<?xml version="1.0" encoding="utf-8"?>
|
|
<!DOCTYPE FWObjectDatabase SYSTEM "fwbuilder.dtd">
|
|
<FWObjectDatabase xmlns="http://www.fwbuilder.org/1.0/" version="21" lastModified="1253911075" id="root">
|
|
<Library id="syslib000" color="#d4f8ff" name="Standard" comment="Standard objects" ro="True">
|
|
<AnyNetwork id="sysid0" name="Any" comment="Any Network" ro="False" address="0.0.0.0" netmask="0.0.0.0"/>
|
|
<AnyIPService id="sysid1" protocol_num="0" name="Any" comment="Any IP Service" ro="False"/>
|
|
<AnyInterval id="sysid2" days_of_week="0,1,2,3,4,5,6" from_day="-1" from_hour="-1" from_minute="-1" from_month="-1" from_weekday="-1" from_year="-1" to_day="-1" to_hour="-1" to_minute="-1" to_month="-1" to_weekday="-1" to_year="-1" name="Any" comment="Any Interval" ro="False"/>
|
|
<ObjectGroup id="stdid01" name="Objects" comment="" ro="False">
|
|
<ObjectGroup id="stdid16" name="Addresses" comment="" ro="False">
|
|
<IPv4 id="id2001X88798" name="all-hosts" comment="" ro="False" address="224.0.0.1" netmask="0.0.0.0"/>
|
|
<IPv4 id="id2002X88798" name="all-routers" comment="" ro="False" address="224.0.0.2" netmask="0.0.0.0"/>
|
|
<IPv4 id="id2003X88798" name="all DVMRP" comment="" ro="False" address="224.0.0.4" netmask="0.0.0.0"/>
|
|
<IPv4 id="id2117X88798" name="OSPF (all routers)" comment="RFC2328" ro="False" address="224.0.0.5" netmask="0.0.0.0"/>
|
|
<IPv4 id="id2128X88798" name="OSPF (designated routers)" comment="RFC2328" ro="False" address="224.0.0.6" netmask="0.0.0.0"/>
|
|
<IPv4 id="id2430X88798" name="RIP" comment="RFC1723" ro="False" address="224.0.0.9" netmask="0.0.0.0"/>
|
|
<IPv4 id="id2439X88798" name="EIGRP" comment="" ro="False" address="224.0.0.10" netmask="0.0.0.0"/>
|
|
<IPv4 id="id2446X88798" name="DHCP server, relay agent" comment="RFC 1884" ro="False" address="224.0.0.12" netmask="0.0.0.0"/>
|
|
<IPv4 id="id2455X88798" name="PIM" comment="" ro="False" address="224.0.0.13" netmask="0.0.0.0"/>
|
|
<IPv4 id="id2462X88798" name="RSVP" comment="" ro="False" address="224.0.0.14" netmask="0.0.0.0"/>
|
|
<IPv4 id="id2469X88798" name="VRRP" comment="RFC3768" ro="False" address="224.0.0.18" netmask="0.0.0.0"/>
|
|
<IPv4 id="id2777X88798" name="IGMP" comment="" ro="False" address="224.0.0.22" netmask="0.0.0.0"/>
|
|
<IPv4 id="id2784X88798" name="OSPFIGP-TE" comment="RFC4973" ro="False" address="224.0.0.24" netmask="0.0.0.0"/>
|
|
<IPv4 id="id3094X88798" name="HSRP" comment="" ro="False" address="224.0.0.102" netmask="0.0.0.0"/>
|
|
<IPv4 id="id3403X88798" name="mDNS" comment="" ro="False" address="224.0.0.251" netmask="0.0.0.0"/>
|
|
<IPv4 id="id3410X88798" name="LLMNR" comment="Link-Local Multicast Name Resolution, RFC4795" ro="False" address="224.0.0.252" netmask="0.0.0.0"/>
|
|
<IPv4 id="id3411X88798" name="Teredo" comment="" ro="False" address="224.0.0.253" netmask="0.0.0.0"/>
|
|
</ObjectGroup>
|
|
<ObjectGroup id="stdid17" name="DNS Names" comment="" ro="False"/>
|
|
<ObjectGroup id="stdid18" name="Address Tables" comment="" ro="False"/>
|
|
<ObjectGroup id="stdid04" name="Groups" comment="" ro="False">
|
|
<ObjectGroup id="id3DC75CE8" name="rfc1918-nets" comment="" ro="False">
|
|
<ObjectRef ref="id3DC75CE5"/>
|
|
<ObjectRef ref="id3DC75CE6"/>
|
|
<ObjectRef ref="id3DC75CE7"/>
|
|
</ObjectGroup>
|
|
<ObjectGroup id="id3292X75851" name="ipv6 private" comment="These are various ipv6 networks that should not be routed on the Internet " ro="False">
|
|
<ObjectRef ref="id2088X75851"/>
|
|
<ObjectRef ref="id2986X75851"/>
|
|
<ObjectRef ref="id2383X75851"/>
|
|
</ObjectGroup>
|
|
</ObjectGroup>
|
|
<ObjectGroup id="stdid02" name="Hosts" comment="" ro="False">
|
|
<Host id="id3D84EECE" name="internal server" comment="This host is used in examples and template objects" ro="False">
|
|
<Interface id="id3D84EED2" dedicated_failover="False" dyn="False" security_level="0" unnum="False" unprotected="False" name="eth0" comment="" ro="False">
|
|
<IPv4 id="id3D84EED3" name="ip" comment="" ro="False" address="192.168.1.10" netmask="255.255.255.0"/>
|
|
<InterfaceOptions/>
|
|
</Interface>
|
|
<Management address="192.168.1.10">
|
|
<SNMPManagement enabled="False" snmp_read_community="" snmp_write_community=""/>
|
|
<FWBDManagement enabled="False" identity="" port="-1"/>
|
|
<PolicyInstallScript arguments="" command="" enabled="False"/>
|
|
</Management>
|
|
<HostOptions>
|
|
<Option name="snmp_contact"></Option>
|
|
<Option name="snmp_description"></Option>
|
|
<Option name="snmp_location"></Option>
|
|
<Option name="use_mac_addr">false</Option>
|
|
<Option name="use_mac_addr_filter">False</Option>
|
|
</HostOptions>
|
|
</Host>
|
|
<Host id="id3D84EECF" name="server on dmz" comment="This host is used in examples and template objects" ro="False">
|
|
<Interface id="id3D84EEE3" dedicated_failover="False" dyn="False" security_level="0" unnum="False" unprotected="False" name="eth0" comment="" ro="False">
|
|
<IPv4 id="id3D84EEE4" name="ip" comment="" ro="False" address="192.168.2.10" netmask="255.255.255.0"/>
|
|
<InterfaceOptions/>
|
|
</Interface>
|
|
<Management address="192.168.2.10">
|
|
<SNMPManagement enabled="False" snmp_read_community="" snmp_write_community=""/>
|
|
<FWBDManagement enabled="False" identity="" port="-1"/>
|
|
<PolicyInstallScript arguments="" command="" enabled="False"/>
|
|
</Management>
|
|
<HostOptions>
|
|
<Option name="snmp_contact"></Option>
|
|
<Option name="snmp_description"></Option>
|
|
<Option name="snmp_location"></Option>
|
|
<Option name="use_mac_addr">false</Option>
|
|
<Option name="use_mac_addr_filter">False</Option>
|
|
</HostOptions>
|
|
</Host>
|
|
</ObjectGroup>
|
|
<ObjectGroup id="stdid03" name="Networks" comment="" ro="False">
|
|
<Network id="id3DC75CEC" name="all multicasts" comment="224.0.0.0/4 - This block, formerly known as the Class D address space, is allocated for use in IPv4 multicast address assignments. The IANA guidelines for assignments from this space are described in [RFC3171]. " ro="False" address="224.0.0.0" netmask="240.0.0.0"/>
|
|
<Network id="id3F4ECE3E" name="link-local" comment="169.254.0.0/16 - This is the &quot;link local&quot; block. It is allocated for communication between hosts on a single link. Hosts obtain these addresses by auto-configuration, such as when a DHCP server may not be found. " ro="False" address="169.254.0.0" netmask="255.255.0.0"/>
|
|
<Network id="id3F4ECE3D" name="loopback-net" comment="127.0.0.0/8 - This block is assigned for use as the Internet host loopback address. A datagram sent by a higher level protocol to an address anywhere within this block should loop back inside the host. This is ordinarily implemented using only 127.0.0.1/32 for loopback, but no addresses within this block should ever appear on any network anywhere [RFC1700, page 5]. " ro="False" address="127.0.0.0" netmask="255.0.0.0"/>
|
|
<Network id="id3DC75CE5" name="net-10.0.0.0" comment="10.0.0.0/8 - This block is set aside for use in private networks. Its intended use is documented in [RFC1918]. Addresses within this block should not appear on the public Internet." ro="False" address="10.0.0.0" netmask="255.0.0.0"/>
|
|
<Network id="id3DC75CE7" name="net-172.16.0.0" comment="172.16.0.0/12 - This block is set aside for use in private networks. Its intended use is documented in [RFC1918]. Addresses within this block should not appear on the public Internet. " ro="False" address="172.16.0.0" netmask="255.240.0.0"/>
|
|
<Network id="id3DC75CE6" name="net-192.168.0.0" comment="192.168.0.0/16 - This block is set aside for use in private networks. Its intended use is documented in [RFC1918]. Addresses within this block should not appear on the public Internet. " ro="False" address="192.168.0.0" netmask="255.255.0.0"/>
|
|
<Network id="id3F4ECE3F" name="test-net" comment="192.0.2.0/24 - This block is assigned as &quot;TEST-NET&quot; for use in documentation and example code. It is often used in conjunction with domain names example.com or example.net in vendor and protocol documentation. Addresses within this block should not appear on the public Internet. " ro="False" address="192.0.2.0" netmask="255.255.255.0"/>
|
|
<Network id="id3F4ECE40" name="this-net" comment="0.0.0.0/8 - Addresses in this block refer to source hosts on &quot;this&quot; network. Address 0.0.0.0/32 may be used as a source address for this host on this network; other addresses within 0.0.0.0/8 may be used to refer to specified hosts on this network [RFC1700, page 4]." ro="False" address="0.0.0.0" netmask="255.0.0.0"/>
|
|
<Network id="id3DC75CE7-1" name="net-192.168.1.0" comment="192.168.1.0/24 - Address often used for home and small office networks. " ro="False" address="192.168.1.0" netmask="255.255.255.0"/>
|
|
<Network id="id3DC75CE7-2" name="net-192.168.2.0" comment="192.168.2.0/24 - Address often used for home and small office networks. " ro="False" address="192.168.2.0" netmask="255.255.255.0"/>
|
|
<NetworkIPv6 id="id2088X75851" name="documentation net" comment="RFC3849" ro="False" address="2001:db8::" netmask="32"/>
|
|
<NetworkIPv6 id="id2383X75851" name="link-local ipv6" comment="RFC4291 Link-local unicast net" ro="False" address="fe80::" netmask="10"/>
|
|
<NetworkIPv6 id="id2685X75851" name="multicast ipv6" comment="RFC4291 ipv6 multicast addresses" ro="False" address="ff00::" netmask="8"/>
|
|
<NetworkIPv6 id="id2986X75851" name="experimental ipv6" comment="RFC2928, RFC4773 &quot;The block of Sub-TLA IDs assigned to the IANA (i.e., 2001:0000::/29 - 2001:01F8::/29) is for assignment for testing and experimental usage to support activities such as the 6bone, and for new approaches like exchanges.&quot; [RFC2928] " ro="False" address="2001::" netmask="23"/>
|
|
</ObjectGroup>
|
|
<ObjectGroup id="stdid15" name="Address Ranges" comment="" ro="False">
|
|
<AddressRange id="id3F6D115C" name="broadcast" comment="" ro="False" start_address="255.255.255.255" end_address="255.255.255.255"/>
|
|
<AddressRange id="id3F6D115D" name="old-broadcast" comment="" ro="False" start_address="0.0.0.0" end_address="0.0.0.0"/>
|
|
</ObjectGroup>
|
|
</ObjectGroup>
|
|
<ServiceGroup id="stdid05" name="Services" comment="" ro="False">
|
|
<CustomService id="stdid14_1" name="ESTABLISHED" comment="This service matches all packets which are part of network connections established through the firewall, or connections 'related' to those established through the firewall. Term 'established' refers to the state tracking mechanism which exists inside iptables and other stateful firewalls and does not mean any particular combination of packet header options. Packet is considered to correspond to the state 'ESTABLISHED' if it belongs to the network session, for which proper initiation has been seen by the firewall, so its stateful inspection module made appropriate record in the state table. Usually stateful firewalls keep track of network connections using not only tcp protocol, but also udp and sometimes even icmp protocols. 'RELATED' describes packet belonging to a separate network connection, related to the session firewall is keeping track of. One example is FTP command and FTP data sessions." ro="False" protocol="any" address_family="ipv4">
|
|
<CustomServiceCommand platform="Undefined"></CustomServiceCommand>
|
|
<CustomServiceCommand platform="iosacl">established</CustomServiceCommand>
|
|
<CustomServiceCommand platform="ipfilter"></CustomServiceCommand>
|
|
<CustomServiceCommand platform="ipfw">established</CustomServiceCommand>
|
|
<CustomServiceCommand platform="iptables">-m state --state ESTABLISHED,RELATED</CustomServiceCommand>
|
|
</CustomService>
|
|
<CustomService id="stdid14_2" name="ESTABLISHED ipv6" comment="This service matches all packets which are part of network connections established through the firewall, or connections 'related' to those established through the firewall. Term 'established' refers to the state tracking mechanism which exists inside iptables and other stateful firewalls and does not mean any particular combination of packet header options. Packet is considered to correspond to the state 'ESTABLISHED' if it belongs to the network session, for which proper initiation has been seen by the firewall, so its stateful inspection module made appropriate record in the state table. Usually stateful firewalls keep track of network connections using not only tcp protocol, but also udp and sometimes even icmp protocols. 'RELATED' describes packet belonging to a separate network connection, related to the session firewall is keeping track of. One example is FTP command and FTP data sessions." ro="False" protocol="any" address_family="ipv6">
|
|
<CustomServiceCommand platform="Undefined"></CustomServiceCommand>
|
|
<CustomServiceCommand platform="iosacl">established</CustomServiceCommand>
|
|
<CustomServiceCommand platform="ipfilter"></CustomServiceCommand>
|
|
<CustomServiceCommand platform="ipfw">established</CustomServiceCommand>
|
|
<CustomServiceCommand platform="iptables">-m state --state ESTABLISHED,RELATED</CustomServiceCommand>
|
|
</CustomService>
|
|
<ServiceGroup id="stdid10" name="Groups" comment="" ro="False">
|
|
<ServiceGroup id="sg-DHCP" name="DHCP" comment="" ro="False">
|
|
<ServiceRef ref="udp-bootpc"/>
|
|
<ServiceRef ref="udp-bootps"/>
|
|
</ServiceGroup>
|
|
<ServiceGroup id="id3F530CC8" name="DNS" comment="" ro="False">
|
|
<ServiceRef ref="udp-DNS"/>
|
|
<ServiceRef ref="tcp-DNS"/>
|
|
</ServiceGroup>
|
|
<ServiceGroup id="id3CB1279B" name="IPSEC" comment="" ro="False">
|
|
<ServiceRef ref="id3CB12797"/>
|
|
<ServiceRef ref="ip-IPSEC"/>
|
|
</ServiceGroup>
|
|
<ServiceGroup id="sg-NETBIOS" name="NETBIOS" comment="" ro="False">
|
|
<ServiceRef ref="udp-netbios-dgm"/>
|
|
<ServiceRef ref="udp-netbios-ns"/>
|
|
<ServiceRef ref="id3E755609"/>
|
|
</ServiceGroup>
|
|
<ServiceGroup id="id3CB131CC" name="PCAnywhere" comment="" ro="False">
|
|
<ServiceRef ref="id3CB131CA"/>
|
|
<ServiceRef ref="id3CB131C8"/>
|
|
</ServiceGroup>
|
|
<ServiceGroup id="sg-Useful_ICMP" name="Useful_ICMP" comment="" ro="False">
|
|
<ServiceRef ref="icmp-Time_exceeded"/>
|
|
<ServiceRef ref="icmp-Time_exceeded_in_transit"/>
|
|
<ServiceRef ref="icmp-ping_reply"/>
|
|
<ServiceRef ref="icmp-Unreachables"/>
|
|
</ServiceGroup>
|
|
<ServiceGroup id="id3B4FEDD9" name="kerberos" comment="" ro="False">
|
|
<ServiceRef ref="id3B4FEDA5"/>
|
|
<ServiceRef ref="id3B4FEDA9"/>
|
|
<ServiceRef ref="id3B4FEDA7"/>
|
|
<ServiceRef ref="id3B4FEDAB"/>
|
|
<ServiceRef ref="id3B4FEDA3"/>
|
|
<ServiceRef ref="id3B4FEE21"/>
|
|
<ServiceRef ref="id3B4FEE23"/>
|
|
<ServiceRef ref="id3E7E3EA2"/>
|
|
</ServiceGroup>
|
|
<ServiceGroup id="id3B4FF35E" name="nfs" comment="" ro="False">
|
|
<ServiceRef ref="id3B4FEE7A"/>
|
|
<ServiceRef ref="id3B4FEE78"/>
|
|
</ServiceGroup>
|
|
<ServiceGroup id="id3B4FEFFA" name="quake" comment="" ro="False">
|
|
<ServiceRef ref="id3B4FEF7C"/>
|
|
<ServiceRef ref="id3B4FEF7E"/>
|
|
</ServiceGroup>
|
|
<ServiceGroup id="id3D703C9A" name="Real Player" comment="" ro="False">
|
|
<ServiceRef ref="id3D703C99"/>
|
|
<ServiceRef ref="id3D703C8B"/>
|
|
</ServiceGroup>
|
|
<ServiceGroup id="id3E7E3E95" name="WinNT" comment="" ro="False">
|
|
<ServiceRef ref="sg-NETBIOS"/>
|
|
<ServiceRef ref="id3DC8C8BB"/>
|
|
<ServiceRef ref="id3E7E3D58"/>
|
|
</ServiceGroup>
|
|
<ServiceGroup id="id3E7E3E9A" name="Win2000" comment="" ro="False">
|
|
<ServiceRef ref="id3E7E3E95"/>
|
|
<ServiceRef ref="udp-DNS"/>
|
|
<ServiceRef ref="id3DC8C8BC"/>
|
|
<ServiceRef ref="id3E7E3EA2"/>
|
|
<ServiceRef ref="id3AECF778"/>
|
|
<ServiceRef ref="id3D703C90"/>
|
|
<ServiceRef ref="id3E7E4039"/>
|
|
<ServiceRef ref="id3E7E403A"/>
|
|
<ServiceRef ref="id3B4FEDA5"/>
|
|
<ServiceRef ref="tcp-DNS"/>
|
|
</ServiceGroup>
|
|
<ServiceGroup id="id41291786" name="UPnP" comment="" ro="False">
|
|
<ServiceRef ref="id41291784"/>
|
|
<ServiceRef ref="id41291785"/>
|
|
<ServiceRef ref="id41291783"/>
|
|
<ServiceRef ref="id412Z18A9"/>
|
|
</ServiceGroup>
|
|
</ServiceGroup>
|
|
<ServiceGroup id="stdid07" name="ICMP" comment="" ro="False">
|
|
<ICMPService id="icmp-Unreachables" code="-1" type="3" name="all ICMP unreachables" comment="" ro="False"/>
|
|
<ICMPService id="id3C20EEB5" code="-1" type="-1" name="any ICMP" comment="" ro="False"/>
|
|
<ICMPService id="icmp-Host_unreach" code="1" type="3" name="host_unreach" comment="" ro="False"/>
|
|
<ICMPService id="icmp-ping_reply" code="0" type="0" name="ping reply" comment="" ro="False"/>
|
|
<ICMPService id="icmp-ping_request" code="0" type="8" name="ping request" comment="" ro="False"/>
|
|
<ICMPService id="icmp-Port_unreach" code="3" type="3" name="port unreach" comment="Port unreachable" ro="False"/>
|
|
<ICMPService id="icmp-Time_exceeded" code="0" type="11" name="time exceeded" comment="ICMP messages of this type are needed for traceroute" ro="False"/>
|
|
<ICMPService id="icmp-Time_exceeded_in_transit" code="1" type="11" name="time exceeded in transit" comment="" ro="False"/>
|
|
<ICMP6Service id="ipv6-icmp-ping_request" code="0" type="128" name="ipv6 ping request" comment="IPv6 ping request" ro="False"/>
|
|
<ICMP6Service id="ipv6-icmp-ping_reply" code="0" type="129" name="ipv6 ping reply" comment="IPv6 ping reply" ro="False"/>
|
|
<ICMP6Service id="ipv6-icmp-routersol" code="0" type="133" name="ipv6 routersol" comment="IPv6 router solicitation" ro="False"/>
|
|
<ICMP6Service id="ipv6-icmp-routeradv" code="0" type="134" name="ipv6 routeradv" comment="IPv6 router advertisement" ro="False"/>
|
|
<ICMP6Service id="ipv6-icmp-neighbrsol" code="0" type="135" name="ipv6 neighbrsol" comment="IPv6 neighbor solicitation" ro="False"/>
|
|
<ICMP6Service id="ipv6-icmp-neighbradv" code="0" type="136" name="ipv6 neighbradv" comment="IPv6 neighbor advertisement" ro="False"/>
|
|
<ICMP6Service id="ipv6-icmp-redir" code="0" type="137" name="ipv6 redir" comment="IPv6 redirect: shorter route exists" ro="False"/>
|
|
<ICMP6Service id="idCFE27650" code="0" type="3" name="ipv6 time exceeded" comment="Time exceeded in transit" ro="False"/>
|
|
<ICMP6Service id="idCFF27650" code="1" type="3" name="ipv6 time exceeded in reassembly" comment="Time exceeded in reassembly" ro="False"/>
|
|
<ICMP6Service id="idE0B27650" code="-1" type="2" name="ipv6 packet too big" comment="" ro="False"/>
|
|
<ICMP6Service id="idE0D27650" code="-1" type="1" name="ipv6 all dest unreachable" comment="All icmpv6 codes for type &quot;destination unreachable&quot; " ro="False"/>
|
|
<ICMP6Service id="idCFE27660" code="-1" type="-1" name="ipv6 any ICMP6" comment="any ICMPv6" ro="False"/>
|
|
</ServiceGroup>
|
|
<ServiceGroup id="stdid06" name="IP" comment="" ro="False">
|
|
<IPService id="id3CB12797" fragm="False" lsrr="False" protocol_num="51" rr="False" short_fragm="False" ssrr="False" ts="False" name="AH" comment="IPSEC Authentication Header Protocol" ro="False"/>
|
|
<IPService id="ip-IPSEC" fragm="False" lsrr="False" protocol_num="50" rr="False" short_fragm="False" ssrr="False" ts="False" name="ESP" comment="IPSEC Encapsulating Security Payload Protocol" ro="False"/>
|
|
<IPService id="ip-RR" fragm="False" lsrr="False" protocol_num="0" rr="True" short_fragm="False" ssrr="False" ts="False" name="RR" comment="Route recording packets" ro="False"/>
|
|
<IPService id="ip-SRR" fragm="False" lsrr="True" protocol_num="0" rr="False" short_fragm="False" ssrr="True" ts="False" name="SRR" comment="All sorts of Source Routing Packets" ro="False"/>
|
|
<IPService id="ip-IP_Fragments" fragm="False" lsrr="False" protocol_num="0" rr="False" short_fragm="True" ssrr="False" ts="False" name="ip_fragments" comment="'Short' fragments" ro="False"/>
|
|
<IPService id="id3D703C8E" fragm="False" lsrr="False" protocol_num="57" rr="False" short_fragm="False" ssrr="False" ts="False" name="SKIP" comment="IPSEC Simple Key Management for Internet Protocols" ro="False"/>
|
|
<IPService id="id3D703C8F" fragm="False" lsrr="False" protocol_num="47" rr="False" short_fragm="False" ssrr="False" ts="False" name="GRE" comment="Generic Routing Encapsulation " ro="False"/>
|
|
<IPService id="id3D703C95" fragm="False" lsrr="False" protocol_num="112" rr="False" short_fragm="False" ssrr="False" ts="False" name="vrrp" comment="Virtual Router Redundancy Protocol" ro="False"/>
|
|
<IPService id="ip-IGMP" fragm="False" lsrr="False" protocol_num="2" rr="False" rtralt="True" rtralt_value="0" short_fragm="False" ssrr="False" ts="False" name="IGMP" comment="Internet Group Management Protocol, Version 3, RFC 3376" ro="False"/>
|
|
<IPService id="ip-PIM" fragm="False" lsrr="False" protocol_num="103" rr="False" rtralt="False" rtralt_value="0" short_fragm="False" ssrr="False" ts="False" name="PIM" comment="Protocol Independent Multicast - Dense Mode (PIM-DM), RFC 3973, or Protocol Independent Multicast-Sparse Mode (PIM-SM) RFC 2362" ro="False"/>
|
|
</ServiceGroup>
|
|
<ServiceGroup id="stdid09" name="TCP" comment="" ro="False">
|
|
<TCPService id="tcp-ALL_TCP_Masqueraded" ack_flag="False" ack_flag_mask="False" fin_flag="False" fin_flag_mask="False" psh_flag="False" psh_flag_mask="False" rst_flag="False" rst_flag_mask="False" syn_flag="False" syn_flag_mask="False" urg_flag="False" urg_flag_mask="False" name="ALL TCP Masqueraded" comment="ipchains used to use this range of port numbers for masquerading. " ro="False" src_range_start="61000" src_range_end="65095" dst_range_start="0" dst_range_end="0"/>
|
|
<TCPService id="id3D703C94" ack_flag="False" ack_flag_mask="False" fin_flag="False" fin_flag_mask="False" psh_flag="False" psh_flag_mask="False" rst_flag="False" rst_flag_mask="False" syn_flag="False" syn_flag_mask="False" urg_flag="False" urg_flag_mask="False" name="AOL" comment="" ro="False" src_range_start="0" src_range_end="0" dst_range_start="5190" dst_range_end="5190"/>
|
|
<TCPService id="tcp-All_TCP" ack_flag="False" ack_flag_mask="False" fin_flag="False" fin_flag_mask="False" psh_flag="False" psh_flag_mask="False" rst_flag="False" rst_flag_mask="False" syn_flag="False" syn_flag_mask="False" urg_flag="False" urg_flag_mask="False" name="All TCP" comment="" ro="False" src_range_start="0" src_range_end="0" dst_range_start="0" dst_range_end="0"/>
|
|
<TCPService id="id3CB131C4" ack_flag="False" ack_flag_mask="False" fin_flag="False" fin_flag_mask="False" psh_flag="False" psh_flag_mask="False" rst_flag="False" rst_flag_mask="False" syn_flag="False" syn_flag_mask="False" urg_flag="False" urg_flag_mask="False" name="Citrix-ICA" comment="" ro="False" src_range_start="0" src_range_end="0" dst_range_start="1494" dst_range_end="1494"/>
|
|
<TCPService id="id3D703C91" ack_flag="False" ack_flag_mask="False" fin_flag="False" fin_flag_mask="False" psh_flag="False" psh_flag_mask="False" rst_flag="False" rst_flag_mask="False" syn_flag="False" syn_flag_mask="False" urg_flag="False" urg_flag_mask="False" name="Entrust-Admin" comment="Entrust CA Administration Service" ro="False" src_range_start="0" src_range_end="0" dst_range_start="709" dst_range_end="709"/>
|
|
<TCPService id="id3D703C92" ack_flag="False" ack_flag_mask="False" fin_flag="False" fin_flag_mask="False" psh_flag="False" psh_flag_mask="False" rst_flag="False" rst_flag_mask="False" syn_flag="False" syn_flag_mask="False" urg_flag="False" urg_flag_mask="False" name="Entrust-KeyMgmt" comment="Entrust CA Key Management Service" ro="False" src_range_start="0" src_range_end="0" dst_range_start="710" dst_range_end="710"/>
|
|
<TCPService id="id3AEDBEAC" ack_flag="False" ack_flag_mask="False" fin_flag="False" fin_flag_mask="False" psh_flag="False" psh_flag_mask="False" rst_flag="False" rst_flag_mask="False" syn_flag="False" syn_flag_mask="False" urg_flag="False" urg_flag_mask="False" name="H323" comment="" ro="False" src_range_start="0" src_range_end="0" dst_range_start="1720" dst_range_end="1720"/>
|
|
<TCPService id="id412Z18A9" ack_flag="False" ack_flag_mask="False" fin_flag="False" fin_flag_mask="False" psh_flag="False" psh_flag_mask="False" rst_flag="False" rst_flag_mask="False" syn_flag="False" syn_flag_mask="False" urg_flag="False" urg_flag_mask="False" name="icslap" comment="Sometimes this protocol is called icslap, but Microsoft does not call it that and just says that DSPP uses port 2869 in Windows XP SP2" ro="False" src_range_start="0" src_range_end="0" dst_range_start="2869" dst_range_end="2869"/>
|
|
<TCPService id="id3E7E4039" ack_flag="False" ack_flag_mask="False" fin_flag="False" fin_flag_mask="False" psh_flag="False" psh_flag_mask="False" rst_flag="False" rst_flag_mask="False" syn_flag="False" syn_flag_mask="False" urg_flag="False" urg_flag_mask="False" name="LDAP GC" comment="" ro="False" src_range_start="0" src_range_end="0" dst_range_start="3268" dst_range_end="3268"/>
|
|
<TCPService id="id3E7E403A" ack_flag="False" ack_flag_mask="False" fin_flag="False" fin_flag_mask="False" psh_flag="False" psh_flag_mask="False" rst_flag="False" rst_flag_mask="False" syn_flag="False" syn_flag_mask="False" urg_flag="False" urg_flag_mask="False" name="LDAP GC SSL" comment="" ro="False" src_range_start="0" src_range_end="0" dst_range_start="3269" dst_range_end="3269"/>
|
|
<TCPService id="id3D703C83" ack_flag="False" ack_flag_mask="False" fin_flag="False" fin_flag_mask="False" psh_flag="False" psh_flag_mask="False" rst_flag="False" rst_flag_mask="False" syn_flag="False" syn_flag_mask="False" urg_flag="False" urg_flag_mask="False" name="OpenWindows" comment="Open Windows" ro="False" src_range_start="0" src_range_end="0" dst_range_start="2000" dst_range_end="2000"/>
|
|
<TCPService id="id3CB131C8" ack_flag="False" ack_flag_mask="False" fin_flag="False" fin_flag_mask="False" psh_flag="False" psh_flag_mask="False" rst_flag="False" rst_flag_mask="False" syn_flag="False" syn_flag_mask="False" urg_flag="False" urg_flag_mask="False" name="PCAnywhere-data" comment="data channel for PCAnywhere v7.52 and later " ro="False" src_range_start="0" src_range_end="0" dst_range_start="5631" dst_range_end="5631"/>
|
|
<TCPService id="id3D703C8B" ack_flag="False" ack_flag_mask="False" fin_flag="False" fin_flag_mask="False" psh_flag="False" psh_flag_mask="False" rst_flag="False" rst_flag_mask="False" syn_flag="False" syn_flag_mask="False" urg_flag="False" urg_flag_mask="False" name="Real-Audio" comment="RealNetworks PNA Protocol" ro="False" src_range_start="0" src_range_end="0" dst_range_start="7070" dst_range_end="7070"/>
|
|
<TCPService id="id3D703C93" ack_flag="False" ack_flag_mask="False" fin_flag="False" fin_flag_mask="False" psh_flag="False" psh_flag_mask="False" rst_flag="False" rst_flag_mask="False" syn_flag="False" syn_flag_mask="False" urg_flag="False" urg_flag_mask="False" name="RealSecure" comment="" ro="False" src_range_start="0" src_range_end="0" dst_range_start="2998" dst_range_end="2998"/>
|
|
<TCPService id="id3DC8C8BC" ack_flag="False" ack_flag_mask="False" fin_flag="False" fin_flag_mask="False" psh_flag="False" psh_flag_mask="False" rst_flag="False" rst_flag_mask="False" syn_flag="False" syn_flag_mask="False" urg_flag="False" urg_flag_mask="False" name="SMB" comment="SMB over TCP (without NETBIOS) " ro="False" src_range_start="0" src_range_end="0" dst_range_start="445" dst_range_end="445"/>
|
|
<TCPService id="id3D703C8D" ack_flag="False" ack_flag_mask="False" fin_flag="False" fin_flag_mask="False" psh_flag="False" psh_flag_mask="False" rst_flag="False" rst_flag_mask="False" syn_flag="False" syn_flag_mask="False" urg_flag="False" urg_flag_mask="False" name="TACACSplus" comment="" ro="False" src_range_start="0" src_range_end="0" dst_range_start="49" dst_range_end="49"/>
|
|
<TCPService id="id3D703C84" ack_flag="False" ack_flag_mask="False" fin_flag="False" fin_flag_mask="False" psh_flag="False" psh_flag_mask="False" rst_flag="False" rst_flag_mask="False" syn_flag="False" syn_flag_mask="False" urg_flag="False" urg_flag_mask="False" name="TCP high ports" comment="TCP high ports" ro="False" src_range_start="0" src_range_end="0" dst_range_start="1024" dst_range_end="65535"/>
|
|
<TCPService id="id3E7E3D58" ack_flag="False" ack_flag_mask="False" fin_flag="False" fin_flag_mask="False" psh_flag="False" psh_flag_mask="False" rst_flag="False" rst_flag_mask="False" syn_flag="False" syn_flag_mask="False" urg_flag="False" urg_flag_mask="False" name="WINS replication" comment="" ro="False" src_range_start="0" src_range_end="0" dst_range_start="42" dst_range_end="42"/>
|
|
<TCPService id="id3D703C82" ack_flag="False" ack_flag_mask="False" fin_flag="False" fin_flag_mask="False" psh_flag="False" psh_flag_mask="False" rst_flag="False" rst_flag_mask="False" syn_flag="False" syn_flag_mask="False" urg_flag="False" urg_flag_mask="False" name="X11" comment="X Window System" ro="False" src_range_start="0" src_range_end="0" dst_range_start="6000" dst_range_end="6063"/>
|
|
<TCPService id="tcp-Auth" ack_flag="False" ack_flag_mask="False" fin_flag="False" fin_flag_mask="False" psh_flag="False" psh_flag_mask="False" rst_flag="False" rst_flag_mask="False" syn_flag="False" syn_flag_mask="False" urg_flag="False" urg_flag_mask="False" name="auth" comment="" ro="False" src_range_start="0" src_range_end="0" dst_range_start="113" dst_range_end="113"/>
|
|
<TCPService id="id3AEDBE6E" ack_flag="False" ack_flag_mask="False" fin_flag="False" fin_flag_mask="False" psh_flag="False" psh_flag_mask="False" rst_flag="False" rst_flag_mask="False" syn_flag="False" syn_flag_mask="False" urg_flag="False" urg_flag_mask="False" name="daytime" comment="" ro="False" src_range_start="0" src_range_end="0" dst_range_start="13" dst_range_end="13"/>
|
|
<TCPService id="tcp-DNS" ack_flag="False" ack_flag_mask="False" fin_flag="False" fin_flag_mask="False" psh_flag="False" psh_flag_mask="False" rst_flag="False" rst_flag_mask="False" syn_flag="False" syn_flag_mask="False" urg_flag="False" urg_flag_mask="False" name="domain" comment="" ro="False" src_range_start="0" src_range_end="0" dst_range_start="53" dst_range_end="53"/>
|
|
<TCPService id="id3B4FEDA3" ack_flag="False" ack_flag_mask="False" fin_flag="False" fin_flag_mask="False" psh_flag="False" psh_flag_mask="False" rst_flag="False" rst_flag_mask="False" syn_flag="False" syn_flag_mask="False" urg_flag="False" urg_flag_mask="False" name="eklogin" comment="" ro="False" src_range_start="0" src_range_end="0" dst_range_start="2105" dst_range_end="2105"/>
|
|
<TCPService id="id3AECF774" ack_flag="False" ack_flag_mask="False" fin_flag="False" fin_flag_mask="False" psh_flag="False" psh_flag_mask="False" rst_flag="False" rst_flag_mask="False" syn_flag="False" syn_flag_mask="False" urg_flag="False" urg_flag_mask="False" name="finger" comment="" ro="False" src_range_start="0" src_range_end="0" dst_range_start="79" dst_range_end="79"/>
|
|
<TCPService id="tcp-FTP" ack_flag="False" ack_flag_mask="False" fin_flag="False" fin_flag_mask="False" psh_flag="False" psh_flag_mask="False" rst_flag="False" rst_flag_mask="False" syn_flag="False" syn_flag_mask="False" urg_flag="False" urg_flag_mask="False" name="ftp" comment="" ro="False" src_range_start="0" src_range_end="0" dst_range_start="21" dst_range_end="21"/>
|
|
<TCPService id="tcp-FTP_data" ack_flag="False" ack_flag_mask="False" fin_flag="False" fin_flag_mask="False" psh_flag="False" psh_flag_mask="False" rst_flag="False" rst_flag_mask="False" syn_flag="False" syn_flag_mask="False" urg_flag="False" urg_flag_mask="False" name="ftp data" comment="FTP data channel. Note: FTP protocol does not really require server to use source port 20 for the data channel, but many ftp server implementations do so." ro="False" src_range_start="20" src_range_end="20" dst_range_start="1024" dst_range_end="65535"/>
|
|
<TCPService id="id3E7553BC" ack_flag="False" ack_flag_mask="False" fin_flag="False" fin_flag_mask="False" psh_flag="False" psh_flag_mask="False" rst_flag="False" rst_flag_mask="False" syn_flag="False" syn_flag_mask="False" urg_flag="False" urg_flag_mask="False" name="ftp data passive" comment="FTP data channel for passive mode transfers " ro="False" src_range_start="0" src_range_end="0" dst_range_start="20" dst_range_end="20"/>
|
|
<TCPService id="tcp-HTTP" ack_flag="False" ack_flag_mask="False" fin_flag="False" fin_flag_mask="False" psh_flag="False" psh_flag_mask="False" rst_flag="False" rst_flag_mask="False" syn_flag="False" syn_flag_mask="False" urg_flag="False" urg_flag_mask="False" name="http" comment="" ro="False" src_range_start="0" src_range_end="0" dst_range_start="80" dst_range_end="80"/>
|
|
<TCPService id="id3B4FED69" ack_flag="False" ack_flag_mask="False" fin_flag="False" fin_flag_mask="False" psh_flag="False" psh_flag_mask="False" rst_flag="False" rst_flag_mask="False" syn_flag="False" syn_flag_mask="False" urg_flag="False" urg_flag_mask="False" name="https" comment="" ro="False" src_range_start="0" src_range_end="0" dst_range_start="443" dst_range_end="443"/>
|
|
<TCPService id="id3AECF776" ack_flag="False" ack_flag_mask="False" fin_flag="False" fin_flag_mask="False" psh_flag="False" psh_flag_mask="False" rst_flag="False" rst_flag_mask="False" syn_flag="False" syn_flag_mask="False" urg_flag="False" urg_flag_mask="False" name="imap" comment="" ro="False" src_range_start="0" src_range_end="0" dst_range_start="143" dst_range_end="143"/>
|
|
<TCPService id="id3B4FED9F" ack_flag="False" ack_flag_mask="False" fin_flag="False" fin_flag_mask="False" psh_flag="False" psh_flag_mask="False" rst_flag="False" rst_flag_mask="False" syn_flag="False" syn_flag_mask="False" urg_flag="False" urg_flag_mask="False" name="imaps" comment="" ro="False" src_range_start="0" src_range_end="0" dst_range_start="993" dst_range_end="993"/>
|
|
<TCPService id="id3B4FF13C" ack_flag="False" ack_flag_mask="False" fin_flag="False" fin_flag_mask="False" psh_flag="False" psh_flag_mask="False" rst_flag="False" rst_flag_mask="False" syn_flag="False" syn_flag_mask="False" urg_flag="False" urg_flag_mask="False" name="irc" comment="" ro="False" src_range_start="0" src_range_end="0" dst_range_start="6667" dst_range_end="6667"/>
|
|
<TCPService id="id3E7E3EA2" ack_flag="False" ack_flag_mask="False" fin_flag="False" fin_flag_mask="False" psh_flag="False" psh_flag_mask="False" rst_flag="False" rst_flag_mask="False" syn_flag="False" syn_flag_mask="False" urg_flag="False" urg_flag_mask="False" name="kerberos" comment="" ro="False" src_range_start="0" src_range_end="0" dst_range_start="88" dst_range_end="88"/>
|
|
<TCPService id="id3B4FEE21" ack_flag="False" ack_flag_mask="False" fin_flag="False" fin_flag_mask="False" psh_flag="False" psh_flag_mask="False" rst_flag="False" rst_flag_mask="False" syn_flag="False" syn_flag_mask="False" urg_flag="False" urg_flag_mask="False" name="klogin" comment="" ro="False" src_range_start="0" src_range_end="0" dst_range_start="543" dst_range_end="543"/>
|
|
<TCPService id="id3B4FEE23" ack_flag="False" ack_flag_mask="False" fin_flag="False" fin_flag_mask="False" psh_flag="False" psh_flag_mask="False" rst_flag="False" rst_flag_mask="False" syn_flag="False" syn_flag_mask="False" urg_flag="False" urg_flag_mask="False" name="ksh" comment="" ro="False" src_range_start="0" src_range_end="0" dst_range_start="544" dst_range_end="544"/>
|
|
<TCPService id="id3AECF778" ack_flag="False" ack_flag_mask="False" fin_flag="False" fin_flag_mask="False" psh_flag="False" psh_flag_mask="False" rst_flag="False" rst_flag_mask="False" syn_flag="False" syn_flag_mask="False" urg_flag="False" urg_flag_mask="False" name="ldap" comment="" ro="False" src_range_start="0" src_range_end="0" dst_range_start="389" dst_range_end="389"/>
|
|
<TCPService id="id3D703C90" ack_flag="False" ack_flag_mask="False" fin_flag="False" fin_flag_mask="False" psh_flag="False" psh_flag_mask="False" rst_flag="False" rst_flag_mask="False" syn_flag="False" syn_flag_mask="False" urg_flag="False" urg_flag_mask="False" name="ldaps" comment="Lightweight Directory Access Protocol over TLS/SSL" ro="False" src_range_start="0" src_range_end="0" dst_range_start="636" dst_range_end="636"/>
|
|
<TCPService id="id3B4FF000" ack_flag="False" ack_flag_mask="False" fin_flag="False" fin_flag_mask="False" psh_flag="False" psh_flag_mask="False" rst_flag="False" rst_flag_mask="False" syn_flag="False" syn_flag_mask="False" urg_flag="False" urg_flag_mask="False" name="linuxconf" comment="" ro="False" src_range_start="0" src_range_end="0" dst_range_start="98" dst_range_end="98"/>
|
|
<TCPService id="id3D703C97" ack_flag="False" ack_flag_mask="False" fin_flag="False" fin_flag_mask="False" psh_flag="False" psh_flag_mask="False" rst_flag="False" rst_flag_mask="False" syn_flag="False" syn_flag_mask="False" urg_flag="False" urg_flag_mask="False" name="lpr" comment="" ro="False" src_range_start="0" src_range_end="0" dst_range_start="515" dst_range_end="515"/>
|
|
<TCPService id="id3DC8C8BB" ack_flag="False" ack_flag_mask="False" fin_flag="False" fin_flag_mask="False" psh_flag="False" psh_flag_mask="False" rst_flag="False" rst_flag_mask="False" syn_flag="False" syn_flag_mask="False" urg_flag="False" urg_flag_mask="False" name="microsoft-rpc" comment="" ro="False" src_range_start="0" src_range_end="0" dst_range_start="135" dst_range_end="135"/>
|
|
<TCPService id="id3D703C98" ack_flag="False" ack_flag_mask="False" fin_flag="False" fin_flag_mask="False" psh_flag="False" psh_flag_mask="False" rst_flag="False" rst_flag_mask="False" syn_flag="False" syn_flag_mask="False" urg_flag="False" urg_flag_mask="False" name="ms-sql" comment="Microsoft SQL Server" ro="False" src_range_start="0" src_range_end="0" dst_range_start="1433" dst_range_end="1433"/>
|
|
<TCPService id="id3B4FEEEE" ack_flag="False" ack_flag_mask="False" fin_flag="False" fin_flag_mask="False" psh_flag="False" psh_flag_mask="False" rst_flag="False" rst_flag_mask="False" syn_flag="False" syn_flag_mask="False" urg_flag="False" urg_flag_mask="False" name="mysql" comment="" ro="False" src_range_start="0" src_range_end="0" dst_range_start="3306" dst_range_end="3306"/>
|
|
<TCPService id="id3E755609" ack_flag="False" ack_flag_mask="False" fin_flag="False" fin_flag_mask="False" psh_flag="False" psh_flag_mask="False" rst_flag="False" rst_flag_mask="False" syn_flag="False" syn_flag_mask="False" urg_flag="False" urg_flag_mask="False" name="netbios-ssn" comment="" ro="False" src_range_start="0" src_range_end="0" dst_range_start="139" dst_range_end="139"/>
|
|
<TCPService id="id3B4FEE7A" ack_flag="False" ack_flag_mask="False" fin_flag="False" fin_flag_mask="False" psh_flag="False" psh_flag_mask="False" rst_flag="False" rst_flag_mask="False" syn_flag="False" syn_flag_mask="False" urg_flag="False" urg_flag_mask="False" name="nfs" comment="" ro="False" src_range_start="0" src_range_end="0" dst_range_start="2049" dst_range_end="2049"/>
|
|
<TCPService id="tcp-NNTP" ack_flag="False" ack_flag_mask="False" fin_flag="False" fin_flag_mask="False" psh_flag="False" psh_flag_mask="False" rst_flag="False" rst_flag_mask="False" syn_flag="False" syn_flag_mask="False" urg_flag="False" urg_flag_mask="False" name="nntp" comment="" ro="False" src_range_start="0" src_range_end="0" dst_range_start="119" dst_range_end="119"/>
|
|
<TCPService id="id3E7553BB" ack_flag="False" ack_flag_mask="False" fin_flag="False" fin_flag_mask="False" psh_flag="False" psh_flag_mask="False" rst_flag="False" rst_flag_mask="False" syn_flag="False" syn_flag_mask="False" urg_flag="False" urg_flag_mask="False" name="nntps" comment="NNTP over SSL" ro="False" src_range_start="0" src_range_end="0" dst_range_start="563" dst_range_end="563"/>
|
|
<TCPService id="id3B4FEE1D" ack_flag="False" ack_flag_mask="False" fin_flag="False" fin_flag_mask="False" psh_flag="False" psh_flag_mask="False" rst_flag="False" rst_flag_mask="False" syn_flag="False" syn_flag_mask="False" urg_flag="False" urg_flag_mask="False" name="pop3" comment="" ro="False" src_range_start="0" src_range_end="0" dst_range_start="110" dst_range_end="110"/>
|
|
<TCPService id="id3E7553BA" ack_flag="False" ack_flag_mask="False" fin_flag="False" fin_flag_mask="False" psh_flag="False" psh_flag_mask="False" rst_flag="False" rst_flag_mask="False" syn_flag="False" syn_flag_mask="False" urg_flag="False" urg_flag_mask="False" name="pop3s" comment="POP-3 over SSL" ro="False" src_range_start="0" src_range_end="0" dst_range_start="995" dst_range_end="995"/>
|
|
<TCPService id="id3B4FF0EA" ack_flag="False" ack_flag_mask="False" fin_flag="False" fin_flag_mask="False" psh_flag="False" psh_flag_mask="False" rst_flag="False" rst_flag_mask="False" syn_flag="False" syn_flag_mask="False" urg_flag="False" urg_flag_mask="False" name="postgres" comment="" ro="False" src_range_start="0" src_range_end="0" dst_range_start="5432" dst_range_end="5432"/>
|
|
<TCPService id="id3AECF782" ack_flag="False" ack_flag_mask="False" fin_flag="False" fin_flag_mask="False" psh_flag="False" psh_flag_mask="False" rst_flag="False" rst_flag_mask="False" syn_flag="False" syn_flag_mask="False" urg_flag="False" urg_flag_mask="False" name="printer" comment="" ro="False" src_range_start="0" src_range_end="0" dst_range_start="515" dst_range_end="515"/>
|
|
<TCPService id="id3B4FEF7C" ack_flag="False" ack_flag_mask="False" fin_flag="False" fin_flag_mask="False" psh_flag="False" psh_flag_mask="False" rst_flag="False" rst_flag_mask="False" syn_flag="False" syn_flag_mask="False" urg_flag="False" urg_flag_mask="False" name="quake" comment="" ro="False" src_range_start="0" src_range_end="0" dst_range_start="26000" dst_range_end="26000"/>
|
|
<TCPService id="id3AECF77A" ack_flag="False" ack_flag_mask="False" fin_flag="False" fin_flag_mask="False" psh_flag="False" psh_flag_mask="False" rst_flag="False" rst_flag_mask="False" syn_flag="False" syn_flag_mask="False" urg_flag="False" urg_flag_mask="False" name="rexec" comment="BSD rexec: legacy protocol that sends user name and password in cleartext. Prefer ssh." ro="False" src_range_start="0" src_range_end="0" dst_range_start="512" dst_range_end="512"/>
|
|
<TCPService id="id3AECF77C" ack_flag="False" ack_flag_mask="False" fin_flag="False" fin_flag_mask="False" psh_flag="False" psh_flag_mask="False" rst_flag="False" rst_flag_mask="False" syn_flag="False" syn_flag_mask="False" urg_flag="False" urg_flag_mask="False" name="rlogin" comment="BSD rlogin: cleartext legacy protocol that authenticates by source host and user name (.rhosts), both easily spoofed. Avoid permitting it across trust boundaries; prefer ssh." ro="False" src_range_start="0" src_range_end="0" dst_range_start="513" dst_range_end="513"/>
|
|
<TCPService id="id3AECF77E" ack_flag="False" ack_flag_mask="False" fin_flag="False" fin_flag_mask="False" psh_flag="False" psh_flag_mask="False" rst_flag="False" rst_flag_mask="False" syn_flag="False" syn_flag_mask="False" urg_flag="False" urg_flag_mask="False" name="rshell" comment="BSD rsh: cleartext legacy protocol that relies on .rhosts host/user trust. Avoid permitting it across trust boundaries; prefer ssh." ro="False" src_range_start="0" src_range_end="0" dst_range_start="514" dst_range_end="514"/>
|
|
<TCPService id="id3D703C99" ack_flag="False" ack_flag_mask="False" fin_flag="False" fin_flag_mask="False" psh_flag="False" psh_flag_mask="False" rst_flag="False" rst_flag_mask="False" syn_flag="False" syn_flag_mask="False" urg_flag="False" urg_flag_mask="False" name="rtsp" comment="Real Time Streaming Protocol" ro="False" src_range_start="0" src_range_end="0" dst_range_start="554" dst_range_end="554"/>
|
|
<TCPService id="id3B4FEF34" ack_flag="False" ack_flag_mask="False" fin_flag="False" fin_flag_mask="False" psh_flag="False" psh_flag_mask="False" rst_flag="False" rst_flag_mask="False" syn_flag="False" syn_flag_mask="False" urg_flag="False" urg_flag_mask="False" name="rwhois" comment="" ro="False" src_range_start="0" src_range_end="0" dst_range_start="4321" dst_range_end="4321"/>
|
|
<TCPService id="id3D703C89" ack_flag="False" ack_flag_mask="False" fin_flag="False" fin_flag_mask="False" psh_flag="False" psh_flag_mask="False" rst_flag="False" rst_flag_mask="False" syn_flag="False" syn_flag_mask="False" urg_flag="False" urg_flag_mask="False" name="securidprop" comment="" ro="False" src_range_start="0" src_range_end="0" dst_range_start="5510" dst_range_end="5510"/>
|
|
<TCPService id="tcp-SMTP" ack_flag="False" ack_flag_mask="False" fin_flag="False" fin_flag_mask="False" psh_flag="False" psh_flag_mask="False" rst_flag="False" rst_flag_mask="False" syn_flag="False" syn_flag_mask="False" urg_flag="False" urg_flag_mask="False" name="smtp" comment="" ro="False" src_range_start="0" src_range_end="0" dst_range_start="25" dst_range_end="25"/>
|
|
<TCPService id="id3B4FF04C" ack_flag="False" ack_flag_mask="False" fin_flag="False" fin_flag_mask="False" psh_flag="False" psh_flag_mask="False" rst_flag="False" rst_flag_mask="False" syn_flag="False" syn_flag_mask="False" urg_flag="False" urg_flag_mask="False" name="smtps" comment="" ro="False" src_range_start="0" src_range_end="0" dst_range_start="465" dst_range_end="465"/>
|
|
<TCPService id="id3B4FEE76" ack_flag="False" ack_flag_mask="False" fin_flag="False" fin_flag_mask="False" psh_flag="False" psh_flag_mask="False" rst_flag="False" rst_flag_mask="False" syn_flag="False" syn_flag_mask="False" urg_flag="False" urg_flag_mask="False" name="socks" comment="" ro="False" src_range_start="0" src_range_end="0" dst_range_start="1080" dst_range_end="1080"/>
|
|
<TCPService id="id3D703C87" ack_flag="False" ack_flag_mask="False" fin_flag="False" fin_flag_mask="False" psh_flag="False" psh_flag_mask="False" rst_flag="False" rst_flag_mask="False" syn_flag="False" syn_flag_mask="False" urg_flag="False" urg_flag_mask="False" name="sqlnet1" comment="" ro="False" src_range_start="0" src_range_end="0" dst_range_start="1521" dst_range_end="1521"/>
|
|
<TCPService id="id3B4FF09A" ack_flag="False" ack_flag_mask="False" fin_flag="False" fin_flag_mask="False" psh_flag="False" psh_flag_mask="False" rst_flag="False" rst_flag_mask="False" syn_flag="False" syn_flag_mask="False" urg_flag="False" urg_flag_mask="False" name="squid" comment="" ro="False" src_range_start="0" src_range_end="0" dst_range_start="3128" dst_range_end="3128"/>
|
|
<TCPService id="tcp-SSH" ack_flag="False" ack_flag_mask="False" fin_flag="False" fin_flag_mask="False" psh_flag="False" psh_flag_mask="False" rst_flag="False" rst_flag_mask="False" syn_flag="False" syn_flag_mask="False" urg_flag="False" urg_flag_mask="False" name="ssh" comment="" ro="False" src_range_start="0" src_range_end="0" dst_range_start="22" dst_range_end="22"/>
|
|
<TCPService id="id3AEDBE00" ack_flag="False" ack_flag_mask="False" fin_flag="False" fin_flag_mask="False" psh_flag="False" psh_flag_mask="False" rst_flag="False" rst_flag_mask="False" syn_flag="False" syn_flag_mask="False" urg_flag="False" urg_flag_mask="False" name="sunrpc" comment="" ro="False" src_range_start="0" src_range_end="0" dst_range_start="111" dst_range_end="111"/>
|
|
<TCPService id="tcp-TCP-SYN" ack_flag="False" ack_flag_mask="True" fin_flag="False" fin_flag_mask="True" psh_flag="False" psh_flag_mask="True" rst_flag="False" rst_flag_mask="True" syn_flag="True" syn_flag_mask="True" urg_flag="False" urg_flag_mask="True" name="tcp-syn" comment="Matches TCP packets with only the SYN flag set: all six flags are masked, SYN must be set and ACK, FIN, PSH, RST and URG must be clear, i.e. the first segment of a connection attempt. Useful for rules that should apply only to new connections on platforms without connection tracking." ro="False" src_range_start="0" src_range_end="0" dst_range_start="0" dst_range_end="0"/>
|
|
<TCPService id="tcp-Telnet" ack_flag="False" ack_flag_mask="False" fin_flag="False" fin_flag_mask="False" psh_flag="False" psh_flag_mask="False" rst_flag="False" rst_flag_mask="False" syn_flag="False" syn_flag_mask="False" urg_flag="False" urg_flag_mask="False" name="telnet" comment="Cleartext: credentials and session contents are visible on the wire. Prefer ssh." ro="False" src_range_start="0" src_range_end="0" dst_range_start="23" dst_range_end="23"/>
|
|
<TCPService id="tcp-uucp" ack_flag="False" ack_flag_mask="False" fin_flag="False" fin_flag_mask="False" psh_flag="False" psh_flag_mask="False" rst_flag="False" rst_flag_mask="False" syn_flag="False" syn_flag_mask="False" urg_flag="False" urg_flag_mask="False" name="uucp" comment="" ro="False" src_range_start="0" src_range_end="0" dst_range_start="540" dst_range_end="540"/>
|
|
<TCPService id="id3CB131C6" ack_flag="False" ack_flag_mask="False" fin_flag="False" fin_flag_mask="False" psh_flag="False" psh_flag_mask="False" rst_flag="False" rst_flag_mask="False" syn_flag="False" syn_flag_mask="False" urg_flag="False" urg_flag_mask="False" name="winterm" comment="Windows Terminal Services" ro="False" src_range_start="0" src_range_end="0" dst_range_start="3389" dst_range_end="3389"/>
|
|
<TCPService id="id3B4FF1B8" ack_flag="False" ack_flag_mask="False" fin_flag="False" fin_flag_mask="False" psh_flag="False" psh_flag_mask="False" rst_flag="False" rst_flag_mask="False" syn_flag="False" syn_flag_mask="False" urg_flag="False" urg_flag_mask="False" name="xfs" comment="" ro="False" src_range_start="0" src_range_end="0" dst_range_start="7100" dst_range_end="7100"/>
|
|
<TCPService id="id3C685B2B" ack_flag="True" ack_flag_mask="True" fin_flag="True" fin_flag_mask="True" psh_flag="True" psh_flag_mask="True" rst_flag="True" rst_flag_mask="True" syn_flag="True" syn_flag_mask="True" urg_flag="True" urg_flag_mask="True" name="xmas scan - full" comment="This service object matches TCP packet with all six flags set." ro="False" src_range_start="0" src_range_end="0" dst_range_start="0" dst_range_end="0"/>
|
|
<TCPService id="id4127E949" ack_flag="False" ack_flag_mask="True" fin_flag="True" fin_flag_mask="True" psh_flag="True" psh_flag_mask="True" rst_flag="False" rst_flag_mask="True" syn_flag="False" syn_flag_mask="True" urg_flag="True" urg_flag_mask="True" name="xmas scan" comment="This service object matches TCP packet with flags FIN, PSH and URG set and other flags cleared. This is a "christmas scan" as defined in snort rules. Nmap can generate this scan, too." ro="False" src_range_start="0" src_range_end="0" dst_range_start="0" dst_range_end="0"/>
|
|
<TCPService id="id4127EA72" ack_flag="False" ack_flag_mask="False" fin_flag="False" fin_flag_mask="False" psh_flag="False" psh_flag_mask="False" rst_flag="False" rst_flag_mask="False" syn_flag="False" syn_flag_mask="False" urg_flag="False" urg_flag_mask="False" name="rsync" comment="" ro="False" src_range_start="0" src_range_end="0" dst_range_start="873" dst_range_end="873"/>
|
|
<TCPService id="id4127EBAC" ack_flag="False" ack_flag_mask="False" fin_flag="False" fin_flag_mask="False" psh_flag="False" psh_flag_mask="False" rst_flag="False" rst_flag_mask="False" syn_flag="False" syn_flag_mask="False" urg_flag="False" urg_flag_mask="False" name="distcc" comment="distributed compiler" ro="False" src_range_start="0" src_range_end="0" dst_range_start="3632" dst_range_end="3632"/>
|
|
<TCPService id="id4127ECF1" ack_flag="False" ack_flag_mask="False" fin_flag="False" fin_flag_mask="False" psh_flag="False" psh_flag_mask="False" rst_flag="False" rst_flag_mask="False" syn_flag="False" syn_flag_mask="False" urg_flag="False" urg_flag_mask="False" name="cvspserver" comment="CVS client/server operations" ro="False" src_range_start="0" src_range_end="0" dst_range_start="2401" dst_range_end="2401"/>
|
|
<TCPService id="id4127ECF2" ack_flag="False" ack_flag_mask="False" fin_flag="False" fin_flag_mask="False" psh_flag="False" psh_flag_mask="False" rst_flag="False" rst_flag_mask="False" syn_flag="False" syn_flag_mask="False" urg_flag="False" urg_flag_mask="False" name="cvsup" comment="CVSup file transfer/John Polstra/FreeBSD" ro="False" src_range_start="0" src_range_end="0" dst_range_start="5999" dst_range_end="5999"/>
|
|
<TCPService id="id4127ED5E" ack_flag="False" ack_flag_mask="False" fin_flag="False" fin_flag_mask="False" psh_flag="False" psh_flag_mask="False" rst_flag="False" rst_flag_mask="False" syn_flag="False" syn_flag_mask="False" urg_flag="False" urg_flag_mask="False" name="afp" comment="AFP (Apple file sharing) over TCP" ro="False" src_range_start="0" src_range_end="0" dst_range_start="548" dst_range_end="548"/>
|
|
<TCPService id="id4127EDF6" ack_flag="False" ack_flag_mask="False" fin_flag="False" fin_flag_mask="False" psh_flag="False" psh_flag_mask="False" rst_flag="False" rst_flag_mask="False" syn_flag="False" syn_flag_mask="False" urg_flag="False" urg_flag_mask="False" name="whois" comment="" ro="False" src_range_start="0" src_range_end="0" dst_range_start="43" dst_range_end="43"/>
|
|
<TCPService id="id4127F04F" ack_flag="False" ack_flag_mask="False" fin_flag="False" fin_flag_mask="False" psh_flag="False" psh_flag_mask="False" rst_flag="False" rst_flag_mask="False" syn_flag="False" syn_flag_mask="False" urg_flag="False" urg_flag_mask="False" name="bgp" comment="" ro="False" src_range_start="0" src_range_end="0" dst_range_start="179" dst_range_end="179"/>
|
|
<TCPService id="id4127F146" ack_flag="False" ack_flag_mask="False" fin_flag="False" fin_flag_mask="False" psh_flag="False" psh_flag_mask="False" rst_flag="False" rst_flag_mask="False" syn_flag="False" syn_flag_mask="False" urg_flag="False" urg_flag_mask="False" name="radius" comment="Radius protocol" ro="False" src_range_start="0" src_range_end="0" dst_range_start="1812" dst_range_end="1812"/>
|
|
<TCPService id="id4127F147" ack_flag="False" ack_flag_mask="False" fin_flag="False" fin_flag_mask="False" psh_flag="False" psh_flag_mask="False" rst_flag="False" rst_flag_mask="False" syn_flag="False" syn_flag_mask="False" urg_flag="False" urg_flag_mask="False" name="radius acct" comment="Radius Accounting" ro="False" src_range_start="0" src_range_end="0" dst_range_start="1813" dst_range_end="1813"/>
|
|
<TCPService id="id41291784" ack_flag="False" ack_flag_mask="False" fin_flag="False" fin_flag_mask="False" psh_flag="False" psh_flag_mask="False" rst_flag="False" rst_flag_mask="False" syn_flag="False" syn_flag_mask="False" urg_flag="False" urg_flag_mask="False" name="upnp" comment="" ro="False" src_range_start="0" src_range_end="0" dst_range_start="5000" dst_range_end="5000"/>
|
|
<TCPService id="id41291785" ack_flag="False" ack_flag_mask="False" fin_flag="False" fin_flag_mask="False" psh_flag="False" psh_flag_mask="False" rst_flag="False" rst_flag_mask="False" syn_flag="False" syn_flag_mask="False" urg_flag="False" urg_flag_mask="False" name="upnp-5431" comment="Although UPnP specification say it should use TCP port 5000, Linksys running Sveasoft firmware listens on port 5431" ro="False" src_range_start="0" src_range_end="0" dst_range_start="5431" dst_range_end="5431"/>
|
|
<TCPService id="id41291787" ack_flag="False" ack_flag_mask="False" fin_flag="False" fin_flag_mask="False" psh_flag="False" psh_flag_mask="False" rst_flag="False" rst_flag_mask="False" syn_flag="False" syn_flag_mask="False" urg_flag="False" urg_flag_mask="False" name="vnc-java-0" comment="Java VNC viewer, display 0" ro="False" src_range_start="0" src_range_end="0" dst_range_start="5800" dst_range_end="5800"/>
|
|
<TCPService id="id41291788" ack_flag="False" ack_flag_mask="False" fin_flag="False" fin_flag_mask="False" psh_flag="False" psh_flag_mask="False" rst_flag="False" rst_flag_mask="False" syn_flag="False" syn_flag_mask="False" urg_flag="False" urg_flag_mask="False" name="vnc-0" comment="Regular VNC viewer, display 0" ro="False" src_range_start="0" src_range_end="0" dst_range_start="5900" dst_range_end="5900"/>
|
|
<TCPService id="id41291887" ack_flag="False" ack_flag_mask="False" fin_flag="False" fin_flag_mask="False" psh_flag="False" psh_flag_mask="False" rst_flag="False" rst_flag_mask="False" syn_flag="False" syn_flag_mask="False" urg_flag="False" urg_flag_mask="False" name="vnc-java-1" comment="Java VNC viewer, display 1" ro="False" src_range_start="0" src_range_end="0" dst_range_start="5801" dst_range_end="5801"/>
|
|
<TCPService id="id41291888" ack_flag="False" ack_flag_mask="False" fin_flag="False" fin_flag_mask="False" psh_flag="False" psh_flag_mask="False" rst_flag="False" rst_flag_mask="False" syn_flag="False" syn_flag_mask="False" urg_flag="False" urg_flag_mask="False" name="vnc-1" comment="Regular VNC viewer, display 1" ro="False" src_range_start="0" src_range_end="0" dst_range_start="5901" dst_range_end="5901"/>
|
|
<TCPService id="id463FE5FE11008" ack_flag="False" ack_flag_mask="False" established="True" fin_flag="False" fin_flag_mask="False" psh_flag="False" psh_flag_mask="False" rst_flag="False" rst_flag_mask="False" syn_flag="False" syn_flag_mask="False" urg_flag="False" urg_flag_mask="False" name="All TCP established" comment="Some firewall platforms can match TCP packets with flags ACK or RST set; the option is usually called &quot;established&quot;. Note that you can use this object only in the policy rules of the firewall that supports this option. This is a flag check, not connection tracking: any host can send a packet with ACK set, so a rule permitting this object does not restrict traffic to replies of connections the firewall has actually seen; prefer real state tracking (conntrack / keep state) where the platform offers it. If you need to match reply packets for a specific TCP service and wish to use option &quot;established&quot;, make a copy of this object and set source port range to match the service. " ro="False" src_range_start="0" src_range_end="0" dst_range_start="0" dst_range_end="0"/>
|
|
</ServiceGroup>
|
|
<ServiceGroup id="stdid08" name="UDP" comment="" ro="False">
|
|
<UDPService id="udp-ALL_UDP_Masqueraded" name="ALL UDP Masqueraded" comment="ipchains (Linux 2.2) rewrote the source port of masqueraded packets into this range. netfilter/iptables NAT does not use a fixed port range, so this object is only meaningful for legacy ipchains hosts; it matches on source port alone, which any sender can choose." ro="False" src_range_start="61000" src_range_end="65095" dst_range_start="0" dst_range_end="0"/>
|
|
<UDPService id="udp-All_UDP" name="All UDP" comment="" ro="False" src_range_start="0" src_range_end="0" dst_range_start="0" dst_range_end="0"/>
|
|
<UDPService id="id3D703C96" name="ICQ" comment="" ro="False" src_range_start="0" src_range_end="0" dst_range_start="4000" dst_range_end="4000"/>
|
|
<UDPService id="id3CB129D2" name="IKE" comment="" ro="False" src_range_start="0" src_range_end="0" dst_range_start="500" dst_range_end="500"/>
|
|
<UDPService id="id3CB131CA" name="PCAnywhere-status" comment="status channel for PCAnywhere v7.52 and later" ro="False" src_range_start="0" src_range_end="0" dst_range_start="5632" dst_range_end="5632"/>
|
|
<UDPService id="id3AED0D6B" name="RIP" comment="routing protocol RIP" ro="False" src_range_start="0" src_range_end="0" dst_range_start="520" dst_range_end="520"/>
|
|
<UDPService id="id3D703C8C" name="Radius" comment="Legacy RADIUS authentication port. Early RADIUS deployments used UDP 1645, which conflicts with the datametrics service; RFC 2865 assigns UDP 1812 (accounting: 1813), which current servers use by default." ro="False" src_range_start="0" src_range_end="0" dst_range_start="1645" dst_range_end="1645"/>
|
|
<UDPService id="id3D703C85" name="UDP high ports" comment="" ro="False" src_range_start="0" src_range_end="0" dst_range_start="1024" dst_range_end="65535"/>
|
|
<UDPService id="id3D703C86" name="Who" comment="" ro="False" src_range_start="0" src_range_end="0" dst_range_start="513" dst_range_end="513"/>
|
|
<UDPService id="id3B4FEDA1" name="afs" comment="" ro="False" src_range_start="0" src_range_end="0" dst_range_start="7000" dst_range_end="7009"/>
|
|
<UDPService id="udp-bootpc" name="bootpc" comment="" ro="False" src_range_start="0" src_range_end="0" dst_range_start="68" dst_range_end="68"/>
|
|
<UDPService id="udp-bootps" name="bootps" comment="" ro="False" src_range_start="0" src_range_end="0" dst_range_start="67" dst_range_end="67"/>
|
|
<UDPService id="id3AEDBE70" name="daytime" comment="" ro="False" src_range_start="0" src_range_end="0" dst_range_start="13" dst_range_end="13"/>
|
|
<UDPService id="udp-DNS" name="domain" comment="" ro="False" src_range_start="0" src_range_end="0" dst_range_start="53" dst_range_end="53"/>
|
|
<UDPService id="id3D703C8A" name="interphone" comment="VocalTec Internet Phone" ro="False" src_range_start="0" src_range_end="0" dst_range_start="22555" dst_range_end="22555"/>
|
|
<UDPService id="id3B4FEDA5" name="kerberos" comment="" ro="False" src_range_start="0" src_range_end="0" dst_range_start="88" dst_range_end="88"/>
|
|
<UDPService id="id3B4FEDA9" name="kerberos-adm" comment="" ro="False" src_range_start="0" src_range_end="0" dst_range_start="749" dst_range_end="750"/>
|
|
<UDPService id="id3B4FEDA7" name="kpasswd" comment="" ro="False" src_range_start="0" src_range_end="0" dst_range_start="464" dst_range_end="464"/>
|
|
<UDPService id="id3B4FEDAB" name="krb524" comment="" ro="False" src_range_start="0" src_range_end="0" dst_range_start="4444" dst_range_end="4444"/>
|
|
<UDPService id="id3F865B0D" name="microsoft-rpc" comment="" ro="False" src_range_start="0" src_range_end="0" dst_range_start="135" dst_range_end="135"/>
|
|
<UDPService id="udp-netbios-dgm" name="netbios-dgm" comment="" ro="False" src_range_start="0" src_range_end="0" dst_range_start="138" dst_range_end="138"/>
|
|
<UDPService id="udp-netbios-ns" name="netbios-ns" comment="" ro="False" src_range_start="0" src_range_end="0" dst_range_start="137" dst_range_end="137"/>
|
|
<UDPService id="udp-netbios-ssn" name="netbios-ssn" comment="" ro="False" src_range_start="0" src_range_end="0" dst_range_start="139" dst_range_end="139"/>
|
|
<UDPService id="id3B4FEE78" name="nfs" comment="" ro="False" src_range_start="0" src_range_end="0" dst_range_start="2049" dst_range_end="2049"/>
|
|
<UDPService id="udp-ntp" name="ntp" comment="" ro="False" src_range_start="0" src_range_end="0" dst_range_start="123" dst_range_end="123"/>
|
|
<UDPService id="id3B4FEF7E" name="quake" comment="" ro="False" src_range_start="0" src_range_end="0" dst_range_start="26000" dst_range_end="26000"/>
|
|
<UDPService id="id3D703C88" name="secureid-udp" comment="" ro="False" src_range_start="0" src_range_end="0" dst_range_start="1024" dst_range_end="1024"/>
|
|
<UDPService id="udp-SNMP" name="snmp" comment="" ro="False" src_range_start="0" src_range_end="0" dst_range_start="161" dst_range_end="161"/>
|
|
<UDPService id="id3AED0D69" name="snmp-trap" comment="" ro="False" src_range_start="0" src_range_end="0" dst_range_start="162" dst_range_end="162"/>
|
|
<UDPService id="id3AEDBE19" name="sunrpc" comment="" ro="False" src_range_start="0" src_range_end="0" dst_range_start="111" dst_range_end="111"/>
|
|
<UDPService id="id3AECF780" name="syslog" comment="" ro="False" src_range_start="0" src_range_end="0" dst_range_start="514" dst_range_end="514"/>
|
|
<UDPService id="id3AED0D67" name="tftp" comment="Trivial FTP: no authentication and cleartext transfer. Typically used for PXE boot and network-device configuration; restrict it to the hosts that need it." ro="False" src_range_start="0" src_range_end="0" dst_range_start="69" dst_range_end="69"/>
|
|
<UDPService id="id3AED0D8C" name="traceroute" comment="" ro="False" src_range_start="0" src_range_end="0" dst_range_start="33434" dst_range_end="33524"/>
|
|
<UDPService id="id4127EA73" name="rsync" comment="" ro="False" src_range_start="0" src_range_end="0" dst_range_start="873" dst_range_end="873"/>
|
|
<UDPService id="id41291783" name="SSDP" comment="Simple Service Discovery Protocol (used for UPnP)" ro="False" src_range_start="0" src_range_end="0" dst_range_start="1900" dst_range_end="1900"/>
|
|
<UDPService id="id41291883" name="OpenVPN" comment="" ro="False" src_range_start="0" src_range_end="0" dst_range_start="1194" dst_range_end="1194"/>
|
|
</ServiceGroup>
|
|
<ServiceGroup id="stdid13" name="Custom" comment="" ro="False">
|
|
<CustomService id="id3B64EEA8" name="rpc" comment="Matches Sun RPC traffic via the record_rpc match. Works only in iptables and requires patch-o-matic (see http://www.netfilter.org/). record_rpc was not merged into the mainline kernel, so verify the module exists on the target before relying on this object." ro="False" protocol="any" address_family="ipv4">
|
|
<CustomServiceCommand platform="Undefined"></CustomServiceCommand>
|
|
<CustomServiceCommand platform="ipf"></CustomServiceCommand>
|
|
<CustomServiceCommand platform="ipfilter"></CustomServiceCommand>
|
|
<CustomServiceCommand platform="ipfw"></CustomServiceCommand>
|
|
<CustomServiceCommand platform="iptables">-m record_rpc</CustomServiceCommand>
|
|
<CustomServiceCommand platform="pf"></CustomServiceCommand>
|
|
<CustomServiceCommand platform="pix"></CustomServiceCommand>
|
|
<CustomServiceCommand platform="unknown"></CustomServiceCommand>
|
|
</CustomService>
|
|
<CustomService id="id3B64EF4E" name="irc-conn" comment="IRC connection tracker, supports DCC. Works only in iptables and requires patch-o-matic (see http://www.netfilter.org/). On current kernels the equivalent function is the nf_conntrack_irc helper used together with state matching, not a separate -m irc match; verify the module exists on the target before relying on this object." ro="False" protocol="any" address_family="ipv4">
|
|
<CustomServiceCommand platform="Undefined"></CustomServiceCommand>
|
|
<CustomServiceCommand platform="ipf"></CustomServiceCommand>
|
|
<CustomServiceCommand platform="ipfilter"></CustomServiceCommand>
|
|
<CustomServiceCommand platform="ipfw"></CustomServiceCommand>
|
|
<CustomServiceCommand platform="iptables">-m irc</CustomServiceCommand>
|
|
<CustomServiceCommand platform="pf"></CustomServiceCommand>
|
|
<CustomServiceCommand platform="pix"></CustomServiceCommand>
|
|
<CustomServiceCommand platform="unknown"></CustomServiceCommand>
|
|
</CustomService>
|
|
<CustomService id="id3B64EF50" name="psd" comment="Port scan detector (psd match), works only on iptables. Originally required patch-o-matic; it is now distributed with xtables-addons rather than the mainline kernel (see http://www.netfilter.org/). The command below uses a weight threshold of 5 and a delay threshold of 10000; tune these for the site, and be careful when using the match to block a source, since spoofed packets can make it fire for addresses that are not scanning." ro="False" protocol="any" address_family="ipv4">
|
|
<CustomServiceCommand platform="Undefined"></CustomServiceCommand>
|
|
<CustomServiceCommand platform="ipf"></CustomServiceCommand>
|
|
<CustomServiceCommand platform="ipfilter"></CustomServiceCommand>
|
|
<CustomServiceCommand platform="ipfw"></CustomServiceCommand>
|
|
<CustomServiceCommand platform="iptables">-m psd --psd-weight-threshold 5 --psd-delay-threshold 10000</CustomServiceCommand>
|
|
<CustomServiceCommand platform="pf"></CustomServiceCommand>
|
|
<CustomServiceCommand platform="pix"></CustomServiceCommand>
|
|
<CustomServiceCommand platform="unknown"></CustomServiceCommand>
|
|
</CustomService>
|
|
<CustomService id="id3B64EF52" name="string" comment="Matches a string in a whole packet, works in iptables and requires patch-o-matic. For more information look for patch-o-matic on http://www.netfilter.org/" ro="False" protocol="any" address_family="ipv4">
|
|
<CustomServiceCommand platform="Undefined"></CustomServiceCommand>
|
|
<CustomServiceCommand platform="ipf"></CustomServiceCommand>
|
|
<CustomServiceCommand platform="ipfilter"></CustomServiceCommand>
|
|
<CustomServiceCommand platform="ipfw"></CustomServiceCommand>
|
|
<CustomServiceCommand platform="iptables">-m string --string test_pattern</CustomServiceCommand>
|
|
<CustomServiceCommand platform="pf"></CustomServiceCommand>
|
|
<CustomServiceCommand platform="pix"></CustomServiceCommand>
|
|
<CustomServiceCommand platform="unknown"></CustomServiceCommand>
|
|
</CustomService>
|
|
<CustomService id="id3B64EF54" name="talk" comment="Talk protocol support. Works in iptables and requires patch-o-matic. For more information look for patch-o-matic on http://www.netfilter.org/" ro="False" protocol="any" address_family="ipv4">
|
|
<CustomServiceCommand platform="Undefined"></CustomServiceCommand>
|
|
<CustomServiceCommand platform="ipf"></CustomServiceCommand>
|
|
<CustomServiceCommand platform="ipfilter"></CustomServiceCommand>
|
|
<CustomServiceCommand platform="ipfw"></CustomServiceCommand>
|
|
<CustomServiceCommand platform="iptables">-m talk</CustomServiceCommand>
|
|
<CustomServiceCommand platform="pf"></CustomServiceCommand>
|
|
<CustomServiceCommand platform="pix"></CustomServiceCommand>
|
|
<CustomServiceCommand platform="unknown"></CustomServiceCommand>
|
|
</CustomService>
|
|
</ServiceGroup>
|
|
<ServiceGroup id="stdid19" name="TagServices" comment="" ro="False"/>
|
|
<ServiceGroup id="stdid20" name="UserServices" comment="" ro="False"/>
|
|
</ServiceGroup>
|
|
<ObjectGroup id="stdid12" name="Firewalls" comment="" ro="False"/>
|
|
<ObjectGroup id="stdid21" name="Clusters" comment="" ro="False"/>
|
|
<IntervalGroup id="stdid11" name="Time" comment="" ro="False">
|
|
<Interval id="int-workhours" days_of_week="1,2,3,4,5" from_day="-1" from_hour="9" from_minute="0" from_month="-1" from_weekday="1" from_year="-1" to_day="-1" to_hour="17" to_minute="0" to_month="-1" to_weekday="5" to_year="-1" name="workhours" comment="any day, 9:00am through 5:00pm" ro="False"/>
|
|
<Interval id="int-weekends" days_of_week="6,0" from_day="-1" from_hour="0" from_minute="0" from_month="-1" from_weekday="6" from_year="-1" to_day="-1" to_hour="23" to_minute="59" to_month="-1" to_weekday="0" to_year="-1" name="weekends" comment="weekends: Saturday 0:00 through Sunday 23:59 " ro="False"/>
|
|
<Interval id="int-afterhours" days_of_week="0,1,2,3,4,5,6" from_day="-1" from_hour="18" from_minute="0" from_month="-1" from_weekday="-1" from_year="-1" to_day="-1" to_hour="23" to_minute="59" to_month="-1" to_weekday="-1" to_year="-1" name="afterhours" comment="any day 6:00pm - 12:00am" ro="False"/>
|
|
<Interval id="id3C63479C" days_of_week="6" from_day="-1" from_hour="0" from_minute="0" from_month="-1" from_weekday="6" from_year="-1" to_day="-1" to_hour="23" to_minute="59" to_month="-1" to_weekday="6" to_year="-1" name="Sat" comment="" ro="False"/>
|
|
<Interval id="id3C63479E" days_of_week="0" from_day="-1" from_hour="0" from_minute="0" from_month="-1" from_weekday="0" from_year="-1" to_day="-1" to_hour="23" to_minute="59" to_month="-1" to_weekday="0" to_year="-1" name="Sun" comment="" ro="False"/>
|
|
</IntervalGroup>
|
|
</Library>
|
|
<Library id="sysid99" name="Deleted Objects" comment="" ro="False">
|
|
<StateSyncClusterGroup id="id3505X94039" type="conntrack" name="State Sync Group-1" comment="">
|
|
<ClusterGroupOptions/>
|
|
</StateSyncClusterGroup>
|
|
<FailoverClusterGroup id="id2719X89830" type="vrrp" name="cluster3:vrrp0:members" comment="">
|
|
<ClusterGroupOptions>
|
|
<Option name="vrrp_secret">vrrp_secret</Option>
|
|
<Option name="vrrp_vrid"></Option>
|
|
</ClusterGroupOptions>
|
|
</FailoverClusterGroup>
|
|
<StateSyncClusterGroup id="id2762X92940" type="conntrack" name="State Sync Group-1" comment="">
|
|
<ClusterGroupOptions/>
|
|
</StateSyncClusterGroup>
|
|
<StateSyncClusterGroup id="id2767X92969" type="conntrack" name="State Sync Group-2" comment="">
|
|
<ClusterGroupOptions/>
|
|
</StateSyncClusterGroup>
|
|
<StateSyncClusterGroup id="id2726X89830" type="conntrack" name="State sync group" comment="">
|
|
<ClusterGroupOptions/>
|
|
</StateSyncClusterGroup>
|
|
<Interface id="id10489X48869" dedicated_failover="False" dyn="False" label="" mgmt="False" security_level="0" unnum="False" unprotected="False" name="br0" comment="" ro="False">
|
|
<IPv4 id="id11790X48869" name="secuwall-1:br0:ip" comment="" ro="False" address="2.2.2.2" netmask="255.255.255.0"/>
|
|
<InterfaceOptions>
|
|
<Option name="iface_disablearp">False</Option>
|
|
<Option name="iface_disableboot">False</Option>
|
|
<Option name="iface_mtu">1500</Option>
|
|
<Option name="iface_options"></Option>
|
|
<Option name="type">bridge</Option>
|
|
<Option name="vlan_id"></Option>
|
|
</InterfaceOptions>
|
|
<Interface id="id10491X48869" dedicated_failover="False" dyn="False" label="" security_level="0" unnum="False" unprotected="False" name="eth2" comment="" ro="False">
|
|
<InterfaceOptions>
|
|
<Option name="iface_disablearp">False</Option>
|
|
<Option name="iface_disableboot">False</Option>
|
|
<Option name="iface_mtu">1500</Option>
|
|
<Option name="iface_options"></Option>
|
|
<Option name="type">ethernet</Option>
|
|
<Option name="vlan_id"></Option>
|
|
</InterfaceOptions>
|
|
</Interface>
|
|
<Interface id="id10493X48869" dedicated_failover="False" dyn="False" label="" security_level="0" unnum="False" unprotected="False" name="eth3" comment="" ro="False">
|
|
<InterfaceOptions/>
|
|
</Interface>
|
|
</Interface>
|
|
<Interface id="id5112X49120" dedicated_failover="False" dyn="False" security_level="0" unnum="False" unprotected="False" name="New Interface" comment="" ro="False">
|
|
<InterfaceOptions/>
|
|
</Interface>
|
|
<Interface id="id3209X42281" dedicated_failover="False" dyn="False" security_level="0" unnum="False" unprotected="False" name="carp2" comment="" ro="False">
|
|
<InterfaceOptions>
|
|
<Option name="carp_password">my_secret</Option>
|
|
<Option name="type">carp</Option>
|
|
</InterfaceOptions>
|
|
</Interface>
|
|
<Interface id="id3211X42281" dedicated_failover="False" dyn="False" security_level="0" unnum="False" unprotected="False" name="carp3" comment="" ro="False">
|
|
<InterfaceOptions>
|
|
<Option name="carp_password">my_secret</Option>
|
|
<Option name="type">carp</Option>
|
|
</InterfaceOptions>
|
|
</Interface>
|
|
<Interface id="id3203X35714" dedicated_failover="False" dyn="False" security_level="0" unnum="False" unprotected="False" name="vrrp0" comment="" ro="False">
|
|
<InterfaceOptions>
|
|
<Option name="type">vrrp</Option>
|
|
<Option name="vrrp_secret">my_secret</Option>
|
|
</InterfaceOptions>
|
|
</Interface>
|
|
<StateSyncClusterGroup id="id7981X81475" type="pfsync" name="pfsync group 2" comment="">
|
|
<ClusterGroupOptions/>
|
|
</StateSyncClusterGroup>
|
|
<Interface id="id2960X48869" dedicated_failover="False" dyn="False" label="" security_level="0" unnum="False" unprotected="False" name="vlan100" comment="" ro="False">
|
|
<IPv4 id="id3508X48869" name="eth1:vlan100:ip" comment="" ro="False" address="10.10.100.1" netmask="255.255.255.0"/>
|
|
<InterfaceOptions>
|
|
<Option name="iface_disablearp">False</Option>
|
|
<Option name="iface_disableboot">False</Option>
|
|
<Option name="iface_mtu">1500</Option>
|
|
<Option name="iface_options"></Option>
|
|
<Option name="type">8021q</Option>
|
|
<Option name="vlan_id">100</Option>
|
|
</InterfaceOptions>
|
|
</Interface>
|
|
<Interface id="id9262X48869" dedicated_failover="False" dyn="False" label="" security_level="0" unnum="False" unprotected="False" name="vlan101" comment="" ro="False">
|
|
<IPv4 id="id9264X48869" name="eth1:vlan101:ip" comment="" ro="False" address="10.10.101.1" netmask="255.255.255.0"/>
|
|
<InterfaceOptions>
|
|
<Option name="iface_disablearp">False</Option>
|
|
<Option name="iface_disableboot">False</Option>
|
|
<Option name="iface_mtu">1500</Option>
|
|
<Option name="iface_options"></Option>
|
|
<Option name="type">8021q</Option>
|
|
<Option name="vlan_id">101</Option>
|
|
</InterfaceOptions>
|
|
</Interface>
|
|
<Cluster id="id3631X95766" host_OS="openbsd" inactive="False" lastCompiled="1244758659" lastInstalled="0" lastModified="1244757366" platform="pf" name="pf_cluster_1" comment="" ro="False">
|
|
<NAT id="id3640X95766" name="NAT" comment="" ro="False" ipv4_rule_set="False" ipv6_rule_set="False" top_rule_set="True">
|
|
<NATRule id="id3162X39764" disabled="False" group="" position="0" action="Translate" comment="">
|
|
<OSrc neg="False">
|
|
<ObjectRef ref="id3DC75CE7-1"/>
|
|
</OSrc>
|
|
<ODst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ODst>
|
|
<OSrv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</OSrv>
|
|
<TSrc neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</TSrc>
|
|
<TDst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</TDst>
|
|
<TSrv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</TSrv>
|
|
<ItfInb neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ItfInb>
|
|
<ItfOutb neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ItfOutb>
|
|
<NATRuleOptions/>
|
|
</NATRule>
|
|
<NATRule id="id11381X39764" disabled="False" group="" position="1" action="Translate" comment="">
|
|
<OSrc neg="False">
|
|
<ObjectRef ref="id3DC75CE7-1"/>
|
|
</OSrc>
|
|
<ODst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ODst>
|
|
<OSrv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</OSrv>
|
|
<TSrc neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</TSrc>
|
|
<TDst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</TDst>
|
|
<TSrv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</TSrv>
|
|
<ItfInb neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ItfInb>
|
|
<ItfOutb neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ItfOutb>
|
|
<NATRuleOptions/>
|
|
</NATRule>
|
|
<NATRule id="id11397X39764" disabled="False" group="" position="2" action="Translate" comment="">
|
|
<OSrc neg="False">
|
|
<ObjectRef ref="id3DC75CE7-1"/>
|
|
</OSrc>
|
|
<ODst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ODst>
|
|
<OSrv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</OSrv>
|
|
<TSrc neg="False">
|
|
<ObjectRef ref="id11417X39764"/>
|
|
</TSrc>
|
|
<TDst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</TDst>
|
|
<TSrv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</TSrv>
|
|
<ItfInb neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ItfInb>
|
|
<ItfOutb neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ItfOutb>
|
|
<NATRuleOptions/>
|
|
</NATRule>
|
|
<NATRule id="id15078X39764" disabled="False" group="" position="3" action="Translate" comment="">
|
|
<OSrc neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</OSrc>
|
|
<ODst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ODst>
|
|
<OSrv neg="False">
|
|
<ServiceRef ref="tcp-HTTP"/>
|
|
</OSrv>
|
|
<TSrc neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</TSrc>
|
|
<TDst neg="False">
|
|
<ObjectRef ref="id15840X39764"/>
|
|
</TDst>
|
|
<TSrv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</TSrv>
|
|
<ItfInb neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ItfInb>
|
|
<ItfOutb neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ItfOutb>
|
|
<NATRuleOptions/>
|
|
</NATRule>
|
|
<NATRule id="id16591X39764" disabled="False" group="" position="4" action="Translate" comment="">
|
|
<OSrc neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</OSrc>
|
|
<ODst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ODst>
|
|
<OSrv neg="False">
|
|
<ServiceRef ref="tcp-HTTP"/>
|
|
</OSrv>
|
|
<TSrc neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</TSrc>
|
|
<TDst neg="False">
|
|
<ObjectRef ref="id15840X39764"/>
|
|
</TDst>
|
|
<TSrv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</TSrv>
|
|
<ItfInb neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ItfInb>
|
|
<ItfOutb neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ItfOutb>
|
|
<NATRuleOptions/>
|
|
</NATRule>
|
|
<NATRule id="id16611X39764" disabled="False" group="" position="5" action="Translate" comment="">
|
|
<OSrc neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</OSrc>
|
|
<ODst neg="False">
|
|
<ObjectRef ref="id11417X39764"/>
|
|
</ODst>
|
|
<OSrv neg="False">
|
|
<ServiceRef ref="tcp-HTTP"/>
|
|
</OSrv>
|
|
<TSrc neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</TSrc>
|
|
<TDst neg="False">
|
|
<ObjectRef ref="id15840X39764"/>
|
|
</TDst>
|
|
<TSrv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</TSrv>
|
|
<ItfInb neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ItfInb>
|
|
<ItfOutb neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ItfOutb>
|
|
<NATRuleOptions/>
|
|
</NATRule>
|
|
<RuleSetOptions/>
|
|
</NAT>
|
|
<Policy id="id3639X95766" name="Policy" comment="" ro="False" ipv4_rule_set="False" ipv6_rule_set="False" top_rule_set="True">
|
|
<PolicyRule id="id5954X26920" disabled="False" group="" log="False" position="0" action="Accept" direction="Both" comment="">
|
|
<Src neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="pf_classify_str"></Option>
|
|
<Option name="stateless">False</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<PolicyRule id="id7136X39764" disabled="False" group="" log="False" position="1" action="Accept" direction="Both" comment="">
|
|
<Src neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="pf_classify_str"></Option>
|
|
<Option name="stateless">False</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<PolicyRule id="id7162X39764" disabled="False" group="" log="False" position="2" action="Accept" direction="Both" comment="">
|
|
<Src neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="pf_classify_str"></Option>
|
|
<Option name="stateless">False</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<PolicyRule id="id7149X39764" disabled="False" group="" log="False" position="3" action="Accept" direction="Inbound" comment="">
|
|
<Src neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="pf_classify_str"></Option>
|
|
<Option name="stateless">False</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<PolicyRule id="id5942X26920" disabled="False" group="" log="True" position="4" action="Deny" direction="Both" comment="">
|
|
<Src neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="pf_classify_str"></Option>
|
|
<Option name="stateless">True</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<RuleSetOptions/>
|
|
</Policy>
|
|
<Routing id="id3641X95766" name="Routing" comment="" ro="False" ipv4_rule_set="False" ipv6_rule_set="False" top_rule_set="True">
|
|
<RuleSetOptions/>
|
|
</Routing>
|
|
<Interface id="id3642X95766" dedicated_failover="False" dyn="False" label="pf_cluster_1 carp0" mgmt="False" security_level="0" unnum="False" unprotected="False" name="carp0" comment="" ro="False">
|
|
<IPv4 id="id3647X95766" name="pf_cluster_1:carp0:ip" comment="" ro="False" address="172.24.0.1" netmask="255.255.255.0"/>
|
|
<IPv4 id="id16633X39764" name="pf_cluster_1:carp0:ip-1" comment="" ro="False" address="172.24.0.1" netmask="255.255.255.0"/>
|
|
<InterfaceOptions>
|
|
<Option name="iface_mtu">1500</Option>
|
|
<Option name="type">carp</Option>
|
|
</InterfaceOptions>
|
|
<FailoverClusterGroup id="id3649X95766" master_iface="id2833X26920" type="carp" name="carp0:members" comment="">
|
|
<ClusterGroupOptions>
|
|
<Option name="carp_advbase">1</Option>
|
|
<Option name="carp_default_advskew">0</Option>
|
|
<Option name="carp_master_advskew">0</Option>
|
|
<Option name="carp_password">secret</Option>
|
|
<Option name="carp_vhid">101</Option>
|
|
</ClusterGroupOptions>
|
|
</FailoverClusterGroup>
|
|
</Interface>
|
|
<Interface id="id3651X95766" dedicated_failover="False" dyn="False" label="pf_cluster_1 carp1" mgmt="False" security_level="0" unnum="False" unprotected="False" name="carp1" comment="" ro="False">
|
|
<IPv4 id="id3656X95766" name="pf_cluster_1:carp1:ip" comment="" ro="False" address="192.168.1.1" netmask="255.255.255.0"/>
|
|
<InterfaceOptions>
|
|
<Option name="iface_mtu">1500</Option>
|
|
<Option name="type">carp</Option>
|
|
</InterfaceOptions>
|
|
<FailoverClusterGroup id="id3658X95766" master_iface="id2835X26920" type="carp" name="carp1:members" comment="">
|
|
<ClusterGroupOptions>
|
|
<Option name="carp_password">secret</Option>
|
|
<Option name="carp_vhid">100</Option>
|
|
</ClusterGroupOptions>
|
|
</FailoverClusterGroup>
|
|
</Interface>
|
|
<FirewallOptions/>
|
|
<StateSyncClusterGroup id="id3661X95766" master_iface="id2833X26920" type="pfsync" name="pfsync group" comment="">
|
|
<ClusterGroupOptions>
|
|
<Option name="syncpeer">True</Option>
|
|
</ClusterGroupOptions>
|
|
</StateSyncClusterGroup>
|
|
</Cluster>
|
|
<Firewall id="id2827X26920" host_OS="openbsd" inactive="False" lastCompiled="0" lastInstalled="0" lastModified="1244783399" platform="pf" version="4.x" name="openbsd-1" comment="" ro="False">
|
|
<NAT id="id2831X26920" name="NAT" comment="" ro="False" ipv4_rule_set="False" ipv6_rule_set="False" top_rule_set="True">
|
|
<RuleSetOptions/>
|
|
</NAT>
|
|
<Policy id="id2830X26920" name="Policy" comment="" ro="False" ipv4_rule_set="False" ipv6_rule_set="False" top_rule_set="True">
|
|
<RuleSetOptions/>
|
|
</Policy>
|
|
<Routing id="id2832X26920" name="Routing" comment="" ro="False" ipv4_rule_set="False" ipv6_rule_set="False" top_rule_set="True">
|
|
<RuleSetOptions/>
|
|
</Routing>
|
|
<Interface id="id2833X26920" dedicated_failover="False" dyn="False" label="" security_level="0" unnum="False" unprotected="False" name="en0" comment="" ro="False">
|
|
<IPv4 id="id2834X26920" name="openbsd-1:en0:ip" comment="" ro="False" address="172.24.0.2" netmask="255.255.255.0"/>
|
|
<InterfaceOptions/>
|
|
<Interface id="id3234X10904" dedicated_failover="False" dyn="False" label="" security_level="0" unnum="False" unprotected="False" name="vlan0" comment="" ro="False">
|
|
<InterfaceOptions>
|
|
<Option name="type">8021q</Option>
|
|
<Option name="vlan_id">100</Option>
|
|
</InterfaceOptions>
|
|
</Interface>
|
|
</Interface>
|
|
<Interface id="id2835X26920" dedicated_failover="False" dyn="False" label="" security_level="100" unnum="False" unprotected="False" name="en1" comment="" ro="False">
|
|
<IPv4 id="id2836X26920" name="openbsd-1:en1:ip" comment="" ro="False" address="192.168.1.2" netmask="255.255.255.0"/>
|
|
<InterfaceOptions/>
|
|
</Interface>
|
|
<Management address="0.0.0.0">
|
|
<SNMPManagement enabled="False" snmp_read_community="" snmp_write_community=""/>
|
|
<FWBDManagement enabled="False" identity="" port="-1"/>
|
|
<PolicyInstallScript arguments="" command="" enabled="False"/>
|
|
</Management>
|
|
<FirewallOptions>
|
|
<Option name="accept_new_tcp_with_no_syn">False</Option>
|
|
<Option name="activationCmd"></Option>
|
|
<Option name="admUser"></Option>
|
|
<Option name="altAddress"></Option>
|
|
<Option name="check_shading">False</Option>
|
|
<Option name="cmdline"></Option>
|
|
<Option name="compiler"></Option>
|
|
<Option name="configure_carp_interfaces">True</Option>
|
|
<Option name="configure_interfaces">True</Option>
|
|
<Option name="configure_pfsync_interfaces">True</Option>
|
|
<Option name="configure_vlan_interfaces">True</Option>
|
|
<Option name="debug">False</Option>
|
|
<Option name="epilog_script"></Option>
|
|
<Option name="fallback_log">False</Option>
|
|
<Option name="firewall_dir">/etc</Option>
|
|
<Option name="ignore_empty_groups">False</Option>
|
|
<Option name="in_out_code">true</Option>
|
|
<Option name="ipv4_6_order">ipv4_first</Option>
|
|
<Option name="log_prefix">RULE %N -- %A </Option>
|
|
<Option name="loopback_interface">lo0</Option>
|
|
<Option name="manage_virtual_addr">True</Option>
|
|
<Option name="mgmt_addr"></Option>
|
|
<Option name="mgmt_ssh">False</Option>
|
|
<Option name="modulate_state">False</Option>
|
|
<Option name="openbsd_ip_forward">1</Option>
|
|
<Option name="output_file"></Option>
|
|
<Option name="pass_all_out">false</Option>
|
|
<Option name="pf_adaptive_end">0</Option>
|
|
<Option name="pf_adaptive_start">0</Option>
|
|
<Option name="pf_do_limit_frags">False</Option>
|
|
<Option name="pf_do_limit_src_nodes">False</Option>
|
|
<Option name="pf_do_limit_states">False</Option>
|
|
<Option name="pf_do_limit_table_entries">False</Option>
|
|
<Option name="pf_do_limit_tables">False</Option>
|
|
<Option name="pf_do_scrub">False</Option>
|
|
<Option name="pf_do_timeout_frag">False</Option>
|
|
<Option name="pf_do_timeout_interval">False</Option>
|
|
<Option name="pf_flush_states">False</Option>
|
|
<Option name="pf_icmp_error">0</Option>
|
|
<Option name="pf_icmp_first">0</Option>
|
|
<Option name="pf_limit_frags">5000</Option>
|
|
<Option name="pf_limit_src_nodes">0</Option>
|
|
<Option name="pf_limit_states">10000</Option>
|
|
<Option name="pf_limit_table_entries">0</Option>
|
|
<Option name="pf_limit_tables">0</Option>
|
|
<Option name="pf_optimization"></Option>
|
|
<Option name="pf_other_first">0</Option>
|
|
<Option name="pf_other_multiple">0</Option>
|
|
<Option name="pf_other_single">0</Option>
|
|
<Option name="pf_scrub_fragm_crop">False</Option>
|
|
<Option name="pf_scrub_fragm_drop_ovl">False</Option>
|
|
<Option name="pf_scrub_maxmss">1460</Option>
|
|
<Option name="pf_scrub_minttl">0</Option>
|
|
<Option name="pf_scrub_no_df">False</Option>
|
|
<Option name="pf_scrub_random_id">False</Option>
|
|
<Option name="pf_scrub_reassemble">True</Option>
|
|
<Option name="pf_scrub_use_maxmss">False</Option>
|
|
<Option name="pf_scrub_use_minttl">False</Option>
|
|
<Option name="pf_set_adaptive">False</Option>
|
|
<Option name="pf_set_icmp_error">False</Option>
|
|
<Option name="pf_set_icmp_first">False</Option>
|
|
<Option name="pf_set_other_first">False</Option>
|
|
<Option name="pf_set_other_multiple">False</Option>
|
|
<Option name="pf_set_other_single">False</Option>
|
|
<Option name="pf_set_tcp_closed">False</Option>
|
|
<Option name="pf_set_tcp_closing">False</Option>
|
|
<Option name="pf_set_tcp_established">False</Option>
|
|
<Option name="pf_set_tcp_finwait">False</Option>
|
|
<Option name="pf_set_tcp_first">False</Option>
|
|
<Option name="pf_set_tcp_opening">False</Option>
|
|
<Option name="pf_set_udp_first">False</Option>
|
|
<Option name="pf_set_udp_multiple">False</Option>
|
|
<Option name="pf_set_udp_single">False</Option>
|
|
<Option name="pf_tcp_closed">0</Option>
|
|
<Option name="pf_tcp_closing">0</Option>
|
|
<Option name="pf_tcp_established">0</Option>
|
|
<Option name="pf_tcp_finwait">0</Option>
|
|
<Option name="pf_tcp_first">0</Option>
|
|
<Option name="pf_tcp_opening">0</Option>
|
|
<Option name="pf_timeout_frag">30</Option>
|
|
<Option name="pf_timeout_interval">10</Option>
|
|
<Option name="pf_udp_first">0</Option>
|
|
<Option name="pf_udp_multiple">0</Option>
|
|
<Option name="pf_udp_single">0</Option>
|
|
<Option name="prolog_place">fw_file</Option>
|
|
<Option name="prolog_script"></Option>
|
|
<Option name="scpArgs"></Option>
|
|
<Option name="sshArgs"></Option>
|
|
</FirewallOptions>
|
|
</Firewall>
|
|
<Firewall id="id3337X26920" host_OS="openbsd" inactive="False" lastCompiled="0" lastInstalled="0" lastModified="1244783399" platform="pf" version="4.x" name="openbsd-2" comment="" ro="False">
|
|
<NAT id="id3344X26920" name="NAT" comment="" ro="False" ipv4_rule_set="False" ipv6_rule_set="False" top_rule_set="True">
|
|
<RuleSetOptions/>
|
|
</NAT>
|
|
<Policy id="id3343X26920" name="Policy" comment="" ro="False" ipv4_rule_set="False" ipv6_rule_set="False" top_rule_set="True">
|
|
<RuleSetOptions/>
|
|
</Policy>
|
|
<Routing id="id3345X26920" name="Routing" comment="" ro="False" ipv4_rule_set="False" ipv6_rule_set="False" top_rule_set="True">
|
|
<RuleSetOptions/>
|
|
</Routing>
|
|
<Interface id="id3346X26920" dedicated_failover="False" dyn="False" label="" security_level="0" unnum="False" unprotected="False" name="en0" comment="" ro="False">
|
|
<IPv4 id="id3348X26920" name="openbsd-2:en0:ip" comment="" ro="False" address="172.24.0.3" netmask="255.255.255.0"/>
|
|
<InterfaceOptions/>
|
|
</Interface>
|
|
<Interface id="id3349X26920" dedicated_failover="False" dyn="False" label="" security_level="100" unnum="False" unprotected="False" name="en1" comment="" ro="False">
|
|
<IPv4 id="id3351X26920" name="openbsd-2:en1:ip" comment="" ro="False" address="192.168.1.3" netmask="255.255.255.0"/>
|
|
<InterfaceOptions/>
|
|
</Interface>
|
|
<Management address="0.0.0.0">
|
|
<SNMPManagement enabled="False" snmp_read_community="" snmp_write_community=""/>
|
|
<FWBDManagement enabled="False" identity="" port="-1"/>
|
|
<PolicyInstallScript arguments="" command="" enabled="False"/>
|
|
</Management>
|
|
<FirewallOptions>
|
|
<Option name="accept_new_tcp_with_no_syn">False</Option>
|
|
<Option name="activationCmd"></Option>
|
|
<Option name="admUser"></Option>
|
|
<Option name="altAddress"></Option>
|
|
<Option name="check_shading">False</Option>
|
|
<Option name="cmdline"></Option>
|
|
<Option name="compiler"></Option>
|
|
<Option name="configure_carp_interfaces">True</Option>
|
|
<Option name="configure_interfaces">True</Option>
|
|
<Option name="configure_pfsync_interfaces">False</Option>
|
|
<Option name="configure_vlan_interfaces">False</Option>
|
|
<Option name="debug">False</Option>
|
|
<Option name="epilog_script"></Option>
|
|
<Option name="fallback_log">False</Option>
|
|
<Option name="firewall_dir">/etc</Option>
|
|
<Option name="ignore_empty_groups">False</Option>
|
|
<Option name="in_out_code">true</Option>
|
|
<Option name="ipv4_6_order">ipv4_first</Option>
|
|
<Option name="log_prefix">RULE %N -- %A </Option>
|
|
<Option name="loopback_interface">lo0</Option>
|
|
<Option name="manage_virtual_addr">True</Option>
|
|
<Option name="mgmt_addr"></Option>
|
|
<Option name="mgmt_ssh">False</Option>
|
|
<Option name="modulate_state">False</Option>
|
|
<Option name="openbsd_ip_forward">1</Option>
|
|
<Option name="output_file"></Option>
|
|
<Option name="pass_all_out">false</Option>
|
|
<Option name="pf_adaptive_end">0</Option>
|
|
<Option name="pf_adaptive_start">0</Option>
|
|
<Option name="pf_do_limit_frags">False</Option>
|
|
<Option name="pf_do_limit_src_nodes">False</Option>
|
|
<Option name="pf_do_limit_states">False</Option>
|
|
<Option name="pf_do_limit_table_entries">False</Option>
|
|
<Option name="pf_do_limit_tables">False</Option>
|
|
<Option name="pf_do_scrub">False</Option>
|
|
<Option name="pf_do_timeout_frag">False</Option>
|
|
<Option name="pf_do_timeout_interval">False</Option>
|
|
<Option name="pf_flush_states">False</Option>
|
|
<Option name="pf_icmp_error">0</Option>
|
|
<Option name="pf_icmp_first">0</Option>
|
|
<Option name="pf_limit_frags">5000</Option>
|
|
<Option name="pf_limit_src_nodes">0</Option>
|
|
<Option name="pf_limit_states">10000</Option>
|
|
<Option name="pf_limit_table_entries">0</Option>
|
|
<Option name="pf_limit_tables">0</Option>
|
|
<Option name="pf_optimization"></Option>
|
|
<Option name="pf_other_first">0</Option>
|
|
<Option name="pf_other_multiple">0</Option>
|
|
<Option name="pf_other_single">0</Option>
|
|
<Option name="pf_scrub_fragm_crop">False</Option>
|
|
<Option name="pf_scrub_fragm_drop_ovl">False</Option>
|
|
<Option name="pf_scrub_maxmss">1460</Option>
|
|
<Option name="pf_scrub_minttl">0</Option>
|
|
<Option name="pf_scrub_no_df">False</Option>
|
|
<Option name="pf_scrub_random_id">False</Option>
|
|
<Option name="pf_scrub_reassemble">True</Option>
|
|
<Option name="pf_scrub_use_maxmss">False</Option>
|
|
<Option name="pf_scrub_use_minttl">False</Option>
|
|
<Option name="pf_set_adaptive">False</Option>
|
|
<Option name="pf_set_icmp_error">False</Option>
|
|
<Option name="pf_set_icmp_first">False</Option>
|
|
<Option name="pf_set_other_first">False</Option>
|
|
<Option name="pf_set_other_multiple">False</Option>
|
|
<Option name="pf_set_other_single">False</Option>
|
|
<Option name="pf_set_tcp_closed">False</Option>
|
|
<Option name="pf_set_tcp_closing">False</Option>
|
|
<Option name="pf_set_tcp_established">False</Option>
|
|
<Option name="pf_set_tcp_finwait">False</Option>
|
|
<Option name="pf_set_tcp_first">False</Option>
|
|
<Option name="pf_set_tcp_opening">False</Option>
|
|
<Option name="pf_set_udp_first">False</Option>
|
|
<Option name="pf_set_udp_multiple">False</Option>
|
|
<Option name="pf_set_udp_single">False</Option>
|
|
<Option name="pf_tcp_closed">0</Option>
|
|
<Option name="pf_tcp_closing">0</Option>
|
|
<Option name="pf_tcp_established">0</Option>
|
|
<Option name="pf_tcp_finwait">0</Option>
|
|
<Option name="pf_tcp_first">0</Option>
|
|
<Option name="pf_tcp_opening">0</Option>
|
|
<Option name="pf_timeout_frag">30</Option>
|
|
<Option name="pf_timeout_interval">10</Option>
|
|
<Option name="pf_udp_first">0</Option>
|
|
<Option name="pf_udp_multiple">0</Option>
|
|
<Option name="pf_udp_single">0</Option>
|
|
<Option name="prolog_place">fw_file</Option>
|
|
<Option name="prolog_script"></Option>
|
|
<Option name="scpArgs"></Option>
|
|
<Option name="sshArgs"></Option>
|
|
</FirewallOptions>
|
|
</Firewall>
|
|
<Cluster id="id3867X13237" host_OS="linux24" lastCompiled="0" lastInstalled="0" lastModified="0" platform="iptables" name="vrrp_cluster_2" comment="" ro="False">
|
|
<NAT id="id3871X13237" name="NAT" comment="" ro="False" ipv4_rule_set="False" ipv6_rule_set="False" top_rule_set="True">
|
|
<RuleSetOptions/>
|
|
</NAT>
|
|
<Policy id="id3870X13237" name="Policy" comment="" ro="False" ipv4_rule_set="False" ipv6_rule_set="False" top_rule_set="True">
|
|
<RuleSetOptions/>
|
|
</Policy>
|
|
<Routing id="id3872X13237" name="Routing" comment="" ro="False" ipv4_rule_set="False" ipv6_rule_set="False" top_rule_set="True">
|
|
<RuleSetOptions/>
|
|
</Routing>
|
|
<Interface id="id3875X13237" dedicated_failover="False" dyn="False" label="" security_level="0" unnum="False" unprotected="False" name="vrrp0" comment="" ro="False">
|
|
<IPv4 id="id3876X13237" name="vrrp_cluster_2:vrrp0:ip" comment="" ro="False" address="1.1.1.1" netmask="255.255.255.0"/>
|
|
<InterfaceOptions>
|
|
<Option name="type">vrrp</Option>
|
|
</InterfaceOptions>
|
|
<FailoverClusterGroup id="id3878X13237" type="vrrp" name="vrrp_cluster_2:vrrp0:members" comment="">
|
|
<ClusterGroupOptions>
|
|
<Option name="vrrp_secret">vrrp_secret</Option>
|
|
<Option name="vrrp_vrid">1</Option>
|
|
</ClusterGroupOptions>
|
|
</FailoverClusterGroup>
|
|
</Interface>
|
|
<Interface id="id3880X13237" dedicated_failover="False" dyn="False" label="" security_level="0" unnum="False" unprotected="False" name="vrrp1" comment="" ro="False">
|
|
<IPv4 id="id3881X13237" name="vrrp_cluster_2:vrrp1:ip" comment="" ro="False" address="2.2.2.2" netmask="255.255.255.0"/>
|
|
<InterfaceOptions>
|
|
<Option name="type">vrrp</Option>
|
|
</InterfaceOptions>
|
|
<FailoverClusterGroup id="id3883X13237" type="vrrp" name="vrrp_cluster_2:vrrp1:members" comment="">
|
|
<ClusterGroupOptions>
|
|
<Option name="vrrp_secret">vrrp_secret</Option>
|
|
<Option name="vrrp_vrid">1</Option>
|
|
</ClusterGroupOptions>
|
|
</FailoverClusterGroup>
|
|
</Interface>
|
|
<Interface id="id3885X13237" dedicated_failover="False" dyn="False" label="" security_level="0" unnum="False" unprotected="False" name="lo0" comment="" ro="False">
|
|
<IPv4 id="id3886X13237" name="vrrp_cluster_2:lo0:ip" comment="" ro="False" address="127.0.0.1" netmask="255.0.0.0"/>
|
|
<InterfaceOptions>
|
|
<Option name="type">vrrp</Option>
|
|
</InterfaceOptions>
|
|
<FailoverClusterGroup id="id3888X13237" type="vrrp" name="vrrp_cluster_2:lo0:members" comment="">
|
|
<ClusterGroupOptions>
|
|
<Option name="vrrp_secret">vrrp_secret</Option>
|
|
<Option name="vrrp_vrid">1</Option>
|
|
</ClusterGroupOptions>
|
|
</FailoverClusterGroup>
|
|
</Interface>
|
|
<FirewallOptions/>
|
|
<StateSyncClusterGroup id="id3873X13237" type="conntrack" name="State Sync Group" comment="">
|
|
<ClusterGroupOptions/>
|
|
</StateSyncClusterGroup>
|
|
</Cluster>
|
|
<FailoverClusterGroup id="id3958X13563" type="vrrp" name="vrrp_cluster_2:lo0:members" comment="">
|
|
<ClusterGroupOptions>
|
|
<Option name="vrrp_secret">vrrp_secret</Option>
|
|
<Option name="vrrp_vrid">1</Option>
|
|
</ClusterGroupOptions>
|
|
</FailoverClusterGroup>
|
|
<Interface id="id6189X76214" dedicated_failover="False" dyn="False" security_level="0" unnum="False" unprotected="False" name="eth2" comment="" ro="False">
|
|
<InterfaceOptions>
|
|
<Option name="type">ethernet</Option>
|
|
</InterfaceOptions>
|
|
</Interface>
|
|
<Firewall id="id4021X2906" host_OS="secuwall" inactive="False" lastCompiled="0" lastInstalled="0" lastModified="1244045700" platform="iptables" version="" name="secuwall-1" comment="This firewall has two interfaces. Eth0 faces outside and has a dynamic address; eth1 faces inside. The policy includes basic rules to permit unrestricted outbound access and anti-spoofing rules. Access to the firewall is permitted only from the internal network and only using SSH. The firewall uses one of the machines on the internal network for DNS. The internal network is configured with address 192.168.1.0/255.255.255.0" ro="False">
|
|
<NAT id="id4028X2906" name="NAT" comment="" ro="False" ipv4_rule_set="False" ipv6_rule_set="False" top_rule_set="True">
|
|
<RuleSetOptions/>
|
|
</NAT>
|
|
<Policy id="id4027X2906" name="Policy" comment="" ro="False" ipv4_rule_set="False" ipv6_rule_set="False" top_rule_set="True">
|
|
<RuleSetOptions/>
|
|
</Policy>
|
|
<Routing id="id4029X2906" name="Routing" comment="" ro="False" ipv4_rule_set="False" ipv6_rule_set="False" top_rule_set="True">
|
|
<RuleSetOptions/>
|
|
</Routing>
|
|
<Interface id="id4030X2906" dedicated_failover="False" dyn="False" label="" mgmt="False" security_level="0" unnum="False" unprotected="False" name="eth0" comment="" ro="False">
|
|
<IPv4 id="id4032X2906" name="secuwall-1:eth0:ip" comment="" ro="False" address="172.24.0.2" netmask="255.255.0.0"/>
|
|
<InterfaceOptions>
|
|
<Option name="iface_mtu">1500</Option>
|
|
<Option name="type">ethernet</Option>
|
|
</InterfaceOptions>
|
|
</Interface>
|
|
<Interface id="id4033X2906" dedicated_failover="False" dyn="False" label="" mgmt="True" security_level="100" unnum="False" unprotected="False" name="eth1" comment="" ro="False">
|
|
<IPv4 id="id4036X2906" name="secuwall-1:eth1:ip" comment="" ro="False" address="192.168.1.2" netmask="255.255.255.0"/>
|
|
<InterfaceOptions>
|
|
<Option name="iface_disablearp">False</Option>
|
|
<Option name="iface_disableboot">False</Option>
|
|
<Option name="iface_mtu">1500</Option>
|
|
<Option name="iface_options"></Option>
|
|
<Option name="type">ethernet</Option>
|
|
<Option name="vlan_id"></Option>
|
|
</InterfaceOptions>
|
|
</Interface>
|
|
<Interface id="id4038X2906" dedicated_failover="False" dyn="False" label="" mgmt="False" security_level="100" unnum="False" unprotected="False" name="lo" comment="" ro="False">
|
|
<IPv4 id="id4040X2906" name="secuwall-1:lo:ip" comment="" ro="False" address="127.0.0.1" netmask="255.0.0.0"/>
|
|
<InterfaceOptions>
|
|
<Option name="iface_mtu">1500</Option>
|
|
<Option name="iface_type">ethernet</Option>
|
|
</InterfaceOptions>
|
|
</Interface>
|
|
<Management address="192.168.1.2">
|
|
<SNMPManagement enabled="False" snmp_read_community="" snmp_write_community=""/>
|
|
<FWBDManagement enabled="False" identity="" port="-1"/>
|
|
<PolicyInstallScript arguments="" command="" enabled="False"/>
|
|
</Management>
|
|
<FirewallOptions>
|
|
<Option name="accept_established">True</Option>
|
|
<Option name="accept_new_tcp_with_no_syn">True</Option>
|
|
<Option name="action_on_reject"></Option>
|
|
<Option name="activationCmd"></Option>
|
|
<Option name="admUser"></Option>
|
|
<Option name="altAddress"></Option>
|
|
<Option name="bridging_fw">False</Option>
|
|
<Option name="check_shading">False</Option>
|
|
<Option name="clamp_mss_to_mtu">False</Option>
|
|
<Option name="classify_mark_terminating">False</Option>
|
|
<Option name="cmdline"></Option>
|
|
<Option name="compiler"></Option>
|
|
<Option name="configure_interfaces">True</Option>
|
|
<Option name="debug">False</Option>
|
|
<Option name="drop_invalid">False</Option>
|
|
<Option name="eliminate_duplicates">true</Option>
|
|
<Option name="epilog_script"></Option>
|
|
<Option name="firewall_dir">/etc</Option>
|
|
<Option name="firewall_is_part_of_any_and_networks">True</Option>
|
|
<Option name="flush_and_set_default_policy">True</Option>
|
|
<Option name="freebsd_ip_forward">1</Option>
|
|
<Option name="ignore_empty_groups">False</Option>
|
|
<Option name="ipv4_6_order">ipv4_first</Option>
|
|
<Option name="limit_suffix"></Option>
|
|
<Option name="limit_value">0</Option>
|
|
<Option name="linux24_ip_forward">1</Option>
|
|
<Option name="load_modules">True</Option>
|
|
<Option name="local_nat">False</Option>
|
|
<Option name="log_all">False</Option>
|
|
<Option name="log_invalid">False</Option>
|
|
<Option name="log_ip_opt">False</Option>
|
|
<Option name="log_level">info</Option>
|
|
<Option name="log_prefix">RULE %N -- %A </Option>
|
|
<Option name="log_tcp_opt">False</Option>
|
|
<Option name="log_tcp_seq">False</Option>
|
|
<Option name="loopback_interface">lo</Option>
|
|
<Option name="macosx_ip_forward">1</Option>
|
|
<Option name="manage_virtual_addr">True</Option>
|
|
<Option name="mgmt_addr"></Option>
|
|
<Option name="mgmt_ssh">False</Option>
|
|
<Option name="modules_dir">/lib/modules/`uname -r`/kernel/net/</Option>
|
|
<Option name="openbsd_ip_forward">1</Option>
|
|
<Option name="output_file"></Option>
|
|
<Option name="pf_limit_frags">5000</Option>
|
|
<Option name="pf_limit_states">10000</Option>
|
|
<Option name="pf_timeout_frag">30</Option>
|
|
<Option name="pf_timeout_interval">10</Option>
|
|
<Option name="pix_add_clear_statements">true</Option>
|
|
<Option name="pix_assume_fw_part_of_any">true</Option>
|
|
<Option name="pix_default_logint">300</Option>
|
|
<Option name="pix_emblem_log_format">false</Option>
|
|
<Option name="pix_emulate_out_acl">true</Option>
|
|
<Option name="pix_floodguard">true</Option>
|
|
<Option name="pix_include_comments">true</Option>
|
|
<Option name="pix_route_dnat_supported">true</Option>
|
|
<Option name="pix_rule_syslog_settings">false</Option>
|
|
<Option name="pix_security_fragguard_supported">true</Option>
|
|
<Option name="pix_syslog_device_id_supported">false</Option>
|
|
<Option name="pix_use_acl_remarks">true</Option>
|
|
<Option name="prolog_place">top</Option>
|
|
<Option name="prolog_script"></Option>
|
|
<Option name="scpArgs"></Option>
|
|
<Option name="secuwall_add_files">False</Option>
|
|
<Option name="secuwall_add_files_dir">/opt/secuwall/templates/default</Option>
|
|
<Option name="secuwall_dns_reso1">files</Option>
|
|
<Option name="solaris_ip_forward">1</Option>
|
|
<Option name="sshArgs"></Option>
|
|
<Option name="ulog_cprange">0</Option>
|
|
<Option name="ulog_nlgroup">1</Option>
|
|
<Option name="ulog_qthreshold">1</Option>
|
|
<Option name="use_ULOG">False</Option>
|
|
<Option name="use_iptables_restore">False</Option>
|
|
<Option name="use_numeric_log_levels">False</Option>
|
|
<Option name="verify_interfaces">True</Option>
|
|
</FirewallOptions>
|
|
</Firewall>
|
|
<Firewall id="id4046X2906" host_OS="secuwall" inactive="False" lastCompiled="0" lastInstalled="0" lastModified="1243788928" platform="iptables" version="" name="secuwall-2" comment="This firewall has two interfaces. Eth0 faces outside and has a dynamic address; eth1 faces inside. The policy includes basic rules to permit unrestricted outbound access and anti-spoofing rules. Access to the firewall is permitted only from the internal network and only using SSH. The firewall uses one of the machines on the internal network for DNS. The internal network is configured with address 192.168.1.0/255.255.255.0" ro="False">
|
|
<NAT id="id4053X2906" name="NAT" comment="" ro="False" ipv4_rule_set="False" ipv6_rule_set="False" top_rule_set="True">
|
|
<RuleSetOptions/>
|
|
</NAT>
|
|
<Policy id="id4052X2906" name="Policy" comment="" ro="False" ipv4_rule_set="False" ipv6_rule_set="False" top_rule_set="True">
|
|
<RuleSetOptions/>
|
|
</Policy>
|
|
<Routing id="id4054X2906" name="Routing" comment="" ro="False" ipv4_rule_set="False" ipv6_rule_set="False" top_rule_set="True">
|
|
<RuleSetOptions/>
|
|
</Routing>
|
|
<Interface id="id4055X2906" dedicated_failover="False" dyn="False" label="" mgmt="False" security_level="0" unnum="False" unprotected="False" name="eth0" comment="" ro="False">
|
|
<IPv4 id="id4057X2906" name="secuwall-2:eth0:ip" comment="" ro="False" address="172.24.0.3" netmask="255.255.0.0"/>
|
|
<InterfaceOptions>
|
|
<Option name="iface_mtu">1500</Option>
|
|
<Option name="iface_type">ethernet</Option>
|
|
</InterfaceOptions>
|
|
</Interface>
|
|
<Interface id="id4058X2906" dedicated_failover="False" dyn="False" label="" mgmt="True" security_level="100" unnum="False" unprotected="False" name="eth1" comment="" ro="False">
|
|
<IPv4 id="id4060X2906" name="secuwall-2:eth1:ip" comment="" ro="False" address="192.168.1.3" netmask="255.255.255.0"/>
|
|
<InterfaceOptions>
|
|
<Option name="iface_mtu">1500</Option>
|
|
<Option name="iface_type">ethernet</Option>
|
|
</InterfaceOptions>
|
|
</Interface>
|
|
<Interface id="id4061X2906" dedicated_failover="False" dyn="False" label="" mgmt="False" security_level="100" unnum="False" unprotected="False" name="lo" comment="" ro="False">
|
|
<IPv4 id="id4063X2906" name="secuwall-2:lo:ip" comment="" ro="False" address="127.0.0.1" netmask="255.0.0.0"/>
|
|
<InterfaceOptions>
|
|
<Option name="iface_mtu">1500</Option>
|
|
<Option name="iface_type">ethernet</Option>
|
|
</InterfaceOptions>
|
|
</Interface>
|
|
<Interface id="id3805X49120" dedicated_failover="False" dyn="False" label="" mgmt="False" security_level="0" unnum="False" unprotected="False" name="br0" comment="" ro="False">
|
|
<IPv4 id="id3809X49120" name="secuwall-2:br0:ip" comment="" ro="False" address="2.2.2.2" netmask="255.255.255.0"/>
|
|
<InterfaceOptions>
|
|
<Option name="iface_disablearp">False</Option>
|
|
<Option name="iface_disableboot">False</Option>
|
|
<Option name="iface_mtu">1500</Option>
|
|
<Option name="iface_options"></Option>
|
|
<Option name="type">bonding</Option>
|
|
<Option name="vlan_id"></Option>
|
|
</InterfaceOptions>
|
|
<Interface id="id3807X49120" dedicated_failover="False" dyn="False" label="" security_level="0" unnum="False" unprotected="False" name="eth2" comment="" ro="False">
|
|
<InterfaceOptions>
|
|
<Option name="iface_mtu">1500</Option>
|
|
<Option name="type">ethernet</Option>
|
|
</InterfaceOptions>
|
|
</Interface>
|
|
<Interface id="id3808X49120" dedicated_failover="False" dyn="False" label="" security_level="0" unnum="False" unprotected="False" name="eth3" comment="" ro="False">
|
|
<InterfaceOptions>
|
|
<Option name="iface_mtu">1500</Option>
|
|
<Option name="iface_type">ethernet</Option>
|
|
</InterfaceOptions>
|
|
</Interface>
|
|
</Interface>
|
|
<Management address="192.168.1.3">
|
|
<SNMPManagement enabled="False" snmp_read_community="" snmp_write_community=""/>
|
|
<FWBDManagement enabled="False" identity="" port="-1"/>
|
|
<PolicyInstallScript arguments="" command="" enabled="False"/>
|
|
</Management>
|
|
<FirewallOptions>
|
|
<Option name="accept_established">True</Option>
|
|
<Option name="accept_new_tcp_with_no_syn">True</Option>
|
|
<Option name="action_on_reject"></Option>
|
|
<Option name="activationCmd"></Option>
|
|
<Option name="admUser"></Option>
|
|
<Option name="altAddress"></Option>
|
|
<Option name="bridging_fw">False</Option>
|
|
<Option name="check_shading">False</Option>
|
|
<Option name="clamp_mss_to_mtu">False</Option>
|
|
<Option name="classify_mark_terminating">False</Option>
|
|
<Option name="cmdline"></Option>
|
|
<Option name="compiler"></Option>
|
|
<Option name="configure_interfaces">True</Option>
|
|
<Option name="debug">False</Option>
|
|
<Option name="drop_invalid">False</Option>
|
|
<Option name="eliminate_duplicates">true</Option>
|
|
<Option name="epilog_script"></Option>
|
|
<Option name="firewall_dir">/etc</Option>
|
|
<Option name="firewall_is_part_of_any_and_networks">True</Option>
|
|
<Option name="flush_and_set_default_policy">True</Option>
|
|
<Option name="freebsd_ip_forward">1</Option>
|
|
<Option name="ignore_empty_groups">False</Option>
|
|
<Option name="ipv4_6_order">ipv4_first</Option>
|
|
<Option name="limit_suffix"></Option>
|
|
<Option name="limit_value">0</Option>
|
|
<Option name="linux24_ip_forward">1</Option>
|
|
<Option name="load_modules">True</Option>
|
|
<Option name="local_nat">False</Option>
|
|
<Option name="log_all">False</Option>
|
|
<Option name="log_invalid">False</Option>
|
|
<Option name="log_ip_opt">False</Option>
|
|
<Option name="log_level">info</Option>
|
|
<Option name="log_prefix">RULE %N -- %A </Option>
|
|
<Option name="log_tcp_opt">False</Option>
|
|
<Option name="log_tcp_seq">False</Option>
|
|
<Option name="loopback_interface">lo</Option>
|
|
<Option name="macosx_ip_forward">1</Option>
|
|
<Option name="manage_virtual_addr">True</Option>
|
|
<Option name="mgmt_addr"></Option>
|
|
<Option name="mgmt_ssh">False</Option>
|
|
<Option name="modules_dir">/lib/modules/`uname -r`/kernel/net/</Option>
|
|
<Option name="openbsd_ip_forward">1</Option>
|
|
<Option name="output_file"></Option>
|
|
<Option name="pf_limit_frags">5000</Option>
|
|
<Option name="pf_limit_states">10000</Option>
|
|
<Option name="pf_timeout_frag">30</Option>
|
|
<Option name="pf_timeout_interval">10</Option>
|
|
<Option name="pix_add_clear_statements">true</Option>
|
|
<Option name="pix_assume_fw_part_of_any">true</Option>
|
|
<Option name="pix_default_logint">300</Option>
|
|
<Option name="pix_emblem_log_format">false</Option>
|
|
<Option name="pix_emulate_out_acl">true</Option>
|
|
<Option name="pix_floodguard">true</Option>
|
|
<Option name="pix_include_comments">true</Option>
|
|
<Option name="pix_route_dnat_supported">true</Option>
|
|
<Option name="pix_rule_syslog_settings">false</Option>
|
|
<Option name="pix_security_fragguard_supported">true</Option>
|
|
<Option name="pix_syslog_device_id_supported">false</Option>
|
|
<Option name="pix_use_acl_remarks">true</Option>
|
|
<Option name="prolog_place">top</Option>
|
|
<Option name="prolog_script"></Option>
|
|
<Option name="scpArgs"></Option>
|
|
<Option name="secuwall_add_files">False</Option>
|
|
<Option name="secuwall_add_files_dir">/opt/secuwall/templates/default</Option>
|
|
<Option name="secuwall_dns_reso1">files</Option>
|
|
<Option name="solaris_ip_forward">1</Option>
|
|
<Option name="sshArgs"></Option>
|
|
<Option name="ulog_cprange">0</Option>
|
|
<Option name="ulog_nlgroup">1</Option>
|
|
<Option name="ulog_qthreshold">1</Option>
|
|
<Option name="use_ULOG">False</Option>
|
|
<Option name="use_iptables_restore">False</Option>
|
|
<Option name="use_numeric_log_levels">False</Option>
|
|
<Option name="verify_interfaces">True</Option>
|
|
</FirewallOptions>
|
|
</Firewall>
|
|
<Firewall id="id3783X36775" host_OS="linux24" inactive="False" lastCompiled="1251482998" lastInstalled="0" lastModified="1251482982" platform="iptables" version="" name="linux-bonding-1" comment="VLAN and bonding interface configuration" ro="False">
|
|
<NAT id="id3817X36775" name="NAT" comment="" ro="False" ipv4_rule_set="False" ipv6_rule_set="False" top_rule_set="True">
|
|
<RuleSetOptions/>
|
|
</NAT>
|
|
<Policy id="id3816X36775" name="Policy" comment="" ro="False" ipv4_rule_set="False" ipv6_rule_set="False" top_rule_set="True">
|
|
<PolicyRule id="id4355X56095" disabled="False" group="" log="False" position="0" action="Accept" direction="Both" comment="">
|
|
<Src neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="pf_classify_str"></Option>
|
|
<Option name="stateless">False</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<RuleSetOptions/>
|
|
</Policy>
|
|
<Routing id="id3818X36775" name="Routing" comment="" ro="False" ipv4_rule_set="False" ipv6_rule_set="False" top_rule_set="True">
|
|
<RuleSetOptions/>
|
|
</Routing>
|
|
<Interface id="id3789X36775" dedicated_failover="False" dyn="False" label="" mgmt="False" security_level="0" unnum="False" unprotected="False" name="eth0" comment="" ro="False">
|
|
<IPv4 id="id3794X36775" name="linux-bonding-1:eth0:ip" comment="" ro="False" address="172.24.0.2" netmask="255.255.0.0"/>
|
|
<InterfaceOptions>
|
|
<Option name="type">ethernet</Option>
|
|
<Option name="vlan_id">0</Option>
|
|
</InterfaceOptions>
|
|
<Interface id="id3796X36775" dedicated_failover="False" dyn="False" label="" security_level="0" unnum="False" unprotected="False" name="eth0.100" comment="" ro="False">
|
|
<IPv4 id="id10563X39036" name="linux-bonding-1:eth0:eth0.100:ip" comment="" ro="False" address="172.16.1.1" netmask="255.255.255.0"/>
|
|
<InterfaceOptions>
|
|
<Option name="dev_plus_vid">False</Option>
|
|
<Option name="dev_plus_vid_no_pad">True</Option>
|
|
<Option name="type">8021q</Option>
|
|
<Option name="vlan_id">100</Option>
|
|
<Option name="vlan_plus_vid">False</Option>
|
|
<Option name="vlan_plus_vid_no_pad">False</Option>
|
|
</InterfaceOptions>
|
|
</Interface>
|
|
</Interface>
|
|
<Interface id="id3799X36775" dedicated_failover="False" dyn="False" label="" mgmt="True" security_level="100" unnum="False" unprotected="False" name="bond1" comment="" ro="False">
|
|
<IPv4 id="id3805X36775" name="linux-bonding-1:bond1:ip" comment="" ro="False" address="192.168.1.2" netmask="255.255.255.0"/>
|
|
<InterfaceOptions>
|
|
<Option name="bonding_mode">blance xor</Option>
|
|
<Option name="bonding_policy">balance-xor</Option>
|
|
<Option name="bondng_driver_options"></Option>
|
|
<Option name="dev_plus_vid">False</Option>
|
|
<Option name="dev_plus_vid_no_pad">False</Option>
|
|
<Option name="enable_stp">True</Option>
|
|
<Option name="iface_mtu">1500</Option>
|
|
<Option name="type">bonding</Option>
|
|
<Option name="vlan_id">0</Option>
|
|
<Option name="vlan_plus_vid">False</Option>
|
|
<Option name="vlan_plus_vid_no_pad">True</Option>
|
|
<Option name="xmit_hash_policy">layer3+4</Option>
|
|
</InterfaceOptions>
|
|
<Interface id="id3807X36775" dedicated_failover="False" dyn="False" label="" mgmt="False" security_level="0" unnum="True" unprotected="False" name="eth2" comment="" ro="False">
|
|
<InterfaceOptions>
|
|
<Option name="dev_plus_vid">False</Option>
|
|
<Option name="dev_plus_vid_no_pad">False</Option>
|
|
<Option name="enable_stp">False</Option>
|
|
<Option name="type">ethernet</Option>
|
|
<Option name="vlan_id">0</Option>
|
|
<Option name="vlan_plus_vid">False</Option>
|
|
<Option name="vlan_plus_vid_no_pad">True</Option>
|
|
</InterfaceOptions>
|
|
</Interface>
|
|
<Interface id="id3810X36775" dedicated_failover="False" dyn="False" label="" mgmt="False" security_level="0" unnum="True" unprotected="False" name="eth3" comment="" ro="False">
|
|
<InterfaceOptions>
|
|
<Option name="type">ethernet</Option>
|
|
</InterfaceOptions>
|
|
</Interface>
|
|
<Interface id="id6778X41225" dedicated_failover="False" dyn="False" label="" security_level="0" unnum="False" unprotected="False" name="bond1.123" comment="" ro="False">
|
|
<IPv4 id="id16320X39036" name="linux-bonding-1:bond1:bond1.123:ip" comment="" ro="False" address="172.16.2.1" netmask="255.255.255.0"/>
|
|
<InterfaceOptions>
|
|
<Option name="bonding_policy"></Option>
|
|
<Option name="bondng_driver_options"></Option>
|
|
<Option name="enable_stp">False</Option>
|
|
<Option name="type">8021q</Option>
|
|
<Option name="vlan_id">123</Option>
|
|
<Option name="xmit_hash_policy"></Option>
|
|
</InterfaceOptions>
|
|
</Interface>
|
|
</Interface>
|
|
<Interface id="id3811X36775" dedicated_failover="False" dyn="False" label="" mgmt="False" security_level="100" unnum="False" unprotected="False" name="lo" comment="" ro="False">
|
|
<IPv4 id="id3814X36775" name="linux-bonding-1:lo:ip" comment="" ro="False" address="127.0.0.1" netmask="255.0.0.0"/>
|
|
<InterfaceOptions/>
|
|
</Interface>
|
|
<Interface id="id19205X39036" dedicated_failover="False" dyn="False" label="" mgmt="False" security_level="0" unnum="True" unprotected="False" name="eth2" comment="" ro="False">
|
|
<InterfaceOptions>
|
|
<Option name="type">ethernet</Option>
|
|
</InterfaceOptions>
|
|
</Interface>
|
|
<Interface id="id19207X39036" dedicated_failover="False" dyn="False" label="" mgmt="False" security_level="0" unnum="True" unprotected="False" name="eth3" comment="" ro="False">
|
|
<InterfaceOptions>
|
|
<Option name="type">ethernet</Option>
|
|
</InterfaceOptions>
|
|
</Interface>
|
|
<Management address="192.168.1.2">
|
|
<SNMPManagement enabled="False" snmp_read_community="" snmp_write_community=""/>
|
|
<FWBDManagement enabled="False" identity="" port="-1"/>
|
|
<PolicyInstallScript arguments="" command="" enabled="False"/>
|
|
</Management>
|
|
<FirewallOptions>
|
|
<Option name="accept_established">True</Option>
|
|
<Option name="accept_new_tcp_with_no_syn">True</Option>
|
|
<Option name="action_on_reject"></Option>
|
|
<Option name="activationCmd"></Option>
|
|
<Option name="admUser"></Option>
|
|
<Option name="altAddress"></Option>
|
|
<Option name="bridging_fw">False</Option>
|
|
<Option name="check_shading">False</Option>
|
|
<Option name="clamp_mss_to_mtu">False</Option>
|
|
<Option name="classify_mark_terminating">False</Option>
|
|
<Option name="cmdline"></Option>
|
|
<Option name="compiler"></Option>
|
|
<Option name="configure_bonding_interfaces">True</Option>
|
|
<Option name="configure_bridge_interfaces">True</Option>
|
|
<Option name="configure_interfaces">True</Option>
|
|
<Option name="configure_vlan_interfaces">True</Option>
|
|
<Option name="debug">False</Option>
|
|
<Option name="drop_invalid">False</Option>
|
|
<Option name="eliminate_duplicates">true</Option>
|
|
<Option name="epilog_script"></Option>
|
|
<Option name="firewall_dir">/etc</Option>
|
|
<Option name="firewall_is_part_of_any_and_networks">True</Option>
|
|
<Option name="flush_and_set_default_policy">True</Option>
|
|
<Option name="freebsd_ip_forward">1</Option>
|
|
<Option name="ignore_empty_groups">False</Option>
|
|
<Option name="ipv4_6_order">ipv4_first</Option>
|
|
<Option name="limit_suffix"></Option>
|
|
<Option name="limit_value">0</Option>
|
|
<Option name="linux24_ip_forward">1</Option>
|
|
<Option name="load_modules">True</Option>
|
|
<Option name="local_nat">False</Option>
|
|
<Option name="log_all">False</Option>
|
|
<Option name="log_invalid">False</Option>
|
|
<Option name="log_ip_opt">False</Option>
|
|
<Option name="log_level">info</Option>
|
|
<Option name="log_prefix">RULE %N -- %A </Option>
|
|
<Option name="log_tcp_opt">False</Option>
|
|
<Option name="log_tcp_seq">False</Option>
|
|
<Option name="loopback_interface">lo</Option>
|
|
<Option name="macosx_ip_forward">1</Option>
|
|
<Option name="manage_virtual_addr">True</Option>
|
|
<Option name="mgmt_addr"></Option>
|
|
<Option name="mgmt_ssh">False</Option>
|
|
<Option name="modules_dir">/lib/modules/`uname -r`/kernel/net/</Option>
|
|
<Option name="openbsd_ip_forward">1</Option>
|
|
<Option name="output_file"></Option>
|
|
<Option name="pf_limit_frags">5000</Option>
|
|
<Option name="pf_limit_states">10000</Option>
|
|
<Option name="pf_timeout_frag">30</Option>
|
|
<Option name="pf_timeout_interval">10</Option>
|
|
<Option name="pix_add_clear_statements">true</Option>
|
|
<Option name="pix_assume_fw_part_of_any">true</Option>
|
|
<Option name="pix_default_logint">300</Option>
|
|
<Option name="pix_emblem_log_format">false</Option>
|
|
<Option name="pix_emulate_out_acl">true</Option>
|
|
<Option name="pix_floodguard">true</Option>
|
|
<Option name="pix_include_comments">true</Option>
|
|
<Option name="pix_route_dnat_supported">true</Option>
|
|
<Option name="pix_rule_syslog_settings">false</Option>
|
|
<Option name="pix_security_fragguard_supported">true</Option>
|
|
<Option name="pix_syslog_device_id_supported">false</Option>
|
|
<Option name="pix_use_acl_remarks">true</Option>
|
|
<Option name="prolog_place">top</Option>
|
|
<Option name="prolog_script"></Option>
|
|
<Option name="scpArgs"></Option>
|
|
<Option name="secuwall_add_files">False</Option>
|
|
<Option name="secuwall_add_files_dir">/opt/secuwall/templates/default</Option>
|
|
<Option name="secuwall_dns_reso1">files</Option>
|
|
<Option name="solaris_ip_forward">1</Option>
|
|
<Option name="sshArgs"></Option>
|
|
<Option name="ulog_cprange">0</Option>
|
|
<Option name="ulog_nlgroup">1</Option>
|
|
<Option name="ulog_qthreshold">1</Option>
|
|
<Option name="use_ULOG">False</Option>
|
|
<Option name="use_iptables_restore">False</Option>
|
|
<Option name="use_numeric_log_levels">False</Option>
|
|
<Option name="verify_interfaces">True</Option>
|
|
</FirewallOptions>
|
|
</Firewall>
|
|
<Cluster id="id2708X89830" host_OS="secuwall" inactive="False" lastCompiled="1248541093" lastInstalled="0" lastModified="1244047289" platform="iptables" name="secuwall_cluster_1" comment="" ro="False">
|
|
<NAT id="id2712X89830" name="NAT" comment="" ro="False" ipv4_rule_set="False" ipv6_rule_set="False" top_rule_set="True">
|
|
<RuleSetOptions/>
|
|
</NAT>
|
|
<Policy id="id2711X89830" name="Policy" comment="" ro="False" ipv4_rule_set="False" ipv6_rule_set="False" top_rule_set="True">
|
|
<RuleSetOptions/>
|
|
</Policy>
|
|
<Routing id="id2713X89830" name="Routing" comment="" ro="False" ipv4_rule_set="False" ipv6_rule_set="False" top_rule_set="True">
|
|
<RuleSetOptions/>
|
|
</Routing>
|
|
<Interface id="id2716X89830" dedicated_failover="False" dyn="False" label="" security_level="0" unnum="False" unprotected="False" name="vrrp0" comment="" ro="False">
|
|
<IPv4 id="id2717X89830" name="cluster3:vrrp0:ip" comment="" ro="False" address="192.168.1.1" netmask="255.255.255.0"/>
|
|
<InterfaceOptions>
|
|
<Option name="iface_mtu">1500</Option>
|
|
<Option name="type">vrrp</Option>
|
|
</InterfaceOptions>
|
|
<FailoverClusterGroup id="id3048X95200" master_iface="id4030X2906" type="vrrp" name="Failover group" comment=""/>
|
|
</Interface>
|
|
<Interface id="id2721X89830" dedicated_failover="False" dyn="False" label="" security_level="0" unnum="False" unprotected="False" name="vrrp1" comment="" ro="False">
|
|
<IPv4 id="id2722X89830" name="cluster3:vrrp1:ip" comment="" ro="False" address="172.24.0.1" netmask="255.255.255.0"/>
|
|
<InterfaceOptions>
|
|
<Option name="iface_mtu">1500</Option>
|
|
<Option name="type">vrrp</Option>
|
|
</InterfaceOptions>
|
|
<FailoverClusterGroup id="id2724X89830" master_iface="id4033X2906" type="vrrp" name="cluster3:vrrp1:members" comment=""/>
|
|
</Interface>
|
|
<FirewallOptions/>
|
|
<StateSyncClusterGroup id="id2714X89830" master_iface="id4030X2906" type="conntrack" name="State Sync Group" comment=""/>
|
|
</Cluster>
|
|
<Cluster id="id3433X13311" host_OS="linux24" inactive="False" lastCompiled="1251482764" lastInstalled="0" lastModified="1253910805" platform="iptables" name="heartbeat_cluster_1" comment="This is an example of a linux/heartbeat cluster with two policy rule sets. The branching rule in the top policy passes control to the rule set to_fw, which is different in each member firewall. See ticket #372 for an explanation." ro="False">
|
|
<NAT id="id3587X13311" name="NAT" comment="" ro="False" ipv4_rule_set="False" ipv6_rule_set="False" top_rule_set="True">
|
|
<NATRule id="id3588X13311" disabled="False" group="" position="0" action="Translate" comment="">
|
|
<OSrc neg="False">
|
|
<ObjectRef ref="id3DC75CE7-1"/>
|
|
</OSrc>
|
|
<ODst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ODst>
|
|
<OSrv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</OSrv>
|
|
<TSrc neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</TSrc>
|
|
<TDst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</TDst>
|
|
<TSrv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</TSrv>
|
|
<ItfInb neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ItfInb>
|
|
<ItfOutb neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ItfOutb>
|
|
<NATRuleOptions/>
|
|
</NATRule>
|
|
<RuleSetOptions/>
|
|
</NAT>
|
|
<Policy id="id3465X13311" name="Policy" comment="" ro="False" ipv4_rule_set="False" ipv6_rule_set="False" top_rule_set="True">
|
|
<PolicyRule id="id3466X13311" disabled="False" group="" log="False" position="0" action="Accept" direction="Both" comment="">
|
|
<Src neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="id3054X14356"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="id3068X14356"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="pf_classify_str"></Option>
|
|
<Option name="stateless">False</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<PolicyRule id="id3478X13311" disabled="False" group="" log="True" position="1" action="Deny" direction="Inbound" comment="anti-spoofing rule">
|
|
<Src neg="False">
|
|
<ObjectRef ref="id3DC75CE7-1"/>
|
|
<ObjectRef ref="id3433X13311"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="pf_classify_str"></Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<PolicyRule id="id3491X13311" disabled="False" group="" log="False" position="2" action="Accept" direction="Both" comment="">
|
|
<Src neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="pf_classify_str"></Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<PolicyRule id="id3503X13311" disabled="False" group="" log="False" position="3" action="Accept" direction="Both" comment="SSH Access to firewall is permitted only from internal network">
|
|
<Src neg="False">
|
|
<ObjectRef ref="id3DC75CE7-1"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="id3433X13311"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="tcp-SSH"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="pf_classify_str"></Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<PolicyRule id="id3515X13311" disabled="False" group="" log="False" position="4" action="Accept" direction="Both" comment="SSH Access to firewall is permitted only from internal network">
|
|
<Src neg="False">
|
|
<ObjectRef ref="id3DC75CE7-1"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="tcp-SSH"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="pf_classify_str"></Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<PolicyRule id="id3527X13311" disabled="False" group="" log="True" position="5" action="Accept" direction="Both" comment="Firewall uses one of the machines on internal network for DNS">
|
|
<Src neg="False">
|
|
<ObjectRef ref="id3433X13311"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="id3DC75CE7-1"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="id3F530CC8"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="pf_classify_str"></Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<PolicyRule id="id4369X67939" disabled="False" group="" log="False" position="6" action="Branch" direction="Both" comment="branch rule set is different in members linux-1 and linux-2">
|
|
<Src neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="id3433X13311"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="action_on_reject"></Option>
|
|
<Option name="branch_id">id6187X76214</Option>
|
|
<Option name="classify_str"></Option>
|
|
<Option name="connlimit_masklen">0</Option>
|
|
<Option name="connlimit_value">0</Option>
|
|
<Option name="custom_str"></Option>
|
|
<Option name="firewall_is_part_of_any_and_networks">False</Option>
|
|
<Option name="hashlimit_burst">0</Option>
|
|
<Option name="hashlimit_dstlimit">False</Option>
|
|
<Option name="hashlimit_expire">0</Option>
|
|
<Option name="hashlimit_gcinterval">0</Option>
|
|
<Option name="hashlimit_max">0</Option>
|
|
<Option name="hashlimit_mode_dstip">False</Option>
|
|
<Option name="hashlimit_mode_dstport">False</Option>
|
|
<Option name="hashlimit_mode_srcip">False</Option>
|
|
<Option name="hashlimit_mode_srcport">False</Option>
|
|
<Option name="hashlimit_name"></Option>
|
|
<Option name="hashlimit_size">0</Option>
|
|
<Option name="hashlimit_suffix"></Option>
|
|
<Option name="hashlimit_value">0</Option>
|
|
<Option name="ipf_route_opt_addr"></Option>
|
|
<Option name="ipf_route_opt_if"></Option>
|
|
<Option name="ipf_route_option">route_through</Option>
|
|
<Option name="ipfw_classify_method">2</Option>
|
|
<Option name="ipfw_pipe_port_num">0</Option>
|
|
<Option name="ipfw_pipe_queue_num">0</Option>
|
|
<Option name="ipt_branch_in_mangle">False</Option>
|
|
<Option name="ipt_continue">False</Option>
|
|
<Option name="ipt_gw"></Option>
|
|
<Option name="ipt_iif"></Option>
|
|
<Option name="ipt_mark_connections">False</Option>
|
|
<Option name="ipt_oif"></Option>
|
|
<Option name="ipt_tee">False</Option>
|
|
<Option name="limit_burst">0</Option>
|
|
<Option name="limit_suffix"></Option>
|
|
<Option name="limit_value">0</Option>
|
|
<Option name="log_level"></Option>
|
|
<Option name="log_prefix"></Option>
|
|
<Option name="pf_classify_str"></Option>
|
|
<Option name="pf_fastroute">False</Option>
|
|
<Option name="pf_route_load_option">none</Option>
|
|
<Option name="pf_route_opt_addr"></Option>
|
|
<Option name="pf_route_opt_if"></Option>
|
|
<Option name="pf_route_option">none</Option>
|
|
<Option name="rule_name_accounting"></Option>
|
|
<Option name="stateless">True</Option>
|
|
<Option name="ulog_nlgroup">1</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<PolicyRule id="id3539X13311" disabled="False" group="" log="True" position="7" action="Deny" direction="Both" comment="">
|
|
<Src neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="id3433X13311"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="connlimit_masklen">0</Option>
|
|
<Option name="connlimit_value">0</Option>
|
|
<Option name="firewall_is_part_of_any_and_networks">False</Option>
|
|
<Option name="hashlimit_burst">0</Option>
|
|
<Option name="hashlimit_dstlimit">False</Option>
|
|
<Option name="hashlimit_expire">0</Option>
|
|
<Option name="hashlimit_gcinterval">0</Option>
|
|
<Option name="hashlimit_max">0</Option>
|
|
<Option name="hashlimit_mode_dstip">False</Option>
|
|
<Option name="hashlimit_mode_dstport">False</Option>
|
|
<Option name="hashlimit_mode_srcip">False</Option>
|
|
<Option name="hashlimit_mode_srcport">False</Option>
|
|
<Option name="hashlimit_name"></Option>
|
|
<Option name="hashlimit_size">0</Option>
|
|
<Option name="hashlimit_suffix"></Option>
|
|
<Option name="hashlimit_value">0</Option>
|
|
<Option name="limit_burst">0</Option>
|
|
<Option name="limit_suffix"></Option>
|
|
<Option name="limit_value">0</Option>
|
|
<Option name="log_level"></Option>
|
|
<Option name="log_prefix"></Option>
|
|
<Option name="pf_classify_str"></Option>
|
|
<Option name="stateless">True</Option>
|
|
<Option name="ulog_nlgroup">1</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<PolicyRule id="id3551X13311" disabled="False" group="" log="False" position="8" action="Accept" direction="Both" comment="">
|
|
<Src neg="False">
|
|
<ObjectRef ref="id3DC75CE7-1"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="pf_classify_str"></Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<PolicyRule id="id3563X13311" disabled="False" group="" log="True" position="9" action="Deny" direction="Both" comment="">
|
|
<Src neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="pf_classify_str"></Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<PolicyRule id="id3575X13311" disabled="False" group="" log="True" position="10" action="Deny" direction="Both" comment="">
|
|
<Src neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="pf_classify_str"></Option>
|
|
<Option name="stateless">True</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<RuleSetOptions/>
|
|
</Policy>
|
|
<Policy id="id6187X76214" name="to_fw" comment="This is a placeholder rule set used by the branching rule in Policy. Member firewalls linux-1 and linux-2 each have their own copy of a rule set with the same name, which is the one actually used." ro="False" ipv4_rule_set="True" ipv6_rule_set="False" top_rule_set="False">
|
|
<RuleSetOptions/>
|
|
</Policy>
|
|
<Routing id="id3602X13311" name="Routing" comment="" ro="False" ipv4_rule_set="False" ipv6_rule_set="False" top_rule_set="True">
|
|
<RoutingRule id="id97243X57559" disabled="False" group="" metric="0" position="0" comment="">
|
|
<RDst neg="False">
|
|
<ObjectRef ref="id95767X57559"/>
|
|
</RDst>
|
|
<RGtw neg="False">
|
|
<ObjectRef ref="id98741X57559"/>
|
|
</RGtw>
|
|
<RItf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</RItf>
|
|
<RoutingRuleOptions/>
|
|
</RoutingRule>
|
|
<RuleSetOptions/>
|
|
</Routing>
|
|
<Interface id="id3441X13311" dedicated_failover="False" dyn="False" label="" mgmt="False" security_level="0" unnum="False" unprotected="False" name="eth0" comment="" ro="False">
|
|
<IPv4 id="id3448X13311" name="heartbeat_cluster_1:eth0:ip" comment="" ro="False" address="172.24.0.1" netmask="255.255.0.0"/>
|
|
<InterfaceOptions>
|
|
<Option name="enable_stp">False</Option>
|
|
<Option name="iface_mtu">1500</Option>
|
|
<Option name="type">heartbeat</Option>
|
|
<Option name="vlan_id">0</Option>
|
|
</InterfaceOptions>
|
|
<FailoverClusterGroup id="id3450X13311" master_iface="id2843X69605" type="heartbeat" name="cluster1:eth0:members" comment=" ">
|
|
<ObjectRef ref="id2843X69605"/>
|
|
<ObjectRef ref="id3117X69605"/>
|
|
<ClusterGroupOptions>
|
|
<Option name="heartbeat_port">694</Option>
|
|
<Option name="vrrp_secret">not so secret</Option>
|
|
<Option name="vrrp_vrid">200</Option>
|
|
</ClusterGroupOptions>
|
|
</FailoverClusterGroup>
|
|
</Interface>
|
|
<Interface id="id3454X13311" dedicated_failover="False" dyn="False" label="" mgmt="False" security_level="0" unnum="False" unprotected="False" name="eth1" comment="" ro="False">
|
|
<IPv4 id="id3460X13311" name="heartbeat_cluster_1:eth1:ip" comment="" ro="False" address="192.168.1.1" netmask="255.255.255.0"/>
|
|
<InterfaceOptions>
|
|
<Option name="enable_stp">False</Option>
|
|
<Option name="iface_mtu">1500</Option>
|
|
<Option name="type">heartbeat</Option>
|
|
<Option name="vlan_id">0</Option>
|
|
</InterfaceOptions>
|
|
<FailoverClusterGroup id="id3462X13311" master_iface="id2844X69605" type="none" name="cluster1:eth1:members" comment=" ">
|
|
<ObjectRef ref="id2844X69605"/>
|
|
<ObjectRef ref="id3118X69605"/>
|
|
<ClusterGroupOptions/>
|
|
</FailoverClusterGroup>
|
|
</Interface>
|
|
<FirewallOptions>
|
|
<Option name="ipt_mangle_only_rulesets"></Option>
|
|
</FirewallOptions>
|
|
<StateSyncClusterGroup id="id3604X13311" master_iface="id2843X69605" type="conntrack" name="State Sync Group" comment="">
|
|
<ObjectRef ref="id2843X69605"/>
|
|
<ObjectRef ref="id3117X69605"/>
|
|
<ClusterGroupOptions>
|
|
<Option name="conntrack_address">225.0.0.50</Option>
|
|
<Option name="conntrack_port">3781</Option>
|
|
</ClusterGroupOptions>
|
|
</StateSyncClusterGroup>
|
|
</Cluster>
|
|
<Cluster id="id4400X28690" host_OS="linux24" inactive="False" lastCompiled="1248555910" lastInstalled="0" lastModified="1253911350" platform="iptables" name="openais_cluster_1" comment="" ro="False">
|
|
<NAT id="id4568X28690" name="NAT" comment="" ro="False" ipv4_rule_set="False" ipv6_rule_set="False" top_rule_set="True">
|
|
<NATRule id="id4569X28690" disabled="False" group="" position="0" action="Translate" comment="">
|
|
<OSrc neg="False">
|
|
<ObjectRef ref="id3DC75CE7-1"/>
|
|
</OSrc>
|
|
<ODst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ODst>
|
|
<OSrv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</OSrv>
|
|
<TSrc neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</TSrc>
|
|
<TDst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</TDst>
|
|
<TSrv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</TSrv>
|
|
<ItfInb neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ItfInb>
|
|
<ItfOutb neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ItfOutb>
|
|
<NATRuleOptions/>
|
|
</NATRule>
|
|
<RuleSetOptions/>
|
|
</NAT>
|
|
<Policy id="id4434X28690" name="Policy" comment="" ro="False" ipv4_rule_set="False" ipv6_rule_set="False" top_rule_set="True">
|
|
<PolicyRule id="id4435X28690" disabled="False" group="" log="False" position="0" action="Accept" direction="Both" comment="">
|
|
<Src neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="id3054X14356"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="id3068X14356"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="pf_classify_str"></Option>
|
|
<Option name="stateless">False</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<PolicyRule id="id4447X28690" disabled="False" group="" log="True" position="1" action="Deny" direction="Inbound" comment="anti-spoofing rule">
|
|
<Src neg="False">
|
|
<ObjectRef ref="id3DC75CE7-1"/>
|
|
<ObjectRef ref="id4400X28690"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="pf_classify_str"></Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<PolicyRule id="id4460X28690" disabled="False" group="" log="False" position="2" action="Accept" direction="Both" comment="">
|
|
<Src neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="pf_classify_str"></Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<PolicyRule id="id4472X28690" disabled="False" group="" log="False" position="3" action="Accept" direction="Both" comment="SSH Access to firewall is permitted only from internal network">
|
|
<Src neg="False">
|
|
<ObjectRef ref="id3DC75CE7-1"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="id4400X28690"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="tcp-SSH"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="pf_classify_str"></Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<PolicyRule id="id4484X28690" disabled="False" group="" log="False" position="4" action="Accept" direction="Both" comment="SSH Access to firewall is permitted only from internal network">
|
|
<Src neg="False">
|
|
<ObjectRef ref="id3DC75CE7-1"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="tcp-SSH"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="pf_classify_str"></Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<PolicyRule id="id4496X28690" disabled="False" group="" log="True" position="5" action="Accept" direction="Both" comment="Firewall uses one of the machines on internal network for DNS">
|
|
<Src neg="False">
|
|
<ObjectRef ref="id4400X28690"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="id3DC75CE7-1"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="id3F530CC8"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="pf_classify_str"></Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<PolicyRule id="id4508X28690" disabled="False" group="" log="False" position="6" action="Deny" direction="Both" comment="">
|
|
<Src neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="id4400X28690"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="connlimit_masklen">0</Option>
|
|
<Option name="connlimit_value">0</Option>
|
|
<Option name="firewall_is_part_of_any_and_networks">False</Option>
|
|
<Option name="hashlimit_burst">0</Option>
|
|
<Option name="hashlimit_dstlimit">False</Option>
|
|
<Option name="hashlimit_expire">0</Option>
|
|
<Option name="hashlimit_gcinterval">0</Option>
|
|
<Option name="hashlimit_max">0</Option>
|
|
<Option name="hashlimit_mode_dstip">False</Option>
|
|
<Option name="hashlimit_mode_dstport">False</Option>
|
|
<Option name="hashlimit_mode_srcip">False</Option>
|
|
<Option name="hashlimit_mode_srcport">False</Option>
|
|
<Option name="hashlimit_name"></Option>
|
|
<Option name="hashlimit_size">0</Option>
|
|
<Option name="hashlimit_suffix"></Option>
|
|
<Option name="hashlimit_value">0</Option>
|
|
<Option name="limit_burst">0</Option>
|
|
<Option name="limit_suffix"></Option>
|
|
<Option name="limit_value">0</Option>
|
|
<Option name="log_level"></Option>
|
|
<Option name="log_prefix"></Option>
|
|
<Option name="pf_classify_str"></Option>
|
|
<Option name="stateless">True</Option>
|
|
<Option name="ulog_nlgroup">1</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<PolicyRule id="id4520X28690" disabled="False" group="" log="True" position="7" action="Deny" direction="Both" comment="">
|
|
<Src neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="id4400X28690"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="connlimit_masklen">0</Option>
|
|
<Option name="connlimit_value">0</Option>
|
|
<Option name="firewall_is_part_of_any_and_networks">False</Option>
|
|
<Option name="hashlimit_burst">0</Option>
|
|
<Option name="hashlimit_dstlimit">False</Option>
|
|
<Option name="hashlimit_expire">0</Option>
|
|
<Option name="hashlimit_gcinterval">0</Option>
|
|
<Option name="hashlimit_max">0</Option>
|
|
<Option name="hashlimit_mode_dstip">False</Option>
|
|
<Option name="hashlimit_mode_dstport">False</Option>
|
|
<Option name="hashlimit_mode_srcip">False</Option>
|
|
<Option name="hashlimit_mode_srcport">False</Option>
|
|
<Option name="hashlimit_name"></Option>
|
|
<Option name="hashlimit_size">0</Option>
|
|
<Option name="hashlimit_suffix"></Option>
|
|
<Option name="hashlimit_value">0</Option>
|
|
<Option name="limit_burst">0</Option>
|
|
<Option name="limit_suffix"></Option>
|
|
<Option name="limit_value">0</Option>
|
|
<Option name="log_level"></Option>
|
|
<Option name="log_prefix"></Option>
|
|
<Option name="pf_classify_str"></Option>
|
|
<Option name="stateless">True</Option>
|
|
<Option name="ulog_nlgroup">1</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<PolicyRule id="id4532X28690" disabled="False" group="" log="False" position="8" action="Accept" direction="Both" comment="">
|
|
<Src neg="False">
|
|
<ObjectRef ref="id3DC75CE7-1"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="pf_classify_str"></Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<PolicyRule id="id4544X28690" disabled="False" group="" log="True" position="9" action="Deny" direction="Both" comment="">
|
|
<Src neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="pf_classify_str"></Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<PolicyRule id="id4556X28690" disabled="False" group="" log="True" position="10" action="Deny" direction="Both" comment="">
|
|
<Src neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="pf_classify_str"></Option>
|
|
<Option name="stateless">True</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<RuleSetOptions/>
|
|
</Policy>
|
|
<Routing id="id4583X28690" name="Routing" comment="" ro="False" ipv4_rule_set="False" ipv6_rule_set="False" top_rule_set="True">
|
|
<RoutingRule id="id225294X57559" disabled="False" group="" metric="0" position="0" comment="">
|
|
<RDst neg="False">
|
|
<ObjectRef ref="id95767X57559"/>
|
|
</RDst>
|
|
<RGtw neg="False">
|
|
<ObjectRef ref="id98741X57559"/>
|
|
</RGtw>
|
|
<RItf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</RItf>
|
|
<RoutingRuleOptions/>
|
|
</RoutingRule>
|
|
<RoutingRule id="id263952X57559" disabled="False" group="" metric="0" position="1" comment="interface vrrp1 belongs to a different firewall (cluster)">
|
|
<RDst neg="False">
|
|
<ObjectRef ref="id95767X57559"/>
|
|
</RDst>
|
|
<RGtw neg="False">
|
|
<ObjectRef ref="id98741X57559"/>
|
|
</RGtw>
|
|
<RItf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</RItf>
|
|
<RoutingRuleOptions/>
|
|
</RoutingRule>
|
|
<RuleSetOptions/>
|
|
</Routing>
|
|
<Interface id="id4408X28690" dedicated_failover="False" dyn="False" label="" mgmt="False" security_level="0" unnum="False" unprotected="False" name="eth0" comment="" ro="False">
|
|
<IPv4 id="id4415X28690" name="heartbeat_cluster_1-1:eth0:ip" comment="" ro="False" address="172.24.0.1" netmask="255.255.0.0"/>
|
|
<InterfaceOptions>
|
|
<Option name="enable_stp">False</Option>
|
|
<Option name="iface_mtu">1500</Option>
|
|
<Option name="type">heartbeat</Option>
|
|
<Option name="vlan_id">0</Option>
|
|
</InterfaceOptions>
|
|
<FailoverClusterGroup id="id4417X28690" master_iface="id2843X69605" type="openais" name="cluster1:eth0:members" comment=" ">
|
|
<ObjectRef ref="id2843X69605"/>
|
|
<ObjectRef ref="id3117X69605"/>
|
|
<ClusterGroupOptions>
|
|
<Option name="heartbeat_port">694</Option>
|
|
<Option name="openais_address">226.94.1.1</Option>
|
|
<Option name="openais_port">5405</Option>
|
|
<Option name="vrrp_secret">not so secret</Option>
|
|
<Option name="vrrp_vrid">200</Option>
|
|
</ClusterGroupOptions>
|
|
</FailoverClusterGroup>
|
|
</Interface>
|
|
<Interface id="id4421X28690" dedicated_failover="False" dyn="False" label="" mgmt="False" security_level="0" unnum="False" unprotected="False" name="eth1" comment="" ro="False">
|
|
<IPv4 id="id4428X28690" name="heartbeat_cluster_1-1:eth1:ip" comment="" ro="False" address="192.168.1.1" netmask="255.255.255.0"/>
|
|
<InterfaceOptions>
|
|
<Option name="enable_stp">False</Option>
|
|
<Option name="iface_mtu">1500</Option>
|
|
<Option name="type">heartbeat</Option>
|
|
<Option name="vlan_id">0</Option>
|
|
</InterfaceOptions>
|
|
<FailoverClusterGroup id="id4430X28690" master_iface="id2844X69605" type="none" name="cluster1:eth1:members" comment=" ">
|
|
<ObjectRef ref="id2844X69605"/>
|
|
<ObjectRef ref="id3118X69605"/>
|
|
<ClusterGroupOptions/>
|
|
</FailoverClusterGroup>
|
|
</Interface>
|
|
<FirewallOptions/>
|
|
<StateSyncClusterGroup id="id4585X28690" master_iface="id2843X69605" type="conntrack" name="State Sync Group" comment="">
|
|
<ObjectRef ref="id2843X69605"/>
|
|
<ObjectRef ref="id3117X69605"/>
|
|
<ClusterGroupOptions>
|
|
<Option name="conntrack_address">225.0.0.50</Option>
|
|
<Option name="conntrack_port">3781</Option>
|
|
</ClusterGroupOptions>
|
|
</StateSyncClusterGroup>
|
|
</Cluster>
|
|
<Cluster id="id2772X94039" host_OS="linux24" inactive="False" lastCompiled="1248541095" lastInstalled="0" lastModified="1253911174" platform="iptables" name="vrrp_cluster_1" comment="" ro="False">
|
|
<NAT id="id2866X94039" name="NAT" comment="" ro="False" ipv4_rule_set="False" ipv6_rule_set="False" top_rule_set="True">
|
|
<NATRule id="id2867X94039" disabled="False" group="" position="0" action="Translate" comment="">
|
|
<OSrc neg="False">
|
|
<ObjectRef ref="id3DC75CE7-1"/>
|
|
</OSrc>
|
|
<ODst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ODst>
|
|
<OSrv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</OSrv>
|
|
<TSrc neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</TSrc>
|
|
<TDst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</TDst>
|
|
<TSrv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</TSrv>
|
|
<ItfInb neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ItfInb>
|
|
<ItfOutb neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ItfOutb>
|
|
<NATRuleOptions/>
|
|
</NATRule>
|
|
<RuleSetOptions/>
|
|
</NAT>
|
|
<Policy id="id2780X94039" name="Policy" comment="" ro="False" ipv4_rule_set="False" ipv6_rule_set="False" top_rule_set="True">
|
|
<PolicyRule id="id3055X14356" disabled="False" group="" log="False" position="0" action="Accept" direction="Both" comment="">
|
|
<Src neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="id3054X14356"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="id3068X14356"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="pf_classify_str"></Option>
|
|
<Option name="stateless">False</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<PolicyRule id="id2781X94039" disabled="False" group="" log="True" position="1" action="Deny" direction="Inbound" comment="anti-spoofing rule">
|
|
<Src neg="False">
|
|
<ObjectRef ref="id3DC75CE7-1"/>
|
|
<ObjectRef ref="id2772X94039"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="pf_classify_str"></Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<PolicyRule id="id2794X94039" disabled="False" group="" log="False" position="2" action="Accept" direction="Both" comment="">
|
|
<Src neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="pf_classify_str"></Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<PolicyRule id="id2806X94039" disabled="False" group="" log="False" position="3" action="Accept" direction="Both" comment="SSH Access to firewall is permitted only from internal network">
|
|
<Src neg="False">
|
|
<ObjectRef ref="id3DC75CE7-1"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="id2772X94039"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="tcp-SSH"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="pf_classify_str"></Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<PolicyRule id="id3725X2234" disabled="False" group="" log="False" position="4" action="Accept" direction="Both" comment="SSH Access to firewall is permitted only from internal network">
|
|
<Src neg="False">
|
|
<ObjectRef ref="id3DC75CE7-1"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="tcp-SSH"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="pf_classify_str"></Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<PolicyRule id="id2818X94039" disabled="False" group="" log="True" position="5" action="Accept" direction="Both" comment="Firewall uses one of the machines on internal network for DNS">
|
|
<Src neg="False">
|
|
<ObjectRef ref="id2772X94039"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="id3DC75CE7-1"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="id3F530CC8"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="pf_classify_str"></Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<PolicyRule id="id2830X94039" disabled="False" group="" log="True" position="6" action="Deny" direction="Both" comment="All other attempts to connect to the firewall are denied and logged">
|
|
<Src neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="id2772X94039"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="connlimit_masklen">0</Option>
|
|
<Option name="connlimit_value">0</Option>
|
|
<Option name="firewall_is_part_of_any_and_networks">False</Option>
|
|
<Option name="hashlimit_burst">0</Option>
|
|
<Option name="hashlimit_dstlimit">False</Option>
|
|
<Option name="hashlimit_expire">0</Option>
|
|
<Option name="hashlimit_gcinterval">0</Option>
|
|
<Option name="hashlimit_max">0</Option>
|
|
<Option name="hashlimit_mode_dstip">False</Option>
|
|
<Option name="hashlimit_mode_dstport">False</Option>
|
|
<Option name="hashlimit_mode_srcip">False</Option>
|
|
<Option name="hashlimit_mode_srcport">False</Option>
|
|
<Option name="hashlimit_name"></Option>
|
|
<Option name="hashlimit_size">0</Option>
|
|
<Option name="hashlimit_suffix"></Option>
|
|
<Option name="hashlimit_value">0</Option>
|
|
<Option name="limit_burst">0</Option>
|
|
<Option name="limit_suffix"></Option>
|
|
<Option name="limit_value">0</Option>
|
|
<Option name="log_level"></Option>
|
|
<Option name="log_prefix"></Option>
|
|
<Option name="pf_classify_str"></Option>
|
|
<Option name="stateless">True</Option>
|
|
<Option name="ulog_nlgroup">1</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<PolicyRule id="id2842X94039" disabled="False" group="" log="False" position="7" action="Accept" direction="Both" comment="">
|
|
<Src neg="False">
|
|
<ObjectRef ref="id3DC75CE7-1"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="pf_classify_str"></Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<PolicyRule id="id2854X94039" disabled="False" group="" log="True" position="8" action="Deny" direction="Both" comment="">
|
|
<Src neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="pf_classify_str"></Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<PolicyRule id="id3087X2234" disabled="False" group="" log="True" position="9" action="Deny" direction="Both" comment="">
|
|
<Src neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="pf_classify_str"></Option>
|
|
<Option name="stateless">True</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<RuleSetOptions/>
|
|
</Policy>
|
|
<Routing id="id2881X94039" name="Routing" comment="" ro="False" ipv4_rule_set="False" ipv6_rule_set="False" top_rule_set="True">
|
|
<RoutingRule id="id146086X57559" disabled="False" group="" metric="0" position="0" comment="">
|
|
<RDst neg="False">
|
|
<ObjectRef ref="id95767X57559"/>
|
|
</RDst>
|
|
<RGtw neg="False">
|
|
<ObjectRef ref="id98741X57559"/>
|
|
</RGtw>
|
|
<RItf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</RItf>
|
|
<RoutingRuleOptions/>
|
|
</RoutingRule>
|
|
<RoutingRule id="id185502X57559" disabled="False" group="" metric="0" position="1" comment="">
|
|
<RDst neg="False">
|
|
<ObjectRef ref="id95767X57559"/>
|
|
</RDst>
|
|
<RGtw neg="False">
|
|
<ObjectRef ref="id98741X57559"/>
|
|
</RGtw>
|
|
<RItf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</RItf>
|
|
<RoutingRuleOptions/>
|
|
</RoutingRule>
|
|
<RuleSetOptions/>
|
|
</Routing>
|
|
<Interface id="id2882X94039" dedicated_failover="False" dyn="False" label="" security_level="0" unnum="False" unprotected="False" name="vrrp0" comment="" ro="False">
|
|
<IPv4 id="id2889X94039" name="cluster1-1:vrrp0:ip" comment="" ro="False" address="172.24.0.1" netmask="255.255.0.0"/>
|
|
<InterfaceOptions>
|
|
<Option name="iface_mtu">1500</Option>
|
|
<Option name="type">vrrp</Option>
|
|
</InterfaceOptions>
|
|
<FailoverClusterGroup id="id2891X94039" master_iface="id2843X69605" type="vrrp" name="cluster1:vrrp0:members" comment="VRRP member group for vrrp0 (vrid 200). The vrrp_secret option below is a plaintext placeholder stored in this file; replace it with a real value before deploying and never reuse the value shown here.">
|
|
<ObjectRef ref="id2843X69605"/>
|
|
<ObjectRef ref="id3117X69605"/>
|
|
<ClusterGroupOptions>
|
|
<Option name="vrrp_secret">not so secret</Option>
|
|
<Option name="vrrp_vrid">200</Option>
|
|
</ClusterGroupOptions>
|
|
</FailoverClusterGroup>
|
|
</Interface>
|
|
<Interface id="id2895X94039" dedicated_failover="False" dyn="False" label="" security_level="0" unnum="False" unprotected="False" name="vrrp1" comment="" ro="False">
|
|
<IPv4 id="id2901X94039" name="cluster1-1:vrrp1:ip" comment="" ro="False" address="192.168.1.1" netmask="255.255.255.0"/>
|
|
<InterfaceOptions>
|
|
<Option name="iface_mtu">1500</Option>
|
|
<Option name="type">vrrp</Option>
|
|
</InterfaceOptions>
|
|
<FailoverClusterGroup id="id2903X94039" master_iface="id2844X69605" type="vrrp" name="cluster1:vrrp1:members" comment=" ">
|
|
<ObjectRef ref="id2844X69605"/>
|
|
<ObjectRef ref="id3118X69605"/>
|
|
</FailoverClusterGroup>
|
|
</Interface>
|
|
<FirewallOptions/>
|
|
<StateSyncClusterGroup id="id2907X94039" master_iface="id2843X69605" type="conntrack" name="State Sync Group" comment="">
|
|
<ObjectRef ref="id2843X69605"/>
|
|
<ObjectRef ref="id3117X69605"/>
|
|
<ClusterGroupOptions/>
|
|
</StateSyncClusterGroup>
|
|
</Cluster>
|
|
<Cluster id="id3937X13563" host_OS="linux24" lastCompiled="1248541096" lastInstalled="0" lastModified="1251419063" platform="iptables" name="vrrp_cluster_2" comment="" ro="False">
|
|
<NAT id="id3941X13563" name="NAT" comment="" ro="False" ipv4_rule_set="False" ipv6_rule_set="False" top_rule_set="True">
|
|
<NATRule id="id5083X25627" disabled="False" group="" position="0" action="Translate" comment="">
|
|
<OSrc neg="False">
|
|
<ObjectRef ref="id3DC75CE7-1"/>
|
|
</OSrc>
|
|
<ODst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ODst>
|
|
<OSrv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</OSrv>
|
|
<TSrc neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</TSrc>
|
|
<TDst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</TDst>
|
|
<TSrv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</TSrv>
|
|
<ItfInb neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ItfInb>
|
|
<ItfOutb neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ItfOutb>
|
|
<NATRuleOptions/>
|
|
</NATRule>
|
|
<RuleSetOptions/>
|
|
</NAT>
|
|
<Policy id="id3940X13563" name="Policy" comment="" ro="False" ipv4_rule_set="False" ipv6_rule_set="False" top_rule_set="True">
|
|
<PolicyRule id="id5257X25627" disabled="False" group="" log="False" position="0" action="Accept" direction="Both" comment="Accept VRRP (IP protocol 112) to the 224.0.0.18 multicast group; required for the vrrp0/vrrp1 failover groups of this cluster. Src is Any, so any host able to reach the firewall may send VRRP advertisements - consider restricting Src to the networks of the member interfaces.">
|
|
<Src neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="id3054X14356"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="id3068X14356"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="pf_classify_str"></Option>
|
|
<Option name="stateless">False</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<PolicyRule id="id5239X25627" disabled="False" group="" log="True" position="1" action="Deny" direction="Inbound" comment="anti spoofing rule - NOTE: Itf is Any here rather than the outside interface (compare cluster1, whose anti-spoofing rule is bound to vrrp0). As written it denies and logs inbound packets carrying internal or firewall source addresses on every interface, including the inside one, and would shadow the later rules for internal hosts; bind it to the outside interface before use.">
|
|
<Src neg="False">
|
|
<ObjectRef ref="id3DC75CE7-1"/>
|
|
<ObjectRef ref="id3937X13563"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="pf_classify_str"></Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<PolicyRule id="id5222X25627" disabled="False" group="" log="False" position="2" action="Accept" direction="Both" comment="">
|
|
<Src neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="pf_classify_str"></Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<PolicyRule id="id5205X25627" disabled="False" group="" log="False" position="3" action="Accept" direction="Both" comment="SSH Access to firewall is permitted only from internal network">
|
|
<Src neg="False">
|
|
<ObjectRef ref="id3DC75CE7-1"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="id3937X13563"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="tcp-SSH"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="pf_classify_str"></Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<PolicyRule id="id5188X25627" disabled="False" group="" log="False" position="4" action="Accept" direction="Both" comment="SSH from internal network to any destination (Dst is Any, not the firewall; SSH to the firewall itself is covered by the previous rule). The copied comment about access to the firewall did not describe this rule.">
|
|
<Src neg="False">
|
|
<ObjectRef ref="id3DC75CE7-1"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="tcp-SSH"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="pf_classify_str"></Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<PolicyRule id="id5171X25627" disabled="False" group="" log="True" position="5" action="Accept" direction="Both" comment="Firewall uses one of the machines on internal network for DNS">
|
|
<Src neg="False">
|
|
<ObjectRef ref="id3937X13563"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="id3DC75CE7-1"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="id3F530CC8"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="pf_classify_str"></Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<PolicyRule id="id5154X25627" disabled="False" group="" log="True" position="6" action="Deny" direction="Both" comment="All other attempts to connect to the firewall are denied and logged">
|
|
<Src neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="id3937X13563"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="connlimit_masklen">0</Option>
|
|
<Option name="connlimit_value">0</Option>
|
|
<Option name="firewall_is_part_of_any_and_networks">False</Option>
|
|
<Option name="hashlimit_burst">0</Option>
|
|
<Option name="hashlimit_dstlimit">False</Option>
|
|
<Option name="hashlimit_expire">0</Option>
|
|
<Option name="hashlimit_gcinterval">0</Option>
|
|
<Option name="hashlimit_max">0</Option>
|
|
<Option name="hashlimit_mode_dstip">False</Option>
|
|
<Option name="hashlimit_mode_dstport">False</Option>
|
|
<Option name="hashlimit_mode_srcip">False</Option>
|
|
<Option name="hashlimit_mode_srcport">False</Option>
|
|
<Option name="hashlimit_name"></Option>
|
|
<Option name="hashlimit_size">0</Option>
|
|
<Option name="hashlimit_suffix"></Option>
|
|
<Option name="hashlimit_value">0</Option>
|
|
<Option name="limit_burst">0</Option>
|
|
<Option name="limit_suffix"></Option>
|
|
<Option name="limit_value">0</Option>
|
|
<Option name="log_level"></Option>
|
|
<Option name="log_prefix"></Option>
|
|
<Option name="pf_classify_str"></Option>
|
|
<Option name="stateless">True</Option>
|
|
<Option name="ulog_nlgroup">1</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<PolicyRule id="id5137X25627" disabled="False" group="" log="False" position="7" action="Accept" direction="Both" comment="">
|
|
<Src neg="False">
|
|
<ObjectRef ref="id3DC75CE7-1"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="pf_classify_str"></Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<PolicyRule id="id5120X25627" disabled="False" group="" log="True" position="8" action="Deny" direction="Both" comment="">
|
|
<Src neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="pf_classify_str"></Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<PolicyRule id="id5103X25627" disabled="False" group="" log="True" position="9" action="Deny" direction="Both" comment="">
|
|
<Src neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="pf_classify_str"></Option>
|
|
<Option name="stateless">True</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<RuleSetOptions/>
|
|
</Policy>
|
|
<Routing id="id3942X13563" name="Routing" comment="" ro="False" ipv4_rule_set="False" ipv6_rule_set="False" top_rule_set="True">
|
|
<RuleSetOptions/>
|
|
</Routing>
|
|
<Interface id="id3945X13563" dedicated_failover="False" dyn="False" label="" security_level="0" unnum="False" unprotected="False" name="vrrp0" comment="" ro="False">
|
|
<IPv4 id="id3946X13563" name="vrrp_cluster_2:vrrp0:ip" comment="" ro="False" address="172.24.0.1" netmask="255.255.255.0"/>
|
|
<InterfaceOptions>
|
|
<Option name="type">vrrp</Option>
|
|
</InterfaceOptions>
|
|
<FailoverClusterGroup id="id3948X13563" type="vrrp" name="vrrp_cluster_2:vrrp0:members" comment="VRRP member group for vrrp0 (vrid 1). The vrrp_secret option below is a plaintext placeholder stored in this file (the same value is used for vrrp1); replace it before deploying and never reuse the value shown here.">
|
|
<ObjectRef ref="id2843X69605"/>
|
|
<ObjectRef ref="id3117X69605"/>
|
|
<ClusterGroupOptions>
|
|
<Option name="vrrp_secret">vrrp_secret</Option>
|
|
<Option name="vrrp_vrid">1</Option>
|
|
</ClusterGroupOptions>
|
|
</FailoverClusterGroup>
|
|
</Interface>
|
|
<Interface id="id3950X13563" dedicated_failover="False" dyn="False" label="" security_level="0" unnum="False" unprotected="False" name="vrrp1" comment="" ro="False">
|
|
<IPv4 id="id3951X13563" name="vrrp_cluster_2:vrrp1:ip" comment="" ro="False" address="192.168.1.1" netmask="255.255.255.0"/>
|
|
<InterfaceOptions>
|
|
<Option name="type">vrrp</Option>
|
|
</InterfaceOptions>
|
|
<FailoverClusterGroup id="id3953X13563" type="vrrp" name="vrrp_cluster_2:vrrp1:members" comment="">
|
|
<ObjectRef ref="id2844X69605"/>
|
|
<ObjectRef ref="id3118X69605"/>
|
|
<ClusterGroupOptions>
|
|
<Option name="vrrp_secret">vrrp_secret</Option>
|
|
<Option name="vrrp_vrid">1</Option>
|
|
</ClusterGroupOptions>
|
|
</FailoverClusterGroup>
|
|
</Interface>
|
|
<Interface id="id3955X13563" dedicated_failover="False" dyn="False" label="" mgmt="False" security_level="0" unnum="False" unprotected="False" name="lo" comment="" ro="False">
|
|
<IPv4 id="id3956X13563" name="vrrp_cluster_2:lo:ip" comment="" ro="False" address="127.0.0.1" netmask="255.0.0.0"/>
|
|
<InterfaceOptions>
|
|
<Option name="type">vrrp</Option>
|
|
</InterfaceOptions>
|
|
</Interface>
|
|
<FirewallOptions/>
|
|
<StateSyncClusterGroup id="id3943X13563" type="conntrack" name="State Sync Group" comment="">
|
|
<ObjectRef ref="id2843X69605"/>
|
|
<ObjectRef ref="id3117X69605"/>
|
|
<ClusterGroupOptions/>
|
|
</StateSyncClusterGroup>
|
|
</Cluster>
|
|
<Firewall id="id3095X82837" host_OS="linux24" inactive="False" lastCompiled="1248541097" lastInstalled="0" lastModified="1244071962" platform="iptables" version="" name="gw1-bridge" comment="Bridging firewall object. eth0 faces outside and has a static address 172.24.0.2/255.255.0.0 (dyn is False, so not dynamic) with an 802.1q subinterface eth0.100; the inside is the bridge br1 (192.168.1.2/255.255.255.0, members eth2 and eth3, STP enabled), which is also the management interface. The Policy, NAT and Routing rule sets of this object are empty, so the template description (unrestricted outbound access, anti-spoofing, SSH-only access to the firewall from the internal network, DNS via a host on the internal network) is not implemented here; add those rules before compiling for a real host. Internal network is configured with address 192.168.1.0/255.255.255.0. NOTE(review): in FirewallOptions accept_new_tcp_with_no_syn is True and drop_invalid is False; confirm these are intended for anything beyond a test object." ro="False">
|
|
<NAT id="id3102X82837" name="NAT" comment="" ro="False" ipv4_rule_set="False" ipv6_rule_set="False" top_rule_set="True">
|
|
<RuleSetOptions/>
|
|
</NAT>
|
|
<Policy id="id3101X82837" name="Policy" comment="" ro="False" ipv4_rule_set="False" ipv6_rule_set="False" top_rule_set="True">
|
|
<RuleSetOptions/>
|
|
</Policy>
|
|
<Routing id="id3103X82837" name="Routing" comment="" ro="False" ipv4_rule_set="False" ipv6_rule_set="False" top_rule_set="True">
|
|
<RuleSetOptions/>
|
|
</Routing>
|
|
<Interface id="id3104X82837" dedicated_failover="False" dyn="False" label="" mgmt="False" security_level="0" unnum="False" unprotected="False" name="eth0" comment="" ro="False">
|
|
<IPv4 id="id3109X82837" name="gw1-bridge:eth0:ip" comment="" ro="False" address="172.24.0.2" netmask="255.255.0.0"/>
|
|
<InterfaceOptions>
|
|
<Option name="type">ethernet</Option>
|
|
<Option name="vlan_id">0</Option>
|
|
</InterfaceOptions>
|
|
<Interface id="id3111X82837" dedicated_failover="False" dyn="False" label="" security_level="0" unnum="False" unprotected="False" name="eth0.100" comment="" ro="False">
|
|
<InterfaceOptions>
|
|
<Option name="dev_plus_vid">False</Option>
|
|
<Option name="dev_plus_vid_no_pad">True</Option>
|
|
<Option name="type">8021q</Option>
|
|
<Option name="vlan_id">100</Option>
|
|
<Option name="vlan_plus_vid">False</Option>
|
|
<Option name="vlan_plus_vid_no_pad">False</Option>
|
|
</InterfaceOptions>
|
|
</Interface>
|
|
</Interface>
|
|
<Interface id="id3114X82837" dedicated_failover="False" dyn="False" label="" mgmt="True" security_level="100" unnum="False" unprotected="False" name="br1" comment="" ro="False">
|
|
<IPv4 id="id3117X82837" name="gw1-bridge:br1:ip" comment="" ro="False" address="192.168.1.2" netmask="255.255.255.0"/>
|
|
<InterfaceOptions>
|
|
<Option name="dev_plus_vid">False</Option>
|
|
<Option name="dev_plus_vid_no_pad">False</Option>
|
|
<Option name="enable_stp">True</Option>
|
|
<Option name="iface_mtu">1500</Option>
|
|
<Option name="type">bridge</Option>
|
|
<Option name="vlan_id">0</Option>
|
|
<Option name="vlan_plus_vid">False</Option>
|
|
<Option name="vlan_plus_vid_no_pad">True</Option>
|
|
</InterfaceOptions>
|
|
<Interface id="id3127X82837" dedicated_failover="False" dyn="False" label="" security_level="0" unnum="False" unprotected="False" name="eth2" comment="" ro="False">
|
|
<InterfaceOptions>
|
|
<Option name="dev_plus_vid">False</Option>
|
|
<Option name="dev_plus_vid_no_pad">False</Option>
|
|
<Option name="type">ethernet</Option>
|
|
<Option name="vlan_id">0</Option>
|
|
<Option name="vlan_plus_vid">False</Option>
|
|
<Option name="vlan_plus_vid_no_pad">True</Option>
|
|
</InterfaceOptions>
|
|
</Interface>
|
|
<Interface id="id3129X82837" dedicated_failover="False" dyn="False" label="" security_level="0" unnum="False" unprotected="False" name="eth3" comment="" ro="False">
|
|
<InterfaceOptions/>
|
|
</Interface>
|
|
</Interface>
|
|
<Interface id="id3119X82837" dedicated_failover="False" dyn="False" label="" mgmt="False" security_level="100" unnum="False" unprotected="False" name="lo" comment="" ro="False">
|
|
<IPv4 id="id3121X82837" name="gw1-bridge:lo:ip" comment="" ro="False" address="127.0.0.1" netmask="255.0.0.0"/>
|
|
<InterfaceOptions/>
|
|
</Interface>
|
|
<Management address="192.168.1.2">
|
|
<SNMPManagement enabled="False" snmp_read_community="" snmp_write_community=""/>
|
|
<FWBDManagement enabled="False" identity="" port="-1"/>
|
|
<PolicyInstallScript arguments="" command="" enabled="False"/>
|
|
</Management>
|
|
<FirewallOptions>
|
|
<Option name="accept_established">True</Option>
|
|
<Option name="accept_new_tcp_with_no_syn">True</Option>
|
|
<Option name="action_on_reject"></Option>
|
|
<Option name="activationCmd"></Option>
|
|
<Option name="admUser"></Option>
|
|
<Option name="altAddress"></Option>
|
|
<Option name="bridging_fw">False</Option>
|
|
<Option name="check_shading">False</Option>
|
|
<Option name="clamp_mss_to_mtu">False</Option>
|
|
<Option name="classify_mark_terminating">False</Option>
|
|
<Option name="cmdline"></Option>
|
|
<Option name="compiler"></Option>
|
|
<Option name="configure_bonding_interfaces">True</Option>
|
|
<Option name="configure_bridge_interfaces">True</Option>
|
|
<Option name="configure_interfaces">True</Option>
|
|
<Option name="configure_vlan_interfaces">True</Option>
|
|
<Option name="debug">False</Option>
|
|
<Option name="drop_invalid">False</Option>
|
|
<Option name="eliminate_duplicates">true</Option>
|
|
<Option name="epilog_script"></Option>
|
|
<Option name="firewall_dir">/etc</Option>
|
|
<Option name="firewall_is_part_of_any_and_networks">True</Option>
|
|
<Option name="flush_and_set_default_policy">True</Option>
|
|
<Option name="freebsd_ip_forward">1</Option>
|
|
<Option name="ignore_empty_groups">False</Option>
|
|
<Option name="ipv4_6_order">ipv4_first</Option>
|
|
<Option name="limit_suffix"></Option>
|
|
<Option name="limit_value">0</Option>
|
|
<Option name="linux24_ip_forward">1</Option>
|
|
<Option name="load_modules">True</Option>
|
|
<Option name="local_nat">False</Option>
|
|
<Option name="log_all">False</Option>
|
|
<Option name="log_invalid">False</Option>
|
|
<Option name="log_ip_opt">False</Option>
|
|
<Option name="log_level">info</Option>
|
|
<Option name="log_prefix">RULE %N -- %A </Option>
|
|
<Option name="log_tcp_opt">False</Option>
|
|
<Option name="log_tcp_seq">False</Option>
|
|
<Option name="loopback_interface">lo</Option>
|
|
<Option name="macosx_ip_forward">1</Option>
|
|
<Option name="manage_virtual_addr">True</Option>
|
|
<Option name="mgmt_addr"></Option>
|
|
<Option name="mgmt_ssh">False</Option>
|
|
<Option name="modules_dir">/lib/modules/`uname -r`/kernel/net/</Option>
|
|
<Option name="openbsd_ip_forward">1</Option>
|
|
<Option name="output_file"></Option>
|
|
<Option name="pf_limit_frags">5000</Option>
|
|
<Option name="pf_limit_states">10000</Option>
|
|
<Option name="pf_timeout_frag">30</Option>
|
|
<Option name="pf_timeout_interval">10</Option>
|
|
<Option name="pix_add_clear_statements">true</Option>
|
|
<Option name="pix_assume_fw_part_of_any">true</Option>
|
|
<Option name="pix_default_logint">300</Option>
|
|
<Option name="pix_emblem_log_format">false</Option>
|
|
<Option name="pix_emulate_out_acl">true</Option>
|
|
<Option name="pix_floodguard">true</Option>
|
|
<Option name="pix_include_comments">true</Option>
|
|
<Option name="pix_route_dnat_supported">true</Option>
|
|
<Option name="pix_rule_syslog_settings">false</Option>
|
|
<Option name="pix_security_fragguard_supported">true</Option>
|
|
<Option name="pix_syslog_device_id_supported">false</Option>
|
|
<Option name="pix_use_acl_remarks">true</Option>
|
|
<Option name="prolog_place">top</Option>
|
|
<Option name="prolog_script"></Option>
|
|
<Option name="scpArgs"></Option>
|
|
<Option name="secuwall_add_files">False</Option>
|
|
<Option name="secuwall_add_files_dir">/opt/secuwall/templates/default</Option>
|
|
<Option name="secuwall_dns_reso1">files</Option>
|
|
<Option name="solaris_ip_forward">1</Option>
|
|
<Option name="sshArgs"></Option>
|
|
<Option name="ulog_cprange">0</Option>
|
|
<Option name="ulog_nlgroup">1</Option>
|
|
<Option name="ulog_qthreshold">1</Option>
|
|
<Option name="use_ULOG">False</Option>
|
|
<Option name="use_iptables_restore">False</Option>
|
|
<Option name="use_numeric_log_levels">False</Option>
|
|
<Option name="verify_interfaces">True</Option>
|
|
</FirewallOptions>
|
|
</Firewall>
|
|
<Interface id="id2847X69605" dedicated_failover="False" dyn="False" label="" mgmt="False" security_level="100" unnum="False" unprotected="False" name="lo" comment="" ro="False">
|
|
<IPv4 id="id2849X69605" name="pix-1:lo:ip" comment="" ro="False" address="127.0.0.1" netmask="255.0.0.0"/>
|
|
<InterfaceOptions/>
|
|
</Interface>
|
|
<IPv4 id="id3764X78273" name="pix-1:FastEthernet0/0:ip" comment="" ro="False" address="172.24.0.2" netmask="255.255.0.0"/>
|
|
</Library>
|
|
<Library id="id1495X69605" color="#d2ffd0" name="User" comment="" ro="False">
|
|
<ObjectGroup id="id1502X69605" name="Clusters" comment="" ro="False">
|
|
<Cluster id="id2366X75741" host_OS="ios" inactive="True" lastCompiled="1248670597" lastInstalled="0" lastModified="1269894292" platform="iosacl" name="cluster1" comment="" ro="False">
|
|
<NAT id="id2370X75741" name="NAT" comment="" ro="False" ipv4_rule_set="False" ipv6_rule_set="False" top_rule_set="True">
|
|
<NATRule id="id4606X78273" disabled="False" group="" position="0" action="Translate" comment="">
|
|
<OSrc neg="False">
|
|
<ObjectRef ref="id3DC75CE7-1"/>
|
|
</OSrc>
|
|
<ODst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ODst>
|
|
<OSrv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</OSrv>
|
|
<TSrc neg="False">
|
|
<ObjectRef ref="id2374X75741"/>
|
|
</TSrc>
|
|
<TDst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</TDst>
|
|
<TSrv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</TSrv>
|
|
<ItfInb neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ItfInb>
|
|
<ItfOutb neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ItfOutb>
|
|
<NATRuleOptions/>
|
|
</NATRule>
|
|
<RuleSetOptions/>
|
|
</NAT>
|
|
<Policy id="id2369X75741" name="Policy" comment="" ro="False" ipv4_rule_set="False" ipv6_rule_set="False" top_rule_set="True">
|
|
<PolicyRule id="id2913X78273" disabled="False" group="" log="True" position="0" action="Deny" direction="Inbound" comment="anti spoofing rule">
|
|
<Src neg="False">
|
|
<ObjectRef ref="id3DC75CE7-1"/>
|
|
<ObjectRef ref="id2366X75741"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="id2374X75741"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="pf_classify_str"></Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<PolicyRule id="id2896X78273" disabled="False" group="" log="False" position="1" action="Accept" direction="Both" comment="">
|
|
<Src neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="pf_classify_str"></Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<PolicyRule id="id2879X78273" disabled="False" group="" log="False" position="2" action="Accept" direction="Both" comment="SSH Access to firewall is permitted only from internal network">
|
|
<Src neg="False">
|
|
<ObjectRef ref="id3DC75CE7-1"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="id2366X75741"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="tcp-SSH"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="pf_classify_str"></Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<PolicyRule id="id2862X78273" disabled="False" group="" log="True" position="3" action="Accept" direction="Both" comment="Firewall uses one of the machines on internal network for DNS">
|
|
<Src neg="False">
|
|
<ObjectRef ref="id2366X75741"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="id3DC75CE7-1"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="id3F530CC8"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="pf_classify_str"></Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<PolicyRule id="id2845X78273" disabled="False" group="" log="True" position="4" action="Deny" direction="Both" comment="All other attempts to connect to the firewall are denied and logged">
|
|
<Src neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="id2366X75741"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="pf_classify_str"></Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<PolicyRule id="id2828X78273" disabled="False" group="" log="False" position="5" action="Accept" direction="Both" comment="">
|
|
<Src neg="False">
|
|
<ObjectRef ref="id3DC75CE7-1"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="pf_classify_str"></Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<PolicyRule id="id2811X78273" disabled="False" group="" log="True" position="6" action="Deny" direction="Both" comment="">
|
|
<Src neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="pf_classify_str"></Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<RuleSetOptions/>
|
|
</Policy>
|
|
<Routing id="id2371X75741" name="Routing" comment="" ro="False" ipv4_rule_set="False" ipv6_rule_set="False" top_rule_set="True">
|
|
<RuleSetOptions/>
|
|
</Routing>
|
|
<Interface id="id2374X75741" dedicated_failover="False" dyn="False" label="" security_level="0" unnum="False" unprotected="False" name="vrrp0" comment="" ro="False">
|
|
<IPv4 id="id2375X75741" name="cluster1:vrrp0:ip" comment="" ro="False" address="172.24.0.1" netmask="255.255.0.0"/>
|
|
<InterfaceOptions>
|
|
<Option name="iface_mtu">1500</Option>
|
|
<Option name="type">vrrp</Option>
|
|
</InterfaceOptions>
|
|
<FailoverClusterGroup id="id2377X75741" type="" name="cluster1:vrrp0:members" comment="">
|
|
<ClusterGroupOptions>
|
|
<Option name="vrrp_secret">not so secret</Option>
|
|
<Option name="vrrp_vrid">100</Option>
|
|
</ClusterGroupOptions>
|
|
</FailoverClusterGroup>
|
|
</Interface>
|
|
<Interface id="id2379X75741" dedicated_failover="False" dyn="False" label="" security_level="0" unnum="False" unprotected="False" name="vrrp1" comment="" ro="False">
|
|
<IPv4 id="id2380X75741" name="cluster1:vrrp1:ip" comment="" ro="False" address="192.168.1.1" netmask="255.255.255.0"/>
|
|
<InterfaceOptions>
|
|
<Option name="iface_mtu">1500</Option>
|
|
<Option name="type">vrrp</Option>
|
|
</InterfaceOptions>
|
|
<FailoverClusterGroup id="id2382X75741" master_iface="id2844X69605" type="" name="cluster1:vrrp1:members" comment="">
|
|
<ObjectRef ref="id2844X69605"/>
|
|
<ObjectRef ref="id3118X69605"/>
|
|
</FailoverClusterGroup>
|
|
</Interface>
|
|
<Interface id="id3213X42281" dedicated_failover="False" dyn="False" security_level="0" unnum="False" unprotected="False" name="vrrp2" comment="" ro="False">
|
|
<InterfaceOptions>
|
|
<Option name="iface_mtu">1500</Option>
|
|
<Option name="type">vrrp</Option>
|
|
<Option name="vrrp_secret">my_secret</Option>
|
|
</InterfaceOptions>
|
|
</Interface>
|
|
<FirewallOptions/>
|
|
<StateSyncClusterGroup id="id2372X75741" type="" name="State Sync Group" comment="">
|
|
<ClusterGroupOptions/>
|
|
</StateSyncClusterGroup>
|
|
</Cluster>
|
|
</ObjectGroup>
|
|
<ObjectGroup id="id1496X69605" name="Objects" comment="" ro="False">
|
|
<ObjectGroup id="id1497X69605" name="Addresses" comment="" ro="False">
|
|
<IPv4 id="id3054X14356" name="VRRP group" comment="" ro="False" address="224.0.0.18" netmask="0.0.0.0"/>
|
|
<IPv4 id="id11417X39764" name="like pf_cluster_1:carp0:ip" comment="" ro="False" address="172.24.0.1" netmask="0.0.0.0"/>
|
|
<IPv4 id="id15840X39764" name="int host" comment="" ro="False" address="172.24.0.100" netmask="0.0.0.0"/>
|
|
<IPv4 id="id98741X57559" name="gw1" comment="" ro="False" address="172.24.0.100" netmask="0.0.0.0"/>
|
|
</ObjectGroup>
|
|
<ObjectGroup id="id1498X69605" name="DNS Names" comment="" ro="False"/>
|
|
<ObjectGroup id="id1499X69605" name="Address Tables" comment="" ro="False"/>
|
|
<ObjectGroup id="id1500X69605" name="Groups" comment="" ro="False"/>
|
|
<ObjectGroup id="id1501X69605" name="Hosts" comment="" ro="False"/>
|
|
<ObjectGroup id="id1503X69605" name="Networks" comment="" ro="False">
|
|
<Network id="id95767X57559" name="net-172.24.1" comment="" ro="False" address="172.24.1.0" netmask="255.255.255.0"/>
|
|
<Network id="id95768X57559" name="net-172.24.2" comment="" ro="False" address="172.24.2.0" netmask="255.255.255.0"/>
|
|
</ObjectGroup>
|
|
<ObjectGroup id="id1504X69605" name="Address Ranges" comment="" ro="False"/>
|
|
</ObjectGroup>
|
|
<ServiceGroup id="id1505X69605" name="Services" comment="" ro="False">
|
|
<ServiceGroup id="id1506X69605" name="Groups" comment="" ro="False"/>
|
|
<ServiceGroup id="id1507X69605" name="ICMP" comment="" ro="False"/>
|
|
<ServiceGroup id="id1508X69605" name="IP" comment="" ro="False">
|
|
<!-- IP protocol 112 is VRRP. When this service appears in a policy, scope it
     to the failover interfaces and to the 224.0.0.18 group address instead
     of permitting it from/to "Any": a host on any segment where protocol 112
     is open can inject advertisements with a higher priority and contest
     the virtual IP. -->
<IPService id="id3068X14356" dscp="" fragm="False" lsrr="False" protocol_num="112" rr="False" short_fragm="False" ssrr="False" tos="" ts="False" name="VRRP Service" comment="" ro="False"/>
|
|
</ServiceGroup>
|
|
<ServiceGroup id="id1509X69605" name="TCP" comment="" ro="False"/>
|
|
<ServiceGroup id="id1510X69605" name="UDP" comment="" ro="False"/>
|
|
<ServiceGroup id="id1511X69605" name="Users" comment="" ro="False"/>
|
|
<ServiceGroup id="id1512X69605" name="Custom" comment="" ro="False"/>
|
|
<ServiceGroup id="id1513X69605" name="TagServices" comment="" ro="False"/>
|
|
</ServiceGroup>
|
|
<ObjectGroup id="id1514X69605" name="Firewalls" comment="" ro="False">
|
|
<Firewall id="id2735X69605" host_OS="ios" inactive="False" lastCompiled="1251482764" lastInstalled="0" lastModified="1257786087" platform="iosacl" version="12.4" name="ios-1" comment=" " ro="False">
|
|
<NAT id="id2827X69605" name="NAT" comment="" ro="False" ipv4_rule_set="False" ipv6_rule_set="False" top_rule_set="True">
|
|
<RuleSetOptions/>
|
|
</NAT>
|
|
<Policy id="id2741X69605" name="Policy" comment="" ro="False" ipv4_rule_set="False" ipv6_rule_set="False" top_rule_set="True">
|
|
<RuleSetOptions/>
|
|
</Policy>
|
|
<Policy id="id6188X76214" name="to_fw" comment="" ro="False" ipv4_rule_set="True" ipv6_rule_set="False" top_rule_set="False">
|
|
<PolicyRule id="id10428X76214" disabled="False" group="" log="True" position="0" action="Deny" direction="Both" comment="hashlimit 10/sec">
|
|
<!-- Catch-all deny: Any source, destination and service, on every interface,
     in both directions, logged, marked stateless. The hashlimit_* options
     below (hashlimit_value 10 with suffix "/second") are iptables hashlimit
     match settings. NOTE(review): the enclosing Firewall element declares
     platform "iosacl", which has no equivalent match, so presumably the
     compiler ignores them and emits a plain deny; confirm in the generated
     ACL before relying on the 10/sec limit this rule's comment advertises. -->
<Src neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="connlimit_masklen">0</Option>
|
|
<Option name="connlimit_value">0</Option>
|
|
<Option name="firewall_is_part_of_any_and_networks">False</Option>
|
|
<Option name="hashlimit_burst">0</Option>
|
|
<Option name="hashlimit_dstlimit">False</Option>
|
|
<Option name="hashlimit_expire">0</Option>
|
|
<Option name="hashlimit_gcinterval">0</Option>
|
|
<Option name="hashlimit_max">0</Option>
|
|
<Option name="hashlimit_mode_dstip">False</Option>
|
|
<Option name="hashlimit_mode_dstport">False</Option>
|
|
<Option name="hashlimit_mode_srcip">False</Option>
|
|
<Option name="hashlimit_mode_srcport">False</Option>
|
|
<Option name="hashlimit_name"></Option>
|
|
<Option name="hashlimit_size">0</Option>
|
|
<Option name="hashlimit_suffix">/second</Option>
|
|
<Option name="hashlimit_value">10</Option>
|
|
<Option name="limit_burst">0</Option>
|
|
<Option name="limit_suffix"></Option>
|
|
<Option name="limit_value">0</Option>
|
|
<Option name="log_level"></Option>
|
|
<Option name="log_prefix"></Option>
|
|
<Option name="pf_classify_str"></Option>
|
|
<Option name="stateless">True</Option>
|
|
<Option name="ulog_nlgroup">1</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<RuleSetOptions/>
|
|
</Policy>
|
|
<Routing id="id2842X69605" name="Routing" comment="" ro="False" ipv4_rule_set="False" ipv6_rule_set="False" top_rule_set="True">
|
|
<RuleSetOptions/>
|
|
</Routing>
|
|
<Interface id="id2843X69605" dedicated_failover="False" dyn="False" label="" mgmt="False" network_zone="sysid0" security_level="0" unnum="False" unprotected="False" name="FastEthernet0/0" comment=" " ro="False">
|
|
<InterfaceOptions>
|
|
<Option name="type">ethernet</Option>
|
|
<Option name="vlan_id">0</Option>
|
|
</InterfaceOptions>
|
|
<Interface id="id3188X29979" dedicated_failover="False" dyn="False" label="" mgmt="False" network_zone="sysid0" security_level="0" unnum="False" unprotected="False" name="FastEthernet0/0.101" comment="vlan interface " ro="False">
|
|
<IPv4 id="id10439X39874" name="ios-1:FastEthernet0/0:FastEthernet0/0.101:ip" comment="" ro="False" address="192.168.100.1" netmask="255.255.255.0"/>
|
|
<InterfaceOptions>
|
|
<Option name="dev_plus_vid">False</Option>
|
|
<Option name="dev_plus_vid_no_pad">True</Option>
|
|
<Option name="type">8021q</Option>
|
|
<Option name="vlan_id">101</Option>
|
|
<Option name="vlan_plus_vid">False</Option>
|
|
<Option name="vlan_plus_vid_no_pad">False</Option>
|
|
</InterfaceOptions>
|
|
</Interface>
|
|
</Interface>
|
|
<Interface id="id2844X69605" dedicated_failover="False" dyn="False" label="" mgmt="True" network_zone="sysid0" security_level="100" unnum="False" unprotected="False" name="FastEthernet0/1" comment="" ro="False">
|
|
<IPv4 id="id2846X69605" name="ios-1:FastEthernet0/1:ip" comment="" ro="False" address="192.168.1.2" netmask="255.255.255.0"/>
|
|
<InterfaceOptions>
|
|
<Option name="iface_mtu">1500</Option>
|
|
<Option name="type">ethernet</Option>
|
|
</InterfaceOptions>
|
|
</Interface>
|
|
<Management address="192.168.1.2">
|
|
<SNMPManagement enabled="False" snmp_read_community="" snmp_write_community=""/>
|
|
<FWBDManagement enabled="False" identity="" port="-1"/>
|
|
<PolicyInstallScript arguments="" command="" enabled="False"/>
|
|
</Management>
|
|
<FirewallOptions>
|
|
<!-- NOTE(review): on an IOS ACL platform "accept_established" presumably maps
     to the ACL "established" keyword, which matches any TCP segment with ACK
     or RST set. That is a flag test, not connection tracking: a crafted
     packet with ACK set passes whether or not a session exists. If the
     accept_new_tcp_with_no_syn option is honoured on this platform it relaxes
     this further. Confirm in the generated ACL and use reflexive ACLs or
     zone-based inspection where real state tracking is required. -->
<Option name="accept_established">True</Option>
|
|
<Option name="accept_new_tcp_with_no_syn">True</Option>
|
|
<Option name="action_on_reject"></Option>
|
|
<Option name="activationCmd"></Option>
|
|
<Option name="admUser"></Option>
|
|
<Option name="altAddress"></Option>
|
|
<Option name="bridging_fw">False</Option>
|
|
<Option name="check_shading">False</Option>
|
|
<Option name="clamp_mss_to_mtu">False</Option>
|
|
<Option name="classify_mark_terminating">False</Option>
|
|
<Option name="cmdline"></Option>
|
|
<Option name="compiler"></Option>
|
|
<Option name="configure_interfaces">True</Option>
|
|
<Option name="configure_vlan_interfaces">True</Option>
|
|
<Option name="ctiqbe_fixup">2 2748 0 nil 0</Option>
|
|
<Option name="debug">False</Option>
|
|
<Option name="dns_fixup">2 65535 0 nil 0</Option>
|
|
<Option name="drop_invalid">False</Option>
|
|
<Option name="eliminate_duplicates">true</Option>
|
|
<Option name="epilog_script"></Option>
|
|
<Option name="espike_fixup">2 0 0 nil 0</Option>
|
|
<Option name="firewall_dir">/etc</Option>
|
|
<Option name="firewall_is_part_of_any_and_networks">True</Option>
|
|
<Option name="flush_and_set_default_policy">True</Option>
|
|
<Option name="freebsd_ip_forward">1</Option>
|
|
<Option name="ftp_fixup">2 21 0 strict 0</Option>
|
|
<Option name="h323_h225_fixup">2 1720 1720 nil 0</Option>
|
|
<Option name="h323_ras_fixup">2 1718 1719 nil 0</Option>
|
|
<Option name="http_fixup">2 80 80 nil 0</Option>
|
|
<Option name="icmp_error_fixup">2 0 0 nil 0</Option>
|
|
<Option name="ignore_empty_groups">False</Option>
|
|
<Option name="ils_fixup">2 389 389 nil 0</Option>
|
|
<Option name="iosacl_add_clear_statements">true</Option>
|
|
<Option name="iosacl_assume_fw_part_of_any">true</Option>
|
|
<Option name="iosacl_include_comments">true</Option>
|
|
<Option name="ipt_mangle_only_rulesets"></Option>
|
|
<Option name="ipv4_6_order">ipv4_first</Option>
|
|
<Option name="limit_suffix"></Option>
|
|
<Option name="limit_value">0</Option>
|
|
<Option name="linux24_ip_forward">1</Option>
|
|
<Option name="load_modules">True</Option>
|
|
<Option name="local_nat">False</Option>
|
|
<Option name="log_all">False</Option>
|
|
<Option name="log_invalid">False</Option>
|
|
<Option name="log_ip_opt">False</Option>
|
|
<Option name="log_level">info</Option>
|
|
<Option name="log_prefix">RULE %N -- %A </Option>
|
|
<Option name="log_tcp_opt">False</Option>
|
|
<Option name="log_tcp_seq">False</Option>
|
|
<Option name="loopback_interface">lo</Option>
|
|
<Option name="macosx_ip_forward">1</Option>
|
|
<Option name="manage_virtual_addr">True</Option>
|
|
<Option name="mgcp_fixup">2 2427 2727 nil 0</Option>
|
|
<Option name="mgmt_addr"></Option>
|
|
<Option name="mgmt_ssh">False</Option>
|
|
<Option name="modules_dir">/lib/modules/`uname -r`/kernel/net/</Option>
|
|
<Option name="openbsd_ip_forward">1</Option>
|
|
<Option name="output_file"></Option>
|
|
<Option name="pf_limit_frags">5000</Option>
|
|
<Option name="pf_limit_states">10000</Option>
|
|
<Option name="pf_timeout_frag">30</Option>
|
|
<Option name="pf_timeout_interval">10</Option>
|
|
<Option name="pix_acl_basic">True</Option>
|
|
<Option name="pix_add_clear_statements">true</Option>
|
|
<Option name="pix_assume_fw_part_of_any">true</Option>
|
|
<Option name="pix_default_logint">300</Option>
|
|
<Option name="pix_emblem_log_format">false</Option>
|
|
<Option name="pix_emulate_out_acl">true</Option>
|
|
<Option name="pix_floodguard">true</Option>
|
|
<Option name="pix_include_comments">true</Option>
|
|
<Option name="pix_route_dnat_supported">true</Option>
|
|
<Option name="pix_rule_syslog_settings">false</Option>
|
|
<Option name="pix_security_fragguard_supported">true</Option>
|
|
<Option name="pix_syslog_device_id_supported">false</Option>
|
|
<Option name="pix_use_acl_remarks">true</Option>
|
|
<Option name="pptp_fixup">2 1723 0 nil 0</Option>
|
|
<Option name="prolog_place">top</Option>
|
|
<Option name="prolog_script"></Option>
|
|
<Option name="rsh_fixup">2 514 0 nil 0</Option>
|
|
<Option name="rtsp_fixup">2 554 0 nil 0</Option>
|
|
<Option name="scpArgs"></Option>
|
|
<Option name="secuwall_add_files">False</Option>
|
|
<Option name="secuwall_add_files_dir">/opt/secuwall/templates/default</Option>
|
|
<Option name="secuwall_dns_reso1">files</Option>
|
|
<Option name="sip_fixup">2 5060 5060 nil 0</Option>
|
|
<Option name="sip_udp_fixup">2 5060 0 nil 0</Option>
|
|
<Option name="skinny_fixup">2 2000 2000 nil 0</Option>
|
|
<Option name="smtp_fixup">2 25 25 nil 0</Option>
|
|
<Option name="solaris_ip_forward">1</Option>
|
|
<Option name="sqlnet_fixup">2 1521 1521 nil 0</Option>
|
|
<Option name="sshArgs"></Option>
|
|
<Option name="tftp_fixup">2 69 0 nil 0</Option>
|
|
<Option name="ulog_cprange">0</Option>
|
|
<Option name="ulog_nlgroup">1</Option>
|
|
<Option name="ulog_qthreshold">1</Option>
|
|
<Option name="use_ULOG">False</Option>
|
|
<Option name="use_iptables_restore">False</Option>
|
|
<Option name="use_numeric_log_levels">False</Option>
|
|
<Option name="verify_interfaces">True</Option>
|
|
</FirewallOptions>
|
|
</Firewall>
|
|
<Firewall id="id3009X69605" host_OS="ios" inactive="False" lastCompiled="1251482764" lastInstalled="0" lastModified="1257786076" platform="iosacl" version="12.4" name="ios-2" comment="" ro="False">
|
|
<NAT id="id3101X69605" name="NAT" comment="" ro="False" ipv4_rule_set="False" ipv6_rule_set="False" top_rule_set="True">
|
|
<RuleSetOptions/>
|
|
</NAT>
|
|
<Policy id="id3015X69605" name="Policy" comment="" ro="False" ipv4_rule_set="False" ipv6_rule_set="False" top_rule_set="True">
|
|
<RuleSetOptions/>
|
|
</Policy>
|
|
<Policy id="id6191X76214" name="to_fw" comment="" ro="False" ipv4_rule_set="True" ipv6_rule_set="False" top_rule_set="False">
|
|
<PolicyRule id="id10440X76214" disabled="False" group="" log="True" position="0" action="Deny" direction="Both" comment="hashlimit 20/sec">
|
|
<!-- Catch-all deny: Any source, destination and service, on every interface,
     in both directions, logged, marked stateless. The hashlimit_* options
     below (hashlimit_value 20 with suffix "/second") are iptables hashlimit
     match settings. NOTE(review): the enclosing Firewall element declares
     platform "iosacl", which has no equivalent match, so presumably the
     compiler ignores them and emits a plain deny; confirm in the generated
     ACL before relying on the 20/sec limit this rule's comment advertises. -->
<Src neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="connlimit_masklen">0</Option>
|
|
<Option name="connlimit_value">0</Option>
|
|
<Option name="firewall_is_part_of_any_and_networks">False</Option>
|
|
<Option name="hashlimit_burst">0</Option>
|
|
<Option name="hashlimit_dstlimit">False</Option>
|
|
<Option name="hashlimit_expire">0</Option>
|
|
<Option name="hashlimit_gcinterval">0</Option>
|
|
<Option name="hashlimit_max">0</Option>
|
|
<Option name="hashlimit_mode_dstip">False</Option>
|
|
<Option name="hashlimit_mode_dstport">False</Option>
|
|
<Option name="hashlimit_mode_srcip">False</Option>
|
|
<Option name="hashlimit_mode_srcport">False</Option>
|
|
<Option name="hashlimit_name"></Option>
|
|
<Option name="hashlimit_size">0</Option>
|
|
<Option name="hashlimit_suffix">/second</Option>
|
|
<Option name="hashlimit_value">20</Option>
|
|
<Option name="limit_burst">0</Option>
|
|
<Option name="limit_suffix"></Option>
|
|
<Option name="limit_value">0</Option>
|
|
<Option name="log_level"></Option>
|
|
<Option name="log_prefix"></Option>
|
|
<Option name="pf_classify_str"></Option>
|
|
<Option name="stateless">True</Option>
|
|
<Option name="ulog_nlgroup">1</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<RuleSetOptions/>
|
|
</Policy>
|
|
<Routing id="id3116X69605" name="Routing" comment="" ro="False" ipv4_rule_set="False" ipv6_rule_set="False" top_rule_set="True">
|
|
<RuleSetOptions/>
|
|
</Routing>
|
|
<Interface id="id3117X69605" dedicated_failover="False" dyn="False" label="" mgmt="False" security_level="0" unnum="False" unprotected="False" name="eth0" comment="" ro="False">
|
|
<IPv4 id="id3765X78273" name="ios-2:eth0:ip" comment="" ro="False" address="172.24.0.3" netmask="255.255.0.0"/>
|
|
<InterfaceOptions/>
|
|
</Interface>
|
|
<Interface id="id3118X69605" dedicated_failover="False" dyn="False" label="" mgmt="True" security_level="100" unnum="False" unprotected="False" name="eth1" comment="" ro="False">
|
|
<IPv4 id="id3120X69605" name="ios-2:eth1:ip" comment="" ro="False" address="192.168.1.3" netmask="255.255.255.0"/>
|
|
<InterfaceOptions/>
|
|
</Interface>
|
|
<Interface id="id3121X69605" dedicated_failover="False" dyn="False" label="" mgmt="False" security_level="100" unnum="False" unprotected="False" name="lo" comment="" ro="False">
|
|
<IPv4 id="id3123X69605" name="ios-2:lo:ip" comment="" ro="False" address="127.0.0.1" netmask="255.0.0.0"/>
|
|
<InterfaceOptions/>
|
|
</Interface>
|
|
<Management address="192.168.1.3">
|
|
<SNMPManagement enabled="False" snmp_read_community="" snmp_write_community=""/>
|
|
<FWBDManagement enabled="False" identity="" port="-1"/>
|
|
<PolicyInstallScript arguments="" command="" enabled="False"/>
|
|
</Management>
|
|
<FirewallOptions>
|
|
<!-- NOTE(review): on an IOS ACL platform "accept_established" presumably maps
     to the ACL "established" keyword, which matches any TCP segment with ACK
     or RST set. That is a flag test, not connection tracking: a crafted
     packet with ACK set passes whether or not a session exists. If the
     accept_new_tcp_with_no_syn option is honoured on this platform it relaxes
     this further. Confirm in the generated ACL and use reflexive ACLs or
     zone-based inspection where real state tracking is required. -->
<Option name="accept_established">True</Option>
|
|
<Option name="accept_new_tcp_with_no_syn">True</Option>
|
|
<Option name="action_on_reject"></Option>
|
|
<Option name="activationCmd"></Option>
|
|
<Option name="admUser"></Option>
|
|
<Option name="altAddress"></Option>
|
|
<Option name="bridging_fw">False</Option>
|
|
<Option name="check_shading">False</Option>
|
|
<Option name="clamp_mss_to_mtu">False</Option>
|
|
<Option name="classify_mark_terminating">False</Option>
|
|
<Option name="cmdline"></Option>
|
|
<Option name="compiler"></Option>
|
|
<Option name="configure_interfaces">True</Option>
|
|
<Option name="debug">False</Option>
|
|
<Option name="drop_invalid">False</Option>
|
|
<Option name="eliminate_duplicates">true</Option>
|
|
<Option name="epilog_script"></Option>
|
|
<Option name="firewall_dir">/etc</Option>
|
|
<Option name="firewall_is_part_of_any_and_networks">True</Option>
|
|
<Option name="flush_and_set_default_policy">True</Option>
|
|
<Option name="freebsd_ip_forward">1</Option>
|
|
<Option name="ignore_empty_groups">False</Option>
|
|
<Option name="iosacl_add_clear_statements">true</Option>
|
|
<Option name="iosacl_assume_fw_part_of_any">true</Option>
|
|
<Option name="iosacl_include_comments">true</Option>
|
|
<Option name="ipt_mangle_only_rulesets"></Option>
|
|
<Option name="ipv4_6_order">ipv4_first</Option>
|
|
<Option name="limit_suffix"></Option>
|
|
<Option name="limit_value">0</Option>
|
|
<Option name="linux24_ip_forward">1</Option>
|
|
<Option name="load_modules">True</Option>
|
|
<Option name="local_nat">False</Option>
|
|
<Option name="log_all">False</Option>
|
|
<Option name="log_invalid">False</Option>
|
|
<Option name="log_ip_opt">False</Option>
|
|
<Option name="log_level">info</Option>
|
|
<Option name="log_prefix">RULE %N -- %A </Option>
|
|
<Option name="log_tcp_opt">False</Option>
|
|
<Option name="log_tcp_seq">False</Option>
|
|
<Option name="loopback_interface">lo</Option>
|
|
<Option name="macosx_ip_forward">1</Option>
|
|
<Option name="manage_virtual_addr">True</Option>
|
|
<Option name="mgmt_addr"></Option>
|
|
<Option name="mgmt_ssh">False</Option>
|
|
<Option name="modules_dir">/lib/modules/`uname -r`/kernel/net/</Option>
|
|
<Option name="openbsd_ip_forward">1</Option>
|
|
<Option name="output_file"></Option>
|
|
<Option name="pf_limit_frags">5000</Option>
|
|
<Option name="pf_limit_states">10000</Option>
|
|
<Option name="pf_timeout_frag">30</Option>
|
|
<Option name="pf_timeout_interval">10</Option>
|
|
<Option name="pix_add_clear_statements">true</Option>
|
|
<Option name="pix_assume_fw_part_of_any">true</Option>
|
|
<Option name="pix_default_logint">300</Option>
|
|
<Option name="pix_emblem_log_format">false</Option>
|
|
<Option name="pix_emulate_out_acl">true</Option>
|
|
<Option name="pix_floodguard">true</Option>
|
|
<Option name="pix_include_comments">true</Option>
|
|
<Option name="pix_route_dnat_supported">true</Option>
|
|
<Option name="pix_rule_syslog_settings">false</Option>
|
|
<Option name="pix_security_fragguard_supported">true</Option>
|
|
<Option name="pix_syslog_device_id_supported">false</Option>
|
|
<Option name="pix_use_acl_remarks">true</Option>
|
|
<Option name="prolog_place">top</Option>
|
|
<Option name="prolog_script"></Option>
|
|
<Option name="scpArgs"></Option>
|
|
<Option name="secuwall_add_files">False</Option>
|
|
<Option name="secuwall_add_files_dir">/opt/secuwall/templates/default</Option>
|
|
<Option name="secuwall_dns_reso1">files</Option>
|
|
<Option name="solaris_ip_forward">1</Option>
|
|
<Option name="sshArgs"></Option>
|
|
<Option name="ulog_cprange">0</Option>
|
|
<Option name="ulog_nlgroup">1</Option>
|
|
<Option name="ulog_qthreshold">1</Option>
|
|
<Option name="use_ULOG">False</Option>
|
|
<Option name="use_iptables_restore">False</Option>
|
|
<Option name="use_numeric_log_levels">False</Option>
|
|
<Option name="verify_interfaces">True</Option>
|
|
</FirewallOptions>
|
|
</Firewall>
|
|
</ObjectGroup>
|
|
<IntervalGroup id="id1515X69605" name="Time" comment="" ro="False"/>
|
|
</Library>
|
|
</FWObjectDatabase>
|