
|
|
<Option name="ipf_route_opt_if"/>
|
|
<Option name="ipf_route_option">route_through</Option>
|
|
<Option name="ipfw_classify_method">2</Option>
|
|
<Option name="ipfw_pipe_port_num">0</Option>
|
|
<Option name="ipfw_pipe_queue_num">0</Option>
|
|
<Option name="ipt_branch_in_mangle">False</Option>
|
|
<Option name="ipt_continue">False</Option>
|
|
<Option name="ipt_gw"/>
|
|
<Option name="ipt_iif"/>
|
|
<Option name="ipt_mark_connections">False</Option>
|
|
<Option name="ipt_oif"/>
|
|
<Option name="ipt_tee">False</Option>
|
|
<Option name="pf_fastroute">False</Option>
|
|
<Option name="pf_route_load_option">none</Option>
|
|
<Option name="pf_route_opt_addr"/>
|
|
<Option name="pf_route_opt_if"/>
|
|
<Option name="pf_route_option">route_through</Option>
|
|
<Option name="rule_name_accounting"/>
|
|
<Option name="stateless">False</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<RuleSetOptions/>
|
|
</Policy>
|
|
<Routing id="id171833X6647" name="Routing" comment="" ro="False" ipv4_rule_set="False" ipv6_rule_set="False" top_rule_set="True">
|
|
<RuleSetOptions/>
|
|
</Routing>
|
|
<Interface id="id171834X6647" dedicated_failover="False" dyn="False" label="" security_level="50" unnum="False" unprotected="False" name="eth0" comment="" ro="False">
|
|
<IPv4 id="id171837X6647" name="firewall-ipv6-ipt-reset-prolog-after-interfaces:eth0:ip" comment="" ro="False" address="1.1.1.1" netmask="255.255.255.0"/>
|
|
<IPv6 id="id171838X6647" name="firewall-ipv6-ipt-reset-prolog-after-interfaces:eth0:ip6" comment="" ro="False" address="fe80::21d:9ff:fe8b:8e94" netmask="64"/>
|
|
<InterfaceOptions/>
|
|
</Interface>
|
|
<Interface id="id171839X6647" dedicated_failover="False" dyn="False" label="" mgmt="False" security_level="0" unnum="False" unprotected="False" name="eth1" comment="" ro="False">
|
|
<IPv4 id="id171841X6647" name="firewall-ipv6-ipt-reset-prolog-after-interfaces:eth1:ip" comment="" ro="False" address="22.22.22.22" netmask="255.255.255.0"/>
|
|
<InterfaceOptions/>
|
|
</Interface>
|
|
<Management address="1.1.1.1">
|
|
<SNMPManagement enabled="False" snmp_read_community="" snmp_write_community=""/>
|
|
<FWBDManagement enabled="False" identity="" port="-1"/>
|
|
<PolicyInstallScript arguments="" command="" enabled="False"/>
|
|
</Management>
|
|
<FirewallOptions>
|
|
<Option name="accept_established">True</Option>
|
|
<Option name="accept_new_tcp_with_no_syn">True</Option>
|
|
<Option name="action_on_reject"/>
|
|
<Option name="activationCmd"/>
|
|
<Option name="add_check_state_rule">true</Option>
|
|
<Option name="admUser"/>
|
|
<Option name="altAddress"/>
|
|
<Option name="bridging_fw">False</Option>
|
|
<Option name="check_shading">True</Option>
|
|
<Option name="clamp_mss_to_mtu">False</Option>
|
|
<Option name="classify_mark_terminating">False</Option>
|
|
<Option name="cmdline">-xt</Option>
|
|
<Option name="compiler"/>
|
|
<Option name="configure_interfaces">True</Option>
|
|
<Option name="debug">False</Option>
|
|
<Option name="drop_invalid">True</Option>
|
|
<Option name="eliminate_duplicates">true</Option>
|
|
<Option name="enable_ipv6">True</Option>
|
|
<Option name="epilog_script"/>
|
|
<Option name="firewall_dir">/etc</Option>
|
|
<Option name="firewall_is_part_of_any_and_networks">True</Option>
|
|
<Option name="freebsd_ip_forward">1</Option>
|
|
<Option name="ignore_empty_groups">False</Option>
|
|
<Option name="in_out_code">true</Option>
|
|
<Option name="iosacl_add_clear_statements">true</Option>
|
|
<Option name="iosacl_assume_fw_part_of_any">true</Option>
|
|
<Option name="iosacl_include_comments">true</Option>
|
|
<Option name="ipt_mangle_only_rulesets"/>
|
|
<Option name="ipv4_6_order">ipv4_first</Option>
|
|
<Option name="limit_suffix"/>
|
|
<Option name="limit_value">0</Option>
|
|
<Option name="linux24_accept_redirects"/>
|
|
<Option name="linux24_accept_source_route"/>
|
|
<Option name="linux24_icmp_echo_ignore_all"/>
|
|
<Option name="linux24_icmp_echo_ignore_broadcasts"/>
|
|
<Option name="linux24_icmp_ignore_bogus_error_responses"/>
|
|
<Option name="linux24_ip_dynaddr"/>
|
|
<Option name="linux24_ip_forward">1</Option>
|
|
<Option name="linux24_ipv6_forward">1</Option>
|
|
<Option name="linux24_log_martians"/>
|
|
<Option name="linux24_path_ip"/>
|
|
<Option name="linux24_path_ip6tables"/>
|
|
<Option name="linux24_path_ip6tables_restore"/>
|
|
<Option name="linux24_path_iptables"/>
|
|
<Option name="linux24_path_iptables_restore"/>
|
|
<Option name="linux24_path_logger"/>
|
|
<Option name="linux24_path_lsmod"/>
|
|
<Option name="linux24_path_modprobe"/>
|
|
<Option name="linux24_rp_filter"/>
|
|
<Option name="linux24_tcp_ecn"/>
|
|
<Option name="linux24_tcp_fack"/>
|
|
<Option name="linux24_tcp_fin_timeout">0</Option>
|
|
<Option name="linux24_tcp_keepalive_interval">0</Option>
|
|
<Option name="linux24_tcp_sack"/>
|
|
<Option name="linux24_tcp_syncookies"/>
|
|
<Option name="linux24_tcp_timestamps"/>
|
|
<Option name="linux24_tcp_window_scaling"/>
|
|
<Option name="load_modules">True</Option>
|
|
<Option name="local_nat">False</Option>
|
|
<Option name="log_all">False</Option>
|
|
<Option name="log_invalid">True</Option>
|
|
<Option name="log_ip_opt">False</Option>
|
|
<Option name="log_level">info</Option>
|
|
<Option name="log_prefix">RULE %N -- %A </Option>
|
|
<Option name="log_tcp_opt">False</Option>
|
|
<Option name="log_tcp_seq">False</Option>
|
|
<Option name="loopback_interface">lo0</Option>
|
|
<Option name="macosx_ip_forward">1</Option>
|
|
<Option name="manage_virtual_addr">True</Option>
|
|
<Option name="mgmt_addr"/>
|
|
<Option name="mgmt_ssh">False</Option>
|
|
<Option name="no_ipv6_default_policy">False</Option>
|
|
<Option name="openbsd_ip_forward">1</Option>
|
|
<Option name="output_file"/>
|
|
<Option name="pass_all_out">false</Option>
|
|
<Option name="pf_limit_frags">5000</Option>
|
|
<Option name="pf_limit_states">10000</Option>
|
|
<Option name="pf_scrub_maxmss">1460</Option>
|
|
<Option name="pf_timeout_frag">30</Option>
|
|
<Option name="pf_timeout_interval">10</Option>
|
|
<Option name="pix_add_clear_statements">true</Option>
|
|
<Option name="pix_assume_fw_part_of_any">true</Option>
|
|
<Option name="pix_default_logint">300</Option>
|
|
<Option name="pix_emblem_log_format">false</Option>
|
|
<Option name="pix_emulate_out_acl">true</Option>
|
|
<Option name="pix_floodguard">true</Option>
|
|
<Option name="pix_include_comments">true</Option>
|
|
<Option name="pix_route_dnat_supported">true</Option>
|
|
<Option name="pix_rule_syslog_settings">false</Option>
|
|
<Option name="pix_security_fragguard_supported">true</Option>
|
|
<Option name="pix_syslog_device_id_supported">false</Option>
|
|
<Option name="pix_use_acl_remarks">true</Option>
|
|
<Option name="prolog_place">after_interfaces</Option>
|
|
<Option name="prolog_script">echo "This is prolog"
|
|
</Option>
|
|
<Option name="prompt1">$ </Option>
|
|
<Option name="prompt2"> # </Option>
|
|
<Option name="scpArgs"/>
|
|
<Option name="solaris_ip_forward">1</Option>
|
|
<Option name="sshArgs"/>
|
|
<Option name="ulog_cprange">0</Option>
|
|
<Option name="ulog_nlgroup">1</Option>
|
|
<Option name="ulog_qthreshold">1</Option>
|
|
<Option name="use_ULOG">True</Option>
|
|
<Option name="use_iptables_restore">True</Option>
|
|
<Option name="use_numeric_log_levels">False</Option>
|
|
<Option name="verify_interfaces">True</Option>
|
|
</FirewallOptions>
|
|
</Firewall>
|
|
<Firewall id="id228034X6647" host_OS="linux24" inactive="False" lastCompiled="1272404288" lastInstalled="0" lastModified="1233079328" platform="iptables" version="" name="firewall-ipv6-prolog-after-flush" comment="Policy is configured as dual address family. Prolog is after iptables reset and flush" ro="False">
|
|
<NAT id="id228053X6647" name="NAT" comment="" ro="False" ipv4_rule_set="True" ipv6_rule_set="True" top_rule_set="True">
|
|
<NATRule id="id228054X6647" disabled="False" group="" position="0" action="Translate" comment="">
|
|
<OSrc neg="False">
|
|
<ObjectRef ref="id86936X27543"/>
|
|
<ObjectRef ref="id4834B9206131"/>
|
|
</OSrc>
|
|
<ODst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ODst>
|
|
<OSrv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</OSrv>
|
|
<TSrc neg="False">
|
|
<ObjectRef ref="id228034X6647"/>
|
|
</TSrc>
|
|
<TDst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</TDst>
|
|
<TSrv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</TSrv>
|
|
<ItfInb neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ItfInb>
|
|
<ItfOutb neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ItfOutb>
|
|
<NATRuleOptions/>
|
|
</NATRule>
|
|
<RuleSetOptions/>
|
|
</NAT>
|
|
<Policy id="id228040X6647" name="Policy" comment="" ro="False" ipv4_rule_set="True" ipv6_rule_set="True" top_rule_set="True">
|
|
<PolicyRule id="id228041X6647" disabled="False" group="" log="False" position="0" action="Accept" direction="Inbound" comment="">
|
|
<Src neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="action_on_reject"/>
|
|
<Option name="branch_id">id39582X8300</Option>
|
|
<Option name="classify_str"/>
|
|
<Option name="custom_str"/>
|
|
<Option name="ipf_route_opt_addr"/>
|
|
<Option name="ipf_route_opt_if"/>
|
|
<Option name="ipf_route_option">route_through</Option>
|
|
<Option name="ipfw_classify_method">2</Option>
|
|
<Option name="ipfw_pipe_port_num">0</Option>
|
|
<Option name="ipfw_pipe_queue_num">0</Option>
|
|
<Option name="ipt_branch_in_mangle">False</Option>
|
|
<Option name="ipt_continue">False</Option>
|
|
<Option name="ipt_gw"/>
|
|
<Option name="ipt_iif"/>
|
|
<Option name="ipt_mark_connections">False</Option>
|
|
<Option name="ipt_oif"/>
|
|
<Option name="ipt_tee">False</Option>
|
|
<Option name="pf_fastroute">False</Option>
|
|
<Option name="pf_route_load_option">none</Option>
|
|
<Option name="pf_route_opt_addr"/>
|
|
<Option name="pf_route_opt_if"/>
|
|
<Option name="pf_route_option">route_through</Option>
|
|
<Option name="rule_name_accounting"/>
|
|
<Option name="stateless">False</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<RuleSetOptions/>
|
|
</Policy>
|
|
<Routing id="id228069X6647" name="Routing" comment="" ro="False" ipv4_rule_set="False" ipv6_rule_set="False" top_rule_set="True">
|
|
<RuleSetOptions/>
|
|
</Routing>
|
|
<Interface id="id228070X6647" dedicated_failover="False" dyn="False" label="" security_level="50" unnum="False" unprotected="False" name="eth0" comment="" ro="False">
|
|
<IPv4 id="id228073X6647" name="firewall-ipv6-prolog-after-flush:eth0:ip" comment="" ro="False" address="1.1.1.1" netmask="255.255.255.0"/>
|
|
<IPv6 id="id228074X6647" name="firewall-ipv6-prolog-after-flush:eth0:ip6" comment="" ro="False" address="fe80::21d:9ff:fe8b:8e94" netmask="64"/>
|
|
<InterfaceOptions/>
|
|
</Interface>
|
|
<Interface id="id228075X6647" dedicated_failover="False" dyn="False" label="" mgmt="False" security_level="0" unnum="False" unprotected="False" name="eth1" comment="" ro="False">
|
|
<IPv4 id="id228077X6647" name="firewall-ipv6-prolog-after-flush:eth1:ip" comment="" ro="False" address="22.22.22.22" netmask="255.255.255.0"/>
|
|
<InterfaceOptions/>
|
|
</Interface>
|
|
<Management address="1.1.1.1">
|
|
<SNMPManagement enabled="False" snmp_read_community="" snmp_write_community=""/>
|
|
<FWBDManagement enabled="False" identity="" port="-1"/>
|
|
<PolicyInstallScript arguments="" command="" enabled="False"/>
|
|
</Management>
|
|
<FirewallOptions>
|
|
<Option name="accept_established">True</Option>
|
|
<Option name="accept_new_tcp_with_no_syn">True</Option>
|
|
<Option name="action_on_reject"/>
|
|
<Option name="activationCmd"/>
|
|
<Option name="add_check_state_rule">true</Option>
|
|
<Option name="admUser"/>
|
|
<Option name="altAddress"/>
|
|
<Option name="bridging_fw">False</Option>
|
|
<Option name="check_shading">True</Option>
|
|
<Option name="clamp_mss_to_mtu">False</Option>
|
|
<Option name="classify_mark_terminating">False</Option>
|
|
<Option name="cmdline">-xt</Option>
|
|
<Option name="compiler"/>
|
|
<Option name="configure_interfaces">True</Option>
|
|
<Option name="debug">False</Option>
|
|
<Option name="drop_invalid">True</Option>
|
|
<Option name="eliminate_duplicates">true</Option>
|
|
<Option name="enable_ipv6">True</Option>
|
|
<Option name="epilog_script"/>
|
|
<Option name="firewall_dir">/etc</Option>
|
|
<Option name="firewall_is_part_of_any_and_networks">True</Option>
|
|
<Option name="freebsd_ip_forward">1</Option>
|
|
<Option name="ignore_empty_groups">False</Option>
|
|
<Option name="in_out_code">true</Option>
|
|
<Option name="iosacl_add_clear_statements">true</Option>
|
|
<Option name="iosacl_assume_fw_part_of_any">true</Option>
|
|
<Option name="iosacl_include_comments">true</Option>
|
|
<Option name="ipt_mangle_only_rulesets"/>
|
|
<Option name="ipv4_6_order">ipv4_first</Option>
|
|
<Option name="limit_suffix"/>
|
|
<Option name="limit_value">0</Option>
|
|
<Option name="linux24_accept_redirects"/>
|
|
<Option name="linux24_accept_source_route"/>
|
|
<Option name="linux24_icmp_echo_ignore_all"/>
|
|
<Option name="linux24_icmp_echo_ignore_broadcasts"/>
|
|
<Option name="linux24_icmp_ignore_bogus_error_responses"/>
|
|
<Option name="linux24_ip_dynaddr"/>
|
|
<Option name="linux24_ip_forward">1</Option>
|
|
<Option name="linux24_ipv6_forward">1</Option>
|
|
<Option name="linux24_log_martians"/>
|
|
<Option name="linux24_path_ip"/>
|
|
<Option name="linux24_path_ip6tables"/>
|
|
<Option name="linux24_path_ip6tables_restore"/>
|
|
<Option name="linux24_path_iptables"/>
|
|
<Option name="linux24_path_iptables_restore"/>
|
|
<Option name="linux24_path_logger"/>
|
|
<Option name="linux24_path_lsmod"/>
|
|
<Option name="linux24_path_modprobe"/>
|
|
<Option name="linux24_rp_filter"/>
|
|
<Option name="linux24_tcp_ecn"/>
|
|
<Option name="linux24_tcp_fack"/>
|
|
<Option name="linux24_tcp_fin_timeout">0</Option>
|
|
<Option name="linux24_tcp_keepalive_interval">0</Option>
|
|
<Option name="linux24_tcp_sack"/>
|
|
<Option name="linux24_tcp_syncookies"/>
|
|
<Option name="linux24_tcp_timestamps"/>
|
|
<Option name="linux24_tcp_window_scaling"/>
|
|
<Option name="load_modules">True</Option>
|
|
<Option name="local_nat">False</Option>
|
|
<Option name="log_all">False</Option>
|
|
<Option name="log_invalid">True</Option>
|
|
<Option name="log_ip_opt">False</Option>
|
|
<Option name="log_level">info</Option>
|
|
<Option name="log_prefix">RULE %N -- %A </Option>
|
|
<Option name="log_tcp_opt">False</Option>
|
|
<Option name="log_tcp_seq">False</Option>
|
|
<Option name="loopback_interface">lo0</Option>
|
|
<Option name="macosx_ip_forward">1</Option>
|
|
<Option name="manage_virtual_addr">True</Option>
|
|
<Option name="mgmt_addr"/>
|
|
<Option name="mgmt_ssh">False</Option>
|
|
<Option name="no_ipv6_default_policy">False</Option>
|
|
<Option name="openbsd_ip_forward">1</Option>
|
|
<Option name="output_file"/>
|
|
<Option name="pass_all_out">false</Option>
|
|
<Option name="pf_limit_frags">5000</Option>
|
|
<Option name="pf_limit_states">10000</Option>
|
|
<Option name="pf_scrub_maxmss">1460</Option>
|
|
<Option name="pf_timeout_frag">30</Option>
|
|
<Option name="pf_timeout_interval">10</Option>
|
|
<Option name="pix_add_clear_statements">true</Option>
|
|
<Option name="pix_assume_fw_part_of_any">true</Option>
|
|
<Option name="pix_default_logint">300</Option>
|
|
<Option name="pix_emblem_log_format">false</Option>
|
|
<Option name="pix_emulate_out_acl">true</Option>
|
|
<Option name="pix_floodguard">true</Option>
|
|
<Option name="pix_include_comments">true</Option>
|
|
<Option name="pix_route_dnat_supported">true</Option>
|
|
<Option name="pix_rule_syslog_settings">false</Option>
|
|
<Option name="pix_security_fragguard_supported">true</Option>
|
|
<Option name="pix_syslog_device_id_supported">false</Option>
|
|
<Option name="pix_use_acl_remarks">true</Option>
|
|
<Option name="prolog_place">after_flush</Option>
|
|
<Option name="prolog_script">echo "This is prolog"
|
|
</Option>
|
|
<Option name="prompt1">$ </Option>
|
|
<Option name="prompt2"> # </Option>
|
|
<Option name="scpArgs"/>
|
|
<Option name="solaris_ip_forward">1</Option>
|
|
<Option name="sshArgs"/>
|
|
<Option name="ulog_cprange">0</Option>
|
|
<Option name="ulog_nlgroup">1</Option>
|
|
<Option name="ulog_qthreshold">1</Option>
|
|
<Option name="use_ULOG">True</Option>
|
|
<Option name="use_iptables_restore">False</Option>
|
|
<Option name="use_numeric_log_levels">False</Option>
|
|
<Option name="verify_interfaces">True</Option>
|
|
</FirewallOptions>
|
|
</Firewall>
|
|
<Firewall id="id228083X6647" host_OS="linux24" inactive="False" lastCompiled="1272404292" lastInstalled="0" lastModified="1233079321" platform="iptables" version="" name="firewall-ipv6-prolog-after-interfaces" comment="Policy is configured as dual address family. Prolog is after configuration of interfaces" ro="False">
|
|
<NAT id="id228102X6647" name="NAT" comment="" ro="False" ipv4_rule_set="True" ipv6_rule_set="True" top_rule_set="True">
|
|
<NATRule id="id228103X6647" disabled="False" group="" position="0" action="Translate" comment="">
|
|
<OSrc neg="False">
|
|
<ObjectRef ref="id86936X27543"/>
|
|
<ObjectRef ref="id4834B9206131"/>
|
|
</OSrc>
|
|
<ODst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ODst>
|
|
<OSrv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</OSrv>
|
|
<TSrc neg="False">
|
|
<ObjectRef ref="id228083X6647"/>
|
|
</TSrc>
|
|
<TDst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</TDst>
|
|
<TSrv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</TSrv>
|
|
<ItfInb neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ItfInb>
|
|
<ItfOutb neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ItfOutb>
|
|
<NATRuleOptions/>
|
|
</NATRule>
|
|
<RuleSetOptions/>
|
|
</NAT>
|
|
<Policy id="id228089X6647" name="Policy" comment="" ro="False" ipv4_rule_set="True" ipv6_rule_set="True" top_rule_set="True">
|
|
<PolicyRule id="id228090X6647" disabled="False" group="" log="False" position="0" action="Accept" direction="Inbound" comment="">
|
|
<Src neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="action_on_reject"/>
|
|
<Option name="branch_id">id39582X8300</Option>
|
|
<Option name="classify_str"/>
|
|
<Option name="custom_str"/>
|
|
<Option name="ipf_route_opt_addr"/>
|
|
<Option name="ipf_route_opt_if"/>
|
|
<Option name="ipf_route_option">route_through</Option>
|
|
<Option name="ipfw_classify_method">2</Option>
|
|
<Option name="ipfw_pipe_port_num">0</Option>
|
|
<Option name="ipfw_pipe_queue_num">0</Option>
|
|
<Option name="ipt_branch_in_mangle">False</Option>
|
|
<Option name="ipt_continue">False</Option>
|
|
<Option name="ipt_gw"/>
|
|
<Option name="ipt_iif"/>
|
|
<Option name="ipt_mark_connections">False</Option>
|
|
<Option name="ipt_oif"/>
|
|
<Option name="ipt_tee">False</Option>
|
|
<Option name="pf_fastroute">False</Option>
|
|
<Option name="pf_route_load_option">none</Option>
|
|
<Option name="pf_route_opt_addr"/>
|
|
<Option name="pf_route_opt_if"/>
|
|
<Option name="pf_route_option">route_through</Option>
|
|
<Option name="rule_name_accounting"/>
|
|
<Option name="stateless">False</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<RuleSetOptions/>
|
|
</Policy>
|
|
<Routing id="id228118X6647" name="Routing" comment="" ro="False" ipv4_rule_set="False" ipv6_rule_set="False" top_rule_set="True">
|
|
<RuleSetOptions/>
|
|
</Routing>
|
|
<Interface id="id228119X6647" dedicated_failover="False" dyn="False" label="" security_level="50" unnum="False" unprotected="False" name="eth0" comment="" ro="False">
|
|
<IPv4 id="id228122X6647" name="firewall-ipv6-prolog-after-interfaces:eth0:ip" comment="" ro="False" address="1.1.1.1" netmask="255.255.255.0"/>
|
|
<IPv6 id="id228123X6647" name="firewall-ipv6-prolog-after-interfaces:eth0:ip6" comment="" ro="False" address="fe80::21d:9ff:fe8b:8e94" netmask="64"/>
|
|
<InterfaceOptions/>
|
|
</Interface>
|
|
<Interface id="id228124X6647" dedicated_failover="False" dyn="False" label="" mgmt="False" security_level="0" unnum="False" unprotected="False" name="eth1" comment="" ro="False">
|
|
<IPv4 id="id228126X6647" name="firewall-ipv6-prolog-after-interfaces:eth1:ip" comment="" ro="False" address="22.22.22.22" netmask="255.255.255.0"/>
|
|
<InterfaceOptions/>
|
|
</Interface>
|
|
<Management address="1.1.1.1">
|
|
<SNMPManagement enabled="False" snmp_read_community="" snmp_write_community=""/>
|
|
<FWBDManagement enabled="False" identity="" port="-1"/>
|
|
<PolicyInstallScript arguments="" command="" enabled="False"/>
|
|
</Management>
|
|
<FirewallOptions>
|
|
<Option name="accept_established">True</Option>
|
|
<Option name="accept_new_tcp_with_no_syn">True</Option>
|
|
<Option name="action_on_reject"/>
|
|
<Option name="activationCmd"/>
|
|
<Option name="add_check_state_rule">true</Option>
|
|
<Option name="admUser"/>
|
|
<Option name="altAddress"/>
|
|
<Option name="bridging_fw">False</Option>
|
|
<Option name="check_shading">True</Option>
|
|
<Option name="clamp_mss_to_mtu">False</Option>
|
|
<Option name="classify_mark_terminating">False</Option>
|
|
<Option name="cmdline">-xt</Option>
|
|
<Option name="compiler"/>
|
|
<Option name="configure_interfaces">True</Option>
|
|
<Option name="debug">False</Option>
|
|
<Option name="drop_invalid">True</Option>
|
|
<Option name="eliminate_duplicates">true</Option>
|
|
<Option name="enable_ipv6">True</Option>
|
|
<Option name="epilog_script"/>
|
|
<Option name="firewall_dir">/etc</Option>
|
|
<Option name="firewall_is_part_of_any_and_networks">True</Option>
|
|
<Option name="freebsd_ip_forward">1</Option>
|
|
<Option name="ignore_empty_groups">False</Option>
|
|
<Option name="in_out_code">true</Option>
|
|
<Option name="iosacl_add_clear_statements">true</Option>
|
|
<Option name="iosacl_assume_fw_part_of_any">true</Option>
|
|
<Option name="iosacl_include_comments">true</Option>
|
|
<Option name="ipt_mangle_only_rulesets"/>
|
|
<Option name="ipv4_6_order">ipv4_first</Option>
|
|
<Option name="limit_suffix"/>
|
|
<Option name="limit_value">0</Option>
|
|
<Option name="linux24_accept_redirects"/>
|
|
<Option name="linux24_accept_source_route"/>
|
|
<Option name="linux24_icmp_echo_ignore_all"/>
|
|
<Option name="linux24_icmp_echo_ignore_broadcasts"/>
|
|
<Option name="linux24_icmp_ignore_bogus_error_responses"/>
|
|
<Option name="linux24_ip_dynaddr"/>
|
|
<Option name="linux24_ip_forward">1</Option>
|
|
<Option name="linux24_ipv6_forward">1</Option>
|
|
<Option name="linux24_log_martians"/>
|
|
<Option name="linux24_path_ip"/>
|
|
<Option name="linux24_path_ip6tables"/>
|
|
<Option name="linux24_path_ip6tables_restore"/>
|
|
<Option name="linux24_path_iptables"/>
|
|
<Option name="linux24_path_iptables_restore"/>
|
|
<Option name="linux24_path_logger"/>
|
|
<Option name="linux24_path_lsmod"/>
|
|
<Option name="linux24_path_modprobe"/>
|
|
<Option name="linux24_rp_filter"/>
|
|
<Option name="linux24_tcp_ecn"/>
|
|
<Option name="linux24_tcp_fack"/>
|
|
<Option name="linux24_tcp_fin_timeout">0</Option>
|
|
<Option name="linux24_tcp_keepalive_interval">0</Option>
|
|
<Option name="linux24_tcp_sack"/>
|
|
<Option name="linux24_tcp_syncookies"/>
|
|
<Option name="linux24_tcp_timestamps"/>
|
|
<Option name="linux24_tcp_window_scaling"/>
|
|
<Option name="load_modules">True</Option>
|
|
<Option name="local_nat">False</Option>
|
|
<Option name="log_all">False</Option>
|
|
<Option name="log_invalid">True</Option>
|
|
<Option name="log_ip_opt">False</Option>
|
|
<Option name="log_level">info</Option>
|
|
<Option name="log_prefix">RULE %N -- %A </Option>
|
|
<Option name="log_tcp_opt">False</Option>
|
|
<Option name="log_tcp_seq">False</Option>
|
|
<Option name="loopback_interface">lo0</Option>
|
|
<Option name="macosx_ip_forward">1</Option>
|
|
<Option name="manage_virtual_addr">True</Option>
|
|
<Option name="mgmt_addr"/>
|
|
<Option name="mgmt_ssh">False</Option>
|
|
<Option name="no_ipv6_default_policy">False</Option>
|
|
<Option name="openbsd_ip_forward">1</Option>
|
|
<Option name="output_file"/>
|
|
<Option name="pass_all_out">false</Option>
|
|
<Option name="pf_limit_frags">5000</Option>
|
|
<Option name="pf_limit_states">10000</Option>
|
|
<Option name="pf_scrub_maxmss">1460</Option>
|
|
<Option name="pf_timeout_frag">30</Option>
|
|
<Option name="pf_timeout_interval">10</Option>
|
|
<Option name="pix_add_clear_statements">true</Option>
|
|
<Option name="pix_assume_fw_part_of_any">true</Option>
|
|
<Option name="pix_default_logint">300</Option>
|
|
<Option name="pix_emblem_log_format">false</Option>
|
|
<Option name="pix_emulate_out_acl">true</Option>
|
|
<Option name="pix_floodguard">true</Option>
|
|
<Option name="pix_include_comments">true</Option>
|
|
<Option name="pix_route_dnat_supported">true</Option>
|
|
<Option name="pix_rule_syslog_settings">false</Option>
|
|
<Option name="pix_security_fragguard_supported">true</Option>
|
|
<Option name="pix_syslog_device_id_supported">false</Option>
|
|
<Option name="pix_use_acl_remarks">true</Option>
|
|
<Option name="prolog_place">after_interfaces</Option>
|
|
<Option name="prolog_script">echo "This is prolog"
|
|
</Option>
|
|
<Option name="prompt1">$ </Option>
|
|
<Option name="prompt2"> # </Option>
|
|
<Option name="scpArgs"/>
|
|
<Option name="solaris_ip_forward">1</Option>
|
|
<Option name="sshArgs"/>
|
|
<Option name="ulog_cprange">0</Option>
|
|
<Option name="ulog_nlgroup">1</Option>
|
|
<Option name="ulog_qthreshold">1</Option>
|
|
<Option name="use_ULOG">True</Option>
|
|
<Option name="use_iptables_restore">False</Option>
|
|
<Option name="use_numeric_log_levels">False</Option>
|
|
<Option name="verify_interfaces">True</Option>
|
|
</FirewallOptions>
|
|
</Firewall>
|
|
<Firewall id="id228132X6647" host_OS="linux24" inactive="False" lastCompiled="1272404295" lastInstalled="0" lastModified="1233079312" platform="iptables" version="" name="firewall-ipv6-prolog-top" comment="Policy is configured as dual address family. Prolog is on top of the policy" ro="False">
|
|
<NAT id="id228151X6647" name="NAT" comment="" ro="False" ipv4_rule_set="True" ipv6_rule_set="True" top_rule_set="True">
|
|
<NATRule id="id228152X6647" disabled="False" group="" position="0" action="Translate" comment="">
|
|
<OSrc neg="False">
|
|
<ObjectRef ref="id86936X27543"/>
|
|
<ObjectRef ref="id4834B9206131"/>
|
|
</OSrc>
|
|
<ODst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ODst>
|
|
<OSrv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</OSrv>
|
|
<TSrc neg="False">
|
|
<ObjectRef ref="id228132X6647"/>
|
|
</TSrc>
|
|
<TDst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</TDst>
|
|
<TSrv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</TSrv>
|
|
<ItfInb neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ItfInb>
|
|
<ItfOutb neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ItfOutb>
|
|
<NATRuleOptions/>
|
|
</NATRule>
|
|
<RuleSetOptions/>
|
|
</NAT>
|
|
<Policy id="id228138X6647" name="Policy" comment="" ro="False" ipv4_rule_set="True" ipv6_rule_set="True" top_rule_set="True">
|
|
<PolicyRule id="id228139X6647" disabled="False" group="" log="False" position="0" action="Accept" direction="Inbound" comment="">
|
|
<Src neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="action_on_reject"/>
|
|
<Option name="branch_id">id39582X8300</Option>
|
|
<Option name="classify_str"/>
|
|
<Option name="custom_str"/>
|
|
<Option name="ipf_route_opt_addr"/>
|
|
<Option name="ipf_route_opt_if"/>
|
|
<Option name="ipf_route_option">route_through</Option>
|
|
<Option name="ipfw_classify_method">2</Option>
|
|
<Option name="ipfw_pipe_port_num">0</Option>
|
|
<Option name="ipfw_pipe_queue_num">0</Option>
|
|
<Option name="ipt_branch_in_mangle">False</Option>
|
|
<Option name="ipt_continue">False</Option>
|
|
<Option name="ipt_gw"/>
|
|
<Option name="ipt_iif"/>
|
|
<Option name="ipt_mark_connections">False</Option>
|
|
<Option name="ipt_oif"/>
|
|
<Option name="ipt_tee">False</Option>
|
|
<Option name="pf_fastroute">False</Option>
|
|
<Option name="pf_route_load_option">none</Option>
|
|
<Option name="pf_route_opt_addr"/>
|
|
<Option name="pf_route_opt_if"/>
|
|
<Option name="pf_route_option">route_through</Option>
|
|
<Option name="rule_name_accounting"/>
|
|
<Option name="stateless">False</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<RuleSetOptions/>
|
|
</Policy>
|
|
<Routing id="id228167X6647" name="Routing" comment="" ro="False" ipv4_rule_set="False" ipv6_rule_set="False" top_rule_set="True">
|
|
<RuleSetOptions/>
|
|
</Routing>
|
|
<Interface id="id228168X6647" dedicated_failover="False" dyn="False" label="" security_level="50" unnum="False" unprotected="False" name="eth0" comment="" ro="False">
|
|
<IPv4 id="id228171X6647" name="firewall-ipv6-prolog-top:eth0:ip" comment="" ro="False" address="1.1.1.1" netmask="255.255.255.0"/>
|
|
<IPv6 id="id228172X6647" name="firewall-ipv6-prolog-top:eth0:ip6" comment="" ro="False" address="fe80::21d:9ff:fe8b:8e94" netmask="64"/>
|
|
<InterfaceOptions/>
|
|
</Interface>
|
|
<Interface id="id228173X6647" dedicated_failover="False" dyn="False" label="" mgmt="False" security_level="0" unnum="False" unprotected="False" name="eth1" comment="" ro="False">
|
|
<IPv4 id="id228175X6647" name="firewall-ipv6-prolog-top:eth1:ip" comment="" ro="False" address="22.22.22.22" netmask="255.255.255.0"/>
|
|
<InterfaceOptions/>
|
|
</Interface>
|
|
<Management address="1.1.1.1">
|
|
<SNMPManagement enabled="False" snmp_read_community="" snmp_write_community=""/>
|
|
<FWBDManagement enabled="False" identity="" port="-1"/>
|
|
<PolicyInstallScript arguments="" command="" enabled="False"/>
|
|
</Management>
|
|
<FirewallOptions>
|
|
<Option name="accept_established">True</Option>
|
|
<Option name="accept_new_tcp_with_no_syn">True</Option>
|
|
<Option name="action_on_reject"/>
|
|
<Option name="activationCmd"/>
|
|
<Option name="add_check_state_rule">true</Option>
|
|
<Option name="admUser"/>
|
|
<Option name="altAddress"/>
|
|
<Option name="bridging_fw">False</Option>
|
|
<Option name="check_shading">True</Option>
|
|
<Option name="clamp_mss_to_mtu">False</Option>
|
|
<Option name="classify_mark_terminating">False</Option>
|
|
<Option name="cmdline">-xt</Option>
|
|
<Option name="compiler"/>
|
|
<Option name="configure_interfaces">True</Option>
|
|
<Option name="debug">False</Option>
|
|
<Option name="drop_invalid">True</Option>
|
|
<Option name="eliminate_duplicates">true</Option>
|
|
<Option name="enable_ipv6">True</Option>
|
|
<Option name="epilog_script"/>
|
|
<Option name="firewall_dir">/etc</Option>
|
|
<Option name="firewall_is_part_of_any_and_networks">True</Option>
|
|
<Option name="freebsd_ip_forward">1</Option>
|
|
<Option name="ignore_empty_groups">False</Option>
|
|
<Option name="in_out_code">true</Option>
|
|
<Option name="iosacl_add_clear_statements">true</Option>
|
|
<Option name="iosacl_assume_fw_part_of_any">true</Option>
|
|
<Option name="iosacl_include_comments">true</Option>
|
|
<Option name="ipt_mangle_only_rulesets"/>
|
|
<Option name="ipv4_6_order">ipv4_first</Option>
|
|
<Option name="limit_suffix"/>
|
|
<Option name="limit_value">0</Option>
|
|
<Option name="linux24_accept_redirects"/>
|
|
<Option name="linux24_accept_source_route"/>
|
|
<Option name="linux24_icmp_echo_ignore_all"/>
|
|
<Option name="linux24_icmp_echo_ignore_broadcasts"/>
|
|
<Option name="linux24_icmp_ignore_bogus_error_responses"/>
|
|
<Option name="linux24_ip_dynaddr"/>
|
|
<Option name="linux24_ip_forward">1</Option>
|
|
<Option name="linux24_ipv6_forward">1</Option>
|
|
<Option name="linux24_log_martians"/>
|
|
<Option name="linux24_path_ip"/>
|
|
<Option name="linux24_path_ip6tables"/>
|
|
<Option name="linux24_path_ip6tables_restore"/>
|
|
<Option name="linux24_path_iptables"/>
|
|
<Option name="linux24_path_iptables_restore"/>
|
|
<Option name="linux24_path_logger"/>
|
|
<Option name="linux24_path_lsmod"/>
|
|
<Option name="linux24_path_modprobe"/>
|
|
<Option name="linux24_rp_filter"/>
|
|
<Option name="linux24_tcp_ecn"/>
|
|
<Option name="linux24_tcp_fack"/>
|
|
<Option name="linux24_tcp_fin_timeout">0</Option>
|
|
<Option name="linux24_tcp_keepalive_interval">0</Option>
|
|
<Option name="linux24_tcp_sack"/>
|
|
<Option name="linux24_tcp_syncookies"/>
|
|
<Option name="linux24_tcp_timestamps"/>
|
|
<Option name="linux24_tcp_window_scaling"/>
|
|
<Option name="load_modules">True</Option>
|
|
<Option name="local_nat">False</Option>
|
|
<Option name="log_all">False</Option>
|
|
<Option name="log_invalid">True</Option>
|
|
<Option name="log_ip_opt">False</Option>
|
|
<Option name="log_level">info</Option>
|
|
<Option name="log_prefix">RULE %N -- %A </Option>
|
|
<Option name="log_tcp_opt">False</Option>
|
|
<Option name="log_tcp_seq">False</Option>
|
|
<Option name="loopback_interface">lo0</Option>
|
|
<Option name="macosx_ip_forward">1</Option>
|
|
<Option name="manage_virtual_addr">True</Option>
|
|
<Option name="mgmt_addr"/>
|
|
<Option name="mgmt_ssh">False</Option>
|
|
<Option name="no_ipv6_default_policy">False</Option>
|
|
<Option name="openbsd_ip_forward">1</Option>
|
|
<Option name="output_file"/>
|
|
<Option name="pass_all_out">false</Option>
|
|
<Option name="pf_limit_frags">5000</Option>
|
|
<Option name="pf_limit_states">10000</Option>
|
|
<Option name="pf_scrub_maxmss">1460</Option>
|
|
<Option name="pf_timeout_frag">30</Option>
|
|
<Option name="pf_timeout_interval">10</Option>
|
|
<Option name="pix_add_clear_statements">true</Option>
|
|
<Option name="pix_assume_fw_part_of_any">true</Option>
|
|
<Option name="pix_default_logint">300</Option>
|
|
<Option name="pix_emblem_log_format">false</Option>
|
|
<Option name="pix_emulate_out_acl">true</Option>
|
|
<Option name="pix_floodguard">true</Option>
|
|
<Option name="pix_include_comments">true</Option>
|
|
<Option name="pix_route_dnat_supported">true</Option>
|
|
<Option name="pix_rule_syslog_settings">false</Option>
|
|
<Option name="pix_security_fragguard_supported">true</Option>
|
|
<Option name="pix_syslog_device_id_supported">false</Option>
|
|
<Option name="pix_use_acl_remarks">true</Option>
|
|
<Option name="prolog_place">top</Option>
|
|
<Option name="prolog_script">echo "This is prolog"
|
|
</Option>
|
|
<Option name="prompt1">$ </Option>
|
|
<Option name="prompt2"> # </Option>
|
|
<Option name="scpArgs"/>
|
|
<Option name="solaris_ip_forward">1</Option>
|
|
<Option name="sshArgs"/>
|
|
<Option name="ulog_cprange">0</Option>
|
|
<Option name="ulog_nlgroup">1</Option>
|
|
<Option name="ulog_qthreshold">1</Option>
|
|
<Option name="use_ULOG">True</Option>
|
|
<Option name="use_iptables_restore">False</Option>
|
|
<Option name="use_numeric_log_levels">False</Option>
|
|
<Option name="verify_interfaces">True</Option>
|
|
</FirewallOptions>
|
|
</Firewall>
|
|
<Firewall id="id42015X9876" host_OS="linux24" inactive="False" lastCompiled="1272404445" lastInstalled="0" lastModified="1235803779" platform="iptables" version="" name="firewall36-1" comment="Testing routing configuration where routing rules do not install default route" ro="False">
|
|
<NAT id="id42106X9876" name="NAT" comment="" ro="False" ipv4_rule_set="False" ipv6_rule_set="False" top_rule_set="True">
|
|
<RuleSetOptions/>
|
|
</NAT>
|
|
<Policy id="id42021X9876" name="Policy" comment="" ro="False" ipv4_rule_set="False" ipv6_rule_set="False" top_rule_set="True">
|
|
<RuleSetOptions/>
|
|
</Policy>
|
|
<Routing id="id42121X9876" name="Routing" comment="" ro="False" ipv4_rule_set="False" ipv6_rule_set="False" top_rule_set="True">
|
|
<RoutingRule id="id42138X9876" disabled="False" group="" metric="0" position="0" comment="">
|
|
<RDst neg="False">
|
|
<ObjectRef ref="id4733FFE419714"/>
|
|
</RDst>
|
|
<RGtw neg="False">
|
|
<ObjectRef ref="id40860X98946"/>
|
|
</RGtw>
|
|
<RItf neg="False">
|
|
<ObjectRef ref="id42149X9876"/>
|
|
</RItf>
|
|
<RoutingRuleOptions/>
|
|
</RoutingRule>
|
|
<RuleSetOptions/>
|
|
</Routing>
|
|
<Interface id="id42146X9876" dedicated_failover="False" dyn="False" label="" mgmt="False" security_level="0" unnum="False" unprotected="False" name="eth0" comment="" ro="False">
|
|
<IPv4 id="id42148X9876" name="firewall36-1:eth0:ip" comment="This is a test address, change it to your real one" ro="False" address="192.0.2.1" netmask="255.255.255.0"/>
|
|
<InterfaceOptions/>
|
|
</Interface>
|
|
<Interface id="id42149X9876" dedicated_failover="False" dyn="False" label="" mgmt="True" security_level="100" unnum="False" unprotected="False" name="eth1" comment="" ro="False">
|
|
<IPv4 id="id42151X9876" name="firewall36-1:eth1:ip" comment="" ro="False" address="192.168.1.1" netmask="255.255.255.0"/>
|
|
<InterfaceOptions/>
|
|
</Interface>
|
|
<Interface id="id42152X9876" dedicated_failover="False" dyn="False" label="loopback" mgmt="False" security_level="100" unnum="False" unprotected="False" name="lo" comment="" ro="False">
|
|
<IPv4 id="id42154X9876" name="firewall36-1:lo:ip" comment="" ro="False" address="127.0.0.1" netmask="255.0.0.0"/>
|
|
<InterfaceOptions/>
|
|
</Interface>
|
|
<Interface id="id42155X9876" dedicated_failover="False" dyn="False" label="" mgmt="False" security_level="0" unnum="False" unprotected="False" name="eth2" comment="" ro="False">
|
|
<IPv4 id="id42157X9876" name="firewall36-1:eth2:ip" comment="" ro="False" address="192.0.100.1" netmask="255.255.255.0"/>
|
|
<InterfaceOptions/>
|
|
</Interface>
|
|
<Management address="192.168.1.1">
|
|
<SNMPManagement enabled="False" snmp_read_community="" snmp_write_community=""/>
|
|
<FWBDManagement enabled="False" identity="" port="-1"/>
|
|
<PolicyInstallScript arguments="" command="" enabled="False"/>
|
|
</Management>
|
|
<FirewallOptions>
|
|
<Option name="accept_established">True</Option>
|
|
<Option name="accept_new_tcp_with_no_syn">True</Option>
|
|
<Option name="action_on_reject"/>
|
|
<Option name="activationCmd"/>
|
|
<Option name="admUser"/>
|
|
<Option name="altAddress"/>
|
|
<Option name="bridging_fw">False</Option>
|
|
<Option name="check_shading">True</Option>
|
|
<Option name="clamp_mss_to_mtu">False</Option>
|
|
<Option name="cmdline"/>
|
|
<Option name="compiler"/>
|
|
<Option name="configure_interfaces">True</Option>
|
|
<Option name="debug">False</Option>
|
|
<Option name="drop_invalid">False</Option>
|
|
<Option name="eliminate_duplicates">true</Option>
|
|
<Option name="epilog_script"/>
|
|
<Option name="firewall_dir">/etc</Option>
|
|
<Option name="firewall_is_part_of_any_and_networks">True</Option>
|
|
<Option name="freebsd_ip_forward">1</Option>
|
|
<Option name="ignore_empty_groups">False</Option>
|
|
<Option name="in_out_code">true</Option>
|
|
<Option name="limit_suffix"/>
|
|
<Option name="limit_value">0</Option>
|
|
<Option name="linux24_ip_forward">1</Option>
|
|
<Option name="load_modules">True</Option>
|
|
<Option name="local_nat">False</Option>
|
|
<Option name="log_all">False</Option>
|
|
<Option name="log_invalid">False</Option>
|
|
<Option name="log_ip_opt">False</Option>
|
|
<Option name="log_level">info</Option>
|
|
<Option name="log_prefix">RULE %N -- %A </Option>
|
|
<Option name="log_tcp_opt">False</Option>
|
|
<Option name="log_tcp_seq">False</Option>
|
|
<Option name="loopback_interface">lo0</Option>
|
|
<Option name="macosx_ip_forward">1</Option>
|
|
<Option name="manage_virtual_addr">True</Option>
|
|
<Option name="mgmt_addr"/>
|
|
<Option name="mgmt_ssh">False</Option>
|
|
<Option name="openbsd_ip_forward">1</Option>
|
|
<Option name="output_file"/>
|
|
<Option name="pass_all_out">false</Option>
|
|
<Option name="pf_limit_frags">5000</Option>
|
|
<Option name="pf_limit_states">10000</Option>
|
|
<Option name="pf_scrub_maxmss">1460</Option>
|
|
<Option name="pf_timeout_frag">30</Option>
|
|
<Option name="pf_timeout_interval">10</Option>
|
|
<Option name="pix_add_clear_statements">true</Option>
|
|
<Option name="pix_assume_fw_part_of_any">true</Option>
|
|
<Option name="pix_default_logint">300</Option>
|
|
<Option name="pix_emblem_log_format">false</Option>
|
|
<Option name="pix_emulate_out_acl">true</Option>
|
|
<Option name="pix_floodguard">true</Option>
|
|
<Option name="pix_include_comments">true</Option>
|
|
<Option name="pix_route_dnat_supported">true</Option>
|
|
<Option name="pix_rule_syslog_settings">false</Option>
|
|
<Option name="pix_security_fragguard_supported">true</Option>
|
|
<Option name="pix_syslog_device_id_supported">false</Option>
|
|
<Option name="pix_use_acl_remarks">true</Option>
|
|
<Option name="prolog_place">top</Option>
|
|
<Option name="prolog_script"/>
|
|
<Option name="prompt1">$ </Option>
|
|
<Option name="prompt2"> # </Option>
|
|
<Option name="solaris_ip_forward">1</Option>
|
|
<Option name="sshArgs"/>
|
|
<Option name="ulog_cprange">0</Option>
|
|
<Option name="ulog_nlgroup">1</Option>
|
|
<Option name="ulog_qthreshold">1</Option>
|
|
<Option name="use_ULOG">False</Option>
|
|
<Option name="use_iptables_restore">False</Option>
|
|
<Option name="use_numeric_log_levels">False</Option>
|
|
<Option name="verify_interfaces">True</Option>
|
|
</FirewallOptions>
|
|
</Firewall>
|
|
<Firewall id="id118575X9876" host_OS="linux24" inactive="False" lastCompiled="1272404448" lastInstalled="0" lastModified="1235803774" platform="iptables" version="" name="firewall36-2" comment="Testing routing configuration where routing rules install simple (not ECMP) default route" ro="False">
|
|
<NAT id="id118582X9876" name="NAT" comment="" ro="False" ipv4_rule_set="False" ipv6_rule_set="False" top_rule_set="True">
|
|
<RuleSetOptions/>
|
|
</NAT>
|
|
<Policy id="id118581X9876" name="Policy" comment="" ro="False" ipv4_rule_set="False" ipv6_rule_set="False" top_rule_set="True">
|
|
<RuleSetOptions/>
|
|
</Policy>
|
|
<Routing id="id118597X9876" name="Routing" comment="" ro="False" ipv4_rule_set="False" ipv6_rule_set="False" top_rule_set="True">
|
|
<RoutingRule id="id118598X9876" disabled="False" group="" metric="0" position="0" comment="">
|
|
<RDst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</RDst>
|
|
<RGtw neg="False">
|
|
<ObjectRef ref="id118625X9876"/>
|
|
</RGtw>
|
|
<RItf neg="False">
|
|
<ObjectRef ref="id118606X9876"/>
|
|
</RItf>
|
|
<RoutingRuleOptions/>
|
|
</RoutingRule>
|
|
<RuleSetOptions/>
|
|
</Routing>
|
|
<Interface id="id118606X9876" dedicated_failover="False" dyn="False" label="" mgmt="False" security_level="0" unnum="False" unprotected="False" name="eth0" comment="" ro="False">
|
|
<IPv4 id="id118608X9876" name="firewall36-2:eth0:ip" comment="This is a test address, change it to your real one" ro="False" address="192.0.2.1" netmask="255.255.255.0"/>
|
|
<InterfaceOptions/>
|
|
</Interface>
|
|
<Interface id="id118609X9876" dedicated_failover="False" dyn="False" label="" mgmt="True" security_level="100" unnum="False" unprotected="False" name="eth1" comment="" ro="False">
|
|
<IPv4 id="id118611X9876" name="firewall36-2:eth1:ip" comment="" ro="False" address="192.168.1.1" netmask="255.255.255.0"/>
|
|
<InterfaceOptions/>
|
|
</Interface>
|
|
<Interface id="id118612X9876" dedicated_failover="False" dyn="False" label="loopback" mgmt="False" security_level="100" unnum="False" unprotected="False" name="lo" comment="" ro="False">
|
|
<IPv4 id="id118614X9876" name="firewall36-2:lo:ip" comment="" ro="False" address="127.0.0.1" netmask="255.0.0.0"/>
|
|
<InterfaceOptions/>
|
|
</Interface>
|
|
<Interface id="id118615X9876" dedicated_failover="False" dyn="False" label="" mgmt="False" security_level="0" unnum="False" unprotected="False" name="eth2" comment="" ro="False">
|
|
<IPv4 id="id118617X9876" name="firewall36-2:eth2:ip" comment="" ro="False" address="192.0.100.1" netmask="255.255.255.0"/>
|
|
<InterfaceOptions/>
|
|
</Interface>
|
|
<Management address="192.168.1.1">
|
|
<SNMPManagement enabled="False" snmp_read_community="" snmp_write_community=""/>
|
|
<FWBDManagement enabled="False" identity="" port="-1"/>
|
|
<PolicyInstallScript arguments="" command="" enabled="False"/>
|
|
</Management>
|
|
<FirewallOptions>
|
|
<Option name="accept_established">True</Option>
|
|
<Option name="accept_new_tcp_with_no_syn">True</Option>
|
|
<Option name="action_on_reject"/>
|
|
<Option name="activationCmd"/>
|
|
<Option name="admUser"/>
|
|
<Option name="altAddress"/>
|
|
<Option name="bridging_fw">False</Option>
|
|
<Option name="check_shading">True</Option>
|
|
<Option name="clamp_mss_to_mtu">False</Option>
|
|
<Option name="cmdline"/>
|
|
<Option name="compiler"/>
|
|
<Option name="configure_interfaces">True</Option>
|
|
<Option name="debug">False</Option>
|
|
<Option name="drop_invalid">False</Option>
|
|
<Option name="eliminate_duplicates">true</Option>
|
|
<Option name="epilog_script"/>
|
|
<Option name="firewall_dir">/etc</Option>
|
|
<Option name="firewall_is_part_of_any_and_networks">True</Option>
|
|
<Option name="freebsd_ip_forward">1</Option>
|
|
<Option name="ignore_empty_groups">False</Option>
|
|
<Option name="in_out_code">true</Option>
|
|
<Option name="limit_suffix"/>
|
|
<Option name="limit_value">0</Option>
|
|
<Option name="linux24_ip_forward">1</Option>
|
|
<Option name="load_modules">True</Option>
|
|
<Option name="local_nat">False</Option>
|
|
<Option name="log_all">False</Option>
|
|
<Option name="log_invalid">False</Option>
|
|
<Option name="log_ip_opt">False</Option>
|
|
<Option name="log_level">info</Option>
|
|
<Option name="log_prefix">RULE %N -- %A </Option>
|
|
<Option name="log_tcp_opt">False</Option>
|
|
<Option name="log_tcp_seq">False</Option>
|
|
<Option name="loopback_interface">lo0</Option>
|
|
<Option name="macosx_ip_forward">1</Option>
|
|
<Option name="manage_virtual_addr">True</Option>
|
|
<Option name="mgmt_addr"/>
|
|
<Option name="mgmt_ssh">False</Option>
|
|
<Option name="openbsd_ip_forward">1</Option>
|
|
<Option name="output_file"/>
|
|
<Option name="pass_all_out">false</Option>
|
|
<Option name="pf_limit_frags">5000</Option>
|
|
<Option name="pf_limit_states">10000</Option>
|
|
<Option name="pf_scrub_maxmss">1460</Option>
|
|
<Option name="pf_timeout_frag">30</Option>
|
|
<Option name="pf_timeout_interval">10</Option>
|
|
<Option name="pix_add_clear_statements">true</Option>
|
|
<Option name="pix_assume_fw_part_of_any">true</Option>
|
|
<Option name="pix_default_logint">300</Option>
|
|
<Option name="pix_emblem_log_format">false</Option>
|
|
<Option name="pix_emulate_out_acl">true</Option>
|
|
<Option name="pix_floodguard">true</Option>
|
|
<Option name="pix_include_comments">true</Option>
|
|
<Option name="pix_route_dnat_supported">true</Option>
|
|
<Option name="pix_rule_syslog_settings">false</Option>
|
|
<Option name="pix_security_fragguard_supported">true</Option>
|
|
<Option name="pix_syslog_device_id_supported">false</Option>
|
|
<Option name="pix_use_acl_remarks">true</Option>
|
|
<Option name="prolog_place">top</Option>
|
|
<Option name="prolog_script"/>
|
|
<Option name="prompt1">$ </Option>
|
|
<Option name="prompt2"> # </Option>
|
|
<Option name="solaris_ip_forward">1</Option>
|
|
<Option name="sshArgs"/>
|
|
<Option name="ulog_cprange">0</Option>
|
|
<Option name="ulog_nlgroup">1</Option>
|
|
<Option name="ulog_qthreshold">1</Option>
|
|
<Option name="use_ULOG">False</Option>
|
|
<Option name="use_iptables_restore">False</Option>
|
|
<Option name="use_numeric_log_levels">False</Option>
|
|
<Option name="verify_interfaces">True</Option>
|
|
</FirewallOptions>
|
|
</Firewall>
|
|
<Firewall id="id42147X60089" host_OS="linux24" inactive="False" lastCompiled="1272404557" lastInstalled="0" lastModified="1239407156" platform="iptables" version="1.4.0" name="firewall71" comment="This firewall uses iptables-restore format. Two rule sets for the filter table, no rules in mangle, to make sure there is only one COMMIT for both. The option &quot;Clamp MSS to MTU&quot; should be off because it puts a rule in the mangle table." ro="False">
|
|
<NAT id="id42426X60089" name="NAT" comment="" ro="False" ipv4_rule_set="False" ipv6_rule_set="False" top_rule_set="True">
|
|
<NATRule id="id42427X60089" disabled="False" group="" position="0" action="Translate" comment="">
|
|
<OSrc neg="False">
|
|
<ObjectRef ref="net-Internal_net"/>
|
|
</OSrc>
|
|
<ODst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ODst>
|
|
<OSrv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</OSrv>
|
|
<TSrc neg="False">
|
|
<ObjectRef ref="id42147X60089"/>
|
|
</TSrc>
|
|
<TDst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</TDst>
|
|
<TSrv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</TSrv>
|
|
<ItfInb neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ItfInb>
|
|
<ItfOutb neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ItfOutb>
|
|
<NATRuleOptions/>
|
|
</NATRule>
|
|
<RuleSetOptions/>
|
|
</NAT>
|
|
<Policy id="id42153X60089" name="Policy" comment="" ro="False" ipv4_rule_set="False" ipv6_rule_set="False" top_rule_set="True">
|
|
<PolicyRule id="id42351X60089" disabled="False" group="" log="False" position="0" action="Accept" direction="Both" comment="">
|
|
<Src neg="False">
|
|
<ObjectRef ref="net-Internal_net"/>
|
|
<ObjectRef ref="id3B022266"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="id3B19C5EB"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions/>
|
|
</PolicyRule>
|
|
<PolicyRule id="id42376X60089" disabled="False" group="" log="True" position="1" action="Branch" direction="Both" comment="">
|
|
<Src neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="action_on_reject"/>
|
|
<Option name="branch_id">id42400X60089</Option>
|
|
<Option name="classify_str"/>
|
|
<Option name="custom_str"/>
|
|
<Option name="ipf_route_opt_addr"/>
|
|
<Option name="ipf_route_opt_if"/>
|
|
<Option name="ipf_route_option"/>
|
|
<Option name="ipfw_classify_method">2</Option>
|
|
<Option name="ipfw_pipe_port_num">0</Option>
|
|
<Option name="ipfw_pipe_queue_num">0</Option>
|
|
<Option name="ipt_branch_in_mangle">False</Option>
|
|
<Option name="ipt_continue">False</Option>
|
|
<Option name="ipt_gw"/>
|
|
<Option name="ipt_iif"/>
|
|
<Option name="ipt_mark_connections">False</Option>
|
|
<Option name="ipt_oif"/>
|
|
<Option name="ipt_tee">False</Option>
|
|
<Option name="pf_fastroute">False</Option>
|
|
<Option name="pf_route_load_option">none</Option>
|
|
<Option name="pf_route_opt_addr"/>
|
|
<Option name="pf_route_opt_if"/>
|
|
<Option name="pf_route_option">route_reply_through</Option>
|
|
<Option name="rule_name_accounting"/>
|
|
<Option name="stateless">True</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<PolicyRule id="id42388X60089" disabled="False" group="" log="True" position="2" action="Deny" direction="Both" comment="Automatically generated 'catch all' rule">
|
|
<Src neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="action_on_reject"/>
|
|
<Option name="id"/>
|
|
<Option name="limit_suffix"/>
|
|
<Option name="limit_value">0</Option>
|
|
<Option name="log_prefix"/>
|
|
<Option name="stateless">True</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<RuleSetOptions/>
|
|
</Policy>
|
|
<Policy id="id42400X60089" name="fw71_policy_2" comment="" ro="False" ipv4_rule_set="True" ipv6_rule_set="False" top_rule_set="False">
|
|
<PolicyRule id="id42401X60089" disabled="False" group="" log="True" position="0" action="Deny" direction="Both" comment="">
|
|
<Src neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="stateless">True</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<RuleSetOptions/>
|
|
</Policy>
|
|
<Policy id="id42413X60089" name="mangle_ruleset" comment="Pure mangle rule set. Checks that there will be only one COMMIT." ro="False" ipv4_rule_set="False" ipv6_rule_set="False" top_rule_set="False">
|
|
<RuleSetOptions/>
|
|
</Policy>
|
|
<Routing id="id42483X60089" name="Routing" comment="" ro="False" ipv4_rule_set="False" ipv6_rule_set="False" top_rule_set="True">
|
|
<RuleSetOptions/>
|
|
</Routing>
|
|
<Interface id="id42487X60089" dedicated_failover="False" dyn="False" label="" mgmt="True" security_level="100" unnum="False" unprotected="False" name="eth0" comment="" ro="False">
|
|
<IPv4 id="id42489X60089" name="firewall71:eth0:ip" comment="" ro="False" address="192.168.1.1" netmask="255.255.255.0"/>
|
|
<InterfaceOptions/>
|
|
</Interface>
|
|
<Interface id="id42490X60089" dedicated_failover="False" dyn="False" security_level="0" unnum="False" unprotected="False" name="eth2" comment="" ro="False">
|
|
<IPv4 id="id42492X60089" name="firewall71:eth2:ip" comment="" ro="False" address="192.168.2.1" netmask="255.255.255.0"/>
|
|
<InterfaceOptions/>
|
|
</Interface>
|
|
<Management address="192.168.1.1">
|
|
<SNMPManagement enabled="False" snmp_read_community="public" snmp_write_community=""/>
|
|
<FWBDManagement enabled="True" identity="" port="9999"/>
|
|
<PolicyInstallScript arguments="" command="" enabled="False"/>
|
|
</Management>
|
|
<FirewallOptions>
|
|
<Option name="accept_established">True</Option>
|
|
<Option name="accept_new_tcp_with_no_syn">False</Option>
|
|
<Option name="action_on_reject">ICMP host prohibited</Option>
|
|
<Option name="activationCmd"/>
|
|
<Option name="admUser"/>
|
|
<Option name="altAddress"/>
|
|
<Option name="bridging_fw">False</Option>
|
|
<Option name="check_shading">False</Option>
|
|
<Option name="clamp_mss_to_mtu">False</Option>
|
|
<Option name="classify_mark_terminating">False</Option>
|
|
<Option name="cmdline"/>
|
|
<Option name="compiler"/>
|
|
<Option name="configure_interfaces">True</Option>
|
|
<Option name="debug">False</Option>
|
|
<Option name="drop_invalid">True</Option>
|
|
<Option name="dyn_addr">False</Option>
|
|
<Option name="epilog_script"/>
|
|
<Option name="firewall_dir"/>
|
|
<Option name="firewall_is_part_of_any">True</Option>
|
|
<Option name="firewall_is_part_of_any_and_networks">True</Option>
|
|
<Option name="id"/>
|
|
<Option name="ignore_empty_groups">False</Option>
|
|
<Option name="install_script"/>
|
|
<Option name="ipt_mangle_only_rulesets"> Policy_2 mangle_ruleset</Option>
|
|
<Option name="ipv4_6_order">ipv4_first</Option>
|
|
<Option name="limit_suffix">/day</Option>
|
|
<Option name="limit_value">0</Option>
|
|
<Option name="linux24_accept_redirects"/>
|
|
<Option name="linux24_accept_source_route"/>
|
|
<Option name="linux24_icmp_echo_ignore_all"/>
|
|
<Option name="linux24_icmp_echo_ignore_broadcasts"/>
|
|
<Option name="linux24_icmp_ignore_bogus_error_responses"/>
|
|
<Option name="linux24_ip_dynaddr"/>
|
|
<Option name="linux24_ip_forward"/>
|
|
<Option name="linux24_log_martians"/>
|
|
<Option name="linux24_path_ip"/>
|
|
<Option name="linux24_path_iptables"/>
|
|
<Option name="linux24_path_logger"/>
|
|
<Option name="linux24_path_lsmod"/>
|
|
<Option name="linux24_path_modprobe"/>
|
|
<Option name="linux24_rp_filter"/>
|
|
<Option name="linux24_tcp_ecn"/>
|
|
<Option name="linux24_tcp_fack"/>
|
|
<Option name="linux24_tcp_fin_timeout">30</Option>
|
|
<Option name="linux24_tcp_keepalive_interval">1800</Option>
|
|
<Option name="linux24_tcp_sack"/>
|
|
<Option name="linux24_tcp_syncookies"/>
|
|
<Option name="linux24_tcp_timestamps"/>
|
|
<Option name="linux24_tcp_window_scaling"/>
|
|
<Option name="load_modules">False</Option>
|
|
<Option name="local_nat">False</Option>
|
|
<Option name="log_all">False</Option>
|
|
<Option name="log_all_dropped">False</Option>
|
|
<Option name="log_invalid">False</Option>
|
|
<Option name="log_ip_opt">False</Option>
|
|
<Option name="log_level"/>
|
|
<Option name="log_limit_suffix"/>
|
|
<Option name="log_limit_value">0</Option>
|
|
<Option name="log_prefix"/>
|
|
<Option name="log_tcp_opt">False</Option>
|
|
<Option name="log_tcp_seq">False</Option>
|
|
<Option name="manage_virtual_addr">True</Option>
|
|
<Option name="mgmt_addr">192.168.1.1</Option>
|
|
<Option name="mgmt_ssh">True</Option>
|
|
<Option name="no_iochains_for_any">False</Option>
|
|
<Option name="no_ipv6_default_policy">False</Option>
|
|
<Option name="no_optimisation">False</Option>
|
|
<Option name="output_file"/>
|
|
<Option name="platform">iptables</Option>
|
|
<Option name="prolog_place">top</Option>
|
|
<Option name="prolog_script"/>
|
|
<Option name="scpArgs"/>
|
|
<Option name="script_env_path"/>
|
|
<Option name="snmp_contact"/>
|
|
<Option name="snmp_description"/>
|
|
<Option name="snmp_location"/>
|
|
<Option name="sshArgs"/>
|
|
<Option name="ulog_cprange">0</Option>
|
|
<Option name="ulog_nlgroup">1</Option>
|
|
<Option name="ulog_qthreshold">1</Option>
|
|
<Option name="use_ULOG">False</Option>
|
|
<Option name="use_iptables_restore">True</Option>
|
|
<Option name="use_numeric_log_levels">False</Option>
|
|
<Option name="verify_interfaces">True</Option>
|
|
</FirewallOptions>
|
|
</Firewall>
|
|
<Firewall id="id42462X47974" host_OS="linux24" inactive="False" lastCompiled="1272404264" lastInstalled="0" lastModified="1242537217" platform="iptables" version="" name="firewall-ipv6-5" comment="Two interfaces: one has an ipv4 address, the other an ipv6 address. Combined ipv4+ipv6 rule set. Only the interface whose address matches the address family should be used in the generated rule." ro="False">
|
|
<NAT id="id42589X47974" name="NAT" comment="" ro="False" ipv4_rule_set="True" ipv6_rule_set="True" top_rule_set="True">
|
|
<RuleSetOptions/>
|
|
</NAT>
|
|
<Policy id="id42468X47974" name="Policy" comment="" ro="False" ipv4_rule_set="True" ipv6_rule_set="True" top_rule_set="True">
|
|
<PolicyRule id="id42469X47974" disabled="False" group="" log="False" position="0" action="Accept" direction="Inbound" comment="">
|
|
<Src neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="id42462X47974"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="tcp-SSH"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="id42606X47974"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="connlimit_masklen">0</Option>
|
|
<Option name="connlimit_value">0</Option>
|
|
<Option name="firewall_is_part_of_any_and_networks">False</Option>
|
|
<Option name="hashlimit_burst">0</Option>
|
|
<Option name="hashlimit_dstlimit">False</Option>
|
|
<Option name="hashlimit_expire">0</Option>
|
|
<Option name="hashlimit_gcinterval">0</Option>
|
|
<Option name="hashlimit_max">0</Option>
|
|
<Option name="hashlimit_mode_dstip">False</Option>
|
|
<Option name="hashlimit_mode_dstport">False</Option>
|
|
<Option name="hashlimit_mode_srcip">False</Option>
|
|
<Option name="hashlimit_mode_srcport">False</Option>
|
|
<Option name="hashlimit_name"/>
|
|
<Option name="hashlimit_size">0</Option>
|
|
<Option name="hashlimit_suffix"/>
|
|
<Option name="hashlimit_value">0</Option>
|
|
<Option name="limit_burst">0</Option>
|
|
<Option name="limit_suffix"/>
|
|
<Option name="limit_value">0</Option>
|
|
<Option name="log_level"/>
|
|
<Option name="log_prefix"/>
|
|
<Option name="stateless">True</Option>
|
|
<Option name="ulog_nlgroup">1</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<PolicyRule id="id139728X48026" disabled="False" group="" log="False" position="1" action="Accept" direction="Inbound" comment="">
|
|
<Src neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="id42462X47974"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="tcp-SSH"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="id42611X47974"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="connlimit_masklen">0</Option>
|
|
<Option name="connlimit_value">0</Option>
|
|
<Option name="firewall_is_part_of_any_and_networks">False</Option>
|
|
<Option name="hashlimit_burst">0</Option>
|
|
<Option name="hashlimit_dstlimit">False</Option>
|
|
<Option name="hashlimit_expire">0</Option>
|
|
<Option name="hashlimit_gcinterval">0</Option>
|
|
<Option name="hashlimit_max">0</Option>
|
|
<Option name="hashlimit_mode_dstip">False</Option>
|
|
<Option name="hashlimit_mode_dstport">False</Option>
|
|
<Option name="hashlimit_mode_srcip">False</Option>
|
|
<Option name="hashlimit_mode_srcport">False</Option>
|
|
<Option name="hashlimit_name"/>
|
|
<Option name="hashlimit_size">0</Option>
|
|
<Option name="hashlimit_suffix"/>
|
|
<Option name="hashlimit_value">0</Option>
|
|
<Option name="limit_burst">0</Option>
|
|
<Option name="limit_suffix"/>
|
|
<Option name="limit_value">0</Option>
|
|
<Option name="log_level"/>
|
|
<Option name="log_prefix"/>
|
|
<Option name="stateless">True</Option>
|
|
<Option name="ulog_nlgroup">1</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<PolicyRule id="id333172X48026" disabled="False" group="" log="False" position="2" action="Accept" direction="Inbound" comment="">
|
|
<Src neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="id42462X47974"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="tcp-SSH"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="id42611X47974"/>
|
|
<ObjectRef ref="id42606X47974"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="connlimit_masklen">0</Option>
|
|
<Option name="connlimit_value">0</Option>
|
|
<Option name="firewall_is_part_of_any_and_networks">False</Option>
|
|
<Option name="hashlimit_burst">0</Option>
|
|
<Option name="hashlimit_dstlimit">False</Option>
|
|
<Option name="hashlimit_expire">0</Option>
|
|
<Option name="hashlimit_gcinterval">0</Option>
|
|
<Option name="hashlimit_max">0</Option>
|
|
<Option name="hashlimit_mode_dstip">False</Option>
|
|
<Option name="hashlimit_mode_dstport">False</Option>
|
|
<Option name="hashlimit_mode_srcip">False</Option>
|
|
<Option name="hashlimit_mode_srcport">False</Option>
|
|
<Option name="hashlimit_name"/>
|
|
<Option name="hashlimit_size">0</Option>
|
|
<Option name="hashlimit_suffix"/>
|
|
<Option name="hashlimit_value">0</Option>
|
|
<Option name="limit_burst">0</Option>
|
|
<Option name="limit_suffix"/>
|
|
<Option name="limit_value">0</Option>
|
|
<Option name="log_level"/>
|
|
<Option name="log_prefix"/>
|
|
<Option name="stateless">True</Option>
|
|
<Option name="ulog_nlgroup">1</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<RuleSetOptions/>
|
|
</Policy>
|
|
<Routing id="id42605X47974" name="Routing" comment="" ro="False" ipv4_rule_set="False" ipv6_rule_set="False" top_rule_set="True">
|
|
<RuleSetOptions/>
|
|
</Routing>
|
|
<Interface id="id42606X47974" dedicated_failover="False" dyn="False" label="" security_level="50" unnum="False" unprotected="False" name="eth0" comment="" ro="False">
|
|
<IPv4 id="id42609X47974" name="firewall-ipv6-5:eth0:ip" comment="" ro="False" address="1.1.1.1" netmask="255.255.255.0"/>
|
|
<InterfaceOptions/>
|
|
</Interface>
|
|
<Interface id="id42611X47974" dedicated_failover="False" dyn="False" label="" mgmt="False" security_level="0" unnum="False" unprotected="False" name="eth1" comment="" ro="False">
|
|
<IPv6 id="id236458X48026" name="firewall-ipv6-5:eth1:ipv6" comment="" ro="False" address="fe80::21d:9ff:fe8b:8e94" netmask="64"/>
|
|
<InterfaceOptions/>
|
|
</Interface>
|
|
<Management address="1.1.1.1">
|
|
<SNMPManagement enabled="False" snmp_read_community="" snmp_write_community=""/>
|
|
<FWBDManagement enabled="False" identity="" port="-1"/>
|
|
<PolicyInstallScript arguments="" command="" enabled="False"/>
|
|
</Management>
|
|
<FirewallOptions>
|
|
<Option name="accept_established">True</Option>
|
|
<Option name="accept_new_tcp_with_no_syn">True</Option>
|
|
<Option name="action_on_reject"/>
|
|
<Option name="activationCmd"/>
|
|
<Option name="add_check_state_rule">true</Option>
|
|
<Option name="admUser"/>
|
|
<Option name="altAddress"/>
|
|
<Option name="bridging_fw">False</Option>
|
|
<Option name="check_shading">False</Option>
|
|
<Option name="clamp_mss_to_mtu">False</Option>
|
|
<Option name="classify_mark_terminating">False</Option>
|
|
<Option name="cmdline">-xt</Option>
|
|
<Option name="compiler"/>
|
|
<Option name="configure_interfaces">True</Option>
|
|
<Option name="debug">False</Option>
|
|
<Option name="drop_invalid">False</Option>
|
|
<Option name="eliminate_duplicates">true</Option>
|
|
<Option name="enable_ipv6">True</Option>
|
|
<Option name="epilog_script"/>
|
|
<Option name="firewall_dir">/etc</Option>
|
|
<Option name="firewall_is_part_of_any_and_networks">True</Option>
|
|
<Option name="freebsd_ip_forward">1</Option>
|
|
<Option name="ignore_empty_groups">False</Option>
|
|
<Option name="in_out_code">true</Option>
|
|
<Option name="iosacl_add_clear_statements">true</Option>
|
|
<Option name="iosacl_assume_fw_part_of_any">true</Option>
|
|
<Option name="iosacl_include_comments">true</Option>
|
|
<Option name="ipt_mangle_only_rulesets"/>
|
|
<Option name="ipv4_6_order">ipv4_first</Option>
|
|
<Option name="limit_suffix"/>
|
|
<Option name="limit_value">0</Option>
|
|
<Option name="linux24_accept_redirects"/>
|
|
<Option name="linux24_accept_source_route"/>
|
|
<Option name="linux24_icmp_echo_ignore_all"/>
|
|
<Option name="linux24_icmp_echo_ignore_broadcasts"/>
|
|
<Option name="linux24_icmp_ignore_bogus_error_responses"/>
|
|
<Option name="linux24_ip_dynaddr"/>
|
|
<Option name="linux24_ip_forward">1</Option>
|
|
<Option name="linux24_ipv6_forward">1</Option>
|
|
<Option name="linux24_log_martians"/>
|
|
<Option name="linux24_path_ip"/>
|
|
<Option name="linux24_path_ip6tables"/>
|
|
<Option name="linux24_path_ip6tables_restore"/>
|
|
<Option name="linux24_path_iptables"/>
|
|
<Option name="linux24_path_iptables_restore"/>
|
|
<Option name="linux24_path_logger"/>
|
|
<Option name="linux24_path_lsmod"/>
|
|
<Option name="linux24_path_modprobe"/>
|
|
<Option name="linux24_rp_filter"/>
|
|
<Option name="linux24_tcp_ecn"/>
|
|
<Option name="linux24_tcp_fack"/>
|
|
<Option name="linux24_tcp_fin_timeout">0</Option>
|
|
<Option name="linux24_tcp_keepalive_interval">0</Option>
|
|
<Option name="linux24_tcp_sack"/>
|
|
<Option name="linux24_tcp_syncookies"/>
|
|
<Option name="linux24_tcp_timestamps"/>
|
|
<Option name="linux24_tcp_window_scaling"/>
|
|
<Option name="load_modules">True</Option>
|
|
<Option name="local_nat">False</Option>
|
|
<Option name="log_all">False</Option>
|
|
<Option name="log_invalid">True</Option>
|
|
<Option name="log_ip_opt">False</Option>
|
|
<Option name="log_level">info</Option>
|
|
<Option name="log_prefix">RULE %N -- %A </Option>
|
|
<Option name="log_tcp_opt">False</Option>
|
|
<Option name="log_tcp_seq">False</Option>
|
|
<Option name="loopback_interface">lo0</Option>
|
|
<Option name="macosx_ip_forward">1</Option>
|
|
<Option name="manage_virtual_addr">True</Option>
|
|
<Option name="mgmt_addr"/>
|
|
<Option name="mgmt_ssh">False</Option>
|
|
<Option name="no_ipv6_default_policy">False</Option>
|
|
<Option name="openbsd_ip_forward">1</Option>
|
|
<Option name="output_file"/>
|
|
<Option name="pass_all_out">false</Option>
|
|
<Option name="pf_limit_frags">5000</Option>
|
|
<Option name="pf_limit_states">10000</Option>
|
|
<Option name="pf_scrub_maxmss">1460</Option>
|
|
<Option name="pf_timeout_frag">30</Option>
|
|
<Option name="pf_timeout_interval">10</Option>
|
|
<Option name="pix_add_clear_statements">true</Option>
|
|
<Option name="pix_assume_fw_part_of_any">true</Option>
|
|
<Option name="pix_default_logint">300</Option>
|
|
<Option name="pix_emblem_log_format">false</Option>
|
|
<Option name="pix_emulate_out_acl">true</Option>
|
|
<Option name="pix_floodguard">true</Option>
|
|
<Option name="pix_include_comments">true</Option>
|
|
<Option name="pix_route_dnat_supported">true</Option>
|
|
<Option name="pix_rule_syslog_settings">false</Option>
|
|
<Option name="pix_security_fragguard_supported">true</Option>
|
|
<Option name="pix_syslog_device_id_supported">false</Option>
|
|
<Option name="pix_use_acl_remarks">true</Option>
|
|
<Option name="prolog_place">top</Option>
|
|
<Option name="prolog_script"/>
|
|
<Option name="prompt1">$ </Option>
|
|
<Option name="prompt2"> # </Option>
|
|
<Option name="scpArgs"/>
|
|
<Option name="solaris_ip_forward">1</Option>
|
|
<Option name="sshArgs"/>
|
|
<Option name="ulog_cprange">0</Option>
|
|
<Option name="ulog_nlgroup">1</Option>
|
|
<Option name="ulog_qthreshold">1</Option>
|
|
<Option name="use_ULOG">True</Option>
|
|
<Option name="use_iptables_restore">False</Option>
|
|
<Option name="use_numeric_log_levels">False</Option>
|
|
<Option name="verify_interfaces">True</Option>
|
|
</FirewallOptions>
|
|
</Firewall>
|
|
<Firewall id="id178341X48026" host_OS="linux24" inactive="False" lastCompiled="1272404268" lastInstalled="0" lastModified="1242538408" platform="iptables" version="" name="firewall-ipv6-6" comment="One interface with both ipv4 and ipv6 addresses" ro="False">
|
|
<NAT id="id178372X48026" name="NAT" comment="" ro="False" ipv4_rule_set="True" ipv6_rule_set="True" top_rule_set="True">
|
|
<RuleSetOptions/>
|
|
</NAT>
|
|
<Policy id="id178347X48026" name="Policy" comment="" ro="False" ipv4_rule_set="True" ipv6_rule_set="False" top_rule_set="True">
|
|
<PolicyRule id="id178348X48026" disabled="False" group="" log="False" position="0" action="Accept" direction="Inbound" comment="">
|
|
<Src neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="id178341X48026"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="tcp-SSH"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="id178389X48026"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="connlimit_masklen">0</Option>
|
|
<Option name="connlimit_value">0</Option>
|
|
<Option name="firewall_is_part_of_any_and_networks">False</Option>
|
|
<Option name="hashlimit_burst">0</Option>
|
|
<Option name="hashlimit_dstlimit">False</Option>
|
|
<Option name="hashlimit_expire">0</Option>
|
|
<Option name="hashlimit_gcinterval">0</Option>
|
|
<Option name="hashlimit_max">0</Option>
|
|
<Option name="hashlimit_mode_dstip">False</Option>
|
|
<Option name="hashlimit_mode_dstport">False</Option>
|
|
<Option name="hashlimit_mode_srcip">False</Option>
|
|
<Option name="hashlimit_mode_srcport">False</Option>
|
|
<Option name="hashlimit_name"/>
|
|
<Option name="hashlimit_size">0</Option>
|
|
<Option name="hashlimit_suffix"/>
|
|
<Option name="hashlimit_value">0</Option>
|
|
<Option name="limit_burst">0</Option>
|
|
<Option name="limit_suffix"/>
|
|
<Option name="limit_value">0</Option>
|
|
<Option name="log_level"/>
|
|
<Option name="log_prefix"/>
|
|
<Option name="stateless">True</Option>
|
|
<Option name="ulog_nlgroup">1</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<RuleSetOptions/>
|
|
</Policy>
|
|
<Policy id="id313823X48026" name="Policy_v6" comment="" ro="False" ipv4_rule_set="False" ipv6_rule_set="True" top_rule_set="True">
|
|
<PolicyRule id="id313826X48026" disabled="False" group="" log="False" position="0" action="Accept" direction="Inbound" comment="">
|
|
<Src neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="id178341X48026"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="tcp-SSH"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="id178389X48026"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="connlimit_masklen">0</Option>
|
|
<Option name="connlimit_value">0</Option>
|
|
<Option name="firewall_is_part_of_any_and_networks">False</Option>
|
|
<Option name="hashlimit_burst">0</Option>
|
|
<Option name="hashlimit_dstlimit">False</Option>
|
|
<Option name="hashlimit_expire">0</Option>
|
|
<Option name="hashlimit_gcinterval">0</Option>
|
|
<Option name="hashlimit_max">0</Option>
|
|
<Option name="hashlimit_mode_dstip">False</Option>
|
|
<Option name="hashlimit_mode_dstport">False</Option>
|
|
<Option name="hashlimit_mode_srcip">False</Option>
|
|
<Option name="hashlimit_mode_srcport">False</Option>
|
|
<Option name="hashlimit_name"/>
|
|
<Option name="hashlimit_size">0</Option>
|
|
<Option name="hashlimit_suffix"/>
|
|
<Option name="hashlimit_value">0</Option>
|
|
<Option name="limit_burst">0</Option>
|
|
<Option name="limit_suffix"/>
|
|
<Option name="limit_value">0</Option>
|
|
<Option name="log_level"/>
|
|
<Option name="log_prefix"/>
|
|
<Option name="stateless">True</Option>
|
|
<Option name="ulog_nlgroup">1</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<RuleSetOptions/>
|
|
</Policy>
|
|
<Routing id="id178388X48026" name="Routing" comment="" ro="False" ipv4_rule_set="False" ipv6_rule_set="False" top_rule_set="True">
|
|
<RuleSetOptions/>
|
|
</Routing>
|
|
<Interface id="id178389X48026" dedicated_failover="False" dyn="False" label="" security_level="50" unnum="False" unprotected="False" name="eth0" comment="" ro="False">
|
|
<IPv4 id="id178391X48026" name="firewall-ipv6-6:eth0:ip" comment="" ro="False" address="1.1.1.1" netmask="255.255.255.0"/>
|
|
<IPv6 id="id255814X48026" name="firewall-ipv6-6:eth0:ipv6" comment="" ro="False" address="fe80::21d:9ff:fe8b:8e94" netmask="64"/>
|
|
<InterfaceOptions/>
|
|
</Interface>
|
|
<Interface id="id178392X48026" dedicated_failover="False" dyn="True" label="" mgmt="False" security_level="0" unnum="False" unprotected="False" name="eth1" comment="" ro="False">
|
|
<InterfaceOptions/>
|
|
</Interface>
|
|
<Management address="1.1.1.1">
|
|
<SNMPManagement enabled="False" snmp_read_community="" snmp_write_community=""/>
|
|
<FWBDManagement enabled="False" identity="" port="-1"/>
|
|
<PolicyInstallScript arguments="" command="" enabled="False"/>
|
|
</Management>
|
|
<FirewallOptions>
|
|
<Option name="accept_established">True</Option>
|
|
<Option name="accept_new_tcp_with_no_syn">True</Option>
|
|
<Option name="action_on_reject"/>
|
|
<Option name="activationCmd"/>
|
|
<Option name="add_check_state_rule">true</Option>
|
|
<Option name="admUser"/>
|
|
<Option name="altAddress"/>
|
|
<Option name="bridging_fw">False</Option>
|
|
<Option name="check_shading">True</Option>
|
|
<Option name="clamp_mss_to_mtu">False</Option>
|
|
<Option name="classify_mark_terminating">False</Option>
|
|
<Option name="cmdline">-xt</Option>
|
|
<Option name="compiler"/>
|
|
<Option name="configure_interfaces">True</Option>
|
|
<Option name="debug">False</Option>
|
|
<Option name="drop_invalid">False</Option>
|
|
<Option name="eliminate_duplicates">true</Option>
|
|
<Option name="enable_ipv6">True</Option>
|
|
<Option name="epilog_script"/>
|
|
<Option name="firewall_dir">/etc</Option>
|
|
<Option name="firewall_is_part_of_any_and_networks">True</Option>
|
|
<Option name="freebsd_ip_forward">1</Option>
|
|
<Option name="ignore_empty_groups">False</Option>
|
|
<Option name="in_out_code">true</Option>
|
|
<Option name="iosacl_add_clear_statements">true</Option>
|
|
<Option name="iosacl_assume_fw_part_of_any">true</Option>
|
|
<Option name="iosacl_include_comments">true</Option>
|
|
<Option name="ipt_mangle_only_rulesets"/>
|
|
<Option name="ipv4_6_order">ipv4_first</Option>
|
|
<Option name="limit_suffix"/>
|
|
<Option name="limit_value">0</Option>
|
|
<Option name="linux24_accept_redirects"/>
|
|
<Option name="linux24_accept_source_route"/>
|
|
<Option name="linux24_icmp_echo_ignore_all"/>
|
|
<Option name="linux24_icmp_echo_ignore_broadcasts"/>
|
|
<Option name="linux24_icmp_ignore_bogus_error_responses"/>
|
|
<Option name="linux24_ip_dynaddr"/>
|
|
<Option name="linux24_ip_forward">1</Option>
|
|
<Option name="linux24_ipv6_forward">1</Option>
|
|
<Option name="linux24_log_martians"/>
|
|
<Option name="linux24_path_ip"/>
|
|
<Option name="linux24_path_ip6tables"/>
|
|
<Option name="linux24_path_ip6tables_restore"/>
|
|
<Option name="linux24_path_iptables"/>
|
|
<Option name="linux24_path_iptables_restore"/>
|
|
<Option name="linux24_path_logger"/>
|
|
<Option name="linux24_path_lsmod"/>
|
|
<Option name="linux24_path_modprobe"/>
|
|
<Option name="linux24_rp_filter"/>
|
|
<Option name="linux24_tcp_ecn"/>
|
|
<Option name="linux24_tcp_fack"/>
|
|
<Option name="linux24_tcp_fin_timeout">0</Option>
|
|
<Option name="linux24_tcp_keepalive_interval">0</Option>
|
|
<Option name="linux24_tcp_sack"/>
|
|
<Option name="linux24_tcp_syncookies"/>
|
|
<Option name="linux24_tcp_timestamps"/>
|
|
<Option name="linux24_tcp_window_scaling"/>
|
|
<Option name="load_modules">True</Option>
|
|
<Option name="local_nat">False</Option>
|
|
<Option name="log_all">False</Option>
|
|
<Option name="log_invalid">True</Option>
|
|
<Option name="log_ip_opt">False</Option>
|
|
<Option name="log_level">info</Option>
|
|
<Option name="log_prefix">RULE %N -- %A </Option>
|
|
<Option name="log_tcp_opt">False</Option>
|
|
<Option name="log_tcp_seq">False</Option>
|
|
<Option name="loopback_interface">lo0</Option>
|
|
<Option name="macosx_ip_forward">1</Option>
|
|
<Option name="manage_virtual_addr">True</Option>
|
|
<Option name="mgmt_addr"/>
|
|
<Option name="mgmt_ssh">False</Option>
|
|
<Option name="no_ipv6_default_policy">False</Option>
|
|
<Option name="openbsd_ip_forward">1</Option>
|
|
<Option name="output_file"/>
|
|
<Option name="pass_all_out">false</Option>
|
|
<Option name="pf_limit_frags">5000</Option>
|
|
<Option name="pf_limit_states">10000</Option>
|
|
<Option name="pf_scrub_maxmss">1460</Option>
|
|
<Option name="pf_timeout_frag">30</Option>
|
|
<Option name="pf_timeout_interval">10</Option>
|
|
<Option name="pix_add_clear_statements">true</Option>
|
|
<Option name="pix_assume_fw_part_of_any">true</Option>
|
|
<Option name="pix_default_logint">300</Option>
|
|
<Option name="pix_emblem_log_format">false</Option>
|
|
<Option name="pix_emulate_out_acl">true</Option>
|
|
<Option name="pix_floodguard">true</Option>
|
|
<Option name="pix_include_comments">true</Option>
|
|
<Option name="pix_route_dnat_supported">true</Option>
|
|
<Option name="pix_rule_syslog_settings">false</Option>
|
|
<Option name="pix_security_fragguard_supported">true</Option>
|
|
<Option name="pix_syslog_device_id_supported">false</Option>
|
|
<Option name="pix_use_acl_remarks">true</Option>
|
|
<Option name="prolog_place">top</Option>
|
|
<Option name="prolog_script"/>
|
|
<Option name="prompt1">$ </Option>
|
|
<Option name="prompt2"> # </Option>
|
|
<Option name="scpArgs"/>
|
|
<Option name="solaris_ip_forward">1</Option>
|
|
<Option name="sshArgs"/>
|
|
<Option name="ulog_cprange">0</Option>
|
|
<Option name="ulog_nlgroup">1</Option>
|
|
<Option name="ulog_qthreshold">1</Option>
|
|
<Option name="use_ULOG">True</Option>
|
|
<Option name="use_iptables_restore">False</Option>
|
|
<Option name="use_numeric_log_levels">False</Option>
|
|
<Option name="verify_interfaces">True</Option>
|
|
</FirewallOptions>
|
|
</Firewall>
|
|
<Firewall id="id45738X95438" host_OS="linux24" lastCompiled="1244482781" lastInstalled="0" lastModified="1247363562" platform="iptables" version="" name="fw1" comment="This firewall has two interfaces. Eth0 faces outside and has a dynamic address; eth1 faces inside. Policy includes basic rules to permit unrestricted outbound access and anti-spoofing rules. Access to the firewall is permitted only from internal network and only using SSH. The firewall uses one of the machines on internal network for DNS. Internal network is configured with address 192.168.1.0/255.255.255.0" ro="False">
|
|
<NAT id="id46392X95438" name="NAT" comment="" ro="False" ipv4_rule_set="False" ipv6_rule_set="False" top_rule_set="True">
|
|
<NATRule id="id46393X95438" disabled="False" group="" position="0" action="Translate" comment="">
|
|
<OSrc neg="False">
|
|
<ObjectRef ref="id3DC75CE7-1"/>
|
|
</OSrc>
|
|
<ODst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ODst>
|
|
<OSrv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</OSrv>
|
|
<TSrc neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</TSrc>
|
|
<TDst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</TDst>
|
|
<TSrv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</TSrv>
|
|
<ItfInb neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ItfInb>
|
|
<ItfOutb neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ItfOutb>
|
|
<NATRuleOptions/>
|
|
</NATRule>
|
|
<NATRule id="id46425X95438" disabled="False" group="" position="1" action="Translate" comment="source port only">
|
|
<OSrc neg="False">
|
|
<ObjectRef ref="id3DC75CE7-1"/>
|
|
</OSrc>
|
|
<ODst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ODst>
|
|
<OSrv neg="False">
|
|
<ServiceRef ref="id46447X95438"/>
|
|
</OSrv>
|
|
<TSrc neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</TSrc>
|
|
<TDst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</TDst>
|
|
<TSrv neg="False">
|
|
<ServiceRef ref="id46457X95438"/>
|
|
</TSrv>
|
|
<ItfInb neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ItfInb>
|
|
<ItfOutb neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ItfOutb>
|
|
<NATRuleOptions/>
|
|
</NATRule>
|
|
<NATRule id="id46460X95438" disabled="False" group="" position="2" action="Translate" comment="dest port only">
|
|
<OSrc neg="False">
|
|
<ObjectRef ref="id3DC75CE7-1"/>
|
|
</OSrc>
|
|
<ODst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ODst>
|
|
<OSrv neg="False">
|
|
<ServiceRef ref="id46482X95438"/>
|
|
</OSrv>
|
|
<TSrc neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</TSrc>
|
|
<TDst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</TDst>
|
|
<TSrv neg="False">
|
|
<ServiceRef ref="id46492X95438"/>
|
|
</TSrv>
|
|
<ItfInb neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ItfInb>
|
|
<ItfOutb neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ItfOutb>
|
|
<NATRuleOptions/>
|
|
</NATRule>
|
|
<NATRule id="id46495X95438" disabled="False" group="" position="3" action="Translate" comment="SDNAT ">
|
|
<OSrc neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</OSrc>
|
|
<ODst neg="False">
|
|
<ObjectRef ref="id45738X95438"/>
|
|
</ODst>
|
|
<OSrv neg="False">
|
|
<ServiceRef ref="id45821X95438"/>
|
|
</OSrv>
|
|
<TSrc neg="False">
|
|
<ObjectRef ref="id45738X95438"/>
|
|
</TSrc>
|
|
<TDst neg="False">
|
|
<ObjectRef ref="id46523X95438"/>
|
|
</TDst>
|
|
<TSrv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</TSrv>
|
|
<ItfInb neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ItfInb>
|
|
<ItfOutb neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ItfOutb>
|
|
<NATRuleOptions/>
|
|
</NATRule>
|
|
<NATRule id="id46529X95438" disabled="False" group="" position="4" action="Translate" comment="SDNAT with source port">
|
|
<OSrc neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</OSrc>
|
|
<ODst neg="False">
|
|
<ObjectRef ref="id45738X95438"/>
|
|
</ODst>
|
|
<OSrv neg="False">
|
|
<ServiceRef ref="id46447X95438"/>
|
|
</OSrv>
|
|
<TSrc neg="False">
|
|
<ObjectRef ref="id45738X95438"/>
|
|
</TSrc>
|
|
<TDst neg="False">
|
|
<ObjectRef ref="id46523X95438"/>
|
|
</TDst>
|
|
<TSrv neg="False">
|
|
<ServiceRef ref="id46457X95438"/>
|
|
</TSrv>
|
|
<ItfInb neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ItfInb>
|
|
<ItfOutb neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ItfOutb>
|
|
<NATRuleOptions/>
|
|
</NATRule>
|
|
<NATRule id="id46562X95438" disabled="False" group="" position="5" action="Translate" comment="SDNAT with dest port">
|
|
<OSrc neg="False">
|
|
<ObjectRef ref="id3DC75CE7-1"/>
|
|
</OSrc>
|
|
<ODst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ODst>
|
|
<OSrv neg="False">
|
|
<ServiceRef ref="id46482X95438"/>
|
|
</OSrv>
|
|
<TSrc neg="False">
|
|
<ObjectRef ref="id45738X95438"/>
|
|
</TSrc>
|
|
<TDst neg="False">
|
|
<ObjectRef ref="id46523X95438"/>
|
|
</TDst>
|
|
<TSrv neg="False">
|
|
<ServiceRef ref="id46492X95438"/>
|
|
</TSrv>
|
|
<ItfInb neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ItfInb>
|
|
<ItfOutb neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ItfOutb>
|
|
<NATRuleOptions/>
|
|
</NATRule>
|
|
<NATRule id="id46595X95438" disabled="False" group="" position="6" action="Translate" comment="SDNAT translate src and dst addresses and src and dst ports">
|
|
<OSrc neg="False">
|
|
<ObjectRef ref="id3DC75CE7-1"/>
|
|
</OSrc>
|
|
<ODst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ODst>
|
|
<OSrv neg="False">
|
|
<ServiceRef ref="id46617X95438"/>
|
|
</OSrv>
|
|
<TSrc neg="False">
|
|
<ObjectRef ref="id45738X95438"/>
|
|
</TSrc>
|
|
<TDst neg="False">
|
|
<ObjectRef ref="id46523X95438"/>
|
|
</TDst>
|
|
<TSrv neg="False">
|
|
<ServiceRef ref="id46627X95438"/>
|
|
</TSrv>
|
|
<ItfInb neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ItfInb>
|
|
<ItfOutb neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ItfOutb>
|
|
<NATRuleOptions/>
|
|
</NATRule>
|
|
<NATRule id="id46630X95438" disabled="False" group="" position="7" action="Translate" comment="">
|
|
<OSrc neg="False">
|
|
<ObjectRef ref="id3DC75CE7-1"/>
|
|
</OSrc>
|
|
<ODst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ODst>
|
|
<OSrv neg="False">
|
|
<ServiceRef ref="id46482X95438"/>
|
|
</OSrv>
|
|
<TSrc neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</TSrc>
|
|
<TDst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</TDst>
|
|
<TSrv neg="False">
|
|
<ServiceRef ref="id46457X95438"/>
|
|
</TSrv>
|
|
<ItfInb neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ItfInb>
|
|
<ItfOutb neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ItfOutb>
|
|
<NATRuleOptions/>
|
|
</NATRule>
|
|
<NATRule id="id46663X95438" disabled="False" group="" position="8" action="Translate" comment="">
|
|
<OSrc neg="False">
|
|
<ObjectRef ref="id3DC75CE7-1"/>
|
|
</OSrc>
|
|
<ODst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ODst>
|
|
<OSrv neg="False">
|
|
<ServiceRef ref="id45821X95438"/>
|
|
</OSrv>
|
|
<TSrc neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</TSrc>
|
|
<TDst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</TDst>
|
|
<TSrv neg="False">
|
|
<ServiceRef ref="id46457X95438"/>
|
|
</TSrv>
|
|
<ItfInb neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ItfInb>
|
|
<ItfOutb neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ItfOutb>
|
|
<NATRuleOptions/>
|
|
</NATRule>
|
|
<RuleSetOptions/>
|
|
</NAT>
|
|
<Policy id="id45744X95438" name="Policy" comment="" ro="False" ipv4_rule_set="False" ipv6_rule_set="False" top_rule_set="True">
|
|
<PolicyRule id="id45745X95438" disabled="False" group="New Group" log="True" position="0" action="Deny" direction="Inbound" comment="anti spoofing rule">
|
|
<Src neg="False">
|
|
<ObjectRef ref="id45738X95438"/>
|
|
<ObjectRef ref="id3DC75CE7-1"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="id46203X95438"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="color"/>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<PolicyRule id="id46224X95438" disabled="False" group="New Group" log="False" position="1" action="Accept" direction="Both" comment="">
|
|
<Src neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="color"/>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<PolicyRule id="id46251X95438" disabled="False" group="New Group" log="False" position="2" action="Accept" direction="Both" comment="SSH Access to firewall is permitted only from internal network">
|
|
<Src neg="False">
|
|
<ObjectRef ref="id3DC75CE7-1"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="id45738X95438"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="tcp-SSH"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="color"/>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<PolicyRule id="id46279X95438" disabled="False" group="New Group" log="True" position="3" action="Accept" direction="Both" comment="Firewall uses one of the machines on internal network for DNS">
|
|
<Src neg="False">
|
|
<ObjectRef ref="id45738X95438"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="id3DC75CE7-1"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="id3F530CC8"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions/>
|
|
</PolicyRule>
|
|
<PolicyRule id="id46307X95438" disabled="False" group="New Group" log="True" position="4" action="Deny" direction="Both" comment="All other attempts to connect to the firewall are denied and logged">
|
|
<Src neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="id45738X95438"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="color"/>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<PolicyRule id="id46335X95438" disabled="False" group="" log="False" position="5" action="Accept" direction="Both" comment="">
|
|
<Src neg="False">
|
|
<ObjectRef ref="id3DC75CE7-1"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="id46355X95438"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="color"/>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<PolicyRule id="id46364X95438" disabled="False" group="" log="True" position="6" action="Reject" direction="Both" comment="">
|
|
<Src neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="stateless">True</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<RuleSetOptions/>
|
|
</Policy>
|
|
<Routing id="id46696X95438" name="Routing" comment="" ro="False" ipv4_rule_set="False" ipv6_rule_set="False" top_rule_set="True">
|
|
<RuleSetOptions/>
|
|
</Routing>
|
|
<Interface id="id46697X95438" dedicated_failover="False" dyn="False" label="outside" mgmt="False" security_level="0" unnum="False" unprotected="False" name="eth0" comment="" ro="False">
|
|
<IPv4 id="id46698X95438" name="fw1:eth0:ip" comment="" ro="False" address="192.0.2.1" netmask="255.255.255.0"/>
|
|
<InterfaceOptions/>
|
|
</Interface>
|
|
<Interface id="id46699X95438" dedicated_failover="False" dyn="False" label="inside" mgmt="True" security_level="100" unnum="False" unprotected="False" name="eth1" comment="" ro="False">
|
|
<IPv4 id="id46700X95438" name="fw1:eth1:ip" comment="" ro="False" address="192.168.1.1" netmask="255.255.255.0"/>
|
|
<IPv6 id="id46701X95438" name="fw1:eth1:ipv6" comment="" ro="False" address="fe80::21d:9ff:fe8b:8e94" netmask="64"/>
|
|
<InterfaceOptions/>
|
|
</Interface>
|
|
<Interface id="id46702X95438" dedicated_failover="False" dyn="False" label="loopback" mgmt="False" security_level="100" unnum="False" unprotected="False" name="lo" comment="" ro="False">
|
|
<IPv4 id="id46703X95438" name="fw1:lo:ip" comment="" ro="False" address="127.0.0.1" netmask="255.0.0.0"/>
|
|
<InterfaceOptions/>
|
|
</Interface>
|
|
<Management address="0.0.0.0">
|
|
<SNMPManagement enabled="False" snmp_read_community="" snmp_write_community=""/>
|
|
<FWBDManagement enabled="False" identity="" port="-1"/>
|
|
<PolicyInstallScript arguments="" command="" enabled="False"/>
|
|
</Management>
|
|
<FirewallOptions>
|
|
<Option name="accept_established">true</Option>
|
|
<Option name="accept_new_tcp_with_no_syn">true</Option>
|
|
<Option name="add_check_state_rule">true</Option>
|
|
<Option name="check_shading">true</Option>
|
|
<Option name="configure_interfaces">true</Option>
|
|
<Option name="eliminate_duplicates">true</Option>
|
|
<Option name="firewall_dir">/etc</Option>
|
|
<Option name="firewall_is_part_of_any_and_networks">true</Option>
|
|
<Option name="freebsd_ip_forward">1</Option>
|
|
<Option name="in_out_code">true</Option>
|
|
<Option name="iosacl_add_clear_statements">true</Option>
|
|
<Option name="iosacl_assume_fw_part_of_any">true</Option>
|
|
<Option name="iosacl_include_comments">true</Option>
|
|
<Option name="limit_value">0</Option>
|
|
<Option name="linux24_ip_forward">1</Option>
|
|
<Option name="load_modules">true</Option>
|
|
<Option name="local_nat">false</Option>
|
|
<Option name="log_level">info</Option>
|
|
<Option name="log_prefix">RULE %N -- %A </Option>
|
|
<Option name="loopback_interface">lo0</Option>
|
|
<Option name="macosx_ip_forward">1</Option>
|
|
<Option name="manage_virtual_addr">true</Option>
|
|
<Option name="openbsd_ip_forward">1</Option>
|
|
<Option name="pass_all_out">false</Option>
|
|
<Option name="pf_limit_frags">5000</Option>
|
|
<Option name="pf_limit_states">10000</Option>
|
|
<Option name="pf_scrub_maxmss">1460</Option>
|
|
<Option name="pf_timeout_frag">30</Option>
|
|
<Option name="pf_timeout_interval">10</Option>
|
|
<Option name="pix_add_clear_statements">true</Option>
|
|
<Option name="pix_assume_fw_part_of_any">true</Option>
|
|
<Option name="pix_default_logint">300</Option>
|
|
<Option name="pix_emblem_log_format">false</Option>
|
|
<Option name="pix_emulate_out_acl">true</Option>
|
|
<Option name="pix_floodguard">true</Option>
|
|
<Option name="pix_include_comments">true</Option>
|
|
<Option name="pix_route_dnat_supported">true</Option>
|
|
<Option name="pix_rule_syslog_settings">false</Option>
|
|
<Option name="pix_security_fragguard_supported">true</Option>
|
|
<Option name="pix_syslog_device_id_supported">false</Option>
|
|
<Option name="pix_use_acl_remarks">true</Option>
|
|
<Option name="prompt1">$ </Option>
|
|
<Option name="prompt2"> # </Option>
|
|
<Option name="solaris_ip_forward">1</Option>
|
|
<Option name="ulog_nlgroup">1</Option>
|
|
<Option name="verify_interfaces">true</Option>
|
|
</FirewallOptions>
|
|
</Firewall>
|
|
<Firewall id="id45763X95438" host_OS="ios" inactive="False" lastCompiled="1272403930" lastInstalled="1223233524" lastModified="1243804646" platform="iosacl" version="12.x" name="c3620" comment="ff" ro="False">
|
|
<NAT id="id46197X95438" name="NAT" comment="" ro="False" ipv4_rule_set="False" ipv6_rule_set="False" top_rule_set="True">
|
|
<RuleSetOptions/>
|
|
</NAT>
|
|
<Policy id="id45769X95438" name="Policy" comment="" ro="False" ipv4_rule_set="False" ipv6_rule_set="False" top_rule_set="True">
|
|
<PolicyRule id="id45770X95438" disabled="False" group="" log="False" position="0" action="Deny" direction="Inbound" comment="Imported from e1_0_acl_in ">
|
|
<Src neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="id45790X95438"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="stateless">True</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<PolicyRule id="id45799X95438" disabled="False" group="" log="True" position="1" action="Accept" direction="Inbound" comment="Imported from e1_0_acl_in ">
|
|
<Src neg="False">
|
|
<ObjectRef ref="id45813X95438"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="id45817X95438"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="id45821X95438"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="stateless">True</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<PolicyRule id="id45830X95438" disabled="False" group="" log="True" position="2" action="Accept" direction="Inbound" comment="Imported from e1_0_acl_in ">
|
|
<Src neg="False">
|
|
<ObjectRef ref="id45813X95438"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="id45847X95438"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="id45821X95438"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="stateless">True</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<PolicyRule id="id45859X95438" disabled="False" group="" log="True" position="3" action="Accept" direction="Inbound" comment="Imported from e1_0_acl_in ">
|
|
<Src neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="id45876X95438"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="stateless">True</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<PolicyRule id="id45888X95438" disabled="False" group="" log="True" position="4" action="Deny" direction="Inbound" comment="Imported from e1_0_acl_in ">
|
|
<Src neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="color">#8BC065</Option>
|
|
<Option name="stateless">True</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<PolicyRule id="id45916X95438" disabled="False" group="" log="True" position="5" action="Accept" direction="Outbound" comment="Imported from e1_0_acl_out ">
|
|
<Src neg="False">
|
|
<ObjectRef ref="id45876X95438"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="color">#C08B5A</Option>
|
|
<Option name="stateless">True</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<PolicyRule id="id45944X95438" disabled="False" group="" log="True" position="6" action="Deny" direction="Outbound" comment="Imported from e1_0_acl_out ">
|
|
<Src neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="color"/>
|
|
<Option name="stateless">True</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<PolicyRule id="id45972X95438" disabled="False" group="" log="True" position="7" action="Accept" direction="Inbound" comment="Imported from fe0_0_acl_in ">
|
|
<Src neg="False">
|
|
<ObjectRef ref="id45813X95438"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="id45817X95438"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="id45821X95438"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="color"/>
|
|
<Option name="stateless">True</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<PolicyRule id="id46000X95438" disabled="False" group="" log="True" position="8" action="Accept" direction="Inbound" comment="Imported from fe0_0_acl_in ">
|
|
<Src neg="False">
|
|
<ObjectRef ref="id45813X95438"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="id45847X95438"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="id45821X95438"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="color"/>
|
|
<Option name="stateless">True</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<PolicyRule id="id46028X95438" disabled="False" group="" log="True" position="9" action="Accept" direction="Inbound" comment="Imported from fe0_0_acl_in ">
|
|
<Src neg="False">
|
|
<ObjectRef ref="id45876X95438"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="color"/>
|
|
<Option name="stateless">True</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<PolicyRule id="id46056X95438" disabled="False" group="" log="True" position="10" action="Deny" direction="Inbound" comment="Imported from fe0_0_acl_in ">
|
|
<Src neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="color"/>
|
|
<Option name="stateless">True</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<PolicyRule id="id46084X95438" disabled="False" group="" log="True" position="11" action="Accept" direction="Outbound" comment="Imported from fe0_0_acl_out ">
|
|
<Src neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="id45876X95438"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="color"/>
|
|
<Option name="stateless">True</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<PolicyRule id="id46112X95438" disabled="False" group="" log="True" position="12" action="Deny" direction="Outbound" comment="Imported from fe0_0_acl_out ">
|
|
<Src neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="color"/>
|
|
<Option name="stateless">True</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<RuleSetOptions/>
|
|
</Policy>
|
|
<Policy id="id46140X95438" name="ipv6_rules" comment="" ro="False" ipv4_rule_set="False" ipv6_rule_set="True" top_rule_set="True">
|
|
<PolicyRule id="id46141X95438" disabled="False" group="" log="False" position="0" action="Accept" direction="Inbound" comment="">
|
|
<Src neg="False">
|
|
<ObjectRef ref="id46155X95438"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="stateless">False</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<RuleSetOptions/>
|
|
</Policy>
|
|
<Policy id="id46170X95438" name="extra_acl" comment="" ro="False" ipv4_rule_set="False" ipv6_rule_set="False" top_rule_set="False">
|
|
<PolicyRule id="id46171X95438" disabled="False" group="" log="True" position="0" action="Deny" direction="Both" comment="">
|
|
<Src neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="stateless">True</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<RuleSetOptions/>
|
|
</Policy>
|
|
<Routing id="id46198X95438" name="Routing" comment="" ro="False" ipv4_rule_set="False" ipv6_rule_set="False" top_rule_set="True">
|
|
<RuleSetOptions/>
|
|
</Routing>
|
|
<Interface id="id46199X95438" dedicated_failover="False" dyn="False" security_level="0" unnum="False" unprotected="False" name="FastEthernet0/0" comment="" ro="False">
|
|
<IPv4 id="id46200X95438" name="c3620:FastEthernet0/0:ip1" comment="" ro="False" address="192.168.100.100" netmask="255.255.255.0"/>
|
|
<IPv4 id="id46201X95438" name="c3620:FastEthernet0/0:ip2" comment="" ro="False" address="10.3.14.201" netmask="255.255.255.0"/>
|
|
<IPv6 id="id46202X95438" name="c3620:FastEthernet0/0:ipv6" comment="" ro="False" address="fe80::21d:9ff:fe8b:8e94" netmask="64"/>
|
|
<InterfaceOptions/>
|
|
</Interface>
|
|
<Interface id="id46203X95438" dedicated_failover="False" dyn="False" security_level="0" unnum="False" unprotected="False" name="Ethernet1/0" comment="" ro="False">
|
|
<IPv4 id="id46204X95438" name="c3620:Ethernet1/0:ip" comment="" ro="False" address="192.168.171.2" netmask="255.255.255.0"/>
|
|
<InterfaceOptions/>
|
|
</Interface>
|
|
<Interface id="id46205X95438" dedicated_failover="False" dyn="False" security_level="0" unnum="True" unprotected="False" name="Serial1/0" comment="" ro="False">
|
|
<InterfaceOptions/>
|
|
</Interface>
|
|
<Interface id="id46206X95438" dedicated_failover="False" dyn="False" security_level="0" unnum="True" unprotected="False" name="Ethernet1/1" comment="" ro="False">
|
|
<InterfaceOptions/>
|
|
</Interface>
|
|
<Interface id="id46207X95438" dedicated_failover="False" dyn="False" label="" mgmt="False" security_level="0" unnum="False" unprotected="False" name="Serial1/1" comment="" ro="False">
|
|
<IPv4 id="id46208X95438" name="c3620:Serial1/1:ip" comment="" ro="False" address="3.3.3.3" netmask="255.255.255.0"/>
|
|
<InterfaceOptions/>
|
|
</Interface>
|
|
<Management address="192.168.100.100">
|
|
<SNMPManagement enabled="False" snmp_read_community="" snmp_write_community=""/>
|
|
<FWBDManagement enabled="False" identity="" port="-1"/>
|
|
<PolicyInstallScript arguments="" command="" enabled="False"/>
|
|
</Management>
|
|
<FirewallOptions>
|
|
<Option name="accept_established">true</Option>
|
|
<Option name="accept_new_tcp_with_no_syn">true</Option>
|
|
<Option name="add_check_state_rule">true</Option>
|
|
<Option name="admUser"/>
|
|
<Option name="altAddress"/>
|
|
<Option name="check_shading">True</Option>
|
|
<Option name="configure_interfaces">true</Option>
|
|
<Option name="eliminate_duplicates">true</Option>
|
|
<Option name="enable_ipv6">True</Option>
|
|
<Option name="firewall_dir">/etc</Option>
|
|
<Option name="firewall_is_part_of_any_and_networks">true</Option>
|
|
<Option name="freebsd_ip_forward">1</Option>
|
|
<Option name="ignore_empty_groups">False</Option>
|
|
<Option name="in_out_code">true</Option>
|
|
<Option name="iosacl_acl_basic">True</Option>
|
|
<Option name="iosacl_acl_no_clear">False</Option>
|
|
<Option name="iosacl_acl_substitution">False</Option>
|
|
<Option name="iosacl_acl_temp_addr"/>
|
|
<Option name="iosacl_add_clear_statements">true</Option>
|
|
<Option name="iosacl_assume_fw_part_of_any">true</Option>
|
|
<Option name="iosacl_epilog_script"/>
|
|
<Option name="iosacl_include_comments">True</Option>
|
|
<!-- NOTE(review): all IOS logging sinks in this object are off or empty
     (logging_buffered/logging_console False here, iosacl_syslog_host and
     iosacl_syslog_facility empty further down), yet rules in this firewall
     carry log="True" (e.g. the deny-all in "extra_acl"). Where those log hits
     actually land therefore depends on logging already configured on the
     device outside this file; confirm before relying on the denies being
     recorded anywhere. -->
<Option name="iosacl_logging_buffered">False</Option>
|
|
<Option name="iosacl_logging_buffered_level">0</Option>
|
|
<Option name="iosacl_logging_console">False</Option>
|
|
<Option name="iosacl_logging_console_level">0</Option>
|
|
<Option name="iosacl_logging_timestamp">False</Option>
|
|
<Option name="iosacl_logging_trap_level">0</Option>
|
|
<Option name="iosacl_prolog_script"/>
|
|
<Option name="iosacl_regroup_commands">False</Option>
|
|
<Option name="iosacl_syslog_facility"/>
|
|
<Option name="iosacl_syslog_host"/>
|
|
<Option name="ipt_mangle_only_rulesets"/>
|
|
<Option name="ipv4_6_order">ipv4_first</Option>
|
|
<Option name="limit_value">0</Option>
|
|
<Option name="linux24_ip_forward">1</Option>
|
|
<Option name="load_modules">true</Option>
|
|
<Option name="local_nat">false</Option>
|
|
<Option name="log_level">info</Option>
|
|
<Option name="log_prefix">RULE %N -- %A </Option>
|
|
<Option name="loopback_interface">lo0</Option>
|
|
<Option name="macosx_ip_forward">1</Option>
|
|
<Option name="manage_virtual_addr">true</Option>
|
|
<Option name="mgmt_addr"/>
|
|
<Option name="mgmt_ssh">False</Option>
|
|
<Option name="openbsd_ip_forward">1</Option>
|
|
<Option name="output_file"/>
|
|
<Option name="pass_all_out">false</Option>
|
|
<Option name="pf_limit_frags">5000</Option>
|
|
<Option name="pf_limit_states">10000</Option>
|
|
<Option name="pf_scrub_maxmss">1460</Option>
|
|
<Option name="pf_timeout_frag">30</Option>
|
|
<Option name="pf_timeout_interval">10</Option>
|
|
<Option name="pix_add_clear_statements">true</Option>
|
|
<Option name="pix_assume_fw_part_of_any">true</Option>
|
|
<Option name="pix_default_logint">300</Option>
|
|
<Option name="pix_emblem_log_format">false</Option>
|
|
<Option name="pix_emulate_out_acl">true</Option>
|
|
<Option name="pix_floodguard">true</Option>
|
|
<Option name="pix_include_comments">true</Option>
|
|
<Option name="pix_route_dnat_supported">true</Option>
|
|
<Option name="pix_rule_syslog_settings">false</Option>
|
|
<Option name="pix_security_fragguard_supported">true</Option>
|
|
<Option name="pix_syslog_device_id_supported">false</Option>
|
|
<Option name="pix_use_acl_remarks">true</Option>
|
|
<Option name="prompt1">$ </Option>
|
|
<Option name="prompt2"> # </Option>
|
|
<Option name="solaris_ip_forward">1</Option>
|
|
<Option name="sshArgs"/>
|
|
<Option name="ulog_nlgroup">1</Option>
|
|
<Option name="verify_interfaces">true</Option>
|
|
</FirewallOptions>
|
|
</Firewall>
|
|
<Firewall id="id344110X63637" host_OS="linux24" inactive="False" lastCompiled="1272404261" lastInstalled="0" lastModified="1247356441" platform="iptables" version="1.4.0" name="firewall-ipv6-4-1" comment="Policy is configured as dual address family. Using iptables-restore. Firewall is NOT part of any " ro="False">
|
|
<NAT id="id344261X63637" name="NAT" comment="" ro="False" ipv4_rule_set="True" ipv6_rule_set="True" top_rule_set="True">
|
|
<NATRule id="id344262X63637" disabled="False" group="" position="0" action="Translate" comment="">
|
|
<OSrc neg="False">
|
|
<ObjectRef ref="id86936X27543"/>
|
|
<ObjectRef ref="id4834B9206131"/>
|
|
</OSrc>
|
|
<ODst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ODst>
|
|
<OSrv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</OSrv>
|
|
<TSrc neg="False">
|
|
<ObjectRef ref="id344110X63637"/>
|
|
</TSrc>
|
|
<TDst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</TDst>
|
|
<TSrv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</TSrv>
|
|
<ItfInb neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ItfInb>
|
|
<ItfOutb neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ItfOutb>
|
|
<NATRuleOptions/>
|
|
</NATRule>
|
|
<RuleSetOptions/>
|
|
</NAT>
|
|
<Policy id="id344116X63637" name="Policy" comment="" ro="False" ipv4_rule_set="True" ipv6_rule_set="True" top_rule_set="True">
|
|
<PolicyRule id="id344117X63637" disabled="False" group="" log="True" position="0" action="Accept" direction="Inbound" comment="">
<!-- NOTE(review): position 0 accepts any source (sysid0) to this firewall
     object itself (Dst = id344110X63637) for any service (sysid1), inbound,
     stateful (stateless=False). That is an unrestricted host-access rule,
     mitigated only by log="True". Fine for a compiler test fixture
     (lastInstalled="0", rule comments reference bug ids), but scope Src and
     Srv before reusing this object for anything deployable. -->
|
|
<Src neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="id344110X63637"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="stateless">False</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<PolicyRule id="id344129X63637" disabled="False" group="" log="False" position="1" action="Accept" direction="Both" comment="">
|
|
<Src neg="False">
|
|
<ObjectRef ref="id344278X63637"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="icmp-ping_request"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="stateless">False</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<PolicyRule id="id344141X63637" disabled="False" group="" log="False" position="2" action="Accept" direction="Both" comment="">
|
|
<Src neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="id3C20EEB5"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="stateless">False</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<PolicyRule id="id344153X63637" disabled="False" group="" log="False" position="3" action="Accept" direction="Both" comment="">
|
|
<Src neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="icmp-ping_request"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="stateless">False</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<PolicyRule id="id344165X63637" disabled="False" group="" log="False" position="4" action="Accept" direction="Both" comment="INPUT, OUTPUT, FORWARD">
|
|
<Src neg="False">
|
|
<ObjectRef ref="id86936X27543"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="stateless">False</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<PolicyRule id="id344177X63637" disabled="False" group="" log="False" position="5" action="Accept" direction="Both" comment="INPUT, OUTPUT, FORWARD">
|
|
<Src neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="id86936X27543"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="stateless">False</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<PolicyRule id="id344189X63637" disabled="False" group="" log="False" position="6" action="Accept" direction="Outbound" comment="for bug 2047082 ">
|
|
<Src neg="False">
|
|
<ObjectRef ref="id344110X63637"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="stateless">False</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<PolicyRule id="id344201X63637" disabled="False" group="" log="False" position="7" action="Accept" direction="Both" comment="">
|
|
<Src neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="id47CBF5D129252"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="stateless">False</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<PolicyRule id="id344213X63637" disabled="False" group="" log="True" position="8" action="Deny" direction="Both" comment="">
|
|
<Src neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="id30841X361"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="stateless">True</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<PolicyRule id="id344225X63637" disabled="False" group="" log="False" position="9" action="Accept" direction="Both" comment="ipv4 address range for bug 2820152">
|
|
<Src neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="id42386X35957"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="stateless">False</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<PolicyRule id="id344237X63637" disabled="False" group="" log="False" position="10" action="Accept" direction="Both" comment="ipv4 address range for bug 2820152 ">
|
|
<Src neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="id3F6D115C"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="stateless">False</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<PolicyRule id="id344249X63637" disabled="False" group="" log="True" position="11" action="Deny" direction="Both" comment="">
|
|
<Src neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="stateless">True</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<RuleSetOptions/>
|
|
</Policy>
|
|
<Routing id="id344277X63637" name="Routing" comment="" ro="False" ipv4_rule_set="False" ipv6_rule_set="False" top_rule_set="True">
|
|
<RuleSetOptions/>
|
|
</Routing>
|
|
<Interface id="id344278X63637" dedicated_failover="False" dyn="False" label="" security_level="50" unnum="False" unprotected="False" name="eth0" comment="" ro="False">
|
|
<IPv4 id="id344281X63637" name="firewall-ipv6-4-1:eth0:ip" comment="" ro="False" address="1.1.1.1" netmask="255.255.255.0"/>
|
|
<IPv6 id="id344282X63637" name="firewall-ipv6-4-1:eth0:ip6" comment="" ro="False" address="fe80::21d:9ff:fe8b:8e94" netmask="64"/>
|
|
<InterfaceOptions/>
|
|
</Interface>
|
|
<Interface id="id344283X63637" dedicated_failover="False" dyn="True" label="" mgmt="False" security_level="0" unnum="False" unprotected="False" name="eth1" comment="" ro="False">
|
|
<InterfaceOptions/>
|
|
</Interface>
|
|
<Management address="1.1.1.1">
|
|
<SNMPManagement enabled="False" snmp_read_community="" snmp_write_community=""/>
|
|
<FWBDManagement enabled="False" identity="" port="-1"/>
|
|
<PolicyInstallScript arguments="" command="" enabled="False"/>
|
|
</Management>
|
|
<FirewallOptions>
|
|
<Option name="accept_established">True</Option>
|
|
<!-- NOTE(review): judging by the option name, accept_new_tcp_with_no_syn=True
     makes the generated iptables script treat TCP segments without SYN as
     acceptable new connections, which weakens the stateful filter (ACK/FIN
     probes are not dropped as NEW). drop_invalid=True below does not cover
     that case. Presumably deliberate for this test object; do not copy the
     setting into a production firewall object without confirming the intent. -->
<Option name="accept_new_tcp_with_no_syn">True</Option>
|
|
<Option name="action_on_reject"/>
|
|
<Option name="activationCmd"/>
|
|
<Option name="add_check_state_rule">true</Option>
|
|
<Option name="admUser"/>
|
|
<Option name="altAddress"/>
|
|
<Option name="bridging_fw">False</Option>
|
|
<Option name="check_shading">True</Option>
|
|
<Option name="clamp_mss_to_mtu">False</Option>
|
|
<Option name="classify_mark_terminating">False</Option>
|
|
<Option name="cmdline">-xt</Option>
|
|
<Option name="compiler"/>
|
|
<Option name="configure_interfaces">True</Option>
|
|
<Option name="debug">False</Option>
|
|
<Option name="drop_invalid">True</Option>
|
|
<Option name="eliminate_duplicates">true</Option>
|
|
<Option name="enable_ipv6">True</Option>
|
|
<Option name="epilog_script"/>
|
|
<Option name="firewall_dir">/etc</Option>
|
|
<Option name="firewall_is_part_of_any_and_networks">False</Option>
|
|
<Option name="freebsd_ip_forward">1</Option>
|
|
<Option name="ignore_empty_groups">False</Option>
|
|
<Option name="in_out_code">true</Option>
|
|
<Option name="iosacl_add_clear_statements">true</Option>
|
|
<Option name="iosacl_assume_fw_part_of_any">true</Option>
|
|
<Option name="iosacl_include_comments">true</Option>
|
|
<Option name="ipt_mangle_only_rulesets"/>
|
|
<Option name="ipv4_6_order">ipv4_first</Option>
|
|
<Option name="limit_suffix"/>
|
|
<Option name="limit_value">0</Option>
|
|
<Option name="linux24_accept_redirects"/>
|
|
<Option name="linux24_accept_source_route"/>
|
|
<Option name="linux24_icmp_echo_ignore_all"/>
|
|
<Option name="linux24_icmp_echo_ignore_broadcasts"/>
|
|
<Option name="linux24_icmp_ignore_bogus_error_responses"/>
|
|
<Option name="linux24_ip_dynaddr"/>
|
|
<Option name="linux24_ip_forward">1</Option>
|
|
<Option name="linux24_ipv6_forward">1</Option>
|
|
<Option name="linux24_log_martians"/>
|
|
<Option name="linux24_path_ip"/>
|
|
<Option name="linux24_path_ip6tables"/>
|
|
<Option name="linux24_path_ip6tables_restore"/>
|
|
<Option name="linux24_path_iptables"/>
|
|
<Option name="linux24_path_iptables_restore"/>
|
|
<Option name="linux24_path_logger"/>
|
|
<Option name="linux24_path_lsmod"/>
|
|
<Option name="linux24_path_modprobe"/>
|
|
<Option name="linux24_rp_filter"/>
|
|
<Option name="linux24_tcp_ecn"/>
|
|
<Option name="linux24_tcp_fack"/>
|
|
<Option name="linux24_tcp_fin_timeout">0</Option>
|
|
<Option name="linux24_tcp_keepalive_interval">0</Option>
|
|
<Option name="linux24_tcp_sack"/>
|
|
<Option name="linux24_tcp_syncookies"/>
|
|
<Option name="linux24_tcp_timestamps"/>
|
|
<Option name="linux24_tcp_window_scaling"/>
|
|
<Option name="load_modules">True</Option>
|
|
<Option name="local_nat">False</Option>
|
|
<Option name="log_all">False</Option>
|
|
<Option name="log_invalid">True</Option>
|
|
<Option name="log_ip_opt">False</Option>
|
|
<Option name="log_level">info</Option>
|
|
<Option name="log_prefix">RULE %N -- %A </Option>
|
|
<Option name="log_tcp_opt">False</Option>
|
|
<Option name="log_tcp_seq">False</Option>
|
|
<Option name="loopback_interface">lo0</Option>
|
|
<Option name="macosx_ip_forward">1</Option>
|
|
<Option name="manage_virtual_addr">True</Option>
|
|
<Option name="mgmt_addr"/>
|
|
<Option name="mgmt_ssh">False</Option>
|
|
<Option name="no_ipv6_default_policy">False</Option>
|
|
<Option name="openbsd_ip_forward">1</Option>
|
|
<Option name="output_file"/>
|
|
<Option name="pass_all_out">false</Option>
|
|
<Option name="pf_limit_frags">5000</Option>
|
|
<Option name="pf_limit_states">10000</Option>
|
|
<Option name="pf_scrub_maxmss">1460</Option>
|
|
<Option name="pf_timeout_frag">30</Option>
|
|
<Option name="pf_timeout_interval">10</Option>
|
|
<Option name="pix_add_clear_statements">true</Option>
|
|
<Option name="pix_assume_fw_part_of_any">true</Option>
|
|
<Option name="pix_default_logint">300</Option>
|
|
<Option name="pix_emblem_log_format">false</Option>
|
|
<Option name="pix_emulate_out_acl">true</Option>
|
|
<Option name="pix_floodguard">true</Option>
|
|
<Option name="pix_include_comments">true</Option>
|
|
<Option name="pix_route_dnat_supported">true</Option>
|
|
<Option name="pix_rule_syslog_settings">false</Option>
|
|
<Option name="pix_security_fragguard_supported">true</Option>
|
|
<Option name="pix_syslog_device_id_supported">false</Option>
|
|
<Option name="pix_use_acl_remarks">true</Option>
|
|
<Option name="prolog_place">top</Option>
|
|
<Option name="prolog_script"/>
|
|
<Option name="prompt1">$ </Option>
|
|
<Option name="prompt2"> # </Option>
|
|
<Option name="scpArgs"/>
|
|
<Option name="solaris_ip_forward">1</Option>
|
|
<Option name="sshArgs"/>
|
|
<Option name="ulog_cprange">0</Option>
|
|
<Option name="ulog_nlgroup">1</Option>
|
|
<Option name="ulog_qthreshold">1</Option>
|
|
<Option name="use_ULOG">True</Option>
|
|
<Option name="use_iptables_restore">True</Option>
|
|
<Option name="use_numeric_log_levels">False</Option>
|
|
<Option name="verify_interfaces">True</Option>
|
|
</FirewallOptions>
|
|
</Firewall>
|
|
<Firewall id="id1080708X92250" host_OS="linux24" inactive="False" lastCompiled="1272404560" lastInstalled="0" lastModified="1264474374" platform="iptables" version="1.3.0" name="firewall72-1.3.x" comment="this firewall is used to test a rule in the global policy of object &quot;firewall&quot; " ro="False">
|
|
<NAT id="id1080739X92250" name="NAT" comment="" ro="False" ipv4_rule_set="False" ipv6_rule_set="False" top_rule_set="True">
|
|
<NATRule id="id212991X8629" disabled="False" group="" position="0" action="Translate" comment="">
|
|
<OSrc neg="True">
|
|
<ObjectRef ref="net-Internal_net"/>
|
|
</OSrc>
|
|
<ODst neg="False">
|
|
<ObjectRef ref="id3B19C5EB"/>
|
|
</ODst>
|
|
<OSrv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</OSrv>
|
|
<TSrc neg="False">
|
|
<ObjectRef ref="id3AFADBF9"/>
|
|
</TSrc>
|
|
<TDst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</TDst>
|
|
<TSrv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</TSrv>
|
|
<ItfInb neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ItfInb>
|
|
<ItfOutb neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ItfOutb>
|
|
<NATRuleOptions/>
|
|
</NATRule>
|
|
<NATRule id="id212971X8629" disabled="False" group="" position="1" action="Translate" comment="">
|
|
<OSrc neg="True">
|
|
<ObjectRef ref="net-Internal_net"/>
|
|
</OSrc>
|
|
<ODst neg="False">
|
|
<ObjectRef ref="id3B19C5EB"/>
|
|
</ODst>
|
|
<OSrv neg="False">
|
|
<ServiceRef ref="tcp-HTTP"/>
|
|
</OSrv>
|
|
<TSrc neg="False">
|
|
<ObjectRef ref="id3AFADBF9"/>
|
|
</TSrc>
|
|
<TDst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</TDst>
|
|
<TSrv neg="False">
|
|
<ServiceRef ref="tcp-HTTP"/>
|
|
</TSrv>
|
|
<ItfInb neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ItfInb>
|
|
<ItfOutb neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ItfOutb>
|
|
<NATRuleOptions/>
|
|
</NATRule>
|
|
<NATRule id="id212951X8629" disabled="False" group="" position="2" action="Translate" comment="">
|
|
<OSrc neg="False">
|
|
<ObjectRef ref="net-Internal_net"/>
|
|
</OSrc>
|
|
<ODst neg="True">
|
|
<ObjectRef ref="id3B022266"/>
|
|
</ODst>
|
|
<OSrv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</OSrv>
|
|
<TSrc neg="False">
|
|
<ObjectRef ref="id1080708X92250"/>
|
|
</TSrc>
|
|
<TDst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</TDst>
|
|
<TSrv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</TSrv>
|
|
<ItfInb neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ItfInb>
|
|
<ItfOutb neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ItfOutb>
|
|
<NATRuleOptions/>
|
|
</NATRule>
|
|
<NATRule id="id212931X8629" disabled="False" group="" position="3" action="Translate" comment="">
|
|
<OSrc neg="False">
|
|
<ObjectRef ref="net-Internal_net"/>
|
|
</OSrc>
|
|
<ODst neg="True">
|
|
<ObjectRef ref="id3B022266"/>
|
|
</ODst>
|
|
<OSrv neg="False">
|
|
<ServiceRef ref="tcp-HTTP"/>
|
|
</OSrv>
|
|
<TSrc neg="False">
|
|
<ObjectRef ref="id1080708X92250"/>
|
|
</TSrc>
|
|
<TDst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</TDst>
|
|
<TSrv neg="False">
|
|
<ServiceRef ref="tcp-HTTP"/>
|
|
</TSrv>
|
|
<ItfInb neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ItfInb>
|
|
<ItfOutb neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ItfOutb>
|
|
<NATRuleOptions/>
|
|
</NATRule>
|
|
<NATRule id="id212911X8629" disabled="False" group="" position="4" action="Translate" comment="">
|
|
<OSrc neg="False">
|
|
<ObjectRef ref="net-Internal_net"/>
|
|
</OSrc>
|
|
<ODst neg="True">
|
|
<ObjectRef ref="id3BBC0EFC"/>
|
|
</ODst>
|
|
<OSrv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</OSrv>
|
|
<TSrc neg="False">
|
|
<ObjectRef ref="id1080708X92250"/>
|
|
</TSrc>
|
|
<TDst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</TDst>
|
|
<TSrv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</TSrv>
|
|
<ItfInb neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ItfInb>
|
|
<ItfOutb neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ItfOutb>
|
|
<NATRuleOptions/>
|
|
</NATRule>
|
|
<NATRule id="id212891X8629" disabled="False" group="" position="5" action="Translate" comment="">
|
|
<OSrc neg="False">
|
|
<ObjectRef ref="net-Internal_net"/>
|
|
</OSrc>
|
|
<ODst neg="True">
|
|
<ObjectRef ref="id3AFC191C"/>
|
|
</ODst>
|
|
<OSrv neg="False">
|
|
<ServiceRef ref="tcp-HTTP"/>
|
|
</OSrv>
|
|
<TSrc neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</TSrc>
|
|
<TDst neg="False">
|
|
<ObjectRef ref="id1080708X92250"/>
|
|
</TDst>
|
|
<TSrv neg="False">
|
|
<ServiceRef ref="id3B5009F7"/>
|
|
</TSrv>
|
|
<ItfInb neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ItfInb>
|
|
<ItfOutb neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ItfOutb>
|
|
<NATRuleOptions/>
|
|
</NATRule>
|
|
<RuleSetOptions/>
|
|
</NAT>
|
|
<Policy id="id1080714X92250" name="Policy" comment="" ro="False" ipv4_rule_set="False" ipv6_rule_set="False" top_rule_set="True">
|
|
<PolicyRule id="id533195X8629" disabled="False" group="" log="False" position="0" action="Deny" direction="Both" comment="">
|
|
<Src neg="False">
|
|
<ObjectRef ref="id490484X8629"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</Srv>
|
|
<Itf neg="True">
|
|
<ObjectRef ref="id490483X8629"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="stateless">True</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<PolicyRule id="id107355X8629" disabled="False" group="" log="False" position="1" action="Deny" direction="Outbound" comment="">
|
|
<Src neg="True">
|
|
<ObjectRef ref="net-Internal_net"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="id1080708X92250"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="id1080744X92250"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="stateless">True</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<PolicyRule id="id107338X8629" disabled="False" group="" log="False" position="2" action="Deny" direction="Inbound" comment="">
|
|
<Src neg="False">
|
|
<ObjectRef ref="id1080708X92250"/>
|
|
</Src>
|
|
<Dst neg="True">
|
|
<ObjectRef ref="net-Internal_net"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="id1080744X92250"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="stateless">True</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<PolicyRule id="id107321X8629" disabled="False" group="" log="False" position="3" action="Deny" direction="Inbound" comment="">
|
|
<Src neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="id1080744X92250"/>
|
|
</Dst>
|
|
<Srv neg="True">
|
|
<ServiceRef ref="tcp-HTTP"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="stateless">True</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<PolicyRule id="id107304X8629" disabled="False" group="" log="False" position="4" action="Deny" direction="Inbound" comment="">
|
|
<Src neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="id1080744X92250"/>
|
|
</Dst>
|
|
<Srv neg="True">
|
|
<ServiceRef ref="tcp-TCP-SYN"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="stateless">True</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<PolicyRule id="id107287X8629" disabled="False" group="" log="False" position="5" action="Deny" direction="Inbound" comment="">
|
|
<Src neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="id1080744X92250"/>
|
|
</Dst>
|
|
<Srv neg="True">
|
|
<ServiceRef ref="icmp-Host_unreach"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="stateless">True</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<PolicyRule id="id107270X8629" disabled="False" group="" log="False" position="6" action="Deny" direction="Inbound" comment="">
|
|
<Src neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="id1080744X92250"/>
|
|
</Dst>
|
|
<Srv neg="True">
|
|
<ServiceRef ref="icmp-Host_unreach"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="stateless">True</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<PolicyRule id="id107253X8629" disabled="False" group="" log="False" position="7" action="Deny" direction="Inbound" comment="">
|
|
<Src neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="id1080744X92250"/>
|
|
</Dst>
|
|
<Srv neg="True">
|
|
<ServiceRef ref="id3D703C8F"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="stateless">True</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<PolicyRule id="id107236X8629" disabled="False" group="" log="False" position="8" action="Deny" direction="Inbound" comment="">
|
|
<Src neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="id1080744X92250"/>
|
|
</Dst>
|
|
<Srv neg="True">
|
|
<ServiceRef ref="id3E3747AF"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="stateless">True</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<PolicyRule id="id107219X8629" disabled="False" group="" log="False" position="9" action="Deny" direction="Both" comment="">
|
|
<Src neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="id1080744X92250"/>
|
|
</Dst>
|
|
<Srv neg="True">
|
|
<ServiceRef ref="id43EC877332486"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="stateless">True</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<PolicyRule id="id107202X8629" disabled="False" group="" log="False" position="10" action="Deny" direction="Inbound" comment="Should use ! -i eth1 eventually ">
|
|
<Src neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="net-Internal_net"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="id3E3747AF"/>
|
|
</Srv>
|
|
<Itf neg="True">
|
|
<ObjectRef ref="id1080744X92250"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="stateless">True</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<PolicyRule id="id107185X8629" disabled="False" group="" log="False" position="11" action="Deny" direction="Inbound" comment="Should use ! -i eth1 eventually ">
|
|
<Src neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="net-Internal_net"/>
|
|
</Dst>
|
|
<Srv neg="True">
|
|
<ServiceRef ref="id3E3747AF"/>
|
|
</Srv>
|
|
<Itf neg="True">
|
|
<ObjectRef ref="id1080744X92250"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="stateless">True</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<PolicyRule id="id107168X8629" disabled="False" group="" log="False" position="12" action="Deny" direction="Outbound" comment="Should use ! -i eth1 eventually ">
|
|
<Src neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="net-Internal_net"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="id3E3747AF"/>
|
|
</Srv>
|
|
<Itf neg="True">
|
|
<ObjectRef ref="id1080744X92250"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="stateless">True</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<PolicyRule id="id107151X8629" disabled="False" group="" log="False" position="13" action="Deny" direction="Both" comment="Should use ! -i eth1 eventually ">
|
|
<Src neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="net-Internal_net"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="id3E3747AF"/>
|
|
</Srv>
|
|
<Itf neg="True">
|
|
<ObjectRef ref="id1080744X92250"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="stateless">True</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<PolicyRule id="id107134X8629" disabled="False" group="" log="False" position="14" action="Deny" direction="Both" comment="Should use ! -i eth1 eventually ">
|
|
<Src neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="net-Internal_net"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="id3E3747AF"/>
|
|
</Srv>
|
|
<Itf neg="True">
|
|
<ObjectRef ref="id1080744X92250"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="stateless">True</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<PolicyRule id="id1080727X92250" disabled="False" group="" log="False" position="15" action="Deny" direction="Both" comment="">
|
|
<Src neg="False">
|
|
<ObjectRef ref="id1080708X92250"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="id1080744X92250"/>
|
|
</Dst>
|
|
<Srv neg="True">
|
|
<ServiceRef ref="id4849253720246"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="stateless">True</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<RuleSetOptions/>
|
|
</Policy>
|
|
<Routing id="id1080740X92250" name="Routing" comment="" ro="False" ipv4_rule_set="False" ipv6_rule_set="False" top_rule_set="True">
|
|
<RuleSetOptions/>
|
|
</Routing>
|
|
<Interface id="id1080741X92250" dedicated_failover="False" dyn="False" label="" mgmt="False" security_level="100" unnum="False" unprotected="False" name="eth0" comment="" ro="False">
|
|
<IPv4 id="id1080743X92250" name="firewall72-1.3.x:eth0:ip" comment="" ro="False" address="33.33.33.33" netmask="255.255.255.0"/>
|
|
<InterfaceOptions/>
|
|
</Interface>
|
|
<Interface id="id1080744X92250" dedicated_failover="False" dyn="False" label="" mgmt="False" security_level="0" unnum="False" unprotected="False" name="eth1" comment="" ro="False">
|
|
<IPv4 id="id1080746X92250" name="firewall72-1.3.x:eth1:ip" comment="" ro="False" address="172.16.1.1" netmask="255.255.255.0"/>
|
|
<InterfaceOptions/>
|
|
</Interface>
|
|
<Interface id="id490483X8629" dedicated_failover="False" dyn="False" label="" mgmt="False" security_level="100" unnum="False" unprotected="False" name="lo" comment="" ro="False">
|
|
<IPv4 id="id490484X8629" name="firewall72-1.3.x:lo:ip" comment="" ro="False" address="127.0.0.1" netmask="255.0.0.0"/>
|
|
<InterfaceOptions/>
|
|
</Interface>
|
|
<Management address="192.168.100.1">
|
|
<SNMPManagement enabled="False" snmp_read_community="" snmp_write_community=""/>
|
|
<FWBDManagement enabled="True" identity="" port="9999"/>
|
|
<PolicyInstallScript arguments="" command="" enabled="False"/>
|
|
</Management>
|
|
<FirewallOptions>
|
|
<Option name="accept_established">True</Option>
|
|
<Option name="accept_new_tcp_with_no_syn">True</Option>
|
|
<Option name="action_on_reject">ICMP host prohibited</Option>
|
|
<Option name="activationCmd"/>
|
|
<Option name="admUser"/>
|
|
<Option name="altAddress"/>
|
|
<Option name="bridging_fw">False</Option>
|
|
<Option name="check_shading">True</Option>
|
|
<Option name="clamp_mss_to_mtu">False</Option>
|
|
<Option name="classify_mark_terminating">False</Option>
|
|
<Option name="cmdline">-xt</Option>
|
|
<Option name="compiler"/>
|
|
<Option name="configure_interfaces">True</Option>
|
|
<Option name="debug">False</Option>
|
|
<Option name="drop_invalid">False</Option>
|
|
<Option name="dyn_addr">False</Option>
|
|
<Option name="epilog_script"/>
|
|
<Option name="firewall_dir"/>
|
|
<Option name="firewall_is_part_of_any_and_networks">True</Option>
|
|
<Option name="ignore_empty_groups">False</Option>
|
|
<Option name="ipv4_6_order">ipv4_first</Option>
|
|
<Option name="limit_suffix">/day</Option>
|
|
<Option name="limit_value">0</Option>
|
|
<Option name="linux24_accept_redirects"/>
|
|
<Option name="linux24_accept_source_route"/>
|
|
<Option name="linux24_icmp_echo_ignore_all"/>
|
|
<Option name="linux24_icmp_echo_ignore_broadcasts"/>
|
|
<Option name="linux24_icmp_ignore_bogus_error_responses"/>
|
|
<Option name="linux24_ip_dynaddr"/>
|
|
<Option name="linux24_ip_forward"/>
|
|
<Option name="linux24_log_martians"/>
|
|
<Option name="linux24_path_ip"/>
|
|
<Option name="linux24_path_iptables"/>
|
|
<Option name="linux24_path_logger"/>
|
|
<Option name="linux24_path_lsmod"/>
|
|
<Option name="linux24_path_modprobe"/>
|
|
<Option name="linux24_rp_filter"/>
|
|
<Option name="linux24_tcp_ecn"/>
|
|
<Option name="linux24_tcp_fack"/>
|
|
<Option name="linux24_tcp_fin_timeout">30</Option>
|
|
<Option name="linux24_tcp_keepalive_interval">1800</Option>
|
|
<Option name="linux24_tcp_sack"/>
|
|
<Option name="linux24_tcp_syncookies"/>
|
|
<Option name="linux24_tcp_timestamps"/>
|
|
<Option name="linux24_tcp_window_scaling"/>
|
|
<Option name="load_modules">True</Option>
|
|
<Option name="local_nat">False</Option>
|
|
<Option name="log_all">False</Option>
|
|
<Option name="log_all_dropped">False</Option>
|
|
<Option name="log_invalid">False</Option>
|
|
<Option name="log_ip_opt">False</Option>
|
|
<Option name="log_level">info</Option>
|
|
<Option name="log_prefix">RULE %N -- %A </Option>
|
|
<Option name="log_tcp_opt">False</Option>
|
|
<Option name="log_tcp_seq">False</Option>
|
|
<Option name="manage_virtual_addr">True</Option>
|
|
<Option name="mgmt_addr"/>
|
|
<Option name="mgmt_ssh">False</Option>
|
|
<Option name="no_optimisation">False</Option>
|
|
<Option name="output_file"/>
|
|
<Option name="prolog_place">top</Option>
|
|
<Option name="prolog_script"/>
|
|
<Option name="scpArgs"/>
|
|
<Option name="script_env_path"/>
|
|
<Option name="snmp_contact"/>
|
|
<Option name="snmp_description"/>
|
|
<Option name="snmp_location"/>
|
|
<Option name="sshArgs"/>
|
|
<Option name="ulog_cprange">0</Option>
|
|
<Option name="ulog_nlgroup">1</Option>
|
|
<Option name="ulog_qthreshold">1</Option>
|
|
<Option name="use_ULOG">False</Option>
|
|
<Option name="use_iptables_restore">False</Option>
|
|
<Option name="use_numeric_log_levels">False</Option>
|
|
<Option name="verify_interfaces">False</Option>
|
|
</FirewallOptions>
|
|
</Firewall>
|
|
<Firewall id="id170423X8629" host_OS="linux24" inactive="False" lastCompiled="1272404563" lastInstalled="0" lastModified="1264474374" platform="iptables" version="1.4.3" name="firewall72-1.4.3" comment="this firewall is used to test a rule in the global policy of object &quot;firewall&quot; " ro="False">
|
|
<NAT id="id170610X8629" name="NAT" comment="" ro="False" ipv4_rule_set="False" ipv6_rule_set="False" top_rule_set="True">
|
|
<NATRule id="id213111X8629" disabled="False" group="" position="0" action="Translate" comment="">
|
|
<OSrc neg="True">
|
|
<ObjectRef ref="net-Internal_net"/>
|
|
</OSrc>
|
|
<ODst neg="False">
|
|
<ObjectRef ref="id3B19C5EB"/>
|
|
</ODst>
|
|
<OSrv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</OSrv>
|
|
<TSrc neg="False">
|
|
<ObjectRef ref="id3AFADBF9"/>
|
|
</TSrc>
|
|
<TDst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</TDst>
|
|
<TSrv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</TSrv>
|
|
<ItfInb neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ItfInb>
|
|
<ItfOutb neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ItfOutb>
|
|
<NATRuleOptions/>
|
|
</NATRule>
|
|
<NATRule id="id213091X8629" disabled="False" group="" position="1" action="Translate" comment="">
|
|
<OSrc neg="True">
|
|
<ObjectRef ref="net-Internal_net"/>
|
|
</OSrc>
|
|
<ODst neg="False">
|
|
<ObjectRef ref="id3B19C5EB"/>
|
|
</ODst>
|
|
<OSrv neg="False">
|
|
<ServiceRef ref="tcp-HTTP"/>
|
|
</OSrv>
|
|
<TSrc neg="False">
|
|
<ObjectRef ref="id3AFADBF9"/>
|
|
</TSrc>
|
|
<TDst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</TDst>
|
|
<TSrv neg="False">
|
|
<ServiceRef ref="tcp-HTTP"/>
|
|
</TSrv>
|
|
<ItfInb neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ItfInb>
|
|
<ItfOutb neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ItfOutb>
|
|
<NATRuleOptions/>
|
|
</NATRule>
|
|
<NATRule id="id213071X8629" disabled="False" group="" position="2" action="Translate" comment="">
|
|
<OSrc neg="False">
|
|
<ObjectRef ref="net-Internal_net"/>
|
|
</OSrc>
|
|
<ODst neg="True">
|
|
<ObjectRef ref="id3B022266"/>
|
|
</ODst>
|
|
<OSrv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</OSrv>
|
|
<TSrc neg="False">
|
|
<ObjectRef ref="id170423X8629"/>
|
|
</TSrc>
|
|
<TDst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</TDst>
|
|
<TSrv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</TSrv>
|
|
<ItfInb neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ItfInb>
|
|
<ItfOutb neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ItfOutb>
|
|
<NATRuleOptions/>
|
|
</NATRule>
|
|
<NATRule id="id213051X8629" disabled="False" group="" position="3" action="Translate" comment="">
|
|
<OSrc neg="False">
|
|
<ObjectRef ref="net-Internal_net"/>
|
|
</OSrc>
|
|
<ODst neg="True">
|
|
<ObjectRef ref="id3B022266"/>
|
|
</ODst>
|
|
<OSrv neg="False">
|
|
<ServiceRef ref="tcp-HTTP"/>
|
|
</OSrv>
|
|
<TSrc neg="False">
|
|
<ObjectRef ref="id170423X8629"/>
|
|
</TSrc>
|
|
<TDst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</TDst>
|
|
<TSrv neg="False">
|
|
<ServiceRef ref="tcp-HTTP"/>
|
|
</TSrv>
|
|
<ItfInb neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ItfInb>
|
|
<ItfOutb neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ItfOutb>
|
|
<NATRuleOptions/>
|
|
</NATRule>
|
|
<NATRule id="id213031X8629" disabled="False" group="" position="4" action="Translate" comment="">
|
|
<OSrc neg="False">
|
|
<ObjectRef ref="net-Internal_net"/>
|
|
</OSrc>
|
|
<ODst neg="True">
|
|
<ObjectRef ref="id3BBC0EFC"/>
|
|
</ODst>
|
|
<OSrv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</OSrv>
|
|
<TSrc neg="False">
|
|
<ObjectRef ref="id170423X8629"/>
|
|
</TSrc>
|
|
<TDst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</TDst>
|
|
<TSrv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</TSrv>
|
|
<ItfInb neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ItfInb>
|
|
<ItfOutb neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ItfOutb>
|
|
<NATRuleOptions/>
|
|
</NATRule>
|
|
<NATRule id="id213011X8629" disabled="False" group="" position="5" action="Translate" comment="">
|
|
<OSrc neg="False">
|
|
<ObjectRef ref="net-Internal_net"/>
|
|
</OSrc>
|
|
<ODst neg="True">
|
|
<ObjectRef ref="id3AFC191C"/>
|
|
</ODst>
|
|
<OSrv neg="False">
|
|
<ServiceRef ref="tcp-HTTP"/>
|
|
</OSrv>
|
|
<TSrc neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</TSrc>
|
|
<TDst neg="False">
|
|
<ObjectRef ref="id170423X8629"/>
|
|
</TDst>
|
|
<TSrv neg="False">
|
|
<ServiceRef ref="id3B5009F7"/>
|
|
</TSrv>
|
|
<ItfInb neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ItfInb>
|
|
<ItfOutb neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ItfOutb>
|
|
<NATRuleOptions/>
|
|
</NATRule>
|
|
<RuleSetOptions/>
|
|
</NAT>
|
|
<Policy id="id170429X8629" name="Policy" comment="" ro="False" ipv4_rule_set="False" ipv6_rule_set="False" top_rule_set="True">
|
|
<PolicyRule id="id554578X8629" disabled="False" group="" log="False" position="0" action="Deny" direction="Both" comment="">
|
|
<Src neg="False">
|
|
<ObjectRef ref="id511839X8629"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</Srv>
|
|
<Itf neg="True">
|
|
<ObjectRef ref="id490485X8629"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="stateless">True</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<PolicyRule id="id170430X8629" disabled="False" group="" log="False" position="1" action="Deny" direction="Outbound" comment="">
|
|
<Src neg="True">
|
|
<ObjectRef ref="net-Internal_net"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="id170423X8629"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="id170615X8629"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="stateless">True</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<PolicyRule id="id170442X8629" disabled="False" group="" log="False" position="2" action="Deny" direction="Inbound" comment="">
|
|
<Src neg="False">
|
|
<ObjectRef ref="id170423X8629"/>
|
|
</Src>
|
|
<Dst neg="True">
|
|
<ObjectRef ref="net-Internal_net"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="id170615X8629"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="stateless">True</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<PolicyRule id="id170454X8629" disabled="False" group="" log="False" position="3" action="Deny" direction="Inbound" comment="">
|
|
<Src neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="id170615X8629"/>
|
|
</Dst>
|
|
<Srv neg="True">
|
|
<ServiceRef ref="tcp-HTTP"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="stateless">True</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<PolicyRule id="id170466X8629" disabled="False" group="" log="False" position="4" action="Deny" direction="Inbound" comment="">
|
|
<Src neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="id170615X8629"/>
|
|
</Dst>
|
|
<Srv neg="True">
|
|
<ServiceRef ref="tcp-TCP-SYN"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="stateless">True</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<PolicyRule id="id170478X8629" disabled="False" group="" log="False" position="5" action="Deny" direction="Inbound" comment="">
|
|
<Src neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="id170615X8629"/>
|
|
</Dst>
|
|
<Srv neg="True">
|
|
<ServiceRef ref="icmp-Host_unreach"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="stateless">True</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<PolicyRule id="id170490X8629" disabled="False" group="" log="False" position="6" action="Deny" direction="Inbound" comment="">
|
|
<Src neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="id170615X8629"/>
|
|
</Dst>
|
|
<Srv neg="True">
|
|
<ServiceRef ref="icmp-Host_unreach"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="stateless">True</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<PolicyRule id="id170502X8629" disabled="False" group="" log="False" position="7" action="Deny" direction="Inbound" comment="">
|
|
<Src neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="id170615X8629"/>
|
|
</Dst>
|
|
<Srv neg="True">
|
|
<ServiceRef ref="id3D703C8F"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="stateless">True</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<PolicyRule id="id170514X8629" disabled="False" group="" log="False" position="8" action="Deny" direction="Inbound" comment="">
|
|
<Src neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="id170615X8629"/>
|
|
</Dst>
|
|
<Srv neg="True">
|
|
<ServiceRef ref="id3E3747AF"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="stateless">True</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<PolicyRule id="id170526X8629" disabled="False" group="" log="False" position="9" action="Deny" direction="Both" comment="">
|
|
<Src neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="id170615X8629"/>
|
|
</Dst>
|
|
<Srv neg="True">
|
|
<ServiceRef ref="id43EC877332486"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="stateless">True</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<PolicyRule id="id170538X8629" disabled="False" group="" log="False" position="10" action="Deny" direction="Inbound" comment="Should use ! -i eth1 eventually ">
|
|
<Src neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="net-Internal_net"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="id3E3747AF"/>
|
|
</Srv>
|
|
<Itf neg="True">
|
|
<ObjectRef ref="id170615X8629"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="stateless">True</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<PolicyRule id="id170550X8629" disabled="False" group="" log="False" position="11" action="Deny" direction="Inbound" comment="Should use ! -i eth1 eventually ">
|
|
<Src neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="net-Internal_net"/>
|
|
</Dst>
|
|
<Srv neg="True">
|
|
<ServiceRef ref="id3E3747AF"/>
|
|
</Srv>
|
|
<Itf neg="True">
|
|
<ObjectRef ref="id170615X8629"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="stateless">True</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<PolicyRule id="id170562X8629" disabled="False" group="" log="False" position="12" action="Deny" direction="Outbound" comment="Should use ! -i eth1 eventually ">
|
|
<Src neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="net-Internal_net"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="id3E3747AF"/>
|
|
</Srv>
|
|
<Itf neg="True">
|
|
<ObjectRef ref="id170615X8629"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="stateless">True</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<PolicyRule id="id170574X8629" disabled="False" group="" log="False" position="13" action="Deny" direction="Both" comment="Should use ! -i eth1 eventually ">
|
|
<Src neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="net-Internal_net"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="id3E3747AF"/>
|
|
</Srv>
|
|
<Itf neg="True">
|
|
<ObjectRef ref="id170615X8629"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="stateless">True</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<PolicyRule id="id170586X8629" disabled="False" group="" log="False" position="14" action="Deny" direction="Both" comment="Should use ! -i eth1 eventually ">
|
|
<Src neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="net-Internal_net"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="id3E3747AF"/>
|
|
</Srv>
|
|
<Itf neg="True">
|
|
<ObjectRef ref="id170615X8629"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="stateless">True</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<PolicyRule id="id170598X8629" disabled="False" group="" log="False" position="15" action="Deny" direction="Both" comment="">
|
|
<Src neg="False">
|
|
<ObjectRef ref="id170423X8629"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="id170615X8629"/>
|
|
</Dst>
|
|
<Srv neg="True">
|
|
<ServiceRef ref="id4849253720246"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="stateless">True</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<RuleSetOptions/>
|
|
</Policy>
|
|
<Routing id="id170611X8629" name="Routing" comment="" ro="False" ipv4_rule_set="False" ipv6_rule_set="False" top_rule_set="True">
|
|
<RuleSetOptions/>
|
|
</Routing>
|
|
<Interface id="id170612X8629" dedicated_failover="False" dyn="False" label="" mgmt="False" security_level="100" unnum="False" unprotected="False" name="eth0" comment="" ro="False">
|
|
<IPv4 id="id170614X8629" name="firewall72-1.4.3:eth0:ip" comment="" ro="False" address="33.33.33.33" netmask="255.255.255.0"/>
|
|
<InterfaceOptions/>
|
|
</Interface>
|
|
<Interface id="id170615X8629" dedicated_failover="False" dyn="False" label="" mgmt="False" security_level="0" unnum="False" unprotected="False" name="eth1" comment="" ro="False">
|
|
<IPv4 id="id170617X8629" name="firewall72-1.4.3:eth1:ip" comment="" ro="False" address="172.16.1.1" netmask="255.255.255.0"/>
|
|
<InterfaceOptions/>
|
|
</Interface>
|
|
<Interface id="id490485X8629" dedicated_failover="False" dyn="False" label="" mgmt="False" security_level="100" unnum="False" unprotected="False" name="lo" comment="" ro="False">
|
|
<IPv4 id="id511839X8629" name="firewall72-1.4.3:lo:ip" comment="" ro="False" address="127.0.0.1" netmask="255.0.0.0"/>
|
|
<InterfaceOptions/>
|
|
</Interface>
|
|
<Management address="192.168.100.1">
|
|
<SNMPManagement enabled="False" snmp_read_community="" snmp_write_community=""/>
|
|
<FWBDManagement enabled="True" identity="" port="9999"/>
|
|
<PolicyInstallScript arguments="" command="" enabled="False"/>
|
|
</Management>
|
|
<FirewallOptions>
|
|
<Option name="accept_established">True</Option>
|
|
<Option name="accept_new_tcp_with_no_syn">True</Option>
|
|
<Option name="action_on_reject">ICMP host prohibited</Option>
|
|
<Option name="activationCmd"/>
|
|
<Option name="admUser"/>
|
|
<Option name="altAddress"/>
|
|
<Option name="bridging_fw">False</Option>
|
|
<Option name="check_shading">True</Option>
|
|
<Option name="clamp_mss_to_mtu">False</Option>
|
|
<Option name="classify_mark_terminating">False</Option>
|
|
<Option name="cmdline">-xt</Option>
|
|
<Option name="compiler"/>
|
|
<Option name="configure_interfaces">True</Option>
|
|
<Option name="debug">False</Option>
|
|
<Option name="drop_invalid">False</Option>
|
|
<Option name="dyn_addr">False</Option>
|
|
<Option name="epilog_script"/>
|
|
<Option name="firewall_dir"/>
|
|
<Option name="firewall_is_part_of_any_and_networks">True</Option>
|
|
<Option name="ignore_empty_groups">False</Option>
|
|
<Option name="ipv4_6_order">ipv4_first</Option>
|
|
<Option name="limit_suffix">/day</Option>
|
|
<Option name="limit_value">0</Option>
|
|
<Option name="linux24_accept_redirects"/>
|
|
<Option name="linux24_accept_source_route"/>
|
|
<Option name="linux24_icmp_echo_ignore_all"/>
|
|
<Option name="linux24_icmp_echo_ignore_broadcasts"/>
|
|
<Option name="linux24_icmp_ignore_bogus_error_responses"/>
|
|
<Option name="linux24_ip_dynaddr"/>
|
|
<Option name="linux24_ip_forward"/>
|
|
<Option name="linux24_log_martians"/>
|
|
<Option name="linux24_path_ip"/>
|
|
<Option name="linux24_path_iptables"/>
|
|
<Option name="linux24_path_logger"/>
|
|
<Option name="linux24_path_lsmod"/>
|
|
<Option name="linux24_path_modprobe"/>
|
|
<Option name="linux24_rp_filter"/>
|
|
<Option name="linux24_tcp_ecn"/>
|
|
<Option name="linux24_tcp_fack"/>
|
|
<Option name="linux24_tcp_fin_timeout">30</Option>
|
|
<Option name="linux24_tcp_keepalive_interval">1800</Option>
|
|
<Option name="linux24_tcp_sack"/>
|
|
<Option name="linux24_tcp_syncookies"/>
|
|
<Option name="linux24_tcp_timestamps"/>
|
|
<Option name="linux24_tcp_window_scaling"/>
|
|
<Option name="load_modules">True</Option>
|
|
<Option name="local_nat">False</Option>
|
|
<Option name="log_all">False</Option>
|
|
<Option name="log_all_dropped">False</Option>
|
|
<Option name="log_invalid">False</Option>
|
|
<Option name="log_ip_opt">False</Option>
|
|
<Option name="log_level">info</Option>
|
|
<Option name="log_prefix">RULE %N -- %A </Option>
|
|
<Option name="log_tcp_opt">False</Option>
|
|
<Option name="log_tcp_seq">False</Option>
|
|
<Option name="manage_virtual_addr">True</Option>
|
|
<Option name="mgmt_addr"/>
|
|
<Option name="mgmt_ssh">False</Option>
|
|
<Option name="no_optimisation">False</Option>
|
|
<Option name="output_file"/>
|
|
<Option name="prolog_place">top</Option>
|
|
<Option name="prolog_script"/>
|
|
<Option name="scpArgs"/>
|
|
<Option name="script_env_path"/>
|
|
<Option name="snmp_contact"/>
|
|
<Option name="snmp_description"/>
|
|
<Option name="snmp_location"/>
|
|
<Option name="sshArgs"/>
|
|
<Option name="ulog_cprange">0</Option>
|
|
<Option name="ulog_nlgroup">1</Option>
|
|
<Option name="ulog_qthreshold">1</Option>
|
|
<Option name="use_ULOG">False</Option>
|
|
<Option name="use_iptables_restore">False</Option>
|
|
<Option name="use_numeric_log_levels">False</Option>
|
|
<Option name="verify_interfaces">False</Option>
|
|
</FirewallOptions>
|
|
</Firewall>
|
|
<Firewall id="id46837X38889" host_OS="linux24" inactive="False" lastCompiled="1272404566" lastInstalled="0" lastModified="1247704190" platform="iptables" version="1.4.3" name="firewall73" comment="testing for &quot;-i +&quot; that is generated when the interface rule element is &quot;any&quot; but direction is inbound. Trying different combinations. Bug 2822098. &quot;Firewall is part of any&quot; is on." ro="False">
|
|
<NAT id="id46844X38889" name="NAT" comment="" ro="False" ipv4_rule_set="False" ipv6_rule_set="False" top_rule_set="True">
|
|
<RuleSetOptions/>
|
|
</NAT>
|
|
<Policy id="id46843X38889" name="Policy" comment="" ro="False" ipv4_rule_set="False" ipv6_rule_set="False" top_rule_set="True">
|
|
<PolicyRule id="id89496X38889" disabled="False" group="group 1" log="False" position="0" action="Deny" direction="Both" comment="">
|
|
<Src neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="id46846X38889"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="stateless">True</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<PolicyRule id="id89521X38889" disabled="False" group="group 1" log="False" position="1" action="Deny" direction="Inbound" comment="">
|
|
<Src neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="id46846X38889"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="stateless">True</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<PolicyRule id="id89545X38889" disabled="False" group="group 1" log="False" position="2" action="Deny" direction="Outbound" comment="">
|
|
<Src neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="id46846X38889"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="stateless">True</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<PolicyRule id="id68891X42406" disabled="False" group="group 1" log="False" position="3" action="Deny" direction="Both" comment="">
|
|
<Src neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="id68889X42406"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="stateless">True</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<PolicyRule id="id68908X42406" disabled="False" group="group 1" log="False" position="4" action="Deny" direction="Inbound" comment="">
|
|
<Src neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="id68889X42406"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="stateless">True</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<PolicyRule id="id68925X42406" disabled="False" group="group 1" log="False" position="5" action="Deny" direction="Outbound" comment="">
|
|
<Src neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="id68889X42406"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="stateless">True</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<PolicyRule id="id282692X38889" disabled="False" group="group 1" log="False" position="6" action="Deny" direction="Both" comment="">
|
|
<Src neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="stateless">True</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<PolicyRule id="id282709X38889" disabled="False" group="group 1" log="False" position="7" action="Deny" direction="Inbound" comment="">
|
|
<Src neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="stateless">True</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<PolicyRule id="id282726X38889" disabled="False" group="group 1" log="False" position="8" action="Deny" direction="Outbound" comment="">
|
|
<Src neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="stateless">True</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<PolicyRule id="id89557X38889" disabled="False" group="group 2" log="False" position="9" action="Deny" direction="Both" comment="">
|
|
<Src neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="id46837X38889"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="id46846X38889"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="stateless">True</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<PolicyRule id="id110963X38889" disabled="False" group="group 2" log="False" position="10" action="Deny" direction="Inbound" comment="">
|
|
<Src neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="id46837X38889"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="id46846X38889"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="stateless">True</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<PolicyRule id="id110980X38889" disabled="False" group="group 2" log="False" position="11" action="Deny" direction="Outbound" comment="">
|
|
<Src neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="id46837X38889"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="id46846X38889"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="stateless">True</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<PolicyRule id="id282746X38889" disabled="False" group="group 2" log="False" position="12" action="Deny" direction="Both" comment="">
|
|
<Src neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="id46837X38889"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="stateless">True</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<PolicyRule id="id282763X38889" disabled="False" group="group 2" log="False" position="13" action="Deny" direction="Inbound" comment="">
|
|
<Src neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="id46837X38889"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="stateless">True</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<PolicyRule id="id282780X38889" disabled="False" group="group 2" log="False" position="14" action="Deny" direction="Outbound" comment="">
|
|
<Src neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="id46837X38889"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="stateless">True</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<PolicyRule id="id132415X38889" disabled="False" group="group 3" log="False" position="15" action="Deny" direction="Both" comment="">
|
|
<Src neg="False">
|
|
<ObjectRef ref="id46837X38889"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="id46846X38889"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="stateless">True</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<PolicyRule id="id132432X38889" disabled="False" group="group 3" log="False" position="16" action="Deny" direction="Inbound" comment="">
|
|
<Src neg="False">
|
|
<ObjectRef ref="id46837X38889"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="id46846X38889"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="stateless">True</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<PolicyRule id="id132449X38889" disabled="False" group="group 3" log="False" position="17" action="Deny" direction="Outbound" comment="">
|
|
<Src neg="False">
|
|
<ObjectRef ref="id46837X38889"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="id46846X38889"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="stateless">True</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<PolicyRule id="id282797X38889" disabled="False" group="group 3" log="False" position="18" action="Deny" direction="Both" comment="">
|
|
<Src neg="False">
|
|
<ObjectRef ref="id46837X38889"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="stateless">True</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<PolicyRule id="id282814X38889" disabled="False" group="group 3" log="False" position="19" action="Deny" direction="Inbound" comment="">
|
|
<Src neg="False">
|
|
<ObjectRef ref="id46837X38889"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="stateless">True</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<PolicyRule id="id282831X38889" disabled="False" group="group 3" log="False" position="20" action="Deny" direction="Outbound" comment="">
|
|
<Src neg="False">
|
|
<ObjectRef ref="id46837X38889"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="stateless">True</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<RuleSetOptions/>
|
|
</Policy>
|
|
<Routing id="id46845X38889" name="Routing" comment="" ro="False" ipv4_rule_set="False" ipv6_rule_set="False" top_rule_set="True">
|
|
<RuleSetOptions/>
|
|
</Routing>
|
|
<Interface id="id46846X38889" dedicated_failover="False" dyn="False" label="" mgmt="False" security_level="0" unnum="False" unprotected="False" name="eth0" comment="" ro="False">
|
|
<IPv4 id="id46848X38889" name="firewall73:eth0:ip" comment="" ro="False" address="33.33.33.33" netmask="255.255.255.0"/>
|
|
<InterfaceOptions/>
|
|
</Interface>
|
|
<Interface id="id46849X38889" dedicated_failover="False" dyn="False" label="" mgmt="False" security_level="100" unnum="False" unprotected="False" name="eth1" comment="" ro="False">
|
|
<IPv4 id="id46851X38889" name="firewall73:eth1:ip" comment="" ro="False" address="172.16.1.1" netmask="255.255.255.0"/>
|
|
<InterfaceOptions/>
|
|
</Interface>
|
|
<Interface id="id68889X42406" dedicated_failover="False" dyn="False" label="" mgmt="False" security_level="100" unnum="False" unprotected="False" name="lo" comment="" ro="False">
|
|
<IPv4 id="id68890X42406" name="firewall73:lo:ip" comment="" ro="False" address="127.0.0.1" netmask="255.0.0.0"/>
|
|
<InterfaceOptions/>
|
|
</Interface>
|
|
<Management address="192.168.100.1">
|
|
<SNMPManagement enabled="False" snmp_read_community="" snmp_write_community=""/>
|
|
<FWBDManagement enabled="True" identity="" port="9999"/>
|
|
<PolicyInstallScript arguments="" command="" enabled="False"/>
|
|
</Management>
|
|
<FirewallOptions>
|
|
<Option name="accept_established">True</Option>
|
|
<Option name="accept_new_tcp_with_no_syn">True</Option>
|
|
<Option name="action_on_reject">ICMP host prohibited</Option>
|
|
<Option name="activationCmd"/>
|
|
<Option name="admUser"/>
|
|
<Option name="altAddress"/>
|
|
<Option name="bridging_fw">False</Option>
|
|
<Option name="check_shading">False</Option>
|
|
<Option name="clamp_mss_to_mtu">False</Option>
|
|
<Option name="classify_mark_terminating">False</Option>
|
|
<Option name="cmdline"/>
|
|
<Option name="compiler"/>
|
|
<Option name="configure_interfaces">True</Option>
|
|
<Option name="debug">False</Option>
|
|
<Option name="drop_invalid">False</Option>
|
|
<Option name="dyn_addr">False</Option>
|
|
<Option name="epilog_script"/>
|
|
<Option name="firewall_dir"/>
|
|
<Option name="firewall_is_part_of_any_and_networks">True</Option>
|
|
<Option name="ignore_empty_groups">False</Option>
|
|
<Option name="ipv4_6_order">ipv4_first</Option>
|
|
<Option name="limit_suffix">/day</Option>
|
|
<Option name="limit_value">0</Option>
|
|
<Option name="linux24_accept_redirects"/>
|
|
<Option name="linux24_accept_source_route"/>
|
|
<Option name="linux24_icmp_echo_ignore_all"/>
|
|
<Option name="linux24_icmp_echo_ignore_broadcasts"/>
|
|
<Option name="linux24_icmp_ignore_bogus_error_responses"/>
|
|
<Option name="linux24_ip_dynaddr"/>
|
|
<Option name="linux24_ip_forward"/>
|
|
<Option name="linux24_log_martians"/>
|
|
<Option name="linux24_path_ip"/>
|
|
<Option name="linux24_path_iptables"/>
|
|
<Option name="linux24_path_logger"/>
|
|
<Option name="linux24_path_lsmod"/>
|
|
<Option name="linux24_path_modprobe"/>
|
|
<Option name="linux24_rp_filter"/>
|
|
<Option name="linux24_tcp_ecn"/>
|
|
<Option name="linux24_tcp_fack"/>
|
|
<Option name="linux24_tcp_fin_timeout">30</Option>
|
|
<Option name="linux24_tcp_keepalive_interval">1800</Option>
|
|
<Option name="linux24_tcp_sack"/>
|
|
<Option name="linux24_tcp_syncookies"/>
|
|
<Option name="linux24_tcp_timestamps"/>
|
|
<Option name="linux24_tcp_window_scaling"/>
|
|
<Option name="load_modules">True</Option>
|
|
<Option name="local_nat">False</Option>
|
|
<Option name="log_all">False</Option>
|
|
<Option name="log_all_dropped">False</Option>
|
|
<Option name="log_invalid">False</Option>
|
|
<Option name="log_ip_opt">False</Option>
|
|
<Option name="log_level">info</Option>
|
|
<Option name="log_prefix">RULE %N -- %A </Option>
|
|
<Option name="log_tcp_opt">False</Option>
|
|
<Option name="log_tcp_seq">False</Option>
|
|
<Option name="manage_virtual_addr">True</Option>
|
|
<Option name="mgmt_addr"/>
|
|
<Option name="mgmt_ssh">False</Option>
|
|
<Option name="no_optimisation">False</Option>
|
|
<Option name="output_file"/>
|
|
<Option name="prolog_place">top</Option>
|
|
<Option name="prolog_script"/>
|
|
<Option name="scpArgs"/>
|
|
<Option name="script_env_path"/>
|
|
<Option name="snmp_contact"/>
|
|
<Option name="snmp_description"/>
|
|
<Option name="snmp_location"/>
|
|
<Option name="sshArgs"/>
|
|
<Option name="ulog_cprange">0</Option>
|
|
<Option name="ulog_nlgroup">1</Option>
|
|
<Option name="ulog_qthreshold">1</Option>
|
|
<Option name="use_ULOG">False</Option>
|
|
<Option name="use_iptables_restore">False</Option>
|
|
<Option name="use_numeric_log_levels">False</Option>
|
|
<Option name="verify_interfaces">False</Option>
|
|
</FirewallOptions>
|
|
</Firewall>
|
|
<Firewall id="id48956X39861" host_OS="ipcop" inactive="False" lastCompiled="1272404588" lastInstalled="0" lastModified="1250648007" platform="iptables" version="" name="ipcop1" comment="Endian firewall appliance (configured here with host_OS=ipcop), 2 interfaces. In this object the GREEN (internal, management) interface is named et0 and the RED (external) interface is eth1; the name et0 may need to be eth0 or br0 on your appliance. Make the interface names and IP addresses match your actual firewall before compiling." ro="False">
|
|
<NAT id="id48969X39861" name="NAT" comment="" ro="False" ipv4_rule_set="False" ipv6_rule_set="False" top_rule_set="True">
|
|
<RuleSetOptions/>
|
|
</NAT>
|
|
<Policy id="id48968X39861" name="Policy" comment="" ro="False" ipv4_rule_set="False" ipv6_rule_set="False" top_rule_set="True">
|
|
<PolicyRule id="id48978X39861" disabled="False" group="" log="False" position="0" action="Accept" direction="Both" comment="">
|
|
<Src neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="id45813X95438"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="tcp-HTTP"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="stateless">False</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<PolicyRule id="id179389X39861" disabled="False" group="" log="True" position="1" action="Deny" direction="Both" comment="">
|
|
<Src neg="False">
|
|
<ObjectRef ref="id4389EE9018346"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="stateless">True</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<PolicyRule id="id244637X39861" disabled="False" group="" log="True" position="2" action="Deny" direction="Both" comment="">
|
|
<Src neg="False">
|
|
<ObjectRef ref="id44F7056328576"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="stateless">True</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<RuleSetOptions/>
|
|
</Policy>
|
|
<Routing id="id48970X39861" name="Routing" comment="" ro="False" ipv4_rule_set="False" ipv6_rule_set="False" top_rule_set="True">
|
|
<RuleSetOptions/>
|
|
</Routing>
|
|
<Interface id="id48962X39861" dedicated_failover="False" dyn="False" label="GREEN" mgmt="True" security_level="100" unnum="False" unprotected="False" name="et0" comment="" ro="False">
|
|
<IPv4 id="id48964X39861" name="ipcop1:et0:ip" comment="" ro="False" address="10.3.14.254" netmask="255.255.255.0"/>
|
|
<InterfaceOptions/>
|
|
</Interface>
|
|
<Interface id="id48965X39861" dedicated_failover="False" dyn="False" label="RED" mgmt="False" security_level="0" unnum="False" unprotected="False" name="eth1" comment="" ro="False">
|
|
<IPv4 id="id48967X39861" name="ipcop1:eth1:ip" comment="" ro="False" address="192.168.253.128" netmask="255.255.255.0"/>
|
|
<InterfaceOptions/>
|
|
</Interface>
|
|
<Management address="0.0.0.0">
|
|
<SNMPManagement enabled="False" snmp_read_community="" snmp_write_community=""/>
|
|
<FWBDManagement enabled="False" identity="" port="-1"/>
|
|
<PolicyInstallScript arguments="" command="" enabled="False"/>
|
|
</Management>
|
|
<FirewallOptions>
|
|
<Option name="accept_established">true</Option>
|
|
<Option name="accept_new_tcp_with_no_syn">true</Option>
|
|
<Option name="activationCmd">/etc/rc.d/rc.firewall restart</Option>
|
|
<Option name="admUser">root</Option>
|
|
<Option name="check_shading">true</Option>
|
|
<Option name="comment"> defaults for ipcop </Option>
|
|
<Option name="configure_interfaces">true</Option>
|
|
<Option name="firewall_dir">/etc/rc.d/</Option>
|
|
<Option name="firewall_is_part_of_any_and_networks">true</Option>
|
|
<Option name="flush_and_set_default_policy">False</Option>
|
|
<Option name="limit_value">0</Option>
|
|
<Option name="linux24_accept_redirects"/>
|
|
<Option name="linux24_accept_source_route"/>
|
|
<Option name="linux24_icmp_echo_ignore_all"/>
|
|
<Option name="linux24_icmp_echo_ignore_broadcasts"/>
|
|
<Option name="linux24_icmp_ignore_bogus_error_responses"/>
|
|
<Option name="linux24_ip_dynaddr"/>
|
|
<Option name="linux24_ip_forward">1</Option>
|
|
<Option name="linux24_ipv6_forward"/>
|
|
<Option name="linux24_log_martians"/>
|
|
<Option name="linux24_path_ip"/>
|
|
<Option name="linux24_path_ip6tables"/>
|
|
<Option name="linux24_path_ip6tables_restore"/>
|
|
<Option name="linux24_path_iptables"/>
|
|
<Option name="linux24_path_iptables_restore"/>
|
|
<Option name="linux24_path_logger"/>
|
|
<Option name="linux24_path_lsmod"/>
|
|
<Option name="linux24_path_modprobe"/>
|
|
<Option name="linux24_rp_filter"/>
|
|
<Option name="linux24_tcp_ecn"/>
|
|
<Option name="linux24_tcp_fack"/>
|
|
<Option name="linux24_tcp_fin_timeout">0</Option>
|
|
<Option name="linux24_tcp_keepalive_interval">0</Option>
|
|
<Option name="linux24_tcp_sack"/>
|
|
<Option name="linux24_tcp_syncookies"/>
|
|
<Option name="linux24_tcp_timestamps"/>
|
|
<Option name="linux24_tcp_window_scaling"/>
|
|
<Option name="load_modules">true</Option>
|
|
<Option name="local_nat">false</Option>
|
|
<Option name="log_level">info</Option>
|
|
<Option name="log_prefix">RULE %N -- %A </Option>
|
|
<Option name="loopback_interface">lo</Option>
|
|
<Option name="manage_virtual_addr">true</Option>
|
|
<Option name="modules_dir">/lib/modules/`uname -r`/kernel/net/</Option>
|
|
<Option name="output_file">rc.firewall.local</Option>
|
|
<Option name="prompt1">$ </Option>
|
|
<Option name="prompt2"> # </Option>
|
|
<Option name="ulog_nlgroup">1</Option>
|
|
<Option name="verify_interfaces">true</Option>
|
|
</FirewallOptions>
|
|
</Firewall>
|
|
<Firewall id="id48783X29790" host_OS="linux24" inactive="False" lastCompiled="1272404572" lastInstalled="0" lastModified="1282238317" platform="iptables" version="" name="firewall80" comment="Branch rules in NAT: every rule in the top-level NAT rule set has action NATBranch and jumps to the NAT_1 rule set, which holds the actual DNAT and SNAT translations. Note: SNMP management is disabled but snmp_read_community is still set to the well-known default (public); clear it or choose a non-default community string before enabling SNMP." ro="False">
|
|
<NAT id="id48857X29790" name="NAT" comment="" ro="False" ipv4_rule_set="False" ipv6_rule_set="False" top_rule_set="True">
|
|
<NATRule id="id138652X29790" disabled="False" group="" position="0" action="NATBranch" comment="Branch rule that also specifies a translation (TDst = hostA). For a NATBranch action the translated fields are ignored; the compiler is expected to issue a warning rather than apply the translation.">
|
|
<OSrc neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</OSrc>
|
|
<ODst neg="False">
|
|
<ObjectRef ref="id48792X29790"/>
|
|
</ODst>
|
|
<OSrv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</OSrv>
|
|
<TSrc neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</TSrc>
|
|
<TDst neg="False">
|
|
<ObjectRef ref="host-hostA"/>
|
|
</TDst>
|
|
<TSrv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</TSrv>
|
|
<ItfInb neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ItfInb>
|
|
<ItfOutb neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ItfOutb>
|
|
<NATRuleOptions>
|
|
<Option name="action_on_reject"/>
|
|
<Option name="branch_id">id71294X29790</Option>
|
|
<Option name="classify_str"/>
|
|
<Option name="custom_str"/>
|
|
<Option name="ipf_route_opt_addr"/>
|
|
<Option name="ipf_route_opt_if"/>
|
|
<Option name="ipf_route_option">route_through</Option>
|
|
<Option name="ipfw_classify_method">2</Option>
|
|
<Option name="ipfw_pipe_port_num">0</Option>
|
|
<Option name="ipfw_pipe_queue_num">0</Option>
|
|
<Option name="ipt_continue">False</Option>
|
|
<Option name="ipt_gw"/>
|
|
<Option name="ipt_iif"/>
|
|
<Option name="ipt_mark_connections">False</Option>
|
|
<Option name="ipt_oif"/>
|
|
<Option name="ipt_tee">False</Option>
|
|
<Option name="pf_fastroute">False</Option>
|
|
<Option name="pf_route_load_option">none</Option>
|
|
<Option name="pf_route_opt_addr"/>
|
|
<Option name="pf_route_opt_if"/>
|
|
<Option name="pf_route_option">none</Option>
|
|
<Option name="rule_name_accounting"/>
|
|
</NATRuleOptions>
|
|
</NATRule>
|
|
<NATRule id="id116180X29790" disabled="False" group="" position="1" action="NATBranch" comment="Branch to NAT_1 for all traffic (OSrc, ODst and OSrv are all Any); the DNAT translation itself lives in the NAT_1 rule set, this rule only jumps to it.">
|
|
<OSrc neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</OSrc>
|
|
<ODst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ODst>
|
|
<OSrv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</OSrv>
|
|
<TSrc neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</TSrc>
|
|
<TDst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</TDst>
|
|
<TSrv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</TSrv>
|
|
<ItfInb neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ItfInb>
|
|
<ItfOutb neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ItfOutb>
|
|
<NATRuleOptions>
|
|
<Option name="action_on_reject"/>
|
|
<Option name="branch_id">id71294X29790</Option>
|
|
<Option name="classify_str"/>
|
|
<Option name="custom_str"/>
|
|
<Option name="ipf_route_opt_addr"/>
|
|
<Option name="ipf_route_opt_if"/>
|
|
<Option name="ipf_route_option">route_through</Option>
|
|
<Option name="ipfw_classify_method">2</Option>
|
|
<Option name="ipfw_pipe_port_num">0</Option>
|
|
<Option name="ipfw_pipe_queue_num">0</Option>
|
|
<Option name="ipt_continue">False</Option>
|
|
<Option name="ipt_gw"/>
|
|
<Option name="ipt_iif"/>
|
|
<Option name="ipt_mark_connections">False</Option>
|
|
<Option name="ipt_oif"/>
|
|
<Option name="ipt_tee">False</Option>
|
|
<Option name="pf_fastroute">False</Option>
|
|
<Option name="pf_route_load_option">none</Option>
|
|
<Option name="pf_route_opt_addr"/>
|
|
<Option name="pf_route_opt_if"/>
|
|
<Option name="pf_route_option">none</Option>
|
|
<Option name="rule_name_accounting"/>
|
|
</NATRuleOptions>
|
|
</NATRule>
|
|
<NATRule id="id57866X1812" disabled="False" group="" position="2" action="NATBranch" comment="for #1686: branch to NAT_1 restricted by OSrc (the eth0 interface object) and a specific OSrv service; no translation fields are set.">
|
|
<OSrc neg="False">
|
|
<ObjectRef ref="id48792X29790"/>
|
|
</OSrc>
|
|
<ODst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ODst>
|
|
<OSrv neg="False">
|
|
<ServiceRef ref="id3B20468D"/>
|
|
</OSrv>
|
|
<TSrc neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</TSrc>
|
|
<TDst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</TDst>
|
|
<TSrv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</TSrv>
|
|
<ItfInb neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ItfInb>
|
|
<ItfOutb neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ItfOutb>
|
|
<NATRuleOptions>
|
|
<Option name="action_on_reject"/>
|
|
<Option name="branch_id">id71294X29790</Option>
|
|
<Option name="classify_str"/>
|
|
<Option name="custom_str"/>
|
|
<Option name="ipf_route_opt_addr"/>
|
|
<Option name="ipf_route_opt_if"/>
|
|
<Option name="ipf_route_option">route_through</Option>
|
|
<Option name="ipfw_classify_method">2</Option>
|
|
<Option name="ipfw_pipe_port_num">0</Option>
|
|
<Option name="ipfw_pipe_queue_num">0</Option>
|
|
<Option name="ipt_continue">False</Option>
|
|
<Option name="ipt_gw"/>
|
|
<Option name="ipt_iif"/>
|
|
<Option name="ipt_mark_connections">False</Option>
|
|
<Option name="ipt_oif"/>
|
|
<Option name="ipt_tee">False</Option>
|
|
<Option name="pf_fastroute">False</Option>
|
|
<Option name="pf_route_load_option">none</Option>
|
|
<Option name="pf_route_opt_addr"/>
|
|
<Option name="pf_route_opt_if"/>
|
|
<Option name="pf_route_option">none</Option>
|
|
<Option name="rule_name_accounting"/>
|
|
</NATRuleOptions>
|
|
</NATRule>
|
|
<NATRule id="id916423X1812" disabled="False" group="" position="3" action="NATBranch" comment="for #1686: branch to NAT_1 with the firewall object itself as OSrc and a specific OSrv service; no translation fields are set.">
|
|
<OSrc neg="False">
|
|
<ObjectRef ref="id48783X29790"/>
|
|
</OSrc>
|
|
<ODst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ODst>
|
|
<OSrv neg="False">
|
|
<ServiceRef ref="id3B20468D"/>
|
|
</OSrv>
|
|
<TSrc neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</TSrc>
|
|
<TDst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</TDst>
|
|
<TSrv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</TSrv>
|
|
<ItfInb neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ItfInb>
|
|
<ItfOutb neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ItfOutb>
|
|
<NATRuleOptions>
|
|
<Option name="action_on_reject"/>
|
|
<Option name="branch_id">id71294X29790</Option>
|
|
<Option name="classify_str"/>
|
|
<Option name="custom_str"/>
|
|
<Option name="ipf_route_opt_addr"/>
|
|
<Option name="ipf_route_opt_if"/>
|
|
<Option name="ipf_route_option">route_through</Option>
|
|
<Option name="ipfw_classify_method">2</Option>
|
|
<Option name="ipfw_pipe_port_num">0</Option>
|
|
<Option name="ipfw_pipe_queue_num">0</Option>
|
|
<Option name="ipt_continue">False</Option>
|
|
<Option name="ipt_gw"/>
|
|
<Option name="ipt_iif"/>
|
|
<Option name="ipt_mark_connections">False</Option>
|
|
<Option name="ipt_oif"/>
|
|
<Option name="ipt_tee">False</Option>
|
|
<Option name="pf_fastroute">False</Option>
|
|
<Option name="pf_route_load_option">none</Option>
|
|
<Option name="pf_route_opt_addr"/>
|
|
<Option name="pf_route_opt_if"/>
|
|
<Option name="pf_route_option">none</Option>
|
|
<Option name="rule_name_accounting"/>
|
|
</NATRuleOptions>
|
|
</NATRule>
|
|
<RuleSetOptions/>
|
|
</NAT>
|
|
<NAT id="id71294X29790" name="NAT_1" comment="" ro="False" ipv4_rule_set="False" ipv6_rule_set="False" top_rule_set="False">
|
|
<NATRule id="id71295X29790" disabled="False" group="" position="0" action="Translate" comment="DNAT rule: traffic whose destination is the eth0 interface address (ODst) is redirected to hostA (TDst); source and service are not rewritten.">
|
|
<OSrc neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</OSrc>
|
|
<ODst neg="False">
|
|
<ObjectRef ref="id48792X29790"/>
|
|
</ODst>
|
|
<OSrv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</OSrv>
|
|
<TSrc neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</TSrc>
|
|
<TDst neg="False">
|
|
<ObjectRef ref="host-hostA"/>
|
|
</TDst>
|
|
<TSrv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</TSrv>
|
|
<ItfInb neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ItfInb>
|
|
<ItfOutb neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ItfOutb>
|
|
<NATRuleOptions/>
|
|
</NATRule>
|
|
<NATRule id="id93732X29790" disabled="False" group="" position="1" action="Translate" comment="SNAT rule: for traffic from the OSrc object, the source address is rewritten to the eth0 interface address (TSrc); destination and service are not rewritten.">
|
|
<OSrc neg="False">
|
|
<ObjectRef ref="id3CEBFDFC"/>
|
|
</OSrc>
|
|
<ODst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ODst>
|
|
<OSrv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</OSrv>
|
|
<TSrc neg="False">
|
|
<ObjectRef ref="id48792X29790"/>
|
|
</TSrc>
|
|
<TDst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</TDst>
|
|
<TSrv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</TSrv>
|
|
<ItfInb neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ItfInb>
|
|
<ItfOutb neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ItfOutb>
|
|
<NATRuleOptions/>
|
|
</NATRule>
|
|
<RuleSetOptions/>
|
|
</NAT>
|
|
<Policy id="id48805X29790" name="Policy" comment="" ro="False" ipv4_rule_set="False" ipv6_rule_set="False" top_rule_set="True">
|
|
<RuleSetOptions/>
|
|
</Policy>
|
|
<Routing id="id48873X29790" name="Routing" comment="" ro="False" ipv4_rule_set="False" ipv6_rule_set="False" top_rule_set="True">
|
|
<RuleSetOptions/>
|
|
</Routing>
|
|
<Interface id="id48792X29790" dedicated_failover="False" dyn="False" label="" mgmt="False" security_level="0" unnum="False" unprotected="False" name="eth0" comment="VLAN interface" ro="False">
|
|
<IPv4 id="id228530X29790" name="firewall80:eth0:ip" comment="" ro="False" address="192.0.2.1" netmask="255.255.255.0"/>
|
|
<InterfaceOptions/>
|
|
</Interface>
|
|
<Interface id="id48795X29790" dedicated_failover="False" dyn="False" security_level="100" unnum="False" unprotected="False" name="lo" comment="" ro="False">
|
|
<IPv4 id="id48798X29790" name="firewall80:lo:ip" comment="" ro="False" address="127.0.0.1" netmask="255.0.0.0"/>
|
|
<InterfaceOptions/>
|
|
</Interface>
|
|
<Interface id="id48800X29790" dedicated_failover="False" dyn="False" label="" mgmt="True" security_level="100" unnum="False" unprotected="False" name="eth1" comment="" ro="False">
|
|
<IPv4 id="id48803X29790" name="firewall80:eth1:ip" comment="" ro="False" address="192.168.1.100" netmask="255.255.255.0"/>
|
|
<InterfaceOptions/>
|
|
</Interface>
|
|
<Management address="192.168.1.100">
|
|
<SNMPManagement enabled="False" snmp_read_community="public" snmp_write_community=""/>
|
|
<FWBDManagement enabled="True" identity="" port="9999"/>
|
|
<PolicyInstallScript arguments="" command="" enabled="False"/>
|
|
</Management>
|
|
<FirewallOptions>
|
|
<Option name="accept_established">True</Option>
|
|
<Option name="accept_new_tcp_with_no_syn">True</Option>
|
|
<Option name="action_on_reject">ICMP net unreachable</Option>
|
|
<Option name="activationCmd"/>
|
|
<Option name="add_mgmt_ssh_rule_when_stoped">False</Option>
|
|
<Option name="add_rules_for_ipv6_neighbor_discovery">False</Option>
|
|
<Option name="admUser"/>
|
|
<Option name="altAddress"/>
|
|
<Option name="bridging_fw">False</Option>
|
|
<Option name="check_shading">False</Option>
|
|
<Option name="clamp_mss_to_mtu">False</Option>
|
|
<Option name="classify_mark_terminating">False</Option>
|
|
<Option name="clear_unknown_interfaces">False</Option>
|
|
<Option name="cmdline"/>
|
|
<Option name="compiler"/>
|
|
<Option name="configure_bonding_interfaces">False</Option>
|
|
<Option name="configure_bridge_interfaces">False</Option>
|
|
<Option name="configure_interfaces">True</Option>
|
|
<Option name="configure_vlan_interfaces">False</Option>
|
|
<Option name="debug">False</Option>
|
|
<Option name="drop_invalid">False</Option>
|
|
<Option name="dyn_addr">False</Option>
|
|
<Option name="epilog_script"/>
|
|
<Option name="firewall_dir"/>
|
|
<Option name="firewall_is_part_of_any">True</Option>
|
|
<Option name="firewall_is_part_of_any_and_networks">True</Option>
|
|
<Option name="ignore_empty_groups">False</Option>
|
|
<Option name="inst_cmdline"/>
|
|
<Option name="inst_script"/>
|
|
<Option name="install_script"/>
|
|
<Option name="ipv4_6_order">ipv4_first</Option>
|
|
<Option name="limit_suffix">/day</Option>
|
|
<Option name="limit_value">0</Option>
|
|
<Option name="linux24_accept_redirects"/>
|
|
<Option name="linux24_accept_source_route"/>
|
|
<Option name="linux24_icmp_echo_ignore_all"/>
|
|
<Option name="linux24_icmp_echo_ignore_broadcasts"/>
|
|
<Option name="linux24_icmp_ignore_bogus_error_responses"/>
|
|
<Option name="linux24_ip_dynaddr"/>
|
|
<Option name="linux24_ip_forward"/>
|
|
<Option name="linux24_log_martians"/>
|
|
<Option name="linux24_path_ip"/>
|
|
<Option name="linux24_path_iptables"/>
|
|
<Option name="linux24_path_logger"/>
|
|
<Option name="linux24_path_lsmod"/>
|
|
<Option name="linux24_path_modprobe"/>
|
|
<Option name="linux24_rp_filter"/>
|
|
<Option name="linux24_tcp_ecn"/>
|
|
<Option name="linux24_tcp_fack"/>
|
|
<Option name="linux24_tcp_fin_timeout">30</Option>
|
|
<Option name="linux24_tcp_keepalive_interval">1800</Option>
|
|
<Option name="linux24_tcp_sack"/>
|
|
<Option name="linux24_tcp_syncookies"/>
|
|
<Option name="linux24_tcp_timestamps"/>
|
|
<Option name="linux24_tcp_window_scaling"/>
|
|
<Option name="load_modules">False</Option>
|
|
<Option name="local_nat">True</Option>
|
|
<Option name="log_all">False</Option>
|
|
<Option name="log_all_dropped">False</Option>
|
|
<Option name="log_invalid">False</Option>
|
|
<Option name="log_ip_opt">False</Option>
|
|
<Option name="log_level">debug</Option>
|
|
<Option name="log_limit_suffix">/second</Option>
|
|
<Option name="log_limit_value">0</Option>
|
|
<Option name="log_prefix">RULE %N -- %A on interface %I </Option>
|
|
<Option name="log_tcp_opt">False</Option>
|
|
<Option name="log_tcp_seq">False</Option>
|
|
<Option name="manage_virtual_addr">True</Option>
|
|
<Option name="mgmt_addr"/>
|
|
<Option name="mgmt_ssh">False</Option>
|
|
<Option name="no_iochains_for_any">False</Option>
|
|
<Option name="no_optimisation">False</Option>
|
|
<Option name="output_file"/>
|
|
<Option name="platform">iptables</Option>
|
|
<Option name="prolog_place">top</Option>
|
|
<Option name="prolog_script"/>
|
|
<Option name="proxy_arp">False</Option>
|
|
<Option name="scpArgs"/>
|
|
<Option name="script_env_path"/>
|
|
<Option name="script_name_on_firewall"/>
|
|
<Option name="snmp_contact"/>
|
|
<Option name="snmp_description"/>
|
|
<Option name="snmp_location"/>
|
|
<Option name="sshArgs"/>
|
|
<Option name="ulog_cprange">0</Option>
|
|
<Option name="ulog_nlgroup">1</Option>
|
|
<Option name="ulog_qthreshold">1</Option>
|
|
<Option name="use_ULOG">False</Option>
|
|
<Option name="use_ip_tool">False</Option>
|
|
<Option name="use_iptables_restore">False</Option>
|
|
<Option name="use_m_set">False</Option>
|
|
<Option name="use_numeric_log_levels">False</Option>
|
|
<Option name="verify_interfaces">False</Option>
|
|
</FirewallOptions>
|
|
</Firewall>
|
|
<Firewall id="id304832X79913" host_OS="linux24" inactive="False" lastCompiled="1272404272" lastInstalled="0" lastModified="1276701005" platform="iptables" version="1.4.0" name="firewall-ipv6-7" comment="eth1 has a dynamic address (dyn=True, no address object) while eth0 is static with both IPv4 and IPv6 addresses; exercises the functions that obtain the dynamic interface address at run time." ro="False">
|
|
<NAT id="id304996X79913" name="NAT" comment="" ro="False" ipv4_rule_set="True" ipv6_rule_set="True" top_rule_set="True">
|
|
<RuleSetOptions/>
|
|
</NAT>
|
|
<Policy id="id304850X79913" name="Policy" comment="" ro="False" ipv4_rule_set="True" ipv6_rule_set="True" top_rule_set="True">
|
|
<RuleSetOptions/>
|
|
</Policy>
|
|
<Routing id="id305013X79913" name="Routing" comment="" ro="False" ipv4_rule_set="False" ipv6_rule_set="False" top_rule_set="True">
|
|
<RuleSetOptions/>
|
|
</Routing>
|
|
<Interface id="id304840X79913" dedicated_failover="False" dyn="False" label="" security_level="50" unnum="False" unprotected="False" name="eth0" comment="" ro="False">
|
|
<IPv4 id="id304844X79913" name="firewall-ipv6-7:eth0:ip" comment="" ro="False" address="1.1.1.1" netmask="255.255.255.0"/>
|
|
<IPv6 id="id304845X79913" name="firewall-ipv6-7:eth0:ip6" comment="" ro="False" address="fe80::21d:9ff:fe8b:8e94" netmask="64"/>
|
|
<InterfaceOptions/>
|
|
</Interface>
|
|
<Interface id="id304847X79913" dedicated_failover="False" dyn="True" label="" mgmt="False" security_level="0" unnum="False" unprotected="False" name="eth1" comment="" ro="False">
|
|
<InterfaceOptions/>
|
|
</Interface>
|
|
<Management address="1.1.1.1">
|
|
<SNMPManagement enabled="False" snmp_read_community="" snmp_write_community=""/>
|
|
<FWBDManagement enabled="False" identity="" port="-1"/>
|
|
<PolicyInstallScript arguments="" command="" enabled="False"/>
|
|
</Management>
|
|
<FirewallOptions>
|
|
<Option name="accept_established">True</Option>
|
|
<Option name="accept_new_tcp_with_no_syn">True</Option>
|
|
<Option name="action_on_reject"/>
|
|
<Option name="activationCmd"/>
|
|
<Option name="add_check_state_rule">true</Option>
|
|
<Option name="add_rules_for_ipv6_neighbor_discovery">True</Option>
|
|
<Option name="admUser"/>
|
|
<Option name="altAddress"/>
|
|
<Option name="bridging_fw">False</Option>
|
|
<Option name="check_shading">True</Option>
|
|
<Option name="clamp_mss_to_mtu">True</Option>
|
|
<Option name="classify_mark_terminating">False</Option>
|
|
<Option name="cmdline">-xt</Option>
|
|
<Option name="compiler"/>
|
|
<Option name="configure_bonding_interfaces">False</Option>
|
|
<Option name="configure_bridge_interfaces">False</Option>
|
|
<Option name="configure_interfaces">True</Option>
|
|
<Option name="configure_vlan_interfaces">False</Option>
|
|
<Option name="debug">False</Option>
|
|
<Option name="drop_invalid">True</Option>
|
|
<Option name="eliminate_duplicates">true</Option>
|
|
<Option name="enable_ipv6">True</Option>
|
|
<Option name="epilog_script"/>
|
|
<Option name="firewall_dir">/etc</Option>
|
|
<Option name="firewall_is_part_of_any_and_networks">False</Option>
|
|
<Option name="freebsd_ip_forward">1</Option>
|
|
<Option name="ignore_empty_groups">False</Option>
|
|
<Option name="in_out_code">true</Option>
|
|
<Option name="iosacl_add_clear_statements">true</Option>
|
|
<Option name="iosacl_assume_fw_part_of_any">true</Option>
|
|
<Option name="iosacl_include_comments">true</Option>
|
|
<Option name="ipt_mangle_only_rulesets"/>
|
|
<Option name="ipv4_6_order">ipv4_first</Option>
|
|
<Option name="limit_suffix"/>
|
|
<Option name="limit_value">0</Option>
|
|
<Option name="linux24_accept_redirects"/>
|
|
<Option name="linux24_accept_source_route"/>
|
|
<Option name="linux24_icmp_echo_ignore_all"/>
|
|
<Option name="linux24_icmp_echo_ignore_broadcasts"/>
|
|
<Option name="linux24_icmp_ignore_bogus_error_responses"/>
|
|
<Option name="linux24_ip_dynaddr"/>
|
|
<Option name="linux24_ip_forward">1</Option>
|
|
<Option name="linux24_ipv6_forward">1</Option>
|
|
<Option name="linux24_log_martians"/>
|
|
<Option name="linux24_path_ip"/>
|
|
<Option name="linux24_path_ip6tables"/>
|
|
<Option name="linux24_path_ip6tables_restore"/>
|
|
<Option name="linux24_path_iptables"/>
|
|
<Option name="linux24_path_iptables_restore"/>
|
|
<Option name="linux24_path_logger"/>
|
|
<Option name="linux24_path_lsmod"/>
|
|
<Option name="linux24_path_modprobe"/>
|
|
<Option name="linux24_rp_filter"/>
|
|
<Option name="linux24_tcp_ecn"/>
|
|
<Option name="linux24_tcp_fack"/>
|
|
<Option name="linux24_tcp_fin_timeout">0</Option>
|
|
<Option name="linux24_tcp_keepalive_interval">0</Option>
|
|
<Option name="linux24_tcp_sack"/>
|
|
<Option name="linux24_tcp_syncookies"/>
|
|
<Option name="linux24_tcp_timestamps"/>
|
|
<Option name="linux24_tcp_window_scaling"/>
|
|
<Option name="load_modules">True</Option>
|
|
<Option name="local_nat">False</Option>
|
|
<Option name="log_all">False</Option>
|
|
<Option name="log_invalid">True</Option>
|
|
<Option name="log_ip_opt">False</Option>
|
|
<Option name="log_level">info</Option>
|
|
<Option name="log_prefix">RULE %N -- %A </Option>
|
|
<Option name="log_tcp_opt">False</Option>
|
|
<Option name="log_tcp_seq">False</Option>
|
|
<Option name="loopback_interface">lo0</Option>
|
|
<Option name="macosx_ip_forward">1</Option>
|
|
<Option name="manage_virtual_addr">True</Option>
|
|
<Option name="mgmt_addr"/>
|
|
<Option name="mgmt_ssh">False</Option>
|
|
<Option name="no_ipv6_default_policy">False</Option>
|
|
<Option name="openbsd_ip_forward">1</Option>
|
|
<Option name="output_file"/>
|
|
<Option name="pass_all_out">false</Option>
|
|
<Option name="pf_limit_frags">5000</Option>
|
|
<Option name="pf_limit_states">10000</Option>
|
|
<Option name="pf_scrub_maxmss">1460</Option>
|
|
<Option name="pf_timeout_frag">30</Option>
|
|
<Option name="pf_timeout_interval">10</Option>
|
|
<Option name="pix_add_clear_statements">true</Option>
|
|
<Option name="pix_assume_fw_part_of_any">true</Option>
|
|
<Option name="pix_default_logint">300</Option>
|
|
<Option name="pix_emblem_log_format">false</Option>
|
|
<Option name="pix_emulate_out_acl">true</Option>
|
|
<Option name="pix_floodguard">true</Option>
|
|
<Option name="pix_include_comments">true</Option>
|
|
<Option name="pix_route_dnat_supported">true</Option>
|
|
<Option name="pix_rule_syslog_settings">false</Option>
|
|
<Option name="pix_security_fragguard_supported">true</Option>
|
|
<Option name="pix_syslog_device_id_supported">false</Option>
|
|
<Option name="pix_use_acl_remarks">true</Option>
|
|
<Option name="prolog_place">top</Option>
|
|
<Option name="prolog_script"/>
|
|
<Option name="prompt1">$ </Option>
|
|
<Option name="prompt2"> # </Option>
|
|
<Option name="scpArgs"/>
|
|
<Option name="script_name_on_firewall"/>
|
|
<Option name="solaris_ip_forward">1</Option>
|
|
<Option name="sshArgs"/>
|
|
<Option name="ulog_cprange">0</Option>
|
|
<Option name="ulog_nlgroup">1</Option>
|
|
<Option name="ulog_qthreshold">1</Option>
|
|
<Option name="use_ULOG">True</Option>
|
|
<Option name="use_iptables_restore">True</Option>
|
|
<Option name="use_numeric_log_levels">False</Option>
|
|
<Option name="verify_interfaces">True</Option>
|
|
</FirewallOptions>
|
|
</Firewall>
|
|
<Firewall id="id49872X46711" host_OS="linux24" inactive="False" lastCompiled="1280365875" lastInstalled="0" lastModified="1280366034" platform="iptables" version="" name="firewall81" comment="This firewall has no &quot;top&quot; rule set objects." ro="False">
|
|
<NAT id="id49897X46711" name="NAT_2" comment="" ro="False" ipv4_rule_set="True" ipv6_rule_set="False" top_rule_set="False">
|
|
<NATRule id="id49898X46711" disabled="False" group="" position="0" action="NATBranch" comment="Branch rule with actual translation. Translation is ignored and warning should be issued">
|
|
<OSrc neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</OSrc>
|
|
<ODst neg="False">
|
|
<ObjectRef ref="id49880X46711"/>
|
|
</ODst>
|
|
<OSrv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</OSrv>
|
|
<TSrc neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</TSrc>
|
|
<TDst neg="False">
|
|
<ObjectRef ref="host-hostA"/>
|
|
</TDst>
|
|
<TSrv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</TSrv>
|
|
<ItfInb neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ItfInb>
|
|
<ItfOutb neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ItfOutb>
|
|
<NATRuleOptions>
|
|
<Option name="action_on_reject"/>
|
|
<Option name="branch_id">id71294X29790</Option>
|
|
<Option name="classify_str"/>
|
|
<Option name="custom_str"/>
|
|
<Option name="ipf_route_opt_addr"/>
|
|
<Option name="ipf_route_opt_if"/>
|
|
<Option name="ipf_route_option">route_through</Option>
|
|
<Option name="ipfw_classify_method">2</Option>
|
|
<Option name="ipfw_pipe_port_num">0</Option>
|
|
<Option name="ipfw_pipe_queue_num">0</Option>
|
|
<Option name="ipt_continue">False</Option>
|
|
<Option name="ipt_gw"/>
|
|
<Option name="ipt_iif"/>
|
|
<Option name="ipt_mark_connections">False</Option>
|
|
<Option name="ipt_oif"/>
|
|
<Option name="ipt_tee">False</Option>
|
|
<Option name="pf_fastroute">False</Option>
|
|
<Option name="pf_route_load_option">none</Option>
|
|
<Option name="pf_route_opt_addr"/>
|
|
<Option name="pf_route_opt_if"/>
|
|
<Option name="pf_route_option">none</Option>
|
|
<Option name="rule_name_accounting"/>
|
|
</NATRuleOptions>
|
|
</NATRule>
|
|
<NATRule id="id49912X46711" disabled="False" group="" position="1" action="NATBranch" comment="DNAT Rule">
|
|
<OSrc neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</OSrc>
|
|
<ODst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ODst>
|
|
<OSrv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</OSrv>
|
|
<TSrc neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</TSrc>
|
|
<TDst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</TDst>
|
|
<TSrv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</TSrv>
|
|
<ItfInb neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ItfInb>
|
|
<ItfOutb neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ItfOutb>
|
|
<NATRuleOptions>
|
|
<Option name="action_on_reject"/>
|
|
<Option name="branch_id">id71294X29790</Option>
|
|
<Option name="classify_str"/>
|
|
<Option name="custom_str"/>
|
|
<Option name="ipf_route_opt_addr"/>
|
|
<Option name="ipf_route_opt_if"/>
|
|
<Option name="ipf_route_option">route_through</Option>
|
|
<Option name="ipfw_classify_method">2</Option>
|
|
<Option name="ipfw_pipe_port_num">0</Option>
|
|
<Option name="ipfw_pipe_queue_num">0</Option>
|
|
<Option name="ipt_continue">False</Option>
|
|
<Option name="ipt_gw"/>
|
|
<Option name="ipt_iif"/>
|
|
<Option name="ipt_mark_connections">False</Option>
|
|
<Option name="ipt_oif"/>
|
|
<Option name="ipt_tee">False</Option>
|
|
<Option name="pf_fastroute">False</Option>
|
|
<Option name="pf_route_load_option">none</Option>
|
|
<Option name="pf_route_opt_addr"/>
|
|
<Option name="pf_route_opt_if"/>
|
|
<Option name="pf_route_option">none</Option>
|
|
<Option name="rule_name_accounting"/>
|
|
</NATRuleOptions>
|
|
</NATRule>
|
|
<RuleSetOptions/>
|
|
</NAT>
|
|
<NAT id="id49927X46711" name="NAT_1" comment="" ro="False" ipv4_rule_set="False" ipv6_rule_set="False" top_rule_set="False">
|
|
<NATRule id="id49928X46711" disabled="False" group="" position="0" action="Translate" comment="DNAT Rule">
|
|
<OSrc neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</OSrc>
|
|
<ODst neg="False">
|
|
<ObjectRef ref="id49880X46711"/>
|
|
</ODst>
|
|
<OSrv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</OSrv>
|
|
<TSrc neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</TSrc>
|
|
<TDst neg="False">
|
|
<ObjectRef ref="host-hostA"/>
|
|
</TDst>
|
|
<TSrv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</TSrv>
|
|
<ItfInb neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ItfInb>
|
|
<ItfOutb neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ItfOutb>
|
|
<NATRuleOptions/>
|
|
</NATRule>
|
|
<NATRule id="id49942X46711" disabled="False" group="" position="1" action="Translate" comment="SNAT rule">
|
|
<OSrc neg="False">
|
|
<ObjectRef ref="id3CEBFDFC"/>
|
|
</OSrc>
|
|
<ODst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ODst>
|
|
<OSrv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</OSrv>
|
|
<TSrc neg="False">
|
|
<ObjectRef ref="id49880X46711"/>
|
|
</TSrc>
|
|
<TDst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</TDst>
|
|
<TSrv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</TSrv>
|
|
<ItfInb neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ItfInb>
|
|
<ItfOutb neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ItfOutb>
|
|
<NATRuleOptions/>
|
|
</NATRule>
|
|
<RuleSetOptions/>
|
|
</NAT>
|
|
<Policy id="id49895X46711" name="Policy" comment="" ro="False" ipv4_rule_set="True" ipv6_rule_set="False" top_rule_set="False">
|
|
<PolicyRule id="id50007X46711" disabled="False" group="" log="True" position="0" action="Deny" direction="Both" comment="">
|
|
<Src neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="stateless">True</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<RuleSetOptions>
|
|
<Option name="mangle_only_rule_set">False</Option>
|
|
</RuleSetOptions>
|
|
</Policy>
|
|
<Policy id="id96003X46711" name="Policy_ipv6" comment="" ro="False" ipv4_rule_set="True" ipv6_rule_set="False" top_rule_set="False">
|
|
<RuleSetOptions>
|
|
<Option name="mangle_only_rule_set">False</Option>
|
|
</RuleSetOptions>
|
|
</Policy>
|
|
<Routing id="id49957X46711" name="Routing" comment="" ro="False" ipv4_rule_set="False" ipv6_rule_set="False" top_rule_set="True">
|
|
<RuleSetOptions/>
|
|
</Routing>
|
|
<Interface id="id49880X46711" dedicated_failover="False" dyn="False" label="" mgmt="False" security_level="0" unnum="False" unprotected="False" name="eth0" comment="VLAN interface" ro="False">
|
|
<IPv4 id="id49883X46711" name="firewall81:eth0:ip" comment="" ro="False" address="192.0.2.1" netmask="255.255.255.0"/>
|
|
<InterfaceOptions/>
|
|
</Interface>
|
|
<Interface id="id49885X46711" dedicated_failover="False" dyn="False" security_level="100" unnum="False" unprotected="False" name="lo" comment="" ro="False">
|
|
<IPv4 id="id49888X46711" name="firewall81:lo:ip" comment="" ro="False" address="127.0.0.1" netmask="255.0.0.0"/>
|
|
<InterfaceOptions/>
|
|
</Interface>
|
|
<Interface id="id49890X46711" dedicated_failover="False" dyn="False" label="" mgmt="True" security_level="100" unnum="False" unprotected="False" name="eth1" comment="" ro="False">
|
|
<IPv4 id="id49893X46711" name="firewall81:eth1:ip" comment="" ro="False" address="192.168.1.100" netmask="255.255.255.0"/>
|
|
<InterfaceOptions/>
|
|
</Interface>
|
|
<Management address="192.168.1.100">
|
|
<SNMPManagement enabled="False" snmp_read_community="public" snmp_write_community=""/>
|
|
<FWBDManagement enabled="True" identity="" port="9999"/>
|
|
<PolicyInstallScript arguments="" command="" enabled="False"/>
|
|
</Management>
|
|
<FirewallOptions>
|
|
<Option name="accept_established">True</Option>
|
|
<Option name="accept_new_tcp_with_no_syn">True</Option>
|
|
<Option name="action_on_reject">ICMP net unreachable</Option>
|
|
<Option name="bridging_fw">False</Option>
|
|
<Option name="check_shading">False</Option>
|
|
<Option name="clamp_mss_to_mtu">False</Option>
|
|
<Option name="cmdline"/>
|
|
<Option name="compiler"/>
|
|
<Option name="configure_interfaces">True</Option>
|
|
<Option name="debug">False</Option>
|
|
<Option name="dyn_addr">False</Option>
|
|
<Option name="firewall_is_part_of_any">True</Option>
|
|
<Option name="firewall_is_part_of_any_and_networks">True</Option>
|
|
<Option name="ignore_empty_groups">False</Option>
|
|
<Option name="inst_cmdline"/>
|
|
<Option name="inst_script"/>
|
|
<Option name="install_script"/>
|
|
<Option name="limit_suffix">/day</Option>
|
|
<Option name="limit_value">0</Option>
|
|
<Option name="linux24_accept_redirects"/>
|
|
<Option name="linux24_accept_source_route"/>
|
|
<Option name="linux24_icmp_echo_ignore_all"/>
|
|
<Option name="linux24_icmp_echo_ignore_broadcasts"/>
|
|
<Option name="linux24_icmp_ignore_bogus_error_responses"/>
|
|
<Option name="linux24_ip_dynaddr"/>
|
|
<Option name="linux24_ip_forward"/>
|
|
<Option name="linux24_log_martians"/>
|
|
<Option name="linux24_path_ip"/>
|
|
<Option name="linux24_path_iptables"/>
|
|
<Option name="linux24_path_logger"/>
|
|
<Option name="linux24_path_lsmod"/>
|
|
<Option name="linux24_path_modprobe"/>
|
|
<Option name="linux24_rp_filter"/>
|
|
<Option name="linux24_tcp_ecn"/>
|
|
<Option name="linux24_tcp_fack"/>
|
|
<Option name="linux24_tcp_fin_timeout">30</Option>
|
|
<Option name="linux24_tcp_keepalive_interval">1800</Option>
|
|
<Option name="linux24_tcp_sack"/>
|
|
<Option name="linux24_tcp_syncookies"/>
|
|
<Option name="linux24_tcp_timestamps"/>
|
|
<Option name="linux24_tcp_window_scaling"/>
|
|
<Option name="load_modules">False</Option>
|
|
<Option name="local_nat">False</Option>
|
|
<Option name="log_all">False</Option>
|
|
<Option name="log_all_dropped">False</Option>
|
|
<Option name="log_ip_opt">False</Option>
|
|
<Option name="log_level">debug</Option>
|
|
<Option name="log_limit_suffix">/second</Option>
|
|
<Option name="log_limit_value">0</Option>
|
|
<Option name="log_prefix">RULE %N -- %A on interface %I </Option>
|
|
<Option name="log_tcp_opt">False</Option>
|
|
<Option name="log_tcp_seq">False</Option>
|
|
<Option name="manage_virtual_addr">True</Option>
|
|
<Option name="no_iochains_for_any">False</Option>
|
|
<Option name="no_optimisation">False</Option>
|
|
<Option name="platform">iptables</Option>
|
|
<Option name="proxy_arp">False</Option>
|
|
<Option name="script_env_path"/>
|
|
<Option name="snmp_contact"/>
|
|
<Option name="snmp_description"/>
|
|
<Option name="snmp_location"/>
|
|
<Option name="ulog_cprange">0</Option>
|
|
<Option name="ulog_nlgroup">1</Option>
|
|
<Option name="ulog_qthreshold">1</Option>
|
|
<Option name="use_ULOG">False</Option>
|
|
<Option name="use_ip_tool">False</Option>
|
|
<Option name="use_numeric_log_levels">False</Option>
|
|
<Option name="verify_interfaces">False</Option>
|
|
</FirewallOptions>
|
|
</Firewall>
|
|
<Firewall id="id50164X27203" host_OS="linux24" inactive="False" lastCompiled="1272404351" lastInstalled="1142003872" lastModified="1263955845" platform="iptables" version="" name="firewall2-4" comment="tests for error conditions in NATCompiler_ipt::VerifyRules" ro="False">
|
|
<NAT id="id50575X27203" name="NAT" comment="" ro="False" ipv4_rule_set="False" ipv6_rule_set="False" top_rule_set="True">
|
|
<NATRule id="id50576X27203" disabled="False" group="" position="0" action="Translate" comment="">
|
|
<OSrc neg="False">
|
|
<ObjectRef ref="net-Internal_net"/>
|
|
</OSrc>
|
|
<ODst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ODst>
|
|
<OSrv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</OSrv>
|
|
<TSrc neg="True">
|
|
<ObjectRef ref="id50164X27203"/>
|
|
</TSrc>
|
|
<TDst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</TDst>
|
|
<TSrv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</TSrv>
|
|
<ItfInb neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ItfInb>
|
|
<ItfOutb neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ItfOutb>
|
|
<NATRuleOptions>
|
|
<Option name="id"/>
|
|
</NATRuleOptions>
|
|
</NATRule>
|
|
<NATRule id="id50590X27203" disabled="False" group="" position="1" action="Translate" comment="">
|
|
<OSrc neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</OSrc>
|
|
<ODst neg="False">
|
|
<ObjectRef ref="id50177X27203"/>
|
|
</ODst>
|
|
<OSrv neg="False">
|
|
<ServiceRef ref="tcp-HTTP"/>
|
|
</OSrv>
|
|
<TSrc neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</TSrc>
|
|
<TDst neg="True">
|
|
<ObjectRef ref="host-hostA"/>
|
|
</TDst>
|
|
<TSrv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</TSrv>
|
|
<ItfInb neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ItfInb>
|
|
<ItfOutb neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ItfOutb>
|
|
<NATRuleOptions>
|
|
<Option name="id"/>
|
|
</NATRuleOptions>
|
|
</NATRule>
|
|
<NATRule id="id50605X27203" disabled="False" group="" position="2" action="Translate" comment="">
|
|
<OSrc neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</OSrc>
|
|
<ODst neg="False">
|
|
<ObjectRef ref="id50177X27203"/>
|
|
</ODst>
|
|
<OSrv neg="False">
|
|
<ServiceRef ref="tcp-HTTP"/>
|
|
</OSrv>
|
|
<TSrc neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</TSrc>
|
|
<TDst neg="False">
|
|
<ObjectRef ref="host-hostA"/>
|
|
</TDst>
|
|
<TSrv neg="True">
|
|
<ServiceRef ref="id3B20468D"/>
|
|
</TSrv>
|
|
<ItfInb neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ItfInb>
|
|
<ItfOutb neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ItfOutb>
|
|
<NATRuleOptions>
|
|
<Option name="id"/>
|
|
</NATRuleOptions>
|
|
</NATRule>
|
|
<NATRule id="id50622X27203" disabled="False" group="" position="3" action="Translate" comment="">
|
|
<OSrc neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</OSrc>
|
|
<ODst neg="False">
|
|
<ObjectRef ref="id50177X27203"/>
|
|
</ODst>
|
|
<OSrv neg="False">
|
|
<ServiceRef ref="tcp-HTTP"/>
|
|
</OSrv>
|
|
<TSrc neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</TSrc>
|
|
<TDst neg="False">
|
|
<ObjectRef ref="host-hostA"/>
|
|
</TDst>
|
|
<TSrv neg="False">
|
|
<ServiceRef ref="id3B20468D"/>
|
|
<ServiceRef ref="tcp-SMTP"/>
|
|
</TSrv>
|
|
<ItfInb neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ItfInb>
|
|
<ItfOutb neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ItfOutb>
|
|
<NATRuleOptions>
|
|
<Option name="id"/>
|
|
</NATRuleOptions>
|
|
</NATRule>
|
|
<NATRule id="id847624X27203" disabled="False" group="" position="4" action="Translate" comment="">
|
|
<OSrc neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</OSrc>
|
|
<ODst neg="False">
|
|
<ObjectRef ref="id50177X27203"/>
|
|
</ODst>
|
|
<OSrv neg="False">
|
|
<ServiceRef ref="tcp-HTTP"/>
|
|
</OSrv>
|
|
<TSrc neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</TSrc>
|
|
<TDst neg="False">
|
|
<ObjectRef ref="host-hostA"/>
|
|
</TDst>
|
|
<TSrv neg="False">
|
|
<ServiceRef ref="id41D0F023"/>
|
|
</TSrv>
|
|
<ItfInb neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ItfInb>
|
|
<ItfOutb neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ItfOutb>
|
|
<NATRuleOptions/>
|
|
</NATRule>
|
|
<NATRule id="id1040880X27203" disabled="False" group="" position="5" action="Translate" comment="">
|
|
<OSrc neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</OSrc>
|
|
<ODst neg="False">
|
|
<ObjectRef ref="id50177X27203"/>
|
|
</ODst>
|
|
<OSrv neg="False">
|
|
<ServiceRef ref="tcp-HTTP"/>
|
|
</OSrv>
|
|
<TSrc neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</TSrc>
|
|
<TDst neg="False">
|
|
<ObjectRef ref="host-hostA"/>
|
|
<ObjectRef ref="host-hostB"/>
|
|
</TDst>
|
|
<TSrv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</TSrv>
|
|
<ItfInb neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ItfInb>
|
|
<ItfOutb neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ItfOutb>
|
|
<NATRuleOptions/>
|
|
</NATRule>
|
|
<NATRule id="id50636X27203" disabled="False" group="" position="6" action="Translate" comment="">
|
|
<OSrc neg="False">
|
|
<ObjectRef ref="net-Internal_net"/>
|
|
</OSrc>
|
|
<ODst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ODst>
|
|
<OSrv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</OSrv>
|
|
<TSrc neg="False">
|
|
<ObjectRef ref="host-hostA"/>
|
|
<ObjectRef ref="host-hostB"/>
|
|
</TSrc>
|
|
<TDst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</TDst>
|
|
<TSrv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</TSrv>
|
|
<ItfInb neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ItfInb>
|
|
<ItfOutb neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ItfOutb>
|
|
<NATRuleOptions>
|
|
<Option name="id"/>
|
|
</NATRuleOptions>
|
|
</NATRule>
|
|
<NATRule id="id1404055X27203" disabled="False" group="" position="7" action="NATBranch" comment="">
|
|
<OSrc neg="False">
|
|
<ObjectRef ref="net-Internal_net"/>
|
|
</OSrc>
|
|
<ODst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ODst>
|
|
<OSrv neg="False">
|
|
<ServiceRef ref="tcp-HTTP"/>
|
|
</OSrv>
|
|
<TSrc neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</TSrc>
|
|
<TDst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</TDst>
|
|
<TSrv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</TSrv>
|
|
<ItfInb neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ItfInb>
|
|
<ItfOutb neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ItfOutb>
|
|
<NATRuleOptions/>
|
|
</NATRule>
|
|
<NATRule id="id50650X27203" disabled="False" group="" position="8" action="Translate" comment="">
|
|
<OSrc neg="False">
|
|
<ObjectRef ref="net-Internal_net"/>
|
|
</OSrc>
|
|
<ODst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ODst>
|
|
<OSrv neg="False">
|
|
<ServiceRef ref="tcp-HTTP"/>
|
|
</OSrv>
|
|
<TSrc neg="False">
|
|
<ObjectRef ref="id3B665641"/>
|
|
</TSrc>
|
|
<TDst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</TDst>
|
|
<TSrv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</TSrv>
|
|
<ItfInb neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ItfInb>
|
|
<ItfOutb neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ItfOutb>
|
|
<NATRuleOptions>
|
|
<Option name="id"/>
|
|
</NATRuleOptions>
|
|
</NATRule>
|
|
<NATRule id="id50664X27203" disabled="False" group="" position="9" action="Translate" comment="">
|
|
<OSrc neg="False">
|
|
<ObjectRef ref="net-Internal_net"/>
|
|
</OSrc>
|
|
<ODst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ODst>
|
|
<OSrv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</OSrv>
|
|
<TSrc neg="False">
|
|
<ObjectRef ref="id50182X27203"/>
|
|
</TSrc>
|
|
<TDst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</TDst>
|
|
<TSrv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</TSrv>
|
|
<ItfInb neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ItfInb>
|
|
<ItfOutb neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ItfOutb>
|
|
<NATRuleOptions>
|
|
<Option name="id"/>
|
|
</NATRuleOptions>
|
|
</NATRule>
|
|
<NATRule id="id50692X27203" disabled="False" group="" position="10" action="Translate" comment="">
|
|
<OSrc neg="False">
|
|
<ObjectRef ref="net-Internal_net"/>
|
|
</OSrc>
|
|
<ODst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ODst>
|
|
<OSrv neg="False">
|
|
<ServiceRef ref="tcp-HTTP"/>
|
|
</OSrv>
|
|
<TSrc neg="False">
|
|
<ObjectRef ref="id3DE71E90"/>
|
|
</TSrc>
|
|
<TDst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</TDst>
|
|
<TSrv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</TSrv>
|
|
<ItfInb neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ItfInb>
|
|
<ItfOutb neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ItfOutb>
|
|
<NATRuleOptions/>
|
|
</NATRule>
|
|
<NATRule id="id50707X27203" disabled="False" group="" position="11" action="Translate" comment="">
|
|
<OSrc neg="False">
|
|
<ObjectRef ref="net-Internal_net"/>
|
|
</OSrc>
|
|
<ODst neg="False">
|
|
<ObjectRef ref="id3B022266"/>
|
|
</ODst>
|
|
<OSrv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</OSrv>
|
|
<TSrc neg="False">
|
|
<ObjectRef ref="id50193X27203"/>
|
|
</TSrc>
|
|
<TDst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</TDst>
|
|
<TSrv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</TSrv>
|
|
<ItfInb neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ItfInb>
|
|
<ItfOutb neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ItfOutb>
|
|
<NATRuleOptions/>
|
|
</NATRule>
|
|
<NATRule id="id2201304X27203" disabled="False" group="" position="12" action="Translate" comment="">
|
|
<OSrc neg="False">
|
|
<ObjectRef ref="net-Internal_net"/>
|
|
</OSrc>
|
|
<ODst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ODst>
|
|
<OSrv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</OSrv>
|
|
<TSrc neg="False">
|
|
<ObjectRef ref="host-hostA"/>
|
|
</TSrc>
|
|
<TDst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</TDst>
|
|
<TSrv neg="False">
|
|
<ServiceRef ref="tcp-HTTP"/>
|
|
</TSrv>
|
|
<ItfInb neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ItfInb>
|
|
<ItfOutb neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ItfOutb>
|
|
<NATRuleOptions/>
|
|
</NATRule>
|
|
<NATRule id="id2389233X27203" disabled="False" group="" position="13" action="Translate" comment="">
|
|
<OSrc neg="False">
|
|
<ObjectRef ref="net-Internal_net"/>
|
|
</OSrc>
|
|
<ODst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ODst>
|
|
<OSrv neg="False">
|
|
<ServiceRef ref="id46627X95438"/>
|
|
</OSrv>
|
|
<TSrc neg="False">
|
|
<ObjectRef ref="id50177X27203"/>
|
|
</TSrc>
|
|
<TDst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</TDst>
|
|
<TSrv neg="False">
|
|
<ServiceRef ref="id3CE719F5"/>
|
|
</TSrv>
|
|
<ItfInb neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ItfInb>
|
|
<ItfOutb neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ItfOutb>
|
|
<NATRuleOptions/>
|
|
</NATRule>
|
|
<NATRule id="id2976927X27203" disabled="False" group="" position="14" action="Translate" comment="">
|
|
<OSrc neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</OSrc>
|
|
<ODst neg="False">
|
|
<ObjectRef ref="id50177X27203"/>
|
|
</ODst>
|
|
<OSrv neg="False">
|
|
<ServiceRef ref="id46492X95438"/>
|
|
</OSrv>
|
|
<TSrc neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</TSrc>
|
|
<TDst neg="False">
|
|
<ObjectRef ref="host-hostA"/>
|
|
</TDst>
|
|
<TSrv neg="False">
|
|
<ServiceRef ref="id69386X25753"/>
|
|
</TSrv>
|
|
<ItfInb neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ItfInb>
|
|
<ItfOutb neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ItfOutb>
|
|
<NATRuleOptions/>
|
|
</NATRule>
|
|
<RuleSetOptions/>
|
|
</NAT>
|
|
<Policy id="id50201X27203" name="Policy" comment="" ro="False" ipv4_rule_set="False" ipv6_rule_set="False" top_rule_set="True">
|
|
<PolicyRule id="id50562X27203" disabled="False" group="" log="True" position="0" action="Deny" direction="Both" comment="'catch all' rule">
|
|
<Src neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="id"/>
|
|
<Option name="stateless">True</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<RuleSetOptions/>
|
|
</Policy>
|
|
<Routing id="id51292X27203" name="Routing" comment="" ro="False" ipv4_rule_set="False" ipv6_rule_set="False" top_rule_set="True">
|
|
<RuleSetOptions/>
|
|
</Routing>
|
|
<Interface id="id50172X27203" dedicated_failover="False" dyn="False" label="" mgmt="True" security_level="100" unnum="False" unprotected="False" name="eth0" comment="" ro="False">
|
|
<IPv4 id="id50175X27203" name="fw2:eth0:ip - internal" comment="" ro="False" address="192.168.1.1" netmask="255.255.255.0"/>
|
|
<InterfaceOptions/>
|
|
</Interface>
|
|
<Interface id="id50177X27203" dedicated_failover="False" dyn="False" security_level="0" unnum="False" unprotected="False" name="eth1" comment="" ro="False">
|
|
<IPv4 id="id50180X27203" name="fw2:eth1:ip - external" comment="" ro="False" address="22.22.22.22" netmask="255.255.255.0"/>
|
|
<InterfaceOptions/>
|
|
</Interface>
|
|
<Interface id="id50182X27203" dedicated_failover="False" dyn="False" label="" mgmt="False" security_level="0" unnum="True" unprotected="False" name="eth3" comment="" ro="False">
|
|
<InterfaceOptions/>
|
|
</Interface>
|
|
<Interface id="id50189X27203" dedicated_failover="False" dyn="False" security_level="100" unnum="False" unprotected="False" name="eth2" comment="" ro="False">
|
|
<IPv4 id="id50193X27203" name="fw2:eth2:1" comment="" ro="False" address="192.168.2.1" netmask="255.255.255.0"/>
|
|
<IPv4 id="id50194X27203" name="fw2:eth2:2" comment="" ro="False" address="192.168.2.40" netmask="255.255.255.0"/>
|
|
<InterfaceOptions/>
|
|
</Interface>
|
|
<Interface id="id50196X27203" dedicated_failover="False" dyn="False" label="" security_level="100" unnum="False" unprotected="False" name="lo" comment="" ro="False">
|
|
<IPv4 id="id50199X27203" name="address" comment="" ro="False" address="127.0.0.1" netmask="255.0.0.0"/>
|
|
<InterfaceOptions/>
|
|
</Interface>
|
|
<Management address="192.168.1.1">
|
|
<SNMPManagement enabled="False" snmp_read_community="public" snmp_write_community=""/>
|
|
<FWBDManagement enabled="True" identity="" port="9999"/>
|
|
<PolicyInstallScript arguments="" command="" enabled="False"/>
|
|
</Management>
|
|
<FirewallOptions>
|
|
<Option name="accept_established">True</Option>
|
|
<Option name="accept_new_tcp_with_no_syn">False</Option>
|
|
<Option name="action_on_reject">ICMP net unreachable</Option>
|
|
<Option name="activationCmd"/>
|
|
<Option name="admUser"/>
|
|
<Option name="altAddress"/>
|
|
<Option name="bridging_fw">False</Option>
|
|
<Option name="check_shading">True</Option>
|
|
<Option name="clamp_mss_to_mtu">True</Option>
|
|
<Option name="classify_mark_terminating">False</Option>
|
|
<Option name="cmdline">-xt</Option>
|
|
<Option name="compiler"/>
|
|
<Option name="configure_interfaces">True</Option>
|
|
<Option name="debug">False</Option>
|
|
<Option name="drop_invalid">True</Option>
|
|
<Option name="dyn_addr">False</Option>
|
|
<Option name="epilog_script"/>
|
|
<Option name="firewall_dir"/>
|
|
<Option name="firewall_is_part_of_any">True</Option>
|
|
<Option name="firewall_is_part_of_any_and_networks">True</Option>
|
|
<Option name="id"/>
|
|
<Option name="ignore_empty_groups">False</Option>
|
|
<Option name="inst_cmdline"/>
|
|
<Option name="inst_script"/>
|
|
<Option name="install_script"/>
|
|
<Option name="ipv4_6_order">ipv4_first</Option>
|
|
<Option name="limit_suffix">/second</Option>
|
|
<Option name="limit_value">5</Option>
|
|
<Option name="linux24_accept_redirects">0</Option>
|
|
<Option name="linux24_accept_source_route">0</Option>
|
|
<Option name="linux24_icmp_echo_ignore_all">1</Option>
|
|
<Option name="linux24_icmp_echo_ignore_broadcasts"/>
|
|
<Option name="linux24_icmp_ignore_bogus_error_responses">1</Option>
|
|
<Option name="linux24_ip_dynaddr"/>
|
|
<Option name="linux24_ip_forward">1</Option>
|
|
<Option name="linux24_log_martians">1</Option>
|
|
<Option name="linux24_path_ip"/>
|
|
<Option name="linux24_path_iptables"/>
|
|
<Option name="linux24_path_logger"/>
|
|
<Option name="linux24_path_lsmod"/>
|
|
<Option name="linux24_path_modprobe"/>
|
|
<Option name="linux24_rp_filter">1</Option>
|
|
<Option name="linux24_tcp_ecn"/>
|
|
<Option name="linux24_tcp_fack"/>
|
|
<Option name="linux24_tcp_fin_timeout">30</Option>
|
|
<Option name="linux24_tcp_keepalive_interval">1800</Option>
|
|
<Option name="linux24_tcp_sack"/>
|
|
<Option name="linux24_tcp_syncookies"/>
|
|
<Option name="linux24_tcp_timestamps"/>
|
|
<Option name="linux24_tcp_window_scaling"/>
|
|
<Option name="load_modules">False</Option>
|
|
<Option name="local_nat">True</Option>
|
|
<Option name="log_all">False</Option>
|
|
<Option name="log_all_dropped">True</Option>
|
|
<Option name="log_invalid">True</Option>
|
|
<Option name="log_ip_opt">False</Option>
|
|
<Option name="log_level">debug</Option>
|
|
<Option name="log_limit_suffix">/second</Option>
|
|
<Option name="log_limit_value">0</Option>
|
|
<Option name="log_prefix">RULE %N - %A **</Option>
|
|
<Option name="log_tcp_opt">False</Option>
|
|
<Option name="log_tcp_seq">False</Option>
|
|
<Option name="manage_virtual_addr">True</Option>
|
|
<Option name="mgmt_addr"/>
|
|
<Option name="mgmt_ssh">False</Option>
|
|
<Option name="no_iochains_for_any">False</Option>
|
|
<Option name="no_ipv6_default_policy">False</Option>
|
|
<Option name="no_optimisation">False</Option>
|
|
<Option name="output_file"/>
|
|
<Option name="platform">iptables</Option>
|
|
<Option name="prolog_place">after_flush</Option>
|
|
<Option name="prolog_script"/>
|
|
<Option name="proxy_arp">True</Option>
|
|
<Option name="scpArgs"/>
|
|
<Option name="script_env_path"/>
|
|
<Option name="snmp_contact"/>
|
|
<Option name="snmp_description"/>
|
|
<Option name="snmp_location"/>
|
|
<Option name="sshArgs"/>
|
|
<Option name="ulog_cprange">0</Option>
|
|
<Option name="ulog_nlgroup">1</Option>
|
|
<Option name="ulog_qthreshold">1</Option>
|
|
<Option name="useULOG">False</Option>
|
|
<Option name="use_ULOG">True</Option>
|
|
<Option name="use_ip_tool">True</Option>
|
|
<Option name="use_iptables_restore">False</Option>
|
|
<Option name="use_numeric_log_levels">False</Option>
|
|
<Option name="verify_interfaces">False</Option>
|
|
</FirewallOptions>
|
|
</Firewall>
|
|
<Firewall id="id433918X83572" host_OS="linux24" inactive="False" lastCompiled="1272404353" lastInstalled="1142003872" lastModified="1264468897" platform="iptables" version="" name="firewall2-5" comment="various tests for the &quot;-o itf&quot; clause in SNAT rules" ro="False">
|
|
<NAT id="id433965X83572" name="NAT" comment="" ro="False" ipv4_rule_set="False" ipv6_rule_set="False" top_rule_set="True">
|
|
<NATRule id="id1261473X83572" disabled="False" group="" position="0" action="Translate" comment="NETMAP and no -o itf">
|
|
<OSrc neg="False">
|
|
<ObjectRef ref="net-Internal_net"/>
|
|
</OSrc>
|
|
<ODst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ODst>
|
|
<OSrv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</OSrv>
|
|
<TSrc neg="False">
|
|
<ObjectRef ref="id3B665641"/>
|
|
</TSrc>
|
|
<TDst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</TDst>
|
|
<TSrv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</TSrv>
|
|
<ItfInb neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ItfInb>
|
|
<ItfOutb neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ItfOutb>
|
|
<NATRuleOptions>
|
|
<Option name="id"/>
|
|
</NATRuleOptions>
|
|
</NATRule>
|
|
<NATRule id="id1072290X83572" disabled="False" group="" position="1" action="Translate" comment="">
|
|
<OSrc neg="False">
|
|
<ObjectRef ref="net-Internal_net"/>
|
|
</OSrc>
|
|
<ODst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ODst>
|
|
<OSrv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</OSrv>
|
|
<TSrc neg="False">
|
|
<ObjectRef ref="id3DECF4EB"/>
|
|
</TSrc>
|
|
<TDst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</TDst>
|
|
<TSrv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</TSrv>
|
|
<ItfInb neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ItfInb>
|
|
<ItfOutb neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ItfOutb>
|
|
<NATRuleOptions>
|
|
<Option name="id"/>
|
|
</NATRuleOptions>
|
|
</NATRule>
|
|
<NATRule id="id1971843X83572" disabled="False" group="" position="2" action="Translate" comment="	">
|
|
<OSrc neg="False">
|
|
<ObjectRef ref="net-Internal_net"/>
|
|
</OSrc>
|
|
<ODst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ODst>
|
|
<OSrv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</OSrv>
|
|
<TSrc neg="False">
|
|
<ObjectRef ref="id1971809X83572"/>
|
|
</TSrc>
|
|
<TDst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</TDst>
|
|
<TSrv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</TSrv>
|
|
<ItfInb neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ItfInb>
|
|
<ItfOutb neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ItfOutb>
|
|
<NATRuleOptions>
|
|
<Option name="id"/>
|
|
</NATRuleOptions>
|
|
</NATRule>
|
|
<NATRule id="id2327300X83572" disabled="False" group="" position="3" action="Translate" comment="	">
|
|
<OSrc neg="False">
|
|
<ObjectRef ref="net-Internal_net"/>
|
|
</OSrc>
|
|
<ODst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ODst>
|
|
<OSrv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</OSrv>
|
|
<TSrc neg="False">
|
|
<ObjectRef ref="id433934X83572"/>
|
|
</TSrc>
|
|
<TDst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</TDst>
|
|
<TSrv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</TSrv>
|
|
<ItfInb neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ItfInb>
|
|
<ItfOutb neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ItfOutb>
|
|
<NATRuleOptions>
|
|
<Option name="id"/>
|
|
</NATRuleOptions>
|
|
</NATRule>
|
|
<NATRule id="id481529X83572" disabled="False" group="" position="4" action="Translate" comment="should be -o eth1">
|
|
<OSrc neg="False">
|
|
<ObjectRef ref="net-Internal_net"/>
|
|
</OSrc>
|
|
<ODst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ODst>
|
|
<OSrv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</OSrv>
|
|
<TSrc neg="False">
|
|
<ObjectRef ref="id3CEBFF28"/>
|
|
</TSrc>
|
|
<TDst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</TDst>
|
|
<TSrv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</TSrv>
|
|
<ItfInb neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ItfInb>
|
|
<ItfOutb neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ItfOutb>
|
|
<NATRuleOptions>
|
|
<Option name="id"/>
|
|
</NATRuleOptions>
|
|
</NATRule>
|
|
<NATRule id="id433966X83572" disabled="False" group="" position="5" action="Translate" comment="should be -o eth2">
|
|
<OSrc neg="False">
|
|
<ObjectRef ref="net-Internal_net"/>
|
|
</OSrc>
|
|
<ODst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ODst>
|
|
<OSrv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</OSrv>
|
|
<TSrc neg="False">
|
|
<ObjectRef ref="id504951X83572"/>
|
|
</TSrc>
|
|
<TDst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</TDst>
|
|
<TSrv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</TSrv>
|
|
<ItfInb neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ItfInb>
|
|
<ItfOutb neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ItfOutb>
|
|
<NATRuleOptions>
|
|
<Option name="id"/>
|
|
</NATRuleOptions>
|
|
</NATRule>
|
|
<NATRule id="id1380877X2261" disabled="False" group="" position="6" action="Translate" comment="">
|
|
<OSrc neg="False">
|
|
<ObjectRef ref="net-Internal_net"/>
|
|
</OSrc>
|
|
<ODst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ODst>
|
|
<OSrv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</OSrv>
|
|
<TSrc neg="False">
|
|
<ObjectRef ref="id1380862X2261"/>
|
|
</TSrc>
|
|
<TDst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</TDst>
|
|
<TSrv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</TSrv>
|
|
<ItfInb neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ItfInb>
|
|
<ItfOutb neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ItfOutb>
|
|
<NATRuleOptions/>
|
|
</NATRule>
|
|
<NATRule id="id528405X83572" disabled="False" group="" position="7" action="Translate" comment="partially matches eth3">
|
|
<OSrc neg="False">
|
|
<ObjectRef ref="net-Internal_net"/>
|
|
</OSrc>
|
|
<ODst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ODst>
|
|
<OSrv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</OSrv>
|
|
<TSrc neg="False">
|
|
<ObjectRef ref="id528432X83572"/>
|
|
</TSrc>
|
|
<TDst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</TDst>
|
|
<TSrv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</TSrv>
|
|
<ItfInb neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ItfInb>
|
|
<ItfOutb neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ItfOutb>
|
|
<NATRuleOptions>
|
|
<Option name="id"/>
|
|
</NATRuleOptions>
|
|
</NATRule>
|
|
<NATRule id="id528530X83572" disabled="False" group="" position="8" action="Translate" comment="should be two rules: -o eth2 and -o eth3">
|
|
<OSrc neg="False">
|
|
<ObjectRef ref="net-Internal_net"/>
|
|
</OSrc>
|
|
<ODst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ODst>
|
|
<OSrv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</OSrv>
|
|
<TSrc neg="False">
|
|
<ObjectRef ref="id528565X83572"/>
|
|
</TSrc>
|
|
<TDst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</TDst>
|
|
<TSrv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</TSrv>
|
|
<ItfInb neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ItfInb>
|
|
<ItfOutb neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ItfOutb>
|
|
<NATRuleOptions>
|
|
<Option name="id"/>
|
|
</NATRuleOptions>
|
|
</NATRule>
|
|
<NATRule id="id51150X85535" disabled="False" group="" position="9" action="Translate" comment="should be -o eth2">
|
|
<OSrc neg="False">
|
|
<ObjectRef ref="net-Internal_net"/>
|
|
</OSrc>
|
|
<ODst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ODst>
|
|
<OSrv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</OSrv>
|
|
<TSrc neg="False">
|
|
<ObjectRef ref="id433939X83572"/>
|
|
</TSrc>
|
|
<TDst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</TDst>
|
|
<TSrv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</TSrv>
|
|
<ItfInb neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ItfInb>
|
|
<ItfOutb neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ItfOutb>
|
|
<NATRuleOptions>
|
|
<Option name="id"/>
|
|
</NATRuleOptions>
|
|
</NATRule>
|
|
<RuleSetOptions/>
|
|
</NAT>
|
|
<Policy id="id433951X83572" name="Policy" comment="" ro="False" ipv4_rule_set="False" ipv6_rule_set="False" top_rule_set="True">
|
|
<PolicyRule id="id433952X83572" disabled="False" group="" log="True" position="0" action="Deny" direction="Both" comment="'catch all' rule">
|
|
<Src neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="id"/>
|
|
<Option name="stateless">True</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<RuleSetOptions/>
|
|
</Policy>
|
|
<Routing id="id434180X83572" name="Routing" comment="" ro="False" ipv4_rule_set="False" ipv6_rule_set="False" top_rule_set="True">
|
|
<RuleSetOptions/>
|
|
</Routing>
|
|
<Interface id="id433926X83572" dedicated_failover="False" dyn="False" label="" mgmt="True" security_level="100" unnum="False" unprotected="False" name="eth0" comment="" ro="False">
|
|
<IPv4 id="id433929X83572" name="firewall2-5:eth0:ip" comment="" ro="False" address="192.168.1.1" netmask="255.255.255.0"/>
|
|
<InterfaceOptions/>
|
|
</Interface>
|
|
<Interface id="id433931X83572" dedicated_failover="False" dyn="False" security_level="0" unnum="False" unprotected="False" name="eth1" comment="" ro="False">
|
|
<IPv4 id="id433934X83572" name="firewall2-5:eth1:ip" comment="" ro="False" address="222.222.222.222" netmask="255.255.255.0"/>
|
|
<InterfaceOptions/>
|
|
</Interface>
|
|
<Interface id="id433936X83572" dedicated_failover="False" dyn="False" label="" mgmt="False" security_level="0" unnum="False" unprotected="False" name="eth3" comment="" ro="False">
|
|
<IPv4 id="id1379494X84720" name="firewall2-5:eth3:ip" comment="subnet 33.33.33.24-31" ro="False" address="33.33.33.25" netmask="255.255.255.248"/>
|
|
<InterfaceOptions/>
|
|
</Interface>
|
|
<Interface id="id433939X83572" dedicated_failover="False" dyn="False" security_level="100" unnum="False" unprotected="False" name="eth2" comment="" ro="False">
|
|
<IPv4 id="id433943X83572" name="firewall2-5:eth2:ip" comment="" ro="False" address="33.33.33.3" netmask="255.255.255.248"/>
|
|
<IPv4 id="id51114X85535" name="firewall2-5:eth2:ip-1" comment="" ro="False" address="33.33.33.4" netmask="255.255.255.248"/>
|
|
<InterfaceOptions/>
|
|
</Interface>
|
|
<Interface id="id433946X83572" dedicated_failover="False" dyn="False" label="" security_level="100" unnum="False" unprotected="False" name="lo" comment="" ro="False">
|
|
<IPv4 id="id433949X83572" name="firewall2-5:lo:ip" comment="" ro="False" address="127.0.0.1" netmask="255.0.0.0"/>
|
|
<InterfaceOptions/>
|
|
</Interface>
|
|
<Management address="192.168.1.1">
|
|
<SNMPManagement enabled="False" snmp_read_community="public" snmp_write_community=""/>
|
|
<FWBDManagement enabled="True" identity="" port="9999"/>
|
|
<PolicyInstallScript arguments="" command="" enabled="False"/>
|
|
</Management>
|
|
<FirewallOptions>
|
|
<Option name="accept_established">True</Option>
|
|
<Option name="accept_new_tcp_with_no_syn">False</Option>
|
|
<Option name="action_on_reject">ICMP net unreachable</Option>
|
|
<Option name="activationCmd"/>
|
|
<Option name="admUser"/>
|
|
<Option name="altAddress"/>
|
|
<Option name="bridging_fw">False</Option>
|
|
<Option name="check_shading">True</Option>
|
|
<Option name="clamp_mss_to_mtu">True</Option>
|
|
<Option name="classify_mark_terminating">False</Option>
|
|
<Option name="cmdline">-xt</Option>
|
|
<Option name="compiler"/>
|
|
<Option name="configure_interfaces">True</Option>
|
|
<Option name="debug">False</Option>
|
|
<Option name="drop_invalid">True</Option>
|
|
<Option name="dyn_addr">False</Option>
|
|
<Option name="epilog_script"/>
|
|
<Option name="firewall_dir"/>
|
|
<Option name="firewall_is_part_of_any">True</Option>
|
|
<Option name="firewall_is_part_of_any_and_networks">True</Option>
|
|
<Option name="id"/>
|
|
<Option name="ignore_empty_groups">False</Option>
|
|
<Option name="inst_cmdline"/>
|
|
<Option name="inst_script"/>
|
|
<Option name="install_script"/>
|
|
<Option name="ipv4_6_order">ipv4_first</Option>
|
|
<Option name="limit_suffix">/second</Option>
|
|
<Option name="limit_value">5</Option>
|
|
<Option name="linux24_accept_redirects">0</Option>
|
|
<Option name="linux24_accept_source_route">0</Option>
|
|
<Option name="linux24_icmp_echo_ignore_all">1</Option>
|
|
<Option name="linux24_icmp_echo_ignore_broadcasts"/>
|
|
<Option name="linux24_icmp_ignore_bogus_error_responses">1</Option>
|
|
<Option name="linux24_ip_dynaddr"/>
|
|
<Option name="linux24_ip_forward">1</Option>
|
|
<Option name="linux24_log_martians">1</Option>
|
|
<Option name="linux24_path_ip"/>
|
|
<Option name="linux24_path_iptables"/>
|
|
<Option name="linux24_path_logger"/>
|
|
<Option name="linux24_path_lsmod"/>
|
|
<Option name="linux24_path_modprobe"/>
|
|
<Option name="linux24_rp_filter">1</Option>
|
|
<Option name="linux24_tcp_ecn"/>
|
|
<Option name="linux24_tcp_fack"/>
|
|
<Option name="linux24_tcp_fin_timeout">30</Option>
|
|
<Option name="linux24_tcp_keepalive_interval">1800</Option>
|
|
<Option name="linux24_tcp_sack"/>
|
|
<Option name="linux24_tcp_syncookies"/>
|
|
<Option name="linux24_tcp_timestamps"/>
|
|
<Option name="linux24_tcp_window_scaling"/>
|
|
<Option name="load_modules">False</Option>
|
|
<Option name="local_nat">True</Option>
|
|
<Option name="log_all">False</Option>
|
|
<Option name="log_all_dropped">True</Option>
|
|
<Option name="log_invalid">True</Option>
|
|
<Option name="log_ip_opt">False</Option>
|
|
<Option name="log_level">debug</Option>
|
|
<Option name="log_limit_suffix">/second</Option>
|
|
<Option name="log_limit_value">0</Option>
|
|
<Option name="log_prefix">RULE %N - %A **</Option>
|
|
<Option name="log_tcp_opt">False</Option>
|
|
<Option name="log_tcp_seq">False</Option>
|
|
<Option name="manage_virtual_addr">True</Option>
|
|
<Option name="mgmt_addr"/>
|
|
<Option name="mgmt_ssh">False</Option>
|
|
<Option name="no_iochains_for_any">False</Option>
|
|
<Option name="no_ipv6_default_policy">False</Option>
|
|
<Option name="no_optimisation">False</Option>
|
|
<Option name="output_file"/>
|
|
<Option name="platform">iptables</Option>
|
|
<Option name="prolog_place">after_flush</Option>
|
|
<Option name="prolog_script"/>
|
|
<Option name="proxy_arp">True</Option>
|
|
<Option name="scpArgs"/>
|
|
<Option name="script_env_path"/>
|
|
<Option name="snmp_contact"/>
|
|
<Option name="snmp_description"/>
|
|
<Option name="snmp_location"/>
|
|
<Option name="sshArgs"/>
|
|
<Option name="ulog_cprange">0</Option>
|
|
<Option name="ulog_nlgroup">1</Option>
|
|
<Option name="ulog_qthreshold">1</Option>
|
|
<Option name="useULOG">False</Option>
|
|
<Option name="use_ULOG">True</Option>
|
|
<Option name="use_ip_tool">True</Option>
|
|
<Option name="use_iptables_restore">False</Option>
|
|
<Option name="use_numeric_log_levels">False</Option>
|
|
<Option name="verify_interfaces">False</Option>
|
|
</FirewallOptions>
|
|
</Firewall>
|
|
<Firewall id="id218915X73327" host_OS="linux24" inactive="False" lastCompiled="1272404364" lastInstalled="1142003872" lastModified="1264554293" platform="iptables" version="1.4.3" name="firewall21-1" comment="two dynamic interfaces in the same policy or NAT rule; iptables v1.4.3" ro="False">
|
|
<NAT id="id218992X73327" name="NAT" comment="" ro="False" ipv4_rule_set="False" ipv6_rule_set="False" top_rule_set="True">
|
|
<NATRule id="id218993X73327" disabled="False" group="" position="0" action="Translate" comment="">
|
|
<OSrc neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</OSrc>
|
|
<ODst neg="False">
|
|
<ObjectRef ref="id218923X73327"/>
|
|
<ObjectRef ref="id218926X73327"/>
|
|
</ODst>
|
|
<OSrv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</OSrv>
|
|
<TSrc neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</TSrc>
|
|
<TDst neg="False">
|
|
<ObjectRef ref="host-hostA"/>
|
|
</TDst>
|
|
<TSrv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</TSrv>
|
|
<ItfInb neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ItfInb>
|
|
<ItfOutb neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ItfOutb>
|
|
<NATRuleOptions/>
|
|
</NATRule>
|
|
<NATRule id="id219008X73327" disabled="False" group="" position="1" action="Translate" comment="">
|
|
<OSrc neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</OSrc>
|
|
<ODst neg="False">
|
|
<ObjectRef ref="id218923X73327"/>
|
|
<ObjectRef ref="id218926X73327"/>
|
|
</ODst>
|
|
<OSrv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</OSrv>
|
|
<TSrc neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</TSrc>
|
|
<TDst neg="False">
|
|
<ObjectRef ref="host-hostA"/>
|
|
</TDst>
|
|
<TSrv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</TSrv>
|
|
<ItfInb neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ItfInb>
|
|
<ItfOutb neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ItfOutb>
|
|
<NATRuleOptions>
|
|
<Option name="ipt_nat_persistent">True</Option>
|
|
<Option name="ipt_nat_random">True</Option>
|
|
<Option name="ipt_use_snat_instead_of_masq">False</Option>
|
|
</NATRuleOptions>
|
|
</NATRule>
|
|
<NATRule id="id219023X73327" disabled="False" group="" position="2" action="Translate" comment="">
|
|
<OSrc neg="False">
|
|
<ObjectRef ref="net-Internal_net"/>
|
|
</OSrc>
|
|
<ODst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ODst>
|
|
<OSrv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</OSrv>
|
|
<TSrc neg="False">
|
|
<ObjectRef ref="id218923X73327"/>
|
|
</TSrc>
|
|
<TDst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</TDst>
|
|
<TSrv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</TSrv>
|
|
<ItfInb neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ItfInb>
|
|
<ItfOutb neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ItfOutb>
|
|
<NATRuleOptions>
|
|
<Option name="ipt_nat_persistent">True</Option>
|
|
<Option name="ipt_nat_random">False</Option>
|
|
<Option name="ipt_use_snat_instead_of_masq">False</Option>
|
|
</NATRuleOptions>
|
|
</NATRule>
|
|
<NATRule id="id219037X73327" disabled="False" group="" position="3" action="Translate" comment="">
|
|
<OSrc neg="False">
|
|
<ObjectRef ref="net-Internal_net"/>
|
|
</OSrc>
|
|
<ODst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ODst>
|
|
<OSrv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</OSrv>
|
|
<TSrc neg="False">
|
|
<ObjectRef ref="id218923X73327"/>
|
|
</TSrc>
|
|
<TDst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</TDst>
|
|
<TSrv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</TSrv>
|
|
<ItfInb neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ItfInb>
|
|
<ItfOutb neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ItfOutb>
|
|
<NATRuleOptions>
|
|
<Option name="ipt_nat_persistent">True</Option>
|
|
<Option name="ipt_nat_random">True</Option>
|
|
<Option name="ipt_snat_random">True</Option>
|
|
<Option name="ipt_use_snat_instead_of_masq">False</Option>
|
|
</NATRuleOptions>
|
|
</NATRule>
|
|
<NATRule id="id219051X73327" disabled="False" group="" position="4" action="Translate" comment="">
|
|
<OSrc neg="False">
|
|
<ObjectRef ref="net-Internal_net"/>
|
|
</OSrc>
|
|
<ODst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ODst>
|
|
<OSrv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</OSrv>
|
|
<TSrc neg="False">
|
|
<ObjectRef ref="id218923X73327"/>
|
|
</TSrc>
|
|
<TDst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</TDst>
|
|
<TSrv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</TSrv>
|
|
<ItfInb neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ItfInb>
|
|
<ItfOutb neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ItfOutb>
|
|
<NATRuleOptions>
|
|
<Option name="ipt_nat_persistent">True</Option>
|
|
<Option name="ipt_nat_random">False</Option>
|
|
<Option name="ipt_use_snat_instead_of_masq">True</Option>
|
|
</NATRuleOptions>
|
|
</NATRule>
|
|
<NATRule id="id219065X73327" disabled="False" group="" position="5" action="Translate" comment="">
|
|
<OSrc neg="False">
|
|
<ObjectRef ref="net-Internal_net"/>
|
|
</OSrc>
|
|
<ODst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ODst>
|
|
<OSrv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</OSrv>
|
|
<TSrc neg="False">
|
|
<ObjectRef ref="id218923X73327"/>
|
|
</TSrc>
|
|
<TDst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</TDst>
|
|
<TSrv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</TSrv>
|
|
<ItfInb neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ItfInb>
|
|
<ItfOutb neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ItfOutb>
|
|
<NATRuleOptions>
|
|
<Option name="ipt_nat_persistent">True</Option>
|
|
<Option name="ipt_nat_random">True</Option>
|
|
<Option name="ipt_snat_random">True</Option>
|
|
<Option name="ipt_use_snat_instead_of_masq">True</Option>
|
|
</NATRuleOptions>
|
|
</NATRule>
|
|
<RuleSetOptions/>
|
|
</NAT>
|
|
<Policy id="id218939X73327" name="Policy" comment="" ro="False" ipv4_rule_set="False" ipv6_rule_set="False" top_rule_set="True">
|
|
<PolicyRule id="id218940X73327" disabled="False" group="" log="False" position="0" action="Accept" direction="Outbound" comment="">
|
|
<Src neg="False">
|
|
<ObjectRef ref="id218923X73327"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="id218923X73327"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions/>
|
|
</PolicyRule>
|
|
<PolicyRule id="id218952X73327" disabled="False" group="" log="False" position="1" action="Accept" direction="Both" comment="">
|
|
<Src neg="False">
|
|
<ObjectRef ref="net-Internal_net"/>
|
|
<ObjectRef ref="id218923X73327"/>
|
|
<ObjectRef ref="id218926X73327"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions/>
|
|
</PolicyRule>
|
|
<PolicyRule id="id218966X73327" disabled="False" group="" log="False" position="2" action="Accept" direction="Both" comment="">
|
|
<Src neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="id3F6D17F4"/>
|
|
<ObjectRef ref="id218923X73327"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="sg-DHCP"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions/>
|
|
</PolicyRule>
|
|
<PolicyRule id="id218979X73327" disabled="False" group="" log="True" position="3" action="Deny" direction="Both" comment="">
|
|
<Src neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="stateless">True</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<RuleSetOptions/>
|
|
</Policy>
|
|
<Routing id="id219080X73327" name="Routing" comment="" ro="False" ipv4_rule_set="False" ipv6_rule_set="False" top_rule_set="True">
|
|
<RuleSetOptions/>
|
|
</Routing>
|
|
<Interface id="id218923X73327" dedicated_failover="False" dyn="True" label="" mgmt="False" security_level="0" unnum="False" unprotected="False" name="eth0" comment="" ro="False">
|
|
<InterfaceOptions/>
|
|
</Interface>
|
|
<Interface id="id218926X73327" dedicated_failover="False" dyn="True" label="" mgmt="False" security_level="0" unnum="False" unprotected="False" name="eth1" comment="" ro="False">
|
|
<InterfaceOptions/>
|
|
</Interface>
|
|
<Interface id="id218929X73327" dedicated_failover="False" dyn="False" security_level="100" unnum="False" unprotected="False" name="lo" comment="" ro="False">
|
|
<IPv4 id="id218932X73327" name="address" comment="" ro="False" address="127.0.0.1" netmask="255.0.0.0"/>
|
|
<InterfaceOptions/>
|
|
</Interface>
|
|
<Interface id="id218934X73327" dedicated_failover="False" dyn="False" label="" mgmt="True" security_level="100" unnum="False" unprotected="False" name="eth2" comment="" ro="False">
|
|
<IPv4 id="id218937X73327" name="firewall21:eth2(ip)" comment="" ro="False" address="192.168.1.100" netmask="255.255.255.0"/>
|
|
<InterfaceOptions/>
|
|
</Interface>
|
|
<Management address="192.168.1.100">
|
|
<SNMPManagement enabled="False" snmp_read_community="public" snmp_write_community=""/>
|
|
<FWBDManagement enabled="True" identity="" port="9999"/>
|
|
<PolicyInstallScript arguments="" command="" enabled="False"/>
|
|
</Management>
|
|
<FirewallOptions>
|
|
<Option name="accept_established">True</Option>
|
|
<Option name="accept_new_tcp_with_no_syn">True</Option>
|
|
<Option name="action_on_reject">ICMP net unreachable</Option>
|
|
<Option name="bridging_fw">False</Option>
|
|
<Option name="check_shading">False</Option>
|
|
<Option name="clamp_mss_to_mtu">False</Option>
|
|
<Option name="cmdline"/>
|
|
<Option name="compiler"/>
|
|
<Option name="configure_interfaces">True</Option>
|
|
<Option name="debug">False</Option>
|
|
<Option name="dyn_addr">False</Option>
|
|
<Option name="firewall_is_part_of_any">True</Option>
|
|
<Option name="firewall_is_part_of_any_and_networks">True</Option>
|
|
<Option name="ignore_empty_groups">False</Option>
|
|
<Option name="inst_cmdline"/>
|
|
<Option name="inst_script"/>
|
|
<Option name="install_script"/>
|
|
<Option name="limit_suffix">/day</Option>
|
|
<Option name="limit_value">0</Option>
|
|
<Option name="linux24_accept_redirects"/>
|
|
<Option name="linux24_accept_source_route"/>
|
|
<Option name="linux24_icmp_echo_ignore_all"/>
|
|
<Option name="linux24_icmp_echo_ignore_broadcasts"/>
|
|
<Option name="linux24_icmp_ignore_bogus_error_responses"/>
|
|
<Option name="linux24_ip_dynaddr"/>
|
|
<Option name="linux24_ip_forward"/>
|
|
<Option name="linux24_log_martians"/>
|
|
<Option name="linux24_path_ip"/>
|
|
<Option name="linux24_path_iptables"/>
|
|
<Option name="linux24_path_logger"/>
|
|
<Option name="linux24_path_lsmod"/>
|
|
<Option name="linux24_path_modprobe"/>
|
|
<Option name="linux24_rp_filter"/>
|
|
<Option name="linux24_tcp_ecn"/>
|
|
<Option name="linux24_tcp_fack"/>
|
|
<Option name="linux24_tcp_fin_timeout">30</Option>
|
|
<Option name="linux24_tcp_keepalive_interval">1800</Option>
|
|
<Option name="linux24_tcp_sack"/>
|
|
<Option name="linux24_tcp_syncookies"/>
|
|
<Option name="linux24_tcp_timestamps"/>
|
|
<Option name="linux24_tcp_window_scaling"/>
|
|
<Option name="load_modules">False</Option>
|
|
<Option name="local_nat">False</Option>
|
|
<Option name="log_all">False</Option>
|
|
<Option name="log_all_dropped">False</Option>
|
|
<Option name="log_ip_opt">False</Option>
|
|
<Option name="log_level">debug</Option>
|
|
<Option name="log_limit_suffix">/second</Option>
|
|
<Option name="log_limit_value">0</Option>
|
|
<Option name="log_prefix">RULE %N -- %A on interface %I </Option>
|
|
<Option name="log_tcp_opt">False</Option>
|
|
<Option name="log_tcp_seq">False</Option>
|
|
<Option name="manage_virtual_addr">True</Option>
|
|
<Option name="no_iochains_for_any">False</Option>
|
|
<Option name="no_optimisation">False</Option>
|
|
<Option name="platform">iptables</Option>
|
|
<Option name="proxy_arp">False</Option>
|
|
<Option name="script_env_path"/>
|
|
<Option name="snmp_contact"/>
|
|
<Option name="snmp_description"/>
|
|
<Option name="snmp_location"/>
|
|
<Option name="ulog_cprange">0</Option>
|
|
<Option name="ulog_nlgroup">1</Option>
|
|
<Option name="ulog_qthreshold">1</Option>
|
|
<Option name="use_ULOG">False</Option>
|
|
<Option name="use_ip_tool">False</Option>
|
|
<Option name="use_numeric_log_levels">False</Option>
|
|
<Option name="verify_interfaces">False</Option>
|
|
</FirewallOptions>
|
|
</Firewall>
|
|
<Firewall id="id1312536X29313" host_OS="linux24" inactive="False" lastCompiled="0" lastInstalled="0" lastModified="1268936749" platform="iptables" version="" name="firewall-server-1-s" comment="fw is part of any is OFF; ip forwarding is OFF" ro="False">
|
|
<NAT id="id1312586X29313" name="NAT" comment="" ro="False" ipv4_rule_set="False" ipv6_rule_set="False" top_rule_set="True">
|
|
<RuleSetOptions/>
|
|
</NAT>
|
|
<Policy id="id1312555X29313" name="Policy" comment="" ro="False" ipv4_rule_set="False" ipv6_rule_set="False" top_rule_set="True">
|
|
<PolicyRule id="id1481524X29313" disabled="False" group="" log="False" position="0" action="Deny" direction="Inbound" comment="ticket #1338: &quot;assume fw is part of any&quot; is off, ip forwarding is off; this rule generates no iptables commands">
|
|
<Src neg="False">
|
|
<ObjectRef ref="id1312536X29313"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="id1312547X29313"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="connlimit_above_not">False</Option>
|
|
<Option name="connlimit_masklen">0</Option>
|
|
<Option name="connlimit_value">0</Option>
|
|
<Option name="firewall_is_part_of_any_and_networks"/>
|
|
<Option name="hashlimit_burst">0</Option>
|
|
<Option name="hashlimit_dstlimit">False</Option>
|
|
<Option name="hashlimit_expire">0</Option>
|
|
<Option name="hashlimit_gcinterval">0</Option>
|
|
<Option name="hashlimit_max">0</Option>
|
|
<Option name="hashlimit_mode_dstip">False</Option>
|
|
<Option name="hashlimit_mode_dstport">False</Option>
|
|
<Option name="hashlimit_mode_srcip">False</Option>
|
|
<Option name="hashlimit_mode_srcport">False</Option>
|
|
<Option name="hashlimit_name"/>
|
|
<Option name="hashlimit_size">0</Option>
|
|
<Option name="hashlimit_suffix"/>
|
|
<Option name="hashlimit_value">0</Option>
|
|
<Option name="limit_burst">0</Option>
|
|
<Option name="limit_suffix"/>
|
|
<Option name="limit_value">0</Option>
|
|
<Option name="limit_value_not">False</Option>
|
|
<Option name="log_level"/>
|
|
<Option name="log_prefix"/>
|
|
<Option name="stateless">True</Option>
|
|
<Option name="ulog_nlgroup">1</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<PolicyRule id="id1312557X29313" disabled="False" group="" log="False" position="1" action="Deny" direction="Inbound" comment="ticket #1338: local override of &quot;Assume fw is part of any&quot;; only INPUT chain because ip forwarding is off">
|
|
<Src neg="False">
|
|
<ObjectRef ref="id1312536X29313"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="id1312547X29313"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="connlimit_above_not">False</Option>
|
|
<Option name="connlimit_masklen">0</Option>
|
|
<Option name="connlimit_value">0</Option>
|
|
<Option name="firewall_is_part_of_any_and_networks">1</Option>
|
|
<Option name="hashlimit_burst">0</Option>
|
|
<Option name="hashlimit_dstlimit">False</Option>
|
|
<Option name="hashlimit_expire">0</Option>
|
|
<Option name="hashlimit_gcinterval">0</Option>
|
|
<Option name="hashlimit_max">0</Option>
|
|
<Option name="hashlimit_mode_dstip">False</Option>
|
|
<Option name="hashlimit_mode_dstport">False</Option>
|
|
<Option name="hashlimit_mode_srcip">False</Option>
|
|
<Option name="hashlimit_mode_srcport">False</Option>
|
|
<Option name="hashlimit_name"/>
|
|
<Option name="hashlimit_size">0</Option>
|
|
<Option name="hashlimit_suffix"/>
|
|
<Option name="hashlimit_value">0</Option>
|
|
<Option name="limit_burst">0</Option>
|
|
<Option name="limit_suffix"/>
|
|
<Option name="limit_value">0</Option>
|
|
<Option name="limit_value_not">False</Option>
|
|
<Option name="log_level"/>
|
|
<Option name="log_prefix"/>
|
|
<Option name="stateless">True</Option>
|
|
<Option name="ulog_nlgroup">1</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<PolicyRule id="id2293081X29313" disabled="False" group="" log="False" position="2" action="Deny" direction="Inbound" comment="ticket #1338: &quot;assume fw is part of any&quot; is off, ip forwarding is off">
|
|
<Src neg="False">
|
|
<ObjectRef ref="id1312536X29313"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="id1312536X29313"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="id1312547X29313"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="connlimit_above_not">False</Option>
|
|
<Option name="connlimit_masklen">0</Option>
|
|
<Option name="connlimit_value">0</Option>
|
|
<Option name="firewall_is_part_of_any_and_networks"/>
|
|
<Option name="hashlimit_burst">0</Option>
|
|
<Option name="hashlimit_dstlimit">False</Option>
|
|
<Option name="hashlimit_expire">0</Option>
|
|
<Option name="hashlimit_gcinterval">0</Option>
|
|
<Option name="hashlimit_max">0</Option>
|
|
<Option name="hashlimit_mode_dstip">False</Option>
|
|
<Option name="hashlimit_mode_dstport">False</Option>
|
|
<Option name="hashlimit_mode_srcip">False</Option>
|
|
<Option name="hashlimit_mode_srcport">False</Option>
|
|
<Option name="hashlimit_name"/>
|
|
<Option name="hashlimit_size">0</Option>
|
|
<Option name="hashlimit_suffix"/>
|
|
<Option name="hashlimit_value">0</Option>
|
|
<Option name="limit_burst">0</Option>
|
|
<Option name="limit_suffix"/>
|
|
<Option name="limit_value">0</Option>
|
|
<Option name="limit_value_not">False</Option>
|
|
<Option name="log_level"/>
|
|
<Option name="log_prefix"/>
|
|
<Option name="stateless">True</Option>
|
|
<Option name="ulog_nlgroup">1</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<PolicyRule id="id2462216X29313" disabled="False" group="" log="False" position="3" action="Deny" direction="Inbound" comment="ticket #1338: &quot;assume fw is part of any&quot; is off, ip forwarding is off">
|
|
<Src neg="False">
|
|
<ObjectRef ref="id1312536X29313"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="id1312547X29313"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="id1312547X29313"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="connlimit_above_not">False</Option>
|
|
<Option name="connlimit_masklen">0</Option>
|
|
<Option name="connlimit_value">0</Option>
|
|
<Option name="firewall_is_part_of_any_and_networks"/>
|
|
<Option name="hashlimit_burst">0</Option>
|
|
<Option name="hashlimit_dstlimit">False</Option>
|
|
<Option name="hashlimit_expire">0</Option>
|
|
<Option name="hashlimit_gcinterval">0</Option>
|
|
<Option name="hashlimit_max">0</Option>
|
|
<Option name="hashlimit_mode_dstip">False</Option>
|
|
<Option name="hashlimit_mode_dstport">False</Option>
|
|
<Option name="hashlimit_mode_srcip">False</Option>
|
|
<Option name="hashlimit_mode_srcport">False</Option>
|
|
<Option name="hashlimit_name"/>
|
|
<Option name="hashlimit_size">0</Option>
|
|
<Option name="hashlimit_suffix"/>
|
|
<Option name="hashlimit_value">0</Option>
|
|
<Option name="limit_burst">0</Option>
|
|
<Option name="limit_suffix"/>
|
|
<Option name="limit_value">0</Option>
|
|
<Option name="limit_value_not">False</Option>
|
|
<Option name="log_level"/>
|
|
<Option name="log_prefix"/>
|
|
<Option name="stateless">True</Option>
|
|
<Option name="ulog_nlgroup">1</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<RuleSetOptions/>
|
|
</Policy>
|
|
<Routing id="id1312589X29313" name="Routing" comment="" ro="False" ipv4_rule_set="False" ipv6_rule_set="False" top_rule_set="True">
|
|
<RuleSetOptions/>
|
|
</Routing>
|
|
<Interface id="id1312544X29313" dedicated_failover="False" dyn="False" label="" security_level="0" unnum="False" unprotected="False" name="lo" comment="" ro="False">
|
|
<IPv4 id="id1312545X29313" name="firewall-server-1-s:lo:ip" comment="" ro="False" address="127.0.0.1" netmask="255.0.0.0"/>
|
|
<InterfaceOptions/>
|
|
</Interface>
|
|
<Interface id="id1312547X29313" dedicated_failover="False" dyn="False" label="" security_level="100" unnum="False" unprotected="False" name="eth0" comment="" ro="False">
|
|
<IPv4 id="id1312548X29313" name="firewall-server-1-s:eth0:ip" comment="" ro="False" address="192.168.1.1" netmask="255.255.255.0"/>
|
|
<InterfaceOptions/>
|
|
</Interface>
|
|
<Management address="0.0.0.0">
|
|
<SNMPManagement enabled="False" snmp_read_community="" snmp_write_community=""/>
|
|
<FWBDManagement enabled="False" identity="" port="-1"/>
|
|
<PolicyInstallScript arguments="" command="" enabled="False"/>
|
|
</Management>
|
|
<FirewallOptions>
|
|
<Option name="accept_established">True</Option>
|
|
<Option name="accept_new_tcp_with_no_syn">True</Option>
|
|
<Option name="action_on_reject"/>
|
|
<Option name="activationCmd"/>
|
|
<Option name="add_mgmt_ssh_rule_when_stoped">False</Option>
|
|
<Option name="add_rules_for_ipv6_neighbor_discovery">False</Option>
|
|
<Option name="admUser"/>
|
|
<Option name="altAddress"/>
|
|
<Option name="bridging_fw">False</Option>
|
|
<Option name="check_shading">True</Option>
|
|
<Option name="clamp_mss_to_mtu">False</Option>
|
|
<Option name="classify_mark_terminating">False</Option>
|
|
<Option name="clear_unknown_interfaces">False</Option>
|
|
<Option name="cmdline"/>
|
|
<Option name="compiler"/>
|
|
<Option name="configure_bonding_interfaces">False</Option>
|
|
<Option name="configure_bridge_interfaces">False</Option>
|
|
<Option name="configure_interfaces">True</Option>
|
|
<Option name="configure_vlan_interfaces">False</Option>
|
|
<Option name="debug">False</Option>
|
|
<Option name="drop_invalid">False</Option>
|
|
<Option name="epilog_script"/>
|
|
<Option name="firewall_dir"/>
|
|
<Option name="firewall_is_part_of_any_and_networks">False</Option>
|
|
<Option name="flush_and_set_default_policy">True</Option>
|
|
<Option name="ignore_empty_groups">False</Option>
|
|
<Option name="ipv4_6_order">ipv4_first</Option>
|
|
<Option name="limit_suffix"/>
|
|
<Option name="limit_value">0</Option>
|
|
<Option name="linux24_accept_redirects"/>
|
|
<Option name="linux24_accept_source_route"/>
|
|
<Option name="linux24_conntrack_hashsize">0</Option>
|
|
<Option name="linux24_conntrack_max">0</Option>
|
|
<Option name="linux24_conntrack_tcp_be_liberal"/>
|
|
<Option name="linux24_icmp_echo_ignore_all"/>
|
|
<Option name="linux24_icmp_echo_ignore_broadcasts"/>
|
|
<Option name="linux24_icmp_ignore_bogus_error_responses"/>
|
|
<Option name="linux24_ip_dynaddr"/>
|
|
<Option name="linux24_ip_forward">0</Option>
|
|
<Option name="linux24_ipv6_forward"/>
|
|
<Option name="linux24_log_martians"/>
|
|
<Option name="linux24_path_brctl"/>
|
|
<Option name="linux24_path_ifenslave"/>
|
|
<Option name="linux24_path_ip"/>
|
|
<Option name="linux24_path_ip6tables"/>
|
|
<Option name="linux24_path_ip6tables_restore"/>
|
|
<Option name="linux24_path_iptables"/>
|
|
<Option name="linux24_path_iptables_restore"/>
|
|
<Option name="linux24_path_logger"/>
|
|
<Option name="linux24_path_lsmod"/>
|
|
<Option name="linux24_path_modprobe"/>
|
|
<Option name="linux24_path_vconfig"/>
|
|
<Option name="linux24_rp_filter"/>
|
|
<Option name="linux24_tcp_ecn"/>
|
|
<Option name="linux24_tcp_fack"/>
|
|
<Option name="linux24_tcp_fin_timeout">0</Option>
|
|
<Option name="linux24_tcp_keepalive_interval">0</Option>
|
|
<Option name="linux24_tcp_sack"/>
|
|
<Option name="linux24_tcp_syncookies"/>
|
|
<Option name="linux24_tcp_timestamps"/>
|
|
<Option name="linux24_tcp_window_scaling"/>
|
|
<Option name="load_modules">True</Option>
|
|
<Option name="local_nat">False</Option>
|
|
<Option name="log_all">False</Option>
|
|
<Option name="log_invalid">False</Option>
|
|
<Option name="log_ip_opt">False</Option>
|
|
<Option name="log_level">info</Option>
|
|
<Option name="log_prefix">RULE %N -- %A </Option>
|
|
<Option name="log_tcp_opt">False</Option>
|
|
<Option name="log_tcp_seq">False</Option>
|
|
<Option name="loopback_interface">lo</Option>
|
|
<Option name="manage_virtual_addr">True</Option>
|
|
<Option name="mgmt_addr"/>
|
|
<Option name="mgmt_ssh">False</Option>
|
|
<Option name="modules_dir">/lib/modules/`uname -r`/kernel/net/</Option>
|
|
<Option name="output_file"/>
|
|
<Option name="prolog_place">top</Option>
|
|
<Option name="prolog_script"/>
|
|
<Option name="scpArgs"/>
|
|
<Option name="script_name_on_firewall"/>
|
|
<Option name="sshArgs"/>
|
|
<Option name="ulog_cprange">0</Option>
|
|
<Option name="ulog_nlgroup">1</Option>
|
|
<Option name="ulog_qthreshold">1</Option>
|
|
<Option name="use_ULOG">False</Option>
|
|
<Option name="use_iptables_restore">False</Option>
|
|
<Option name="use_numeric_log_levels">False</Option>
|
|
<Option name="verify_interfaces">True</Option>
|
|
</FirewallOptions>
|
|
</Firewall>
|
|
<Firewall id="id55125X40565" host_OS="linux24" inactive="False" lastCompiled="1271533331" lastInstalled="0" lastModified="1271785316" platform="iptables" version="1.3.0" name="fw-A" comment="" ro="False">
|
|
<NAT id="id55177X40565" name="NAT" comment="" ro="False" ipv4_rule_set="False" ipv6_rule_set="False" top_rule_set="True">
|
|
<RuleSetOptions/>
|
|
</NAT>
|
|
<Policy id="id55174X40565" name="Policy" comment="" ro="False" ipv4_rule_set="False" ipv6_rule_set="False" top_rule_set="True">
|
|
<RuleSetOptions/>
|
|
</Policy>
|
|
<Routing id="id55180X40565" name="Routing" comment="" ro="False" ipv4_rule_set="False" ipv6_rule_set="False" top_rule_set="True">
|
|
<RoutingRule id="id55182X40565" disabled="False" group="" metric="0" position="0" comment="">
|
|
<RDst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</RDst>
|
|
<RGtw neg="False">
|
|
<ObjectRef ref="id55195X40565"/>
|
|
</RGtw>
|
|
<RItf neg="False">
|
|
<ObjectRef ref="id55153X40565"/>
|
|
</RItf>
|
|
<RoutingRuleOptions/>
|
|
</RoutingRule>
|
|
<RoutingRule id="id55201X40565" disabled="False" group="" metric="0" position="1" comment="for 1410: gateway matches subnet of a vlan interface">
|
|
<RDst neg="False">
|
|
<ObjectRef ref="id55211X40565"/>
|
|
</RDst>
|
|
<RGtw neg="False">
|
|
<ObjectRef ref="id55215X40565"/>
|
|
</RGtw>
|
|
<RItf neg="False">
|
|
<ObjectRef ref="id55142X40565"/>
|
|
</RItf>
|
|
<RoutingRuleOptions/>
|
|
</RoutingRule>
|
|
<RoutingRule id="id55221X40565" disabled="False" group="" metric="0" position="2" comment="for 1410: gateway matches subnet of a vlan interface">
|
|
<RDst neg="False">
|
|
<ObjectRef ref="id55231X40565"/>
|
|
</RDst>
|
|
<RGtw neg="False">
|
|
<ObjectRef ref="id55235X40565"/>
|
|
</RGtw>
|
|
<RItf neg="False">
|
|
<ObjectRef ref="id55139X40565"/>
|
|
</RItf>
|
|
<RoutingRuleOptions/>
|
|
</RoutingRule>
|
|
<RoutingRule id="id55241X40565" disabled="False" group="" metric="0" position="3" comment="">
|
|
<RDst neg="False">
|
|
<ObjectRef ref="id55251X40565"/>
|
|
</RDst>
|
|
<RGtw neg="False">
|
|
<ObjectRef ref="id55255X40565"/>
|
|
</RGtw>
|
|
<RItf neg="False">
|
|
<ObjectRef ref="id55156X40565"/>
|
|
</RItf>
|
|
<RoutingRuleOptions/>
|
|
</RoutingRule>
|
|
<RoutingRule id="id55261X40565" disabled="False" group="" metric="0" position="4" comment="for 1410: gateway matches subnet of a vlan interface">
|
|
<RDst neg="False">
|
|
<ObjectRef ref="id55271X40565"/>
|
|
</RDst>
|
|
<RGtw neg="False">
|
|
<ObjectRef ref="id55275X40565"/>
|
|
</RGtw>
|
|
<RItf neg="False">
|
|
<ObjectRef ref="id55147X40565"/>
|
|
</RItf>
|
|
<RoutingRuleOptions/>
|
|
</RoutingRule>
|
|
<RoutingRule id="id55281X40565" disabled="False" group="" metric="0" position="5" comment="for 1410: gateway matches subnet of a vlan interface">
|
|
<RDst neg="False">
|
|
<ObjectRef ref="id55291X40565"/>
|
|
</RDst>
|
|
<RGtw neg="False">
|
|
<ObjectRef ref="id55295X40565"/>
|
|
</RGtw>
|
|
<RItf neg="False">
|
|
<ObjectRef ref="id55150X40565"/>
|
|
</RItf>
|
|
<RoutingRuleOptions/>
|
|
</RoutingRule>
|
|
<RuleSetOptions/>
|
|
</Routing>
|
|
<Interface id="id55133X40565" dedicated_failover="False" dyn="False" label="bond0" mgmt="False" security_level="0" unnum="True" unprotected="False" name="bond0" comment="" ro="False">
|
|
<InterfaceOptions>
|
|
<Option name="bonding_policy">802.3ad</Option>
|
|
<Option name="bondng_driver_options">miimon=100</Option>
|
|
<Option name="enable_stp">False</Option>
|
|
<Option name="type">bonding</Option>
|
|
<Option name="vlan_id">0</Option>
|
|
<Option name="xmit_hash_policy">layer2</Option>
|
|
</InterfaceOptions>
|
|
<Interface id="id55135X40565" dedicated_failover="False" dyn="False" label="eth0" mgmt="False" security_level="0" unnum="True" unprotected="False" name="eth0" comment="" ro="False">
|
|
<InterfaceOptions>
|
|
<Option name="bonding_policy"/>
|
|
<Option name="bondng_driver_options"/>
|
|
<Option name="enable_stp">False</Option>
|
|
<Option name="type">ethernet</Option>
|
|
<Option name="vlan_id">0</Option>
|
|
<Option name="xmit_hash_policy"/>
|
|
</InterfaceOptions>
|
|
</Interface>
|
|
<Interface id="id55137X40565" dedicated_failover="False" dyn="False" label="eth1" mgmt="False" security_level="0" unnum="True" unprotected="False" name="eth1" comment="" ro="False">
|
|
<InterfaceOptions>
|
|
<Option name="type">ethernet</Option>
|
|
</InterfaceOptions>
|
|
</Interface>
|
|
<Interface id="id55139X40565" dedicated_failover="False" dyn="False" label="bond0.2 - LAN usr" mgmt="False" security_level="0" unnum="False" unprotected="False" name="bond0.2" comment="" ro="False">
|
|
<IPv4 id="id55140X40565" name="fw-A:bond0:bond0.2:ip" comment="" ro="False" address="192.168.2.11" netmask="255.255.255.0"/>
|
|
<InterfaceOptions>
|
|
<Option name="bonding_policy"/>
|
|
<Option name="bondng_driver_options"/>
|
|
<Option name="enable_stp">False</Option>
|
|
<Option name="type">8021q</Option>
|
|
<Option name="vlan_id">2</Option>
|
|
<Option name="xmit_hash_policy"/>
|
|
</InterfaceOptions>
|
|
</Interface>
|
|
<Interface id="id55142X40565" dedicated_failover="False" dyn="False" label="bond0.1 - LAN des" mgmt="True" security_level="0" unnum="False" unprotected="False" name="bond0.1" comment="" ro="False">
|
|
<IPv4 id="id55143X40565" name="fw-A:bond0:bond0.1:ip" comment="" ro="False" address="192.168.1.11" netmask="255.255.255.0"/>
|
|
<InterfaceOptions>
|
|
<Option name="bonding_policy"/>
|
|
<Option name="bondng_driver_options"/>
|
|
<Option name="enable_stp">False</Option>
|
|
<Option name="type">8021q</Option>
|
|
<Option name="vlan_id">1</Option>
|
|
<Option name="xmit_hash_policy"/>
|
|
</InterfaceOptions>
|
|
</Interface>
|
|
</Interface>
|
|
<Interface id="id55145X40565" dedicated_failover="False" dyn="False" label="eth2" mgmt="False" security_level="0" unnum="True" unprotected="False" name="eth2" comment="" ro="False">
|
|
<InterfaceOptions>
|
|
<Option name="type">ethernet</Option>
|
|
</InterfaceOptions>
|
|
<Interface id="id55147X40565" dedicated_failover="False" dyn="False" label="eth2.201 - DMZ201" mgmt="False" security_level="0" unnum="False" unprotected="False" name="eth2.201" comment="" ro="False">
|
|
<IPv4 id="id55148X40565" name="fw-A:eth2:eth2.201:ip" comment="" ro="False" address="192.168.201.11" netmask="255.255.255.0"/>
|
|
<InterfaceOptions>
|
|
<Option name="type">8021q</Option>
|
|
<Option name="vlan_id">201</Option>
|
|
</InterfaceOptions>
|
|
</Interface>
|
|
<Interface id="id55150X40565" dedicated_failover="False" dyn="False" label="eth2.202 - DMZ 202" mgmt="False" security_level="0" unnum="False" unprotected="False" name="eth2.202" comment="" ro="False">
|
|
<IPv4 id="id55151X40565" name="fw-A:eth2:eth2.202:ip" comment="" ro="False" address="192.168.202.11" netmask="255.255.255.0"/>
|
|
<InterfaceOptions>
|
|
<Option name="type">8021q</Option>
|
|
<Option name="vlan_id">202</Option>
|
|
</InterfaceOptions>
|
|
</Interface>
|
|
</Interface>
|
|
<Interface id="id55153X40565" dedicated_failover="False" dyn="False" label="eth3 - Internet" mgmt="False" security_level="0" unnum="False" unprotected="False" name="eth3" comment="" ro="False">
|
|
<IPv4 id="id55154X40565" name="fw-A:eth3:ip" comment="" ro="False" address="192.0.2.11" netmask="255.255.255.0"/>
|
|
<InterfaceOptions>
|
|
<Option name="type">ethernet</Option>
|
|
</InterfaceOptions>
|
|
</Interface>
|
|
<Interface id="id55156X40565" dedicated_failover="False" dyn="False" label="bond1 - CAD" mgmt="False" security_level="0" unnum="False" unprotected="False" name="bond1" comment="" ro="False">
|
|
<IPv4 id="id55157X40565" name="fw-A:bond1:ip" comment="" ro="False" address="192.168.11.11" netmask="255.255.255.0"/>
|
|
<InterfaceOptions>
|
|
<Option name="bonding_policy">802.3ad</Option>
|
|
<Option name="bondng_driver_options">miimon=100</Option>
|
|
<Option name="enable_stp">False</Option>
|
|
<Option name="type">bonding</Option>
|
|
<Option name="vlan_id">0</Option>
|
|
<Option name="xmit_hash_policy">layer2</Option>
|
|
</InterfaceOptions>
|
|
<Interface id="id55159X40565" dedicated_failover="False" dyn="False" label="eth4" mgmt="False" security_level="0" unnum="True" unprotected="False" name="eth4" comment="" ro="False">
|
|
<InterfaceOptions>
|
|
<Option name="type">ethernet</Option>
|
|
</InterfaceOptions>
|
|
</Interface>
|
|
<Interface id="id55161X40565" dedicated_failover="False" dyn="False" security_level="0" unnum="True" unprotected="False" name="eth5" comment="" ro="False">
|
|
<InterfaceOptions>
|
|
<Option name="type">ethernet</Option>
|
|
</InterfaceOptions>
|
|
</Interface>
|
|
</Interface>
|
|
<Interface id="id55163X40565" dedicated_failover="False" dyn="False" label="lo" mgmt="False" security_level="0" unnum="False" unprotected="False" name="lo" comment="" ro="False">
|
|
<IPv4 id="id55164X40565" name="fw-A:lo:ip" comment="" ro="False" address="127.0.0.1" netmask="255.0.0.0"/>
|
|
<InterfaceOptions>
|
|
<Option name="type">ethernet</Option>
|
|
</InterfaceOptions>
|
|
</Interface>
|
|
<Interface id="id55166X40565" dedicated_failover="False" dyn="False" label="eth6 - sync" mgmt="False" security_level="0" unnum="False" unprotected="False" name="eth6" comment="" ro="False">
|
|
<IPv4 id="id55167X40565" name="fw-A:eth6:ip" comment="" ro="False" address="192.168.6.11" netmask="255.255.255.0"/>
|
|
<InterfaceOptions>
|
|
<Option name="type">ethernet</Option>
|
|
</InterfaceOptions>
|
|
</Interface>
|
|
<Management address="192.168.1.11">
|
|
<SNMPManagement enabled="False" snmp_read_community="" snmp_write_community=""/>
|
|
<FWBDManagement enabled="False" identity="" port="-1"/>
|
|
<PolicyInstallScript arguments="" command="" enabled="False"/>
|
|
</Management>
|
|
<FirewallOptions>
|
|
<Option name="accept_established">True</Option>
|
|
<Option name="accept_new_tcp_with_no_syn">True</Option>
|
|
<Option name="action_on_reject"/>
|
|
<Option name="activationCmd"/>
|
|
<Option name="add_mgmt_ssh_rule_when_stoped">True</Option>
|
|
<Option name="add_rules_for_ipv6_neighbor_discovery">False</Option>
|
|
<Option name="admUser"/>
|
|
<Option name="altAddress"/>
|
|
<Option name="bridging_fw">False</Option>
|
|
<Option name="check_shading">True</Option>
|
|
<Option name="clamp_mss_to_mtu">False</Option>
|
|
<Option name="classify_mark_terminating">False</Option>
|
|
<Option name="clear_unknown_interfaces">True</Option>
|
|
<Option name="cmdline"/>
|
|
<Option name="compiler"/>
|
|
<Option name="configure_bonding_interfaces">True</Option>
|
|
<Option name="configure_bridge_interfaces">False</Option>
|
|
<Option name="configure_interfaces">True</Option>
|
|
<Option name="configure_vlan_interfaces">True</Option>
|
|
<Option name="debug">False</Option>
|
|
<Option name="drop_invalid">True</Option>
|
|
<Option name="epilog_script"/>
|
|
<Option name="firewall_dir">/sw/FWbuilder</Option>
|
|
<Option name="firewall_is_part_of_any_and_networks">False</Option>
|
|
<Option name="flush_and_set_default_policy">True</Option>
|
|
<Option name="ignore_empty_groups">False</Option>
|
|
<Option name="ipv4_6_order">ipv4_first</Option>
|
|
<Option name="limit_suffix"/>
|
|
<Option name="limit_value">0</Option>
|
|
<Option name="linux24_accept_redirects">0</Option>
|
|
<Option name="linux24_accept_source_route">0</Option>
|
|
<Option name="linux24_conntrack_hashsize">250000</Option>
|
|
<Option name="linux24_conntrack_max">250000</Option>
|
|
<Option name="linux24_conntrack_tcp_be_liberal">1</Option>
|
|
<Option name="linux24_icmp_echo_ignore_all">0</Option>
|
|
<Option name="linux24_icmp_echo_ignore_broadcasts">1</Option>
|
|
<Option name="linux24_icmp_ignore_bogus_error_responses">0</Option>
|
|
<Option name="linux24_ip_dynaddr">1</Option>
|
|
<Option name="linux24_ip_forward">1</Option>
|
|
<Option name="linux24_ipv6_forward"/>
|
|
<Option name="linux24_log_martians">1</Option>
|
|
<Option name="linux24_path_brctl"/>
|
|
<Option name="linux24_path_ifenslave"/>
|
|
<Option name="linux24_path_ip"/>
|
|
<Option name="linux24_path_ip6tables"/>
|
|
<Option name="linux24_path_ip6tables_restore"/>
|
|
<Option name="linux24_path_iptables"/>
|
|
<Option name="linux24_path_iptables_restore"/>
|
|
<Option name="linux24_path_logger"/>
|
|
<Option name="linux24_path_lsmod"/>
|
|
<Option name="linux24_path_modprobe"/>
|
|
<Option name="linux24_path_vconfig"/>
|
|
<Option name="linux24_rp_filter">1</Option>
|
|
<Option name="linux24_tcp_ecn"/>
|
|
<Option name="linux24_tcp_fack"/>
|
|
<Option name="linux24_tcp_fin_timeout">0</Option>
|
|
<Option name="linux24_tcp_keepalive_interval">0</Option>
|
|
<Option name="linux24_tcp_sack"/>
|
|
<Option name="linux24_tcp_syncookies">1</Option>
|
|
<Option name="linux24_tcp_timestamps"/>
|
|
<Option name="linux24_tcp_window_scaling"/>
|
|
<Option name="load_modules">True</Option>
|
|
<Option name="local_nat">False</Option>
|
|
<Option name="log_all">False</Option>
|
|
<Option name="log_invalid">True</Option>
|
|
<Option name="log_ip_opt">True</Option>
|
|
<Option name="log_level">info</Option>
|
|
<Option name="log_prefix">RULE %N -- %A </Option>
|
|
<Option name="log_tcp_opt">True</Option>
|
|
<Option name="log_tcp_seq">True</Option>
|
|
<Option name="loopback_interface">lo</Option>
|
|
<Option name="manage_virtual_addr">True</Option>
|
|
<Option name="mgmt_addr">192.168.1.100</Option>
|
|
<Option name="mgmt_ssh">False</Option>
|
|
<Option name="modules_dir">/lib/modules/`uname -r`/kernel/net/</Option>
|
|
<Option name="output_file"/>
|
|
<Option name="prolog_place">top</Option>
|
|
<Option name="prolog_script"/>
|
|
<Option name="scpArgs"/>
|
|
<Option name="script_name_on_firewall"/>
|
|
<Option name="sshArgs"/>
|
|
<Option name="ulog_cprange">0</Option>
|
|
<Option name="ulog_nlgroup">1</Option>
|
|
<Option name="ulog_qthreshold">1</Option>
|
|
<Option name="use_ULOG">False</Option>
|
|
<Option name="use_iptables_restore">False</Option>
|
|
<Option name="use_numeric_log_levels">True</Option>
|
|
<Option name="verify_interfaces">True</Option>
|
|
</FirewallOptions>
|
|
</Firewall>
|
|
<Firewall id="id54445X20318" host_OS="linux24" inactive="False" lastCompiled="1272404602" lastInstalled="0" lastModified="1272387229" platform="iptables" version="" name="test-shadowing-3" comment="testing shadowing detection; compiler runs with -xt flag; tests shadowing when rules have non-default options" ro="False">
|
|
<NAT id="id54554X20318" name="NAT" comment="" ro="False" ipv4_rule_set="False" ipv6_rule_set="False" top_rule_set="True">
|
|
<RuleSetOptions/>
|
|
</NAT>
|
|
<Policy id="id54468X20318" name="Policy" comment="" ro="False" ipv4_rule_set="False" ipv6_rule_set="False" top_rule_set="True">
|
|
<PolicyRule id="id54469X20318" disabled="False" group="" log="False" position="0" action="Accept" direction="Outbound" comment="limit ">
|
|
<Src neg="False">
|
|
<ObjectRef ref="net-Internal_net"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="id54453X20318"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="connlimit_above_not">False</Option>
|
|
<Option name="connlimit_masklen">0</Option>
|
|
<Option name="connlimit_value">0</Option>
|
|
<Option name="firewall_is_part_of_any_and_networks"/>
|
|
<Option name="hashlimit_burst">0</Option>
|
|
<Option name="hashlimit_dstlimit">False</Option>
|
|
<Option name="hashlimit_expire">0</Option>
|
|
<Option name="hashlimit_gcinterval">0</Option>
|
|
<Option name="hashlimit_max">0</Option>
|
|
<Option name="hashlimit_mode_dstip">False</Option>
|
|
<Option name="hashlimit_mode_dstport">False</Option>
|
|
<Option name="hashlimit_mode_srcip">False</Option>
|
|
<Option name="hashlimit_mode_srcport">False</Option>
|
|
<Option name="hashlimit_name"/>
|
|
<Option name="hashlimit_size">0</Option>
|
|
<Option name="hashlimit_suffix"/>
|
|
<Option name="hashlimit_value">0</Option>
|
|
<Option name="limit_burst">0</Option>
|
|
<Option name="limit_suffix">/second</Option>
|
|
<Option name="limit_value">10</Option>
|
|
<Option name="limit_value_not">False</Option>
|
|
<Option name="log_level"/>
|
|
<Option name="log_prefix"/>
|
|
<Option name="stateless">False</Option>
|
|
<Option name="ulog_nlgroup">1</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<PolicyRule id="id54481X20318" disabled="False" group="" log="False" position="1" action="Deny" direction="Outbound" comment="">
|
|
<Src neg="False">
|
|
<ObjectRef ref="net-Internal_net"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="id54453X20318"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="stateless">True</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<RuleSetOptions/>
|
|
</Policy>
|
|
<Policy id="id55734X20318" name="Policy_1" comment="" ro="False" ipv4_rule_set="False" ipv6_rule_set="False" top_rule_set="False">
|
|
<PolicyRule id="id55855X20318" disabled="False" group="" log="False" position="0" action="Accept" direction="Outbound" comment="connlimit">
|
|
<Src neg="False">
|
|
<ObjectRef ref="net-Internal_net"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="id54453X20318"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="connlimit_above_not">False</Option>
|
|
<Option name="connlimit_masklen">0</Option>
|
|
<Option name="connlimit_value">10</Option>
|
|
<Option name="firewall_is_part_of_any_and_networks"/>
|
|
<Option name="hashlimit_burst">0</Option>
|
|
<Option name="hashlimit_dstlimit">False</Option>
|
|
<Option name="hashlimit_expire">0</Option>
|
|
<Option name="hashlimit_gcinterval">0</Option>
|
|
<Option name="hashlimit_max">0</Option>
|
|
<Option name="hashlimit_mode_dstip">False</Option>
|
|
<Option name="hashlimit_mode_dstport">False</Option>
|
|
<Option name="hashlimit_mode_srcip">False</Option>
|
|
<Option name="hashlimit_mode_srcport">False</Option>
|
|
<Option name="hashlimit_name"/>
|
|
<Option name="hashlimit_size">0</Option>
|
|
<Option name="hashlimit_suffix"/>
|
|
<Option name="hashlimit_value">0</Option>
|
|
<Option name="limit_burst">0</Option>
|
|
<Option name="limit_suffix"/>
|
|
<Option name="limit_value">0</Option>
|
|
<Option name="limit_value_not">False</Option>
|
|
<Option name="log_level"/>
|
|
<Option name="log_prefix"/>
|
|
<Option name="stateless">False</Option>
|
|
<Option name="ulog_nlgroup">1</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<PolicyRule id="id55809X20318" disabled="False" group="" log="False" position="1" action="Deny" direction="Outbound" comment="">
|
|
<Src neg="False">
|
|
<ObjectRef ref="net-Internal_net"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="id54453X20318"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="stateless">True</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<RuleSetOptions/>
|
|
</Policy>
|
|
<Policy id="id55760X20318" name="Policy_2" comment="" ro="False" ipv4_rule_set="False" ipv6_rule_set="False" top_rule_set="False">
|
|
<PolicyRule id="id55947X20318" disabled="False" group="" log="False" position="0" action="Accept" direction="Outbound" comment="hashlimit">
|
|
<Src neg="False">
|
|
<ObjectRef ref="net-Internal_net"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="id54453X20318"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="connlimit_above_not">False</Option>
|
|
<Option name="connlimit_masklen">0</Option>
|
|
<Option name="connlimit_value">0</Option>
|
|
<Option name="firewall_is_part_of_any_and_networks"/>
|
|
<Option name="hashlimit_burst">0</Option>
|
|
<Option name="hashlimit_dstlimit">False</Option>
|
|
<Option name="hashlimit_expire">0</Option>
|
|
<Option name="hashlimit_gcinterval">0</Option>
|
|
<Option name="hashlimit_max">0</Option>
|
|
<Option name="hashlimit_mode_dstip">False</Option>
|
|
<Option name="hashlimit_mode_dstport">False</Option>
|
|
<Option name="hashlimit_mode_srcip">False</Option>
|
|
<Option name="hashlimit_mode_srcport">False</Option>
|
|
<Option name="hashlimit_name">test</Option>
|
|
<Option name="hashlimit_size">0</Option>
|
|
<Option name="hashlimit_suffix">/second</Option>
|
|
<Option name="hashlimit_value">10</Option>
|
|
<Option name="limit_burst">0</Option>
|
|
<Option name="limit_suffix"/>
|
|
<Option name="limit_value">0</Option>
|
|
<Option name="limit_value_not">False</Option>
|
|
<Option name="log_level"/>
|
|
<Option name="log_prefix"/>
|
|
<Option name="stateless">False</Option>
|
|
<Option name="ulog_nlgroup">1</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<PolicyRule id="id55901X20318" disabled="False" group="" log="False" position="1" action="Deny" direction="Outbound" comment="">
|
|
<Src neg="False">
|
|
<ObjectRef ref="net-Internal_net"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="id54453X20318"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="stateless">True</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<RuleSetOptions/>
|
|
</Policy>
|
|
<Policy id="id54621X87331" name="Policy_3" comment="" ro="False" ipv4_rule_set="False" ipv6_rule_set="False" top_rule_set="False">
|
|
<PolicyRule id="id54854X87331" disabled="False" group="" log="False" position="0" action="Accept" direction="Outbound" comment="50/sec">
|
|
<Src neg="False">
|
|
<ObjectRef ref="net-Internal_net"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="id54453X20318"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="color">#C86E6E</Option>
|
|
<Option name="connlimit_above_not">False</Option>
|
|
<Option name="connlimit_masklen">0</Option>
|
|
<Option name="connlimit_value">0</Option>
|
|
<Option name="firewall_is_part_of_any_and_networks"/>
|
|
<Option name="hashlimit_burst">0</Option>
|
|
<Option name="hashlimit_dstlimit">False</Option>
|
|
<Option name="hashlimit_expire">0</Option>
|
|
<Option name="hashlimit_gcinterval">0</Option>
|
|
<Option name="hashlimit_max">0</Option>
|
|
<Option name="hashlimit_mode_dstip">False</Option>
|
|
<Option name="hashlimit_mode_dstport">False</Option>
|
|
<Option name="hashlimit_mode_srcip">True</Option>
|
|
<Option name="hashlimit_mode_srcport">False</Option>
|
|
<Option name="hashlimit_name">test</Option>
|
|
<Option name="hashlimit_size">0</Option>
|
|
<Option name="hashlimit_suffix">/second</Option>
|
|
<Option name="hashlimit_value">50</Option>
|
|
<Option name="limit_burst">0</Option>
|
|
<Option name="limit_suffix"/>
|
|
<Option name="limit_value">0</Option>
|
|
<Option name="limit_value_not">False</Option>
|
|
<Option name="log_level"/>
|
|
<Option name="log_prefix"/>
|
|
<Option name="stateless">False</Option>
|
|
<Option name="ulog_nlgroup">1</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<PolicyRule id="id54900X87331" disabled="False" group="" log="False" position="1" action="Accept" direction="Outbound" comment="50/sec">
|
|
<Src neg="False">
|
|
<ObjectRef ref="net-Internal_net"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="id54453X20318"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="color">#C86E6E</Option>
|
|
<Option name="connlimit_above_not">False</Option>
|
|
<Option name="connlimit_masklen">0</Option>
|
|
<Option name="connlimit_value">0</Option>
|
|
<Option name="firewall_is_part_of_any_and_networks"/>
|
|
<Option name="hashlimit_burst">0</Option>
|
|
<Option name="hashlimit_dstlimit">False</Option>
|
|
<Option name="hashlimit_expire">0</Option>
|
|
<Option name="hashlimit_gcinterval">0</Option>
|
|
<Option name="hashlimit_max">0</Option>
|
|
<Option name="hashlimit_mode_dstip">False</Option>
|
|
<Option name="hashlimit_mode_dstport">False</Option>
|
|
<Option name="hashlimit_mode_srcip">True</Option>
|
|
<Option name="hashlimit_mode_srcport">False</Option>
|
|
<Option name="hashlimit_name">test</Option>
|
|
<Option name="hashlimit_size">0</Option>
|
|
<Option name="hashlimit_suffix">/second</Option>
|
|
<Option name="hashlimit_value">50</Option>
|
|
<Option name="limit_burst">0</Option>
|
|
<Option name="limit_suffix"/>
|
|
<Option name="limit_value">0</Option>
|
|
<Option name="limit_value_not">False</Option>
|
|
<Option name="log_level"/>
|
|
<Option name="log_prefix"/>
|
|
<Option name="stateless">False</Option>
|
|
<Option name="ulog_nlgroup">1</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<RuleSetOptions/>
|
|
</Policy>
|
|
<Policy id="id54971X87331" name="Policy_4" comment="" ro="False" ipv4_rule_set="False" ipv6_rule_set="False" top_rule_set="False">
|
|
<PolicyRule id="id55112X87331" disabled="False" group="" log="False" position="0" action="Accept" direction="Outbound" comment="30/sec">
|
|
<Src neg="False">
|
|
<ObjectRef ref="net-Internal_net"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="id54453X20318"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="color">#8BC065</Option>
|
|
<Option name="connlimit_above_not">False</Option>
|
|
<Option name="connlimit_masklen">0</Option>
|
|
<Option name="connlimit_value">0</Option>
|
|
<Option name="firewall_is_part_of_any_and_networks"/>
|
|
<Option name="hashlimit_burst">0</Option>
|
|
<Option name="hashlimit_dstlimit">False</Option>
|
|
<Option name="hashlimit_expire">0</Option>
|
|
<Option name="hashlimit_gcinterval">0</Option>
|
|
<Option name="hashlimit_max">0</Option>
|
|
<Option name="hashlimit_mode_dstip">False</Option>
|
|
<Option name="hashlimit_mode_dstport">False</Option>
|
|
<Option name="hashlimit_mode_srcip">True</Option>
|
|
<Option name="hashlimit_mode_srcport">False</Option>
|
|
<Option name="hashlimit_name">test</Option>
|
|
<Option name="hashlimit_size">0</Option>
|
|
<Option name="hashlimit_suffix">/second</Option>
|
|
<Option name="hashlimit_value">30</Option>
|
|
<Option name="limit_burst">0</Option>
|
|
<Option name="limit_suffix"/>
|
|
<Option name="limit_value">0</Option>
|
|
<Option name="limit_value_not">False</Option>
|
|
<Option name="log_level"/>
|
|
<Option name="log_prefix"/>
|
|
<Option name="stateless">False</Option>
|
|
<Option name="ulog_nlgroup">1</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<PolicyRule id="id55158X87331" disabled="False" group="" log="False" position="1" action="Accept" direction="Outbound" comment="50/sec">
|
|
<Src neg="False">
|
|
<ObjectRef ref="net-Internal_net"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="id54453X20318"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="color">#8BC065</Option>
|
|
<Option name="connlimit_above_not">False</Option>
|
|
<Option name="connlimit_masklen">0</Option>
|
|
<Option name="connlimit_value">0</Option>
|
|
<Option name="firewall_is_part_of_any_and_networks"/>
|
|
<Option name="hashlimit_burst">0</Option>
|
|
<Option name="hashlimit_dstlimit">False</Option>
|
|
<Option name="hashlimit_expire">0</Option>
|
|
<Option name="hashlimit_gcinterval">0</Option>
|
|
<Option name="hashlimit_max">0</Option>
|
|
<Option name="hashlimit_mode_dstip">False</Option>
|
|
<Option name="hashlimit_mode_dstport">False</Option>
|
|
<Option name="hashlimit_mode_srcip">True</Option>
|
|
<Option name="hashlimit_mode_srcport">False</Option>
|
|
<Option name="hashlimit_name">test</Option>
|
|
<Option name="hashlimit_size">0</Option>
|
|
<Option name="hashlimit_suffix">/second</Option>
|
|
<Option name="hashlimit_value">50</Option>
|
|
<Option name="limit_burst">0</Option>
|
|
<Option name="limit_suffix"/>
|
|
<Option name="limit_value">0</Option>
|
|
<Option name="limit_value_not">False</Option>
|
|
<Option name="log_level"/>
|
|
<Option name="log_prefix"/>
|
|
<Option name="stateless">False</Option>
|
|
<Option name="ulog_nlgroup">1</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<PolicyRule id="id55066X87331" disabled="False" group="" log="False" position="2" action="Accept" direction="Outbound" comment="htable_rule_4 ">
|
|
<Src neg="False">
|
|
<ObjectRef ref="net-Internal_net"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="id54453X20318"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="color">#C0BA44</Option>
|
|
<Option name="connlimit_above_not">False</Option>
|
|
<Option name="connlimit_masklen">0</Option>
|
|
<Option name="connlimit_value">0</Option>
|
|
<Option name="firewall_is_part_of_any_and_networks"/>
|
|
<Option name="hashlimit_burst">0</Option>
|
|
<Option name="hashlimit_dstlimit">False</Option>
|
|
<Option name="hashlimit_expire">0</Option>
|
|
<Option name="hashlimit_gcinterval">0</Option>
|
|
<Option name="hashlimit_max">0</Option>
|
|
<Option name="hashlimit_mode_dstip">False</Option>
|
|
<Option name="hashlimit_mode_dstport">False</Option>
|
|
<Option name="hashlimit_mode_srcip">True</Option>
|
|
<Option name="hashlimit_mode_srcport">False</Option>
|
|
<Option name="hashlimit_name">htable_rule_4</Option>
|
|
<Option name="hashlimit_size">0</Option>
|
|
<Option name="hashlimit_suffix">/second</Option>
|
|
<Option name="hashlimit_value">10</Option>
|
|
<Option name="limit_burst">0</Option>
|
|
<Option name="limit_suffix"/>
|
|
<Option name="limit_value">0</Option>
|
|
<Option name="limit_value_not">False</Option>
|
|
<Option name="log_level"/>
|
|
<Option name="log_prefix"/>
|
|
<Option name="stateless">False</Option>
|
|
<Option name="ulog_nlgroup">1</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<PolicyRule id="id55020X87331" disabled="False" group="" log="False" position="3" action="Accept" direction="Outbound" comment="htable_rule_5">
|
|
<Src neg="False">
|
|
<ObjectRef ref="net-Internal_net"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="id54453X20318"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="color">#C0BA44</Option>
|
|
<Option name="connlimit_above_not">False</Option>
|
|
<Option name="connlimit_masklen">0</Option>
|
|
<Option name="connlimit_value">0</Option>
|
|
<Option name="firewall_is_part_of_any_and_networks"/>
|
|
<Option name="hashlimit_burst">0</Option>
|
|
<Option name="hashlimit_dstlimit">False</Option>
|
|
<Option name="hashlimit_expire">0</Option>
|
|
<Option name="hashlimit_gcinterval">0</Option>
|
|
<Option name="hashlimit_max">0</Option>
|
|
<Option name="hashlimit_mode_dstip">False</Option>
|
|
<Option name="hashlimit_mode_dstport">False</Option>
|
|
<Option name="hashlimit_mode_srcip">True</Option>
|
|
<Option name="hashlimit_mode_srcport">False</Option>
|
|
<Option name="hashlimit_name">htable_rule_5</Option>
|
|
<Option name="hashlimit_size">0</Option>
|
|
<Option name="hashlimit_suffix">/second</Option>
|
|
<Option name="hashlimit_value">10</Option>
|
|
<Option name="limit_burst">0</Option>
|
|
<Option name="limit_suffix"/>
|
|
<Option name="limit_value">0</Option>
|
|
<Option name="limit_value_not">False</Option>
|
|
<Option name="log_level"/>
|
|
<Option name="log_prefix"/>
|
|
<Option name="stateless">False</Option>
|
|
<Option name="ulog_nlgroup">1</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<RuleSetOptions/>
|
|
</Policy>
|
|
<Policy id="id54773X87346" name="Policy_5" comment="" ro="False" ipv4_rule_set="False" ipv6_rule_set="False" top_rule_set="False">
|
|
<PolicyRule id="id54822X87346" disabled="False" group="" log="False" position="0" action="Accept" direction="Outbound" comment="50/sec">
|
|
<Src neg="False">
|
|
<ObjectRef ref="net-Internal_net"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="id54453X20318"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="color">#C86E6E</Option>
|
|
<Option name="connlimit_above_not">False</Option>
|
|
<Option name="connlimit_masklen">0</Option>
|
|
<Option name="connlimit_value">0</Option>
|
|
<Option name="firewall_is_part_of_any_and_networks"/>
|
|
<Option name="hashlimit_burst">0</Option>
|
|
<Option name="hashlimit_dstlimit">False</Option>
|
|
<Option name="hashlimit_expire">0</Option>
|
|
<Option name="hashlimit_gcinterval">0</Option>
|
|
<Option name="hashlimit_max">0</Option>
|
|
<Option name="hashlimit_mode_dstip">False</Option>
|
|
<Option name="hashlimit_mode_dstport">False</Option>
|
|
<Option name="hashlimit_mode_srcip">True</Option>
|
|
<Option name="hashlimit_mode_srcport">False</Option>
|
|
<Option name="hashlimit_name">test</Option>
|
|
<Option name="hashlimit_size">0</Option>
|
|
<Option name="hashlimit_suffix">/second</Option>
|
|
<Option name="hashlimit_value">50</Option>
|
|
<Option name="limit_burst">0</Option>
|
|
<Option name="limit_suffix"/>
|
|
<Option name="limit_value">0</Option>
|
|
<Option name="limit_value_not">False</Option>
|
|
<Option name="log_level"/>
|
|
<Option name="log_prefix"/>
|
|
<Option name="stateless">False</Option>
|
|
<Option name="ulog_nlgroup">1</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<PolicyRule id="id54868X87346" disabled="False" group="" log="False" position="1" action="Accept" direction="Outbound" comment="30/sec">
|
|
<Src neg="False">
|
|
<ObjectRef ref="net-Internal_net"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="id54453X20318"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="color">#C86E6E</Option>
|
|
<Option name="connlimit_above_not">False</Option>
|
|
<Option name="connlimit_masklen">0</Option>
|
|
<Option name="connlimit_value">0</Option>
|
|
<Option name="firewall_is_part_of_any_and_networks"/>
|
|
<Option name="hashlimit_burst">0</Option>
|
|
<Option name="hashlimit_dstlimit">False</Option>
|
|
<Option name="hashlimit_expire">0</Option>
|
|
<Option name="hashlimit_gcinterval">0</Option>
|
|
<Option name="hashlimit_max">0</Option>
|
|
<Option name="hashlimit_mode_dstip">False</Option>
|
|
<Option name="hashlimit_mode_dstport">False</Option>
|
|
<Option name="hashlimit_mode_srcip">True</Option>
|
|
<Option name="hashlimit_mode_srcport">False</Option>
|
|
<Option name="hashlimit_name">test</Option>
|
|
<Option name="hashlimit_size">0</Option>
|
|
<Option name="hashlimit_suffix">/second</Option>
|
|
<Option name="hashlimit_value">30</Option>
|
|
<Option name="limit_burst">0</Option>
|
|
<Option name="limit_suffix"/>
|
|
<Option name="limit_value">0</Option>
|
|
<Option name="limit_value_not">False</Option>
|
|
<Option name="log_level"/>
|
|
<Option name="log_prefix"/>
|
|
<Option name="stateless">False</Option>
|
|
<Option name="ulog_nlgroup">1</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<RuleSetOptions/>
|
|
</Policy>
|
|
<Routing id="id54556X20318" name="Routing" comment="" ro="False" ipv4_rule_set="False" ipv6_rule_set="False" top_rule_set="True">
|
|
<RuleSetOptions/>
|
|
</Routing>
|
|
<Interface id="id54453X20318" dedicated_failover="False" dyn="False" label="" security_level="50" unnum="False" unprotected="False" name="eth0" comment="" ro="False">
|
|
<IPv4 id="id54456X20318" name="test-shadowing-3:eth0:ip" comment="" ro="False" address="22.22.22.22" netmask="255.255.255.0"/>
|
|
<InterfaceOptions/>
|
|
</Interface>
|
|
<Interface id="id54458X20318" dedicated_failover="False" dyn="False" label="" security_level="100" unnum="False" unprotected="False" name="eth1" comment="" ro="False">
|
|
<IPv4 id="id54461X20318" name="test-shadowing-3:eth1:ip" comment="" ro="False" address="192.168.1.1" netmask="255.255.255.0"/>
|
|
<InterfaceOptions/>
|
|
</Interface>
|
|
<Interface id="id54463X20318" dedicated_failover="False" dyn="False" label="" security_level="100" unnum="False" unprotected="False" name="eth2" comment="" ro="False">
|
|
<IPv4 id="id54466X20318" name="test-shadowing-3:eth2:ip" comment="" ro="False" address="192.168.2.1" netmask="255.255.255.0"/>
|
|
<InterfaceOptions/>
|
|
</Interface>
|
|
<Management address="192.168.2.1">
|
|
<SNMPManagement enabled="False" snmp_read_community="" snmp_write_community=""/>
|
|
<FWBDManagement enabled="False" identity="" port="-1"/>
|
|
<PolicyInstallScript arguments="" command="" enabled="False"/>
|
|
</Management>
|
|
<FirewallOptions>
|
|
<Option name="accept_established">True</Option>
|
|
<Option name="accept_new_tcp_with_no_syn">True</Option>
|
|
<Option name="action_on_reject"/>
|
|
<Option name="activationCmd"/>
|
|
<Option name="admUser"/>
|
|
<Option name="altAddress"/>
|
|
<Option name="bridging_fw">False</Option>
|
|
<Option name="check_shading">True</Option>
|
|
<Option name="clamp_mss_to_mtu">False</Option>
|
|
<Option name="cmdline">-xt</Option>
|
|
<Option name="compiler"/>
|
|
<Option name="configure_interfaces">True</Option>
|
|
<Option name="debug">False</Option>
|
|
<Option name="drop_invalid">False</Option>
|
|
<Option name="eliminate_duplicates">true</Option>
|
|
<Option name="epilog_script"/>
|
|
<Option name="firewall_dir">/etc</Option>
|
|
<Option name="firewall_is_part_of_any_and_networks">False</Option>
|
|
<Option name="freebsd_ip_forward">1</Option>
|
|
<Option name="ignore_empty_groups">False</Option>
|
|
<Option name="in_out_code">true</Option>
|
|
<Option name="limit_suffix"/>
|
|
<Option name="limit_value">0</Option>
|
|
<Option name="linux24_ip_forward">1</Option>
|
|
<Option name="load_modules">True</Option>
|
|
<Option name="local_nat">False</Option>
|
|
<Option name="log_all">False</Option>
|
|
<Option name="log_invalid">False</Option>
|
|
<Option name="log_ip_opt">False</Option>
|
|
<Option name="log_level">info</Option>
|
|
<Option name="log_prefix">RULE %N -- %A </Option>
|
|
<Option name="log_tcp_opt">False</Option>
|
|
<Option name="log_tcp_seq">False</Option>
|
|
<Option name="loopback_interface">lo0</Option>
|
|
<Option name="macosx_ip_forward">1</Option>
|
|
<Option name="manage_virtual_addr">True</Option>
|
|
<Option name="mgmt_addr"/>
|
|
<Option name="mgmt_ssh">False</Option>
|
|
<Option name="openbsd_ip_forward">1</Option>
|
|
<Option name="output_file"/>
|
|
<Option name="pass_all_out">false</Option>
|
|
<Option name="pf_limit_frags">5000</Option>
|
|
<Option name="pf_limit_states">10000</Option>
|
|
<Option name="pf_scrub_maxmss">1460</Option>
|
|
<Option name="pf_timeout_frag">30</Option>
|
|
<Option name="pf_timeout_interval">10</Option>
|
|
<Option name="pix_add_clear_statements">true</Option>
|
|
<Option name="pix_assume_fw_part_of_any">true</Option>
|
|
<Option name="pix_default_logint">300</Option>
|
|
<Option name="pix_emblem_log_format">false</Option>
|
|
<Option name="pix_emulate_out_acl">true</Option>
|
|
<Option name="pix_floodguard">true</Option>
|
|
<Option name="pix_include_comments">true</Option>
|
|
<Option name="pix_route_dnat_supported">true</Option>
|
|
<Option name="pix_rule_syslog_settings">false</Option>
|
|
<Option name="pix_security_fragguard_supported">true</Option>
|
|
<Option name="pix_syslog_device_id_supported">false</Option>
|
|
<Option name="pix_use_acl_remarks">true</Option>
|
|
<Option name="prolog_place">top</Option>
|
|
<Option name="prolog_script"/>
|
|
<Option name="prompt1">$ </Option>
|
|
<Option name="prompt2"> # </Option>
|
|
<Option name="solaris_ip_forward">1</Option>
|
|
<Option name="sshArgs"/>
|
|
<Option name="ulog_cprange">0</Option>
|
|
<Option name="ulog_nlgroup">1</Option>
|
|
<Option name="ulog_qthreshold">1</Option>
|
|
<Option name="use_ULOG">False</Option>
|
|
<Option name="use_iptables_restore">False</Option>
|
|
<Option name="use_numeric_log_levels">False</Option>
|
|
<Option name="verify_interfaces">True</Option>
|
|
</FirewallOptions>
|
|
</Firewall>
|
|
<Firewall id="id54736X99373" host_OS="linux24" inactive="False" lastCompiled="1272414362" lastInstalled="0" lastModified="1272414351" platform="iptables" version="1.4.0" name="firewall74" comment="this firewall uses iptables-restore format and has no rules " ro="False">
|
|
<NAT id="id54809X99373" name="NAT" comment="" ro="False" ipv4_rule_set="False" ipv6_rule_set="False" top_rule_set="True">
|
|
<RuleSetOptions/>
|
|
</NAT>
|
|
<Policy id="id54754X99373" name="Policy" comment="" ro="False" ipv4_rule_set="False" ipv6_rule_set="False" top_rule_set="True">
|
|
<RuleSetOptions/>
|
|
</Policy>
|
|
<Routing id="id54825X99373" name="Routing" comment="" ro="False" ipv4_rule_set="False" ipv6_rule_set="False" top_rule_set="True">
|
|
<RuleSetOptions/>
|
|
</Routing>
|
|
<Interface id="id54744X99373" dedicated_failover="False" dyn="False" label="" mgmt="True" security_level="100" unnum="False" unprotected="False" name="eth0" comment="" ro="False">
|
|
<IPv4 id="id54747X99373" name="firewall74:eth0:ip" comment="" ro="False" address="192.168.1.1" netmask="255.255.255.0"/>
|
|
<InterfaceOptions/>
|
|
</Interface>
|
|
<Interface id="id54749X99373" dedicated_failover="False" dyn="False" security_level="0" unnum="False" unprotected="False" name="eth2" comment="" ro="False">
|
|
<IPv4 id="id54752X99373" name="firewall74:eth2:ip" comment="" ro="False" address="192.168.2.1" netmask="255.255.255.0"/>
|
|
<InterfaceOptions/>
|
|
</Interface>
|
|
<Management address="192.168.1.1">
|
|
<SNMPManagement enabled="False" snmp_read_community="public" snmp_write_community=""/>
|
|
<FWBDManagement enabled="True" identity="" port="9999"/>
|
|
<PolicyInstallScript arguments="" command="" enabled="False"/>
|
|
</Management>
|
|
<FirewallOptions>
|
|
<Option name="accept_established">True</Option>
|
|
<Option name="accept_new_tcp_with_no_syn">False</Option>
|
|
<Option name="action_on_reject">ICMP host prohibited</Option>
|
|
<Option name="activationCmd"/>
|
|
<Option name="admUser"/>
|
|
<Option name="altAddress"/>
|
|
<Option name="bridging_fw">False</Option>
|
|
<Option name="check_shading">False</Option>
|
|
<Option name="clamp_mss_to_mtu">False</Option>
|
|
<Option name="classify_mark_terminating">False</Option>
|
|
<Option name="cmdline"/>
|
|
<Option name="compiler"/>
|
|
<Option name="configure_interfaces">True</Option>
|
|
<Option name="debug">False</Option>
|
|
<Option name="drop_invalid">True</Option>
|
|
<Option name="dyn_addr">False</Option>
|
|
<Option name="epilog_script"/>
|
|
<Option name="firewall_dir"/>
|
|
<Option name="firewall_is_part_of_any">True</Option>
|
|
<Option name="firewall_is_part_of_any_and_networks">True</Option>
|
|
<Option name="id"/>
|
|
<Option name="ignore_empty_groups">False</Option>
|
|
<Option name="install_script"/>
|
|
<Option name="ipt_mangle_only_rulesets"> Policy_2 mangle_ruleset</Option>
|
|
<Option name="ipv4_6_order">ipv4_first</Option>
|
|
<Option name="limit_suffix">/day</Option>
|
|
<Option name="limit_value">0</Option>
|
|
<Option name="linux24_accept_redirects"/>
|
|
<Option name="linux24_accept_source_route"/>
|
|
<Option name="linux24_icmp_echo_ignore_all"/>
|
|
<Option name="linux24_icmp_echo_ignore_broadcasts"/>
|
|
<Option name="linux24_icmp_ignore_bogus_error_responses"/>
|
|
<Option name="linux24_ip_dynaddr"/>
|
|
<Option name="linux24_ip_forward"/>
|
|
<Option name="linux24_log_martians"/>
|
|
<Option name="linux24_path_ip"/>
|
|
<Option name="linux24_path_iptables"/>
|
|
<Option name="linux24_path_logger"/>
|
|
<Option name="linux24_path_lsmod"/>
|
|
<Option name="linux24_path_modprobe"/>
|
|
<Option name="linux24_rp_filter"/>
|
|
<Option name="linux24_tcp_ecn"/>
|
|
<Option name="linux24_tcp_fack"/>
|
|
<Option name="linux24_tcp_fin_timeout">30</Option>
|
|
<Option name="linux24_tcp_keepalive_interval">1800</Option>
|
|
<Option name="linux24_tcp_sack"/>
|
|
<Option name="linux24_tcp_syncookies"/>
|
|
<Option name="linux24_tcp_timestamps"/>
|
|
<Option name="linux24_tcp_window_scaling"/>
|
|
<Option name="load_modules">False</Option>
|
|
<Option name="local_nat">False</Option>
|
|
<Option name="log_all">False</Option>
|
|
<Option name="log_all_dropped">False</Option>
|
|
<Option name="log_invalid">False</Option>
|
|
<Option name="log_ip_opt">False</Option>
|
|
<Option name="log_level"/>
|
|
<Option name="log_limit_suffix"/>
|
|
<Option name="log_limit_value">0</Option>
|
|
<Option name="log_prefix"/>
|
|
<Option name="log_tcp_opt">False</Option>
|
|
<Option name="log_tcp_seq">False</Option>
|
|
<Option name="manage_virtual_addr">True</Option>
|
|
<Option name="mgmt_addr">192.168.1.1</Option>
|
|
<Option name="mgmt_ssh">True</Option>
|
|
<Option name="no_iochains_for_any">False</Option>
|
|
<Option name="no_ipv6_default_policy">False</Option>
|
|
<Option name="no_optimisation">False</Option>
|
|
<Option name="output_file"/>
|
|
<Option name="platform">iptables</Option>
|
|
<Option name="prolog_place">top</Option>
|
|
<Option name="prolog_script"/>
|
|
<Option name="scpArgs"/>
|
|
<Option name="script_env_path"/>
|
|
<Option name="snmp_contact"/>
|
|
<Option name="snmp_description"/>
|
|
<Option name="snmp_location"/>
|
|
<Option name="sshArgs"/>
|
|
<Option name="ulog_cprange">0</Option>
|
|
<Option name="ulog_nlgroup">1</Option>
|
|
<Option name="ulog_qthreshold">1</Option>
|
|
<Option name="use_ULOG">False</Option>
|
|
<Option name="use_iptables_restore">True</Option>
|
|
<Option name="use_numeric_log_levels">False</Option>
|
|
<Option name="verify_interfaces">True</Option>
|
|
</FirewallOptions>
|
|
</Firewall>
|
|
<Firewall id="id54821X29165" host_OS="linux24" inactive="False" lastCompiled="1272737108" lastInstalled="1142003872" lastModified="1272737191" platform="iptables" version="1.4.0" name="firewall40-1" comment=" more complex and realistic combination of Tag and Route rules that are in the separate Policy rule set " ro="False">
|
|
<NAT id="id54936X29165" name="NAT" comment="" ro="False" ipv4_rule_set="False" ipv6_rule_set="False" top_rule_set="True">
|
|
<NATRule id="id54937X29165" disabled="False" group="" position="0" action="Translate" comment="Translate source address for outgoing connections">
|
|
<OSrc neg="False">
|
|
<ObjectRef ref="id3DC75CE7-1"/>
|
|
</OSrc>
|
|
<ODst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ODst>
|
|
<OSrv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</OSrv>
|
|
<TSrc neg="False">
|
|
<ObjectRef ref="id54829X29165"/>
|
|
</TSrc>
|
|
<TDst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</TDst>
|
|
<TSrv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</TSrv>
|
|
<ItfInb neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ItfInb>
|
|
<ItfOutb neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ItfOutb>
|
|
<NATRuleOptions/>
|
|
</NATRule>
|
|
<RuleSetOptions/>
|
|
</NAT>
|
|
<Policy id="id54849X29165" name="Policy" comment="" ro="False" ipv4_rule_set="False" ipv6_rule_set="False" top_rule_set="True">
|
|
<PolicyRule id="id55100X22068" disabled="False" group="" log="True" position="0" action="Deny" direction="Both" comment="any rule here to make top Policy ruleset non-empty">
|
|
<Src neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="stateless">True</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<RuleSetOptions/>
|
|
</Policy>
|
|
<Policy id="id54988X29165" name="Policy_1" comment="" ro="False" ipv4_rule_set="False" ipv6_rule_set="False" top_rule_set="False">
|
|
<PolicyRule id="id55315X29165" disabled="False" position="0" direction="Inbound" action="Continue" log="False" comment="" group="">
|
|
<Src neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="id54829X29165"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="action_on_reject"/>
|
|
<Option name="branch_anchor_name"/>
|
|
<Option name="branch_chain_name"/>
|
|
<Option name="classify_str"/>
|
|
<Option name="custom_str"/>
|
|
<Option name="ipf_route_opt_addr"/>
|
|
<Option name="ipf_route_opt_if"/>
|
|
<Option name="ipf_route_option">Route through</Option>
|
|
<Option name="ipfw_classify_method">2</Option>
|
|
<Option name="ipfw_pipe_port_num">0</Option>
|
|
<Option name="ipfw_pipe_queue_num">0</Option>
|
|
<Option name="ipt_continue">False</Option>
|
|
<Option name="ipt_gw"/>
|
|
<Option name="ipt_iif"/>
|
|
<Option name="ipt_mark_connections">True</Option>
|
|
<Option name="ipt_oif"/>
|
|
<Option name="ipt_tee">False</Option>
|
|
<Option name="pf_fastroute">False</Option>
|
|
<Option name="pf_route_opt_addr"/>
|
|
<Option name="pf_route_opt_if"/>
|
|
<Option name="pf_route_option">Route through</Option>
|
|
<Option name="rule_name_accounting"/>
|
|
<Option name="tagobject_id">id449328D824380</Option>
|
|
<Option name="tagging">True</Option>
|
|
<Option name="classification">False</Option>
|
|
<Option name="routing">False</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<PolicyRule id="id55269X29165" disabled="False" position="1" direction="Inbound" action="Continue" log="False" comment="" group="">
|
|
<Src neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="id54839X29165"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="action_on_reject"/>
|
|
<Option name="branch_anchor_name"/>
|
|
<Option name="branch_chain_name"/>
|
|
<Option name="classify_str"/>
|
|
<Option name="custom_str"/>
|
|
<Option name="ipf_route_opt_addr"/>
|
|
<Option name="ipf_route_opt_if"/>
|
|
<Option name="ipf_route_option">Route through</Option>
|
|
<Option name="ipfw_classify_method">2</Option>
|
|
<Option name="ipfw_pipe_port_num">0</Option>
|
|
<Option name="ipfw_pipe_queue_num">0</Option>
|
|
<Option name="ipt_continue">False</Option>
|
|
<Option name="ipt_gw"/>
|
|
<Option name="ipt_iif"/>
|
|
<Option name="ipt_mark_connections">True</Option>
|
|
<Option name="ipt_oif"/>
|
|
<Option name="ipt_tee">False</Option>
|
|
<Option name="pf_fastroute">False</Option>
|
|
<Option name="pf_route_opt_addr"/>
|
|
<Option name="pf_route_opt_if"/>
|
|
<Option name="pf_route_option">Route through</Option>
|
|
<Option name="rule_name_accounting"/>
|
|
<Option name="tagobject_id">id449328D924380</Option>
|
|
<Option name="tagging">True</Option>
|
|
<Option name="classification">False</Option>
|
|
<Option name="routing">False</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<PolicyRule id="id55223X29165" disabled="False" group="" log="False" position="2" action="Accept" direction="Both" comment="This permits access from the internal network to the Internet and the DMZ">
|
|
<Src neg="False">
|
|
<ObjectRef ref="id3DC75CE7-1"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions/>
|
|
</PolicyRule>
|
|
<PolicyRule id="id55177X29165" disabled="False" position="3" direction="Both" action="Continue" log="False" comment="" group="">
|
|
<Src neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="id449328D824380"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="action_on_reject"/>
|
|
<Option name="branch_anchor_name"/>
|
|
<Option name="branch_chain_name"/>
|
|
<Option name="classify_str"/>
|
|
<Option name="custom_str"/>
|
|
<Option name="ipf_route_opt_addr"/>
|
|
<Option name="ipf_route_opt_if"/>
|
|
<Option name="ipf_route_option">Route through</Option>
|
|
<Option name="ipfw_classify_method">2</Option>
|
|
<Option name="ipfw_pipe_port_num">0</Option>
|
|
<Option name="ipfw_pipe_queue_num">0</Option>
|
|
<Option name="ipt_continue">True</Option>
|
|
<Option name="ipt_gw"/>
|
|
<Option name="ipt_iif"/>
|
|
<Option name="ipt_mark_connections">False</Option>
|
|
<Option name="ipt_oif">eth0</Option>
|
|
<Option name="ipt_tee">False</Option>
|
|
<Option name="pf_fastroute">False</Option>
|
|
<Option name="pf_route_opt_addr"/>
|
|
<Option name="pf_route_opt_if"/>
|
|
<Option name="pf_route_option">Route through</Option>
|
|
<Option name="rule_name_accounting"/>
|
|
<Option name="stateless">True</Option>
|
|
<Option name="tagging">False</Option>
|
|
<Option name="classification">False</Option>
|
|
<Option name="routing">True</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<PolicyRule id="id55131X29165" disabled="False" position="4" direction="Both" action="Continue" log="False" comment="" group="">
|
|
<Src neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="id449328D924380"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="action_on_reject"/>
|
|
<Option name="branch_anchor_name"/>
|
|
<Option name="branch_chain_name"/>
|
|
<Option name="classify_str"/>
|
|
<Option name="custom_str"/>
|
|
<Option name="ipf_route_opt_addr"/>
|
|
<Option name="ipf_route_opt_if"/>
|
|
<Option name="ipf_route_option">Route through</Option>
|
|
<Option name="ipfw_classify_method">2</Option>
|
|
<Option name="ipfw_pipe_port_num">0</Option>
|
|
<Option name="ipfw_pipe_queue_num">0</Option>
|
|
<Option name="ipt_continue">True</Option>
|
|
<Option name="ipt_gw"/>
|
|
<Option name="ipt_iif"/>
|
|
<Option name="ipt_mark_connections">False</Option>
|
|
<Option name="ipt_oif">eth2</Option>
|
|
<Option name="ipt_tee">False</Option>
|
|
<Option name="pf_fastroute">False</Option>
|
|
<Option name="pf_route_opt_addr"/>
|
|
<Option name="pf_route_opt_if"/>
|
|
<Option name="pf_route_option">Route through</Option>
|
|
<Option name="rule_name_accounting"/>
|
|
<Option name="stateless">True</Option>
|
|
<Option name="tagging">False</Option>
|
|
<Option name="classification">False</Option>
|
|
<Option name="routing">True</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<PolicyRule id="id55085X29165" disabled="False" group="" log="True" position="5" action="Deny" direction="Both" comment="">
|
|
<Src neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="stateless">True</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<PolicyRule id="id55038X29165" disabled="False" position="6" direction="Both" action="Continue" log="True" comment="" group="">
|
|
<Src neg="False">
|
|
<ObjectRef ref="id3DC75CE7-1"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="id3B665641"/>
|
|
<ObjectRef ref="id3B665643"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="action_on_reject"/>
|
|
<Option name="classify_str"/>
|
|
<Option name="custom_str"/>
|
|
<Option name="ipf_route_opt_addr"/>
|
|
<Option name="ipf_route_opt_if"/>
|
|
<Option name="ipf_route_option">route_through</Option>
|
|
<Option name="ipfw_classify_method">2</Option>
|
|
<Option name="ipfw_pipe_port_num">0</Option>
|
|
<Option name="ipfw_pipe_queue_num">0</Option>
|
|
<Option name="ipt_continue">False</Option>
|
|
<Option name="ipt_gw"/>
|
|
<Option name="ipt_iif"/>
|
|
<Option name="ipt_mark_connections">False</Option>
|
|
<Option name="ipt_oif"/>
|
|
<Option name="ipt_tee">False</Option>
|
|
<Option name="pf_fastroute">False</Option>
|
|
<Option name="pf_route_load_option">none</Option>
|
|
<Option name="pf_route_opt_addr"/>
|
|
<Option name="pf_route_opt_if"/>
|
|
<Option name="pf_route_option">route_through</Option>
|
|
<Option name="rule_name_accounting"/>
|
|
<Option name="stateless">False</Option>
|
|
<Option name="tagobject_id">id365999</Option>
|
|
<Option name="tagging">True</Option>
|
|
<Option name="classification">False</Option>
|
|
<Option name="routing">False</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<RuleSetOptions/>
|
|
</Policy>
|
|
<Routing id="id54952X29165" name="Routing" comment="" ro="False" ipv4_rule_set="False" ipv6_rule_set="False" top_rule_set="True">
|
|
<RuleSetOptions/>
|
|
</Routing>
|
|
<Interface id="id54829X29165" dedicated_failover="False" dyn="False" label="" mgmt="False" security_level="0" unnum="False" unprotected="False" name="eth0" comment="" ro="False">
|
|
<IPv4 id="id54832X29165" name="firewall40:eth0:ip" comment="This is a test address; change it to your real one" ro="False" address="192.0.2.1" netmask="255.255.255.0"/>
|
|
<InterfaceOptions/>
|
|
</Interface>
|
|
<Interface id="id54834X29165" dedicated_failover="False" dyn="False" label="loopback" mgmt="False" security_level="100" unnum="False" unprotected="False" name="lo" comment="" ro="False">
|
|
<IPv4 id="id54837X29165" name="firewall40:lo:ip" comment="" ro="False" address="127.0.0.1" netmask="255.0.0.0"/>
|
|
<InterfaceOptions/>
|
|
</Interface>
|
|
<Interface id="id54839X29165" dedicated_failover="False" dyn="False" label="" mgmt="False" security_level="0" unnum="False" unprotected="False" name="eth2" comment="" ro="False">
|
|
<IPv4 id="id54842X29165" name="firewall40:eth2:ip" comment="" ro="False" address="192.0.100.1" netmask="255.255.255.0"/>
|
|
<InterfaceOptions/>
|
|
</Interface>
|
|
<Interface id="id54844X29165" dedicated_failover="False" dyn="False" label="" mgmt="True" security_level="100" unnum="False" unprotected="False" name="eth1" comment="" ro="False">
|
|
<IPv4 id="id54847X29165" name="firewall40:eth1:ip" comment="" ro="False" address="192.168.1.1" netmask="255.255.255.0"/>
|
|
<InterfaceOptions/>
|
|
</Interface>
|
|
<Management address="192.168.1.1">
|
|
<SNMPManagement enabled="False" snmp_read_community="" snmp_write_community=""/>
|
|
<FWBDManagement enabled="False" identity="" port="-1"/>
|
|
<PolicyInstallScript arguments="" command="" enabled="False"/>
|
|
</Management>
|
|
<FirewallOptions>
|
|
<Option name="accept_established">True</Option>
|
|
<Option name="accept_new_tcp_with_no_syn">True</Option>
|
|
<Option name="action_on_reject"/>
|
|
<Option name="activationCmd"/>
|
|
<Option name="admUser"/>
|
|
<Option name="altAddress"/>
|
|
<Option name="bridging_fw">False</Option>
|
|
<Option name="check_shading">False</Option>
|
|
<Option name="clamp_mss_to_mtu">True</Option>
|
|
<Option name="classify_mark_terminating">False</Option>
|
|
<Option name="cmdline"/>
|
|
<Option name="compiler"/>
|
|
<Option name="configure_interfaces">True</Option>
|
|
<Option name="debug">False</Option>
|
|
<Option name="drop_invalid">False</Option>
|
|
<Option name="eliminate_duplicates">true</Option>
|
|
<Option name="enable_ipv6">False</Option>
|
|
<Option name="epilog_script"/>
|
|
<Option name="firewall_dir">/etc</Option>
|
|
<Option name="firewall_is_part_of_any_and_networks">True</Option>
|
|
<Option name="freebsd_ip_forward">1</Option>
|
|
<Option name="ignore_empty_groups">False</Option>
|
|
<Option name="in_out_code">true</Option>
|
|
<Option name="ipv4_6_order">ipv4_first</Option>
|
|
<Option name="limit_suffix"/>
|
|
<Option name="limit_value">0</Option>
|
|
<Option name="linux24_ip_forward">1</Option>
|
|
<Option name="load_modules">True</Option>
|
|
<Option name="local_nat">False</Option>
|
|
<Option name="log_all">False</Option>
|
|
<Option name="log_invalid">False</Option>
|
|
<Option name="log_ip_opt">False</Option>
|
|
<Option name="log_level">info</Option>
|
|
<Option name="log_prefix">RULE %N -- %A </Option>
|
|
<Option name="log_tcp_opt">False</Option>
|
|
<Option name="log_tcp_seq">False</Option>
|
|
<Option name="loopback_interface">lo0</Option>
|
|
<Option name="macosx_ip_forward">1</Option>
|
|
<Option name="manage_virtual_addr">True</Option>
|
|
<Option name="mgmt_addr"/>
|
|
<Option name="mgmt_ssh">False</Option>
|
|
<Option name="no_ipv6_default_policy">False</Option>
|
|
<Option name="openbsd_ip_forward">1</Option>
|
|
<Option name="output_file"/>
|
|
<Option name="pass_all_out">false</Option>
|
|
<Option name="pf_limit_frags">5000</Option>
|
|
<Option name="pf_limit_states">10000</Option>
|
|
<Option name="pf_scrub_maxmss">1460</Option>
|
|
<Option name="pf_timeout_frag">30</Option>
|
|
<Option name="pf_timeout_interval">10</Option>
|
|
<Option name="pix_add_clear_statements">true</Option>
|
|
<Option name="pix_assume_fw_part_of_any">true</Option>
|
|
<Option name="pix_default_logint">300</Option>
|
|
<Option name="pix_emblem_log_format">false</Option>
|
|
<Option name="pix_emulate_out_acl">true</Option>
|
|
<Option name="pix_floodguard">true</Option>
|
|
<Option name="pix_include_comments">true</Option>
|
|
<Option name="pix_route_dnat_supported">true</Option>
|
|
<Option name="pix_rule_syslog_settings">false</Option>
|
|
<Option name="pix_security_fragguard_supported">true</Option>
|
|
<Option name="pix_syslog_device_id_supported">false</Option>
|
|
<Option name="pix_use_acl_remarks">true</Option>
|
|
<Option name="prolog_place">top</Option>
|
|
<Option name="prolog_script"/>
|
|
<Option name="prompt1">$ </Option>
|
|
<Option name="prompt2"> # </Option>
|
|
<Option name="solaris_ip_forward">1</Option>
|
|
<Option name="sshArgs"/>
|
|
<Option name="ulog_cprange">0</Option>
|
|
<Option name="ulog_nlgroup">1</Option>
|
|
<Option name="ulog_qthreshold">1</Option>
|
|
<Option name="use_ULOG">False</Option>
|
|
<Option name="use_iptables_restore">False</Option>
|
|
<Option name="use_numeric_log_levels">False</Option>
|
|
<Option name="verify_interfaces">True</Option>
|
|
</FirewallOptions>
|
|
</Firewall>
|
|
<Firewall id="id55112X22068" host_OS="linux24" inactive="False" lastCompiled="1272737108" lastInstalled="1142003872" lastModified="1272737150" platform="iptables" version="1.4.0" name="firewall40-2" comment="A more complex and realistic combination of Tag and Route rules, placed in a separate Policy rule set. Here the top Policy rule set is empty." ro="False">
|
|
<NAT id="id55241X22068" name="NAT" comment="" ro="False" ipv4_rule_set="False" ipv6_rule_set="False" top_rule_set="True">
|
|
<NATRule id="id55242X22068" disabled="False" group="" position="0" action="Translate" comment="Translate source address for outgoing connections">
|
|
<OSrc neg="False">
|
|
<ObjectRef ref="id3DC75CE7-1"/>
|
|
</OSrc>
|
|
<ODst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ODst>
|
|
<OSrv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</OSrv>
|
|
<TSrc neg="False">
|
|
<ObjectRef ref="id55120X22068"/>
|
|
</TSrc>
|
|
<TDst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</TDst>
|
|
<TSrv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</TSrv>
|
|
<ItfInb neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ItfInb>
|
|
<ItfOutb neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ItfOutb>
|
|
<NATRuleOptions/>
|
|
</NATRule>
|
|
<RuleSetOptions/>
|
|
</NAT>
|
|
<Policy id="id55140X22068" name="Policy" comment="" ro="False" ipv4_rule_set="False" ipv6_rule_set="False" top_rule_set="True">
|
|
<RuleSetOptions/>
|
|
</Policy>
|
|
<Policy id="id55154X22068" name="Policy_1" comment="" ro="False" ipv4_rule_set="False" ipv6_rule_set="False" top_rule_set="False">
|
|
<PolicyRule id="id55155X22068" disabled="False" position="0" direction="Inbound" action="Continue" log="False" comment="" group="">
|
|
<Src neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="id55120X22068"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="action_on_reject"/>
|
|
<Option name="branch_anchor_name"/>
|
|
<Option name="branch_chain_name"/>
|
|
<Option name="classify_str"/>
|
|
<Option name="custom_str"/>
|
|
<Option name="ipf_route_opt_addr"/>
|
|
<Option name="ipf_route_opt_if"/>
|
|
<Option name="ipf_route_option">Route through</Option>
|
|
<Option name="ipfw_classify_method">2</Option>
|
|
<Option name="ipfw_pipe_port_num">0</Option>
|
|
<Option name="ipfw_pipe_queue_num">0</Option>
|
|
<Option name="ipt_continue">False</Option>
|
|
<Option name="ipt_gw"/>
|
|
<Option name="ipt_iif"/>
|
|
<Option name="ipt_mark_connections">True</Option>
|
|
<Option name="ipt_oif"/>
|
|
<Option name="ipt_tee">False</Option>
|
|
<Option name="pf_fastroute">False</Option>
|
|
<Option name="pf_route_opt_addr"/>
|
|
<Option name="pf_route_opt_if"/>
|
|
<Option name="pf_route_option">Route through</Option>
|
|
<Option name="rule_name_accounting"/>
|
|
<Option name="tagobject_id">id449328D824380</Option>
|
|
<Option name="tagging">True</Option>
|
|
<Option name="classification">False</Option>
|
|
<Option name="routing">False</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<PolicyRule id="id55167X22068" disabled="False" position="1" direction="Inbound" action="Continue" log="False" comment="" group="">
|
|
<Src neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="id55130X22068"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="action_on_reject"/>
|
|
<Option name="branch_anchor_name"/>
|
|
<Option name="branch_chain_name"/>
|
|
<Option name="classify_str"/>
|
|
<Option name="custom_str"/>
|
|
<Option name="ipf_route_opt_addr"/>
|
|
<Option name="ipf_route_opt_if"/>
|
|
<Option name="ipf_route_option">Route through</Option>
|
|
<Option name="ipfw_classify_method">2</Option>
|
|
<Option name="ipfw_pipe_port_num">0</Option>
|
|
<Option name="ipfw_pipe_queue_num">0</Option>
|
|
<Option name="ipt_continue">False</Option>
|
|
<Option name="ipt_gw"/>
|
|
<Option name="ipt_iif"/>
|
|
<Option name="ipt_mark_connections">True</Option>
|
|
<Option name="ipt_oif"/>
|
|
<Option name="ipt_tee">False</Option>
|
|
<Option name="pf_fastroute">False</Option>
|
|
<Option name="pf_route_opt_addr"/>
|
|
<Option name="pf_route_opt_if"/>
|
|
<Option name="pf_route_option">Route through</Option>
|
|
<Option name="rule_name_accounting"/>
|
|
<Option name="tagobject_id">id449328D924380</Option>
|
|
<Option name="tagging">True</Option>
|
|
<Option name="classification">False</Option>
|
|
<Option name="routing">False</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<PolicyRule id="id55179X22068" disabled="False" group="" log="False" position="2" action="Accept" direction="Both" comment="This permits access from the internal network to the Internet and the DMZ">
|
|
<Src neg="False">
|
|
<ObjectRef ref="id3DC75CE7-1"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions/>
|
|
</PolicyRule>
|
|
<PolicyRule id="id55191X22068" disabled="False" position="3" direction="Both" action="Continue" log="False" comment="" group="">
|
|
<Src neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="id449328D824380"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="action_on_reject"/>
|
|
<Option name="branch_anchor_name"/>
|
|
<Option name="branch_chain_name"/>
|
|
<Option name="classify_str"/>
|
|
<Option name="custom_str"/>
|
|
<Option name="ipf_route_opt_addr"/>
|
|
<Option name="ipf_route_opt_if"/>
|
|
<Option name="ipf_route_option">Route through</Option>
|
|
<Option name="ipfw_classify_method">2</Option>
|
|
<Option name="ipfw_pipe_port_num">0</Option>
|
|
<Option name="ipfw_pipe_queue_num">0</Option>
|
|
<Option name="ipt_continue">True</Option>
|
|
<Option name="ipt_gw"/>
|
|
<Option name="ipt_iif"/>
|
|
<Option name="ipt_mark_connections">False</Option>
|
|
<Option name="ipt_oif">eth0</Option>
|
|
<Option name="ipt_tee">False</Option>
|
|
<Option name="pf_fastroute">False</Option>
|
|
<Option name="pf_route_opt_addr"/>
|
|
<Option name="pf_route_opt_if"/>
|
|
<Option name="pf_route_option">Route through</Option>
|
|
<Option name="rule_name_accounting"/>
|
|
<Option name="stateless">True</Option>
|
|
<Option name="tagging">False</Option>
|
|
<Option name="classification">False</Option>
|
|
<Option name="routing">True</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<PolicyRule id="id55203X22068" disabled="False" position="4" direction="Both" action="Continue" log="False" comment="" group="">
|
|
<Src neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="id449328D924380"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="action_on_reject"/>
|
|
<Option name="branch_anchor_name"/>
|
|
<Option name="branch_chain_name"/>
|
|
<Option name="classify_str"/>
|
|
<Option name="custom_str"/>
|
|
<Option name="ipf_route_opt_addr"/>
|
|
<Option name="ipf_route_opt_if"/>
|
|
<Option name="ipf_route_option">Route through</Option>
|
|
<Option name="ipfw_classify_method">2</Option>
|
|
<Option name="ipfw_pipe_port_num">0</Option>
|
|
<Option name="ipfw_pipe_queue_num">0</Option>
|
|
<Option name="ipt_continue">True</Option>
|
|
<Option name="ipt_gw"/>
|
|
<Option name="ipt_iif"/>
|
|
<Option name="ipt_mark_connections">False</Option>
|
|
<Option name="ipt_oif">eth2</Option>
|
|
<Option name="ipt_tee">False</Option>
|
|
<Option name="pf_fastroute">False</Option>
|
|
<Option name="pf_route_opt_addr"/>
|
|
<Option name="pf_route_opt_if"/>
|
|
<Option name="pf_route_option">Route through</Option>
|
|
<Option name="rule_name_accounting"/>
|
|
<Option name="stateless">True</Option>
|
|
<Option name="tagging">False</Option>
|
|
<Option name="classification">False</Option>
|
|
<Option name="routing">True</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<PolicyRule id="id55215X22068" disabled="False" group="" log="True" position="5" action="Deny" direction="Both" comment="">
|
|
<Src neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="stateless">True</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<PolicyRule id="id55227X22068" disabled="False" position="6" direction="Both" action="Continue" log="True" comment="" group="">
|
|
<Src neg="False">
|
|
<ObjectRef ref="id3DC75CE7-1"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="id3B665641"/>
|
|
<ObjectRef ref="id3B665643"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="action_on_reject"/>
|
|
<Option name="classify_str"/>
|
|
<Option name="custom_str"/>
|
|
<Option name="ipf_route_opt_addr"/>
|
|
<Option name="ipf_route_opt_if"/>
|
|
<Option name="ipf_route_option">route_through</Option>
|
|
<Option name="ipfw_classify_method">2</Option>
|
|
<Option name="ipfw_pipe_port_num">0</Option>
|
|
<Option name="ipfw_pipe_queue_num">0</Option>
|
|
<Option name="ipt_continue">False</Option>
|
|
<Option name="ipt_gw"/>
|
|
<Option name="ipt_iif"/>
|
|
<Option name="ipt_mark_connections">False</Option>
|
|
<Option name="ipt_oif"/>
|
|
<Option name="ipt_tee">False</Option>
|
|
<Option name="pf_fastroute">False</Option>
|
|
<Option name="pf_route_load_option">none</Option>
|
|
<Option name="pf_route_opt_addr"/>
|
|
<Option name="pf_route_opt_if"/>
|
|
<Option name="pf_route_option">route_through</Option>
|
|
<Option name="rule_name_accounting"/>
|
|
<Option name="stateless">False</Option>
|
|
<Option name="tagobject_id">id365999</Option>
|
|
<Option name="tagging">True</Option>
|
|
<Option name="classification">False</Option>
|
|
<Option name="routing">False</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<RuleSetOptions/>
|
|
</Policy>
|
|
<Routing id="id55257X22068" name="Routing" comment="" ro="False" ipv4_rule_set="False" ipv6_rule_set="False" top_rule_set="True">
|
|
<RuleSetOptions/>
|
|
</Routing>
|
|
<Interface id="id55120X22068" dedicated_failover="False" dyn="False" label="" mgmt="False" security_level="0" unnum="False" unprotected="False" name="eth0" comment="" ro="False">
|
|
<IPv4 id="id55123X22068" name="firewall40-2:eth0:ip" comment="This is a test address; change it to your real one" ro="False" address="192.0.2.1" netmask="255.255.255.0"/>
|
|
<InterfaceOptions/>
|
|
</Interface>
|
|
<Interface id="id55125X22068" dedicated_failover="False" dyn="False" label="loopback" mgmt="False" security_level="100" unnum="False" unprotected="False" name="lo" comment="" ro="False">
|
|
<IPv4 id="id55128X22068" name="firewall40-2:lo:ip" comment="" ro="False" address="127.0.0.1" netmask="255.0.0.0"/>
|
|
<InterfaceOptions/>
|
|
</Interface>
|
|
<Interface id="id55130X22068" dedicated_failover="False" dyn="False" label="" mgmt="False" security_level="0" unnum="False" unprotected="False" name="eth2" comment="" ro="False">
|
|
<IPv4 id="id55133X22068" name="firewall40-2:eth2:ip" comment="" ro="False" address="192.0.100.1" netmask="255.255.255.0"/>
|
|
<InterfaceOptions/>
|
|
</Interface>
|
|
<Interface id="id55135X22068" dedicated_failover="False" dyn="False" label="" mgmt="True" security_level="100" unnum="False" unprotected="False" name="eth1" comment="" ro="False">
|
|
<IPv4 id="id55138X22068" name="firewall40-2:eth1:ip" comment="" ro="False" address="192.168.1.1" netmask="255.255.255.0"/>
|
|
<InterfaceOptions/>
|
|
</Interface>
|
|
<Management address="192.168.1.1">
|
|
<SNMPManagement enabled="False" snmp_read_community="" snmp_write_community=""/>
|
|
<FWBDManagement enabled="False" identity="" port="-1"/>
|
|
<PolicyInstallScript arguments="" command="" enabled="False"/>
|
|
</Management>
|
|
<FirewallOptions>
|
|
<Option name="accept_established">True</Option>
|
|
<Option name="accept_new_tcp_with_no_syn">True</Option>
|
|
<Option name="action_on_reject"/>
|
|
<Option name="activationCmd"/>
|
|
<Option name="admUser"/>
|
|
<Option name="altAddress"/>
|
|
<Option name="bridging_fw">False</Option>
|
|
<Option name="check_shading">False</Option>
|
|
<Option name="clamp_mss_to_mtu">True</Option>
|
|
<Option name="classify_mark_terminating">False</Option>
|
|
<Option name="cmdline"/>
|
|
<Option name="compiler"/>
|
|
<Option name="configure_interfaces">True</Option>
|
|
<Option name="debug">False</Option>
|
|
<Option name="drop_invalid">False</Option>
|
|
<Option name="eliminate_duplicates">true</Option>
|
|
<Option name="enable_ipv6">False</Option>
|
|
<Option name="epilog_script"/>
|
|
<Option name="firewall_dir">/etc</Option>
|
|
<Option name="firewall_is_part_of_any_and_networks">True</Option>
|
|
<Option name="freebsd_ip_forward">1</Option>
|
|
<Option name="ignore_empty_groups">False</Option>
|
|
<Option name="in_out_code">true</Option>
|
|
<Option name="ipv4_6_order">ipv4_first</Option>
|
|
<Option name="limit_suffix"/>
|
|
<Option name="limit_value">0</Option>
|
|
<Option name="linux24_ip_forward">1</Option>
|
|
<Option name="load_modules">True</Option>
|
|
<Option name="local_nat">False</Option>
|
|
<Option name="log_all">False</Option>
|
|
<Option name="log_invalid">False</Option>
|
|
<Option name="log_ip_opt">False</Option>
|
|
<Option name="log_level">info</Option>
|
|
<Option name="log_prefix">RULE %N -- %A </Option>
|
|
<Option name="log_tcp_opt">False</Option>
|
|
<Option name="log_tcp_seq">False</Option>
|
|
<Option name="loopback_interface">lo0</Option>
|
|
<Option name="macosx_ip_forward">1</Option>
|
|
<Option name="manage_virtual_addr">True</Option>
|
|
<Option name="mgmt_addr"/>
|
|
<Option name="mgmt_ssh">False</Option>
|
|
<Option name="no_ipv6_default_policy">False</Option>
|
|
<Option name="openbsd_ip_forward">1</Option>
|
|
<Option name="output_file"/>
|
|
<Option name="pass_all_out">false</Option>
|
|
<Option name="pf_limit_frags">5000</Option>
|
|
<Option name="pf_limit_states">10000</Option>
|
|
<Option name="pf_scrub_maxmss">1460</Option>
|
|
<Option name="pf_timeout_frag">30</Option>
|
|
<Option name="pf_timeout_interval">10</Option>
|
|
<Option name="pix_add_clear_statements">true</Option>
|
|
<Option name="pix_assume_fw_part_of_any">true</Option>
|
|
<Option name="pix_default_logint">300</Option>
|
|
<Option name="pix_emblem_log_format">false</Option>
|
|
<Option name="pix_emulate_out_acl">true</Option>
|
|
<Option name="pix_floodguard">true</Option>
|
|
<Option name="pix_include_comments">true</Option>
|
|
<Option name="pix_route_dnat_supported">true</Option>
|
|
<Option name="pix_rule_syslog_settings">false</Option>
|
|
<Option name="pix_security_fragguard_supported">true</Option>
|
|
<Option name="pix_syslog_device_id_supported">false</Option>
|
|
<Option name="pix_use_acl_remarks">true</Option>
|
|
<Option name="prolog_place">top</Option>
|
|
<Option name="prolog_script"/>
|
|
<Option name="prompt1">$ </Option>
|
|
<Option name="prompt2"> # </Option>
|
|
<Option name="solaris_ip_forward">1</Option>
|
|
<Option name="sshArgs"/>
|
|
<Option name="ulog_cprange">0</Option>
|
|
<Option name="ulog_nlgroup">1</Option>
|
|
<Option name="ulog_qthreshold">1</Option>
|
|
<Option name="use_ULOG">False</Option>
|
|
<Option name="use_iptables_restore">False</Option>
|
|
<Option name="use_numeric_log_levels">False</Option>
|
|
<Option name="verify_interfaces">True</Option>
|
|
</FirewallOptions>
|
|
</Firewall>
|
|
<Firewall id="id55404X17308" host_OS="linux24" lastCompiled="1275496386" lastInstalled="0" lastModified="1275496350" platform="iptables" name="firewall33-1" comment="" ro="False">
|
|
<NAT id="id55408X17308" name="NAT" comment="" ro="False" ipv4_rule_set="False" ipv6_rule_set="False" top_rule_set="True">
|
|
<RuleSetOptions/>
|
|
</NAT>
|
|
<Policy id="id55406X17308" name="Policy" comment="" ro="False" ipv4_rule_set="False" ipv6_rule_set="False" top_rule_set="True">
|
|
<PolicyRule id="id55421X17308" disabled="False" group="" log="False" position="0" action="Branch" direction="Both" comment="Branches to firewall33:Policy, which uses DNSName objects; this tests bug 1485">
|
|
<Src neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="action_on_reject"/>
|
|
<Option name="branch_id">id43867C1618346</Option>
|
|
<Option name="classify_str"/>
|
|
<Option name="custom_str"/>
|
|
<Option name="ipf_route_opt_addr"/>
|
|
<Option name="ipf_route_opt_if"/>
|
|
<Option name="ipf_route_option">route_through</Option>
|
|
<Option name="ipfw_classify_method">2</Option>
|
|
<Option name="ipfw_pipe_port_num">0</Option>
|
|
<Option name="ipfw_pipe_queue_num">0</Option>
|
|
<Option name="ipt_branch_in_mangle">False</Option>
|
|
<Option name="ipt_continue">False</Option>
|
|
<Option name="ipt_gw"/>
|
|
<Option name="ipt_iif"/>
|
|
<Option name="ipt_mark_connections">False</Option>
|
|
<Option name="ipt_oif"/>
|
|
<Option name="ipt_tee">False</Option>
|
|
<Option name="pf_fastroute">False</Option>
|
|
<Option name="pf_route_load_option">none</Option>
|
|
<Option name="pf_route_opt_addr"/>
|
|
<Option name="pf_route_opt_if"/>
|
|
<Option name="pf_route_option">none</Option>
|
|
<Option name="rule_name_accounting"/>
|
|
<Option name="stateless">True</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<RuleSetOptions/>
|
|
</Policy>
|
|
<Routing id="id55410X17308" name="Routing" comment="" ro="False" ipv4_rule_set="False" ipv6_rule_set="False" top_rule_set="True">
|
|
<RuleSetOptions/>
|
|
</Routing>
|
|
<Interface id="id55412X17308" dedicated_failover="False" dyn="False" label="" security_level="0" unnum="False" unprotected="False" name="eth0" comment="" ro="False">
|
|
<IPv4 id="id55413X17308" name="firewall33-1:eth0:ip" comment="" ro="False" address="192.0.2.1" netmask="255.255.255.0"/>
|
|
<InterfaceOptions/>
|
|
</Interface>
|
|
<Interface id="id55414X17308" dedicated_failover="False" dyn="False" label="" security_level="100" unnum="False" unprotected="False" name="eth1" comment="" ro="False">
|
|
<IPv4 id="id55415X17308" name="firewall33-1:eth1:ip" comment="" ro="False" address="192.168.1.1" netmask="255.255.255.0"/>
|
|
<InterfaceOptions/>
|
|
</Interface>
|
|
<Management address="0.0.0.0">
|
|
<SNMPManagement enabled="False" snmp_read_community="" snmp_write_community=""/>
|
|
<FWBDManagement enabled="False" identity="" port="-1"/>
|
|
<PolicyInstallScript arguments="" command="" enabled="False"/>
|
|
</Management>
|
|
<FirewallOptions>
|
|
<Option name="accept_established">True</Option>
|
|
<Option name="accept_new_tcp_with_no_syn">True</Option>
|
|
<Option name="action_on_reject"/>
|
|
<Option name="activationCmd"/>
|
|
<Option name="add_mgmt_ssh_rule_when_stoped">False</Option>
|
|
<Option name="add_rules_for_ipv6_neighbor_discovery">False</Option>
|
|
<Option name="admUser"/>
|
|
<Option name="altAddress"/>
|
|
<Option name="bridging_fw">False</Option>
|
|
<Option name="check_shading">True</Option>
|
|
<Option name="clamp_mss_to_mtu">False</Option>
|
|
<Option name="classify_mark_terminating">False</Option>
|
|
<Option name="clear_unknown_interfaces">False</Option>
|
|
<Option name="cmdline">-xt</Option>
|
|
<Option name="compiler"/>
|
|
<Option name="configure_bonding_interfaces">False</Option>
|
|
<Option name="configure_bridge_interfaces">False</Option>
|
|
<Option name="configure_interfaces">True</Option>
|
|
<Option name="configure_vlan_interfaces">False</Option>
|
|
<Option name="debug">False</Option>
|
|
<Option name="drop_invalid">False</Option>
|
|
<Option name="epilog_script"/>
|
|
<Option name="firewall_dir"/>
|
|
<Option name="firewall_is_part_of_any_and_networks">True</Option>
|
|
<Option name="flush_and_set_default_policy">True</Option>
|
|
<Option name="ignore_empty_groups">False</Option>
|
|
<Option name="ipv4_6_order">ipv4_first</Option>
|
|
<Option name="limit_suffix"/>
|
|
<Option name="limit_value">0</Option>
|
|
<Option name="linux24_ip_forward">1</Option>
|
|
<Option name="load_modules">True</Option>
|
|
<Option name="local_nat">False</Option>
|
|
<Option name="log_all">False</Option>
|
|
<Option name="log_invalid">False</Option>
|
|
<Option name="log_ip_opt">False</Option>
|
|
<Option name="log_level">info</Option>
|
|
<Option name="log_prefix">RULE %N -- %A </Option>
|
|
<Option name="log_tcp_opt">False</Option>
|
|
<Option name="log_tcp_seq">False</Option>
|
|
<Option name="loopback_interface">lo</Option>
|
|
<Option name="manage_virtual_addr">True</Option>
|
|
<Option name="mgmt_addr"/>
|
|
<Option name="mgmt_ssh">False</Option>
|
|
<Option name="modules_dir">/lib/modules/`uname -r`/kernel/net/</Option>
|
|
<Option name="output_file"/>
|
|
<Option name="prolog_place">top</Option>
|
|
<Option name="prolog_script"/>
|
|
<Option name="scpArgs"/>
|
|
<Option name="script_name_on_firewall"/>
|
|
<Option name="sshArgs"/>
|
|
<Option name="ulog_cprange">0</Option>
|
|
<Option name="ulog_nlgroup">1</Option>
|
|
<Option name="ulog_qthreshold">1</Option>
|
|
<Option name="use_ULOG">False</Option>
|
|
<Option name="use_iptables_restore">False</Option>
|
|
<Option name="use_numeric_log_levels">False</Option>
|
|
<Option name="verify_interfaces">True</Option>
|
|
</FirewallOptions>
|
|
</Firewall>
|
|
<Firewall id="id654160X7324" host_OS="linux24" inactive="False" lastCompiled="1280426747" lastInstalled="0" lastModified="1276815782" platform="iptables" version="1.4.0" name="firewall-ipv6-8" comment="matching multicast with different directions" ro="False">
|
|
<NAT id="id654194X7324" name="NAT" comment="" ro="False" ipv4_rule_set="True" ipv6_rule_set="True" top_rule_set="True">
|
|
<RuleSetOptions/>
|
|
</NAT>
|
|
<Policy id="id654178X7324" name="Policy" comment="" ro="False" ipv4_rule_set="False" ipv6_rule_set="True" top_rule_set="True">
|
|
<RuleSetOptions>
|
|
<Option name="mangle_only_rule_set">False</Option>
|
|
</RuleSetOptions>
|
|
</Policy>
|
|
<Policy id="id1825747X7324" name="Policy_v6" comment="" ro="False" ipv4_rule_set="False" ipv6_rule_set="True" top_rule_set="True">
|
|
<PolicyRule id="id4536389X7324" disabled="False" group="fw is part of any and networks is OFF" log="False" position="0" action="Accept" direction="Both" comment="see #1523">
|
|
<Src neg="False">
|
|
<ObjectRef ref="id2383X75851"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="id2383X75851"/>
|
|
<ObjectRef ref="id2685X75851"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="id654168X7324"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="color">#C86E6E</Option>
|
|
<Option name="connlimit_above_not">False</Option>
|
|
<Option name="connlimit_masklen">0</Option>
|
|
<Option name="connlimit_value">0</Option>
|
|
<Option name="firewall_is_part_of_any_and_networks">0</Option>
|
|
<Option name="hashlimit_burst">0</Option>
|
|
<Option name="hashlimit_dstlimit">False</Option>
|
|
<Option name="hashlimit_expire">0</Option>
|
|
<Option name="hashlimit_gcinterval">0</Option>
|
|
<Option name="hashlimit_max">0</Option>
|
|
<Option name="hashlimit_mode_dstip">False</Option>
|
|
<Option name="hashlimit_mode_dstport">False</Option>
|
|
<Option name="hashlimit_mode_srcip">False</Option>
|
|
<Option name="hashlimit_mode_srcport">False</Option>
|
|
<Option name="hashlimit_name"/>
|
|
<Option name="hashlimit_size">0</Option>
|
|
<Option name="hashlimit_suffix"/>
|
|
<Option name="hashlimit_value">0</Option>
|
|
<Option name="limit_burst">0</Option>
|
|
<Option name="limit_suffix"/>
|
|
<Option name="limit_value">0</Option>
|
|
<Option name="limit_value_not">False</Option>
|
|
<Option name="log_level"/>
|
|
<Option name="log_prefix"/>
|
|
<Option name="stateless">True</Option>
|
|
<Option name="ulog_nlgroup">1</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<PolicyRule id="id395092X14549" disabled="False" group="fw is part of any and networks is OFF" log="False" position="1" action="Accept" direction="Inbound" comment="see #1523">
|
|
<Src neg="False">
|
|
<ObjectRef ref="id2383X75851"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="id2685X75851"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="id654168X7324"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="color">#C86E6E</Option>
|
|
<Option name="connlimit_above_not">False</Option>
|
|
<Option name="connlimit_masklen">0</Option>
|
|
<Option name="connlimit_value">0</Option>
|
|
<Option name="firewall_is_part_of_any_and_networks">0</Option>
|
|
<Option name="hashlimit_burst">0</Option>
|
|
<Option name="hashlimit_dstlimit">False</Option>
|
|
<Option name="hashlimit_expire">0</Option>
|
|
<Option name="hashlimit_gcinterval">0</Option>
|
|
<Option name="hashlimit_max">0</Option>
|
|
<Option name="hashlimit_mode_dstip">False</Option>
|
|
<Option name="hashlimit_mode_dstport">False</Option>
|
|
<Option name="hashlimit_mode_srcip">False</Option>
|
|
<Option name="hashlimit_mode_srcport">False</Option>
|
|
<Option name="hashlimit_name"/>
|
|
<Option name="hashlimit_size">0</Option>
|
|
<Option name="hashlimit_suffix"/>
|
|
<Option name="hashlimit_value">0</Option>
|
|
<Option name="limit_burst">0</Option>
|
|
<Option name="limit_suffix"/>
|
|
<Option name="limit_value">0</Option>
|
|
<Option name="limit_value_not">False</Option>
|
|
<Option name="log_level"/>
|
|
<Option name="log_prefix"/>
|
|
<Option name="stateless">True</Option>
|
|
<Option name="ulog_nlgroup">1</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<PolicyRule id="id4536436X7324" disabled="False" group="fw is part of any and networks is OFF" log="False" position="2" action="Accept" direction="Outbound" comment="see #1523">
|
|
<Src neg="False">
|
|
<ObjectRef ref="id2383X75851"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="id2685X75851"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="id654168X7324"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="color">#C86E6E</Option>
|
|
<Option name="connlimit_above_not">False</Option>
|
|
<Option name="connlimit_masklen">0</Option>
|
|
<Option name="connlimit_value">0</Option>
|
|
<Option name="firewall_is_part_of_any_and_networks">0</Option>
|
|
<Option name="hashlimit_burst">0</Option>
|
|
<Option name="hashlimit_dstlimit">False</Option>
|
|
<Option name="hashlimit_expire">0</Option>
|
|
<Option name="hashlimit_gcinterval">0</Option>
|
|
<Option name="hashlimit_max">0</Option>
|
|
<Option name="hashlimit_mode_dstip">False</Option>
|
|
<Option name="hashlimit_mode_dstport">False</Option>
|
|
<Option name="hashlimit_mode_srcip">False</Option>
|
|
<Option name="hashlimit_mode_srcport">False</Option>
|
|
<Option name="hashlimit_name"/>
|
|
<Option name="hashlimit_size">0</Option>
|
|
<Option name="hashlimit_suffix"/>
|
|
<Option name="hashlimit_value">0</Option>
|
|
<Option name="limit_burst">0</Option>
|
|
<Option name="limit_suffix"/>
|
|
<Option name="limit_value">0</Option>
|
|
<Option name="limit_value_not">False</Option>
|
|
<Option name="log_level"/>
|
|
<Option name="log_prefix"/>
|
|
<Option name="stateless">True</Option>
|
|
<Option name="ulog_nlgroup">1</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<PolicyRule id="id3110548X16199" disabled="False" group="fw is part of any and networks is OFF" log="False" position="3" action="Accept" direction="Outbound" comment="see #1523">
|
|
<Src neg="False">
|
|
<ObjectRef ref="id3110516X16199"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="id2685X75851"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="id654168X7324"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="color">#C86E6E</Option>
|
|
<Option name="connlimit_above_not">False</Option>
|
|
<Option name="connlimit_masklen">0</Option>
|
|
<Option name="connlimit_value">0</Option>
|
|
<Option name="firewall_is_part_of_any_and_networks">0</Option>
|
|
<Option name="hashlimit_burst">0</Option>
|
|
<Option name="hashlimit_dstlimit">False</Option>
|
|
<Option name="hashlimit_expire">0</Option>
|
|
<Option name="hashlimit_gcinterval">0</Option>
|
|
<Option name="hashlimit_max">0</Option>
|
|
<Option name="hashlimit_mode_dstip">False</Option>
|
|
<Option name="hashlimit_mode_dstport">False</Option>
|
|
<Option name="hashlimit_mode_srcip">False</Option>
|
|
<Option name="hashlimit_mode_srcport">False</Option>
|
|
<Option name="hashlimit_name"/>
|
|
<Option name="hashlimit_size">0</Option>
|
|
<Option name="hashlimit_suffix"/>
|
|
<Option name="hashlimit_value">0</Option>
|
|
<Option name="limit_burst">0</Option>
|
|
<Option name="limit_suffix"/>
|
|
<Option name="limit_value">0</Option>
|
|
<Option name="limit_value_not">False</Option>
|
|
<Option name="log_level"/>
|
|
<Option name="log_prefix"/>
|
|
<Option name="stateless">True</Option>
|
|
<Option name="ulog_nlgroup">1</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<PolicyRule id="id2091305X16199" disabled="False" group="fw is part of any and networks is OFF" log="False" position="4" action="Accept" direction="Outbound" comment="see #1523">
|
|
<Src neg="False">
|
|
<ObjectRef ref="id654160X7324"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="id2685X75851"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="id654168X7324"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="color">#C86E6E</Option>
|
|
<Option name="connlimit_above_not">False</Option>
|
|
<Option name="connlimit_masklen">0</Option>
|
|
<Option name="connlimit_value">0</Option>
|
|
<Option name="firewall_is_part_of_any_and_networks">0</Option>
|
|
<Option name="hashlimit_burst">0</Option>
|
|
<Option name="hashlimit_dstlimit">False</Option>
|
|
<Option name="hashlimit_expire">0</Option>
|
|
<Option name="hashlimit_gcinterval">0</Option>
|
|
<Option name="hashlimit_max">0</Option>
|
|
<Option name="hashlimit_mode_dstip">False</Option>
|
|
<Option name="hashlimit_mode_dstport">False</Option>
|
|
<Option name="hashlimit_mode_srcip">False</Option>
|
|
<Option name="hashlimit_mode_srcport">False</Option>
|
|
<Option name="hashlimit_name"/>
|
|
<Option name="hashlimit_size">0</Option>
|
|
<Option name="hashlimit_suffix"/>
|
|
<Option name="hashlimit_value">0</Option>
|
|
<Option name="limit_burst">0</Option>
|
|
<Option name="limit_suffix"/>
|
|
<Option name="limit_value">0</Option>
|
|
<Option name="limit_value_not">False</Option>
|
|
<Option name="log_level"/>
|
|
<Option name="log_prefix"/>
|
|
<Option name="stateless">True</Option>
|
|
<Option name="ulog_nlgroup">1</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<PolicyRule id="id2091259X16199" disabled="False" group="fw is part of any and networks is OFF" log="False" position="5" action="Accept" direction="Outbound" comment="see #1523">
|
|
<Src neg="False">
|
|
<ObjectRef ref="id654168X7324"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="id2685X75851"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="id654168X7324"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="color">#C86E6E</Option>
|
|
<Option name="connlimit_above_not">False</Option>
|
|
<Option name="connlimit_masklen">0</Option>
|
|
<Option name="connlimit_value">0</Option>
|
|
<Option name="firewall_is_part_of_any_and_networks">0</Option>
|
|
<Option name="hashlimit_burst">0</Option>
|
|
<Option name="hashlimit_dstlimit">False</Option>
|
|
<Option name="hashlimit_expire">0</Option>
|
|
<Option name="hashlimit_gcinterval">0</Option>
|
|
<Option name="hashlimit_max">0</Option>
|
|
<Option name="hashlimit_mode_dstip">False</Option>
|
|
<Option name="hashlimit_mode_dstport">False</Option>
|
|
<Option name="hashlimit_mode_srcip">False</Option>
|
|
<Option name="hashlimit_mode_srcport">False</Option>
|
|
<Option name="hashlimit_name"/>
|
|
<Option name="hashlimit_size">0</Option>
|
|
<Option name="hashlimit_suffix"/>
|
|
<Option name="hashlimit_value">0</Option>
|
|
<Option name="limit_burst">0</Option>
|
|
<Option name="limit_suffix"/>
|
|
<Option name="limit_value">0</Option>
|
|
<Option name="limit_value_not">False</Option>
|
|
<Option name="log_level"/>
|
|
<Option name="log_prefix"/>
|
|
<Option name="stateless">True</Option>
|
|
<Option name="ulog_nlgroup">1</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<PolicyRule id="id1751929X16199" disabled="False" group="fw is part of any and networks is OFF" log="False" position="6" action="Accept" direction="Outbound" comment="see #1523">
|
|
<Src neg="False">
|
|
<ObjectRef ref="id654173X7324"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="id2685X75851"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="id654168X7324"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="color">#C86E6E</Option>
|
|
<Option name="connlimit_above_not">False</Option>
|
|
<Option name="connlimit_masklen">0</Option>
|
|
<Option name="connlimit_value">0</Option>
|
|
<Option name="firewall_is_part_of_any_and_networks">0</Option>
|
|
<Option name="hashlimit_burst">0</Option>
|
|
<Option name="hashlimit_dstlimit">False</Option>
|
|
<Option name="hashlimit_expire">0</Option>
|
|
<Option name="hashlimit_gcinterval">0</Option>
|
|
<Option name="hashlimit_max">0</Option>
|
|
<Option name="hashlimit_mode_dstip">False</Option>
|
|
<Option name="hashlimit_mode_dstport">False</Option>
|
|
<Option name="hashlimit_mode_srcip">False</Option>
|
|
<Option name="hashlimit_mode_srcport">False</Option>
|
|
<Option name="hashlimit_name"/>
|
|
<Option name="hashlimit_size">0</Option>
|
|
<Option name="hashlimit_suffix"/>
|
|
<Option name="hashlimit_value">0</Option>
|
|
<Option name="limit_burst">0</Option>
|
|
<Option name="limit_suffix"/>
|
|
<Option name="limit_value">0</Option>
|
|
<Option name="limit_value_not">False</Option>
|
|
<Option name="log_level"/>
|
|
<Option name="log_prefix"/>
|
|
<Option name="stateless">True</Option>
|
|
<Option name="ulog_nlgroup">1</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<PolicyRule id="id2095965X26084" disabled="False" group="fw is part of any and networks is ON" log="False" position="7" action="Accept" direction="Both" comment="see #1523">
|
|
<Src neg="False">
|
|
<ObjectRef ref="id2383X75851"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="id2383X75851"/>
|
|
<ObjectRef ref="id2685X75851"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="id654168X7324"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="color">#C0BA44</Option>
|
|
<Option name="connlimit_above_not">False</Option>
|
|
<Option name="connlimit_masklen">0</Option>
|
|
<Option name="connlimit_value">0</Option>
|
|
<Option name="firewall_is_part_of_any_and_networks">1</Option>
|
|
<Option name="hashlimit_burst">0</Option>
|
|
<Option name="hashlimit_dstlimit">False</Option>
|
|
<Option name="hashlimit_expire">0</Option>
|
|
<Option name="hashlimit_gcinterval">0</Option>
|
|
<Option name="hashlimit_max">0</Option>
|
|
<Option name="hashlimit_mode_dstip">False</Option>
|
|
<Option name="hashlimit_mode_dstport">False</Option>
|
|
<Option name="hashlimit_mode_srcip">False</Option>
|
|
<Option name="hashlimit_mode_srcport">False</Option>
|
|
<Option name="hashlimit_name"/>
|
|
<Option name="hashlimit_size">0</Option>
|
|
<Option name="hashlimit_suffix"/>
|
|
<Option name="hashlimit_value">0</Option>
|
|
<Option name="limit_burst">0</Option>
|
|
<Option name="limit_suffix"/>
|
|
<Option name="limit_value">0</Option>
|
|
<Option name="limit_value_not">False</Option>
|
|
<Option name="log_level"/>
|
|
<Option name="log_prefix"/>
|
|
<Option name="stateless">True</Option>
|
|
<Option name="ulog_nlgroup">1</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<PolicyRule id="id2096012X26084" disabled="False" group="fw is part of any and networks is ON" log="False" position="8" action="Accept" direction="Inbound" comment="see #1523">
|
|
<Src neg="False">
|
|
<ObjectRef ref="id2383X75851"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="id2685X75851"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="id654168X7324"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="color">#C0BA44</Option>
|
|
<Option name="connlimit_above_not">False</Option>
|
|
<Option name="connlimit_masklen">0</Option>
|
|
<Option name="connlimit_value">0</Option>
|
|
<Option name="firewall_is_part_of_any_and_networks">1</Option>
|
|
<Option name="hashlimit_burst">0</Option>
|
|
<Option name="hashlimit_dstlimit">False</Option>
|
|
<Option name="hashlimit_expire">0</Option>
|
|
<Option name="hashlimit_gcinterval">0</Option>
|
|
<Option name="hashlimit_max">0</Option>
|
|
<Option name="hashlimit_mode_dstip">False</Option>
|
|
<Option name="hashlimit_mode_dstport">False</Option>
|
|
<Option name="hashlimit_mode_srcip">False</Option>
|
|
<Option name="hashlimit_mode_srcport">False</Option>
|
|
<Option name="hashlimit_name"/>
|
|
<Option name="hashlimit_size">0</Option>
|
|
<Option name="hashlimit_suffix"/>
|
|
<Option name="hashlimit_value">0</Option>
|
|
<Option name="limit_burst">0</Option>
|
|
<Option name="limit_suffix"/>
|
|
<Option name="limit_value">0</Option>
|
|
<Option name="limit_value_not">False</Option>
|
|
<Option name="log_level"/>
|
|
<Option name="log_prefix"/>
|
|
<Option name="stateless">True</Option>
|
|
<Option name="ulog_nlgroup">1</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<PolicyRule id="id2096058X26084" disabled="False" group="fw is part of any and networks is ON" log="False" position="9" action="Accept" direction="Outbound" comment="see #1523">
|
|
<Src neg="False">
|
|
<ObjectRef ref="id2383X75851"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="id2685X75851"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="id654168X7324"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="color">#C0BA44</Option>
|
|
<Option name="connlimit_above_not">False</Option>
|
|
<Option name="connlimit_masklen">0</Option>
|
|
<Option name="connlimit_value">0</Option>
|
|
<Option name="firewall_is_part_of_any_and_networks">1</Option>
|
|
<Option name="hashlimit_burst">0</Option>
|
|
<Option name="hashlimit_dstlimit">False</Option>
|
|
<Option name="hashlimit_expire">0</Option>
|
|
<Option name="hashlimit_gcinterval">0</Option>
|
|
<Option name="hashlimit_max">0</Option>
|
|
<Option name="hashlimit_mode_dstip">False</Option>
|
|
<Option name="hashlimit_mode_dstport">False</Option>
|
|
<Option name="hashlimit_mode_srcip">False</Option>
|
|
<Option name="hashlimit_mode_srcport">False</Option>
|
|
<Option name="hashlimit_name"/>
|
|
<Option name="hashlimit_size">0</Option>
|
|
<Option name="hashlimit_suffix"/>
|
|
<Option name="hashlimit_value">0</Option>
|
|
<Option name="limit_burst">0</Option>
|
|
<Option name="limit_suffix"/>
|
|
<Option name="limit_value">0</Option>
|
|
<Option name="limit_value_not">False</Option>
|
|
<Option name="log_level"/>
|
|
<Option name="log_prefix"/>
|
|
<Option name="stateless">True</Option>
|
|
<Option name="ulog_nlgroup">1</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<PolicyRule id="id2096104X26084" disabled="False" group="fw is part of any and networks is ON" log="False" position="10" action="Accept" direction="Outbound" comment="see #1523">
|
|
<Src neg="False">
|
|
<ObjectRef ref="id3110516X16199"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="id2685X75851"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="id654168X7324"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="color">#C0BA44</Option>
|
|
<Option name="connlimit_above_not">False</Option>
|
|
<Option name="connlimit_masklen">0</Option>
|
|
<Option name="connlimit_value">0</Option>
|
|
<Option name="firewall_is_part_of_any_and_networks">1</Option>
|
|
<Option name="hashlimit_burst">0</Option>
|
|
<Option name="hashlimit_dstlimit">False</Option>
|
|
<Option name="hashlimit_expire">0</Option>
|
|
<Option name="hashlimit_gcinterval">0</Option>
|
|
<Option name="hashlimit_max">0</Option>
|
|
<Option name="hashlimit_mode_dstip">False</Option>
|
|
<Option name="hashlimit_mode_dstport">False</Option>
|
|
<Option name="hashlimit_mode_srcip">False</Option>
|
|
<Option name="hashlimit_mode_srcport">False</Option>
|
|
<Option name="hashlimit_name"/>
|
|
<Option name="hashlimit_size">0</Option>
|
|
<Option name="hashlimit_suffix"/>
|
|
<Option name="hashlimit_value">0</Option>
|
|
<Option name="limit_burst">0</Option>
|
|
<Option name="limit_suffix"/>
|
|
<Option name="limit_value">0</Option>
|
|
<Option name="limit_value_not">False</Option>
|
|
<Option name="log_level"/>
|
|
<Option name="log_prefix"/>
|
|
<Option name="stateless">True</Option>
|
|
<Option name="ulog_nlgroup">1</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<PolicyRule id="id2096150X26084" disabled="False" group="fw is part of any and networks is ON" log="False" position="11" action="Accept" direction="Outbound" comment="see #1523">
|
|
<Src neg="False">
|
|
<ObjectRef ref="id654160X7324"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="id2685X75851"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="id654168X7324"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="color">#C0BA44</Option>
|
|
<Option name="connlimit_above_not">False</Option>
|
|
<Option name="connlimit_masklen">0</Option>
|
|
<Option name="connlimit_value">0</Option>
|
|
<Option name="firewall_is_part_of_any_and_networks">1</Option>
|
|
<Option name="hashlimit_burst">0</Option>
|
|
<Option name="hashlimit_dstlimit">False</Option>
|
|
<Option name="hashlimit_expire">0</Option>
|
|
<Option name="hashlimit_gcinterval">0</Option>
|
|
<Option name="hashlimit_max">0</Option>
|
|
<Option name="hashlimit_mode_dstip">False</Option>
|
|
<Option name="hashlimit_mode_dstport">False</Option>
|
|
<Option name="hashlimit_mode_srcip">False</Option>
|
|
<Option name="hashlimit_mode_srcport">False</Option>
|
|
<Option name="hashlimit_name"/>
|
|
<Option name="hashlimit_size">0</Option>
|
|
<Option name="hashlimit_suffix"/>
|
|
<Option name="hashlimit_value">0</Option>
|
|
<Option name="limit_burst">0</Option>
|
|
<Option name="limit_suffix"/>
|
|
<Option name="limit_value">0</Option>
|
|
<Option name="limit_value_not">False</Option>
|
|
<Option name="log_level"/>
|
|
<Option name="log_prefix"/>
|
|
<Option name="stateless">True</Option>
|
|
<Option name="ulog_nlgroup">1</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<PolicyRule id="id2096196X26084" disabled="False" group="fw is part of any and networks is ON" log="False" position="12" action="Accept" direction="Outbound" comment="see #1523">
|
|
<Src neg="False">
|
|
<ObjectRef ref="id654168X7324"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="id2685X75851"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="id654168X7324"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="color">#C0BA44</Option>
|
|
<Option name="connlimit_above_not">False</Option>
|
|
<Option name="connlimit_masklen">0</Option>
|
|
<Option name="connlimit_value">0</Option>
|
|
<Option name="firewall_is_part_of_any_and_networks">1</Option>
|
|
<Option name="hashlimit_burst">0</Option>
|
|
<Option name="hashlimit_dstlimit">False</Option>
|
|
<Option name="hashlimit_expire">0</Option>
|
|
<Option name="hashlimit_gcinterval">0</Option>
|
|
<Option name="hashlimit_max">0</Option>
|
|
<Option name="hashlimit_mode_dstip">False</Option>
|
|
<Option name="hashlimit_mode_dstport">False</Option>
|
|
<Option name="hashlimit_mode_srcip">False</Option>
|
|
<Option name="hashlimit_mode_srcport">False</Option>
|
|
<Option name="hashlimit_name"/>
|
|
<Option name="hashlimit_size">0</Option>
|
|
<Option name="hashlimit_suffix"/>
|
|
<Option name="hashlimit_value">0</Option>
|
|
<Option name="limit_burst">0</Option>
|
|
<Option name="limit_suffix"/>
|
|
<Option name="limit_value">0</Option>
|
|
<Option name="limit_value_not">False</Option>
|
|
<Option name="log_level"/>
|
|
<Option name="log_prefix"/>
|
|
<Option name="stateless">True</Option>
|
|
<Option name="ulog_nlgroup">1</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<PolicyRule id="id2096242X26084" disabled="False" group="fw is part of any and networks is ON" log="False" position="13" action="Accept" direction="Outbound" comment="see #1523">
|
|
<Src neg="False">
|
|
<ObjectRef ref="id654173X7324"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="id2685X75851"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="id654168X7324"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="color">#C0BA44</Option>
|
|
<Option name="connlimit_above_not">False</Option>
|
|
<Option name="connlimit_masklen">0</Option>
|
|
<Option name="connlimit_value">0</Option>
|
|
<Option name="firewall_is_part_of_any_and_networks">1</Option>
|
|
<Option name="hashlimit_burst">0</Option>
|
|
<Option name="hashlimit_dstlimit">False</Option>
|
|
<Option name="hashlimit_expire">0</Option>
|
|
<Option name="hashlimit_gcinterval">0</Option>
|
|
<Option name="hashlimit_max">0</Option>
|
|
<Option name="hashlimit_mode_dstip">False</Option>
|
|
<Option name="hashlimit_mode_dstport">False</Option>
|
|
<Option name="hashlimit_mode_srcip">False</Option>
|
|
<Option name="hashlimit_mode_srcport">False</Option>
|
|
<Option name="hashlimit_name"/>
|
|
<Option name="hashlimit_size">0</Option>
|
|
<Option name="hashlimit_suffix"/>
|
|
<Option name="hashlimit_value">0</Option>
|
|
<Option name="limit_burst">0</Option>
|
|
<Option name="limit_suffix"/>
|
|
<Option name="limit_value">0</Option>
|
|
<Option name="limit_value_not">False</Option>
|
|
<Option name="log_level"/>
|
|
<Option name="log_prefix"/>
|
|
<Option name="stateless">True</Option>
|
|
<Option name="ulog_nlgroup">1</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<PolicyRule id="id1825823X7324" disabled="False" group="" log="False" position="14" action="Branch" direction="Both" comment="">
|
|
<Src neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="id654834X7324"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="action_on_reject"/>
|
|
<Option name="branch_id">id1825785X7324</Option>
|
|
<Option name="classify_str"/>
|
|
<Option name="custom_str"/>
|
|
<Option name="ipf_route_opt_addr"/>
|
|
<Option name="ipf_route_opt_if"/>
|
|
<Option name="ipf_route_option">route_through</Option>
|
|
<Option name="ipfw_classify_method">2</Option>
|
|
<Option name="ipfw_pipe_port_num">0</Option>
|
|
<Option name="ipfw_pipe_queue_num">0</Option>
|
|
<Option name="ipt_branch_in_mangle">False</Option>
|
|
<Option name="ipt_continue">False</Option>
|
|
<Option name="ipt_gw"/>
|
|
<Option name="ipt_iif"/>
|
|
<Option name="ipt_mark_connections">False</Option>
|
|
<Option name="ipt_oif"/>
|
|
<Option name="ipt_tee">False</Option>
|
|
<Option name="pf_fastroute">False</Option>
|
|
<Option name="pf_route_load_option">none</Option>
|
|
<Option name="pf_route_opt_addr"/>
|
|
<Option name="pf_route_opt_if"/>
|
|
<Option name="pf_route_option">none</Option>
|
|
<Option name="rule_name_accounting"/>
|
|
<Option name="stateless">True</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<PolicyRule id="id2164144X7324" disabled="False" group="" log="False" position="15" action="Branch" direction="Both" comment="">
|
|
<Src neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="id654834X7324"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="id654168X7324"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="action_on_reject"/>
|
|
<Option name="branch_id">id1825785X7324</Option>
|
|
<Option name="classify_str"/>
|
|
<Option name="custom_str"/>
|
|
<Option name="ipf_route_opt_addr"/>
|
|
<Option name="ipf_route_opt_if"/>
|
|
<Option name="ipf_route_option">route_through</Option>
|
|
<Option name="ipfw_classify_method">2</Option>
|
|
<Option name="ipfw_pipe_port_num">0</Option>
|
|
<Option name="ipfw_pipe_queue_num">0</Option>
|
|
<Option name="ipt_branch_in_mangle">False</Option>
|
|
<Option name="ipt_continue">False</Option>
|
|
<Option name="ipt_gw"/>
|
|
<Option name="ipt_iif"/>
|
|
<Option name="ipt_mark_connections">False</Option>
|
|
<Option name="ipt_oif"/>
|
|
<Option name="ipt_tee">False</Option>
|
|
<Option name="pf_fastroute">False</Option>
|
|
<Option name="pf_route_load_option">none</Option>
|
|
<Option name="pf_route_opt_addr"/>
|
|
<Option name="pf_route_opt_if"/>
|
|
<Option name="pf_route_option">none</Option>
|
|
<Option name="rule_name_accounting"/>
|
|
<Option name="stateless">True</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<RuleSetOptions>
|
|
<Option name="mangle_only_rule_set">False</Option>
|
|
</RuleSetOptions>
|
|
</Policy>
|
|
<Policy id="id1825785X7324" name="Policy_OSPF" comment="" ro="False" ipv4_rule_set="False" ipv6_rule_set="True" top_rule_set="False">
|
|
<PolicyRule id="id2502746X7324" disabled="False" group="" log="False" position="0" action="Accept" direction="Both" comment="">
|
|
<Src neg="False">
|
|
<ObjectRef ref="id2383X75851"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="id2383X75851"/>
|
|
<ObjectRef ref="id2685X75851"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="id654168X7324"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="color">#C08B5A</Option>
|
|
<Option name="connlimit_above_not">False</Option>
|
|
<Option name="connlimit_masklen">0</Option>
|
|
<Option name="connlimit_value">0</Option>
|
|
<Option name="firewall_is_part_of_any_and_networks">0</Option>
|
|
<Option name="hashlimit_burst">0</Option>
|
|
<Option name="hashlimit_dstlimit">False</Option>
|
|
<Option name="hashlimit_expire">0</Option>
|
|
<Option name="hashlimit_gcinterval">0</Option>
|
|
<Option name="hashlimit_max">0</Option>
|
|
<Option name="hashlimit_mode_dstip">False</Option>
|
|
<Option name="hashlimit_mode_dstport">False</Option>
|
|
<Option name="hashlimit_mode_srcip">False</Option>
|
|
<Option name="hashlimit_mode_srcport">False</Option>
|
|
<Option name="hashlimit_name"/>
|
|
<Option name="hashlimit_size">0</Option>
|
|
<Option name="hashlimit_suffix"/>
|
|
<Option name="hashlimit_value">0</Option>
|
|
<Option name="limit_burst">0</Option>
|
|
<Option name="limit_suffix"/>
|
|
<Option name="limit_value">0</Option>
|
|
<Option name="limit_value_not">False</Option>
|
|
<Option name="log_level"/>
|
|
<Option name="log_prefix"/>
|
|
<Option name="stateless">True</Option>
|
|
<Option name="ulog_nlgroup">1</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<PolicyRule id="id2841658X7324" disabled="False" group="" log="False" position="1" action="Accept" direction="Both" comment="">
|
|
<Src neg="False">
|
|
<ObjectRef ref="id2383X75851"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="id2383X75851"/>
|
|
<ObjectRef ref="id2685X75851"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="color">#C08B5A</Option>
|
|
<Option name="connlimit_above_not">False</Option>
|
|
<Option name="connlimit_masklen">0</Option>
|
|
<Option name="connlimit_value">0</Option>
|
|
<Option name="firewall_is_part_of_any_and_networks">0</Option>
|
|
<Option name="hashlimit_burst">0</Option>
|
|
<Option name="hashlimit_dstlimit">False</Option>
|
|
<Option name="hashlimit_expire">0</Option>
|
|
<Option name="hashlimit_gcinterval">0</Option>
|
|
<Option name="hashlimit_max">0</Option>
|
|
<Option name="hashlimit_mode_dstip">False</Option>
|
|
<Option name="hashlimit_mode_dstport">False</Option>
|
|
<Option name="hashlimit_mode_srcip">False</Option>
|
|
<Option name="hashlimit_mode_srcport">False</Option>
|
|
<Option name="hashlimit_name"/>
|
|
<Option name="hashlimit_size">0</Option>
|
|
<Option name="hashlimit_suffix"/>
|
|
<Option name="hashlimit_value">0</Option>
|
|
<Option name="limit_burst">0</Option>
|
|
<Option name="limit_suffix"/>
|
|
<Option name="limit_value">0</Option>
|
|
<Option name="limit_value_not">False</Option>
|
|
<Option name="log_level"/>
|
|
<Option name="log_prefix"/>
|
|
<Option name="stateless">True</Option>
|
|
<Option name="ulog_nlgroup">1</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<RuleSetOptions>
|
|
<Option name="mangle_only_rule_set">False</Option>
|
|
</RuleSetOptions>
|
|
</Policy>
|
|
<Routing id="id654196X7324" name="Routing" comment="" ro="False" ipv4_rule_set="False" ipv6_rule_set="False" top_rule_set="True">
|
|
<RuleSetOptions/>
|
|
</Routing>
|
|
<Interface id="id654168X7324" dedicated_failover="False" dyn="False" label="" security_level="50" unnum="False" unprotected="False" name="eth0" comment="" ro="False">
|
|
<IPv4 id="id654172X7324" name="firewall-ipv6-8:eth0:ip" comment="" ro="False" address="1.1.1.1" netmask="255.255.255.0"/>
|
|
<IPv6 id="id654173X7324" name="firewall-ipv6-8:eth0:ip6" comment="" ro="False" address="fe80::21d:9ff:fe8b:8e94" netmask="64"/>
|
|
<InterfaceOptions/>
|
|
</Interface>
|
|
<Interface id="id654175X7324" dedicated_failover="False" dyn="True" label="" mgmt="False" security_level="0" unnum="False" unprotected="False" name="eth1" comment="" ro="False">
|
|
<InterfaceOptions/>
|
|
</Interface>
|
|
<Management address="1.1.1.1">
|
|
<SNMPManagement enabled="False" snmp_read_community="" snmp_write_community=""/>
|
|
<FWBDManagement enabled="False" identity="" port="-1"/>
|
|
<PolicyInstallScript arguments="" command="" enabled="False"/>
|
|
</Management>
|
|
<FirewallOptions>
|
|
<Option name="accept_established">True</Option>
|
|
<Option name="accept_new_tcp_with_no_syn">True</Option>
|
|
<Option name="action_on_reject"/>
|
|
<Option name="activationCmd"/>
|
|
<Option name="add_check_state_rule">true</Option>
|
|
<Option name="add_mgmt_ssh_rule_when_stoped">False</Option>
|
|
<Option name="add_rules_for_ipv6_neighbor_discovery">True</Option>
|
|
<Option name="admUser"/>
|
|
<Option name="altAddress"/>
|
|
<Option name="bridging_fw">False</Option>
|
|
<Option name="check_shading">False</Option>
|
|
<Option name="clamp_mss_to_mtu">True</Option>
|
|
<Option name="classify_mark_terminating">False</Option>
|
|
<Option name="clear_unknown_interfaces">False</Option>
|
|
<Option name="cmdline">-xt</Option>
|
|
<Option name="compiler"/>
|
|
<Option name="configure_bonding_interfaces">False</Option>
|
|
<Option name="configure_bridge_interfaces">False</Option>
|
|
<Option name="configure_interfaces">True</Option>
|
|
<Option name="configure_vlan_interfaces">False</Option>
|
|
<Option name="debug">False</Option>
|
|
<Option name="drop_invalid">True</Option>
|
|
<Option name="eliminate_duplicates">true</Option>
|
|
<Option name="enable_ipv6">True</Option>
|
|
<Option name="epilog_script"/>
|
|
<Option name="firewall_dir">/etc</Option>
|
|
<Option name="firewall_is_part_of_any_and_networks">True</Option>
|
|
<Option name="freebsd_ip_forward">1</Option>
|
|
<Option name="ignore_empty_groups">False</Option>
|
|
<Option name="in_out_code">true</Option>
|
|
<Option name="iosacl_add_clear_statements">true</Option>
|
|
<Option name="iosacl_assume_fw_part_of_any">true</Option>
|
|
<Option name="iosacl_include_comments">true</Option>
|
|
<Option name="ipt_mangle_only_rulesets"/>
|
|
<Option name="ipv4_6_order">ipv4_first</Option>
|
|
<Option name="limit_suffix"/>
|
|
<Option name="limit_value">0</Option>
|
|
<Option name="linux24_accept_redirects"/>
|
|
<Option name="linux24_accept_source_route"/>
|
|
<Option name="linux24_icmp_echo_ignore_all"/>
|
|
<Option name="linux24_icmp_echo_ignore_broadcasts"/>
|
|
<Option name="linux24_icmp_ignore_bogus_error_responses"/>
|
|
<Option name="linux24_ip_dynaddr"/>
|
|
<Option name="linux24_ip_forward">1</Option>
|
|
<Option name="linux24_ipv6_forward">1</Option>
|
|
<Option name="linux24_log_martians"/>
|
|
<Option name="linux24_path_ip"/>
|
|
<Option name="linux24_path_ip6tables"/>
|
|
<Option name="linux24_path_ip6tables_restore"/>
|
|
<Option name="linux24_path_iptables"/>
|
|
<Option name="linux24_path_iptables_restore"/>
|
|
<Option name="linux24_path_logger"/>
|
|
<Option name="linux24_path_lsmod"/>
|
|
<Option name="linux24_path_modprobe"/>
|
|
<Option name="linux24_rp_filter"/>
|
|
<Option name="linux24_tcp_ecn"/>
|
|
<Option name="linux24_tcp_fack"/>
|
|
<Option name="linux24_tcp_fin_timeout">0</Option>
|
|
<Option name="linux24_tcp_keepalive_interval">0</Option>
|
|
<Option name="linux24_tcp_sack"/>
|
|
<Option name="linux24_tcp_syncookies"/>
|
|
<Option name="linux24_tcp_timestamps"/>
|
|
<Option name="linux24_tcp_window_scaling"/>
|
|
<Option name="load_modules">True</Option>
|
|
<Option name="local_nat">False</Option>
|
|
<Option name="log_all">False</Option>
|
|
<Option name="log_invalid">True</Option>
|
|
<Option name="log_ip_opt">False</Option>
|
|
<Option name="log_level">info</Option>
|
|
<Option name="log_prefix">RULE %N -- %A </Option>
|
|
<Option name="log_tcp_opt">False</Option>
|
|
<Option name="log_tcp_seq">False</Option>
|
|
<Option name="loopback_interface">lo0</Option>
|
|
<Option name="macosx_ip_forward">1</Option>
|
|
<Option name="manage_virtual_addr">True</Option>
|
|
<Option name="mgmt_addr"/>
|
|
<Option name="mgmt_ssh">False</Option>
|
|
<Option name="no_ipv6_default_policy">False</Option>
|
|
<Option name="openbsd_ip_forward">1</Option>
|
|
<Option name="output_file"/>
|
|
<Option name="pass_all_out">false</Option>
|
|
<Option name="pf_limit_frags">5000</Option>
|
|
<Option name="pf_limit_states">10000</Option>
|
|
<Option name="pf_scrub_maxmss">1460</Option>
|
|
<Option name="pf_timeout_frag">30</Option>
|
|
<Option name="pf_timeout_interval">10</Option>
|
|
<Option name="pix_add_clear_statements">true</Option>
|
|
<Option name="pix_assume_fw_part_of_any">true</Option>
|
|
<Option name="pix_default_logint">300</Option>
|
|
<Option name="pix_emblem_log_format">false</Option>
|
|
<Option name="pix_emulate_out_acl">true</Option>
|
|
<Option name="pix_floodguard">true</Option>
|
|
<Option name="pix_include_comments">true</Option>
|
|
<Option name="pix_route_dnat_supported">true</Option>
|
|
<Option name="pix_rule_syslog_settings">false</Option>
|
|
<Option name="pix_security_fragguard_supported">true</Option>
|
|
<Option name="pix_syslog_device_id_supported">false</Option>
|
|
<Option name="pix_use_acl_remarks">true</Option>
|
|
<Option name="prolog_place">top</Option>
|
|
<Option name="prolog_script"/>
|
|
<Option name="prompt1">$ </Option>
|
|
<Option name="prompt2"> # </Option>
|
|
<Option name="scpArgs"/>
|
|
<Option name="script_name_on_firewall"/>
|
|
<Option name="solaris_ip_forward">1</Option>
|
|
<Option name="sshArgs"/>
|
|
<Option name="ulog_cprange">0</Option>
|
|
<Option name="ulog_nlgroup">1</Option>
|
|
<Option name="ulog_qthreshold">1</Option>
|
|
<Option name="use_ULOG">True</Option>
|
|
<Option name="use_iptables_restore">True</Option>
|
|
<Option name="use_numeric_log_levels">False</Option>
|
|
<Option name="verify_interfaces">True</Option>
|
|
</FirewallOptions>
|
|
</Firewall>
|
|
<Firewall id="id654310X7324" host_OS="linux24" inactive="False" lastCompiled="1272754730" lastInstalled="0" lastModified="1276700649" platform="iptables" version="" name="test_fw" comment="This firewall has three interfaces. eth0 faces outside and has a static routable address; eth1 faces inside; eth2 is connected to the DMZ subnet. The policy includes basic rules to permit unrestricted outbound access and anti-spoofing rules. Access to the firewall is permitted only from the internal network and only using SSH. The firewall uses one of the machines on the internal network for DNS. The internal network is configured with address 192.168.1.0/255.255.255.0, the DMZ is 192.168.2.0/255.255.255.0. Since the DMZ uses private IP addresses, it needs NAT. There is a mail relay host located on the DMZ (object 'server on dmz'). Policy rules permit SMTP connections to it from the Internet and allow this server to connect to a host on the internal network ('internal server'). All other access from the DMZ to the internal net is denied. To provide access to the mail relay, its private address is mapped to the firewall's outside interface address by the NAT rule whose original destination is the outside interface and whose translated destination is 'server on dmz'." ro="False">
|
|
<NAT id="id654678X7324" name="NAT" comment="" ro="False" ipv4_rule_set="False" ipv6_rule_set="False" top_rule_set="True">
|
|
<NATRule id="id654680X7324" disabled="False" group="" position="0" action="Translate" comment="no need to translate between DMZ and internal net">
|
|
<OSrc neg="False">
|
|
<ObjectRef ref="id3DC75CE7-2"/>
|
|
</OSrc>
|
|
<ODst neg="False">
|
|
<ObjectRef ref="id3DC75CE7-1"/>
|
|
</ODst>
|
|
<OSrv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</OSrv>
|
|
<TSrc neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</TSrc>
|
|
<TDst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</TDst>
|
|
<TSrv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</TSrv>
|
|
<ItfInb neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ItfInb>
|
|
<ItfOutb neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ItfOutb>
|
|
<NATRuleOptions/>
|
|
</NATRule>
|
|
<NATRule id="id654713X7324" disabled="False" group="" position="1" action="Translate" comment="Translate source address for outgoing connections">
|
|
<OSrc neg="False">
|
|
<ObjectRef ref="id3DC75CE7-1"/>
|
|
<ObjectRef ref="id3DC75CE7-2"/>
|
|
</OSrc>
|
|
<ODst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ODst>
|
|
<OSrv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</OSrv>
|
|
<TSrc neg="False">
|
|
<ObjectRef ref="id654318X7324"/>
|
|
</TSrc>
|
|
<TDst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</TDst>
|
|
<TSrv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</TSrv>
|
|
<ItfInb neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ItfInb>
|
|
<ItfOutb neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ItfOutb>
|
|
<NATRuleOptions/>
|
|
</NATRule>
|
|
<NATRule id="id654747X7324" disabled="False" group="" position="2" action="Translate" comment="">
|
|
<OSrc neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</OSrc>
|
|
<ODst neg="False">
|
|
<ObjectRef ref="id654318X7324"/>
|
|
</ODst>
|
|
<OSrv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</OSrv>
|
|
<TSrc neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</TSrc>
|
|
<TDst neg="False">
|
|
<ObjectRef ref="id3D84EECF"/>
|
|
</TDst>
|
|
<TSrv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</TSrv>
|
|
<ItfInb neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ItfInb>
|
|
<ItfOutb neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ItfOutb>
|
|
<NATRuleOptions/>
|
|
</NATRule>
|
|
<RuleSetOptions/>
|
|
</NAT>
|
|
<Policy id="id654336X7324" name="Policy" comment="" ro="False" ipv4_rule_set="False" ipv6_rule_set="False" top_rule_set="True">
|
|
<PolicyRule id="id654338X7324" disabled="False" group="" log="True" position="0" action="Deny" direction="Inbound" comment="Anti-spoofing rule: deny and log packets arriving inbound on the outside interface that claim the firewall, the internal network or the DMZ network as their source address">
|
|
<Src neg="False">
|
|
<ObjectRef ref="id654310X7324"/>
|
|
<ObjectRef ref="id3DC75CE7-1"/>
|
|
<ObjectRef ref="id3DC75CE7-2"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="id654318X7324"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions/>
|
|
</PolicyRule>
|
|
<PolicyRule id="id654368X7324" disabled="False" group="" log="False" position="1" action="Accept" direction="Both" comment="">
|
|
<Src neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="id654325X7324"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions/>
|
|
</PolicyRule>
|
|
<PolicyRule id="id654396X7324" disabled="False" group="" log="False" position="2" action="Accept" direction="Both" comment="SSH access to the firewall is permitted only from the internal network">
|
|
<Src neg="False">
|
|
<ObjectRef ref="id3DC75CE7-1"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="id654310X7324"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="tcp-SSH"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions/>
|
|
</PolicyRule>
|
|
<PolicyRule id="id654424X7324" disabled="False" group="" log="False" position="3" action="Accept" direction="Both" comment="Firewall uses one of the machines on internal network for DNS">
|
|
<Src neg="False">
|
|
<ObjectRef ref="id654310X7324"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="id3D84EECE"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="id3F530CC8"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions/>
|
|
</PolicyRule>
|
|
<PolicyRule id="id654452X7324" disabled="False" group="" log="True" position="4" action="Deny" direction="Both" comment="All other attempts to connect to the firewall are denied and logged">
|
|
<Src neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="id654310X7324"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions/>
|
|
</PolicyRule>
|
|
<PolicyRule id="id654480X7324" disabled="False" group="" log="False" position="5" action="Reject" direction="Both" comment="Quickly reject attempts to connect to ident server to avoid SMTP delays">
|
|
<Src neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="tcp-Auth"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="connlimit_above_not">False</Option>
|
|
<Option name="connlimit_masklen">0</Option>
|
|
<Option name="connlimit_value">0</Option>
|
|
<Option name="firewall_is_part_of_any_and_networks"/>
|
|
<Option name="hashlimit_burst">0</Option>
|
|
<Option name="hashlimit_dstlimit">False</Option>
|
|
<Option name="hashlimit_expire">0</Option>
|
|
<Option name="hashlimit_gcinterval">0</Option>
|
|
<Option name="hashlimit_max">0</Option>
|
|
<Option name="hashlimit_mode_dstip">False</Option>
|
|
<Option name="hashlimit_mode_dstport">False</Option>
|
|
<Option name="hashlimit_mode_srcip">False</Option>
|
|
<Option name="hashlimit_mode_srcport">False</Option>
|
|
<Option name="hashlimit_name"/>
|
|
<Option name="hashlimit_size">0</Option>
|
|
<Option name="hashlimit_suffix"/>
|
|
<Option name="hashlimit_value">0</Option>
|
|
<Option name="limit_burst">0</Option>
|
|
<Option name="limit_suffix"/>
|
|
<Option name="limit_value">0</Option>
|
|
<Option name="limit_value_not">False</Option>
|
|
<Option name="log_level"/>
|
|
<Option name="log_prefix"/>
|
|
<Option name="stateless">True</Option>
|
|
<Option name="ulog_nlgroup">1</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<PolicyRule id="id654508X7324" disabled="False" group="" log="False" position="6" action="Accept" direction="Both" comment="Mail relay on DMZ can accept connections from hosts on the Internet">
|
|
<Src neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="id3D84EECF"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="tcp-SMTP"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions/>
|
|
</PolicyRule>
|
|
<PolicyRule id="id654536X7324" disabled="False" group="" log="False" position="7" action="Accept" direction="Both" comment="This rule permits the mail relay located on the DMZ to connect to the internal mail server">
|
|
<Src neg="False">
|
|
<ObjectRef ref="id3D84EECF"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="id3D84EECE"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="tcp-SMTP"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions/>
|
|
</PolicyRule>
|
|
<PolicyRule id="id654564X7324" disabled="False" group="" log="False" position="8" action="Accept" direction="Both" comment="Mail relay needs DNS and can connect to mail servers on the Internet">
|
|
<Src neg="False">
|
|
<ObjectRef ref="id3D84EECF"/>
|
|
</Src>
|
|
<Dst neg="True">
|
|
<ObjectRef ref="id3DC75CE7-1"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="id3F530CC8"/>
|
|
<ServiceRef ref="tcp-SMTP"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions/>
|
|
</PolicyRule>
|
|
<PolicyRule id="id654593X7324" disabled="False" group="" log="True" position="9" action="Deny" direction="Both" comment="All other access from DMZ to internal net is denied">
|
|
<Src neg="False">
|
|
<ObjectRef ref="id3DC75CE7-2"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="id3DC75CE7-1"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="connlimit_above_not">False</Option>
|
|
<Option name="connlimit_masklen">0</Option>
|
|
<Option name="connlimit_value">0</Option>
|
|
<Option name="firewall_is_part_of_any_and_networks"/>
|
|
<Option name="hashlimit_burst">0</Option>
|
|
<Option name="hashlimit_dstlimit">False</Option>
|
|
<Option name="hashlimit_expire">0</Option>
|
|
<Option name="hashlimit_gcinterval">0</Option>
|
|
<Option name="hashlimit_max">0</Option>
|
|
<Option name="hashlimit_mode_dstip">False</Option>
|
|
<Option name="hashlimit_mode_dstport">False</Option>
|
|
<Option name="hashlimit_mode_srcip">False</Option>
|
|
<Option name="hashlimit_mode_srcport">False</Option>
|
|
<Option name="hashlimit_name"/>
|
|
<Option name="hashlimit_size">0</Option>
|
|
<Option name="hashlimit_suffix"/>
|
|
<Option name="hashlimit_value">0</Option>
|
|
<Option name="limit_burst">0</Option>
|
|
<Option name="limit_suffix"/>
|
|
<Option name="limit_value">0</Option>
|
|
<Option name="limit_value_not">False</Option>
|
|
<Option name="log_level"/>
|
|
<Option name="log_prefix"/>
|
|
<Option name="stateless">True</Option>
|
|
<Option name="ulog_nlgroup">1</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<PolicyRule id="id654621X7324" disabled="False" group="" log="False" position="10" action="Accept" direction="Both" comment="This permits access from internal net to the Internet and DMZ">
|
|
<Src neg="False">
|
|
<ObjectRef ref="id3DC75CE7-1"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions/>
|
|
</PolicyRule>
|
|
<PolicyRule id="id654649X7324" disabled="False" group="" log="True" position="11" action="Deny" direction="Both" comment="">
|
|
<Src neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="connlimit_above_not">False</Option>
|
|
<Option name="connlimit_masklen">0</Option>
|
|
<Option name="connlimit_value">0</Option>
|
|
<Option name="firewall_is_part_of_any_and_networks"/>
|
|
<Option name="hashlimit_burst">0</Option>
|
|
<Option name="hashlimit_dstlimit">False</Option>
|
|
<Option name="hashlimit_expire">0</Option>
|
|
<Option name="hashlimit_gcinterval">0</Option>
|
|
<Option name="hashlimit_max">0</Option>
|
|
<Option name="hashlimit_mode_dstip">False</Option>
|
|
<Option name="hashlimit_mode_dstport">False</Option>
|
|
<Option name="hashlimit_mode_srcip">False</Option>
|
|
<Option name="hashlimit_mode_srcport">False</Option>
|
|
<Option name="hashlimit_name"/>
|
|
<Option name="hashlimit_size">0</Option>
|
|
<Option name="hashlimit_suffix"/>
|
|
<Option name="hashlimit_value">0</Option>
|
|
<Option name="limit_burst">0</Option>
|
|
<Option name="limit_suffix"/>
|
|
<Option name="limit_value">0</Option>
|
|
<Option name="limit_value_not">False</Option>
|
|
<Option name="log_level"/>
|
|
<Option name="log_prefix"/>
|
|
<Option name="stateless">True</Option>
|
|
<Option name="ulog_nlgroup">1</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<RuleSetOptions/>
|
|
</Policy>
|
|
<Policy id="id654784X7324" name="Policy_v6" comment="" ro="False" ipv4_rule_set="False" ipv6_rule_set="True" top_rule_set="True">
|
|
<PolicyRule id="id654786X7324" disabled="False" group="" log="False" position="0" action="Accept" direction="Outbound" comment="">
|
|
<Src neg="False">
|
|
<ObjectRef ref="id2383X75851"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="id2685X75851"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="id654321X7324"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="connlimit_above_not">False</Option>
|
|
<Option name="connlimit_masklen">0</Option>
|
|
<Option name="connlimit_value">0</Option>
|
|
<Option name="firewall_is_part_of_any_and_networks"/>
|
|
<Option name="hashlimit_burst">0</Option>
|
|
<Option name="hashlimit_dstlimit">False</Option>
|
|
<Option name="hashlimit_expire">0</Option>
|
|
<Option name="hashlimit_gcinterval">0</Option>
|
|
<Option name="hashlimit_max">0</Option>
|
|
<Option name="hashlimit_mode_dstip">False</Option>
|
|
<Option name="hashlimit_mode_dstport">False</Option>
|
|
<Option name="hashlimit_mode_srcip">False</Option>
|
|
<Option name="hashlimit_mode_srcport">False</Option>
|
|
<Option name="hashlimit_name"/>
|
|
<Option name="hashlimit_size">0</Option>
|
|
<Option name="hashlimit_suffix"/>
|
|
<Option name="hashlimit_value">0</Option>
|
|
<Option name="limit_burst">0</Option>
|
|
<Option name="limit_suffix"/>
|
|
<Option name="limit_value">0</Option>
|
|
<Option name="limit_value_not">False</Option>
|
|
<Option name="log_level"/>
|
|
<Option name="log_prefix"/>
|
|
<Option name="stateless">True</Option>
|
|
<Option name="ulog_nlgroup">1</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<PolicyRule id="id654814X7324" disabled="False" group="" log="False" position="1" action="Branch" direction="Both" comment="">
|
|
<Src neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="id654834X7324"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="action_on_reject"/>
|
|
<Option name="branch_id">id654844X7324</Option>
|
|
<Option name="classify_str"/>
|
|
<Option name="custom_str"/>
|
|
<Option name="ipf_route_opt_addr"/>
|
|
<Option name="ipf_route_opt_if"/>
|
|
<Option name="ipf_route_option">route_through</Option>
|
|
<Option name="ipfw_classify_method">2</Option>
|
|
<Option name="ipfw_pipe_port_num">0</Option>
|
|
<Option name="ipfw_pipe_queue_num">0</Option>
|
|
<Option name="ipt_branch_in_mangle">False</Option>
|
|
<Option name="ipt_continue">False</Option>
|
|
<Option name="ipt_gw"/>
|
|
<Option name="ipt_iif"/>
|
|
<Option name="ipt_mark_connections">False</Option>
|
|
<Option name="ipt_oif"/>
|
|
<Option name="ipt_tee">False</Option>
|
|
<Option name="pf_fastroute">False</Option>
|
|
<Option name="pf_route_load_option">none</Option>
|
|
<Option name="pf_route_opt_addr"/>
|
|
<Option name="pf_route_opt_if"/>
|
|
<Option name="pf_route_option">none</Option>
|
|
<Option name="rule_name_accounting"/>
|
|
<Option name="stateless">True</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<RuleSetOptions>
|
|
<Option name="mangle_only_rule_set">False</Option>
|
|
</RuleSetOptions>
|
|
</Policy>
|
|
<Policy id="id654844X7324" name="Policy_OSPF" comment="" ro="False" ipv4_rule_set="False" ipv6_rule_set="True" top_rule_set="False">
|
|
<PolicyRule id="id654846X7324" disabled="False" group="" log="False" position="0" action="Accept" direction="Both" comment="">
|
|
<Src neg="False">
|
|
<ObjectRef ref="id2383X75851"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="id2383X75851"/>
|
|
<ObjectRef ref="id2685X75851"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="id654321X7324"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="color">#C08B5A</Option>
|
|
<Option name="connlimit_above_not">False</Option>
|
|
<Option name="connlimit_masklen">0</Option>
|
|
<Option name="connlimit_value">0</Option>
|
|
<Option name="firewall_is_part_of_any_and_networks">0</Option>
|
|
<Option name="hashlimit_burst">0</Option>
|
|
<Option name="hashlimit_dstlimit">False</Option>
|
|
<Option name="hashlimit_expire">0</Option>
|
|
<Option name="hashlimit_gcinterval">0</Option>
|
|
<Option name="hashlimit_max">0</Option>
|
|
<Option name="hashlimit_mode_dstip">False</Option>
|
|
<Option name="hashlimit_mode_dstport">False</Option>
|
|
<Option name="hashlimit_mode_srcip">False</Option>
|
|
<Option name="hashlimit_mode_srcport">False</Option>
|
|
<Option name="hashlimit_name"/>
|
|
<Option name="hashlimit_size">0</Option>
|
|
<Option name="hashlimit_suffix"/>
|
|
<Option name="hashlimit_value">0</Option>
|
|
<Option name="limit_burst">0</Option>
|
|
<Option name="limit_suffix"/>
|
|
<Option name="limit_value">0</Option>
|
|
<Option name="limit_value_not">False</Option>
|
|
<Option name="log_level"/>
|
|
<Option name="log_prefix"/>
|
|
<Option name="stateless">True</Option>
|
|
<Option name="ulog_nlgroup">1</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<PolicyRule id="id654875X7324" disabled="False" group="" log="False" position="1" action="Accept" direction="Outbound" comment="">
|
|
<Src neg="False">
|
|
<ObjectRef ref="id2383X75851"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="id2685X75851"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="id654321X7324"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="connlimit_above_not">False</Option>
|
|
<Option name="connlimit_masklen">0</Option>
|
|
<Option name="connlimit_value">0</Option>
|
|
<Option name="firewall_is_part_of_any_and_networks"/>
|
|
<Option name="hashlimit_burst">0</Option>
|
|
<Option name="hashlimit_dstlimit">False</Option>
|
|
<Option name="hashlimit_expire">0</Option>
|
|
<Option name="hashlimit_gcinterval">0</Option>
|
|
<Option name="hashlimit_max">0</Option>
|
|
<Option name="hashlimit_mode_dstip">False</Option>
|
|
<Option name="hashlimit_mode_dstport">False</Option>
|
|
<Option name="hashlimit_mode_srcip">False</Option>
|
|
<Option name="hashlimit_mode_srcport">False</Option>
|
|
<Option name="hashlimit_name"/>
|
|
<Option name="hashlimit_size">0</Option>
|
|
<Option name="hashlimit_suffix"/>
|
|
<Option name="hashlimit_value">0</Option>
|
|
<Option name="limit_burst">0</Option>
|
|
<Option name="limit_suffix"/>
|
|
<Option name="limit_value">0</Option>
|
|
<Option name="limit_value_not">False</Option>
|
|
<Option name="log_level"/>
|
|
<Option name="log_prefix"/>
|
|
<Option name="stateless">True</Option>
|
|
<Option name="ulog_nlgroup">1</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<RuleSetOptions>
|
|
<Option name="mangle_only_rule_set">False</Option>
|
|
</RuleSetOptions>
|
|
</Policy>
|
|
<Routing id="id654781X7324" name="Routing" comment="" ro="False" ipv4_rule_set="False" ipv6_rule_set="False" top_rule_set="True">
|
|
<RuleSetOptions/>
|
|
</Routing>
|
|
<Interface id="id654318X7324" dedicated_failover="False" dyn="False" label="outside" mgmt="False" security_level="0" unnum="False" unprotected="False" name="eth0" comment="" ro="False">
|
|
<IPv4 id="id654319X7324" name="test_fw:eth0:ip" comment="This is a placeholder test address (192.0.2.0/24 is the RFC 5737 TEST-NET-1 documentation range); change it to your real address before deploying" ro="False" address="192.0.2.1" netmask="255.255.255.0"/>
|
|
<InterfaceOptions/>
|
|
</Interface>
|
|
<Interface id="id654321X7324" dedicated_failover="False" dyn="False" label="inside" mgmt="True" security_level="100" unnum="False" unprotected="False" name="eth1" comment="" ro="False">
|
|
<IPv4 id="id654322X7324" name="test_fw:eth1:ip" comment="" ro="False" address="192.168.1.1" netmask="255.255.255.0"/>
|
|
<IPv6 id="id654324X7324" name="test_fw:eth1:ip6" comment="" ro="False" address="fe80::20c:29ff:fed2:cca1" netmask="64"/>
|
|
<InterfaceOptions/>
|
|
</Interface>
|
|
<Interface id="id654325X7324" dedicated_failover="False" dyn="False" label="loopback" mgmt="False" security_level="100" unnum="False" unprotected="False" name="lo" comment="" ro="False">
|
|
<IPv4 id="id654326X7324" name="test_fw:lo:ip" comment="" ro="False" address="127.0.0.1" netmask="255.0.0.0"/>
|
|
<InterfaceOptions/>
|
|
</Interface>
|
|
<Interface id="id654328X7324" dedicated_failover="False" dyn="False" label="dmz" mgmt="False" security_level="0" unnum="False" unprotected="False" name="eth2" comment="" ro="False">
|
|
<IPv4 id="id654329X7324" name="test_fw:eth2:ip" comment="" ro="False" address="192.168.2.1" netmask="255.255.255.0"/>
|
|
<InterfaceOptions/>
|
|
</Interface>
|
|
<Management address="192.168.1.1">
|
|
<SNMPManagement enabled="False" snmp_read_community="" snmp_write_community=""/>
|
|
<FWBDManagement enabled="False" identity="" port="-1"/>
|
|
<PolicyInstallScript arguments="" command="" enabled="False"/>
|
|
</Management>
|
|
<FirewallOptions>
|
|
<Option name="accept_established">True</Option>
|
|
<Option name="accept_new_tcp_with_no_syn">True</Option>
|
|
<Option name="action_on_reject"/>
|
|
<Option name="activationCmd"/>
|
|
<Option name="add_mgmt_ssh_rule_when_stoped">False</Option>
|
|
<Option name="add_rules_for_ipv6_neighbor_discovery">False</Option>
|
|
<Option name="admUser"/>
|
|
<Option name="altAddress"/>
|
|
<Option name="bridging_fw">False</Option>
|
|
<Option name="check_shading">False</Option>
|
|
<Option name="clamp_mss_to_mtu">False</Option>
|
|
<Option name="classify_mark_terminating">False</Option>
|
|
<Option name="clear_unknown_interfaces">False</Option>
|
|
<Option name="cmdline"/>
|
|
<Option name="compiler"/>
|
|
<Option name="configure_bonding_interfaces">False</Option>
|
|
<Option name="configure_bridge_interfaces">False</Option>
|
|
<Option name="configure_interfaces">True</Option>
|
|
<Option name="configure_vlan_interfaces">False</Option>
|
|
<Option name="debug">False</Option>
|
|
<Option name="drop_invalid">False</Option>
|
|
<Option name="eliminate_duplicates">true</Option>
|
|
<Option name="epilog_script"/>
|
|
<Option name="firewall_dir">/etc</Option>
|
|
<Option name="firewall_is_part_of_any_and_networks">True</Option>
|
|
<Option name="flush_and_set_default_policy">True</Option>
|
|
<Option name="freebsd_ip_forward">1</Option>
|
|
<Option name="ignore_empty_groups">False</Option>
|
|
<Option name="ipv4_6_order">ipv4_first</Option>
|
|
<Option name="limit_suffix"/>
|
|
<Option name="limit_value">0</Option>
|
|
<Option name="linux24_ip_forward">1</Option>
|
|
<Option name="load_modules">True</Option>
|
|
<Option name="local_nat">False</Option>
|
|
<Option name="log_all">False</Option>
|
|
<Option name="log_invalid">False</Option>
|
|
<Option name="log_ip_opt">False</Option>
|
|
<Option name="log_level">info</Option>
|
|
<Option name="log_prefix">RULE %N -- %A </Option>
|
|
<Option name="log_tcp_opt">False</Option>
|
|
<Option name="log_tcp_seq">False</Option>
|
|
<Option name="loopback_interface">lo</Option>
|
|
<Option name="macosx_ip_forward">1</Option>
|
|
<Option name="manage_virtual_addr">True</Option>
|
|
<Option name="mgmt_addr"/>
|
|
<Option name="mgmt_ssh">False</Option>
|
|
<Option name="modules_dir">/lib/modules/`uname -r`/kernel/net/</Option>
|
|
<Option name="openbsd_ip_forward">1</Option>
|
|
<Option name="output_file"/>
|
|
<Option name="pf_limit_frags">5000</Option>
|
|
<Option name="pf_limit_states">10000</Option>
|
|
<Option name="pf_timeout_frag">30</Option>
|
|
<Option name="pf_timeout_interval">10</Option>
|
|
<Option name="pix_add_clear_statements">true</Option>
|
|
<Option name="pix_assume_fw_part_of_any">true</Option>
|
|
<Option name="pix_default_logint">300</Option>
|
|
<Option name="pix_emblem_log_format">false</Option>
|
|
<Option name="pix_emulate_out_acl">true</Option>
|
|
<Option name="pix_floodguard">true</Option>
|
|
<Option name="pix_include_comments">true</Option>
|
|
<Option name="pix_route_dnat_supported">true</Option>
|
|
<Option name="pix_rule_syslog_settings">false</Option>
|
|
<Option name="pix_security_fragguard_supported">true</Option>
|
|
<Option name="pix_syslog_device_id_supported">false</Option>
|
|
<Option name="pix_use_acl_remarks">true</Option>
|
|
<Option name="prolog_place">top</Option>
|
|
<Option name="prolog_script"/>
|
|
<Option name="scpArgs"/>
|
|
<Option name="script_name_on_firewall"/>
|
|
<Option name="solaris_ip_forward">1</Option>
|
|
<Option name="sshArgs"/>
|
|
<Option name="ulog_cprange">0</Option>
|
|
<Option name="ulog_nlgroup">1</Option>
|
|
<Option name="ulog_qthreshold">1</Option>
|
|
<Option name="use_ULOG">False</Option>
|
|
<Option name="use_iptables_restore">False</Option>
|
|
<Option name="use_numeric_log_levels">False</Option>
|
|
<Option name="verify_interfaces">True</Option>
|
|
</FirewallOptions>
|
|
</Firewall>
|
|
<Firewall id="id56583X26628" host_OS="linux24" inactive="False" lastCompiled="1279850008" lastInstalled="0" lastModified="1279949656" platform="iptables" version="1.4.1.1" name="firewall41-1" comment="testing run-time address table objects with the iptables 'set' match module (use_m_set is turned on)" ro="False">
|
|
<NAT id="id56688X26628" name="NAT" comment="" ro="False" ipv4_rule_set="False" ipv6_rule_set="False" top_rule_set="True">
|
|
<NATRule id="id985478X9995" disabled="False" group="" position="0" action="Translate" comment="">
|
|
<OSrc neg="False">
|
|
<ObjectRef ref="id44F7056328576"/>
|
|
</OSrc>
|
|
<ODst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ODst>
|
|
<OSrv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</OSrv>
|
|
<TSrc neg="False">
|
|
<ObjectRef ref="id56591X26628"/>
|
|
</TSrc>
|
|
<TDst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</TDst>
|
|
<TSrv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</TSrv>
|
|
<ItfInb neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ItfInb>
|
|
<ItfOutb neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ItfOutb>
|
|
<NATRuleOptions/>
|
|
</NATRule>
|
|
<NATRule id="id2287813X9995" disabled="False" group="" position="1" action="Translate" comment="">
|
|
<OSrc neg="True">
|
|
<ObjectRef ref="id44F7056328576"/>
|
|
</OSrc>
|
|
<ODst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ODst>
|
|
<OSrv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</OSrv>
|
|
<TSrc neg="False">
|
|
<ObjectRef ref="id56591X26628"/>
|
|
</TSrc>
|
|
<TDst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</TDst>
|
|
<TSrv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</TSrv>
|
|
<ItfInb neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ItfInb>
|
|
<ItfOutb neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ItfOutb>
|
|
<NATRuleOptions/>
|
|
</NATRule>
|
|
<NATRule id="id985500X9995" disabled="False" group="" position="2" action="Translate" comment="">
|
|
<OSrc neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</OSrc>
|
|
<ODst neg="False">
|
|
<ObjectRef ref="id44F7056328576"/>
|
|
</ODst>
|
|
<OSrv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</OSrv>
|
|
<TSrc neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</TSrc>
|
|
<TDst neg="False">
|
|
<ObjectRef ref="id46523X95438"/>
|
|
</TDst>
|
|
<TSrv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</TSrv>
|
|
<ItfInb neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ItfInb>
|
|
<ItfOutb neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ItfOutb>
|
|
<NATRuleOptions/>
|
|
</NATRule>
|
|
<RuleSetOptions/>
|
|
</NAT>
|
|
<Policy id="id56601X26628" name="Policy" comment="" ro="False" ipv4_rule_set="False" ipv6_rule_set="False" top_rule_set="True">
|
|
<PolicyRule id="id56614X26628" disabled="False" group="" log="False" position="0" action="Accept" direction="Both" comment="">
|
|
<Src neg="False">
|
|
<ObjectRef ref="id56583X26628"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="id44F7056328576"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions/>
|
|
</PolicyRule>
|
|
<PolicyRule id="id1162747X27867" disabled="False" group="" log="False" position="1" action="Accept" direction="Both" comment="">
|
|
<Src neg="False">
|
|
<ObjectRef ref="id56583X26628"/>
|
|
</Src>
|
|
<Dst neg="True">
|
|
<ObjectRef ref="id44F7056328576"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="connlimit_above_not">False</Option>
|
|
<Option name="connlimit_masklen">0</Option>
|
|
<Option name="connlimit_value">0</Option>
|
|
<Option name="firewall_is_part_of_any_and_networks"/>
|
|
<Option name="hashlimit_burst">0</Option>
|
|
<Option name="hashlimit_dstlimit">False</Option>
|
|
<Option name="hashlimit_expire">0</Option>
|
|
<Option name="hashlimit_gcinterval">0</Option>
|
|
<Option name="hashlimit_max">0</Option>
|
|
<Option name="hashlimit_mode_dstip">False</Option>
|
|
<Option name="hashlimit_mode_dstport">False</Option>
|
|
<Option name="hashlimit_mode_srcip">False</Option>
|
|
<Option name="hashlimit_mode_srcport">False</Option>
|
|
<Option name="hashlimit_name"/>
|
|
<Option name="hashlimit_size">0</Option>
|
|
<Option name="hashlimit_suffix"/>
|
|
<Option name="hashlimit_value">0</Option>
|
|
<Option name="limit_burst">0</Option>
|
|
<Option name="limit_suffix"/>
|
|
<Option name="limit_value">0</Option>
|
|
<Option name="limit_value_not">False</Option>
|
|
<Option name="log_level"/>
|
|
<Option name="log_prefix"/>
|
|
<Option name="stateless">False</Option>
|
|
<Option name="ulog_nlgroup">1</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<PolicyRule id="id3819891X29460" disabled="False" group="" log="False" position="2" action="Accept" direction="Both" comment="">
|
|
<Src neg="False">
|
|
<ObjectRef ref="id56583X26628"/>
|
|
</Src>
|
|
<Dst neg="True">
|
|
<ObjectRef ref="id44F7056328576"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="connlimit_above_not">False</Option>
|
|
<Option name="connlimit_masklen">0</Option>
|
|
<Option name="connlimit_value">0</Option>
|
|
<Option name="firewall_is_part_of_any_and_networks">0</Option>
|
|
<Option name="hashlimit_burst">0</Option>
|
|
<Option name="hashlimit_dstlimit">False</Option>
|
|
<Option name="hashlimit_expire">0</Option>
|
|
<Option name="hashlimit_gcinterval">0</Option>
|
|
<Option name="hashlimit_max">0</Option>
|
|
<Option name="hashlimit_mode_dstip">False</Option>
|
|
<Option name="hashlimit_mode_dstport">False</Option>
|
|
<Option name="hashlimit_mode_srcip">False</Option>
|
|
<Option name="hashlimit_mode_srcport">False</Option>
|
|
<Option name="hashlimit_name"/>
|
|
<Option name="hashlimit_size">0</Option>
|
|
<Option name="hashlimit_suffix"/>
|
|
<Option name="hashlimit_value">0</Option>
|
|
<Option name="limit_burst">0</Option>
|
|
<Option name="limit_suffix"/>
|
|
<Option name="limit_value">0</Option>
|
|
<Option name="limit_value_not">False</Option>
|
|
<Option name="log_level"/>
|
|
<Option name="log_prefix"/>
|
|
<Option name="stateless">False</Option>
|
|
<Option name="ulog_nlgroup">1</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<PolicyRule id="id56650X26628" disabled="False" group="" log="False" position="3" action="Accept" direction="Both" comment="">
|
|
<Src neg="False">
|
|
<ObjectRef ref="id56583X26628"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="id44F7056328576"/>
|
|
<ObjectRef ref="id4389EE9118346"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions/>
|
|
</PolicyRule>
|
|
<PolicyRule id="id794173X27867" disabled="False" group="" log="False" position="4" action="Accept" direction="Both" comment="">
|
|
<Src neg="False">
|
|
<ObjectRef ref="id44F7056328576"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="id56583X26628"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions/>
|
|
</PolicyRule>
|
|
<PolicyRule id="id1162799X27867" disabled="False" group="" log="False" position="5" action="Accept" direction="Both" comment="">
|
|
<Src neg="True">
|
|
<ObjectRef ref="id44F7056328576"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="id56583X26628"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions/>
|
|
</PolicyRule>
|
|
<PolicyRule id="id3819961X29460" disabled="False" group="" log="False" position="6" action="Accept" direction="Both" comment="">
|
|
<Src neg="True">
|
|
<ObjectRef ref="id44F7056328576"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="id56583X26628"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="connlimit_above_not">False</Option>
|
|
<Option name="connlimit_masklen">0</Option>
|
|
<Option name="connlimit_value">0</Option>
|
|
<Option name="firewall_is_part_of_any_and_networks">0</Option>
|
|
<Option name="hashlimit_burst">0</Option>
|
|
<Option name="hashlimit_dstlimit">False</Option>
|
|
<Option name="hashlimit_expire">0</Option>
|
|
<Option name="hashlimit_gcinterval">0</Option>
|
|
<Option name="hashlimit_max">0</Option>
|
|
<Option name="hashlimit_mode_dstip">False</Option>
|
|
<Option name="hashlimit_mode_dstport">False</Option>
|
|
<Option name="hashlimit_mode_srcip">False</Option>
|
|
<Option name="hashlimit_mode_srcport">False</Option>
|
|
<Option name="hashlimit_name"/>
|
|
<Option name="hashlimit_size">0</Option>
|
|
<Option name="hashlimit_suffix"/>
|
|
<Option name="hashlimit_value">0</Option>
|
|
<Option name="limit_burst">0</Option>
|
|
<Option name="limit_suffix"/>
|
|
<Option name="limit_value">0</Option>
|
|
<Option name="limit_value_not">False</Option>
|
|
<Option name="log_level"/>
|
|
<Option name="log_prefix"/>
|
|
<Option name="stateless">False</Option>
|
|
<Option name="ulog_nlgroup">1</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<PolicyRule id="id794220X27867" disabled="False" group="" log="False" position="7" action="Accept" direction="Both" comment="">
|
|
<Src neg="False">
|
|
<ObjectRef ref="id44F7056328576"/>
|
|
<ObjectRef ref="id4389EE9118346"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="id56583X26628"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions/>
|
|
</PolicyRule>
|
|
<PolicyRule id="id56638X26628" disabled="False" group="" log="False" position="8" action="Deny" direction="Both" comment="">
|
|
<Src neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="id44F7056328576"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="stateless">True</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<RuleSetOptions/>
|
|
</Policy>
|
|
<Routing id="id56690X26628" name="Routing" comment="" ro="False" ipv4_rule_set="False" ipv6_rule_set="False" top_rule_set="True">
|
|
<RuleSetOptions/>
|
|
</Routing>
|
|
<Interface id="id56591X26628" dedicated_failover="False" dyn="False" label="ext" security_level="0" unnum="False" unprotected="False" name="eth0" comment="" ro="False">
|
|
<IPv4 id="id56594X26628" name="firewall41:eth0:ip" comment="" ro="False" address="1.1.1.1" netmask="255.255.255.0"/>
|
|
<InterfaceOptions/>
|
|
</Interface>
|
|
<Interface id="id56596X26628" dedicated_failover="False" dyn="False" label="int" security_level="50" unnum="False" unprotected="False" name="eth1" comment="" ro="False">
|
|
<IPv4 id="id56599X26628" name="firewall41:eth1:ip" comment="" ro="False" address="2.2.2.2" netmask="255.255.255.0"/>
|
|
<InterfaceOptions/>
|
|
</Interface>
|
|
<Management address="0.0.0.0">
|
|
<SNMPManagement enabled="False" snmp_read_community="" snmp_write_community=""/>
|
|
<FWBDManagement enabled="False" identity="" port="-1"/>
|
|
<PolicyInstallScript arguments="" command="" enabled="False"/>
|
|
</Management>
|
|
<FirewallOptions>
|
|
<Option name="accept_established">True</Option>
|
|
<Option name="accept_new_tcp_with_no_syn">True</Option>
|
|
<Option name="action_on_reject"/>
|
|
<Option name="activationCmd"/>
|
|
<Option name="add_mgmt_ssh_rule_when_stoped">False</Option>
|
|
<Option name="add_rules_for_ipv6_neighbor_discovery">False</Option>
|
|
<Option name="admUser"/>
|
|
<Option name="altAddress"/>
|
|
<Option name="bridging_fw">False</Option>
|
|
<Option name="check_shading">True</Option>
|
|
<Option name="clamp_mss_to_mtu">False</Option>
|
|
<Option name="classify_mark_terminating">False</Option>
|
|
<Option name="clear_unknown_interfaces">False</Option>
|
|
<Option name="cmdline"/>
|
|
<Option name="compiler"/>
|
|
<Option name="configure_bonding_interfaces">False</Option>
|
|
<Option name="configure_bridge_interfaces">False</Option>
|
|
<Option name="configure_interfaces">True</Option>
|
|
<Option name="configure_vlan_interfaces">False</Option>
|
|
<Option name="debug">False</Option>
|
|
<Option name="drop_invalid">False</Option>
|
|
<Option name="eliminate_duplicates">true</Option>
|
|
<Option name="epilog_script"/>
|
|
<Option name="firewall_dir">/etc</Option>
|
|
<Option name="firewall_is_part_of_any_and_networks">True</Option>
|
|
<Option name="freebsd_ip_forward">1</Option>
|
|
<Option name="ignore_empty_groups">False</Option>
|
|
<Option name="in_out_code">true</Option>
|
|
<Option name="ipv4_6_order">ipv4_first</Option>
|
|
<Option name="limit_suffix"/>
|
|
<Option name="limit_value">0</Option>
|
|
<Option name="linux24_ip_forward">1</Option>
|
|
<Option name="load_modules">True</Option>
|
|
<Option name="local_nat">False</Option>
|
|
<Option name="log_all">False</Option>
|
|
<Option name="log_invalid">False</Option>
|
|
<Option name="log_ip_opt">False</Option>
|
|
<Option name="log_level">info</Option>
|
|
<Option name="log_prefix">RULE %N -- %A </Option>
|
|
<Option name="log_tcp_opt">False</Option>
|
|
<Option name="log_tcp_seq">False</Option>
|
|
<Option name="loopback_interface">lo0</Option>
|
|
<Option name="macosx_ip_forward">1</Option>
|
|
<Option name="manage_virtual_addr">True</Option>
|
|
<Option name="mgmt_addr"/>
|
|
<Option name="mgmt_ssh">False</Option>
|
|
<Option name="openbsd_ip_forward">1</Option>
|
|
<Option name="output_file"/>
|
|
<Option name="pass_all_out">false</Option>
|
|
<Option name="pf_limit_frags">5000</Option>
|
|
<Option name="pf_limit_states">10000</Option>
|
|
<Option name="pf_scrub_maxmss">1460</Option>
|
|
<Option name="pf_timeout_frag">30</Option>
|
|
<Option name="pf_timeout_interval">10</Option>
|
|
<Option name="pix_add_clear_statements">true</Option>
|
|
<Option name="pix_assume_fw_part_of_any">true</Option>
|
|
<Option name="pix_default_logint">300</Option>
|
|
<Option name="pix_emblem_log_format">false</Option>
|
|
<Option name="pix_emulate_out_acl">true</Option>
|
|
<Option name="pix_floodguard">true</Option>
|
|
<Option name="pix_include_comments">true</Option>
|
|
<Option name="pix_route_dnat_supported">true</Option>
|
|
<Option name="pix_rule_syslog_settings">false</Option>
|
|
<Option name="pix_security_fragguard_supported">true</Option>
|
|
<Option name="pix_syslog_device_id_supported">false</Option>
|
|
<Option name="pix_use_acl_remarks">true</Option>
|
|
<Option name="prolog_place">top</Option>
|
|
<Option name="prolog_script"/>
|
|
<Option name="prompt1">$ </Option>
|
|
<Option name="prompt2"> # </Option>
|
|
<Option name="scpArgs"/>
|
|
<Option name="script_name_on_firewall"/>
|
|
<Option name="solaris_ip_forward">1</Option>
|
|
<Option name="sshArgs"/>
|
|
<Option name="ulog_cprange">0</Option>
|
|
<Option name="ulog_nlgroup">1</Option>
|
|
<Option name="ulog_qthreshold">1</Option>
|
|
<Option name="use_ULOG">False</Option>
|
|
<Option name="use_iptables_restore">False</Option>
|
|
<Option name="use_m_set">True</Option>
|
|
<Option name="use_numeric_log_levels">False</Option>
|
|
<Option name="verify_interfaces">True</Option>
|
|
</FirewallOptions>
|
|
</Firewall>
|
|
<Firewall id="id4374266X29460" host_OS="openwrt" inactive="False" lastCompiled="1279850008" lastInstalled="0" lastModified="1279949642" platform="iptables" version="1.4.3" name="firewall41-2" comment="testing run-time address table objects without the iptables 'set' match module (use_m_set is turned off)" ro="False">
|
|
<NAT id="id4374396X29460" name="NAT" comment="" ro="False" ipv4_rule_set="False" ipv6_rule_set="False" top_rule_set="True">
|
|
<NATRule id="id1543124X9995" disabled="False" group="" position="0" action="Translate" comment="">
|
|
<OSrc neg="False">
|
|
<ObjectRef ref="id44F7056328576"/>
|
|
</OSrc>
|
|
<ODst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ODst>
|
|
<OSrv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</OSrv>
|
|
<TSrc neg="False">
|
|
<ObjectRef ref="id56591X26628"/>
|
|
</TSrc>
|
|
<TDst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</TDst>
|
|
<TSrv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</TSrv>
|
|
<ItfInb neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ItfInb>
|
|
<ItfOutb neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ItfOutb>
|
|
<NATRuleOptions/>
|
|
</NATRule>
|
|
<NATRule id="id2101361X9995" disabled="False" group="" position="1" action="Translate" comment="">
|
|
<OSrc neg="True">
|
|
<ObjectRef ref="id44F7056328576"/>
|
|
</OSrc>
|
|
<ODst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ODst>
|
|
<OSrv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</OSrv>
|
|
<TSrc neg="False">
|
|
<ObjectRef ref="id56591X26628"/>
|
|
</TSrc>
|
|
<TDst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</TDst>
|
|
<TSrv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</TSrv>
|
|
<ItfInb neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ItfInb>
|
|
<ItfOutb neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ItfOutb>
|
|
<NATRuleOptions/>
|
|
</NATRule>
|
|
<NATRule id="id1543070X9995" disabled="False" group="" position="2" action="Translate" comment="">
|
|
<OSrc neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</OSrc>
|
|
<ODst neg="False">
|
|
<ObjectRef ref="id44F7056328576"/>
|
|
</ODst>
|
|
<OSrv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</OSrv>
|
|
<TSrc neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</TSrc>
|
|
<TDst neg="False">
|
|
<ObjectRef ref="id46523X95438"/>
|
|
</TDst>
|
|
<TSrv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</TSrv>
|
|
<ItfInb neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ItfInb>
|
|
<ItfOutb neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ItfOutb>
|
|
<NATRuleOptions/>
|
|
</NATRule>
|
|
<RuleSetOptions/>
|
|
</NAT>
|
|
<Policy id="id4374284X29460" name="Policy" comment="" ro="False" ipv4_rule_set="False" ipv6_rule_set="False" top_rule_set="True">
|
|
<PolicyRule id="id4374285X29460" disabled="False" group="" log="False" position="0" action="Accept" direction="Both" comment="">
|
|
<Src neg="False">
|
|
<ObjectRef ref="id4374266X29460"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="id44F7056328576"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions/>
|
|
</PolicyRule>
|
|
<PolicyRule id="id4374297X29460" disabled="False" group="" log="False" position="1" action="Accept" direction="Both" comment="">
|
|
<Src neg="False">
|
|
<ObjectRef ref="id4374266X29460"/>
|
|
</Src>
|
|
<Dst neg="True">
|
|
<ObjectRef ref="id44F7056328576"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="connlimit_above_not">False</Option>
|
|
<Option name="connlimit_masklen">0</Option>
|
|
<Option name="connlimit_value">0</Option>
|
|
<Option name="firewall_is_part_of_any_and_networks"/>
|
|
<Option name="hashlimit_burst">0</Option>
|
|
<Option name="hashlimit_dstlimit">False</Option>
|
|
<Option name="hashlimit_expire">0</Option>
|
|
<Option name="hashlimit_gcinterval">0</Option>
|
|
<Option name="hashlimit_max">0</Option>
|
|
<Option name="hashlimit_mode_dstip">False</Option>
|
|
<Option name="hashlimit_mode_dstport">False</Option>
|
|
<Option name="hashlimit_mode_srcip">False</Option>
|
|
<Option name="hashlimit_mode_srcport">False</Option>
|
|
<Option name="hashlimit_name"/>
|
|
<Option name="hashlimit_size">0</Option>
|
|
<Option name="hashlimit_suffix"/>
|
|
<Option name="hashlimit_value">0</Option>
|
|
<Option name="limit_burst">0</Option>
|
|
<Option name="limit_suffix"/>
|
|
<Option name="limit_value">0</Option>
|
|
<Option name="limit_value_not">False</Option>
|
|
<Option name="log_level"/>
|
|
<Option name="log_prefix"/>
|
|
<Option name="stateless">False</Option>
|
|
<Option name="ulog_nlgroup">1</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<PolicyRule id="id4374309X29460" disabled="False" group="" log="False" position="2" action="Accept" direction="Both" comment="">
|
|
<Src neg="False">
|
|
<ObjectRef ref="id4374266X29460"/>
|
|
</Src>
|
|
<Dst neg="True">
|
|
<ObjectRef ref="id44F7056328576"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="connlimit_above_not">False</Option>
|
|
<Option name="connlimit_masklen">0</Option>
|
|
<Option name="connlimit_value">0</Option>
|
|
<Option name="firewall_is_part_of_any_and_networks">0</Option>
|
|
<Option name="hashlimit_burst">0</Option>
|
|
<Option name="hashlimit_dstlimit">False</Option>
|
|
<Option name="hashlimit_expire">0</Option>
|
|
<Option name="hashlimit_gcinterval">0</Option>
|
|
<Option name="hashlimit_max">0</Option>
|
|
<Option name="hashlimit_mode_dstip">False</Option>
|
|
<Option name="hashlimit_mode_dstport">False</Option>
|
|
<Option name="hashlimit_mode_srcip">False</Option>
|
|
<Option name="hashlimit_mode_srcport">False</Option>
|
|
<Option name="hashlimit_name"/>
|
|
<Option name="hashlimit_size">0</Option>
|
|
<Option name="hashlimit_suffix"/>
|
|
<Option name="hashlimit_value">0</Option>
|
|
<Option name="limit_burst">0</Option>
|
|
<Option name="limit_suffix"/>
|
|
<Option name="limit_value">0</Option>
|
|
<Option name="limit_value_not">False</Option>
|
|
<Option name="log_level"/>
|
|
<Option name="log_prefix"/>
|
|
<Option name="stateless">False</Option>
|
|
<Option name="ulog_nlgroup">1</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<PolicyRule id="id4374321X29460" disabled="False" group="" log="False" position="3" action="Accept" direction="Both" comment="">
|
|
<Src neg="False">
|
|
<ObjectRef ref="id4374266X29460"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="id44F7056328576"/>
|
|
<ObjectRef ref="id4389EE9118346"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions/>
|
|
</PolicyRule>
|
|
<PolicyRule id="id4374334X29460" disabled="False" group="" log="False" position="4" action="Accept" direction="Both" comment="">
|
|
<Src neg="False">
|
|
<ObjectRef ref="id44F7056328576"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="id4374266X29460"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions/>
|
|
</PolicyRule>
|
|
<PolicyRule id="id4374346X29460" disabled="False" group="" log="False" position="5" action="Accept" direction="Both" comment="">
|
|
<Src neg="True">
|
|
<ObjectRef ref="id44F7056328576"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="id4374266X29460"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions/>
|
|
</PolicyRule>
|
|
<PolicyRule id="id4374358X29460" disabled="False" group="" log="False" position="6" action="Accept" direction="Both" comment="">
|
|
<Src neg="True">
|
|
<ObjectRef ref="id44F7056328576"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="id4374266X29460"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="connlimit_above_not">False</Option>
|
|
<Option name="connlimit_masklen">0</Option>
|
|
<Option name="connlimit_value">0</Option>
|
|
<Option name="firewall_is_part_of_any_and_networks">0</Option>
|
|
<Option name="hashlimit_burst">0</Option>
|
|
<Option name="hashlimit_dstlimit">False</Option>
|
|
<Option name="hashlimit_expire">0</Option>
|
|
<Option name="hashlimit_gcinterval">0</Option>
|
|
<Option name="hashlimit_max">0</Option>
|
|
<Option name="hashlimit_mode_dstip">False</Option>
|
|
<Option name="hashlimit_mode_dstport">False</Option>
|
|
<Option name="hashlimit_mode_srcip">False</Option>
|
|
<Option name="hashlimit_mode_srcport">False</Option>
|
|
<Option name="hashlimit_name"/>
|
|
<Option name="hashlimit_size">0</Option>
|
|
<Option name="hashlimit_suffix"/>
|
|
<Option name="hashlimit_value">0</Option>
|
|
<Option name="limit_burst">0</Option>
|
|
<Option name="limit_suffix"/>
|
|
<Option name="limit_value">0</Option>
|
|
<Option name="limit_value_not">False</Option>
|
|
<Option name="log_level"/>
|
|
<Option name="log_prefix"/>
|
|
<Option name="stateless">False</Option>
|
|
<Option name="ulog_nlgroup">1</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<PolicyRule id="id4374370X29460" disabled="False" group="" log="False" position="7" action="Accept" direction="Both" comment="">
|
|
<Src neg="False">
|
|
<ObjectRef ref="id44F7056328576"/>
|
|
<ObjectRef ref="id4389EE9118346"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="id4374266X29460"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions/>
|
|
</PolicyRule>
|
|
<PolicyRule id="id4374383X29460" disabled="False" group="" log="False" position="8" action="Deny" direction="Both" comment="">
|
|
<Src neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="id44F7056328576"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="stateless">True</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<RuleSetOptions/>
|
|
</Policy>
|
|
<Routing id="id4374398X29460" name="Routing" comment="" ro="False" ipv4_rule_set="False" ipv6_rule_set="False" top_rule_set="True">
|
|
<RuleSetOptions/>
|
|
</Routing>
|
|
<Interface id="id4374274X29460" dedicated_failover="False" dyn="False" label="ext" security_level="0" unnum="False" unprotected="False" name="eth0" comment="" ro="False">
|
|
<IPv4 id="id4374277X29460" name="firewall41-2:eth0:ip" comment="" ro="False" address="1.1.1.1" netmask="255.255.255.0"/>
|
|
<InterfaceOptions/>
|
|
</Interface>
|
|
<Interface id="id4374279X29460" dedicated_failover="False" dyn="False" label="int" security_level="50" unnum="False" unprotected="False" name="eth1" comment="" ro="False">
|
|
<IPv4 id="id4374282X29460" name="firewall41-2:eth1:ip" comment="" ro="False" address="2.2.2.2" netmask="255.255.255.0"/>
|
|
<InterfaceOptions/>
|
|
</Interface>
|
|
<Management address="0.0.0.0">
|
|
<SNMPManagement enabled="False" snmp_read_community="" snmp_write_community=""/>
|
|
<FWBDManagement enabled="False" identity="" port="-1"/>
|
|
<PolicyInstallScript arguments="" command="" enabled="False"/>
|
|
</Management>
|
|
<FirewallOptions>
|
|
<Option name="accept_established">true</Option>
|
|
<Option name="accept_new_tcp_with_no_syn">true</Option>
|
|
<Option name="admUser">root</Option>
|
|
<Option name="check_shading">true</Option>
|
|
<Option name="configure_interfaces">true</Option>
|
|
<Option name="eliminate_duplicates">true</Option>
|
|
<Option name="firewall_dir">/etc/init.d</Option>
|
|
<Option name="firewall_is_part_of_any_and_networks">true</Option>
|
|
<Option name="flush_and_set_default_policy">True</Option>
|
|
<Option name="freebsd_ip_forward">1</Option>
|
|
<Option name="in_out_code">true</Option>
|
|
<Option name="limit_value">0</Option>
|
|
<Option name="linux24_ip_forward">1</Option>
|
|
<Option name="load_modules">true</Option>
|
|
<Option name="local_nat">false</Option>
|
|
<Option name="log_level">info</Option>
|
|
<Option name="log_prefix">RULE %N -- %A </Option>
|
|
<Option name="loopback_interface">lo</Option>
|
|
<Option name="macosx_ip_forward">1</Option>
|
|
<Option name="manage_virtual_addr">true</Option>
|
|
<Option name="modules_dir">/lib/modules/`uname -r`/</Option>
|
|
<Option name="openbsd_ip_forward">1</Option>
|
|
<Option name="output_file">fwbuilder.fw</Option>
|
|
<Option name="pass_all_out">false</Option>
|
|
<Option name="pf_limit_frags">5000</Option>
|
|
<Option name="pf_limit_states">10000</Option>
|
|
<Option name="pf_scrub_maxmss">1460</Option>
|
|
<Option name="pf_timeout_frag">30</Option>
|
|
<Option name="pf_timeout_interval">10</Option>
|
|
<Option name="pix_add_clear_statements">true</Option>
|
|
<Option name="pix_assume_fw_part_of_any">true</Option>
|
|
<Option name="pix_default_logint">300</Option>
|
|
<Option name="pix_emblem_log_format">false</Option>
|
|
<Option name="pix_emulate_out_acl">true</Option>
|
|
<Option name="pix_floodguard">true</Option>
|
|
<Option name="pix_include_comments">true</Option>
|
|
<Option name="pix_route_dnat_supported">true</Option>
|
|
<Option name="pix_rule_syslog_settings">false</Option>
|
|
<Option name="pix_security_fragguard_supported">true</Option>
|
|
<Option name="pix_syslog_device_id_supported">false</Option>
|
|
<Option name="pix_use_acl_remarks">true</Option>
|
|
<Option name="prompt1">$ </Option>
|
|
<Option name="prompt2"> # </Option>
|
|
<Option name="solaris_ip_forward">1</Option>
|
|
<Option name="ulog_nlgroup">1</Option>
|
|
<Option name="verify_interfaces">true</Option>
|
|
</FirewallOptions>
|
|
</Firewall>
|
|
<Firewall id="id58461X22302" host_OS="linux24" inactive="False" lastCompiled="0" lastInstalled="0" lastModified="1280368498" platform="iptables" version="" name="firewall82_A" comment="This object holds branch rulesets for firewall82" ro="False">
|
|
<NAT id="id58561X22302" name="NAT" comment="" ro="False" ipv4_rule_set="False" ipv6_rule_set="False" top_rule_set="True">
|
|
<RuleSetOptions/>
|
|
</NAT>
|
|
<Policy id="id58474X22302" name="Policy_A" comment="" ro="False" ipv4_rule_set="True" ipv6_rule_set="False" top_rule_set="True">
|
|
<PolicyRule id="id58476X22302" disabled="False" group="" log="False" position="0" action="Branch" direction="Both" comment="">
|
|
<Src neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="action_on_reject"/>
|
|
<Option name="branch_id">id58582X22302</Option>
|
|
<Option name="classify_str"/>
|
|
<Option name="custom_str"/>
|
|
<Option name="ipf_route_opt_addr"/>
|
|
<Option name="ipf_route_opt_if"/>
|
|
<Option name="ipf_route_option">route_through</Option>
|
|
<Option name="ipfw_classify_method">2</Option>
|
|
<Option name="ipfw_pipe_port_num">0</Option>
|
|
<Option name="ipfw_pipe_queue_num">0</Option>
|
|
<Option name="ipt_branch_in_mangle">False</Option>
|
|
<Option name="ipt_continue">False</Option>
|
|
<Option name="ipt_gw"/>
|
|
<Option name="ipt_iif"/>
|
|
<Option name="ipt_mark_connections">False</Option>
|
|
<Option name="ipt_oif"/>
|
|
<Option name="ipt_tee">False</Option>
|
|
<Option name="pf_fastroute">False</Option>
|
|
<Option name="pf_route_load_option">none</Option>
|
|
<Option name="pf_route_opt_addr"/>
|
|
<Option name="pf_route_opt_if"/>
|
|
<Option name="pf_route_option">none</Option>
|
|
<Option name="rule_name_accounting"/>
|
|
<Option name="stateless">True</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<PolicyRule id="id58504X22302" disabled="False" group="" log="False" position="1" action="Branch" direction="Both" comment="Recursive branching: the target ruleset branches back into this one">
|
|
<Src neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="action_on_reject"/>
|
|
<Option name="branch_id">id58643X22302</Option>
|
|
<Option name="classify_str"/>
|
|
<Option name="custom_str"/>
|
|
<Option name="ipf_route_opt_addr"/>
|
|
<Option name="ipf_route_opt_if"/>
|
|
<Option name="ipf_route_option">route_through</Option>
|
|
<Option name="ipfw_classify_method">2</Option>
|
|
<Option name="ipfw_pipe_port_num">0</Option>
|
|
<Option name="ipfw_pipe_queue_num">0</Option>
|
|
<Option name="ipt_branch_in_mangle">False</Option>
|
|
<Option name="ipt_continue">False</Option>
|
|
<Option name="ipt_gw"/>
|
|
<Option name="ipt_iif"/>
|
|
<Option name="ipt_mark_connections">False</Option>
|
|
<Option name="ipt_oif"/>
|
|
<Option name="ipt_tee">False</Option>
|
|
<Option name="pf_fastroute">False</Option>
|
|
<Option name="pf_route_load_option">none</Option>
|
|
<Option name="pf_route_opt_addr"/>
|
|
<Option name="pf_route_opt_if"/>
|
|
<Option name="pf_route_option">none</Option>
|
|
<Option name="rule_name_accounting"/>
|
|
<Option name="stateless">True</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<PolicyRule id="id58532X22302" disabled="False" group="" log="False" position="2" action="Branch" direction="Both" comment="">
|
|
<Src neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="action_on_reject"/>
|
|
<Option name="branch_id">id58474X22302</Option>
|
|
<Option name="classify_str"/>
|
|
<Option name="custom_str"/>
|
|
<Option name="ipf_route_opt_addr"/>
|
|
<Option name="ipf_route_opt_if"/>
|
|
<Option name="ipf_route_option">route_through</Option>
|
|
<Option name="ipfw_classify_method">2</Option>
|
|
<Option name="ipfw_pipe_port_num">0</Option>
|
|
<Option name="ipfw_pipe_queue_num">0</Option>
|
|
<Option name="ipt_branch_in_mangle">False</Option>
|
|
<Option name="ipt_continue">False</Option>
|
|
<Option name="ipt_gw"/>
|
|
<Option name="ipt_iif"/>
|
|
<Option name="ipt_mark_connections">False</Option>
|
|
<Option name="ipt_oif"/>
|
|
<Option name="ipt_tee">False</Option>
|
|
<Option name="pf_fastroute">False</Option>
|
|
<Option name="pf_route_load_option">none</Option>
|
|
<Option name="pf_route_opt_addr"/>
|
|
<Option name="pf_route_opt_if"/>
|
|
<Option name="pf_route_option">none</Option>
|
|
<Option name="rule_name_accounting"/>
|
|
<Option name="stateless">True</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<RuleSetOptions>
|
|
<Option name="mangle_only_rule_set">False</Option>
|
|
</RuleSetOptions>
|
|
</Policy>
|
|
<Routing id="id58564X22302" name="Routing" comment="" ro="False" ipv4_rule_set="False" ipv6_rule_set="False" top_rule_set="True">
|
|
<RuleSetOptions/>
|
|
</Routing>
|
|
<Management address="0.0.0.0">
|
|
<SNMPManagement enabled="False" snmp_read_community="" snmp_write_community=""/>
|
|
<FWBDManagement enabled="False" identity="" port="-1"/>
|
|
<PolicyInstallScript arguments="" command="" enabled="False"/>
|
|
</Management>
|
|
<FirewallOptions>
|
|
<Option name="accept_established">true</Option>
|
|
<Option name="accept_new_tcp_with_no_syn">true</Option>
|
|
<Option name="check_shading">true</Option>
|
|
<Option name="configure_interfaces">true</Option>
|
|
<Option name="firewall_is_part_of_any_and_networks">true</Option>
|
|
<Option name="flush_and_set_default_policy">True</Option>
|
|
<Option name="limit_value">0</Option>
|
|
<Option name="linux24_ip_forward">1</Option>
|
|
<Option name="load_modules">true</Option>
|
|
<Option name="local_nat">false</Option>
|
|
<Option name="log_level">info</Option>
|
|
<Option name="log_prefix">RULE %N -- %A </Option>
|
|
<Option name="loopback_interface">lo</Option>
|
|
<Option name="manage_virtual_addr">true</Option>
|
|
<Option name="modules_dir">/lib/modules/`uname -r`/kernel/net/</Option>
|
|
<Option name="ulog_nlgroup">1</Option>
|
|
<Option name="verify_interfaces">true</Option>
|
|
</FirewallOptions>
|
|
</Firewall>
|
|
<Firewall id="id58569X22302" host_OS="linux24" inactive="False" lastCompiled="0" lastInstalled="0" lastModified="1280367174" platform="iptables" version="" name="firewall82_B" comment="This object holds branch rulesets for firewall82 and firewall82_A" ro="False">
|
|
<NAT id="id58614X22302" name="NAT" comment="" ro="False" ipv4_rule_set="False" ipv6_rule_set="False" top_rule_set="True">
|
|
<RuleSetOptions/>
|
|
</NAT>
|
|
<Policy id="id58582X22302" name="Policy_B" comment="" ro="False" ipv4_rule_set="True" ipv6_rule_set="False" top_rule_set="True">
|
|
<PolicyRule id="id58584X22302" disabled="False" group="" log="False" position="0" action="Accept" direction="Both" comment="">
|
|
<Src neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="id58601X22302"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="stateless">False</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<RuleSetOptions>
|
|
<Option name="mangle_only_rule_set">False</Option>
|
|
</RuleSetOptions>
|
|
</Policy>
|
|
<Routing id="id58617X22302" name="Routing" comment="" ro="False" ipv4_rule_set="False" ipv6_rule_set="False" top_rule_set="True">
|
|
<RuleSetOptions/>
|
|
</Routing>
|
|
<Management address="0.0.0.0">
|
|
<SNMPManagement enabled="False" snmp_read_community="" snmp_write_community=""/>
|
|
<FWBDManagement enabled="False" identity="" port="-1"/>
|
|
<PolicyInstallScript arguments="" command="" enabled="False"/>
|
|
</Management>
|
|
<FirewallOptions>
|
|
<Option name="accept_established">true</Option>
|
|
<Option name="accept_new_tcp_with_no_syn">true</Option>
|
|
<Option name="check_shading">true</Option>
|
|
<Option name="configure_interfaces">true</Option>
|
|
<Option name="firewall_is_part_of_any_and_networks">true</Option>
|
|
<Option name="flush_and_set_default_policy">True</Option>
|
|
<Option name="limit_value">0</Option>
|
|
<Option name="linux24_ip_forward">1</Option>
|
|
<Option name="load_modules">true</Option>
|
|
<Option name="local_nat">false</Option>
|
|
<Option name="log_level">info</Option>
|
|
<Option name="log_prefix">RULE %N -- %A </Option>
|
|
<Option name="loopback_interface">lo</Option>
|
|
<Option name="manage_virtual_addr">true</Option>
|
|
<Option name="modules_dir">/lib/modules/`uname -r`/kernel/net/</Option>
|
|
<Option name="ulog_nlgroup">1</Option>
|
|
<Option name="verify_interfaces">true</Option>
|
|
</FirewallOptions>
|
|
</Firewall>
|
|
<Firewall id="id58622X22302" host_OS="linux24" inactive="False" lastCompiled="1280368514" lastInstalled="0" lastModified="1280368498" platform="iptables" version="" name="firewall82" comment="This firewall has two interfaces. Eth0 faces outside and has a dynamic address; eth1 faces inside. The policy includes basic rules to permit unrestricted outbound access and anti-spoofing rules. Access to the firewall is permitted only from the internal network and only using SSH. The firewall uses one of the machines on the internal network for DNS. The internal network is configured with address 192.168.1.0/255.255.255.0" ro="False">
|
|
<NAT id="id58871X22302" name="NAT" comment="" ro="False" ipv4_rule_set="False" ipv6_rule_set="False" top_rule_set="True">
|
|
<NATRule id="id58873X22302" disabled="False" group="" position="0" action="Translate" comment="">
|
|
<OSrc neg="False">
|
|
<ObjectRef ref="id3DC75CE7-1"/>
|
|
</OSrc>
|
|
<ODst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ODst>
|
|
<OSrv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</OSrv>
|
|
<TSrc neg="False">
|
|
<ObjectRef ref="id58630X22302"/>
|
|
</TSrc>
|
|
<TDst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</TDst>
|
|
<TSrv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</TSrv>
|
|
<ItfInb neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ItfInb>
|
|
<ItfOutb neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ItfOutb>
|
|
<NATRuleOptions/>
|
|
</NATRule>
|
|
<RuleSetOptions/>
|
|
</NAT>
|
|
<Policy id="id58643X22302" name="Policy" comment="" ro="False" ipv4_rule_set="False" ipv6_rule_set="False" top_rule_set="True">
|
|
<PolicyRule id="id58645X22302" disabled="False" group="" log="False" position="0" action="Branch" direction="Both" comment="">
|
|
<Src neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="action_on_reject"/>
|
|
<Option name="branch_id">id58474X22302</Option>
|
|
<Option name="classify_str"/>
|
|
<Option name="custom_str"/>
|
|
<Option name="ipf_route_opt_addr"/>
|
|
<Option name="ipf_route_opt_if"/>
|
|
<Option name="ipf_route_option">route_through</Option>
|
|
<Option name="ipfw_classify_method">2</Option>
|
|
<Option name="ipfw_pipe_port_num">0</Option>
|
|
<Option name="ipfw_pipe_queue_num">0</Option>
|
|
<Option name="ipt_branch_in_mangle">False</Option>
|
|
<Option name="ipt_continue">False</Option>
|
|
<Option name="ipt_gw"/>
|
|
<Option name="ipt_iif"/>
|
|
<Option name="ipt_mark_connections">False</Option>
|
|
<Option name="ipt_oif"/>
|
|
<Option name="ipt_tee">False</Option>
|
|
<Option name="pf_fastroute">False</Option>
|
|
<Option name="pf_route_load_option">none</Option>
|
|
<Option name="pf_route_opt_addr"/>
|
|
<Option name="pf_route_opt_if"/>
|
|
<Option name="pf_route_option">none</Option>
|
|
<Option name="rule_name_accounting"/>
|
|
<Option name="stateless">True</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<RuleSetOptions/>
|
|
</Policy>
|
|
<Routing id="id58907X22302" name="Routing" comment="" ro="False" ipv4_rule_set="False" ipv6_rule_set="False" top_rule_set="True">
|
|
<RuleSetOptions/>
|
|
</Routing>
|
|
<Interface id="id58630X22302" dedicated_failover="False" dyn="True" label="outside" mgmt="False" security_level="0" unnum="False" unprotected="False" name="eth0" comment="" ro="False">
|
|
<InterfaceOptions/>
|
|
</Interface>
|
|
<Interface id="id58632X22302" dedicated_failover="False" dyn="False" label="inside" mgmt="True" security_level="100" unnum="False" unprotected="False" name="eth1" comment="" ro="False">
|
|
<IPv4 id="id58633X22302" name="firewall82:eth1:ip" comment="" ro="False" address="192.168.1.1" netmask="255.255.255.0"/>
|
|
<InterfaceOptions/>
|
|
</Interface>
|
|
<Interface id="id58635X22302" dedicated_failover="False" dyn="False" label="loopback" mgmt="False" security_level="100" unnum="False" unprotected="False" name="lo" comment="" ro="False">
|
|
<IPv4 id="id58636X22302" name="firewall82:lo:ip" comment="" ro="False" address="127.0.0.1" netmask="255.0.0.0"/>
|
|
<InterfaceOptions/>
|
|
</Interface>
|
|
<Management address="0.0.0.0">
|
|
<SNMPManagement enabled="False" snmp_read_community="" snmp_write_community=""/>
|
|
<FWBDManagement enabled="False" identity="" port="-1"/>
|
|
<PolicyInstallScript arguments="" command="" enabled="False"/>
|
|
</Management>
|
|
<FirewallOptions>
|
|
<Option name="accept_established">true</Option>
|
|
<Option name="accept_new_tcp_with_no_syn">true</Option>
|
|
<Option name="check_shading">true</Option>
|
|
<Option name="compiler"/>
|
|
<Option name="configure_interfaces">true</Option>
|
|
<Option name="eliminate_duplicates">true</Option>
|
|
<Option name="firewall_dir">/etc</Option>
|
|
<Option name="firewall_is_part_of_any_and_networks">true</Option>
|
|
<Option name="flush_and_set_default_policy">True</Option>
|
|
<Option name="freebsd_ip_forward">1</Option>
|
|
<Option name="limit_value">0</Option>
|
|
<Option name="linux24_ip_forward">1</Option>
|
|
<Option name="load_modules">true</Option>
|
|
<Option name="local_nat">false</Option>
|
|
<Option name="log_level">info</Option>
|
|
<Option name="log_prefix">RULE %N -- %A </Option>
|
|
<Option name="loopback_interface">lo</Option>
|
|
<Option name="macosx_ip_forward">1</Option>
|
|
<Option name="manage_virtual_addr">true</Option>
|
|
<Option name="modules_dir">/lib/modules/`uname -r`/kernel/net/</Option>
|
|
<Option name="openbsd_ip_forward">1</Option>
|
|
<Option name="pf_limit_frags">5000</Option>
|
|
<Option name="pf_limit_states">10000</Option>
|
|
<Option name="pf_timeout_frag">30</Option>
|
|
<Option name="pf_timeout_interval">10</Option>
|
|
<Option name="pix_add_clear_statements">true</Option>
|
|
<Option name="pix_assume_fw_part_of_any">true</Option>
|
|
<Option name="pix_default_logint">300</Option>
|
|
<Option name="pix_emblem_log_format">false</Option>
|
|
<Option name="pix_emulate_out_acl">true</Option>
|
|
<Option name="pix_floodguard">true</Option>
|
|
<Option name="pix_include_comments">true</Option>
|
|
<Option name="pix_route_dnat_supported">true</Option>
|
|
<Option name="pix_rule_syslog_settings">false</Option>
|
|
<Option name="pix_security_fragguard_supported">true</Option>
|
|
<Option name="pix_syslog_device_id_supported">false</Option>
|
|
<Option name="pix_use_acl_remarks">true</Option>
|
|
<Option name="solaris_ip_forward">1</Option>
|
|
<Option name="ulog_nlgroup">1</Option>
|
|
<Option name="verify_interfaces">true</Option>
|
|
</FirewallOptions>
|
|
</Firewall>
|
|
<Firewall id="id57603X15729" host_OS="linux24" inactive="False" lastCompiled="0" lastInstalled="0" lastModified="1280885581" platform="iptables" version="" name="firewall90" comment="Test for the ipv4options module" ro="False">
|
|
<NAT id="id57607X15729" name="NAT" comment="" ro="False" ipv4_rule_set="False" ipv6_rule_set="False" top_rule_set="True">
|
|
<RuleSetOptions/>
|
|
</NAT>
|
|
<Policy id="id57605X15729" name="Policy" comment="" ro="False" ipv4_rule_set="False" ipv6_rule_set="False" top_rule_set="True">
|
|
<PolicyRule id="id630015X15729" disabled="False" group="" log="False" position="0" action="Deny" direction="Both" comment="">
|
|
<Src neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="id49146X15005"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="stateless">True</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<PolicyRule id="id630109X15729" disabled="False" group="" log="False" position="1" action="Deny" direction="Both" comment="">
|
|
<Src neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="ip-RR"/>
|
|
<ServiceRef ref="ip-SRR"/>
|
|
<ServiceRef ref="id3B6659A5"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="stateless">True</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<PolicyRule id="id630061X15729" disabled="False" group="" log="False" position="2" action="Deny" direction="Both" comment="">
|
|
<Src neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="id49136X22476"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="stateless">True</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<RuleSetOptions/>
|
|
</Policy>
|
|
<Routing id="id57609X15729" name="Routing" comment="" ro="False" ipv4_rule_set="False" ipv6_rule_set="False" top_rule_set="True">
|
|
<RuleSetOptions/>
|
|
</Routing>
|
|
<Interface id="id57611X15729" dedicated_failover="False" dyn="False" label="" security_level="0" unnum="False" unprotected="False" name="eth0" comment="" ro="False">
|
|
<IPv4 id="id57612X15729" name="firewall90:eth0:ip" comment="" ro="False" address="192.0.2.1" netmask="255.255.255.0"/>
|
|
<InterfaceOptions/>
|
|
</Interface>
|
|
<Management address="0.0.0.0">
|
|
<SNMPManagement enabled="False" snmp_read_community="" snmp_write_community=""/>
|
|
<FWBDManagement enabled="False" identity="" port="-1"/>
|
|
<PolicyInstallScript arguments="" command="" enabled="False"/>
|
|
</Management>
|
|
<FirewallOptions>
|
|
<Option name="accept_established">True</Option>
|
|
<Option name="accept_new_tcp_with_no_syn">True</Option>
|
|
<Option name="action_on_reject"/>
|
|
<Option name="activationCmd"/>
|
|
<Option name="add_mgmt_ssh_rule_when_stoped">False</Option>
|
|
<Option name="add_rules_for_ipv6_neighbor_discovery">False</Option>
|
|
<Option name="admUser"/>
|
|
<Option name="altAddress"/>
|
|
<Option name="bridging_fw">False</Option>
|
|
<Option name="check_shading">True</Option>
|
|
<Option name="clamp_mss_to_mtu">False</Option>
|
|
<Option name="classify_mark_terminating">False</Option>
|
|
<Option name="clear_unknown_interfaces">False</Option>
|
|
<Option name="cmdline"/>
|
|
<Option name="compiler"/>
|
|
<Option name="configure_bonding_interfaces">False</Option>
|
|
<Option name="configure_bridge_interfaces">False</Option>
|
|
<Option name="configure_interfaces">True</Option>
|
|
<Option name="configure_vlan_interfaces">False</Option>
|
|
<Option name="debug">False</Option>
|
|
<Option name="drop_invalid">False</Option>
|
|
<Option name="epilog_script"/>
|
|
<Option name="firewall_dir"/>
|
|
<Option name="firewall_is_part_of_any_and_networks">False</Option>
|
|
<Option name="flush_and_set_default_policy">True</Option>
|
|
<Option name="ignore_empty_groups">False</Option>
|
|
<Option name="ipv4_6_order">ipv4_first</Option>
|
|
<Option name="limit_suffix"/>
|
|
<Option name="limit_value">0</Option>
|
|
<Option name="linux24_ip_forward">1</Option>
|
|
<Option name="load_modules">True</Option>
|
|
<Option name="local_nat">False</Option>
|
|
<Option name="log_all">False</Option>
|
|
<Option name="log_invalid">False</Option>
|
|
<Option name="log_ip_opt">False</Option>
|
|
<Option name="log_level">info</Option>
|
|
<Option name="log_prefix">RULE %N -- %A </Option>
|
|
<Option name="log_tcp_opt">False</Option>
|
|
<Option name="log_tcp_seq">False</Option>
|
|
<Option name="loopback_interface">lo</Option>
|
|
<Option name="manage_virtual_addr">True</Option>
|
|
<Option name="mgmt_addr"/>
|
|
<Option name="mgmt_ssh">False</Option>
|
|
<Option name="modules_dir">/lib/modules/`uname -r`/kernel/net/</Option>
|
|
<Option name="output_file"/>
|
|
<Option name="prolog_place">top</Option>
|
|
<Option name="prolog_script"/>
|
|
<Option name="scpArgs"/>
|
|
<Option name="script_name_on_firewall"/>
|
|
<Option name="sshArgs"/>
|
|
<Option name="ulog_cprange">0</Option>
|
|
<Option name="ulog_nlgroup">1</Option>
|
|
<Option name="ulog_qthreshold">1</Option>
|
|
<Option name="use_ULOG">False</Option>
|
|
<Option name="use_iptables_restore">False</Option>
|
|
<Option name="use_m_set">False</Option>
|
|
<Option name="use_numeric_log_levels">False</Option>
|
|
<Option name="verify_interfaces">True</Option>
|
|
</FirewallOptions>
|
|
</Firewall>
|
|
<Firewall id="id1192674X15729" host_OS="linux24" inactive="False" lastCompiled="0" lastInstalled="0" lastModified="1280885576" platform="iptables" version="1.4.3" name="firewall91" comment="Test for the ipv4options module with iptables v1.4.3 and later" ro="False">
|
|
<NAT id="id1192727X15729" name="NAT" comment="" ro="False" ipv4_rule_set="False" ipv6_rule_set="False" top_rule_set="True">
|
|
<RuleSetOptions/>
|
|
</NAT>
|
|
<Policy id="id1192687X15729" name="Policy" comment="" ro="False" ipv4_rule_set="False" ipv6_rule_set="False" top_rule_set="True">
|
|
<PolicyRule id="id1192688X15729" disabled="False" group="" log="False" position="0" action="Deny" direction="Both" comment="">
|
|
<Src neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="id49146X15005"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="stateless">True</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<PolicyRule id="id1192700X15729" disabled="False" group="" log="False" position="1" action="Deny" direction="Both" comment="">
|
|
<Src neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="ip-RR"/>
|
|
<ServiceRef ref="ip-SRR"/>
|
|
<ServiceRef ref="id3B6659A5"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="stateless">True</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<PolicyRule id="id1192714X15729" disabled="False" group="" log="False" position="2" action="Deny" direction="Both" comment="">
|
|
<Src neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="id49136X22476"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="stateless">True</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<RuleSetOptions/>
|
|
</Policy>
|
|
<Routing id="id1192729X15729" name="Routing" comment="" ro="False" ipv4_rule_set="False" ipv6_rule_set="False" top_rule_set="True">
|
|
<RuleSetOptions/>
|
|
</Routing>
|
|
<Interface id="id1192682X15729" dedicated_failover="False" dyn="False" label="" security_level="0" unnum="False" unprotected="False" name="eth0" comment="" ro="False">
|
|
<IPv4 id="id1192685X15729" name="firewall91:eth0:ip" comment="" ro="False" address="192.0.2.1" netmask="255.255.255.0"/>
|
|
<InterfaceOptions/>
|
|
</Interface>
|
|
<Management address="0.0.0.0">
|
|
<SNMPManagement enabled="False" snmp_read_community="" snmp_write_community=""/>
|
|
<FWBDManagement enabled="False" identity="" port="-1"/>
|
|
<PolicyInstallScript arguments="" command="" enabled="False"/>
|
|
</Management>
|
|
<FirewallOptions>
|
|
<Option name="accept_established">True</Option>
|
|
<Option name="accept_new_tcp_with_no_syn">True</Option>
|
|
<Option name="action_on_reject"/>
|
|
<Option name="activationCmd"/>
|
|
<Option name="add_mgmt_ssh_rule_when_stoped">False</Option>
|
|
<Option name="add_rules_for_ipv6_neighbor_discovery">False</Option>
|
|
<Option name="admUser"/>
|
|
<Option name="altAddress"/>
|
|
<Option name="bridging_fw">False</Option>
|
|
<Option name="check_shading">True</Option>
|
|
<Option name="clamp_mss_to_mtu">False</Option>
|
|
<Option name="classify_mark_terminating">False</Option>
|
|
<Option name="clear_unknown_interfaces">False</Option>
|
|
<Option name="cmdline"/>
|
|
<Option name="compiler"/>
|
|
<Option name="configure_bonding_interfaces">False</Option>
|
|
<Option name="configure_bridge_interfaces">False</Option>
|
|
<Option name="configure_interfaces">True</Option>
|
|
<Option name="configure_vlan_interfaces">False</Option>
|
|
<Option name="debug">False</Option>
|
|
<Option name="drop_invalid">False</Option>
|
|
<Option name="epilog_script"/>
|
|
<Option name="firewall_dir"/>
|
|
<Option name="firewall_is_part_of_any_and_networks">False</Option>
|
|
<Option name="flush_and_set_default_policy">True</Option>
|
|
<Option name="ignore_empty_groups">False</Option>
|
|
<Option name="ipv4_6_order">ipv4_first</Option>
|
|
<Option name="limit_suffix"/>
|
|
<Option name="limit_value">0</Option>
|
|
<Option name="linux24_ip_forward">1</Option>
|
|
<Option name="load_modules">True</Option>
|
|
<Option name="local_nat">False</Option>
|
|
<Option name="log_all">False</Option>
|
|
<Option name="log_invalid">False</Option>
|
|
<Option name="log_ip_opt">False</Option>
|
|
<Option name="log_level">info</Option>
|
|
<Option name="log_prefix">RULE %N -- %A </Option>
|
|
<Option name="log_tcp_opt">False</Option>
|
|
<Option name="log_tcp_seq">False</Option>
|
|
<Option name="loopback_interface">lo</Option>
|
|
<Option name="manage_virtual_addr">True</Option>
|
|
<Option name="mgmt_addr"/>
|
|
<Option name="mgmt_ssh">False</Option>
|
|
<Option name="modules_dir">/lib/modules/`uname -r`/kernel/net/</Option>
|
|
<Option name="output_file"/>
|
|
<Option name="prolog_place">top</Option>
|
|
<Option name="prolog_script"/>
|
|
<Option name="scpArgs"/>
|
|
<Option name="script_name_on_firewall"/>
|
|
<Option name="sshArgs"/>
|
|
<Option name="ulog_cprange">0</Option>
|
|
<Option name="ulog_nlgroup">1</Option>
|
|
<Option name="ulog_qthreshold">1</Option>
|
|
<Option name="use_ULOG">False</Option>
|
|
<Option name="use_iptables_restore">False</Option>
|
|
<Option name="use_m_set">False</Option>
|
|
<Option name="use_numeric_log_levels">False</Option>
|
|
<Option name="verify_interfaces">True</Option>
|
|
</FirewallOptions>
|
|
</Firewall>
|
|
<Firewall id="id630768X9517" host_OS="linux24" inactive="False" lastCompiled="0" lastInstalled="0" lastModified="1282244903" platform="iptables" version="" name="firewall92" comment="rules for the Tor transparent proxy, per https://trac.torproject.org/projects/tor/wiki/TheOnionRouter/TransparentProxy; see ticket 1685" ro="False">
|
|
<NAT id="id630772X9517" name="NAT" comment="" ro="False" ipv4_rule_set="False" ipv6_rule_set="False" top_rule_set="True">
|
|
<NATRule id="id630812X9517" disabled="False" group="" position="0" action="Translate" comment="">
|
|
<OSrc neg="False">
|
|
<ObjectRef ref="id630768X9517"/>
|
|
</OSrc>
|
|
<ODst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ODst>
|
|
<OSrv neg="False">
|
|
<ServiceRef ref="id248805X9517"/>
|
|
</OSrv>
|
|
<TSrc neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</TSrc>
|
|
<TDst neg="False">
|
|
<ObjectRef ref="id630768X9517"/>
|
|
</TDst>
|
|
<TSrv neg="False">
|
|
<ServiceRef ref="udp-DNS"/>
|
|
</TSrv>
|
|
<ItfInb neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ItfInb>
|
|
<ItfOutb neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ItfOutb>
|
|
<NATRuleOptions/>
|
|
</NATRule>
|
|
<NATRule id="id630920X9517" disabled="False" group="" position="1" action="Translate" comment="">
|
|
<OSrc neg="False">
|
|
<ObjectRef ref="id630768X9517"/>
|
|
</OSrc>
|
|
<ODst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ODst>
|
|
<OSrv neg="False">
|
|
<ServiceRef ref="id57956X8289"/>
|
|
</OSrv>
|
|
<TSrc neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</TSrc>
|
|
<TDst neg="False">
|
|
<ObjectRef ref="id630768X9517"/>
|
|
</TDst>
|
|
<TSrv neg="False">
|
|
<ServiceRef ref="id1195021X6573"/>
|
|
</TSrv>
|
|
<ItfInb neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ItfInb>
|
|
<ItfOutb neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ItfOutb>
|
|
<NATRuleOptions/>
|
|
</NATRule>
|
|
<NATRule id="id630866X9517" disabled="False" group="" position="2" action="Translate" comment="">
|
|
<OSrc neg="False">
|
|
<ObjectRef ref="id630768X9517"/>
|
|
</OSrc>
|
|
<ODst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ODst>
|
|
<OSrv neg="False">
|
|
<ServiceRef ref="id248805X9517"/>
|
|
</OSrv>
|
|
<TSrc neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</TSrc>
|
|
<TDst neg="False">
|
|
<ObjectRef ref="id630768X9517"/>
|
|
</TDst>
|
|
<TSrv neg="False">
|
|
<ServiceRef ref="id1195021X6573"/>
|
|
</TSrv>
|
|
<ItfInb neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ItfInb>
|
|
<ItfOutb neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ItfOutb>
|
|
<NATRuleOptions/>
|
|
</NATRule>
|
|
<RuleSetOptions/>
|
|
</NAT>
|
|
<Policy id="id630770X9517" name="Policy" comment="" ro="False" ipv4_rule_set="False" ipv6_rule_set="False" top_rule_set="True">
|
|
<PolicyRule id="id631046X9517" disabled="False" group="" log="False" position="0" action="Accept" direction="Outbound" comment="">
|
|
<Src neg="False">
|
|
<ObjectRef ref="id630768X9517"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="id57956X8289"/>
|
|
<ServiceRef ref="id248805X9517"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="stateless">False</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<PolicyRule id="id1009773X9517" disabled="False" group="" log="False" position="1" action="Branch" direction="Outbound" comment="match the module owner here; TCP and UDP ports are matched in the branch rule set">
|
|
<Src neg="False">
|
|
<ObjectRef ref="id630768X9517"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="id631131X9517"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="action_on_reject"/>
|
|
<Option name="branch_id">id1009662X9517</Option>
|
|
<Option name="classify_str"/>
|
|
<Option name="custom_str"/>
|
|
<Option name="ipf_route_opt_addr"/>
|
|
<Option name="ipf_route_opt_if"/>
|
|
<Option name="ipf_route_option">route_through</Option>
|
|
<Option name="ipfw_classify_method">2</Option>
|
|
<Option name="ipfw_pipe_port_num">0</Option>
|
|
<Option name="ipfw_pipe_queue_num">0</Option>
|
|
<Option name="ipt_branch_in_mangle">False</Option>
|
|
<Option name="ipt_continue">False</Option>
|
|
<Option name="ipt_gw"/>
|
|
<Option name="ipt_iif"/>
|
|
<Option name="ipt_mark_connections">False</Option>
|
|
<Option name="ipt_oif"/>
|
|
<Option name="ipt_tee">False</Option>
|
|
<Option name="pf_fastroute">False</Option>
|
|
<Option name="pf_route_load_option">none</Option>
|
|
<Option name="pf_route_opt_addr"/>
|
|
<Option name="pf_route_opt_if"/>
|
|
<Option name="pf_route_option">none</Option>
|
|
<Option name="rule_name_accounting"/>
|
|
<Option name="stateless">True</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<PolicyRule id="id631140X9517" disabled="False" group="" log="True" position="2" action="Deny" direction="Outbound" comment="this rule only matches the module owner">
|
|
<Src neg="False">
|
|
<ObjectRef ref="id630768X9517"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="id631131X9517"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="stateless">True</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<RuleSetOptions/>
|
|
</Policy>
|
|
<Policy id="id1009662X9517" name="Policy_1" comment="" ro="False" ipv4_rule_set="False" ipv6_rule_set="False" top_rule_set="False">
|
|
<PolicyRule id="id1009688X9517" disabled="False" group="" log="True" position="0" action="Deny" direction="Outbound" comment="">
|
|
<Src neg="False">
|
|
<ObjectRef ref="id630768X9517"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="udp-DNS"/>
|
|
<ServiceRef ref="id1195021X6573"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="stateless">True</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<RuleSetOptions/>
|
|
</Policy>
|
|
<Routing id="id630774X9517" name="Routing" comment="" ro="False" ipv4_rule_set="False" ipv6_rule_set="False" top_rule_set="True">
|
|
<RuleSetOptions/>
|
|
</Routing>
|
|
<Interface id="id630776X9517" dedicated_failover="False" dyn="False" label="" security_level="0" unnum="False" unprotected="False" name="eth0" comment="" ro="False">
|
|
<IPv4 id="id630777X9517" name="firewall92:eth0:ip" comment="" ro="False" address="192.0.2.1" netmask="255.255.255.0"/>
|
|
<InterfaceOptions/>
|
|
</Interface>
|
|
<Interface id="id630778X9517" dedicated_failover="False" dyn="False" label="" security_level="100" unnum="False" unprotected="False" name="eth1" comment="" ro="False">
|
|
<IPv4 id="id630779X9517" name="firewall92:eth1:ip" comment="" ro="False" address="192.168.1.1" netmask="255.255.255.0"/>
|
|
<InterfaceOptions/>
|
|
</Interface>
|
|
<Management address="0.0.0.0">
|
|
<SNMPManagement enabled="False" snmp_read_community="" snmp_write_community=""/>
|
|
<FWBDManagement enabled="False" identity="" port="-1"/>
|
|
<PolicyInstallScript arguments="" command="" enabled="False"/>
|
|
</Management>
|
|
<FirewallOptions>
|
|
<Option name="accept_established">True</Option>
|
|
<Option name="accept_new_tcp_with_no_syn">True</Option>
|
|
<Option name="action_on_reject"/>
|
|
<Option name="activationCmd"/>
|
|
<Option name="add_mgmt_ssh_rule_when_stoped">False</Option>
|
|
<Option name="add_rules_for_ipv6_neighbor_discovery">False</Option>
|
|
<Option name="admUser"/>
|
|
<Option name="altAddress"/>
|
|
<Option name="bridging_fw">False</Option>
|
|
<Option name="check_shading">False</Option>
|
|
<Option name="clamp_mss_to_mtu">False</Option>
|
|
<Option name="classify_mark_terminating">False</Option>
|
|
<Option name="clear_unknown_interfaces">False</Option>
|
|
<Option name="cmdline"/>
|
|
<Option name="compiler"/>
|
|
<Option name="configure_bonding_interfaces">False</Option>
|
|
<Option name="configure_bridge_interfaces">False</Option>
|
|
<Option name="configure_interfaces">True</Option>
|
|
<Option name="configure_vlan_interfaces">False</Option>
|
|
<Option name="debug">False</Option>
|
|
<Option name="drop_invalid">False</Option>
|
|
<Option name="epilog_script"/>
|
|
<Option name="firewall_dir"/>
|
|
<Option name="firewall_is_part_of_any_and_networks">True</Option>
|
|
<Option name="flush_and_set_default_policy">True</Option>
|
|
<Option name="ignore_empty_groups">False</Option>
|
|
<Option name="ipv4_6_order">ipv4_first</Option>
|
|
<Option name="limit_suffix"/>
|
|
<Option name="limit_value">0</Option>
|
|
<Option name="linux24_ip_forward">1</Option>
|
|
<Option name="load_modules">True</Option>
|
|
<Option name="local_nat">True</Option>
|
|
<Option name="log_all">False</Option>
|
|
<Option name="log_invalid">False</Option>
|
|
<Option name="log_ip_opt">False</Option>
|
|
<Option name="log_level">info</Option>
|
|
<Option name="log_prefix">RULE %N -- %A </Option>
|
|
<Option name="log_tcp_opt">False</Option>
|
|
<Option name="log_tcp_seq">False</Option>
|
|
<Option name="loopback_interface">lo</Option>
|
|
<Option name="manage_virtual_addr">True</Option>
|
|
<Option name="mgmt_addr"/>
|
|
<Option name="mgmt_ssh">False</Option>
|
|
<Option name="modules_dir">/lib/modules/`uname -r`/kernel/net/</Option>
|
|
<Option name="output_file"/>
|
|
<Option name="prolog_place">top</Option>
|
|
<Option name="prolog_script"/>
|
|
<Option name="scpArgs"/>
|
|
<Option name="script_name_on_firewall"/>
|
|
<Option name="sshArgs"/>
|
|
<Option name="ulog_cprange">0</Option>
|
|
<Option name="ulog_nlgroup">1</Option>
|
|
<Option name="ulog_qthreshold">1</Option>
|
|
<Option name="use_ULOG">False</Option>
|
|
<Option name="use_iptables_restore">False</Option>
|
|
<Option name="use_m_set">False</Option>
|
|
<Option name="use_numeric_log_levels">False</Option>
|
|
<Option name="verify_interfaces">True</Option>
|
|
</FirewallOptions>
|
|
</Firewall>
|
|
<Firewall id="id58536X16164" host_OS="linux24" inactive="False" lastCompiled="0" lastInstalled="0" lastModified="1291313406" platform="iptables" version="" name="firewall93" comment="testing shell code generated for a dynamic interface with &quot;-&quot; in its name" ro="False">
|
|
<NAT id="id58540X16164" name="NAT" comment="" ro="False" ipv4_rule_set="False" ipv6_rule_set="False" top_rule_set="True">
|
|
<RuleSetOptions/>
|
|
</NAT>
|
|
<Policy id="id58538X16164" name="Policy" comment="" ro="False" ipv4_rule_set="False" ipv6_rule_set="False" top_rule_set="True">
|
|
<PolicyRule id="id58669X16164" disabled="False" group="" log="False" position="0" action="Accept" direction="Inbound" comment="">
|
|
<Src neg="False">
|
|
<ObjectRef ref="id58536X16164"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="id58546X16164"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="stateless">False</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<PolicyRule id="id58554X16164" disabled="False" group="" log="False" position="1" action="Accept" direction="Inbound" comment="">
|
|
<Src neg="False">
|
|
<ObjectRef ref="id58536X16164"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="id58547X16164"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="stateless">False</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<RuleSetOptions/>
|
|
</Policy>
|
|
<Policy id="id58636X17179" name="Policy_v6" comment="" ro="False" ipv4_rule_set="False" ipv6_rule_set="True" top_rule_set="False">
|
|
<PolicyRule id="id58697X17179" disabled="False" group="" log="False" position="0" action="Accept" direction="Inbound" comment="">
|
|
<Src neg="False">
|
|
<ObjectRef ref="id58536X16164"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="id58547X16164"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="stateless">False</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<PolicyRule id="id58743X17179" disabled="False" group="" log="False" position="1" action="Accept" direction="Inbound" comment="">
|
|
<Src neg="False">
|
|
<ObjectRef ref="id58536X16164"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="id58546X16164"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="stateless">False</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<RuleSetOptions>
|
|
<Option name="mangle_only_rule_set">False</Option>
|
|
</RuleSetOptions>
|
|
</Policy>
|
|
<Routing id="id58542X16164" name="Routing" comment="" ro="False" ipv4_rule_set="False" ipv6_rule_set="False" top_rule_set="True">
|
|
<RuleSetOptions/>
|
|
</Routing>
|
|
<Interface id="id58544X16164" dedicated_failover="False" dyn="False" label="" security_level="0" unnum="False" unprotected="False" name="eth0" comment="" ro="False">
|
|
<IPv4 id="id58545X16164" name="firewall93:eth0:ip" comment="" ro="False" address="192.0.2.1" netmask="255.255.255.0"/>
|
|
<IPv6 id="id58771X17179" name="firewall93:eth0:ipv6" comment="" ro="False" address="fe80::20c:29ff:fe28:c078" netmask="64"/>
|
|
<InterfaceOptions/>
|
|
</Interface>
|
|
<Interface id="id58546X16164" dedicated_failover="False" dyn="True" label="" security_level="0" unnum="False" unprotected="False" name="ppp0" comment="" ro="False">
|
|
<InterfaceOptions/>
|
|
</Interface>
|
|
<Interface id="id58547X16164" dedicated_failover="False" dyn="True" label="" security_level="0" unnum="False" unprotected="False" name="ppp-dsl" comment="" ro="False">
|
|
<InterfaceOptions/>
|
|
</Interface>
|
|
<Management address="0.0.0.0">
|
|
<SNMPManagement enabled="False" snmp_read_community="" snmp_write_community=""/>
|
|
<FWBDManagement enabled="False" identity="" port="-1"/>
|
|
<PolicyInstallScript arguments="" command="" enabled="False"/>
|
|
</Management>
|
|
<FirewallOptions>
|
|
<Option name="accept_established">true</Option>
|
|
<Option name="accept_new_tcp_with_no_syn">true</Option>
|
|
<Option name="check_shading">true</Option>
|
|
<Option name="configure_interfaces">true</Option>
|
|
<Option name="firewall_is_part_of_any_and_networks">true</Option>
|
|
<Option name="flush_and_set_default_policy">True</Option>
|
|
<Option name="limit_value">0</Option>
|
|
<Option name="linux24_ip_forward">1</Option>
|
|
<Option name="load_modules">true</Option>
|
|
<Option name="local_nat">false</Option>
|
|
<Option name="log_level">info</Option>
|
|
<Option name="log_prefix">RULE %N -- %A </Option>
|
|
<Option name="loopback_interface">lo</Option>
|
|
<Option name="manage_virtual_addr">true</Option>
|
|
<Option name="modules_dir">/lib/modules/`uname -r`/kernel/net/</Option>
|
|
<Option name="ulog_nlgroup">1</Option>
|
|
<Option name="verify_interfaces">true</Option>
|
|
</FirewallOptions>
|
|
</Firewall>
|
|
<Firewall id="id1430997X8221" host_OS="linux24" inactive="False" lastCompiled="1272404353" lastInstalled="1142003872" lastModified="1298252008" platform="iptables" version="" name="firewall2-6" comment="tests for NAT rules with inbound and outbound interfaces" ro="False">
|
|
<NAT id="id1431063X8221" name="NAT" comment="" ro="False" ipv4_rule_set="False" ipv6_rule_set="False" top_rule_set="True">
|
|
<NATRule id="id1431065X8221" disabled="False" group="" position="0" action="Translate" comment="NETMAP with no outbound (-o) interface">
|
|
<OSrc neg="False">
|
|
<ObjectRef ref="net-Internal_net"/>
|
|
</OSrc>
|
|
<ODst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ODst>
|
|
<OSrv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</OSrv>
|
|
<TSrc neg="False">
|
|
<ObjectRef ref="id3B665641"/>
|
|
</TSrc>
|
|
<TDst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</TDst>
|
|
<TSrv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</TSrv>
|
|
<ItfInb neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ItfInb>
|
|
<ItfOutb neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ItfOutb>
|
|
<NATRuleOptions>
|
|
<Option name="color">#8BC065</Option>
|
|
<Option name="id"/>
|
|
</NATRuleOptions>
|
|
</NATRule>
|
|
<NATRule id="id1431108X8221" disabled="False" group="" position="1" action="Translate" comment="">
|
|
<OSrc neg="False">
|
|
<ObjectRef ref="net-Internal_net"/>
|
|
</OSrc>
|
|
<ODst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ODst>
|
|
<OSrv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</OSrv>
|
|
<TSrc neg="False">
|
|
<ObjectRef ref="id1880621X8221"/>
|
|
</TSrc>
|
|
<TDst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</TDst>
|
|
<TSrv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</TSrv>
|
|
<ItfInb neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ItfInb>
|
|
<ItfOutb neg="False">
|
|
<ObjectRef ref="id1431010X8221"/>
|
|
</ItfOutb>
|
|
<NATRuleOptions>
|
|
<Option name="color">#8BC065</Option>
|
|
<Option name="id"/>
|
|
</NATRuleOptions>
|
|
</NATRule>
|
|
<NATRule id="id1431151X8221" disabled="False" group="" position="2" action="Translate" comment="	">
|
|
<OSrc neg="False">
|
|
<ObjectRef ref="net-Internal_net"/>
|
|
</OSrc>
|
|
<ODst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ODst>
|
|
<OSrv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</OSrv>
|
|
<TSrc neg="False">
|
|
<ObjectRef ref="id1880621X8221"/>
|
|
</TSrc>
|
|
<TDst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</TDst>
|
|
<TSrv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</TSrv>
|
|
<ItfInb neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ItfInb>
|
|
<ItfOutb neg="False">
|
|
<ObjectRef ref="id1431015X8221"/>
|
|
</ItfOutb>
|
|
<NATRuleOptions>
|
|
<Option name="color">#8BC065</Option>
|
|
<Option name="id"/>
|
|
</NATRuleOptions>
|
|
</NATRule>
|
|
<NATRule id="id1431194X8221" disabled="False" group="" position="3" action="Translate" comment="	">
|
|
<OSrc neg="False">
|
|
<ObjectRef ref="net-Internal_net"/>
|
|
</OSrc>
|
|
<ODst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ODst>
|
|
<OSrv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</OSrv>
|
|
<TSrc neg="False">
|
|
<ObjectRef ref="id1880621X8221"/>
|
|
</TSrc>
|
|
<TDst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</TDst>
|
|
<TSrv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</TSrv>
|
|
<ItfInb neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ItfInb>
|
|
<ItfOutb neg="False">
|
|
<ObjectRef ref="id1431010X8221"/>
|
|
<ObjectRef ref="id1431015X8221"/>
|
|
</ItfOutb>
|
|
<NATRuleOptions>
|
|
<Option name="color">#8BC065</Option>
|
|
<Option name="id"/>
|
|
</NATRuleOptions>
|
|
</NATRule>
|
|
<NATRule id="id98406X19416" disabled="False" group="" position="4" action="Translate" comment="	">
|
|
<OSrc neg="False">
|
|
<ObjectRef ref="net-Internal_net"/>
|
|
</OSrc>
|
|
<ODst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ODst>
|
|
<OSrv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</OSrv>
|
|
<TSrc neg="False">
|
|
<ObjectRef ref="id1880621X8221"/>
|
|
</TSrc>
|
|
<TDst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</TDst>
|
|
<TSrv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</TSrv>
|
|
<ItfInb neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ItfInb>
|
|
<ItfOutb neg="True">
|
|
<ObjectRef ref="id1431015X8221"/>
|
|
</ItfOutb>
|
|
<NATRuleOptions>
|
|
<Option name="color">#8BC065</Option>
|
|
<Option name="id"/>
|
|
</NATRuleOptions>
|
|
</NATRule>
|
|
<NATRule id="id98319X19416" disabled="False" group="" position="5" action="Translate" comment="	">
|
|
<OSrc neg="False">
|
|
<ObjectRef ref="net-Internal_net"/>
|
|
</OSrc>
|
|
<ODst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ODst>
|
|
<OSrv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</OSrv>
|
|
<TSrc neg="False">
|
|
<ObjectRef ref="id1880621X8221"/>
|
|
</TSrc>
|
|
<TDst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</TDst>
|
|
<TSrv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</TSrv>
|
|
<ItfInb neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ItfInb>
|
|
<ItfOutb neg="True">
|
|
<ObjectRef ref="id1431010X8221"/>
|
|
<ObjectRef ref="id1431015X8221"/>
|
|
</ItfOutb>
|
|
<NATRuleOptions>
|
|
<Option name="color">#8BC065</Option>
|
|
<Option name="id"/>
|
|
</NATRuleOptions>
|
|
</NATRule>
|
|
<NATRule id="id2795147X14495" disabled="False" group="" position="6" action="Translate" comment="">
|
|
<OSrc neg="False">
|
|
<ObjectRef ref="net-Internal_net"/>
|
|
</OSrc>
|
|
<ODst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ODst>
|
|
<OSrv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</OSrv>
|
|
<TSrc neg="False">
|
|
<ObjectRef ref="id1880621X8221"/>
|
|
</TSrc>
|
|
<TDst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</TDst>
|
|
<TSrv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</TSrv>
|
|
<ItfInb neg="False">
|
|
<ObjectRef ref="id1431020X8221"/>
|
|
</ItfInb>
|
|
<ItfOutb neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ItfOutb>
|
|
<NATRuleOptions>
|
|
<Option name="color">#8BC065</Option>
|
|
<Option name="id"/>
|
|
</NATRuleOptions>
|
|
</NATRule>
|
|
<NATRule id="id98506X19416" disabled="False" group="" position="7" action="Translate" comment="">
|
|
<OSrc neg="False">
|
|
<ObjectRef ref="net-Internal_net"/>
|
|
</OSrc>
|
|
<ODst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ODst>
|
|
<OSrv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</OSrv>
|
|
<TSrc neg="False">
|
|
<ObjectRef ref="id1880621X8221"/>
|
|
</TSrc>
|
|
<TDst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</TDst>
|
|
<TSrv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</TSrv>
|
|
<ItfInb neg="True">
|
|
<ObjectRef ref="id1431020X8221"/>
|
|
</ItfInb>
|
|
<ItfOutb neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ItfOutb>
|
|
<NATRuleOptions>
|
|
<Option name="color">#8BC065</Option>
|
|
<Option name="id"/>
|
|
</NATRuleOptions>
|
|
</NATRule>
|
|
<NATRule id="id1431237X8221" disabled="False" group="" position="8" action="Translate" comment="expected to generate -i eth2 -o eth1">
|
|
<OSrc neg="False">
|
|
<ObjectRef ref="net-Internal_net"/>
|
|
</OSrc>
|
|
<ODst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ODst>
|
|
<OSrv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</OSrv>
|
|
<TSrc neg="False">
|
|
<ObjectRef ref="id1880621X8221"/>
|
|
</TSrc>
|
|
<TDst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</TDst>
|
|
<TSrv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</TSrv>
|
|
<ItfInb neg="False">
|
|
<ObjectRef ref="id1431020X8221"/>
|
|
</ItfInb>
|
|
<ItfOutb neg="False">
|
|
<ObjectRef ref="id1431010X8221"/>
|
|
</ItfOutb>
|
|
<NATRuleOptions>
|
|
<Option name="color">#8BC065</Option>
|
|
<Option name="id"/>
|
|
</NATRuleOptions>
|
|
</NATRule>
|
|
<NATRule id="id98598X19416" disabled="False" group="" position="9" action="Translate" comment="">
|
|
<OSrc neg="False">
|
|
<ObjectRef ref="net-Internal_net"/>
|
|
</OSrc>
|
|
<ODst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ODst>
|
|
<OSrv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</OSrv>
|
|
<TSrc neg="False">
|
|
<ObjectRef ref="id1880621X8221"/>
|
|
</TSrc>
|
|
<TDst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</TDst>
|
|
<TSrv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</TSrv>
|
|
<ItfInb neg="True">
|
|
<ObjectRef ref="id1431020X8221"/>
|
|
</ItfInb>
|
|
<ItfOutb neg="True">
|
|
<ObjectRef ref="id1431010X8221"/>
|
|
</ItfOutb>
|
|
<NATRuleOptions>
|
|
<Option name="color">#8BC065</Option>
|
|
<Option name="id"/>
|
|
</NATRuleOptions>
|
|
</NATRule>
|
|
<NATRule id="id1431280X8221" disabled="False" group="" position="10" action="Translate" comment="">
|
|
<OSrc neg="False">
|
|
<ObjectRef ref="net-Internal_net"/>
|
|
</OSrc>
|
|
<ODst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ODst>
|
|
<OSrv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</OSrv>
|
|
<TSrc neg="False">
|
|
<ObjectRef ref="id1880621X8221"/>
|
|
</TSrc>
|
|
<TDst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</TDst>
|
|
<TSrv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</TSrv>
|
|
<ItfInb neg="False">
|
|
<ObjectRef ref="id1431020X8221"/>
|
|
<ObjectRef ref="id1431005X8221"/>
|
|
</ItfInb>
|
|
<ItfOutb neg="False">
|
|
<ObjectRef ref="id1431010X8221"/>
|
|
</ItfOutb>
|
|
<NATRuleOptions>
|
|
<Option name="color">#8BC065</Option>
|
|
<Option name="id"/>
|
|
</NATRuleOptions>
|
|
</NATRule>
|
|
<NATRule id="id1431323X8221" disabled="False" group="" position="11" action="Translate" comment="">
|
|
<OSrc neg="False">
|
|
<ObjectRef ref="net-Internal_net"/>
|
|
</OSrc>
|
|
<ODst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ODst>
|
|
<OSrv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</OSrv>
|
|
<TSrc neg="False">
|
|
<ObjectRef ref="id1880621X8221"/>
|
|
</TSrc>
|
|
<TDst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</TDst>
|
|
<TSrv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</TSrv>
|
|
<ItfInb neg="False">
|
|
<ObjectRef ref="id1431005X8221"/>
|
|
<ObjectRef ref="id1431020X8221"/>
|
|
</ItfInb>
|
|
<ItfOutb neg="False">
|
|
<ObjectRef ref="id1431010X8221"/>
|
|
<ObjectRef ref="id1431015X8221"/>
|
|
</ItfOutb>
|
|
<NATRuleOptions>
|
|
<Option name="color">#8BC065</Option>
|
|
</NATRuleOptions>
|
|
</NATRule>
|
|
<NATRule id="id6396926X14495" disabled="False" group="" position="12" action="Translate" comment="">
|
|
<OSrc neg="False">
|
|
<ObjectRef ref="net-Internal_net"/>
|
|
</OSrc>
|
|
<ODst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ODst>
|
|
<OSrv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</OSrv>
|
|
<TSrc neg="False">
|
|
<ObjectRef ref="id1880621X8221"/>
|
|
</TSrc>
|
|
<TDst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</TDst>
|
|
<TSrv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</TSrv>
|
|
<ItfInb neg="False">
|
|
<ObjectRef ref="id6396817X14495"/>
|
|
</ItfInb>
|
|
<ItfOutb neg="False">
|
|
<ObjectRef ref="id6396847X14495"/>
|
|
</ItfOutb>
|
|
<NATRuleOptions>
|
|
<Option name="color">#8BC065</Option>
|
|
</NATRuleOptions>
|
|
</NATRule>
|
|
<NATRule id="id1431366X8221" disabled="False" group="" position="13" action="Translate" comment="">
|
|
<OSrc neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</OSrc>
|
|
<ODst neg="False">
|
|
<ObjectRef ref="id1880621X8221"/>
|
|
</ODst>
|
|
<OSrv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</OSrv>
|
|
<TSrc neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</TSrc>
|
|
<TDst neg="False">
|
|
<ObjectRef ref="id46523X95438"/>
|
|
</TDst>
|
|
<TSrv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</TSrv>
|
|
<ItfInb neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ItfInb>
|
|
<ItfOutb neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ItfOutb>
|
|
<NATRuleOptions>
|
|
<Option name="color">#C0BA44</Option>
|
|
<Option name="id"/>
|
|
</NATRuleOptions>
|
|
</NATRule>
|
|
<NATRule id="id1431409X8221" disabled="False" group="" position="14" action="Translate" comment="">
|
|
<OSrc neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</OSrc>
|
|
<ODst neg="False">
|
|
<ObjectRef ref="id1880621X8221"/>
|
|
</ODst>
|
|
<OSrv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</OSrv>
|
|
<TSrc neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</TSrc>
|
|
<TDst neg="False">
|
|
<ObjectRef ref="id46523X95438"/>
|
|
</TDst>
|
|
<TSrv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</TSrv>
|
|
<ItfInb neg="False">
|
|
<ObjectRef ref="id1431010X8221"/>
|
|
</ItfInb>
|
|
<ItfOutb neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ItfOutb>
|
|
<NATRuleOptions>
|
|
<Option name="color">#C0BA44</Option>
|
|
<Option name="id"/>
|
|
</NATRuleOptions>
|
|
</NATRule>
|
|
<NATRule id="id1431452X8221" disabled="False" group="" position="15" action="Translate" comment="">
|
|
<OSrc neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</OSrc>
|
|
<ODst neg="False">
|
|
<ObjectRef ref="id1880621X8221"/>
|
|
</ODst>
|
|
<OSrv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</OSrv>
|
|
<TSrc neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</TSrc>
|
|
<TDst neg="False">
|
|
<ObjectRef ref="id46523X95438"/>
|
|
</TDst>
|
|
<TSrv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</TSrv>
|
|
<ItfInb neg="False">
|
|
<ObjectRef ref="id1431015X8221"/>
|
|
</ItfInb>
|
|
<ItfOutb neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ItfOutb>
|
|
<NATRuleOptions>
|
|
<Option name="color">#C0BA44</Option>
|
|
<Option name="id"/>
|
|
</NATRuleOptions>
|
|
</NATRule>
|
|
<NATRule id="id3232244X13709" disabled="False" group="" position="16" action="Translate" comment="">
|
|
<OSrc neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</OSrc>
|
|
<ODst neg="False">
|
|
<ObjectRef ref="id1880621X8221"/>
|
|
</ODst>
|
|
<OSrv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</OSrv>
|
|
<TSrc neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</TSrc>
|
|
<TDst neg="False">
|
|
<ObjectRef ref="id46523X95438"/>
|
|
</TDst>
|
|
<TSrv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</TSrv>
|
|
<ItfInb neg="False">
|
|
<ObjectRef ref="id1431015X8221"/>
|
|
<ObjectRef ref="id1431010X8221"/>
|
|
</ItfInb>
|
|
<ItfOutb neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ItfOutb>
|
|
<NATRuleOptions>
|
|
<Option name="color">#C0BA44</Option>
|
|
<Option name="id"/>
|
|
</NATRuleOptions>
|
|
</NATRule>
|
|
<NATRule id="id2795053X14495" disabled="False" group="" position="17" action="Translate" comment="">
|
|
<OSrc neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</OSrc>
|
|
<ODst neg="False">
|
|
<ObjectRef ref="id1880621X8221"/>
|
|
</ODst>
|
|
<OSrv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</OSrv>
|
|
<TSrc neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</TSrc>
|
|
<TDst neg="False">
|
|
<ObjectRef ref="id46523X95438"/>
|
|
</TDst>
|
|
<TSrv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</TSrv>
|
|
<ItfInb neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ItfInb>
|
|
<ItfOutb neg="False">
|
|
<ObjectRef ref="id1431005X8221"/>
|
|
</ItfOutb>
|
|
<NATRuleOptions>
|
|
<Option name="color">#C0BA44</Option>
|
|
<Option name="id"/>
|
|
</NATRuleOptions>
|
|
</NATRule>
|
|
<NATRule id="id3232330X13709" disabled="False" group="" position="18" action="Translate" comment="">
|
|
<OSrc neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</OSrc>
|
|
<ODst neg="False">
|
|
<ObjectRef ref="id1880621X8221"/>
|
|
</ODst>
|
|
<OSrv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</OSrv>
|
|
<TSrc neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</TSrc>
|
|
<TDst neg="False">
|
|
<ObjectRef ref="id46523X95438"/>
|
|
</TDst>
|
|
<TSrv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</TSrv>
|
|
<ItfInb neg="False">
|
|
<ObjectRef ref="id1431010X8221"/>
|
|
</ItfInb>
|
|
<ItfOutb neg="False">
|
|
<ObjectRef ref="id1431005X8221"/>
|
|
</ItfOutb>
|
|
<NATRuleOptions>
|
|
<Option name="color">#C0BA44</Option>
|
|
<Option name="id"/>
|
|
</NATRuleOptions>
|
|
</NATRule>
|
|
<NATRule id="id3232416X13709" disabled="False" group="" position="19" action="Translate" comment="">
|
|
<OSrc neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</OSrc>
|
|
<ODst neg="False">
|
|
<ObjectRef ref="id1880621X8221"/>
|
|
</ODst>
|
|
<OSrv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</OSrv>
|
|
<TSrc neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</TSrc>
|
|
<TDst neg="False">
|
|
<ObjectRef ref="id46523X95438"/>
|
|
</TDst>
|
|
<TSrv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</TSrv>
|
|
<ItfInb neg="False">
|
|
<ObjectRef ref="id1431015X8221"/>
|
|
</ItfInb>
|
|
<ItfOutb neg="False">
|
|
<ObjectRef ref="id1431005X8221"/>
|
|
<ObjectRef ref="id1431020X8221"/>
|
|
</ItfOutb>
|
|
<NATRuleOptions>
|
|
<Option name="color">#C0BA44</Option>
|
|
<Option name="id"/>
|
|
</NATRuleOptions>
|
|
</NATRule>
|
|
<NATRule id="id3232621X13709" disabled="False" group="" position="20" action="Translate" comment="">
|
|
<OSrc neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</OSrc>
|
|
<ODst neg="False">
|
|
<ObjectRef ref="id1880621X8221"/>
|
|
</ODst>
|
|
<OSrv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</OSrv>
|
|
<TSrc neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</TSrc>
|
|
<TDst neg="False">
|
|
<ObjectRef ref="id46523X95438"/>
|
|
</TDst>
|
|
<TSrv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</TSrv>
|
|
<ItfInb neg="False">
|
|
<ObjectRef ref="id1431015X8221"/>
|
|
<ObjectRef ref="id1431010X8221"/>
|
|
</ItfInb>
|
|
<ItfOutb neg="False">
|
|
<ObjectRef ref="id1431005X8221"/>
|
|
<ObjectRef ref="id1431020X8221"/>
|
|
</ItfOutb>
|
|
<NATRuleOptions>
|
|
<Option name="color">#C0BA44</Option>
|
|
<Option name="id"/>
|
|
</NATRuleOptions>
|
|
</NATRule>
|
|
<NATRule id="id3232535X13709" disabled="False" group="" position="21" action="Translate" comment="">
|
|
<OSrc neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</OSrc>
|
|
<ODst neg="False">
|
|
<ObjectRef ref="id1880621X8221"/>
|
|
</ODst>
|
|
<OSrv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</OSrv>
|
|
<TSrc neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</TSrc>
|
|
<TDst neg="False">
|
|
<ObjectRef ref="id46523X95438"/>
|
|
</TDst>
|
|
<TSrv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</TSrv>
|
|
<ItfInb neg="False">
|
|
<ObjectRef ref="id6396847X14495"/>
|
|
</ItfInb>
|
|
<ItfOutb neg="False">
|
|
<ObjectRef ref="id6396817X14495"/>
|
|
</ItfOutb>
|
|
<NATRuleOptions>
|
|
<Option name="color">#C0BA44</Option>
|
|
<Option name="id"/>
|
|
</NATRuleOptions>
|
|
</NATRule>
|
|
<NATRule id="id98982X13518" disabled="False" group="" position="22" action="Translate" comment="rule for SF feature request 1954286">
|
|
<OSrc neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</OSrc>
|
|
<ODst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ODst>
|
|
<OSrv neg="False">
|
|
<ServiceRef ref="id553876X13518"/>
|
|
</OSrv>
|
|
<TSrc neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</TSrc>
|
|
<TDst neg="False">
|
|
<ObjectRef ref="id46523X95438"/>
|
|
</TDst>
|
|
<TSrv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</TSrv>
|
|
<ItfInb neg="False">
|
|
<ObjectRef ref="id1431020X8221"/>
|
|
</ItfInb>
|
|
<ItfOutb neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ItfOutb>
|
|
<NATRuleOptions>
|
|
<Option name="color">#A37EC0</Option>
|
|
</NATRuleOptions>
|
|
</NATRule>
|
|
<NATRule id="id98177X18075" disabled="False" group="" position="23" action="Translate" comment="REDIRECT ">
|
|
<OSrc neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</OSrc>
|
|
<ODst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ODst>
|
|
<OSrv neg="False">
|
|
<ServiceRef ref="tcp-HTTP"/>
|
|
</OSrv>
|
|
<TSrc neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</TSrc>
|
|
<TDst neg="False">
|
|
<ObjectRef ref="id1430997X8221"/>
|
|
</TDst>
|
|
<TSrv neg="False">
|
|
<ServiceRef ref="id3B4FF09A"/>
|
|
</TSrv>
|
|
<ItfInb neg="False">
|
|
<ObjectRef ref="id1431005X8221"/>
|
|
</ItfInb>
|
|
<ItfOutb neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ItfOutb>
|
|
<NATRuleOptions>
|
|
<Option name="color">#7694C0</Option>
|
|
</NATRuleOptions>
|
|
</NATRule>
|
|
<RuleSetOptions/>
|
|
</NAT>
|
|
<Policy id="id1431032X8221" name="Policy" comment="" ro="False" ipv4_rule_set="False" ipv6_rule_set="False" top_rule_set="True">
|
|
<PolicyRule id="id1431034X8221" disabled="False" group="" log="True" position="0" action="Deny" direction="Both" comment="'catch all' rule">
|
|
<Src neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="id"/>
|
|
<Option name="stateless">True</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<RuleSetOptions/>
|
|
</Policy>
|
|
<Routing id="id1431496X8221" name="Routing" comment="" ro="False" ipv4_rule_set="False" ipv6_rule_set="False" top_rule_set="True">
|
|
<RuleSetOptions/>
|
|
</Routing>
|
|
<Interface id="id1431005X8221" dedicated_failover="False" dyn="False" label="" mgmt="True" security_level="100" unnum="False" unprotected="False" name="eth0" comment="" ro="False">
|
|
<IPv4 id="id1431008X8221" name="firewall2-6:eth0:ip" comment="" ro="False" address="192.168.1.1" netmask="255.255.255.0"/>
|
|
<InterfaceOptions/>
|
|
</Interface>
|
|
<Interface id="id1431010X8221" dedicated_failover="False" dyn="False" security_level="0" unnum="False" unprotected="False" name="eth1" comment="" ro="False">
|
|
<IPv4 id="id1431013X8221" name="firewall2-6:eth1:ip" comment="" ro="False" address="222.222.222.222" netmask="255.255.255.0"/>
|
|
<InterfaceOptions/>
|
|
</Interface>
|
|
<Interface id="id1431015X8221" dedicated_failover="False" dyn="False" label="" mgmt="False" security_level="0" unnum="False" unprotected="False" name="eth3" comment="" ro="False">
|
|
<IPv4 id="id1431018X8221" name="firewall2-6:eth3:ip" comment="subnet 33.33.33.24-31" ro="False" address="33.33.33.25" netmask="255.255.255.248"/>
|
|
<InterfaceOptions/>
|
|
</Interface>
|
|
<Interface id="id1431020X8221" dedicated_failover="False" dyn="False" security_level="100" unnum="False" unprotected="False" name="eth2" comment="" ro="False">
|
|
<IPv4 id="id1431024X8221" name="firewall2-6:eth2:ip" comment="" ro="False" address="33.33.33.3" netmask="255.255.255.248"/>
|
|
<IPv4 id="id1431025X8221" name="firewall2-6:eth2:ip-1" comment="" ro="False" address="33.33.33.4" netmask="255.255.255.248"/>
|
|
<InterfaceOptions/>
|
|
</Interface>
|
|
<Interface id="id1431027X8221" dedicated_failover="False" dyn="False" label="" security_level="100" unnum="False" unprotected="False" name="lo" comment="" ro="False">
|
|
<IPv4 id="id1431030X8221" name="firewall2-6:lo:ip" comment="" ro="False" address="127.0.0.1" netmask="255.0.0.0"/>
|
|
<InterfaceOptions/>
|
|
</Interface>
|
|
<Management address="192.168.1.1">
|
|
<SNMPManagement enabled="False" snmp_read_community="public" snmp_write_community=""/>
|
|
<FWBDManagement enabled="True" identity="" port="9999"/>
|
|
<PolicyInstallScript arguments="" command="" enabled="False"/>
|
|
</Management>
|
|
<FirewallOptions>
|
|
<Option name="accept_established">True</Option>
|
|
<Option name="accept_new_tcp_with_no_syn">False</Option>
|
|
<Option name="action_on_reject">ICMP net unreachable</Option>
|
|
<Option name="activationCmd"/>
|
|
<Option name="admUser"/>
|
|
<Option name="altAddress"/>
|
|
<Option name="bridging_fw">False</Option>
|
|
<Option name="check_shading">True</Option>
|
|
<Option name="clamp_mss_to_mtu">True</Option>
|
|
<Option name="classify_mark_terminating">False</Option>
|
|
<Option name="cmdline">-xt</Option>
|
|
<Option name="compiler"/>
|
|
<Option name="configure_interfaces">True</Option>
|
|
<Option name="debug">False</Option>
|
|
<Option name="drop_invalid">True</Option>
|
|
<Option name="dyn_addr">False</Option>
|
|
<Option name="epilog_script"/>
|
|
<Option name="firewall_dir"/>
|
|
<Option name="firewall_is_part_of_any">True</Option>
|
|
<Option name="firewall_is_part_of_any_and_networks">True</Option>
|
|
<Option name="id"/>
|
|
<Option name="ignore_empty_groups">False</Option>
|
|
<Option name="inst_cmdline"/>
|
|
<Option name="inst_script"/>
|
|
<Option name="install_script"/>
|
|
<Option name="ipv4_6_order">ipv4_first</Option>
|
|
<Option name="limit_suffix">/second</Option>
|
|
<Option name="limit_value">5</Option>
|
|
<Option name="linux24_accept_redirects">0</Option>
|
|
<Option name="linux24_accept_source_route">0</Option>
|
|
<Option name="linux24_icmp_echo_ignore_all">1</Option>
|
|
<Option name="linux24_icmp_echo_ignore_broadcasts"/>
|
|
<Option name="linux24_icmp_ignore_bogus_error_responses">1</Option>
|
|
<Option name="linux24_ip_dynaddr"/>
|
|
<Option name="linux24_ip_forward">1</Option>
|
|
<Option name="linux24_log_martians">1</Option>
|
|
<Option name="linux24_path_ip"/>
|
|
<Option name="linux24_path_iptables"/>
|
|
<Option name="linux24_path_logger"/>
|
|
<Option name="linux24_path_lsmod"/>
|
|
<Option name="linux24_path_modprobe"/>
|
|
<Option name="linux24_rp_filter">1</Option>
|
|
<Option name="linux24_tcp_ecn"/>
|
|
<Option name="linux24_tcp_fack"/>
|
|
<Option name="linux24_tcp_fin_timeout">30</Option>
|
|
<Option name="linux24_tcp_keepalive_interval">1800</Option>
|
|
<Option name="linux24_tcp_sack"/>
|
|
<Option name="linux24_tcp_syncookies"/>
|
|
<Option name="linux24_tcp_timestamps"/>
|
|
<Option name="linux24_tcp_window_scaling"/>
|
|
<Option name="load_modules">False</Option>
|
|
<Option name="local_nat">True</Option>
|
|
<Option name="log_all">False</Option>
|
|
<Option name="log_all_dropped">True</Option>
|
|
<Option name="log_invalid">True</Option>
|
|
<Option name="log_ip_opt">False</Option>
|
|
<Option name="log_level">debug</Option>
|
|
<Option name="log_limit_suffix">/second</Option>
|
|
<Option name="log_limit_value">0</Option>
|
|
<Option name="log_prefix">RULE %N - %A **</Option>
|
|
<Option name="log_tcp_opt">False</Option>
|
|
<Option name="log_tcp_seq">False</Option>
|
|
<Option name="manage_virtual_addr">True</Option>
|
|
<Option name="mgmt_addr"/>
|
|
<Option name="mgmt_ssh">False</Option>
|
|
<Option name="no_iochains_for_any">False</Option>
|
|
<Option name="no_ipv6_default_policy">False</Option>
|
|
<Option name="no_optimisation">False</Option>
|
|
<Option name="output_file"/>
|
|
<Option name="platform">iptables</Option>
|
|
<Option name="prolog_place">after_flush</Option>
|
|
<Option name="prolog_script"/>
|
|
<Option name="proxy_arp">True</Option>
|
|
<Option name="scpArgs"/>
|
|
<Option name="script_env_path"/>
|
|
<Option name="snmp_contact"/>
|
|
<Option name="snmp_description"/>
|
|
<Option name="snmp_location"/>
|
|
<Option name="sshArgs"/>
|
|
<Option name="ulog_cprange">0</Option>
|
|
<Option name="ulog_nlgroup">1</Option>
|
|
<Option name="ulog_qthreshold">1</Option>
|
|
<Option name="useULOG">False</Option>
|
|
<Option name="use_ULOG">True</Option>
|
|
<Option name="use_ip_tool">True</Option>
|
|
<Option name="use_iptables_restore">False</Option>
|
|
<Option name="use_numeric_log_levels">False</Option>
|
|
<Option name="verify_interfaces">False</Option>
|
|
</FirewallOptions>
|
|
</Firewall>
|
|
<Firewall id="id1908527X19416" host_OS="linux24" inactive="False" lastCompiled="1272404353" lastInstalled="1142003872" lastModified="1297995836" platform="iptables" version="" name="firewall2-7" comment="tests for nat rules with inbound and outbound interfaces with complex interface configuration" ro="False">
|
|
<NAT id="id1908593X19416" name="NAT" comment="" ro="False" ipv4_rule_set="False" ipv6_rule_set="False" top_rule_set="True">
|
|
<NATRule id="id1908595X19416" disabled="False" group="" position="0" action="Translate" comment="NETMAP and no -o itf">
|
|
<OSrc neg="False">
|
|
<ObjectRef ref="net-Internal_net"/>
|
|
</OSrc>
|
|
<ODst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ODst>
|
|
<OSrv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</OSrv>
|
|
<TSrc neg="False">
|
|
<ObjectRef ref="id3B665641"/>
|
|
</TSrc>
|
|
<TDst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</TDst>
|
|
<TSrv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</TSrv>
|
|
<ItfInb neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ItfInb>
|
|
<ItfOutb neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ItfOutb>
|
|
<NATRuleOptions>
|
|
<Option name="color">#8BC065</Option>
|
|
<Option name="id"/>
|
|
</NATRuleOptions>
|
|
</NATRule>
|
|
<NATRule id="id1908638X19416" disabled="False" group="" position="1" action="Translate" comment="">
|
|
<OSrc neg="False">
|
|
<ObjectRef ref="net-Internal_net"/>
|
|
</OSrc>
|
|
<ODst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ODst>
|
|
<OSrv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</OSrv>
|
|
<TSrc neg="False">
|
|
<ObjectRef ref="id1880621X8221"/>
|
|
</TSrc>
|
|
<TDst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</TDst>
|
|
<TSrv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</TSrv>
|
|
<ItfInb neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ItfInb>
|
|
<ItfOutb neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ItfOutb>
|
|
<NATRuleOptions>
|
|
<Option name="color">#8BC065</Option>
|
|
<Option name="id"/>
|
|
</NATRuleOptions>
|
|
</NATRule>
|
|
<NATRule id="id1908681X19416" disabled="False" group="" position="2" action="Translate" comment="	">
|
|
<OSrc neg="False">
|
|
<ObjectRef ref="net-Internal_net"/>
|
|
</OSrc>
|
|
<ODst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ODst>
|
|
<OSrv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</OSrv>
|
|
<TSrc neg="False">
|
|
<ObjectRef ref="id1880621X8221"/>
|
|
</TSrc>
|
|
<TDst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</TDst>
|
|
<TSrv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</TSrv>
|
|
<ItfInb neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ItfInb>
|
|
<ItfOutb neg="False">
|
|
<ObjectRef ref="id1909731X19416"/>
|
|
</ItfOutb>
|
|
<NATRuleOptions>
|
|
<Option name="color">#8BC065</Option>
|
|
<Option name="id"/>
|
|
</NATRuleOptions>
|
|
</NATRule>
|
|
<NATRule id="id1908768X19416" disabled="False" group="" position="3" action="Translate" comment="	">
|
|
<OSrc neg="False">
|
|
<ObjectRef ref="net-Internal_net"/>
|
|
</OSrc>
|
|
<ODst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ODst>
|
|
<OSrv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</OSrv>
|
|
<TSrc neg="False">
|
|
<ObjectRef ref="id1880621X8221"/>
|
|
</TSrc>
|
|
<TDst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</TDst>
|
|
<TSrv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</TSrv>
|
|
<ItfInb neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ItfInb>
|
|
<ItfOutb neg="True">
|
|
<ObjectRef ref="id1908545X19416"/>
|
|
</ItfOutb>
|
|
<NATRuleOptions>
|
|
<Option name="color">#8BC065</Option>
|
|
<Option name="id"/>
|
|
</NATRuleOptions>
|
|
</NATRule>
|
|
<NATRule id="id1909550X19416" disabled="False" group="" position="4" action="Translate" comment="REDIRECT ">
|
|
<OSrc neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</OSrc>
|
|
<ODst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ODst>
|
|
<OSrv neg="False">
|
|
<ServiceRef ref="tcp-HTTP"/>
|
|
</OSrv>
|
|
<TSrc neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</TSrc>
|
|
<TDst neg="False">
|
|
<ObjectRef ref="id1908527X19416"/>
|
|
</TDst>
|
|
<TSrv neg="False">
|
|
<ServiceRef ref="id3B4FF09A"/>
|
|
</TSrv>
|
|
<ItfInb neg="False">
|
|
<ObjectRef ref="id1908535X19416"/>
|
|
</ItfInb>
|
|
<ItfOutb neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ItfOutb>
|
|
<NATRuleOptions>
|
|
<Option name="color">#7694C0</Option>
|
|
</NATRuleOptions>
|
|
</NATRule>
|
|
<RuleSetOptions/>
|
|
</NAT>
|
|
<Policy id="id1908562X19416" name="Policy" comment="" ro="False" ipv4_rule_set="False" ipv6_rule_set="False" top_rule_set="True">
|
|
<PolicyRule id="id1908564X19416" disabled="False" group="" log="True" position="0" action="Deny" direction="Both" comment="'catch all' rule">
|
|
<Src neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="id"/>
|
|
<Option name="stateless">True</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<RuleSetOptions/>
|
|
</Policy>
|
|
<Routing id="id1909594X19416" name="Routing" comment="" ro="False" ipv4_rule_set="False" ipv6_rule_set="False" top_rule_set="True">
|
|
<RuleSetOptions/>
|
|
</Routing>
|
|
<Interface id="id1908535X19416" dedicated_failover="False" dyn="False" label="" mgmt="True" security_level="100" unnum="False" unprotected="False" name="eth0" comment="" ro="False">
|
|
<IPv4 id="id1908538X19416" name="firewall2-7:eth0:ip" comment="" ro="False" address="192.168.1.1" netmask="255.255.255.0"/>
|
|
<InterfaceOptions/>
|
|
</Interface>
|
|
<Interface id="id1908545X19416" dedicated_failover="False" dyn="False" label="" mgmt="False" security_level="0" unnum="False" unprotected="False" name="eth3" comment="" ro="False">
|
|
<IPv4 id="id1908548X19416" name="firewall2-7:eth3:ip" comment="subnet 33.33.33.24-31" ro="False" address="33.33.33.25" netmask="255.255.255.248"/>
|
|
<InterfaceOptions/>
|
|
</Interface>
|
|
<Interface id="id1908550X19416" dedicated_failover="False" dyn="False" security_level="100" unnum="False" unprotected="False" name="eth2" comment="" ro="False">
|
|
<IPv4 id="id1908554X19416" name="firewall2-7:eth2:ip" comment="" ro="False" address="33.33.33.3" netmask="255.255.255.248"/>
|
|
<IPv4 id="id1908555X19416" name="firewall2-7:eth2:ip-1" comment="" ro="False" address="33.33.33.4" netmask="255.255.255.248"/>
|
|
<InterfaceOptions/>
|
|
</Interface>
|
|
<Interface id="id1908557X19416" dedicated_failover="False" dyn="False" label="" security_level="100" unnum="False" unprotected="False" name="lo" comment="" ro="False">
|
|
<IPv4 id="id1908560X19416" name="firewall2-7:lo:ip" comment="" ro="False" address="127.0.0.1" netmask="255.0.0.0"/>
|
|
<InterfaceOptions/>
|
|
</Interface>
|
|
<Interface id="id1909694X19416" dedicated_failover="False" dyn="False" label="" mgmt="False" security_level="0" unnum="True" unprotected="False" name="eth4" comment="" ro="False">
|
|
<InterfaceOptions>
|
|
<Option name="type">ethernet</Option>
|
|
</InterfaceOptions>
|
|
<Interface id="id1909731X19416" dedicated_failover="False" dyn="False" label="" mgmt="False" security_level="0" unnum="False" unprotected="False" name="vlan101" comment="" ro="False">
|
|
<IPv4 id="id1909749X19416" name="firewall2-7:eth1:ip" comment="" ro="False" address="222.222.222.222" netmask="255.255.255.0"/>
|
|
<InterfaceOptions>
|
|
<Option name="bonding_policy"/>
|
|
<Option name="bondng_driver_options"/>
|
|
<Option name="enable_stp">False</Option>
|
|
<Option name="type">8021q</Option>
|
|
<Option name="vlan_id">101</Option>
|
|
<Option name="xmit_hash_policy"/>
|
|
</InterfaceOptions>
|
|
</Interface>
|
|
</Interface>
|
|
<Interface id="id1909758X19416" dedicated_failover="False" dyn="False" label="" mgmt="False" security_level="0" unnum="False" unprotected="False" name="bridge0" comment="" ro="False">
|
|
<IPv4 id="id1909816X19416" name="firewall2-7:bridge0:ip" comment="" ro="False" address="10.1.1.1" netmask="255.255.255.0"/>
|
|
<InterfaceOptions>
|
|
<Option name="bonding_policy"/>
|
|
<Option name="bondng_driver_options"/>
|
|
<Option name="enable_stp">False</Option>
|
|
<Option name="type">bridge</Option>
|
|
<Option name="vlan_id">0</Option>
|
|
<Option name="xmit_hash_policy"/>
|
|
</InterfaceOptions>
|
|
<Interface id="id1909796X19416" dedicated_failover="False" dyn="False" label="" mgmt="False" security_level="0" unnum="False" unprotected="False" name="eth5" comment="" ro="False">
|
|
<InterfaceOptions>
|
|
<Option name="type">ethernet</Option>
|
|
</InterfaceOptions>
|
|
</Interface>
|
|
<Interface id="id1909810X19416" dedicated_failover="False" dyn="False" security_level="0" unnum="False" unprotected="False" name="eth6" comment="" ro="False">
|
|
<InterfaceOptions>
|
|
<Option name="type">ethernet</Option>
|
|
</InterfaceOptions>
|
|
</Interface>
|
|
</Interface>
|
|
<Management address="192.168.1.1">
|
|
<SNMPManagement enabled="False" snmp_read_community="public" snmp_write_community=""/>
|
|
<FWBDManagement enabled="True" identity="" port="9999"/>
|
|
<PolicyInstallScript arguments="" command="" enabled="False"/>
|
|
</Management>
|
|
<FirewallOptions>
|
|
<Option name="accept_established">True</Option>
|
|
<Option name="accept_new_tcp_with_no_syn">False</Option>
|
|
<Option name="action_on_reject">ICMP net unreachable</Option>
|
|
<Option name="activationCmd"/>
|
|
<Option name="admUser"/>
|
|
<Option name="altAddress"/>
|
|
<Option name="bridging_fw">False</Option>
|
|
<Option name="check_shading">True</Option>
|
|
<Option name="clamp_mss_to_mtu">True</Option>
|
|
<Option name="classify_mark_terminating">False</Option>
|
|
<Option name="cmdline">-xt</Option>
|
|
<Option name="compiler"/>
|
|
<Option name="configure_interfaces">True</Option>
|
|
<Option name="debug">False</Option>
|
|
<Option name="drop_invalid">True</Option>
|
|
<Option name="dyn_addr">False</Option>
|
|
<Option name="epilog_script"/>
|
|
<Option name="firewall_dir"/>
|
|
<Option name="firewall_is_part_of_any">True</Option>
|
|
<Option name="firewall_is_part_of_any_and_networks">True</Option>
|
|
<Option name="id"/>
|
|
<Option name="ignore_empty_groups">False</Option>
|
|
<Option name="inst_cmdline"/>
|
|
<Option name="inst_script"/>
|
|
<Option name="install_script"/>
|
|
<Option name="ipv4_6_order">ipv4_first</Option>
|
|
<Option name="limit_suffix">/second</Option>
|
|
<Option name="limit_value">5</Option>
|
|
<Option name="linux24_accept_redirects">0</Option>
|
|
<Option name="linux24_accept_source_route">0</Option>
|
|
<Option name="linux24_icmp_echo_ignore_all">1</Option>
|
|
<Option name="linux24_icmp_echo_ignore_broadcasts"/>
|
|
<Option name="linux24_icmp_ignore_bogus_error_responses">1</Option>
|
|
<Option name="linux24_ip_dynaddr"/>
|
|
<Option name="linux24_ip_forward">1</Option>
|
|
<Option name="linux24_log_martians">1</Option>
|
|
<Option name="linux24_path_ip"/>
|
|
<Option name="linux24_path_iptables"/>
|
|
<Option name="linux24_path_logger"/>
|
|
<Option name="linux24_path_lsmod"/>
|
|
<Option name="linux24_path_modprobe"/>
|
|
<Option name="linux24_rp_filter">1</Option>
|
|
<Option name="linux24_tcp_ecn"/>
|
|
<Option name="linux24_tcp_fack"/>
|
|
<Option name="linux24_tcp_fin_timeout">30</Option>
|
|
<Option name="linux24_tcp_keepalive_interval">1800</Option>
|
|
<Option name="linux24_tcp_sack"/>
|
|
<Option name="linux24_tcp_syncookies"/>
|
|
<Option name="linux24_tcp_timestamps"/>
|
|
<Option name="linux24_tcp_window_scaling"/>
|
|
<Option name="load_modules">False</Option>
|
|
<Option name="local_nat">True</Option>
|
|
<Option name="log_all">False</Option>
|
|
<Option name="log_all_dropped">True</Option>
|
|
<Option name="log_invalid">True</Option>
|
|
<Option name="log_ip_opt">False</Option>
|
|
<Option name="log_level">debug</Option>
|
|
<Option name="log_limit_suffix">/second</Option>
|
|
<Option name="log_limit_value">0</Option>
|
|
<Option name="log_prefix">RULE %N - %A **</Option>
|
|
<Option name="log_tcp_opt">False</Option>
|
|
<Option name="log_tcp_seq">False</Option>
|
|
<Option name="manage_virtual_addr">True</Option>
|
|
<Option name="mgmt_addr"/>
|
|
<Option name="mgmt_ssh">False</Option>
|
|
<Option name="no_iochains_for_any">False</Option>
|
|
<Option name="no_ipv6_default_policy">False</Option>
|
|
<Option name="no_optimisation">False</Option>
|
|
<Option name="output_file"/>
|
|
<Option name="platform">iptables</Option>
|
|
<Option name="prolog_place">after_flush</Option>
|
|
<Option name="prolog_script"/>
|
|
<Option name="proxy_arp">True</Option>
|
|
<Option name="scpArgs"/>
|
|
<Option name="script_env_path"/>
|
|
<Option name="snmp_contact"/>
|
|
<Option name="snmp_description"/>
|
|
<Option name="snmp_location"/>
|
|
<Option name="sshArgs"/>
|
|
<Option name="ulog_cprange">0</Option>
|
|
<Option name="ulog_nlgroup">1</Option>
|
|
<Option name="ulog_qthreshold">1</Option>
|
|
<Option name="useULOG">False</Option>
|
|
<Option name="use_ULOG">True</Option>
|
|
<Option name="use_ip_tool">True</Option>
|
|
<Option name="use_iptables_restore">False</Option>
|
|
<Option name="use_numeric_log_levels">False</Option>
|
|
<Option name="verify_interfaces">False</Option>
|
|
</FirewallOptions>
|
|
</Firewall>
|
|
<Firewall id="id99266X18910" host_OS="linux24" inactive="False" lastCompiled="1272404272" lastInstalled="0" lastModified="1302483413" platform="iptables" version="1.4.0" name="firewall-ipv6-nd-ns-1" comment="automatic ND/NS rules" ro="False">
|
|
<NAT id="id99287X18910" name="NAT" comment="" ro="False" ipv4_rule_set="True" ipv6_rule_set="True" top_rule_set="True">
|
|
<RuleSetOptions/>
|
|
</NAT>
|
|
<Policy id="id99284X18910" name="Policy" comment="" ro="False" ipv4_rule_set="True" ipv6_rule_set="True" top_rule_set="True">
|
|
<RuleSetOptions/>
|
|
</Policy>
|
|
<Routing id="id99290X18910" name="Routing" comment="" ro="False" ipv4_rule_set="False" ipv6_rule_set="False" top_rule_set="True">
|
|
<RuleSetOptions/>
|
|
</Routing>
|
|
<Interface id="id99274X18910" dedicated_failover="False" dyn="False" label="" security_level="50" unnum="False" unprotected="False" name="eth0" comment="" ro="False">
|
|
<IPv4 id="id99278X18910" name="firewall-ipv6-nd-ns-1:eth0:ip" comment="" ro="False" address="1.1.1.1" netmask="255.255.255.0"/>
|
|
<IPv6 id="id99279X18910" name="firewall-ipv6-nd-ns-1:eth0:ip6" comment="" ro="False" address="fe80::21d:9ff:fe8b:8e94" netmask="64"/>
|
|
<InterfaceOptions/>
|
|
</Interface>
|
|
<Interface id="id99281X18910" dedicated_failover="False" dyn="False" label="" mgmt="False" security_level="0" unnum="False" unprotected="False" name="eth1" comment="" ro="False">
|
|
<IPv4 id="id99427X18910" name="firewall-ipv6-nd-ns-1:eth1:ip" comment="" ro="False" address="192.0.2.1" netmask="255.255.255.0"/>
|
|
<InterfaceOptions/>
|
|
</Interface>
|
|
<Management address="1.1.1.1">
|
|
<SNMPManagement enabled="False" snmp_read_community="" snmp_write_community=""/>
|
|
<FWBDManagement enabled="False" identity="" port="-1"/>
|
|
<PolicyInstallScript arguments="" command="" enabled="False"/>
|
|
</Management>
|
|
<FirewallOptions>
|
|
<Option name="accept_established">True</Option>
|
|
<Option name="accept_new_tcp_with_no_syn">True</Option>
|
|
<Option name="action_on_reject"/>
|
|
<Option name="activationCmd"/>
|
|
<Option name="add_check_state_rule">true</Option>
|
|
<Option name="add_mgmt_ssh_rule_when_stoped">False</Option>
|
|
<Option name="add_rules_for_ipv6_neighbor_discovery">True</Option>
|
|
<Option name="admUser"/>
|
|
<Option name="altAddress"/>
|
|
<Option name="bridging_fw">False</Option>
|
|
<Option name="check_shading">True</Option>
|
|
<Option name="clamp_mss_to_mtu">True</Option>
|
|
<Option name="classify_mark_terminating">False</Option>
|
|
<Option name="clear_unknown_interfaces">False</Option>
|
|
<Option name="cmdline">-xt</Option>
|
|
<Option name="compiler"/>
|
|
<Option name="configure_bonding_interfaces">False</Option>
|
|
<Option name="configure_bridge_interfaces">False</Option>
|
|
<Option name="configure_interfaces">True</Option>
|
|
<Option name="configure_vlan_interfaces">False</Option>
|
|
<Option name="debug">False</Option>
|
|
<Option name="drop_invalid">True</Option>
|
|
<Option name="eliminate_duplicates">true</Option>
|
|
<Option name="enable_ipv6">True</Option>
|
|
<Option name="epilog_script"/>
|
|
<Option name="firewall_dir">/etc</Option>
|
|
<Option name="firewall_is_part_of_any_and_networks">False</Option>
|
|
<Option name="freebsd_ip_forward">1</Option>
|
|
<Option name="ignore_empty_groups">False</Option>
|
|
<Option name="in_out_code">true</Option>
|
|
<Option name="iosacl_add_clear_statements">true</Option>
|
|
<Option name="iosacl_assume_fw_part_of_any">true</Option>
|
|
<Option name="iosacl_include_comments">true</Option>
|
|
<Option name="ipt_mangle_only_rulesets"/>
|
|
<Option name="ipv4_6_order">ipv4_first</Option>
|
|
<Option name="limit_suffix"/>
|
|
<Option name="limit_value">0</Option>
|
|
<Option name="linux24_accept_redirects"/>
|
|
<Option name="linux24_accept_source_route"/>
|
|
<Option name="linux24_icmp_echo_ignore_all"/>
|
|
<Option name="linux24_icmp_echo_ignore_broadcasts"/>
|
|
<Option name="linux24_icmp_ignore_bogus_error_responses"/>
|
|
<Option name="linux24_ip_dynaddr"/>
|
|
<Option name="linux24_ip_forward">1</Option>
|
|
<Option name="linux24_ipv6_forward">1</Option>
|
|
<Option name="linux24_log_martians"/>
|
|
<Option name="linux24_path_ip"/>
|
|
<Option name="linux24_path_ip6tables"/>
|
|
<Option name="linux24_path_ip6tables_restore"/>
|
|
<Option name="linux24_path_iptables"/>
|
|
<Option name="linux24_path_iptables_restore"/>
|
|
<Option name="linux24_path_logger"/>
|
|
<Option name="linux24_path_lsmod"/>
|
|
<Option name="linux24_path_modprobe"/>
|
|
<Option name="linux24_rp_filter"/>
|
|
<Option name="linux24_tcp_ecn"/>
|
|
<Option name="linux24_tcp_fack"/>
|
|
<Option name="linux24_tcp_fin_timeout">0</Option>
|
|
<Option name="linux24_tcp_keepalive_interval">0</Option>
|
|
<Option name="linux24_tcp_sack"/>
|
|
<Option name="linux24_tcp_syncookies"/>
|
|
<Option name="linux24_tcp_timestamps"/>
|
|
<Option name="linux24_tcp_window_scaling"/>
|
|
<Option name="load_modules">True</Option>
|
|
<Option name="local_nat">False</Option>
|
|
<Option name="log_all">False</Option>
|
|
<Option name="log_invalid">True</Option>
|
|
<Option name="log_ip_opt">False</Option>
|
|
<Option name="log_level">info</Option>
|
|
<Option name="log_prefix">RULE %N -- %A </Option>
|
|
<Option name="log_tcp_opt">False</Option>
|
|
<Option name="log_tcp_seq">False</Option>
|
|
<Option name="loopback_interface">lo0</Option>
|
|
<Option name="macosx_ip_forward">1</Option>
|
|
<Option name="manage_virtual_addr">True</Option>
|
|
<Option name="mgmt_addr"/>
|
|
<Option name="mgmt_ssh">False</Option>
|
|
<Option name="no_ipv6_default_policy">False</Option>
|
|
<Option name="openbsd_ip_forward">1</Option>
|
|
<Option name="output_file"/>
|
|
<Option name="pass_all_out">false</Option>
|
|
<Option name="pf_limit_frags">5000</Option>
|
|
<Option name="pf_limit_states">10000</Option>
|
|
<Option name="pf_scrub_maxmss">1460</Option>
|
|
<Option name="pf_timeout_frag">30</Option>
|
|
<Option name="pf_timeout_interval">10</Option>
|
|
<Option name="pix_add_clear_statements">true</Option>
|
|
<Option name="pix_assume_fw_part_of_any">true</Option>
|
|
<Option name="pix_default_logint">300</Option>
|
|
<Option name="pix_emblem_log_format">false</Option>
|
|
<Option name="pix_emulate_out_acl">true</Option>
|
|
<Option name="pix_floodguard">true</Option>
|
|
<Option name="pix_include_comments">true</Option>
|
|
<Option name="pix_route_dnat_supported">true</Option>
|
|
<Option name="pix_rule_syslog_settings">false</Option>
|
|
<Option name="pix_security_fragguard_supported">true</Option>
|
|
<Option name="pix_syslog_device_id_supported">false</Option>
|
|
<Option name="pix_use_acl_remarks">true</Option>
|
|
<Option name="prolog_place">top</Option>
|
|
<Option name="prolog_script"/>
|
|
<Option name="prompt1">$ </Option>
|
|
<Option name="prompt2"> # </Option>
|
|
<Option name="scpArgs"/>
|
|
<Option name="script_name_on_firewall"/>
|
|
<Option name="solaris_ip_forward">1</Option>
|
|
<Option name="sshArgs"/>
|
|
<Option name="ulog_cprange">0</Option>
|
|
<Option name="ulog_nlgroup">1</Option>
|
|
<Option name="ulog_qthreshold">1</Option>
|
|
<Option name="use_ULOG">True</Option>
|
|
<Option name="use_iptables_restore">True</Option>
|
|
<Option name="use_m_set">False</Option>
|
|
<Option name="use_numeric_log_levels">False</Option>
|
|
<Option name="verify_interfaces">True</Option>
|
|
</FirewallOptions>
|
|
</Firewall>
|
|
<Firewall id="id99463X18910" host_OS="linux24" inactive="False" lastCompiled="1272404272" lastInstalled="0" lastModified="1302483429" platform="iptables" version="1.4.0" name="firewall-ipv6-nd-ns-2" comment="automatic ND/NS rules, bridging fw " ro="False">
|
|
<NAT id="id99486X18910" name="NAT" comment="" ro="False" ipv4_rule_set="True" ipv6_rule_set="True" top_rule_set="True">
|
|
<RuleSetOptions/>
|
|
</NAT>
|
|
<Policy id="id99483X18910" name="Policy" comment="" ro="False" ipv4_rule_set="True" ipv6_rule_set="True" top_rule_set="True">
|
|
<RuleSetOptions/>
</Policy>
<Routing id="id99489X18910" name="Routing" comment="" ro="False" ipv4_rule_set="False" ipv6_rule_set="False" top_rule_set="True">
<RuleSetOptions/>
</Routing>
<Interface id="id99471X18910" dedicated_failover="False" dyn="False" label="" security_level="50" unnum="False" unprotected="False" name="eth0" comment="" ro="False">
<IPv4 id="id99475X18910" name="firewall-ipv6-nd-ns-2:eth0:ip" comment="" ro="False" address="1.1.1.1" netmask="255.255.255.0"/>
<IPv6 id="id99476X18910" name="firewall-ipv6-nd-ns-2:eth0:ip6" comment="" ro="False" address="fe80::21d:9ff:fe8b:8e94" netmask="64"/>
<InterfaceOptions/>
</Interface>
<Interface id="id99478X18910" dedicated_failover="False" dyn="False" label="" mgmt="False" security_level="0" unnum="False" unprotected="False" name="eth1" comment="" ro="False">
<IPv4 id="id99481X18910" name="firewall-ipv6-nd-ns-2:eth1:ip" comment="" ro="False" address="192.0.2.1" netmask="255.255.255.0"/>
<InterfaceOptions/>
</Interface>
<Management address="1.1.1.1">
<SNMPManagement enabled="False" snmp_read_community="" snmp_write_community=""/>
<FWBDManagement enabled="False" identity="" port="-1"/>
<PolicyInstallScript arguments="" command="" enabled="False"/>
</Management>
<FirewallOptions>
<Option name="accept_established">True</Option>
<Option name="accept_new_tcp_with_no_syn">True</Option>
<Option name="action_on_reject"/>
<Option name="activationCmd"/>
<Option name="add_check_state_rule">true</Option>
<Option name="add_mgmt_ssh_rule_when_stoped">False</Option>
<Option name="add_rules_for_ipv6_neighbor_discovery">True</Option>
<Option name="admUser"/>
<Option name="altAddress"/>
<Option name="bridging_fw">True</Option>
<Option name="check_shading">True</Option>
<Option name="clamp_mss_to_mtu">True</Option>
<Option name="classify_mark_terminating">False</Option>
<Option name="clear_unknown_interfaces">False</Option>
<Option name="cmdline">-xt</Option>
<Option name="compiler"/>
<Option name="configure_bonding_interfaces">False</Option>
<Option name="configure_bridge_interfaces">False</Option>
<Option name="configure_interfaces">True</Option>
<Option name="configure_vlan_interfaces">False</Option>
<Option name="debug">False</Option>
<Option name="drop_invalid">True</Option>
<Option name="eliminate_duplicates">true</Option>
<Option name="enable_ipv6">True</Option>
<Option name="epilog_script"/>
<Option name="firewall_dir">/etc</Option>
<Option name="firewall_is_part_of_any_and_networks">False</Option>
<Option name="freebsd_ip_forward">1</Option>
<Option name="ignore_empty_groups">False</Option>
<Option name="in_out_code">true</Option>
<Option name="iosacl_add_clear_statements">true</Option>
<Option name="iosacl_assume_fw_part_of_any">true</Option>
<Option name="iosacl_include_comments">true</Option>
<Option name="ipt_mangle_only_rulesets"/>
<Option name="ipv4_6_order">ipv4_first</Option>
<Option name="limit_suffix"/>
<Option name="limit_value">0</Option>
<Option name="linux24_accept_redirects"/>
<Option name="linux24_accept_source_route"/>
<Option name="linux24_icmp_echo_ignore_all"/>
<Option name="linux24_icmp_echo_ignore_broadcasts"/>
<Option name="linux24_icmp_ignore_bogus_error_responses"/>
<Option name="linux24_ip_dynaddr"/>
<Option name="linux24_ip_forward">1</Option>
<Option name="linux24_ipv6_forward">1</Option>
<Option name="linux24_log_martians"/>
<Option name="linux24_path_ip"/>
<Option name="linux24_path_ip6tables"/>
<Option name="linux24_path_ip6tables_restore"/>
<Option name="linux24_path_iptables"/>
<Option name="linux24_path_iptables_restore"/>
<Option name="linux24_path_logger"/>
<Option name="linux24_path_lsmod"/>
<Option name="linux24_path_modprobe"/>
<Option name="linux24_rp_filter"/>
<Option name="linux24_tcp_ecn"/>
<Option name="linux24_tcp_fack"/>
<Option name="linux24_tcp_fin_timeout">0</Option>
<Option name="linux24_tcp_keepalive_interval">0</Option>
<Option name="linux24_tcp_sack"/>
<Option name="linux24_tcp_syncookies"/>
<Option name="linux24_tcp_timestamps"/>
<Option name="linux24_tcp_window_scaling"/>
<Option name="load_modules">True</Option>
<Option name="local_nat">False</Option>
<Option name="log_all">False</Option>
<Option name="log_invalid">True</Option>
<Option name="log_ip_opt">False</Option>
<Option name="log_level">info</Option>
<Option name="log_prefix">RULE %N -- %A </Option>
<Option name="log_tcp_opt">False</Option>
<Option name="log_tcp_seq">False</Option>
<Option name="loopback_interface">lo0</Option>
<Option name="macosx_ip_forward">1</Option>
<Option name="manage_virtual_addr">True</Option>
<Option name="mgmt_addr"/>
<Option name="mgmt_ssh">False</Option>
<Option name="no_ipv6_default_policy">False</Option>
<Option name="openbsd_ip_forward">1</Option>
<Option name="output_file"/>
<Option name="pass_all_out">false</Option>
<Option name="pf_limit_frags">5000</Option>
<Option name="pf_limit_states">10000</Option>
<Option name="pf_scrub_maxmss">1460</Option>
<Option name="pf_timeout_frag">30</Option>
<Option name="pf_timeout_interval">10</Option>
<Option name="pix_add_clear_statements">true</Option>
<Option name="pix_assume_fw_part_of_any">true</Option>
<Option name="pix_default_logint">300</Option>
<Option name="pix_emblem_log_format">false</Option>
<Option name="pix_emulate_out_acl">true</Option>
<Option name="pix_floodguard">true</Option>
<Option name="pix_include_comments">true</Option>
<Option name="pix_route_dnat_supported">true</Option>
<Option name="pix_rule_syslog_settings">false</Option>
<Option name="pix_security_fragguard_supported">true</Option>
<Option name="pix_syslog_device_id_supported">false</Option>
<Option name="pix_use_acl_remarks">true</Option>
<Option name="prolog_place">top</Option>
<Option name="prolog_script"/>
<Option name="prompt1">$ </Option>
<Option name="prompt2"> # </Option>
<Option name="scpArgs"/>
<Option name="script_name_on_firewall"/>
<Option name="solaris_ip_forward">1</Option>
<Option name="sshArgs"/>
<Option name="ulog_cprange">0</Option>
<Option name="ulog_nlgroup">1</Option>
<Option name="ulog_qthreshold">1</Option>
<Option name="use_ULOG">True</Option>
<Option name="use_iptables_restore">True</Option>
<Option name="use_m_set">False</Option>
<Option name="use_numeric_log_levels">False</Option>
<Option name="verify_interfaces">True</Option>
</FirewallOptions>
</Firewall>
</ObjectGroup>
<IntervalGroup id="stdid11_1" name="Time" comment="" ro="False">
<Interval id="id3D6864D0" days_of_week="0,1" from_day="-1" from_hour="1" from_minute="1" from_month="-1" from_weekday="0" from_year="-1" to_day="-1" to_hour="2" to_minute="2" to_month="-1" to_weekday="1" to_year="-1" name="test time 1" comment="" ro="False"/>
<Interval id="id45F8C4E013056" days_of_week="0,1" from_day="13" from_hour="1" from_minute="1" from_month="3" from_weekday="0" from_year="2008" to_day="1" to_hour="2" to_minute="2" to_month="1" to_weekday="1" to_year="2010" name="test time 2" comment="" ro="False"/>
<Interval id="id89441X15403" days_of_week="5,6" from_day="13" from_hour="0" from_minute="0" from_month="3" from_weekday="-1" from_year="2008" to_day="1" to_hour="1" to_minute="0" to_month="1" to_weekday="-1" to_year="2010" name="test time 3" comment="" ro="False"/>
<Interval id="id38119X64488" days_of_week="5,6" from_day="-1" from_hour="1" from_minute="0" from_month="-1" from_weekday="-1" from_year="-1" to_day="-1" to_hour="2" to_minute="0" to_month="-1" to_weekday="-1" to_year="-1" name="test time 4" comment="" ro="False"/>
</IntervalGroup>
</Library>
<Library id="id4387B43718346" color="#FFFFFF" name="transfer" comment="" ro="False">
<ObjectGroup id="id4387B43818346_clusters" name="Clusters" comment="" ro="False"/>
<ObjectGroup id="id4387B43818346" name="Objects" comment="" ro="False">
<ObjectGroup id="id4387B43918346" name="Addresses" comment="" ro="False"/>
<ObjectGroup id="id4387B43A18346" name="DNS Names" comment="" ro="False"/>
<ObjectGroup id="id4387B43B18346" name="Address Tables" comment="" ro="False"/>
<ObjectGroup id="id4387B43C18346" name="Groups" comment="" ro="False"/>
<ObjectGroup id="id4387B43D18346" name="Hosts" comment="" ro="False"/>
<ObjectGroup id="id4387B43E18346" name="Networks" comment="" ro="False"/>
<ObjectGroup id="id4387B43F18346" name="Address Ranges" comment="" ro="False"/>
</ObjectGroup>
<ServiceGroup id="id4387B44018346" name="Services" comment="" ro="False">
<ServiceGroup id="id4387B44018346_userservices" name="Users" comment="" ro="False"/>
<ServiceGroup id="id4387B44018346_og_tag_1" name="TagServices" comment="" ro="False"/>
<ServiceGroup id="id4387B44118346" name="Groups" comment="" ro="False"/>
<ServiceGroup id="id4387B44218346" name="ICMP" comment="" ro="False"/>
<ServiceGroup id="id4387B44318346" name="IP" comment="" ro="False"/>
<ServiceGroup id="id4387B44418346" name="TCP" comment="" ro="False"/>
<ServiceGroup id="id4387B44518346" name="UDP" comment="" ro="False"/>
<ServiceGroup id="id4387B44618346" name="Custom" comment="" ro="False"/>
</ServiceGroup>
<ObjectGroup id="id4387B44718346" name="Firewalls" comment="" ro="False"/>
<IntervalGroup id="id4387B44818346" name="Time" comment="" ro="False"/>
</Library>
</FWObjectDatabase>